@node9/proxy 1.26.3 → 1.27.1

package/README.md

@@ -10,7 +10,7 @@
 
 Node9 sits between your AI agent and the tools it can use — **discover** what it's already been doing, **protect** against risky actions in real time, and **review** what happened over any time window.
 
-Works with **Claude Code · Codex CLI · Gemini CLI · Cursor · Windsurf · any MCP server**.
+Works with **Claude Code · Codex CLI · Gemini CLI · Cursor · Windsurf · VSCode · Claude Desktop · Opencode · Pi · any MCP server**.
 
 ## What Node9 does
 
@@ -66,7 +66,7 @@ npm install -g node9-ai
 ```
 
 ```bash
-node9 init       # auto-wires Claude Code, Gemini CLI, Cursor, Codex, MCP servers
+node9 init       # auto-wires all detected agents + MCP servers
 node9 doctor     # verify everything is wired correctly
 ```
 
@@ -195,7 +195,7 @@ def run_command(cmd: str) -> str:
 ## Under the hood
 
 - **Scan** reads raw agent history from `~/.claude/projects/`, `~/.gemini/tmp/`, `~/.codex/sessions/` — no API calls, fully offline
-- **Runtime** wires PreToolUse hooks into Claude Code, Gemini CLI, and Codex — hooks write to `~/.node9/audit.log` atomically
+- **Runtime** intercepts tool calls via pre-execution hooks (Claude Code, Codex, Gemini CLI, Opencode, Pi) or via the MCP gateway (Cursor, Windsurf, VSCode, Claude Desktop). All decisions land in `~/.node9/audit.log` atomically.
 - **MCP gateway** is a stdio proxy; intercepts `tools/list` + `tools/call` JSON-RPC, forwards the rest
 - **Policy engine** uses [mvdan-sh](https://github.com/mvdan/sh) for bash AST analysis — defeats obfuscation via backslash escaping, variable substitution, eval of remote download
 - **Shadow repo** for auto-undo lives at `~/.node9/snapshots/<hash16>/` — never touches your `.git`

package/dist/cli.js

@@ -6647,6 +6647,200 @@ var init_setup_opencode_shim = __esm({
   }
 });
 
+// src/setup-pi-shim.ts
+function renderPiShim(input) {
+  const { node9Argv, version: version2 } = input;
+  return `// Auto-generated by \`node9 init\`. Do not edit \u2014 re-run init to upgrade.
+// NODE9_SHIM_VERSION = "${version2}"
+//
+// node9 protection shim for Pi (https://pi.dev). Wires four hooks
+// against the agent's extension API and shells out to the node9 CLI
+// for verdicts.
+//
+// Contract (verified against opensources/pi-main):
+//   - tool_call  \u2192 return { block: true, reason } to block (NOT throw)
+//   - tool_result \u2192 audit fire-and-forget
+//   - input      \u2192 return { action: "handled" } to block, { action: "continue" } to allow
+//   - user_bash  \u2192 return synthetic BashResult { output, exitCode: 1, ... } to block
+//                  (UserBashEventResult has no block field by design)
+
+const { spawnSync } = require("node:child_process");
+const fs = require("node:fs");
+const path = require("node:path");
+const os = require("node:os");
+
+function debugLog(entry) {
+  // Best-effort write to ~/.node9/hook-debug.log so audit-log failures
+  // in the tool_result catch leave a breadcrumb. Pi has no equivalent
+  // of node9's own hook-debug.log path, and silent swallow makes
+  // misconfiguration invisible until block-rate dashboards catch on.
+  // Wrapped in try because this hook NEVER throws \u2014 see catch comment.
+  try {
+    const logPath = path.join(os.homedir(), ".node9", "hook-debug.log");
+    fs.mkdirSync(path.dirname(logPath), { recursive: true });
+    fs.appendFileSync(logPath, JSON.stringify({
+      ts: new Date().toISOString(),
+      source: "pi-shim",
+      ...entry,
+    }) + "\\n");
+  } catch (_) {
+    // ignore \u2014 last-resort breadcrumb is best-effort
+  }
+}
+
+// argv prefix for invoking the node9 CLI. argv[0] is the executable
+// (either the npm-installed wrapper script or the node binary); the
+// remaining entries (if any) are passed as the leading args before
+// the subcommand name (e.g. ["/path/to/dist/cli.js"] for dev mode).
+const NODE9_ARGV = ${JSON.stringify(node9Argv)};
+const HOOK_TIMEOUT_MS = 30000;
+const LOG_TIMEOUT_MS = 5000;
+
+// Pi tool names \u2192 Claude tool names. Policy rules in ~/.node9/config.yaml
+// match against Claude's PascalCase names (Bash/Read/Edit/Write/...).
+// Without this mapping every DLP and project-jail rule silently no-ops
+// for pi payloads (design R5).
+const TOOL_NAME_MAP = {
+  bash: "Bash",
+  read: "Read",
+  edit: "Edit",
+  write: "Write",
+  grep: "Grep",
+  find: "Glob",
+  ls: "LS",
+};
+
+function normalizeToolName(piName) {
+  return TOOL_NAME_MAP[piName] || piName;
+}
+
+function parseReason(stdout) {
+  // node9 check emits {decision, reason, message} JSON on stdout when
+  // blocking. Fall back to a generic string if anything goes wrong.
+  try {
+    const v = JSON.parse(stdout || "");
+    return v && (v.reason || v.message);
+  } catch (e) {
+    return null;
+  }
+}
+
+function runCheck(payload, timeoutMs) {
+  return spawnSync(NODE9_ARGV[0], [...NODE9_ARGV.slice(1), "check"], {
+    input: JSON.stringify(payload),
+    encoding: "utf-8",
+    timeout: timeoutMs,
+  });
+}
+
+module.exports = function (pi) {
+  pi.on("tool_call", async (event, ctx) => {
+    const payload = {
+      hook_event_name: "PreToolUse",
+      tool_name: normalizeToolName(event.toolName),
+      tool_input: event.input,
+      cwd: ctx.cwd,
+      meta: { agent: "Pi" },
+    };
+    const r = runCheck(payload, HOOK_TIMEOUT_MS);
+    if (r.status === 0) return undefined;
+    const reason = parseReason(r.stdout) || "blocked by node9";
+    return { block: true, reason: "[node9] " + reason };
+  });
+
+  pi.on("tool_result", async (event, ctx) => {
+    // Fire-and-forget audit log. Failures here must NEVER throw or
+    // return an error result \u2014 we'd retroactively "fail" a tool call
+    // that already completed.
+    const payload = {
+      hook_event_name: "PostToolUse",
+      tool_name: normalizeToolName(event.toolName),
+      tool_input: event.input,
+      cwd: ctx.cwd,
+      meta: { agent: "Pi" },
+    };
+    try {
+      spawnSync(NODE9_ARGV[0], [...NODE9_ARGV.slice(1), "log"], {
+        input: JSON.stringify(payload),
+        encoding: "utf-8",
+        timeout: LOG_TIMEOUT_MS,
+      });
+    } catch (e) {
+      // Swallow + breadcrumb. Audit log gaps are preferable to crashing
+      // the agent, but a persistent failure here (e.g. NODE9_ARGV[0]
+      // no longer exists after a node-version bump) used to be invisible
+      // because pi has no hook-debug surface. Write a one-line entry to
+      // ~/.node9/hook-debug.log so dashboards can catch silent drift.
+      debugLog({
+        event: "tool_result-spawn-failed",
+        tool: payload.tool_name,
+        agent: "Pi",
+        error: e && e.message ? e.message : String(e),
+      });
+    }
+    return undefined;
+  });
+
+  pi.on("input", async (event, ctx) => {
+    // Pre-prompt DLP. event.text is the user's typed/pasted prompt.
+    // Block via { action: "handled" }; allow via { action: "continue" }.
+    // We do NOT use { action: "transform" } in v1 \u2014 block-only mirrors
+    // Claude/Codex/Opencode behavior. Redact-mode is a future option.
+    const payload = {
+      hook_event_name: "UserPromptSubmit",
+      prompt: event.text,
+      cwd: ctx.cwd,
+      meta: { agent: "Pi" },
+    };
+    const r = runCheck(payload, HOOK_TIMEOUT_MS);
+    if (r.status === 0) return { action: "continue" };
+    const reason = parseReason(r.stdout) || "prompt blocked";
+    if (ctx.hasUI) {
+      ctx.ui.notify("[node9] " + reason, "error");
+    }
+    return { action: "handled" };
+  });
+
+  pi.on("user_bash", async (event, ctx) => {
+    // The !/!! prompt-escape side channel (design R4). Synthesize a
+    // Bash-shaped PreToolUse payload so the same dangerous-words / DLP
+    // rules that gate tool_call(bash) also gate user_bash.
+    //
+    // UserBashEventResult has no { block } field \u2014 by design, since
+    // pi.on("user_bash") was meant for execution-replacement. We block
+    // by returning a synthetic BashResult that looks like the command
+    // failed with our reason as the output (exitCode: 1).
+    const payload = {
+      hook_event_name: "PreToolUse",
+      tool_name: "Bash",
+      tool_input: { command: event.command },
+      cwd: event.cwd,
+      meta: { agent: "Pi" },
+    };
+    const r = runCheck(payload, HOOK_TIMEOUT_MS);
+    if (r.status === 0) return undefined;
+    const reason = parseReason(r.stdout) || "blocked by node9";
+    if (ctx.hasUI) {
+      ctx.ui.notify("[node9] " + reason, "error");
+    }
+    return {
+      result: {
+        output: "[node9] blocked: " + reason,
+        exitCode: 1,
+        cancelled: false,
+        truncated: false,
+      },
+    };
+  });
+};
+`;
+}
+var init_setup_pi_shim = __esm({
+  "src/setup-pi-shim.ts"() {
+    "use strict";
+  }
+});
+
 // src/setup.ts
 function hasNode9McpServer(servers) {
   const entry = servers["node9"];
@@ -7139,7 +7333,14 @@ function detectAgents(homeDir2 = import_os12.default.homedir()) {
     claudeDesktop: desktopPath !== null && exists(import_path15.default.dirname(desktopPath)),
     // Opencode creates ~/.config/opencode lazily on first launch — fall back
     // to a PATH lookup so installed-but-never-launched CLIs are still wired.
-    opencode: exists(import_path15.default.join(homeDir2, ".config", "opencode")) || binaryInPath("opencode")
+    opencode: exists(import_path15.default.join(homeDir2, ".config", "opencode")) || binaryInPath("opencode"),
+    // Pi (https://pi.dev): config dir is ~/.pi/agent (CONFIG_DIR_NAME=".pi"
+    // + agentDir, verified against opensources/pi-main/packages/coding-agent/
+    // src/config.ts:449,475). The Bun-compiled binary path may create this
+    // dir lazily on first launch — same class of bug as opencode's #186
+    // (design R6) — so fall back to PATH lookup for installed-but-never-
+    // launched pi.
+    pi: exists(import_path15.default.join(homeDir2, ".pi", "agent")) || binaryInPath("pi")
   };
 }
 async function setupCursor() {
@@ -7893,6 +8094,59 @@ function teardownOpencode() {
     console.log(import_chalk.default.blue("  \u2139\uFE0F  No node9 entries found in ~/.config/opencode/opencode.json"));
   }
 }
+async function setupPi() {
+  seedMcpPinsIfMissing();
+  const homeDir2 = import_os12.default.homedir();
+  const extensionsDir = import_path15.default.join(homeDir2, ".pi", "agent", "extensions");
+  const extensionPath = import_path15.default.join(extensionsDir, PI_EXTENSION_NAME);
+  try {
+    import_fs13.default.mkdirSync(extensionsDir, { recursive: true });
+  } catch (err2) {
+    const code = err2.code;
+    console.log(import_chalk.default.yellow(`  \u26A0\uFE0F  Could not create ${extensionsDir}: ${code ?? String(err2)}`));
+    return;
+  }
+  const shimContent = renderPiShim({
+    node9Argv: node9ArgvForShim(),
+    version: node9Version()
+  });
+  const existingShim = (() => {
+    try {
+      return import_fs13.default.readFileSync(extensionPath, "utf-8");
+    } catch {
+      return null;
+    }
+  })();
+  if (existingShim === shimContent) {
+    console.log(import_chalk.default.blue("  \u2139\uFE0F  Node9 is already fully configured for Pi."));
+    return;
+  }
+  import_fs13.default.writeFileSync(extensionPath, shimContent);
+  if (existingShim) {
+    console.log(import_chalk.default.yellow("  \u{1F527} Pi extension shim updated to current version"));
+  } else {
+    console.log(
+      import_chalk.default.green("  \u2705 Pi extension installed \u2192 tool_call / tool_result / input / user_bash")
+    );
+  }
+  console.log(import_chalk.default.green.bold("\u{1F6E1}\uFE0F  Node9 is now protecting Pi!"));
+  console.log(import_chalk.default.gray("    Restart Pi for changes to take effect."));
+  printDaemonTip();
+}
+function teardownPi() {
+  const homeDir2 = import_os12.default.homedir();
+  const extensionPath = import_path15.default.join(homeDir2, ".pi", "agent", "extensions", PI_EXTENSION_NAME);
+  try {
+    if (import_fs13.default.existsSync(extensionPath)) {
+      import_fs13.default.unlinkSync(extensionPath);
+      console.log(import_chalk.default.green("  \u2705 Removed node9 extension from ~/.pi/agent/extensions/"));
+    } else {
+      console.log(import_chalk.default.blue("  \u2139\uFE0F  No Pi extension installed \u2014 nothing to remove"));
+    }
+  } catch (err2) {
+    console.log(import_chalk.default.yellow(`  \u26A0\uFE0F  Could not remove ${extensionPath}: ${String(err2)}`));
+  }
+}
 function getAgentsStatus(homeDir2 = import_os12.default.homedir()) {
   const detected = detectAgents(homeDir2);
   const claudeWired = (() => {
@@ -7995,10 +8249,19 @@ function getAgentsStatus(homeDir2 = import_os12.default.homedir()) {
         return !!cfg?.mcp?.["node9"];
       })(),
       mode: detected.opencode ? "hooks" : null
+    },
+    {
+      name: "pi",
+      label: "Pi",
+      installed: detected.pi,
+      // Pi has no MCP path — only the extension file. "wired" is a
+      // simple existence check on the canonical install location.
+      wired: import_fs13.default.existsSync(import_path15.default.join(homeDir2, ".pi", "agent", "extensions", PI_EXTENSION_NAME)),
+      mode: detected.pi ? "hooks" : null
     }
   ];
 }
-var import_fs13, import_path15, import_os12, import_chalk, import_prompts, import_smol_toml, NODE9_MCP_SERVER_ENTRY, CODEX_PRE_TOOL_MATCHERS, OPENCODE_PLUGIN_NAME;
+var import_fs13, import_path15, import_os12, import_chalk, import_prompts, import_smol_toml, NODE9_MCP_SERVER_ENTRY, CODEX_PRE_TOOL_MATCHERS, OPENCODE_PLUGIN_NAME, PI_EXTENSION_NAME;
 var init_setup = __esm({
   "src/setup.ts"() {
     "use strict";
@@ -8010,9 +8273,11 @@ var init_setup = __esm({
     import_smol_toml = require("smol-toml");
     init_mcp_pin();
     init_setup_opencode_shim();
+    init_setup_pi_shim();
     NODE9_MCP_SERVER_ENTRY = { command: "node9", args: ["mcp-server"] };
     CODEX_PRE_TOOL_MATCHERS = ["^Bash$", "^apply_patch$", "^mcp__.*"];
     OPENCODE_PLUGIN_NAME = "node9.js";
+    PI_EXTENSION_NAME = "node9.js";
   }
 });
 
@@ -16812,7 +17077,15 @@ function registerLogCommand(program2) {
         const payload = JSON.parse(raw);
         const tool = sanitize3(payload.tool_name ?? payload.name ?? "unknown");
         const rawInput = payload.tool_input ?? payload.args ?? {};
-        const agent = payload.turn_id !== void 0 ? "Codex" : payload.hook_event_name === "PreToolUse" || payload.hook_event_name === "PostToolUse" || payload.tool_use_id !== void 0 || payload.permission_mode !== void 0 ? "Claude Code" : payload.hook_event_name === "BeforeTool" || payload.hook_event_name === "AfterTool" || payload.timestamp !== void 0 ? "Gemini CLI" : void 0;
+        const metaTag = (() => {
+          const m = payload.meta;
+          if (m && typeof m === "object") {
+            const tagged = m.agent;
+            if (typeof tagged === "string" && tagged.length > 0) return tagged;
+          }
+          return void 0;
+        })();
+        const agent = metaTag !== void 0 ? metaTag : payload.turn_id !== void 0 ? "Codex" : payload.hook_event_name === "PreToolUse" || payload.hook_event_name === "PostToolUse" || payload.tool_use_id !== void 0 || payload.permission_mode !== void 0 ? "Claude Code" : payload.hook_event_name === "BeforeTool" || payload.hook_event_name === "AfterTool" || payload.timestamp !== void 0 ? "Gemini CLI" : void 0;
         const entry = {
           ts: (/* @__PURE__ */ new Date()).toISOString(),
           tool,
@@ -18946,11 +19219,13 @@ function registerInitCommand(program2) {
       if (found.length === 0) {
         console.log(
           import_chalk16.default.gray(
-            "No AI agents detected. Install Claude Code, Gemini CLI, Cursor, Windsurf, VSCode, or Codex"
+            "No AI agents detected. Install one of the supported agents (Claude Code, Codex, Gemini CLI, Cursor, Windsurf, VSCode, Claude Desktop, Opencode, or Pi)."
           )
         );
         console.log(
-          import_chalk16.default.gray("then run: node9 agents add <claude|gemini|cursor|windsurf|vscode|codex>")
+          import_chalk16.default.gray(
+            "then run: node9 agents add <claude|codex|gemini|cursor|windsurf|vscode|claudeDesktop|opencode|pi>"
+          )
         );
         return;
       }
@@ -18969,6 +19244,7 @@ function registerInitCommand(program2) {
         else if (agent === "vscode") await setupVSCode();
         else if (agent === "claudeDesktop") await setupClaudeDesktop();
         else if (agent === "opencode") await setupOpencode();
+        else if (agent === "pi") await setupPi();
         console.log("");
       }
       if ((process.platform === "darwin" || process.platform === "linux") && process.stdout.isTTY) {
@@ -20729,7 +21005,8 @@ var SETUP_FN = {
   windsurf: setupWindsurf,
   vscode: setupVSCode,
   claudeDesktop: setupClaudeDesktop,
-  opencode: setupOpencode
+  opencode: setupOpencode,
+  pi: setupPi
 };
 var TEARDOWN_FN = {
   claude: teardownClaude,
@@ -20739,7 +21016,8 @@ var TEARDOWN_FN = {
   windsurf: teardownWindsurf,
   vscode: teardownVSCode,
   claudeDesktop: teardownClaudeDesktop,
-  opencode: teardownOpencode
+  opencode: teardownOpencode,
+  pi: teardownPi
 };
 var AGENT_NAMES = Object.keys(SETUP_FN);
 function registerAgentsCommand(program2) {

package/dist/cli.mjs

@@ -6622,6 +6622,200 @@ var init_setup_opencode_shim = __esm({
   }
 });
 
+// src/setup-pi-shim.ts
+function renderPiShim(input) {
+  const { node9Argv, version: version2 } = input;
+  return `// Auto-generated by \`node9 init\`. Do not edit \u2014 re-run init to upgrade.
+// NODE9_SHIM_VERSION = "${version2}"
+//
+// node9 protection shim for Pi (https://pi.dev). Wires four hooks
+// against the agent's extension API and shells out to the node9 CLI
+// for verdicts.
+//
+// Contract (verified against opensources/pi-main):
+//   - tool_call  \u2192 return { block: true, reason } to block (NOT throw)
+//   - tool_result \u2192 audit fire-and-forget
+//   - input      \u2192 return { action: "handled" } to block, { action: "continue" } to allow
+//   - user_bash  \u2192 return synthetic BashResult { output, exitCode: 1, ... } to block
+//                  (UserBashEventResult has no block field by design)
+
+const { spawnSync } = require("node:child_process");
+const fs = require("node:fs");
+const path = require("node:path");
+const os = require("node:os");
+
+function debugLog(entry) {
+  // Best-effort write to ~/.node9/hook-debug.log so audit-log failures
+  // in the tool_result catch leave a breadcrumb. Pi has no equivalent
+  // of node9's own hook-debug.log path, and silent swallow makes
+  // misconfiguration invisible until block-rate dashboards catch on.
+  // Wrapped in try because this hook NEVER throws \u2014 see catch comment.
+  try {
+    const logPath = path.join(os.homedir(), ".node9", "hook-debug.log");
+    fs.mkdirSync(path.dirname(logPath), { recursive: true });
+    fs.appendFileSync(logPath, JSON.stringify({
+      ts: new Date().toISOString(),
+      source: "pi-shim",
+      ...entry,
+    }) + "\\n");
+  } catch (_) {
+    // ignore \u2014 last-resort breadcrumb is best-effort
+  }
+}
+
+// argv prefix for invoking the node9 CLI. argv[0] is the executable
+// (either the npm-installed wrapper script or the node binary); the
+// remaining entries (if any) are passed as the leading args before
+// the subcommand name (e.g. ["/path/to/dist/cli.js"] for dev mode).
+const NODE9_ARGV = ${JSON.stringify(node9Argv)};
+const HOOK_TIMEOUT_MS = 30000;
+const LOG_TIMEOUT_MS = 5000;
+
+// Pi tool names \u2192 Claude tool names. Policy rules in ~/.node9/config.yaml
+// match against Claude's PascalCase names (Bash/Read/Edit/Write/...).
+// Without this mapping every DLP and project-jail rule silently no-ops
+// for pi payloads (design R5).
+const TOOL_NAME_MAP = {
+  bash: "Bash",
+  read: "Read",
+  edit: "Edit",
+  write: "Write",
+  grep: "Grep",
+  find: "Glob",
+  ls: "LS",
+};
+
+function normalizeToolName(piName) {
+  return TOOL_NAME_MAP[piName] || piName;
+}
+
+function parseReason(stdout) {
+  // node9 check emits {decision, reason, message} JSON on stdout when
+  // blocking. Fall back to a generic string if anything goes wrong.
+  try {
+    const v = JSON.parse(stdout || "");
+    return v && (v.reason || v.message);
+  } catch (e) {
+    return null;
+  }
+}
+
+function runCheck(payload, timeoutMs) {
+  return spawnSync(NODE9_ARGV[0], [...NODE9_ARGV.slice(1), "check"], {
+    input: JSON.stringify(payload),
+    encoding: "utf-8",
+    timeout: timeoutMs,
+  });
+}
+
+module.exports = function (pi) {
+  pi.on("tool_call", async (event, ctx) => {
+    const payload = {
+      hook_event_name: "PreToolUse",
+      tool_name: normalizeToolName(event.toolName),
+      tool_input: event.input,
+      cwd: ctx.cwd,
+      meta: { agent: "Pi" },
+    };
+    const r = runCheck(payload, HOOK_TIMEOUT_MS);
+    if (r.status === 0) return undefined;
+    const reason = parseReason(r.stdout) || "blocked by node9";
+    return { block: true, reason: "[node9] " + reason };
+  });
+
+  pi.on("tool_result", async (event, ctx) => {
+    // Fire-and-forget audit log. Failures here must NEVER throw or
+    // return an error result \u2014 we'd retroactively "fail" a tool call
+    // that already completed.
+    const payload = {
+      hook_event_name: "PostToolUse",
+      tool_name: normalizeToolName(event.toolName),
+      tool_input: event.input,
+      cwd: ctx.cwd,
+      meta: { agent: "Pi" },
+    };
+    try {
+      spawnSync(NODE9_ARGV[0], [...NODE9_ARGV.slice(1), "log"], {
+        input: JSON.stringify(payload),
+        encoding: "utf-8",
+        timeout: LOG_TIMEOUT_MS,
+      });
+    } catch (e) {
+      // Swallow + breadcrumb. Audit log gaps are preferable to crashing
+      // the agent, but a persistent failure here (e.g. NODE9_ARGV[0]
+      // no longer exists after a node-version bump) used to be invisible
+      // because pi has no hook-debug surface. Write a one-line entry to
+      // ~/.node9/hook-debug.log so dashboards can catch silent drift.
+      debugLog({
+        event: "tool_result-spawn-failed",
+        tool: payload.tool_name,
+        agent: "Pi",
+        error: e && e.message ? e.message : String(e),
+      });
+    }
+    return undefined;
+  });
+
+  pi.on("input", async (event, ctx) => {
+    // Pre-prompt DLP. event.text is the user's typed/pasted prompt.
+    // Block via { action: "handled" }; allow via { action: "continue" }.
+    // We do NOT use { action: "transform" } in v1 \u2014 block-only mirrors
+    // Claude/Codex/Opencode behavior. Redact-mode is a future option.
+    const payload = {
+      hook_event_name: "UserPromptSubmit",
+      prompt: event.text,
+      cwd: ctx.cwd,
+      meta: { agent: "Pi" },
+    };
+    const r = runCheck(payload, HOOK_TIMEOUT_MS);
+    if (r.status === 0) return { action: "continue" };
+    const reason = parseReason(r.stdout) || "prompt blocked";
+    if (ctx.hasUI) {
+      ctx.ui.notify("[node9] " + reason, "error");
+    }
+    return { action: "handled" };
+  });
+
+  pi.on("user_bash", async (event, ctx) => {
+    // The !/!! prompt-escape side channel (design R4). Synthesize a
+    // Bash-shaped PreToolUse payload so the same dangerous-words / DLP
+    // rules that gate tool_call(bash) also gate user_bash.
+    //
+    // UserBashEventResult has no { block } field \u2014 by design, since
+    // pi.on("user_bash") was meant for execution-replacement. We block
+    // by returning a synthetic BashResult that looks like the command
+    // failed with our reason as the output (exitCode: 1).
+    const payload = {
+      hook_event_name: "PreToolUse",
+      tool_name: "Bash",
+      tool_input: { command: event.command },
+      cwd: event.cwd,
+      meta: { agent: "Pi" },
+    };
+    const r = runCheck(payload, HOOK_TIMEOUT_MS);
+    if (r.status === 0) return undefined;
+    const reason = parseReason(r.stdout) || "blocked by node9";
+    if (ctx.hasUI) {
+      ctx.ui.notify("[node9] " + reason, "error");
+    }
+    return {
+      result: {
+        output: "[node9] blocked: " + reason,
+        exitCode: 1,
+        cancelled: false,
+        truncated: false,
+      },
+    };
+  });
+};
+`;
+}
+var init_setup_pi_shim = __esm({
+  "src/setup-pi-shim.ts"() {
+    "use strict";
+  }
+});
+
 // src/setup.ts
 import fs13 from "fs";
 import path15 from "path";
@@ -7120,7 +7314,14 @@ function detectAgents(homeDir2 = os12.homedir()) {
     claudeDesktop: desktopPath !== null && exists(path15.dirname(desktopPath)),
     // Opencode creates ~/.config/opencode lazily on first launch — fall back
     // to a PATH lookup so installed-but-never-launched CLIs are still wired.
-    opencode: exists(path15.join(homeDir2, ".config", "opencode")) || binaryInPath("opencode")
+    opencode: exists(path15.join(homeDir2, ".config", "opencode")) || binaryInPath("opencode"),
+    // Pi (https://pi.dev): config dir is ~/.pi/agent (CONFIG_DIR_NAME=".pi"
+    // + agentDir, verified against opensources/pi-main/packages/coding-agent/
+    // src/config.ts:449,475). The Bun-compiled binary path may create this
+    // dir lazily on first launch — same class of bug as opencode's #186
+    // (design R6) — so fall back to PATH lookup for installed-but-never-
+    // launched pi.
+    pi: exists(path15.join(homeDir2, ".pi", "agent")) || binaryInPath("pi")
   };
 }
 async function setupCursor() {
@@ -7874,6 +8075,59 @@ function teardownOpencode() {
     console.log(chalk.blue("  \u2139\uFE0F  No node9 entries found in ~/.config/opencode/opencode.json"));
   }
 }
+async function setupPi() {
+  seedMcpPinsIfMissing();
+  const homeDir2 = os12.homedir();
+  const extensionsDir = path15.join(homeDir2, ".pi", "agent", "extensions");
+  const extensionPath = path15.join(extensionsDir, PI_EXTENSION_NAME);
+  try {
+    fs13.mkdirSync(extensionsDir, { recursive: true });
+  } catch (err2) {
+    const code = err2.code;
+    console.log(chalk.yellow(`  \u26A0\uFE0F  Could not create ${extensionsDir}: ${code ?? String(err2)}`));
+    return;
+  }
+  const shimContent = renderPiShim({
+    node9Argv: node9ArgvForShim(),
+    version: node9Version()
+  });
+  const existingShim = (() => {
+    try {
+      return fs13.readFileSync(extensionPath, "utf-8");
+    } catch {
+      return null;
+    }
+  })();
+  if (existingShim === shimContent) {
+    console.log(chalk.blue("  \u2139\uFE0F  Node9 is already fully configured for Pi."));
+    return;
+  }
+  fs13.writeFileSync(extensionPath, shimContent);
+  if (existingShim) {
+    console.log(chalk.yellow("  \u{1F527} Pi extension shim updated to current version"));
+  } else {
+    console.log(
+      chalk.green("  \u2705 Pi extension installed \u2192 tool_call / tool_result / input / user_bash")
+    );
+  }
+  console.log(chalk.green.bold("\u{1F6E1}\uFE0F  Node9 is now protecting Pi!"));
+  console.log(chalk.gray("    Restart Pi for changes to take effect."));
+  printDaemonTip();
+}
+function teardownPi() {
+  const homeDir2 = os12.homedir();
+  const extensionPath = path15.join(homeDir2, ".pi", "agent", "extensions", PI_EXTENSION_NAME);
+  try {
+    if (fs13.existsSync(extensionPath)) {
+      fs13.unlinkSync(extensionPath);
+      console.log(chalk.green("  \u2705 Removed node9 extension from ~/.pi/agent/extensions/"));
+    } else {
+      console.log(chalk.blue("  \u2139\uFE0F  No Pi extension installed \u2014 nothing to remove"));
+    }
+  } catch (err2) {
+    console.log(chalk.yellow(`  \u26A0\uFE0F  Could not remove ${extensionPath}: ${String(err2)}`));
+  }
+}
 function getAgentsStatus(homeDir2 = os12.homedir()) {
   const detected = detectAgents(homeDir2);
   const claudeWired = (() => {
@@ -7976,18 +8230,29 @@ function getAgentsStatus(homeDir2 = os12.homedir()) {
         return !!cfg?.mcp?.["node9"];
       })(),
       mode: detected.opencode ? "hooks" : null
+    },
+    {
+      name: "pi",
+      label: "Pi",
+      installed: detected.pi,
+      // Pi has no MCP path — only the extension file. "wired" is a
+      // simple existence check on the canonical install location.
+      wired: fs13.existsSync(path15.join(homeDir2, ".pi", "agent", "extensions", PI_EXTENSION_NAME)),
+      mode: detected.pi ? "hooks" : null
     }
   ];
 }
-var NODE9_MCP_SERVER_ENTRY, CODEX_PRE_TOOL_MATCHERS, OPENCODE_PLUGIN_NAME;
+var NODE9_MCP_SERVER_ENTRY, CODEX_PRE_TOOL_MATCHERS, OPENCODE_PLUGIN_NAME, PI_EXTENSION_NAME;
 var init_setup = __esm({
   "src/setup.ts"() {
     "use strict";
     init_mcp_pin();
     init_setup_opencode_shim();
+    init_setup_pi_shim();
     NODE9_MCP_SERVER_ENTRY = { command: "node9", args: ["mcp-server"] };
     CODEX_PRE_TOOL_MATCHERS = ["^Bash$", "^apply_patch$", "^mcp__.*"];
     OPENCODE_PLUGIN_NAME = "node9.js";
+    PI_EXTENSION_NAME = "node9.js";
   }
 });
 
@@ -16784,7 +17049,15 @@ function registerLogCommand(program2) {
         const payload = JSON.parse(raw);
         const tool = sanitize3(payload.tool_name ?? payload.name ?? "unknown");
         const rawInput = payload.tool_input ?? payload.args ?? {};
-        const agent = payload.turn_id !== void 0 ? "Codex" : payload.hook_event_name === "PreToolUse" || payload.hook_event_name === "PostToolUse" || payload.tool_use_id !== void 0 || payload.permission_mode !== void 0 ? "Claude Code" : payload.hook_event_name === "BeforeTool" || payload.hook_event_name === "AfterTool" || payload.timestamp !== void 0 ? "Gemini CLI" : void 0;
+        const metaTag = (() => {
+          const m = payload.meta;
+          if (m && typeof m === "object") {
+            const tagged = m.agent;
+            if (typeof tagged === "string" && tagged.length > 0) return tagged;
+          }
+          return void 0;
+        })();
+        const agent = metaTag !== void 0 ? metaTag : payload.turn_id !== void 0 ? "Codex" : payload.hook_event_name === "PreToolUse" || payload.hook_event_name === "PostToolUse" || payload.tool_use_id !== void 0 || payload.permission_mode !== void 0 ? "Claude Code" : payload.hook_event_name === "BeforeTool" || payload.hook_event_name === "AfterTool" || payload.timestamp !== void 0 ? "Gemini CLI" : void 0;
         const entry = {
           ts: (/* @__PURE__ */ new Date()).toISOString(),
           tool,
@@ -18918,11 +19191,13 @@ function registerInitCommand(program2) {
       if (found.length === 0) {
         console.log(
           chalk16.gray(
-            "No AI agents detected. Install Claude Code, Gemini CLI, Cursor, Windsurf, VSCode, or Codex"
+            "No AI agents detected. Install one of the supported agents (Claude Code, Codex, Gemini CLI, Cursor, Windsurf, VSCode, Claude Desktop, Opencode, or Pi)."
           )
         );
         console.log(
-          chalk16.gray("then run: node9 agents add <claude|gemini|cursor|windsurf|vscode|codex>")
+          chalk16.gray(
+            "then run: node9 agents add <claude|codex|gemini|cursor|windsurf|vscode|claudeDesktop|opencode|pi>"
+          )
         );
         return;
       }
@@ -18941,6 +19216,7 @@ function registerInitCommand(program2) {
         else if (agent === "vscode") await setupVSCode();
         else if (agent === "claudeDesktop") await setupClaudeDesktop();
         else if (agent === "opencode") await setupOpencode();
+        else if (agent === "pi") await setupPi();
         console.log("");
       }
       if ((process.platform === "darwin" || process.platform === "linux") && process.stdout.isTTY) {
@@ -20701,7 +20977,8 @@ var SETUP_FN = {
   windsurf: setupWindsurf,
   vscode: setupVSCode,
   claudeDesktop: setupClaudeDesktop,
-  opencode: setupOpencode
+  opencode: setupOpencode,
+  pi: setupPi
 };
 var TEARDOWN_FN = {
   claude: teardownClaude,
@@ -20711,7 +20988,8 @@ var TEARDOWN_FN = {
   windsurf: teardownWindsurf,
   vscode: teardownVSCode,
   claudeDesktop: teardownClaudeDesktop,
-  opencode: teardownOpencode
+  opencode: teardownOpencode,
+  pi: teardownPi
 };
 var AGENT_NAMES = Object.keys(SETUP_FN);
 function registerAgentsCommand(program2) {

package/dist/dashboard.mjs

@@ -3383,6 +3383,13 @@ var init_setup_opencode_shim = __esm({
   }
 });
 
+// src/setup-pi-shim.ts
+var init_setup_pi_shim = __esm({
+  "src/setup-pi-shim.ts"() {
+    "use strict";
+  }
+});
+
 // src/setup.ts
 import chalk2 from "chalk";
 import { confirm } from "@inquirer/prompts";
@@ -3392,6 +3399,7 @@ var init_setup = __esm({
     "use strict";
     init_mcp_pin();
     init_setup_opencode_shim();
+    init_setup_pi_shim();
   }
 });
 

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@node9/proxy",
-  "version": "1.26.3",
-  "description": "The Sudo Command for AI Agents. Execution Security for Claude Code & MCP.",
+  "version": "1.27.1",
+  "description": "The Sudo Command for AI Agents. Execution Security for Claude Code, Codex, Gemini, Cursor, Opencode, Pi, and any MCP server.",
   "main": "./dist/index.js",
   "module": "./dist/index.mjs",
   "types": "./dist/index.d.ts",
@@ -31,13 +31,19 @@
   "homepage": "https://github.com/node9-ai/node9-proxy#readme",
   "keywords": [
     "ai-security",
+    "agent-security",
+    "agentic-ai",
     "mcp",
     "mcp-proxy",
     "claude-code",
+    "claude-desktop",
+    "codex",
     "gemini-cli",
     "cursor",
-    "agentic-ai",
-    "agent-security",
+    "windsurf",
+    "vscode",
+    "opencode",
+    "pi-agent",
     "sudo",
     "security-proxy",
     "human-in-the-loop",