failproofai 0.0.10-beta.8 → 0.0.10

package/lib/opencode-projects.ts

@@ -22,7 +22,6 @@
  *       https://opencode.ai/docs/plugins/  (plugin model context)
  */
 import { execFileSync } from "node:child_process";
-import { basename } from "node:path";
 import { encodeFolderName } from "./paths";
 import type { ProjectFolder, SessionFile } from "./projects";
 import { runtimeCache } from "./runtime-cache";
@@ -91,10 +90,11 @@ function readProjectRows(): OpenCodeProjectRow[] | null {
 
 /**
  * Group sessions by `project_id` and produce one ProjectFolder per project.
- * The folder name comes from `project.name` when set, else `basename(worktree)`,
- * else the project_id (last-resort). `lastModified` is the max session
- * `time_updated` for that project (or the project's own time_updated if no
- * sessions exist yet).
+ * The folder name is `encodeFolderName(worktree)` (matches every other CLI's
+ * URL-slug encoding so the dashboard's `/project/[name]` route resolves), or
+ * the project_id when no worktree is recorded. `lastModified` is the max
+ * session `time_updated` for that project (or the project's own time_updated
+ * if no sessions exist yet).
  */
 export async function getOpenCodeProjects(): Promise<ProjectFolder[]> {
   const sessions = readSessionRows();
@@ -122,13 +122,15 @@ export async function getOpenCodeProjects(): Promise<ProjectFolder[]> {
 
   // Emit one ProjectFolder per project that has at least one session OR a
   // project row (covers projects opencode knows about but hasn't run yet).
+  // `name` is the dashboard's URL slug — must be `encodeFolderName(cwd)` to
+  // match every other CLI (and the resolver in `getOpenCodeSessionsByEncodedName`).
   const seen = new Set<string>();
   const out: ProjectFolder[] = [];
   for (const [projectId, group] of groups) {
     seen.add(projectId);
     const proj = projectMap.get(projectId);
     const worktree = proj?.worktree ?? group.rows[0]?.directory ?? null;
-    const name = proj?.name?.trim() || (worktree ? basename(worktree) : projectId);
+    const name = worktree ? encodeFolderName(worktree) : projectId;
     const path = worktree ?? "";
     const lastModified = new Date(Math.max(group.latest, proj?.time_updated ?? 0));
     out.push({
@@ -143,7 +145,7 @@ export async function getOpenCodeProjects(): Promise<ProjectFolder[]> {
   for (const p of projects ?? []) {
     if (seen.has(p.id)) continue;
     const worktree = p.worktree ?? "";
-    const name = p.name?.trim() || (worktree ? basename(worktree) : p.id);
+    const name = worktree ? encodeFolderName(worktree) : p.id;
     const lastModified = new Date(p.time_updated);
     out.push({
       name,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "failproofai",
-  "version": "0.0.10-beta.8",
+  "version": "0.0.10",
   "description": "The easiest way to manage policies that keep your AI agents reliable, on-task, and running autonomously — for Claude Code & the Agents SDK",
   "bin": {
     "failproofai": "./dist/cli.mjs"
@@ -71,6 +71,7 @@
     "access": "public"
   },
   "devDependencies": {
+    "@anthropic-ai/sdk": "^0.93.0",
     "@tailwindcss/postcss": "^4.1.18",
     "@tanstack/react-virtual": "^3.13.18",
     "@testing-library/jest-dom": "^6.9.1",
@@ -91,7 +92,6 @@
     "tailwind-merge": "^3.4.0",
     "tailwindcss": "^4.1.18",
     "typescript": "^6.0.2",
-    "@anthropic-ai/sdk": "^0.93.0",
     "vitest": "^4.0.18"
   },
   "dependencies": {

package/pi-extension/index.ts

@@ -129,6 +129,36 @@ function canonicalizeToolName(piToolName: string | undefined): string | undefine
   return PI_TOOL_MAP[piToolName] ?? piToolName;
 }
 
+/**
+ * Per-tool input-key translation. Pi's Read / Write / Edit tools deliver
+ * `path` (not `file_path`); failproofai's `block-env-files` and
+ * `block-secrets-write` builtins only read `file_path`, so without this map
+ * they silently no-op on Pi. `block-read-outside-cwd` already has a `path`
+ * fallback so it works either way. Pi's Edit tool nests `edits[{oldText,
+ * newText}]` which doesn't translate flatly to Claude's `{old_string,
+ * new_string}` — we only map the top-level `path`; the nested array stays
+ * Pi-shape (no current builtin reads it).
+ *
+ * Keep in sync with PI_TOOL_INPUT_MAP in src/hooks/types.ts.
+ */
+const PI_TOOL_INPUT_MAP: Record<string, Record<string, string>> = {
+  Read: { path: "file_path" },
+  Write: { path: "file_path" },
+  Edit: { path: "file_path" },
+};
+
+function canonicalizeToolInput(
+  canonicalToolName: string | undefined,
+  args: Record<string, unknown> | undefined,
+): Record<string, unknown> | undefined {
+  if (!args || typeof args !== "object" || !canonicalToolName) return args;
+  const map = PI_TOOL_INPUT_MAP[canonicalToolName];
+  if (!map) return args;
+  const out: Record<string, unknown> = {};
+  for (const k of Object.keys(args)) out[map[k] ?? k] = args[k];
+  return out;
+}
+
 /** Resolve the cwd for the policy payload. Pi events don't include cwd, so
  *  fall back to the extension's process.cwd() — which is where Pi was
  *  launched and where `.failproofai/` config lives. */
@@ -201,6 +231,24 @@ function discoverPiSessionId(cwd: string): string | undefined {
  *  across multiple workspace roots) can't cross-attribute. Cleared on
  *  session_shutdown reasons `new`/`resume`/`fork` (Pi reuses the process). */
 const cachedSessionIdByCwd = new Map<string, string>();
+
+/** Pending Stop-policy deny reason from agent_end, keyed by sessionId.
+ *  Drained by before_agent_start on the next user turn in the same Pi
+ *  process. Cleared on every session_shutdown.
+ *
+ *  Why this exists: Pi's agent_end has no Result type — the agent loop
+ *  has already exited when it fires, so a deny return cannot keep Pi
+ *  running the way Claude's exit-2-from-Stop does. The closest analog
+ *  is to capture the deny here and re-inject it as a MANDATORY ACTION
+ *  system-prompt addition on the NEXT before_agent_start, which fires
+ *  after the user submits a prompt but before the agent loop runs.
+ *  Best-effort: bounded by the Pi process lifetime — same bound Claude
+ *  has on exit-2-from-Stop (kill the agent and the gate is missed).
+ *
+ *  Why per-session not per-cwd: a Pi process can host multiple sessions
+ *  via /resume and /fork; per-cwd would cross-attribute a stale block
+ *  from a prior session into a fresh one. */
+const pendingStopBlockBySession = new Map<string, string>();
 function resolveSessionId(eventSessionId: string | undefined, cwd: string): string | undefined {
   if (eventSessionId) {
     cachedSessionIdByCwd.set(cwd, eventSessionId);
@@ -272,6 +320,17 @@ interface PiAgentEndEvent {
   sessionId?: string;
 }
 
+/** Pi v0.73.x before_agent_start event payload. Fires once per turn,
+ *  after the user submits a prompt but before the agent loop runs. */
+interface PiBeforeAgentStartEvent {
+  type?: string;
+  prompt?: string;
+  /** The fully assembled system prompt for this turn — we append to it. */
+  systemPrompt?: string;
+  cwd?: string;
+  sessionId?: string;
+}
+
 interface PiExtensionApi {
   on(event: string, handler: (event: unknown) => unknown): void;
 }
@@ -280,9 +339,10 @@ export default function failproofaiBridge(pi: PiExtensionApi) {
   // tool_call → PreToolUse. Block tool execution when failproofai denies.
   pi.on("tool_call", (event: unknown): unknown => {
     const e = event as PiToolCallEvent;
+    const canonicalTool = canonicalizeToolName(e.toolName);
     const decision = callPolicy("tool_call", {
-      tool_name: canonicalizeToolName(e.toolName),
-      tool_input: e.input,
+      tool_name: canonicalTool,
+      tool_input: canonicalizeToolInput(canonicalTool, e.input),
       session_id: resolveSessionId(e.sessionId, resolveCwd(e.cwd)),
       cwd: resolveCwd(e.cwd),
       hook_event_name: "PreToolUse",
@@ -341,9 +401,10 @@ export default function failproofaiBridge(pi: PiExtensionApi) {
   // the activity store + stderr — but Pi keeps the original tool result.
   pi.on("tool_result", (event: unknown): unknown => {
     const e = event as PiToolResultEvent;
+    const canonicalTool = canonicalizeToolName(e.toolName);
     callPolicy("tool_result", {
-      tool_name: canonicalizeToolName(e.toolName),
-      tool_input: e.input ?? {},
+      tool_name: canonicalTool,
+      tool_input: canonicalizeToolInput(canonicalTool, e.input) ?? {},
       tool_response: { content: e.content, isError: e.isError },
       session_id: resolveSessionId(e.sessionId, resolveCwd(e.cwd)),
       cwd: resolveCwd(e.cwd),
@@ -352,21 +413,51 @@ export default function failproofaiBridge(pi: PiExtensionApi) {
     return undefined;
   });
 
-  // agent_end → Stop. Observation-only on Pi: the agent loop has already
-  // exited when this fires, so a deny decision cannot keep Pi running the
-  // way Claude's exit-2-from-Stop can. We still forward so the 5
-  // require-*-before-stop builtins run and log their findings (visible in
-  // the dashboard's activity feed and stderr) — best-effort visibility.
+  // agent_end → Stop. Pi cannot veto agent_end (the agent loop has already
+  // exited when this fires — see the AgentEndEvent typedef in pi-coding-agent
+  // which has NO Result type). Instead we capture any deny reason and stash
+  // it keyed by sessionId for the next before_agent_start handler to drain.
+  // The 5 require-*-before-stop builtins thus enforce by gating the NEXT
+  // user turn's system prompt rather than by retrying the same loop. If the
+  // user kills Pi between turns, the gate is missed — same bound Claude has.
   pi.on("agent_end", (event: unknown): unknown => {
     const e = event as PiAgentEndEvent;
-    callPolicy("agent_end", {
-      session_id: resolveSessionId(e.sessionId, resolveCwd(e.cwd)),
-      cwd: resolveCwd(e.cwd),
+    const cwd = resolveCwd(e.cwd);
+    const sessionId = resolveSessionId(e.sessionId, cwd);
+    const decision = callPolicy("agent_end", {
+      session_id: sessionId,
+      cwd,
       hook_event_name: "Stop",
     });
+    if (decision.block && decision.reason && sessionId) {
+      pendingStopBlockBySession.set(sessionId, decision.reason);
+      debug(`agent_end deny stored for session=${sessionId}`);
+    }
     return undefined;
   });
 
+  // before_agent_start → drain any pending Stop-policy deny captured at
+  // agent_end. This is Pi's only first-class channel to influence the next
+  // turn before the LLM call: the result type accepts a `systemPrompt`
+  // replacement (chained across extensions) and an optional injected
+  // CustomMessage. We only return systemPrompt — sufficient for the LLM to
+  // see the MANDATORY ACTION directive immediately, and avoids polluting the
+  // visible conversation history with framework chrome. The reason text
+  // already carries the policy-attributed MANDATORY ACTION wording from
+  // policy-evaluator's Pi-Stop branch.
+  pi.on("before_agent_start", (event: unknown): unknown => {
+    const e = event as PiBeforeAgentStartEvent;
+    const cwd = resolveCwd(e.cwd);
+    const sessionId = resolveSessionId(e.sessionId, cwd);
+    if (!sessionId) return undefined;
+    const pending = pendingStopBlockBySession.get(sessionId);
+    if (!pending) return undefined;
+    pendingStopBlockBySession.delete(sessionId);
+    debug(`before_agent_start drains stop-block for session=${sessionId}`);
+    const base = e.systemPrompt ?? "";
+    return { systemPrompt: `${base}\n\n${pending}` };
+  });
+
   // session_shutdown → SessionEnd. Observation-only; emits a SessionEnd
   // record so per-session telemetry has a clean close. Reset the per-cwd
   // sessionId cache for shutdown reasons that mean "Pi is starting a new
@@ -382,9 +473,19 @@ export default function failproofaiBridge(pi: PiExtensionApi) {
       reason: e.reason,
       hook_event_name: "SessionEnd",
     });
+    // Capture sessionId BEFORE the cache reset so we delete the pending
+    // entry under the just-ending session's id. After resetSessionIdCache,
+    // a subsequent resolveSessionId would re-discover from disk and could
+    // bind to a different (stale) file — wrong key for the cleanup below.
+    const sessionId = resolveSessionId(e.sessionId, cwd);
     if (e.reason === "new" || e.reason === "resume" || e.reason === "fork") {
       resetSessionIdCache(cwd);
     }
+    // Drop any pending Stop-policy deny for this session on every shutdown
+    // reason — `quit` ends the session for good (don't leak the entry into
+    // GC); `new`/`resume`/`fork` start a different session in the same
+    // process and must not inherit the prior session's gate.
+    if (sessionId) pendingStopBlockBySession.delete(sessionId);
     return undefined;
   });
 }

package/scripts/launch.ts

@@ -1,7 +1,6 @@
 /**
  * Shared launch logic for dev.ts and start.ts.
  */
-import { getDefaultClaudeProjectsPath } from "../lib/paths";
 import { spawn } from "child_process";
 import { realpathSync, existsSync } from "node:fs";
 import { resolve, dirname } from "node:path";
@@ -11,31 +10,17 @@ import { diagnoseShadow } from "./install-diagnosis.mjs";
 import { version } from "../package.json";
 
 export function launch(mode: "dev" | "start"): void {
-  const { claudeProjectsPath: parsedPath, loggingLevel, disableTelemetry, allowedDevOrigins, remainingArgs } = parseScriptArgs(process.argv.slice(2));
+  const { loggingLevel, disableTelemetry, allowedDevOrigins, remainingArgs } = parseScriptArgs(process.argv.slice(2));
 
-  console.log(`
-    ______      _ __                       ____   ___    ____
-   / ____/___ _(_) /___  _________  ____  / __/  /   |  /  _/
-  / /_  / __ \`/ / / __ \\/ ___/ __ \\/ __ \\/ /_   / /| |  / /
- / __/ / /_/ / / / /_/ / /  / /_/ / /_/ / __/  / ___ |_/ /
-/_/    \\__,_/_/_/ .___/_/   \\____/\\____/_/    /_/  |_/___/
-               /_/   v${version}
-`);
+  // Plain-text title + a labeled `Version` line that lines up with the
+  // `Star us` / `Docs` / `Slack` lines below (all four labels pad to the
+  // same column so the values form a clean right-hand column).
+  console.log(`\n  failproof ai\n`);
+  console.log(`  📦 Version:      ${version}`);
   console.log(`  ⭐ Star us:      https://github.com/exospherehost/failproofai`);
   console.log(`  📖 Docs:         https://befailproof.ai`);
   console.log(`  💬 Slack:        https://join.slack.com/t/failproofai/shared_invite/zt-3v63b7k5e-O3NBHmj8X6n9gZSGDx6ggQ\n`);
 
-  let claudeProjectsPath = parsedPath;
-
-  if (!claudeProjectsPath) {
-    claudeProjectsPath = getDefaultClaudeProjectsPath();
-    console.log(`Using default .claude projects path: ${claudeProjectsPath}`);
-  } else {
-    console.log(`Using custom .claude projects path: ${claudeProjectsPath}`);
-  }
-
-  process.env.CLAUDE_PROJECTS_PATH = claudeProjectsPath;
-
   let cmd: string;
   let cmdArgs: string[];
   if (mode === "start") {
@@ -98,7 +83,6 @@ export function launch(mode: "dev" | "start"): void {
     stdio: "inherit",
     env: {
       ...process.env,
-      CLAUDE_PROJECTS_PATH: claudeProjectsPath,
       ...(loggingLevel ? { FAILPROOFAI_LOG_LEVEL: loggingLevel } : {}),
       ...(disableTelemetry ? { FAILPROOFAI_TELEMETRY_DISABLED: "1" } : {}),
       ...(allowedDevOrigins ? { FAILPROOFAI_ALLOWED_DEV_ORIGINS: allowedDevOrigins.join(",") } : {}),

package/scripts/parse-script-args.ts

@@ -4,7 +4,6 @@
 import { resolve } from "path";
 
 export interface ParsedScriptArgs {
-  claudeProjectsPath: string | undefined;
   loggingLevel: string | undefined;
   disableTelemetry: boolean;
   allowedDevOrigins: string[] | undefined;
@@ -30,7 +29,6 @@ function parseStringFlag(
 
 export function parseScriptArgs(argv: string[]): ParsedScriptArgs {
   const args = [...argv];
-  let claudeProjectsPath: string | undefined;
   let loggingLevel: string | undefined;
   let disableTelemetry = false;
   let allowedDevOrigins: string[] | undefined;
@@ -42,14 +40,6 @@ export function parseScriptArgs(argv: string[]): ParsedScriptArgs {
     const flag = eqIdx >= 0 ? arg.slice(0, eqIdx) : arg;
     const inlineValue = eqIdx >= 0 ? arg.slice(eqIdx + 1) : null;
 
-    if (flag === "--projects-path" || flag === "-p") {
-      const { value, spliceCount } = parseStringFlag(flag, "a path argument", inlineValue, args, i);
-      claudeProjectsPath = value;
-      args.splice(i, spliceCount);
-      i--;
-      continue;
-    }
-
     if (flag === "--logging") {
       const raw = inlineValue ?? args[i + 1];
       if (raw === undefined || (inlineValue === null && raw.startsWith("-"))) {
@@ -83,5 +73,5 @@ export function parseScriptArgs(argv: string[]): ParsedScriptArgs {
     }
   }
 
-  return { claudeProjectsPath, loggingLevel, disableTelemetry, allowedDevOrigins, remainingArgs: args };
+  return { loggingLevel, disableTelemetry, allowedDevOrigins, remainingArgs: args };
 }

package/scripts/translate-docs/config.ts

@@ -73,7 +73,6 @@ export const DO_NOT_TRANSLATE = [
   "--scope",
   "--port",
   "--strict",
-  "--projects-path",
   "--allowed-origins",
   // Policy names
   "block-sudo",

package/src/hooks/handler.ts

@@ -23,6 +23,10 @@ import {
   COPILOT_TOOL_MAP,
   CURSOR_TOOL_MAP,
   CODEX_TOOL_MAP,
+  OPENCODE_TOOL_MAP,
+  OPENCODE_TOOL_INPUT_MAP,
+  PI_TOOL_MAP,
+  PI_TOOL_INPUT_MAP,
 } from "./types";
 import type { PolicyFunction, PolicyResult } from "./policy-types";
 import { readMergedHooksConfig } from "./hooks-config";
@@ -87,9 +91,13 @@ function canonicalizeEventType(raw: string, cli: IntegrationType): HookEventType
  *   • Cursor:   PascalCase per Cursor docs but uses `Shell` for the bash-
  *               equivalent — CURSOR_TOOL_MAP rewrites `Shell → Bash`; other
  *               tool names already canonical and pass through
- *   • OpenCode: handled in the OpenCode plugin shim (in-process,
- *               self-contained) before the JSON crosses to this binary
- *   • Pi:       handled in the Pi extension shim (same)
+ *   • OpenCode: lowercase IDs (`bash`, `read`, …) — OPENCODE_TOOL_MAP. The
+ *               OpenCode plugin shim ALSO canonicalizes inline as defense-in-
+ *               depth; both passes are idempotent. Handler-side coverage
+ *               here means a stale user-scope shim that pre-dates #337 still
+ *               gets the canonicalization, without forcing a re-install.
+ *   • Pi:       lowercase IDs (`bash`, `read`, …) — PI_TOOL_MAP. Same dual-
+ *               canonicalization story as OpenCode (shim + handler).
  *   • Gemini:   snake_case — GEMINI_TOOL_MAP
  *
  * Unknown tool names (MCP `mcp_*`, third-party extensions, Skills) pass
@@ -101,9 +109,48 @@ function canonicalizeToolName(raw: string | undefined, cli: IntegrationType): st
   if (cli === "cursor") return CURSOR_TOOL_MAP[raw] ?? raw;
   if (cli === "codex") return CODEX_TOOL_MAP[raw] ?? raw;
   if (cli === "gemini") return GEMINI_TOOL_MAP[raw] ?? raw;
+  if (cli === "opencode") return OPENCODE_TOOL_MAP[raw] ?? raw;
+  if (cli === "pi") return PI_TOOL_MAP[raw] ?? raw;
   return raw;
 }
 
+/**
+ * Canonicalize per-CLI tool-input keys to the snake_case shape that builtin
+ * policies read (e.g. `file_path`, `old_string`). OpenCode delivers args as
+ * camelCase (`filePath`, `oldString`, `newString`, `replaceAll`); Pi delivers
+ * `path` for Read/Write/Edit. Without translation, `getFilePath()` reads "" and
+ * the path-checking builtins (`block-read-outside-cwd`, `block-env-files`,
+ * `block-secrets-write`) silently no-op.
+ *
+ * Both CLIs' shims canonicalize inline before the JSON crosses to this binary.
+ * Handler-side coverage here is defense-in-depth: a user-scope shim that pre-
+ * dates #337 still passes the raw camelCase keys, and we want those installs
+ * to start enforcing the moment failproofai upgrades — without requiring a
+ * `failproofai policies --install --cli opencode` re-run.
+ *
+ * Idempotent: when the shim already canonicalized, the keys are snake_case
+ * and the per-tool map's camelCase keys don't match, so the loop is a no-op.
+ *
+ * Tools outside the per-CLI map (MCP `mcp_*`, third-party extensions) pass
+ * through unchanged so their schemas aren't corrupted.
+ */
+function canonicalizeToolInput(
+  toolName: string | undefined,
+  rawInput: unknown,
+  cli: IntegrationType,
+): unknown {
+  if (!toolName || !rawInput || typeof rawInput !== "object") return rawInput;
+  let perToolMap: Record<string, string> | undefined;
+  if (cli === "opencode") perToolMap = OPENCODE_TOOL_INPUT_MAP[toolName];
+  else if (cli === "pi") perToolMap = PI_TOOL_INPUT_MAP[toolName];
+  if (!perToolMap) return rawInput;
+  const out: Record<string, unknown> = {};
+  for (const [k, v] of Object.entries(rawInput as Record<string, unknown>)) {
+    out[perToolMap[k] ?? k] = v;
+  }
+  return out;
+}
+
 export async function handleHookEvent(
   eventType: string,
   cli: IntegrationType = "claude",
@@ -151,15 +198,25 @@ export async function handleHookEvent(
 
   // Canonicalize tool name in place so both the policy-registry tool-name
   // filter and policy bodies (`ctx.toolName === "Bash"`) see the canonical
-  // form. Today only Gemini's snake_case names need translation; other CLIs
-  // are no-ops here. Mutating `parsed.tool_name` keeps the activity store +
-  // telemetry tagging consistent (they read from `parsed.tool_name`).
+  // form. Mutating `parsed.tool_name` keeps the activity store + telemetry
+  // tagging consistent (they read from `parsed.tool_name`).
   const rawToolName = parsed.tool_name as string | undefined;
   const canonicalToolName = canonicalizeToolName(rawToolName, cli);
   if (canonicalToolName !== rawToolName) {
     parsed.tool_name = canonicalToolName;
   }
 
+  // Canonicalize tool-input keys for OpenCode + Pi (no-op for other CLIs).
+  // Defense-in-depth against stale shims that still pass camelCase /
+  // Pi-shape keys to the binary. The per-CLI shim ALSO canonicalizes; both
+  // passes are idempotent because the camelCase keys won't match a
+  // snake_case input.
+  const rawInput = parsed.tool_input;
+  const canonicalInput = canonicalizeToolInput(canonicalToolName, rawInput, cli);
+  if (canonicalInput !== rawInput) {
+    parsed.tool_input = canonicalInput;
+  }
+
   // Extract session metadata from payload
   const sessionId = parsed.session_id as string | undefined;
   const session: SessionMetadata = {

package/src/hooks/integrations.ts

@@ -750,6 +750,28 @@ function canonicalizeTool(raw) {
   return TOOL_NAME_MAP[raw] != null ? TOOL_NAME_MAP[raw] : raw;
 }
 
+// Per-tool input-key translation: opencode native tools deliver args as
+// camelCase (\`filePath\`, \`oldString\`, …) but failproofai builtin policies
+// (\`block-read-outside-cwd\`, \`block-env-files\`, \`block-secrets-write\`)
+// read \`ctx.toolInput.file_path\` etc. Without this map every Read/Write/Edit
+// path-check silently no-ops on opencode. Keys are PascalCase canonical tool
+// names so the lookup pairs with canonicalizeTool's output. Tools outside the
+// map (MCP \`mcp_*\`, plugins) pass through unchanged. Keep in sync with
+// OPENCODE_TOOL_INPUT_MAP in failproofai/src/hooks/types.ts.
+const TOOL_INPUT_MAP = {
+  Read: { filePath: "file_path" },
+  Write: { filePath: "file_path" },
+  Edit: { filePath: "file_path", oldString: "old_string", newString: "new_string", replaceAll: "replace_all" },
+};
+function canonicalizeToolInput(canonicalToolName, args) {
+  if (!args || typeof args !== "object") return args;
+  const map = TOOL_INPUT_MAP[canonicalToolName];
+  if (!map) return args;
+  const out = {};
+  for (const k of Object.keys(args)) out[map[k] != null ? map[k] : k] = args[k];
+  return out;
+}
+
 const FAILPROOFAI_BIN = ${escapedBin};
 const USE_NPX = ${useNpx};
 
@@ -848,11 +870,12 @@ export default async function failproofaiPlugin({ client, directory }) {
 
     // First-class PreToolUse hook. Note: tool args live on output.args (mutable).
     "tool.execute.before": async (input, output) => {
+      const canonicalTool = canonicalizeTool(input.tool);
       const r = runFailproofai("PreToolUse", {
         session_id: input.sessionID,
         cwd: directory,
-        tool_name: canonicalizeTool(input.tool),
-        tool_input: output.args,
+        tool_name: canonicalTool,
+        tool_input: canonicalizeToolInput(canonicalTool, output.args),
         hook_event_name: "PreToolUse",
       }, directory);
       await applyDecision(r, { client, sessionID: input.sessionID }, "PreToolUse");
@@ -860,11 +883,12 @@ export default async function failproofaiPlugin({ client, directory }) {
 
     // First-class PostToolUse hook. Note: tool args live on input.args here.
     "tool.execute.after": async (input, output) => {
+      const canonicalTool = canonicalizeTool(input.tool);
       const r = runFailproofai("PostToolUse", {
         session_id: input.sessionID,
         cwd: directory,
-        tool_name: canonicalizeTool(input.tool),
-        tool_input: input.args,
+        tool_name: canonicalTool,
+        tool_input: canonicalizeToolInput(canonicalTool, input.args),
         tool_response: { title: output.title, output: output.output, metadata: output.metadata },
         hook_event_name: "PostToolUse",
       }, directory);
@@ -873,11 +897,12 @@ export default async function failproofaiPlugin({ client, directory }) {
 
     // Cleaner deny UX for prompted tools — mutate output.status instead of throwing.
     "permission.ask": async (input, output) => {
+      const canonicalTool = canonicalizeTool(input.tool);
       const r = runFailproofai("PermissionRequest", {
         session_id: input.sessionID,
         cwd: directory,
-        tool_name: canonicalizeTool(input.tool) || input.command || "permission",
-        tool_input: input,
+        tool_name: canonicalTool || input.command || "permission",
+        tool_input: canonicalizeToolInput(canonicalTool, input),
         hook_event_name: "PermissionRequest",
       }, directory);
       try {

package/src/hooks/policy-evaluator.ts

@@ -184,8 +184,22 @@ export async function evaluatePolicies(
       // and translates `permission === "deny"` into a `{block: true, reason}`
       // return value from its `pi.on("tool_call", ...)` handler. Pi has no
       // event-specific decision wrappers, so all events flow through the
-      // same flat shape.
+      // same flat shape — except Stop, where we emit the MANDATORY ACTION
+      // wording so the shim can re-inject it as a system-prompt suffix on
+      // the next before_agent_start (Pi cannot veto agent_end directly).
+      // Mirrors the Cursor/Gemini/Copilot/OpenCode Stop branches above.
       if (session?.cli === "pi") {
+        if (eventType === "Stop") {
+          const reasonText = `MANDATORY ACTION REQUIRED from failproofai (policy: ${policy.name}): ${reason}\n\nYou MUST complete the above action NOW. Do NOT ask the user for confirmation — execute the required action, then attempt to finish your task again.`;
+          return {
+            exitCode: 0,
+            stdout: JSON.stringify({ permission: "deny", reason: reasonText }),
+            stderr: "",
+            policyName: policy.name,
+            reason,
+            decision: "deny",
+          };
+        }
         const response = {
           permission: "deny",
           reason: blockedMessage,
@@ -416,8 +430,26 @@ export async function evaluatePolicies(
     // Pi: instruct emits `{permission: "allow", reason}`. The shim won't
     // block (no `"deny"`); it surfaces `reason` to the user where possible
     // (Pi has no first-class `additional_context` channel in its tool-call
-    // return shape, so we log it).
+    // return shape, so we log it). Stop is the exception — we emit a
+    // `permission: "deny"` with the MANDATORY ACTION wording so the shim
+    // captures it for next-turn before_agent_start injection. Same handoff
+    // contract as the deny branch above.
     if (session?.cli === "pi") {
+      if (eventType === "Stop") {
+        const policyAttribution = policyNames.length === 1
+          ? `policy: ${policyNames[0]}`
+          : `policies: ${policyNames.join(", ")}`;
+        const reasonText = `MANDATORY ACTION REQUIRED from failproofai (${policyAttribution}): ${combined}\n\nYou MUST complete the above action(s) NOW. Do NOT ask the user for confirmation — execute the required action(s), then attempt to finish your task again.`;
+        return {
+          exitCode: 0,
+          stdout: JSON.stringify({ permission: "deny", reason: reasonText }),
+          stderr: "",
+          policyName: policyNames[0],
+          policyNames,
+          reason: combined,
+          decision: "instruct",
+        };
+      }
       const response = {
         permission: "allow",
         reason: `Instruction from failproofai: ${combined}`,

package/src/hooks/types.ts

@@ -279,6 +279,32 @@ export const OPENCODE_TOOL_MAP: Record<string, string> = {
   todoread: "TodoRead",
 };
 
+/**
+ * Per-tool input-key translation: OpenCode camelCase → Claude snake_case,
+ * keyed by canonical (PascalCase) tool name so it pairs naturally with the
+ * output of OPENCODE_TOOL_MAP. Without this, builtin policies that read
+ * `ctx.toolInput.file_path` (`block-read-outside-cwd`, `block-env-files`,
+ * `block-secrets-write`) silently no-op on every OpenCode Read/Write/Edit
+ * call because OpenCode's native tools deliver args as `filePath` / `oldString`
+ * / `newString` / `replaceAll`.
+ *
+ * Tools outside this set (MCP `mcp_*`, third-party plugins) pass through
+ * unchanged so their schemas aren't corrupted. Mirrored inline in the shim
+ * template at src/hooks/integrations.ts:buildOpenCodePluginShim — the shim
+ * must be self-contained because opencode loads it as a JS module — so any
+ * change here MUST be mirrored there.
+ */
+export const OPENCODE_TOOL_INPUT_MAP: Record<string, Record<string, string>> = {
+  Read: { filePath: "file_path" },
+  Write: { filePath: "file_path" },
+  Edit: {
+    filePath: "file_path",
+    oldString: "old_string",
+    newString: "new_string",
+    replaceAll: "replace_all",
+  },
+};
+
 // ── Pi (pi-coding-agent) ───────────────────────────────────────────────────
 //
 // Pi loads TypeScript extensions from packages registered in `.pi/settings.json`
@@ -364,6 +390,32 @@ export const PI_TOOL_MAP: Record<string, string> = {
   grep: "Grep",
 };
 
+/**
+ * Per-tool input-key translation: Pi's tool args use `path` for Read / Write /
+ * Edit (see https://github.com/earendil-works/pi packages/coding-agent/src/core/tools)
+ * but failproofai builtins read `ctx.toolInput.file_path`. `block-read-outside-cwd`
+ * already has a `ctx.toolInput.path` fallback (`src/hooks/builtin-policies.ts:796`)
+ * so it works on Pi via that path; without this map, however,
+ * `block-env-files` and `block-secrets-write` — which only check
+ * `ctx.toolInput.file_path` via `getFilePath()` — silently no-op on Pi.
+ *
+ * Pi's Edit tool delivers a nested `edits: [{oldText, newText}, …]` array
+ * shape that doesn't translate flatly to Claude's `{old_string, new_string,
+ * replace_all}`, so only the top-level `path` is mapped. Edit-content
+ * checks (sanitize-* on the edit body) remain Pi-shape — none of today's
+ * builtins look at the edit body. Tools outside this set pass through
+ * unchanged.
+ *
+ * Mirrored inline in pi-extension/index.ts (the extension must be self-
+ * contained — Pi loads it as an in-process JS module), so any change here
+ * MUST be mirrored there.
+ */
+export const PI_TOOL_INPUT_MAP: Record<string, Record<string, string>> = {
+  Read: { path: "file_path" },
+  Write: { path: "file_path" },
+  Edit: { path: "file_path" },
+};
+
 // ── Gemini CLI ─────────────────────────────────────────────────────────────
 //
 // Gemini CLI's hook contract is the closest thing to a Claude Code clone we've