failproofai 0.0.9 → 0.0.10-beta.0

package/pi-extension/index.ts

@@ -0,0 +1,373 @@
+/**
+ * failproofai policy bridge for Pi (pi-coding-agent).
+ *
+ * This extension is loaded by Pi at startup and registered via
+ * `pi install <abs-path-to-this-dir> [-l]` (or by hand-authoring an entry in
+ * `<scope>/.pi/settings.json`). It subscribes to Pi's `tool_call`, `user_bash`,
+ * `input`, and `session_start` events and forwards them to the failproofai
+ * binary as `failproofai --hook <Event> --cli pi`. failproofai prints a
+ * decision JSON to stdout; this shim parses it and translates into Pi's
+ * `{ block: true, reason }` return shape so policy `deny` decisions cancel
+ * tool execution.
+ *
+ * Marker comment for failproofai's installer detection (do not remove):
+ *   __failproofai_hook__: true
+ *
+ * Binary resolution. failproofai ships two entrypoints:
+ *   • dist/cli.mjs — bundled, node-compatible (production npm install)
+ *   • bin/failproofai.mjs — source, requires `bun` (dev / monorepo)
+ *
+ * dist/cli.mjs is preferred because spawning `node bin/failproofai.mjs`
+ * fails with ERR_IMPORT_ATTRIBUTE_MISSING (the source `import package.json`
+ * needs `with { type: "json" }` under node, which bun handles transparently
+ * but the build:cli step transpiles away in dist/cli.mjs). When dist/cli.mjs
+ * isn't present, fall back to running bin/failproofai.mjs with `bun`. Pi
+ * spawns extensions with an undefined cwd contract, so paths are resolved
+ * relative to this file via `import.meta.url`, NOT process.cwd().
+ */
+import { spawnSync } from "node:child_process";
+import { resolve, dirname, join } from "node:path";
+import { fileURLToPath } from "node:url";
+import { existsSync, readdirSync, statSync } from "node:fs";
+import { homedir } from "node:os";
+
+const HERE = dirname(fileURLToPath(import.meta.url));
+const DIST_BIN = resolve(HERE, "..", "dist", "cli.mjs");
+const SRC_BIN = resolve(HERE, "..", "bin", "failproofai.mjs");
+// Prefer the bundled dist/cli.mjs (node-compatible); fall back to source +
+// bun for dev workflows where dist/ hasn't been built yet.
+function resolveSpawn(): { cmd: string; args: string[] } {
+  if (process.env.FAILPROOFAI_BINARY_OVERRIDE) {
+    return { cmd: "node", args: [process.env.FAILPROOFAI_BINARY_OVERRIDE] };
+  }
+  if (existsSync(DIST_BIN)) {
+    return { cmd: "node", args: [DIST_BIN] };
+  }
+  return { cmd: "bun", args: [SRC_BIN] };
+}
+
+interface PolicyDecision {
+  permission?: "allow" | "deny";
+  reason?: string;
+}
+
+/**
+ * Spawn `failproofai --hook <eventName> --cli pi`, write the JSON payload to
+ * stdin, and parse the flat `{permission, reason}` JSON we expect failproofai
+ * to print on stdout. Fail-open on any subprocess / parse error.
+ */
+/** Optional stderr trace for debugging the shim. Enabled with
+ *  FAILPROOFAI_PI_DEBUG=1; silent otherwise. */
+function debug(msg: string): void {
+  if (process.env.FAILPROOFAI_PI_DEBUG === "1") {
+    process.stderr.write(`[failproofai-pi-shim] ${msg}\n`);
+  }
+}
+
+function callPolicy(eventName: string, payload: unknown): { block: boolean; reason: string } {
+  const { cmd, args } = resolveSpawn();
+  debug(`callPolicy event=${eventName} cmd=${cmd}`);
+  try {
+    const result = spawnSync(
+      cmd,
+      [...args, "--hook", eventName, "--cli", "pi"],
+      {
+        input: JSON.stringify(payload),
+        encoding: "utf8",
+        timeout: 60_000,
+      },
+    );
+    if (result.status !== 0) return { block: false, reason: "" };
+    const stdout = (result.stdout || "").trim();
+    if (!stdout) return { block: false, reason: "" };
+    const parsed = JSON.parse(stdout) as PolicyDecision;
+    if (parsed.permission === "deny") {
+      debug(`DENY reason=${parsed.reason}`);
+      return { block: true, reason: parsed.reason ?? "Blocked by failproofai" };
+    }
+  } catch (err) {
+    debug(`EXCEPTION ${err instanceof Error ? err.message : String(err)}`);
+    // Fail-open: never block tool execution because of an infra failure.
+  }
+  return { block: false, reason: "" };
+}
+
+interface PiToolCallEvent {
+  type?: string;
+  toolName?: string;
+  toolCallId?: string;
+  input?: Record<string, unknown>;
+  cwd?: string;
+  sessionId?: string;
+}
+
+/**
+ * Pi emits tool names in lowercase (`bash`, `read`, `edit`, `write`).
+ * failproofai's builtin policies match on Claude-shaped capitalized names
+ * (`Bash`, `Read`, `Edit`, `Write`). Map between the two so existing
+ * tool-name match clauses fire on Pi sessions.
+ */
+function canonicalizeToolName(piToolName: string | undefined): string | undefined {
+  if (!piToolName) return undefined;
+  return piToolName.charAt(0).toUpperCase() + piToolName.slice(1);
+}
+
+/** Resolve the cwd for the policy payload. Pi events don't include cwd, so
+ *  fall back to the extension's process.cwd() — which is where Pi was
+ *  launched and where `.failproofai/` config lives. */
+function resolveCwd(eventCwd: string | undefined): string {
+  return eventCwd ?? process.cwd();
+}
+
+/**
+ * Pi (verified empirically against pi-coding-agent v0.71.1) does NOT
+ * populate `event.sessionId` on any of its events — `session_start`,
+ * `tool_call`, `user_bash`, `input`, `tool_result`, `agent_end`,
+ * `session_shutdown` all leave it undefined. Without help the shim can't
+ * tag activity records with a session id, so the dashboard renders
+ * `Session ID: —` for every Pi row.
+ *
+ * What Pi DOES do: at session start it creates a JSONL transcript at
+ * `~/.pi/agent/sessions/<encodedCwd>/<isoTimestamp>_<uuid>.jsonl` where
+ * the filename encodes the sessionId. We discover ours by scanning the
+ * encoded-cwd directory for the most-recently-modified matching file.
+ *
+ * Strategy: scan once and cache. Pi runs one session per process so the
+ * cache is per-process and lives for the session's lifetime. If Pi ever
+ * multiplexes, we'd need a keyed map.
+ */
+const PI_FILE_RE = /^[\d-]+T[\d-]+Z_([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\.jsonl$/i;
+
+/** Encode a cwd into Pi's on-disk session-dir name. Pi strips the leading
+ *  `/` before replacing remaining slashes with `-`, e.g.
+ *  `/home/u/repo` → `--home-u-repo--`. */
+function piEncodeCwd(cwd: string): string {
+  const inner = cwd.replace(/^\/+/, "").replace(/\//g, "-");
+  return `--${inner}--`;
+}
+
+/** Process start boundary — files older than this aren't from the current
+ *  Pi session. Captured at module load so cold-start in a cwd with stale
+ *  transcripts doesn't pin a previous session's UUID. We allow a small
+ *  tolerance below `processStartMs` because mtime resolution and clock
+ *  skew can put a "current" file's mtime a few hundred ms before module
+ *  load on slow startup. */
+const PROCESS_START_MS = Date.now();
+const STALE_TOLERANCE_MS = 2_000;
+
+/** Find the newest `<ts>_<uuid>.jsonl` file under `~/.pi/agent/sessions/<encodedCwd>/`
+ *  whose mtime indicates it belongs to the CURRENT Pi process (≥ process
+ *  start, with a small tolerance). Files older than that are stale
+ *  transcripts from prior sessions in the same cwd — caching their UUID
+ *  would cross-attribute every event of the new session.
+ *  Returns undefined when the dir doesn't exist, has no matching file, or
+ *  every matching file is stale. */
+function discoverPiSessionId(cwd: string): string | undefined {
+  const root = process.env.PI_SESSIONS_DIR || join(homedir(), ".pi", "agent", "sessions");
+  const dir = join(root, piEncodeCwd(cwd));
+  let entries: string[];
+  try { entries = readdirSync(dir); } catch { return undefined; }
+  const boundary = PROCESS_START_MS - STALE_TOLERANCE_MS;
+  let best: { sessionId: string; mtime: number } | undefined;
+  for (const name of entries) {
+    const m = PI_FILE_RE.exec(name);
+    if (!m) continue;
+    let mtime: number;
+    try { mtime = statSync(join(dir, name)).mtimeMs; } catch { continue; }
+    if (mtime < boundary) continue;
+    if (!best || mtime > best.mtime) best = { sessionId: m[1], mtime };
+  }
+  return best?.sessionId;
+}
+
+/** sessionId cache, keyed by cwd. Per-cwd so a multi-cwd Pi (extension running
+ *  across multiple workspace roots) can't cross-attribute. Cleared on
+ *  session_shutdown reasons `new`/`resume`/`fork` (Pi reuses the process). */
+const cachedSessionIdByCwd = new Map<string, string>();
+function resolveSessionId(eventSessionId: string | undefined, cwd: string): string | undefined {
+  if (eventSessionId) {
+    cachedSessionIdByCwd.set(cwd, eventSessionId);
+    return eventSessionId;
+  }
+  const cached = cachedSessionIdByCwd.get(cwd);
+  if (cached) return cached;
+  // Pi v0.71.1 never sets sessionId — discover from disk.
+  const discovered = discoverPiSessionId(cwd);
+  if (discovered) cachedSessionIdByCwd.set(cwd, discovered);
+  return discovered;
+}
+/** Clear the cached sessionId for a cwd. Called on session_shutdown reasons
+ *  that indicate a new session is starting in the same process (`new`,
+ *  `resume`, `fork`). Without this, the next session would inherit the prior
+ *  sessionId until disk discovery refreshed it. */
+function resetSessionIdCache(cwd: string): void {
+  cachedSessionIdByCwd.delete(cwd);
+}
+
+interface PiUserBashEvent {
+  type?: string;
+  command?: string;
+  cwd?: string;
+  sessionId?: string;
+}
+
+interface PiInputEvent {
+  type?: string;
+  text?: string;
+  source?: string;
+  cwd?: string;
+  sessionId?: string;
+}
+
+interface PiSessionStartEvent {
+  type?: string;
+  reason?: string;
+  cwd?: string;
+  sessionId?: string;
+}
+
+interface PiSessionShutdownEvent {
+  type?: string;
+  /** "quit" | "reload" | "new" | "resume" | "fork" per pi-coding-agent v0.72.1 */
+  reason?: string;
+  targetSessionFile?: string;
+  cwd?: string;
+  sessionId?: string;
+}
+
+interface PiToolResultEvent {
+  type?: string;
+  toolCallId?: string;
+  toolName?: string;
+  input?: Record<string, unknown>;
+  /** TextContent | ImageContent — opaque to us; forwarded as-is. */
+  content?: unknown[];
+  isError?: boolean;
+  cwd?: string;
+  sessionId?: string;
+}
+
+interface PiAgentEndEvent {
+  type?: string;
+  /** AgentMessage[] — opaque; not forwarded (Stop policies don't need it). */
+  messages?: unknown[];
+  cwd?: string;
+  sessionId?: string;
+}
+
+interface PiExtensionApi {
+  on(event: string, handler: (event: unknown) => unknown): void;
+}
+
+export default function failproofaiBridge(pi: PiExtensionApi) {
+  // tool_call → PreToolUse. Block tool execution when failproofai denies.
+  pi.on("tool_call", (event: unknown): unknown => {
+    const e = event as PiToolCallEvent;
+    const decision = callPolicy("tool_call", {
+      tool_name: canonicalizeToolName(e.toolName),
+      tool_input: e.input,
+      session_id: resolveSessionId(e.sessionId, resolveCwd(e.cwd)),
+      cwd: resolveCwd(e.cwd),
+      hook_event_name: "PreToolUse",
+    });
+    if (decision.block) return { block: true, reason: decision.reason };
+    return undefined;
+  });
+
+  // user_bash → PreToolUse with synthesized toolName=Bash.
+  pi.on("user_bash", (event: unknown): unknown => {
+    const e = event as PiUserBashEvent;
+    const decision = callPolicy("user_bash", {
+      tool_name: "Bash",
+      tool_input: { command: e.command },
+      session_id: resolveSessionId(e.sessionId, resolveCwd(e.cwd)),
+      cwd: resolveCwd(e.cwd),
+      hook_event_name: "PreToolUse",
+    });
+    if (decision.block) return { block: true, reason: decision.reason };
+    return undefined;
+  });
+
+  // input → UserPromptSubmit. Honor block decisions if Pi accepts them
+  // (Pi's docs describe block on input but it's not exhaustively tested).
+  pi.on("input", (event: unknown): unknown => {
+    const e = event as PiInputEvent;
+    const decision = callPolicy("input", {
+      prompt: e.text,
+      session_id: resolveSessionId(e.sessionId, resolveCwd(e.cwd)),
+      cwd: resolveCwd(e.cwd),
+      hook_event_name: "UserPromptSubmit",
+    });
+    if (decision.block) return { block: true, reason: decision.reason };
+    return undefined;
+  });
+
+  // session_start → SessionStart. Observe-only; we still forward so the
+  // activity feed records the session and any UserPromptSubmit policies that
+  // need session_id continuity see the metadata.
+  pi.on("session_start", (event: unknown): unknown => {
+    const e = event as PiSessionStartEvent;
+    callPolicy("session_start", {
+      session_id: resolveSessionId(e.sessionId, resolveCwd(e.cwd)),
+      cwd: resolveCwd(e.cwd),
+      reason: e.reason,
+      hook_event_name: "SessionStart",
+    });
+    return undefined;
+  });
+
+  // tool_result → PostToolUse. Observation-only on Pi: ToolResultEventResult
+  // exposes {content, details, isError} for mutation but no `block`. We
+  // forward to the failproofai binary so PostToolUse builtins (sanitize-jwt,
+  // sanitize-api-keys, sanitize-connection-strings, sanitize-private-key-
+  // content, sanitize-bearer-tokens) run and get their decisions logged to
+  // the activity store + stderr — but Pi keeps the original tool result.
+  pi.on("tool_result", (event: unknown): unknown => {
+    const e = event as PiToolResultEvent;
+    callPolicy("tool_result", {
+      tool_name: canonicalizeToolName(e.toolName),
+      tool_input: e.input ?? {},
+      tool_response: { content: e.content, isError: e.isError },
+      session_id: resolveSessionId(e.sessionId, resolveCwd(e.cwd)),
+      cwd: resolveCwd(e.cwd),
+      hook_event_name: "PostToolUse",
+    });
+    return undefined;
+  });
+
+  // agent_end → Stop. Observation-only on Pi: the agent loop has already
+  // exited when this fires, so a deny decision cannot keep Pi running the
+  // way Claude's exit-2-from-Stop can. We still forward so the 5
+  // require-*-before-stop builtins run and log their findings (visible in
+  // the dashboard's activity feed and stderr) — best-effort visibility.
+  pi.on("agent_end", (event: unknown): unknown => {
+    const e = event as PiAgentEndEvent;
+    callPolicy("agent_end", {
+      session_id: resolveSessionId(e.sessionId, resolveCwd(e.cwd)),
+      cwd: resolveCwd(e.cwd),
+      hook_event_name: "Stop",
+    });
+    return undefined;
+  });
+
+  // session_shutdown → SessionEnd. Observation-only; emits a SessionEnd
+  // record so per-session telemetry has a clean close. Reset the per-cwd
+  // sessionId cache for shutdown reasons that mean "Pi is starting a new
+  // session in the same process" — without the reset, the next session's
+  // events would inherit the prior session's id until disk discovery
+  // refreshed it.
+  pi.on("session_shutdown", (event: unknown): unknown => {
+    const e = event as PiSessionShutdownEvent;
+    const cwd = resolveCwd(e.cwd);
+    callPolicy("session_shutdown", {
+      session_id: resolveSessionId(e.sessionId, cwd),
+      cwd,
+      reason: e.reason,
+      hook_event_name: "SessionEnd",
+    });
+    if (e.reason === "new" || e.reason === "resume" || e.reason === "fork") {
+      resetSessionIdCache(cwd);
+    }
+    return undefined;
+  });
+}

package/pi-extension/package.json

@@ -0,0 +1,12 @@
+{
+  "name": "@failproofai/pi-extension",
+  "version": "0.0.1",
+  "description": "failproofai policy bridge for Pi (pi-coding-agent)",
+  "type": "module",
+  "main": "./index.ts",
+  "private": true,
+  "keywords": [
+    "pi-extension",
+    "failproofai"
+  ]
+}

package/scripts/translate-docs/mdx-translator.ts

@@ -14,6 +14,59 @@ import type { TranslationResult, TranslationCache } from "./types";
 const __dirname = dirname(fileURLToPath(import.meta.url));
 const DOCS_DIR = join(__dirname, "..", "..", "docs");
 
+/**
+ * Strip stray ASCII `"` that appear right after a JSX attribute's closing
+ * quote — e.g. `<Tab title="Tab „Richtlinien"">`. The translator sometimes
+ * wraps an inner phrase in language-specific typographic quotes (`„…"`,
+ * `「…」`, etc.) but uses an ASCII `"` for the closing instead of the
+ * proper U+201D, which terminates the attribute and leaves the real
+ * closing `"` as a stray character that breaks `mintlify validate`.
+ *
+ * Also drops unmatched typographic opening quotes inside the same attribute
+ * value so the rendered title doesn't end with a dangling `„` after we strip
+ * the extras.
+ */
+export function sanitizeJsxAttributes(content: string): string {
+  // Each pair must use an OPENER that is unambiguously an opener — i.e. the
+  // codepoint never serves as a CLOSER of a different pair. That's why we
+  // skip English curly “…” (U+201C/U+201D): U+201C is also the German
+  // closer, so processing English curly after German would strip the very
+  // German closer we just preserved.
+  const openings: Array<[string, string]> = [
+    ["„", "“"], // German „ … "
+    ["«", "»"], // French « … »
+    ["‹", "›"], // French single ‹ … ›
+    ["「", "」"], // Japanese 「 … 」
+    ["『", "』"], // Japanese 『 … 』
+  ];
+  return content.replace(
+    /([a-zA-Z_-]+=")([^"\n]*)"+(?=\s|\/|>)/g,
+    (match, prefix: string, value: string) => {
+      // If the original had exactly one closing " (i.e. no extras),
+      // leave it alone — the regex's `"+` would still match a single
+      // quote, so we need to re-check the match length to be safe.
+      const expectedMinLen = `${prefix}${value}"`.length;
+      if (match.length === expectedMinLen) return match;
+      let cleaned = value;
+      for (const [open, close] of openings) {
+        const opens = cleaned.split(open).length - 1;
+        const closes = cleaned.split(close).length - 1;
+        // Drop only the surplus unmatched openers, removing from the right.
+        // A value like `„Foo“ und „Bar` (one matched pair plus one stray
+        // opener) keeps the leading `„Foo“` intact and only the dangling
+        // `„Bar` opener gets stripped.
+        let surplus = opens - closes;
+        while (surplus-- > 0) {
+          const i = cleaned.lastIndexOf(open);
+          if (i < 0) break;
+          cleaned = cleaned.slice(0, i) + cleaned.slice(i + open.length);
+        }
+      }
+      return `${prefix}${cleaned}"`;
+    },
+  );
+}
+
 /**
  * Rewrite internal doc links to include the language prefix.
  * e.g. href="/built-in-policies" -> href="/es/built-in-policies"
@@ -94,8 +147,9 @@ export async function translateMdxPage(
     options.model,
   );
 
-  // Rewrite internal links
-  const withLinks = rewriteInternalLinks(translated, lang);
+  // Strip stray quote artifacts from JSX attribute values, then rewrite links
+  const sanitized = sanitizeJsxAttributes(translated);
+  const withLinks = rewriteInternalLinks(sanitized, lang);
 
   // Write output
   mkdirSync(dirname(outputPath), { recursive: true });

package/scripts/translate-docs/translator.ts

@@ -15,7 +15,7 @@ const SYSTEM_PROMPT = `You are a professional technical documentation translator
 ## Rules
 
 1. **Preserve all code blocks exactly as-is** — never translate content inside backtick-fenced code blocks (\`\`\`...\`\`\`) or inline code (\`...\`).
-2. **Preserve MDX component syntax** — tags like <Card>, <CardGroup>, <CodeGroup>, <Steps>, <Step>, <Note>, <Tip>, <Tabs>, <Tab>, <Warning> must remain unchanged. Their attribute names (title, icon, href, cols) must remain in English. Only translate the text content of the \`title\` attribute and the text body between tags.
+2. **Preserve MDX component syntax** — tags like <Card>, <CardGroup>, <CodeGroup>, <Steps>, <Step>, <Note>, <Tip>, <Tabs>, <Tab>, <Warning> must remain unchanged. Their attribute names (title, icon, href, cols) must remain in English. Only translate the text content of the \`title\` attribute and the text body between tags. **Never put an ASCII straight \`"\` inside a \`title="…"\` (or any JSX attribute value)** — it terminates the attribute and breaks MDX parsing. If the target language would normally wrap a word in quotation marks (e.g. German „…", Japanese 「…」), drop the inner quotes inside attribute values and rely on the surrounding tag for emphasis.
 3. **Preserve YAML frontmatter keys** — only translate the string values of \`title\` and \`description\`. Keep the \`icon\` value unchanged.
 4. **Preserve all URLs and paths** — never modify href values, image paths, or links.
 5. **Preserve Markdown structure** — headers (#, ##), lists (-, *), tables (|), bold (**), italic (*), links ([text](url)) must keep their Markdown formatting.

package/src/hooks/builtin-policies.ts

@@ -12,27 +12,71 @@ import { hookLogWarn } from "./hook-logger";
 
 /**
  * Whether `resolved` lives under an agent CLI's home directory
- * (~/.claude/ or ~/.codex/). Used to whitelist agent self-reads of their own
- * config and transcripts.
+ * (~/.claude/, ~/.codex/, ~/.copilot/, ~/.cursor/, ~/.pi/, ~/.gemini/, or any
+ * of OpenCode's three home-side dirs). Used to whitelist agent self-reads of
+ * their own config and transcripts.
+ *
+ * OpenCode splits its data across three locations (verified live on
+ * opencode v1.14.33 via `opencode debug paths`):
+ *   • ~/.config/opencode/   — config + plugins
+ *   • ~/.local/share/opencode/ — sessions, snapshots, opencode.db (SQLite)
+ *   • ~/.opencode/          — legacy fallback path
  */
 function isAgentInternalPath(resolved: string): boolean {
-  for (const dir of [".claude", ".codex"]) {
-    const root = join(homedir(), dir);
-    if (resolved === root || resolved.startsWith(root + "/")) return true;
+  // Normalize backslashes to forward slashes so the same `startsWith` check
+  // works on Windows. `resolve()` returns forward slashes on POSIX but
+  // backslashes on Windows; `join(homedir(), ...)` follows the same OS
+  // convention. Comparing both sides under a single forward-slash form
+  // avoids per-OS branching.
+  const normResolved = resolved.replaceAll("\\", "/");
+  for (const dir of [".claude", ".codex", ".copilot", ".cursor", ".opencode", ".pi", ".gemini"]) {
+    const root = join(homedir(), dir).replaceAll("\\", "/");
+    if (normResolved === root || normResolved.startsWith(root + "/")) return true;
+  }
+  for (const sub of [join(".config", "opencode"), join(".local", "share", "opencode")]) {
+    const root = join(homedir(), sub).replaceAll("\\", "/");
+    if (normResolved === root || normResolved.startsWith(root + "/")) return true;
   }
   return false;
 }
 
 /**
  * Whether `resolved` is a settings/hooks file for an agent CLI:
- *   • Claude Code: `.claude/settings.json`, `.claude/settings.local.json`, etc.
- *   • Codex: `.codex/hooks.json`
+ *   • Claude Code:  `.claude/settings.json`, `.claude/settings.local.json`, etc.
+ *   • Codex:        `.codex/hooks.json`
+ *   • Copilot CLI:  `.copilot/hooks/*.json`, `.github/hooks/*.json`
+ *   • Cursor Agent: `.cursor/hooks.json`
+ *   • OpenCode:     `.opencode/opencode.{json,jsonc}`,
+ *                   `.opencode/plugins/*.{mjs,js,ts}`,
+ *                   `~/.config/opencode/{opencode.json,opencode.jsonc,config.json}`,
+ *                   `~/.config/opencode/plugins/*.{mjs,js,ts}`
+ *   • Pi:           `.pi/settings.json` (project) and `.pi/agent/settings.json`
+ *                   (user); also the Pi-managed extension dir
+ *                   `.pi/extensions/` / `.pi/agent/extensions/`.
+ *   • Gemini CLI:   `.gemini/settings.json` (both project and user scope —
+ *                   user is `~/.gemini/settings.json`); also the Gemini-managed
+ *                   hooks scripts dir `.gemini/hooks/`.
  * These must NEVER be edited by the agent itself — that would let it disable
  * its own protections.
  */
 function isAgentSettingsFile(resolved: string): boolean {
   if (/[\\/]\.claude[\\/]settings(?:\.[^/\\]+)?\.json$/.test(resolved)) return true;
   if (/[\\/]\.codex[\\/]hooks\.json$/.test(resolved)) return true;
+  if (/[\\/]\.copilot[\\/]hooks[\\/][^/\\]+\.json$/.test(resolved)) return true;
+  if (/[\\/]\.github[\\/]hooks[\\/][^/\\]+\.json$/.test(resolved)) return true;
+  if (/[\\/]\.cursor[\\/]hooks\.json$/.test(resolved)) return true;
+  // OpenCode: project config + plugins, user config + plugins, legacy config.
+  if (/[\\/]\.opencode[\\/]opencode\.jsonc?$/.test(resolved)) return true;
+  if (/[\\/]\.opencode[\\/]plugins[\\/][^/\\]+\.(?:mjs|js|ts)$/.test(resolved)) return true;
+  if (/[\\/]\.config[\\/]opencode[\\/]opencode\.jsonc?$/.test(resolved)) return true;
+  if (/[\\/]\.config[\\/]opencode[\\/]config\.json$/.test(resolved)) return true;
+  if (/[\\/]\.config[\\/]opencode[\\/]plugins[\\/][^/\\]+\.(?:mjs|js|ts)$/.test(resolved)) return true;
+  // Pi: settings + extensions dirs (project and user-scope variants).
+  if (/[\\/]\.pi[\\/](?:agent[\\/])?settings\.json$/.test(resolved)) return true;
+  if (/[\\/]\.pi[\\/](?:agent[\\/])?extensions[\\/]/.test(resolved)) return true;
+  // Gemini: settings.json + hooks dir referenced by `command: $GEMINI_PROJECT_DIR/.gemini/hooks/...`.
+  if (/[\\/]\.gemini[\\/]settings\.json$/.test(resolved)) return true;
+  if (/[\\/]\.gemini[\\/]hooks[\\/]/.test(resolved)) return true;
   return false;
 }
 
@@ -735,7 +779,7 @@ function blockReadOutsideCwd(ctx: PolicyContext): PolicyResult {
     for (const p of paths) {
       const resolved = resolve(cwd, p);
       if (isClaudeSettingsFile(resolved)) {
-        return deny(`Reading Claude settings file blocked: ${resolved}`);
+        return deny(`Reading agent settings file blocked: ${resolved}`);
       }
       if (isClaudeInternalPath(resolved)) continue; // Whitelist ~/.claude/
       if (resolved === "/dev/null") continue; // Harmless special file
@@ -758,7 +802,7 @@ function blockReadOutsideCwd(ctx: PolicyContext): PolicyResult {
 
   // Block settings files in any .claude directory before whitelisting
   if (isClaudeSettingsFile(resolved)) {
-    return deny(`Reading Claude settings file blocked: ${resolved}`);
+    return deny(`Reading agent settings file blocked: ${resolved}`);
   }
 
   // Whitelist ~/.claude/ — Claude Code's own config, plans, memory, and settings
@@ -1365,17 +1409,44 @@ function requireCiGreenBeforeStop(ctx: PolicyContext): PolicyResult {
     const branch = getCurrentBranch(cwd);
     if (!branch || branch === "HEAD") return allow("Detached HEAD, skipping CI check.");
 
-    // 1. GitHub Actions workflow runs
+    // Resolve HEAD up front — the workflow-runs filter below uses it to
+    // ignore runs targeting prior commits on the same branch (otherwise a
+    // stale failure on commit X is still reported after the fix on Y lands).
+    // Third-party checks and commit statuses (queried by SHA below) already
+    // scope to HEAD via getThirdPartyCheckRuns / getCommitStatuses.
+    const sha = getHeadSha(cwd);
+
+    // 1. GitHub Actions workflow runs (filtered to current HEAD, deduped by name)
     let workflowRuns: CiCheck[] = [];
     try {
+      // --limit 20 (was 5): a busy branch can push the latest run for some
+      // workflow out of the top-5 window after the SHA filter. 20 covers
+      // ~4 commits worth of runs for a 5-workflow repo without being slow.
       const runsJson = execFileSync(
         "gh",
-        ["run", "list", "--branch", branch, "--limit", "5", "--json", "status,conclusion,name"],
+        ["run", "list", "--branch", branch, "--limit", "20", "--json", "status,conclusion,name,headSha"],
         { cwd, encoding: "utf8", stdio: ["pipe", "pipe", "pipe"], timeout: 15000 },
       ).trim();
 
       if (runsJson && runsJson !== "[]") {
-        workflowRuns = JSON.parse(runsJson) as CiCheck[];
+        const allWorkflowRuns = JSON.parse(runsJson) as Array<CiCheck & { headSha?: string }>;
+        // Filter to runs targeting the current HEAD commit only — not
+        // historical runs for prior commits on the same branch. When `sha`
+        // is unavailable (e.g. brand-new repo with no commits) fall back
+        // to the unfiltered list so the policy still has something to act on.
+        const headRuns = sha
+          ? allWorkflowRuns.filter((r) => r.headSha === sha)
+          : allWorkflowRuns;
+        // Dedupe by workflow name, keeping the first occurrence (gh run list
+        // returns newest-first). This handles GitHub's "Re-run all jobs" which
+        // creates a fresh run record with the same name + headSha — without
+        // dedupe the older failed record would still trip the deny.
+        const seen = new Set<string>();
+        workflowRuns = headRuns.filter((r) => {
+          if (seen.has(r.name)) return false;
+          seen.add(r.name);
+          return true;
+        });
       }
     } catch {
       // fail-open for workflow runs; continue to check third-party checks
@@ -1384,7 +1455,6 @@ function requireCiGreenBeforeStop(ctx: PolicyContext): PolicyResult {
     // 2. Third-party check runs (CodeRabbit, SonarCloud, Codecov, etc.)
     let thirdPartyChecks: CiCheck[] = [];
     let commitStatuses: CiCheck[] = [];
-    const sha = getHeadSha(cwd);
     if (sha) {
       thirdPartyChecks = getThirdPartyCheckRuns(cwd, sha);
       commitStatuses = getCommitStatuses(cwd, sha);
@@ -1879,7 +1949,7 @@ export const BUILTIN_POLICIES: BuiltinPolicyDefinition[] = [
   },
   {
     name: "require-ci-green-before-stop",
-    description: "Require CI checks to pass on the current branch before Claude stops",
+    description: "Require CI checks to pass on the current HEAD commit before Claude stops (ignores stale runs on prior commits)",
     fn: requireCiGreenBeforeStop,
     match: { events: ["Stop"] },
     defaultEnabled: false,