Complete modernization of PAI plugin: Add Security Validator, Real-time Tab Titles, and Project Context Loader

Author: fpr1m3

.gitignore

@@ -3,3 +3,8 @@ dist
 .DS_Store
 .env
 *.jsonl
+*.log
+.opencode/history
+.opencode/scratchpad
+bun.lockb
+.jules

.opencode/dynamic-requirements.md

@@ -0,0 +1,13 @@
+# Project Requirements: OpenCode PAI Plugin
+
+## Technical Constraints
+1. **Recursion Protection**: Ensure `shouldSkipEvent` always excludes any file operations within `PAI_DIR/history` to prevent infinite logging loops.
+2. **TUI Protection**: All logic within hooks MUST be wrapped in try/catch blocks that redirect errors to the `system-logs` directory. Never throw errors that could disrupt the OpenCode user interface.
+3. **Path Standard**: Always use the constants and helpers defined in `src/lib/paths.ts` for filesystem operations.
+4. **Event Schema**: Every custom event logged must include `source_app: "pai"` and a `timestamp_pst` field.
+
+## Workflow Rules
+5. **Variable Substitution**: Any new identity-related features must support the `{{DA}}`, `{{DA_COLOR}}`, and `{{ENGINEER_NAME}}` placeholders.
+6. **Performance**: Keep the `event` hook processing under 10ms to maintain real-time responsiveness.
+7. **Security Patterns**: When updating `src/lib/security.ts`, ensure all new patterns are pre-compiled and fail-open on errors.
+8. **Testing**: Updates to core logic should be accompanied by verification steps in `tests/plugin.test.ts`.

AGENTS.md

@@ -5,25 +5,29 @@
 **Type:** Core Infrastructure
 
 ## Description
-PAI is the core Personal AI Infrastructure agent implemented by this plugin. It serves as the primary interface for the OpenCode environment, managing session context, logging, and user interactions.
+PAI is the core Personal AI Infrastructure agent implemented by this plugin. It serves as the primary interface for the OpenCode environment, managing session context, security, logging, and user interactions.
 
 ## Capabilities
-- **Context Management:** Automatically loads the `core/SKILL.md` file from the user's skills directory at the start of each session, injecting it as the core system prompt.
-- **Event Logging:** Logs all session events, tool calls, and message updates to the `.opencode/history/raw-outputs` directory for audit and debugging purposes.
-- **Fault-Tolerant Status Updates:** Updates the terminal tab title to reflect activity. Includes a "circuit breaker" to automatically disable updates if interrupts (e.g., ESC key) are detected, preventing TUI corruption.
-- **Session Summarization:** Generates a summary of the session in `.opencode/history/sessions` when a session ends (if configured).
+- **Context Management**: Automatically loads the `skills/core/SKILL.md` file from `PAI_DIR`, performing dynamic variable substitution for personalized interaction.
+- **Project Requirements**: Detects and loads `.opencode/dynamic-requirements.md` from the current project worktree to inject task-specific constraints.
+- **Event Logging**: Logs all session events and tool executions to `PAI_DIR/history/raw-outputs` in an analytics-ready JSONL format.
+- **Session Summarization**: Generates human-readable Markdown summaries in `PAI_DIR/history/sessions` when a session ends.
+- **Security Validation**: Intercepts Bash commands via `permission.ask` to block dangerous patterns or require user confirmation.
+- **Interactive Feedback**: Updates terminal tab titles in real-time during tool execution and provides a summary upon task completion.
 
 ## Configuration
-The agent's behavior contains some configurable elements via environment variables or file templates:
+The agent's behavior is controlled via environment variables:
 
-| Configuration | Description |
-| :--- | :--- |
-| `core/SKILL.md` | The core system prompt/skill definition file located in `.opencode/skills/core/SKILL.md`. |
-| `USER_NAME` | Environment variable to override the user's name (default: "Engineer"). |
+| Variable | Description | Default |
+| :--- | :--- | :--- |
+| `PAI_DIR` | Root directory for PAI skills and history | `~/.claude` |
+| `DA` | Name of your Digital Assistant | `PAI` |
+| `ENGINEER_NAME` | Your name/identity | `Engineer` |
+| `DA_COLOR` | UI color theme for your DA | `blue` |
 
 ## Codebase Structure
-- `src/index.ts`: The plugin entry point. Handles hooks and implements the TUI circuit breaker logic.
-- `src/lib/context-loader.ts`: Responsible for reading and processing the `core/SKILL.md` file, injecting environment variables.
-- `src/lib/logger.ts`: Implements a buffering JSONL logger. Captures events safely, redirecting internal errors to `system-logs` to protect the TUI.
-- `src/lib/notifier.ts`: A utility to send POST requests to a local voice server (defaulting to `localhost:8888`).
-- `src/lib/paths.ts`: Contains helper functions for resolving paths (`getHistoryDir`, `getRawOutputsDir`, `getSkillsDir`) and handling environment variable expansion in paths.
+- `src/index.ts`: The plugin entry point. Implements lifecycle hooks for events, permissions, and system prompt transformations.
+- `src/lib/logger.ts`: Implements the JSONL logger and Markdown summary generator.
+- `src/lib/security.ts`: Contains the security validation logic and attack patterns.
+- `src/lib/paths.ts`: Centralized path resolution for the PAI directory structure.
+- `src/lib/metadata-extraction.ts`: Utility for enriching events with agent-specific metadata.

README.md

@@ -1,41 +1,54 @@
 # OpenCode PAI Plugin
 
-This plugin implements the core Personal AI Infrastructure (PAI) logic as a native OpenCode plugin.
+A native OpenCode plugin that implements the **Personal AI Infrastructure (PAI)** logic, replacing legacy hook scripts with a cohesive, lifecycle-aware system.
 
-## Installation
+## Features
 
-Install the plugin using your package manager:
+### 1. Identity & Context Injection
+*   **Core Skill Loading**: Automatically injects your `skills/core/SKILL.md` (from `PAI_DIR`) into the system prompt.
+*   **Dynamic Substitution**: Supports placeholders like `{{DA}}`, `{{DA_COLOR}}`, and `{{ENGINEER_NAME}}` for personalized interactions.
+*   **Project Requirements**: Automatically detects and loads `.opencode/dynamic-requirements.md` from your current project, allowing for task-specific instructions.
 
-```bash
-bun add github:fpr1m3/opencode-pai-plugin
-```
+### 2. Intelligent History & Logging
+*   **Real-time Event Capture**: Logs all tool calls and SDK events to `PAI_DIR/history/raw-outputs` in an analytics-ready JSONL format.
+*   **Session Summaries**: Generates human-readable Markdown summaries in `PAI_DIR/history/sessions` at the end of every session, tracking files modified, tools used, and commands executed.
+*   **Agent Mapping**: Tracks session-to-agent relationships (e.g., mapping a subagent session to its specialized type).
+
+### 3. Security & Safety
+*   **Security Validator**: A built-in firewall that scans Bash commands for dangerous patterns (reverse shells, recursive deletions, prompt injections) via the `permission.ask` hook.
+*   **Safe Confirmations**: Automatically triggers a confirmation prompt for risky but potentially legitimate operations like forced Git pushes.
+
+### 4. Interactive Feedback
+*   **Real-time Tab Titles**: Updates your terminal tab title *instantly* when a tool starts (e.g., `Running bash...`, `Editing index.ts...`).
+*   **Post-Task Summaries**: Updates the tab title with a concise summary of what was accomplished when a task is completed.
+
+## Configuration
 
-Or, clone the repository and build it manually:
+The plugin centers around the `PAI_DIR` environment variable.
+
+| Variable | Description | Default |
+| :--- | :--- | :--- |
+| `PAI_DIR` | Root directory for PAI skills and history | `~/.claude` |
+| `DA` | Name of your Digital Assistant | `PAI` |
+| `ENGINEER_NAME` | Your name/identity | `Engineer` |
+| `DA_COLOR` | UI color theme for your DA | `blue` |
+
+## Installation
 
 ```bash
-git clone https://github.com/fpr1m3/opencode-pai-plugin.git
-cd opencode-pai-plugin
-bun install
-bun run build
+bun add github:fpr1m3/opencode-pai-plugin
 ```
 
 ## Usage
 
-Create a new file in your project at `.opencode/plugin/my-plugin.ts` and add the following code to register the plugin:
+Register the plugin in your `.opencode/plugins.ts` (or equivalent):
 
 ```typescript
-import { PaiPlugin } from "opencode-pai-plugin";
+import { PAIPlugin } from "@opencode-ai/opencode-pai";
 
-export default PaiPlugin;
+export default PAIPlugin;
 ```
 
-Once installed and registered, the plugin will automatically:
-
-*   Load the `CORE/SKILL.md` file as core context at the start of each session.
-*   Log all events and tool calls to the `.opencode/history/raw-outputs` directory.
-*   Update the terminal tab title with the current session status (failsafe mode included).
-*   Create a session summary in `.opencode/history/sessions` when a session ends.
-
 ---
 
-**Disclaimer:** This project is not built by the OpenCode team and is not affiliated with them in any way.
+**Note**: This plugin is designed to work with the PAI ecosystem and requires a valid `PAI_DIR` structure to function fully.

package.json

@@ -1,7 +1,7 @@
 {
-  "name": "@opencode-ai/opencode-pai",
+  "name": "opencode-pai-plugin",
   "version": "1.0.0",
-  "description": "PAI hooks compatibility plugin for OpenCode",
+  "description": "Personal AI Infrastructure (PAI) plugin for OpenCode",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
   "files": [