pi-crew 0.1.38 → 0.1.40

package/src/state/mailbox.ts

@@ -2,6 +2,7 @@ import * as fs from "node:fs";
 import * as path from "node:path";
 import type { TeamRunManifest } from "./types.ts";
 import { resolveRealContainedPath } from "../utils/safe-paths.ts";
+import { redactSecrets } from "../utils/redaction.ts";
 
 export type MailboxDirection = "inbox" | "outbox";
 export type MailboxMessageStatus = "queued" | "delivered" | "acknowledged";
@@ -190,7 +191,7 @@ export function readDeliveryState(manifest: TeamRunManifest): MailboxDeliverySta
 
 function writeDeliveryState(manifest: TeamRunManifest, state: MailboxDeliveryState): void {
 	ensureRunMailbox(manifest);
-	fs.writeFileSync(deliveryFile(manifest, true), `${JSON.stringify(state, null, 2)}\n`, "utf-8");
+	fs.writeFileSync(deliveryFile(manifest, true), `${JSON.stringify(redactSecrets(state), null, 2)}\n`, "utf-8");
 }
 
 export function appendMailboxMessage(manifest: TeamRunManifest, message: Omit<MailboxMessage, "id" | "runId" | "createdAt" | "status"> & { id?: string; status?: MailboxMessageStatus }): MailboxMessage {
@@ -208,7 +209,7 @@ export function appendMailboxMessage(manifest: TeamRunManifest, message: Omit<Ma
 		status: message.status ?? "queued",
 		taskId: message.taskId,
 	};
-	fs.appendFileSync(mailboxFile(manifest, complete.direction, complete.taskId), `${JSON.stringify(complete)}\n`, "utf-8");
+	fs.appendFileSync(mailboxFile(manifest, complete.direction, complete.taskId), `${JSON.stringify(redactSecrets(complete))}\n`, "utf-8");
 	const delivery = readDeliveryState(manifest);
 	delivery.messages[complete.id] = complete.status;
 	delivery.updatedAt = createdAt;
@@ -249,7 +250,7 @@ export function validateMailbox(manifest: TeamRunManifest, options: { repair?: b
 				const parsed = JSON.parse(line) as unknown;
 				const message = parseMailboxMessage(parsed, direction);
 				if (!message) throw new Error("invalid message schema");
-				validLines.push(JSON.stringify(message));
+				validLines.push(JSON.stringify(redactSecrets(message)));
 			} catch (error) {
 				const message = error instanceof Error ? error.message : String(error);
 				issues.push({ level: "error", path: filePath, message });

package/src/state/types.ts

@@ -81,6 +81,17 @@ export interface AsyncRunState {
 	spawnedAt: string;
 }
 
+export interface PlanApprovalState {
+	required: boolean;
+	status: "pending" | "approved" | "cancelled";
+	requestedAt: string;
+	updatedAt: string;
+	approvedAt?: string;
+	cancelledAt?: string;
+	planTaskId?: string;
+	planArtifactPath?: string;
+}
+
 export interface TeamRunManifest {
 	schemaVersion: 1;
 	runId: string;
@@ -98,6 +109,7 @@ export interface TeamRunManifest {
 	eventsPath: string;
 	artifacts: ArtifactDescriptor[];
 	async?: AsyncRunState;
+	planApproval?: PlanApprovalState;
 	summary?: string;
 	policyDecisions?: PolicyDecision[];
 }

package/src/teams/discover-teams.ts

@@ -109,7 +109,7 @@ export function discoverTeams(cwd: string): TeamDiscoveryResult {
 
 export function allTeams(discovery: TeamDiscoveryResult): TeamConfig[] {
 	const byName = new Map<string, TeamConfig>();
-	for (const team of [...discovery.builtin, ...discovery.user, ...discovery.project]) {
+	for (const team of [...discovery.project, ...discovery.builtin, ...discovery.user]) {
 		byName.set(team.name, team);
 	}
 	return [...byName.values()].sort((a, b) => a.name.localeCompare(b.name));

package/src/utils/paths.ts

@@ -29,14 +29,15 @@ export function findRepoRoot(cwd: string): string | undefined {
 	let current = path.resolve(cwd);
 	const root = path.parse(current).root;
 	const home = path.resolve(os.homedir());
+	const tempRoot = path.resolve(os.tmpdir());
 	while (current !== root) {
-		if (current === home) return undefined;
+		if (current === home || current === tempRoot) return undefined;
 		if (hasProjectMarker(current)) return current;
 		const parent = path.dirname(current);
 		if (parent === current) break;
 		current = parent;
 	}
-	if (current === home) return undefined;
+	if (current === home || current === tempRoot) return undefined;
 	if (hasProjectMarker(root)) return root;
 	return undefined;
 }

package/src/utils/redaction.ts

@@ -0,0 +1,41 @@
+const SECRET_KEY_PATTERN = /(?:^|[_.-])(token|api[-_]?key|password|passwd|secret|credential|authorization|private[-_]?key)(?:$|[_.-])/i;
+const INLINE_SECRET_PATTERN = /(^|[\s,{])(([A-Za-z0-9_.-]*(?:api[-_]?key|token|password|passwd|secret|credential|authorization|private[-_]?key)[A-Za-z0-9_.-]*)\s*[=:]\s*)([^\s,;"'}]+)/gi;
+const AUTH_HEADER_PATTERN = /\b(Authorization\s*:\s*(?:Bearer|Basic|Token)?\s*)([^\r\n]+)/gi;
+const BEARER_PATTERN = /\b(Bearer\s+)([A-Za-z0-9._~+/=-]{8,})\b/g;
+const PEM_PRIVATE_KEY_PATTERN = /-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----/g;
+
+function isRecord(value: unknown): value is Record<string, unknown> {
+	return Boolean(value) && typeof value === "object" && !Array.isArray(value);
+}
+
+function isSecretKey(keyName: string): boolean {
+	return SECRET_KEY_PATTERN.test(keyName) || /^(token|apiKey|api_key|password|secret|credential|authorization|privateKey|private_key)$/i.test(keyName);
+}
+
+export function redactSecretString(value: string): string {
+	return value
+		.replace(PEM_PRIVATE_KEY_PATTERN, "***")
+		.replace(AUTH_HEADER_PATTERN, "$1***")
+		.replace(BEARER_PATTERN, "$1***")
+		.replace(INLINE_SECRET_PATTERN, "$1$2***");
+}
+
+export function redactSecrets(value: unknown, keyName = ""): unknown {
+	if (keyName && isSecretKey(keyName)) return "***";
+	if (typeof value === "string") return redactSecretString(value);
+	if (Array.isArray(value)) return value.map((item) => redactSecrets(item));
+	if (isRecord(value)) {
+		const output: Record<string, unknown> = {};
+		for (const [key, entry] of Object.entries(value)) output[key] = redactSecrets(entry, key);
+		return output;
+	}
+	return value;
+}
+
+export function redactJsonLine(line: string): string {
+	try {
+		return JSON.stringify(redactSecrets(JSON.parse(line) as unknown));
+	} catch {
+		return redactSecretString(line);
+	}
+}

package/src/workflows/discover-workflows.ts

@@ -129,7 +129,7 @@ export function discoverWorkflows(cwd: string): WorkflowDiscoveryResult {
 
 export function allWorkflows(discovery: WorkflowDiscoveryResult): WorkflowConfig[] {
 	const byName = new Map<string, WorkflowConfig>();
-	for (const workflow of [...discovery.builtin, ...discovery.user, ...discovery.project]) {
+	for (const workflow of [...discovery.project, ...discovery.builtin, ...discovery.user]) {
 		byName.set(workflow.name, workflow);
 	}
 	return [...byName.values()].sort((a, b) => a.name.localeCompare(b.name));