pi-crew 0.1.46 → 0.1.49

package/src/runtime/recovery-recipes.ts

@@ -1,74 +1,74 @@
-import type { PolicyDecision, PolicyDecisionReason } from "../state/types.ts";
-
-export type FailureScenario = "trust_prompt_unresolved" | "prompt_misdelivery" | "stale_branch" | "compile_red_cross_crate" | "mcp_handshake_failure" | "partial_plugin_startup" | "provider_failure" | "task_failed" | "worker_stale" | "green_unsatisfied";
-export type RecoveryStep = "accept_trust_prompt" | "redirect_prompt_to_agent" | "rebase_branch" | "clean_build" | "retry_mcp_handshake" | "restart_plugin" | "restart_worker" | "rerun_task" | "collect_verification_evidence" | "escalate_to_human";
-export type RecoveryResultState = "planned" | "skipped" | "escalation_required";
-
-export interface RecoveryRecipe {
-	scenario: FailureScenario;
-	steps: RecoveryStep[];
-	maxAttempts: number;
-	escalationPolicy: "alert_human" | "log_and_continue" | "abort";
-}
-
-export interface RecoveryLedgerEntry {
-	scenario: FailureScenario;
-	taskId?: string;
-	decisionReason: PolicyDecisionReason;
-	attempt: number;
-	state: RecoveryResultState;
-	steps: RecoveryStep[];
-	message: string;
-	createdAt: string;
-}
-
-export interface RecoveryLedger {
-	entries: RecoveryLedgerEntry[];
-}
-
-export function scenarioForPolicyReason(reason: PolicyDecisionReason): FailureScenario {
-	switch (reason) {
-		case "branch_stale": return "stale_branch";
-		case "worker_stale": return "worker_stale";
-		case "green_unsatisfied": return "green_unsatisfied";
-		case "task_failed": return "task_failed";
-		default: return "provider_failure";
-	}
-}
-
-export function recipeFor(scenario: FailureScenario): RecoveryRecipe {
-	switch (scenario) {
-		case "trust_prompt_unresolved": return { scenario, steps: ["accept_trust_prompt"], maxAttempts: 1, escalationPolicy: "alert_human" };
-		case "prompt_misdelivery": return { scenario, steps: ["redirect_prompt_to_agent"], maxAttempts: 1, escalationPolicy: "alert_human" };
-		case "stale_branch": return { scenario, steps: ["rebase_branch", "clean_build"], maxAttempts: 1, escalationPolicy: "alert_human" };
-		case "compile_red_cross_crate": return { scenario, steps: ["clean_build"], maxAttempts: 1, escalationPolicy: "alert_human" };
-		case "mcp_handshake_failure": return { scenario, steps: ["retry_mcp_handshake"], maxAttempts: 1, escalationPolicy: "abort" };
-		case "partial_plugin_startup": return { scenario, steps: ["restart_plugin", "retry_mcp_handshake"], maxAttempts: 1, escalationPolicy: "log_and_continue" };
-		case "worker_stale": return { scenario, steps: ["restart_worker"], maxAttempts: 1, escalationPolicy: "alert_human" };
-		case "green_unsatisfied": return { scenario, steps: ["collect_verification_evidence"], maxAttempts: 1, escalationPolicy: "alert_human" };
-		case "task_failed": return { scenario, steps: ["rerun_task"], maxAttempts: 1, escalationPolicy: "alert_human" };
-		case "provider_failure": return { scenario, steps: ["restart_worker"], maxAttempts: 1, escalationPolicy: "alert_human" };
-	}
-}
-
-export function buildRecoveryLedger(decisions: PolicyDecision[], previous: RecoveryLedger = { entries: [] }): RecoveryLedger {
-	const entries = [...previous.entries];
-	for (const item of decisions) {
-		if (!["retry", "escalate", "block"].includes(item.action)) continue;
-		const scenario = scenarioForPolicyReason(item.reason);
-		const recipe = recipeFor(scenario);
-		const priorAttempts = entries.filter((entry) => entry.scenario === scenario && entry.taskId === item.taskId).length;
-		const attempt = priorAttempts + 1;
-		entries.push({
-			scenario,
-			taskId: item.taskId,
-			decisionReason: item.reason,
-			attempt,
-			state: attempt <= recipe.maxAttempts && item.action !== "block" ? "planned" : "escalation_required",
-			steps: attempt <= recipe.maxAttempts ? recipe.steps : ["escalate_to_human"],
-			message: item.message,
-			createdAt: new Date().toISOString(),
-		});
-	}
-	return { entries };
-}
+import type { PolicyDecision, PolicyDecisionReason } from "../state/types.ts";
+
+export type FailureScenario = "trust_prompt_unresolved" | "prompt_misdelivery" | "stale_branch" | "compile_red_cross_crate" | "mcp_handshake_failure" | "partial_plugin_startup" | "provider_failure" | "task_failed" | "worker_stale" | "green_unsatisfied";
+export type RecoveryStep = "accept_trust_prompt" | "redirect_prompt_to_agent" | "rebase_branch" | "clean_build" | "retry_mcp_handshake" | "restart_plugin" | "restart_worker" | "rerun_task" | "collect_verification_evidence" | "escalate_to_human";
+export type RecoveryResultState = "planned" | "skipped" | "escalation_required";
+
+export interface RecoveryRecipe {
+	scenario: FailureScenario;
+	steps: RecoveryStep[];
+	maxAttempts: number;
+	escalationPolicy: "alert_human" | "log_and_continue" | "abort";
+}
+
+export interface RecoveryLedgerEntry {
+	scenario: FailureScenario;
+	taskId?: string;
+	decisionReason: PolicyDecisionReason;
+	attempt: number;
+	state: RecoveryResultState;
+	steps: RecoveryStep[];
+	message: string;
+	createdAt: string;
+}
+
+export interface RecoveryLedger {
+	entries: RecoveryLedgerEntry[];
+}
+
+export function scenarioForPolicyReason(reason: PolicyDecisionReason): FailureScenario {
+	switch (reason) {
+		case "branch_stale": return "stale_branch";
+		case "worker_stale": return "worker_stale";
+		case "green_unsatisfied": return "green_unsatisfied";
+		case "task_failed": return "task_failed";
+		default: return "provider_failure";
+	}
+}
+
+export function recipeFor(scenario: FailureScenario): RecoveryRecipe {
+	switch (scenario) {
+		case "trust_prompt_unresolved": return { scenario, steps: ["accept_trust_prompt"], maxAttempts: 1, escalationPolicy: "alert_human" };
+		case "prompt_misdelivery": return { scenario, steps: ["redirect_prompt_to_agent"], maxAttempts: 1, escalationPolicy: "alert_human" };
+		case "stale_branch": return { scenario, steps: ["rebase_branch", "clean_build"], maxAttempts: 1, escalationPolicy: "alert_human" };
+		case "compile_red_cross_crate": return { scenario, steps: ["clean_build"], maxAttempts: 1, escalationPolicy: "alert_human" };
+		case "mcp_handshake_failure": return { scenario, steps: ["retry_mcp_handshake"], maxAttempts: 1, escalationPolicy: "abort" };
+		case "partial_plugin_startup": return { scenario, steps: ["restart_plugin", "retry_mcp_handshake"], maxAttempts: 1, escalationPolicy: "log_and_continue" };
+		case "worker_stale": return { scenario, steps: ["restart_worker"], maxAttempts: 1, escalationPolicy: "alert_human" };
+		case "green_unsatisfied": return { scenario, steps: ["collect_verification_evidence"], maxAttempts: 1, escalationPolicy: "alert_human" };
+		case "task_failed": return { scenario, steps: ["rerun_task"], maxAttempts: 1, escalationPolicy: "alert_human" };
+		case "provider_failure": return { scenario, steps: ["restart_worker"], maxAttempts: 1, escalationPolicy: "alert_human" };
+	}
+}
+
+export function buildRecoveryLedger(decisions: PolicyDecision[], previous: RecoveryLedger = { entries: [] }): RecoveryLedger {
+	const entries = [...previous.entries];
+	for (const item of decisions) {
+		if (!["retry", "escalate", "block"].includes(item.action)) continue;
+		const scenario = scenarioForPolicyReason(item.reason);
+		const recipe = recipeFor(scenario);
+		const priorAttempts = entries.filter((entry) => entry.scenario === scenario && entry.taskId === item.taskId).length;
+		const attempt = priorAttempts + 1;
+		entries.push({
+			scenario,
+			taskId: item.taskId,
+			decisionReason: item.reason,
+			attempt,
+			state: attempt <= recipe.maxAttempts && item.action !== "block" ? "planned" : "escalation_required",
+			steps: attempt <= recipe.maxAttempts ? recipe.steps : ["escalate_to_human"],
+			message: item.message,
+			createdAt: new Date().toISOString(),
+		});
+	}
+	return { entries };
+}

package/src/runtime/result-extractor.ts

@@ -0,0 +1,121 @@
+/**
+ * Structured Result Extractor — attempts to extract structured data from worker output.
+ * Tries multiple extraction strategies before falling back to raw text.
+ */
+export interface ExtractedResult {
+	/** Whether structured data was successfully extracted */
+	structured: boolean;
+	/** Parsed structured data (if structured=true) */
+	data: unknown;
+	/** Raw text output (always available) */
+	rawText: string;
+	/** Error message if extraction was attempted but failed */
+	error?: string;
+}
+
+/**
+ * Extract structured result from raw worker output text.
+ * Tries strategies in order: direct JSON, fenced JSON, key-value markers.
+ */
+export function extractStructuredResult(raw: string, _schema?: Record<string, unknown>): ExtractedResult {
+	const trimmed = raw.trim();
+	if (!trimmed) {
+		return { structured: false, data: null, rawText: raw };
+	}
+
+	// Strategy 1: Direct JSON parse (entire output is JSON)
+	const directResult = tryDirectJson(trimmed);
+	if (directResult !== undefined) {
+		return { structured: true, data: directResult, rawText: raw };
+	}
+
+	// Strategy 2: Extract from ```json ... ``` fence
+	const fencedResult = tryFencedJson(trimmed);
+	if (fencedResult !== undefined) {
+		return { structured: true, data: fencedResult, rawText: raw };
+	}
+
+	// Strategy 3: Extract from markers like "RESULT:" or "OUTPUT:"
+	const markerResult = tryMarkerExtraction(trimmed);
+	if (markerResult !== undefined) {
+		return { structured: true, data: markerResult, rawText: raw };
+	}
+
+	return { structured: false, data: null, rawText: raw };
+}
+
+function tryDirectJson(text: string): unknown | undefined {
+	if (!text.startsWith("{") && !text.startsWith("[")) return undefined;
+	try {
+		return JSON.parse(text);
+	} catch {
+		return undefined;
+	}
+}
+
+function tryFencedJson(text: string): unknown | undefined {
+	const match = text.match(/```json\s*\n([\s\S]*?)\n\s*```/);
+	if (!match?.[1]) return undefined;
+	try {
+		return JSON.parse(match[1].trim());
+	} catch {
+		return undefined;
+	}
+}
+
+function tryMarkerExtraction(text: string): unknown | undefined {
+	// Try to find JSON after common markers
+	const markers = ["RESULT:", "OUTPUT:", "ANSWER:", "### Result\n", "## Output\n"];
+	for (const marker of markers) {
+		const idx = text.indexOf(marker);
+		if (idx === -1) continue;
+		const after = text.slice(idx + marker.length).trim();
+		// Try JSON parse on text after marker
+		if (after.startsWith("{") || after.startsWith("[")) {
+			try {
+				return JSON.parse(after);
+			} catch {
+				// Try to find just the JSON object/array
+				const jsonEnd = findMatchingBracket(after);
+				if (jsonEnd > 0) {
+					try {
+						return JSON.parse(after.slice(0, jsonEnd));
+					} catch {
+						continue;
+					}
+				}
+			}
+		}
+	}
+	return undefined;
+}
+
+function findMatchingBracket(text: string): number {
+	const openChar = text[0];
+	const closeChar = openChar === "{" ? "}" : "]";
+	let depth = 0;
+	let inString = false;
+	let escape = false;
+	for (let i = 0; i < text.length; i++) {
+		const ch = text[i];
+		if (escape) {
+			escape = false;
+			continue;
+		}
+		if (ch === "\\") {
+			escape = true;
+			continue;
+		}
+		if (ch === '"') {
+			inString = !inString;
+			continue;
+		}
+		if (inString) continue;
+		if (ch === openChar) depth++;
+		if (ch === closeChar) {
+			depth--;
+			if (depth === 0) return i + 1;
+		}
+	}
+	return -1;
+}

package/src/runtime/role-permission.ts

@@ -1,39 +1,39 @@
-export type RolePermissionMode = "read_only" | "workspace_write" | "danger_full_access" | "explicit_confirm";
-
-const READ_ONLY_ROLES = new Set(["explorer", "reviewer", "security-reviewer", "verifier", "analyst", "critic", "planner", "writer"]);
-const WRITE_ROLES = new Set(["executor", "test-engineer"]);
-const READ_ONLY_COMMANDS = new Set(["cat", "head", "tail", "less", "more", "wc", "ls", "find", "grep", "rg", "awk", "sed", "echo", "printf", "which", "where", "whoami", "pwd", "env", "printenv", "date", "df", "du", "uname", "file", "stat", "diff", "sort", "uniq", "tr", "cut", "paste", "test", "true", "false", "type", "readlink", "realpath", "basename", "dirname", "sha256sum", "md5sum", "xxd", "hexdump", "od", "strings", "tree", "jq", "git", "gh"]);
-
-export interface PermissionCheckResult {
-	allowed: boolean;
-	mode: RolePermissionMode;
-	reason?: string;
-}
-
-export function permissionForRole(role: string): RolePermissionMode {
-	if (READ_ONLY_ROLES.has(role)) return "read_only";
-	if (WRITE_ROLES.has(role)) return "workspace_write";
-	return "workspace_write";
-}
-
-export function isReadOnlyCommand(command: string): boolean {
-	const first = command.trim().split(/\s+/)[0]?.split(/[\\/]/).pop() ?? "";
-	return READ_ONLY_COMMANDS.has(first) && !/\s(-i|--in-place)\b|\s>{1,2}\s|\brm\b|\bmv\b|\bcp\b|\b(?:npm|pnpm|yarn|bun)\s+(install|add|ci|remove)\b|\bgit\s+(commit|push|merge|rebase|reset|checkout|clean)\b/.test(command);
-}
-
-export function checkRolePermission(role: string, command: string): PermissionCheckResult {
-	const mode = permissionForRole(role);
-	if (mode === "read_only" && !isReadOnlyCommand(command)) return { allowed: false, mode, reason: `Role '${role}' is read-only and command may modify state.` };
-	return { allowed: true, mode };
-}
-
-export function currentCrewRole(env: NodeJS.ProcessEnv = process.env): string | undefined {
-	return env.PI_CREW_ROLE?.trim() || env.PI_TEAMS_ROLE?.trim() || undefined;
-}
-
-export function checkSubagentSpawnPermission(role: string | undefined): PermissionCheckResult {
-	if (!role) return { allowed: true, mode: "workspace_write" };
-	const mode = permissionForRole(role);
-	if (mode === "read_only") return { allowed: false, mode, reason: `Role '${role}' is read-only and cannot spawn additional subagents.` };
-	return { allowed: true, mode };
-}
+export type RolePermissionMode = "read_only" | "workspace_write" | "danger_full_access" | "explicit_confirm";
+
+const READ_ONLY_ROLES = new Set(["explorer", "reviewer", "security-reviewer", "verifier", "analyst", "critic", "planner", "writer"]);
+const WRITE_ROLES = new Set(["executor", "test-engineer"]);
+const READ_ONLY_COMMANDS = new Set(["cat", "head", "tail", "less", "more", "wc", "ls", "find", "grep", "rg", "awk", "sed", "echo", "printf", "which", "where", "whoami", "pwd", "env", "printenv", "date", "df", "du", "uname", "file", "stat", "diff", "sort", "uniq", "tr", "cut", "paste", "test", "true", "false", "type", "readlink", "realpath", "basename", "dirname", "sha256sum", "md5sum", "xxd", "hexdump", "od", "strings", "tree", "jq", "git", "gh"]);
+
+export interface PermissionCheckResult {
+	allowed: boolean;
+	mode: RolePermissionMode;
+	reason?: string;
+}
+
+export function permissionForRole(role: string): RolePermissionMode {
+	if (READ_ONLY_ROLES.has(role)) return "read_only";
+	if (WRITE_ROLES.has(role)) return "workspace_write";
+	return "workspace_write";
+}
+
+export function isReadOnlyCommand(command: string): boolean {
+	const first = command.trim().split(/\s+/)[0]?.split(/[\\/]/).pop() ?? "";
+	return READ_ONLY_COMMANDS.has(first) && !/\s(-i|--in-place)\b|\s>{1,2}\s|\brm\b|\bmv\b|\bcp\b|\b(?:npm|pnpm|yarn|bun)\s+(install|add|ci|remove)\b|\bgit\s+(commit|push|merge|rebase|reset|checkout|clean)\b/.test(command);
+}
+
+export function checkRolePermission(role: string, command: string): PermissionCheckResult {
+	const mode = permissionForRole(role);
+	if (mode === "read_only" && !isReadOnlyCommand(command)) return { allowed: false, mode, reason: `Role '${role}' is read-only and command may modify state.` };
+	return { allowed: true, mode };
+}
+
+export function currentCrewRole(env: NodeJS.ProcessEnv = process.env): string | undefined {
+	return env.PI_CREW_ROLE?.trim() || env.PI_TEAMS_ROLE?.trim() || undefined;
+}
+
+export function checkSubagentSpawnPermission(role: string | undefined): PermissionCheckResult {
+	if (!role) return { allowed: true, mode: "workspace_write" };
+	const mode = permissionForRole(role);
+	if (mode === "read_only") return { allowed: false, mode, reason: `Role '${role}' is read-only and cannot spawn additional subagents.` };
+	return { allowed: true, mode };
+}

package/src/runtime/runtime-resolver.ts

@@ -32,9 +32,6 @@ export function runtimeResolutionState(runtime: CrewRuntimeCapabilities, resolve
 }
 
 export async function isLiveSessionRuntimeAvailable(timeoutMs = 1500, env: NodeJS.ProcessEnv = process.env): Promise<{ available: boolean; reason?: string }> {
-	if (env.PI_CREW_ENABLE_EXPERIMENTAL_LIVE_SESSION !== "1") {
-		return { available: false, reason: "Live-session runtime adapter is experimental and disabled. Set PI_CREW_ENABLE_EXPERIMENTAL_LIVE_SESSION=1 to probe SDK support." };
-	}
 	if (env.PI_CREW_MOCK_LIVE_SESSION === "success") {
 		return { available: true, reason: "Mock live-session runtime is enabled." };
 	}
@@ -74,7 +71,7 @@ export async function resolveCrewRuntime(config: PiTeamsConfig, env: NodeJS.Proc
 	if (requestedMode === "live-session" || (requestedMode === "auto" && config.runtime?.preferLiveSession === true)) {
 		const live = await isLiveSessionRuntimeAvailable(1500, env);
 		if (live.available) return liveCaps(requestedMode);
-		if (requestedMode === "live-session" && config.runtime?.allowChildProcessFallback === false) return { ...scaffoldCaps(requestedMode), available: false, reason: live.reason };
+		if (requestedMode === "live-session" && config.runtime?.allowChildProcessFallback === false) return scaffoldCaps(requestedMode, live.reason, "blocked");
 		return { ...childCaps(requestedMode), fallback: "child-process", reason: live.reason };
 	}
 	return childCaps(requestedMode);

package/src/runtime/semaphore.ts

@@ -0,0 +1,131 @@
+/**
+ * Phase 6: Semaphore and fail-fast parallel execution.
+ *
+ * Adapted from oh-my-pi's `parallel.ts` Semaphore class and
+ * `mapWithConcurrencyLimit` implementation. Provides:
+ * - Explicit acquire/release Semaphore for concurrency control
+ * - Fail-fast on first error (via Promise.race)
+ * - AbortSignal support for graceful cancellation
+ * - Partial results on abort
+ */
+
+/**
+ * Simple counting semaphore for limiting concurrency across independently-scheduled async work.
+ */
+export class Semaphore {
+	#max: number;
+	#current = 0;
+	#queue: Array<() => void> = [];
+
+	constructor(max: number) {
+		this.#max = Math.max(1, max);
+	}
+
+	async acquire(): Promise<void> {
+		if (this.#current < this.#max) {
+			this.#current++;
+			return;
+		}
+		const { promise, resolve } = (() => {
+			let res: () => void;
+			const p = new Promise<void>((r) => { res = r; });
+			return { promise: p, resolve: res! };
+		})();
+		this.#queue.push(resolve);
+		return promise;
+	}
+
+	release(): void {
+		const next = this.#queue.shift();
+		if (next) {
+			next();
+		} else if (this.#current > 0) {
+			this.#current--;
+		}
+		// Guard: over-release is a no-op to prevent #current going negative
+	}
+
+	/** Current number of acquired slots. */
+	get current(): number {
+		return this.#current;
+	}
+
+	/** Number of waiters in the queue. */
+	get waiting(): number {
+		return this.#queue.length;
+	}
+}
+
+/**
+ * Result of parallel execution with fail-fast support.
+ */
+export interface ParallelResult<R> {
+	/** Results array — undefined entries indicate tasks that were skipped due to abort. */
+	results: (R | undefined)[];
+	/** Whether execution was aborted before all tasks completed. */
+	aborted: boolean;
+	/** The first error that triggered fail-fast, if any. */
+	firstError?: unknown;
+}
+
+/**
+ * Execute items with a concurrency limit, fail-fast, and abort signal support.
+ *
+ * - On first error: aborts remaining workers and rethrows.
+ * - On external abort: returns partial results with `aborted: true`.
+ * - Results are returned in the same order as input items.
+ *
+ * Adapted from oh-my-pi's `mapWithConcurrencyLimit`.
+ */
+export async function mapWithFailFast<T, R>(
+	items: T[],
+	concurrency: number,
+	fn: (item: T, index: number, signal: AbortSignal) => Promise<R>,
+	signal?: AbortSignal,
+): Promise<ParallelResult<R>> {
+	const limit = Math.max(1, Math.min(concurrency, items.length));
+	const results: (R | undefined)[] = new Array(items.length);
+	let nextIndex = 0;
+
+	// Internal abort controller for fail-fast
+	const abortController = new AbortController();
+	const workerSignal = signal
+		? AbortSignal.any([signal, abortController.signal])
+		: abortController.signal;
+
+	// Promise that rejects on first error — used for fail-fast
+	let rejectFirst: (error: unknown) => void;
+	const firstErrorPromise = new Promise<never>((_, reject) => {
+		rejectFirst = reject;
+	});
+
+	const worker = async (): Promise<void> => {
+		while (true) {
+			if (workerSignal.aborted) return;
+			const index = nextIndex++;
+			if (index >= items.length) return;
+			try {
+				results[index] = await fn(items[index], index, workerSignal);
+			} catch (error) {
+				if (!workerSignal.aborted) {
+					abortController.abort();
+					rejectFirst(error);
+					throw error;
+				}
+			}
+		}
+	};
+
+	const workers = Array.from({ length: limit }, () => worker());
+
+	try {
+		await Promise.race([Promise.all(workers), firstErrorPromise]);
+	} catch (error) {
+		if (signal?.aborted) {
+			return { results, aborted: true, firstError: error };
+		}
+		throw error;
+	}
+
+	return { results, aborted: signal?.aborted ?? false };
+}

package/src/runtime/sensitive-paths.ts

@@ -0,0 +1,92 @@
+/**
+ * Sensitive file detection for worker constraints.
+ *
+ * Inspired by caveman's compress.py — prevents workers from reading
+ * or compressing files that contain secrets, credentials, or PII.
+ *
+ * Workers should refuse operations on matching paths. This is enforced
+ * in the worker prompt and validated here for defense-in-depth.
+ */
+
+import * as path from "node:path";
+
+/** Basenames that almost certainly hold secrets or PII */
+const SENSITIVE_BASENAMES = /\.(?:env|pem|key|p12|pfx|crt|cer|jks|keystore|asc|gpg)(?:\..+)?$/i;
+const SENSITIVE_EXACT = /^(?:\.env|\.netrc|\.npmrc|\.pypirc|credentials|secrets?|passwords?|id_(?:rsa|dsa|ecdsa|ed25519)(?:\.pub)?|authorized_keys|known_hosts)$/i;
+
+/** Path components that indicate sensitive directories */
+const SENSITIVE_DIRS = new Set([".ssh", ".aws", ".gnupg", ".kube", ".docker", ".config/gcloud"]);
+
+/** Name tokens that suggest sensitive content */
+const SENSITIVE_TOKENS = ["secret", "credential", "password", "passwd", "apikey", "accesskey", "token", "privatekey"];
+
+/**
+ * Check if a file path looks like it contains sensitive data.
+ * Returns true if the path should be refused for worker operations.
+ */
+export function isSensitivePath(filePath: string): boolean {
+	const resolved = path.resolve(filePath);
+	const basename = path.basename(resolved);
+	const lower = basename.toLowerCase();
+
+	// Check exact sensitive filenames
+	if (SENSITIVE_EXACT.test(basename)) return true;
+
+	// Check sensitive extensions
+	if (SENSITIVE_BASENAMES.test(basename)) return true;
+
+	// Check path components
+	const parts = resolved.split(/[/\\]/).map((p) => p.toLowerCase());
+	for (const dir of SENSITIVE_DIRS) {
+		const dirParts = dir.split("/");
+		for (let i = 0; i <= parts.length - dirParts.length; i++) {
+			const slice = parts.slice(i, i + dirParts.length);
+			if (slice.join("/") === dir) return true;
+		}
+	}
+
+	// Check name tokens with word-boundary awareness to reduce false positives.
+	// Strategy: split filename on separators to get "words", then check if
+	// any token matches. For substring matching in the normalized form,
+	// we require the token to end at a segment boundary or string end.
+	// This matches 'secret', 'secrets' but NOT 'secretary'.
+	const words = lower.split(/[_\-\s.]+/).filter(Boolean);
+	const normalized = lower.replace(/[_\-\s.]/g, "");
+	for (const token of SENSITIVE_TOKENS) {
+		// Check individual words — exact match or token is prefix and word is <= token+2 chars
+		for (const word of words) {
+			if (word === token) return true;
+			// 'secrets' starts with 'secret' and is only 1 char longer → match
+			// 'secretary' starts with 'secret' but is 4 chars longer → no match
+			if (word.startsWith(token) && word.length <= token.length + 2) return true;
+		}
+		// Check fully-normalized form for compound tokens like 'api-key' → 'apikey'
+		// The token must appear as a complete segment (not a partial substring).
+		// After the token, the remaining chars must be a complete word (extension).
+		const idx = normalized.indexOf(token);
+		if (idx !== -1) {
+			const after = idx + token.length;
+			if (after === normalized.length) return true;
+			// Check if remaining chars after token correspond to a known word segment
+			const remaining = normalized.slice(after);
+			if (words.some((w) => remaining === w || remaining.startsWith(w))) return true;
+		}
+	}
+
+	return false;
+}
+
+/**
+ * Build a worker prompt constraint block listing forbidden paths.
+ * This goes into the worker system prompt to prevent accidental reads.
+ */
+export function buildSensitivePathConstraint(): string {
+	return [
+		"## Security Constraints",
+		"NEVER read, compress, or include content from:",
+		"- Files matching: .env*, *.pem, *.key, *.p12, credentials*, secrets*, passwords*, id_rsa*",
+		"- Directories: .ssh/, .aws/, .gnupg/, .kube/, .docker/",
+		"- Files with names containing: secret, credential, password, apikey, token, privatekey",
+		"If asked to read such a file, refuse and explain the security risk.",
+	].join("\n");
+}

package/src/runtime/session-resources.ts

@@ -1,25 +1,25 @@
-import type { ExtensionAPI } from "@mariozechner/pi-coding-agent";
-import { logInternalError } from "../utils/internal-error.ts";
-
-/**
- * Try to register a cleanup function with Pi's session resource cleanup API (v0.72+).
- * Falls back to returning undefined if the API is not available.
- *
- * The returned function (if defined) can be called to unregister the cleanup.
- */
-export function tryRegisterSessionCleanup(pi: ExtensionAPI, cleanup: () => void): (() => void) | undefined {
-	const api = pi as unknown as Record<string, unknown>;
-	const registerFn = api["registerSessionResourceCleanup"];
-	if (typeof registerFn === "function") {
-		try {
-			const unregister = (registerFn as (fn: () => void) => (() => void) | void)(cleanup);
-			if (typeof unregister === "function") return unregister;
-			// API returned void — cleanup is registered but cannot be unregistered
-			return undefined;
-		} catch (error) {
-			logInternalError("session-resources.register", error);
-			return undefined;
-		}
-	}
-	return undefined;
-}
+import type { ExtensionAPI } from "@mariozechner/pi-coding-agent";
+import { logInternalError } from "../utils/internal-error.ts";
+
+/**
+ * Try to register a cleanup function with Pi's session resource cleanup API (v0.72+).
+ * Falls back to returning undefined if the API is not available.
+ *
+ * The returned function (if defined) can be called to unregister the cleanup.
+ */
+export function tryRegisterSessionCleanup(pi: ExtensionAPI, cleanup: () => void): (() => void) | undefined {
+	const api = pi as unknown as Record<string, unknown>;
+	const registerFn = api["registerSessionResourceCleanup"];
+	if (typeof registerFn === "function") {
+		try {
+			const unregister = (registerFn as (fn: () => void) => (() => void) | void)(cleanup);
+			if (typeof unregister === "function") return unregister;
+			// API returned void — cleanup is registered but cannot be unregistered
+			return undefined;
+		} catch (error) {
+			logInternalError("session-resources.register", error);
+			return undefined;
+		}
+	}
+	return undefined;
+}