pi-crew 0.2.2 → 0.2.4

package/src/runtime/pi-spawn.ts

@@ -1,167 +1,167 @@
-import * as fs from "node:fs";
-import * as os from "node:os";
-import { fileURLToPath } from "node:url";
-import * as path from "node:path";
-
-export interface PiSpawnCommand {
-	command: string;
-	args: string[];
-}
-
-function isRunnableNodeScript(filePath: string): boolean {
-	return fs.existsSync(filePath) && /\.(?:mjs|cjs|js)$/i.test(filePath);
-}
-
-/**
- * Check that a resolved path is within known safe prefixes.
- * Allowed prefixes: npm global bin (APPDATA/npm), project node_modules/.bin,
- * or the current process's execPath directory.
- */
-function isWithinAllowedPrefixes(resolvedPath: string): boolean {
-	const normalized = path.resolve(resolvedPath).toLowerCase();
-
-	const allowedPrefixes: string[] = [];
-
-	// Current process execPath directory (e.g. node installation)
-	try {
-		const execDir = path.dirname(fs.realpathSync.native(process.execPath));
-		allowedPrefixes.push(execDir.toLowerCase());
-	} catch { /* ignore */ }
-
-	// npm global bin via APPDATA
-	if (process.env.APPDATA) {
-		allowedPrefixes.push(path.join(process.env.APPDATA, "npm").toLowerCase());
-	}
-
-	// Project-local node_modules/.bin
-	try {
-		const projectBin = path.resolve("node_modules", ".bin");
-		allowedPrefixes.push(projectBin.toLowerCase());
-	} catch { /* ignore */ }
-
-	// User home npm-global
-	try {
-		const homeNpm = path.join(os.homedir(), ".npm-global", "bin");
-		allowedPrefixes.push(homeNpm.toLowerCase());
-	} catch { /* ignore */ }
-
-	// User home .local/bin
-	try {
-		const homeLocal = path.join(os.homedir(), ".local", "bin");
-		allowedPrefixes.push(homeLocal.toLowerCase());
-	} catch { /* ignore */ }
-
-	return allowedPrefixes.some((prefix) => normalized.startsWith(prefix));
-}
-
-function resolvePiPackageRoot(): string | undefined {
-	try {
-		const entry = process.argv[1];
-		if (!entry) return undefined;
-		let dir = path.dirname(fs.realpathSync(entry));
-		while (dir !== path.dirname(dir)) {
-			try {
-				const pkg = JSON.parse(fs.readFileSync(path.join(dir, "package.json"), "utf-8")) as { name?: string };
-				if (pkg.name === "@mariozechner/pi-coding-agent") return dir;
-			} catch {
-				// Continue walking upward.
-			}
-			dir = path.dirname(dir);
-		}
-	} catch {
-		return undefined;
-	}
-	return undefined;
-}
-
-function packageBinScript(packageJsonPath: string): string | undefined {
-	try {
-		const pkg = JSON.parse(fs.readFileSync(packageJsonPath, "utf-8")) as { bin?: string | Record<string, string> };
-		const binPath = typeof pkg.bin === "string" ? pkg.bin : pkg.bin?.pi ?? Object.values(pkg.bin ?? {})[0];
-		if (!binPath) return undefined;
-		const candidate = path.resolve(path.dirname(packageJsonPath), binPath);
-		return isRunnableNodeScript(candidate) ? candidate : undefined;
-	} catch {
-		return undefined;
-	}
-}
-
-function findPiPackageJsonFrom(startDir: string): string | undefined {
-	let dir = startDir;
-	while (dir !== path.dirname(dir)) {
-		const direct = path.join(dir, "package.json");
-		try {
-			const pkg = JSON.parse(fs.readFileSync(direct, "utf-8")) as { name?: string };
-			if (pkg.name === "@mariozechner/pi-coding-agent") return direct;
-		} catch {
-			// Continue searching upward and in node_modules.
-		}
-		const dependency = path.join(dir, "node_modules", "@mariozechner", "pi-coding-agent", "package.json");
-		if (fs.existsSync(dependency)) return dependency;
-		dir = path.dirname(dir);
-	}
-	return undefined;
-}
-
-function resolvePiCliScript(): string | undefined {
-	const argv1 = process.argv[1];
-	if (argv1) {
-		const argvPath = path.isAbsolute(argv1) ? argv1 : path.resolve(argv1);
-		if (isRunnableNodeScript(argvPath)) return argvPath;
-	}
-
-	const roots = [
-		resolvePiPackageRoot(),
-		process.env.APPDATA ? path.join(process.env.APPDATA, "npm", "node_modules", "@mariozechner", "pi-coding-agent") : undefined,
-		path.dirname(fileURLToPath(import.meta.url)),
-		process.cwd(),
-	].filter((entry): entry is string => Boolean(entry));
-
-	for (const root of roots) {
-		const packageJsonPath = root.endsWith("package.json") ? root : findPiPackageJsonFrom(root) ?? path.join(root, "package.json");
-		const script = packageBinScript(packageJsonPath);
-		if (script) return script;
-	}
-	return undefined;
-}
-
-function validateExplicitBin(explicit: string): string | undefined {
-	const resolved = path.resolve(explicit);
-	if (!fs.existsSync(resolved)) return undefined;
-	// Reject paths outside allowed safe prefixes
-	if (!isWithinAllowedPrefixes(resolved)) {
-		throw new Error(
-			`PI_TEAMS_PI_BIN path '${resolved}' is outside allowed prefixes. ` +
-			`Allowed: npm global bin, project node_modules/.bin, APPDATA/npm, or process execPath directory.`,
-		);
-	}
-	// Reject if symlink points outside expected directories
-	try {
-		const real = fs.realpathSync(resolved);
-		if (!isWithinAllowedPrefixes(real)) {
-			throw new Error(
-				`PI_TEAMS_PI_BIN symlink target '${real}' is outside allowed prefixes.`,
-			);
-		}
-	} catch (e) {
-		if (e instanceof Error && e.message.includes("allowed prefixes")) throw e;
-		return undefined;
-	}
-	return resolved;
-}
-
-export function getPiSpawnCommand(args: string[]): PiSpawnCommand {
-	const explicit = process.env.PI_TEAMS_PI_BIN?.trim();
-	if (explicit) {
-		const validated = validateExplicitBin(explicit);
-		if (validated) {
-			if (isRunnableNodeScript(validated)) return { command: process.execPath, args: [validated, ...args] };
-			return { command: validated, args };
-		}
-	}
-	if (process.platform === "win32") {
-		const script = resolvePiCliScript();
-		if (script) return { command: process.execPath, args: [script, ...args] };
-	}
-	return { command: "pi", args };
-}
+import * as fs from "node:fs";
+import * as os from "node:os";
+import { fileURLToPath } from "node:url";
+import * as path from "node:path";
+
+export interface PiSpawnCommand {
+	command: string;
+	args: string[];
+}
+
+function isRunnableNodeScript(filePath: string): boolean {
+	return fs.existsSync(filePath) && /\.(?:mjs|cjs|js)$/i.test(filePath);
+}
+
+/**
+ * Check that a resolved path is within known safe prefixes.
+ * Allowed prefixes: npm global bin (APPDATA/npm), project node_modules/.bin,
+ * or the current process's execPath directory.
+ */
+function isWithinAllowedPrefixes(resolvedPath: string): boolean {
+	const normalized = path.resolve(resolvedPath).toLowerCase();
+
+	const allowedPrefixes: string[] = [];
+
+	// Current process execPath directory (e.g. node installation)
+	try {
+		const execDir = path.dirname(fs.realpathSync.native(process.execPath));
+		allowedPrefixes.push(execDir.toLowerCase());
+	} catch { /* ignore */ }
+
+	// npm global bin via APPDATA
+	if (process.env.APPDATA) {
+		allowedPrefixes.push(path.join(process.env.APPDATA, "npm").toLowerCase());
+	}
+
+	// Project-local node_modules/.bin
+	try {
+		const projectBin = path.resolve("node_modules", ".bin");
+		allowedPrefixes.push(projectBin.toLowerCase());
+	} catch { /* ignore */ }
+
+	// User home npm-global
+	try {
+		const homeNpm = path.join(os.homedir(), ".npm-global", "bin");
+		allowedPrefixes.push(homeNpm.toLowerCase());
+	} catch { /* ignore */ }
+
+	// User home .local/bin
+	try {
+		const homeLocal = path.join(os.homedir(), ".local", "bin");
+		allowedPrefixes.push(homeLocal.toLowerCase());
+	} catch { /* ignore */ }
+
+	return allowedPrefixes.some((prefix) => normalized.startsWith(prefix));
+}
+
+function resolvePiPackageRoot(): string | undefined {
+	try {
+		const entry = process.argv[1];
+		if (!entry) return undefined;
+		let dir = path.dirname(fs.realpathSync(entry));
+		while (dir !== path.dirname(dir)) {
+			try {
+				const pkg = JSON.parse(fs.readFileSync(path.join(dir, "package.json"), "utf-8")) as { name?: string };
+				if (pkg.name === "@mariozechner/pi-coding-agent") return dir;
+			} catch {
+				// Continue walking upward.
+			}
+			dir = path.dirname(dir);
+		}
+	} catch {
+		return undefined;
+	}
+	return undefined;
+}
+
+function packageBinScript(packageJsonPath: string): string | undefined {
+	try {
+		const pkg = JSON.parse(fs.readFileSync(packageJsonPath, "utf-8")) as { bin?: string | Record<string, string> };
+		const binPath = typeof pkg.bin === "string" ? pkg.bin : pkg.bin?.pi ?? Object.values(pkg.bin ?? {})[0];
+		if (!binPath) return undefined;
+		const candidate = path.resolve(path.dirname(packageJsonPath), binPath);
+		return isRunnableNodeScript(candidate) ? candidate : undefined;
+	} catch {
+		return undefined;
+	}
+}
+
+function findPiPackageJsonFrom(startDir: string): string | undefined {
+	let dir = startDir;
+	while (dir !== path.dirname(dir)) {
+		const direct = path.join(dir, "package.json");
+		try {
+			const pkg = JSON.parse(fs.readFileSync(direct, "utf-8")) as { name?: string };
+			if (pkg.name === "@mariozechner/pi-coding-agent") return direct;
+		} catch {
+			// Continue searching upward and in node_modules.
+		}
+		const dependency = path.join(dir, "node_modules", "@mariozechner", "pi-coding-agent", "package.json");
+		if (fs.existsSync(dependency)) return dependency;
+		dir = path.dirname(dir);
+	}
+	return undefined;
+}
+
+function resolvePiCliScript(): string | undefined {
+	const argv1 = process.argv[1];
+	if (argv1) {
+		const argvPath = path.isAbsolute(argv1) ? argv1 : path.resolve(argv1);
+		if (isRunnableNodeScript(argvPath)) return argvPath;
+	}
+
+	const roots = [
+		resolvePiPackageRoot(),
+		process.env.APPDATA ? path.join(process.env.APPDATA, "npm", "node_modules", "@mariozechner", "pi-coding-agent") : undefined,
+		path.dirname(fileURLToPath(import.meta.url)),
+		process.cwd(),
+	].filter((entry): entry is string => Boolean(entry));
+
+	for (const root of roots) {
+		const packageJsonPath = root.endsWith("package.json") ? root : findPiPackageJsonFrom(root) ?? path.join(root, "package.json");
+		const script = packageBinScript(packageJsonPath);
+		if (script) return script;
+	}
+	return undefined;
+}
+
+function validateExplicitBin(explicit: string): string | undefined {
+	const resolved = path.resolve(explicit);
+	if (!fs.existsSync(resolved)) return undefined;
+	// Reject paths outside allowed safe prefixes
+	if (!isWithinAllowedPrefixes(resolved)) {
+		throw new Error(
+			`PI_TEAMS_PI_BIN path '${resolved}' is outside allowed prefixes. ` +
+			`Allowed: npm global bin, project node_modules/.bin, APPDATA/npm, or process execPath directory.`,
+		);
+	}
+	// Reject if symlink points outside expected directories
+	try {
+		const real = fs.realpathSync(resolved);
+		if (!isWithinAllowedPrefixes(real)) {
+			throw new Error(
+				`PI_TEAMS_PI_BIN symlink target '${real}' is outside allowed prefixes.`,
+			);
+		}
+	} catch (e) {
+		if (e instanceof Error && e.message.includes("allowed prefixes")) throw e;
+		return undefined;
+	}
+	return resolved;
+}
+
+export function getPiSpawnCommand(args: string[]): PiSpawnCommand {
+	const explicit = process.env.PI_TEAMS_PI_BIN?.trim();
+	if (explicit) {
+		const validated = validateExplicitBin(explicit);
+		if (validated) {
+			if (isRunnableNodeScript(validated)) return { command: process.execPath, args: [validated, ...args] };
+			return { command: validated, args };
+		}
+	}
+	if (process.platform === "win32") {
+		const script = resolvePiCliScript();
+		if (script) return { command: process.execPath, args: [script, ...args] };
+	}
+	return { command: "pi", args };
+}

package/src/runtime/policy-engine.ts

@@ -1,79 +1,79 @@
-import type { CrewLimitsConfig } from "../config/config.ts";
-import type { PolicyDecision, PolicyDecisionAction, PolicyDecisionReason, TeamRunManifest, TeamTaskState } from "../state/types.ts";
-import { evaluateGreenContract } from "./green-contract.ts";
-import { isWorkerHeartbeatStale } from "./worker-heartbeat.ts";
-
-export interface PolicyEngineInput {
-	manifest: TeamRunManifest;
-	tasks: TeamTaskState[];
-	limits?: CrewLimitsConfig;
-	now?: Date;
-}
-
-function decision(action: PolicyDecisionAction, reason: PolicyDecisionReason, message: string, taskId?: string): PolicyDecision {
-	return {
-		action,
-		reason,
-		message,
-		taskId,
-		createdAt: new Date().toISOString(),
-	};
-}
-
-function taskDepth(task: TeamTaskState, tasksById: Map<string, TeamTaskState>): number {
-	let depth = 0;
-	let current = task.graph?.parentId;
-	const seen = new Set<string>();
-	while (current && !seen.has(current)) {
-		seen.add(current);
-		depth += 1;
-		current = tasksById.get(current)?.graph?.parentId;
-	}
-	return depth;
-}
-
-export function evaluateCrewPolicy(input: PolicyEngineInput): PolicyDecision[] {
-	const decisions: PolicyDecision[] = [];
-	const maxTasksPerRun = Number.isFinite(input.limits?.maxTasksPerRun) ? input.limits!.maxTasksPerRun : undefined;
-	if (maxTasksPerRun !== undefined && input.tasks.length > maxTasksPerRun) {
-		decisions.push(decision("block", "limit_exceeded", `Run has ${input.tasks.length} tasks, exceeding maxTasksPerRun=${maxTasksPerRun}.`));
-	}
-	const runningCount = input.tasks.filter((task) => task.status === "running").length;
-	const maxConcurrentWorkers = Number.isFinite(input.limits?.maxConcurrentWorkers) ? input.limits!.maxConcurrentWorkers : undefined;
-	if (maxConcurrentWorkers !== undefined && runningCount > maxConcurrentWorkers) {
-		decisions.push(decision("block", "limit_exceeded", `Run has ${runningCount} running workers, exceeding maxConcurrentWorkers=${maxConcurrentWorkers}.`));
-	}
-	const tasksById = new Map(input.tasks.map((task) => [task.id, task]));
-
-	for (const task of input.tasks) {
-		if (input.limits?.maxChildrenPerTask !== undefined && (task.graph?.children.length ?? 0) > input.limits.maxChildrenPerTask) {
-			decisions.push(decision("block", "limit_exceeded", `Task has ${task.graph?.children.length ?? 0} children, exceeding maxChildrenPerTask=${input.limits.maxChildrenPerTask}.`, task.id));
-		}
-		if (input.limits?.maxTaskDepth !== undefined && taskDepth(task, tasksById) > input.limits.maxTaskDepth) {
-			decisions.push(decision("block", "limit_exceeded", `Task graph depth exceeds maxTaskDepth=${input.limits.maxTaskDepth}.`, task.id));
-		}
-		if (task.status === "failed") {
-			const retryCount = task.policy?.retryCount ?? 0;
-			const maxRetries = input.limits?.maxRetriesPerTask ?? 0;
-			decisions.push(decision(retryCount < maxRetries ? "retry" : "escalate", "task_failed", task.error ? `Task failed: ${task.error}` : "Task failed.", task.id));
-		}
-		if ((task.status === "running" || task.status === "queued") && task.heartbeat && task.heartbeat.alive !== false && isWorkerHeartbeatStale(task.heartbeat, input.limits?.heartbeatStaleMs ?? 60_000, input.now)) {
-			decisions.push(decision("escalate", "worker_stale", "Worker heartbeat is stale.", task.id));
-		}
-		if (task.taskPacket?.verification) {
-			const outcome = evaluateGreenContract(task.taskPacket.verification, task.verification);
-			if (!outcome.satisfied && task.status === "completed") {
-				decisions.push(decision("block", "green_unsatisfied", `Green contract unsatisfied: required=${outcome.requiredGreenLevel}, observed=${outcome.observedGreenLevel}.`, task.id));
-			}
-		}
-	}
-
-	if (decisions.length === 0 && input.tasks.length > 0 && input.tasks.every((task) => task.status === "completed")) {
-		decisions.push(decision("closeout", "run_complete", "All tasks completed and no policy blockers were found."));
-	}
-	return decisions;
-}
-
-export function summarizePolicyDecisions(decisions: PolicyDecision[]): string[] {
-	return decisions.map((item) => `- ${item.action} (${item.reason})${item.taskId ? ` ${item.taskId}` : ""}: ${item.message}`);
-}
+import type { CrewLimitsConfig } from "../config/config.ts";
+import type { PolicyDecision, PolicyDecisionAction, PolicyDecisionReason, TeamRunManifest, TeamTaskState } from "../state/types.ts";
+import { evaluateGreenContract } from "./green-contract.ts";
+import { isWorkerHeartbeatStale } from "./worker-heartbeat.ts";
+
+export interface PolicyEngineInput {
+	manifest: TeamRunManifest;
+	tasks: TeamTaskState[];
+	limits?: CrewLimitsConfig;
+	now?: Date;
+}
+
+function decision(action: PolicyDecisionAction, reason: PolicyDecisionReason, message: string, taskId?: string): PolicyDecision {
+	return {
+		action,
+		reason,
+		message,
+		taskId,
+		createdAt: new Date().toISOString(),
+	};
+}
+
+function taskDepth(task: TeamTaskState, tasksById: Map<string, TeamTaskState>): number {
+	let depth = 0;
+	let current = task.graph?.parentId;
+	const seen = new Set<string>();
+	while (current && !seen.has(current)) {
+		seen.add(current);
+		depth += 1;
+		current = tasksById.get(current)?.graph?.parentId;
+	}
+	return depth;
+}
+
+export function evaluateCrewPolicy(input: PolicyEngineInput): PolicyDecision[] {
+	const decisions: PolicyDecision[] = [];
+	const maxTasksPerRun = Number.isFinite(input.limits?.maxTasksPerRun) ? input.limits!.maxTasksPerRun : undefined;
+	if (maxTasksPerRun !== undefined && input.tasks.length > maxTasksPerRun) {
+		decisions.push(decision("block", "limit_exceeded", `Run has ${input.tasks.length} tasks, exceeding maxTasksPerRun=${maxTasksPerRun}.`));
+	}
+	const runningCount = input.tasks.filter((task) => task.status === "running").length;
+	const maxConcurrentWorkers = Number.isFinite(input.limits?.maxConcurrentWorkers) ? input.limits!.maxConcurrentWorkers : undefined;
+	if (maxConcurrentWorkers !== undefined && runningCount > maxConcurrentWorkers) {
+		decisions.push(decision("block", "limit_exceeded", `Run has ${runningCount} running workers, exceeding maxConcurrentWorkers=${maxConcurrentWorkers}.`));
+	}
+	const tasksById = new Map(input.tasks.map((task) => [task.id, task]));
+
+	for (const task of input.tasks) {
+		if (input.limits?.maxChildrenPerTask !== undefined && (task.graph?.children.length ?? 0) > input.limits.maxChildrenPerTask) {
+			decisions.push(decision("block", "limit_exceeded", `Task has ${task.graph?.children.length ?? 0} children, exceeding maxChildrenPerTask=${input.limits.maxChildrenPerTask}.`, task.id));
+		}
+		if (input.limits?.maxTaskDepth !== undefined && taskDepth(task, tasksById) > input.limits.maxTaskDepth) {
+			decisions.push(decision("block", "limit_exceeded", `Task graph depth exceeds maxTaskDepth=${input.limits.maxTaskDepth}.`, task.id));
+		}
+		if (task.status === "failed") {
+			const retryCount = task.policy?.retryCount ?? 0;
+			const maxRetries = input.limits?.maxRetriesPerTask ?? 0;
+			decisions.push(decision(retryCount < maxRetries ? "retry" : "escalate", "task_failed", task.error ? `Task failed: ${task.error}` : "Task failed.", task.id));
+		}
+		if ((task.status === "running" || task.status === "queued") && task.heartbeat && task.heartbeat.alive !== false && isWorkerHeartbeatStale(task.heartbeat, input.limits?.heartbeatStaleMs ?? 60_000, input.now)) {
+			decisions.push(decision("escalate", "worker_stale", "Worker heartbeat is stale.", task.id));
+		}
+		if (task.taskPacket?.verification) {
+			const outcome = evaluateGreenContract(task.taskPacket.verification, task.verification);
+			if (!outcome.satisfied && task.status === "completed") {
+				decisions.push(decision("block", "green_unsatisfied", `Green contract unsatisfied: required=${outcome.requiredGreenLevel}, observed=${outcome.observedGreenLevel}.`, task.id));
+			}
+		}
+	}
+
+	if (decisions.length === 0 && input.tasks.length > 0 && input.tasks.every((task) => task.status === "completed")) {
+		decisions.push(decision("closeout", "run_complete", "All tasks completed and no policy blockers were found."));
+	}
+	return decisions;
+}
+
+export function summarizePolicyDecisions(decisions: PolicyDecision[]): string[] {
+	return decisions.map((item) => `- ${item.action} (${item.reason})${item.taskId ? ` ${item.taskId}` : ""}: ${item.message}`);
+}