pi-crew 0.3.5 → 0.3.6

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pi-crew",
-  "version": "0.3.5",
+  "version": "0.3.6",
   "description": "Pi extension for coordinated AI teams, workflows, worktrees, and async task orchestration",
   "author": "baphuongna",
   "license": "MIT",

package/src/extension/cross-extension-rpc.ts

@@ -38,6 +38,46 @@ function textOf(result: Awaited<ReturnType<typeof handleTeamTool>>): string {
 	return result.content?.map((item) => item.type === "text" ? item.text : "").join("\n") ?? "";
 }
 
+// SECURITY: Strictly enumerate allowed operations per RPC channel.
+// Only read-only operations are permitted via RPC to prevent malicious extensions
+// from mutating run state without user consent.
+const RPC_ALLOWED_OPERATIONS = new Set([
+	// Read-only manifest/plan ops
+	"metrics-snapshot", "inventory", "read-manifest",
+	"list-tasks", "read-task", "read-events",
+	// Read-only agent ops
+	"list-agents", "read-agent-status", "read-agent-events",
+	"read-agent-transcript", "read-agent-output", "agent-dashboard",
+	// Mailbox read ops
+	"read-mailbox", "read-delivery", "read-heartbeat",
+	// No mutating ops (approve-plan, cancel-plan, steer-agent, stop-agent, etc.)
+	// — these require explicit intent confirmation and are NOT allowed via RPC.
+]);
+
+function isAllowedRpcOperation(operation: string): boolean {
+	return RPC_ALLOWED_OPERATIONS.has(operation);
+}
+
+function isAllowedRpcRunParams(params: TeamToolParamsValue): { ok: boolean; error?: string } {
+	// SECURITY: Require explicit intent for any RPC-initiated run creation.
+	// This prevents malicious extensions from spawning child Pi processes silently.
+	const cfg = params.config as Record<string, unknown> | undefined;
+	const intent = cfg?.intent as string | undefined;
+	if (!intent || typeof intent !== "string" || intent.trim().length === 0) {
+		return { ok: false, error: "RPC run requires config.intent (a non-empty intent string)" };
+	}
+	// SECURITY: Validate cwd is within the project directory if provided.
+	if (params.cwd && typeof params.cwd === "string") {
+		try {
+			const { resolveContainedPath } = require("../utils/safe-paths.ts");
+			resolveContainedPath(params.cwd, ".");
+		} catch {
+			return { ok: false, error: "RPC run config.cwd must be within the project directory" };
+		}
+	}
+	return { ok: true };
+}
+
 function on(events: EventBusLike, channel: string, handler: (raw: unknown) => void): () => void {
 	const unsub = events.on(channel, handler);
 	return typeof unsub === "function" ? unsub : () => {};
@@ -65,6 +105,11 @@ export function registerPiCrewRpc(events: EventBusLike | undefined, getCtx: () =
 				} else {
 					params = { action: "run" };
 				}
+				const permission = isAllowedRpcRunParams(params);
+				if (!permission.ok) {
+					reply(events, "pi-crew:rpc:run", id, { success: false, error: permission.error ?? "permission denied" });
+					return;
+				}
 				const result = await handleTeamTool(params, ctx);
 				reply(events, "pi-crew:rpc:run", id, result.isError ? { success: false, error: textOf(result) } : { success: true, data: result.details });
 			} catch (error) {
@@ -87,18 +132,29 @@ export function registerPiCrewRpc(events: EventBusLike | undefined, getCtx: () =
 			const request = parseLiveControlRealtimeMessage(raw);
 			if (request) publishLiveControlRealtime(request);
 		}),
-		on(events, "pi-crew:rpc:live-control", async (raw) => {
-			const id = requestId(raw);
-			try {
-				const ctx = getCtx();
-				if (!ctx) throw new Error("No active pi-crew session context.");
-				const obj = raw && typeof raw === "object" && !Array.isArray(raw) ? raw as Record<string, unknown> : {};
-				const result = await handleTeamTool({ action: "api", runId: typeof obj.runId === "string" ? obj.runId : undefined, config: { operation: typeof obj.operation === "string" ? obj.operation : "steer-agent", agentId: obj.agentId, message: obj.message, prompt: obj.prompt } }, ctx);
-				reply(events, "pi-crew:rpc:live-control", id, result.isError ? { success: false, error: textOf(result) } : { success: true, data: { text: textOf(result), details: result.details } });
-			} catch (error) {
-				reply(events, "pi-crew:rpc:live-control", id, { success: false, error: error instanceof Error ? error.message : String(error) });
-			}
-		}),
+			on(events, "pi-crew:rpc:live-control", async (raw) => {
+				const id = requestId(raw);
+				try {
+					const ctx = getCtx();
+					if (!ctx) throw new Error("No active pi-crew session context.");
+					const obj = raw && typeof raw === "object" && !Array.isArray(raw) ? raw as Record<string, unknown> : {};
+					const rawOp = typeof obj.operation === "string" ? obj.operation : "steer-agent";
+					// SECURITY: Reject any operation not in the explicit allowlist.
+					// Mutating ops (approve-plan, cancel-plan, steer-agent, stop-agent, etc.)
+					// require user consent and are blocked here.
+					if (!isAllowedRpcOperation(rawOp)) {
+						reply(events, "pi-crew:rpc:live-control", id, {
+							success: false,
+							error: `RPC operation '${rawOp}' is not allowed. Allowed: ${[...RPC_ALLOWED_OPERATIONS].join(", ")}`,
+						});
+						return;
+					}
+					const result = await handleTeamTool({ action: "api", runId: typeof obj.runId === "string" ? obj.runId : undefined, config: { operation: rawOp, agentId: obj.agentId, message: obj.message, prompt: obj.prompt } }, ctx);
+					reply(events, "pi-crew:rpc:live-control", id, result.isError ? { success: false, error: textOf(result) } : { success: true, data: { text: textOf(result), details: result.details } });
+				} catch (error) {
+					reply(events, "pi-crew:rpc:live-control", id, { success: false, error: error instanceof Error ? error.message : String(error) });
+				}
+			}),
 	];
 	return { unsubscribe: () => unsubs.forEach((unsub) => unsub()) };
 }

package/src/extension/management.ts

@@ -107,10 +107,17 @@ function parseSteps(value: unknown): { steps?: WorkflowStep[]; error?: string }
 		if (id.error) return { error: id.error };
 		const role = requireString(obj.role, `config.steps[${i}].role`);
 		if (role.error) return { error: role.error };
+		// SECURITY: Sanitize task field to prevent markdown injection in workflow markdown.
+		// Strip characters that could create headings, code blocks, or links.
+		// Defense-in-depth — the task field is stored in YAML frontmatter, not executed.
+		const rawTask = obj.task;
+		const task = typeof rawTask === "string"
+			? rawTask.replace(/^#{1,6}\s+/gm, "").replace(/```/g, "\`\`").replace(/\n{3,}/g, "\n\n").slice(0, 4000)
+			: "{goal}";
 		steps.push({
 			id: sanitizeName(id.value!),
 			role: sanitizeName(role.value!),
-			task: typeof obj.task === "string" ? obj.task : "{goal}",
+			task,
 			dependsOn: parseStringArray(obj.dependsOn),
 			parallelGroup: typeof obj.parallelGroup === "string" ? obj.parallelGroup.trim() : undefined,
 			output: obj.output === false ? false : typeof obj.output === "string" ? obj.output.trim() : undefined,

package/src/extension/register.ts

@@ -468,12 +468,13 @@ export function registerPiTeams(pi: ExtensionAPI): void {
 			};
 			while (!check()) await new Promise((resolve) => setTimeout(resolve, 500));
 		};
-		registry.hasRunning = (runId: string) => {
+		registry.hasRunning = async (runId: string) => {
 			const manifest = manifestCacheForRegistry.get(runId);
 			if (!manifest) return false;
-		// LAZY: state-store only needed in hasRunning; avoid at startup.
-			const { loadRunManifestById } = require("../state/state-store.ts");
-			const loaded = loadRunManifestById(currentCtx?.cwd ?? process.cwd(), runId);
+			// LAZY: state-store only needed in hasRunning; avoid at startup.
+			// Use dynamic import to avoid CJS/ESM mixed module issues.
+			const { loadRunManifestById: loadRunForHasRunning } = await import("../state/state-store.ts");
+			const loaded = loadRunForHasRunning(currentCtx?.cwd ?? process.cwd(), runId);
 			if (!loaded) return false;
 			return loaded.tasks.some((t: { status: string }) => t.status === "running" || t.status === "queued");
 		};

package/src/extension/run-import.ts

@@ -16,6 +16,10 @@ export interface ImportedRunBundleInfo {
 
 function importRoot(cwd: string, scope: "project" | "user"): string {
 	const base = scope === "project" ? projectCrewRoot(cwd) : userCrewRoot();
+	// SECURITY NOTE: `DEFAULT_PATHS.state.importsSubdir` is a constant (not user-controlled).
+	// If this constant ever becomes user-influenced, this function could become a path
+	// traversal risk. Always keep `importsSubdir` as a hardcoded constant. Do NOT accept
+	// `importsSubdir` as a parameter or from config.
 	return path.join(base, DEFAULT_PATHS.state.importsSubdir);
 }
 

package/src/hooks/registry.ts

@@ -5,6 +5,11 @@ import { runEventBus } from "../ui/run-event-bus.ts";
 
 const registry = new Map<HookName, HookDefinition[]>();
 
+// SECURITY: Hooks are currently global (registered once, applied to all workspaces).
+// For multi-workspace environments, consider filtering hooks by workspace scope:
+//   const workspaceHooks = getHooks(name).filter(h => !h.workspaceId || h.workspaceId === ctx.workspaceId);
+// This prevents globally-registered hooks from operating on runs they weren't designed for.
+
 export function registerHook(definition: HookDefinition): void {
 	const hooks = registry.get(definition.name) ?? [];
 	hooks.push(definition);
@@ -22,15 +27,22 @@ export function getHooks(name: HookName): HookDefinition[] {
 export async function executeHook(name: HookName, ctx: HookContext): Promise<HookExecutionReport> {
 	const hooks = getHooks(name);
 	if (hooks.length === 0) return { hookName: name, outcome: "allow", durationMs: 0 };
+	// SECURITY: If ctx contains a workspaceId, filter hooks to only those scoped to
+	// this workspace. This prevents globally-registered hooks from operating on runs
+	// they weren't designed for.
+	const scopedHooks = ctx.workspaceId
+		? hooks.filter((h) => !h.workspaceId || h.workspaceId === ctx.workspaceId)
+		: hooks;
+	if (scopedHooks.length === 0) return { hookName: name, outcome: "allow", durationMs: 0 };
 	const start = Date.now();
 	const diagnostics: string[] = [];
 	let capturedModifications: Record<string, unknown> | undefined;
-	for (const hook of hooks) {
-		try {
-			const result: HookResult = await hook.handler(ctx);
-			if (hook.mode === "blocking" && result.outcome === "block") {
-				return { hookName: name, outcome: "block", durationMs: Date.now() - start, reason: result.reason };
-			}
+	for (const hook of scopedHooks) {
+			try {
+				const result: HookResult = await hook.handler(ctx);
+				if (hook.mode === "blocking" && result.outcome === "block") {
+					return { hookName: name, outcome: "block", durationMs: Date.now() - start, reason: result.reason };
+				}
 			if (result.outcome === "modify" && result.data) {
 				Object.assign(ctx, result.data);
 				capturedModifications = { ...result.data };

package/src/hooks/types.ts

@@ -30,6 +30,9 @@ export interface HookDefinition {
 	name: HookName;
 	mode: HookMode;
 	handler: (ctx: HookContext) => HookResult | Promise<HookResult>;
+	// SECURITY: Optional workspace scoping. When set, the hook only executes for
+	// runs in the specified workspace. When absent, the hook applies to all runs.
+	workspaceId?: string;
 }
 
 export interface HookExecutionReport {

package/src/runtime/subagent-manager.ts

@@ -79,6 +79,10 @@ export function savePersistedSubagentRecord(cwd: string, record: SubagentRecord)
 		const filePath = persistedSubagentPath(cwd, record.id);
 		fs.mkdirSync(path.dirname(filePath), { recursive: true });
 		fs.writeFileSync(filePath, `${JSON.stringify(redactSecrets(serializableRecord(record)), null, 2)}\n`, "utf-8");
+		// SECURITY: Restrict permissions to owner-only (rw-------).
+		// On multi-user systems, other users must not read task prompts,
+		// agent descriptions, and run IDs from subagent record files.
+		fs.chmodSync(filePath, 0o600);
 	} catch (error) {
 		logInternalError("subagent-manager.save", error, `id=${record.id}`);
 	}

package/src/worktree/worktree-manager.ts

@@ -77,18 +77,36 @@ function normalizeSyntheticPath(worktreePath: string, rawPath: string): string {
  * @param hookPath - The hook script path to validate
  * @returns true if the path is allowed, false otherwise
  */
-	function isAllowedSetupHook(hookPath: string): boolean {
-		if (!hookPath || hookPath.trim().length === 0) return false;
-		if (!path.isAbsolute(hookPath)) {
-			// Use path.posix.normalize for consistent forward-slash handling on all platforms.
-			const normalized = path.posix.normalize(hookPath);
-			return normalized === ".hooks" || normalized.startsWith(".hooks/");
-		}
-		// Normalize to forward slashes for consistent cross-platform comparison.
-		const normalizedHookPath = hookPath.replace(/\\/g, "/");
-		const homeHooksNormalized = (process.env.HOME ?? "").replace(/\\/g, "/") + "/.pi/hooks";
-		return normalizedHookPath === homeHooksNormalized || normalizedHookPath.startsWith(homeHooksNormalized + "/");
+function isAllowedSetupHook(hookPath: string): boolean {
+	if (!hookPath || hookPath.trim().length === 0) return false;
+	if (!path.isAbsolute(hookPath)) {
+		// Use path.posix.normalize for consistent forward-slash handling on all platforms.
+		const normalized = path.posix.normalize(hookPath);
+		return normalized === ".hooks" || normalized.startsWith(".hooks/");
+	}
+	// Normalize to forward slashes for consistent cross-platform comparison.
+	const normalizedHookPath = hookPath.replace(/\\/g, "/");
+	const homeHooksNormalized = (process.env.HOME ?? "").replace(/\\/g, "/") + "/.pi/hooks";
+	return normalizedHookPath === homeHooksNormalized || normalizedHookPath.startsWith(homeHooksNormalized + "/");
+}
+
+/**
+ * SECURITY: Verify a hook script path remains within the allowed directory after
+ * real-path resolution. This prevents symlink-based escape where repoRoot is a
+ * symlink and the hook path would resolve outside the repository.
+ * @param repoRoot - The repository root (resolved to real path)
+ * @param hookPath - The resolved absolute hook path
+ * @returns true if the hook is safely contained within repoRoot
+ */
+function isHookPathContainedInRepoRoot(repoRoot: string, hookPath: string): boolean {
+	try {
+		const realRepoRoot = fs.realpathSync(repoRoot);
+		const realHookPath = fs.realpathSync(path.dirname(hookPath));
+		return realHookPath.startsWith(realRepoRoot + path.sep) || realHookPath === realRepoRoot;
+	} catch {
+		return false;
 	}
+}
 
 function runSetupHook(manifest: TeamRunManifest, task: TeamTaskState, repoRoot: string, worktreePath: string, branch: string): string[] {
 	const cfg = loadConfig(manifest.cwd).config.worktree;
@@ -99,6 +117,12 @@ function runSetupHook(manifest: TeamRunManifest, task: TeamTaskState, repoRoot:
 		return [];
 	}
 	const hookPath = path.isAbsolute(rawHookPath) ? rawHookPath : path.resolve(repoRoot, rawHookPath);
+	// SECURITY: Verify the resolved hook path is contained within the real repoRoot.
+	// This prevents symlink-based escape where repoRoot is a symlink.
+	if (!path.isAbsolute(rawHookPath) && !isHookPathContainedInRepoRoot(repoRoot, hookPath)) {
+		logInternalError("worktree.setupHook.contained", new Error("hook path escapes repoRoot after realpath resolution: " + hookPath), `repoRoot=${repoRoot}`);
+		return [];
+	}
 	if (!fs.existsSync(hookPath) || fs.statSync(hookPath).isDirectory()) {
 		logInternalError("worktree.setupHook.missing", new Error("hook not found or is directory: " + hookPath), `cwd=${manifest.cwd}`);
 		return [];