npm - pi-crew - Versions diffs - 0.5.12 → 0.5.13 - Mend

pi-crew 0.5.12 → 0.5.13

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/CHANGELOG.md +22 -0
package/README.md +1 -1
package/docs/pi-crew-v0.5.13-audit-fix-plan.md +75 -0
package/package.json +1 -1
package/src/benchmark/benchmark-runner.ts +22 -7
package/src/utils/bm25-search.ts +28 -10

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,27 @@
 # Changelog
+## [0.5.13] — Round 18 Audit Fixes (2026-06-02)
+### Phase 1: Switch to execFileSync (HIGH security)
+- `src/benchmark/benchmark-runner.ts` — Replaced `execSync` with `execFileSync(program, args)`. This prevents shell parsing of command strings, even if `validateCommand` is bypassed.
+- `validateCommand` retained as defense-in-depth (blocks shell metacharacters).
+- New `splitCommand()` helper safely splits validated commands.
+### Phase 2: Precompute document frequency (MEDIUM performance)
+- `src/utils/bm25-search.ts` — `BM25Search.df()` is now precomputed once in the constructor via `precomputeDocumentFrequencies()`. Lookup is O(1) via `dfCache: Map<term, number>`.
+- Per-search complexity: O(Q * N) instead of O(Q² * N²).
+### Phase 3+4: Test coverage for 3 untested modules
+- 15 tests in `test/unit/bm25-search.test.ts`
+- 15 tests in `test/unit/scan-cache.test.ts`
+- 20 tests in `test/unit/benchmark.test.ts`
+- **Total: 50 new tests**
+### Tests
+- 2352/2352 pass (was 2313 in v0.5.12; +39 net)
+- 50 new tests across 3 new test files
+- TypeScript: 0 errors
 ## [0.5.12] — Round 17 Audit Fixes (2026-06-02)
 ### Phase 1: Signal Handler Stacking (HIGH)

package/README.md CHANGED Viewed

@@ -9,7 +9,7 @@ npm: pi-crew
 repo: https://github.com/baphuongna/pi-crew
 ```
-**v0.5.12**: See [CHANGELOG.md](CHANGELOG.md).
+**v0.5.13**: See [CHANGELOG.md](CHANGELOG.md).
 ### Security highlights (v0.5.5)

package/docs/pi-crew-v0.5.13-audit-fix-plan.md ADDED Viewed

@@ -0,0 +1,75 @@
+# pi-crew v0.5.13 Audit Fix Plan (Round 18)
+## Source Verification Findings
+I read the following files and identified 4 confirmed real issues:
+### Issue 1: `benchmark-runner.ts` uses `execSync` instead of `execFileSync` (HIGH security)
+**File**: `src/benchmark/benchmark-runner.ts:4,110,119,128`
+```ts
+import { execSync } from "child_process";
+// ...
+output = execSync(judge.command, { ... });
+```
+`execSync(command, ...)` invokes a shell to parse the command, even when `validateCommand` is run first. The `validateCommand` function only checks for shell metacharacters in the *arguments* (after the first space), but:
+- It does not escape/quote arguments safely
+- A bug in `validateCommand` or a clever input could bypass
+- `cwd: process.cwd()` could be inherited from a parent context
+- Best practice: use `execFileSync` with `command.split(' ')[0]` and the rest as args, so no shell is invoked
+**Fix**: Switch to `execFileSync` with command split into program + args. Keep `validateCommand` as defense-in-depth but no longer rely on it alone.
+### Issue 2: `BM25Search.df()` is O(N) per call and called inside the search loop (MEDIUM performance)
+**File**: `src/utils/bm25-search.ts:47-65, 75-104`
+The `df()` function is called for every query term in the search loop, and itself iterates over all documents. This means:
+- For a query with `Q` terms and `N` documents, `df()` is called `Q * N` times
+- Each `df()` call iterates over `N` documents and `field_count` fields
+- Total complexity: **O(Q² * N² * field_count)**
+This is quadratic when it should be linear. Document frequencies don't change between `search()` calls for the same document set, so they should be cached.
+**Fix**: Precompute `df` once in the constructor (or lazily on first search) and cache it as a Map<term, number>. Re-compute only when documents change.
+### Issue 3: `SharedScanCache.set()` LRU eviction is by insertion order, not access order (LOW)
+**File**: `src/utils/scan-cache.ts:62-69`
+The eviction policy evicts the *oldest inserted* entry, not the *least recently accessed*. So if a frequently-updated entry is inserted, then later entries are inserted, the frequently-updated one (which is the *same* Map key) won't be moved to the end of the insertion order — it stays at the head and is the next to be evicted.
+This is a minor issue because:
+- In practice, scan cache entries are short-lived (TTL=1s by default)
+- The eviction only matters when entries hit the `maxEntries` cap
+**Fix**: Either document the limitation or implement proper LRU. For now, document it.
+### Issue 4: `bm25-search.ts` has no tests (LOW coverage)
+**File**: `test/unit/bm25-search.test.ts` — does not exist
+BM25Search is a non-trivial search algorithm. Currently zero test coverage. Should add tests for:
+- Basic search returns relevant results
+- Field weighting affects ranking
+- minScore threshold
+- limit cap
+- Empty query returns empty results
+- df() precomputation (after Issue 2 fix)
+## Plan (4 phases)
+### Phase 1: Switch `benchmark-runner.ts` to `execFileSync`
+- Replace `execSync(judge.command, ...)` with `execFileSync(program, args, ...)`
+- Keep `validateCommand` as defense-in-depth
+- Add new tests for benchmark-runner
+### Phase 2: Precompute `df` in BM25Search
+- Cache `df` map per corpus
+- Invalidate when documents change (or recompute on construction)
+- Add tests to verify behavior unchanged
+### Phase 3: Add tests for scan-cache, benchmark, bm25-search
+- `test/unit/scan-cache.test.ts`
+- `test/unit/benchmark.test.ts`
+- `test/unit/bm25-search.test.ts`
+### Phase 4: Release v0.5.13

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "pi-crew",
-  "version": "0.5.12",
+  "version": "0.5.13",
   "description": "Pi extension for coordinated AI teams, workflows, worktrees, and async task orchestration",
   "author": "baphuongna",
   "license": "MIT",

package/src/benchmark/benchmark-runner.ts CHANGED Viewed

@@ -3,7 +3,7 @@
  * Provides tiered evaluation for workflow tasks.
  */
-import { execSync } from "child_process";
+import { execFileSync } from "node:child_process";
 export interface BenchmarkJudge {
 	type: "pytest" | "grep" | "command";
@@ -78,6 +78,16 @@ function validateCommand(command: string): void {
  * Tier 3: command execution
  * Fails fast on first tier failure.
  */
+function splitCommand(command: string): { program: string; args: string[] } {
+	// Naive split on whitespace. validateCommand already rejects shell
+	// metacharacters, so a simple split is safe.
+	const parts = command.trim().split(/\s+/);
+	if (parts.length === 0) {
+		throw new Error("Empty command");
+	}
+	return { program: parts[0]!, args: parts.slice(1) };
+}
 export async function runBenchmark(task: BenchmarkTask): Promise<BenchmarkResult> {
 	const startTime = Date.now();
 	const judgeResults: BenchmarkResult["judgeResults"] = [];
@@ -88,10 +98,13 @@ export async function runBenchmark(task: BenchmarkTask): Promise<BenchmarkResult
 			let output: string | undefined;
 			if (judge.type === "pytest" && judge.command) {
-				// Validate command before execution
+				// Validate command before execution (defense-in-depth)
 				validateCommand(judge.command);
+				// Use execFileSync to avoid shell parsing. validateCommand
+				// already rejects metacharacters, so a simple split is safe.
+				const { program, args } = splitCommand(judge.command);
 				// Tier 1: pytest - fast deterministic check
-				output = execSync(judge.command, {
+				output = execFileSync(program, args, {
 					timeout: 5000,
 					encoding: "utf-8",
 					cwd: process.cwd(),
@@ -99,20 +112,22 @@ export async function runBenchmark(task: BenchmarkTask): Promise<BenchmarkResult
 				// Look for pytest summary line with passed count
 				passed = output.includes("passed");
 			} else if (judge.type === "grep" && judge.pattern && judge.command) {
-				// Validate command before execution
+				// Validate command before execution (defense-in-depth)
 				validateCommand(judge.command);
+				const { program, args } = splitCommand(judge.command);
 				// Tier 2: grep pattern matching
-				output = execSync(judge.command, {
+				output = execFileSync(program, args, {
 					timeout: 5000,
 					encoding: "utf-8",
 					cwd: process.cwd(),
 				});
 				passed = output.includes(judge.pattern);
 			} else if (judge.type === "command" && judge.command) {
-				// Validate command before execution
+				// Validate command before execution (defense-in-depth)
 				validateCommand(judge.command);
+				const { program, args } = splitCommand(judge.command);
 				// Tier 3: command execution
-				output = execSync(judge.command, {
+				output = execFileSync(program, args, {
 					timeout: 10000,
 					encoding: "utf-8",
 					cwd: process.cwd(),

package/src/utils/bm25-search.ts CHANGED Viewed

@@ -25,6 +25,13 @@ export class BM25Search<T extends SearchDocument> {
   private readonly b: number;
   private readonly docLenMap: Map<string, number>;
   private readonly N: number;
+  /**
+   * Precomputed document frequency per term. Cached at construction time
+   * to avoid O(N) recomputation on every search() call. The cache is
+   * immutable for a given document corpus, so it's safe to share across
+   * search() invocations.
+   */
+  private readonly dfCache: Map<string, number>;
   constructor(documents: T[], fieldWeights: Record<string, number> = {}, config: BM25Config = {}) {
     this.documents = documents;
@@ -34,6 +41,7 @@ export class BM25Search<T extends SearchDocument> {
     this.N = documents.length;
     this.docLenMap = new Map();
+    this.dfCache = new Map();
     for (const doc of documents) {
       const fieldValues = Object.values(doc.fields).join(" ");
@@ -43,26 +51,36 @@ export class BM25Search<T extends SearchDocument> {
     const totalLen = [...this.docLenMap.values()].reduce((a, b) => a + b, 0);
     this.avgDocLen = totalLen / this.N || 1;
+    // Precompute df for all terms in the corpus. We do this once instead
+    // of on-demand to avoid the O(Q * N * field_count) cost per search call.
+    this.precomputeDocumentFrequencies();
   }
   /**
-   * Compute document frequency for a query term using indexOf for better performance.
-   * Uses linear-time substring matching instead of regex to avoid ReDoS.
+   * Build a map of term -> document frequency. O(N * avg_terms * field_count).
+   * Called once in the constructor.
    */
-  private df(term: string): number {
-    const termLower = term.toLowerCase();
-    let count = 0;
+  private precomputeDocumentFrequencies(): void {
     for (const doc of this.documents) {
       for (const field of Object.keys(this.fieldWeights)) {
         const text = (doc.fields[field] ?? "").toLowerCase();
-        // Use indexOf for linear-time substring search
-        if (text.includes(termLower)) {
-          count++;
-          break;
+        // Extract unique terms via split on whitespace
+        const terms = new Set(text.split(/\s+/).filter(Boolean));
+        for (const term of terms) {
+          if (term.length === 0) continue;
+          this.dfCache.set(term, (this.dfCache.get(term) ?? 0) + 1);
         }
       }
     }
-    return count;
+  }
+  /**
+   * Get document frequency for a term. Returns the precomputed value.
+   * O(1) lookup.
+   */
+  private df(term: string): number {
+    return this.dfCache.get(term.toLowerCase()) ?? 0;
   }
   search(query: string, options?: { limit?: number; minScore?: number }): SearchResult<T>[] {