pi-crew 0.5.14 → 0.5.16

package/src/extension/register.ts

@@ -6,7 +6,7 @@ import type {
 	ExtensionContext,
 } from "@earendil-works/pi-coding-agent";
 import { loadConfig } from "../config/config.ts";
-import { applyCrewSettingsToConfig, loadCrewSettings, saveCrewSettings } from "../runtime/settings-store.ts";
+import { applyCrewSettingsToConfig, loadCrewSettings } from "../runtime/settings-store.ts";
 // 2.7: Lazy-load LiveRunSidebar — only constructed when the user actually opens
 // a live run sidebar overlay. The class pulls in transcript-viewer and other
 // heavy UI modules.
@@ -47,12 +47,9 @@ import {
 	createMetricFileSink,
 	type MetricSink,
 } from "../observability/metric-sink.ts";
-import { killProcessPid } from "../runtime/child-pi.ts";
 import { listLiveAgents } from "../runtime/live-agent-manager.ts";
 import { createManifestCache } from "../runtime/manifest-cache.ts";
-import { checkProcessLiveness } from "../runtime/process-status.ts";
 import { CrewScheduler } from "../runtime/scheduler.ts";
-import { appendEvent } from "../state/event-log.ts";
 import { loadRunManifestById, updateRunStatus } from "../state/state-store.ts";
 import type { TeamRunManifest } from "../state/types.ts";
 import { SubagentManager } from "../subagents/manager.ts";
@@ -128,9 +125,6 @@ import type {
 // deferred cleanup and cleanupRuntime. Each function is awaited inside an
 // async context that already runs after registration completes.
 import {
-	cancelOrphanedRuns,
-	detectInterruptedRuns,
-	purgeStaleActiveRunIndex,
 	reconcileAllStaleRuns,
 } from "../runtime/crash-recovery.ts";
 import { appendDeadletter } from "../runtime/deadletter.ts";
@@ -482,6 +476,13 @@ export function registerPiTeams(pi: ExtensionAPI): void {
 		}
 	};
 	const autoRecoveryLast = new Map<string, number>();
+	// FIX (Round 22, defensive cap): Bound the cooldown-gate Map. Each run
+	// contributes up to 4 keys (one per maybeNotifyHealth kind). Without a cap,
+	// a long-running pi session that runs thousands of teams accumulates
+	// thousands of entries. Eviction: oldest insertion first — matches the
+	// 5-minute cooldown gate semantics, since once the gate has expired the
+	// entry is irrelevant.
+	const AUTO_RECOVERY_LAST_MAX_ENTRIES = 1000;
 	const configureDeliveryCoordinator = (): void => {
 		deliveryCoordinator?.dispose();
 		deliveryCoordinator = undefined;
@@ -1531,6 +1532,14 @@ export function registerPiTeams(pi: ExtensionAPI): void {
 							now - previous < 5 * 60_000
 						)
 							return;
+						// Defensive cap: evict oldest entries before inserting
+						// when size exceeds the limit. Map's natural insertion
+						// order means the first key is the oldest.
+						while (autoRecoveryLast.size >= AUTO_RECOVERY_LAST_MAX_ENTRIES) {
+							const oldest = autoRecoveryLast.keys().next().value;
+							if (oldest === undefined) break;
+							autoRecoveryLast.delete(oldest);
+						}
 						autoRecoveryLast.set(key, now);
 						notifyOperator({
 							id: key,

package/src/extension/registration/viewers.ts

@@ -2,7 +2,7 @@ import type { ExtensionCommandContext } from "@earendil-works/pi-coding-agent";
 import { loadRunManifestById } from "../../state/state-store.ts";
 import { readCrewAgents } from "../../runtime/crew-agent-records.ts";
 import { loadConfig } from "../../config/config.ts";
-import { listLiveAgents, type LiveAgentHandle } from "../../runtime/live-agent-manager.ts";
+import { listLiveAgents } from "../../runtime/live-agent-manager.ts";
 import { LiveConversationOverlay } from "../../ui/live-conversation-overlay.ts";
 import { asCrewTheme } from "../../ui/theme-adapter.ts";
 // Lazy-loaded: DurableTranscriptViewer is 658ms — only needed for /crew transcript command

package/src/extension/run-index.ts

@@ -7,7 +7,7 @@ import { findRepoRoot, projectCrewRoot, userCrewRoot } from "../utils/paths.ts";
 import { activeRunEntries } from "../state/active-run-registry.ts";
 import { isSafePathId, resolveRealContainedPath } from "../utils/safe-paths.ts";
 import { sharedScanCache } from "../utils/scan-cache.ts";
-import { CancellationToken, createCancellationToken } from "../runtime/cancellation-token.ts";
+import { createCancellationToken } from "../runtime/cancellation-token.ts";
 
 function readManifest(filePath: string): TeamRunManifest | undefined {
 	const cached = sharedScanCache.readAndCache("manifests", filePath, filePath);

package/src/extension/team-tool/explain.ts

@@ -1,6 +1,5 @@
 import * as fs from "node:fs";
 import * as path from "node:path";
-import { toolResult } from "../tool-result.ts";
 import { loadRunManifestById } from "../../state/state-store.ts";
 import type { TeamRunManifest, TeamTaskState } from "../../state/types.ts";
 

package/src/extension/team-tool/handle-schedule.ts

@@ -3,7 +3,6 @@ import type { PiTeamsToolResult } from "../tool-result.ts";
 import type { TeamToolParamsValue } from "../../schema/team-tool-schema.ts";
 import { result, type TeamContext } from "./context.ts";
 import { humanizeSchedule, nextRunTime, parseSchedule } from "../../runtime/scheduler.ts";
-import { loadConfig } from "../../config/config.ts";
 import { loadCrewSettings, saveCrewSettings } from "../../runtime/settings-store.ts";
 
 // Global key for cross-module scheduler access.

package/src/extension/team-tool/health-monitor.ts

@@ -8,7 +8,6 @@ import { listRuns } from "../run-index.ts";
 import { readCrewAgents } from "../../runtime/crew-agent-records.ts";
 import {
 	isActiveRunStatus,
-	isFinishedRunStatus,
 	hasStaleAsyncProcess,
 	isLikelyOrphanedActiveRun,
 } from "../../runtime/process-status.ts";

package/src/extension/team-tool/run.ts

@@ -8,7 +8,7 @@ import { registerActiveRun, unregisterActiveRun } from "../../state/active-run-r
 import { createRunManifest, loadRunManifestById, updateRunStatus } from "../../state/state-store.ts";
 import { atomicWriteJson } from "../../state/atomic-write.ts";
 import { validateWorkflowForTeam } from "../../workflows/validate-workflow.ts";
-import { PipelineRunner, type PipelineWorkflow, type PipelineStage } from "../../runtime/pipeline-runner.ts";
+import { PipelineRunner, type PipelineWorkflow } from "../../runtime/pipeline-runner.ts";
 // Heavy runtime — lazy-loaded to avoid 1.4s import cost at extension registration.
 import type { executeTeamRun as ExecuteTeamRunFn } from "../../runtime/team-runner.ts";
 // eslint-disable-next-line @typescript-eslint/no-unused-vars -- type-only import for TS inference
@@ -24,7 +24,7 @@ async function executeTeamRun(...args: Parameters<typeof ExecuteTeamRunFn>): Pro
 	return _cachedExecuteTeamRun(...args);
 }
 import { spawnBackgroundTeamRun } from "../../subagents/async-entry.ts";
-import { appendEvent, appendEventAsync, readEvents } from "../../state/event-log.ts";
+import { appendEventAsync, readEvents } from "../../state/event-log.ts";
 import { resolveCrewRuntime, runtimeResolutionState } from "../../runtime/runtime-resolver.ts";
 import { normalizeSkillOverride } from "../../runtime/skill-instructions.ts";
 import { expandParallelResearchWorkflow } from "../../runtime/parallel-research.ts";

package/src/extension/team-tool/status.ts

@@ -8,7 +8,7 @@ import { applyAttentionState, formatActivityAge, resolveCrewControlConfig } from
 import { readCrewAgents } from "../../runtime/crew-agent-records.ts";
 import { checkProcessLiveness, isActiveRunStatus } from "../../runtime/process-status.ts";
 import { formatTaskGraphLines, waitingReason } from "../../runtime/task-display.ts";
-import { verifyTaskCompletion, formatOutputPreview } from "../../runtime/completion-guard.ts";
+import { verifyTaskCompletion } from "../../runtime/completion-guard.ts";
 import { evaluateRunEffectiveness } from "../../runtime/effectiveness.ts";
 import type { PiTeamsToolResult } from "../tool-result.ts";
 import { locateRunCwd } from "../team-tool.ts";

package/src/extension/team-tool.ts

@@ -4,7 +4,6 @@ import type { AgentConfig } from "../agents/agent-config.ts";
 import {
 	allAgents,
 	discoverAgents,
-	invalidateAgentDiscoveryCache,
 	listDynamicAgents,
 	registerDynamicAgent,
 	unregisterDynamicAgent,
@@ -19,8 +18,8 @@ import {
 import type { executeTeamRun as _executeTeamRunFn } from "../runtime/team-runner.ts";
 import type { TeamToolParamsValue } from "../schema/team-tool-schema.ts";
 import { writeArtifact } from "../state/artifact-store.ts";
-import { appendEvent, readEvents } from "../state/event-log.ts";
-import { withRunLock, withRunLockSync } from "../state/locks.ts";
+import { appendEvent } from "../state/event-log.ts";
+import { withRunLock } from "../state/locks.ts";
 import { replayPendingMailboxMessages } from "../state/mailbox.ts";
 import {
 	loadRunManifestById,
@@ -33,22 +32,15 @@ import type {
 	TeamRunManifest,
 	TeamTaskState,
 } from "../state/types.ts";
-import { aggregateUsage, formatUsage } from "../state/usage.ts";
 import { allTeams, discoverTeams } from "../teams/discover-teams.ts";
 import {
 	allWorkflows,
 	discoverWorkflows,
 } from "../workflows/discover-workflows.ts";
-import { validateWorkflowForTeam } from "../workflows/validate-workflow.ts";
-import { cleanupRunWorktrees } from "../worktree/cleanup.ts";
 import { piTeamsHelp } from "./help.ts";
-import { listImportedRuns } from "./import-index.ts";
 import { handleCreate, handleDelete, handleUpdate } from "./management.ts";
 import { initializeProject } from "./project-init.ts";
-import { exportRunBundle } from "./run-export.ts";
-import { importRunBundle } from "./run-import.ts";
 import { listRuns } from "./run-index.ts";
-import { pruneFinishedRuns } from "./run-maintenance.ts";
 import { formatRecommendation, recommendTeam } from "./team-recommendation.ts";
 import { handleSettings } from "./team-tool/handle-settings.ts";
 import type { PiTeamsToolResult } from "./tool-result.ts";
@@ -70,31 +62,12 @@ async function executeTeamRun(
 	return _cachedExecuteTeamRun(...args);
 }
 
-import {
-	applyAttentionState,
-	formatActivityAge,
-	resolveCrewControlConfig,
-} from "../runtime/agent-control.ts";
-import {
-	readCrewAgents,
-	recordFromTask,
-	saveCrewAgents,
-} from "../runtime/crew-agent-records.ts";
 import { directTeamAndWorkflowFromRun } from "../runtime/direct-run.ts";
-import { writeForegroundInterruptRequest } from "../runtime/foreground-control.ts";
 import { parsePiJsonOutput } from "../runtime/pi-json-output.ts";
-import {
-	checkProcessLiveness,
-	isActiveRunStatus,
-} from "../runtime/process-status.ts";
 import {
 	resolveCrewRuntime,
 	runtimeResolutionState,
 } from "../runtime/runtime-resolver.ts";
-import {
-	formatTaskGraphLines,
-	waitingReason,
-} from "../runtime/task-display.ts";
 import { handleApi } from "./team-tool/api.ts";
 import {
 	autonomousPatchFromConfig,
@@ -128,7 +101,6 @@ async function handleRun(
 
 import { waitForRun } from "../runtime/run-tracker.ts";
 import { normalizeSkillOverride } from "../runtime/skill-instructions.ts";
-import { logInternalError } from "../utils/internal-error.ts";
 import { searchAgents, searchTeams } from "../utils/bm25-search.ts";
 import { projectCrewRoot } from "../utils/paths.ts";
 import {

package/src/observability/exporters/otlp-exporter.ts

@@ -124,8 +124,18 @@ export class OTLPExporter implements MetricExporter {
 		}
 	}
 
-	dispose(): void {
+	/**
+	 * FIX (Round 23, resource cleanup): Make dispose() async and await the
+	 * in-flight push so it completes (or aborts) before we return. The push
+	 * itself is bounded by the 10s fetch timeout, so this won't hang
+	 * indefinitely. Without this, dispose() would orphan an in-flight
+	 * network request whose result is then discarded.
+	 */
+	async dispose(): Promise<void> {
 		if (this.timer) clearInterval(this.timer);
 		this.timer = undefined;
+		if (this.inFlight) {
+			try { await this.inFlight; } catch { /* swallow — push() already logs errors */ }
+		}
 	}
 }

package/src/runtime/child-pi.ts

@@ -8,7 +8,7 @@ import { getPiSpawnCommand } from "./pi-spawn.ts";
 import { DEFAULT_CHILD_PI } from "../config/defaults.ts";
 import { logInternalError } from "../utils/internal-error.ts";
 import { attachPostExitStdioGuard, trySignalChild } from "./post-exit-stdio-guard.ts";
-import { redactJsonLine, isSecretKey } from "../utils/redaction.ts";
+import { redactJsonLine } from "../utils/redaction.ts";
 import { sanitizeEnvSecrets } from "../utils/env-filter.ts";
 import { registerChildProcess, unregisterChildProcess } from "../extension/crew-cleanup.ts";
 

package/src/runtime/crash-recovery.ts

@@ -11,7 +11,7 @@ import type { ManifestCache } from "./manifest-cache.ts";
 import { checkProcessLiveness } from "./process-status.ts";
 import { reconcileStaleRun, type ReconcileResult } from "./stale-reconciler.ts";
 import { executeHook, appendHookEvent } from "../hooks/registry.ts";
-import { activeRunEntries, unregisterActiveRun, readActiveRunRegistry } from "../state/active-run-registry.ts";
+import { unregisterActiveRun, readActiveRunRegistry } from "../state/active-run-registry.ts";
 import { resolveRealContainedPath } from "../utils/safe-paths.ts";
 import { projectCrewRoot, userCrewRoot } from "../utils/paths.ts";
 import { terminateLiveAgentsForRun } from "./live-agent-manager.ts";

package/src/runtime/crew-agent-records.ts

@@ -263,8 +263,28 @@ export function readCrewAgentStatus(manifest: TeamRunManifest, taskOrAgentId: st
 }
 
 const agentEventSeqCache = new Map<string, { size: number; mtimeMs: number; seq: number }>();
+// FIX (Round 22, defensive cap): Bound the per-file-path cache. Without a cap,
+// a long-running pi-crew process that spawns 1000s of agents accumulates 1000s
+// of entries. Mirrors the `asyncAgentReaderCache` pattern (above) and the
+// `NotificationRouter.SEEN_MAP_MAX_SIZE` pattern.
+const AGENT_EVENT_SEQ_CACHE_MAX_ENTRIES = 1000;
 const AGENT_EVENT_SEQ_SIDECAR = ".seq";
 
+/**
+ * Set an entry in the seq cache, evicting the oldest entries when the cache
+ * exceeds the cap. Map's natural insertion order means the first key is the
+ * oldest — same as the pattern used in `asyncAgentReaderCache`.
+ */
+function setAgentEventSeqCache(filePath: string, entry: { size: number; mtimeMs: number; seq: number }): void {
+	if (agentEventSeqCache.has(filePath)) agentEventSeqCache.delete(filePath);
+	agentEventSeqCache.set(filePath, entry);
+	while (agentEventSeqCache.size > AGENT_EVENT_SEQ_CACHE_MAX_ENTRIES) {
+		const oldest = agentEventSeqCache.keys().next().value;
+		if (oldest === undefined) break;
+		agentEventSeqCache.delete(oldest);
+	}
+}
+
 function readSeqFromSidecar(filePath: string): number | undefined {
 	try {
 		const raw = fs.readFileSync(`${filePath}.${AGENT_EVENT_SEQ_SIDECAR}`, "utf-8");
@@ -295,7 +315,7 @@ function nextAgentEventSeq(filePath: string): number {
 	// FIX: Try sidecar file for O(1) lookup before falling back to O(n) scan.
 	const sidecarSeq = readSeqFromSidecar(filePath);
 	if (sidecarSeq !== undefined) {
-		agentEventSeqCache.set(filePath, { size: stat.size, mtimeMs: stat.mtimeMs, seq: sidecarSeq });
+		setAgentEventSeqCache(filePath, { size: stat.size, mtimeMs: stat.mtimeMs, seq: sidecarSeq });
 		return sidecarSeq + 1;
 	}
 	let max = 0;
@@ -309,7 +329,7 @@ function nextAgentEventSeq(filePath: string): number {
 			max += 1;
 		}
 	}
-	agentEventSeqCache.set(filePath, { size: stat.size, mtimeMs: stat.mtimeMs, seq: max });
+	setAgentEventSeqCache(filePath, { size: stat.size, mtimeMs: stat.mtimeMs, seq: max });
 	writeSeqToSidecar(filePath, max);
 	return max + 1;
 }
@@ -321,7 +341,7 @@ export function appendCrewAgentEvent(manifest: TeamRunManifest, taskId: string,
 	fs.appendFileSync(filePath, `${JSON.stringify(redactSecrets({ seq, time: new Date().toISOString(), event }))}\n`, "utf-8");
 	try {
 		const stat = fs.statSync(filePath);
-		agentEventSeqCache.set(filePath, { size: stat.size, mtimeMs: stat.mtimeMs, seq });
+		setAgentEventSeqCache(filePath, { size: stat.size, mtimeMs: stat.mtimeMs, seq });
 		writeSeqToSidecar(filePath, seq);
 	} catch (error) {
 		logInternalError("crew-agent-records.stat", error, `filePath=${filePath}`);

package/src/runtime/crew-hooks.ts

@@ -146,7 +146,7 @@ export class HookRegistry {
 	emit(event: CrewHookEvent): void {
 		// Validate event type using type guard
 		if (!isValidEventType(event.type)) {
-			console.warn(`[crew-hooks] Unknown event type: ${event.type}`);
+			logInternalError("crew-hooks.unknown-event-type", new Error(`Unknown event type: ${event.type}`));
 			return;
 		}
 

package/src/runtime/handoff-manager.ts

@@ -55,7 +55,6 @@ export function isValidHandoffSummary(value: unknown): value is HandoffSummary {
  */
 
 import type { TeamEvent } from "../state/event-log.ts";
-import { appendEventAsync } from "../state/event-log.ts";
 
 /**
  * Represents a key decision made during task execution.

package/src/runtime/heartbeat-watcher.ts

@@ -6,7 +6,7 @@ import { loadRunManifestById } from "../state/state-store.ts";
 import type { TeamRunManifest } from "../state/types.ts";
 import { logInternalError } from "../utils/internal-error.ts";
 import type { ManifestCache } from "./manifest-cache.ts";
-import { classifyHeartbeat, DEFAULT_GRADIENT_THRESHOLDS, heartbeatAgeMs, type GradientThresholds, type HeartbeatLevel } from "./heartbeat-gradient.ts";
+import { DEFAULT_GRADIENT_THRESHOLDS, heartbeatAgeMs, type GradientThresholds, type HeartbeatLevel } from "./heartbeat-gradient.ts";
 
 export interface HeartbeatWatcherRouter {
 	enqueue(notification: NotificationDescriptor): boolean;

package/src/runtime/live-session-runtime.ts

@@ -24,7 +24,6 @@ import { buildExtensionBridge } from "./live-extension-bridge.ts";
 import { logInternalError } from "../utils/internal-error.ts";
 // prose-compressor imported for custom tool descriptions below;
 // tool description compression for SDK-managed tools awaits SDK support.
-import { compressToolDescription } from "./prose-compressor.ts";
 import { buildSensitivePathConstraint } from "./sensitive-paths.ts";
 import { collectLiveSessionHealth, formatLiveSessionDiagnostics, type LiveSessionHealth } from "./live-session-health.ts";
 import { listLiveAgents } from "./live-agent-manager.ts";

package/src/runtime/loop-gates.ts

@@ -8,7 +8,6 @@
  * Distilled from pi-autoresearch's dual-gate loop pattern.
  */
 import * as fs from "node:fs";
-import * as path from "node:path";
 import type { TeamTaskState } from "../state/types.ts";
 
 /**

package/src/runtime/mcp-proxy.ts

@@ -16,8 +16,8 @@
  * when proxying from the parent.
  */
 
-import { defineTool, type ToolDefinition } from "@earendil-works/pi-coding-agent";
-import { Type, type Static, type TSchema } from "@sinclair/typebox";
+import { type ToolDefinition } from "@earendil-works/pi-coding-agent";
+import { type Static, type TSchema } from "@sinclair/typebox";
 
 export interface McpProxyConfig {
 	/** Whether to enable MCP in the child session. */

package/src/runtime/pipeline-runner.ts

@@ -2,8 +2,7 @@ import type { TeamTaskState } from "../state/types.ts";
 import type { WorkflowConfig, WorkflowStep } from "../workflows/workflow-config.ts";
 import type { TeamConfig } from "../teams/team-config.ts";
 import type { AgentConfig } from "../agents/agent-config.ts";
-import { writeArtifact } from "../state/artifact-store.ts";
-import { appendEvent, appendEventAsync } from "../state/event-log.ts";
+import { appendEventAsync } from "../state/event-log.ts";
 import { mapConcurrent } from "./parallel-utils.ts";
 
 /**

package/src/runtime/task-runner/live-executor.ts

@@ -3,7 +3,6 @@ import type { AgentConfig } from "../../agents/agent-config.ts";
 import type { CrewRuntimeConfig } from "../../config/config.ts";
 import { writeArtifact } from "../../state/artifact-store.ts";
 import {
-	appendEvent,
 	appendEventFireAndForget,
 } from "../../state/event-log.ts";
 import type {
@@ -11,7 +10,7 @@ import type {
 	TeamRunManifest,
 	TeamTaskState,
 } from "../../state/types.ts";
-import { loadRunManifestById, saveRunTasks } from "../../state/state-store.ts";
+import { loadRunManifestById } from "../../state/state-store.ts";
 import { persistSingleTaskUpdate } from "./state-helpers.ts";
 import type { WorkflowStep } from "../../workflows/workflow-config.ts";
 import { appendCrewAgentEvent, appendCrewAgentOutput, emptyCrewAgentProgress, recordFromTask, upsertCrewAgent } from "../crew-agent-records.ts";

package/src/runtime/task-runner.ts

@@ -11,7 +11,7 @@ import type {
 } from "../state/types.ts";
 import { logInternalError } from "../utils/internal-error.ts";
 import { writeArtifact } from "../state/artifact-store.ts";
-import { appendEvent, appendEventAsync, appendEventFireAndForget } from "../state/event-log.ts";
+import { appendEventAsync, appendEventFireAndForget } from "../state/event-log.ts";
 import { saveRunManifest } from "../state/state-store.ts";
 import { createTaskClaim } from "../state/task-claims.ts";
 import {

package/src/state/jsonl-writer.ts

@@ -14,10 +14,17 @@ export interface JsonlWriteStream {
 }
 
 const DEFAULT_MAX_JSONL_BYTES = 50 * 1024 * 1024;
+// FIX (Round 21, per-line cap): A single huge line could exhaust memory during
+// redactJsonLine if an upstream caller constructs an enormous string. Cap each
+// line at 1MB by default — large enough for any legitimate event payload, small
+// enough to prevent memory blow-up. Mirrors the upstream oh-my-pi pattern of
+// bounding chunk boundaries in Bun.file().writer().
+const DEFAULT_MAX_LINE_BYTES = 1 * 1024 * 1024;
 
 export interface JsonlWriterDeps {
 	createWriteStream?: (filePath: string) => JsonlWriteStream;
 	maxBytes?: number;
+	maxLineBytes?: number;
 }
 
 export interface JsonlWriter {
@@ -47,7 +54,9 @@ export function createJsonlWriter(filePath: string | undefined, source: Drainabl
 	let backpressured = false;
 	let closed = false;
 	let bytesWritten = 0;
+	let linesDroppedForSize = 0;
 	const maxBytes = deps.maxBytes ?? DEFAULT_MAX_JSONL_BYTES;
+	const maxLineBytes = deps.maxLineBytes ?? DEFAULT_MAX_LINE_BYTES;
 
 	return {
 		writeLine(line: string) {
@@ -55,6 +64,21 @@ export function createJsonlWriter(filePath: string | undefined, source: Drainabl
 			const safeLine = redactJsonLine(line);
 			const chunk = `${safeLine}\n`;
 			const chunkBytes = Buffer.byteLength(chunk, "utf-8");
+			// FIX (Round 21, per-line cap): Drop oversize lines. Without this, a
+			// single huge payload (e.g. a 100MB base64-encoded transcript) would
+			// be buffered in memory by redactJsonLine AND queued in the write
+			// stream. We log the drop so silent loss is visible.
+			if (chunkBytes > maxLineBytes) {
+				linesDroppedForSize++;
+				if (linesDroppedForSize === 1 || linesDroppedForSize % 100 === 0) {
+					logInternalError(
+						"jsonl-writer.lineTooLarge",
+						new Error(`line size ${chunkBytes} exceeds maxLineBytes ${maxLineBytes}`),
+						`file=${filePath} dropped=${linesDroppedForSize}`,
+					);
+				}
+				return;
+			}
 			if (bytesWritten + chunkBytes > maxBytes) return;
 			try {
 				const ok = stream.write(chunk);

package/src/state/locks.ts

@@ -1,5 +1,6 @@
 import * as fs from "node:fs";
 import * as path from "node:path";
+import { randomUUID } from "node:crypto";
 import type { TeamRunManifest } from "./types.ts";
 import { DEFAULT_LOCKS } from "../config/defaults.ts";
 import { sleepSync } from "../utils/sleep.ts";
@@ -59,22 +60,71 @@ function isLockHolderAlive(filePath: string): boolean {
 	}
 }
 
-function writeLockFile(filePath: string): void {
+/**
+ * Lock file kinds. Discriminator written to the lock file payload so that:
+ *   - Debugging tools (e.g. a future `pi-crew locks` command) can identify
+ *     what a lock is protecting.
+ *   - Cross-kind ambiguity is prevented if two locks somehow resolve to the
+ *     same path (defense in depth).
+ *   - Forward compat: new lock types can be added without changing the
+ *     on-disk format (the `kind` field is the only discriminator).
+ */
+export type LockKind = "run" | "file";
+
+function writeLockFile(filePath: string, token: string, kind: LockKind = "file"): void {
 	const fd = fs.openSync(filePath, fs.constants.O_WRONLY | fs.constants.O_CREAT | fs.constants.O_EXCL, 0o644);
 	try {
-		fs.writeSync(fd, JSON.stringify({ pid: process.pid, createdAt: new Date().toISOString() }));
+		fs.writeSync(fd, JSON.stringify({ kind, pid: process.pid, createdAt: new Date().toISOString(), token }));
 	} finally {
 		fs.closeSync(fd);
 	}
 }
 
-function acquireLockWithRetry(filePath: string, staleMs: number): void {
+/**
+ * Read the token stored in a lock file. Returns undefined if the file
+ * cannot be read or parsed.
+ */
+function readLockToken(filePath: string): string | undefined {
+	try {
+		const raw = fs.readFileSync(filePath, "utf-8");
+		const parsed = JSON.parse(raw) as { token?: unknown };
+		return typeof parsed.token === "string" ? parsed.token : undefined;
+	} catch {
+		return undefined;
+	}
+}
+
+/**
+ * Release a lock file, but ONLY if the stored token matches. This prevents
+ * the "losing contender wipes winner's lock" race that occurs when:
+ *   1. Process A acquires lock with token T_A
+ *   2. Process B times out waiting, steals the lock (overwriting with T_B)
+ *   3. Process A finishes, tries to release — would otherwise rm Process B's lock
+ *
+ * With token matching, A's release is a no-op for B's lock.
+ */
+function releaseLock(filePath: string, token: string): void {
+	const stored = readLockToken(filePath);
+	if (stored === undefined || stored === token) {
+		try {
+			fs.rmSync(filePath, { force: true });
+		} catch {
+			// Best-effort cleanup. Either someone else with the same token got
+			// there first, or the lock is already gone — both are fine.
+		}
+	}
+	// If the stored token does not match, our lock has been stolen
+	// (probably stale and overtaken). Do not touch it — the new holder owns it.
+}
+
+function acquireLockWithRetry(filePath: string, staleMs: number, kind: LockKind = "file"): string {
 	let attempt = 0;
 	const deadline = Date.now() + staleMs * 2;
 	while (true) {
+		const token = randomUUID();
 		try {
-			writeLockFile(filePath);
-			return;
+			writeLockFile(filePath, token, kind);
+			return token;
 		} catch (error) {
 			const code = (error as NodeJS.ErrnoException).code;
 			if (code !== "EEXIST") throw error;
@@ -105,21 +155,14 @@ function sleep(ms: number): Promise<void> {
 	return new Promise((resolve) => setTimeout(resolve, ms));
 }
 
-function readLockStateAsync(filePath: string, staleMs: number): void {
-	try {
-		if (isLockStale(filePath, staleMs)) fs.rmSync(filePath, { force: true });
-	} catch {
-		// Ignore stale-check races.
-	}
-}
-
-async function acquireLockWithRetryAsync(filePath: string, staleMs: number): Promise<void> {
+async function acquireLockWithRetryAsync(filePath: string, staleMs: number, kind: LockKind = "file"): Promise<string> {
 	let attempt = 0;
 	const deadline = Date.now() + staleMs * 2;
 	while (true) {
+		const token = randomUUID();
 		try {
-			writeLockFile(filePath);
-			return;
+			writeLockFile(filePath, token, kind);
+			return token;
 		} catch (error) {
 			const code = (error as NodeJS.ErrnoException).code;
 			if (code !== "EEXIST") throw error;
@@ -139,7 +182,6 @@ async function acquireLockWithRetryAsync(filePath: string, staleMs: number): Pro
 			try {
 				fs.rmSync(filePath, { force: true });
 			} catch { /* race — let loop retry */ }
-			await readLockStateAsync(filePath, staleMs);
 			const delay = Math.min(250, 25 * 2 ** attempt);
 			await sleep(delay);
 			attempt++;
@@ -159,15 +201,12 @@ export function withFileLockSync<T>(filePath: string, fn: () => T, options: RunL
 	const lockFile = `${filePath}.lock`;
 	const staleMs = options.staleMs ?? DEFAULT_STALE_MS;
 	fs.mkdirSync(path.dirname(lockFile), { recursive: true });
-	acquireLockWithRetry(lockFile, staleMs);
+	const token = acquireLockWithRetry(lockFile, staleMs, "file");
 	try {
 		return fn();
 	} finally {
-		try {
-			fs.rmSync(lockFile, { force: true });
-		} catch {
-			// Best-effort lock cleanup.
-		}
+		// Token-guarded release: don't rm the lock if it has been stolen.
+		releaseLock(lockFile, token);
 	}
 }
 
@@ -175,15 +214,11 @@ export function withRunLockSync<T>(manifest: TeamRunManifest, fn: () => T, optio
 	const filePath = lockPath(manifest);
 	const staleMs = options.staleMs ?? DEFAULT_STALE_MS;
 	fs.mkdirSync(path.dirname(filePath), { recursive: true });
-	acquireLockWithRetry(filePath, staleMs);
+	const token = acquireLockWithRetry(filePath, staleMs, "run");
 	try {
 		return fn();
 	} finally {
-		try {
-			fs.rmSync(filePath, { force: true });
-		} catch {
-			// Best-effort lock cleanup.
-		}
+		releaseLock(filePath, token);
 	}
 }
 
@@ -191,14 +226,10 @@ export async function withRunLock<T>(manifest: TeamRunManifest, fn: () => Promis
 	const filePath = lockPath(manifest);
 	const staleMs = options.staleMs ?? DEFAULT_STALE_MS;
 	fs.mkdirSync(path.dirname(filePath), { recursive: true });
-	await acquireLockWithRetryAsync(filePath, staleMs);
+	const token = await acquireLockWithRetryAsync(filePath, staleMs, "run");
 	try {
 		return await fn();
 	} finally {
-		try {
-			fs.rmSync(filePath, { force: true });
-		} catch {
-			// Best-effort lock cleanup.
-		}
+		releaseLock(filePath, token);
 	}
 }

package/src/state/run-metrics.ts

@@ -1,9 +1,8 @@
 import * as fs from "node:fs";
 import * as path from "node:path";
 import { loadRunManifestById } from "./state-store.ts";
-import { projectCrewRoot, userCrewRoot } from "../utils/paths.ts";
+import { projectCrewRoot } from "../utils/paths.ts";
 import { atomicWriteJson, readJsonFile } from "./atomic-write.ts";
-import { DEFAULT_PATHS } from "../config/defaults.ts";
 
 /**
  * Run metrics snapshot captured after a run completes (or on demand).