pi-crew 0.5.14 → 0.5.17

package/src/extension/register.ts

@@ -6,7 +6,7 @@ import type {
 	ExtensionContext,
 } from "@earendil-works/pi-coding-agent";
 import { loadConfig } from "../config/config.ts";
-import { applyCrewSettingsToConfig, loadCrewSettings, saveCrewSettings } from "../runtime/settings-store.ts";
+import { applyCrewSettingsToConfig, loadCrewSettings } from "../runtime/settings-store.ts";
 // 2.7: Lazy-load LiveRunSidebar — only constructed when the user actually opens
 // a live run sidebar overlay. The class pulls in transcript-viewer and other
 // heavy UI modules.
@@ -47,12 +47,9 @@ import {
 	createMetricFileSink,
 	type MetricSink,
 } from "../observability/metric-sink.ts";
-import { killProcessPid } from "../runtime/child-pi.ts";
 import { listLiveAgents } from "../runtime/live-agent-manager.ts";
 import { createManifestCache } from "../runtime/manifest-cache.ts";
-import { checkProcessLiveness } from "../runtime/process-status.ts";
 import { CrewScheduler } from "../runtime/scheduler.ts";
-import { appendEvent } from "../state/event-log.ts";
 import { loadRunManifestById, updateRunStatus } from "../state/state-store.ts";
 import type { TeamRunManifest } from "../state/types.ts";
 import { SubagentManager } from "../subagents/manager.ts";
@@ -128,9 +125,6 @@ import type {
 // deferred cleanup and cleanupRuntime. Each function is awaited inside an
 // async context that already runs after registration completes.
 import {
-	cancelOrphanedRuns,
-	detectInterruptedRuns,
-	purgeStaleActiveRunIndex,
 	reconcileAllStaleRuns,
 } from "../runtime/crash-recovery.ts";
 import { appendDeadletter } from "../runtime/deadletter.ts";
@@ -482,6 +476,13 @@ export function registerPiTeams(pi: ExtensionAPI): void {
 		}
 	};
 	const autoRecoveryLast = new Map<string, number>();
+	// FIX (Round 22, defensive cap): Bound the cooldown-gate Map. Each run
+	// contributes up to 4 keys (one per maybeNotifyHealth kind). Without a cap,
+	// a long-running pi session that runs thousands of teams accumulates
+	// thousands of entries. Eviction: oldest insertion first — matches the
+	// 5-minute cooldown gate semantics, since once the gate has expired the
+	// entry is irrelevant.
+	const AUTO_RECOVERY_LAST_MAX_ENTRIES = 1000;
 	const configureDeliveryCoordinator = (): void => {
 		deliveryCoordinator?.dispose();
 		deliveryCoordinator = undefined;
@@ -1531,6 +1532,14 @@ export function registerPiTeams(pi: ExtensionAPI): void {
 							now - previous < 5 * 60_000
 						)
 							return;
+						// Defensive cap: evict oldest entries before inserting
+						// when size exceeds the limit. Map's natural insertion
+						// order means the first key is the oldest.
+						while (autoRecoveryLast.size >= AUTO_RECOVERY_LAST_MAX_ENTRIES) {
+							const oldest = autoRecoveryLast.keys().next().value;
+							if (oldest === undefined) break;
+							autoRecoveryLast.delete(oldest);
+						}
 						autoRecoveryLast.set(key, now);
 						notifyOperator({
 							id: key,

package/src/extension/registration/viewers.ts

@@ -2,7 +2,7 @@ import type { ExtensionCommandContext } from "@earendil-works/pi-coding-agent";
 import { loadRunManifestById } from "../../state/state-store.ts";
 import { readCrewAgents } from "../../runtime/crew-agent-records.ts";
 import { loadConfig } from "../../config/config.ts";
-import { listLiveAgents, type LiveAgentHandle } from "../../runtime/live-agent-manager.ts";
+import { listLiveAgents } from "../../runtime/live-agent-manager.ts";
 import { LiveConversationOverlay } from "../../ui/live-conversation-overlay.ts";
 import { asCrewTheme } from "../../ui/theme-adapter.ts";
 // Lazy-loaded: DurableTranscriptViewer is 658ms — only needed for /crew transcript command

package/src/extension/run-index.ts

@@ -7,7 +7,7 @@ import { findRepoRoot, projectCrewRoot, userCrewRoot } from "../utils/paths.ts";
 import { activeRunEntries } from "../state/active-run-registry.ts";
 import { isSafePathId, resolveRealContainedPath } from "../utils/safe-paths.ts";
 import { sharedScanCache } from "../utils/scan-cache.ts";
-import { CancellationToken, createCancellationToken } from "../runtime/cancellation-token.ts";
+import { createCancellationToken } from "../runtime/cancellation-token.ts";
 
 function readManifest(filePath: string): TeamRunManifest | undefined {
 	const cached = sharedScanCache.readAndCache("manifests", filePath, filePath);

package/src/extension/team-tool/explain.ts

@@ -1,6 +1,5 @@
 import * as fs from "node:fs";
 import * as path from "node:path";
-import { toolResult } from "../tool-result.ts";
 import { loadRunManifestById } from "../../state/state-store.ts";
 import type { TeamRunManifest, TeamTaskState } from "../../state/types.ts";
 

package/src/extension/team-tool/handle-schedule.ts

@@ -3,7 +3,6 @@ import type { PiTeamsToolResult } from "../tool-result.ts";
 import type { TeamToolParamsValue } from "../../schema/team-tool-schema.ts";
 import { result, type TeamContext } from "./context.ts";
 import { humanizeSchedule, nextRunTime, parseSchedule } from "../../runtime/scheduler.ts";
-import { loadConfig } from "../../config/config.ts";
 import { loadCrewSettings, saveCrewSettings } from "../../runtime/settings-store.ts";
 
 // Global key for cross-module scheduler access.

package/src/extension/team-tool/health-monitor.ts

@@ -8,7 +8,6 @@ import { listRuns } from "../run-index.ts";
 import { readCrewAgents } from "../../runtime/crew-agent-records.ts";
 import {
 	isActiveRunStatus,
-	isFinishedRunStatus,
 	hasStaleAsyncProcess,
 	isLikelyOrphanedActiveRun,
 } from "../../runtime/process-status.ts";

package/src/extension/team-tool/orchestrate.ts

@@ -15,6 +15,7 @@ import {
 	parsePlanDocumentSimple,
 	type OrchestratedStep,
 } from "../plan-orchestrate.ts";
+import { resolveContainedPath } from "../../utils/safe-paths.ts";
 
 /**
  * Handle the orchestrate action.
@@ -38,10 +39,17 @@ export function handleOrchestrate(
 		);
 	}
 
-	// Resolve relative paths against ctx.cwd
-	const resolvedPath = path.isAbsolute(planPath)
-		? planPath
-		: path.resolve(ctx.cwd, planPath);
+	// Resolve and validate path stays within ctx.cwd (path-traversal protection)
+	let resolvedPath: string;
+	try {
+		resolvedPath = resolveContainedPath(ctx.cwd, planPath);
+	} catch {
+		return result(
+			`planPath must be within project directory: ${planPath}`,
+			{ action: "orchestrate", status: "error" },
+			true,
+		);
+	}
 
 	if (!fs.existsSync(resolvedPath)) {
 		return result(

package/src/extension/team-tool/run.ts

@@ -8,7 +8,7 @@ import { registerActiveRun, unregisterActiveRun } from "../../state/active-run-r
 import { createRunManifest, loadRunManifestById, updateRunStatus } from "../../state/state-store.ts";
 import { atomicWriteJson } from "../../state/atomic-write.ts";
 import { validateWorkflowForTeam } from "../../workflows/validate-workflow.ts";
-import { PipelineRunner, type PipelineWorkflow, type PipelineStage } from "../../runtime/pipeline-runner.ts";
+import { PipelineRunner, type PipelineWorkflow } from "../../runtime/pipeline-runner.ts";
 // Heavy runtime — lazy-loaded to avoid 1.4s import cost at extension registration.
 import type { executeTeamRun as ExecuteTeamRunFn } from "../../runtime/team-runner.ts";
 // eslint-disable-next-line @typescript-eslint/no-unused-vars -- type-only import for TS inference
@@ -24,7 +24,7 @@ async function executeTeamRun(...args: Parameters<typeof ExecuteTeamRunFn>): Pro
 	return _cachedExecuteTeamRun(...args);
 }
 import { spawnBackgroundTeamRun } from "../../subagents/async-entry.ts";
-import { appendEvent, appendEventAsync, readEvents } from "../../state/event-log.ts";
+import { appendEventAsync, readEvents } from "../../state/event-log.ts";
 import { resolveCrewRuntime, runtimeResolutionState } from "../../runtime/runtime-resolver.ts";
 import { normalizeSkillOverride } from "../../runtime/skill-instructions.ts";
 import { expandParallelResearchWorkflow } from "../../runtime/parallel-research.ts";

package/src/extension/team-tool/status.ts

@@ -8,7 +8,7 @@ import { applyAttentionState, formatActivityAge, resolveCrewControlConfig } from
 import { readCrewAgents } from "../../runtime/crew-agent-records.ts";
 import { checkProcessLiveness, isActiveRunStatus } from "../../runtime/process-status.ts";
 import { formatTaskGraphLines, waitingReason } from "../../runtime/task-display.ts";
-import { verifyTaskCompletion, formatOutputPreview } from "../../runtime/completion-guard.ts";
+import { verifyTaskCompletion } from "../../runtime/completion-guard.ts";
 import { evaluateRunEffectiveness } from "../../runtime/effectiveness.ts";
 import type { PiTeamsToolResult } from "../tool-result.ts";
 import { locateRunCwd } from "../team-tool.ts";

package/src/extension/team-tool.ts

@@ -4,7 +4,6 @@ import type { AgentConfig } from "../agents/agent-config.ts";
 import {
 	allAgents,
 	discoverAgents,
-	invalidateAgentDiscoveryCache,
 	listDynamicAgents,
 	registerDynamicAgent,
 	unregisterDynamicAgent,
@@ -19,8 +18,8 @@ import {
 import type { executeTeamRun as _executeTeamRunFn } from "../runtime/team-runner.ts";
 import type { TeamToolParamsValue } from "../schema/team-tool-schema.ts";
 import { writeArtifact } from "../state/artifact-store.ts";
-import { appendEvent, readEvents } from "../state/event-log.ts";
-import { withRunLock, withRunLockSync } from "../state/locks.ts";
+import { appendEvent } from "../state/event-log.ts";
+import { withRunLock } from "../state/locks.ts";
 import { replayPendingMailboxMessages } from "../state/mailbox.ts";
 import {
 	loadRunManifestById,
@@ -33,22 +32,15 @@ import type {
 	TeamRunManifest,
 	TeamTaskState,
 } from "../state/types.ts";
-import { aggregateUsage, formatUsage } from "../state/usage.ts";
 import { allTeams, discoverTeams } from "../teams/discover-teams.ts";
 import {
 	allWorkflows,
 	discoverWorkflows,
 } from "../workflows/discover-workflows.ts";
-import { validateWorkflowForTeam } from "../workflows/validate-workflow.ts";
-import { cleanupRunWorktrees } from "../worktree/cleanup.ts";
 import { piTeamsHelp } from "./help.ts";
-import { listImportedRuns } from "./import-index.ts";
 import { handleCreate, handleDelete, handleUpdate } from "./management.ts";
 import { initializeProject } from "./project-init.ts";
-import { exportRunBundle } from "./run-export.ts";
-import { importRunBundle } from "./run-import.ts";
 import { listRuns } from "./run-index.ts";
-import { pruneFinishedRuns } from "./run-maintenance.ts";
 import { formatRecommendation, recommendTeam } from "./team-recommendation.ts";
 import { handleSettings } from "./team-tool/handle-settings.ts";
 import type { PiTeamsToolResult } from "./tool-result.ts";
@@ -70,31 +62,12 @@ async function executeTeamRun(
 	return _cachedExecuteTeamRun(...args);
 }
 
-import {
-	applyAttentionState,
-	formatActivityAge,
-	resolveCrewControlConfig,
-} from "../runtime/agent-control.ts";
-import {
-	readCrewAgents,
-	recordFromTask,
-	saveCrewAgents,
-} from "../runtime/crew-agent-records.ts";
 import { directTeamAndWorkflowFromRun } from "../runtime/direct-run.ts";
-import { writeForegroundInterruptRequest } from "../runtime/foreground-control.ts";
 import { parsePiJsonOutput } from "../runtime/pi-json-output.ts";
-import {
-	checkProcessLiveness,
-	isActiveRunStatus,
-} from "../runtime/process-status.ts";
 import {
 	resolveCrewRuntime,
 	runtimeResolutionState,
 } from "../runtime/runtime-resolver.ts";
-import {
-	formatTaskGraphLines,
-	waitingReason,
-} from "../runtime/task-display.ts";
 import { handleApi } from "./team-tool/api.ts";
 import {
 	autonomousPatchFromConfig,
@@ -128,7 +101,6 @@ async function handleRun(
 
 import { waitForRun } from "../runtime/run-tracker.ts";
 import { normalizeSkillOverride } from "../runtime/skill-instructions.ts";
-import { logInternalError } from "../utils/internal-error.ts";
 import { searchAgents, searchTeams } from "../utils/bm25-search.ts";
 import { projectCrewRoot } from "../utils/paths.ts";
 import {

package/src/observability/exporters/otlp-exporter.ts

@@ -124,8 +124,18 @@ export class OTLPExporter implements MetricExporter {
 		}
 	}
 
-	dispose(): void {
+	/**
+	 * FIX (Round 23, resource cleanup): Make dispose() async and await the
+	 * in-flight push so it completes (or aborts) before we return. The push
+	 * itself is bounded by the 10s fetch timeout, so this won't hang
+	 * indefinitely. Without this, dispose() would orphan an in-flight
+	 * network request whose result is then discarded.
+	 */
+	async dispose(): Promise<void> {
 		if (this.timer) clearInterval(this.timer);
 		this.timer = undefined;
+		if (this.inFlight) {
+			try { await this.inFlight; } catch { /* swallow — push() already logs errors */ }
+		}
 	}
 }

package/src/runtime/adaptive-plan.ts

@@ -44,11 +44,27 @@ export function slug(value: string): string {
 	return value.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "").slice(0, 32) || "task";
 }
 
+/** Strip surrounding markdown code fences if present. */
+function stripCodeFence(raw: string): string {
+	let s = raw.trim();
+	// Remove opening fence: ```json or ```
+	if (s.startsWith("```")) {
+		const firstNewline = s.indexOf("\n");
+		if (firstNewline >= 0) s = s.slice(firstNewline + 1);
+		else s = s.slice(3); // edge case: ``` alone on one line
+	}
+	// Remove closing fence
+	if (s.endsWith("```")) {
+		s = s.slice(0, -3);
+	}
+	return s.trim();
+}
+
 export function extractAdaptivePlanJson(text: string): string | undefined {
 	const markerMatch = text.match(/ADAPTIVE_PLAN_JSON_START\s*([\s\S]*?)\s*ADAPTIVE_PLAN_JSON_END/);
-	if (markerMatch?.[1]) return markerMatch[1];
+	if (markerMatch?.[1]) return stripCodeFence(markerMatch[1]);
 	const startIndex = text.indexOf("ADAPTIVE_PLAN_JSON_START");
-	if (startIndex >= 0) return text.slice(startIndex + "ADAPTIVE_PLAN_JSON_START".length).trim();
+	if (startIndex >= 0) return stripCodeFence(text.slice(startIndex + "ADAPTIVE_PLAN_JSON_START".length));
 	const fencedMatch = text.match(/```(?:json)?\s*([\s\S]*?)```/i);
 	return fencedMatch?.[1];
 }

package/src/runtime/child-pi.ts

@@ -8,7 +8,7 @@ import { getPiSpawnCommand } from "./pi-spawn.ts";
 import { DEFAULT_CHILD_PI } from "../config/defaults.ts";
 import { logInternalError } from "../utils/internal-error.ts";
 import { attachPostExitStdioGuard, trySignalChild } from "./post-exit-stdio-guard.ts";
-import { redactJsonLine, isSecretKey } from "../utils/redaction.ts";
+import { redactJsonLine } from "../utils/redaction.ts";
 import { sanitizeEnvSecrets } from "../utils/env-filter.ts";
 import { registerChildProcess, unregisterChildProcess } from "../extension/crew-cleanup.ts";
 
@@ -181,6 +181,16 @@ export function buildChildPiSpawnOptions(cwd: string, env: NodeJS.ProcessEnv): S
 	// Bug #12 fix: essential env vars (PATH, HOME, etc.) are always preserved so child can find npm/node.
 	const filteredEnv = sanitizeEnvSecrets(env, {
 		allowList: [
+			/*
+			 * SECURITY WARNING: All model provider API keys below are passed to EVERY child worker.
+			 * If any child is compromised (e.g. via prompt injection), all listed keys are exposed.
+			 * This is a deliberate trade-off: multi-provider setups require the child Pi process to
+			 * authenticate with whichever provider the model routes to. Reducing keys per-child
+			 * would break multi-provider functionality. Mitigations:
+			 *   - sanitizeEnvSecrets strips all env vars NOT on this list.
+			 *   - Do NOT add wildcards ("*_API_KEY") — only explicit, intended provider keys.
+			 *   - Consider per-task key scoping if the architecture allows it in the future.
+			 */
 			// Model provider API keys (explicit list — do NOT use wildcards)
 			"MINIMAX_API_KEY",
 			"MINIMAX_GROUP_ID",
@@ -405,14 +415,16 @@ export async function runChildPi(input: ChildPiRunInput): Promise<ChildPiRunResu
 	if (depth.blocked) return { exitCode: 1, stdout: "", stderr: `pi-crew depth guard blocked child worker: depth ${depth.depth} >= max ${depth.maxDepth}` };
 	const mock = process.env.PI_TEAMS_MOCK_CHILD_PI;
 	if (mock) {
-		// SECURITY: Log mock mode activation prominently for audit trail
-		console.warn(`[⚠️ PI_CREW_MOCK_MODE] Mock mode active: ${mock} — NOT running real agents!`);
-		// SECURITY FIX: Require PI_CREW_ALLOW_MOCK alongside PI_TEAMS_MOCK_CHILD_PI
+		// SECURITY: Require explicit PI_CREW_ALLOW_MOCK=1 to activate mock mode.
+		// PI_CREW_ALLOW_MOCK must be set in the parent process env (not by child hooks)
+		// since sanitizeEnvSecrets only passes PI_CREW_* vars from the parent.
+		// Setup hooks cannot inject PI_CREW_ALLOW_MOCK into the parent's env.
 		const allowMock = process.env.PI_CREW_ALLOW_MOCK === "1" || process.env.PI_CREW_ALLOW_MOCK === "true";
 		if (!allowMock) {
-			console.error(`[🚨 PI_CREW_MOCK_MODE] SECURITY: PI_TEAMS_MOCK_CHILD_PI is set but PI_CREW_ALLOW_MOCK is not "1". Ignoring mock request for safety.`);
-			return { exitCode: 1, stdout: "", stderr: "Mock mode requires PI_CREW_ALLOW_MOCK=1 alongside PI_TEAMS_MOCK_CHILD_PI" };
+			return { exitCode: 1, stdout: "", stderr: "Mock mode requires PI_CREW_ALLOW_MOCK=1" };
 		}
+		// SECURITY: Log mock mode activation prominently for audit trail
+		console.warn(`Mock mode active: ${mock} — NOT running real agents!`);
 		if (mock === "success") {
 			const stdout = `[MOCK] Success for ${input.agent.name}\n`;
 			observeStdoutChunk(input, stdout);

package/src/runtime/crash-recovery.ts

@@ -11,7 +11,7 @@ import type { ManifestCache } from "./manifest-cache.ts";
 import { checkProcessLiveness } from "./process-status.ts";
 import { reconcileStaleRun, type ReconcileResult } from "./stale-reconciler.ts";
 import { executeHook, appendHookEvent } from "../hooks/registry.ts";
-import { activeRunEntries, unregisterActiveRun, readActiveRunRegistry } from "../state/active-run-registry.ts";
+import { unregisterActiveRun, readActiveRunRegistry } from "../state/active-run-registry.ts";
 import { resolveRealContainedPath } from "../utils/safe-paths.ts";
 import { projectCrewRoot, userCrewRoot } from "../utils/paths.ts";
 import { terminateLiveAgentsForRun } from "./live-agent-manager.ts";

package/src/runtime/crew-agent-records.ts

@@ -263,8 +263,28 @@ export function readCrewAgentStatus(manifest: TeamRunManifest, taskOrAgentId: st
 }
 
 const agentEventSeqCache = new Map<string, { size: number; mtimeMs: number; seq: number }>();
+// FIX (Round 22, defensive cap): Bound the per-file-path cache. Without a cap,
+// a long-running pi-crew process that spawns 1000s of agents accumulates 1000s
+// of entries. Mirrors the `asyncAgentReaderCache` pattern (above) and the
+// `NotificationRouter.SEEN_MAP_MAX_SIZE` pattern.
+const AGENT_EVENT_SEQ_CACHE_MAX_ENTRIES = 1000;
 const AGENT_EVENT_SEQ_SIDECAR = ".seq";
 
+/**
+ * Set an entry in the seq cache, evicting the oldest entries when the cache
+ * exceeds the cap. Map's natural insertion order means the first key is the
+ * oldest — same as the pattern used in `asyncAgentReaderCache`.
+ */
+function setAgentEventSeqCache(filePath: string, entry: { size: number; mtimeMs: number; seq: number }): void {
+	if (agentEventSeqCache.has(filePath)) agentEventSeqCache.delete(filePath);
+	agentEventSeqCache.set(filePath, entry);
+	while (agentEventSeqCache.size > AGENT_EVENT_SEQ_CACHE_MAX_ENTRIES) {
+		const oldest = agentEventSeqCache.keys().next().value;
+		if (oldest === undefined) break;
+		agentEventSeqCache.delete(oldest);
+	}
+}
+
 function readSeqFromSidecar(filePath: string): number | undefined {
 	try {
 		const raw = fs.readFileSync(`${filePath}.${AGENT_EVENT_SEQ_SIDECAR}`, "utf-8");
@@ -295,7 +315,7 @@ function nextAgentEventSeq(filePath: string): number {
 	// FIX: Try sidecar file for O(1) lookup before falling back to O(n) scan.
 	const sidecarSeq = readSeqFromSidecar(filePath);
 	if (sidecarSeq !== undefined) {
-		agentEventSeqCache.set(filePath, { size: stat.size, mtimeMs: stat.mtimeMs, seq: sidecarSeq });
+		setAgentEventSeqCache(filePath, { size: stat.size, mtimeMs: stat.mtimeMs, seq: sidecarSeq });
 		return sidecarSeq + 1;
 	}
 	let max = 0;
@@ -309,7 +329,7 @@ function nextAgentEventSeq(filePath: string): number {
 			max += 1;
 		}
 	}
-	agentEventSeqCache.set(filePath, { size: stat.size, mtimeMs: stat.mtimeMs, seq: max });
+	setAgentEventSeqCache(filePath, { size: stat.size, mtimeMs: stat.mtimeMs, seq: max });
 	writeSeqToSidecar(filePath, max);
 	return max + 1;
 }
@@ -321,7 +341,7 @@ export function appendCrewAgentEvent(manifest: TeamRunManifest, taskId: string,
 	fs.appendFileSync(filePath, `${JSON.stringify(redactSecrets({ seq, time: new Date().toISOString(), event }))}\n`, "utf-8");
 	try {
 		const stat = fs.statSync(filePath);
-		agentEventSeqCache.set(filePath, { size: stat.size, mtimeMs: stat.mtimeMs, seq });
+		setAgentEventSeqCache(filePath, { size: stat.size, mtimeMs: stat.mtimeMs, seq });
 		writeSeqToSidecar(filePath, seq);
 	} catch (error) {
 		logInternalError("crew-agent-records.stat", error, `filePath=${filePath}`);

package/src/runtime/crew-hooks.ts

@@ -146,7 +146,7 @@ export class HookRegistry {
 	emit(event: CrewHookEvent): void {
 		// Validate event type using type guard
 		if (!isValidEventType(event.type)) {
-			console.warn(`[crew-hooks] Unknown event type: ${event.type}`);
+			logInternalError("crew-hooks.unknown-event-type", new Error(`Unknown event type: ${event.type}`));
 			return;
 		}
 

package/src/runtime/dynamic-script-runner.ts

@@ -444,8 +444,9 @@ export class DynamicScriptRunner {
 	/**
 	 * Execute a script without validation (assumes pre-validated).
 	 * Use with caution - prefer execute() for untrusted scripts.
+	 * @internal TEST ONLY — do not use in production code
 	 */
-	executeUnchecked(code: string, timeout?: number): ScriptExecutionResult {
+	private executeUnchecked(code: string, timeout?: number): ScriptExecutionResult {
 		const startTime = Date.now();
 
 		try {
@@ -480,3 +481,15 @@ export class DynamicScriptRunner {
 export function createScriptRunner(options?: DynamicScriptOptions): DynamicScriptRunner {
 	return new DynamicScriptRunner(options);
 }
+
+/**
+ * @internal TEST ONLY — do not use in production code.
+ * Exposes DynamicScriptRunner.executeUnchecked for unit testing.
+ */
+export function __test_executeUnchecked(
+	runner: DynamicScriptRunner,
+	code: string,
+	timeout?: number,
+): ScriptExecutionResult {
+	return (runner as unknown as { executeUnchecked: (code: string, timeout?: number) => ScriptExecutionResult }).executeUnchecked(code, timeout);
+}

package/src/runtime/handoff-manager.ts

@@ -55,7 +55,6 @@ export function isValidHandoffSummary(value: unknown): value is HandoffSummary {
  */
 
 import type { TeamEvent } from "../state/event-log.ts";
-import { appendEventAsync } from "../state/event-log.ts";
 
 /**
  * Represents a key decision made during task execution.

package/src/runtime/heartbeat-watcher.ts

@@ -6,7 +6,7 @@ import { loadRunManifestById } from "../state/state-store.ts";
 import type { TeamRunManifest } from "../state/types.ts";
 import { logInternalError } from "../utils/internal-error.ts";
 import type { ManifestCache } from "./manifest-cache.ts";
-import { classifyHeartbeat, DEFAULT_GRADIENT_THRESHOLDS, heartbeatAgeMs, type GradientThresholds, type HeartbeatLevel } from "./heartbeat-gradient.ts";
+import { DEFAULT_GRADIENT_THRESHOLDS, heartbeatAgeMs, type GradientThresholds, type HeartbeatLevel } from "./heartbeat-gradient.ts";
 
 export interface HeartbeatWatcherRouter {
 	enqueue(notification: NotificationDescriptor): boolean;

package/src/runtime/live-session-runtime.ts

@@ -24,7 +24,6 @@ import { buildExtensionBridge } from "./live-extension-bridge.ts";
 import { logInternalError } from "../utils/internal-error.ts";
 // prose-compressor imported for custom tool descriptions below;
 // tool description compression for SDK-managed tools awaits SDK support.
-import { compressToolDescription } from "./prose-compressor.ts";
 import { buildSensitivePathConstraint } from "./sensitive-paths.ts";
 import { collectLiveSessionHealth, formatLiveSessionDiagnostics, type LiveSessionHealth } from "./live-session-health.ts";
 import { listLiveAgents } from "./live-agent-manager.ts";

package/src/runtime/loop-gates.ts

@@ -8,7 +8,6 @@
  * Distilled from pi-autoresearch's dual-gate loop pattern.
  */
 import * as fs from "node:fs";
-import * as path from "node:path";
 import type { TeamTaskState } from "../state/types.ts";
 
 /**

package/src/runtime/mcp-proxy.ts

@@ -16,8 +16,8 @@
  * when proxying from the parent.
  */
 
-import { defineTool, type ToolDefinition } from "@earendil-works/pi-coding-agent";
-import { Type, type Static, type TSchema } from "@sinclair/typebox";
+import { type ToolDefinition } from "@earendil-works/pi-coding-agent";
+import { type Static, type TSchema } from "@sinclair/typebox";
 
 export interface McpProxyConfig {
 	/** Whether to enable MCP in the child session. */

package/src/runtime/pipeline-runner.ts

@@ -2,8 +2,7 @@ import type { TeamTaskState } from "../state/types.ts";
 import type { WorkflowConfig, WorkflowStep } from "../workflows/workflow-config.ts";
 import type { TeamConfig } from "../teams/team-config.ts";
 import type { AgentConfig } from "../agents/agent-config.ts";
-import { writeArtifact } from "../state/artifact-store.ts";
-import { appendEvent, appendEventAsync } from "../state/event-log.ts";
+import { appendEventAsync } from "../state/event-log.ts";
 import { mapConcurrent } from "./parallel-utils.ts";
 
 /**

package/src/runtime/sandbox.ts

@@ -18,6 +18,9 @@ const FORBIDDEN_PATTERNS = [
 	/__dirname/,                       // __dirname reference
 	/__filename/,                      // __filename reference
 	/\bdefine\s*\(/,                  // AMD define
+	// Global escape vectors
+	/\bglobalThis\b/,                 // globalThis reference
+	/\bglobal\b/,                      // global reference (Node.js)
 ] as const;
 
 /**
@@ -119,6 +122,11 @@ export class WorkflowSandbox {
 			safeGlobals[key] = value;
 		}
 
+		// Freeze prototypes before passing to sandbox context to prevent
+		// prototype pollution from sandboxed code escaping the sandbox.
+		Object.freeze(Object.prototype);
+		Object.freeze(Array.prototype);
+
 		// Context isolation - explicitly list allowed globals
 		const contextGlobals: Record<string, unknown> = {
 			...safeGlobals,