npm - pi-crew - Versions diffs - 0.5.18 → 0.5.19 - Mend

pi-crew 0.5.18 → 0.5.19

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/CHANGELOG.md +30 -0
package/package.json +1 -1
package/src/agents/discover-agents.ts +15 -8
package/src/extension/register.ts +2 -0
package/src/observability/event-bus.ts +8 -0
package/src/observability/metrics-primitives.ts +13 -0
package/src/runtime/settings-store.ts +2 -1
package/src/runtime/sidechain-output.ts +2 -0
package/src/runtime/streaming-output.ts +3 -0

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,35 @@
 # Changelog
+## [0.5.19] — Final Sweep: 8 MEDIUM/LOW Fixes + 2 Test Fixes (2026-06-03)
+### Highlights
+- **All remaining issues fixed** — 4-agent review sweep found 0 CRITICAL/HIGH
+- 2 pre-existing test failures fixed (env isolation)
+- Memory bounds added to security log and metrics primitives
+- Defensive path validation in streaming/sidechain output
+- Production cleanup now clears hooks
+### Fixes
+#### MEDIUM: Memory bounds
+- `securityEventLog` in `discover-agents.ts` capped at 1,000 entries (was unbounded)
+- `Counter`/`Gauge`/`Histogram` Maps in `metrics-primitives.ts` capped at 10,000 label combinations
+#### LOW: Code quality
+- `console.warn` → `logInternalError` in `settings-store.ts` and `discover-agents.ts`
+- `crewEventBus` dead code documented (retained for future use)
+- `clearHooks()` called in production cleanup path (`register.ts`)
+- `assertSafePathId` added to `streaming-output.ts` and `sidechain-output.ts`
+#### Test fixes
+- `adaptive-implementation.test.ts`: replaced `restoreEnv` with `delete` to prevent leaked `PI_CREW_ROLE`
+- `subagent-tools-integration.test.ts`: added env isolation to first test case
+### Stats
+- Test suite: 2688 pass + 1 skip, 0 fail
+- TypeScript: 0 errors
+- Files changed: 9
 ## [0.5.18] — Final Review Fixes (2026-06-03)
 ### Highlights

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "pi-crew",
-  "version": "0.5.18",
+  "version": "0.5.19",
   "description": "Pi extension for coordinated AI teams, workflows, worktrees, and async task orchestration",
   "author": "baphuongna",
   "license": "MIT",

package/src/agents/discover-agents.ts CHANGED Viewed

@@ -103,7 +103,9 @@ interface SecurityEvent {
 /**
  * Security event log. In production, this should be sent to a security SIEM.
+ * Bounded at MAX_SECURITY_LOG_ENTRIES to prevent unbounded memory growth.
  */
+const MAX_SECURITY_LOG_ENTRIES = 1000;
 const securityEventLog: SecurityEvent[] = [];
 /**
@@ -113,11 +115,16 @@ const securityEventLog: SecurityEvent[] = [];
  */
 function logSecurityEvent(event: SecurityEvent): void {
 	securityEventLog.push(event);
+	// Evict oldest entries when cap exceeded
+	while (securityEventLog.length > MAX_SECURITY_LOG_ENTRIES) {
+		securityEventLog.shift();
+	}
-	// Console output for development/debugging (redacted in production)
-	const prefix = "\x1b[33m[SECURITY]\x1b[0m"; // Yellow warning
-	console.warn(
-		`${prefix} ${event.type}: agent="${event.name}" reason="${event.reason}" time=${new Date(event.timestamp).toISOString()}`
+	// Log security events via structured logger
+	logInternalError(
+		`security.${event.type}`,
+		undefined,
+		`agent="${event.name}" reason="${event.reason}"`,
 	);
 }
@@ -195,10 +202,10 @@ function checkProjectAgentShadowsBuiltin(name: string): void {
 			reason: "project_shadows_protected_builtin",
 			timestamp: Date.now(),
 		});
-		console.warn(
-			`\x1b[33m[SECURITY WARNING]\x1b[0m Project agent "${name}" shadows a protected builtin. ` +
-			`This agent will be loaded but builtin agents take priority. ` +
-			`If this is intentional, consider using a different name.`
+		logInternalError(
+			`security.agent_shadow_warning`,
+			undefined,
+			`Project agent "${name}" shadows a protected builtin. Builtin agents take priority.`,
 		);
 		return;
 	}

package/src/extension/register.ts CHANGED Viewed

@@ -18,6 +18,7 @@ import {
 } from "./async-notifier.ts";
 import { registerAutonomousPolicy } from "./autonomous-policy.ts";
 import { registerCleanupHandler } from "./crew-cleanup.ts";
+import { clearHooks } from "../hooks/registry.ts";
 import { notifyActiveRuns } from "./session-summary.ts";
 let _cachedLiveRunSidebar: typeof LiveRunSidebarType | undefined;
@@ -1109,6 +1110,7 @@ export function registerPiTeams(pi: ExtensionAPI): void {
 		otlpExporter = undefined;
 		metricRegistry = undefined;
 		deliveryCoordinator?.dispose();
+		clearHooks();
 		overflowTracker?.dispose();
 		deliveryCoordinator = undefined;
 		overflowTracker = undefined;

package/src/observability/event-bus.ts CHANGED Viewed

@@ -71,4 +71,12 @@ class EventBus {
   }
 }
+/**
+ * Global event bus for crew lifecycle events.
+ *
+ * NOTE: Currently only emits — no production subscribers yet.
+ * The `runEventBus` (from `ui/run-event-bus.ts`) is the active event system.
+ * This bus is retained for future observability/SIEM integration.
+ * See also: progress-tracker.ts which emits agent:progress events.
+ */
 export const crewEventBus = EventBus.getInstance();

package/src/observability/metrics-primitives.ts CHANGED Viewed

@@ -36,6 +36,16 @@ interface StoredHistogram {
 export const DEFAULT_HISTOGRAM_BUCKETS = [1, 2, 5, 10, 25, 50, 100, 250, 500, 1000, 2500, 5000, 10000] as const;
+/** Maximum number of unique label combinations per metric. */
+const MAX_LABEL_COMBINATIONS = 10_000;
+function enforceLabelCap(map: Map<string, unknown>, metricName: string): void {
+	while (map.size > MAX_LABEL_COMBINATIONS) {
+		const firstKey = map.keys().next().value;
+		if (firstKey !== undefined) map.delete(firstKey);
+	}
+}
 function normalizeLabels(labels: MetricLabels = {}): MetricLabels {
 	const normalized: MetricLabels = {};
 	for (const [key, value] of Object.entries(labels).sort(([left], [right]) => left.localeCompare(right))) normalized[key] = value;
@@ -70,6 +80,7 @@ export class Counter extends Metric {
 		const key = labelKey(labels);
 		const current = this.values.get(key) ?? { labels: normalizeLabels(labels), value: 0 };
 		this.values.set(key, { labels: current.labels, value: current.value + delta });
+		enforceLabelCap(this.values, this.name);
 	}
 	value(labels: MetricLabels = {}): number {
@@ -87,6 +98,7 @@ export class Gauge extends Metric {
 	set(labels: MetricLabels = {}, value: number): void {
 		if (!Number.isFinite(value)) return;
 		this.values.set(labelKey(labels), { labels: normalizeLabels(labels), value });
+		enforceLabelCap(this.values, this.name);
 	}
 	add(labels: MetricLabels = {}, delta: number): void {
@@ -123,6 +135,7 @@ export class Histogram extends Metric {
 		current.sum += value;
 		current.count += 1;
 		if (!existing) this.observations.set(key, current);
+		enforceLabelCap(this.observations, this.name);
 	}
 	quantile(labels: MetricLabels = {}, q: number): number {

package/src/runtime/settings-store.ts CHANGED Viewed

@@ -1,6 +1,7 @@
 import * as fs from "node:fs";
 import * as path from "node:path";
 import { homedir } from "node:os";
+import { logInternalError } from "../utils/internal-error.ts";
 import type { JoinMode } from "./group-join.ts";
 export interface CrewSettings {
@@ -71,7 +72,7 @@ function readSettingsFile(filePath: string): CrewSettings {
 		return sanitizeSettings(JSON.parse(fs.readFileSync(filePath, "utf-8")));
 	} catch (err) {
 		const reason = err instanceof Error ? err.message : String(err);
-		console.warn(`[pi-crew] Ignoring malformed settings at ${filePath}: ${reason}`);
+		logInternalError("settings-store.read", err, `Ignoring malformed settings at ${filePath}`);
 		return {};
 	}
 }

package/src/runtime/sidechain-output.ts CHANGED Viewed

@@ -1,5 +1,6 @@
 import * as fs from "node:fs";
 import * as path from "node:path";
+import { isSafePathId } from "../utils/safe-paths.ts";
 import { redactSecrets } from "../utils/redaction.ts";
 export interface SidechainEntry {
@@ -17,6 +18,7 @@ export function writeSidechainEntry(filePath: string, entry: Omit<SidechainEntry
 }
 export function sidechainOutputPath(stateRoot: string, taskId: string): string {
+	if (!isSafePathId(taskId)) throw new Error(`Invalid taskId: ${taskId}`);
 	return path.join(stateRoot, "agents", taskId, "sidechain.output.jsonl");
 }

package/src/runtime/streaming-output.ts CHANGED Viewed

@@ -1,5 +1,6 @@
 import * as fs from "node:fs";
 import * as path from "node:path";
+import { isSafePathId } from "../utils/safe-paths.ts";
 import type { TeamRunManifest } from "../state/types.ts";
 export interface StreamingOutputHandle {
@@ -9,6 +10,7 @@ export interface StreamingOutputHandle {
 }
 export function createStreamingOutput(manifest: TeamRunManifest, taskId: string): StreamingOutputHandle {
+	if (!isSafePathId(taskId)) throw new Error(`Invalid taskId: ${taskId}`);
 	const outputDir = path.join(manifest.artifactsRoot, "streaming");
 	fs.mkdirSync(outputDir, { recursive: true });
 	const outputPath = path.join(outputDir, `${taskId}.md`);
@@ -37,6 +39,7 @@ export function createStreamingOutput(manifest: TeamRunManifest, taskId: string)
 }
 export function readStreamingOutput(manifest: TeamRunManifest, taskId: string): string {
+	if (!isSafePathId(taskId)) return "";
 	const outputPath = path.join(manifest.artifactsRoot, "streaming", `${taskId}.md`);
 	if (!fs.existsSync(outputPath)) return "";
 	try {