pi-crew 0.5.2 → 0.5.5

package/src/ui/tool-render.ts

@@ -90,12 +90,12 @@ export function renderTeamToolCall(
 	if (!context.expanded) {
 		const preview = goal.length > 60 ? goal.slice(0, 60) + "…" : goal;
 		return new Text(
-			`${theme.fg("toolTitle", theme.bold("team"))} action=${theme.fg("accent", `'${action}'`)}${team}${theme.fg("dim", preview ? ` "${preview.replace(/\n/g, " ")}"` : "")}`,
+			`${theme.fg("toolTitle", theme.bold("team"))}  action=${theme.fg("accent", `'${action}'`)}${team}${theme.fg("dim", preview ? `  "${preview.replace(/\n/g, " ")}"` : "")}`,
 			0, 0,
 		);
 	}
 	const c = context.lastComponent instanceof Container ? (context.lastComponent.clear(), context.lastComponent) : new Container();
-	c.addChild(new Text(`${theme.fg("toolTitle", theme.bold("team"))} action=${theme.fg("accent", `'${action}'`)}${team}`, 0, 0));
+	c.addChild(new Text(`${theme.fg("toolTitle", theme.bold("team"))}  action=${theme.fg("accent", `'${action}'`)}${team}`, 0, 0));
 	if (goal) { c.addChild(new Spacer(1)); c.addChild(new Text(theme.fg("text", goal), 0, 0)); }
 	return c;
 }
@@ -110,13 +110,13 @@ export function renderAgentToolCall(
 	if (!context.expanded) {
 		const preview = prompt.length > 60 ? prompt.slice(0, 60) + "…" : prompt;
 		return new Text(
-			`${theme.fg("toolTitle", theme.bold("agent"))} ${theme.fg("accent", agentName)}${theme.fg("dim", preview ? ` "${preview.replace(/\n/g, " ")}"` : "")}`,
+			`${theme.fg("toolTitle", theme.bold("agent"))}  ${theme.fg("accent", agentName)}${theme.fg("dim", preview ? `  "${preview.replace(/\n/g, " ")}"` : "")}`,
 			0, 0,
 		);
 	}
 	const c = context.lastComponent instanceof Container ? (context.lastComponent.clear(), context.lastComponent) : new Container();
-	const cwdLabel = args.cwd ? theme.fg("dim", ` (cwd: ${args.cwd})`) : "";
-	c.addChild(new Text(`${theme.fg("toolTitle", theme.bold("agent"))} ${theme.fg("accent", agentName)}${cwdLabel}`, 0, 0));
+	const cwdLabel = args.cwd ? theme.fg("dim", `  (cwd:  ${args.cwd})`) : "";
+	c.addChild(new Text(`${theme.fg("toolTitle", theme.bold("agent"))}  ${theme.fg("accent", agentName)}${cwdLabel}`, 0, 0));
 	if (prompt) { c.addChild(new Spacer(1)); c.addChild(new Text(theme.fg("text", prompt), 0, 0)); }
 	return c;
 }
@@ -153,21 +153,21 @@ export function renderAgentProgress(
 	const stats = `${prog?.toolCount ?? record.toolUses ?? 0} tools · ${formatDuration(durationMs)}`;
 	const modelStr = record.model ? ` (${record.model})` : "";
 	const roleLabel = record.role || record.agent || "agent";
-	addLine(`${icon} ${theme.fg("toolTitle", theme.bold(roleLabel))}${theme.fg("dim", modelStr)} — ${theme.fg("dim", stats)}`);
+	addLine(`${icon}  ${theme.fg("toolTitle", theme.bold(roleLabel))}${theme.fg("dim", modelStr)}  —  ${theme.fg("dim", stats)}`);
 
 	// Current tool (running)
 	if (isRunning && prog?.currentTool) {
 		const toolLabel = formatToolPreview(prog.currentTool, parseArgs(prog.currentToolArgs));
-		addLine(theme.fg("warning", `▸ ${prog.currentTool}: ${toolLabel}`));
+		addLine(theme.fg("warning", `▸  ${prog.currentTool}:  ${toolLabel}`));
 	}
 
 	// Recent tools log
 	if (prog?.recentTools?.length) {
 		for (const tool of prog.recentTools) {
-			const detail = tool.args ? `: ${tool.args}` : "";
+			const detail = tool.args ? `:  ${tool.args}` : "";
 			const line = tool.endedAt
 				? theme.fg("muted", `  ${tool.tool}${detail}`)
-				: theme.fg("warning", `▸ ${tool.tool}${detail}`);
+				: theme.fg("warning", `▸  ${tool.tool}${detail}`);
 			addLine(line);
 		}
 	}
@@ -231,7 +231,7 @@ export function renderTeamToolResult(
 			if ((result as any).runId) parts.push(`runId=${(result as any).runId}`);
 			if ((result as any).error) parts.push(theme.fg("error", `error`));
 			if ((result as any).goal && parts.length === 0) parts.push(theme.fg("dim", truncLine((result as any).goal, 116)));
-			return new Text(parts.join(" "), 0, 0);
+			return new Text(parts.join("  ·  "), 0, 0);
 		}
 		// No details found, fall back to content
 		const text = extractText(result?.content).slice(0, 200);
@@ -253,7 +253,7 @@ export function renderTeamToolResult(
 	if (d.error) parts.push(theme.fg("error", `error=${d.error}`));
 	if (d.goal) parts.push(theme.fg("dim", truncLine(d.goal, 116)));
 	if (parts.length === 0) return new Text(theme.fg("muted", "(no output)"), 0, 0);
-	return new Text(parts.join(" · "), 0, 0);
+	return new Text(parts.join("  ·  "), 0, 0);
 }
 
 /** agent tool result: shows agent output rows with status icons */
@@ -275,9 +275,9 @@ export function renderAgentToolResult(
 				: item.status === "running" ? theme.fg("warning", "⟳")
 				: theme.fg("dim", "○");
 			const label = item.agentId || "agent";
-			c.addChild(new Text(`${icon} ${theme.fg("toolTitle", theme.bold(label))}`, 0, 0));
+			c.addChild(new Text(`${icon}  ${theme.fg("toolTitle", theme.bold(label))}`, 0, 0));
 			if (item.error) {
-				c.addChild(new Text(theme.fg("error", `  Error: ${item.error}`), 0, 0));
+				c.addChild(new Text(theme.fg("error", `  Error:  ${item.error}`), 0, 0));
 			} else if (item.output) {
 				for (const line of item.output.split("\n").slice(0, 5))
 					c.addChild(new Text(theme.fg("dim", `  ${truncLine(line, w - 2)}`), 0, 0));
@@ -293,9 +293,9 @@ export function renderAgentToolResult(
 			: d.status === "running" ? theme.fg("warning", "⟳")
 			: theme.fg("dim", "○");
 		const label = d.agentId;
-		c.addChild(new Text(`${icon} ${theme.fg("toolTitle", theme.bold(label))}`, 0, 0));
+		c.addChild(new Text(`${icon}  ${theme.fg("toolTitle", theme.bold(label))}`, 0, 0));
 		if (d.error) {
-			c.addChild(new Text(theme.fg("error", `  Error: ${d.error}`), 0, 0));
+			c.addChild(new Text(theme.fg("error", `  Error:  ${d.error}`), 0, 0));
 		} else if (d.output) {
 			for (const line of d.output.split("\n").slice(0, 5))
 				c.addChild(new Text(theme.fg("dim", `  ${truncLine(line, w - 2)}`), 0, 0));

package/src/utils/session-utils.ts

@@ -0,0 +1,52 @@
+/**
+ * Session ID utilities for pi-crew / pi session alignment.
+ *
+ * pi's session IDs use the format:
+ * ^[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?$
+ *
+ * This module provides utilities to generate valid pi session IDs
+ * that align with pi-crew run IDs for easy cross-referencing.
+ */
+
+/**
+ * Validate session ID format per pi's requirements.
+ * Format: ^[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?$
+ */
+export function assertValidSessionId(id: string): void {
+	if (!id || !/^[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?$/.test(id)) {
+		throw new Error(
+			`Invalid session id: must be non-empty, alphanumeric with '-', '_', '.' and start/end with alphanumeric`,
+		);
+	}
+}
+
+/**
+ * Convert a pi-crew run ID to a valid pi session ID.
+ *
+ * - Strips non-alphanumeric characters
+ * - Lowercases
+ * - Prefixes with "crew-"
+ * - Truncates to 16 chars for safety
+ *
+ * @param runId - The pi-crew run ID (e.g., "team_20260528133725_02e05cc5480d0175")
+ * @returns Valid pi session ID (e.g., "crew-team20260528133")
+ */
+export function toPiSessionId(runId: string): string {
+	// Strip non-alphanumeric, lowercase, prefix with "crew-"
+	const sanitized = runId.replace(/[^A-Za-z0-9]/g, "").toLowerCase();
+	return `crew-${sanitized.slice(0, 16)}`;
+}
+
+/**
+ * Validate and convert a run ID to a pi session ID.
+ * Returns the session ID if valid, or undefined if conversion would produce invalid ID.
+ */
+export function safeToPiSessionId(runId: string): string | undefined {
+	try {
+		const sessionId = toPiSessionId(runId);
+		assertValidSessionId(sessionId);
+		return sessionId;
+	} catch {
+		return undefined;
+	}
+}

package/src/worktree/worktree-manager.ts

@@ -128,19 +128,38 @@ function runSetupHook(manifest: TeamRunManifest, task: TeamTaskState, repoRoot:
 		return [];
 	}
 	const nodeHook = hookPath.endsWith(".js") || hookPath.endsWith(".cjs") || hookPath.endsWith(".mjs");
-	// On Windows, set shell:true to ensure PATH resolution and .cjs/.bat file associations work.
-	const useShell = process.platform === "win32";
-	const result = spawnSync(nodeHook ? process.execPath : hookPath, nodeHook ? [hookPath] : [], {
-		cwd: worktreePath,
-		encoding: "utf-8",
-		input: JSON.stringify({ version: 1, repoRoot, worktreePath, agentCwd: worktreePath, branch, runId: manifest.runId, taskId: task.id, agent: task.agent }),
-		timeout: cfg.setupHookTimeoutMs ?? 30_000,
-		shell: useShell,
-		env: sanitizeEnvSecrets(process.env, {
-			allowList: ["PATH", "HOME", "USERPROFILE", "TEMP", "TMP", "TMPDIR", "LANG", "LC_ALL", "PI_*"],
-		}),
-		windowsHide: true,
-	});
+	// For .bat/.cmd files on Windows, execute via cmd.exe /c directly
+	const isBatchFile = hookPath.endsWith(".bat") || hookPath.endsWith(".cmd");
+	// SECURITY: Never use shell:true — prevents command injection from untrusted hooks.
+	// Non-node, non-batch hooks on Windows will fail to execute rather than
+	// running through a shell that could interpret malicious filenames.
+	const useShell = false;
+	if (process.platform === "win32" && !nodeHook && !isBatchFile) {
+		logInternalError("worktree.setupHook.windowsNoShell", new Error("Non-node, non-batch hook skipped on Windows (shell:true disabled for security)"), `hook=${hookPath}`);
+	}
+	const result = isBatchFile
+		? spawnSync("cmd.exe", ["/c", hookPath], {
+			cwd: worktreePath,
+			encoding: "utf-8",
+			input: JSON.stringify({ version: 1, repoRoot, worktreePath, agentCwd: worktreePath, branch, runId: manifest.runId, taskId: task.id, agent: task.agent }),
+			timeout: cfg.setupHookTimeoutMs ?? 30_000,
+			shell: false,  // cmd.exe /c handles batch files safely
+			env: sanitizeEnvSecrets(process.env, {
+				allowList: ["PATH", "HOME", "USERPROFILE", "TEMP", "TMP", "TMPDIR", "LANG", "LC_ALL", "PI_*"],
+			}),
+			windowsHide: true,
+		})
+		: spawnSync(nodeHook ? process.execPath : hookPath, nodeHook ? [hookPath] : [], {
+			cwd: worktreePath,
+			encoding: "utf-8",
+			input: JSON.stringify({ version: 1, repoRoot, worktreePath, agentCwd: worktreePath, branch, runId: manifest.runId, taskId: task.id, agent: task.agent }),
+			timeout: cfg.setupHookTimeoutMs ?? 30_000,
+			shell: useShell,
+			env: sanitizeEnvSecrets(process.env, {
+				allowList: ["PATH", "HOME", "USERPROFILE", "TEMP", "TMP", "TMPDIR", "LANG", "LC_ALL", "PI_*"],
+			}),
+			windowsHide: true,
+		});
 	if (result.error) throw new Error(`worktree setup hook failed: ${result.error.message}`);
 	if (result.status !== 0) throw new Error(`worktree setup hook failed with exit code ${result.status}: ${result.stderr || result.stdout || "no output"}`);
 	const trimmed = result.stdout.trim();