pi-crew 0.5.2 → 0.5.6

package/src/ui/tool-render.ts

@@ -90,12 +90,12 @@ export function renderTeamToolCall(
 	if (!context.expanded) {
 		const preview = goal.length > 60 ? goal.slice(0, 60) + "…" : goal;
 		return new Text(
-			`${theme.fg("toolTitle", theme.bold("team"))} action=${theme.fg("accent", `'${action}'`)}${team}${theme.fg("dim", preview ? ` "${preview.replace(/\n/g, " ")}"` : "")}`,
+			`${theme.fg("toolTitle", theme.bold("team"))}  action=${theme.fg("accent", `'${action}'`)}${team}${theme.fg("dim", preview ? `  "${preview.replace(/\n/g, " ")}"` : "")}`,
 			0, 0,
 		);
 	}
 	const c = context.lastComponent instanceof Container ? (context.lastComponent.clear(), context.lastComponent) : new Container();
-	c.addChild(new Text(`${theme.fg("toolTitle", theme.bold("team"))} action=${theme.fg("accent", `'${action}'`)}${team}`, 0, 0));
+	c.addChild(new Text(`${theme.fg("toolTitle", theme.bold("team"))}  action=${theme.fg("accent", `'${action}'`)}${team}`, 0, 0));
 	if (goal) { c.addChild(new Spacer(1)); c.addChild(new Text(theme.fg("text", goal), 0, 0)); }
 	return c;
 }
@@ -110,13 +110,13 @@ export function renderAgentToolCall(
 	if (!context.expanded) {
 		const preview = prompt.length > 60 ? prompt.slice(0, 60) + "…" : prompt;
 		return new Text(
-			`${theme.fg("toolTitle", theme.bold("agent"))} ${theme.fg("accent", agentName)}${theme.fg("dim", preview ? ` "${preview.replace(/\n/g, " ")}"` : "")}`,
+			`${theme.fg("toolTitle", theme.bold("agent"))}  ${theme.fg("accent", agentName)}${theme.fg("dim", preview ? `  "${preview.replace(/\n/g, " ")}"` : "")}`,
 			0, 0,
 		);
 	}
 	const c = context.lastComponent instanceof Container ? (context.lastComponent.clear(), context.lastComponent) : new Container();
-	const cwdLabel = args.cwd ? theme.fg("dim", ` (cwd: ${args.cwd})`) : "";
-	c.addChild(new Text(`${theme.fg("toolTitle", theme.bold("agent"))} ${theme.fg("accent", agentName)}${cwdLabel}`, 0, 0));
+	const cwdLabel = args.cwd ? theme.fg("dim", `  (cwd:  ${args.cwd})`) : "";
+	c.addChild(new Text(`${theme.fg("toolTitle", theme.bold("agent"))}  ${theme.fg("accent", agentName)}${cwdLabel}`, 0, 0));
 	if (prompt) { c.addChild(new Spacer(1)); c.addChild(new Text(theme.fg("text", prompt), 0, 0)); }
 	return c;
 }
@@ -153,21 +153,21 @@ export function renderAgentProgress(
 	const stats = `${prog?.toolCount ?? record.toolUses ?? 0} tools · ${formatDuration(durationMs)}`;
 	const modelStr = record.model ? ` (${record.model})` : "";
 	const roleLabel = record.role || record.agent || "agent";
-	addLine(`${icon} ${theme.fg("toolTitle", theme.bold(roleLabel))}${theme.fg("dim", modelStr)} — ${theme.fg("dim", stats)}`);
+	addLine(`${icon}  ${theme.fg("toolTitle", theme.bold(roleLabel))}${theme.fg("dim", modelStr)}  —  ${theme.fg("dim", stats)}`);
 
 	// Current tool (running)
 	if (isRunning && prog?.currentTool) {
 		const toolLabel = formatToolPreview(prog.currentTool, parseArgs(prog.currentToolArgs));
-		addLine(theme.fg("warning", `▸ ${prog.currentTool}: ${toolLabel}`));
+		addLine(theme.fg("warning", `▸  ${prog.currentTool}:  ${toolLabel}`));
 	}
 
 	// Recent tools log
 	if (prog?.recentTools?.length) {
 		for (const tool of prog.recentTools) {
-			const detail = tool.args ? `: ${tool.args}` : "";
+			const detail = tool.args ? `:  ${tool.args}` : "";
 			const line = tool.endedAt
 				? theme.fg("muted", `  ${tool.tool}${detail}`)
-				: theme.fg("warning", `▸ ${tool.tool}${detail}`);
+				: theme.fg("warning", `▸  ${tool.tool}${detail}`);
 			addLine(line);
 		}
 	}
@@ -231,7 +231,7 @@ export function renderTeamToolResult(
 			if ((result as any).runId) parts.push(`runId=${(result as any).runId}`);
 			if ((result as any).error) parts.push(theme.fg("error", `error`));
 			if ((result as any).goal && parts.length === 0) parts.push(theme.fg("dim", truncLine((result as any).goal, 116)));
-			return new Text(parts.join(" "), 0, 0);
+			return new Text(parts.join("  ·  "), 0, 0);
 		}
 		// No details found, fall back to content
 		const text = extractText(result?.content).slice(0, 200);
@@ -253,7 +253,7 @@ export function renderTeamToolResult(
 	if (d.error) parts.push(theme.fg("error", `error=${d.error}`));
 	if (d.goal) parts.push(theme.fg("dim", truncLine(d.goal, 116)));
 	if (parts.length === 0) return new Text(theme.fg("muted", "(no output)"), 0, 0);
-	return new Text(parts.join(" · "), 0, 0);
+	return new Text(parts.join("  ·  "), 0, 0);
 }
 
 /** agent tool result: shows agent output rows with status icons */
@@ -275,9 +275,9 @@ export function renderAgentToolResult(
 				: item.status === "running" ? theme.fg("warning", "⟳")
 				: theme.fg("dim", "○");
 			const label = item.agentId || "agent";
-			c.addChild(new Text(`${icon} ${theme.fg("toolTitle", theme.bold(label))}`, 0, 0));
+			c.addChild(new Text(`${icon}  ${theme.fg("toolTitle", theme.bold(label))}`, 0, 0));
 			if (item.error) {
-				c.addChild(new Text(theme.fg("error", `  Error: ${item.error}`), 0, 0));
+				c.addChild(new Text(theme.fg("error", `  Error:  ${item.error}`), 0, 0));
 			} else if (item.output) {
 				for (const line of item.output.split("\n").slice(0, 5))
 					c.addChild(new Text(theme.fg("dim", `  ${truncLine(line, w - 2)}`), 0, 0));
@@ -293,9 +293,9 @@ export function renderAgentToolResult(
 			: d.status === "running" ? theme.fg("warning", "⟳")
 			: theme.fg("dim", "○");
 		const label = d.agentId;
-		c.addChild(new Text(`${icon} ${theme.fg("toolTitle", theme.bold(label))}`, 0, 0));
+		c.addChild(new Text(`${icon}  ${theme.fg("toolTitle", theme.bold(label))}`, 0, 0));
 		if (d.error) {
-			c.addChild(new Text(theme.fg("error", `  Error: ${d.error}`), 0, 0));
+			c.addChild(new Text(theme.fg("error", `  Error:  ${d.error}`), 0, 0));
 		} else if (d.output) {
 			for (const line of d.output.split("\n").slice(0, 5))
 				c.addChild(new Text(theme.fg("dim", `  ${truncLine(line, w - 2)}`), 0, 0));

package/src/ui/transcript-cache.ts

@@ -19,6 +19,7 @@ export interface TranscriptReadOptions {
 
 const TRANSCRIPT_CACHE_TTL_MS = 500;
 const DEFAULT_TAIL_BYTES = 256 * 1024;
+const MAX_CACHE_SIZE = 100;
 const transcriptCache = new Map<string, TranscriptCacheEntry>();
 
 function cacheKey(path: string, options: Required<Pick<TranscriptReadOptions, "full">> & { maxTailBytes: number }): string {
@@ -85,6 +86,18 @@ export function readTranscriptLinesCached(path: string, parse: (text: string) =>
 			truncated: read.truncated,
 		};
 		transcriptCache.set(key, entry);
+		// Evict oldest entry if cache exceeds max size
+		if (transcriptCache.size > MAX_CACHE_SIZE) {
+			let oldestKey: string | null = null;
+			let oldestParsedAt = Infinity;
+			for (const [k, v] of transcriptCache.entries()) {
+				if (v.parsedAt < oldestParsedAt) {
+					oldestParsedAt = v.parsedAt;
+					oldestKey = k;
+				}
+			}
+			if (oldestKey) transcriptCache.delete(oldestKey);
+		}
 		return lines;
 	} catch {
 		return previous?.lines ?? [];

package/src/utils/bm25-search.ts

@@ -46,17 +46,17 @@ export class BM25Search<T extends SearchDocument> {
   }
 
   /**
-   * Compute document frequency for a query term using substring matching,
-   * consistent with the regex-based tf computation in search().
+   * Compute document frequency for a query term using indexOf for better performance.
+   * Uses linear-time substring matching instead of regex to avoid ReDoS.
    */
   private df(term: string): number {
-    const escaped = term.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
-    const re = new RegExp(escaped, "g");
+    const termLower = term.toLowerCase();
     let count = 0;
     for (const doc of this.documents) {
       for (const field of Object.keys(this.fieldWeights)) {
         const text = (doc.fields[field] ?? "").toLowerCase();
-        if (re.test(text)) {
+        // Use indexOf for linear-time substring search
+        if (text.includes(termLower)) {
           count++;
           break;
         }
@@ -81,11 +81,19 @@ export class BM25Search<T extends SearchDocument> {
         let fieldScore = 0;
 
         for (const term of queryTerms) {
-          const escaped = term.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
-          const tf = (textLower.match(new RegExp(escaped, "g")) ?? []).length;
+          // Use indexOf for linear-time substring counting instead of regex
+          const termLower = term.toLowerCase();
+          let tf = 0;
+          let pos = 0;
+          while ((pos = textLower.indexOf(termLower, pos)) !== -1) {
+            tf++;
+            pos += termLower.length;
+            // Cap tf to prevent runaway on repeated patterns
+            if (tf > 100) break;
+          }
           if (tf === 0) continue;
 
-          const df = this.df(term);
+          const df = this.df(termLower);
           if (df === 0) continue;
 
           const idf = Math.log((this.N - df + 0.5) / (df + 0.5) + 1);

package/src/utils/env-filter.ts

@@ -1,4 +1,4 @@
-import { SECRET_KEY_PATTERN } from "./redaction.ts";
+import { isSecretKey } from "./redaction.ts";
 
 export interface SanitizeEnvOptions {
 	/** Allow-list of env var names to preserve. Supports trailing glob, e.g. `"PI_*"`. */
@@ -8,14 +8,17 @@ export interface SanitizeEnvOptions {
 /**
  * Strip env vars whose keys look like secrets before passing to child processes.
  *
- * Default mode (no allowList): deny-list using SECRET_KEY_PATTERN.
+ * Default mode (no allowList): deny-list using isSecretKey.
  * When allowList is provided, only keys matching the allow-list are preserved.
  */
 export function sanitizeEnvSecrets(env: NodeJS.ProcessEnv, options?: SanitizeEnvOptions): Record<string, string> {
 	const filtered: Record<string, string> = {};
 	if (options?.allowList && options.allowList.length > 0) {
 		const matchers = options.allowList.map((p) => {
-			if (p.endsWith("*")) return (k: string) => k.startsWith(p.slice(0, -1));
+			if (p.endsWith("*")) {
+				const prefix = p.slice(0, -1);
+				return (k: string) => k.startsWith(prefix) && k.length > prefix.length;
+			}
 			return (k: string) => k === p;
 		});
 		for (const [key, value] of Object.entries(env)) {
@@ -24,7 +27,7 @@ export function sanitizeEnvSecrets(env: NodeJS.ProcessEnv, options?: SanitizeEnv
 		return filtered;
 	}
 	for (const [key, value] of Object.entries(env)) {
-		if (value !== undefined && !SECRET_KEY_PATTERN.test(key)) filtered[key] = value;
+		if (value !== undefined && !isSecretKey(key)) filtered[key] = value;
 	}
 	return filtered;
-}
+}

package/src/utils/redaction.ts

@@ -1,26 +1,180 @@
-export const SECRET_KEY_PATTERN = /(?:^|[_.-])(token|api[-_]?key|password|passwd|secret|credential|authorization|private[-_]?key)(?:$|[_.-])/i;
-const INLINE_SECRET_PATTERN = /(^|[\s,{])(([A-Za-z0-9_.-]*(?:api[-_]?key|token|password|passwd|secret|credential|authorization|private[-_]?key)[A-Za-z0-9_.-]*)\s*[=:]\s*)([^\s,;"'}]+)/gi;
-const AUTH_HEADER_PATTERN = /\b(Authorization\s*:\s*(?:Bearer|Basic|Token)?\s*)([^\r\n]+)/gi;
-const BEARER_PATTERN = /\b(Bearer\s+)([A-Za-z0-9._~+/=-]{8,})\b/g;
-const PEM_PRIVATE_KEY_PATTERN = /-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]{0,65536}?-----END [A-Z ]*PRIVATE KEY-----/g;
+/**
+ * ReDoS-resistant pattern matching for secret detection.
+ * Uses linear-time scan instead of complex regex to prevent catastrophic backtracking.
+ */
+
+// Pattern for PEM private keys (possessive quantifier prevents backtracking)
+export const PEM_PRIVATE_KEY_PATTERN = /-----BEGIN [A-Z ]+PRIVATE KEY-----[\s\S]+?-----END [A-Z ]+PRIVATE KEY-----/g;
+
+// Linear-time secret key detection
+export function isSecretKey(keyName: string): boolean {
+	// Fast path: common secret key names
+	const lower = keyName.toLowerCase();
+	if (/^(token|apikey|api_key|password|secret|credential|authorization|privatekey|private_key)$/.test(lower)) {
+		return true;
+	}
+	// Linear scan for prefix characters followed by keywords
+	const prefixes = "_.-";
+	const keywords = ["token", "api", "key", "password", "passwd", "secret", "credential", "authorization", "private"];
+	
+	for (let i = 0; i < keyName.length; i++) {
+		if (prefixes.includes(keyName[i])) {
+			const remaining = keyName.substring(i + 1).toLowerCase();
+			for (const kw of keywords) {
+				if (remaining.startsWith(kw)) {
+					const afterKw = remaining.substring(kw.length);
+					if (afterKw === "" || prefixes.includes(afterKw[0]) || /[a-zA-Z0-9]/.test(afterKw[0])) {
+						return true;
+					}
+				}
+			}
+		}
+	}
+	return false;
+}
+
+// Linear-time Authorization header redaction
+export function redactAuthHeader(line: string): string {
+	const lower = line.toLowerCase();
+	const authIdx = lower.indexOf("authorization:");
+	if (authIdx === -1) return line;
+	
+	// Verify word boundary - must be at start of line or preceded by whitespace/comma/brace
+	if (authIdx > 0) {
+		const before = line[authIdx - 1];
+		if (before !== ' ' && before !== ',' && before !== '{' && before !== '[' && before !== '"' && before !== '\r' && before !== '\n') {
+			return line; // Not a word boundary
+		}
+	}
+	
+	// Check if this is followed by Bearer token (don't redact Bearer tokens separately)
+	// Look for "Bearer" after "authorization:"
+	const afterAuth = lower.substring(authIdx + 14).trimStart();
+	if (!afterAuth.startsWith('bearer ')) {
+		// No Bearer token, this is a regular Authorization header - redact it
+		let end = authIdx + 14;
+		while (end < line.length && line[end] !== "\r" && line[end] !== "\n") {
+			end++;
+		}
+		return line.substring(0, end) + " ***" + (end < line.length ? line.substring(end) : "");
+	}
+	
+	// It's a Bearer token format - don't redact here, let redactBearerTokens handle it
+	return line;
+}
+
+// Linear-time Bearer token redaction
+export function redactBearerTokens(line: string): string {
+	const upper = line.toUpperCase();
+	const result: string[] = [];
+	let i = 0;
+	
+	while (i < line.length) {
+		if (upper.startsWith("BEARER ", i)) {
+			// Check word boundary: preceded by start, space, comma, brace, or newline
+			if (i > 0) {
+				const before = line[i - 1];
+				if (before !== ' ' && before !== ',' && before !== '{' && before !== '[' && before !== '"' && before !== '\r' && before !== '\n') {
+					result.push(line[i]);
+					i++;
+					continue;
+				}
+			}
+			
+			// Found "Bearer " - now find the token
+			const bearerPrefix = line.substring(i, i + 7); // "Bearer "
+			let j = i + 7;
+			let tokenLen = 0;
+			while (j < line.length && tokenLen < 200 && /[A-Za-z0-9._~+/-]/.test(line[j])) {
+				j++;
+				tokenLen++;
+			}
+			
+			if (tokenLen >= 8) {
+				// Replace with Bearer + *** (redact the token)
+				result.push(bearerPrefix + "***");
+				i = j;
+				continue;
+			}
+		}
+		result.push(line[i]);
+		i++;
+	}
+	
+	return result.join("");
+}
 
 function isRecord(value: unknown): value is Record<string, unknown> {
 	if (!value || typeof value !== "object" || Array.isArray(value)) return false;
-	// Exclude built-in types whose Object.entries() would produce empty arrays.
 	if (value instanceof Date || value instanceof RegExp || value instanceof Error || value instanceof Map || value instanceof Set) return false;
 	return true;
 }
 
-function isSecretKey(keyName: string): boolean {
-	return SECRET_KEY_PATTERN.test(keyName) || /^(token|apiKey|api_key|password|secret|credential|authorization|privateKey|private_key)$/i.test(keyName);
+export function redactSecretString(value: string): string {
+	let result = value;
+	
+	// Replace PEM private keys
+	result = result.replace(PEM_PRIVATE_KEY_PATTERN, "***");
+	
+	// Replace Authorization headers (non-Bearer format)
+	result = redactAuthHeader(result);
+	
+	// Replace Bearer tokens
+	result = redactBearerTokens(result);
+	
+	// Replace inline secrets: key=value or key:value patterns
+	result = redactInlineSecrets(result);
+	
+	return result;
 }
 
-export function redactSecretString(value: string): string {
-	return value
-		.replace(PEM_PRIVATE_KEY_PATTERN, "***")
-		.replace(AUTH_HEADER_PATTERN, "$1***")
-		.replace(BEARER_PATTERN, "$1***")
-		.replace(INLINE_SECRET_PATTERN, "$1$2***");
+// Linear-time inline secret redaction: token=xxx, api_key=xxx, etc.
+function redactInlineSecrets(value: string): string {
+	const result: string[] = [];
+	let i = 0;
+	
+	while (i < value.length) {
+		// Look for pattern: word_chars + = or : + non-whitespace_value
+		// Check for secret key followed by = or :
+		let j = i;
+		let keyLen = 0;
+		
+		// Collect key characters (alphanumeric, underscore, hyphen)
+		while (j < value.length && /[a-zA-Z0-9_-]/.test(value[j])) {
+			j++;
+			keyLen++;
+		}
+		
+		if (keyLen > 0 && j < value.length && (value[j] === '=' || value[j] === ':')) {
+			const key = value.substring(i, i + keyLen);
+			
+			// Check if this is a secret key
+			if (isSecretKey(key)) {
+				// Find the value (everything after = or : until space, comma, or end)
+				const sep = value[j];
+				let k = j + 1;
+				let valLen = 0;
+				while (k < value.length && valLen < 500 && value[k] !== ' ' && value[k] !== ',' && value[k] !== ';' && value[k] !== '"' && value[k] !== '"' && value[k] !== '\r' && value[k] !== '\n') {
+					k++;
+					valLen++;
+				}
+				
+				// Only redact if there's actual content
+				if (valLen > 0) {
+					result.push(key);
+					result.push(sep);
+					result.push("***");
+					i = k;
+					continue;
+				}
+			}
+		}
+		
+		result.push(value[i]);
+		i++;
+	}
+	
+	return result.join("");
 }
 
 export function redactSecrets(value: unknown, keyName = ""): unknown {
@@ -41,4 +195,4 @@ export function redactJsonLine(line: string): string {
 	} catch {
 		return redactSecretString(line);
 	}
-}
+}

package/src/utils/session-utils.ts

@@ -0,0 +1,52 @@
+/**
+ * Session ID utilities for pi-crew / pi session alignment.
+ *
+ * pi's session IDs use the format:
+ * ^[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?$
+ *
+ * This module provides utilities to generate valid pi session IDs
+ * that align with pi-crew run IDs for easy cross-referencing.
+ */
+
+/**
+ * Validate session ID format per pi's requirements.
+ * Format: ^[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?$
+ */
+export function assertValidSessionId(id: string): void {
+	if (!id || !/^[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?$/.test(id)) {
+		throw new Error(
+			`Invalid session id: must be non-empty, alphanumeric with '-', '_', '.' and start/end with alphanumeric`,
+		);
+	}
+}
+
+/**
+ * Convert a pi-crew run ID to a valid pi session ID.
+ *
+ * - Strips non-alphanumeric characters
+ * - Lowercases
+ * - Prefixes with "crew-"
+ * - Truncates to 16 chars for safety
+ *
+ * @param runId - The pi-crew run ID (e.g., "team_20260528133725_02e05cc5480d0175")
+ * @returns Valid pi session ID (e.g., "crew-team20260528133")
+ */
+export function toPiSessionId(runId: string): string {
+	// Strip non-alphanumeric, lowercase, prefix with "crew-"
+	const sanitized = runId.replace(/[^A-Za-z0-9]/g, "").toLowerCase();
+	return `crew-${sanitized.slice(0, 16)}`;
+}
+
+/**
+ * Validate and convert a run ID to a pi session ID.
+ * Returns the session ID if valid, or undefined if conversion would produce invalid ID.
+ */
+export function safeToPiSessionId(runId: string): string | undefined {
+	try {
+		const sessionId = toPiSessionId(runId);
+		assertValidSessionId(sessionId);
+		return sessionId;
+	} catch {
+		return undefined;
+	}
+}

package/src/utils/sse-parser.ts

@@ -8,6 +8,9 @@ export interface ServerSentEvent {
 /** L1: Maximum number of raw lines before discarding an oversized event. */
 const MAX_EVENT_LINES = 1000;
 
+/** L2: Maximum data size per line to prevent unbounded memory usage. */
+const MAX_DATA_SIZE = 100000; // 100KB per line
+
 /** Read newline-delimited lines from a text ReadableStream, buffering partial chunks. */
 async function* readLines(
 	stream: ReadableStream<string>,
@@ -97,13 +100,19 @@ export async function* readSseEvents(
 
 		currentRaw.push(line);
 
-		// L1: Guard against unbounded memory growth
+		// L1: Guard against unbounded memory growth (line count)
 		if (currentRaw.length > MAX_EVENT_LINES) {
 			const evt = flush();
 			if (evt) yield evt;
 			continue;
 		}
 
+		// L2: Guard against unbounded memory growth (data size per line)
+		if (value.length > MAX_DATA_SIZE) {
+			// Truncate oversized data to prevent memory issues
+			value = value.slice(0, MAX_DATA_SIZE);
+		}
+
 		if (field === "event") {
 			currentEvent = value;
 		} else if (field === "data") {

package/src/worktree/cleanup.ts

@@ -59,7 +59,12 @@ export function cleanupRunWorktrees(manifest: TeamRunManifest, options: { force?
 			// Commit changes to a branch instead of just preserving the worktree
 			try {
 				execFileSync("git", ["add", "-A"], { cwd: worktreePath, encoding: "utf-8", stdio: ["ignore", "pipe", "pipe"], env: { ...process.env, LANG: "C", LC_ALL: "C" }, windowsHide: true });
-				const safeDesc = entry.name.slice(0, 200);
+				let safeDesc = entry.name.slice(0, 200);
+				// SECURITY: Strip any newlines that could be injected via a malicious worktree name
+				// to prevent newline injection in git commit messages
+				if (safeDesc.includes("\n")) {
+					safeDesc = safeDesc.replace(/[\r\n]+/g, " ");
+				}
 				execFileSync("git", ["commit", "-m", `pi-crew: ${safeDesc}`], { cwd: worktreePath, encoding: "utf-8", stdio: ["ignore", "pipe", "pipe"], env: { ...process.env, LANG: "C", LC_ALL: "C" }, windowsHide: true });
 				// Create branch in the main repo pointing to this worktree's HEAD
 				try {

package/src/worktree/worktree-manager.ts

@@ -128,19 +128,38 @@ function runSetupHook(manifest: TeamRunManifest, task: TeamTaskState, repoRoot:
 		return [];
 	}
 	const nodeHook = hookPath.endsWith(".js") || hookPath.endsWith(".cjs") || hookPath.endsWith(".mjs");
-	// On Windows, set shell:true to ensure PATH resolution and .cjs/.bat file associations work.
-	const useShell = process.platform === "win32";
-	const result = spawnSync(nodeHook ? process.execPath : hookPath, nodeHook ? [hookPath] : [], {
-		cwd: worktreePath,
-		encoding: "utf-8",
-		input: JSON.stringify({ version: 1, repoRoot, worktreePath, agentCwd: worktreePath, branch, runId: manifest.runId, taskId: task.id, agent: task.agent }),
-		timeout: cfg.setupHookTimeoutMs ?? 30_000,
-		shell: useShell,
-		env: sanitizeEnvSecrets(process.env, {
-			allowList: ["PATH", "HOME", "USERPROFILE", "TEMP", "TMP", "TMPDIR", "LANG", "LC_ALL", "PI_*"],
-		}),
-		windowsHide: true,
-	});
+	// For .bat/.cmd files on Windows, execute via cmd.exe /c directly
+	const isBatchFile = hookPath.endsWith(".bat") || hookPath.endsWith(".cmd");
+	// SECURITY: Never use shell:true — prevents command injection from untrusted hooks.
+	// Non-node, non-batch hooks on Windows will fail to execute rather than
+	// running through a shell that could interpret malicious filenames.
+	const useShell = false;
+	if (process.platform === "win32" && !nodeHook && !isBatchFile) {
+		logInternalError("worktree.setupHook.windowsNoShell", new Error("Non-node, non-batch hook skipped on Windows (shell:true disabled for security)"), `hook=${hookPath}`);
+	}
+	const result = isBatchFile
+		? spawnSync("cmd.exe", ["/c", hookPath], {
+			cwd: worktreePath,
+			encoding: "utf-8",
+			input: JSON.stringify({ version: 1, repoRoot, worktreePath, agentCwd: worktreePath, branch, runId: manifest.runId, taskId: task.id, agent: task.agent }),
+			timeout: cfg.setupHookTimeoutMs ?? 30_000,
+			shell: false,  // cmd.exe /c handles batch files safely
+			env: sanitizeEnvSecrets(process.env, {
+				allowList: ["PATH", "HOME", "USERPROFILE", "TEMP", "TMP", "TMPDIR", "LANG", "LC_ALL", "PI_*"],
+			}),
+			windowsHide: true,
+		})
+		: spawnSync(nodeHook ? process.execPath : hookPath, nodeHook ? [hookPath] : [], {
+			cwd: worktreePath,
+			encoding: "utf-8",
+			input: JSON.stringify({ version: 1, repoRoot, worktreePath, agentCwd: worktreePath, branch, runId: manifest.runId, taskId: task.id, agent: task.agent }),
+			timeout: cfg.setupHookTimeoutMs ?? 30_000,
+			shell: useShell,
+			env: sanitizeEnvSecrets(process.env, {
+				allowList: ["PATH", "HOME", "USERPROFILE", "TEMP", "TMP", "TMPDIR", "LANG", "LC_ALL", "PI_*"],
+			}),
+			windowsHide: true,
+		});
 	if (result.error) throw new Error(`worktree setup hook failed: ${result.error.message}`);
 	if (result.status !== 0) throw new Error(`worktree setup hook failed with exit code ${result.status}: ${result.stderr || result.stdout || "no output"}`);
 	const trimmed = result.stdout.trim();