pi-crew 0.5.20 → 0.5.22

package/CHANGELOG.md

@@ -1,5 +1,48 @@
 # Changelog
 
+## [0.5.22] — Remaining Issues from Ultimate Sweep (2026-06-03)
+
+### Highlights
+- `DEFAULT_CHILD_PI` frozen with `Readonly<>` type (prevents mutation)
+- `parseWithSchema` logs validation failures with context
+- Global registry cleanup (`uninstallCrewGlobalRegistry`)
+- Mailbox sender auth and cross-workspace hooks documented
+
+### Fixes
+- `defaults.ts`: `DEFAULT_CHILD_PI` wrapped in `Readonly<{...}>` to prevent mutation via module injection
+- `config.ts`: `parseWithSchema` logs validation failures when context provided
+- `team-tool.ts`: Added `uninstallCrewGlobalRegistry()` paired with install
+- `register.ts`: Calls `uninstallCrewGlobalRegistry()` in `cleanupRuntime()`
+- `mailbox.ts`: Security documentation for sender authentication
+- `hooks/registry.ts`: Security documentation for cross-workspace hook behavior
+
+### Stats
+- Test suite: 2703 pass + 1 skip, 0 fail
+- TypeScript: 0 errors
+
+## [0.5.21] — Ultimate Final Sweep: HIGH Security + Correctness Fixes (2026-06-03)
+
+### Highlights
+- **safe-bash line-continuation bypass fixed** — `$\n(evil)` now blocked
+- **scheduledJobs dead code fixed** — settings sanitizer now passes through scheduled jobs
+- **Memory-bounded file reads** — `readIfSmall` uses `fs.readSync` with buffer instead of full file read
+- **Event log corruption detection** — `scanSequence` logs warnings for corrupt JSON lines
+
+### Security
+- `safe-bash.ts`: All structural checks now use `normalized` string (stripped line continuations)
+- `\$\s*\(` regex catches `$<newline>(evil)` → `$(evil)` bypass that bash interprets as command substitution
+- Added 2 regression tests for line-continuation bypass
+
+### Fixes
+- `settings-store.ts`: `sanitizeSettings()` now copies `scheduledJobs` as opaque array
+- `task-output-context.ts`: `readIfSmall` uses `Buffer.alloc` + `fs.readSync` instead of `readFileSync` + `slice`
+- `event-log.ts`: `scanSequence` counts and logs corrupt JSON lines via `logInternalError`
+
+### Stats
+- Test suite: 2703 pass + 1 skip, 0 fail
+- TypeScript: 0 errors
+- Total issues fixed across 37 rounds: ~155+
+
 ## [0.5.20] — Verification Sweep: 7 Fixes (2026-06-03)
 
 ### Highlights

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pi-crew",
-  "version": "0.5.20",
+  "version": "0.5.22",
   "description": "Pi extension for coordinated AI teams, workflows, worktrees, and async task orchestration",
   "author": "baphuongna",
   "license": "MIT",

package/src/config/config.ts

@@ -520,8 +520,14 @@ function asRecord(value: unknown): Record<string, unknown> | undefined {
 function parseWithSchema<T extends TSchema>(
 	schema: T,
 	value: unknown,
+	context?: string,
 ): Static<T> | undefined {
-	if (!Value.Check(schema, value)) return undefined;
+	if (!Value.Check(schema, value)) {
+		if (context) {
+			logInternalError("config.parseWithSchema", undefined, `${context}: schema validation failed`);
+		}
+		return undefined;
+	}
 	return Value.Decode(schema, value);
 }
 

package/src/config/defaults.ts

@@ -1,4 +1,14 @@
-export const DEFAULT_CHILD_PI = {
+export const DEFAULT_CHILD_PI: Readonly<{
+	postExitStdioGuardMs: number;
+	finalDrainMs: number;
+	hardKillMs: number;
+	responseTimeoutMs: number;
+	maxCaptureBytes: number;
+	maxAssistantTextChars: number;
+	maxToolResultChars: number;
+	maxToolInputChars: number;
+	maxCompactContentChars: number;
+}> = {
 	postExitStdioGuardMs: 3000,
 	finalDrainMs: 5000,
 	hardKillMs: 3000,

package/src/extension/register.ts

@@ -20,6 +20,7 @@ import { registerAutonomousPolicy } from "./autonomous-policy.ts";
 import { registerCleanupHandler } from "./crew-cleanup.ts";
 import type { ScheduledJob } from "../runtime/scheduler.ts";
 import { clearHooks } from "../hooks/registry.ts";
+import { uninstallCrewGlobalRegistry } from "./team-tool.ts";
 import { notifyActiveRuns } from "./session-summary.ts";
 
 let _cachedLiveRunSidebar: typeof LiveRunSidebarType | undefined;
@@ -1112,6 +1113,7 @@ export function registerPiTeams(pi: ExtensionAPI): void {
 		metricRegistry = undefined;
 		deliveryCoordinator?.dispose();
 		clearHooks();
+		uninstallCrewGlobalRegistry();
 		overflowTracker?.dispose();
 		deliveryCoordinator = undefined;
 		overflowTracker = undefined;

package/src/extension/team-tool.ts

@@ -1278,3 +1278,8 @@ export function installCrewGlobalRegistry(): void {
 		listDynamicAgents,
 	});
 }
+
+/** Remove the global CrewRegistry singleton. Call during session cleanup. */
+export function uninstallCrewGlobalRegistry(): void {
+	delete (globalThis as Record<symbol | string, unknown>)[CREW_REGISTRY_KEY];
+}

package/src/hooks/registry.ts

@@ -30,6 +30,9 @@ export async function executeHook(name: HookName, ctx: HookContext): Promise<Hoo
 	// SECURITY: If ctx contains a workspaceId, filter hooks to only those scoped to
 	// this workspace. This prevents globally-registered hooks from operating on runs
 	// they weren't designed for.
+	// SECURITY: Hooks without workspaceId match ALL workspaces. This is intentional
+	// for globally-applicable hooks (e.g., logging, metrics). For multi-tenant
+	// environments, all hooks should set workspaceId to prevent cross-workspace access.
 	const scopedHooks = hooks.filter((h) => !h.workspaceId || h.workspaceId === ctx.workspaceId);
 	if (scopedHooks.length === 0) return { hookName: name, outcome: "allow", durationMs: 0 };
 	const start = Date.now();

package/src/runtime/settings-store.ts

@@ -57,6 +57,10 @@ function sanitizeSettings(raw: unknown): CrewSettings {
 	if (typeof r.notifierIntervalMs === "number" && r.notifierIntervalMs >= 1000) {
 		out.notifierIntervalMs = r.notifierIntervalMs;
 	}
+	// Pass through scheduledJobs as opaque array (validated by crewScheduler.add)
+	if (Array.isArray(r.scheduledJobs)) {
+		out.scheduledJobs = r.scheduledJobs;
+	}
 	return out;
 }
 

package/src/runtime/task-output-context.ts

@@ -34,7 +34,17 @@ function readIfSmall(filePath: string, maxBytes = 24_000, baseDir?: string): str
 	try {
 		const safePath = baseDir ? resolveRealContainedPath(baseDir, filePath) : filePath;
 		const stat = fs.statSync(safePath);
-		if (stat.size > maxBytes) return `${fs.readFileSync(safePath, "utf-8").slice(0, maxBytes)}\n\n...(truncated ${stat.size - maxBytes} bytes)`;
+		if (stat.size > maxBytes) {
+			// Use bounded read to avoid loading entire file into memory
+			const buf = Buffer.alloc(maxBytes);
+			const fd = fs.openSync(safePath, "r");
+			try {
+				fs.readSync(fd, buf, 0, maxBytes, 0);
+			} finally {
+				fs.closeSync(fd);
+			}
+			return `${buf.toString("utf-8")}\n\n...(truncated ${stat.size - maxBytes} bytes)`;
+		}
 		return fs.readFileSync(safePath, "utf-8");
 	} catch {
 		return undefined;

package/src/state/event-log.ts

@@ -149,12 +149,18 @@ function parseSequence(raw: string): number | undefined {
 export function scanSequence(eventsPath: string): number {
 	if (!fs.existsSync(eventsPath)) return 0;
 	let max = 0;
+	let skipped = 0;
 	for (const line of fs.readFileSync(eventsPath, "utf-8").split("\n")) {
 		if (!line.trim()) continue;
 		try {
 			const event = JSON.parse(line) as TeamEvent;
 			max = Math.max(max, event.metadata?.seq ?? 0);
-		} catch { /* skip corrupt lines without incrementing sequence */ }
+		} catch {
+			skipped++;
+		}
+	}
+	if (skipped > 0) {
+		logInternalError("event-log.scanSequence.corrupt_lines", undefined, `${eventsPath}: skipped ${skipped} corrupt line(s)`);
 	}
 	return max;
 }

package/src/state/mailbox.ts

@@ -327,6 +327,18 @@ function writeDeliveryState(manifest: TeamRunManifest, state: MailboxDeliverySta
 	atomicWriteFile(deliveryFile(manifest, true), `${JSON.stringify(redactSecrets(state), null, 2)}\n`);
 }
 
+/**
+ * Append a message to a run's or task's mailbox.
+ *
+ * SECURITY NOTE: The `from` field is caller-declared — there is no cryptographic
+ * sender authentication. This is acceptable because `appendMailboxMessage` is an
+ * internal API only callable from within the pi-crew process (no external input).
+ * All callers (handleSteer, handleRespond, handleFollowUp) derive `from` from
+ * authenticated context (session role, task assignment).
+ *
+ * If pi-crew ever exposes mailbox writes to external/untrusted input, sender
+ * authentication (HMAC or session key) must be added.
+ */
 export function appendMailboxMessage(manifest: TeamRunManifest, message: Omit<MailboxMessage, "id" | "runId" | "createdAt" | "status"> & { id?: string; status?: MailboxMessageStatus }): MailboxMessage {
 	if (message.taskId) ensureTaskMailbox(manifest, message.taskId);
 	else ensureRunMailbox(manifest);

package/src/tools/safe-bash.ts

@@ -201,22 +201,23 @@ export function isDangerous(command: string, options: SafeBashOptions = {}): str
 	}
 
 	// Additional shell injection checks using regex for non-critical patterns
-	// Block command substitution $(...)
-	if (/\$\([^)]*\)/.test(command)) {
+	// Block command substitution $(...)  — use normalized to prevent $\n(evil) bypass
+	// Also match $<space>(...) which is the normalized form of $\n(evil)
+	if (/\$\s*\([^)]*\)/.test(normalized)) {
 		return "Command blocked by safe_bash: command substitution $(...) is not allowed";
 	}
 	// Block backtick substitution
 	const backtickRe = /`[^`]*`/;
-	if (backtickRe.test(command)) {
+	if (backtickRe.test(normalized)) {
 		return "Command blocked by safe_bash: backtick substitution is not allowed";
 	}
 	// Block here-docs <<
-	if (/<<\s*['"]?[\w-]+['"]?/.test(command) || /\$<<\s*['"]?[\w-]+['"]?/.test(command)) {
+	if (/<<\s*['"]?[\w-]+['"]?/.test(normalized) || /\$<<\s*['"]?[\w-]+['"]?/.test(normalized)) {
 		return "Command blocked by safe_bash: here-doc is not allowed";
 	}
-	// Block ${...} variable expansion containing shell metacharacters (pipes, redirects, &&/||)
+	// Block ${...} variable expansion containing shell metacharacters
 	const varExpRe = /\$\{([^}]*)\}/;
-	const varMatch = command.match(varExpRe);
+	const varMatch = normalized.match(varExpRe);
 	if (varMatch && /[|&;<>]/.test(varMatch[1])) {
 		return "Command blocked by safe_bash: variable expansion with shell metacharacters is not allowed";
 	}