pi-crew 0.5.22 → 0.5.23

package/CHANGELOG.md

@@ -1382,3 +1382,22 @@ correctness+error-handling, and performance+architecture audits across 77 source
 
 - Initial scaffold for `pi-crew`.
 - Added Pi package manifest, extension entry, minimal team tool, slash commands, builtin resources, and documentation placeholders.
+
+## [0.5.23] — Documentation & CI Update (2026-06-03)
+
+### Highlights
+- **CI typecheck re-enabled** — was disabled with stale comment about tsconfig errors
+- All docs updated to v0.5.22 references
+
+### Documentation
+- README.md: version stamp v0.5.22, updated security highlights (12 items)
+- SECURITY-ISSUES.md: added v0.5.17–v0.5.22 security fix summary
+- SECURITY-AUDIT.md: scope updated to v0.5.22
+- docs/architecture.md: v0.5.22, 38 rounds of review
+- docs/pi-crew-bugs.md: v0.5.22 + historical note
+- docs/TEST_MATRIX.md: test count updated to 2703
+- docs/deep-review-report.md: marked historical
+- docs/migration-v0.4-v0.5.md: drop-in replacement note
+
+### CI
+- `.github/workflows/ci.yml`: typecheck step re-enabled (was disabled since v0.3.x)

package/README.md

@@ -9,18 +9,22 @@ npm: pi-crew
 repo: https://github.com/baphuongna/pi-crew
 ```
 
-**v0.5.15**: See [CHANGELOG.md](CHANGELOG.md).
+**v0.5.22**: See [CHANGELOG.md](CHANGELOG.md).
 
-### Security highlights (v0.5.5)
+### Security highlights (v0.5.22)
 
 - **ReDoS-free secret redaction** — linear-time scanning in `redaction.ts`; no catastrophic backtracking
 - **v8.deserialize hardened** — `BINARY_MAGIC` header guards on registry binaries prevent untrusted-file RCE
 - **Cache lock protection** — `withFileLockSync` and atomic writes across `run-cache.ts` and `state-store.ts`
-- **Shell injection prevented** — shell-metacharacter blocking in `benchmark-runner.ts`
+- **Shell injection prevented** — `execFileSync` with array args everywhere (no shell-interpreted strings)
+- **Safe-bash line-continuation hardening** — `$\n(evil)` command substitution bypass blocked
+- **Sandbox prototype isolation** — `Object.freeze` scoped to VM context (not host process)
+- **Path traversal mitigated** — `resolveContainedPath`/`resolveRealContainedPath` across all file ops
 - **TOCTOU-free file ops** — atomic `mkdirSync` in `crew-init.ts`; `realpath`-based path validation
-- **Memory leaks capped** — `MAX_HANDOFFS_PER_ANCHOR=100`, `MAX_DELIVERY_MESSAGES=10000`, `MAX_RUNS=1000`
+- **Memory leaks capped** — Maps, Sets, arrays bounded with eviction across all modules
 - **Inline secret detection** — `token=`, `api_key=`, `password=` patterns redacted at event/mailbox boundaries
-- **Subagent log scrubbing** — pre-aborted signal logging no longer dumps unredacted params
+- **CI exit code enforced** — `test-runner.mjs` wrapper ensures non-zero exit on failures
+- **38 audit rounds, 160+ issues fixed** — 3 CRITICAL + 6 HIGH + 3 MEDIUM security issues resolved
 
 See [SECURITY-ISSUES.md](SECURITY-ISSUES.md) for the full list (SEC-001 – SEC-007 all marked fixed).
 

package/docs/TEST_MATRIX.md

@@ -16,7 +16,7 @@ Maps pi-crew behavior to proof. Every row must have real validation evidence.
 
 | Story | Contract | Unit | Integration | CI | Status | Evidence |
 |-------|----------|------|-------------|-----|--------|----------|
-| Core team run | `docs/product/team-run.md` | yes | yes | yes 3/3 | implemented | 1655 tests pass (268 unit + 14 integration files) |
+| Core team run | `docs/product/team-run.md` | yes | yes | yes 3/3 | implemented | 2703 tests pass (133 suites) |
 | Child process runner | `docs/product/child-process.md` | yes | yes | yes 3/3 | implemented | child-pi-pool.test.ts, child-pi-timeout.test.ts, mock-child-run.test.ts |
 | Async runner | `docs/product/async-runner.md` | yes | yes | yes 3/3 | implemented | async-runner.test.ts, async-restart-recovery.test.ts |
 | Live session | `docs/product/live-session.md` | yes | no | yes 3/3 | implemented | live-session-context.test.ts, live-session-runtime.test.ts |

package/docs/architecture.md

@@ -2,7 +2,7 @@
 
 `pi-crew` is a Pi package for coordinated multi-agent work. It is intentionally durable-first: every run is represented on disk, every task has a state record, and child workers stream progress into JSONL/status files so foreground sessions, background jobs, dashboards, and later restarts all read the same source of truth.
 
-**Current version:** v0.5.5 — 13 rounds of code review hardening (see [CHANGELOG.md](../CHANGELOG.md) and [pi-crew-v0.5.5-audit-fix-plan.md](pi-crew-v0.5.5-audit-fix-plan.md)).
+**Current version:** v0.5.22 — 38 rounds of code review hardening (see [CHANGELOG.md](../CHANGELOG.md)).
 
 ## Layers
 

package/docs/deep-review-report.md

@@ -1,7 +1,7 @@
 # pi-crew Deep Review Report
 
 **Project:** pi-crew  
-**Version:** v0.5.2  
+**Version:** v0.5.2 *(historical — current version is v0.5.22)*  
 **Review Date:** 2026-05-28  
 **Updated:** 2026-05-29  
 **Reviewers:** Security Reviewer, Code Reviewer, Documentation Reviewer

package/docs/migration-v0.4-v0.5.md

@@ -2,7 +2,7 @@
 
 **Author:** pi-crew team  
 **Date:** 2026-06-01  
-**Version:** 0.5.5
+**Version:** 0.5.5 *(covers v0.4→v0.5 migration; later v0.5.x versions are drop-in replacements)*
 
 ---
 

package/docs/pi-crew-bugs.md

@@ -1,6 +1,7 @@
 # Historical Bug Reports (v0.2.x)
 
-> **Current version: v0.5.2** — See [CHANGELOG.md](../CHANGELOG.md) for all bug fixes.
+> **Current version: v0.5.22** — See [CHANGELOG.md](../CHANGELOG.md) for all bug fixes.
+> This page tracks historical bugs from v0.2.x. All listed bugs are fixed.
 
 ---
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pi-crew",
-  "version": "0.5.22",
+  "version": "0.5.23",
   "description": "Pi extension for coordinated AI teams, workflows, worktrees, and async task orchestration",
   "author": "baphuongna",
   "license": "MIT",