pi-crew 0.5.25 → 0.6.1

package/CHANGELOG.md

@@ -1,5 +1,70 @@
 # Changelog
 
+## [0.6.1] — Post-v0.6.0 Security Hardening + Test Coverage (2026-06-04)
+
+### Highlights
+- **42+ security issues fixed** — 7 CRITICAL, 10 HIGH, 11 MEDIUM, 14 post-restart review findings
+- **~1,900 new tests** across 113+ test files — total suite now ~4,600 tests
+- **38 dead exports cleaned** across 19 modules
+- **12 `any` types replaced** with proper TypeScript types
+- **Full battle-testing** — 2 Pi restart cycles, all team types, management operations verified
+
+### Security Fixes (CRITICAL)
+- `async-runner.ts`: Environment variable leak in child process — sanitized with `sanitizeEnvSecrets()`
+- `verification-gates.ts`: Shell injection via user-controlled strings — switched to `execFileSync`
+- `sandbox.ts`: `String.fromCharCode` bypass — added `constructor` to `FORBIDDEN_PATTERNS`
+- `locks.ts`: Timing-unsafe comparison on lock tokens — replaced with constant-time compare
+- `event-log.ts`: Request IDs logged in plaintext — now hashed before logging
+- `team-runner.ts`: Missing heartbeat for long-running tasks — added 30s heartbeat writer
+- `worktree-manager.ts`: Environment secrets leaked to git subprocesses — `sanitizeEnvSecrets()`
+
+### Security Fixes (HIGH)
+- `preStepScript` symlink traversal — `fs.realpathSync` before path containment check
+- `childEnvAllowList` wildcard patterns (`LC_*`, `XDG_*`) could leak secrets
+- Event log sync/async race condition — route sync `appendEvent` through async queue
+- Subagent record validation — `sanitizePersistedRecord()` with allow-listed fields
+- Verification gate redirect — allow single `>` for `2>&1`, block `>>` and `<[^&]`
+- `allowPatterns` validation — reject patterns matching empty strings
+
+### Security Fixes (MEDIUM)
+- `logInternalError` import paths normalized across all modules
+- `Object.freeze()` narrowing fix — use `Readonly<{...}>` explicit types
+- NTFS mtime granularity — write-first, `utimes`-after for cache invalidation
+- Windows path separators — platform-agnostic assertions in tests
+- `executeUnchecked` visibility — `__test_executeUnchecked` export pattern
+- `seedPaths` containment — `normalizeSeedPaths()` validates paths stay within `repoRoot`
+
+### Code Quality
+- 38 dead/unused exports removed across 19 source modules
+- 12 `any` types replaced with proper interfaces
+- `enforceLabelCap` MRU correctness — `delete`-then-`set` to maintain Map insertion order
+- `readIfSmall` bounded reads — `Buffer.alloc` + `fs.readSync` instead of `readFileSync`
+
+### Test Coverage
+- 113 new test files, ~1,900 new test cases
+- Modules now covered: config, extension, workflow, subagent, observability, runtime, graph,
+  heartbeat, permissions, state, locks, event-log, safe-bash, sandbox, verification-gates,
+  async-runner, team-runner, background-runner, worktree, fingerprint, BM25 search, and more
+- Windows CI verified: path separators, `npx.cmd` resolution, NTFS mtime all pass
+- Test runner wrapper (`scripts/test-runner.mjs`) ensures non-zero exit on failures
+
+### Stats
+- Test suite: ~4,600 pass, 0 fail
+- TypeScript: 0 errors
+- Lines added since v0.6.0: 22,520 (742 src + 21,777 test)
+- Files changed: 204
+- Security issues fixed: 42+
+- Audit rounds: 42 (including post-v0.6.0 battle-testing)
+
+## [0.6.0] — Source Tour Patterns + 15 New Modules (2026-06-03)
+
+### Highlights
+- **15 upstream patterns implemented** from 63-repository source tour
+- **10 new source modules** (2,267 LOC): chain-parser, run-drift, intercom-bridge,
+  plan-templates, task-id, context-retrieval, intermediate-store, fingerprint,
+  memory-store, observation-store
+- **37 skills reviewed** with origin fields, all passing validation
+
 ## [0.5.22] — Remaining Issues from Ultimate Sweep (2026-06-03)
 
 ### Highlights
@@ -1401,3 +1466,37 @@ correctness+error-handling, and performance+architecture audits across 77 source
 
 ### CI
 - `.github/workflows/ci.yml`: typecheck step re-enabled (was disabled since v0.3.x)
+
+## [0.6.0] — Source Tour Patterns Implementation (2026-06-04)
+
+### Highlights
+- **15 patterns** implemented from 63-repo source tour (2,267 LOC)
+- All patterns pass TypeScript strict mode with 0 errors
+- 37 skills (including new council skill)
+
+### Tier 1 — Quick Wins
+- **Council skill** (Pattern 5): 3 adversarial roles for critical decisions
+- **6 lifecycle hooks** (Pattern 12): after_run_complete, after_task_complete, session hooks
+- **3-tier convention** (Pattern 13): Command→Agent→Skill documentation + effort field
+- **Pre-step scripts** (Pattern 2): Deterministic scripts before LLM dispatch
+- **Chain DSL parser** (Pattern 8): step1 -> parallel(step2, step3) -> step4
+
+### Tier 2 — Medium-Term
+- **DAG enhancements** (Pattern 7): findBlockedTasks, getBlockingTasks, topologicalSort
+- **Drift detection** (Pattern 10): 5 detectors, 2-pass reconciliation
+- **Hash-based task IDs** (Pattern 11): Base36 + adaptive length + hierarchical
+- **Iterative retrieval** (Pattern 6): Score → converge → refine loop
+- **Intercom bridge** (Pattern 9): Worker→orchestrator escalation queue
+- **Plan templates** (Pattern 15): Built-in standard-review and full-implementation
+
+### Tier 3 — Long-Term
+- **Phase-gated intermediates** (Pattern 1): Disk-persistent step outputs
+- **Incremental fingerprinting** (Pattern 3): Content hash + structural signature
+- **4-tier memory** (Pattern 4): Working→Episodic→Semantic→Procedural with Ebbinghaus decay
+- **Observation system** (Pattern 14): Capture→compress→re-inject with privacy tags
+
+### Stats
+- Test suite: 2698 pass + 1 skip, 0 fail
+- TypeScript: 0 errors
+- Skills: 37/37 PASS
+- New modules: 11 files, 2,267 LOC

package/README.md

@@ -9,22 +9,24 @@ npm: pi-crew
 repo: https://github.com/baphuongna/pi-crew
 ```
 
-**v0.5.22**: See [CHANGELOG.md](CHANGELOG.md).
+**v0.6.1**: See [CHANGELOG.md](CHANGELOG.md).
 
-### Security highlights (v0.5.22)
+### Security highlights (v0.6.1)
 
-- **ReDoS-free secret redaction** — linear-time scanning in `redaction.ts`; no catastrophic backtracking
-- **v8.deserialize hardened** — `BINARY_MAGIC` header guards on registry binaries prevent untrusted-file RCE
-- **Cache lock protection** — `withFileLockSync` and atomic writes across `run-cache.ts` and `state-store.ts`
-- **Shell injection prevented** — `execFileSync` with array args everywhere (no shell-interpreted strings)
+- **42+ security issues fixed** — 7 CRITICAL, 10 HIGH, 11 MEDIUM, 14 post-restart findings
+- **Timing-safe token comparison** — constant-time compare for lock tokens and request IDs
+- **Environment leak prevention** — `sanitizeEnvSecrets()` on all child process spawns
+- **Shell injection hardened** — `execFileSync` with array args; blocked `String.fromCharCode` bypass
+- **ReDoS-free secret redaction** — linear-time scanning in `redaction.ts`
+- **Sandbox prototype isolation** — `Object.freeze` scoped to VM context; `constructor` pattern blocked
+- **Symlink traversal prevention** — `fs.realpathSync` before path containment checks
 - **Safe-bash line-continuation hardening** — `$\n(evil)` command substitution bypass blocked
-- **Sandbox prototype isolation** — `Object.freeze` scoped to VM context (not host process)
 - **Path traversal mitigated** — `resolveContainedPath`/`resolveRealContainedPath` across all file ops
-- **TOCTOU-free file ops** — atomic `mkdirSync` in `crew-init.ts`; `realpath`-based path validation
 - **Memory leaks capped** — Maps, Sets, arrays bounded with eviction across all modules
-- **Inline secret detection** — `token=`, `api_key=`, `password=` patterns redacted at event/mailbox boundaries
-- **CI exit code enforced** — `test-runner.mjs` wrapper ensures non-zero exit on failures
-- **38 audit rounds, 160+ issues fixed** — 3 CRITICAL + 6 HIGH + 3 MEDIUM security issues resolved
+- **Event log race conditions fixed** — sync/async queue unification
+- **Subagent record sanitization** — allow-listed field persistence
+- **~1,900 new tests**, 113 test files — total suite ~4,600 tests, 0 failures
+- **42+ audit rounds, 160+ issues fixed** across all severity levels
 
 See [SECURITY-ISSUES.md](SECURITY-ISSUES.md) for the full list (SEC-001 – SEC-007 all marked fixed).
 

package/docs/patterns/command-agent-skill.md

@@ -0,0 +1,71 @@
+# Command → Agent → Skill: 3-Tier Pattern
+
+> **Origin**: `source/claude-code-best-practice/CLAUDE.md`
+> **Applicable to**: pi-crew v0.5.25+
+
+## The 3 Tiers
+
+```
+User invokes → [Command] → [Agent] → [Skill]
+                entry       worker     reusable
+                point       + tools    capability
+```
+
+### Tier 1: Command (Entry Point)
+- Maps user intent to an agent
+- Defined in workflow `.md` files as a step
+- Example: `team action='run' team='review'`
+
+### Tier 2: Agent (Specialized Worker)
+- Has a system prompt, model, tools, skills, effort level
+- Defined as `.md` file with YAML frontmatter in `agents/` directory
+- Example:
+
+```markdown
+---
+name: security-reviewer
+description: Chief Security Officer who finds OWASP Top 10 threats
+tools: read, bash, edit
+model: claude-sonnet-4-20250514
+effort: high
+skills: safe-bash, security-review
+maxTurns: 30
+contextMode: fresh
+---
+
+You are a Chief Security Officer...
+```
+
+### Tier 3: Skill (Reusable Capability)
+- A `SKILL.md` file with instructions + operating rules
+- Injected into agent context at dispatch time
+- Example: `skills/safe-bash/SKILL.md`
+
+## How to Compose
+
+1. **Define the skill** — Create `skills/my-skill/SKILL.md`
+2. **Define the agent** — Create `agents/my-agent.md` referencing the skill
+3. **Define the workflow** — Create `workflows/my-workflow.workflow.md` referencing the agent as a step
+
+```yaml
+# workflows/my-workflow.workflow.md
+steps:
+  - name: analyze
+    agent: my-agent
+    # The agent loads my-skill automatically
+```
+
+## Agent YAML Frontmatter Reference
+
+| Field | Type | Description |
+|-------|------|-------------|
+| `name` | string | Agent identifier |
+| `description` | string | One-line description for routing |
+| `tools` | csv | Tools the agent can use |
+| `model` | string | Model override |
+| `skills` | csv | Skills to inject |
+| `effort` | `low`/`medium`/`high` | Work effort level |
+| `maxTurns` | number | Maximum conversation turns |
+| `contextMode` | `fresh`/`fork` | Context inheritance |
+| `loadMode` | `essential`/`lean` | Tool loading strategy |
+| `thinking` | string | Thinking level override |

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pi-crew",
-  "version": "0.5.25",
+  "version": "0.6.1",
   "description": "Pi extension for coordinated AI teams, workflows, worktrees, and async task orchestration",
   "author": "baphuongna",
   "license": "MIT",

package/skills/council/SKILL.md

@@ -0,0 +1,163 @@
+---
+name: council
+description: >
+  Spawn 3 adversarial subagents (Skeptic, Pragmatist, Critic) to evaluate a decision,
+  architecture choice, or plan. Anti-anchoring: each role receives ONLY the question,
+  not conversation history. Aggregates votes into consensus recommendation with dissent tracking.
+  Use when facing critical decisions, architecture choices, security tradeoffs, or plan reviews
+  where single-perspective analysis is insufficient.
+origin: ECC/skills/council
+---
+
+# Council Pattern — Adversarial Multi-Perspective Decision Making
+
+## When to Use
+
+- Evaluating architecture decisions with significant tradeoffs
+- Reviewing security-sensitive design choices
+- Validating implementation plans before execution
+- Resolving ambiguity where multiple valid approaches exist
+- Deciding whether to build, buy, or extend
+
+## Prerequisites
+
+- A clearly formulated question or decision to evaluate
+- Sufficient context about the system for meaningful analysis
+
+## Operating Rules
+
+1. You MUST spawn exactly 3 subagents with isolated context (fresh, not forked)
+2. Each subagent receives ONLY the question — NO conversation history (anti-anchoring)
+3. You MUST NOT influence any subagent's analysis direction
+4. You MUST record all 3 votes before forming consensus
+5. You MUST include dissent in the final recommendation
+
+## Workflow
+
+### Step 1: Formulate the Question
+
+Write a clear, neutral question that includes:
+- The decision to be made
+- Relevant constraints (performance, security, timeline)
+- Available options (if known)
+- What "success" looks like
+
+DO NOT bias the question toward any particular answer.
+
+### Step 2: Spawn 3 Council Members
+
+Launch 3 parallel subagents with these EXACT roles:
+
+**Skeptic** (Goal: Find flaws):
+```
+You are the Skeptic on a council evaluating: [QUESTION]
+
+Your role: Find every possible flaw, risk, and failure mode.
+- Challenge assumptions
+- Identify edge cases that break the proposed approach
+- Focus on what could go WRONG
+- Rate your confidence (0.0-1.0) and give a PRO/CON/ABSTAIN position
+- Provide your top 3 risks
+
+Output format:
+Position: PRO | CON | ABSTAIN
+Confidence: 0.0-1.0
+Reasoning: [your analysis]
+Top 3 Risks: [list]
+```
+
+**Pragmatist** (Goal: Evaluate tradeoffs):
+```
+You are the Pragmatist on a council evaluating: [QUESTION]
+
+Your role: Weigh practical tradeoffs objectively.
+- Consider implementation cost, maintenance burden, team impact
+- Evaluate time-to-value and opportunity cost
+- Compare against realistic alternatives
+- Rate your confidence (0.0-1.0) and give a PRO/CON/ABSTAIN position
+
+Output format:
+Position: PRO | CON | ABSTAIN
+Confidence: 0.0-1.0
+Reasoning: [your analysis]
+Alternatives Considered: [list]
+```
+
+**Critic** (Goal: Stress-test reasoning):
+```
+You are the Critic on a council evaluating: [QUESTION]
+
+Your role: Stress-test the logical foundations of each possible answer.
+- Identify logical fallacies in common arguments for/against
+- Check if the question itself contains hidden assumptions
+- Evaluate whether the stated constraints are real or assumed
+- Rate your confidence (0.0-1.0) and give a PRO/CON/ABSTAIN position
+
+Output format:
+Position: PRO | CON | ABSTAIN
+Confidence: 0.0-1.0
+Reasoning: [your analysis]
+Hidden Assumptions: [list]
+```
+
+### Step 3: Aggregate Votes
+
+Collect all 3 responses. Compute consensus:
+
+| Vote Pattern | Consensus Level | Action |
+|---|---|---|
+| 3 PRO | **Strong accept** | Proceed with high confidence |
+| 2 PRO, 1 CON | **Weak accept** | Proceed, but address CON dissent |
+| 2 PRO, 1 ABSTAIN | **Accept with uncertainty** | Proceed, investigate ABSTAIN concerns |
+| 1 PRO, 1 CON, 1 ABSTAIN | **No consensus** | Reformulate question or gather more data |
+| 2 CON, 1 PRO | **Weak reject** | Do not proceed; explore alternatives |
+| 3 CON | **Strong reject** | Reject; fundamentally rethink approach |
+
+### Step 4: Output Recommendation
+
+```markdown
+## Council Decision: [Question Summary]
+
+### Votes
+| Role | Position | Confidence |
+|------|----------|------------|
+| Skeptic | PRO/CON/ABSTAIN | 0.X |
+| Pragmatist | PRO/CON/ABSTAIN | 0.X |
+| Critic | PRO/CON/ABSTAIN | 0.X |
+
+### Consensus: [STRONG ACCEPT | WEAK ACCEPT | NO CONSENSUS | WEAK REJECT | STRONG REJECT]
+
+### Recommendation
+[One-paragraph synthesis]
+
+### Key Insights
+- [Best point from Skeptic]
+- [Best point from Pragmatist]
+- [Best point from Critic]
+
+### Dissent
+[Summary of any dissenting opinions and why they were overruled or remain unresolved]
+
+### Action Items
+- [ ] [Specific next step 1]
+- [ ] [Specific next step 2]
+```
+
+## Anti-Patterns
+
+- DO NOT spawn fewer than 3 roles
+- DO NOT share one subagent's analysis with another (contamination)
+- DO NOT phrase the question to favor a specific outcome
+- DO NOT override the council's consensus without documented justification
+- DO NOT use council for trivial decisions (wastes resources)
+
+## Enforcement — Council Gate
+
+Before finalizing a council result, verify:
+
+- [ ] All 3 roles spawned with isolated (fresh) context
+- [ ] Each role received ONLY the question, no prior conversation
+- [ ] All 3 votes recorded with confidence scores
+- [ ] Consensus level computed from vote pattern
+- [ ] Dissent explicitly documented (not hidden)
+- [ ] Recommendation includes actionable next steps

package/src/agents/agent-config.ts

@@ -36,6 +36,8 @@ export interface AgentConfig {
 	contextMode?: "fresh" | "fork";
 	/** Maximum turns for this agent. Overrides runtime config if set. */
 	maxTurns?: number;
+	/** Effort level for this agent. Controls how much work the agent puts in. */
+	effort?: "low" | "medium" | "high";
 	/** Tools to explicitly forbid for this agent. Takes precedence over allowedTools. */
 	disallowedTools?: string[];
 	disabled?: boolean;
@@ -67,7 +69,8 @@ export function getAgentSessionOptions(role: string): {
  * @param agent - The agent configuration
  * @param role - The role name to use for tool restrictions (defaults to agent.name)
  */
-export function buildAgentSessionOptions(
+/** @internal */
+function buildAgentSessionOptions(
 	agent: AgentConfig,
 	role?: string,
 ): {

package/src/agents/discover-agents.ts

@@ -376,6 +376,7 @@ function parseAgentFile(filePath: string, source: ResourceSource): AgentConfig |
 		defaultTools: frontmatter.defaultTools !== undefined ? parseCsv(frontmatter.defaultTools) ?? null : undefined,
 		contextMode: parseContextMode(frontmatter.contextMode),
 		maxTurns: (() => { const n = Number.parseInt(frontmatter.maxTurns, 10); return Number.isFinite(n) && n > 0 ? n : undefined; })(),
+		effort: frontmatter.effort === "low" || frontmatter.effort === "medium" || frontmatter.effort === "high" ? frontmatter.effort : undefined,
 		disabled: frontmatter.disabled === "true" || frontmatter.enabled === "false",
 		routing: triggers || useWhen || avoidWhen || cost || category ? { triggers, useWhen, avoidWhen, cost, category } : undefined,
 		};

package/src/benchmark/feedback-loop.ts

@@ -4,13 +4,15 @@
 
 import type { RunMetrics } from "../state/run-metrics.ts";
 
-export interface FeedbackLoopStats {
+/** @internal */
+interface FeedbackLoopStats {
 	runsObserved: number;
 	avgSuccessRate: number;
 	recommendations: string[];
 }
 
-export class FeedbackLoop {
+/** @internal */
+class FeedbackLoop {
 	private runs: RunMetrics[] = [];
 	private static readonly MAX_RUNS = 1000;
 

package/src/extension/cross-extension-rpc.ts

@@ -32,6 +32,8 @@ function requestId(raw: unknown): string | undefined {
 
 function reply(events: EventBusLike, channel: string, id: string | undefined, payload: RpcReply): void {
 	if (!id) return;
+	// SECURITY: Validate requestId format to prevent channel injection.
+	if (!/^[a-zA-Z0-9_-]+$/.test(id)) return;
 	events.emit(`${channel}:reply:${id}`, payload);
 }
 
@@ -59,6 +61,36 @@ function isAllowedRpcOperation(operation: string): boolean {
 	return RPC_ALLOWED_OPERATIONS.has(operation);
 }
 
+// SECURITY (HIGH #4 fix): In-memory rate limiter for RPC run requests.
+// Prevents any extension from spawning unlimited child processes.
+const RPC_RATE_LIMIT_MAX = 5; // Max 5 RPC run requests...
+const RPC_RATE_LIMIT_WINDOW_MS = 60_000; // ...per 60 seconds
+const rpcRunTimestamps: number[] = [];
+
+function checkRpcRateLimit(): { allowed: boolean; retryAfterMs?: number } {
+	const now = Date.now();
+	// Evict entries older than the window
+	const cutoff = now - RPC_RATE_LIMIT_WINDOW_MS;
+	while (rpcRunTimestamps.length > 0 && rpcRunTimestamps[0] < cutoff) {
+		rpcRunTimestamps.shift();
+	}
+	if (rpcRunTimestamps.length >= RPC_RATE_LIMIT_MAX) {
+		const oldestInWindow = rpcRunTimestamps[0];
+		const retryAfterMs = oldestInWindow + RPC_RATE_LIMIT_WINDOW_MS - now;
+		return { allowed: false, retryAfterMs: Math.max(retryAfterMs, 1000) };
+	}
+	return { allowed: true };
+}
+
+function recordRpcRun(): void {
+	rpcRunTimestamps.push(Date.now());
+}
+
+/** Reset the RPC rate limiter. Used primarily for testing. */
+export function resetRpcRateLimit(): void {
+	rpcRunTimestamps.length = 0;
+}
+
 function isAllowedRpcRunParams(params: TeamToolParamsValue): { ok: boolean; error?: string } {
 	// SECURITY: Require explicit intent for any RPC-initiated run creation.
 	// This prevents malicious extensions from spawning child Pi processes silently.
@@ -83,6 +115,12 @@ function on(events: EventBusLike, channel: string, handler: (raw: unknown) => vo
 	return typeof unsub === "function" ? unsub : () => {};
 }
 
+// SECURITY TRUST BOUNDARY: RPC channels (pi-crew:rpc:run, pi-crew:rpc:status,
+// pi-crew:rpc:live-control) are accessible to any extension on the shared event
+// bus. Mitigations applied: rate limiting (RPC_RATE_LIMIT_MAX), explicit intent
+// requirement for runs, operation allowlist for live-control reads, and cwd
+// containment validation. A full fix requires event-bus-level origin signing.
+
 export function registerPiCrewRpc(events: EventBusLike | undefined, getCtx: () => ExtensionContext | undefined): PiCrewRpcHandle | undefined {
 	if (!events) return undefined;
 	const unsubs = [
@@ -90,6 +128,16 @@ export function registerPiCrewRpc(events: EventBusLike | undefined, getCtx: () =
 		on(events, "pi-crew:rpc:run", async (raw) => {
 			const id = requestId(raw);
 			try {
+				// SECURITY (HIGH #4 fix): Rate limit RPC run requests
+				const rateLimit = checkRpcRateLimit();
+				if (!rateLimit.allowed) {
+					reply(events, "pi-crew:rpc:run", id, {
+						success: false,
+						error: `RPC run rate limit exceeded. Max ${RPC_RATE_LIMIT_MAX} requests per ${RPC_RATE_LIMIT_WINDOW_MS / 1000}s. Retry after ${Math.ceil((rateLimit.retryAfterMs ?? 60000) / 1000)}s.`,
+					});
+					return;
+				}
+				recordRpcRun();
 				const ctx = getCtx();
 				if (!ctx) throw new Error("No active pi-crew session context.");
 				// Validate payload: only allow known fields from TeamToolParamsValue

package/src/extension/registration/commands.ts

@@ -428,7 +428,8 @@ export function registerTeamCommands(pi: ExtensionAPI, deps: RegisterTeamCommand
 			if (selection.action === "agent-transcript" && await openTranscriptViewer(ctx, selection.runId)) continue;
 			if (selection.action === "agent-live" && await openLiveConversation(ctx, selection.runId)) continue;
 			if (selection.action === "agent-live") { await notifyCommandResult(ctx, commandText({ content: [{ type: "text", text: "No live agent found for this run." }] })); continue; }
-			const result = selection.action === "api" ? await handleTeamTool({ action: "api", runId: selection.runId, config: { operation: "read-manifest" } }, teamCommandContext(ctx)) : selection.action === "agents" ? await handleTeamTool({ action: "api", runId: selection.runId, config: { operation: "agent-dashboard" } }, teamCommandContext(ctx)) : selection.action === "mailbox" ? await handleTeamTool({ action: "api", runId: selection.runId, config: { operation: "read-mailbox" } }, teamCommandContext(ctx)) : selection.action === "agent-events" ? await handleTeamTool({ action: "api", runId: selection.runId, config: { operation: "read-agent-events", limit: 50 } }, teamCommandContext(ctx)) : selection.action === "agent-output" ? await handleTeamTool({ action: "api", runId: selection.runId, config: { operation: "read-agent-output", maxBytes: 32_000 } }, teamCommandContext(ctx)) : selection.action === "agent-transcript" ? await handleTeamTool({ action: "api", runId: selection.runId, config: { operation: "read-agent-transcript" } }, teamCommandContext(ctx)) : await handleTeamTool({ action: selection.action as any, runId: selection.runId }, teamCommandContext(ctx));
+			const result = selection.action === "api" ? await handleTeamTool({ action: "api", runId: selection.runId, config: { operation: "read-manifest" } }, teamCommandContext(ctx)) : selection.action === "agents" ? await handleTeamTool({ action: "api", runId: selection.runId, config: { operation: "agent-dashboard" } }, teamCommandContext(ctx)) : selection.action === "mailbox" ? await handleTeamTool({ action: "api", runId: selection.runId, config: { operation: "read-mailbox" } }, teamCommandContext(ctx)) : selection.action === "agent-events" ? await handleTeamTool({ action: "api", runId: selection.runId, config: { operation: "read-agent-events", limit: 50 } }, teamCommandContext(ctx)) : selection.action === "agent-output" ? await handleTeamTool({ action: "api", runId: selection.runId, config: { operation: "read-agent-output", maxBytes: 32_000 } }, teamCommandContext(ctx)) : selection.action === "agent-transcript" ? await handleTeamTool({ action: "api", runId: selection.runId, config: { operation: "read-agent-transcript" } }, teamCommandContext(ctx)) : // eslint-disable-next-line @typescript-eslint/no-explicit-any
+				await handleTeamTool({ action: selection.action as any, runId: selection.runId }, teamCommandContext(ctx));
 			await notifyCommandResult(ctx, commandText(result));
 			return;
 		}

package/src/extension/registration/subagent-tools.ts

@@ -96,9 +96,11 @@ export function registerSubagentTools(pi: ExtensionAPI, subagentManager: Subagen
 			}
 			return foregroundResult;
 		},
+		// eslint-disable-next-line @typescript-eslint/no-explicit-any
 		renderCall(args: any, theme: any, context: any): any {
 			return renderAgentToolCall(args, theme, context);
 		},
+		// eslint-disable-next-line @typescript-eslint/no-explicit-any
 		renderResult(result: any, options: any, theme: any, context: any): any {
 			return renderAgentToolResult(result, options, theme, context);
 		},

package/src/extension/registration/team-tool.ts

@@ -105,9 +105,11 @@ export function registerTeamTool(pi: ExtensionAPI, deps: RegisterTeamToolDeps):
 				stopProgress.stop();
 			}
 		},
+		// eslint-disable-next-line @typescript-eslint/no-explicit-any
 		renderCall(args: any, theme: any, context: any): any {
 			return renderTeamToolCall(args, theme, context);
 		},
+		// eslint-disable-next-line @typescript-eslint/no-explicit-any
 		renderResult(result: any, options: any, theme: any, context: any): any {
 			return renderTeamToolResult(result, options, theme, context);
 		},

package/src/extension/registration/viewers.ts

@@ -58,6 +58,7 @@ export async function openLiveConversation(ctx: ExtensionCommandContext, initial
 	const handle = liveAgents.find((h) => h.runId === selected.runId && (selected.taskId ? h.taskId === selected.taskId : true));
 	if (!handle) return false;
 	const theme = asCrewTheme({});
+	// eslint-disable-next-line @typescript-eslint/no-explicit-any
 	await ctx.ui.custom<undefined>((tui: any, _theme: any, _keybindings: any, done: (result: undefined) => void) => {
 		const columns = tui?.terminal?.columns ?? 80;
 		const rows = tui?.terminal?.rows ?? 24;

package/src/extension/run-export.ts

@@ -1,17 +1,29 @@
 import * as fs from "node:fs";
 import * as path from "node:path";
 import * as os from "node:os";
+import * as crypto from "node:crypto";
 import type { TeamRunManifest, TeamTaskState } from "../state/types.ts";
 import { writeArtifact } from "../state/artifact-store.ts";
 import { readEvents, type TeamEvent } from "../state/event-log.ts";
 import { redactSecrets } from "../utils/redaction.ts";
 
 /** Replace absolute paths containing home directory with ~/ */
+/** Escape special regex characters in a string */
+function escapeRegex(str: string): string {
+	return str.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+
+/** Only redact home directory at path boundaries to avoid corrupting substrings */
+function redactHomePathInString(str: string, home: string): string {
+	return str.replace(new RegExp(`(^|(?<=[:=/]))${escapeRegex(home)}`, "g"), "$1~");
+}
+
+/** Replace absolute paths containing home directory with ~/ at path boundaries only */
 function redactHomePaths<T>(obj: T): T {
 	const home = os.homedir();
 	if (!home) return redactSecrets(obj) as T;
 	const json = JSON.stringify(obj);
-	const safe = json.split(home).join("~");
+	const safe = redactHomePathInString(json, home);
 	return redactSecrets(JSON.parse(safe)) as T;
 }
 
@@ -37,6 +49,9 @@ export function exportRunBundle(manifest: TeamRunManifest, tasks: TeamTaskState[
 		events: safeEvents as TeamEvent[],
 		artifactPaths: safeManifest.artifacts.map((artifact) => artifact.path),
 	};
+	// Compute SHA-256 integrity hash of the bundle and store in manifest
+	const sha256 = crypto.createHash("sha256").update(JSON.stringify(bundle)).digest("hex");
+	(bundle.manifest as unknown as Record<string, unknown>).sha256 = sha256;
 	const json = writeArtifact(manifest.artifactsRoot, {
 		kind: "metadata",
 		relativePath: "export/run-export.json",

package/src/extension/run-import.ts

@@ -1,5 +1,6 @@
 import * as fs from "node:fs";
 import * as path from "node:path";
+import * as crypto from "node:crypto";
 import { assertRunBundle } from "./run-bundle-schema.ts";
 import { projectCrewRoot, userCrewRoot } from "../utils/paths.ts";
 import { DEFAULT_PATHS } from "../config/defaults.ts";
@@ -42,6 +43,21 @@ export function importRunBundle(cwd: string, bundlePath: string, scope: "project
 	if (!isContained) throw new Error(`Import path must be within project directory or crew root: ${resolvedPath}`);
 	const raw = JSON.parse(fs.readFileSync(resolvedPath, "utf-8")) as unknown;
 	assertRunBundle(raw);
+
+	// Integrity check: verify SHA-256 hash if present in manifest
+	const bundleJson = fs.readFileSync(resolvedPath, "utf-8");
+	const parsedForHash = JSON.parse(bundleJson) as { manifest?: { sha256?: string } };
+	if (parsedForHash.manifest?.sha256) {
+		const expectedHash = parsedForHash.manifest.sha256;
+		// Recompute hash by stringifying the bundle without the sha256 field
+		const { sha256: _sha256, ...manifestWithoutHash } = parsedForHash.manifest as Record<string, unknown> & { sha256?: string };
+		const bundleForHash = { ...parsedForHash, manifest: manifestWithoutHash };
+		const recomputedHash = crypto.createHash("sha256").update(JSON.stringify(bundleForHash)).digest("hex");
+		if (recomputedHash !== expectedHash) {
+			throw new Error(`Integrity check failed: SHA-256 mismatch. Expected ${expectedHash}, got ${recomputedHash}`);
+		}
+	}
+
 	const runId = assertSafePathId("runId", raw.manifest.runId);
 	const importedAt = new Date().toISOString();
 

package/src/extension/team-tool/anchor.ts

@@ -40,9 +40,13 @@ export function handleAnchorSet(
 	const cfg = params.config ?? {};
 
 	// Parse context from config
+	const POLLUTED_KEYS = new Set(["__proto__", "constructor", "prototype"]);
 	const context: Record<string, unknown> = {};
 	if (cfg.context && typeof cfg.context === "object") {
-		Object.assign(context, cfg.context as Record<string, unknown>);
+		const raw = cfg.context as Record<string, unknown>;
+		for (const [k, v] of Object.entries(raw)) {
+			if (!POLLUTED_KEYS.has(k)) context[k] = v;
+		}
 	}
 	if (cfg.key) {
 		// Single key shorthand