pi-crew 0.5.5 → 0.5.7

package/src/tools/safe-bash.ts

@@ -1,50 +1,144 @@
 /**
  * Safe Bash Tool for pi-crew
  * Wraps bash with dangerous command blocking
+ * Uses linear-time scanning to prevent ReDoS attacks
  */
 
 import { Type } from "@sinclair/typebox";
 
-// Dangerous command patterns to block
+// Backward-compatible pattern array (kept for getPatterns API)
+// IMPORTANT: Line 8 (rm pattern with nested quantifiers) has been replaced
+// with linear-time checking in isDangerous() to prevent ReDoS attacks.
 const DANGEROUS_PATTERNS = [
-	// rm -rf / or rm -rf ~ (catastrophic root/home deletion)
-	/\brm\s+(-[a-zA-Z]*[rf][a-zA-Z]*\s*)+(\/|~)(\s*$)/,
-	/\brm\s+(-[a-zA-Z]*[rf][a-zA-Z]*\s*)+(\/|~)($|\s)/,
-	// Privilege escalation
+	// NOTE: rm patterns handled by matchesDangerousRm() for linear-time safety
 	/\bsudo\b/,
 	/\bsu\s+root\b/,
-	// Filesystem destruction
 	/\bmkfs\b/,
 	/\bdd\s+if=/,
-	// Fork bomb
 	/^:\s*\(\s*\)\s*\{.*\|.*&.*\}\s*;.*$/,
-	// Device writing
 	/>\s*\/dev\/[sh]d[a-z]/,
 	/\bchmod\s+(-[a-zA-Z]+\s+)?777\s+\//,
 	/\bchown\s+(-[a-zA-Z]+\s+)?root/,
-	// Pipe to shell (download and execute)
 	/\bcurl\s.*\|\s*(ba)?sh/i,
 	/\bwget\s.*\|\s*(ba)?sh/i,
-	// System shutdown/reboot
 	/\bshutdown\b/,
 	/\breboot\b/,
 	/\binit\s+0\b/,
-	// Kill critical processes
 	/\bkill\s+-9\s+1\b/,
 	/\bkillall\b/,
-	// Encoded commands
 	/\|\s*base64\s+-d/,
 	/\|\s*python.*-c/,
 	/\|\s*perl.*-e/,
 	/\|\s*ruby.*-e/,
-	// Network to shell
-	/\bbash\s+-i\s+>\s*\&/,
+	/\bbash\s+-i\s*>\s*\&/,
 	/\bexec\s+.*bash/,
-	// /etc/passwd manipulation
 	/\becho\s+.*>\s*\/etc\/passwd/,
 	/\bcat\s+.*>\s*\/etc\/passwd/,
 ];
 
+/**
+ * Linear-time check if command contains a dangerous rm pattern like "rm -rf /" or "rm -rf ~"
+ * Replaces O(n²) regex backtracking with O(n) string scanning
+ */
+function matchesDangerousRm(command: string): boolean {
+	let pos = 0;
+	const len = command.length;
+	// Find "rm" at word boundary
+	while (pos < len) {
+		const rmIdx = command.indexOf("rm", pos);
+		if (rmIdx === -1) return false;
+		// Check word boundary before "rm"
+		if (rmIdx > 0 && /\w/.test(command[rmIdx - 1])) {
+			pos = rmIdx + 1;
+			continue;
+		}
+		// Must be followed by whitespace
+		const afterRm = rmIdx + 2;
+		if (afterRm >= len || /\s/.test(command[afterRm])) {
+			// Found "rm " - now check for -rf flags followed by / or ~
+			let p = afterRm + 1;
+			while (p < len) {
+				// Skip whitespace
+				while (p < len && /\s/.test(command[p])) p++;
+				if (p >= len) break;
+				// Check for flag
+				if (command[p] !== "-") break;
+				p++;
+				let hasR = false, hasF = false;
+				while (p < len && /[a-zA-Z]/.test(command[p])) {
+					if (command[p] === "r" || command[p] === "R") hasR = true;
+					if (command[p] === "f" || command[p] === "F") hasF = true;
+					p++;
+				}
+				if (!hasR && !hasF) break; // Flag must have r or f
+				// Skip whitespace after flag
+				while (p < len && /\s/.test(command[p])) p++;
+			}
+			// Now check if followed by / or ~ (end or whitespace)
+			if (p < len && (command[p] === "/" || command[p] === "~")) {
+				const afterSlash = p + 1;
+				if (afterSlash >= len || /\s/.test(command[afterSlash]) || command[afterSlash] === ";") {
+					return true; // Dangerous!
+				}
+			}
+		}
+		pos = rmIdx + 1;
+	}
+	return false;
+}
+
+/**
+ * Linear-time check for fork bomb pattern: :() { ... | ... & ... } ; ...
+ */
+function matchesForkBomb(command: string): boolean {
+	// Must start with :
+	const trimmed = command.trimStart();
+	if (!trimmed.startsWith(":")) return false;
+	// Find () after :
+	const parenIdx = trimmed.indexOf("()");
+	if (parenIdx === -1 || parenIdx > 10) return false; // : must be close to ()
+	// Find { after ()
+	const braceIdx = trimmed.indexOf("{", parenIdx);
+	if (braceIdx === -1 || braceIdx > parenIdx + 5) return false;
+	// Find } closing brace
+	const closeBrace = trimmed.indexOf("}", braceIdx);
+	if (closeBrace === -1) return false;
+	// Check content between braces for | and &
+	const content = trimmed.slice(braceIdx + 1, closeBrace);
+	if (content.includes("|") && content.includes("&")) return true;
+	return false;
+}
+
+/**
+ * Check for encoded command patterns (pipe to shell)
+ */
+function matchesEncodedPipe(command: string): boolean {
+	const lower = command.toLowerCase();
+	const pipeIdx = lower.indexOf("|");
+	if (pipeIdx === -1) return false;
+	const afterPipe = lower.slice(pipeIdx + 1).trimStart();
+	if (afterPipe.startsWith("base64") || afterPipe.startsWith("python") || afterPipe.startsWith("perl") || afterPipe.startsWith("ruby")) {
+		// Check if followed by -d or -c or -e
+		const rest = afterPipe.slice(6).trimStart();
+		if (rest.startsWith("-d") || rest.startsWith("-c") || rest.startsWith("-e")) return true;
+	}
+	return false;
+}
+
+/**
+ * Check if command contains a specific dangerous substring
+ */
+function containsDangerous(command: string, pattern: string): boolean {
+	return command.indexOf(pattern) !== -1;
+}
+
+/**
+ * Check if command starts with dangerous prefix
+ */
+function startsWithDangerous(command: string, pattern: string): boolean {
+	return command.trimStart().startsWith(pattern);
+}
+
 export interface SafeBashOptions {
 	/** Enable/disable safe mode. Default: true */
 	enabled?: boolean;
@@ -75,9 +169,47 @@ export function isDangerous(command: string, options: SafeBashOptions = {}): str
 		}
 	}
 
-	// Check dangerous patterns
-	const allPatterns = [...DANGEROUS_PATTERNS, ...additionalPatterns];
-	for (const pattern of allPatterns) {
+	// Use linear-time scanning functions for critical patterns
+	if (matchesDangerousRm(normalized)) {
+		return "Command blocked by safe_bash: dangerous rm pattern detected";
+	}
+	if (matchesForkBomb(normalized)) {
+		return "Command blocked by safe_bash: fork bomb pattern detected";
+	}
+	if (matchesEncodedPipe(normalized)) {
+		return "Command blocked by safe_bash: encoded pipe to shell detected";
+	}
+
+	// Check remaining patterns using regex (these are safe from ReDoS)
+	for (const pattern of DANGEROUS_PATTERNS) {
+		if (pattern.test(normalized)) {
+			return `Command blocked by safe_bash: matches dangerous pattern \`${pattern}\``;
+		}
+	}
+
+	// Additional shell injection checks using regex for non-critical patterns
+	// Block command substitution $(...)
+	if (/\$\([^)]*\)/.test(command)) {
+		return "Command blocked by safe_bash: command substitution $(...) is not allowed";
+	}
+	// Block backtick substitution
+	const backtickRe = /`[^`]*`/;
+	if (backtickRe.test(command)) {
+		return "Command blocked by safe_bash: backtick substitution is not allowed";
+	}
+	// Block here-docs <<
+	if (/<<\s*['"]?[\w-]+['"]?/.test(command) || /\$<<\s*['"]?[\w-]+['"]?/.test(command)) {
+		return "Command blocked by safe_bash: here-doc is not allowed";
+	}
+	// Block ${...} variable expansion containing shell metacharacters (pipes, redirects, &&/||)
+	const varExpRe = /\$\{([^}]*)\}/;
+	const varMatch = command.match(varExpRe);
+	if (varMatch && /[|&;<>]/.test(varMatch[1])) {
+		return "Command blocked by safe_bash: variable expansion with shell metacharacters is not allowed";
+	}
+
+	// Check additional patterns (user-provided regex)
+	for (const pattern of additionalPatterns) {
 		if (pattern.test(normalized)) {
 			return `Command blocked by safe_bash: matches dangerous pattern \`${pattern}\``;
 		}
@@ -142,8 +274,9 @@ export function createSafeBash(options: SafeBashOptions = {}) {
  * These can be used in allowPatterns for specific use cases
  */
 export const COMMON_SAFE_PATTERNS = {
-	// Safe rm with specific paths
-	safeRm: /\brm\s+(-[a-zA-Z]*f[a-zA-Z]*\s+)?((?![\/~])\/)?(tmp|cache|node_modules|dist|build)\//,
+	// FIX: Stricter regex — target must be exactly tmp/, cache/, node_modules/, dist/, or build/
+	// (with optional ./ prefix). Rejects path traversal (./../../../other) and absolute paths.
+	safeRm: /rm\s+(-[a-zA-Z]*f[a-zA-Z]*\s+)?(?:\.\/)?(?:tmp|cache|node_modules|dist|build)\/[a-zA-Z0-9._/-]+$/,
 	// Safe git operations
 	safeGit: /\bgit\s+(clone|pull|push|commit|add|status|diff|log|branch|checkout|merge|rebase)/,
 	// Safe npm/yarn/pnpm

package/src/ui/overlays/mailbox-detail-overlay.ts

@@ -20,6 +20,8 @@ export class MailboxDetailOverlay {
 	private side: "inbox" | "outbox" = "inbox";
 	private selected = 0;
 	private expanded = false;
+	private lastRefreshedTaskCount = 0;
+	private needsRefresh = true;
 
 	constructor(opts: { runId: string; cwd: string; done: (action: MailboxAction | undefined) => void; theme?: unknown }) {
 		this.runId = opts.runId;
@@ -32,6 +34,12 @@ export class MailboxDetailOverlay {
 	private refresh(): void {
 		const loaded = loadRunManifestById(this.cwd, this.runId);
 		if (!loaded) return;
+		// Track task count changes to trigger re-render
+		const taskCount = loaded.tasks.length;
+		if (taskCount !== this.lastRefreshedTaskCount) {
+			this.lastRefreshedTaskCount = taskCount;
+			this.needsRefresh = true;
+		}
 		const delivery = readDeliveryState(loaded.manifest).messages;
 		const applyDelivery = (message: MailboxMessage): MailboxMessage => ({ ...message, status: delivery[message.id] ?? message.status });
 		const taskIds = loaded.tasks.map((task) => task.id);
@@ -49,11 +57,14 @@ export class MailboxDetailOverlay {
 	}
 
 	invalidate(): void {
-		this.refresh();
+		this.needsRefresh = true;
 	}
 
 	render(width: number): string[] {
-		this.refresh();
+		if (this.needsRefresh) {
+			this.refresh();
+			this.needsRefresh = false;
+		}
 		const inner = Math.max(40, width - 4);
 		const col = Math.max(18, Math.floor((inner - 3) / 2));
 		const lines = [

package/src/ui/powerbar-publisher.ts

@@ -294,6 +294,7 @@ export function requestPowerbarUpdate(
 
 /** Dispose the powerbar coalescer. Call during extension cleanup. */
 export function disposePowerbarCoalescer(): void {
+	powerbarCoalescer.flush();
 	powerbarCoalescer.dispose();
 }
 

package/src/ui/transcript-cache.ts

@@ -19,6 +19,7 @@ export interface TranscriptReadOptions {
 
 const TRANSCRIPT_CACHE_TTL_MS = 500;
 const DEFAULT_TAIL_BYTES = 256 * 1024;
+const MAX_CACHE_SIZE = 100;
 const transcriptCache = new Map<string, TranscriptCacheEntry>();
 
 function cacheKey(path: string, options: Required<Pick<TranscriptReadOptions, "full">> & { maxTailBytes: number }): string {
@@ -85,6 +86,18 @@ export function readTranscriptLinesCached(path: string, parse: (text: string) =>
 			truncated: read.truncated,
 		};
 		transcriptCache.set(key, entry);
+		// Evict oldest entry if cache exceeds max size
+		if (transcriptCache.size > MAX_CACHE_SIZE) {
+			let oldestKey: string | null = null;
+			let oldestParsedAt = Infinity;
+			for (const [k, v] of transcriptCache.entries()) {
+				if (v.parsedAt < oldestParsedAt) {
+					oldestParsedAt = v.parsedAt;
+					oldestKey = k;
+				}
+			}
+			if (oldestKey) transcriptCache.delete(oldestKey);
+		}
 		return lines;
 	} catch {
 		return previous?.lines ?? [];

package/src/utils/bm25-search.ts

@@ -46,17 +46,17 @@ export class BM25Search<T extends SearchDocument> {
   }
 
   /**
-   * Compute document frequency for a query term using substring matching,
-   * consistent with the regex-based tf computation in search().
+   * Compute document frequency for a query term using indexOf for better performance.
+   * Uses linear-time substring matching instead of regex to avoid ReDoS.
    */
   private df(term: string): number {
-    const escaped = term.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
-    const re = new RegExp(escaped, "g");
+    const termLower = term.toLowerCase();
     let count = 0;
     for (const doc of this.documents) {
       for (const field of Object.keys(this.fieldWeights)) {
         const text = (doc.fields[field] ?? "").toLowerCase();
-        if (re.test(text)) {
+        // Use indexOf for linear-time substring search
+        if (text.includes(termLower)) {
           count++;
           break;
         }
@@ -81,11 +81,19 @@ export class BM25Search<T extends SearchDocument> {
         let fieldScore = 0;
 
         for (const term of queryTerms) {
-          const escaped = term.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
-          const tf = (textLower.match(new RegExp(escaped, "g")) ?? []).length;
+          // Use indexOf for linear-time substring counting instead of regex
+          const termLower = term.toLowerCase();
+          let tf = 0;
+          let pos = 0;
+          while ((pos = textLower.indexOf(termLower, pos)) !== -1) {
+            tf++;
+            pos += termLower.length;
+            // Cap tf to prevent runaway on repeated patterns
+            if (tf > 100) break;
+          }
           if (tf === 0) continue;
 
-          const df = this.df(term);
+          const df = this.df(termLower);
           if (df === 0) continue;
 
           const idf = Math.log((this.N - df + 0.5) / (df + 0.5) + 1);

package/src/utils/env-filter.ts

@@ -1,4 +1,4 @@
-import { SECRET_KEY_PATTERN } from "./redaction.ts";
+import { isSecretKey } from "./redaction.ts";
 
 export interface SanitizeEnvOptions {
 	/** Allow-list of env var names to preserve. Supports trailing glob, e.g. `"PI_*"`. */
@@ -8,14 +8,17 @@ export interface SanitizeEnvOptions {
 /**
  * Strip env vars whose keys look like secrets before passing to child processes.
  *
- * Default mode (no allowList): deny-list using SECRET_KEY_PATTERN.
+ * Default mode (no allowList): deny-list using isSecretKey.
  * When allowList is provided, only keys matching the allow-list are preserved.
  */
 export function sanitizeEnvSecrets(env: NodeJS.ProcessEnv, options?: SanitizeEnvOptions): Record<string, string> {
 	const filtered: Record<string, string> = {};
 	if (options?.allowList && options.allowList.length > 0) {
 		const matchers = options.allowList.map((p) => {
-			if (p.endsWith("*")) return (k: string) => k.startsWith(p.slice(0, -1));
+			if (p.endsWith("*")) {
+				const prefix = p.slice(0, -1);
+				return (k: string) => k.startsWith(prefix) && k.length > prefix.length;
+			}
 			return (k: string) => k === p;
 		});
 		for (const [key, value] of Object.entries(env)) {
@@ -24,7 +27,7 @@ export function sanitizeEnvSecrets(env: NodeJS.ProcessEnv, options?: SanitizeEnv
 		return filtered;
 	}
 	for (const [key, value] of Object.entries(env)) {
-		if (value !== undefined && !SECRET_KEY_PATTERN.test(key)) filtered[key] = value;
+		if (value !== undefined && !isSecretKey(key)) filtered[key] = value;
 	}
 	return filtered;
-}
+}

package/src/utils/redaction.ts

@@ -1,26 +1,180 @@
-export const SECRET_KEY_PATTERN = /(?:^|[_.-])(token|api[-_]?key|password|passwd|secret|credential|authorization|private[-_]?key)(?:$|[_.-])/i;
-const INLINE_SECRET_PATTERN = /(^|[\s,{])(([A-Za-z0-9_.-]*(?:api[-_]?key|token|password|passwd|secret|credential|authorization|private[-_]?key)[A-Za-z0-9_.-]*)\s*[=:]\s*)([^\s,;"'}]+)/gi;
-const AUTH_HEADER_PATTERN = /\b(Authorization\s*:\s*(?:Bearer|Basic|Token)?\s*)([^\r\n]+)/gi;
-const BEARER_PATTERN = /\b(Bearer\s+)([A-Za-z0-9._~+/=-]{8,})\b/g;
-const PEM_PRIVATE_KEY_PATTERN = /-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]{0,65536}?-----END [A-Z ]*PRIVATE KEY-----/g;
+/**
+ * ReDoS-resistant pattern matching for secret detection.
+ * Uses linear-time scan instead of complex regex to prevent catastrophic backtracking.
+ */
+
+// Pattern for PEM private keys (possessive quantifier prevents backtracking)
+export const PEM_PRIVATE_KEY_PATTERN = /-----BEGIN [A-Z ]+PRIVATE KEY-----[\s\S]+?-----END [A-Z ]+PRIVATE KEY-----/g;
+
+// Linear-time secret key detection
+export function isSecretKey(keyName: string): boolean {
+	// Fast path: common secret key names
+	const lower = keyName.toLowerCase();
+	if (/^(token|apikey|api_key|password|secret|credential|authorization|privatekey|private_key)$/.test(lower)) {
+		return true;
+	}
+	// Linear scan for prefix characters followed by keywords
+	const prefixes = "_.-";
+	const keywords = ["token", "api", "key", "password", "passwd", "secret", "credential", "authorization", "private"];
+	
+	for (let i = 0; i < keyName.length; i++) {
+		if (prefixes.includes(keyName[i])) {
+			const remaining = keyName.substring(i + 1).toLowerCase();
+			for (const kw of keywords) {
+				if (remaining.startsWith(kw)) {
+					const afterKw = remaining.substring(kw.length);
+					if (afterKw === "" || prefixes.includes(afterKw[0]) || /[a-zA-Z0-9]/.test(afterKw[0])) {
+						return true;
+					}
+				}
+			}
+		}
+	}
+	return false;
+}
+
+// Linear-time Authorization header redaction
+export function redactAuthHeader(line: string): string {
+	const lower = line.toLowerCase();
+	const authIdx = lower.indexOf("authorization:");
+	if (authIdx === -1) return line;
+	
+	// Verify word boundary - must be at start of line or preceded by whitespace/comma/brace
+	if (authIdx > 0) {
+		const before = line[authIdx - 1];
+		if (before !== ' ' && before !== ',' && before !== '{' && before !== '[' && before !== '"' && before !== '\r' && before !== '\n') {
+			return line; // Not a word boundary
+		}
+	}
+	
+	// Check if this is followed by Bearer token (don't redact Bearer tokens separately)
+	// Look for "Bearer" after "authorization:"
+	const afterAuth = lower.substring(authIdx + 14).trimStart();
+	if (!afterAuth.startsWith('bearer ')) {
+		// No Bearer token, this is a regular Authorization header - redact it
+		let end = authIdx + 14;
+		while (end < line.length && line[end] !== "\r" && line[end] !== "\n") {
+			end++;
+		}
+		return line.substring(0, end) + " ***" + (end < line.length ? line.substring(end) : "");
+	}
+	
+	// It's a Bearer token format - don't redact here, let redactBearerTokens handle it
+	return line;
+}
+
+// Linear-time Bearer token redaction
+export function redactBearerTokens(line: string): string {
+	const upper = line.toUpperCase();
+	const result: string[] = [];
+	let i = 0;
+	
+	while (i < line.length) {
+		if (upper.startsWith("BEARER ", i)) {
+			// Check word boundary: preceded by start, space, comma, brace, or newline
+			if (i > 0) {
+				const before = line[i - 1];
+				if (before !== ' ' && before !== ',' && before !== '{' && before !== '[' && before !== '"' && before !== '\r' && before !== '\n') {
+					result.push(line[i]);
+					i++;
+					continue;
+				}
+			}
+			
+			// Found "Bearer " - now find the token
+			const bearerPrefix = line.substring(i, i + 7); // "Bearer "
+			let j = i + 7;
+			let tokenLen = 0;
+			while (j < line.length && tokenLen < 200 && /[A-Za-z0-9._~+/-]/.test(line[j])) {
+				j++;
+				tokenLen++;
+			}
+			
+			if (tokenLen >= 8) {
+				// Replace with Bearer + *** (redact the token)
+				result.push(bearerPrefix + "***");
+				i = j;
+				continue;
+			}
+		}
+		result.push(line[i]);
+		i++;
+	}
+	
+	return result.join("");
+}
 
 function isRecord(value: unknown): value is Record<string, unknown> {
 	if (!value || typeof value !== "object" || Array.isArray(value)) return false;
-	// Exclude built-in types whose Object.entries() would produce empty arrays.
 	if (value instanceof Date || value instanceof RegExp || value instanceof Error || value instanceof Map || value instanceof Set) return false;
 	return true;
 }
 
-function isSecretKey(keyName: string): boolean {
-	return SECRET_KEY_PATTERN.test(keyName) || /^(token|apiKey|api_key|password|secret|credential|authorization|privateKey|private_key)$/i.test(keyName);
+export function redactSecretString(value: string): string {
+	let result = value;
+	
+	// Replace PEM private keys
+	result = result.replace(PEM_PRIVATE_KEY_PATTERN, "***");
+	
+	// Replace Authorization headers (non-Bearer format)
+	result = redactAuthHeader(result);
+	
+	// Replace Bearer tokens
+	result = redactBearerTokens(result);
+	
+	// Replace inline secrets: key=value or key:value patterns
+	result = redactInlineSecrets(result);
+	
+	return result;
 }
 
-export function redactSecretString(value: string): string {
-	return value
-		.replace(PEM_PRIVATE_KEY_PATTERN, "***")
-		.replace(AUTH_HEADER_PATTERN, "$1***")
-		.replace(BEARER_PATTERN, "$1***")
-		.replace(INLINE_SECRET_PATTERN, "$1$2***");
+// Linear-time inline secret redaction: token=xxx, api_key=xxx, etc.
+function redactInlineSecrets(value: string): string {
+	const result: string[] = [];
+	let i = 0;
+	
+	while (i < value.length) {
+		// Look for pattern: word_chars + = or : + non-whitespace_value
+		// Check for secret key followed by = or :
+		let j = i;
+		let keyLen = 0;
+		
+		// Collect key characters (alphanumeric, underscore, hyphen)
+		while (j < value.length && /[a-zA-Z0-9_-]/.test(value[j])) {
+			j++;
+			keyLen++;
+		}
+		
+		if (keyLen > 0 && j < value.length && (value[j] === '=' || value[j] === ':')) {
+			const key = value.substring(i, i + keyLen);
+			
+			// Check if this is a secret key
+			if (isSecretKey(key)) {
+				// Find the value (everything after = or : until space, comma, or end)
+				const sep = value[j];
+				let k = j + 1;
+				let valLen = 0;
+				while (k < value.length && valLen < 500 && value[k] !== ' ' && value[k] !== ',' && value[k] !== ';' && value[k] !== '"' && value[k] !== '"' && value[k] !== '\r' && value[k] !== '\n') {
+					k++;
+					valLen++;
+				}
+				
+				// Only redact if there's actual content
+				if (valLen > 0) {
+					result.push(key);
+					result.push(sep);
+					result.push("***");
+					i = k;
+					continue;
+				}
+			}
+		}
+		
+		result.push(value[i]);
+		i++;
+	}
+	
+	return result.join("");
 }
 
 export function redactSecrets(value: unknown, keyName = ""): unknown {
@@ -41,4 +195,4 @@ export function redactJsonLine(line: string): string {
 	} catch {
 		return redactSecretString(line);
 	}
-}
+}

package/src/utils/sse-parser.ts

@@ -8,6 +8,9 @@ export interface ServerSentEvent {
 /** L1: Maximum number of raw lines before discarding an oversized event. */
 const MAX_EVENT_LINES = 1000;
 
+/** L2: Maximum data size per line to prevent unbounded memory usage. */
+const MAX_DATA_SIZE = 100000; // 100KB per line
+
 /** Read newline-delimited lines from a text ReadableStream, buffering partial chunks. */
 async function* readLines(
 	stream: ReadableStream<string>,
@@ -97,13 +100,19 @@ export async function* readSseEvents(
 
 		currentRaw.push(line);
 
-		// L1: Guard against unbounded memory growth
+		// L1: Guard against unbounded memory growth (line count)
 		if (currentRaw.length > MAX_EVENT_LINES) {
 			const evt = flush();
 			if (evt) yield evt;
 			continue;
 		}
 
+		// L2: Guard against unbounded memory growth (data size per line)
+		if (value.length > MAX_DATA_SIZE) {
+			// Truncate oversized data to prevent memory issues
+			value = value.slice(0, MAX_DATA_SIZE);
+		}
+
 		if (field === "event") {
 			currentEvent = value;
 		} else if (field === "data") {

package/src/worktree/cleanup.ts

@@ -59,7 +59,12 @@ export function cleanupRunWorktrees(manifest: TeamRunManifest, options: { force?
 			// Commit changes to a branch instead of just preserving the worktree
 			try {
 				execFileSync("git", ["add", "-A"], { cwd: worktreePath, encoding: "utf-8", stdio: ["ignore", "pipe", "pipe"], env: { ...process.env, LANG: "C", LC_ALL: "C" }, windowsHide: true });
-				const safeDesc = entry.name.slice(0, 200);
+				let safeDesc = entry.name.slice(0, 200);
+				// SECURITY: Strip any newlines that could be injected via a malicious worktree name
+				// to prevent newline injection in git commit messages
+				if (safeDesc.includes("\n")) {
+					safeDesc = safeDesc.replace(/[\r\n]+/g, " ");
+				}
 				execFileSync("git", ["commit", "-m", `pi-crew: ${safeDesc}`], { cwd: worktreePath, encoding: "utf-8", stdio: ["ignore", "pipe", "pipe"], env: { ...process.env, LANG: "C", LC_ALL: "C" }, windowsHide: true });
 				// Create branch in the main repo pointing to this worktree's HEAD
 				try {