pi-crew 0.5.6 → 0.5.7

package/CHANGELOG.md

@@ -1,5 +1,42 @@
 # Changelog
 
+## [0.5.7] — 11 Issue Fixes Across 5 Phases (2026-06-01)
+
+### Phase 1: Schema/Type Fixes
+
+- **`invalidate` schema divergence** (Critical) — `src/schema/team-tool-schema.ts`: added `"invalidate"` to TypeBox union. Previously TS interface had it but TypeBox schema did not, causing silent `-32602` failure.
+- **OTLP header key validation** (Low) — `src/config/config.ts`: hardened `parseOtlpConfig` with case-insensitive check for 12 dangerous keys (`__proto__`, `hasOwnProperty`, `toString`, etc.) and format validation `/^[a-zA-Z][a-zA-Z0-9_-]{0,127}$/`.
+
+### Phase 2: Security Hardening
+
+- **OTLP endpoint unsanitized** (Critical) — `src/config/config.ts`: project config can no longer override `otlp.endpoint` (would have allowed credential exfiltration via attacker URL).
+- **Wildcard env leakage** (High) — `src/runtime/child-pi.ts`: replaced broad wildcards (`LC_*`, `XDG_*`, `NVM_*`, `NODE_*`, `npm_*`) with specific names. Previously `NPM_TOKEN`, `NODE_ENV=production`, `NVM_RC_VERSION` all leaked.
+
+### Phase 3: Correctness Fixes
+
+- **AbortSignal not propagated** (High) — `src/runtime/task-runner.ts`: check signal before `persistSingleTaskUpdate`. Cancelled tasks now return early with cancelled status instead of writing stale state.
+- **MAILBOX_ARCHIVE_THRESHOLD 10MB/task** (High) — `src/state/mailbox.ts` + `src/config/defaults.ts`: added `DEFAULT_MAILBOX.maxArchivesPerDirection=10` cap and `pruneOldMailboxArchives()` to prevent unbounded growth (1GB+ for 100 tasks).
+- **`safeRm` regex bypass** (Medium) — `src/tools/safe-bash.ts`: stricter regex requires path to be exactly `tmp/`, `cache/`, `node_modules/`, `dist/`, or `build/` with optional `./` prefix. Rejects path traversal like `./../../../etc`.
+- **`writeEntries` silent drop** (Medium) — `src/state/active-run-registry.ts`: emit `logInternalError` warning when entries overflow cap.
+
+### Phase 4: Performance Optimization
+
+- **`nextAgentEventSeq` O(n) cold cache** (Medium) — `src/runtime/crew-agent-records.ts`: added `.seq` sidecar file for O(1) lookup. Fall back to O(n) scan only when sidecar is missing.
+- **`nextSequence` O(n) cold cache** (Medium) — `src/state/event-log.ts`: trust sidecar seq file when present. Fall back to `scanSequence` only when sidecar missing or file shrunk.
+
+### Phase 5: Deferred (Low severity)
+
+- **Issue #12: `acquireLockWithRetry` race** — defer (race window small, retry loop handles).
+- **Issue #13: `loadRunManifestById` TOCTOU** — defer (cache TTL 30s, race window small).
+- **Issue #14: `cleanupOldArtifacts` N stat calls** — defer (typical artifact dirs small).
+- **Issue #15: `validateMailbox` full load** — defer (10MB cap, bounded).
+- **Issue #16: `updateMailboxMessageReply` full rewrite** — defer (10MB cap, bounded).
+
+### Tests
+
+- 2282 tests pass / 0 failures (`npm test`).
+- New tests: `invalidate`/`anchor`/`auto-summarize`/`auto_boomerang` schema, OTLP header key validation, OTLP endpoint sanitization, wildcard env leakage, sidecar seq lookup.
+
 ## [0.5.6] — Documentation Sync + Type-Only Import Fix (2026-06-01)
 
 ### Documentation

package/README.md

@@ -9,7 +9,7 @@ npm: pi-crew
 repo: https://github.com/baphuongna/pi-crew
 ```
 
-**v0.5.6**: See [CHANGELOG.md](CHANGELOG.md).
+**v0.5.7**: See [CHANGELOG.md](CHANGELOG.md).
 
 ### Security highlights (v0.5.5)
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pi-crew",
-  "version": "0.5.6",
+  "version": "0.5.7",
   "description": "Pi extension for coordinated AI teams, workflows, worktrees, and async task orchestration",
   "author": "baphuongna",
   "license": "MIT",

package/src/config/config.ts

@@ -244,6 +244,15 @@ function sanitizeProjectConfig(
 			sanitized.otlp = undefined;
 		warnings.push(projectOverrideWarning(projectPath, "otlp.headers"));
 	}
+	// FIX: Block project config from setting otlp.endpoint — it controls where
+	// OTLP headers (potentially containing credentials) are sent.
+	if (config.otlp?.endpoint !== undefined) {
+		if (!sanitized.otlp) sanitized.otlp = { ...config.otlp, endpoint: undefined };
+		else sanitized.otlp = { ...sanitized.otlp, endpoint: undefined };
+		if (!Object.values(sanitized.otlp).some((entry) => entry !== undefined))
+			sanitized.otlp = undefined;
+		warnings.push(projectOverrideWarning(projectPath, "otlp.endpoint"));
+	}
 	if (
 		config.agents?.disableBuiltins !== undefined ||
 		config.agents?.overrides !== undefined
@@ -1051,13 +1060,28 @@ function parseOtlpConfig(value: unknown): CrewOtlpConfig | undefined {
 	if (rawHeaders)
 		for (const [key, entry] of Object.entries(rawHeaders)) {
 			if (typeof entry !== "string") continue;
-			// Prevent prototype pollution via __proto__ / constructor / prototype keys.
+			// Prevent prototype pollution via dangerous Object.prototype keys.
+			// Case-insensitive check to catch __Proto__, CONSTRUCTOR, etc.
+			const lowerKey = key.toLowerCase();
 			if (
-				key === "__proto__" ||
-				key === "constructor" ||
-				key === "prototype"
+				lowerKey === "__proto__" ||
+				lowerKey === "constructor" ||
+				lowerKey === "prototype" ||
+				lowerKey === "hasownproperty" ||
+				lowerKey === "tostring" ||
+				lowerKey === "valueof" ||
+				lowerKey === "isprototypeof" ||
+				lowerKey === "propertyisenumerable" ||
+				lowerKey === "tolocalestring" ||
+				lowerKey === "__definegetter__" ||
+				lowerKey === "__definesetter__" ||
+				lowerKey === "__lookupgetter__" ||
+				lowerKey === "__lookupsetter__"
 			)
 				continue;
+			// Validate key format: must start with letter, then alphanumeric/hyphen/underscore.
+			// Blocks CRLF, NUL, spaces, shell metacharacters in header keys.
+			if (!/^[a-zA-Z][a-zA-Z0-9_-]{0,127}$/.test(key)) continue;
 			headers[key] = entry;
 		}
 	const otlp: CrewOtlpConfig = {

package/src/config/defaults.ts

@@ -91,6 +91,11 @@ export const DEFAULT_CACHE = {
 	manifestMaxEntries: 64,
 };
 
+export const DEFAULT_MAILBOX = {
+	perFileThresholdBytes: 10 * 1024 * 1024, // 10MB per mailbox file
+	maxArchivesPerDirection: 10, // Keep at most 10 archives per direction per run
+};
+
 export const DEFAULT_SUBAGENT = {
 	stuckBlockedNotifyMs: 5 * 60_000,
 };

package/src/runtime/child-pi.ts

@@ -206,11 +206,29 @@ export function buildChildPiSpawnOptions(cwd: string, env: NodeJS.ProcessEnv): S
 			"SHELL",
 			"TERM",
 			"LANG",
-			"LC_*",
-			"XDG_*",
-			"NVM_*",
-			"NODE_*",
-			"npm_*",
+			// FIX: Replaced broad wildcards (LC_*, XDG_*, NVM_*, NODE_*, npm_*) with
+			// specific names. Previously NPM_TOKEN, NODE_ENV=production, NVM_RC_VERSION
+			// all leaked through wildcards.
+			"LC_ALL",
+			"LC_COLLATE",
+			"LC_CTYPE",
+			"LC_MESSAGES",
+			"LC_MONETARY",
+			"LC_NUMERIC",
+			"LC_TIME",
+			"XDG_CONFIG_HOME",
+			"XDG_DATA_HOME",
+			"XDG_CACHE_HOME",
+			"XDG_RUNTIME_DIR",
+			"NVM_BIN",
+			"NVM_DIR",
+			"NVM_INC",
+			"NODE_PATH",
+			"NODE_DISABLE_COLORS",
+			"NODE_EXTRA_CA_CERTS",
+			"NPM_CONFIG_REGISTRY",
+			"NPM_CONFIG_USERCONFIG",
+			"NPM_CONFIG_GLOBALCONFIG",
 			"PI_*",
 			"PI_CREW_*",
 			"PI_TEAMS_*",

package/src/runtime/crew-agent-records.ts

@@ -263,12 +263,41 @@ export function readCrewAgentStatus(manifest: TeamRunManifest, taskOrAgentId: st
 }
 
 const agentEventSeqCache = new Map<string, { size: number; mtimeMs: number; seq: number }>();
+const AGENT_EVENT_SEQ_SIDECAR = ".seq";
+
+function readSeqFromSidecar(filePath: string): number | undefined {
+	try {
+		const raw = fs.readFileSync(`${filePath}.${AGENT_EVENT_SEQ_SIDECAR}`, "utf-8");
+		const n = Number.parseInt(raw, 10);
+		return Number.isFinite(n) && n > 0 ? n : undefined;
+	} catch {
+		return undefined;
+	}
+}
+
+function writeSeqToSidecar(filePath: string, seq: number): void {
+	try {
+		fs.writeFileSync(`${filePath}.${AGENT_EVENT_SEQ_SIDECAR}`, String(seq));
+	} catch (error) {
+		logInternalError("crew-agent-records.seq-sidecar", error, `filePath=${filePath}`);
+	}
+}
 
 function nextAgentEventSeq(filePath: string): number {
-	if (!fs.existsSync(filePath)) return 1;
+	if (!fs.existsSync(filePath)) {
+		// Clean up stale sidecar when main file is gone.
+		try { fs.unlinkSync(`${filePath}.${AGENT_EVENT_SEQ_SIDECAR}`); } catch {}
+		return 1;
+	}
 	const stat = fs.statSync(filePath);
 	const cached = agentEventSeqCache.get(filePath);
 	if (cached && cached.size === stat.size && cached.mtimeMs === stat.mtimeMs) return cached.seq + 1;
+	// FIX: Try sidecar file for O(1) lookup before falling back to O(n) scan.
+	const sidecarSeq = readSeqFromSidecar(filePath);
+	if (sidecarSeq !== undefined) {
+		agentEventSeqCache.set(filePath, { size: stat.size, mtimeMs: stat.mtimeMs, seq: sidecarSeq });
+		return sidecarSeq + 1;
+	}
 	let max = 0;
 	for (const line of fs.readFileSync(filePath, "utf-8").split(/\r?\n/)) {
 		if (!line.trim()) continue;
@@ -281,6 +310,7 @@ function nextAgentEventSeq(filePath: string): number {
 		}
 	}
 	agentEventSeqCache.set(filePath, { size: stat.size, mtimeMs: stat.mtimeMs, seq: max });
+	writeSeqToSidecar(filePath, max);
 	return max + 1;
 }
 
@@ -292,6 +322,7 @@ export function appendCrewAgentEvent(manifest: TeamRunManifest, taskId: string,
 	try {
 		const stat = fs.statSync(filePath);
 		agentEventSeqCache.set(filePath, { size: stat.size, mtimeMs: stat.mtimeMs, seq });
+		writeSeqToSidecar(filePath, seq);
 	} catch (error) {
 		logInternalError("crew-agent-records.stat", error, `filePath=${filePath}`);
 	}

package/src/runtime/task-runner.ts

@@ -205,6 +205,20 @@ export async function runTeamTask(
 			input.taskRuntimeOverride ??
 			input.runtimeKind ??
 			(input.executeWorkers ? "child-process" : "scaffold");
+		// FIX: Check signal before persisting state — if cancelled, skip the write.
+		if (input.signal?.aborted) {
+			const cancelReason = cancellationReasonFromSignal(input.signal);
+			const cancelledTask: TeamTaskState = {
+				...task,
+				status: "cancelled",
+				error: `${cancelReason.code}: ${cancelReason.message}`,
+				finishedAt: new Date().toISOString(),
+			};
+			return {
+				manifest: input.manifest,
+				tasks: updateTask(tasks, cancelledTask),
+			};
+		}
 		tasks = persistSingleTaskUpdate(manifest, tasks, task);
 		if (runtimeKind === "child-process")
 			({ task, tasks } = checkpointTask(

package/src/schema/team-tool-schema.ts

@@ -58,6 +58,7 @@ export const TeamToolParams = Type.Object({
 				Type.Literal("api"),
 				Type.Literal("settings"),
 				Type.Literal("steer"),
+				Type.Literal("invalidate"),
 				Type.Literal("health"),
 				Type.Literal("graph"),
 				Type.Literal("onboard"),

package/src/state/active-run-registry.ts

@@ -135,7 +135,16 @@ export function readActiveRunRegistry(maxEntries = DEFAULT_CACHE.manifestMaxEntr
 }
 
 function writeEntries(entries: ActiveRunRegistryEntry[]): void {
-	const trimmed = entries.slice(0, DEFAULT_CACHE.manifestMaxEntries);
+	const max = DEFAULT_CACHE.manifestMaxEntries;
+	// FIX: Emit warning when entries overflow the cap, instead of silent drop.
+	if (entries.length > max) {
+		logInternalError(
+			"active-run-registry.overflow",
+			new Error(`${entries.length - max} entries dropped (cap=${max})`),
+			JSON.stringify({ dropped: entries.length - max, total: entries.length, cap: max }),
+		);
+	}
+	const trimmed = entries.slice(0, max);
 	fs.mkdirSync(path.dirname(registryPath()), { recursive: true });
 	// 2.4 — dual-ship: write both formats. Readers prefer binary; legacy
 	// readers (other tools / older releases) keep using the JSON file.

package/src/state/event-log.ts

@@ -167,11 +167,16 @@ function nextSequence(eventsPath: string): number {
 	if (cached && cached.size === stat.size && cached.mtimeMs === stat.mtimeMs) {
 		return cached.seq + 1;
 	}
-	let current = readStoredSequence(eventsPath);
-	if (current === undefined || (cached && stat.size < cached.size)) {
-		current = scanSequence(eventsPath);
+	// FIX: Trust the sidecar seq file if it exists and the file is non-empty.
+	// Only fall back to O(n) scan if sidecar is missing or file shrunk unexpectedly.
+	const stored = readStoredSequence(eventsPath);
+	if (stored !== undefined && (!cached || stat.size >= cached.size)) {
+		sequenceCache.set(eventsPath, { size: stat.size, mtimeMs: stat.mtimeMs, seq: stored });
+		return stored + 1;
 	}
+	const current = scanSequence(eventsPath);
 	sequenceCache.set(eventsPath, { size: stat.size, mtimeMs: stat.mtimeMs, seq: current });
+	persistSequence(eventsPath, current);
 	return current + 1;
 }
 

package/src/state/mailbox.ts

@@ -6,6 +6,7 @@ import { redactSecrets } from "../utils/redaction.ts";
 import { logInternalError } from "../utils/internal-error.ts";
 import { atomicWriteFile } from "./atomic-write.ts";
 import { withEventLogLockSync } from "./event-log.ts";
+import { DEFAULT_MAILBOX } from "../config/defaults.ts";
 
 export type MailboxDirection = "inbox" | "outbox";
 export type MailboxMessageStatus = "queued" | "delivered" | "acknowledged";
@@ -228,7 +229,7 @@ function safeReadMailboxFile(filePath: string, direction: MailboxDirection): Mai
  * primary file. Readers continue to see all messages because
  * `safeReadMailboxFile` walks both the primary file and any archives.
  */
-const MAILBOX_ARCHIVE_THRESHOLD_BYTES = 10 * 1024 * 1024;
+const MAILBOX_ARCHIVE_THRESHOLD_BYTES = DEFAULT_MAILBOX.perFileThresholdBytes;
 function rotateMailboxFileIfNeeded(filePath: string, thresholdBytes = MAILBOX_ARCHIVE_THRESHOLD_BYTES): boolean {
 	try {
 		if (!fs.existsSync(filePath)) return false;
@@ -238,6 +239,8 @@ function rotateMailboxFileIfNeeded(filePath: string, thresholdBytes = MAILBOX_AR
 		const archivePath = `${filePath}.${ts}.archive.jsonl`;
 		fs.renameSync(filePath, archivePath);
 		fs.writeFileSync(filePath, "", "utf-8");
+		// FIX: Prune old archives so total per-direction count stays bounded.
+		pruneOldMailboxArchives(filePath);
 		return true;
 	} catch (error) {
 		logInternalError("mailbox.rotate", error, filePath);
@@ -245,6 +248,27 @@ function rotateMailboxFileIfNeeded(filePath: string, thresholdBytes = MAILBOX_AR
 	}
 }
 
+/**
+ * Keep at most `DEFAULT_MAILBOX.maxArchivesPerDirection` archive files per
+ * mailbox. Older archives are deleted. Prevents unbounded growth on long runs.
+ */
+function pruneOldMailboxArchives(mailboxFilePath: string): void {
+	try {
+		const dir = path.dirname(mailboxFilePath);
+		const base = path.basename(mailboxFilePath);
+		const archives = fs
+			.readdirSync(dir)
+			.filter((f) => f.startsWith(base) && f.includes(".archive.jsonl"))
+			.sort(); // Chronological (ISO timestamp in filename)
+		const excess = archives.length - DEFAULT_MAILBOX.maxArchivesPerDirection;
+		for (let i = 0; i < excess; i += 1) {
+			fs.rmSync(path.join(dir, archives[i]), { force: true });
+		}
+	} catch (error) {
+		logInternalError("mailbox.prune", error, mailboxFilePath);
+	}
+}
+
 export function readMailbox(manifest: TeamRunManifest, direction?: MailboxDirection, taskId?: string, kind?: MailboxMessageKind): MailboxMessage[] {
 	const directions = direction ? [direction] : ["inbox", "outbox"] as const;
 	return directions.flatMap((item) => safeReadMailboxFile(mailboxFile(manifest, item, taskId), item)).filter((msg) => !kind || msg.kind === kind).sort((a, b) => a.createdAt.localeCompare(b.createdAt));

package/src/tools/safe-bash.ts

@@ -274,8 +274,9 @@ export function createSafeBash(options: SafeBashOptions = {}) {
  * These can be used in allowPatterns for specific use cases
  */
 export const COMMON_SAFE_PATTERNS = {
-	// Safe rm with specific paths - uses simple contains check
-	safeRm: /rm\s+(-[a-zA-Z]*f[a-zA-Z]*\s+)?((?![\/~])\/)?(tmp|cache|node_modules|dist|build)\//,
+	// FIX: Stricter regex — target must be exactly tmp/, cache/, node_modules/, dist/, or build/
+	// (with optional ./ prefix). Rejects path traversal (./../../../other) and absolute paths.
+	safeRm: /rm\s+(-[a-zA-Z]*f[a-zA-Z]*\s+)?(?:\.\/)?(?:tmp|cache|node_modules|dist|build)\/[a-zA-Z0-9._/-]+$/,
 	// Safe git operations
 	safeGit: /\bgit\s+(clone|pull|push|commit|add|status|diff|log|branch|checkout|merge|rebase)/,
 	// Safe npm/yarn/pnpm