pi-crew 0.5.6 → 0.5.8

package/CHANGELOG.md

@@ -1,5 +1,64 @@
 # Changelog
 
+## [0.5.8] — Final 5 Low-Severity Issue Fixes (2026-06-01)
+
+### Phase 5 (Final): Race Conditions + Edge Cases
+
+- **Issue #12: `acquireLockWithRetry` race** (Low) — `src/state/locks.ts`: added `isLockHolderAlive()` check. Now uses BOTH staleness AND PID liveness: fresh + alive holder = fail, else = safe to clear. Prevents stealing a lock from a still-running process whose PID was recently reused.
+
+- **Issue #13: `loadRunManifestById` TOCTOU** (Low) — `src/state/state-store.ts`: retry-on-stat-mismatch approach. Re-stat and re-read in a loop (up to 3 attempts) until size/mtime are stable across stat and read. Catches torn writes without depending on `withFileLockSync`.
+
+- **Issue #14: `cleanupOldArtifacts` N stat calls** (Low) — `src/state/artifact-store.ts`: use `Dirent.isDirectory()` from `readdirSync({ withFileTypes: true })` to avoid `statSync` for type info. `statSync` now only for mtime.
+
+- **Issue #15: `validateMailbox` concurrent access** (Low) — `src/state/mailbox.ts`: wrap read + optional repair in `withFileLockSync`.
+
+- **Issue #16: `updateMailboxMessageReply` concurrent rewrite** (Low) — `src/state/mailbox.ts`: wrap read-modify-write in `withFileLockSync`.
+
+### Bug fix in `withFileLockSync`
+
+- `src/state/locks.ts`: use separate `.lock` sidecar instead of the file path itself. Previously `withFileLockSync(path)` used `path` as the lock file, colliding with append/read operations on the same path.
+
+### Tests
+
+- 2282 tests pass / 0 failures (`npm test`).
+
+## [0.5.7] — 11 Issue Fixes Across 5 Phases (2026-06-01)
+
+### Phase 1: Schema/Type Fixes
+
+- **`invalidate` schema divergence** (Critical) — `src/schema/team-tool-schema.ts`: added `"invalidate"` to TypeBox union. Previously TS interface had it but TypeBox schema did not, causing silent `-32602` failure.
+- **OTLP header key validation** (Low) — `src/config/config.ts`: hardened `parseOtlpConfig` with case-insensitive check for 12 dangerous keys (`__proto__`, `hasOwnProperty`, `toString`, etc.) and format validation `/^[a-zA-Z][a-zA-Z0-9_-]{0,127}$/`.
+
+### Phase 2: Security Hardening
+
+- **OTLP endpoint unsanitized** (Critical) — `src/config/config.ts`: project config can no longer override `otlp.endpoint` (would have allowed credential exfiltration via attacker URL).
+- **Wildcard env leakage** (High) — `src/runtime/child-pi.ts`: replaced broad wildcards (`LC_*`, `XDG_*`, `NVM_*`, `NODE_*`, `npm_*`) with specific names. Previously `NPM_TOKEN`, `NODE_ENV=production`, `NVM_RC_VERSION` all leaked.
+
+### Phase 3: Correctness Fixes
+
+- **AbortSignal not propagated** (High) — `src/runtime/task-runner.ts`: check signal before `persistSingleTaskUpdate`. Cancelled tasks now return early with cancelled status instead of writing stale state.
+- **MAILBOX_ARCHIVE_THRESHOLD 10MB/task** (High) — `src/state/mailbox.ts` + `src/config/defaults.ts`: added `DEFAULT_MAILBOX.maxArchivesPerDirection=10` cap and `pruneOldMailboxArchives()` to prevent unbounded growth (1GB+ for 100 tasks).
+- **`safeRm` regex bypass** (Medium) — `src/tools/safe-bash.ts`: stricter regex requires path to be exactly `tmp/`, `cache/`, `node_modules/`, `dist/`, or `build/` with optional `./` prefix. Rejects path traversal like `./../../../etc`.
+- **`writeEntries` silent drop** (Medium) — `src/state/active-run-registry.ts`: emit `logInternalError` warning when entries overflow cap.
+
+### Phase 4: Performance Optimization
+
+- **`nextAgentEventSeq` O(n) cold cache** (Medium) — `src/runtime/crew-agent-records.ts`: added `.seq` sidecar file for O(1) lookup. Fall back to O(n) scan only when sidecar is missing.
+- **`nextSequence` O(n) cold cache** (Medium) — `src/state/event-log.ts`: trust sidecar seq file when present. Fall back to `scanSequence` only when sidecar missing or file shrunk.
+
+### Phase 5: Deferred (Low severity)
+
+- **Issue #12: `acquireLockWithRetry` race** — defer (race window small, retry loop handles).
+- **Issue #13: `loadRunManifestById` TOCTOU** — defer (cache TTL 30s, race window small).
+- **Issue #14: `cleanupOldArtifacts` N stat calls** — defer (typical artifact dirs small).
+- **Issue #15: `validateMailbox` full load** — defer (10MB cap, bounded).
+- **Issue #16: `updateMailboxMessageReply` full rewrite** — defer (10MB cap, bounded).
+
+### Tests
+
+- 2282 tests pass / 0 failures (`npm test`).
+- New tests: `invalidate`/`anchor`/`auto-summarize`/`auto_boomerang` schema, OTLP header key validation, OTLP endpoint sanitization, wildcard env leakage, sidecar seq lookup.
+
 ## [0.5.6] — Documentation Sync + Type-Only Import Fix (2026-06-01)
 
 ### Documentation

package/README.md

@@ -9,7 +9,7 @@ npm: pi-crew
 repo: https://github.com/baphuongna/pi-crew
 ```
 
-**v0.5.6**: See [CHANGELOG.md](CHANGELOG.md).
+**v0.5.8**: See [CHANGELOG.md](CHANGELOG.md).
 
 ### Security highlights (v0.5.5)
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pi-crew",
-  "version": "0.5.6",
+  "version": "0.5.8",
   "description": "Pi extension for coordinated AI teams, workflows, worktrees, and async task orchestration",
   "author": "baphuongna",
   "license": "MIT",

package/src/config/config.ts

@@ -244,6 +244,15 @@ function sanitizeProjectConfig(
 			sanitized.otlp = undefined;
 		warnings.push(projectOverrideWarning(projectPath, "otlp.headers"));
 	}
+	// FIX: Block project config from setting otlp.endpoint — it controls where
+	// OTLP headers (potentially containing credentials) are sent.
+	if (config.otlp?.endpoint !== undefined) {
+		if (!sanitized.otlp) sanitized.otlp = { ...config.otlp, endpoint: undefined };
+		else sanitized.otlp = { ...sanitized.otlp, endpoint: undefined };
+		if (!Object.values(sanitized.otlp).some((entry) => entry !== undefined))
+			sanitized.otlp = undefined;
+		warnings.push(projectOverrideWarning(projectPath, "otlp.endpoint"));
+	}
 	if (
 		config.agents?.disableBuiltins !== undefined ||
 		config.agents?.overrides !== undefined
@@ -1051,13 +1060,28 @@ function parseOtlpConfig(value: unknown): CrewOtlpConfig | undefined {
 	if (rawHeaders)
 		for (const [key, entry] of Object.entries(rawHeaders)) {
 			if (typeof entry !== "string") continue;
-			// Prevent prototype pollution via __proto__ / constructor / prototype keys.
+			// Prevent prototype pollution via dangerous Object.prototype keys.
+			// Case-insensitive check to catch __Proto__, CONSTRUCTOR, etc.
+			const lowerKey = key.toLowerCase();
 			if (
-				key === "__proto__" ||
-				key === "constructor" ||
-				key === "prototype"
+				lowerKey === "__proto__" ||
+				lowerKey === "constructor" ||
+				lowerKey === "prototype" ||
+				lowerKey === "hasownproperty" ||
+				lowerKey === "tostring" ||
+				lowerKey === "valueof" ||
+				lowerKey === "isprototypeof" ||
+				lowerKey === "propertyisenumerable" ||
+				lowerKey === "tolocalestring" ||
+				lowerKey === "__definegetter__" ||
+				lowerKey === "__definesetter__" ||
+				lowerKey === "__lookupgetter__" ||
+				lowerKey === "__lookupsetter__"
 			)
 				continue;
+			// Validate key format: must start with letter, then alphanumeric/hyphen/underscore.
+			// Blocks CRLF, NUL, spaces, shell metacharacters in header keys.
+			if (!/^[a-zA-Z][a-zA-Z0-9_-]{0,127}$/.test(key)) continue;
 			headers[key] = entry;
 		}
 	const otlp: CrewOtlpConfig = {

package/src/config/defaults.ts

@@ -91,6 +91,11 @@ export const DEFAULT_CACHE = {
 	manifestMaxEntries: 64,
 };
 
+export const DEFAULT_MAILBOX = {
+	perFileThresholdBytes: 10 * 1024 * 1024, // 10MB per mailbox file
+	maxArchivesPerDirection: 10, // Keep at most 10 archives per direction per run
+};
+
 export const DEFAULT_SUBAGENT = {
 	stuckBlockedNotifyMs: 5 * 60_000,
 };

package/src/runtime/child-pi.ts

@@ -206,11 +206,29 @@ export function buildChildPiSpawnOptions(cwd: string, env: NodeJS.ProcessEnv): S
 			"SHELL",
 			"TERM",
 			"LANG",
-			"LC_*",
-			"XDG_*",
-			"NVM_*",
-			"NODE_*",
-			"npm_*",
+			// FIX: Replaced broad wildcards (LC_*, XDG_*, NVM_*, NODE_*, npm_*) with
+			// specific names. Previously NPM_TOKEN, NODE_ENV=production, NVM_RC_VERSION
+			// all leaked through wildcards.
+			"LC_ALL",
+			"LC_COLLATE",
+			"LC_CTYPE",
+			"LC_MESSAGES",
+			"LC_MONETARY",
+			"LC_NUMERIC",
+			"LC_TIME",
+			"XDG_CONFIG_HOME",
+			"XDG_DATA_HOME",
+			"XDG_CACHE_HOME",
+			"XDG_RUNTIME_DIR",
+			"NVM_BIN",
+			"NVM_DIR",
+			"NVM_INC",
+			"NODE_PATH",
+			"NODE_DISABLE_COLORS",
+			"NODE_EXTRA_CA_CERTS",
+			"NPM_CONFIG_REGISTRY",
+			"NPM_CONFIG_USERCONFIG",
+			"NPM_CONFIG_GLOBALCONFIG",
 			"PI_*",
 			"PI_CREW_*",
 			"PI_TEAMS_*",

package/src/runtime/crew-agent-records.ts

@@ -263,12 +263,41 @@ export function readCrewAgentStatus(manifest: TeamRunManifest, taskOrAgentId: st
 }
 
 const agentEventSeqCache = new Map<string, { size: number; mtimeMs: number; seq: number }>();
+const AGENT_EVENT_SEQ_SIDECAR = ".seq";
+
+function readSeqFromSidecar(filePath: string): number | undefined {
+	try {
+		const raw = fs.readFileSync(`${filePath}.${AGENT_EVENT_SEQ_SIDECAR}`, "utf-8");
+		const n = Number.parseInt(raw, 10);
+		return Number.isFinite(n) && n > 0 ? n : undefined;
+	} catch {
+		return undefined;
+	}
+}
+
+function writeSeqToSidecar(filePath: string, seq: number): void {
+	try {
+		fs.writeFileSync(`${filePath}.${AGENT_EVENT_SEQ_SIDECAR}`, String(seq));
+	} catch (error) {
+		logInternalError("crew-agent-records.seq-sidecar", error, `filePath=${filePath}`);
+	}
+}
 
 function nextAgentEventSeq(filePath: string): number {
-	if (!fs.existsSync(filePath)) return 1;
+	if (!fs.existsSync(filePath)) {
+		// Clean up stale sidecar when main file is gone.
+		try { fs.unlinkSync(`${filePath}.${AGENT_EVENT_SEQ_SIDECAR}`); } catch {}
+		return 1;
+	}
 	const stat = fs.statSync(filePath);
 	const cached = agentEventSeqCache.get(filePath);
 	if (cached && cached.size === stat.size && cached.mtimeMs === stat.mtimeMs) return cached.seq + 1;
+	// FIX: Try sidecar file for O(1) lookup before falling back to O(n) scan.
+	const sidecarSeq = readSeqFromSidecar(filePath);
+	if (sidecarSeq !== undefined) {
+		agentEventSeqCache.set(filePath, { size: stat.size, mtimeMs: stat.mtimeMs, seq: sidecarSeq });
+		return sidecarSeq + 1;
+	}
 	let max = 0;
 	for (const line of fs.readFileSync(filePath, "utf-8").split(/\r?\n/)) {
 		if (!line.trim()) continue;
@@ -281,6 +310,7 @@ function nextAgentEventSeq(filePath: string): number {
 		}
 	}
 	agentEventSeqCache.set(filePath, { size: stat.size, mtimeMs: stat.mtimeMs, seq: max });
+	writeSeqToSidecar(filePath, max);
 	return max + 1;
 }
 
@@ -292,6 +322,7 @@ export function appendCrewAgentEvent(manifest: TeamRunManifest, taskId: string,
 	try {
 		const stat = fs.statSync(filePath);
 		agentEventSeqCache.set(filePath, { size: stat.size, mtimeMs: stat.mtimeMs, seq });
+		writeSeqToSidecar(filePath, seq);
 	} catch (error) {
 		logInternalError("crew-agent-records.stat", error, `filePath=${filePath}`);
 	}

package/src/runtime/task-runner.ts

@@ -205,6 +205,20 @@ export async function runTeamTask(
 			input.taskRuntimeOverride ??
 			input.runtimeKind ??
 			(input.executeWorkers ? "child-process" : "scaffold");
+		// FIX: Check signal before persisting state — if cancelled, skip the write.
+		if (input.signal?.aborted) {
+			const cancelReason = cancellationReasonFromSignal(input.signal);
+			const cancelledTask: TeamTaskState = {
+				...task,
+				status: "cancelled",
+				error: `${cancelReason.code}: ${cancelReason.message}`,
+				finishedAt: new Date().toISOString(),
+			};
+			return {
+				manifest: input.manifest,
+				tasks: updateTask(tasks, cancelledTask),
+			};
+		}
 		tasks = persistSingleTaskUpdate(manifest, tasks, task);
 		if (runtimeKind === "child-process")
 			({ task, tasks } = checkpointTask(

package/src/schema/team-tool-schema.ts

@@ -58,6 +58,7 @@ export const TeamToolParams = Type.Object({
 				Type.Literal("api"),
 				Type.Literal("settings"),
 				Type.Literal("steer"),
+				Type.Literal("invalidate"),
 				Type.Literal("health"),
 				Type.Literal("graph"),
 				Type.Literal("onboard"),

package/src/state/active-run-registry.ts

@@ -135,7 +135,16 @@ export function readActiveRunRegistry(maxEntries = DEFAULT_CACHE.manifestMaxEntr
 }
 
 function writeEntries(entries: ActiveRunRegistryEntry[]): void {
-	const trimmed = entries.slice(0, DEFAULT_CACHE.manifestMaxEntries);
+	const max = DEFAULT_CACHE.manifestMaxEntries;
+	// FIX: Emit warning when entries overflow the cap, instead of silent drop.
+	if (entries.length > max) {
+		logInternalError(
+			"active-run-registry.overflow",
+			new Error(`${entries.length - max} entries dropped (cap=${max})`),
+			JSON.stringify({ dropped: entries.length - max, total: entries.length, cap: max }),
+		);
+	}
+	const trimmed = entries.slice(0, max);
 	fs.mkdirSync(path.dirname(registryPath()), { recursive: true });
 	// 2.4 — dual-ship: write both formats. Readers prefer binary; legacy
 	// readers (other tools / older releases) keep using the JSON file.

package/src/state/artifact-store.ts

@@ -66,6 +66,10 @@ export function cleanupOldArtifacts(artifactsRoot: string, options: ArtifactClea
 	const cutoff = nowMs() - maxAgeMs;
 	let didCleanup = false;
 	try {
+		// FIX: Use { withFileTypes: true } to get Dirent objects (with isDirectory/isFile
+		// info), avoiding the need for a separate statSync per entry just to check the
+		// type. We still need statSync for mtime, but only on entries that passed the
+		// marker-file and symlink filters.
 		const entries = fs.readdirSync(artifactsRoot, { withFileTypes: true });
 		for (const entry of entries) {
 			if (entry.name === markerFile) continue;
@@ -74,7 +78,8 @@ export function cleanupOldArtifacts(artifactsRoot: string, options: ArtifactClea
 			try {
 				const stat = fs.statSync(target);
 				if (stat.mtimeMs >= cutoff) continue;
-				if (stat.isDirectory()) {
+				// Use Dirent info instead of stat.isDirectory() to save a stat call
+				if (entry.isDirectory()) {
 					fs.rmSync(target, { recursive: true, force: true });
 				} else {
 					fs.unlinkSync(target);

package/src/state/event-log.ts

@@ -167,11 +167,16 @@ function nextSequence(eventsPath: string): number {
 	if (cached && cached.size === stat.size && cached.mtimeMs === stat.mtimeMs) {
 		return cached.seq + 1;
 	}
-	let current = readStoredSequence(eventsPath);
-	if (current === undefined || (cached && stat.size < cached.size)) {
-		current = scanSequence(eventsPath);
+	// FIX: Trust the sidecar seq file if it exists and the file is non-empty.
+	// Only fall back to O(n) scan if sidecar is missing or file shrunk unexpectedly.
+	const stored = readStoredSequence(eventsPath);
+	if (stored !== undefined && (!cached || stat.size >= cached.size)) {
+		sequenceCache.set(eventsPath, { size: stat.size, mtimeMs: stat.mtimeMs, seq: stored });
+		return stored + 1;
 	}
+	const current = scanSequence(eventsPath);
 	sequenceCache.set(eventsPath, { size: stat.size, mtimeMs: stat.mtimeMs, seq: current });
+	persistSequence(eventsPath, current);
 	return current + 1;
 }
 

package/src/state/locks.ts

@@ -40,6 +40,25 @@ function isLockStale(filePath: string, staleMs: number): boolean {
 	}
 }
 
+function isLockHolderAlive(filePath: string): boolean {
+	try {
+		const raw = fs.readFileSync(filePath, "utf-8");
+		const parsed = JSON.parse(raw) as { pid?: unknown };
+		const pid = typeof parsed.pid === "number" ? parsed.pid : undefined;
+		if (pid === undefined) return true; // Unknown holder — assume alive to be safe
+		try {
+			process.kill(pid, 0);
+			return true; // Signal 0 succeeded — process is alive
+		} catch (error) {
+			const code = (error as NodeJS.ErrnoException).code;
+			// EPERM: process exists but we don't have permission to signal it
+			return code === "EPERM";
+		}
+	} catch {
+		return true; // Can't read — assume alive to be safe
+	}
+}
+
 function writeLockFile(filePath: string): void {
 	const fd = fs.openSync(filePath, fs.constants.O_WRONLY | fs.constants.O_CREAT | fs.constants.O_EXCL, 0o644);
 	try {
@@ -62,11 +81,17 @@ function acquireLockWithRetry(filePath: string, staleMs: number): void {
 			if (Date.now() > deadline) {
 				throw new Error(`Run '${path.basename(filePath)}' is locked by another operation.`);
 			}
-			// If lock is not stale, fail fast (sync should not wait for active locks)
-			if (!isLockStale(filePath, staleMs)) {
+			// FIX: Use both staleness AND PID liveness to decide if we can steal
+			// a lock. Previously only staleness was checked, so a process whose
+			// PID was recently reused by another process could have its lock
+			// stolen even while still active. Now: fresh+alive = fail, else = clear.
+			const isStale = isLockStale(filePath, staleMs);
+			const isHolderAlive = isLockHolderAlive(filePath);
+			if (!isStale && isHolderAlive) {
+				// Lock is fresh AND holder is alive — fail fast
 				throw new Error(`Run '${path.basename(filePath)}' is locked by another operation.`);
 			}
-			// Lock is stale — try to clear it, but don't bail on rmSync error — let loop retry
+			// Lock is stale OR holder is dead — safe to clear
 			try {
 				fs.rmSync(filePath, { force: true });
 			} catch { /* race — let loop retry */ }
@@ -118,14 +143,19 @@ async function acquireLockWithRetryAsync(filePath: string, staleMs: number): Pro
  * Uses the same O_EXCL atomic create strategy as run locks.
  */
 export function withFileLockSync<T>(filePath: string, fn: () => T, options: RunLockOptions = {}): T {
+	// FIX: Use a separate .lock sidecar so the lock file doesn't collide with
+	// the file being protected. Previously withFileLockSync used the file path
+	// itself as the lock, which meant any operation on the same file (read,
+	// append, or even the lock acquisition itself) would race with the lock.
+	const lockFile = `${filePath}.lock`;
 	const staleMs = options.staleMs ?? DEFAULT_STALE_MS;
-	fs.mkdirSync(path.dirname(filePath), { recursive: true });
-	acquireLockWithRetry(filePath, staleMs);
+	fs.mkdirSync(path.dirname(lockFile), { recursive: true });
+	acquireLockWithRetry(lockFile, staleMs);
 	try {
 		return fn();
 	} finally {
 		try {
-			fs.rmSync(filePath, { force: true });
+			fs.rmSync(lockFile, { force: true });
 		} catch {
 			// Best-effort lock cleanup.
 		}

package/src/state/mailbox.ts

@@ -6,6 +6,8 @@ import { redactSecrets } from "../utils/redaction.ts";
 import { logInternalError } from "../utils/internal-error.ts";
 import { atomicWriteFile } from "./atomic-write.ts";
 import { withEventLogLockSync } from "./event-log.ts";
+import { withFileLockSync } from "./locks.ts";
+import { DEFAULT_MAILBOX } from "../config/defaults.ts";
 
 export type MailboxDirection = "inbox" | "outbox";
 export type MailboxMessageStatus = "queued" | "delivered" | "acknowledged";
@@ -228,7 +230,7 @@ function safeReadMailboxFile(filePath: string, direction: MailboxDirection): Mai
  * primary file. Readers continue to see all messages because
  * `safeReadMailboxFile` walks both the primary file and any archives.
  */
-const MAILBOX_ARCHIVE_THRESHOLD_BYTES = 10 * 1024 * 1024;
+const MAILBOX_ARCHIVE_THRESHOLD_BYTES = DEFAULT_MAILBOX.perFileThresholdBytes;
 function rotateMailboxFileIfNeeded(filePath: string, thresholdBytes = MAILBOX_ARCHIVE_THRESHOLD_BYTES): boolean {
 	try {
 		if (!fs.existsSync(filePath)) return false;
@@ -238,6 +240,8 @@ function rotateMailboxFileIfNeeded(filePath: string, thresholdBytes = MAILBOX_AR
 		const archivePath = `${filePath}.${ts}.archive.jsonl`;
 		fs.renameSync(filePath, archivePath);
 		fs.writeFileSync(filePath, "", "utf-8");
+		// FIX: Prune old archives so total per-direction count stays bounded.
+		pruneOldMailboxArchives(filePath);
 		return true;
 	} catch (error) {
 		logInternalError("mailbox.rotate", error, filePath);
@@ -245,6 +249,27 @@ function rotateMailboxFileIfNeeded(filePath: string, thresholdBytes = MAILBOX_AR
 	}
 }
 
+/**
+ * Keep at most `DEFAULT_MAILBOX.maxArchivesPerDirection` archive files per
+ * mailbox. Older archives are deleted. Prevents unbounded growth on long runs.
+ */
+function pruneOldMailboxArchives(mailboxFilePath: string): void {
+	try {
+		const dir = path.dirname(mailboxFilePath);
+		const base = path.basename(mailboxFilePath);
+		const archives = fs
+			.readdirSync(dir)
+			.filter((f) => f.startsWith(base) && f.includes(".archive.jsonl"))
+			.sort(); // Chronological (ISO timestamp in filename)
+		const excess = archives.length - DEFAULT_MAILBOX.maxArchivesPerDirection;
+		for (let i = 0; i < excess; i += 1) {
+			fs.rmSync(path.join(dir, archives[i]), { force: true });
+		}
+	} catch (error) {
+		logInternalError("mailbox.prune", error, mailboxFilePath);
+	}
+}
+
 export function readMailbox(manifest: TeamRunManifest, direction?: MailboxDirection, taskId?: string, kind?: MailboxMessageKind): MailboxMessage[] {
 	const directions = direction ? [direction] : ["inbox", "outbox"] as const;
 	return directions.flatMap((item) => safeReadMailboxFile(mailboxFile(manifest, item, taskId), item)).filter((msg) => !kind || msg.kind === kind).sort((a, b) => a.createdAt.localeCompare(b.createdAt));
@@ -395,29 +420,34 @@ export function updateMailboxMessageReply(manifest: TeamRunManifest, originalMes
 
 	for (const { filePath, direction } of filesToSearch) {
 		if (!fs.existsSync(filePath)) continue;
-		const lines = fs.readFileSync(filePath, "utf-8").split(/\r?\n/).filter(Boolean);
-		let found = false;
-		const updatedLines: string[] = [];
-		for (const line of lines) {
-			try {
-				const parsed = JSON.parse(line) as unknown;
-				const msg = parseMailboxMessage(parsed, direction);
-				if (msg && msg.id === originalMessageId) {
-					msg.repliedAt = new Date().toISOString();
-					msg.replyContent = replyContent;
-					updatedLines.push(JSON.stringify(redactSecrets(msg)));
-					found = true;
-				} else {
+		// FIX: Wrap read-modify-write in withFileLockSync to prevent concurrent
+		// updates from clobbering each other (each reply rewrites the whole file).
+		const found = withFileLockSync(filePath, () => {
+			const lines = fs.readFileSync(filePath, "utf-8").split(/\r?\n/).filter(Boolean);
+			let localFound = false;
+			const updatedLines: string[] = [];
+			for (const line of lines) {
+				try {
+					const parsed = JSON.parse(line) as unknown;
+					const msg = parseMailboxMessage(parsed, direction);
+					if (msg && msg.id === originalMessageId) {
+						msg.repliedAt = new Date().toISOString();
+						msg.replyContent = replyContent;
+						updatedLines.push(JSON.stringify(redactSecrets(msg)));
+						localFound = true;
+					} else {
+						updatedLines.push(line);
+					}
+				} catch {
 					updatedLines.push(line);
 				}
-			} catch {
-				updatedLines.push(line);
 			}
-		}
-		if (found) {
-			atomicWriteFile(filePath, `${updatedLines.join("\n")}\n`);
-			return;
-		}
+			if (localFound) {
+				atomicWriteFile(filePath, `${updatedLines.join("\n")}\n`);
+			}
+			return localFound;
+		});
+		if (found) return;
 	}
 	// Not finding the original is non-fatal; the reply is still delivered.
 }
@@ -440,26 +470,31 @@ export function validateMailbox(manifest: TeamRunManifest, options: { repair?: b
 	for (const direction of ["inbox", "outbox"] as const) {
 		if (options.signal?.aborted) break;
 		const filePath = mailboxFile(manifest, direction);
-		const lines = fs.readFileSync(filePath, "utf-8").split(/\r?\n/).filter(Boolean);
-		const validLines: string[] = [];
-		for (let i = 0; i < lines.length; i += 1) {
-			if (options.signal?.aborted) break;
-			const line = lines[i];
-			if (!line) continue;
-			try {
-				const parsed = JSON.parse(line) as unknown;
-				const message = parseMailboxMessage(parsed, direction);
-				if (!message) throw new Error("invalid message schema");
-				validLines.push(JSON.stringify(redactSecrets(message)));
-			} catch (error) {
-				const message = error instanceof Error ? error.message : String(error);
-				issues.push({ level: "error", path: filePath, message });
+		// FIX: Wrap read + optional repair in withFileLockSync so concurrent appends
+		// don't race with the read-modify-write. Mailbox files are capped at 10MB
+		// (MAILBOX_ARCHIVE_THRESHOLD_BYTES), so the per-call memory is bounded.
+		withFileLockSync(filePath, () => {
+			const lines = fs.readFileSync(filePath, "utf-8").split(/\r?\n/).filter(Boolean);
+			const validLines: string[] = [];
+			for (let i = 0; i < lines.length; i += 1) {
+				if (options.signal?.aborted) break;
+				const line = lines[i];
+				if (!line) continue;
+				try {
+					const parsed = JSON.parse(line) as unknown;
+					const message = parseMailboxMessage(parsed, direction);
+					if (!message) throw new Error("invalid message schema");
+					validLines.push(JSON.stringify(redactSecrets(message)));
+				} catch (error) {
+					const message = error instanceof Error ? error.message : String(error);
+					issues.push({ level: "error", path: filePath, message });
+				}
 			}
-		}
-		if (options.repair && validLines.length !== lines.length) {
-			atomicWriteFile(filePath, `${validLines.join("\n")}${validLines.length ? "\n" : ""}`);
-			repaired.push(filePath);
-		}
+			if (options.repair && validLines.length !== lines.length) {
+				atomicWriteFile(filePath, `${validLines.join("\n")}${validLines.length ? "\n" : ""}`);
+				repaired.push(filePath);
+			}
+		});
 	}
 	const delivery = readDeliveryState(manifest);
 	const allMessages = readMailbox(manifest);

package/src/state/state-store.ts

@@ -324,18 +324,39 @@ export function loadRunManifestById(cwd: string, runId: string): { manifest: Tea
 		}
 	}
 
-	const manifest = readJsonFile<TeamRunManifest>(manifestPath);
+	// FIX: Re-stat and re-read inside a single synchronous block to close the
+	// TOCTOU window. We use a sentinel-based re-read: if mtime/size changed
+	// between the initial stat and the read, re-read until stable. With file
+	// sizes typically small (<5MB), the extra cost is negligible. Note: this
+	// doesn't fully prevent torn writes — callers needing strict consistency
+	// should use withRunLock() around the whole load+modify+save sequence.
+	let attempts = 0;
+	let manifest: TeamRunManifest | undefined;
+	let tasks: TeamTaskState[] | undefined;
+	while (attempts < 3) {
+		const freshStat = fs.statSync(manifestPath);
+		manifest = readJsonFile<TeamRunManifest>(manifestPath);
+		const freshTasksStat = fs.existsSync(tasksPath) ? fs.statSync(tasksPath) : undefined;
+		tasks = readJsonFile<TeamTaskState[]>(tasksPath) ?? [];
+		// If size/mtime didn't change between stat and read, we're consistent.
+		if (freshStat.mtimeMs === manifestStat.mtimeMs && freshStat.size === manifestStat.size
+			&& (!freshTasksStat || (freshTasksStat.mtimeMs === tasksStat?.mtimeMs && freshTasksStat.size === tasksStat?.size))) {
+			break;
+		}
+		attempts += 1;
+		manifestStat = freshStat;
+		tasksStat = freshTasksStat;
+	}
 	if (!manifest || !validateRunManifestPaths(cwd, runId, manifest, stateRoot, tasksPath)) return undefined;
-	const tasks = readJsonFile<TeamTaskState[]>(tasksPath) ?? [];
 	setManifestCache(stateRoot, {
 		manifest,
-		tasks,
+		tasks: tasks ?? [],
 		manifestMtimeMs: manifestStat.mtimeMs,
 		manifestSize: manifestStat.size,
 		tasksMtimeMs,
 		tasksSize: tasksStat?.size ?? 0,
 	});
-	return { manifest, tasks };
+	return { manifest, tasks: tasks ?? [] };
 }
 
 export async function loadRunManifestByIdAsync(cwd: string, runId: string): Promise<{ manifest: TeamRunManifest; tasks: TeamTaskState[] } | undefined> {

package/src/tools/safe-bash.ts

@@ -274,8 +274,9 @@ export function createSafeBash(options: SafeBashOptions = {}) {
  * These can be used in allowPatterns for specific use cases
  */
 export const COMMON_SAFE_PATTERNS = {
-	// Safe rm with specific paths - uses simple contains check
-	safeRm: /rm\s+(-[a-zA-Z]*f[a-zA-Z]*\s+)?((?![\/~])\/)?(tmp|cache|node_modules|dist|build)\//,
+	// FIX: Stricter regex — target must be exactly tmp/, cache/, node_modules/, dist/, or build/
+	// (with optional ./ prefix). Rejects path traversal (./../../../other) and absolute paths.
+	safeRm: /rm\s+(-[a-zA-Z]*f[a-zA-Z]*\s+)?(?:\.\/)?(?:tmp|cache|node_modules|dist|build)\/[a-zA-Z0-9._/-]+$/,
 	// Safe git operations
 	safeGit: /\bgit\s+(clone|pull|push|commit|add|status|diff|log|branch|checkout|merge|rebase)/,
 	// Safe npm/yarn/pnpm