pi-crew 0.6.0 → 0.6.1

package/CHANGELOG.md

@@ -1,5 +1,70 @@
 # Changelog
 
+## [0.6.1] — Post-v0.6.0 Security Hardening + Test Coverage (2026-06-04)
+
+### Highlights
+- **42+ security issues fixed** — 7 CRITICAL, 10 HIGH, 11 MEDIUM, 14 post-restart review findings
+- **~1,900 new tests** across 113+ test files — total suite now ~4,600 tests
+- **38 dead exports cleaned** across 19 modules
+- **12 `any` types replaced** with proper TypeScript types
+- **Full battle-testing** — 2 Pi restart cycles, all team types, management operations verified
+
+### Security Fixes (CRITICAL)
+- `async-runner.ts`: Environment variable leak in child process — sanitized with `sanitizeEnvSecrets()`
+- `verification-gates.ts`: Shell injection via user-controlled strings — switched to `execFileSync`
+- `sandbox.ts`: `String.fromCharCode` bypass — added `constructor` to `FORBIDDEN_PATTERNS`
+- `locks.ts`: Timing-unsafe comparison on lock tokens — replaced with constant-time compare
+- `event-log.ts`: Request IDs logged in plaintext — now hashed before logging
+- `team-runner.ts`: Missing heartbeat for long-running tasks — added 30s heartbeat writer
+- `worktree-manager.ts`: Environment secrets leaked to git subprocesses — `sanitizeEnvSecrets()`
+
+### Security Fixes (HIGH)
+- `preStepScript` symlink traversal — `fs.realpathSync` before path containment check
+- `childEnvAllowList` wildcard patterns (`LC_*`, `XDG_*`) could leak secrets
+- Event log sync/async race condition — route sync `appendEvent` through async queue
+- Subagent record validation — `sanitizePersistedRecord()` with allow-listed fields
+- Verification gate redirect — allow single `>` for `2>&1`, block `>>` and `<[^&]`
+- `allowPatterns` validation — reject patterns matching empty strings
+
+### Security Fixes (MEDIUM)
+- `logInternalError` import paths normalized across all modules
+- `Object.freeze()` narrowing fix — use `Readonly<{...}>` explicit types
+- NTFS mtime granularity — write-first, `utimes`-after for cache invalidation
+- Windows path separators — platform-agnostic assertions in tests
+- `executeUnchecked` visibility — `__test_executeUnchecked` export pattern
+- `seedPaths` containment — `normalizeSeedPaths()` validates paths stay within `repoRoot`
+
+### Code Quality
+- 38 dead/unused exports removed across 19 source modules
+- 12 `any` types replaced with proper interfaces
+- `enforceLabelCap` MRU correctness — `delete`-then-`set` to maintain Map insertion order
+- `readIfSmall` bounded reads — `Buffer.alloc` + `fs.readSync` instead of `readFileSync`
+
+### Test Coverage
+- 113 new test files, ~1,900 new test cases
+- Modules now covered: config, extension, workflow, subagent, observability, runtime, graph,
+  heartbeat, permissions, state, locks, event-log, safe-bash, sandbox, verification-gates,
+  async-runner, team-runner, background-runner, worktree, fingerprint, BM25 search, and more
+- Windows CI verified: path separators, `npx.cmd` resolution, NTFS mtime all pass
+- Test runner wrapper (`scripts/test-runner.mjs`) ensures non-zero exit on failures
+
+### Stats
+- Test suite: ~4,600 pass, 0 fail
+- TypeScript: 0 errors
+- Lines added since v0.6.0: 22,520 (742 src + 21,777 test)
+- Files changed: 204
+- Security issues fixed: 42+
+- Audit rounds: 42 (including post-v0.6.0 battle-testing)
+
+## [0.6.0] — Source Tour Patterns + 15 New Modules (2026-06-03)
+
+### Highlights
+- **15 upstream patterns implemented** from 63-repository source tour
+- **10 new source modules** (2,267 LOC): chain-parser, run-drift, intercom-bridge,
+  plan-templates, task-id, context-retrieval, intermediate-store, fingerprint,
+  memory-store, observation-store
+- **37 skills reviewed** with origin fields, all passing validation
+
 ## [0.5.22] — Remaining Issues from Ultimate Sweep (2026-06-03)
 
 ### Highlights

package/README.md

@@ -9,22 +9,24 @@ npm: pi-crew
 repo: https://github.com/baphuongna/pi-crew
 ```
 
-**v0.5.22**: See [CHANGELOG.md](CHANGELOG.md).
+**v0.6.1**: See [CHANGELOG.md](CHANGELOG.md).
 
-### Security highlights (v0.5.22)
+### Security highlights (v0.6.1)
 
-- **ReDoS-free secret redaction** — linear-time scanning in `redaction.ts`; no catastrophic backtracking
-- **v8.deserialize hardened** — `BINARY_MAGIC` header guards on registry binaries prevent untrusted-file RCE
-- **Cache lock protection** — `withFileLockSync` and atomic writes across `run-cache.ts` and `state-store.ts`
-- **Shell injection prevented** — `execFileSync` with array args everywhere (no shell-interpreted strings)
+- **42+ security issues fixed** — 7 CRITICAL, 10 HIGH, 11 MEDIUM, 14 post-restart findings
+- **Timing-safe token comparison** — constant-time compare for lock tokens and request IDs
+- **Environment leak prevention** — `sanitizeEnvSecrets()` on all child process spawns
+- **Shell injection hardened** — `execFileSync` with array args; blocked `String.fromCharCode` bypass
+- **ReDoS-free secret redaction** — linear-time scanning in `redaction.ts`
+- **Sandbox prototype isolation** — `Object.freeze` scoped to VM context; `constructor` pattern blocked
+- **Symlink traversal prevention** — `fs.realpathSync` before path containment checks
 - **Safe-bash line-continuation hardening** — `$\n(evil)` command substitution bypass blocked
-- **Sandbox prototype isolation** — `Object.freeze` scoped to VM context (not host process)
 - **Path traversal mitigated** — `resolveContainedPath`/`resolveRealContainedPath` across all file ops
-- **TOCTOU-free file ops** — atomic `mkdirSync` in `crew-init.ts`; `realpath`-based path validation
 - **Memory leaks capped** — Maps, Sets, arrays bounded with eviction across all modules
-- **Inline secret detection** — `token=`, `api_key=`, `password=` patterns redacted at event/mailbox boundaries
-- **CI exit code enforced** — `test-runner.mjs` wrapper ensures non-zero exit on failures
-- **38 audit rounds, 160+ issues fixed** — 3 CRITICAL + 6 HIGH + 3 MEDIUM security issues resolved
+- **Event log race conditions fixed** — sync/async queue unification
+- **Subagent record sanitization** — allow-listed field persistence
+- **~1,900 new tests**, 113 test files — total suite ~4,600 tests, 0 failures
+- **42+ audit rounds, 160+ issues fixed** across all severity levels
 
 See [SECURITY-ISSUES.md](SECURITY-ISSUES.md) for the full list (SEC-001 – SEC-007 all marked fixed).
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pi-crew",
-  "version": "0.6.0",
+  "version": "0.6.1",
   "description": "Pi extension for coordinated AI teams, workflows, worktrees, and async task orchestration",
   "author": "baphuongna",
   "license": "MIT",

package/src/agents/agent-config.ts

@@ -69,7 +69,8 @@ export function getAgentSessionOptions(role: string): {
  * @param agent - The agent configuration
  * @param role - The role name to use for tool restrictions (defaults to agent.name)
  */
-export function buildAgentSessionOptions(
+/** @internal */
+function buildAgentSessionOptions(
 	agent: AgentConfig,
 	role?: string,
 ): {

package/src/benchmark/feedback-loop.ts

@@ -4,13 +4,15 @@
 
 import type { RunMetrics } from "../state/run-metrics.ts";
 
-export interface FeedbackLoopStats {
+/** @internal */
+interface FeedbackLoopStats {
 	runsObserved: number;
 	avgSuccessRate: number;
 	recommendations: string[];
 }
 
-export class FeedbackLoop {
+/** @internal */
+class FeedbackLoop {
 	private runs: RunMetrics[] = [];
 	private static readonly MAX_RUNS = 1000;
 

package/src/extension/cross-extension-rpc.ts

@@ -32,6 +32,8 @@ function requestId(raw: unknown): string | undefined {
 
 function reply(events: EventBusLike, channel: string, id: string | undefined, payload: RpcReply): void {
 	if (!id) return;
+	// SECURITY: Validate requestId format to prevent channel injection.
+	if (!/^[a-zA-Z0-9_-]+$/.test(id)) return;
 	events.emit(`${channel}:reply:${id}`, payload);
 }
 
@@ -59,6 +61,36 @@ function isAllowedRpcOperation(operation: string): boolean {
 	return RPC_ALLOWED_OPERATIONS.has(operation);
 }
 
+// SECURITY (HIGH #4 fix): In-memory rate limiter for RPC run requests.
+// Prevents any extension from spawning unlimited child processes.
+const RPC_RATE_LIMIT_MAX = 5; // Max 5 RPC run requests...
+const RPC_RATE_LIMIT_WINDOW_MS = 60_000; // ...per 60 seconds
+const rpcRunTimestamps: number[] = [];
+
+function checkRpcRateLimit(): { allowed: boolean; retryAfterMs?: number } {
+	const now = Date.now();
+	// Evict entries older than the window
+	const cutoff = now - RPC_RATE_LIMIT_WINDOW_MS;
+	while (rpcRunTimestamps.length > 0 && rpcRunTimestamps[0] < cutoff) {
+		rpcRunTimestamps.shift();
+	}
+	if (rpcRunTimestamps.length >= RPC_RATE_LIMIT_MAX) {
+		const oldestInWindow = rpcRunTimestamps[0];
+		const retryAfterMs = oldestInWindow + RPC_RATE_LIMIT_WINDOW_MS - now;
+		return { allowed: false, retryAfterMs: Math.max(retryAfterMs, 1000) };
+	}
+	return { allowed: true };
+}
+
+function recordRpcRun(): void {
+	rpcRunTimestamps.push(Date.now());
+}
+
+/** Reset the RPC rate limiter. Used primarily for testing. */
+export function resetRpcRateLimit(): void {
+	rpcRunTimestamps.length = 0;
+}
+
 function isAllowedRpcRunParams(params: TeamToolParamsValue): { ok: boolean; error?: string } {
 	// SECURITY: Require explicit intent for any RPC-initiated run creation.
 	// This prevents malicious extensions from spawning child Pi processes silently.
@@ -83,6 +115,12 @@ function on(events: EventBusLike, channel: string, handler: (raw: unknown) => vo
 	return typeof unsub === "function" ? unsub : () => {};
 }
 
+// SECURITY TRUST BOUNDARY: RPC channels (pi-crew:rpc:run, pi-crew:rpc:status,
+// pi-crew:rpc:live-control) are accessible to any extension on the shared event
+// bus. Mitigations applied: rate limiting (RPC_RATE_LIMIT_MAX), explicit intent
+// requirement for runs, operation allowlist for live-control reads, and cwd
+// containment validation. A full fix requires event-bus-level origin signing.
+
 export function registerPiCrewRpc(events: EventBusLike | undefined, getCtx: () => ExtensionContext | undefined): PiCrewRpcHandle | undefined {
 	if (!events) return undefined;
 	const unsubs = [
@@ -90,6 +128,16 @@ export function registerPiCrewRpc(events: EventBusLike | undefined, getCtx: () =
 		on(events, "pi-crew:rpc:run", async (raw) => {
 			const id = requestId(raw);
 			try {
+				// SECURITY (HIGH #4 fix): Rate limit RPC run requests
+				const rateLimit = checkRpcRateLimit();
+				if (!rateLimit.allowed) {
+					reply(events, "pi-crew:rpc:run", id, {
+						success: false,
+						error: `RPC run rate limit exceeded. Max ${RPC_RATE_LIMIT_MAX} requests per ${RPC_RATE_LIMIT_WINDOW_MS / 1000}s. Retry after ${Math.ceil((rateLimit.retryAfterMs ?? 60000) / 1000)}s.`,
+					});
+					return;
+				}
+				recordRpcRun();
 				const ctx = getCtx();
 				if (!ctx) throw new Error("No active pi-crew session context.");
 				// Validate payload: only allow known fields from TeamToolParamsValue

package/src/extension/registration/commands.ts

@@ -428,7 +428,8 @@ export function registerTeamCommands(pi: ExtensionAPI, deps: RegisterTeamCommand
 			if (selection.action === "agent-transcript" && await openTranscriptViewer(ctx, selection.runId)) continue;
 			if (selection.action === "agent-live" && await openLiveConversation(ctx, selection.runId)) continue;
 			if (selection.action === "agent-live") { await notifyCommandResult(ctx, commandText({ content: [{ type: "text", text: "No live agent found for this run." }] })); continue; }
-			const result = selection.action === "api" ? await handleTeamTool({ action: "api", runId: selection.runId, config: { operation: "read-manifest" } }, teamCommandContext(ctx)) : selection.action === "agents" ? await handleTeamTool({ action: "api", runId: selection.runId, config: { operation: "agent-dashboard" } }, teamCommandContext(ctx)) : selection.action === "mailbox" ? await handleTeamTool({ action: "api", runId: selection.runId, config: { operation: "read-mailbox" } }, teamCommandContext(ctx)) : selection.action === "agent-events" ? await handleTeamTool({ action: "api", runId: selection.runId, config: { operation: "read-agent-events", limit: 50 } }, teamCommandContext(ctx)) : selection.action === "agent-output" ? await handleTeamTool({ action: "api", runId: selection.runId, config: { operation: "read-agent-output", maxBytes: 32_000 } }, teamCommandContext(ctx)) : selection.action === "agent-transcript" ? await handleTeamTool({ action: "api", runId: selection.runId, config: { operation: "read-agent-transcript" } }, teamCommandContext(ctx)) : await handleTeamTool({ action: selection.action as any, runId: selection.runId }, teamCommandContext(ctx));
+			const result = selection.action === "api" ? await handleTeamTool({ action: "api", runId: selection.runId, config: { operation: "read-manifest" } }, teamCommandContext(ctx)) : selection.action === "agents" ? await handleTeamTool({ action: "api", runId: selection.runId, config: { operation: "agent-dashboard" } }, teamCommandContext(ctx)) : selection.action === "mailbox" ? await handleTeamTool({ action: "api", runId: selection.runId, config: { operation: "read-mailbox" } }, teamCommandContext(ctx)) : selection.action === "agent-events" ? await handleTeamTool({ action: "api", runId: selection.runId, config: { operation: "read-agent-events", limit: 50 } }, teamCommandContext(ctx)) : selection.action === "agent-output" ? await handleTeamTool({ action: "api", runId: selection.runId, config: { operation: "read-agent-output", maxBytes: 32_000 } }, teamCommandContext(ctx)) : selection.action === "agent-transcript" ? await handleTeamTool({ action: "api", runId: selection.runId, config: { operation: "read-agent-transcript" } }, teamCommandContext(ctx)) : // eslint-disable-next-line @typescript-eslint/no-explicit-any
+				await handleTeamTool({ action: selection.action as any, runId: selection.runId }, teamCommandContext(ctx));
 			await notifyCommandResult(ctx, commandText(result));
 			return;
 		}

package/src/extension/registration/subagent-tools.ts

@@ -96,9 +96,11 @@ export function registerSubagentTools(pi: ExtensionAPI, subagentManager: Subagen
 			}
 			return foregroundResult;
 		},
+		// eslint-disable-next-line @typescript-eslint/no-explicit-any
 		renderCall(args: any, theme: any, context: any): any {
 			return renderAgentToolCall(args, theme, context);
 		},
+		// eslint-disable-next-line @typescript-eslint/no-explicit-any
 		renderResult(result: any, options: any, theme: any, context: any): any {
 			return renderAgentToolResult(result, options, theme, context);
 		},

package/src/extension/registration/team-tool.ts

@@ -105,9 +105,11 @@ export function registerTeamTool(pi: ExtensionAPI, deps: RegisterTeamToolDeps):
 				stopProgress.stop();
 			}
 		},
+		// eslint-disable-next-line @typescript-eslint/no-explicit-any
 		renderCall(args: any, theme: any, context: any): any {
 			return renderTeamToolCall(args, theme, context);
 		},
+		// eslint-disable-next-line @typescript-eslint/no-explicit-any
 		renderResult(result: any, options: any, theme: any, context: any): any {
 			return renderTeamToolResult(result, options, theme, context);
 		},

package/src/extension/registration/viewers.ts

@@ -58,6 +58,7 @@ export async function openLiveConversation(ctx: ExtensionCommandContext, initial
 	const handle = liveAgents.find((h) => h.runId === selected.runId && (selected.taskId ? h.taskId === selected.taskId : true));
 	if (!handle) return false;
 	const theme = asCrewTheme({});
+	// eslint-disable-next-line @typescript-eslint/no-explicit-any
 	await ctx.ui.custom<undefined>((tui: any, _theme: any, _keybindings: any, done: (result: undefined) => void) => {
 		const columns = tui?.terminal?.columns ?? 80;
 		const rows = tui?.terminal?.rows ?? 24;

package/src/extension/run-export.ts

@@ -1,17 +1,29 @@
 import * as fs from "node:fs";
 import * as path from "node:path";
 import * as os from "node:os";
+import * as crypto from "node:crypto";
 import type { TeamRunManifest, TeamTaskState } from "../state/types.ts";
 import { writeArtifact } from "../state/artifact-store.ts";
 import { readEvents, type TeamEvent } from "../state/event-log.ts";
 import { redactSecrets } from "../utils/redaction.ts";
 
 /** Replace absolute paths containing home directory with ~/ */
+/** Escape special regex characters in a string */
+function escapeRegex(str: string): string {
+	return str.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+
+/** Only redact home directory at path boundaries to avoid corrupting substrings */
+function redactHomePathInString(str: string, home: string): string {
+	return str.replace(new RegExp(`(^|(?<=[:=/]))${escapeRegex(home)}`, "g"), "$1~");
+}
+
+/** Replace absolute paths containing home directory with ~/ at path boundaries only */
 function redactHomePaths<T>(obj: T): T {
 	const home = os.homedir();
 	if (!home) return redactSecrets(obj) as T;
 	const json = JSON.stringify(obj);
-	const safe = json.split(home).join("~");
+	const safe = redactHomePathInString(json, home);
 	return redactSecrets(JSON.parse(safe)) as T;
 }
 
@@ -37,6 +49,9 @@ export function exportRunBundle(manifest: TeamRunManifest, tasks: TeamTaskState[
 		events: safeEvents as TeamEvent[],
 		artifactPaths: safeManifest.artifacts.map((artifact) => artifact.path),
 	};
+	// Compute SHA-256 integrity hash of the bundle and store in manifest
+	const sha256 = crypto.createHash("sha256").update(JSON.stringify(bundle)).digest("hex");
+	(bundle.manifest as unknown as Record<string, unknown>).sha256 = sha256;
 	const json = writeArtifact(manifest.artifactsRoot, {
 		kind: "metadata",
 		relativePath: "export/run-export.json",

package/src/extension/run-import.ts

@@ -1,5 +1,6 @@
 import * as fs from "node:fs";
 import * as path from "node:path";
+import * as crypto from "node:crypto";
 import { assertRunBundle } from "./run-bundle-schema.ts";
 import { projectCrewRoot, userCrewRoot } from "../utils/paths.ts";
 import { DEFAULT_PATHS } from "../config/defaults.ts";
@@ -42,6 +43,21 @@ export function importRunBundle(cwd: string, bundlePath: string, scope: "project
 	if (!isContained) throw new Error(`Import path must be within project directory or crew root: ${resolvedPath}`);
 	const raw = JSON.parse(fs.readFileSync(resolvedPath, "utf-8")) as unknown;
 	assertRunBundle(raw);
+
+	// Integrity check: verify SHA-256 hash if present in manifest
+	const bundleJson = fs.readFileSync(resolvedPath, "utf-8");
+	const parsedForHash = JSON.parse(bundleJson) as { manifest?: { sha256?: string } };
+	if (parsedForHash.manifest?.sha256) {
+		const expectedHash = parsedForHash.manifest.sha256;
+		// Recompute hash by stringifying the bundle without the sha256 field
+		const { sha256: _sha256, ...manifestWithoutHash } = parsedForHash.manifest as Record<string, unknown> & { sha256?: string };
+		const bundleForHash = { ...parsedForHash, manifest: manifestWithoutHash };
+		const recomputedHash = crypto.createHash("sha256").update(JSON.stringify(bundleForHash)).digest("hex");
+		if (recomputedHash !== expectedHash) {
+			throw new Error(`Integrity check failed: SHA-256 mismatch. Expected ${expectedHash}, got ${recomputedHash}`);
+		}
+	}
+
 	const runId = assertSafePathId("runId", raw.manifest.runId);
 	const importedAt = new Date().toISOString();
 

package/src/extension/team-tool/anchor.ts

@@ -40,9 +40,13 @@ export function handleAnchorSet(
 	const cfg = params.config ?? {};
 
 	// Parse context from config
+	const POLLUTED_KEYS = new Set(["__proto__", "constructor", "prototype"]);
 	const context: Record<string, unknown> = {};
 	if (cfg.context && typeof cfg.context === "object") {
-		Object.assign(context, cfg.context as Record<string, unknown>);
+		const raw = cfg.context as Record<string, unknown>;
+		for (const [k, v] of Object.entries(raw)) {
+			if (!POLLUTED_KEYS.has(k)) context[k] = v;
+		}
 	}
 	if (cfg.key) {
 		// Single key shorthand

package/src/extension/team-tool/api.ts

@@ -25,9 +25,14 @@ import type { PiTeamsToolResult } from "../tool-result.ts";
 import { locateRunCwd } from "../team-tool.ts";
 import { configRecord, result, type TeamContext } from "./context.ts";
 
-function globMatch(value: string, pattern: string): boolean {
-	const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\?/g, "\\?").replace(/\*/g, ".*");
-	return new RegExp(`^${escaped}$`).test(value);
+export function globMatch(value: string, pattern: string): boolean {
+	// Prevent ReDoS: reject excessively long patterns
+	if (pattern.length > 200) return false;
+	const regex = pattern
+		.replace(/[.+^${}()|[\]\\]/g, "\\$&")  // escape regex special chars
+		.replace(/\*/g, "[^/]*")  // * matches non-slash characters only
+		.replace(/\?/g, "[^/]");  // ? matches single non-slash
+	return new RegExp(`^${regex}$`).test(value);
 }
 
 function safeReadContainedFile(baseDir: string, filePath: string | undefined): string | undefined {
@@ -364,7 +369,7 @@ export async function handleApi(params: TeamToolParamsValue, ctx: TeamContext):
 				const updatedTask = claimTask(task, owner);
 				const tasks = loaded.tasks.map((item) => item.id === task.id ? updatedTask : item);
 				saveRunTasks(loaded.manifest, tasks);
-				appendEvent(loaded.manifest.eventsPath, { type: "task.claimed", runId: loaded.manifest.runId, taskId: task.id, data: { owner, token: updatedTask.claim?.token, leasedUntil: updatedTask.claim?.leasedUntil } });
+				appendEvent(loaded.manifest.eventsPath, { type: "task.claimed", runId: loaded.manifest.runId, taskId: task.id, data: { owner, token: "[REDACTED]", leasedUntil: updatedTask.claim?.leasedUntil } });
 				return result(JSON.stringify(updatedTask.claim, null, 2), { action: "api", status: "ok", runId: loaded.manifest.runId, artifactsRoot: loaded.manifest.artifactsRoot });
 			});
 		} catch (error) {

package/src/extension/team-tool/config-patch.ts

@@ -1,5 +1,19 @@
 import { effectiveAutonomousConfig, parseConfig, type PiTeamsAutonomousConfig, type PiTeamsConfig } from "../../config/config.ts";
 
+const DANGEROUS_KEYS = new Set(["__proto__", "constructor", "prototype"]);
+
+/** Recursively strip dangerous prototype-pollution keys from all levels of an object. */
+export function sanitizeObject<T>(obj: T): T {
+	if (obj === null || obj === undefined || typeof obj !== "object") return obj;
+	if (Array.isArray(obj)) return obj.map((item) => sanitizeObject(item)) as T;
+	const safe: Record<string, unknown> = {};
+	for (const key of Object.keys(obj as Record<string, unknown>)) {
+		if (DANGEROUS_KEYS.has(key)) continue;
+		safe[key] = sanitizeObject((obj as Record<string, unknown>)[key]);
+	}
+	return safe as T;
+}
+
 export function autonomousPatchFromConfig(config: unknown): PiTeamsAutonomousConfig {
 	const rootPatch = parseConfig(config).autonomous;
 	if (rootPatch) return rootPatch;
@@ -11,7 +25,7 @@ export function configPatchFromConfig(config: unknown): PiTeamsConfig {
 }
 
 export function effectiveRunConfig(base: PiTeamsConfig, rawOverride: unknown): PiTeamsConfig {
-	const patch = parseConfig(rawOverride);
+	const patch = sanitizeObject(parseConfig(rawOverride));
 	return {
 		...base,
 		...patch,

package/src/extension/team-tool.ts

@@ -1258,7 +1258,8 @@ export function registerCrewGlobalRegistry(registry: CrewRegistry): void {
 		registry;
 }
 
-export function getCrewGlobalRegistry(): CrewRegistry | undefined {
+/** @internal */
+function getCrewGlobalRegistry(): CrewRegistry | undefined {
 	return (globalThis as Record<symbol | string, unknown>)[
 		CREW_REGISTRY_KEY
 	] as CrewRegistry | undefined;

package/src/hooks/registry.ts

@@ -35,6 +35,14 @@ export async function executeHook(name: HookName, ctx: HookContext): Promise<Hoo
 	// environments, all hooks should set workspaceId to prevent cross-workspace access.
 	const scopedHooks = hooks.filter((h) => !h.workspaceId || h.workspaceId === ctx.workspaceId);
 	if (scopedHooks.length === 0) return { hookName: name, outcome: "allow", durationMs: 0 };
+	const POLLUTED_KEYS = new Set(["__proto__", "constructor", "prototype"]);
+	function sanitizeMergeData(data: Record<string, unknown>): Record<string, unknown> {
+		const clean: Record<string, unknown> = {};
+		for (const [k, v] of Object.entries(data)) {
+			if (!POLLUTED_KEYS.has(k)) clean[k] = v;
+		}
+		return clean;
+	}
 	const start = Date.now();
 	const diagnostics: string[] = [];
 	let capturedModifications: Record<string, unknown> | undefined;
@@ -45,7 +53,7 @@ export async function executeHook(name: HookName, ctx: HookContext): Promise<Hoo
 					return { hookName: name, outcome: "block", durationMs: Date.now() - start, reason: result.reason };
 				}
 			if (result.outcome === "modify" && result.data) {
-				Object.assign(ctx, result.data);
+				Object.assign(ctx, sanitizeMergeData(result.data));
 				capturedModifications = { ...result.data };
 			}
 		} catch (error) {

package/src/hooks/types.ts

@@ -20,9 +20,9 @@ export type HookName =
  * - 1 = warn (non-blocking error, continue)
  * - 2 = block (blocking error, stop)
  */
-export const HOOK_EXIT_SUCCESS = 0 as const;
-export const HOOK_EXIT_WARN = 1 as const;
-export const HOOK_EXIT_BLOCK = 2 as const;
+/** @internal */ const HOOK_EXIT_SUCCESS = 0 as const;
+/** @internal */ const HOOK_EXIT_WARN = 1 as const;
+/** @internal */ const HOOK_EXIT_BLOCK = 2 as const;
 
 export type HookMode = "blocking" | "non_blocking";
 export type HookOutcome = "allow" | "block" | "modify" | "diagnostic";

package/src/i18n.ts

@@ -129,13 +129,26 @@ export function t(key: Key, params?: Params): string {
  * @example
  * addTranslations("vi", { "agent.requiresPrompt": "Agent cần prompt." })
  */
+const DANGEROUS_KEYS = new Set(["__proto__", "constructor", "prototype"]);
+
+function stripDangerousKeys<T extends Record<string, unknown>>(obj: T): T {
+	const safe: Record<string, unknown> = {};
+	for (const key of Object.keys(obj)) {
+		if (!DANGEROUS_KEYS.has(key)) {
+			safe[key] = obj[key];
+		}
+	}
+	return safe as T;
+}
+
 export function addTranslations(locale: string, bundle: Partial<Record<Key, string>>): void {
 	if (!locale) return;
+	const safeBundle = stripDangerousKeys(bundle as Record<string, unknown>) as Partial<Record<Key, string>>;
 	const existing = translations[locale];
 	if (existing) {
-		Object.assign(existing, bundle);
+		Object.assign(existing, safeBundle);
 	} else {
-		translations[locale] = { ...bundle };
+		translations[locale] = { ...safeBundle };
 	}
 }
 

package/src/observability/exporters/otlp-exporter.ts

@@ -8,6 +8,78 @@ import type { MetricExporter } from "./adapter.ts";
 
 const gzipAsync = promisify(gzip);
 
+/**
+ * SSRF protection: validate that an OTLP endpoint URL does not target
+ * private/reserved networks or dangerous protocols.
+ * Rejects: localhost, loopback, private IPs, link-local, cloud metadata,
+ * IPv6 private, file:// and javascript:// protocols.
+ * Only http:// and https:// to public hostnames are allowed.
+ */
+export function validateEndpoint(endpoint: string): void {
+	let url: URL;
+	try {
+		url = new URL(endpoint);
+	} catch {
+		throw new Error(`Invalid OTLP endpoint URL: ${endpoint}`);
+	}
+
+	// Only allow http and https protocols
+	if (url.protocol !== "http:" && url.protocol !== "https:") {
+		throw new Error(
+			`OTLP endpoint must use http:// or https:// protocol, got: ${url.protocol}`,
+		);
+	}
+
+	const hostname = url.hostname.toLowerCase();
+
+	// Reject known localhost names
+	if (hostname === "localhost" || hostname.endsWith(".localhost")) {
+		throw new Error(`OTLP endpoint must not target localhost: ${endpoint}`);
+	}
+
+	// Reject IPv6 loopback and private
+	if (hostname.startsWith("[")) {
+		const bare = hostname.replace(/^\[|\]$/g, "");
+		if (bare === "::1") {
+			throw new Error(`OTLP endpoint must not target loopback address: ${endpoint}`);
+		}
+		if (bare.toLowerCase().startsWith("fd") || bare.toLowerCase().startsWith("fc")) {
+			throw new Error(`OTLP endpoint must not target private IPv6 address: ${endpoint}`);
+		}
+	}
+
+	// Reject IPv4 private/reserved ranges
+	// Match plain IPv4 addresses (not hostnames that look like IPs)
+	const ipv4Match = hostname.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
+	if (ipv4Match) {
+		const octets = [Number(ipv4Match[1]), Number(ipv4Match[2]), Number(ipv4Match[3]), Number(ipv4Match[4])];
+		// 127.x.x.x - loopback
+		if (octets[0] === 127) {
+			throw new Error(`OTLP endpoint must not target loopback address: ${endpoint}`);
+		}
+		// 10.x.x.x - private class A
+		if (octets[0] === 10) {
+			throw new Error(`OTLP endpoint must not target private network (10.0.0.0/8): ${endpoint}`);
+		}
+		// 172.16.x.x - 172.31.x.x - private class B
+		if (octets[0] === 172 && octets[1] >= 16 && octets[1] <= 31) {
+			throw new Error(`OTLP endpoint must not target private network (172.16.0.0/12): ${endpoint}`);
+		}
+		// 192.168.x.x - private class C
+		if (octets[0] === 192 && octets[1] === 168) {
+			throw new Error(`OTLP endpoint must not target private network (192.168.0.0/16): ${endpoint}`);
+		}
+		// 169.254.x.x - link-local / cloud metadata
+		if (octets[0] === 169 && octets[1] === 254) {
+			throw new Error(`OTLP endpoint must not target link-local/metadata endpoint (169.254.0.0/16): ${endpoint}`);
+		}
+		// 0.x.x.x - this network
+		if (octets[0] === 0) {
+			throw new Error(`OTLP endpoint must not target this-network address (0.0.0.0/8): ${endpoint}`);
+		}
+	}
+}
+
 // FIX (Round 15): Cap the number of snapshots per push to prevent OOM when
 // the metric registry has grown large. The OTLP HTTP spec allows many metrics
 // in one payload, but a single push > 10_000 metrics would balloon the
@@ -71,6 +143,7 @@ export class OTLPExporter implements MetricExporter {
 	private readonly registry: MetricRegistry;
 
 	constructor(opts: OTLPExporterOptions, registry: MetricRegistry) {
+		validateEndpoint(opts.endpoint);
 		this.opts = opts;
 		this.registry = registry;
 	}

package/src/runtime/adaptive-plan.ts

@@ -22,6 +22,7 @@ import type { TeamConfig } from "../teams/team-config.ts";
 import type { WorkflowConfig, WorkflowStep } from "../workflows/workflow-config.ts";
 import type { TeamRunManifest, TeamTaskState } from "../state/types.ts";
 import { refreshTaskGraphQueues } from "./task-graph-scheduler.ts";
+import { getPlanTemplate, renderPlanTemplate, listPlanTemplates } from "./plan-templates.ts";
 
 export interface AdaptivePlanTask {
 	role: string;
@@ -70,6 +71,29 @@ export function extractAdaptivePlanJson(text: string): string | undefined {
 }
 
 export function parseAdaptivePlan(text: string, allowedRoles: string[]): AdaptivePlan | undefined {
+	// Check if the text is a plan template reference: "template:<name>" with optional JSON variables
+	const templateRefMatch = text.match(/^template:([a-zA-Z0-9_-]+)/);
+	if (templateRefMatch?.[1]) {
+		const template = getPlanTemplate(templateRefMatch[1]);
+		if (template) {
+			// Try to extract variables from the remaining text
+			let variables: Record<string, string> = {};
+			try {
+				const varsJson = text.slice(templateRefMatch[0].length).trim();
+				if (varsJson) variables = JSON.parse(varsJson);
+			} catch { /* use empty variables */ }
+			const rendered = renderPlanTemplate(templateRefMatch[1], variables);
+			if (rendered) {
+				// Convert RenderedPlan → AdaptivePlan
+				const phases: AdaptivePlanPhase[] = rendered.phases.map(phase => ({
+					name: phase.name,
+					tasks: [{ role: phase.role, task: phase.task }],
+				}));
+				return phases.length ? { phases } : undefined;
+			}
+		}
+	}
+
 	const raw = extractAdaptivePlanJson(text);
 	if (!raw) return undefined;
 	let parsed: unknown;