pi-crew 0.6.0 → 0.6.1

package/src/runtime/agent-control.ts

@@ -69,7 +69,8 @@ export function applyAttentionState(manifest: TeamRunManifest, agent: CrewAgentR
 	return updated;
 }
 
-export function applyLongRunningCheck(
+/** @internal */
+function applyLongRunningCheck(
 	manifest: TeamRunManifest,
 	agent: CrewAgentRecord,
 	config: CrewControlConfig,
@@ -105,7 +106,8 @@ export function applyLongRunningCheck(
 	return updated;
 }
 
-export function trackConsecutiveToolFailure(
+/** @internal */
+function trackConsecutiveToolFailure(
 	manifest: TeamRunManifest,
 	agent: CrewAgentRecord,
 	toolName: string,
@@ -140,7 +142,8 @@ export function trackConsecutiveToolFailure(
 	return updated;
 }
 
-export function resetConsecutiveToolFailures(
+/** @internal */
+function resetConsecutiveToolFailures(
 	manifest: TeamRunManifest,
 	agent: CrewAgentRecord,
 ): void {

package/src/runtime/async-runner.ts

@@ -5,6 +5,7 @@ import * as path from "node:path";
 import { fileURLToPath, pathToFileURL } from "node:url";
 import { logInternalError } from "../utils/internal-error.ts";
 import { appendEvent } from "../state/event-log.ts";
+import { sanitizeEnvSecrets } from "../utils/env-filter.ts";
 import type { TeamRunManifest } from "../state/types.ts";
 
 
@@ -131,8 +132,62 @@ export async function spawnBackgroundTeamRun(manifest: TeamRunManifest): Promise
 	const logPath = path.join(manifest.stateRoot, "background.log");
 	fs.mkdirSync(manifest.stateRoot, { recursive: true });
 
-	// NOTE: Do NOT set PI_CREW_PARENT_PID for the background runner.
-	const { PI_CREW_PARENT_PID: _, ...envWithoutParentPid } = process.env;
+	// SECURITY FIX: Use sanitizeEnvSecrets with same allow-list as child-pi.ts
+	// to prevent leaking all env vars (including secrets) to detached background runner.
+	// Previously, destructuring only removed PI_CREW_PARENT_PID but kept everything else.
+	const filteredEnv = sanitizeEnvSecrets(process.env, {
+		allowList: [
+			// Model provider API keys (same as child-pi.ts)
+			"MINIMAX_API_KEY",
+			"MINIMAX_GROUP_ID",
+			"OPENAI_API_KEY",
+			"OPENAI_ORG_ID",
+			"ANTHROPIC_API_KEY",
+			"GOOGLE_API_KEY",
+			"GOOGLE_GENERATIVE_LANGUAGE_API_KEY",
+			"AZURE_OPENAI_API_KEY",
+			"AZURE_OPENAI_ENDPOINT",
+			"AWS_ACCESS_KEY_ID",
+			"AWS_SECRET_ACCESS_KEY",
+			"AWS_REGION",
+			"ZEU_API_KEY",
+			"ZERODEV_API_KEY",
+			// Essential non-secret vars
+			"PATH",
+			"HOME",
+			"USER",
+			"SHELL",
+			"TERM",
+			"LANG",
+			"LC_ALL",
+			"LC_COLLATE",
+			"LC_CTYPE",
+			"LC_MESSAGES",
+			"LC_MONETARY",
+			"LC_NUMERIC",
+			"LC_TIME",
+			"XDG_CONFIG_HOME",
+			"XDG_DATA_HOME",
+			"XDG_CACHE_HOME",
+			"XDG_RUNTIME_DIR",
+			"NVM_BIN",
+			"NVM_DIR",
+			"NVM_INC",
+			"NODE_PATH",
+			"NODE_DISABLE_COLORS",
+			"NODE_EXTRA_CA_CERTS",
+			"NPM_CONFIG_REGISTRY",
+			"NPM_CONFIG_USERCONFIG",
+			"NPM_CONFIG_GLOBALCONFIG",
+			"PI_*",
+			"PI_CREW_*",
+			"PI_TEAMS_*",
+		],
+	});
+	// Block execution control vars from leaking
+	delete filteredEnv.PI_CREW_PARENT_PID;
+	delete filteredEnv.PI_CREW_EXECUTE_WORKERS;
+	delete filteredEnv.PI_TEAMS_EXECUTE_WORKERS;
 
 	const loader = resolveTypeScriptLoader();
 	if (!loader) {
@@ -159,7 +214,7 @@ export async function spawnBackgroundTeamRun(manifest: TeamRunManifest): Promise
 		detached: true,
 		setsid: true,
 		stdio: ["ignore", "pipe", "pipe"],
-		env: envWithoutParentPid,
+		env: filteredEnv,
 		windowsHide: true,
 	} as unknown as Parameters<typeof spawn>[2];
 	const child = spawn(process.execPath, command.args, spawnOpts);

package/src/runtime/background-runner.ts

@@ -138,7 +138,7 @@ async function main(): Promise<void> {
 		try {
 			const logPath = path.join(_cwd, ".crew/state/runs", _runId, "background.log");
 			logFd = fs.openSync(logPath, "a");
-			const origWrite = (prefix: string) => (data: any, ...args: any[]) => {
+			const origWrite = (_prefix: string) => (data: unknown, ...args: unknown[]) => {
 				const msg = [data, ...args].map(String).join(" ") + "\n";
 				fs.writeSync(logFd!, msg);
 			};

package/src/runtime/chain-runner.ts

@@ -11,6 +11,8 @@
  */
 
 import type { HandoffSummary, HandoffManager, TaskPacket, TaskResult } from "./handoff-manager.ts";
+import { parseChainDSL } from "./chain-parser.ts";
+import type { ChainStep as DSLChainStep } from "./chain-parser.ts";
 
 /**
  * Single step in a chain.
@@ -123,10 +125,25 @@ export class ChainRunner {
 	 * parseChain('"Research AI trends" -> "Analyze findings"')
 	 * parseChain("@step1 --model claude-opus-3 -> @step2")
 	 * 
+	 * Also supports DSL syntax from chain-parser for advanced constructs:
+	 * parseChain("step1 -> parallel(step2, step3) -> step4")
+	 * parseChain("step1:3 -> step2 --with-context -> step3")
+	 * 
 	 * @param chainString - The chain string to parse
 	 * @returns Parsed chain specification
 	 */
 	parseChain(chainString: string): ChainSpec {
+		// Try DSL parser first for advanced syntax (parallel groups, loop counts, flags)
+		// Falls back to the simple split parser if DSL parsing fails
+		if (this.hasDSLConstructs(chainString)) {
+			try {
+				const dslSteps = parseChainDSL(chainString);
+				return this.dslToChainSpec(dslSteps, chainString);
+			} catch {
+				// DSL parse failed; fall through to simple parser
+			}
+		}
+
 		const stepStrings = chainString.split("->").map(s => s.trim());
 
 		const steps: ChainStep[] = stepStrings.map((step, index) => {
@@ -337,6 +354,47 @@ export class ChainRunner {
 		return parsed;
 	}
 
+	/**
+	 * Detect if chainString uses DSL constructs that require chain-parser.
+	 * DSL features: parallel(...), :loopCount, --with-context flag
+	 */
+	private hasDSLConstructs(chainString: string): boolean {
+		return /\bparallel\s*\(/.test(chainString) ||
+			/\w+:\d+\b/.test(chainString) ||
+			/--with-context/.test(chainString);
+	}
+
+	/**
+	 * Convert DSL AST steps (from chain-parser) to ChainSpec.
+	 */
+	private dslToChainSpec(dslSteps: DSLChainStep[], chainString: string): ChainSpec {
+		const steps: ChainStep[] = dslSteps.map((dslStep, index) => {
+			// For parallel groups, use a synthetic step name
+			if (dslStep.parallel) {
+				return {
+					name: dslStep.name,
+					context: {
+						parallel: dslStep.parallel.map(p => ({ name: p.name, loopCount: p.loopCount, withContext: p.withContext, args: p.args })),
+					},
+					loopCount: dslStep.loopCount,
+				};
+			}
+			const step: ChainStep = { name: dslStep.name };
+			if (dslStep.loopCount) step.context = { ...step.context, loopCount: dslStep.loopCount };
+			if (dslStep.withContext) step.context = { ...step.context, withContext: true };
+			if (dslStep.args && dslStep.args.length > 0) step.context = { ...step.context, args: dslStep.args };
+			return step;
+		});
+
+		// Extract global overrides using existing logic
+		const globalModel = this.extractGlobalFlag(chainString, "global-model");
+		const globalSkill = this.extractGlobalFlag(chainString, "global-skill");
+		const globalThinking = this.extractGlobalFlag(chainString, "global-thinking") as "fast" | "standard" | "deep" | undefined;
+		const continueOnError = this.extractGlobalFlag(chainString, "continue-on-error") === "true";
+
+		return { steps, globalModel, globalSkill, globalThinking, continueOnError };
+	}
+
 	/**
 	 * Sanitize identifier to prevent injection.
 	 */

package/src/runtime/child-pi.ts

@@ -424,7 +424,7 @@ export async function runChildPi(input: ChildPiRunInput): Promise<ChildPiRunResu
 			return { exitCode: 1, stdout: "", stderr: "Mock mode requires PI_CREW_ALLOW_MOCK=1" };
 		}
 		// SECURITY: Log mock mode activation prominently for audit trail
-		console.warn(`Mock mode active: ${mock} — NOT running real agents!`);
+		logInternalError("child-pi.mock", new Error(`Mock mode active: ${mock}`), "NOT running real agents");
 		if (mock === "success") {
 			const stdout = `[MOCK] Success for ${input.agent.name}\n`;
 			observeStdoutChunk(input, stdout);

package/src/runtime/crew-agent-records.ts

@@ -249,8 +249,8 @@ export function writeCrewAgentStatusCoalesced(manifest: TeamRunManifest, record:
 	atomicWriteJsonCoalesced(agentStatusPath(manifest, record.taskId), redactSecrets(record), AGENT_COALESCE_MS);
 }
 
-/** Flush all coalesced agent writes synchronously. Hook into cleanup paths. */
-export function flushPendingAgentWrites(): void {
+/** @internal Flush all coalesced agent writes synchronously. Hook into cleanup paths. */
+function flushPendingAgentWrites(): void {
 	flushPendingAtomicWrites();
 }
 
@@ -353,7 +353,8 @@ export interface CrewAgentEventCursorOptions {
 	limit?: number;
 }
 
-export function readCrewAgentEvents(manifest: TeamRunManifest, taskId: string): unknown[] {
+/** @internal Convenience wrapper around readCrewAgentEventsCursor. */
+function readCrewAgentEvents(manifest: TeamRunManifest, taskId: string): unknown[] {
 	return readCrewAgentEventsCursor(manifest, taskId).events;
 }
 

package/src/runtime/cross-extension-rpc.ts

@@ -29,15 +29,19 @@ function handleRpc<P extends { requestId: string }>(
 ): () => void {
 	return events.on(channel, async (raw: unknown) => {
 		const params = raw as P;
+		// SECURITY: Validate requestId format to prevent channel injection.
+		if (!/^[a-zA-Z0-9_-]+$/.test(params.requestId)) {
+			throw new Error("Security: invalid requestId format");
+		}
 		try {
 			const data = await fn(params);
 			const reply: { success: true; data?: unknown } = { success: true };
 			if (data !== undefined) reply.data = data;
 			events.emit(`${channel}:reply:${params.requestId}`, reply);
-		} catch (err: any) {
+		} catch (err: unknown) {
 			events.emit(`${channel}:reply:${params.requestId}`, {
 				success: false,
-				error: err?.message ?? String(err),
+				error: err instanceof Error ? err.message : String(err),
 			});
 		}
 	});
@@ -50,21 +54,43 @@ export function registerCrewRpcHandlers(deps: RpcDeps): RpcHandle {
 		return { version: PROTOCOL_VERSION };
 	});
 
-	const unsubSpawn = handleRpc<{ requestId: string; type: string; prompt: string; options?: Record<string, unknown> }>(
+	// SECURITY TRUST BOUNDARY: crew:rpc:spawn and crew:rpc:stop are privileged
+	// operations that create or terminate child processes. Any subscriber on
+	// the shared event bus can emit these events. In a multi-extension
+	// environment, this means a malicious extension could spawn/stop agents.
+	// Mitigation: validate that the caller is the pi-crew extension by checking
+	// the request includes a known extension identifier. Log all invocations
+	// for audit. A full fix requires event-bus-level origin signing.
+	const CREW_RPC_SOURCE = "pi-crew";
+
+	function validateRpcSource(params: { requestId: string; source?: string }): boolean {
+		if (!params.source || params.source !== CREW_RPC_SOURCE) {
+			console.warn(
+				`[pi-crew SECURITY] RPC invocation from unexpected source: ${params.source ?? "(none)"}. ` +
+				`Expected '${CREW_RPC_SOURCE}'. Request may be from an untrusted extension.`,
+			);
+			return false;
+		}
+		return true;
+	}
+
+	const unsubSpawn = handleRpc<{ requestId: string; type: string; prompt: string; options?: Record<string, unknown>; source?: string }>(
 		events,
 		"crew:rpc:spawn",
-		({ type, prompt, options }) => {
+		(params) => {
+			if (!validateRpcSource(params)) throw new Error("Unauthorized: RPC spawn requires source='pi-crew'");
 			const ctx = getCtx();
 			if (!ctx) throw new Error("No active session");
-			return { id: spawn(type, prompt, options ?? {}) };
+			return { id: spawn(params.type, params.prompt, params.options ?? {}) };
 		},
 	);
 
-	const unsubStop = handleRpc<{ requestId: string; agentId: string }>(
+	const unsubStop = handleRpc<{ requestId: string; agentId: string; source?: string }>(
 		events,
 		"crew:rpc:stop",
-		({ agentId }) => {
-			if (!abort(agentId)) throw new Error("Agent not found");
+		(params) => {
+			if (!validateRpcSource(params)) throw new Error("Unauthorized: RPC stop requires source='pi-crew'");
+			if (!abort(params.agentId)) throw new Error("Agent not found");
 		},
 	);
 

package/src/runtime/diagnostic-export.ts

@@ -9,9 +9,9 @@ import { loadRunManifestById } from "../state/state-store.ts";
 import type { TeamRunManifest, TeamTaskState } from "../state/types.ts";
 import { summarizeHeartbeats, type HeartbeatSummary } from "../ui/heartbeat-aggregator.ts";
 import type { RunUiSnapshot } from "../ui/snapshot-types.ts";
-import { redactSecrets } from "../utils/redaction.ts";
+import { redactSecrets, isSecretKey } from "../utils/redaction.ts";
 import { buildRecoveryLedger, type RecoveryLedgerEntry } from "./recovery-recipes.ts";
-export { redactSecrets } from "../utils/redaction.ts";
+export { redactSecrets, isSecretKey } from "../utils/redaction.ts";
 
 export interface DiagnosticReport {
 	schemaVersion?: number;
@@ -37,13 +37,12 @@ export interface DiagnosticReport {
 	recoveryLedger: RecoveryLedgerEntry[];
 }
 
-const SECRET_KEY_PATTERN = /(token|key|password|secret|credential|auth)/i;
 const ENV_DEBUG_ALLOWLIST = /^(PI_CREW_|PI_TEAMS_|PI_.*HOME|NODE_ENV|NODE_VERSION|OS|PROCESSOR|TERM|LANG|HOME|USERPROFILE|APPDATA|PLATFORM|ARCH|WIN32|DOCKER|CI|VERBOSE|DEBUG|NO_COLOR|FORCE_COLOR|NPM_CONFIG|npm_)/i;
 
 function envRedacted(): Record<string, string> {
 	const output: Record<string, string> = {};
 	for (const [key, value] of Object.entries(process.env)) {
-		if (SECRET_KEY_PATTERN.test(key)) output[key] = "***";
+		if (isSecretKey(key)) output[key] = "***";
 		else if (typeof value === "string" && ENV_DEBUG_ALLOWLIST.test(key)) output[key] = value;
 		// All other env vars are omitted to prevent leaking sensitive paths or system topology.
 	}

package/src/runtime/dynamic-script-runner.ts

@@ -484,11 +484,11 @@ export function createScriptRunner(options?: DynamicScriptOptions): DynamicScrip
 /**
  * @internal TEST ONLY — do not use in production code.
  * Exposes DynamicScriptRunner.executeUnchecked for unit testing.
+ * Returns undefined in non-test environments to prevent production use.
  */
-export function __test_executeUnchecked(
-	runner: DynamicScriptRunner,
-	code: string,
-	timeout?: number,
-): ScriptExecutionResult {
-	return (runner as unknown as { executeUnchecked: (code: string, timeout?: number) => ScriptExecutionResult }).executeUnchecked(code, timeout);
-}
+export const __test_executeUnchecked: ((runner: DynamicScriptRunner, code: string, timeout?: number) => ScriptExecutionResult) | undefined =
+	process.env.NODE_ENV === "test"
+		? (runner: DynamicScriptRunner, code: string, timeout?: number): ScriptExecutionResult => {
+			return (runner as unknown as { executeUnchecked: (code: string, timeout?: number) => ScriptExecutionResult }).executeUnchecked(code, timeout);
+		}
+		: undefined;

package/src/runtime/foreground-watchdog.ts

@@ -41,8 +41,8 @@ export function stopWatchdog(runId: string): void {
 	}
 }
 
-/** Stop all active watchdogs. Called on session shutdown. */
-export function stopAllWatchdogs(): void {
+/** @internal Stop all active watchdogs. Called on session shutdown. */
+function stopAllWatchdogs(): void {
 	for (const [runId, timer] of activeWatchdogs) {
 		clearTimeout(timer);
 	}

package/src/runtime/live-agent-manager.ts

@@ -81,7 +81,8 @@ export function listLiveAgentsByWorkspace(workspaceId: string): LiveAgentHandle[
 /**
  * List only active agents (running/queued/waiting) for a specific workspace.
  */
-export function listActiveLiveAgentsByWorkspace(workspaceId: string): LiveAgentHandle[] {
+/** @internal */
+function listActiveLiveAgentsByWorkspace(workspaceId: string): LiveAgentHandle[] {
 	return listActiveLiveAgents().filter((a) => a.workspaceId === workspaceId);
 }
 
@@ -150,7 +151,8 @@ function safeDisposeLiveSession(handle: LiveAgentHandle): void {
 	}
 }
 
-export function removeLiveAgentHandle(agentId: string): LiveAgentHandle | undefined {
+/** @internal */
+function removeLiveAgentHandle(agentId: string): LiveAgentHandle | undefined {
 	const handle = liveAgents.get(agentId);
 	if (!handle) return undefined;
 	liveAgents.delete(agentId);
@@ -406,7 +408,8 @@ export function broadcastIrcMessage(fromAgentId: string, message: IrcMessage): s
 }
 
 /** Phase 7: Get pending IRC messages for an agent (and clear them). */
-export function drainIrcMessages(agentIdOrTaskId: string): IrcMessage[] {
+/** @internal */
+function drainIrcMessages(agentIdOrTaskId: string): IrcMessage[] {
 	const handle = getLiveAgent(agentIdOrTaskId);
 	if (!handle) return [];
 	const messages = [...handle.pendingMessages];

package/src/runtime/live-irc.ts

@@ -51,7 +51,8 @@ export function renderIrcPeerRoster(selfId: string, peers: Array<{ agentId: stri
 /**
  * Build the IRC system prompt section for a live-session worker.
  */
-export function buildIrcSystemSection(selfId: string, peers: Array<{ agentId: string; status: string }>): string {
+/** @internal */
+function buildIrcSystemSection(selfId: string, peers: Array<{ agentId: string; status: string }>): string {
 	const roster = renderIrcPeerRoster(selfId, peers);
 	return [
 		"## Inter-Agent Communication",
@@ -66,7 +67,8 @@ export function buildIrcSystemSection(selfId: string, peers: Array<{ agentId: st
  * Route an IRC message to the appropriate agent(s).
  * Returns the list of agent IDs that received the message.
  */
-export function routeIrcMessage(
+/** @internal */
+function routeIrcMessage(
 	message: IrcSendMessage,
 	selfId: string,
 	routing: {

package/src/runtime/parallel-utils.ts

@@ -63,7 +63,8 @@ export async function mapConcurrent<T, R>(items: T[], limit: number, fn: (item:
  * On abort: returns partial results (may contain undefined entries).
  * On error: throws immediately (fail-fast) and cancels remaining work.
  */
-export async function mapConcurrentWithSignal<T, R>(
+/** @internal */
+async function mapConcurrentWithSignal<T, R>(
 	items: T[],
 	limit: number,
 	fn: (item: T, i: number, signal: AbortSignal) => Promise<R>,

package/src/runtime/post-checks.ts

@@ -5,6 +5,7 @@
  * Distilled from pi-autoresearch's post-check / backpressure pattern.
  */
 import { execFileSync } from "node:child_process";
+import * as path from "node:path";
 import { resolveShellForScript } from "../utils/resolve-shell.ts";
 import { sanitizeEnvSecrets } from "../utils/env-filter.ts";
 
@@ -56,9 +57,8 @@ function resolveScriptPath(config: PostCheckConfig): string | undefined {
  * If no script path is available (neither config nor env var), the check
  * passes by default with a note.
  *
- * **Security note:** The script path is user-configurable (config or env var)
- * and executed with minimal environment (PATH, HOME, USER, LANG). Only use with trusted script
- * paths. No path containment validation is performed.
+ * **Security note:** The script path is validated to stay within `cwd`.
+ * Scripts that escape the working directory are rejected.
  *
  * @param config - Post-check configuration (script path and timeout)
  * @param cwd - Working directory for script execution
@@ -77,6 +77,13 @@ export async function runPostCheck(config: PostCheckConfig, cwd: string): Promis
 		};
 	}
 
+	// M1: Validate that the script path is contained within cwd to prevent arbitrary file execution
+	const resolved = path.resolve(cwd, scriptPath);
+	const resolvedCwd = path.resolve(cwd);
+	if (!resolved.startsWith(resolvedCwd + path.sep) && resolved !== resolvedCwd) {
+		throw new Error(`Security: PI_CREW_POST_CHECK_SCRIPT escapes cwd: ${scriptPath}`);
+	}
+
 	const startTime = Date.now();
 
 	return new Promise<PostCheckResult>((resolve) => {

package/src/runtime/{drift-detectors.ts → run-drift.ts}

@@ -208,7 +208,7 @@ export function runDriftDetection(ctx: DriftContext, maxPasses = 2): DriftReport
 					newFindings++;
 				}
 			} catch (error) {
-				logInternalError("drift-detectors", error, `detector=${detector.name} runId=${ctx.manifest?.runId}`);
+				logInternalError("run-drift", error, `detector=${detector.name} runId=${ctx.manifest?.runId}`);
 			}
 		}
 

package/src/runtime/sandbox.ts

@@ -21,28 +21,32 @@ const FORBIDDEN_PATTERNS = [
 	// Global escape vectors
 	/\bglobalThis\b/,                 // globalThis reference
 	/\bglobal\b/,                      // global reference (Node.js)
+	/\bconstructor\b/,                 // Block constructor chain escape: [].constructor.constructor("return process")()
 ] as const;
 
+Object.freeze(FORBIDDEN_PATTERNS);
+
 /**
- * Whitelist of allowed identifiers for strict mode.
- * Only these identifiers can be used in sandboxed code.
+ * SECURITY (HIGH #3 fix): Normalize source code before forbidden-pattern checks
+ * to prevent unicode-escape bypasses.
+ *
+ * Attackers can write `import\u0028"fs"\u0029` which compiles as
+ * `import("fs")` but does not match the regex `/import\s*\(/`.
+ *
+ * This function:
+ * 1. Strips null bytes (used to split keywords across boundaries)
+ * 2. Decodes \uXXXX escape sequences so regexes see the actual characters
  */
-const ALLOWED_IDENTIFIERS = new Set([
-	// Built-in constructors
-	"Array", "Boolean", "Date", "Error", "Function", "JSON", "Map", "Number", "Object", "Promise", "RegExp", "Set", "String", "Symbol",
-	// Static methods
-	"ArrayBuffer", "Uint8Array", "parseInt", "parseFloat", "isNaN", "isFinite",
-	// URI encoding
-	"encodeURI", "decodeURI", "encodeURIComponent", "decodeURIComponent",
-	// Math (read-only)
-	"Math",
-	// Console (safe methods only)
-	"console",
-	// Process (limited)
-	"process",
-]);
-
-Object.freeze(FORBIDDEN_PATTERNS);
+export function normalizeCodeForValidation(code: string): string {
+	// Strip null bytes
+	let normalized = code.replace(/\0/g, "");
+	// Decode common unicode escapes: \u0028 → (
+	normalized = normalized.replace(
+		/\\u([0-9a-fA-F]{4})/g,
+		(_, hex) => String.fromCharCode(Number.parseInt(hex, 16)),
+	);
+	return normalized;
+}
 
 export interface SandboxOptions {
 	timeout?: number;
@@ -204,15 +208,17 @@ export class WorkflowSandbox {
 	 * ensure compilation is safe.
 	 */
 	private validateScript(code: string): void {
+		// SECURITY (HIGH #3 fix): Normalize unicode escapes before pattern matching
+		const normalized = normalizeCodeForValidation(code);
 		// Check for ESM/module patterns
 		for (const pattern of FORBIDDEN_PATTERNS) {
-			if (pattern.test(code)) {
+			if (pattern.test(normalized)) {
 				throw new Error(`Forbidden pattern detected: ${pattern.source}`);
 			}
 		}
 
 		// Check for import.meta specifically (C4)
-		if (/import\.meta/.test(code)) {
+		if (/import\.meta/.test(normalized)) {
 			throw new Error("import.meta is not allowed in sandboxed code");
 		}
 

package/src/runtime/semaphore.ts

@@ -88,7 +88,8 @@ export interface ParallelResult<R> {
  *
  * Adapted from oh-my-pi's `mapWithConcurrencyLimit`.
  */
-export async function mapWithFailFast<T, R>(
+/** @internal */
+async function mapWithFailFast<T, R>(
 	items: T[],
 	concurrency: number,
 	fn: (item: T, index: number, signal: AbortSignal) => Promise<R>,

package/src/runtime/settings-store.ts

@@ -20,6 +20,18 @@ const MAX_TURNS_CEILING = 10_000;
 const GRACE_TURNS_CEILING = 1_000;
 const VALID_JOIN_MODES = new Set<JoinMode>(["async", "group", "smart"]);
 
+/**
+ * M2: Validate that a scheduled job object has required fields before passing to scheduler.
+ * Prevents opaque unknown[] from reaching CrewScheduler.add() without validation.
+ */
+function validateScheduledJob(job: unknown): boolean {
+	if (!job || typeof job !== "object") return false;
+	const obj = job as Record<string, unknown>;
+	return typeof obj.id === "string" && obj.id.length > 0
+		&& typeof obj.scheduleType === "string"
+		&& typeof obj.enabled === "boolean";
+}
+
 function sanitizeSettings(raw: unknown): CrewSettings {
 	if (!raw || typeof raw !== "object") return {};
 	const r = raw as Record<string, unknown>;
@@ -57,9 +69,9 @@ function sanitizeSettings(raw: unknown): CrewSettings {
 	if (typeof r.notifierIntervalMs === "number" && r.notifierIntervalMs >= 1000) {
 		out.notifierIntervalMs = r.notifierIntervalMs;
 	}
-	// Pass through scheduledJobs as opaque array (validated by crewScheduler.add)
+	// Pass through scheduledJobs after basic validation
 	if (Array.isArray(r.scheduledJobs)) {
-		out.scheduledJobs = r.scheduledJobs;
+		out.scheduledJobs = (r.scheduledJobs as unknown[]).filter(validateScheduledJob);
 	}
 	return out;
 }

package/src/runtime/skill-effectiveness.ts

@@ -374,7 +374,8 @@ export function getWeightedSkillsForRole(
  * Filter skills by confidence threshold.
  * Skills below threshold are marked as "suggest" only.
  */
-export function filterSkillsByConfidence(
+/** @internal */
+function filterSkillsByConfidence(
 	skillIds: string[],
 	runId: string,
 	threshold: keyof typeof CONFIDENCE_THRESHOLDS = "MODERATE",
@@ -431,7 +432,8 @@ export function registerSkillEffectivenessHooks(): void {
 /**
  * Generate a skill effectiveness report for a run.
  */
-export function generateSkillEffectivenessReport(
+/** @internal */
+function generateSkillEffectivenessReport(
 	runId: string,
 	skillIds: string[],
 ): string {

package/src/runtime/skill-instructions.ts

@@ -244,7 +244,10 @@ export function renderSkillInstructions(input: RenderSkillInstructionsInput & {
 		const confidenceNote = weighted ? ` [Confidence: ${(weighted.confidence * 100).toFixed(0)}% — ${weighted.threshold}]` : "";
 
 		const header = [`## ${safeName}`, description ? `Description: ${description}${confidenceNote}` : undefined, `Source: ${source}`].filter(Boolean).join("\n");
-		const section = `${header}\n\n${compactSkillContent(loaded.content)}`;
+		const rawContent = compactSkillContent(loaded.content);
+		// Wrap skill content with provenance markers to help LLMs distinguish skill instructions
+		const wrappedContent = `<!-- skill: ${safeName} -->\n${rawContent}\n<!-- end-skill: ${safeName} -->`;
+		const section = `${header}\n\n${wrappedContent}`;
 		if (!pushSection(section)) omittedCount += 1;
 	}
 	if (omittedCount > 0) {

package/src/runtime/subagent-manager.ts

@@ -88,10 +88,28 @@ export function savePersistedSubagentRecord(cwd: string, record: SubagentRecord)
 	}
 }
 
+const ALLOWED_RECORD_FIELDS = new Set([
+	"agentId", "agentName", "subagentType", "status", "spawnedAt",
+	"completedAt", "model", "runId", "cwd", "taskId", "taskId",
+]);
+
+function sanitizePersistedRecord(raw: unknown): SubagentRecord | undefined {
+	if (!raw || typeof raw !== "object" || Array.isArray(raw)) return undefined;
+	const obj = raw as Record<string, unknown>;
+	if (typeof obj.agentId !== "string" || !obj.agentId) return undefined;
+	const clean: Record<string, unknown> = { agentId: obj.agentId };
+	for (const key of Object.keys(obj)) {
+		if (ALLOWED_RECORD_FIELDS.has(key) && (typeof obj[key] === "string" || typeof obj[key] === "number" || typeof obj[key] === "boolean")) {
+			clean[key] = obj[key];
+		}
+	}
+	return clean as unknown as SubagentRecord;
+}
+
 export function readPersistedSubagentRecord(cwd: string, id: string): SubagentRecord | undefined {
 	try {
-		const parsed = JSON.parse(fs.readFileSync(persistedSubagentPath(cwd, id), "utf-8"));
-		return parsed && typeof parsed === "object" && !Array.isArray(parsed) ? parsed as SubagentRecord : undefined;
+		const raw = JSON.parse(fs.readFileSync(persistedSubagentPath(cwd, id), "utf-8"));
+		return sanitizePersistedRecord(raw);
 	} catch {
 		return undefined;
 	}