pi-crew 0.6.0 → 0.6.1

package/src/runtime/subprocess-tool-registry.ts

@@ -61,7 +61,7 @@ class SubprocessToolRegistryImpl implements SubprocessToolRegistry {
 
 export const subprocessToolRegistry: SubprocessToolRegistry = new SubprocessToolRegistryImpl();
 
-/** H3: Reset the global singleton registry (for test isolation). */
-export function resetSubprocessToolRegistry(): void {
+/** @internal Reset the global singleton registry (for test isolation). */
+function resetSubprocessToolRegistry(): void {
 	subprocessToolRegistry.clear();
 }

package/src/runtime/task-packet.ts

@@ -1,6 +1,7 @@
 import * as path from "node:path";
 import type { TeamRunManifest, TaskPacket, TaskScope, VerificationContract } from "../state/types.ts";
 import type { WorkflowStep } from "../workflows/workflow-config.ts";
+import { generateTaskHashId } from "./task-id.ts";
 
 // ═══════════════════════════════════════════════════════════════════════════
 // SEC-007 Fix: Workflow Step Task Sanitization
@@ -81,8 +82,19 @@ export function buildTaskPacket(input: BuildTaskPacketInput): TaskPacket {
 	const scopePath = reads.length === 1 ? reads[0] : reads.length > 1 ? reads.join(", ") : undefined;
 	// SEC-007: Sanitize task text before inserting into task packet
 	const sanitizedTask = sanitizeTaskText(input.step.task);
+	const sanitizedGoal = sanitizeTaskText(input.manifest.goal);
+
+	// Generate a deterministic hash-based task ID for traceability and logging.
+	// Uses goal + step ID + run ID as content parts.
+	// TODO: Once TaskPacket type gains a hashId field, include this in the packet.
+	const _taskHashId = generateTaskHashId([
+		input.manifest.goal,
+		input.step.id,
+		input.manifest.runId,
+	]);
+
 	return {
-		objective: sanitizedTask.replaceAll("{goal}", input.manifest.goal),
+		objective: sanitizedTask.replaceAll("{goal}", sanitizedGoal),
 		scope,
 		scopePath,
 		repo: path.basename(input.manifest.cwd) || input.manifest.cwd,

package/src/runtime/task-runner.ts

@@ -1,4 +1,5 @@
 import * as fs from "node:fs";
+import * as path from "node:path";
 import type { AgentConfig } from "../agents/agent-config.ts";
 import type { CrewLimitsConfig, CrewRuntimeConfig } from "../config/config.ts";
 import type {
@@ -272,6 +273,11 @@ export async function runTeamTask(
 		if (input.step.preStepScript) {
 			const scriptTimeout = input.step.preStepTimeout ?? 30_000;
 			const scriptArgs = input.step.preStepArgs ?? [];
+			// SECURITY: Validate preStepScript path is contained within cwd
+			const resolved = path.resolve(manifest.cwd, input.step.preStepScript);
+			if (!resolved.startsWith(path.resolve(manifest.cwd) + path.sep) && resolved !== path.resolve(manifest.cwd)) {
+				throw new Error(`Security: preStepScript path escapes working directory: ${input.step.preStepScript}`);
+			}
 			try {
 				const { execFileSync } = await import("node:child_process");
 				preStepOutput = execFileSync(input.step.preStepScript, scriptArgs, {
@@ -526,6 +532,9 @@ export async function runTeamTask(
 							collectedJsonEvents.push(
 								event as Record<string, unknown>,
 							);
+							if (collectedJsonEvents.length > 1000) {
+								collectedJsonEvents.splice(0, collectedJsonEvents.length - 1000);
+							}
 						// Accumulate lifetime usage via message_end events (survives compaction)
 						if (event && typeof event === "object" && (event as Record<string, unknown>).type === "message_end") {
 							const msg = (event as Record<string, unknown>).message as Record<string, unknown> | undefined;

package/src/runtime/usage-tracker.ts

@@ -16,7 +16,8 @@ export function addUsage(into: LifetimeUsage, delta: { input?: number; output?:
 	if (typeof delta.cacheWrite === "number") into.cacheWrite += delta.cacheWrite;
 }
 
-export function lifetimeUsageFromState(state: UsageState | undefined): LifetimeUsage {
+/** @internal */
+function lifetimeUsageFromState(state: UsageState | undefined): LifetimeUsage {
 	if (!state) return emptyLifetimeUsage();
 	return {
 		input: state.input ?? 0,
@@ -59,7 +60,8 @@ export const getTaskUsage = getTrackedTaskUsage;
 export const getRunUsage = getTrackedTaskUsage;
 export const clearAllTaskUsage = clearAllTrackedTaskUsage;
 
-export function aggregateTrackedUsageForRun(manifest: TeamRunManifest, tasks: TeamTaskState[]): UsageState {
+/** @internal */
+function aggregateTrackedUsageForRun(manifest: TeamRunManifest, tasks: TeamTaskState[]): UsageState {
 	const total = emptyLifetimeUsage();
 	for (const task of tasks) {
 		const tracked = getTrackedTaskUsage(task.id);

package/src/runtime/verification-gates.ts

@@ -38,35 +38,61 @@ export interface PhaseGateBundle {
  * Sequential enforcement: each phase must pass before proceeding.
  */
 export const NPM_TYPESCRIPT_GATES: Array<{ name: string; command: string; critical: boolean }> = [
-	{ name: "build", command: "npm run build 2>&1 || true", critical: true },
-	{ name: "typecheck", command: "npx tsc --noEmit 2>&1 || true", critical: true },
-	{ name: "lint", command: "npm run lint 2>&1 || true", critical: false },
-	{ name: "tests", command: "npm test 2>&1 || true", critical: true },
+	{ name: "build", command: "npm run build 2>&1", critical: true },
+	{ name: "typecheck", command: "npx tsc --noEmit 2>&1", critical: true },
+	{ name: "lint", command: "npm run lint 2>&1", critical: false },
+	{ name: "tests", command: "npm test 2>&1", critical: true },
 ];
 
 /**
  * Cargo/Rust project phase gates.
  */
 export const CARGO_RUST_GATES: Array<{ name: string; command: string; critical: boolean }> = [
-	{ name: "check", command: "cargo check 2>&1 || true", critical: true },
-	{ name: "test", command: "cargo test 2>&1 || true", critical: true },
-	{ name: "clippy", command: "cargo clippy 2>&1 || true", critical: false },
+	{ name: "check", command: "cargo check 2>&1", critical: true },
+	{ name: "test", command: "cargo test 2>&1", critical: true },
+	{ name: "clippy", command: "cargo clippy 2>&1", critical: false },
 ];
 
 /**
  * Execute a single command and capture output.
  */
+/** Characters/patterns that indicate dangerous shell metacharacters. */
+const DANGEROUS_SHELL_PATTERNS = /(?:;|&&|\|\||\$\(|`|\$\{|\b(eval|exec)\b|>>|<[^&])/;
+// Note: single `>` is NOT blocked here because `2>&1` is a safe redirect used by built-in gates.
+// `>>` (append) is still blocked. `<` without `&` (input redirect) is still blocked.
+
+/**
+ * Validate a verification gate command is safe to execute.
+ * Rejects commands with shell metacharacters that could enable injection.
+ * Allows: pipes (|), redirection of stderr (2>&1), and basic npm/cargo/npx commands.
+ */
+function validateGateCommand(command: string): void {
+	const normalized = command
+		.replace(/\x1b\[[0-9;]*[a-zA-Z]/g, '')  // ANSI escape sequences
+		.replace(/[\x00-\x08\x0b\x0c\x0e-\x1f]/g, '')  // control chars
+		.replace(/\\\n/g, ' ')  // escaped newlines
+		.replace(/\s+/g, ' ')  // collapse whitespace
+		.trim();
+	if (DANGEROUS_SHELL_PATTERNS.test(normalized)) {
+		throw new Error(
+			`Security: verification gate command rejected (dangerous shell pattern): ${command}`,
+		);
+	}
+}
+
 async function executeCommand(
 	command: string,
 	cwd: string,
 	timeoutMs: number = 120000,
 ): Promise<{ exitCode: number | null; output: string; durationMs: number }> {
+	// SECURITY: Validate command before shell execution to prevent injection.
+	validateGateCommand(command);
+
 	const start = Date.now();
 	let output = "";
 	let exitCode: number | null = null;
 
 	return new Promise((resolve) => {
-		// Use shell to handle compound commands
 		const shell = spawn("sh", ["-c", command], {
 			cwd,
 			timeout: timeoutMs,
@@ -313,7 +339,8 @@ export function computeGreenLevelFromResults(
  * Create a verification gate report artifact.
  * Formatted for human review per ECC verification-loop pattern.
  */
-export function createVerificationGateReport(
+/** @internal */
+function createVerificationGateReport(
 	taskId: string,
 	contract: VerificationContract,
 	results: VerificationCommandResult[],

package/src/state/contracts.ts

@@ -28,7 +28,8 @@ export const TEAM_TASK_STATUS_TRANSITIONS: Readonly<Record<TeamTaskStatus, reado
 	needs_attention: ["queued", "running"],
 };
 
-export const TEAM_EVENT_TYPES = [
+/** @internal */
+const TEAM_EVENT_TYPES = [
 	"run.created",
 	"run.queued",
 	"run.planning",

package/src/state/event-log.ts

@@ -80,7 +80,11 @@ export function withEventLogLockSync<T>(eventsPath: string, fn: () => T): T {
 	const lockDir = `${eventsPath}.lock`;
 	const pidFile = path.join(lockDir, "pid");
 	const start = Date.now();
-	const timeout = 120000; // 120s timeout for slow CI environments
+	// SECURITY (HIGH #2 fix): Reduced from 120s to 5s to prevent blocking the
+	// event loop indefinitely. 500 retries × 10ms = 5s max. After timeout, we
+	// throw a clear error instead of blocking forever. This ensures AbortSignal
+	// handlers, SIGTERM, and graceful shutdown can fire within seconds.
+	const timeout = 5000;
 	const staleMs = 10000;
 	let acquired = false;
 	while (true) {
@@ -91,10 +95,12 @@ export function withEventLogLockSync<T>(eventsPath: string, fn: () => T): T {
 			break;
 		} catch {
 			if (Date.now() - start > timeout) {
-				// Log error and continue without lock — lock is held by live process.
-				// Stale detection will clean up dead locks on next attempt.
-				logInternalError("event-log.lock-timeout", new Error(`Event log lock timeout for ${eventsPath}`), `lockDir=${lockDir}`);
-				break;
+				// SECURITY (HIGH #2 fix): Throw instead of continuing without lock.
+				// Previously this logged and broke out of the loop, executing the
+				// operation without lock protection. Now we throw so callers can retry.
+				throw new Error(
+					`Event log lock timeout for ${eventsPath}: could not acquire lock within ${timeout}ms`,
+				);
 			}
 			// Stale detection: if the owning process is dead, remove the stale lock.
 			try {
@@ -217,6 +223,11 @@ export function appendEvent(eventsPath: string, event: AppendTeamEvent): TeamEve
 // --- Async write queue (non-blocking alternative to withEventLogLockSync) ---
 const asyncQueues = new Map<string, Promise<unknown>>();
 
+/** Reset event log mode (for testing only). */
+export function resetEventLogMode(): void {
+	asyncQueues.clear();
+}
+
 /**
  * Append an event to the event log using non-blocking async I/O.
  *

package/src/state/hook-instinct-bridge.ts

@@ -80,7 +80,8 @@ crewHooks.register("run_completed", async (event) => {
 /**
  * Get instinct-based recommendations.
  */
-export async function getInstinctRecommendations() {
+/** @internal */
+async function getInstinctRecommendations() {
 	try {
 		const store = await getStore();
 		return store.getInstincts().filter((i: { confidence: number }) => i.confidence >= 0.6);

package/src/state/locks.ts

@@ -1,6 +1,6 @@
 import * as fs from "node:fs";
 import * as path from "node:path";
-import { randomUUID } from "node:crypto";
+import { randomUUID, timingSafeEqual } from "node:crypto";
 import type { TeamRunManifest } from "./types.ts";
 import { DEFAULT_LOCKS } from "../config/defaults.ts";
 import { sleepSync } from "../utils/sleep.ts";
@@ -103,9 +103,16 @@ function readLockToken(filePath: string): string | undefined {
  *
  * With token matching, A's release is a no-op for B's lock.
  */
+function timingSafeTokenMatch(a: string, b: string): boolean {
+	const bufA = Buffer.from(String(a));
+	const bufB = Buffer.from(String(b));
+	if (bufA.length !== bufB.length) return false;
+	return timingSafeEqual(bufA, bufB);
+}
+
 function releaseLock(filePath: string, token: string): void {
 	const stored = readLockToken(filePath);
-	if (stored === undefined || stored === token) {
+	if (stored === undefined || timingSafeTokenMatch(stored, token)) {
 		try {
 			fs.rmSync(filePath, { force: true });
 		} catch {

package/src/state/state-store.ts

@@ -208,7 +208,8 @@ export function saveRunTasks(manifest: TeamRunManifest, tasks: TeamTaskState[]):
  * intended use case. Single-update + read-update loops (e.g.
  * persistSingleTaskUpdate) should keep using saveRunTasks.
  */
-export function saveRunTasksCoalesced(manifest: TeamRunManifest, tasks: TeamTaskState[]): void {
+/** @internal */
+function saveRunTasksCoalesced(manifest: TeamRunManifest, tasks: TeamTaskState[]): void {
 	atomicWriteJsonCoalesced(manifest.tasksPath, tasks);
 	invalidateRunCache(manifest.stateRoot);
 }
@@ -226,7 +227,8 @@ export async function saveRunTasksAsync(manifest: TeamRunManifest, tasks: TeamTa
  * This is acceptable because crash recovery detects and repairs
  * inconsistent state on next session start.
  */
-export async function saveManifestAndTasksAtomic(manifest: TeamRunManifest, tasks: TeamTaskState[]): Promise<void> {
+/** @internal */
+async function saveManifestAndTasksAtomic(manifest: TeamRunManifest, tasks: TeamTaskState[]): Promise<void> {
 	await withRunLock(manifest, async () => {
 		await Promise.all([
 			atomicWriteJsonAsync(path.join(manifest.stateRoot, "manifest.json"), manifest),

package/src/state/task-claims.ts

@@ -1,4 +1,4 @@
-import { randomUUID } from "node:crypto";
+import { randomUUID, timingSafeEqual } from "node:crypto";
 import type { TeamTaskState } from "./types.ts";
 
 export interface TaskClaimState {
@@ -18,8 +18,15 @@ export function isTaskClaimExpired(claim: TaskClaimState | undefined, now = new
 	return Number.isFinite(parsed) ? parsed <= now.getTime() : true;
 }
 
+export function timingSafeTokenMatch(a: string, b: string): boolean {
+	const bufA = Buffer.from(String(a));
+	const bufB = Buffer.from(String(b));
+	if (bufA.length !== bufB.length) return false;
+	return timingSafeEqual(bufA, bufB);
+}
+
 export function canUseTaskClaim(task: Pick<TeamTaskState, "claim">, owner: string, token: string, now = new Date()): boolean {
-	return task.claim?.owner === owner && task.claim.token === token && !isTaskClaimExpired(task.claim, now);
+	return task.claim?.owner === owner && timingSafeTokenMatch(task.claim.token, token) && !isTaskClaimExpired(task.claim, now);
 }
 
 export function claimTask<T extends TeamTaskState>(task: T, owner: string, leaseMs?: number, now = new Date()): T {

package/src/tools/safe-bash.ts

@@ -39,7 +39,8 @@ const DANGEROUS_PATTERNS = [
 
 /**
  * Linear-time check if command contains a dangerous rm pattern like "rm -rf /" or "rm -rf ~"
- * Replaces O(n²) regex backtracking with O(n) string scanning
+ * Replaces O(n²) regex backtracking with O(n) string scanning.
+ * Expanded to also block: rm -rf /etc/*, rm --recursive --force /, rm -rf ~/.ssh, etc.
  */
 function matchesDangerousRm(command: string): boolean {
 	let pos = 0;
@@ -56,32 +57,75 @@ function matchesDangerousRm(command: string): boolean {
 		// Must be followed by whitespace
 		const afterRm = rmIdx + 2;
 		if (afterRm >= len || /\s/.test(command[afterRm])) {
-			// Found "rm " - now check for -rf flags followed by / or ~
+			// Found "rm " - now check for recursive/force flags
 			let p = afterRm + 1;
+			let hasR = false;
+			let hasF = false;
 			while (p < len) {
 				// Skip whitespace
 				while (p < len && /\s/.test(command[p])) p++;
 				if (p >= len) break;
-				// Check for flag
-				if (command[p] !== "-") break;
-				p++;
-				let hasR = false, hasF = false;
-				while (p < len && /[a-zA-Z]/.test(command[p])) {
-					if (command[p] === "r" || command[p] === "R") hasR = true;
-					if (command[p] === "f" || command[p] === "F") hasF = true;
+				// Check for short flags (-r, -f, -rf, -R, -F, etc.)
+				if (command[p] === "-" && p + 1 < len && /[a-zA-Z]/.test(command[p + 1]) && command[p + 1] !== "-") {
 					p++;
+					while (p < len && /[a-zA-Z]/.test(command[p])) {
+						if (command[p] === "r" || command[p] === "R") hasR = true;
+						if (command[p] === "f" || command[p] === "F") hasF = true;
+						p++;
+					}
+					// Skip whitespace after flag
+					while (p < len && /\s/.test(command[p])) p++;
+					continue;
 				}
-				if (!hasR && !hasF) break; // Flag must have r or f
-				// Skip whitespace after flag
-				while (p < len && /\s/.test(command[p])) p++;
-			}
-			// Now check if followed by / or ~ (end or whitespace)
-			if (p < len && (command[p] === "/" || command[p] === "~")) {
-				const afterSlash = p + 1;
-				if (afterSlash >= len || /\s/.test(command[afterSlash]) || command[afterSlash] === ";") {
-					return true; // Dangerous!
+				// Check for long flags (--recursive, --force)
+				if (command[p] === "-" && p + 1 < len && command[p + 1] === "-") {
+					p += 2;
+					const flagStart = p;
+					while (p < len && /[a-zA-Z]/.test(command[p])) p++;
+					const flagName = command.slice(flagStart, p);
+					if (flagName === "recursive") hasR = true;
+					if (flagName === "force") hasF = true;
+					// Skip whitespace after flag
+					while (p < len && /\s/.test(command[p])) p++;
+					continue;
 				}
+				// Not a flag — stop parsing flags
+				break;
+			}
+			// Must have both -r and -f (or equivalents) to be dangerous
+			if (!hasR || !hasF) {
+				pos = rmIdx + 1;
+				continue;
+			}
+			// Now check if followed by dangerous targets
+			if (p >= len) {
+				pos = rmIdx + 1;
+				continue;
+			}
+			// Block: ~ (home directory references)
+			const charAtP = command[p];
+			if (charAtP === "~") return true; // Home directory reference
+			// Block: / (root or dangerous system paths)
+			if (charAtP === "/") {
+				// Exact root '/' with nothing after
+				if (p + 1 >= len || /\s/.test(command[p + 1]) || command[p + 1] === ";") return true;
+				// Block dangerous system paths
+				const rest = command.slice(p);
+				if (/^\/etc[\/\s;]/.test(rest) || rest === "/etc") return true;
+				if ((/^\/var\/(?!tmp)/.test(rest)) || rest === "/var") return true;
+				if (/^\/usr[\/\s;]/.test(rest) || rest === "/usr") return true;
+				if (/^\/boot[\/\s;]/.test(rest) || rest === "/boot") return true;
+				if (/^\/sys[\/\s;]/.test(rest) || rest === "/sys") return true;
+				if (/^\/proc[\/\s;]/.test(rest) || rest === "/proc") return true;
+				if (/^\/dev[\/\s;]/.test(rest) || rest === "/dev") return true;
+				if (/^\/root[\/\s;]/.test(rest) || rest === "/root") return true;
+				if (/^\/home[\/\s;]/.test(rest) || rest === "/home") return true;
+				// /tmp/ and other non-system absolute paths are allowed
 			}
+			// Check for sensitive relative paths: .ssh, .gnupg
+			const rest = command.slice(p);
+			if (/^\.ssh[\/\\\s;]/.test(rest)) return true;
+			if (/^\.gnupg[\/\\\s;]/.test(rest)) return true;
 		}
 		pos = rmIdx + 1;
 	}
@@ -172,8 +216,13 @@ export function isDangerous(command: string, options: SafeBashOptions = {}): str
 		}
 	}
 
-	// Normalize: remove line continuations, collapse whitespace
-	const normalized = command.replace(/\\\n/g, " ").replace(/\s+/g, " ").trim();
+	// Normalize: strip ANSI escapes and control chars, remove line continuations, collapse whitespace
+	const normalized = command
+		.replace(/\x1b\[[0-9;]*[a-zA-Z]/g, '')  // strip ANSI escapes
+		.replace(/[\x00-\x08\x0b\x0c\x0e-\x1f]/g, '')  // strip control chars
+		.replace(/\\\n/g, " ")
+		.replace(/\s+/g, " ")
+		.trim();
 
 	// Check allow patterns first (overrides)
 	for (const pattern of allowPatterns) {

package/src/types/new-api-types.ts

@@ -11,24 +11,29 @@ export type {
 // Using AgentEndEvent and AgentStartEvent instead
 
 // Type guards for pi-crew usage
-export function isToolEvent(event: AgentSessionEvent): boolean {
+/** @internal */
+function isToolEvent(event: AgentSessionEvent): boolean {
   return event.type === "tool_execution_start" || 
          event.type === "tool_execution_update" || 
          event.type === "tool_execution_end";
 }
 
-export function isAgentLifecycleEvent(event: AgentSessionEvent): boolean {
+/** @internal */
+function isAgentLifecycleEvent(event: AgentSessionEvent): boolean {
   return event.type === "agent_start" || event.type === "agent_end";
 }
 
-export function isCompactionEvent(event: AgentSessionEvent): boolean {
+/** @internal */
+function isCompactionEvent(event: AgentSessionEvent): boolean {
   return event.type === "compaction_start" || event.type === "compaction_end";
 }
 
-export function isRetryEvent(event: AgentSessionEvent): boolean {
+/** @internal */
+function isRetryEvent(event: AgentSessionEvent): boolean {
   return event.type === "auto_retry_start" || event.type === "auto_retry_end";
 }
 
-export function isQueueEvent(event: AgentSessionEvent): boolean {
+/** @internal */
+function isQueueEvent(event: AgentSessionEvent): boolean {
   return event.type === "queue_update";
 }

package/src/ui/keybinding-map.ts

@@ -21,7 +21,8 @@ export const DASHBOARD_KEYS = {
 	notification: { dismissAll: ["H"] },
 } as const;
 
-export const KEY_RESERVED = new Set<string>([
+/** @internal */
+const KEY_RESERVED = new Set<string>([
 	...DASHBOARD_KEYS.close,
 	...DASHBOARD_KEYS.select,
 	...Object.values(DASHBOARD_KEYS.root).flat(),

package/src/ui/run-action-dispatcher.ts

@@ -111,7 +111,8 @@ export async function dispatchDiagnosticExport(ctx: ExtensionContext, runId: str
 	}
 }
 
-export function defaultNudgeAgentId(ctx: Pick<ExtensionContext, "cwd">, runId: string): string | undefined {
+/** @internal */
+function defaultNudgeAgentId(ctx: Pick<ExtensionContext, "cwd">, runId: string): string | undefined {
 	const loaded = loadRunManifestById(ctx.cwd, runId);
 	if (!loaded) return undefined;
 	return readCrewAgents(loaded.manifest).find((agent) => agent.status === "running" || agent.status === "queued")?.taskId;

package/src/ui/status-colors.ts

@@ -47,7 +47,8 @@ export function iconForStatus(status: RunStatus, options?: { runningGlyph?: stri
 	}
 }
 
-export function colorForActivity(activityState: string | undefined): CrewThemeColor {
+/** @internal */
+function colorForActivity(activityState: string | undefined): CrewThemeColor {
 	if (activityState === "needs_attention") return "warning";
 	if (activityState === "stale") return "error";
 	return "dim";

package/src/ui/syntax-highlight.ts

@@ -22,7 +22,8 @@ function buildCliTheme(theme: CrewTheme): Record<string, (text: string) => strin
 	};
 }
 
-export function detectLanguageFromPath(filePath: string): string | undefined {
+/** @internal */
+function detectLanguageFromPath(filePath: string): string | undefined {
 	const ext = filePath.split(".").pop()?.toLowerCase();
 	if (!ext) return undefined;
 	return languageMap[ext];

package/src/ui/tool-render.ts

@@ -29,6 +29,15 @@ export interface AgentToolResultDetails {
 	results?: Array<{ agentId?: string; status?: string; output?: string; error?: string }>;
 }
 
+/** Combined type for renderAgentToolResult — handles both nested details and flat result shapes */
+interface AgentResultData extends AgentToolResultDetails {
+	agentId?: string;
+	status?: string;
+	error?: string;
+	output?: string;
+	runId?: string;
+}
+
 // ── Helpers ─────────────────────────────────────────────────────────
 
 export function formatTokens(n: number): string {
@@ -45,7 +54,8 @@ export function formatDuration(ms: number): string {
 	return s > 0 ? `${m}m${s}s` : `${m}m`;
 }
 
-export function formatContextUsage(tokens: number, contextWindow: number | undefined): string {
+/** @internal */
+function formatContextUsage(tokens: number, contextWindow: number | undefined): string {
 	if (!contextWindow) return `${formatTokens(tokens)} ctx`;
 	const pct = (tokens / contextWindow) * 100;
 	const maxStr = contextWindow >= 1_000_000 ? `${(contextWindow / 1_000_000).toFixed(1)}M` : `${Math.round(contextWindow / 1000)}k`;
@@ -294,7 +304,7 @@ export function renderAgentToolResult(
 	_options: unknown, theme: Theme, _context: unknown,
 ): Component {
 	// Handle both nested details and flattened result shape
-	const d = (result as any).details ?? result;
+	const d = (result.details ?? result) as AgentResultData;
 	const c = new Container();
 	const w = 116;
 
@@ -351,7 +361,7 @@ export function renderAgentToolResult(
 function extractText(content: unknown[] | undefined): string {
 	if (!content) return "(no output)";
 	if (!Array.isArray(content)) return String(content);
-	return content.filter((c: any) => c?.type === "text").map((c: any) => c?.text ?? "").join("\n") || "(no output)";
+	return content.filter((c): c is Record<string, unknown> => typeof c === "object" && c !== null && (c as Record<string, unknown>).type === "text").map((c) => String((c as Record<string, unknown>).text ?? "")).join("\n") || "(no output)";
 }
 
 function parseArgs(argsStr: string | undefined): Record<string, unknown> {

package/src/utils/fs-watch.ts

@@ -2,7 +2,8 @@ import * as fs from "node:fs";
 import * as path from "node:path";
 import type { FSWatcher, WatchListener } from "node:fs";
 
-export const FS_WATCH_RETRY_DELAY_MS = 5000;
+/** @internal */
+const FS_WATCH_RETRY_DELAY_MS = 5000;
 
 export function closeWatcher(watcher: FSWatcher | null | undefined): void {
 	if (!watcher) {
@@ -85,4 +86,5 @@ export function watchCrewState(
 }
 
 // Re-export path helper so callers don't pull node:path just for join.
-export const joinPath = path.join;
+/** @internal */
+const joinPath = path.join;

package/src/utils/gh-protocol.ts

@@ -473,7 +473,8 @@ export function resolveGitHubUrl(parsed: Parsed, scheme: "issue" | "pr", cwd: st
  * Resolve a raw `issue://` or `pr://` URL string.
  * Convenience wrapper combining parse + resolve.
  */
-export function resolveGitHubProtocol(raw: string, scheme: "issue" | "pr", cwd: string): GhResult<unknown> {
+/** @internal */
+function resolveGitHubProtocol(raw: string, scheme: "issue" | "pr", cwd: string): GhResult<unknown> {
 	const parsed = parseGitHubUrl(raw, scheme);
 	return resolveGitHubUrl(parsed, scheme, cwd);
 }

package/src/utils/safe-paths.ts

@@ -11,6 +11,9 @@ export function assertSafePathId(kind: string, value: string): string {
 }
 
 export function resolveContainedPath(baseDir: string, targetPath: string): string {
+	if (targetPath.includes('\0')) {
+		throw new Error(`Security: path contains null byte`);
+	}
 	const base = path.resolve(baseDir);
 	const resolved = path.isAbsolute(targetPath) ? path.resolve(targetPath) : path.resolve(base, targetPath);
 	const relative = path.relative(base, resolved);
@@ -41,6 +44,9 @@ export function resolveRealContainedPath(baseDir: string, targetPath: string): s
 }
 
 export function resolveContainedRelativePath(baseDir: string, relativePath: string, kind = "path"): string {
+	if (relativePath.includes('\0')) {
+		throw new Error(`Security: path contains null byte: ${kind}`);
+	}
 	const normalized = relativePath.replaceAll("\\", "/").replace(/^\.\/+/, "");
 	if (!normalized || normalized.split("/").some((segment) => segment === "..") || path.isAbsolute(normalized)) throw new Error(`Invalid ${kind}: ${relativePath}`);
 	return resolveContainedPath(baseDir, path.resolve(baseDir, normalized));