pi-crew 0.7.4 → 0.7.6

package/src/state/event-log.ts

@@ -3,12 +3,13 @@ import * as fs from "node:fs";
 import * as path from "node:path";
 import { DEFAULT_EVENT_LOG } from "../config/defaults.ts";
 import { atomicWriteFile } from "./atomic-write.ts";
+import { errors } from "../errors.ts";
 import { emitFromTeamEvent } from "../ui/run-event-bus.ts";
 import { logInternalError } from "../utils/internal-error.ts";
 import { readJsonlSince, type IncrementalReadState } from "../utils/incremental-reader.ts";
 import { redactSecrets } from "../utils/redaction.ts";
 import { sleepSync } from "../utils/sleep.ts";
-import { needsRotation, compactEventLog, rotateEventLog } from "./event-log-rotation.ts";
+import { needsRotation, compactEventLog, rotateEventLog, applyCompactionUnlocked, prepareCompaction, rotateEventLogUnlocked } from "./event-log-rotation.ts";
 
 export type TeamEventProvenance = "live_worker" | "test" | "healthcheck" | "replay" | "api" | "background" | "team_runner";
 export type TeamWatcherAction = "act" | "observe" | "ignore";
@@ -75,7 +76,7 @@ let overflowCounter = 0;
  *  `flushOneEventLogBuffer`, and `state/mailbox.ts`. Prefer the async alternative
  *  (`appendEventAsync`) for all new code.
  */
-export function withEventLogLockSync<T>(eventsPath: string, fn: () => T): T {
+export function withEventLogLockSync<T>(eventsPath: string, fn: () => T, options?: { timeoutMs?: number; staleMs?: number }): T {
 	// Ensure parent directory exists before attempting lock
 	fs.mkdirSync(path.dirname(eventsPath), { recursive: true });
 	const lockDir = `${eventsPath}.lock`;
@@ -85,8 +86,8 @@ export function withEventLogLockSync<T>(eventsPath: string, fn: () => T): T {
 	// event loop indefinitely. 500 retries × 10ms = 5s max. After timeout, we
 	// throw a clear error instead of blocking forever. This ensures AbortSignal
 	// handlers, SIGTERM, and graceful shutdown can fire within seconds.
-	const timeout = 5000;
-	const staleMs = 10000;
+	const timeout = options?.timeoutMs ?? 5000;
+	const staleMs = options?.staleMs ?? 10000;
 	let acquired = false;
 	while (true) {
 		try {
@@ -105,28 +106,39 @@ export function withEventLogLockSync<T>(eventsPath: string, fn: () => T): T {
 				// SECURITY (HIGH #2 fix): Throw instead of continuing without lock.
 				// Previously this logged and broke out of the loop, executing the
 				// operation without lock protection. Now we throw so callers can retry.
-				throw new Error(
-					`Event log lock timeout for ${eventsPath}: could not acquire lock within ${timeout}ms`,
-				);
+				// E1 (Round 15): structured CrewError (E010) with help hint so users know
+				// to check for orphaned .lock dirs / stale processes.
+				throw errors.eventLogLockTimeout(eventsPath, timeout);
 			}
-			// Stale detection: if the owning process is dead, remove the stale lock.
+			// Round 26 (BUG 3): mtime-based stale check INDEPENDENT of pidFile.
+			// If the holder crashed between mkdir and writing pidFile, there is no
+			// pidFile to read — the old code just slept until the 5s timeout, then
+			// threw, leaving the dir orphaned FOREVER (every retry repeats the
+			// timeout). Now: if the lock dir's mtime exceeds staleMs, reclaim it.
+			try {
+				const dirStat = fs.statSync(lockDir);
+				if (Date.now() - dirStat.mtimeMs > staleMs) {
+					fs.rmSync(lockDir, { recursive: true, force: true });
+					continue;
+				}
+			} catch { /* dir vanished — let loop retry */ }
+			// Round 26 (BUG 4): the mtime check was previously NESTED inside
+			// `if (!alive)`, so a recycled PID (crashed holder's PID reused by an
+			// unrelated live process) kept `alive=true` and the mtime check NEVER
+			// fired → permanent wedge. mtime is now checked FIRST (above) for ALL
+			// holders. The PID check below is a secondary fast-path: if the holder
+			// PID is provably dead AND the lock isn't stale yet, we still wait
+			// (don't steal a fresh lock just because the pid lookup raced).
 			try {
 				const raw = fs.readFileSync(pidFile, "utf-8").trim();
 				const ownerPid = Number.parseInt(raw, 10);
 				if (!Number.isNaN(ownerPid) && ownerPid !== process.pid) {
 					let alive = false;
 					try { process.kill(ownerPid, 0); alive = true; } catch { /* dead */ }
-					if (!alive) {
-						try {
-							const stat = fs.statSync(lockDir);
-							if (Date.now() - stat.mtimeMs > staleMs) {
-								fs.rmSync(lockDir, { recursive: true, force: true });
-								continue;
-							}
-						} catch { /* race — let loop sleep */ }
-					}
+					// (mtime already handled above; nothing to do here for dead-but-fresh.)
+					void alive;
 				}
-			} catch { /* no pid file — fall through to sleep */ }
+			} catch { /* no pid file — mtime check above already handles it */ }
 			sleepSync(10);
 		}
 	}
@@ -134,7 +146,19 @@ export function withEventLogLockSync<T>(eventsPath: string, fn: () => T): T {
 		return fn();
 	} finally {
 		if (acquired) {
-			try { fs.rmSync(lockDir, { recursive: true, force: true }); } catch { /* best-effort */ }
+			// Round 26 (BUG 5): token/PID-guarded release. Previously the release
+			// was an UNCONDITIONAL rmSync. If our fn exceeded staleMs, another
+			// process could steal our lock (rm our dir, make its own); when our fn
+			// finished our finally block would then DELETE THE STEALER's dir → both
+			// in the critical section + lost lock. Verify the pidFile still records
+			// OUR pid before removing; if it doesn't, the lock was stolen and the
+			// current holder owns the dir.
+			try {
+				const currentPid = fs.readFileSync(pidFile, "utf-8").trim();
+				if (currentPid === String(process.pid)) {
+					fs.rmSync(lockDir, { recursive: true, force: true });
+				}
+			} catch { /* lock stolen or already gone — do not touch */ }
 		}
 	}
 }
@@ -151,6 +175,29 @@ function evictOldestSequenceCacheEntries(): void {
 	}
 }
 
+/** @internal — exported for sequence-cache LRU testing (Round 19). */
+export function __test__sequenceCacheSize(): number {
+	return sequenceCache.size;
+}
+
+/** @internal — seed an entry into the sequence cache for testing. */
+export function __test__seedSequenceCache(eventsPath: string, lastAccessMs: number): void {
+	sequenceCache.set(eventsPath, { size: 1, mtimeMs: 0, seq: 0, lastAccessMs });
+}
+
+/** @internal — expose eviction for testing. */
+export function __test__evictOldestSequenceCacheEntries(): void {
+	evictOldestSequenceCacheEntries();
+}
+
+/** @internal — clear the sequence cache. */
+export function __test__clearSequenceCache(): void {
+	sequenceCache.clear();
+}
+
+/** @internal — the max sequence cache entries bound. */
+export const MAX_SEQUENCE_CACHE_ENTRIES_VALUE = MAX_SEQUENCE_CACHE_ENTRIES;
+
 export function sequencePath(eventsPath: string): string {
 	return `${eventsPath}.seq`;
 }
@@ -496,9 +543,14 @@ function appendEventInsideLock(eventsPath: string, event: AppendTeamEvent): Team
 	if (!isTerminal && fs.existsSync(eventsPath)) {
 		const stat = fs.statSync(eventsPath);
 		if (stat.size > MAX_EVENTS_BYTES) {
-			// Try immediate compact (not waiting for counter % 100)
+			// Try immediate compact (not waiting for counter % 100).
+			// Round 24 (BUG 1): we are INSIDE withEventLogLockSync. Use the unlocked
+			// apply/rotate cores — the locked variants would deadlock (mkdir lock
+			// is not re-entrant → 5s timeout → compaction/rotation never ran →
+			// unbounded log growth → events silently dropped past 50MB).
 			try {
-				compactEventLog(eventsPath);
+				const prepared = prepareCompaction(eventsPath);
+				if (prepared) applyCompactionUnlocked(eventsPath, prepared);
 			} catch (error) {
 				logInternalError("event-log.immediate-compact", error, `eventsPath=${eventsPath}`);
 			}
@@ -506,7 +558,7 @@ function appendEventInsideLock(eventsPath: string, event: AppendTeamEvent): Team
 			if (fs.existsSync(eventsPath)) {
 				const afterCompact = fs.statSync(eventsPath);
 				if (afterCompact.size > MAX_EVENTS_BYTES) {
-					rotateEventLog(eventsPath);
+					rotateEventLogUnlocked(eventsPath);
 				}
 			}
 		}
@@ -554,7 +606,15 @@ function appendEventInsideLock(eventsPath: string, event: AppendTeamEvent): Team
 	}
 	appendCounter++;
 	if (appendCounter % 100 === 0 && needsRotation(eventsPath)) {
-		try { compactEventLog(eventsPath); } catch (error) { logInternalError("event-log.rotation", error, `eventsPath=${eventsPath}`); }
+		// Round 24 (BUG 1): we are INSIDE withEventLogLockSync here (called via
+		// appendEventInsideLock). The mkdir lock is NOT re-entrant, so calling the
+		// locked compactEventLog would deadlock → 5s timeout → compaction never
+		// ran → unbounded log growth → events silently dropped past 50MB. Use the
+		// unlocked apply path instead (lock already held).
+		try {
+			const prepared = prepareCompaction(eventsPath);
+			if (prepared) applyCompactionUnlocked(eventsPath, prepared);
+		} catch (error) { logInternalError("event-log.rotation", error, `eventsPath=${eventsPath}`); }
 	}
 	try { emitFromTeamEvent(fullEvent); } catch (error) { logInternalError("event-log.emit", error); }
 	return fullEvent;

package/src/state/health-store.ts

@@ -4,7 +4,12 @@ import type { RunHealth } from "../runtime/task-health.ts";
 import { computeRunHealth } from "../runtime/task-health.ts";
 import type { ManifestSummary } from "../runtime/task-health.ts";
 
-const HEALTH_DIR = ".crew/state/health";
+// Relative to the crew root (`<cwd>/.crew`). BUG A fix (pts/2 hang
+// investigation 2026-06-16): this was `.crew/state/health`, which double-joined
+// to `<crewRoot>/state/.crew/state/health` because the caller passed the state
+// dir (not the crew root). Now the caller passes the real crew root, so this is
+// a plain `state/health` suffix.
+const HEALTH_DIR = "state/health";
 
 export interface HealthSnapshot {
   runId: string;

package/src/state/locks.ts

@@ -66,6 +66,57 @@ function isLockHolderAlive(filePath: string): boolean {
 	}
 }
 
+/**
+ * Round 26 (BUG 1): read the lock file ONCE and evaluate staleness + holder
+ * liveness from that single snapshot.
+ *
+ * Previously `acquireLockWithRetry` called `isLockStale()` and
+ * `isLockHolderAlive()` separately, each performing its own `readFileSync`.
+ * Between those two reads the lock could transition stale→fresh (old holder
+ * released, new holder acquired): isLockStale saw the OLD createdAt → stale,
+ * isLockHolderAlive saw the NEW pid → alive, yielding `!stale && alive` =
+ * false → we forcibly rm the NEW holder's freshly-acquired lock and take it
+ * ourselves → BOTH in the critical section. Reading once closes the window.
+ *
+ * Returns `{ canSteal: true }` if the lock is stale OR the holder is dead
+ * (safe to forcibly remove); `{ canSteal: false }` if it is fresh AND held by
+ * a live process (must keep waiting).
+ */
+function readLockSnapshot(filePath: string, staleMs: number): { canSteal: boolean } {
+	let stat: fs.Stats | undefined;
+	let raw: string | undefined;
+	try {
+		stat = fs.statSync(filePath);
+		raw = fs.readFileSync(filePath, "utf-8");
+	} catch {
+		// File vanished between writeLockFile's EEXIST and now (holder released).
+		// Loop will retry the create; safe to signal "nothing to steal".
+		return { canSteal: false };
+	}
+	// Staleness from a single snapshot.
+	let createdAt = parseCreatedAtFromLock(raw);
+	if (createdAt === undefined) createdAt = stat.mtimeMs;
+	const isStale = Date.now() - createdAt > staleMs;
+	// Holder liveness from the SAME snapshot.
+	let isAlive = true; // Unknown holder — assume alive to be safe (matches isLockHolderAlive).
+	try {
+		const parsed = JSON.parse(raw) as { pid?: unknown };
+		const pid = typeof parsed.pid === "number" ? parsed.pid : undefined;
+		if (pid !== undefined) {
+			try {
+				process.kill(pid, 0);
+				isAlive = true;
+			} catch (error) {
+				const code = (error as NodeJS.ErrnoException).code;
+				// EPERM/ESRCH → treat as not-alive (stealable), see isLockHolderAlive.
+				isAlive = false;
+			}
+		}
+	} catch { /* malformed payload — keep isAlive=true */ }
+	// Steal if stale OR holder dead — matches the original intent.
+	return { canSteal: isStale || !isAlive };
+}
+
 /**
  * Lock file kinds. Discriminator written to the lock file payload so that:
  *   - Debugging tools (e.g. a future `pi-crew locks` command) can identify
@@ -180,9 +231,10 @@ function acquireLockWithRetry(filePath: string, staleMs: number, kind: LockKind
 			if (Date.now() > deadline) {
 				throw new Error(`Run '${path.basename(filePath)}' is locked by another operation.`);
 			}
-			const isStale = isLockStale(filePath, staleMs);
-			const isHolderAlive = isLockHolderAlive(filePath);
-			if (!isStale && isHolderAlive) {
+			// Round 26 (BUG 1): single-snapshot read closes the TOCTOU window between
+			// separate stale + alive reads (which could race stale→fresh).
+			const { canSteal } = readLockSnapshot(filePath, staleMs);
+			if (!canSteal) {
 				throw new Error(`Run '${path.basename(filePath)}' is locked by another operation.`);
 			}
 			// Stale or dead holder — forcibly remove the lock.
@@ -213,9 +265,9 @@ async function acquireLockWithRetryAsync(filePath: string, staleMs: number, kind
 			if (Date.now() > deadline) {
 				throw new Error(`Run '${path.basename(filePath)}' is locked by another operation.`);
 			}
-			const isStale = isLockStale(filePath, staleMs);
-			const isHolderAlive = isLockHolderAlive(filePath);
-			if (!isStale && isHolderAlive) {
+			// Round 26 (BUG 1): single-snapshot read (see sync variant).
+			const { canSteal } = readLockSnapshot(filePath, staleMs);
+			if (!canSteal) {
 				throw new Error(`Run '${path.basename(filePath)}' is locked by another operation.`);
 			}
 			// Stale or dead holder — forcibly remove the lock.
@@ -244,16 +296,14 @@ export function withFileLockSync<T>(filePath: string, fn: () => T, options: RunL
 	// Between mkdir and lock acquisition, an attacker could plant a symlink.
 	if (!isSymlinkSafePath(path.dirname(lockFile))) throw new Error("Refusing: parent of lock directory is a symlink");
 	fs.mkdirSync(path.dirname(lockFile), { recursive: true });
-	// FIX: Validate that the target file still exists. If it was deleted and
-	// recreated since the last lock cycle, the old .lock file may be orphaned
-	// and should not block the new cycle. Clean it up if the target is missing.
-	try {
-		fs.statSync(filePath);
-	} catch {
-		// Target file doesn't exist — clean up any stale .lock file and proceed.
-		// The lock will be acquired fresh for the new file (if fn creates it).
-		try { fs.rmSync(lockFile, { force: true }); } catch { /* ignore */ }
-	}
+	// Round 26 (BUG 2): REMOVED the pre-acquisition target-file-existence check.
+	// It was racy — between statSync(target) and acquire, a concurrent process
+	// could acquire the lock to CREATE the target, and we'd delete its active
+	// lock. It was also actively wrong for callers that pass a path already
+	// ending in `.lock` (config.ts: the checked "target" never exists, so the
+	// cleanup ALWAYS fired, deleting a fresh concurrent holder's lock). Genuine
+	// orphan locks (crashed holder) are reclaimed by acquireLockWithRetry's
+	// staleMs-based steal logic after at most `staleMs`.
 	// FIX (TOCTOU): Re-validate symlink safety before each lock acquisition
 	// attempt. Between our initial check and the acquisition (and between
 	// acquireLockWithRetry's internal retries), an attacker could plant a

package/src/state/state-store.ts

@@ -17,6 +17,37 @@ import type { WorkflowConfig } from "../workflows/workflow-config.ts";
 import { toPiSessionId } from "../utils/session-utils.ts";
 import { HealthStore } from "./health-store.ts";
 
+/**
+ * stat() the manifest with a brief retry on Windows for the AV-scan window.
+ *
+ * On the GitHub Actions windows-latest runner, Windows Defender real-time
+ * scanning can make a freshly-written manifest.json briefly invisible to
+ * statSync (ENOENT) even though the write succeeded and the file is on disk.
+ * loadRunManifestById is called right after createRunManifest in tests and in
+ * production (e.g. refreshPersistedSubagentRecord), so without a retry the
+ * caller sees a phantom "missing" run.
+ *
+ * On non-Windows, ENOENT means the file genuinely doesn't exist — passthrough
+ * (throw immediately) with no retry. On Windows, ENOENT/EPERM/EBUSY/EAGAIN get
+ * a handful of short retries (~30ms worst case) before giving up and throwing
+ * so the caller's catch returns undefined as before.
+ */
+function statManifestWithWindowsRetry(manifestPath: string): fs.Stats {
+	if (process.platform !== "win32") return fs.statSync(manifestPath);
+	const retryable = new Set(["ENOENT", "EPERM", "EBUSY", "EAGAIN"]);
+	for (let attempt = 0; attempt < 5; attempt++) {
+		try {
+			return fs.statSync(manifestPath);
+		} catch (error) {
+			const code = (error as NodeJS.ErrnoException).code;
+			if (!retryable.has(code ?? "")) throw error;
+			const end = Date.now() + Math.min(8, 1 * 2 ** attempt);
+			while (Date.now() < end) { /* brief spin to ride out the AV scan window */ }
+		}
+	}
+	return fs.statSync(manifestPath); // last attempt — let caller's catch handle ENOENT
+}
+
 export interface RunPaths {
 	runId: string;
 	stateRoot: string;
@@ -26,7 +57,7 @@ export interface RunPaths {
 	eventsPath: string;
 }
 
-interface ManifestCacheEntry {
+export interface ManifestCacheEntry {
 	manifest: TeamRunManifest;
 	tasks: TeamTaskState[];
 	manifestMtimeMs: number;
@@ -45,6 +76,19 @@ const MANIFEST_CACHE_TTL_MS = 15 * 1000; // 15 seconds (FIX: increased from 5s f
 const LOAD_MANIFEST_RETRY_LIMIT = 5; // Configurable retry limit for mtime/size stability checks under contention
 const manifestCache = new Map<string, ManifestCacheEntry>();
 
+/** @internal — exported for TTL-eviction unit testing (Round 19). */
+export function __test__setManifestCache(stateRoot: string, entry: ManifestCacheEntry): void {
+	setManifestCache(stateRoot, entry);
+}
+
+/** @internal — exported for TTL-eviction unit testing (Round 19). */
+export function __test__getManifestCacheEntry(stateRoot: string): ManifestCacheEntry | undefined {
+	return manifestCache.get(stateRoot);
+}
+
+/** @internal — the TTL in ms used for manifest cache eviction. */
+export const MANIFEST_CACHE_TTL_MS_VALUE = MANIFEST_CACHE_TTL_MS;
+
 function setManifestCache(stateRoot: string, entry: ManifestCacheEntry): void {
 	if (manifestCache.has(stateRoot)) manifestCache.delete(stateRoot);
 	entry.cachedAt = Date.now();
@@ -506,7 +550,7 @@ export function loadRunManifestById(cwd: string, runId: string): { manifest: Tea
 
 	let manifestStat: fs.Stats;
 	try {
-		manifestStat = fs.statSync(manifestPath);
+		manifestStat = statManifestWithWindowsRetry(manifestPath);
 	} catch {
 		return undefined;
 	}

package/src/ui/card-colors.ts

@@ -14,6 +14,7 @@
  *   30-35% — word-level emphasis (prominent)
  */
 import type { CrewTheme } from "./theme-adapter.ts";
+import { visibleWidth as visualWidth } from "../utils/visual.ts";
 
 // ── ANSI parsing ────────────────────────────────────────────────────────
 
@@ -96,12 +97,15 @@ export function deriveCardBackground(
 
 // ── Helpers for padding lines with a background ─────────────────────────
 
-const ANSI_SGR_RE = /\x1b\[[0-9;]*m/g;
 const RESET = "\x1b[0m";
 
-/** Strip ANSI SGR codes to get visible character count. */
+/** Strip ANSI SGR codes then compute the VISUAL width (Unicode-aware).
+ * Round 23 (BUG 2): previously this used `.length` (UTF-16 code units), which
+ * under-counts CJK/emoji → wrong padding → broken frame borders in crew cards.
+ * Delegate to the canonical Unicode-aware visualWidth from utils/visual.ts
+ * used by every other renderer. */
 export function visibleWidth(text: string): number {
-	return text.replace(ANSI_SGR_RE, "").length;
+	return visualWidth(text);
 }
 
 /**

package/src/ui/dashboard-panes/agents-pane.ts

@@ -3,7 +3,9 @@ import { iconForStatus } from "../status-colors.ts";
 import type { RunUiSnapshot } from "../snapshot-types.ts";
 import { spinnerFrame } from "../spinner.ts";
 import type { CrewAgentRecord } from "../../runtime/crew-agent-runtime.ts";
+import { formatCost } from "../../state/usage.ts";
 import { listLiveAgents, listLiveAgentsByWorkspace, type LiveAgentHandle } from "../../runtime/live-agent-manager.ts";
+import { computeLiveDurationMs } from "../live-duration.ts";
 
 /**
  * Returns true if this agent did real work (LLM call, tool use, or non-trivial duration).
@@ -82,15 +84,26 @@ export function renderAgentsPane(snapshot: RunUiSnapshot | undefined, options: R
 			: agent.status === "failed" ? (agent.error ?? "failed")
 			: "done";
 
-		// Stats: tokens + duration only
+		// Stats: tokens + cost + duration
 		const stats: string[] = [];
 		const tokenTotal = (agent.usage?.input ?? 0) + (agent.usage?.output ?? 0) + (agent.usage?.cacheRead ?? 0) + (agent.usage?.cacheWrite ?? 0);
 		if (tokenTotal > 0) {
 			const tok = tokenTotal >= 1000 ? `${(tokenTotal / 1000).toFixed(1)}k` : `${tokenTotal}`;
 			stats.push(tok);
 		}
+		// Per-agent cost (Round 17 BS-1): the data is already on task.usage.cost;
+		// surface it live so the user sees $ burn per agent during a run.
+		if (agent.usage?.cost && agent.usage.cost > 0) {
+			stats.push(formatCost(agent.usage.cost));
+		}
 		if (liveHandle) {
-			const ms = (liveHandle.activity.completedAtMs ?? Date.now()) - liveHandle.activity.startedAtMs;
+			// Round 23 (BUG 1): the duration math here was naive —
+			//   (completedAtMs ?? Date.now()) - startedAtMs
+			// which produced a giant NEGATIVE duration whenever startedAtMs was
+			// 0/undefined/bad, or a race set completedAtMs < startedAtMs. This
+			// fired for EVERY running live agent in the dashboard. Use the shared,
+			// validated computeLiveDurationMs (mirrors widget-formatters.ts).
+			const ms = computeLiveDurationMs(liveHandle.activity);
 			stats.push(`${(ms / 1000).toFixed(1)}s`);
 			if (options.showModel !== false && liveHandle.modelName && liveHandle.modelName !== "default") {
 				stats.push(liveHandle.modelName);

package/src/ui/live-duration.ts

@@ -0,0 +1,58 @@
+/**
+ * Round 23 (BUG 1 fix): live-agent duration computation.
+ *
+ * The naive `(completedAtMs ?? Date.now()) - startedAtMs` produced giant
+ * NEGATIVE durations for every running live agent whenever startedAtMs was
+ * 0/undefined/out-of-range, or a race set completedAtMs < startedAtMs.
+ *
+ * This module consolidates the validated duration math (previously duplicated
+ * between widget-formatters.ts and agents-pane.ts) into one pure, fully
+ * testable function: it normalizes seconds-vs-ms, sanity-checks the start
+ * timestamp against the current time, and never returns a negative value.
+ */
+
+export interface LiveActivity {
+	startedAtMs?: number;
+	completedAtMs?: number;
+}
+
+/** Normalize a raw timestamp that may be seconds or milliseconds. */
+function toMs(v: number): number {
+	if (v <= 0) return 0;
+	// 1e9 < seconds < 1e10  → seconds, scale up
+	if (v > 1_000_000_000 && v < 10_000_000_000) return v * 1000;
+	// 1e11 < ms < 1e13      → already ms
+	if (v > 100_000_000_000 && v < 10_000_000_000_000) return v;
+	return v;
+}
+
+/**
+ * Compute the live elapsed duration in milliseconds for an agent activity.
+ *
+ * - Never negative (clamped to >= 0).
+ * - Returns 0 if the start timestamp is missing or implausible.
+ * - Uses `completedAtMs` when present and sane; otherwise `nowMs` (running).
+ *
+ * @param activity the live agent activity handle
+ * @param nowMs    optional override for `Date.now()` (tests / determinism)
+ */
+export function computeLiveDurationMs(activity: LiveActivity, nowMs: number = Date.now()): number {
+	const rawStarted = activity.startedAtMs || 0;
+	const rawCompleted = activity.completedAtMs || 0;
+	const startedMs = toMs(rawStarted);
+	const completedMs = rawCompleted > 0 ? toMs(rawCompleted) : 0;
+	// A valid start is positive, not more than 1 minute in the future, and not
+	// more than ~1000 years in the past (guards against 0 / garbage / clock skew).
+	const isValidStarted =
+		startedMs > 0 &&
+		startedMs < nowMs + 60_000 &&
+		startedMs > nowMs - 31_556_926_000_000;
+	const end = completedMs > 0 && completedMs < nowMs + 60_000 ? completedMs : nowMs;
+	const ms = end - (isValidStarted ? startedMs : nowMs);
+	return Number.isFinite(ms) && ms >= 0 ? ms : 0;
+}
+
+/** Format a live duration in seconds, e.g. `12.3s`. Returns `0.0s` for 0. */
+export function formatLiveDuration(activity: LiveActivity, nowMs: number = Date.now()): string {
+	return `${(computeLiveDurationMs(activity, nowMs) / 1000).toFixed(1)}s`;
+}

package/src/ui/tool-render.ts

@@ -10,6 +10,7 @@
 import { Container, Spacer, Text, visibleWidth } from "@earendil-works/pi-tui";
 import type { CrewAgentRecord } from "../runtime/crew-agent-runtime.ts";
 import { replaceTabs } from "./render-diff.ts";
+import { truncateToWidth } from "../utils/visual.ts";
 
 // ── Types ──────────────────────────────────────────────────────────────
 export interface Theme {
@@ -68,17 +69,12 @@ function formatContextUsage(tokens: number, contextWindow: number | undefined):
 
 export function truncLine(text: string, maxWidth: number): string {
 	if (text.includes("\n") || text.includes("\r")) text = text.replace(/\r?\n/g, "↵ ");
-	if (visibleWidth(text) <= maxWidth) return text;
-	let result = "", width = 0;
-	for (let i = 0; i < text.length; i++) {
-		if (text[i] === "\x1b") {
-			const m = text.slice(i).match(/^\x1b\[[0-9;]*m/);
-			if (m) { result += m[0]; i += m[0].length - 1; continue; }
-		}
-		if (width >= maxWidth - 1) return result + "…";
-		result += text[i]; width++;
-	}
-	return result;
+	// Round 23 (BUG 4): previously this loop counted 1 visual column per UTF-16
+	// code unit and indexed text[i], so for CJK it emitted up to 2x the visual
+	// width (frame overflow) and for emoji it split surrogate pairs (U+FFFD).
+	// Delegate to the grapheme/ANSI-aware truncateToWidth (keeps ANSI codes,
+	// respects double-wide CJK + surrogate pairs, adds the '…' ellipsis).
+	return truncateToWidth(text, maxWidth);
 }
 
 export function formatToolPreview(name: string, args: Record<string, unknown>): string {

package/src/ui/tool-renderers/index.ts

@@ -12,6 +12,7 @@ import type { CrewTheme } from "../theme-adapter.ts";
 import { truncLine, formatTokens, formatDuration } from "../tool-render.ts";
 import type { CrewAgentRecord } from "../../runtime/crew-agent-runtime.ts";
 import { isBrief, briefToolResult } from "./brief-mode.ts";
+import { truncateToWidth } from "../../utils/visual.ts";
 
 // ── Types ──────────────────────────────────────────────────────────────
 
@@ -42,9 +43,11 @@ function padVisual(str: string, targetWidth: number): string {
 /** Truncate a string (which may contain ANSI codes) to a target VISUAL width. */
 function truncVisual(str: string, maxWidth: number): string {
 	if (visibleWidth(str) <= maxWidth) return str;
-	// Strip ANSI to truncate safely, then caller re-colors
-	const stripped = str.replace(/\x1b\[[0-9;]*m/g, "");
-	return stripped.slice(0, maxWidth);
+	// Round 23 (BUG 3): previously used String.slice(0, maxWidth) which counts
+	// UTF-16 code units — for CJK that overflows the card by up to 2x, and for
+	// emoji it splits a surrogate pair (U+FFFD). Use the grapheme/ANSI-aware
+	// truncateToWidth with empty ellipsis (the caller appends its own '…').
+	return truncateToWidth(str, maxWidth, "");
 }
 
 // ── Visual primitives ──────────────────────────────────────────────────

package/src/ui/widget/widget-formatters.ts

@@ -7,6 +7,7 @@
 import type { CrewAgentRecord } from "../../runtime/crew-agent-runtime.ts";
 import type { LiveAgentHandle } from "../../runtime/live-agent-manager.ts";
 import { getTaskUsage } from "../../runtime/usage-tracker.ts";
+import { computeLiveDurationMs } from "../live-duration.ts";
 
 // ── Token formatting ──────────────────────────────────────────────────
 
@@ -115,19 +116,7 @@ export function agentStats(agent: CrewAgentRecord, liveHandle?: LiveAgentHandle)
 			const ctxPct = stats?.contextUsage?.percent;
 			if (ctxPct != null) parts.push(`${Math.round(ctxPct)}% ctx`);
 		} catch { /* ignore */ }
-		const rawStarted = act.startedAtMs || 0;
-		const rawCompleted = act.completedAtMs || 0;
-		const nowMs = Date.now();
-		const toMs = (v: number): number => {
-			if (v <= 0) return 0;
-			if (v > 1000000000 && v < 10000000000) return v * 1000;
-			if (v > 100000000000 && v < 10000000000000) return v;
-			return v;
-		};
-		const startedMs = toMs(rawStarted);
-		const completedMs = rawCompleted > 0 ? toMs(rawCompleted) : 0;
-		const isValidStarted = startedMs > 0 && startedMs < nowMs + 60000 && startedMs > nowMs - 3155692600000;
-		const ms = (completedMs > 0 && completedMs < nowMs + 60000 ? completedMs : nowMs) - (isValidStarted ? startedMs : nowMs);
+		const ms = computeLiveDurationMs(act);
 		parts.push(`${(ms / 1000).toFixed(1)}s`);
 	} else {
 		if (agent.toolUses) parts.push(`${agent.toolUses} tools`);