pi-crew 0.9.0 → 0.9.1

package/CHANGELOG.md

@@ -1,5 +1,100 @@
 # Changelog
 
+## [v0.9.1] — Windows essentials fix + cross-platform CI green (2026-06-22)
+
+Patch release. No new features. Fixes a real Windows bug reported by a user,
+plus the cross-platform CI failures that followed.
+
+### fix(windows): `${APPDATA}` npm-global resolution failure (root cause)
+
+Reported symptom (Windows): running pi-crew created a phantom literal
+`${APPDATA}/npm/` directory in the project root (containing `node_modules`,
+`pi-crew`, `pi-crew.cmd`, `pi-crew.ps1`) and leaked a literal `${APPDATA}`
+line into `.gitignore`.
+
+Root cause: pi-crew's subprocess env sanitization used explicit allowlists
+that stripped **all Windows-essential env vars** (`APPDATA`, `LOCALAPPDATA`,
+`USERPROFILE`, `SystemRoot`, `ComSpec`, `TEMP`, `TMP`). When a child pi
+process (or npm inside it) tried to resolve the npm-global prefix on Windows,
+it used `%APPDATA%` (cmd expansion) / `${APPDATA}` (bash expansion), but
+`APPDATA` was missing from the env — so the shell left the literal
+`${APPDATA}` in place and operations created/ignored paths under that
+literal name.
+
+Fix: added the 7 Windows essentials to all 7 subprocess env allowlists
+(child-pi, async-runner, verification-gates, post-checks, iteration-hooks,
+worktree/cleanup, worktree/worktree-manager). (commit `a7ddc50`)
+
+### refactor(env): centralize Windows essentials + regression guard
+
+The same 7 vars were duplicated inline across 9 call sites — easy to forget
+on a new allowlist, with nothing preventing a future site from omitting them.
+
+- New single source of truth: `WINDOWS_ESSENTIAL_ENV_VARS` in
+  `src/utils/env-allowlist.ts` (with full root-cause documentation).
+- All 9 call sites now spread the constant instead of inlining (net −42/+19
+  lines, behavior unchanged).
+- New regression test `test/unit/env-allowlist.test.ts`: scans ALL
+  `src/**/*.ts` files and fails if any hardcodes the 7 vars inline (the only
+  allowed location is the constant file). This catches any new allowlist that
+  forgets the constant — the exact regression that caused the bug.
+(commit `6a0284c`)
+
+### fix(ci): cross-platform CI green (ubuntu + macOS + Windows)
+
+Three distinct containment/path bugs that only surfaced on non-ubuntu CI:
+
+1. **Windows 8.3 short-name paths** — `resolveWindowsCanonical()` used
+   non-native `realpathSync`, preserving the `RUNNER~1` vs `runneradmin`
+   form mismatch. A legitimately-contained dynamic workflow file was
+   rejected as "outside the allowed directories". Fixed by using
+   `realpathSync.native` (canonical long-name form) as the primary resolver.
+   (commit `e9e7137`)
+
+2. **ESM `file://` URLs** — two integration tests passed raw Windows paths
+   (`D:\…`) to native `import()`, which Node rejects on Windows
+   (`ERR_UNSUPPORTED_ESM_URL_SCHEME: protocol 'd:'`). Wrapped with
+   `pathToFileURL(…).href`. (commit `e9e7137`)
+
+3. **macOS symlink-ancestor** — `isSymlinkSafePath()` walked up the temp
+   path and hit `/var` (a symlink → `/private/var`). The old check compared
+   the resolved `/private/var` against the tmpdir
+   `/private/var/folders/…/T` — `/private/var` is an **ancestor**, not a
+   descendant, so it was wrongly rejected (5 macOS worker-atomic-writer
+   failures). Fixed by accepting a symlink whose target is a safe root, is
+   UNDER a safe root, OR is an ANCESTOR of a safe root. Added two behavioral
+   regression tests (symlink-ancestor accept + symlink-attack reject).
+   (commit `e9e7137`)
+
+4. **macOS `/var` containment** — `resolveContainedPath()` only
+   canonicalized paths on win32; on POSIX it compared raw paths, so base
+   (`/private/var`) vs target (`/var`) diverged → false "outside" rejection
+   (macOS dwf-setresult failure). Added platform-agnostic
+   `resolveCanonicalPath()`. Added a darwin-only regression test for the
+   real `/var` divergence. (commit `4821bb1`)
+
+5. **Windows wakeup timing** — `subagent-manager` polls the child run
+   manifest every 1000ms. On the slower Windows CI runner, child-process
+   spawn + first poll exceeded the test's 10s deadline (failed at 11.6s).
+   Bumped the mock-test deadline to 30s. (commit `4821bb1`)
+
+### Verification
+
+- tsc: 0
+- Full test suite: 5207 tests, 0 fail on **all three** platforms (ubuntu,
+  macOS, Windows)
+- CI run `27955398241`: success across ubuntu-latest, macos-latest,
+  windows-latest
+- Regression tests added: env-allowlist scan, worker-atomic-writer symlink
+  ancestor/attack, safe-paths darwin `/var` divergence
+
+### Breaking changes
+
+None. All fixes are additive or behavior-preserving. Windows users who hit
+the `${APPDATA}` bug should upgrade.
+
+---
+
 ## [v0.9.0] — goal loops + dynamic workflows (2026-06-18)
 
 Two new features, both built on a shared `runKind` background-dispatch discriminator.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pi-crew",
-  "version": "0.9.0",
+  "version": "0.9.1",
   "description": "Pi extension for coordinated AI teams, workflows, worktrees, and async task orchestration",
   "author": "baphuongna",
   "license": "MIT",

package/src/runtime/async-runner.ts

@@ -3,6 +3,7 @@ import { createRequire } from "node:module";
 import * as fs from "node:fs";
 import * as path from "node:path";
 import { fileURLToPath, pathToFileURL } from "node:url";
+import { WINDOWS_ESSENTIAL_ENV_VARS } from "../utils/env-allowlist.ts";
 import { logInternalError } from "../utils/internal-error.ts";
 import { appendEvent } from "../state/event-log.ts";
 import { sanitizeEnvSecrets } from "../utils/env-filter.ts";
@@ -183,6 +184,8 @@ export async function spawnBackgroundTeamRun(manifest: TeamRunManifest): Promise
 			"XDG_DATA_HOME",
 			"XDG_CACHE_HOME",
 			"XDG_RUNTIME_DIR",
+			// Windows essentials — see WINDOWS_ESSENTIAL_ENV_VARS (src/utils/env-allowlist.ts).
+			...WINDOWS_ESSENTIAL_ENV_VARS,
 			"NVM_BIN",
 			"NVM_DIR",
 			"NVM_INC",

package/src/runtime/child-pi.ts

@@ -1,6 +1,7 @@
 import { spawn, type ChildProcess, type SpawnOptions } from "node:child_process";
 import * as fs from "node:fs";
 import * as path from "node:path";
+import { WINDOWS_ESSENTIAL_ENV_VARS } from "../utils/env-allowlist.ts";
 import type { AgentConfig } from "../agents/agent-config.ts";
 import type { WorkerExitStatus } from "../state/types.ts";
 import { buildPiWorkerArgs, checkCrewDepth, cleanupTempDir } from "./pi-args.ts";
@@ -245,6 +246,8 @@ export function buildChildPiSpawnOptions(cwd: string, env: NodeJS.ProcessEnv): S
 			"XDG_DATA_HOME",
 			"XDG_CACHE_HOME",
 			"XDG_RUNTIME_DIR",
+			// Windows essentials — see WINDOWS_ESSENTIAL_ENV_VARS (src/utils/env-allowlist.ts).
+			...WINDOWS_ESSENTIAL_ENV_VARS,
 			"NVM_BIN",
 			"NVM_DIR",
 			"NVM_INC",

package/src/runtime/iteration-hooks.ts

@@ -7,6 +7,7 @@
 import { spawn } from "node:child_process";
 import * as fs from "node:fs";
 import * as path from "node:path";
+import { WINDOWS_ESSENTIAL_ENV_VARS } from "../utils/env-allowlist.ts";
 import { resolveShellForScript } from "../utils/resolve-shell.ts";
 import { sanitizeEnvSecrets } from "../utils/env-filter.ts";
 import { DENIED_METRIC_NAMES } from "./metric-parser.ts";
@@ -171,7 +172,7 @@ export async function runIterationHook(
 		const { command, args } = resolveShellForScript(resolvedScript);
 		const child = spawn(command, args, {
 			cwd: payload.cwd,
-			env: { ...sanitizeEnvSecrets(process.env, { allowList: ["PATH", "HOME", "USER", "USERPROFILE", "TEMP", "TMP", "TMPDIR", "LANG", "LC_ALL", "ComSpec", "SystemRoot", "PI_CREW_*"] }), PI_CREW_HOOK: "1" },
+			env: { ...sanitizeEnvSecrets(process.env, { allowList: ["PATH", "HOME", "USER", ...WINDOWS_ESSENTIAL_ENV_VARS, "TMPDIR", "LANG", "LC_ALL", "PI_CREW_*"] }), PI_CREW_HOOK: "1" },
 			stdio: ["pipe", "pipe", "pipe"],
 		});
 

package/src/runtime/post-checks.ts

@@ -6,6 +6,7 @@
  */
 import { execFileSync } from "node:child_process";
 import * as path from "node:path";
+import { WINDOWS_ESSENTIAL_ENV_VARS } from "../utils/env-allowlist.ts";
 import { resolveShellForScript } from "../utils/resolve-shell.ts";
 import { sanitizeEnvSecrets } from "../utils/env-filter.ts";
 
@@ -94,7 +95,7 @@ export async function runPostCheck(config: PostCheckConfig, cwd: string): Promis
 				timeout: timeoutMs,
 				encoding: "utf-8",
 				maxBuffer: 10 * 1024 * 1024, // 10 MB
-				env: { ...sanitizeEnvSecrets(process.env, { allowList: ["PATH", "HOME", "USER", "USERPROFILE", "TEMP", "TMP", "TMPDIR", "LANG", "LC_ALL", "ComSpec", "SystemRoot", "PI_CREW_*"] }), PI_CREW_POST_CHECK: "1" },
+				env: { ...sanitizeEnvSecrets(process.env, { allowList: ["PATH", "HOME", "USER", ...WINDOWS_ESSENTIAL_ENV_VARS, "TMPDIR", "LANG", "LC_ALL", "PI_CREW_*"] }), PI_CREW_POST_CHECK: "1" },
 			});
 
 			const durationMs = Date.now() - startTime;

package/src/runtime/verification-gates.ts

@@ -12,6 +12,7 @@
 import { spawn } from "node:child_process";
 import * as fs from "node:fs";
 import * as path from "node:path";
+import { WINDOWS_ESSENTIAL_ENV_VARS } from "../utils/env-allowlist.ts";
 import { writeArtifact } from "../state/artifact-store.ts";
 import { redactSecretString } from "../utils/redaction.ts";
 import { sanitizeEnvSecrets } from "../utils/env-filter.ts";
@@ -48,6 +49,8 @@ const VERIFICATION_ENV_ALLOWLIST: readonly string[] = [
 	"XDG_DATA_HOME",
 	"XDG_CACHE_HOME",
 	"XDG_RUNTIME_DIR",
+	// Windows essentials — see WINDOWS_ESSENTIAL_ENV_VARS (src/utils/env-allowlist.ts).
+	...WINDOWS_ESSENTIAL_ENV_VARS,
 	"NVM_BIN",
 	"NVM_DIR",
 	"NVM_INC",

package/src/state/worker-atomic-writer.ts

@@ -40,24 +40,38 @@ const crypto = require("node:crypto");
 
 function isSymlinkSafePath(filePath) {
   try {
-    let currentPath = filePath;
+    // Safe roots: the system temp dir (resolved through any symlinks, e.g.
+    // macOS /var → /private/var) and the current project cwd.
+    var tmpReal;
+    try { tmpReal = fs.realpathSync(require("node:os").tmpdir()); } catch (e2) { tmpReal = require("node:os").tmpdir(); }
+    var cwd = process.cwd();
+    // Accept a symlink ancestor as safe if the resolved target (a) IS a safe
+    // root, (b) is UNDER a safe root (target is a descendant), or (c) is an
+    // ANCESTOR of a safe root (target is a parent dir of a safe root).
+    // Case (c) is essential on macOS: /var → /private/var is an ancestor of
+    // the tmpdir /private/var/folders/…, so it must be allowed.
+    var isSafeAncestor = function (real) {
+      var roots = [tmpReal, cwd];
+      return roots.some(function (root) {
+        return real === root
+          || real.indexOf(root + path.sep) === 0
+          || root.indexOf(real + path.sep) === 0;
+      });
+    };
+    var currentPath = filePath;
     while (currentPath !== path.dirname(currentPath)) {
-      const dir = path.dirname(currentPath);
+      var dir = path.dirname(currentPath);
       try {
-        const stat = fs.lstatSync(dir);
+        var stat = fs.lstatSync(dir);
         if (stat.isSymbolicLink()) {
-          // Accept symlinks under /tmp (macOS /var/folders) and project dirs;
-          // reject others. Mirrors atomic-write.ts policy for goal-loop paths.
-          const real = fs.realpathSync(dir);
-          if (!real.startsWith("/tmp/") && !real.startsWith(process.cwd())) {
-            return false;
-          }
+          var real = fs.realpathSync(dir);
+          if (!isSafeAncestor(real)) return false;
         }
-      } catch { /* not found — fine */ }
+      } catch (e3) { /* not found — fine */ }
       currentPath = dir;
     }
     return true;
-  } catch { return true; }
+  } catch (e) { return true; }
 }
 
 function syncAtomicWriteFile(filePath, content) {

package/src/utils/env-allowlist.ts

@@ -0,0 +1,30 @@
+/**
+ * Windows-essential environment variables that MUST be present in every
+ * subprocess env allowlist in pi-crew.
+ *
+ * Without them, child processes on Windows cannot locate the npm-global prefix
+ * (`%APPDATA%\npm`), the user profile, system DLLs (SystemRoot), cmd.exe
+ * (ComSpec), or a writable temp dir.
+ *
+ * Regression root cause (v0.9.0): env allowlists stripped these vars, so child
+ * pi/npm resolved the npm-global prefix via the literal `%APPDATA%` (cmd) /
+ * `${APPDATA}` (bash) expansion — but APPDATA was missing from the env, so the
+ * shell left the literal `${APPDATA}` in place. A phantom `${APPDATA}/npm`
+ * directory appeared in the project root and a literal `${APPDATA}` line leaked
+ * into `.gitignore`.
+ *
+ * USAGE: spread this constant into every `allowList` array:
+ *   `allowList: ["PATH", "HOME", ...WINDOWS_ESSENTIAL_ENV_VARS, ...]`
+ *
+ * The regression test `test/unit/env-allowlist.test.ts` enforces that no
+ * `src/` file hardcodes these vars inline — all sites MUST use this constant.
+ */
+export const WINDOWS_ESSENTIAL_ENV_VARS: readonly string[] = [
+	"APPDATA",
+	"LOCALAPPDATA",
+	"USERPROFILE",
+	"SystemRoot",
+	"ComSpec",
+	"TEMP",
+	"TMP",
+];

package/src/utils/safe-paths.ts

@@ -16,32 +16,73 @@ export function resolveContainedPath(baseDir: string, targetPath: string): strin
 	}
 	const base = path.resolve(baseDir);
 	const resolved = path.isAbsolute(targetPath) ? path.resolve(targetPath) : path.resolve(base, targetPath);
-	// On Windows, paths are case-insensitive and short-name (8.3) aliases may
-	// differ from long-name forms (e.g. C:\Users\RUNNER~1 vs C:\Users\runneradmin).
-	// We normalize both paths to their canonical form by resolving through
-	// realpathSync, walking up ancestors for non-existent paths.
-	const baseNorm = process.platform === "win32" ? resolveWindowsCanonical(base) : base;
-	const resolvedNorm = process.platform === "win32" ? resolveWindowsCanonical(resolved) : resolved;
+	// Normalize BOTH paths to canonical form on ALL platforms. This resolves
+	// symlinks so that a base and target that refer to the same physical dir
+	// via different paths (Windows 8.3 short-name; macOS /var → /private/var)
+	// compare equal. Without this, a legitimately-contained target under an
+	// OS-managed symlink is wrongly rejected as "outside" the base.
+	const baseNorm = resolveCanonicalPath(base);
+	const resolvedNorm = resolveCanonicalPath(resolved);
 	const relative = process.platform === "win32"
 		? path.relative(baseNorm.toLowerCase(), resolvedNorm.toLowerCase())
-		: path.relative(base, resolved);
+		: path.relative(baseNorm, resolvedNorm);
 	if (relative.startsWith("..") || path.isAbsolute(relative)) throw new Error(`Path is outside ${baseDir}: ${targetPath}`);
 	return resolved;
 }
 
+/**
+ * Platform-agnostic canonical path resolution. Resolves symlinks (via
+ * realpathSync) to normalize paths so the same physical location always
+ * yields the same string regardless of how it was referenced.
+ *
+ * - Windows: delegates to resolveWindowsCanonical (canonical LONG-NAME form,
+ *   resolving 8.3 short-name aliases like RUNNER~1 → runneradmin).
+ * - POSIX: uses realpathSync, which resolves system symlinks such as the
+ *   macOS /var → /private/var mapping.
+ *
+ * For non-existent paths (write targets), walks up to the deepest existing
+ * ancestor and joins the remaining components, so the canonical prefix is
+ * still comparable.
+ */
+function resolveCanonicalPath(p: string): string {
+	if (process.platform === "win32") return resolveWindowsCanonical(p);
+	try {
+		return fs.realpathSync(p);
+	} catch {
+		const parts: string[] = [];
+		let current = p;
+		while (current !== path.dirname(current)) {
+			try {
+				const real = fs.realpathSync(current);
+				let acc = real;
+				for (let i = parts.length - 1; i >= 0; i--) acc = path.join(acc, parts[i]);
+				return acc;
+			} catch { /* keep walking up */ }
+			parts.push(path.basename(current));
+			current = path.dirname(current);
+		}
+		return p;
+	}
+}
+
 /**
  * On Windows, resolve a path to its canonical (long-name) form.
  * Walks up ancestors until finding one that exists, then joins back down.
  * This handles paths where intermediate directories don't exist yet but
  * their ancestors do (and may use short-name aliases).
+ *
+ * Uses fs.realpathSync.native (canonical long-name form) as the primary
+ * resolver, falling back to non-native realpathSync if .native fails.
  */
 function resolveWindowsCanonical(p: string): string {
 	try {
-		// Use regular realpathSync (not .native) to preserve the input path form.
-		// On Windows CI, .native always returns long-name (runneradmin) while
-		// non-native preserves short-name (RUNNER~1). Using non-native ensures
-		// the returned form matches what os.tmpdir() and mkdtempSync produce.
-		let real = fs.realpathSync(p);
+		// Use the NATIVE realpath to resolve to canonical LONG-NAME form.
+		// On Windows, fs.realpathSync.native resolves 8.3 short-name aliases
+		// (e.g. RUNNER~1) to long-name (runneradmin). This is essential for
+		// containment checks: base (from cwd, often long-name) and target
+		// (from os.tmpdir()/mkdtempSync, often short-name) must normalize to
+		// the SAME form or a contained target is wrongly rejected as "outside".
+		let real = fs.realpathSync.native(p);
 		// Guard against NTFS internal paths (e.g. C:\$Extend\$Deleted)
 		if (real.includes("$Extend") || real.includes("$Deleted")) throw new Error("NTFS internal path");
 		return real;
@@ -56,8 +97,8 @@ function resolveWindowsCanonical(p: string): string {
 		let current = p;
 		while (current !== path.dirname(current)) {
 			try {
-				// Use non-native to preserve input path form
-				let real = fs.realpathSync(current);
+				let real: string;
+				try { real = fs.realpathSync.native(current); } catch { real = fs.realpathSync(current); }
 				// Guard against NTFS internal paths
 				if (real.includes("$Extend") || real.includes("$Deleted")) throw new Error("NTFS internal path");
 				// Found existing ancestor — join with remaining parts in reverse order

package/src/worktree/cleanup.ts

@@ -1,6 +1,7 @@
 import { execFileSync } from "node:child_process";
 import * as fs from "node:fs";
 import * as path from "node:path";
+import { WINDOWS_ESSENTIAL_ENV_VARS } from "../utils/env-allowlist.ts";
 import type { TeamRunManifest } from "../state/types.ts";
 import { writeArtifact } from "../state/artifact-store.ts";
 import { projectCrewRoot } from "../utils/paths.ts";
@@ -18,7 +19,7 @@ export interface WorktreeCleanupResult {
 
 // SECURITY: PI_* and PI_CREW_* wildcards removed — they could match secret vars like PI_PASSWORD.
 // Git operations do not need PI_CREW_* execution-control vars.
-const GIT_SAFE_ENV = { ...sanitizeEnvSecrets(process.env, { allowList: ["PATH", "HOME", "USER", "USERPROFILE", "SHELL", "TERM", "LANG", "LC_ALL", "LC_COLLATE", "LC_CTYPE", "LC_MESSAGES", "XDG_CONFIG_HOME", "XDG_DATA_HOME", "XDG_CACHE_HOME", "NVM_BIN", "NVM_DIR", "NODE_PATH", "GIT_CONFIG_GLOBAL", "GIT_CONFIG_SYSTEM", "GIT_AUTHOR_NAME", "GIT_AUTHOR_EMAIL", "GIT_COMMITTER_NAME", "GIT_COMMITTER_EMAIL"] }), LANG: "C", LC_ALL: "C" };
+const GIT_SAFE_ENV = { ...sanitizeEnvSecrets(process.env, { allowList: ["PATH", "HOME", "USER", ...WINDOWS_ESSENTIAL_ENV_VARS, "SHELL", "TERM", "LANG", "LC_ALL", "LC_COLLATE", "LC_CTYPE", "LC_MESSAGES", "XDG_CONFIG_HOME", "XDG_DATA_HOME", "XDG_CACHE_HOME", "NVM_BIN", "NVM_DIR", "NODE_PATH", "GIT_CONFIG_GLOBAL", "GIT_CONFIG_SYSTEM", "GIT_AUTHOR_NAME", "GIT_AUTHOR_EMAIL", "GIT_COMMITTER_NAME", "GIT_COMMITTER_EMAIL"] }), LANG: "C", LC_ALL: "C" };
 
 function sanitizeBranchPart(value: string): string {
 	return value.toLowerCase().replace(/[^a-z0-9._/-]+/g, "-").replace(/^-+|-+$/g, "") || "task";

package/src/worktree/worktree-manager.ts

@@ -1,6 +1,7 @@
 import { execFileSync, spawnSync } from "node:child_process";
 import * as fs from "node:fs";
 import * as path from "node:path";
+import { WINDOWS_ESSENTIAL_ENV_VARS } from "../utils/env-allowlist.ts";
 import { loadConfig } from "../config/config.ts";
 import { projectCrewRoot } from "../utils/paths.ts";
 import { DEFAULT_PATHS } from "../config/defaults.ts";
@@ -27,7 +28,7 @@ export interface WorktreeDiffStat {
 function git(cwd: string, args: string[]): string {
 	// SECURITY: PI_* and PI_CREW_* wildcards removed — they could match secret vars like PI_PASSWORD.
 // Git operations do not need PI_CREW_* execution-control vars.
-return execFileSync("git", args, { cwd, encoding: "utf-8", stdio: ["ignore", "pipe", "pipe"], env: { ...sanitizeEnvSecrets(process.env, { allowList: ["PATH", "HOME", "USER", "USERPROFILE", "SHELL", "TERM", "LANG", "LC_ALL", "LC_COLLATE", "LC_CTYPE", "LC_MESSAGES", "XDG_CONFIG_HOME", "XDG_DATA_HOME", "XDG_CACHE_HOME", "NVM_BIN", "NVM_DIR", "NODE_PATH", "GIT_CONFIG_GLOBAL", "GIT_CONFIG_SYSTEM", "GIT_AUTHOR_NAME", "GIT_AUTHOR_EMAIL", "GIT_COMMITTER_NAME", "GIT_COMMITTER_EMAIL"] }), LANG: "en_US.UTF-8", LC_ALL: "en_US.UTF-8" }, windowsHide: true }).trim();
+return execFileSync("git", args, { cwd, encoding: "utf-8", stdio: ["ignore", "pipe", "pipe"], env: { ...sanitizeEnvSecrets(process.env, { allowList: ["PATH", "HOME", "USER", ...WINDOWS_ESSENTIAL_ENV_VARS, "SHELL", "TERM", "LANG", "LC_ALL", "LC_COLLATE", "LC_CTYPE", "LC_MESSAGES", "XDG_CONFIG_HOME", "XDG_DATA_HOME", "XDG_CACHE_HOME", "NVM_BIN", "NVM_DIR", "NODE_PATH", "GIT_CONFIG_GLOBAL", "GIT_CONFIG_SYSTEM", "GIT_AUTHOR_NAME", "GIT_AUTHOR_EMAIL", "GIT_COMMITTER_NAME", "GIT_COMMITTER_EMAIL"] }), LANG: "en_US.UTF-8", LC_ALL: "en_US.UTF-8" }, windowsHide: true }).trim();
 }
 
 // Dots are removed from branch names since they are used in path construction,
@@ -182,7 +183,7 @@ function runSetupHook(manifest: TeamRunManifest, task: TeamTaskState, repoRoot:
 			timeout: cfg.setupHookTimeoutMs ?? 30_000,
 			shell: false,  // cmd.exe /c handles batch files safely
 			env: sanitizeEnvSecrets(process.env, {
-				allowList: ["PATH", "HOME", "USERPROFILE", "TEMP", "TMP", "TMPDIR", "LANG", "LC_ALL"],
+				allowList: ["PATH", "HOME", ...WINDOWS_ESSENTIAL_ENV_VARS, "TMPDIR", "LANG", "LC_ALL"],
 			}),
 			windowsHide: true,
 		})
@@ -193,7 +194,7 @@ function runSetupHook(manifest: TeamRunManifest, task: TeamTaskState, repoRoot:
 			timeout: cfg.setupHookTimeoutMs ?? 30_000,
 			shell: false,
 			env: sanitizeEnvSecrets(process.env, {
-				allowList: ["PATH", "HOME", "USERPROFILE", "TEMP", "TMP", "TMPDIR", "LANG", "LC_ALL"],
+				allowList: ["PATH", "HOME", ...WINDOWS_ESSENTIAL_ENV_VARS, "TMPDIR", "LANG", "LC_ALL"],
 			}),
 			windowsHide: true,
 		});