pi-crew 0.9.0 → 0.9.2

package/CHANGELOG.md

@@ -1,5 +1,137 @@
 # Changelog
 
+## [v0.9.2] — package cleanup: remove scratch scripts leaked into npm tarball (2026-06-22)
+
+Patch release. **No code changes.** Purely a published-package hygiene fix.
+
+### What was wrong
+
+The `package.json` `files` field includes a root-level `*.mjs` glob, intended
+for the legit `install.mjs` (postinstall script). It accidentally also picked
+up three ad-hoc scratch scripts that were committed at the repo root during
+earlier development:
+
+- `test-tp.mjs` — a 12-line `tool-progress` format smoke print
+- `test-bugs-all.mjs` — an 89-line string-matching bug-fix verifier
+- `test-lastActivityAt.mjs` — a manual `node:test` for a heartbeat fallback
+
+All three shipped in the published npm tarball (v0.9.0 and v0.9.1) even though
+they are not part of `npm test` and have no runtime value for consumers.
+
+### Fix
+
+- `git rm`'d the three scratch scripts. The behavior they checked is covered by
+  the real unit suite (`test/unit/`), which does NOT ship to npm.
+- After the fix, the only `.mjs` in the tarball is the intended `install.mjs`.
+
+### Verification
+
+- tsc: 0
+- `npm pack --dry-run` confirms `install.mjs` is the only `.mjs` shipped
+- regression suite (env-allowlist, goal-p1d-schema): 11/11 pass
+- No behavior change — consumers see no functional difference
+
+### Breaking changes
+
+None.
+
+---
+
+## [v0.9.1] — Windows essentials fix + cross-platform CI green (2026-06-22)
+
+Patch release. No new features. Fixes a real Windows bug reported by a user,
+plus the cross-platform CI failures that followed.
+
+### fix(windows): `${APPDATA}` npm-global resolution failure (root cause)
+
+Reported symptom (Windows): running pi-crew created a phantom literal
+`${APPDATA}/npm/` directory in the project root (containing `node_modules`,
+`pi-crew`, `pi-crew.cmd`, `pi-crew.ps1`) and leaked a literal `${APPDATA}`
+line into `.gitignore`.
+
+Root cause: pi-crew's subprocess env sanitization used explicit allowlists
+that stripped **all Windows-essential env vars** (`APPDATA`, `LOCALAPPDATA`,
+`USERPROFILE`, `SystemRoot`, `ComSpec`, `TEMP`, `TMP`). When a child pi
+process (or npm inside it) tried to resolve the npm-global prefix on Windows,
+it used `%APPDATA%` (cmd expansion) / `${APPDATA}` (bash expansion), but
+`APPDATA` was missing from the env — so the shell left the literal
+`${APPDATA}` in place and operations created/ignored paths under that
+literal name.
+
+Fix: added the 7 Windows essentials to all 7 subprocess env allowlists
+(child-pi, async-runner, verification-gates, post-checks, iteration-hooks,
+worktree/cleanup, worktree/worktree-manager). (commit `a7ddc50`)
+
+### refactor(env): centralize Windows essentials + regression guard
+
+The same 7 vars were duplicated inline across 9 call sites — easy to forget
+on a new allowlist, with nothing preventing a future site from omitting them.
+
+- New single source of truth: `WINDOWS_ESSENTIAL_ENV_VARS` in
+  `src/utils/env-allowlist.ts` (with full root-cause documentation).
+- All 9 call sites now spread the constant instead of inlining (net −42/+19
+  lines, behavior unchanged).
+- New regression test `test/unit/env-allowlist.test.ts`: scans ALL
+  `src/**/*.ts` files and fails if any hardcodes the 7 vars inline (the only
+  allowed location is the constant file). This catches any new allowlist that
+  forgets the constant — the exact regression that caused the bug.
+(commit `6a0284c`)
+
+### fix(ci): cross-platform CI green (ubuntu + macOS + Windows)
+
+Three distinct containment/path bugs that only surfaced on non-ubuntu CI:
+
+1. **Windows 8.3 short-name paths** — `resolveWindowsCanonical()` used
+   non-native `realpathSync`, preserving the `RUNNER~1` vs `runneradmin`
+   form mismatch. A legitimately-contained dynamic workflow file was
+   rejected as "outside the allowed directories". Fixed by using
+   `realpathSync.native` (canonical long-name form) as the primary resolver.
+   (commit `e9e7137`)
+
+2. **ESM `file://` URLs** — two integration tests passed raw Windows paths
+   (`D:\…`) to native `import()`, which Node rejects on Windows
+   (`ERR_UNSUPPORTED_ESM_URL_SCHEME: protocol 'd:'`). Wrapped with
+   `pathToFileURL(…).href`. (commit `e9e7137`)
+
+3. **macOS symlink-ancestor** — `isSymlinkSafePath()` walked up the temp
+   path and hit `/var` (a symlink → `/private/var`). The old check compared
+   the resolved `/private/var` against the tmpdir
+   `/private/var/folders/…/T` — `/private/var` is an **ancestor**, not a
+   descendant, so it was wrongly rejected (5 macOS worker-atomic-writer
+   failures). Fixed by accepting a symlink whose target is a safe root, is
+   UNDER a safe root, OR is an ANCESTOR of a safe root. Added two behavioral
+   regression tests (symlink-ancestor accept + symlink-attack reject).
+   (commit `e9e7137`)
+
+4. **macOS `/var` containment** — `resolveContainedPath()` only
+   canonicalized paths on win32; on POSIX it compared raw paths, so base
+   (`/private/var`) vs target (`/var`) diverged → false "outside" rejection
+   (macOS dwf-setresult failure). Added platform-agnostic
+   `resolveCanonicalPath()`. Added a darwin-only regression test for the
+   real `/var` divergence. (commit `4821bb1`)
+
+5. **Windows wakeup timing** — `subagent-manager` polls the child run
+   manifest every 1000ms. On the slower Windows CI runner, child-process
+   spawn + first poll exceeded the test's 10s deadline (failed at 11.6s).
+   Bumped the mock-test deadline to 30s. (commit `4821bb1`)
+
+### Verification
+
+- tsc: 0
+- Full test suite: 5207 tests, 0 fail on **all three** platforms (ubuntu,
+  macOS, Windows)
+- CI run `27955398241`: success across ubuntu-latest, macos-latest,
+  windows-latest
+- Regression tests added: env-allowlist scan, worker-atomic-writer symlink
+  ancestor/attack, safe-paths darwin `/var` divergence
+
+### Breaking changes
+
+None. All fixes are additive or behavior-preserving. Windows users who hit
+the `${APPDATA}` bug should upgrade.
+
+---
+
 ## [v0.9.0] — goal loops + dynamic workflows (2026-06-18)
 
 Two new features, both built on a shared `runKind` background-dispatch discriminator.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pi-crew",
-  "version": "0.9.0",
+  "version": "0.9.2",
   "description": "Pi extension for coordinated AI teams, workflows, worktrees, and async task orchestration",
   "author": "baphuongna",
   "license": "MIT",

package/src/runtime/async-runner.ts

@@ -3,6 +3,7 @@ import { createRequire } from "node:module";
 import * as fs from "node:fs";
 import * as path from "node:path";
 import { fileURLToPath, pathToFileURL } from "node:url";
+import { WINDOWS_ESSENTIAL_ENV_VARS } from "../utils/env-allowlist.ts";
 import { logInternalError } from "../utils/internal-error.ts";
 import { appendEvent } from "../state/event-log.ts";
 import { sanitizeEnvSecrets } from "../utils/env-filter.ts";
@@ -183,6 +184,8 @@ export async function spawnBackgroundTeamRun(manifest: TeamRunManifest): Promise
 			"XDG_DATA_HOME",
 			"XDG_CACHE_HOME",
 			"XDG_RUNTIME_DIR",
+			// Windows essentials — see WINDOWS_ESSENTIAL_ENV_VARS (src/utils/env-allowlist.ts).
+			...WINDOWS_ESSENTIAL_ENV_VARS,
 			"NVM_BIN",
 			"NVM_DIR",
 			"NVM_INC",

package/src/runtime/child-pi.ts

@@ -1,6 +1,7 @@
 import { spawn, type ChildProcess, type SpawnOptions } from "node:child_process";
 import * as fs from "node:fs";
 import * as path from "node:path";
+import { WINDOWS_ESSENTIAL_ENV_VARS } from "../utils/env-allowlist.ts";
 import type { AgentConfig } from "../agents/agent-config.ts";
 import type { WorkerExitStatus } from "../state/types.ts";
 import { buildPiWorkerArgs, checkCrewDepth, cleanupTempDir } from "./pi-args.ts";
@@ -245,6 +246,8 @@ export function buildChildPiSpawnOptions(cwd: string, env: NodeJS.ProcessEnv): S
 			"XDG_DATA_HOME",
 			"XDG_CACHE_HOME",
 			"XDG_RUNTIME_DIR",
+			// Windows essentials — see WINDOWS_ESSENTIAL_ENV_VARS (src/utils/env-allowlist.ts).
+			...WINDOWS_ESSENTIAL_ENV_VARS,
 			"NVM_BIN",
 			"NVM_DIR",
 			"NVM_INC",

package/src/runtime/iteration-hooks.ts

@@ -7,6 +7,7 @@
 import { spawn } from "node:child_process";
 import * as fs from "node:fs";
 import * as path from "node:path";
+import { WINDOWS_ESSENTIAL_ENV_VARS } from "../utils/env-allowlist.ts";
 import { resolveShellForScript } from "../utils/resolve-shell.ts";
 import { sanitizeEnvSecrets } from "../utils/env-filter.ts";
 import { DENIED_METRIC_NAMES } from "./metric-parser.ts";
@@ -171,7 +172,7 @@ export async function runIterationHook(
 		const { command, args } = resolveShellForScript(resolvedScript);
 		const child = spawn(command, args, {
 			cwd: payload.cwd,
-			env: { ...sanitizeEnvSecrets(process.env, { allowList: ["PATH", "HOME", "USER", "USERPROFILE", "TEMP", "TMP", "TMPDIR", "LANG", "LC_ALL", "ComSpec", "SystemRoot", "PI_CREW_*"] }), PI_CREW_HOOK: "1" },
+			env: { ...sanitizeEnvSecrets(process.env, { allowList: ["PATH", "HOME", "USER", ...WINDOWS_ESSENTIAL_ENV_VARS, "TMPDIR", "LANG", "LC_ALL", "PI_CREW_*"] }), PI_CREW_HOOK: "1" },
 			stdio: ["pipe", "pipe", "pipe"],
 		});
 

package/src/runtime/post-checks.ts

@@ -6,6 +6,7 @@
  */
 import { execFileSync } from "node:child_process";
 import * as path from "node:path";
+import { WINDOWS_ESSENTIAL_ENV_VARS } from "../utils/env-allowlist.ts";
 import { resolveShellForScript } from "../utils/resolve-shell.ts";
 import { sanitizeEnvSecrets } from "../utils/env-filter.ts";
 
@@ -94,7 +95,7 @@ export async function runPostCheck(config: PostCheckConfig, cwd: string): Promis
 				timeout: timeoutMs,
 				encoding: "utf-8",
 				maxBuffer: 10 * 1024 * 1024, // 10 MB
-				env: { ...sanitizeEnvSecrets(process.env, { allowList: ["PATH", "HOME", "USER", "USERPROFILE", "TEMP", "TMP", "TMPDIR", "LANG", "LC_ALL", "ComSpec", "SystemRoot", "PI_CREW_*"] }), PI_CREW_POST_CHECK: "1" },
+				env: { ...sanitizeEnvSecrets(process.env, { allowList: ["PATH", "HOME", "USER", ...WINDOWS_ESSENTIAL_ENV_VARS, "TMPDIR", "LANG", "LC_ALL", "PI_CREW_*"] }), PI_CREW_POST_CHECK: "1" },
 			});
 
 			const durationMs = Date.now() - startTime;

package/src/runtime/verification-gates.ts

@@ -12,6 +12,7 @@
 import { spawn } from "node:child_process";
 import * as fs from "node:fs";
 import * as path from "node:path";
+import { WINDOWS_ESSENTIAL_ENV_VARS } from "../utils/env-allowlist.ts";
 import { writeArtifact } from "../state/artifact-store.ts";
 import { redactSecretString } from "../utils/redaction.ts";
 import { sanitizeEnvSecrets } from "../utils/env-filter.ts";
@@ -48,6 +49,8 @@ const VERIFICATION_ENV_ALLOWLIST: readonly string[] = [
 	"XDG_DATA_HOME",
 	"XDG_CACHE_HOME",
 	"XDG_RUNTIME_DIR",
+	// Windows essentials — see WINDOWS_ESSENTIAL_ENV_VARS (src/utils/env-allowlist.ts).
+	...WINDOWS_ESSENTIAL_ENV_VARS,
 	"NVM_BIN",
 	"NVM_DIR",
 	"NVM_INC",

package/src/state/worker-atomic-writer.ts

@@ -40,24 +40,38 @@ const crypto = require("node:crypto");
 
 function isSymlinkSafePath(filePath) {
   try {
-    let currentPath = filePath;
+    // Safe roots: the system temp dir (resolved through any symlinks, e.g.
+    // macOS /var → /private/var) and the current project cwd.
+    var tmpReal;
+    try { tmpReal = fs.realpathSync(require("node:os").tmpdir()); } catch (e2) { tmpReal = require("node:os").tmpdir(); }
+    var cwd = process.cwd();
+    // Accept a symlink ancestor as safe if the resolved target (a) IS a safe
+    // root, (b) is UNDER a safe root (target is a descendant), or (c) is an
+    // ANCESTOR of a safe root (target is a parent dir of a safe root).
+    // Case (c) is essential on macOS: /var → /private/var is an ancestor of
+    // the tmpdir /private/var/folders/…, so it must be allowed.
+    var isSafeAncestor = function (real) {
+      var roots = [tmpReal, cwd];
+      return roots.some(function (root) {
+        return real === root
+          || real.indexOf(root + path.sep) === 0
+          || root.indexOf(real + path.sep) === 0;
+      });
+    };
+    var currentPath = filePath;
     while (currentPath !== path.dirname(currentPath)) {
-      const dir = path.dirname(currentPath);
+      var dir = path.dirname(currentPath);
       try {
-        const stat = fs.lstatSync(dir);
+        var stat = fs.lstatSync(dir);
         if (stat.isSymbolicLink()) {
-          // Accept symlinks under /tmp (macOS /var/folders) and project dirs;
-          // reject others. Mirrors atomic-write.ts policy for goal-loop paths.
-          const real = fs.realpathSync(dir);
-          if (!real.startsWith("/tmp/") && !real.startsWith(process.cwd())) {
-            return false;
-          }
+          var real = fs.realpathSync(dir);
+          if (!isSafeAncestor(real)) return false;
         }
-      } catch { /* not found — fine */ }
+      } catch (e3) { /* not found — fine */ }
       currentPath = dir;
     }
     return true;
-  } catch { return true; }
+  } catch (e) { return true; }
 }
 
 function syncAtomicWriteFile(filePath, content) {

package/src/utils/env-allowlist.ts

@@ -0,0 +1,30 @@
+/**
+ * Windows-essential environment variables that MUST be present in every
+ * subprocess env allowlist in pi-crew.
+ *
+ * Without them, child processes on Windows cannot locate the npm-global prefix
+ * (`%APPDATA%\npm`), the user profile, system DLLs (SystemRoot), cmd.exe
+ * (ComSpec), or a writable temp dir.
+ *
+ * Regression root cause (v0.9.0): env allowlists stripped these vars, so child
+ * pi/npm resolved the npm-global prefix via the literal `%APPDATA%` (cmd) /
+ * `${APPDATA}` (bash) expansion — but APPDATA was missing from the env, so the
+ * shell left the literal `${APPDATA}` in place. A phantom `${APPDATA}/npm`
+ * directory appeared in the project root and a literal `${APPDATA}` line leaked
+ * into `.gitignore`.
+ *
+ * USAGE: spread this constant into every `allowList` array:
+ *   `allowList: ["PATH", "HOME", ...WINDOWS_ESSENTIAL_ENV_VARS, ...]`
+ *
+ * The regression test `test/unit/env-allowlist.test.ts` enforces that no
+ * `src/` file hardcodes these vars inline — all sites MUST use this constant.
+ */
+export const WINDOWS_ESSENTIAL_ENV_VARS: readonly string[] = [
+	"APPDATA",
+	"LOCALAPPDATA",
+	"USERPROFILE",
+	"SystemRoot",
+	"ComSpec",
+	"TEMP",
+	"TMP",
+];

package/src/utils/safe-paths.ts

@@ -16,32 +16,73 @@ export function resolveContainedPath(baseDir: string, targetPath: string): strin
 	}
 	const base = path.resolve(baseDir);
 	const resolved = path.isAbsolute(targetPath) ? path.resolve(targetPath) : path.resolve(base, targetPath);
-	// On Windows, paths are case-insensitive and short-name (8.3) aliases may
-	// differ from long-name forms (e.g. C:\Users\RUNNER~1 vs C:\Users\runneradmin).
-	// We normalize both paths to their canonical form by resolving through
-	// realpathSync, walking up ancestors for non-existent paths.
-	const baseNorm = process.platform === "win32" ? resolveWindowsCanonical(base) : base;
-	const resolvedNorm = process.platform === "win32" ? resolveWindowsCanonical(resolved) : resolved;
+	// Normalize BOTH paths to canonical form on ALL platforms. This resolves
+	// symlinks so that a base and target that refer to the same physical dir
+	// via different paths (Windows 8.3 short-name; macOS /var → /private/var)
+	// compare equal. Without this, a legitimately-contained target under an
+	// OS-managed symlink is wrongly rejected as "outside" the base.
+	const baseNorm = resolveCanonicalPath(base);
+	const resolvedNorm = resolveCanonicalPath(resolved);
 	const relative = process.platform === "win32"
 		? path.relative(baseNorm.toLowerCase(), resolvedNorm.toLowerCase())
-		: path.relative(base, resolved);
+		: path.relative(baseNorm, resolvedNorm);
 	if (relative.startsWith("..") || path.isAbsolute(relative)) throw new Error(`Path is outside ${baseDir}: ${targetPath}`);
 	return resolved;
 }
 
+/**
+ * Platform-agnostic canonical path resolution. Resolves symlinks (via
+ * realpathSync) to normalize paths so the same physical location always
+ * yields the same string regardless of how it was referenced.
+ *
+ * - Windows: delegates to resolveWindowsCanonical (canonical LONG-NAME form,
+ *   resolving 8.3 short-name aliases like RUNNER~1 → runneradmin).
+ * - POSIX: uses realpathSync, which resolves system symlinks such as the
+ *   macOS /var → /private/var mapping.
+ *
+ * For non-existent paths (write targets), walks up to the deepest existing
+ * ancestor and joins the remaining components, so the canonical prefix is
+ * still comparable.
+ */
+function resolveCanonicalPath(p: string): string {
+	if (process.platform === "win32") return resolveWindowsCanonical(p);
+	try {
+		return fs.realpathSync(p);
+	} catch {
+		const parts: string[] = [];
+		let current = p;
+		while (current !== path.dirname(current)) {
+			try {
+				const real = fs.realpathSync(current);
+				let acc = real;
+				for (let i = parts.length - 1; i >= 0; i--) acc = path.join(acc, parts[i]);
+				return acc;
+			} catch { /* keep walking up */ }
+			parts.push(path.basename(current));
+			current = path.dirname(current);
+		}
+		return p;
+	}
+}
+
 /**
  * On Windows, resolve a path to its canonical (long-name) form.
  * Walks up ancestors until finding one that exists, then joins back down.
  * This handles paths where intermediate directories don't exist yet but
  * their ancestors do (and may use short-name aliases).
+ *
+ * Uses fs.realpathSync.native (canonical long-name form) as the primary
+ * resolver, falling back to non-native realpathSync if .native fails.
  */
 function resolveWindowsCanonical(p: string): string {
 	try {
-		// Use regular realpathSync (not .native) to preserve the input path form.
-		// On Windows CI, .native always returns long-name (runneradmin) while
-		// non-native preserves short-name (RUNNER~1). Using non-native ensures
-		// the returned form matches what os.tmpdir() and mkdtempSync produce.
-		let real = fs.realpathSync(p);
+		// Use the NATIVE realpath to resolve to canonical LONG-NAME form.
+		// On Windows, fs.realpathSync.native resolves 8.3 short-name aliases
+		// (e.g. RUNNER~1) to long-name (runneradmin). This is essential for
+		// containment checks: base (from cwd, often long-name) and target
+		// (from os.tmpdir()/mkdtempSync, often short-name) must normalize to
+		// the SAME form or a contained target is wrongly rejected as "outside".
+		let real = fs.realpathSync.native(p);
 		// Guard against NTFS internal paths (e.g. C:\$Extend\$Deleted)
 		if (real.includes("$Extend") || real.includes("$Deleted")) throw new Error("NTFS internal path");
 		return real;
@@ -56,8 +97,8 @@ function resolveWindowsCanonical(p: string): string {
 		let current = p;
 		while (current !== path.dirname(current)) {
 			try {
-				// Use non-native to preserve input path form
-				let real = fs.realpathSync(current);
+				let real: string;
+				try { real = fs.realpathSync.native(current); } catch { real = fs.realpathSync(current); }
 				// Guard against NTFS internal paths
 				if (real.includes("$Extend") || real.includes("$Deleted")) throw new Error("NTFS internal path");
 				// Found existing ancestor — join with remaining parts in reverse order

package/src/worktree/cleanup.ts

@@ -1,6 +1,7 @@
 import { execFileSync } from "node:child_process";
 import * as fs from "node:fs";
 import * as path from "node:path";
+import { WINDOWS_ESSENTIAL_ENV_VARS } from "../utils/env-allowlist.ts";
 import type { TeamRunManifest } from "../state/types.ts";
 import { writeArtifact } from "../state/artifact-store.ts";
 import { projectCrewRoot } from "../utils/paths.ts";
@@ -18,7 +19,7 @@ export interface WorktreeCleanupResult {
 
 // SECURITY: PI_* and PI_CREW_* wildcards removed — they could match secret vars like PI_PASSWORD.
 // Git operations do not need PI_CREW_* execution-control vars.
-const GIT_SAFE_ENV = { ...sanitizeEnvSecrets(process.env, { allowList: ["PATH", "HOME", "USER", "USERPROFILE", "SHELL", "TERM", "LANG", "LC_ALL", "LC_COLLATE", "LC_CTYPE", "LC_MESSAGES", "XDG_CONFIG_HOME", "XDG_DATA_HOME", "XDG_CACHE_HOME", "NVM_BIN", "NVM_DIR", "NODE_PATH", "GIT_CONFIG_GLOBAL", "GIT_CONFIG_SYSTEM", "GIT_AUTHOR_NAME", "GIT_AUTHOR_EMAIL", "GIT_COMMITTER_NAME", "GIT_COMMITTER_EMAIL"] }), LANG: "C", LC_ALL: "C" };
+const GIT_SAFE_ENV = { ...sanitizeEnvSecrets(process.env, { allowList: ["PATH", "HOME", "USER", ...WINDOWS_ESSENTIAL_ENV_VARS, "SHELL", "TERM", "LANG", "LC_ALL", "LC_COLLATE", "LC_CTYPE", "LC_MESSAGES", "XDG_CONFIG_HOME", "XDG_DATA_HOME", "XDG_CACHE_HOME", "NVM_BIN", "NVM_DIR", "NODE_PATH", "GIT_CONFIG_GLOBAL", "GIT_CONFIG_SYSTEM", "GIT_AUTHOR_NAME", "GIT_AUTHOR_EMAIL", "GIT_COMMITTER_NAME", "GIT_COMMITTER_EMAIL"] }), LANG: "C", LC_ALL: "C" };
 
 function sanitizeBranchPart(value: string): string {
 	return value.toLowerCase().replace(/[^a-z0-9._/-]+/g, "-").replace(/^-+|-+$/g, "") || "task";

package/src/worktree/worktree-manager.ts

@@ -1,6 +1,7 @@
 import { execFileSync, spawnSync } from "node:child_process";
 import * as fs from "node:fs";
 import * as path from "node:path";
+import { WINDOWS_ESSENTIAL_ENV_VARS } from "../utils/env-allowlist.ts";
 import { loadConfig } from "../config/config.ts";
 import { projectCrewRoot } from "../utils/paths.ts";
 import { DEFAULT_PATHS } from "../config/defaults.ts";
@@ -27,7 +28,7 @@ export interface WorktreeDiffStat {
 function git(cwd: string, args: string[]): string {
 	// SECURITY: PI_* and PI_CREW_* wildcards removed — they could match secret vars like PI_PASSWORD.
 // Git operations do not need PI_CREW_* execution-control vars.
-return execFileSync("git", args, { cwd, encoding: "utf-8", stdio: ["ignore", "pipe", "pipe"], env: { ...sanitizeEnvSecrets(process.env, { allowList: ["PATH", "HOME", "USER", "USERPROFILE", "SHELL", "TERM", "LANG", "LC_ALL", "LC_COLLATE", "LC_CTYPE", "LC_MESSAGES", "XDG_CONFIG_HOME", "XDG_DATA_HOME", "XDG_CACHE_HOME", "NVM_BIN", "NVM_DIR", "NODE_PATH", "GIT_CONFIG_GLOBAL", "GIT_CONFIG_SYSTEM", "GIT_AUTHOR_NAME", "GIT_AUTHOR_EMAIL", "GIT_COMMITTER_NAME", "GIT_COMMITTER_EMAIL"] }), LANG: "en_US.UTF-8", LC_ALL: "en_US.UTF-8" }, windowsHide: true }).trim();
+return execFileSync("git", args, { cwd, encoding: "utf-8", stdio: ["ignore", "pipe", "pipe"], env: { ...sanitizeEnvSecrets(process.env, { allowList: ["PATH", "HOME", "USER", ...WINDOWS_ESSENTIAL_ENV_VARS, "SHELL", "TERM", "LANG", "LC_ALL", "LC_COLLATE", "LC_CTYPE", "LC_MESSAGES", "XDG_CONFIG_HOME", "XDG_DATA_HOME", "XDG_CACHE_HOME", "NVM_BIN", "NVM_DIR", "NODE_PATH", "GIT_CONFIG_GLOBAL", "GIT_CONFIG_SYSTEM", "GIT_AUTHOR_NAME", "GIT_AUTHOR_EMAIL", "GIT_COMMITTER_NAME", "GIT_COMMITTER_EMAIL"] }), LANG: "en_US.UTF-8", LC_ALL: "en_US.UTF-8" }, windowsHide: true }).trim();
 }
 
 // Dots are removed from branch names since they are used in path construction,
@@ -182,7 +183,7 @@ function runSetupHook(manifest: TeamRunManifest, task: TeamTaskState, repoRoot:
 			timeout: cfg.setupHookTimeoutMs ?? 30_000,
 			shell: false,  // cmd.exe /c handles batch files safely
 			env: sanitizeEnvSecrets(process.env, {
-				allowList: ["PATH", "HOME", "USERPROFILE", "TEMP", "TMP", "TMPDIR", "LANG", "LC_ALL"],
+				allowList: ["PATH", "HOME", ...WINDOWS_ESSENTIAL_ENV_VARS, "TMPDIR", "LANG", "LC_ALL"],
 			}),
 			windowsHide: true,
 		})
@@ -193,7 +194,7 @@ function runSetupHook(manifest: TeamRunManifest, task: TeamTaskState, repoRoot:
 			timeout: cfg.setupHookTimeoutMs ?? 30_000,
 			shell: false,
 			env: sanitizeEnvSecrets(process.env, {
-				allowList: ["PATH", "HOME", "USERPROFILE", "TEMP", "TMP", "TMPDIR", "LANG", "LC_ALL"],
+				allowList: ["PATH", "HOME", ...WINDOWS_ESSENTIAL_ENV_VARS, "TMPDIR", "LANG", "LC_ALL"],
 			}),
 			windowsHide: true,
 		});

package/test-bugs-all.mjs

@@ -1,89 +0,0 @@
-import fs from "node:fs";
-import path from "node:path";
-
-console.log("=== PI-CREW BUG FIXES VERIFICATION ===\n");
-
-let allPassed = true;
-
-// Bug #17: Check killAsync is commented out
-console.log("Bug #17: Background runner session shutdown fix");
-const registerContent = fs.readFileSync("src/extension/register.ts", "utf-8");
-const killAsyncMatch = registerContent.match(/\/\/\s*for\s*\(\s*const\s+manifest\s+of\s+manifestCache\.list\(50\)/);
-if (killAsyncMatch) {
-    console.log("  ✅ killAsync loop is commented out");
-} else if (registerContent.includes("for (const manifest of manifestCache.list(50))") && !registerContent.includes("// for (const manifest")) {
-    console.log("  ❌ killAsync loop is NOT commented out - BUG NOT FIXED");
-    allPassed = false;
-} else {
-    console.log("  ✅ killAsync pattern not found (may have been refactored)");
-}
-
-// Bug #18: Check stdio is ["ignore", "pipe", "pipe"]
-console.log("\nBug #18: Child-pi stdin fix");
-const childPiContent = fs.readFileSync("src/runtime/child-pi.ts", "utf-8");
-const stdioMatch = childPiContent.match(/stdio:\s*\[\s*"ignore"\s*,\s*"pipe"\s*,\s*"pipe"\s*\]/);
-if (stdioMatch) {
-    console.log("  ✅ stdio is ['ignore', 'pipe', 'pipe']");
-} else if (childPiContent.includes('stdio: ["pipe", "pipe", "pipe"]')) {
-    console.log("  ❌ stdio is still ['pipe', 'pipe', 'pipe'] - BUG NOT FIXED");
-    allPassed = false;
-} else {
-    console.log("  ⚠️  stdio pattern not found in expected format");
-}
-
-// Bug #19: Check temp workspace cleanup
-console.log("\nBug #19: Phantom runs temp workspace fix");
-const runIndexContent = fs.readFileSync("src/extension/run-index.ts", "utf-8");
-const tempDirCheck = runIndexContent.includes("isTempRoot") || runIndexContent.includes("tmpdir") || runIndexContent.includes("tmpDir");
-const activeRunContent = fs.readFileSync("src/state/active-run-registry.ts", "utf-8");
-const timeoutCheck = activeRunContent.includes("30 * 60 * 1000") || activeRunContent.includes("30*60*1000");
-if (tempDirCheck && timeoutCheck) {
-    console.log("  ✅ Temp workspace detection and 30-min timeout present");
-} else if (!tempDirCheck) {
-    console.log("  ❌ Temp workspace detection NOT found - BUG NOT FIXED");
-    allPassed = false;
-} else if (!timeoutCheck) {
-    console.log("  ❌ 30-min timeout NOT found - BUG NOT FIXED");
-    allPassed = false;
-}
-
-// Bug #20: Check needs_attention in completedIds
-console.log("\nBug #20: Infinite retry loop fix");
-const teamRunnerContent = fs.readFileSync("src/runtime/team-runner.ts", "utf-8");
-const needsAttentionMatch = teamRunnerContent.match(/status\s*===\s*"needs_attention"/g);
-if (needsAttentionMatch && needsAttentionMatch.length >= 3) {
-    console.log("  ✅ needs_attention status checks found (" + needsAttentionMatch.length + " places)");
-} else {
-    console.log("  ❌ needs_attention status check NOT found or insufficient - BUG NOT FIXED");
-    allPassed = false;
-}
-
-// Check the specific completedIds fix
-const completedIdsFix = teamRunnerContent.includes('status === "completed" || t.status === "needs_attention"');
-if (completedIdsFix) {
-    console.log("  ✅ completedIds includes needs_attention");
-} else {
-    console.log("  ❌ completedIds does NOT include needs_attention - BUG NOT FIXED");
-    allPassed = false;
-}
-
-// Check dist file
-console.log("\n=== Checking dist/index.mjs ===");
-if (fs.existsSync("dist/index.mjs")) {
-	const distContent = fs.readFileSync("dist/index.mjs", "utf-8");
-	const distNeedsAttention = distContent.includes('t2.status === "completed" || t2.status === "needs_attention"');
-	if (distNeedsAttention) {
-		console.log("  ✅ Bug #20 fix is in dist/index.mjs");
-	} else {
-		console.log("  ❌ Bug #20 fix NOT in dist/index.mjs - rebuild needed");
-		allPassed = false;
-	}
-} else {
-	console.log("  ⚠️  dist/index.mjs not found - run npm run build first");
-}
-
-console.log("\n" + "=".repeat(40));
-console.log(allPassed ? "✅ ALL BUGS ARE FIXED" : "❌ SOME BUGS ARE NOT FIXED");
-console.log("=".repeat(40));
-
-process.exit(allPassed ? 0 : 1);

package/test-lastActivityAt.mjs

@@ -1,167 +0,0 @@
-/**
- * Test for lastActivityAt fallback in heartbeat-watcher
- * Verifies that tasks with stale heartbeat but recent lastActivityAt are not marked dead
- */
-
-import test from "node:test";
-import assert from "node:assert/strict";
-import * as fs from "node:fs";
-import * as os from "node:os";
-import * as path from "node:path";
-import { createMetricRegistry } from "./src/observability/metric-registry.ts";
-import { HeartbeatWatcher } from "./src/runtime/heartbeat-watcher.ts";
-import { createRunManifest, saveRunTasks, updateRunStatus } from "./src/state/state-store.ts";
-import { createManifestCache } from "./src/runtime/manifest-cache.ts";
-
-const team = { name: "t", description: "", source: "test", filePath: "t", roles: [{ name: "r", agent: "a" }] };
-const workflow = { name: "w", description: "", source: "test", filePath: "w", steps: [{ id: "s", role: "r", task: "x" }] };
-
-test("HeartbeatWatcher uses lastActivityAt fallback - task NOT dead when heartbeat stale but activity recent", () => {
-	const cwd = fs.mkdtempSync(path.join(os.tmpdir(), "pi-crew-lastactivity-at-"));
-	try {
-		fs.writeFileSync(path.join(cwd, "package.json"), "{}", "utf-8");
-		const created = createRunManifest({ cwd, team, workflow, goal: "hb" });
-		const manifest = updateRunStatus(created.manifest, "running", "running");
-		
-		// Create task with STALE heartbeat (old lastSeenAt) but RECENT lastActivityAt
-		// Heartbeat is from Jan 1, 2026 (stale - 10 minutes old)
-		// lastActivityAt is from Jan 1, 2026 00:08:00 (2 minutes old - within dead threshold of 5 minutes)
-		const tasksWithHeartbeat = created.tasks.map((task) => ({
-			...task,
-			status: "running",
-			heartbeat: { workerId: task.id, lastSeenAt: "2026-01-01T00:00:00.000Z", alive: true },
-			// Agent is still active - lastActivityAt is recent (within dead threshold)
-			agentProgress: { 
-				lastActivityAt: "2026-01-01T00:08:00.000Z",  // 2 minutes ago
-				currentTool: "working",
-				toolCount: 5,
-				tokens: 1000,
-				turns: 2
-			}
-		}));
-		
-		saveRunTasks(manifest, tasksWithHeartbeat);
-		const cache = createManifestCache(cwd, { watch: false, debounceMs: 0 });
-		const notifications = [];
-		let deadletters = 0;
-		const watcher = new HeartbeatWatcher({ 
-			cwd, 
-			manifestCache: cache, 
-			registry: createMetricRegistry(), 
-			router: { enqueue: (n) => { notifications.push(n.id ?? ""); return true; } }, 
-			deadletterTickThreshold: 3, 
-			onDeadletterTrigger: () => { deadletters += 1; } 
-		});
-		
-		// Simulate time at 00:10:00 - 10 minutes after heartbeat, 2 minutes after activity
-		// With fallback: activity age = 2 minutes < dead threshold (5 minutes) -> should be warn/stale, not dead
-		watcher.tick(Date.parse("2026-01-01T00:10:00.000Z"));
-		watcher.tick(Date.parse("2026-01-01T00:10:05.000Z"));
-		watcher.tick(Date.parse("2026-01-01T00:10:10.000Z"));
-		
-		// Should NOT have any dead notifications because lastActivityAt is recent
-		assert.equal(notifications.length, 0, "Should NOT mark task dead when lastActivityAt is recent (within dead threshold)");
-		assert.equal(deadletters, 0, "Should NOT trigger deadletter when lastActivityAt is recent");
-		
-		watcher.dispose();
-		cache.dispose();
-	} finally {
-		fs.rmSync(cwd, { recursive: true, force: true });
-	}
-});
-
-test("HeartbeatWatcher marks task dead when BOTH heartbeat and lastActivityAt are stale", () => {
-	const cwd = fs.mkdtempSync(path.join(os.tmpdir(), "pi-crew-both-stale-"));
-	try {
-		fs.writeFileSync(path.join(cwd, "package.json"), "{}", "utf-8");
-		const created = createRunManifest({ cwd, team, workflow, goal: "hb" });
-		const manifest = updateRunStatus(created.manifest, "running", "running");
-		
-		// Create task with BOTH stale heartbeat AND stale lastActivityAt
-		// Heartbeat is from Jan 1, 2026 00:00:00 (10 minutes old)
-		// lastActivityAt is also from Jan 1, 2026 00:00:00 (also 10 minutes old - beyond dead threshold)
-		const tasksWithHeartbeat = created.tasks.map((task) => ({
-			...task,
-			status: "running",
-			heartbeat: { workerId: task.id, lastSeenAt: "2026-01-01T00:00:00.000Z", alive: true },
-			agentProgress: { 
-				lastActivityAt: "2026-01-01T00:00:00.000Z",  // 10 minutes old - beyond dead threshold
-				currentTool: "done",
-				toolCount: 5,
-				tokens: 1000,
-				turns: 2
-			}
-		}));
-		
-		saveRunTasks(manifest, tasksWithHeartbeat);
-		const cache = createManifestCache(cwd, { watch: false, debounceMs: 0 });
-		const notifications = [];
-		let deadletters = 0;
-		const watcher = new HeartbeatWatcher({ 
-			cwd, 
-			manifestCache: cache, 
-			registry: createMetricRegistry(), 
-			router: { enqueue: (n) => { notifications.push(n.id ?? ""); return true; } }, 
-			deadletterTickThreshold: 3, 
-			onDeadletterTrigger: () => { deadletters += 1; } 
-		});
-		
-		// Simulate time at 00:10:00 - both heartbeat and activity are 10 minutes old
-		watcher.tick(Date.parse("2026-01-01T00:10:00.000Z"));
-		watcher.tick(Date.parse("2026-01-01T00:10:05.000Z"));
-		watcher.tick(Date.parse("2026-01-01T00:10:10.000Z"));
-		
-		// SHOULD have dead notifications because BOTH are stale (> 5 minutes)
-		assert.ok(notifications.length > 0, "Should mark task dead when BOTH heartbeat and lastActivityAt are stale");
-		assert.ok(deadletters > 0, "Should trigger deadletter when BOTH are stale");
-		
-		watcher.dispose();
-		cache.dispose();
-	} finally {
-		fs.rmSync(cwd, { recursive: true, force: true });
-	}
-});
-
-test("HeartbeatWatcher without lastActivityAt still marks stale heartbeat as dead", () => {
-	const cwd = fs.mkdtempSync(path.join(os.tmpdir(), "pi-crew-no-activity-"));
-	try {
-		fs.writeFileSync(path.join(cwd, "package.json"), "{}", "utf-8");
-		const created = createRunManifest({ cwd, team, workflow, goal: "hb" });
-		const manifest = updateRunStatus(created.manifest, "running", "running");
-		
-		// Create task with stale heartbeat but NO lastActivityAt
-		const tasksWithHeartbeat = created.tasks.map((task) => ({
-			...task,
-			status: "running",
-			heartbeat: { workerId: task.id, lastSeenAt: "2026-01-01T00:00:00.000Z", alive: true },
-			// No agentProgress at all
-		}));
-		
-		saveRunTasks(manifest, tasksWithHeartbeat);
-		const cache = createManifestCache(cwd, { watch: false, debounceMs: 0 });
-		const notifications = [];
-		let deadletters = 0;
-		const watcher = new HeartbeatWatcher({ 
-			cwd, 
-			manifestCache: cache, 
-			registry: createMetricRegistry(), 
-			router: { enqueue: (n) => { notifications.push(n.id ?? ""); return true; } }, 
-			deadletterTickThreshold: 3, 
-			onDeadletterTrigger: () => { deadletters += 1; } 
-		});
-		
-		// Simulate time at 00:10:00 - heartbeat is 10 minutes old
-		watcher.tick(Date.parse("2026-01-01T00:10:00.000Z"));
-		watcher.tick(Date.parse("2026-01-01T00:10:05.000Z"));
-		watcher.tick(Date.parse("2026-01-01T00:10:10.000Z"));
-		
-		// SHOULD have dead notifications because heartbeat is stale and no fallback
-		assert.ok(notifications.length > 0, "Should mark task dead when heartbeat stale and no lastActivityAt");
-		assert.ok(deadletters > 0, "Should trigger deadletter when no fallback available");
-		
-		watcher.dispose();
-		cache.dispose();
-	} finally {
-		fs.rmSync(cwd, { recursive: true, force: true });
-	}
-});

package/test-tp.mjs

@@ -1,12 +0,0 @@
-import { formatToolProgress, formatCurrentToolLine } from "./src/runtime/tool-progress.ts";
-
-const progress = {
-  recentTools: [{ tool: "bash", args: "ls", endedAt: "2024-01-01T00:00:00.000Z" }],
-  toolCount: 1,
-  activityState: "active"
-};
-
-const display = formatToolProgress(progress);
-console.log("currentTool:", display.currentTool);
-console.log("toolCount:", display.toolCount);
-console.log("TEST PASSED if no errors above");