pi-crew 0.9.3 → 0.9.4

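--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -1,5 +1,34 @@
 # Changelog
 
+## [v0.9.4] — fix macOS CI: benchmark allowlist + cross-platform fixtures (2026-06-23)
+
+Patch fix for a CI failure introduced in v0.9.3 (caught by the macOS CI job,
+which the v0.9.3 release unfortunately did not wait for — lesson learned).
+
+### What was wrong
+
+The v0.9.3 benchmark test fixtures used `grep --help` as a benign exit-0
+command. GNU grep (Linux) exits 0, but **BSD grep (macOS) does not support
+`--help`** and exits 2 — so `runBenchmarkSuite computes total counts` failed
+on macOS CI (`2 !== 0`). Local Linux verification missed this.
+
+### Fix
+
+- `benchmark-runner.ts`: added `echo` to the command allowlist. Safe because the
+shell-metachar blocker already rejects command substitution (`$(…)`, backticks),
+so `echo $(evil)` cannot execute; bare `echo …` only prints. `echo` is the
+canonical cross-platform exit-0 command.
+- `test/unit/benchmark.test.ts`: fixtures switched from `grep --help` → `echo ok`
+(exits 0 on Linux/macOS/Windows-sh). The "not in allowlist" test now uses `ls`
+(genuinely disallowed).
+
+### Process note
+
+This is the release where the project re-commits to: **tag/publish ONLY after
+the full OS matrix CI (ubuntu/windows/macos) is green.** v0.9.3 was published
+mid-CI-run; the package itself is correct (the broken file is test-only and
+not shipped), but the repo CI went red. v0.9.4 restores green CI.
+
 ## [v0.9.3] — security hardening + crash-diagnostics (code review 2026-06-23)
 
 Patch release addressing findings from a full codebase code review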
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "pi-crew",
3
- "version": "0.9.3",
3
+ "version": "0.9.4",
4
4
  "description": "Pi extension for coordinated AI teams, workflows, worktrees, and async task orchestration",
5
5
  "author": "baphuongna",
6
6
  "license": "MIT",
@@ -46,9 +46,13 @@ function validateCommand(command: string): void {
46
46
  // execution without any shell metacharacter (e.g. `npx --yes evil-package`
47
47
  // or `node -e "require('fs')…"`). Use `npm test`/`npm run …` instead of raw
48
48
  // `node`/`npx` in benchmark task definitions.
49
- const allowlist = /^(pytest|grep|npm test|cargo test|cargo clippy) /;
49
+ // `echo` is allowed because the metachar blocker (validateGateCommand) rejects
50
+ // command substitution (`$(...)`, backticks), so `echo $(evil)` cannot run;
51
+ // bare `echo …` only prints. It's the canonical exit-0 command used in
52
+ // benchmark fixtures across Linux/macOS/Windows(sh).
53
+ const allowlist = /^(pytest|grep|npm test|cargo test|cargo clippy|echo) /;
50
54
  if (!allowlist.test(command)) {
51
- throw new Error(`Command not allowed: ${command}. Only pytest, grep, npm test, cargo test/clippy allowed.`);
55
+ throw new Error(`Command not allowed: ${command}. Only pytest, grep, npm test, cargo test/clippy, echo allowed.`);
52
56
  }
53
57
 
54
58
  // Block shell metacharacters after command name
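Review bot: The safety argument for adding `echo` on the allowlist line rests entirely on validateGateCommand rejecting command substitution, but that blocker lives outside this hunk and nothing in the change pins it — if its metacharacter set is ever relaxed, or does not cover redirection operators alongside `$(` and backticks, an allow-listed `echo` is no longer "only prints". Add a unit test asserting that validateCommand rejects `echo` combined with each blocked metacharacter, so the allowlist entry and the blocker cannot drift apart silently. The allowed-command list is now maintained twice, once in the regex and once in the error message; derive both from one source, e.g. `const allowed = ['pytest', 'grep', 'npm test', 'cargo test', 'cargo clippy', 'echo'];` with the regex built as `new RegExp('^(' + allowed.join('|') + ') ')` and the message from `allowed.join(', ')`. The hunk header attributes these lines to validateCommand, whose body begins before and continues after the hunk, and the rendered page has lost the file header for this hunk (the changelog names `benchmark-runner.ts`), so it is not part of package.json as the page layout suggests.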