# Changelog ## [Unreleased] ### Added - **Streaming progress for `team` and `Agent` foreground tool calls** — The Pi tool widget previously showed only the tool label "Agent" / "Team" while a foreground run was executing, then dumped the full result at completion. Both tools now wire the `onUpdate` callback and stream a compact 3-4 line progress block once per second (status, elapsed, active agent role, current tool, latest output snippet). Background subagents are unchanged. Files: `src/ui/tool-progress-formatter.ts` (new), `src/extension/registration/subagent-tools.ts`, `src/extension/registration/team-tool.ts`. ### Fixed - **Agent "stopped" + "No output." without explanation** — `SubagentManager.markStopped()` and the `start()` catch block previously set `status: "stopped"` but never wrote a reason into `record.error`, so the user only saw the generic "No output." fallback. Fix: `markStopped(record, reason?)` and `abortAll(reason?)` now persist the abort reason (e.g. "Session switching — foreground subagents cancelled."), and the `Agent` tool foreground result chain includes `record.error` before the "No output." fallback. Files: `src/runtime/subagent-manager.ts`, `src/extension/register.ts`, `src/extension/registration/subagent-tools.ts`. - **Foreground crew_agent runs now use startForegroundRun** — Previously the `crew_agent` / `Agent` tool's runner did not pass `startForegroundRun` to `handleTeamTool`, causing it to use the blocking `executeTeamRun` path instead of the non-blocking foreground run path. The blocking path was vulnerable to Pi tool signal aborts (user cancel, session switch), causing premature "stopped" results. The runner now receives `startForegroundRun` from the registration layer, so `handleRun` starts the team run as a non-blocking foreground run and returns immediately, while the SubagentManager polls `pollRunToTerminal` until completion. This mirrors the `team` tool's foreground path and avoids signal-abort race conditions. File: `src/extension/registration/subagent-tools.ts`, `src/extension/register.ts`. - **Pre-aborted signal detection** — Added a diagnostic check at the top of the `crew_agent` `execute` function: if the Pi tool signal is already aborted before the agent even starts, the tool returns an explicit error message instead of spawning a doomed subagent that would show "stopped + No output." File: `src/extension/registration/subagent-tools.ts`. ### Tests - Added `test/unit/tool-progress-formatter.test.ts` (5 cases covering empty run, run-only header, active agent with tool, long-output trimming + usage tokens fallback, spawn error). --- ## 0.2.3 — Bug Fixes & Hardening (2026-05-12) ### Security - **[MEDIUM] Event log append concurrency** — `appendFileSync` on Windows is not atomic; concurrent parent + background-runner writes could interleave JSONL lines. Fix: cross-process `withEventLogLockSync` using atomic `mkdirSync` + stale-lock detection via owner PID. - **[MEDIUM] Subagent path traversal** — `persistedSubagentPath(cwd, id)` did not validate `id` before joining into a file path. Fix: `isValidSubagentId` regex guard (`^[a-z0-9_]+$`, max 128 chars). - **[LOW] PEM redaction unbounded scan** — `PEM_PRIVATE_KEY_PATTERN` used `\s\S]*?` without length limit, causing full-file scan on truncated input. Fix: capped to 65,536 characters. - **[LOW] Sleep utility `require()` in ESM** — `sleep.ts` used `require("node:child_process")` inside an ES module. Fix: top-level ESM `import { execFileSync }`. ### Correctness - **Async lock fail-fast** — `acquireLockWithRetryAsync` previously waited the full deadline (~60 s) when an active (non-stale) lock existed. Fix: throw immediately, matching sync behavior. - **Atomic-write sync parity** — Async `atomicWriteFileAsync` had a "matches" fallback (read existing, compare content) for race conditions; sync path lacked it. Fix: added identical fallback to sync. - **Sequence cache leak** — `sequenceCache` was an unbounded Map. Fix: `MAX_SEQUENCE_CACHE_ENTRIES = 256` with oldest-entry eviction. - **Iteration hooks / post-checks env inconsistency** — `runSetupHook` used `sanitizeEnvSecrets(..., { allowList })` but `runIterationHook` and `runPostCheck` used hard-coded env whitelists. Fix: unified all three to `sanitizeEnvSecrets` with the same allow-list (includes Windows vars: `USERPROFILE`, `TEMP`, `ComSpec`, `SystemRoot`). - **Worktree error parsing locale-dependent** — `git worktree add` error messages parsed with English regexes but `git()` helper did not force locale. Fix: `LANG: "C"`, `LC_ALL: "C"` injected into all `git()` calls in `worktree-manager.ts` and `cleanup.ts`. - **Event log lock stale-detect** — `withEventLogLockSync` previously had no stale-lock recovery and always `rmdirSync`ed in `finally` even when lock was never acquired. Fix: PID-based stale detection + conditional cleanup only on `acquired=true`. ### Portability - **Windows `.cmd/.bat` spawn safety** — Node ≥ 20 CVE-2024-27980 blocks direct `.cmd/.bat` spawn. Fix: `.cmd`/`.bat` scripts on Windows now run via `cmd.exe /d /s /c scriptPath`. - **Git Bash fallback on Windows** — `resolveShellForScript` now prefers Git Bash (`bash.exe` from `Git\bin`) when available, falling back to PowerShell/cmd only when absent. - **Jiti loader resolution for hoisted installs** — `resolveJitiRegisterPath` used hard-coded `../../` candidates that failed when pi-crew was installed via local path or in a hoisted monorepo. Fix: ancestor walk upward from `packageRoot` plus fallback candidates `register.mjs` and `dist/register.mjs`. ### Tests - Added `test/unit/worktree-manager.test.ts` (branch recovery, reuse, clean leader, file node_modules skip). - Added `test/unit/artifact-store.test.ts` (hash integrity, path traversal, nested dirs). - Added `test/unit/locks-race.test.ts` tests (stale lock recovery sync+async, active lock fail-fast). - Added `test/unit/redaction-transcript-roundtrip.test.ts`. - Added `test/unit/env-filter.test.ts` and `test/unit/resolve-shell.test.ts`. - Added `scripts/check-lazy-imports.mjs` with `npm run check:lazy-imports` CI gate. --- ## 0.2.0 — Security & Performance Hardening ### Performance - **Extension registration: 72% faster** — Lazy-loaded the entire runtime chain (team-tool, team-runner, runtime-resolver, etc.) from `register.ts`. Pi cold-start: 3,200ms → 780ms. - **Commands UI: 65% faster** — Lazy-loaded RunDashboard (288ms), DurableTextViewer (658ms), and 5 overlay components that were statically imported but only used on demand. - **Verifier: 80% faster** — 6-turn budget enforced at runtime via `maxTurns` agent config. Run-once + cache strategy (tee to `.crew/cache/`) eliminates repeated 3-minute test suite runs. Typical verifier runtime: 40+ min → ~8 min. - **Transcript viewer: lazy-loaded** — DurableTranscriptViewer (658ms) only loaded when user runs `/crew transcript`. ### Security - **[HIGH] Path traversal in `handleImport`** — Bundle paths were accepted without containment validation. Arbitrary file read was possible via absolute paths. Fix: `isContained` check validates paths stay within `cwd`, `userCrewRoot`, or `projectCrewRoot`. - **[HIGH] Env variable leak in hooks** — Iteration hooks and post-checks passed the full `process.env` to user bash scripts, exposing API keys and tokens. Fix: minimal env with only `PATH`, `HOME`, `USER`, `LANG`. - **[HIGH] Ownership check on `handleForget`** — The most destructive action (recursive `fs.rmSync`) had no session ownership guard. Any Pi session could delete any other session's run data. Fix: `foreignRun` guard matching `handleCancel`/`handleRetry`. - **[MEDIUM] TOCTOU on Windows `O_NOFOLLOW=0`** — On Windows where `O_NOFOLLOW` is unsupported (0), a symlink race between validation and write was possible. Fix: post-open `fstat`/`fstatSync` verification in both sync and async atomic-write paths. - **[MEDIUM] Ownership check on `handleCleanup`** — Worktree cleanup had no cross-session guard. Any session could clean up another session's worktrees. Fix: `foreignRun` guard added. - **[MEDIUM] `handleForget` scope detection** — Used `startsWith(userCrewRoot())` which could false-match `pi-crew-evil` against `pi-crew`. Fix: `startsWith(userCrewRoot() + path.sep)`. - **[MEDIUM] `isSafeToPrune` always used `projectCrewRoot`** — User-scoped runs could never be pruned, causing stale data accumulation. Fix: same scope detection as `handleForget`. - **[MEDIUM] `readJsonFile` swallowed all errors silently** — Permission denied, corrupt JSON, and other errors were silently swallowed, preventing crash recovery. Fix: `logInternalError` for non-ENOENT/ENOTDIR errors. - **[LOW] TOCTOU in `atomic-write mkdirSync`** — Between `isSymlinkSafePath` check and `mkdirSync`, an attacker could replace a directory with a symlink. Mitigated by `O_EXCL` on subsequent file open. - **[LOW] `handlePrune` cross-session behavior documented** — Pruning all finished runs regardless of session is intentional maintenance behavior, now documented. - **[INFO] `handleExport` intentionally cross-session** — Read-only export deliberately allows cross-session access, documented with comment. ### Correctness - **Ghost run accumulation** — 73 deadletter runs were stuck as `queued` forever because their temp CWD directories had been cleaned by the OS. Fix: `collectRuns` now filters by CWD existence, `pruneUserLevelRuns` auto-cleans ghost runs. - **Double-close file descriptor in `readTailLines`** — Giant-line fallback was calling `closeSync(fd)` then falling through to `finally { closeSync(fd) }` (double close). Fix: sentinel `GiantLineFallbackError` class caught in outer `catch`. - **Race condition in lazy-load caches** — `ui()` and `handleTeamTool()` in `commands.ts` could trigger redundant parallel imports if multiple `/crew` commands fired before cache populated. Fix: promise-deduplication pattern (`_uiCachePromise` / `_handleTeamToolPromise`). - **`handlePrune` hook only fired for first run** — Batch pruning fired `before_cleanup` hook for only the first run. Fix: fires once with `removedRunIds` in data payload. - **`maxTurns` parsing accepted invalid values** — `parseInt("0")` → `0` (falsy → `undefined`) was accidental; `parseInt("-1")` → `-1` (truthy → passed through). Fix: explicit `Number.isFinite(n) && n > 0` check in both parsing and runtime override. - **`GiantLineFallbackError` sentinel string** — Using a magic string for control flow was fragile. Fix: dedicated error class. - **Tail reader UTF-8 corruption** — Reading from middle of file could split a multibyte character at the boundary. Fix: search for first newline boundary before reading. - **Tail reader empty result on giant line** — Single line >256KB with no newlines: `lines.shift()` removed ALL content. Fix: fallback to full file read when no newline found in tail chunk, with 2MB safety cap. - **Stale JSDoc in hooks** — Security notes still said "full inherited environment" after minimal env change. Fix: updated to "minimal environment (PATH, HOME, USER, LANG)". - **`readJsonFile` redundant `existsSync` check** — TOCTOU guard was redundant since `catch` handles ENOENT anyway. Fix: removed redundant check. ### Architecture - **`maxTurns` agent frontmatter** — New `maxTurns` field in `AgentConfig` (parsed from `agents/*.md` frontmatter) enforces per-agent turn limits at runtime. Verifier uses `maxTurns: 6` for efficiency. - **Verifier efficiency contract** — Complete rewrite of `agents/verifier.md`: 6-turn budget, run-once-cache strategy, targeted verification only, PASS/FAIL with evidence format. - **Sensitive path detection expanded** — Added `.config/gh` (GitHub CLI tokens), `jwt.json`, `session.cookie`, `.token` to detection patterns. - **Manifest goal sanitization** — `manifest.goal` in compaction summaries now collapsed (newlines → spaces) and truncated (500 chars) to prevent markdown injection. - **`utils/atomic-write.ts` dead code removed** — This module had zero production imports; tests were testing the wrong (unsafe) version. Deleted; tests rewritten against `src/state/atomic-write.ts`. - **Test coverage** — 17 new tests: `atomic-write.test.ts` (9 tests), `compaction-summary.test.ts` (8 tests, all pass). ### Research (not in package) - `docs/research/CAVEMAN-DEEP-RESEARCH.md` — Caveman output contract patterns, role-based compression, verification framework. - `docs/research/LIVE-SESSION-PRODUCTION-READY-PLAN.md` — 9-phase plan for live-session reliability, all phases implemented. ### Contributors - 6 rounds of structured code review across 3 sessions - 30+ issues found and fixed (0 CRITICAL remaining, 0 HIGH remaining) ## 0.1.51 ### Fixed - **Stale foreground spinner** — Working message/spinner now always clears when foreground run completes, even if session generation changed during the run. - **Completed-run widget grace period (8s)** — Runs that just completed stay visible in the widget for 8 seconds so users can see results before the widget hides. ## 0.1.50 ### Fixed - **Parallel execution** — Raised default concurrency (implementation 2→4, review 2→3, research 2→3). Fixed `defaultWorkflowConcurrency()` routing bug where review/default both returned the implementation value. - **Planner prompt** — Added explicit "MAXIMIZE PARALLELISM" instruction with examples, so planner models produce parallel phases instead of sequential. - **20 review findings** — 6 CRITICAL (optional chaining crash, env leak, path redaction, RPC validation, hook JSON safety, temp dir security), 6 HIGH (unsafe casts, busy-wait CPU, timestamp merge guard, prompt injection delimiter, binary validation), 5 MEDIUM, 3 LOW. - **Widget flicker** — Pinned preloaded manifests to widget component model to prevent manifestCache TTL race. Scoped snapshotCache invalidation to specific run instead of clearing all. - **Delegation policy** — Rewritten as mandatory decision table with concrete thresholds (>3 files read or >2 files edit = must delegate). Injected into every session via system prompt. - **ignoreMethod option** — New config to write ignore entries to `.git/info/exclude` instead of `.gitignore` (Closes #2). ## 0.1.49 ### Added - **Caveman output contracts** — Role-based output validation framework with `output-validator.ts`: regex-based format checking for explorer, executor, reviewer, verifier, security-reviewer roles. Non-blocking: validation failures emit `task.output_validation` events + set `needs_attention` but do NOT fail the task. - **Prose compressor** — `prose-compressor.ts` compresses verbose worker output for token-sensitive contexts (role-aware compression levels). - **Sensitive paths** — Word-boundary-aware token matching in `sensitive-paths.ts` prevents false positives (e.g. `secretary.ts` no longer flagged as `secret`). - **Symlink-safe I/O** — Artifact and shared output paths reject traversal attempts and symlinked root escapes. - **Output contract eval harness** — 19 unit tests covering three-arm evaluation (contract vs terse vs baseline), format compliance, token savings, regex safety (no `/g` lastIndex state leak). ### Changed - **Delegation policy rewritten** — Replaced advisory "you should consider" text with a mandatory decision table: concrete thresholds (>3 files read OR >2 files edit = MUST delegate), explicit YES/NO cases per task type, conflict-safe task splitting rules. Injected into every session via `before_agent_start` hook. - **Powerbar dedup** — `powerbar-publisher.ts` now skips `powerbar:update` emit when segment data is unchanged (inspired by pi-powerbar's `segmentEquals` pattern). Combined with existing 200ms coalescing for minimal unnecessary renders. - **UI responsiveness** — `task-runner.ts` now emits `streamBridge` event immediately after `task.started`, giving the widget agent status within ~100ms instead of 2-5s (child process startup delay). - **"spawning…" indicator** — Widget shows "spawning…" for agents < 5 seconds old with no tool activity, distinguishing from "thinking…" for long-running agents. ### Fixed - **H1: MCP proxy fallback** — `mcp-proxy.ts` now falls back to `enableMcp: true` when `createMcpProxyTools()` returns empty, so child sessions self-discover MCP instead of losing all access. - **H2: parallel-utils throw undefined** — `mapConcurrent` now throws the actual error instead of `throw undefined`. - **H3: Semaphore over-release** — `release()` guard against `#current > 0` prevents over-release corruption. - **M1: IRC tool TOCTOU** — `irc-tool.ts` wraps `sendIrcMessage`/`broadcastIrcMessage` in try-catch. - **M2: submit-result ordering** — Builds response string before calling `onYield`, wrapped in try-catch. - **M3: Sensitive paths false positives** — Word-boundary-aware token matching replaces substring matching. - **M4: atomic-write sleepSync** — Added WARNING comment about blocking main thread. - **M7: URL regex trailing punctuation** — Precise regex excludes trailing punctuation from URL matches. - **L1: parent-guard comment** — Corrected misleading comment about `process.kill` on Windows. - **Yield handler DRY** — Extracted `extractYieldDataFromArgs` helper, `isObjectRecord`/`isStringRecord` type guards, safe `find()` pattern. - **Event-log-rotation TOCTOU** — `compactEventLog` re-reads file after initial read to merge concurrent appends; `readEvents` skips corrupt JSON lines. - **Ghost agent dedup** — Fixed duplicate agent records in `crew-agent-records` after crash recovery. ### Research - `docs/research/AGENT-EXECUTION-ARCHITECTURE.md` — Detailed comparison of 3 execution modes (oh-my-pi in-process, pi-crew child-process, pi-crew live-session). - `docs/research/UI-RESPONSIVENESS-AUDIT.md` — Root cause analysis for 2-5s agent spawn visibility delay, 5 proposed fixes with priority matrix. - `docs/research/DEEP-RESEARCH-PI-POWERBAR.md` — Deep analysis of pi-powerbar architecture (producer/consumer pattern, rendering, settings, comparison with pi-crew's powerbar publisher). ## 0.1.48 ### Added - **Yield-based completion contract** — Workers can call `submit_result` tool to return structured results; task-runner warns on workers that don't yield. - **Typed event channels** — `RunEventBus` supports 5 channels (`worker:progress`, `worker:lifecycle`, `worker:stream`, `run:state`, `ui:invalidate`) with `onChannel`/`onChannelForRun` subscriptions and auto-classification. - **Human-readable task names** — `generateTaskName()` produces AdjectiveNoun names (14,400 combinations); `displayName` field on `TeamTaskState`. - **SubprocessToolRegistry** — Extensible tool event handling with `register`/`extractAll`/`shouldTerminate` pattern; wired into event-stream-bridge. - **Event log rotation/compaction** — Auto-compacts event logs over 5MB/50k events, keeping last 1000 events; atomic file replacement. - **Incremental JSONL reader** — `readLinesSince`/`readJsonlSince` for seek-based file reading; wired into `readEventsCursor` with `fromByteOffset`. ### Fixed - Fixed `readBlob`/`readBlobMetadata` crash on missing files — now returns `undefined`. - Fixed `readSseJson` crash on non-JSON SSE data — now skips malformed events. - Fixed wrong value `"long_running"` → `"active_long_running"` in agent-control. - Fixed `consecutiveFailures` type bypass — added to `CrewAgentProgress` interface. - Fixed `streamBridge.dispose()` memory leak — now in try/finally. - Fixed blob-store redundant ternary `typeof x === "string" ? x : x`. - Fixed team-runner non-null assertion on potentially empty array. - Fixed event-log silent error swallowing — now logs via `logInternalError`. - Fixed team-tool switch case indentation. - Removed dead code `expandIcon` in agent-management-overlay. ### Changed - Moved 6 research .md files from repo root to `docs/research/`. - `discoverAgents`/`discoverSkills` silent catches now log via `logInternalError`. - `executeHook` accumulates non-blocking diagnostics instead of short-circuiting. - `CancellationToken.heartbeat` wired into `collectRuns` and `pruneFinishedRuns`. - `CapabilitySource` extended with `"git"` to match `ResourceSource`. ## 0.1.47 ### Added - **Typed hook lifecycle** — 8 of 9 hooks wired: `before_run_start`, `before_task_start`, `task_result`, `before_cancel`, `before_forget`, `before_cleanup`, `before_publish`, `run_recovery`. Hooks are opt-in, blocking/non-blocking, with audit events. - **Event-first UI bus** — `RunEventBus` emits on every `appendEvent` call; dashboard, crew widget, sidebar, and snapshot cache subscribe for event-driven invalidation instead of polling. - **Shared scan cache** — `SharedScanCache` caches manifest reads and active-run entries with TTL, mtime/size invalidation, and LRU eviction. - **Capability inventory** — `buildCapabilityInventory()` enumerates teams, workflows, agents, and skills with stable `kind:name` IDs; supports policy disable and shadowing detection. - **Skills in capability inventory** — `discoverSkills()` reads SKILL.md frontmatter; skills appear with kind=`skill` and source=`package`/`project`. - **Mailbox kind-separated breakdown** — `RunUiMailbox` tracks `steerUnread`/`followUpUnread`/`responseUnread`/`messageUnread`; mailbox pane shows urgency indicators. - **Run recovery hook** — `applyRecoveryPlan` fires `run_recovery` hook; blocked recovery emits `crew.run.recovery_blocked` event. - **Synthetic tool cancellation evidence** — Cancelled in-flight tasks receive `tool`-level terminal evidence alongside `worker`-level. - **CancellationToken wired into production loops** — `collectRuns` and `pruneFinishedRuns` use `CancellationToken.heartbeat(stage)` for progress diagnostics. - **Blob artifact store** — SHA-256 content-addressed storage with metadata sidecars. - **Run event provenance** — Event metadata includes `parentEventId`, `attemptId`, `branchId`, `causationId`, `correlationId`. - **Control channel reservation** — `ControlReservation` before worker spawn with deterministic `controllerId`. - **Release smoke test** — `npm run smoke:release` automates tarball install + version consistency check. - **Width-safety tests** — Crew widget rendering verified at widths 1/40/200/empty/multiple. ### Changed - `handleCancel`, `handleForget`, `handleCleanup`, `handlePrune`, `handleExport` converted to async for hook execution. - `before_cancel`/`before_forget`/`before_cleanup` hooks can block their respective operations. - `before_publish` hook fires before run export. - `task_result` hook fires before `task.completed`/`task.failed` events. - Dashboard, widget, and sidebar auto-invalidate on `RunEventBus` events. ## 0.1.45 ### Added - Added `/team-respond ` for replying to interactive/waiting tasks from slash commands. - Added runtime-extensible run ownership metadata (`ownerSessionId`) so destructive cancellation can be guarded by session ownership. - Added async manifest and crew-agent readers used by snapshot preloading. ### Fixed - Fixed `respond` action to validate waiting-only tasks, write replies to task mailboxes, and reject non-waiting task responses instead of reporting false success. - Fixed `cancel` ownership handling so runs created by another Pi session are not cancelled when `ownerSessionId` mismatches. - Fixed `DeliveryCoordinator` to requeue payloads when active delivery callbacks throw, and to drop queued payloads from stale session generations. - Fixed `OverflowRecoveryTracker` collisions by keying recovery state with `runId + taskId`, plus cleanup of terminal recovery states. - Fixed stale reconciliation false positives for foreground/live no-PID runs by preserving runs with recent task heartbeat or agent progress evidence. - Fixed UI waiting counts: snapshots, powerbar, and crew widget now include `waiting` tasks/agents where appropriate. - Fixed team tool `cwd` override handling so valid overrides are applied consistently and invalid overrides return a clear error. - Fixed session history pollution by only appending `crew:run-started` after a successful run with a real `runId`. - Fixed async snapshot preload path to avoid synchronous manifest/agent reads. - Fixed mailbox count semantics for large mailbox files by marking tail-derived counts as approximate when the file is larger than the bounded tail window. - Fixed auto-retry freshness by reloading manifest/tasks before retry attempts and fallback task runs. ### Changed - Wired session snapshots into `session_before_switch` logging so active runs and pending deliveries are captured before session transitions. - Dashboard mailbox pane now indicates when counts are approximate tail-derived values. ## 0.1.43 ### Added - `/team-settings` command: view and manage all pi-crew config from Pi CLI (`list`, `get`, `set`, `unset`, `path`, `scope`). - `addTranslations(locale, bundle)` and `listLocales()` for runtime-extensible i18n. ### Fixed - **UI freeze crash**: replaced `setInterval` with recursive `setTimeout` in `RenderScheduler` and `HeartbeatWatcher` to prevent timer storms when renders exceed the interval. - **Growing-file I/O bottleneck**: `safeRecentEvents`, `readMailboxCounts`, `readGroupJoinMailbox` now use tail-reading (last 32 KB) instead of reading entire `.jsonl` files that grow unbounded over long runs. - **Snapshot cache TTL** increased from 250 ms to 500 ms, halving unnecessary I/O. - **Heartbeat watcher memory leak**: stale keys are now cleaned after 10 minutes of inactivity instead of being held forever. - **Dashboard crash guard**: `render()` is wrapped in `try/catch` with a fallback error display. - **Dashboard selected-index mismatch**: reset `selected` to 0 when the selected run disappears from the manifest cache. - **`live-run-sidebar.ts` crash**: fixed missing optional chaining on `agent.progress?.recentOutput?.at(-1)`. - **`signatureFor` crash**: `JSON.stringify` in snapshot cache wrapped in `try/catch` with a timestamp fallback. - **Render scheduler timer leak**: added a `disposed` guard after `schedule()` to prevent orphaned timers. - **Render scheduler loop guard**: capped at 5 iterations per `flush()` to prevent infinite loops when `render()` re-enters `flush()`. - **`powerbar-publisher.ts`**: replaced `.filter().length` with `.reduce()` counting to avoid temporary array allocations. ### Changed - **i18n module hardened**: locale validated at runtime (not hardcoded union type), `currentLocale` reset on dispose, missing-key guard (`fallback[key] ?? key`), `__test__resetI18n()` helper. ## 0.1.42 ### Fixed - Reduced atomic-write rename retries from 20 to 5 and added busy-wait fallback for `Atomics.wait` to avoid event-loop stalls on Windows with aggressive file-locking. - Applied the same `sleepSync` fallback pattern to `locks.ts` for consistent lock-acquisition resilience. - Removed dead `findReadyTask` function in team-runner. - Eliminated a redundant `refreshTaskGraphQueues` O(n) call per batch iteration by reusing the already-computed `taskGraphSnapshot` for ready-task selection. - Expanded `appendTaskAttentionEvent` dedup window from 100 to 200 events and switched to a computed dedup key. ### Changed - Extended `MUTATING_TOOLS` set in completion guard with `replace_in_file`, `insert`, `delete_files`, `create_file`, `overwrite`, and `patch`. - Extended `MUTATING_COMMANDS` regex with `sed -i`, `tee`, `wget -O`, and `curl -o` patterns. - Reordered bash-command mutation check so mutating patterns (`sed -i`) take priority over read-only patterns (`sed`). - Unknown bash commands that don't match the read-only list are now treated as potentially mutating (conservative default). ### Hardened - Replaced `timer.unref?.()` with `timer.unref()` in `SubagentManager` blocked-poll and stuck-notify timers. - Added session-liveness guard to `notifyOperator` fallback so it won't attempt `sendFollowUp` after extension cleanup. ## 0.1.41 ### Added - Added strict-provider-friendly team tool schema shapes and config schema coverage for result delivery controls. - Added resilient result watcher fallback polling for resource-limit watch failures and partial JSON retry handling. - Added `runtime.completionMutationGuard` (`off`/`warn`/`fail`) with structured `task.attention` events when implementation-style workers complete without observed mutations. - Added group-join mailbox delivery metadata, request-id dedupe, ack observability, timeout events, and dashboard/status visibility. - Expanded `team doctor` and `team status` with schema, async/result delivery, worktree/readiness, attention, transcript, and group-join diagnostics. ### Fixed - Recovered adaptive implementation planner output when compaction truncates the end marker but complete phase objects are still present. ## 0.1.40 ### Added - Added owner-session generation guards for background subagents, async run notifications, result watchers, and live-session callbacks so stale sessions do not receive completions. - Added `runtime.requirePlanApproval` with approve/cancel API support to gate mutating adaptive implementation tasks behind an explicit planner artifact approval. - Added shared secret redaction for event logs, mailbox persistence, artifacts, JSONL streams, agent records, notifications, metrics, and diagnostics. ### Changed - Project-local agents, teams, and workflows can no longer shadow builtin or user resources with the same name. - Project-level sensitive config such as worker execution, runtime mode, autonomy, agent overrides, worktree setup hooks, and OTLP headers is ignored with warnings unless configured in trusted user scope. ### Fixed - Fixed lost async completion notifications after auto-compaction/session restart by continuing to track active runs across notifier restarts. - Fixed stale background subagent wakeups after session switch/shutdown while preserving terminal results for explicit joins. - Fixed resume bypasses in plan approval by re-gating persisted mutating adaptive tasks when approval state is missing or pending. - Restricted plan approval and cancellation to non-read-only roles and rejected cancel/approve after the approval state is no longer pending. ## 0.1.39 ### Fixed - Made CI test execution deterministic across Node 22/macOS/Linux/Windows by running Node test files sequentially to avoid cross-file environment races. - Fixed live-agent durable control symlink-file rejection to return an API error instead of throwing from the tool handler. - Tightened symlink artifact security assertions so tests check leaked file contents rather than safe metadata paths. ## 0.1.38 ### Added - Added parent-session wake-up for completed background subagents so the main agent automatically joins results and continues the original task. - Added stronger resource/parser coverage for team role metadata and workflow task-body headings. ### Changed - Clarified the current default worker execution model and local disable controls in project guidance. - Aligned config schema constraints for UI settings with the published package schema. ### Fixed - Hardened subagent abort handling so stopped records are persisted and late runner completion does not regress them to completed/error. - Fixed blocked subagent result joins, blocked duration persistence, and final wake-up after blocked runs resume to terminal status. - Blocked path traversal through workflow shared artifacts, run ids, imported run bundles, task-scoped mailbox APIs, agent runtime files, and untrusted artifact/transcript paths; hardened reads/writes with realpath containment to prevent symlink escapes; bound live-agent control to the selected run. - Documented actual project resource paths for `.crew/` and `.pi/teams/` layouts. ## 0.1.31 ### Fixed - Added required Agent Skills frontmatter (`name` and `description`) to built-in coding skills so Pi loads them without conflicts. - Tightened built-in skill package coverage to require standards-compliant frontmatter. ## 0.1.30 ### Added - Added Phase 6 async hardening: jiti loader resolution/fail-fast, async startup marker files, and early background-runner exit detection. - Added worker concurrency hard cap with explicit `limits.allowUnboundedConcurrency` opt-out and observability event. - Added persisted model routing metadata on tasks and agent records: requested model, resolved model, fallback chain, reason, and used attempt. - Added self-contained architecture/runtime-flow docs and five built-in coding skills. - Added mailbox replay on resume for pending inbox messages, including task-scoped messages. - Added task resume checkpoints and recovery for crash-after-final-stdout and crash-after-artifact-write child-process tasks. - Added async notifier detection for quiet dead background runners with durable `async.died` events. - Added adaptive planner repair for malformed JSON, oversized task plans, and common role aliases before blocking implementation runs. - Added package snapshot coverage for Phase 6 docs, skills, Pi manifest entries, and the runtime `jiti` dependency. - Added `src/subagents/*` consolidation entrypoints for child spawning, background runner commands, and subagent manager APIs. - Split `team-tool.ts` actions into focused status, inspect, lifecycle, cancel, and plan modules while preserving public action names. - Split `register.ts` lifecycle wiring into command, team-tool, subagent-tool, and artifact-cleanup registration modules. - Added async restart recovery integration smoke coverage for stale background pids. - Added explicit recursive subagent depth and read-only role spawn-denial tests. ### Changed - Async background runs now use an explicit jiti loader path and expose startup markers for recovery/health checks. - Active batch selection now caps excessive user concurrency by default to protect local machines. - Resume now emits mailbox replay metadata before restarting queued work. - Child-process tasks now persist checkpoint phases (`started`, `child-spawned`, `child-stdout-final`, `artifact-written`) during execution. - Split `task-runner.ts` prompt/progress/state/live helpers into focused modules while keeping `runTeamTask` as the public entrypoint. - Moved live-session access behind `src/subagents/live/*` and dynamic task-runner imports so default child-process flow does not eagerly load live runtime code. ### Fixed - Background runner startup failures are reported earlier instead of silently leaving queued/running manifests stale. ### Release prep notes - Suggested next release grouping: `0.1.30` for Phase 6 runtime hardening, resume recovery, model observability, docs/skills, and internal refactors. - Gate run locally: `npm run typecheck`, `npm test`, and `npm pack --dry-run`. - No breaking public API changes: tool actions, slash commands, config schema, and package name remain stable. ## 0.1.29 - Republished the child worker response timeout fix as a fresh npm version. ## 0.1.28 - Fixed child-process workers being terminated after only 15 seconds of quiet provider/tool time by increasing the default response watchdog to five minutes and clarifying the timeout error message. ## 0.1.20 - Reworked the implementation workflow into an adaptive planner-led orchestration flow that decides the number, roles, and phases of subagents from the task instead of using a fixed fanout template. - Added dynamic adaptive task injection, persisted adaptive task metadata, and resume reconstruction for planner-selected subagent steps. - Block implementation runs when the planner does not produce a valid adaptive plan, including missing/unreadable planner artifacts and malformed/oversized plans. - Added tests for adaptive plan parsing, dynamic batch fanout, invalid-plan blocking, writer-role support, and adaptive resume recovery. - Hardened subagent/runtime fixes from post-0.1.19 review: env-isolated depth tests, foreground failure status updates, generic tool conflict aliases, and max_turns propagation. ## 0.1.19 - Added Claude-style `Agent`, `get_subagent_result`, and `steer_subagent` tools backed by pi-crew's durable worker runtime, plus conflict-safe `crew_agent`, `crew_agent_result`, and `crew_agent_steer` aliases. - Added a durable subagent manager with background queueing, completion notifications, result joins, session-bound cleanup, and direct single-agent runs via `team run agent=...`. - Disabled risky auto-opening of the right sidebar by default, added foreground completion notifications, and reduced duplicate widget/sidebar UI. - Added progress coalescing and workflow concurrency helpers to keep foreground sessions responsive during busy worker output. - Fixed live-session runs being classified as scaffold when workers are enabled and hardened session switch/shutdown cleanup for foreground child processes. ## 0.1.18 - Added a built-in `parallel-research` team/workflow for map-reduce style source audits with dynamic `Source/pi-*` fanout and parallel explorer shards. - Made the live right sidebar the default foreground UI: active foreground runs auto-open a top-right live sidebar when the terminal is wide enough. - Added live sidebar sections for active agents, waiting tasks, completed agents, task graph, model, tool, and token/usage details. - Stopped materializing queued dependency tasks as child-process agents; status now separates active agents, waiting tasks, and completed agents. - Added workflow-aware default concurrency so research/parallel-research can use ready parallel work instead of always running one worker. - Dropped user/system prompt messages from child event persistence to avoid prompt/context leakage in agent event logs. - Tightened child event compaction with separate assistant/tool input/tool result caps and improved powerbar active/waiting/model/token summaries. ## 0.1.17 - Fixed terminal/completed workers being incorrectly escalated as stale heartbeat blockers after all tasks completed. - Cleaned child-process result extraction so result artifacts prefer final assistant output and no longer include worker prompt/context. - Made `/team-dashboard` visibly render as a top-right sidebar by default with explicit right-sidebar title text. - Added per-subagent model and usage fields to agent records, status output, and dashboard fallbacks so model/token totals stay visible while and after workers run. ## 0.1.16 - Added right-side `/team-dashboard` placement with model, token, and tool detail rows for subagents. - Added UI config for dashboard placement/width and model/token/tool visibility. - Foreground child-process runs now continue without blocking the interactive chat and remain tied to session shutdown. - Child-process observability now drops noisy `message_update`/encrypted thinking deltas and stores compact events to prevent massive JSONL/output logs from freezing sessions. - Cancel now syncs agent records and writes a foreground interrupt request so queued/running agents stop appearing stale. ## 0.1.15 - Child-process model selection now uses Pi-configured/available models and auto-discovers provider/model entries from Pi settings/models config. - Added configured-model fallback chains for worker runs instead of forcing builtin provider hints. - Fixed skipped task agent records so they no longer appear queued. ## 0.1.0 - Initial scaffold for `pi-crew`. - Added Pi package manifest, extension entry, minimal team tool, slash commands, builtin resources, and documentation placeholders.