@blackbelt-technology/pi-agent-dashboard 0.4.2 → 0.4.3

package/AGENTS.md

@@ -391,7 +391,8 @@ make clean              # Destroy all cloned VMs
 | `packages/electron/scripts/test-electron-install.sh` | Full e2e Docker test: install, wizard, server launch, health check |
 | `packages/electron/scripts/test-electron-install-inner.sh` | Inner test script run inside Docker container |
 | `packages/electron/resources/icon.png` | Master 1024×1024 app icon (π on dark navy) |
-| `.github/workflows/publish.yml` | CI: builds DMG (macOS), DEB+AppImage (Linux), NSIS+ZIP+portable (Windows) on native runners; publishes npm + GitHub Release. **Two triggers**: (a) push of any `v*` tag (the original path — release-cut skill / hand tag), (b) `workflow_dispatch` from the GitHub Actions UI with a single required `version` input (e.g. `"0.4.1"`). The `prepare` job branches on `github.event_name`: tag-push extracts the version from `GITHUB_REF_NAME`; dispatch validates the input as semver, checks tag uniqueness on origin, bumps every workspace `package.json` via `npm version -ws`, syncs cross-ref specifiers via `scripts/sync-versions.js`, promotes `## [Unreleased]` to a dated `## [<version>]` section in `CHANGELOG.md`, commits + tags + pushes the branch. The publish, electron, and github-release jobs all `needs: prepare` and check out `ref: ${{ needs.prepare.outputs.tag }}` so both trigger paths publish the same tree. **Idempotent ordered npm publish (commit b9fcea9)**: the publish step replaced the bulk `npm publish --workspaces --include-workspace-root` call with a per-package loop that (a) **skips** already-published versions via `npm view <pkg>@<ver>` (so a re-run after partial-publish failure resumes cleanly instead of aborting on "cannot publish over previously published"), (b) publishes the **4 stable sub-packages first** (`pi-dashboard-shared` → `extension` → `server` → `web`), then the brand-new `dashboard-plugin-runtime`, then the **root metapackage last** so the registry already serves matching sub-package versions before the root tarball lands and resolves dependents like `@blackbelt-technology/pi-dashboard-extension@^X.Y.Z`. v0.4.0 and v0.4.1 shipped broken because the bulk call aborted on the first error and only the root tarball landed — `npm install @blackbelt-technology/pi-agent-dashboard@0.4.1` returned ETARGET on the sub-deps. Single-failure isolation: any non-skip failure marks the step failed via a `FAIL=1` accumulator but lets the loop finish so logs show every package's outcome. Also (commit b9fcea9): `packages/server/package.json#dependencies` now declares `@blackbelt-technology/dashboard-plugin-runtime: ^<ver>` — previously imported via workspace symlinks but missing from the published tarball, so a clean `npm install` of just the server crashed with `MODULE_NOT_FOUND` on first start. Also (commit 2728c31): every workspace `package.json` (`shared`, `extension`, `server`, `client`, `dashboard-plugin-runtime`, plus `electron`) now declares a `repository` field — required for npm provenance attestation validation when publishing with `--provenance` from GitHub Actions OIDC. |
+| `.github/workflows/publish.yml` | CI: builds DMG (macOS), DEB+AppImage (Linux), NSIS+ZIP+portable (Windows) on native runners; publishes npm + GitHub Release. **Two triggers**: (a) push of any `v*` tag (the original path — release-cut skill / hand tag), (b) `workflow_dispatch` from the GitHub Actions UI with a single required `version` input (e.g. `"0.4.1"`). The `prepare` job branches on `github.event_name`: tag-push extracts the version from `GITHUB_REF_NAME`; dispatch validates the input as semver, checks tag uniqueness on origin, bumps every workspace `package.json` via `npm version -ws`, syncs cross-ref specifiers via `scripts/sync-versions.js`, promotes `## [Unreleased]` to a dated `## [<version>]` section in `CHANGELOG.md`, commits + tags + pushes the branch. The publish, electron, and github-release jobs all `needs: prepare` and check out `ref: ${{ needs.prepare.outputs.tag }}` so both trigger paths publish the same tree. **Idempotent ordered npm publish (commit b9fcea9)**: the publish step replaced the bulk `npm publish --workspaces --include-workspace-root` call with a per-package loop that (a) **skips** already-published versions via `npm view <pkg>@<ver>` (so a re-run after partial-publish failure resumes cleanly instead of aborting on "cannot publish over previously published"), (b) publishes the **4 stable sub-packages first** (`pi-dashboard-shared` → `extension` → `server` → `web`), then the brand-new `dashboard-plugin-runtime`, then the **root metapackage last** so the registry already serves matching sub-package versions before the root tarball lands and resolves dependents like `@blackbelt-technology/pi-dashboard-extension@^X.Y.Z`. v0.4.0 and v0.4.1 shipped broken because the bulk call aborted on the first error and only the root tarball landed — `npm install @blackbelt-technology/pi-agent-dashboard@0.4.1` returned ETARGET on the sub-deps. Single-failure isolation: any non-skip failure marks the step failed via a `FAIL=1` accumulator but lets the loop finish so logs show every package's outcome. Also (commit b9fcea9): `packages/server/package.json#dependencies` now declares `@blackbelt-technology/dashboard-plugin-runtime: ^<ver>` — previously imported via workspace symlinks but missing from the published tarball, so a clean `npm install` of just the server crashed with `MODULE_NOT_FOUND` on first start. Also (commit 2728c31): every workspace `package.json` (`shared`, `extension`, `server`, `client`, `dashboard-plugin-runtime`, plus `electron`) now declares a `repository` field — required for npm provenance attestation validation when publishing with `--provenance` from GitHub Actions OIDC. **Electron-publish dependency-graph contract** (change: publish-fix-macos): the `electron` matrix job declares `needs: [prepare, publish]` and `strategy.fail-fast: false`. The `needs: publish` gate closes the ETARGET race that broke release run #34 — `bundle-server.sh` runs `npm install --omit=dev` against the live npm registry and resolves `@blackbelt-technology/dashboard-plugin-runtime@^<ver>` (added in commit b9fcea9 to fix `MODULE_NOT_FOUND` on clean server installs), so it must run AFTER publish has uploaded the just-bumped sub-packages. `fail-fast: false` keeps a single-OS failure from cancelling the other four matrix variants — release engineers see the full diagnostic per OS instead of one error and four cancellations. Locked by `packages/shared/src/__tests__/publish-workflow-contract.test.ts`. |
+| `packages/shared/src/__tests__/publish-workflow-contract.test.ts` | Repo-level lint: parses `.github/workflows/publish.yml`, asserts the electron job's `needs:` array contains both `prepare` and `publish` AND `strategy.fail-fast` is the literal `false`. Failure messages cite change `publish-fix-macos` so the contributor knows where to look. Mirrors `no-direct-process-kill.test.ts` and `no-raw-node-import.test.ts`. See change: publish-fix-macos. |
 
 ## Build & Restart Workflow
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blackbelt-technology/pi-agent-dashboard",
-  "version": "0.4.2",
+  "version": "0.4.3",
   "description": "Web dashboard for monitoring and interacting with pi agent sessions",
   "repository": {
     "type": "git",
@@ -66,9 +66,9 @@
     "screenshots": "npm --prefix site run screenshots"
   },
   "dependencies": {
-    "@blackbelt-technology/pi-dashboard-extension": "^0.4.2",
-    "@blackbelt-technology/pi-dashboard-server": "^0.4.2",
-    "@blackbelt-technology/pi-dashboard-web": "^0.4.2"
+    "@blackbelt-technology/pi-dashboard-extension": "^0.4.3",
+    "@blackbelt-technology/pi-dashboard-server": "^0.4.3",
+    "@blackbelt-technology/pi-dashboard-web": "^0.4.3"
   },
   "devDependencies": {
     "jsdom": "^29.0.2",

package/packages/extension/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blackbelt-technology/pi-dashboard-extension",
-  "version": "0.4.2",
+  "version": "0.4.3",
   "description": "Pi bridge extension for pi-dashboard",
   "type": "module",
   "repository": {
@@ -24,7 +24,7 @@
     ".pi/skills/pi-dashboard/"
   ],
   "dependencies": {
-    "@blackbelt-technology/pi-dashboard-shared": "^0.4.2",
+    "@blackbelt-technology/pi-dashboard-shared": "^0.4.3",
     "ws": "^8.18.0"
   },
   "peerDependencies": {

package/packages/server/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blackbelt-technology/pi-dashboard-server",
-  "version": "0.4.2",
+  "version": "0.4.3",
   "description": "Dashboard server for monitoring and interacting with pi agent sessions",
   "type": "module",
   "repository": {
@@ -31,9 +31,9 @@
     "postinstall": "node scripts/fix-pty-permissions.cjs"
   },
   "dependencies": {
-    "@blackbelt-technology/dashboard-plugin-runtime": "^0.4.2",
-    "@blackbelt-technology/pi-dashboard-extension": "^0.4.2",
-    "@blackbelt-technology/pi-dashboard-shared": "^0.4.2",
+    "@blackbelt-technology/dashboard-plugin-runtime": "^0.4.3",
+    "@blackbelt-technology/pi-dashboard-extension": "^0.4.3",
+    "@blackbelt-technology/pi-dashboard-shared": "^0.4.3",
     "@fastify/compress": "^8.3.1",
     "@fastify/cookie": "^11.0.2",
     "@fastify/cors": "^11.0.0",

package/packages/shared/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blackbelt-technology/pi-dashboard-shared",
-  "version": "0.4.2",
+  "version": "0.4.3",
   "description": "Shared types and utilities for pi-dashboard",
   "type": "module",
   "repository": {

package/packages/shared/src/__tests__/publish-workflow-contract.test.ts

@@ -0,0 +1,123 @@
+/**
+ * Repo-level invariant: `.github/workflows/publish.yml`'s `electron` job
+ * MUST `needs: [prepare, publish]` and MUST set `strategy.fail-fast: false`.
+ *
+ * Why: the bundled-server step in the electron matrix runs `npm install`
+ * against the live npm registry, which depends on `@blackbelt-technology/*`
+ * sub-packages being uploaded by the `publish` job FIRST. Without this gate
+ * the electron job races publish and ETARGETs on the just-bumped version
+ * (release run #34 — macOS hit ETARGET 1m 45s before publish finished).
+ *
+ * Without `fail-fast: false`, a single OS failure cascades and cancels the
+ * other four matrix variants — losing diagnostic output and wasting runner
+ * minutes.
+ *
+ * If this test fails, restore the two lines in `publish.yml`:
+ *   electron:
+ *     needs: [prepare, publish]
+ *     strategy:
+ *       fail-fast: false
+ *       matrix: ...
+ *
+ * See change: publish-fix-macos.
+ */
+import { describe, it, expect } from "vitest";
+import fs from "node:fs";
+import path from "node:path";
+import url from "node:url";
+
+const __dirname = path.dirname(url.fileURLToPath(import.meta.url));
+const REPO_ROOT = path.resolve(__dirname, "..", "..", "..", "..");
+const WORKFLOW_PATH = path.join(REPO_ROOT, ".github", "workflows", "publish.yml");
+
+/**
+ * Extract the YAML body of a top-level job by name. Returns the lines
+ * between `  <jobName>:` and the next sibling-indent (`  `) job, or EOF.
+ *
+ * We avoid pulling in a YAML library — the test only needs to inspect two
+ * specific scalar/list keys on a known job, and the file format is stable
+ * (2-space indent, no tabs, no anchors). Same pattern as
+ * `no-direct-process-kill.test.ts` and `no-raw-node-import.test.ts`.
+ */
+function extractJobBlock(yaml: string, jobName: string): string {
+  const lines = yaml.split("\n");
+  const headerRe = new RegExp(`^  ${jobName}:\\s*$`);
+  let start = -1;
+  for (let i = 0; i < lines.length; i++) {
+    if (headerRe.test(lines[i])) {
+      start = i;
+      break;
+    }
+  }
+  if (start === -1) {
+    throw new Error(`job '${jobName}' not found in publish.yml`);
+  }
+  // Walk forward until next line at the same 2-space indent that is a
+  // job header (`^  [a-z][a-z0-9-]*:\s*$`) or EOF.
+  const siblingRe = /^  [a-z][a-z0-9-]*:\s*$/;
+  let end = lines.length;
+  for (let i = start + 1; i < lines.length; i++) {
+    if (siblingRe.test(lines[i])) {
+      end = i;
+      break;
+    }
+  }
+  return lines.slice(start, end).join("\n");
+}
+
+describe("publish.yml — electron job dependency-graph contract", () => {
+  const yaml = fs.readFileSync(WORKFLOW_PATH, "utf8");
+  const electronBlock = extractJobBlock(yaml, "electron");
+
+  it("electron job's `needs:` includes both `prepare` and `publish`", () => {
+    // Accept either flow-list (`needs: [prepare, publish]`) or
+    // block-list:
+    //   needs:
+    //     - prepare
+    //     - publish
+    // (Currently flow-list — but the test should not lock the surface
+    // syntax, only the dependency contract.)
+    const flowMatch = electronBlock.match(/^\s{4}needs:\s*\[([^\]]*)\]/m);
+    const blockMatch = electronBlock.match(
+      /^\s{4}needs:\s*\n((?:\s{6}-\s+\S+\s*\n)+)/m,
+    );
+
+    let names: string[] = [];
+    if (flowMatch) {
+      names = flowMatch[1]
+        .split(",")
+        .map((s) => s.trim())
+        .filter(Boolean);
+    } else if (blockMatch) {
+      names = blockMatch[1]
+        .split("\n")
+        .map((l) => l.replace(/^\s*-\s+/, "").trim())
+        .filter(Boolean);
+    } else {
+      throw new Error(
+        "electron job has no `needs:` key — must declare `needs: [prepare, publish]`. " +
+          "See change: publish-fix-macos. Job block was:\n" +
+          electronBlock,
+      );
+    }
+
+    expect(names).toContain("prepare");
+    expect(names).toContain("publish");
+  });
+
+  it("electron job's `strategy.fail-fast` is `false`", () => {
+    // Match `fail-fast: false` (any whitespace after the colon, but the
+    // value must be the literal `false` — not `False`, not absent).
+    const m = electronBlock.match(/^\s{6}fail-fast:\s*(\S+)\s*$/m);
+    if (!m) {
+      throw new Error(
+        "electron job's `strategy.fail-fast` is absent — the GitHub Actions " +
+          "default of `true` would re-introduce the run-#34 cascade. " +
+          "Set `fail-fast: false`. See change: publish-fix-macos.\n" +
+          "Job block was:\n" +
+          electronBlock,
+      );
+    }
+    expect(m[1]).toBe("false");
+  });
+});