@blackbelt-technology/pi-agent-dashboard 0.5.0 → 0.5.2

package/packages/server/src/changelog-parser.ts

@@ -0,0 +1,321 @@
+/**
+ * Pure parser for Keep-a-Changelog-style markdown files.
+ *
+ * Pi (`@mariozechner/pi-coding-agent`) ships a `CHANGELOG.md` whose
+ * format is mechanically reliable:
+ *   - H2 release headers: `## [<version>] - <date>`
+ *   - H3 sub-section headers: `### Breaking Changes`, `### New Features`,
+ *     `### Added`, `### Changed`, `### Fixed`
+ *   - Bullets at column 0 starting `- `
+ *   - Issue/PR links as `([#NNN](URL))` at end of bullet
+ *
+ * The parser is regex-based on purpose — a full markdown AST would
+ * add hundreds of LOC of dependency surface for marginal gain. When
+ * the file deviates from convention the parser degrades gracefully:
+ * unrecognized H3 headings are dropped from typed slots but the
+ * release's `raw` field still contains the verbatim section.
+ *
+ * Plus a 60-second mtime-keyed in-memory cache so the REST route
+ * doesn't re-parse 150 KB of markdown on every dialog open.
+ *
+ * See change: pi-update-whats-new-panel.
+ */
+import fs from "node:fs";
+import type { ChangelogBullet, ChangelogRelease } from "@blackbelt-technology/pi-dashboard-shared/changelog-types.js";
+
+/** Single line, anchors at line start: `## [<version>] - <date>` (date optional). */
+const RELEASE_HEADER_RE = /^## \[([^\]]+)\](?:\s*-\s*(.+?))?\s*$/gm;
+
+/** Single line, anchors at line start: `### <heading>`. */
+const SUBSECTION_HEADER_RE = /^### (.+?)\s*$/gm;
+
+/** End-of-bullet issue ref: `([#NNN](URL))`. */
+const ISSUE_LINK_RE = /\(\[#(\d+)\]\((https?:\/\/[^)]+)\)\)/g;
+
+/** Subset of YYYY-MM-DD-ish date strings we treat as "valid enough". */
+const ISO_DATE_RE = /^\d{4}-\d{2}-\d{2}$/;
+
+/** Recognized H3 sub-section names → release-field key. */
+const KNOWN_SUBSECTIONS: Record<string, "breaking" | "features" | "changed" | "fixed"> = {
+  "Breaking Changes": "breaking",
+  "New Features": "features",
+  "Added": "features",
+  "Changed": "changed",
+  "Fixed": "fixed",
+};
+
+/**
+ * Parse a CHANGELOG.md text into a list of release entries, latest
+ * first. Pure function — no I/O. Returns `[]` when the input contains
+ * no recognizable H2 release headers.
+ */
+export function parseChangelog(markdown: string): ChangelogRelease[] {
+  if (!markdown || typeof markdown !== "string") return [];
+
+  // Locate every H2 release header and split the document by them.
+  // The regex's `lastIndex` walks the string giving us each header's
+  // (start offset, captured groups) in one pass.
+  const headers: { version: string; date: string | null; start: number; bodyStart: number }[] = [];
+
+  // Reset the global regex lastIndex to be safe across re-entrant calls.
+  RELEASE_HEADER_RE.lastIndex = 0;
+  let m: RegExpExecArray | null;
+  while ((m = RELEASE_HEADER_RE.exec(markdown)) !== null) {
+    const version = m[1].trim();
+    const dateRaw = (m[2] ?? "").trim();
+    const date = ISO_DATE_RE.test(dateRaw) ? dateRaw : null;
+    headers.push({
+      version,
+      date,
+      start: m.index,
+      bodyStart: m.index + m[0].length,
+    });
+  }
+
+  if (headers.length === 0) return [];
+
+  // Sort by occurrence order (already in order since regex walks
+  // left→right). Assemble each release as the slice from this
+  // header's start to (the next header's start, or EOF).
+  const releases: ChangelogRelease[] = [];
+  for (let i = 0; i < headers.length; i++) {
+    const h = headers[i];
+    const nextStart = i + 1 < headers.length ? headers[i + 1].start : markdown.length;
+    const raw = markdown.slice(h.start, nextStart).replace(/\s+$/, "");
+    const body = markdown.slice(h.bodyStart, nextStart);
+    const sections = splitSubsections(body);
+
+    const release: ChangelogRelease = {
+      version: h.version,
+      date: h.date,
+      breaking: [],
+      features: [],
+      changed: [],
+      fixed: [],
+      raw,
+    };
+
+    for (const sec of sections) {
+      const slot = KNOWN_SUBSECTIONS[sec.heading];
+      if (!slot) continue;
+      const bullets = extractBullets(sec.body);
+      // `features` is the merge of New Features + Added; both map to
+      // the same slot, so just push in source order.
+      release[slot].push(...bullets);
+    }
+    releases.push(release);
+  }
+
+  return releases;
+}
+
+/**
+ * Walk a release's body (text between its H2 and the next H2) and
+ * return one entry per H3 sub-heading. Text before the first H3 is
+ * dropped — pi never puts content there.
+ */
+function splitSubsections(body: string): { heading: string; body: string }[] {
+  const out: { heading: string; body: string }[] = [];
+  const positions: { heading: string; bodyStart: number; headerStart: number }[] = [];
+
+  SUBSECTION_HEADER_RE.lastIndex = 0;
+  let m: RegExpExecArray | null;
+  while ((m = SUBSECTION_HEADER_RE.exec(body)) !== null) {
+    positions.push({
+      heading: m[1].trim(),
+      headerStart: m.index,
+      bodyStart: m.index + m[0].length,
+    });
+  }
+  for (let i = 0; i < positions.length; i++) {
+    const p = positions[i];
+    const nextStart = i + 1 < positions.length ? positions[i + 1].headerStart : body.length;
+    out.push({ heading: p.heading, body: body.slice(p.bodyStart, nextStart) });
+  }
+  return out;
+}
+
+/**
+ * Extract bullets from a sub-section body. A bullet starts with `- `
+ * at column 0 and continues until the next column-0 `- ` line, the
+ * next H-heading line, or end-of-section.
+ */
+function extractBullets(body: string): ChangelogBullet[] {
+  const lines = body.split("\n");
+  const bullets: string[] = [];
+  let current: string | null = null;
+
+  for (const line of lines) {
+    if (/^- /.test(line)) {
+      if (current !== null) bullets.push(current);
+      current = line.slice(2);
+    } else if (current !== null) {
+      // Continuation of the current bullet only when the line is
+      // either blank-and-followed-by-content (we drop blanks) or
+      // indented. Stop on an undented non-bullet line that looks
+      // like new content.
+      if (line.trim() === "") {
+        // Skip blank lines inside a bullet block; they may separate
+        // paragraphs but don't terminate the bullet.
+        continue;
+      }
+      if (/^\s/.test(line)) {
+        current += "\n" + line.replace(/^\s+/, "");
+      } else {
+        // Undented non-bullet line: treat as end of bullet block.
+        bullets.push(current);
+        current = null;
+      }
+    }
+  }
+  if (current !== null) bullets.push(current);
+
+  return bullets.map((text) => ({
+    text: text.trim(),
+    issues: extractIssues(text),
+  }));
+}
+
+/** Collect all `([#NNN](URL))` matches in a bullet's prose. */
+function extractIssues(text: string): { num: number; url: string }[] {
+  const out: { num: number; url: string }[] = [];
+  ISSUE_LINK_RE.lastIndex = 0;
+  let m: RegExpExecArray | null;
+  while ((m = ISSUE_LINK_RE.exec(text)) !== null) {
+    const num = parseInt(m[1], 10);
+    if (!Number.isNaN(num)) out.push({ num, url: m[2] });
+  }
+  return out;
+}
+
+// ── Cache ──────────────────────────────────────────────────────────
+
+const CACHE_TTL_MS = 60_000;
+
+export type ChangelogSource = "local" | "remote";
+
+interface CacheEntry {
+  /** Result of parsing the file/text. */
+  releases: ChangelogRelease[];
+  /**
+   * mtime of the source file when this entry was created (local source
+   * only). 0 for remote entries (mtime irrelevant; ETag drives remote
+   * freshness).
+   */
+  mtimeMs: number;
+  /** Wall-clock expiry. */
+  expiresAt: number;
+  /** ETag from a remote response, if any. Used for conditional GET. */
+  etag: string | null;
+}
+
+/** Cache key combines pkg + source so remote and local don't collide. */
+function cacheKey(pkg: string, source: ChangelogSource): string {
+  return `${source}:${pkg}`;
+}
+
+const cache = new Map<string, CacheEntry>();
+
+/**
+ * Read + parse a CHANGELOG.md file with a 60-second mtime-keyed
+ * cache. The cache is keyed by `pkg`; the entry is invalidated when
+ * the file's mtime changes (e.g. after a fresh `npm install`) or
+ * when 60 seconds have elapsed.
+ *
+ * Returns `[]` (not throwing) for ENOENT — callers treat "not found"
+ * the same as "no releases". Other I/O errors propagate.
+ */
+export function readAndParseChangelog(
+  pkg: string,
+  filePath: string,
+  now: () => number = Date.now,
+): ChangelogRelease[] {
+  let stat: fs.Stats;
+  try {
+    stat = fs.statSync(filePath);
+  } catch (err: any) {
+    if (err?.code === "ENOENT") return [];
+    throw err;
+  }
+  const mtimeMs = stat.mtimeMs;
+  const t = now();
+
+  const key = cacheKey(pkg, "local");
+  const hit = cache.get(key);
+  if (hit && hit.mtimeMs === mtimeMs && t < hit.expiresAt) {
+    return hit.releases;
+  }
+
+  const content = fs.readFileSync(filePath, "utf8");
+  const releases = parseChangelog(content);
+  cache.set(key, {
+    releases,
+    mtimeMs,
+    expiresAt: t + CACHE_TTL_MS,
+    etag: null,
+  });
+  return releases;
+}
+
+/**
+ * Cache-hit accessor for the remote-source entry. Returns the cached
+ * releases + last-known ETag. Caller decides what to do with `expired`
+ * (typically: try a conditional GET, reuse on 304).
+ */
+export function getCachedRemoteChangelog(
+  pkg: string,
+  now: () => number = Date.now,
+): { releases: ChangelogRelease[]; etag: string | null; expired: boolean } | undefined {
+  const hit = cache.get(cacheKey(pkg, "remote"));
+  if (!hit) return undefined;
+  return {
+    releases: hit.releases,
+    etag: hit.etag,
+    expired: now() >= hit.expiresAt,
+  };
+}
+
+/** Store a remote fetch result. */
+export function setRemoteChangelog(
+  pkg: string,
+  releases: ChangelogRelease[],
+  etag: string | null,
+  now: () => number = Date.now,
+): void {
+  cache.set(cacheKey(pkg, "remote"), {
+    releases,
+    mtimeMs: 0,
+    expiresAt: now() + CACHE_TTL_MS,
+    etag,
+  });
+}
+
+/**
+ * Extend a remote cache entry's TTL without re-parsing. Used after a
+ * 304 Not Modified response.
+ */
+export function refreshRemoteChangelogTtl(
+  pkg: string,
+  now: () => number = Date.now,
+): void {
+  const entry = cache.get(cacheKey(pkg, "remote"));
+  if (entry) entry.expiresAt = now() + CACHE_TTL_MS;
+}
+
+/** Clear all cache entries. Test seam + invalidation hook. */
+export function _resetChangelogCache(): void {
+  cache.clear();
+}
+
+/**
+ * Clear a single package's cache entries (both local and remote
+ * sources). Wired into PiCoreChecker.invalidate.
+ */
+export function invalidateChangelogCache(pkg?: string): void {
+  if (pkg === undefined) {
+    cache.clear();
+    return;
+  }
+  cache.delete(cacheKey(pkg, "local"));
+  cache.delete(cacheKey(pkg, "remote"));
+}

package/packages/server/src/changelog-remote.ts

@@ -0,0 +1,134 @@
+/**
+ * Fetches the upstream CHANGELOG.md from GitHub raw, so the dashboard
+ * can show release notes for versions newer than the locally-installed
+ * tarball describes.
+ *
+ * Trust model identical to `pi-dev-version-check`: HTTPS, default Node
+ * trust store, 10-second timeout, env-skippable via `PI_OFFLINE`.
+ *
+ * See change: read-changelog-from-github.
+ */
+
+const DEFAULT_TIMEOUT_MS = 10_000;
+
+/** Discriminated result of a remote fetch attempt. */
+export type RemoteChangelogResult =
+  | { status: "ok"; text: string; etag: string | null }
+  | { status: "not-modified" }
+  | null; // hard failure (network, parse, env-skipped) → caller falls back to local
+
+export interface FetchRemoteChangelogOptions {
+  /** Optional ETag from a previous response. When set, sent as `If-None-Match`. */
+  etag?: string | null;
+  /** Override fetch timeout. Default 10 s. */
+  timeoutMs?: number;
+  /** Test seam. */
+  fetchImpl?: typeof fetch;
+}
+
+/**
+ * Sibling of `deriveChangelogUrl` that returns the *raw* form suitable
+ * for parsing (vs the `/blob/main/` URL which is for human viewing).
+ *
+ * Accepts the same `repository` field shapes:
+ *   - `"github:org/repo"` shorthand
+ *   - URL strings (`"https://github.com/org/repo.git"`, `"git@github.com:org/repo.git"`, etc.)
+ *   - object form `{ url, directory? }` (monorepos)
+ *
+ * Returns `null` for non-GitHub or unparseable input.
+ */
+export function deriveChangelogRawUrl(repository: unknown): string | null {
+  if (!repository) return null;
+
+  let urlStr: string | null = null;
+  let directory: string | null = null;
+
+  if (typeof repository === "string") {
+    urlStr = repository;
+  } else if (typeof repository === "object" && repository !== null) {
+    const rec = repository as Record<string, unknown>;
+    if (typeof rec.url === "string") urlStr = rec.url;
+    if (typeof rec.directory === "string" && rec.directory.length > 0) {
+      directory = rec.directory.replace(/^\/+|\/+$/g, "");
+    }
+  }
+  if (!urlStr) return null;
+
+  const m = parseGitHubUrl(urlStr);
+  if (!m) return null;
+
+  const subPath = directory ? `${directory}/` : "";
+  return `https://raw.githubusercontent.com/${m.org}/${m.repo}/main/${subPath}CHANGELOG.md`;
+}
+
+/**
+ * Parse the various GitHub URL forms used in `package.json#repository`
+ * into `{ org, repo }`. Internal helper duplicating the same logic in
+ * `changelog-fs.ts::parseGitHubUrl` — kept inline to avoid cross-module
+ * coupling for a 10-line regex.
+ */
+function parseGitHubUrl(s: string): { org: string; repo: string } | null {
+  const trimmed = s.trim();
+
+  // github:org/repo shorthand
+  let m = trimmed.match(/^github:([^/]+)\/([^/#]+)/i);
+  if (m) return { org: m[1], repo: stripGitSuffix(m[2]) };
+
+  // git+https://github.com/org/repo.git
+  // https://github.com/org/repo
+  // ssh://git@github.com/org/repo.git
+  // git@github.com:org/repo.git
+  m = trimmed.match(/(?:^|[/@:])github\.com[/:]([^/]+)\/([^/#?]+)/i);
+  if (m) return { org: m[1], repo: stripGitSuffix(m[2]) };
+
+  return null;
+}
+
+function stripGitSuffix(repo: string): string {
+  return repo.replace(/\.git$/i, "");
+}
+
+/**
+ * Fetch the markdown text at `rawUrl`. Returns:
+ *   - `{ status: "ok", text, etag }` on 2xx
+ *   - `{ status: "not-modified" }` on 304 (when If-None-Match was sent and
+ *     server confirmed the cached body is current)
+ *   - `null` for: PI_OFFLINE / env-skipped, non-2xx (other than 304),
+ *     network error, abort, malformed response.
+ *
+ * Caller is responsible for falling back to the local CHANGELOG on
+ * `null` return.
+ */
+export async function fetchRemoteChangelog(
+  rawUrl: string,
+  opts: FetchRemoteChangelogOptions = {},
+): Promise<RemoteChangelogResult> {
+  if (process.env.PI_OFFLINE) return null;
+
+  const fetchFn = opts.fetchImpl ?? fetch;
+  const timeoutMs = opts.timeoutMs ?? DEFAULT_TIMEOUT_MS;
+  const headers: Record<string, string> = { accept: "text/plain, */*" };
+  if (opts.etag) headers["If-None-Match"] = opts.etag;
+
+  try {
+    const response = await fetchFn(rawUrl, {
+      headers,
+      signal: AbortSignal.timeout(timeoutMs),
+      redirect: "follow",
+    });
+
+    // 304: server confirms cache is current. Caller reuses cached body.
+    if (response.status === 304) {
+      return { status: "not-modified" };
+    }
+    if (!response.ok) return null;
+
+    const text = await response.text();
+    if (typeof text !== "string" || text.length === 0) return null;
+
+    const etag = response.headers.get("etag");
+    return { status: "ok", text, etag };
+  } catch {
+    return null;
+  }
+}

package/packages/server/src/cli.ts

@@ -1,4 +1,4 @@
-#!/usr/bin/env node --import tsx
+#!/usr/bin/env node
 /**
  * PI Dashboard Server CLI
  *
@@ -17,11 +17,13 @@
  */
 import { createServer, type ServerConfig } from "./server.js";
 import { loadConfig, ensureConfig } from "@blackbelt-technology/pi-dashboard-shared/config.js";
-import { spawn } from "@blackbelt-technology/pi-dashboard-shared/platform/exec.js";
-import { spawnNodeScript } from "@blackbelt-technology/pi-dashboard-shared/platform/node-spawn.js";
-import { createRequire } from "node:module";
-import { fileURLToPath, pathToFileURL } from "node:url";
-import fs from "node:fs";
+import {
+  launchDashboardServer,
+  JitiNotFoundError,
+  PortConflictError,
+  EarlyExitError,
+} from "@blackbelt-technology/pi-dashboard-shared/server-launcher.js";
+import { fileURLToPath } from "node:url";
 import os from "node:os";
 import path from "node:path";
 import { readPid, removePid, isServerRunning } from "./server-pid.js";
@@ -42,7 +44,7 @@ export function findPortHolders(
 }
 import { isDashboardRunning } from "@blackbelt-technology/pi-dashboard-shared/server-identity.js";
 import { discoverDashboard } from "@blackbelt-technology/pi-dashboard-shared/mdns-discovery.js";
-import { resolveJitiImport } from "@blackbelt-technology/pi-dashboard-shared/resolve-jiti.js";
+
 import { assertNodeVersionSupported } from "./node-guard.js";
 import { getDefaultRegistry } from "@blackbelt-technology/pi-dashboard-shared/tool-registry/index.js";
 import { bootstrapInstall } from "@blackbelt-technology/pi-dashboard-shared/bootstrap-install.js";
@@ -141,6 +143,7 @@ export function buildConfig(flags: Partial<ServerConfig>): ServerConfig {
     shutdownIdleSeconds: fileConfig.shutdownIdleSeconds,
     tunnel: flags.tunnel ?? fileConfig.tunnel.enabled,
     tunnelReservedToken: fileConfig.tunnel.reservedToken,
+    tunnelWatchdog: fileConfig.tunnel.watchdog,
     authConfig: fileConfig.auth,
     maxEventsPerSession: fileConfig.memoryLimits.maxEventsPerSession,
     maxStringFieldSize: fileConfig.memoryLimits.maxStringFieldSize,
@@ -252,7 +255,7 @@ async function runDegradedModeBootstrap(server: DashboardServer): Promise<void>
     return;
   }
 
-  const installPackages = ["@mariozechner/pi-coding-agent", "@fission-ai/openspec", "tsx"];
+  const installPackages = ["@earendil-works/pi-coding-agent", "@fission-ai/openspec"];
   server.bootstrapState.setLastInstallPackages(installPackages);
   console.log("[bootstrap] installing (pi unresolved, running background install)");
   server.bootstrapState.set({
@@ -351,7 +354,10 @@ async function cmdStart(config: ServerConfig): Promise<void> {
     process.exit(1);
   }
 
-  // Spawn ourselves in foreground mode (no subcommand) as a detached process
+  // Spawn ourselves in foreground mode (no subcommand) as a detached process.
+  // All concerns below — jiti loader resolution, --import argv URL-wrapping,
+  // env merge, log-file header, readiness polling, port-conflict / early-exit
+  // detection — are owned by the shared `launchDashboardServer` primitive.
   const cliPath = fileURLToPath(import.meta.url);
   const args: string[] = [];
   if (config.port !== 8000) args.push("--port", String(config.port));
@@ -359,83 +365,39 @@ async function cmdStart(config: ServerConfig): Promise<void> {
   if (config.dev) args.push("--dev");
   if (!config.tunnel) args.push("--no-tunnel");
 
-  let tsLoader: string;
-  try {
-    tsLoader = resolveJitiImport();
-  } catch {
-    // Fallback to tsx when jiti is not available (e.g. running outside pi).
-    // The loader is passed to `node --import`; on Windows, Node >= 20 rejects
-    // raw absolute paths with a drive letter (parsed as URL scheme), so we
-    // return a file:// URL. See change: fix-windows-server-parity.
-    try {
-      const tsxMain = createRequire(cliPath).resolve("tsx");
-      const tsxLoaderPath = path.join(path.dirname(tsxMain), "esm", "index.mjs");
-      tsLoader = pathToFileURL(tsxLoaderPath).href;
-    } catch {
-      console.error(
-        "[pi-dashboard] Cannot find TypeScript loader. " +
-        "Install tsx (`npm install`) or run inside a pi session."
-      );
-      process.exit(1);
-    }
-  }
-
-  // Redirect daemon stdout/stderr to a log file for crash diagnosis.
-  // Log is opened in append mode ("a") so output from prior start attempts
-  // is preserved across retries — critical for diagnosing intermittent or
-  // silent launch failures. A timestamped header line distinguishes runs.
-  // See change: fix-windows-server-parity.
   const logDir = path.join(os.homedir(), ".pi", "dashboard");
-  fs.mkdirSync(logDir, { recursive: true });
   const logPath = path.join(logDir, "server.log");
-  const logFd = fs.openSync(logPath, "a");
-  fs.writeSync(
-    logFd,
-    `\n[${new Date().toISOString()}] pi-dashboard start (parent pid ${process.pid}, port ${config.port})\n`,
-  );
-
-  // Both tsLoader and cliPath are wrapped as file:// URLs by spawnNodeScript.
-  // Required on Windows for node --import (see change: fix-windows-entry-script-url).
-  const child = spawnNodeScript({
-    loader: tsLoader,
-    entry: cliPath,
-    args,
-    spawnOptions: {
-      detached: true,
-      stdio: ["ignore", logFd, logFd],
+
+  try {
+    const result = await launchDashboardServer({
+      cliPath,
+      extraArgs: args,
+      stdio: { logFile: logPath },
+      starter: "Standalone",
+      healthTimeoutMs: 30_000,
+      port: config.port,
       env: { ...process.env },
-    },
-  });
-  child.unref();
-  // Close the parent's copy of the fd — child has its own via stdio inheritance.
-  try { fs.closeSync(logFd); } catch { /* ignore */ }
-
-  // Wait for dashboard to become available. Windows + jiti cold-start can
-  // take 10s+ (TS compile on first boot, native module loads). 30s is the
-  // outer bound — if the server isn't up by then, something's genuinely wrong.
-  const READINESS_TIMEOUT_MS = 30_000;
-  const deadline = Date.now() + READINESS_TIMEOUT_MS;
-  let started = false;
-  while (Date.now() < deadline) {
-    // Also bail if the child has already exited (fast-path crash detection).
-    if (child.exitCode !== null) break;
-    await new Promise((r) => setTimeout(r, 300));
-    const status = await isDashboardRunning(config.port);
-    if (status.running) {
-      started = true;
-      break;
+    });
+    const reportedPid = result.reportedPid ?? readPid() ?? result.childPid;
+    console.log(`Dashboard server started (pid ${reportedPid}) at http://localhost:${config.port}`);
+  } catch (err: unknown) {
+    if (err instanceof JitiNotFoundError) {
+      console.error(`[pi-dashboard] ${err.message}`);
+      process.exit(1);
     }
-  }
-
-  if (started) {
-    const pid = readPid();
-    console.log(`Dashboard server started (pid ${pid ?? child.pid}) at http://localhost:${config.port}`);
-  } else {
-    const reason = child.exitCode !== null
-      ? `child process exited with code ${child.exitCode}`
-      : `timed out after ${READINESS_TIMEOUT_MS / 1000}s`;
+    if (err instanceof PortConflictError) {
+      console.error(`Port ${err.port} is occupied by another service (not the dashboard).`);
+      console.error(`Change the port in ~/.pi/dashboard/config.json or use --port <n>`);
+      process.exit(1);
+    }
+    if (err instanceof EarlyExitError) {
+      console.error(`Failed to start dashboard server (child process exited with code ${err.code})`);
+      console.error(`Check logs at ${logPath}`);
+      process.exit(1);
+    }
+    const reason = err instanceof Error ? err.message : String(err);
     console.error(`Failed to start dashboard server (${reason})`);
-    console.error(`Check logs at ${path.join(logDir, "server.log")}`);
+    console.error(`Check logs at ${logPath}`);
     process.exit(1);
   }
 }
@@ -598,7 +560,7 @@ async function cmdUpgradePi(config: ServerConfig): Promise<void> {
 
   console.log("[upgrade-pi] no dashboard running — installing directly");
   const res = await bootstrapInstall({
-    packages: ["@mariozechner/pi-coding-agent"],
+    packages: ["@earendil-works/pi-coding-agent"],
     progress: (p) => {
       const line = p.output
         ? `[upgrade-pi] ${p.step} ${p.status}: ${p.output}`
@@ -666,7 +628,25 @@ async function cmdStatus(port: number): Promise<void> {
   console.log(`Dashboard server is running (pid ${pid}) on port ${port}`);
 }
 
+/**
+ * Install process-level safety net so a single misbehaving plugin or
+ * library cannot kill the whole dashboard. Logs the offending error and
+ * keeps the event loop running. We do NOT exit; the surrounding daemon
+ * harness already restarts on real crashes (signal/exit-code), and
+ * silently swallowing recoverable async faults is the lesser evil here.
+ */
+function installCrashSafetyNet(): void {
+  process.on("unhandledRejection", (reason: unknown) => {
+    const err = reason instanceof Error ? reason : new Error(String(reason));
+    console.error("[crash-safety] unhandledRejection (suppressed):", err.stack || err.message);
+  });
+  process.on("uncaughtException", (err: Error) => {
+    console.error("[crash-safety] uncaughtException (suppressed):", err.stack || err.message);
+  });
+}
+
 async function main() {
+  installCrashSafetyNet();
   ensureConfig();
 
   const { subcommand, flags } = parseArgs(process.argv.slice(2));