@blackbelt-technology/pi-agent-dashboard 0.5.1 → 0.5.2

package/packages/server/src/__tests__/pi-dashboard-bin-wrapper.test.ts

@@ -0,0 +1,84 @@
+/**
+ * Tests for `packages/server/bin/pi-dashboard.mjs` — the published CLI
+ * bin entry. Spawns the wrapper as a child process to exercise the
+ * real jiti-resolution + re-exec behaviour.
+ *
+ * See change: replace-tsx-with-jiti.
+ */
+import { describe, it, expect, beforeAll } from "vitest";
+import { spawnSync } from "node:child_process";
+import { mkdtempSync, writeFileSync, mkdirSync, rmSync, existsSync } from "node:fs";
+import { tmpdir } from "node:os";
+import path from "node:path";
+import url from "node:url";
+
+const here = path.dirname(url.fileURLToPath(import.meta.url));
+const wrapperPath = path.resolve(here, "..", "..", "bin", "pi-dashboard.mjs");
+const repoNodeModules = path.resolve(here, "..", "..", "..", "..", "node_modules");
+const repoJitiRegister = path.join(repoNodeModules, "jiti", "lib", "jiti-register.mjs");
+
+describe("bin/pi-dashboard.mjs wrapper", () => {
+  beforeAll(() => {
+    if (!existsSync(wrapperPath)) {
+      throw new Error(`Wrapper missing at ${wrapperPath}`);
+    }
+  });
+
+  it("exits 1 with install-hint when jiti cannot be resolved", () => {
+    // Build an isolated anchor with NO node_modules tree — createRequire on
+    // it will fail to resolve `jiti/package.json`, triggering the miss path.
+    const tmp = mkdtempSync(path.join(tmpdir(), "pi-dashboard-bin-test-"));
+    try {
+      const fakeAnchor = path.join(tmp, "fake-anchor.js");
+      writeFileSync(fakeAnchor, "// no-op anchor with no node_modules\n");
+
+      // Spawn the wrapper. We override process.argv[1] indirectly by
+      // invoking node with `<wrapper>` then forcing argv[1] to the fake
+      // anchor via a tiny preamble — but the wrapper reads its OWN
+      // process.argv[1] which is the wrapper path itself when invoked
+      // directly. Strategy: copy the wrapper into the isolated tmp dir so
+      // its argv[1] resolves there with no jiti adjacency.
+      const isolatedWrapper = path.join(tmp, "pi-dashboard.mjs");
+      const wrapperSrc = require("node:fs").readFileSync(wrapperPath, "utf-8");
+      writeFileSync(isolatedWrapper, wrapperSrc);
+
+      const result = spawnSync(process.execPath, [isolatedWrapper, "--version"], {
+        encoding: "utf-8",
+        env: { ...process.env, NODE_PATH: "" },
+        timeout: 10_000,
+      });
+
+      expect(result.status).toBe(1);
+      expect(result.stderr).toContain("pi-dashboard: cannot find jiti");
+      expect(result.stderr).toContain("npm install -g @earendil-works/pi-coding-agent");
+      // No tsx mention — proposal mandates no-fallback wrapper.
+      expect(result.stderr).not.toMatch(/tsx/i);
+    } finally {
+      rmSync(tmp, { recursive: true, force: true });
+    }
+  });
+
+  it("resolves jiti from process.argv[1] anchor and re-execs cli.ts", () => {
+    // Repo root has jiti at node_modules/jiti — wrapper invoked with its
+    // real path SHOULD walk createRequire(realpath(argv[1])) up into the
+    // repo's node_modules and find jiti.
+    if (!existsSync(repoJitiRegister)) {
+      // CI / fresh clone without `npm install` — skip rather than fail.
+      return;
+    }
+
+    // Use `status` — it doesn't bind ports and exits quickly regardless
+    // of whether a server is running. We don't care about exit code (0 if
+    // a dashboard is up, 1 if not — both are valid outcomes that prove
+    // the wrapper successfully resolved jiti and re-execed cli.ts). What
+    // we DO care about: (a) no jiti-miss error on stderr, (b) cli.ts
+    // produced its own "Dashboard server" output (running OR not running).
+    const result = spawnSync(process.execPath, [wrapperPath, "status"], {
+      encoding: "utf-8",
+      timeout: 30_000,
+    });
+
+    expect(result.stderr).not.toContain("pi-dashboard: cannot find jiti");
+    expect(result.stdout).toMatch(/Dashboard server/i);
+  }, 60_000);
+});

package/packages/server/src/__tests__/process-manager-keeper-spawn.test.ts

@@ -0,0 +1,206 @@
+/**
+ * Tests for the `useRpcKeeper: true` branch in `spawnHeadless` (Phase 5).
+ *
+ * Drives `spawnPiSession({strategy: "headless"})` with the keeper-flag
+ * override on, an injected fake KeeperManager, and verifies:
+ *   - keeper branch fires (KeeperManager.spawnKeeperFor called, NOT pi resolved)
+ *   - returned SpawnResult.pid is the keeper PID
+ *   - env passed to the keeper includes `PI_DASHBOARD_SPAWN_TOKEN`
+ *   - keeper failure surfaces as `PI_CRASHED` or `SPAWN_ERRNO`
+ *   - flag OFF (default) → keeper is NOT used
+ */
+import { EventEmitter } from "node:events";
+import { existsSync, mkdtempSync, rmSync } from "node:fs";
+import path from "node:path";
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+import type {
+  KeeperManager,
+  KeeperSpawnResult,
+} from "../rpc-keeper/keeper-manager.js";
+import {
+  setKeeperManager,
+  _setUseRpcKeeperOverrideForTests,
+  spawnPiSession,
+} from "../process-manager.js";
+
+class FakeKeeperChild extends EventEmitter {
+  pid: number;
+  unref = vi.fn();
+  kill = vi.fn();
+  // Never emits "exit" → waitForNoCrash window completes cleanly.
+  constructor(pid: number) { super(); this.pid = pid; }
+}
+
+interface FakeKeeperManagerState {
+  spawnCalls: Array<{ sessionId: string; cwd: string; env: NodeJS.ProcessEnv; piArgs?: string[] }>;
+  writeCalls: Array<{ sessionId: string; line: string }>;
+  killCalls: string[];
+  spawnResult: KeeperSpawnResult;
+}
+
+function makeFakeKeeperManager(
+  state: Partial<FakeKeeperManagerState> & { spawnResult: KeeperSpawnResult },
+): { km: KeeperManager; state: FakeKeeperManagerState } {
+  const full: FakeKeeperManagerState = {
+    spawnCalls: state.spawnCalls ?? [],
+    writeCalls: state.writeCalls ?? [],
+    killCalls: state.killCalls ?? [],
+    spawnResult: state.spawnResult,
+  };
+  const km: KeeperManager = {
+    sessionsDir: "/fake/sessions",
+    spawnKeeperFor: async (sessionId, cwd, env, piArgs) => {
+      full.spawnCalls.push({ sessionId, cwd, env, piArgs });
+      return full.spawnResult;
+    },
+    writeRpc: async (sessionId, line) => {
+      full.writeCalls.push({ sessionId, line });
+      return true;
+    },
+    writeRpcToSockPath: async (_sockPath, _line) => true,
+    killKeeper: (sessionId) => {
+      full.killCalls.push(sessionId);
+      return true;
+    },
+    discoverExistingKeepers: async () => [],
+  };
+  return { km, state: full };
+}
+
+let tmpCwd: string;
+
+beforeEach(() => {
+  tmpCwd = mkdtempSync(path.join("/tmp", "km-cwd-"));
+});
+afterEach(() => {
+  setKeeperManager(null);
+  _setUseRpcKeeperOverrideForTests(null);
+  rmSync(tmpCwd, { recursive: true, force: true });
+});
+
+describe("spawnHeadless (useRpcKeeper: true)", () => {
+  it("routes through KeeperManager when flag is on", async () => {
+    const fakeChild = new FakeKeeperChild(11111);
+    const { km, state } = makeFakeKeeperManager({
+      spawnResult: {
+        success: true,
+        pid: 11111,
+        sockPath: "/fake/sessions/sid.rpc.sock",
+        process: fakeChild as unknown as import("node:child_process").ChildProcess,
+      },
+    });
+    setKeeperManager(km);
+    _setUseRpcKeeperOverrideForTests(true);
+
+    const result = await spawnPiSession(tmpCwd, { strategy: "headless" });
+
+    expect(result.success).toBe(true);
+    expect(result.pid).toBe(11111);
+    expect(state.spawnCalls).toHaveLength(1);
+    expect(state.spawnCalls[0].cwd).toBe(tmpCwd);
+
+    // spawnToken contract (task 5.3): the env passed to the keeper carries
+    // PI_DASHBOARD_SPAWN_TOKEN, which the keeper forwards to pi via
+    // process.env inheritance.
+    expect(state.spawnCalls[0].env.PI_DASHBOARD_SPAWN_TOKEN).toBeDefined();
+    expect(typeof state.spawnCalls[0].env.PI_DASHBOARD_SPAWN_TOKEN).toBe("string");
+    expect(state.spawnCalls[0].env.PI_DASHBOARD_SPAWN_TOKEN!.length).toBeGreaterThan(0);
+
+    // The returned spawnToken matches what was injected into env.
+    expect(result.spawnToken).toBe(state.spawnCalls[0].env.PI_DASHBOARD_SPAWN_TOKEN);
+
+    // Bare-spawn piArgs are at least `--mode rpc`.
+    expect(state.spawnCalls[0].piArgs).toBeDefined();
+    expect(state.spawnCalls[0].piArgs).toContain("--mode");
+    expect(state.spawnCalls[0].piArgs).toContain("rpc");
+
+    // SpawnResult.keeperSockPath populated so callers can pass it to
+    // `headlessPidRegistry.register(..., {keeperPid, keeperSockPath})`
+    // (Phase 6 contract). See change: add-rpc-stdin-dispatch-with-keeper-sidecar.
+    expect(result.keeperSockPath).toBe("/fake/sessions/sid.rpc.sock");
+  });
+
+  it("forwards resume flags (sessionFile / mode) to the keeper as piArgs", async () => {
+    const fakeChild = new FakeKeeperChild(33333);
+    const { km, state } = makeFakeKeeperManager({
+      spawnResult: {
+        success: true,
+        pid: 33333,
+        sockPath: "/fake/x.sock",
+        process: fakeChild as unknown as import("node:child_process").ChildProcess,
+      },
+    });
+    setKeeperManager(km);
+    _setUseRpcKeeperOverrideForTests(true);
+
+    const sessionFile = "/tmp/sess-resume.jsonl";
+    const result = await spawnPiSession(tmpCwd, {
+      strategy: "headless",
+      sessionFile,
+      mode: "continue",
+    });
+
+    expect(result.success).toBe(true);
+    expect(state.spawnCalls).toHaveLength(1);
+    const piArgs = state.spawnCalls[0].piArgs ?? [];
+    // piArgs MUST carry the session-file flag so resume actually resumes
+    // (regression guard: in the first Phase-5 cut the keeper hardcoded
+    // ["--mode","rpc"] and resume created a fresh session instead).
+    expect(piArgs).toContain("--mode");
+    expect(piArgs).toContain("rpc");
+    // sessionFlagsToArgv emits the session-file path; the exact flag name
+    // (`--session-file`) is verified in spawn-mechanism unit tests; here
+    // we only assert the path token is present so we don't double-bind to
+    // upstream argv shape.
+    expect(piArgs).toContain(sessionFile);
+  });
+
+  it("returns SPAWN_ERRNO when KeeperManager.spawnKeeperFor reports !success", async () => {
+    const { km } = makeFakeKeeperManager({
+      spawnResult: { success: false, error: "EACCES on socket bind" },
+    });
+    setKeeperManager(km);
+    _setUseRpcKeeperOverrideForTests(true);
+
+    const result = await spawnPiSession(tmpCwd, { strategy: "headless" });
+    expect(result.success).toBe(false);
+    expect(result.code).toBe("SPAWN_ERRNO");
+    expect(result.message).toMatch(/RPC keeper/);
+    expect(result.message).toMatch(/EACCES/);
+  });
+
+  it("returns PI_CRASHED when keeper exits within the crash window", async () => {
+    // A child that emits "exit" inside 300 ms triggers the waitForNoCrash gate.
+    const fakeChild = new FakeKeeperChild(22222);
+    setTimeout(() => fakeChild.emit("exit", 1, null), 20);
+
+    const { km } = makeFakeKeeperManager({
+      spawnResult: {
+        success: true,
+        pid: 22222,
+        sockPath: "/fake/sessions/sid.rpc.sock",
+        process: fakeChild as unknown as import("node:child_process").ChildProcess,
+      },
+    });
+    setKeeperManager(km);
+    _setUseRpcKeeperOverrideForTests(true);
+
+    const result = await spawnPiSession(tmpCwd, { strategy: "headless" });
+    expect(result.success).toBe(false);
+    expect(result.code).toBe("PI_CRASHED");
+    expect(result.message).toMatch(/crash window/);
+  });
+
+  it("does NOT route through KeeperManager when flag is off (default)", async () => {
+    const { km, state } = makeFakeKeeperManager({
+      spawnResult: { success: true, pid: 99999, sockPath: "/fake/x.sock" },
+    });
+    setKeeperManager(km);
+    _setUseRpcKeeperOverrideForTests(false);
+
+    // We don't care about the actual headless spawn result here — only that
+    // it does NOT call the fake KeeperManager.
+    await spawnPiSession(tmpCwd, { strategy: "headless" });
+    expect(state.spawnCalls).toEqual([]);
+  });
+});

package/packages/server/src/__tests__/provider-routes-recursion-guard.test.ts

@@ -0,0 +1,131 @@
+/**
+ * Integration test for recursion guard wired into PUT /api/providers (task 10.4).
+ *
+ * Verifies:
+ * - Self-pointing baseUrl → 400 with code RECURSIVE_PROXY
+ * - Valid external baseUrl → accepted (2xx, written to disk)
+ * - Existing providers untouched on validation failure
+ */
+import { describe, it, expect, beforeEach, afterEach } from "vitest";
+import Fastify from "fastify";
+import { writeFileSync, mkdirSync, rmSync } from "node:fs";
+import { join } from "node:path";
+import { homedir } from "node:os";
+import { registerProviderRoutes } from "../routes/provider-routes.js";
+
+const PROVIDERS_PATH = join(homedir(), ".pi", "agent", "providers.json");
+const PROVIDERS_DIR = join(homedir(), ".pi", "agent");
+
+// Back up / restore providers.json around each test
+let backup: string | null = null;
+beforeEach(() => {
+  try { backup = require("fs").readFileSync(PROVIDERS_PATH, "utf-8"); } catch { backup = null; }
+});
+afterEach(() => {
+  try {
+    if (backup !== null) {
+      writeFileSync(PROVIDERS_PATH, backup);
+    } else {
+      rmSync(PROVIDERS_PATH, { force: true });
+    }
+  } catch {}
+});
+
+async function buildApp(port = 8000) {
+  const app = Fastify({ logger: false });
+  const networkGuard = async () => {};
+  mkdirSync(PROVIDERS_DIR, { recursive: true });
+  registerProviderRoutes(app, { networkGuard, port });
+  await app.ready();
+  return app;
+}
+
+describe("recursion guard on PUT /api/providers (task 10.4)", () => {
+  it("localhost self-pointing baseUrl → 400 RECURSIVE_PROXY", async () => {
+    const app = await buildApp(8000);
+
+    const res = await app.inject({
+      method: "PUT",
+      url: "/api/providers",
+      headers: { "content-type": "application/json" },
+      body: JSON.stringify({
+        providers: {
+          self: { baseUrl: "http://localhost:8000/v1", apiKey: "" },
+        },
+      }),
+    });
+
+    expect(res.statusCode).toBe(400);
+    const body = JSON.parse(res.body);
+    expect(body.code).toBe("RECURSIVE_PROXY");
+    expect(body.offendingBaseUrl).toBe("http://localhost:8000/v1");
+  });
+
+  it("127.0.0.1 variant also caught", async () => {
+    const app = await buildApp(8000);
+
+    const res = await app.inject({
+      method: "PUT",
+      url: "/api/providers",
+      headers: { "content-type": "application/json" },
+      body: JSON.stringify({
+        providers: {
+          self: { baseUrl: "http://127.0.0.1:8000/v1", apiKey: "" },
+        },
+      }),
+    });
+
+    expect(res.statusCode).toBe(400);
+    expect(JSON.parse(res.body).code).toBe("RECURSIVE_PROXY");
+  });
+
+  it("external baseUrl passes validation", async () => {
+    const app = await buildApp(8000);
+
+    const res = await app.inject({
+      method: "PUT",
+      url: "/api/providers",
+      headers: { "content-type": "application/json" },
+      body: JSON.stringify({
+        providers: {
+          openai: { baseUrl: "https://api.openai.com/v1", apiKey: "sk-test" },
+        },
+      }),
+    });
+
+    // Should succeed (200/204) or return a non-400 error
+    expect(res.statusCode).not.toBe(400);
+    const body = JSON.parse(res.body);
+    expect(body.code).not.toBe("RECURSIVE_PROXY");
+  });
+
+  it("validation failure leaves existing providers untouched", async () => {
+    // Pre-populate providers.json with a valid provider
+    mkdirSync(PROVIDERS_DIR, { recursive: true });
+    writeFileSync(PROVIDERS_PATH, JSON.stringify({
+      providers: { openai: { baseUrl: "https://api.openai.com/v1", apiKey: "sk-existing" } },
+    }));
+
+    const app = await buildApp(8000);
+
+    // Attempt to add a recursive provider — should fail
+    const res = await app.inject({
+      method: "PUT",
+      url: "/api/providers",
+      headers: { "content-type": "application/json" },
+      body: JSON.stringify({
+        providers: {
+          openai: { baseUrl: "https://api.openai.com/v1", apiKey: "sk-existing" },
+          self: { baseUrl: "http://localhost:8000/v1", apiKey: "" },
+        },
+      }),
+    });
+
+    expect(res.statusCode).toBe(400);
+
+    // Read providers.json — existing provider should still be there
+    const stored = JSON.parse(require("fs").readFileSync(PROVIDERS_PATH, "utf-8"));
+    expect(stored.providers?.openai?.baseUrl).toBe("https://api.openai.com/v1");
+    expect(stored.providers?.self).toBeUndefined();
+  });
+});

package/packages/server/src/__tests__/recommended-routes.test.ts

@@ -195,7 +195,7 @@ describe("GET /api/packages/recommended", () => {
 		return fastify;
 	}
 
-	it("returns the 5 manifest entries with default (offline) descriptions", async () => {
+	it("returns the 6 manifest entries with default (offline) descriptions", async () => {
 		vi.mocked(fetchPackageMeta).mockResolvedValue(null);
 		vi.mocked(fetchGithubPackageJson).mockResolvedValue(null);
 		await setupRoute();
@@ -208,7 +208,7 @@ describe("GET /api/packages/recommended", () => {
 		const body = JSON.parse(res.payload);
 		expect(body.success).toBe(true);
 		const entries = body.data.recommended;
-		expect(entries).toHaveLength(5);
+		expect(entries).toHaveLength(6);
 		// Every entry falls back to fallbackDescription and has no version.
 		for (const e of entries) {
 			expect(typeof e.description).toBe("string");

package/packages/server/src/__tests__/tunnel-watchdog.test.ts

@@ -0,0 +1,139 @@
+import { describe, it, expect, beforeEach, afterEach, vi } from "vitest";
+import {
+  probeTunnel,
+  startTunnelWatchdog,
+  stopTunnelWatchdog,
+  getTunnelWatchdogStatus,
+  _runTickForTest,
+  _resetForTest,
+} from "../tunnel-watchdog.js";
+
+const URL = "https://abc.share.zrok.io";
+
+function makeFetch(responses: Array<Response | Error>): typeof fetch {
+  let i = 0;
+  return (async () => {
+    const r = responses[Math.min(i, responses.length - 1)];
+    i += 1;
+    if (r instanceof Error) throw r;
+    return r;
+  }) as unknown as typeof fetch;
+}
+
+describe("probeTunnel", () => {
+  it("returns ok on 2xx", async () => {
+    const f = makeFetch([new Response("{}", { status: 200 })]);
+    expect(await probeTunnel(URL, 1000, f)).toEqual({ ok: true, status: 200 });
+  });
+
+  it("returns ok on 4xx (auth gate proves edge↔local works)", async () => {
+    const f = makeFetch([new Response("", { status: 401 })]);
+    expect(await probeTunnel(URL, 1000, f)).toEqual({ ok: true, status: 401 });
+  });
+
+  it("returns NOT ok on 5xx", async () => {
+    const f = makeFetch([new Response("bad gateway", { status: 502 })]);
+    const r = await probeTunnel(URL, 1000, f);
+    expect(r.ok).toBe(false);
+    expect(r.status).toBe(502);
+    expect(r.reason).toMatch(/502/);
+  });
+
+  it("returns NOT ok on network error", async () => {
+    const f = makeFetch([new Error("ENOTFOUND")]);
+    const r = await probeTunnel(URL, 1000, f);
+    expect(r.ok).toBe(false);
+    expect(r.reason).toMatch(/ENOTFOUND/);
+  });
+});
+
+describe("watchdog lifecycle", () => {
+  beforeEach(() => { _resetForTest(); });
+  afterEach(() => { _resetForTest(); });
+
+  it("does not start when disabled", () => {
+    startTunnelWatchdog(
+      { getUrl: () => URL, recycle: vi.fn(async () => URL) },
+      { enabled: false },
+    );
+    expect(getTunnelWatchdogStatus()).toBeNull();
+  });
+
+  it("recycles after threshold consecutive 5xx", async () => {
+    const recycle = vi.fn(async () => URL);
+    const fetchFn = makeFetch([
+      new Response("", { status: 502 }),
+      new Response("", { status: 502 }),
+    ]);
+    startTunnelWatchdog(
+      { getUrl: () => URL, recycle, fetchFn, log: () => {} },
+      { intervalMs: 1000, failureThreshold: 2, probeTimeoutMs: 500 },
+    );
+    await _runTickForTest();
+    expect(recycle).not.toHaveBeenCalled();
+    expect(getTunnelWatchdogStatus()?.consecutiveFailures).toBe(1);
+
+    await _runTickForTest();
+    expect(recycle).toHaveBeenCalledTimes(1);
+    const s = getTunnelWatchdogStatus()!;
+    expect(s.consecutiveFailures).toBe(0);
+    expect(s.recycleCount).toBe(1);
+    expect(s.lastRecycleAt).toBeGreaterThan(0);
+  });
+
+  it("does not recycle on a single failure surrounded by success", async () => {
+    const recycle = vi.fn(async () => URL);
+    const fetchFn = makeFetch([
+      new Response("", { status: 200 }),
+      new Response("", { status: 502 }),
+      new Response("", { status: 200 }),
+    ]);
+    startTunnelWatchdog(
+      { getUrl: () => URL, recycle, fetchFn, log: () => {} },
+      { intervalMs: 1000, failureThreshold: 2, probeTimeoutMs: 500 },
+    );
+    await _runTickForTest();
+    await _runTickForTest();
+    await _runTickForTest();
+    expect(recycle).not.toHaveBeenCalled();
+    expect(getTunnelWatchdogStatus()?.consecutiveFailures).toBe(0);
+  });
+
+  it("treats recycle failure as a no-op for stats but flags it for backoff", async () => {
+    const recycle = vi.fn(async () => null); // recycle returned no URL
+    const fetchFn = makeFetch([
+      new Response("", { status: 502 }),
+      new Response("", { status: 502 }),
+    ]);
+    startTunnelWatchdog(
+      { getUrl: () => URL, recycle, fetchFn, log: () => {} },
+      { intervalMs: 1000, failureThreshold: 2, probeTimeoutMs: 500 },
+    );
+    await _runTickForTest();
+    await _runTickForTest();
+    expect(recycle).toHaveBeenCalledTimes(1);
+    expect(getTunnelWatchdogStatus()?.recycleCount).toBe(1);
+  });
+
+  it("skips probing when no tunnel URL", async () => {
+    const recycle = vi.fn(async () => URL);
+    const fetchFn = vi.fn();
+    startTunnelWatchdog(
+      { getUrl: () => null, recycle, fetchFn: fetchFn as any, log: () => {} },
+      { intervalMs: 1000, failureThreshold: 2, probeTimeoutMs: 500 },
+    );
+    await _runTickForTest();
+    expect(fetchFn).not.toHaveBeenCalled();
+    expect(recycle).not.toHaveBeenCalled();
+  });
+
+  it("stop clears state", () => {
+    startTunnelWatchdog(
+      { getUrl: () => URL, recycle: vi.fn(async () => URL), log: () => {} },
+      { intervalMs: 1000 },
+    );
+    expect(getTunnelWatchdogStatus()).not.toBeNull();
+    stopTunnelWatchdog();
+    expect(getTunnelWatchdogStatus()).toBeNull();
+  });
+});

package/packages/server/src/auth-plugin.ts

@@ -253,6 +253,9 @@ export async function registerAuthPlugin(
     // Skip health endpoint
     if (request.url === "/api/health") return;
 
+    // Skip /v1/* — proxy auth gate handles those
+    if (request.url.startsWith("/v1/")) return;
+
     // Skip configured bypass URL prefixes
     if (isBypassed(request.url, authState.bypassUrls)) return;
 

package/packages/server/src/bootstrap-state.ts

@@ -69,6 +69,16 @@ export interface BootstrapState {
     /** Package names that failed to install. */
     failed: string[];
   };
+  /**
+   * Legacy `@mariozechner/pi-coding-agent` installs detected on disk.
+   * Populated at server start and after every cleanup POST. See
+   * `legacy-pi-cleanup.ts`.
+   */
+  legacyPiInstalls?: Array<{
+    scope: "npm-global" | "npx-cache" | "managed";
+    path: string;
+    version: string | null;
+  }>;
 }
 
 export type BootstrapListener = (state: BootstrapState) => void;

package/packages/server/src/browser-gateway.ts

@@ -5,6 +5,7 @@
 import { WebSocketServer, WebSocket } from "ws";
 import type {
   ServerToBrowserMessage,
+  BrowserOpenSpecUpdateMessage,
   BrowserToServerMessage,
 } from "@blackbelt-technology/pi-dashboard-shared/browser-protocol.js";
 import type { SessionManager } from "./memory-session-manager.js";
@@ -15,7 +16,7 @@ import { createHeadlessPidRegistry, type HeadlessPidRegistry } from "./headless-
 import type { PendingForkRegistry } from "./pending-fork-registry.js";
 import type { SessionOrderManager } from "./session-order-manager.js";
 import type { PreferencesStore } from "./preferences-store.js";
-import { hasOpenSpecDir, type DirectoryService } from "./directory-service.js";
+import { hasOpenSpecDir, hasOpenSpecRoot, type DirectoryService } from "./directory-service.js";
 
 /**
  * Pure helper: build the per-cwd `openspec_update` messages a freshly
@@ -31,23 +32,30 @@ import { hasOpenSpecDir, type DirectoryService } from "./directory-service.js";
 export function buildOpenSpecConnectSnapshot(
   directoryService: Pick<DirectoryService, "knownDirectories" | "getOpenSpecData">,
   hasDir: (cwd: string) => boolean,
-): Array<ServerToBrowserMessage> {
-  const out: Array<ServerToBrowserMessage> = [];
+  hasRoot: (cwd: string) => boolean = hasDir,
+): Array<BrowserOpenSpecUpdateMessage> {
+  const out: Array<BrowserOpenSpecUpdateMessage> = [];
   for (const cwd of directoryService.knownDirectories()) {
     const cached = directoryService.getOpenSpecData(cwd);
+    const root = hasRoot(cwd);
     if (cached && cached.initialized) {
-      out.push({ type: "openspec_update", cwd, data: cached });
+      // Cached payload already carries `hasOpenspecDir` set by `pollOne`; if
+      // an old cache entry predates that field, fill it from the live probe.
+      const data = cached.hasOpenspecDir === undefined
+        ? { ...cached, hasOpenspecDir: root }
+        : cached;
+      out.push({ type: "openspec_update", cwd, data });
     } else if (hasDir(cwd)) {
       out.push({
         type: "openspec_update",
         cwd,
-        data: { initialized: false, pending: true, changes: [] },
+        data: { initialized: false, pending: true, changes: [], hasOpenspecDir: root },
       });
     } else {
       out.push({
         type: "openspec_update",
         cwd,
-        data: { initialized: false, pending: false, changes: [] },
+        data: { initialized: false, pending: false, changes: [], hasOpenspecDir: root },
       });
     }
   }
@@ -272,7 +280,7 @@ export function createBrowserGateway(
     // `openspec_update` per cwd, never silently omit.
     // See change: fix-cold-boot-openspec-protocol.
     if (directoryService) {
-      for (const msg of buildOpenSpecConnectSnapshot(directoryService, hasOpenSpecDir)) {
+      for (const msg of buildOpenSpecConnectSnapshot(directoryService, hasOpenSpecDir, hasOpenSpecRoot)) {
         sendTo(ws, msg);
       }
     }