@geekbeer/minion 3.5.6 → 3.5.30

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@geekbeer/minion",
-  "version": "3.5.6",
+  "version": "3.5.30",
   "description": "AI Agent runtime for Minion - manages status and skill deployment on VPS",
   "main": "linux/server.js",
   "bin": {
@@ -10,6 +10,7 @@
     "hq-win": "./win/bin/hq-win.js"
   },
   "files": [
+    "postinstall.js",
     "core/",
     "linux/",
     "win/",
@@ -22,7 +23,8 @@
   ],
   "scripts": {
     "start": "node linux/server.js",
-    "start:win": "node win/server.js"
+    "start:win": "node win/server.js",
+    "postinstall": "node postinstall.js"
   },
   "dependencies": {
     "better-sqlite3": "^11.0.0",

package/postinstall.js

@@ -0,0 +1,18 @@
+#!/usr/bin/env node
+// postinstall.js — Re-apply file ACLs on Windows after npm install -g.
+// On Linux this is a no-op (permissions are not affected by reinstall).
+
+if (process.platform !== 'win32') process.exit(0);
+
+const { spawnSync } = require('child_process');
+const path = require('path');
+
+const ps1 = path.join(__dirname, 'win', 'postinstall.ps1');
+const result = spawnSync('powershell.exe', [
+  '-ExecutionPolicy', 'Bypass',
+  '-NoProfile',
+  '-NoLogo',
+  '-File', ps1,
+], { stdio: 'inherit', timeout: 30_000 });
+
+process.exit(result.status || 0);

package/win/lib/process-manager.js

@@ -35,6 +35,20 @@ function getNssmPath() {
   return vendorNssm
 }
 
+/**
+ * Derive the npm global prefix from the nssm.exe path.
+ * nssm is bundled at: <npm-prefix>/node_modules/@geekbeer/minion/win/vendor/nssm.exe
+ * So the prefix is the ancestor directory containing node_modules.
+ * @param {string} nssmPath - Absolute path to nssm.exe
+ * @returns {string|null} npm global prefix, or null if not derivable
+ */
+function getNpmPrefix(nssmPath) {
+  const parts = nssmPath.split(path.sep)
+  const nmIndex = parts.lastIndexOf('node_modules')
+  if (nmIndex > 0) return parts.slice(0, nmIndex).join(path.sep)
+  return null
+}
+
 /**
  * Detect Windows process manager. Always returns 'nssm'.
  * @returns {'nssm'}
@@ -56,7 +70,7 @@ function buildGracefulStopBlock(agentPort, apiToken) {
   return [
     `  try {`,
     `    Invoke-RestMethod -Uri 'http://localhost:${agentPort}/api/shutdown' -Method POST ` +
-         `-ContentType 'application/json' -Headers @{ Authorization = 'Bearer ${apiToken}' } -TimeoutSec 5 | Out-Null`,
+         `-Body '{}' -ContentType 'application/json' -Headers @{ Authorization = 'Bearer ${apiToken}' } -TimeoutSec 5 | Out-Null`,
     `    Log 'Graceful shutdown requested, waiting for offline heartbeat...'`,
     `    Start-Sleep -Seconds 4`,
     `  } catch {`,
@@ -71,6 +85,11 @@ function buildGracefulStopBlock(agentPort, apiToken) {
  * 2. Stop service via NSSM
  * 3. Run npm install -g
  * 4. Start service via NSSM
+ * 5. Remove the temporary updater service (self-cleanup)
+ *
+ * This script is registered as a temporary NSSM service ("minion-update")
+ * so it runs independently of the minion-agent service and survives
+ * the agent's stop/restart cycle.
  *
  * @param {string} npmInstallCmd - The npm install command to run
  * @param {string} nssmPath - Absolute path to nssm.exe
@@ -81,34 +100,63 @@ function buildGracefulStopBlock(agentPort, apiToken) {
  */
 function buildUpdateScript(npmInstallCmd, nssmPath, scriptName = 'update-agent', agentPort = 8080, apiToken = '') {
   const dataDir = path.join(os.homedir(), '.minion')
+  const homeDir = os.homedir()
+  const npmPrefix = getNpmPrefix(nssmPath)
   const scriptPath = path.join(dataDir, `${scriptName}.ps1`)
-  const logPath = path.join(dataDir, `${scriptName}.log`)
-  const nssm = nssmPath.replace(/\\/g, '\\\\')
+  const logDir = path.join(dataDir, 'logs')
+  const logPath = path.join(logDir, `${scriptName}.log`)
+
+  // Append --prefix to npm command so it installs to the correct global directory
+  const fullNpmCmd = npmPrefix
+    ? `${npmInstallCmd} --prefix "${npmPrefix}"`
+    : npmInstallCmd
 
   const gracefulStop = buildGracefulStopBlock(agentPort, apiToken)
 
   const ps1 = [
+    `# Override LocalSystem's default profile so npm uses the correct paths`,
+    `$env:USERPROFILE = '${homeDir}'`,
+    `$env:HOME = '${homeDir}'`,
     `$ErrorActionPreference = 'Stop'`,
-    `$logFile = '${logPath.replace(/\\/g, '\\\\')}'`,
+    `# Use nssm.exe from data dir (copied there to avoid EBUSY on package files)`,
+    `$nssm = '${path.join(dataDir, 'nssm.exe')}'`,
+    `$logFile = '${logPath}'`,
     `function Log($msg) { "$(Get-Date -Format o) $msg" | Out-File -Append $logFile }`,
     `Log 'Update started'`,
     `try {`,
     `  Log 'Requesting graceful shutdown...'`,
     gracefulStop,
     `  Log 'Stopping service via NSSM...'`,
-    `  & '${nssm}' stop minion-agent`,
+    `  & $nssm stop minion-agent`,
     `  Start-Sleep -Seconds 3`,
+    `  # Retry npm install up to 5 times (Windows may hold file locks briefly after service stop)`,
     `  Log 'Installing package...'`,
-    `  $out = & cmd /c "${npmInstallCmd} 2>&1"`,
-    `  Log "npm output: $out"`,
-    `  if ($LASTEXITCODE -ne 0) { throw "npm install failed (exit code $LASTEXITCODE)" }`,
+    `  $installed = $false`,
+    `  for ($attempt = 1; $attempt -le 5; $attempt++) {`,
+    `    $out = & cmd /c "${fullNpmCmd} 2>&1"`,
+    `    if ($LASTEXITCODE -eq 0) {`,
+    `      Log "npm output: $out"`,
+    `      $installed = $true`,
+    `      break`,
+    `    }`,
+    `    Log "npm install attempt $attempt failed (exit $LASTEXITCODE): $out"`,
+    `    if ($attempt -lt 5) {`,
+    `      Log "Retrying in 10 seconds..."`,
+    `      Start-Sleep -Seconds 10`,
+    `    }`,
+    `  }`,
+    `  if (-not $installed) { throw "npm install failed after 5 attempts" }`,
     `  Log 'Starting service...'`,
-    `  & '${nssm}' start minion-agent`,
+    `  & $nssm start minion-agent`,
     `  Log 'Update completed successfully'`,
     `} catch {`,
     `  Log "Update failed: $_"`,
     `  Log 'Attempting to start service anyway...'`,
-    `  & '${nssm}' start minion-agent`,
+    `  & $nssm start minion-agent`,
+    `} finally {`,
+    `  Log 'Cleaning up updater service...'`,
+    `  & $nssm stop minion-update confirm 2>$null`,
+    `  & $nssm remove minion-update confirm 2>$null`,
     `}`,
   ].join('\n')
 
@@ -122,35 +170,47 @@ function buildUpdateScript(npmInstallCmd, nssmPath, scriptName = 'update-agent',
  * Generate a temporary PowerShell restart script:
  * 1. Graceful shutdown via HTTP API (offline heartbeat)
  * 2. Restart service via NSSM
+ * 3. Remove the temporary updater service (self-cleanup)
+ *
+ * Registered as a temporary NSSM service ("minion-update") so the restart
+ * process is independent of the minion-agent service.
  *
  * @param {string} nssmPath - Absolute path to nssm.exe
  * @param {number} agentPort - The agent's HTTP port
  * @param {string} apiToken - The agent's API token
  * @returns {string} - Path to the generated restart script (.ps1)
  */
-function buildRestartScript(nssmPath, agentPort, apiToken) {
+function buildRestartScript(_nssmPath, agentPort, apiToken) {
   const dataDir = path.join(os.homedir(), '.minion')
+  const homeDir = os.homedir()
   const scriptPath = path.join(dataDir, 'restart-agent.ps1')
-  const logPath = path.join(dataDir, 'restart-agent.log')
-  const nssm = nssmPath.replace(/\\/g, '\\\\')
+  const logDir = path.join(dataDir, 'logs')
+  const logPath = path.join(logDir, 'restart-agent.log')
 
   const gracefulStop = buildGracefulStopBlock(agentPort, apiToken)
 
   const ps1 = [
+    `$env:USERPROFILE = '${homeDir}'`,
+    `$env:HOME = '${homeDir}'`,
     `$ErrorActionPreference = 'Stop'`,
-    `$logFile = '${logPath.replace(/\\/g, '\\\\')}'`,
+    `$nssm = '${path.join(dataDir, 'nssm.exe')}'`,
+    `$logFile = '${logPath}'`,
     `function Log($msg) { "$(Get-Date -Format o) $msg" | Out-File -Append $logFile }`,
     `Log 'Restart started'`,
     `try {`,
     `  Log 'Requesting graceful shutdown...'`,
     gracefulStop,
     `  Log 'Restarting service via NSSM...'`,
-    `  & '${nssm}' restart minion-agent`,
+    `  & $nssm restart minion-agent`,
     `  Log 'Restart completed successfully'`,
     `} catch {`,
     `  Log "Restart failed: $_"`,
     `  Log 'Attempting to start service...'`,
-    `  & '${nssm}' start minion-agent`,
+    `  & $nssm start minion-agent`,
+    `} finally {`,
+    `  Log 'Cleaning up updater service...'`,
+    `  & $nssm stop minion-update confirm 2>$null`,
+    `  & $nssm remove minion-update confirm 2>$null`,
     `}`,
   ].join('\n')
 
@@ -162,9 +222,15 @@ function buildRestartScript(nssmPath, agentPort, apiToken) {
 
 /**
  * Build allowed commands for NSSM-based service management.
+ *
+ * Deferred commands (update/restart) use a temporary NSSM service
+ * ("minion-update") to run PowerShell scripts independently of the
+ * minion-agent service. This allows the script to stop, update, and
+ * restart minion-agent without being killed in the process.
+ *
  * @param {string} _procMgr - Ignored (always 'nssm')
  * @param {{ AGENT_PORT?: number, API_TOKEN?: string }} [agentConfig] - Agent config
- * @returns {Record<string, { description: string; command?: string; spawnArgs?: [string, string[]]; deferred?: boolean }>}
+ * @returns {Record<string, { description: string; command?: string; nssmService?: { scriptPath: string }; deferred?: boolean }>}
  */
 function buildAllowedCommands(_procMgr, agentConfig = {}) {
   const commands = {}
@@ -174,28 +240,29 @@ function buildAllowedCommands(_procMgr, agentConfig = {}) {
 
   commands['restart-agent'] = {
     description: 'Restart the minion agent service',
-    spawnArgs: ['powershell', ['-NoProfile', '-ExecutionPolicy', 'Bypass', '-Command',
-      `& '${buildRestartScript(nssmPath, agentPort, apiToken)}'`]],
+    nssmService: { scriptPath: buildRestartScript(nssmPath, agentPort, apiToken) },
     deferred: true,
   }
 
   commands['update-agent'] = {
     description: 'Update @geekbeer/minion to latest version and restart',
-    spawnArgs: ['powershell', ['-NoProfile', '-ExecutionPolicy', 'Bypass', '-Command',
-      `& '${buildUpdateScript(
+    nssmService: {
+      scriptPath: buildUpdateScript(
         'npm install -g @geekbeer/minion@latest',
         nssmPath, 'update-agent', agentPort, apiToken,
-      )}'`]],
+      ),
+    },
     deferred: true,
   }
 
   commands['update-agent-dev'] = {
     description: 'Update @geekbeer/minion from Verdaccio (dev) and restart',
-    spawnArgs: ['powershell', ['-NoProfile', '-ExecutionPolicy', 'Bypass', '-Command',
-      `& '${buildUpdateScript(
+    nssmService: {
+      scriptPath: buildUpdateScript(
         'npm install -g @geekbeer/minion@latest --registry http://verdaccio:4873',
         nssmPath, 'update-agent-dev', agentPort, apiToken,
-      )}'`]],
+      ),
+    },
     deferred: true,
   }
 

package/win/minion-cli.ps1

@@ -360,7 +360,13 @@ function Stop-MinionService {
         Write-Host "minion-agent: not installed" -ForegroundColor Red
         return
     }
-    # Graceful shutdown via HTTP API first (sends offline heartbeat to HQ)
+    if ($state -eq 'STOPPED') {
+        Write-Host "minion-agent service is already stopped"
+        return
+    }
+    # Trigger graceful shutdown (sends offline heartbeat to HQ) but do NOT wait
+    # for the process to exit — otherwise NSSM sees the exit as a crash and
+    # restarts the process before sc.exe stop can run.
     $token = ''
     if (Test-Path $EnvFile) {
         $envVars = Read-EnvFile $EnvFile
@@ -369,13 +375,18 @@ function Stop-MinionService {
     try {
         $headers = @{}
         if ($token) { $headers['Authorization'] = "Bearer $token" }
-        Invoke-RestMethod -Uri "$AgentUrl/api/shutdown" -Method POST -ContentType 'application/json' -Headers $headers -TimeoutSec 5 | Out-Null
-        Write-Host "Graceful shutdown requested, waiting..."
-        Start-Sleep -Seconds 4
+        Invoke-RestMethod -Uri "$AgentUrl/api/shutdown" -Method POST -ContentType 'application/json' -Headers $headers -TimeoutSec 3 | Out-Null
     } catch {
-        Write-Host "Graceful shutdown skipped (agent may not be running)"
+        # Agent may not be responding — sc.exe stop will handle it
     }
+    # Immediately stop via NSSM (prevents auto-restart, sends kill if still alive)
     sc.exe stop minion-agent 2>&1 | Out-Null
+    # Wait for service to fully stop (up to 10 seconds)
+    for ($i = 0; $i -lt 10; $i++) {
+        $s = Get-ServiceState 'minion-agent'
+        if ($s -eq 'STOPPED') { break }
+        Start-Sleep -Seconds 1
+    }
     Write-Host "minion-agent service stopped"
 }
 
@@ -1326,11 +1337,19 @@ function Invoke-Configure {
 # ============================================================
 
 function Show-Status {
-    $state = Get-ServiceState 'minion-agent'
-    if ($state) {
-        Write-Host "minion-agent: $state"
-    } else {
-        Write-Host "minion-agent: not installed"
+    try {
+        $response = Invoke-RestMethod -Uri "$AgentUrl/api/status" -TimeoutSec 5 -ErrorAction Stop
+        # Pretty-print the JSON response
+        $response | ConvertTo-Json -Depth 5 | Write-Host
+    }
+    catch {
+        # API unreachable — fall back to service state
+        $state = Get-ServiceState 'minion-agent'
+        if ($state) {
+            Write-Host "minion-agent: $state (API unreachable)"
+        } else {
+            Write-Host "minion-agent: not installed"
+        }
     }
 }
 

package/win/postinstall.ps1

@@ -0,0 +1,82 @@
+# postinstall.ps1 — Re-apply file ACLs after npm install -g replaces the package directory.
+# Called automatically from postinstall.js on Windows.
+# Requires Administrator privileges (npm install -g typically runs as admin).
+# Exit silently if not admin or if setup has never been run (no .target-user-profile).
+
+$ErrorActionPreference = 'SilentlyContinue'
+
+# --- Locate setup metadata ---------------------------------------------------
+# During setup, .minion/.target-user-profile is written to the target user's
+# home directory.  We need to find it by scanning user profiles.
+
+function Find-TargetUserProfile {
+    $profiles = Get-CimInstance Win32_UserProfile -ErrorAction SilentlyContinue |
+        Where-Object { -not $_.Special -and $_.LocalPath -and $_.LocalPath -notmatch '\\(systemprofile|LocalService|NetworkService)$' }
+
+    foreach ($p in $profiles) {
+        $candidate = Join-Path $p.LocalPath '.minion\.target-user-profile'
+        if (Test-Path $candidate) {
+            $saved = ([System.IO.File]::ReadAllText($candidate)).Trim()
+            if ($saved -and (Test-Path $saved)) { return $saved }
+        }
+    }
+    return $null
+}
+
+# --- Main ---------------------------------------------------------------------
+
+# Must be admin (npm install -g runs as admin)
+$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(
+    [Security.Principal.WindowsBuiltInRole]::Administrator)
+if (-not $isAdmin) { exit 0 }
+
+$TargetUserProfile = Find-TargetUserProfile
+if (-not $TargetUserProfile) { exit 0 }  # setup never ran — nothing to fix
+
+$targetUserName = Split-Path $TargetUserProfile -Leaf
+
+# Determine npm global bin directory (where minion-cli-win.cmd lives)
+$adminNpmBin = Split-Path (Get-Command minion-cli-win -ErrorAction SilentlyContinue).Source -ErrorAction SilentlyContinue
+if (-not $adminNpmBin) {
+    $adminNpmBin = & npm config get prefix 2>$null
+}
+if (-not $adminNpmBin) { exit 0 }
+
+# Skip if the target user's own npm prefix (no ACL fix needed)
+if ($adminNpmBin -eq (Join-Path $TargetUserProfile 'AppData\Roaming\npm')) { exit 0 }
+
+# 1. Grant ReadAndExecute on bin links (minion-cli-win.cmd, hq-win.cmd, etc.)
+$binFiles = @()
+$binFiles += Get-ChildItem -Path $adminNpmBin -Filter '*minion*' -ErrorAction SilentlyContinue
+$binFiles += Get-ChildItem -Path $adminNpmBin -Filter '*hq-win*' -ErrorAction SilentlyContinue
+foreach ($f in $binFiles) {
+    icacls $f.FullName /grant "${targetUserName}:(RX)" /Q 2>$null | Out-Null
+}
+
+# 2. Grant ReadAndExecute on the @geekbeer/minion package directory (recursive)
+$minionPkgDir = Join-Path (Join-Path $adminNpmBin 'node_modules') '@geekbeer\minion'
+if (Test-Path $minionPkgDir) {
+    icacls $minionPkgDir /grant "${targetUserName}:(OI)(CI)RX" /T /Q 2>$null | Out-Null
+}
+
+# 3. Grant traverse access on ancestor directories (idempotent)
+$traverseDirs = @(
+    $adminNpmBin,
+    (Join-Path $adminNpmBin 'node_modules'),
+    (Join-Path $adminNpmBin 'node_modules\@geekbeer')
+)
+$walkDir = $adminNpmBin
+while ($walkDir) {
+    $parent = Split-Path $walkDir -Parent
+    if (-not $parent -or $parent -eq $walkDir) { break }
+    $traverseDirs += $parent
+    $walkDir = $parent
+    if ($parent.Length -le 3) { break }
+}
+foreach ($dir in ($traverseDirs | Select-Object -Unique)) {
+    if (Test-Path $dir) {
+        icacls $dir /grant "${targetUserName}:(RX)" /Q 2>$null | Out-Null
+    }
+}
+
+Write-Host "[@geekbeer/minion] postinstall: file permissions restored for user '$targetUserName'"

package/win/routes/commands.js

@@ -4,7 +4,7 @@
  * Same API as routes/commands.js but uses win/process-manager.js
  */
 
-const { exec, spawn } = require('child_process')
+const { exec, execSync } = require('child_process')
 const { promisify } = require('util')
 const fs = require('fs')
 const path = require('path')
@@ -13,11 +13,11 @@ const execAsync = promisify(exec)
 
 const { verifyToken } = require('../../core/lib/auth')
 const { config } = require('../../core/config')
-const { detectProcessManager, buildAllowedCommands } = require('../lib/process-manager')
+const { detectProcessManager, buildAllowedCommands, getNssmPath } = require('../lib/process-manager')
 
-const SPAWN_LOG = path.join(os.homedir(), '.minion', 'spawn-debug.log')
-function spawnLog(msg) {
-  try { fs.appendFileSync(SPAWN_LOG, `${new Date().toISOString()} ${msg}\n`) } catch {}
+const DEFERRED_LOG = path.join(os.homedir(), '.minion', 'logs', 'deferred-debug.log')
+function deferredLog(msg) {
+  try { fs.appendFileSync(DEFERRED_LOG, `${new Date().toISOString()} ${msg}\n`) } catch {}
 }
 
 const PROC_MGR = detectProcessManager()
@@ -64,29 +64,45 @@ async function commandRoutes(fastify) {
     if (allowedCommand.deferred) {
       console.log(`[Command] Scheduling deferred command: ${command}`)
       setTimeout(() => {
-        if (allowedCommand.spawnArgs) {
-          const [cmd, args] = allowedCommand.spawnArgs
-          spawnLog(`[${command}] spawn: ${cmd} ${JSON.stringify(args)}`)
+        if (allowedCommand.nssmService) {
+          // Register and start a temporary NSSM service to run the script
+          // independently of the minion-agent service process tree.
+          const { scriptPath } = allowedCommand.nssmService
+          const nssmPath = getNssmPath()
+          const svcName = 'minion-update'
+          deferredLog(`[${command}] registering NSSM service: ${svcName}`)
           try {
-            const stderrPath = path.join(os.homedir(), '.minion', `${command}-stderr.log`)
-            const stderrFd = fs.openSync(stderrPath, 'w')
-            const child = spawn(cmd, args, {
-              detached: true,
-              stdio: ['ignore', 'ignore', stderrFd],
-            })
-            child.on('error', (err) => {
-              spawnLog(`[${command}] child error: ${err.message}`)
-              console.error(`[Command] Spawn child error: ${command} - ${err.message}`)
-            })
-            child.on('exit', (code, signal) => {
-              spawnLog(`[${command}] child exit: code=${code} signal=${signal}`)
-            })
-            child.unref()
-            spawnLog(`[${command}] spawned pid=${child.pid}`)
-            console.log(`[Command] Deferred command spawned: ${command} (pid: ${child.pid})`)
+            // Copy nssm.exe to data dir so the service wrapper binary is
+            // outside the npm package directory. This prevents EBUSY when
+            // npm tries to replace the package during update.
+            const dataDirNssm = path.join(os.homedir(), '.minion', 'nssm.exe')
+            fs.copyFileSync(nssmPath, dataDirNssm)
+            const svcNssm = dataDirNssm
+
+            // Clean up any leftover service from a previous run
+            try { execSync(`"${svcNssm}" stop ${svcName} confirm`, { stdio: 'ignore', timeout: 10000 }) } catch {}
+            try { execSync(`"${svcNssm}" remove ${svcName} confirm`, { stdio: 'ignore', timeout: 10000 }) } catch {}
+
+            const powershellPath = 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'
+            const args = `-NoProfile -ExecutionPolicy Bypass -File "${scriptPath}"`
+
+            execSync(`"${svcNssm}" install ${svcName} "${powershellPath}" ${args}`, { timeout: 10000 })
+            execSync(`"${svcNssm}" set ${svcName} AppDirectory "${path.dirname(scriptPath)}"`, { stdio: 'ignore', timeout: 5000 })
+            execSync(`"${svcNssm}" set ${svcName} Start SERVICE_DEMAND_START`, { stdio: 'ignore', timeout: 5000 })
+            execSync(`"${svcNssm}" set ${svcName} AppExit Default Exit`, { stdio: 'ignore', timeout: 5000 })
+
+            // Redirect service stdout/stderr to log files
+            const svcLogDir = path.join(os.homedir(), '.minion', 'logs')
+            execSync(`"${svcNssm}" set ${svcName} AppStdout "${path.join(svcLogDir, `${command}-svc-stdout.log`)}"`, { stdio: 'ignore', timeout: 5000 })
+            execSync(`"${svcNssm}" set ${svcName} AppStderr "${path.join(svcLogDir, `${command}-svc-stderr.log`)}"`, { stdio: 'ignore', timeout: 5000 })
+
+            // Start the service (runs asynchronously, independent of minion-agent)
+            execSync(`"${svcNssm}" start ${svcName}`, { timeout: 10000 })
+            deferredLog(`[${command}] NSSM service started: ${svcName}`)
+            console.log(`[Command] Deferred command started via NSSM service: ${command}`)
           } catch (err) {
-            spawnLog(`[${command}] spawn threw: ${err.message}`)
-            console.error(`[Command] Deferred spawn failed: ${command} - ${err.message}`)
+            deferredLog(`[${command}] NSSM service failed: ${err.message}`)
+            console.error(`[Command] Deferred NSSM service failed: ${command} - ${err.message}`)
           }
         } else {
           exec(allowedCommand.command, { timeout: 60000, shell: true }, (err) => {