@oss-autopilot/core 0.44.1 → 0.44.3

package/dist/commands/daily.js

@@ -7,22 +7,12 @@
  * orchestration layer that wires up the phases and handles I/O.
  */
 import { getStateManager, PRMonitor, IssueConversationMonitor, requireGitHubToken, CRITICAL_STATUSES, computeRepoSignals, groupPRsByRepo, assessCapacity, collectActionableIssues, computeActionMenu, toShelvedPRRef, formatBriefSummary, formatSummary, } from '../core/index.js';
-import { errorMessage, getHttpStatusCode } from '../core/errors.js';
+import { errorMessage, isRateLimitOrAuthError } from '../core/errors.js';
 import { warn } from '../core/logger.js';
 import { emptyPRCountsResult } from '../core/github-stats.js';
+import { updateMonthlyAnalytics } from './dashboard-data.js';
 import { deduplicateDigest, compactActionableIssues, compactRepoGroups, } from '../formatters/json.js';
 const MODULE = 'daily';
-/** Return true for errors that should propagate (not degrade gracefully). */
-function isRateLimitOrAuthError(err) {
-    const status = getHttpStatusCode(err);
-    if (status === 401 || status === 429)
-        return true;
-    if (status === 403) {
-        const msg = errorMessage(err).toLowerCase();
-        return msg.includes('rate limit') || msg.includes('abuse detection');
-    }
-    return false;
-}
 // Re-export domain functions so existing consumers (tests, dashboard, startup)
 // can continue importing from './daily.js' without changes.
 export { computeRepoSignals, groupPRsByRepo, assessCapacity, collectActionableIssues, computeActionMenu, toShelvedPRRef, formatBriefSummary, formatSummary, printDigest, CRITICAL_STATUSES, } from '../core/index.js';
@@ -218,53 +208,6 @@ async function updateRepoScores(prMonitor, prs, mergedCounts, closedCounts) {
         warn(MODULE, `[ALL_TRUST_SYNCS_FAILED] All ${mergedCounts.size} trusted project sync(s) failed. This may indicate corrupted state.`);
     }
 }
-/**
- * Phase 3: Persist monthly chart analytics to state.
- * Stores merged, closed, and combined opened counts per month.
- * Each metric is isolated so partial failures don't produce inconsistent state.
- */
-function updateAnalytics(prs, monthlyCounts, monthlyClosedCounts, openedFromMerged, openedFromClosed) {
-    const stateManager = getStateManager();
-    // Store monthly chart data (non-critical — each metric isolated so partial failures don't leave inconsistent state).
-    // Guard: skip overwriting when the data is empty to avoid wiping existing chart data on transient API failures.
-    // An empty object means the fetch failed and fell back to emptyPRCountsResult(), so we preserve previous state.
-    try {
-        if (Object.keys(monthlyCounts).length > 0) {
-            stateManager.setMonthlyMergedCounts(monthlyCounts);
-        }
-    }
-    catch (error) {
-        warn(MODULE, `Failed to store monthly merged counts: ${errorMessage(error)}`);
-    }
-    try {
-        if (Object.keys(monthlyClosedCounts).length > 0) {
-            stateManager.setMonthlyClosedCounts(monthlyClosedCounts);
-        }
-    }
-    catch (error) {
-        warn(MODULE, `Failed to store monthly closed counts: ${errorMessage(error)}`);
-    }
-    try {
-        // Build combined monthly opened counts from merged + closed + currently-open PRs
-        const combinedOpenedCounts = { ...openedFromMerged };
-        for (const [month, count] of Object.entries(openedFromClosed)) {
-            combinedOpenedCounts[month] = (combinedOpenedCounts[month] || 0) + count;
-        }
-        // Add currently-open PR creation dates
-        for (const pr of prs) {
-            if (pr.createdAt) {
-                const month = pr.createdAt.slice(0, 7);
-                combinedOpenedCounts[month] = (combinedOpenedCounts[month] || 0) + 1;
-            }
-        }
-        if (Object.keys(combinedOpenedCounts).length > 0) {
-            stateManager.setMonthlyOpenedCounts(combinedOpenedCounts);
-        }
-    }
-    catch (error) {
-        warn(MODULE, `Failed to compute/store monthly opened counts: ${errorMessage(error)}`);
-    }
-}
 /**
  * Phase 4: Expire snoozes and partition PRs into active vs shelved buckets.
  * Auto-unshelves PRs where maintainers have engaged, generates the digest,
@@ -459,7 +402,7 @@ async function executeDailyCheckInternal(token) {
     // Phase 2: Update repo scores (signals, star counts, trust sync)
     await updateRepoScores(prMonitor, prs, mergedCounts, closedCounts);
     // Phase 3: Persist monthly analytics
-    updateAnalytics(prs, monthlyCounts, monthlyClosedCounts, openedFromMerged, openedFromClosed);
+    updateMonthlyAnalytics(prs, monthlyCounts, monthlyClosedCounts, openedFromMerged, openedFromClosed);
     // Phase 4: Expire snoozes, partition PRs, generate and save digest
     const { activePRs, shelvedPRs, digest } = partitionPRs(prMonitor, prs, recentlyClosedPRs, recentlyMergedPRs);
     // Phase 5: Build structured output (capacity, dismiss filter, action menu)

package/dist/commands/dashboard-data.d.ts

@@ -12,10 +12,23 @@ export interface DashboardStats {
     mergeRate: string;
 }
 export declare function buildDashboardStats(digest: DailyDigest, state: Readonly<AgentState>): DashboardStats;
+/**
+ * Persist monthly chart analytics (merged, closed, opened) to state.
+ * Each metric is isolated so partial failures don't produce inconsistent state.
+ * Skips overwriting when data is empty to avoid wiping chart data on transient API failures.
+ */
+export declare function updateMonthlyAnalytics(prs: Array<{
+    createdAt?: string;
+}>, monthlyCounts: Record<string, number>, monthlyClosedCounts: Record<string, number>, openedFromMerged: Record<string, number>, openedFromClosed: Record<string, number>): void;
 export interface DashboardFetchResult {
     digest: DailyDigest;
     commentedIssues: CommentedIssue[];
 }
+/**
+ * Fetch fresh dashboard data from GitHub.
+ * Returns the digest and commented issues, updating state as a side effect.
+ * Throws if the fetch fails entirely (caller should fall back to cached data).
+ */
 export declare function fetchDashboardData(token: string): Promise<DashboardFetchResult>;
 /**
  * Compute PRs grouped by repository from a digest and state.

package/dist/commands/dashboard-data.js

@@ -4,9 +4,11 @@
  * Consumed by the dashboard HTTP server (dashboard-server.ts) for the SPA API.
  */
 import { getStateManager, PRMonitor, IssueConversationMonitor } from '../core/index.js';
-import { errorMessage, getHttpStatusCode } from '../core/errors.js';
+import { errorMessage, isRateLimitOrAuthError } from '../core/errors.js';
+import { warn } from '../core/logger.js';
 import { emptyPRCountsResult } from '../core/github-stats.js';
 import { toShelvedPRRef } from './daily.js';
+const MODULE = 'dashboard-data';
 export function buildDashboardStats(digest, state) {
     const summary = digest.summary || {
         totalActivePRs: 0,
@@ -22,21 +24,53 @@ export function buildDashboardStats(digest, state) {
         mergeRate: `${(summary.mergeRate ?? 0).toFixed(1)}%`,
     };
 }
+/**
+ * Persist monthly chart analytics (merged, closed, opened) to state.
+ * Each metric is isolated so partial failures don't produce inconsistent state.
+ * Skips overwriting when data is empty to avoid wiping chart data on transient API failures.
+ */
+export function updateMonthlyAnalytics(prs, monthlyCounts, monthlyClosedCounts, openedFromMerged, openedFromClosed) {
+    const stateManager = getStateManager();
+    try {
+        if (Object.keys(monthlyCounts).length > 0) {
+            stateManager.setMonthlyMergedCounts(monthlyCounts);
+        }
+    }
+    catch (error) {
+        warn(MODULE, `Failed to store monthly merged counts: ${errorMessage(error)}`);
+    }
+    try {
+        if (Object.keys(monthlyClosedCounts).length > 0) {
+            stateManager.setMonthlyClosedCounts(monthlyClosedCounts);
+        }
+    }
+    catch (error) {
+        warn(MODULE, `Failed to store monthly closed counts: ${errorMessage(error)}`);
+    }
+    try {
+        const combinedOpenedCounts = { ...openedFromMerged };
+        for (const [month, count] of Object.entries(openedFromClosed)) {
+            combinedOpenedCounts[month] = (combinedOpenedCounts[month] || 0) + count;
+        }
+        for (const pr of prs) {
+            if (pr.createdAt) {
+                const month = pr.createdAt.slice(0, 7);
+                combinedOpenedCounts[month] = (combinedOpenedCounts[month] || 0) + 1;
+            }
+        }
+        if (Object.keys(combinedOpenedCounts).length > 0) {
+            stateManager.setMonthlyOpenedCounts(combinedOpenedCounts);
+        }
+    }
+    catch (error) {
+        warn(MODULE, `Failed to store monthly opened counts: ${errorMessage(error)}`);
+    }
+}
 /**
  * Fetch fresh dashboard data from GitHub.
  * Returns the digest and commented issues, updating state as a side effect.
  * Throws if the fetch fails entirely (caller should fall back to cached data).
  */
-function isRateLimitOrAuthError(err) {
-    const status = getHttpStatusCode(err);
-    if (status === 401 || status === 429)
-        return true;
-    if (status === 403) {
-        const msg = errorMessage(err).toLowerCase();
-        return msg.includes('rate limit') || msg.includes('abuse detection');
-    }
-    return false;
-}
 export async function fetchDashboardData(token) {
     const stateManager = getStateManager();
     const prMonitor = new PRMonitor(token);
@@ -46,34 +80,34 @@ export async function fetchDashboardData(token) {
         prMonitor.fetchRecentlyClosedPRs().catch((err) => {
             if (isRateLimitOrAuthError(err))
                 throw err;
-            console.error(`Warning: Failed to fetch recently closed PRs: ${errorMessage(err)}`);
+            warn(MODULE, `Failed to fetch recently closed PRs: ${errorMessage(err)}`);
             return [];
         }),
         prMonitor.fetchRecentlyMergedPRs().catch((err) => {
             if (isRateLimitOrAuthError(err))
                 throw err;
-            console.error(`Warning: Failed to fetch recently merged PRs: ${errorMessage(err)}`);
+            warn(MODULE, `Failed to fetch recently merged PRs: ${errorMessage(err)}`);
             return [];
         }),
         prMonitor.fetchUserMergedPRCounts().catch((err) => {
             if (isRateLimitOrAuthError(err))
                 throw err;
-            console.error(`Warning: Failed to fetch merged PR counts: ${errorMessage(err)}`);
+            warn(MODULE, `Failed to fetch merged PR counts: ${errorMessage(err)}`);
             return emptyPRCountsResult();
         }),
         prMonitor.fetchUserClosedPRCounts().catch((err) => {
             if (isRateLimitOrAuthError(err))
                 throw err;
-            console.error(`Warning: Failed to fetch closed PR counts: ${errorMessage(err)}`);
+            warn(MODULE, `Failed to fetch closed PR counts: ${errorMessage(err)}`);
             return emptyPRCountsResult();
         }),
         issueMonitor.fetchCommentedIssues().catch((error) => {
             const msg = errorMessage(error);
             if (msg.includes('No GitHub username configured')) {
-                console.error(`[DASHBOARD] Issue conversation tracking requires setup: ${msg}`);
+                warn(MODULE, `Issue conversation tracking requires setup: ${msg}`);
             }
             else {
-                console.error(`[DASHBOARD] Issue conversation fetch failed: ${msg}`);
+                warn(MODULE, `Issue conversation fetch failed: ${msg}`);
             }
             return {
                 issues: [],
@@ -83,49 +117,15 @@ export async function fetchDashboardData(token) {
     ]);
     const commentedIssues = fetchedIssues.issues;
     if (fetchedIssues.failures.length > 0) {
-        console.error(`[DASHBOARD] ${fetchedIssues.failures.length} issue conversation check(s) failed`);
+        warn(MODULE, `${fetchedIssues.failures.length} issue conversation check(s) failed`);
     }
     if (failures.length > 0) {
-        console.error(`Warning: ${failures.length} PR fetch(es) failed`);
+        warn(MODULE, `${failures.length} PR fetch(es) failed`);
     }
     // Store monthly chart data (opened/merged/closed) so charts have data
     const { monthlyCounts, monthlyOpenedCounts: openedFromMerged } = mergedResult;
     const { monthlyCounts: monthlyClosedCounts, monthlyOpenedCounts: openedFromClosed } = closedResult;
-    // Guard: skip overwriting when data is empty to avoid wiping chart data on transient API failures.
-    try {
-        if (Object.keys(monthlyCounts).length > 0) {
-            stateManager.setMonthlyMergedCounts(monthlyCounts);
-        }
-    }
-    catch (error) {
-        console.error('[DASHBOARD] Failed to store monthly merged counts:', errorMessage(error));
-    }
-    try {
-        if (Object.keys(monthlyClosedCounts).length > 0) {
-            stateManager.setMonthlyClosedCounts(monthlyClosedCounts);
-        }
-    }
-    catch (error) {
-        console.error('[DASHBOARD] Failed to store monthly closed counts:', errorMessage(error));
-    }
-    try {
-        const combinedOpenedCounts = { ...openedFromMerged };
-        for (const [month, count] of Object.entries(openedFromClosed)) {
-            combinedOpenedCounts[month] = (combinedOpenedCounts[month] || 0) + count;
-        }
-        for (const pr of prs) {
-            if (pr.createdAt) {
-                const month = pr.createdAt.slice(0, 7);
-                combinedOpenedCounts[month] = (combinedOpenedCounts[month] || 0) + 1;
-            }
-        }
-        if (Object.keys(combinedOpenedCounts).length > 0) {
-            stateManager.setMonthlyOpenedCounts(combinedOpenedCounts);
-        }
-    }
-    catch (error) {
-        console.error('[DASHBOARD] Failed to store monthly opened counts:', errorMessage(error));
-    }
+    updateMonthlyAnalytics(prs, monthlyCounts, monthlyClosedCounts, openedFromMerged, openedFromClosed);
     const digest = prMonitor.generateDigest(prs, recentlyClosedPRs, recentlyMergedPRs);
     // Apply shelve partitioning for display (auto-unshelve only runs in daily check)
     // Dormant PRs are treated as shelved for display purposes
@@ -139,9 +139,9 @@ export async function fetchDashboardData(token) {
         stateManager.save();
     }
     catch (error) {
-        console.error('Warning: Failed to save dashboard digest to state:', errorMessage(error));
+        warn(MODULE, `Failed to save dashboard digest to state: ${errorMessage(error)}`);
     }
-    console.error(`Refreshed: ${prs.length} PRs fetched`);
+    warn(MODULE, `Refreshed: ${prs.length} PRs fetched`);
     return { digest, commentedIssues };
 }
 /**

package/dist/commands/dashboard-server.js

@@ -10,6 +10,7 @@ import * as fs from 'fs';
 import * as path from 'path';
 import { getStateManager, getGitHubToken, getDataDir } from '../core/index.js';
 import { errorMessage, ValidationError } from '../core/errors.js';
+import { warn } from '../core/logger.js';
 import { validateUrl, validateGitHubUrl, validateMessage, PR_URL_PATTERN, ISSUE_OR_PR_URL_PATTERN, } from './validation.js';
 import { fetchDashboardData, computePRsByRepo, computeTopRepos, getMonthlyData, buildDashboardStats, } from './dashboard-data.js';
 import { openInBrowser } from './startup.js';
@@ -22,7 +23,9 @@ const VALID_ACTIONS = new Set([
     'dismiss',
     'undismiss',
 ]);
+const MODULE = 'dashboard-server';
 const MAX_BODY_BYTES = 10_240;
+const REQUEST_TIMEOUT_MS = 30_000;
 const MIME_TYPES = {
     '.html': 'text/html',
     '.js': 'application/javascript',
@@ -48,7 +51,7 @@ export function readDashboardServerInfo() {
             typeof parsed.pid !== 'number' ||
             typeof parsed.port !== 'number' ||
             typeof parsed.startedAt !== 'string') {
-            console.error('[DASHBOARD] PID file has invalid structure, ignoring');
+            warn(MODULE, 'PID file has invalid structure, ignoring');
             return null;
         }
         return parsed;
@@ -56,7 +59,7 @@ export function readDashboardServerInfo() {
     catch (err) {
         const code = err.code;
         if (code !== 'ENOENT') {
-            console.error(`[DASHBOARD] Failed to read PID file: ${err.message}`);
+            warn(MODULE, `Failed to read PID file: ${err.message}`);
         }
         return null;
     }
@@ -68,7 +71,7 @@ export function removeDashboardServerInfo() {
     catch (err) {
         const code = err.code;
         if (code !== 'ENOENT') {
-            console.error(`[DASHBOARD] Failed to remove PID file: ${err.message}`);
+            warn(MODULE, `Failed to remove PID file: ${err.message}`);
         }
     }
 }
@@ -98,7 +101,7 @@ export async function findRunningDashboardServer() {
     catch (err) {
         const code = err.code;
         if (code !== 'ESRCH' && code !== 'EPERM') {
-            console.error(`[DASHBOARD] Unexpected error checking PID ${info.pid}: ${err.message}`);
+            warn(MODULE, `Unexpected error checking PID ${info.pid}: ${err.message}`);
         }
         // ESRCH = no process at that PID; EPERM = PID recycled to another user's process
         // Either way, our dashboard server is no longer running — clean up stale PID file
@@ -170,10 +173,32 @@ function readBody(req, maxBytes = MAX_BODY_BYTES) {
         });
     });
 }
+/**
+ * Set security headers on every response.
+ */
+function setSecurityHeaders(res) {
+    res.setHeader('X-Content-Type-Options', 'nosniff');
+    res.setHeader('X-Frame-Options', 'DENY');
+    res.setHeader('Content-Security-Policy', "default-src 'self'; script-src 'self' https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'");
+    res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
+}
+/**
+ * Validate that POST requests originate from the local dashboard.
+ * Returns true if the Origin is acceptable, false otherwise.
+ */
+function isValidOrigin(req, port) {
+    const origin = req.headers['origin'];
+    if (!origin)
+        return true; // No Origin header = same-origin request (non-browser or same-page)
+    const allowed = [`http://localhost:${port}`, `http://127.0.0.1:${port}`];
+    return allowed.includes(origin);
+}
 /**
  * Send a JSON response.
  */
 function sendJson(res, statusCode, data) {
+    setSecurityHeaders(res);
+    res.setHeader('Cache-Control', 'no-store');
     const body = JSON.stringify(data);
     res.writeHead(statusCode, {
         'Content-Type': 'application/json',
@@ -199,9 +224,7 @@ export async function startDashboardServer(options) {
     let cachedDigest = stateManager.getState().lastDigest;
     let cachedCommentedIssues = [];
     if (!cachedDigest) {
-        console.error('No dashboard data available. Run the daily check first:');
-        console.error('  GITHUB_TOKEN=$(gh auth token) npm start -- daily');
-        process.exit(1);
+        throw new Error('No dashboard data available. Run the daily check first: GITHUB_TOKEN=$(gh auth token) npm start -- daily');
     }
     // ── Build cached JSON response ───────────────────────────────────────────
     let cachedJsonData;
@@ -209,9 +232,7 @@ export async function startDashboardServer(options) {
         cachedJsonData = buildDashboardJson(cachedDigest, stateManager.getState(), cachedCommentedIssues);
     }
     catch (error) {
-        console.error('Failed to build dashboard data from cached digest:', error);
-        console.error('Your state data may be corrupted. Try running: daily --json');
-        process.exit(1);
+        throw new Error(`Failed to build dashboard data: ${errorMessage(error)}. State data may be corrupted — try running: daily --json`, { cause: error });
     }
     // ── Request handler ──────────────────────────────────────────────────────
     const server = http.createServer(async (req, res) => {
@@ -224,10 +245,18 @@ export async function startDashboardServer(options) {
                 return;
             }
             if (url === '/api/action' && method === 'POST') {
+                if (!isValidOrigin(req, actualPort)) {
+                    sendError(res, 403, 'Invalid origin');
+                    return;
+                }
                 await handleAction(req, res);
                 return;
             }
             if (url === '/api/refresh' && method === 'POST') {
+                if (!isValidOrigin(req, actualPort)) {
+                    sendError(res, 403, 'Invalid origin');
+                    return;
+                }
                 await handleRefresh(req, res);
                 return;
             }
@@ -239,12 +268,13 @@ export async function startDashboardServer(options) {
             sendError(res, 405, 'Method not allowed');
         }
         catch (error) {
-            console.error('Unhandled request error:', method, url, error);
+            warn(MODULE, `Unhandled request error: ${method} ${url} ${errorMessage(error)}`);
             if (!res.headersSent) {
                 sendError(res, 500, 'Internal server error');
             }
         }
     });
+    server.requestTimeout = REQUEST_TIMEOUT_MS;
     // ── POST /api/action handler ─────────────────────────────────────────────
     async function handleAction(req, res) {
         let body;
@@ -279,7 +309,7 @@ export async function startDashboardServer(options) {
                 sendError(res, 400, err.message);
             }
             else {
-                console.error('Unexpected error during URL validation:', err);
+                warn(MODULE, `Unexpected error during URL validation: ${errorMessage(err)}`);
                 sendError(res, 400, 'Invalid URL');
             }
             return;
@@ -300,7 +330,7 @@ export async function startDashboardServer(options) {
                         sendError(res, 400, err.message);
                     }
                     else {
-                        console.error('Unexpected error during message validation:', err);
+                        warn(MODULE, `Unexpected error during message validation: ${errorMessage(err)}`);
                         sendError(res, 400, 'Invalid reason');
                     }
                     return;
@@ -333,8 +363,8 @@ export async function startDashboardServer(options) {
             stateManager.save();
         }
         catch (error) {
-            console.error('Action failed:', body.action, body.url, error);
-            sendError(res, 500, `Action failed: ${errorMessage(error)}`);
+            warn(MODULE, `Action failed: ${body.action} ${body.url} ${errorMessage(error)}`);
+            sendError(res, 500, 'Action failed');
             return;
         }
         // Rebuild dashboard data from cached digest + updated state
@@ -349,7 +379,7 @@ export async function startDashboardServer(options) {
             return;
         }
         try {
-            console.error('Refreshing dashboard data from GitHub...');
+            warn(MODULE, 'Refreshing dashboard data from GitHub...');
             const result = await fetchDashboardData(currentToken);
             cachedDigest = result.digest;
             cachedCommentedIssues = result.commentedIssues;
@@ -357,8 +387,8 @@ export async function startDashboardServer(options) {
             sendJson(res, 200, cachedJsonData);
         }
         catch (error) {
-            console.error('Dashboard refresh failed:', error);
-            sendError(res, 500, `Refresh failed: ${errorMessage(error)}`);
+            warn(MODULE, `Dashboard refresh failed: ${errorMessage(error)}`);
+            sendError(res, 500, 'Refresh failed');
         }
     }
     // ── Static file serving ──────────────────────────────────────────────────
@@ -368,8 +398,8 @@ export async function startDashboardServer(options) {
         try {
             urlPath = decodeURIComponent(requestUrl.split('?')[0]);
         }
-        catch (err) {
-            console.error('Malformed URL received:', requestUrl, err);
+        catch (_err) {
+            warn(MODULE, `Malformed URL received: ${requestUrl}`);
             sendError(res, 400, 'Malformed URL');
             return;
         }
@@ -399,7 +429,7 @@ export async function startDashboardServer(options) {
                 filePath = path.join(resolvedAssetsDir, 'index.html');
             }
             else {
-                console.error('Failed to stat file:', filePath, err);
+                warn(MODULE, `Failed to stat file: ${filePath}`);
                 sendError(res, 500, 'Internal server error');
                 return;
             }
@@ -408,9 +438,11 @@ export async function startDashboardServer(options) {
         const contentType = MIME_TYPES[ext] || 'application/octet-stream';
         try {
             const content = fs.readFileSync(filePath);
+            setSecurityHeaders(res);
             res.writeHead(200, {
                 'Content-Type': contentType,
                 'Content-Length': content.length,
+                'Cache-Control': 'public, max-age=3600',
             });
             res.end(content);
         }
@@ -420,7 +452,7 @@ export async function startDashboardServer(options) {
                 sendError(res, 404, 'Not found');
             }
             else {
-                console.error('Failed to serve static file:', filePath, error);
+                warn(MODULE, `Failed to serve static file: ${filePath}`);
                 sendError(res, 500, 'Failed to read file');
             }
         }
@@ -440,18 +472,17 @@ export async function startDashboardServer(options) {
         catch (err) {
             const nodeErr = err;
             if (nodeErr.code === 'EADDRINUSE' && attempt < MAX_PORT_ATTEMPTS - 1) {
-                console.error(`Port ${actualPort} is in use, trying ${actualPort + 1}...`);
+                warn(MODULE, `Port ${actualPort} is in use, trying ${actualPort + 1}...`);
                 actualPort++;
                 continue;
             }
-            console.error(`Failed to start server: ${nodeErr.message}`);
-            process.exit(1);
+            throw new Error(`Failed to start server: ${nodeErr.message}`, { cause: err });
         }
     }
     // Write PID file so other processes can detect this running server
     writeDashboardServerInfo({ pid: process.pid, port: actualPort, startedAt: new Date().toISOString() });
     const serverUrl = `http://localhost:${actualPort}`;
-    console.error(`Dashboard server running at ${serverUrl}`);
+    warn(MODULE, `Dashboard server running at ${serverUrl}`);
     // ── Background refresh ─────────────────────────────────────────────────
     // Port is bound and PID file written — now fetch fresh data from GitHub
     // so subsequent /api/data requests get live data instead of cached state.
@@ -461,10 +492,10 @@ export async function startDashboardServer(options) {
             cachedDigest = result.digest;
             cachedCommentedIssues = result.commentedIssues;
             cachedJsonData = buildDashboardJson(cachedDigest, stateManager.getState(), cachedCommentedIssues);
-            console.error('Background data refresh complete');
+            warn(MODULE, 'Background data refresh complete');
         })
             .catch((error) => {
-            console.error('Background data refresh failed (serving cached data):', errorMessage(error));
+            warn(MODULE, `Background data refresh failed (serving cached data): ${errorMessage(error)}`);
         });
     }
     // ── Open browser ─────────────────────────────────────────────────────────
@@ -473,7 +504,7 @@ export async function startDashboardServer(options) {
     }
     // ── Clean shutdown ───────────────────────────────────────────────────────
     const shutdown = () => {
-        console.error('\nShutting down dashboard server...');
+        warn(MODULE, 'Shutting down dashboard server...');
         removeDashboardServerInfo();
         server.close(() => {
             process.exit(0);

package/dist/commands/dashboard-templates.js

@@ -42,7 +42,7 @@ export function generateDashboardHtml(stats, monthlyMerged, monthlyClosed, month
   <meta charset="UTF-8">
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
   <title>OSS Autopilot - Mission Control</title>
-  <script src="https://cdn.jsdelivr.net/npm/chart.js"></script>
+  <script src="https://cdn.jsdelivr.net/npm/chart.js@4.5.1" integrity="sha384-jb8JQMbMoBUzgWatfe6COACi2ljcDdZQ2OxczGA3bGNeWe+6DChMTBJemed7ZnvJ" crossorigin="anonymous"></script>
   <link rel="preconnect" href="https://fonts.googleapis.com">
   <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
   <link href="https://fonts.googleapis.com/css2?family=Geist:wght@400;500;600;700&family=Geist+Mono:wght@400;500&display=swap" rel="stylesheet">

package/dist/core/checklist-analysis.js

@@ -32,8 +32,10 @@ export function analyzeChecklist(body) {
         return { hasIncompleteChecklist: false };
     // Filter out conditional checklist items that are intentionally unchecked
     const nonConditionalUnchecked = uncheckedLines.filter((line) => !isConditionalChecklistItem(line));
+    // Use consistent total that excludes conditional items (matches hasIncompleteChecklist logic)
+    const effectiveTotal = checked + nonConditionalUnchecked.length;
     return {
         hasIncompleteChecklist: nonConditionalUnchecked.length > 0,
-        checklistStats: { checked, total },
+        checklistStats: { checked, total: effectiveTotal },
     };
 }

package/dist/core/ci-analysis.d.ts

@@ -3,21 +3,6 @@
  * Extracted from PRMonitor to isolate CI-related logic (#263).
  */
 import { CIFailureCategory, ClassifiedCheck, CIStatusResult } from './types.js';
-/**
- * Known CI check name patterns that indicate fork limitations rather than real failures (#81).
- * These are deployment/preview services that require repo-level secrets unavailable in forks.
- */
-export declare const FORK_LIMITATION_PATTERNS: RegExp[];
-/**
- * Known CI check name patterns that indicate authorization gates (#81).
- * These require maintainer approval and are not real failures.
- */
-export declare const AUTH_GATE_PATTERNS: RegExp[];
-/**
- * Known CI check name patterns that indicate infrastructure/transient failures (#145).
- * These are runner issues, dependency install problems, or service outages — not code failures.
- */
-export declare const INFRASTRUCTURE_PATTERNS: RegExp[];
 /**
  * Classify a failing CI check as actionable, fork_limitation, auth_gate, or infrastructure (#81, #145).
  * Default is 'actionable' — only known patterns get reclassified.
@@ -45,7 +30,7 @@ export declare function analyzeCheckRuns(checkRuns: Array<{
     failingCheckConclusions: Map<string, string>;
 };
 /** Result shape from analyzeCheckRuns, used by mergeStatuses. */
-export interface CheckRunAnalysis {
+interface CheckRunAnalysis {
     hasFailingChecks: boolean;
     hasPendingChecks: boolean;
     hasSuccessfulChecks: boolean;
@@ -53,7 +38,7 @@ export interface CheckRunAnalysis {
     failingCheckConclusions: Map<string, string>;
 }
 /** Result shape from analyzeCombinedStatus, used by mergeStatuses. */
-export interface CombinedStatusAnalysis {
+interface CombinedStatusAnalysis {
     effectiveCombinedState: string;
     hasStatuses: boolean;
     failingStatusNames: string[];
@@ -76,3 +61,4 @@ export declare function analyzeCombinedStatus(combinedStatus: {
  * Priority: failing > pending > passing > unknown.
  */
 export declare function mergeStatuses(checkRunAnalysis: CheckRunAnalysis, combinedAnalysis: CombinedStatusAnalysis, checkRunCount: number): CIStatusResult;
+export {};

package/dist/core/ci-analysis.js

@@ -6,7 +6,7 @@
  * Known CI check name patterns that indicate fork limitations rather than real failures (#81).
  * These are deployment/preview services that require repo-level secrets unavailable in forks.
  */
-export const FORK_LIMITATION_PATTERNS = [
+const FORK_LIMITATION_PATTERNS = [
     /vercel/i,
     /netlify/i,
     /\bpreview\s*deploy/i,
@@ -20,12 +20,12 @@ export const FORK_LIMITATION_PATTERNS = [
  * Known CI check name patterns that indicate authorization gates (#81).
  * These require maintainer approval and are not real failures.
  */
-export const AUTH_GATE_PATTERNS = [/authoriz/i, /approval/i, /\bcla\b/i, /license\/cla/i];
+const AUTH_GATE_PATTERNS = [/authoriz/i, /approval/i, /\bcla\b/i, /license\/cla/i];
 /**
  * Known CI check name patterns that indicate infrastructure/transient failures (#145).
  * These are runner issues, dependency install problems, or service outages — not code failures.
  */
-export const INFRASTRUCTURE_PATTERNS = [
+const INFRASTRUCTURE_PATTERNS = [
     /\binstall\s*(os\s*)?dep(endenc|s\b)/i,
     /\bsetup\s+fail(ed|ure)?\b/i,
     /\bservice\s*unavailable/i,