@oss-autopilot/core 0.45.0 → 0.46.1

package/dist/commands/dashboard-lifecycle.js

@@ -4,7 +4,7 @@
  * and detecting whether a server is already running.
  */
 import { spawn } from 'child_process';
-import { findRunningDashboardServer, isDashboardServerRunning, readDashboardServerInfo, removeDashboardServerInfo, } from './dashboard-server.js';
+import { findRunningDashboardServer, isDashboardServerRunning, readDashboardServerInfo, removeDashboardServerInfo, } from './dashboard-process.js';
 import { resolveAssetsDir } from './dashboard.js';
 import { getCLIVersion } from '../core/index.js';
 const DEFAULT_PORT = 3000;

package/dist/commands/dashboard-process.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Dashboard server process management.
+ * PID file operations, health probes, and running server detection.
+ */
+export interface DashboardServerInfo {
+    pid: number;
+    port: number;
+    startedAt: string;
+    version?: string;
+}
+export declare function getDashboardPidPath(): string;
+export declare function writeDashboardServerInfo(info: DashboardServerInfo): void;
+export declare function readDashboardServerInfo(): DashboardServerInfo | null;
+export declare function removeDashboardServerInfo(): void;
+export declare function isDashboardServerRunning(port: number): Promise<boolean>;
+export declare function findRunningDashboardServer(): Promise<{
+    port: number;
+    url: string;
+} | null>;

package/dist/commands/dashboard-process.js

@@ -0,0 +1,93 @@
+/**
+ * Dashboard server process management.
+ * PID file operations, health probes, and running server detection.
+ */
+import * as http from 'http';
+import * as fs from 'fs';
+import * as path from 'path';
+import { getDataDir } from '../core/index.js';
+import { warn } from '../core/logger.js';
+const MODULE = 'dashboard-server';
+// ── PID File Management ────────────────────────────────────────────────────────
+export function getDashboardPidPath() {
+    return path.join(getDataDir(), 'dashboard-server.pid');
+}
+export function writeDashboardServerInfo(info) {
+    fs.writeFileSync(getDashboardPidPath(), JSON.stringify(info), { mode: 0o600 });
+}
+export function readDashboardServerInfo() {
+    try {
+        const content = fs.readFileSync(getDashboardPidPath(), 'utf-8');
+        const parsed = JSON.parse(content);
+        if (typeof parsed !== 'object' ||
+            parsed === null ||
+            typeof parsed.pid !== 'number' ||
+            !Number.isInteger(parsed.pid) ||
+            parsed.pid <= 0 ||
+            typeof parsed.port !== 'number' ||
+            typeof parsed.startedAt !== 'string') {
+            warn(MODULE, 'PID file has invalid structure, ignoring');
+            return null;
+        }
+        return parsed;
+    }
+    catch (err) {
+        const code = err.code;
+        if (code !== 'ENOENT') {
+            warn(MODULE, `Failed to read PID file: ${err.message}`);
+        }
+        return null;
+    }
+}
+export function removeDashboardServerInfo() {
+    try {
+        fs.unlinkSync(getDashboardPidPath());
+    }
+    catch (err) {
+        const code = err.code;
+        if (code !== 'ENOENT') {
+            warn(MODULE, `Failed to remove PID file: ${err.message}`);
+        }
+    }
+}
+// ── Health Probe ───────────────────────────────────────────────────────────────
+export function isDashboardServerRunning(port) {
+    return new Promise((resolve) => {
+        const req = http.get(`http://127.0.0.1:${port}/api/data`, { timeout: 2000 }, (res) => {
+            // Consume response data to free up memory
+            res.resume();
+            resolve(res.statusCode === 200);
+        });
+        req.on('error', () => resolve(false));
+        req.on('timeout', () => {
+            req.destroy();
+            resolve(false);
+        });
+    });
+}
+export async function findRunningDashboardServer() {
+    const info = readDashboardServerInfo();
+    if (!info)
+        return null;
+    // Check if process is alive (signal 0 = existence check only)
+    try {
+        process.kill(info.pid, 0);
+    }
+    catch (err) {
+        const code = err.code;
+        if (code !== 'ESRCH' && code !== 'EPERM') {
+            warn(MODULE, `Unexpected error checking PID ${info.pid}: ${err.message}`);
+        }
+        // ESRCH = no process at that PID; EPERM = PID recycled to another user's process
+        // Either way, our dashboard server is no longer running — clean up stale PID file
+        removeDashboardServerInfo();
+        return null;
+    }
+    // Process exists — verify it's actually our server via HTTP probe
+    if (await isDashboardServerRunning(info.port)) {
+        return { port: info.port, url: `http://localhost:${info.port}` };
+    }
+    // Process exists but not responding on expected port — stale
+    removeDashboardServerInfo();
+    return null;
+}

package/dist/commands/dashboard-server.d.ts

@@ -5,25 +5,11 @@
  *
  * Uses Node's built-in http module — no Express/Fastify.
  */
+export { getDashboardPidPath, writeDashboardServerInfo, readDashboardServerInfo, removeDashboardServerInfo, isDashboardServerRunning, findRunningDashboardServer, type DashboardServerInfo, } from './dashboard-process.js';
 export interface DashboardServerOptions {
     port: number;
     assetsDir: string;
     token: string | null;
     open: boolean;
 }
-export interface DashboardServerInfo {
-    pid: number;
-    port: number;
-    startedAt: string;
-    version?: string;
-}
-export declare function getDashboardPidPath(): string;
-export declare function writeDashboardServerInfo(info: DashboardServerInfo): void;
-export declare function readDashboardServerInfo(): DashboardServerInfo | null;
-export declare function removeDashboardServerInfo(): void;
-export declare function isDashboardServerRunning(port: number): Promise<boolean>;
-export declare function findRunningDashboardServer(): Promise<{
-    port: number;
-    url: string;
-} | null>;
 export declare function startDashboardServer(options: DashboardServerOptions): Promise<void>;

package/dist/commands/dashboard-server.js

@@ -8,12 +8,16 @@
 import * as http from 'http';
 import * as fs from 'fs';
 import * as path from 'path';
-import { getStateManager, getGitHubToken, getDataDir, getCLIVersion } from '../core/index.js';
+import { getStateManager, getGitHubToken, getCLIVersion } from '../core/index.js';
 import { errorMessage, ValidationError } from '../core/errors.js';
 import { warn } from '../core/logger.js';
 import { validateUrl, validateGitHubUrl, PR_URL_PATTERN } from './validation.js';
 import { fetchDashboardData, computePRsByRepo, computeTopRepos, getMonthlyData, buildDashboardStats, } from './dashboard-data.js';
 import { openInBrowser } from './startup.js';
+import { writeDashboardServerInfo, removeDashboardServerInfo } from './dashboard-process.js';
+import { RateLimiter } from './rate-limiter.js';
+// Re-export process management functions for backward compatibility
+export { getDashboardPidPath, writeDashboardServerInfo, readDashboardServerInfo, removeDashboardServerInfo, isDashboardServerRunning, findRunningDashboardServer, } from './dashboard-process.js';
 // ── Constants ────────────────────────────────────────────────────────────────
 const VALID_ACTIONS = new Set(['shelve', 'unshelve', 'override_status']);
 const MODULE = 'dashboard-server';
@@ -62,89 +66,6 @@ function applyStatusOverrides(prs, state) {
     }
     return result;
 }
-// ── PID File Management ──────────────────────────────────────────────────────
-export function getDashboardPidPath() {
-    return path.join(getDataDir(), 'dashboard-server.pid');
-}
-export function writeDashboardServerInfo(info) {
-    fs.writeFileSync(getDashboardPidPath(), JSON.stringify(info), { mode: 0o600 });
-}
-export function readDashboardServerInfo() {
-    try {
-        const content = fs.readFileSync(getDashboardPidPath(), 'utf-8');
-        const parsed = JSON.parse(content);
-        if (typeof parsed !== 'object' ||
-            parsed === null ||
-            typeof parsed.pid !== 'number' ||
-            !Number.isInteger(parsed.pid) ||
-            parsed.pid <= 0 ||
-            typeof parsed.port !== 'number' ||
-            typeof parsed.startedAt !== 'string') {
-            warn(MODULE, 'PID file has invalid structure, ignoring');
-            return null;
-        }
-        return parsed;
-    }
-    catch (err) {
-        const code = err.code;
-        if (code !== 'ENOENT') {
-            warn(MODULE, `Failed to read PID file: ${err.message}`);
-        }
-        return null;
-    }
-}
-export function removeDashboardServerInfo() {
-    try {
-        fs.unlinkSync(getDashboardPidPath());
-    }
-    catch (err) {
-        const code = err.code;
-        if (code !== 'ENOENT') {
-            warn(MODULE, `Failed to remove PID file: ${err.message}`);
-        }
-    }
-}
-// ── Health Probe ─────────────────────────────────────────────────────────────
-export function isDashboardServerRunning(port) {
-    return new Promise((resolve) => {
-        const req = http.get(`http://127.0.0.1:${port}/api/data`, { timeout: 2000 }, (res) => {
-            // Consume response data to free up memory
-            res.resume();
-            resolve(res.statusCode === 200);
-        });
-        req.on('error', () => resolve(false));
-        req.on('timeout', () => {
-            req.destroy();
-            resolve(false);
-        });
-    });
-}
-export async function findRunningDashboardServer() {
-    const info = readDashboardServerInfo();
-    if (!info)
-        return null;
-    // Check if process is alive (signal 0 = existence check only)
-    try {
-        process.kill(info.pid, 0);
-    }
-    catch (err) {
-        const code = err.code;
-        if (code !== 'ESRCH' && code !== 'EPERM') {
-            warn(MODULE, `Unexpected error checking PID ${info.pid}: ${err.message}`);
-        }
-        // ESRCH = no process at that PID; EPERM = PID recycled to another user's process
-        // Either way, our dashboard server is no longer running — clean up stale PID file
-        removeDashboardServerInfo();
-        return null;
-    }
-    // Process exists — verify it's actually our server via HTTP probe
-    if (await isDashboardServerRunning(info.port)) {
-        return { port: info.port, url: `http://localhost:${info.port}` };
-    }
-    // Process exists but not responding on expected port — stale
-    removeDashboardServerInfo();
-    return null;
-}
 // ── Helpers ────────────────────────────────────────────────────────────────────
 /**
  * Build the JSON payload that the SPA expects from GET /api/data.
@@ -262,6 +183,10 @@ export async function startDashboardServer(options) {
     catch (error) {
         throw new Error(`Failed to build dashboard data: ${errorMessage(error)}. State data may be corrupted — try running: daily --json`, { cause: error });
     }
+    // ── Rate limiters ───────────────────────────────────────────────────────
+    const dataLimiter = new RateLimiter({ maxRequests: 30, windowMs: 60_000 }); // 30/min
+    const actionLimiter = new RateLimiter({ maxRequests: 10, windowMs: 60_000 }); // 10/min
+    const refreshLimiter = new RateLimiter({ maxRequests: 2, windowMs: 60_000 }); // 2/min
     // ── Request handler ──────────────────────────────────────────────────────
     const server = http.createServer(async (req, res) => {
         const method = req.method || 'GET';
@@ -269,6 +194,12 @@ export async function startDashboardServer(options) {
         try {
             // ── API routes ─────────────────────────────────────────────────────
             if (url === '/api/data' && method === 'GET') {
+                const check = dataLimiter.check();
+                if (!check.allowed) {
+                    res.setHeader('Retry-After', String(check.retryAfterSeconds));
+                    sendError(res, 429, 'Too many requests');
+                    return;
+                }
                 sendJson(res, 200, cachedJsonData);
                 return;
             }
@@ -277,6 +208,12 @@ export async function startDashboardServer(options) {
                     sendError(res, 403, 'Invalid origin');
                     return;
                 }
+                const check = actionLimiter.check();
+                if (!check.allowed) {
+                    res.setHeader('Retry-After', String(check.retryAfterSeconds));
+                    sendError(res, 429, 'Too many requests');
+                    return;
+                }
                 await handleAction(req, res);
                 return;
             }
@@ -285,6 +222,12 @@ export async function startDashboardServer(options) {
                     sendError(res, 403, 'Invalid origin');
                     return;
                 }
+                const check = refreshLimiter.check();
+                if (!check.allowed) {
+                    res.setHeader('Retry-After', String(check.retryAfterSeconds));
+                    sendError(res, 429, 'Too many requests');
+                    return;
+                }
                 await handleRefresh(req, res);
                 return;
             }

package/dist/commands/dashboard.d.ts

@@ -1,16 +1,6 @@
 /**
  * Dashboard command — serves the interactive Preact SPA dashboard.
- * Also provides writeDashboardFromState() for generating a static HTML fallback
- * when the SPA cannot be launched (e.g., assets not built).
  */
-/**
- * Generate dashboard HTML from state (no GitHub fetch).
- * Call after executeDailyCheck() which saves fresh data to state.
- * Returns the path to the generated dashboard HTML file.
- *
- * Used as a safety net when the interactive SPA dashboard cannot be launched.
- */
-export declare function writeDashboardFromState(): string;
 interface ServeOptions {
     port: number;
     open: boolean;

package/dist/commands/dashboard.js

@@ -1,35 +1,9 @@
 /**
  * Dashboard command — serves the interactive Preact SPA dashboard.
- * Also provides writeDashboardFromState() for generating a static HTML fallback
- * when the SPA cannot be launched (e.g., assets not built).
  */
 import * as fs from 'fs';
 import * as path from 'path';
-import { getStateManager, getDashboardPath, getGitHubToken } from '../core/index.js';
-import { getMonthlyData } from './dashboard-data.js';
-import { buildDashboardStats, generateDashboardHtml } from './dashboard-templates.js';
-// ── Static HTML fallback ────────────────────────────────────────────────────
-/**
- * Generate dashboard HTML from state (no GitHub fetch).
- * Call after executeDailyCheck() which saves fresh data to state.
- * Returns the path to the generated dashboard HTML file.
- *
- * Used as a safety net when the interactive SPA dashboard cannot be launched.
- */
-export function writeDashboardFromState() {
-    const stateManager = getStateManager();
-    const state = stateManager.getState();
-    const digest = state.lastDigest;
-    if (!digest) {
-        throw new Error('No digest data available. Run daily check first.');
-    }
-    const { monthlyMerged, monthlyClosed, monthlyOpened } = getMonthlyData(state);
-    const stats = buildDashboardStats(digest, state);
-    const html = generateDashboardHtml(stats, monthlyMerged, monthlyClosed, monthlyOpened, digest, state);
-    const dashboardPath = getDashboardPath();
-    fs.writeFileSync(dashboardPath, html, { mode: 0o644 });
-    return dashboardPath;
-}
+import { getGitHubToken } from '../core/index.js';
 /**
  * Resolve the SPA assets directory from packages/dashboard/dist/.
  * Tries multiple strategies to locate it across dev (tsx) and bundled (cjs) modes.

package/dist/commands/index.d.ts

@@ -1,23 +1,67 @@
 /**
  * Barrel export for all command functions and their output types.
  * Used by @oss-autopilot/mcp to import command functions directly.
+ *
+ * @example
+ * ```typescript
+ * import { runDaily, runSearch, runStatus } from '@oss-autopilot/core/commands';
+ *
+ * const digest = await runDaily();
+ * const issues = await runSearch({ maxResults: 10 });
+ * const stats = await runStatus({});
+ * ```
  */
-export { runDaily, runDailyForDisplay, executeDailyCheck } from './daily.js';
+/** Fetch all open PRs, compute digest, and return structured daily output. Requires GITHUB_TOKEN. */
+export { runDaily } from './daily.js';
+/** Like runDaily but returns the full (non-deduplicated) result for text-mode display. */
+export { runDailyForDisplay } from './daily.js';
+/** Lower-level daily check that accepts a token directly. Used by startup orchestration. */
+export { executeDailyCheck } from './daily.js';
+/** Combined startup: auth check, setup check, daily fetch, dashboard launch, version detection. */
+export { runStartup } from './startup.js';
+/** Return contribution statistics (merge rate, PR counts, repo breakdown) from local state. */
 export { runStatus } from './status.js';
+/** Search GitHub for contributable issues using multi-strategy discovery. */
 export { runSearch } from './search.js';
+/** Vet a single GitHub issue for claimability (open, unassigned, no linked PRs, repo health). */
 export { runVet } from './vet.js';
-export { runTrack, runUntrack } from './track.js';
+/** Add a PR to tracking state. */
+export { runTrack } from './track.js';
+/** Remove a PR from tracking state. */
+export { runUntrack } from './track.js';
+/** Mark PR comments as read. */
 export { runRead } from './read.js';
-export { runComments, runPost, runClaim } from './comments.js';
+/** Temporarily hide a PR from the daily digest. */
+export { runShelve } from './shelve.js';
+/** Restore a shelved PR to the daily digest. */
+export { runUnshelve } from './shelve.js';
+/** Dismiss issue reply notifications (auto-resurfaces on new activity). */
+export { runDismiss } from './dismiss.js';
+/** Restore a dismissed issue to notifications. */
+export { runUndismiss } from './dismiss.js';
+/** Temporarily suppress CI failure notifications for a PR. */
+export { runSnooze } from './snooze.js';
+/** Restore CI failure notifications for a snoozed PR. */
+export { runUnsnooze } from './snooze.js';
+/** Fetch comments for tracked issues/PRs. */
+export { runComments } from './comments.js';
+/** Post a comment to a GitHub issue or PR. */
+export { runPost } from './comments.js';
+/** Post a claim comment on a GitHub issue. */
+export { runClaim } from './comments.js';
+/** Read or write user configuration (githubUsername, languages, labels, etc). */
 export { runConfig } from './config.js';
+/** Initialize with a GitHub username and import open PRs. */
 export { runInit } from './init.js';
-export { runSetup, runCheckSetup } from './setup.js';
-export { runShelve, runUnshelve } from './shelve.js';
-export { runDismiss, runUndismiss } from './dismiss.js';
-export { runSnooze, runUnsnooze } from './snooze.js';
-export { runStartup } from './startup.js';
+/** Interactive first-run setup wizard. */
+export { runSetup } from './setup.js';
+/** Check whether setup has been completed. */
+export { runCheckSetup } from './setup.js';
+/** Parse a curated markdown issue list file into structured issue items. */
 export { runParseList } from './parse-list.js';
+/** Check if new files are properly referenced/integrated. */
 export { runCheckIntegration } from './check-integration.js';
+/** Scan for locally cloned repos. */
 export { runLocalRepos } from './local-repos.js';
 export type { DailyOutput, SearchOutput, StartupOutput, StatusOutput, TrackOutput } from '../formatters/json.js';
 export type { VetOutput, CommentsOutput, PostOutput, ClaimOutput } from '../formatters/json.js';

package/dist/commands/index.js

@@ -1,22 +1,70 @@
 /**
  * Barrel export for all command functions and their output types.
  * Used by @oss-autopilot/mcp to import command functions directly.
+ *
+ * @example
+ * ```typescript
+ * import { runDaily, runSearch, runStatus } from '@oss-autopilot/core/commands';
+ *
+ * const digest = await runDaily();
+ * const issues = await runSearch({ maxResults: 10 });
+ * const stats = await runStatus({});
+ * ```
  */
-// Command functions
-export { runDaily, runDailyForDisplay, executeDailyCheck } from './daily.js';
+// ── Primary Commands ────────────────────────────────────────────────────────
+/** Fetch all open PRs, compute digest, and return structured daily output. Requires GITHUB_TOKEN. */
+export { runDaily } from './daily.js';
+/** Like runDaily but returns the full (non-deduplicated) result for text-mode display. */
+export { runDailyForDisplay } from './daily.js';
+/** Lower-level daily check that accepts a token directly. Used by startup orchestration. */
+export { executeDailyCheck } from './daily.js';
+/** Combined startup: auth check, setup check, daily fetch, dashboard launch, version detection. */
+export { runStartup } from './startup.js';
+/** Return contribution statistics (merge rate, PR counts, repo breakdown) from local state. */
 export { runStatus } from './status.js';
+/** Search GitHub for contributable issues using multi-strategy discovery. */
 export { runSearch } from './search.js';
+/** Vet a single GitHub issue for claimability (open, unassigned, no linked PRs, repo health). */
 export { runVet } from './vet.js';
-export { runTrack, runUntrack } from './track.js';
+// ── PR Management ───────────────────────────────────────────────────────────
+/** Add a PR to tracking state. */
+export { runTrack } from './track.js';
+/** Remove a PR from tracking state. */
+export { runUntrack } from './track.js';
+/** Mark PR comments as read. */
 export { runRead } from './read.js';
-export { runComments, runPost, runClaim } from './comments.js';
+/** Temporarily hide a PR from the daily digest. */
+export { runShelve } from './shelve.js';
+/** Restore a shelved PR to the daily digest. */
+export { runUnshelve } from './shelve.js';
+/** Dismiss issue reply notifications (auto-resurfaces on new activity). */
+export { runDismiss } from './dismiss.js';
+/** Restore a dismissed issue to notifications. */
+export { runUndismiss } from './dismiss.js';
+/** Temporarily suppress CI failure notifications for a PR. */
+export { runSnooze } from './snooze.js';
+/** Restore CI failure notifications for a snoozed PR. */
+export { runUnsnooze } from './snooze.js';
+// ── Issue & Comment Management ──────────────────────────────────────────────
+/** Fetch comments for tracked issues/PRs. */
+export { runComments } from './comments.js';
+/** Post a comment to a GitHub issue or PR. */
+export { runPost } from './comments.js';
+/** Post a claim comment on a GitHub issue. */
+export { runClaim } from './comments.js';
+// ── Configuration & Setup ───────────────────────────────────────────────────
+/** Read or write user configuration (githubUsername, languages, labels, etc). */
 export { runConfig } from './config.js';
+/** Initialize with a GitHub username and import open PRs. */
 export { runInit } from './init.js';
-export { runSetup, runCheckSetup } from './setup.js';
-export { runShelve, runUnshelve } from './shelve.js';
-export { runDismiss, runUndismiss } from './dismiss.js';
-export { runSnooze, runUnsnooze } from './snooze.js';
-export { runStartup } from './startup.js';
+/** Interactive first-run setup wizard. */
+export { runSetup } from './setup.js';
+/** Check whether setup has been completed. */
+export { runCheckSetup } from './setup.js';
+// ── Utilities ───────────────────────────────────────────────────────────────
+/** Parse a curated markdown issue list file into structured issue items. */
 export { runParseList } from './parse-list.js';
+/** Check if new files are properly referenced/integrated. */
 export { runCheckIntegration } from './check-integration.js';
+/** Scan for locally cloned repos. */
 export { runLocalRepos } from './local-repos.js';

package/dist/commands/rate-limiter.d.ts

@@ -0,0 +1,31 @@
+/**
+ * Simple in-memory sliding-window rate limiter for the dashboard server.
+ *
+ * Each endpoint gets its own limiter with a configurable max number of
+ * requests per time window. Returns 429 with Retry-After when exceeded.
+ */
+export interface RateLimiterConfig {
+    /** Maximum requests allowed within the window. */
+    maxRequests: number;
+    /** Window duration in milliseconds. */
+    windowMs: number;
+}
+export declare class RateLimiter {
+    private readonly maxRequests;
+    private readonly windowMs;
+    /** Timestamps of accepted requests within the current window. */
+    private timestamps;
+    constructor(config: RateLimiterConfig);
+    /**
+     * Check if a request is allowed.
+     *
+     * @returns `{ allowed: true }` if under the limit, or
+     *          `{ allowed: false, retryAfterSeconds }` if rate-limited.
+     */
+    check(): {
+        allowed: true;
+    } | {
+        allowed: false;
+        retryAfterSeconds: number;
+    };
+}

package/dist/commands/rate-limiter.js

@@ -0,0 +1,36 @@
+/**
+ * Simple in-memory sliding-window rate limiter for the dashboard server.
+ *
+ * Each endpoint gets its own limiter with a configurable max number of
+ * requests per time window. Returns 429 with Retry-After when exceeded.
+ */
+export class RateLimiter {
+    maxRequests;
+    windowMs;
+    /** Timestamps of accepted requests within the current window. */
+    timestamps = [];
+    constructor(config) {
+        this.maxRequests = config.maxRequests;
+        this.windowMs = config.windowMs;
+    }
+    /**
+     * Check if a request is allowed.
+     *
+     * @returns `{ allowed: true }` if under the limit, or
+     *          `{ allowed: false, retryAfterSeconds }` if rate-limited.
+     */
+    check() {
+        const now = Date.now();
+        const windowStart = now - this.windowMs;
+        // Prune timestamps outside the current window
+        this.timestamps = this.timestamps.filter((t) => t > windowStart);
+        if (this.timestamps.length >= this.maxRequests) {
+            // Earliest timestamp in window — client must wait until it expires
+            const oldestInWindow = this.timestamps[0];
+            const retryAfterMs = oldestInWindow + this.windowMs - now;
+            return { allowed: false, retryAfterSeconds: Math.ceil(retryAfterMs / 1000) };
+        }
+        this.timestamps.push(now);
+        return { allowed: true };
+    }
+}

package/dist/commands/startup.d.ts

@@ -32,7 +32,7 @@ export declare function openInBrowser(url: string): void;
  * Returns StartupOutput with one of three shapes:
  * 1. Setup incomplete: { version, setupComplete: false }
  * 2. Auth failure: { version, setupComplete: true, authError: "..." }
- * 3. Success: { version, setupComplete: true, daily, dashboardUrl?, dashboardPath?, issueList? }
+ * 3. Success: { version, setupComplete: true, daily, dashboardUrl?, issueList? }
  *
  * Errors from the daily check propagate to the caller.
  */