@oss-autopilot/core 1.16.1 → 1.17.0

package/dist/commands/dashboard-data.js

@@ -4,7 +4,7 @@
  * Consumed by the dashboard HTTP server (dashboard-server.ts) for the SPA API.
  */
 import { getStateManager, PRMonitor, IssueConversationMonitor, getOctokit } from '../core/index.js';
-import { errorMessage, isRateLimitOrAuthError, nonFatalCatch } from '../core/errors.js';
+import { errorMessage, isRateLimitOrAuthError } from '../core/errors.js';
 import { warn } from '../core/logger.js';
 import { emptyPRCountsResult, fetchMergedPRsSince, fetchClosedPRsSince } from '../core/github-stats.js';
 import { parseGitHubUrl } from '../core/utils.js';
@@ -38,13 +38,21 @@ export function buildDashboardStats(digest, state, storedMergedCount, storedClos
 /**
  * Merge fresh API counts into existing stored counts.
  * Months present in the fresh data are updated; months only in the existing data are preserved.
- * This prevents historical data loss when the API returns incomplete results
- * (e.g. due to pagination limits or transient failures).
+ *
+ * Anti-regression guard (#1035): when the fresh count for a given month is
+ * smaller than the already-stored count for that month, we keep the larger
+ * value. This matters when the fresh fetch was capped (pagination limits,
+ * 1000-result Search API ceiling, or partial failures) and would otherwise
+ * silently overwrite authoritative historical data with a partial window.
+ * The trade-off: a month that genuinely shrinks (e.g., user deleted a merged
+ * PR reference remotely) cannot be decremented via this path — but that is
+ * a rare case, and the alternative is silent decay of historical analytics.
  */
 export function mergeMonthlyCounts(existing, fresh) {
     const merged = { ...existing };
     for (const [month, count] of Object.entries(fresh)) {
-        merged[month] = count;
+        const current = merged[month];
+        merged[month] = current === undefined ? count : Math.max(current, count);
     }
     return merged;
 }
@@ -108,22 +116,30 @@ export async function fetchDashboardData(token) {
     // Get watermarks for incremental PR fetch
     const watermark = stateManager.getMergedPRWatermark();
     const closedWatermark = stateManager.getClosedPRWatermark();
-    const [{ prs, failures }, recentlyClosedPRs, recentlyMergedPRs, mergedResult, closedResult, fetchedIssues, newMergedPRs, newClosedPRs,] = await Promise.all([
+    // Track which non-critical sub-fetches degraded to fallbacks so the SPA
+    // can surface a "partial data" banner instead of silently showing zeros.
+    // Rate-limit / auth errors still rethrow via isRateLimitOrAuthError —
+    // those abort the whole run, not a partial surface.
+    const partialFailures = [];
+    const trackingCatch = (label, fallback) => {
+        return (err) => {
+            if (isRateLimitOrAuthError(err))
+                throw err;
+            partialFailures.push(label);
+            warn(MODULE, `Failed to ${label}: ${errorMessage(err)}`);
+            return fallback;
+        };
+    };
+    const [{ prs, failures, warnings: fetchWarnings }, recentlyClosedPRs, recentlyMergedPRs, mergedResult, closedResult, fetchedIssues, newMergedPRs, newClosedPRs,] = await Promise.all([
         prMonitor.fetchUserOpenPRs(),
+        prMonitor.fetchRecentlyClosedPRs().catch(trackingCatch('fetch recently closed PRs', [])),
+        prMonitor.fetchRecentlyMergedPRs().catch(trackingCatch('fetch recently merged PRs', [])),
         prMonitor
-            .fetchRecentlyClosedPRs()
-            .catch(nonFatalCatch({ module: MODULE, label: 'fetch recently closed PRs', fallback: [] })),
-        prMonitor
-            .fetchRecentlyMergedPRs()
-            .catch(nonFatalCatch({ module: MODULE, label: 'fetch recently merged PRs', fallback: [] })),
-        prMonitor.fetchUserMergedPRCounts(starFilter).catch(nonFatalCatch({
-            module: MODULE,
-            label: 'fetch merged PR counts',
-            fallback: emptyPRCountsResult(),
-        })),
+            .fetchUserMergedPRCounts(starFilter)
+            .catch(trackingCatch('fetch merged PR counts', emptyPRCountsResult())),
         prMonitor
             .fetchUserClosedPRCounts(starFilter)
-            .catch(nonFatalCatch({ module: MODULE, label: 'fetch closed PR counts', fallback: emptyPRCountsResult() })),
+            .catch(trackingCatch('fetch closed PR counts', emptyPRCountsResult())),
         // Issue conversation fetch has custom messaging based on the error content, so it keeps its bespoke catch.
         issueMonitor.fetchCommentedIssues().catch((error) => {
             if (isRateLimitOrAuthError(error))
@@ -134,14 +150,15 @@ export async function fetchDashboardData(token) {
             }
             else {
                 warn(MODULE, `Issue conversation fetch failed: ${msg}`);
+                partialFailures.push('fetch issue conversations');
             }
             return {
                 issues: [],
                 failures: [{ issueUrl: 'N/A', error: `Issue conversation fetch failed: ${msg}` }],
             };
         }),
-        fetchMergedPRsSince(octokit, config, watermark).catch(nonFatalCatch({ module: MODULE, label: 'fetch merged PRs for storage', fallback: [] })),
-        fetchClosedPRsSince(octokit, config, closedWatermark).catch(nonFatalCatch({ module: MODULE, label: 'fetch closed PRs for storage', fallback: [] })),
+        fetchMergedPRsSince(octokit, config, watermark).catch(trackingCatch('fetch merged PRs for storage', [])),
+        fetchClosedPRsSince(octokit, config, closedWatermark).catch(trackingCatch('fetch closed PRs for storage', [])),
     ]);
     const commentedIssues = fetchedIssues.issues;
     if (fetchedIssues.failures.length > 0) {
@@ -150,6 +167,15 @@ export async function fetchDashboardData(token) {
     if (failures.length > 0) {
         warn(MODULE, `${failures.length} PR fetch(es) failed`);
     }
+    // Surface search-API truncation warnings (#1057 M25) into the dashboard's
+    // partialFailures banner so a user with >1000 open PRs sees the "partial
+    // view" signal in the SPA rather than silently seeing an incomplete list.
+    if (fetchWarnings) {
+        for (const message of fetchWarnings) {
+            partialFailures.push(message);
+            warn(MODULE, message);
+        }
+    }
     // Wrap all state mutations in a batch for a single disk write.
     // try-catch: save errors should not crash the dashboard data fetch.
     try {
@@ -194,7 +220,7 @@ export async function fetchDashboardData(token) {
     if (!digest) {
         throw new Error('Dashboard data fetch failed: digest was not generated');
     }
-    return { digest, commentedIssues, allMergedPRs, allClosedPRs };
+    return { digest, commentedIssues, allMergedPRs, allClosedPRs, partialFailures };
 }
 /**
  * Convert a stored-shape PR array (StoredMergedPR[] or StoredClosedPR[]) to

package/dist/commands/dashboard-server.d.ts

@@ -21,5 +21,5 @@ export interface DashboardServerOptions {
  * handler harness can't reach (it bakes a stale cachedDigest at server
  * start-up, so tests that need a specific digest should call this directly).
  */
-export declare function buildDashboardJson(digest: DailyDigest, state: Readonly<AgentState>, commentedIssues: CommentedIssue[], allMergedPRs?: MergedPR[], allClosedPRs?: ClosedPR[]): DashboardJsonData;
+export declare function buildDashboardJson(digest: DailyDigest, state: Readonly<AgentState>, commentedIssues: CommentedIssue[], allMergedPRs?: MergedPR[], allClosedPRs?: ClosedPR[], partialFailures?: string[]): DashboardJsonData;
 export declare function startDashboardServer(options: DashboardServerOptions): Promise<void>;

package/dist/commands/dashboard-server.js

@@ -8,6 +8,7 @@
 import * as http from 'http';
 import * as fs from 'fs';
 import * as path from 'path';
+import * as crypto from 'crypto';
 import { getStateManager, getGitHubToken, getCLIVersion, applyStatusOverrides } from '../core/index.js';
 import { errorMessage, ValidationError } from '../core/errors.js';
 import { warn } from '../core/logger.js';
@@ -73,7 +74,7 @@ function getIssueListMtimeMs() {
  * handler harness can't reach (it bakes a stale cachedDigest at server
  * start-up, so tests that need a specific digest should call this directly).
  */
-export function buildDashboardJson(digest, state, commentedIssues, allMergedPRs, allClosedPRs) {
+export function buildDashboardJson(digest, state, commentedIssues, allMergedPRs, allClosedPRs, partialFailures) {
     const prsByRepo = computePRsByRepo(digest, state);
     const topRepos = computeTopRepos(prsByRepo);
     const { monthlyMerged, monthlyOpened, monthlyClosed } = getMonthlyData(state);
@@ -122,6 +123,7 @@ export function buildDashboardJson(digest, state, commentedIssues, allMergedPRs,
         allClosedPRs: filteredClosedPRs,
         repoMetadata,
         vettedIssues,
+        partialFailures: partialFailures && partialFailures.length > 0 ? partialFailures : undefined,
     };
 }
 /**
@@ -160,20 +162,65 @@ function readBody(req, maxBytes = MAX_BODY_BYTES) {
 function setSecurityHeaders(res) {
     res.setHeader('X-Content-Type-Options', 'nosniff');
     res.setHeader('X-Frame-Options', 'DENY');
-    res.setHeader('Content-Security-Policy', "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data:; connect-src 'self'");
+    // worker-src: canvas-confetti generates its animation worker as a Blob and
+    // loads it via a blob: URL. Without this directive the browser falls back
+    // to script-src, which doesn't list blob:, and the celebrate button fails
+    // silently. Scoped to workers only — safer than widening script-src.
+    res.setHeader('Content-Security-Policy', "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data:; connect-src 'self'; worker-src 'self' blob:");
     res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
 }
+/**
+ * Valid Host header values for this server — used for both Origin checks
+ * (strips the `http://` scheme) and Host-header DNS-rebinding checks.
+ */
+function allowedHostsFor(port) {
+    return [`localhost:${port}`, `127.0.0.1:${port}`, `oss.localhost:${port}`];
+}
 /**
  * Validate that POST requests originate from the local dashboard.
- * Returns true if the Origin is acceptable, false otherwise.
+ *
+ * Returns true only if the `Origin` header is present AND matches the
+ * loopback allow-list. A missing `Origin` now returns false — previously it
+ * returned true to allow non-browser same-origin calls, but that let any
+ * local process (curl, scripts) POST to /api/action and /api/refresh. See
+ * issue #1031.
  */
 function isValidOrigin(req, port) {
     const origin = req.headers['origin'];
-    if (!origin)
-        return true; // No Origin header = same-origin request (non-browser or same-page)
-    const allowed = [`http://localhost:${port}`, `http://127.0.0.1:${port}`, `http://oss.localhost:${port}`];
+    if (typeof origin !== 'string')
+        return false;
+    const allowed = allowedHostsFor(port).map((h) => `http://${h}`);
     return allowed.includes(origin);
 }
+/**
+ * Validate the `Host` header against the loopback allow-list.
+ *
+ * Blocks DNS-rebinding attacks: a victim browser resolves an attacker domain
+ * to 127.0.0.1, reaches this server, and the `Host` header carries the
+ * attacker's hostname. Rejecting non-loopback Host headers closes that path
+ * for both GET /api/data (data exfil) and the POST endpoints.
+ */
+function isValidHost(req, port) {
+    const host = req.headers['host'];
+    if (typeof host !== 'string')
+        return false;
+    return allowedHostsFor(port).includes(host);
+}
+/**
+ * Validate the CSRF token header for state-mutating POST endpoints.
+ */
+function isValidCsrfToken(req, expected) {
+    const token = req.headers['x-csrf-token'];
+    if (typeof token !== 'string' || token.length !== expected.length)
+        return false;
+    // Constant-time comparison to avoid leaking token bytes via timing.
+    try {
+        return crypto.timingSafeEqual(Buffer.from(token), Buffer.from(expected));
+    }
+    catch {
+        return false;
+    }
+}
 /**
  * Send a JSON response.
  */
@@ -198,12 +245,26 @@ export async function startDashboardServer(options) {
     const { port: requestedPort, assetsDir, token, open } = options;
     const stateManager = getStateManager();
     const resolvedAssetsDir = path.resolve(assetsDir);
+    // ── CSRF token ──────────────────────────────────────────────────────────
+    // Fresh per server-start. Exposed to the SPA via X-CSRF-Token on every
+    // /api/data response; required back on X-CSRF-Token for state-mutating
+    // POST endpoints. Prevents local non-browser processes (curl, scripts)
+    // from invoking /api/action and /api/refresh even when they guess the
+    // Origin header — the token itself is only reachable by calling
+    // /api/data, which enforces the Host check.
+    const csrfToken = crypto.randomBytes(32).toString('hex');
     // ── Cached data ──────────────────────────────────────────────────────────
     // Start immediately with state.json data (written by the daily check that
     // precedes this server launch). A background GitHub fetch refreshes the
     // cache after the port is bound, so the startup poller sees us in time.
     let cachedDigest = stateManager.getState().lastDigest;
     let cachedCommentedIssues = [];
+    // Persist the last-known partialFailures across rebuild requests (#1035).
+    // Cleared only when a fresh fetchDashboardData returns zero failures;
+    // re-threaded into every buildDashboardJson call so the SPA banner does
+    // not disappear when /api/data rebuilds after a state change or after a
+    // POST /api/action completes.
+    let cachedPartialFailures = undefined;
     if (!cachedDigest) {
         throw new Error('No dashboard data available. Run the daily check first: GITHUB_TOKEN=$(gh auth token) npm start -- daily');
     }
@@ -211,7 +272,7 @@ export async function startDashboardServer(options) {
     let cachedJsonData;
     let cachedIssueListMtimeMs = getIssueListMtimeMs();
     try {
-        cachedJsonData = buildDashboardJson(cachedDigest, stateManager.getState(), cachedCommentedIssues);
+        cachedJsonData = buildDashboardJson(cachedDigest, stateManager.getState(), cachedCommentedIssues, undefined, undefined, cachedPartialFailures);
     }
     catch (error) {
         throw new Error(`Failed to build dashboard data: ${errorMessage(error)}. State data may be corrupted — try running: daily --json`, { cause: error });
@@ -225,6 +286,13 @@ export async function startDashboardServer(options) {
         const method = req.method || 'GET';
         const url = req.url || '/';
         try {
+            // ── Host-header check (DNS-rebinding defense) ──────────────────────
+            // Applied to every request including static files so a rebound
+            // attacker hostname cannot read SPA assets or API responses.
+            if (url.startsWith('/api/') && !isValidHost(req, actualPort)) {
+                sendError(res, 403, 'Invalid host');
+                return;
+            }
             // ── API routes ─────────────────────────────────────────────────────
             if (url === '/api/data' && method === 'GET') {
                 const check = dataLimiter.check();
@@ -233,6 +301,9 @@ export async function startDashboardServer(options) {
                     sendError(res, 429, 'Too many requests');
                     return;
                 }
+                // Expose the CSRF token to the SPA on every data fetch so the client
+                // can attach it on subsequent POSTs. Fresh fetch → fresh token view.
+                res.setHeader('X-CSRF-Token', csrfToken);
                 // Re-read state if modified externally (file mtime for local, Gist API for Gist mode)
                 let stateChanged = false;
                 if (stateManager.isGistMode()) {
@@ -246,7 +317,7 @@ export async function startDashboardServer(options) {
                 const issueListChanged = currentIssueListMtimeMs !== cachedIssueListMtimeMs;
                 if (stateChanged || issueListChanged) {
                     try {
-                        cachedJsonData = buildDashboardJson(cachedDigest, stateManager.getState(), cachedCommentedIssues);
+                        cachedJsonData = buildDashboardJson(cachedDigest, stateManager.getState(), cachedCommentedIssues, undefined, undefined, cachedPartialFailures);
                         cachedIssueListMtimeMs = currentIssueListMtimeMs;
                     }
                     catch (error) {
@@ -260,30 +331,41 @@ export async function startDashboardServer(options) {
                 return;
             }
             if (url === '/api/action' && method === 'POST') {
-                if (!isValidOrigin(req, actualPort)) {
-                    sendError(res, 403, 'Invalid origin');
-                    return;
-                }
+                // Rate limit BEFORE auth checks so a local attacker cannot flood
+                // invalid-CSRF requests without consuming their quota. The Host
+                // check above already ran; still need Origin + CSRF below.
                 const check = actionLimiter.check();
                 if (!check.allowed) {
                     res.setHeader('Retry-After', String(check.retryAfterSeconds));
                     sendError(res, 429, 'Too many requests');
                     return;
                 }
-                await handleAction(req, res);
-                return;
-            }
-            if (url === '/api/refresh' && method === 'POST') {
                 if (!isValidOrigin(req, actualPort)) {
                     sendError(res, 403, 'Invalid origin');
                     return;
                 }
+                if (!isValidCsrfToken(req, csrfToken)) {
+                    sendError(res, 403, 'Missing or invalid CSRF token');
+                    return;
+                }
+                await handleAction(req, res);
+                return;
+            }
+            if (url === '/api/refresh' && method === 'POST') {
                 const check = refreshLimiter.check();
                 if (!check.allowed) {
                     res.setHeader('Retry-After', String(check.retryAfterSeconds));
                     sendError(res, 429, 'Too many requests');
                     return;
                 }
+                if (!isValidOrigin(req, actualPort)) {
+                    sendError(res, 403, 'Invalid origin');
+                    return;
+                }
+                if (!isValidCsrfToken(req, csrfToken)) {
+                    sendError(res, 403, 'Missing or invalid CSRF token');
+                    return;
+                }
                 await handleRefresh(req, res);
                 return;
             }
@@ -364,8 +446,11 @@ export async function startDashboardServer(options) {
             sendError(res, 500, 'Action failed');
             return;
         }
-        // Rebuild dashboard data from cached digest + updated state
-        cachedJsonData = buildDashboardJson(cachedDigest, stateManager.getState(), cachedCommentedIssues);
+        // Rebuild dashboard data from cached digest + updated state. Persist
+        // the last-known partialFailures across action rebuilds (#1035) so the
+        // SPA banner survives user interactions until the next successful
+        // refresh clears it.
+        cachedJsonData = buildDashboardJson(cachedDigest, stateManager.getState(), cachedCommentedIssues, undefined, undefined, cachedPartialFailures);
         cachedIssueListMtimeMs = getIssueListMtimeMs();
         sendJson(res, 200, cachedJsonData);
     }
@@ -387,7 +472,10 @@ export async function startDashboardServer(options) {
             const result = await fetchDashboardData(currentToken);
             cachedDigest = result.digest;
             cachedCommentedIssues = result.commentedIssues;
-            cachedJsonData = buildDashboardJson(cachedDigest, stateManager.getState(), cachedCommentedIssues, result.allMergedPRs, result.allClosedPRs);
+            // Update the persistent banner signal — clear on a clean refresh,
+            // set when one or more sub-fetches degraded. See #1035.
+            cachedPartialFailures = result.partialFailures.length > 0 ? result.partialFailures : undefined;
+            cachedJsonData = buildDashboardJson(cachedDigest, stateManager.getState(), cachedCommentedIssues, result.allMergedPRs, result.allClosedPRs, cachedPartialFailures);
             cachedIssueListMtimeMs = getIssueListMtimeMs();
             sendJson(res, 200, cachedJsonData);
         }
@@ -507,7 +595,8 @@ export async function startDashboardServer(options) {
             }
             cachedDigest = result.digest;
             cachedCommentedIssues = result.commentedIssues;
-            cachedJsonData = buildDashboardJson(cachedDigest, stateManager.getState(), cachedCommentedIssues, result.allMergedPRs, result.allClosedPRs);
+            cachedPartialFailures = result.partialFailures.length > 0 ? result.partialFailures : undefined;
+            cachedJsonData = buildDashboardJson(cachedDigest, stateManager.getState(), cachedCommentedIssues, result.allMergedPRs, result.allClosedPRs, cachedPartialFailures);
             cachedIssueListMtimeMs = getIssueListMtimeMs();
             warn(MODULE, 'Background data refresh complete');
         })

package/dist/commands/dismiss.js

@@ -3,8 +3,9 @@
  * Manages dismissing issue notifications without posting a comment.
  * Dismissed URLs resurface automatically when new responses arrive after the dismiss timestamp.
  */
-import { getStateManager } from '../core/index.js';
+import { getStateManager, maybeCheckpoint } from '../core/index.js';
 import { ISSUE_URL_PATTERN, validateGitHubUrl, validateUrl } from './validation.js';
+const MODULE = 'dismiss';
 /**
  * Dismiss an issue's reply notifications without posting a comment.
  * The dismissal auto-resurfaces when new responses arrive after the dismiss timestamp.
@@ -19,6 +20,7 @@ export async function runDismiss(options) {
     validateGitHubUrl(options.url, ISSUE_URL_PATTERN, 'issue');
     const stateManager = getStateManager();
     const added = stateManager.dismissIssue(options.url, new Date().toISOString());
+    await maybeCheckpoint(stateManager, MODULE);
     return { dismissed: added, url: options.url };
 }
 /**
@@ -34,5 +36,6 @@ export async function runUndismiss(options) {
     validateGitHubUrl(options.url, ISSUE_URL_PATTERN, 'issue');
     const stateManager = getStateManager();
     const removed = stateManager.undismissIssue(options.url);
+    await maybeCheckpoint(stateManager, MODULE);
     return { undismissed: removed, url: options.url };
 }

package/dist/commands/doctor.d.ts

@@ -0,0 +1,49 @@
+/**
+ * Doctor command — a real system-health audit.
+ *
+ * Runs independent checks against the local environment and reports an
+ * aggregate `DoctorOutput` so users can diagnose common failure modes
+ * (missing token, unauthenticated gh CLI, stale bundle, corrupted state,
+ * unresolvable scout dependency, low rate-limit budget) in one go.
+ *
+ * Each `check*` function is exported individually so tests can mock its
+ * external dependencies in isolation.
+ */
+export type DoctorCheckStatus = 'ok' | 'warning' | 'error';
+export interface DoctorCheck {
+    name: string;
+    status: DoctorCheckStatus;
+    message: string;
+    remediation?: string;
+}
+export interface DoctorOutput {
+    checks: DoctorCheck[];
+    summary: {
+        ok: number;
+        warnings: number;
+        errors: number;
+    };
+}
+export declare function checkGhCli(): Promise<DoctorCheck>;
+export declare function checkGhAuth(): Promise<DoctorCheck>;
+export declare function checkGitHubToken(preloadedToken?: string | null): Promise<DoctorCheck>;
+/**
+ * Bundle-freshness check only fires when the *source* file is present — that's
+ * the dev-repo workflow. npm consumers install the pre-built bundle with no
+ * source, so we just confirm the bundle exists.
+ */
+export declare function checkBundleUpToDate(options?: {
+    bundlePath?: string;
+    sourcePath?: string;
+}): DoctorCheck;
+export declare function checkStateFile(options?: {
+    statePathOverride?: string;
+}): DoctorCheck;
+/**
+ * Dynamic import of `@oss-scout/core`. Extracted so tests can inject a throwing
+ * stub without mocking the module registry.
+ */
+export type ScoutImporter = () => Promise<unknown>;
+export declare function checkScoutResolvable(importer?: ScoutImporter): Promise<DoctorCheck>;
+export declare function checkGitHubRateLimit(preloadedToken?: string | null): Promise<DoctorCheck>;
+export declare function runDoctor(): Promise<DoctorOutput>;