fix: resolve 10 audit issues — security, reliability, bugs, consolidation (#534)

* fix: resolve 10 open issues — security, reliability, bugs, consolidation, performance

- Fix vetIssuesParallel concurrency bug: replace Promise.race+splice with Map-based tracking (#517)
- Fix minor bugs: daysBetween clamping, formatRelativeTime future guard, star count log typo, checklist stats consistency (#525)
- Consolidate isRateLimitError/isRateLimitOrAuthError into errors.ts from 4 files (#518)
- Replace all console.error with structured logger.warn in dashboard-data.ts and dashboard-server.ts (#530)
- Add security headers (X-Content-Type-Options, X-Frame-Options, CSP, Referrer-Policy), Origin validation, request timeout (#519)
- Improve dashboard server reliability: replace process.exit with thrown errors, sanitize client error messages (#526)
- Add SRI integrity hash and pin Chart.js to v4.5.1 (#528)
- Parallelize CONTRIBUTING.md probing with Promise.allSettled (#520)
- Extract shared updateMonthlyAnalytics function, eliminating duplicated analytics code (#527)
- Consolidate DEFAULT_CONCURRENCY constant across 3 files (#522)

* fix: address lint errors — add error causes, prefix unused catch var

* style: fix prettier formatting

Author: costajohnt

packages/core/src/commands/daily.ts

@@ -31,9 +31,10 @@ import {
   type PRCheckFailure,
   type RepoGroup,
 } from '../core/index.js';
-import { errorMessage, getHttpStatusCode } from '../core/errors.js';
+import { errorMessage, isRateLimitOrAuthError } from '../core/errors.js';
 import { warn } from '../core/logger.js';
 import { emptyPRCountsResult } from '../core/github-stats.js';
+import { updateMonthlyAnalytics } from './dashboard-data.js';
 import {
   deduplicateDigest,
   compactActionableIssues,
@@ -46,17 +47,6 @@ import {
 
 const MODULE = 'daily';
 
-/** Return true for errors that should propagate (not degrade gracefully). */
-function isRateLimitOrAuthError(err: unknown): boolean {
-  const status = getHttpStatusCode(err);
-  if (status === 401 || status === 429) return true;
-  if (status === 403) {
-    const msg = errorMessage(err).toLowerCase();
-    return msg.includes('rate limit') || msg.includes('abuse detection');
-  }
-  return false;
-}
-
 // Re-export domain functions so existing consumers (tests, dashboard, startup)
 // can continue importing from './daily.js' without changes.
 export {
@@ -335,60 +325,6 @@ async function updateRepoScores(
   }
 }
 
-/**
- * Phase 3: Persist monthly chart analytics to state.
- * Stores merged, closed, and combined opened counts per month.
- * Each metric is isolated so partial failures don't produce inconsistent state.
- */
-function updateAnalytics(
-  prs: FetchedPR[],
-  monthlyCounts: Record<string, number>,
-  monthlyClosedCounts: Record<string, number>,
-  openedFromMerged: Record<string, number>,
-  openedFromClosed: Record<string, number>,
-): void {
-  const stateManager = getStateManager();
-
-  // Store monthly chart data (non-critical — each metric isolated so partial failures don't leave inconsistent state).
-  // Guard: skip overwriting when the data is empty to avoid wiping existing chart data on transient API failures.
-  // An empty object means the fetch failed and fell back to emptyPRCountsResult(), so we preserve previous state.
-  try {
-    if (Object.keys(monthlyCounts).length > 0) {
-      stateManager.setMonthlyMergedCounts(monthlyCounts);
-    }
-  } catch (error) {
-    warn(MODULE, `Failed to store monthly merged counts: ${errorMessage(error)}`);
-  }
-
-  try {
-    if (Object.keys(monthlyClosedCounts).length > 0) {
-      stateManager.setMonthlyClosedCounts(monthlyClosedCounts);
-    }
-  } catch (error) {
-    warn(MODULE, `Failed to store monthly closed counts: ${errorMessage(error)}`);
-  }
-
-  try {
-    // Build combined monthly opened counts from merged + closed + currently-open PRs
-    const combinedOpenedCounts: Record<string, number> = { ...openedFromMerged };
-    for (const [month, count] of Object.entries(openedFromClosed)) {
-      combinedOpenedCounts[month] = (combinedOpenedCounts[month] || 0) + count;
-    }
-    // Add currently-open PR creation dates
-    for (const pr of prs) {
-      if (pr.createdAt) {
-        const month = pr.createdAt.slice(0, 7);
-        combinedOpenedCounts[month] = (combinedOpenedCounts[month] || 0) + 1;
-      }
-    }
-    if (Object.keys(combinedOpenedCounts).length > 0) {
-      stateManager.setMonthlyOpenedCounts(combinedOpenedCounts);
-    }
-  } catch (error) {
-    warn(MODULE, `Failed to compute/store monthly opened counts: ${errorMessage(error)}`);
-  }
-}
-
 /**
  * Phase 4: Expire snoozes and partition PRs into active vs shelved buckets.
  * Auto-unshelves PRs where maintainers have engaged, generates the digest,
@@ -627,7 +563,7 @@ async function executeDailyCheckInternal(token: string): Promise<DailyCheckResul
   await updateRepoScores(prMonitor, prs, mergedCounts, closedCounts);
 
   // Phase 3: Persist monthly analytics
-  updateAnalytics(prs, monthlyCounts, monthlyClosedCounts, openedFromMerged, openedFromClosed);
+  updateMonthlyAnalytics(prs, monthlyCounts, monthlyClosedCounts, openedFromMerged, openedFromClosed);
 
   // Phase 4: Expire snoozes, partition PRs, generate and save digest
   const { activePRs, shelvedPRs, digest } = partitionPRs(prMonitor, prs, recentlyClosedPRs, recentlyMergedPRs);

packages/core/src/commands/dashboard-data.ts

@@ -5,9 +5,12 @@
  */
 
 import { getStateManager, PRMonitor, IssueConversationMonitor } from '../core/index.js';
-import { errorMessage, getHttpStatusCode } from '../core/errors.js';
+import { errorMessage, isRateLimitOrAuthError } from '../core/errors.js';
+import { warn } from '../core/logger.js';
 import { emptyPRCountsResult } from '../core/github-stats.js';
 import { toShelvedPRRef } from './daily.js';
+
+const MODULE = 'dashboard-data';
 import type { DailyDigest, AgentState, ClosedPR, MergedPR, CommentedIssue } from '../core/types.js';
 
 export interface DashboardStats {
@@ -34,6 +37,53 @@ export function buildDashboardStats(digest: DailyDigest, state: Readonly<AgentSt
   };
 }
 
+/**
+ * Persist monthly chart analytics (merged, closed, opened) to state.
+ * Each metric is isolated so partial failures don't produce inconsistent state.
+ * Skips overwriting when data is empty to avoid wiping chart data on transient API failures.
+ */
+export function updateMonthlyAnalytics(
+  prs: Array<{ createdAt?: string }>,
+  monthlyCounts: Record<string, number>,
+  monthlyClosedCounts: Record<string, number>,
+  openedFromMerged: Record<string, number>,
+  openedFromClosed: Record<string, number>,
+): void {
+  const stateManager = getStateManager();
+
+  try {
+    if (Object.keys(monthlyCounts).length > 0) {
+      stateManager.setMonthlyMergedCounts(monthlyCounts);
+    }
+  } catch (error) {
+    warn(MODULE, `Failed to store monthly merged counts: ${errorMessage(error)}`);
+  }
+  try {
+    if (Object.keys(monthlyClosedCounts).length > 0) {
+      stateManager.setMonthlyClosedCounts(monthlyClosedCounts);
+    }
+  } catch (error) {
+    warn(MODULE, `Failed to store monthly closed counts: ${errorMessage(error)}`);
+  }
+  try {
+    const combinedOpenedCounts: Record<string, number> = { ...openedFromMerged };
+    for (const [month, count] of Object.entries(openedFromClosed)) {
+      combinedOpenedCounts[month] = (combinedOpenedCounts[month] || 0) + count;
+    }
+    for (const pr of prs) {
+      if (pr.createdAt) {
+        const month = pr.createdAt.slice(0, 7);
+        combinedOpenedCounts[month] = (combinedOpenedCounts[month] || 0) + 1;
+      }
+    }
+    if (Object.keys(combinedOpenedCounts).length > 0) {
+      stateManager.setMonthlyOpenedCounts(combinedOpenedCounts);
+    }
+  } catch (error) {
+    warn(MODULE, `Failed to store monthly opened counts: ${errorMessage(error)}`);
+  }
+}
+
 export interface DashboardFetchResult {
   digest: DailyDigest;
   commentedIssues: CommentedIssue[];
@@ -44,16 +94,6 @@ export interface DashboardFetchResult {
  * Returns the digest and commented issues, updating state as a side effect.
  * Throws if the fetch fails entirely (caller should fall back to cached data).
  */
-function isRateLimitOrAuthError(err: unknown): boolean {
-  const status = getHttpStatusCode(err);
-  if (status === 401 || status === 429) return true;
-  if (status === 403) {
-    const msg = errorMessage(err).toLowerCase();
-    return msg.includes('rate limit') || msg.includes('abuse detection');
-  }
-  return false;
-}
-
 export async function fetchDashboardData(token: string): Promise<DashboardFetchResult> {
   const stateManager = getStateManager();
   const prMonitor = new PRMonitor(token);
@@ -64,30 +104,30 @@ export async function fetchDashboardData(token: string): Promise<DashboardFetchR
       prMonitor.fetchUserOpenPRs(),
       prMonitor.fetchRecentlyClosedPRs().catch((err): ClosedPR[] => {
         if (isRateLimitOrAuthError(err)) throw err;
-        console.error(`Warning: Failed to fetch recently closed PRs: ${errorMessage(err)}`);
+        warn(MODULE, `Failed to fetch recently closed PRs: ${errorMessage(err)}`);
         return [];
       }),
       prMonitor.fetchRecentlyMergedPRs().catch((err): MergedPR[] => {
         if (isRateLimitOrAuthError(err)) throw err;
-        console.error(`Warning: Failed to fetch recently merged PRs: ${errorMessage(err)}`);
+        warn(MODULE, `Failed to fetch recently merged PRs: ${errorMessage(err)}`);
         return [];
       }),
       prMonitor.fetchUserMergedPRCounts().catch((err) => {
         if (isRateLimitOrAuthError(err)) throw err;
-        console.error(`Warning: Failed to fetch merged PR counts: ${errorMessage(err)}`);
+        warn(MODULE, `Failed to fetch merged PR counts: ${errorMessage(err)}`);
         return emptyPRCountsResult<{ count: number; lastMergedAt: string }>();
       }),
       prMonitor.fetchUserClosedPRCounts().catch((err) => {
         if (isRateLimitOrAuthError(err)) throw err;
-        console.error(`Warning: Failed to fetch closed PR counts: ${errorMessage(err)}`);
+        warn(MODULE, `Failed to fetch closed PR counts: ${errorMessage(err)}`);
         return emptyPRCountsResult<number>();
       }),
       issueMonitor.fetchCommentedIssues().catch((error) => {
         const msg = errorMessage(error);
         if (msg.includes('No GitHub username configured')) {
-          console.error(`[DASHBOARD] Issue conversation tracking requires setup: ${msg}`);
+          warn(MODULE, `Issue conversation tracking requires setup: ${msg}`);
         } else {
-          console.error(`[DASHBOARD] Issue conversation fetch failed: ${msg}`);
+          warn(MODULE, `Issue conversation fetch failed: ${msg}`);
         }
         return {
           issues: [] as CommentedIssue[],
@@ -98,49 +138,17 @@ export async function fetchDashboardData(token: string): Promise<DashboardFetchR
 
   const commentedIssues = fetchedIssues.issues;
   if (fetchedIssues.failures.length > 0) {
-    console.error(`[DASHBOARD] ${fetchedIssues.failures.length} issue conversation check(s) failed`);
+    warn(MODULE, `${fetchedIssues.failures.length} issue conversation check(s) failed`);
   }
 
   if (failures.length > 0) {
-    console.error(`Warning: ${failures.length} PR fetch(es) failed`);
+    warn(MODULE, `${failures.length} PR fetch(es) failed`);
   }
 
   // Store monthly chart data (opened/merged/closed) so charts have data
   const { monthlyCounts, monthlyOpenedCounts: openedFromMerged } = mergedResult;
   const { monthlyCounts: monthlyClosedCounts, monthlyOpenedCounts: openedFromClosed } = closedResult;
-
-  // Guard: skip overwriting when data is empty to avoid wiping chart data on transient API failures.
-  try {
-    if (Object.keys(monthlyCounts).length > 0) {
-      stateManager.setMonthlyMergedCounts(monthlyCounts);
-    }
-  } catch (error) {
-    console.error('[DASHBOARD] Failed to store monthly merged counts:', errorMessage(error));
-  }
-  try {
-    if (Object.keys(monthlyClosedCounts).length > 0) {
-      stateManager.setMonthlyClosedCounts(monthlyClosedCounts);
-    }
-  } catch (error) {
-    console.error('[DASHBOARD] Failed to store monthly closed counts:', errorMessage(error));
-  }
-  try {
-    const combinedOpenedCounts: Record<string, number> = { ...openedFromMerged };
-    for (const [month, count] of Object.entries(openedFromClosed)) {
-      combinedOpenedCounts[month] = (combinedOpenedCounts[month] || 0) + count;
-    }
-    for (const pr of prs) {
-      if (pr.createdAt) {
-        const month = pr.createdAt.slice(0, 7);
-        combinedOpenedCounts[month] = (combinedOpenedCounts[month] || 0) + 1;
-      }
-    }
-    if (Object.keys(combinedOpenedCounts).length > 0) {
-      stateManager.setMonthlyOpenedCounts(combinedOpenedCounts);
-    }
-  } catch (error) {
-    console.error('[DASHBOARD] Failed to store monthly opened counts:', errorMessage(error));
-  }
+  updateMonthlyAnalytics(prs, monthlyCounts, monthlyClosedCounts, openedFromMerged, openedFromClosed);
 
   const digest = prMonitor.generateDigest(prs, recentlyClosedPRs, recentlyMergedPRs);
 
@@ -156,9 +164,9 @@ export async function fetchDashboardData(token: string): Promise<DashboardFetchR
   try {
     stateManager.save();
   } catch (error) {
-    console.error('Warning: Failed to save dashboard digest to state:', errorMessage(error));
+    warn(MODULE, `Failed to save dashboard digest to state: ${errorMessage(error)}`);
   }
-  console.error(`Refreshed: ${prs.length} PRs fetched`);
+  warn(MODULE, `Refreshed: ${prs.length} PRs fetched`);
 
   return { digest, commentedIssues };
 }

packages/core/src/commands/dashboard-server.test.ts

@@ -171,6 +171,7 @@ function createMockReq(method: string, url: string, body?: string): IncomingMess
   const req = new EventEmitter() as IncomingMessage;
   req.method = method;
   req.url = url;
+  req.headers = {};
 
   // For POST requests, simulate body streaming
   if (body !== undefined) {
@@ -203,6 +204,11 @@ function createMockRes(): { res: ServerResponse; result: Promise<MockResponseRes
 
   const res = resEmitter as unknown as ServerResponse;
 
+  res.setHeader = vi.fn((name: string, value: string | number) => {
+    headers[name.toLowerCase()] = value;
+    return res;
+  });
+
   res.writeHead = vi.fn((code: number, hdrs?: Record<string, string | number>) => {
     statusCode = code;
     if (hdrs) Object.assign(headers, hdrs);