Replace universe-log with pino in renderer (CSP fix)

gandalf_automationrequested to merge
renderer-replace-universe-log-with-pino into develop

Summary

Replace universe-log with pino in the renderer package to fix CSP violations and broken logging.

Issues Fixed

  • CSP violation: universe-log uses new Function() constructor for environment detection, which is equivalent to eval() and blocked by CSP script-src policies
  • Broken object logging (#788 (closed)): Objects passed as arguments were silently dropped from output
  • Wrong console method: All log levels were routed to console.error() instead of appropriate methods

Why This Change

universe-log (v5.2.0) has been abandoned since August 2019 and has no CSP-compatible version. Pino is already used elsewhere in denser and provides:

  • CSP-safe environment detection using typeof window === 'undefined'
  • Proper argument handling (objects preserved via asObject: false)
  • Correct console methods per log level (debug/warn/error)
  • ~11KB bundle size reduction (universe-log ~15KB → pino ~4KB)

Files Changed

File Change
packages/renderer/src/Log.ts Rewritten to use pino
packages/renderer/package.json Add pino, remove universe-log
pnpm-lock.yaml Regenerated

API Compatibility

The public API remains unchanged - Log.log().error(), Log.log().warn(), Log.log().debug() all work identically. No changes needed in the 11 files that import Log.

Testing

  • Renderer unit tests have a pre-existing ts-node/ESM configuration issue (unrelated to this change)
  • CI pipeline will verify the build succeeds
  • CSP compliance should be verified on staging after deployment

Fixes #788 (closed)

Merge request reports