loki-mode 5.34.0 → 5.35.0

package/autonomy/sandbox.sh

@@ -56,7 +56,7 @@ SANDBOX_MEMORY="${LOKI_SANDBOX_MEMORY:-4g}"
 SANDBOX_READONLY="${LOKI_SANDBOX_READONLY:-false}"
 
 # API ports
-API_PORT="${LOKI_API_PORT:-9898}"
+API_PORT="${LOKI_DASHBOARD_PORT:-57374}"
 DASHBOARD_PORT="${LOKI_DASHBOARD_PORT:-57374}"
 
 # Security: Prompt injection disabled by default for enterprise security
@@ -766,12 +766,7 @@ start_sandbox() {
     validate_project_dir || return 1
     ensure_image
 
-    # Check port availability
-    if ! check_port_available "$API_PORT"; then
-        log_error "Port $API_PORT is already in use"
-        log_info "Set LOKI_API_PORT to use a different port"
-        return 1
-    fi
+    # Check port availability (unified dashboard/API port)
     if ! check_port_available "$DASHBOARD_PORT"; then
         log_error "Port $DASHBOARD_PORT is already in use"
         log_info "Set LOKI_DASHBOARD_PORT to use a different port"
@@ -898,8 +893,7 @@ start_sandbox() {
 
     # Expose ports
     docker_args+=(
-        "--publish" "$API_PORT:9898"
-        "--publish" "$DASHBOARD_PORT:57374"
+        "--publish" "$API_PORT:57374"
     )
 
     # Expose additional ports for testing (e.g., LOKI_EXTRA_PORTS="3000:3000,8080:8080")

package/autonomy/serve.sh

@@ -9,15 +9,15 @@
 #   loki serve [OPTIONS]
 #
 # Options:
-#   --port, -p <port>   Port to listen on (default: 8420)
+#   --port, -p <port>   Port to listen on (default: 57374)
 #   --host, -h <host>   Host to bind to (default: localhost)
 #   --no-cors           Disable CORS
 #   --no-auth           Disable authentication
 #   --help              Show help message
 #
 # Environment Variables:
-#   LOKI_API_PORT       Port (default: 8420)
-#   LOKI_API_HOST       Host (default: localhost)
+#   LOKI_DASHBOARD_PORT Port (default: 57374)
+#   LOKI_DASHBOARD_HOST Host (default: localhost)
 #   LOKI_API_TOKEN      API token for remote access
 #===============================================================================
 
@@ -28,8 +28,8 @@ PROJECT_DIR="$(cd "$SCRIPT_DIR/.." && pwd)"
 API_DIR="$PROJECT_DIR/api"
 
 # Default configuration
-PORT="${LOKI_API_PORT:-8420}"
-HOST="${LOKI_API_HOST:-localhost}"
+PORT="${LOKI_DASHBOARD_PORT:-57374}"
+HOST="${LOKI_DASHBOARD_HOST:-localhost}"
 CORS="true"
 AUTH="true"
 
@@ -63,7 +63,7 @@ Usage:
   loki serve [OPTIONS]
 
 Options:
-  --port, -p <port>   Port to listen on (default: 8420)
+  --port, -p <port>   Port to listen on (default: 57374)
   --host <host>       Host to bind to (default: localhost)
   --no-cors           Disable CORS
   --no-auth           Disable authentication
@@ -71,14 +71,14 @@ Options:
   --help              Show this help message
 
 Environment Variables:
-  LOKI_API_PORT       Port (overridden by --port)
-  LOKI_API_HOST       Host (overridden by --host)
+  LOKI_DASHBOARD_PORT Port (overridden by --port)
+  LOKI_DASHBOARD_HOST Host (overridden by --host)
   LOKI_API_TOKEN      API token for remote access
   LOKI_DIR            Loki installation directory
   LOKI_DEBUG          Enable debug output
 
 Examples:
-  # Start with defaults (localhost:8420)
+  # Start with defaults (localhost:57374)
   loki serve
 
   # Custom port
@@ -89,7 +89,7 @@ Examples:
   loki serve --host 0.0.0.0
 
   # Connect from another machine
-  curl -H "Authorization: Bearer \$TOKEN" http://server:8420/health
+  curl -H "Authorization: Bearer \$TOKEN" http://server:57374/health
 
 EOF
 }

package/dashboard/__init__.py

@@ -7,7 +7,7 @@ Modules:
     control: Session control API (start/stop/pause/resume)
 """
 
-__version__ = "5.34.0"
+__version__ = "5.35.0"
 
 # Expose the control app for easy import
 try:

package/dashboard/server.py

@@ -188,7 +188,7 @@ class ConnectionManager:
 
 
 manager = ConnectionManager()
-start_time = datetime.now()
+start_time = datetime.now(timezone.utc)
 
 
 @asynccontextmanager
@@ -217,8 +217,8 @@ app.add_middleware(
     CORSMiddleware,
     allow_origins=[o.strip() for o in _cors_origins if o.strip()],
     allow_credentials=True,
-    allow_methods=["*"],
-    allow_headers=["*"],
+    allow_methods=["GET", "POST", "PUT", "DELETE", "OPTIONS"],
+    allow_headers=["Content-Type", "Authorization", "X-Requested-With"],
 )
 
 # Static file serving is configured at the end of the file (after all API routes)
@@ -236,7 +236,7 @@ async def health_check() -> dict[str, str]:
 async def get_status() -> StatusResponse:
     """Get system status from .loki/ session files."""
     loki_dir = _get_loki_dir()
-    uptime = (datetime.now() - start_time).total_seconds()
+    uptime = (datetime.now(timezone.utc) - start_time).total_seconds()
 
     # Read dashboard-state.json (written by run.sh every 2 seconds)
     state_file = loki_dir / "dashboard-state.json"
@@ -681,7 +681,7 @@ async def update_task(
 
     # Handle status change to completed
     if "status" in update_data and update_data["status"] == TaskStatus.DONE:
-        update_data["completed_at"] = datetime.now()
+        update_data["completed_at"] = datetime.now(timezone.utc)
 
     for field, value in update_data.items():
         setattr(task, field, value)
@@ -748,7 +748,7 @@ async def move_task(
 
     # Set completed_at if moving to completed
     if move.status == TaskStatus.DONE and old_status != TaskStatus.DONE:
-        task.completed_at = datetime.now()
+        task.completed_at = datetime.now(timezone.utc)
     elif move.status != TaskStatus.DONE:
         task.completed_at = None
 
@@ -1135,10 +1135,10 @@ _SAFE_ID_RE = re.compile(r'^[a-zA-Z0-9_-]+$')
 
 def _sanitize_agent_id(agent_id: str) -> str:
     """Validate agent_id contains only safe characters for file paths."""
-    if not agent_id or ".." in agent_id or not _SAFE_ID_RE.match(agent_id):
+    if not agent_id or len(agent_id) > 128 or ".." in agent_id or not _SAFE_ID_RE.match(agent_id):
         raise HTTPException(
             status_code=400,
-            detail="Invalid agent_id: must contain only alphanumeric characters, hyphens, and underscores",
+            detail="Invalid agent_id: must be 1-128 chars of alphanumeric, hyphens, and underscores",
         )
     return agent_id
 
@@ -1611,7 +1611,7 @@ async def pause_session():
     """Pause the current session by creating PAUSE file."""
     pause_file = _get_loki_dir() / "PAUSE"
     pause_file.parent.mkdir(parents=True, exist_ok=True)
-    pause_file.write_text(datetime.now().isoformat())
+    pause_file.write_text(datetime.now(timezone.utc).isoformat())
     return {"success": True, "message": "Session paused"}
 
 
@@ -1632,7 +1632,7 @@ async def stop_session():
     """Stop the session by creating STOP file and sending SIGTERM."""
     stop_file = _get_loki_dir() / "STOP"
     stop_file.parent.mkdir(parents=True, exist_ok=True)
-    stop_file.write_text(datetime.now().isoformat())
+    stop_file.write_text(datetime.now(timezone.utc).isoformat())
 
     # Try to kill the process
     pid_file = _get_loki_dir() / "loki.pid"
@@ -1979,7 +1979,7 @@ async def force_council_review():
     signal_dir = _get_loki_dir() / "signals"
     signal_dir.mkdir(parents=True, exist_ok=True)
     (signal_dir / "COUNCIL_REVIEW_REQUESTED").write_text(
-        datetime.now().isoformat()
+        datetime.now(timezone.utc).isoformat()
     )
     return {"success": True, "message": "Council review requested"}
 
@@ -1990,15 +1990,15 @@ async def force_council_review():
 
 class CheckpointCreate(BaseModel):
     """Schema for creating a checkpoint."""
-    message: Optional[str] = Field(None, description="Optional description for the checkpoint")
+    message: Optional[str] = Field(None, max_length=500, description="Optional description for the checkpoint")
 
 
 def _sanitize_checkpoint_id(checkpoint_id: str) -> str:
     """Validate checkpoint_id contains only safe characters for file paths."""
-    if not checkpoint_id or ".." in checkpoint_id or not _SAFE_ID_RE.match(checkpoint_id):
+    if not checkpoint_id or len(checkpoint_id) > 128 or ".." in checkpoint_id or not _SAFE_ID_RE.match(checkpoint_id):
         raise HTTPException(
             status_code=400,
-            detail="Invalid checkpoint_id: must contain only alphanumeric characters, hyphens, and underscores",
+            detail="Invalid checkpoint_id: must be 1-128 chars of alphanumeric, hyphens, and underscores",
         )
     return checkpoint_id
 
@@ -2241,7 +2241,7 @@ async def pause_agent(agent_id: str):
     signal_dir = _get_loki_dir() / "signals"
     signal_dir.mkdir(parents=True, exist_ok=True)
     (signal_dir / f"PAUSE_AGENT_{agent_id}").write_text(
-        datetime.now().isoformat()
+        datetime.now(timezone.utc).isoformat()
     )
     return {"success": True, "message": f"Pause signal sent to agent {agent_id}"}
 
@@ -2290,7 +2290,7 @@ async def get_logs(lines: int = 100):
         for log_file in log_files[:1]:
             try:
                 # Use file mtime as fallback timestamp
-                file_mtime = datetime.fromtimestamp(log_file.stat().st_mtime).strftime(
+                file_mtime = datetime.fromtimestamp(log_file.stat().st_mtime, tz=timezone.utc).strftime(
                     "%Y-%m-%dT%H:%M:%S"
                 )
                 content = log_file.read_text()