loki-mode 6.13.0 → 6.14.0

package/README.md

@@ -9,7 +9,7 @@
 [![Agent Types](https://img.shields.io/badge/Agent%20Types-41-blue)]()
 [![Autonomi](https://img.shields.io/badge/Autonomi-autonomi.dev-5B4EEA)](https://www.autonomi.dev/)
 
-**Current Version: v6.13.0**
+**Current Version: v6.14.0**
 
 ---
 

package/SKILL.md

@@ -3,7 +3,7 @@ name: loki-mode
 description: Multi-agent autonomous startup system. Triggers on "Loki Mode". Takes PRD to deployed product with minimal human intervention. Requires --dangerously-skip-permissions flag.
 ---
 
-# Loki Mode v6.13.0
+# Loki Mode v6.14.0
 
 **You are an autonomous agent. You make decisions. You do not ask questions. You do not stop.**
 
@@ -267,4 +267,4 @@ The following features are documented in skill modules but not yet fully automat
 | Quality gates 3-reviewer system | Implemented (v5.35.0) | 5 specialist reviewers in `skills/quality-gates.md`; execution in run.sh |
 | Benchmarks (HumanEval, SWE-bench) | Infrastructure only | Runner scripts and datasets exist in `benchmarks/`; no published results |
 
-**v6.13.0 | [Autonomi](https://www.autonomi.dev/) flagship product | ~260 lines core**
+**v6.14.0 | [Autonomi](https://www.autonomi.dev/) flagship product | ~260 lines core**

package/VERSION

@@ -1 +1 @@
-6.13.0
+6.14.0

package/autonomy/loki

@@ -419,6 +419,7 @@ show_help() {
     echo "  checkpoint|cp    Save/restore session checkpoints"
     echo "  projects         Multi-project registry management"
     echo "  audit [cmd]      Agent audit log and quality scanning (log|scan)"
+    echo "  review [dir]     Run quality gates on any project (standalone, no AI needed)"
     echo "  optimize         Optimize prompts based on session history"
     echo "  enterprise       Enterprise feature management (tokens, OIDC)"
     echo "  metrics          Prometheus/OpenMetrics metrics from dashboard"
@@ -7848,6 +7849,9 @@ main() {
         audit)
             cmd_audit "$@"
             ;;
+        review)
+            cmd_review "$@"
+            ;;
         optimize)
             cmd_optimize "$@"
             ;;
@@ -7895,6 +7899,223 @@ main() {
     esac
 }
 
+# Standalone project review - run quality gates on any codebase (v6.14.0)
+cmd_review() {
+    local target_dir="."
+    local json_output=""
+    local verbose=""
+
+    while [[ $# -gt 0 ]]; do
+        case "$1" in
+            --json) json_output="true"; shift ;;
+            --verbose|-v) verbose="true"; shift ;;
+            --help|-h)
+                echo -e "${BOLD}loki review${NC} - Run quality gates on any project (standalone)"
+                echo ""
+                echo "Usage: loki review [directory] [options]"
+                echo ""
+                echo "Arguments:"
+                echo "  directory       Path to project (default: current directory)"
+                echo ""
+                echo "Options:"
+                echo "  --json          Machine-readable JSON output"
+                echo "  --verbose, -v   Show detailed output per gate"
+                echo "  --help, -h      Show this help"
+                echo ""
+                echo "Gates: project-type, lint, tests, security, dependencies, structure"
+                echo "Exit code: 0 if all pass, 1 if any fail"
+                return 0
+                ;;
+            -*) echo -e "${RED}Unknown option: $1${NC}"; return 1 ;;
+            *) target_dir="$1"; shift ;;
+        esac
+    done
+
+    # Resolve and validate directory
+    target_dir="$(cd "$target_dir" 2>/dev/null && pwd)" || {
+        echo -e "${RED}Error: Directory not found: $target_dir${NC}"; return 1
+    }
+
+    local project_type="unknown"
+    local results=()  # gate:status pairs
+    local total_pass=0 total_warn=0 total_fail=0
+    local gate_details=()
+
+    # Helper: record gate result
+    _review_gate() {
+        local gate="$1" status="$2" detail="${3:-}"
+        results+=("$gate:$status")
+        gate_details+=("$gate:$detail")
+        case "$status" in
+            PASS) total_pass=$((total_pass + 1)) ;;
+            WARN) total_warn=$((total_warn + 1)) ;;
+            FAIL) total_fail=$((total_fail + 1)) ;;
+        esac
+    }
+
+    # Gate 1: Detect project type
+    if [ -f "$target_dir/package.json" ]; then
+        project_type="node"
+    elif [ -f "$target_dir/pyproject.toml" ] || [ -f "$target_dir/setup.py" ] || [ -f "$target_dir/requirements.txt" ]; then
+        project_type="python"
+    elif [ -f "$target_dir/go.mod" ]; then
+        project_type="go"
+    elif [ -f "$target_dir/Cargo.toml" ]; then
+        project_type="rust"
+    fi
+    if [ "$project_type" != "unknown" ]; then
+        _review_gate "project-type" "PASS" "Detected: $project_type"
+    else
+        _review_gate "project-type" "WARN" "Could not detect project type"
+    fi
+
+    # Gate 2: Lint check
+    local lint_output="" lint_status="PASS"
+    case "$project_type" in
+        node)
+            if [ -f "$target_dir/.eslintrc.js" ] || [ -f "$target_dir/.eslintrc.json" ] || [ -f "$target_dir/.eslintrc.yml" ] || [ -f "$target_dir/eslint.config.js" ] || [ -f "$target_dir/eslint.config.mjs" ]; then
+                lint_output=$(cd "$target_dir" && npx eslint . --max-warnings=0 2>&1) || lint_status="FAIL"
+            else
+                lint_output="No ESLint config found"; lint_status="WARN"
+            fi ;;
+        python)
+            if command -v ruff &>/dev/null; then
+                lint_output=$(cd "$target_dir" && ruff check . 2>&1) || lint_status="FAIL"
+            elif command -v pylint &>/dev/null; then
+                lint_output=$(cd "$target_dir" && pylint --recursive=y . 2>&1) || lint_status="FAIL"
+            else
+                lint_output="No linter available (install ruff or pylint)"; lint_status="WARN"
+            fi ;;
+        go)
+            if command -v golangci-lint &>/dev/null; then
+                lint_output=$(cd "$target_dir" && golangci-lint run 2>&1) || lint_status="FAIL"
+            else
+                lint_output=$(cd "$target_dir" && go vet ./... 2>&1) || lint_status="FAIL"
+            fi ;;
+        rust)
+            lint_output=$(cd "$target_dir" && cargo clippy -- -D warnings 2>&1) || lint_status="FAIL"
+            ;;
+        *) lint_output="Skipped (unknown project type)"; lint_status="WARN" ;;
+    esac
+    _review_gate "lint" "$lint_status" "$lint_output"
+
+    # Gate 3: Tests
+    local test_output="" test_status="PASS"
+    case "$project_type" in
+        node)
+            if grep -q '"test"' "$target_dir/package.json" 2>/dev/null; then
+                test_output=$(cd "$target_dir" && npm test 2>&1) || test_status="FAIL"
+            else
+                test_output="No test script in package.json"; test_status="WARN"
+            fi ;;
+        python)
+            if command -v pytest &>/dev/null; then
+                test_output=$(cd "$target_dir" && pytest --tb=short 2>&1) || test_status="FAIL"
+            else
+                test_output="pytest not available"; test_status="WARN"
+            fi ;;
+        go) test_output=$(cd "$target_dir" && go test ./... 2>&1) || test_status="FAIL" ;;
+        rust) test_output=$(cd "$target_dir" && cargo test 2>&1) || test_status="FAIL" ;;
+        *) test_output="Skipped (unknown project type)"; test_status="WARN" ;;
+    esac
+    _review_gate "tests" "$test_status" "$test_output"
+
+    # Gate 4: Security - grep for hardcoded secrets
+    local secret_output="" secret_status="PASS"
+    local secret_patterns='(API_KEY|SECRET_KEY|PASSWORD|TOKEN|PRIVATE_KEY)\s*[=:]\s*["\x27][A-Za-z0-9+/=_-]{8,}'
+    secret_output=$(grep -rEn "$secret_patterns" "$target_dir" \
+        --include="*.js" --include="*.ts" --include="*.py" --include="*.go" --include="*.rs" \
+        --include="*.jsx" --include="*.tsx" --include="*.java" --include="*.rb" \
+        --exclude-dir=node_modules --exclude-dir=.git --exclude-dir=vendor \
+        --exclude-dir=__pycache__ --exclude-dir=.venv --exclude-dir=target 2>/dev/null) || true
+    if [ -n "$secret_output" ]; then
+        secret_status="FAIL"
+        secret_output="Potential hardcoded secrets found:
+$secret_output"
+    else
+        secret_output="No hardcoded secrets detected"
+    fi
+    _review_gate "security" "$secret_status" "$secret_output"
+
+    # Gate 5: Dependency audit
+    local dep_output="" dep_status="PASS"
+    case "$project_type" in
+        node)
+            if [ -f "$target_dir/package-lock.json" ] || [ -f "$target_dir/yarn.lock" ]; then
+                dep_output=$(cd "$target_dir" && npm audit --production 2>&1) || dep_status="WARN"
+            else
+                dep_output="No lockfile found"; dep_status="WARN"
+            fi ;;
+        python)
+            if command -v pip-audit &>/dev/null; then
+                dep_output=$(cd "$target_dir" && pip-audit 2>&1) || dep_status="WARN"
+            else
+                dep_output="pip-audit not available"; dep_status="WARN"
+            fi ;;
+        *) dep_output="No dependency audit available for $project_type"; dep_status="WARN" ;;
+    esac
+    _review_gate "dependencies" "$dep_status" "$dep_output"
+
+    # Gate 6: Structure check
+    local struct_output="" struct_status="PASS" struct_issues=()
+    [ ! -f "$target_dir/README.md" ] && [ ! -f "$target_dir/README.rst" ] && [ ! -f "$target_dir/README" ] && struct_issues+=("Missing README")
+    local file_count
+    file_count=$(find "$target_dir" -type f -not -path '*/.git/*' -not -path '*/node_modules/*' -not -path '*/vendor/*' -not -path '*/__pycache__/*' -not -path '*/.venv/*' -not -path '*/target/*' 2>/dev/null | wc -l | tr -d ' ')
+    [ "$file_count" -gt 5000 ] && struct_issues+=("Large project: $file_count files")
+    local huge_files
+    huge_files=$(find "$target_dir" -type f -size +1M -not -path '*/.git/*' -not -path '*/node_modules/*' -not -path '*/vendor/*' -not -path '*/target/*' 2>/dev/null | head -5)
+    [ -n "$huge_files" ] && struct_issues+=("Files >1MB found: $(echo "$huge_files" | wc -l | tr -d ' ')")
+    if [ ${#struct_issues[@]} -gt 0 ]; then
+        struct_status="WARN"
+        struct_output=$(printf '%s\n' "${struct_issues[@]}")
+    else
+        struct_output="README present, $file_count files, no oversized files"
+    fi
+    _review_gate "structure" "$struct_status" "$struct_output"
+
+    # Output results
+    if [ -n "$json_output" ]; then
+        local gates_json="["
+        local first="true"
+        for r in "${results[@]}"; do
+            local gate="${r%%:*}" status="${r#*:}"
+            [ "$first" = "true" ] && first="" || gates_json+=","
+            gates_json+="{\"gate\":\"$gate\",\"status\":\"$status\"}"
+        done
+        gates_json+="]"
+        printf '{"directory":"%s","project_type":"%s","pass":%d,"warn":%d,"fail":%d,"gates":%s}\n' \
+            "$target_dir" "$project_type" "$total_pass" "$total_warn" "$total_fail" "$gates_json"
+    else
+        echo -e "${BOLD}Loki Review: $target_dir${NC}"
+        echo -e "Project type: ${CYAN}$project_type${NC}"
+        echo "---"
+        for r in "${results[@]}"; do
+            local gate="${r%%:*}" status="${r#*:}"
+            case "$status" in
+                PASS) echo -e "  ${GREEN}[PASS]${NC} $gate" ;;
+                WARN) echo -e "  ${YELLOW}[WARN]${NC} $gate" ;;
+                FAIL) echo -e "  ${RED}[FAIL]${NC} $gate" ;;
+            esac
+        done
+        echo "---"
+        echo -e "Results: ${GREEN}$total_pass passed${NC}, ${YELLOW}$total_warn warnings${NC}, ${RED}$total_fail failed${NC}"
+
+        if [ -n "$verbose" ]; then
+            echo ""
+            echo -e "${BOLD}Details:${NC}"
+            for d in "${gate_details[@]}"; do
+                local gate="${d%%:*}" detail="${d#*:}"
+                echo -e "\n${CYAN}[$gate]${NC}"
+                echo "$detail" | head -30
+            done
+        fi
+    fi
+
+    # Exit code: 1 if any failures
+    [ "$total_fail" -gt 0 ] && return 1
+    return 0
+}
+
 # Worktree management (v6.7.0)
 cmd_worktree() {
     local subcommand="${1:-list}"

package/dashboard/__init__.py

@@ -7,7 +7,7 @@ Modules:
     control: Session control API (start/stop/pause/resume)
 """
 
-__version__ = "6.13.0"
+__version__ = "6.14.0"
 
 # Expose the control app for easy import
 try:

package/docs/INSTALLATION.md

@@ -2,7 +2,7 @@
 
 The flagship product of [Autonomi](https://www.autonomi.dev/). Complete installation instructions for all platforms and use cases.
 
-**Version:** v6.13.0
+**Version:** v6.14.0
 
 ---
 

package/mcp/__init__.py

@@ -57,4 +57,4 @@ try:
 except ImportError:
     __all__ = ['mcp']
 
-__version__ = '6.13.0'
+__version__ = '6.14.0'

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "loki-mode",
-  "version": "6.13.0",
+  "version": "6.14.0",
   "description": "Loki Mode by Autonomi - Multi-agent autonomous startup system for Claude Code, Codex CLI, and Gemini CLI",
   "keywords": [
     "agent",

package/templates/api-only.md

@@ -1,10 +1,34 @@
 # PRD: REST API Service
 
 ## Overview
-A simple REST API for managing notes. Tests Loki Mode's backend-only capabilities.
+A simple REST API for managing notes. Tests Loki Mode's backend-only capabilities with proper validation, error handling, and test coverage.
 
 ## Target Users
-Developers who need a notes API.
+- Developers who need a lightweight notes API for prototyping
+- Teams evaluating backend code generation quality
+- Frontend developers needing a mock API to build against
+
+## Features
+
+### MVP Features
+1. **Create Note** - Add a new note with title and content
+2. **List Notes** - Retrieve all notes
+3. **Get Note** - Retrieve a single note by ID
+4. **Update Note** - Edit an existing note's title or content
+5. **Delete Note** - Remove a note
+6. **Health Check** - Service health endpoint
+
+### Data Model
+
+```typescript
+interface Note {
+  id: string;
+  title: string;
+  content: string;
+  createdAt: string;       // ISO 8601 timestamp
+  updatedAt: string;       // ISO 8601 timestamp
+}
+```
 
 ## API Endpoints
 
@@ -12,23 +36,23 @@ Developers who need a notes API.
 
 #### GET /api/notes
 - Returns list of all notes
-- Response: `[{ id, title, content, createdAt }]`
+- Response: `[{ id, title, content, createdAt, updatedAt }]`
 
 #### GET /api/notes/:id
 - Returns single note
-- Response: `{ id, title, content, createdAt }`
+- Response: `{ id, title, content, createdAt, updatedAt }`
 - Error: 404 if not found
 
 #### POST /api/notes
 - Creates new note
 - Body: `{ title, content }`
-- Response: `{ id, title, content, createdAt }`
-- Error: 400 if validation fails
+- Response: `{ id, title, content, createdAt, updatedAt }` (201)
+- Error: 400 if validation fails (title required, content required)
 
 #### PUT /api/notes/:id
 - Updates existing note
-- Body: `{ title?, content? }`
-- Response: `{ id, title, content, updatedAt }`
+- Body: `{ title?, content? }` (partial update)
+- Response: `{ id, title, content, createdAt, updatedAt }`
 - Error: 404 if not found
 
 #### DELETE /api/notes/:id
@@ -44,36 +68,70 @@ Developers who need a notes API.
 ## Tech Stack
 - Runtime: Node.js 18+
 - Framework: Express.js
+- Language: TypeScript
 - Database: In-memory (array) for simplicity
-- Validation: zod or joi
-- Testing: Jest + supertest
+- Validation: zod
+- Testing: Vitest + supertest
+
+### Structure
+```
+/
+├── src/
+│   ├── index.ts                 # Express server setup, middleware
+│   ├── routes/
+│   │   ├── notes.ts             # Notes CRUD handlers
+│   │   └── health.ts            # Health check endpoint
+│   ├── middleware/
+│   │   └── errorHandler.ts      # Global error handler
+│   ├── schemas/
+│   │   └── note.ts              # Zod validation schemas
+│   └── types/
+│       └── index.ts             # TypeScript type definitions
+├── tests/
+│   ├── notes.test.ts            # Notes endpoint tests
+│   └── health.test.ts           # Health check test
+├── package.json
+├── tsconfig.json
+└── README.md
+```
 
 ## Requirements
-- Input validation on all endpoints
-- Proper HTTP status codes
-- JSON error responses
-- Request logging
-- Unit tests for each endpoint
+- TypeScript throughout
+- Input validation on all endpoints using zod
+- Proper HTTP status codes (200, 201, 204, 400, 404)
+- JSON error responses: `{ error: "message" }`
+- Request logging (method, path, status code)
+- CORS enabled for development
+
+## Testing
+- API tests: All endpoints with valid input, invalid input, and edge cases (Vitest + supertest)
+- Minimum test cases:
+  - `POST /api/notes` with valid data -> 201 + note object
+  - `POST /api/notes` with missing title -> 400 + error
+  - `POST /api/notes` with missing content -> 400 + error
+  - `GET /api/notes` -> 200 + array
+  - `GET /api/notes/:id` with valid id -> 200 + note
+  - `GET /api/notes/:id` with invalid id -> 404
+  - `PUT /api/notes/:id` with valid data -> 200 + updated note
+  - `PUT /api/notes/:id` with invalid id -> 404
+  - `DELETE /api/notes/:id` -> 204
+  - `DELETE /api/notes/:id` with invalid id -> 404
+  - `GET /health` -> 200 + status object
 
 ## Out of Scope
 - Authentication
-- Database persistence
+- Database persistence (file or SQL)
 - Rate limiting
 - API documentation (OpenAPI)
 - Deployment
 
-## Test Cases
-```
-POST /api/notes with valid data → 201 + note object
-POST /api/notes with missing title → 400 + error
-GET /api/notes → 200 + array
-GET /api/notes/:id with valid id → 200 + note
-GET /api/notes/:id with invalid id → 404
-PUT /api/notes/:id with valid data → 200 + updated note
-DELETE /api/notes/:id → 204
-GET /health → 200 + status object
-```
+## Success Criteria
+- All 6 endpoints return correct status codes and response bodies
+- Validation rejects invalid input with descriptive error messages
+- All tests pass
+- Server starts without errors on `npm start`
+- Health check returns valid response
 
 ---
 
-**Purpose:** Tests backend agent capabilities, code review, and QA without frontend complexity.
+**Purpose:** Tests backend agent capabilities, code review, and QA without frontend complexity. Expect ~15-20 minutes for full execution.

package/templates/e-commerce.md

@@ -12,7 +12,7 @@ A simple e-commerce storefront called "ShopBase" with a product catalog, shoppin
 
 ### MVP Features
 1. **Product Catalog** - Browse products with images, prices, descriptions, and categories
-2. **Product Detail** - Full product page with image gallery, variants (size/color), and reviews
+2. **Product Detail** - Full product page with image gallery and variants (size/color)
 3. **Shopping Cart** - Add/remove items, update quantities, persistent cart (survives refresh)
 4. **Checkout** - Shipping address form, order summary, Stripe payment
 5. **Order Confirmation** - Confirmation page and email receipt

package/templates/full-stack-demo.md

@@ -1,27 +1,34 @@
 # PRD: Full-Stack Demo App
 
 ## Overview
-A complete full-stack application demonstrating Loki Mode's end-to-end capabilities. A simple bookmark manager with tags.
+A complete full-stack application demonstrating Loki Mode's end-to-end capabilities. A bookmark manager called "Stash" with tags, search, and a clean UI.
 
 ## Target Users
-Users who want to save and organize bookmarks.
+- Users who want to save and organize bookmarks with tags
+- Developers testing Loki Mode's full-stack generation pipeline
 
 ## Features
 
 ### Core Features
 1. **Add Bookmark** - Save URL with title and optional tags
-2. **View Bookmarks** - List all bookmarks with search/filter
+   - Acceptance: Form validates URL format, title is required, tags are comma-separated, form clears on submit
+2. **View Bookmarks** - List all bookmarks with search and tag filter
+   - Acceptance: Shows URL, title, tags, and creation date; search filters by title with 300ms debounce; tag chips are clickable for filtering
 3. **Edit Bookmark** - Update title, URL, or tags
-4. **Delete Bookmark** - Remove bookmark
+   - Acceptance: Inline edit or modal form, pre-populated with current values, saves on submit
+4. **Delete Bookmark** - Remove bookmark with confirmation
+   - Acceptance: Confirmation dialog before delete, bookmark removed from list and database
 5. **Tag Management** - Create, view, and filter by tags
+   - Acceptance: Tag sidebar shows all tags with bookmark counts, clicking a tag filters the list, unused tags cleaned up on bookmark delete
 
 ### User Flow
-1. User opens app → sees bookmark list
-2. Clicks "Add Bookmark" → form appears
-3. Enters URL, title, tags → submits
-4. Bookmark appears in list
-5. Can filter by tag or search by title
+1. User opens app -> sees bookmark list (or empty state if none)
+2. Clicks "Add Bookmark" -> form appears
+3. Enters URL, title, tags -> submits
+4. Bookmark appears in list with tag chips
+5. Can filter by tag (click tag) or search by title (search bar)
 6. Can edit or delete any bookmark
+7. Refreshes page -> all state persists from database
 
 ## Tech Stack
 
@@ -42,17 +49,41 @@ Users who want to save and organize bookmarks.
 /
 ├── frontend/
 │   ├── src/
+│   │   ├── App.tsx                      # Main app with layout
 │   │   ├── components/
+│   │   │   ├── BookmarkList.tsx         # List of bookmark cards
+│   │   │   ├── BookmarkCard.tsx         # Single bookmark display
+│   │   │   ├── BookmarkForm.tsx         # Add/edit form
+│   │   │   ├── SearchBar.tsx            # Search input with debounce
+│   │   │   ├── TagSidebar.tsx           # Tag list with counts
+│   │   │   ├── TagChip.tsx              # Clickable tag badge
+│   │   │   ├── ConfirmDialog.tsx        # Delete confirmation
+│   │   │   └── EmptyState.tsx           # Shown when no bookmarks
 │   │   ├── hooks/
+│   │   │   ├── useBookmarks.ts          # CRUD operations via React Query
+│   │   │   └── useTags.ts              # Tag fetching hook
 │   │   ├── types/
-│   │   └── App.tsx
+│   │   │   └── index.ts                # Bookmark and Tag types
+│   │   └── main.tsx
+│   ├── tests/
+│   │   ├── BookmarkCard.test.tsx        # Card rendering and actions
+│   │   ├── BookmarkForm.test.tsx        # Form validation and submit
+│   │   └── SearchBar.test.tsx           # Debounce and filter behavior
 │   ├── package.json
 │   └── vite.config.ts
 ├── backend/
 │   ├── src/
+│   │   ├── index.ts                     # Express server setup
 │   │   ├── routes/
+│   │   │   ├── bookmarks.ts             # Bookmark CRUD handlers
+│   │   │   └── tags.ts                  # Tag list handler
 │   │   ├── db/
-│   │   └── index.ts
+│   │   │   └── index.ts                 # SQLite connection + schema init
+│   │   └── schemas/
+│   │       └── bookmark.ts              # Zod validation schemas
+│   ├── tests/
+│   │   ├── bookmarks.test.ts            # Bookmark API tests
+│   │   └── tags.test.ts                 # Tag API tests
 │   ├── package.json
 │   └── tsconfig.json
 └── README.md
@@ -62,17 +93,20 @@ Users who want to save and organize bookmarks.
 
 ### Bookmarks
 - `GET /api/bookmarks` - List all (query: `?tag=`, `?search=`)
-- `POST /api/bookmarks` - Create new
-- `PUT /api/bookmarks/:id` - Update
-- `DELETE /api/bookmarks/:id` - Delete
+- `POST /api/bookmarks` - Create new (body: `{ url, title, tags? }`)
+- `PUT /api/bookmarks/:id` - Update (body: `{ url?, title?, tags? }`)
+- `DELETE /api/bookmarks/:id` - Delete (returns 204)
 
 ### Tags
-- `GET /api/tags` - List all tags with counts
+- `GET /api/tags` - List all tags with bookmark counts
+
+### Health
+- `GET /health` - Returns `{ status: "ok" }`
 
 ## Database Schema
 ```sql
 CREATE TABLE bookmarks (
-  id INTEGER PRIMARY KEY,
+  id INTEGER PRIMARY KEY AUTOINCREMENT,
   url TEXT NOT NULL,
   title TEXT NOT NULL,
   created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
@@ -80,29 +114,31 @@ CREATE TABLE bookmarks (
 );
 
 CREATE TABLE tags (
-  id INTEGER PRIMARY KEY,
+  id INTEGER PRIMARY KEY AUTOINCREMENT,
   name TEXT UNIQUE NOT NULL
 );
 
 CREATE TABLE bookmark_tags (
-  bookmark_id INTEGER REFERENCES bookmarks(id),
-  tag_id INTEGER REFERENCES tags(id),
+  bookmark_id INTEGER REFERENCES bookmarks(id) ON DELETE CASCADE,
+  tag_id INTEGER REFERENCES tags(id) ON DELETE CASCADE,
   PRIMARY KEY (bookmark_id, tag_id)
 );
 ```
 
 ## Requirements
 - TypeScript throughout
-- Input validation (frontend + backend)
-- Error handling with user feedback
-- Loading states
-- Empty states
-- Responsive design
+- Input validation (frontend + backend): URL format, title required
+- Error handling with user-visible feedback (toast or inline messages)
+- Loading states during API calls
+- Empty states for no bookmarks and no search results
+- Search debounce: 300ms delay before API call
+- Responsive design (single-column on mobile, sidebar on desktop)
 
 ## Testing
-- Backend: Jest + supertest for API tests
-- Frontend: Basic component tests (optional)
-- E2E: Manual testing checklist
+- Backend API tests: Bookmark CRUD, tag listing, search/filter queries (Vitest + supertest)
+- Frontend component tests: BookmarkCard rendering, BookmarkForm validation, SearchBar debounce (Vitest + React Testing Library)
+- Minimum 10 test cases across frontend and backend
+- All tests required to pass (no optional tests)
 
 ## Out of Scope
 - User authentication
@@ -112,10 +148,13 @@ CREATE TABLE bookmark_tags (
 - Real-time sync
 
 ## Success Criteria
-- All CRUD operations work
-- Search and filter work
+- All CRUD operations work end-to-end (create, read, update, delete)
+- Search filters bookmarks by title with debounce
+- Tag filter shows only bookmarks with selected tag
+- Tag counts are accurate
+- Data persists across page refresh
 - No console errors
-- Tests pass
+- All tests pass
 - Code review passes (all 3 reviewers)
 
 ---

package/templates/simple-todo-app.md

@@ -1,48 +1,133 @@
 # PRD: Simple Todo App
 
 ## Overview
-A minimal todo application for testing Loki Mode with a simple, well-defined scope.
+A minimal todo application for testing Loki Mode with a simple, well-defined scope. A single-page app called "Todos" with a React frontend, Express API, and SQLite persistence.
 
 ## Target Users
-Individual users who want a simple way to track tasks.
+- Individual users who want a simple way to track tasks
+- Developers testing Loki Mode's core generation pipeline
 
 ## Features
 
 ### MVP Features
 1. **Add Todo** - Users can add a new todo item with a title
-2. **View Todos** - Display list of all todos
-3. **Complete Todo** - Mark a todo as done
-4. **Delete Todo** - Remove a todo from the list
+2. **View Todos** - Display list of all todos with completion status
+3. **Complete Todo** - Mark a todo as done (toggle)
+4. **Delete Todo** - Remove a todo from the list with confirmation
 
-### Tech Stack (Suggested)
-- Frontend: React + TypeScript
-- Backend: Node.js + Express
-- Database: SQLite (local file)
-- No deployment (local testing only)
+### User Flow
+1. User opens app -> sees todo list (or empty state if none)
+2. Types a title in the input field -> presses Enter or clicks Add
+3. New todo appears at the top of the list, input clears
+4. Clicks checkbox to toggle complete -> visual strikethrough
+5. Clicks delete icon -> confirmation prompt -> todo removed
+6. Refreshes page -> all state persists from database
+
+## Tech Stack
+
+### Frontend
+- React 18 with TypeScript
+- Vite for bundling
+- TailwindCSS for styling
+
+### Backend
+- Node.js 18+
+- Express.js
+- SQLite via better-sqlite3
+- zod for input validation
+
+### Structure
+```
+/
+├── frontend/
+│   ├── src/
+│   │   ├── App.tsx                  # Main app component
+│   │   ├── components/
+│   │   │   ├── TodoList.tsx         # List of todo items
+│   │   │   ├── TodoItem.tsx         # Single todo with checkbox/delete
+│   │   │   ├── AddTodo.tsx          # Input form for new todos
+│   │   │   └── EmptyState.tsx       # Shown when no todos exist
+│   │   ├── hooks/
+│   │   │   └── useTodos.ts         # API fetch/mutate hook
+│   │   ├── types/
+│   │   │   └── index.ts            # Todo type definition
+│   │   └── main.tsx
+│   ├── package.json
+│   └── vite.config.ts
+├── backend/
+│   ├── src/
+│   │   ├── index.ts                # Express server setup
+│   │   ├── routes/
+│   │   │   └── todos.ts            # CRUD route handlers
+│   │   └── db/
+│   │       └── index.ts            # SQLite connection + init
+│   ├── package.json
+│   └── tsconfig.json
+├── tests/
+│   ├── todos.test.ts               # API endpoint tests
+│   └── components/
+│       └── TodoItem.test.tsx        # Component tests
+└── README.md
+```
+
+## Database Schema
+
+```sql
+CREATE TABLE todos (
+  id INTEGER PRIMARY KEY AUTOINCREMENT,
+  title TEXT NOT NULL,
+  completed INTEGER DEFAULT 0,       -- 0 = false, 1 = true
+  created_at DATETIME DEFAULT CURRENT_TIMESTAMP
+);
+```
+
+## API Endpoints
+
+### Todos
+- `GET /api/todos` - List all todos (ordered by created_at DESC)
+- `POST /api/todos` - Create todo (body: `{ title }`, returns created todo)
+- `PATCH /api/todos/:id` - Toggle completion (body: `{ completed }`)
+- `DELETE /api/todos/:id` - Delete todo (returns 204)
+
+### Health
+- `GET /health` - Returns `{ status: "ok" }`
 
 ## Acceptance Criteria
 
 ### Add Todo
 - [ ] Input field for todo title
-- [ ] Submit button
+- [ ] Submit on Enter key or button click
 - [ ] New todo appears in list
 - [ ] Input clears after submit
+- [ ] Empty title is rejected (frontend + backend validation)
 
 ### View Todos
 - [ ] Shows all todos in a list
-- [ ] Shows completion status
-- [ ] Empty state when no todos
+- [ ] Shows completion status (checkbox)
+- [ ] Empty state message when no todos exist
 
 ### Complete Todo
-- [ ] Checkbox or button to mark complete
-- [ ] Visual indicator for completed items
-- [ ] Persists after refresh
+- [ ] Checkbox toggles complete/incomplete
+- [ ] Visual strikethrough for completed items
+- [ ] Persists after page refresh
 
 ### Delete Todo
 - [ ] Delete button on each todo
 - [ ] Confirmation before delete
 - [ ] Removes from list and database
 
+## Requirements
+- TypeScript throughout
+- Input validation on both frontend and backend
+- Proper HTTP status codes (201 for create, 204 for delete, 400 for validation errors)
+- Loading states during API calls
+- Responsive design (usable on mobile)
+
+## Testing
+- API tests: All 4 CRUD endpoints with valid and invalid input (Vitest + supertest)
+- Component tests: TodoItem renders correctly, AddTodo form submission works
+- Minimum 6 test cases covering happy path and error cases
+
 ## Out of Scope
 - User authentication
 - Due dates
@@ -50,11 +135,14 @@ Individual users who want a simple way to track tasks.
 - Mobile app
 - Cloud deployment
 
-## Success Metrics
-- All features functional
-- Tests passing
+## Success Criteria
+- All 4 CRUD features functional end-to-end
+- All tests pass
 - No console errors
+- Empty state displays correctly
+- Data persists across page refresh
+- Input validation rejects empty titles
 
 ---
 
-**Purpose:** This PRD is intentionally simple to allow quick testing of Loki Mode's core functionality without waiting for complex builds or deployments.
+**Purpose:** This PRD is intentionally simple to allow quick testing of Loki Mode's core functionality without waiting for complex builds or deployments. Expect ~15-25 minutes for full execution.