npm - loki-mode - Versions diffs - 6.37.1 → 6.37.3 - Mend

loki-mode 6.37.1 → 6.37.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

package/SKILL.md +2 -2
package/VERSION +1 -1
package/dashboard/__init__.py +1 -1
package/dashboard/auth.py +28 -19
package/dashboard/server.py +18 -8
package/dashboard/static/index.html +20 -20
package/docs/INSTALLATION.md +1 -1
package/mcp/__init__.py +1 -1
package/package.json +1 -1
package/web-app/dist/assets/index-BVw_Fxig.js +66 -0
package/web-app/dist/assets/index-CDiM5Vh4.css +1 -0
package/web-app/dist/index.html +2 -2
package/web-app/server.py +123 -41
package/web-app/dist/assets/index-Cm-odtQC.js +0 -66
package/web-app/dist/assets/index-SenDDIyx.css +0 -1

package/SKILL.md CHANGED Viewed

@@ -3,7 +3,7 @@ name: loki-mode
 description: Multi-agent autonomous startup system. Triggers on "Loki Mode". Takes PRD to deployed product with minimal human intervention. Requires --dangerously-skip-permissions flag.
 ---
-# Loki Mode v6.37.1
+# Loki Mode v6.37.3
 **You are an autonomous agent. You make decisions. You do not ask questions. You do not stop.**
@@ -267,4 +267,4 @@ The following features are documented in skill modules but not yet fully automat
 | Quality gates 3-reviewer system | Implemented (v5.35.0) | 5 specialist reviewers in `skills/quality-gates.md`; execution in run.sh |
 | Benchmarks (HumanEval, SWE-bench) | Infrastructure only | Runner scripts and datasets exist in `benchmarks/`; no published results |
-**v6.37.1 | [Autonomi](https://www.autonomi.dev/) flagship product | ~260 lines core**
+**v6.37.3 | [Autonomi](https://www.autonomi.dev/) flagship product | ~260 lines core**

package/VERSION CHANGED Viewed

	@@ -1 +1 @@
1	- 6.37.1
1	+ 6.37.3

package/dashboard/__init__.py CHANGED Viewed

@@ -7,7 +7,7 @@ Modules:
     control: Session control API (start/stop/pause/resume)
 """
-__version__ = "6.37.1"
+__version__ = "6.37.3"
 # Expose the control app for easy import
 try:

package/dashboard/auth.py CHANGED Viewed

@@ -14,6 +14,7 @@ from __future__ import annotations
 import base64
 import hashlib
+import hmac
 import json
 import os
 import secrets
@@ -103,6 +104,9 @@ def _save_tokens(tokens: dict) -> None:
     TOKEN_FILE.touch(mode=0o600, exist_ok=True)
     with open(TOKEN_FILE, "w") as f:
         json.dump(tokens, f, indent=2, default=str)
+    # Enforce 0600 on every write, not just creation -- touch(mode=) only
+    # applies when the file is new, so an external chmod would persist.
+    os.chmod(TOKEN_FILE, 0o600)
 def _hash_token(token: str, salt: str = None) -> tuple[str, str]:
@@ -123,7 +127,7 @@ def _hash_token(token: str, salt: str = None) -> tuple[str, str]:
 def _constant_time_compare(a: str, b: str) -> bool:
     """Constant-time string comparison to prevent timing attacks."""
-    return secrets.compare_digest(a.encode(), b.encode())
+    return hmac.compare_digest(a.encode(), b.encode())
 def resolve_scopes(role_or_scopes) -> list[str]:
@@ -342,30 +346,35 @@ def validate_token(raw_token: str) -> Optional[dict]:
     tokens = _load_tokens()
-    # Find matching token (using constant-time comparison to prevent timing attacks)
+    # Iterate ALL tokens to prevent timing side-channel that leaks token count.
+    # Do not short-circuit on match -- always hash and compare every entry.
+    matched_token: Optional[dict] = None
     for token in tokens["tokens"].values():
         stored_salt = token.get("salt", "")
         token_hash, _ = _hash_token(raw_token, salt=stored_salt)
         if _constant_time_compare(token["hash"], token_hash):
-            # Check if revoked
-            if token.get("revoked"):
+            matched_token = token
+    if matched_token is not None:
+        # Check if revoked
+        if matched_token.get("revoked"):
+            return None
+        # Check expiration
+        if matched_token.get("expires_at"):
+            expires = datetime.fromisoformat(matched_token["expires_at"])
+            if datetime.now(timezone.utc) > expires:
                 return None
-            # Check expiration
-            if token.get("expires_at"):
-                expires = datetime.fromisoformat(token["expires_at"])
-                if datetime.now(timezone.utc) > expires:
-                    return None
-            # Update last used
-            token["last_used"] = datetime.now(timezone.utc).isoformat()
-            _save_tokens(tokens)
-            return {
-                "id": token["id"],
-                "name": token["name"],
-                "scopes": token["scopes"],
-            }
+        # Update last used
+        matched_token["last_used"] = datetime.now(timezone.utc).isoformat()
+        _save_tokens(tokens)
+        return {
+            "id": matched_token["id"],
+            "name": matched_token["name"],
+            "scopes": matched_token["scopes"],
+        }
     return None

package/dashboard/server.py CHANGED Viewed

@@ -1284,20 +1284,23 @@ async def websocket_endpoint(websocket: WebSocket) -> None:
             "data": {"message": "Connected to Loki Dashboard"},
         })
-        # Keep connection alive and handle incoming messages
+        # Keep connection alive and handle incoming messages.
+        # Close idle connections after ~60s of no response to pings.
+        missed_pongs = 0
         while True:
             try:
                 data = await asyncio.wait_for(
                     websocket.receive_text(),
-                    timeout=30.0  # Ping every 30 seconds
+                    timeout=30.0  # Ping every 30 seconds of silence
                 )
-                # Handle incoming messages (e.g., subscriptions)
+                missed_pongs = 0  # any message resets idle counter
                 try:
                     message = json.loads(data)
                     if message.get("type") == "ping":
                         await manager.send_personal(websocket, {"type": "pong"})
+                    elif message.get("type") == "pong":
+                        pass  # client responded to our ping
                     elif message.get("type") == "subscribe":
-                        # Could implement channel subscriptions here
                         await manager.send_personal(websocket, {
                             "type": "subscribed",
                             "data": message.get("data", {}),
@@ -1305,8 +1308,15 @@ async def websocket_endpoint(websocket: WebSocket) -> None:
                 except json.JSONDecodeError as e:
                     logger.debug(f"WebSocket received invalid JSON: {e}")
             except asyncio.TimeoutError:
-                # Send keepalive ping
-                await manager.send_personal(websocket, {"type": "ping"})
+                missed_pongs += 1
+                if missed_pongs >= 2:
+                    # Two consecutive pings with no reply -- close idle connection
+                    logger.info("Closing idle WebSocket (no pong response)")
+                    break
+                try:
+                    await manager.send_personal(websocket, {"type": "ping"})
+                except Exception:
+                    break
     except WebSocketDisconnect:
         manager.disconnect(websocket)
@@ -1608,7 +1618,7 @@ class AuditQueryParams(BaseModel):
     offset: int = 0
-@app.get("/api/enterprise/audit")
+@app.get("/api/enterprise/audit", dependencies=[Depends(auth.require_scope("audit"))])
 async def query_audit_logs(
     start_date: Optional[str] = None,
     end_date: Optional[str] = None,
@@ -1640,7 +1650,7 @@ async def query_audit_logs(
     )
-@app.get("/api/enterprise/audit/summary")
+@app.get("/api/enterprise/audit/summary", dependencies=[Depends(auth.require_scope("audit"))])
 async def get_audit_summary(days: int = 7):
     """Get audit activity summary."""
     if not audit.is_audit_enabled():