loki-mode 6.53.0 → 6.55.0

package/SKILL.md

@@ -3,7 +3,7 @@ name: loki-mode
 description: Multi-agent autonomous startup system. Triggers on "Loki Mode". Takes PRD to deployed product with minimal human intervention. Requires --dangerously-skip-permissions flag.
 ---
 
-# Loki Mode v6.53.0
+# Loki Mode v6.55.0
 
 **You are an autonomous agent. You make decisions. You do not ask questions. You do not stop.**
 
@@ -267,4 +267,4 @@ The following features are documented in skill modules but not yet fully automat
 | Quality gates 3-reviewer system | Implemented (v5.35.0) | 5 specialist reviewers in `skills/quality-gates.md`; execution in run.sh |
 | Benchmarks (HumanEval, SWE-bench) | Infrastructure only | Runner scripts and datasets exist in `benchmarks/`; no published results |
 
-**v6.53.0 | [Autonomi](https://www.autonomi.dev/) flagship product | ~260 lines core**
+**v6.55.0 | [Autonomi](https://www.autonomi.dev/) flagship product | ~260 lines core**

package/VERSION

@@ -1 +1 @@
-6.53.0
+6.55.0

package/bin/postinstall.js

@@ -131,6 +131,35 @@ try {
   // If npm bin check fails, skip PATH warning silently
 }
 
+// Install Python dependencies for Purple Lab (pexpect, watchdog, httpx)
+try {
+  const { execSync } = require('child_process');
+  const pyDeps = ['pexpect', 'watchdog', 'httpx'];
+  // Check if deps are already installed
+  const missing = pyDeps.filter(dep => {
+    try {
+      execSync(`python3 -c "import ${dep}"`, { stdio: 'pipe' });
+      return false;
+    } catch { return true; }
+  });
+  if (missing.length > 0) {
+    console.log(`Installing Python dependencies: ${missing.join(', ')}...`);
+    try {
+      execSync(`python3 -m pip install --break-system-packages ${missing.join(' ')}`, { stdio: 'pipe', timeout: 60000 });
+      console.log('  [OK] Python dependencies installed');
+    } catch {
+      try {
+        execSync(`python3 -m pip install ${missing.join(' ')}`, { stdio: 'pipe', timeout: 60000 });
+        console.log('  [OK] Python dependencies installed');
+      } catch {
+        console.log(`  [WARN] Could not install Python deps. Run: pip install ${missing.join(' ')}`);
+      }
+    }
+  }
+} catch {
+  // Python not available, skip silently
+}
+
 console.log('');
 console.log('CLI commands:');
 console.log('  loki start ./prd.md              Start with Claude (default)');

package/dashboard/__init__.py

@@ -7,7 +7,7 @@ Modules:
     control: Session control API (start/stop/pause/resume)
 """
 
-__version__ = "6.53.0"
+__version__ = "6.55.0"
 
 # Expose the control app for easy import
 try:

package/docs/INSTALLATION.md

@@ -2,7 +2,7 @@
 
 The flagship product of [Autonomi](https://www.autonomi.dev/). Complete installation instructions for all platforms and use cases.
 
-**Version:** v6.53.0
+**Version:** v6.55.0
 
 ---
 

package/mcp/__init__.py

@@ -57,4 +57,4 @@ try:
 except ImportError:
     __all__ = ['mcp']
 
-__version__ = '6.53.0'
+__version__ = '6.55.0'

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "loki-mode",
-  "version": "6.53.0",
+  "version": "6.55.0",
   "description": "Loki Mode by Autonomi - Multi-agent autonomous startup system for Claude Code, Codex CLI, and Gemini CLI",
   "keywords": [
     "agent",
@@ -83,7 +83,16 @@
     "completions/",
     "src/",
     "web-app/dist/",
-    "web-app/server.py"
+    "web-app/server.py",
+    "web-app/auth.py",
+    "web-app/models.py",
+    "web-app/crypto.py",
+    "web-app/requirements.txt",
+    "web-app/alembic.ini",
+    "web-app/migrations/",
+    "web-app/Dockerfile",
+    "web-app/docker-compose.purple-lab.yml",
+    "web-app/deploy/"
   ],
   "scripts": {
     "postinstall": "node bin/postinstall.js",

package/web-app/Dockerfile

@@ -0,0 +1,59 @@
+# Purple Lab Dockerfile
+# Build: docker compose -f docker-compose.purple-lab.yml build
+# Run:   docker compose -f docker-compose.purple-lab.yml up
+
+# --- Stage 1: Build frontend ---
+FROM node:20-alpine AS frontend-build
+
+WORKDIR /build
+COPY package.json package-lock.json* ./
+RUN npm ci --ignore-scripts
+COPY tsconfig*.json vite.config.ts tailwind.config.js postcss.config.js index.html ./
+COPY src/ ./src/
+RUN npm run build
+
+# --- Stage 2: Production image ---
+FROM python:3.12-slim
+
+LABEL maintainer="Lokesh Mure"
+LABEL description="Purple Lab - Replit-like web UI for Loki Mode"
+
+# Install system dependencies
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    bash \
+    curl \
+    git \
+    && rm -rf /var/lib/apt/lists/*
+
+# Create non-root user
+RUN useradd -m -s /bin/bash -u 1000 purplelab
+
+WORKDIR /opt/purple-lab
+
+# Install Python dependencies
+COPY requirements.txt ./
+RUN pip install --no-cache-dir -r requirements.txt
+
+# Copy Python backend
+COPY server.py auth.py models.py ./
+
+# Copy built frontend from stage 1
+COPY --from=frontend-build /build/dist/ ./dist/
+
+# Copy loki CLI and supporting files from parent context (if needed at runtime)
+# For standalone mode, the server works without loki CLI
+
+# Set ownership
+RUN chown -R purplelab:purplelab /opt/purple-lab
+
+# Create project data directory
+RUN mkdir -p /projects && chown purplelab:purplelab /projects
+
+EXPOSE 57375
+
+USER purplelab
+
+CMD ["python3", "server.py"]
+
+HEALTHCHECK --interval=10s --timeout=5s --start-period=15s --retries=3 \
+    CMD curl -f http://localhost:57375/health || exit 1

package/web-app/alembic.ini

@@ -0,0 +1,43 @@
+[alembic]
+script_location = migrations
+prepend_sys_path = .
+
+# The URL is overridden at runtime from DATABASE_URL env var.
+# This placeholder is required by alembic but never used directly.
+sqlalchemy.url = driver://user:pass@localhost/dbname
+
+[post_write_hooks]
+
+[loggers]
+keys = root,sqlalchemy,alembic
+
+[handlers]
+keys = console
+
+[formatters]
+keys = generic
+
+[logger_root]
+level = WARN
+handlers = console
+qualname =
+
+[logger_sqlalchemy]
+level = WARN
+handlers =
+qualname = sqlalchemy.engine
+
+[logger_alembic]
+level = INFO
+handlers =
+qualname = alembic
+
+[handler_console]
+class = StreamHandler
+args = (sys.stderr,)
+level = NOTSET
+formatter = generic
+
+[formatter_generic]
+format = %(levelname)-5.5s [%(name)s] %(message)s
+datefmt = %H:%M:%S

package/web-app/auth.py

@@ -0,0 +1,249 @@
+"""Purple Lab authentication -- JWT + OAuth.
+
+When no DATABASE_URL is configured, authentication is completely disabled
+and all endpoints are accessible without tokens (local development mode).
+"""
+import logging
+import os
+import secrets
+import time
+from datetime import datetime, timedelta
+from typing import Optional
+
+from fastapi import Depends, HTTPException, Request
+from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
+
+try:
+    from jose import JWTError, jwt
+except ImportError:
+    jwt = None  # type: ignore[assignment]
+    JWTError = Exception  # type: ignore[assignment,misc]
+
+try:
+    from passlib.context import CryptContext
+    pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
+except ImportError:
+    pwd_context = None  # type: ignore[assignment]
+
+logger = logging.getLogger("purple-lab.auth")
+
+# ---------------------------------------------------------------------------
+# Config from environment variables
+# ---------------------------------------------------------------------------
+
+SECRET_KEY = os.environ.get("PURPLE_LAB_SECRET_KEY", "")
+if not SECRET_KEY:
+    SECRET_KEY = secrets.token_hex(32)
+    logger.warning(
+        "PURPLE_LAB_SECRET_KEY not set -- generated ephemeral key. "
+        "Tokens will not survive server restarts. "
+        "Set PURPLE_LAB_SECRET_KEY env var for production use."
+    )
+ALGORITHM = "HS256"
+ACCESS_TOKEN_EXPIRE_HOURS = 24
+
+# OAuth config
+GITHUB_CLIENT_ID = os.environ.get("GITHUB_CLIENT_ID", "")
+GITHUB_CLIENT_SECRET = os.environ.get("GITHUB_CLIENT_SECRET", "")
+GOOGLE_CLIENT_ID = os.environ.get("GOOGLE_CLIENT_ID", "")
+GOOGLE_CLIENT_SECRET = os.environ.get("GOOGLE_CLIENT_SECRET", "")
+
+security = HTTPBearer(auto_error=False)
+
+
+# ---------------------------------------------------------------------------
+# Token helpers
+# ---------------------------------------------------------------------------
+
+def create_access_token(data: dict, expires_delta: timedelta | None = None) -> str:
+    """Create a signed JWT access token."""
+    if jwt is None:
+        raise RuntimeError("python-jose is not installed. Install with: pip install python-jose[cryptography]")
+    to_encode = data.copy()
+    expire = datetime.utcnow() + (expires_delta or timedelta(hours=ACCESS_TOKEN_EXPIRE_HOURS))
+    to_encode.update({"exp": expire})
+    return jwt.encode(to_encode, SECRET_KEY, algorithm=ALGORITHM)
+
+
+def verify_token(token: str) -> Optional[dict]:
+    """Verify and decode a JWT token. Returns None if invalid."""
+    if jwt is None:
+        return None
+    try:
+        payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
+        return payload
+    except JWTError:
+        return None
+
+
+def hash_password(password: str) -> str:
+    """Hash a password using bcrypt."""
+    if pwd_context is None:
+        raise RuntimeError("passlib is not installed. Install with: pip install passlib[bcrypt]")
+    return pwd_context.hash(password)
+
+
+def verify_password(plain_password: str, hashed_password: str) -> bool:
+    """Verify a password against a bcrypt hash."""
+    if pwd_context is None:
+        return False
+    return pwd_context.verify(plain_password, hashed_password)
+
+
+# ---------------------------------------------------------------------------
+# FastAPI dependencies
+# ---------------------------------------------------------------------------
+
+async def get_current_user(
+    credentials: HTTPAuthorizationCredentials = Depends(security),
+) -> Optional[dict]:
+    """Get current user from JWT token. Returns None if no auth configured."""
+    # If no database is configured, auth is disabled (local development mode)
+    from models import async_session_factory
+
+    if async_session_factory is None:
+        return None  # Auth disabled, allow all requests
+
+    if not credentials:
+        raise HTTPException(status_code=401, detail="Not authenticated")
+
+    payload = verify_token(credentials.credentials)
+    if not payload:
+        raise HTTPException(status_code=401, detail="Invalid or expired token")
+
+    return payload
+
+
+# ---------------------------------------------------------------------------
+# OAuth state (CSRF protection)
+# ---------------------------------------------------------------------------
+
+# In-memory store of valid OAuth state tokens.  Each entry maps
+# state -> expiry timestamp.  Tokens expire after 10 minutes.
+_oauth_states: dict[str, float] = {}
+_OAUTH_STATE_TTL = 600  # 10 minutes
+
+
+def generate_oauth_state() -> str:
+    """Generate a cryptographically random state token for OAuth CSRF protection."""
+    _purge_expired_states()
+    state = secrets.token_urlsafe(32)
+    _oauth_states[state] = time.time() + _OAUTH_STATE_TTL
+    return state
+
+
+def validate_oauth_state(state: str | None) -> bool:
+    """Validate and consume an OAuth state token.  Returns False if invalid or expired."""
+    if not state:
+        return False
+    _purge_expired_states()
+    expiry = _oauth_states.pop(state, None)
+    if expiry is None:
+        return False
+    return time.time() < expiry
+
+
+def _purge_expired_states() -> None:
+    """Remove expired state tokens to prevent memory growth."""
+    now = time.time()
+    expired = [s for s, exp in _oauth_states.items() if now >= exp]
+    for s in expired:
+        _oauth_states.pop(s, None)
+
+
+# ---------------------------------------------------------------------------
+# OAuth handlers
+# ---------------------------------------------------------------------------
+
+async def github_oauth_callback(code: str) -> dict:
+    """Exchange GitHub OAuth code for user info."""
+    import httpx
+
+    async with httpx.AsyncClient(timeout=10.0) as client:
+        # Exchange code for token
+        token_resp = await client.post(
+            "https://github.com/login/oauth/access_token",
+            json={
+                "client_id": GITHUB_CLIENT_ID,
+                "client_secret": GITHUB_CLIENT_SECRET,
+                "code": code,
+            },
+            headers={"Accept": "application/json"},
+        )
+        token_data = token_resp.json()
+        access_token = token_data.get("access_token")
+
+        if not access_token:
+            error_desc = token_data.get("error_description", "Unknown error")
+            logger.warning("GitHub OAuth token exchange failed: %s", error_desc)
+            raise HTTPException(status_code=400, detail=f"Failed to get GitHub access token: {error_desc}")
+
+        # Get user info
+        user_resp = await client.get(
+            "https://api.github.com/user",
+            headers={"Authorization": f"Bearer {access_token}"},
+        )
+        if user_resp.status_code != 200:
+            raise HTTPException(status_code=502, detail="Failed to fetch GitHub user info")
+        user_data = user_resp.json()
+
+        # Get primary email
+        email_resp = await client.get(
+            "https://api.github.com/user/emails",
+            headers={"Authorization": f"Bearer {access_token}"},
+        )
+        emails = email_resp.json() if email_resp.status_code == 200 else []
+        primary_email = next(
+            (e["email"] for e in emails if isinstance(e, dict) and e.get("primary")), None
+        )
+
+        return {
+            "email": primary_email or user_data.get("email"),
+            "name": user_data.get("name") or user_data.get("login"),
+            "avatar_url": user_data.get("avatar_url"),
+            "provider": "github",
+            "provider_id": str(user_data["id"]),
+        }
+
+
+async def google_oauth_callback(code: str, redirect_uri: str) -> dict:
+    """Exchange Google OAuth code for user info."""
+    import httpx
+
+    async with httpx.AsyncClient(timeout=10.0) as client:
+        token_resp = await client.post(
+            "https://oauth2.googleapis.com/token",
+            data={
+                "code": code,
+                "client_id": GOOGLE_CLIENT_ID,
+                "client_secret": GOOGLE_CLIENT_SECRET,
+                "redirect_uri": redirect_uri,
+                "grant_type": "authorization_code",
+            },
+        )
+        token_data = token_resp.json()
+        access_token = token_data.get("access_token")
+
+        if not access_token:
+            error_desc = token_data.get("error_description", "Unknown error")
+            logger.warning("Google OAuth token exchange failed: %s", error_desc)
+            raise HTTPException(status_code=400, detail=f"Failed to get Google access token: {error_desc}")
+
+        user_resp = await client.get(
+            "https://www.googleapis.com/oauth2/v2/userinfo",
+            headers={"Authorization": f"Bearer {access_token}"},
+        )
+        if user_resp.status_code != 200:
+            raise HTTPException(status_code=502, detail="Failed to fetch Google user info")
+        user_data = user_resp.json()
+
+        if "email" not in user_data:
+            raise HTTPException(status_code=400, detail="Google account has no email")
+
+        return {
+            "email": user_data["email"],
+            "name": user_data.get("name"),
+            "avatar_url": user_data.get("picture"),
+            "provider": "google",
+            "provider_id": str(user_data["id"]),
+        }

package/web-app/crypto.py

@@ -0,0 +1,83 @@
+"""Purple Lab secrets encryption -- Fernet symmetric encryption.
+
+When PURPLE_LAB_SECRET_KEY is set, secret values are encrypted at rest
+using Fernet (AES-128-CBC with HMAC-SHA256). In local dev mode without
+the env var, secrets are stored in plaintext.
+"""
+import base64
+import hashlib
+import logging
+import os
+
+logger = logging.getLogger("purple-lab.crypto")
+
+try:
+    from cryptography.fernet import Fernet, InvalidToken
+    _HAS_FERNET = True
+except ImportError:
+    _HAS_FERNET = False
+    InvalidToken = Exception  # type: ignore[assignment,misc]
+    logger.warning(
+        "cryptography package not installed -- secret encryption disabled. "
+        "Install with: pip install cryptography"
+    )
+
+
+def _get_secret_key() -> str | None:
+    """Return PURPLE_LAB_SECRET_KEY if explicitly set, else None."""
+    return os.environ.get("PURPLE_LAB_SECRET_KEY") or None
+
+
+def _derive_fernet_key(secret: str) -> bytes:
+    """Derive a Fernet-compatible key from an arbitrary secret string.
+
+    Fernet requires a 32-byte URL-safe base64-encoded key.  We derive it
+    deterministically from the secret using SHA-256.
+    """
+    raw = hashlib.sha256(secret.encode()).digest()
+    return base64.urlsafe_b64encode(raw)
+
+
+def encryption_available() -> bool:
+    """Return True if encryption is both available and configured."""
+    return _HAS_FERNET and _get_secret_key() is not None
+
+
+def encrypt_value(plaintext: str) -> str:
+    """Encrypt a string value using Fernet.
+
+    Returns the ciphertext as a UTF-8 string.  If encryption is not
+    available or not configured, returns the plaintext unchanged.
+    """
+    secret = _get_secret_key()
+    if not _HAS_FERNET or secret is None:
+        return plaintext
+    try:
+        f = Fernet(_derive_fernet_key(secret))
+        return f.encrypt(plaintext.encode()).decode()
+    except Exception:
+        logger.exception("Failed to encrypt value -- storing plaintext")
+        return plaintext
+
+
+def decrypt_value(ciphertext: str) -> str:
+    """Decrypt a Fernet-encrypted string.
+
+    Returns the plaintext.  If the value was never encrypted (legacy
+    plaintext) or decryption fails, returns the original string so that
+    existing unencrypted secrets continue to work.
+    """
+    secret = _get_secret_key()
+    if not _HAS_FERNET or secret is None:
+        return ciphertext
+    try:
+        f = Fernet(_derive_fernet_key(secret))
+        return f.decrypt(ciphertext.encode()).decode()
+    except InvalidToken:
+        # Value is likely plaintext from before encryption was enabled.
+        # Return as-is so existing secrets keep working.
+        logger.debug("Could not decrypt value -- returning as plaintext (likely legacy)")
+        return ciphertext
+    except Exception:
+        logger.exception("Unexpected decryption error -- returning raw value")
+        return ciphertext

package/web-app/deploy/k8s/purple-lab/configmap.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: purple-lab-config
+data:
+  PURPLE_LAB_HOST: "0.0.0.0"
+  PURPLE_LAB_PORT: "57375"
+  LOG_LEVEL: "info"

package/web-app/deploy/k8s/purple-lab/deployment.yaml

@@ -0,0 +1,69 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: purple-lab
+  labels:
+    app: purple-lab
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: purple-lab
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 1
+      maxUnavailable: 0
+  template:
+    metadata:
+      labels:
+        app: purple-lab
+    spec:
+      serviceAccountName: purple-lab
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        fsGroup: 1000
+      containers:
+        - name: purple-lab
+          image: asklokesh/purple-lab:latest
+          imagePullPolicy: Always
+          ports:
+            - name: http
+              containerPort: 57375
+              protocol: TCP
+          envFrom:
+            - configMapRef:
+                name: purple-lab-config
+            - secretRef:
+                name: purple-lab-secrets
+          resources:
+            requests:
+              memory: "256Mi"
+              cpu: "250m"
+            limits:
+              memory: "1Gi"
+              cpu: "1000m"
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: http
+            initialDelaySeconds: 15
+            periodSeconds: 10
+            timeoutSeconds: 5
+            failureThreshold: 3
+          readinessProbe:
+            httpGet:
+              path: /health
+              port: http
+            initialDelaySeconds: 5
+            periodSeconds: 5
+            timeoutSeconds: 3
+            failureThreshold: 3
+          volumeMounts:
+            - name: project-storage
+              mountPath: /projects
+      volumes:
+        - name: project-storage
+          persistentVolumeClaim:
+            claimName: purple-lab-projects

package/web-app/deploy/k8s/purple-lab/hpa.yaml

@@ -0,0 +1,24 @@
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: purple-lab
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: purple-lab
+  minReplicas: 2
+  maxReplicas: 10
+  metrics:
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          type: Utilization
+          averageUtilization: 70
+    - type: Resource
+      resource:
+        name: memory
+        target:
+          type: Utilization
+          averageUtilization: 80

package/web-app/deploy/k8s/purple-lab/ingress.yaml

@@ -0,0 +1,30 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: purple-lab
+  annotations:
+    nginx.ingress.kubernetes.io/websocket-services: "purple-lab"
+    nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
+    nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
+    nginx.ingress.kubernetes.io/proxy-body-size: "100m"
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      proxy_set_header Upgrade $http_upgrade;
+      proxy_set_header Connection "upgrade";
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+spec:
+  ingressClassName: nginx
+  tls:
+    - hosts:
+        - lab.autonomi.dev
+      secretName: purple-lab-tls
+  rules:
+    - host: lab.autonomi.dev
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: purple-lab
+                port:
+                  number: 80