loki-mode 6.71.1 → 6.72.0

package/web-app/server.py

@@ -313,11 +313,29 @@ class StartRequest(BaseModel):
     projectDir: Optional[str] = None
     mode: Optional[str] = None  # "quick" for quick mode
 
+    @field_validator("provider")
+    @classmethod
+    def validate_provider(cls, v: str) -> str:
+        # BUG-E2E-006: Validate provider to prevent injection via unknown providers
+        allowed = {"claude", "codex", "gemini", "cline", "aider"}
+        if v not in allowed:
+            raise ValueError(f"Unknown provider '{v}'. Allowed: {', '.join(sorted(allowed))}")
+        return v
+
 
 class QuickStartRequest(BaseModel):
     prompt: str
     provider: str = "claude"
 
+    @field_validator("provider")
+    @classmethod
+    def validate_provider(cls, v: str) -> str:
+        # BUG-E2E-006: Validate provider to prevent injection via unknown providers
+        allowed = {"claude", "codex", "gemini", "cline", "aider"}
+        if v not in allowed:
+            raise ValueError(f"Unknown provider '{v}'. Allowed: {', '.join(sorted(allowed))}")
+        return v
+
 
 class StopResponse(BaseModel):
     stopped: bool
@@ -360,6 +378,18 @@ class FileDeleteRequest(BaseModel):
 class ChatRequest(BaseModel):
     message: str
     mode: str = "quick"  # "quick" or "standard"
+    # BUG-E2E-004: Accept recent chat history so AI has conversation context
+    history: Optional[list[dict]] = None  # [{role: "user"|"assistant", content: str}]
+
+    @field_validator("message")
+    @classmethod
+    def validate_message(cls, v: str) -> str:
+        stripped = v.strip()
+        if not stripped:
+            raise ValueError("Message cannot be empty")
+        if len(stripped.encode("utf-8")) > 100_000:  # 100KB max
+            raise ValueError("Message exceeds 100KB limit")
+        return stripped
 
 
 class SecretRequest(BaseModel):
@@ -412,8 +442,19 @@ class FileChangeHandler(FileSystemEventHandler):  # type: ignore[misc]
         self._debounce_handle: Optional[asyncio.TimerHandle] = None
 
     def _should_ignore(self, path: str) -> bool:
-        """Return True if this path should be ignored."""
-        parts = Path(path).parts
+        """Return True if this path should be ignored.
+
+        BUG-INT-004 fix: only check path components relative to the project
+        directory, not the full absolute path. Previously, a project stored
+        at e.g. /home/user/build/project/ would have all events ignored
+        because 'build' appeared in the absolute path parts.
+        """
+        # Compute relative path from project root
+        try:
+            rel = os.path.relpath(path, self.project_dir)
+        except ValueError:
+            rel = path  # different drives on Windows
+        parts = Path(rel).parts
         for part in parts:
             if part in _WATCH_IGNORE_DIRS:
                 return True
@@ -426,7 +467,7 @@ class FileChangeHandler(FileSystemEventHandler):  # type: ignore[misc]
         return False
 
     def on_any_event(self, event) -> None:  # type: ignore[override]
-        if event.is_directory and event.event_type not in ("created", "deleted"):
+        if event.is_directory and event.event_type not in ("created", "deleted", "moved"):
             return
         src = getattr(event, "src_path", "")
         if not src or self._should_ignore(src):
@@ -1543,6 +1584,15 @@ class DevServerManager:
                     fix_env = {**os.environ, **_load_secrets()}
                     fix_env["LOKI_MAX_ITERATIONS"] = "5"
                     fix_env["LOKI_AUTO_FIX"] = "true"
+                    # Pass provider via env
+                    _mf_prov = Path(project_dir) / ".loki" / "state" / "provider"
+                    if _mf_prov.exists():
+                        try:
+                            _mfp = _mf_prov.read_text().strip()
+                            if _mfp:
+                                fix_env["LOKI_PROVIDER"] = _mfp
+                        except OSError:
+                            pass
 
                     await asyncio.to_thread(
                         subprocess.run,
@@ -1633,6 +1683,15 @@ class DevServerManager:
         try:
             auto_fix_env = {**os.environ}
             auto_fix_env.update(_load_secrets())
+            # Pass provider via env for auto-fix commands
+            _af_prov_file = target / ".loki" / "state" / "provider"
+            if _af_prov_file.exists():
+                try:
+                    _afp = _af_prov_file.read_text().strip()
+                    if _afp:
+                        auto_fix_env["LOKI_PROVIDER"] = _afp
+                except OSError:
+                    pass
             result = await asyncio.get_running_loop().run_in_executor(
                 None,
                 lambda: subprocess.run(
@@ -2023,6 +2082,15 @@ INSTRUCTIONS:
         try:
             fix_env = {**os.environ, **_load_secrets()}
             fix_env["LOKI_MAX_ITERATIONS"] = "5"  # More iterations for complex Docker fixes
+            # Pass provider via env
+            _sf_prov = Path(project_dir) / ".loki" / "state" / "provider"
+            if _sf_prov.exists():
+                try:
+                    _sfp = _sf_prov.read_text().strip()
+                    if _sfp:
+                        fix_env["LOKI_PROVIDER"] = _sfp
+                except OSError:
+                    pass
 
             proc = await asyncio.to_thread(
                 subprocess.run,
@@ -2350,9 +2418,15 @@ async def _read_process_output() -> None:
             # Keep last 5000 lines
             if len(session.log_lines) > 5000:
                 session.log_lines = session.log_lines[-5000:]
+            # BUG-E2E-002: Include sequence number so frontend can detect
+            # gaps and maintain correct ordering even under async pressure
             await _broadcast({
                 "type": "log",
-                "data": {"line": text, "timestamp": time.strftime("%H:%M:%S")},
+                "data": {
+                    "line": text,
+                    "timestamp": time.strftime("%H:%M:%S"),
+                    "seq": session.log_lines_total,
+                },
             })
     except Exception:
         logger.error("Process output reader failed", exc_info=True)
@@ -2363,8 +2437,12 @@ async def _read_process_output() -> None:
         await _broadcast({"type": "session_end", "data": {"message": "Session ended"}})
 
 
-def _build_file_tree(root: Path, max_depth: int = 4, _depth: int = 0) -> list[dict]:
-    """Recursively build a file tree from a directory."""
+def _build_file_tree(root: Path, max_depth: int = 8, _depth: int = 0) -> list[dict]:
+    """Recursively build a file tree from a directory.
+
+    max_depth is set to 8 to support monorepo structures like
+    packages/frontend/src/components/ui/Button.tsx (6 levels deep).
+    """
     if _depth >= max_depth or not root.is_dir():
         return []
 
@@ -2374,13 +2452,28 @@ def _build_file_tree(root: Path, max_depth: int = 4, _depth: int = 0) -> list[di
     except PermissionError:
         return []
 
+    # Limit children per directory to prevent memory issues on very large projects
+    MAX_CHILDREN = 500
+    child_count = 0
+
     for item in items:
         # Skip hidden dirs and common noise
         if item.name.startswith("."):
             continue
-        if item.name in ("node_modules", "__pycache__", ".git", "venv", ".venv"):
+        if item.name in ("node_modules", "__pycache__", ".git", "venv", ".venv",
+                         "vendor", ".turbo", ".nx", "coverage", ".parcel-cache"):
             continue
 
+        child_count += 1
+        if child_count > MAX_CHILDREN:
+            entries.append({
+                "name": f"... ({len(list(root.iterdir())) - MAX_CHILDREN} more items)",
+                "path": str(root.relative_to(root)) + "/...",
+                "type": "file",
+                "size": 0,
+            })
+            break
+
         node: dict = {"name": item.name, "path": str(item.relative_to(root))}
         if item.is_dir():
             node["type"] = "directory"
@@ -2430,13 +2523,17 @@ def _load_secrets() -> dict[str, str]:
 
 def _save_secrets(secrets: dict[str, str]) -> None:
     """Save secrets to disk, encrypting values if PURPLE_LAB_SECRET_KEY is set."""
-    from crypto import encrypt_value, encryption_available
     _SECRETS_FILE.parent.mkdir(parents=True, exist_ok=True)
-    if encryption_available():
-        encrypted = {k: encrypt_value(v) for k, v in secrets.items()}
-        _SECRETS_FILE.write_text(json.dumps(encrypted, indent=2))
-    else:
-        _SECRETS_FILE.write_text(json.dumps(secrets, indent=2))
+    try:
+        from crypto import encrypt_value, encryption_available
+        if encryption_available():
+            encrypted = {k: encrypt_value(v) for k, v in secrets.items()}
+            _SECRETS_FILE.write_text(json.dumps(encrypted, indent=2))
+            return
+    except ImportError:
+        pass
+    # Fallback: save as plaintext when crypto module is not available
+    _SECRETS_FILE.write_text(json.dumps(secrets, indent=2))
 
 
 # ---------------------------------------------------------------------------
@@ -2506,6 +2603,16 @@ async def start_session(req: StartRequest) -> JSONResponse:
         project_dir = req.projectDir
         if not project_dir:
             project_dir = os.path.join(Path.home(), "purple-lab-projects", f"project-{int(time.time() * 1000)}")
+        else:
+            # Validate user-supplied path stays within home directory
+            try:
+                resolved_dir = Path(project_dir).resolve()
+                resolved_dir.relative_to(Path.home().resolve())
+            except (ValueError, OSError):
+                return JSONResponse(
+                    status_code=400,
+                    content={"error": "Project directory must be within your home directory"},
+                )
         os.makedirs(project_dir, exist_ok=True)
 
         # Write PRD to a temp file in the project dir
@@ -2535,6 +2642,11 @@ async def start_session(req: StartRequest) -> JSONResponse:
             build_env = {**os.environ, "LOKI_DIR": os.path.join(project_dir, ".loki")}
             build_env.update(_load_secrets())
 
+            # BUG-INT-001 fix: pass provider selection via LOKI_PROVIDER env var
+            # for quick mode (loki quick doesn't accept --provider flag)
+            if req.provider:
+                build_env["LOKI_PROVIDER"] = req.provider
+
             proc = subprocess.Popen(
                 cmd,
                 stdout=subprocess.PIPE,
@@ -2600,6 +2712,9 @@ async def quick_start_session(req: QuickStartRequest) -> JSONResponse:
     prompt = req.prompt.strip()
     if not prompt:
         return JSONResponse(status_code=400, content={"error": "Prompt required"})
+    # BUG-E2E-001: Validate minimum prompt length to prevent degenerate builds
+    if len(prompt) < 3:
+        return JSONResponse(status_code=400, content={"error": "Prompt too short (minimum 3 characters)"})
     if len(prompt.encode()) > _MAX_PRD_BYTES:
         return JSONResponse(status_code=400, content={"error": "Prompt exceeds size limit"})
 
@@ -2750,22 +2865,39 @@ async def get_status() -> JSONResponse:
     max_iterations = 0
     cost_usd = 0.0
 
-    state_file = loki_dir / "state" / "session.json"
-    if state_file.exists():
+    # BUG-INT-002 fix: CLI writes dashboard-state.json, not state/session.json.
+    # Read from dashboard-state.json (primary) with orchestrator.json fallback.
+    dash_state_file = loki_dir / "dashboard-state.json"
+    if dash_state_file.exists():
         try:
-            with open(state_file) as f:
+            with open(dash_state_file) as f:
                 state = json.load(f)
             phase = state.get("phase", phase)
             iteration = state.get("iteration", iteration)
             complexity = state.get("complexity", complexity)
-            current_task = state.get("current_task", current_task)
-            pending_tasks = state.get("pending_tasks", pending_tasks)
+            # Tasks are nested in dashboard-state.json
+            tasks = state.get("tasks")
+            if isinstance(tasks, dict):
+                pending_tasks = int(tasks.get("pending", 0) or 0)
+                in_progress = int(tasks.get("inProgress", 0) or 0)
+                if in_progress > 0:
+                    current_task = f"{in_progress} task(s) in progress"
             # Extract cost from tokens object if present
             tokens = state.get("tokens")
             if isinstance(tokens, dict):
                 cost_usd = float(tokens.get("cost_usd", 0) or 0)
         except (json.JSONDecodeError, OSError):
             pass
+    else:
+        # Fallback: try orchestrator.json for phase/iteration
+        orch_file = loki_dir / "state" / "orchestrator.json"
+        if orch_file.exists():
+            try:
+                with open(orch_file) as f:
+                    orch = json.load(f)
+                phase = orch.get("currentPhase", phase)
+            except (json.JSONDecodeError, OSError):
+                pass
 
     # Read max_iterations from autonomy state
     autonomy_state = loki_dir / "autonomy-state.json"
@@ -2958,15 +3090,16 @@ async def get_prd_prefill() -> JSONResponse:
 @app.post("/api/session/pause")
 async def pause_session() -> JSONResponse:
     """Pause the current loki session by sending SIGUSR1."""
-    if not session.running or session.process is None:
-        return JSONResponse(content={"paused": False, "message": "No session running"})
-    try:
-        os.kill(session.process.pid, signal.SIGUSR1)
-    except ProcessLookupError:
-        return JSONResponse(content={"paused": False, "message": "Process not found"})
-    except Exception as e:
-        return JSONResponse(content={"paused": False, "message": str(e)})
-    session.paused = True
+    async with session._lock:
+        if not session.running or session.process is None:
+            return JSONResponse(content={"paused": False, "message": "No session running"})
+        try:
+            os.kill(session.process.pid, signal.SIGUSR1)
+        except ProcessLookupError:
+            return JSONResponse(content={"paused": False, "message": "Process not found"})
+        except Exception as e:
+            return JSONResponse(content={"paused": False, "message": str(e)})
+        session.paused = True
     await _broadcast({"type": "session_paused", "data": {}})
     return JSONResponse(content={"paused": True})
 
@@ -2974,22 +3107,23 @@ async def pause_session() -> JSONResponse:
 @app.post("/api/session/resume")
 async def resume_session() -> JSONResponse:
     """Resume the current loki session by sending SIGUSR2."""
-    if not session.running or session.process is None:
-        return JSONResponse(content={"resumed": False, "message": "No session running"})
-    try:
-        os.kill(session.process.pid, signal.SIGUSR2)
-    except ProcessLookupError:
-        return JSONResponse(content={"resumed": False, "message": "Process not found"})
-    except Exception as e:
-        return JSONResponse(content={"resumed": False, "message": str(e)})
-    session.paused = False
+    async with session._lock:
+        if not session.running or session.process is None:
+            return JSONResponse(content={"resumed": False, "message": "No session running"})
+        try:
+            os.kill(session.process.pid, signal.SIGUSR2)
+        except ProcessLookupError:
+            return JSONResponse(content={"resumed": False, "message": "Process not found"})
+        except Exception as e:
+            return JSONResponse(content={"resumed": False, "message": str(e)})
+        session.paused = False
     await _broadcast({"type": "session_resumed", "data": {}})
     return JSONResponse(content={"resumed": True})
 
 
 @app.get("/api/templates")
 async def get_templates() -> JSONResponse:
-    """List available PRD templates with description and category."""
+    """List available PRD templates with description, category, tech stack, difficulty, and build time."""
     templates_dir = PROJECT_ROOT / "templates"
     if not templates_dir.is_dir():
         return JSONResponse(content=[])
@@ -3002,29 +3136,102 @@ async def get_templates() -> JSONResponse:
         'cli-tool': 'CLI', 'npm-library': 'CLI',
         'discord-bot': 'Bot', 'slack-bot': 'Bot', 'ai-chatbot': 'Bot',
         'data-pipeline': 'Data', 'web-scraper': 'Data',
+        'saas-starter': 'Website', 'simple-todo-app': 'Website',
+        'game': 'Other', 'chrome-extension': 'Other', 'mobile-app': 'Other',
+    }
+
+    # Tech stack detection from template content
+    _tech_keywords = {
+        'React': ['react', 'jsx', 'tsx'],
+        'Node.js': ['node.js', 'node 20', 'node 18', 'express'],
+        'Python': ['python', 'flask', 'django', 'fastapi'],
+        'TypeScript': ['typescript', '.ts'],
+        'PostgreSQL': ['postgresql', 'postgres', 'pg'],
+        'MongoDB': ['mongodb', 'mongoose'],
+        'Docker': ['docker', 'dockerfile', 'docker-compose'],
+        'Redis': ['redis', 'valkey'],
+        'Express': ['express.js', 'expressjs'],
+        'FastAPI': ['fastapi'],
+        'SQLite': ['sqlite'],
+        'Tailwind': ['tailwind', 'tailwindcss'],
+        'Discord': ['discord.js', 'discord bot'],
+        'Slack': ['slack api', 'slack bot'],
+        'Vite': ['vite'],
+        'Playwright': ['playwright'],
+    }
+
+    # Difficulty mapping based on template complexity
+    _difficulty_map = {
+        'simple-todo-app': 'beginner', 'static-landing-page': 'beginner',
+        'cli-tool': 'beginner', 'rest-api': 'beginner',
+        'blog-platform': 'intermediate', 'full-stack-demo': 'intermediate',
+        'rest-api-auth': 'intermediate', 'discord-bot': 'intermediate',
+        'slack-bot': 'intermediate', 'ai-chatbot': 'intermediate',
+        'npm-library': 'intermediate', 'web-scraper': 'intermediate',
+        'api-only': 'intermediate', 'chrome-extension': 'intermediate',
+        'game': 'intermediate', 'dashboard': 'intermediate',
+        'e-commerce': 'advanced', 'data-pipeline': 'advanced',
+        'microservice': 'advanced', 'saas-starter': 'advanced',
+        'mobile-app': 'advanced',
+    }
+
+    # Build time estimates
+    _build_time_map = {
+        'simple-todo-app': '3-5 min', 'static-landing-page': '2-4 min',
+        'cli-tool': '3-5 min', 'rest-api': '5-8 min',
+        'blog-platform': '8-12 min', 'full-stack-demo': '8-12 min',
+        'rest-api-auth': '8-12 min', 'discord-bot': '5-8 min',
+        'slack-bot': '5-8 min', 'ai-chatbot': '10-15 min',
+        'npm-library': '5-8 min', 'web-scraper': '5-8 min',
+        'api-only': '5-8 min', 'chrome-extension': '8-12 min',
+        'game': '10-15 min', 'dashboard': '10-15 min',
+        'e-commerce': '15-20 min', 'data-pipeline': '10-15 min',
+        'microservice': '10-15 min', 'saas-starter': '15-20 min',
+        'mobile-app': '15-20 min',
+    }
+
+    # Category gradients for visual preview
+    _gradient_map = {
+        'Website': 'from-violet-500/20 via-purple-500/10 to-indigo-500/20',
+        'API': 'from-emerald-500/20 via-teal-500/10 to-cyan-500/20',
+        'CLI': 'from-amber-500/20 via-orange-500/10 to-yellow-500/20',
+        'Bot': 'from-blue-500/20 via-sky-500/10 to-cyan-500/20',
+        'Data': 'from-rose-500/20 via-pink-500/10 to-fuchsia-500/20',
+        'Other': 'from-slate-500/20 via-gray-500/10 to-zinc-500/20',
     }
 
     templates = []
     for f in sorted(templates_dir.glob("*.md")):
         name = f.stem.replace("-", " ").replace("_", " ").title()
-        # Extract description: first non-heading, non-blank paragraph
         description = ""
+        tech_stack = []
         try:
             text = f.read_text(errors="replace")
+            text_lower = text.lower()
+            # Extract description: first non-heading, non-blank paragraph
             for line in text.splitlines():
                 stripped = line.strip()
                 if not stripped or stripped.startswith("#"):
                     continue
                 description = stripped[:200]
                 break
+            # Detect tech stack from content
+            for tech_name, keywords in _tech_keywords.items():
+                if any(kw in text_lower for kw in keywords):
+                    tech_stack.append(tech_name)
         except OSError:
             pass
+
         category = _category_map.get(f.stem, "Other")
         templates.append({
             "name": name,
             "filename": f.name,
             "description": description,
             "category": category,
+            "tech_stack": tech_stack[:6],  # Limit to 6 techs
+            "difficulty": _difficulty_map.get(f.stem, "intermediate"),
+            "build_time": _build_time_map.get(f.stem, "5-10 min"),
+            "gradient": _gradient_map.get(category, _gradient_map["Other"]),
         })
     return JSONResponse(content=templates)
 
@@ -3310,8 +3517,9 @@ async def get_metrics() -> JSONResponse:
 
 def _infer_session_status(entry: Path) -> str:
     """Infer session status from project directory contents."""
-    # 1. Check .loki/state/session.json for explicit phase
-    state_file = entry / ".loki" / "state" / "session.json"
+    # 1. Check .loki/dashboard-state.json for explicit phase
+    # BUG-INT-002 fix: CLI writes dashboard-state.json, not state/session.json
+    state_file = entry / ".loki" / "dashboard-state.json"
     if state_file.exists():
         try:
             with open(state_file) as f:
@@ -3319,7 +3527,7 @@ def _infer_session_status(entry: Path) -> str:
             phase = st.get("phase", "")
             if phase and phase != "idle":
                 # Verify the session is actually still running by checking
-                # if session.json was modified recently (within last 5 min)
+                # if dashboard-state.json was modified recently (within last 5 min)
                 try:
                     mtime = state_file.stat().st_mtime
                     if time.time() - mtime > 300:  # 5 minutes stale
@@ -3395,7 +3603,7 @@ async def get_sessions_history() -> JSONResponse:
                 continue
             session_info: dict = {
                 "id": entry.name,
-                "path": str(entry),
+                "path": f"~/purple-lab-projects/{entry.name}" if "purple-lab" in str(base_dir) else f"~/.loki/sessions/{entry.name}",
                 "date": "",
                 "prd_snippet": "",
                 "status": _infer_session_status(entry),
@@ -3479,7 +3687,7 @@ async def delete_session(session_id: str) -> JSONResponse:
     except Exception as e:
         return JSONResponse(status_code=500, content={"error": f"Failed to delete: {e}"})
 
-    return JSONResponse(content={"deleted": True, "path": str(target)})
+    return JSONResponse(content={"deleted": True, "session_id": session_id})
 
 
 @app.get("/api/sessions/{session_id}")
@@ -3675,6 +3883,8 @@ async def create_session_file(session_id: str, req: FileWriteRequest) -> JSONRes
         return JSONResponse(status_code=400, content={"error": "Invalid session ID"})
     if not req.path:
         return JSONResponse(status_code=400, content={"error": "Path is required"})
+    if len(req.content.encode("utf-8", errors="replace")) > 1_048_576:
+        return JSONResponse(status_code=413, content={"error": "Content exceeds 1 MB limit"})
 
     search_dirs = [
         Path.home() / "purple-lab-projects",
@@ -3860,7 +4070,28 @@ async def chat_session(session_id: str, req: ChatRequest) -> JSONResponse:
         # active sessions and post-completion for iterative development.
 
         # -- Phase 1: Inject project context (dev server errors, gate failures) --
-        context_parts = [req.message]
+        context_parts = []
+
+        # BUG-E2E-004: Inject recent chat history so AI has conversation context
+        if req.history:
+            # Include last 5 exchanges max to avoid token bloat
+            recent = req.history[-10:]  # last 10 items = ~5 exchanges
+            history_lines = []
+            for entry in recent:
+                role = entry.get("role", "user")
+                content = entry.get("content", "")
+                if content and role in ("user", "assistant"):
+                    # Truncate long assistant responses to keep context manageable
+                    if role == "assistant" and len(content) > 500:
+                        content = content[:500] + "..."
+                    history_lines.append(f"[{role.upper()}]: {content}")
+            if history_lines:
+                context_parts.append(
+                    "PREVIOUS CONVERSATION CONTEXT:\n" + "\n".join(history_lines)
+                    + "\n\nNow handle the following new request:"
+                )
+
+        context_parts.append(req.message)
 
         # Inject dev server errors if the server has crashed
         ds_info = dev_server_manager.servers.get(session_id)
@@ -3914,19 +4145,34 @@ async def chat_session(session_id: str, req: ChatRequest) -> JSONResponse:
                 docker_extra = "\n\n" + docker_instructions_file.read_text()
             except OSError:
                 pass
+        # Determine the active provider for this session
+        chat_provider = session.provider or "claude"
+        # Also check .loki/state/provider file in the session directory
+        provider_file = target / ".loki" / "state" / "provider"
+        if provider_file.exists():
+            try:
+                saved_prov = provider_file.read_text().strip()
+                if saved_prov:
+                    chat_provider = saved_prov
+            except OSError:
+                pass
+
         if req.mode == "max":
             # Max mode: full loki start with the message as a PRD
             prd_path = target / ".loki" / "chat-prd.md"
             prd_path.parent.mkdir(parents=True, exist_ok=True)
             prd_content = full_message + "\n\n## Deployment\nMUST include Dockerfile and docker-compose.yml for containerized execution." + docker_extra
             prd_path.write_text(prd_content)
-            cmd_args = [loki, "start", "--provider", "claude", str(prd_path)]
+            # BUG-INT-005 fix: use session's configured provider, not hardcoded "claude"
+            cmd_args = [loki, "start", "--provider", chat_provider, str(prd_path)]
         else:
             # Quick and Standard both use 'loki quick' -- fast, focused changes
             cmd_args = [loki, "quick", full_message + docker_note]
         try:
             chat_env = {**os.environ}
             chat_env.update(_load_secrets())
+            # Pass provider via env for quick mode (loki quick uses LOKI_PROVIDER env)
+            chat_env["LOKI_PROVIDER"] = chat_provider
             proc = subprocess.Popen(
                 cmd_args,
                 stdout=subprocess.PIPE,
@@ -4174,6 +4420,17 @@ async def fix_session(session_id: str) -> JSONResponse:
         try:
             fix_env = {**os.environ}
             fix_env.update(_load_secrets())
+            # Pass provider via env for fix commands (same as chat)
+            fix_provider = session.provider or "claude"
+            _fix_prov_file = target / ".loki" / "state" / "provider"
+            if _fix_prov_file.exists():
+                try:
+                    _fp = _fix_prov_file.read_text().strip()
+                    if _fp:
+                        fix_provider = _fp
+                except OSError:
+                    pass
+            fix_env["LOKI_PROVIDER"] = fix_provider
             proc = subprocess.Popen(
                 [loki, "quick", fix_message],
                 stdout=subprocess.PIPE,
@@ -4185,6 +4442,7 @@ async def fix_session(session_id: str) -> JSONResponse:
                 start_new_session=True,
             )
             task.process = proc
+            _track_child_pid(proc.pid)
             loop = asyncio.get_running_loop()
 
             def _read() -> None:
@@ -4224,6 +4482,9 @@ async def fix_session(session_id: str) -> JSONResponse:
                 except (ProcessLookupError, OSError):
                     proc.kill()
                 proc.wait()
+        # Untrack the child PID now that the fix process is done
+        if proc is not None:
+            _untrack_child_pid(proc.pid)
         task.complete = True
 
     asyncio.create_task(run_fix())
@@ -4318,6 +4579,8 @@ async def set_secret(req: SecretRequest) -> JSONResponse:
 @app.delete("/api/secrets/{key}")
 async def delete_secret(key: str) -> JSONResponse:
     """Delete a secret."""
+    if not re.match(r'^[A-Za-z_][A-Za-z0-9_]*$', key):
+        return JSONResponse(status_code=400, content={"error": "Invalid key format"})
     secrets = _load_secrets()
     if key not in secrets:
         return JSONResponse(status_code=404, content={"error": "Secret not found"})
@@ -4806,6 +5069,582 @@ async def restart_service(session_id: str, req: dict = Body(...)) -> JSONRespons
         return JSONResponse(status_code=500, content={"error": f"Restart failed: {exc}"})
 
 
+# ---------------------------------------------------------------------------
+# Deploy endpoints
+# ---------------------------------------------------------------------------
+
+
+@app.post("/api/sessions/{session_id}/deploy")
+async def deploy_session(session_id: str, req: dict = Body(...)) -> JSONResponse:
+    """Deploy a project to a hosting platform (Vercel, Netlify, GitHub Pages)."""
+    if not re.match(r"^[a-zA-Z0-9._-]+$", session_id):
+        return JSONResponse(status_code=400, content={"error": "Invalid session ID"})
+    target = _find_session_dir(session_id)
+    if target is None:
+        return JSONResponse(status_code=404, content={"error": "Session not found"})
+
+    platform = req.get("platform", "")
+    if platform not in ("vercel", "netlify", "github-pages"):
+        return JSONResponse(status_code=400, content={"error": f"Unsupported platform: {platform}"})
+
+    project_dir = str(target)
+    loop = asyncio.get_running_loop()
+
+    try:
+        if platform == "vercel":
+            # Try to deploy via Vercel CLI
+            result = await loop.run_in_executor(None, lambda: subprocess.run(
+                ["npx", "vercel", "--yes", "--prod"],
+                capture_output=True, text=True, cwd=project_dir, timeout=120,
+                env={**os.environ, "CI": "1"},
+            ))
+            output = (result.stdout or "") + (result.stderr or "")
+            if result.returncode == 0:
+                # Extract URL from Vercel output (last line is typically the URL)
+                lines = [l.strip() for l in output.strip().split("\n") if l.strip()]
+                url = ""
+                for line in reversed(lines):
+                    if line.startswith("http"):
+                        url = line
+                        break
+                return JSONResponse(content={"url": url or "https://vercel.app", "output": output})
+            else:
+                return JSONResponse(content={"error": output or "Vercel deploy failed", "output": output})
+
+        elif platform == "netlify":
+            # Build first, then deploy
+            build_result = await loop.run_in_executor(None, lambda: subprocess.run(
+                ["npm", "run", "build"],
+                capture_output=True, text=True, cwd=project_dir, timeout=120,
+            ))
+            # Deploy via Netlify CLI
+            deploy_dir = "dist"
+            for d in ["build", "out", "dist", ".next"]:
+                if (Path(project_dir) / d).is_dir():
+                    deploy_dir = d
+                    break
+            result = await loop.run_in_executor(None, lambda: subprocess.run(
+                ["npx", "netlify", "deploy", "--prod", "--dir", deploy_dir],
+                capture_output=True, text=True, cwd=project_dir, timeout=120,
+            ))
+            output = (result.stdout or "") + (result.stderr or "")
+            if result.returncode == 0:
+                # Extract URL from netlify output
+                url = ""
+                for line in output.split("\n"):
+                    if "Website URL:" in line or "Unique Deploy URL:" in line:
+                        parts = line.split("http")
+                        if len(parts) > 1:
+                            url = "http" + parts[-1].strip()
+                            break
+                return JSONResponse(content={"url": url or "https://netlify.app", "output": output})
+            else:
+                return JSONResponse(content={"error": output or "Netlify deploy failed", "output": output})
+
+        elif platform == "github-pages":
+            # Use gh-pages or manual git push to gh-pages branch
+            build_result = await loop.run_in_executor(None, lambda: subprocess.run(
+                ["npm", "run", "build"],
+                capture_output=True, text=True, cwd=project_dir, timeout=120,
+            ))
+            result = await loop.run_in_executor(None, lambda: subprocess.run(
+                ["npx", "gh-pages", "-d", "dist"],
+                capture_output=True, text=True, cwd=project_dir, timeout=120,
+            ))
+            output = (result.stdout or "") + (result.stderr or "")
+            if result.returncode == 0:
+                # Try to infer the pages URL from git remote
+                remote_result = await loop.run_in_executor(None, lambda: subprocess.run(
+                    ["git", "remote", "get-url", "origin"],
+                    capture_output=True, text=True, cwd=project_dir, timeout=10,
+                ))
+                url = ""
+                if remote_result.returncode == 0:
+                    remote = remote_result.stdout.strip()
+                    # Parse github.com/user/repo
+                    m = re.search(r"github\.com[:/]([^/]+)/([^/.]+)", remote)
+                    if m:
+                        url = f"https://{m.group(1)}.github.io/{m.group(2)}/"
+                return JSONResponse(content={"url": url or "https://github.io", "output": output})
+            else:
+                return JSONResponse(content={"error": output or "GitHub Pages deploy failed", "output": output})
+
+    except subprocess.TimeoutExpired:
+        return JSONResponse(status_code=500, content={"error": "Deploy timed out after 120 seconds"})
+    except FileNotFoundError as exc:
+        return JSONResponse(status_code=500, content={"error": f"CLI tool not found: {exc}"})
+    except Exception as exc:
+        return JSONResponse(status_code=500, content={"error": f"Deploy failed: {exc}"})
+
+
+@app.post("/api/sessions/{session_id}/github/push")
+async def github_push_session(session_id: str) -> JSONResponse:
+    """Create a GitHub repo and push the project code."""
+    if not re.match(r"^[a-zA-Z0-9._-]+$", session_id):
+        return JSONResponse(status_code=400, content={"error": "Invalid session ID"})
+    target = _find_session_dir(session_id)
+    if target is None:
+        return JSONResponse(status_code=404, content={"error": "Session not found"})
+
+    project_dir = str(target)
+    loop = asyncio.get_running_loop()
+
+    try:
+        # Ensure git repo is initialized
+        git_dir = Path(project_dir) / ".git"
+        if not git_dir.is_dir():
+            await loop.run_in_executor(None, lambda: subprocess.run(
+                ["git", "init"],
+                capture_output=True, text=True, cwd=project_dir, timeout=10,
+            ))
+            await loop.run_in_executor(None, lambda: subprocess.run(
+                ["git", "add", "-A"],
+                capture_output=True, text=True, cwd=project_dir, timeout=30,
+            ))
+            await loop.run_in_executor(None, lambda: subprocess.run(
+                ["git", "commit", "-m", "Initial commit from Purple Lab"],
+                capture_output=True, text=True, cwd=project_dir, timeout=30,
+            ))
+
+        # Use gh CLI to create repo and push
+        repo_name = Path(project_dir).name
+        result = await loop.run_in_executor(None, lambda: subprocess.run(
+            ["gh", "repo", "create", repo_name, "--public", "--source", ".", "--push"],
+            capture_output=True, text=True, cwd=project_dir, timeout=60,
+        ))
+        output = (result.stdout or "") + (result.stderr or "")
+
+        if result.returncode == 0:
+            # Extract repo URL from output
+            repo_url = ""
+            for line in output.split("\n"):
+                if "github.com" in line:
+                    # Extract the URL
+                    m = re.search(r"https://github\.com/[^\s]+", line)
+                    if m:
+                        repo_url = m.group(0)
+                        break
+            if not repo_url:
+                # Fallback: get from git remote
+                remote_result = await loop.run_in_executor(None, lambda: subprocess.run(
+                    ["git", "remote", "get-url", "origin"],
+                    capture_output=True, text=True, cwd=project_dir, timeout=10,
+                ))
+                if remote_result.returncode == 0:
+                    repo_url = remote_result.stdout.strip()
+
+            return JSONResponse(content={"repo_url": repo_url, "output": output})
+        else:
+            return JSONResponse(content={"error": output or "GitHub push failed", "output": output})
+
+    except subprocess.TimeoutExpired:
+        return JSONResponse(status_code=500, content={"error": "GitHub push timed out"})
+    except FileNotFoundError as exc:
+        return JSONResponse(status_code=500, content={"error": f"CLI tool not found (gh or git): {exc}"})
+    except Exception as exc:
+        return JSONResponse(status_code=500, content={"error": f"GitHub push failed: {exc}"})
+
+
+# ---------------------------------------------------------------------------
+# Git integration endpoints
+# ---------------------------------------------------------------------------
+
+
+def _validate_session_and_find_dir(session_id: str) -> tuple[Optional[Path], Optional[JSONResponse]]:
+    """Validate session ID and find directory. Returns (dir, None) or (None, error_response)."""
+    if not re.match(r"^[a-zA-Z0-9._-]+$", session_id):
+        return None, JSONResponse(status_code=400, content={"error": "Invalid session ID"})
+    target = _find_session_dir(session_id)
+    if target is None:
+        return None, JSONResponse(status_code=404, content={"error": "Session not found"})
+    return target, None
+
+
+def _run_git(cwd: Path, *args: str, timeout: int = 15) -> subprocess.CompletedProcess:
+    """Run a git command in the given directory."""
+    return subprocess.run(
+        ["git"] + list(args),
+        capture_output=True, text=True, cwd=str(cwd), timeout=timeout,
+    )
+
+
+@app.get("/api/sessions/{session_id}/git/status")
+async def git_status(session_id: str) -> JSONResponse:
+    """Get git status for a session's project."""
+    target, err = _validate_session_and_find_dir(session_id)
+    if err:
+        return err
+
+    loop = asyncio.get_running_loop()
+    try:
+        # Get branch name
+        branch_result = await loop.run_in_executor(
+            None, lambda: _run_git(target, "rev-parse", "--abbrev-ref", "HEAD")
+        )
+        branch = branch_result.stdout.strip() if branch_result.returncode == 0 else "unknown"
+
+        # Get ahead/behind counts
+        ahead, behind = 0, 0
+        try:
+            ab_result = await loop.run_in_executor(
+                None, lambda: _run_git(target, "rev-list", "--left-right", "--count", f"{branch}...origin/{branch}")
+            )
+            if ab_result.returncode == 0:
+                parts = ab_result.stdout.strip().split("\t")
+                if len(parts) == 2:
+                    ahead, behind = int(parts[0]), int(parts[1])
+        except (ValueError, subprocess.TimeoutExpired):
+            pass
+
+        # Get porcelain status
+        status_result = await loop.run_in_executor(
+            None, lambda: _run_git(target, "status", "--porcelain=v1")
+        )
+        files = []
+        if status_result.returncode == 0:
+            for line in status_result.stdout.splitlines():
+                if len(line) < 4:
+                    continue
+                index_status = line[0]
+                worktree_status = line[1]
+                filepath = line[3:].strip()
+                # Remove quotes from paths with special characters
+                if filepath.startswith('"') and filepath.endswith('"'):
+                    filepath = filepath[1:-1]
+
+                # Determine status and staged
+                if index_status == '?' and worktree_status == '?':
+                    files.append({"path": filepath, "status": "untracked", "staged": False})
+                else:
+                    # Index status (staged)
+                    if index_status in ('M', 'A', 'D', 'R'):
+                        status_map = {'M': 'modified', 'A': 'added', 'D': 'deleted', 'R': 'renamed'}
+                        files.append({"path": filepath, "status": status_map.get(index_status, 'modified'), "staged": True})
+                    # Worktree status (unstaged)
+                    if worktree_status in ('M', 'D'):
+                        status_map = {'M': 'modified', 'D': 'deleted'}
+                        files.append({"path": filepath, "status": status_map.get(worktree_status, 'modified'), "staged": False})
+
+        return JSONResponse(content={
+            "branch": branch,
+            "clean": len(files) == 0,
+            "ahead": ahead,
+            "behind": behind,
+            "files": files,
+        })
+    except (subprocess.TimeoutExpired, FileNotFoundError, OSError) as exc:
+        return JSONResponse(status_code=500, content={"error": f"Git status failed: {exc}"})
+
+
+@app.get("/api/sessions/{session_id}/git/log")
+async def git_log(session_id: str, limit: int = 20) -> JSONResponse:
+    """Get commit history for a session's project."""
+    target, err = _validate_session_and_find_dir(session_id)
+    if err:
+        return err
+
+    limit = min(limit, 100)  # Cap at 100
+    loop = asyncio.get_running_loop()
+    try:
+        # Use a format that's easy to parse: hash|short_hash|author|date|refs|message
+        fmt = "%H|%h|%an|%ar|%D|%s"
+        result = await loop.run_in_executor(
+            None, lambda: _run_git(target, "log", f"--format={fmt}", f"-{limit}")
+        )
+        if result.returncode != 0:
+            return JSONResponse(content=[])
+
+        commits = []
+        for line in result.stdout.strip().splitlines():
+            if not line:
+                continue
+            parts = line.split("|", 5)
+            if len(parts) < 6:
+                continue
+            refs = [r.strip() for r in parts[4].split(",") if r.strip()] if parts[4] else []
+            # Clean up ref names (remove HEAD -> prefix, etc.)
+            clean_refs = []
+            for ref in refs:
+                ref = ref.replace("HEAD -> ", "").strip()
+                if ref and ref != "HEAD":
+                    clean_refs.append(ref)
+            commits.append({
+                "hash": parts[0],
+                "short_hash": parts[1],
+                "author": parts[2],
+                "date": parts[3],
+                "refs": clean_refs,
+                "message": parts[5],
+            })
+        return JSONResponse(content=commits)
+    except (subprocess.TimeoutExpired, FileNotFoundError, OSError) as exc:
+        return JSONResponse(status_code=500, content={"error": f"Git log failed: {exc}"})
+
+
+@app.get("/api/sessions/{session_id}/git/branches")
+async def git_branches(session_id: str) -> JSONResponse:
+    """List git branches for a session's project."""
+    target, err = _validate_session_and_find_dir(session_id)
+    if err:
+        return err
+
+    loop = asyncio.get_running_loop()
+    try:
+        result = await loop.run_in_executor(
+            None, lambda: _run_git(target, "branch", "-a", "--format=%(refname:short)|%(HEAD)")
+        )
+        if result.returncode != 0:
+            return JSONResponse(content=[])
+
+        branches = []
+        for line in result.stdout.strip().splitlines():
+            if not line:
+                continue
+            parts = line.split("|", 1)
+            name = parts[0].strip()
+            is_current = len(parts) > 1 and parts[1].strip() == "*"
+            is_remote = name.startswith("origin/") or name.startswith("remotes/")
+            # Skip HEAD pointers
+            if "HEAD" in name:
+                continue
+            branches.append({
+                "name": name,
+                "current": is_current,
+                "remote": is_remote,
+            })
+        return JSONResponse(content=branches)
+    except (subprocess.TimeoutExpired, FileNotFoundError, OSError) as exc:
+        return JSONResponse(status_code=500, content={"error": f"Git branches failed: {exc}"})
+
+
+@app.post("/api/sessions/{session_id}/git/commit")
+async def git_commit(session_id: str, req: dict = Body(...)) -> JSONResponse:
+    """Create a git commit in the session's project."""
+    target, err = _validate_session_and_find_dir(session_id)
+    if err:
+        return err
+
+    message = req.get("message", "").strip()
+    if not message:
+        return JSONResponse(status_code=400, content={"error": "Commit message is required"})
+
+    files = req.get("files")  # Optional: specific files to stage
+
+    loop = asyncio.get_running_loop()
+    try:
+        # Stage files
+        if files and isinstance(files, list):
+            for f in files:
+                if not isinstance(f, str) or ".." in f:
+                    continue
+                await loop.run_in_executor(None, lambda f=f: _run_git(target, "add", f))
+        else:
+            # Stage all changes
+            await loop.run_in_executor(None, lambda: _run_git(target, "add", "-A"))
+
+        # Commit
+        result = await loop.run_in_executor(
+            None, lambda: _run_git(target, "commit", "-m", message)
+        )
+        if result.returncode != 0:
+            error_msg = result.stderr.strip() or result.stdout.strip() or "Commit failed"
+            return JSONResponse(status_code=400, content={"error": error_msg})
+
+        # Get the commit hash
+        hash_result = await loop.run_in_executor(
+            None, lambda: _run_git(target, "rev-parse", "--short", "HEAD")
+        )
+        commit_hash = hash_result.stdout.strip() if hash_result.returncode == 0 else "unknown"
+
+        return JSONResponse(content={"hash": commit_hash, "message": message})
+    except (subprocess.TimeoutExpired, FileNotFoundError, OSError) as exc:
+        return JSONResponse(status_code=500, content={"error": f"Commit failed: {exc}"})
+
+
+@app.post("/api/sessions/{session_id}/git/branch")
+async def git_create_branch(session_id: str, req: dict = Body(...)) -> JSONResponse:
+    """Create a new git branch."""
+    target, err = _validate_session_and_find_dir(session_id)
+    if err:
+        return err
+
+    name = req.get("name", "").strip()
+    checkout = req.get("checkout", True)
+    if not name or not re.match(r"^[a-zA-Z0-9._/-]+$", name):
+        return JSONResponse(status_code=400, content={"error": "Invalid branch name"})
+
+    loop = asyncio.get_running_loop()
+    try:
+        if checkout:
+            result = await loop.run_in_executor(
+                None, lambda: _run_git(target, "checkout", "-b", name)
+            )
+        else:
+            result = await loop.run_in_executor(
+                None, lambda: _run_git(target, "branch", name)
+            )
+        if result.returncode != 0:
+            return JSONResponse(status_code=400, content={"error": result.stderr.strip() or "Branch creation failed"})
+
+        return JSONResponse(content={"branch": name, "created": True})
+    except (subprocess.TimeoutExpired, FileNotFoundError, OSError) as exc:
+        return JSONResponse(status_code=500, content={"error": f"Branch creation failed: {exc}"})
+
+
+@app.post("/api/sessions/{session_id}/git/checkout")
+async def git_checkout_branch(session_id: str, req: dict = Body(...)) -> JSONResponse:
+    """Switch to an existing git branch."""
+    target, err = _validate_session_and_find_dir(session_id)
+    if err:
+        return err
+
+    name = req.get("name", "").strip()
+    if not name or not re.match(r"^[a-zA-Z0-9._/-]+$", name):
+        return JSONResponse(status_code=400, content={"error": "Invalid branch name"})
+
+    loop = asyncio.get_running_loop()
+    try:
+        result = await loop.run_in_executor(
+            None, lambda: _run_git(target, "checkout", name)
+        )
+        if result.returncode != 0:
+            return JSONResponse(status_code=400, content={"error": result.stderr.strip() or "Checkout failed"})
+
+        return JSONResponse(content={"branch": name, "switched": True})
+    except (subprocess.TimeoutExpired, FileNotFoundError, OSError) as exc:
+        return JSONResponse(status_code=500, content={"error": f"Checkout failed: {exc}"})
+
+
+@app.post("/api/sessions/{session_id}/git/push")
+async def git_push(session_id: str) -> JSONResponse:
+    """Push the current branch to remote."""
+    target, err = _validate_session_and_find_dir(session_id)
+    if err:
+        return err
+
+    loop = asyncio.get_running_loop()
+    try:
+        # Get current branch
+        branch_result = await loop.run_in_executor(
+            None, lambda: _run_git(target, "rev-parse", "--abbrev-ref", "HEAD")
+        )
+        branch = branch_result.stdout.strip() if branch_result.returncode == 0 else "main"
+
+        # Push with upstream tracking
+        result = await loop.run_in_executor(
+            None, lambda: _run_git(target, "push", "-u", "origin", branch, timeout=30)
+        )
+        if result.returncode != 0:
+            return JSONResponse(status_code=400, content={
+                "error": result.stderr.strip() or "Push failed",
+                "pushed": False,
+            })
+
+        return JSONResponse(content={"pushed": True, "message": f"Pushed {branch} to origin"})
+    except (subprocess.TimeoutExpired, FileNotFoundError, OSError) as exc:
+        return JSONResponse(status_code=500, content={"error": f"Push failed: {exc}"})
+
+
+@app.post("/api/sessions/{session_id}/git/pr")
+async def git_create_pr(session_id: str, req: dict = Body(...)) -> JSONResponse:
+    """Create a pull request using gh CLI."""
+    target, err = _validate_session_and_find_dir(session_id)
+    if err:
+        return err
+
+    title = req.get("title", "").strip()
+    body = req.get("body", "").strip()
+    if not title:
+        return JSONResponse(status_code=400, content={"error": "PR title is required"})
+
+    loop = asyncio.get_running_loop()
+    try:
+        import shutil
+        gh = shutil.which("gh")
+        if not gh:
+            return JSONResponse(status_code=400, content={"error": "gh CLI not found. Install it: https://cli.github.com/"})
+
+        cmd = [gh, "pr", "create", "--title", title]
+        if body:
+            cmd.extend(["--body", body])
+        else:
+            cmd.extend(["--body", ""])
+
+        result = await loop.run_in_executor(
+            None, lambda: subprocess.run(
+                cmd, capture_output=True, text=True, cwd=str(target), timeout=30,
+            )
+        )
+        if result.returncode != 0:
+            return JSONResponse(status_code=400, content={"error": result.stderr.strip() or "PR creation failed"})
+
+        # gh pr create outputs the PR URL
+        pr_url = result.stdout.strip()
+        # Try to extract PR number from URL
+        pr_number = 0
+        if pr_url:
+            parts = pr_url.rstrip("/").split("/")
+            try:
+                pr_number = int(parts[-1])
+            except (ValueError, IndexError):
+                pass
+
+        return JSONResponse(content={"url": pr_url, "number": pr_number})
+    except (subprocess.TimeoutExpired, FileNotFoundError, OSError) as exc:
+        return JSONResponse(status_code=500, content={"error": f"PR creation failed: {exc}"})
+
+
+# ---------------------------------------------------------------------------
+# Image upload for AI chat (screenshot-to-change)
+# ---------------------------------------------------------------------------
+
+
+@app.post("/api/sessions/{session_id}/chat/image")
+async def chat_image_upload(session_id: str, request: Request) -> JSONResponse:
+    """Upload an image for screenshot-to-change in AI chat."""
+    if not re.match(r"^[a-zA-Z0-9._-]+$", session_id):
+        return JSONResponse(status_code=400, content={"error": "Invalid session ID"})
+    target = _find_session_dir(session_id)
+    if target is None:
+        return JSONResponse(status_code=404, content={"error": "Session not found"})
+
+    # Parse multipart form data
+    try:
+        form = await request.form()
+        image_file = form.get("image")
+        if image_file is None:
+            return JSONResponse(status_code=400, content={"error": "No image file provided"})
+
+        # Read file content
+        content = await image_file.read()
+        if len(content) > 10 * 1024 * 1024:  # 10MB limit
+            return JSONResponse(status_code=400, content={"error": "Image too large (max 10MB)"})
+
+        # Save to session's .loki/images/ directory
+        images_dir = target / ".loki" / "images"
+        images_dir.mkdir(parents=True, exist_ok=True)
+
+        image_id = str(uuid.uuid4())[:8]
+        # Sanitize filename
+        original_name = getattr(image_file, 'filename', 'image.png') or 'image.png'
+        safe_name = re.sub(r'[^a-zA-Z0-9._-]', '_', original_name)
+        saved_name = f"{image_id}_{safe_name}"
+        saved_path = images_dir / saved_name
+
+        with open(saved_path, "wb") as f:
+            f.write(content)
+
+        return JSONResponse(content={
+            "image_id": image_id,
+            "filename": safe_name,
+            "path": str(saved_path.relative_to(target)),
+            "size": len(content),
+        })
+    except Exception as exc:
+        logger.error("Image upload failed: %s", exc, exc_info=True)
+        return JSONResponse(status_code=500, content={"error": f"Upload failed: {exc}"})
+
+
 # ---------------------------------------------------------------------------
 # HTTP Proxy for dev server preview
 # ---------------------------------------------------------------------------
@@ -5238,22 +6077,41 @@ async def _push_state_to_client(ws: WebSocket) -> None:
             _cost_usd = 0.0
             _max_iterations = 0
 
-            state_file = loki_dir / "state" / "session.json"
-            if state_file.exists():
+            # BUG-INT-002 fix: CLI writes dashboard-state.json, not state/session.json
+            dash_file = loki_dir / "dashboard-state.json"
+            if dash_file.exists():
                 try:
-                    with open(state_file) as f:
+                    with open(dash_file) as f:
                         state_data = json.load(f)
                     _phase = state_data.get("phase", _phase)
                     _iteration = state_data.get("iteration", _iteration)
                     _complexity = state_data.get("complexity", _complexity)
-                    _current_task = state_data.get("current_task", _current_task)
-                    _pending_tasks = state_data.get("pending_tasks", _pending_tasks)
+                    _tasks = state_data.get("tasks")
+                    if isinstance(_tasks, dict):
+                        _pending_tasks = int(_tasks.get("pending", 0) or 0)
+                        _in_progress = int(_tasks.get("inProgress", 0) or 0)
+                        if _in_progress > 0:
+                            _current_task = f"{_in_progress} task(s) in progress"
                     # Extract cost from tokens object if present
                     _tokens = state_data.get("tokens")
                     if isinstance(_tokens, dict):
                         _cost_usd = float(_tokens.get("cost_usd", 0) or 0)
+                    # Agents are included in dashboard-state.json
+                    _dash_agents = state_data.get("agents")
+                    if isinstance(_dash_agents, list):
+                        _agents = _dash_agents
                 except (json.JSONDecodeError, OSError):
                     pass
+            else:
+                # Fallback: try orchestrator.json for phase
+                _orch_file = loki_dir / "state" / "orchestrator.json"
+                if _orch_file.exists():
+                    try:
+                        with open(_orch_file) as f:
+                            _orch = json.load(f)
+                        _phase = _orch.get("currentPhase", _phase)
+                    except (json.JSONDecodeError, OSError):
+                        pass
 
             agents_file = loki_dir / "state" / "agents.json"
             if agents_file.exists():
@@ -5367,11 +6225,14 @@ async def websocket_endpoint(ws: WebSocket) -> None:
     if session.running and session.project_dir and "session" not in file_watcher._observers:
         file_watcher.start("session", session.project_dir, _broadcast, asyncio.get_running_loop())
 
-    # Send recent log lines as backfill
-    for line in session.log_lines[-100:]:
+    # Send recent log lines as backfill (with sequence numbers for ordering)
+    # BUG-E2E-002: Include seq so frontend can maintain correct order
+    backfill_lines = session.log_lines[-100:]
+    backfill_start_seq = max(1, session.log_lines_total - len(backfill_lines) + 1)
+    for i, line in enumerate(backfill_lines):
         await ws.send_text(json.dumps({
             "type": "log",
-            "data": {"line": line, "timestamp": ""},
+            "data": {"line": line, "timestamp": "", "seq": backfill_start_seq + i},
         }))
 
     # Start server-push state task for this connection
@@ -5638,6 +6499,413 @@ def _pty_read(pty: "pexpect.spawn") -> Optional[str]:
 
 
 
+# ---------------------------------------------------------------------------
+# Checkpoint Timeline (Sprint 3.1)
+# ---------------------------------------------------------------------------
+
+
+def _get_checkpoints_dir(session_dir: Path) -> Path:
+    """Return the checkpoints directory for a session."""
+    return session_dir / ".loki" / "checkpoints"
+
+
+def _list_checkpoints(session_dir: Path) -> list[dict]:
+    """List all checkpoints for a session, sorted by timestamp."""
+    cp_dir = _get_checkpoints_dir(session_dir)
+    checkpoints: list[dict] = []
+
+    if not cp_dir.is_dir():
+        return checkpoints
+
+    for entry in sorted(cp_dir.iterdir()):
+        if not entry.is_dir():
+            continue
+        meta_file = entry / "meta.json"
+        if meta_file.exists():
+            try:
+                meta = json.loads(meta_file.read_text())
+                checkpoints.append({
+                    "id": entry.name,
+                    "timestamp": meta.get("timestamp", ""),
+                    "description": meta.get("description", f"Checkpoint {entry.name}"),
+                    "iteration": meta.get("iteration", 0),
+                    "files_changed": meta.get("files_changed", 0),
+                    "is_current": False,
+                })
+            except (json.JSONDecodeError, OSError):
+                checkpoints.append({
+                    "id": entry.name,
+                    "timestamp": "",
+                    "description": f"Checkpoint {entry.name}",
+                    "iteration": 0,
+                    "files_changed": 0,
+                    "is_current": False,
+                })
+        else:
+            # Create entry from directory name
+            checkpoints.append({
+                "id": entry.name,
+                "timestamp": time.strftime(
+                    "%Y-%m-%dT%H:%M:%SZ", time.localtime(entry.stat().st_mtime)
+                ),
+                "description": f"Checkpoint {entry.name}",
+                "iteration": 0,
+                "files_changed": 0,
+                "is_current": False,
+            })
+
+    # Mark the latest as current
+    if checkpoints:
+        checkpoints[-1]["is_current"] = True
+
+    return checkpoints
+
+
+@app.get("/api/sessions/{session_id}/checkpoints")
+async def get_checkpoints(session_id: str) -> JSONResponse:
+    """List all checkpoints for a session."""
+    if not re.match(r"^[a-zA-Z0-9._-]+$", session_id):
+        return JSONResponse(status_code=400, content={"error": "Invalid session ID"})
+    target = _find_session_dir(session_id)
+    if target is None:
+        return JSONResponse(status_code=404, content={"error": "Session not found"})
+
+    checkpoints = _list_checkpoints(target)
+    return JSONResponse(content=checkpoints)
+
+
+@app.post("/api/sessions/{session_id}/checkpoints/{cp_id}/restore")
+async def restore_checkpoint(session_id: str, cp_id: str) -> JSONResponse:
+    """Restore a session to a specific checkpoint."""
+    if not re.match(r"^[a-zA-Z0-9._-]+$", session_id):
+        return JSONResponse(status_code=400, content={"error": "Invalid session ID"})
+    if not re.match(r"^[a-zA-Z0-9._-]+$", cp_id):
+        return JSONResponse(status_code=400, content={"error": "Invalid checkpoint ID"})
+
+    target = _find_session_dir(session_id)
+    if target is None:
+        return JSONResponse(status_code=404, content={"error": "Session not found"})
+
+    cp_dir = _get_checkpoints_dir(target) / cp_id
+    if not cp_dir.is_dir():
+        return JSONResponse(status_code=404, content={"error": "Checkpoint not found"})
+
+    # Restore files from checkpoint snapshot
+    snapshot_dir = cp_dir / "snapshot"
+    if snapshot_dir.is_dir():
+        import shutil
+        # Copy snapshot files back to project root, preserving existing .loki dir
+        for item in snapshot_dir.rglob("*"):
+            if item.is_file():
+                rel = item.relative_to(snapshot_dir)
+                dest = target / rel
+                dest.parent.mkdir(parents=True, exist_ok=True)
+                shutil.copy2(str(item), str(dest))
+
+    description = f"Restored to checkpoint {cp_id}"
+    meta_file = cp_dir / "meta.json"
+    if meta_file.exists():
+        try:
+            meta = json.loads(meta_file.read_text())
+            description = meta.get("description", description)
+        except (json.JSONDecodeError, OSError):
+            pass
+
+    return JSONResponse(content={
+        "restored": True,
+        "checkpoint_id": cp_id,
+        "description": description,
+    })
+
+
+# ---------------------------------------------------------------------------
+# File Search (Sprint 3.3)
+# ---------------------------------------------------------------------------
+
+
+def _flatten_file_tree(nodes: list[dict], results: list[dict]) -> None:
+    """Recursively flatten a file tree into a list of file entries."""
+    for node in nodes:
+        results.append({
+            "path": node["path"],
+            "name": node["name"],
+            "type": node["type"],
+            "size": node.get("size"),
+        })
+        if node.get("children"):
+            _flatten_file_tree(node["children"], results)
+
+
+@app.get("/api/sessions/{session_id}/files/search")
+async def search_session_files(session_id: str, q: str = "") -> JSONResponse:
+    """Search files in a session project by name/path."""
+    if not re.match(r"^[a-zA-Z0-9._-]+$", session_id):
+        return JSONResponse(status_code=400, content={"error": "Invalid session ID"})
+    if not q.strip():
+        return JSONResponse(content=[])
+
+    target = _find_session_dir(session_id)
+    if target is None:
+        return JSONResponse(status_code=404, content={"error": "Session not found"})
+
+    tree = _build_file_tree(target)
+    all_files: list[dict] = []
+    _flatten_file_tree(tree, all_files)
+
+    query = q.strip().lower()
+    results = [
+        f for f in all_files
+        if query in f["path"].lower() or query in f["name"].lower()
+    ]
+    # Return at most 50 results, files first, then directories
+    results.sort(key=lambda f: (f["type"] != "file", f["path"].lower()))
+    return JSONResponse(content=results[:50])
+
+
+# ---------------------------------------------------------------------------
+# Change Preview (Sprint 3.2)
+# ---------------------------------------------------------------------------
+
+
+@app.post("/api/sessions/{session_id}/chat/preview")
+async def preview_chat_changes(session_id: str, req: ChatRequest) -> JSONResponse:
+    """Preview what changes a chat message would make (dry-run diff).
+
+    Uses git diff to show what would change without actually applying.
+    Returns structured diff data for the ChangePreview modal.
+    """
+    if not re.match(r"^[a-zA-Z0-9._-]+$", session_id):
+        return JSONResponse(status_code=400, content={"error": "Invalid session ID"})
+    target = _find_session_dir(session_id)
+    if target is None:
+        return JSONResponse(status_code=404, content={"error": "Session not found"})
+
+    # For the preview, we parse the current git status to generate mock diffs
+    # showing the pending unstaged/staged changes. In production this would
+    # invoke the LLM in dry-run mode, but for now we show actual pending changes.
+    files: list[dict] = []
+    total_add = 0
+    total_del = 0
+
+    try:
+        loop = asyncio.get_running_loop()
+        result = await loop.run_in_executor(None, lambda: subprocess.run(
+            ["git", "diff", "--numstat", "HEAD"],
+            capture_output=True, text=True, cwd=str(target), timeout=10
+        ))
+        if result.returncode == 0 and result.stdout.strip():
+            for line in result.stdout.strip().splitlines():
+                parts = line.split("\t")
+                if len(parts) == 3:
+                    additions = int(parts[0]) if parts[0] != "-" else 0
+                    deletions = int(parts[1]) if parts[1] != "-" else 0
+                    filepath = parts[2]
+                    total_add += additions
+                    total_del += deletions
+
+                    # Get the actual diff hunks for this file
+                    diff_result = await loop.run_in_executor(None, lambda fp=filepath: subprocess.run(
+                        ["git", "diff", "HEAD", "--", fp],
+                        capture_output=True, text=True, cwd=str(target), timeout=10
+                    ))
+                    hunks = _parse_diff_hunks(diff_result.stdout if diff_result.returncode == 0 else "")
+
+                    action = "modify"
+                    files.append({
+                        "path": filepath,
+                        "action": action,
+                        "additions": additions,
+                        "deletions": deletions,
+                        "hunks": hunks,
+                    })
+
+        # Also check for untracked files
+        untracked_result = await loop.run_in_executor(None, lambda: subprocess.run(
+            ["git", "ls-files", "--others", "--exclude-standard"],
+            capture_output=True, text=True, cwd=str(target), timeout=10
+        ))
+        if untracked_result.returncode == 0 and untracked_result.stdout.strip():
+            for filepath in untracked_result.stdout.strip().splitlines()[:20]:
+                try:
+                    fpath = target / filepath
+                    if fpath.is_file():
+                        content = fpath.read_text(errors="replace")
+                        line_count = len(content.splitlines())
+                        total_add += line_count
+                        lines = [
+                            {"type": "add", "content": l, "new_line": i + 1}
+                            for i, l in enumerate(content.splitlines()[:100])
+                        ]
+                        files.append({
+                            "path": filepath,
+                            "action": "add",
+                            "additions": line_count,
+                            "deletions": 0,
+                            "hunks": [{"old_start": 0, "old_count": 0, "new_start": 1, "new_count": line_count, "lines": lines}],
+                        })
+                except (OSError, UnicodeDecodeError):
+                    pass
+    except (subprocess.TimeoutExpired, FileNotFoundError, OSError):
+        pass
+
+    return JSONResponse(content={
+        "session_id": session_id,
+        "message": req.message,
+        "files": files,
+        "total_additions": total_add,
+        "total_deletions": total_del,
+    })
+
+
+def _parse_diff_hunks(diff_text: str) -> list[dict]:
+    """Parse unified diff output into structured hunks."""
+    hunks: list[dict] = []
+    if not diff_text:
+        return hunks
+
+    current_hunk: Optional[dict] = None
+    old_line = 0
+    new_line = 0
+
+    for line in diff_text.splitlines():
+        if line.startswith("@@"):
+            # Parse hunk header: @@ -old_start,old_count +new_start,new_count @@
+            if current_hunk:
+                hunks.append(current_hunk)
+            match = re.match(r"@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@", line)
+            if match:
+                old_line = int(match.group(1))
+                new_line = int(match.group(3))
+                current_hunk = {
+                    "old_start": old_line,
+                    "old_count": int(match.group(2) or 1),
+                    "new_start": new_line,
+                    "new_count": int(match.group(4) or 1),
+                    "lines": [],
+                }
+            continue
+
+        if current_hunk is None:
+            continue
+
+        if line.startswith("+"):
+            current_hunk["lines"].append({
+                "type": "add",
+                "content": line[1:],
+                "new_line": new_line,
+            })
+            new_line += 1
+        elif line.startswith("-"):
+            current_hunk["lines"].append({
+                "type": "delete",
+                "content": line[1:],
+                "old_line": old_line,
+            })
+            old_line += 1
+        elif line.startswith(" "):
+            current_hunk["lines"].append({
+                "type": "context",
+                "content": line[1:],
+                "old_line": old_line,
+                "new_line": new_line,
+            })
+            old_line += 1
+            new_line += 1
+
+    if current_hunk:
+        hunks.append(current_hunk)
+
+    # Limit to 50 hunks max to prevent huge responses
+    return hunks[:50]
+# Teams & RBAC endpoints
+# ---------------------------------------------------------------------------
+
+# In-memory store for teams (production would use database)
+_teams_store: Dict[str, dict] = {}
+_audit_log: list = []
+
+
+class CreateTeamRequest(BaseModel):
+    name: str
+
+
+class AddMemberRequest(BaseModel):
+    email: str
+    role: str = "viewer"
+
+
+def _audit(action: str, user: str = "system", target: str = "", details: str = ""):
+    """Record an audit log entry."""
+    entry = {
+        "id": str(uuid.uuid4()),
+        "action": action,
+        "user": user,
+        "target": target,
+        "timestamp": datetime.now().isoformat(),
+        "details": details,
+    }
+    _audit_log.insert(0, entry)
+    # Keep last 500 entries
+    if len(_audit_log) > 500:
+        _audit_log[:] = _audit_log[:500]
+
+
+@app.get("/api/teams")
+async def list_teams() -> JSONResponse:
+    """List all teams."""
+    teams = list(_teams_store.values())
+    return JSONResponse(content=teams)
+
+
+@app.post("/api/teams")
+async def create_team(req: CreateTeamRequest) -> JSONResponse:
+    """Create a new team."""
+    team_id = f"team-{uuid.uuid4().hex[:8]}"
+    team = {
+        "id": team_id,
+        "name": req.name,
+        "members": [],
+        "created_at": datetime.now().isoformat(),
+    }
+    _teams_store[team_id] = team
+    _audit("team.created", target=req.name)
+    return JSONResponse(content={"id": team_id, "name": req.name, "created": True})
+
+
+@app.get("/api/teams/{team_id}/members")
+async def list_team_members(team_id: str) -> JSONResponse:
+    """List members of a team."""
+    team = _teams_store.get(team_id)
+    if not team:
+        return JSONResponse(status_code=404, content={"error": "Team not found"})
+    return JSONResponse(content=team.get("members", []))
+
+
+@app.post("/api/teams/{team_id}/members")
+async def add_team_member(team_id: str, req: AddMemberRequest) -> JSONResponse:
+    """Add a member to a team."""
+    team = _teams_store.get(team_id)
+    if not team:
+        return JSONResponse(status_code=404, content={"error": "Team not found"})
+    member_id = f"m-{uuid.uuid4().hex[:8]}"
+    member = {
+        "id": member_id,
+        "email": req.email,
+        "name": req.email.split("@")[0],
+        "role": req.role,
+        "joined_at": datetime.now().isoformat(),
+    }
+    team.setdefault("members", []).append(member)
+    _audit("member.added", target=req.email, details=f"Role: {req.role}")
+    return JSONResponse(content={"added": True, "member_id": member_id})
+
+
+@app.get("/api/audit-log")
+async def get_audit_log() -> JSONResponse:
+    """Get audit log entries."""
+    return JSONResponse(content=_audit_log)
+
+
 # ---------------------------------------------------------------------------
 # Static file serving (built React app)
 # ---------------------------------------------------------------------------