loki-mode 7.14.0 → 7.16.0

package/autonomy/loki

@@ -544,6 +544,7 @@ show_help() {
     echo "  enterprise       Enterprise feature management (tokens, OIDC)"
     echo "  metrics [opts]   Session productivity report (--json, --last N, --save, --share)"
     echo "  cost [opts]      Transparent cost view: per-run/project spend + budget (--json, --last N)"
+    echo "  trust [--json]   Visible trust trajectory: council/gate pass-rate + interventions over runs [R4]"
     echo "  dogfood          Show self-development statistics"
     echo "  secrets [cmd]    API key status and validation (status|validate)"
     echo "  reset [target]   Reset session state (all|retries|failed)"
@@ -13181,6 +13182,9 @@ main() {
         cost)
             cmd_cost "$@"
             ;;
+        trust)
+            cmd_trust "$@"
+            ;;
         syslog)
             cmd_syslog "$@"
             ;;
@@ -18152,6 +18156,59 @@ cmd_syslog() {
     esac
 }
 
+# Visible trust trajectory (R4): is the agent earning autonomy on THIS repo?
+# Shows council pass-rate, gate pass-rate, iterations-to-completion, and human
+# interventions trending up/down/flat across the per-run proof-of-run history
+# in .loki/proofs/. Bash fallback for the Bun route (loki-ts/src/commands/
+# trust.ts); both derive from the same proof.json files. Shells out to the
+# shared derivation module (autonomy/lib/trust_trajectory.py) so the CLI, the
+# dashboard endpoint, and the tests all agree. Honest: with <2 runs it prints
+# "not enough history yet", never a fabricated trend.
+cmd_trust() {
+    local pass_args=()
+    while [[ $# -gt 0 ]]; do
+        case "$1" in
+            --help|-h)
+                echo -e "${BOLD}loki trust${NC} - Visible trust trajectory (R4)"
+                echo ""
+                echo "Usage: loki trust [options]"
+                echo ""
+                echo "Shows whether the agent is earning autonomy on THIS repo over"
+                echo "time: council pass-rate, gate pass-rate, iterations-to-completion,"
+                echo "and human interventions, each trending up/down/flat. Derived"
+                echo "read-only from proof-of-run history in .loki/proofs/."
+                echo ""
+                echo "Options:"
+                echo "  --json               Machine-readable JSON output"
+                echo "  --help, -h           Show this help"
+                echo ""
+                echo "With fewer than 2 recorded runs this prints 'not enough history"
+                echo "yet' rather than a fabricated trend. Complements 'loki kpis'"
+                echo "(single-run snapshot)."
+                exit 0
+                ;;
+            --json) pass_args+=("--json"); shift ;;
+            *) echo -e "${RED}Unknown option: $1${NC}"; echo "Run 'loki trust --help' for usage."; exit 1 ;;
+        esac
+    done
+
+    if ! command -v python3 &>/dev/null; then
+        echo -e "${RED}python3 is required for the trust trajectory view${NC}"
+        exit 1
+    fi
+
+    local trust_mod="$_LOKI_SCRIPT_DIR/lib/trust_trajectory.py"
+    if [ ! -f "$trust_mod" ]; then
+        echo -e "${RED}trust_trajectory.py not found at $trust_mod${NC}"
+        exit 1
+    fi
+
+    local loki_dir="${LOKI_DIR:-.loki}"
+    # Safe empty-array expansion (bash 3.2 + set -u): ${arr[@]+"${arr[@]}"}
+    # expands to nothing when pass_args is empty instead of an unbound error.
+    python3 "$trust_mod" --loki-dir "$loki_dir" ${pass_args[@]+"${pass_args[@]}"}
+}
+
 # Transparent cost view (R3): per-run + per-project spend, model routing, and
 # budget status with the 80% warn line. Reuses efficiency_cost.collect_efficiency
 # for the current-run aggregate (single source of truth) and reads .loki/proofs/
@@ -25275,6 +25332,173 @@ _loki_gist_upload() {
     echo -e "${GREEN}Shared: ${gist_url}${NC}"
 }
 
+# loki_tier_gate - R9 open-core tier/license seam.
+#
+# OSS-FIRST CONTRACT: this is a no-op ALLOW for OSS users. LOKI_TIER defaults
+# to "oss" and every existing free feature stays fully free. This function is
+# the single place where a future hosted/enterprise build would gate a
+# hosted-only capability. It is NEVER called from any existing free command
+# path; its only caller is the opt-in --hosted publish seam below. For OSS
+# (the default), it always returns 0 (allow).
+#
+# Args: $1 = capability name (informational; e.g. "hosted_publish").
+# Returns: 0 = allowed, 1 = gated (non-OSS tier without entitlement).
+# Env:  LOKI_TIER (default "oss"), LOKI_LICENSE_KEY (optional, non-OSS only).
+loki_tier_gate() {
+    local capability="${1:-}"
+    local tier="${LOKI_TIER:-oss}"
+
+    # OSS tier: everything is allowed, always. No license, no network, no gate.
+    if [ "$tier" = "oss" ]; then
+        return 0
+    fi
+
+    # Non-OSS tiers (hosted/enterprise) are a SEAM only. The hosted backend
+    # and license-verification service do not exist yet, so we cannot validate
+    # an entitlement. Be honest: do not pretend to grant a paid capability.
+    # A real hosted build replaces this branch with a verified license check.
+    if [ -z "${LOKI_LICENSE_KEY:-}" ]; then
+        echo -e "${YELLOW}LOKI_TIER='${tier}' requested but no LOKI_LICENSE_KEY set.${NC}" >&2
+        echo "Hosted/enterprise license verification is not available yet." >&2
+        echo "OSS users: leave LOKI_TIER unset (or 'oss') -- everything stays free." >&2
+        return 1
+    fi
+
+    # A license key is present but there is no verification backend yet. We do
+    # NOT fabricate a successful verification. The capability stays ungated for
+    # OSS-equivalent use; the seam is documented in docs/OPEN-CORE-BOUNDARY.md.
+    echo -e "${YELLOW}LOKI_LICENSE_KEY set but the verification backend is not available yet (R9 seam).${NC}" >&2
+    return 0
+}
+
+# _loki_hosted_publish_proof - R9 hosted proof-publish client stub.
+#
+# Posts an ALREADY-REDACTED proof page to a self-hosted/SaaS endpoint given by
+# LOKI_HOSTED_ENDPOINT. There is NO official Loki hosted backend yet; this is a
+# clean client seam an operator can point at their own endpoint. We never
+# fabricate a hosted URL: on success we print the URL the endpoint returned (or
+# the endpoint itself); on any failure we print an honest error and exit non-0.
+#
+# Args: $1 = proof id, $2 = redacted index.html path, $3 = proof.json path.
+# Returns: 0 on success, non-zero on missing endpoint / transport / non-2xx.
+_loki_hosted_publish_proof() {
+    local id="$1"
+    local html="$2"
+    local pj="$3"
+
+    # Tier seam (no-op allow for OSS). Hosted publish is opt-in regardless.
+    loki_tier_gate "hosted_publish" || true
+
+    local endpoint="${LOKI_HOSTED_ENDPOINT:-}"
+    if [ -z "$endpoint" ]; then
+        echo -e "${YELLOW}Hosted publishing backend not available.${NC}" >&2
+        echo "There is no official Loki hosted service yet (R9 ships the seam, not a live backend)." >&2
+        echo "To publish to your own hosted endpoint, set LOKI_HOSTED_ENDPOINT to its URL." >&2
+        echo "Or publish to a GitHub Gist instead: loki proof share ${id}" >&2
+        return 1
+    fi
+
+    if ! command -v curl &>/dev/null; then
+        echo -e "${RED}curl not found${NC}" >&2
+        echo "Hosted publishing requires curl. Install curl or use: loki proof share ${id}" >&2
+        return 1
+    fi
+
+    # CREDIBILITY: we upload the file the generator already redacted (the same
+    # bytes 'loki proof share' would put on a gist). We do not build a fresh
+    # body that could bypass redaction. If proof.json reports redaction was not
+    # applied, refuse -- never publish an unredacted artifact.
+    if [ -f "$pj" ]; then
+        local redaction_ok
+        redaction_ok=$(LOKI_PROOF_JSON="$pj" python3 - <<'PYEOF' 2>/dev/null || echo "unknown"
+import json, os
+try:
+    d = json.load(open(os.environ["LOKI_PROOF_JSON"]))
+except Exception:
+    print("unknown")
+else:
+    print("yes" if (d.get("redaction") or {}).get("applied") else "no")
+PYEOF
+)
+        if [ "$redaction_ok" = "no" ]; then
+            echo -e "${RED}Refusing to publish: proof redaction was not applied.${NC}" >&2
+            echo "Regenerate the proof (LOKI_PROOF=1) so the redactor runs, then retry." >&2
+            return 1
+        fi
+    fi
+
+    echo -e "${BOLD}Publishing proof '${id}' to hosted endpoint${NC}"
+    echo "  endpoint: ${endpoint}"
+    echo "  payload:  ${html} (already redacted by the generator)"
+    echo ""
+
+    # POST the redacted HTML. Auth header is sent only if a license key exists;
+    # OSS users with their own endpoint need no key.
+    local tmp_body tmp_code
+    tmp_body=$(mktemp "/tmp/loki-hosted-XXXXXX.out")
+    local -a curl_args=(-sS -o "$tmp_body" -w '%{http_code}' -X POST
+        -H "Content-Type: text/html"
+        -H "X-Loki-Proof-Id: ${id}"
+        --data-binary "@${html}")
+    if [ -n "${LOKI_LICENSE_KEY:-}" ]; then
+        curl_args+=(-H "Authorization: Bearer ${LOKI_LICENSE_KEY}")
+    fi
+    tmp_code=$(curl "${curl_args[@]}" "$endpoint" 2>/dev/null)
+    local curl_exit=$?
+
+    if [ "$curl_exit" -ne 0 ]; then
+        echo -e "${RED}Failed to reach hosted endpoint (curl exit ${curl_exit}).${NC}" >&2
+        echo "Check LOKI_HOSTED_ENDPOINT or publish to a gist: loki proof share ${id}" >&2
+        rm -f "$tmp_body"
+        return 1
+    fi
+
+    # Accept any 2xx. The published URL comes from the endpoint response if it
+    # returns one (we look for a "url" field), else we report the endpoint. We
+    # NEVER print a fabricated URL.
+    case "$tmp_code" in
+        2*)
+            local published_url
+            published_url=$(LOKI_HOSTED_BODY="$tmp_body" LOKI_HOSTED_EP="$endpoint" python3 - <<'PYEOF' 2>/dev/null || true
+import json, os
+body_path = os.environ["LOKI_HOSTED_BODY"]
+try:
+    txt = open(body_path).read().strip()
+except Exception:
+    txt = ""
+url = ""
+try:
+    d = json.loads(txt)
+    if isinstance(d, dict):
+        url = d.get("url") or d.get("public_url") or ""
+except Exception:
+    url = ""
+print(url)
+PYEOF
+)
+            rm -f "$tmp_body"
+            if [ -n "$published_url" ]; then
+                echo -e "${GREEN}Published: ${published_url}${NC}"
+            else
+                echo -e "${GREEN}Published to ${endpoint} (HTTP ${tmp_code}).${NC}"
+                echo "The endpoint did not return a 'url' field; check your endpoint's response."
+            fi
+            return 0
+            ;;
+        *)
+            echo -e "${RED}Hosted endpoint returned HTTP ${tmp_code}.${NC}" >&2
+            if [ -s "$tmp_body" ]; then
+                echo "Response:" >&2
+                head -c 500 "$tmp_body" >&2
+                echo "" >&2
+            fi
+            echo "Nothing was published. Or publish to a gist: loki proof share ${id}" >&2
+            rm -f "$tmp_body"
+            return 1
+            ;;
+    esac
+}
+
 # loki bench - head-to-head benchmark harness (R2).
 # Subcommands: run <task> | vs <task> | list | verify <result.json>.
 # Thin pass-through to benchmarks/bench/run.sh (shared python core runner.py).
@@ -25342,7 +25566,7 @@ cmd_proof() {
             echo "Options for 'share':"
             echo "  --yes                Skip the redaction-preview confirmation prompt"
             echo "  --private            Create a secret gist (default: public)"
-            echo "  --hosted             Reserved for hosted publishing (coming in R9)"
+            echo "  --hosted             Publish to LOKI_HOSTED_ENDPOINT (open-core seam; no official backend yet)"
             echo ""
             echo "Proofs are generated automatically at run completion (LOKI_PROOF=0 to opt out)."
             [ "$sub" = "" ] && exit 1
@@ -25441,15 +25665,13 @@ PYEOF
             local id=""
             local skip_confirm=0
             local visibility="--public"
+            local hosted=0
             while [[ $# -gt 0 ]]; do
                 case "$1" in
                     --yes|-y) skip_confirm=1; shift ;;
                     --private) visibility=""; shift ;;
                     --public) visibility="--public"; shift ;;
-                    --hosted)
-                        echo -e "${RED}Hosted publishing is not available yet (coming in R9).${NC}"
-                        exit 1
-                        ;;
+                    --hosted) hosted=1; shift ;;
                     -*) echo -e "${RED}Unknown option: $1${NC}"; exit 1 ;;
                     *) id="$1"; shift ;;
                 esac
@@ -25464,6 +25686,17 @@ PYEOF
                 echo "Use 'loki proof list' to see available proofs."
                 exit 1
             fi
+            # R9 open-core hosted-publish seam. Only taken when the user
+            # explicitly passes --hosted. The default gist path below stays
+            # byte-for-byte unchanged for OSS users (zero hosted backend
+            # required). We never silent-fall-back to gist here: the user asked
+            # for hosted, so we POST to a configured LOKI_HOSTED_ENDPOINT or
+            # print an honest "no endpoint configured" message and exit non-zero.
+            # We never fabricate a hosted URL.
+            if [ "$hosted" -eq 1 ]; then
+                _loki_hosted_publish_proof "$id" "$html" "${proofs_dir}/${id}/proof.json"
+                exit $?
+            fi
             if ! command -v gh &>/dev/null; then
                 echo -e "${RED}gh CLI not found${NC}"
                 echo "Install the GitHub CLI to publish a proof:"

package/bin/loki

@@ -116,10 +116,11 @@ fi
 # Two-token routes (provider show/list, memory list/index) match on the first
 # token only; the Bun dispatcher handles subcommand routing internally.
 case "${1:-}" in
-    version|--version|-v|status|stats|doctor|provider|memory|rollback|internal|kpis|proof|wiki)
+    version|--version|-v|status|stats|doctor|provider|memory|rollback|internal|kpis|trust|proof|wiki)
         # v7.5.2: rollback added (wires loki-ts/src/commands/rollback.ts).
         # v7.5.3: internal added for autonomy/run.sh phase1-hooks calls.
         # v7.5.28: kpis added (Phase K MVP: read-only KPI snapshot).
+        # R4: trust added (visible trust trajectory; Bun route, bash fallback).
         #
         # v7.8.2: emit the cli_command product-analytics event for Bun-routed
         # commands. The bash CLI fires this from autonomy/loki main(), but the

package/dashboard/__init__.py

@@ -7,7 +7,7 @@ Modules:
     control: Session control API (start/stop/pause/resume)
 """
 
-__version__ = "7.14.0"
+__version__ = "7.16.0"
 
 # Expose the control app for easy import
 try:

package/dashboard/server.py

@@ -460,6 +460,7 @@ async def _push_loki_state_loop() -> None:
     last_mtime: float = 0.0
     _last_skill_hash: str = ""  # Track skill-session state changes
     _last_budget_status: str = ""  # Track budget-status transitions (R3)
+    _last_trust_signature: str = ""  # Track trust-trajectory changes (R4)
     while True:
         try:
             if not manager.active_connections:
@@ -490,6 +491,30 @@ async def _push_loki_state_loop() -> None:
             except (OSError, ValueError, KeyError):
                 pass
 
+            # R4 visible trust trajectory: proactively push a trust_update when
+            # the trajectory's improving/regressing tally changes (e.g. a new
+            # run just landed a council pass), so an open dashboard reflects the
+            # earned-autonomy trend without a manual refresh. Mirrors the R3
+            # budget_status transition push; reuses manager.broadcast (no second
+            # channel). Signature gates the push so we only broadcast on change.
+            try:
+                _tmod = _load_trust_module()
+                if _tmod is not None:
+                    _traj = _tmod.compute_trajectory(str(loki_dir))
+                    _sig = "%d:%d:%d" % (
+                        _traj.get("runs_count", 0),
+                        _traj.get("improving_count", 0),
+                        _traj.get("regressing_count", 0),
+                    )
+                    if _sig != _last_trust_signature:
+                        await manager.broadcast({
+                            "type": "trust_update",
+                            "data": _traj,
+                        })
+                    _last_trust_signature = _sig
+            except (OSError, ValueError, KeyError):
+                pass
+
             _broadcast_sent = False
 
             if state_file.exists():
@@ -4780,6 +4805,81 @@ async def get_cost_timeline():
     }
 
 
+# =============================================================================
+# Trust trajectory API (R4): is the agent earning autonomy on THIS repo?
+# =============================================================================
+
+_TRUST_MODULE = None  # cached import of autonomy/lib/trust_trajectory.py
+
+
+def _load_trust_module():
+    """Import the shared trust-trajectory derivation (single source of truth).
+
+    The derivation lives in autonomy/lib/trust_trajectory.py so the dashboard
+    endpoint, the bash `cmd_trust`, and the test suite all agree. Loaded via
+    importlib because autonomy/lib is not an importable package. Cached after
+    first load. Returns None if the module cannot be found (degraded mode).
+    """
+    global _TRUST_MODULE
+    if _TRUST_MODULE is not None:
+        return _TRUST_MODULE
+    repo_root = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
+    mod_path = os.path.join(repo_root, "autonomy", "lib", "trust_trajectory.py")
+    if not os.path.isfile(mod_path):
+        return None
+    try:
+        import importlib.util as _ilu
+        spec = _ilu.spec_from_file_location("trust_trajectory", mod_path)
+        if spec is None or spec.loader is None:
+            return None
+        mod = _ilu.module_from_spec(spec)
+        spec.loader.exec_module(mod)
+        _TRUST_MODULE = mod
+        return mod
+    except Exception:
+        return None
+
+
+@app.get("/api/trust/trajectory")
+async def get_trust_trajectory():
+    """Per-project trust trajectory derived from proof-of-run history.
+
+    Mirrors /api/cost/timeline: reads the persistent per-run records under
+    .loki/proofs/<run_id>/proof.json (the same source R3 cost history uses) and
+    derives whether the agent is earning autonomy on THIS repo over time:
+    council pass-rate, gate pass-rate, iterations-to-completion, and (when
+    recorded) human interventions, each with an up/down/flat direction and an
+    `improving` flag that already accounts for per-axis polarity.
+
+    Honest-data rule: with fewer than 2 recorded runs the response is
+    insufficient=True and NO direction is fabricated. Every number derives from
+    real proof.json values; a missing axis is reported available=False, never a
+    misleading zero. No PII leaves the derivation (only run_id, timestamps, and
+    derived numeric axes).
+    """
+    loki_dir = _get_loki_dir()
+    mod = _load_trust_module()
+    if mod is None:
+        return {
+            "schema_version": 1,
+            "available": False,
+            "error": "trust_trajectory module not found",
+            "runs_count": 0,
+            "insufficient": True,
+            "axes": {},
+            "series": [],
+            "notes": ["trust derivation module unavailable in this install"],
+        }
+    traj = mod.compute_trajectory(str(loki_dir))
+    # Best-effort cache write so other surfaces share one source of truth.
+    try:
+        mod.write_trajectory_cache(str(loki_dir), traj)
+    except Exception:
+        pass
+    traj["available"] = True
+    return traj
+
+
 # =============================================================================
 # Pricing API
 # =============================================================================
@@ -6764,6 +6864,18 @@ async def serve_cost_panel():
     return Response(status_code=404)
 
 
+# R4: standalone trust-trajectory page that fetches /api/trust/trajectory.
+# Mirrors the cost.html / /cost pattern: works without the SPA build.
+@app.get("/trust", include_in_schema=False)
+async def serve_trust_panel():
+    """Serve the standalone trust-trajectory HTML panel."""
+    if STATIC_DIR:
+        trust_path = os.path.join(STATIC_DIR, "trust.html")
+        if os.path.isfile(trust_path):
+            return FileResponse(trust_path, media_type="text/html")
+    return Response(status_code=404)
+
+
 # Serve index.html or standalone HTML for root
 @app.get("/", include_in_schema=False)
 async def serve_index():

package/dashboard/static/index.html

@@ -679,6 +679,10 @@
           <svg viewBox="0 0 24 24"><line x1="12" y1="1" x2="12" y2="23"/><path d="M17 5H9.5a3.5 3.5 0 000 7h5a3.5 3.5 0 010 7H6"/></svg>
           Cost
         </button>
+        <button class="nav-link" data-section="trust" id="nav-trust">
+          <svg viewBox="0 0 24 24"><polyline points="3 17 9 11 13 15 21 7" fill="none" stroke="currentColor" stroke-width="2"/><polyline points="15 7 21 7 21 13" fill="none" stroke="currentColor" stroke-width="2"/></svg>
+          Trust
+        </button>
         <button class="nav-link" data-section="checkpoint" id="nav-checkpoint">
           <svg viewBox="0 0 24 24"><path d="M19 21H5a2 2 0 01-2-2V5a2 2 0 012-2h11l5 5v11a2 2 0 01-2 2z"/><polyline points="17 21 17 13 7 13 7 21"/><polyline points="7 3 7 8 15 8"/></svg>
           Checkpoints
@@ -1109,6 +1113,17 @@
         <loki-cost-dashboard id="cost-dashboard"></loki-cost-dashboard>
       </div>
 
+      <!-- Trust Trajectory (R4): embeds the standalone /trust panel so the SPA
+           and the build-free page share one renderer + one /api/trust/trajectory
+           source. Mirrors the cost panel wiring. -->
+      <div class="section-page" id="page-trust">
+        <div class="section-page-header">
+          <h2 class="section-page-title">Trust Trajectory</h2>
+        </div>
+        <iframe id="trust-frame" title="Trust trajectory" src="about:blank"
+          style="width:100%;height:calc(100vh - 160px);border:0;border-radius:8px;background:#0f1115;"></iframe>
+      </div>
+
       <!-- Checkpoints -->
       <div class="section-page" id="page-checkpoint">
         <div class="section-page-header">
@@ -13808,6 +13823,15 @@ document.addEventListener('DOMContentLoaded', function() {
     if (pageEl) {
       pageEl.classList.add('active');
     }
+    // R4: lazy-load the trust panel iframe on first open (avoids a fetch on
+    // every page that the user never visits).
+    if (sectionId === 'trust') {
+      var tframe = document.getElementById('trust-frame');
+      if (tframe && (!tframe.src || tframe.src === 'about:blank' ||
+          tframe.getAttribute('src') === 'about:blank')) {
+        tframe.src = '/trust';
+      }
+    }
     // Update nav active state
     navLinks.forEach(function(link) { link.classList.remove('active'); });
     var navEl = document.querySelector('.nav-link[data-section="' + sectionId + '"]');
@@ -13834,7 +13858,7 @@ document.addEventListener('DOMContentLoaded', function() {
   document.addEventListener('keydown', function(e) {
     if ((e.metaKey || e.ctrlKey) && ((e.key >= '1' && e.key <= '9') || e.key === '0')) {
       e.preventDefault();
-      var sections = ['overview', 'insights', 'prd-checklist', 'app-runner', 'council', 'quality', 'cost', 'checkpoint', 'context', 'notifications', 'migration', 'analytics', 'escalations'];
+      var sections = ['overview', 'insights', 'prd-checklist', 'app-runner', 'council', 'quality', 'cost', 'trust', 'checkpoint', 'context', 'notifications', 'migration', 'analytics', 'escalations'];
       var idx = e.key === '0' ? 9 : parseInt(e.key) - 1;
       if (idx < sections.length) switchSection(sections[idx]);
     }
@@ -13875,7 +13899,7 @@ document.addEventListener('DOMContentLoaded', function() {
     // Skip if modifier keys are held (let browser defaults work)
     if (e.metaKey || e.ctrlKey || e.altKey) return;
 
-    var sections = ['overview', 'insights', 'prd-checklist', 'app-runner', 'council', 'quality', 'cost', 'checkpoint', 'context', 'notifications', 'migration', 'analytics', 'escalations'];
+    var sections = ['overview', 'insights', 'prd-checklist', 'app-runner', 'council', 'quality', 'cost', 'trust', 'checkpoint', 'context', 'notifications', 'migration', 'analytics', 'escalations'];
 
     switch (e.key) {
       // Section navigation: 1-9, 0