loki-mode 7.23.1 → 7.25.0

package/README.md

@@ -26,6 +26,8 @@
 
 - **Spec-driven, autonomous, with a built-in trust layer** -- Hand Loki a spec, walk away, come back to working code with tests. The full RARV-C closure loop (Reason - Act - Reflect - Verify - Close) runs until the work is actually done, not just attempted. The verified-completion evidence gate (`skills/quality-gates.md`) refuses any "done" claim on an empty git diff against the run-start commit, and blocks completion when tests run red, so "complete" means proven, not promised.
 - **Production quality built in** -- 11 quality gates (`skills/quality-gates.md`), blind 3-reviewer code review (`run.sh:run_code_review()`), anti-sycophancy checks
+- **Live App Preview** -- The dashboard embeds the locally-running app in an iframe so you can interact with it immediately during a build. Use `loki preview` (alias `loki open`) to print the URL and open it in your browser. Local-first: no hosted service, no vendor lock (v7.24.0).
+- **Intelligent `loki start`** -- For interactive foreground runs the dashboard auto-opens in the browser (cross-platform; skipped in CI, SSH-without-TTY, and piped runs; opt out with `LOKI_NO_AUTO_OPEN=1`). The completion summary shows "Your app is live at <url>" so you know exactly where to try what Loki just built. The autonomous loop passes Claude Code's `--effort`, `--max-budget-usd`, and `--fallback-model` on every iteration (each gated on CLI support and individual opt-out env vars) for better long-run unattended execution (v7.25.0).
 - **Cross-project memory** -- Episodic/semantic/procedural memory with vector search; knowledge learned on one project surfaces on the next (v5.15.0+, see `memory/engine.py`)
 - **Self-hosted and private** -- Your keys, your infrastructure, no data leaves your network
 - **Legacy system healing** -- `loki heal` archaeology/stabilize/isolate/modernize/validate phases (v6.67.0, see `skills/healing.md`)
@@ -251,7 +253,7 @@ Blind review, anti-sycophancy, severity blocking, mock/mutation detection, backw
 <td width="33%" valign="top">
 
 ### Dashboard
-Real-time monitoring, agent status, task queue, WebSocket streaming. Auto-starts at `localhost:57374`.
+Real-time monitoring, agent status, task queue, WebSocket streaming, and Live App Preview (embedded iframe of the running app with Refresh/Open/Restart toolbar). Auto-starts at `localhost:57374`.
 
 [Dashboard Guide](docs/dashboard-guide.md)
 
@@ -346,12 +348,13 @@ Claude gets full features (subagents, parallelization, MCP, Task tool). Other ac
 
 | Command | Description |
 |---------|-------------|
-| `loki start [PRD]` | Start with optional PRD file (also accepts an issue ref; replaces deprecated `loki run`) |
+| `loki start [PRD]` | Start with optional PRD file (also accepts an issue ref; replaces deprecated `loki run`). Auto-opens the dashboard in the browser for interactive runs and passes native `--effort`/`--max-budget-usd`/`--fallback-model` for resilience (v7.25.0) |
 | `loki stop` | Stop execution |
 | `loki heal <path>` | Legacy system healing (archaeology, stabilize, isolate, modernize, validate -- v6.67.0) |
 | `loki pause` / `resume` | Pause/resume after current session |
 | `loki status` | Show current status |
 | `loki dashboard` | Open web dashboard |
+| `loki preview` / `loki open` | Print running app URL and open in browser (Live App Preview, v7.24.0) |
 | `loki web` | Launch Purple Lab web UI |
 | `loki doctor` | Check environment and dependencies |
 | `loki plan [PRD]` | Pre-execution analysis: complexity, cost, iterations |
@@ -421,7 +424,7 @@ See [benchmarks/](benchmarks/) for methodology.
 
 ![Loki Mode Presentation](docs/loki-mode-presentation.gif)
 
-*9 slides: Problem, Solution, 41 Agents, RARV Cycle, Benchmarks, Multi-Provider, Full Lifecycle*
+*11 slides: Problem, Solution, 41 Agents, RARV Cycle, 9 Quality Gates (HumanEval 98.78%), Multi-Provider, Enterprise Hardening (Live App Preview), Full Lifecycle*
 
 **[Download PPTX](docs/loki-mode-presentation.pptx)**
 

package/SKILL.md

@@ -3,7 +3,7 @@ name: loki-mode
 description: Autonomous spec-driven build system with a built-in trust layer. It does not call work done until it is verified (RARV-C closure loop, 11 quality gates, completion council, verified-completion evidence gate). Triggers on "Loki Mode". Takes a spec (PRD, GitHub issue, OpenAPI doc, etc.) to deployed product with minimal human intervention. Provider-agnostic. Requires --dangerously-skip-permissions flag.
 ---
 
-# Loki Mode v7.23.1
+# Loki Mode v7.25.0
 
 **You are an autonomous agent. You make decisions. You do not ask questions. You do not stop.**
 
@@ -383,4 +383,4 @@ See `CHANGELOG.md` entries [7.5.7], [7.5.8], [7.5.13] for the per-fix list and r
 
 ---
 
-**v7.23.1 | [Autonomi](https://www.autonomi.dev/) flagship product | ~260 lines core**
+**v7.25.0 | [Autonomi](https://www.autonomi.dev/) flagship product | ~260 lines core**

package/VERSION

@@ -1 +1 @@
-7.23.1
+7.25.0

package/autonomy/loki

@@ -536,6 +536,7 @@ show_help() {
     echo "  logs             Show recent log output"
     echo "  dashboard [cmd]  Dashboard server (start|stop|status|url|open)"
     echo "  web [cmd]        Web app UI (start|stop|status) -- serves web-app/dist/"
+    echo "  preview          Open the running app Loki built (alias: open)"
     echo "  provider [cmd]   Manage AI provider (show|set|list|info)"
     echo "  serve            Start dashboard/API server (alias for api start)"
     echo "  api [cmd]        Dashboard/API server (start|stop|status)"
@@ -4751,6 +4752,87 @@ cmd_web_status() {
     echo "Purple Lab is not running."
 }
 
+# Open the running app preview (the app Loki built and started locally).
+# Surfaces the existing app-runner state; does not start or change the app.
+cmd_preview() {
+    local open_browser=true
+    case "${1:-}" in
+        --help|-h|help)
+            echo -e "${BOLD}Loki Mode -- open the running app preview${NC}"
+            echo ""
+            echo "Usage: loki preview [--no-open]"
+            echo "       loki open      (alias)"
+            echo ""
+            echo "Prints the URL of the app Loki built and started locally, then"
+            echo "opens it in your browser. The app runner starts the app after the"
+            echo "first successful build iteration. This serves a real local build"
+            echo "from localhost on your machine; it is not hosted."
+            echo ""
+            echo "Options:"
+            echo "  --no-open    Print the URL and status only; do not open a browser"
+            echo "  --help, -h   Show this help and exit"
+            return 0
+            ;;
+        --no-open)
+            open_browser=false
+            ;;
+    esac
+
+    local state_file="${LOKI_DIR}/app-runner/state.json"
+    if [ ! -f "$state_file" ]; then
+        echo "No app running. The app runner starts after the first successful build iteration."
+        echo "Run 'loki status' to check the current run."
+        return 0
+    fi
+
+    # Parse url/status/port. Prefer python3 (used throughout); fall back to grep.
+    # Pass the path as argv (not inline interpolation) so a path with quotes
+    # cannot break the script, and parse all three fields in one invocation.
+    local url status port parsed
+    if command -v python3 &> /dev/null; then
+        parsed=$(python3 -c "import json,sys
+try:
+    d=json.load(open(sys.argv[1]))
+    print(d.get('url',''))
+    print(d.get('status',''))
+    print(d.get('port',''))
+except Exception:
+    print('');print('');print('')" "$state_file" 2>/dev/null)
+        url=$(printf '%s\n' "$parsed" | sed -n '1p')
+        status=$(printf '%s\n' "$parsed" | sed -n '2p')
+        port=$(printf '%s\n' "$parsed" | sed -n '3p')
+    else
+        url=$(grep -oE '"url"[[:space:]]*:[[:space:]]*"[^"]*"' "$state_file" 2>/dev/null | head -1 | sed 's/.*"url"[[:space:]]*:[[:space:]]*"//;s/"$//')
+        status=$(grep -oE '"status"[[:space:]]*:[[:space:]]*"[^"]*"' "$state_file" 2>/dev/null | head -1 | sed 's/.*"status"[[:space:]]*:[[:space:]]*"//;s/"$//')
+        port=$(grep -oE '"port"[[:space:]]*:[[:space:]]*[0-9]+' "$state_file" 2>/dev/null | head -1 | grep -oE '[0-9]+$')
+    fi
+
+    if [ "$status" != "running" ]; then
+        echo "App is not running (status: ${status:-unknown})."
+        echo "The app runner starts the app after a successful build iteration."
+        return 0
+    fi
+
+    if [ -z "$url" ]; then
+        url="http://localhost:${port:-3000}"
+    fi
+
+    echo -e "${GREEN}Live app:${NC} $url  [running, port ${port:-?}]"
+    echo "Served from localhost on this machine."
+
+    if [ "$open_browser" = true ]; then
+        if command -v open &> /dev/null; then
+            open "$url"
+        elif command -v xdg-open &> /dev/null; then
+            xdg-open "$url"
+        elif command -v start &> /dev/null; then
+            start "$url"
+        else
+            echo "Please open in browser: $url"
+        fi
+    fi
+}
+
 # Import GitHub issues
 cmd_import() {
     # v7.6.2 B-13 fix: --help must print help, not start an import.
@@ -13296,6 +13378,9 @@ main() {
         web)
             cmd_web "$@"
             ;;
+        preview|open)
+            cmd_preview "$@"
+            ;;
         logs)
             cmd_logs "$@"
             ;;

package/autonomy/run.sh

@@ -2423,6 +2423,20 @@ build_completion_summary() {
         *)              outcome_label="$outcome";          notify_title="Run finished" ;;
     esac
 
+    # Live app URL (best-effort): if the app runner has a running app, surface
+    # where the user can try it. Reads .loki/app-runner/state.json written by
+    # app-runner.sh. Empty when no app is running.
+    local live_app_url=""
+    local _app_state_file="$loki_dir/app-runner/state.json"
+    if [ -f "$_app_state_file" ]; then
+        live_app_url="$(python3 -c "import json,sys
+try:
+    d=json.load(open(sys.argv[1]))
+    print(d.get('url','') if d.get('status')=='running' else '')
+except Exception:
+    print('')" "$_app_state_file" 2>/dev/null)"
+    fi
+
     # Branch + diff stats vs the run-start SHA (best-effort; non-git or empty
     # baseline yields empty values, which we render as "unknown"/"0").
     local start_sha="${_LOKI_RUN_START_SHA:-}"
@@ -2483,6 +2497,15 @@ build_completion_summary() {
             echo "Pull request: not opened (set LOKI_DELEGATE_PR=1 to open one)"
         fi
         echo ""
+        if [ -n "$live_app_url" ]; then
+            # Compute the dashboard scheme the same way start_dashboard does
+            # (url_scheme is local to that function, not visible here).
+            local _dash_scheme="http"
+            [ -n "${LOKI_TLS_CERT:-}" ] && [ -n "${LOKI_TLS_KEY:-}" ] && _dash_scheme="https"
+            echo "Your app is live at: $live_app_url  (served locally on this machine)"
+            echo "  Dashboard: ${_dash_scheme}://127.0.0.1:${DASHBOARD_PORT:-57374}/  (App Runner -> Live App)"
+            echo ""
+        fi
         echo "Tasks: pending=$pending in_progress=$in_progress completed=$completed failed=$failed"
         echo ""
         echo "Review the work:"
@@ -8216,9 +8239,22 @@ start_dashboard() {
         log_info "Dashboard started (PID: $DASHBOARD_PID)"
         log_info "Dashboard: ${CYAN}${url_scheme}://127.0.0.1:$DASHBOARD_PORT/${NC}"
 
-        # Open in browser (macOS)
-        if [[ "$OSTYPE" == "darwin"* ]]; then
-            open "${url_scheme}://127.0.0.1:$DASHBOARD_PORT/" 2>/dev/null || true
+        # Auto-open the dashboard in the browser, but ONLY for an interactive
+        # foreground session. Gated on: a TTY on stdout ([ -t 1 ]), not
+        # background/detached mode, and not explicitly opted out via
+        # LOKI_NO_AUTO_OPEN=1. This keeps CI, --detach, SSH-no-TTY, and piped
+        # runs from spawning a browser. Cross-platform: open / xdg-open / start.
+        if [ -t 1 ] && [ "${BACKGROUND_MODE:-false}" != "true" ] && [ "${LOKI_NO_AUTO_OPEN:-0}" != "1" ]; then
+            local _dash_url="${url_scheme}://127.0.0.1:$DASHBOARD_PORT/"
+            if command -v open >/dev/null 2>&1; then
+                open "$_dash_url" 2>/dev/null || true
+            elif command -v xdg-open >/dev/null 2>&1; then
+                xdg-open "$_dash_url" 2>/dev/null || true
+            elif command -v cmd.exe >/dev/null 2>&1; then
+                # Windows (Git Bash/WSL): `start` is a cmd builtin, not on PATH,
+                # so invoke it via cmd.exe. The empty "" is start's title arg.
+                cmd.exe /c start "" "$_dash_url" 2>/dev/null || true
+            fi
         fi
         return 0
     else
@@ -12141,6 +12177,59 @@ except Exception as exc:
            && loki_claude_flag_supported "--include-partial-messages"; then
             _loki_claude_argv+=("--include-partial-messages")
         fi
+        # ---- Bash<->Bun invocation-flag convergence ledger (v7.25.0) ----------
+        # The fixture corpus covers build_prompt/stats output, NOT this claude
+        # argv, so drift here is invisible to parity tests. Keep this ledger
+        # current. Live route today is BASH (bin/loki routes `start` -> bash).
+        # The claude provider in loki-ts/src/runner/providers.ts is implemented
+        # but is NOT reached for `start` (start is not ported to the Bun router;
+        # the shim falls through to bash), so its flag set has zero live impact
+        # today.
+        # Bash argv (canonical, live): --dangerously-skip-permissions --model M
+        #   [--append-system-prompt] [--setting-sources] [--include-partial-messages]
+        #   [--effort] [--max-budget-usd] [--fallback-model] -p PROMPT
+        #   --output-format stream-json --verbose
+        # Bun buildAutoFlags also emits: --exclude-dynamic-system-prompt-sections
+        #   (cost-only), --mcp-config (bash gets MCP via --setting-sources +
+        #   .mcp.json discovery; a how-difference, likely behavior-equivalent),
+        #   --include-hook-events (bash handles hook events in its embedded
+        #   stream parser; likely moot). These three are Bun-only and MUST be
+        #   reconciled to a deliberately chosen canonical set BEFORE `start`
+        #   flips to the Bun runner. They have zero live impact today.
+        # v7.25.0: long-run resilience + cost flags, appended individually here
+        # (NOT via _loki_build_claude_auto_flags, which would double the three
+        # flags above). Each is gated on CLI support + an opt-out env var, same
+        # pattern as above. These improve unattended/long-run execution:
+        #   --effort           adaptive reasoning depth per RARV tier
+        #   --max-budget-usd   per-call hard backstop (complements the
+        #                      cumulative check_budget_limit PAUSE gate)
+        #   --fallback-model   resilience to model overload/unavailability
+        # The trust/verification gates stay deterministic; these only tune how
+        # the provider is invoked, never whether work is judged complete.
+        if [ "${LOKI_AUTO_EFFORT:-on}" != "off" ] \
+           && type loki_effort_for_tier >/dev/null 2>&1 \
+           && type loki_claude_flag_supported >/dev/null 2>&1 \
+           && loki_claude_flag_supported "--effort"; then
+            local _loki_effort
+            _loki_effort="$(loki_effort_for_tier "$CURRENT_TIER" "${DETECTED_COMPLEXITY:-${LOKI_COMPLEXITY:-standard}}")"
+            [ -n "$_loki_effort" ] && _loki_claude_argv+=("--effort" "$_loki_effort")
+        fi
+        if [ "${LOKI_AUTO_BUDGET:-on}" != "off" ] \
+           && type loki_remaining_budget >/dev/null 2>&1 \
+           && type loki_claude_flag_supported >/dev/null 2>&1 \
+           && loki_claude_flag_supported "--max-budget-usd"; then
+            local _loki_rem_budget
+            _loki_rem_budget="$(loki_remaining_budget)"
+            [ -n "$_loki_rem_budget" ] && _loki_claude_argv+=("--max-budget-usd" "$_loki_rem_budget")
+        fi
+        if [ "${LOKI_AUTO_FALLBACK:-on}" != "off" ] \
+           && type loki_fallback_for_primary >/dev/null 2>&1 \
+           && type loki_claude_flag_supported >/dev/null 2>&1 \
+           && loki_claude_flag_supported "--fallback-model"; then
+            local _loki_fallback
+            _loki_fallback="$(loki_fallback_for_primary "$tier_param")"
+            [ -n "$_loki_fallback" ] && _loki_claude_argv+=("--fallback-model" "$_loki_fallback")
+        fi
         case "${PROVIDER_NAME:-claude}" in
             claude)
                 # Claude: Full features with stream-json output and agent tracking

package/dashboard/__init__.py

@@ -7,7 +7,7 @@ Modules:
     control: Session control API (start/stop/pause/resume)
 """
 
-__version__ = "7.23.1"
+__version__ = "7.25.0"
 
 # Expose the control app for easy import
 try:

package/dashboard/server.py

@@ -6628,20 +6628,97 @@ async def get_app_runner_status():
         return {"status": "error"}
 
 
+def _get_log_redactor():
+    """Lazily load autonomy/lib/proof_redact.redact_value.
+
+    Lives under autonomy/lib (not on the dashboard import path), so import it
+    by path with a graceful fallback. Returns a callable str -> str. On any
+    import failure returns a redactor that withholds the line rather than
+    leaking raw runtime output (which can contain secrets in stack traces).
+    """
+    cached = getattr(_get_log_redactor, "_cached", None)
+    if cached is not None:
+        return cached
+    try:
+        import importlib.util
+
+        lib_path = _Path(__file__).resolve().parent.parent / "autonomy" / "lib" / "proof_redact.py"
+        spec = importlib.util.spec_from_file_location("loki_proof_redact", str(lib_path))
+        if spec is None or spec.loader is None:
+            raise ImportError("proof_redact spec unavailable")
+        mod = importlib.util.module_from_spec(spec)
+        spec.loader.exec_module(mod)
+        try:
+            mod.set_context(home=os.path.expanduser("~"), repo_root=str(_project_root()))
+        except Exception:
+            pass
+        redactor = mod.redact_value
+    except Exception:
+        # Fail closed: withhold rather than leak raw log content.
+        def redactor(_s):
+            return "[log withheld: redactor unavailable]"
+    _get_log_redactor._cached = redactor
+    return redactor
+
+
 @app.get("/api/app-runner/logs")
 async def get_app_runner_logs(lines: int = Query(default=100, ge=1, le=1000)):
-    """Get last N lines of app runner logs."""
+    """Get last N lines of app runner logs (redacted)."""
     loki_dir = _get_loki_dir()
     log_file = loki_dir / "app-runner" / "app.log"
     if not log_file.exists():
         return {"lines": []}
     try:
+        redact = _get_log_redactor()
         all_lines = _safe_read_text(log_file).splitlines()
-        return {"lines": all_lines[-lines:]}
+        return {"lines": [redact(ln) for ln in all_lines[-lines:]], "redacted": True}
     except OSError:
         return {"lines": []}
 
 
+@app.get("/api/app-runner/errors")
+async def get_app_runner_errors(lines: int = Query(default=50, ge=1, le=500)):
+    """Get the last N lines of app runner output, redacted, plus crash state.
+
+    Powers the dashboard error banner. Reads .loki/app-runner/app.log (the same
+    log the app writes) and the crash/status fields from state.json so the UI
+    can decide whether to surface the banner without a second round-trip.
+    The error banner is fed exclusively by this server-side endpoint: the
+    running app is cross-origin to the dashboard, so the browser cannot read
+    runtime errors out of the preview iframe.
+    """
+    loki_dir = _get_loki_dir()
+    app_dir = loki_dir / "app-runner"
+    log_file = app_dir / "app.log"
+    state_file = app_dir / "state.json"
+
+    status = "not_initialized"
+    crash_count = 0
+    if state_file.exists():
+        try:
+            state = json.loads(state_file.read_text())
+            status = state.get("status", "unknown")
+            crash_count = int(state.get("crash_count", 0) or 0)
+        except (json.JSONDecodeError, OSError, ValueError, TypeError):
+            status = "error"
+
+    out_lines = []
+    if log_file.exists():
+        try:
+            redact = _get_log_redactor()
+            all_lines = _safe_read_text(log_file).splitlines()
+            out_lines = [redact(ln) for ln in all_lines[-lines:]]
+        except OSError:
+            out_lines = []
+
+    return {
+        "lines": out_lines,
+        "redacted": True,
+        "status": status,
+        "crash_count": crash_count,
+    }
+
+
 @app.post("/api/control/app-restart", dependencies=[Depends(auth.require_scope("control"))])
 async def control_app_restart(request: Request):
     """Signal app runner to restart the application."""