loki-mode 7.28.2 → 7.30.0

package/README.md

@@ -28,13 +28,14 @@
 - **Production quality built in** -- 11 quality gates (`skills/quality-gates.md`), blind 3-reviewer code review (`run.sh:run_code_review()`), anti-sycophancy checks
 - **Standalone verification: `loki verify`** -- Run Loki's deterministic gates (build, tests, static analysis, secret scan, dependency audit) against any branch or PR diff, including code written by other agents or humans. CI-ready exit codes (0 VERIFIED, 1 CONCERNS, 2 BLOCKED), machine-readable evidence at `.loki/verify/evidence.json`. Inconclusive evidence is never reported as VERIFIED (v7.27.0).
 - **Living spec and pre-build interrogation** -- `loki spec` locks a spec and detects drift deterministically (`spec.lock`, `drift-report.json`, and a `SPEC_DRIFT` finding in `loki verify` with CI exit codes), so you can tell when the build diverges from what was agreed. `loki grill` runs a Devil's-Advocate interrogation of the spec before you build, surfacing gaps and contradictions early (v7.28.0).
+- **Guided first build: `loki quickstart`** -- four quick questions (setup check, one-line idea, template pick, plan review) and your build starts; pressing Enter through every step builds the sample Todo app. The plan step quotes the real cost/time estimate before anything is spent, and `loki demo` now confirms its estimate the same way. If no AI provider CLI is installed, Loki offers to install Claude Code (consent-gated, interactive terminals only) (v7.29.0).
 - **Live App Preview** -- The dashboard embeds the locally-running app in an iframe so you can interact with it immediately during a build. Use `loki preview` (alias `loki open`) to print the URL and open it in your browser. Local-first: no hosted service, no vendor lock (v7.24.0).
 - **Compose-first fullstack** -- When a spec needs more than one service (web + database + cache) Loki generates a 12-factor `docker-compose.yml` with healthchecks, `depends_on` wiring, env-var config, and a `.env.example`. The Live App Preview surfaces the web service URL (not a database port), and health reflects the web service's Docker healthcheck so a crashed app shows as crashed even when the database stays up. Single-service apps stay on a plain run command. All local-first, no hosted service (v7.26.0).
 - **Intelligent `loki start`** -- For interactive foreground runs the dashboard auto-opens in the browser (cross-platform; skipped in CI, SSH-without-TTY, and piped runs; opt out with `LOKI_NO_AUTO_OPEN=1`). The completion summary shows "Your app is live at <url>" so you know exactly where to try what Loki just built. The autonomous loop passes Claude Code's `--effort`, `--max-budget-usd`, and `--fallback-model` on every iteration (each gated on CLI support and individual opt-out env vars) for better long-run unattended execution (v7.25.0).
 - **Cross-project memory** -- Episodic/semantic/procedural memory with vector search; knowledge learned on one project surfaces on the next (v5.15.0+, see `memory/engine.py`)
 - **Self-hosted and private** -- Your keys, your infrastructure, no data leaves your network
 - **Legacy system healing** -- `loki heal` archaeology/stabilize/isolate/modernize/validate phases (v6.67.0, see `skills/healing.md`)
-- **MCP server** -- 34 tools (including ChromaDB code search) plus 3 resources and 2 prompts (`mcp/server.py`, with managed-memory and magic tools registered from `mcp/managed_tools.py` and `mcp/magic_tools.py`)
+- **MCP server** -- 34 tools (including ChromaDB code search) plus 3 resources and 2 prompts (`mcp/server.py`, with magic tools registered from `mcp/magic_tools.py` and the managed-memory tool from `mcp/managed_tools.py`). Of the 34, 33 are always available; `loki_memory_redact` is registered but only succeeds when `LOKI_MANAGED_AGENTS=true` and `LOKI_MANAGED_MEMORY=true`. Launch with `loki mcp` (bootstraps the Python MCP SDK on first run).
 - **Full-stack output** -- Source code, tests, Docker Compose stacks (multi-service with healthchecks), CI/CD pipelines, audit logs
 - **Provider-agnostic** -- runs on Claude, Codex, Cline, or Aider with automatic failover (`loki-ts/src/runner/providers.ts`); no vendor lock-in. Gemini CLI deprecated v7.5.18; Antigravity CLI coming soon.
 - **Open source** -- Free for personal, internal, and academic use.
@@ -101,7 +102,7 @@ loki quick "build a landing page with a signup form"
 |--------|---------|-------|
 | **Bun (recommended)** | `bun install -g loki-mode` | Fastest startup for CLI commands. |
 | **Homebrew** | `brew tap asklokesh/tap && brew install loki-mode` | Auto-installs Bun as a dep |
-| **Docker** | `docker pull asklokesh/loki-mode:7.28.2 && docker run --rm asklokesh/loki-mode:7.28.2 start prd.md` | Bun pre-installed in image |
+| **Docker** | `docker pull asklokesh/loki-mode:7.30.0 && docker run --rm asklokesh/loki-mode:7.30.0 start prd.md` | Bun pre-installed in image |
 | **npm (compat)** | `npm install -g loki-mode` | Works without Bun (bash fallback). Migrate any time with `loki self-update --to bun`. |
 
 **Upgrading:**
@@ -161,7 +162,7 @@ The next major release sunsets the Bash runtime entirely. There is no firm calen
 | Method | Command |
 |--------|---------|
 | **Homebrew** | `brew tap asklokesh/tap && brew install loki-mode` |
-| **Docker** | `docker pull asklokesh/loki-mode:7.28.2` |
+| **Docker** | `docker pull asklokesh/loki-mode:7.30.0` |
 | **Inside Claude Code** | `claude --dangerously-skip-permissions` then type "Loki Mode" |
 | **Git clone** | `git clone https://github.com/asklokesh/loki-mode.git` |
 

package/SKILL.md

@@ -3,7 +3,7 @@ name: loki-mode
 description: Autonomous spec-driven build system with a built-in trust layer. It does not call work done until it is verified (RARV-C closure loop, 11 quality gates, completion council, verified-completion evidence gate). Triggers on "Loki Mode". Takes a spec (PRD, GitHub issue, OpenAPI doc, etc.) to deployed product with minimal human intervention. Provider-agnostic. Requires --dangerously-skip-permissions flag.
 ---
 
-# Loki Mode v7.28.2
+# Loki Mode v7.30.0
 
 **You are an autonomous agent. You make decisions. You do not ask questions. You do not stop.**
 
@@ -342,6 +342,12 @@ Two completion-trust features extend the verification gates. Full details in `sk
 - **Held-out spec evals:** ~25% of checklist items (deterministic `sha256(id)` order, `N >= 4`) are reserved into `.loki/checklist/held-out.json` and excluded from the build prompt feed; the completion council blocks if a held-out item fails. Opt out with `LOKI_HELDOUT_GATE=0`. Honest limit: this guards the prompt feed, not a sandbox; the reservation file is on disk and an agent with filesystem access can read it.
 - **Inconclusive-baseline disclosure:** when the evidence gate cannot establish a diff baseline (`no_git_repo` / `no_run_start_sha`) it writes `.loki/state/evidence-inconclusive.json` and `COMPLETION.txt` carries an honest "not independently verified" line. It never blocks non-git projects; red tests still block.
 
+## First-run UX (v7.29.0)
+
+- **`loki quickstart`:** guided 4-step first build (setup check, one-line idea, offline template match, plan review with real estimator figures); Enter-through-everything builds the sample Todo app; non-TTY/CI exits 2 with an automation hint.
+- **Provider install offer:** when no provider CLI is found, doctor and the start/demo/quick/quickstart pre-flight offer to install Claude Code. Consent-gated on an interactive TTY only; the single command executed is printed first; auth handoff via `claude auth login` with readiness confirmed by `claude auth status`. Opt out: `LOKI_NO_INSTALL_OFFER=1`.
+- **`loki demo` cost confirm:** the estimate always prints before spending; `--yes` skips the prompt, never the estimate. `LOKI_COMPLEXITY` is honored by `loki plan` with an honest forced-tier note.
+
 ---
 
 ## Concurrency and Security Hardening (v7.5.7 - v7.5.13)
@@ -392,4 +398,4 @@ See `CHANGELOG.md` entries [7.5.7], [7.5.8], [7.5.13] for the per-fix list and r
 
 ---
 
-**v7.28.2 | [Autonomi](https://www.autonomi.dev/) flagship product | ~260 lines core**
+**v7.30.0 | [Autonomi](https://www.autonomi.dev/) flagship product | ~260 lines core**

package/VERSION

@@ -1 +1 @@
-7.28.2
+7.30.0

package/autonomy/loki

@@ -68,6 +68,24 @@ if [ -f "$_LOKI_SCRIPT_DIR/crash.sh" ]; then
     source "$_LOKI_SCRIPT_DIR/crash.sh"
 fi
 
+# Provider install offer (v7.29.0): shared, self-contained helper providing
+# detect_any_provider, offer_provider_install, and provider_offer_gate. Sourced
+# here for the bash route; doctor.ts invokes the same file via child_process so
+# the offer copy never drifts between routes. Self-guarded against double-source.
+if [ -f "$_LOKI_SCRIPT_DIR/provider-offer.sh" ]; then
+    # shellcheck source=provider-offer.sh
+    source "$_LOKI_SCRIPT_DIR/provider-offer.sh"
+fi
+
+# Quickstart guided interview (v7.29.0): provides cmd_quickstart and its
+# deterministic offline template matcher. Functions-only file (no top-level
+# command), sourced here so the dispatch case can call cmd_quickstart. Composes
+# the provider offer (above), show_prd_plan, and cmd_start. Self-guarded.
+if [ -f "$_LOKI_SCRIPT_DIR/quickstart.sh" ]; then
+    # shellcheck source=quickstart.sh
+    source "$_LOKI_SCRIPT_DIR/quickstart.sh"
+fi
+
 # Resolve the script's real path (handles symlinks)
 resolve_script_path() {
     local script="$1"
@@ -522,6 +540,7 @@ show_help() {
     echo "  quick \"task\"     Quick single-task mode (lightweight, 3 iterations max)"
     echo "  monitor [path]   Monitor Docker Compose services with auto-fix (v6.67.0)"
     echo "  demo             Build a sample todo app end to end (real run)"
+    echo "  quickstart [idea]  Guided first build: setup, idea, template, plan, go"
     echo "  init [name]      Project scaffolding with 21 PRD templates"
     echo "  issue <url|num>  (deprecated) Use 'loki start <issue-ref>' instead"
     echo "  watch [prd]      Auto-rerun on PRD file changes (v6.33.0)"
@@ -683,6 +702,13 @@ show_help() {
 show_landing() {
     local version
     version=$(get_version)
+    # v7.30.0 (item 5): strip color when stdout is not a TTY (piped/redirected)
+    # in addition to the global NO_COLOR honoring above, so captured landing
+    # output is clean. Local overrides only; the rest of the CLI is untouched.
+    local BOLD="$BOLD" CYAN="$CYAN" NC="$NC"
+    if [ ! -t 1 ]; then
+        BOLD=''; CYAN=''; NC=''
+    fi
     echo -e "${BOLD}Loki Mode v$version${NC} - the spec-driven builder that verifies its own work."
     echo ""
     echo -e "First time here? ${CYAN}loki doctor${NC} checks your setup (an AI provider CLI is required)."
@@ -690,6 +716,7 @@ show_landing() {
     echo "Get started:"
     echo -e "  ${CYAN}loki start ./prd.md${NC}   Build from a spec (PRD file, GitHub issue, or no arg)"
     echo -e "  ${CYAN}loki demo${NC}             Build a sample todo app end to end (real run)"
+    echo -e "  ${CYAN}loki web${NC}              Open the visual builder to input a spec and watch agents build"
     echo -e "  ${CYAN}loki dashboard start${NC}  Start the live run monitor (then: loki dashboard open)"
     echo ""
     echo -e "Need help? ${CYAN}loki help${NC} lists every command."
@@ -1260,6 +1287,17 @@ cmd_start() {
         esac
     done
 
+    # v7.29.0: provider pre-flight gate. If no provider CLI is installed, offer
+    # to install one (TTY) or print honest manual instructions and exit 2
+    # (non-TTY/CI), BEFORE any spend or runner entry. This moves what used to be
+    # an opaque deep-runner failure to a friendly, actionable top-of-run gate.
+    # --help already returned inside the arg loop, so we never gate help.
+    if declare -f provider_offer_gate >/dev/null 2>&1; then
+        if ! provider_offer_gate; then
+            exit 2
+        fi
+    fi
+
     # Clear any stale raw-brief marker from a PRIOR run before we decide the
     # mode of THIS run. Only the brief branch (below) re-writes it. Without this,
     # a brief run leaves .loki/state/brief.txt behind and a later non-brief run
@@ -2286,10 +2324,18 @@ PYDASH
     # v7.7.30: --all preserves the legacy machine-wide kill. It runs even when
     # the current folder has no live session (the "clean everything" use case),
     # reaping every folder's orphaned loki-run-* temp script (SIGTERM, SIGKILL).
+    #
+    # The kill pattern is "loki-run-" for real users and is NOT user-overridable
+    # at the CLI -- that is the documented machine-wide behavior. LOKI_STOP_ALL_PATTERN
+    # exists ONLY so the test suite can exercise this exact code path against its
+    # own uniquely-marked fake runners without SIGKILLing an unrelated live
+    # loki-run-* on the same machine (e.g. a long SWE-bench instance). It defaults
+    # to "loki-run-" so user-facing semantics are unchanged when unset.
     if [ "$stop_all" = true ]; then
-        pkill -f "loki-run-" 2>/dev/null || true
+        local _stop_all_pat="${LOKI_STOP_ALL_PATTERN:-loki-run-}"
+        pkill -f "$_stop_all_pat" 2>/dev/null || true
         sleep 0.5
-        pkill -9 -f "loki-run-" 2>/dev/null || true
+        pkill -9 -f "$_stop_all_pat" 2>/dev/null || true
         echo -e "${RED}--all: signalled all loki-run-* processes on this machine.${NC}"
     fi
 }
@@ -4698,8 +4744,10 @@ cmd_web_stop() {
         rm -f "$pids_file" 2>/dev/null || true
     fi
 
-    # Global cleanup: kill ALL loki-related processes regardless of CWD
-    # This ensures "loki web stop" from anywhere cleans up everything
+    # Companion cleanup: stop the dashboard server that the web UI runs
+    # alongside. Scoped to the dashboard, NOT to every loki process: the
+    # documented intent of "loki web stop" is to stop the Purple Lab web UI
+    # session, not to reap unrelated builds.
 
     # Kill any dashboard server (by process name and by port)
     local dash_port="${LOKI_DASHBOARD_PORT:-57374}"
@@ -4724,21 +4772,14 @@ cmd_web_stop() {
         kill -0 "$dash_port_pid" 2>/dev/null && kill -9 "$dash_port_pid" 2>/dev/null || true
     fi
 
-    # Kill any loki run.sh orchestrator processes (status monitors, resource monitors)
-    local run_pids
-    run_pids=$(pgrep -f "loki-run-\|status-monitor\|resource-monitor" 2>/dev/null || true)
-    if [ -n "$run_pids" ]; then
-        for rpid in $run_pids; do
-            kill "$rpid" 2>/dev/null || true
-        done
-        sleep 1
-        for rpid in $run_pids; do
-            kill -0 "$rpid" 2>/dev/null && kill -9 "$rpid" 2>/dev/null || true
-        done
-        if [ "$stopped" = true ]; then
-            echo "Background processes cleaned up"
-        fi
-    fi
+    # FIX-563 (v7.30.0): do NOT blanket-kill loki-run-* orchestrators here.
+    # The prior unscoped `pgrep -f "loki-run-..."` reaped EVERY orchestrator on
+    # the machine, including foreign `loki start` sessions launched from other
+    # terminals/CWDs that the web UI never owned. Purple Lab's own build
+    # processes are already reaped authoritatively above via child-pids.json
+    # (the only PIDs this session actually started). Foreign builds survive,
+    # mirroring the cwd-scoped dashboard-stop pattern (FIX rationale: a user
+    # invoking "loki web stop" expects the web UI gone, not their other builds).
 
     # Clean up all PID files globally
     rm -f "${LOKI_DIR}/dashboard/dashboard.pid" 2>/dev/null || true
@@ -7728,15 +7769,19 @@ cmd_doctor() {
     doctor_check "Cline CLI"           cline    optional || true
     doctor_check "Aider CLI"           aider    optional || true
 
-    # Check if at least one provider is installed
-    local _any_provider=false
-    for _dp in claude codex cline aider; do
-        command -v "$_dp" &>/dev/null && _any_provider=true && break
-    done
-    if ! $_any_provider; then
+    # Check if at least one provider is installed (detect_any_provider is the
+    # shared helper from provider-offer.sh, extracted from this exact loop).
+    if ! detect_any_provider; then
         echo -e "  ${RED}FAIL${NC}  No AI provider CLI installed -- at least one is required"
         echo -e "         ${YELLOW}Install: npm install -g @anthropic-ai/claude-code${NC}"
         fail_count=$((fail_count + 1))
+        # v7.29.0: on a TTY (non-json), append the consent-gated install offer.
+        # In report mode the helper is a no-op on non-TTY/CI, so the doctor
+        # output stays byte-identical for the bun-parity matrix. --json never
+        # reaches here (cmd_doctor dispatches to cmd_doctor_json earlier).
+        if declare -f offer_provider_install >/dev/null 2>&1; then
+            offer_provider_install report || true
+        fi
     fi
     echo ""
 
@@ -9030,6 +9075,77 @@ cmd_sandbox() {
     exec "$SANDBOX_SH" "$subcommand" "$@"
 }
 
+# v7.29.0 (feature #4): print the SIMPLE-tier cost/time/iteration estimate for
+# the demo PRD, parsed from the single estimator source (show_prd_plan JSON).
+# Because `loki demo` always runs `loki start --simple` (which exports
+# LOKI_COMPLEXITY=simple), the estimate is computed with LOKI_COMPLEXITY=simple
+# so the quoted figures are the ones the demo will actually incur -- honest by
+# construction (the keystone fix makes show_prd_plan honor LOKI_COMPLEXITY).
+# Returns 0 when a real estimate was printed, 1 when the estimator failed (the
+# caller then falls back to a no-number confirm). Never fabricates a number.
+emit_demo_estimate() {
+    local prd_path="$1"
+    # v7.30.0 (item 5): the demo estimate always prints before spending, incl.
+    # non-TTY (--dry-run / --yes piped), so gate color on a TTY here too (the
+    # global vars are only blanked on NO_COLOR). Mirrors provider-offer.sh and
+    # quickstart.sh. Local overrides only.
+    local BOLD="$BOLD" YELLOW="$YELLOW" DIM="$DIM" NC="$NC"
+    if [ ! -t 1 ]; then
+        BOLD=''; YELLOW=''; DIM=''; NC=''
+    fi
+    local plan_json=""
+    plan_json=$(LOKI_COMPLEXITY=simple show_prd_plan "$prd_path" "true" "false" 2>/dev/null) || plan_json=""
+
+    if [ -z "$plan_json" ]; then
+        echo -e "${YELLOW}Could not compute a cost estimate (the estimator did not return a result).${NC}"
+        return 1
+    fi
+
+    local parsed
+    parsed=$(printf '%s' "$plan_json" | python3 -c "
+import json, sys
+try:
+    d = json.load(sys.stdin)
+except Exception:
+    sys.exit(1)
+cost = d.get('cost', {}).get('total_usd')
+time_est = d.get('time', {}).get('estimated')
+iters = d.get('iterations', {}).get('estimated')
+rng = d.get('iterations', {}).get('range', [])
+tier = d.get('complexity', {}).get('tier', 'simple')
+if cost is None or time_est is None or iters is None:
+    sys.exit(1)
+rng_str = ''
+if isinstance(rng, list) and len(rng) == 2:
+    rng_str = ' (range {}-{})'.format(rng[0], rng[1])
+print(tier.upper())
+print('{:.2f}'.format(float(cost)))
+print(time_est)
+print('{}{}'.format(iters, rng_str))
+" 2>/dev/null) || parsed=""
+
+    if [ -z "$parsed" ]; then
+        echo -e "${YELLOW}Could not compute a cost estimate (the estimator did not return a result).${NC}"
+        return 1
+    fi
+
+    local tier_u cost_u time_u iter_u
+    tier_u=$(printf '%s' "$parsed" | sed -n '1p')
+    cost_u=$(printf '%s' "$parsed" | sed -n '2p')
+    time_u=$(printf '%s' "$parsed" | sed -n '3p')
+    iter_u=$(printf '%s' "$parsed" | sed -n '4p')
+
+    echo -e "${BOLD}Estimate (${tier_u} tier, the path this demo actually runs):${NC}"
+    printf '  Cost:        ~$%s\n' "$cost_u"
+    echo "  Time:        ~$time_u"
+    echo "  Iterations:  $iter_u"
+    echo ""
+    echo -e "${DIM}This is an estimate. Actual usage depends on PRD complexity,"
+    echo -e "code review cycles, and test failures.${NC}"
+    echo ""
+    return 0
+}
+
 # Demo mode - build a real project from a bundled PRD template
 cmd_demo() {
     # Handle --help
@@ -9055,6 +9171,16 @@ cmd_demo() {
         return 0
     fi
 
+    # v7.30.0 (item 5): demo emits user-facing color (header, dry-run block,
+    # cancel/refuse messages) on paths that always run even when piped/non-TTY,
+    # so gate color on a TTY here (the global vars are only blanked on NO_COLOR).
+    # Placed AFTER the --help early return so help output is untouched. Local
+    # overrides only; mirrors provider-offer.sh / quickstart.sh.
+    local BOLD="$BOLD" CYAN="$CYAN" YELLOW="$YELLOW" GREEN="$GREEN" DIM="$DIM" RED="$RED" NC="$NC"
+    if [ ! -t 1 ]; then
+        BOLD=''; CYAN=''; YELLOW=''; GREEN=''; DIM=''; RED=''; NC=''
+    fi
+
     local version
     version=$(get_version)
     local demo_prd="$SKILL_DIR/templates/simple-todo-app.md"
@@ -9062,10 +9188,21 @@ cmd_demo() {
     local provider=""
     local dry_run=false
     local start_args=()
+    # v7.29.0 (feature #4): demo now shows the FORCED-simple cost estimate
+    # before spending and asks for confirmation. --yes / LOKI_ASSUME_YES skip
+    # the prompt but still print the estimate (the spend is never hidden).
+    local assume_yes=false
+    if [ "${LOKI_ASSUME_YES:-}" = "1" ] || [ "${LOKI_ASSUME_YES:-}" = "true" ]; then
+        assume_yes=true
+    fi
 
     # Parse arguments
     while [[ $# -gt 0 ]]; do
         case "$1" in
+            --yes|-y)
+                assume_yes=true
+                shift
+                ;;
             --dir)
                 if [[ -z "${2:-}" ]]; then
                     echo -e "${RED}Error: --dir requires a path${NC}"
@@ -9106,6 +9243,17 @@ cmd_demo() {
         esac
     done
 
+    # v7.29.0: provider pre-flight gate (skipped for --dry-run, which never
+    # spends). On a TTY, offer to install; on non-TTY/CI, print honest manual
+    # instructions and exit 2 before any spend. Detect-first, so the nested
+    # cmd_start gate below no-ops once a provider is present. --help already
+    # returned at the top of cmd_demo.
+    if [ "$dry_run" != true ] && declare -f provider_offer_gate >/dev/null 2>&1; then
+        if ! provider_offer_gate; then
+            exit 2
+        fi
+    fi
+
     # Fall back to examples/ if templates/ doesn't exist
     if [ ! -f "$demo_prd" ]; then
         demo_prd="$SKILL_DIR/examples/simple-todo-app.md"
@@ -9146,6 +9294,9 @@ cmd_demo() {
     fi
 
     if [ "$dry_run" = true ]; then
+        # v7.29.0: dry-run is now a genuine cost preview -- show the estimate,
+        # no prompt, no spend.
+        emit_demo_estimate "$demo_dir/prd.md" || true
         echo -e "${YELLOW}[dry-run] Would run:${NC}"
         echo "  cd $demo_dir"
         echo -n "  loki start prd.md --simple --yes"
@@ -9156,6 +9307,52 @@ cmd_demo() {
         return 0
     fi
 
+    # v7.29.0 (feature #4): cost confirm before any spend. The estimate ALWAYS
+    # prints (even with --yes), so the spend is never hidden. The prompt is
+    # shown only on a TTY without --yes; non-TTY without --yes refuses (exit 2)
+    # rather than hanging on read -- the project's "never hang in CI" idiom.
+    local estimate_ok=true
+    emit_demo_estimate "$demo_dir/prd.md" || estimate_ok=false
+
+    # Interactive only when stdin is a real TTY and CI is not forcing
+    # non-interactive (matches the project's first-run gate semantics).
+    local demo_interactive=true
+    if [ ! -t 0 ] || [ -n "${CI:-}" ]; then
+        demo_interactive=false
+    fi
+
+    if [ "$assume_yes" != true ]; then
+        if [ "$demo_interactive" = true ]; then
+            local demo_answer=""
+            if [ "$estimate_ok" = true ]; then
+                # Default YES: Enter proceeds.
+                echo -n "Build the Todo app now? [Y/n] "
+                read -r demo_answer </dev/tty 2>/dev/null || demo_answer=""
+                if [[ -n "$demo_answer" && ! "$demo_answer" =~ ^[Yy] ]]; then
+                    echo ""
+                    echo -e "Cancelled. Nothing was spent. The demo PRD is at:"
+                    echo -e "  ${CYAN}$demo_dir/prd.md${NC}"
+                    echo -e "Run 'loki plan ${demo_dir}/prd.md' for the full breakdown."
+                    return 0
+                fi
+            else
+                # No honest number available: default NO (the safe direction).
+                echo -n "Proceed with the demo build anyway? [y/N] "
+                read -r demo_answer </dev/tty 2>/dev/null || demo_answer=""
+                if [[ ! "$demo_answer" =~ ^[Yy] ]]; then
+                    echo ""
+                    echo -e "Cancelled. Nothing was spent. The demo PRD is at:"
+                    echo -e "  ${CYAN}$demo_dir/prd.md${NC}"
+                    return 0
+                fi
+            fi
+        else
+            # Non-TTY without --yes: never hang; refuse with an honest message.
+            echo "demo needs confirmation; re-run with --yes to proceed non-interactively" >&2
+            return 2
+        fi
+    fi
+
     echo -e "${DIM}Starting autonomous build...${NC}"
     echo -e "${DIM}(Press Ctrl+C to stop at any time)${NC}"
     echo ""
@@ -9380,6 +9577,15 @@ cmd_quick() {
         exit 2
     fi
 
+    # v7.29.0: provider pre-flight gate. Offer install on a TTY; print honest
+    # manual instructions and exit 2 on non-TTY/CI, before any spend. --help and
+    # the no-args usage path already returned/exited above.
+    if declare -f provider_offer_gate >/dev/null 2>&1; then
+        if ! provider_offer_gate; then
+            exit 2
+        fi
+    fi
+
     local task_desc="$*"
     local version=$(get_version)
     local max_iter="${LOKI_MAX_ITERATIONS:-3}"
@@ -11451,6 +11657,28 @@ cmd_grill() {
     return $?
 }
 
+# ---------------------------------------------------------------------------
+# loki mcp - launch the MCP (Model Context Protocol) server
+#
+# Thin dispatcher that sources autonomy/mcp-launch.sh and delegates to
+# mcp_launch_main(). The launcher checks for python3 + the MCP SDK and, when
+# the SDK is missing, offers a consent-gated bootstrap into a project-local
+# virtualenv (.loki/mcp-venv) before exec'ing the server over stdio. This
+# closes the fresh-npm-consumer gap where the only bin was `loki` and the
+# Python MCP dependencies were never installed (task 562).
+# ---------------------------------------------------------------------------
+cmd_mcp() {
+    local mcp_mod="$_LOKI_SCRIPT_DIR/mcp-launch.sh"
+    if [ ! -f "$mcp_mod" ]; then
+        echo -e "${RED}Error: mcp launcher not found at $mcp_mod${NC}" >&2
+        return 3
+    fi
+    # shellcheck source=/dev/null
+    source "$mcp_mod"
+    mcp_launch_main "$@"
+    return $?
+}
+
 cmd_heal_help() {
     echo -e "${BOLD}loki heal${NC} - Legacy system healing (v6.67.0)"
     echo ""
@@ -12833,6 +13061,20 @@ show_verbose = sys.argv[3] == 'true'
 session_model_env = (os.environ.get('LOKI_SESSION_MODEL', 'sonnet') or 'sonnet').strip().lower()
 legacy_tier_switching = (os.environ.get('LOKI_LEGACY_TIER_SWITCHING', 'false') or 'false').strip().lower() == 'true'
 
+# v7.29.0: Honor LOKI_COMPLEXITY -- the SAME env var the runner honors at
+# run.sh:920 -- so a forced-tier run (e.g. 'loki demo' / 'loki start --simple'
+# which export LOKI_COMPLEXITY=simple) quotes the tier it will actually run,
+# not the content-derived tier. Without this the estimate diverges from
+# execution (audit finding #9). Runner vocabulary is auto|simple|standard|complex;
+# the estimator's internal tiers are simple|moderate|complex|enterprise, so
+# 'standard' aliases to 'moderate' (the 6-12 iteration analog). 'auto', empty,
+# and any unrecognized value are ignored (content tier is used) -- honest by
+# construction. The override is applied AFTER the content score-to-tier map.
+_forced_complexity_raw = (os.environ.get('LOKI_COMPLEXITY', '') or '').strip().lower()
+forced_complexity = {'standard': 'moderate'}.get(_forced_complexity_raw, _forced_complexity_raw)
+if forced_complexity not in ('simple', 'moderate', 'complex', 'enterprise'):
+    forced_complexity = ''
+
 # Map session model name to tier key used in tokens_per_tier below.
 # Unknown models fall through to 'development' (Sonnet) as a safe default.
 _session_tier_map = {
@@ -12985,6 +13227,14 @@ elif complexity_score <= 5:
 else:
     complexity = 'enterprise'
 
+# v7.29.0: apply the forced-tier override AFTER the content score-to-tier map,
+# so it is not clobbered by the assignment above. Everything downstream
+# (iterations, tokens, cost, time) derives from the complexity variable, so the
+# whole estimate becomes consistent with what the run will actually do.
+if forced_complexity:
+    complexity = forced_complexity
+    complexity_reasons.insert(0, 'Complexity forced via LOKI_COMPLEXITY=' + _forced_complexity_raw)
+
 # --- Estimate iterations ---
 iteration_map = {
     'simple': (3, 5),
@@ -13215,7 +13465,10 @@ if ui_count > 0:
 color = {'simple': GREEN, 'moderate': YELLOW, 'complex': RED, 'enterprise': RED}
 cx_color = color.get(complexity, NC)
 print(f'\n{CYAN}Complexity{NC}')
-print(f'  Tier: {cx_color}{BOLD}{complexity.upper()}{NC} (score: {complexity_score})')
+if forced_complexity:
+    print(f'  Tier: {cx_color}{BOLD}{complexity.upper()}{NC} (forced via LOKI_COMPLEXITY={_forced_complexity_raw})')
+else:
+    print(f'  Tier: {cx_color}{BOLD}{complexity.upper()}{NC} (score: {complexity_score})')
 for reason in complexity_reasons:
     print(f'  {DIM}- {reason}{NC}')
 
@@ -13446,6 +13699,9 @@ main() {
         demo)
             cmd_demo "$@"
             ;;
+        quickstart)
+            cmd_quickstart "$@"
+            ;;
         welcome)
             cmd_welcome "$@"
             ;;
@@ -13609,6 +13865,9 @@ main() {
         grill)
             cmd_grill "$@"
             ;;
+        mcp)
+            cmd_mcp "$@"
+            ;;
         migrate)
             cmd_migrate "$@"
             ;;