loki-mode 7.42.0 → 7.44.0

package/README.md

@@ -13,7 +13,7 @@ _The free, source-available autonomous coding agent by [Autonomi](https://www.au
 [![Docker Pulls](https://img.shields.io/docker/pulls/asklokesh/loki-mode?style=for-the-badge&logo=docker&logoColor=white&color=2F71E3)](https://hub.docker.com/r/asklokesh/loki-mode)
 [![License](https://img.shields.io/badge/License-BUSL--1.1-36342E?style=for-the-badge)](LICENSE)
 
-[Website](https://www.autonomi.dev/) | [Documentation](wiki/Home.md) | [Installation](docs/INSTALLATION.md) | [Changelog](CHANGELOG.md) | [Purple Lab Web UI](#purple-lab)
+[Website](https://www.autonomi.dev/) | [Documentation](wiki/Home.md) | [Installation](docs/INSTALLATION.md) | [Changelog](CHANGELOG.md) | [Purple Lab -- deprecated v7.44.0](#purple-lab)
 
 </div>
 
@@ -290,36 +290,9 @@ TLS, OIDC/SSO, RBAC, OTEL tracing, policy engine, audit trails. Activated via en
 
 ## Purple Lab
 
-The hosted development platform. A Replit-like web UI for visual PRD-to-code workflow, with the Loki agent for iterative development. The same software is free and source-available as the local Loki Mode dashboard; offered managed to teams and enterprises under the **Autonomi** brand (Autonomi Cloud).
+**[DEPRECATED in v7.44.0]** Purple Lab (`loki web`, port 57375) is deprecated. The local build monitor and project dashboard are now the dashboard (auto-launched by `loki start`, http://localhost:57374). For the hosted/commercial platform, see [Autonomi Cloud](https://www.autonomi.dev/).
 
-```bash
-loki web                           # launches at http://localhost:57375
-```
-
-<table>
-<tr>
-<td width="50%" valign="top">
-
-**Platform Pages**
-- Home -- One-line prompt to start building instantly
-- Projects -- Browse, search, filter past builds
-- Templates -- 20+ starter PRDs by category
-- Showcase -- Gallery of example projects to build
-- Compare -- Feature comparison vs competitors
-
-</td>
-<td width="50%" valign="top">
-
-**IDE Workspace**
-- Monaco editor with tabs, Cmd+P quick open
-- AI chat panel for iterative development
-- Activity panel: build log, agents, quality gates
-- Live preview with URL bar navigation
-- Right-click context menu: Review, Test, Explain
-
-</td>
-</tr>
-</table>
+The historical feature set (platform pages, Monaco IDE workspace, AI chat panel) lives on in the dashboard and in Autonomi Cloud. `loki web` still invokes the old binary for backward compatibility but will be removed in a future major version.
 
 ---
 
@@ -372,7 +345,7 @@ Status legend: "E2E-verified" means we run real spec-to-code builds on it oursel
 | `loki status` | Show current status |
 | `loki dashboard` | Open web dashboard |
 | `loki preview` | Print running app URL and open in browser (Live App Preview, v7.24.0; was: `loki open`) |
-| `loki web` | Launch Purple Lab web UI |
+| `loki web` | Launch Purple Lab web UI [DEPRECATED in v7.44.0 -- use `loki start` which auto-opens the dashboard at http://localhost:57374; for the hosted platform see Autonomi Cloud] |
 | `loki doctor` | Check environment and dependencies |
 | `loki plan [PRD]` | Pre-execution analysis: complexity, cost, iterations |
 | `loki review [--staged\|--diff]` | AI-powered code review with severity filtering |

package/SKILL.md

@@ -3,7 +3,7 @@ name: loki-mode
 description: Autonomous spec-driven build system with a built-in trust layer. It does not call work done until it is verified (RARV-C closure loop, 11 quality gates, completion council, verified-completion evidence gate). Triggers on "Loki Mode". Takes a spec (PRD, GitHub issue, OpenAPI doc, etc.) to deployed product with minimal human intervention. Provider-agnostic. Requires --dangerously-skip-permissions flag.
 ---
 
-# Loki Mode v7.42.0
+# Loki Mode v7.44.0
 
 **You are an autonomous agent. You make decisions. You do not ask questions. You do not stop.**
 
@@ -398,4 +398,4 @@ See `CHANGELOG.md` entries [7.5.7], [7.5.8], [7.5.13] for the per-fix list and r
 
 ---
 
-**v7.42.0 | [Autonomi](https://www.autonomi.dev/) flagship product | ~260 lines core**
+**v7.44.0 | [Autonomi](https://www.autonomi.dev/) flagship product | ~260 lines core**

package/VERSION

@@ -1 +1 @@
-7.42.0
+7.44.0

package/autonomy/app-runner.sh

@@ -156,6 +156,112 @@ _rewrite_detection_port() {
     _write_detection "$d_type" "$d_command"
 }
 
+# Collect the transitive descendant tree of a PID (children, grandchildren, ...).
+#
+# Echoes one PID per line, deepest-LAST is NOT guaranteed; order is breadth-first
+# from the root. The root PID itself is NOT included. Used by the non-setsid stop
+# fallback (BUG 1): the app is started as `( ... ) &` WITHOUT setsid, so on stock
+# macOS the whole tree (subshell -> bash -lc -> npm -> sh -> node -> workers)
+# inherits the ORCHESTRATOR's process group. A `kill -- -PGID` would therefore
+# signal run.sh and the Claude agent driving it (self-termination), so we MUST
+# walk parent->child links from OUR pid only. This guarantees we never signal a
+# process outside our own subtree: every returned pid has our root as an ancestor.
+#
+# Snapshot semantics: the caller MUST collect the full tree BEFORE sending any
+# signal. If we TERM top-down while walking, grandchildren reparent to init and
+# `pgrep -P <dead-parent>` returns nothing, re-creating the orphaned-worker bug
+# this fix exists to close.
+_app_runner_collect_descendants() {
+    local root="$1"
+    # Guard against empty / init / kernel pids: walking from 0/1 would sweep
+    # unrelated processes. A valid app pid is always > 1.
+    case "$root" in
+        ''|0|1) return 0 ;;
+    esac
+    if ! [[ "$root" =~ ^[0-9]+$ ]]; then
+        return 0
+    fi
+
+    local -a frontier=("$root")
+    local -a found=()
+    local pid child
+    local -a kids
+    # Bound iterations defensively against a pathological/looping tree.
+    local guard=0
+    while [ "${#frontier[@]}" -gt 0 ] && [ "$guard" -lt 10000 ]; do
+        guard=$(( guard + 1 ))
+        pid="${frontier[0]}"
+        frontier=("${frontier[@]:1}")
+        # Direct children of pid.
+        kids=()
+        while IFS= read -r child; do
+            [ -n "$child" ] && kids+=("$child")
+        done < <(pgrep -P "$pid" 2>/dev/null)
+        local k
+        for k in "${kids[@]:-}"; do
+            [ -n "$k" ] || continue
+            found+=("$k")
+            frontier+=("$k")
+        done
+    done
+
+    local f
+    for f in "${found[@]:-}"; do
+        [ -n "$f" ] && printf '%s\n' "$f"
+    done
+}
+
+# Signal an EXPLICIT, pre-captured set of PIDs with a given signal.
+#
+# Usage: _app_runner_signal_pids <SIGNAL> <pid> [pid ...]
+#
+# Why an explicit list and not "(re-)walk from root": a worker that traps
+# SIGTERM (a Node server doing graceful shutdown is the textbook case) survives
+# the TERM phase while its intermediate ancestors (npm, sh) die. Once the
+# ancestors die, the surviving worker reparents to init, so re-deriving the tree
+# from the now-dead root via `pgrep -P` would return NOTHING -- the KILL phase
+# would be skipped and the orphaned, port-holding worker would live on. That is
+# exactly the orphaned-worker bug (BUG 1) resurfacing at the force-kill phase.
+# The fix: the caller snapshots root + all descendants ONCE before any signal,
+# and every phase (TERM, aliveness, KILL) operates over that frozen list.
+#
+# Safety: the caller builds the list from _app_runner_collect_descendants, which
+# only ever follows parent->child links from OUR pid, so the list can never
+# contain a process outside our own subtree. We signal pids individually (never
+# a process group) because in the non-setsid path the app inherits the
+# orchestrator's process group; a group signal would kill run.sh and the agent.
+# Pids are signaled in REVERSE capture order so descendants (captured after the
+# root) are signaled before the root.
+_app_runner_signal_pids() {
+    local sig="$1"; shift
+    local -a pids=("$@")
+    local i p
+    for (( i=${#pids[@]}-1; i>=0; i-- )); do
+        p="${pids[$i]}"
+        case "$p" in
+            ''|0|1) continue ;;
+        esac
+        kill "-${sig}" "$p" 2>/dev/null || true
+    done
+}
+
+# True (0) if ANY pid in the EXPLICIT pre-captured list is still alive.
+# Used by the non-setsid stop grace-wait so a deep worker that outlived the main
+# subshell does not let us fall through to "stopped" prematurely. Operates over
+# the frozen snapshot for the same reason _app_runner_signal_pids does.
+_app_runner_any_alive() {
+    local p
+    for p in "$@"; do
+        case "$p" in
+            ''|0|1) continue ;;
+        esac
+        if kill -0 "$p" 2>/dev/null; then
+            return 0
+        fi
+    done
+    return 1
+}
+
 # Fix #2 (finding #597): reconcile the recorded port with the port the app
 # ACTUALLY bound, using the listen line in app.log as the source of truth. This
 # corrects the dashboard Live Preview even when the app ignores PORT and picks
@@ -887,32 +993,82 @@ app_runner_stop() {
         fi
     fi
 
+    # BUG 1 fix: on the non-setsid fallback (the DEFAULT path on stock macOS,
+    # which has no setsid) capture the FULL process subtree -- root + every
+    # transitive descendant -- ONCE, BEFORE sending any signal. The old
+    # `pkill -TERM -P <pid>` reached only ONE level of children, so deep workers
+    # (npm -> sh -> node -> workers) holding the listening socket survived as
+    # orphans and kept the port bound, blocking the next start.
+    #
+    # Capturing once is load-bearing: a worker that traps SIGTERM survives the
+    # TERM phase while its intermediate ancestors die, then reparents to init.
+    # Re-deriving the tree from the now-dead root would return nothing and skip
+    # the KILL phase, leaving the port-holder alive. Every phase below (TERM,
+    # grace-wait, KILL) operates over this one frozen snapshot instead.
+    local -a _stop_snapshot=()
+    if [ "$_APP_RUNNER_HAS_SETSID" != true ]; then
+        _stop_snapshot=("$_APP_RUNNER_PID")
+        local _snap_d
+        while IFS= read -r _snap_d; do
+            [ -n "$_snap_d" ] && _stop_snapshot+=("$_snap_d")
+        done < <(_app_runner_collect_descendants "$_APP_RUNNER_PID")
+    fi
+
     # Send SIGTERM to process and children
     if [ "$_APP_RUNNER_HAS_SETSID" = true ]; then
+        # setsid path: the app is its own process group leader, so a group
+        # signal reaches the whole tree safely. Unchanged.
         kill -TERM "-$_APP_RUNNER_PID" 2>/dev/null || kill -TERM "$_APP_RUNNER_PID" 2>/dev/null || true
     else
-        pkill -TERM -P "$_APP_RUNNER_PID" 2>/dev/null || true
-        kill -TERM "$_APP_RUNNER_PID" 2>/dev/null || true
+        # Group-kill is NOT used here: in this path the app inherits the
+        # orchestrator's process group, so a group signal would kill run.sh and
+        # the agent driving it. Signal the frozen snapshot, descendants first.
+        _app_runner_signal_pids TERM "${_stop_snapshot[@]}"
     fi
 
-    # Wait up to 5 seconds for graceful shutdown
+    # Wait up to 5 seconds for graceful shutdown. Key the wait on the WHOLE
+    # snapshot being alive (not just the main pid): a deep worker can outlive the
+    # main subshell, and treating the main pid's exit as "done" is exactly what
+    # let workers leak before. setsid path keeps the simpler main-pid check.
     local waited=0
     while [ "$waited" -lt 5 ]; do
-        if ! kill -0 "$_APP_RUNNER_PID" 2>/dev/null; then
-            break
+        if [ "$_APP_RUNNER_HAS_SETSID" = true ]; then
+            kill -0 "$_APP_RUNNER_PID" 2>/dev/null || break
+        else
+            _app_runner_any_alive "${_stop_snapshot[@]}" || break
         fi
         sleep 1
         waited=$(( waited + 1 ))
     done
 
     # Force kill if still running
-    if kill -0 "$_APP_RUNNER_PID" 2>/dev/null; then
+    local _still_alive=false
+    if [ "$_APP_RUNNER_HAS_SETSID" = true ]; then
+        kill -0 "$_APP_RUNNER_PID" 2>/dev/null && _still_alive=true
+    else
+        _app_runner_any_alive "${_stop_snapshot[@]}" && _still_alive=true
+    fi
+    if [ "$_still_alive" = true ]; then
         log_warn "App Runner: process did not stop gracefully, sending SIGKILL"
         if [ "$_APP_RUNNER_HAS_SETSID" = true ]; then
             kill -KILL "-$_APP_RUNNER_PID" 2>/dev/null || kill -KILL "$_APP_RUNNER_PID" 2>/dev/null || true
         else
-            pkill -KILL -P "$_APP_RUNNER_PID" 2>/dev/null || true
-            kill -KILL "$_APP_RUNNER_PID" 2>/dev/null || true
+            # BUG 1 fix (KILL phase): SIGKILL the SAME frozen snapshot (root +
+            # all descendants captured pre-signal), so a TERM-trapping worker
+            # that reparented to init is still force-killed. SIGKILL cannot be
+            # trapped, so this is the terminal guarantee that no port-holder
+            # survives. The snapshot does the real work. The fresh walk below only
+            # adds anything while the root is still alive (a worker spawned during
+            # shutdown); once the root is dead it is empty and the snapshot covers.
+            _app_runner_signal_pids KILL "${_stop_snapshot[@]}"
+            local -a _kill_fresh=()
+            local _kf
+            while IFS= read -r _kf; do
+                [ -n "$_kf" ] && _kill_fresh+=("$_kf")
+            done < <(_app_runner_collect_descendants "$_APP_RUNNER_PID")
+            if [ "${#_kill_fresh[@]}" -gt 0 ]; then
+                _app_runner_signal_pids KILL "${_kill_fresh[@]}"
+            fi
         fi
     fi
 
@@ -1094,6 +1250,11 @@ app_runner_watchdog() {
     # it restarts the stack under the same crash-count circuit breaker.
     if [ "$_APP_RUNNER_IS_DOCKER" = true ] && echo "$_APP_RUNNER_METHOD" | grep -q "docker compose"; then
         if app_runner_health_check; then
+            # BUG 3 fix: the breaker is meant to fire on 5 CONSECUTIVE failures.
+            # A confirmed-healthy observation clears any accumulated count so a
+            # long-lived stack that recovered from a few transient blips is not
+            # tripped permanently on cumulative (non-consecutive) crashes.
+            _APP_RUNNER_CRASH_COUNT=0
             return 0
         fi
         _APP_RUNNER_CRASH_COUNT=$(( _APP_RUNNER_CRASH_COUNT + 1 ))
@@ -1125,6 +1286,11 @@ app_runner_watchdog() {
 
     # Process alive, nothing to do
     if kill -0 "$_APP_RUNNER_PID" 2>/dev/null; then
+        # BUG 3 fix: a confirmed-alive observation clears the accumulated crash
+        # count so the breaker fires only on 5 CONSECUTIVE deaths, not on 5
+        # cumulative crashes that were each successfully recovered over a long
+        # session (which would trip the breaker on a HEALTHY app).
+        _APP_RUNNER_CRASH_COUNT=0
         return 0
     fi
 

package/autonomy/completion-council.sh

@@ -1519,8 +1519,17 @@ council_evidence_gate() {
         if committed_files=$(git diff --name-only "$base_sha" HEAD 2>/dev/null); then
             :
         else
-            # Base present but unreachable (e.g. shallow clone): fall back to
-            # working-tree diff vs HEAD (mirrors proof-generator.py fallback).
+            # Base present but UNREACHABLE (e.g. shallow clone, history rewrite,
+            # or `git reset --hard` -- a documented live hazard). The diff vs the
+            # run-start SHA cannot be computed, so we can no longer prove that the
+            # committed-union diff is empty. Treat this as INCONCLUSIVE, not as
+            # positive empty-diff fabrication evidence: an agent that committed
+            # all its work leaves a clean working tree, and `git diff HEAD` would
+            # read empty -> a false BLOCK. We still fall back to the working-tree
+            # diff vs HEAD to capture any uncommitted work, but the empty-diff
+            # block is suppressed below via the diff_inconclusive guard.
+            diff_inconclusive="true"
+            diff_inconclusive_reason="base_unreachable"
             committed_files=$(git diff --name-only HEAD 2>/dev/null || echo "")
         fi
         unstaged_files=$(git diff --name-only HEAD 2>/dev/null || echo "")
@@ -1543,7 +1552,11 @@ council_evidence_gate() {
         else
             diff_files=0
         fi
-        if [ "$diff_files" -eq 0 ]; then
+        # Only treat an empty union as positive fabrication evidence when the
+        # baseline was CONCLUSIVE. If the base SHA was unreachable (history
+        # rewrite / reset --hard), a clean committed tree yields an empty
+        # working-tree diff that must NOT read as empty-diff fabrication.
+        if [ "$diff_files" -eq 0 ] && [ "$diff_inconclusive" != "true" ]; then
             diff_fails="true"
         fi
     fi

package/autonomy/loki

@@ -891,7 +891,6 @@ show_landing() {
     echo "Get started:"
     echo -e "  ${CYAN}loki start ./prd.md${NC}   Build from a spec (PRD file, GitHub issue, or no arg)"
     echo -e "  ${CYAN}loki demo${NC}             Build a sample todo app end to end (real run)"
-    echo -e "  ${CYAN}loki web${NC}              Open the visual builder to input a spec and watch agents build"
     echo -e "  ${CYAN}loki dashboard start${NC}  Start the live run monitor (then: loki dashboard open)"
     echo ""
     echo -e "Need help? ${CYAN}loki help${NC} lists every command."
@@ -1057,6 +1056,7 @@ cmd_start() {
                 echo "Options:"
                 echo "  --provider NAME       AI provider: claude (default), codex, cline, aider"
                 echo "  --parallel            Enable parallel mode with git worktrees"
+                echo "  --allow-haiku         Enable Haiku model for the fast tier (default: disabled)"
                 echo "  --bg, --background    Run in background mode"
                 echo "  --simple              Force simple complexity tier (3 phases)"
                 echo "  --complex             Force complex complexity tier (8 phases)"
@@ -1180,6 +1180,17 @@ cmd_start() {
                 args+=("--parallel")
                 shift
                 ;;
+            --allow-haiku)
+                # Enable Haiku for the fast tier. Mirrors the LOKI_ALLOW_HAIKU=true
+                # env var (consumed by providers/claude.sh and run.sh). Documented in
+                # loki --help and run.sh; previously only the env var worked here, so
+                # `loki start ./prd.md --allow-haiku` aborted with "Unknown option".
+                # Export reaches the runner; also forward as an arg so the run.sh
+                # parser (run.sh:15015) sees it on every route.
+                export LOKI_ALLOW_HAIKU=true
+                args+=("--allow-haiku")
+                shift
+                ;;
             --regen-prd|--regenerate-prd|--regen|--fresh-prd)
                 # v7.8.1: force a fresh generated PRD on a no-PRD run, overriding
                 # the staleness-aware reuse (decide_generated_prd_action in
@@ -3958,9 +3969,9 @@ cmd_dashboard_help() {
     echo "Usage: loki dashboard <command> [options]"
     echo ""
     echo "Note: 'loki dashboard' is the operations/observability UI (port ${DASHBOARD_DEFAULT_PORT})."
-    echo "      It is NOT the same as 'loki web' (Purple Lab, port ${PURPLE_LAB_DEFAULT_PORT}, where you input PRDs)."
-    echo "      Use 'loki dashboard' to monitor agents, tasks, costs, council, escalations."
-    echo "      Use 'loki web' to submit a PRD and watch agents build."
+    echo "      It is NOT the same as 'loki web' (Purple Lab, port ${PURPLE_LAB_DEFAULT_PORT}, deprecated v7.44.0)."
+    echo "      Use 'loki dashboard' to monitor agents, tasks, costs, council, escalations,"
+    echo "      and to submit a PRD via the embedded 'Lab' tab (replaces the deprecated 'loki web')."
     echo ""
     echo "Commands:"
     echo "  start    Start the dashboard server"
@@ -4193,9 +4204,11 @@ cmd_dashboard_start() {
         echo "  URL:  $url"
         echo "  Logs: $log_file"
         echo ""
-        # v7.28.x UX #5: distinguish the two browser UIs up front so a newcomer
-        # who wants to submit a spec does not land on the ops monitor by mistake.
-        echo -e "${DIM}Looking for the project web UI to submit a spec? loki web (:${PURPLE_LAB_DEFAULT_PORT:-57375})${NC}"
+        # v7.28.x UX #5: point a newcomer who wants to submit a spec at the right
+        # surface. v7.44.0: the standalone Purple Lab (loki web) is deprecated and
+        # consolidated here, so steer to the embedded Lab tab instead of spawning
+        # a second port.
+        echo -e "${DIM}Want to submit a spec in the browser? Open the 'Lab' tab in this dashboard.${NC}"
         echo ""
         echo -e "Open in browser: ${CYAN}loki dashboard open${NC}"
         echo -e "Check status:    ${CYAN}loki dashboard status${NC}"
@@ -4566,6 +4579,32 @@ PURPLE_LAB_PID_FILE="${PURPLE_LAB_STATE_DIR}/purple-lab.pid"
 cmd_web() {
     local subcommand="${1:-start}"
 
+    # Deprecation (v7.44.0): Purple Lab (loki web, port 57375) is deprecated and
+    # consolidated into the dashboard. The hosted/commercial role moved to the
+    # separate Autonomi Cloud repo. This is a VALUE-PRESERVING deprecation: the
+    # command STILL WORKS (it launches after the banner) so no one is stranded.
+    # The banner + telemetry mirror the run->start deprecation contract: print
+    # to stderr, suppress under machine-output flags (--json/-q/--quiet/json...),
+    # and only emit telemetry when .loki already exists (events/emit.sh creates
+    # "$LOKI_DIR/events/pending" as a side effect that would flip downstream
+    # guards in a clean directory). The --help/-h/help path shows the deprecation
+    # in its own help text instead, so we skip the banner there.
+    case "$subcommand" in
+        --help|-h|help) ;;
+        *)
+            if ! _deprecated_alias_should_suppress "$@"; then
+                echo "loki web (Purple Lab) is deprecated as of v7.44.0. For local build + monitoring, use the dashboard (auto-launches at 'loki start', http://localhost:${DASHBOARD_DEFAULT_PORT}; or 'loki dashboard'). For the hosted platform, see Autonomi Cloud." >&2
+                if [ -d "${LOKI_DIR:-.loki}" ]; then
+                    emit_event cli_command_deprecated cli web \
+                        "from=web" \
+                        "to=dashboard" \
+                        "version=7.44.0" \
+                        "argv=${*:-}"
+                fi
+            fi
+            ;;
+    esac
+
     case "$subcommand" in
         start)
             shift || true
@@ -4605,13 +4644,19 @@ cmd_web() {
 }
 
 cmd_web_help() {
-    echo -e "${BOLD}Purple Lab -- Loki Mode Web UI${NC}"
+    echo -e "${BOLD}Purple Lab -- Loki Mode Web UI (deprecated -- use the dashboard)${NC}"
     echo ""
     echo "Usage: loki web [command] [options]"
     echo ""
+    echo "DEPRECATED as of v7.44.0: Purple Lab is consolidated into the dashboard."
+    echo "  For local build + monitoring, use the dashboard (auto-launches at"
+    echo "  'loki start', http://localhost:${DASHBOARD_DEFAULT_PORT}; or 'loki dashboard')."
+    echo "  For the hosted platform, see Autonomi Cloud."
+    echo "  'loki web' still works for now (it launches after a deprecation notice),"
+    echo "  but it will be removed in a future release. Migrate to the dashboard."
+    echo ""
     echo "Note: 'loki web' is Purple Lab (the PRD-input/build-watch UI, port ${PURPLE_LAB_DEFAULT_PORT})."
     echo "      It is NOT the same as 'loki dashboard' (operations UI, port ${DASHBOARD_DEFAULT_PORT})."
-    echo "      Use 'loki web' to submit a PRD and watch agents build it."
     echo "      Use 'loki dashboard' to monitor running agents, tasks, costs, council, escalations."
     echo ""
     echo "Commands:"

package/autonomy/run.sh

@@ -7041,6 +7041,48 @@ enforce_test_coverage() {
             local output
             output=$(cd "${TARGET_DIR:-.}" && timeout "$gate_timeout" npx mocha 2>&1) || test_passed=false
             details="mocha: $(echo "$output" | tail -3 | tr '\n' ' ')"
+        else
+            # v7.41.x (test-coverage fail-open fix): a real "scripts.test" was
+            # previously missed entirely. A greenfield project whose package.json
+            # has {"scripts":{"test":"node --test"}} (or any non-placeholder test
+            # script) actually runs a working suite via `npm test`, yet the gate
+            # reported runner:none + pass:true -- so a project whose tests FAIL
+            # green-lit identically. Detect a real test script (excluding the npm
+            # placeholder "no test specified") with a JSON parser, not grep (grep
+            # would false-positive on devDeps / unrelated keys), then run the
+            # configured command. This MUST sit before the monorepo/python/go/rust
+            # checks, all of which gate on test_runner=="none".
+            local _pkg_test_script
+            _pkg_test_script=$(_LOKI_PKG="${TARGET_DIR:-.}/package.json" python3 -c "
+import json, os, sys
+try:
+    with open(os.environ['_LOKI_PKG']) as f:
+        d = json.load(f)
+except Exception:
+    sys.exit(0)
+t = (d.get('scripts') or {}).get('test') or ''
+# npm's default placeholder; treat as 'no test'.
+if 'no test specified' in t.lower():
+    sys.exit(0)
+sys.stdout.write(t.strip())
+" 2>/dev/null || echo "")
+            if [ -n "$_pkg_test_script" ]; then
+                # LOKI_TEST_COMMAND lets an operator override the invocation; the
+                # default is the project's own `npm test`.
+                local _test_cmd="${LOKI_TEST_COMMAND:-npm test}"
+                # Label the runner by what the script invokes so evidence is
+                # honest (node --test, vitest, jest, etc. all surface here).
+                case "$_pkg_test_script" in
+                    *"node --test"*|*"node:test"*) test_runner="node-test" ;;
+                    *vitest*) test_runner="vitest" ;;
+                    *jest*)   test_runner="jest" ;;
+                    *mocha*)  test_runner="mocha" ;;
+                    *)        test_runner="npm-test" ;;
+                esac
+                local output
+                output=$(cd "${TARGET_DIR:-.}" && timeout "$gate_timeout" sh -c "$_test_cmd" 2>&1) || test_passed=false
+                details="$test_runner ($_test_cmd): $(echo "$output" | tail -5 | tr '\n' ' ')"
+            fi
         fi
     fi
 
@@ -7165,10 +7207,23 @@ enforce_test_coverage() {
     fi
 
     if [ "$test_runner" = "none" ]; then
-        log_info "Test coverage: no test runner detected, skipping"
+        log_info "Test coverage: no test runner detected, recording inconclusive (not pass)"
+        # v7.41.x fail-open fix: previously this wrote pass:true, so a project
+        # whose tests truly do not run was indistinguishable from one whose tests
+        # passed. Record pass:"inconclusive" instead. The completion-council
+        # evidence gate already treats runner=="none" as pass-through regardless
+        # of the pass value (completion-council.sh: runner=='none' short-circuits
+        # BEFORE the `passed is False` block), so genuinely-no-tests stays
+        # non-blocking (no infinite hang), while the JSON record is now honest:
+        # "no tests" never reads as "tests passed". A DETECTED runner that fails
+        # still writes pass:false below and BLOCKS.
+        #
+        # unit-tests.pass is only read for the status-line display (run.sh ~2183,
+        # PASS vs PENDING); keeping the touch preserves the historical
+        # non-blocking behavior for legitimate no-test projects.
         touch "$quality_dir/unit-tests.pass"
         cat > "$quality_dir/test-results.json" << TREOF
-{"timestamp":"$(date -u +%Y-%m-%dT%H:%M:%SZ)","runner":"none","pass":true,"summary":"No test runner detected"}
+{"timestamp":"$(date -u +%Y-%m-%dT%H:%M:%SZ)","runner":"none","pass":"inconclusive","summary":"No test runner detected"}
 TREOF
         # Finding #598: stamp the per-iteration freshness marker so a later
         # completion-route capture (ensure_completion_test_evidence) reuses this
@@ -14161,6 +14216,22 @@ if __name__ == "__main__":
                 log_warn "  Review details under .loki/quality/reviews/ ; gate_failures=${gate_failures}"
                 _gate_block_for_completion=""
                 # Fall through; the gate-failed loop continues normally
+            # HIGH (trust-gate): the checklist hard gate must also guard the
+            # DEFAULT completion-promise / loki_complete_task route, not only the
+            # interval-gated council path (council_evaluate) and the dashboard
+            # force-review path -- both of which already call this gate. Without
+            # it, an agent that leaves a `priority: critical` checklist item
+            # `failing` and claims done on a non-council-interval iteration would
+            # ship, bypassing the checklist gate entirely. council_reverify_checklist
+            # ran above (when a claim is present) so statuses are fresh here.
+            # Mirrors the evidence/held-out gate arms below. No-op safe:
+            # council_checklist_gate returns 0 (pass) when there is no checklist
+            # results file or when no critical items are failing, so this branch
+            # never fires on those projects. Gate output is written by the gate.
+            elif [ "$_completion_claimed" = 1 ] && type council_checklist_gate &>/dev/null && ! council_checklist_gate; then
+                log_warn "Completion claim rejected: critical checklist item(s) failing (hard gate)."
+                log_warn "  Details under .loki/council/gate-block.json"
+                # Fall through; keep iterating until critical checklist items pass.
             # v7.19.1: the verified-completion evidence gate must also guard the
             # DEFAULT completion route (a completion claim via loki_complete_task
             # / the completion-promise text), not only the interval-gated council

package/dashboard/__init__.py

@@ -7,7 +7,7 @@ Modules:
     control: Session control API (start/stop/pause/resume)
 """
 
-__version__ = "7.42.0"
+__version__ = "7.44.0"
 
 # Expose the control app for easy import
 try: