loki-mode 7.43.0 → 7.45.0

package/README.md

@@ -13,7 +13,7 @@ _The free, source-available autonomous coding agent by [Autonomi](https://www.au
 [![Docker Pulls](https://img.shields.io/docker/pulls/asklokesh/loki-mode?style=for-the-badge&logo=docker&logoColor=white&color=2F71E3)](https://hub.docker.com/r/asklokesh/loki-mode)
 [![License](https://img.shields.io/badge/License-BUSL--1.1-36342E?style=for-the-badge)](LICENSE)
 
-[Website](https://www.autonomi.dev/) | [Documentation](wiki/Home.md) | [Installation](docs/INSTALLATION.md) | [Changelog](CHANGELOG.md) | [Purple Lab Web UI](#purple-lab)
+[Website](https://www.autonomi.dev/) | [Documentation](wiki/Home.md) | [Installation](docs/INSTALLATION.md) | [Changelog](CHANGELOG.md) | [Purple Lab -- deprecated v7.44.0](#purple-lab)
 
 </div>
 
@@ -105,7 +105,8 @@ loki quick "build a landing page with a signup form"
 |--------|---------|-------|
 | **Bun (recommended)** | `bun install -g loki-mode` | Fastest startup for CLI commands. |
 | **Homebrew** | `brew tap asklokesh/tap && brew install loki-mode` | Auto-installs Bun as a dep |
-| **Docker** | `docker pull asklokesh/loki-mode:7.40.0 && docker run --rm asklokesh/loki-mode:7.40.0 start prd.md` | Bun pre-installed in image |
+| **Docker (easiest)** | `loki docker start prd.md` | Host wrapper: runs loki in the published image with zero config. Bind-mounts the current folder so `.loki` state, resume, and continuity work exactly like local. Auto-detects auth (`ANTHROPIC_API_KEY`, else your host Claude Code login). Needs loki + Docker on the host. See DOCKER_README.md |
+| **Docker (raw)** | `docker pull asklokesh/loki-mode:7.45.0 && docker run --rm -e ANTHROPIC_API_KEY="$ANTHROPIC_API_KEY" asklokesh/loki-mode:7.45.0 start prd.md` | Bun + Claude CLI pre-installed; needs an API key, or use docker compose with a .env file, see DOCKER_README.md |
 | **npm (compat)** | `npm install -g loki-mode` | Works without Bun (bash fallback). Migrate any time with `loki self-update --to bun`. |
 
 **Upgrading:**
@@ -165,7 +166,7 @@ The next major release sunsets the Bash runtime entirely. There is no firm calen
 | Method | Command |
 |--------|---------|
 | **Homebrew** | `brew tap asklokesh/tap && brew install loki-mode` |
-| **Docker** | `docker pull asklokesh/loki-mode:7.40.0` |
+| **Docker** | `docker pull asklokesh/loki-mode:7.45.0` |
 | **Inside Claude Code** | `claude --dangerously-skip-permissions` then type "Loki Mode" |
 | **Git clone** | `git clone https://github.com/asklokesh/loki-mode.git` |
 
@@ -290,36 +291,9 @@ TLS, OIDC/SSO, RBAC, OTEL tracing, policy engine, audit trails. Activated via en
 
 ## Purple Lab
 
-The hosted development platform. A Replit-like web UI for visual PRD-to-code workflow, with the Loki agent for iterative development. The same software is free and source-available as the local Loki Mode dashboard; offered managed to teams and enterprises under the **Autonomi** brand (Autonomi Cloud).
+**[DEPRECATED in v7.44.0]** Purple Lab (`loki web`, port 57375) is deprecated. The local build monitor and project dashboard are now the dashboard (auto-launched by `loki start`, http://localhost:57374). For the hosted/commercial platform, see [Autonomi Cloud](https://www.autonomi.dev/).
 
-```bash
-loki web                           # launches at http://localhost:57375
-```
-
-<table>
-<tr>
-<td width="50%" valign="top">
-
-**Platform Pages**
-- Home -- One-line prompt to start building instantly
-- Projects -- Browse, search, filter past builds
-- Templates -- 20+ starter PRDs by category
-- Showcase -- Gallery of example projects to build
-- Compare -- Feature comparison vs competitors
-
-</td>
-<td width="50%" valign="top">
-
-**IDE Workspace**
-- Monaco editor with tabs, Cmd+P quick open
-- AI chat panel for iterative development
-- Activity panel: build log, agents, quality gates
-- Live preview with URL bar navigation
-- Right-click context menu: Review, Test, Explain
-
-</td>
-</tr>
-</table>
+The historical feature set (platform pages, Monaco IDE workspace, AI chat panel) lives on in the dashboard and in Autonomi Cloud. `loki web` still invokes the old binary for backward compatibility but will be removed in a future major version.
 
 ---
 
@@ -372,7 +346,7 @@ Status legend: "E2E-verified" means we run real spec-to-code builds on it oursel
 | `loki status` | Show current status |
 | `loki dashboard` | Open web dashboard |
 | `loki preview` | Print running app URL and open in browser (Live App Preview, v7.24.0; was: `loki open`) |
-| `loki web` | Launch Purple Lab web UI |
+| `loki web` | Launch Purple Lab web UI [DEPRECATED in v7.44.0 -- use `loki start` which auto-opens the dashboard at http://localhost:57374; for the hosted platform see Autonomi Cloud] |
 | `loki doctor` | Check environment and dependencies |
 | `loki plan [PRD]` | Pre-execution analysis: complexity, cost, iterations |
 | `loki review [--staged\|--diff]` | AI-powered code review with severity filtering |

package/SKILL.md

@@ -3,7 +3,7 @@ name: loki-mode
 description: Autonomous spec-driven build system with a built-in trust layer. It does not call work done until it is verified (RARV-C closure loop, 11 quality gates, completion council, verified-completion evidence gate). Triggers on "Loki Mode". Takes a spec (PRD, GitHub issue, OpenAPI doc, etc.) to deployed product with minimal human intervention. Provider-agnostic. Requires --dangerously-skip-permissions flag.
 ---
 
-# Loki Mode v7.43.0
+# Loki Mode v7.45.0
 
 **You are an autonomous agent. You make decisions. You do not ask questions. You do not stop.**
 
@@ -219,6 +219,15 @@ loki start --provider aider ./prd.md         # Aider (18+ providers), degraded m
 loki start ./prd.md --parallel
 loki start 123 --ship                        # Issue -> PR -> auto-merge
 
+# Run any loki command inside the published Docker image, zero config (v7.45.0).
+# Bind-mounts the current folder to /workspace so .loki state, resume, and
+# continuity behave exactly like the local CLI. Auth auto-detected: ANTHROPIC_API_KEY,
+# else the host Claude Code login (Max/Pro), else an honest error. Requires loki + Docker on the host.
+loki docker start prd.md                      # full local experience in Docker
+loki docker status                            # any loki command works
+loki docker --dry-run start prd.md            # print the docker command, do not run
+loki docker --image IMG start prd.md          # override the image
+
 # Legacy: `loki run <issue>` still works but prints a deprecation notice.
 # It is an alias for `loki start <issue>` and will be removed in a future major.
 ```
@@ -398,4 +407,4 @@ See `CHANGELOG.md` entries [7.5.7], [7.5.8], [7.5.13] for the per-fix list and r
 
 ---
 
-**v7.43.0 | [Autonomi](https://www.autonomi.dev/) flagship product | ~260 lines core**
+**v7.45.0 | [Autonomi](https://www.autonomi.dev/) flagship product | ~260 lines core**

package/VERSION

@@ -1 +1 @@
-7.43.0
+7.45.0

package/autonomy/docker-run.sh

@@ -0,0 +1,243 @@
+#!/usr/bin/env bash
+#===============================================================================
+# Loki Mode - zero-friction Docker host wrapper
+#
+# Lets a user run loki inside the published Docker image with the SAME
+# experience as the local CLI: run it in a project folder and it just works.
+# .loki/ state (memory, session, queue, checkpoints) persists via the workspace
+# bind mount, so resume and continuity behave exactly like `loki start` on the
+# host.
+#
+# Auth precedence (zero config for Claude Code subscribers):
+#   1. ANTHROPIC_API_KEY set in the environment  -> passed through (explicit).
+#   2. else host Claude Code login auto-detected  -> credentials extracted to a
+#      per-run temp copy and mounted read-write so the in-container claude can
+#      refresh the short-lived token for the duration of the run. Each run
+#      re-extracts a fresh token from the host store, so a long-idle token is
+#      never an issue. (The temp copy is wiped on exit; refreshes are not written
+#      back to the host store, which is why per-run re-extraction matters.)
+#   3. else                                        -> honest error with guidance.
+#
+# Token handling: the extracted credentials file is written to a private temp
+# path (0600) and removed on exit. It is NEVER written into the project, never
+# committed, never logged.
+#
+# Sourced by autonomy/loki (cmd_docker). Also runnable standalone for tests:
+#   loki_docker_detect_auth   -> prints: apikey | oauth | none
+#   loki_docker_extract_creds <dest>  -> writes host OAuth creds to <dest>
+#   loki_docker_build_argv ...        -> prints the docker argv it would run
+#===============================================================================
+
+# Default image. Overridable for local builds / pinning.
+: "${LOKI_DOCKER_IMAGE:=asklokesh/loki-mode:latest}"
+# In-container path claude reads OAuth credentials from (Linux, no keychain).
+_LOKI_DOCKER_CRED_DEST="/home/loki/.claude/.credentials.json"
+# Dashboard port (kept identical to the local default).
+: "${LOKI_DASHBOARD_PORT:=57374}"
+
+# Detect which auth method is available on this host.
+# Echoes one of: apikey | oauth | none
+loki_docker_detect_auth() {
+    if [ -n "${ANTHROPIC_API_KEY:-}" ]; then
+        echo "apikey"
+        return 0
+    fi
+    # macOS: token in the login keychain under "Claude Code-credentials".
+    if command -v security >/dev/null 2>&1; then
+        if security find-generic-password -s "Claude Code-credentials" -w >/dev/null 2>&1; then
+            echo "oauth"
+            return 0
+        fi
+    fi
+    # Linux / non-keychain: claude stores creds as a plain file.
+    if [ -f "${HOME}/.claude/.credentials.json" ]; then
+        echo "oauth"
+        return 0
+    fi
+    echo "none"
+    return 0
+}
+
+# Extract host Claude Code OAuth credentials into $1 (0600). Returns non-zero
+# if no host login is found. Writes ONLY the claudeAiOauth object claude needs;
+# never the unrelated mcpOAuth blobs.
+loki_docker_extract_creds() {
+    local dest="$1"
+    [ -n "$dest" ] || { echo "loki_docker_extract_creds: missing dest" >&2; return 2; }
+
+    # Create the file privately BEFORE writing the token (no race on perms).
+    ( umask 077; : > "$dest" ) || return 2
+    chmod 600 "$dest" 2>/dev/null || true
+
+    local raw=""
+    if command -v security >/dev/null 2>&1; then
+        raw="$(security find-generic-password -s "Claude Code-credentials" -w 2>/dev/null || true)"
+    fi
+    if [ -z "$raw" ] && [ -f "${HOME}/.claude/.credentials.json" ]; then
+        raw="$(cat "${HOME}/.claude/.credentials.json" 2>/dev/null || true)"
+    fi
+    if [ -z "$raw" ]; then
+        echo "loki_docker_extract_creds: no host Claude Code login found" >&2
+        return 1
+    fi
+
+    # Normalize to {"claudeAiOauth": {...}}. Prefer jq; fall back to raw if jq
+    # is absent and the payload already looks like the right shape.
+    if command -v jq >/dev/null 2>&1; then
+        if ! printf '%s' "$raw" | jq -e 'has("claudeAiOauth")' >/dev/null 2>&1; then
+            echo "loki_docker_extract_creds: host credentials missing claudeAiOauth" >&2
+            return 1
+        fi
+        printf '%s' "$raw" | jq '{claudeAiOauth}' > "$dest" 2>/dev/null || return 2
+    else
+        printf '%s' "$raw" > "$dest"
+    fi
+    chmod 600 "$dest" 2>/dev/null || true
+    return 0
+}
+
+# Assemble the docker argv (printed one arg per line so callers can read it
+# into an array safely). $1 = auth method (apikey|oauth|none), $2 = creds path
+# (for oauth), remaining args = the loki command to run in the container.
+# $1 = auth, $2 = creds path, $3 = with_api (1 to publish the dashboard port +
+# enable the dashboard, like local `loki start --api`; 0 for a plain one-shot
+# build). Remaining args = the loki command.
+loki_docker_build_argv() {
+    local auth="$1"; shift
+    local creds="$1"; shift
+    local with_api="${1:-0}"; shift
+    local workspace; workspace="$(pwd)"
+
+    local -a argv=(docker run --rm)
+    # Allocate a TTY / keep stdin open ONLY when we actually have a terminal.
+    # `-it` against a non-terminal (piped, CI, headless) fails with
+    # "cannot attach stdin to a TTY-enabled container because stdin is not a
+    # terminal". Probe stdin (-t 0) and stdout (-t 1) and add the flags
+    # conditionally so the wrapper works both interactively and headless.
+    # Override with LOKI_DOCKER_TTY=1 (force) or =0 (never).
+    local _tty="${LOKI_DOCKER_TTY:-auto}"
+    if [ "$_tty" = "1" ]; then
+        argv+=(-it)
+    elif [ "$_tty" = "auto" ] && [ -t 0 ] && [ -t 1 ]; then
+        argv+=(-it)
+    elif [ "$_tty" = "auto" ] && [ -t 0 ]; then
+        argv+=(-i)
+    fi
+    # Workspace mount: this is what makes .loki state (and thus resume +
+    # continuity) persist exactly like the local CLI.
+    argv+=(-v "${workspace}:/workspace:rw" -w /workspace)
+    # Dashboard: OFF by default, exactly like local `loki start` (which only
+    # starts the dashboard with --api). A plain one-shot build does not need it,
+    # and publishing a fixed host port made two `loki docker` runs collide on
+    # 57374 and left a lingering container holding the port. With --api we both
+    # enable the dashboard inside the container AND publish the port.
+    if [ "$with_api" = "1" ]; then
+        argv+=(-p "${LOKI_DASHBOARD_PORT}:${LOKI_DASHBOARD_PORT}")
+        argv+=(-e "LOKI_DASHBOARD=true" -e "LOKI_DASHBOARD_PORT=${LOKI_DASHBOARD_PORT}")
+    else
+        argv+=(-e "LOKI_DASHBOARD=false")
+    fi
+    # Forward git/gh identity so commits + PRs work like local. Mounting just
+    # ~/.gitconfig is NOT enough: it commonly uses `includeIf` to pull the real
+    # identity from per-host files (e.g. a github.com identity in a separate
+    # included file). Those includes are absent in the container, so git would
+    # silently fall back to the top-level [user] -- which can be a corporate
+    # default -- and mis-attribute commits. A `loki docker` build is destined for
+    # github.com, so the container must commit with the GitHub identity. We
+    # resolve it by preference:
+    #   1. the identity from the user's github includeIf target (the file pulled
+    #      in for github.com remotes), if we can find it -- this is the correct
+    #      identity for the autonomous greenfield flow (build -> add github
+    #      remote -> commit -> push), which a workspace-context lookup would miss
+    #      because a fresh repo has no github remote yet;
+    #   2. else the host's globally-configured identity.
+    # Forwarded as authoritative GIT_AUTHOR_*/GIT_COMMITTER_* env. NOTE: this
+    # freezes the identity for the run (env overrides per-commit includeIf
+    # re-evaluation), which is the intended behavior here -- the container has
+    # ONE purpose (github.com builds) so one frozen GitHub identity is correct.
+    [ -f "${HOME}/.gitconfig" ] && argv+=(-v "${HOME}/.gitconfig:/home/loki/.gitconfig:ro")
+    if command -v git >/dev/null 2>&1; then
+        local _gname="" _gemail="" _ghinc=""
+        # Find the path referenced by a github includeIf, if any.
+        if [ -f "${HOME}/.gitconfig" ]; then
+            _ghinc="$(git config --file "${HOME}/.gitconfig" --get-regexp 'includeif\..*github.*\.path' 2>/dev/null | awk '{print $2; exit}')"
+            # Expand a leading ~ to $HOME. (The "~/" here is a literal case
+            # pattern we are matching against, not a path to expand.)
+            # shellcheck disable=SC2088
+            case "$_ghinc" in "~/"*) _ghinc="${HOME}/${_ghinc#\~/}";; esac
+        fi
+        if [ -n "$_ghinc" ] && [ -f "$_ghinc" ]; then
+            _gname="$(git config --file "$_ghinc" --get user.name 2>/dev/null || true)"
+            _gemail="$(git config --file "$_ghinc" --get user.email 2>/dev/null || true)"
+        fi
+        # Fallback to the globally-resolved identity if the github include did
+        # not yield one.
+        [ -z "$_gname" ] && _gname="$(git config --get user.name 2>/dev/null || true)"
+        [ -z "$_gemail" ] && _gemail="$(git config --get user.email 2>/dev/null || true)"
+        if [ -n "$_gname" ]; then
+            argv+=(-e "GIT_AUTHOR_NAME=${_gname}" -e "GIT_COMMITTER_NAME=${_gname}")
+        fi
+        if [ -n "$_gemail" ]; then
+            argv+=(-e "GIT_AUTHOR_EMAIL=${_gemail}" -e "GIT_COMMITTER_EMAIL=${_gemail}")
+        fi
+    fi
+    [ -d "${HOME}/.config/gh" ] && argv+=(-v "${HOME}/.config/gh:/home/loki/.config/gh:ro")
+    # Forward GitHub tokens if set.
+    [ -n "${GITHUB_TOKEN:-}" ] && argv+=(-e "GITHUB_TOKEN=${GITHUB_TOKEN}")
+    [ -n "${GH_TOKEN:-}" ] && argv+=(-e "GH_TOKEN=${GH_TOKEN}")
+    # No desktop notifications inside a container.
+    argv+=(-e "LOKI_NOTIFICATIONS=false")
+    # Multi-repo unified dashboard (Option B): the in-container run.sh must NOT
+    # register into the project registry. A container only sees /workspace, not
+    # the real host path, and registry.register_project() hard-fails on a path
+    # that does not exist inside the container -- so in-container registration
+    # is both wrong (every repo would key as /workspace) and a silent no-op.
+    # Instead cmd_docker registers on the HOST with the real $(pwd), no pid, so
+    # the existing host dashboard aggregates every `loki docker` repo exactly
+    # like it aggregates host `loki start` repos (state read from the
+    # bind-mounted .loki/session.json). See loki_register_running_project.
+    argv+=(-e "LOKI_SKIP_PROJECT_REGISTRY=1")
+    # Deterministic per-host-path container name: two repos get two distinct
+    # concurrent containers (multi-repo parity with the host CLI) and a stable
+    # handle for `loki docker stop`. Hash the workspace path; fall back to a
+    # sanitized basename if no sha tool is present.
+    local _name_hash=""
+    if command -v shasum >/dev/null 2>&1; then
+        _name_hash="$(printf '%s' "$workspace" | shasum -a 256 2>/dev/null | cut -c1-12)"
+    elif command -v sha256sum >/dev/null 2>&1; then
+        _name_hash="$(printf '%s' "$workspace" | sha256sum 2>/dev/null | cut -c1-12)"
+    fi
+    if [ -n "$_name_hash" ]; then
+        argv+=(--name "loki-${_name_hash}")
+    else
+        argv+=(--name "loki-$(basename "$workspace" | tr -c 'A-Za-z0-9_.-' '_')")
+    fi
+    # The container IS the session boundary, so the runner must NOT setsid into
+    # a new, detached session: setsid detach inside a `--rm` container makes the
+    # `docker run` exit code report 0 even when the runner failed (a user with
+    # an expired token would get RC=0 and a silently empty folder). Running the
+    # runner in the foreground propagates the real exit code out through
+    # `docker run`, so the wrapper exits non-zero on a failed build -- exactly
+    # like the local CLI. Stop semantics still work: `docker stop` / Ctrl+C
+    # signals the container's main process.
+    argv+=(-e "LOKI_NO_NEW_SESSION=1")
+
+    case "$auth" in
+        apikey)
+            argv+=(-e "ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY:-}")
+            ;;
+        oauth)
+            # rw so the in-container claude can refresh the short-lived token
+            # for the duration of THIS run. (The mounted file is a per-run temp
+            # copy that is wiped on exit, so the refresh does not persist to the
+            # host store -- but each run re-extracts a fresh, host-refreshed
+            # token, so an idle token is never a problem.)
+            argv+=(-v "${creds}:${_LOKI_DOCKER_CRED_DEST}:rw")
+            ;;
+    esac
+
+    argv+=("$LOKI_DOCKER_IMAGE")
+    argv+=("$@")
+
+    printf '%s\n' "${argv[@]}"
+}

package/autonomy/loki

@@ -891,7 +891,6 @@ show_landing() {
     echo "Get started:"
     echo -e "  ${CYAN}loki start ./prd.md${NC}   Build from a spec (PRD file, GitHub issue, or no arg)"
     echo -e "  ${CYAN}loki demo${NC}             Build a sample todo app end to end (real run)"
-    echo -e "  ${CYAN}loki web${NC}              Open the visual builder to input a spec and watch agents build"
     echo -e "  ${CYAN}loki dashboard start${NC}  Start the live run monitor (then: loki dashboard open)"
     echo ""
     echo -e "Need help? ${CYAN}loki help${NC} lists every command."
@@ -1932,6 +1931,21 @@ cmd_start() {
     if [ -f "$_start_pid_file" ]; then
         local _existing_pid
         _existing_pid=$(cat "$_start_pid_file" 2>/dev/null | tr -dc '0-9')
+        # Docker resume fix: in a `--rm` container every run starts a fresh PID
+        # namespace where the orchestrator is PID 1. A prior run that wrote
+        # loki.pid=1 leaves that marker in the bind-mounted .loki on the host;
+        # the NEXT container is ALSO PID 1, so `kill -0 1` (a self-signal) always
+        # succeeds and the lock falsely reads "another instance is running",
+        # making resume in the same folder impossible. Two cases are NOT a live
+        # sibling and must be cleared: (a) the recorded pid equals OUR OWN pid
+        # ($$) -- this is the in-container resume case, where the new run is PID 1
+        # and the stale marker is also 1; (b) the recorded pid is 1 but we are
+        # NOT pid 1 (a host reading a container's leftover marker). Mirrors the
+        # downstream guard in run.sh. A genuine concurrent sibling can never
+        # share our $$, so this never masks a real running instance.
+        if [ "$_existing_pid" = "$$" ] || { [ "$_existing_pid" = "1" ] && [ "$$" != "1" ]; }; then
+            _existing_pid=""
+        fi
         if [ -n "$_existing_pid" ] && kill -0 "$_existing_pid" 2>/dev/null; then
             echo -e "${RED}Error: another loki instance is running (pid $_existing_pid).${NC}" >&2
             echo -e "${YELLOW}Run 'loki stop' first, then retry 'loki start'.${NC}" >&2
@@ -3970,9 +3984,9 @@ cmd_dashboard_help() {
     echo "Usage: loki dashboard <command> [options]"
     echo ""
     echo "Note: 'loki dashboard' is the operations/observability UI (port ${DASHBOARD_DEFAULT_PORT})."
-    echo "      It is NOT the same as 'loki web' (Purple Lab, port ${PURPLE_LAB_DEFAULT_PORT}, where you input PRDs)."
-    echo "      Use 'loki dashboard' to monitor agents, tasks, costs, council, escalations."
-    echo "      Use 'loki web' to submit a PRD and watch agents build."
+    echo "      It is NOT the same as 'loki web' (Purple Lab, port ${PURPLE_LAB_DEFAULT_PORT}, deprecated v7.44.0)."
+    echo "      Use 'loki dashboard' to monitor agents, tasks, costs, council, escalations,"
+    echo "      and to submit a PRD via the embedded 'Lab' tab (replaces the deprecated 'loki web')."
     echo ""
     echo "Commands:"
     echo "  start    Start the dashboard server"
@@ -4205,9 +4219,11 @@ cmd_dashboard_start() {
         echo "  URL:  $url"
         echo "  Logs: $log_file"
         echo ""
-        # v7.28.x UX #5: distinguish the two browser UIs up front so a newcomer
-        # who wants to submit a spec does not land on the ops monitor by mistake.
-        echo -e "${DIM}Looking for the project web UI to submit a spec? loki web (:${PURPLE_LAB_DEFAULT_PORT:-57375})${NC}"
+        # v7.28.x UX #5: point a newcomer who wants to submit a spec at the right
+        # surface. v7.44.0: the standalone Purple Lab (loki web) is deprecated and
+        # consolidated here, so steer to the embedded Lab tab instead of spawning
+        # a second port.
+        echo -e "${DIM}Want to submit a spec in the browser? Open the 'Lab' tab in this dashboard.${NC}"
         echo ""
         echo -e "Open in browser: ${CYAN}loki dashboard open${NC}"
         echo -e "Check status:    ${CYAN}loki dashboard status${NC}"
@@ -4578,6 +4594,32 @@ PURPLE_LAB_PID_FILE="${PURPLE_LAB_STATE_DIR}/purple-lab.pid"
 cmd_web() {
     local subcommand="${1:-start}"
 
+    # Deprecation (v7.44.0): Purple Lab (loki web, port 57375) is deprecated and
+    # consolidated into the dashboard. The hosted/commercial role moved to the
+    # separate Autonomi Cloud repo. This is a VALUE-PRESERVING deprecation: the
+    # command STILL WORKS (it launches after the banner) so no one is stranded.
+    # The banner + telemetry mirror the run->start deprecation contract: print
+    # to stderr, suppress under machine-output flags (--json/-q/--quiet/json...),
+    # and only emit telemetry when .loki already exists (events/emit.sh creates
+    # "$LOKI_DIR/events/pending" as a side effect that would flip downstream
+    # guards in a clean directory). The --help/-h/help path shows the deprecation
+    # in its own help text instead, so we skip the banner there.
+    case "$subcommand" in
+        --help|-h|help) ;;
+        *)
+            if ! _deprecated_alias_should_suppress "$@"; then
+                echo "loki web (Purple Lab) is deprecated as of v7.44.0. For local build + monitoring, use the dashboard (auto-launches at 'loki start', http://localhost:${DASHBOARD_DEFAULT_PORT}; or 'loki dashboard'). For the hosted platform, see Autonomi Cloud." >&2
+                if [ -d "${LOKI_DIR:-.loki}" ]; then
+                    emit_event cli_command_deprecated cli web \
+                        "from=web" \
+                        "to=dashboard" \
+                        "version=7.44.0" \
+                        "argv=${*:-}"
+                fi
+            fi
+            ;;
+    esac
+
     case "$subcommand" in
         start)
             shift || true
@@ -4617,13 +4659,19 @@ cmd_web() {
 }
 
 cmd_web_help() {
-    echo -e "${BOLD}Purple Lab -- Loki Mode Web UI${NC}"
+    echo -e "${BOLD}Purple Lab -- Loki Mode Web UI (deprecated -- use the dashboard)${NC}"
     echo ""
     echo "Usage: loki web [command] [options]"
     echo ""
+    echo "DEPRECATED as of v7.44.0: Purple Lab is consolidated into the dashboard."
+    echo "  For local build + monitoring, use the dashboard (auto-launches at"
+    echo "  'loki start', http://localhost:${DASHBOARD_DEFAULT_PORT}; or 'loki dashboard')."
+    echo "  For the hosted platform, see Autonomi Cloud."
+    echo "  'loki web' still works for now (it launches after a deprecation notice),"
+    echo "  but it will be removed in a future release. Migrate to the dashboard."
+    echo ""
     echo "Note: 'loki web' is Purple Lab (the PRD-input/build-watch UI, port ${PURPLE_LAB_DEFAULT_PORT})."
     echo "      It is NOT the same as 'loki dashboard' (operations UI, port ${DASHBOARD_DEFAULT_PORT})."
-    echo "      Use 'loki web' to submit a PRD and watch agents build it."
     echo "      Use 'loki dashboard' to monitor running agents, tasks, costs, council, escalations."
     echo ""
     echo "Commands:"
@@ -14337,6 +14385,9 @@ main() {
         web)
             cmd_web "$@"
             ;;
+        docker)
+            cmd_docker "$@"
+            ;;
         preview)
             cmd_preview "$@"
             ;;
@@ -28327,4 +28378,178 @@ PYEOF
     esac
 }
 
+# ---------------------------------------------------------------------------
+# loki docker - zero-friction Docker host wrapper
+#
+# Runs loki inside the published image with the SAME experience as the local
+# CLI: invoke it in a project folder and it just works. The current directory
+# is bind-mounted to /workspace, so .loki/ state (memory, session, queue,
+# checkpoints) persists on the host and resume + continuity behave exactly like
+# `loki start` locally. Auth is auto-detected (ANTHROPIC_API_KEY if set, else
+# the host Claude Code login), so Claude Code subscribers get zero-config runs.
+#
+# Usage:
+#   loki docker start prd.md       # run a build in the container, .loki persists
+#   loki docker <any-loki-command> # forwards any command into the container
+#   loki docker --dry-run start    # print the docker argv without running
+#   loki docker --image IMG ...    # override the image (default published tag)
+# ---------------------------------------------------------------------------
+cmd_docker() {
+    local docker_mod="$_LOKI_SCRIPT_DIR/docker-run.sh"
+    if [ ! -f "$docker_mod" ]; then
+        echo -e "${RED}Error: docker wrapper module not found at $docker_mod${NC}" >&2
+        return 3
+    fi
+
+    local sub="${1:-}"
+    case "$sub" in
+        ""|--help|-h|help)
+            echo -e "${BOLD}loki docker${NC} - run loki inside the Docker image, zero config"
+            echo ""
+            echo "Usage: loki docker [--image IMG] [--dry-run] <loki-command> [args]"
+            echo ""
+            echo "Runs the published Loki image with your current folder mounted at"
+            echo "/workspace, so .loki state persists and resume works exactly like"
+            echo "the local CLI. Auth is auto-detected:"
+            echo "  1. ANTHROPIC_API_KEY (if set in your environment), else"
+            echo "  2. your host Claude Code login (Max/Pro subscription), else"
+            echo "  3. an error with setup guidance."
+            echo ""
+            echo "Examples:"
+            echo "  loki docker start prd.md"
+            echo "  loki docker status"
+            echo "  loki docker --dry-run start prd.md"
+            echo ""
+            echo "Options:"
+            echo "  --image IMG   Override the image (default: ${LOKI_DOCKER_IMAGE:-asklokesh/loki-mode:latest})"
+            echo "  --dry-run     Print the docker command that would run, then exit"
+            [ "$sub" = "" ] && return 1
+            return 0
+            ;;
+    esac
+
+    if ! command -v docker >/dev/null 2>&1; then
+        echo -e "${RED}Error: docker is not installed or not on PATH.${NC}" >&2
+        echo "Install Docker Desktop (https://www.docker.com/products/docker-desktop/) and retry." >&2
+        return 4
+    fi
+
+    # Parse wrapper-only flags (everything else is the loki command to forward).
+    # --api is BOTH a forwarded loki flag (start --api) and a wrapper signal to
+    # publish the dashboard port, so we detect it without consuming it.
+    local dry_run=0
+    local with_api=0
+    local -a fwd=()
+    while [ $# -gt 0 ]; do
+        case "$1" in
+            --image) shift; export LOKI_DOCKER_IMAGE="${1:-}"; shift ;;
+            --dry-run) dry_run=1; shift ;;
+            --api) with_api=1; fwd+=("$1"); shift ;;
+            *) fwd+=("$1"); shift ;;
+        esac
+    done
+
+    # shellcheck source=/dev/null
+    source "$docker_mod"
+
+    local auth; auth="$(loki_docker_detect_auth)"
+    local creds=""
+    local cleanup_creds=0
+
+    case "$auth" in
+        apikey)
+            echo -e "${DIM:-}Auth: ANTHROPIC_API_KEY (from environment)${NC}" >&2
+            ;;
+        oauth)
+            creds="$(mktemp "${TMPDIR:-/tmp}/loki-docker-creds.XXXXXX")" || {
+                echo -e "${RED}Error: could not create a temp file for credentials.${NC}" >&2
+                return 2
+            }
+            cleanup_creds=1
+            # Wipe the token file on any exit path.
+            # shellcheck disable=SC2064
+            trap "rm -f '$creds' 2>/dev/null || true" EXIT INT TERM
+            if ! loki_docker_extract_creds "$creds"; then
+                echo -e "${RED}Error: found a host Claude Code login but could not read its token.${NC}" >&2
+                return 2
+            fi
+            echo -e "${DIM:-}Auth: host Claude Code login (auto-detected, mounted read-write)${NC}" >&2
+            ;;
+        none)
+            echo -e "${RED}Error: no auth available for the Docker run.${NC}" >&2
+            echo "Do ONE of the following, then retry:" >&2
+            echo "  - export ANTHROPIC_API_KEY=sk-ant-...   (get one at https://console.anthropic.com/settings/keys)" >&2
+            echo "  - or log in to Claude Code on this host (claude) so loki can reuse it." >&2
+            return 5
+            ;;
+    esac
+
+    # Default the command to 'help' if the user passed only wrapper flags.
+    [ ${#fwd[@]} -eq 0 ] && fwd=(help)
+
+    local -a docker_argv=()
+    while IFS= read -r line; do docker_argv+=("$line"); done < <(loki_docker_build_argv "$auth" "$creds" "$with_api" "${fwd[@]}")
+
+    if [ "$dry_run" = "1" ]; then
+        echo "Would run:"
+        # Mask the API key value: dry-run output is exactly what users paste into
+        # bug reports / CI logs, so never print the secret.
+        local _a
+        for _a in "${docker_argv[@]}"; do
+            case "$_a" in
+                ANTHROPIC_API_KEY=*) printf '  %q' "ANTHROPIC_API_KEY=***" ;;
+                *) printf '  %q' "$_a" ;;
+            esac
+        done
+        echo ""
+        [ "$cleanup_creds" = "1" ] && rm -f "$creds" 2>/dev/null || true
+        return 0
+    fi
+
+    # Multi-repo unified dashboard (Option B): register THIS project on the host
+    # with the real cwd and NO pid, so the existing host dashboard
+    # (`loki dashboard`) lists it alongside host `loki start` projects and reads
+    # its live status from the bind-mounted .loki/session.json. Best-effort and
+    # failure-swallowed: registry bookkeeping must never block a build.
+    _loki_docker_register_host running
+    "${docker_argv[@]}"
+    local rc=$?
+    _loki_docker_register_host stopped
+    [ "$cleanup_creds" = "1" ] && rm -f "$creds" 2>/dev/null || true
+    return $rc
+}
+
+# Host-side project registry bookkeeping for `loki docker` (Option B). Registers
+# $(pwd) in ~/.loki/dashboard/projects.json with NO pid (pid=None) so the
+# dashboard's "running" decision falls back to .loki/session.json (which the
+# container writes into the bind-mounted workspace). $1 = running|stopped.
+_loki_docker_register_host() {
+    local _state="${1:-running}"
+    command -v python3 >/dev/null 2>&1 || return 0
+    local _skill="${SKILL_DIR:-$_LOKI_SCRIPT_DIR/..}"
+    LOKI_REG_TARGET="$(pwd)" LOKI_REG_SKILL="$_skill" LOKI_REG_STATE="$_state" \
+    python3 - <<'PYDOCKERREG' >/dev/null 2>&1 || true
+import os, sys
+sys.path.insert(0, os.environ.get("LOKI_REG_SKILL", "."))
+try:
+    from dashboard import registry
+    target = os.path.abspath(os.environ["LOKI_REG_TARGET"])
+    state = os.environ.get("LOKI_REG_STATE", "running")
+    if state == "stopped":
+        registry.mark_project_stopped(target)
+    else:
+        registry.register_project(target)
+        reg = registry._load_registry()
+        pid_key = registry._generate_project_id(target)
+        if pid_key in reg.get("projects", {}):
+            # No host pid for a containerized run: the dashboard uses the
+            # bind-mounted .loki/session.json to decide "running".
+            reg["projects"][pid_key]["pid"] = None
+            reg["projects"][pid_key]["status"] = "running"
+            registry._save_registry(reg)
+except Exception:
+    pass
+PYDOCKERREG
+}
+
 main "$@"