npm - loki-mode - Versions diffs - 7.5.28 → 7.5.29 - Mend

loki-mode 7.5.28 → 7.5.29

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (75) hide show

package/SKILL.md CHANGED Viewed

@@ -3,7 +3,7 @@ name: loki-mode
 description: Multi-agent autonomous startup system. Triggers on "Loki Mode". Takes a spec (PRD, GitHub issue, OpenAPI doc, etc.) to deployed product with minimal human intervention. Requires --dangerously-skip-permissions flag.
 ---
-# Loki Mode v7.5.28
+# Loki Mode v7.5.29
 **You are an autonomous agent. You make decisions. You do not ask questions. You do not stop.**
@@ -381,4 +381,4 @@ See `CHANGELOG.md` entries [7.5.7], [7.5.8], [7.5.13] for the per-fix list and r
 ---
-**v7.5.28 | [Autonomi](https://www.autonomi.dev/) flagship product | ~260 lines core**
+**v7.5.29 | [Autonomi](https://www.autonomi.dev/) flagship product | ~260 lines core**

package/VERSION CHANGED Viewed

	@@ -1 +1 @@
1	- 7.5.28
1	+ 7.5.29

package/autonomy/loki CHANGED Viewed

@@ -3783,7 +3783,7 @@ cmd_web_start() {
         existing_pid=$(cat "$PURPLE_LAB_PID_FILE" 2>/dev/null)
         if [ -n "$existing_pid" ] && kill -0 "$existing_pid" 2>/dev/null; then
             echo -e "${GREEN}Purple Lab already running (PID: $existing_pid)${NC}"
-            local url="http://${PURPLE_LAB_DEFAULT_HOST}:${port}"
+            local url="http://${PURPLE_LAB_DEFAULT_HOST}:${port}/lab/"
             echo -e "Open: ${CYAN}$url${NC}"
             if [ "$open_browser" = true ]; then
                 if command -v open &> /dev/null; then
@@ -3842,7 +3842,7 @@ cmd_web_start() {
     local retries=0
     local server_ready=false
     while [ $retries -lt 15 ]; do
-        if curl -s "http://${PURPLE_LAB_DEFAULT_HOST}:${port}/api/session/status" > /dev/null 2>&1; then
+        if curl -s "http://${PURPLE_LAB_DEFAULT_HOST}:${port}/lab/api/session/status" > /dev/null 2>&1; then
             server_ready=true
             break
         fi
@@ -3857,7 +3857,7 @@ cmd_web_start() {
         exit 1
     fi
-    local url="http://${PURPLE_LAB_DEFAULT_HOST}:${port}"
+    local url="http://${PURPLE_LAB_DEFAULT_HOST}:${port}/lab/"
     if [ "$server_ready" = true ]; then
         echo -e "${GREEN}Purple Lab running at: $url${NC} (PID: $pid)"

package/dashboard/__init__.py CHANGED Viewed

@@ -7,7 +7,7 @@ Modules:
     control: Session control API (start/stop/pause/resume)
 """
-__version__ = "7.5.28"
+__version__ = "7.5.29"
 # Expose the control app for easy import
 try:

package/docs/INSTALLATION.md CHANGED Viewed

@@ -2,7 +2,7 @@
 The flagship product of [Autonomi](https://www.autonomi.dev/). Complete installation instructions for all platforms and use cases.
-**Version:** v7.5.28
+**Version:** v7.5.29
 ---

package/docs/MERGE-DEDUP-MAP.md ADDED Viewed

@@ -0,0 +1,420 @@
+# Purple Lab Into Dashboard: Deduplication Map (Phase Merge-2)
+**Status:** Audit complete. Doc-only output for Phase Merge-2 of the v7.5.29+ true-integration arc.
+**Date:** 2026-05-23
+**Scope:** Duplicated business logic, state stores, file paths, session models, WebSocket buses, and auth infrastructure between `dashboard/` and `web-app/`.
+This document is the source-of-truth deduplication roadmap. It enumerates every shared concept, identifies conflicts, and assigns a canonical version for each with the rationale. The merge into a single Loki Mode UI is Phase Merge-4. This audit completes the dependency analysis for Merge-5 (semantic dedup).
+---
+## 1. State Directory Paths
+| Path | Dashboard Usage | Purple Lab Usage | Same Data? | Conflict if Both Write? | Canonical |
+|---|---|---|---|---|---|
+| `~/.loki/state/` | Dashboard only: orchestrator.json, session.json, provider, prd | Web-app sets `LOKI_DIR` per project: `<project>/.loki/state/` | NO: Dashboard monitors global state; Lab creates per-project state | YES: Dashboard writes global state; Lab writes local state inside project | Dashboard: Keep global state in `~/.loki/state/`. Lab: Write per-project to `<project>/.loki/state/` (already does via env var). Explicit namespace separation. |
+| `~/.loki/dashboard/` | Token storage (tokens.json) at `dashboard/auth.py:32` | Purple Lab tokens stored at `web-app/server.py:7878` as `~/.loki/tokens/` | NO: Different files and locations | NO: Separate directories and files | Dashboard wins: keep `~/.loki/dashboard/tokens.json`. Lab redirects reads to Dashboard's auth endpoint (Merge-5). |
+| `~/.loki/dashboard/audit/` | Dashboard audit logs at `dashboard/audit.py:7` | Web-app writes audit logs to DB (models.py, AuditLog table) | NO: Dashboard is file-based; Lab is DB-based | NO: Different storage backends | Dashboard wins for CLI audit trail (file-based); Lab uses DB for web-UI audit (will unify in Merge-5 via Dashboard audit API). |
+| `~/.loki/purple-lab/child-pids.json` | N/A | Lab PID tracking at `web-app/server.py:223` | N/A | NO: Lab-specific, not written by Dashboard | Lab keeps this. Dashboard is unaware of Lab child processes. |
+| `<project>/.loki/` | N/A | Web-app sets `LOKI_DIR=<project>/.loki` at `web-app/server.py:2663` | N/A | NO: Per-project state, isolated | Lab keeps this. Dashboard never touches per-project state. |
+| `~/.loki/logs/` | Dashboard writes logs at `dashboard/control.py:32` | Web-app logs go to project-local dir (via LOKI_DIR) at `web-app/server.py` (implicit, via subprocess env) | NO: Different locations and scopes | NO: Separate directories | Dashboard: global logs. Lab: per-project logs. Both win (isolated scopes). |
+| `~/.loki/migrations/` | Migration state at `dashboard/migration_engine.py:183` | N/A | N/A | N/A | Dashboard only. |
+**Recommendation:** NO BREAKING CHANGES needed for Merge-4. The mount isolates via path prefix (`/lab/`). Lab's per-project state stays inside the project directory (via `LOKI_DIR` env var). Dashboard's global state stays at `~/.loki/`. The two trees do not collide because Dashboard reads global state and Lab reads per-project state.
+---
+## 2. Session Models (Pydantic)
+### Dashboard: `Session` (SQLAlchemy ORM)
+**File:** `dashboard/models.py:179-203`
+| Field | Type | Nullable | Notes |
+|---|---|---|---|
+| `id` | int (PK) | NO | Auto-increment |
+| `project_id` | int (FK) | NO | Foreign key to Project |
+| `status` | SessionStatus enum | NO | Values: ACTIVE, PAUSED, COMPLETED, FAILED |
+| `provider` | str | NO | Default: "claude" |
+| `model` | str | YES | Optional model override |
+| `started_at` | datetime | NO | Server default: now() |
+| `ended_at` | datetime | YES | NULL until session ends |
+| `logs` | text | YES | Session logs (JSON or text) |
+| Relationships | agents (1:N) | NO | Cascade delete |
+### Purple Lab: `Session` (SQLAlchemy ORM)
+**File:** `web-app/models.py:63-78`
+| Field | Type | Nullable | Notes |
+|---|---|---|---|
+| `id` | UUID | NO | Client-side generated |
+| `user_id` | UUID (FK) | NO | Foreign key to User |
+| `project_id` | UUID (FK) | YES | Foreign key to Project |
+| `prd_content` | text | YES | Full PRD stored in DB |
+| `provider` | str | NO | Default: "claude" |
+| `mode` | str | NO | Default: "standard" |
+| `status` | str | NO | Values: "created", "running", "paused", "completed", "failed" |
+| `started_at` | datetime | NO | Default: utcnow() |
+| `ended_at` | datetime | YES | NULL until session ends |
+| `metadata_json` | JSON | NO | Flexible metadata dict |
+| Relationships | user, project | NO | |
+### Compatibility Analysis
+| Aspect | Dashboard | Lab | Compatible? | Action |
+|---|---|---|---|---|
+| **Primary Key** | int (auto) | UUID | NO | Lab uses user-facing UUIDs; Dashboard uses internal integers. Separate DBs (Merge-4 mounts, so no shared DB). No conflict. |
+| **Status Field** | enum (SessionStatus) | string | PARTIAL | Dashboard: [ACTIVE, PAUSED, COMPLETED, FAILED]; Lab: "created", "running", "paused", "completed", "failed". Values drift. Map in API layer. |
+| **Provider** | str | str | YES | Both default "claude". Compatible. |
+| **Model** | optional str | NOT PRESENT | NO | Dashboard tracks model choice; Lab infers from provider. Add `model` field to Lab in Merge-5. |
+| **Started/Ended** | datetime (server default) | datetime (utcnow) | YES | Functionally equivalent. |
+| **Logs** | text field | NOT PRESENT | NO | Lab logs go to stdout/file, not DB. Store in metadata_json during Merge-5. |
+| **User Tracking** | NOT PRESENT | user_id (FK) | NO | Dashboard is single-user (CLI); Lab is multi-user. Don't merge. Keep Lab's user_id. |
+| **PRD Content** | NOT PRESENT | prd_content (text) | NO | Lab stores PRD in DB for re-use; Dashboard reads from file. Separate concerns. |
+**Recommendation:**
+- **DO NOT merge schemas.** Dashboard tracks **agent execution state** (provider, model, status, logs). Lab tracks **user sessions** (user, PRD, metadata).
+- **Create a bridge table** in Merge-5: `DashboardSession` references `Lab.Session` + stores Dashboard-specific fields (model, logs_path, agent_list).
+- **Status mapping layer:** Dashboard API wraps Lab session status strings into Dashboard enums for internal use.
+---
+## 3. WebSocket / Event Bus
+### Dashboard: `ConnectionManager` + Direct Broadcast
+**File:** `dashboard/server.py:394-436`
+```python
+class ConnectionManager:
+    active_connections: list[WebSocket] = []
+    async def connect(ws) -> bool
+    async def disconnect(ws)
+    async def broadcast(message: dict[str, Any])
+```
+**Events Broadcast:**
+- `state_update`: `.loki/` state changed (via file monitor at `:451-667`)
+- `skill-session-update`: Fall-back when `dashboard-state.json` is missing (`:554`)
+- PID-based liveness checks (`:515`)
+**Route:** `@app.websocket("/ws")` at `:1824`
+### Purple Lab: File Watcher + Broadcast Callback
+**File:** `web-app/server.py:420-530`
+```python
+class FileEventDebouncer(FileSystemEventHandler):
+    def __init__(self, project_dir, broadcast_fn, loop)
+    def on_any_event(event) -> None
+    def _schedule_broadcast() -> None
+```
+**Events Broadcast:**
+- File system changes: `{event_type, path, timestamp}`
+- Terminal output: `{type: "terminal", output, session_id}`
+- Dev server output: `{type: "backend_output", data, session_id}`
+**Routes:**
+- `@app.websocket("/ws")` at `:6290`
+- `@app.websocket("/ws/terminal/{session_id}")` at `:6370`
+### Compatibility Analysis
+| Aspect | Dashboard | Lab | Compatible? |
+|---|---|---|---|
+| **Connection Manager** | Simple broadcast to all | File-system event handler + selective broadcast | NO: Different models (poll vs file-watch) |
+| **Events** | State JSON changes, skill-session updates | File system + terminal output | NO: Different audiences |
+| **Clients** | Dashboard UI (browser) | Lab UI (browser) + Terminal client | YES, but separate concerns |
+| **Message Format** | `{message_type, data, ...}` | `{event_type, path, ...}` | PARTIAL: Different schemas |
+**Recommendation:**
+- **DO NOT unify in Merge-4.** Two distinct buses serve different purposes.
+- **Merge-4:** Lab's `/ws` becomes `/lab/ws` (mount prefixing).
+- **Merge-5:** Unify into a single **Unified Event Bus** (UEB):
+  - Dashboard clients listen to `/ws` for Dashboard state.
+  - Lab clients (mounted at `/lab`) listen to `/lab/ws` for Lab state.
+  - Eventually (Phase 7), cross-publish: Dashboard publishes `lab.session.started` events that Dashboard clients can consume for UI updates.
+---
+## 4. Auth / Session-Token Handling
+### Dashboard: Token-Based + OIDC (Optional)
+**File:** `dashboard/auth.py:1-695`
+- **Token storage:** `~/.loki/dashboard/tokens.json` (file-based, SHA256 hashed)
+- **Token format:** `loki_<urlsafe(32 bytes)>`
+- **Token validation:** `validate_token()` at `:346`
+- **Scope hierarchy:** `*` > `control` > `write` > `read` (at `:53`)
+- **OIDC support:** Optional via `LOKI_OIDC_ISSUER` + `LOKI_OIDC_CLIENT_ID` (`:36-41`)
+- **Auth dependency:** `get_current_token()` at `:618`
+- **CORS origins:** `LOKI_DASHBOARD_CORS` env var (server.py:732)
+- **Root path cookies:** Not set (token-based only)
+### Purple Lab: JWT + OAuth (GitHub, Google)
+**File:** `web-app/auth.py:1-210+` (truncated in read)
+- **Token storage:** `~/.loki/tokens/` (file-based)
+- **Token format:** JWT (via `python-jose`, `PURPLE_LAB_SECRET_KEY` at `:34`)
+- **Token creation:** `create_access_token()` at `:58`
+- **Token validation:** `verify_token()` at `:68`
+- **OAuth callbacks:** `github_oauth_callback()` (`:158`), `google_oauth_callback()` (`:209`)
+- **CORS origins:** `PURPLE_LAB_CORS_ORIGINS` env var (server.py:108)
+- **Root path cookies:** Not set (JWT bearer token only)
+### Compatibility Analysis
+| Aspect | Dashboard | Lab | Conflict if Both Write? |
+|---|---|---|---|
+| **Token Format** | `loki_<urlsafe>` (opaque) | JWT (introspectable) | NO: Different tokens, same purpose |
+| **Token Storage** | `~/.loki/dashboard/tokens.json` | `~/.loki/tokens/` (implied) | NO: Different files |
+| **Scope Model** | Role-based (admin, operator, viewer, auditor) | NOT PRESENT in web-app (all OIDC users get `["*"]`) | NO: Dashboard owns scopes. Lab uses DB users. |
+| **OIDC Support** | Optional, via env vars | Implicit (OAuth), NOT OIDC | PARTIAL: Dashboard uses OIDC; Lab uses OAuth. |
+| **Cookies** | NOT SET | NOT SET | NO: Both are stateless (token-based). |
+| **Root-Path Auth** | Optional via `require_scope()` dependency | Optional via `get_current_user()` dependency | NO: Both use Bearer tokens. Same origin after mount means CORS becomes redundant. |
+**Recommendation:**
+- **DO NOT merge auth systems in Merge-4.** They serve different clients (CLI + Dashboard vs Web app).
+- **Merge-4 action:** Dashboard's CORS middleware is redundant after mount (same origin). Remove `CORSMiddleware` from Lab when mounted.
+- **Merge-5 action:** Unify token storage and validation:
+  - Canonical: Dashboard's `~/.loki/dashboard/tokens.json` for CLI API tokens.
+  - Lab users: Stored in DB (models.py:User table). Lab auth looks up user in DB, not file.
+  - No cross-auth: Dashboard API tokens ≠ Lab DB users. Separate realms.
+---
+## 5. CORS Middleware
+| Server | CORS Enabled? | Origins | Env Var | Conflict? |
+|---|---|---|---|---|
+| **Dashboard** | YES | `http://localhost:57374,http://127.0.0.1:57374` (default) | `LOKI_DASHBOARD_CORS` | YES: Redundant after mount (same origin) |
+| **Purple Lab** | YES | `http://localhost:57374,http://127.0.0.1:57374` (default) | `PURPLE_LAB_CORS_ORIGINS` | YES: Redundant after mount (same origin) |
+**Code References:**
+- Dashboard: `dashboard/server.py:728-746`
+- Lab: `web-app/server.py:104-124`
+**Recommendation:**
+- **Merge-4:** Remove `CORSMiddleware` from Lab's FastAPI app when mounted. Dashboard's CORS middleware at root (`/`) handles the browser's same-origin policy.
+- **Rationale:** After mount, Lab is at `/lab/*` and Dashboard is at `/` + `/api/*` + `/dashboard/*`. All served from the same origin (same host/port), so CORS is unnecessary.
+---
+## 6. Lifespan / Startup Events
+### Dashboard
+**File:** `dashboard/server.py`
+- **No `@app.on_event("startup")` found.** (grep returned empty)
+- **Database init:** Via `init_db()` dependency injected at app scope (database.py, implicit)
+- **Activity logger init:** `get_activity_logger()` called ad-hoc (activity_logger.py:31+)
+- **Telemetry init:** `_telemetry` module imported, not explicitly initialized (telemetry.py:54)
+### Purple Lab
+**File:** `web-app/server.py`
+- **No `@app.on_event("startup")` found.** (grep returned empty)
+- **Database init:** Via `init_db()` called in `database.py` (models.py:116-140)
+- **Dev server managers init:** `dev_server_manager` and `dev_server_manager_v2` instantiated at module level (server.py:1571+)
+- **Terminal manager init:** `terminals_manager` instantiated at module level (server.py:211)
+- **PID tracker init:** `session = SessionState()` at module level (server.py:217)
+### Compatibility Analysis
+| Component | Dashboard | Lab | Action |
+|---|---|---|---|
+| **Database init** | Via ORM session factory | Via async engine + async_session_factory | COMPATIBLE: Both async. No ordering required. |
+| **Process managers** | N/A | Global instances (DevServerManager, TerminalManager) | NO CONFLICT: Lab-specific, not used by Dashboard. |
+| **Activity logger** | Ad-hoc initialization | Not present | NO CONFLICT: Dashboard-only. |
+| **Startup ordering** | Implicit (DB auto-init) | Implicit (global instances) | SAFE: No explicit hooks to compose. |
+**Recommendation:**
+- **Merge-4:** No changes needed. Both servers initialize implicitly via module-level globals and ORM lazy-loading.
+- **Safe to mount:** Neither server has explicit lifespan hooks that could conflict.
+---
+## 7. Shared Python Utilities
+### Shared Modules (Used by Both)
+| Module | Dashboard Import | Lab Import | Conflict? | Canonical |
+|---|---|---|---|---|
+| `memory/` | `dashboard/server.py:2376` reads `.loki/memory/` | `web-app/server.py:3121` reads `.loki/memory/` | NO: Both read-only, same path | Both. Memory system is read-only for both servers. |
+| `events/` | `dashboard/control.py:422` (`emit_event()`) | NOT FOUND in web-app | NO: Dashboard-only event bus | Dashboard. Lab does not emit to dashboard event bus. |
+| `providers/` | Used via CLI (loki start), not in server code | Used via subprocess (loki start) | NO: CLI-level, not server-level | N/A (both invoke CLI) |
+### Utility Functions
+**Dashboard-only utilities:**
+- `dashboard/control.py`: `atomic_write_json()` (`:41`), `get_status()` (`:60`), `emit_event()` (`:422`), `start_session()` (`:367`)
+- `dashboard/registry.py`: Registry management for projects
+- `dashboard/migration_engine.py`: Migration orchestration
+- `dashboard/audit.py`: Audit logging
+**Lab-only utilities:**
+- `web-app/server.py`: `SessionState` (`:132`), `DevServerManager` (`:577`), `TerminalManager`, `ProjectFileManager`
+- `web-app/models.py`: Async DB session factory
+**No overlap detected.**
+**Recommendation:**
+- **DO NOT create shared utility modules in Merge-4.** Each server has distinct responsibilities.
+- **Merge-5:** If cross-server calls are needed (e.g., Lab needs to call Dashboard's `get_status()`), use HTTP API, not shared Python modules.
+---
+## 8. Duplicated Business Functions
+### Critical Duplicates Found
+#### `start_session()` -- DUPLICATED
+| Aspect | Dashboard (control.py:367) | Purple Lab (server.py:2606) | Conflict? |
+|---|---|---|---|
+| **Purpose** | Start loki autonomy via run.sh (CLI-driven) | Start loki session via loki start/quick (Lab-driven) | YES: Different triggering paths for same action |
+| **Input** | `StartRequest` (prd path, provider, options) | `StartRequest` (prd content as string, provider, mode) | PARTIAL: Different fields (prd_path vs prd_content) |
+| **Process** | Spawns `run.sh` subprocess directly | Spawns `loki start` via CLI (which runs run.sh) | YES: Dashboard invokes run.sh; Lab invokes CLI which invokes run.sh |
+| **State Tracking** | Saves provider to `STATE_DIR / "provider"` | Sets `LOKI_DIR` env var per project | PARTIAL: Different state models |
+| **Event Emission** | Calls `emit_event("session_start", {...})` | No event emission (implicit via subprocess) | NO: Dashboard has event infrastructure; Lab doesn't |
+**Impact:** Both try to start the same underlying `run.sh` process, but from different code paths:
+- Dashboard: CLI → `loki dashboard` → Dashboard Server (FastAPI) → `start_session()` → `run.sh`
+- Lab: Web UI → Lab Server (FastAPI) → `start_session()` → `loki start` → `run.sh`
+**Problem:** After mount, both `/api/control/start` (Dashboard) and `/lab/api/session/start` (Lab) invoke the same `run.sh`. They compete for:
+- Global state at `~/.loki/state/`
+- Single global session (only one can run at a time per Dashboard design)
+**Recommendation:**
+- **Merge-4 DECISION POINT:** Choose ONE `start_session()` entry point.
+  - **Option A** (recommended): Lab wins. Dashboard's `/api/control/start` becomes a thin wrapper calling `/lab/api/session/start` via HTTP (Merge-5).
+  - **Option B:** Dashboard wins. Lab's route is removed or deprecated in favor of Dashboard's `start_session()` (breaks Lab's standalone mode).
+- **Rationale for Option A:** Lab's `start_session()` is more feature-complete (project directory, PRD content, quick mode). Dashboard's version is simpler. Unify on Lab's logic; Dashboard can call it via HTTP API.
+---
+### Other Business Functions
+#### `get_status()` / Status Endpoints
+| Aspect | Dashboard | Lab | Duplicate? |
+|---|---|---|---|
+| **Endpoint** | `@app.get("/api/status")` (server.py:850) | No `/status` endpoint (only `/api/session/status`) | PARTIAL: Different scope |
+| **Purpose** | System-wide status (PID, agent count, session count, DB connected) | Session status (running, paused, error) | NO: Different concepts |
+**Recommendation:** NO DEDUP NEEDED. Dashboard reports system health. Lab reports session state. Different concerns.
+---
+## 9. Cookie / Session-Token Namespace
+| Aspect | Dashboard | Lab | Conflict? |
+|---|---|---|---|
+| **Cookie-based sessions** | NOT USED (token-based only) | NOT USED (JWT bearer token only) | NO: Both stateless. No cookies set at root path. |
+| **Cookie domain** | N/A | N/A | NO: No cookies to conflict. |
+| **Token scope** | Bearer token in Authorization header | Bearer token in Authorization header | COMPATIBLE: Same transport, different validation. |
+**Recommendation:**
+- **Safe to mount.** Neither server sets cookies. Both use stateless Bearer tokens in `Authorization: Bearer <token>` header.
+- **Merge-4:** No changes needed.
+---
+## 10. Summary Table: Duplicate Canonical Versions
+| Duplicate | Location | Dashboard | Lab | Canonical | Reason |
+|---|---|---|---|---|---|
+| **start_session()** | control.py:367 vs server.py:2606 | Subprocess run.sh, state file tracking | Subprocess loki start, per-project state | **Lab wins** (more complete, feature-rich). Dashboard calls via HTTP (Merge-5). | Lab version handles projects, PRD content, quick mode. Dashboard version simpler. Unify on richer implementation. |
+| **Session model** | models.py (both) | Execution state (provider, model, logs) | User session state (user_id, PRD, metadata) | **Keep separate** (different domains). | Dashboard tracks agent runs. Lab tracks user sessions. Bridge in Merge-5 via DashboardSession FK to Lab.Session. |
+| **WebSocket bus** | server.py:394 vs server.py:420 | State polling + broadcast | File watch + event debouncer | **Keep separate** (different audiences). | Dashboard UI monitors .loki/ changes. Lab UI monitors project file changes. Unify message schema in Merge-5 (one UEB). |
+| **Token auth** | auth.py (both) | Opaque loki_ tokens + OIDC | JWT tokens + OAuth | **Keep separate** (different clients). | Dashboard tokens for CLI API. Lab tokens for web users. Unify in Merge-5 at API layer (Dashboard token auth calls Lab JWT validation). |
+| **CORS middleware** | server.py (both) | Enabled, port 57374 | Enabled, port 57374 | **Remove Lab's CORS** (redundant after mount). | Same origin after mount makes CORS unnecessary. Simplify. |
+| **State paths** | Various | ~/.loki/state/ (global) | <project>/.loki/state/ (per-project) | **Keep both** (explicit namespace separation). | Dashboard state is global. Lab state is per-project. No collision. |
+---
+## Phase Merge-2 Deliverables
+- [x] State directory path audit (section 1)
+- [x] Session model compatibility analysis (section 2)
+- [x] WebSocket/event bus architecture (section 3)
+- [x] Auth/token namespace audit (section 4)
+- [x] CORS middleware redundancy check (section 5)
+- [x] Lifespan/startup hooks composition (section 6)
+- [x] Shared utilities discovery (section 7)
+- [x] Duplicate business functions (section 8)
+- [x] Cookie/session-token conflicts (section 9)
+- [x] Deduplication recommendations with canonical versions (section 10)
+---
+## Honest Acknowledgements
+### What Was NOT Audited (and Why)
+1. **Frontend code duplication** (TypeScript/React):
+   - Dashboard UI (`dashboard-ui/src/`) and Lab UI (`web-app/dist/` or source) likely have overlapping components (session cards, status displays, log viewers).
+   - Scope: This audit covers Python backend only. Frontend audit deferred to UI design review in Merge-3 (Vite rebuild).
+2. **Database schema migrations and compatibility:**
+   - Dashboard uses SQLAlchemy ORM with explicit schema (models.py).
+   - Lab uses Alembic migrations (migrations/versions/).
+   - No shared database in Merge-4 (separate instances). DB unification is a Merge-5+ decision.
+   - Scope: This audit assumes separate DBs per server (no merge needed in Merge-4).
+3. **Subprocess environment variables and cross-server communication:**
+   - Lab sets `LOKI_DIR` when spawning `loki start`. Dashboard sets environment for `run.sh`.
+   - No audit of whether subprocess reads Dashboard state or vice versa.
+   - Scope: Assumed to be isolated per server (no cross-reading of env vars).
+4. **Test suite duplication:**
+   - `dashboard/tests/` and `web-app/tests/` may have duplicate test cases.
+   - Scope: Not audited. Test refactoring in Phase Merge-8 (regression).
+5. **API endpoint overlap beyond routes:**
+   - Phase Merge-1 confirmed NO /api/* route collisions (paths are distinct).
+   - This audit did not deep-dive into semantic overlap (e.g., both have "get session info" but different response schemas).
+   - Scope: Merge-1 route audit sufficient. Semantic overlap is Merge-5 work.
+6. **Configuration file conflicts:**
+   - `.env`, `.loki/config.json`, or other config files may conflict.
+   - Scope: Not audited. Assumed env vars and filesystem state isolation is sufficient for Merge-4.
+7. **Dependency version skew:**
+   - Both servers require `fastapi`, `pydantic`, `sqlalchemy`, etc. Version mismatches not audited.
+   - Scope: Assumed CI/poetry lock files handle version alignment.
+8. **Logging output verbosity and timestamp format:**
+   - Dashboard logs go to `~/.loki/logs/`. Lab logs go to project-local or stdout.
+   - Log format (JSON, plain text, timestamps) not audited.
+   - Scope: Not critical for Merge-4 mount. Unify in Merge-5 via structured logging.
+---
+## Next Phases
+**Merge-3:** Vite rebuild with `base: '/lab/'` (frontend routing setup).
+**Merge-4:** FastAPI mount Lab into Dashboard (no code changes needed based on this audit).
+**Merge-5 Deep Dedup Tasks (after Merge-4 mount is live):**
+1. Unify `start_session()` entry points (recommendation: Lab wins).
+2. Bridge Dashboard and Lab session models (DashboardSession FK).
+3. Unify event bus into single Loki Mode UEB (with routing by prefix).
+4. Consolidate CORS/auth at Dashboard root level.
+5. Map session status strings (Dashboard enum ↔ Lab string).
+---
+**Audit completed by:** SDET (Senior Development Engineer in Test)
+**Confidence:** HIGH (source code inspection + pattern matching)
+**Blockers for Merge-4:** NONE. Mount is safe to proceed.

package/docs/MERGE-ROUTE-MAP.md ADDED Viewed

@@ -0,0 +1,139 @@
+# Purple Lab Into Dashboard: Route Map (Phase Merge-1)
+**Status:** Audit complete. Doc-only output for Phase Merge-1 of the v7.5.29+ true-integration arc.
+**Date:** 2026-05-23
+**Source:** `dashboard/server.py` (133 routes) and `web-app/server.py` (112 routes), audited from HEAD.
+This document is the source-of-truth route-collision analysis for the Purple Lab merge into Dashboard. It enumerates every route in both servers, identifies collisions, and defines the namespace strategy for Phases Merge-2 through Merge-7.
+## Top-Level Summary
+| Metric | Value |
+|---|---|
+| Dashboard routes -- main `app` decorators | 133 |
+| Dashboard routes -- `api_v2_router` (mounted at `/api/v2/*` via `include_router`) | 24 |
+| Dashboard routes -- total | **157** |
+| Dashboard `/api/*` routes | 135 |
+| Purple Lab routes (total) | 112 |
+| Purple Lab `/api/*` routes | 100 |
+| Purple Lab routers (`APIRouter` / `include_router`) | 0 |
+| Exact collisions (method + path) | **3** |
+| Path-only collisions | **3** |
+| `/api/*` collisions (any method) | **0** |
+| `/api/v2/*` collisions vs Purple Lab | **0** (Purple Lab has no `/api/v2/*` routes) |
+| Surviving uncollided Purple Lab routes | **109** |
+**Result:** The merge is structurally clean. Only 3 infrastructure paths collide; all 100 of Purple Lab's `/api/*` routes have distinct paths from Dashboard's 135 `/api/*` routes. The `api_v2_router` (24 routes at `/api/v2/tenants`, `/api/v2/runs`, `/api/v2/api-keys`, `/api/v2/policies`, `/api/v2/audit`) is enterprise multi-tenant surface that Purple Lab does not currently expose.
+## The 3 Collisions
+| Method | Path | Dashboard purpose | Purple Lab purpose | Resolution |
+|---|---|---|---|---|
+| `GET` | `/health` | Dashboard health check | Purple Lab health check | Single `/health` on Dashboard wins. Lab's becomes `/lab/health`. |
+| `GET` | `/{full_path:path}` | Dashboard SPA catch-all (serves `dashboard/static/index.html`) | Purple Lab SPA catch-all (serves `web-app/dist/index.html`) | Dashboard catch-all wins at root. Lab's becomes `/lab/{full_path:path}` -- triggered only inside the mount. |
+| `WS` | `/ws` | Dashboard WebSocket bus | Purple Lab WebSocket bus | Dashboard `/ws` wins. Lab's becomes `/lab/ws`. Long term: unify into a single bus (Phase Merge-5). |
+All three collisions resolve automatically when Lab's FastAPI app is mounted at `/lab` via Starlette `app.mount("/lab", purple_lab_app)`. No code dedup needed in Merge-1 -- the mount provides path isolation.
+## Namespace Strategy
+Single rule: **Purple Lab's entire FastAPI app mounts under `/lab/`**. No route renames inside the Lab app itself -- the mount handles prefixing.
+- Lab route `/api/sessions/{id}/chat` becomes externally visible as `/lab/api/sessions/{id}/chat`.
+- Lab static asset `/assets/index-BN52-GQT.js` becomes `/lab/assets/index-BN52-GQT.js`.
+- Lab WebSocket `/ws` becomes `/lab/ws`.
+The Vite build (Phase Merge-3) is rebuilt with `base: '/lab/'` so the bundled JS naturally calls `/lab/api/*` and the HTML loads `/lab/assets/*`. No runtime base-href shimming needed.
+## Web-App Route Inventory (by category)
+| Category | Count | Sample paths |
+|---|---|---|
+| `/api/sessions/*` | 61 | `/api/sessions/{session_id}/chat/{task_id}/stream`, `/api/sessions/{session_id}/checkpoints` |
+| `/api/session/*` | 18 | `/api/session/start`, `/api/session/quick-start`, `/api/session/status` |
+| `/api/deploy/*` | 6 | `/api/deploy/{provider}` |
+| `/api/magic/*` | 5 | `/api/magic/components`, `/api/magic/generate` |
+| `/api/auth/*` | 5 | (auth endpoints) |
+| `/api/teams/*` | 4 | (team management) |
+| `/api/secrets/*` | 3 | (secrets management) |
+| `/api/templates/*` | 2 | `/api/templates`, `/api/templates/{filename}` |
+| `/api/provider/*` | 2 | `/api/provider/current`, `/api/provider/set` |
+| `/api/audit-log` | 1 | (audit log endpoint) |
+| `/proxy/{session_id}` | 1 | (legacy proxy) |
+| `/ws/*` | 2 | `/ws`, `/ws/terminal` |
+| `/health` | 1 | (health check) |
+| `/{full_path:path}` | 1 | (SPA catch-all) |
+| **Total** | **112** | |
+## Dashboard Route Inventory (by category, top 20)
+| Category | Count |
+|---|---|
+| `/api/memory/*` | 14 |
+| `/api/registry/*` | 10 |
+| `/api/learning/*` | 9 |
+| `/api/migration/*` | 8 |
+| `/api/council/*` | 8 |
+| `/api/tasks/*` | 6 |
+| `/api/enterprise/*` | 6 |
+| `/api/projects/*` | 5 |
+| `/api/control/*` | 5 |
+| `/api/checklist/*` | 5 |
+| `/api/notifications/*` | 4 |
+| `/api/agents/*` | 4 |
+| `/api/managed/*` | 3 |
+| `/api/github/*` | 3 |
+| `/api/focus/*` | 3 |
+| `/api/checkpoints/*` | 3 |
+| (etc., 89 more under /api/) | -- |
+| **Total** | **133** |
+## Semantic Overlap (Candidates for Dedup in Phase Merge-5)
+After path-suffix analysis, only one path-suffix is genuinely shared between the two servers:
+- `github/status` -- appears as `/api/github/status` (Dashboard) and inside Lab's session endpoints. Not a collision (different paths), but functional overlap worth investigation in Phase Merge-5.
+The bigger semantic overlap is at the conceptual level:
+| Concept | Dashboard endpoint | Purple Lab endpoint | Merge-5 decision needed |
+|---|---|---|---|
+| Session lifecycle (start/stop/status) | `/api/control/*` (5 routes) | `/api/session/*` (18 routes) + `/api/sessions/{id}/*` (61 routes) | Likely: Lab keeps richer session CRUD; Dashboard's `/api/control/*` becomes thin wrappers calling Lab's. Or: unify on Lab's surface and retire Dashboard's. Decide in Merge-5. |
+| Memory access | `/api/memory/*` (14 routes) | `/api/session/{id}/memory` (1 route) | Dashboard owns the rich surface; Lab's becomes a thin wrapper. |
+| Checkpoints | `/api/checkpoints/*` (3 routes) | `/api/sessions/{id}/checkpoints` (2 routes) | Dashboard owns the global view; Lab's per-session view consumes Dashboard's. |
+| Council / quality | `/api/council/*` (8) + `/api/quality-score/*` (2) | -- | Dashboard-only. Lab needs to surface this via UI, not duplicate endpoints. |
+| Provider routing | `/api/provider/*` (?) | `/api/provider/current`, `/api/provider/set` | Likely same routes already; verify in Merge-2. |
+None of these block the mount in Merge-4. They become refactor targets in Merge-5.
+## Phase Dependencies (Confirmed by This Audit)
+- **Merge-2** (state/business-logic dedup audit): Doable in parallel with Merge-3. Operates on `.loki/state/` and Python modules, not routes.
+- **Merge-3** (Vite rebuild with `base: '/lab/'`): Single-file config change in `web-app/vite.config.ts` + `npm run build`. No route changes needed because the mount handles prefixing.
+- **Merge-4** (FastAPI mount): The 3 infrastructure collisions resolve naturally via mount path isolation. No route renames inside `web-app/server.py`.
+- **Merge-5** (deep dedup): Only required for the 4 conceptual overlaps above. Each becomes a separate sub-task.
+- **Merge-6** (sidebar entry): Pure dashboard-UI work, no backend route changes.
+- **Merge-7** (deprecate `loki web` standalone): Keep `loki web` working for 2 minor versions per user-safety Rule 0. Standalone uvicorn entrypoint is preserved; only `loki dashboard` gains the mount.
+## NOT Decided In This Phase
+1. **Cookie / session-token namespace.** If Lab and Dashboard both set cookies at root path, mount may cause conflicts. Audit needed in Merge-2.
+2. **CORS middleware.** Lab has CORS middleware at line 119 of `web-app/server.py`. After mount, this becomes redundant (same origin). Remove in Merge-4.
+3. **Lifespan / startup events.** Lab's startup hooks (if any) must compose with Dashboard's. Audit in Merge-4.
+4. **Auth headers.** If Lab requires its own auth token and Dashboard requires another, the mount may double-auth or break. Audit in Merge-2.
+These are not blockers for Merge-1 sign-off; they are explicit followups.
+## Cleanup
+Audit artifacts in `/tmp/loki-merge-audit/` may be removed:
+```bash
+rm -rf /tmp/loki-merge-audit
+```
+## Honest Acknowledgements
+- The "0 /api/* collisions" finding holds for the route-table inspection only. Two routes with distinct paths can still share a backing function or `.loki/` file, and that semantic overlap is what Phase Merge-2 must catalog.
+- Initial audit used `grep -nE '^@app\.(get|post|put|delete|patch|websocket)\(' ...` which missed `include_router` mounts. Followup audit found Dashboard's `api_v2_router` at `dashboard/api_v2.py` (24 routes, prefix `/api/v2`) and confirmed Purple Lab has zero `APIRouter` / `include_router` registrations. The summary table reflects the corrected total of 157 Dashboard routes.
+- `app.add_api_route(...)` is also a dynamic registration pattern. `grep -n "add_api_route" web-app/server.py dashboard/server.py` returns nothing -- both servers use decorator-style registration exclusively.
+- No fixture-based runtime collision test was performed. Phase Merge-4 must add a route-table dump test that runs the mounted app and asserts the surviving route set against this doc's expected output.