loki-mode 7.7.20 → 7.7.21

package/SKILL.md

@@ -3,7 +3,7 @@ name: loki-mode
 description: Multi-agent autonomous startup system. Triggers on "Loki Mode". Takes a spec (PRD, GitHub issue, OpenAPI doc, etc.) to deployed product with minimal human intervention. Requires --dangerously-skip-permissions flag.
 ---
 
-# Loki Mode v7.7.20
+# Loki Mode v7.7.21
 
 **You are an autonomous agent. You make decisions. You do not ask questions. You do not stop.**
 
@@ -381,4 +381,4 @@ See `CHANGELOG.md` entries [7.5.7], [7.5.8], [7.5.13] for the per-fix list and r
 
 ---
 
-**v7.7.20 | [Autonomi](https://www.autonomi.dev/) flagship product | ~260 lines core**
+**v7.7.21 | [Autonomi](https://www.autonomi.dev/) flagship product | ~260 lines core**

package/VERSION

@@ -1 +1 @@
-7.7.20
+7.7.21

package/dashboard/__init__.py

@@ -7,7 +7,7 @@ Modules:
     control: Session control API (start/stop/pause/resume)
 """
 
-__version__ = "7.7.20"
+__version__ = "7.7.21"
 
 # Expose the control app for easy import
 try:

package/dashboard/server.py

@@ -2638,16 +2638,115 @@ async def get_skill(skill_id: str):
     raise HTTPException(status_code=404, detail="Skill not found")
 
 
-@app.get("/api/memory/economics")
+@app.get("/api/memory/economics", dependencies=[Depends(auth.require_scope("read"))])
 async def get_token_economics():
-    """Get token usage economics."""
-    econ_file = _get_loki_dir() / "memory" / "token_economics.json"
+    """Get token usage economics (v7.7.21: normalized + hit_rate + top_patterns).
+
+    Excellence bar 5: per-retrieval cost + hit rate + top patterns visible.
+    Reads token_economics.json (written by memory.token_economics.save())
+    which has shape {session_id, metrics:{discovery_tokens, read_tokens,
+    cache_hits, cache_misses, ...}, ratio, savings_percent}. Computes a
+    cache hit_rate + surfaces the most-accessed episodes/patterns. The
+    pre-v7.7.21 endpoint returned camelCase keys that did not match the
+    snake_case file; the `raw` field preserves the original document for
+    backward compat while the top-level fields are normalized.
+    """
+    loki_dir = _get_loki_dir()
+    econ_file = loki_dir / "memory" / "token_economics.json"
+    raw = {}
     if econ_file.exists():
         try:
-            return json.loads(econ_file.read_text())
+            raw = json.loads(econ_file.read_text())
         except Exception:
-            pass
-    return {"discoveryTokens": 0, "readTokens": 0, "savingsPercent": 0}
+            raw = {}
+
+    metrics = raw.get("metrics", {}) if isinstance(raw, dict) else {}
+    cache_hits = int(metrics.get("cache_hits", 0) or 0)
+    cache_misses = int(metrics.get("cache_misses", 0) or 0)
+    cache_total = cache_hits + cache_misses
+    hit_rate = round(cache_hits / cache_total, 4) if cache_total > 0 else 0.0
+    discovery_tokens = int(metrics.get("discovery_tokens", 0) or 0)
+    read_tokens = int(metrics.get("read_tokens", 0) or 0)
+
+    # Top-accessed memories: scan episodic + semantic, rank by access_count
+    # then importance.
+    # v7.7.21 council fix (Opus 1 + Opus 2):
+    #   - os.walk(followlinks=False) instead of recursive glob: does NOT
+    #     descend symlinked dirs (prevents traversal/exfil + DoS-amplify
+    #     via a symlink to a huge tree).
+    #   - realpath containment: every candidate file must resolve to a
+    #     path under mem_root (mirrors the sibling get_skill endpoint).
+    #   - hard cap on files SCANNED (not just surfaced): stop after
+    #     MAX_SCAN files per subdir so a large store cannot make this
+    #     request unboundedly slow even with the 30s auto-refresh.
+    top_patterns = []
+    try:
+        import os as _os
+        mem_root = (loki_dir / "memory").resolve()
+        MAX_SCAN = 300
+        candidates = []
+        for sub in ("episodic", "semantic"):
+            sub_root = mem_root / sub
+            if not sub_root.is_dir():
+                continue
+            scanned = 0
+            stop = False
+            for dirpath, dirnames, filenames in _os.walk(str(sub_root), followlinks=False):
+                if stop:
+                    break
+                for fn in filenames:
+                    if not fn.endswith(".json"):
+                        continue
+                    fp = _os.path.join(dirpath, fn)
+                    # Containment: resolved path must stay under mem_root.
+                    try:
+                        rp = _os.path.realpath(fp)
+                        if _os.path.commonpath([rp, str(mem_root)]) != str(mem_root):
+                            continue
+                    except (OSError, ValueError):
+                        continue
+                    try:
+                        with open(fp) as fh:
+                            d = json.load(fh)
+                        candidates.append({
+                            "id": d.get("id", ""),
+                            "kind": sub,
+                            "access_count": int(d.get("access_count", 0) or 0),
+                            "importance": float(d.get("importance", 0.0) or 0.0),
+                            "summary": str(
+                                d.get("summary")
+                                or d.get("pattern")
+                                or d.get("context", {}).get("goal", "")
+                            )[:160],
+                        })
+                    except Exception:
+                        continue
+                    scanned += 1
+                    if scanned >= MAX_SCAN:
+                        stop = True
+                        break
+        candidates.sort(key=lambda c: (c["access_count"], c["importance"]), reverse=True)
+        top_patterns = candidates[:10]
+    except Exception:
+        top_patterns = []
+
+    return {
+        "session_id": raw.get("session_id"),
+        "discovery_tokens": discovery_tokens,
+        "read_tokens": read_tokens,
+        "total_tokens": discovery_tokens + read_tokens,
+        "cache_hits": cache_hits,
+        "cache_misses": cache_misses,
+        "hit_rate": hit_rate,
+        "ratio": raw.get("ratio", 0.0),
+        "savings_percent": raw.get("savings_percent", 0.0),
+        "top_patterns": top_patterns,
+        # Backward-compat aliases (pre-v7.7.21 camelCase consumers)
+        "discoveryTokens": discovery_tokens,
+        "readTokens": read_tokens,
+        "savingsPercent": raw.get("savings_percent", 0.0),
+        "raw": raw,
+    }
 
 
 @app.post("/api/memory/consolidate", dependencies=[Depends(auth.require_scope("control"))])

package/dashboard/static/index.html

@@ -632,6 +632,55 @@
           <div>
             <h3 style="font-family: 'DM Serif Display', Georgia, serif; font-size: 1.15rem; font-weight: 400; color: var(--loki-text-primary); margin-bottom: 12px;">Memory</h3>
             <loki-memory-browser id="memory-browser" tab="summary"></loki-memory-browser>
+            <!-- v7.7.21 token economics tile: hit rate + tokens + top patterns -->
+            <div id="memory-economics-tile" style="margin-top: 12px; background: var(--loki-bg-card, #1a1a1a); border: 1px solid var(--loki-border, #333); border-radius: 5px; padding: 12px;">
+              <div style="font-size: 11px; color: var(--loki-text-muted, #888); margin-bottom: 8px;">Token Economics</div>
+              <div id="memory-economics-metrics" style="display: grid; grid-template-columns: repeat(3, 1fr); gap: 8px; font-size: 13px;">
+                <div><span style="color: var(--loki-text-muted, #888);">Hit rate</span><br><strong id="econ-hit-rate">--</strong></div>
+                <div><span style="color: var(--loki-text-muted, #888);">Total tokens</span><br><strong id="econ-total-tokens">--</strong></div>
+                <div><span style="color: var(--loki-text-muted, #888);">Savings</span><br><strong id="econ-savings">--</strong></div>
+              </div>
+              <div id="memory-economics-top" style="margin-top: 10px; font-size: 12px; color: var(--loki-text-muted, #888);"></div>
+            </div>
+            <script>
+              (function(){
+                function loadEconomics(){
+                  fetch('/api/memory/economics').then(function(r){ return r.json(); }).then(function(j){
+                    var hr = document.getElementById('econ-hit-rate');
+                    var tt = document.getElementById('econ-total-tokens');
+                    var sv = document.getElementById('econ-savings');
+                    var top = document.getElementById('memory-economics-top');
+                    if (hr) hr.textContent = ((j.hit_rate || 0) * 100).toFixed(1) + '%';
+                    if (tt) tt.textContent = (j.total_tokens || 0).toLocaleString();
+                    if (sv) sv.textContent = (j.savings_percent || 0).toFixed(1) + '%';
+                    if (top) {
+                      var patterns = j.top_patterns || [];
+                      // v7.7.21 council fix (Opus 1): build DOM with
+                      // textContent (NOT innerHTML single-char escape) so
+                      // agent/PRD-derived summaries cannot inject markup.
+                      while (top.firstChild) top.removeChild(top.firstChild);
+                      if (patterns.length === 0) {
+                        top.textContent = 'No retrieval patterns yet. Run sessions to accumulate.';
+                      } else {
+                        var header = document.createElement('div');
+                        header.style.marginBottom = '4px';
+                        header.textContent = 'Top retrieved:';
+                        top.appendChild(header);
+                        patterns.slice(0, 5).forEach(function(p){
+                          var row = document.createElement('div');
+                          // textContent escapes everything; no markup injection.
+                          row.textContent = (p.access_count || 0) + 'x · ' +
+                            (p.summary || p.id || '');
+                          top.appendChild(row);
+                        });
+                      }
+                    }
+                  }).catch(function(){ /* endpoint not available; tile stays at -- */ });
+                }
+                loadEconomics();
+                setInterval(loadEconomics, 30000);
+              })();
+            </script>
           </div>
           <div>
             <h3 style="font-family: 'DM Serif Display', Georgia, serif; font-size: 1.15rem; font-weight: 400; color: var(--loki-text-primary); margin-bottom: 12px;">Memory Files</h3>

package/docs/INSTALLATION.md

@@ -2,7 +2,7 @@
 
 The flagship product of [Autonomi](https://www.autonomi.dev/). Complete installation instructions for all platforms and use cases.
 
-**Version:** v7.7.20
+**Version:** v7.7.21
 
 ---
 

package/loki-ts/dist/loki.js

@@ -1,5 +1,5 @@
 // @bun
-var _7=Object.defineProperty;var I7=(K)=>K;function P7(K,$){this[K]=I7.bind(null,$)}var v=(K,$)=>{for(var Q in $)_7(K,Q,{get:$[Q],enumerable:!0,configurable:!0,set:P7.bind($,Q)})};var R=(K,$)=>()=>(K&&($=K(K=0)),$);var t=import.meta.require;var e1={};v(e1,{lokiDir:()=>P,homeLokiDir:()=>k1,findRepoRootForVersion:()=>N1,REPO_ROOT:()=>p});import{resolve as u,dirname as S1}from"path";import{fileURLToPath as L7}from"url";import{existsSync as J1}from"fs";import{homedir as R7}from"os";function E7(){let K=i1;for(let $=0;$<6;$++){if(J1(u(K,"VERSION"))&&J1(u(K,"autonomy/run.sh")))return K;let Q=S1(K);if(Q===K)break;K=Q}return u(i1,"..","..","..")}function N1(K){let $=K;for(let Q=0;Q<6;Q++){if(J1(u($,"VERSION"))&&J1(u($,"autonomy/run.sh")))return $;let X=S1($);if(X===$)break;$=X}return u(K,"..","..","..")}function P(){return process.env.LOKI_DIR??u(process.cwd(),".loki")}function k1(){return u(R7(),".loki")}var i1,p;var g=R(()=>{i1=S1(L7(import.meta.url));p=E7()});import{readFileSync as F7}from"fs";import{resolve as w7,dirname as x7}from"path";import{fileURLToPath as S7}from"url";function G1(){if(o!==null)return o;let K="7.7.20";if(typeof K==="string"&&K.length>0)return o=K,o;try{let $=x7(S7(import.meta.url)),Q=N1($);o=F7(w7(Q,"VERSION"),"utf-8").trim()}catch{o="unknown"}return o}var o=null;var D1=R(()=>{g()});var $0={};v($0,{runOrThrow:()=>N7,run:()=>k,commandVersion:()=>D7,commandExists:()=>h,ShellError:()=>C1});async function k(K,$={}){let Q=Bun.spawn({cmd:[...K],stdout:"pipe",stderr:"pipe",env:$.env?{...process.env,...$.env}:process.env,cwd:$.cwd}),X,Z;if($.timeoutMs&&$.timeoutMs>0)X=setTimeout(()=>{try{Q.kill("SIGTERM")}catch{}Z=setTimeout(()=>{try{Q.kill("SIGKILL")}catch{}},2000)},$.timeoutMs);try{let[W,z,q]=await Promise.all([new Response(Q.stdout).text(),new Response(Q.stderr).text(),Q.exited]);return{stdout:W,stderr:z,exitCode:q}}finally{if(X)clearTimeout(X);if(Z)clearTimeout(Z)}}async function N7(K,$={}){let Q=await k(K,$);if(Q.exitCode!==0)throw new C1(`command failed (${Q.exitCode}): ${K.join(" ")}`,Q.exitCode,Q.stdout,Q.stderr);return Q}async function h(K){let $=k7(K),Q=await k(["sh","-c",`command -v ${$}`],{timeoutMs:5000});if(Q.exitCode===0)return Q.stdout.trim()||null;return null}function k7(K){if(!/^[A-Za-z0-9._/-]+$/.test(K))throw Error(`refused to shell-escape suspect token: ${K}`);return K}async function D7(K,$="--version"){if(!await h(K))return null;let X=await k([K,$],{timeoutMs:5000});if(X.exitCode!==0)return null;return((X.stdout||X.stderr).split(/\r?\n/)[0]?.trim()??"")||null}var C1;var n=R(()=>{C1=class C1 extends Error{message;exitCode;stdout;stderr;constructor(K,$,Q,X){super(K);this.message=K;this.exitCode=$;this.stdout=Q;this.stderr=X;this.name="ShellError"}}});function c(K){return C7?"":K}var C7,E,b,F,T6,O,D,w,H;var a=R(()=>{C7=(process.env.NO_COLOR??"").length>0;E=c("\x1B[0;31m"),b=c("\x1B[0;32m"),F=c("\x1B[1;33m"),T6=c("\x1B[0;34m"),O=c("\x1B[0;36m"),D=c("\x1B[1m"),w=c("\x1B[2m"),H=c("\x1B[0m")});import{existsSync as c7}from"fs";async function i(){if(X1!==void 0)return X1;let K="/opt/homebrew/bin/python3.12";if(c7(K))return X1=K,K;let $=await h("python3.12");if($)return X1=$,$;let Q=await h("python3");return X1=Q,Q}async function s(K,$={}){let Q=await i();if(!Q)return{stdout:"",stderr:"python3 not found",exitCode:127};return k([Q,"-c",K],$)}var X1;var Z1=R(()=>{n()});var G0={};v(G0,{runStatus:()=>Q5});import{existsSync as N,readFileSync as W1,readdirSync as W0,statSync as H0}from"fs";import{resolve as x,basename as a7}from"path";async function r7(){if(await h("jq"))return!0;return process.stdout.write(`${E}Error: jq is required but not installed.${H}
+var _7=Object.defineProperty;var I7=(K)=>K;function P7(K,$){this[K]=I7.bind(null,$)}var v=(K,$)=>{for(var Q in $)_7(K,Q,{get:$[Q],enumerable:!0,configurable:!0,set:P7.bind($,Q)})};var R=(K,$)=>()=>(K&&($=K(K=0)),$);var t=import.meta.require;var e1={};v(e1,{lokiDir:()=>P,homeLokiDir:()=>k1,findRepoRootForVersion:()=>N1,REPO_ROOT:()=>p});import{resolve as u,dirname as S1}from"path";import{fileURLToPath as L7}from"url";import{existsSync as J1}from"fs";import{homedir as R7}from"os";function E7(){let K=i1;for(let $=0;$<6;$++){if(J1(u(K,"VERSION"))&&J1(u(K,"autonomy/run.sh")))return K;let Q=S1(K);if(Q===K)break;K=Q}return u(i1,"..","..","..")}function N1(K){let $=K;for(let Q=0;Q<6;Q++){if(J1(u($,"VERSION"))&&J1(u($,"autonomy/run.sh")))return $;let X=S1($);if(X===$)break;$=X}return u(K,"..","..","..")}function P(){return process.env.LOKI_DIR??u(process.cwd(),".loki")}function k1(){return u(R7(),".loki")}var i1,p;var g=R(()=>{i1=S1(L7(import.meta.url));p=E7()});import{readFileSync as F7}from"fs";import{resolve as w7,dirname as x7}from"path";import{fileURLToPath as S7}from"url";function G1(){if(o!==null)return o;let K="7.7.21";if(typeof K==="string"&&K.length>0)return o=K,o;try{let $=x7(S7(import.meta.url)),Q=N1($);o=F7(w7(Q,"VERSION"),"utf-8").trim()}catch{o="unknown"}return o}var o=null;var D1=R(()=>{g()});var $0={};v($0,{runOrThrow:()=>N7,run:()=>k,commandVersion:()=>D7,commandExists:()=>h,ShellError:()=>C1});async function k(K,$={}){let Q=Bun.spawn({cmd:[...K],stdout:"pipe",stderr:"pipe",env:$.env?{...process.env,...$.env}:process.env,cwd:$.cwd}),X,Z;if($.timeoutMs&&$.timeoutMs>0)X=setTimeout(()=>{try{Q.kill("SIGTERM")}catch{}Z=setTimeout(()=>{try{Q.kill("SIGKILL")}catch{}},2000)},$.timeoutMs);try{let[W,z,q]=await Promise.all([new Response(Q.stdout).text(),new Response(Q.stderr).text(),Q.exited]);return{stdout:W,stderr:z,exitCode:q}}finally{if(X)clearTimeout(X);if(Z)clearTimeout(Z)}}async function N7(K,$={}){let Q=await k(K,$);if(Q.exitCode!==0)throw new C1(`command failed (${Q.exitCode}): ${K.join(" ")}`,Q.exitCode,Q.stdout,Q.stderr);return Q}async function h(K){let $=k7(K),Q=await k(["sh","-c",`command -v ${$}`],{timeoutMs:5000});if(Q.exitCode===0)return Q.stdout.trim()||null;return null}function k7(K){if(!/^[A-Za-z0-9._/-]+$/.test(K))throw Error(`refused to shell-escape suspect token: ${K}`);return K}async function D7(K,$="--version"){if(!await h(K))return null;let X=await k([K,$],{timeoutMs:5000});if(X.exitCode!==0)return null;return((X.stdout||X.stderr).split(/\r?\n/)[0]?.trim()??"")||null}var C1;var n=R(()=>{C1=class C1 extends Error{message;exitCode;stdout;stderr;constructor(K,$,Q,X){super(K);this.message=K;this.exitCode=$;this.stdout=Q;this.stderr=X;this.name="ShellError"}}});function c(K){return C7?"":K}var C7,E,b,F,T6,O,D,w,H;var a=R(()=>{C7=(process.env.NO_COLOR??"").length>0;E=c("\x1B[0;31m"),b=c("\x1B[0;32m"),F=c("\x1B[1;33m"),T6=c("\x1B[0;34m"),O=c("\x1B[0;36m"),D=c("\x1B[1m"),w=c("\x1B[2m"),H=c("\x1B[0m")});import{existsSync as c7}from"fs";async function i(){if(X1!==void 0)return X1;let K="/opt/homebrew/bin/python3.12";if(c7(K))return X1=K,K;let $=await h("python3.12");if($)return X1=$,$;let Q=await h("python3");return X1=Q,Q}async function s(K,$={}){let Q=await i();if(!Q)return{stdout:"",stderr:"python3 not found",exitCode:127};return k([Q,"-c",K],$)}var X1;var Z1=R(()=>{n()});var G0={};v(G0,{runStatus:()=>Q5});import{existsSync as N,readFileSync as W1,readdirSync as W0,statSync as H0}from"fs";import{resolve as x,basename as a7}from"path";async function r7(){if(await h("jq"))return!0;return process.stdout.write(`${E}Error: jq is required but not installed.${H}
 `),process.stdout.write(`Install with:
 `),process.stdout.write(`  brew install jq    (macOS)
 `),process.stdout.write(`  apt install jq     (Debian/Ubuntu)
@@ -585,4 +585,4 @@ Set LOKI_LEGACY_BASH=1 to force the bash CLI for every command.
 `),2}default:return process.stderr.write(`Unknown command: ${$}
 `),process.stderr.write(j7),2}}process.on("SIGINT",()=>process.exit(130));process.on("SIGTERM",()=>process.exit(143));var X6=await Q6(Bun.argv.slice(2));process.exit(X6);
 
-//# debugId=E25419B4237E69C764756E2164756E21
+//# debugId=0F0FAE2834FF534B64756E2164756E21

package/mcp/__init__.py

@@ -57,4 +57,4 @@ try:
 except ImportError:
     __all__ = ['mcp']
 
-__version__ = '7.7.20'
+__version__ = '7.7.21'

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "loki-mode",
-  "version": "7.7.20",
+  "version": "7.7.21",
   "description": "Loki Mode by Autonomi. Multi-agent autonomous SDLC framework. Spec to deployed app: PRD, GitHub issue, OpenAPI/JSON/YAML, or one-line brief. 4 AI providers (Claude Code, OpenAI Codex, Cline, Aider). 11 quality gates.",
   "keywords": [
     "agent",