loki-mode 7.71.0 → 7.72.0

package/SKILL.md

@@ -3,7 +3,7 @@ name: loki-mode
 description: Autonomous spec-driven build system with a built-in trust layer. It does not call work done until it is verified (RARV-C closure loop, 8 quality gates, completion council, verified-completion evidence gate). Triggers on "Loki Mode". Takes a spec (PRD, GitHub issue, OpenAPI doc, etc.) to deployed product with minimal human intervention. Provider-agnostic. Requires --dangerously-skip-permissions flag.
 ---
 
-# Loki Mode v7.71.0
+# Loki Mode v7.72.0
 
 **You are an autonomous agent. You make decisions. You do not ask questions. You do not stop.**
 
@@ -406,4 +406,4 @@ See `CHANGELOG.md` entries [7.5.7], [7.5.8], [7.5.13] for the per-fix list and r
 
 ---
 
-**v7.71.0 | [Autonomi](https://www.autonomi.dev/) flagship product | ~260 lines core**
+**v7.72.0 | [Autonomi](https://www.autonomi.dev/) flagship product | ~260 lines core**

package/VERSION

@@ -1 +1 @@
-7.71.0
+7.72.0

package/autonomy/loki

@@ -5207,42 +5207,14 @@ cmd_web_status() {
     echo "Purple Lab is not running."
 }
 
-# Open the running app preview (the app Loki built and started locally).
-# Surfaces the existing app-runner state; does not start or change the app.
-cmd_preview() {
-    local open_browser=true
-    case "${1:-}" in
-        --help|-h|help)
-            echo -e "${BOLD}Loki Mode -- open the running app preview${NC}"
-            echo ""
-            echo "Usage: loki preview [--no-open]"
-            echo "       loki open      (alias)"
-            echo ""
-            echo "Prints the URL of the app Loki built and started locally, then"
-            echo "opens it in your browser. The app runner starts the app after the"
-            echo "first successful build iteration. This serves a real local build"
-            echo "from localhost on your machine; it is not hosted."
-            echo ""
-            echo "Options:"
-            echo "  --no-open    Print the URL and status only; do not open a browser"
-            echo "  --help, -h   Show this help and exit"
-            return 0
-            ;;
-        --no-open)
-            open_browser=false
-            ;;
-    esac
-
-    local state_file="${LOKI_DIR}/app-runner/state.json"
-    if [ ! -f "$state_file" ]; then
-        echo "No app running. The app runner starts after the first successful build iteration."
-        echo "Run 'loki status' to check the current run."
-        return 0
-    fi
-
-    # Parse url/status/port. Prefer python3 (used throughout); fall back to grep.
-    # Pass the path as argv (not inline interpolation) so a path with quotes
-    # cannot break the script, and parse all three fields in one invocation.
+# Read app-runner state.json and echo url, status, port (one per line, in that
+# order). Shared by the plain preview browser path and the --public tunnel path
+# so there is no parse drift between them. Path is passed as argv (not inline
+# interpolation) so a path with quotes cannot break the script. Always exits 0;
+# callers re-split with sed -n '1p/2p/3p'. Logic is byte-identical to the
+# original inline parse in cmd_preview (do not "clean up" -- behavior-neutral).
+_read_app_state() {
+    local state_file="$1"
     local url status port parsed
     if command -v python3 &> /dev/null; then
         parsed=$(python3 -c "import json,sys
@@ -5261,6 +5233,404 @@ except Exception:
         status=$(grep -oE '"status"[[:space:]]*:[[:space:]]*"[^"]*"' "$state_file" 2>/dev/null | head -1 | sed 's/.*"status"[[:space:]]*:[[:space:]]*"//;s/"$//')
         port=$(grep -oE '"port"[[:space:]]*:[[:space:]]*[0-9]+' "$state_file" 2>/dev/null | head -1 | grep -oE '[0-9]+$')
     fi
+    printf '%s\n%s\n%s\n' "$url" "$status" "$port"
+}
+
+# Pure extractor: pull the first cloudflared quick-tunnel URL out of a log file.
+# Reads a FILE (not a live process) so it is unit-testable. Echoes the URL or
+# nothing. Always returns 0 -- a no-match must not abort the caller under
+# `set -o pipefail` (grep exits 1 on no match, so the pipeline is `|| true`d).
+_extract_tunnel_url_cloudflared() {
+    local logfile="${1:-}"
+    [ -f "$logfile" ] || return 0
+    grep -oE 'https://[a-z0-9-]+\.trycloudflare\.com' "$logfile" 2>/dev/null | head -1 || true
+}
+
+# Pure extractor: pull the public_url out of an ngrok 4040 API JSON dump.
+# Reads a FILE so it is unit-testable. Prefers the https tunnel. Uses python3
+# json (path passed as argv -- no shell interpolation into the heredoc), with a
+# grep fallback if python3 is absent or the parse fails. Echoes URL or nothing;
+# always returns 0.
+_extract_tunnel_url_ngrok() {
+    local json_file="${1:-}"
+    [ -f "$json_file" ] || return 0
+    local out=""
+    if command -v python3 >/dev/null 2>&1; then
+        out=$(python3 - "$json_file" <<'PYEXTRACT' 2>/dev/null || true
+import json, sys
+try:
+    with open(sys.argv[1]) as fh:
+        data = json.load(fh)
+except Exception:
+    sys.exit(0)
+tunnels = data.get("tunnels", []) if isinstance(data, dict) else []
+urls = [t.get("public_url", "") for t in tunnels if isinstance(t, dict) and t.get("public_url")]
+https = [u for u in urls if u.startswith("https://")]
+chosen = https[0] if https else (urls[0] if urls else "")
+if chosen:
+    print(chosen)
+PYEXTRACT
+)
+    fi
+    if [ -z "$out" ]; then
+        # Grep fallback: take https public_url values first, else any public_url.
+        out=$(grep -oE '"public_url"[[:space:]]*:[[:space:]]*"https://[^"]*"' "$json_file" 2>/dev/null | head -1 | grep -oE 'https://[^"]*' || true)
+        if [ -z "$out" ]; then
+            out=$(grep -oE '"public_url"[[:space:]]*:[[:space:]]*"[^"]*"' "$json_file" 2>/dev/null | head -1 | sed 's/.*"public_url"[[:space:]]*:[[:space:]]*"//;s/"$//' || true)
+        fi
+    fi
+    printf '%s' "$out"
+}
+
+# Teardown for a launched tunnel: TERM, brief grace, then KILL, then remove the
+# log. All steps are `|| true` so the EXIT/INT/TERM trap is set -e safe and never
+# leaves an orphaned public tunnel. Args: tunnel_pid [logfile].
+_preview_public_teardown() {
+    local tunnel_pid="${1:-}"
+    local logfile="${2:-}"
+    if [ -n "$tunnel_pid" ]; then
+        kill -TERM "$tunnel_pid" 2>/dev/null || true
+        sleep 1
+        kill -KILL "$tunnel_pid" 2>/dev/null || true
+    fi
+    if [ -n "$logfile" ]; then
+        rm -f "$logfile" 2>/dev/null || true
+    fi
+}
+
+# Expose the already-running local app over a PUBLIC URL by wrapping the user's
+# OWN tunnel CLI (cloudflared or ngrok). Consent-gated, default-OFF. Loki never
+# proxies traffic and never bundles a binary. Args: provider yes no_host_rewrite.
+# Returns non-zero on any precondition failure or declined/refused consent
+# (except an interactive decline, which is a clean exit 0).
+_preview_public() {
+    local provider="${1:-}"
+    local assume_yes="${2:-false}"
+    local no_host_rewrite="${3:-false}"
+
+    local state_file="${LOKI_DIR}/app-runner/state.json"
+
+    # Precondition 1: state.json must exist.
+    if [ ! -f "$state_file" ]; then
+        echo "No app running. Nothing to expose." >&2
+        echo "Start a build (loki start) or check status (loki status) first." >&2
+        return 1
+    fi
+
+    # Read url/status/port via the shared helper (same parse as plain preview).
+    local _state url status port
+    _state=$(_read_app_state "$state_file")
+    url=$(printf '%s\n' "$_state" | sed -n '1p')
+    status=$(printf '%s\n' "$_state" | sed -n '2p')
+    port=$(printf '%s\n' "$_state" | sed -n '3p')
+
+    # Precondition 2: status must be running.
+    if [ "$status" != "running" ]; then
+        echo "App is not running (status: ${status:-unknown}). Refusing to expose." >&2
+        echo "The app runner starts the app after a successful build iteration." >&2
+        return 1
+    fi
+
+    # Precondition 3: resolve URL/port (fallback mirrors the plain path).
+    if [ -z "$url" ]; then
+        url="http://localhost:${port:-3000}"
+    fi
+    local probe_port="${port:-3000}"
+
+    # Precondition 4: PORT must actually be reachable. Never tunnel a dead port.
+    # Reuses the curl-readiness poll pattern (autonomy/loki:4979).
+    local retries=0
+    local port_ready=false
+    while [ $retries -lt 6 ]; do
+        if curl -s "http://localhost:${probe_port}" > /dev/null 2>&1; then
+            port_ready=true
+            break
+        fi
+        sleep 0.5
+        retries=$((retries + 1))
+    done
+    if [ "$port_ready" != true ]; then
+        echo "Port ${probe_port} is not responding. Refusing to expose a dead port." >&2
+        echo "Confirm the app is up locally (loki preview) before sharing it." >&2
+        return 1
+    fi
+
+    # Consent (default-OFF). Print the full warning every time (even with --yes).
+    echo "WARNING: This makes the app running on THIS machine reachable by ANYONE who has"
+    echo "the URL, over the public internet, using YOUR tunnel account."
+    echo "- The app may have NO authentication. Anyone with the link can use it."
+    echo "- Traffic flows through your own cloudflared/ngrok account, not through Loki."
+    echo "- This stays up until you stop it. Stop it when you are done."
+    echo ""
+
+    if [ "$assume_yes" = true ]; then
+        : # --yes: warning printed above; skip the prompt.
+    elif [ -t 0 ]; then
+        # Interactive TTY. Default-N: only ^[Yy] proceeds. (Deliberately NOT the
+        # default-Y idiom at :1894 -- public exposure is unsafe by default.)
+        local confirm=""
+        echo -e "Expose this app publicly? [y/N] \c"
+        read -r confirm || true
+        if [[ ! "$confirm" =~ ^[Yy] ]]; then
+            echo "Aborted. App was not exposed."
+            return 0
+        fi
+    else
+        # Non-TTY without --yes: never silently expose.
+        echo "Refusing to expose a public tunnel non-interactively without --yes." >&2
+        return 1
+    fi
+
+    # === SEAM (Agent B): provider detection + tunnel launch + URL extraction ===
+
+    # Provider detection (SS5). command -v based so a PATH stub works in tests.
+    # If $provider was requested, require exactly that one; else prefer
+    # cloudflared (no account needed for quick tunnels) then ngrok.
+    local chosen_provider=""
+    if [ -n "$provider" ]; then
+        # Allowlist: only cloudflared/ngrok are supported. Without this guard an
+        # arbitrary on-PATH binary name (e.g. --provider ls) would set
+        # chosen_provider and fall through to the ngrok launch branch below.
+        case "$provider" in
+            cloudflared|ngrok) ;;
+            *)
+                echo -e "${RED}Unsupported tunnel provider: ${provider}${NC}" >&2
+                echo "Supported providers: cloudflared, ngrok" >&2
+                return 1
+                ;;
+        esac
+        if command -v "$provider" >/dev/null 2>&1; then
+            chosen_provider="$provider"
+        fi
+    else
+        if command -v cloudflared >/dev/null 2>&1; then
+            chosen_provider="cloudflared"
+        elif command -v ngrok >/dev/null 2>&1; then
+            chosen_provider="ngrok"
+        fi
+    fi
+
+    if [ -z "$chosen_provider" ]; then
+        # Honest install hint (mirrors the gh-missing block). Never pretend
+        # success, never download a binary. Loki wraps YOUR OWN client.
+        if [ -n "$provider" ]; then
+            echo -e "${RED}Requested tunnel provider not found: ${provider}${NC}" >&2
+        else
+            echo -e "${RED}No tunnel CLI found (cloudflared or ngrok)${NC}" >&2
+        fi
+        echo "" >&2
+        echo "Loki wraps YOUR OWN tunnel client. It never downloads or bundles one." >&2
+        echo "Install one of the following, then re-run:" >&2
+        echo "" >&2
+        echo "  cloudflared (no account needed for quick tunnels):" >&2
+        echo "    brew install cloudflared                        # macOS" >&2
+        echo "    https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/  # all platforms" >&2
+        echo "" >&2
+        echo "  ngrok (needs a free authtoken):" >&2
+        echo "    brew install ngrok                              # macOS" >&2
+        echo "    https://ngrok.com/download                      # all platforms" >&2
+        return 1
+    fi
+
+    # State dir, parallel to app-runner/.
+    mkdir -p "${LOKI_DIR}/preview" 2>/dev/null || true
+    local log_file="${LOKI_DIR}/preview/${chosen_provider}.log"
+
+    # Build the launch command (SS7/SS8). Host-header rewrite is default-ON to
+    # fix the #1 dev-server "Invalid Host header" failure; --no-host-rewrite
+    # opts out.
+    local -a tunnel_cmd=()
+    if [ "$chosen_provider" = "cloudflared" ]; then
+        tunnel_cmd=(cloudflared tunnel --url "http://localhost:${probe_port}")
+        if [ "$no_host_rewrite" != true ]; then
+            tunnel_cmd+=(--http-host-header localhost)
+        fi
+    else
+        # ngrok
+        tunnel_cmd=(ngrok http "${probe_port}")
+        if [ "$no_host_rewrite" != true ]; then
+            tunnel_cmd+=(--host-header=rewrite)
+        fi
+    fi
+
+    echo ""
+    echo "Starting ${chosen_provider} tunnel for http://localhost:${probe_port} ..."
+
+    # Launch redirected to a log, in the background; capture its pid.
+    "${tunnel_cmd[@]}" > "$log_file" 2>&1 &
+    local tunnel_pid=$!
+
+    # Install teardown immediately so no exit path leaves an orphaned tunnel.
+    trap '_preview_public_teardown "$tunnel_pid" "$log_file"' EXIT INT TERM
+
+    # Poll for the public URL. cloudflared writes it to its log; ngrok exposes
+    # it via the local 4040 API. Bounded loop (~20 x sleep 0.5 = ~10s). Also
+    # detect early tunnel-process death so we fail honestly instead of hanging.
+    local public_url=""
+    local tries=0
+    while [ $tries -lt 20 ]; do
+        # Early death detection: if the tunnel process is gone, report and bail.
+        if ! kill -0 "$tunnel_pid" 2>/dev/null; then
+            echo -e "${RED}${chosen_provider} exited; see ${log_file}${NC}" >&2
+            # Surface the tail of the log for context.
+            tail -n 10 "$log_file" 2>/dev/null >&2 || true
+            if [ "$chosen_provider" = "ngrok" ]; then
+                echo "If this is an auth error, add your token: ngrok config add-authtoken <token>" >&2
+            fi
+            # The EXIT trap fires at SHELL exit, not function return, so reap the
+            # process now and clear the trap. Keep the log for inspection (the
+            # message points at it), so omit the log arg to teardown.
+            _preview_public_teardown "$tunnel_pid"
+            trap - EXIT INT TERM
+            return 1
+        fi
+
+        if [ "$chosen_provider" = "cloudflared" ]; then
+            public_url=$(_extract_tunnel_url_cloudflared "$log_file")
+        else
+            local api_json="${LOKI_DIR}/preview/ngrok-api.json"
+            if curl -s "http://127.0.0.1:4040/api/tunnels" -o "$api_json" 2>/dev/null; then
+                public_url=$(_extract_tunnel_url_ngrok "$api_json")
+            fi
+            rm -f "$api_json" 2>/dev/null || true
+        fi
+
+        if [ -n "$public_url" ]; then
+            break
+        fi
+        sleep 0.5
+        tries=$((tries + 1))
+    done
+
+    if [ -z "$public_url" ]; then
+        echo -e "${RED}Timed out waiting for a public URL from ${chosen_provider}.${NC}" >&2
+        tail -n 10 "$log_file" 2>/dev/null >&2 || true
+        if [ "$chosen_provider" = "ngrok" ]; then
+            echo "ngrok may be missing an authtoken: ngrok config add-authtoken <token>" >&2
+        fi
+        # Reap now (the EXIT trap fires only at shell exit, not function return,
+        # which would orphan the tunnel back in cmd_preview/main). Keep the log
+        # for inspection, so omit the log arg.
+        _preview_public_teardown "$tunnel_pid"
+        trap - EXIT INT TERM
+        return 1
+    fi
+
+    # URL captured. Print it clearly and re-print the live warning.
+    echo ""
+    echo -e "${GREEN}Public preview URL:${NC} ${public_url}"
+    echo ""
+    echo "WARNING: This URL is live and reachable by ANYONE who has it, over the"
+    echo "public internet, through YOUR ${chosen_provider} account. The app may have no"
+    echo "authentication. This stays up until you stop it."
+    echo ""
+    echo "Press Ctrl+C to stop sharing."
+
+    # Foreground-block on the tunnel. Ctrl+C delivers INT -> trap -> teardown.
+    # `wait` returns 130 on signal; guard so set -e does not abort the clean exit.
+    wait "$tunnel_pid" 2>/dev/null || true
+
+    # Idempotent final teardown (the INT trap may already have run) + remove the
+    # log on this success/Ctrl+C path. Clear the trap so it does not re-fire at
+    # shell exit with out-of-scope locals.
+    _preview_public_teardown "$tunnel_pid" "$log_file"
+    trap - EXIT INT TERM
+
+    echo ""
+    echo "Tunnel stopped."
+    return 0
+}
+
+# Open the running app preview (the app Loki built and started locally).
+# Surfaces the existing app-runner state; does not start or change the app.
+cmd_preview() {
+    local open_browser=true
+    local public=false
+    local provider=""
+    local assume_yes=false
+    local no_host_rewrite=false
+
+    # Parse options. Loop so flag combos like `--public --yes` work; preserve
+    # the existing leniency on unknown args (no hard error -> no behavior drift).
+    while [ $# -gt 0 ]; do
+        case "${1:-}" in
+            --help|-h|help)
+                echo -e "${BOLD}Loki Mode -- open the running app preview${NC}"
+                echo ""
+                echo "Usage: loki preview [--no-open]"
+                echo "       loki preview --public [--provider cloudflared|ngrok] [--yes] [--no-host-rewrite]"
+                echo "       loki open      (alias)"
+                echo ""
+                echo "Prints the URL of the app Loki built and started locally, then"
+                echo "opens it in your browser. The app runner starts the app after the"
+                echo "first successful build iteration. This serves a real local build"
+                echo "from localhost on your machine; it is not hosted."
+                echo ""
+                echo "Options:"
+                echo "  --no-open          Print the URL and status only; do not open a browser"
+                echo "  --public           Expose the running app over a PUBLIC URL via your own"
+                echo "                     tunnel CLI (cloudflared or ngrok). Consent-gated,"
+                echo "                     default-OFF. Loki never proxies traffic or bundles a"
+                echo "                     binary; it wraps YOUR OWN tunnel client."
+                echo "  --provider NAME    Tunnel provider for --public: cloudflared or ngrok"
+                echo "                     (default: auto-detect, cloudflared first)"
+                echo "  --yes              Skip the --public consent prompt (warning is still"
+                echo "                     printed). Required to use --public non-interactively"
+                echo "  --no-host-rewrite  Do not rewrite the Host header on the tunnel"
+                echo "  --help, -h         Show this help and exit"
+                echo ""
+                echo "WARNING (--public): exposes THIS machine's app to ANYONE with the URL,"
+                echo "over the public internet, through your own tunnel account. The app may"
+                echo "have no authentication. It stays up until you stop it."
+                return 0
+                ;;
+            --no-open)
+                open_browser=false
+                ;;
+            --public)
+                public=true
+                ;;
+            --provider)
+                provider="${2:-}"
+                # Guard the value-consuming shift: if --provider is the LAST arg
+                # (no value), an unguarded shift here plus the loop's trailing
+                # shift would underflow and abort under set -e. Only consume a
+                # value when one is actually present.
+                [ $# -ge 2 ] && shift
+                ;;
+            --yes)
+                assume_yes=true
+                ;;
+            --no-host-rewrite)
+                no_host_rewrite=true
+                ;;
+        esac
+        shift
+    done
+
+    # --public branches into the tunnel path BEFORE the browser-open logic.
+    # Capture the exit code (set -e safe: a bare non-zero return on the call
+    # line would trip set -e before `return` runs).
+    if [ "$public" = true ]; then
+        local rc=0
+        _preview_public "$provider" "$assume_yes" "$no_host_rewrite" || rc=$?
+        return $rc
+    fi
+
+    local state_file="${LOKI_DIR}/app-runner/state.json"
+    if [ ! -f "$state_file" ]; then
+        echo "No app running. The app runner starts after the first successful build iteration."
+        echo "Run 'loki status' to check the current run."
+        return 0
+    fi
+
+    # Parse url/status/port via the shared helper, then re-split (same logic the
+    # inline parse used; behavior-neutral for the plain preview path).
+    local url status port _state
+    _state=$(_read_app_state "$state_file")
+    url=$(printf '%s\n' "$_state" | sed -n '1p')
+    status=$(printf '%s\n' "$_state" | sed -n '2p')
+    port=$(printf '%s\n' "$_state" | sed -n '3p')
 
     if [ "$status" != "running" ]; then
         echo "App is not running (status: ${status:-unknown})."

package/dashboard/__init__.py

@@ -7,7 +7,7 @@ Modules:
     control: Session control API (start/stop/pause/resume)
 """
 
-__version__ = "7.71.0"
+__version__ = "7.72.0"
 
 # Expose the control app for easy import
 try:

package/docs/INSTALLATION.md

@@ -2,7 +2,7 @@
 
 The flagship product of [Autonomi](https://www.autonomi.dev/). Loki Mode is a spec-driven autonomous builder with a built-in trust layer that takes any spec to a deployed product and verifies completion with evidence (quality gates plus a completion council), not just a "done" claim. Complete installation instructions for all platforms and use cases.
 
-**Version:** v7.71.0
+**Version:** v7.72.0
 
 ---
 
@@ -395,7 +395,7 @@ provider works inside the container. Provide auth with your Anthropic API key:
 # Run Loki Mode in Docker (Claude provider, API-key auth)
 docker run --rm -e ANTHROPIC_API_KEY="$ANTHROPIC_API_KEY" \
   -v $(pwd):/workspace -w /workspace \
-  asklokesh/loki-mode:7.71.0 start ./my-spec.md
+  asklokesh/loki-mode:7.72.0 start ./my-spec.md
 ```
 
 ##### docker compose + .env (no host install)

package/docs/PREVIEW-LINK-PLAN.md

@@ -0,0 +1,77 @@
+# PREVIEW-LINK-PLAN.md -- Public Preview Link (BYO-tunnel)
+
+## Product Owner scope locks (decided 2026-06-18)
+1. Command surface: `loki preview --public` (a flag on the existing command, NOT a new top-level command and NOT `loki share preview` which is a deprecated alias to report-gist). Respects the CLI-consolidation mandate.
+2. Lifecycle: FOREGROUND-blocking with a trap teardown + "Press Ctrl+C to stop sharing." (Safer than background+pidfile: no orphaned public tunnel a user forgets about.)
+3. Default provider / detection order: cloudflared first (quick tunnels need NO account), ngrok second (needs authtoken). `--provider cloudflared|ngrok` override.
+4. Host-header rewrite: default-ON (cloudflared `--http-host-header localhost`, ngrok `--host-header=rewrite`) with a `--no-host-rewrite` escape. Fixes the #1 dev-server "Invalid Host header" failure.
+5. Bun parity: bash-only is acceptable for v7.72.0 (HUD precedent; the Bun runner is dormant for the live path). No loki-ts mirror required now.
+6. Consent: explicit, default-NO. Interactive `[y/N]` on a TTY (only ^[Yy] proceeds); `--yes` skips the prompt but still prints the warning; non-TTY without `--yes` REFUSES.
+
+## 1. Goal
+Loki builds + runs the app locally and `loki preview` (cmd_preview, autonomy/loki:5212) opens it at http://localhost:PORT. There is no way to share the running app. Add a consent-gated `--public` path that creates a PUBLIC URL for the already-running local app by wrapping the USER'S OWN tunnel CLI (cloudflared or ngrok). The app + the user's creds stay on their machine; Loki never proxies traffic and never bundles/downloads a binary. Delivers the "share what was built" wow (Replit/Lovable/Bolt have it) without breaking "your keys, nothing leaves your network."
+
+## 2. Command surface + dispatch
+`loki preview --public` (+ `--provider`, `--yes`, `--no-host-rewrite`). The `preview)` dispatch arm (autonomy/loki:14596 -> cmd_preview "$@") already forwards args; no dispatch-table change. Add the flags to cmd_preview's arg parser (~:5214); `--public` branches into a new `_preview_public` helper BEFORE the existing browser-open logic. Update cmd_preview --help (~:5216-5229).
+
+## 3. Precondition checks (REUSE cmd_preview state.json read)
+Refactor the inline parse at autonomy/loki:5246-5263 into a shared `_read_app_state <state_file>` echoing url/status/port/primary_service; both the existing browser-open path and `--public` call it (no drift). Then, in order, each with honest degrade + non-zero exit:
+1. state.json exists (${LOKI_DIR}/app-runner/state.json) -> else "No app running. loki start / loki status".
+2. status == running (mirror :5265) -> else "App is not running (status: X)".
+3. URL/port resolved (fallback http://localhost:${port:-3000} per :5271-5273).
+4. PORT reachability (NEW): poll with the curl-readiness pattern at autonomy/loki:4979 (curl -s http://localhost:PORT >/dev/null, few retries, sleep 0.5, retries=$((retries+1))). Dead port -> "not exposing a dead port", non-zero. Never tunnel a dead port.
+
+## 4. Consent (load-bearing, default-OFF)
+- Interactive TTY ([ -t 0 ]): print the full warning (SS9), prompt `Expose this app publicly? [y/N] ` via `read -r` (idiom at :1897-1902) but DEFAULT-N (only ^[Yy] proceeds; deliberately NOT the default-Y at :1894 -- public exposure is unsafe).
+- --yes: skips the prompt; warning still PRINTED.
+- Non-TTY without --yes: REFUSE ("Refusing to expose a public tunnel non-interactively without --yes"), non-zero. Never silently expose.
+
+## 5. BYO-CLI detection + install hint (command -v based, so a PATH stub works in CI)
+Order (override with --provider): cloudflared, then ngrok, else honest install hint + non-zero. NEVER pretend success, NEVER download a binary. Hint mirrors the gh-missing block at :28304-28311; names brew + official URLs for both; states Loki wraps YOUR OWN client.
+
+## 6. URL extraction (pure, testable: read from file/string, not a live process)
+- cloudflared (`cloudflared tunnel --url http://localhost:PORT [--http-host-header localhost]`): quick-tunnel URL prints to stderr/log. Redirect stdout+stderr to ${LOKI_DIR}/preview/cloudflared.log; poll (bounded ~20 x sleep 0.5, tries=$((tries+1))) `grep -oE 'https://[a-z0-9-]+\.trycloudflare\.com'` first match. Timeout no-match -> teardown + non-zero.
+- ngrok (`ngrok http PORT [--host-header=rewrite]`): scrape the local API `curl -s http://127.0.0.1:4040/api/tunnels` -> .tunnels[].public_url (prefer https); python3 json parse, grep fallback; bounded poll. No authtoken -> 4040 never comes up -> honest "ngrok config add-authtoken" hint, non-zero.
+Factor `_extract_tunnel_url_cloudflared <logfile>` and `_extract_tunnel_url_ngrok <json-file-or-string>` as PURE functions for the stub test.
+
+## 7. Lifecycle (foreground + trap, per lock #2)
+- `tunnel_cmd ... > "$log" 2>&1 & tunnel_pid=$!`
+- `trap '_preview_public_teardown "$tunnel_pid"' EXIT INT TERM` immediately. Teardown: `kill -TERM "$tunnel_pid" 2>/dev/null || true; sleep 1; kill -KILL "$tunnel_pid" 2>/dev/null || true` + remove log/pidfile (all || true, set -e safe).
+- After URL capture: print public URL + live warning + "Press Ctrl+C to stop sharing." Then `wait "$tunnel_pid"`. Ctrl+C -> trap -> clean teardown.
+- State dir ${LOKI_DIR}/preview/ (mkdir -p), parallel to app-runner/.
+
+## 8. Host-header (default-ON, lock #4; escape --no-host-rewrite)
+Dev servers (Vite/Next dev/webpack/Django ALLOWED_HOSTS) reject a tunneled Host: <random>.trycloudflare.com with "Invalid Host header". cloudflared `--http-host-header localhost`; ngrok `--host-header=rewrite`. Verify the exact flag against the installed CLI version at runtime; do not hardcode blindly. Document that production-style servers may still need the tunnel host added to their allowlist.
+
+## 9. Help + warning copy (honest, no fabricated safety claims)
+Help appended to cmd_preview --help: --public, --provider, --yes, --no-host-rewrite (per SS2). Warning printed before the prompt every time:
+```
+WARNING: This makes the app running on THIS machine reachable by ANYONE who has
+the URL, over the public internet, using YOUR tunnel account.
+- The app may have NO authentication. Anyone with the link can use it.
+- Traffic flows through your own cloudflared/ngrok account, not through Loki.
+- This stays up until you stop it. Stop it when you are done.
+```
+No "secure"/"encrypted" claims beyond what the tunnel CLI itself provides.
+
+## 10. Degrade / error table (all set -e safe)
+state.json absent / status!=running / dead port / no CLI / non-TTY-no-yes / URL-capture-timeout / ngrok-no-authtoken -> honest message + non-zero. Consent declined -> "Aborted. App was not exposed." exit 0. Ctrl+C -> trap teardown + "Tunnel stopped." exit 0.
+
+## 11. Test plan (no real tunnel in CI; FAKE binary on PATH + pure extractors)
+1. Consent: pipe `n` -> Aborted, no spawn; `y` (fake bin) -> proceeds; --yes skips prompt but prints warning; non-TTY no --yes -> refuse + non-zero.
+2. CLI-absent: PATH without cloudflared/ngrok -> install hint + non-zero, no download.
+3. URL extraction: cloudflared stub script prints a fixed trycloudflare URL to its log -> assert extractor returns it (+ a real-format log fixture); ngrok extractor against a fixture 4040 JSON -> assert public_url; empty log -> timeout path tears down + non-zero.
+4. Preconditions: missing state.json; status=building; unreachable port -> each right message + non-zero.
+5. Teardown: SIGINT to the fake-bin run -> child pid gone, log/pidfile cleaned, no orphan.
+6. set -e / lint: bash parity + shellcheck/local-ci over the new code (x=$((x+1)), escaped $ in python heredocs, path as argv).
+Mirror the existing CLI test harness that covers cmd_preview/gist-share.
+
+## 12. Task list
+Agent A (surface, consent, preconditions): extract _read_app_state from :5246-5263 + repoint the existing browser path (regression-test plain `loki preview`); add flags to arg parse; branch --public into _preview_public; preconditions incl port poll (:4979 pattern); consent (warning + default-N + non-TTY/--yes); update --help.
+Agent B (detection, extraction, lifecycle): command -v detection + order + hint; pure _extract_tunnel_url_cloudflared / _extract_tunnel_url_ngrok; foreground launch + trap teardown; host-header flags + --no-host-rewrite.
+Both: tests per SS11; local-ci/parity gate; v7.72.0 bump + changelog (integrator); no commit/push unless asked.
+
+## Critical files
+- autonomy/loki (cmd_preview :5212; arg parse :5214; help :5216-5229; state read to extract :5246-5263; dispatch :14596; consent prompt :1897; nohup/pidfile :4964-4968; curl poll :4979; pgid teardown :2221)
+- autonomy/app-runner.sh (state.json writer :104-135 -- url/status/port/primary_service source of truth)
+- The bash test harness covering cmd_preview (mirror its PATH-stub + fixture style)

package/loki-ts/dist/loki.js

@@ -1,5 +1,5 @@
 // @bun
-var t6=Object.defineProperty;var i6=($)=>$;function e6($,Q){this[$]=i6.bind(null,Q)}var h=($,Q)=>{for(var Z in Q)t6($,Z,{get:Q[Z],enumerable:!0,configurable:!0,set:e6.bind(Q,Z)})};var P=($,Q)=>()=>($&&(Q=$($=0)),Q);var q$=import.meta.require;var D1={};h(D1,{lokiDir:()=>j,homeLokiDir:()=>r$,findRepoRootForVersion:()=>s$,REPO_ROOT:()=>g});import{resolve as a,dirname as a$}from"path";import{fileURLToPath as $Q}from"url";import{existsSync as F$}from"fs";import{homedir as QQ}from"os";function ZQ(){let $=S1;for(let Q=0;Q<6;Q++){if(F$(a($,"VERSION"))&&F$(a($,"autonomy/run.sh")))return $;let Z=a$($);if(Z===$)break;$=Z}return a(S1,"..","..","..")}function s$($){let Q=$;for(let Z=0;Z<6;Z++){if(F$(a(Q,"VERSION"))&&F$(a(Q,"autonomy/run.sh")))return Q;let z=a$(Q);if(z===Q)break;Q=z}return a($,"..","..","..")}function j(){return process.env.LOKI_DIR??a(process.cwd(),".loki")}function r$(){return a(QQ(),".loki")}var S1,g;var b=P(()=>{S1=a$($Q(import.meta.url));g=ZQ()});import{readFileSync as zQ}from"fs";import{resolve as XQ,dirname as KQ}from"path";import{fileURLToPath as qQ}from"url";function R$(){if(Q$!==null)return Q$;let $="7.71.0";if(typeof $==="string"&&$.length>0)return Q$=$,Q$;try{let Q=KQ(qQ(import.meta.url)),Z=s$(Q);Q$=zQ(XQ(Z,"VERSION"),"utf-8").trim()}catch{Q$="unknown"}return Q$}var Q$=null;var t$=P(()=>{b()});var b1={};h(b1,{runOrThrow:()=>VQ,run:()=>k,commandVersion:()=>WQ,commandExists:()=>f,ShellError:()=>i$});async function k($,Q={}){let Z=Bun.spawn({cmd:[...$],stdout:"pipe",stderr:"pipe",env:Q.env?{...process.env,...Q.env}:process.env,cwd:Q.cwd}),z,X;if(Q.timeoutMs&&Q.timeoutMs>0)z=setTimeout(()=>{try{Z.kill("SIGTERM")}catch{}X=setTimeout(()=>{try{Z.kill("SIGKILL")}catch{}},2000)},Q.timeoutMs);try{let[q,K,W]=await Promise.all([new Response(Z.stdout).text(),new Response(Z.stderr).text(),Z.exited]);return{stdout:q,stderr:K,exitCode:W}}finally{if(z)clearTimeout(z);if(X)clearTimeout(X)}}async function VQ($,Q={}){let Z=await k($,Q);if(Z.exitCode!==0)throw new i$(`command failed (${Z.exitCode}): ${$.join(" ")}`,Z.exitCode,Z.stdout,Z.stderr);return Z}async function f($){let Q=JQ($),Z=await k(["sh","-c",`command -v ${Q}`],{timeoutMs:5000});if(Z.exitCode===0)return Z.stdout.trim()||null;return null}function JQ($){if(!/^[A-Za-z0-9._/-]+$/.test($))throw Error(`refused to shell-escape suspect token: ${$}`);return $}async function WQ($,Q="--version"){if(!await f($))return null;let z=await k([$,Q],{timeoutMs:5000});if(z.exitCode!==0)return null;return((z.stdout||z.stderr).split(/\r?\n/)[0]?.trim()??"")||null}var i$;var d=P(()=>{i$=class i$ extends Error{message;exitCode;stdout;stderr;constructor($,Q,Z,z){super($);this.message=$;this.exitCode=Q;this.stdout=Z;this.stderr=z;this.name="ShellError"}}});function s($){return UQ?"":$}var UQ,T,S,_,_Z,I,x,y,V;var c=P(()=>{UQ=(process.env.NO_COLOR??"").length>0;T=s("\x1B[0;31m"),S=s("\x1B[0;32m"),_=s("\x1B[1;33m"),_Z=s("\x1B[0;34m"),I=s("\x1B[0;36m"),x=s("\x1B[1m"),y=s("\x1B[2m"),V=s("\x1B[0m")});import{existsSync as _Q}from"fs";async function Z$(){if(Y$!==void 0)return Y$;let $="/opt/homebrew/bin/python3.12";if(_Q($))return Y$=$,$;let Q=await f("python3.12");if(Q)return Y$=Q,Q;let Z=await f("python3");return Y$=Z,Z}async function z$($,Q={}){let Z=await Z$();if(!Z)return{stdout:"",stderr:"python3 not found",exitCode:127};return k([Z,"-c",$],Q)}var Y$;var V$=P(()=>{d()});var e1={};h(e1,{runStatus:()=>cQ});import{existsSync as v,readFileSync as W$,readdirSync as d1,statSync as o1}from"fs";import{resolve as D,basename as CQ}from"path";import{homedir as bQ}from"os";function n1($){let Q=Math.trunc($);if(Q>=1e6)return`${(Math.trunc(Q/1e6*10)/10).toFixed(1)}M`;if(Q>=1000)return`${(Math.trunc(Q/1000*10)/10).toFixed(1)}K`;return String(Q)}function a1($,Q,Z){if(Q===0)return null;let z=Math.trunc($*100/Q),X=Math.trunc($*x$/Q);if(X>x$)X=x$;let q=x$-X,K=S;if(z>=80)K=T;else if(z>=50)K=_;let W="=".repeat(Math.max(0,X))+" ".repeat(Math.max(0,q)),J=n1($),U=n1(Q);return`  ${x}${Z}${V} ${K}[${W}]${V} ${z}% (${J} / ${U})`}async function yQ(){if(await f("jq"))return!0;return process.stdout.write(`${T}Error: jq is required but not installed.${V}
+var t6=Object.defineProperty;var i6=($)=>$;function e6($,Q){this[$]=i6.bind(null,Q)}var h=($,Q)=>{for(var Z in Q)t6($,Z,{get:Q[Z],enumerable:!0,configurable:!0,set:e6.bind(Q,Z)})};var P=($,Q)=>()=>($&&(Q=$($=0)),Q);var q$=import.meta.require;var D1={};h(D1,{lokiDir:()=>j,homeLokiDir:()=>r$,findRepoRootForVersion:()=>s$,REPO_ROOT:()=>g});import{resolve as a,dirname as a$}from"path";import{fileURLToPath as $Q}from"url";import{existsSync as F$}from"fs";import{homedir as QQ}from"os";function ZQ(){let $=S1;for(let Q=0;Q<6;Q++){if(F$(a($,"VERSION"))&&F$(a($,"autonomy/run.sh")))return $;let Z=a$($);if(Z===$)break;$=Z}return a(S1,"..","..","..")}function s$($){let Q=$;for(let Z=0;Z<6;Z++){if(F$(a(Q,"VERSION"))&&F$(a(Q,"autonomy/run.sh")))return Q;let z=a$(Q);if(z===Q)break;Q=z}return a($,"..","..","..")}function j(){return process.env.LOKI_DIR??a(process.cwd(),".loki")}function r$(){return a(QQ(),".loki")}var S1,g;var b=P(()=>{S1=a$($Q(import.meta.url));g=ZQ()});import{readFileSync as zQ}from"fs";import{resolve as XQ,dirname as KQ}from"path";import{fileURLToPath as qQ}from"url";function R$(){if(Q$!==null)return Q$;let $="7.72.0";if(typeof $==="string"&&$.length>0)return Q$=$,Q$;try{let Q=KQ(qQ(import.meta.url)),Z=s$(Q);Q$=zQ(XQ(Z,"VERSION"),"utf-8").trim()}catch{Q$="unknown"}return Q$}var Q$=null;var t$=P(()=>{b()});var b1={};h(b1,{runOrThrow:()=>VQ,run:()=>k,commandVersion:()=>WQ,commandExists:()=>f,ShellError:()=>i$});async function k($,Q={}){let Z=Bun.spawn({cmd:[...$],stdout:"pipe",stderr:"pipe",env:Q.env?{...process.env,...Q.env}:process.env,cwd:Q.cwd}),z,X;if(Q.timeoutMs&&Q.timeoutMs>0)z=setTimeout(()=>{try{Z.kill("SIGTERM")}catch{}X=setTimeout(()=>{try{Z.kill("SIGKILL")}catch{}},2000)},Q.timeoutMs);try{let[q,K,W]=await Promise.all([new Response(Z.stdout).text(),new Response(Z.stderr).text(),Z.exited]);return{stdout:q,stderr:K,exitCode:W}}finally{if(z)clearTimeout(z);if(X)clearTimeout(X)}}async function VQ($,Q={}){let Z=await k($,Q);if(Z.exitCode!==0)throw new i$(`command failed (${Z.exitCode}): ${$.join(" ")}`,Z.exitCode,Z.stdout,Z.stderr);return Z}async function f($){let Q=JQ($),Z=await k(["sh","-c",`command -v ${Q}`],{timeoutMs:5000});if(Z.exitCode===0)return Z.stdout.trim()||null;return null}function JQ($){if(!/^[A-Za-z0-9._/-]+$/.test($))throw Error(`refused to shell-escape suspect token: ${$}`);return $}async function WQ($,Q="--version"){if(!await f($))return null;let z=await k([$,Q],{timeoutMs:5000});if(z.exitCode!==0)return null;return((z.stdout||z.stderr).split(/\r?\n/)[0]?.trim()??"")||null}var i$;var d=P(()=>{i$=class i$ extends Error{message;exitCode;stdout;stderr;constructor($,Q,Z,z){super($);this.message=$;this.exitCode=Q;this.stdout=Z;this.stderr=z;this.name="ShellError"}}});function s($){return UQ?"":$}var UQ,T,S,_,_Z,I,x,y,V;var c=P(()=>{UQ=(process.env.NO_COLOR??"").length>0;T=s("\x1B[0;31m"),S=s("\x1B[0;32m"),_=s("\x1B[1;33m"),_Z=s("\x1B[0;34m"),I=s("\x1B[0;36m"),x=s("\x1B[1m"),y=s("\x1B[2m"),V=s("\x1B[0m")});import{existsSync as _Q}from"fs";async function Z$(){if(Y$!==void 0)return Y$;let $="/opt/homebrew/bin/python3.12";if(_Q($))return Y$=$,$;let Q=await f("python3.12");if(Q)return Y$=Q,Q;let Z=await f("python3");return Y$=Z,Z}async function z$($,Q={}){let Z=await Z$();if(!Z)return{stdout:"",stderr:"python3 not found",exitCode:127};return k([Z,"-c",$],Q)}var Y$;var V$=P(()=>{d()});var e1={};h(e1,{runStatus:()=>cQ});import{existsSync as v,readFileSync as W$,readdirSync as d1,statSync as o1}from"fs";import{resolve as D,basename as CQ}from"path";import{homedir as bQ}from"os";function n1($){let Q=Math.trunc($);if(Q>=1e6)return`${(Math.trunc(Q/1e6*10)/10).toFixed(1)}M`;if(Q>=1000)return`${(Math.trunc(Q/1000*10)/10).toFixed(1)}K`;return String(Q)}function a1($,Q,Z){if(Q===0)return null;let z=Math.trunc($*100/Q),X=Math.trunc($*x$/Q);if(X>x$)X=x$;let q=x$-X,K=S;if(z>=80)K=T;else if(z>=50)K=_;let W="=".repeat(Math.max(0,X))+" ".repeat(Math.max(0,q)),J=n1($),U=n1(Q);return`  ${x}${Z}${V} ${K}[${W}]${V} ${z}% (${J} / ${U})`}async function yQ(){if(await f("jq"))return!0;return process.stdout.write(`${T}Error: jq is required but not installed.${V}
 `),process.stdout.write(`Install with:
 `),process.stdout.write(`  brew install jq    (macOS)
 `),process.stdout.write(`  apt install jq     (Debian/Ubuntu)
@@ -793,4 +793,4 @@ Set LOKI_LEGACY_BASH=1 to force the bash CLI for every command.
 `),2}default:return process.stderr.write(`Unknown command: ${Q}
 `),process.stderr.write(r6),2}}l1();process.on("SIGINT",()=>process.exit(130));process.on("SIGTERM",()=>process.exit(143));var qZ=await KZ(Bun.argv.slice(2));process.exit(qZ);
 
-//# debugId=BBA47536FE0B2AB264756E2164756E21
+//# debugId=7A89607799C5087964756E2164756E21

package/mcp/__init__.py

@@ -57,4 +57,4 @@ try:
 except ImportError:
     __all__ = ['mcp']
 
-__version__ = '7.71.0'
+__version__ = '7.72.0'

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "loki-mode",
   "mcpName": "io.github.asklokesh/loki-mode",
-  "version": "7.71.0",
+  "version": "7.72.0",
   "description": "Loki Mode by Autonomi. Autonomous spec-to-product system: takes a PRD, GitHub issue, OpenAPI/JSON/YAML, or one-line brief to a deployed app via the RARV-C closure loop with 8 quality gates. Provider-agnostic (Claude Code, OpenAI Codex, Cline, Aider).",
   "keywords": [
     "agent",

package/plugins/loki-mode/.claude-plugin/plugin.json

@@ -2,7 +2,7 @@
   "$schema": "https://json.schemastore.org/claude-code-plugin-manifest.json",
   "name": "loki-mode",
   "displayName": "Loki Mode",
-  "version": "7.71.0",
+  "version": "7.72.0",
   "description": "Autonomous spec-to-product build system with a built-in trust layer (RARV-C closure loop, 8 quality gates, completion council). Ships Loki's spec-hardening, drift-detection, and deterministic PR verification commands plus the Loki MCP server.",
   "author": {
     "name": "Autonomi",