LoopTroop v0.2.0 - Reliability, Live Logs, Workflow, and Docs source code.tar.gz 2026-05-12 3.0 MB
LoopTroop v0.2.0 - Reliability, Live Logs, Workflow, and Docs source code.zip 2026-05-12 3.3 MB
README.md 2026-05-12 7.2 kB

Added

  • Added expanded runtime diagnostics, output-normalization documentation, operations guidance, configuration reference material, and refreshed onboarding docs.
  • Added richer ticket/workspace surfaces for setup-plan review, regenerated approval versions, raw/rejected artifact inspection, live phase logs, GitHub links, and completed-ticket worktree cleanup.
  • Added broader test coverage across middleware, routes, workflow phases, logs, structured output repair, UI components, dev maintenance, and diagnostics.

Changed

  • Refined the planning flow around interview/PRD approval edits, member-specific council artifacts, winner-model context, coverage warnings, and beads planning.
  • Improved dashboard and workspace ergonomics with tighter status chrome, clearer phase summaries, better artifact rendering, keyboard/menu fixes, and more resilient ticket normalization.
  • Updated development maintenance behavior so dependency sync, npm audit remediation, and OpenCode maintenance are coordinated through the startup preflight.

Security & Reliability

  • npm run dev now restores daily startup dependency/audit/OpenCode maintenance while gating npm dependency updates to releases that are at least 7 days old; if latest is too fresh, dependency sync installs the newest eligible older version instead, and audit remediation holds the whole fix when any proposed package version is too fresh. OpenCode CLI and @opencode-ai/sdk updates remain immediate.
  • Fixed timing side-channel in API token comparison: constantTimeEquals now always runs timingSafeEqual even when token lengths differ, preventing length-leak via response timing.
  • SSE authentication: apiToken query parameter now accepted exclusively on /api/stream (the only endpoint where browser EventSource clients cannot set custom headers); all other endpoints reject query-param tokens.
  • Vite dev proxy now injects the ephemeral LOOPTROOP_API_TOKEN server-side for same-origin /api requests, keeping the token out of the frontend bundle while preserving protected local development.
  • LOOPTROOP_ALLOW_UNAUTHENTICATED=1 only bypasses auth when no API token is configured; non-loopback binds still require LOOPTROOP_API_TOKEN.
  • Request body size limit now enforced while reading chunked requests without a Content-Length header, preventing memory exhaustion via large unbounded bodies.
  • validateJson middleware now validates JSON syntax early and returns 400 rather than allowing handlers to surface unhandled 500 errors.
  • Fixed permanent memory leak in SSE stream handler: await new Promise(() => {}) replaced with a resolvable promise; stream now cleanly resolves on client disconnect.
  • Fixed race condition in SSE double-cleanup: added cleanedUp guard to prevent broadcaster.removeClient from running twice on concurrent abort and error, including initial write/replay failures.
  • Project SQLite database cache now evicts the oldest entry when it exceeds 50 entries, preventing unbounded memory and file-descriptor growth.
  • startingTickets set now cleaned up in a finally block, preventing permanent blocking of ticket starts after unexpected errors.
  • isLoopbackHost and isLocalhostRequest now recognise IPv4-mapped IPv6 loopback addresses (::ffff:127.0.0.1, ::ffff:7f00:1).
  • Basic auth header builder now validates that the username does not contain : (RFC 7617 compliance).
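The token-comparison and SSE query-parameter items above, sketched as an added example; this is not LoopTroop's own code. The SHA-256 pre-hash, the `Authorization: Bearer` header scheme, the helper names `extractToken` and `isAuthorized`, and the sample token are assumptions made for illustration.

```javascript
const { createHash, timingSafeEqual } = require('node:crypto');

// timingSafeEqual throws a RangeError on buffers of unequal length, which is
// why naive code returns early on a length mismatch and leaks the length.
// Hashing both sides first yields two 32-byte digests, so the constant-time
// compare always runs, whatever the client sent. (Assumed approach.)
function constantTimeEquals(provided, expected) {
  const digest = (s) => createHash('sha256').update(String(s), 'utf8').digest();
  return timingSafeEqual(digest(provided), digest(expected));
}

// Assumed token sources: a Bearer header on any endpoint, and the apiToken
// query parameter on /api/stream only (EventSource cannot set headers).
function extractToken(rawUrl, headers) {
  const bearer = /^Bearer\s+(\S+)$/i.exec(headers['authorization'] || '');
  if (bearer) return bearer[1];
  const url = new URL(rawUrl, 'http://localhost'); // base is only for parsing
  if (url.pathname === '/api/stream') return url.searchParams.get('apiToken');
  return null; // query-param tokens are ignored on every other endpoint
}

function isAuthorized(rawUrl, headers, expectedToken) {
  const token = extractToken(rawUrl, headers);
  return token !== null && constantTimeEquals(token, expectedToken);
}

// Constructed sample value, not a real credential.
const EXPECTED = 'constructed-token-0123456789';
console.log({
  streamWithQuery: isAuthorized('/api/stream?apiToken=' + EXPECTED, {}, EXPECTED),
  otherWithQuery: isAuthorized('/api/tickets?apiToken=' + EXPECTED, {}, EXPECTED),
  otherWithHeader: isAuthorized('/api/tickets', { authorization: 'Bearer ' + EXPECTED }, EXPECTED),
});
```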
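One way to enforce the body limit while reading a chunked request that has no Content-Length, as an added example rather than LoopTroop's middleware. `createBodyCollector`, `readBody` and `PayloadTooLargeError` are hypothetical names, and the stream is assumed to deliver Buffer chunks.

```javascript
class PayloadTooLargeError extends Error {
  constructor(limit) {
    super(`request body exceeds ${limit} bytes`);
    this.statusCode = 413;
  }
}

// Count bytes as they arrive, so the cap holds even when the client sends
// "Transfer-Encoding: chunked" and there is no Content-Length to check.
function createBodyCollector(maxBytes, declaredLength) {
  if (Number.isFinite(declaredLength) && declaredLength > maxBytes) {
    throw new PayloadTooLargeError(maxBytes); // cheap early reject when declared
  }
  const chunks = [];
  let total = 0;
  return {
    push(chunk) {
      total += chunk.length;
      if (total > maxBytes) throw new PayloadTooLargeError(maxBytes);
      chunks.push(chunk);
    },
    finish() {
      return Buffer.concat(chunks, total);
    },
  };
}

// Wiring for a Node Readable such as http.IncomingMessage.
function readBody(req, maxBytes) {
  return new Promise((resolve, reject) => {
    const declared = req.headers ? req.headers['content-length'] : undefined;
    let collector;
    try {
      // Number(undefined) is NaN, which skips the declared-length check.
      collector = createBodyCollector(maxBytes, Number(declared));
    } catch (err) {
      reject(err);
      return;
    }
    req.on('data', (chunk) => {
      try {
        collector.push(chunk);
      } catch (err) {
        req.pause(); // stop buffering; the caller answers 413 and closes
        reject(err);
      }
    });
    req.on('end', () => resolve(collector.finish()));
    req.on('error', reject);
  });
}
```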
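The IPv4-mapped loopback item above, as an added example; it reuses the name `isLoopbackHost` from the changelog but is not the project's implementation. `unmapIPv4` and `isLoopbackIPv4` are hypothetical helpers, treating all of 127.0.0.0/8 as loopback is an assumption, and only the compressed `::ffff:` spelling is handled.

```javascript
// Reduce an IPv4-mapped IPv6 address to dotted-quad IPv4, or return null.
// Covers both spellings from the changelog: ::ffff:127.0.0.1 and ::ffff:7f00:1.
function unmapIPv4(addr) {
  const m = /^::ffff:(.+)$/i.exec(addr);
  if (!m) return null;
  const tail = m[1];
  if (tail.includes('.')) return tail; // already dotted-quad
  const hex = /^([0-9a-f]{1,4}):([0-9a-f]{1,4})$/i.exec(tail);
  if (!hex) return null;
  const hi = parseInt(hex[1], 16); // first two octets
  const lo = parseInt(hex[2], 16); // last two octets
  return [hi >> 8, hi & 0xff, lo >> 8, lo & 0xff].join('.');
}

function isLoopbackIPv4(addr) {
  const parts = addr.split('.');
  if (parts.length !== 4) return false;
  if (!parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255)) return false;
  return Number(parts[0]) === 127; // assumption: whole 127.0.0.0/8 counts
}

function isLoopbackHost(host) {
  let h = String(host).trim().toLowerCase();
  if (h.startsWith('[') && h.endsWith(']')) h = h.slice(1, -1); // [::1] form
  if (h === 'localhost' || h === '::1') return true;
  return isLoopbackIPv4(unmapIPv4(h) ?? h);
}

// Constructed sample inputs.
for (const host of ['::ffff:127.0.0.1', '::ffff:7f00:1', '::ffff:c0a8:1', '0.0.0.0']) {
  console.log(host, isLoopbackHost(host));
}
```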

Performance

  • OpenCode text/reasoning live AI detail updates now use a 10ms live cadence with no large-growth bypass, making thinking/model output feel closer to tool-call responsiveness while keeping streaming upserts out of persisted log files until a final row is emitted.
  • npm run dev startup logs are quieter by default: held dependency/audit details, raw npm install output, socket snapshots, and the full service plan now require LOOPTROOP_DEV_VERBOSE=1.
  • Dev port inspection now avoids netstat unless earlier inspectors cannot identify the listener, removing noisy platform warnings during normal startup while preserving fallback diagnostics in verbose mode.
  • contextCache in contextBuilder.ts now evicts stale entries on cache misses, preventing unbounded accumulation in long-running processes.
  • persistedFingerprintsByTicket map capped at 100 entries to prevent unbounded memory growth.
  • Pre-compiled credential-redaction regex in errorDiagnostics.ts (was re-created on every call).
  • errorDiagnostics modelId and similar fields now computed once and reused instead of double-sanitising.

Bug Fixes

  • OpenCode live AI detail streaming now reads the SDK global event feed and filters it back to the active session, restoring real-time thinking/tool/output rows after the @opencode-ai/sdk 1.14.48 event behavior change while keeping the existing streaming throttle.
  • AI detail logs now backfill finalized thinking, tool, and step rows from all OpenCode assistant message parts for the completed prompt, so AI/model tabs can restore extended tool-use histories even when the browser was not open during the phase or the live event stream closed early.
  • Ticket dashboards now normalize partially cached ticket runtime/action/model data before rendering, preventing a full-page crash during fast start and workflow phase transitions.
  • isRecord type guard now correctly excludes Date, Map, and Set instances.
  • parsePort now accepts only digit-only TCP port strings so malformed values like "3000abc", "123.4", or "300e0" fall back instead of being partially accepted.
  • isBeforeExecution in workflowMeta.ts now has a recursion depth guard to prevent stack overflow on cyclic workflow states.
  • useSSE stale-closure bug fixed: ticketIdRef used inside onerror/onopen handlers instead of the captured closure variable.
  • AIQuestionContext polling interval no longer restarts on every render; activeTicketKey is now computed inside a stable useMemo.
  • readYamlArray JSON Lines fallback now falls through to YAML parsing on parse failure instead of returning null.
  • App SQLite database now uses lazy initialization via Proxy, preventing DB file creation at module import time.
  • drizzle.project.config.ts default DB path now resolved relative to the config file instead of the current working directory.
  • DraftView state sync moved into useEffect to prevent React anti-pattern of setting state during render.
  • DropdownPicker now repositions on window resize and scroll while open.
  • KeyboardShortcuts ? shortcut now suppressed on contentEditable elements and <select> in addition to <input>/<textarea>.
  • dev-preflight.mjs deduplicated: now delegates to tsx scripts/dev-preflight.ts instead of duplicating utility functions.
  • Completed log entries are no longer entry-count capped in the log API or browser cache; server log files remain the durable source of truth, while streaming partials are still folded to avoid repeated in-progress snapshots.

Configuration

  • vitest.config.ts: all test projects now use isolate: true to prevent test state leakage.
  • tsconfig.json: scripts/ directory added to include so dev scripts are fully type-checked.
Source: README.md, updated 2026-05-12