# Dev workflow `shrk dev` is the safe, deterministic AI-assisted development loop. It guides a feature request from a one-line task all the way to an audit-trail report, without ever writing source files, calling a model, or running an untrusted command. The flow: ``` shrk dev start "" ↓ shrk dev plan --template --name [--var k=v ...] ↓ (auto-runs plan review on saved plans) shrk apply --verify-signature ← the human-approval step ↓ (session-aware: signature/divergence/conflicts persisted) shrk dev validate ↓ shrk dev report ``` ## Session-aware apply When you run `shrk apply` against a plan that lives under `.sharkcraft/sessions//plans/`, the CLI automatically updates the session's `session.json` after a successful apply: - adds an entry to `appliedPlans[]` with the changed files - records the signature status (`verified` / `unsigned` / `invalid` / `not-checked`) - records whether the live plan diverged from the saved plan - promotes the plan entry to `applied` - recomputes the session phase and `nextAction` The same is true for `shrk apply --validate`: the validation report lands under `/reports/`, the session's `validations[]` array gets a new entry, the phase is set to `validated` (or `validation_failed` on failure), and `nextAction` is recomputed. The rules are conservative — refused divergence, conflicts, dry-runs, and failed apply runs leave the session metadata untouched. To attach a plan that does not live under the session directory, pass `--session ` explicitly. ## Repairing session metadata If you ran the workflow manually (eg. via `shrk gen` + `shrk apply` without a session), you can patch the session's metadata after the fact: ```bash shrk dev mark-applied [--note "..."] shrk dev mark-validated [--report path] [--status passed|failed] [--note "..."] ``` Both commands are metadata-only — they never write source files. They verify that the session exists, that the plan file exists when provided, and they recompute the phase + `nextAction`. ## Convenience commands ```bash shrk dev open # print paths inside the session shrk dev plans # list plans tracked in session.json shrk dev reports # list reports under reports/ shrk dev commands # print a copy-pasteable command list shrk dev diff # diff two sessions (phase / plans / packet) shrk dev list # list all sessions with phase + next action shrk dev archive # move to .sharkcraft/sessions-archive/ shrk dev clean --older-than 14d [--archive] [--write] [--include-active] ``` `dev clean` is **dry-run by default**. It never deletes active or incomplete sessions unless you pass `--include-active` explicitly. ## HTML report ```bash shrk dev report --html # writes final-report.html shrk dev open --html # writes final-report.html only shrk dev open --serve --port 8765 # localhost-only HTTP server shrk dev open --serve --live # SSE + auto-refresh shrk dev open --serve --live --open # also open the URL (macOS) shrk dev open --serve --live --port 0 # random free port ``` See [`docs/session-html-report.md`](session-html-report.md) for details. The server binds to `127.0.0.1` by default; pass `--host` explicitly to expose it elsewhere — the CLI prints a warning when you do. With `--live` the server exposes a `GET /events` Server-Sent Events endpoint and the rendered HTML includes a tiny script that reloads the page on every `change` event. A `` fallback keeps things working even when SSE isn't supported by the browser. The server watches `session.json`, `plans/`, and `reports/` and debounces changes (≈200ms). Only `GET` / `HEAD` are accepted — every other verb returns `405`. There are no write endpoints. No POST. No PUT. No DELETE. The local **dashboard** (`shrk dashboard`) exposes the same session data under `/api/sessions` and `/api/sessions/:id`, plus a live SSE feed at `/api/sessions/:id/events` and a sandboxed HTML report at `/api/sessions/:id/report.html`. The session detail page in the UI auto-refreshes on SSE events and inlines the HTML report in an `