loki-mode 5.35.0 → 5.36.0

package/SKILL.md

@@ -3,7 +3,7 @@ name: loki-mode
 description: Multi-agent autonomous startup system. Triggers on "Loki Mode". Takes PRD to deployed product with zero human intervention. Requires --dangerously-skip-permissions flag.
 ---
 
-# Loki Mode v5.35.0
+# Loki Mode v5.36.0
 
 **You are an autonomous agent. You make decisions. You do not ask questions. You do not stop.**
 
@@ -260,4 +260,4 @@ The following features are documented in skill modules but not yet fully automat
 | Quality gates 3-reviewer system | Implemented (v5.35.0) | 5 specialist reviewers in `skills/quality-gates.md`; execution in run.sh |
 | Benchmarks (HumanEval, SWE-bench) | Infrastructure only | Runner scripts and datasets exist in `benchmarks/`; no published results |
 
-**v5.35.0 | checkpoint/restore, GitHub Action provider-agnostic | ~260 lines core**
+**v5.36.0 | security hardening: auth wiring, salted hashing, non-root Docker, shell injection fix | ~260 lines core**

package/VERSION

@@ -1 +1 @@
-5.35.0
+5.36.0

package/autonomy/run.sh

@@ -3333,7 +3333,24 @@ check_staged_autonomy() {
 }
 
 check_command_allowed() {
-    # Check if a command is in the blocked list
+    # Check if a command string contains any blocked patterns from BLOCKED_COMMANDS.
+    #
+    # SECURITY NOTE: This function is intentionally NOT called by run.sh because
+    # run.sh does not directly execute arbitrary shell commands from user or agent
+    # input. Command execution is handled by the AI CLI's own permission model:
+    #   - Claude Code: --dangerously-skip-permissions (with its own allowlist)
+    #   - Codex CLI: --full-auto or exec --dangerously-bypass-approvals-and-sandbox
+    #   - Gemini CLI: --approval-mode=yolo
+    #
+    # HUMAN_INPUT.md content is injected as a text prompt to the AI agent (not
+    # executed as a shell command), and is already guarded by:
+    #   - LOKI_PROMPT_INJECTION=false by default (disabled unless explicitly enabled)
+    #   - Symlink rejection (prevents path traversal attacks)
+    #   - 1MB file size limit
+    #
+    # This function is retained as a utility for external callers (sandbox.sh,
+    # custom hooks, or user scripts) that may need to validate commands against
+    # the BLOCKED_COMMANDS list before execution.
     local command="$1"
 
     IFS=',' read -ra BLOCKED_ARRAY <<< "$BLOCKED_COMMANDS"

package/autonomy/sandbox.sh

@@ -727,7 +727,7 @@ docker_desktop_sandbox_prompt() {
     docker sandbox exec -w "$PROJECT_DIR" \
         ${DESKTOP_ENV_ARGS[@]+"${DESKTOP_ENV_ARGS[@]}"} \
         "$DESKTOP_SANDBOX_NAME" \
-        bash -c "echo '$message' > ${PROJECT_DIR}/.loki/HUMAN_INPUT.md"
+        bash -c "printf '%s\n' \"\$1\" > ${PROJECT_DIR}/.loki/HUMAN_INPUT.md" -- "$message"
 
     log_success "Prompt sent to sandbox"
 }

package/dashboard/__init__.py

@@ -7,7 +7,7 @@ Modules:
     control: Session control API (start/stop/pause/resume)
 """
 
-__version__ = "5.35.0"
+__version__ = "5.36.0"
 
 # Expose the control app for easy import
 try:

package/dashboard/auth.py

@@ -53,9 +53,20 @@ def _save_tokens(tokens: dict) -> None:
         json.dump(tokens, f, indent=2, default=str)
 
 
-def _hash_token(token: str) -> str:
-    """Hash a token for storage."""
-    return hashlib.sha256(token.encode()).hexdigest()
+def _hash_token(token: str, salt: str = None) -> tuple[str, str]:
+    """Hash a token for storage with a per-token random salt.
+
+    Args:
+        token: The raw token string to hash.
+        salt: Optional salt. If None, a new random salt is generated.
+
+    Returns:
+        Tuple of (hex_digest, salt).
+    """
+    if salt is None:
+        salt = secrets.token_hex(16)
+    digest = hashlib.sha256((salt + token).encode()).hexdigest()
+    return digest, salt
 
 
 def _constant_time_compare(a: str, b: str) -> bool:
@@ -94,7 +105,7 @@ def generate_token(
 
     # Generate secure random token
     raw_token = f"loki_{secrets.token_urlsafe(32)}"
-    token_hash = _hash_token(raw_token)
+    token_hash, token_salt = _hash_token(raw_token)
     token_id = token_hash[:12]
 
     tokens = _load_tokens()
@@ -114,6 +125,7 @@ def generate_token(
         "id": token_id,
         "name": name,
         "hash": token_hash,
+        "salt": token_salt,
         "scopes": scopes or ["*"],
         "created_at": datetime.now(timezone.utc).isoformat(),
         "expires_at": expires_at,
@@ -229,11 +241,12 @@ def validate_token(raw_token: str) -> Optional[dict]:
     if not raw_token or not raw_token.startswith("loki_"):
         return None
 
-    token_hash = _hash_token(raw_token)
     tokens = _load_tokens()
 
     # Find matching token (using constant-time comparison to prevent timing attacks)
     for token in tokens["tokens"].values():
+        stored_salt = token.get("salt", "")
+        token_hash, _ = _hash_token(raw_token, salt=stored_salt)
         if _constant_time_compare(token["hash"], token_hash):
             # Check if revoked
             if token.get("revoked"):

package/dashboard/requirements.txt

@@ -1,8 +1,8 @@
 # Loki Mode Dashboard Dependencies
-fastapi>=0.109.0
-uvicorn[standard]>=0.27.0
-sqlalchemy>=2.0.0
-aiosqlite>=0.19.0
-greenlet>=3.0.0
-pydantic>=2.0.0
-websockets>=12.0
+fastapi==0.115.6
+uvicorn[standard]==0.34.0
+sqlalchemy==2.0.36
+aiosqlite==0.20.0
+greenlet==3.1.1
+pydantic==2.10.4
+websockets==14.1

package/dashboard/server.py

@@ -8,6 +8,8 @@ import asyncio
 import json
 import logging
 import os
+import time
+from collections import defaultdict
 from contextlib import asynccontextmanager
 from datetime import datetime, timedelta, timezone
 from pathlib import Path as _Path
@@ -43,6 +45,29 @@ from . import registry
 from . import auth
 from . import audit
 
+# ---------------------------------------------------------------------------
+# Simple in-memory rate limiter for control endpoints
+# ---------------------------------------------------------------------------
+
+class _RateLimiter:
+    """Simple in-memory rate limiter for control endpoints."""
+
+    def __init__(self, max_calls: int = 10, window_seconds: int = 60):
+        self._max_calls = max_calls
+        self._window = window_seconds
+        self._calls: dict[str, list[float]] = defaultdict(list)
+
+    def check(self, key: str) -> bool:
+        now = time.time()
+        self._calls[key] = [t for t in self._calls[key] if now - t < self._window]
+        if len(self._calls[key]) >= self._max_calls:
+            return False
+        self._calls[key].append(now)
+        return True
+
+
+_control_limiter = _RateLimiter(max_calls=10, window_seconds=60)
+
 # Set up logging
 logger = logging.getLogger(__name__)
 
@@ -440,7 +465,7 @@ async def get_project(
     )
 
 
-@app.put("/api/projects/{project_id}", response_model=ProjectResponse)
+@app.put("/api/projects/{project_id}", response_model=ProjectResponse, dependencies=[Depends(auth.require_scope("control"))])
 async def update_project(
     project_id: int,
     project_update: ProjectUpdate,
@@ -486,7 +511,7 @@ async def update_project(
     )
 
 
-@app.delete("/api/projects/{project_id}", status_code=204)
+@app.delete("/api/projects/{project_id}", status_code=204, dependencies=[Depends(auth.require_scope("control"))])
 async def delete_project(
     project_id: int,
     db: AsyncSession = Depends(get_db),
@@ -662,7 +687,7 @@ async def get_task(
     return TaskResponse.model_validate(task)
 
 
-@app.put("/api/tasks/{task_id}", response_model=TaskResponse)
+@app.put("/api/tasks/{task_id}", response_model=TaskResponse, dependencies=[Depends(auth.require_scope("control"))])
 async def update_task(
     task_id: int,
     task_update: TaskUpdate,
@@ -703,7 +728,7 @@ async def update_task(
     return TaskResponse.model_validate(task)
 
 
-@app.delete("/api/tasks/{task_id}", status_code=204)
+@app.delete("/api/tasks/{task_id}", status_code=204, dependencies=[Depends(auth.require_scope("control"))])
 async def delete_task(
     task_id: int,
     db: AsyncSession = Depends(get_db),
@@ -890,7 +915,7 @@ async def get_registered_project(identifier: str):
     return project
 
 
-@app.delete("/api/registry/projects/{identifier}", status_code=204)
+@app.delete("/api/registry/projects/{identifier}", status_code=204, dependencies=[Depends(auth.require_scope("control"))])
 async def unregister_project(identifier: str):
     """Remove a project from the registry."""
     if not registry.unregister_project(identifier):
@@ -1028,7 +1053,7 @@ async def list_tokens(include_revoked: bool = False):
     return auth.list_tokens(include_revoked=include_revoked)
 
 
-@app.delete("/api/enterprise/tokens/{identifier}")
+@app.delete("/api/enterprise/tokens/{identifier}", dependencies=[Depends(auth.require_scope("admin"))])
 async def revoke_token(identifier: str, permanent: bool = False):
     """
     Revoke or delete a token (enterprise only).
@@ -1606,18 +1631,22 @@ def _read_events(time_range: str = "7d") -> list:
 
 
 # Session control endpoints (proxy to control.py functions)
-@app.post("/api/control/pause")
+@app.post("/api/control/pause", dependencies=[Depends(auth.require_scope("control"))])
 async def pause_session():
     """Pause the current session by creating PAUSE file."""
+    if not _control_limiter.check("control"):
+        raise HTTPException(status_code=429, detail="Rate limit exceeded")
     pause_file = _get_loki_dir() / "PAUSE"
     pause_file.parent.mkdir(parents=True, exist_ok=True)
     pause_file.write_text(datetime.now(timezone.utc).isoformat())
     return {"success": True, "message": "Session paused"}
 
 
-@app.post("/api/control/resume")
+@app.post("/api/control/resume", dependencies=[Depends(auth.require_scope("control"))])
 async def resume_session():
     """Resume a paused session by removing PAUSE/STOP files."""
+    if not _control_limiter.check("control"):
+        raise HTTPException(status_code=429, detail="Rate limit exceeded")
     for fname in ["PAUSE", "STOP"]:
         fpath = _get_loki_dir() / fname
         try:
@@ -1627,9 +1656,11 @@ async def resume_session():
     return {"success": True, "message": "Session resumed"}
 
 
-@app.post("/api/control/stop")
+@app.post("/api/control/stop", dependencies=[Depends(auth.require_scope("control"))])
 async def stop_session():
     """Stop the session by creating STOP file and sending SIGTERM."""
+    if not _control_limiter.check("control"):
+        raise HTTPException(status_code=429, detail="Rate limit exceeded")
     stop_file = _get_loki_dir() / "STOP"
     stop_file.parent.mkdir(parents=True, exist_ok=True)
     stop_file.write_text(datetime.now(timezone.utc).isoformat())
@@ -2132,7 +2163,7 @@ async def create_checkpoint(body: CheckpointCreate = None):
 # =============================================================================
 
 @app.get("/api/agents")
-async def get_agents():
+async def get_agents(token: Optional[dict] = Depends(auth.get_current_token)):
     """Get all active and recent agents."""
     agents_file = _get_loki_dir() / "state" / "agents.json"
     agents = []
@@ -2187,9 +2218,11 @@ async def get_agents():
     return agents
 
 
-@app.post("/api/agents/{agent_id}/kill")
+@app.post("/api/agents/{agent_id}/kill", dependencies=[Depends(auth.require_scope("control"))])
 async def kill_agent(agent_id: str):
     """Kill a specific agent by ID."""
+    if not _control_limiter.check("control"):
+        raise HTTPException(status_code=429, detail="Rate limit exceeded")
     agent_id = _sanitize_agent_id(agent_id)
     agents_file = _get_loki_dir() / "state" / "agents.json"
     if not agents_file.exists():
@@ -2234,9 +2267,11 @@ async def kill_agent(agent_id: str):
         )
 
 
-@app.post("/api/agents/{agent_id}/pause")
+@app.post("/api/agents/{agent_id}/pause", dependencies=[Depends(auth.require_scope("control"))])
 async def pause_agent(agent_id: str):
     """Pause a specific agent by writing a pause signal."""
+    if not _control_limiter.check("control"):
+        raise HTTPException(status_code=429, detail="Rate limit exceeded")
     agent_id = _sanitize_agent_id(agent_id)
     signal_dir = _get_loki_dir() / "signals"
     signal_dir.mkdir(parents=True, exist_ok=True)
@@ -2246,9 +2281,11 @@ async def pause_agent(agent_id: str):
     return {"success": True, "message": f"Pause signal sent to agent {agent_id}"}
 
 
-@app.post("/api/agents/{agent_id}/resume")
+@app.post("/api/agents/{agent_id}/resume", dependencies=[Depends(auth.require_scope("control"))])
 async def resume_agent(agent_id: str):
     """Resume a paused agent."""
+    if not _control_limiter.check("control"):
+        raise HTTPException(status_code=429, detail="Rate limit exceeded")
     agent_id = _sanitize_agent_id(agent_id)
     signal_file = _get_loki_dir() / "signals" / f"PAUSE_AGENT_{agent_id}"
     try:
@@ -2259,7 +2296,7 @@ async def resume_agent(agent_id: str):
 
 
 @app.get("/api/logs")
-async def get_logs(lines: int = 100):
+async def get_logs(lines: int = 100, token: Optional[dict] = Depends(auth.get_current_token)):
     """Get recent log entries from session log files."""
     log_dir = _get_loki_dir() / "logs"
     entries = []

package/docs/INSTALLATION.md

@@ -2,7 +2,7 @@
 
 Complete installation instructions for all platforms and use cases.
 
-**Version:** v5.35.0
+**Version:** v5.36.0
 
 ---
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "loki-mode",
-  "version": "5.35.0",
+  "version": "5.36.0",
   "description": "Multi-agent autonomous startup system for Claude Code, Codex CLI, and Gemini CLI",
   "keywords": [
     "claude",