loki-mode 5.37.0 → 5.37.1

package/SKILL.md

@@ -3,7 +3,7 @@ name: loki-mode
 description: Multi-agent autonomous startup system. Triggers on "Loki Mode". Takes PRD to deployed product with zero human intervention. Requires --dangerously-skip-permissions flag.
 ---
 
-# Loki Mode v5.37.0
+# Loki Mode v5.37.1
 
 **You are an autonomous agent. You make decisions. You do not ask questions. You do not stop.**
 
@@ -260,4 +260,4 @@ The following features are documented in skill modules but not yet fully automat
 | Quality gates 3-reviewer system | Implemented (v5.35.0) | 5 specialist reviewers in `skills/quality-gates.md`; execution in run.sh |
 | Benchmarks (HumanEval, SWE-bench) | Infrastructure only | Runner scripts and datasets exist in `benchmarks/`; no published results |
 
-**v5.37.0 | enterprise: TLS, OIDC/SSO, audit default-on, budget controls, watchdog, secrets, OpenClaw | ~260 lines core**
+**v5.37.1 | security: WebSocket auth, RBAC roles, syslog forwarding, sandbox hardening | ~260 lines core**

package/VERSION

@@ -1 +1 @@
-5.37.0
+5.37.1

package/autonomy/sandbox.sh

@@ -820,8 +820,8 @@ start_sandbox() {
         "--security-opt=no-new-privileges:true"
         "--cap-drop=ALL"
         "--cap-add=CHOWN"
-        "--cap-add=SETUID"
-        "--cap-add=SETGID"
+        # SETUID/SETGID intentionally omitted: container runs as non-root (UID 1000)
+        # and should not be able to change UID/GID, which would undermine isolation
 
         # Network
         "--network=$SANDBOX_NETWORK"

package/dashboard/__init__.py

@@ -7,7 +7,7 @@ Modules:
     control: Session control API (start/stop/pause/resume)
 """
 
-__version__ = "5.37.0"
+__version__ = "5.37.1"
 
 # Expose the control app for easy import
 try:

package/dashboard/audit.py

@@ -5,10 +5,19 @@ Enabled by default. Disable with LOKI_AUDIT_DISABLED=true environment variable.
 Legacy env var LOKI_ENTERPRISE_AUDIT=true always enables audit (backward compat).
 
 Audit logs: ~/.loki/dashboard/audit/
+
+Syslog forwarding (optional):
+  Set LOKI_AUDIT_SYSLOG_HOST to enable forwarding to a centralized syslog server.
+  LOKI_AUDIT_SYSLOG_PORT defaults to 514.
+  LOKI_AUDIT_SYSLOG_PROTO defaults to "udp" (also supports "tcp").
 """
 
 import json
+import logging
+import logging.handlers
 import os
+import socket
+import sys
 from datetime import datetime, timezone
 from pathlib import Path
 from typing import Any, Optional
@@ -25,6 +34,38 @@ AUDIT_DIR = Path.home() / ".loki" / "dashboard" / "audit"
 MAX_LOG_SIZE_MB = int(os.environ.get("LOKI_AUDIT_MAX_SIZE_MB", "10"))
 MAX_LOG_FILES = int(os.environ.get("LOKI_AUDIT_MAX_FILES", "10"))
 
+# Syslog forwarding (optional, off by default)
+_SYSLOG_HOST = os.environ.get("LOKI_AUDIT_SYSLOG_HOST", "").strip()
+_SYSLOG_PORT = int(os.environ.get("LOKI_AUDIT_SYSLOG_PORT", "514"))
+_SYSLOG_PROTO = os.environ.get("LOKI_AUDIT_SYSLOG_PROTO", "udp").lower().strip()
+
+# Actions considered security-relevant (logged at WARNING level in syslog)
+_SECURITY_ACTIONS = frozenset({
+    "delete", "kill", "stop", "login", "logout",
+    "create_token", "revoke_token",
+})
+
+_syslog_handler: logging.handlers.SysLogHandler | None = None
+SYSLOG_ENABLED: bool = False
+
+if _SYSLOG_HOST:
+    try:
+        _socktype = socket.SOCK_STREAM if _SYSLOG_PROTO == "tcp" else socket.SOCK_DGRAM
+        _syslog_handler = logging.handlers.SysLogHandler(
+            address=(_SYSLOG_HOST, _SYSLOG_PORT),
+            facility=logging.handlers.SysLogHandler.LOG_LOCAL0,
+            socktype=_socktype,
+        )
+        _syslog_handler.setFormatter(logging.Formatter("loki-audit: %(message)s"))
+        SYSLOG_ENABLED = True
+    except Exception as _exc:
+        print(
+            f"[loki-audit] WARNING: Failed to configure syslog handler "
+            f"({_SYSLOG_HOST}:{_SYSLOG_PORT}/{_SYSLOG_PROTO}): {_exc}",
+            file=sys.stderr,
+        )
+        _syslog_handler = None
+
 
 def _ensure_audit_dir() -> None:
     """Ensure the audit directory exists."""
@@ -68,6 +109,30 @@ def _cleanup_old_logs() -> None:
         oldest.unlink()
 
 
+def _forward_to_syslog(entry: dict) -> None:
+    """Forward an audit entry to syslog if configured. Fire-and-forget."""
+    if _syslog_handler is None:
+        return
+    try:
+        message = json.dumps(entry, separators=(",", ":"))
+        action = entry.get("action", "")
+        is_security = action in _SECURITY_ACTIONS or not entry.get("success", True)
+        level = logging.WARNING if is_security else logging.INFO
+        record = logging.LogRecord(
+            name="loki-audit",
+            level=level,
+            pathname="",
+            lineno=0,
+            msg=message,
+            args=(),
+            exc_info=None,
+        )
+        _syslog_handler.emit(record)
+    except Exception:
+        # Fire-and-forget: never block the main audit write path
+        pass
+
+
 def log_event(
     action: str,
     resource_type: str,
@@ -121,6 +186,9 @@ def log_event(
     with open(log_file, "a") as f:
         f.write(json.dumps(entry) + "\n")
 
+    # Forward to syslog if configured
+    _forward_to_syslog(entry)
+
     return entry
 
 

package/dashboard/auth.py

@@ -35,6 +35,23 @@ OIDC_CLIENT_ID = os.environ.get("LOKI_OIDC_CLIENT_ID", "")
 OIDC_AUDIENCE = os.environ.get("LOKI_OIDC_AUDIENCE", "")  # Usually same as client_id
 OIDC_ENABLED = bool(OIDC_ISSUER and OIDC_CLIENT_ID)
 
+# Role-to-scope mapping (predefined roles)
+ROLES = {
+    "admin": ["*"],  # Full access
+    "operator": ["control", "read", "write"],  # Start/stop/pause, view+edit dashboard
+    "viewer": ["read"],  # Read-only dashboard access
+    "auditor": ["read", "audit"],  # Read dashboard + audit logs
+}
+
+# Scope hierarchy: higher scopes implicitly grant lower ones (single-level lookup).
+# * -> control -> write -> read
+# Each scope explicitly lists ALL scopes it grants (no transitive resolution).
+_SCOPE_HIERARCHY = {
+    "*": {"control", "write", "read", "audit", "admin"},
+    "control": {"write", "read"},
+    "write": {"read"},
+}
+
 if OIDC_ENABLED:
     import logging as _logging
     _logging.getLogger("loki.auth").warning(
@@ -98,10 +115,39 @@ def _constant_time_compare(a: str, b: str) -> bool:
     return secrets.compare_digest(a.encode(), b.encode())
 
 
+def resolve_scopes(role_or_scopes) -> list[str]:
+    """Resolve a role name or scope list into a concrete list of scopes.
+
+    Args:
+        role_or_scopes: Either a role name (str), a single scope (str),
+                        or a list of scopes.
+
+    Returns:
+        List of scope strings.
+    """
+    if isinstance(role_or_scopes, list):
+        return role_or_scopes
+    if isinstance(role_or_scopes, str):
+        if role_or_scopes in ROLES:
+            return list(ROLES[role_or_scopes])
+        return [role_or_scopes]
+    return ["*"]
+
+
+def list_roles() -> dict[str, list[str]]:
+    """Return the predefined role-to-scope mapping.
+
+    Returns:
+        Dict mapping role names to their scope lists.
+    """
+    return dict(ROLES)
+
+
 def generate_token(
     name: str,
     scopes: Optional[list[str]] = None,
     expires_days: Optional[int] = None,
+    role: Optional[str] = None,
 ) -> dict:
     """
     Generate a new API token.
@@ -110,12 +156,16 @@ def generate_token(
         name: Human-readable name for the token
         scopes: Optional list of permission scopes (default: all)
         expires_days: Optional expiration in days (None = never expires)
+        role: Optional role name (admin, operator, viewer, auditor).
+              If provided, scopes are resolved from the role.
+              Cannot be combined with explicit scopes.
 
     Returns:
         Dict with token info (includes raw token - only shown once)
 
     Raises:
-        ValueError: If name is empty/too long or expires_days is invalid
+        ValueError: If name is empty/too long, expires_days is invalid,
+                    or role is unrecognized
     """
     # Validate inputs
     if not name or not name.strip():
@@ -124,9 +174,19 @@ def generate_token(
         raise ValueError("Token name too long (max 255 characters)")
     if expires_days is not None and expires_days <= 0:
         raise ValueError("expires_days must be positive (or None for no expiration)")
+    if role is not None and role not in ROLES:
+        raise ValueError(
+            f"Unknown role '{role}'. Valid roles: {', '.join(ROLES.keys())}"
+        )
 
     name = name.strip()
 
+    # Resolve scopes: role takes precedence if provided
+    if role is not None:
+        resolved_scopes = resolve_scopes(role)
+    else:
+        resolved_scopes = scopes
+
     # Generate secure random token
     raw_token = f"loki_{secrets.token_urlsafe(32)}"
     token_hash, token_salt = _hash_token(raw_token)
@@ -150,12 +210,14 @@ def generate_token(
         "name": name,
         "hash": token_hash,
         "salt": token_salt,
-        "scopes": scopes or ["*"],
+        "scopes": resolved_scopes or ["*"],
         "created_at": datetime.now(timezone.utc).isoformat(),
         "expires_at": expires_at,
         "last_used": None,
         "revoked": False,
     }
+    if role is not None:
+        token_entry["role"] = role
 
     tokens["tokens"][token_id] = token_entry
     _save_tokens(tokens)
@@ -247,6 +309,8 @@ def list_tokens(include_revoked: bool = False) -> list[dict]:
             "last_used": token.get("last_used"),
             "revoked": token.get("revoked", False),
         }
+        if "role" in token:
+            safe_token["role"] = token["role"]
         result.append(safe_token)
 
     return result
@@ -297,17 +361,32 @@ def validate_token(raw_token: str) -> Optional[dict]:
 
 def has_scope(token_info: dict, required_scope: str) -> bool:
     """
-    Check if a token has a required scope.
+    Check if a token has a required scope, respecting scope hierarchy.
+
+    Hierarchy (higher scopes implicitly grant lower ones):
+        * -> control -> write -> read
+        * also grants audit, admin, and all other scopes
 
     Args:
         token_info: Token metadata from validate_token
         required_scope: The scope to check
 
     Returns:
-        True if token has the scope (or wildcard)
+        True if token has the scope (directly or via hierarchy)
     """
     scopes = token_info.get("scopes", [])
-    return "*" in scopes or required_scope in scopes
+
+    # Direct match
+    if required_scope in scopes:
+        return True
+
+    # Check hierarchy: does any held scope implicitly grant the required one?
+    for scope in scopes:
+        implied = _SCOPE_HIERARCHY.get(scope, set())
+        if required_scope in implied:
+            return True
+
+    return False
 
 
 # ---------------------------------------------------------------------------

package/dashboard/server.py

@@ -246,7 +246,13 @@ app = FastAPI(
 # Add CORS middleware - restricted to localhost by default.
 # Set LOKI_DASHBOARD_CORS to override (comma-separated origins).
 _cors_default = "http://localhost:57374,http://127.0.0.1:57374"
-_cors_origins = os.environ.get("LOKI_DASHBOARD_CORS", _cors_default).split(",")
+_cors_raw = os.environ.get("LOKI_DASHBOARD_CORS", _cors_default)
+if _cors_raw.strip() == "*":
+    logger.warning(
+        "LOKI_DASHBOARD_CORS is set to '*' -- all origins are allowed. "
+        "This is insecure for production deployments."
+    )
+_cors_origins = _cors_raw.split(",")
 app.add_middleware(
     CORSMiddleware,
     allow_origins=[o.strip() for o in _cors_origins if o.strip()],
@@ -827,7 +833,36 @@ async def move_task(
 # WebSocket endpoint
 @app.websocket("/ws")
 async def websocket_endpoint(websocket: WebSocket) -> None:
-    """WebSocket endpoint for real-time updates."""
+    """WebSocket endpoint for real-time updates.
+
+    When enterprise auth or OIDC is enabled, a valid token must be passed
+    as a query parameter: ``/ws?token=loki_xxx`` (or a JWT for OIDC).
+    Browsers cannot send Authorization headers on WebSocket upgrade
+    requests, so query-parameter auth is the standard approach.
+    """
+    # --- WebSocket authentication gate ---
+    # NOTE: Query-parameter auth is used because browsers cannot send
+    # Authorization headers on WS upgrade. Tokens may appear in reverse
+    # proxy access logs -- configure log sanitization for /ws in production.
+    # FastAPI Depends() is not supported on @app.websocket() routes.
+    if auth.is_enterprise_mode() or auth.is_oidc_mode():
+        ws_token: Optional[str] = websocket.query_params.get("token")
+        if not ws_token:
+            await websocket.close(code=1008)  # Policy Violation
+            return
+
+        token_info: Optional[dict] = None
+        # Try OIDC first for JWT-style tokens
+        if auth.is_oidc_mode() and not ws_token.startswith("loki_"):
+            token_info = auth.validate_oidc_token(ws_token)
+        # Fall back to enterprise token auth
+        if token_info is None and auth.is_enterprise_mode():
+            token_info = auth.validate_token(ws_token)
+
+        if token_info is None:
+            await websocket.close(code=1008)  # Policy Violation
+            return
+
     await manager.connect(websocket)
     try:
         # Send initial connection confirmation

package/docs/INSTALLATION.md

@@ -2,7 +2,7 @@
 
 Complete installation instructions for all platforms and use cases.
 
-**Version:** v5.37.0
+**Version:** v5.37.1
 
 ---
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "loki-mode",
-  "version": "5.37.0",
+  "version": "5.37.1",
   "description": "Multi-agent autonomous startup system for Claude Code, Codex CLI, and Gemini CLI",
   "keywords": [
     "claude",

package/providers/gemini.sh

@@ -49,7 +49,7 @@ PROVIDER_MAX_PARALLEL=1
 
 # Model Configuration
 # Gemini CLI supports --model flag to specify model
-# Primary: gemini-3-pro-preview (latest as of Jan 2026)
+# Primary: gemini-3-pro-preview (preview names - may change when GA is released)
 # Fallback: gemini-3-flash-preview (for rate limit scenarios)
 PROVIDER_MODEL="gemini-3-pro-preview"
 PROVIDER_MODEL_FALLBACK="gemini-3-flash-preview"
@@ -69,7 +69,9 @@ PROVIDER_TASK_MODEL_VALUES=()
 # Context and Limits
 PROVIDER_CONTEXT_WINDOW=1000000  # Gemini 3 has 1M context
 PROVIDER_MAX_OUTPUT_TOKENS=65536
-PROVIDER_RATE_LIMIT_RPM=60
+# Rate limit varies by tier: Free=5-15 RPM, Tier1=150+ RPM, Tier2=500+ RPM
+# Default to conservative free-tier value; override with LOKI_GEMINI_RPM env var
+PROVIDER_RATE_LIMIT_RPM="${LOKI_GEMINI_RPM:-15}"
 
 # Cost (USD per 1K tokens, approximate for Gemini 3 Pro)
 PROVIDER_COST_INPUT_PLANNING=0.00125