loki-mode 5.46.0 → 5.48.0

package/README.md

@@ -13,7 +13,7 @@
 [![HumanEval](https://img.shields.io/badge/HumanEval-98.17%25%20Pass%401-brightgreen)](benchmarks/results/)
 [![SWE-bench](https://img.shields.io/badge/SWE--bench-99.67%25%20Patch%20Gen-brightgreen)](benchmarks/results/)
 
-**Current Version: v5.46.0**
+**Current Version: v5.47.0**
 
 **[Autonomi](https://www.autonomi.dev/)** | **[Documentation](https://www.autonomi.dev/docs)** | **[GitHub](https://github.com/asklokesh/loki-mode)**
 

package/SKILL.md

@@ -3,7 +3,7 @@ name: loki-mode
 description: Multi-agent autonomous startup system. Triggers on "Loki Mode". Takes PRD to deployed product with zero human intervention. Requires --dangerously-skip-permissions flag.
 ---
 
-# Loki Mode v5.46.0
+# Loki Mode v5.48.0
 
 **You are an autonomous agent. You make decisions. You do not ask questions. You do not stop.**
 
@@ -262,4 +262,4 @@ The following features are documented in skill modules but not yet fully automat
 | Quality gates 3-reviewer system | Implemented (v5.35.0) | 5 specialist reviewers in `skills/quality-gates.md`; execution in run.sh |
 | Benchmarks (HumanEval, SWE-bench) | Infrastructure only | Runner scripts and datasets exist in `benchmarks/`; no published results |
 
-**v5.46.0 | [Autonomi](https://www.autonomi.dev/) flagship product | ~260 lines core**
+**v5.48.0 | [Autonomi](https://www.autonomi.dev/) flagship product | ~260 lines core**

package/VERSION

@@ -1 +1 @@
-5.46.0
+5.48.0

package/autonomy/app-runner.sh

@@ -395,8 +395,9 @@ _install_node_deps() {
 _install_python_deps() {
     local dir="$1"
     if [ -f "$dir/requirements.txt" ]; then
-        log_step "App Runner: installing Python dependencies (background)..."
-        (cd "$dir" && pip install -r requirements.txt >> "$_APP_RUNNER_DIR/app.log" 2>&1) &
+        log_step "App Runner: installing Python dependencies..."
+        (cd "$dir" && pip install -r requirements.txt >> "$_APP_RUNNER_DIR/app.log" 2>&1) || \
+            log_warn "App Runner: pip install failed, app may not start"
     fi
 }
 
@@ -425,14 +426,18 @@ app_runner_start() {
     _rotate_app_log
 
     # Start the process in a new process group
-    (cd "$dir" && setsid bash -c "$_APP_RUNNER_METHOD" >> "$_APP_RUNNER_DIR/app.log" 2>&1) &
+    if command -v setsid >/dev/null 2>&1; then
+        (cd "$dir" && setsid bash -c "$_APP_RUNNER_METHOD" >> "$_APP_RUNNER_DIR/app.log" 2>&1) &
+    else
+        (cd "$dir" && bash -c "$_APP_RUNNER_METHOD" >> "$_APP_RUNNER_DIR/app.log" 2>&1) &
+    fi
     _APP_RUNNER_PID=$!
 
     # Write PID file
     echo "$_APP_RUNNER_PID" > "$_APP_RUNNER_DIR/app.pid"
 
     # Capture initial git diff hash for change detection
-    _GIT_DIFF_HASH=$(cd "$dir" && git diff --stat 2>/dev/null | md5sum 2>/dev/null | awk '{print $1}' || echo "none")
+    _GIT_DIFF_HASH=$(cd "$dir" && git diff --stat 2>/dev/null | (md5sum 2>/dev/null || md5 -r 2>/dev/null) | awk '{print $1}' || echo "none")
 
     # Brief pause for process to initialize
     sleep 2
@@ -557,7 +562,7 @@ app_runner_should_restart() {
 
     # Get current git diff hash
     local current_hash
-    current_hash=$(cd "$dir" && git diff --stat 2>/dev/null | md5sum 2>/dev/null | awk '{print $1}' || echo "none")
+    current_hash=$(cd "$dir" && git diff --stat 2>/dev/null | (md5sum 2>/dev/null || md5 -r 2>/dev/null) | awk '{print $1}' || echo "none")
 
     # No change
     if [ "$current_hash" = "$_GIT_DIFF_HASH" ]; then
@@ -631,7 +636,7 @@ app_runner_watchdog() {
     # Clear PID and restart
     rm -f "$_APP_RUNNER_DIR/app.pid"
     _APP_RUNNER_PID=""
-    app_runner_start
+    app_runner_start || log_warn "App Runner: auto-restart failed"
 }
 
 #===============================================================================

package/autonomy/checklist-verify.py

@@ -32,7 +32,7 @@ from pathlib import Path
 
 # Allowed characters in check paths and patterns (security: prevent injection)
 _SAFE_PATH_RE = re.compile(r'^[a-zA-Z0-9_\-./\*\[\]{}?]+$')
-_SAFE_PATTERN_RE = re.compile(r'^[a-zA-Z0-9_\-./\*\[\]{}?|\\()+^$\s]+$')
+_SAFE_PATTERN_RE = re.compile(r'^[a-zA-Z0-9_\-./\*\[\]{}?|\\()+^$\s:=<>@#"\'`,;!&%]+$')
 
 
 def _validate_path(path: str, project_dir: str) -> str:
@@ -170,7 +170,8 @@ def run_check(check: dict, project_dir: str, timeout: int) -> dict:
         elif check_type == "http_check":
             path = check.get("path", "/")
             # Validate path is safe
-            if path and not _SAFE_PATH_RE.match(path.lstrip("/")):
+            stripped = path.lstrip("/")
+            if stripped and not _SAFE_PATH_RE.match(stripped):
                 result["passed"] = None
                 result["output"] = f"Unsafe path rejected: {path!r}"
             else:

package/autonomy/completion-council.sh

@@ -461,6 +461,124 @@ try:
 except: print('Results unavailable')
 " >> "$evidence_file" 2>/dev/null || echo "Playwright data unavailable" >> "$evidence_file"
     fi
+
+    # Add hard gate status
+    if [ -f "$COUNCIL_STATE_DIR/gate-block.json" ]; then
+        echo "" >> "$evidence_file"
+        echo "## Hard Gate Status: BLOCKED" >> "$evidence_file"
+        echo "Critical checklist items are failing. Completion is blocked until resolved." >> "$evidence_file"
+        cat "$COUNCIL_STATE_DIR/gate-block.json" >> "$evidence_file"
+    fi
+}
+
+#===============================================================================
+# Council Reverify Checklist - Re-run checklist before evaluation
+#===============================================================================
+
+# Re-verify checklist before council evaluation to ensure fresh data
+council_reverify_checklist() {
+    if type checklist_verify &>/dev/null && [ -f ".loki/checklist/checklist.json" ]; then
+        log_info "[Council] Re-verifying checklist before evaluation..."
+        checklist_verify 2>/dev/null || true
+    fi
+}
+
+#===============================================================================
+# Council Checklist Hard Gate - Block completion on critical failures
+#===============================================================================
+
+# Council hard gate: blocks completion if critical checklist items are failing
+# Returns 0 if gate passes (ok to complete), 1 if gate blocks (critical failures exist)
+council_checklist_gate() {
+    local results_file=".loki/checklist/verification-results.json"
+    local waivers_file=".loki/checklist/waivers.json"
+
+    # No checklist = no gate (backwards compatible)
+    if [ ! -f "$results_file" ]; then
+        return 0
+    fi
+
+    # Check for critical failures, excluding waived items
+    local gate_result
+    gate_result=$(_RESULTS_FILE="$results_file" _WAIVERS_FILE="$waivers_file" python3 -c "
+import json, sys, os
+
+results_file = os.environ['_RESULTS_FILE']
+waivers_file = os.environ.get('_WAIVERS_FILE', '')
+
+try:
+    with open(results_file) as f:
+        results = json.load(f)
+except (json.JSONDecodeError, IOError, KeyError):
+    print('PASS')
+    sys.exit(0)
+
+# Load waivers
+waived_ids = set()
+if waivers_file and os.path.exists(waivers_file):
+    try:
+        with open(waivers_file) as f:
+            waivers = json.load(f)
+        waived_ids = {w['item_id'] for w in waivers.get('waivers', []) if w.get('active', True)}
+    except (json.JSONDecodeError, KeyError):
+        pass
+
+# Find critical failures not waived
+critical_failures = []
+for cat in results.get('categories', []):
+    for item in cat.get('items', []):
+        if item.get('priority') == 'critical' and item.get('status') == 'failing':
+            if item.get('id') not in waived_ids:
+                critical_failures.append(item.get('title', item.get('id', 'unknown')))
+
+if critical_failures:
+    print('BLOCK:' + '|'.join(critical_failures[:5]))
+    sys.exit(0)
+else:
+    print('PASS')
+    sys.exit(0)
+" 2>/dev/null || echo "PASS")
+
+    if [[ "$gate_result" == BLOCK:* ]]; then
+        local failures="${gate_result#BLOCK:}"
+        log_warn "[Council] Hard gate BLOCKED: critical checklist failures: ${failures//|/, }"
+
+        # Write gate block to council state (atomic write via temp file)
+        local gate_file="$COUNCIL_STATE_DIR/gate-block.json"
+        local gate_tmp="${gate_file}.tmp"
+        local timestamp
+        timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+        local failures_json
+        failures_json=$(_FAILURES="$failures" python3 -c "
+import json, os
+items = os.environ['_FAILURES'].split('|')
+print(json.dumps(items))
+" 2>/dev/null || echo '[]')
+        local critical_count
+        critical_count=$(_FAILURES="$failures" python3 -c "
+import os
+print(len(os.environ['_FAILURES'].split('|')))
+" 2>/dev/null || echo '0')
+        cat > "$gate_tmp" << GATE_EOF
+{
+    "status": "blocked",
+    "blocked": true,
+    "blocked_at": "$timestamp",
+    "iteration": ${ITERATION_COUNT:-0},
+    "reason": "critical_checklist_failures",
+    "critical_failures": $critical_count,
+    "failures": $failures_json
+}
+GATE_EOF
+        mv "$gate_tmp" "$gate_file"
+        return 1
+    fi
+
+    # Gate passes
+    if [ -f "$COUNCIL_STATE_DIR/gate-block.json" ]; then
+        rm -f "$COUNCIL_STATE_DIR/gate-block.json"
+    fi
+    return 0
 }
 
 #===============================================================================
@@ -1019,6 +1137,15 @@ council_evaluate() {
 
     log_info "Running council evaluation pipeline (round $ITERATION_COUNT)..."
 
+    # Phase 4: Re-verify checklist for fresh data
+    council_reverify_checklist
+
+    # Phase 4: Hard gate check - block if critical checklist items failing
+    if ! council_checklist_gate; then
+        log_info "[Council] Completion blocked by checklist hard gate"
+        return 1  # CONTINUE - can't complete with critical failures
+    fi
+
     # Step 1: Aggregate votes from all members
     local aggregate_result
     aggregate_result=$(council_aggregate_votes)
@@ -1082,8 +1209,8 @@ council_should_stop() {
         return 1  # Not time to check yet
     fi
 
-    # Run the council vote
-    if council_vote; then
+    # Run the council evaluation (includes hard gate + aggregate votes + devil's advocate)
+    if council_evaluate; then
         log_header "COMPLETION COUNCIL: PROJECT APPROVED"
         log_info "The council has determined this project is complete."
 

package/autonomy/loki

@@ -820,6 +820,14 @@ cmd_resume() {
 
 # Show current status
 cmd_status() {
+    # Check for --json flag
+    while [[ $# -gt 0 ]]; do
+        case "$1" in
+            --json) cmd_status_json; return $? ;;
+            *) shift ;;
+        esac
+    done
+
     require_jq
 
     if [ ! -d "$LOKI_DIR" ]; then
@@ -3123,7 +3131,7 @@ cmd_api() {
             if [ -n "${LOKI_TLS_CERT:-}" ] && [ -n "${LOKI_TLS_KEY:-}" ]; then
                 uvicorn_args="$uvicorn_args --ssl-certfile ${LOKI_TLS_CERT} --ssl-keyfile ${LOKI_TLS_KEY}"
             fi
-            LOKI_DIR="$LOKI_DIR" nohup python3 -m uvicorn dashboard.server:app $uvicorn_args > "$LOKI_DIR/logs/api.log" 2>&1 &
+            LOKI_DIR="$LOKI_DIR" PYTHONPATH="$SKILL_DIR" nohup python3 -m uvicorn dashboard.server:app $uvicorn_args > "$LOKI_DIR/logs/api.log" 2>&1 &
             local new_pid=$!
             echo "$new_pid" > "$pid_file"
 

package/autonomy/prd-checklist.sh

@@ -158,7 +158,9 @@ checklist_summary() {
         return 0
     fi
 
-    _CHECKLIST_RESULTS="$CHECKLIST_RESULTS_FILE" python3 -c "
+    _CHECKLIST_RESULTS="$CHECKLIST_RESULTS_FILE" \
+    _CHECKLIST_WAIVERS="${CHECKLIST_DIR:-".loki/checklist"}/waivers.json" \
+    python3 -c "
 import json, sys, os
 try:
     fpath = os.environ.get('_CHECKLIST_RESULTS', '')
@@ -168,18 +170,39 @@ try:
     verified = s.get('verified', 0)
     failing = s.get('failing', 0)
     pending = s.get('pending', 0)
+
+    # Load waivers
+    waived_ids = set()
+    waivers_path = os.environ.get('_CHECKLIST_WAIVERS', '')
+    if waivers_path and os.path.exists(waivers_path):
+        try:
+            with open(waivers_path) as wf:
+                wdata = json.load(wf)
+            for w in wdata.get('waivers', []):
+                if w.get('active', True):
+                    waived_ids.add(w['item_id'])
+        except Exception:
+            pass
+
+    # Count waived items and adjust failing list
+    waived_count = 0
     if total == 0:
         print('')
     else:
         failing_items = []
         for cat in data.get('categories', []):
             for item in cat.get('items', []):
+                item_id = item.get('id', '')
+                if item_id in waived_ids:
+                    waived_count += 1
+                    continue
                 if item.get('status') == 'failing' and item.get('priority') in ('critical', 'major'):
                     failing_items.append(item.get('title', item.get('id', '?')))
         detail = ''
         if failing_items:
             detail = ' FAILING: ' + ', '.join(failing_items[:5])
-        print(f'{verified}/{total} verified, {failing} failing, {pending} pending.{detail}')
+        waived_str = f', {waived_count} waived' if waived_count > 0 else ''
+        print(f'{verified}/{total} verified, {failing} failing{waived_str}, {pending} pending.{detail}')
 except Exception:
     print('', file=sys.stderr)
 " 2>/dev/null || echo ""
@@ -221,3 +244,141 @@ except Exception:
 " 2>/dev/null || echo "Checklist data unavailable"
     } >> "${evidence_file:-/dev/stdout}"
 }
+
+#===============================================================================
+# Waiver Support (Phase 4)
+#===============================================================================
+
+# Load waivers from .loki/checklist/waivers.json
+# Returns waived item IDs (one per line) to stdout
+checklist_waiver_load() {
+    local waivers_file="${CHECKLIST_DIR:-".loki/checklist"}/waivers.json"
+    if [ ! -f "$waivers_file" ]; then
+        return 0
+    fi
+    _WAIVERS_FILE="$waivers_file" python3 -c "
+import json, sys, os
+try:
+    waivers_file = os.environ['_WAIVERS_FILE']
+    with open(waivers_file) as f:
+        waivers = json.load(f)
+    for w in waivers.get('waivers', []):
+        if w.get('active', True):
+            print(w['item_id'])
+except Exception:
+    pass
+" 2>/dev/null || true
+}
+
+# Add a waiver for a checklist item
+# Usage: checklist_waiver_add <item_id> <reason> [waived_by]
+checklist_waiver_add() {
+    local item_id="${1:?item_id required}"
+    local reason="${2:?reason required}"
+    local waived_by="${3:-manual}"
+    local waivers_file="${CHECKLIST_DIR:-".loki/checklist"}/waivers.json"
+    local timestamp
+    timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+
+    _WAIVERS_FILE="$waivers_file" python3 -c "
+import json, os, sys
+
+waivers_file = os.environ['_WAIVERS_FILE']
+item_id = sys.argv[1]
+reason = sys.argv[2]
+waived_by = sys.argv[3]
+timestamp = sys.argv[4]
+
+# Load existing or create new
+waivers = {'waivers': []}
+if os.path.exists(waivers_file):
+    try:
+        with open(waivers_file) as f:
+            waivers = json.load(f)
+    except (json.JSONDecodeError, IOError):
+        pass
+
+# Check for duplicate
+for w in waivers.get('waivers', []):
+    if w.get('item_id') == item_id and w.get('active', True):
+        print(f'Waiver already exists for {item_id}')
+        sys.exit(0)
+
+# Add new waiver
+waivers.setdefault('waivers', []).append({
+    'item_id': item_id,
+    'reason': reason,
+    'waived_by': waived_by,
+    'waived_at': timestamp,
+    'active': True
+})
+
+# Atomic write
+tmp = waivers_file + '.tmp'
+with open(tmp, 'w') as f:
+    json.dump(waivers, f, indent=2)
+os.replace(tmp, waivers_file)
+print(f'Waiver added for {item_id}')
+" "$item_id" "$reason" "$waived_by" "$timestamp" 2>/dev/null
+}
+
+# Remove (deactivate) a waiver for a checklist item
+# Usage: checklist_waiver_remove <item_id>
+checklist_waiver_remove() {
+    local item_id="${1:?item_id required}"
+    local waivers_file="${CHECKLIST_DIR:-".loki/checklist"}/waivers.json"
+
+    if [ ! -f "$waivers_file" ]; then
+        echo "No waivers file found"
+        return 1
+    fi
+
+    _WAIVERS_FILE="$waivers_file" python3 -c "
+import json, os, sys
+
+waivers_file = os.environ['_WAIVERS_FILE']
+item_id = sys.argv[1]
+
+with open(waivers_file) as f:
+    waivers = json.load(f)
+
+found = False
+for w in waivers.get('waivers', []):
+    if w.get('item_id') == item_id and w.get('active', True):
+        w['active'] = False
+        found = True
+
+if not found:
+    print(f'No active waiver found for {item_id}')
+    sys.exit(1)
+
+tmp = waivers_file + '.tmp'
+with open(tmp, 'w') as f:
+    json.dump(waivers, f, indent=2)
+os.replace(tmp, waivers_file)
+print(f'Waiver removed for {item_id}')
+" "$item_id" 2>/dev/null
+}
+
+# List all active waivers
+checklist_waiver_list() {
+    local waivers_file="${CHECKLIST_DIR:-".loki/checklist"}/waivers.json"
+
+    if [ ! -f "$waivers_file" ]; then
+        echo "No waivers configured"
+        return 0
+    fi
+
+    _WAIVERS_FILE="$waivers_file" python3 -c "
+import json, os
+waivers_file = os.environ['_WAIVERS_FILE']
+with open(waivers_file) as f:
+    waivers = json.load(f)
+active = [w for w in waivers.get('waivers', []) if w.get('active', True)]
+if not active:
+    print('No active waivers')
+else:
+    for w in active:
+        print(f\"  {w['item_id']}: {w.get('reason', 'no reason')} (by {w.get('waived_by', 'unknown')} at {w.get('waived_at', '?')})\")
+" 2>/dev/null
+}

package/autonomy/run.sh

@@ -698,7 +698,7 @@ print(json.dumps(event))
     if [ -z "$json_event" ]; then
         # Escape quotes and special chars for JSON
         local escaped_data
-        escaped_data=$(echo "$event_data" | sed 's/"/\\"/g' | tr -d '\n')
+        escaped_data=$(printf '%s' "$event_data" | sed 's/\\/\\\\/g; s/"/\\"/g; s/	/\\t/g' | tr -d '\n')
         json_event="{\"timestamp\":\"$timestamp\",\"type\":\"$event_type\",\"data\":\"$escaped_data\"}"
     fi
 
@@ -733,8 +733,8 @@ emit_event_json() {
         if [[ "$value" =~ ^[0-9]+$ ]] || [[ "$value" =~ ^(true|false|null)$ ]]; then
             json_data+="\"$key\":$value"
         else
-            # Escape quotes in value
-            value=$(echo "$value" | sed 's/"/\\"/g')
+            # Escape backslashes, quotes, and special chars in value
+            value=$(printf '%s' "$value" | sed 's/\\/\\\\/g; s/"/\\"/g; s/	/\\t/g')
             json_data+="\"$key\":\"$value\""
         fi
         shift
@@ -3511,8 +3511,10 @@ update_agents_state() {
 
     agents_json="${agents_json}]"
 
-    # Write aggregated data
-    echo "$agents_json" > "$output_file"
+    # Write aggregated data (atomic via temp file + mv)
+    local tmp_file="${output_file}.tmp.$$"
+    echo "$agents_json" > "$tmp_file"
+    mv -f "$tmp_file" "$output_file" 2>/dev/null || rm -f "$tmp_file"
 }
 
 #===============================================================================
@@ -5874,7 +5876,7 @@ save_state() {
     "status": "$status",
     "lastExitCode": $exit_code,
     "lastRun": "$(date -u +%Y-%m-%dT%H:%M:%SZ)",
-    "prdPath": "${PRD_PATH:-}",
+    "prdPath": "$(printf '%s' "${PRD_PATH:-}" | sed 's/\\/\\\\/g; s/"/\\"/g')",
     "pid": $$,
     "maxRetries": $MAX_RETRIES,
     "baseWait": $BASE_WAIT
@@ -6843,7 +6845,9 @@ check_human_intervention() {
     if [ -f "$loki_dir/signals/COUNCIL_REVIEW_REQUESTED" ]; then
         log_info "Council force-review requested from dashboard"
         rm -f "$loki_dir/signals/COUNCIL_REVIEW_REQUESTED"
-        if type council_vote &>/dev/null && council_vote; then
+        if type council_checklist_gate &>/dev/null && ! council_checklist_gate; then
+            log_info "Council force-review: blocked by checklist hard gate"
+        elif type council_vote &>/dev/null && council_vote; then
             log_header "COMPLETION COUNCIL: FORCE REVIEW - PROJECT COMPLETE"
             # BUG #17 fix: Write COMPLETED marker, generate council report, and
             # run memory consolidation (matching the normal council approval path
@@ -7452,6 +7456,9 @@ main() {
     audit_agent_action "session_stop" "Session ended" "result=$result,iterations=$ITERATION_COUNT"
 
     # Cleanup
+    if type app_runner_cleanup &>/dev/null; then
+        app_runner_cleanup
+    fi
     stop_dashboard
     stop_status_monitor
     rm -f .loki/loki.pid 2>/dev/null

package/dashboard/__init__.py

@@ -7,7 +7,7 @@ Modules:
     control: Session control API (start/stop/pause/resume)
 """
 
-__version__ = "5.46.0"
+__version__ = "5.48.0"
 
 # Expose the control app for easy import
 try: