loki-mode 5.47.0 → 5.48.0

package/SKILL.md

@@ -3,7 +3,7 @@ name: loki-mode
 description: Multi-agent autonomous startup system. Triggers on "Loki Mode". Takes PRD to deployed product with zero human intervention. Requires --dangerously-skip-permissions flag.
 ---
 
-# Loki Mode v5.47.0
+# Loki Mode v5.48.0
 
 **You are an autonomous agent. You make decisions. You do not ask questions. You do not stop.**
 
@@ -262,4 +262,4 @@ The following features are documented in skill modules but not yet fully automat
 | Quality gates 3-reviewer system | Implemented (v5.35.0) | 5 specialist reviewers in `skills/quality-gates.md`; execution in run.sh |
 | Benchmarks (HumanEval, SWE-bench) | Infrastructure only | Runner scripts and datasets exist in `benchmarks/`; no published results |
 
-**v5.47.0 | [Autonomi](https://www.autonomi.dev/) flagship product | ~260 lines core**
+**v5.48.0 | [Autonomi](https://www.autonomi.dev/) flagship product | ~260 lines core**

package/VERSION

@@ -1 +1 @@
-5.47.0
+5.48.0

package/autonomy/loki

@@ -820,6 +820,14 @@ cmd_resume() {
 
 # Show current status
 cmd_status() {
+    # Check for --json flag
+    while [[ $# -gt 0 ]]; do
+        case "$1" in
+            --json) cmd_status_json; return $? ;;
+            *) shift ;;
+        esac
+    done
+
     require_jq
 
     if [ ! -d "$LOKI_DIR" ]; then
@@ -3123,7 +3131,7 @@ cmd_api() {
             if [ -n "${LOKI_TLS_CERT:-}" ] && [ -n "${LOKI_TLS_KEY:-}" ]; then
                 uvicorn_args="$uvicorn_args --ssl-certfile ${LOKI_TLS_CERT} --ssl-keyfile ${LOKI_TLS_KEY}"
             fi
-            LOKI_DIR="$LOKI_DIR" nohup python3 -m uvicorn dashboard.server:app $uvicorn_args > "$LOKI_DIR/logs/api.log" 2>&1 &
+            LOKI_DIR="$LOKI_DIR" PYTHONPATH="$SKILL_DIR" nohup python3 -m uvicorn dashboard.server:app $uvicorn_args > "$LOKI_DIR/logs/api.log" 2>&1 &
             local new_pid=$!
             echo "$new_pid" > "$pid_file"
 

package/autonomy/run.sh

@@ -698,7 +698,7 @@ print(json.dumps(event))
     if [ -z "$json_event" ]; then
         # Escape quotes and special chars for JSON
         local escaped_data
-        escaped_data=$(echo "$event_data" | sed 's/"/\\"/g' | tr -d '\n')
+        escaped_data=$(printf '%s' "$event_data" | sed 's/\\/\\\\/g; s/"/\\"/g; s/	/\\t/g' | tr -d '\n')
         json_event="{\"timestamp\":\"$timestamp\",\"type\":\"$event_type\",\"data\":\"$escaped_data\"}"
     fi
 
@@ -733,8 +733,8 @@ emit_event_json() {
         if [[ "$value" =~ ^[0-9]+$ ]] || [[ "$value" =~ ^(true|false|null)$ ]]; then
             json_data+="\"$key\":$value"
         else
-            # Escape quotes in value
-            value=$(echo "$value" | sed 's/"/\\"/g')
+            # Escape backslashes, quotes, and special chars in value
+            value=$(printf '%s' "$value" | sed 's/\\/\\\\/g; s/"/\\"/g; s/	/\\t/g')
             json_data+="\"$key\":\"$value\""
         fi
         shift
@@ -3511,8 +3511,10 @@ update_agents_state() {
 
     agents_json="${agents_json}]"
 
-    # Write aggregated data
-    echo "$agents_json" > "$output_file"
+    # Write aggregated data (atomic via temp file + mv)
+    local tmp_file="${output_file}.tmp.$$"
+    echo "$agents_json" > "$tmp_file"
+    mv -f "$tmp_file" "$output_file" 2>/dev/null || rm -f "$tmp_file"
 }
 
 #===============================================================================
@@ -5874,7 +5876,7 @@ save_state() {
     "status": "$status",
     "lastExitCode": $exit_code,
     "lastRun": "$(date -u +%Y-%m-%dT%H:%M:%SZ)",
-    "prdPath": "${PRD_PATH:-}",
+    "prdPath": "$(printf '%s' "${PRD_PATH:-}" | sed 's/\\/\\\\/g; s/"/\\"/g')",
     "pid": $$,
     "maxRetries": $MAX_RETRIES,
     "baseWait": $BASE_WAIT

package/dashboard/__init__.py

@@ -7,7 +7,7 @@ Modules:
     control: Session control API (start/stop/pause/resume)
 """
 
-__version__ = "5.47.0"
+__version__ = "5.48.0"
 
 # Expose the control app for easy import
 try:

package/dashboard/server.py

@@ -62,6 +62,15 @@ except ImportError:
 LOKI_TLS_CERT = os.environ.get("LOKI_TLS_CERT", "")  # Path to PEM certificate
 LOKI_TLS_KEY = os.environ.get("LOKI_TLS_KEY", "")    # Path to PEM private key
 
+
+def _safe_int_env(name: str, default: int) -> int:
+    """Read an integer from an environment variable, returning *default* on bad values."""
+    try:
+        return int(os.environ.get(name, str(default)))
+    except (ValueError, TypeError):
+        return default
+
+
 # ---------------------------------------------------------------------------
 # Simple in-memory rate limiter for control endpoints
 # ---------------------------------------------------------------------------
@@ -214,7 +223,10 @@ class StatusResponse(BaseModel):
 class ConnectionManager:
     """Manages WebSocket connections for real-time updates."""
 
-    MAX_CONNECTIONS = int(os.environ.get("LOKI_MAX_WS_CONNECTIONS", "100"))
+    try:
+        MAX_CONNECTIONS = int(os.environ.get("LOKI_MAX_WS_CONNECTIONS", "100"))
+    except (ValueError, TypeError):
+        MAX_CONNECTIONS = 100
 
     def __init__(self):
         self.active_connections: list[WebSocket] = []
@@ -493,7 +505,7 @@ async def list_projects(
     return response
 
 
-@app.post("/api/projects", response_model=ProjectResponse, status_code=201)
+@app.post("/api/projects", response_model=ProjectResponse, status_code=201, dependencies=[Depends(auth.require_scope("control"))])
 async def create_project(
     project: ProjectCreate,
     db: AsyncSession = Depends(get_db),
@@ -718,7 +730,7 @@ async def list_tasks(
     return all_tasks
 
 
-@app.post("/api/tasks", response_model=TaskResponse, status_code=201)
+@app.post("/api/tasks", response_model=TaskResponse, status_code=201, dependencies=[Depends(auth.require_scope("control"))])
 async def create_task(
     task: TaskCreate,
     db: AsyncSession = Depends(get_db),
@@ -1041,7 +1053,7 @@ async def list_registered_projects(include_inactive: bool = False):
     return projects
 
 
-@app.post("/api/registry/projects", response_model=RegisteredProjectResponse, status_code=201)
+@app.post("/api/registry/projects", response_model=RegisteredProjectResponse, status_code=201, dependencies=[Depends(auth.require_scope("control"))])
 async def register_project(request: RegisterProjectRequest):
     """Register a new project."""
     try:
@@ -1087,7 +1099,7 @@ async def get_project_health(identifier: str):
     return health
 
 
-@app.post("/api/registry/projects/{identifier}/access")
+@app.post("/api/registry/projects/{identifier}/access", dependencies=[Depends(auth.require_scope("control"))])
 async def update_project_access(identifier: str):
     """Update the last accessed timestamp for a project."""
     project = registry.update_last_accessed(identifier)
@@ -1104,7 +1116,7 @@ async def discover_projects(max_depth: int = Query(default=3, ge=1, le=10)):
     return discovered
 
 
-@app.post("/api/registry/sync", response_model=SyncResponse)
+@app.post("/api/registry/sync", response_model=SyncResponse, dependencies=[Depends(auth.require_scope("control"))])
 async def sync_registry():
     """Sync the registry with discovered projects."""
     if not _read_limiter.check("registry_sync"):
@@ -1792,7 +1804,17 @@ async def trigger_aggregation():
 
     if events_file.exists():
         try:
-            for raw_line in events_file.read_text().strip().split("\n"):
+            # Guard against unbounded reads: if file > 10 MB, read only the tail
+            _MAX_EVENTS_BYTES = 10 * 1024 * 1024  # 10 MB
+            _fsize = events_file.stat().st_size
+            if _fsize > _MAX_EVENTS_BYTES:
+                with open(events_file, "rb") as _fh:
+                    _fh.seek(-_MAX_EVENTS_BYTES, 2)
+                    _fh.readline()  # discard partial first line
+                    _raw_text = _fh.read().decode("utf-8", errors="replace")
+            else:
+                _raw_text = events_file.read_text()
+            for raw_line in _raw_text.strip().split("\n"):
                 if not raw_line.strip():
                     continue
                 try:
@@ -2396,8 +2418,8 @@ async def get_council_convergence():
     convergence_file = _get_loki_dir() / "council" / "convergence.log"
     data_points = []
     if convergence_file.exists():
-        try:
-            for line in convergence_file.read_text().strip().split("\n"):
+        for line in convergence_file.read_text().strip().split("\n"):
+            try:
                 parts = line.split("|")
                 if len(parts) >= 5:
                     data_points.append({
@@ -2407,8 +2429,8 @@ async def get_council_convergence():
                         "no_change_streak": int(parts[3]),
                         "done_signals": int(parts[4]),
                     })
-        except Exception:
-            pass
+            except Exception:
+                continue
     return {"dataPoints": data_points}
 
 
@@ -3002,7 +3024,7 @@ async def get_github_status(token: Optional[dict] = Depends(auth.get_current_tok
         "pr_enabled": os.environ.get("LOKI_GITHUB_PR", "false") == "true",
         "labels_filter": os.environ.get("LOKI_GITHUB_LABELS", ""),
         "milestone_filter": os.environ.get("LOKI_GITHUB_MILESTONE", ""),
-        "limit": int(os.environ.get("LOKI_GITHUB_LIMIT", "100")),
+        "limit": _safe_int_env("LOKI_GITHUB_LIMIT", 100),
         "imported_tasks": 0,
         "synced_updates": 0,
         "repo": None,
@@ -3232,7 +3254,7 @@ def _build_metrics_text() -> str:
     lines.append("")
 
     # 3. loki_iteration_max (gauge) -------------------------------------------
-    max_iterations = int(os.environ.get("LOKI_MAX_ITERATIONS", "1000"))
+    max_iterations = _safe_int_env("LOKI_MAX_ITERATIONS", 1000)
     lines.append("# HELP loki_iteration_max Maximum configured iterations")
     lines.append("# TYPE loki_iteration_max gauge")
     lines.append(f"loki_iteration_max {max_iterations}")
@@ -3720,7 +3742,7 @@ def run_server(host: str = None, port: int = None) -> None:
         # Default to localhost-only for security
         host = os.environ.get("LOKI_DASHBOARD_HOST", "127.0.0.1")
     if port is None:
-        port = int(os.environ.get("LOKI_DASHBOARD_PORT", "57374"))
+        port = _safe_int_env("LOKI_DASHBOARD_PORT", 57374)
 
     uvicorn_kwargs = {
         "host": host,

package/dashboard/static/index.html

@@ -5000,7 +5000,7 @@ var LokiDashboard=(()=>{var X=Object.defineProperty;var gt=Object.getOwnProperty
         <p>App runner not started</p>
         <p class="hint">App runner will start after the first successful build iteration.</p>
       </div>
-    `}_attachEventListeners(){let t=this.shadowRoot;if(!t)return;let e=t.querySelector('[data-action="restart"]'),a=t.querySelector('[data-action="stop"]');e&&e.addEventListener("click",()=>this._handleRestart()),a&&a.addEventListener("click",()=>this._handleStop())}_escapeHtml(t){return t?String(t).replace(/&/g,"&amp;").replace(/</g,"&lt;").replace(/>/g,"&gt;").replace(/"/g,"&quot;"):""}};customElements.define("loki-app-status",J);var Ct={opus:{input:5,output:25,label:"Opus 4.6",provider:"claude"},sonnet:{input:3,output:15,label:"Sonnet 4.5",provider:"claude"},haiku:{input:1,output:5,label:"Haiku 4.5",provider:"claude"},"gpt-5.3-codex":{input:1.5,output:12,label:"GPT-5.3 Codex",provider:"codex"},"gemini-3-pro":{input:1.25,output:10,label:"Gemini 3 Pro",provider:"gemini"},"gemini-3-flash":{input:.1,output:.4,label:"Gemini 3 Flash",provider:"gemini"}},K=class extends c{static get observedAttributes(){return["api-url","theme"]}constructor(){super(),this._data={total_input_tokens:0,total_output_tokens:0,estimated_cost_usd:0,by_phase:{},by_model:{},budget_limit:null,budget_used:0,budget_remaining:null,connected:!1},this._api=null,this._pollInterval=null,this._modelPricing={...Ct}}connectedCallback(){super.connectedCallback(),this._setupApi(),this._loadPricing(),this._loadCost(),this._startPolling()}disconnectedCallback(){super.disconnectedCallback(),this._stopPolling()}attributeChangedCallback(t,e,a){e!==a&&(t==="api-url"&&this._api&&(this._api.baseUrl=a,this._loadCost()),t==="theme"&&this._applyTheme())}_setupApi(){let t=this.getAttribute("api-url")||window.location.origin;this._api=u({baseUrl:t})}async _loadPricing(){try{let t=await this._api.getPricing();if(t&&t.models){let e={};for(let[a,i]of Object.entries(t.models))e[a]={input:i.input,output:i.output,label:i.label||a,provider:i.provider||"unknown"};this._modelPricing=e,this._pricingSource=t.source||"api",this._pricingDate=t.updated||"",this._activeProvider=t.provider||"claude",this.render()}}catch{}}async _loadCost(){try{let t=await this._api.getCost();this._updateFromCost(t)}catch{this._data.connected=!1,this.render()}}_updateFromCost(t){t&&(this._data={...this._data,connected:!0,total_input_tokens:t.total_input_tokens||0,total_output_tokens:t.total_output_tokens||0,estimated_cost_usd:t.estimated_cost_usd||0,by_phase:t.by_phase||{},by_model:t.by_model||{},budget_limit:t.budget_limit,budget_used:t.budget_used||0,budget_remaining:t.budget_remaining},this.render())}_startPolling(){this._pollInterval=setInterval(async()=>{try{let t=await this._api.getCost();this._updateFromCost(t)}catch{this._data.connected=!1,this.render()}},5e3)}_stopPolling(){this._pollInterval&&(clearInterval(this._pollInterval),this._pollInterval=null)}_formatTokens(t){return!t||t===0?"0":t>=1e6?(t/1e6).toFixed(2)+"M":t>=1e3?(t/1e3).toFixed(1)+"K":String(t)}_formatUSD(t){return!t||t===0?"$0.00":t<.01?"<$0.01":"$"+t.toFixed(2)}_getBudgetPercent(){return!this._data.budget_limit||this._data.budget_limit<=0?0:Math.min(100,this._data.budget_used/this._data.budget_limit*100)}_getBudgetStatusClass(){let t=this._getBudgetPercent();return t>=90?"critical":t>=70?"warning":"ok"}_renderPhaseRows(){let t=this._data.by_phase;return!t||Object.keys(t).length===0?'<tr><td colspan="4" class="empty-cell">No phase data yet</td></tr>':Object.entries(t).map(([e,a])=>{let i=a.input_tokens||0,s=a.output_tokens||0,r=a.cost_usd||0;return`
+    `}_attachEventListeners(){let t=this.shadowRoot;if(!t)return;let e=t.querySelector('[data-action="restart"]'),a=t.querySelector('[data-action="stop"]');e&&e.addEventListener("click",()=>this._handleRestart()),a&&a.addEventListener("click",()=>this._handleStop())}_escapeHtml(t){return t?String(t).replace(/&/g,"&amp;").replace(/</g,"&lt;").replace(/>/g,"&gt;").replace(/"/g,"&quot;"):""}};customElements.define("loki-app-status",J);var Ct={opus:{input:5,output:25,label:"Opus 4.6",provider:"claude"},sonnet:{input:3,output:15,label:"Sonnet 4.5",provider:"claude"},haiku:{input:1,output:5,label:"Haiku 4.5",provider:"claude"},"gpt-5.3-codex":{input:1.5,output:12,label:"GPT-5.3 Codex",provider:"codex"},"gemini-3-pro":{input:1.25,output:10,label:"Gemini 3 Pro",provider:"gemini"},"gemini-3-flash":{input:.1,output:.4,label:"Gemini 3 Flash",provider:"gemini"}},K=class extends c{static get observedAttributes(){return["api-url","theme"]}constructor(){super(),this._data={total_input_tokens:0,total_output_tokens:0,estimated_cost_usd:0,by_phase:{},by_model:{},budget_limit:null,budget_used:0,budget_remaining:null,connected:!1},this._api=null,this._pollInterval=null,this._modelPricing={...Ct}}connectedCallback(){super.connectedCallback(),this._setupApi(),this._loadPricing(),this._loadCost(),this._startPolling()}disconnectedCallback(){super.disconnectedCallback(),this._stopPolling()}attributeChangedCallback(t,e,a){e!==a&&(t==="api-url"&&this._api&&(this._api.baseUrl=a,this._loadCost()),t==="theme"&&this._applyTheme())}_setupApi(){let t=this.getAttribute("api-url")||window.location.origin;this._api=u({baseUrl:t})}async _loadPricing(){try{let t=await this._api.getPricing();if(t&&t.models){let e={};for(let[a,i]of Object.entries(t.models))e[a]={input:i.input,output:i.output,label:i.label||a,provider:i.provider||"unknown"};this._modelPricing=e,this._pricingSource=t.source||"api",this._pricingDate=t.updated||"",this._activeProvider=t.provider||"claude",this.render()}}catch{}}async _loadCost(){try{let t=await this._api.getCost();this._updateFromCost(t)}catch{this._data.connected=!1,this.render()}}_updateFromCost(t){t&&(this._data={...this._data,connected:!0,total_input_tokens:t.total_input_tokens||0,total_output_tokens:t.total_output_tokens||0,estimated_cost_usd:t.estimated_cost_usd||0,by_phase:t.by_phase||{},by_model:t.by_model||{},budget_limit:t.budget_limit,budget_used:t.budget_used||0,budget_remaining:t.budget_remaining},this.render())}_startPolling(){this._pollInterval=setInterval(async()=>{try{let t=await this._api.getCost();this._updateFromCost(t)}catch{this._data.connected=!1,this.render()}},5e3),this._visibilityHandler=()=>{document.hidden?this._pollInterval&&(clearInterval(this._pollInterval),this._pollInterval=null):this._pollInterval||(this._loadCost(),this._pollInterval=setInterval(async()=>{try{let t=await this._api.getCost();this._updateFromCost(t)}catch{this._data.connected=!1,this.render()}},5e3))},document.addEventListener("visibilitychange",this._visibilityHandler)}_stopPolling(){this._pollInterval&&(clearInterval(this._pollInterval),this._pollInterval=null),this._visibilityHandler&&(document.removeEventListener("visibilitychange",this._visibilityHandler),this._visibilityHandler=null)}_formatTokens(t){return!t||t===0?"0":t>=1e6?(t/1e6).toFixed(2)+"M":t>=1e3?(t/1e3).toFixed(1)+"K":String(t)}_formatUSD(t){return!t||t===0?"$0.00":t<.01?"<$0.01":"$"+t.toFixed(2)}_getBudgetPercent(){return!this._data.budget_limit||this._data.budget_limit<=0?0:Math.min(100,this._data.budget_used/this._data.budget_limit*100)}_getBudgetStatusClass(){let t=this._getBudgetPercent();return t>=90?"critical":t>=70?"warning":"ok"}_renderPhaseRows(){let t=this._data.by_phase;return!t||Object.keys(t).length===0?'<tr><td colspan="4" class="empty-cell">No phase data yet</td></tr>':Object.entries(t).map(([e,a])=>{let i=a.input_tokens||0,s=a.output_tokens||0,r=a.cost_usd||0;return`
         <tr>
           <td class="phase-name">${this._escapeHTML(e)}</td>
           <td class="mono-cell">${this._formatTokens(i)}</td>
@@ -5690,7 +5690,7 @@ var LokiDashboard=(()=>{var X=Object.defineProperty;var gt=Object.getOwnProperty
         color: var(--loki-red);
         font-size: 12px;
       }
-    `}};customElements.get("loki-checkpoint-viewer")||customElements.define("loki-checkpoint-viewer",V);var Y=class extends c{static get observedAttributes(){return["api-url","theme"]}constructor(){super(),this._data=null,this._connected=!1,this._activeTab="gauge",this._api=null,this._pollInterval=null}connectedCallback(){super.connectedCallback(),this._setupApi(),this._loadContext(),this._startPolling()}disconnectedCallback(){super.disconnectedCallback(),this._stopPolling()}attributeChangedCallback(t,e,a){e!==a&&(t==="api-url"&&this._api&&(this._api.baseUrl=a,this._loadContext()),t==="theme"&&this._applyTheme())}_setupApi(){let t=this.getAttribute("api-url")||window.location.origin;this._api=u({baseUrl:t})}async _loadContext(){try{let t=this.getAttribute("api-url")||window.location.origin,e=await fetch(t+"/api/context");e.ok&&(this._data=await e.json(),this._connected=!0)}catch{this._connected=!1}this.render()}_startPolling(){this._pollInterval=setInterval(()=>{this._loadContext()},5e3)}_stopPolling(){this._pollInterval&&(clearInterval(this._pollInterval),this._pollInterval=null)}_setTab(t){this._activeTab=t,this.render()}_formatTokens(t){return!t||t===0?"0":t>=1e6?(t/1e6).toFixed(2)+"M":t>=1e3?(t/1e3).toFixed(1)+"K":String(t)}_formatUSD(t){return!t||t===0?"$0.00":t<.01?"<$0.01":"$"+t.toFixed(2)}_escapeHTML(t){return t?String(t).replace(/&/g,"&amp;").replace(/</g,"&lt;").replace(/>/g,"&gt;").replace(/"/g,"&quot;"):""}_getGaugeColor(t){return t>80?"var(--loki-red)":t>=60?"var(--loki-yellow)":"var(--loki-green)"}_getGaugeColorClass(t){return t>80?"gauge-red":t>=60?"gauge-yellow":"gauge-green"}_renderGaugeTab(){let t=this._data?.current||{},e=this._data?.totals||{},a=t.context_window_pct||0,i=this._getGaugeColor(a),s=this._getGaugeColorClass(a),r=70,o=2*Math.PI*r,l=o-a/100*o;return`
+    `}};customElements.get("loki-checkpoint-viewer")||customElements.define("loki-checkpoint-viewer",V);var Y=class extends c{static get observedAttributes(){return["api-url","theme"]}constructor(){super(),this._data=null,this._connected=!1,this._activeTab="gauge",this._api=null,this._pollInterval=null}connectedCallback(){super.connectedCallback(),this._setupApi(),this._loadContext(),this._startPolling()}disconnectedCallback(){super.disconnectedCallback(),this._stopPolling()}attributeChangedCallback(t,e,a){e!==a&&(t==="api-url"&&this._api&&(this._api.baseUrl=a,this._loadContext()),t==="theme"&&this._applyTheme())}_setupApi(){let t=this.getAttribute("api-url")||window.location.origin;this._api=u({baseUrl:t})}async _loadContext(){try{let t=this.getAttribute("api-url")||window.location.origin,e=await fetch(t+"/api/context");e.ok&&(this._data=await e.json(),this._connected=!0)}catch{this._connected=!1}this.render()}_startPolling(){this._pollInterval=setInterval(()=>{this._loadContext()},5e3),this._visibilityHandler=()=>{document.hidden?this._pollInterval&&(clearInterval(this._pollInterval),this._pollInterval=null):this._pollInterval||(this._loadContext(),this._pollInterval=setInterval(()=>this._loadContext(),5e3))},document.addEventListener("visibilitychange",this._visibilityHandler)}_stopPolling(){this._pollInterval&&(clearInterval(this._pollInterval),this._pollInterval=null),this._visibilityHandler&&(document.removeEventListener("visibilitychange",this._visibilityHandler),this._visibilityHandler=null)}_setTab(t){this._activeTab=t,this.render()}_formatTokens(t){return!t||t===0?"0":t>=1e6?(t/1e6).toFixed(2)+"M":t>=1e3?(t/1e3).toFixed(1)+"K":String(t)}_formatUSD(t){return!t||t===0?"$0.00":t<.01?"<$0.01":"$"+t.toFixed(2)}_escapeHTML(t){return t?String(t).replace(/&/g,"&amp;").replace(/</g,"&lt;").replace(/>/g,"&gt;").replace(/"/g,"&quot;"):""}_getGaugeColor(t){return t>80?"var(--loki-red)":t>=60?"var(--loki-yellow)":"var(--loki-green)"}_getGaugeColorClass(t){return t>80?"gauge-red":t>=60?"gauge-yellow":"gauge-green"}_renderGaugeTab(){let t=this._data?.current||{},e=this._data?.totals||{},a=t.context_window_pct||0,i=this._getGaugeColor(a),s=this._getGaugeColorClass(a),r=70,o=2*Math.PI*r,l=o-a/100*o;return`
       <div class="gauge-tab">
         <div class="gauge-container">
           <svg class="gauge-svg" viewBox="0 0 180 180" aria-label="Context window usage: ${a.toFixed(1)}%">

package/docs/INSTALLATION.md

@@ -2,7 +2,7 @@
 
 The flagship product of [Autonomi](https://www.autonomi.dev/). Complete installation instructions for all platforms and use cases.
 
-**Version:** v5.47.0
+**Version:** v5.48.0
 
 ---
 

package/mcp/__init__.py

@@ -21,4 +21,4 @@ try:
 except ImportError:
     __all__ = ['mcp']
 
-__version__ = '5.47.0'
+__version__ = '5.48.0'

package/memory/embeddings.py

@@ -819,6 +819,7 @@ class EmbeddingEngine:
 
         # Cache
         self._cache: Dict[str, np.ndarray] = {}
+        self._max_cache_size = 10000
         self._quality_cache: Dict[str, EmbeddingQuality] = {}
 
         # Metrics
@@ -1008,6 +1009,10 @@ class EmbeddingEngine:
 
         # Cache result
         if self.config.cache_enabled:
+            if len(self._cache) >= self._max_cache_size:
+                # Remove oldest entry (first key in dict - insertion order in Python 3.7+)
+                oldest_key = next(iter(self._cache))
+                del self._cache[oldest_key]
             self._cache[cache_key] = embedding
 
         # Track latency

package/memory/engine.py

@@ -820,7 +820,8 @@ class MemoryEngine:
             })
 
         index["last_updated"] = datetime.now(timezone.utc).isoformat()
-        index["total_memories"] = index.get("total_memories", 0) + 1
+        if not topic_found:
+            index["total_memories"] = index.get("total_memories", 0) + 1
 
         self.storage.write_json("index.json", index)
 

package/memory/retrieval.py

@@ -912,6 +912,7 @@ class MemoryRetrieval:
 
         for collection, items in results_by_collection.items():
             for item in items:
+                item = dict(item)  # shallow copy to avoid mutating original
                 # Ensure source is set
                 if "_source" not in item:
                     item["_source"] = collection

package/memory/token_economics.py

@@ -568,13 +568,24 @@ class TokenEconomics:
 
         Writes to {base_path}/token_economics.json
         """
+        import tempfile
+
         file_path = Path(self.base_path) / "token_economics.json"
         file_path.parent.mkdir(parents=True, exist_ok=True)
 
         data = self.get_summary()
 
-        with open(file_path, "w", encoding="utf-8") as f:
-            json.dump(data, f, indent=2)
+        tmp_fd, tmp_path = tempfile.mkstemp(dir=str(file_path.parent), suffix='.tmp')
+        try:
+            with os.fdopen(tmp_fd, 'w', encoding='utf-8') as f:
+                json.dump(data, f, indent=2)
+            os.replace(tmp_path, str(file_path))
+        except Exception:
+            try:
+                os.unlink(tmp_path)
+            except OSError:
+                pass
+            raise
 
     def load(self) -> None:
         """

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "loki-mode",
-  "version": "5.47.0",
+  "version": "5.48.0",
   "description": "Loki Mode by Autonomi - Multi-agent autonomous startup system for Claude Code, Codex CLI, and Gemini CLI",
   "keywords": [
     "autonomi",