loki-mode 5.49.4 → 5.50.0

package/README.md

@@ -11,7 +11,7 @@
 [![Agent Types](https://img.shields.io/badge/Agent%20Types-41-blue)]()
 [![Benchmarks](https://img.shields.io/badge/Benchmarks-Infrastructure%20Ready-blue)](benchmarks/)
 
-**Current Version: v5.49.4**
+**Current Version: v5.50.0**
 
 **[Autonomi](https://www.autonomi.dev/)** | **[Documentation](https://www.autonomi.dev/docs)** | **[GitHub](https://github.com/asklokesh/loki-mode)**
 
@@ -85,7 +85,7 @@ gemini
 ### Verify Installation
 
 ```bash
-loki --version    # Should print 5.49.4
+loki --version    # Should print 5.50.0
 loki doctor       # Check skill symlinks and provider availability
 ```
 

package/SKILL.md

@@ -3,7 +3,7 @@ name: loki-mode
 description: Multi-agent autonomous startup system. Triggers on "Loki Mode". Takes PRD to deployed product with minimal human intervention. Requires --dangerously-skip-permissions flag.
 ---
 
-# Loki Mode v5.49.4
+# Loki Mode v5.50.0
 
 **You are an autonomous agent. You make decisions. You do not ask questions. You do not stop.**
 
@@ -263,4 +263,4 @@ The following features are documented in skill modules but not yet fully automat
 | Quality gates 3-reviewer system | Implemented (v5.35.0) | 5 specialist reviewers in `skills/quality-gates.md`; execution in run.sh |
 | Benchmarks (HumanEval, SWE-bench) | Infrastructure only | Runner scripts and datasets exist in `benchmarks/`; no published results |
 
-**v5.49.4 | [Autonomi](https://www.autonomi.dev/) flagship product | ~260 lines core**
+**v5.50.0 | [Autonomi](https://www.autonomi.dev/) flagship product | ~260 lines core**

package/VERSION

@@ -1 +1 @@
-5.49.4
+5.50.0

package/dashboard/__init__.py

@@ -7,7 +7,7 @@ Modules:
     control: Session control API (start/stop/pause/resume)
 """
 
-__version__ = "5.49.4"
+__version__ = "5.50.0"
 
 # Expose the control app for easy import
 try:

package/docs/INSTALLATION.md

@@ -2,7 +2,7 @@
 
 The flagship product of [Autonomi](https://www.autonomi.dev/). Complete installation instructions for all platforms and use cases.
 
-**Version:** v5.49.4
+**Version:** v5.50.0
 
 ---
 

package/docs/alternative-installations.md

@@ -28,7 +28,7 @@ ln -sf ~/.claude/skills/loki-mode/autonomy/loki /usr/local/bin/loki
 
 ## Docker
 
-**Status:** Image exists on Docker Hub. Tags: `latest`, version-specific (e.g., `5.49.4`).
+**Status:** Image exists on Docker Hub. Tags: `latest`, version-specific (e.g., `5.50.0`).
 
 ```bash
 docker pull asklokesh/loki-mode:latest
@@ -108,8 +108,8 @@ jobs:
 
 ```bash
 # Download and extract to skills directory
-curl -sL https://github.com/asklokesh/loki-mode/archive/refs/tags/v5.49.4.tar.gz | tar xz
-mv loki-mode-5.49.4 ~/.claude/skills/loki-mode
+curl -sL https://github.com/asklokesh/loki-mode/archive/refs/tags/v5.50.0.tar.gz | tar xz
+mv loki-mode-5.50.0 ~/.claude/skills/loki-mode
 ```
 
 **Best for:** Offline or air-gapped environments, pinned version deployments.

package/mcp/__init__.py

@@ -21,4 +21,4 @@ try:
 except ImportError:
     __all__ = ['mcp']
 
-__version__ = '5.49.4'
+__version__ = '5.50.0'

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "loki-mode",
-  "version": "5.49.4",
+  "version": "5.50.0",
   "description": "Loki Mode by Autonomi - Multi-agent autonomous startup system for Claude Code, Codex CLI, and Gemini CLI",
   "keywords": [
     "autonomi",
@@ -45,13 +45,14 @@
     "dashboard/static/",
     "dashboard/requirements.txt",
     "mcp/",
-    "completions/"
+    "completions/",
+    "src/"
   ],
   "scripts": {
     "postinstall": "node bin/postinstall.js",
     "prepack": "find . -type d -name __pycache__ -exec rm -rf {} + 2>/dev/null; find . -name '*.pyc' -delete 2>/dev/null; true",
     "prepublishOnly": "cd dashboard-ui && npm ci && npm run build:all",
-    "test": "bash -n autonomy/run.sh && bash -n autonomy/loki && bash -n autonomy/completion-council.sh && bash -n autonomy/app-runner.sh && bash -n autonomy/prd-checklist.sh && bash -n autonomy/playwright-verify.sh && echo 'All syntax checks passed'",
+    "test": "bash -n autonomy/run.sh && bash -n autonomy/loki && bash -n autonomy/completion-council.sh && bash -n autonomy/app-runner.sh && bash -n autonomy/prd-checklist.sh && bash -n autonomy/playwright-verify.sh && node --test 'tests/protocols/*.test.js' && node --test 'tests/protocols/a2a/*.test.js' && node --test 'tests/observability/*.test.js' && node --test 'tests/policies/*.test.js' && node --test 'tests/audit/*.test.js' && node --test 'tests/integrations/*.test.js' && node --test 'tests/integrations/jira/*.test.js' && node --test 'tests/integrations/github/*.test.js' && echo 'All checks passed'",
     "test:visual": "node --experimental-vm-modules node_modules/jest/bin/jest.js dashboard-ui/tests/visual-regression.test.js",
     "test:parity": "node --experimental-vm-modules dashboard-ui/scripts/check-parity.js",
     "test:parity:json": "node --experimental-vm-modules dashboard-ui/scripts/check-parity.js --json",

package/src/audit/compliance.js

@@ -0,0 +1,226 @@
+'use strict';
+
+var fs = require('fs');
+var path = require('path');
+var { AuditLog } = require('./log');
+
+/**
+ * SOC 2 Type II control mappings.
+ */
+var SOC2_CONTROLS = {
+  CC6_1: { name: 'Logical Access', description: 'Access to data and systems is restricted to authorized users' },
+  CC6_2: { name: 'System Operations', description: 'System operations are monitored for anomalies' },
+  CC6_3: { name: 'Change Management', description: 'Changes are authorized, tested, and approved before deployment' },
+  CC7_1: { name: 'Risk Assessment', description: 'Risks are identified and mitigated' },
+  CC7_2: { name: 'Monitoring', description: 'System components are monitored for anomalies' },
+  CC8_1: { name: 'Incident Response', description: 'Security incidents are identified and responded to' },
+};
+
+/**
+ * ISO 27001 Annex A control mappings.
+ */
+var ISO27001_CONTROLS = {
+  'A.9.2': { name: 'User Access Management', description: 'Formal access provisioning and de-provisioning' },
+  'A.12.4': { name: 'Logging and Monitoring', description: 'Events are recorded and evidence is generated' },
+  'A.12.5': { name: 'Control of Operational Software', description: 'Installation of software is controlled' },
+  'A.14.2': { name: 'Security in Development', description: 'Security requirements in SDLC' },
+  'A.16.1': { name: 'Incident Management', description: 'Consistent approach to security incidents' },
+  'A.18.1': { name: 'Compliance', description: 'Compliance with legal and contractual requirements' },
+};
+
+/**
+ * Map audit actions to SOC 2 controls.
+ */
+var ACTION_TO_SOC2 = {
+  'agent_start': ['CC6_1', 'CC6_2'],
+  'agent_stop': ['CC6_1', 'CC6_2'],
+  'file_write': ['CC6_3', 'CC7_2'],
+  'file_read': ['CC6_1'],
+  'command_execute': ['CC6_3', 'CC7_2'],
+  'deploy': ['CC6_3', 'CC8_1'],
+  'policy_evaluate': ['CC7_1', 'CC7_2'],
+  'approval_request': ['CC6_3'],
+  'approval_resolve': ['CC6_3'],
+  'test_run': ['CC6_3', 'CC7_1'],
+};
+
+/**
+ * Map audit actions to ISO 27001 controls.
+ */
+var ACTION_TO_ISO = {
+  'agent_start': ['A.9.2', 'A.12.4'],
+  'agent_stop': ['A.9.2', 'A.12.4'],
+  'file_write': ['A.12.5', 'A.14.2'],
+  'file_read': ['A.9.2'],
+  'command_execute': ['A.12.5', 'A.14.2'],
+  'deploy': ['A.12.5', 'A.14.2'],
+  'policy_evaluate': ['A.18.1'],
+  'approval_request': ['A.9.2', 'A.16.1'],
+  'approval_resolve': ['A.9.2', 'A.16.1'],
+  'test_run': ['A.14.2'],
+};
+
+/**
+ * Generate a SOC 2 Type II evidence report from audit log entries.
+ *
+ * @param {object[]} entries - Audit log entries
+ * @param {object} [opts]
+ * @param {string} [opts.projectName] - Project name for the report
+ * @param {string} [opts.period] - Reporting period description
+ * @returns {object} Structured SOC 2 report
+ */
+function generateSoc2Report(entries, opts) {
+  opts = opts || {};
+  var controlEvidence = {};
+
+  // Initialize all controls
+  Object.keys(SOC2_CONTROLS).forEach(function (id) {
+    controlEvidence[id] = {
+      control: SOC2_CONTROLS[id],
+      evidenceCount: 0,
+      sampleEntries: [],
+    };
+  });
+
+  // Map entries to controls
+  for (var i = 0; i < entries.length; i++) {
+    var entry = entries[i];
+    var controls = ACTION_TO_SOC2[entry.what] || [];
+    for (var j = 0; j < controls.length; j++) {
+      var cid = controls[j];
+      if (controlEvidence[cid]) {
+        controlEvidence[cid].evidenceCount++;
+        if (controlEvidence[cid].sampleEntries.length < 5) {
+          controlEvidence[cid].sampleEntries.push({
+            seq: entry.seq,
+            timestamp: entry.timestamp,
+            who: entry.who,
+            what: entry.what,
+          });
+        }
+      }
+    }
+  }
+
+  return {
+    reportType: 'SOC2_TYPE_II',
+    generatedAt: new Date().toISOString(),
+    projectName: opts.projectName || 'Loki Mode',
+    period: opts.period || 'Current',
+    totalAuditEntries: entries.length,
+    controls: controlEvidence,
+    chainIntegrity: null, // Caller should set after verifyChain()
+  };
+}
+
+/**
+ * Generate an ISO 27001 mapping report.
+ */
+function generateIso27001Report(entries, opts) {
+  opts = opts || {};
+  var controlEvidence = {};
+
+  Object.keys(ISO27001_CONTROLS).forEach(function (id) {
+    controlEvidence[id] = {
+      control: ISO27001_CONTROLS[id],
+      evidenceCount: 0,
+      sampleEntries: [],
+    };
+  });
+
+  for (var i = 0; i < entries.length; i++) {
+    var entry = entries[i];
+    var controls = ACTION_TO_ISO[entry.what] || [];
+    for (var j = 0; j < controls.length; j++) {
+      var cid = controls[j];
+      if (controlEvidence[cid]) {
+        controlEvidence[cid].evidenceCount++;
+        if (controlEvidence[cid].sampleEntries.length < 5) {
+          controlEvidence[cid].sampleEntries.push({
+            seq: entry.seq,
+            timestamp: entry.timestamp,
+            who: entry.who,
+            what: entry.what,
+          });
+        }
+      }
+    }
+  }
+
+  return {
+    reportType: 'ISO27001',
+    generatedAt: new Date().toISOString(),
+    projectName: opts.projectName || 'Loki Mode',
+    period: opts.period || 'Current',
+    totalAuditEntries: entries.length,
+    controls: controlEvidence,
+  };
+}
+
+/**
+ * Generate a GDPR data processing record.
+ */
+function generateGdprReport(entries, opts) {
+  opts = opts || {};
+
+  // Extract unique data subjects (actors) and processing activities
+  var subjects = {};
+  var activities = {};
+  var dataCategories = {};
+
+  for (var i = 0; i < entries.length; i++) {
+    var entry = entries[i];
+    subjects[entry.who] = (subjects[entry.who] || 0) + 1;
+    activities[entry.what] = (activities[entry.what] || 0) + 1;
+
+    // Categorize data types from metadata
+    if (entry.metadata) {
+      if (entry.metadata.dataType) {
+        dataCategories[entry.metadata.dataType] = true;
+      }
+      if (entry.metadata.containsPii) {
+        dataCategories['personal_data'] = true;
+      }
+    }
+  }
+
+  return {
+    reportType: 'GDPR_DATA_PROCESSING_RECORD',
+    generatedAt: new Date().toISOString(),
+    projectName: opts.projectName || 'Loki Mode',
+    controller: opts.controller || 'Organization',
+    purposes: ['Autonomous software development', 'Quality assurance', 'Deployment'],
+    legalBasis: 'Legitimate interest (automated software development)',
+    dataSubjects: Object.keys(subjects).map(function (s) {
+      return { id: s, activityCount: subjects[s] };
+    }),
+    processingActivities: Object.keys(activities).map(function (a) {
+      return { activity: a, count: activities[a] };
+    }),
+    dataCategories: Object.keys(dataCategories),
+    retentionPolicy: opts.retentionDays ? opts.retentionDays + ' days' : 'Project lifetime',
+    securityMeasures: [
+      'Hash-chain tamper evidence on audit log',
+      'Policy-based access controls',
+      'Data residency enforcement',
+    ],
+  };
+}
+
+/**
+ * Export a report as JSON string.
+ */
+function exportReportJson(report) {
+  return JSON.stringify(report, null, 2);
+}
+
+module.exports = {
+  generateSoc2Report: generateSoc2Report,
+  generateIso27001Report: generateIso27001Report,
+  generateGdprReport: generateGdprReport,
+  exportReportJson: exportReportJson,
+  SOC2_CONTROLS: SOC2_CONTROLS,
+  ISO27001_CONTROLS: ISO27001_CONTROLS,
+  ACTION_TO_SOC2: ACTION_TO_SOC2,
+  ACTION_TO_ISO: ACTION_TO_ISO,
+};

package/src/audit/index.js

@@ -0,0 +1,147 @@
+'use strict';
+
+/**
+ * Loki Mode Audit Trail - Public API
+ *
+ * Enterprise audit logging with tamper-evident hash chains,
+ * compliance report generation, and data residency enforcement.
+ *
+ * Usage:
+ *   var audit = require('./src/audit');
+ *   audit.init('/path/to/project');
+ *   audit.record({ who: 'agent-1', what: 'file_write', where: 'src/app.js', why: 'implement feature' });
+ *   var result = audit.verifyChain();
+ *   var report = audit.generateReport('soc2');
+ *   var allowed = audit.checkProvider('anthropic', 'us');
+ */
+
+var { AuditLog } = require('./log');
+var compliance = require('./compliance');
+var { ResidencyController } = require('./residency');
+
+var _log = null;
+var _residency = null;
+var _initialized = false;
+var _projectDir = null;
+
+/**
+ * Initialize the audit trail system.
+ */
+function init(projectDir) {
+  var dir = projectDir || process.cwd();
+  if (_initialized && _projectDir === dir) return;
+  if (_initialized) destroy();
+
+  _projectDir = dir;
+  _log = new AuditLog({ projectDir: dir });
+  _residency = new ResidencyController({ projectDir: dir });
+  _initialized = true;
+}
+
+/**
+ * Record an audit entry.
+ */
+function record(entry) {
+  if (!_initialized) init();
+  return _log.record(entry);
+}
+
+/**
+ * Verify the hash chain integrity.
+ */
+function verifyChain() {
+  if (!_initialized) init();
+  return _log.verifyChain();
+}
+
+/**
+ * Generate a compliance report.
+ * @param {string} type - 'soc2', 'iso27001', or 'gdpr'
+ * @param {object} [opts] - Report options
+ */
+function generateReport(type, opts) {
+  if (!_initialized) init();
+  var entries = _log.readEntries();
+  switch (type) {
+    case 'soc2':
+      return compliance.generateSoc2Report(entries, opts);
+    case 'iso27001':
+      return compliance.generateIso27001Report(entries, opts);
+    case 'gdpr':
+      return compliance.generateGdprReport(entries, opts);
+    default:
+      throw new Error('Unknown report type: ' + type + '. Supported: soc2, iso27001, gdpr');
+  }
+}
+
+/**
+ * Export a report as JSON string.
+ */
+function exportReport(type, opts) {
+  var report = generateReport(type, opts);
+  return compliance.exportReportJson(report);
+}
+
+/**
+ * Check if a provider is allowed by data residency policy.
+ */
+function checkProvider(provider, region) {
+  if (!_initialized) init();
+  return _residency.checkProvider(provider, region);
+}
+
+/**
+ * Check if air-gapped mode is enabled.
+ */
+function isAirGapped() {
+  if (!_initialized) init();
+  return _residency.isAirGapped();
+}
+
+/**
+ * Read filtered audit entries.
+ */
+function readEntries(filter) {
+  if (!_initialized) init();
+  return _log.readEntries(filter);
+}
+
+/**
+ * Get audit log summary.
+ */
+function getSummary() {
+  if (!_initialized) init();
+  return _log.getSummary();
+}
+
+/**
+ * Flush pending entries to disk.
+ */
+function flush() {
+  if (_log) _log.flush();
+}
+
+/**
+ * Destroy audit trail (for testing).
+ */
+function destroy() {
+  if (_log) _log.destroy();
+  _log = null;
+  _residency = null;
+  _initialized = false;
+  _projectDir = null;
+}
+
+module.exports = {
+  init: init,
+  record: record,
+  verifyChain: verifyChain,
+  generateReport: generateReport,
+  exportReport: exportReport,
+  checkProvider: checkProvider,
+  isAirGapped: isAirGapped,
+  readEntries: readEntries,
+  getSummary: getSummary,
+  flush: flush,
+  destroy: destroy,
+};

package/src/audit/log.js

@@ -0,0 +1,153 @@
+'use strict';
+
+const fs = require('fs');
+const path = require('path');
+const crypto = require('crypto');
+
+const MAX_MEMORY_ENTRIES = 1000;
+const HASH_ALGO = 'sha256';
+
+class AuditLog {
+  constructor(opts) {
+    const projectDir = (opts && opts.projectDir) || process.cwd();
+    this._logDir = (opts && opts.logDir) || path.join(projectDir, '.loki', 'audit');
+    this._logFile = path.join(this._logDir, 'audit.jsonl');
+    this._entries = [];
+    this._lastHash = 'GENESIS';
+    this._entryCount = 0;
+    this._loadChainTip();
+  }
+
+  record(entry) {
+    if (!entry || !entry.who || !entry.what) {
+      throw new Error('Audit entry requires at least "who" and "what" fields');
+    }
+    var auditEntry = {
+      seq: this._entryCount,
+      timestamp: new Date().toISOString(),
+      who: String(entry.who),
+      what: String(entry.what),
+      where: entry.where ? String(entry.where) : null,
+      why: entry.why ? String(entry.why) : null,
+      metadata: entry.metadata ? JSON.parse(JSON.stringify(entry.metadata)) : null,
+      previousHash: this._lastHash,
+      hash: null,
+    };
+    auditEntry.hash = this._computeHash(auditEntry);
+    this._lastHash = auditEntry.hash;
+    this._entryCount++;
+    this._entries.push(auditEntry);
+    if (this._entries.length >= MAX_MEMORY_ENTRIES) {
+      this.flush();
+    }
+    return auditEntry;
+  }
+
+  flush() {
+    if (this._entries.length === 0) return;
+    if (!fs.existsSync(this._logDir)) {
+      fs.mkdirSync(this._logDir, { recursive: true });
+    }
+    var lines = this._entries.map(function (e) { return JSON.stringify(e); }).join('\n') + '\n';
+    fs.appendFileSync(this._logFile, lines, 'utf8');
+    this._entries = [];
+  }
+
+  verifyChain() {
+    this.flush();
+    if (!fs.existsSync(this._logFile)) {
+      return { valid: true, entries: 0, brokenAt: null, error: null };
+    }
+    var content = fs.readFileSync(this._logFile, 'utf8').trim();
+    if (!content) {
+      return { valid: true, entries: 0, brokenAt: null, error: null };
+    }
+    var lines = content.split('\n');
+    var expectedPrevHash = 'GENESIS';
+    var count = 0;
+    for (var i = 0; i < lines.length; i++) {
+      var entry;
+      try { entry = JSON.parse(lines[i]); } catch (e) {
+        return { valid: false, entries: count, brokenAt: i, error: 'Invalid JSON at line ' + i };
+      }
+      if (entry.previousHash !== expectedPrevHash) {
+        return { valid: false, entries: count, brokenAt: i,
+          error: 'Hash chain broken at entry ' + i };
+      }
+      var computedHash = this._computeHash(entry);
+      if (computedHash !== entry.hash) {
+        return { valid: false, entries: count, brokenAt: i,
+          error: 'Hash mismatch at entry ' + i + ': entry has been tampered with' };
+      }
+      expectedPrevHash = entry.hash;
+      count++;
+    }
+    return { valid: true, entries: count, brokenAt: null, error: null };
+  }
+
+  readEntries(filter) {
+    this.flush();
+    if (!fs.existsSync(this._logFile)) return [];
+    var content = fs.readFileSync(this._logFile, 'utf8').trim();
+    if (!content) return [];
+    var entries = content.split('\n').map(function (line) {
+      try { return JSON.parse(line); } catch (_) { return null; }
+    }).filter(Boolean);
+    if (filter) {
+      if (filter.who) entries = entries.filter(function (e) { return e.who === filter.who; });
+      if (filter.what) entries = entries.filter(function (e) { return e.what === filter.what; });
+      if (filter.since) entries = entries.filter(function (e) { return e.timestamp >= filter.since; });
+      if (filter.until) entries = entries.filter(function (e) { return e.timestamp <= filter.until; });
+    }
+    return entries;
+  }
+
+  getSummary() {
+    var entries = this.readEntries();
+    var actors = {};
+    var actions = {};
+    for (var i = 0; i < entries.length; i++) {
+      actors[entries[i].who] = true;
+      actions[entries[i].what] = true;
+    }
+    return {
+      totalEntries: entries.length,
+      actors: Object.keys(actors),
+      actions: Object.keys(actions),
+      firstEntry: entries.length > 0 ? entries[0].timestamp : null,
+      lastEntry: entries.length > 0 ? entries[entries.length - 1].timestamp : null,
+    };
+  }
+
+  destroy() {
+    this.flush();
+    this._entries = [];
+  }
+
+  _computeHash(entry) {
+    var data = JSON.stringify({
+      seq: entry.seq, timestamp: entry.timestamp, who: entry.who,
+      what: entry.what, where: entry.where, why: entry.why,
+      metadata: entry.metadata, previousHash: entry.previousHash,
+    });
+    return crypto.createHash(HASH_ALGO).update(data).digest('hex');
+  }
+
+  _loadChainTip() {
+    if (!fs.existsSync(this._logFile)) return;
+    try {
+      var content = fs.readFileSync(this._logFile, 'utf8').trim();
+      if (!content) return;
+      var lines = content.split('\n');
+      var lastLine = lines[lines.length - 1];
+      var lastEntry = JSON.parse(lastLine);
+      this._lastHash = lastEntry.hash;
+      this._entryCount = (lastEntry.seq || 0) + 1;
+    } catch (_) {
+      console.warn('[audit] Warning: corrupted chain tip detected, starting fresh chain');
+      this._chainCorrupted = true;
+    }
+  }
+}
+
+module.exports = { AuditLog, HASH_ALGO, MAX_MEMORY_ENTRIES };