loki-mode 6.36.3 → 6.36.5

package/LICENSE

@@ -1,21 +1,123 @@
-MIT License
-
-Copyright (c) 2025 Loki Mode Contributors
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+Business Source License 1.1
+
+Parameters
+
+Licensor:             Autonomi, Inc. (autonomi.dev)
+Licensed Work:        Loki Mode and all associated components, including but not
+                      limited to its multi-agent orchestration engine, agent
+                      coordination protocols, review and verification systems,
+                      documentation, research, architectural patterns, and any
+                      rebranded or successor versions of this software.
+                      The Licensed Work is (c) 2024-2026 Autonomi, Inc.
+                      All rights reserved.
+Additional Use Grant: You may make production use of the Licensed Work, provided
+                      that such use does not include offering the Licensed Work,
+                      or any derivative work or adaptation of it, to third parties
+                      as a commercial product, hosted service, managed service, or
+                      embedded component of a commercial offering that competes
+                      with any product or service provided by the Licensor.
+
+                      For purposes of this license, "compete" means offering a
+                      product or service that provides substantially the same or
+                      similar functionality as the Licensed Work to third parties,
+                      whether for a fee or free of charge, including but not
+                      limited to:
+                      (a) multi-agent AI development orchestration platforms or
+                          frameworks;
+                      (b) autonomous software development products or services;
+                      (c) AI-powered code generation, review, or deployment
+                          services that incorporate or replicate the Licensed
+                          Work's orchestration, review, verification, or agent
+                          coordination systems; or
+                      (d) products or services that substantially replicate the
+                          Licensed Work's core architectural patterns, including
+                          the RARV (Reason-Act-Reflect-Verify) cycle, Completion
+                          Council peer review system, or multi-agent swarm
+                          coordination model.
+
+                      The following uses are permitted without a commercial license:
+                      (i)   individual and non-commercial use;
+                      (ii)  internal business use where the Licensed Work is used
+                            as a tool and is not itself the product or service
+                            being offered to third parties;
+                      (iii) academic, educational, and research use;
+                      (iv)  evaluation and testing in non-production environments;
+                      (v)   contributions back to the Licensed Work under a signed
+                            Contributor License Agreement.
+
+Change Date:          March 19, 2030
+Change License:       Apache License, Version 2.0
+
+For information about alternative licensing arrangements for the Licensed Work,
+please contact: founder@autonomi.dev
+
+Intellectual Property Notice
+
+The Licensed Work embodies proprietary methodologies, architectural patterns,
+and research developed by the Licensor. These include, without limitation, the
+RARV execution cycle, the Completion Council consensus-based review system,
+context persistence mechanisms for long-running autonomous sessions, multi-
+provider orchestration protocols, and swarm-based agent coordination models.
+Use of these methodologies, whether through the Licensed Work's code or through
+independent reimplementation based on the Licensed Work's documentation or
+published research, is subject to the terms of this License.
+
+Contributions
+
+External contributions to the Licensed Work are accepted only under a signed
+Contributor License Agreement (CLA) that assigns sufficient rights to the
+Licensor to sublicense, relicense, and commercially distribute the contribution
+as part of the Licensed Work. Contributing code to the Licensed Work without a
+signed CLA does not grant the Licensor any rights to the contribution, and such
+contributions may be removed.
+
+Notice
+
+The Business Source License (this document, or the "License") is not an Open
+Source license. However, the Licensed Work will eventually be made available
+under an Open Source License, as stated in this License.
+
+License text copyright (c) 2017 MariaDB Corporation Ab, All Rights Reserved.
+"Business Source License" is a trademark of MariaDB Corporation Ab.
+
+Terms
+
+The Licensor hereby grants you the right to copy, modify, create derivative
+works, redistribute, and make non-production use of the Licensed Work. The
+Licensor may make an Additional Use Grant, above, permitting limited production
+use.
+
+Effective on the Change Date, or the fourth anniversary of the first publicly
+available distribution of a specific version of the Licensed Work under this
+License, whichever comes first, the Licensor hereby grants you rights under
+the terms of the Change License, and the rights granted in the paragraph above
+terminate.
+
+If your use of the Licensed Work does not comply with the requirements
+currently in effect as described in this License, you must purchase a
+commercial license from the Licensor, its affiliated entities, or authorized
+resellers, or you must refrain from using the Licensed Work.
+
+All copies of the original and modified Licensed Work, and derivative works of
+the Licensed Work, are subject to this License. This License applies separately
+for each version of the Licensed Work and the Change Date may vary for each
+version of the Licensed Work released by Licensor.
+
+You must conspicuously display this License on each original or modified copy
+of the Licensed Work. If you receive the Licensed Work in original or modified
+form from a third party, the terms and conditions set forth in this License
+apply to your use of that work.
+
+Any use of the Licensed Work in violation of this License will automatically
+terminate your rights under this License for the current and all other
+versions of the Licensed Work.
+
+This License does not grant you any right in any trademark or logo of Licensor
+or its affiliates (provided that you may use a trademark or logo of Licensor
+as expressly required by this License).
+
+TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE LICENSED WORK IS PROVIDED ON
+AN "AS IS" BASIS. LICENSOR HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS,
+EXPRESS OR IMPLIED, INCLUDING (WITHOUT LIMITATION) WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND
+TITLE.

package/SKILL.md

@@ -3,7 +3,7 @@ name: loki-mode
 description: Multi-agent autonomous startup system. Triggers on "Loki Mode". Takes PRD to deployed product with minimal human intervention. Requires --dangerously-skip-permissions flag.
 ---
 
-# Loki Mode v6.36.3
+# Loki Mode v6.36.5
 
 **You are an autonomous agent. You make decisions. You do not ask questions. You do not stop.**
 
@@ -267,4 +267,4 @@ The following features are documented in skill modules but not yet fully automat
 | Quality gates 3-reviewer system | Implemented (v5.35.0) | 5 specialist reviewers in `skills/quality-gates.md`; execution in run.sh |
 | Benchmarks (HumanEval, SWE-bench) | Infrastructure only | Runner scripts and datasets exist in `benchmarks/`; no published results |
 
-**v6.36.3 | [Autonomi](https://www.autonomi.dev/) flagship product | ~260 lines core**
+**v6.36.5 | [Autonomi](https://www.autonomi.dev/) flagship product | ~260 lines core**

package/VERSION

@@ -1 +1 @@
-6.36.3
+6.36.5

package/dashboard/__init__.py

@@ -7,7 +7,7 @@ Modules:
     control: Session control API (start/stop/pause/resume)
 """
 
-__version__ = "6.36.3"
+__version__ = "6.36.5"
 
 # Expose the control app for easy import
 try:

package/dashboard/auth.py

@@ -595,7 +595,7 @@ def require_scope(scope: str):
     """
     async def check_scope(token_info: Optional[dict] = Security(get_current_token)):
         if not ENTERPRISE_AUTH_ENABLED and not OIDC_ENABLED:
-            return  # No auth required
+            return True  # Auth disabled - allow access with explicit truthy value
 
         if not token_info:
             raise HTTPException(status_code=401, detail="Authentication required")

package/docs/INSTALLATION.md

@@ -2,7 +2,7 @@
 
 The flagship product of [Autonomi](https://www.autonomi.dev/). Complete installation instructions for all platforms and use cases.
 
-**Version:** v6.36.3
+**Version:** v6.36.5
 
 ---
 

package/mcp/__init__.py

@@ -57,4 +57,4 @@ try:
 except ImportError:
     __all__ = ['mcp']
 
-__version__ = '6.36.3'
+__version__ = '6.36.5'

package/mcp/server.py

@@ -88,6 +88,23 @@ def _get_mcp_state_manager():
     return _state_manager
 
 
+def cleanup_mcp_singletons():
+    """Clean up module-level singletons to prevent resource leaks on restart.
+
+    Call this before restarting the MCP server to release file handles
+    held by the StateManager and LearningCollector instances.
+    """
+    global _state_manager, _learning_collector
+    if _state_manager is not None:
+        if hasattr(_state_manager, 'close'):
+            _state_manager.close()
+        _state_manager = None
+    if _learning_collector is not None:
+        if hasattr(_learning_collector, 'close'):
+            _learning_collector.close()
+        _learning_collector = None
+
+
 # ============================================================
 # PATH SECURITY - Prevent path traversal attacks
 # ============================================================
@@ -1679,6 +1696,7 @@ Use loki_state_get and loki_task_queue_list to gather data."""
 
 def main():
     import argparse
+    import atexit
     parser = argparse.ArgumentParser(description='Loki Mode MCP Server')
     parser.add_argument('--transport', choices=['stdio', 'http'], default='stdio',
                        help='Transport mechanism (default: stdio)')
@@ -1686,6 +1704,9 @@ def main():
                        help='Port for HTTP transport (default: 8421)')
     args = parser.parse_args()
 
+    # Register cleanup to prevent file handle leaks on shutdown/restart
+    atexit.register(cleanup_mcp_singletons)
+
     logger.info(f"Starting Loki Mode MCP server (transport: {args.transport})")
 
     if args.transport == 'http':

package/memory/consolidation.py

@@ -81,7 +81,7 @@ class Cluster:
     def to_dict(self) -> Dict[str, Any]:
         """Convert to dictionary for JSON serialization."""
         return {
-            "episode_ids": [ep.id if hasattr(ep, 'id') else ep.get('id', '') for ep in self.episodes],
+            "episode_ids": [getattr(ep, 'id', '') if not isinstance(ep, dict) else ep.get('id', '') for ep in self.episodes],
             "label": self.label,
             "size": len(self.episodes),
         }

package/memory/engine.py

@@ -5,11 +5,14 @@
 from __future__ import annotations
 
 import json
+import logging
 import os
 from datetime import datetime, timedelta, timezone
 from pathlib import Path
 from typing import Any, Callable, Dict, List, Optional, Union
 
+logger = logging.getLogger(__name__)
+
 # Import schemas - these are expected to be created in parallel
 from .schemas import (
     ActionEntry,
@@ -598,6 +601,13 @@ class MemoryEngine:
         """
         if self._embedding_func is None:
             # Fall back to keyword matching if no embeddings
+            if not getattr(self, '_embedding_warning_logged', False):
+                logger.warning(
+                    "Vector search unavailable: numpy or sentence-transformers "
+                    "not installed. Falling back to keyword matching. "
+                    "Install with: pip install numpy sentence-transformers"
+                )
+                self._embedding_warning_logged = True
             return self._keyword_search(query, collection, top_k)
 
         # Use embeddings for similarity search

package/memory/retrieval.py

@@ -18,11 +18,14 @@ See references/memory-system.md for full documentation.
 from __future__ import annotations
 
 import json
+import logging
 import re
 from datetime import datetime, timezone
 from pathlib import Path
 from typing import Any, Callable, Dict, List, Optional, Protocol, Tuple, Union, TYPE_CHECKING
 
+logger = logging.getLogger(__name__)
+
 # numpy is optional - only required for vector operations
 try:
     import numpy as np
@@ -30,6 +33,10 @@ try:
 except ImportError:
     np = None  # type: ignore
     NUMPY_AVAILABLE = False
+    logger.warning(
+        "numpy not installed. Vector operations in memory retrieval will be "
+        "degraded. Install with: pip install numpy"
+    )
 
 # Import from sibling modules
 from .schemas import EpisodeTrace, SemanticPattern, ProceduralSkill

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "loki-mode",
-  "version": "6.36.3",
+  "version": "6.36.5",
   "description": "Loki Mode by Autonomi - Multi-agent autonomous startup system for Claude Code, Codex CLI, and Gemini CLI",
   "keywords": [
     "agent",

package/web-app/server.py

@@ -44,9 +44,20 @@ DIST_DIR = SCRIPT_DIR / "dist"
 
 app = FastAPI(title="Purple Lab", docs_url=None, redoc_url=None)
 
+_default_cors_origins = [
+    f"http://127.0.0.1:{PORT}",
+    f"http://localhost:{PORT}",
+]
+_cors_env = os.environ.get("PURPLE_LAB_CORS_ORIGINS", "")
+_cors_origins = (
+    [o.strip() for o in _cors_env.split(",") if o.strip()]
+    if _cors_env
+    else _default_cors_origins
+)
+
 app.add_middleware(
     CORSMiddleware,
-    allow_origins=["http://127.0.0.1:57375", "http://localhost:57375"],
+    allow_origins=_cors_origins,
     allow_methods=["*"],
     allow_headers=["*"],
 )
@@ -149,12 +160,25 @@ def _loki_dir() -> Path:
 
 
 def _safe_resolve(base: Path, requested: str) -> Optional[Path]:
-    """Resolve a path ensuring it stays within base (path traversal protection)."""
+    """Resolve a path ensuring it stays within base (path traversal protection).
+
+    Uses os.path.commonpath to avoid the startswith prefix collision where
+    /tmp/proj would incorrectly pass a check against /tmp/projother.
+    Also rejects symlinks that escape the base directory.
+    """
     try:
         resolved = (base / requested).resolve()
         base_resolved = base.resolve()
-        if str(resolved).startswith(str(base_resolved)):
-            return resolved
+        # Ensure resolved is strictly inside base_resolved
+        resolved.relative_to(base_resolved)
+        # Reject if any component is a symlink pointing outside base
+        check = base_resolved
+        for part in resolved.relative_to(base_resolved).parts:
+            check = check / part
+            if check.is_symlink():
+                link_target = check.resolve()
+                link_target.relative_to(base_resolved)  # raises ValueError if outside
+        return resolved
     except (ValueError, OSError):
         pass
     return None