loki-mode 6.37.3 → 6.37.5

package/SKILL.md

@@ -3,7 +3,7 @@ name: loki-mode
 description: Multi-agent autonomous startup system. Triggers on "Loki Mode". Takes PRD to deployed product with minimal human intervention. Requires --dangerously-skip-permissions flag.
 ---
 
-# Loki Mode v6.37.3
+# Loki Mode v6.37.5
 
 **You are an autonomous agent. You make decisions. You do not ask questions. You do not stop.**
 
@@ -267,4 +267,4 @@ The following features are documented in skill modules but not yet fully automat
 | Quality gates 3-reviewer system | Implemented (v5.35.0) | 5 specialist reviewers in `skills/quality-gates.md`; execution in run.sh |
 | Benchmarks (HumanEval, SWE-bench) | Infrastructure only | Runner scripts and datasets exist in `benchmarks/`; no published results |
 
-**v6.37.3 | [Autonomi](https://www.autonomi.dev/) flagship product | ~260 lines core**
+**v6.37.5 | [Autonomi](https://www.autonomi.dev/) flagship product | ~260 lines core**

package/VERSION

@@ -1 +1 @@
-6.37.3
+6.37.5

package/autonomy/loki

@@ -1365,6 +1365,15 @@ cmd_pause() {
     fi
 
     if is_session_running; then
+        # Warn if running in perpetual mode where PAUSE is auto-cleared (#84)
+        local current_mode="${LOKI_AUTONOMY_MODE:-perpetual}"
+        local perpetual_flag="${LOKI_PERPETUAL_MODE:-false}"
+        if [ "$current_mode" = "perpetual" ] || [ "$perpetual_flag" = "true" ]; then
+            echo -e "${YELLOW}Warning: Session is running in perpetual mode.${NC}"
+            echo -e "${YELLOW}PAUSE signals are auto-cleared in perpetual mode and will be ignored.${NC}"
+            echo -e "Use ${CYAN}loki stop${NC} to halt a perpetual session, or switch autonomy mode first:"
+            echo -e "  ${DIM}loki config set autonomy_mode checkpoint${NC}"
+        fi
         touch "$LOKI_DIR/PAUSE"
         # Emit session pause event
         emit_event session cli pause "reason=user_requested"
@@ -4476,6 +4485,13 @@ cmd_watch() {
         return 1
     fi
 
+    # Verify the PRD file is readable (#67)
+    if [ ! -r "$prd_path" ]; then
+        echo -e "${RED}PRD file is not readable: $prd_path${NC}"
+        echo "Check file permissions: ls -la $prd_path"
+        return 1
+    fi
+
     # Resolve to absolute path
     prd_path="$(cd "$(dirname "$prd_path")" && pwd)/$(basename "$prd_path")"
     local prd_basename
@@ -5001,7 +5017,11 @@ cmd_config_set() {
             ;;
         budget)
             if ! echo "$value" | grep -qE '^[0-9]+(\.[0-9]+)?$'; then
-                echo -e "${RED}Invalid budget: $value (expected: numeric USD amount)${NC}"; return 1
+                echo -e "${RED}Invalid budget: $value (expected: positive numeric USD amount)${NC}"; return 1
+            fi
+            # Reject zero and negative values (#68)
+            if echo "$value" | grep -qE '^0+(\.0+)?$'; then
+                echo -e "${RED}Invalid budget: $value (must be greater than 0)${NC}"; return 1
             fi
             ;;
         model.planning|model.development|model.fast)
@@ -7788,6 +7808,36 @@ print(json.dumps({'id': manifest.id, 'dir': str(pipeline.migration_dir)}))
         phases_to_run=("understand" "guardrail" "migrate" "verify")
     fi
 
+    # Validate prerequisite artifacts exist before running phases (#81)
+    for p in "${phases_to_run[@]}"; do
+        case "$p" in
+            guardrail)
+                if [ ! -f "${migration_dir}/docs/analysis.md" ] || [ ! -f "${migration_dir}/seams.json" ]; then
+                    echo -e "${RED}Error: Phase 'guardrail' requires artifacts from 'understand' phase${NC}"
+                    echo -e "${DIM}  Missing: analysis.md or seams.json in ${migration_dir}${NC}"
+                    echo "Run: loki migrate ${codebase_path} --target ${target} --phase understand"
+                    return 1
+                fi
+                ;;
+            migrate)
+                if [ ! -f "${migration_dir}/features.json" ]; then
+                    echo -e "${RED}Error: Phase 'migrate' requires artifacts from 'guardrail' phase${NC}"
+                    echo -e "${DIM}  Missing: features.json in ${migration_dir}${NC}"
+                    echo "Run: loki migrate ${codebase_path} --target ${target} --phase guardrail"
+                    return 1
+                fi
+                ;;
+            verify)
+                if [ ! -f "${migration_dir}/migration-plan.json" ]; then
+                    echo -e "${RED}Error: Phase 'verify' requires migration-plan.json from 'migrate' phase${NC}"
+                    echo -e "${DIM}  Missing: migration-plan.json in ${migration_dir}${NC}"
+                    echo "Run: loki migrate ${codebase_path} --target ${target} --phase migrate"
+                    return 1
+                fi
+                ;;
+        esac
+    done
+
     # Execute phases
     for p in "${phases_to_run[@]}"; do
         echo -e "${CYAN}[Phase: ${p}]${NC} Starting..."
@@ -12595,24 +12645,32 @@ cmd_council() {
 
             if [ -f "$council_dir/state.json" ]; then
                 LOKI_COUNCIL_STATE="$council_dir/state.json" python3 -c "
-import json, os
-with open(os.environ['LOKI_COUNCIL_STATE']) as f:
-    state = json.load(f)
-print(f\"Enabled: {state.get('initialized', False)}\")
-print(f\"Total votes: {state.get('total_votes', 0)}\")
-print(f\"Approve votes: {state.get('approve_votes', 0)}\")
-print(f\"Reject votes: {state.get('reject_votes', 0)}\")
-print(f\"Stagnation streak: {state.get('consecutive_no_change', 0)}\")
-print(f\"Done signals: {state.get('done_signals', 0)}\")
-print(f\"Last check: iteration {state.get('last_check_iteration', 'none')}\")
-verdicts = state.get('verdicts', [])
-if verdicts:
-    print(f\"\nRecent verdicts:\")
-    for v in verdicts[-5:]:
-        print(f\"  Iteration {v['iteration']}: {v['result']} ({v['approve']} approve / {v['reject']} reject)\")
-else:
-    print(f\"\nNo verdicts yet\")
-" 2>/dev/null
+import json, os, sys
+try:
+    with open(os.environ['LOKI_COUNCIL_STATE']) as f:
+        state = json.load(f)
+    print(f\"Enabled: {state.get('initialized', False)}\")
+    print(f\"Total votes: {state.get('total_votes', 0)}\")
+    print(f\"Approve votes: {state.get('approve_votes', 0)}\")
+    print(f\"Reject votes: {state.get('reject_votes', 0)}\")
+    print(f\"Stagnation streak: {state.get('consecutive_no_change', 0)}\")
+    print(f\"Done signals: {state.get('done_signals', 0)}\")
+    print(f\"Last check: iteration {state.get('last_check_iteration', 'none')}\")
+    verdicts = state.get('verdicts', [])
+    if verdicts:
+        print(f\"\nRecent verdicts:\")
+        for v in verdicts[-5:]:
+            print(f\"  Iteration {v['iteration']}: {v['result']} ({v['approve']} approve / {v['reject']} reject)\")
+    else:
+        print(f\"\nNo verdicts yet\")
+except (json.JSONDecodeError, KeyError, TypeError) as e:
+    print(f'Error: Council state file is corrupted or invalid: {e}', file=sys.stderr)
+    print('Delete .loki/council/state.json and restart the session to reset.')
+    sys.exit(1)
+except Exception as e:
+    print(f'Error reading council state: {e}', file=sys.stderr)
+    sys.exit(1)
+" 2>&1
             else
                 echo "Council state file not found"
             fi
@@ -12623,9 +12681,14 @@ else:
 
             if [ -f "$council_dir/state.json" ]; then
                 LOKI_COUNCIL_STATE="$council_dir/state.json" python3 -c "
-import json, os
-with open(os.environ['LOKI_COUNCIL_STATE']) as f:
-    state = json.load(f)
+import json, os, sys
+try:
+    with open(os.environ['LOKI_COUNCIL_STATE']) as f:
+        state = json.load(f)
+except (json.JSONDecodeError, KeyError, TypeError) as e:
+    print(f'Error: Council state file is corrupted: {e}', file=sys.stderr)
+    print('Delete .loki/council/state.json and restart the session to reset.')
+    sys.exit(1)
 verdicts = state.get('verdicts', [])
 if not verdicts:
     print('No decisions recorded yet')
@@ -14674,33 +14737,40 @@ for a in agents:
             echo -e "${DIM}Persona: ${persona:0:80}...${NC}"
             echo ""
 
-            # Invoke current provider
+            # Invoke current provider and capture exit code (#72)
             local provider="${LOKI_PROVIDER:-claude}"
             if [ -f ".loki/state/provider" ]; then
                 provider=$(cat ".loki/state/provider" 2>/dev/null)
             fi
 
+            local agent_exit=0
             case "$provider" in
                 claude)
-                    claude -p "$full_prompt" 2>&1
+                    claude -p "$full_prompt" 2>&1 || agent_exit=$?
                     ;;
                 codex)
-                    codex exec --full-auto "$full_prompt" 2>&1
+                    codex exec --full-auto "$full_prompt" 2>&1 || agent_exit=$?
                     ;;
                 gemini)
-                    gemini --approval-mode=yolo "$full_prompt" 2>&1
+                    gemini --approval-mode=yolo "$full_prompt" 2>&1 || agent_exit=$?
                     ;;
                 cline)
-                    cline -y "$full_prompt" 2>&1
+                    cline -y "$full_prompt" 2>&1 || agent_exit=$?
                     ;;
                 aider)
-                    aider --message "$full_prompt" --yes-always --no-auto-commits < /dev/null 2>&1
+                    aider --message "$full_prompt" --yes-always --no-auto-commits < /dev/null 2>&1 || agent_exit=$?
                     ;;
                 *)
                     echo -e "${RED}Unknown provider: $provider${NC}"
                     return 1
                     ;;
             esac
+
+            if [ "$agent_exit" -ne 0 ]; then
+                echo ""
+                echo -e "${RED}Agent exited with code $agent_exit${NC}"
+                return "$agent_exit"
+            fi
             ;;
 
         start)

package/autonomy/run.sh

@@ -1243,6 +1243,7 @@ detect_complexity() {
     if [ -n "$prd_path" ] && [ -f "$prd_path" ]; then
         local prd_words=$(wc -w < "$prd_path" | tr -d ' ')
         local feature_count=0
+        local prd_lines=$(wc -l < "$prd_path" | tr -d ' ')
 
         # Detect PRD format and count features accordingly
         if [[ "$prd_path" == *.json ]]; then
@@ -1262,14 +1263,23 @@ detect_complexity() {
             feature_count=$(grep -c "^##\|^- \[" "$prd_path" 2>/dev/null || echo "0")
         fi
 
-        if [ "$prd_words" -lt 200 ] && [ "$feature_count" -lt 5 ]; then
+        # Count distinct sections (h2/h3 headers) for structural complexity (#74)
+        local section_count=0
+        if [[ "$prd_path" != *.json ]]; then
+            section_count=$(grep -c "^##\|^###" "$prd_path" 2>/dev/null || echo "0")
+        fi
+
+        # PRD complexity uses content length, feature count, AND structural depth (#74)
+        # A PRD with multiple sections or substantial content is not "simple" even with few project files
+        if [ "$prd_words" -lt 200 ] && [ "$feature_count" -lt 5 ] && [ "$section_count" -lt 3 ]; then
             prd_complexity="simple"
-        elif [ "$prd_words" -gt 1000 ] || [ "$feature_count" -gt 15 ]; then
+        elif [ "$prd_words" -gt 1000 ] || [ "$feature_count" -gt 15 ] || [ "$section_count" -gt 10 ]; then
             prd_complexity="complex"
         fi
     fi
 
     # Determine final complexity
+    # A non-simple PRD always prevents "simple" classification regardless of file count (#74)
     if [ "$file_count" -le 5 ] && [ "$prd_complexity" = "simple" ] && \
        [ "$has_external" = "false" ] && [ "$has_microservices" = "false" ]; then
         DETECTED_COMPLEXITY="simple"
@@ -1280,7 +1290,7 @@ detect_complexity() {
         DETECTED_COMPLEXITY="standard"
     fi
 
-    log_info "Detected complexity: $DETECTED_COMPLEXITY (files: $file_count, external: $has_external, microservices: $has_microservices)"
+    log_info "Detected complexity: $DETECTED_COMPLEXITY (files: $file_count, prd: $prd_complexity, external: $has_external, microservices: $has_microservices)"
 }
 
 # Get phases based on complexity tier
@@ -2824,6 +2834,9 @@ init_loki_dir() {
     mkdir -p .loki/artifacts/{releases,reports,backups}
     mkdir -p .loki/memory/{ledgers,handoffs,learnings,episodic,semantic,skills}
     mkdir -p .loki/metrics/{efficiency,rewards}
+    # Clear stale metrics from previous sessions so loki metrics shows current run data (#75)
+    rm -f .loki/metrics/efficiency/iteration-*.json 2>/dev/null || true
+    rm -f .loki/metrics/rewards/*.json 2>/dev/null || true
     mkdir -p .loki/rules
     mkdir -p .loki/signals
 
@@ -5502,10 +5515,11 @@ run_code_review() {
     log_info "Selecting 3 specialist reviewers from pool..."
 
     # Write diff/files to temp files for python to read (avoid env var size limits)
+    # Use printf to prevent shell variable expansion in diff content (#78)
     local diff_file="$review_dir/$review_id/diff.txt"
     local files_file="$review_dir/$review_id/files.txt"
-    echo "$diff_content" > "$diff_file"
-    echo "$changed_files" > "$files_file"
+    printf '%s\n' "$diff_content" > "$diff_file"
+    printf '%s\n' "$changed_files" > "$files_file"
 
     # Select specialists via keyword scoring (python3 reads files, not env vars)
     # Loads from agents/types.json when available, falls back to hardcoded pool (v6.7.0)
@@ -5881,11 +5895,11 @@ run_adversarial_testing() {
     local changed_files
     changed_files=$(git -C "${TARGET_DIR:-.}" diff --name-only HEAD~1 2>/dev/null || git -C "${TARGET_DIR:-.}" diff --name-only --cached 2>/dev/null || echo "")
 
-    # Write analysis files
+    # Write analysis files -- use printf to prevent shell variable expansion (#78)
     local diff_file="$adversarial_dir/$test_id/diff.txt"
     local files_file="$adversarial_dir/$test_id/files.txt"
-    echo "$diff_content" > "$diff_file"
-    echo "$changed_files" > "$files_file"
+    printf '%s\n' "$diff_content" > "$diff_file"
+    printf '%s\n' "$changed_files" > "$files_file"
 
     # Build adversarial prompt -- use heredoc with quoted delimiter to prevent
     # shell variable expansion in diff content (fixes #78)

package/dashboard/__init__.py

@@ -7,7 +7,7 @@ Modules:
     control: Session control API (start/stop/pause/resume)
 """
 
-__version__ = "6.37.3"
+__version__ = "6.37.5"
 
 # Expose the control app for easy import
 try:

package/dashboard/auth.py

@@ -59,17 +59,29 @@ _SCOPE_HIERARCHY = {
 if OIDC_ENABLED:
     import logging as _logging
     _logger = _logging.getLogger("loki.auth")
+    _pyjwt_available = False
+    try:
+        import jwt as _pyjwt_check  # noqa: F401
+        from jwt import PyJWKClient as _PyJWKClient_check  # noqa: F401
+        _pyjwt_available = True
+    except ImportError:
+        _pyjwt_available = False
+
     if OIDC_SKIP_SIGNATURE_VERIFY:
         _logger.critical(
             "OIDC/SSO signature verification DISABLED (LOKI_OIDC_SKIP_SIGNATURE_VERIFY=true). "
             "This is INSECURE and allows forged JWTs. Only use for local testing. "
             "For production, install PyJWT + cryptography and remove this env var."
         )
+    elif _pyjwt_available:
+        _logger.info(
+            "OIDC/SSO enabled with PyJWT cryptographic signature verification (RS256/RS384/RS512)."
+        )
     else:
-        _logger.warning(
-            "OIDC/SSO enabled (EXPERIMENTAL). Claims-based validation only -- "
-            "JWT signatures are NOT cryptographically verified. Install PyJWT + "
-            "cryptography for production signature verification."
+        _logger.critical(
+            "OIDC/SSO enabled but PyJWT is NOT installed. Tokens will be REJECTED "
+            "unless LOKI_OIDC_SKIP_SIGNATURE_VERIFY=true is set. "
+            "Install PyJWT + cryptography: pip install PyJWT cryptography"
         )
 
 # OIDC JWKS cache (issuer URL -> (keys_dict, fetch_timestamp))
@@ -526,14 +538,18 @@ def validate_oidc_token(token_str: str) -> Optional[dict]:
             "issuer": decoded.get("iss"),
         }
     except ImportError:
-        # PyJWT not installed -- fall through to claims-only path with loud warning
-        _warning_msg = (
-            "WARNING: OIDC JWT signatures are NOT cryptographically verified. "
-            "Install PyJWT with 'pip install PyJWT cryptography' for production use."
+        # PyJWT not installed -- only allow claims-only path if explicitly opted in
+        if not OIDC_SKIP_SIGNATURE_VERIFY:
+            _auth_logger.error(
+                "OIDC token rejected: PyJWT not installed and "
+                "LOKI_OIDC_SKIP_SIGNATURE_VERIFY is not set. "
+                "Install PyJWT: pip install PyJWT cryptography"
+            )
+            return None
+        _auth_logger.warning(
+            "PyJWT not installed -- using claims-only validation "
+            "(LOKI_OIDC_SKIP_SIGNATURE_VERIFY=true). This is INSECURE."
         )
-        _auth_logger.warning(_warning_msg)
-        # Also print to stderr so operators notice even without log config
-        print(_warning_msg, file=sys.stderr)
     except Exception as exc:
         _auth_logger.error("PyJWT signature verification failed: %s", exc)
         return None

package/dashboard/server.py

@@ -30,7 +30,7 @@ from fastapi import (
 )
 from fastapi.middleware.cors import CORSMiddleware
 from fastapi.responses import JSONResponse, PlainTextResponse
-from pydantic import BaseModel, Field
+from pydantic import BaseModel, Field, field_validator
 from sqlalchemy import select, update, delete
 from sqlalchemy.ext.asyncio import AsyncSession
 from sqlalchemy.orm import selectinload
@@ -75,6 +75,27 @@ def _safe_int_env(name: str, default: int) -> int:
         return default
 
 
+def _safe_json_read(path: _Path, default: Any = None) -> Any:
+    """Read a JSON file with retry on partial/corrupt data from concurrent writes."""
+    for attempt in range(2):
+        try:
+            text = path.read_text(encoding="utf-8", errors="replace")
+            return json.loads(text)
+        except json.JSONDecodeError:
+            if attempt == 0:
+                time.sleep(0.1)
+                continue
+            return default
+        except (OSError, IOError):
+            return default
+    return default
+
+
+def _safe_read_text(path: _Path) -> str:
+    """Read a text file with UTF-8 encoding, replacing non-UTF-8 bytes."""
+    return open(path, encoding="utf-8", errors="replace").read()
+
+
 # ---------------------------------------------------------------------------
 # Simple in-memory rate limiter for control endpoints
 # ---------------------------------------------------------------------------
@@ -98,12 +119,12 @@ class _RateLimiter:
         for k in empty_keys:
             del self._calls[k]
 
-        # Evict oldest keys if max_keys exceeded
+        # Evict least-recently-accessed keys if max_keys exceeded
         if len(self._calls) > self._max_keys:
-            # Sort by oldest timestamp, remove oldest keys
+            # Sort by last-access time (most recent timestamp), evict least recent
             sorted_keys = sorted(
                 self._calls.items(),
-                key=lambda x: min(x[1]) if x[1] else 0
+                key=lambda x: max(x[1]) if x[1] else 0
             )
             keys_to_remove = len(self._calls) - self._max_keys
             for k, _ in sorted_keys[:keys_to_remove]:
@@ -123,12 +144,30 @@ logger = logging.getLogger(__name__)
 
 
 # Pydantic schemas for API
+def _sanitize_text_field(value: str) -> str:
+    """Strip/reject control characters from text fields."""
+    import unicodedata
+    # Remove control characters (except common whitespace like space)
+    cleaned = "".join(
+        ch for ch in value if unicodedata.category(ch)[0] != "C" or ch in (" ",)
+    )
+    cleaned = cleaned.strip()
+    if not cleaned:
+        raise ValueError("Field must not be empty after removing control characters")
+    return cleaned
+
+
 class ProjectCreate(BaseModel):
     """Schema for creating a project."""
     name: str = Field(..., min_length=1, max_length=255)
     description: Optional[str] = None
     prd_path: Optional[str] = None
 
+    @field_validator("name")
+    @classmethod
+    def validate_name(cls, v: str) -> str:
+        return _sanitize_text_field(v)
+
 
 class ProjectUpdate(BaseModel):
     """Schema for updating a project."""
@@ -165,6 +204,11 @@ class TaskCreate(BaseModel):
     parent_task_id: Optional[int] = None
     estimated_duration: Optional[int] = None
 
+    @field_validator("title")
+    @classmethod
+    def validate_title(cls, v: str) -> str:
+        return _sanitize_text_field(v)
+
 
 class TaskUpdate(BaseModel):
     """Schema for updating a task."""
@@ -315,7 +359,7 @@ async def _push_loki_state_loop() -> None:
                 if mtime != last_mtime:
                     last_mtime = mtime
                     try:
-                        raw = json.loads(state_file.read_text())
+                        raw = _safe_json_read(state_file, {})
                         # Transform to StatusResponse-compatible format
                         agents_list = raw.get("agents", [])
                         running_agents = len(agents_list) if isinstance(agents_list, list) else 0
@@ -515,10 +559,10 @@ async def get_status() -> StatusResponse:
     pending_tasks = 0
     running_agents = 0
 
-    # Read dashboard state
+    # Read dashboard state (with retry for concurrent writes)
     if state_file.exists():
         try:
-            state = json.loads(state_file.read_text())
+            state = _safe_json_read(state_file, {})
             phase = state.get("phase", "")
             iteration = state.get("iteration", 0)
             complexity = state.get("complexity", "standard")
@@ -561,7 +605,7 @@ async def get_status() -> StatusResponse:
     # Also check session.json for skill-invoked sessions
     if not running and session_file.exists():
         try:
-            sd = json.loads(session_file.read_text())
+            sd = _safe_json_read(session_file, {})
             if sd.get("status") == "running":
                 running = True
         except (json.JSONDecodeError, KeyError):
@@ -673,21 +717,41 @@ async def get_status() -> StatusResponse:
 @app.get("/api/projects", response_model=list[ProjectResponse])
 async def list_projects(
     status: Optional[str] = Query(None),
+    limit: int = Query(default=50, ge=1, le=500),
+    offset: int = Query(default=0, ge=0),
     db: AsyncSession = Depends(get_db),
 ) -> list[ProjectResponse]:
-    """List all projects."""
-    query = select(Project).options(selectinload(Project.tasks))
+    """List projects with pagination. Does not eager-load tasks for efficiency."""
+    from sqlalchemy import func as sa_func
+
+    query = select(Project)
     if status:
         query = query.where(Project.status == status)
-    query = query.order_by(Project.created_at.desc())
+    query = query.order_by(Project.created_at.desc()).offset(offset).limit(limit)
 
     result = await db.execute(query)
     projects = result.scalars().all()
 
+    # Batch-fetch task counts instead of N+1 eager loading
+    project_ids = [p.id for p in projects]
     response = []
+    if project_ids:
+        count_query = (
+            select(
+                Task.project_id,
+                sa_func.count().label("total"),
+                sa_func.count().filter(Task.status == TaskStatus.DONE).label("done"),
+            )
+            .where(Task.project_id.in_(project_ids))
+            .group_by(Task.project_id)
+        )
+        count_result = await db.execute(count_query)
+        counts = {row.project_id: (row.total, row.done) for row in count_result}
+    else:
+        counts = {}
+
     for project in projects:
-        task_count = len(project.tasks)
-        completed_count = len([t for t in project.tasks if t.status == TaskStatus.DONE])
+        total, done = counts.get(project.id, (0, 0))
         response.append(
             ProjectResponse(
                 id=project.id,
@@ -697,8 +761,8 @@ async def list_projects(
                 status=project.status,
                 created_at=project.created_at,
                 updated_at=project.updated_at,
-                task_count=task_count,
-                completed_task_count=completed_count,
+                task_count=total,
+                completed_task_count=done,
             )
         )
     return response
@@ -1066,12 +1130,29 @@ async def create_task(
                 Task.project_id == task.project_id
             )
         )
-        if not result.scalar_one_or_none():
+        parent = result.scalar_one_or_none()
+        if not parent:
             raise HTTPException(
                 status_code=400,
                 detail="Parent task not found or belongs to different project"
             )
 
+        # Detect circular reference: walk parent chain
+        visited = set()
+        current_parent_id = task.parent_task_id
+        while current_parent_id is not None:
+            if current_parent_id in visited:
+                raise HTTPException(
+                    status_code=422,
+                    detail="Circular reference detected in parent task chain"
+                )
+            visited.add(current_parent_id)
+            parent_result = await db.execute(
+                select(Task.parent_task_id).where(Task.id == current_parent_id)
+            )
+            row = parent_result.scalar_one_or_none()
+            current_parent_id = row if row else None
+
     db_task = Task(
         project_id=task.project_id,
         title=task.title,
@@ -1192,6 +1273,15 @@ async def delete_task(
     })
 
 
+# Valid status transitions for task state machine
+_TASK_STATE_MACHINE: dict[TaskStatus, set[TaskStatus]] = {
+    TaskStatus.BACKLOG: {TaskStatus.PENDING},
+    TaskStatus.PENDING: {TaskStatus.IN_PROGRESS},
+    TaskStatus.IN_PROGRESS: {TaskStatus.REVIEW, TaskStatus.DONE},
+    TaskStatus.REVIEW: {TaskStatus.DONE, TaskStatus.IN_PROGRESS},
+}
+
+
 @app.post("/api/tasks/{task_id}/move", response_model=TaskResponse, dependencies=[Depends(auth.require_scope("control"))])
 async def move_task(
     task_id: int,
@@ -1208,6 +1298,18 @@ async def move_task(
         raise HTTPException(status_code=404, detail="Task not found")
 
     old_status = task.status
+
+    # Validate status transition
+    if move.status != old_status:
+        allowed = _TASK_STATE_MACHINE.get(old_status, set())
+        if move.status not in allowed:
+            raise HTTPException(
+                status_code=422,
+                detail=f"Invalid status transition: {old_status.value} -> {move.status.value}. "
+                       f"Allowed transitions from {old_status.value}: "
+                       f"{', '.join(s.value for s in allowed) if allowed else 'none'}",
+            )
+
     task.status = move.status
     task.position = move.position
 
@@ -1252,8 +1354,9 @@ async def websocket_endpoint(websocket: WebSocket) -> None:
     # proxy access logs -- configure log sanitization for /ws in production.
     # FastAPI Depends() is not supported on @app.websocket() routes.
 
-    # Rate limit WebSocket connections by IP
-    client_ip = websocket.client.host if websocket.client else "unknown"
+    # Rate limit WebSocket connections by IP (use unique key when client info unavailable)
+    import uuid as _uuid
+    client_ip = websocket.client.host if websocket.client else f"ws-{_uuid.uuid4().hex}"
     if not _read_limiter.check(f"ws_{client_ip}"):
         await websocket.close(code=1008)  # Policy Violation
         return
@@ -1447,7 +1550,13 @@ async def sync_registry():
     if not _read_limiter.check("registry_sync"):
         raise HTTPException(status_code=429, detail="Rate limit exceeded")
 
-    result = registry.sync_registry_with_discovery()
+    try:
+        result = await asyncio.wait_for(
+            asyncio.get_event_loop().run_in_executor(None, registry.sync_registry_with_discovery),
+            timeout=30.0,
+        )
+    except asyncio.TimeoutError:
+        raise HTTPException(status_code=504, detail="Registry sync timed out after 30 seconds")
     return {
         "added": result["added"],
         "updated": result["updated"],
@@ -1815,11 +1924,14 @@ async def list_episodes(limit: int = Query(default=50, ge=1, le=1000)):
         except Exception:
             pass
 
-    # Fallback to JSON files
+    # Fallback to JSON files -- use heapq to avoid sorting all files
+    import heapq
     ep_dir = _get_loki_dir() / "memory" / "episodic"
     episodes = []
     if ep_dir.exists():
-        files = sorted(ep_dir.glob("*.json"), reverse=True)[:limit]
+        all_files = ep_dir.glob("*.json")
+        # nlargest by filename (timestamps sort lexicographically) avoids full sort
+        files = heapq.nlargest(limit, all_files, key=lambda f: f.name)
         for f in files:
             try:
                 episodes.append(json.loads(f.read_text()))
@@ -3525,7 +3637,7 @@ async def get_logs(lines: int = 100, token: Optional[dict] = Depends(auth.get_cu
                 file_mtime = datetime.fromtimestamp(log_file.stat().st_mtime, tz=timezone.utc).strftime(
                     "%Y-%m-%dT%H:%M:%S"
                 )
-                content = log_file.read_text()
+                content = _safe_read_text(log_file)
                 for raw_line in content.strip().split("\n")[-lines:]:
                     timestamp = ""
                     level = "info"
@@ -4310,7 +4422,7 @@ async def get_app_runner_logs(lines: int = Query(default=100, ge=1, le=1000)):
     if not log_file.exists():
         return {"lines": []}
     try:
-        all_lines = log_file.read_text().splitlines()
+        all_lines = _safe_read_text(log_file).splitlines()
         return {"lines": all_lines[-lines:]}
     except OSError:
         return {"lines": []}
@@ -4573,25 +4685,16 @@ async def serve_index():
         if os.path.isfile(index_path):
             return FileResponse(index_path, media_type="text/html")
 
-    # Return helpful error message
-    return HTMLResponse(
-        content="""
-        <html>
-        <head><title>Loki Dashboard</title></head>
-        <body style="font-family: system-ui; padding: 40px; max-width: 600px; margin: 0 auto;">
-            <h1>Dashboard Frontend Not Found</h1>
-            <p>The dashboard API is running, but the frontend files were not found.</p>
-            <p>To fix this, run:</p>
-            <pre style="background: #f5f5f5; padding: 15px; border-radius: 5px;">cd dashboard-ui && npm run build</pre>
-            <p><strong>API Endpoints:</strong></p>
-            <ul>
-                <li><a href="/health">/health</a> - Health check</li>
-                <li><a href="/docs">/docs</a> - API documentation</li>
-            </ul>
-        </body>
-        </html>
-        """,
-        status_code=200
+    # Return 503 when frontend files are not found
+    return JSONResponse(
+        content={
+            "error": "dashboard_frontend_not_found",
+            "detail": "The dashboard API is running, but the frontend files were not found. "
+                      "Run: cd dashboard-ui && npm run build",
+            "api_docs": "/docs",
+            "health": "/health",
+        },
+        status_code=503,
     )
 
 

package/docs/INSTALLATION.md

@@ -2,7 +2,7 @@
 
 The flagship product of [Autonomi](https://www.autonomi.dev/). Complete installation instructions for all platforms and use cases.
 
-**Version:** v6.37.3
+**Version:** v6.37.5
 
 ---
 

package/mcp/__init__.py

@@ -57,4 +57,4 @@ try:
 except ImportError:
     __all__ = ['mcp']
 
-__version__ = '6.37.3'
+__version__ = '6.37.5'

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "loki-mode",
-  "version": "6.37.3",
+  "version": "6.37.5",
   "description": "Loki Mode by Autonomi - Multi-agent autonomous startup system for Claude Code, Codex CLI, and Gemini CLI",
   "keywords": [
     "agent",