loki-mode 7.26.0 → 7.28.0

package/README.md

@@ -18,7 +18,7 @@
 
 ---
 
-> **How it works:** Drop a spec -- a PRD, GitHub issue, OpenAPI/JSON/YAML, or one-line brief. Loki Mode classifies complexity (`run.sh:detect_complexity()`), assembles an agent team from 41 specialized types across 8 swarms, and runs autonomous RARV cycles (Reason - Act - Reflect - Verify, see `run.sh:run_autonomous()`) with 11 quality gates (see `skills/quality-gates.md`). Code is not "done" until it passes automated verification. Output is a Git repo with source, tests, configs, and audit logs.
+> **How it works:** Drop a spec -- a PRD, GitHub issue, OpenAPI/JSON/YAML, or one-line brief. Loki Mode classifies complexity (`run.sh:detect_complexity()`), assembles an agent team from 41 specialized agent roles across 8 domains - prompt-defined specifications the orchestrator adopts per phase, with parallel review (blind council) and optional worktree streams on Claude Code, sequential on other providers - and runs autonomous RARV cycles (Reason - Act - Reflect - Verify, see `run.sh:run_autonomous()`) with 11 quality gates (see `skills/quality-gates.md`). Code is not "done" until it passes automated verification. Output is a Git repo with source, tests, configs, and audit logs.
 
 ---
 
@@ -26,6 +26,8 @@
 
 - **Spec-driven, autonomous, with a built-in trust layer** -- Hand Loki a spec, walk away, come back to working code with tests. The full RARV-C closure loop (Reason - Act - Reflect - Verify - Close) runs until the work is actually done, not just attempted. The verified-completion evidence gate (`skills/quality-gates.md`) refuses any "done" claim on an empty git diff against the run-start commit, and blocks completion when tests run red, so "complete" means proven, not promised.
 - **Production quality built in** -- 11 quality gates (`skills/quality-gates.md`), blind 3-reviewer code review (`run.sh:run_code_review()`), anti-sycophancy checks
+- **Standalone verification: `loki verify`** -- Run Loki's deterministic gates (build, tests, static analysis, secret scan, dependency audit) against any branch or PR diff, including code written by other agents or humans. CI-ready exit codes (0 VERIFIED, 1 CONCERNS, 2 BLOCKED), machine-readable evidence at `.loki/verify/evidence.json`. Inconclusive evidence is never reported as VERIFIED (v7.27.0).
+- **Living spec and pre-build interrogation** -- `loki spec` locks a spec and detects drift deterministically (`spec.lock`, `drift-report.json`, and a `SPEC_DRIFT` finding in `loki verify` with CI exit codes), so you can tell when the build diverges from what was agreed. `loki grill` runs a Devil's-Advocate interrogation of the spec before you build, surfacing gaps and contradictions early (v7.28.0).
 - **Live App Preview** -- The dashboard embeds the locally-running app in an iframe so you can interact with it immediately during a build. Use `loki preview` (alias `loki open`) to print the URL and open it in your browser. Local-first: no hosted service, no vendor lock (v7.24.0).
 - **Compose-first fullstack** -- When a spec needs more than one service (web + database + cache) Loki generates a 12-factor `docker-compose.yml` with healthchecks, `depends_on` wiring, env-var config, and a `.env.example`. The Live App Preview surfaces the web service URL (not a database port), and health reflects the web service's Docker healthcheck so a crashed app shows as crashed even when the database stays up. Single-service apps stay on a plain run command. All local-first, no hosted service (v7.26.0).
 - **Intelligent `loki start`** -- For interactive foreground runs the dashboard auto-opens in the browser (cross-platform; skipped in CI, SSH-without-TTY, and piped runs; opt out with `LOKI_NO_AUTO_OPEN=1`). The completion summary shows "Your app is live at <url>" so you know exactly where to try what Loki just built. The autonomous loop passes Claude Code's `--effort`, `--max-budget-usd`, and `--fallback-model` on every iteration (each gated on CLI support and individual opt-out env vars) for better long-run unattended execution (v7.25.0).
@@ -47,7 +49,7 @@ Loki drives a coding agent CLI and orchestrates real builds, so it needs a few t
 
 Required:
 
-- An agent provider CLI (at least one): [Claude Code](https://docs.claude.com/en/docs/claude-code) (`claude`, Tier 1, recommended), or OpenAI Codex CLI (`codex`), Cline, or Aider.
+- An agent provider CLI: [Claude Code](https://docs.claude.com/en/docs/claude-code) (`claude`, Tier 1, recommended and E2E-verified - the provider Loki Mode is built for). Codex, Cline, and Aider are supported as experimental providers (wiring in place; not yet E2E-verified by us).
 - Python 3.10+ (`python3`) for the dashboard, memory system, and orchestration helpers.
 - Git 2.x (`git`) for checkpoints and worktrees.
 - `curl` for installation and network calls.
@@ -87,9 +89,9 @@ loki quick "build a landing page with a signup form"
 
 | Method | Command | Notes |
 |--------|---------|-------|
-| **Bun (recommended)** | `bun install -g loki-mode` | Fastest. v8 will be Bun-only. |
+| **Bun (recommended)** | `bun install -g loki-mode` | Fastest startup for CLI commands. |
 | **Homebrew** | `brew tap asklokesh/tap && brew install loki-mode` | Auto-installs Bun as a dep |
-| **Docker** | `docker pull asklokesh/loki-mode:7.7.31 && docker run --rm asklokesh/loki-mode:7.7.31 start prd.md` | Bun pre-installed in image |
+| **Docker** | `docker pull asklokesh/loki-mode:7.28.0 && docker run --rm asklokesh/loki-mode:7.28.0 start prd.md` | Bun pre-installed in image |
 | **npm (compat)** | `npm install -g loki-mode` | Works without Bun (bash fallback). Migrate any time with `loki self-update --to bun`. |
 
 **Upgrading:**
@@ -108,7 +110,7 @@ See the [Installation Guide](docs/INSTALLATION.md) for the long form.
 
 ## Runtime Architecture
 
-Loki Mode is in a phased migration from a Bash-based runtime to a TypeScript/Bun runtime. The migration has merged to `main` and ships incrementally with each release.
+Loki Mode runs a dual runtime by deliberate design: the battle-tested Bash engine is the stable core (the autonomous loop, quality gates, and completion council stay on it; it receives bug fixes and hardening), and new product surfaces are built TypeScript/Bun-first as modules that wrap the engine rather than reimplement it. An earlier plan to make v8 Bun-only has been superseded by this stable-engine approach: rewriting the verified trust layer would risk the exact guarantees this product exists to provide, for no capability gain. Bash support is not going away.
 
 **What ships today:**
 
@@ -149,7 +151,7 @@ The next major release sunsets the Bash runtime entirely. There is no firm calen
 | Method | Command |
 |--------|---------|
 | **Homebrew** | `brew tap asklokesh/tap && brew install loki-mode` |
-| **Docker** | `docker pull asklokesh/loki-mode:7.7.31` |
+| **Docker** | `docker pull asklokesh/loki-mode:7.28.0` |
 | **Inside Claude Code** | `claude --dangerously-skip-permissions` then type "Loki Mode" |
 | **Git clone** | `git clone https://github.com/asklokesh/loki-mode.git` |
 
@@ -227,8 +229,8 @@ Every iteration: **Reason** (read state) - **Act** (execute, commit) - **Reflect
 </td>
 <td width="33%" valign="top">
 
-### 41 Agent Types
-8 swarms: engineering, operations, business, data, product, growth, review, orchestration. Auto-composed by PRD complexity.
+### 41 Agent Roles
+8 domains: engineering, operations, business, data, product, growth, review, orchestration. These are prompt-defined role specifications the orchestrator adopts per phase, auto-composed by PRD complexity; parallelism comes from the blind review council, the adversarial reviewer, and optional git-worktree streams on Claude Code, sequential on other providers.
 
 [Agent Types](references/agent-types.md)
 
@@ -331,14 +333,14 @@ Loki's autonomy and quality loop are the product; the underlying coding CLI is s
 
 | Provider | Status | Autonomous Flag | Parallel Agents | Install |
 |----------|--------|:-:|:-:|---------|
-| **Claude Code** | Active (Tier 1) | `--dangerously-skip-permissions` | Yes (10+) | `npm i -g @anthropic-ai/claude-code` |
-| **Codex CLI** | Active (Tier 3) | `--full-auto` | Sequential | `npm i -g @openai/codex` |
-| **Cline CLI** | Active (Tier 2) | `--auto-approve` | Sequential | `npm i -g @anthropic-ai/cline` |
-| **Aider** | Active (Tier 3) | `--yes-always` | Sequential | `pip install aider-chat` |
+| **Claude Code** | Active (Tier 1, E2E-verified) | `--dangerously-skip-permissions` | Yes (10+) | `npm i -g @anthropic-ai/claude-code` |
+| **Codex CLI** | Experimental (Tier 3) | `--full-auto --skip-git-repo-check` | Sequential | `npm i -g @openai/codex` |
+| **Cline CLI** | Experimental (Tier 2) | `-y` | Sequential | `npm i -g @anthropic-ai/cline` |
+| **Aider** | Experimental (Tier 3) | `--yes-always` | Sequential | `pip install aider-chat` |
 | **Google Gemini CLI** | DEPRECATED v7.5.18 | -- | -- | Upstream deprecated; runtime removed. `LOKI_PROVIDER=gemini` exits with migration message. |
 | **Anthropic Antigravity CLI** | Coming soon | -- | -- | Integration planned. |
 
-Claude gets full features (subagents, parallelization, MCP, Task tool). Other active providers run sequentially. Auto-failover switches providers when rate-limited. See [Provider Guide](skills/providers.md).
+Status legend: "E2E-verified" means we run real spec-to-code builds on it ourselves. Claude Code is the primary, fully supported provider and the one Loki Mode is built for; it gets full features (subagents, parallelization, MCP, Task tool). "Experimental" means the wiring is in place but we have not produced an end-to-end verified build ourselves; treat as community-tested. Experimental providers run sequentially. Auto-failover switches providers when rate-limited. See [Provider Guide](skills/providers.md).
 
 ---
 

package/SKILL.md

@@ -3,7 +3,7 @@ name: loki-mode
 description: Autonomous spec-driven build system with a built-in trust layer. It does not call work done until it is verified (RARV-C closure loop, 11 quality gates, completion council, verified-completion evidence gate). Triggers on "Loki Mode". Takes a spec (PRD, GitHub issue, OpenAPI doc, etc.) to deployed product with minimal human intervention. Provider-agnostic. Requires --dangerously-skip-permissions flag.
 ---
 
-# Loki Mode v7.26.0
+# Loki Mode v7.28.0
 
 **You are an autonomous agent. You make decisions. You do not ask questions. You do not stop.**
 
@@ -335,6 +335,15 @@ See `references/core-workflow.md` for the full RARV-C contract.
 
 ---
 
+## Trust-layer additions (v7.28.0)
+
+Two completion-trust features extend the verification gates. Full details in `skills/quality-gates.md`.
+
+- **Held-out spec evals:** ~25% of checklist items (deterministic `sha256(id)` order, `N >= 4`) are reserved into `.loki/checklist/held-out.json` and excluded from the build prompt feed; the completion council blocks if a held-out item fails. Opt out with `LOKI_HELDOUT_GATE=0`. Honest limit: this guards the prompt feed, not a sandbox; the reservation file is on disk and an agent with filesystem access can read it.
+- **Inconclusive-baseline disclosure:** when the evidence gate cannot establish a diff baseline (`no_git_repo` / `no_run_start_sha`) it writes `.loki/state/evidence-inconclusive.json` and `COMPLETION.txt` carries an honest "not independently verified" line. It never blocks non-git projects; red tests still block.
+
+---
+
 ## Concurrency and Security Hardening (v7.5.7 - v7.5.13)
 
 Three back-to-back patches closed cross-process and security gaps. No user-facing behavior change on the default flow; verify via the cited paths.
@@ -383,4 +392,4 @@ See `CHANGELOG.md` entries [7.5.7], [7.5.8], [7.5.13] for the per-fix list and r
 
 ---
 
-**v7.26.0 | [Autonomi](https://www.autonomi.dev/) flagship product | ~260 lines core**
+**v7.28.0 | [Autonomi](https://www.autonomi.dev/) flagship product | ~260 lines core**

package/VERSION

@@ -1 +1 @@
-7.26.0
+7.28.0

package/autonomy/completion-council.sh

@@ -752,6 +752,18 @@ with open(state_file, 'w') as f:
         "threshold=$effective_threshold" \
         "result=$([ $approve_count -ge $effective_threshold ] && echo 'APPROVED' || echo 'REJECTED')" 2>/dev/null || true
 
+    # Trust-metrics: durable per-vote record for the council rejection / split
+    # rate. The council state.json verdicts[] array is per-run only; this log is
+    # the cross-run corpus. Additive, best-effort, stdout-silent.
+    if type record_trust_event_bash &>/dev/null; then
+        record_trust_event_bash "council_vote" \
+            "approve=$approve_count" \
+            "reject=$reject_count" \
+            "threshold=$effective_threshold" \
+            "result=$([ $approve_count -ge $effective_threshold ] && echo 'APPROVED' || echo 'REJECTED')" \
+            >/dev/null 2>&1 || true
+    fi
+
     # Write transcript for this council round (Path A: council_vote path)
     local _ct_outcome
     _ct_outcome=$([ $approve_count -ge $effective_threshold ] && echo "APPROVED" || echo "REJECTED")
@@ -1086,19 +1098,24 @@ council_reverify_checklist() {
 council_checklist_gate() {
     local results_file=".loki/checklist/verification-results.json"
     local waivers_file=".loki/checklist/waivers.json"
+    local heldout_file=".loki/checklist/held-out.json"
 
     # No checklist = no gate (backwards compatible)
     if [ ! -f "$results_file" ]; then
         return 0
     fi
 
-    # Check for critical failures, excluding waived items
+    # Check for critical failures, excluding waived AND held-out items. Held-out
+    # items (v7.28.0) must NOT block here: they are evaluated separately by
+    # council_heldout_gate at the ship gate, and surfacing them in this gate's
+    # block report would leak their identity back into the build loop.
     local gate_result
-    gate_result=$(_RESULTS_FILE="$results_file" _WAIVERS_FILE="$waivers_file" python3 -c "
+    gate_result=$(_RESULTS_FILE="$results_file" _WAIVERS_FILE="$waivers_file" _HELDOUT_FILE="$heldout_file" python3 -c "
 import json, sys, os
 
 results_file = os.environ['_RESULTS_FILE']
 waivers_file = os.environ.get('_WAIVERS_FILE', '')
+heldout_file = os.environ.get('_HELDOUT_FILE', '')
 
 try:
     with open(results_file) as f:
@@ -1117,12 +1134,22 @@ if waivers_file and os.path.exists(waivers_file):
     except (json.JSONDecodeError, KeyError):
         pass
 
-# Find critical failures not waived
+# Load held-out item ids (excluded from this gate)
+heldout_ids = set()
+if heldout_file and os.path.exists(heldout_file):
+    try:
+        with open(heldout_file) as f:
+            heldout_ids = set(json.load(f).get('held_out', []))
+    except (json.JSONDecodeError, KeyError):
+        pass
+
+# Find critical failures not waived and not held-out
 critical_failures = []
 for cat in results.get('categories', []):
     for item in cat.get('items', []):
         if item.get('priority') == 'critical' and item.get('status') == 'failing':
-            if item.get('id') not in waived_ids:
+            iid = item.get('id')
+            if iid not in waived_ids and iid not in heldout_ids:
                 critical_failures.append(item.get('title', item.get('id', 'unknown')))
 
 if critical_failures:
@@ -1175,6 +1202,221 @@ GATE_EOF
     return 0
 }
 
+#===============================================================================
+# Council Held-out Spec Eval Gate (v7.28.0) - anti-reward-hacking
+#===============================================================================
+# Held-out checklist items are reserved at PRD-checklist generation time and are
+# excluded from the prompt feed the build loop sees (checklist_summary, the build
+# prompt, and council_checklist_gate). The completion council evaluates them only
+# here, at the ship gate. Scope of the guarantee: this protects the prompt feed,
+# not a sandbox. .loki/checklist/held-out.json is plain on-disk JSON, so a
+# non-cooperative agent with filesystem tools can read the reservation directly;
+# the protection is against feeding held-out items to the loop, not isolation.
+# The gate uses the SAME verification machinery the
+# checklist already uses: council_reverify_checklist re-runs checklist-verify.py
+# over the FULL checklist (including held-out items), so this gate just reads
+# the held-out items' freshly-computed statuses from verification-results.json.
+#
+# A held-out item with status 'failing' blocks completion exactly like the
+# evidence gate (return 1 = CONTINUE). Pending/inconclusive items pass through.
+# Default-on ONLY when held-out items exist; opt out with LOKI_HELDOUT_GATE=0
+# (byte-identical to prior behavior: no read, no write).
+council_heldout_gate() {
+    # Knob first: opt-out is exact-as-today, before any file read or write.
+    [ "${LOKI_HELDOUT_GATE:-1}" = "0" ] && return 0
+
+    local results_file=".loki/checklist/verification-results.json"
+    local heldout_file=".loki/checklist/held-out.json"
+    local waivers_file=".loki/checklist/waivers.json"
+
+    # No held-out reservation = no gate (default-off when nothing reserved).
+    if [ ! -f "$heldout_file" ] || [ ! -f "$results_file" ]; then
+        return 0
+    fi
+
+    if [ -z "${COUNCIL_STATE_DIR:-}" ]; then
+        COUNCIL_STATE_DIR="${TARGET_DIR:-.}/.loki/council"
+    fi
+
+    # Evaluate held-out items against their freshly-verified statuses. Output is
+    # a single line "<verdict> <pass> <fail>" where verdict is NONE (no held-out
+    # items reserved, gate inert), STALE (ids reserved but ZERO matched current
+    # items -> reservation orphaned by a checklist regeneration), PASS, or BLOCK.
+    # The failing titles are NOT carried in this line (a checklist title may
+    # contain ':' or '|'); they are read separately from the held-out JSON block
+    # below in the BLOCK branch.
+    local gate_result
+    gate_result=$(_RESULTS_FILE="$results_file" _HELDOUT_FILE="$heldout_file" _WAIVERS_FILE="$waivers_file" python3 -c "
+import json, sys, os
+
+results_file = os.environ['_RESULTS_FILE']
+heldout_file = os.environ['_HELDOUT_FILE']
+waivers_file = os.environ.get('_WAIVERS_FILE', '')
+
+try:
+    with open(results_file) as f:
+        results = json.load(f)
+    with open(heldout_file) as f:
+        heldout_ids = set(json.load(f).get('held_out', []))
+except (json.JSONDecodeError, IOError, KeyError):
+    print('NONE 0 0')
+    sys.exit(0)
+
+# No held-out items reserved (e.g. N<4): gate is inert. Emit NONE so the caller
+# skips the trust-event entirely (no no-op heldout_eval pollution per round).
+if not heldout_ids:
+    print('NONE 0 0')
+    sys.exit(0)
+
+# Waived held-out items are not counted as failures (operator override path).
+waived_ids = set()
+if waivers_file and os.path.exists(waivers_file):
+    try:
+        with open(waivers_file) as f:
+            waived_ids = {w['item_id'] for w in json.load(f).get('waivers', []) if w.get('active', True)}
+    except (json.JSONDecodeError, KeyError):
+        pass
+
+# HIGH-1(b): track how many held-out ids actually matched a current item. If the
+# reservation lists ids but ZERO matched (orphaned after a checklist regen), the
+# gate must NOT report PASS (that reads as evaluated-and-passed). 'matched' is
+# distinct from passed/failed: an all-pending matched set legitimately yields
+# passed=0 failed=0 and must stay PASS/pass-through, not STALE.
+matched = 0
+passed = 0
+failed = 0
+for cat in results.get('categories', []):
+    for item in cat.get('items', []):
+        iid = item.get('id', '')
+        if iid not in heldout_ids:
+            continue
+        matched += 1
+        if iid in waived_ids:
+            continue
+        status = item.get('status')
+        if status == 'verified':
+            passed += 1
+        elif status == 'failing':
+            failed += 1
+        # pending/inconclusive: pass-through (not counted as pass or fail block)
+
+if matched == 0:
+    # Reservation is stale: ids exist but none map to a current item. Selection-
+    # side repair (checklist_select_heldout) fixes this next iteration; emit STALE
+    # so this round is recorded honestly rather than as a silent PASS.
+    print('STALE 0 0')
+    sys.exit(0)
+
+verdict = 'BLOCK' if failed > 0 else 'PASS'
+print('%s %d %d' % (verdict, passed, failed))
+" 2>/dev/null || echo "NONE 0 0")
+
+    local verdict pass_count fail_count
+    read -r verdict pass_count fail_count <<< "$gate_result"
+    [ -z "$verdict" ] && verdict="NONE"
+    [ -z "$pass_count" ] && pass_count=0
+    [ -z "$fail_count" ] && fail_count=0
+
+    # NONE: no held-out items reserved -> gate inert, no trust-event, no block.
+    # LOW-5: still clear any stale block report so a prior BLOCK does not linger
+    # after the reservation is emptied (matches the PASS branch cleanup).
+    if [ "$verdict" = "NONE" ]; then
+        if [ -n "${COUNCIL_STATE_DIR:-}" ] && [ -f "$COUNCIL_STATE_DIR/heldout-block.json" ]; then
+            rm -f "$COUNCIL_STATE_DIR/heldout-block.json"
+        fi
+        return 0
+    fi
+
+    # STALE: reservation orphaned by a checklist regeneration (ids reserved but
+    # zero matched current items). Emit a STALE trust event so the round is not
+    # silently counted as a pass, warn, clear any stale block file (LOW-5), and
+    # return 0 (pass-through): blocking here would loop forever, and the
+    # selection-side repair re-selects valid ids on the next iteration.
+    if [ "$verdict" = "STALE" ]; then
+        log_warn "[Council] Held-out reservation is stale (checklist regenerated; reserved ids match no current item). Selection will re-select next iteration; not treating this as an evaluated PASS."
+        if type record_trust_event_bash &>/dev/null; then
+            record_trust_event_bash "heldout_eval" \
+                "verdict=STALE" \
+                "pass=0" \
+                "fail=0" \
+                >/dev/null 2>&1 || true
+        fi
+        if [ -n "${COUNCIL_STATE_DIR:-}" ] && [ -f "$COUNCIL_STATE_DIR/heldout-block.json" ]; then
+            rm -f "$COUNCIL_STATE_DIR/heldout-block.json"
+        fi
+        return 0
+    fi
+
+    # Trust-metrics: durable per-evaluation record (pass/fail counts). Emitted
+    # only when held-out items actually exist (verdict PASS or BLOCK).
+    if type record_trust_event_bash &>/dev/null; then
+        record_trust_event_bash "heldout_eval" \
+            "verdict=$verdict" \
+            "pass=$pass_count" \
+            "fail=$fail_count" \
+            >/dev/null 2>&1 || true
+    fi
+
+    if [ "$verdict" = "BLOCK" ]; then
+        # Read failing held-out titles directly from the data (colon/pipe-safe).
+        local titles_json titles_display
+        titles_json=$(_RESULTS_FILE="$results_file" _HELDOUT_FILE="$heldout_file" _WAIVERS_FILE="$waivers_file" python3 -c "
+import json, os
+results = json.load(open(os.environ['_RESULTS_FILE']))
+heldout_ids = set(json.load(open(os.environ['_HELDOUT_FILE'])).get('held_out', []))
+waived_ids = set()
+wf = os.environ.get('_WAIVERS_FILE', '')
+if wf and os.path.exists(wf):
+    try:
+        waived_ids = {w['item_id'] for w in json.load(open(wf)).get('waivers', []) if w.get('active', True)}
+    except Exception:
+        pass
+titles = []
+for cat in results.get('categories', []):
+    for item in cat.get('items', []):
+        iid = item.get('id', '')
+        if iid in heldout_ids and iid not in waived_ids and item.get('status') == 'failing':
+            titles.append(item.get('title', iid))
+print(json.dumps(titles[:5]))
+" 2>/dev/null || echo '[]')
+        titles_display=$(_T="$titles_json" python3 -c "
+import json, os
+try:
+    print(', '.join(json.loads(os.environ['_T'])))
+except Exception:
+    print('')
+" 2>/dev/null || echo "")
+        log_warn "[Council] Held-out gate BLOCKED: ${fail_count} held-out acceptance check(s) failing: ${titles_display}"
+        log_warn "[Council] Held-out checks are hidden from the build loop and verified only at completion. To opt out: set LOKI_HELDOUT_GATE=0"
+
+        mkdir -p "$COUNCIL_STATE_DIR" 2>/dev/null || true
+        local ho_file="$COUNCIL_STATE_DIR/heldout-block.json"
+        local ho_tmp="${ho_file}.tmp"
+        local timestamp
+        timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+        cat > "$ho_tmp" << HELDOUT_EOF
+{
+    "status": "blocked",
+    "blocked": true,
+    "blocked_at": "$timestamp",
+    "iteration": ${ITERATION_COUNT:-0},
+    "reason": "held_out_checks_failing",
+    "passed": $pass_count,
+    "failed": $fail_count,
+    "failures": $titles_json
+}
+HELDOUT_EOF
+        mv "$ho_tmp" "$ho_file"
+        return 1
+    fi
+
+    # Gate passes: remove any stale block report.
+    if [ -f "$COUNCIL_STATE_DIR/heldout-block.json" ]; then
+        rm -f "$COUNCIL_STATE_DIR/heldout-block.json"
+    fi
+    return 0
+}
+
 #===============================================================================
 # Council Evidence Hard Gate (v7.19.1) - "verified completion"
 #===============================================================================
@@ -1212,13 +1454,20 @@ council_evidence_gate() {
     # read, so none is tracked (avoids SC2034 dead-assignment).
     local diff_fails="false"
     local diff_files=0
+    # v7.28.0: track WHY the diff baseline could not be established, so the
+    # inconclusive case is surfaced honestly instead of passing through silently.
+    # diff_inconclusive stays "false" on the conclusive branch below.
+    local diff_inconclusive="false"
+    local diff_inconclusive_reason=""
     if ! git rev-parse --is-inside-work-tree >/dev/null 2>&1; then
         # No git repo => cannot prove fabrication => inconclusive => pass-through.
-        :
+        diff_inconclusive="true"
+        diff_inconclusive_reason="no_git_repo"
     elif [ -z "$base_sha" ]; then
         # No baseline captured (non-git/zero-commit run, or never set) =>
         # inconclusive => pass-through. Never false-block a legit first run.
-        :
+        diff_inconclusive="true"
+        diff_inconclusive_reason="no_run_start_sha"
     else
         # Count the UNION of three change sources (auto-commit is not guaranteed,
         # so committed-only would false-block a dirty-but-real working tree):
@@ -1296,6 +1545,40 @@ else:
     # Missing test-results.json (the else of the -f check) likewise leaves
     # test_fails="false" => inconclusive => pass-through (no file = no gate).
 
+    # --- v7.28.0: inconclusive-baseline lifecycle -------------------------------
+    # When the gate cannot establish a diff baseline (no git repo, or no run-start
+    # SHA) it does NOT block (would break non-git projects), but completion is no
+    # longer independently verified. Record that fact durably so the completion
+    # summary can surface one honest line, and emit a trust-event. The record is
+    # about the DIFF baseline only, so it is written regardless of the test
+    # outcome. On any CONCLUSIVE baseline we remove a stale record.
+    local inconclusive_file="${TARGET_DIR:-.}/.loki/state/evidence-inconclusive.json"
+    if [ "$diff_inconclusive" = "true" ]; then
+        mkdir -p "${TARGET_DIR:-.}/.loki/state" 2>/dev/null || true
+        local inc_tmp="${inconclusive_file}.tmp"
+        local inc_ts
+        inc_ts=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+        cat > "$inc_tmp" << INCONCLUSIVE_EOF
+{
+    "inconclusive": true,
+    "recorded_at": "$inc_ts",
+    "iteration": ${ITERATION_COUNT:-0},
+    "reason": "$diff_inconclusive_reason"
+}
+INCONCLUSIVE_EOF
+        mv "$inc_tmp" "$inconclusive_file" 2>/dev/null || rm -f "$inc_tmp" 2>/dev/null || true
+        if type record_trust_event_bash &>/dev/null; then
+            record_trust_event_bash "evidence_inconclusive" \
+                "reason=$diff_inconclusive_reason" \
+                >/dev/null 2>&1 || true
+        fi
+    else
+        # Conclusive baseline: clear any stale inconclusive record.
+        if [ -f "$inconclusive_file" ]; then
+            rm -f "$inconclusive_file"
+        fi
+    fi
+
     # --- Block decision: block iff DIFF FAILS or TEST FAILS ---
     if [ "$diff_fails" != "true" ] && [ "$test_fails" != "true" ]; then
         # Gate passes: remove any stale block report.
@@ -1366,6 +1649,19 @@ print(json.dumps(items[:5]))
 }
 EVIDENCE_EOF
     mv "$ev_tmp" "$ev_file"
+
+    # Trust-metrics: durable per-block record. evidence-block.json is a single
+    # state file that is DELETED the moment the gate next passes, so it cannot
+    # be the cross-run corpus for the block rate. Append an event here, where a
+    # block is definitely happening. Additive, best-effort, stdout-silent.
+    if type record_trust_event_bash &>/dev/null; then
+        record_trust_event_bash "evidence_block" \
+            "reason=$reason" \
+            "diff_ok=$diff_ok" \
+            "tests_ok=$tests_ok" \
+            >/dev/null 2>&1 || true
+    fi
+
     return 1
 }
 
@@ -2000,6 +2296,14 @@ council_evaluate() {
         return 1  # CONTINUE - can't complete with critical failures
     fi
 
+    # v7.28.0: held-out spec eval gate - verify the hidden acceptance checks the
+    # build loop never saw. Runs after the visible-checklist gate, using the
+    # statuses council_reverify_checklist just recomputed over the full checklist.
+    if ! council_heldout_gate; then
+        log_info "[Council] Completion blocked by held-out spec eval gate"
+        return 1  # CONTINUE - cannot complete with failing held-out checks
+    fi
+
     # Phase 2.5 (v7.19.1): evidence hard gate - block completion unless there is
     # real evidence that files changed AND tests are green.
     if ! council_evidence_gate; then

package/autonomy/context-tracker.py

@@ -21,6 +21,7 @@ Usage:
 import argparse
 import json
 import os
+import re
 import sys
 from datetime import datetime, timezone
 from pathlib import Path
@@ -61,13 +62,31 @@ def get_pricing(provider):
     return PRICING_BY_PROVIDER.get(provider, PRICING_BY_PROVIDER["claude"])
 
 
-def derive_project_slug():
-    """Derive Claude's project slug from cwd (matches Claude's naming convention)."""
-    cwd = os.getcwd()
-    # Claude uses: /Users/name/project -> -Users-name-project
+def derive_naive_project_slug():
+    """Legacy slug rule: replace only '/' with '-'.
+
+    Kept for backward compatibility: stale sessions created before the
+    sanitization fix live under this naming. find_session_file falls back to
+    it when the correctly-sanitized slug dir does not exist.
+    """
+    cwd = os.path.realpath(os.getcwd())
     return "-" + cwd.lstrip("/").replace("/", "-")
 
 
+def derive_project_slug():
+    """Derive Claude's project slug from cwd.
+
+    Claude Code sanitizes EVERY non-alphanumeric character in the realpath to
+    '-' (rule: re.sub(r'[^a-zA-Z0-9]', '-', path)). The earlier implementation
+    replaced only '/', so any path with underscores, dots, or other special
+    characters produced a slug that did not match Claude's real session dir,
+    silently zeroing token/cost capture. realpath resolves symlinks (e.g.
+    /tmp -> /private/tmp) to match Claude's own keying.
+    """
+    cwd = os.path.realpath(os.getcwd())
+    return "-" + re.sub(r"[^a-zA-Z0-9]", "-", cwd.lstrip("/"))
+
+
 def find_session_file(provider, session_file_arg=None):
     """Find the most recently modified session file for the given provider.
 
@@ -84,10 +103,16 @@ def find_session_file(provider, session_file_arg=None):
         return path if path.exists() else None
 
     if provider == "claude":
-        project_slug = derive_project_slug()
-        session_dir = Path.home() / ".claude" / "projects" / project_slug
+        projects_root = Path.home() / ".claude" / "projects"
+        session_dir = projects_root / derive_project_slug()
+        # Backward compatibility: if the correctly-sanitized slug dir does not
+        # exist but a stale session under the old naive slug does, use it.
         if not session_dir.is_dir():
-            return None
+            naive_dir = projects_root / derive_naive_project_slug()
+            if naive_dir.is_dir():
+                session_dir = naive_dir
+            else:
+                return None
         jsonl_files = sorted(session_dir.glob("*.jsonl"), key=lambda p: p.stat().st_mtime, reverse=True)
         return jsonl_files[0] if jsonl_files else None