loki-mode 7.32.2 → 7.33.0

package/SKILL.md

@@ -3,7 +3,7 @@ name: loki-mode
 description: Autonomous spec-driven build system with a built-in trust layer. It does not call work done until it is verified (RARV-C closure loop, 11 quality gates, completion council, verified-completion evidence gate). Triggers on "Loki Mode". Takes a spec (PRD, GitHub issue, OpenAPI doc, etc.) to deployed product with minimal human intervention. Provider-agnostic. Requires --dangerously-skip-permissions flag.
 ---
 
-# Loki Mode v7.32.2
+# Loki Mode v7.33.0
 
 **You are an autonomous agent. You make decisions. You do not ask questions. You do not stop.**
 
@@ -398,4 +398,4 @@ See `CHANGELOG.md` entries [7.5.7], [7.5.8], [7.5.13] for the per-fix list and r
 
 ---
 
-**v7.32.2 | [Autonomi](https://www.autonomi.dev/) flagship product | ~260 lines core**
+**v7.33.0 | [Autonomi](https://www.autonomi.dev/) flagship product | ~260 lines core**

package/VERSION

@@ -1 +1 @@
-7.32.2
+7.33.0

package/autonomy/completion-council.sh

@@ -1759,7 +1759,23 @@ ISSUES: CRITICAL:description (optional, one per line per issue)"
         claude)
             if command -v claude &>/dev/null; then
                 local council_model="${PROVIDER_MODEL_FAST:-haiku}"
-                verdict=$(echo "$prompt" | claude --model "$council_model" -p 2>/dev/null | tail -20)
+                # EMBED 2 + 3 (v7.33.0). Council member completion vote. The
+                # $prompt is fully self-contained (evidence + instructions +
+                # strict VOTE/REASON/ISSUES output format, piped via stdin) and
+                # the verdict is captured. So --bare (cheap, no hooks/LSP/CLAUDE.
+                # md/MCP) and --disallowedTools (a voting reviewer must never
+                # mutate the tree) both apply. Gated + opt-out
+                # LOKI_BARE_SUBCALLS=0 / LOKI_REVIEW_TOOL_GUARD=0. Helpers may be
+                # out of scope when this file is sourced standalone, so each is
+                # type-guarded (degrades to the prior bare invocation).
+                local _cm_argv=("--model" "$council_model")
+                if type loki_subcall_bare_enabled >/dev/null 2>&1 && loki_subcall_bare_enabled; then
+                    _cm_argv+=("--bare")
+                fi
+                if type loki_review_guard_enabled >/dev/null 2>&1 && loki_review_guard_enabled; then
+                    _cm_argv+=("--disallowedTools" "$(loki_review_guard_denylist)")
+                fi
+                verdict=$(echo "$prompt" | claude "${_cm_argv[@]}" -p 2>/dev/null | tail -20)
             fi
             ;;
         codex)
@@ -1842,7 +1858,19 @@ REASON: your reasoning"
         claude)
             if command -v claude &>/dev/null; then
                 local council_model="${PROVIDER_MODEL_FAST:-haiku}"
-                verdict=$(echo "$prompt" | claude --model "$council_model" -p 2>/dev/null | tail -20)
+                # EMBED 2 + 3 (v7.33.0). Contrarian (devil's-advocate) vote --
+                # an adversarial reviewer. Self-contained $prompt via stdin,
+                # verdict captured. --bare + --disallowedTools both apply (a
+                # reviewer must never mutate the tree). Gated + opt-out
+                # LOKI_BARE_SUBCALLS=0 / LOKI_REVIEW_TOOL_GUARD=0; type-guarded.
+                local _co_argv=("--model" "$council_model")
+                if type loki_subcall_bare_enabled >/dev/null 2>&1 && loki_subcall_bare_enabled; then
+                    _co_argv+=("--bare")
+                fi
+                if type loki_review_guard_enabled >/dev/null 2>&1 && loki_review_guard_enabled; then
+                    _co_argv+=("--disallowedTools" "$(loki_review_guard_denylist)")
+                fi
+                verdict=$(echo "$prompt" | claude "${_co_argv[@]}" -p 2>/dev/null | tail -20)
             fi
             ;;
         codex)

package/autonomy/council-v2.sh

@@ -263,7 +263,20 @@ Respond ONLY with a valid JSON object. No markdown fencing."
     case "${PROVIDER_NAME:-claude}" in
         claude)
             if command -v claude &>/dev/null; then
-                result=$(echo "$full_prompt" | claude --model haiku -p 2>/dev/null || echo '{"verdict":"REJECT","reasoning":"review execution failed","issues":[]}')
+                # EMBED 2 + 3 (v7.33.0). Council-v2 reviewer verdict. $full_prompt
+                # is self-contained (evidence + PRD + strict JSON output, via
+                # stdin) and the JSON result is captured. --bare + --disallowedTools
+                # both apply (a reviewer must never mutate the tree). Gated +
+                # opt-out LOKI_BARE_SUBCALLS=0 / LOKI_REVIEW_TOOL_GUARD=0;
+                # type-guarded for standalone sourcing.
+                local _c2_argv=("--model" "haiku")
+                if type loki_subcall_bare_enabled >/dev/null 2>&1 && loki_subcall_bare_enabled; then
+                    _c2_argv+=("--bare")
+                fi
+                if type loki_review_guard_enabled >/dev/null 2>&1 && loki_review_guard_enabled; then
+                    _c2_argv+=("--disallowedTools" "$(loki_review_guard_denylist)")
+                fi
+                result=$(echo "$full_prompt" | claude "${_c2_argv[@]}" -p 2>/dev/null || echo '{"verdict":"REJECT","reasoning":"review execution failed","issues":[]}')
             else
                 result='{"verdict":"REJECT","reasoning":"reviewer CLI unavailable","issues":[]}'
             fi

package/autonomy/grill.sh

@@ -38,6 +38,16 @@ GRILL_EXIT_ERROR=3
 GRILL_DIR_DEFAULT=".loki/grill"
 GRILL_REPORT_NAME="report.md"
 
+# Source the claude-flags helper (idempotent, guarded) so the v7.33.0 embeds
+# (--bare / --disallowedTools) are available in grill's standalone invocation
+# path. Best-effort: if the file is missing the type-guards at the call site
+# degrade to the prior bare invocation.
+_grill_flags_helper="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)/lib/claude-flags.sh"
+if [ -f "$_grill_flags_helper" ]; then
+    # shellcheck disable=SC1090
+    . "$_grill_flags_helper"
+fi
+
 _grill_log() { printf '[grill] %s\n' "$*" >&2; }
 _grill_err() { printf '[grill][error] %s\n' "$*" >&2; }
 
@@ -178,8 +188,24 @@ grill_invoke_provider() {
             local out
             # Single-shot, non-interactive. Same pattern as the in-loop
             # adversarial reviewer (run.sh:7807) and USAGE regen (run.sh:9832).
+            # EMBED 2 + 3 (v7.33.0). The devil's-advocate grill is a cheap
+            # self-contained adversarial subcall (the entire spec + interrogation
+            # instructions are in $prompt, piped via -p -; output captured). So:
+            #   EMBED 2 (--bare): no hooks/LSP/CLAUDE.md/MCP needed; cheaper.
+            #     Opt out LOKI_BARE_SUBCALLS=0.
+            #   EMBED 3 (--disallowedTools): a grill agent interrogates a spec and
+            #     must never mutate the tree (defense-in-depth). Deny Edit/Write/
+            #     NotebookEdit + git mutations. Opt out LOKI_REVIEW_TOOL_GUARD=0.
+            # Type-guarded so an environment without the helper degrades cleanly.
+            local _gr_argv=("--dangerously-skip-permissions" "--model" "${LOKI_GRILL_MODEL:-sonnet}")
+            if type loki_subcall_bare_enabled >/dev/null 2>&1 && loki_subcall_bare_enabled; then
+                _gr_argv+=("--bare")
+            fi
+            if type loki_review_guard_enabled >/dev/null 2>&1 && loki_review_guard_enabled; then
+                _gr_argv+=("--disallowedTools" "$(loki_review_guard_denylist)")
+            fi
             out="$(printf '%s' "$prompt" \
-                | _grill_with_timeout "${LOKI_GRILL_TIMEOUT:-180}" claude --dangerously-skip-permissions --model "${LOKI_GRILL_MODEL:-sonnet}" -p - 2>/dev/null)"
+                | _grill_with_timeout "${LOKI_GRILL_TIMEOUT:-180}" claude "${_gr_argv[@]}" -p - 2>/dev/null)"
             if [ -z "$out" ]; then
                 _grill_err "provider returned no output (timeout or invocation error)"
                 return $GRILL_EXIT_ERROR

package/autonomy/lib/claude-flags.sh

@@ -130,3 +130,99 @@ loki_claude_flag_supported() {
         *) return 1 ;;
     esac
 }
+
+# ---------- v7.33.0 cheap-subcall + reviewer-guard flag emitters ----------
+# These centralize three Claude Code 2.1.170 embeds so every cheap NON-MAIN
+# subcall site emits the same gated flags. Each emitter prints its flags to
+# stdout (space-free per element via one-per-line is not needed; callers read
+# them into an array with command substitution + word-splitting on the single
+# token they emit, OR append the function output as additional argv elements).
+# All are default-ON, opt-out via env, and gated on loki_claude_flag_supported
+# so an older CLI degrades gracefully (emits nothing).
+
+# EMBED 2 -- --bare (cheap NON-MAIN subcalls only). Minimal mode. Per
+# `claude --help` it SKIPS hooks, LSP, plugin sync, attribution, auto-memory,
+# background prefetches, keychain reads, and CLAUDE.md AUTO-discovery. It does
+# NOT nullify explicit --mcp-config/--settings/--agents (the help lists those as
+# the way to "explicitly provide context" UNDER --bare); what it drops is the
+# IMPLICIT/auto-discovered context. Therefore --bare is ONLY safe on subcalls
+# whose prompt is fully self-contained (the entire instruction set + context is
+# passed via -p), and NEVER on the main RARV loop or on any call that relies on
+# auto-discovered CLAUDE.md / hooks / auto-memory.
+#
+# AUTH GATE (critical): --bare sets CLAUDE_CODE_SIMPLE=1 and per `claude --help`
+# reads Anthropic auth STRICTLY from ANTHROPIC_API_KEY or an apiKeyHelper via
+# --settings -- "OAuth and keychain are never read". A subscription/OAuth user
+# (no ANTHROPIC_API_KEY) gets "Not logged in" on every --bare subcall, which
+# exits 0 with the error on stdout, so a council vote parses as the default
+# REJECT and the loop silently corrupts. So --bare is enabled ONLY when an
+# API-key auth path exists (ANTHROPIC_API_KEY set, or an apiKeyHelper configured
+# in settings); otherwise it emits nothing and the subcall runs full-auth, the
+# same as before this embed. Subscription users are thus unaffected by default.
+# Default-ON (when auth-safe); opt out entirely with LOKI_BARE_SUBCALLS=0.
+# Predicate so call sites can append "--bare" to their argv array uniformly:
+#   loki_subcall_bare_enabled && argv+=("--bare")
+loki_subcall_bare_enabled() {
+    [ "${LOKI_BARE_SUBCALLS:-1}" = "0" ] && return 1
+    # API-key auth required (see AUTH GATE above). ANTHROPIC_API_KEY is the
+    # common case; apiKeyHelper covers the settings-configured helper. Anything
+    # else (OAuth/keychain subscription) must NOT use --bare. Trim the key so a
+    # whitespace-only value does not count as set (it would fail --bare auth).
+    local _key
+    _key="$(printf '%s' "${ANTHROPIC_API_KEY:-}" | tr -d '[:space:]')"
+    if [ -z "$_key" ] && ! _loki_apikey_helper_configured; then
+        return 1
+    fi
+    loki_claude_flag_supported "--bare"
+}
+
+# True when an apiKeyHelper is configured in any Claude settings source, which
+# (unlike OAuth/keychain) IS honored under --bare. Best-effort, read-only.
+_loki_apikey_helper_configured() {
+    local f
+    for f in "$HOME/.claude/settings.json" "$HOME/.config/claude/settings.json" \
+             "${CLAUDE_CONFIG_DIR:-$HOME/.claude}/settings.json" \
+             "$PWD/.claude/settings.json" "$PWD/.claude/settings.local.json"; do
+        [ -f "$f" ] || continue
+        # Require "apiKeyHelper" : "<non-empty value>" (a real key:value pair),
+        # not the bare token in a comment/prose. Tolerates whitespace around the
+        # colon. Not a full JSON parse, but rejects the obvious false-positives.
+        grep -Eq '"apiKeyHelper"[[:space:]]*:[[:space:]]*"[^"]+"' "$f" 2>/dev/null && return 0
+    done
+    return 1
+}
+
+# EMBED 3 -- --disallowedTools (reviewer / adversarial subcalls). Motivation: a
+# parallel agent once ran `git reset --hard` and wiped uncommitted work, so a
+# reviewer/voter subcall should not casually mutate the tree. Per `claude --help`
+# the value is a comma-or-space-separated list of tool names (e.g. "Bash(git *)
+# Edit"); Bash(...) matching is command-PREFIX based (the `cmd:*` form).
+#
+# SCOPE / LIMITS (honest -- this is a denylist, NOT a sandbox):
+#   - Denies the direct file-mutation tools (Edit, Write, NotebookEdit).
+#   - Denies the common git MUTATION forms: the bare subcommand (`git reset:*`)
+#     AND the global-flag-prefixed evasions (`git -C:*`, `git --git-dir:*`,
+#     `git -c:*`) that slip a flag before the subcommand so the bare prefix
+#     does not match. Read-only git (diff/log/show/status) stays allowed.
+#   - It does NOT and cannot block every mutation path: a determined agent can
+#     still write via `Bash(echo > f)`, `sed -i`, `cp/mv/tee`, `python -c`, etc.
+#     This is a guardrail that raises the cost of the casual/common destructive
+#     command, not a guarantee the tree is immutable. The real safety net is
+#     that the integrator commits before any agent wave (see CLAUDE.md).
+# The flag is variadic (<tools...>), so we emit ONE comma-separated token to
+# avoid swallowing the following -p prompt as additional tool names.
+# Default-ON; opt out with LOKI_REVIEW_TOOL_GUARD=0.
+# Predicate + denylist so call sites append uniformly:
+#   if loki_review_guard_enabled; then
+#       argv+=("--disallowedTools" "$(loki_review_guard_denylist)")
+#   fi
+loki_review_guard_enabled() {
+    [ "${LOKI_REVIEW_TOOL_GUARD:-1}" = "0" ] && return 1
+    loki_claude_flag_supported "--disallowedTools"
+}
+loki_review_guard_denylist() {
+    # Comma-separated single token. Bash(cmd:*) is command-prefix matching.
+    # The `git -C:*` / `git --git-dir:*` / `git -c:*` entries close the
+    # global-flag-before-subcommand evasion of the bare git-mutation rules.
+    printf '%s' "Edit,Write,NotebookEdit,Bash(git commit:*),Bash(git reset:*),Bash(git push:*),Bash(git checkout:*),Bash(git clean:*),Bash(git rm:*),Bash(git stash:*),Bash(git -C:*),Bash(git --git-dir:*),Bash(git -c:*)"
+}

package/autonomy/run.sh

@@ -3248,7 +3248,18 @@ Output ONLY the resolved file content with no conflict markers. No explanations.
 
         case "${PROVIDER_NAME:-claude}" in
             claude)
-                resolution=$(claude --dangerously-skip-permissions -p "$conflict_prompt" --output-format text 2>/dev/null)
+                # EMBED 2 (v7.33.0): --bare on this cheap NON-MAIN subcall.
+                # Reasoning: $conflict_prompt is fully self-contained -- it
+                # carries the complete instruction set AND the entire conflicted
+                # file content inline, and the agent's output is captured to a
+                # variable (the shell, not the agent, writes the resolved file).
+                # It needs no hooks, LSP, CLAUDE.md auto-discovery, or MCP, so
+                # --bare is safe and cheaper. Gated + opt-out LOKI_BARE_SUBCALLS=0.
+                local _cr_argv=("--dangerously-skip-permissions")
+                if type loki_subcall_bare_enabled >/dev/null 2>&1 && loki_subcall_bare_enabled; then
+                    _cr_argv+=("--bare")
+                fi
+                resolution=$(claude "${_cr_argv[@]}" -p "$conflict_prompt" --output-format text 2>/dev/null)
                 ;;
             codex)
                 resolution=$(codex exec --full-auto --skip-git-repo-check "$conflict_prompt" 2>/dev/null)
@@ -4543,7 +4554,14 @@ _loki_hash_stdin() {
 # Compute a cheap, clone-stable signature of the codebase so we can tell whether
 # it changed since the generated PRD was last written. Git repos: HEAD sha +
 # dirty flag (.loki/.git churn filtered out). Non-git: a hash of sorted
-# path+size pairs (size, not mtime, so it is clone-stable). Echoes the signature.
+# path+size pairs PLUS file content (v7.32.3, #569: path+size alone was blind to
+# a same-size content edit, so a stale PRD could be silently reused with a
+# false "codebase unchanged" disclosure). Content hashing is clone-stable
+# (mtime is not, which is why mtime was never used). Trees larger than
+# LOKI_PRD_SIG_CONTENT_BUDGET bytes (default 50MB) skip the content pass and
+# emit a "files-shallow:" signature so startup stays fast; the safe failure
+# mode there is unchanged-from-before (size-blind), never a false "changed".
+# Echoes the signature.
 compute_codebase_signature() {
     local dir="${1:-.}"
     ( cd "$dir" 2>/dev/null || exit 0
@@ -4558,7 +4576,7 @@ compute_codebase_signature() {
           fi
           echo "git:${head}:${dirty}"
       else
-          local listing count
+          local listing count total_sz budget
           listing=$(find . \
               -type d \( -name .loki -o -name .git -o -name node_modules -o -name dist \
                          -o -name build -o -name .next -o -name target -o -name vendor \
@@ -4569,8 +4587,26 @@ compute_codebase_signature() {
                     sz=$(stat -f%z "$f" 2>/dev/null || stat -c%s "$f" 2>/dev/null || echo 0)
                     printf '%s\t%s\n' "$f" "$sz"
                 done | LC_ALL=C sort)
-          count=$(printf '%s\n' "$listing" | grep -c . || echo 0)
-          echo "files:$(printf '%s' "$listing" | _loki_hash_stdin):${count}"
+          # grep -c prints 0 itself on no match (exit 1); '|| true' avoids the
+          # old '|| echo 0' double-zero that embedded a newline on empty trees
+          count=$(printf '%s\n' "$listing" | grep -c . || true)
+          total_sz=$(printf '%s\n' "$listing" | awk -F'\t' '{s+=$2} END {printf "%d", s}')
+          budget="${LOKI_PRD_SIG_CONTENT_BUDGET:-52428800}"
+          if [ "${total_sz:-0}" -le "$budget" ] 2>/dev/null; then
+              # Content pass: stream all file contents through one hash in the
+              # same sorted order as the listing. Detects same-size edits.
+              # xargs -0 batches the reads into a handful of cat invocations,
+              # so cost scales with BYTES (which the budget above bounds), not
+              # file count: a fork-per-file loop here measured ~38s of added
+              # startup on a 30k-small-file tree. Renames and content swaps
+              # are still caught by the listing hash (paths+sizes) below.
+              local content_hash
+              content_hash=$(printf '%s\n' "$listing" | cut -f1 | tr '\n' '\0' \
+                  | xargs -0 cat 2>/dev/null | _loki_hash_stdin)
+              echo "files:$(printf '%s' "$listing" | _loki_hash_stdin):${count}:${content_hash}"
+          else
+              echo "files-shallow:$(printf '%s' "$listing" | _loki_hash_stdin):${count}"
+          fi
       fi
     )
 }
@@ -4644,6 +4680,25 @@ except Exception:
     if [ "$stored" = "$current" ]; then
         echo "reuse"
     else
+        # v7.32.3 format transition (#569): a stored pre-content-hash signature
+        # ("files:<listing>:<count>", 3 fields) compared against the new 4-field
+        # format would falsely claim "codebase changed" on the first post-upgrade
+        # run. When the new signature extends the stored one (same listing
+        # fields), the tree is unchanged at the old format's trust level: reuse,
+        # honestly. The next persist upgrades the stored format. A same-size edit
+        # made BEFORE the upgrade stays invisible for this one run, exactly as it
+        # was on the old version (no regression, no false disclosure).
+        case "$stored" in
+            files:*:*)
+                # Require the legitimate old 3-field format (files:HASH:COUNT,
+                # exactly 2 colons), not a truncated/corrupted 2-field value
+                # (council hardening: corruption must fall to update, as before).
+                if [ "$(printf '%s' "$stored" | tr -dc ':' | wc -c | tr -d ' ')" = "2" ] \
+                   && [ "${current#"${stored}":}" != "$current" ]; then
+                    echo "reuse"; return 0
+                fi
+                ;;
+        esac
         echo "update"
     fi
 }
@@ -4692,7 +4747,16 @@ try:
 except Exception:
     prev = {}
 prev_at = prev.get('generated_at') if isinstance(prev, dict) else None
-if prev_at and prev.get('signature') == sig:
+prev_sig = prev.get('signature') if isinstance(prev, dict) else None
+# Unchanged, OR the v7.32.3 files-signature format upgrade (#569): the new
+# 4-field signature extends an old 3-field one whose listing fields match.
+# Preserve the date in both cases; the PRD content did not change.
+_legacy_upgrade = (
+    isinstance(prev_sig, str) and prev_sig.startswith('files:')
+    and prev_sig.count(':') == 2
+    and sig.startswith(prev_sig + ':')
+)
+if prev_at and (prev_sig == sig or _legacy_upgrade):
     generated_at = prev_at
 else:
     generated_at = datetime.datetime.now(datetime.timezone.utc).isoformat().replace('+00:00','Z')
@@ -7750,7 +7814,31 @@ BUILD_PROMPT
                     # Mythos 5 (Project Glasswing), not Fable. If a future change
                     # adds --model here, the security-sentinel reviewer must be
                     # pinned to opus, never fable.
-                    claude --dangerously-skip-permissions -p "$prompt_text" \
+                    # EMBED 2 + 3 (v7.33.0). This is a 3-reviewer council
+                    # subcall. $prompt_text is fully self-contained (built above
+                    # into $review_prompt_file with the diff, changed files,
+                    # checks, and strict VERDICT/FINDINGS output format), output
+                    # is captured to $review_output, and it deliberately does NOT
+                    # pass --model or go through buildAutoFlags. So:
+                    #   EMBED 2 (--bare): the prompt needs no hooks/LSP/CLAUDE.md/
+                    #     MCP discovery, so --bare is safe and cheaper. Opt out
+                    #     LOKI_BARE_SUBCALLS=0.
+                    #   EMBED 3 (--disallowedTools): raise the cost of a reviewer
+                    #     casually mutating the tree (a parallel agent once ran
+                    #     `git reset --hard` and wiped uncommitted work). Deny
+                    #     Edit/Write/NotebookEdit + git mutation forms (incl. the
+                    #     git -C / --git-dir evasions); read-only git stays allowed.
+                    #     Guardrail, not a sandbox -- echo>/sed -i/etc. remain; the
+                    #     real net is commit-before-agent-wave. Opt out
+                    #     LOKI_REVIEW_TOOL_GUARD=0. See loki_review_guard_denylist.
+                    local _rv_argv=("--dangerously-skip-permissions")
+                    if type loki_subcall_bare_enabled >/dev/null 2>&1 && loki_subcall_bare_enabled; then
+                        _rv_argv+=("--bare")
+                    fi
+                    if type loki_review_guard_enabled >/dev/null 2>&1 && loki_review_guard_enabled; then
+                        _rv_argv+=("--disallowedTools" "$(loki_review_guard_denylist)")
+                    fi
+                    claude "${_rv_argv[@]}" -p "$prompt_text" \
                         --output-format text > "$review_output" 2>/dev/null
                     ;;
                 codex)
@@ -7963,7 +8051,25 @@ ADVERSARIAL_EOF
     case "${PROVIDER_NAME:-claude}" in
         claude)
             if command -v claude &>/dev/null; then
-                claude --dangerously-skip-permissions -p "$adversarial_prompt" \
+                # EMBED 2 + 3 (v7.33.0). Adversarial probe subcall.
+                # $adversarial_prompt is fully self-contained (instructions +
+                # changed files + diff inlined via the heredoc above) and output
+                # is captured to $result_file. So:
+                #   EMBED 2 (--bare): no hooks/LSP/CLAUDE.md/MCP needed; cheaper.
+                #     Opt out LOKI_BARE_SUBCALLS=0.
+                #   EMBED 3 (--disallowedTools): keep an adversarial agent from
+                #     casually mutating the tree. Deny Edit/Write/NotebookEdit +
+                #     git mutation forms (incl. git -C / --git-dir evasions);
+                #     read-only git stays allowed. Guardrail, not a sandbox.
+                #     Opt out LOKI_REVIEW_TOOL_GUARD=0.
+                local _adv_argv=("--dangerously-skip-permissions")
+                if type loki_subcall_bare_enabled >/dev/null 2>&1 && loki_subcall_bare_enabled; then
+                    _adv_argv+=("--bare")
+                fi
+                if type loki_review_guard_enabled >/dev/null 2>&1 && loki_review_guard_enabled; then
+                    _adv_argv+=("--disallowedTools" "$(loki_review_guard_denylist)")
+                fi
+                claude "${_adv_argv[@]}" -p "$adversarial_prompt" \
                     --output-format text > "$result_file" 2>/dev/null || true
             fi
             ;;
@@ -9988,9 +10094,21 @@ ${_commits}"
 
     # Use haiku for cheap, fast generation. --dangerously-skip-permissions
     # because this is a one-shot non-interactive call.
+    # EMBED 2 (v7.33.0): --bare on this cheap NON-MAIN haiku subcall. The
+    # USAGE.md-regen prompt ($_ic_prompt, piped via -p -) is fully self-contained
+    # (project tree + manifests + entrypoint contents + commits inlined) and the
+    # output is captured, not written by the agent. No hooks/LSP/CLAUDE.md/MCP
+    # needed, so --bare is safe and cheaper. Opt out LOKI_BARE_SUBCALLS=0.
+    # Always at least --dangerously-skip-permissions, so the array is never
+    # empty (empty "${arr[@]}" under set -u errors on bash 3.2, stock macOS).
+    local _ic_argv=("--dangerously-skip-permissions")
+    if type loki_subcall_bare_enabled >/dev/null 2>&1 && loki_subcall_bare_enabled; then
+        _ic_argv+=("--bare")
+    fi
+    _ic_argv+=("--model" "haiku")
     local _ic_out
     _ic_out=$(printf '%s' "$_ic_prompt" \
-        | timeout 60 claude --dangerously-skip-permissions --model haiku -p - 2>/dev/null \
+        | timeout 60 claude "${_ic_argv[@]}" -p - 2>/dev/null \
         | head -200)
     # Sanity check: response must look like Markdown (starts with # or ##).
     if [ -z "$_ic_out" ] || ! printf '%s' "$_ic_out" | head -1 | grep -qE '^#'; then

package/dashboard/__init__.py

@@ -7,7 +7,7 @@ Modules:
     control: Session control API (start/stop/pause/resume)
 """
 
-__version__ = "7.32.2"
+__version__ = "7.33.0"
 
 # Expose the control app for easy import
 try:

package/docs/INSTALLATION.md

@@ -2,7 +2,7 @@
 
 The flagship product of [Autonomi](https://www.autonomi.dev/). Loki Mode is a spec-driven autonomous builder with a built-in trust layer that takes any spec to a deployed product and verifies completion with evidence (quality gates plus a completion council), not just a "done" claim. Complete installation instructions for all platforms and use cases.
 
-**Version:** v7.32.2
+**Version:** v7.33.0
 
 ---
 

package/loki-ts/dist/loki.js

@@ -1,5 +1,5 @@
 // @bun
-var n6=Object.defineProperty;var a6=($)=>$;function s6($,Q){this[$]=a6.bind(null,Q)}var h=($,Q)=>{for(var Z in Q)n6($,Z,{get:Q[Z],enumerable:!0,configurable:!0,set:s6.bind(Q,Z)})};var L=($,Q)=>()=>($&&(Q=$($=0)),Q);var K$=import.meta.require;var S1={};h(S1,{lokiDir:()=>P,homeLokiDir:()=>o$,findRepoRootForVersion:()=>d$,REPO_ROOT:()=>m});import{resolve as n,dirname as l$}from"path";import{fileURLToPath as t6}from"url";import{existsSync as P$}from"fs";import{homedir as r6}from"os";function i6(){let $=N1;for(let Q=0;Q<6;Q++){if(P$(n($,"VERSION"))&&P$(n($,"autonomy/run.sh")))return $;let Z=l$($);if(Z===$)break;$=Z}return n(N1,"..","..","..")}function d$($){let Q=$;for(let Z=0;Z<6;Z++){if(P$(n(Q,"VERSION"))&&P$(n(Q,"autonomy/run.sh")))return Q;let z=l$(Q);if(z===Q)break;Q=z}return n($,"..","..","..")}function P(){return process.env.LOKI_DIR??n(process.cwd(),".loki")}function o$(){return n(r6(),".loki")}var N1,m;var C=L(()=>{N1=l$(t6(import.meta.url));m=i6()});import{readFileSync as e6}from"fs";import{resolve as $Q,dirname as QQ}from"path";import{fileURLToPath as ZQ}from"url";function F$(){if($$!==null)return $$;let $="7.32.2";if(typeof $==="string"&&$.length>0)return $$=$,$$;try{let Q=QQ(ZQ(import.meta.url)),Z=d$(Q);$$=e6($Q(Z,"VERSION"),"utf-8").trim()}catch{$$="unknown"}return $$}var $$=null;var n$=L(()=>{C()});var C1={};h(C1,{runOrThrow:()=>zQ,run:()=>j,commandVersion:()=>KQ,commandExists:()=>f,ShellError:()=>a$});async function j($,Q={}){let Z=Bun.spawn({cmd:[...$],stdout:"pipe",stderr:"pipe",env:Q.env?{...process.env,...Q.env}:process.env,cwd:Q.cwd}),z,X;if(Q.timeoutMs&&Q.timeoutMs>0)z=setTimeout(()=>{try{Z.kill("SIGTERM")}catch{}X=setTimeout(()=>{try{Z.kill("SIGKILL")}catch{}},2000)},Q.timeoutMs);try{let[W,K,U]=await Promise.all([new Response(Z.stdout).text(),new Response(Z.stderr).text(),Z.exited]);return{stdout:W,stderr:K,exitCode:U}}finally{if(z)clearTimeout(z);if(X)clearTimeout(X)}}async function zQ($,Q={}){let Z=await j($,Q);if(Z.exitCode!==0)throw new a$(`command failed (${Z.exitCode}): ${$.join(" ")}`,Z.exitCode,Z.stdout,Z.stderr);return Z}async function f($){let Q=XQ($),Z=await j(["sh","-c",`command -v ${Q}`],{timeoutMs:5000});if(Z.exitCode===0)return Z.stdout.trim()||null;return null}function XQ($){if(!/^[A-Za-z0-9._/-]+$/.test($))throw Error(`refused to shell-escape suspect token: ${$}`);return $}async function KQ($,Q="--version"){if(!await f($))return null;let z=await j([$,Q],{timeoutMs:5000});if(z.exitCode!==0)return null;return((z.stdout||z.stderr).split(/\r?\n/)[0]?.trim()??"")||null}var a$;var d=L(()=>{a$=class a$ extends Error{message;exitCode;stdout;stderr;constructor($,Q,Z,z){super($);this.message=$;this.exitCode=Q;this.stdout=Z;this.stderr=z;this.name="ShellError"}}});function a($){return WQ?"":$}var WQ,T,S,I,TZ,w,R,y,q;var c=L(()=>{WQ=(process.env.NO_COLOR??"").length>0;T=a("\x1B[0;31m"),S=a("\x1B[0;32m"),I=a("\x1B[1;33m"),TZ=a("\x1B[0;34m"),w=a("\x1B[0;36m"),R=a("\x1B[1m"),y=a("\x1B[2m"),q=a("\x1B[0m")});import{existsSync as TQ}from"fs";async function Q$(){if(B$!==void 0)return B$;let $="/opt/homebrew/bin/python3.12";if(TQ($))return B$=$,$;let Q=await f("python3.12");if(Q)return B$=Q,Q;let Z=await f("python3");return B$=Z,Z}async function Z$($,Q={}){let Z=await Q$();if(!Z)return{stdout:"",stderr:"python3 not found",exitCode:127};return j([Z,"-c",$],Q)}var B$;var W$=L(()=>{d()});var t1={};h(t1,{runStatus:()=>gQ});import{existsSync as v,readFileSync as U$,readdirSync as l1,statSync as d1}from"fs";import{resolve as D,basename as xQ}from"path";import{homedir as NQ}from"os";async function DQ(){if(await f("jq"))return!0;return process.stdout.write(`${T}Error: jq is required but not installed.${q}
+var n6=Object.defineProperty;var a6=($)=>$;function s6($,Q){this[$]=a6.bind(null,Q)}var h=($,Q)=>{for(var Z in Q)n6($,Z,{get:Q[Z],enumerable:!0,configurable:!0,set:s6.bind(Q,Z)})};var L=($,Q)=>()=>($&&(Q=$($=0)),Q);var K$=import.meta.require;var S1={};h(S1,{lokiDir:()=>P,homeLokiDir:()=>o$,findRepoRootForVersion:()=>d$,REPO_ROOT:()=>m});import{resolve as n,dirname as l$}from"path";import{fileURLToPath as t6}from"url";import{existsSync as P$}from"fs";import{homedir as r6}from"os";function i6(){let $=N1;for(let Q=0;Q<6;Q++){if(P$(n($,"VERSION"))&&P$(n($,"autonomy/run.sh")))return $;let Z=l$($);if(Z===$)break;$=Z}return n(N1,"..","..","..")}function d$($){let Q=$;for(let Z=0;Z<6;Z++){if(P$(n(Q,"VERSION"))&&P$(n(Q,"autonomy/run.sh")))return Q;let z=l$(Q);if(z===Q)break;Q=z}return n($,"..","..","..")}function P(){return process.env.LOKI_DIR??n(process.cwd(),".loki")}function o$(){return n(r6(),".loki")}var N1,m;var C=L(()=>{N1=l$(t6(import.meta.url));m=i6()});import{readFileSync as e6}from"fs";import{resolve as $Q,dirname as QQ}from"path";import{fileURLToPath as ZQ}from"url";function F$(){if($$!==null)return $$;let $="7.33.0";if(typeof $==="string"&&$.length>0)return $$=$,$$;try{let Q=QQ(ZQ(import.meta.url)),Z=d$(Q);$$=e6($Q(Z,"VERSION"),"utf-8").trim()}catch{$$="unknown"}return $$}var $$=null;var n$=L(()=>{C()});var C1={};h(C1,{runOrThrow:()=>zQ,run:()=>j,commandVersion:()=>KQ,commandExists:()=>f,ShellError:()=>a$});async function j($,Q={}){let Z=Bun.spawn({cmd:[...$],stdout:"pipe",stderr:"pipe",env:Q.env?{...process.env,...Q.env}:process.env,cwd:Q.cwd}),z,X;if(Q.timeoutMs&&Q.timeoutMs>0)z=setTimeout(()=>{try{Z.kill("SIGTERM")}catch{}X=setTimeout(()=>{try{Z.kill("SIGKILL")}catch{}},2000)},Q.timeoutMs);try{let[W,K,U]=await Promise.all([new Response(Z.stdout).text(),new Response(Z.stderr).text(),Z.exited]);return{stdout:W,stderr:K,exitCode:U}}finally{if(z)clearTimeout(z);if(X)clearTimeout(X)}}async function zQ($,Q={}){let Z=await j($,Q);if(Z.exitCode!==0)throw new a$(`command failed (${Z.exitCode}): ${$.join(" ")}`,Z.exitCode,Z.stdout,Z.stderr);return Z}async function f($){let Q=XQ($),Z=await j(["sh","-c",`command -v ${Q}`],{timeoutMs:5000});if(Z.exitCode===0)return Z.stdout.trim()||null;return null}function XQ($){if(!/^[A-Za-z0-9._/-]+$/.test($))throw Error(`refused to shell-escape suspect token: ${$}`);return $}async function KQ($,Q="--version"){if(!await f($))return null;let z=await j([$,Q],{timeoutMs:5000});if(z.exitCode!==0)return null;return((z.stdout||z.stderr).split(/\r?\n/)[0]?.trim()??"")||null}var a$;var d=L(()=>{a$=class a$ extends Error{message;exitCode;stdout;stderr;constructor($,Q,Z,z){super($);this.message=$;this.exitCode=Q;this.stdout=Z;this.stderr=z;this.name="ShellError"}}});function a($){return WQ?"":$}var WQ,T,S,I,TZ,w,R,y,q;var c=L(()=>{WQ=(process.env.NO_COLOR??"").length>0;T=a("\x1B[0;31m"),S=a("\x1B[0;32m"),I=a("\x1B[1;33m"),TZ=a("\x1B[0;34m"),w=a("\x1B[0;36m"),R=a("\x1B[1m"),y=a("\x1B[2m"),q=a("\x1B[0m")});import{existsSync as TQ}from"fs";async function Q$(){if(B$!==void 0)return B$;let $="/opt/homebrew/bin/python3.12";if(TQ($))return B$=$,$;let Q=await f("python3.12");if(Q)return B$=Q,Q;let Z=await f("python3");return B$=Z,Z}async function Z$($,Q={}){let Z=await Q$();if(!Z)return{stdout:"",stderr:"python3 not found",exitCode:127};return j([Z,"-c",$],Q)}var B$;var W$=L(()=>{d()});var t1={};h(t1,{runStatus:()=>gQ});import{existsSync as v,readFileSync as U$,readdirSync as l1,statSync as d1}from"fs";import{resolve as D,basename as xQ}from"path";import{homedir as NQ}from"os";async function DQ(){if(await f("jq"))return!0;return process.stdout.write(`${T}Error: jq is required but not installed.${q}
 `),process.stdout.write(`Install with:
 `),process.stdout.write(`  brew install jq    (macOS)
 `),process.stdout.write(`  apt install jq     (Debian/Ubuntu)
@@ -789,4 +789,4 @@ Set LOKI_LEGACY_BASH=1 to force the bash CLI for every command.
 `),2}default:return process.stderr.write(`Unknown command: ${Q}
 `),process.stderr.write(o6),2}}p1();process.on("SIGINT",()=>process.exit(130));process.on("SIGTERM",()=>process.exit(143));var ZZ=await QZ(Bun.argv.slice(2));process.exit(ZZ);
 
-//# debugId=F7A4FD0C7A94555A64756E2164756E21
+//# debugId=27D659E047A7DB5564756E2164756E21

package/mcp/__init__.py

@@ -57,4 +57,4 @@ try:
 except ImportError:
     __all__ = ['mcp']
 
-__version__ = '7.32.2'
+__version__ = '7.33.0'

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "loki-mode",
   "mcpName": "io.github.asklokesh/loki-mode",
-  "version": "7.32.2",
+  "version": "7.33.0",
   "description": "Loki Mode by Autonomi. Autonomous spec-to-product system: takes a PRD, GitHub issue, OpenAPI/JSON/YAML, or one-line brief to a deployed app via the RARV-C closure loop with 11 quality gates. Provider-agnostic (Claude Code, OpenAI Codex, Cline, Aider).",
   "keywords": [
     "agent",

package/providers/claude.sh

@@ -190,6 +190,20 @@ _loki_build_claude_auto_flags() {
             for _mcp_path in $_mcp_argv; do
                 _LOKI_CLAUDE_AUTO_FLAGS+=("$_mcp_path")
             done
+            # EMBED 1 (v7.33.0): --strict-mcp-config. ONLY emitted alongside an
+            # actual --mcp-config bundle (never bare). Per `claude --help` it
+            # makes the agent load servers ONLY from --mcp-config, ignoring ALL
+            # other MCP sources (auto-discovered project .mcp.json AND any
+            # settings-injected configs). Note the bundle already includes the
+            # user's ~/.claude/mcp.json overlay explicitly, so the common
+            # user-MCP case is preserved; what is dropped is any MCP config not
+            # in the explicit bundle, making the run reproducible.
+            # Default-ON; opt out with LOKI_STRICT_MCP=0. Gated on CLI support so
+            # an older claude degrades gracefully.
+            if [ "${LOKI_STRICT_MCP:-1}" != "0" ] \
+               && loki_claude_flag_supported "--strict-mcp-config"; then
+                _LOKI_CLAUDE_AUTO_FLAGS+=("--strict-mcp-config")
+            fi
         fi
     fi