loki-mode 7.32.3 → 7.34.0

package/README.md

@@ -36,7 +36,7 @@
 - **Intelligent `loki start`** -- For interactive foreground runs the dashboard auto-opens in the browser (cross-platform; skipped in CI, SSH-without-TTY, and piped runs; opt out with `LOKI_NO_AUTO_OPEN=1`). The completion summary shows "Your app is live at <url>" so you know exactly where to try what Loki just built. The autonomous loop passes Claude Code's `--effort`, `--max-budget-usd`, and `--fallback-model` on every iteration (each gated on CLI support and individual opt-out env vars) for better long-run unattended execution (v7.25.0).
 - **Cross-project memory** -- Episodic/semantic/procedural memory with vector search; knowledge learned on one project surfaces on the next (v5.15.0+, see `memory/engine.py`)
 - **Self-hosted and private** -- Your keys, your infrastructure, no data leaves your network
-- **Legacy system healing** -- `loki heal` archaeology/stabilize/isolate/modernize/validate phases (v6.67.0, see `skills/healing.md`)
+- **Legacy system healing** -- `loki modernize heal` archaeology/stabilize/isolate/modernize/validate phases (v6.67.0, see `skills/healing.md`)
 - **MCP server** -- 34 tools (including ChromaDB code search) plus 3 resources and 2 prompts (`mcp/server.py`, with magic tools registered from `mcp/magic_tools.py` and the managed-memory tool from `mcp/managed_tools.py`). Of the 34, 33 are always available; `loki_memory_redact` is registered but only succeeds when `LOKI_MANAGED_AGENTS=true` and `LOKI_MANAGED_MEMORY=true`. Launch with `loki mcp` (bootstraps the Python MCP SDK on first run).
 - **Full-stack output** -- Source code, tests, Docker Compose stacks (multi-service with healthchecks), CI/CD pipelines, audit logs
 - **Provider-agnostic** -- runs on Claude, Codex, Cline, or Aider with automatic failover (`loki-ts/src/runner/providers.ts`); no vendor lock-in. Gemini CLI deprecated v7.5.18; Antigravity CLI coming soon.
@@ -366,17 +366,17 @@ Status legend: "E2E-verified" means we run real spec-to-code builds on it oursel
 |---------|-------------|
 | `loki start [PRD]` | Start with optional PRD file (also accepts an issue ref; replaces deprecated `loki run`). Auto-opens the dashboard in the browser for interactive runs and passes native `--effort`/`--max-budget-usd`/`--fallback-model` for resilience (v7.25.0) |
 | `loki stop` | Stop execution |
-| `loki heal <path>` | Legacy system healing (archaeology, stabilize, isolate, modernize, validate -- v6.67.0) |
+| `loki modernize heal <path>` | Legacy system healing (archaeology, stabilize, isolate, modernize, validate -- v6.67.0; was: `loki heal`) |
 | `loki pause` / `resume` | Pause/resume after current session |
 | `loki status` | Show current status |
 | `loki dashboard` | Open web dashboard |
-| `loki preview` / `loki open` | Print running app URL and open in browser (Live App Preview, v7.24.0) |
+| `loki preview` | Print running app URL and open in browser (Live App Preview, v7.24.0; was: `loki open`) |
 | `loki web` | Launch Purple Lab web UI |
 | `loki doctor` | Check environment and dependencies |
 | `loki plan [PRD]` | Pre-execution analysis: complexity, cost, iterations |
 | `loki review [--staged\|--diff]` | AI-powered code review with severity filtering |
 | `loki test [--file\|--dir\|--changed]` | AI test generation (8 languages, 9 frameworks) |
-| `loki onboard [path]` | Project analysis and CLAUDE.md generation |
+| `loki analyze onboard [path]` | Project analysis and CLAUDE.md generation (was: `loki onboard`) |
 | `loki import` | Import GitHub issues as tasks |
 | `loki ci` | CI/CD quality gate integration |
 | `loki failover` | Cross-provider auto-failover management |

package/SKILL.md

@@ -3,7 +3,7 @@ name: loki-mode
 description: Autonomous spec-driven build system with a built-in trust layer. It does not call work done until it is verified (RARV-C closure loop, 11 quality gates, completion council, verified-completion evidence gate). Triggers on "Loki Mode". Takes a spec (PRD, GitHub issue, OpenAPI doc, etc.) to deployed product with minimal human intervention. Provider-agnostic. Requires --dangerously-skip-permissions flag.
 ---
 
-# Loki Mode v7.32.3
+# Loki Mode v7.34.0
 
 **You are an autonomous agent. You make decisions. You do not ask questions. You do not stop.**
 
@@ -398,4 +398,4 @@ See `CHANGELOG.md` entries [7.5.7], [7.5.8], [7.5.13] for the per-fix list and r
 
 ---
 
-**v7.32.3 | [Autonomi](https://www.autonomi.dev/) flagship product | ~260 lines core**
+**v7.34.0 | [Autonomi](https://www.autonomi.dev/) flagship product | ~260 lines core**

package/VERSION

@@ -1 +1 @@
-7.32.3
+7.34.0

package/autonomy/completion-council.sh

@@ -1759,7 +1759,23 @@ ISSUES: CRITICAL:description (optional, one per line per issue)"
         claude)
             if command -v claude &>/dev/null; then
                 local council_model="${PROVIDER_MODEL_FAST:-haiku}"
-                verdict=$(echo "$prompt" | claude --model "$council_model" -p 2>/dev/null | tail -20)
+                # EMBED 2 + 3 (v7.33.0). Council member completion vote. The
+                # $prompt is fully self-contained (evidence + instructions +
+                # strict VOTE/REASON/ISSUES output format, piped via stdin) and
+                # the verdict is captured. So --bare (cheap, no hooks/LSP/CLAUDE.
+                # md/MCP) and --disallowedTools (a voting reviewer must never
+                # mutate the tree) both apply. Gated + opt-out
+                # LOKI_BARE_SUBCALLS=0 / LOKI_REVIEW_TOOL_GUARD=0. Helpers may be
+                # out of scope when this file is sourced standalone, so each is
+                # type-guarded (degrades to the prior bare invocation).
+                local _cm_argv=("--model" "$council_model")
+                if type loki_subcall_bare_enabled >/dev/null 2>&1 && loki_subcall_bare_enabled; then
+                    _cm_argv+=("--bare")
+                fi
+                if type loki_review_guard_enabled >/dev/null 2>&1 && loki_review_guard_enabled; then
+                    _cm_argv+=("--disallowedTools" "$(loki_review_guard_denylist)")
+                fi
+                verdict=$(echo "$prompt" | claude "${_cm_argv[@]}" -p 2>/dev/null | tail -20)
             fi
             ;;
         codex)
@@ -1842,7 +1858,19 @@ REASON: your reasoning"
         claude)
             if command -v claude &>/dev/null; then
                 local council_model="${PROVIDER_MODEL_FAST:-haiku}"
-                verdict=$(echo "$prompt" | claude --model "$council_model" -p 2>/dev/null | tail -20)
+                # EMBED 2 + 3 (v7.33.0). Contrarian (devil's-advocate) vote --
+                # an adversarial reviewer. Self-contained $prompt via stdin,
+                # verdict captured. --bare + --disallowedTools both apply (a
+                # reviewer must never mutate the tree). Gated + opt-out
+                # LOKI_BARE_SUBCALLS=0 / LOKI_REVIEW_TOOL_GUARD=0; type-guarded.
+                local _co_argv=("--model" "$council_model")
+                if type loki_subcall_bare_enabled >/dev/null 2>&1 && loki_subcall_bare_enabled; then
+                    _co_argv+=("--bare")
+                fi
+                if type loki_review_guard_enabled >/dev/null 2>&1 && loki_review_guard_enabled; then
+                    _co_argv+=("--disallowedTools" "$(loki_review_guard_denylist)")
+                fi
+                verdict=$(echo "$prompt" | claude "${_co_argv[@]}" -p 2>/dev/null | tail -20)
             fi
             ;;
         codex)

package/autonomy/context-tracker.py

@@ -304,7 +304,13 @@ def update_tracking(loki_dir, iteration, window_size, provider="claude",
         if result["new_offset"] == last_offset:
             return  # Nothing new
 
-        # Update session ID and offset
+        # Update session ID and offset.
+        # v7.34.0 Phase 1: when LOKI_SESSION_STAMP=1, run.sh passes a
+        # per-iteration --session-id, so claude names the JSONL after that uuid
+        # and jsonl_path.stem is that uuid rather than a claude-minted one. This
+        # is just a string label for the tracking record; any value (uuid or
+        # otherwise) is fine here, so no reconcile/parse is needed and there is
+        # no crash path from the id differing.
         tracking["session_id"] = jsonl_path.stem
         tracking["updated_at"] = datetime.now(timezone.utc).isoformat()
         offset_file.write_text(str(result["new_offset"]))

package/autonomy/council-v2.sh

@@ -263,7 +263,20 @@ Respond ONLY with a valid JSON object. No markdown fencing."
     case "${PROVIDER_NAME:-claude}" in
         claude)
             if command -v claude &>/dev/null; then
-                result=$(echo "$full_prompt" | claude --model haiku -p 2>/dev/null || echo '{"verdict":"REJECT","reasoning":"review execution failed","issues":[]}')
+                # EMBED 2 + 3 (v7.33.0). Council-v2 reviewer verdict. $full_prompt
+                # is self-contained (evidence + PRD + strict JSON output, via
+                # stdin) and the JSON result is captured. --bare + --disallowedTools
+                # both apply (a reviewer must never mutate the tree). Gated +
+                # opt-out LOKI_BARE_SUBCALLS=0 / LOKI_REVIEW_TOOL_GUARD=0;
+                # type-guarded for standalone sourcing.
+                local _c2_argv=("--model" "haiku")
+                if type loki_subcall_bare_enabled >/dev/null 2>&1 && loki_subcall_bare_enabled; then
+                    _c2_argv+=("--bare")
+                fi
+                if type loki_review_guard_enabled >/dev/null 2>&1 && loki_review_guard_enabled; then
+                    _c2_argv+=("--disallowedTools" "$(loki_review_guard_denylist)")
+                fi
+                result=$(echo "$full_prompt" | claude "${_c2_argv[@]}" -p 2>/dev/null || echo '{"verdict":"REJECT","reasoning":"review execution failed","issues":[]}')
             else
                 result='{"verdict":"REJECT","reasoning":"reviewer CLI unavailable","issues":[]}'
             fi

package/autonomy/grill.sh

@@ -38,6 +38,16 @@ GRILL_EXIT_ERROR=3
 GRILL_DIR_DEFAULT=".loki/grill"
 GRILL_REPORT_NAME="report.md"
 
+# Source the claude-flags helper (idempotent, guarded) so the v7.33.0 embeds
+# (--bare / --disallowedTools) are available in grill's standalone invocation
+# path. Best-effort: if the file is missing the type-guards at the call site
+# degrade to the prior bare invocation.
+_grill_flags_helper="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)/lib/claude-flags.sh"
+if [ -f "$_grill_flags_helper" ]; then
+    # shellcheck disable=SC1090
+    . "$_grill_flags_helper"
+fi
+
 _grill_log() { printf '[grill] %s\n' "$*" >&2; }
 _grill_err() { printf '[grill][error] %s\n' "$*" >&2; }
 
@@ -178,8 +188,24 @@ grill_invoke_provider() {
             local out
             # Single-shot, non-interactive. Same pattern as the in-loop
             # adversarial reviewer (run.sh:7807) and USAGE regen (run.sh:9832).
+            # EMBED 2 + 3 (v7.33.0). The devil's-advocate grill is a cheap
+            # self-contained adversarial subcall (the entire spec + interrogation
+            # instructions are in $prompt, piped via -p -; output captured). So:
+            #   EMBED 2 (--bare): no hooks/LSP/CLAUDE.md/MCP needed; cheaper.
+            #     Opt out LOKI_BARE_SUBCALLS=0.
+            #   EMBED 3 (--disallowedTools): a grill agent interrogates a spec and
+            #     must never mutate the tree (defense-in-depth). Deny Edit/Write/
+            #     NotebookEdit + git mutations. Opt out LOKI_REVIEW_TOOL_GUARD=0.
+            # Type-guarded so an environment without the helper degrades cleanly.
+            local _gr_argv=("--dangerously-skip-permissions" "--model" "${LOKI_GRILL_MODEL:-sonnet}")
+            if type loki_subcall_bare_enabled >/dev/null 2>&1 && loki_subcall_bare_enabled; then
+                _gr_argv+=("--bare")
+            fi
+            if type loki_review_guard_enabled >/dev/null 2>&1 && loki_review_guard_enabled; then
+                _gr_argv+=("--disallowedTools" "$(loki_review_guard_denylist)")
+            fi
             out="$(printf '%s' "$prompt" \
-                | _grill_with_timeout "${LOKI_GRILL_TIMEOUT:-180}" claude --dangerously-skip-permissions --model "${LOKI_GRILL_MODEL:-sonnet}" -p - 2>/dev/null)"
+                | _grill_with_timeout "${LOKI_GRILL_TIMEOUT:-180}" claude "${_gr_argv[@]}" -p - 2>/dev/null)"
             if [ -z "$out" ]; then
                 _grill_err "provider returned no output (timeout or invocation error)"
                 return $GRILL_EXIT_ERROR

package/autonomy/lib/claude-flags.sh

@@ -130,3 +130,160 @@ loki_claude_flag_supported() {
         *) return 1 ;;
     esac
 }
+
+# ---------- v7.33.0 cheap-subcall + reviewer-guard flag emitters ----------
+# These centralize three Claude Code 2.1.170 embeds so every cheap NON-MAIN
+# subcall site emits the same gated flags. Each emitter prints its flags to
+# stdout (space-free per element via one-per-line is not needed; callers read
+# them into an array with command substitution + word-splitting on the single
+# token they emit, OR append the function output as additional argv elements).
+# All are default-ON, opt-out via env, and gated on loki_claude_flag_supported
+# so an older CLI degrades gracefully (emits nothing).
+
+# EMBED 2 -- --bare (cheap NON-MAIN subcalls only). Minimal mode. Per
+# `claude --help` it SKIPS hooks, LSP, plugin sync, attribution, auto-memory,
+# background prefetches, keychain reads, and CLAUDE.md AUTO-discovery. It does
+# NOT nullify explicit --mcp-config/--settings/--agents (the help lists those as
+# the way to "explicitly provide context" UNDER --bare); what it drops is the
+# IMPLICIT/auto-discovered context. Therefore --bare is ONLY safe on subcalls
+# whose prompt is fully self-contained (the entire instruction set + context is
+# passed via -p), and NEVER on the main RARV loop or on any call that relies on
+# auto-discovered CLAUDE.md / hooks / auto-memory.
+#
+# AUTH GATE (critical): --bare sets CLAUDE_CODE_SIMPLE=1 and per `claude --help`
+# reads Anthropic auth STRICTLY from ANTHROPIC_API_KEY or an apiKeyHelper via
+# --settings -- "OAuth and keychain are never read". A subscription/OAuth user
+# (no ANTHROPIC_API_KEY) gets "Not logged in" on every --bare subcall, which
+# exits 0 with the error on stdout, so a council vote parses as the default
+# REJECT and the loop silently corrupts. So --bare is enabled ONLY when an
+# API-key auth path exists (ANTHROPIC_API_KEY set, or an apiKeyHelper configured
+# in settings); otherwise it emits nothing and the subcall runs full-auth, the
+# same as before this embed. Subscription users are thus unaffected by default.
+# Default-ON (when auth-safe); opt out entirely with LOKI_BARE_SUBCALLS=0.
+# Predicate so call sites can append "--bare" to their argv array uniformly:
+#   loki_subcall_bare_enabled && argv+=("--bare")
+loki_subcall_bare_enabled() {
+    [ "${LOKI_BARE_SUBCALLS:-1}" = "0" ] && return 1
+    # API-key auth required (see AUTH GATE above). ANTHROPIC_API_KEY is the
+    # common case; apiKeyHelper covers the settings-configured helper. Anything
+    # else (OAuth/keychain subscription) must NOT use --bare. Trim the key so a
+    # whitespace-only value does not count as set (it would fail --bare auth).
+    local _key
+    _key="$(printf '%s' "${ANTHROPIC_API_KEY:-}" | tr -d '[:space:]')"
+    if [ -z "$_key" ] && ! _loki_apikey_helper_configured; then
+        return 1
+    fi
+    loki_claude_flag_supported "--bare"
+}
+
+# True when an apiKeyHelper is configured in any Claude settings source, which
+# (unlike OAuth/keychain) IS honored under --bare. Best-effort, read-only.
+_loki_apikey_helper_configured() {
+    local f
+    for f in "$HOME/.claude/settings.json" "$HOME/.config/claude/settings.json" \
+             "${CLAUDE_CONFIG_DIR:-$HOME/.claude}/settings.json" \
+             "$PWD/.claude/settings.json" "$PWD/.claude/settings.local.json"; do
+        [ -f "$f" ] || continue
+        # Require "apiKeyHelper" : "<non-empty value>" (a real key:value pair),
+        # not the bare token in a comment/prose. Tolerates whitespace around the
+        # colon. Not a full JSON parse, but rejects the obvious false-positives.
+        grep -Eq '"apiKeyHelper"[[:space:]]*:[[:space:]]*"[^"]+"' "$f" 2>/dev/null && return 0
+    done
+    return 1
+}
+
+# EMBED 3 -- --disallowedTools (reviewer / adversarial subcalls). Motivation: a
+# parallel agent once ran `git reset --hard` and wiped uncommitted work, so a
+# reviewer/voter subcall should not casually mutate the tree. Per `claude --help`
+# the value is a comma-or-space-separated list of tool names (e.g. "Bash(git *)
+# Edit"); Bash(...) matching is command-PREFIX based (the `cmd:*` form).
+#
+# SCOPE / LIMITS (honest -- this is a denylist, NOT a sandbox):
+#   - Denies the direct file-mutation tools (Edit, Write, NotebookEdit).
+#   - Denies the common git MUTATION forms: the bare subcommand (`git reset:*`)
+#     AND the global-flag-prefixed evasions (`git -C:*`, `git --git-dir:*`,
+#     `git -c:*`) that slip a flag before the subcommand so the bare prefix
+#     does not match. Read-only git (diff/log/show/status) stays allowed.
+#   - It does NOT and cannot block every mutation path: a determined agent can
+#     still write via `Bash(echo > f)`, `sed -i`, `cp/mv/tee`, `python -c`, etc.
+#     This is a guardrail that raises the cost of the casual/common destructive
+#     command, not a guarantee the tree is immutable. The real safety net is
+#     that the integrator commits before any agent wave (see CLAUDE.md).
+# The flag is variadic (<tools...>), so we emit ONE comma-separated token to
+# avoid swallowing the following -p prompt as additional tool names.
+# Default-ON; opt out with LOKI_REVIEW_TOOL_GUARD=0.
+# Predicate + denylist so call sites append uniformly:
+#   if loki_review_guard_enabled; then
+#       argv+=("--disallowedTools" "$(loki_review_guard_denylist)")
+#   fi
+loki_review_guard_enabled() {
+    [ "${LOKI_REVIEW_TOOL_GUARD:-1}" = "0" ] && return 1
+    loki_claude_flag_supported "--disallowedTools"
+}
+loki_review_guard_denylist() {
+    # Comma-separated single token. Bash(cmd:*) is command-prefix matching.
+    # The `git -C:*` / `git --git-dir:*` / `git -c:*` entries close the
+    # global-flag-before-subcommand evasion of the bare git-mutation rules.
+    printf '%s' "Edit,Write,NotebookEdit,Bash(git commit:*),Bash(git reset:*),Bash(git push:*),Bash(git checkout:*),Bash(git clean:*),Bash(git rm:*),Bash(git stash:*),Bash(git -C:*),Bash(git --git-dir:*),Bash(git -c:*)"
+}
+
+# ---------- v7.34.0 Claude session-id stamping (Phase 1, correlation-only) -----
+# Derive a deterministic per-run UUID from the existing trust-run-id so the same
+# run always maps to the same claude session UUID, and the bash + Bun routes
+# produce BYTE-IDENTICAL uuids for the same run id. We use RFC-4122 UUIDv5
+# (SHA-1 over a stable namespace + the name). The namespace below is a fixed,
+# Loki-specific constant; never change it (changing it re-keys every run's uuid).
+# The TS mirror is loki-ts/src/providers/claude_flags.ts claudeSessionUuid().
+#
+# Phase 1 is correlation-only: the uuid is written to a metadata file and (only
+# when LOKI_SESSION_STAMP=1) emitted as a PER-ITERATION --session-id on the main
+# loop. It NEVER pins one id across the run (that is Phase 2 continuity, which
+# would accumulate transcript and compete with Loki's own injected memory).
+LOKI_CLAUDE_SESSION_NS="b6f3c7a2-9d41-5e8b-9c2a-3f7d6e1a4b50"
+
+# UUIDv5 over the Loki session namespace + an arbitrary name string. Pure
+# (stdout only), deterministic, no side effects. Uses python3 (always present on
+# the bash route; every other helper here already depends on it). Emits empty on
+# any failure so the caller degrades to metadata-only without breaking the run.
+_loki_uuid5() {
+    local name="${1:-}"
+    [ -z "$name" ] && return 0
+    command -v python3 >/dev/null 2>&1 || return 0
+    LOKI_CLAUDE_SESSION_NS="$LOKI_CLAUDE_SESSION_NS" _LOKI_UUID5_NAME="$name" \
+    python3 - <<'UUID5_PY' 2>/dev/null || true
+import os, uuid
+ns = uuid.UUID(os.environ["LOKI_CLAUDE_SESSION_NS"])
+print(uuid.uuid5(ns, os.environ["_LOKI_UUID5_NAME"]))
+UUID5_PY
+}
+
+# The stable per-run claude session UUID: UUIDv5 of the trust-run-id. Same run
+# id -> same uuid, on every route. Emits empty when no run id is resolvable.
+_loki_claude_session_uuid() {
+    local run_id="${1:-${LOKI_TRUST_RUN_ID:-}}"
+    [ -z "$run_id" ] && return 0
+    _loki_uuid5 "$run_id"
+}
+
+# The PER-ITERATION session UUID emitted on the main loop when LOKI_SESSION_STAMP=1.
+# UUIDv5 of "<run-id>:<iteration>", so every iteration gets a DISTINCT, deterministic
+# id. This is deliberately NOT the stable per-run uuid: a single pinned id reused
+# across iterations would make claude RESUME (accumulate transcript), which is
+# Phase 2 continuity, explicitly out of scope here. Distinct-per-iteration keeps
+# each iteration a fresh stateless session (byte-identical default behavior to
+# v7.33 except for the added correlation flag).
+_loki_claude_iteration_session_uuid() {
+    local run_id="${1:-${LOKI_TRUST_RUN_ID:-}}"
+    local iteration="${2:-${ITERATION_COUNT:-0}}"
+    [ -z "$run_id" ] && return 0
+    _loki_uuid5 "${run_id}:${iteration}"
+}
+
+# Predicate: emit the per-iteration --session-id ARGV flag? CONSERVATIVE DEFAULT
+# is OFF (metadata-file-only) so the default claude argv stays byte-identical to
+# v7.33 (the UX-monotonicity requirement). Opt IN with LOKI_SESSION_STAMP=1.
+# Gated on CLI support so an older claude degrades gracefully (no flag emitted).
+loki_session_stamp_enabled() {
+    [ "${LOKI_SESSION_STAMP:-0}" = "1" ] || return 1
+    loki_claude_flag_supported "--session-id"
+}

package/autonomy/loki

@@ -685,7 +685,7 @@ show_help() {
     echo "  modernize [cmd]  Legacy modernization: heal|migrate"
     echo ""
     echo "Config:"
-    echo "  config [cmd]     Manage configuration + provider (show|set|get|provider)"
+    echo "  config [cmd]     Manage configuration (show|init|edit|path|set|get)"
     echo "  doctor [--json]  Check system prerequisites and skill symlinks"
     echo ""
     echo "  version          Show version"
@@ -2888,8 +2888,8 @@ cmd_status() {
     fi
 
     echo ""
-    echo -e "${DIM}  Tip: loki context show   - detailed token breakdown${NC}"
-    echo -e "${DIM}  Tip: loki code overview   - codebase intelligence${NC}"
+    echo -e "${DIM}  Tip: loki analyze context show   - detailed token breakdown${NC}"
+    echo -e "${DIM}  Tip: loki analyze code overview  - codebase intelligence${NC}"
 }
 
 # JSON output for loki status --json

package/autonomy/run.sh

@@ -3248,7 +3248,18 @@ Output ONLY the resolved file content with no conflict markers. No explanations.
 
         case "${PROVIDER_NAME:-claude}" in
             claude)
-                resolution=$(claude --dangerously-skip-permissions -p "$conflict_prompt" --output-format text 2>/dev/null)
+                # EMBED 2 (v7.33.0): --bare on this cheap NON-MAIN subcall.
+                # Reasoning: $conflict_prompt is fully self-contained -- it
+                # carries the complete instruction set AND the entire conflicted
+                # file content inline, and the agent's output is captured to a
+                # variable (the shell, not the agent, writes the resolved file).
+                # It needs no hooks, LSP, CLAUDE.md auto-discovery, or MCP, so
+                # --bare is safe and cheaper. Gated + opt-out LOKI_BARE_SUBCALLS=0.
+                local _cr_argv=("--dangerously-skip-permissions")
+                if type loki_subcall_bare_enabled >/dev/null 2>&1 && loki_subcall_bare_enabled; then
+                    _cr_argv+=("--bare")
+                fi
+                resolution=$(claude "${_cr_argv[@]}" -p "$conflict_prompt" --output-format text 2>/dev/null)
                 ;;
             codex)
                 resolution=$(codex exec --full-auto --skip-git-repo-check "$conflict_prompt" 2>/dev/null)
@@ -7803,7 +7814,31 @@ BUILD_PROMPT
                     # Mythos 5 (Project Glasswing), not Fable. If a future change
                     # adds --model here, the security-sentinel reviewer must be
                     # pinned to opus, never fable.
-                    claude --dangerously-skip-permissions -p "$prompt_text" \
+                    # EMBED 2 + 3 (v7.33.0). This is a 3-reviewer council
+                    # subcall. $prompt_text is fully self-contained (built above
+                    # into $review_prompt_file with the diff, changed files,
+                    # checks, and strict VERDICT/FINDINGS output format), output
+                    # is captured to $review_output, and it deliberately does NOT
+                    # pass --model or go through buildAutoFlags. So:
+                    #   EMBED 2 (--bare): the prompt needs no hooks/LSP/CLAUDE.md/
+                    #     MCP discovery, so --bare is safe and cheaper. Opt out
+                    #     LOKI_BARE_SUBCALLS=0.
+                    #   EMBED 3 (--disallowedTools): raise the cost of a reviewer
+                    #     casually mutating the tree (a parallel agent once ran
+                    #     `git reset --hard` and wiped uncommitted work). Deny
+                    #     Edit/Write/NotebookEdit + git mutation forms (incl. the
+                    #     git -C / --git-dir evasions); read-only git stays allowed.
+                    #     Guardrail, not a sandbox -- echo>/sed -i/etc. remain; the
+                    #     real net is commit-before-agent-wave. Opt out
+                    #     LOKI_REVIEW_TOOL_GUARD=0. See loki_review_guard_denylist.
+                    local _rv_argv=("--dangerously-skip-permissions")
+                    if type loki_subcall_bare_enabled >/dev/null 2>&1 && loki_subcall_bare_enabled; then
+                        _rv_argv+=("--bare")
+                    fi
+                    if type loki_review_guard_enabled >/dev/null 2>&1 && loki_review_guard_enabled; then
+                        _rv_argv+=("--disallowedTools" "$(loki_review_guard_denylist)")
+                    fi
+                    claude "${_rv_argv[@]}" -p "$prompt_text" \
                         --output-format text > "$review_output" 2>/dev/null
                     ;;
                 codex)
@@ -8016,7 +8051,25 @@ ADVERSARIAL_EOF
     case "${PROVIDER_NAME:-claude}" in
         claude)
             if command -v claude &>/dev/null; then
-                claude --dangerously-skip-permissions -p "$adversarial_prompt" \
+                # EMBED 2 + 3 (v7.33.0). Adversarial probe subcall.
+                # $adversarial_prompt is fully self-contained (instructions +
+                # changed files + diff inlined via the heredoc above) and output
+                # is captured to $result_file. So:
+                #   EMBED 2 (--bare): no hooks/LSP/CLAUDE.md/MCP needed; cheaper.
+                #     Opt out LOKI_BARE_SUBCALLS=0.
+                #   EMBED 3 (--disallowedTools): keep an adversarial agent from
+                #     casually mutating the tree. Deny Edit/Write/NotebookEdit +
+                #     git mutation forms (incl. git -C / --git-dir evasions);
+                #     read-only git stays allowed. Guardrail, not a sandbox.
+                #     Opt out LOKI_REVIEW_TOOL_GUARD=0.
+                local _adv_argv=("--dangerously-skip-permissions")
+                if type loki_subcall_bare_enabled >/dev/null 2>&1 && loki_subcall_bare_enabled; then
+                    _adv_argv+=("--bare")
+                fi
+                if type loki_review_guard_enabled >/dev/null 2>&1 && loki_review_guard_enabled; then
+                    _adv_argv+=("--disallowedTools" "$(loki_review_guard_denylist)")
+                fi
+                claude "${_adv_argv[@]}" -p "$adversarial_prompt" \
                     --output-format text > "$result_file" 2>/dev/null || true
             fi
             ;;
@@ -10041,9 +10094,21 @@ ${_commits}"
 
     # Use haiku for cheap, fast generation. --dangerously-skip-permissions
     # because this is a one-shot non-interactive call.
+    # EMBED 2 (v7.33.0): --bare on this cheap NON-MAIN haiku subcall. The
+    # USAGE.md-regen prompt ($_ic_prompt, piped via -p -) is fully self-contained
+    # (project tree + manifests + entrypoint contents + commits inlined) and the
+    # output is captured, not written by the agent. No hooks/LSP/CLAUDE.md/MCP
+    # needed, so --bare is safe and cheaper. Opt out LOKI_BARE_SUBCALLS=0.
+    # Always at least --dangerously-skip-permissions, so the array is never
+    # empty (empty "${arr[@]}" under set -u errors on bash 3.2, stock macOS).
+    local _ic_argv=("--dangerously-skip-permissions")
+    if type loki_subcall_bare_enabled >/dev/null 2>&1 && loki_subcall_bare_enabled; then
+        _ic_argv+=("--bare")
+    fi
+    _ic_argv+=("--model" "haiku")
     local _ic_out
     _ic_out=$(printf '%s' "$_ic_prompt" \
-        | timeout 60 claude --dangerously-skip-permissions --model haiku -p - 2>/dev/null \
+        | timeout 60 claude "${_ic_argv[@]}" -p - 2>/dev/null \
         | head -200)
     # Sanity check: response must look like Markdown (starts with # or ##).
     if [ -z "$_ic_out" ] || ! printf '%s' "$_ic_out" | head -1 | grep -qE '^#'; then
@@ -12259,6 +12324,26 @@ except Exception:
         LOKI_TRUST_RUN_ID="$(_loki_trust_run_id --new)"
         export LOKI_TRUST_RUN_ID
         record_trust_event_bash "run_start" "start_sha=${_LOKI_RUN_START_SHA:-}" 2>/dev/null || true
+
+        # v7.34.0 Phase 1 (correlation-only): write a deterministic claude
+        # session UUID derived from the trust-run-id to .loki/state/claude-session.json.
+        # mode is "stamp" (Phase 1); Phase 2 continuity is a separate, opt-in arc.
+        # Best-effort: the helper is in scope via providers/claude.sh sourcing
+        # claude-flags.sh; if absent (e.g. non-claude provider, no python3) we
+        # skip silently and never fail the run. The dashboard reads this file to
+        # surface it for correlating the run with its Claude session JSONL.
+        if type _loki_claude_session_uuid >/dev/null 2>&1; then
+            local _loki_session_uuid
+            _loki_session_uuid="$(_loki_claude_session_uuid "$LOKI_TRUST_RUN_ID")"
+            if [ -n "$_loki_session_uuid" ]; then
+                local _loki_session_created
+                _loki_session_created="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
+                mkdir -p ".loki/state" 2>/dev/null || true
+                printf '{"run_id":"%s","claude_session_uuid":"%s","mode":"stamp","created_at":"%s"}\n' \
+                    "$LOKI_TRUST_RUN_ID" "$_loki_session_uuid" "$_loki_session_created" \
+                    > ".loki/state/claude-session.json" 2>/dev/null || true
+            fi
+        fi
     fi
 
     # Notify dashboard of active project directory (for AI Chat cross-directory usage)
@@ -12654,6 +12739,20 @@ except Exception as exc:
            && loki_claude_flag_supported "--include-partial-messages"; then
             _loki_claude_argv+=("--include-partial-messages")
         fi
+        # v7.34.0 Phase 1 (correlation-only): per-iteration --session-id. OPT-IN
+        # via LOKI_SESSION_STAMP=1 (CONSERVATIVE DEFAULT is OFF so the default
+        # argv stays byte-identical to v7.33 -- the UX-monotonicity requirement).
+        # The id is a DISTINCT, deterministic UUIDv5 of "<run-id>:<iteration>",
+        # never one pinned id across the run: a reused id would make claude RESUME
+        # and accumulate transcript (Phase 2 continuity, out of scope). This keeps
+        # each iteration a fresh stateless session while making its ~/.claude
+        # JSONL name predictable for dashboard correlation. Gated on CLI support.
+        if type loki_session_stamp_enabled >/dev/null 2>&1 \
+           && loki_session_stamp_enabled; then
+            local _loki_iter_session_uuid
+            _loki_iter_session_uuid="$(_loki_claude_iteration_session_uuid "${LOKI_TRUST_RUN_ID:-}" "$ITERATION_COUNT")"
+            [ -n "$_loki_iter_session_uuid" ] && _loki_claude_argv+=("--session-id" "$_loki_iter_session_uuid")
+        fi
         # ---- Bash<->Bun invocation-flag convergence ledger (v7.25.0) ----------
         # The fixture corpus covers build_prompt/stats output, NOT this claude
         # argv, so drift here is invisible to parity tests. Keep this ledger
@@ -12664,8 +12763,13 @@ except Exception as exc:
         # today.
         # Bash argv (canonical, live): --dangerously-skip-permissions --model M
         #   [--append-system-prompt] [--setting-sources] [--include-partial-messages]
+        #   [--session-id UUID (only when LOKI_SESSION_STAMP=1, v7.34.0)]
         #   [--effort] [--max-budget-usd] [--fallback-model] -p PROMPT
         #   --output-format stream-json --verbose
+        # v7.34.0: --session-id is emitted ONLY on this MAIN loop, only under
+        #   LOKI_SESSION_STAMP=1, as a per-iteration distinct UUIDv5; the DEFAULT
+        #   argv (knob unset) is byte-identical to v7.33. Bun mirror lives in
+        #   loki-ts/src/runner/providers.ts (sessionStampArgv).
         # Bun buildAutoFlags also emits: --exclude-dynamic-system-prompt-sections
         #   (cost-only), --mcp-config (bash gets MCP via --setting-sources +
         #   .mcp.json discovery; a how-difference, likely behavior-equivalent),

package/dashboard/__init__.py

@@ -7,7 +7,7 @@ Modules:
     control: Session control API (start/stop/pause/resume)
 """
 
-__version__ = "7.32.3"
+__version__ = "7.34.0"
 
 # Expose the control app for easy import
 try:

package/dashboard/server.py

@@ -387,6 +387,11 @@ class StatusResponse(BaseModel):
     mode: str = ""
     provider: str = "claude"
     current_task: str = ""
+    # v7.34.0 Phase 1: the deterministic per-run Claude session UUID derived from
+    # the trust-run-id (read from .loki/state/claude-session.json). Surfaced so a
+    # user can correlate the run with its Claude session JSONL (in ~/.claude/projects). Empty when
+    # the run predates this field or no claude session was stamped.
+    claude_session_id: str = ""
     # Concurrent sessions (v6.4.0)
     sessions: list[SessionInfo] = []
 
@@ -954,6 +959,26 @@ async def get_status() -> StatusResponse:
     pending_tasks = 0
     running_agents = 0
 
+    # v7.34.0 Phase 1: the deterministic per-run Claude session UUID, written at
+    # run-start by run.sh (correlation-only). Best-effort read; empty when the
+    # file is absent (run predates the field, or a non-claude provider).
+    claude_session_id = ""
+    claude_session_file = loki_dir / "state" / "claude-session.json"
+    if claude_session_file.exists():
+        try:
+            _cs = _safe_json_read(claude_session_file, {})
+            # Guard against a syntactically-valid non-object JSON (array, string,
+            # number) that would make .get() raise AttributeError, AND a
+            # non-string VALUE that would fail StatusResponse's str validation
+            # (both -> 500). The normal writer (run.sh) always emits an object
+            # with a string uuid, so this only triggers on external file
+            # corruption, but /api/status must never 500 on it.
+            if isinstance(_cs, dict):
+                _v = _cs.get("claude_session_uuid", "")
+                claude_session_id = _v if isinstance(_v, str) else ""
+        except (json.JSONDecodeError, OSError, KeyError, AttributeError):
+            pass
+
     # Read dashboard state (with retry for concurrent writes)
     _has_dashboard_state = False
     if state_file.exists():
@@ -1206,6 +1231,7 @@ async def get_status() -> StatusResponse:
         mode=mode,
         provider=provider,
         current_task=current_task,
+        claude_session_id=claude_session_id,
         sessions=active_session_list,
     )
 

package/docs/INSTALLATION.md

@@ -2,7 +2,7 @@
 
 The flagship product of [Autonomi](https://www.autonomi.dev/). Loki Mode is a spec-driven autonomous builder with a built-in trust layer that takes any spec to a deployed product and verifies completion with evidence (quality gates plus a completion council), not just a "done" claim. Complete installation instructions for all platforms and use cases.
 
-**Version:** v7.32.3
+**Version:** v7.34.0
 
 ---
 
@@ -534,7 +534,7 @@ Loki Mode uses two network ports for different services:
 LOKI_DASHBOARD_PORT=57374 loki dashboard start
 
 # API port (default: 57374)
-loki serve --port 57374
+loki api start --port 57374   # was: loki serve
 ```
 
 ### CORS Configuration

package/loki-ts/dist/loki.js

@@ -1,5 +1,5 @@
 // @bun
-var n6=Object.defineProperty;var a6=($)=>$;function s6($,Q){this[$]=a6.bind(null,Q)}var h=($,Q)=>{for(var Z in Q)n6($,Z,{get:Q[Z],enumerable:!0,configurable:!0,set:s6.bind(Q,Z)})};var L=($,Q)=>()=>($&&(Q=$($=0)),Q);var K$=import.meta.require;var S1={};h(S1,{lokiDir:()=>P,homeLokiDir:()=>o$,findRepoRootForVersion:()=>d$,REPO_ROOT:()=>m});import{resolve as n,dirname as l$}from"path";import{fileURLToPath as t6}from"url";import{existsSync as P$}from"fs";import{homedir as r6}from"os";function i6(){let $=N1;for(let Q=0;Q<6;Q++){if(P$(n($,"VERSION"))&&P$(n($,"autonomy/run.sh")))return $;let Z=l$($);if(Z===$)break;$=Z}return n(N1,"..","..","..")}function d$($){let Q=$;for(let Z=0;Z<6;Z++){if(P$(n(Q,"VERSION"))&&P$(n(Q,"autonomy/run.sh")))return Q;let z=l$(Q);if(z===Q)break;Q=z}return n($,"..","..","..")}function P(){return process.env.LOKI_DIR??n(process.cwd(),".loki")}function o$(){return n(r6(),".loki")}var N1,m;var C=L(()=>{N1=l$(t6(import.meta.url));m=i6()});import{readFileSync as e6}from"fs";import{resolve as $Q,dirname as QQ}from"path";import{fileURLToPath as ZQ}from"url";function F$(){if($$!==null)return $$;let $="7.32.3";if(typeof $==="string"&&$.length>0)return $$=$,$$;try{let Q=QQ(ZQ(import.meta.url)),Z=d$(Q);$$=e6($Q(Z,"VERSION"),"utf-8").trim()}catch{$$="unknown"}return $$}var $$=null;var n$=L(()=>{C()});var C1={};h(C1,{runOrThrow:()=>zQ,run:()=>j,commandVersion:()=>KQ,commandExists:()=>f,ShellError:()=>a$});async function j($,Q={}){let Z=Bun.spawn({cmd:[...$],stdout:"pipe",stderr:"pipe",env:Q.env?{...process.env,...Q.env}:process.env,cwd:Q.cwd}),z,X;if(Q.timeoutMs&&Q.timeoutMs>0)z=setTimeout(()=>{try{Z.kill("SIGTERM")}catch{}X=setTimeout(()=>{try{Z.kill("SIGKILL")}catch{}},2000)},Q.timeoutMs);try{let[W,K,U]=await Promise.all([new Response(Z.stdout).text(),new Response(Z.stderr).text(),Z.exited]);return{stdout:W,stderr:K,exitCode:U}}finally{if(z)clearTimeout(z);if(X)clearTimeout(X)}}async function zQ($,Q={}){let Z=await j($,Q);if(Z.exitCode!==0)throw new a$(`command failed (${Z.exitCode}): ${$.join(" ")}`,Z.exitCode,Z.stdout,Z.stderr);return Z}async function f($){let Q=XQ($),Z=await j(["sh","-c",`command -v ${Q}`],{timeoutMs:5000});if(Z.exitCode===0)return Z.stdout.trim()||null;return null}function XQ($){if(!/^[A-Za-z0-9._/-]+$/.test($))throw Error(`refused to shell-escape suspect token: ${$}`);return $}async function KQ($,Q="--version"){if(!await f($))return null;let z=await j([$,Q],{timeoutMs:5000});if(z.exitCode!==0)return null;return((z.stdout||z.stderr).split(/\r?\n/)[0]?.trim()??"")||null}var a$;var d=L(()=>{a$=class a$ extends Error{message;exitCode;stdout;stderr;constructor($,Q,Z,z){super($);this.message=$;this.exitCode=Q;this.stdout=Z;this.stderr=z;this.name="ShellError"}}});function a($){return WQ?"":$}var WQ,T,S,I,TZ,w,R,y,q;var c=L(()=>{WQ=(process.env.NO_COLOR??"").length>0;T=a("\x1B[0;31m"),S=a("\x1B[0;32m"),I=a("\x1B[1;33m"),TZ=a("\x1B[0;34m"),w=a("\x1B[0;36m"),R=a("\x1B[1m"),y=a("\x1B[2m"),q=a("\x1B[0m")});import{existsSync as TQ}from"fs";async function Q$(){if(B$!==void 0)return B$;let $="/opt/homebrew/bin/python3.12";if(TQ($))return B$=$,$;let Q=await f("python3.12");if(Q)return B$=Q,Q;let Z=await f("python3");return B$=Z,Z}async function Z$($,Q={}){let Z=await Q$();if(!Z)return{stdout:"",stderr:"python3 not found",exitCode:127};return j([Z,"-c",$],Q)}var B$;var W$=L(()=>{d()});var t1={};h(t1,{runStatus:()=>gQ});import{existsSync as v,readFileSync as U$,readdirSync as l1,statSync as d1}from"fs";import{resolve as D,basename as xQ}from"path";import{homedir as NQ}from"os";async function DQ(){if(await f("jq"))return!0;return process.stdout.write(`${T}Error: jq is required but not installed.${q}
+var n6=Object.defineProperty;var a6=($)=>$;function s6($,Q){this[$]=a6.bind(null,Q)}var h=($,Q)=>{for(var Z in Q)n6($,Z,{get:Q[Z],enumerable:!0,configurable:!0,set:s6.bind(Q,Z)})};var L=($,Q)=>()=>($&&(Q=$($=0)),Q);var K$=import.meta.require;var S1={};h(S1,{lokiDir:()=>P,homeLokiDir:()=>o$,findRepoRootForVersion:()=>d$,REPO_ROOT:()=>m});import{resolve as n,dirname as l$}from"path";import{fileURLToPath as t6}from"url";import{existsSync as P$}from"fs";import{homedir as r6}from"os";function i6(){let $=N1;for(let Q=0;Q<6;Q++){if(P$(n($,"VERSION"))&&P$(n($,"autonomy/run.sh")))return $;let Z=l$($);if(Z===$)break;$=Z}return n(N1,"..","..","..")}function d$($){let Q=$;for(let Z=0;Z<6;Z++){if(P$(n(Q,"VERSION"))&&P$(n(Q,"autonomy/run.sh")))return Q;let z=l$(Q);if(z===Q)break;Q=z}return n($,"..","..","..")}function P(){return process.env.LOKI_DIR??n(process.cwd(),".loki")}function o$(){return n(r6(),".loki")}var N1,m;var C=L(()=>{N1=l$(t6(import.meta.url));m=i6()});import{readFileSync as e6}from"fs";import{resolve as $Q,dirname as QQ}from"path";import{fileURLToPath as ZQ}from"url";function F$(){if($$!==null)return $$;let $="7.34.0";if(typeof $==="string"&&$.length>0)return $$=$,$$;try{let Q=QQ(ZQ(import.meta.url)),Z=d$(Q);$$=e6($Q(Z,"VERSION"),"utf-8").trim()}catch{$$="unknown"}return $$}var $$=null;var n$=L(()=>{C()});var C1={};h(C1,{runOrThrow:()=>zQ,run:()=>j,commandVersion:()=>KQ,commandExists:()=>f,ShellError:()=>a$});async function j($,Q={}){let Z=Bun.spawn({cmd:[...$],stdout:"pipe",stderr:"pipe",env:Q.env?{...process.env,...Q.env}:process.env,cwd:Q.cwd}),z,X;if(Q.timeoutMs&&Q.timeoutMs>0)z=setTimeout(()=>{try{Z.kill("SIGTERM")}catch{}X=setTimeout(()=>{try{Z.kill("SIGKILL")}catch{}},2000)},Q.timeoutMs);try{let[W,K,U]=await Promise.all([new Response(Z.stdout).text(),new Response(Z.stderr).text(),Z.exited]);return{stdout:W,stderr:K,exitCode:U}}finally{if(z)clearTimeout(z);if(X)clearTimeout(X)}}async function zQ($,Q={}){let Z=await j($,Q);if(Z.exitCode!==0)throw new a$(`command failed (${Z.exitCode}): ${$.join(" ")}`,Z.exitCode,Z.stdout,Z.stderr);return Z}async function f($){let Q=XQ($),Z=await j(["sh","-c",`command -v ${Q}`],{timeoutMs:5000});if(Z.exitCode===0)return Z.stdout.trim()||null;return null}function XQ($){if(!/^[A-Za-z0-9._/-]+$/.test($))throw Error(`refused to shell-escape suspect token: ${$}`);return $}async function KQ($,Q="--version"){if(!await f($))return null;let z=await j([$,Q],{timeoutMs:5000});if(z.exitCode!==0)return null;return((z.stdout||z.stderr).split(/\r?\n/)[0]?.trim()??"")||null}var a$;var d=L(()=>{a$=class a$ extends Error{message;exitCode;stdout;stderr;constructor($,Q,Z,z){super($);this.message=$;this.exitCode=Q;this.stdout=Z;this.stderr=z;this.name="ShellError"}}});function a($){return WQ?"":$}var WQ,T,S,I,TZ,w,R,y,q;var c=L(()=>{WQ=(process.env.NO_COLOR??"").length>0;T=a("\x1B[0;31m"),S=a("\x1B[0;32m"),I=a("\x1B[1;33m"),TZ=a("\x1B[0;34m"),w=a("\x1B[0;36m"),R=a("\x1B[1m"),y=a("\x1B[2m"),q=a("\x1B[0m")});import{existsSync as TQ}from"fs";async function Q$(){if(B$!==void 0)return B$;let $="/opt/homebrew/bin/python3.12";if(TQ($))return B$=$,$;let Q=await f("python3.12");if(Q)return B$=Q,Q;let Z=await f("python3");return B$=Z,Z}async function Z$($,Q={}){let Z=await Q$();if(!Z)return{stdout:"",stderr:"python3 not found",exitCode:127};return j([Z,"-c",$],Q)}var B$;var W$=L(()=>{d()});var t1={};h(t1,{runStatus:()=>gQ});import{existsSync as v,readFileSync as U$,readdirSync as l1,statSync as d1}from"fs";import{resolve as D,basename as xQ}from"path";import{homedir as NQ}from"os";async function DQ(){if(await f("jq"))return!0;return process.stdout.write(`${T}Error: jq is required but not installed.${q}
 `),process.stdout.write(`Install with:
 `),process.stdout.write(`  brew install jq    (macOS)
 `),process.stdout.write(`  apt install jq     (Debian/Ubuntu)
@@ -42,8 +42,8 @@ var n6=Object.defineProperty;var a6=($)=>$;function s6($,Q){this[$]=a6.bind(null
 `)}let J=D($,"state","context-usage.json");if(v(J)){let B=a1(J,"window_size",200000),O=a1(J,"used_tokens",0),M=0;if(B>0)M=Math.floor(O*100/B);process.stdout.write(`${w}Context:${q} ${M}% (${O} / ${B} tokens)
 `)}let G=[D($,"dashboard","dashboard.pid"),D(NQ(),".loki","dashboard","dashboard.pid")].find((B)=>v(B))??"";if(G&&v(G)){let B=R$(G);if(B!==null&&k$(B)){let O=D(G,".."),M=(_,k)=>{let u=D(O,_);try{return v(u)?U$(u,"utf-8").trim()||k:k}catch{return k}},x=M("scheme","http"),N=M("host","127.0.0.1"),b=M("port",process.env.LOKI_DASHBOARD_PORT||"57374");if(N==="0.0.0.0")N="127.0.0.1";process.stdout.write(`${w}Dashboard:${q} ${x}://${N}:${b}/
 `)}}return await hQ($),process.stdout.write(`
-`),process.stdout.write(`${y}  Tip: loki context show   - detailed token breakdown${q}
-`),process.stdout.write(`${y}  Tip: loki code overview   - codebase intelligence${q}
+`),process.stdout.write(`${y}  Tip: loki analyze context show   - detailed token breakdown${q}
+`),process.stdout.write(`${y}  Tip: loki analyze code overview  - codebase intelligence${q}
 `),0}async function hQ($){let Q=D($,"state"),Z=yQ(Q),z=D(Q,"relevant-learnings.json"),X=D($,"escalations"),W=Z.length>0,K=v(z),U=v(X);if(!W&&!K&&!U)return;if(process.stdout.write(`
 ${w}Phase 1 artifacts:${q}
 `),W){let V=Z[Z.length-1],H=s1(V);if(H&&Array.isArray(H.findings)){let J={Critical:0,High:0,Medium:0,Low:0};for(let G of H.findings){let B=String(G.severity??"");if(B in J)J[B]=(J[B]??0)+1}let Y=Object.entries(J).filter(([,G])=>G>0).map(([G,B])=>`${B} ${G.toLowerCase()}`).join(", ");process.stdout.write(`  Findings (iter ${H.iteration??"?"}): ${Y||"none"} -- ${H.findings.length} total
@@ -789,4 +789,4 @@ Set LOKI_LEGACY_BASH=1 to force the bash CLI for every command.
 `),2}default:return process.stderr.write(`Unknown command: ${Q}
 `),process.stderr.write(o6),2}}p1();process.on("SIGINT",()=>process.exit(130));process.on("SIGTERM",()=>process.exit(143));var ZZ=await QZ(Bun.argv.slice(2));process.exit(ZZ);
 
-//# debugId=E69BF9B144A89A3864756E2164756E21
+//# debugId=C89D42E5B326555264756E2164756E21

package/mcp/__init__.py

@@ -57,4 +57,4 @@ try:
 except ImportError:
     __all__ = ['mcp']
 
-__version__ = '7.32.3'
+__version__ = '7.34.0'

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "loki-mode",
   "mcpName": "io.github.asklokesh/loki-mode",
-  "version": "7.32.3",
+  "version": "7.34.0",
   "description": "Loki Mode by Autonomi. Autonomous spec-to-product system: takes a PRD, GitHub issue, OpenAPI/JSON/YAML, or one-line brief to a deployed app via the RARV-C closure loop with 11 quality gates. Provider-agnostic (Claude Code, OpenAI Codex, Cline, Aider).",
   "keywords": [
     "agent",

package/providers/claude.sh

@@ -190,6 +190,20 @@ _loki_build_claude_auto_flags() {
             for _mcp_path in $_mcp_argv; do
                 _LOKI_CLAUDE_AUTO_FLAGS+=("$_mcp_path")
             done
+            # EMBED 1 (v7.33.0): --strict-mcp-config. ONLY emitted alongside an
+            # actual --mcp-config bundle (never bare). Per `claude --help` it
+            # makes the agent load servers ONLY from --mcp-config, ignoring ALL
+            # other MCP sources (auto-discovered project .mcp.json AND any
+            # settings-injected configs). Note the bundle already includes the
+            # user's ~/.claude/mcp.json overlay explicitly, so the common
+            # user-MCP case is preserved; what is dropped is any MCP config not
+            # in the explicit bundle, making the run reproducible.
+            # Default-ON; opt out with LOKI_STRICT_MCP=0. Gated on CLI support so
+            # an older claude degrades gracefully.
+            if [ "${LOKI_STRICT_MCP:-1}" != "0" ] \
+               && loki_claude_flag_supported "--strict-mcp-config"; then
+                _LOKI_CLAUDE_AUTO_FLAGS+=("--strict-mcp-config")
+            fi
         fi
     fi
 
@@ -233,6 +247,17 @@ _loki_build_claude_auto_flags() {
        && loki_claude_flag_supported "--include-partial-messages"; then
         _LOKI_CLAUDE_AUTO_FLAGS+=("--include-partial-messages")
     fi
+
+    # --no-session-persistence (v7.34.0): boolean flag that disables Claude's
+    # own session persistence (it would otherwise write transcript JSONL under
+    # ~/.claude/projects). OPT-IN only via LOKI_NO_SESSION_PERSIST=1; DEFAULT OFF
+    # so this is zero behavior change (the flag is never emitted unless the user
+    # asks for it). Useful for ephemeral/CI runs that do not want on-disk
+    # transcripts. Gated on CLI support so an older claude degrades gracefully.
+    if [ "${LOKI_NO_SESSION_PERSIST:-0}" = "1" ] \
+       && loki_claude_flag_supported "--no-session-persistence"; then
+        _LOKI_CLAUDE_AUTO_FLAGS+=("--no-session-persistence")
+    fi
 }
 
 # The system-prompt text that authorizes autonomous operation and resolves