loki-mode 7.35.0 → 7.36.0

package/LICENSE

@@ -1,5 +1,3 @@
-SPDX-License-Identifier: BUSL-1.1
-
 Business Source License 1.1
 
 Parameters
@@ -12,40 +10,13 @@ Licensed Work:        Loki Mode and all associated components, including but not
                       rebranded or successor versions of this software.
                       The Licensed Work is (c) 2024-2026 Autonomi, Inc.
                       All rights reserved.
-Additional Use Grant: You may make production use of the Licensed Work, provided
-                      that such use does not include offering the Licensed Work,
-                      or any derivative work or adaptation of it, to third parties
-                      as a commercial product, hosted service, managed service, or
-                      embedded component of a commercial offering that competes
-                      with any product or service provided by the Licensor.
-
-                      For purposes of this license, "compete" means offering a
-                      product or service that provides substantially the same or
-                      similar functionality as the Licensed Work to third parties,
-                      whether for a fee or free of charge, including but not
-                      limited to:
-                      (a) multi-agent AI development orchestration platforms or
-                          frameworks;
-                      (b) autonomous software development products or services;
-                      (c) AI-powered code generation, review, or deployment
-                          services that incorporate or replicate the Licensed
-                          Work's orchestration, review, verification, or agent
-                          coordination systems; or
-                      (d) products or services that substantially replicate the
-                          Licensed Work's core architectural patterns, including
-                          the RARV (Reason-Act-Reflect-Verify) cycle, Completion
-                          Council peer review system, or multi-agent swarm
-                          coordination model.
-
-                      The following uses are permitted without a commercial license:
-                      (i)   individual and non-commercial use;
-                      (ii)  internal business use where the Licensed Work is used
-                            as a tool and is not itself the product or service
-                            being offered to third parties;
-                      (iii) academic, educational, and research use;
-                      (iv)  evaluation and testing in non-production environments;
-                      (v)   contributions back to the Licensed Work under a signed
-                            Contributor License Agreement.
+Additional Use Grant: You may make production use of the Licensed Work for
+                      individual, non-commercial, internal-business (as a tool,
+                      not as a product offered to third parties), academic, and
+                      evaluation purposes, subject to the full scope, the
+                      definition of "compete," and the Intellectual Property and
+                      Contributions terms set out in COMMERCIAL-TERMS.md, which is
+                      incorporated into this Additional Use Grant by reference.
 
 Change Date:          March 19, 2030
 Change License:       Apache License, Version 2.0
@@ -53,25 +24,8 @@ Change License:       Apache License, Version 2.0
 For information about alternative licensing arrangements for the Licensed Work,
 please contact: founder@autonomi.dev
 
-Intellectual Property Notice
-
-The Licensed Work embodies proprietary methodologies, architectural patterns,
-and research developed by the Licensor. These include, without limitation, the
-RARV execution cycle, the Completion Council consensus-based review system,
-context persistence mechanisms for long-running autonomous sessions, multi-
-provider orchestration protocols, and swarm-based agent coordination models.
-Use of these methodologies, whether through the Licensed Work's code or through
-independent reimplementation based on the Licensed Work's documentation or
-published research, is subject to the terms of this License.
-
-Contributions
-
-External contributions to the Licensed Work are accepted only under a signed
-Contributor License Agreement (CLA) that assigns sufficient rights to the
-Licensor to sublicense, relicense, and commercially distribute the contribution
-as part of the Licensed Work. Contributing code to the Licensed Work without a
-signed CLA does not grant the Licensor any rights to the contribution, and such
-contributions may be removed.
+The Intellectual Property Notice and Contributions (CLA) terms that supplement
+this License are set out in COMMERCIAL-TERMS.md.
 
 Notice
 

package/README.md

@@ -4,11 +4,12 @@
 
 ### The spec-driven autonomous builder with verified completion.
 
+_The free, source-available autonomous coding agent by [Autonomi](https://www.autonomi.dev/). Same Loki CLI, SDK, and MCP for everyone; the commercial editions for teams and enterprises are sold under the **Autonomi** brand (Autonomi Cloud, Autonomi Enterprise)._
+
 **Hand it a spec. It does not accept "done" on an empty diff or failing tests.**
 
 [![npm version](https://img.shields.io/npm/v/loki-mode?style=for-the-badge&logo=npm&logoColor=white&color=553DE9)](https://www.npmjs.com/package/loki-mode)
 [![npm downloads](https://img.shields.io/npm/dt/loki-mode?style=for-the-badge&logo=npm&logoColor=white&color=1FC5A8&label=downloads)](https://www.npmjs.com/package/loki-mode)
-[![GitHub stars](https://badgen.net/github/stars/asklokesh/loki-mode?label=Stars&color=553DE9&icon=github)](https://github.com/asklokesh/loki-mode/stargazers)
 [![Docker Pulls](https://img.shields.io/docker/pulls/asklokesh/loki-mode?style=for-the-badge&logo=docker&logoColor=white&color=2F71E3)](https://hub.docker.com/r/asklokesh/loki-mode)
 [![License](https://img.shields.io/badge/License-BUSL--1.1-36342E?style=for-the-badge)](LICENSE)
 
@@ -289,7 +290,7 @@ TLS, OIDC/SSO, RBAC, OTEL tracing, policy engine, audit trails. Activated via en
 
 ## Purple Lab
 
-The hosted development platform. A Replit-like web UI for visual PRD-to-code workflow with AI chat for iterative development.
+The hosted development platform. A Replit-like web UI for visual PRD-to-code workflow, with the Loki agent for iterative development. The same software is free and source-available as the local Loki Mode dashboard; offered managed to teams and enterprises under the **Autonomi** brand (Autonomi Cloud).
 
 ```bash
 loki web                           # launches at http://localhost:57375

package/SKILL.md

@@ -3,7 +3,7 @@ name: loki-mode
 description: Autonomous spec-driven build system with a built-in trust layer. It does not call work done until it is verified (RARV-C closure loop, 11 quality gates, completion council, verified-completion evidence gate). Triggers on "Loki Mode". Takes a spec (PRD, GitHub issue, OpenAPI doc, etc.) to deployed product with minimal human intervention. Provider-agnostic. Requires --dangerously-skip-permissions flag.
 ---
 
-# Loki Mode v7.35.0
+# Loki Mode v7.36.0
 
 **You are an autonomous agent. You make decisions. You do not ask questions. You do not stop.**
 
@@ -398,4 +398,4 @@ See `CHANGELOG.md` entries [7.5.7], [7.5.8], [7.5.13] for the per-fix list and r
 
 ---
 
-**v7.35.0 | [Autonomi](https://www.autonomi.dev/) flagship product | ~260 lines core**
+**v7.36.0 | [Autonomi](https://www.autonomi.dev/) flagship product | ~260 lines core**

package/VERSION

@@ -1 +1 @@
-7.35.0
+7.36.0

package/autonomy/lib/claude-flags.sh

@@ -227,6 +227,61 @@ loki_review_guard_denylist() {
     printf '%s' "Edit,Write,NotebookEdit,Bash(git commit:*),Bash(git reset:*),Bash(git push:*),Bash(git checkout:*),Bash(git clean:*),Bash(git rm:*),Bash(git stash:*),Bash(git -C:*),Bash(git --git-dir:*),Bash(git -c:*)"
 }
 
+# EMBED 3b (v7.35.0, GitHub #167) -- --allowedTools POSITIVE ALLOWLIST for the
+# reviewer / adversarial / council subcalls. Complements the v7.33 denylist with
+# a least-privilege grant: the value lists ONLY the read/inspect tools a voter
+# needs (Read, Grep, Glob, read-only git, and a small set of read-only shell
+# commands). Per `claude --help` and the official permission docs
+# (https://code.claude.com/docs/en/cli-reference,
+#  https://code.claude.com/docs/en/permissions) --allowedTools entries are
+# permission ALLOW rules ("tools that execute without prompting"), using the same
+# Tool / Tool(specifier) / Bash(cmd:*) prefix syntax as --disallowedTools.
+#
+# PRECEDENCE (proven empirically + documented): the docs state rules are
+# "evaluated in order: deny, then ask, then allow ... the first match in that
+# order determines the outcome", and "if a tool is denied at any level, no other
+# level can allow it." Verified live against claude 2.1.177 on 2026-06-13 with a
+# clean minimal env (temp git dir, --strict-mcp-config --mcp-config
+# '{"mcpServers":{}}', --advisor opus to dodge the Fable-pinned default advisor
+# tool, --tools "Bash,Read"):
+#   - allow-only  Bash(git status:*)                -> PERMITTED  (control)
+#   - deny-only   Bash(git status:*)                -> BLOCKED    (control)
+#   - allow + deny BOTH on Bash(git status:*)       -> BLOCKED    (deny wins)
+#   - allow + deny BOTH, under --dangerously-skip-permissions -> BLOCKED
+# So DENY PRECEDENCE holds even in bypassPermissions mode (the mode every council
+# subcall uses). This is the SAFE outcome: the allowlist and the denylist can be
+# emitted TOGETHER. The denylist still blocks every mutation form even though the
+# allowlist names read-only git; the allowlist additionally narrows the surface
+# to least-privilege. They are NOT mutually exclusive; we ship both.
+#
+# This is a GUARDRAIL, not a sandbox (same caveat as the denylist): --allowedTools
+# governs whether a tool runs WITHOUT A PROMPT, and these subcalls already run
+# under --dangerously-skip-permissions, so the practical effect is to restrict the
+# in-context tool surface to the allowlisted set while the denylist hard-blocks
+# the dangerous forms. echo>/sed -i/python -c style writes are not enumerable and
+# remain possible; the real net is commit-before-agent-wave (see CLAUDE.md).
+#
+# DEFAULT OFF (opt-in LOKI_REVIEW_ALLOWLIST=1) so the default argv on BOTH routes
+# stays byte-identical to v7.34. Gated on CLI support so an older claude degrades
+# gracefully (emits nothing). Predicate + token so call sites append uniformly:
+#   if loki_review_allowlist_enabled; then
+#       argv+=("--allowedTools" "$(loki_review_allowlist)")
+#   fi
+loki_review_allowlist_enabled() {
+    [ "${LOKI_REVIEW_ALLOWLIST:-0}" = "1" ] || return 1
+    loki_claude_flag_supported "--allowedTools"
+}
+loki_review_allowlist() {
+    # Comma-separated single token (the flag is variadic; one token keeps the
+    # following -p prompt from being swallowed as additional tool names). Grants
+    # ONLY read/inspect tools: the file-read tools (Read/Grep/Glob), read-only
+    # git (diff/log/show/status/ls-files/rev-parse/blame), and a small set of
+    # read-only shell commands a reviewer uses to inspect the tree. No Edit,
+    # Write, NotebookEdit, or any mutation form. Kept BYTE-IDENTICAL to
+    # REVIEW_ALLOWLIST_TOKEN in loki-ts/src/providers/claude_flags.ts.
+    printf '%s' "Read,Grep,Glob,Bash(git diff:*),Bash(git log:*),Bash(git show:*),Bash(git status:*),Bash(git ls-files:*),Bash(git rev-parse:*),Bash(git blame:*),Bash(cat:*),Bash(ls:*),Bash(grep:*),Bash(rg:*),Bash(find:*),Bash(head:*),Bash(tail:*),Bash(wc:*)"
+}
+
 # ---------- v7.34.0 Claude session-id stamping (Phase 1, correlation-only) -----
 # Derive a deterministic per-run UUID from the existing trust-run-id so the same
 # run always maps to the same claude session UUID, and the bash + Bun routes
@@ -287,3 +342,39 @@ loki_session_stamp_enabled() {
     [ "${LOKI_SESSION_STAMP:-0}" = "1" ] || return 1
     loki_claude_flag_supported "--session-id"
 }
+
+# ---------- v7.36.0 ultrareview (cloud multi-agent review) gates ----------
+# `claude ultrareview [options] [target]` (Claude Code 2.1.x) runs a
+# cloud-hosted multi-agent code review of the current branch / a PR number / a
+# base branch and prints the findings. It is a PAID CLOUD operation billed by
+# Anthropic, SEPARATE from local model spend, and can take up to 30 minutes.
+#
+# These two predicates are the ONLY policy surface for the optional `loki review
+# --ultra` tier (issue #168). Both are read-only and side-effect-free.
+#
+# DESIGN (issue #168, architected):
+#   - This is an EXPLICIT, on-demand user action (`loki review --ultra`), NEVER
+#     an automatic completion-council voice. The council runs many times per
+#     build; auto-running a paid cloud call there would be a silent-billing
+#     footgun. The user typing "ultra" IS the consent signal; a confirmation
+#     prompt (or --yes / LOKI_ULTRAREVIEW=1) is still required before any spend.
+#   - There is NO price API, so we CANNOT show a dollar figure. We disclose the
+#     cost-CLASS (paid cloud op) and require confirmation. Never claim to show
+#     an estimated dollar amount here (that would be a lie).
+
+# Capability gate: does the installed `claude` CLI ship the `ultrareview`
+# subcommand? loki_claude_flag_supported greps `claude --help`, whose top-level
+# command list includes "ultrareview", so it matches subcommands too. Returns 0
+# when supported, 1 otherwise (so callers can emit an honest upgrade message).
+loki_ultrareview_supported() {
+    loki_claude_flag_supported "ultrareview"
+}
+
+# Non-interactive opt-in: is LOKI_ULTRAREVIEW=1 set? This is the env equivalent
+# of passing --yes to THIS command only. It is deliberately NOT wired into the
+# completion council or any auto path -- it only suppresses the interactive
+# confirmation prompt for an explicit `loki review --ultra` invocation. Any
+# other value (unset, 0, "true", etc.) returns 1 so only the exact "1" opts in.
+loki_ultrareview_enabled() {
+    [ "${LOKI_ULTRAREVIEW:-0}" = "1" ]
+}

package/autonomy/loki

@@ -13898,6 +13898,7 @@ if show_json:
             'recommended': recommended_provider,
             'reason': provider_reason,
         },
+        'moat': {'verified_completion': True, 'cost_honest': True},
     }
     if show_verbose:
         result['iteration_details'] = iteration_plan
@@ -14034,6 +14035,12 @@ if show_verbose:
 
 print(f'\n{DIM}This is an estimate. Actual usage depends on PRD complexity,')
 print(f'code review cycles, and test failures.{NC}')
+
+print(f'\n{CYAN}Why this estimate is trustworthy{NC}')
+print(f'{DIM}Verified completion. The completion council refuses to call work done')
+print(f'without evidence - a real diff and green tests, or it blocks.{NC}')
+print(f'{DIM}Cost honesty. The model quoted here is the model the run dispatches')
+print(f'and the dashboard reports. Quote, dashboard, and dispatch agree.{NC}')
 print()
 " "$prd_path" "$show_json" "$show_verbose"
 }
@@ -14520,6 +14527,117 @@ main() {
             ;;
     esac
 }
+# v7.36.0 (issue #168): optional cloud multi-agent review tier (`loki review
+# --ultra`). Wraps the upstream `claude ultrareview` subcommand. ALWAYS opt-in,
+# cost-disclosed, default OFF, and advisory only (it does NOT block any gate).
+#
+# Consent model (modeled on cmd_demo's cost-confirm, autonomy/loki ~9488-9540):
+#   - The disclosure ALWAYS prints (paid cloud op + may take up to 30 min).
+#   - There is NO price API: we disclose the cost-CLASS, never a dollar figure.
+#   - Interactive TTY without --yes: prompt, default NO.
+#   - Non-TTY/CI without --yes (and no LOKI_ULTRAREVIEW=1): REFUSE with exit 2
+#     and ZERO ultrareview calls (the no-silent-bill guard). Never hang on read.
+#   - --yes or LOKI_ULTRAREVIEW=1 proceeds without prompting (this command only).
+# Args: <format> <assume_yes> <timeout_minutes> <target>
+_review_ultra() {
+    local fmt="${1:-text}"
+    local assume_yes="${2:-false}"
+    local timeout_min="${3:-}"
+    local target="${4:-}"
+
+    # Make the ultrareview gate predicates available even though autonomy/loki
+    # does not source claude-flags.sh globally (same on-demand pattern as
+    # autonomy/lib/voter-agents.sh). Degrade honestly if the lib is missing.
+    if ! declare -F loki_ultrareview_supported >/dev/null 2>&1; then
+        local _ur_lib=""
+        if [ -f "${_LOKI_SCRIPT_DIR}/lib/claude-flags.sh" ]; then
+            _ur_lib="${_LOKI_SCRIPT_DIR}/lib/claude-flags.sh"
+        elif [ -f "$(dirname "$0")/lib/claude-flags.sh" ]; then
+            _ur_lib="$(dirname "$0")/lib/claude-flags.sh"
+        fi
+        if [ -n "$_ur_lib" ]; then
+            # shellcheck source=autonomy/lib/claude-flags.sh
+            . "$_ur_lib" 2>/dev/null || true
+        fi
+    fi
+
+    # 1. claude CLI present at all?
+    if ! command -v claude >/dev/null 2>&1; then
+        echo -e "${RED}Error: 'claude' CLI not found on PATH.${NC}" >&2
+        echo "loki review --ultra requires the Claude Code CLI (2.1.x) for cloud review." >&2
+        return 1
+    fi
+
+    # 2. Capability gate: does this claude support the ultrareview subcommand?
+    #    If absent, honest message + clean exit, never a half-feature.
+    if ! declare -F loki_ultrareview_supported >/dev/null 2>&1 \
+       || ! loki_ultrareview_supported; then
+        echo -e "${RED}Error: your 'claude' CLI does not support 'ultrareview'.${NC}" >&2
+        echo "Cloud multi-agent review needs Claude Code 2.1.x or newer; please upgrade." >&2
+        return 1
+    fi
+
+    # 3. Cost disclosure -- ALWAYS printed, even with --yes, so spend is never
+    #    hidden. NO dollar figure (there is no price API); cost-CLASS only.
+    echo -e "${BOLD}loki review --ultra${NC} - cloud multi-agent code review (optional, paid)" >&2
+    echo "" >&2
+    echo -e "${YELLOW}ultrareview is a PAID cloud operation billed by Anthropic, separate${NC}" >&2
+    echo -e "${YELLOW}from local model spend. It may take up to 30 minutes.${NC}" >&2
+    echo "Findings are advisory only and do not block Loki's completion gate." >&2
+    echo "" >&2
+
+    # 4. Consent. LOKI_ULTRAREVIEW=1 is the non-interactive opt-in equivalent of
+    #    --yes for THIS command only (never a council auto-trigger).
+    local proceed=false
+    if [ "$assume_yes" = true ]; then
+        proceed=true
+    elif declare -F loki_ultrareview_enabled >/dev/null 2>&1 && loki_ultrareview_enabled; then
+        proceed=true
+    else
+        # Interactive only when stdin is a real TTY and CI is not forcing
+        # non-interactive (matches the project's first-run gate semantics).
+        local ultra_interactive=true
+        if [ ! -t 0 ] || [ -n "${CI:-}" ]; then
+            ultra_interactive=false
+        fi
+        if [ "$ultra_interactive" = true ]; then
+            local ans=""
+            echo -n "Run cloud ultrareview now? [y/N] " >&2
+            read -r ans </dev/tty 2>/dev/null || ans=""
+            if [[ "$ans" =~ ^[Yy] ]]; then
+                proceed=true
+            else
+                echo "Cancelled. Nothing was spent." >&2
+                return 0
+            fi
+        else
+            # Non-TTY/CI without --yes: never hang; refuse with exit 2 and make
+            # ZERO ultrareview calls (the no-silent-bill guard).
+            echo "ultrareview needs confirmation; re-run with --yes (or set LOKI_ULTRAREVIEW=1) to proceed non-interactively" >&2
+            return 2
+        fi
+    fi
+
+    [ "$proceed" = true ] || { echo "Cancelled. Nothing was spent." >&2; return 0; }
+
+    # 5. Invoke `claude ultrareview [--json] [--timeout N] [target]` exactly once.
+    local ur_argv=("ultrareview")
+    if [ "$fmt" = "json" ]; then
+        ur_argv+=("--json")
+    fi
+    if [ -n "$timeout_min" ]; then
+        ur_argv+=("--timeout" "$timeout_min")
+    fi
+    if [ -n "$target" ]; then
+        ur_argv+=("$target")
+    fi
+
+    echo -e "${DIM}Running: claude ${ur_argv[*]}${NC}" >&2
+    echo "" >&2
+    claude "${ur_argv[@]}"
+    return $?
+}
+
 # Standalone code review - diff-based quality gates (v6.20.0)
 cmd_review() {
     local review_staged=false
@@ -14528,6 +14646,9 @@ cmd_review() {
     local review_target=""
     local review_format="text"
     local review_severity="all"
+    local review_ultra=false
+    local review_assume_yes=false
+    local review_timeout=""
 
     while [[ $# -gt 0 ]]; do
         case "$1" in
@@ -14548,6 +14669,15 @@ cmd_review() {
                 echo "Options:"
                 echo "  --format json        Output as JSON (for CI integration)"
                 echo "  --severity <level>   Filter: critical, high, medium, low, info (shows level+above)"
+                echo "  --ultra              Run an OPTIONAL cloud multi-agent review via"
+                echo "                       'claude ultrareview' (PAID cloud op, opt-in,"
+                echo "                       default OFF, advisory only). Requires"
+                echo "                       confirmation; --yes or LOKI_ULTRAREVIEW=1 to"
+                echo "                       skip the prompt. Optional [file-or-dir] is"
+                echo "                       passed as the ultrareview target (branch / PR"
+                echo "                       number / base branch)."
+                echo "  --yes, -y            Skip the --ultra confirmation prompt"
+                echo "  --timeout <minutes>  --ultra: max minutes to wait (default 30)"
                 echo "  --help, -h           Show this help"
                 echo ""
                 echo "Exit codes:"
@@ -14563,8 +14693,22 @@ cmd_review() {
                 echo "  loki review --since HEAD~5       # Changes in last 5 commits"
                 echo "  loki review --format json        # JSON output for CI"
                 echo "  loki review --severity high      # Only HIGH+ findings"
+                echo "  loki review --ultra              # Cloud multi-agent review (paid, opt-in)"
+                echo "  loki review --ultra 42           # Cloud review of GitHub PR #42"
+                echo "  loki review --ultra --yes        # Skip confirmation (e.g. in a script)"
                 return 0
                 ;;
+            --ultra) review_ultra=true; shift ;;
+            --yes|-y) review_assume_yes=true; shift ;;
+            --timeout)
+                shift
+                review_timeout="${1:-}"
+                if [ -z "$review_timeout" ]; then
+                    echo -e "${RED}Error: --timeout requires a value in minutes${NC}"
+                    return 1
+                fi
+                shift
+                ;;
             --staged) review_staged=true; shift ;;
             --pr)
                 shift
@@ -14600,6 +14744,16 @@ cmd_review() {
         esac
     done
 
+    # v7.36.0 (issue #168): optional cloud multi-agent review tier. This is an
+    # explicit, on-demand, opt-in, cost-disclosed path that wraps the existing
+    # `claude ultrareview` subcommand. It short-circuits the local-only review
+    # below: --ultra is a different operation (paid cloud), not a flag that
+    # augments the local static analysis.
+    if [ "$review_ultra" = true ]; then
+        _review_ultra "$review_format" "$review_assume_yes" "$review_timeout" "$review_target"
+        return $?
+    fi
+
     # Severity level ordering (higher number = more severe)
     _review_sev_level() {
         case "$1" in

package/autonomy/run.sh

@@ -4557,10 +4557,21 @@ _loki_hash_stdin() {
 # path+size pairs PLUS file content (v7.32.3, #569: path+size alone was blind to
 # a same-size content edit, so a stale PRD could be silently reused with a
 # false "codebase unchanged" disclosure). Content hashing is clone-stable
-# (mtime is not, which is why mtime was never used). Trees larger than
-# LOKI_PRD_SIG_CONTENT_BUDGET bytes (default 50MB) skip the content pass and
-# emit a "files-shallow:" signature so startup stays fast; the safe failure
-# mode there is unchanged-from-before (size-blind), never a false "changed".
+# (mtime is not, which is why mtime was never used). Three content tiers:
+#   1. full content hash ("files:") when the tree is both at-or-under
+#      LOKI_PRD_SIG_CONTENT_BUDGET bytes (default 50MB) AND at-or-under
+#      LOKI_PRD_SIG_CONTENT_MAXFILES files (default 20000). Detects any edit.
+#   2. sampled content hash ("files-sampled:", #171) when the tree exceeds
+#      either bound: hashes the head + tail (first 4096 + last 4096 bytes) of
+#      every file. Catches same-size edits at the start or end of a file
+#      without a full read of a huge tree. Residual honest gap: a same-size
+#      edit in the MIDDLE of a large file (>8192 bytes) that touches neither
+#      4KB window is still invisible. Far narrower than the old size-blind
+#      fallback, which missed ALL same-size edits.
+#   3. (historical) "files-shallow:" was the old content-blind fallback. It is
+#      no longer emitted, but is still ACCEPTED when read from a stored pre-#171
+#      signature so the first post-upgrade run reuses instead of falsely
+#      claiming "codebase changed" (one-run format-transition, see consumer).
 # Echoes the signature.
 compute_codebase_signature() {
     local dir="${1:-.}"
@@ -4576,7 +4587,7 @@ compute_codebase_signature() {
           fi
           echo "git:${head}:${dirty}"
       else
-          local listing count total_sz budget
+          local listing count total_sz budget maxfiles
           listing=$(find . \
               -type d \( -name .loki -o -name .git -o -name node_modules -o -name dist \
                          -o -name build -o -name .next -o -name target -o -name vendor \
@@ -4592,20 +4603,35 @@ compute_codebase_signature() {
           count=$(printf '%s\n' "$listing" | grep -c . || true)
           total_sz=$(printf '%s\n' "$listing" | awk -F'\t' '{s+=$2} END {printf "%d", s}')
           budget="${LOKI_PRD_SIG_CONTENT_BUDGET:-52428800}"
-          if [ "${total_sz:-0}" -le "$budget" ] 2>/dev/null; then
-              # Content pass: stream all file contents through one hash in the
-              # same sorted order as the listing. Detects same-size edits.
-              # xargs -0 batches the reads into a handful of cat invocations,
-              # so cost scales with BYTES (which the budget above bounds), not
-              # file count: a fork-per-file loop here measured ~38s of added
-              # startup on a 30k-small-file tree. Renames and content swaps
-              # are still caught by the listing hash (paths+sizes) below.
+          maxfiles="${LOKI_PRD_SIG_CONTENT_MAXFILES:-20000}"
+          if [ "${total_sz:-0}" -le "$budget" ] 2>/dev/null \
+             && [ "${count:-0}" -le "$maxfiles" ] 2>/dev/null; then
+              # Tier 1 -- full content pass: stream all file contents through one
+              # hash in the same sorted order as the listing. Detects any edit,
+              # including same-size ones. xargs -0 batches the reads into a
+              # handful of cat invocations, so cost scales with BYTES (which the
+              # budget above bounds), not file count: a fork-per-file loop here
+              # measured ~38s of added startup on a 30k-small-file tree. Renames
+              # and content swaps are still caught by the listing hash below.
               local content_hash
               content_hash=$(printf '%s\n' "$listing" | cut -f1 | tr '\n' '\0' \
                   | xargs -0 cat 2>/dev/null | _loki_hash_stdin)
               echo "files:$(printf '%s' "$listing" | _loki_hash_stdin):${count}:${content_hash}"
           else
-              echo "files-shallow:$(printf '%s' "$listing" | _loki_hash_stdin):${count}"
+              # Tier 2 -- sampled content pass (#171): the tree is over the byte
+              # budget OR over the file-count cap, so a full read would be slow.
+              # Hash the head + tail (first 4096 + last 4096 bytes) of every file
+              # instead. This catches same-size edits at the start or end of a
+              # file (which the old size-blind "files-shallow:" missed entirely),
+              # at a fixed <=8KB-per-file cost. -n 64 batches files per sh fork
+              # to avoid a fork-per-file storm on large trees. Same sorted order
+              # as the listing keeps the hash deterministic. Residual honest gap:
+              # a same-size edit in the middle of a >8KB file is still invisible.
+              local sample_hash
+              sample_hash=$(printf '%s\n' "$listing" | cut -f1 | tr '\n' '\0' \
+                  | xargs -0 -n 64 sh -c 'for f in "$@"; do head -c 4096 -- "$f" 2>/dev/null; tail -c 4096 -- "$f" 2>/dev/null; done' _ 2>/dev/null \
+                  | _loki_hash_stdin)
+              echo "files-sampled:$(printf '%s' "$listing" | _loki_hash_stdin):${count}:${sample_hash}"
           fi
       fi
     )
@@ -4698,6 +4724,30 @@ except Exception:
                     echo "reuse"; return 0
                 fi
                 ;;
+            files-shallow:*:*)
+                # #171 format transition: a stored pre-#171 size-blind signature
+                # ("files-shallow:<listing>:<count>", 3 fields) compared against
+                # the new sampled signature ("files-sampled:<listing>:<count>:
+                # <samplehash>") would falsely claim "codebase changed" on the
+                # first post-upgrade run. When the listing-hash and count match
+                # (i.e. the stored value with its prefix swapped to files-sampled:
+                # is a prefix of the current sampled signature), the tree is
+                # unchanged at the OLD format's trust level (paths+sizes): reuse,
+                # honestly. The next persist upgrades the stored format to the
+                # sampled tier. A same-size edit made BEFORE the upgrade stays
+                # invisible for this one run, exactly as on the old version (no
+                # regression, no false disclosure).
+                if [ "$(printf '%s' "$stored" | tr -dc ':' | wc -c | tr -d ' ')" = "2" ]; then
+                    local stored_sampled="files-sampled:${stored#files-shallow:}"
+                    case "$current" in
+                        files-sampled:*)
+                            if [ "${current#"${stored_sampled}":}" != "$current" ]; then
+                                echo "reuse"; return 0
+                            fi
+                            ;;
+                    esac
+                fi
+                ;;
         esac
         echo "update"
     fi
@@ -4756,7 +4806,16 @@ _legacy_upgrade = (
     and prev_sig.count(':') == 2
     and sig.startswith(prev_sig + ':')
 )
-if prev_at and (prev_sig == sig or _legacy_upgrade):
+# #171 format upgrade: a stored pre-#171 size-blind 'files-shallow:<listing>:
+# <count>' (3 fields) reused into the new sampled 'files-sampled:<listing>:
+# <count>:<samplehash>' whose listing fields match. Same trust level (the
+# decide returned reuse), so the PRD content did not change: preserve the date.
+_sampled_upgrade = (
+    isinstance(prev_sig, str) and prev_sig.startswith('files-shallow:')
+    and prev_sig.count(':') == 2
+    and sig.startswith('files-sampled:' + prev_sig[len('files-shallow:'):] + ':')
+)
+if prev_at and (prev_sig == sig or _legacy_upgrade or _sampled_upgrade):
     generated_at = prev_at
 else:
     generated_at = datetime.datetime.now(datetime.timezone.utc).isoformat().replace('+00:00','Z')
@@ -7838,6 +7897,16 @@ BUILD_PROMPT
                     if type loki_review_guard_enabled >/dev/null 2>&1 && loki_review_guard_enabled; then
                         _rv_argv+=("--disallowedTools" "$(loki_review_guard_denylist)")
                     fi
+                    #   EMBED 3b (--allowedTools, #167): positive least-privilege
+                    #     allowlist. DEFAULT OFF (opt-in LOKI_REVIEW_ALLOWLIST=1).
+                    #     Emitted ALONGSIDE the denylist: verified live (claude
+                    #     2.1.177) that deny precedence holds even under
+                    #     --dangerously-skip-permissions, so the denylist still
+                    #     hard-blocks mutations while this narrows the surface to
+                    #     read/inspect tools. See loki_review_allowlist.
+                    if type loki_review_allowlist_enabled >/dev/null 2>&1 && loki_review_allowlist_enabled; then
+                        _rv_argv+=("--allowedTools" "$(loki_review_allowlist)")
+                    fi
                     claude "${_rv_argv[@]}" -p "$prompt_text" \
                         --output-format text > "$review_output" 2>/dev/null
                     ;;
@@ -8069,6 +8138,14 @@ ADVERSARIAL_EOF
                 if type loki_review_guard_enabled >/dev/null 2>&1 && loki_review_guard_enabled; then
                     _adv_argv+=("--disallowedTools" "$(loki_review_guard_denylist)")
                 fi
+                #   EMBED 3b (--allowedTools, #167): positive least-privilege
+                #     allowlist. DEFAULT OFF (opt-in LOKI_REVIEW_ALLOWLIST=1).
+                #     Emitted ALONGSIDE the denylist (deny precedence verified
+                #     live, holds under --dangerously-skip-permissions). See
+                #     loki_review_allowlist.
+                if type loki_review_allowlist_enabled >/dev/null 2>&1 && loki_review_allowlist_enabled; then
+                    _adv_argv+=("--allowedTools" "$(loki_review_allowlist)")
+                fi
                 claude "${_adv_argv[@]}" -p "$adversarial_prompt" \
                     --output-format text > "$result_file" 2>/dev/null || true
             fi

package/dashboard/__init__.py

@@ -7,7 +7,7 @@ Modules:
     control: Session control API (start/stop/pause/resume)
 """
 
-__version__ = "7.35.0"
+__version__ = "7.36.0"
 
 # Expose the control app for easy import
 try:

package/docs/INSTALLATION.md

@@ -2,7 +2,7 @@
 
 The flagship product of [Autonomi](https://www.autonomi.dev/). Loki Mode is a spec-driven autonomous builder with a built-in trust layer that takes any spec to a deployed product and verifies completion with evidence (quality gates plus a completion council), not just a "done" claim. Complete installation instructions for all platforms and use cases.
 
-**Version:** v7.35.0
+**Version:** v7.36.0
 
 ---
 

package/docs/LICENSE-CHANGE-NOTICE.md

@@ -0,0 +1,65 @@
+<!-- SPDX-License-Identifier: BUSL-1.1 -->
+
+# License Change Notice
+
+## Summary
+
+Effective March 19, 2026, Loki Mode transitioned from the MIT License to the
+Business Source License 1.1 (BSL 1.1). The Licensed Work is owned by
+Autonomi, Inc. (autonomi.dev).
+
+## What this means
+
+**If you are using Loki Mode for personal projects, learning, research, or
+internal tooling:** Nothing changes for you. You can continue using, modifying,
+and redistributing Loki Mode freely.
+
+**If you are building a competing commercial product or service:** You need a
+commercial license. Contact founder@autonomi.dev.
+
+## What counts as "competing"
+
+Offering a product or service to third parties that provides substantially
+the same or similar functionality as Loki Mode, including multi-agent AI
+development orchestration, autonomous software development services, AI code
+generation or deployment services that incorporate or replicate Loki Mode's
+orchestration, review, verification, or agent coordination systems, or
+products that substantially replicate core architectural patterns such as the
+RARV cycle, Completion Council, or swarm coordination model.
+
+## What does NOT require a commercial license
+
+- Using Loki Mode to build your own software products
+- Internal company use where Loki Mode is a tool, not the product
+- Academic, educational, and research use
+- Personal and non-commercial use
+- Evaluation and testing in non-production environments
+- Contributing improvements back under a signed CLA
+
+## Contributing
+
+All external contributions require a signed Contributor License Agreement
+(CLA). This ensures Autonomi maintains the rights needed to license and
+distribute the Licensed Work, including in commercial contexts. Contributions
+submitted without a signed CLA may be removed from the codebase.
+
+## Intellectual Property
+
+Loki Mode embodies proprietary methodologies and architectural patterns
+developed by Autonomi, including the RARV execution cycle, the Completion
+Council consensus review system, context persistence for long-running
+autonomous sessions, multi-provider orchestration protocols, and swarm-based
+agent coordination. These are protected under this License regardless of
+whether they are used via the code directly or reimplemented independently
+from the documentation.
+
+## Open Source Conversion
+
+On March 19, 2030 (or four years from the release date of each version,
+whichever comes first), each version automatically converts to the
+Apache License 2.0.
+
+## Contact
+
+founder@autonomi.dev for commercial licensing, partnership inquiries, or
+questions about permitted use.

package/loki-ts/dist/loki.js

@@ -1,5 +1,5 @@
 // @bun
-var n6=Object.defineProperty;var a6=($)=>$;function s6($,Q){this[$]=a6.bind(null,Q)}var h=($,Q)=>{for(var Z in Q)n6($,Z,{get:Q[Z],enumerable:!0,configurable:!0,set:s6.bind(Q,Z)})};var L=($,Q)=>()=>($&&(Q=$($=0)),Q);var K$=import.meta.require;var S1={};h(S1,{lokiDir:()=>P,homeLokiDir:()=>o$,findRepoRootForVersion:()=>d$,REPO_ROOT:()=>m});import{resolve as n,dirname as l$}from"path";import{fileURLToPath as t6}from"url";import{existsSync as P$}from"fs";import{homedir as r6}from"os";function i6(){let $=N1;for(let Q=0;Q<6;Q++){if(P$(n($,"VERSION"))&&P$(n($,"autonomy/run.sh")))return $;let Z=l$($);if(Z===$)break;$=Z}return n(N1,"..","..","..")}function d$($){let Q=$;for(let Z=0;Z<6;Z++){if(P$(n(Q,"VERSION"))&&P$(n(Q,"autonomy/run.sh")))return Q;let z=l$(Q);if(z===Q)break;Q=z}return n($,"..","..","..")}function P(){return process.env.LOKI_DIR??n(process.cwd(),".loki")}function o$(){return n(r6(),".loki")}var N1,m;var C=L(()=>{N1=l$(t6(import.meta.url));m=i6()});import{readFileSync as e6}from"fs";import{resolve as $Q,dirname as QQ}from"path";import{fileURLToPath as ZQ}from"url";function F$(){if($$!==null)return $$;let $="7.35.0";if(typeof $==="string"&&$.length>0)return $$=$,$$;try{let Q=QQ(ZQ(import.meta.url)),Z=d$(Q);$$=e6($Q(Z,"VERSION"),"utf-8").trim()}catch{$$="unknown"}return $$}var $$=null;var n$=L(()=>{C()});var C1={};h(C1,{runOrThrow:()=>zQ,run:()=>j,commandVersion:()=>KQ,commandExists:()=>f,ShellError:()=>a$});async function j($,Q={}){let Z=Bun.spawn({cmd:[...$],stdout:"pipe",stderr:"pipe",env:Q.env?{...process.env,...Q.env}:process.env,cwd:Q.cwd}),z,X;if(Q.timeoutMs&&Q.timeoutMs>0)z=setTimeout(()=>{try{Z.kill("SIGTERM")}catch{}X=setTimeout(()=>{try{Z.kill("SIGKILL")}catch{}},2000)},Q.timeoutMs);try{let[W,K,U]=await Promise.all([new Response(Z.stdout).text(),new Response(Z.stderr).text(),Z.exited]);return{stdout:W,stderr:K,exitCode:U}}finally{if(z)clearTimeout(z);if(X)clearTimeout(X)}}async function zQ($,Q={}){let Z=await j($,Q);if(Z.exitCode!==0)throw new a$(`command failed (${Z.exitCode}): ${$.join(" ")}`,Z.exitCode,Z.stdout,Z.stderr);return Z}async function f($){let Q=XQ($),Z=await j(["sh","-c",`command -v ${Q}`],{timeoutMs:5000});if(Z.exitCode===0)return Z.stdout.trim()||null;return null}function XQ($){if(!/^[A-Za-z0-9._/-]+$/.test($))throw Error(`refused to shell-escape suspect token: ${$}`);return $}async function KQ($,Q="--version"){if(!await f($))return null;let z=await j([$,Q],{timeoutMs:5000});if(z.exitCode!==0)return null;return((z.stdout||z.stderr).split(/\r?\n/)[0]?.trim()??"")||null}var a$;var d=L(()=>{a$=class a$ extends Error{message;exitCode;stdout;stderr;constructor($,Q,Z,z){super($);this.message=$;this.exitCode=Q;this.stdout=Z;this.stderr=z;this.name="ShellError"}}});function a($){return WQ?"":$}var WQ,T,S,I,TZ,w,R,y,q;var c=L(()=>{WQ=(process.env.NO_COLOR??"").length>0;T=a("\x1B[0;31m"),S=a("\x1B[0;32m"),I=a("\x1B[1;33m"),TZ=a("\x1B[0;34m"),w=a("\x1B[0;36m"),R=a("\x1B[1m"),y=a("\x1B[2m"),q=a("\x1B[0m")});import{existsSync as TQ}from"fs";async function Q$(){if(B$!==void 0)return B$;let $="/opt/homebrew/bin/python3.12";if(TQ($))return B$=$,$;let Q=await f("python3.12");if(Q)return B$=Q,Q;let Z=await f("python3");return B$=Z,Z}async function Z$($,Q={}){let Z=await Q$();if(!Z)return{stdout:"",stderr:"python3 not found",exitCode:127};return j([Z,"-c",$],Q)}var B$;var W$=L(()=>{d()});var t1={};h(t1,{runStatus:()=>gQ});import{existsSync as v,readFileSync as U$,readdirSync as l1,statSync as d1}from"fs";import{resolve as D,basename as xQ}from"path";import{homedir as NQ}from"os";async function DQ(){if(await f("jq"))return!0;return process.stdout.write(`${T}Error: jq is required but not installed.${q}
+var n6=Object.defineProperty;var a6=($)=>$;function s6($,Q){this[$]=a6.bind(null,Q)}var h=($,Q)=>{for(var Z in Q)n6($,Z,{get:Q[Z],enumerable:!0,configurable:!0,set:s6.bind(Q,Z)})};var L=($,Q)=>()=>($&&(Q=$($=0)),Q);var K$=import.meta.require;var S1={};h(S1,{lokiDir:()=>P,homeLokiDir:()=>o$,findRepoRootForVersion:()=>d$,REPO_ROOT:()=>m});import{resolve as n,dirname as l$}from"path";import{fileURLToPath as t6}from"url";import{existsSync as P$}from"fs";import{homedir as r6}from"os";function i6(){let $=N1;for(let Q=0;Q<6;Q++){if(P$(n($,"VERSION"))&&P$(n($,"autonomy/run.sh")))return $;let Z=l$($);if(Z===$)break;$=Z}return n(N1,"..","..","..")}function d$($){let Q=$;for(let Z=0;Z<6;Z++){if(P$(n(Q,"VERSION"))&&P$(n(Q,"autonomy/run.sh")))return Q;let z=l$(Q);if(z===Q)break;Q=z}return n($,"..","..","..")}function P(){return process.env.LOKI_DIR??n(process.cwd(),".loki")}function o$(){return n(r6(),".loki")}var N1,m;var C=L(()=>{N1=l$(t6(import.meta.url));m=i6()});import{readFileSync as e6}from"fs";import{resolve as $Q,dirname as QQ}from"path";import{fileURLToPath as ZQ}from"url";function F$(){if($$!==null)return $$;let $="7.36.0";if(typeof $==="string"&&$.length>0)return $$=$,$$;try{let Q=QQ(ZQ(import.meta.url)),Z=d$(Q);$$=e6($Q(Z,"VERSION"),"utf-8").trim()}catch{$$="unknown"}return $$}var $$=null;var n$=L(()=>{C()});var C1={};h(C1,{runOrThrow:()=>zQ,run:()=>j,commandVersion:()=>KQ,commandExists:()=>f,ShellError:()=>a$});async function j($,Q={}){let Z=Bun.spawn({cmd:[...$],stdout:"pipe",stderr:"pipe",env:Q.env?{...process.env,...Q.env}:process.env,cwd:Q.cwd}),z,X;if(Q.timeoutMs&&Q.timeoutMs>0)z=setTimeout(()=>{try{Z.kill("SIGTERM")}catch{}X=setTimeout(()=>{try{Z.kill("SIGKILL")}catch{}},2000)},Q.timeoutMs);try{let[W,K,U]=await Promise.all([new Response(Z.stdout).text(),new Response(Z.stderr).text(),Z.exited]);return{stdout:W,stderr:K,exitCode:U}}finally{if(z)clearTimeout(z);if(X)clearTimeout(X)}}async function zQ($,Q={}){let Z=await j($,Q);if(Z.exitCode!==0)throw new a$(`command failed (${Z.exitCode}): ${$.join(" ")}`,Z.exitCode,Z.stdout,Z.stderr);return Z}async function f($){let Q=XQ($),Z=await j(["sh","-c",`command -v ${Q}`],{timeoutMs:5000});if(Z.exitCode===0)return Z.stdout.trim()||null;return null}function XQ($){if(!/^[A-Za-z0-9._/-]+$/.test($))throw Error(`refused to shell-escape suspect token: ${$}`);return $}async function KQ($,Q="--version"){if(!await f($))return null;let z=await j([$,Q],{timeoutMs:5000});if(z.exitCode!==0)return null;return((z.stdout||z.stderr).split(/\r?\n/)[0]?.trim()??"")||null}var a$;var d=L(()=>{a$=class a$ extends Error{message;exitCode;stdout;stderr;constructor($,Q,Z,z){super($);this.message=$;this.exitCode=Q;this.stdout=Z;this.stderr=z;this.name="ShellError"}}});function a($){return WQ?"":$}var WQ,T,S,I,TZ,w,R,y,q;var c=L(()=>{WQ=(process.env.NO_COLOR??"").length>0;T=a("\x1B[0;31m"),S=a("\x1B[0;32m"),I=a("\x1B[1;33m"),TZ=a("\x1B[0;34m"),w=a("\x1B[0;36m"),R=a("\x1B[1m"),y=a("\x1B[2m"),q=a("\x1B[0m")});import{existsSync as TQ}from"fs";async function Q$(){if(B$!==void 0)return B$;let $="/opt/homebrew/bin/python3.12";if(TQ($))return B$=$,$;let Q=await f("python3.12");if(Q)return B$=Q,Q;let Z=await f("python3");return B$=Z,Z}async function Z$($,Q={}){let Z=await Q$();if(!Z)return{stdout:"",stderr:"python3 not found",exitCode:127};return j([Z,"-c",$],Q)}var B$;var W$=L(()=>{d()});var t1={};h(t1,{runStatus:()=>gQ});import{existsSync as v,readFileSync as U$,readdirSync as l1,statSync as d1}from"fs";import{resolve as D,basename as xQ}from"path";import{homedir as NQ}from"os";async function DQ(){if(await f("jq"))return!0;return process.stdout.write(`${T}Error: jq is required but not installed.${q}
 `),process.stdout.write(`Install with:
 `),process.stdout.write(`  brew install jq    (macOS)
 `),process.stdout.write(`  apt install jq     (Debian/Ubuntu)
@@ -789,4 +789,4 @@ Set LOKI_LEGACY_BASH=1 to force the bash CLI for every command.
 `),2}default:return process.stderr.write(`Unknown command: ${Q}
 `),process.stderr.write(o6),2}}p1();process.on("SIGINT",()=>process.exit(130));process.on("SIGTERM",()=>process.exit(143));var ZZ=await QZ(Bun.argv.slice(2));process.exit(ZZ);
 
-//# debugId=4A51F9C635720B1064756E2164756E21
+//# debugId=948D8F6B9A2EE4AF64756E2164756E21

package/mcp/__init__.py

@@ -57,4 +57,4 @@ try:
 except ImportError:
     __all__ = ['mcp']
 
-__version__ = '7.35.0'
+__version__ = '7.36.0'

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "loki-mode",
   "mcpName": "io.github.asklokesh/loki-mode",
-  "version": "7.35.0",
+  "version": "7.36.0",
   "description": "Loki Mode by Autonomi. Autonomous spec-to-product system: takes a PRD, GitHub issue, OpenAPI/JSON/YAML, or one-line brief to a deployed app via the RARV-C closure loop with 11 quality gates. Provider-agnostic (Claude Code, OpenAI Codex, Cline, Aider).",
   "keywords": [
     "agent",