loki-mode 7.37.1 → 7.39.0

package/.claude-plugin/marketplace.json

@@ -0,0 +1,28 @@
+{
+  "$schema": "https://json.schemastore.org/claude-code-marketplace.json",
+  "name": "loki-mode",
+  "owner": {
+    "name": "Autonomi"
+  },
+  "description": "Autonomi marketplace: Loki Mode, the autonomous spec-to-product build system with a built-in trust layer.",
+  "plugins": [
+    {
+      "name": "loki-mode",
+      "source": "./plugins/loki-mode",
+      "description": "Autonomous spec-to-product build system with a built-in trust layer. Ships Loki's spec-hardening (grill), living-spec drift detection, and deterministic PR verification commands, plus the Loki MCP server (memory, task queue, code search, build management). Requires the loki-mode CLI on PATH (npm install -g loki-mode or brew install).",
+      "homepage": "https://github.com/asklokesh/loki-mode",
+      "repository": "https://github.com/asklokesh/loki-mode",
+      "license": "SEE LICENSE IN LICENSE",
+      "category": "automation",
+      "keywords": [
+        "autonomous",
+        "agent",
+        "spec-driven",
+        "verification",
+        "code-review",
+        "mcp",
+        "loki"
+      ]
+    }
+  ]
+}

package/SKILL.md

@@ -3,7 +3,7 @@ name: loki-mode
 description: Autonomous spec-driven build system with a built-in trust layer. It does not call work done until it is verified (RARV-C closure loop, 11 quality gates, completion council, verified-completion evidence gate). Triggers on "Loki Mode". Takes a spec (PRD, GitHub issue, OpenAPI doc, etc.) to deployed product with minimal human intervention. Provider-agnostic. Requires --dangerously-skip-permissions flag.
 ---
 
-# Loki Mode v7.37.1
+# Loki Mode v7.39.0
 
 **You are an autonomous agent. You make decisions. You do not ask questions. You do not stop.**
 
@@ -398,4 +398,4 @@ See `CHANGELOG.md` entries [7.5.7], [7.5.8], [7.5.13] for the per-fix list and r
 
 ---
 
-**v7.37.1 | [Autonomi](https://www.autonomi.dev/) flagship product | ~260 lines core**
+**v7.39.0 | [Autonomi](https://www.autonomi.dev/) flagship product | ~260 lines core**

package/VERSION

@@ -1 +1 @@
-7.37.1
+7.39.0

package/autonomy/lib/claude-flags.sh

@@ -261,14 +261,18 @@ loki_review_guard_denylist() {
 # the dangerous forms. echo>/sed -i/python -c style writes are not enumerable and
 # remain possible; the real net is commit-before-agent-wave (see CLAUDE.md).
 #
-# DEFAULT OFF (opt-in LOKI_REVIEW_ALLOWLIST=1) so the default argv on BOTH routes
-# stays byte-identical to v7.34. Gated on CLI support so an older claude degrades
-# gracefully (emits nothing). Predicate + token so call sites append uniformly:
+# DEFAULT ON (safety-additive least-privilege; opt OUT with LOKI_REVIEW_ALLOWLIST=0).
+# Flipped default-on because deny precedence (verified live) means the denylist
+# still hard-blocks every mutation form while this allowlist only narrows the
+# reviewer surface to read/inspect tools -- pure safety win, no surprise spend, no
+# egress. The escape hatch (LOKI_REVIEW_ALLOWLIST=0) restores the prior off state.
+# Gated on CLI support so an older claude degrades gracefully (emits nothing).
+# Predicate + token so call sites append uniformly:
 #   if loki_review_allowlist_enabled; then
 #       argv+=("--allowedTools" "$(loki_review_allowlist)")
 #   fi
 loki_review_allowlist_enabled() {
-    [ "${LOKI_REVIEW_ALLOWLIST:-0}" = "1" ] || return 1
+    [ "${LOKI_REVIEW_ALLOWLIST:-1}" = "0" ] && return 1
     loki_claude_flag_supported "--allowedTools"
 }
 loki_review_allowlist() {
@@ -379,6 +383,105 @@ loki_ultrareview_enabled() {
     [ "${LOKI_ULTRAREVIEW:-0}" = "1" ]
 }
 
+# ---------- v7.38.0 Dynamic Workflows (ultracode) gates ----------
+# Claude Code "Dynamic Workflows" are JS orchestration scripts Claude writes that
+# fan out into many background subagents. They are triggered by the `ultracode`
+# keyword in a prompt and fire under `claude -p` (verified empirically: a headless
+# workflow returned "The workflow finished"). They are:
+#   - Claude-PROVIDER-ONLY (no Codex/Cline/Aider equivalent),
+#   - require claude CLI >= 2.1.154,
+#   - cost meaningfully MORE than a normal run (a trivial workflow observed at
+#     ~$0.71 vs ~$0.01 for a plain read; there is NO price API so we never quote
+#     a dollar figure -- we disclose the cost CLASS only),
+#   - disablable via CLAUDE_CODE_DISABLE_WORKFLOWS=1 or the `disableWorkflows`
+#     setting in any Claude settings.json.
+#
+# These predicates mirror loki_ultrareview_supported/enabled exactly: read-only,
+# side-effect free, the ONLY policy surface for the optional `loki ultracode`
+# passthrough and the Phase 2 opt-in analysis dispatch. The user typing
+# `loki ultracode` (or setting LOKI_USE_CLAUDE_WORKFLOWS=1) IS the consent signal.
+
+# Minimum claude CLI version that ships Dynamic Workflows.
+LOKI_WORKFLOWS_MIN_VERSION="${LOKI_WORKFLOWS_MIN_VERSION:-2.1.154}"
+
+# Parse the installed claude CLI semantic version (e.g. "2.1.177") to stdout, or
+# empty on any failure. Mirrors the `claude --version | sed` pattern already used
+# at autonomy/loki:7888. Cached per-process so we do not shell out repeatedly.
+_loki_claude_version() {
+    if [ -z "${__LOKI_CLAUDE_VERSION_CACHE:-}" ]; then
+        if command -v claude >/dev/null 2>&1; then
+            __LOKI_CLAUDE_VERSION_CACHE="$(claude --version 2>/dev/null | head -1 | sed 's/[^0-9.]//g' | head -1)"
+        fi
+        # Sentinel so an empty real result does not re-shell every call.
+        __LOKI_CLAUDE_VERSION_CACHE="${__LOKI_CLAUDE_VERSION_CACHE:-__none__}"
+        export __LOKI_CLAUDE_VERSION_CACHE
+    fi
+    [ "$__LOKI_CLAUDE_VERSION_CACHE" = "__none__" ] && return 0
+    printf '%s' "$__LOKI_CLAUDE_VERSION_CACHE"
+}
+
+# Dotted-version >= compare: returns 0 when $1 >= $2, 1 otherwise. Pure, no
+# external tools beyond awk (always present). Pads missing components with 0.
+_loki_version_ge() {
+    local have="${1:-}" want="${2:-}"
+    [ -z "$have" ] && return 1
+    [ -z "$want" ] && return 0
+    awk -v a="$have" -v b="$want" '
+    function cmp(x, y,   na, nb, i, n, xi, yi) {
+        na = split(x, A, ".")
+        nb = split(y, B, ".")
+        n = (na > nb) ? na : nb
+        for (i = 1; i <= n; i++) {
+            xi = (i <= na) ? A[i] + 0 : 0
+            yi = (i <= nb) ? B[i] + 0 : 0
+            if (xi > yi) return 1
+            if (xi < yi) return -1
+        }
+        return 0
+    }
+    BEGIN { exit (cmp(a, b) >= 0) ? 0 : 1 }
+    '
+}
+
+# True when CLAUDE_CODE_DISABLE_WORKFLOWS=1 OR a `disableWorkflows` setting is
+# active in any Claude settings source. Best-effort, read-only (not a full JSON
+# parse, but rejects the obvious cases). Returns 0 (disabled) / 1 (not disabled).
+_loki_workflows_disabled() {
+    [ "${CLAUDE_CODE_DISABLE_WORKFLOWS:-0}" = "1" ] && return 0
+    local f
+    for f in "$HOME/.claude/settings.json" "$HOME/.config/claude/settings.json" \
+             "${CLAUDE_CONFIG_DIR:-$HOME/.claude}/settings.json" \
+             "$PWD/.claude/settings.json" "$PWD/.claude/settings.local.json"; do
+        [ -f "$f" ] || continue
+        # Match "disableWorkflows": true (tolerating whitespace around the colon).
+        grep -Eq '"disableWorkflows"[[:space:]]*:[[:space:]]*true' "$f" 2>/dev/null && return 0
+    done
+    return 1
+}
+
+# Capability gate: is the active provider Claude AND the claude CLI present AND
+# version >= the workflows minimum AND workflows not disabled? Returns 0 when
+# workflows can run, 1 otherwise (so callers emit an honest message + clean exit).
+loki_workflows_supported() {
+    # Provider must be Claude (Tier 1). Workflows are Claude-only.
+    [ "${LOKI_PROVIDER:-claude}" = "claude" ] || return 1
+    command -v claude >/dev/null 2>&1 || return 1
+    _loki_workflows_disabled && return 1
+    local ver
+    ver="$(_loki_claude_version)"
+    _loki_version_ge "$ver" "$LOKI_WORKFLOWS_MIN_VERSION" || return 1
+    return 0
+}
+
+# Non-interactive opt-in: is LOKI_USE_CLAUDE_WORKFLOWS=1 set? This is the env knob
+# that turns ON the Phase 2 read-only-analysis workflow dispatch. Default OFF. Any
+# value other than the exact "1" returns 1 so only an explicit opt-in counts. This
+# is independent of the `loki ultracode` passthrough (which is itself an explicit
+# user invocation and does not require this flag).
+loki_workflows_enabled() {
+    [ "${LOKI_USE_CLAUDE_WORKFLOWS:-0}" = "1" ]
+}
+
 # ---------------------------------------------------------------------------
 # Session-continuity Phase 2 (GitHub #165) -- LOKI_RESUME_SESSION recovery resume
 #

package/autonomy/loki

@@ -649,13 +649,18 @@ show_help() {
     # do NOT appear here; they live in the collapsed footer below and in
     # `loki help aliases`. The full long-tail surface is still dispatchable and
     # documented per-command via `loki <command> --help`.
+    #
+    # v7.39.0: trimmed three lower-traffic canonical entries off the front page
+    # to hold the lean target after `ultracode` (v7.38.0) joined Verify/trust:
+    # grill (pre-build spec interrogation, advanced), spec (living-spec drift,
+    # advanced), and cleanup (orphaned-process recovery, rare). They remain
+    # fully canonical (NOT aliases), dispatchable, and listed in the "More
+    # commands" footer below + documented via `loki <command> --help`.
     echo "Commands:"
     echo ""
     echo "Build:"
     echo "  start [SPEC]     Start a build (PRD file, GitHub issue, or no arg)"
     echo "  plan <PRD-file>  Dry-run analysis: complexity, cost, execution plan"
-    echo "  grill [SPEC]     Devil's-advocate spec interrogation before you build"
-    echo "  spec [cmd]       Living spec: lock|status|sync (drift detection)"
     echo "  quickstart [idea]  Guided first build: setup, idea, template, plan, go"
     echo ""
     echo "Session:"
@@ -663,11 +668,11 @@ show_help() {
     echo "  stop             Stop execution immediately"
     echo "  pause            Pause after current session"
     echo "  resume           Resume paused execution"
-    echo "  cleanup          Kill orphaned processes from crashed sessions"
     echo ""
     echo "Verify / trust:"
     echo "  verify [base]    Deterministic PR verification (CI-gate exit codes)"
     echo "  review [opts]    Standalone code review with quality gates"
+    echo "  ultracode \"task\" Run a task as a native Claude Code Dynamic Workflow (opt-in, Claude-only)"
     echo "  trust [cmd]      Visible trust trajectory; 'trust detail' for metrics"
     echo ""
     echo "Observe:"
@@ -691,10 +696,10 @@ show_help() {
     echo "  version          Show version"
     echo "  help             Show this help ('loki help aliases' for old names)"
     echo ""
-    echo "More commands (init, watch, demo, web, api, logs, github,"
-    echo "import, council, proof, audit, agent, template, magic, docs, wiki, ci,"
-    echo "test, bench, secrets, telemetry, crash, worktree, failover, monitor,"
-    echo "remote, ...) are dispatchable and documented via"
+    echo "More commands (grill, spec, cleanup, init, watch, demo, web, api,"
+    echo "logs, github, import, council, proof, audit, agent, template, magic,"
+    echo "docs, wiki, ci, test, bench, secrets, telemetry, crash, worktree,"
+    echo "failover, monitor, remote, ...) are dispatchable and documented via"
     echo "'loki <command> --help'."
     echo ""
     echo "Aliases (deprecated): older command names still work; they print a"
@@ -14354,6 +14359,9 @@ main() {
         review)
             cmd_review "$@"
             ;;
+        ultracode)
+            cmd_ultracode "$@"
+            ;;
         optimize)
             cmd_optimize "$@"
             ;;
@@ -14638,6 +14646,182 @@ _review_ultra() {
     return $?
 }
 
+# v7.38.0: optional native Claude Code Dynamic Workflow passthrough
+# (`loki ultracode "<task>"`). Structurally identical to _review_ultra (issue
+# #168): opt-in, capability-gated, cost-class disclosed, Claude-provider-only,
+# clean exit on any unsupported path. PURE passthrough -- Loki adds NO
+# orchestration of its own; it prepends the `ultracode` keyword to the prompt and
+# routes through `claude -p`, which fires the workflow runtime.
+#
+# Consent model (mirrors _review_ultra):
+#   - The cost-CLASS disclosure ALWAYS prints. There is NO price API, so we never
+#     quote a dollar figure (that would be a lie).
+#   - Interactive TTY without --yes: prompt, default NO.
+#   - Non-TTY/CI without --yes (and no LOKI_USE_CLAUDE_WORKFLOWS=1): REFUSE with
+#     exit 2 and ZERO workflow invocation (the no-silent-bill guard).
+#   - --yes or LOKI_USE_CLAUDE_WORKFLOWS=1 proceeds without prompting.
+# Args: <assume_yes> <task...>
+_run_ultracode() {
+    local assume_yes="${1:-false}"
+    shift || true
+    local task="$*"
+
+    if [ -z "$task" ]; then
+        echo -e "${RED}Error: loki ultracode requires a task description.${NC}" >&2
+        echo "Usage: loki ultracode \"<task>\" [--yes]" >&2
+        return 1
+    fi
+
+    # Make the workflow gate predicates available even though autonomy/loki does
+    # not source claude-flags.sh globally (same on-demand pattern as
+    # _review_ultra). Degrade honestly if the lib is missing.
+    if ! declare -F loki_workflows_supported >/dev/null 2>&1; then
+        local _wf_lib=""
+        if [ -f "${_LOKI_SCRIPT_DIR}/lib/claude-flags.sh" ]; then
+            _wf_lib="${_LOKI_SCRIPT_DIR}/lib/claude-flags.sh"
+        elif [ -f "$(dirname "$0")/lib/claude-flags.sh" ]; then
+            _wf_lib="$(dirname "$0")/lib/claude-flags.sh"
+        fi
+        if [ -n "$_wf_lib" ]; then
+            # shellcheck source=autonomy/lib/claude-flags.sh
+            . "$_wf_lib" 2>/dev/null || true
+        fi
+    fi
+
+    # 1. Provider gate: workflows are Claude-only. On Codex/Cline/Aider, print the
+    #    honest message and exit CLEANLY (0) with ZERO invocation. Never break the
+    #    other providers.
+    local _provider="${LOKI_PROVIDER:-claude}"
+    if [ "$_provider" != "claude" ]; then
+        echo -e "${YELLOW}loki ultracode: Claude provider only.${NC}" >&2
+        echo "Workflows need the Claude provider and claude CLI >= 2.1.154." >&2
+        echo "Active provider is '${_provider}'; nothing was run." >&2
+        return 0
+    fi
+
+    # 2. claude CLI present at all?
+    if ! command -v claude >/dev/null 2>&1; then
+        echo -e "${RED}Error: 'claude' CLI not found on PATH.${NC}" >&2
+        echo "Workflows need the Claude provider and claude CLI >= 2.1.154." >&2
+        return 1
+    fi
+
+    # 3. Capability gate: provider==claude AND CLI present AND version >= 2.1.154
+    #    AND workflows not disabled. Honest message + clean exit if unsupported.
+    if ! declare -F loki_workflows_supported >/dev/null 2>&1 \
+       || ! loki_workflows_supported; then
+        echo -e "${YELLOW}loki ultracode: workflows unavailable on this setup.${NC}" >&2
+        echo "Workflows need the Claude provider and claude CLI >= 2.1.154" >&2
+        echo "(and must not be disabled via CLAUDE_CODE_DISABLE_WORKFLOWS or the" >&2
+        echo "disableWorkflows setting). Nothing was run." >&2
+        return 0
+    fi
+
+    # 4. Cost-CLASS disclosure -- ALWAYS printed, even with --yes, so spend is
+    #    never hidden. NO dollar figure (there is no price API); cost-CLASS only.
+    echo -e "${BOLD}loki ultracode${NC} - native Claude Code Dynamic Workflow (optional)" >&2
+    echo "" >&2
+    echo -e "${YELLOW}Workflows spawn many agents and cost meaningfully more than a normal${NC}" >&2
+    echo -e "${YELLOW}run; this is a Claude Code feature billed as normal usage.${NC}" >&2
+    echo "" >&2
+
+    # 5. Consent. LOKI_USE_CLAUDE_WORKFLOWS=1 is the non-interactive opt-in
+    #    equivalent of --yes for THIS command.
+    local proceed=false
+    if [ "$assume_yes" = true ]; then
+        proceed=true
+    elif declare -F loki_workflows_enabled >/dev/null 2>&1 && loki_workflows_enabled; then
+        proceed=true
+    else
+        local uc_interactive=true
+        if [ ! -t 0 ] || [ -n "${CI:-}" ]; then
+            uc_interactive=false
+        fi
+        if [ "$uc_interactive" = true ]; then
+            local ans=""
+            echo -n "Run the workflow now? [y/N] " >&2
+            read -r ans </dev/tty 2>/dev/null || ans=""
+            if [[ "$ans" =~ ^[Yy] ]]; then
+                proceed=true
+            else
+                echo "Cancelled. Nothing was spent." >&2
+                return 0
+            fi
+        else
+            # Non-TTY/CI without --yes: never hang; refuse with exit 2 and make
+            # ZERO workflow calls (the no-silent-bill guard).
+            echo "workflows need confirmation; re-run with --yes (or set LOKI_USE_CLAUDE_WORKFLOWS=1) to proceed non-interactively" >&2
+            return 2
+        fi
+    fi
+
+    [ "$proceed" = true ] || { echo "Cancelled. Nothing was spent." >&2; return 0; }
+
+    # 6. Invoke the Claude provider once with the prompt PREFIXED by "ultracode: "
+    #    so the workflow runtime fires. ALWAYS opus per project policy (planning-
+    #    grade fan-out). The keyword prefix is the only supported, stable trigger;
+    #    Loki never authors a workflow script itself.
+    local uc_prompt="ultracode: ${task}"
+    local uc_argv=("-p" "$uc_prompt" "--model" "opus")
+
+    echo -e "${DIM}Running: claude -p \"ultracode: ...\" --model opus${NC}" >&2
+    echo "" >&2
+    claude "${uc_argv[@]}"
+    return $?
+}
+
+# v7.38.0: `loki ultracode "<task>"` command. Thin opt-in surface that routes a
+# task through a native Claude Code Dynamic Workflow. See _run_ultracode.
+cmd_ultracode() {
+    local uc_assume_yes=false
+    local uc_args=()
+    while [[ $# -gt 0 ]]; do
+        case "$1" in
+            --help|-h)
+                echo -e "${BOLD}loki ultracode${NC} - run a task as a native Claude Code Dynamic Workflow"
+                echo ""
+                echo "Usage: loki ultracode \"<task>\" [--yes]"
+                echo ""
+                echo "Prepends the 'ultracode' keyword to your task and routes it through"
+                echo "the Claude provider, firing Claude Code's Dynamic Workflow runtime"
+                echo "(many background subagents fanning out on a read/research/audit task)."
+                echo ""
+                echo "This is a PASSTHROUGH: Loki adds no orchestration of its own. It is"
+                echo "OPT-IN, default OFF, and Claude-provider-only. The council, the 11"
+                echo "quality gates, the evidence gate, and the RARV loop are untouched."
+                echo ""
+                echo "Requirements:"
+                echo "  - Active provider is Claude (Tier 1)"
+                echo "  - claude CLI >= 2.1.154"
+                echo "  - Workflows not disabled (CLAUDE_CODE_DISABLE_WORKFLOWS / disableWorkflows)"
+                echo "On any unmet requirement: an honest message prints and nothing runs."
+                echo ""
+                echo "Cost: workflows spawn many agents and cost meaningfully more than a"
+                echo "normal run; this is a Claude Code feature billed as normal usage."
+                echo "There is no price API, so no dollar figure is shown."
+                echo ""
+                echo "Options:"
+                echo "  --yes, -y    Skip the confirmation prompt (consent to the cost)"
+                echo "  --help, -h   Show this help"
+                echo ""
+                echo "Environment:"
+                echo "  LOKI_USE_CLAUDE_WORKFLOWS=1   Non-interactive opt-in (like --yes)"
+                echo "  CLAUDE_CODE_DISABLE_WORKFLOWS=1  Disable workflows entirely"
+                echo ""
+                echo "Examples:"
+                echo "  loki ultracode \"audit this repo for dead code\""
+                echo "  loki ultracode \"research the top 5 auth libraries for Node\" --yes"
+                return 0
+                ;;
+            --yes|-y) uc_assume_yes=true; shift ;;
+            --) shift; while [[ $# -gt 0 ]]; do uc_args+=("$1"); shift; done ;;
+            *) uc_args+=("$1"); shift ;;
+        esac
+    done
+    _run_ultracode "$uc_assume_yes" "${uc_args[@]}"
+    return $?
+}
+
 # Standalone code review - diff-based quality gates (v6.20.0)
 cmd_review() {
     local review_staged=false

package/dashboard/__init__.py

@@ -7,7 +7,7 @@ Modules:
     control: Session control API (start/stop/pause/resume)
 """
 
-__version__ = "7.37.1"
+__version__ = "7.39.0"
 
 # Expose the control app for easy import
 try:

package/docs/INSTALLATION.md

@@ -2,7 +2,7 @@
 
 The flagship product of [Autonomi](https://www.autonomi.dev/). Loki Mode is a spec-driven autonomous builder with a built-in trust layer that takes any spec to a deployed product and verifies completion with evidence (quality gates plus a completion council), not just a "done" claim. Complete installation instructions for all platforms and use cases.
 
-**Version:** v7.37.1
+**Version:** v7.39.0
 
 ---
 

package/loki-ts/dist/loki.js

@@ -1,5 +1,5 @@
 // @bun
-var n6=Object.defineProperty;var a6=($)=>$;function s6($,Q){this[$]=a6.bind(null,Q)}var h=($,Q)=>{for(var Z in Q)n6($,Z,{get:Q[Z],enumerable:!0,configurable:!0,set:s6.bind(Q,Z)})};var L=($,Q)=>()=>($&&(Q=$($=0)),Q);var K$=import.meta.require;var S1={};h(S1,{lokiDir:()=>P,homeLokiDir:()=>o$,findRepoRootForVersion:()=>d$,REPO_ROOT:()=>m});import{resolve as n,dirname as l$}from"path";import{fileURLToPath as t6}from"url";import{existsSync as P$}from"fs";import{homedir as r6}from"os";function i6(){let $=N1;for(let Q=0;Q<6;Q++){if(P$(n($,"VERSION"))&&P$(n($,"autonomy/run.sh")))return $;let Z=l$($);if(Z===$)break;$=Z}return n(N1,"..","..","..")}function d$($){let Q=$;for(let Z=0;Z<6;Z++){if(P$(n(Q,"VERSION"))&&P$(n(Q,"autonomy/run.sh")))return Q;let z=l$(Q);if(z===Q)break;Q=z}return n($,"..","..","..")}function P(){return process.env.LOKI_DIR??n(process.cwd(),".loki")}function o$(){return n(r6(),".loki")}var N1,m;var C=L(()=>{N1=l$(t6(import.meta.url));m=i6()});import{readFileSync as e6}from"fs";import{resolve as $Q,dirname as QQ}from"path";import{fileURLToPath as ZQ}from"url";function F$(){if($$!==null)return $$;let $="7.37.1";if(typeof $==="string"&&$.length>0)return $$=$,$$;try{let Q=QQ(ZQ(import.meta.url)),Z=d$(Q);$$=e6($Q(Z,"VERSION"),"utf-8").trim()}catch{$$="unknown"}return $$}var $$=null;var n$=L(()=>{C()});var C1={};h(C1,{runOrThrow:()=>zQ,run:()=>j,commandVersion:()=>KQ,commandExists:()=>f,ShellError:()=>a$});async function j($,Q={}){let Z=Bun.spawn({cmd:[...$],stdout:"pipe",stderr:"pipe",env:Q.env?{...process.env,...Q.env}:process.env,cwd:Q.cwd}),z,X;if(Q.timeoutMs&&Q.timeoutMs>0)z=setTimeout(()=>{try{Z.kill("SIGTERM")}catch{}X=setTimeout(()=>{try{Z.kill("SIGKILL")}catch{}},2000)},Q.timeoutMs);try{let[W,K,U]=await Promise.all([new Response(Z.stdout).text(),new Response(Z.stderr).text(),Z.exited]);return{stdout:W,stderr:K,exitCode:U}}finally{if(z)clearTimeout(z);if(X)clearTimeout(X)}}async function zQ($,Q={}){let Z=await j($,Q);if(Z.exitCode!==0)throw new a$(`command failed (${Z.exitCode}): ${$.join(" ")}`,Z.exitCode,Z.stdout,Z.stderr);return Z}async function f($){let Q=XQ($),Z=await j(["sh","-c",`command -v ${Q}`],{timeoutMs:5000});if(Z.exitCode===0)return Z.stdout.trim()||null;return null}function XQ($){if(!/^[A-Za-z0-9._/-]+$/.test($))throw Error(`refused to shell-escape suspect token: ${$}`);return $}async function KQ($,Q="--version"){if(!await f($))return null;let z=await j([$,Q],{timeoutMs:5000});if(z.exitCode!==0)return null;return((z.stdout||z.stderr).split(/\r?\n/)[0]?.trim()??"")||null}var a$;var d=L(()=>{a$=class a$ extends Error{message;exitCode;stdout;stderr;constructor($,Q,Z,z){super($);this.message=$;this.exitCode=Q;this.stdout=Z;this.stderr=z;this.name="ShellError"}}});function a($){return WQ?"":$}var WQ,T,S,I,TZ,w,R,y,q;var c=L(()=>{WQ=(process.env.NO_COLOR??"").length>0;T=a("\x1B[0;31m"),S=a("\x1B[0;32m"),I=a("\x1B[1;33m"),TZ=a("\x1B[0;34m"),w=a("\x1B[0;36m"),R=a("\x1B[1m"),y=a("\x1B[2m"),q=a("\x1B[0m")});import{existsSync as TQ}from"fs";async function Q$(){if(B$!==void 0)return B$;let $="/opt/homebrew/bin/python3.12";if(TQ($))return B$=$,$;let Q=await f("python3.12");if(Q)return B$=Q,Q;let Z=await f("python3");return B$=Z,Z}async function Z$($,Q={}){let Z=await Q$();if(!Z)return{stdout:"",stderr:"python3 not found",exitCode:127};return j([Z,"-c",$],Q)}var B$;var W$=L(()=>{d()});var t1={};h(t1,{runStatus:()=>gQ});import{existsSync as v,readFileSync as U$,readdirSync as l1,statSync as d1}from"fs";import{resolve as D,basename as xQ}from"path";import{homedir as NQ}from"os";async function DQ(){if(await f("jq"))return!0;return process.stdout.write(`${T}Error: jq is required but not installed.${q}
+var n6=Object.defineProperty;var a6=($)=>$;function s6($,Q){this[$]=a6.bind(null,Q)}var h=($,Q)=>{for(var Z in Q)n6($,Z,{get:Q[Z],enumerable:!0,configurable:!0,set:s6.bind(Q,Z)})};var L=($,Q)=>()=>($&&(Q=$($=0)),Q);var K$=import.meta.require;var S1={};h(S1,{lokiDir:()=>P,homeLokiDir:()=>o$,findRepoRootForVersion:()=>d$,REPO_ROOT:()=>m});import{resolve as n,dirname as l$}from"path";import{fileURLToPath as t6}from"url";import{existsSync as P$}from"fs";import{homedir as r6}from"os";function i6(){let $=N1;for(let Q=0;Q<6;Q++){if(P$(n($,"VERSION"))&&P$(n($,"autonomy/run.sh")))return $;let Z=l$($);if(Z===$)break;$=Z}return n(N1,"..","..","..")}function d$($){let Q=$;for(let Z=0;Z<6;Z++){if(P$(n(Q,"VERSION"))&&P$(n(Q,"autonomy/run.sh")))return Q;let z=l$(Q);if(z===Q)break;Q=z}return n($,"..","..","..")}function P(){return process.env.LOKI_DIR??n(process.cwd(),".loki")}function o$(){return n(r6(),".loki")}var N1,m;var C=L(()=>{N1=l$(t6(import.meta.url));m=i6()});import{readFileSync as e6}from"fs";import{resolve as $Q,dirname as QQ}from"path";import{fileURLToPath as ZQ}from"url";function F$(){if($$!==null)return $$;let $="7.39.0";if(typeof $==="string"&&$.length>0)return $$=$,$$;try{let Q=QQ(ZQ(import.meta.url)),Z=d$(Q);$$=e6($Q(Z,"VERSION"),"utf-8").trim()}catch{$$="unknown"}return $$}var $$=null;var n$=L(()=>{C()});var C1={};h(C1,{runOrThrow:()=>zQ,run:()=>j,commandVersion:()=>KQ,commandExists:()=>f,ShellError:()=>a$});async function j($,Q={}){let Z=Bun.spawn({cmd:[...$],stdout:"pipe",stderr:"pipe",env:Q.env?{...process.env,...Q.env}:process.env,cwd:Q.cwd}),z,X;if(Q.timeoutMs&&Q.timeoutMs>0)z=setTimeout(()=>{try{Z.kill("SIGTERM")}catch{}X=setTimeout(()=>{try{Z.kill("SIGKILL")}catch{}},2000)},Q.timeoutMs);try{let[W,K,U]=await Promise.all([new Response(Z.stdout).text(),new Response(Z.stderr).text(),Z.exited]);return{stdout:W,stderr:K,exitCode:U}}finally{if(z)clearTimeout(z);if(X)clearTimeout(X)}}async function zQ($,Q={}){let Z=await j($,Q);if(Z.exitCode!==0)throw new a$(`command failed (${Z.exitCode}): ${$.join(" ")}`,Z.exitCode,Z.stdout,Z.stderr);return Z}async function f($){let Q=XQ($),Z=await j(["sh","-c",`command -v ${Q}`],{timeoutMs:5000});if(Z.exitCode===0)return Z.stdout.trim()||null;return null}function XQ($){if(!/^[A-Za-z0-9._/-]+$/.test($))throw Error(`refused to shell-escape suspect token: ${$}`);return $}async function KQ($,Q="--version"){if(!await f($))return null;let z=await j([$,Q],{timeoutMs:5000});if(z.exitCode!==0)return null;return((z.stdout||z.stderr).split(/\r?\n/)[0]?.trim()??"")||null}var a$;var d=L(()=>{a$=class a$ extends Error{message;exitCode;stdout;stderr;constructor($,Q,Z,z){super($);this.message=$;this.exitCode=Q;this.stdout=Z;this.stderr=z;this.name="ShellError"}}});function a($){return WQ?"":$}var WQ,T,S,I,TZ,w,R,y,q;var c=L(()=>{WQ=(process.env.NO_COLOR??"").length>0;T=a("\x1B[0;31m"),S=a("\x1B[0;32m"),I=a("\x1B[1;33m"),TZ=a("\x1B[0;34m"),w=a("\x1B[0;36m"),R=a("\x1B[1m"),y=a("\x1B[2m"),q=a("\x1B[0m")});import{existsSync as TQ}from"fs";async function Q$(){if(B$!==void 0)return B$;let $="/opt/homebrew/bin/python3.12";if(TQ($))return B$=$,$;let Q=await f("python3.12");if(Q)return B$=Q,Q;let Z=await f("python3");return B$=Z,Z}async function Z$($,Q={}){let Z=await Q$();if(!Z)return{stdout:"",stderr:"python3 not found",exitCode:127};return j([Z,"-c",$],Q)}var B$;var W$=L(()=>{d()});var t1={};h(t1,{runStatus:()=>gQ});import{existsSync as v,readFileSync as U$,readdirSync as l1,statSync as d1}from"fs";import{resolve as D,basename as xQ}from"path";import{homedir as NQ}from"os";async function DQ(){if(await f("jq"))return!0;return process.stdout.write(`${T}Error: jq is required but not installed.${q}
 `),process.stdout.write(`Install with:
 `),process.stdout.write(`  brew install jq    (macOS)
 `),process.stdout.write(`  apt install jq     (Debian/Ubuntu)
@@ -789,4 +789,4 @@ Set LOKI_LEGACY_BASH=1 to force the bash CLI for every command.
 `),2}default:return process.stderr.write(`Unknown command: ${Q}
 `),process.stderr.write(o6),2}}p1();process.on("SIGINT",()=>process.exit(130));process.on("SIGTERM",()=>process.exit(143));var ZZ=await QZ(Bun.argv.slice(2));process.exit(ZZ);
 
-//# debugId=4D62C09E1CA3E64A64756E2164756E21
+//# debugId=0053955F19A92CF864756E2164756E21

package/mcp/__init__.py

@@ -57,4 +57,4 @@ try:
 except ImportError:
     __all__ = ['mcp']
 
-__version__ = '7.37.1'
+__version__ = '7.39.0'

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "loki-mode",
   "mcpName": "io.github.asklokesh/loki-mode",
-  "version": "7.37.1",
+  "version": "7.39.0",
   "description": "Loki Mode by Autonomi. Autonomous spec-to-product system: takes a PRD, GitHub issue, OpenAPI/JSON/YAML, or one-line brief to a deployed app via the RARV-C closure loop with 11 quality gates. Provider-agnostic (Claude Code, OpenAI Codex, Cline, Aider).",
   "keywords": [
     "agent",
@@ -67,6 +67,8 @@
     "VERSION",
     "assets/",
     "tools/",
+    "plugins/",
+    ".claude-plugin/marketplace.json",
     "autonomy/",
     "providers/",
     "agents/",

package/plugins/loki-mode/.claude-plugin/plugin.json

@@ -0,0 +1,28 @@
+{
+  "$schema": "https://json.schemastore.org/claude-code-plugin-manifest.json",
+  "name": "loki-mode",
+  "displayName": "Loki Mode",
+  "version": "7.39.0",
+  "description": "Autonomous spec-to-product build system with a built-in trust layer (RARV-C closure loop, 11 quality gates, completion council). Ships Loki's spec-hardening, drift-detection, and deterministic PR verification commands plus the Loki MCP server.",
+  "author": {
+    "name": "Autonomi",
+    "url": "https://www.autonomi.dev/"
+  },
+  "homepage": "https://github.com/asklokesh/loki-mode",
+  "repository": "https://github.com/asklokesh/loki-mode",
+  "license": "SEE LICENSE IN LICENSE",
+  "keywords": [
+    "autonomous",
+    "agent",
+    "spec-driven",
+    "verification",
+    "code-review",
+    "mcp",
+    "loki"
+  ],
+  "commands": [
+    "./commands/"
+  ],
+  "mcpServers": "./.mcp.json",
+  "hooks": "./hooks/hooks.json"
+}

package/plugins/loki-mode/.mcp.json

@@ -0,0 +1,11 @@
+{
+  "mcpServers": {
+    "loki-mode": {
+      "command": "loki",
+      "args": ["mcp", "--transport", "stdio"],
+      "env": {
+        "LOKI_MCP_AUTO_BOOTSTRAP": "1"
+      }
+    }
+  }
+}

package/plugins/loki-mode/README.md

@@ -0,0 +1,88 @@
+# Loki Mode plugin for Claude Code
+
+Loki Mode is the autonomous spec-to-product build system with a built-in trust
+layer (RARV-C closure loop, 11 quality gates, completion council). This plugin
+brings Loki's spec-hardening, drift-detection, and deterministic PR verification
+into Claude Code as slash commands, and wires up the Loki MCP server.
+
+Homepage: https://github.com/asklokesh/loki-mode
+
+## Install
+
+The plugin is published through the Autonomi marketplace, which lives in this
+same repository.
+
+1. Add the marketplace (one time):
+
+   ```
+   /plugin marketplace add asklokesh/loki-mode
+   ```
+
+2. Install the plugin:
+
+   ```
+   /plugin install loki-mode@loki-mode
+   ```
+
+That is it. The commands below become available immediately.
+
+## What you get
+
+Slash commands (namespaced as `loki-mode:<command>`):
+
+- `loki-mode:loki-grill` - interrogate a spec with Loki's Devil's-Advocate
+  grill before building, and summarize the hardest questions it surfaces.
+- `loki-mode:loki-spec-status` - check whether the spec has drifted from its
+  lock using deterministic living-spec drift detection.
+- `loki-mode:loki-verify` - run Loki's deterministic PR verification on the
+  current change and summarize the evidence verdict.
+
+MCP server (`loki-mode`): exposes Loki's tools (memory, task queue, code
+search, build management) to Claude Code.
+
+## Requirement: the loki-mode CLI must be installed
+
+The slash commands run `loki ...` subcommands, and the MCP server is launched
+via `loki mcp`. Both require the `loki` binary to be on your PATH. Install it
+once:
+
+```
+npm install -g loki-mode
+```
+
+or with Homebrew:
+
+```
+brew install asklokesh/tap/loki-mode
+```
+
+The plugin ships the commands, MCP wiring, and an optional guard hook. It does
+not bundle the Loki runtime itself, because a marketplace plugin is copied into
+an isolated cache and cannot reach the rest of the repository. The CLI on PATH
+is what provides the runtime.
+
+On the MCP server's first launch, if the Python MCP SDK is not present, the
+bundled config sets `LOKI_MCP_AUTO_BOOTSTRAP=1` as written, in-advance consent
+so the server can create a project-local virtualenv at `.loki/mcp-venv` and
+install its dependencies non-interactively. Remove that env var from
+`.mcp.json` if you prefer to bootstrap manually (run `loki mcp` once in a
+terminal and follow the printed instructions).
+
+## Optional Bash guard hook (off by default)
+
+The plugin ships a `PreToolUse` hook for the Bash tool that is a no-op unless
+you opt in. Set `LOKI_GUARD=1` in your environment to enable it. When enabled it
+blocks a small set of clearly destructive Bash commands that have bitten Loki
+runs before:
+
+- `rm -rf` on `/tmp/loki-*` while a live Loki run may be staging files there
+- `rm -rf` of a filesystem or `$HOME` root
+- `git add -A` / `git add .` (Loki convention: stage files individually)
+
+With `LOKI_GUARD` unset the hook always allows the command through, so it never
+interferes unless you ask it to.
+
+## License
+
+SEE LICENSE IN LICENSE (BUSL-1.1, source-available). See the LICENSE file at the
+repository root.

package/plugins/loki-mode/commands/loki-grill.md

@@ -0,0 +1,47 @@
+---
+description: Interrogate a spec with Loki's Devil's-Advocate grill before building, and summarize the hardest questions it surfaces.
+argument-hint: "[spec-path] (default: prd.md / .loki/generated-prd.md)"
+allowed-tools: Bash(loki grill:*), Read
+---
+
+Harden a spec before any code is written. Loki's grill invokes the provider
+once with a Devil's-Advocate prompt to surface the 10-15 hardest questions that
+expose ambiguities, missing acceptance criteria, unstated assumptions, and
+security/scale blind spots. A grilled spec is a better Reason input to the
+RARV-C loop.
+
+Steps:
+
+1. Run the interrogation on the spec ($ARGUMENTS, or the default resolution
+   prd.md / .loki/generated-prd.md if empty):
+
+   ```
+   loki grill $ARGUMENTS
+   ```
+
+   It writes `.loki/grill/report.md`. It requires a provider CLI and fails
+   cleanly (exit 3) when none is available: it never fabricates questions.
+
+2. Read `.loki/grill/report.md` and present the findings to the user grouped by
+   category:
+   - Ambiguities and missing acceptance criteria
+   - Unstated assumptions
+   - Security blind spots
+   - Scale and reliability blind spots
+
+3. For each hard question, suggest a concrete way to resolve it in the spec
+   (a precise acceptance criterion, an explicit assumption made explicit, a
+   security control, a stated limit). Do not silently answer them yourself;
+   the point is to harden the human's intent.
+
+4. If the user wants the questions embedded in the spec for the record, offer:
+
+   ```
+   loki grill --apply $ARGUMENTS
+   ```
+
+   which appends a "Grill findings" section to the spec file. Ask before
+   modifying the spec.
+
+Report only what the grill produced. If the provider was unavailable, say so
+plainly and do not invent questions.

package/plugins/loki-mode/commands/loki-spec-status.md

@@ -0,0 +1,48 @@
+---
+description: Check whether the spec has drifted from its lock using Loki's living-spec drift detection, and summarize the report.
+argument-hint: "[spec-path] (default: prd.md / .loki/generated-prd.md)"
+allowed-tools: Bash(loki spec:*), Read
+---
+
+Check whether the spec is still true: the spec is the contract; Loki keeps it
+true. This runs deterministic drift detection (no LLM cost) comparing the
+current spec against its lock.
+
+Steps:
+
+1. If there is no lock yet, the status command will say so. In that case, offer
+   to create one:
+
+   ```
+   loki spec lock $ARGUMENTS
+   ```
+
+   The lock (`.loki/spec/spec.lock`) is a deterministic map of spec
+   requirements (checklist items and headings) to content hashes, plus repo
+   HEAD at lock time.
+
+2. Run the drift check:
+
+   ```
+   loki spec status $ARGUMENTS
+   ```
+
+   Exit 0 means in sync (SPEC-TRUE); exit 1 means drift detected
+   (SPEC-DRIFTED). It writes `.loki/spec/drift-report.json`.
+
+3. Read `.loki/spec/drift-report.json` and summarize for the user:
+   - The verdict: SPEC-TRUE or SPEC-DRIFTED.
+   - Counts of ADDED, REMOVED, and CHANGED requirements, then list each one.
+   - Whether code changed since the locked HEAD (files, insertions, deletions).
+
+4. If drifted, explain the choice clearly:
+   - If the code is the source of truth and the spec should follow, the human
+     updates the spec, then runs `loki spec sync $ARGUMENTS` to re-lock.
+   - If the spec is correct and the code lags, the change set is incomplete.
+
+   This MVP never auto-rewrites the spec. Re-locking via `loki spec sync` is an
+   explicit human action after review. Do not run `sync` automatically; ask
+   first.
+
+Report only what the drift report shows. Do not infer requirements that are not
+in the spec.

package/plugins/loki-mode/commands/loki-verify.md

@@ -0,0 +1,38 @@
+---
+description: Run Loki's deterministic PR verification on the current change and summarize the evidence verdict.
+argument-hint: "[base-ref] (default: main)"
+allowed-tools: Bash(loki verify:*), Read
+---
+
+Run Loki's Autonomi Verify on the current working tree and report the verdict
+with its evidence, not just an opinion in chat. The differentiator is the
+auditable artifact: a verdict that refuses to silently pass on inconclusive
+evidence.
+
+Steps:
+
+1. Run the verifier against the base ref ($ARGUMENTS, or `main` if empty):
+
+   ```
+   loki verify $ARGUMENTS
+   ```
+
+   It computes the PR-style delta merge-base(base, HEAD)..HEAD and runs
+   deterministic gates (build, tests, static analysis, secret scan, dependency
+   audit, and spec drift when a spec lock exists). Exit codes:
+   0 VERIFIED, 1 CONCERNS, 2 BLOCKED, 3 verifier error.
+
+2. Read the evidence artifacts it wrote:
+   - `.loki/verify/evidence.json` (machine-readable: schema, gates, findings)
+   - `.loki/verify/report.md` (human verdict + findings table)
+
+3. Summarize for the user:
+   - The verdict (VERIFIED / CONCERNS / BLOCKED) and exit code.
+   - Each gate and its status (pass / fail / inconclusive / skipped).
+   - Every finding: severity, category, file:line, and whether it is blocking.
+   - If the verdict is CONCERNS or BLOCKED, list exactly what to fix.
+
+Be honest about inconclusive evidence: an inconclusive gate (for example a test
+runner that could not run) is never upgraded to VERIFIED. If the diff is empty,
+the verdict is CONCERNS (nothing to verify), not VERIFIED. Do not claim the
+change is verified unless the evidence says VERIFIED.

package/plugins/loki-mode/hooks/hooks.json

@@ -0,0 +1,15 @@
+{
+  "hooks": {
+    "PreToolUse": [
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "\"${CLAUDE_PLUGIN_ROOT}\"/scripts/loki-guard.sh"
+          }
+        ]
+      }
+    ]
+  }
+}

package/plugins/loki-mode/scripts/loki-guard.sh

@@ -0,0 +1,103 @@
+#!/usr/bin/env bash
+# Loki Mode opt-in Bash guard (PreToolUse hook).
+#
+# DEFAULT: OFF. This hook is a no-op pass-through unless the user explicitly
+# opts in by setting LOKI_GUARD=1 (or true/yes/on, case-insensitive) in their
+# environment. With the guard disabled the hook always exits 0 immediately, so
+# it never interferes with a user's Bash tool calls.
+#
+# When enabled, it inspects the proposed Bash command (read from the PreToolUse
+# event JSON on stdin) and blocks a small set of clearly destructive patterns
+# that have bitten Loki runs in the past:
+#   - rm -rf on /tmp/loki-* globs while a live run may be staging there
+#   - rm -rf of / or $HOME roots
+#   - git add -A / git add . (Loki convention: stage files individually)
+#
+# Blocking contract (Claude Code hooks): to deny a tool call, emit a JSON object
+# on stdout with permissionDecision "deny" and a reason, and exit 0. Anything
+# else (empty object, exit 0) allows the call. We never hard-fail the hook so a
+# parsing hiccup can never wedge the session.
+#
+# This script depends only on bash builtins plus python3 (already required by
+# Loki) for robust JSON parsing. If python3 is missing it degrades to allow.
+
+set -u
+
+# 1. Opt-in gate. Unset / empty / anything-not-truthy => pass through.
+guard_on=0
+case "$(printf '%s' "${LOKI_GUARD:-}" | tr '[:upper:]' '[:lower:]')" in
+  1 | true | yes | on | y) guard_on=1 ;;
+  *) guard_on=0 ;;
+esac
+
+if [ "$guard_on" -ne 1 ]; then
+  # Disabled: allow without comment.
+  printf '{}'
+  exit 0
+fi
+
+# 2. Read the event JSON from stdin (PreToolUse provides tool_input.command).
+event="$(cat 2>/dev/null || true)"
+
+# 3. Extract the proposed command. Prefer python3; degrade to allow on any error.
+cmd=""
+if command -v python3 >/dev/null 2>&1; then
+  cmd="$(printf '%s' "$event" | python3 -c '
+import sys, json
+try:
+    e = json.load(sys.stdin)
+except Exception:
+    sys.exit(0)
+ti = e.get("tool_input") or {}
+c = ti.get("command")
+if isinstance(c, str):
+    sys.stdout.write(c)
+' 2>/dev/null || true)"
+fi
+
+# No command parsed => allow.
+if [ -z "$cmd" ]; then
+  printf '{}'
+  exit 0
+fi
+
+deny() {
+  # $1 = reason. Emit a deny decision and exit 0 (the hook itself succeeded).
+  reason="$1"
+  printf '%s' "$reason" | python3 -c '
+import sys, json
+reason = sys.stdin.read()
+print(json.dumps({
+    "hookSpecificOutput": {
+        "hookEventName": "PreToolUse",
+        "permissionDecision": "deny",
+        "permissionDecisionReason": reason
+    }
+}))
+'
+  exit 0
+}
+
+# 4. Destructive-pattern checks (only reached when guard is ON).
+
+# 4a. rm -rf targeting /tmp/loki-* while a live run may be staging there.
+if printf '%s' "$cmd" | grep -Eq 'rm[[:space:]]+(-[A-Za-z]*r[A-Za-z]*f|-[A-Za-z]*f[A-Za-z]*r|-rf|-fr)[[:space:]].*/tmp/loki-'; then
+  if command -v pgrep >/dev/null 2>&1 && pgrep -f 'loki-run-' >/dev/null 2>&1; then
+    deny "LOKI_GUARD: refusing rm -rf on /tmp/loki-* while a live loki run is staging there (pgrep -f loki-run- matched). Scope cleanup to known-dead paths, or stop the run first."
+  fi
+fi
+
+# 4b. rm -rf of filesystem root or HOME root.
+# shellcheck disable=SC2016  # the regex matches the literal text $HOME in the command, no expansion intended
+if printf '%s' "$cmd" | grep -Eq 'rm[[:space:]]+-[A-Za-z]*[rf][A-Za-z]*[[:space:]]+(-[A-Za-z]+[[:space:]]+)*(/|/\*|"\$HOME"|\$HOME|~)([[:space:]]|$)'; then
+  deny "LOKI_GUARD: refusing rm -rf of a filesystem or HOME root. This is almost certainly a mistake."
+fi
+
+# 4c. git add -A / git add . (Loki convention: stage files individually).
+if printf '%s' "$cmd" | grep -Eq 'git[[:space:]]+add[[:space:]]+(-A|--all|\.)([[:space:]]|$)'; then
+  deny "LOKI_GUARD: 'git add -A' / 'git add .' is blocked by Loki convention. Stage files individually by name."
+fi
+
+# 5. Nothing matched => allow.
+printf '{}'
+exit 0