loki-mode 7.38.0 → 7.39.0

package/.claude-plugin/marketplace.json

@@ -0,0 +1,28 @@
+{
+  "$schema": "https://json.schemastore.org/claude-code-marketplace.json",
+  "name": "loki-mode",
+  "owner": {
+    "name": "Autonomi"
+  },
+  "description": "Autonomi marketplace: Loki Mode, the autonomous spec-to-product build system with a built-in trust layer.",
+  "plugins": [
+    {
+      "name": "loki-mode",
+      "source": "./plugins/loki-mode",
+      "description": "Autonomous spec-to-product build system with a built-in trust layer. Ships Loki's spec-hardening (grill), living-spec drift detection, and deterministic PR verification commands, plus the Loki MCP server (memory, task queue, code search, build management). Requires the loki-mode CLI on PATH (npm install -g loki-mode or brew install).",
+      "homepage": "https://github.com/asklokesh/loki-mode",
+      "repository": "https://github.com/asklokesh/loki-mode",
+      "license": "SEE LICENSE IN LICENSE",
+      "category": "automation",
+      "keywords": [
+        "autonomous",
+        "agent",
+        "spec-driven",
+        "verification",
+        "code-review",
+        "mcp",
+        "loki"
+      ]
+    }
+  ]
+}

package/SKILL.md

@@ -3,7 +3,7 @@ name: loki-mode
 description: Autonomous spec-driven build system with a built-in trust layer. It does not call work done until it is verified (RARV-C closure loop, 11 quality gates, completion council, verified-completion evidence gate). Triggers on "Loki Mode". Takes a spec (PRD, GitHub issue, OpenAPI doc, etc.) to deployed product with minimal human intervention. Provider-agnostic. Requires --dangerously-skip-permissions flag.
 ---
 
-# Loki Mode v7.38.0
+# Loki Mode v7.39.0
 
 **You are an autonomous agent. You make decisions. You do not ask questions. You do not stop.**
 
@@ -398,4 +398,4 @@ See `CHANGELOG.md` entries [7.5.7], [7.5.8], [7.5.13] for the per-fix list and r
 
 ---
 
-**v7.38.0 | [Autonomi](https://www.autonomi.dev/) flagship product | ~260 lines core**
+**v7.39.0 | [Autonomi](https://www.autonomi.dev/) flagship product | ~260 lines core**

package/VERSION

@@ -1 +1 @@
-7.38.0
+7.39.0

package/autonomy/lib/claude-flags.sh

@@ -261,14 +261,18 @@ loki_review_guard_denylist() {
 # the dangerous forms. echo>/sed -i/python -c style writes are not enumerable and
 # remain possible; the real net is commit-before-agent-wave (see CLAUDE.md).
 #
-# DEFAULT OFF (opt-in LOKI_REVIEW_ALLOWLIST=1) so the default argv on BOTH routes
-# stays byte-identical to v7.34. Gated on CLI support so an older claude degrades
-# gracefully (emits nothing). Predicate + token so call sites append uniformly:
+# DEFAULT ON (safety-additive least-privilege; opt OUT with LOKI_REVIEW_ALLOWLIST=0).
+# Flipped default-on because deny precedence (verified live) means the denylist
+# still hard-blocks every mutation form while this allowlist only narrows the
+# reviewer surface to read/inspect tools -- pure safety win, no surprise spend, no
+# egress. The escape hatch (LOKI_REVIEW_ALLOWLIST=0) restores the prior off state.
+# Gated on CLI support so an older claude degrades gracefully (emits nothing).
+# Predicate + token so call sites append uniformly:
 #   if loki_review_allowlist_enabled; then
 #       argv+=("--allowedTools" "$(loki_review_allowlist)")
 #   fi
 loki_review_allowlist_enabled() {
-    [ "${LOKI_REVIEW_ALLOWLIST:-0}" = "1" ] || return 1
+    [ "${LOKI_REVIEW_ALLOWLIST:-1}" = "0" ] && return 1
     loki_claude_flag_supported "--allowedTools"
 }
 loki_review_allowlist() {

package/autonomy/loki

@@ -649,13 +649,18 @@ show_help() {
     # do NOT appear here; they live in the collapsed footer below and in
     # `loki help aliases`. The full long-tail surface is still dispatchable and
     # documented per-command via `loki <command> --help`.
+    #
+    # v7.39.0: trimmed three lower-traffic canonical entries off the front page
+    # to hold the lean target after `ultracode` (v7.38.0) joined Verify/trust:
+    # grill (pre-build spec interrogation, advanced), spec (living-spec drift,
+    # advanced), and cleanup (orphaned-process recovery, rare). They remain
+    # fully canonical (NOT aliases), dispatchable, and listed in the "More
+    # commands" footer below + documented via `loki <command> --help`.
     echo "Commands:"
     echo ""
     echo "Build:"
     echo "  start [SPEC]     Start a build (PRD file, GitHub issue, or no arg)"
     echo "  plan <PRD-file>  Dry-run analysis: complexity, cost, execution plan"
-    echo "  grill [SPEC]     Devil's-advocate spec interrogation before you build"
-    echo "  spec [cmd]       Living spec: lock|status|sync (drift detection)"
     echo "  quickstart [idea]  Guided first build: setup, idea, template, plan, go"
     echo ""
     echo "Session:"
@@ -663,7 +668,6 @@ show_help() {
     echo "  stop             Stop execution immediately"
     echo "  pause            Pause after current session"
     echo "  resume           Resume paused execution"
-    echo "  cleanup          Kill orphaned processes from crashed sessions"
     echo ""
     echo "Verify / trust:"
     echo "  verify [base]    Deterministic PR verification (CI-gate exit codes)"
@@ -692,10 +696,10 @@ show_help() {
     echo "  version          Show version"
     echo "  help             Show this help ('loki help aliases' for old names)"
     echo ""
-    echo "More commands (init, watch, demo, web, api, logs, github,"
-    echo "import, council, proof, audit, agent, template, magic, docs, wiki, ci,"
-    echo "test, bench, secrets, telemetry, crash, worktree, failover, monitor,"
-    echo "remote, ...) are dispatchable and documented via"
+    echo "More commands (grill, spec, cleanup, init, watch, demo, web, api,"
+    echo "logs, github, import, council, proof, audit, agent, template, magic,"
+    echo "docs, wiki, ci, test, bench, secrets, telemetry, crash, worktree,"
+    echo "failover, monitor, remote, ...) are dispatchable and documented via"
     echo "'loki <command> --help'."
     echo ""
     echo "Aliases (deprecated): older command names still work; they print a"

package/dashboard/__init__.py

@@ -7,7 +7,7 @@ Modules:
     control: Session control API (start/stop/pause/resume)
 """
 
-__version__ = "7.38.0"
+__version__ = "7.39.0"
 
 # Expose the control app for easy import
 try:

package/docs/INSTALLATION.md

@@ -2,7 +2,7 @@
 
 The flagship product of [Autonomi](https://www.autonomi.dev/). Loki Mode is a spec-driven autonomous builder with a built-in trust layer that takes any spec to a deployed product and verifies completion with evidence (quality gates plus a completion council), not just a "done" claim. Complete installation instructions for all platforms and use cases.
 
-**Version:** v7.38.0
+**Version:** v7.39.0
 
 ---
 

package/loki-ts/dist/loki.js

@@ -1,5 +1,5 @@
 // @bun
-var n6=Object.defineProperty;var a6=($)=>$;function s6($,Q){this[$]=a6.bind(null,Q)}var h=($,Q)=>{for(var Z in Q)n6($,Z,{get:Q[Z],enumerable:!0,configurable:!0,set:s6.bind(Q,Z)})};var L=($,Q)=>()=>($&&(Q=$($=0)),Q);var K$=import.meta.require;var S1={};h(S1,{lokiDir:()=>P,homeLokiDir:()=>o$,findRepoRootForVersion:()=>d$,REPO_ROOT:()=>m});import{resolve as n,dirname as l$}from"path";import{fileURLToPath as t6}from"url";import{existsSync as P$}from"fs";import{homedir as r6}from"os";function i6(){let $=N1;for(let Q=0;Q<6;Q++){if(P$(n($,"VERSION"))&&P$(n($,"autonomy/run.sh")))return $;let Z=l$($);if(Z===$)break;$=Z}return n(N1,"..","..","..")}function d$($){let Q=$;for(let Z=0;Z<6;Z++){if(P$(n(Q,"VERSION"))&&P$(n(Q,"autonomy/run.sh")))return Q;let z=l$(Q);if(z===Q)break;Q=z}return n($,"..","..","..")}function P(){return process.env.LOKI_DIR??n(process.cwd(),".loki")}function o$(){return n(r6(),".loki")}var N1,m;var C=L(()=>{N1=l$(t6(import.meta.url));m=i6()});import{readFileSync as e6}from"fs";import{resolve as $Q,dirname as QQ}from"path";import{fileURLToPath as ZQ}from"url";function F$(){if($$!==null)return $$;let $="7.38.0";if(typeof $==="string"&&$.length>0)return $$=$,$$;try{let Q=QQ(ZQ(import.meta.url)),Z=d$(Q);$$=e6($Q(Z,"VERSION"),"utf-8").trim()}catch{$$="unknown"}return $$}var $$=null;var n$=L(()=>{C()});var C1={};h(C1,{runOrThrow:()=>zQ,run:()=>j,commandVersion:()=>KQ,commandExists:()=>f,ShellError:()=>a$});async function j($,Q={}){let Z=Bun.spawn({cmd:[...$],stdout:"pipe",stderr:"pipe",env:Q.env?{...process.env,...Q.env}:process.env,cwd:Q.cwd}),z,X;if(Q.timeoutMs&&Q.timeoutMs>0)z=setTimeout(()=>{try{Z.kill("SIGTERM")}catch{}X=setTimeout(()=>{try{Z.kill("SIGKILL")}catch{}},2000)},Q.timeoutMs);try{let[W,K,U]=await Promise.all([new Response(Z.stdout).text(),new Response(Z.stderr).text(),Z.exited]);return{stdout:W,stderr:K,exitCode:U}}finally{if(z)clearTimeout(z);if(X)clearTimeout(X)}}async function zQ($,Q={}){let Z=await j($,Q);if(Z.exitCode!==0)throw new a$(`command failed (${Z.exitCode}): ${$.join(" ")}`,Z.exitCode,Z.stdout,Z.stderr);return Z}async function f($){let Q=XQ($),Z=await j(["sh","-c",`command -v ${Q}`],{timeoutMs:5000});if(Z.exitCode===0)return Z.stdout.trim()||null;return null}function XQ($){if(!/^[A-Za-z0-9._/-]+$/.test($))throw Error(`refused to shell-escape suspect token: ${$}`);return $}async function KQ($,Q="--version"){if(!await f($))return null;let z=await j([$,Q],{timeoutMs:5000});if(z.exitCode!==0)return null;return((z.stdout||z.stderr).split(/\r?\n/)[0]?.trim()??"")||null}var a$;var d=L(()=>{a$=class a$ extends Error{message;exitCode;stdout;stderr;constructor($,Q,Z,z){super($);this.message=$;this.exitCode=Q;this.stdout=Z;this.stderr=z;this.name="ShellError"}}});function a($){return WQ?"":$}var WQ,T,S,I,TZ,w,R,y,q;var c=L(()=>{WQ=(process.env.NO_COLOR??"").length>0;T=a("\x1B[0;31m"),S=a("\x1B[0;32m"),I=a("\x1B[1;33m"),TZ=a("\x1B[0;34m"),w=a("\x1B[0;36m"),R=a("\x1B[1m"),y=a("\x1B[2m"),q=a("\x1B[0m")});import{existsSync as TQ}from"fs";async function Q$(){if(B$!==void 0)return B$;let $="/opt/homebrew/bin/python3.12";if(TQ($))return B$=$,$;let Q=await f("python3.12");if(Q)return B$=Q,Q;let Z=await f("python3");return B$=Z,Z}async function Z$($,Q={}){let Z=await Q$();if(!Z)return{stdout:"",stderr:"python3 not found",exitCode:127};return j([Z,"-c",$],Q)}var B$;var W$=L(()=>{d()});var t1={};h(t1,{runStatus:()=>gQ});import{existsSync as v,readFileSync as U$,readdirSync as l1,statSync as d1}from"fs";import{resolve as D,basename as xQ}from"path";import{homedir as NQ}from"os";async function DQ(){if(await f("jq"))return!0;return process.stdout.write(`${T}Error: jq is required but not installed.${q}
+var n6=Object.defineProperty;var a6=($)=>$;function s6($,Q){this[$]=a6.bind(null,Q)}var h=($,Q)=>{for(var Z in Q)n6($,Z,{get:Q[Z],enumerable:!0,configurable:!0,set:s6.bind(Q,Z)})};var L=($,Q)=>()=>($&&(Q=$($=0)),Q);var K$=import.meta.require;var S1={};h(S1,{lokiDir:()=>P,homeLokiDir:()=>o$,findRepoRootForVersion:()=>d$,REPO_ROOT:()=>m});import{resolve as n,dirname as l$}from"path";import{fileURLToPath as t6}from"url";import{existsSync as P$}from"fs";import{homedir as r6}from"os";function i6(){let $=N1;for(let Q=0;Q<6;Q++){if(P$(n($,"VERSION"))&&P$(n($,"autonomy/run.sh")))return $;let Z=l$($);if(Z===$)break;$=Z}return n(N1,"..","..","..")}function d$($){let Q=$;for(let Z=0;Z<6;Z++){if(P$(n(Q,"VERSION"))&&P$(n(Q,"autonomy/run.sh")))return Q;let z=l$(Q);if(z===Q)break;Q=z}return n($,"..","..","..")}function P(){return process.env.LOKI_DIR??n(process.cwd(),".loki")}function o$(){return n(r6(),".loki")}var N1,m;var C=L(()=>{N1=l$(t6(import.meta.url));m=i6()});import{readFileSync as e6}from"fs";import{resolve as $Q,dirname as QQ}from"path";import{fileURLToPath as ZQ}from"url";function F$(){if($$!==null)return $$;let $="7.39.0";if(typeof $==="string"&&$.length>0)return $$=$,$$;try{let Q=QQ(ZQ(import.meta.url)),Z=d$(Q);$$=e6($Q(Z,"VERSION"),"utf-8").trim()}catch{$$="unknown"}return $$}var $$=null;var n$=L(()=>{C()});var C1={};h(C1,{runOrThrow:()=>zQ,run:()=>j,commandVersion:()=>KQ,commandExists:()=>f,ShellError:()=>a$});async function j($,Q={}){let Z=Bun.spawn({cmd:[...$],stdout:"pipe",stderr:"pipe",env:Q.env?{...process.env,...Q.env}:process.env,cwd:Q.cwd}),z,X;if(Q.timeoutMs&&Q.timeoutMs>0)z=setTimeout(()=>{try{Z.kill("SIGTERM")}catch{}X=setTimeout(()=>{try{Z.kill("SIGKILL")}catch{}},2000)},Q.timeoutMs);try{let[W,K,U]=await Promise.all([new Response(Z.stdout).text(),new Response(Z.stderr).text(),Z.exited]);return{stdout:W,stderr:K,exitCode:U}}finally{if(z)clearTimeout(z);if(X)clearTimeout(X)}}async function zQ($,Q={}){let Z=await j($,Q);if(Z.exitCode!==0)throw new a$(`command failed (${Z.exitCode}): ${$.join(" ")}`,Z.exitCode,Z.stdout,Z.stderr);return Z}async function f($){let Q=XQ($),Z=await j(["sh","-c",`command -v ${Q}`],{timeoutMs:5000});if(Z.exitCode===0)return Z.stdout.trim()||null;return null}function XQ($){if(!/^[A-Za-z0-9._/-]+$/.test($))throw Error(`refused to shell-escape suspect token: ${$}`);return $}async function KQ($,Q="--version"){if(!await f($))return null;let z=await j([$,Q],{timeoutMs:5000});if(z.exitCode!==0)return null;return((z.stdout||z.stderr).split(/\r?\n/)[0]?.trim()??"")||null}var a$;var d=L(()=>{a$=class a$ extends Error{message;exitCode;stdout;stderr;constructor($,Q,Z,z){super($);this.message=$;this.exitCode=Q;this.stdout=Z;this.stderr=z;this.name="ShellError"}}});function a($){return WQ?"":$}var WQ,T,S,I,TZ,w,R,y,q;var c=L(()=>{WQ=(process.env.NO_COLOR??"").length>0;T=a("\x1B[0;31m"),S=a("\x1B[0;32m"),I=a("\x1B[1;33m"),TZ=a("\x1B[0;34m"),w=a("\x1B[0;36m"),R=a("\x1B[1m"),y=a("\x1B[2m"),q=a("\x1B[0m")});import{existsSync as TQ}from"fs";async function Q$(){if(B$!==void 0)return B$;let $="/opt/homebrew/bin/python3.12";if(TQ($))return B$=$,$;let Q=await f("python3.12");if(Q)return B$=Q,Q;let Z=await f("python3");return B$=Z,Z}async function Z$($,Q={}){let Z=await Q$();if(!Z)return{stdout:"",stderr:"python3 not found",exitCode:127};return j([Z,"-c",$],Q)}var B$;var W$=L(()=>{d()});var t1={};h(t1,{runStatus:()=>gQ});import{existsSync as v,readFileSync as U$,readdirSync as l1,statSync as d1}from"fs";import{resolve as D,basename as xQ}from"path";import{homedir as NQ}from"os";async function DQ(){if(await f("jq"))return!0;return process.stdout.write(`${T}Error: jq is required but not installed.${q}
 `),process.stdout.write(`Install with:
 `),process.stdout.write(`  brew install jq    (macOS)
 `),process.stdout.write(`  apt install jq     (Debian/Ubuntu)
@@ -789,4 +789,4 @@ Set LOKI_LEGACY_BASH=1 to force the bash CLI for every command.
 `),2}default:return process.stderr.write(`Unknown command: ${Q}
 `),process.stderr.write(o6),2}}p1();process.on("SIGINT",()=>process.exit(130));process.on("SIGTERM",()=>process.exit(143));var ZZ=await QZ(Bun.argv.slice(2));process.exit(ZZ);
 
-//# debugId=CD214D71C449250864756E2164756E21
+//# debugId=0053955F19A92CF864756E2164756E21

package/mcp/__init__.py

@@ -57,4 +57,4 @@ try:
 except ImportError:
     __all__ = ['mcp']
 
-__version__ = '7.38.0'
+__version__ = '7.39.0'

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "loki-mode",
   "mcpName": "io.github.asklokesh/loki-mode",
-  "version": "7.38.0",
+  "version": "7.39.0",
   "description": "Loki Mode by Autonomi. Autonomous spec-to-product system: takes a PRD, GitHub issue, OpenAPI/JSON/YAML, or one-line brief to a deployed app via the RARV-C closure loop with 11 quality gates. Provider-agnostic (Claude Code, OpenAI Codex, Cline, Aider).",
   "keywords": [
     "agent",
@@ -67,6 +67,8 @@
     "VERSION",
     "assets/",
     "tools/",
+    "plugins/",
+    ".claude-plugin/marketplace.json",
     "autonomy/",
     "providers/",
     "agents/",

package/plugins/loki-mode/.claude-plugin/plugin.json

@@ -0,0 +1,28 @@
+{
+  "$schema": "https://json.schemastore.org/claude-code-plugin-manifest.json",
+  "name": "loki-mode",
+  "displayName": "Loki Mode",
+  "version": "7.39.0",
+  "description": "Autonomous spec-to-product build system with a built-in trust layer (RARV-C closure loop, 11 quality gates, completion council). Ships Loki's spec-hardening, drift-detection, and deterministic PR verification commands plus the Loki MCP server.",
+  "author": {
+    "name": "Autonomi",
+    "url": "https://www.autonomi.dev/"
+  },
+  "homepage": "https://github.com/asklokesh/loki-mode",
+  "repository": "https://github.com/asklokesh/loki-mode",
+  "license": "SEE LICENSE IN LICENSE",
+  "keywords": [
+    "autonomous",
+    "agent",
+    "spec-driven",
+    "verification",
+    "code-review",
+    "mcp",
+    "loki"
+  ],
+  "commands": [
+    "./commands/"
+  ],
+  "mcpServers": "./.mcp.json",
+  "hooks": "./hooks/hooks.json"
+}

package/plugins/loki-mode/.mcp.json

@@ -0,0 +1,11 @@
+{
+  "mcpServers": {
+    "loki-mode": {
+      "command": "loki",
+      "args": ["mcp", "--transport", "stdio"],
+      "env": {
+        "LOKI_MCP_AUTO_BOOTSTRAP": "1"
+      }
+    }
+  }
+}

package/plugins/loki-mode/README.md

@@ -0,0 +1,88 @@
+# Loki Mode plugin for Claude Code
+
+Loki Mode is the autonomous spec-to-product build system with a built-in trust
+layer (RARV-C closure loop, 11 quality gates, completion council). This plugin
+brings Loki's spec-hardening, drift-detection, and deterministic PR verification
+into Claude Code as slash commands, and wires up the Loki MCP server.
+
+Homepage: https://github.com/asklokesh/loki-mode
+
+## Install
+
+The plugin is published through the Autonomi marketplace, which lives in this
+same repository.
+
+1. Add the marketplace (one time):
+
+   ```
+   /plugin marketplace add asklokesh/loki-mode
+   ```
+
+2. Install the plugin:
+
+   ```
+   /plugin install loki-mode@loki-mode
+   ```
+
+That is it. The commands below become available immediately.
+
+## What you get
+
+Slash commands (namespaced as `loki-mode:<command>`):
+
+- `loki-mode:loki-grill` - interrogate a spec with Loki's Devil's-Advocate
+  grill before building, and summarize the hardest questions it surfaces.
+- `loki-mode:loki-spec-status` - check whether the spec has drifted from its
+  lock using deterministic living-spec drift detection.
+- `loki-mode:loki-verify` - run Loki's deterministic PR verification on the
+  current change and summarize the evidence verdict.
+
+MCP server (`loki-mode`): exposes Loki's tools (memory, task queue, code
+search, build management) to Claude Code.
+
+## Requirement: the loki-mode CLI must be installed
+
+The slash commands run `loki ...` subcommands, and the MCP server is launched
+via `loki mcp`. Both require the `loki` binary to be on your PATH. Install it
+once:
+
+```
+npm install -g loki-mode
+```
+
+or with Homebrew:
+
+```
+brew install asklokesh/tap/loki-mode
+```
+
+The plugin ships the commands, MCP wiring, and an optional guard hook. It does
+not bundle the Loki runtime itself, because a marketplace plugin is copied into
+an isolated cache and cannot reach the rest of the repository. The CLI on PATH
+is what provides the runtime.
+
+On the MCP server's first launch, if the Python MCP SDK is not present, the
+bundled config sets `LOKI_MCP_AUTO_BOOTSTRAP=1` as written, in-advance consent
+so the server can create a project-local virtualenv at `.loki/mcp-venv` and
+install its dependencies non-interactively. Remove that env var from
+`.mcp.json` if you prefer to bootstrap manually (run `loki mcp` once in a
+terminal and follow the printed instructions).
+
+## Optional Bash guard hook (off by default)
+
+The plugin ships a `PreToolUse` hook for the Bash tool that is a no-op unless
+you opt in. Set `LOKI_GUARD=1` in your environment to enable it. When enabled it
+blocks a small set of clearly destructive Bash commands that have bitten Loki
+runs before:
+
+- `rm -rf` on `/tmp/loki-*` while a live Loki run may be staging files there
+- `rm -rf` of a filesystem or `$HOME` root
+- `git add -A` / `git add .` (Loki convention: stage files individually)
+
+With `LOKI_GUARD` unset the hook always allows the command through, so it never
+interferes unless you ask it to.
+
+## License
+
+SEE LICENSE IN LICENSE (BUSL-1.1, source-available). See the LICENSE file at the
+repository root.

package/plugins/loki-mode/commands/loki-grill.md

@@ -0,0 +1,47 @@
+---
+description: Interrogate a spec with Loki's Devil's-Advocate grill before building, and summarize the hardest questions it surfaces.
+argument-hint: "[spec-path] (default: prd.md / .loki/generated-prd.md)"
+allowed-tools: Bash(loki grill:*), Read
+---
+
+Harden a spec before any code is written. Loki's grill invokes the provider
+once with a Devil's-Advocate prompt to surface the 10-15 hardest questions that
+expose ambiguities, missing acceptance criteria, unstated assumptions, and
+security/scale blind spots. A grilled spec is a better Reason input to the
+RARV-C loop.
+
+Steps:
+
+1. Run the interrogation on the spec ($ARGUMENTS, or the default resolution
+   prd.md / .loki/generated-prd.md if empty):
+
+   ```
+   loki grill $ARGUMENTS
+   ```
+
+   It writes `.loki/grill/report.md`. It requires a provider CLI and fails
+   cleanly (exit 3) when none is available: it never fabricates questions.
+
+2. Read `.loki/grill/report.md` and present the findings to the user grouped by
+   category:
+   - Ambiguities and missing acceptance criteria
+   - Unstated assumptions
+   - Security blind spots
+   - Scale and reliability blind spots
+
+3. For each hard question, suggest a concrete way to resolve it in the spec
+   (a precise acceptance criterion, an explicit assumption made explicit, a
+   security control, a stated limit). Do not silently answer them yourself;
+   the point is to harden the human's intent.
+
+4. If the user wants the questions embedded in the spec for the record, offer:
+
+   ```
+   loki grill --apply $ARGUMENTS
+   ```
+
+   which appends a "Grill findings" section to the spec file. Ask before
+   modifying the spec.
+
+Report only what the grill produced. If the provider was unavailable, say so
+plainly and do not invent questions.

package/plugins/loki-mode/commands/loki-spec-status.md

@@ -0,0 +1,48 @@
+---
+description: Check whether the spec has drifted from its lock using Loki's living-spec drift detection, and summarize the report.
+argument-hint: "[spec-path] (default: prd.md / .loki/generated-prd.md)"
+allowed-tools: Bash(loki spec:*), Read
+---
+
+Check whether the spec is still true: the spec is the contract; Loki keeps it
+true. This runs deterministic drift detection (no LLM cost) comparing the
+current spec against its lock.
+
+Steps:
+
+1. If there is no lock yet, the status command will say so. In that case, offer
+   to create one:
+
+   ```
+   loki spec lock $ARGUMENTS
+   ```
+
+   The lock (`.loki/spec/spec.lock`) is a deterministic map of spec
+   requirements (checklist items and headings) to content hashes, plus repo
+   HEAD at lock time.
+
+2. Run the drift check:
+
+   ```
+   loki spec status $ARGUMENTS
+   ```
+
+   Exit 0 means in sync (SPEC-TRUE); exit 1 means drift detected
+   (SPEC-DRIFTED). It writes `.loki/spec/drift-report.json`.
+
+3. Read `.loki/spec/drift-report.json` and summarize for the user:
+   - The verdict: SPEC-TRUE or SPEC-DRIFTED.
+   - Counts of ADDED, REMOVED, and CHANGED requirements, then list each one.
+   - Whether code changed since the locked HEAD (files, insertions, deletions).
+
+4. If drifted, explain the choice clearly:
+   - If the code is the source of truth and the spec should follow, the human
+     updates the spec, then runs `loki spec sync $ARGUMENTS` to re-lock.
+   - If the spec is correct and the code lags, the change set is incomplete.
+
+   This MVP never auto-rewrites the spec. Re-locking via `loki spec sync` is an
+   explicit human action after review. Do not run `sync` automatically; ask
+   first.
+
+Report only what the drift report shows. Do not infer requirements that are not
+in the spec.

package/plugins/loki-mode/commands/loki-verify.md

@@ -0,0 +1,38 @@
+---
+description: Run Loki's deterministic PR verification on the current change and summarize the evidence verdict.
+argument-hint: "[base-ref] (default: main)"
+allowed-tools: Bash(loki verify:*), Read
+---
+
+Run Loki's Autonomi Verify on the current working tree and report the verdict
+with its evidence, not just an opinion in chat. The differentiator is the
+auditable artifact: a verdict that refuses to silently pass on inconclusive
+evidence.
+
+Steps:
+
+1. Run the verifier against the base ref ($ARGUMENTS, or `main` if empty):
+
+   ```
+   loki verify $ARGUMENTS
+   ```
+
+   It computes the PR-style delta merge-base(base, HEAD)..HEAD and runs
+   deterministic gates (build, tests, static analysis, secret scan, dependency
+   audit, and spec drift when a spec lock exists). Exit codes:
+   0 VERIFIED, 1 CONCERNS, 2 BLOCKED, 3 verifier error.
+
+2. Read the evidence artifacts it wrote:
+   - `.loki/verify/evidence.json` (machine-readable: schema, gates, findings)
+   - `.loki/verify/report.md` (human verdict + findings table)
+
+3. Summarize for the user:
+   - The verdict (VERIFIED / CONCERNS / BLOCKED) and exit code.
+   - Each gate and its status (pass / fail / inconclusive / skipped).
+   - Every finding: severity, category, file:line, and whether it is blocking.
+   - If the verdict is CONCERNS or BLOCKED, list exactly what to fix.
+
+Be honest about inconclusive evidence: an inconclusive gate (for example a test
+runner that could not run) is never upgraded to VERIFIED. If the diff is empty,
+the verdict is CONCERNS (nothing to verify), not VERIFIED. Do not claim the
+change is verified unless the evidence says VERIFIED.

package/plugins/loki-mode/hooks/hooks.json

@@ -0,0 +1,15 @@
+{
+  "hooks": {
+    "PreToolUse": [
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "\"${CLAUDE_PLUGIN_ROOT}\"/scripts/loki-guard.sh"
+          }
+        ]
+      }
+    ]
+  }
+}

package/plugins/loki-mode/scripts/loki-guard.sh

@@ -0,0 +1,103 @@
+#!/usr/bin/env bash
+# Loki Mode opt-in Bash guard (PreToolUse hook).
+#
+# DEFAULT: OFF. This hook is a no-op pass-through unless the user explicitly
+# opts in by setting LOKI_GUARD=1 (or true/yes/on, case-insensitive) in their
+# environment. With the guard disabled the hook always exits 0 immediately, so
+# it never interferes with a user's Bash tool calls.
+#
+# When enabled, it inspects the proposed Bash command (read from the PreToolUse
+# event JSON on stdin) and blocks a small set of clearly destructive patterns
+# that have bitten Loki runs in the past:
+#   - rm -rf on /tmp/loki-* globs while a live run may be staging there
+#   - rm -rf of / or $HOME roots
+#   - git add -A / git add . (Loki convention: stage files individually)
+#
+# Blocking contract (Claude Code hooks): to deny a tool call, emit a JSON object
+# on stdout with permissionDecision "deny" and a reason, and exit 0. Anything
+# else (empty object, exit 0) allows the call. We never hard-fail the hook so a
+# parsing hiccup can never wedge the session.
+#
+# This script depends only on bash builtins plus python3 (already required by
+# Loki) for robust JSON parsing. If python3 is missing it degrades to allow.
+
+set -u
+
+# 1. Opt-in gate. Unset / empty / anything-not-truthy => pass through.
+guard_on=0
+case "$(printf '%s' "${LOKI_GUARD:-}" | tr '[:upper:]' '[:lower:]')" in
+  1 | true | yes | on | y) guard_on=1 ;;
+  *) guard_on=0 ;;
+esac
+
+if [ "$guard_on" -ne 1 ]; then
+  # Disabled: allow without comment.
+  printf '{}'
+  exit 0
+fi
+
+# 2. Read the event JSON from stdin (PreToolUse provides tool_input.command).
+event="$(cat 2>/dev/null || true)"
+
+# 3. Extract the proposed command. Prefer python3; degrade to allow on any error.
+cmd=""
+if command -v python3 >/dev/null 2>&1; then
+  cmd="$(printf '%s' "$event" | python3 -c '
+import sys, json
+try:
+    e = json.load(sys.stdin)
+except Exception:
+    sys.exit(0)
+ti = e.get("tool_input") or {}
+c = ti.get("command")
+if isinstance(c, str):
+    sys.stdout.write(c)
+' 2>/dev/null || true)"
+fi
+
+# No command parsed => allow.
+if [ -z "$cmd" ]; then
+  printf '{}'
+  exit 0
+fi
+
+deny() {
+  # $1 = reason. Emit a deny decision and exit 0 (the hook itself succeeded).
+  reason="$1"
+  printf '%s' "$reason" | python3 -c '
+import sys, json
+reason = sys.stdin.read()
+print(json.dumps({
+    "hookSpecificOutput": {
+        "hookEventName": "PreToolUse",
+        "permissionDecision": "deny",
+        "permissionDecisionReason": reason
+    }
+}))
+'
+  exit 0
+}
+
+# 4. Destructive-pattern checks (only reached when guard is ON).
+
+# 4a. rm -rf targeting /tmp/loki-* while a live run may be staging there.
+if printf '%s' "$cmd" | grep -Eq 'rm[[:space:]]+(-[A-Za-z]*r[A-Za-z]*f|-[A-Za-z]*f[A-Za-z]*r|-rf|-fr)[[:space:]].*/tmp/loki-'; then
+  if command -v pgrep >/dev/null 2>&1 && pgrep -f 'loki-run-' >/dev/null 2>&1; then
+    deny "LOKI_GUARD: refusing rm -rf on /tmp/loki-* while a live loki run is staging there (pgrep -f loki-run- matched). Scope cleanup to known-dead paths, or stop the run first."
+  fi
+fi
+
+# 4b. rm -rf of filesystem root or HOME root.
+# shellcheck disable=SC2016  # the regex matches the literal text $HOME in the command, no expansion intended
+if printf '%s' "$cmd" | grep -Eq 'rm[[:space:]]+-[A-Za-z]*[rf][A-Za-z]*[[:space:]]+(-[A-Za-z]+[[:space:]]+)*(/|/\*|"\$HOME"|\$HOME|~)([[:space:]]|$)'; then
+  deny "LOKI_GUARD: refusing rm -rf of a filesystem or HOME root. This is almost certainly a mistake."
+fi
+
+# 4c. git add -A / git add . (Loki convention: stage files individually).
+if printf '%s' "$cmd" | grep -Eq 'git[[:space:]]+add[[:space:]]+(-A|--all|\.)([[:space:]]|$)'; then
+  deny "LOKI_GUARD: 'git add -A' / 'git add .' is blocked by Loki convention. Stage files individually by name."
+fi
+
+# 5. Nothing matched => allow.
+printf '{}'
+exit 0