loki-mode 7.40.0 → 7.41.0

package/SKILL.md

@@ -3,7 +3,7 @@ name: loki-mode
 description: Autonomous spec-driven build system with a built-in trust layer. It does not call work done until it is verified (RARV-C closure loop, 11 quality gates, completion council, verified-completion evidence gate). Triggers on "Loki Mode". Takes a spec (PRD, GitHub issue, OpenAPI doc, etc.) to deployed product with minimal human intervention. Provider-agnostic. Requires --dangerously-skip-permissions flag.
 ---
 
-# Loki Mode v7.40.0
+# Loki Mode v7.41.0
 
 **You are an autonomous agent. You make decisions. You do not ask questions. You do not stop.**
 
@@ -398,4 +398,4 @@ See `CHANGELOG.md` entries [7.5.7], [7.5.8], [7.5.13] for the per-fix list and r
 
 ---
 
-**v7.40.0 | [Autonomi](https://www.autonomi.dev/) flagship product | ~260 lines core**
+**v7.41.0 | [Autonomi](https://www.autonomi.dev/) flagship product | ~260 lines core**

package/VERSION

@@ -1 +1 @@
-7.40.0
+7.41.0

package/autonomy/completion-council.sh

@@ -1775,7 +1775,15 @@ ISSUES: CRITICAL:description (optional, one per line per issue)"
                 if type loki_review_guard_enabled >/dev/null 2>&1 && loki_review_guard_enabled; then
                     _cm_argv+=("--disallowedTools" "$(loki_review_guard_denylist)")
                 fi
-                verdict=$(echo "$prompt" | claude "${_cm_argv[@]}" -p 2>/dev/null | tail -20)
+                # caveman HARD-SUPPRESS (parsed output): this council vote is
+                # parsed for "VOTE: APPROVE|REJECT|CANNOT_VALIDATE". A globally-
+                # active caveman would compress/reword that line and silently flip
+                # the vote to the default REJECT, corrupting completion detection.
+                # Disable caveman UNCONDITIONALLY with CAVEMAN_DEFAULT_MODE=off.
+                # Set inline (not via a helper) so the carve-out holds even when
+                # this file is sourced standalone and the helpers are out of scope.
+                # Inlined on `claude` only (does not cross the pipe). No-op absent.
+                verdict=$(echo "$prompt" | env CAVEMAN_DEFAULT_MODE=off claude "${_cm_argv[@]}" -p 2>/dev/null | tail -20)
             fi
             ;;
         codex)
@@ -1870,7 +1878,11 @@ REASON: your reasoning"
                 if type loki_review_guard_enabled >/dev/null 2>&1 && loki_review_guard_enabled; then
                     _co_argv+=("--disallowedTools" "$(loki_review_guard_denylist)")
                 fi
-                verdict=$(echo "$prompt" | claude "${_co_argv[@]}" -p 2>/dev/null | tail -20)
+                # caveman HARD-SUPPRESS (parsed output): the devil's-advocate
+                # (contrarian) vote is parsed for "VOTE:". Disable caveman
+                # unconditionally so compression cannot flip the contrarian vote.
+                # Inlined on `claude` only (does not cross the pipe). No-op absent.
+                verdict=$(echo "$prompt" | env CAVEMAN_DEFAULT_MODE=off claude "${_co_argv[@]}" -p 2>/dev/null | tail -20)
             fi
             ;;
         codex)

package/autonomy/council-v2.sh

@@ -276,7 +276,16 @@ Respond ONLY with a valid JSON object. No markdown fencing."
                 if type loki_review_guard_enabled >/dev/null 2>&1 && loki_review_guard_enabled; then
                     _c2_argv+=("--disallowedTools" "$(loki_review_guard_denylist)")
                 fi
-                result=$(echo "$full_prompt" | claude "${_c2_argv[@]}" -p 2>/dev/null || echo '{"verdict":"REJECT","reasoning":"review execution failed","issues":[]}')
+                # caveman HARD-SUPPRESS (parsed output, v7.41.0): this reviewer
+                # verdict is captured and parsed for the JSON "verdict" field. A
+                # globally-active caveman would compress/reword that JSON and
+                # silently flip the verdict to the REJECT fallback. The tree-wide
+                # default-off export in claude-flags.sh already covers this (the
+                # whole subprocess tree inherits CAVEMAN_DEFAULT_MODE=off); the
+                # inline prefix here is belt-and-suspenders so the carve-out is
+                # self-documenting and robust to sourcing order. No-op when caveman
+                # is absent.
+                result=$(echo "$full_prompt" | CAVEMAN_DEFAULT_MODE=off claude "${_c2_argv[@]}" -p 2>/dev/null || echo '{"verdict":"REJECT","reasoning":"review execution failed","issues":[]}')
             else
                 result='{"verdict":"REJECT","reasoning":"reviewer CLI unavailable","issues":[]}'
             fi

package/autonomy/grill.sh

@@ -204,8 +204,16 @@ grill_invoke_provider() {
             if type loki_review_guard_enabled >/dev/null 2>&1 && loki_review_guard_enabled; then
                 _gr_argv+=("--disallowedTools" "$(loki_review_guard_denylist)")
             fi
+            # caveman HARD-SUPPRESS (parsed output, v7.41.0): the grill output is
+            # parsed downstream by loki-grill (and written to report.md as the
+            # hardest spec questions). Treat it as parsed: a globally-active
+            # caveman would compress/reword the questions. The tree-wide default-off
+            # export in claude-flags.sh (sourced at grill.sh:45) already covers
+            # this; the inline `env` prefix is belt-and-suspenders. `env` is used
+            # (not a bare VAR=val prefix) because the call goes through
+            # _grill_with_timeout, where the first token is exec'd as the command.
             out="$(printf '%s' "$prompt" \
-                | _grill_with_timeout "${LOKI_GRILL_TIMEOUT:-180}" claude "${_gr_argv[@]}" -p - 2>/dev/null)"
+                | _grill_with_timeout "${LOKI_GRILL_TIMEOUT:-180}" env CAVEMAN_DEFAULT_MODE=off claude "${_gr_argv[@]}" -p - 2>/dev/null)"
             if [ -z "$out" ]; then
                 _grill_err "provider returned no output (timeout or invocation error)"
                 return $GRILL_EXIT_ERROR

package/autonomy/lib/claude-flags.sh

@@ -482,6 +482,275 @@ loki_workflows_enabled() {
     [ "${LOKI_USE_CLAUDE_WORKFLOWS:-0}" = "1" ]
 }
 
+# ---------- v7.x caveman output-token compressor gates ----------
+# caveman (https://github.com/JuliusBrussee/caveman, MIT, vendor-less pin) is a
+# Claude Code SKILL + SessionStart hook that instructs the model to compress its
+# OUTPUT TOKENS only (prose style: lite / full / ultra / wenyan), keeping all
+# technical substance. It wraps NO API, needs NO key, has NO network of its own.
+# Once installed it activates GLOBALLY in Claude Code via a SessionStart hook
+# that reads getDefaultMode() (env CAVEMAN_DEFAULT_MODE > repo .caveman config >
+# user config > "full") and, unless the mode is "off", injects its ruleset.
+#
+# THE MOAT RISK (central, why this is wired the way it is): Loki's trust gates
+# parse EXACT model prose -- council "VOTE: APPROVE|REJECT|CANNOT_VALIDATE", code
+# review "^VERDICT:", the legacy completion-promise grep, the evidence-gate
+# sentinels. A globally-active caveman would compress those subcall outputs and
+# silently flip a verdict to the default (REJECT / not-complete), corrupting the
+# loop. This is the same failure class as the --bare OAuth footgun documented at
+# claude-flags.sh:152-161.
+#
+# THE DESIGN (off by construction, not by convention):
+#   - ACTIVATE compression only on FREE-FORM generation (main RARV dev loop +
+#     read-only codebase-analysis): inline `CAVEMAN_DEFAULT_MODE=<level> claude`.
+#   - HARD-SUPPRESS on EVERY parsed-output subcall (council vote, ^VERDICT:
+#     review, adversarial probe, conflict-merge, USAGE regen): inline
+#     `CAVEMAN_DEFAULT_MODE=off claude`. The activate hook then deletes its flag
+#     and emits nothing (verified: `CAVEMAN_DEFAULT_MODE=off node
+#     caveman-activate.js` prints "OK" with no ruleset).
+#
+# Suppression is UNCONDITIONAL and UNGATED (see loki_caveman_suppress_env): it is
+# a harmless no-op env value when caveman is absent and the essential carve-out
+# when caveman is globally present (surface b, or a user's own install) even with
+# LOKI_CAVEMAN=0. NEVER gate suppression on supported/enabled -- that would leave
+# the trust gates unprotected exactly when a user has caveman on but Loki off.
+#
+# Disclosure (honest, no fabricated figures): caveman compresses OUTPUT tokens
+# only, not input/thinking; savings are real but bounded. There is no price API,
+# so we disclose the savings CLASS, never a dollar amount (same posture as the
+# ultrareview/workflows gates).
+
+# Version pin (vendor-less). Upgrade by bumping this. The upstream installer pins
+# its hook downloads to PINNED_REF = CAVEMAN_REF || 'v1.9.0' (a git tag), and the
+# curl|bash path delegates to `npx -y github:JuliusBrussee/caveman#<ref>`. We
+# default to 1.9.0 and derive the `v`-prefixed tag in the bootstrap helper.
+LOKI_CAVEMAN_VERSION="${LOKI_CAVEMAN_VERSION:-1.9.0}"
+
+# The compression level for free-form activation. Maps directly to caveman's
+# CAVEMAN_DEFAULT_MODE values: lite | full | ultra | wenyan | wenyan-lite |
+# wenyan-full | wenyan-ultra. Default "full" (the founder-locked global default).
+# Never "off" here -- "off" is the suppression value, not an activation level.
+LOKI_CAVEMAN_LEVEL="${LOKI_CAVEMAN_LEVEL:-full}"
+
+# ---------- DEFAULT-SUPPRESS: off by construction, tree-wide ----------
+# THE MOAT GUARANTEE (v7.41.0 council fix): instead of hand-enumerating every
+# parsed-output trust-gate subcall and remembering to prefix each with
+# CAVEMAN_DEFAULT_MODE=off (a missed site silently corrupts a verdict -- caveman
+# exits 0 with mangled prose and the `|| REJECT` fallback never fires), we flip
+# the ENTIRE process tree to suppressed at the one module every tree sources.
+#
+# claude-flags.sh is sourced by EVERY tree that can spawn a parsed claude
+# subcall: the run.sh orchestrator (via providers/claude.sh), grill.sh (standalone
+# `loki grill`), lib/voter-agents.sh (Phase C agent-dispatch voters), and the
+# loki standalone review/workflows commands (on-demand). council-v2.sh carries no
+# source of its own but only ever runs inside completion-council.sh, which is in
+# the run.sh tree, so it inherits this export too. Exporting off HERE makes the
+# whole spawned subprocess tree inherit suppression -- caveman's SessionStart
+# hook reads process.env CAVEMAN_DEFAULT_MODE -- closing council-v2.sh,
+# voter-agents.sh, grill.sh, every existing parsed subcall, and any FUTURE one by
+# construction. ACTIVATION on the handful of free-form generation sites overrides
+# this per-invocation (CAVEMAN_DEFAULT_MODE=<level> claude ...).
+#
+# Capture the user's pre-existing global CAVEMAN_DEFAULT_MODE BEFORE we clobber
+# it, so the activation path can respect (never RAISE) a user's lower level (see
+# loki_caveman_activate_env). Guarded on UNSET (not empty): a child process that
+# inherits our exported LOKI_CAVEMAN_USER_MODE="" (user had no global mode) and
+# re-sources this file must NOT recapture the now-exported CAVEMAN_DEFAULT_MODE=off
+# as the user mode. ${var+x} is empty only when var is genuinely unset, so the
+# capture runs exactly once across the whole process tree, never recapturing "off".
+if [ -z "${LOKI_CAVEMAN_USER_MODE+x}" ]; then
+    LOKI_CAVEMAN_USER_MODE="${CAVEMAN_DEFAULT_MODE:-}"
+fi
+export LOKI_CAVEMAN_USER_MODE
+export CAVEMAN_DEFAULT_MODE=off
+
+# Rank a caveman mode by compression aggressiveness for the no-raise comparison.
+# Higher number = more aggressive (drops more nuance). "off" is the floor; unknown
+# or empty modes rank as -1 (treated as "no opinion", so they never win a min()).
+# The wenyan-* variants mirror their plain counterparts' aggressiveness.
+_loki_caveman_level_rank() {
+    case "${1:-}" in
+        off)                      printf '0' ;;
+        lite|wenyan-lite)         printf '1' ;;
+        full|wenyan|wenyan-full)  printf '2' ;;
+        ultra|wenyan-ultra)       printf '3' ;;
+        *)                        printf '%s' '-1' ;;
+    esac
+}
+
+# Caveman config dir resolution mirrors caveman-config.js getConfigDir(): honors
+# CLAUDE_CONFIG_DIR for the flag file location used to detect an existing install.
+_loki_caveman_claude_dir() {
+    printf '%s' "${CLAUDE_CONFIG_DIR:-$HOME/.claude}"
+}
+
+# True (0) when caveman appears installed: its SessionStart hook file exists in
+# the resolved Claude config dir. Best-effort, read-only. We check the hook the
+# upstream installer writes to ~/.claude/hooks/caveman-activate.js (standalone)
+# OR a plugin install marker. Either presence means activation will fire.
+_loki_caveman_installed() {
+    local dir
+    dir="$(_loki_caveman_claude_dir)"
+    [ -f "$dir/hooks/caveman-activate.js" ] && return 0
+    # Plugin install: the activate hook lives under a plugin root; the flag file
+    # path is stable. Treat a prior-session flag file as a weaker install signal.
+    [ -f "$dir/.caveman-active" ] && return 0
+    return 1
+}
+
+# Capability gate: can caveman compression be USED on this run? Provider is
+# Claude AND the claude CLI is present AND caveman is installed-or-bootstrappable
+# AND it is not disabled by the LOKI_CAVEMAN knob. Returns 0 when usable, 1
+# otherwise (callers emit an honest message + degrade to an uncompressed run).
+# Mirrors loki_workflows_supported's shape (provider + CLI + not-disabled).
+loki_caveman_supported() {
+    # Provider must be Claude (Tier 1). caveman is Claude-Code-only.
+    [ "${LOKI_PROVIDER:-claude}" = "claude" ] || return 1
+    command -v claude >/dev/null 2>&1 || return 1
+    # Opt-out knob also suppresses the capability (no activation when off).
+    [ "${LOKI_CAVEMAN:-1}" = "0" ] && return 1
+    # Installed now, OR bootstrappable (node + npx present so the pin can install
+    # on demand). Either way activation can take effect this run or the next.
+    if _loki_caveman_installed; then
+        return 0
+    fi
+    command -v node >/dev/null 2>&1 && command -v npx >/dev/null 2>&1 && return 0
+    return 1
+}
+
+# Activation knob: is caveman compression ENABLED for free-form subcalls?
+# DEFAULT ON (LOKI_CAVEMAN unset or 1). Opt out with LOKI_CAVEMAN=0.
+#
+# CROSS-COUPLING GUARD (moat safety): when LOKI_LEGACY_COMPLETION_MATCH=true the
+# runner detects completion by grepping the MAIN-loop prose for the completion
+# promise (run.sh:9641). Compressing the main loop would mangle that prose and
+# break the legacy detector, so caveman activation is DISABLED whenever the
+# legacy prose-match path is in use. The default completion path (the
+# loki_complete_task MCP tool / COMPLETION_REQUESTED signal file) is immune to
+# compression, so the default config keeps caveman on.
+loki_caveman_enabled() {
+    [ "${LOKI_CAVEMAN:-1}" = "0" ] && return 1
+    [ "${LOKI_LEGACY_COMPLETION_MATCH:-false}" = "true" ] && return 1
+    return 0
+}
+
+# The activation env VALUE for a free-form subcall: the configured level, or
+# empty when activation is not warranted (caveman unsupported or disabled). The
+# caller inlines it as a per-invocation env prefix (NEVER `export` -- a persisted
+# export would bleed into later parsed subcalls and defeat the carve-out):
+#   _cm_lvl="$(loki_caveman_activate_env)"
+#   if [ -n "$_cm_lvl" ]; then
+#       CAVEMAN_DEFAULT_MODE="$_cm_lvl" claude ...   # free-form only
+#   else
+#       claude ...
+#   fi
+#
+# NO-RAISE (v7.41.0 R2 finding 4): the level returned is the configured Loki
+# level, EXCEPT we never silently RAISE a user who set a LOWER global caveman
+# level. If the user globally chose "lite" (less aggressive, preserves more
+# nuance) we honor "lite" rather than forcing "full" on their free-form output.
+# We only ever lower toward the user's preference, never above it; the activation
+# level itself is the conservative-for-accuracy ceiling. The user's global mode is
+# captured at source time into LOKI_CAVEMAN_USER_MODE before the default-off
+# export clobbers CAVEMAN_DEFAULT_MODE. Unknown / empty user modes (rank -1) are
+# ignored so a malformed value can never accidentally suppress activation.
+loki_caveman_activate_env() {
+    loki_caveman_supported || return 0
+    loki_caveman_enabled   || return 0
+    local level="${LOKI_CAVEMAN_LEVEL:-full}"
+    # Respect (never exceed) a user's explicitly-lower global level. A user who
+    # globally set CAVEMAN_DEFAULT_MODE=off opted OUT of compression entirely;
+    # honor that by activating nothing (empty -> bare claude invocation).
+    local user_mode="${LOKI_CAVEMAN_USER_MODE:-}"
+    if [ "$user_mode" = "off" ]; then
+        return 0
+    fi
+    if [ -n "$user_mode" ]; then
+        local user_rank level_rank
+        user_rank="$(_loki_caveman_level_rank "$user_mode")"
+        level_rank="$(_loki_caveman_level_rank "$level")"
+        # Only defer to the user when their mode is a recognized, lower level.
+        if [ "$user_rank" -ge 0 ] && [ "$level_rank" -ge 0 ] && [ "$user_rank" -lt "$level_rank" ]; then
+            level="$user_mode"
+        fi
+    fi
+    printf '%s' "$level"
+}
+
+# The suppression env VALUE for a parsed-output subcall: ALWAYS "off",
+# UNCONDITIONALLY. Not gated on supported/enabled (see the design note above):
+# it must hard-disable caveman on a trust-gate subcall even when a user has
+# caveman globally on but LOKI_CAVEMAN=0, and it is a harmless no-op env value
+# when caveman is absent. Every parsed-output call site uses this ONE helper so
+# the carve-out is uniform:
+#   CAVEMAN_DEFAULT_MODE="$(loki_caveman_suppress_env)" claude ...
+loki_caveman_suppress_env() {
+    printf '%s' "off"
+}
+
+# Idempotent on-demand bootstrap of caveman at the pinned version. Best-effort:
+# installs once per machine, caches a marker under .loki/ so repeat runs are a
+# no-op, degrades cleanly (run proceeds UNCOMPRESSED) with an honest stderr line
+# if anything is missing or the upstream installer is unreachable. NEVER blocks
+# or fails the run. Returns 0 if caveman is (now) installed, 1 on clean degrade.
+#
+# Opt out with LOKI_CAVEMAN_AUTO_BOOTSTRAP=0. Only attempts when provider==claude
+# and the LOKI_CAVEMAN knob is on.
+#
+# GLOBAL SIDE EFFECT (disclosed): caveman installs GLOBALLY -- the upstream
+# installer adds a SessionStart hook to ~/.claude/settings.json (or
+# $CLAUDE_CONFIG_DIR) that affects EVERY Claude Code session on this machine, not
+# only Loki runs. This is caveman's only install mode. The bootstrap therefore
+# runs the upstream installer exactly as a user's own `curl|bash` would; we do
+# not author or vendor any caveman file. The one-time stderr line below names
+# this so the operator is never surprised.
+#
+# HARDENING: the npx call is forced non-interactive (--non-interactive, plus
+# </dev/null so no stdin read can ever block) and time-bounded (timeout when
+# available) so a stalled network or an unexpected prompt can never hang a user's
+# first `loki start`. caveman's installer is already auto-non-interactive without
+# a TTY, but we belt-and-suspenders it.
+loki_caveman_bootstrap() {
+    [ "${LOKI_CAVEMAN:-1}" = "0" ] && return 1
+    [ "${LOKI_CAVEMAN_AUTO_BOOTSTRAP:-1}" = "0" ] && return 1
+    [ "${LOKI_PROVIDER:-claude}" = "claude" ] || return 1
+    # Already installed -> nothing to do.
+    if _loki_caveman_installed; then
+        return 0
+    fi
+    local ver="${LOKI_CAVEMAN_VERSION:-1.9.0}"
+    local marker_dir=".loki/state"
+    local marker="$marker_dir/caveman-bootstrap-${ver}.done"
+    # Cached attempt marker: do not re-attempt a failed install over and over
+    # within the same project tree (idempotent one-shot per pinned version).
+    if [ -f "$marker" ]; then
+        _loki_caveman_installed && return 0 || return 1
+    fi
+    if ! command -v node >/dev/null 2>&1 || ! command -v npx >/dev/null 2>&1; then
+        printf '%s\n' "[caveman] node>=18 + npx required to bootstrap; skipping (run proceeds uncompressed). Install Node or set LOKI_CAVEMAN=0 to silence." >&2
+        mkdir -p "$marker_dir" 2>/dev/null && : > "$marker" 2>/dev/null || true
+        return 1
+    fi
+    printf '%s\n' "[caveman] bootstrapping output-token compressor v${ver} (one-time, pinned). NOTE: caveman installs GLOBALLY (a Claude Code SessionStart hook in ~/.claude affecting every Claude Code session). Loki applies it only to free-form generation, NEVER to trust-gate subcalls. Opt out: LOKI_CAVEMAN=0." >&2
+    # Pin via the git tag (v-prefixed) on the npx ref AND CAVEMAN_REF so the
+    # downloaded hooks match the pinned release. Default install (no --all) wires
+    # the Claude Code hook for the detected `claude` CLI. A timeout backstops a
+    # network stall; </dev/null guarantees no interactive stdin read blocks.
+    local _cm_runner="npx"
+    if command -v timeout >/dev/null 2>&1; then
+        _cm_runner="timeout 120 npx"
+    fi
+    if CAVEMAN_REF="v${ver}" $_cm_runner -y "github:JuliusBrussee/caveman#v${ver}" -- --non-interactive >/dev/null 2>&1 </dev/null; then
+        mkdir -p "$marker_dir" 2>/dev/null && : > "$marker" 2>/dev/null || true
+        if _loki_caveman_installed; then
+            printf '%s\n' "[caveman] installed v${ver}." >&2
+            return 0
+        fi
+    fi
+    printf '%s\n' "[caveman] bootstrap unavailable (upstream unreachable, timed out, or install failed); run proceeds uncompressed." >&2
+    mkdir -p "$marker_dir" 2>/dev/null && : > "$marker" 2>/dev/null || true
+    return 1
+}
+
 # ---------------------------------------------------------------------------
 # Session-continuity Phase 2 (GitHub #165) -- LOKI_RESUME_SESSION recovery resume
 #

package/autonomy/lib/voter-agents.sh

@@ -250,7 +250,13 @@ loki_council_dispatch_agents() {
     local rc=0
     local stderr_log="$COUNCIL_STATE_DIR/votes/dispatch-stderr-${iteration}.log"
     mkdir -p "$(dirname "$stderr_log")" 2>/dev/null || true
-    response=$(claude --dangerously-skip-permissions \
+    # caveman HARD-SUPPRESS (parsed output, v7.41.0): the response is parsed for
+    # findings[].vote against the JSON Schema. A globally-active caveman would
+    # compress/reword it and break the schema match or flip a vote. The tree-wide
+    # default-off export in claude-flags.sh (sourced above) already covers this;
+    # the inline prefix is belt-and-suspenders, self-documenting, and a no-op when
+    # caveman is absent.
+    response=$(CAVEMAN_DEFAULT_MODE=off claude --dangerously-skip-permissions \
                       -p "$prompt" \
                       --agents "$agents_json" \
                       --json-schema "$schema_path" 2>"$stderr_log") || rc=$?

package/autonomy/run.sh

@@ -3050,9 +3050,24 @@ spawn_worktree_session() {
         # Provider-specific invocation for parallel sessions
         case "${PROVIDER_NAME:-claude}" in
             claude)
-                claude --dangerously-skip-permissions \
-                    -p "Loki Mode: $task_prompt. Read .loki/CONTINUITY.md for context." \
-                    >> "$log_file" 2>&1 || _wt_exit=$?
+                # caveman ACTIVATION (free-form): a parallel worktree dev stream
+                # is free-form generation; its output goes to a log, not a parsed
+                # sentinel. Activate compression at the configured level when
+                # warranted (empty -> bare invocation, byte-identical to before).
+                # Type-guarded; inlined per-invocation (not exported).
+                local _loki_wt_cm=""
+                if type loki_caveman_activate_env >/dev/null 2>&1; then
+                    _loki_wt_cm="$(loki_caveman_activate_env)"
+                fi
+                if [ -n "$_loki_wt_cm" ]; then
+                    CAVEMAN_DEFAULT_MODE="$_loki_wt_cm" claude --dangerously-skip-permissions \
+                        -p "Loki Mode: $task_prompt. Read .loki/CONTINUITY.md for context." \
+                        >> "$log_file" 2>&1 || _wt_exit=$?
+                else
+                    claude --dangerously-skip-permissions \
+                        -p "Loki Mode: $task_prompt. Read .loki/CONTINUITY.md for context." \
+                        >> "$log_file" 2>&1 || _wt_exit=$?
+                fi
                 ;;
             codex)
                 codex exec --full-auto --skip-git-repo-check \
@@ -3264,7 +3279,11 @@ Output ONLY the resolved file content with no conflict markers. No explanations.
                 if type loki_subcall_bare_enabled >/dev/null 2>&1 && loki_subcall_bare_enabled; then
                     _cr_argv+=("--bare")
                 fi
-                resolution=$(claude "${_cr_argv[@]}" -p "$conflict_prompt" --output-format text 2>/dev/null)
+                # caveman HARD-SUPPRESS (parsed output): the output is captured as
+                # the EXACT resolved file content (the shell writes it verbatim).
+                # Compressing prose into the merged source would corrupt the file,
+                # so disable caveman unconditionally here. No-op when absent.
+                resolution=$(CAVEMAN_DEFAULT_MODE=off claude "${_cr_argv[@]}" -p "$conflict_prompt" --output-format text 2>/dev/null)
                 ;;
             codex)
                 resolution=$(codex exec --full-auto --skip-git-repo-check "$conflict_prompt" 2>/dev/null)
@@ -7912,6 +7931,15 @@ BUILD_PROMPT
                     if type loki_review_allowlist_enabled >/dev/null 2>&1 && loki_review_allowlist_enabled; then
                         _rv_argv+=("--allowedTools" "$(loki_review_allowlist)")
                     fi
+                    # caveman HARD-SUPPRESS (parsed output): this is a trust-gate
+                    # subcall whose output is parsed for "^VERDICT:" + findings. A
+                    # globally-active caveman would compress/reword that line and
+                    # silently flip the verdict, so we UNCONDITIONALLY disable
+                    # caveman here with CAVEMAN_DEFAULT_MODE=off (the activate hook
+                    # then deletes its flag and emits nothing). Set inline, not via
+                    # the helper, so the carve-out holds even when the helper is
+                    # out of scope. No-op when caveman is absent.
+                    CAVEMAN_DEFAULT_MODE=off \
                     claude "${_rv_argv[@]}" -p "$prompt_text" \
                         --output-format text > "$review_output" 2>/dev/null
                     ;;
@@ -8151,6 +8179,11 @@ ADVERSARIAL_EOF
                 if type loki_review_allowlist_enabled >/dev/null 2>&1 && loki_review_allowlist_enabled; then
                     _adv_argv+=("--allowedTools" "$(loki_review_allowlist)")
                 fi
+                # caveman HARD-SUPPRESS (parsed output): the adversarial probe's
+                # output is parsed for findings/severity. Disable caveman
+                # unconditionally (CAVEMAN_DEFAULT_MODE=off) so compression cannot
+                # drop or reword a finding. No-op when caveman is absent.
+                CAVEMAN_DEFAULT_MODE=off \
                 claude "${_adv_argv[@]}" -p "$adversarial_prompt" \
                     --output-format text > "$result_file" 2>/dev/null || true
             fi
@@ -10188,9 +10221,14 @@ ${_commits}"
         _ic_argv+=("--bare")
     fi
     _ic_argv+=("--model" "haiku")
+    # caveman HARD-SUPPRESS (parsed output): the regen output is validated to be
+    # Markdown (grep '^#') and written verbatim to USAGE.md. Compressed prose
+    # would fail that check or produce caveman-style USAGE text, so disable
+    # caveman unconditionally. Inlined on `claude` only (does not cross the pipe
+    # to head). No-op when caveman is absent.
     local _ic_out
     _ic_out=$(printf '%s' "$_ic_prompt" \
-        | timeout 60 claude "${_ic_argv[@]}" -p - 2>/dev/null \
+        | timeout 60 env CAVEMAN_DEFAULT_MODE=off claude "${_ic_argv[@]}" -p - 2>/dev/null \
         | head -200)
     # Sanity check: response must look like Markdown (starts with # or ##).
     if [ -z "$_ic_out" ] || ! printf '%s' "$_ic_out" | head -1 | grep -qE '^#'; then
@@ -13049,9 +13087,40 @@ except Exception as exc:
                 # result-cost file under the correct iteration index.
                 export LOKI_CURRENT_MODEL="$tier_param"
                 export LOKI_ITERATION="$ITERATION_COUNT"
+                # caveman ACTIVATION (free-form): the main RARV dev loop is
+                # free-form generation, so we ask caveman to compress its OUTPUT
+                # tokens at the configured level. Inlined as a per-invocation env
+                # prefix (NOT exported) so it applies ONLY to `claude` (and the
+                # SessionStart hook it spawns inherits it) and never bleeds into
+                # later parsed subcalls. Empty when caveman is unsupported /
+                # disabled / the legacy completion-prose match is active, in which
+                # case the invocation is byte-identical to before. Type-guarded so
+                # an older runtime without the helper degrades cleanly.
+                local _loki_cm_level=""
+                if type loki_caveman_activate_env >/dev/null 2>&1; then
+                    _loki_cm_level="$(loki_caveman_activate_env)"
+                fi
+                # Best-effort one-time bootstrap when activation is warranted but
+                # caveman is not yet installed (idempotent, non-blocking, clean
+                # degrade). The level stays usable next run even if this run is
+                # uncompressed.
+                if [ -n "$_loki_cm_level" ] && type loki_caveman_bootstrap >/dev/null 2>&1; then
+                    loki_caveman_bootstrap || true
+                fi
+                # NOTE: an EMPTY CAVEMAN_DEFAULT_MODE is NOT inert -- caveman's
+                # getDefaultMode() treats empty as unset and falls back to the
+                # user's global default (often "full"). So when activation is not
+                # warranted we must NOT set the var at all (the bare branch),
+                # keeping the invocation byte-identical to pre-caveman behavior.
                 { \
+                if [ -n "$_loki_cm_level" ]; then
+                CAVEMAN_DEFAULT_MODE="$_loki_cm_level" \
+                claude "${_loki_claude_argv[@]}" -p "$prompt" \
+            --output-format stream-json --verbose 2>&1
+                else
                 claude "${_loki_claude_argv[@]}" -p "$prompt" \
-            --output-format stream-json --verbose 2>&1 | \
+            --output-format stream-json --verbose 2>&1
+                fi | \
             tee -a "$log_file" "$agent_log" "$iter_output" | \
             python3 -u -c '
 import sys

package/dashboard/__init__.py

@@ -7,7 +7,7 @@ Modules:
     control: Session control API (start/stop/pause/resume)
 """
 
-__version__ = "7.40.0"
+__version__ = "7.41.0"
 
 # Expose the control app for easy import
 try:

package/docs/INSTALLATION.md

@@ -2,7 +2,7 @@
 
 The flagship product of [Autonomi](https://www.autonomi.dev/). Loki Mode is a spec-driven autonomous builder with a built-in trust layer that takes any spec to a deployed product and verifies completion with evidence (quality gates plus a completion council), not just a "done" claim. Complete installation instructions for all platforms and use cases.
 
-**Version:** v7.40.0
+**Version:** v7.41.0
 
 ---
 
@@ -30,6 +30,20 @@ setting any flag to `0`.
   in `loki status --json`).
 - See `skills/quality-gates.md` for full schema and reachability notes.
 
+### Output-token compressor (caveman, default-on, Claude-only)
+Loki integrates [caveman](https://github.com/JuliusBrussee/caveman), an optional
+Claude Code skill that compresses the model's OUTPUT tokens only (keeping all
+technical substance). It activates on free-form generation (the main RARV dev
+loop) and is HARD-SUPPRESSED on every trust-gate subcall (council votes, code
+review verdict, evidence-related parses) so determinism is never affected.
+- Claude-provider-only; runs are byte-identical on Codex / Cline / Aider.
+- Default on; opt out with `LOKI_CAVEMAN=0`.
+- Level: `LOKI_CAVEMAN_LEVEL` (default `full`; also `lite`, `ultra`, `wenyan*`).
+- Pinned + vendor-less: `LOKI_CAVEMAN_VERSION` (default `1.9.0`); Loki bootstraps
+  the pinned version on demand (opt out `LOKI_CAVEMAN_AUTO_BOOTSTRAP=0`).
+- Savings are output-token-only and bounded; Loki never quotes a dollar figure.
+- See `skills/quality-gates.md` (Output-token compressor) for details.
+
 ### Earlier highlights still in scope
 - Bash-to-Bun runtime migration in progress (see `UPGRADING.md`)
 - Provider-agnostic runtime: Claude (full), Codex, Cline, Aider (no vendor lock-in)

package/loki-ts/dist/loki.js

@@ -1,5 +1,5 @@
 // @bun
-var n6=Object.defineProperty;var a6=($)=>$;function s6($,Q){this[$]=a6.bind(null,Q)}var h=($,Q)=>{for(var Z in Q)n6($,Z,{get:Q[Z],enumerable:!0,configurable:!0,set:s6.bind(Q,Z)})};var L=($,Q)=>()=>($&&(Q=$($=0)),Q);var K$=import.meta.require;var S1={};h(S1,{lokiDir:()=>P,homeLokiDir:()=>o$,findRepoRootForVersion:()=>d$,REPO_ROOT:()=>m});import{resolve as n,dirname as l$}from"path";import{fileURLToPath as t6}from"url";import{existsSync as P$}from"fs";import{homedir as r6}from"os";function i6(){let $=N1;for(let Q=0;Q<6;Q++){if(P$(n($,"VERSION"))&&P$(n($,"autonomy/run.sh")))return $;let Z=l$($);if(Z===$)break;$=Z}return n(N1,"..","..","..")}function d$($){let Q=$;for(let Z=0;Z<6;Z++){if(P$(n(Q,"VERSION"))&&P$(n(Q,"autonomy/run.sh")))return Q;let z=l$(Q);if(z===Q)break;Q=z}return n($,"..","..","..")}function P(){return process.env.LOKI_DIR??n(process.cwd(),".loki")}function o$(){return n(r6(),".loki")}var N1,m;var C=L(()=>{N1=l$(t6(import.meta.url));m=i6()});import{readFileSync as e6}from"fs";import{resolve as $Q,dirname as QQ}from"path";import{fileURLToPath as ZQ}from"url";function F$(){if($$!==null)return $$;let $="7.40.0";if(typeof $==="string"&&$.length>0)return $$=$,$$;try{let Q=QQ(ZQ(import.meta.url)),Z=d$(Q);$$=e6($Q(Z,"VERSION"),"utf-8").trim()}catch{$$="unknown"}return $$}var $$=null;var n$=L(()=>{C()});var C1={};h(C1,{runOrThrow:()=>zQ,run:()=>j,commandVersion:()=>KQ,commandExists:()=>f,ShellError:()=>a$});async function j($,Q={}){let Z=Bun.spawn({cmd:[...$],stdout:"pipe",stderr:"pipe",env:Q.env?{...process.env,...Q.env}:process.env,cwd:Q.cwd}),z,X;if(Q.timeoutMs&&Q.timeoutMs>0)z=setTimeout(()=>{try{Z.kill("SIGTERM")}catch{}X=setTimeout(()=>{try{Z.kill("SIGKILL")}catch{}},2000)},Q.timeoutMs);try{let[W,K,U]=await Promise.all([new Response(Z.stdout).text(),new Response(Z.stderr).text(),Z.exited]);return{stdout:W,stderr:K,exitCode:U}}finally{if(z)clearTimeout(z);if(X)clearTimeout(X)}}async function zQ($,Q={}){let Z=await j($,Q);if(Z.exitCode!==0)throw new a$(`command failed (${Z.exitCode}): ${$.join(" ")}`,Z.exitCode,Z.stdout,Z.stderr);return Z}async function f($){let Q=XQ($),Z=await j(["sh","-c",`command -v ${Q}`],{timeoutMs:5000});if(Z.exitCode===0)return Z.stdout.trim()||null;return null}function XQ($){if(!/^[A-Za-z0-9._/-]+$/.test($))throw Error(`refused to shell-escape suspect token: ${$}`);return $}async function KQ($,Q="--version"){if(!await f($))return null;let z=await j([$,Q],{timeoutMs:5000});if(z.exitCode!==0)return null;return((z.stdout||z.stderr).split(/\r?\n/)[0]?.trim()??"")||null}var a$;var d=L(()=>{a$=class a$ extends Error{message;exitCode;stdout;stderr;constructor($,Q,Z,z){super($);this.message=$;this.exitCode=Q;this.stdout=Z;this.stderr=z;this.name="ShellError"}}});function a($){return WQ?"":$}var WQ,T,S,I,TZ,w,R,y,q;var c=L(()=>{WQ=(process.env.NO_COLOR??"").length>0;T=a("\x1B[0;31m"),S=a("\x1B[0;32m"),I=a("\x1B[1;33m"),TZ=a("\x1B[0;34m"),w=a("\x1B[0;36m"),R=a("\x1B[1m"),y=a("\x1B[2m"),q=a("\x1B[0m")});import{existsSync as TQ}from"fs";async function Q$(){if(B$!==void 0)return B$;let $="/opt/homebrew/bin/python3.12";if(TQ($))return B$=$,$;let Q=await f("python3.12");if(Q)return B$=Q,Q;let Z=await f("python3");return B$=Z,Z}async function Z$($,Q={}){let Z=await Q$();if(!Z)return{stdout:"",stderr:"python3 not found",exitCode:127};return j([Z,"-c",$],Q)}var B$;var W$=L(()=>{d()});var t1={};h(t1,{runStatus:()=>gQ});import{existsSync as v,readFileSync as U$,readdirSync as l1,statSync as d1}from"fs";import{resolve as D,basename as xQ}from"path";import{homedir as NQ}from"os";async function DQ(){if(await f("jq"))return!0;return process.stdout.write(`${T}Error: jq is required but not installed.${q}
+var n6=Object.defineProperty;var a6=($)=>$;function s6($,Q){this[$]=a6.bind(null,Q)}var h=($,Q)=>{for(var Z in Q)n6($,Z,{get:Q[Z],enumerable:!0,configurable:!0,set:s6.bind(Q,Z)})};var L=($,Q)=>()=>($&&(Q=$($=0)),Q);var K$=import.meta.require;var S1={};h(S1,{lokiDir:()=>P,homeLokiDir:()=>o$,findRepoRootForVersion:()=>d$,REPO_ROOT:()=>m});import{resolve as n,dirname as l$}from"path";import{fileURLToPath as t6}from"url";import{existsSync as P$}from"fs";import{homedir as r6}from"os";function i6(){let $=N1;for(let Q=0;Q<6;Q++){if(P$(n($,"VERSION"))&&P$(n($,"autonomy/run.sh")))return $;let Z=l$($);if(Z===$)break;$=Z}return n(N1,"..","..","..")}function d$($){let Q=$;for(let Z=0;Z<6;Z++){if(P$(n(Q,"VERSION"))&&P$(n(Q,"autonomy/run.sh")))return Q;let z=l$(Q);if(z===Q)break;Q=z}return n($,"..","..","..")}function P(){return process.env.LOKI_DIR??n(process.cwd(),".loki")}function o$(){return n(r6(),".loki")}var N1,m;var C=L(()=>{N1=l$(t6(import.meta.url));m=i6()});import{readFileSync as e6}from"fs";import{resolve as $Q,dirname as QQ}from"path";import{fileURLToPath as ZQ}from"url";function F$(){if($$!==null)return $$;let $="7.41.0";if(typeof $==="string"&&$.length>0)return $$=$,$$;try{let Q=QQ(ZQ(import.meta.url)),Z=d$(Q);$$=e6($Q(Z,"VERSION"),"utf-8").trim()}catch{$$="unknown"}return $$}var $$=null;var n$=L(()=>{C()});var C1={};h(C1,{runOrThrow:()=>zQ,run:()=>j,commandVersion:()=>KQ,commandExists:()=>f,ShellError:()=>a$});async function j($,Q={}){let Z=Bun.spawn({cmd:[...$],stdout:"pipe",stderr:"pipe",env:Q.env?{...process.env,...Q.env}:process.env,cwd:Q.cwd}),z,X;if(Q.timeoutMs&&Q.timeoutMs>0)z=setTimeout(()=>{try{Z.kill("SIGTERM")}catch{}X=setTimeout(()=>{try{Z.kill("SIGKILL")}catch{}},2000)},Q.timeoutMs);try{let[W,K,U]=await Promise.all([new Response(Z.stdout).text(),new Response(Z.stderr).text(),Z.exited]);return{stdout:W,stderr:K,exitCode:U}}finally{if(z)clearTimeout(z);if(X)clearTimeout(X)}}async function zQ($,Q={}){let Z=await j($,Q);if(Z.exitCode!==0)throw new a$(`command failed (${Z.exitCode}): ${$.join(" ")}`,Z.exitCode,Z.stdout,Z.stderr);return Z}async function f($){let Q=XQ($),Z=await j(["sh","-c",`command -v ${Q}`],{timeoutMs:5000});if(Z.exitCode===0)return Z.stdout.trim()||null;return null}function XQ($){if(!/^[A-Za-z0-9._/-]+$/.test($))throw Error(`refused to shell-escape suspect token: ${$}`);return $}async function KQ($,Q="--version"){if(!await f($))return null;let z=await j([$,Q],{timeoutMs:5000});if(z.exitCode!==0)return null;return((z.stdout||z.stderr).split(/\r?\n/)[0]?.trim()??"")||null}var a$;var d=L(()=>{a$=class a$ extends Error{message;exitCode;stdout;stderr;constructor($,Q,Z,z){super($);this.message=$;this.exitCode=Q;this.stdout=Z;this.stderr=z;this.name="ShellError"}}});function a($){return WQ?"":$}var WQ,T,S,I,TZ,w,R,y,q;var c=L(()=>{WQ=(process.env.NO_COLOR??"").length>0;T=a("\x1B[0;31m"),S=a("\x1B[0;32m"),I=a("\x1B[1;33m"),TZ=a("\x1B[0;34m"),w=a("\x1B[0;36m"),R=a("\x1B[1m"),y=a("\x1B[2m"),q=a("\x1B[0m")});import{existsSync as TQ}from"fs";async function Q$(){if(B$!==void 0)return B$;let $="/opt/homebrew/bin/python3.12";if(TQ($))return B$=$,$;let Q=await f("python3.12");if(Q)return B$=Q,Q;let Z=await f("python3");return B$=Z,Z}async function Z$($,Q={}){let Z=await Q$();if(!Z)return{stdout:"",stderr:"python3 not found",exitCode:127};return j([Z,"-c",$],Q)}var B$;var W$=L(()=>{d()});var t1={};h(t1,{runStatus:()=>gQ});import{existsSync as v,readFileSync as U$,readdirSync as l1,statSync as d1}from"fs";import{resolve as D,basename as xQ}from"path";import{homedir as NQ}from"os";async function DQ(){if(await f("jq"))return!0;return process.stdout.write(`${T}Error: jq is required but not installed.${q}
 `),process.stdout.write(`Install with:
 `),process.stdout.write(`  brew install jq    (macOS)
 `),process.stdout.write(`  apt install jq     (Debian/Ubuntu)
@@ -789,4 +789,4 @@ Set LOKI_LEGACY_BASH=1 to force the bash CLI for every command.
 `),2}default:return process.stderr.write(`Unknown command: ${Q}
 `),process.stderr.write(o6),2}}p1();process.on("SIGINT",()=>process.exit(130));process.on("SIGTERM",()=>process.exit(143));var ZZ=await QZ(Bun.argv.slice(2));process.exit(ZZ);
 
-//# debugId=CE2296A3A5523BAE64756E2164756E21
+//# debugId=02B592B55ABCECB264756E2164756E21

package/mcp/__init__.py

@@ -57,4 +57,4 @@ try:
 except ImportError:
     __all__ = ['mcp']
 
-__version__ = '7.40.0'
+__version__ = '7.41.0'

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "loki-mode",
   "mcpName": "io.github.asklokesh/loki-mode",
-  "version": "7.40.0",
+  "version": "7.41.0",
   "description": "Loki Mode by Autonomi. Autonomous spec-to-product system: takes a PRD, GitHub issue, OpenAPI/JSON/YAML, or one-line brief to a deployed app via the RARV-C closure loop with 11 quality gates. Provider-agnostic (Claude Code, OpenAI Codex, Cline, Aider).",
   "keywords": [
     "agent",

package/plugins/loki-mode/.claude-plugin/plugin.json

@@ -2,7 +2,7 @@
   "$schema": "https://json.schemastore.org/claude-code-plugin-manifest.json",
   "name": "loki-mode",
   "displayName": "Loki Mode",
-  "version": "7.40.0",
+  "version": "7.41.0",
   "description": "Autonomous spec-to-product build system with a built-in trust layer (RARV-C closure loop, 11 quality gates, completion council). Ships Loki's spec-hardening, drift-detection, and deterministic PR verification commands plus the Loki MCP server.",
   "author": {
     "name": "Autonomi",

package/skills/quality-gates.md

@@ -128,6 +128,39 @@ LOKI_CODE_INDEX_AUTOREINDEX=1    # auto incremental re-index of the semantic
                                  # Hybrid Codebase Search)
 ```
 
+## Output-token compressor (caveman, default-on, Claude-only)
+
+[caveman](https://github.com/JuliusBrussee/caveman) is a Claude Code skill that
+instructs the model to compress its OUTPUT tokens only (prose style), keeping all
+technical substance. Loki ACTIVATES it on free-form generation (the main RARV dev
+loop) and HARD-SUPPRESSES it on every parsed-output trust-gate subcall (council
+votes, the code-review `^VERDICT:`, the adversarial probe, the merge-conflict
+resolver, the USAGE.md regen). The suppression is by construction (one shared
+helper sets `CAVEMAN_DEFAULT_MODE=off` on every parsed call site), so compression
+can NEVER flip a verdict or completion decision.
+
+Claude-provider-only: on Codex / Cline / Aider the run is byte-identical to
+before. Vendor-less: Loki ships no copy of caveman and bootstraps the pinned
+version on demand (idempotent, cached under `.loki/`). Savings are real but
+bounded (output tokens only); there is no price API, so Loki discloses the
+savings CLASS, never a dollar figure.
+
+```bash
+LOKI_CAVEMAN=0                  # opt out (default on). Disables activation; the
+                                # parsed-subcall suppression still runs (it is a
+                                # harmless no-op when caveman is absent).
+LOKI_CAVEMAN_LEVEL=full         # compression level: lite | full (default) |
+                                # ultra | wenyan | wenyan-lite|full|ultra
+LOKI_CAVEMAN_VERSION=1.9.0      # pinned caveman version (upgrade by bumping)
+LOKI_CAVEMAN_AUTO_BOOTSTRAP=0   # disable the on-demand pinned install
+```
+
+Note: when `LOKI_LEGACY_COMPLETION_MATCH=true` (the legacy prose-grep completion
+path), main-loop activation is automatically disabled so compression cannot
+mangle the prose completion-promise. The default completion path (the
+`loki_complete_task` MCP tool / completion signal file) is immune to compression
+and keeps caveman on.
+
 ## Verified-completion evidence gate (v7.19.1, default-on)
 
 The completion council will not accept a "done" claim without evidence. Before