loki-mode 7.46.0 → 7.47.0

package/dashboard/auth.py

@@ -477,6 +477,111 @@ def _base64url_decode(data: str) -> bytes:
     return base64.urlsafe_b64decode(data)
 
 
+# Role precedence (highest privilege first). When a token carries multiple
+# recognized role claims, the highest-privilege match wins.
+_ROLE_PRECEDENCE = ("admin", "operator", "auditor", "viewer")
+
+
+def _normalize_claim_values(value) -> set[str]:
+    """Normalize an OIDC claim value into a lowercased set of strings.
+
+    Claim values may be a single string, a space-separated string, or a
+    list of strings (different providers use different shapes). All are
+    flattened into a set of lowercased tokens for matching against ROLES.
+    """
+    out: set[str] = set()
+    if value is None:
+        return out
+    if isinstance(value, str):
+        for part in value.split():
+            if part:
+                out.add(part.strip().lower())
+    elif isinstance(value, (list, tuple, set)):
+        for item in value:
+            if isinstance(item, str):
+                s = item.strip().lower()
+                if s:
+                    out.add(s)
+    return out
+
+
+def _collect_role_claims(claims: dict) -> set[str]:
+    """Collect candidate role/group values from standard OIDC claim shapes.
+
+    Recognized sources (case-insensitive values flattened into one set):
+    - A configurable claim named by LOKI_OIDC_ROLES_CLAIM (supports a dotted
+      path for nested claims, e.g. "realm_access.roles" for Keycloak).
+    - "roles" (generic)
+    - "groups" (generic)
+    - "realm_access.roles" (Keycloak)
+    - "cognito:groups" (AWS Cognito)
+
+    Note: "groups"/"cognito:groups" typically carry arbitrary group names,
+    not Loki role names. Only values that exactly match one of the four
+    built-in role names (admin/operator/viewer/auditor, case-insensitive)
+    grant a role. Everything else is ignored and the default role applies.
+    """
+    candidates: set[str] = set()
+
+    def _read_dotted(path: str):
+        node = claims
+        for key in path.split("."):
+            if isinstance(node, dict) and key in node:
+                node = node[key]
+            else:
+                return None
+        return node
+
+    configured = os.environ.get("LOKI_OIDC_ROLES_CLAIM", "").strip()
+    sources = []
+    if configured:
+        sources.append(configured)
+    sources.extend(["roles", "groups", "realm_access.roles", "cognito:groups"])
+
+    for src in sources:
+        if "." in src:
+            val = _read_dotted(src)
+        else:
+            val = claims.get(src)
+        candidates |= _normalize_claim_values(val)
+
+    return candidates
+
+
+def _default_oidc_role() -> str:
+    """Return the configured default OIDC role, validated against ROLES.
+
+    Defaults to the least-privileged role ("viewer"). If LOKI_OIDC_DEFAULT_ROLE
+    is set to an unrecognized value, falls back to "viewer" (never admin).
+    """
+    configured = os.environ.get("LOKI_OIDC_DEFAULT_ROLE", "").strip().lower()
+    if configured in ROLES:
+        return configured
+    return "viewer"
+
+
+def _scopes_from_claims(claims: dict) -> tuple[list[str], str]:
+    """Map OIDC token claims to Loki scopes via the existing ROLES mapping.
+
+    Returns a tuple of (scopes, role_name). If no recognized role claim is
+    present, the safe default role (viewer, or LOKI_OIDC_DEFAULT_ROLE) is
+    applied. This function NEVER returns ["*"]/admin by default: full access
+    is granted only when an explicit admin role claim is present.
+    """
+    candidate_values = _collect_role_claims(claims)
+
+    matched_role = None
+    for role in _ROLE_PRECEDENCE:
+        if role in candidate_values:
+            matched_role = role
+            break
+
+    if matched_role is None:
+        matched_role = _default_oidc_role()
+
+    return resolve_scopes(matched_role), matched_role
+
+
 def validate_oidc_token(token_str: str) -> Optional[dict]:
     """Validate an OIDC JWT token.
 
@@ -489,6 +594,12 @@ def validate_oidc_token(token_str: str) -> Optional[dict]:
     - Audience matches OIDC_AUDIENCE or OIDC_CLIENT_ID
     - Token is not expired
 
+    On success, role/group claims are mapped to Loki roles (admin/operator/
+    viewer/auditor) via _scopes_from_claims. When no recognized role claim is
+    present, the least-privileged default role (viewer, configurable via
+    LOKI_OIDC_DEFAULT_ROLE) is applied. OIDC users are never granted ["*"]
+    unless an explicit admin role claim is present.
+
     SECURITY CRITICAL: Without PyJWT, JWT signatures are NOT cryptographically
     verified. An attacker can forge tokens with arbitrary claims. For any
     production deployment, you MUST install PyJWT + cryptography so that
@@ -529,11 +640,13 @@ def validate_oidc_token(token_str: str) -> Optional[dict]:
             issuer=OIDC_ISSUER,
         )
 
+        scopes, role = _scopes_from_claims(decoded)
         return {
             "id": decoded.get("sub", ""),
             "name": decoded.get("name", decoded.get("email", decoded.get("sub", ""))),
             "email": decoded.get("email", ""),
-            "scopes": ["*"],  # OIDC users get full access
+            "scopes": scopes,  # mapped from OIDC role/group claims
+            "role": role,
             "auth_method": "oidc",
             "issuer": decoded.get("iss"),
         }
@@ -602,11 +715,13 @@ def validate_oidc_token(token_str: str) -> Optional[dict]:
             return None
 
         # Return user info from claims
+        scopes, role = _scopes_from_claims(claims)
         return {
             "id": claims.get("sub", ""),
             "name": claims.get("name", claims.get("email", claims.get("sub", ""))),
             "email": claims.get("email", ""),
-            "scopes": ["*"],  # OIDC users get full access
+            "scopes": scopes,  # mapped from OIDC role/group claims
+            "role": role,
             "auth_method": "oidc",
             "issuer": claims.get("iss"),
         }

package/docs/ACKNOWLEDGEMENTS.md

@@ -336,7 +336,7 @@ Based on research synthesis, the following improvements are planned:
 
 This acknowledgements file documents the research and resources that influenced Loki Mode's design. All referenced works retain their original licenses and copyrights.
 
-Loki Mode itself is released under the MIT License.
+Loki Mode itself is released under the Business Source License 1.1 (BUSL-1.1), a source-available license.
 
 ---
 

package/docs/COMPETITIVE-ANALYSIS.md

@@ -45,7 +45,7 @@ GSD is the closest competitor -- a context engineering system that spawns fresh
 | **Enterprise Security** | `--dangerously-skip-permissions` | MCP sandboxed | Sandboxed | Audit logs, RBAC | Staged autonomy | Sandboxed |
 | **Cross-Project Learning** | No | AgentDB | No | No | No | Limited |
 | **Observability** | Dashboard + STATUS.txt | Real-time tracing | Logs | Full tracing | Built-in | Full |
-| **Pricing** | Free (OSS) | Free (OSS) | Free (OSS) | $25+/mo | $20-400/mo | $20-500/mo |
+| **Pricing** | Free (source-available) | Free (OSS) | Free (OSS) | $25+/mo | $20-400/mo | $20-500/mo |
 | **Production Ready** | Experimental | Production | Production | Production | Production | Production |
 | **Resource Monitoring** | Yes (v2.18.5) | Unknown | No | No | No | No |
 | **State Recovery** | Yes (checkpoints) | Yes (AgentDB) | Limited | Yes | Git worktrees | Yes |

package/docs/INSTALLATION.md

@@ -2,7 +2,7 @@
 
 The flagship product of [Autonomi](https://www.autonomi.dev/). Loki Mode is a spec-driven autonomous builder with a built-in trust layer that takes any spec to a deployed product and verifies completion with evidence (quality gates plus a completion council), not just a "done" claim. Complete installation instructions for all platforms and use cases.
 
-**Version:** v7.46.0
+**Version:** v7.47.0
 
 ---
 
@@ -389,7 +389,7 @@ provider works inside the container. Provide auth with your Anthropic API key:
 # Run Loki Mode in Docker (Claude provider, API-key auth)
 docker run --rm -e ANTHROPIC_API_KEY="$ANTHROPIC_API_KEY" \
   -v $(pwd):/workspace -w /workspace \
-  asklokesh/loki-mode:7.46.0 start ./my-spec.md
+  asklokesh/loki-mode:7.47.0 start ./my-spec.md
 ```
 
 ##### docker compose + .env (no host install)

package/docs/OPEN-CORE-BOUNDARY.md

@@ -1,15 +1,16 @@
 # Loki Mode open-core boundary
 
-Loki Mode is and stays open source. This document draws the line between what is
-free forever and what hosted/paid/enterprise plans would add on top. R9 ships
+Loki Mode is and stays source-available (BUSL-1.1) and free to self-host. This
+document draws the line between what is free forever and what
+hosted/paid/enterprise plans would add on top. R9 ships
 the SEAMS for that line; it does not ship a hosted backend, a license server, or
 any paywall on existing functionality.
 
 ## Principle
 
-OSS is fully functional with zero hosted backend. Every capability Loki has
-today runs locally, free, with no account, no license key, and no network call
-to any Loki service. Hosted/paid features are ADDITIVE convenience and
+The free self-hosted tier is fully functional with zero hosted backend. Every
+capability Loki has today runs locally, free, with no account, no license key,
+and no network call to any Loki service. Hosted/paid features are ADDITIVE convenience and
 team/enterprise layers, never a removal or gating of something that is free
 today.
 

package/docs/P2-SPEC-ROBUSTNESS-PLAN.md

@@ -0,0 +1,192 @@
+# P2 Spec Robustness Plan (P2-1 spec interrogation gate + P2-2 assumption ledger)
+
+Status: design for implementation. No version bump, no commit in this arc.
+
+## Goal
+
+Loki must stay accurate even when the input spec is WRONG, ambiguous, or
+incomplete. Today two building blocks already detect spec defects but neither
+feeds the autonomous loop:
+
+- `autonomy/grill.sh` invokes the provider once with a Devil's-Advocate prompt
+  and writes 10-15 hardest spec questions to `.loki/grill/report.md`. It is
+  CLI-only (`grep grill autonomy/run.sh` = 0 invocations) and nothing reads its
+  output.
+- `autonomy/prd-analyzer.py` detects missing PRD dimensions and has a
+  deterministic `_make_assumption()` map, writing `.loki/prd-observations.md`,
+  which nothing reads. Its interactive Q&A is inert in non-TTY (autonomous) runs.
+
+The fix: run interrogation automatically in DISCOVERY, classify the findings,
+record every spec gap as a first-class ASSUMPTION in a tracked ledger, BLOCK
+completion while high-severity assumptions are unconfirmed-and-unacknowledged,
+and surface the ledger in the proof-of-done output. Defects are SURFACED as
+recorded assumptions, never silently autocorrected.
+
+## Core design decision: auto-acknowledgment lifecycle (prevents the trap)
+
+A naive "block completion while any high-severity assumption is unconfirmed"
+hard-blocks EVERY ambiguous run to max-iterations, because in autonomous
+(non-TTY) mode no human can ever set `confirmed=yes`. We never reach the
+"done, plus here is what I assumed" output the goal demands.
+
+Resolution: split the gate from the lifecycle.
+
+- The gate `council_assumption_ledger_gate` is a PURE function of ledger state.
+  It blocks iff an entry has `severity=high AND confirmed=false AND
+  acknowledged=false`.
+- The auto-acknowledgment lifecycle lives in run.sh (NOT in the gate). Once an
+  assumption has been written into the ledger AND injected into the build prompt
+  at least once, run.sh marks it `acknowledged=true`. Default-on; opt-out
+  `LOKI_ASSUMPTIONS_REQUIRE_CONFIRM=1` keeps a human-in-the-loop path where only
+  `confirmed=true` clears the block.
+
+This is the OPPOSITE of silent autocorrect: the assumption is recorded,
+injected into the agent's prompt, and surfaced in proof-of-done. Acknowledgment
+records "Loki has SEEN this gap and proceeded with a stated default", not "Loki
+hid it". The gate still has teeth on the first iteration (high-sev unacknowledged
+blocks) and in the require-confirm path.
+
+## Severity rule (deterministic, no LLM)
+
+grill emits no severity. Classify by section / keyword on the read side:
+
+- HIGH: security blind spots; scale/reliability blind spots; missing or
+  untestable acceptance criteria; any line containing contradiction keywords
+  (contradict, conflict, inconsistent, mutually exclusive).
+- MEDIUM: ambiguities; unstated assumptions; underspecified behavior; all
+  prd-analyzer missing-dimension assumptions.
+
+This guarantees a HIGH tier exists (so the gate has teeth) and is fully
+deterministic (so tests are reproducible).
+
+## Taxonomy mapping (classification, read-side only)
+
+grill section -> finding class:
+- "Ambiguities and missing acceptance criteria" -> ambiguous (HIGH if the line
+  references acceptance criteria / testable / measurable; else MEDIUM)
+- "Unstated assumptions" -> underspecified (MEDIUM)
+- "Security blind spots" -> missing (HIGH)
+- "Scale and reliability blind spots" -> missing (HIGH)
+- any line with a contradiction keyword (any section) -> contradictory (HIGH)
+- prd-analyzer missing dimensions -> missing (MEDIUM, deterministic default)
+
+"None identified." lines are skipped (no fabricated findings).
+
+grill output contract is NOT changed (it is parsed by the loki-grill skill).
+We classify a COPY of its markdown; grill.sh stays byte-identical.
+
+## No-fabrication rule for ledger content
+
+A grill finding is a QUESTION, not a resolution. The ledger `assumption` field
+for a grill-derived gap is an honest "spec gives no answer; proceeding with the
+implementer default for <area>" plus `affects=<area>`. We do NOT invent a
+specific resolution the build will not actually follow. prd-analyzer assumptions
+reuse its existing deterministic `_make_assumption()` text verbatim.
+
+## Ledger schema (`.loki/assumptions/`)
+
+One JSON file per assumption: `.loki/assumptions/<id>.json`, plus a
+human-readable `.loki/assumptions/ledger.md` rollup regenerated on each write.
+Each entry:
+
+```json
+{
+  "id": "a-0001",
+  "gap": "<the spec defect / unanswered question, verbatim>",
+  "assumption": "<honest stated default Loki proceeds with>",
+  "why": "<why this assumption / where the gap came from: grill|prd-analyzer>",
+  "severity": "high|medium",
+  "class": "ambiguous|contradictory|underspecified|missing",
+  "affects": "<area, e.g. security, acceptance-criteria, data-model>",
+  "source": "grill|prd-analyzer",
+  "confirmed": false,
+  "acknowledged": false,
+  "created_at": "<iso8601>"
+}
+```
+
+Stable id = `a-` + zero-padded counter over existing files (idempotent: a second
+DISCOVERY run with the same findings does not duplicate; dedupe on the `gap`
+text hash).
+
+## Build surface (files + functions)
+
+1. NEW `autonomy/spec-interrogation.sh` (sourced by run.sh; standalone-testable):
+   - `spec_interrogation_classify_report <report.md path>`: pure classifier.
+     Reads grill markdown, emits one TSV/JSON finding per question line with
+     class + severity. Takes a file so a fixture report drives the test with no
+     `claude` call.
+   - `spec_interrogation_severity_for <section> <line>`: deterministic severity.
+   - `spec_ledger_write <gap> <assumption> <why> <severity> <class> <affects>
+     <source>`: idempotent writer (dedupe on gap hash) -> `.loki/assumptions/`.
+   - `spec_ledger_rebuild_md`: regenerate `.loki/assumptions/ledger.md`.
+   - `spec_ledger_high_unresolved_count`: count entries with
+     `severity=high AND confirmed=false AND acknowledged=false` (gate input;
+     also reused by the summary).
+   - `spec_ledger_acknowledge_all`: set `acknowledged=true` on all entries
+     (auto-ack lifecycle helper; default path).
+   - `spec_interrogation_run <spec_path>`: orchestrator. Default-on
+     (`LOKI_SPEC_GRILL=0` opts out). Provider-aware: source grill.sh, call
+     `grill_check_provider`; if provider absent, log honest message, skip the
+     grill subcall (NO fabricated questions), but STILL fold prd-analyzer
+     missing-dimension assumptions into the ledger so degrade surfaces something
+     non-blocking. On provider present: run `grill_main` (writes report.md),
+     classify it, write ledger entries. Always non-fatal to the run.
+
+2. `autonomy/run.sh` DISCOVERY (~13056, after prd-analyzer + council_init,
+   before the iteration loop): source spec-interrogation.sh and call
+   `spec_interrogation_run "$prd_path"`. This is the grep-able grill invocation
+   the task requires. Best-effort (`|| true`), never blocks startup.
+
+3. `autonomy/run.sh` auto-ack lifecycle: after the build prompt is constructed
+   each iteration (assumptions are injected into the prompt via build_prompt),
+   call `spec_ledger_acknowledge_all` UNLESS
+   `LOKI_ASSUMPTIONS_REQUIRE_CONFIRM=1`. Inject the high-severity assumption
+   list into the build prompt (so the agent sees the gaps it must respect).
+
+4. `autonomy/completion-council.sh` `council_assumption_ledger_gate` (new),
+   slotted into `council_evaluate` right after `council_evidence_gate`
+   (mirrors 2510-2513). Same defensive `COUNCIL_STATE_DIR` default, opt-out
+   `LOKI_ASSUMPTION_GATE=0`. Blocks iff `spec_ledger_high_unresolved_count > 0`.
+   Writes `.loki/council/assumption-block.json` on block, removes it on pass.
+   Also wired into the completion-promise route in run.sh (~14525 pattern) and
+   the code_review gate chain (~15013) so the promise path cannot bypass it.
+
+5. `autonomy/run.sh` `build_completion_summary` (~2637): emit an
+   "Assumptions recorded: N (M high-severity)" block into COMPLETION.txt and the
+   ledger list, plus the count into completion.json. So "done" means "done, plus
+   here are the N places your spec was ambiguous and what I assumed."
+
+6. NEW `tests/test-spec-interrogation.sh` (bash convention, ok/bad counters,
+   source the module, mktemp fixtures):
+   - (a) classifier on a fixture grill report writes classified findings to the
+     ledger (ambiguous/contradictory/underspecified/missing + high/medium).
+   - (b) a ledger with one high/confirmed:false/acknowledged:false entry makes
+     `council_assumption_ledger_gate` return 1 (BLOCK) and write
+     assumption-block.json.
+   - (c) clean spec (no high-sev entries, or all acknowledged) -> gate returns 0
+     (no spurious block), no block file.
+   - (d) no provider -> `spec_interrogation_run` degrades cleanly: honest
+     message, prd-analyzer assumptions still folded (medium, non-blocking), run
+     proceeds, gate passes.
+
+## Gate reachability (resolved open question)
+
+The existing gates fire from THREE sites: `council_evaluate` (~2510), the
+completion-promise route (~14525), and the code_review gate chain (~15013). The
+new gate is wired into all three so high-sev unacknowledged assumptions cannot
+slip through the promise path.
+
+## Opt-out knobs (all default-on, intelligent)
+
+- `LOKI_SPEC_GRILL=0` -> skip interrogation entirely.
+- `LOKI_ASSUMPTION_GATE=0` -> gate is pass-through.
+- `LOKI_ASSUMPTIONS_REQUIRE_CONFIRM=1` -> require human `confirmed=true`
+  (disables auto-ack); the human-in-the-loop path.
+
+No "user must decide the type" knob. Classification + severity are automatic.
+
+## Constraints
+
+No emojis, no em dashes, no version bump, no commit, no push. Provider-aware,
+degrade cleanly, no fabricated questions when provider absent.

package/docs/R9-OPEN-CORE-HOOKS-PLAN.md

@@ -3,8 +3,8 @@
 Status: SEAMS implemented (this worktree). NOT a live hosted backend.
 
 R9 in the competitive-stickiness arc is the open-core monetization layer: keep
-Loki fully open source and free, while adding the SEAMS where hosted, enterprise,
-and paid plans would attach later. R9 ships the seams only. There is no Loki
+Loki fully source-available (BUSL-1.1) and free to self-host, while adding the
+SEAMS where hosted, enterprise, and paid plans would attach later. R9 ships the seams only. There is no Loki
 hosted service, no license-verification backend, and no paid gate on any
 existing feature. Every honest stub is labeled as such.
 

package/docs/auto-claude-comparison.md

@@ -239,7 +239,7 @@ Loki Mode now incorporates proven patterns from Cursor's large-scale agent deplo
 3. **Anti-Sycophancy** - Blind review prevents false positives
 4. **Full SDLC** - Business, marketing, growth automation
 5. **Published Benchmarks** - Verify claims with reproducible tests
-6. **MIT License** - More adoption-friendly
+6. **Source-available (BUSL-1.1)** - Inspect and self-host the full code
 
 ---
 
@@ -256,7 +256,7 @@ Loki Mode now incorporates proven patterns from Cursor's large-scale agent deplo
 - Full spec-to-product lifecycle (not just coding)
 - 41 specialized agent roles
 - Anti-sycophancy measures
-- MIT license
+- Source-available (BUSL-1.1) license
 - No subscription requirement
 - Verified benchmarks
 

package/docs/certification/README.md

@@ -73,7 +73,7 @@ docs/certification/
 
 ## Cost and Licensing
 
-This certification program is **free and open source**, released under the same license as Loki Mode. No registration or payment is required.
+This certification program is **free and source-available**, released under the same license as Loki Mode (BUSL-1.1). No registration or payment is required.
 
 ## Version
 

package/docs/competitive/bolt-new-analysis.md

@@ -529,7 +529,7 @@ The "vibe coding" market -- AI tools that generate code from natural language --
 | Lovable | Lovable | $100M ARR in 8 months | Design-quality prototypes |
 | Vercel | v0 | Part of Vercel ($3.5B+) | UI component generator |
 | Replit | Replit | $1.16B valuation | Browser IDE + AI |
-| Autonomi | Loki Mode | Open source, early stage | PRD-to-production system |
+| Autonomi | Loki Mode | Source-available (BUSL-1.1), early stage | PRD-to-production system |
 
 ### 11.4 Strategic Implication for Loki Mode
 

package/docs/competitive/emergence-others-analysis.md

@@ -280,7 +280,7 @@ Developers who value open-source tooling, speed, and terminal-native workflows.
 | Feature | Emergence AI (Agent-E) | Rork | Claude Code CLI | Codex CLI | Loki Mode |
 |---------|:---------------------:|:----:|:--------------:|:---------:|:---------:|
 | **Primary Focus** | Web automation | Mobile apps | Coding assistant | Coding assistant | PRD-to-deploy |
-| **Open Source** | Partial (Agent-E only) | No | Source-available | Yes (Apache-2.0) | Yes |
+| **Open Source / Source model** | Partial (Agent-E only) | No | Source-available | Yes (Apache-2.0) | Source-available (BUSL-1.1) |
 | **Multi-Provider** | Yes (OpenAI, Azure, Ollama) | Yes (Gemini, Claude) | Partial (Claude models via Bedrock/Vertex/Foundry) | No (GPT only) | Yes (5 providers, 3+ model families) |
 | **Multi-Agent** | Yes (2-agent model) | No | Yes (coordinated teams) | Yes (experimental) | Yes (41 agent types) |
 | **Autonomous Iteration** | No (task-level) | No | Partial (/loop, /schedule) | No (requires prompting) | Yes (RARV loop + completion council) |
@@ -454,7 +454,7 @@ This positioning highlights three unique capabilities no competitor offers toget
 | Dimension | Codex CLI | Loki Mode |
 |-----------|-----------|-----------|
 | Autonomy | Assisted (human prompts each task) | Fully autonomous |
-| Open source | Yes (Apache-2.0) | Yes |
+| Source model | Open source (Apache-2.0) | Source-available (BUSL-1.1) |
 | Speed | 240+ tokens/sec | Depends on provider |
 | Providers | OpenAI only | 5 providers |
 | Multi-agent | Experimental (isolated) | 41 agent types, 8 domains |
@@ -467,8 +467,8 @@ This positioning highlights three unique capabilities no competitor offers toget
 | Focus | Web/workflow automation | Software development |
 | Pricing | Enterprise contracts | Free + API costs |
 | Self-hosted | VPC option | Fully self-hosted |
-| Open source | Partial | Yes |
-| **Loki Mode advantage:** | Purpose-built for software, open source, accessible pricing |
+| Source-available | Partial | Yes (BUSL-1.1) |
+| **Loki Mode advantage:** | Purpose-built for software, source-available, accessible pricing |
 
 #### vs. Rork
 | Dimension | Rork | Loki Mode |
@@ -485,7 +485,7 @@ This positioning highlights three unique capabilities no competitor offers toget
 "You already use AI for coding. Loki Mode makes it autonomous -- give it a PRD, and it handles planning, implementation, testing, code review, and deployment. Keep using Claude or Codex under the hood."
 
 **For engineering leaders evaluating AI tooling:**
-"Loki Mode is the only open-source system with enterprise-grade quality gates (8 gates, 3-reviewer blind review, anti-sycophancy checks) that runs autonomously on any AI provider. Self-hosted, no vendor lock-in."
+"Loki Mode is the only source-available system with enterprise-grade quality gates (8 gates, 3-reviewer blind review, anti-sycophancy checks) that runs autonomously on any AI provider. Self-hosted, no vendor lock-in."
 
 **For startups and solo developers:**
 "Go from idea to deployed product overnight. Write a PRD, invoke Loki Mode, and let it build, test, and deploy while you sleep. Works with your existing Claude or OpenAI API key."
@@ -558,7 +558,7 @@ The most significant near-term competitive threat is Anthropic's Agent SDK (http
 **However, Loki Mode's structural advantages remain:**
 1. **Multi-provider:** Agent SDK is Claude-only. Loki Mode works with any provider.
 2. **Battle-tested pipeline:** 8 quality gates, completion council, healing, memory -- these took months to build and validate. A new Agent SDK project starts from zero.
-3. **Open source and self-hosted:** No dependency on Anthropic's platform decisions.
+3. **Source-available and self-hosted:** No dependency on Anthropic's platform decisions.
 4. **Research foundation:** Built on patterns from OpenAI, DeepMind, Anthropic, and academic research. Not just engineering, but applied AI safety research (Constitutional AI, anti-sycophancy, alignment faking detection).
 
 ---

package/docs/competitive/replit-lovable-analysis.md

@@ -26,8 +26,8 @@ Replit and Lovable represent two dominant players in the "vibe coding" / AI app
 
 | Metric | Replit | Lovable | Loki Mode |
 |--------|--------|---------|-----------|
-| Valuation | $9B (Mar 2026) | $6.6B (Dec 2025) | Open source |
-| ARR | $265M+ (targeting $1B) | $400M+ (Feb 2026) | N/A (open source) |
+| Valuation | $9B (Mar 2026) | $6.6B (Dec 2025) | Source-available (BUSL-1.1) |
+| ARR | $265M+ (targeting $1B) | $400M+ (Feb 2026) | N/A (source-available) |
 | Users | 50M+ registered | 8M+ users | Developer community |
 | Total Funding | $650M+ | $653M | $0 |
 | Employees | ~1,000+ | ~817 | Solo maintainer |
@@ -376,7 +376,7 @@ Replit Agent has evolved rapidly through four major versions:
 
 | Metric | Replit Agent | Lovable.dev | Loki Mode |
 |--------|:-----------:|:-----------:|:---------:|
-| Free tier | Yes (limited) | Yes (30 credits/mo) | Yes (open source, free) |
+| Free tier | Yes (limited) | Yes (30 credits/mo) | Yes (source-available, free to self-host) |
 | Entry paid | $20/mo (Core) | $25/mo (Pro) | $0 (bring your own API key) |
 | Team plan | $100/mo (Pro) | $50/mo (Business) | $0 |
 | Cost model | Effort-based credits | Per-prompt credits | API key costs only |
@@ -585,7 +585,7 @@ The term "vibe coding" (coined by Andrej Karpathy) has driven explosive growth i
 
 **Medium-term (12 months):** Moderate threat -- as Replit/Lovable improve production quality and add enterprise features, they will attract more professional developers. Loki Mode must ship deployment, dashboard, and Figma integration.
 
-**Long-term (24 months):** High convergence risk -- all platforms will trend toward autonomous, production-grade, multi-agent systems. Loki Mode's quality gates, memory system, and brownfield support will be critical differentiators. The open-source model is an enduring advantage if the community grows.
+**Long-term (24 months):** High convergence risk -- all platforms will trend toward autonomous, production-grade, multi-agent systems. Loki Mode's quality gates, memory system, and brownfield support will be critical differentiators. The source-available, self-hostable model is an enduring advantage if the community grows.
 
 ---
 

package/docs/enterprise/security.md

@@ -68,11 +68,51 @@ For organizations using identity providers (Okta, Auth0, Azure AD), Loki Mode su
 ```bash
 export LOKI_OIDC_ISSUER="https://your-idp.okta.com/oauth2/default"
 export LOKI_OIDC_CLIENT_ID="your-client-id"
-export LOKI_OIDC_CLIENT_SECRET="your-client-secret"
-export LOKI_OIDC_REDIRECT_URI="http://localhost:57374/auth/callback"
+# Optional: audience override (defaults to LOKI_OIDC_CLIENT_ID)
+export LOKI_OIDC_AUDIENCE="your-api-audience"
 ```
 
-The system validates OIDC tokens against the issuer's JWKS endpoint and maps claims to Loki Mode roles.
+The system validates OIDC bearer tokens (presented as `Authorization: Bearer <jwt>`)
+against the issuer's JWKS endpoint. When PyJWT + cryptography are installed, the
+JWT signature is cryptographically verified (RS256/RS384/RS512) along with the
+issuer, audience, and expiry. Without PyJWT, tokens are rejected unless
+`LOKI_OIDC_SKIP_SIGNATURE_VERIFY=true` is set explicitly (insecure, local testing
+only).
+
+**Claims-to-roles mapping:**
+
+On a valid token, role/group claims are mapped to the four built-in Loki roles
+(`admin`, `operator`, `viewer`, `auditor`). The resolved role's scopes are then
+enforced through the same scope hierarchy used for API tokens. OIDC users are
+NOT granted full access by default.
+
+Recognized claim sources (case-insensitive; values may be a string,
+space-separated string, or list):
+
+| Claim | Provider |
+|-------|----------|
+| value of `LOKI_OIDC_ROLES_CLAIM` (supports dotted paths, e.g. `realm_access.roles`) | configurable |
+| `roles` | generic |
+| `groups` | generic |
+| `realm_access.roles` | Keycloak |
+| `cognito:groups` | AWS Cognito |
+
+Only claim values that exactly match a built-in role name (`admin`, `operator`,
+`viewer`, `auditor`) grant that role. Arbitrary group names (common in `groups`
+or `cognito:groups`) do not map to a role and fall through to the default.
+
+When multiple recognized roles are present, the highest-privilege match wins
+(precedence: `admin` > `operator` > `auditor` > `viewer`).
+
+**Default role (when no recognized role claim is present):**
+
+```bash
+# Defaults to the least-privileged role (viewer). Never admin.
+export LOKI_OIDC_DEFAULT_ROLE="viewer"
+```
+
+If `LOKI_OIDC_DEFAULT_ROLE` is unset or set to an unrecognized value, it falls
+back to `viewer`. The default is never `admin` / full access.
 
 ## Authorization
 

package/docs/show-hn-post.md

@@ -24,7 +24,7 @@ I built Loki Mode because I got tired of the copy-paste loop between AI coding a
 
 **Test suite:** 683 npm tests, 631 pytest tests, 16 shell tests. Self-reported HumanEval score of 162/164 (98.78%).
 
-Built solo. MIT licensed.
+Built solo. BUSL-1.1 source-available.
 
 ## Try it
 

package/loki-ts/dist/loki.js

@@ -1,5 +1,5 @@
 // @bun
-var n6=Object.defineProperty;var a6=($)=>$;function s6($,Q){this[$]=a6.bind(null,Q)}var h=($,Q)=>{for(var Z in Q)n6($,Z,{get:Q[Z],enumerable:!0,configurable:!0,set:s6.bind(Q,Z)})};var L=($,Q)=>()=>($&&(Q=$($=0)),Q);var K$=import.meta.require;var S1={};h(S1,{lokiDir:()=>P,homeLokiDir:()=>o$,findRepoRootForVersion:()=>d$,REPO_ROOT:()=>m});import{resolve as n,dirname as l$}from"path";import{fileURLToPath as t6}from"url";import{existsSync as P$}from"fs";import{homedir as r6}from"os";function i6(){let $=N1;for(let Q=0;Q<6;Q++){if(P$(n($,"VERSION"))&&P$(n($,"autonomy/run.sh")))return $;let Z=l$($);if(Z===$)break;$=Z}return n(N1,"..","..","..")}function d$($){let Q=$;for(let Z=0;Z<6;Z++){if(P$(n(Q,"VERSION"))&&P$(n(Q,"autonomy/run.sh")))return Q;let z=l$(Q);if(z===Q)break;Q=z}return n($,"..","..","..")}function P(){return process.env.LOKI_DIR??n(process.cwd(),".loki")}function o$(){return n(r6(),".loki")}var N1,m;var C=L(()=>{N1=l$(t6(import.meta.url));m=i6()});import{readFileSync as e6}from"fs";import{resolve as $Q,dirname as QQ}from"path";import{fileURLToPath as ZQ}from"url";function F$(){if($$!==null)return $$;let $="7.46.0";if(typeof $==="string"&&$.length>0)return $$=$,$$;try{let Q=QQ(ZQ(import.meta.url)),Z=d$(Q);$$=e6($Q(Z,"VERSION"),"utf-8").trim()}catch{$$="unknown"}return $$}var $$=null;var n$=L(()=>{C()});var C1={};h(C1,{runOrThrow:()=>zQ,run:()=>j,commandVersion:()=>KQ,commandExists:()=>f,ShellError:()=>a$});async function j($,Q={}){let Z=Bun.spawn({cmd:[...$],stdout:"pipe",stderr:"pipe",env:Q.env?{...process.env,...Q.env}:process.env,cwd:Q.cwd}),z,X;if(Q.timeoutMs&&Q.timeoutMs>0)z=setTimeout(()=>{try{Z.kill("SIGTERM")}catch{}X=setTimeout(()=>{try{Z.kill("SIGKILL")}catch{}},2000)},Q.timeoutMs);try{let[W,K,U]=await Promise.all([new Response(Z.stdout).text(),new Response(Z.stderr).text(),Z.exited]);return{stdout:W,stderr:K,exitCode:U}}finally{if(z)clearTimeout(z);if(X)clearTimeout(X)}}async function zQ($,Q={}){let Z=await j($,Q);if(Z.exitCode!==0)throw new a$(`command failed (${Z.exitCode}): ${$.join(" ")}`,Z.exitCode,Z.stdout,Z.stderr);return Z}async function f($){let Q=XQ($),Z=await j(["sh","-c",`command -v ${Q}`],{timeoutMs:5000});if(Z.exitCode===0)return Z.stdout.trim()||null;return null}function XQ($){if(!/^[A-Za-z0-9._/-]+$/.test($))throw Error(`refused to shell-escape suspect token: ${$}`);return $}async function KQ($,Q="--version"){if(!await f($))return null;let z=await j([$,Q],{timeoutMs:5000});if(z.exitCode!==0)return null;return((z.stdout||z.stderr).split(/\r?\n/)[0]?.trim()??"")||null}var a$;var d=L(()=>{a$=class a$ extends Error{message;exitCode;stdout;stderr;constructor($,Q,Z,z){super($);this.message=$;this.exitCode=Q;this.stdout=Z;this.stderr=z;this.name="ShellError"}}});function a($){return WQ?"":$}var WQ,T,S,I,TZ,w,R,y,q;var c=L(()=>{WQ=(process.env.NO_COLOR??"").length>0;T=a("\x1B[0;31m"),S=a("\x1B[0;32m"),I=a("\x1B[1;33m"),TZ=a("\x1B[0;34m"),w=a("\x1B[0;36m"),R=a("\x1B[1m"),y=a("\x1B[2m"),q=a("\x1B[0m")});import{existsSync as TQ}from"fs";async function Q$(){if(B$!==void 0)return B$;let $="/opt/homebrew/bin/python3.12";if(TQ($))return B$=$,$;let Q=await f("python3.12");if(Q)return B$=Q,Q;let Z=await f("python3");return B$=Z,Z}async function Z$($,Q={}){let Z=await Q$();if(!Z)return{stdout:"",stderr:"python3 not found",exitCode:127};return j([Z,"-c",$],Q)}var B$;var W$=L(()=>{d()});var t1={};h(t1,{runStatus:()=>gQ});import{existsSync as v,readFileSync as U$,readdirSync as l1,statSync as d1}from"fs";import{resolve as D,basename as xQ}from"path";import{homedir as NQ}from"os";async function DQ(){if(await f("jq"))return!0;return process.stdout.write(`${T}Error: jq is required but not installed.${q}
+var n6=Object.defineProperty;var a6=($)=>$;function s6($,Q){this[$]=a6.bind(null,Q)}var h=($,Q)=>{for(var Z in Q)n6($,Z,{get:Q[Z],enumerable:!0,configurable:!0,set:s6.bind(Q,Z)})};var L=($,Q)=>()=>($&&(Q=$($=0)),Q);var K$=import.meta.require;var S1={};h(S1,{lokiDir:()=>P,homeLokiDir:()=>o$,findRepoRootForVersion:()=>d$,REPO_ROOT:()=>m});import{resolve as n,dirname as l$}from"path";import{fileURLToPath as t6}from"url";import{existsSync as P$}from"fs";import{homedir as r6}from"os";function i6(){let $=N1;for(let Q=0;Q<6;Q++){if(P$(n($,"VERSION"))&&P$(n($,"autonomy/run.sh")))return $;let Z=l$($);if(Z===$)break;$=Z}return n(N1,"..","..","..")}function d$($){let Q=$;for(let Z=0;Z<6;Z++){if(P$(n(Q,"VERSION"))&&P$(n(Q,"autonomy/run.sh")))return Q;let z=l$(Q);if(z===Q)break;Q=z}return n($,"..","..","..")}function P(){return process.env.LOKI_DIR??n(process.cwd(),".loki")}function o$(){return n(r6(),".loki")}var N1,m;var C=L(()=>{N1=l$(t6(import.meta.url));m=i6()});import{readFileSync as e6}from"fs";import{resolve as $Q,dirname as QQ}from"path";import{fileURLToPath as ZQ}from"url";function F$(){if($$!==null)return $$;let $="7.47.0";if(typeof $==="string"&&$.length>0)return $$=$,$$;try{let Q=QQ(ZQ(import.meta.url)),Z=d$(Q);$$=e6($Q(Z,"VERSION"),"utf-8").trim()}catch{$$="unknown"}return $$}var $$=null;var n$=L(()=>{C()});var C1={};h(C1,{runOrThrow:()=>zQ,run:()=>j,commandVersion:()=>KQ,commandExists:()=>f,ShellError:()=>a$});async function j($,Q={}){let Z=Bun.spawn({cmd:[...$],stdout:"pipe",stderr:"pipe",env:Q.env?{...process.env,...Q.env}:process.env,cwd:Q.cwd}),z,X;if(Q.timeoutMs&&Q.timeoutMs>0)z=setTimeout(()=>{try{Z.kill("SIGTERM")}catch{}X=setTimeout(()=>{try{Z.kill("SIGKILL")}catch{}},2000)},Q.timeoutMs);try{let[W,K,U]=await Promise.all([new Response(Z.stdout).text(),new Response(Z.stderr).text(),Z.exited]);return{stdout:W,stderr:K,exitCode:U}}finally{if(z)clearTimeout(z);if(X)clearTimeout(X)}}async function zQ($,Q={}){let Z=await j($,Q);if(Z.exitCode!==0)throw new a$(`command failed (${Z.exitCode}): ${$.join(" ")}`,Z.exitCode,Z.stdout,Z.stderr);return Z}async function f($){let Q=XQ($),Z=await j(["sh","-c",`command -v ${Q}`],{timeoutMs:5000});if(Z.exitCode===0)return Z.stdout.trim()||null;return null}function XQ($){if(!/^[A-Za-z0-9._/-]+$/.test($))throw Error(`refused to shell-escape suspect token: ${$}`);return $}async function KQ($,Q="--version"){if(!await f($))return null;let z=await j([$,Q],{timeoutMs:5000});if(z.exitCode!==0)return null;return((z.stdout||z.stderr).split(/\r?\n/)[0]?.trim()??"")||null}var a$;var d=L(()=>{a$=class a$ extends Error{message;exitCode;stdout;stderr;constructor($,Q,Z,z){super($);this.message=$;this.exitCode=Q;this.stdout=Z;this.stderr=z;this.name="ShellError"}}});function a($){return WQ?"":$}var WQ,T,S,I,TZ,w,R,y,q;var c=L(()=>{WQ=(process.env.NO_COLOR??"").length>0;T=a("\x1B[0;31m"),S=a("\x1B[0;32m"),I=a("\x1B[1;33m"),TZ=a("\x1B[0;34m"),w=a("\x1B[0;36m"),R=a("\x1B[1m"),y=a("\x1B[2m"),q=a("\x1B[0m")});import{existsSync as TQ}from"fs";async function Q$(){if(B$!==void 0)return B$;let $="/opt/homebrew/bin/python3.12";if(TQ($))return B$=$,$;let Q=await f("python3.12");if(Q)return B$=Q,Q;let Z=await f("python3");return B$=Z,Z}async function Z$($,Q={}){let Z=await Q$();if(!Z)return{stdout:"",stderr:"python3 not found",exitCode:127};return j([Z,"-c",$],Q)}var B$;var W$=L(()=>{d()});var t1={};h(t1,{runStatus:()=>gQ});import{existsSync as v,readFileSync as U$,readdirSync as l1,statSync as d1}from"fs";import{resolve as D,basename as xQ}from"path";import{homedir as NQ}from"os";async function DQ(){if(await f("jq"))return!0;return process.stdout.write(`${T}Error: jq is required but not installed.${q}
 `),process.stdout.write(`Install with:
 `),process.stdout.write(`  brew install jq    (macOS)
 `),process.stdout.write(`  apt install jq     (Debian/Ubuntu)
@@ -789,4 +789,4 @@ Set LOKI_LEGACY_BASH=1 to force the bash CLI for every command.
 `),2}default:return process.stderr.write(`Unknown command: ${Q}
 `),process.stderr.write(o6),2}}p1();process.on("SIGINT",()=>process.exit(130));process.on("SIGTERM",()=>process.exit(143));var ZZ=await QZ(Bun.argv.slice(2));process.exit(ZZ);
 
-//# debugId=7B01911F8947B6CD64756E2164756E21
+//# debugId=3DD935606FD979EE64756E2164756E21

package/mcp/__init__.py

@@ -57,4 +57,4 @@ try:
 except ImportError:
     __all__ = ['mcp']
 
-__version__ = '7.46.0'
+__version__ = '7.47.0'

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "loki-mode",
   "mcpName": "io.github.asklokesh/loki-mode",
-  "version": "7.46.0",
+  "version": "7.47.0",
   "description": "Loki Mode by Autonomi. Autonomous spec-to-product system: takes a PRD, GitHub issue, OpenAPI/JSON/YAML, or one-line brief to a deployed app via the RARV-C closure loop with 8 quality gates. Provider-agnostic (Claude Code, OpenAI Codex, Cline, Aider).",
   "keywords": [
     "agent",