loki-mode 7.46.0 → 7.48.0

package/README.md

@@ -502,4 +502,4 @@ See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.
 
 ## Star History
 
-[![Star History Chart](https://api.star-history.com/chart?repos=asklokesh/loki-mode&type=timeline&logscale&legend=bottom-right)](https://www.star-history.com/?repos=asklokesh%2Floki-mode&type=timeline&logscale=&legend=bottom-right)
+[![Star History Chart](https://api.star-history.com/chart?repos=asklokesh/loki-mode&type=timeline&legend=bottom-right)](https://www.star-history.com/?repos=asklokesh%2Floki-mode&type=timeline&legend=bottom-right)

package/SKILL.md

@@ -3,7 +3,7 @@ name: loki-mode
 description: Autonomous spec-driven build system with a built-in trust layer. It does not call work done until it is verified (RARV-C closure loop, 8 quality gates, completion council, verified-completion evidence gate). Triggers on "Loki Mode". Takes a spec (PRD, GitHub issue, OpenAPI doc, etc.) to deployed product with minimal human intervention. Provider-agnostic. Requires --dangerously-skip-permissions flag.
 ---
 
-# Loki Mode v7.46.0
+# Loki Mode v7.48.0
 
 **You are an autonomous agent. You make decisions. You do not ask questions. You do not stop.**
 
@@ -407,4 +407,4 @@ See `CHANGELOG.md` entries [7.5.7], [7.5.8], [7.5.13] for the per-fix list and r
 
 ---
 
-**v7.46.0 | [Autonomi](https://www.autonomi.dev/) flagship product | ~260 lines core**
+**v7.48.0 | [Autonomi](https://www.autonomi.dev/) flagship product | ~260 lines core**

package/VERSION

@@ -1 +1 @@
-7.46.0
+7.48.0

package/autonomy/completion-council.sh

@@ -1721,6 +1721,111 @@ EVIDENCE_EOF
     return 1
 }
 
+#===============================================================================
+# P2-2 Assumption ledger gate (spec-robustness).
+#
+# Blocks completion while any high-severity assumption is unresolved, where
+# unresolved means: severity=high AND confirmed=false AND acknowledged=false.
+# This is the completion-side teeth for the spec-interrogation feature: when the
+# spec was ambiguous and Loki had to assume something high-impact, "done" cannot
+# be declared until that assumption has at least been acknowledged (auto-ack
+# lifecycle in run.sh, default-on) or human-confirmed
+# (LOKI_ASSUMPTIONS_REQUIRE_CONFIRM=1).
+#
+# By-design timing: in DEFAULT autonomous mode run.sh auto-acknowledges entries
+# every iteration right after injecting them into the build prompt, so by the
+# time the council reaches this gate (>= COUNCIL_MIN_ITERATIONS) they are already
+# acknowledged and the gate passes. That is intentional: a permanent block on
+# "unconfirmed" in a non-TTY run would just die at max-iterations and never reach
+# the proof-of-done. The PERSISTENT block lives in the
+# LOKI_ASSUMPTIONS_REQUIRE_CONFIRM=1 path (auto-ack disabled, only human
+# confirmed=true clears it). In BOTH modes the assumptions are unconditionally
+# SURFACED in proof-of-done (build_completion_summary reads counts ignoring
+# ack/confirm state), so "done" always means "done, plus here is what I assumed."
+#
+# The block COUNT comes from spec_ledger_high_unresolved_count() in
+# autonomy/spec-interrogation.sh. The gate sources that module if it is not
+# already loaded, so it works both inside run.sh (already sourced) and in
+# standalone tests (sources it here). When the module / ledger is absent the
+# count is 0 and the gate passes -- a project with no recorded assumptions is
+# never blocked (no spurious block on clean specs).
+#
+# Mirrors council_evidence_gate: opt-out knob first, defensive COUNCIL_STATE_DIR
+# default, writes .loki/council/assumption-block.json on block (removed on pass).
+#
+# Returns 0 (pass / OK to complete) or 1 (block / CONTINUE).
+#===============================================================================
+council_assumption_ledger_gate() {
+    # Knob first: opt-out is exact-as-today, before any file read or write.
+    [ "${LOKI_ASSUMPTION_GATE:-1}" = "0" ] && return 0
+
+    if [ -z "${COUNCIL_STATE_DIR:-}" ]; then
+        COUNCIL_STATE_DIR="${TARGET_DIR:-.}/.loki/council"
+    fi
+
+    # Source the spec-interrogation module if its counter is not already defined
+    # (standalone tests / completion-promise route). Best-effort.
+    if ! type spec_ledger_high_unresolved_count >/dev/null 2>&1; then
+        local _si_helper
+        _si_helper="$(dirname "${BASH_SOURCE[0]}")/spec-interrogation.sh"
+        if [ -f "$_si_helper" ]; then
+            # shellcheck disable=SC1090
+            . "$_si_helper" 2>/dev/null || true
+        fi
+    fi
+
+    # No module => no ledger => nothing to block on (pass-through).
+    if ! type spec_ledger_high_unresolved_count >/dev/null 2>&1; then
+        if [ -f "$COUNCIL_STATE_DIR/assumption-block.json" ]; then
+            rm -f "$COUNCIL_STATE_DIR/assumption-block.json"
+        fi
+        return 0
+    fi
+
+    local unresolved
+    unresolved="$(spec_ledger_high_unresolved_count 2>/dev/null || echo 0)"
+    # Defensive: coerce to an integer.
+    case "$unresolved" in
+        ''|*[!0-9]*) unresolved=0 ;;
+    esac
+
+    if [ "$unresolved" -eq 0 ]; then
+        # Gate passes: remove any stale block report.
+        if [ -f "$COUNCIL_STATE_DIR/assumption-block.json" ]; then
+            rm -f "$COUNCIL_STATE_DIR/assumption-block.json"
+        fi
+        return 0
+    fi
+
+    log_warn "[Council] Assumption ledger gate BLOCKED: ${unresolved} high-severity spec assumption(s) unresolved (the spec was ambiguous in ${unresolved} high-impact place(s))."
+    log_warn "[Council] Resolve by confirming them in .loki/assumptions/ (set confirmed=true), or opt out with LOKI_ASSUMPTION_GATE=0."
+
+    mkdir -p "$COUNCIL_STATE_DIR" 2>/dev/null || true
+    local ab_file="$COUNCIL_STATE_DIR/assumption-block.json"
+    local ab_tmp="${ab_file}.tmp"
+    local timestamp
+    timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+    cat > "$ab_tmp" << ASSUMPTION_EOF
+{
+    "status": "blocked",
+    "blocked": true,
+    "blocked_at": "$timestamp",
+    "iteration": ${ITERATION_COUNT:-0},
+    "reason": "high_severity_assumptions_unresolved",
+    "high_unresolved": $unresolved
+}
+ASSUMPTION_EOF
+    mv "$ab_tmp" "$ab_file" 2>/dev/null || rm -f "$ab_tmp" 2>/dev/null || true
+
+    if type record_trust_event_bash &>/dev/null; then
+        record_trust_event_bash "assumption_block" \
+            "high_unresolved=$unresolved" \
+            >/dev/null 2>&1 || true
+    fi
+
+    return 1
+}
+
 #===============================================================================
 # Council Member Review - Individual member evaluation
 #===============================================================================
@@ -2512,6 +2617,14 @@ council_evaluate() {
         return 1  # CONTINUE - cannot complete without real evidence
     fi
 
+    # P2-2: assumption ledger gate - block completion while high-severity spec
+    # assumptions are unresolved (the spec was ambiguous in a high-impact place
+    # and Loki had to assume something that has not been acknowledged/confirmed).
+    if ! council_assumption_ledger_gate; then
+        log_info "[Council] Completion blocked by assumption ledger gate"
+        return 1  # CONTINUE - cannot complete with unresolved high-sev assumptions
+    fi
+
     # Compute threshold using the same ceiling(2/3) formula as council_vote and council_aggregate_votes
     local _eval_threshold=$(( (COUNCIL_SIZE * 2 + 2) / 3 ))
 

package/autonomy/crash.sh

@@ -1,19 +1,27 @@
 #!/usr/bin/env bash
 # Loki Mode crash-reporting bash helpers (Phase 0: local-only, zero egress).
 #
-# This module is the single source of truth for the unified opt-out that gates
-# BOTH PostHog usage telemetry and local crash capture. It is sourceable for
-# helpers only; it executes nothing on source.
+# This module is the single source of truth for the unified OPT-IN gate that
+# controls BOTH PostHog usage telemetry and local crash capture. It is
+# sourceable for helpers only; it executes nothing on source.
 #
-# Opt-out (any one disables collection):
+# Collection is OPT-IN and OFF by default. Nothing is collected, written, or
+# sent unless the user explicitly opts in. A default install cannot phone home,
+# which makes air-gapped, GDPR, and FedRAMP deployments safe out of the box.
+#
+# Opt-in (collection is enabled ONLY when one of these is present):
+#   - LOKI_TELEMETRY=on             (case-insensitive, exact word "on")
+#   - ~/.loki/config line: TELEMETRY_ENABLED=true   (written by: loki telemetry on)
+#
+# Opt-out always wins over opt-in (belt and suspenders for users who set both):
 #   - LOKI_TELEMETRY=off            (case-insensitive)
 #   - LOKI_TELEMETRY_DISABLED=true
 #   - DO_NOT_TRACK=1
 #   - ~/.loki/config line: TELEMETRY_DISABLED=true
 #
 # All capture is best-effort: it never blocks the parent and always returns 0.
-# Phase 0 has zero network egress, so local capture is always safe and useful
-# for the user to self-inspect what WOULD be sent.
+# Phase 0 has zero network egress; local capture is also gated by opt-in so a
+# default install writes nothing at all.
 
 # Double-source guard.
 if [ -n "${_LOKI_CRASH_SH_SOURCED:-}" ]; then
@@ -25,26 +33,42 @@ _LOKI_CRASH_SH_SOURCED=1
 _LOKI_CRASH_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 _LOKI_CRASH_CAPTURE_PY="${_LOKI_CRASH_DIR}/lib/crash_capture.py"
 
-# loki_collection_enabled: returns 0 (enabled) unless disabled by any switch.
-# This is the SINGLE source of truth for telemetry + crash collection state.
+# loki_collection_enabled: returns 0 (enabled) ONLY when the user has opted in
+# and has not also opted out. Opt-out always wins. Default is OFF (return 1).
+# This is the SINGLE source of truth for telemetry + crash collection state, and
+# its precedence MUST be mirrored by _is_enabled in dashboard/telemetry.py and
+# _loki_telemetry_enabled in autonomy/telemetry.sh.
+#
+# Precedence:
+#   1. Any opt-out flag present  -> OFF (hard kill, always wins)
+#   2. Else any opt-in flag present -> ON
+#   3. Else (default)            -> OFF (no egress, no local capture)
 loki_collection_enabled() {
-    # Env: LOKI_TELEMETRY=off (case-insensitive)
     local telem_lower
     telem_lower="$(printf '%s' "${LOKI_TELEMETRY:-}" | tr '[:upper:]' '[:lower:]')"
-    [ "$telem_lower" = "off" ] && return 1
 
+    # --- 1. Opt-out always wins ---
+    # Env: LOKI_TELEMETRY=off (case-insensitive)
+    [ "$telem_lower" = "off" ] && return 1
     # Env: LOKI_TELEMETRY_DISABLED=true
     [ "${LOKI_TELEMETRY_DISABLED:-}" = "true" ] && return 1
-
     # Env: DO_NOT_TRACK=1 (community standard)
     [ "${DO_NOT_TRACK:-}" = "1" ] && return 1
-
-    # Persistent opt-out in ~/.loki/config (matches autonomy/run.sh:643 format).
+    # Persistent opt-out in ~/.loki/config.
     if [ -f "${HOME}/.loki/config" ] && grep -q "^TELEMETRY_DISABLED=true" "${HOME}/.loki/config" 2>/dev/null; then
         return 1
     fi
 
-    return 0
+    # --- 2. Opt-in required to enable ---
+    # Env: LOKI_TELEMETRY=on (case-insensitive, exact word "on").
+    [ "$telem_lower" = "on" ] && return 0
+    # Persistent opt-in in ~/.loki/config (written by: loki telemetry on).
+    if [ -f "${HOME}/.loki/config" ] && grep -q "^TELEMETRY_ENABLED=true" "${HOME}/.loki/config" 2>/dev/null; then
+        return 0
+    fi
+
+    # --- 3. Default: OFF ---
+    return 1
 }
 
 # _loki_crash_python: resolve a python3 interpreter, or return 1 if absent.
@@ -144,15 +168,17 @@ loki_show_disclosure_once() {
         return 0
     fi
 
-    # Disclosure copy (plan section 6a, verbatim; no emojis, no em dashes).
+    # Disclosure copy (opt-in framing; no emojis, no em dashes).
     {
         echo ""
-        echo "Loki Mode auto-creates the issues you hit at github.com/asklokesh/loki-mode"
-        echo "and tries to auto-resolve them. If it cannot, we encourage you to open an"
-        echo "issue for anything causing hesitation."
-        echo "We send anonymous diagnostics only (os, arch, version, error type, sanitized"
-        echo "stack signatures). Never your code, prompts, paths, keys, or repo names."
-        echo "See docs/PRIVACY.md. Turn this off anytime with: loki telemetry off"
+        echo "Loki Mode anonymous diagnostics are OFF by default. Nothing is collected"
+        echo "or sent unless you opt in, so a default install sends us no telemetry"
+        echo "or diagnostics. Air-gapped and enterprise deployments are safe out of"
+        echo "the box."
+        echo "If you opt in, we send anonymous diagnostics only (os, arch, version,"
+        echo "error type, sanitized stack signatures). Never your code, prompts, paths,"
+        echo "keys, or repo names."
+        echo "See docs/PRIVACY.md. Opt in anytime with: loki telemetry on"
         echo ""
     } >&2
 

package/autonomy/loki

@@ -4494,14 +4494,19 @@ cmd_dashboard_open() {
 
 # Welcome opener (the "magic opener"). Shows a branded welcome page in the
 # browser, or a terminal welcome when no browser is available (headless,
-# Docker, CI). Honors telemetry opt-out (LOKI_TELEMETRY_DISABLED / DO_NOT_TRACK):
-# when opted out, the page is loaded with ?telemetry=off so its form is
-# disabled and no analytics are ever sent.
+# Docker, CI). Analytics are OPT-IN and OFF by default: unless the user has
+# opted in via the unified gate (loki_collection_enabled), the page is loaded
+# with ?telemetry=off so its form is inert and no analytics are ever sent.
 WELCOME_MARKER="${HOME}/.loki/.welcomed"
 
-_loki_telemetry_off() {
-    [ "${LOKI_TELEMETRY_DISABLED:-}" = "true" ] && return 0
-    [ "${DO_NOT_TRACK:-}" = "1" ] && return 0
+# _loki_welcome_analytics_on: true only when the unified opt-in gate is on.
+# Falls back to "off" (no analytics) if the gate function is unavailable, which
+# keeps a default install from ever phoning home.
+_loki_welcome_analytics_on() {
+    if type loki_collection_enabled &>/dev/null; then
+        loki_collection_enabled && return 0
+        return 1
+    fi
     return 1
 }
 
@@ -4522,11 +4527,12 @@ cmd_welcome_terminal() {
     echo -e "  Quick start:  ${BOLD}loki start ./prd.md${NC}"
     echo -e "  Docs:         ${BOLD}https://www.autonomi.dev/docs${NC}"
     echo ""
-    if _loki_telemetry_off; then
-        echo -e "  ${DIM}Analytics are off for this session. Nothing is sent.${NC}"
+    if _loki_welcome_analytics_on; then
+        echo -e "  ${DIM}Anonymous usage analytics are ON (you opted in). We never collect${NC}"
+        echo -e "  ${DIM}prompts, PRDs, or code. Opt out: loki telemetry off${NC}"
     else
-        echo -e "  ${DIM}Anonymous usage analytics help us improve the product. We never${NC}"
-        echo -e "  ${DIM}collect prompts, PRDs, or code. Opt out: LOKI_TELEMETRY_DISABLED=true${NC}"
+        echo -e "  ${DIM}Anonymous analytics are off by default. Nothing is sent unless you${NC}"
+        echo -e "  ${DIM}opt in with: loki telemetry on${NC}"
     fi
     echo ""
 }
@@ -4537,14 +4543,16 @@ cmd_welcome() {
 
     local welcome_file="${SKILL_DIR}/assets/welcome/welcome.html"
 
-    # Build the file URL with params: version, opt-out, and the existing
+    # Build the file URL with params: version, opt-in state, and the existing
     # anonymous telemetry distinct-id (so browser + install share one id).
+    # Analytics are OFF by default: pass telemetry=off (inert form) UNLESS the
+    # user has opted in via the unified gate.
     local q="v=${ver}"
-    if _loki_telemetry_off; then
-        q="${q}&telemetry=off"
-    else
+    if _loki_welcome_analytics_on; then
         local idfile="${HOME}/.loki-telemetry-id"
         [ -f "$idfile" ] && q="${q}&did=$(cat "$idfile" 2>/dev/null | tr -d '[:space:]')"
+    else
+        q="${q}&telemetry=off"
     fi
 
     # Headless / Docker / CI / no-browser: print the terminal welcome only.
@@ -19742,12 +19750,13 @@ try {
 
             # Unified collection state (PostHog usage telemetry + crash reporting).
             # loki_collection_enabled is the single source of truth (crash.sh).
+            # Collection is OPT-IN: OFF by default, enabled only after opt-in.
             echo ""
             if type loki_collection_enabled &>/dev/null; then
                 if loki_collection_enabled; then
-                    echo -e "  Collection: ${GREEN}enabled${NC} (anonymous diagnostics; turn off with: loki telemetry off)"
+                    echo -e "  Collection: ${GREEN}enabled${NC} (you opted in; anonymous diagnostics; opt out with: loki telemetry off)"
                 else
-                    echo -e "  Collection: ${YELLOW}disabled${NC} (re-enable with: loki telemetry on)"
+                    echo -e "  Collection: ${YELLOW}off by default${NC} (nothing sent; opt in with: loki telemetry on)"
                 fi
             fi
 
@@ -19828,13 +19837,17 @@ TELEM_DISABLE_PY
         stop|off)
             # Persistent opt-out across all sessions. This is the unified
             # opt-out: it gates BOTH PostHog usage telemetry AND crash reporting.
+            # Collection is opt-in (off by default), so this is mainly belt and
+            # suspenders for users who previously opted in: it removes the
+            # positive consent marker AND writes a hard opt-out that always wins.
             local global_config="${HOME}/.loki/config"
             mkdir -p "${HOME}/.loki"
 
-            # Remove existing TELEMETRY_DISABLED line if present, then add
-            # (idempotent).
+            # Remove existing TELEMETRY_ENABLED and TELEMETRY_DISABLED lines so we
+            # never end up with both, then add the opt-out (idempotent).
             if [ -f "$global_config" ]; then
-                grep -v "^TELEMETRY_DISABLED=" "$global_config" > "${global_config}.tmp" 2>/dev/null || true
+                grep -v "^TELEMETRY_ENABLED=" "$global_config" \
+                    | grep -v "^TELEMETRY_DISABLED=" > "${global_config}.tmp" 2>/dev/null || true
                 mv "${global_config}.tmp" "$global_config"
             fi
             echo "TELEMETRY_DISABLED=true" >> "$global_config"
@@ -19843,20 +19856,27 @@ TELEM_DISABLE_PY
             echo ""
             echo "  Opt-out saved to: $global_config"
             echo "  This persists across all sessions and new runs."
-            echo "  Run 'loki telemetry on' to re-enable."
+            echo "  Run 'loki telemetry on' to opt back in."
             ;;
 
         start|on)
-            # Remove persistent opt-out
+            # Persistent OPT-IN across all sessions. Collection is off by default;
+            # this records explicit consent that the unified gate reads. Remove any
+            # prior opt-out and the old marker, then write the positive consent.
             local global_config="${HOME}/.loki/config"
+            mkdir -p "${HOME}/.loki"
             if [ -f "$global_config" ]; then
-                grep -v "^TELEMETRY_DISABLED=" "$global_config" > "${global_config}.tmp" 2>/dev/null || true
+                grep -v "^TELEMETRY_ENABLED=" "$global_config" \
+                    | grep -v "^TELEMETRY_DISABLED=" > "${global_config}.tmp" 2>/dev/null || true
                 mv "${global_config}.tmp" "$global_config"
             fi
+            echo "TELEMETRY_ENABLED=true" >> "$global_config"
 
-            echo -e "${BOLD}Telemetry and crash reporting re-enabled${NC}"
+            echo -e "${BOLD}Telemetry and crash reporting enabled${NC}"
             echo ""
-            echo "  Anonymous diagnostics collection is on again."
+            echo "  Opt-in saved to: $global_config"
+            echo "  Anonymous diagnostics collection is now ON for this user."
+            echo "  Run 'loki telemetry off' to opt back out at any time."
             echo "  OTEL tracing can be configured with 'loki telemetry enable [endpoint]'."
             ;;
 
@@ -19869,10 +19889,13 @@ TELEM_DISABLE_PY
             echo "  status              Show OTEL config + collection state + pending crash reports"
             echo "  enable [endpoint]   Enable OTEL (default: http://localhost:4318)"
             echo "  disable             Disable OTEL for current project"
+            echo "  on                  Opt in to anonymous diagnostics (off by default)"
             echo "  off                 Opt out of all anonymous diagnostics (telemetry + crash)"
-            echo "  on                  Re-enable anonymous diagnostics"
-            echo "  stop                Alias for 'off' (permanent opt-out across all sessions)"
-            echo "  start               Alias for 'on' (remove persistent opt-out)"
+            echo "  start               Alias for 'on' (persistent opt-in across all sessions)"
+            echo "  stop                Alias for 'off' (persistent opt-out across all sessions)"
+            echo ""
+            echo "Anonymous diagnostics are OFF by default. Nothing is collected or"
+            echo "sent unless you opt in. See docs/PRIVACY.md for the full disclosure."
             echo ""
             ;;
         *)