loki-mode 7.48.0 → 7.49.0

package/SKILL.md

@@ -3,7 +3,7 @@ name: loki-mode
 description: Autonomous spec-driven build system with a built-in trust layer. It does not call work done until it is verified (RARV-C closure loop, 8 quality gates, completion council, verified-completion evidence gate). Triggers on "Loki Mode". Takes a spec (PRD, GitHub issue, OpenAPI doc, etc.) to deployed product with minimal human intervention. Provider-agnostic. Requires --dangerously-skip-permissions flag.
 ---
 
-# Loki Mode v7.48.0
+# Loki Mode v7.49.0
 
 **You are an autonomous agent. You make decisions. You do not ask questions. You do not stop.**
 
@@ -407,4 +407,4 @@ See `CHANGELOG.md` entries [7.5.7], [7.5.8], [7.5.13] for the per-fix list and r
 
 ---
 
-**v7.48.0 | [Autonomi](https://www.autonomi.dev/) flagship product | ~260 lines core**
+**v7.49.0 | [Autonomi](https://www.autonomi.dev/) flagship product | ~260 lines core**

package/VERSION

@@ -1 +1 @@
-7.48.0
+7.49.0

package/autonomy/completion-council.sh

@@ -1569,6 +1569,19 @@ council_evidence_gate() {
     local test_fails="false"
     local test_runner="none"
     local test_pass="true"
+    # P1-1 (evidence-gate loophole): track WHY the test signal is not conclusive
+    # positive evidence, mirroring diff_inconclusive. A project that ran NO test
+    # suite (runner=="none") must NOT count as affirmative "tests are green"
+    # evidence -- absence of tests is not proof of correctness. We classify it as
+    # INCONCLUSIVE (not FAIL: a no-tests project is still allowed to complete, it
+    # just may not lean on tests as positive proof), so the no-tests "done" routes
+    # to the completion council's affirmative vote instead of silently passing on
+    # diff-alone. test_inconclusive is pass-through by construction: it never sets
+    # test_fails and never writes evidence-block.json, exactly like
+    # diff_inconclusive. Opt-out (LOKI_EVIDENCE_NO_TESTS_AFFIRMATIVE=1) reverts to
+    # the historical behavior where runner=="none" was an affirmative PASS.
+    local test_inconclusive="false"
+    local test_inconclusive_reason=""
     if [ -f "$tr_file" ]; then
         local test_status
         test_status=$(_TR_FILE="$tr_file" python3 -c "
@@ -1597,9 +1610,25 @@ else:
             test_fails="true"
         fi
         # INCONCLUSIVE => test_fails stays "false" => pass-through.
+        # No test suite ran: a present results file that records runner=="none"
+        # is not affirmative evidence. Route to council (inconclusive), not a
+        # silent diff-alone pass. Default-on; LOKI_EVIDENCE_NO_TESTS_AFFIRMATIVE=1
+        # restores the old affirmative-PASS behavior.
+        if [ "$test_runner" = "none" ] && [ "${LOKI_EVIDENCE_NO_TESTS_AFFIRMATIVE:-0}" != "1" ]; then
+            test_inconclusive="true"
+            test_inconclusive_reason="no_test_runner"
+        fi
+    else
+        # Missing test-results.json: no suite was recorded at all. Like the
+        # runner=="none" case this is not affirmative evidence, so classify it
+        # inconclusive (still pass-through: test_fails stays "false"). Preserves
+        # the historical "no file = no gate" non-blocking behavior while making
+        # the absence auditable instead of silently affirmative.
+        if [ "${LOKI_EVIDENCE_NO_TESTS_AFFIRMATIVE:-0}" != "1" ]; then
+            test_inconclusive="true"
+            test_inconclusive_reason="no_test_results"
+        fi
     fi
-    # Missing test-results.json (the else of the -f check) likewise leaves
-    # test_fails="false" => inconclusive => pass-through (no file = no gate).
 
     # --- v7.28.0: inconclusive-baseline lifecycle -------------------------------
     # When the gate cannot establish a diff baseline (no git repo, or no run-start
@@ -1635,12 +1664,63 @@ INCONCLUSIVE_EOF
         fi
     fi
 
+    # --- P1-1: durable, auditable evidence-gate details -------------------------
+    # Persist the full evidence picture on EVERY gate run (pass and block) so any
+    # completion claim is auditable after the fact: diff status, test runner +
+    # status, both inconclusive reasons, and the final verdict. Atomic temp+mv,
+    # under .loki/council/ (already excluded from the diff union by the gate's own
+    # ^\.loki/ filter, so it never makes the gate toothless). Best-effort: a write
+    # failure never changes the gate's decision. _write_evidence_details <verdict>
+    # where verdict is one of pass|block (the caller passes the decided verdict).
+    _write_evidence_details() {
+        local _verdict="$1"
+        mkdir -p "$COUNCIL_STATE_DIR" 2>/dev/null || true
+        local _det_file="$COUNCIL_STATE_DIR/evidence-gate-details.json"
+        local _det_tmp="${_det_file}.tmp"
+        local _det_ts
+        _det_ts=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+        local _diff_ok _tests_ok
+        if [ "$diff_fails" = "true" ]; then _diff_ok="false"; else _diff_ok="true"; fi
+        if [ "$test_fails" = "true" ]; then _tests_ok="false"; else _tests_ok="true"; fi
+        cat > "$_det_tmp" << DETAILS_EOF
+{
+    "recorded_at": "$_det_ts",
+    "iteration": ${ITERATION_COUNT:-0},
+    "verdict": "$_verdict",
+    "diff": {
+        "ok": $_diff_ok,
+        "base_sha": "${base_sha:-}",
+        "files_changed": $diff_files,
+        "inconclusive": $diff_inconclusive,
+        "inconclusive_reason": "$diff_inconclusive_reason"
+    },
+    "tests": {
+        "ok": $_tests_ok,
+        "runner": "$test_runner",
+        "pass": $test_pass,
+        "inconclusive": $test_inconclusive,
+        "inconclusive_reason": "$test_inconclusive_reason"
+    }
+}
+DETAILS_EOF
+        mv "$_det_tmp" "$_det_file" 2>/dev/null || rm -f "$_det_tmp" 2>/dev/null || true
+    }
+
     # --- Block decision: block iff DIFF FAILS or TEST FAILS ---
     if [ "$diff_fails" != "true" ] && [ "$test_fails" != "true" ]; then
         # Gate passes: remove any stale block report.
         if [ -f "$COUNCIL_STATE_DIR/evidence-block.json" ]; then
             rm -f "$COUNCIL_STATE_DIR/evidence-block.json"
         fi
+        # P1-1: when the gate passes ONLY because no test suite ran, say so out
+        # loud. The pass is pass-through (no-tests must not deadlock), but a
+        # completion that is not backed by any test evidence should never slip by
+        # silently. The durable detail is in evidence-gate-details.json; this is
+        # the human-visible honesty at the pass site.
+        if [ "$test_inconclusive" = "true" ]; then
+            log_warn "[Council] Evidence gate: completion not backed by test evidence (${test_inconclusive_reason}). Pass-through; set LOKI_EVIDENCE_NO_TESTS_AFFIRMATIVE=1 to treat no-tests as affirmative."
+        fi
+        _write_evidence_details "pass"
         return 0
     fi
 
@@ -1718,6 +1798,9 @@ EVIDENCE_EOF
             >/dev/null 2>&1 || true
     fi
 
+    # P1-1: durable audit record for the block path too (see _write_evidence_details).
+    _write_evidence_details "block"
+
     return 1
 }
 

package/dashboard/__init__.py

@@ -7,7 +7,7 @@ Modules:
     control: Session control API (start/stop/pause/resume)
 """
 
-__version__ = "7.48.0"
+__version__ = "7.49.0"
 
 # Expose the control app for easy import
 try:

package/dashboard/api_v2.py

@@ -20,6 +20,7 @@ from typing import Any, Optional
 from fastapi import APIRouter, Depends, HTTPException, Query, Request
 from fastapi.responses import StreamingResponse
 from pydantic import BaseModel, Field
+from sqlalchemy import select
 from sqlalchemy.ext.asyncio import AsyncSession
 
 from . import auth
@@ -28,6 +29,7 @@ from . import api_keys
 from . import tenants as tenants_mod
 from . import runs as runs_mod
 from .database import get_db
+from .models import Project, Run
 
 
 # ---------------------------------------------------------------------------
@@ -120,6 +122,178 @@ def _audit_context(request: Request, token_info: Optional[dict] = None) -> dict:
     }
 
 
+# ---------------------------------------------------------------------------
+# Tenant isolation (P3-7)
+# ---------------------------------------------------------------------------
+#
+# The audit (backlog P3-7) flagged that API-level cross-tenant access was NOT
+# enforced: any authenticated caller with the `read` scope could list every
+# tenant and read any tenant's projects, regardless of which tenant they
+# belong to. A caller authenticated for tenant A could read tenant B's data.
+#
+# The caller's tenant MUST come from the trusted, server-validated token --
+# never from a client-supplied request header, which the caller could simply
+# set to a victim tenant's id and bypass the boundary entirely. The auth layer
+# (dashboard/auth.py) has no dedicated tenant field, but a validated token's
+# `scopes` list IS trusted: it is returned by validate_token() (from the
+# server-side token store) and by validate_oidc_token() (from
+# cryptographically/issuer-validated claims). We therefore bind a token to a
+# tenant via a `tenant:<id>` scope, parsed out of token_info["scopes"]. To
+# scope a token to tenant 5, mint it with that scope in its scope list, e.g.
+# via the API-key endpoint or auth.generate_token:
+#
+#     POST /api/v2/api-keys  {"name": "...", "scopes": ["read", "tenant:5"]}
+#     auth.generate_token(name="...", scopes=["read", "tenant:5"])
+#
+# A token's scopes decide crossing rights:
+#
+#   * A global admin (scope `*`, i.e. the admin role) may cross any tenant.
+#   * A non-admin token is pinned to the tenant in its `tenant:<id>` scope;
+#     a request that targets a different tenant is denied with 403.
+#   * When auth is disabled (no enterprise token auth and no OIDC) there is no
+#     caller identity to isolate -- this is single-user local mode -- so access
+#     is not restricted.
+#
+# This boundary is deliberately fail-closed for authenticated non-admin
+# callers: a token with no `tenant:<id>` scope cannot reach ANY tenant-scoped
+# resource (every cross-tenant check fails), so an un-scoped token is not
+# silently granted access to a tenant it was never bound to.
+
+TENANT_SCOPE_PREFIX = "tenant:"
+
+
+class TenantContext:
+    """Resolved tenant boundary for the current caller.
+
+    Attributes:
+        tenant_id: The tenant the caller's token is bound to (parsed from its
+            trusted `tenant:<id>` scope), or None if the token carries no
+            tenant scope.
+        is_global_admin: True if the caller holds admin scope and may
+            legitimately cross tenant boundaries.
+        auth_enabled: True if any auth method (token or OIDC) is active.
+    """
+
+    __slots__ = ("tenant_id", "is_global_admin", "auth_enabled")
+
+    def __init__(
+        self,
+        tenant_id: Optional[int],
+        is_global_admin: bool,
+        auth_enabled: bool,
+    ) -> None:
+        self.tenant_id = tenant_id
+        self.is_global_admin = is_global_admin
+        self.auth_enabled = auth_enabled
+
+    def enforce(self, target_tenant_id: int) -> None:
+        """Raise 403 if the caller may not access the given tenant's resources.
+
+        A global admin may access any tenant. When auth is disabled there is
+        no caller to isolate, so access is allowed. Otherwise the caller's
+        token-bound tenant must exactly match the target tenant.
+        """
+        if self.is_global_admin or not self.auth_enabled:
+            return
+        if self.tenant_id is None or self.tenant_id != target_tenant_id:
+            raise HTTPException(
+                status_code=403,
+                detail="Cross-tenant access denied",
+            )
+
+
+def _tenant_id_from_token(token_info: Optional[dict]) -> Optional[int]:
+    """Extract the caller's tenant id from a validated token's scopes.
+
+    Looks for a single `tenant:<id>` scope in the (trusted) token scope list.
+    Returns None if the token carries no such scope. If the token carries
+    conflicting tenant scopes (more than one distinct tenant), access is
+    denied (403) rather than silently picking one.
+    """
+    if not token_info:
+        return None
+    found: set[int] = set()
+    for scope in token_info.get("scopes", []):
+        if isinstance(scope, str) and scope.startswith(TENANT_SCOPE_PREFIX):
+            raw = scope[len(TENANT_SCOPE_PREFIX):].strip()
+            try:
+                found.add(int(raw))
+            except (TypeError, ValueError):
+                # Malformed tenant scope -- ignore it (does not grant access).
+                continue
+    if not found:
+        return None
+    if len(found) > 1:
+        raise HTTPException(
+            status_code=403,
+            detail="Token carries conflicting tenant scopes",
+        )
+    return next(iter(found))
+
+
+def resolve_tenant_context(
+    token_info: Optional[dict] = Depends(auth.get_current_token),
+) -> TenantContext:
+    """FastAPI dependency that resolves the caller's tenant boundary.
+
+    The caller's tenant is derived solely from the trusted, server-validated
+    token (its `tenant:<id>` scope); whether the caller is a global admin (and
+    may cross tenants) is read from the same token's scopes. No client-supplied
+    header is consulted, so a caller cannot impersonate another tenant.
+    """
+    auth_enabled = auth.is_enterprise_mode() or auth.is_oidc_mode()
+    is_global_admin = bool(token_info) and auth.has_scope(token_info, "admin")
+    tenant_id = _tenant_id_from_token(token_info)
+    return TenantContext(
+        tenant_id=tenant_id,
+        is_global_admin=is_global_admin,
+        auth_enabled=auth_enabled,
+    )
+
+
+async def _enforce_project_tenant(
+    db: AsyncSession, tenant_ctx: TenantContext, project_id: int
+) -> None:
+    """Enforce the tenant boundary for a project referenced by id.
+
+    Loads the project's tenant_id and applies tenant_ctx.enforce. A missing
+    project yields 404 (so existence is not leaked across tenants any more
+    than the boundary already allows). For a global admin / auth-disabled
+    caller this is a cheap pass-through that does not need the lookup.
+    """
+    if tenant_ctx.is_global_admin or not tenant_ctx.auth_enabled:
+        return
+    result = await db.execute(
+        select(Project.tenant_id).where(Project.id == project_id)
+    )
+    owner_tenant_id = result.scalar_one_or_none()
+    if owner_tenant_id is None:
+        raise HTTPException(status_code=404, detail="Project not found")
+    tenant_ctx.enforce(owner_tenant_id)
+
+
+async def _enforce_run_tenant(
+    db: AsyncSession, tenant_ctx: TenantContext, run_id: int
+) -> None:
+    """Enforce the tenant boundary for a run referenced by id.
+
+    A run belongs to a project, which belongs to a tenant. We resolve the
+    run -> project -> tenant chain and apply the boundary. A missing run
+    yields 404.
+    """
+    if tenant_ctx.is_global_admin or not tenant_ctx.auth_enabled:
+        return
+    result = await db.execute(
+        select(Project.tenant_id)
+        .join(Run, Run.project_id == Project.id)
+        .where(Run.id == run_id)
+    )
+    owner_tenant_id = result.scalar_one_or_none()
+    if owner_tenant_id is None:
+        raise HTTPException(status_code=404, detail="Run not found")
+    tenant_ctx.enforce(owner_tenant_id)
+
+
 # ===========================================================================
 # TENANT ENDPOINTS
 # ===========================================================================
@@ -149,18 +323,33 @@ async def create_tenant(
 @router.get("/tenants", dependencies=[Depends(auth.require_scope("read"))])
 async def list_tenants(
     db: AsyncSession = Depends(get_db),
+    tenant_ctx: TenantContext = Depends(resolve_tenant_context),
 ):
-    """List all tenants."""
+    """List tenants visible to the caller.
+
+    A global admin sees every tenant. A tenant-scoped caller sees only their
+    own tenant (and an empty list if the token carries no `tenant:<id>`
+    scope). When auth is disabled, all tenants are returned (single-user
+    local mode).
+    """
     items = await tenants_mod.list_tenants(db)
-    return [tenants_mod._tenant_to_response(t) for t in items]
+    if tenant_ctx.is_global_admin or not tenant_ctx.auth_enabled:
+        return [tenants_mod._tenant_to_response(t) for t in items]
+    return [
+        tenants_mod._tenant_to_response(t)
+        for t in items
+        if t.id == tenant_ctx.tenant_id
+    ]
 
 
 @router.get("/tenants/{tenant_id}", dependencies=[Depends(auth.require_scope("read"))])
 async def get_tenant(
     tenant_id: int,
     db: AsyncSession = Depends(get_db),
+    tenant_ctx: TenantContext = Depends(resolve_tenant_context),
 ):
-    """Get a tenant by ID."""
+    """Get a tenant by ID, scoped to the caller's tenant boundary."""
+    tenant_ctx.enforce(tenant_id)
     tenant = await tenants_mod.get_tenant(db, tenant_id)
     if tenant is None:
         raise HTTPException(status_code=404, detail="Tenant not found")
@@ -175,8 +364,10 @@ async def update_tenant(
     db: AsyncSession = Depends(get_db),
     _auth: None = Depends(auth.require_scope("control")),
     token_info: Optional[dict] = Depends(auth.get_current_token),
+    tenant_ctx: TenantContext = Depends(resolve_tenant_context),
 ):
     """Update an existing tenant."""
+    tenant_ctx.enforce(tenant_id)
     tenant = await tenants_mod.update_tenant(
         db, tenant_id,
         name=body.name, description=body.description, settings=body.settings,
@@ -199,8 +390,10 @@ async def delete_tenant(
     db: AsyncSession = Depends(get_db),
     _auth: None = Depends(auth.require_scope("control")),
     token_info: Optional[dict] = Depends(auth.get_current_token),
+    tenant_ctx: TenantContext = Depends(resolve_tenant_context),
 ):
     """Delete a tenant."""
+    tenant_ctx.enforce(tenant_id)
     deleted = await tenants_mod.delete_tenant(db, tenant_id)
     if not deleted:
         raise HTTPException(status_code=404, detail="Tenant not found")
@@ -216,8 +409,10 @@ async def delete_tenant(
 async def get_tenant_projects(
     tenant_id: int,
     db: AsyncSession = Depends(get_db),
+    tenant_ctx: TenantContext = Depends(resolve_tenant_context),
 ):
-    """List all projects for a tenant."""
+    """List all projects for a tenant, scoped to the caller's tenant boundary."""
+    tenant_ctx.enforce(tenant_id)
     tenant = await tenants_mod.get_tenant(db, tenant_id)
     if tenant is None:
         raise HTTPException(status_code=404, detail="Tenant not found")
@@ -248,8 +443,10 @@ async def create_run(
     db: AsyncSession = Depends(get_db),
     _auth: None = Depends(auth.require_scope("control")),
     token_info: Optional[dict] = Depends(auth.get_current_token),
+    tenant_ctx: TenantContext = Depends(resolve_tenant_context),
 ):
-    """Create a new run."""
+    """Create a new run, scoped to the caller's tenant boundary."""
+    await _enforce_project_tenant(db, tenant_ctx, body.project_id)
     run_resp = await runs_mod.create_run(
         db, project_id=body.project_id, trigger=body.trigger, config=body.config,
     )
@@ -268,19 +465,62 @@ async def list_runs(
     limit: int = Query(50, ge=1, le=1000),
     offset: int = Query(0, ge=0),
     db: AsyncSession = Depends(get_db),
+    tenant_ctx: TenantContext = Depends(resolve_tenant_context),
 ):
-    """List runs with optional filters."""
-    return await runs_mod.list_runs(
-        db, project_id=project_id, status=status, limit=limit, offset=offset,
+    """List runs with optional filters, scoped to the caller's tenant.
+
+    A global admin / auth-disabled caller sees all runs. A tenant-scoped
+    caller only ever sees runs whose project belongs to their tenant: an
+    explicit project_id is enforced against the boundary, and an unscoped
+    listing is narrowed to the caller's own projects.
+    """
+    if tenant_ctx.is_global_admin or not tenant_ctx.auth_enabled:
+        return await runs_mod.list_runs(
+            db, project_id=project_id, status=status, limit=limit, offset=offset,
+        )
+
+    if project_id is not None:
+        # Targeting a specific project: enforce it belongs to the caller.
+        await _enforce_project_tenant(db, tenant_ctx, project_id)
+        return await runs_mod.list_runs(
+            db, project_id=project_id, status=status, limit=limit, offset=offset,
+        )
+
+    # No project filter: restrict to the caller's own projects. A caller with
+    # no tenant binding sees nothing (fail-closed).
+    if tenant_ctx.tenant_id is None:
+        return []
+    proj_result = await db.execute(
+        select(Project.id).where(Project.tenant_id == tenant_ctx.tenant_id)
     )
+    owned_project_ids = [row[0] for row in proj_result]
+    if not owned_project_ids:
+        return []
+    # Collect this tenant's runs across all its projects, then apply the
+    # caller's limit/offset ONCE over the globally-sorted result so pagination
+    # is correct (not per-project). We over-fetch up to limit+offset per
+    # project to guarantee the merged top window is complete, then sort by
+    # created_at desc and slice. Isolation is unconditional regardless.
+    fetch_cap = limit + offset
+    collected: list = []
+    for pid in owned_project_ids:
+        collected.extend(
+            await runs_mod.list_runs(
+                db, project_id=pid, status=status, limit=fetch_cap, offset=0,
+            )
+        )
+    collected.sort(key=lambda r: r.created_at, reverse=True)
+    return collected[offset:offset + limit]
 
 
 @router.get("/runs/{run_id}", dependencies=[Depends(auth.require_scope("read"))])
 async def get_run(
     run_id: int,
     db: AsyncSession = Depends(get_db),
+    tenant_ctx: TenantContext = Depends(resolve_tenant_context),
 ):
-    """Get run details by ID."""
+    """Get run details by ID, scoped to the caller's tenant boundary."""
+    await _enforce_run_tenant(db, tenant_ctx, run_id)
     run_resp = await runs_mod.get_run(db, run_id)
     if run_resp is None:
         raise HTTPException(status_code=404, detail="Run not found")
@@ -294,8 +534,10 @@ async def cancel_run(
     db: AsyncSession = Depends(get_db),
     _auth: None = Depends(auth.require_scope("control")),
     token_info: Optional[dict] = Depends(auth.get_current_token),
+    tenant_ctx: TenantContext = Depends(resolve_tenant_context),
 ):
-    """Cancel a running run."""
+    """Cancel a running run, scoped to the caller's tenant boundary."""
+    await _enforce_run_tenant(db, tenant_ctx, run_id)
     run_resp = await runs_mod.cancel_run(db, run_id)
     if run_resp is None:
         raise HTTPException(status_code=404, detail="Run not found")
@@ -313,8 +555,10 @@ async def replay_run(
     db: AsyncSession = Depends(get_db),
     _auth: None = Depends(auth.require_scope("control")),
     token_info: Optional[dict] = Depends(auth.get_current_token),
+    tenant_ctx: TenantContext = Depends(resolve_tenant_context),
 ):
-    """Replay a run."""
+    """Replay a run, scoped to the caller's tenant boundary."""
+    await _enforce_run_tenant(db, tenant_ctx, run_id)
     run_resp = await runs_mod.replay_run(db, run_id)
     if run_resp is None:
         raise HTTPException(status_code=404, detail="Run not found")
@@ -329,8 +573,10 @@ async def replay_run(
 async def get_run_timeline(
     run_id: int,
     db: AsyncSession = Depends(get_db),
+    tenant_ctx: TenantContext = Depends(resolve_tenant_context),
 ):
-    """Get the timeline of events for a run."""
+    """Get the timeline of events for a run, scoped to the caller's tenant."""
+    await _enforce_run_tenant(db, tenant_ctx, run_id)
     timeline = await runs_mod.get_run_timeline(db, run_id)
     if timeline is None:
         return {"run_id": run_id, "phases": [], "current_phase": None, "events": []}

package/dashboard/server.py

@@ -55,6 +55,11 @@ from . import app_secrets as secrets_mod
 from . import telemetry as _telemetry
 from .control import atomic_write_json, find_skill_dir, is_process_running
 from .activity_logger import get_activity_logger
+from .api_v2 import (
+    TenantContext,
+    _enforce_project_tenant,
+    resolve_tenant_context,
+)
 
 try:
     from . import __version__ as _version
@@ -267,6 +272,7 @@ class ProjectResponse(BaseModel):
     description: Optional[str]
     prd_path: Optional[str]
     status: str
+    tenant_id: int
     created_at: datetime
     updated_at: datetime
     task_count: int = 0
@@ -1255,14 +1261,25 @@ async def list_projects(
     limit: int = Query(default=50, ge=1, le=500),
     offset: int = Query(default=0, ge=0),
     db: AsyncSession = Depends(get_db),
+    tenant_ctx: TenantContext = Depends(resolve_tenant_context),
 ) -> list[ProjectResponse]:
-    """List projects with pagination. Does not eager-load tasks for efficiency."""
+    """List projects with pagination. Does not eager-load tasks for efficiency.
+
+    Tenant isolation (P3-7): a non-admin authenticated caller only sees
+    projects belonging to their declared tenant (X-Loki-Tenant-ID). A global
+    admin and single-user local mode (auth disabled) see all projects.
+    """
     try:
         from sqlalchemy import func as sa_func
 
         query = select(Project)
         if status:
             query = query.where(Project.status == status)
+        if not tenant_ctx.is_global_admin and tenant_ctx.auth_enabled:
+            # Pin to the caller's tenant. A None tenant_id yields no matches,
+            # which is the correct fail-closed behaviour for a scoped caller
+            # that did not declare a tenant.
+            query = query.where(Project.tenant_id == tenant_ctx.tenant_id)
         query = query.order_by(Project.created_at.desc()).offset(offset).limit(limit)
 
         result = await db.execute(query)
@@ -1295,6 +1312,7 @@ async def list_projects(
                     description=project.description,
                     prd_path=project.prd_path,
                     status=project.status,
+                    tenant_id=project.tenant_id,
                     created_at=project.created_at,
                     updated_at=project.updated_at,
                     task_count=total,
@@ -1311,8 +1329,14 @@ async def list_projects(
 async def create_project(
     project: ProjectCreate,
     db: AsyncSession = Depends(get_db),
+    tenant_ctx: TenantContext = Depends(resolve_tenant_context),
 ) -> ProjectResponse:
-    """Create a new project."""
+    """Create a new project.
+
+    Tenant isolation (P3-7): a non-admin caller may only create projects in
+    their own declared tenant; targeting another tenant returns 403.
+    """
+    tenant_ctx.enforce(project.tenant_id)
     # Validate tenant exists
     tenant_result = await db.execute(
         select(Tenant).where(Tenant.id == project.tenant_id)
@@ -1342,6 +1366,7 @@ async def create_project(
         description=db_project.description,
         prd_path=db_project.prd_path,
         status=db_project.status,
+        tenant_id=db_project.tenant_id,
         created_at=db_project.created_at,
         updated_at=db_project.updated_at,
         task_count=0,
@@ -1353,8 +1378,9 @@ async def create_project(
 async def get_project(
     project_id: int,
     db: AsyncSession = Depends(get_db),
+    tenant_ctx: TenantContext = Depends(resolve_tenant_context),
 ) -> ProjectResponse:
-    """Get a project by ID."""
+    """Get a project by ID, scoped to the caller's tenant boundary."""
     result = await db.execute(
         select(Project)
         .options(selectinload(Project.tasks))
@@ -1365,6 +1391,8 @@ async def get_project(
     if not project:
         raise HTTPException(status_code=404, detail="Project not found")
 
+    tenant_ctx.enforce(project.tenant_id)
+
     task_count = len(project.tasks)
     completed_count = len([t for t in project.tasks if t.status == TaskStatus.DONE])
 
@@ -1374,6 +1402,7 @@ async def get_project(
         description=project.description,
         prd_path=project.prd_path,
         status=project.status,
+        tenant_id=project.tenant_id,
         created_at=project.created_at,
         updated_at=project.updated_at,
         task_count=task_count,
@@ -1386,8 +1415,9 @@ async def update_project(
     project_id: int,
     project_update: ProjectUpdate,
     db: AsyncSession = Depends(get_db),
+    tenant_ctx: TenantContext = Depends(resolve_tenant_context),
 ) -> ProjectResponse:
-    """Update a project."""
+    """Update a project, scoped to the caller's tenant boundary."""
     result = await db.execute(
         select(Project)
         .options(selectinload(Project.tasks))
@@ -1398,6 +1428,8 @@ async def update_project(
     if not project:
         raise HTTPException(status_code=404, detail="Project not found")
 
+    tenant_ctx.enforce(project.tenant_id)
+
     update_data = project_update.model_dump(exclude_unset=True)
     for field, value in update_data.items():
         setattr(project, field, value)
@@ -1420,6 +1452,7 @@ async def update_project(
         description=project.description,
         prd_path=project.prd_path,
         status=project.status,
+        tenant_id=project.tenant_id,
         created_at=project.created_at,
         updated_at=project.updated_at,
         task_count=task_count,
@@ -1432,8 +1465,9 @@ async def delete_project(
     project_id: int,
     request: Request,
     db: AsyncSession = Depends(get_db),
+    tenant_ctx: TenantContext = Depends(resolve_tenant_context),
 ) -> None:
-    """Delete a project."""
+    """Delete a project, scoped to the caller's tenant boundary."""
     result = await db.execute(
         select(Project).where(Project.id == project_id)
     )
@@ -1442,6 +1476,8 @@ async def delete_project(
     if not project:
         raise HTTPException(status_code=404, detail="Project not found")
 
+    tenant_ctx.enforce(project.tenant_id)
+
     audit.log_event(
         action="delete",
         resource_type="project",
@@ -1702,8 +1738,11 @@ async def list_tasks(
 async def create_task(
     task: TaskCreate,
     db: AsyncSession = Depends(get_db),
+    tenant_ctx: TenantContext = Depends(resolve_tenant_context),
 ) -> TaskResponse:
-    """Create a new task."""
+    """Create a new task, scoped to the caller's tenant boundary."""
+    # Enforce the tenant boundary on the target project (also 404s if missing).
+    await _enforce_project_tenant(db, tenant_ctx, task.project_id)
     # Verify project exists
     result = await db.execute(
         select(Project).where(Project.id == task.project_id)
@@ -1777,8 +1816,9 @@ async def create_task(
 async def get_task(
     task_id: int,
     db: AsyncSession = Depends(get_db),
+    tenant_ctx: TenantContext = Depends(resolve_tenant_context),
 ) -> TaskResponse:
-    """Get a task by ID."""
+    """Get a task by ID, scoped to the caller's tenant boundary."""
     result = await db.execute(
         select(Task).where(Task.id == task_id)
     )
@@ -1787,6 +1827,8 @@ async def get_task(
     if not task:
         raise HTTPException(status_code=404, detail="Task not found")
 
+    await _enforce_project_tenant(db, tenant_ctx, task.project_id)
+
     return _task_response_from_db(task)
 
 
@@ -1795,8 +1837,9 @@ async def update_task(
     task_id: int,
     task_update: TaskUpdate,
     db: AsyncSession = Depends(get_db),
+    tenant_ctx: TenantContext = Depends(resolve_tenant_context),
 ) -> TaskResponse:
-    """Update a task."""
+    """Update a task, scoped to the caller's tenant boundary."""
     result = await db.execute(
         select(Task).where(Task.id == task_id)
     )
@@ -1805,6 +1848,8 @@ async def update_task(
     if not task:
         raise HTTPException(status_code=404, detail="Task not found")
 
+    await _enforce_project_tenant(db, tenant_ctx, task.project_id)
+
     update_data = task_update.model_dump(exclude_unset=True)
 
     # Handle status change to/from completed
@@ -1844,8 +1889,9 @@ async def delete_task(
     task_id: int,
     request: Request,
     db: AsyncSession = Depends(get_db),
+    tenant_ctx: TenantContext = Depends(resolve_tenant_context),
 ) -> None:
-    """Delete a task."""
+    """Delete a task, scoped to the caller's tenant boundary."""
     result = await db.execute(
         select(Task).where(Task.id == task_id)
     )
@@ -1854,6 +1900,8 @@ async def delete_task(
     if not task:
         raise HTTPException(status_code=404, detail="Task not found")
 
+    await _enforce_project_tenant(db, tenant_ctx, task.project_id)
+
     project_id = task.project_id
 
     audit.log_event(
@@ -1888,8 +1936,12 @@ async def move_task(
     task_id: int,
     move: TaskMove,
     db: AsyncSession = Depends(get_db),
+    tenant_ctx: TenantContext = Depends(resolve_tenant_context),
 ) -> TaskResponse:
-    """Move a task to a new status/position (for Kanban drag-and-drop)."""
+    """Move a task to a new status/position (for Kanban drag-and-drop).
+
+    Scoped to the caller's tenant boundary.
+    """
     result = await db.execute(
         select(Task).where(Task.id == task_id)
     )
@@ -1898,6 +1950,8 @@ async def move_task(
     if not task:
         raise HTTPException(status_code=404, detail="Task not found")
 
+    await _enforce_project_tenant(db, tenant_ctx, task.project_id)
+
     old_status = task.status
 
     # Validate status transition

package/docs/INSTALLATION.md

@@ -2,7 +2,7 @@
 
 The flagship product of [Autonomi](https://www.autonomi.dev/). Loki Mode is a spec-driven autonomous builder with a built-in trust layer that takes any spec to a deployed product and verifies completion with evidence (quality gates plus a completion council), not just a "done" claim. Complete installation instructions for all platforms and use cases.
 
-**Version:** v7.48.0
+**Version:** v7.49.0
 
 ---
 
@@ -396,7 +396,7 @@ provider works inside the container. Provide auth with your Anthropic API key:
 # Run Loki Mode in Docker (Claude provider, API-key auth)
 docker run --rm -e ANTHROPIC_API_KEY="$ANTHROPIC_API_KEY" \
   -v $(pwd):/workspace -w /workspace \
-  asklokesh/loki-mode:7.48.0 start ./my-spec.md
+  asklokesh/loki-mode:7.49.0 start ./my-spec.md
 ```
 
 ##### docker compose + .env (no host install)

package/loki-ts/dist/loki.js

@@ -1,5 +1,5 @@
 // @bun
-var n6=Object.defineProperty;var a6=($)=>$;function s6($,Q){this[$]=a6.bind(null,Q)}var h=($,Q)=>{for(var Z in Q)n6($,Z,{get:Q[Z],enumerable:!0,configurable:!0,set:s6.bind(Q,Z)})};var L=($,Q)=>()=>($&&(Q=$($=0)),Q);var K$=import.meta.require;var S1={};h(S1,{lokiDir:()=>P,homeLokiDir:()=>o$,findRepoRootForVersion:()=>d$,REPO_ROOT:()=>g});import{resolve as n,dirname as l$}from"path";import{fileURLToPath as t6}from"url";import{existsSync as P$}from"fs";import{homedir as r6}from"os";function i6(){let $=N1;for(let Q=0;Q<6;Q++){if(P$(n($,"VERSION"))&&P$(n($,"autonomy/run.sh")))return $;let Z=l$($);if(Z===$)break;$=Z}return n(N1,"..","..","..")}function d$($){let Q=$;for(let Z=0;Z<6;Z++){if(P$(n(Q,"VERSION"))&&P$(n(Q,"autonomy/run.sh")))return Q;let z=l$(Q);if(z===Q)break;Q=z}return n($,"..","..","..")}function P(){return process.env.LOKI_DIR??n(process.cwd(),".loki")}function o$(){return n(r6(),".loki")}var N1,g;var C=L(()=>{N1=l$(t6(import.meta.url));g=i6()});import{readFileSync as e6}from"fs";import{resolve as $Q,dirname as QQ}from"path";import{fileURLToPath as ZQ}from"url";function F$(){if($$!==null)return $$;let $="7.48.0";if(typeof $==="string"&&$.length>0)return $$=$,$$;try{let Q=QQ(ZQ(import.meta.url)),Z=d$(Q);$$=e6($Q(Z,"VERSION"),"utf-8").trim()}catch{$$="unknown"}return $$}var $$=null;var n$=L(()=>{C()});var C1={};h(C1,{runOrThrow:()=>zQ,run:()=>j,commandVersion:()=>KQ,commandExists:()=>f,ShellError:()=>a$});async function j($,Q={}){let Z=Bun.spawn({cmd:[...$],stdout:"pipe",stderr:"pipe",env:Q.env?{...process.env,...Q.env}:process.env,cwd:Q.cwd}),z,X;if(Q.timeoutMs&&Q.timeoutMs>0)z=setTimeout(()=>{try{Z.kill("SIGTERM")}catch{}X=setTimeout(()=>{try{Z.kill("SIGKILL")}catch{}},2000)},Q.timeoutMs);try{let[W,K,U]=await Promise.all([new Response(Z.stdout).text(),new Response(Z.stderr).text(),Z.exited]);return{stdout:W,stderr:K,exitCode:U}}finally{if(z)clearTimeout(z);if(X)clearTimeout(X)}}async function zQ($,Q={}){let Z=await j($,Q);if(Z.exitCode!==0)throw new a$(`command failed (${Z.exitCode}): ${$.join(" ")}`,Z.exitCode,Z.stdout,Z.stderr);return Z}async function f($){let Q=XQ($),Z=await j(["sh","-c",`command -v ${Q}`],{timeoutMs:5000});if(Z.exitCode===0)return Z.stdout.trim()||null;return null}function XQ($){if(!/^[A-Za-z0-9._/-]+$/.test($))throw Error(`refused to shell-escape suspect token: ${$}`);return $}async function KQ($,Q="--version"){if(!await f($))return null;let z=await j([$,Q],{timeoutMs:5000});if(z.exitCode!==0)return null;return((z.stdout||z.stderr).split(/\r?\n/)[0]?.trim()??"")||null}var a$;var d=L(()=>{a$=class a$ extends Error{message;exitCode;stdout;stderr;constructor($,Q,Z,z){super($);this.message=$;this.exitCode=Q;this.stdout=Z;this.stderr=z;this.name="ShellError"}}});function a($){return WQ?"":$}var WQ,T,S,I,TZ,w,R,y,q;var c=L(()=>{WQ=(process.env.NO_COLOR??"").length>0;T=a("\x1B[0;31m"),S=a("\x1B[0;32m"),I=a("\x1B[1;33m"),TZ=a("\x1B[0;34m"),w=a("\x1B[0;36m"),R=a("\x1B[1m"),y=a("\x1B[2m"),q=a("\x1B[0m")});import{existsSync as TQ}from"fs";async function Q$(){if(B$!==void 0)return B$;let $="/opt/homebrew/bin/python3.12";if(TQ($))return B$=$,$;let Q=await f("python3.12");if(Q)return B$=Q,Q;let Z=await f("python3");return B$=Z,Z}async function Z$($,Q={}){let Z=await Q$();if(!Z)return{stdout:"",stderr:"python3 not found",exitCode:127};return j([Z,"-c",$],Q)}var B$;var W$=L(()=>{d()});var t1={};h(t1,{runStatus:()=>mQ});import{existsSync as v,readFileSync as U$,readdirSync as l1,statSync as d1}from"fs";import{resolve as D,basename as xQ}from"path";import{homedir as NQ}from"os";async function DQ(){if(await f("jq"))return!0;return process.stdout.write(`${T}Error: jq is required but not installed.${q}
+var n6=Object.defineProperty;var a6=($)=>$;function s6($,Q){this[$]=a6.bind(null,Q)}var h=($,Q)=>{for(var Z in Q)n6($,Z,{get:Q[Z],enumerable:!0,configurable:!0,set:s6.bind(Q,Z)})};var L=($,Q)=>()=>($&&(Q=$($=0)),Q);var K$=import.meta.require;var S1={};h(S1,{lokiDir:()=>P,homeLokiDir:()=>o$,findRepoRootForVersion:()=>d$,REPO_ROOT:()=>g});import{resolve as n,dirname as l$}from"path";import{fileURLToPath as t6}from"url";import{existsSync as P$}from"fs";import{homedir as r6}from"os";function i6(){let $=N1;for(let Q=0;Q<6;Q++){if(P$(n($,"VERSION"))&&P$(n($,"autonomy/run.sh")))return $;let Z=l$($);if(Z===$)break;$=Z}return n(N1,"..","..","..")}function d$($){let Q=$;for(let Z=0;Z<6;Z++){if(P$(n(Q,"VERSION"))&&P$(n(Q,"autonomy/run.sh")))return Q;let z=l$(Q);if(z===Q)break;Q=z}return n($,"..","..","..")}function P(){return process.env.LOKI_DIR??n(process.cwd(),".loki")}function o$(){return n(r6(),".loki")}var N1,g;var C=L(()=>{N1=l$(t6(import.meta.url));g=i6()});import{readFileSync as e6}from"fs";import{resolve as $Q,dirname as QQ}from"path";import{fileURLToPath as ZQ}from"url";function F$(){if($$!==null)return $$;let $="7.49.0";if(typeof $==="string"&&$.length>0)return $$=$,$$;try{let Q=QQ(ZQ(import.meta.url)),Z=d$(Q);$$=e6($Q(Z,"VERSION"),"utf-8").trim()}catch{$$="unknown"}return $$}var $$=null;var n$=L(()=>{C()});var C1={};h(C1,{runOrThrow:()=>zQ,run:()=>j,commandVersion:()=>KQ,commandExists:()=>f,ShellError:()=>a$});async function j($,Q={}){let Z=Bun.spawn({cmd:[...$],stdout:"pipe",stderr:"pipe",env:Q.env?{...process.env,...Q.env}:process.env,cwd:Q.cwd}),z,X;if(Q.timeoutMs&&Q.timeoutMs>0)z=setTimeout(()=>{try{Z.kill("SIGTERM")}catch{}X=setTimeout(()=>{try{Z.kill("SIGKILL")}catch{}},2000)},Q.timeoutMs);try{let[W,K,U]=await Promise.all([new Response(Z.stdout).text(),new Response(Z.stderr).text(),Z.exited]);return{stdout:W,stderr:K,exitCode:U}}finally{if(z)clearTimeout(z);if(X)clearTimeout(X)}}async function zQ($,Q={}){let Z=await j($,Q);if(Z.exitCode!==0)throw new a$(`command failed (${Z.exitCode}): ${$.join(" ")}`,Z.exitCode,Z.stdout,Z.stderr);return Z}async function f($){let Q=XQ($),Z=await j(["sh","-c",`command -v ${Q}`],{timeoutMs:5000});if(Z.exitCode===0)return Z.stdout.trim()||null;return null}function XQ($){if(!/^[A-Za-z0-9._/-]+$/.test($))throw Error(`refused to shell-escape suspect token: ${$}`);return $}async function KQ($,Q="--version"){if(!await f($))return null;let z=await j([$,Q],{timeoutMs:5000});if(z.exitCode!==0)return null;return((z.stdout||z.stderr).split(/\r?\n/)[0]?.trim()??"")||null}var a$;var d=L(()=>{a$=class a$ extends Error{message;exitCode;stdout;stderr;constructor($,Q,Z,z){super($);this.message=$;this.exitCode=Q;this.stdout=Z;this.stderr=z;this.name="ShellError"}}});function a($){return WQ?"":$}var WQ,T,S,I,TZ,w,R,y,q;var c=L(()=>{WQ=(process.env.NO_COLOR??"").length>0;T=a("\x1B[0;31m"),S=a("\x1B[0;32m"),I=a("\x1B[1;33m"),TZ=a("\x1B[0;34m"),w=a("\x1B[0;36m"),R=a("\x1B[1m"),y=a("\x1B[2m"),q=a("\x1B[0m")});import{existsSync as TQ}from"fs";async function Q$(){if(B$!==void 0)return B$;let $="/opt/homebrew/bin/python3.12";if(TQ($))return B$=$,$;let Q=await f("python3.12");if(Q)return B$=Q,Q;let Z=await f("python3");return B$=Z,Z}async function Z$($,Q={}){let Z=await Q$();if(!Z)return{stdout:"",stderr:"python3 not found",exitCode:127};return j([Z,"-c",$],Q)}var B$;var W$=L(()=>{d()});var t1={};h(t1,{runStatus:()=>mQ});import{existsSync as v,readFileSync as U$,readdirSync as l1,statSync as d1}from"fs";import{resolve as D,basename as xQ}from"path";import{homedir as NQ}from"os";async function DQ(){if(await f("jq"))return!0;return process.stdout.write(`${T}Error: jq is required but not installed.${q}
 `),process.stdout.write(`Install with:
 `),process.stdout.write(`  brew install jq    (macOS)
 `),process.stdout.write(`  apt install jq     (Debian/Ubuntu)
@@ -789,4 +789,4 @@ Set LOKI_LEGACY_BASH=1 to force the bash CLI for every command.
 `),2}default:return process.stderr.write(`Unknown command: ${Q}
 `),process.stderr.write(o6),2}}p1();process.on("SIGINT",()=>process.exit(130));process.on("SIGTERM",()=>process.exit(143));var ZZ=await QZ(Bun.argv.slice(2));process.exit(ZZ);
 
-//# debugId=98FDC89DEB1F99C464756E2164756E21
+//# debugId=4C07FED5B6B5F4A164756E2164756E21

package/mcp/__init__.py

@@ -57,4 +57,4 @@ try:
 except ImportError:
     __all__ = ['mcp']
 
-__version__ = '7.48.0'
+__version__ = '7.49.0'

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "loki-mode",
   "mcpName": "io.github.asklokesh/loki-mode",
-  "version": "7.48.0",
+  "version": "7.49.0",
   "description": "Loki Mode by Autonomi. Autonomous spec-to-product system: takes a PRD, GitHub issue, OpenAPI/JSON/YAML, or one-line brief to a deployed app via the RARV-C closure loop with 8 quality gates. Provider-agnostic (Claude Code, OpenAI Codex, Cline, Aider).",
   "keywords": [
     "agent",

package/plugins/loki-mode/.claude-plugin/plugin.json

@@ -2,7 +2,7 @@
   "$schema": "https://json.schemastore.org/claude-code-plugin-manifest.json",
   "name": "loki-mode",
   "displayName": "Loki Mode",
-  "version": "7.48.0",
+  "version": "7.49.0",
   "description": "Autonomous spec-to-product build system with a built-in trust layer (RARV-C closure loop, 8 quality gates, completion council). Ships Loki's spec-hardening, drift-detection, and deterministic PR verification commands plus the Loki MCP server.",
   "author": {
     "name": "Autonomi",