loki-mode 7.5.7 → 7.5.8

package/README.md

@@ -18,16 +18,19 @@
 
 ---
 
-> **How it works:** You provide a PRD. Loki Mode classifies complexity, assembles an agent team from 41 specialized types across 8 swarms, and runs autonomous RARV cycles (Reason - Act - Reflect - Verify) with 9 quality gates. Code is not "done" until it passes automated verification. Output is a Git repo with source, tests, configs, and audit logs.
+> **How it works:** You provide a PRD. Loki Mode classifies complexity (`run.sh:detect_complexity()`), assembles an agent team from 41 specialized types across 8 swarms, and runs autonomous RARV cycles (Reason - Act - Reflect - Verify, see `run.sh:run_autonomous()`) with 11 quality gates (see `skills/quality-gates.md`). Code is not "done" until it passes automated verification. Output is a Git repo with source, tests, configs, and audit logs.
 
 ---
 
 ## Why Loki Mode?
 
 - **Truly autonomous** -- Describe what you want, walk away, come back to working code with tests
-- **Production quality built in** -- 9 quality gates, blind 3-reviewer code review, anti-sycophancy checks
+- **Production quality built in** -- 11 quality gates (`skills/quality-gates.md`), blind 3-reviewer code review (`run.sh:run_code_review()`), anti-sycophancy checks
 - **Self-hosted and private** -- Your keys, your infrastructure, no data leaves your network
-- **5 AI providers** -- Claude, Codex, Gemini, Cline, Aider with automatic failover
+- **5 AI providers** -- Claude, Codex, Gemini, Cline, Aider with automatic failover (`loki-ts/src/runner/providers.ts`)
+- **Legacy system healing** -- `loki heal` archaeology/stabilize/isolate/modernize/validate phases (v6.67.0, see `skills/healing.md`)
+- **Memory system** -- Episodic/semantic/procedural with vector search (v5.15.0, see `memory/engine.py`)
+- **MCP server** -- 15 tools including ChromaDB code search (`mcp/server.py`)
 - **Full-stack output** -- Source code, tests, Docker configs, CI/CD pipelines, audit logs
 - **Open source** -- Free for personal, internal, and academic use. No vendor lock-in.
 
@@ -61,7 +64,7 @@ loki quick "build a landing page with a signup form"
 |--------|---------|-------|
 | **Bun (recommended)** | `bun install -g loki-mode` | Fastest. v8 will be Bun-only. |
 | **Homebrew** | `brew tap asklokesh/tap && brew install loki-mode` | Auto-installs Bun as a dep |
-| **Docker** | `docker pull asklokesh/loki-mode && docker run --rm asklokesh/loki-mode start prd.md` | Bun pre-installed in image |
+| **Docker** | `docker pull asklokesh/loki-mode:7.5.7 && docker run --rm asklokesh/loki-mode:7.5.7 start prd.md` | Bun pre-installed in image |
 | **npm (compat)** | `npm install -g loki-mode` | Works without Bun (bash fallback). Migrate any time with `loki self-update --to bun`. |
 
 **Upgrading:**
@@ -121,7 +124,7 @@ The next major release sunsets the Bash runtime entirely. There is no firm calen
 | Method | Command |
 |--------|---------|
 | **Homebrew** | `brew tap asklokesh/tap && brew install loki-mode` |
-| **Docker** | `docker pull asklokesh/loki-mode` |
+| **Docker** | `docker pull asklokesh/loki-mode:7.5.7` |
 | **Inside Claude Code** | `claude --dangerously-skip-permissions` then type "Loki Mode" |
 | **Git clone** | `git clone https://github.com/asklokesh/loki-mode.git` |
 
@@ -184,8 +187,8 @@ Every iteration: **Reason** (read state) - **Act** (execute, commit) - **Reflect
 </td>
 <td width="33%" valign="top">
 
-### 9 Quality Gates
-Blind review, anti-sycophancy, severity blocking, mock/mutation detection. Code does not ship until all gates pass.
+### 11 Quality Gates
+Blind review, anti-sycophancy, severity blocking, mock/mutation detection, backward compatibility (gate 10, v6.67.0), documentation coverage (gate 11, v7.5.0). Code does not ship until all gates pass.
 
 [Quality Gates](skills/quality-gates.md)
 
@@ -262,7 +265,7 @@ loki web                           # launches at http://localhost:57375
 |---------|:---------:|:--------:|:------:|:-------:|
 | Self-hosted / your keys | Yes | No | No | No |
 | 5 AI provider failover | Yes | No | No | No |
-| 9 quality gates | Yes | No | No | No |
+| 11 quality gates | Yes | No | No | No |
 | Blind code review | Yes | No | No | No |
 | Enterprise auth (SSO/RBAC) | Yes | No | Yes | No |
 | Air-gapped deployment | Yes | No | No | No |
@@ -295,8 +298,9 @@ Claude gets full features (subagents, parallelization, MCP, Task tool). Other pr
 
 | Command | Description |
 |---------|-------------|
-| `loki start [PRD]` | Start with optional PRD file |
+| `loki start [PRD]` | Start with optional PRD file (also accepts an issue ref; replaces deprecated `loki run`) |
 | `loki stop` | Stop execution |
+| `loki heal <path>` | Legacy system healing (archaeology, stabilize, isolate, modernize, validate -- v6.67.0) |
 | `loki pause` / `resume` | Pause/resume after current session |
 | `loki status` | Show current status |
 | `loki dashboard` | Open web dashboard |
@@ -383,7 +387,7 @@ See [benchmarks/](benchmarks/) for methodology.
 |------|-----------|---------------------|
 | **Code Gen** | Full-stack apps from PRDs | Complex domain logic may need human review |
 | **Deploy** | Generates configs, Dockerfiles, CI/CD | Does not deploy -- human runs deploy commands |
-| **Testing** | 9 automated quality gates | Test quality depends on AI assertions |
+| **Testing** | 11 automated quality gates | Test quality depends on AI assertions |
 | **Providers** | 5 providers with auto-failover | Non-Claude providers lack parallel agents |
 | **Dashboard** | Real-time single-machine monitoring | No multi-node clustering |
 

package/SKILL.md

@@ -3,7 +3,7 @@ name: loki-mode
 description: Multi-agent autonomous startup system. Triggers on "Loki Mode". Takes PRD to deployed product with minimal human intervention. Requires --dangerously-skip-permissions flag.
 ---
 
-# Loki Mode v7.5.7
+# Loki Mode v7.5.8
 
 **You are an autonomous agent. You make decisions. You do not ask questions. You do not stop.**
 
@@ -89,7 +89,7 @@ These rules guide autonomous operation. Test results and code quality always tak
 
 ## Model Selection
 
-**Default (v5.3.0):** Haiku disabled for quality. Use `--allow-haiku` or `LOKI_ALLOW_HAIKU=true` to enable.
+**Default since v5.3.0 (reaffirmed in v7.5.8):** Haiku disabled for quality. Use `--allow-haiku` or `LOKI_ALLOW_HAIKU=true` to enable.
 
 | Task Type | Tier | Claude (default) | Claude (--allow-haiku) | Codex (GPT-5.3) | Gemini |
 |-----------|------|------------------|------------------------|------------------|--------|
@@ -160,7 +160,9 @@ GROWTH ──[continuous improvement loop]──> GROWTH
 
 ---
 
-## Module Loading Protocol
+## Module Loading Protocol (Skills)
+
+This protocol governs **skill module** loading -- task-scoped instruction files in `skills/`. It is distinct from the Memory System Progressive Disclosure (see below), which governs persistent **memory layers** in `.loki/memory/`.
 
 ```
 1. Read skills/00-index.md (once per session)
@@ -179,6 +181,8 @@ GROWTH ──[continuous improvement loop]──> GROWTH
 5. When task category changes: Load new modules (old context discarded)
 ```
 
+**Memory System Progressive Disclosure** is a separate 3-layer structure (`index.json` -> `timeline.json` -> `episodic/*.json`) for retrieving past episodes/patterns. See `skills/memory.md` and `references/memory-system.md`.
+
 ---
 
 ## Invocation
@@ -311,15 +315,54 @@ See `skills/memory.md` for the full integration guide.
 
 ---
 
-## Planned Features
+## Phase 1 RARV-C Closure (v7.5.x)
+
+The current track wires real evidence into RARV-C feedback. Documented here and in `loki internal --help`:
+
+| Env Var | Effect |
+|---------|--------|
+| `LOKI_INJECT_FINDINGS=true` | Injects council findings + gate failures into the next REASON prompt |
+| `LOKI_OVERRIDE_COUNCIL=true` | Promotes real provider judges over fakes when available |
+| `LOKI_AUTO_LEARNINGS=true` | Auto-extracts learnings into semantic memory after VERIFY |
+| `LOKI_HANDOFF_MD=true` | Emits a `handoff.md` continuity doc at session boundaries |
+
+See `references/core-workflow.md` for the full RARV-C contract.
 
-The following features are documented in skill modules but not yet fully automated:
+---
 
-| Feature | Status | Notes |
+## Implemented Features
+
+| Feature | Added | Notes |
+|---------|-------|-------|
+| Multi-provider support (5 providers) | v5.0.0 | claude, codex, gemini, cline, aider -- see `providers/` |
+| CONTINUITY.md working memory | v5.35.0 | Auto-managed by run.sh, updated each iteration |
+| Quality gates 3-reviewer system | v5.35.0 | 5 specialist reviewers in `skills/quality-gates.md`; execution in run.sh |
+| Memory System (episodic/semantic/procedural) | v5.15.0 | Full implementation in `memory/` |
+| Context Window Tracking | v5.40.0 | Dashboard gauge, per-agent breakdown at `GET /api/context` |
+| Notification Triggers | v5.40.0 | `GET/PUT /api/notifications/triggers` |
+| GitHub integration | v5.42.2 | Import, sync-back, PR creation, export. CLI: `loki github`, API: `/api/github/*` |
+| Legacy System Healing | v6.67.0 | `loki heal <path>` -- friction-as-semantics, characterization tests |
+| Unified `loki start` | v6.84.0 | Auto-detects PRD vs issue input |
+| Managed Agents (memory mirror) | v7.2.0 | Opt-in via `LOKI_MANAGED_AGENTS` -- see Managed Agents section |
+| Bun runtime (Phase 1) | v7.3.0 | Read-only commands routed through `bin/loki`; `LOKI_LEGACY_BASH=1` to revert |
+| Phase 1 RARV-C closure | v7.5.x | Findings injection, real judges, auto-learnings, handoff.md |
+
+## Planned / In-Progress Features
+
+| Feature | Target | Notes |
 |---------|--------|-------|
-| CONTINUITY.md working memory | Implemented (v5.35.0) | Auto-managed by run.sh, updated each iteration |
-| GitHub integration | Implemented (v5.42.2) | Import, sync-back, PR creation, export. CLI: `loki github`, API: `/api/github/*` |
-| Quality gates 3-reviewer system | Implemented (v5.35.0) | 5 specialist reviewers in `skills/quality-gates.md`; execution in run.sh |
-| Benchmarks (HumanEval, SWE-bench) | Infrastructure only | Runner scripts and datasets exist in `benchmarks/`; no published results |
+| Bun runtime (Phase 2+) | TBD | Migrate write-path commands; tracked on `feat/bun-migration` |
+| Managed Agents multiagent path | TBD | `LOKI_EXPERIMENTAL_MANAGED_*` flags -- RESEARCH PREVIEW, not on live API |
+| Benchmarks (HumanEval, SWE-bench) | TBD | Runner scripts and datasets exist in `benchmarks/`; no published results |
+| `loki run` removal | next major | Currently a deprecated alias for `loki start` |
+
+## Deprecated
+
+| Item | Deprecated In | Notes |
+|------|---------------|-------|
+| `loki run <issue>` | v6.84.0 | Alias for `loki start`. Will be removed in next major. |
+| VSCode extension (`vscode-extension/`) | v7.2.0 | No longer actively maintained; dashboard web UI is the supported front-end. |
+
+---
 
-**v7.5.7 | [Autonomi](https://www.autonomi.dev/) flagship product | ~260 lines core**
+**v7.5.8 | [Autonomi](https://www.autonomi.dev/) flagship product | ~260 lines core**

package/VERSION

@@ -1 +1 @@
-7.5.7
+7.5.8

package/autonomy/app-runner.sh

@@ -64,11 +64,32 @@ _json_escape() {
     printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g; s/\t/\\t/g' | tr -d '\n'
 }
 
-# Validate a command string: reject shell metacharacters that enable injection
+# Validate a command string: reject shell metacharacters that enable injection.
+#
+# Trust contract:
+#   - $_APP_RUNNER_METHOD is either (a) auto-detected by app_runner_init from a
+#     fixed set of internal templates (npm run dev, docker compose up -d, etc.)
+#     or (b) supplied verbatim by the operator via the LOKI_APP_COMMAND env
+#     variable. Auto-detected strings are trusted; LOKI_APP_COMMAND is an
+#     external operator-controlled input that may be set in CI, .envrc, or by
+#     a hostile parent process.
+#   - This validator is the only line of defense for the LOKI_APP_COMMAND path.
+#     It runs BEFORE the value is assigned to _APP_RUNNER_METHOD and BEFORE
+#     it is interpolated into `bash -lc -- "$_APP_RUNNER_METHOD"` at startup.
+#   - Allow only a strict whitelist: A-Z a-z 0-9 _ . / - = and a single ASCII
+#     space (0x20). Tabs, newlines, glob, redirects, command separators, and
+#     command substitution are all rejected.
 _validate_app_command() {
     local cmd="$1"
-    # Allow alphanumeric, spaces, hyphens, underscores, dots, slashes, colons, equals
-    # Reject semicolons, pipes, backticks, $(), &&, ||, redirects used for injection
+    # Strict whitelist: alphanumerics, underscore, dot, slash, hyphen, equals,
+    # and ASCII space. Anything else (including tabs, newlines, ;, |, &, <, >,
+    # $, `, (, ), {, }, [, ], *, ?, ~, ", ', \) is rejected.
+    if [[ ! "$cmd" =~ ^[A-Za-z0-9_./=\ -]+$ ]]; then
+        log_error "App Runner: command rejected (only [A-Za-z0-9_./= -] allowed): $cmd"
+        return 1
+    fi
+    # Belt-and-braces: also explicitly reject the legacy injection set so a
+    # future regex regression cannot silently re-allow these.
     if echo "$cmd" | grep -qE '[;|`$]|&&|\|\||>>|<<'; then
         log_error "App Runner: command rejected (unsafe characters): $cmd"
         return 1
@@ -440,7 +461,10 @@ app_runner_start() {
         # Use setsid with a PID file so we capture the actual child PID (the process
         # group leader) rather than the subshell PID, which would orphan the app.
         local _pgid_file="$_APP_RUNNER_DIR/app.pgid.$$"
-        (cd "$dir" && setsid bash -c 'echo $$ > "'"$_pgid_file"'"; exec '"$_APP_RUNNER_METHOD" >> "$_APP_RUNNER_DIR/app.log" 2>&1) &
+        # Note: $_APP_RUNNER_METHOD has passed _validate_app_command (whitelist).
+        # The `--` after `bash -lc` prevents flag injection if the assembled
+        # script string ever begins with a `-`.
+        (cd "$dir" && setsid bash -lc -- 'echo $$ > "'"$_pgid_file"'"; exec '"$_APP_RUNNER_METHOD" >> "$_APP_RUNNER_DIR/app.log" 2>&1) &
         local _subshell_pid=$!
         # Wait briefly for the pgid file to appear, then read the real PGID
         local _pgid_wait=0
@@ -456,7 +480,9 @@ app_runner_start() {
         rm -f "$_pgid_file"
     else
         _APP_RUNNER_HAS_SETSID=false
-        (cd "$dir" && bash -c "$_APP_RUNNER_METHOD" >> "$_APP_RUNNER_DIR/app.log" 2>&1) &
+        # Note: $_APP_RUNNER_METHOD has passed _validate_app_command (whitelist).
+        # The `--` after `bash -lc` prevents flag injection.
+        (cd "$dir" && bash -lc -- "$_APP_RUNNER_METHOD" >> "$_APP_RUNNER_DIR/app.log" 2>&1) &
         _APP_RUNNER_PID=$!
     fi
     # Register with central PID registry if available

package/autonomy/run.sh

@@ -4061,10 +4061,19 @@ generate_dashboard() {
     local project_path=$(pwd)
 
     if [ -f "$skill_dashboard" ]; then
+        # v7.5.8: Escape sed-special chars in project_name/project_path before
+        # interpolating into the substitution RHS. Without this, a project
+        # whose path contains '|' (the chosen sed delimiter), '&' (RHS
+        # backref), '\' or '/' would either break the substitution or allow
+        # attacker-controlled text to be smuggled into the served HTML.
+        local project_name_sed project_path_sed
+        project_name_sed=$(printf '%s' "$project_name" | sed -e 's/[\\&|/]/\\&/g')
+        project_path_sed=$(printf '%s' "$project_path" | sed -e 's/[\\&|/]/\\&/g')
+
         # Copy and inject project info
-        sed -e "s|Loki Mode</title>|Loki Mode - $project_name</title>|g" \
-            -e "s|<div class=\"project-name\" id=\"project-name\">--|<div class=\"project-name\" id=\"project-name\">$project_name|g" \
-            -e "s|<div class=\"project-path\" id=\"project-path\" title=\"\">--|<div class=\"project-path\" id=\"project-path\" title=\"$project_path\">$project_path|g" \
+        sed -e "s|Loki Mode</title>|Loki Mode - ${project_name_sed}</title>|g" \
+            -e "s|<div class=\"project-name\" id=\"project-name\">--|<div class=\"project-name\" id=\"project-name\">${project_name_sed}|g" \
+            -e "s|<div class=\"project-path\" id=\"project-path\" title=\"\">--|<div class=\"project-path\" id=\"project-path\" title=\"${project_path_sed}\">${project_path_sed}|g" \
             "$skill_dashboard" > .loki/dashboard/index.html
         log_info "Dashboard copied from skill installation"
         log_info "Project: $project_name ($project_path)"
@@ -4422,8 +4431,8 @@ generate_dashboard() {
                     <div class="agent-status ${status}">${status}</div>
                     <div class="agent-work">${currentTask}</div>
                     <div class="agent-meta">
-                        <span>⏱ ${duration}</span>
-                        <span>✓ ${tasksCount} tasks</span>
+                        <span>${duration}</span>
+                        <span>${tasksCount} tasks</span>
                     </div>
                 </div>
             `;
@@ -5757,10 +5766,23 @@ enforce_test_coverage() {
         if [ "$is_monorepo" = "true" ]; then
             # Allow env override
             if [ -n "${LOKI_MONOREPO_TEST_CMD:-}" ]; then
-                test_runner="monorepo-custom"
-                local output
-                output=$(cd "${TARGET_DIR:-.}" && eval "$LOKI_MONOREPO_TEST_CMD" 2>&1) || test_passed=false
-                details="monorepo-custom: $(echo "$output" | tail -3 | tr '\n' ' ')"
+                # v7.5.8: Strict whitelist before eval (mirrors app-runner.sh
+                # _validate_app_command hardening). Reject anything outside
+                # [A-Za-z0-9_./= -] so command separators (; | & `), redirects,
+                # subshells, and command substitution can't be smuggled in via
+                # an env var. Failing input is treated as inconclusive (gate
+                # skipped) rather than executed.
+                if [[ ! "$LOKI_MONOREPO_TEST_CMD" =~ ^[A-Za-z0-9_./=\ -]+$ ]] || \
+                   echo "$LOKI_MONOREPO_TEST_CMD" | grep -qE '[;|`$]|&&|\|\||>>|<<'; then
+                    log_error "LOKI_MONOREPO_TEST_CMD rejected (only [A-Za-z0-9_./= -] allowed): $LOKI_MONOREPO_TEST_CMD"
+                    test_runner="monorepo-custom-rejected"
+                    details="monorepo-custom: rejected by whitelist (gate skipped, inconclusive)"
+                else
+                    test_runner="monorepo-custom"
+                    local output
+                    output=$(cd "${TARGET_DIR:-.}" && eval "$LOKI_MONOREPO_TEST_CMD" 2>&1) || test_passed=false
+                    details="monorepo-custom: $(echo "$output" | tail -3 | tr '\n' ' ')"
+                fi
             else
                 # Scan workspace packages for test runners
                 local workspace_runner=""

package/autonomy/sandbox.sh

@@ -1320,7 +1320,19 @@ sandbox_run() {
     fi
 
     log_info "Running command in sandbox: $cmd"
-    docker exec -it "$CONTAINER_NAME" bash -c "cd /workspace && $cmd"
+    # Trust contract: $cmd is the operator's CLI argv (`loki sandbox run <cmd>`),
+    # and the operator is the same person who is running the sandbox container
+    # on their own machine. Shell metacharacters are intentionally allowed so
+    # the operator can run pipelines, redirects, etc. inside the sandbox -- but
+    # the sandbox is the security boundary, not this shell-out. We:
+    #   1. set the working dir via `docker exec -w` instead of `cd && $cmd`,
+    #      so the user command cannot break out of the cd via metacharacters
+    #      that confuse the wrapper (e.g. unmatched quotes affecting cd);
+    #   2. pass `--` to bash so the user string cannot be re-interpreted as a
+    #      bash flag if it begins with `-`;
+    #   3. pass the user string as a separate argv element to bash -lc so it
+    #      is treated as the script body, not concatenated into a wrapper.
+    docker exec -it -w /workspace "$CONTAINER_NAME" bash -lc -- "$cmd"
 }
 
 # Start a dev server inside the sandbox

package/dashboard/__init__.py

@@ -7,7 +7,7 @@ Modules:
     control: Session control API (start/stop/pause/resume)
 """
 
-__version__ = "7.5.7"
+__version__ = "7.5.8"
 
 # Expose the control app for easy import
 try:

package/dashboard/server.py

@@ -622,15 +622,21 @@ app = FastAPI(
 # Set LOKI_DASHBOARD_CORS to override (comma-separated origins).
 _cors_default = "http://localhost:57374,http://127.0.0.1:57374"
 _cors_raw = os.environ.get("LOKI_DASHBOARD_CORS", _cors_default)
-if _cors_raw.strip() == "*":
+_cors_origins = [o.strip() for o in _cors_raw.split(",") if o.strip()]
+if "*" in _cors_origins or _cors_raw.strip() == "*":
+    if os.environ.get("LOKI_ENV") == "production":
+        raise RuntimeError(
+            "Wildcard CORS ('*') is not allowed in production. "
+            "Set LOKI_DASHBOARD_CORS to a specific origin list, "
+            "or set LOKI_ENV != production."
+        )
     logger.warning(
         "LOKI_DASHBOARD_CORS is set to '*' -- all origins are allowed. "
         "This is insecure for production deployments."
     )
-_cors_origins = _cors_raw.split(",")
 app.add_middleware(
     CORSMiddleware,
-    allow_origins=[o.strip() for o in _cors_origins if o.strip()],
+    allow_origins=_cors_origins,
     allow_credentials=True,
     allow_methods=["GET", "POST", "PUT", "DELETE", "OPTIONS"],
     allow_headers=["Content-Type", "Authorization", "X-Requested-With"],
@@ -2244,7 +2250,7 @@ def _sanitize_agent_id(agent_id: str) -> str:
         )
     return agent_id
 
-@app.get("/api/memory/summary")
+@app.get("/api/memory/summary", dependencies=[Depends(auth.require_scope("read"))])
 async def get_memory_summary():
     """Get memory system summary from .loki/memory/."""
     # Try SQLite backend first for accurate counts
@@ -2371,7 +2377,7 @@ async def list_episodes(limit: int = Query(default=50, ge=1, le=1000)):
     return episodes
 
 
-@app.get("/api/memory/episodes/{episode_id}")
+@app.get("/api/memory/episodes/{episode_id}", dependencies=[Depends(auth.require_scope("read"))])
 async def get_episode(episode_id: str):
     """Get a specific episodic memory entry."""
     # Try SQLite first
@@ -2432,7 +2438,7 @@ async def list_patterns():
     return []
 
 
-@app.get("/api/memory/patterns/{pattern_id}")
+@app.get("/api/memory/patterns/{pattern_id}", dependencies=[Depends(auth.require_scope("read"))])
 async def get_pattern(pattern_id: str):
     """Get a specific semantic pattern."""
     patterns = await list_patterns()
@@ -2471,7 +2477,7 @@ async def list_skills():
     return skills
 
 
-@app.get("/api/memory/skills/{skill_id}")
+@app.get("/api/memory/skills/{skill_id}", dependencies=[Depends(auth.require_scope("read"))])
 async def get_skill(skill_id: str):
     """Get a specific procedural skill."""
     loki_dir = _get_loki_dir()
@@ -2510,7 +2516,7 @@ async def consolidate_memory(hours: int = 24):
     return {"status": "ok", "message": f"Consolidation for last {hours}h", "consolidated": 0, "patternsCreated": 0, "patternsMerged": 0, "episodesProcessed": 0}
 
 
-@app.post("/api/memory/retrieve")
+@app.post("/api/memory/retrieve", dependencies=[Depends(auth.require_scope("control"))])
 async def retrieve_memory(query: dict = None):
     """Search memories by query."""
     return {"results": [], "query": query}
@@ -2678,7 +2684,7 @@ def _read_learning_signals(signal_type: Optional[str] = None, limit: int = 50) -
     return signals[:limit]
 
 
-@app.get("/api/learning/metrics")
+@app.get("/api/learning/metrics", dependencies=[Depends(auth.require_scope("read"))])
 async def get_learning_metrics(
     timeRange: str = Query("7d", pattern=r"^\d{1,4}[hdm]$"),
     signalType: Optional[str] = None,
@@ -2747,7 +2753,7 @@ async def get_learning_metrics(
     }
 
 
-@app.get("/api/learning/trends")
+@app.get("/api/learning/trends", dependencies=[Depends(auth.require_scope("read"))])
 async def get_learning_trends(
     timeRange: str = Query("7d", pattern=r"^\d{1,4}[hdm]$"),
     signalType: Optional[str] = None,
@@ -2767,7 +2773,7 @@ async def get_learning_trends(
     return {"dataPoints": data_points, "maxValue": max_val, "period": timeRange}
 
 
-@app.get("/api/learning/signals")
+@app.get("/api/learning/signals", dependencies=[Depends(auth.require_scope("read"))])
 async def get_learning_signals(
     timeRange: str = Query("7d", pattern=r"^\d{1,4}[hdm]$"),
     signalType: Optional[str] = None,
@@ -2793,7 +2799,7 @@ async def get_learning_signals(
     return combined[offset:offset + limit]
 
 
-@app.get("/api/learning/aggregation")
+@app.get("/api/learning/aggregation", dependencies=[Depends(auth.require_scope("read"))])
 async def get_learning_aggregation():
     """Get latest learning aggregation result, merging file-based aggregation with live signals."""
     result = {"preferences": [], "error_patterns": [], "success_patterns": [], "tool_efficiencies": []}
@@ -2976,7 +2982,7 @@ async def trigger_aggregation():
     return result
 
 
-@app.get("/api/learning/preferences")
+@app.get("/api/learning/preferences", dependencies=[Depends(auth.require_scope("read"))])
 async def get_learning_preferences(limit: int = Query(default=50, ge=1, le=1000)):
     """Get aggregated user preferences from events and learning signals directory."""
     events = _read_events("30d")
@@ -2988,7 +2994,7 @@ async def get_learning_preferences(limit: int = Query(default=50, ge=1, le=1000)
     return combined[:limit]
 
 
-@app.get("/api/learning/errors")
+@app.get("/api/learning/errors", dependencies=[Depends(auth.require_scope("read"))])
 async def get_learning_errors(limit: int = Query(default=50, ge=1, le=1000)):
     """Get aggregated error patterns from events and learning signals directory."""
     events = _read_events("30d")
@@ -3000,7 +3006,7 @@ async def get_learning_errors(limit: int = Query(default=50, ge=1, le=1000)):
     return combined[:limit]
 
 
-@app.get("/api/learning/success")
+@app.get("/api/learning/success", dependencies=[Depends(auth.require_scope("read"))])
 async def get_learning_success(limit: int = Query(default=50, ge=1, le=1000)):
     """Get aggregated success patterns from events and learning signals directory."""
     events = _read_events("30d")
@@ -3012,7 +3018,7 @@ async def get_learning_success(limit: int = Query(default=50, ge=1, le=1000)):
     return combined[:limit]
 
 
-@app.get("/api/learning/tools")
+@app.get("/api/learning/tools", dependencies=[Depends(auth.require_scope("read"))])
 async def get_tool_efficiency(limit: int = Query(default=50, ge=1, le=1000)):
     """Get tool efficiency rankings from events and learning signals directory."""
     events = _read_events("30d")
@@ -5882,13 +5888,20 @@ async def list_escalations():
 @app.get("/api/escalations/{filename}")
 async def get_escalation(filename: str):
     """Read one handoff document. Path-traversal-safe."""
-    if "/" in filename or "\\" in filename or filename.startswith("."):
+    if "\\" in filename or filename.startswith("."):
         raise HTTPException(status_code=400, detail="invalid filename")
     if not filename.endswith(".md"):
         raise HTTPException(status_code=400,
                             detail="only .md handoffs are served")
-    base = _get_loki_dir()
-    path = base / "escalations" / filename
+    escalations_dir = str(_get_loki_dir() / "escalations")
+    # Resolve symlinks on both sides to catch symlink traversal that the
+    # router-level "/" rejection misses (e.g. a symlink whose target
+    # escapes the escalations directory).
+    target = os.path.realpath(os.path.join(escalations_dir, filename))
+    base = os.path.realpath(escalations_dir)
+    if not target.startswith(base + os.sep):
+        raise HTTPException(status_code=400, detail="Invalid filename")
+    path = _Path(target)
     if not path.exists():
         raise HTTPException(status_code=404,
                             detail=f"handoff not found: {filename}")

package/docs/INSTALLATION.md

@@ -2,26 +2,32 @@
 
 The flagship product of [Autonomi](https://www.autonomi.dev/). Complete installation instructions for all platforms and use cases.
 
-**Version:** v7.5.7
+**Version:** v7.5.8
 
 ---
 
-## What's New in v7.5.0
+## What's New in v7.5.x
+
+### Phase 1 RARV-C closure (shipped v7.5.0, default-on as of v7.5.3)
+Phase 1 closure features now activate automatically when you run
+`loki start` -- no env flags required. Power users can opt out by
+setting any flag to `0`.
 
-### Phase 1 RARV-C closure (Bun route, default-off feature flags)
 - `findings_injector.ts` -- structured per-finding records (severity, file,
   line, reviewer) injected into the next iteration's prompt instead of bare
-  comma-separated tokens. Enable with `LOKI_INJECT_FINDINGS=1`.
-- `counter_evidence.ts` -- 3-judge override council. Drop a
+  comma-separated tokens. Default: ON. Opt out with `LOKI_INJECT_FINDINGS=0`.
+- `counter_evidence.ts` -- override council. Drop a
   `.loki/state/counter-evidence-<iter>.json` to dispute reviewer findings;
-  2-of-3 approval lifts the BLOCK. Enable with `LOKI_OVERRIDE_COUNCIL=1`
-  (requires `LOKI_INJECT_FINDINGS=1`).
+  approval lifts the BLOCK. Default: ON. Opt out with `LOKI_OVERRIDE_COUNCIL=0`.
 - `learnings_writer.ts` -- automatic structured learnings to
   `.loki/state/relevant-learnings.json` on every code_review failure.
-  Enable with `LOKI_AUTO_LEARNINGS=1`.
+  Default: ON. Opt out with `LOKI_AUTO_LEARNINGS=0`.
 - `escalation_handoff.ts` -- structured human-handoff doc to
-  `.loki/escalations/handoff-*.md` before PAUSE. Enable with
-  `LOKI_HANDOFF_MD=1`.
+  `.loki/escalations/handoff-*.md` before PAUSE. Default: ON. Opt out
+  with `LOKI_HANDOFF_MD=0`.
+- `loki status` shows a "Phase 1 artifacts" section when findings,
+  learnings, or escalations exist (added v7.5.5; see the `phase1` block
+  in `loki status --json`).
 - See `skills/quality-gates.md` for full schema and reachability notes.
 
 ### Earlier highlights still in scope

package/docs/architecture/ADR-001-runtime-migration.md

@@ -1,7 +1,28 @@
 # ADR-001: Migrate Loki orchestrator off bash
 
-**Status:** Proposed (feature/bun-migration branch)
-**Date:** 2026-04-25
+**Status:** Accepted -- Phases 1-5 shipped; Phase 6 (bash sunset) gated on 30-day clean soak
+**Date:** 2026-04-25 (proposed) / 2026-04-29 (status updated for v7.5.7)
+**Last reviewed:** 2026-04-29 against v7.5.7
+
+## Phase status (as of v7.5.7, 2026-04-29)
+
+| Phase | Description | Status | Shipped in |
+|---|---|---|---|
+| 1 | Scaffold `loki-ts/`, `ts-version` POC, CI matrix | DONE | v7.0.x |
+| 2 | Read-only sub-commands ported (provider show, status, stats, memory list) | DONE | v7.1.x |
+| 3 | Build/release tooling on Bun (`bun publish`, `bun build`, `bun test`) | DONE | v7.2.0 |
+| 4 | `build_prompt` + `run_autonomous` outer loop ported; `LOKI_LEGACY_BASH=1` fallback live | DONE | v7.3.0 |
+| 5 | `council_should_stop`, `run_code_review` ported; side-by-side parity verified | DONE | v7.3.0 -- v7.4.x |
+| 6 | Sunset bash: remove `LOKI_LEGACY_BASH`, delete `autonomy/run.sh` + `autonomy/loki` | **GATED** | Pending 30-day clean soak from v7.3.0 GA |
+
+**Phase 6 entry criteria (per founder call 2026-04-25, release_strategy memory):**
+- 30 consecutive days with zero parity-diff regressions on the Bun route
+- All 14 CLI tests passing on both routes (`tests/test-cli-commands.sh`)
+- Bun-parity matrix green on every workflow (added after v7.4.18 doctor-text drift bug)
+- No `LOKI_LEGACY_BASH=1` fallback invocations observed in telemetry over the soak window
+- Local CI gate (`scripts/local-ci.sh`) green on every push
+
+When all criteria are met, Phase 6 PR (#159 per release_strategy) opens for council review.
 **Decision driver:** `autonomy/run.sh` is 11,327 lines of bash and `autonomy/loki` is 22,304 lines. Both are fragile, hard to refactor, untyped, and the upstream RARV-C audit (v6.81 plan) flagged them as the single biggest architectural debt.
 
 ## Context: facts the user asked me to verify
@@ -162,10 +183,11 @@ Reasons:
 - Port `council_should_stop` and `run_code_review` to TypeScript
 - Same validation discipline
 
-### Phase 6: Sunset bash (only after 30 days clean in production)
+### Phase 6: Sunset bash (only after 30 days clean in production) -- GATED as of v7.5.7
 - Remove `LOKI_LEGACY_BASH` flag
 - Delete `autonomy/run.sh` and `autonomy/loki` (keep in git history)
-- Bash → Bun migration complete
+- Bash -> Bun migration complete
+- **Status (2026-04-29):** awaiting 30-day clean soak. Soak clock started with v7.3.0 GA. See "Phase status" table at top of this ADR for entry criteria.
 
 ## What we can do better for releases (Anthropic owns Bun → leverage)