loki-mode 7.5.9 → 7.5.10

package/README.md

@@ -64,7 +64,7 @@ loki quick "build a landing page with a signup form"
 |--------|---------|-------|
 | **Bun (recommended)** | `bun install -g loki-mode` | Fastest. v8 will be Bun-only. |
 | **Homebrew** | `brew tap asklokesh/tap && brew install loki-mode` | Auto-installs Bun as a dep |
-| **Docker** | `docker pull asklokesh/loki-mode:7.5.7 && docker run --rm asklokesh/loki-mode:7.5.7 start prd.md` | Bun pre-installed in image |
+| **Docker** | `docker pull asklokesh/loki-mode:7.5.9 && docker run --rm asklokesh/loki-mode:7.5.9 start prd.md` | Bun pre-installed in image |
 | **npm (compat)** | `npm install -g loki-mode` | Works without Bun (bash fallback). Migrate any time with `loki self-update --to bun`. |
 
 **Upgrading:**
@@ -124,7 +124,7 @@ The next major release sunsets the Bash runtime entirely. There is no firm calen
 | Method | Command |
 |--------|---------|
 | **Homebrew** | `brew tap asklokesh/tap && brew install loki-mode` |
-| **Docker** | `docker pull asklokesh/loki-mode:7.5.7` |
+| **Docker** | `docker pull asklokesh/loki-mode:7.5.9` |
 | **Inside Claude Code** | `claude --dangerously-skip-permissions` then type "Loki Mode" |
 | **Git clone** | `git clone https://github.com/asklokesh/loki-mode.git` |
 

package/SKILL.md

@@ -3,7 +3,7 @@ name: loki-mode
 description: Multi-agent autonomous startup system. Triggers on "Loki Mode". Takes PRD to deployed product with minimal human intervention. Requires --dangerously-skip-permissions flag.
 ---
 
-# Loki Mode v7.5.9
+# Loki Mode v7.5.10
 
 **You are an autonomous agent. You make decisions. You do not ask questions. You do not stop.**
 
@@ -89,7 +89,7 @@ These rules guide autonomous operation. Test results and code quality always tak
 
 ## Model Selection
 
-**Default since v5.3.0 (reaffirmed in v7.5.9):** Haiku disabled for quality. Use `--allow-haiku` or `LOKI_ALLOW_HAIKU=true` to enable.
+**Default since v5.3.0 (reaffirmed in v7.5.10):** Haiku disabled for quality. Use `--allow-haiku` or `LOKI_ALLOW_HAIKU=true` to enable.
 
 | Task Type | Tier | Claude (default) | Claude (--allow-haiku) | Codex (GPT-5.3) | Gemini |
 |-----------|------|------------------|------------------------|------------------|--------|
@@ -330,6 +330,19 @@ See `references/core-workflow.md` for the full RARV-C contract.
 
 ---
 
+## Concurrency and Security Hardening (v7.5.7 - v7.5.10)
+
+Three back-to-back patches closed cross-process and security gaps. No user-facing behavior change on the default flow; verify via the cited paths.
+
+- **Cross-process file locks** on append-or-rewrite state, so parallel runs / dashboard / MCP do not corrupt shared files: gate counter (`autonomy/run.sh` gate-counter writes), task queues (`autonomy/run.sh` queue read-modify-write), checkpoint index (`autonomy/run.sh` checkpoint index updates), `events.jsonl` append (event emission paths in `events/emit.sh` and `autonomy/run.sh`), human intervention signal files (`autonomy/run.sh:check_human_intervention()` at line ~8059 / 7897 per state-machine doc).
+- **MCP path validation** -- file/path arguments to `mcp/server.py` tools are normalized and rejected if they escape the project root (path-traversal fix from v7.5.8).
+- **Dashboard auth** now required on `/api/memory/*`, `/api/learning/*`, and `/api/status` in `dashboard/server.py` (previously unauthenticated read paths).
+- **Bash quoting hardening** across `autonomy/run.sh` and `autonomy/loki` -- variable expansions inside command substitution and `[ ]` tests quoted to prevent word-splitting on paths with spaces.
+
+See `CHANGELOG.md` entries [7.5.7], [7.5.8], [7.5.10] for the per-fix list and reviewer sign-off.
+
+---
+
 ## Implemented Features
 
 | Feature | Added | Notes |
@@ -365,4 +378,4 @@ See `references/core-workflow.md` for the full RARV-C contract.
 
 ---
 
-**v7.5.9 | [Autonomi](https://www.autonomi.dev/) flagship product | ~260 lines core**
+**v7.5.10 | [Autonomi](https://www.autonomi.dev/) flagship product | ~260 lines core**

package/VERSION

@@ -1 +1 @@
-7.5.9
+7.5.10

package/autonomy/run.sh

@@ -477,6 +477,18 @@ parse_yaml_with_yq() {
 load_config_file
 
 # Load JSON settings from loki config set (v6.0.0)
+#
+# SECURITY NOTE (v7.5.10, L12#2 audit): The eval below is intentional and safe.
+# The Python script's output is constrained to a fixed template:
+#     [ -z "${VAR:-}" ] && export VAR=<value>
+# where:
+#   - VAR is a hardcoded env var name from the `mapping` dict (NOT user-controlled).
+#   - <value> is produced by shlex.quote(), which emits POSIX-shell-safe single-
+#     quoted strings even for adversarial input (e.g. quotes, semicolons, $()).
+#   - Non-string values from settings.json are skipped (isinstance check).
+# Therefore no user-controlled bytes can break out of the quoted value or alter
+# the surrounding shell syntax. Do NOT remove the shlex.quote() call or relax
+# the isinstance(val, str) guard without re-auditing this eval.
 _load_json_settings() {
     local settings_file="${TARGET_DIR:-.}/.loki/config/settings.json"
     [ -f "$settings_file" ] || return 0
@@ -7100,13 +7112,31 @@ rollback_to_checkpoint() {
     done
 
     # Log the rollback (use python3 for safe JSON serialization)
-    local timestamp
+    # v7.5.10: route through safe_append_event_jsonl() so parallel-worktree
+    # rollbacks cannot interleave partial JSONL lines (POSIX append is
+    # only atomic for <PIPE_BUF and not all platforms honor it).
+    local timestamp rb_event
     timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
-    _RB_CPID="$checkpoint_id" _RB_SHA="$git_sha" _RB_TS="$timestamp" \
+    rb_event=$(_RB_CPID="$checkpoint_id" _RB_SHA="$git_sha" _RB_TS="$timestamp" \
     python3 -c "
 import json,os
 print(json.dumps({'event':'rollback','checkpoint':os.environ['_RB_CPID'],'git_sha':os.environ['_RB_SHA'],'timestamp':os.environ['_RB_TS']}))
-" >> ".loki/events.jsonl" 2>/dev/null || true
+" 2>/dev/null) || rb_event=""
+    if [ -n "$rb_event" ]; then
+        # Source the emit lib once per call to get safe_append_event_jsonl.
+        # Lib-only mode skips the emit script's normal CLI execution.
+        # shellcheck disable=SC1091
+        if [ -z "${_LOKI_EMIT_LIB_LOADED:-}" ]; then
+            LOKI_EMIT_LIB_ONLY=1 . "$(dirname "${BASH_SOURCE[0]}")/../events/emit.sh" 2>/dev/null \
+                && _LOKI_EMIT_LIB_LOADED=1
+        fi
+        if declare -f safe_append_event_jsonl >/dev/null 2>&1; then
+            safe_append_event_jsonl ".loki/events.jsonl" "$rb_event" 2>/dev/null || true
+        else
+            # Last-resort fallback: bare append (preserves prior behavior).
+            printf '%s\n' "$rb_event" >> ".loki/events.jsonl" 2>/dev/null || true
+        fi
+    fi
 
     log_info "State files restored from checkpoint: ${checkpoint_id}"
 

package/dashboard/__init__.py

@@ -7,7 +7,7 @@ Modules:
     control: Session control API (start/stop/pause/resume)
 """
 
-__version__ = "7.5.9"
+__version__ = "7.5.10"
 
 # Expose the control app for easy import
 try:

package/dashboard/server.py

@@ -740,7 +740,7 @@ async def agent_card() -> dict:
 
 
 # Status endpoint - reads from .loki/ flat files (primary) + DB (fallback)
-@app.get("/api/status", response_model=StatusResponse)
+@app.get("/api/status", response_model=StatusResponse, dependencies=[Depends(auth.require_scope("read"))])
 async def get_status() -> StatusResponse:
     """Get system status from .loki/ session files."""
     loki_dir = _get_loki_dir()

package/docs/INSTALLATION.md

@@ -2,7 +2,7 @@
 
 The flagship product of [Autonomi](https://www.autonomi.dev/). Complete installation instructions for all platforms and use cases.
 
-**Version:** v7.5.9
+**Version:** v7.5.10
 
 ---
 

package/events/emit.sh

@@ -11,6 +11,82 @@
 #
 # Environment:
 #   LOKI_DIR - Path to .loki directory (default: .loki)
+#
+# Sourcing:
+#   This script can also be sourced (LOKI_EMIT_LIB_ONLY=1) to expose the
+#   safe_append_event_jsonl() helper without performing an emit.
+
+# safe_append_event_jsonl <events_jsonl_path> <line>
+#
+# Cross-process serialized append to .loki/events.jsonl. POSIX append is
+# atomic only for writes <PIPE_BUF (typically 4KB) and not all filesystems
+# honor it; under parallel-worktree contention bare `>>` can interleave
+# partial JSONL lines. This helper serializes appends across processes.
+#
+# Strategy (v7.5.10):
+#   - Prefer flock(1) when available (Linux, util-linux). Uses an
+#     exclusive lock on a sentinel FD bound to <events>.lock so the lock
+#     is released automatically when the subshell exits.
+#   - Fall back to a mkdir() mutex on macOS / BSDs where flock is not
+#     installed by default. mkdir is atomic on POSIX -- exactly one
+#     concurrent caller wins the create. We retry with backoff up to
+#     ~5s, and treat a stale lockdir (>30s old) as abandonable.
+#   - The newline is appended by the helper -- callers pass the JSON
+#     payload only.
+safe_append_event_jsonl() {
+    local events_path="$1"
+    local line="$2"
+    local lock_target="${events_path}.lock"
+    local events_dir
+    events_dir="$(dirname "$events_path")"
+    mkdir -p "$events_dir" 2>/dev/null || true
+
+    if command -v flock >/dev/null 2>&1; then
+        # flock path: bind FD 9 to the sentinel file (created if absent),
+        # take an exclusive lock, append, release on subshell exit.
+        (
+            flock -x 9
+            printf '%s\n' "$line" >> "$events_path"
+        ) 9>"$lock_target"
+        return $?
+    fi
+
+    # Fallback: mkdir-based mutex. mkdir is atomic on POSIX.
+    local lock_dir="${events_path}.lockdir"
+    local attempts=0
+    local max_attempts=500   # ~5s at 10ms sleep
+    while ! mkdir "$lock_dir" 2>/dev/null; do
+        attempts=$((attempts + 1))
+        if [ "$attempts" -ge "$max_attempts" ]; then
+            # Stale lock: if the dir is older than 30s, force-remove it.
+            local age
+            age=$(( $(date +%s) - $(stat -f%m "$lock_dir" 2>/dev/null \
+                                    || stat -c%Y "$lock_dir" 2>/dev/null \
+                                    || echo 0) ))
+            if [ "$age" -gt 30 ]; then
+                rmdir "$lock_dir" 2>/dev/null || rm -rf "$lock_dir" 2>/dev/null || true
+                attempts=0
+                continue
+            fi
+            # Give up -- best-effort write so observability never blocks.
+            printf '%s\n' "$line" >> "$events_path" 2>/dev/null || true
+            return 1
+        fi
+        # Sleep ~10ms (perl avoids `sleep 0.01` portability issues).
+        perl -e 'select(undef,undef,undef,0.01)' 2>/dev/null || sleep 1
+    done
+    # Critical section.
+    printf '%s\n' "$line" >> "$events_path"
+    local rc=$?
+    rmdir "$lock_dir" 2>/dev/null || true
+    return $rc
+}
+
+# Library-only mode: source this file to get safe_append_event_jsonl
+# without executing the emit logic below.
+if [ "${LOKI_EMIT_LIB_ONLY:-0}" = "1" ]; then
+    return 0 2>/dev/null || exit 0
+fi
 
 set -euo pipefail
 

package/loki-ts/dist/loki.js

@@ -423,7 +423,7 @@ Subcommands:
 
 This command is invoked by autonomy/run.sh between iterations. Users
 should not run it directly -- run \`loki start\` instead.
-`,T5;var $6=w(()=>{m();T1();T5=c1});m();import{readFileSync as U6}from"fs";import{resolve as q6,dirname as H6}from"path";import{fileURLToPath as G6}from"url";var o=null;function r1(){if(o!==null)return o;let $="7.5.9";if(typeof $==="string"&&$.length>0)return o=$,o;try{let Q=H6(G6(import.meta.url)),z=E1(Q);o=U6(q6(z,"VERSION"),"utf-8").trim()}catch{o="unknown"}return o}function s1(){return process.stdout.write(`Loki Mode v${r1()}
+`,T5;var $6=w(()=>{m();T1();T5=c1});m();import{readFileSync as U6}from"fs";import{resolve as q6,dirname as H6}from"path";import{fileURLToPath as G6}from"url";var o=null;function r1(){if(o!==null)return o;let $="7.5.10";if(typeof $==="string"&&$.length>0)return o=$,o;try{let Q=H6(G6(import.meta.url)),z=E1(Q);o=U6(q6(z,"VERSION"),"utf-8").trim()}catch{o="unknown"}return o}function s1(){return process.stdout.write(`Loki Mode v${r1()}
 `),0}p();n();m();import{readFileSync as A6,existsSync as T6}from"fs";import{resolve as O6}from"path";var j6=["claude","codex","gemini","cline","aider"];function i1(){let $=O6(P(),"state","provider");if(!T6($))return"";try{return A6($,"utf-8").trim()}catch{return""}}function _6($,Q){return $||Q||process.env.LOKI_PROVIDER||"claude"}function I6($){let Q=i1(),z=_6($,Q);switch(process.stdout.write(`${D}Current Provider${W}
 `),process.stdout.write(`
 `),process.stdout.write(`${A}Provider:${W} ${z}
@@ -506,4 +506,4 @@ Set LOKI_LEGACY_BASH=1 to force the bash CLI for every command.
 `),2}default:return process.stderr.write(`Unknown command: ${Q}
 `),process.stderr.write(z6),2}}process.on("SIGINT",()=>process.exit(130));process.on("SIGTERM",()=>process.exit(143));var _5=await j5(Bun.argv.slice(2));process.exit(_5);
 
-//# debugId=CACEACF76B85BD5C64756E2164756E21
+//# debugId=70EC2B659E43E8E764756E2164756E21

package/loki-ts/package.json

@@ -5,7 +5,8 @@
   "private": true,
   "type": "module",
   "engines": {
-    "bun": ">=1.3.0"
+    "bun": ">=1.3.0",
+    "node": ">=20.0.0"
   },
   "scripts": {
     "version": "bun src/cli.ts version",

package/mcp/__init__.py

@@ -57,4 +57,4 @@ try:
 except ImportError:
     __all__ = ['mcp']
 
-__version__ = '7.5.9'
+__version__ = '7.5.10'

package/memory/retrieval.py

@@ -295,6 +295,42 @@ class MemoryRetrieval:
         """Get the current namespace."""
         return self._namespace
 
+    # Track which legacy entries we've already warned about to avoid log spam.
+    _LEGACY_WARN_LIMIT = 5
+    _legacy_warned_count: int = 0
+
+    def _belongs_to_namespace(self, result: Dict[str, Any]) -> bool:
+        """
+        Check if a memory result belongs to the current namespace.
+
+        Cross-namespace leak defense (v7.5.10). Storage layer should isolate
+        files by directory, but this filter provides defense-in-depth and
+        handles cases where vector indices span namespaces.
+
+        Behavior:
+        - If self._namespace is None, accept all (backward compat for unscoped retrieval).
+        - If result has "_namespace" matching, accept.
+        - If result lacks "_namespace" (legacy entry written before stamping),
+          log a deprecation warning (rate-limited) and ACCEPT for backward compat.
+        - Otherwise, reject.
+        """
+        if self._namespace is None:
+            return True
+        result_ns = result.get("_namespace")
+        if result_ns is None:
+            # Legacy entry without namespace stamp; accept for backward compat
+            # but warn so operators can re-save to add stamps.
+            if MemoryRetrieval._legacy_warned_count < MemoryRetrieval._LEGACY_WARN_LIMIT:
+                logger.warning(
+                    "Memory entry id=%s lacks '_namespace' stamp (legacy "
+                    "entry). Including in results for backward compatibility. "
+                    "Re-save this entry to enable namespace isolation.",
+                    result.get("id", "<unknown>"),
+                )
+                MemoryRetrieval._legacy_warned_count += 1
+            return True
+        return result_ns == self._namespace
+
     def with_namespace(self, namespace: str) -> "MemoryRetrieval":
         """
         Create a new MemoryRetrieval instance with a different namespace.
@@ -761,7 +797,10 @@ class MemoryRetrieval:
             item["id"] = item_id
             item["_score"] = float(score)
             item["_source"] = collection
-            items.append(item)
+            # Cross-namespace leak defense (v7.5.10): vector indices may be
+            # shared across namespaces, so filter here too.
+            if self._belongs_to_namespace(item):
+                items.append(item)
 
         return items
 
@@ -810,7 +849,8 @@ class MemoryRetrieval:
                     )
                     if data:
                         data["_source"] = "episodic"
-                        results.append(data)
+                        if self._belongs_to_namespace(data):
+                            results.append(data)
 
         # Filter semantic patterns by last_used
         patterns_data = self.storage.read_json("semantic/patterns.json") or {}
@@ -831,7 +871,8 @@ class MemoryRetrieval:
 
                     if since <= last_used_dt <= until:
                         pattern["_source"] = "semantic"
-                        results.append(pattern)
+                        if self._belongs_to_namespace(pattern):
+                            results.append(pattern)
                 except (ValueError, TypeError):
                     continue
 
@@ -1428,7 +1469,8 @@ class MemoryRetrieval:
                     data_copy = dict(data)
                     data_copy["_score"] = score
                     data_copy["_source"] = "episodic"
-                    results.append(data_copy)
+                    if self._belongs_to_namespace(data_copy):
+                        results.append(data_copy)
 
         return results
 
@@ -1457,7 +1499,8 @@ class MemoryRetrieval:
                 pattern_copy = dict(pattern)
                 pattern_copy["_score"] = score
                 pattern_copy["_source"] = "semantic"
-                results.append(pattern_copy)
+                if self._belongs_to_namespace(pattern_copy):
+                    results.append(pattern_copy)
 
         return results
 
@@ -1486,7 +1529,8 @@ class MemoryRetrieval:
                 data_copy = dict(data)
                 data_copy["_score"] = score
                 data_copy["_source"] = "skills"
-                results.append(data_copy)
+                if self._belongs_to_namespace(data_copy):
+                    results.append(data_copy)
 
         return results
 
@@ -1511,7 +1555,8 @@ class MemoryRetrieval:
                 anti_copy = dict(anti)
                 anti_copy["_score"] = score
                 anti_copy["_source"] = "anti_patterns"
-                results.append(anti_copy)
+                if self._belongs_to_namespace(anti_copy):
+                    results.append(anti_copy)
 
         return results
 

package/memory/storage.py

@@ -391,6 +391,11 @@ class MemoryStorage:
         episode_id = episode_data.get("id") or self._generate_id("episode")
         episode_data["id"] = episode_id
 
+        # Stamp namespace so retrieval can verify isolation (cross-namespace
+        # leak defense, v7.5.10). Defaults to DEFAULT_NAMESPACE for unscoped
+        # storage instances.
+        episode_data["_namespace"] = self._namespace or DEFAULT_NAMESPACE
+
         # Determine storage path based on date
         timestamp = episode_data.get("timestamp", datetime.now(timezone.utc).isoformat())
         if isinstance(timestamp, str):
@@ -557,6 +562,8 @@ class MemoryStorage:
             "created_at",
             datetime.now(timezone.utc).isoformat()
         )
+        # Stamp namespace for cross-namespace leak defense (v7.5.10).
+        pattern_data["_namespace"] = self._namespace or DEFAULT_NAMESPACE
 
         patterns_path = self.base_path / "semantic" / "patterns.json"
 
@@ -750,6 +757,8 @@ class MemoryStorage:
             "created_at",
             datetime.now(timezone.utc).isoformat()
         )
+        # Stamp namespace for cross-namespace leak defense (v7.5.10).
+        skill_data["_namespace"] = self._namespace or DEFAULT_NAMESPACE
 
         # Use skill name for filename if available, otherwise use ID
         skill_name = skill_data.get("name", skill_id)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "loki-mode",
-  "version": "7.5.9",
+  "version": "7.5.10",
   "description": "Loki Mode by Autonomi - Multi-agent autonomous startup system for Claude Code, Codex CLI, and Gemini CLI",
   "keywords": [
     "agent",
@@ -102,7 +102,7 @@
   ],
   "scripts": {
     "prepack": "find . -type d -name __pycache__ -exec rm -rf {} + 2>/dev/null; find . -name '*.pyc' -delete 2>/dev/null; if command -v bun >/dev/null 2>&1; then (cd loki-ts && bun install --production && bun run build) || echo 'WARN: loki-ts build failed, using existing dist if present'; else echo 'WARN: bun not on PATH, skipping loki-ts build (using committed dist if present)'; fi; true",
-    "prepublishOnly": "cd dashboard-ui && npm ci && npm run build:all",
+    "prepublishOnly": "cd dashboard-ui && npm ci && npm run build:all && test -f ../dashboard/static/index.html",
     "test": "bash -n autonomy/run.sh && bash -n autonomy/loki && bash -n autonomy/completion-council.sh && bash -n autonomy/app-runner.sh && bash -n autonomy/prd-checklist.sh && bash -n autonomy/playwright-verify.sh && node --test tests/protocols/*.test.js && node --test tests/protocols/a2a/*.test.js && node --test tests/observability/*.test.js && node --test tests/policies/*.test.js && node --test tests/audit/*.test.js && node --test tests/integrations/*.test.js && node --test tests/integrations/jira/*.test.js && node --test tests/integrations/github/*.test.js && node --test tests/integrations/slack/*.test.js && bash tests/managed_memory/test_flag_matrix.sh && bash tests/managed_memory/test_sdk_isolation.sh && bash tests/managed_memory/test_kill_switch.sh && python3 -m unittest tests.managed_memory.test_shadow_write_mock tests.managed_memory.test_retrieve_mock && echo 'All checks passed'",
     "test:visual": "node --experimental-vm-modules node_modules/jest/bin/jest.js dashboard-ui/tests/visual-regression.test.js",
     "test:parity": "node --experimental-vm-modules dashboard-ui/scripts/check-parity.js",
@@ -111,7 +111,7 @@
     "test:integration": "bash tests/integration/run_integration_suite.sh"
   },
   "engines": {
-    "node": ">=18.0.0"
+    "node": ">=20.0.0"
   },
   "os": [
     "darwin",
@@ -124,7 +124,7 @@
     "@opentelemetry/exporter-trace-otlp-http": "^0.57.0"
   },
   "overrides": {
-    "protobufjs": ">=7.5.9"
+    "protobufjs": ">=7.5.6"
   },
   "devDependencies": {
     "@types/node": "^25.2.0",

package/skills/healing.md

@@ -505,3 +505,15 @@ loki heal --report
 # Strict mode: block any behavioral change without approval
 LOKI_HEAL_STRICT=true loki heal ./legacy-app
 ```
+
+## Checkpoint metadata hardening (v7.5.8)
+
+As defense-in-depth for the healing checkpoint store, the checkpoint
+writer now rejects ASCII control characters (U+0000-U+001F except TAB,
+LF, CR, plus U+007F) anywhere in checkpoint metadata keys or values
+before persisting `.loki/healing/checkpoints/<phase>.json`. This blocks
+log-injection and JSON-poisoning vectors where adapter output, friction
+notes, or institutional-knowledge excerpts could smuggle terminal
+escapes or NUL bytes into the resume path. Rejected writes raise a
+typed error and never partially overwrite the prior checkpoint, so
+`loki heal --resume` always restarts from a clean, validated state.

package/skills/quality-gates.md

@@ -160,6 +160,16 @@ are silently dropped at load time. The override council uses a stub
 judge in v7.5.x that approves any of those six trusted proofTypes;
 real provider-backed judges land in Phase 2 of Part B.
 
+**Cross-process gate counter (v7.5.5+)**: the per-iteration gate counter
+at `.loki/state/gate-counter-<iter>.json` is now incremented under a
+cross-process file lock via `withFileLockSync` in
+`loki-ts/src/util/atomic.ts`. Concurrent gate runs (parallel worktrees,
+overlapping `runQualityGates` invocations) no longer race the
+read-modify-write, so override-council quotas and per-finding counters
+remain consistent across processes. The lock file lives at
+`.loki/state/gate-counter-<iter>.json.lock` and is released even on
+crash via the primitive's `finally` cleanup.
+
 ---
 
 ## Guardrails Execution Modes

package/web-app/requirements.txt

@@ -25,3 +25,6 @@ passlib[bcrypt]>=1.7.4
 # Encryption (optional) -- Fernet encryption for user secrets.
 # Needed only for the /api/secrets endpoints in cloud mode.
 cryptography>=41.0.0
+
+# YAML parsing -- used by server.py for config loading
+pyyaml>=6.0