loki-mode 7.54.0 → 7.55.0

package/SKILL.md

@@ -3,7 +3,7 @@ name: loki-mode
 description: Autonomous spec-driven build system with a built-in trust layer. It does not call work done until it is verified (RARV-C closure loop, 8 quality gates, completion council, verified-completion evidence gate). Triggers on "Loki Mode". Takes a spec (PRD, GitHub issue, OpenAPI doc, etc.) to deployed product with minimal human intervention. Provider-agnostic. Requires --dangerously-skip-permissions flag.
 ---
 
-# Loki Mode v7.54.0
+# Loki Mode v7.55.0
 
 **You are an autonomous agent. You make decisions. You do not ask questions. You do not stop.**
 
@@ -406,4 +406,4 @@ See `CHANGELOG.md` entries [7.5.7], [7.5.8], [7.5.13] for the per-fix list and r
 
 ---
 
-**v7.54.0 | [Autonomi](https://www.autonomi.dev/) flagship product | ~260 lines core**
+**v7.55.0 | [Autonomi](https://www.autonomi.dev/) flagship product | ~260 lines core**

package/VERSION

@@ -1 +1 @@
-7.54.0
+7.55.0

package/autonomy/run.sh

@@ -8402,6 +8402,87 @@ _semantic_gate_and_surface() {
     return "$_rc"
 }
 
+# P1-4 invariant/property gate (bash-route parity, v7.51.0). The Bun route
+# ships an invariant toggle (loki-ts/src/runner/quality_gates.ts:2057,
+# `invariants: flag("LOKI_GATE_INVARIANTS", false)`) running
+# tests/detect-invariant-violations.sh --strict; the bash route had NO
+# counterpart, so the bash/Bun parity test reported "Only in bun:
+# LOKI_GATE_INVARIANTS". This wires the bash side, mirroring
+# enforce_semantic_integrity's structure byte-for-byte:
+#   - detector --strict exit-code contract (tests/detect-invariant-violations.sh
+#     :347-353): rc 1 iff CRITICAL/HIGH present, rc 0 otherwise.
+#   - detector honors LOKI_SCAN_DIR (tests/detect-invariant-violations.sh:123),
+#     so the wrapper exports it to the TARGET project (cwd alone does NOT
+#     redirect the scan).
+# The PLURAL token LOKI_GATE_INVARIANTS is used deliberately to match the Bun
+# readToggles flag name; the detector's own reference comment suggests a
+# singular default-on variant (no trailing S), which is NOT used here (parity
+# needs the plural, and this gate is OPT-IN / default OFF like the semantic
+# gate).
+enforce_invariant_integrity() {
+    local loki_dir="${TARGET_DIR:-.}/.loki"
+    local quality_dir="$loki_dir/quality"
+    mkdir -p "$quality_dir"
+    local findings_file="$quality_dir/invariant-findings.txt"
+    local detector="$SCRIPT_DIR/../tests/detect-invariant-violations.sh"
+    local gate_timeout="${LOKI_GATE_TIMEOUT:-300}"
+
+    if [ ! -f "$detector" ]; then
+        log_info "Invariant gate: detector not found, skipping (inconclusive)"
+        rm -f "$findings_file" 2>/dev/null || true
+        return 0
+    fi
+
+    local output rc
+    # --strict exits 1 iff CRITICAL/HIGH present; 0 otherwise (clean wrapper).
+    output=$(cd "${TARGET_DIR:-.}" && LOKI_SCAN_DIR="${TARGET_DIR:-.}" \
+        timeout "$gate_timeout" bash "$detector" --strict 2>&1)
+    rc=$?
+
+    # timeout exit 124 -- inconclusive, never block on a hang (deny-filter)
+    if [ "$rc" -eq 124 ]; then
+        log_warn "Invariant gate: detector timed out after ${gate_timeout}s -- inconclusive"
+        rm -f "$findings_file" 2>/dev/null || true
+        return 0
+    fi
+
+    if [ "$rc" -eq 1 ]; then
+        # rc 1 == one or more CRITICAL/HIGH findings. Persist per-finding text.
+        {
+            echo "# Invariant findings (CRITICAL/HIGH block this completion)"
+            echo "$output" | grep -E '\[(CRITICAL|HIGH|MEDIUM|LOW)\]' || true
+        } > "$findings_file"
+        log_warn "Invariant gate: CRITICAL/HIGH invariant violations detected -- BLOCK"
+        return 1
+    fi
+
+    # rc 0 (and any other non-1, non-124 code, e.g. a malformed run) -> PASS.
+    # Route any MED/LOW advisory findings to the injection file, else clear it.
+    local med_low
+    med_low=$(echo "$output" | grep -E '\[(MEDIUM|LOW)\]' || true)
+    if [ -n "$med_low" ]; then
+        {
+            echo "# Invariant advisory findings (MED/LOW, non-blocking)"
+            echo "$med_low"
+        } > "$findings_file"
+    else
+        rm -f "$findings_file" 2>/dev/null || true
+    fi
+    log_info "Invariant gate: PASS"
+    return 0
+}
+
+# Thin wrapper mirroring _semantic_gate_and_surface so the completion-promise
+# elif arm reads cleanly (`! _invariant_gate_and_surface`). Returns nonzero
+# ONLY when enforce_invariant_integrity saw an rc-1 (CRITICAL/HIGH) result; all
+# deny-filter cases already collapse to 0 inside enforce_invariant_integrity,
+# so this never blocks a clean run.
+_invariant_gate_and_surface() {
+    local _rc=0
+    enforce_invariant_integrity || _rc=$?
+    return "$_rc"
+}
+
 # ============================================================================
 # 3-Reviewer Parallel Code Review (v5.35.0)
 # Specialist pool from skills/quality-gates.md with blind review
@@ -15467,6 +15548,22 @@ else:
                 log_warn "Completion claim rejected: semantic test-authenticity gate found CRITICAL/HIGH fake-test problem(s)."
                 log_warn "  Details under .loki/quality/semantic-findings.txt ; opt-in gate -- disable with LOKI_GATE_SEMANTIC_TESTS=false"
                 # Fall through; keep iterating until the fake tests are fixed.
+            # P1-4: invariant/property gate (OPT-IN, default OFF). Mirrors the
+            # semantic arm above and the Bun route's invariants toggle
+            # (loki-ts/src/runner/quality_gates.ts:2057). Guarded by
+            # LOKI_GATE_INVARIANTS (PLURAL, to match the Bun readToggles flag
+            # name; the detector's reference-comment singular default-on variant
+            # without the trailing S is deliberately NOT used). Accepts "true" or
+            # "1"; default OFF means the arm never runs (zero cost, never
+            # blocks). When enabled it runs detect-invariant-violations.sh
+            # --strict and rejects completion ONLY on a CRITICAL/HIGH (rc 1)
+            # finding; clean / detector-absent / timeout / malformed all
+            # collapse to a pass inside _invariant_gate_and_surface, so the
+            # autonomous loop can never deadlock on a clean run.
+            elif [ "$_completion_claimed" = 1 ] && { [ "${LOKI_GATE_INVARIANTS:-false}" = "true" ] || [ "${LOKI_GATE_INVARIANTS:-false}" = "1" ]; } && type _invariant_gate_and_surface &>/dev/null && ! _invariant_gate_and_surface; then
+                log_warn "Completion claim rejected: invariant gate found CRITICAL/HIGH invariant/property violation(s)."
+                log_warn "  Details under .loki/quality/invariant-findings.txt ; opt-in gate -- disable with LOKI_GATE_INVARIANTS=false"
+                # Fall through; keep iterating until the invariant violations are fixed.
             elif [ "$_completion_claimed" = 1 ]; then
                 echo ""
                 if [ -n "$COMPLETION_PROMISE" ]; then

package/dashboard/__init__.py

@@ -7,7 +7,7 @@ Modules:
     control: Session control API (start/stop/pause/resume)
 """
 
-__version__ = "7.54.0"
+__version__ = "7.55.0"
 
 # Expose the control app for easy import
 try:

package/docs/INSTALLATION.md

@@ -2,7 +2,7 @@
 
 The flagship product of [Autonomi](https://www.autonomi.dev/). Loki Mode is a spec-driven autonomous builder with a built-in trust layer that takes any spec to a deployed product and verifies completion with evidence (quality gates plus a completion council), not just a "done" claim. Complete installation instructions for all platforms and use cases.
 
-**Version:** v7.54.0
+**Version:** v7.55.0
 
 ---
 
@@ -395,7 +395,7 @@ provider works inside the container. Provide auth with your Anthropic API key:
 # Run Loki Mode in Docker (Claude provider, API-key auth)
 docker run --rm -e ANTHROPIC_API_KEY="$ANTHROPIC_API_KEY" \
   -v $(pwd):/workspace -w /workspace \
-  asklokesh/loki-mode:7.54.0 start ./my-spec.md
+  asklokesh/loki-mode:7.55.0 start ./my-spec.md
 ```
 
 ##### docker compose + .env (no host install)

package/loki-ts/dist/loki.js

@@ -1,5 +1,5 @@
 // @bun
-var r6=Object.defineProperty;var t6=($)=>$;function i6($,Q){this[$]=t6.bind(null,Q)}var h=($,Q)=>{for(var Z in Q)r6($,Z,{get:Q[Z],enumerable:!0,configurable:!0,set:i6.bind(Q,Z)})};var L=($,Q)=>()=>($&&(Q=$($=0)),Q);var K$=import.meta.require;var D1={};h(D1,{lokiDir:()=>P,homeLokiDir:()=>n$,findRepoRootForVersion:()=>o$,REPO_ROOT:()=>g});import{resolve as n,dirname as d$}from"path";import{fileURLToPath as e6}from"url";import{existsSync as P$}from"fs";import{homedir as $Q}from"os";function QQ(){let $=S1;for(let Q=0;Q<6;Q++){if(P$(n($,"VERSION"))&&P$(n($,"autonomy/run.sh")))return $;let Z=d$($);if(Z===$)break;$=Z}return n(S1,"..","..","..")}function o$($){let Q=$;for(let Z=0;Z<6;Z++){if(P$(n(Q,"VERSION"))&&P$(n(Q,"autonomy/run.sh")))return Q;let z=d$(Q);if(z===Q)break;Q=z}return n($,"..","..","..")}function P(){return process.env.LOKI_DIR??n(process.cwd(),".loki")}function n$(){return n($Q(),".loki")}var S1,g;var b=L(()=>{S1=d$(e6(import.meta.url));g=QQ()});import{readFileSync as ZQ}from"fs";import{resolve as zQ,dirname as XQ}from"path";import{fileURLToPath as KQ}from"url";function j$(){if($$!==null)return $$;let $="7.54.0";if(typeof $==="string"&&$.length>0)return $$=$,$$;try{let Q=XQ(KQ(import.meta.url)),Z=o$(Q);$$=ZQ(zQ(Z,"VERSION"),"utf-8").trim()}catch{$$="unknown"}return $$}var $$=null;var a$=L(()=>{b()});var b1={};h(b1,{runOrThrow:()=>qQ,run:()=>k,commandVersion:()=>WQ,commandExists:()=>f,ShellError:()=>s$});async function k($,Q={}){let Z=Bun.spawn({cmd:[...$],stdout:"pipe",stderr:"pipe",env:Q.env?{...process.env,...Q.env}:process.env,cwd:Q.cwd}),z,X;if(Q.timeoutMs&&Q.timeoutMs>0)z=setTimeout(()=>{try{Z.kill("SIGTERM")}catch{}X=setTimeout(()=>{try{Z.kill("SIGKILL")}catch{}},2000)},Q.timeoutMs);try{let[q,K,W]=await Promise.all([new Response(Z.stdout).text(),new Response(Z.stderr).text(),Z.exited]);return{stdout:q,stderr:K,exitCode:W}}finally{if(z)clearTimeout(z);if(X)clearTimeout(X)}}async function qQ($,Q={}){let Z=await k($,Q);if(Z.exitCode!==0)throw new s$(`command failed (${Z.exitCode}): ${$.join(" ")}`,Z.exitCode,Z.stdout,Z.stderr);return Z}async function f($){let Q=VQ($),Z=await k(["sh","-c",`command -v ${Q}`],{timeoutMs:5000});if(Z.exitCode===0)return Z.stdout.trim()||null;return null}function VQ($){if(!/^[A-Za-z0-9._/-]+$/.test($))throw Error(`refused to shell-escape suspect token: ${$}`);return $}async function WQ($,Q="--version"){if(!await f($))return null;let z=await k([$,Q],{timeoutMs:5000});if(z.exitCode!==0)return null;return((z.stdout||z.stderr).split(/\r?\n/)[0]?.trim()??"")||null}var s$;var d=L(()=>{s$=class s$ extends Error{message;exitCode;stdout;stderr;constructor($,Q,Z,z){super($);this.message=$;this.exitCode=Q;this.stdout=Z;this.stderr=z;this.name="ShellError"}}});function a($){return JQ?"":$}var JQ,T,S,_,wZ,I,R,y,V;var c=L(()=>{JQ=(process.env.NO_COLOR??"").length>0;T=a("\x1B[0;31m"),S=a("\x1B[0;32m"),_=a("\x1B[1;33m"),wZ=a("\x1B[0;34m"),I=a("\x1B[0;36m"),R=a("\x1B[1m"),y=a("\x1B[2m"),V=a("\x1B[0m")});import{existsSync as wQ}from"fs";async function Q$(){if(G$!==void 0)return G$;let $="/opt/homebrew/bin/python3.12";if(wQ($))return G$=$,$;let Q=await f("python3.12");if(Q)return G$=Q,Q;let Z=await f("python3");return G$=Z,Z}async function Z$($,Q={}){let Z=await Q$();if(!Z)return{stdout:"",stderr:"python3 not found",exitCode:127};return k([Z,"-c",$],Q)}var G$;var q$=L(()=>{d()});var e1={};h(e1,{runStatus:()=>uQ});import{existsSync as v,readFileSync as W$,readdirSync as d1,statSync as o1}from"fs";import{resolve as C,basename as DQ}from"path";import{homedir as CQ}from"os";function n1($){let Q=Math.trunc($);if(Q>=1e6)return`${(Math.trunc(Q/1e6*10)/10).toFixed(1)}M`;if(Q>=1000)return`${(Math.trunc(Q/1000*10)/10).toFixed(1)}K`;return String(Q)}function a1($,Q,Z){if(Q===0)return null;let z=Math.trunc($*100/Q),X=Math.trunc($*k$/Q);if(X>k$)X=k$;let q=k$-X,K=S;if(z>=80)K=T;else if(z>=50)K=_;let W="=".repeat(Math.max(0,X))+" ".repeat(Math.max(0,q)),J=n1($),U=n1(Q);return`  ${R}${Z}${V} ${K}[${W}]${V} ${z}% (${J} / ${U})`}async function hQ(){if(await f("jq"))return!0;return process.stdout.write(`${T}Error: jq is required but not installed.${V}
+var r6=Object.defineProperty;var t6=($)=>$;function i6($,Q){this[$]=t6.bind(null,Q)}var h=($,Q)=>{for(var Z in Q)r6($,Z,{get:Q[Z],enumerable:!0,configurable:!0,set:i6.bind(Q,Z)})};var L=($,Q)=>()=>($&&(Q=$($=0)),Q);var K$=import.meta.require;var D1={};h(D1,{lokiDir:()=>P,homeLokiDir:()=>n$,findRepoRootForVersion:()=>o$,REPO_ROOT:()=>g});import{resolve as n,dirname as d$}from"path";import{fileURLToPath as e6}from"url";import{existsSync as P$}from"fs";import{homedir as $Q}from"os";function QQ(){let $=S1;for(let Q=0;Q<6;Q++){if(P$(n($,"VERSION"))&&P$(n($,"autonomy/run.sh")))return $;let Z=d$($);if(Z===$)break;$=Z}return n(S1,"..","..","..")}function o$($){let Q=$;for(let Z=0;Z<6;Z++){if(P$(n(Q,"VERSION"))&&P$(n(Q,"autonomy/run.sh")))return Q;let z=d$(Q);if(z===Q)break;Q=z}return n($,"..","..","..")}function P(){return process.env.LOKI_DIR??n(process.cwd(),".loki")}function n$(){return n($Q(),".loki")}var S1,g;var b=L(()=>{S1=d$(e6(import.meta.url));g=QQ()});import{readFileSync as ZQ}from"fs";import{resolve as zQ,dirname as XQ}from"path";import{fileURLToPath as KQ}from"url";function j$(){if($$!==null)return $$;let $="7.55.0";if(typeof $==="string"&&$.length>0)return $$=$,$$;try{let Q=XQ(KQ(import.meta.url)),Z=o$(Q);$$=ZQ(zQ(Z,"VERSION"),"utf-8").trim()}catch{$$="unknown"}return $$}var $$=null;var a$=L(()=>{b()});var b1={};h(b1,{runOrThrow:()=>qQ,run:()=>k,commandVersion:()=>WQ,commandExists:()=>f,ShellError:()=>s$});async function k($,Q={}){let Z=Bun.spawn({cmd:[...$],stdout:"pipe",stderr:"pipe",env:Q.env?{...process.env,...Q.env}:process.env,cwd:Q.cwd}),z,X;if(Q.timeoutMs&&Q.timeoutMs>0)z=setTimeout(()=>{try{Z.kill("SIGTERM")}catch{}X=setTimeout(()=>{try{Z.kill("SIGKILL")}catch{}},2000)},Q.timeoutMs);try{let[q,K,W]=await Promise.all([new Response(Z.stdout).text(),new Response(Z.stderr).text(),Z.exited]);return{stdout:q,stderr:K,exitCode:W}}finally{if(z)clearTimeout(z);if(X)clearTimeout(X)}}async function qQ($,Q={}){let Z=await k($,Q);if(Z.exitCode!==0)throw new s$(`command failed (${Z.exitCode}): ${$.join(" ")}`,Z.exitCode,Z.stdout,Z.stderr);return Z}async function f($){let Q=VQ($),Z=await k(["sh","-c",`command -v ${Q}`],{timeoutMs:5000});if(Z.exitCode===0)return Z.stdout.trim()||null;return null}function VQ($){if(!/^[A-Za-z0-9._/-]+$/.test($))throw Error(`refused to shell-escape suspect token: ${$}`);return $}async function WQ($,Q="--version"){if(!await f($))return null;let z=await k([$,Q],{timeoutMs:5000});if(z.exitCode!==0)return null;return((z.stdout||z.stderr).split(/\r?\n/)[0]?.trim()??"")||null}var s$;var d=L(()=>{s$=class s$ extends Error{message;exitCode;stdout;stderr;constructor($,Q,Z,z){super($);this.message=$;this.exitCode=Q;this.stdout=Z;this.stderr=z;this.name="ShellError"}}});function a($){return JQ?"":$}var JQ,T,S,_,wZ,I,R,y,V;var c=L(()=>{JQ=(process.env.NO_COLOR??"").length>0;T=a("\x1B[0;31m"),S=a("\x1B[0;32m"),_=a("\x1B[1;33m"),wZ=a("\x1B[0;34m"),I=a("\x1B[0;36m"),R=a("\x1B[1m"),y=a("\x1B[2m"),V=a("\x1B[0m")});import{existsSync as wQ}from"fs";async function Q$(){if(G$!==void 0)return G$;let $="/opt/homebrew/bin/python3.12";if(wQ($))return G$=$,$;let Q=await f("python3.12");if(Q)return G$=Q,Q;let Z=await f("python3");return G$=Z,Z}async function Z$($,Q={}){let Z=await Q$();if(!Z)return{stdout:"",stderr:"python3 not found",exitCode:127};return k([Z,"-c",$],Q)}var G$;var q$=L(()=>{d()});var e1={};h(e1,{runStatus:()=>uQ});import{existsSync as v,readFileSync as W$,readdirSync as d1,statSync as o1}from"fs";import{resolve as C,basename as DQ}from"path";import{homedir as CQ}from"os";function n1($){let Q=Math.trunc($);if(Q>=1e6)return`${(Math.trunc(Q/1e6*10)/10).toFixed(1)}M`;if(Q>=1000)return`${(Math.trunc(Q/1000*10)/10).toFixed(1)}K`;return String(Q)}function a1($,Q,Z){if(Q===0)return null;let z=Math.trunc($*100/Q),X=Math.trunc($*k$/Q);if(X>k$)X=k$;let q=k$-X,K=S;if(z>=80)K=T;else if(z>=50)K=_;let W="=".repeat(Math.max(0,X))+" ".repeat(Math.max(0,q)),J=n1($),U=n1(Q);return`  ${R}${Z}${V} ${K}[${W}]${V} ${z}% (${J} / ${U})`}async function hQ(){if(await f("jq"))return!0;return process.stdout.write(`${T}Error: jq is required but not installed.${V}
 `),process.stdout.write(`Install with:
 `),process.stdout.write(`  brew install jq    (macOS)
 `),process.stdout.write(`  apt install jq     (Debian/Ubuntu)
@@ -790,4 +790,4 @@ Set LOKI_LEGACY_BASH=1 to force the bash CLI for every command.
 `),2}default:return process.stderr.write(`Unknown command: ${Q}
 `),process.stderr.write(s6),2}}l1();process.on("SIGINT",()=>process.exit(130));process.on("SIGTERM",()=>process.exit(143));var KZ=await XZ(Bun.argv.slice(2));process.exit(KZ);
 
-//# debugId=45D73957F12E90DF64756E2164756E21
+//# debugId=75540993435DE5C864756E2164756E21

package/mcp/__init__.py

@@ -57,4 +57,4 @@ try:
 except ImportError:
     __all__ = ['mcp']
 
-__version__ = '7.54.0'
+__version__ = '7.55.0'

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "loki-mode",
   "mcpName": "io.github.asklokesh/loki-mode",
-  "version": "7.54.0",
+  "version": "7.55.0",
   "description": "Loki Mode by Autonomi. Autonomous spec-to-product system: takes a PRD, GitHub issue, OpenAPI/JSON/YAML, or one-line brief to a deployed app via the RARV-C closure loop with 8 quality gates. Provider-agnostic (Claude Code, OpenAI Codex, Cline, Aider).",
   "keywords": [
     "agent",

package/plugins/loki-mode/.claude-plugin/plugin.json

@@ -2,7 +2,7 @@
   "$schema": "https://json.schemastore.org/claude-code-plugin-manifest.json",
   "name": "loki-mode",
   "displayName": "Loki Mode",
-  "version": "7.54.0",
+  "version": "7.55.0",
   "description": "Autonomous spec-to-product build system with a built-in trust layer (RARV-C closure loop, 8 quality gates, completion council). Ships Loki's spec-hardening, drift-detection, and deterministic PR verification commands plus the Loki MCP server.",
   "author": {
     "name": "Autonomi",

package/src/audit/crosslink.js

@@ -42,6 +42,8 @@ var { execFileSync } = require('child_process');
 var { AuditLog } = require('./log');
 
 var CROSSLINK_ACTION = 'audit_crosslink';
+var MANIFEST_LINK_ACTION = 'audit_manifest_link';
+var MANIFEST_FILE = 'loki-run.json';
 var WITNESS_FILE = 'witness.jsonl';
 var PY_GENESIS = '0'.repeat(64);
 
@@ -400,6 +402,185 @@ function verifyUnified(opts) {
   };
 }
 
+/**
+ * Resolve the path to the run manifest (bill-of-materials) written by
+ * autonomy/run.sh at <project>/.loki/loki-run.json. Override via
+ * opts.manifestPath for tests / non-standard layouts (mirrors the
+ * explicit-override idiom used by witnessFile / dashboardAuditDir).
+ */
+function defaultManifestPath(opts) {
+  opts = opts || {};
+  if (opts.manifestPath) return opts.manifestPath;
+  return path.join((opts.projectDir || process.cwd()), '.loki', MANIFEST_FILE);
+}
+
+/**
+ * Hash the manifest exactly as run.sh's _loki_sha256 does: sha256 over the
+ * raw file BYTES. We deliberately do NOT JSON.parse-then-re-stringify
+ * (that would diverge from the on-disk bytes run.sh hashes and be fragile
+ * to formatting). We additionally best-effort parse the bytes only to lift
+ * the manifest `schema` field into anchor metadata; a malformed manifest
+ * still hashes its bytes and records schema:null rather than aborting.
+ *
+ * @returns {object} { present, sha256, schema } -- present:false when the
+ *   file is absent (no fabricated hash).
+ */
+function hashManifest(manifestPath) {
+  if (!manifestPath || !fs.existsSync(manifestPath)) {
+    return { present: false, sha256: null, schema: null };
+  }
+  var buf = fs.readFileSync(manifestPath);
+  var sha = crypto.createHash('sha256').update(buf).digest('hex');
+  var schema = null;
+  try {
+    var parsed = JSON.parse(buf.toString('utf8'));
+    if (parsed && typeof parsed.schema === 'string') schema = parsed.schema;
+  } catch (_) { /* malformed manifest: hash bytes anyway, schema stays null */ }
+  return { present: true, sha256: sha, schema: schema };
+}
+
+/**
+ * Link the run manifest (loki-run.json, the build bill-of-materials) into
+ * the agent audit chain so the manifest becomes tamper-evident and
+ * verifiable against the evidence chain.
+ *
+ * The manifest already embeds sha256 hashes of the evidence files
+ * (test_results, coverage, ...) computed by run.sh. By recording the
+ * manifest's OWN byte-hash as an `audit_manifest_link` entry, the anchor
+ * is protected by the agent chain's hash linkage, and the evidence hashes
+ * inside the manifest become transitively tamper-evident (mutating the
+ * manifest to point at different evidence changes its byte-hash, which no
+ * longer matches the anchored hash; mutating the anchor breaks chain
+ * verification). We hash the manifest itself only -- we do NOT re-hash the
+ * evidence files here (run.sh already did, and the manifest pins them).
+ *
+ * HONEST behavior:
+ *   - Manifest absent  -> no-op, returns { linked:false, present:false }.
+ *     No fabricated link is recorded.
+ *   - Manifest present -> hash recorded as an anchor; returns
+ *     { linked:true, present:true, anchor, manifestSha256, ... }.
+ *
+ * Note: this records tamper-EVIDENCE (in-place edits are detected), not
+ * tamper-PROOF against a full downstream chain rewrite -- that is what
+ * writeWitness (external witness) is for.
+ *
+ * NOT auto-invoked from run.sh in this wave (integration is the run.sh
+ * owner's territory). Intended call site: after run.sh writes
+ * .loki/loki-run.json in build_completion_summary (autonomy/run.sh ~2895,
+ * just after os.replace(tmp, out)), call
+ *   node -e "require('./src/audit').linkManifest({projectDir:'<dir>'})"
+ * (or the JS API audit.linkManifest()) on every terminal path.
+ *
+ * @param {object} [opts]
+ * @param {string} [opts.projectDir]   project dir for the agent log + manifest
+ * @param {string} [opts.logDir]       explicit agent log dir (tests)
+ * @param {string} [opts.manifestPath] explicit manifest path (tests)
+ * @param {string} [opts.who]          actor recorded on the anchor
+ * @returns {object}
+ */
+function linkManifest(opts) {
+  opts = opts || {};
+  var manifestPath = defaultManifestPath(opts);
+  var h = hashManifest(manifestPath);
+  if (!h.present) {
+    return {
+      linked: false, present: false, manifestPath: manifestPath,
+      reason: 'run manifest absent (no-op)',
+    };
+  }
+  var log = new AuditLog(opts);
+  var anchor = log.record({
+    who: opts.who || 'audit-manifest-link',
+    what: MANIFEST_LINK_ACTION,
+    where: manifestPath,
+    why: 'link run manifest (bill-of-materials) into agent audit chain',
+    metadata: {
+      manifestPath: manifestPath,
+      manifestSha256: h.sha256,
+      manifestSchema: h.schema,
+    },
+  });
+  log.flush();
+  log.destroy();
+  return {
+    linked: true, present: true, manifestPath: manifestPath,
+    manifestSha256: h.sha256, manifestSchema: h.schema, anchor: anchor,
+  };
+}
+
+/**
+ * Verify the run-manifest link against the evidence chain.
+ *
+ * Composes TWO checks (mirroring verifyUnified rather than a bare disk-vs
+ * -recorded compare):
+ *   1. Agent chain integrity (AuditLog.verifyChain()). This catches an
+ *      edit to the ANCHOR entry itself (e.g. someone rewrites the recorded
+ *      manifestSha256), not just an edit to the manifest file.
+ *   2. Manifest reconciliation: re-hash the on-disk manifest and require
+ *      it to equal the hash recorded by the MOST RECENT manifest-link
+ *      anchor. A mutated manifest no longer matches -> tamper detected.
+ *
+ * HONEST empty cases (distinguishable from a real pass via `present`):
+ *   - No anchor recorded yet -> { present:false, valid:true, reason:... }.
+ *   - Anchor exists but the manifest file is now gone -> manifest.valid
+ *     is false (the pinned manifest is missing/cannot be reconciled).
+ *
+ * @param {object} [opts] projectDir / logDir / manifestPath as linkManifest.
+ * @returns {object} { valid, present, chain, manifest }
+ */
+function verifyManifestLink(opts) {
+  opts = opts || {};
+  var manifestPath = defaultManifestPath(opts);
+
+  var log = new AuditLog(opts);
+  var chain = log.verifyChain();
+  var entries = log.readEntries();
+  log.destroy();
+
+  var anchors = entries.filter(function (e) {
+    return e.what === MANIFEST_LINK_ACTION;
+  });
+
+  if (anchors.length === 0) {
+    return {
+      valid: !!chain.valid, present: false, chain: chain,
+      manifest: { present: false, valid: true, reason: 'no manifest-link anchor recorded' },
+    };
+  }
+
+  // Most recent anchor pins the current manifest state.
+  var anchor = anchors[anchors.length - 1];
+  var pinned = (anchor.metadata && anchor.metadata.manifestSha256) || null;
+
+  var current = hashManifest(manifestPath);
+  var manifest = {
+    present: true,
+    valid: true,
+    manifestPath: manifestPath,
+    pinnedSha256: pinned,
+    currentSha256: current.sha256,
+    anchorSeq: anchor.seq,
+    error: null,
+  };
+
+  if (!current.present) {
+    manifest.valid = false;
+    manifest.error = 'manifest pinned by anchor seq ' + anchor.seq +
+      ' is missing on disk';
+  } else if (current.sha256 !== pinned) {
+    manifest.valid = false;
+    manifest.error = 'manifest hash mismatch at anchor seq ' + anchor.seq +
+      ' (manifest tampered after linking)';
+  }
+
+  return {
+    valid: !!chain.valid && manifest.valid,
+    present: true,
+    chain: chain,
+    manifest: manifest,
+  };
+}
+
 module.exports = {
   crossLink: crossLink,
   verifyUnified: verifyUnified,
@@ -409,5 +590,10 @@ module.exports = {
   agentChainTip: agentChainTip,
   unifiedRoot: unifiedRoot,
   defaultDashboardAuditDir: defaultDashboardAuditDir,
+  linkManifest: linkManifest,
+  verifyManifestLink: verifyManifestLink,
+  hashManifest: hashManifest,
+  defaultManifestPath: defaultManifestPath,
   CROSSLINK_ACTION: CROSSLINK_ACTION,
+  MANIFEST_LINK_ACTION: MANIFEST_LINK_ACTION,
 };

package/src/audit/index.js

@@ -228,6 +228,27 @@ function writeWitness(opts) {
   return crosslink.writeWitness(Object.assign({ projectDir: _projectDir }, opts || {}));
 }
 
+/**
+ * Link the run manifest (loki-run.json bill-of-materials) into the agent
+ * audit chain so it becomes tamper-evident and verifiable against the
+ * evidence chain. No-op (honest) when the manifest is absent.
+ * See src/audit/crosslink.js (linkManifest).
+ */
+function linkManifest(opts) {
+  if (!_initialized) init();
+  return crosslink.linkManifest(Object.assign({ projectDir: _projectDir }, opts || {}));
+}
+
+/**
+ * Verify the run-manifest link: agent chain integrity AND the on-disk
+ * manifest still matching the hash pinned by the most recent
+ * manifest-link anchor. See src/audit/crosslink.js (verifyManifestLink).
+ */
+function verifyManifestLink(opts) {
+  if (!_initialized) init();
+  return crosslink.verifyManifestLink(Object.assign({ projectDir: _projectDir }, opts || {}));
+}
+
 /**
  * Destroy audit trail (for testing).
  */
@@ -255,6 +276,8 @@ module.exports = {
   crossLink: crossLink,
   verifyUnified: verifyUnified,
   writeWitness: writeWitness,
+  linkManifest: linkManifest,
+  verifyManifestLink: verifyManifestLink,
 };
 
 // CLI entry point: `node src/audit/index.js report <type> <projectDir>`.