loki-mode 7.58.1 → 7.60.0

package/README.md

@@ -106,7 +106,7 @@ loki quick "build a landing page with a signup form"
 | **Bun (recommended)** | `bun install -g loki-mode` | Fastest startup for CLI commands. |
 | **Homebrew** | `brew tap asklokesh/tap && brew install loki-mode` | Auto-installs Bun as a dep |
 | **Docker (easiest)** | `loki docker start prd.md` | Host wrapper: runs loki in the published image with zero config. Bind-mounts the current folder so `.loki` state, resume, and continuity work exactly like local. Auto-detects auth (`ANTHROPIC_API_KEY`, else your host Claude Code login). Needs loki + Docker on the host. See DOCKER_README.md |
-| **Docker (raw)** | `docker pull asklokesh/loki-mode:7.50.0 && docker run --rm -e ANTHROPIC_API_KEY="$ANTHROPIC_API_KEY" asklokesh/loki-mode:7.50.0 start prd.md` | Bun + Claude CLI pre-installed; needs an API key, or use docker compose with a .env file, see DOCKER_README.md |
+| **Docker (raw)** | `docker pull asklokesh/loki-mode:7.58.1 && docker run --rm -e ANTHROPIC_API_KEY="$ANTHROPIC_API_KEY" asklokesh/loki-mode:7.58.1 start prd.md` | Bun + Claude CLI pre-installed; needs an API key, or use docker compose with a .env file, see DOCKER_README.md |
 | **npm (compat)** | `npm install -g loki-mode` | Works without Bun (bash fallback). Migrate any time with `loki self-update --to bun`. |
 
 **Upgrading:**
@@ -166,7 +166,7 @@ The next major release sunsets the Bash runtime entirely. There is no firm calen
 | Method | Command |
 |--------|---------|
 | **Homebrew** | `brew tap asklokesh/tap && brew install loki-mode` |
-| **Docker** | `docker pull asklokesh/loki-mode:7.50.0` |
+| **Docker** | `docker pull asklokesh/loki-mode:7.58.1` |
 | **Inside Claude Code** | `claude --dangerously-skip-permissions` then type "Loki Mode" |
 | **Git clone** | `git clone https://github.com/asklokesh/loki-mode.git` |
 
@@ -481,8 +481,8 @@ See [benchmarks/](benchmarks/) for methodology.
 
 ```bash
 git clone https://github.com/asklokesh/loki-mode.git && cd loki-mode
-npm install && npm test              # 683 tests
-python3 -m pytest                    # 631 tests
+npm install && npm test              # CLI + Node test suites
+python3 -m pytest                    # Python test suite
 ```
 
 See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.

package/SKILL.md

@@ -3,7 +3,7 @@ name: loki-mode
 description: Autonomous spec-driven build system with a built-in trust layer. It does not call work done until it is verified (RARV-C closure loop, 8 quality gates, completion council, verified-completion evidence gate). Triggers on "Loki Mode". Takes a spec (PRD, GitHub issue, OpenAPI doc, etc.) to deployed product with minimal human intervention. Provider-agnostic. Requires --dangerously-skip-permissions flag.
 ---
 
-# Loki Mode v7.58.1
+# Loki Mode v7.60.0
 
 **You are an autonomous agent. You make decisions. You do not ask questions. You do not stop.**
 
@@ -406,4 +406,4 @@ See `CHANGELOG.md` entries [7.5.7], [7.5.8], [7.5.13] for the per-fix list and r
 
 ---
 
-**v7.58.1 | [Autonomi](https://www.autonomi.dev/) flagship product | ~260 lines core**
+**v7.60.0 | [Autonomi](https://www.autonomi.dev/) flagship product | ~260 lines core**

package/VERSION

@@ -1 +1 @@
-7.58.1
+7.60.0

package/autonomy/app-runner.sh

@@ -312,6 +312,26 @@ _app_runner_reconcile_port() {
         iter=$(( iter + 1 ))
     done
 
+    # No serving keyword line in the log: the app may sit behind a reverse proxy
+    # or bind quietly on a port we did not choose. Probe app-scoped candidate
+    # ports for a real listener and surface only a port that ACTUALLY responds
+    # (never fabricate a URL for a dead port). Conservative: app-scoped candidates
+    # only, no blind well-known-port scan. See _probe_app_url.
+    if [ -z "$real_port" ]; then
+        local probed
+        probed=$(_probe_app_url "$_APP_RUNNER_PORT")
+        if [ -n "$probed" ]; then
+            local probed_port="${probed##*:}"
+            if [ "$probed_port" != "$_APP_RUNNER_PORT" ]; then
+                log_info "App Runner: surfaced live port $probed_port via probe (reverse-proxy/quiet-bind); recorded was $_APP_RUNNER_PORT"
+                _APP_RUNNER_PORT="$probed_port"
+                _APP_RUNNER_URL="$probed"
+                _rewrite_detection_port
+            fi
+        fi
+        return 0
+    fi
+
     [ -n "$real_port" ] || return 0
     if [ "$real_port" != "$_APP_RUNNER_PORT" ]; then
         # Liveness guard: only overwrite the recorded port when the reconciled
@@ -489,6 +509,64 @@ sys.exit(0)
 ' 2>/dev/null || return 0
 }
 
+# Detect a Next.js standalone build (next.config output: 'standalone'). A
+# standalone build emits a self-contained `.next/standalone/server.js` that is
+# launched with `node server.js` (NOT `next start`) and listens on PORT (default
+# 3000). The presence of `.next/standalone/server.js` is a specific, safe signal:
+# a normal `.next/` build does NOT create that path, so this never false-positives
+# on an ordinary Next.js project. Echoes the run method (relative to TARGET_DIR,
+# which the launcher cd's into) on success, nothing otherwise. The run method is
+# `node .next/standalone/server.js`; modern Next standalone resolves its asset
+# paths from the server.js __dirname, not cwd, so a TARGET_DIR-relative launch is
+# correct without an extra chdir. The `output: 'standalone'` next.config grep is
+# a weaker secondary signal (the build may not have run yet); the built artifact
+# path is authoritative, which is why we key on the file existing.
+_detect_nextjs_standalone() {
+    local dir="${1:-${TARGET_DIR:-.}}"
+    if [ -f "$dir/.next/standalone/server.js" ]; then
+        printf 'node .next/standalone/server.js\n'
+        return 0
+    fi
+    return 0
+}
+
+# Probe app-scoped candidate ports for a live HTTP listener and echo the first
+# port that actually responds, nothing if none do. This handles the case where
+# the app sits behind a reverse proxy or otherwise binds a port we did not
+# choose: rather than fabricate a URL for a port nothing is listening on, we
+# verify liveness with a real HTTP probe before surfacing anything.
+#
+# Conservatism, in order of importance:
+#   - Candidates are APP-SCOPED only (PORT env, the recorded port, and the
+#     framework default passed by the caller). We deliberately do NOT blind-scan
+#     well-known ports like 80/443/8080, because some unrelated local service
+#     answering there is its own form of fabrication.
+#   - Liveness uses the same contract as _app_runner_reconcile_port (curl -s
+#     -o /dev/null -m 2, no -f): any HTTP response (incl. 404/401/500) proves a
+#     server is bound; a connection error (dead/unbound port) is a non-zero exit.
+#   - curl-less hosts cannot verify, so we surface NOTHING (we never guess a URL
+#     we could not probe). This is the conservative direction for this helper:
+#     its whole job is "probe before surfacing", so no curl == no claim.
+# Args: $1 = framework default port (may be empty). Reads $LOKI_APP_PORT and
+# $_APP_RUNNER_PORT from the environment as additional candidates.
+_probe_app_url() {
+    local default_port="$1"
+    command -v curl >/dev/null 2>&1 || return 0
+    local cand seen=" "
+    for cand in "${LOKI_APP_PORT:-}" "${_APP_RUNNER_PORT:-}" "$default_port"; do
+        [ -n "$cand" ] || continue
+        [[ "$cand" =~ ^[0-9]+$ ]] || continue
+        [ "$cand" -ge 1 ] 2>/dev/null && [ "$cand" -le 65535 ] 2>/dev/null || continue
+        case "$seen" in *" $cand "*) continue ;; esac
+        seen="$seen$cand "
+        if curl -s -o /dev/null -m 2 "http://localhost:${cand}/" 2>/dev/null; then
+            printf 'http://localhost:%s\n' "$cand"
+            return 0
+        fi
+    done
+    return 0
+}
+
 # Detect port from project files
 _detect_port() {
     local method="$1"
@@ -644,6 +722,20 @@ app_runner_init() {
     # 3-4. package.json (dev or start)
     if [ -f "$dir/package.json" ]; then
         _install_node_deps "$dir"
+        # 3a. Next.js standalone build (output: 'standalone'). The built artifact
+        #     `.next/standalone/server.js` is a stronger signal than the dev/start
+        #     scripts: when present, the app is launched with `node server.js`
+        #     (listens on PORT, default 3000) rather than `next dev`/`next start`.
+        local njs_method
+        njs_method=$(_detect_nextjs_standalone "$dir")
+        if [ -n "$njs_method" ]; then
+            _APP_RUNNER_METHOD="$njs_method"
+            _detect_port "npm"
+            _write_detection "nextjs-standalone" "$_APP_RUNNER_METHOD"
+            log_info "App Runner: detected Next.js standalone server"
+            _APP_RUNNER_URL="http://localhost:${_APP_RUNNER_PORT}"
+            return 0
+        fi
         if grep -q '"dev"' "$dir/package.json" 2>/dev/null; then
             _APP_RUNNER_METHOD="npm run dev"
             _detect_port "$_APP_RUNNER_METHOD"

package/autonomy/completion-council.sh

@@ -566,8 +566,14 @@ print(str(rc) + ' ' + json.dumps(new_state))
 #     conservative outcome (REJECT / re-iterate).
 _council_parse_vote() {
     local raw="$1"
-    # markdown/whitespace/quote class allowed around the keyword and colon
-    local _pat='[*_> [:space:]]*VOTE[*_ [:space:]]*:[*_> [:space:]]*(APPROVE|REJECT|CANNOT_VALIDATE)([^A-Za-z0-9_]|$)'
+    # markdown/whitespace/quote class allowed around the keyword and colon.
+    # The leading (^|[^A-Za-z0-9_]) anchor is a LEFT word boundary on VOTE so a
+    # VOTE-suffixed token ("REVOTE: APPROVE", "PROVOTE: REJECT") is NOT parsed as
+    # a canonical vote (it previously matched because the keyword had no left
+    # boundary). Mirrors the existing right boundary; "\b" stays avoided for
+    # BSD/GNU grep parity. The second grep below isolates the verdict word, so the
+    # extra captured boundary char is harmless.
+    local _pat='(^|[^A-Za-z0-9_])[*_> [:space:]]*VOTE[*_ [:space:]]*:[*_> [:space:]]*(APPROVE|REJECT|CANNOT_VALIDATE)([^A-Za-z0-9_]|$)'
     printf '%s' "$raw" \
         | grep -oE "$_pat" \
         | grep -oE "APPROVE|REJECT|CANNOT_VALIDATE" \
@@ -739,8 +745,20 @@ print('true' if ratio > budget else 'false')
         else
             log_warn "Anti-sycophancy: Devil's advocate did not confirm unanimous approval (verdict: ${contrarian_vote:-unparseable})"
             log_warn "Overriding to require one more iteration for verification"
-            approve_count=$((approve_count - 1))
-            reject_count=$((reject_count + 1))
+            # The veto MUST drive the verdict below the completion threshold, not
+            # merely decrement by one. A bare `-1` left approve_count at
+            # COUNCIL_SIZE-1, which for any council of size >= 3 is still
+            # >= effective_threshold (ceil(2/3*SIZE)), so the override returned
+            # DONE anyway and the anti-sycophancy check was a silent no-op
+            # (it only happened to work for the size-2 council). Force
+            # approve_count to threshold-1 so the decision at the bottom of this
+            # function returns CONTINUE, and keep approve+reject == COUNCIL_SIZE
+            # so the cumulative state.json sums and transcript stay consistent.
+            # This is the same forced-CONTINUE outcome the parallel
+            # council_evaluate() path already delivers on a DA veto (return 1).
+            approve_count=$((effective_threshold - 1))
+            [ "$approve_count" -lt 0 ] && approve_count=0
+            reject_count=$((COUNCIL_SIZE - approve_count))
             _da_flipped="true"
         fi
     fi

package/autonomy/hooks/migration-hooks.sh

@@ -137,6 +137,35 @@ is_no_test_cmd() {
     [[ "${1:-}" == "__LOKI_NO_TEST_CMD__" ]]
 }
 
+# Resolve the directory used to store pre-edit snapshots for the migration
+# (non-healing) hooks. Prefers LOKI_MIGRATION_DIR; falls back to a per-codebase
+# .loki/migration dir so the snapshot/revert pair works even when no migration
+# dir was exported. Echoes the resolved directory.
+_migration_snapshot_dir() {
+    local codebase_path="${LOKI_CODEBASE_PATH:-.}"
+    local migration_dir="${LOKI_MIGRATION_DIR:-}"
+    if [[ -n "$migration_dir" ]]; then
+        printf '%s' "$migration_dir"
+    else
+        printf '%s' "${codebase_path}/.loki/migration"
+    fi
+}
+
+# Hook: pre_file_edit - runs BEFORE ANY agent modifies a source file.
+# Captures a pre-edit snapshot so post_file_edit can revert ONLY the edit on
+# test failure (instead of a blanket `git checkout` that nukes unrelated
+# uncommitted changes and silently no-ops for untracked files). Mirrors the
+# pairing contract of hook_pre_healing_modify / hook_post_healing_modify.
+hook_pre_file_edit() {
+    local file_path="${1:-}"
+    [[ "${HOOK_POST_FILE_EDIT_ENABLED:-true}" != "true" ]] && return 0
+    [[ -z "$file_path" ]] && return 0
+    local snap_base
+    snap_base=$(_migration_snapshot_dir)
+    _heal_snapshot_save "$snap_base" "$file_path"
+    return 0
+}
+
 # Hook: post_file_edit - runs after ANY agent modifies a source file
 hook_post_file_edit() {
     local file_path="${1:-}"
@@ -165,9 +194,15 @@ hook_post_file_edit() {
 
         case "${HOOK_POST_FILE_EDIT_ON_FAILURE}" in
             block_and_rollback)
-                # Revert the file change
-                git -C "$codebase_path" checkout -- "$file_path" 2>/dev/null || true
-                echo "HOOK_BLOCKED: Tests failed after editing ${file_path}. Change reverted."
+                # Revert ONLY the edit using the pre-edit snapshot captured by
+                # hook_pre_file_edit. Do NOT use `git checkout -- "$file_path"`:
+                # that discards ALL uncommitted changes to the file (not just
+                # this edit) and silently no-ops for an untracked file while
+                # still claiming the change was reverted. Report what happened.
+                local snap_base revert_msg
+                snap_base=$(_migration_snapshot_dir)
+                revert_msg=$(_heal_snapshot_restore "$snap_base" "$file_path") || true
+                echo "HOOK_BLOCKED: Tests failed after editing ${file_path}. ${revert_msg}"
                 echo "Test output: ${test_output}"
                 return 1
                 ;;
@@ -433,7 +468,7 @@ _heal_snapshot_restore() {
         # Pre-edit content snapshot exists: restore exactly that content, which
         # preserves any unrelated uncommitted changes present before the edit.
         if cp "$snap" "$file_path" 2>/dev/null; then
-            echo "Healing edit reverted to pre-edit snapshot."
+            echo "Edit reverted to pre-edit snapshot."
             return 0
         fi
         echo "Could not restore pre-edit snapshot for ${file_path}; file left as-is."
@@ -441,17 +476,17 @@ _heal_snapshot_restore() {
     fi
 
     if [[ -f "$snap.absent" ]]; then
-        # File did not exist pre-edit: the healing edit created it. Remove only
-        # that file, not unrelated state.
+        # File did not exist pre-edit: the edit created it. Remove only that
+        # file, not unrelated state.
         if [[ ! -e "$file_path" ]]; then
-            echo "Healing-added file ${file_path} no longer present; nothing to remove."
+            echo "Added file ${file_path} no longer present; nothing to remove."
             return 0
         fi
         if rm -f "$file_path" 2>/dev/null; then
-            echo "Healing-added file ${file_path} removed."
+            echo "Added file ${file_path} removed."
             return 0
         fi
-        echo "Could not remove healing-added file ${file_path}; file left as-is."
+        echo "Could not remove added file ${file_path}; file left as-is."
         return 1
     fi
 

package/autonomy/lib/proof_redact.py

@@ -79,6 +79,33 @@ _PATTERNS = [
 # Bearer tokens: keep the scheme, redact the credential.
 _BEARER = re.compile(r"(Bearer\s+)[A-Za-z0-9._~+/=-]{20,}")
 
+# HTTP auth/cookie HEADER lines: redact the credential VALUE for the whole line.
+# This owns the header-line form of Authorization (any scheme: Basic, Bearer,
+# Digest, raw token) plus Cookie / Set-Cookie, which the keyword-based
+# _ENV_ASSIGN rule does not cover (Authorization is excluded there via the
+# AUTH(?!ORIZATION) lookahead, and Cookie/session are not secret keywords).
+#
+# Anchored with (?im):
+#   - re.IGNORECASE so "authorization"/"Authorization"/"COOKIE" all match.
+#   - re.MULTILINE so an interior header line inside a multi-line blob (crash
+#     reports, stack traces, env dumps) matches, not just offset 0. "." does
+#     not cross newlines, so the value run stops at end-of-line and adjacent
+#     normal lines are left untouched.
+#
+# Group layout:
+#   1 -> line prefix up through the "header:" separator (leading whitespace +
+#        header name + colon + following whitespace), preserved verbatim.
+#   2 -> optional auth scheme word (Basic/Bearer/Digest/Negotiate/NTLM) plus
+#        its trailing space, preserved so "Authorization: Basic [REDACTED]"
+#        keeps the scheme. Empty for Cookie / raw-token forms.
+# Everything after that (the credential) is replaced with [REDACTED].
+_AUTH_HEADER = re.compile(
+    r"(?im)"
+    r"^([ \t]*(?:authorization|cookie|set-cookie)[ \t]*:[ \t]*)"   # 1: header prefix
+    r"((?:Basic|Bearer|Digest|Negotiate|NTLM)[ \t]+)?"             # 2: optional scheme
+    r"\S.*$"                                                        # the credential value
+)
+
 # PEM PRIVATE KEY blocks (any -----BEGIN ... PRIVATE KEY----- ... END block).
 # DOTALL so the body spanning newlines is matched and dropped whole.
 _PEM = re.compile(
@@ -131,6 +158,14 @@ _ENV_ASSIGN = re.compile(
 )
 
 
+def _auth_header_sub(m):
+    """Redact an HTTP auth/cookie header VALUE, keeping the header name and
+    (when present) the auth scheme word. Group 1 is the "header:" prefix, group
+    2 is the optional scheme (with trailing space) or None."""
+    prefix, scheme = m.group(1), m.group(2)
+    return prefix + (scheme or "") + "[REDACTED]"
+
+
 def _env_assign_sub(m):
     """Redact a secret assignment value, preserving key, separator and quotes.
 
@@ -231,6 +266,12 @@ def _redact_value(s):
     )
     total += n
 
+    # HTTP auth/cookie header lines: redact the whole credential value before
+    # token-level rules run, so a token inside the header value is not matched
+    # (and double-counted) separately. Keeps the header name + scheme word.
+    s, n = _AUTH_HEADER.subn(_auth_header_sub, s)
+    total += n
+
     # Token patterns (ordered most-specific-first).
     for pat, repl in _PATTERNS:
         s, n = pat.subn(repl, s)

package/autonomy/loki

@@ -2889,12 +2889,26 @@ cmd_status() {
     # Check orchestrator state
     if [ -f "$LOKI_DIR/state/orchestrator.json" ]; then
         echo -e "${CYAN}Orchestrator State:${NC}"
-        jq -r '.currentPhase // "unknown"' "$LOKI_DIR/state/orchestrator.json" 2>/dev/null || echo "unknown"
+        local orch_phase
+        # An empty orchestrator.json makes jq exit 0 with no output, so the
+        # `|| echo unknown` fallback never fires and the phase line is blank.
+        # Capture and normalize an empty result to "unknown".
+        orch_phase=$(jq -r '.currentPhase // "unknown"' "$LOKI_DIR/state/orchestrator.json" 2>/dev/null || echo "unknown")
+        [ -n "$orch_phase" ] || orch_phase="unknown"
+        echo "$orch_phase"
     fi
 
     # Check pending tasks
     if [ -f "$LOKI_DIR/queue/pending.json" ]; then
-        local task_count=$(jq 'if type == "array" then length elif .tasks then .tasks | length else 0 end' "$LOKI_DIR/queue/pending.json" 2>/dev/null || echo "0")
+        local task_count
+        task_count=$(jq 'if type == "array" then length elif .tasks then .tasks | length else 0 end' "$LOKI_DIR/queue/pending.json" 2>/dev/null || echo "0")
+        # An empty or whitespace-only pending.json makes jq exit 0 while
+        # printing nothing, so the `|| echo 0` fallback never fires and the
+        # status line renders a blank count. Normalize any non-numeric result
+        # (empty string, null, parse noise) back to 0.
+        case "$task_count" in
+            ''|*[!0-9]*) task_count=0 ;;
+        esac
         echo -e "${CYAN}Pending Tasks:${NC} $task_count"
     fi
 
@@ -16502,6 +16516,9 @@ with open(p, 'w') as f:
             if [ -f "$LOKI_DIR/queue/failed.json" ]; then
                 local count
                 count=$(jq 'length' "$LOKI_DIR/queue/failed.json" 2>/dev/null || echo "?")
+                # An empty failed.json makes jq exit 0 with no output, so the
+                # `|| echo "?"` fallback never fires; normalize the blank result.
+                [ -n "$count" ] || count="?"
                 rm -f "$LOKI_DIR/queue/failed.json"
                 echo "[]" > "$LOKI_DIR/queue/failed.json"
                 echo -e "${GREEN}Cleared $count failed tasks${NC}"
@@ -16859,7 +16876,11 @@ PYEOF
         export)
             local output="${2:-learnings-export.json}"
 
-            LOKI_LEARNINGS_DIR="$learnings_dir" python3 -c "
+            # BUG-PU-010: pass the output filename via an environment variable
+            # rather than interpolating $output into the python -c source, so a
+            # filename containing quotes/backslashes/newlines cannot break out of
+            # the string literal or inject python.
+            LOKI_LEARNINGS_DIR="$learnings_dir" LOKI_LEARNINGS_OUT="$output" python3 -c "
 import json
 import os
 
@@ -16877,9 +16898,10 @@ for category in ['patterns', 'mistakes', 'successes']:
                         result[category].append(e)
                 except: pass
 
-with open('$output', 'w') as f:
+_out = os.environ['LOKI_LEARNINGS_OUT']
+with open(_out, 'w') as f:
     json.dump(result, f, indent=2)
-print(f'Exported to $output')
+print(f'Exported to {_out}')
 " 2>/dev/null
             ;;
 
@@ -25227,8 +25249,14 @@ generate_component(
 
     # 4. Register in registry
     log_info "Registering component"
+    # BUG-PU-010: pass free-text description/tags via environment variables and
+    # read them with os.environ in the python body, instead of interpolating raw
+    # user input into the python -c source (a value containing triple-quotes,
+    # backslashes, newlines, or $(...) would crash the script or inject code).
+    # Mirrors the LOKI_MEM_QUERY pattern in the memory-search path.
+    LOKI_MAGIC_DESC="$description" LOKI_MAGIC_TAGS="$tags" \
     PYTHONPATH="$(_magic_pypath)" "$py" -c "
-import sys
+import os, sys
 try:
     from magic.core.registry import register_component
 except Exception as exc:
@@ -25242,8 +25270,8 @@ register_component(
     react_path='.loki/magic/generated/react/${name}.tsx' if '$target' in ('react','both') else '',
     webcomponent_path='.loki/magic/generated/webcomponent/${name}.js' if '$target' in ('webcomponent','both') else '',
     test_path='.loki/magic/generated/tests/${name}.test.tsx',
-    description='''$description'''.strip(),
-    tags=[t.strip() for t in '''$tags'''.split(',') if t.strip()],
+    description=os.environ.get('LOKI_MAGIC_DESC', '').strip(),
+    tags=[t.strip() for t in os.environ.get('LOKI_MAGIC_TAGS', '').split(',') if t.strip()],
     placement='${placement}' or None,
 )
 " || {
@@ -25288,13 +25316,22 @@ _magic_update() {
         esac
     done
 
+    # BUG-PU-010: validate --name (defense in depth, mirroring _magic_generate)
+    # so a malicious value cannot reach the python body, AND pass it via an
+    # environment variable instead of interpolating it into the python -c source.
+    if [ -n "$name" ] && ! _magic_valid_name "$name"; then
+        log_error "Invalid component name: '$name' (must start with a letter, contain only letters, digits, _ or -)"
+        return 1
+    fi
+
     _magic_ensure_dirs
     local py
     py=$(_magic_python)
 
     log_info "Updating components from specs (name=${name:-<all>}, force=$force)"
+    LOKI_MAGIC_NAME="$name" \
     PYTHONPATH="$(_magic_pypath)" "$py" -c "
-import sys
+import os, sys
 try:
     from magic.core.generator import update_components
 except Exception as exc:
@@ -25302,7 +25339,7 @@ except Exception as exc:
     sys.exit(2)
 update_components(
     registry_path='.loki/magic/registry.json',
-    name='${name}' or None,
+    name=os.environ.get('LOKI_MAGIC_NAME', '') or None,
     force=$([ "$force" = "true" ] && echo True || echo False),
 )
 " || {

package/autonomy/run.sh

@@ -13718,6 +13718,100 @@ _loki_sentrux_iteration_end() {
     return 0
 }
 
+# show_run_start_estimate <prd_path>
+#
+# C4 (v7.x): before any real spend, the user must SEE (a) the budget-guard
+# state and (b) a cost/time estimate -- honestly, with no fabricated dollar
+# figures. This is the run.sh-side complement to the loki CLI's auto-plan:
+#
+#   - Budget guard: the hard cap is enforced by check_budget_limit (which
+#     touches .loki/PAUSE at the cap). This helper only DISPLAYS the state;
+#     it never sets a default BUDGET_LIMIT (doing so would change pause
+#     behavior for every user). If BUDGET_LIMIT is set we show the cap and
+#     the pause-at-cap promise; if not, we state plainly that no cap is set
+#     and how to set one. Always shown -- the guard disclosure is universal.
+#
+#   - Estimate: `loki start` on a TTY already prints the estimate via
+#     maybe_show_auto_plan -> show_prd_plan. The genuine gap is the non-TTY
+#     route (Docker, dashboard, piped invocation): there the CLI skips the
+#     plan, so we fill it here. We gate on stdout NOT being a TTY because
+#     run.sh has no signal that `loki start` already showed the plan (no env
+#     marker exists and `loki` is out of scope to edit), and the non-TTY test
+#     is the only one that is both reliable and free of duplication.
+#     KNOWN LIMITATION: a direct `./autonomy/run.sh <prd>` run in a terminal
+#     (TTY, not launched via `loki start`) skips the estimate here AND was
+#     never shown one by the CLI. The budget-guard disclosure above is still
+#     always shown; only the cost/time estimate is missing on that one
+#     power-user path. Closing it cleanly needs a "plan already shown" marker
+#     set in the loki CLI, which is owned elsewhere.
+#     The estimate is best-effort: it shells out to the loki binary with a
+#     hard timeout, parses only real numbers, and prints an honest
+#     "estimate unavailable" line on any failure. It NEVER fails the run and
+#     NEVER fabricates a figure.
+show_run_start_estimate() {
+    local prd_path="$1"
+
+    # --- Budget-guard disclosure (always) ---
+    if [ -n "$BUDGET_LIMIT" ]; then
+        log_info "Budget guard: hard cap \$$BUDGET_LIMIT (run pauses via .loki/PAUSE at the cap; warning at 80%)."
+    else
+        log_info "Budget guard: no cap set (no automatic spend stop). Set LOKI_BUDGET_LIMIT=<usd> to pause at a cap."
+    fi
+
+    # --- Estimate (non-TTY gap only; the loki CLI shows it on a TTY) ---
+    if [ -t 1 ]; then
+        return 0
+    fi
+    # No PRD on disk (codebase-analysis mode) -> nothing to estimate from.
+    [ -n "$prd_path" ] && [ -f "$prd_path" ] || return 0
+
+    local loki_bin="${SCRIPT_DIR}/loki"
+    [ -x "$loki_bin" ] || { command -v loki >/dev/null 2>&1 && loki_bin="loki" || return 0; }
+
+    local plan_json=""
+    plan_json=$(timeout 30 "$loki_bin" plan "$prd_path" --json 2>/dev/null) || plan_json=""
+    [ -n "$plan_json" ] || { log_info "Estimate: unavailable (estimator did not return a result); the run continues."; return 0; }
+
+    # Parse REAL numbers only. argv keeps the JSON out of the script body so
+    # there is no $<digit> heredoc footgun, and a missing field prints nothing.
+    local parsed
+    parsed=$(printf '%s' "$plan_json" | python3 -c '
+import json, sys
+try:
+    d = json.load(sys.stdin)
+except Exception:
+    sys.exit(1)
+cost = d.get("cost", {}).get("total_usd")
+time_est = d.get("time", {}).get("estimated")
+iters = d.get("iterations", {}).get("estimated")
+tier = d.get("complexity", {}).get("tier", "")
+if cost is None or time_est is None or iters is None:
+    sys.exit(1)
+print("{:.2f}".format(float(cost)))
+print(time_est)
+print(iters)
+print(tier)
+' 2>/dev/null) || parsed=""
+
+    if [ -z "$parsed" ]; then
+        log_info "Estimate: unavailable (estimator did not return a result); the run continues."
+        return 0
+    fi
+
+    local est_cost est_time est_iters est_tier
+    est_cost=$(printf '%s' "$parsed" | sed -n '1p')
+    est_time=$(printf '%s' "$parsed" | sed -n '2p')
+    est_iters=$(printf '%s' "$parsed" | sed -n '3p')
+    est_tier=$(printf '%s' "$parsed" | sed -n '4p')
+
+    if [ -n "$est_tier" ]; then
+        log_info "Estimate (${est_tier} tier): ~\$${est_cost}, ~${est_time}, ~${est_iters} iterations. Actual usage varies with complexity, review cycles, and test failures."
+    else
+        log_info "Estimate: ~\$${est_cost}, ~${est_time}, ~${est_iters} iterations. Actual usage varies with complexity, review cycles, and test failures."
+    fi
+    return 0
+}
+
 run_autonomous() {
     local prd_path="$1"
 
@@ -13819,9 +13913,10 @@ except Exception:
     log_info "Base wait: ${BASE_WAIT}s"
     log_info "Max wait: ${MAX_WAIT}s"
     log_info "Autonomy mode: $AUTONOMY_MODE"
-    if [ -n "$BUDGET_LIMIT" ]; then
-        log_info "Budget limit: \$$BUDGET_LIMIT"
-    fi
+    # C4: always surface the budget-guard state (and, on the non-TTY route, a
+    # cost/time estimate) BEFORE any real spend. This subsumes the old bare
+    # "Budget limit" line so there is exactly one honest disclosure.
+    show_run_start_estimate "$prd_path"
     # Only show Claude-specific features for Claude provider
     if [ "${PROVIDER_NAME:-claude}" = "claude" ]; then
         log_info "Prompt repetition (Haiku): $PROMPT_REPETITION"

package/dashboard/__init__.py

@@ -7,7 +7,7 @@ Modules:
     control: Session control API (start/stop/pause/resume)
 """
 
-__version__ = "7.58.1"
+__version__ = "7.60.0"
 
 # Expose the control app for easy import
 try:

package/dashboard/api_v2.py

@@ -251,6 +251,25 @@ def resolve_tenant_context(
     )
 
 
+def _require_global_admin(tenant_ctx: TenantContext) -> None:
+    """Gate a tenant-lifecycle operation behind global-admin authority.
+
+    Creating, updating, or deleting a tenant is a global-admin-only operation:
+    it manages the isolation boundaries themselves, so a tenant-scoped caller
+    (even one holding the `control` scope, which does NOT imply `admin`) must
+    not perform it. A global admin is allowed. When auth is disabled there is
+    no caller identity to isolate -- single-user local mode -- so the operation
+    is permitted, mirroring TenantContext.enforce so legitimate single-tenant
+    and local flows are not broken.
+    """
+    if tenant_ctx.is_global_admin or not tenant_ctx.auth_enabled:
+        return
+    raise HTTPException(
+        status_code=403,
+        detail="Tenant lifecycle operations require global admin",
+    )
+
+
 async def _enforce_project_tenant(
     db: AsyncSession, tenant_ctx: TenantContext, project_id: int
 ) -> None:
@@ -306,8 +325,10 @@ async def create_tenant(
     db: AsyncSession = Depends(get_db),
     _auth: None = Depends(auth.require_scope("control")),
     token_info: Optional[dict] = Depends(auth.get_current_token),
+    tenant_ctx: TenantContext = Depends(resolve_tenant_context),
 ):
-    """Create a new tenant."""
+    """Create a new tenant (global-admin only)."""
+    _require_global_admin(tenant_ctx)
     tenant = await tenants_mod.create_tenant(
         db, name=body.name, description=body.description, settings=body.settings,
     )
@@ -366,8 +387,8 @@ async def update_tenant(
     token_info: Optional[dict] = Depends(auth.get_current_token),
     tenant_ctx: TenantContext = Depends(resolve_tenant_context),
 ):
-    """Update an existing tenant."""
-    tenant_ctx.enforce(tenant_id)
+    """Update an existing tenant (global-admin only)."""
+    _require_global_admin(tenant_ctx)
     tenant = await tenants_mod.update_tenant(
         db, tenant_id,
         name=body.name, description=body.description, settings=body.settings,
@@ -392,8 +413,8 @@ async def delete_tenant(
     token_info: Optional[dict] = Depends(auth.get_current_token),
     tenant_ctx: TenantContext = Depends(resolve_tenant_context),
 ):
-    """Delete a tenant."""
-    tenant_ctx.enforce(tenant_id)
+    """Delete a tenant (global-admin only)."""
+    _require_global_admin(tenant_ctx)
     deleted = await tenants_mod.delete_tenant(db, tenant_id)
     if not deleted:
         raise HTTPException(status_code=404, detail="Tenant not found")

package/dashboard/control.py

@@ -21,11 +21,41 @@ from datetime import datetime, timezone
 from pathlib import Path
 from typing import Optional
 
-from fastapi import FastAPI, HTTPException
+from fastapi import Depends, FastAPI, HTTPException
 from fastapi.middleware.cors import CORSMiddleware
 from fastapi.responses import StreamingResponse
 from pydantic import BaseModel
 
+# Auth gating for the standalone control app.
+#
+# This module also defines a self-contained FastAPI `app` whose own docstring
+# invites operators to expose it via `uvicorn dashboard.control:app`. When that
+# happens the state-mutating endpoints (start/stop/pause/resume) MUST honor the
+# same scope checks as the primary dashboard (dashboard/server.py), otherwise a
+# user who follows the docstring stands up an unauthenticated control plane that
+# can launch arbitrary builds and kill running sessions even when
+# LOKI_ENTERPRISE_AUTH / OIDC are configured.
+#
+# auth.require_scope is a no-op (allows access) when no auth method is enabled,
+# so this import is safe for the default anonymous-localhost workflow and only
+# enforces when the operator has explicitly turned auth on. The import is
+# defensive: if the package context is unavailable (e.g. the file is run from a
+# path where the relative import fails) we fall back to a gate that always
+# allows, preserving the prior behavior rather than crashing import.
+try:
+    from . import auth as _auth
+
+    def _require_control_scope():
+        return Depends(_auth.require_scope("control"))
+except Exception:  # pragma: no cover - defensive fallback for non-package runs
+    def _require_control_scope():
+        async def _noop() -> bool:
+            return True
+
+        return Depends(_noop)
+
+_CONTROL_DEP = _require_control_scope()
+
 # Configuration
 LOKI_DIR = Path(os.environ.get("LOKI_DIR", ".loki"))
 STATE_DIR = LOKI_DIR / "state"
@@ -363,7 +393,7 @@ async def get_session_status():
     return get_status()
 
 
-@app.post("/api/control/start", response_model=ControlResponse)
+@app.post("/api/control/start", response_model=ControlResponse, dependencies=[_CONTROL_DEP])
 async def start_session(request: StartRequest):
     """
     Start a Loki Mode session.
@@ -435,7 +465,7 @@ async def start_session(request: StartRequest):
         raise HTTPException(status_code=500, detail=str(e))
 
 
-@app.post("/api/control/stop", response_model=ControlResponse)
+@app.post("/api/control/stop", response_model=ControlResponse, dependencies=[_CONTROL_DEP])
 async def stop_session():
     """
     Stop the current Loki Mode session.
@@ -484,7 +514,7 @@ async def stop_session():
     )
 
 
-@app.post("/api/control/pause", response_model=ControlResponse)
+@app.post("/api/control/pause", response_model=ControlResponse, dependencies=[_CONTROL_DEP])
 async def pause_session():
     """
     Pause the current Loki Mode session.
@@ -513,7 +543,7 @@ async def pause_session():
     )
 
 
-@app.post("/api/control/resume", response_model=ControlResponse)
+@app.post("/api/control/resume", response_model=ControlResponse, dependencies=[_CONTROL_DEP])
 async def resume_session():
     """
     Resume a paused Loki Mode session.

package/dashboard/server.py

@@ -6867,6 +6867,23 @@ def _resolve_process_state(pid: Optional[int], last_status: str = "",
                 started_dt = started_dt.replace(tzinfo=timezone.utc)
         except (ValueError, AttributeError):
             pass
+
+    # PID-reuse guard. os.kill(pid, 0) only proves *some* process owns this
+    # numeric pid -- not that it is OUR process. After our process exits the OS
+    # can recycle its pid for an unrelated program, and a bare existence probe
+    # would then report that stranger as our live run forever. Cross-check the
+    # live pid's real OS start time against the recorded `started` reference: a
+    # genuine process was launched at or before we recorded it, so a live pid
+    # whose start time is comfortably AFTER the reference must be a recycled pid
+    # belonging to someone else. Only downgrade on positive evidence (start time
+    # readable AND reference parseable); if either is missing we keep the prior
+    # best-effort behavior rather than guess, biasing against false downgrades.
+    if pid_alive and started_dt is not None:
+        pid_start = _pid_start_time(pid)
+        if pid_start is not None:
+            reference_epoch = started_dt.timestamp()
+            if pid_start > reference_epoch + _APP_RUNNER_PID_RECYCLE_MARGIN_SECONDS:
+                pid_alive = False
     if heartbeat:
         try:
             heartbeat_dt = datetime.fromisoformat(heartbeat.replace("Z", "+00:00"))
@@ -7805,6 +7822,30 @@ def _compose_service_labels(svc):
     return {}
 
 
+def _pick_web_port(ports):
+    """From a service's published host ports, pick the one most likely to be HTTP.
+
+    A single service can publish several host ports (e.g. a Spring Boot app that
+    exposes 8080 for HTTP and 8081 for the actuator/management endpoint, or a
+    stack that maps both a debug and a web port). Blindly taking ports[0] is
+    order-dependent and can surface the management/debug port instead of the
+    reachable web URL. Prefer the first port that appears in
+    _COMPOSE_COMMON_WEB_PORTS precedence order (so 8080 wins over a non-common
+    8081), and only fall back to ports[0] when none is a recognized web port.
+
+    This is why Spring Boot's 8080-over-8081 case resolves correctly without
+    parsing application.properties / server.port: the runtime published host
+    port (from compose ps Publishers) is matched against the known web-port
+    family. Returns a port string, or None if ports is empty. Never raises.
+    """
+    if not ports:
+        return None
+    for cp in _COMPOSE_COMMON_WEB_PORTS:
+        if cp in ports:
+            return cp
+    return ports[0]
+
+
 def _identify_compose_web_service(config_services, running_by_service):
     """Pick the primary web service and its published host port.
 
@@ -7818,6 +7859,12 @@ def _identify_compose_web_service(config_services, running_by_service):
     only running, published containers can yield a real URL. Returns
     (service_name, port_str) or (None, None). Never raises.
 
+    When a chosen service publishes MULTIPLE host ports, _pick_web_port selects
+    the HTTP one (common web port over a management/debug port) rather than the
+    arbitrary first-listed port -- so a Spring Boot service exposing 8080+8081
+    surfaces 8080, and a stack whose web service is not first in the compose file
+    is still resolved by name (rule 2) or by common-port match (rule 3).
+
     config_services: dict {service_name: service_config_dict} (may be empty).
     running_by_service: dict {service_name: [published_port_str, ...]} for
         currently-running containers with at least one published host port.
@@ -7832,26 +7879,30 @@ def _identify_compose_web_service(config_services, running_by_service):
         labels = _compose_service_labels(svc)
         if str(labels.get("loki.primary", "")).lower() == "true":
             ports = running_by_service.get(name)
-            if ports:
-                return (name, ports[0])
+            picked = _pick_web_port(ports)
+            if picked:
+                return (name, picked)
 
     # (2) service named web/app
     for cand in ("web", "app"):
         ports = running_by_service.get(cand)
-        if ports:
-            return (cand, ports[0])
+        picked = _pick_web_port(ports)
+        if picked:
+            return (cand, picked)
 
-    # (3) service publishing a common web port
+    # (3) service publishing a common web port. Iterate services in sorted order
+    # so selection is deterministic when more than one service is a candidate.
     for cp in _COMPOSE_COMMON_WEB_PORTS:
-        for name, ports in running_by_service.items():
-            if cp in ports:
+        for name in sorted(running_by_service.keys()):
+            if cp in running_by_service[name]:
                 return (name, cp)
 
-    # (4) first running service with any published port. Sort for determinism.
+    # (4) first running service with any published port. Sort for determinism;
+    # pick that service's HTTP-most port (not necessarily its first-listed one).
     for name in sorted(running_by_service.keys()):
-        ports = running_by_service[name]
-        if ports:
-            return (name, ports[0])
+        picked = _pick_web_port(running_by_service[name])
+        if picked:
+            return (name, picked)
 
     return (None, None)
 

package/dashboard/static/index.html

@@ -3450,10 +3450,10 @@ var LokiDashboard=(()=>{var Ee=Object.defineProperty;var rt=Object.getOwnPropert
           </div>
         </div>
       </div>
-    `;this.shadowRoot.innerHTML=`
+    `,d=this.shadowRoot.activeElement,p=d&&d.id==="spec-input",h=p?d.selectionStart:null,b=p?d.selectionEnd:null;if(this.shadowRoot.innerHTML=`
       ${o}
       ${e?n:l}
-    `,this._attachEventListeners()}_attachEventListeners(){let e=this.shadowRoot.getElementById("pause-btn"),t=this.shadowRoot.getElementById("resume-btn"),i=this.shadowRoot.getElementById("stop-btn"),a=this.shadowRoot.getElementById("start-btn");e&&e.addEventListener("click",()=>this._triggerPause()),t&&t.addEventListener("click",()=>this._triggerResume()),i&&i.addEventListener("click",()=>this._triggerStop()),a&&a.addEventListener("click",()=>this._triggerStart());let s=this.shadowRoot.getElementById("model-select");s&&s.addEventListener("change",o=>this._onModelChange(o.target.value));let r=this.shadowRoot.getElementById("spec-input");r&&r.addEventListener("input",o=>this._onSpecInput(o.target.value))}};customElements.get("loki-session-control")||customElements.define("loki-session-control",J);var qe={info:{color:"var(--loki-blue)",label:"INFO"},success:{color:"var(--loki-green)",label:"SUCCESS"},warning:{color:"var(--loki-yellow)",label:"WARN"},error:{color:"var(--loki-red)",label:"ERROR"},step:{color:"var(--loki-purple)",label:"STEP"},agent:{color:"var(--loki-accent)",label:"AGENT"},debug:{color:"var(--loki-text-muted)",label:"DEBUG"}},G=class extends u{static get observedAttributes(){return["api-url","max-lines","auto-scroll","theme","log-file"]}constructor(){super(),this._logs=[],this._maxLines=500,this._autoScroll=!0,this._filter="",this._levelFilter="all",this._api=null,this._pollInterval=null,this._logMessageHandler=null}connectedCallback(){super.connectedCallback(),this._maxLines=parseInt(this.getAttribute("max-lines"))||500,this._autoScroll=this.hasAttribute("auto-scroll"),this._setupApi(),this._startLogPolling()}disconnectedCallback(){super.disconnectedCallback(),this._stopLogPolling(),this._api&&this._logMessageHandler&&this._api.removeEventListener(v.LOG_MESSAGE,this._logMessageHandler)}attributeChangedCallback(e,t,i){if(t!==i)switch(e){case"api-url":this._api&&(this._api.baseUrl=i);break;case"max-lines":this._maxLines=parseInt(i)||500,this._trimLogs(),this.render();break;case"auto-scroll":this._autoScroll=this.hasAttribute("auto-scroll"),this.render();break;case"theme":this._applyTheme();break}}_setupApi(){let e=this.getAttribute("api-url")||window.location.origin;this._api=g({baseUrl:e}),this._logMessageHandler=t=>this._addLog(t.detail),this._api.addEventListener(v.LOG_MESSAGE,this._logMessageHandler)}_startLogPolling(){let e=this.getAttribute("log-file");e?this._pollLogFile(e):this._pollApiLogs()}async _pollApiLogs(){let e=0,t=async()=>{try{let i=await this._api.getLogs(200);if(Array.isArray(i)&&i.length>e){let a=i.slice(e);for(let s of a)s.message&&s.message.trim()&&this._addLog({message:s.message,level:s.level||"info",timestamp:s.timestamp||new Date().toLocaleTimeString()});e=i.length}}catch{}};t(),this._apiPollInterval=setInterval(t,2e3)}async _pollLogFile(e){let t=0,i=async()=>{try{let a=await fetch(`${e}?t=${Date.now()}`,{credentials:"include"});if(!a.ok)return;let r=(await a.text()).split(`
+    `,this._attachEventListeners(),p){let m=this.shadowRoot.getElementById("spec-input");if(m&&!m.disabled){m.focus();try{m.setSelectionRange(h,b)}catch{}}}}_attachEventListeners(){let e=this.shadowRoot.getElementById("pause-btn"),t=this.shadowRoot.getElementById("resume-btn"),i=this.shadowRoot.getElementById("stop-btn"),a=this.shadowRoot.getElementById("start-btn");e&&e.addEventListener("click",()=>this._triggerPause()),t&&t.addEventListener("click",()=>this._triggerResume()),i&&i.addEventListener("click",()=>this._triggerStop()),a&&a.addEventListener("click",()=>this._triggerStart());let s=this.shadowRoot.getElementById("model-select");s&&s.addEventListener("change",o=>this._onModelChange(o.target.value));let r=this.shadowRoot.getElementById("spec-input");r&&r.addEventListener("input",o=>this._onSpecInput(o.target.value))}};customElements.get("loki-session-control")||customElements.define("loki-session-control",J);var qe={info:{color:"var(--loki-blue)",label:"INFO"},success:{color:"var(--loki-green)",label:"SUCCESS"},warning:{color:"var(--loki-yellow)",label:"WARN"},error:{color:"var(--loki-red)",label:"ERROR"},step:{color:"var(--loki-purple)",label:"STEP"},agent:{color:"var(--loki-accent)",label:"AGENT"},debug:{color:"var(--loki-text-muted)",label:"DEBUG"}},G=class extends u{static get observedAttributes(){return["api-url","max-lines","auto-scroll","theme","log-file"]}constructor(){super(),this._logs=[],this._maxLines=500,this._autoScroll=!0,this._filter="",this._levelFilter="all",this._api=null,this._pollInterval=null,this._logMessageHandler=null}connectedCallback(){super.connectedCallback(),this._maxLines=parseInt(this.getAttribute("max-lines"))||500,this._autoScroll=this.hasAttribute("auto-scroll"),this._setupApi(),this._startLogPolling()}disconnectedCallback(){super.disconnectedCallback(),this._stopLogPolling(),this._api&&this._logMessageHandler&&this._api.removeEventListener(v.LOG_MESSAGE,this._logMessageHandler)}attributeChangedCallback(e,t,i){if(t!==i)switch(e){case"api-url":this._api&&(this._api.baseUrl=i);break;case"max-lines":this._maxLines=parseInt(i)||500,this._trimLogs(),this.render();break;case"auto-scroll":this._autoScroll=this.hasAttribute("auto-scroll"),this.render();break;case"theme":this._applyTheme();break}}_setupApi(){let e=this.getAttribute("api-url")||window.location.origin;this._api=g({baseUrl:e}),this._logMessageHandler=t=>this._addLog(t.detail),this._api.addEventListener(v.LOG_MESSAGE,this._logMessageHandler)}_startLogPolling(){let e=this.getAttribute("log-file");e?this._pollLogFile(e):this._pollApiLogs()}async _pollApiLogs(){let e=0,t=async()=>{try{let i=await this._api.getLogs(200);if(Array.isArray(i)&&i.length>e){let a=i.slice(e);for(let s of a)s.message&&s.message.trim()&&this._addLog({message:s.message,level:s.level||"info",timestamp:s.timestamp||new Date().toLocaleTimeString()});e=i.length}}catch{}};t(),this._apiPollInterval=setInterval(t,2e3)}async _pollLogFile(e){let t=0,i=async()=>{try{let a=await fetch(`${e}?t=${Date.now()}`,{credentials:"include"});if(!a.ok)return;let r=(await a.text()).split(`
 `);if(r.length>t){let o=r.slice(t);for(let n of o)n.trim()&&this._addLog(this._parseLine(n));t=r.length}}catch{}};i(),this._pollInterval=setInterval(i,1e3)}_stopLogPolling(){this._pollInterval&&(clearInterval(this._pollInterval),this._pollInterval=null),this._apiPollInterval&&(clearInterval(this._apiPollInterval),this._apiPollInterval=null)}_parseLine(e){let t=e.match(/^\[([^\]]+)\]\s*\[([^\]]+)\]\s*(.+)$/);if(t)return{timestamp:t[1],level:t[2].toLowerCase(),message:t[3]};let i=e.match(/^(\d{2}:\d{2}:\d{2})\s+(\w+)\s+(.+)$/);return i?{timestamp:i[1],level:i[2].toLowerCase(),message:i[3]}:{timestamp:new Date().toLocaleTimeString(),level:"info",message:e}}_addLog(e){if(!e)return;let t={id:Date.now()+Math.random(),timestamp:e.timestamp||new Date().toLocaleTimeString(),level:(e.level||"info").toLowerCase(),message:e.message||e};this._logs.push(t),this._trimLogs(),this.dispatchEvent(new CustomEvent("log-received",{detail:t})),this._renderLogs(),this._autoScroll&&this._scrollToBottom()}_trimLogs(){this._logs.length>this._maxLines&&(this._logs=this._logs.slice(-this._maxLines))}_clearLogs(){this._logs=[],this.dispatchEvent(new CustomEvent("logs-cleared")),this._renderLogs()}_toggleAutoScroll(){this._autoScroll=!this._autoScroll,this.render(),this._autoScroll&&this._scrollToBottom()}_scrollToBottom(){requestAnimationFrame(()=>{let e=this.shadowRoot.getElementById("log-output");e&&(e.scrollTop=e.scrollHeight)})}_downloadLogs(){let e=this._logs.map(s=>`[${s.timestamp}] [${s.level.toUpperCase()}] ${s.message}`).join(`
 `),t=new Blob([e],{type:"text/plain"}),i=URL.createObjectURL(t),a=document.createElement("a");a.href=i,a.download=`loki-logs-${new Date().toISOString().split("T")[0]}.txt`,a.click(),URL.revokeObjectURL(i)}_setFilter(e){this._filter=e.toLowerCase(),this._renderLogs()}_setLevelFilter(e){this._levelFilter=e,this._renderLogs()}_getFilteredLogs(){return this._logs.filter(e=>!(this._levelFilter!=="all"&&e.level!==this._levelFilter||this._filter&&!e.message.toLowerCase().includes(this._filter)))}_renderLogs(){let e=this.shadowRoot.getElementById("log-output");if(!e)return;let t=this._getFilteredLogs();if(t.length===0){e.innerHTML='<div class="log-empty">No log output yet. Terminal will update when Loki Mode is running.</div>';return}e.innerHTML=t.map(i=>{let a=qe[i.level]||qe.info;return`
         <div class="log-line">

package/docs/INSTALLATION.md

@@ -2,7 +2,7 @@
 
 The flagship product of [Autonomi](https://www.autonomi.dev/). Loki Mode is a spec-driven autonomous builder with a built-in trust layer that takes any spec to a deployed product and verifies completion with evidence (quality gates plus a completion council), not just a "done" claim. Complete installation instructions for all platforms and use cases.
 
-**Version:** v7.58.1
+**Version:** v7.60.0
 
 ---
 
@@ -395,7 +395,7 @@ provider works inside the container. Provide auth with your Anthropic API key:
 # Run Loki Mode in Docker (Claude provider, API-key auth)
 docker run --rm -e ANTHROPIC_API_KEY="$ANTHROPIC_API_KEY" \
   -v $(pwd):/workspace -w /workspace \
-  asklokesh/loki-mode:7.58.1 start ./my-spec.md
+  asklokesh/loki-mode:7.60.0 start ./my-spec.md
 ```
 
 ##### docker compose + .env (no host install)

package/events/bus.py

@@ -79,9 +79,32 @@ class LokiEvent:
 
         Handles compound types like 'session_start' by splitting on underscore
         and using the first token as the event type.
+
+        Tolerates two on-disk schemas:
+          - The pending/archive schema written by bus.py / bus.ts / emit.sh:
+            ``{id, type, source, timestamp, payload, version}``.
+          - The flat events.jsonl schema written by run.sh's emit_event /
+            emit_event_json (and read by the dashboard):
+            ``{timestamp, type, data: {...}}`` -- here ``source`` lives inside
+            ``data`` (or is absent) and the body is ``data``, not ``payload``.
+        Without this fallback, import_from_jsonl() would coerce every
+        run.sh-written line to source=cli with an empty payload, silently
+        dropping the source attribution and the entire event body.
         """
         raw_type = data.get('type', '')
+
+        # Body: prefer the canonical `payload`; fall back to the flat
+        # events.jsonl `data` object so run.sh-written lines keep their fields.
+        payload = data.get('payload')
+        nested = data.get('data')
+        if payload is None:
+            payload = nested if isinstance(nested, dict) else {}
+
+        # Source: prefer top-level `source`; otherwise lift it from the nested
+        # `data.source` used by the flat events.jsonl schema.
         raw_source = data.get('source', '')
+        if not raw_source and isinstance(nested, dict):
+            raw_source = nested.get('source', '')
 
         # Parse event type, handling compound values like "session_start"
         try:
@@ -105,7 +128,7 @@ class LokiEvent:
             type=event_type,
             source=event_source,
             timestamp=data.get('timestamp', ''),
-            payload=data.get('payload', {}),
+            payload=payload,
             version=data.get('version', '1.0')
         )
 

package/loki-ts/dist/loki.js

@@ -1,5 +1,5 @@
 // @bun
-var r6=Object.defineProperty;var t6=($)=>$;function i6($,Q){this[$]=t6.bind(null,Q)}var h=($,Q)=>{for(var Z in Q)r6($,Z,{get:Q[Z],enumerable:!0,configurable:!0,set:i6.bind(Q,Z)})};var L=($,Q)=>()=>($&&(Q=$($=0)),Q);var K$=import.meta.require;var D1={};h(D1,{lokiDir:()=>P,homeLokiDir:()=>n$,findRepoRootForVersion:()=>o$,REPO_ROOT:()=>g});import{resolve as n,dirname as d$}from"path";import{fileURLToPath as e6}from"url";import{existsSync as P$}from"fs";import{homedir as $Q}from"os";function QQ(){let $=S1;for(let Q=0;Q<6;Q++){if(P$(n($,"VERSION"))&&P$(n($,"autonomy/run.sh")))return $;let Z=d$($);if(Z===$)break;$=Z}return n(S1,"..","..","..")}function o$($){let Q=$;for(let Z=0;Z<6;Z++){if(P$(n(Q,"VERSION"))&&P$(n(Q,"autonomy/run.sh")))return Q;let z=d$(Q);if(z===Q)break;Q=z}return n($,"..","..","..")}function P(){return process.env.LOKI_DIR??n(process.cwd(),".loki")}function n$(){return n($Q(),".loki")}var S1,g;var b=L(()=>{S1=d$(e6(import.meta.url));g=QQ()});import{readFileSync as ZQ}from"fs";import{resolve as zQ,dirname as XQ}from"path";import{fileURLToPath as KQ}from"url";function j$(){if($$!==null)return $$;let $="7.58.1";if(typeof $==="string"&&$.length>0)return $$=$,$$;try{let Q=XQ(KQ(import.meta.url)),Z=o$(Q);$$=ZQ(zQ(Z,"VERSION"),"utf-8").trim()}catch{$$="unknown"}return $$}var $$=null;var a$=L(()=>{b()});var b1={};h(b1,{runOrThrow:()=>qQ,run:()=>k,commandVersion:()=>WQ,commandExists:()=>f,ShellError:()=>s$});async function k($,Q={}){let Z=Bun.spawn({cmd:[...$],stdout:"pipe",stderr:"pipe",env:Q.env?{...process.env,...Q.env}:process.env,cwd:Q.cwd}),z,X;if(Q.timeoutMs&&Q.timeoutMs>0)z=setTimeout(()=>{try{Z.kill("SIGTERM")}catch{}X=setTimeout(()=>{try{Z.kill("SIGKILL")}catch{}},2000)},Q.timeoutMs);try{let[q,K,W]=await Promise.all([new Response(Z.stdout).text(),new Response(Z.stderr).text(),Z.exited]);return{stdout:q,stderr:K,exitCode:W}}finally{if(z)clearTimeout(z);if(X)clearTimeout(X)}}async function qQ($,Q={}){let Z=await k($,Q);if(Z.exitCode!==0)throw new s$(`command failed (${Z.exitCode}): ${$.join(" ")}`,Z.exitCode,Z.stdout,Z.stderr);return Z}async function f($){let Q=VQ($),Z=await k(["sh","-c",`command -v ${Q}`],{timeoutMs:5000});if(Z.exitCode===0)return Z.stdout.trim()||null;return null}function VQ($){if(!/^[A-Za-z0-9._/-]+$/.test($))throw Error(`refused to shell-escape suspect token: ${$}`);return $}async function WQ($,Q="--version"){if(!await f($))return null;let z=await k([$,Q],{timeoutMs:5000});if(z.exitCode!==0)return null;return((z.stdout||z.stderr).split(/\r?\n/)[0]?.trim()??"")||null}var s$;var d=L(()=>{s$=class s$ extends Error{message;exitCode;stdout;stderr;constructor($,Q,Z,z){super($);this.message=$;this.exitCode=Q;this.stdout=Z;this.stderr=z;this.name="ShellError"}}});function a($){return JQ?"":$}var JQ,T,S,_,wZ,I,R,y,V;var c=L(()=>{JQ=(process.env.NO_COLOR??"").length>0;T=a("\x1B[0;31m"),S=a("\x1B[0;32m"),_=a("\x1B[1;33m"),wZ=a("\x1B[0;34m"),I=a("\x1B[0;36m"),R=a("\x1B[1m"),y=a("\x1B[2m"),V=a("\x1B[0m")});import{existsSync as wQ}from"fs";async function Q$(){if(G$!==void 0)return G$;let $="/opt/homebrew/bin/python3.12";if(wQ($))return G$=$,$;let Q=await f("python3.12");if(Q)return G$=Q,Q;let Z=await f("python3");return G$=Z,Z}async function Z$($,Q={}){let Z=await Q$();if(!Z)return{stdout:"",stderr:"python3 not found",exitCode:127};return k([Z,"-c",$],Q)}var G$;var q$=L(()=>{d()});var e1={};h(e1,{runStatus:()=>uQ});import{existsSync as v,readFileSync as W$,readdirSync as d1,statSync as o1}from"fs";import{resolve as C,basename as DQ}from"path";import{homedir as CQ}from"os";function n1($){let Q=Math.trunc($);if(Q>=1e6)return`${(Math.trunc(Q/1e6*10)/10).toFixed(1)}M`;if(Q>=1000)return`${(Math.trunc(Q/1000*10)/10).toFixed(1)}K`;return String(Q)}function a1($,Q,Z){if(Q===0)return null;let z=Math.trunc($*100/Q),X=Math.trunc($*k$/Q);if(X>k$)X=k$;let q=k$-X,K=S;if(z>=80)K=T;else if(z>=50)K=_;let W="=".repeat(Math.max(0,X))+" ".repeat(Math.max(0,q)),J=n1($),U=n1(Q);return`  ${R}${Z}${V} ${K}[${W}]${V} ${z}% (${J} / ${U})`}async function hQ(){if(await f("jq"))return!0;return process.stdout.write(`${T}Error: jq is required but not installed.${V}
+var r6=Object.defineProperty;var t6=($)=>$;function i6($,Q){this[$]=t6.bind(null,Q)}var h=($,Q)=>{for(var Z in Q)r6($,Z,{get:Q[Z],enumerable:!0,configurable:!0,set:i6.bind(Q,Z)})};var L=($,Q)=>()=>($&&(Q=$($=0)),Q);var K$=import.meta.require;var D1={};h(D1,{lokiDir:()=>P,homeLokiDir:()=>n$,findRepoRootForVersion:()=>o$,REPO_ROOT:()=>g});import{resolve as n,dirname as d$}from"path";import{fileURLToPath as e6}from"url";import{existsSync as P$}from"fs";import{homedir as $Q}from"os";function QQ(){let $=S1;for(let Q=0;Q<6;Q++){if(P$(n($,"VERSION"))&&P$(n($,"autonomy/run.sh")))return $;let Z=d$($);if(Z===$)break;$=Z}return n(S1,"..","..","..")}function o$($){let Q=$;for(let Z=0;Z<6;Z++){if(P$(n(Q,"VERSION"))&&P$(n(Q,"autonomy/run.sh")))return Q;let z=d$(Q);if(z===Q)break;Q=z}return n($,"..","..","..")}function P(){return process.env.LOKI_DIR??n(process.cwd(),".loki")}function n$(){return n($Q(),".loki")}var S1,g;var b=L(()=>{S1=d$(e6(import.meta.url));g=QQ()});import{readFileSync as ZQ}from"fs";import{resolve as zQ,dirname as XQ}from"path";import{fileURLToPath as KQ}from"url";function j$(){if($$!==null)return $$;let $="7.60.0";if(typeof $==="string"&&$.length>0)return $$=$,$$;try{let Q=XQ(KQ(import.meta.url)),Z=o$(Q);$$=ZQ(zQ(Z,"VERSION"),"utf-8").trim()}catch{$$="unknown"}return $$}var $$=null;var a$=L(()=>{b()});var b1={};h(b1,{runOrThrow:()=>qQ,run:()=>k,commandVersion:()=>WQ,commandExists:()=>f,ShellError:()=>s$});async function k($,Q={}){let Z=Bun.spawn({cmd:[...$],stdout:"pipe",stderr:"pipe",env:Q.env?{...process.env,...Q.env}:process.env,cwd:Q.cwd}),z,X;if(Q.timeoutMs&&Q.timeoutMs>0)z=setTimeout(()=>{try{Z.kill("SIGTERM")}catch{}X=setTimeout(()=>{try{Z.kill("SIGKILL")}catch{}},2000)},Q.timeoutMs);try{let[q,K,W]=await Promise.all([new Response(Z.stdout).text(),new Response(Z.stderr).text(),Z.exited]);return{stdout:q,stderr:K,exitCode:W}}finally{if(z)clearTimeout(z);if(X)clearTimeout(X)}}async function qQ($,Q={}){let Z=await k($,Q);if(Z.exitCode!==0)throw new s$(`command failed (${Z.exitCode}): ${$.join(" ")}`,Z.exitCode,Z.stdout,Z.stderr);return Z}async function f($){let Q=VQ($),Z=await k(["sh","-c",`command -v ${Q}`],{timeoutMs:5000});if(Z.exitCode===0)return Z.stdout.trim()||null;return null}function VQ($){if(!/^[A-Za-z0-9._/-]+$/.test($))throw Error(`refused to shell-escape suspect token: ${$}`);return $}async function WQ($,Q="--version"){if(!await f($))return null;let z=await k([$,Q],{timeoutMs:5000});if(z.exitCode!==0)return null;return((z.stdout||z.stderr).split(/\r?\n/)[0]?.trim()??"")||null}var s$;var d=L(()=>{s$=class s$ extends Error{message;exitCode;stdout;stderr;constructor($,Q,Z,z){super($);this.message=$;this.exitCode=Q;this.stdout=Z;this.stderr=z;this.name="ShellError"}}});function a($){return JQ?"":$}var JQ,T,S,_,wZ,I,R,y,V;var c=L(()=>{JQ=(process.env.NO_COLOR??"").length>0;T=a("\x1B[0;31m"),S=a("\x1B[0;32m"),_=a("\x1B[1;33m"),wZ=a("\x1B[0;34m"),I=a("\x1B[0;36m"),R=a("\x1B[1m"),y=a("\x1B[2m"),V=a("\x1B[0m")});import{existsSync as wQ}from"fs";async function Q$(){if(G$!==void 0)return G$;let $="/opt/homebrew/bin/python3.12";if(wQ($))return G$=$,$;let Q=await f("python3.12");if(Q)return G$=Q,Q;let Z=await f("python3");return G$=Z,Z}async function Z$($,Q={}){let Z=await Q$();if(!Z)return{stdout:"",stderr:"python3 not found",exitCode:127};return k([Z,"-c",$],Q)}var G$;var q$=L(()=>{d()});var e1={};h(e1,{runStatus:()=>uQ});import{existsSync as v,readFileSync as W$,readdirSync as d1,statSync as o1}from"fs";import{resolve as C,basename as DQ}from"path";import{homedir as CQ}from"os";function n1($){let Q=Math.trunc($);if(Q>=1e6)return`${(Math.trunc(Q/1e6*10)/10).toFixed(1)}M`;if(Q>=1000)return`${(Math.trunc(Q/1000*10)/10).toFixed(1)}K`;return String(Q)}function a1($,Q,Z){if(Q===0)return null;let z=Math.trunc($*100/Q),X=Math.trunc($*k$/Q);if(X>k$)X=k$;let q=k$-X,K=S;if(z>=80)K=T;else if(z>=50)K=_;let W="=".repeat(Math.max(0,X))+" ".repeat(Math.max(0,q)),J=n1($),U=n1(Q);return`  ${R}${Z}${V} ${K}[${W}]${V} ${z}% (${J} / ${U})`}async function hQ(){if(await f("jq"))return!0;return process.stdout.write(`${T}Error: jq is required but not installed.${V}
 `),process.stdout.write(`Install with:
 `),process.stdout.write(`  brew install jq    (macOS)
 `),process.stdout.write(`  apt install jq     (Debian/Ubuntu)
@@ -790,4 +790,4 @@ Set LOKI_LEGACY_BASH=1 to force the bash CLI for every command.
 `),2}default:return process.stderr.write(`Unknown command: ${Q}
 `),process.stderr.write(s6),2}}l1();process.on("SIGINT",()=>process.exit(130));process.on("SIGTERM",()=>process.exit(143));var KZ=await XZ(Bun.argv.slice(2));process.exit(KZ);
 
-//# debugId=D9E2CF477FD688DE64756E2164756E21
+//# debugId=B963F5BED7BF3C2664756E2164756E21

package/mcp/__init__.py

@@ -57,4 +57,4 @@ try:
 except ImportError:
     __all__ = ['mcp']
 
-__version__ = '7.58.1'
+__version__ = '7.60.0'

package/mcp/server.py

@@ -1715,6 +1715,13 @@ async def loki_code_search(
 
     collection = _get_chroma_collection()
     if collection is None:
+        # Emit 'complete' to balance the 'start' above. Without this the
+        # per-tool start-time stack in _tool_call_start_times leaks one entry
+        # per call (and ChromaDB-unavailable is the common default path), and
+        # a later successful call would pop a stale start time, producing a
+        # wildly wrong execution_time_ms learning signal.
+        _emit_tool_event_async('loki_code_search', 'complete',
+                               result_status='error', error='ChromaDB not available')
         return json.dumps({
             "error": "ChromaDB not available. Start it with: docker start loki-chroma",
             "hint": "Re-index with: python3.12 tools/index-codebase.py --reset"
@@ -2188,12 +2195,27 @@ async def loki_get_co_changes(
         with safe_open(co_changes_path, 'r') as f:
             pairs = json.load(f)
 
-        # Filter pairs involving the requested file
+        # Filter pairs involving the requested file. The co-changes.json
+        # producer lives outside this repo, so treat its shape as an external
+        # contract: skip malformed entries (not a 2-element pair) instead of
+        # letting one bad row raise and abort the whole tool, and skip
+        # self-pairs (a file is not its own co-change partner) which would
+        # otherwise report file_path against itself.
         results = []
-        for pair_files, count in pairs:
-            if file_path in pair_files:
-                partner = pair_files[0] if pair_files[1] == file_path else pair_files[1]
-                results.append({"partner": partner, "co_changes": count})
+        for entry in pairs:
+            try:
+                pair_files, count = entry
+            except (ValueError, TypeError):
+                continue
+            if not isinstance(pair_files, (list, tuple)) or len(pair_files) != 2:
+                continue
+            a, b = pair_files[0], pair_files[1]
+            if a == b:
+                continue
+            if a == file_path:
+                results.append({"partner": b, "co_changes": count})
+            elif b == file_path:
+                results.append({"partner": a, "co_changes": count})
 
         # Sort by co-change count descending
         results.sort(key=lambda x: x["co_changes"], reverse=True)

package/memory/embeddings.py

@@ -257,8 +257,12 @@ def compute_quality_score(
     non_zero = np.count_nonzero(embedding)
     density = non_zero / len(embedding) if len(embedding) > 0 else 0
 
-    # Variance: measure of embedding diversity
-    variance = float(np.var(embedding))
+    # Variance: measure of embedding diversity. np.var of an empty array is NaN,
+    # and NaN would silently propagate through min(variance * 10, 1.0) (which
+    # returns NaN) into the final score, where min(1.0, NaN) yields a bogus
+    # perfect score of 1.0 for an empty embedding. Treat an empty vector as
+    # zero-variance so the score reflects its (lack of) content.
+    variance = float(np.var(embedding)) if len(embedding) > 0 else 0.0
 
     # Coverage: estimate based on text length vs max tokens
     # Rough estimate: 4 chars per token
@@ -1192,6 +1196,14 @@ class EmbeddingEngine:
         if corpus_embeddings.size == 0:
             return []
 
+        # A single corpus vector may arrive 1-D (shape (dimension,)) instead of
+        # the documented 2-D (n, dimension). Without this promotion, np.dot of a
+        # 1-D corpus with the 1-D query collapses to a 0-d scalar, and the
+        # subsequent len(similarities) raises an opaque
+        # "object of type 'numpy.float32' has no len()". atleast_2d is a no-op
+        # on an already-2-D corpus.
+        corpus_embeddings = np.atleast_2d(corpus_embeddings)
+
         # Normalize
         query_norm = self._normalize(query_embedding)
         corpus_norm = self._normalize(corpus_embeddings)

package/memory/engine.py

@@ -917,9 +917,16 @@ class MemoryEngine:
 
         category = pattern.get("category", "general")
 
+        # An index.json that is valid JSON but missing the "topics" key (e.g.
+        # written by an older/partial writer, or hand-edited) would crash here
+        # on index["topics"] because the `or {...}` default only fires when the
+        # whole file is falsy. setdefault matches the defensive pattern used in
+        # the sibling _update_index_with_episode.
+        topics = index.setdefault("topics", [])
+
         # Find or create topic
         topic_found = False
-        for topic in index["topics"]:
+        for topic in topics:
             if topic.get("id") == category:
                 topic["last_accessed"] = datetime.now(timezone.utc).isoformat()
                 topic["relevance_score"] = max(
@@ -930,7 +937,7 @@ class MemoryEngine:
                 break
 
         if not topic_found:
-            index["topics"].append({
+            topics.append({
                 "id": category,
                 "summary": f"Patterns for {category}",
                 "relevance_score": pattern.get("confidence", 0.5),
@@ -970,7 +977,17 @@ class MemoryEngine:
             # Handle ISO format with Z suffix
             if timestamp_str.endswith("Z"):
                 timestamp_str = timestamp_str[:-1]
-            timestamp = datetime.fromisoformat(timestamp_str)
+            # A single corrupt/non-ISO timestamp on one episode file must not
+            # crash the whole scan (get_recent_episodes -> retrieve_relevant is
+            # on the RARV hot path). Fall back to now() for the unparseable one.
+            try:
+                timestamp = datetime.fromisoformat(timestamp_str)
+            except ValueError:
+                logger.warning(
+                    "Episode %s has unparseable timestamp %r; using current time",
+                    data.get("id", "<unknown>"), timestamp_str,
+                )
+                timestamp = datetime.now(timezone.utc)
             if timestamp.tzinfo is None:
                 timestamp = timestamp.replace(tzinfo=timezone.utc)
         elif isinstance(timestamp_str, datetime):

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "loki-mode",
   "mcpName": "io.github.asklokesh/loki-mode",
-  "version": "7.58.1",
+  "version": "7.60.0",
   "description": "Loki Mode by Autonomi. Autonomous spec-to-product system: takes a PRD, GitHub issue, OpenAPI/JSON/YAML, or one-line brief to a deployed app via the RARV-C closure loop with 8 quality gates. Provider-agnostic (Claude Code, OpenAI Codex, Cline, Aider).",
   "keywords": [
     "agent",

package/plugins/loki-mode/.claude-plugin/plugin.json

@@ -2,7 +2,7 @@
   "$schema": "https://json.schemastore.org/claude-code-plugin-manifest.json",
   "name": "loki-mode",
   "displayName": "Loki Mode",
-  "version": "7.58.1",
+  "version": "7.60.0",
   "description": "Autonomous spec-to-product build system with a built-in trust layer (RARV-C closure loop, 8 quality gates, completion council). Ships Loki's spec-hardening, drift-detection, and deterministic PR verification commands plus the Loki MCP server.",
   "author": {
     "name": "Autonomi",

package/providers/claude.sh

@@ -284,7 +284,11 @@ provider_invoke() {
     local prompt="$1"
     shift
     _loki_build_claude_auto_flags "development" "${LOKI_COMPLEXITY:-standard}" ""
-    claude --dangerously-skip-permissions "${_LOKI_CLAUDE_AUTO_FLAGS[@]}" -p "$prompt" "$@"
+    # Guard the auto-flag array expansion: when the builder emits zero flags the
+    # array is empty, and a bare "${arr[@]}" under `set -u` aborts with "unbound
+    # variable" on bash 3.2 (stock macOS /bin/bash). ${arr[@]+...} expands to
+    # nothing when unset/empty and preserves spaced elements otherwise.
+    claude --dangerously-skip-permissions "${_LOKI_CLAUDE_AUTO_FLAGS[@]+"${_LOKI_CLAUDE_AUTO_FLAGS[@]}"}" -p "$prompt" "$@"
 }
 
 # Model tier to Task tool model parameter value
@@ -443,5 +447,8 @@ provider_invoke_with_tier() {
     local model
     model=$(resolve_model_for_tier "$tier")
     _loki_build_claude_auto_flags "$tier" "${LOKI_COMPLEXITY:-standard}" "$model"
-    claude --dangerously-skip-permissions --model "$model" "${_LOKI_CLAUDE_AUTO_FLAGS[@]}" -p "$prompt" "$@"
+    # Guard empty auto-flag array under `set -u` on bash 3.2 (stock macOS): a bare
+    # "${arr[@]}" on an empty array aborts with "unbound variable". ${arr[@]+...}
+    # expands to nothing when empty and preserves spaced elements otherwise.
+    claude --dangerously-skip-permissions --model "$model" "${_LOKI_CLAUDE_AUTO_FLAGS[@]+"${_LOKI_CLAUDE_AUTO_FLAGS[@]}"}" -p "$prompt" "$@"
 }

package/providers/cline.sh

@@ -111,7 +111,11 @@ provider_invoke() {
     local model="${LOKI_CLINE_MODEL:-}"
     local model_args=()
     [[ -n "$model" ]] && model_args=("-m" "$model")
-    cline -y "${model_args[@]}" "$prompt" "$@" 2>&1
+    # Guard the model_args array expansion: when LOKI_CLINE_MODEL is unset the
+    # array is empty, and a bare "${arr[@]}" under `set -u` aborts with "unbound
+    # variable" on bash 3.2 (stock macOS /bin/bash). ${arr[@]+...} expands to
+    # nothing when empty and preserves spaced elements otherwise.
+    cline -y "${model_args[@]+"${model_args[@]}"}" "$prompt" "$@" 2>&1
 }
 
 # Model tier to parameter (Cline uses single model, returns model name)

package/providers/codex.sh

@@ -232,10 +232,14 @@ provider_invoke_with_tier() {
 
     LOKI_CODEX_REASONING_EFFORT="$effort" \
     CODEX_MODEL_REASONING_EFFORT="$effort" \
+    # Guard the extra_flags array expansion: with no web-search / output-last
+    # knobs the array is empty, and a bare "${arr[@]}" under `set -u` aborts with
+    # "unbound variable" on bash 3.2 (stock macOS /bin/bash). ${arr[@]+...}
+    # expands to nothing when empty and preserves spaced elements otherwise.
     codex exec \
         --sandbox workspace-write \
         --skip-git-repo-check \
         --model "$model" \
-        "${extra_flags[@]}" \
+        "${extra_flags[@]+"${extra_flags[@]}"}" \
         "$prompt" "$@"
 }

package/src/policies/check.js

@@ -24,9 +24,38 @@ var engine;
 try {
     engine = new PolicyEngine(projectDir);
 } catch (e) {
-    // No policies configured - allow by default
-    process.stdout.write(JSON.stringify({ allowed: true, decision: 'ALLOW', reason: 'No policies configured' }));
-    process.exit(0);
+    // A security control that cannot instantiate must FAIL CLOSED (deny),
+    // never allow by default. An unexpected error here means we cannot make
+    // a sound policy decision, so we deny rather than silently disable
+    // enforcement.
+    process.stdout.write(JSON.stringify({
+        allowed: false,
+        decision: 'DENY',
+        reason: 'Policy engine failed to initialize: ' + e.message,
+        requiresApproval: false,
+        violations: [],
+    }));
+    process.stderr.write('Policy engine failed to initialize: ' + e.message + '\n');
+    process.exit(1);
+}
+
+// Fail-closed on a present-but-unparseable policy file. If a policy file
+// exists on disk but could not be loaded (corrupt JSON / bad YAML), the engine
+// records the error and leaves _policies null. Falling through to evaluate()
+// would return the misleading "No policies configured" ALLOW, silently
+// disabling all policy enforcement. A security control that disables itself on
+// malformed config is fail-open; deny instead.
+if (engine.hasLoadErrors()) {
+    var loadErrors = engine.getValidationErrors();
+    process.stdout.write(JSON.stringify({
+        allowed: false,
+        decision: 'DENY',
+        reason: 'Policy file present but could not be loaded (fail-closed): ' + loadErrors.join('; '),
+        requiresApproval: false,
+        violations: [],
+    }));
+    process.stderr.write('Policy file present but could not be loaded; denying (fail-closed): ' + loadErrors.join('; ') + '\n');
+    process.exit(1);
 }
 
 var result = engine.evaluate(enforcementPoint, context);

package/src/policies/engine.js

@@ -590,6 +590,26 @@ class PolicyEngine {
     return this._validationErrors;
   }
 
+  /**
+   * Whether a policy file is present on disk but could not be parsed/loaded
+   * into a usable policy object.
+   *
+   * This is the fail-closed discriminator: it is true only when a policy file
+   * exists (_policyPath set) yet parsing failed (_policies === null). It is
+   * deliberately NOT keyed off getValidationErrors() length, because a valid
+   * policy file can still carry soft warnings (e.g. an unrecognized rule
+   * string) while parsing cleanly into a non-null _policies object. Those
+   * warnings must not disable enforcement.
+   *
+   * When no policy file exists at all, _policyPath is null and this returns
+   * false, preserving the legitimate "no policies -> allow" behavior.
+   *
+   * @returns {boolean}
+   */
+  hasLoadErrors() {
+    return this._policyPath !== null && this._policies === null;
+  }
+
   /**
    * Stop watching the policy file.
    */