loki-mode 7.59.2 → 7.60.0

package/SKILL.md

@@ -3,7 +3,7 @@ name: loki-mode
 description: Autonomous spec-driven build system with a built-in trust layer. It does not call work done until it is verified (RARV-C closure loop, 8 quality gates, completion council, verified-completion evidence gate). Triggers on "Loki Mode". Takes a spec (PRD, GitHub issue, OpenAPI doc, etc.) to deployed product with minimal human intervention. Provider-agnostic. Requires --dangerously-skip-permissions flag.
 ---
 
-# Loki Mode v7.59.2
+# Loki Mode v7.60.0
 
 **You are an autonomous agent. You make decisions. You do not ask questions. You do not stop.**
 
@@ -406,4 +406,4 @@ See `CHANGELOG.md` entries [7.5.7], [7.5.8], [7.5.13] for the per-fix list and r
 
 ---
 
-**v7.59.2 | [Autonomi](https://www.autonomi.dev/) flagship product | ~260 lines core**
+**v7.60.0 | [Autonomi](https://www.autonomi.dev/) flagship product | ~260 lines core**

package/VERSION

@@ -1 +1 @@
-7.59.2
+7.60.0

package/autonomy/lib/proof_redact.py

@@ -79,6 +79,33 @@ _PATTERNS = [
 # Bearer tokens: keep the scheme, redact the credential.
 _BEARER = re.compile(r"(Bearer\s+)[A-Za-z0-9._~+/=-]{20,}")
 
+# HTTP auth/cookie HEADER lines: redact the credential VALUE for the whole line.
+# This owns the header-line form of Authorization (any scheme: Basic, Bearer,
+# Digest, raw token) plus Cookie / Set-Cookie, which the keyword-based
+# _ENV_ASSIGN rule does not cover (Authorization is excluded there via the
+# AUTH(?!ORIZATION) lookahead, and Cookie/session are not secret keywords).
+#
+# Anchored with (?im):
+#   - re.IGNORECASE so "authorization"/"Authorization"/"COOKIE" all match.
+#   - re.MULTILINE so an interior header line inside a multi-line blob (crash
+#     reports, stack traces, env dumps) matches, not just offset 0. "." does
+#     not cross newlines, so the value run stops at end-of-line and adjacent
+#     normal lines are left untouched.
+#
+# Group layout:
+#   1 -> line prefix up through the "header:" separator (leading whitespace +
+#        header name + colon + following whitespace), preserved verbatim.
+#   2 -> optional auth scheme word (Basic/Bearer/Digest/Negotiate/NTLM) plus
+#        its trailing space, preserved so "Authorization: Basic [REDACTED]"
+#        keeps the scheme. Empty for Cookie / raw-token forms.
+# Everything after that (the credential) is replaced with [REDACTED].
+_AUTH_HEADER = re.compile(
+    r"(?im)"
+    r"^([ \t]*(?:authorization|cookie|set-cookie)[ \t]*:[ \t]*)"   # 1: header prefix
+    r"((?:Basic|Bearer|Digest|Negotiate|NTLM)[ \t]+)?"             # 2: optional scheme
+    r"\S.*$"                                                        # the credential value
+)
+
 # PEM PRIVATE KEY blocks (any -----BEGIN ... PRIVATE KEY----- ... END block).
 # DOTALL so the body spanning newlines is matched and dropped whole.
 _PEM = re.compile(
@@ -131,6 +158,14 @@ _ENV_ASSIGN = re.compile(
 )
 
 
+def _auth_header_sub(m):
+    """Redact an HTTP auth/cookie header VALUE, keeping the header name and
+    (when present) the auth scheme word. Group 1 is the "header:" prefix, group
+    2 is the optional scheme (with trailing space) or None."""
+    prefix, scheme = m.group(1), m.group(2)
+    return prefix + (scheme or "") + "[REDACTED]"
+
+
 def _env_assign_sub(m):
     """Redact a secret assignment value, preserving key, separator and quotes.
 
@@ -231,6 +266,12 @@ def _redact_value(s):
     )
     total += n
 
+    # HTTP auth/cookie header lines: redact the whole credential value before
+    # token-level rules run, so a token inside the header value is not matched
+    # (and double-counted) separately. Keeps the header name + scheme word.
+    s, n = _AUTH_HEADER.subn(_auth_header_sub, s)
+    total += n
+
     # Token patterns (ordered most-specific-first).
     for pat, repl in _PATTERNS:
         s, n = pat.subn(repl, s)

package/autonomy/loki

@@ -16876,7 +16876,11 @@ PYEOF
         export)
             local output="${2:-learnings-export.json}"
 
-            LOKI_LEARNINGS_DIR="$learnings_dir" python3 -c "
+            # BUG-PU-010: pass the output filename via an environment variable
+            # rather than interpolating $output into the python -c source, so a
+            # filename containing quotes/backslashes/newlines cannot break out of
+            # the string literal or inject python.
+            LOKI_LEARNINGS_DIR="$learnings_dir" LOKI_LEARNINGS_OUT="$output" python3 -c "
 import json
 import os
 
@@ -16894,9 +16898,10 @@ for category in ['patterns', 'mistakes', 'successes']:
                         result[category].append(e)
                 except: pass
 
-with open('$output', 'w') as f:
+_out = os.environ['LOKI_LEARNINGS_OUT']
+with open(_out, 'w') as f:
     json.dump(result, f, indent=2)
-print(f'Exported to $output')
+print(f'Exported to {_out}')
 " 2>/dev/null
             ;;
 
@@ -25244,8 +25249,14 @@ generate_component(
 
     # 4. Register in registry
     log_info "Registering component"
+    # BUG-PU-010: pass free-text description/tags via environment variables and
+    # read them with os.environ in the python body, instead of interpolating raw
+    # user input into the python -c source (a value containing triple-quotes,
+    # backslashes, newlines, or $(...) would crash the script or inject code).
+    # Mirrors the LOKI_MEM_QUERY pattern in the memory-search path.
+    LOKI_MAGIC_DESC="$description" LOKI_MAGIC_TAGS="$tags" \
     PYTHONPATH="$(_magic_pypath)" "$py" -c "
-import sys
+import os, sys
 try:
     from magic.core.registry import register_component
 except Exception as exc:
@@ -25259,8 +25270,8 @@ register_component(
     react_path='.loki/magic/generated/react/${name}.tsx' if '$target' in ('react','both') else '',
     webcomponent_path='.loki/magic/generated/webcomponent/${name}.js' if '$target' in ('webcomponent','both') else '',
     test_path='.loki/magic/generated/tests/${name}.test.tsx',
-    description='''$description'''.strip(),
-    tags=[t.strip() for t in '''$tags'''.split(',') if t.strip()],
+    description=os.environ.get('LOKI_MAGIC_DESC', '').strip(),
+    tags=[t.strip() for t in os.environ.get('LOKI_MAGIC_TAGS', '').split(',') if t.strip()],
     placement='${placement}' or None,
 )
 " || {
@@ -25305,13 +25316,22 @@ _magic_update() {
         esac
     done
 
+    # BUG-PU-010: validate --name (defense in depth, mirroring _magic_generate)
+    # so a malicious value cannot reach the python body, AND pass it via an
+    # environment variable instead of interpolating it into the python -c source.
+    if [ -n "$name" ] && ! _magic_valid_name "$name"; then
+        log_error "Invalid component name: '$name' (must start with a letter, contain only letters, digits, _ or -)"
+        return 1
+    fi
+
     _magic_ensure_dirs
     local py
     py=$(_magic_python)
 
     log_info "Updating components from specs (name=${name:-<all>}, force=$force)"
+    LOKI_MAGIC_NAME="$name" \
     PYTHONPATH="$(_magic_pypath)" "$py" -c "
-import sys
+import os, sys
 try:
     from magic.core.generator import update_components
 except Exception as exc:
@@ -25319,7 +25339,7 @@ except Exception as exc:
     sys.exit(2)
 update_components(
     registry_path='.loki/magic/registry.json',
-    name='${name}' or None,
+    name=os.environ.get('LOKI_MAGIC_NAME', '') or None,
     force=$([ "$force" = "true" ] && echo True || echo False),
 )
 " || {

package/dashboard/__init__.py

@@ -7,7 +7,7 @@ Modules:
     control: Session control API (start/stop/pause/resume)
 """
 
-__version__ = "7.59.2"
+__version__ = "7.60.0"
 
 # Expose the control app for easy import
 try:

package/dashboard/api_v2.py

@@ -251,6 +251,25 @@ def resolve_tenant_context(
     )
 
 
+def _require_global_admin(tenant_ctx: TenantContext) -> None:
+    """Gate a tenant-lifecycle operation behind global-admin authority.
+
+    Creating, updating, or deleting a tenant is a global-admin-only operation:
+    it manages the isolation boundaries themselves, so a tenant-scoped caller
+    (even one holding the `control` scope, which does NOT imply `admin`) must
+    not perform it. A global admin is allowed. When auth is disabled there is
+    no caller identity to isolate -- single-user local mode -- so the operation
+    is permitted, mirroring TenantContext.enforce so legitimate single-tenant
+    and local flows are not broken.
+    """
+    if tenant_ctx.is_global_admin or not tenant_ctx.auth_enabled:
+        return
+    raise HTTPException(
+        status_code=403,
+        detail="Tenant lifecycle operations require global admin",
+    )
+
+
 async def _enforce_project_tenant(
     db: AsyncSession, tenant_ctx: TenantContext, project_id: int
 ) -> None:
@@ -306,8 +325,10 @@ async def create_tenant(
     db: AsyncSession = Depends(get_db),
     _auth: None = Depends(auth.require_scope("control")),
     token_info: Optional[dict] = Depends(auth.get_current_token),
+    tenant_ctx: TenantContext = Depends(resolve_tenant_context),
 ):
-    """Create a new tenant."""
+    """Create a new tenant (global-admin only)."""
+    _require_global_admin(tenant_ctx)
     tenant = await tenants_mod.create_tenant(
         db, name=body.name, description=body.description, settings=body.settings,
     )
@@ -366,8 +387,8 @@ async def update_tenant(
     token_info: Optional[dict] = Depends(auth.get_current_token),
     tenant_ctx: TenantContext = Depends(resolve_tenant_context),
 ):
-    """Update an existing tenant."""
-    tenant_ctx.enforce(tenant_id)
+    """Update an existing tenant (global-admin only)."""
+    _require_global_admin(tenant_ctx)
     tenant = await tenants_mod.update_tenant(
         db, tenant_id,
         name=body.name, description=body.description, settings=body.settings,
@@ -392,8 +413,8 @@ async def delete_tenant(
     token_info: Optional[dict] = Depends(auth.get_current_token),
     tenant_ctx: TenantContext = Depends(resolve_tenant_context),
 ):
-    """Delete a tenant."""
-    tenant_ctx.enforce(tenant_id)
+    """Delete a tenant (global-admin only)."""
+    _require_global_admin(tenant_ctx)
     deleted = await tenants_mod.delete_tenant(db, tenant_id)
     if not deleted:
         raise HTTPException(status_code=404, detail="Tenant not found")

package/docs/INSTALLATION.md

@@ -2,7 +2,7 @@
 
 The flagship product of [Autonomi](https://www.autonomi.dev/). Loki Mode is a spec-driven autonomous builder with a built-in trust layer that takes any spec to a deployed product and verifies completion with evidence (quality gates plus a completion council), not just a "done" claim. Complete installation instructions for all platforms and use cases.
 
-**Version:** v7.59.2
+**Version:** v7.60.0
 
 ---
 
@@ -395,7 +395,7 @@ provider works inside the container. Provide auth with your Anthropic API key:
 # Run Loki Mode in Docker (Claude provider, API-key auth)
 docker run --rm -e ANTHROPIC_API_KEY="$ANTHROPIC_API_KEY" \
   -v $(pwd):/workspace -w /workspace \
-  asklokesh/loki-mode:7.59.2 start ./my-spec.md
+  asklokesh/loki-mode:7.60.0 start ./my-spec.md
 ```
 
 ##### docker compose + .env (no host install)

package/loki-ts/dist/loki.js

@@ -1,5 +1,5 @@
 // @bun
-var r6=Object.defineProperty;var t6=($)=>$;function i6($,Q){this[$]=t6.bind(null,Q)}var h=($,Q)=>{for(var Z in Q)r6($,Z,{get:Q[Z],enumerable:!0,configurable:!0,set:i6.bind(Q,Z)})};var L=($,Q)=>()=>($&&(Q=$($=0)),Q);var K$=import.meta.require;var D1={};h(D1,{lokiDir:()=>P,homeLokiDir:()=>n$,findRepoRootForVersion:()=>o$,REPO_ROOT:()=>g});import{resolve as n,dirname as d$}from"path";import{fileURLToPath as e6}from"url";import{existsSync as P$}from"fs";import{homedir as $Q}from"os";function QQ(){let $=S1;for(let Q=0;Q<6;Q++){if(P$(n($,"VERSION"))&&P$(n($,"autonomy/run.sh")))return $;let Z=d$($);if(Z===$)break;$=Z}return n(S1,"..","..","..")}function o$($){let Q=$;for(let Z=0;Z<6;Z++){if(P$(n(Q,"VERSION"))&&P$(n(Q,"autonomy/run.sh")))return Q;let z=d$(Q);if(z===Q)break;Q=z}return n($,"..","..","..")}function P(){return process.env.LOKI_DIR??n(process.cwd(),".loki")}function n$(){return n($Q(),".loki")}var S1,g;var b=L(()=>{S1=d$(e6(import.meta.url));g=QQ()});import{readFileSync as ZQ}from"fs";import{resolve as zQ,dirname as XQ}from"path";import{fileURLToPath as KQ}from"url";function j$(){if($$!==null)return $$;let $="7.59.2";if(typeof $==="string"&&$.length>0)return $$=$,$$;try{let Q=XQ(KQ(import.meta.url)),Z=o$(Q);$$=ZQ(zQ(Z,"VERSION"),"utf-8").trim()}catch{$$="unknown"}return $$}var $$=null;var a$=L(()=>{b()});var b1={};h(b1,{runOrThrow:()=>qQ,run:()=>k,commandVersion:()=>WQ,commandExists:()=>f,ShellError:()=>s$});async function k($,Q={}){let Z=Bun.spawn({cmd:[...$],stdout:"pipe",stderr:"pipe",env:Q.env?{...process.env,...Q.env}:process.env,cwd:Q.cwd}),z,X;if(Q.timeoutMs&&Q.timeoutMs>0)z=setTimeout(()=>{try{Z.kill("SIGTERM")}catch{}X=setTimeout(()=>{try{Z.kill("SIGKILL")}catch{}},2000)},Q.timeoutMs);try{let[q,K,W]=await Promise.all([new Response(Z.stdout).text(),new Response(Z.stderr).text(),Z.exited]);return{stdout:q,stderr:K,exitCode:W}}finally{if(z)clearTimeout(z);if(X)clearTimeout(X)}}async function qQ($,Q={}){let Z=await k($,Q);if(Z.exitCode!==0)throw new s$(`command failed (${Z.exitCode}): ${$.join(" ")}`,Z.exitCode,Z.stdout,Z.stderr);return Z}async function f($){let Q=VQ($),Z=await k(["sh","-c",`command -v ${Q}`],{timeoutMs:5000});if(Z.exitCode===0)return Z.stdout.trim()||null;return null}function VQ($){if(!/^[A-Za-z0-9._/-]+$/.test($))throw Error(`refused to shell-escape suspect token: ${$}`);return $}async function WQ($,Q="--version"){if(!await f($))return null;let z=await k([$,Q],{timeoutMs:5000});if(z.exitCode!==0)return null;return((z.stdout||z.stderr).split(/\r?\n/)[0]?.trim()??"")||null}var s$;var d=L(()=>{s$=class s$ extends Error{message;exitCode;stdout;stderr;constructor($,Q,Z,z){super($);this.message=$;this.exitCode=Q;this.stdout=Z;this.stderr=z;this.name="ShellError"}}});function a($){return JQ?"":$}var JQ,T,S,_,wZ,I,R,y,V;var c=L(()=>{JQ=(process.env.NO_COLOR??"").length>0;T=a("\x1B[0;31m"),S=a("\x1B[0;32m"),_=a("\x1B[1;33m"),wZ=a("\x1B[0;34m"),I=a("\x1B[0;36m"),R=a("\x1B[1m"),y=a("\x1B[2m"),V=a("\x1B[0m")});import{existsSync as wQ}from"fs";async function Q$(){if(G$!==void 0)return G$;let $="/opt/homebrew/bin/python3.12";if(wQ($))return G$=$,$;let Q=await f("python3.12");if(Q)return G$=Q,Q;let Z=await f("python3");return G$=Z,Z}async function Z$($,Q={}){let Z=await Q$();if(!Z)return{stdout:"",stderr:"python3 not found",exitCode:127};return k([Z,"-c",$],Q)}var G$;var q$=L(()=>{d()});var e1={};h(e1,{runStatus:()=>uQ});import{existsSync as v,readFileSync as W$,readdirSync as d1,statSync as o1}from"fs";import{resolve as C,basename as DQ}from"path";import{homedir as CQ}from"os";function n1($){let Q=Math.trunc($);if(Q>=1e6)return`${(Math.trunc(Q/1e6*10)/10).toFixed(1)}M`;if(Q>=1000)return`${(Math.trunc(Q/1000*10)/10).toFixed(1)}K`;return String(Q)}function a1($,Q,Z){if(Q===0)return null;let z=Math.trunc($*100/Q),X=Math.trunc($*k$/Q);if(X>k$)X=k$;let q=k$-X,K=S;if(z>=80)K=T;else if(z>=50)K=_;let W="=".repeat(Math.max(0,X))+" ".repeat(Math.max(0,q)),J=n1($),U=n1(Q);return`  ${R}${Z}${V} ${K}[${W}]${V} ${z}% (${J} / ${U})`}async function hQ(){if(await f("jq"))return!0;return process.stdout.write(`${T}Error: jq is required but not installed.${V}
+var r6=Object.defineProperty;var t6=($)=>$;function i6($,Q){this[$]=t6.bind(null,Q)}var h=($,Q)=>{for(var Z in Q)r6($,Z,{get:Q[Z],enumerable:!0,configurable:!0,set:i6.bind(Q,Z)})};var L=($,Q)=>()=>($&&(Q=$($=0)),Q);var K$=import.meta.require;var D1={};h(D1,{lokiDir:()=>P,homeLokiDir:()=>n$,findRepoRootForVersion:()=>o$,REPO_ROOT:()=>g});import{resolve as n,dirname as d$}from"path";import{fileURLToPath as e6}from"url";import{existsSync as P$}from"fs";import{homedir as $Q}from"os";function QQ(){let $=S1;for(let Q=0;Q<6;Q++){if(P$(n($,"VERSION"))&&P$(n($,"autonomy/run.sh")))return $;let Z=d$($);if(Z===$)break;$=Z}return n(S1,"..","..","..")}function o$($){let Q=$;for(let Z=0;Z<6;Z++){if(P$(n(Q,"VERSION"))&&P$(n(Q,"autonomy/run.sh")))return Q;let z=d$(Q);if(z===Q)break;Q=z}return n($,"..","..","..")}function P(){return process.env.LOKI_DIR??n(process.cwd(),".loki")}function n$(){return n($Q(),".loki")}var S1,g;var b=L(()=>{S1=d$(e6(import.meta.url));g=QQ()});import{readFileSync as ZQ}from"fs";import{resolve as zQ,dirname as XQ}from"path";import{fileURLToPath as KQ}from"url";function j$(){if($$!==null)return $$;let $="7.60.0";if(typeof $==="string"&&$.length>0)return $$=$,$$;try{let Q=XQ(KQ(import.meta.url)),Z=o$(Q);$$=ZQ(zQ(Z,"VERSION"),"utf-8").trim()}catch{$$="unknown"}return $$}var $$=null;var a$=L(()=>{b()});var b1={};h(b1,{runOrThrow:()=>qQ,run:()=>k,commandVersion:()=>WQ,commandExists:()=>f,ShellError:()=>s$});async function k($,Q={}){let Z=Bun.spawn({cmd:[...$],stdout:"pipe",stderr:"pipe",env:Q.env?{...process.env,...Q.env}:process.env,cwd:Q.cwd}),z,X;if(Q.timeoutMs&&Q.timeoutMs>0)z=setTimeout(()=>{try{Z.kill("SIGTERM")}catch{}X=setTimeout(()=>{try{Z.kill("SIGKILL")}catch{}},2000)},Q.timeoutMs);try{let[q,K,W]=await Promise.all([new Response(Z.stdout).text(),new Response(Z.stderr).text(),Z.exited]);return{stdout:q,stderr:K,exitCode:W}}finally{if(z)clearTimeout(z);if(X)clearTimeout(X)}}async function qQ($,Q={}){let Z=await k($,Q);if(Z.exitCode!==0)throw new s$(`command failed (${Z.exitCode}): ${$.join(" ")}`,Z.exitCode,Z.stdout,Z.stderr);return Z}async function f($){let Q=VQ($),Z=await k(["sh","-c",`command -v ${Q}`],{timeoutMs:5000});if(Z.exitCode===0)return Z.stdout.trim()||null;return null}function VQ($){if(!/^[A-Za-z0-9._/-]+$/.test($))throw Error(`refused to shell-escape suspect token: ${$}`);return $}async function WQ($,Q="--version"){if(!await f($))return null;let z=await k([$,Q],{timeoutMs:5000});if(z.exitCode!==0)return null;return((z.stdout||z.stderr).split(/\r?\n/)[0]?.trim()??"")||null}var s$;var d=L(()=>{s$=class s$ extends Error{message;exitCode;stdout;stderr;constructor($,Q,Z,z){super($);this.message=$;this.exitCode=Q;this.stdout=Z;this.stderr=z;this.name="ShellError"}}});function a($){return JQ?"":$}var JQ,T,S,_,wZ,I,R,y,V;var c=L(()=>{JQ=(process.env.NO_COLOR??"").length>0;T=a("\x1B[0;31m"),S=a("\x1B[0;32m"),_=a("\x1B[1;33m"),wZ=a("\x1B[0;34m"),I=a("\x1B[0;36m"),R=a("\x1B[1m"),y=a("\x1B[2m"),V=a("\x1B[0m")});import{existsSync as wQ}from"fs";async function Q$(){if(G$!==void 0)return G$;let $="/opt/homebrew/bin/python3.12";if(wQ($))return G$=$,$;let Q=await f("python3.12");if(Q)return G$=Q,Q;let Z=await f("python3");return G$=Z,Z}async function Z$($,Q={}){let Z=await Q$();if(!Z)return{stdout:"",stderr:"python3 not found",exitCode:127};return k([Z,"-c",$],Q)}var G$;var q$=L(()=>{d()});var e1={};h(e1,{runStatus:()=>uQ});import{existsSync as v,readFileSync as W$,readdirSync as d1,statSync as o1}from"fs";import{resolve as C,basename as DQ}from"path";import{homedir as CQ}from"os";function n1($){let Q=Math.trunc($);if(Q>=1e6)return`${(Math.trunc(Q/1e6*10)/10).toFixed(1)}M`;if(Q>=1000)return`${(Math.trunc(Q/1000*10)/10).toFixed(1)}K`;return String(Q)}function a1($,Q,Z){if(Q===0)return null;let z=Math.trunc($*100/Q),X=Math.trunc($*k$/Q);if(X>k$)X=k$;let q=k$-X,K=S;if(z>=80)K=T;else if(z>=50)K=_;let W="=".repeat(Math.max(0,X))+" ".repeat(Math.max(0,q)),J=n1($),U=n1(Q);return`  ${R}${Z}${V} ${K}[${W}]${V} ${z}% (${J} / ${U})`}async function hQ(){if(await f("jq"))return!0;return process.stdout.write(`${T}Error: jq is required but not installed.${V}
 `),process.stdout.write(`Install with:
 `),process.stdout.write(`  brew install jq    (macOS)
 `),process.stdout.write(`  apt install jq     (Debian/Ubuntu)
@@ -790,4 +790,4 @@ Set LOKI_LEGACY_BASH=1 to force the bash CLI for every command.
 `),2}default:return process.stderr.write(`Unknown command: ${Q}
 `),process.stderr.write(s6),2}}l1();process.on("SIGINT",()=>process.exit(130));process.on("SIGTERM",()=>process.exit(143));var KZ=await XZ(Bun.argv.slice(2));process.exit(KZ);
 
-//# debugId=6FFE51233FAA69E664756E2164756E21
+//# debugId=B963F5BED7BF3C2664756E2164756E21

package/mcp/__init__.py

@@ -57,4 +57,4 @@ try:
 except ImportError:
     __all__ = ['mcp']
 
-__version__ = '7.59.2'
+__version__ = '7.60.0'

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "loki-mode",
   "mcpName": "io.github.asklokesh/loki-mode",
-  "version": "7.59.2",
+  "version": "7.60.0",
   "description": "Loki Mode by Autonomi. Autonomous spec-to-product system: takes a PRD, GitHub issue, OpenAPI/JSON/YAML, or one-line brief to a deployed app via the RARV-C closure loop with 8 quality gates. Provider-agnostic (Claude Code, OpenAI Codex, Cline, Aider).",
   "keywords": [
     "agent",

package/plugins/loki-mode/.claude-plugin/plugin.json

@@ -2,7 +2,7 @@
   "$schema": "https://json.schemastore.org/claude-code-plugin-manifest.json",
   "name": "loki-mode",
   "displayName": "Loki Mode",
-  "version": "7.59.2",
+  "version": "7.60.0",
   "description": "Autonomous spec-to-product build system with a built-in trust layer (RARV-C closure loop, 8 quality gates, completion council). Ships Loki's spec-hardening, drift-detection, and deterministic PR verification commands plus the Loki MCP server.",
   "author": {
     "name": "Autonomi",

package/src/policies/check.js

@@ -24,9 +24,38 @@ var engine;
 try {
     engine = new PolicyEngine(projectDir);
 } catch (e) {
-    // No policies configured - allow by default
-    process.stdout.write(JSON.stringify({ allowed: true, decision: 'ALLOW', reason: 'No policies configured' }));
-    process.exit(0);
+    // A security control that cannot instantiate must FAIL CLOSED (deny),
+    // never allow by default. An unexpected error here means we cannot make
+    // a sound policy decision, so we deny rather than silently disable
+    // enforcement.
+    process.stdout.write(JSON.stringify({
+        allowed: false,
+        decision: 'DENY',
+        reason: 'Policy engine failed to initialize: ' + e.message,
+        requiresApproval: false,
+        violations: [],
+    }));
+    process.stderr.write('Policy engine failed to initialize: ' + e.message + '\n');
+    process.exit(1);
+}
+
+// Fail-closed on a present-but-unparseable policy file. If a policy file
+// exists on disk but could not be loaded (corrupt JSON / bad YAML), the engine
+// records the error and leaves _policies null. Falling through to evaluate()
+// would return the misleading "No policies configured" ALLOW, silently
+// disabling all policy enforcement. A security control that disables itself on
+// malformed config is fail-open; deny instead.
+if (engine.hasLoadErrors()) {
+    var loadErrors = engine.getValidationErrors();
+    process.stdout.write(JSON.stringify({
+        allowed: false,
+        decision: 'DENY',
+        reason: 'Policy file present but could not be loaded (fail-closed): ' + loadErrors.join('; '),
+        requiresApproval: false,
+        violations: [],
+    }));
+    process.stderr.write('Policy file present but could not be loaded; denying (fail-closed): ' + loadErrors.join('; ') + '\n');
+    process.exit(1);
 }
 
 var result = engine.evaluate(enforcementPoint, context);

package/src/policies/engine.js

@@ -590,6 +590,26 @@ class PolicyEngine {
     return this._validationErrors;
   }
 
+  /**
+   * Whether a policy file is present on disk but could not be parsed/loaded
+   * into a usable policy object.
+   *
+   * This is the fail-closed discriminator: it is true only when a policy file
+   * exists (_policyPath set) yet parsing failed (_policies === null). It is
+   * deliberately NOT keyed off getValidationErrors() length, because a valid
+   * policy file can still carry soft warnings (e.g. an unrecognized rule
+   * string) while parsing cleanly into a non-null _policies object. Those
+   * warnings must not disable enforcement.
+   *
+   * When no policy file exists at all, _policyPath is null and this returns
+   * false, preserving the legitimate "no policies -> allow" behavior.
+   *
+   * @returns {boolean}
+   */
+  hasLoadErrors() {
+    return this._policyPath !== null && this._policies === null;
+  }
+
   /**
    * Stop watching the policy file.
    */