loki-mode 7.61.0 → 7.62.0

package/SKILL.md

@@ -3,7 +3,7 @@ name: loki-mode
 description: Autonomous spec-driven build system with a built-in trust layer. It does not call work done until it is verified (RARV-C closure loop, 8 quality gates, completion council, verified-completion evidence gate). Triggers on "Loki Mode". Takes a spec (PRD, GitHub issue, OpenAPI doc, etc.) to deployed product with minimal human intervention. Provider-agnostic. Requires --dangerously-skip-permissions flag.
 ---
 
-# Loki Mode v7.61.0
+# Loki Mode v7.62.0
 
 **You are an autonomous agent. You make decisions. You do not ask questions. You do not stop.**
 
@@ -406,4 +406,4 @@ See `CHANGELOG.md` entries [7.5.7], [7.5.8], [7.5.13] for the per-fix list and r
 
 ---
 
-**v7.61.0 | [Autonomi](https://www.autonomi.dev/) flagship product | ~260 lines core**
+**v7.62.0 | [Autonomi](https://www.autonomi.dev/) flagship product | ~260 lines core**

package/VERSION

@@ -1 +1 @@
-7.61.0
+7.62.0

package/autonomy/app-runner.sh

@@ -1374,20 +1374,59 @@ app_runner_health_check() {
         return 1
     fi
 
-    # For HTTP apps, try an HTTP health check
+    # For HTTP apps, try an HTTP health check.
     if [ -n "$_APP_RUNNER_PORT" ] && [ "$_APP_RUNNER_PORT" -gt 0 ] 2>/dev/null; then
-        if curl -sf -o /dev/null -m 5 "http://localhost:${_APP_RUNNER_PORT}/" 2>/dev/null; then
+        # The health signal is "is the server answering HTTP at all", NOT "does /
+        # return 2xx". Loki generates plenty of apps that legitimately serve a
+        # non-2xx on the root path (an API-only FastAPI/Express backend 404s on
+        # `/`, anything behind auth 401s). Those are serving correctly, so a
+        # status-strict probe (curl -f, which fails on >=400) would mark a healthy
+        # backend unhealthy and trigger a needless restart -> a restart storm /
+        # false crash. What genuinely means "no longer serving" -- a hung event
+        # loop, a deadlock, a wedged dev server -- is a connection that times out
+        # or is refused, i.e. NO HTTP response at all. So we read the HTTP status
+        # code: any code returned (2xx/3xx/4xx/5xx) means the server answered and
+        # is alive; "000" is curl's sentinel for connect-failure/timeout/reset
+        # and is the only thing we treat as a crash.
+        # If curl is unavailable we cannot probe HTTP at all; fall back to the
+        # old, more tolerant signal (PID alive == healthy) rather than declaring
+        # every HTTP app wedged and triggering a restart storm. curl is the only
+        # HTTP client this function uses.
+        if ! command -v curl >/dev/null 2>&1; then
             _write_health "true"
             _write_app_state "running"
             return 0
-        else
-            # HTTP failed but process alive -- may be a non-HTTP app or still starting
+        fi
+        # On connect-failure/timeout curl already prints "000" via %{http_code}
+        # and exits non-zero; do NOT append our own "000" (a `|| echo 000` would
+        # concatenate to "000000"). The trailing `|| true` swallows the non-zero
+        # exit (matching this file's guarded command-substitution convention, e.g.
+        # the _GIT_DIFF_HASH / port reads) so the watchdog never aborts under a
+        # future `set -e`; the empty fallback then maps to "000".
+        local _http_code
+        _http_code=$(curl -s -o /dev/null -m 5 -w '%{http_code}' \
+            "http://localhost:${_APP_RUNNER_PORT}/" 2>/dev/null || true)
+        _http_code="${_http_code:-000}"
+        if [ "$_http_code" != "000" ]; then
             _write_health "true"
+            _write_app_state "running"
             return 0
+        else
+            # No HTTP response: the process is alive (kill -0 passed above) but is
+            # not serving on its declared port -- a wedged/hung/deadlocked server.
+            # Previously this branch wrote ok:true unconditionally, so the HTTP
+            # signal could never report a failure and a wedged server stayed
+            # "healthy" forever. Report the failure honestly so the watchdog can
+            # act on it. We deliberately do NOT flip state.json to "crashed" here
+            # (mirroring the dead-PID precedent above at the kill -0 check); the
+            # watchdog owns the crashed transition after its circuit breaker, so a
+            # single transient blip does not prematurely mark the app crashed.
+            _write_health "false"
+            return 1
         fi
     fi
 
-    # Non-HTTP: PID alive is sufficient
+    # Non-HTTP: PID alive is sufficient (no URL/port to probe)
     _write_health "true"
     return 0
 }
@@ -1477,17 +1516,35 @@ app_runner_watchdog() {
         return 0
     fi
 
-    # Process alive, nothing to do
+    # Process alive: kill -0 only proves the PID exists, not that the app is
+    # actually serving. A hung event loop, a deadlock, or a wedged dev server
+    # all pass kill -0 forever while never answering a request, so the old
+    # "alive == healthy" shortcut let a wedged HTTP app run un-restarted and
+    # left health.json stale. Mirror the compose branch: defer to
+    # app_runner_health_check (HTTP-aware for apps that declared a port), and
+    # treat an unhealthy-but-alive process as a crash so the same circuit
+    # breaker + backoff + restart path handles it.
     if kill -0 "$_APP_RUNNER_PID" 2>/dev/null; then
-        # BUG 3 fix: a confirmed-alive observation clears the accumulated crash
-        # count so the breaker fires only on 5 CONSECUTIVE deaths, not on 5
-        # cumulative crashes that were each successfully recovered over a long
-        # session (which would trip the breaker on a HEALTHY app).
-        _APP_RUNNER_CRASH_COUNT=0
-        return 0
+        if app_runner_health_check; then
+            # BUG 3 fix: a confirmed-healthy observation clears the accumulated
+            # crash count so the breaker fires only on 5 CONSECUTIVE failures,
+            # not on 5 cumulative crashes that were each successfully recovered
+            # over a long session (which would trip the breaker on a HEALTHY app).
+            _APP_RUNNER_CRASH_COUNT=0
+            return 0
+        fi
+        # Alive but not healthy (e.g. HTTP probe failed for an app that declared
+        # a port). Fall through to the crash path below, but first terminate the
+        # wedged process: it is still bound to the port, so app_runner_start's
+        # port-conflict guard would otherwise refuse to start and the breaker
+        # would trip while the orphan keeps serving hung responses (a restart
+        # storm). app_runner_stop performs a full process-tree teardown and
+        # clears _APP_RUNNER_PID / app.pid, leaving a clean slate for restart.
+        log_warn "App Runner: process alive but unhealthy (not serving) -- treating as crash"
+        app_runner_stop
     fi
 
-    # Process is dead
+    # Process is dead (or was just torn down because it was alive-but-wedged)
     _APP_RUNNER_CRASH_COUNT=$(( _APP_RUNNER_CRASH_COUNT + 1 ))
     log_warn "App Runner: process died (crash #$_APP_RUNNER_CRASH_COUNT)"
 

package/autonomy/run.sh

@@ -9809,9 +9809,16 @@ CPEOF
             old_cp="${checkpoint_dir}/${old_cp}"
             rm -rf "$old_cp" 2>/dev/null || true
         done
-        # Rebuild index atomically from remaining checkpoints (sorted by epoch)
+        # Rebuild index atomically from remaining checkpoints (sorted by epoch).
+        # BUG-ST-012: sort on the checkpoint dir BASENAME, not the full path.
+        # Checkpoint ids are cp-<iter>-<epoch> so basename field 3 is the epoch,
+        # but a full path like .../loki-mode/.loki/.../cp-N-EPOCH/metadata.json has
+        # extra hyphens (e.g. the loki-mode cwd) that shift the epoch out of field 3.
+        # Prefix each path with a basename-derived key, sort on it, then strip it.
         local tmp_index="${index_file}.tmp.$$"
-        for remaining in $(find "$checkpoint_dir" -maxdepth 2 -name "metadata.json" -path "*/cp-*/*" 2>/dev/null | sort -t'-' -k3 -n); do
+        for remaining in $(find "$checkpoint_dir" -maxdepth 2 -name "metadata.json" -path "*/cp-*/*" 2>/dev/null \
+            | while read -r mp; do printf '%s\t%s\n' "$(basename "$(dirname "$mp")")" "$mp"; done \
+            | sort -t'-' -k3 -n | cut -f2-); do
             [ -f "$remaining" ] || continue
             _CP_META="$remaining" python3 -c "
 import json,os

package/dashboard/__init__.py

@@ -7,7 +7,7 @@ Modules:
     control: Session control API (start/stop/pause/resume)
 """
 
-__version__ = "7.61.0"
+__version__ = "7.62.0"
 
 # Expose the control app for easy import
 try:

package/docs/INSTALLATION.md

@@ -2,7 +2,7 @@
 
 The flagship product of [Autonomi](https://www.autonomi.dev/). Loki Mode is a spec-driven autonomous builder with a built-in trust layer that takes any spec to a deployed product and verifies completion with evidence (quality gates plus a completion council), not just a "done" claim. Complete installation instructions for all platforms and use cases.
 
-**Version:** v7.61.0
+**Version:** v7.62.0
 
 ---
 
@@ -395,7 +395,7 @@ provider works inside the container. Provide auth with your Anthropic API key:
 # Run Loki Mode in Docker (Claude provider, API-key auth)
 docker run --rm -e ANTHROPIC_API_KEY="$ANTHROPIC_API_KEY" \
   -v $(pwd):/workspace -w /workspace \
-  asklokesh/loki-mode:7.61.0 start ./my-spec.md
+  asklokesh/loki-mode:7.62.0 start ./my-spec.md
 ```
 
 ##### docker compose + .env (no host install)

package/loki-ts/dist/loki.js

@@ -1,5 +1,5 @@
 // @bun
-var r6=Object.defineProperty;var t6=($)=>$;function i6($,Q){this[$]=t6.bind(null,Q)}var h=($,Q)=>{for(var Z in Q)r6($,Z,{get:Q[Z],enumerable:!0,configurable:!0,set:i6.bind(Q,Z)})};var L=($,Q)=>()=>($&&(Q=$($=0)),Q);var K$=import.meta.require;var D1={};h(D1,{lokiDir:()=>P,homeLokiDir:()=>n$,findRepoRootForVersion:()=>o$,REPO_ROOT:()=>g});import{resolve as n,dirname as d$}from"path";import{fileURLToPath as e6}from"url";import{existsSync as P$}from"fs";import{homedir as $Q}from"os";function QQ(){let $=S1;for(let Q=0;Q<6;Q++){if(P$(n($,"VERSION"))&&P$(n($,"autonomy/run.sh")))return $;let Z=d$($);if(Z===$)break;$=Z}return n(S1,"..","..","..")}function o$($){let Q=$;for(let Z=0;Z<6;Z++){if(P$(n(Q,"VERSION"))&&P$(n(Q,"autonomy/run.sh")))return Q;let z=d$(Q);if(z===Q)break;Q=z}return n($,"..","..","..")}function P(){return process.env.LOKI_DIR??n(process.cwd(),".loki")}function n$(){return n($Q(),".loki")}var S1,g;var b=L(()=>{S1=d$(e6(import.meta.url));g=QQ()});import{readFileSync as ZQ}from"fs";import{resolve as zQ,dirname as XQ}from"path";import{fileURLToPath as KQ}from"url";function j$(){if($$!==null)return $$;let $="7.61.0";if(typeof $==="string"&&$.length>0)return $$=$,$$;try{let Q=XQ(KQ(import.meta.url)),Z=o$(Q);$$=ZQ(zQ(Z,"VERSION"),"utf-8").trim()}catch{$$="unknown"}return $$}var $$=null;var a$=L(()=>{b()});var b1={};h(b1,{runOrThrow:()=>qQ,run:()=>k,commandVersion:()=>WQ,commandExists:()=>f,ShellError:()=>s$});async function k($,Q={}){let Z=Bun.spawn({cmd:[...$],stdout:"pipe",stderr:"pipe",env:Q.env?{...process.env,...Q.env}:process.env,cwd:Q.cwd}),z,X;if(Q.timeoutMs&&Q.timeoutMs>0)z=setTimeout(()=>{try{Z.kill("SIGTERM")}catch{}X=setTimeout(()=>{try{Z.kill("SIGKILL")}catch{}},2000)},Q.timeoutMs);try{let[q,K,W]=await Promise.all([new Response(Z.stdout).text(),new Response(Z.stderr).text(),Z.exited]);return{stdout:q,stderr:K,exitCode:W}}finally{if(z)clearTimeout(z);if(X)clearTimeout(X)}}async function qQ($,Q={}){let Z=await k($,Q);if(Z.exitCode!==0)throw new s$(`command failed (${Z.exitCode}): ${$.join(" ")}`,Z.exitCode,Z.stdout,Z.stderr);return Z}async function f($){let Q=VQ($),Z=await k(["sh","-c",`command -v ${Q}`],{timeoutMs:5000});if(Z.exitCode===0)return Z.stdout.trim()||null;return null}function VQ($){if(!/^[A-Za-z0-9._/-]+$/.test($))throw Error(`refused to shell-escape suspect token: ${$}`);return $}async function WQ($,Q="--version"){if(!await f($))return null;let z=await k([$,Q],{timeoutMs:5000});if(z.exitCode!==0)return null;return((z.stdout||z.stderr).split(/\r?\n/)[0]?.trim()??"")||null}var s$;var d=L(()=>{s$=class s$ extends Error{message;exitCode;stdout;stderr;constructor($,Q,Z,z){super($);this.message=$;this.exitCode=Q;this.stdout=Z;this.stderr=z;this.name="ShellError"}}});function a($){return JQ?"":$}var JQ,T,S,_,wZ,I,R,y,V;var c=L(()=>{JQ=(process.env.NO_COLOR??"").length>0;T=a("\x1B[0;31m"),S=a("\x1B[0;32m"),_=a("\x1B[1;33m"),wZ=a("\x1B[0;34m"),I=a("\x1B[0;36m"),R=a("\x1B[1m"),y=a("\x1B[2m"),V=a("\x1B[0m")});import{existsSync as wQ}from"fs";async function Q$(){if(G$!==void 0)return G$;let $="/opt/homebrew/bin/python3.12";if(wQ($))return G$=$,$;let Q=await f("python3.12");if(Q)return G$=Q,Q;let Z=await f("python3");return G$=Z,Z}async function Z$($,Q={}){let Z=await Q$();if(!Z)return{stdout:"",stderr:"python3 not found",exitCode:127};return k([Z,"-c",$],Q)}var G$;var q$=L(()=>{d()});var e1={};h(e1,{runStatus:()=>uQ});import{existsSync as v,readFileSync as W$,readdirSync as d1,statSync as o1}from"fs";import{resolve as C,basename as DQ}from"path";import{homedir as CQ}from"os";function n1($){let Q=Math.trunc($);if(Q>=1e6)return`${(Math.trunc(Q/1e6*10)/10).toFixed(1)}M`;if(Q>=1000)return`${(Math.trunc(Q/1000*10)/10).toFixed(1)}K`;return String(Q)}function a1($,Q,Z){if(Q===0)return null;let z=Math.trunc($*100/Q),X=Math.trunc($*k$/Q);if(X>k$)X=k$;let q=k$-X,K=S;if(z>=80)K=T;else if(z>=50)K=_;let W="=".repeat(Math.max(0,X))+" ".repeat(Math.max(0,q)),J=n1($),U=n1(Q);return`  ${R}${Z}${V} ${K}[${W}]${V} ${z}% (${J} / ${U})`}async function hQ(){if(await f("jq"))return!0;return process.stdout.write(`${T}Error: jq is required but not installed.${V}
+var r6=Object.defineProperty;var t6=($)=>$;function i6($,Q){this[$]=t6.bind(null,Q)}var h=($,Q)=>{for(var Z in Q)r6($,Z,{get:Q[Z],enumerable:!0,configurable:!0,set:i6.bind(Q,Z)})};var L=($,Q)=>()=>($&&(Q=$($=0)),Q);var K$=import.meta.require;var D1={};h(D1,{lokiDir:()=>P,homeLokiDir:()=>n$,findRepoRootForVersion:()=>o$,REPO_ROOT:()=>g});import{resolve as n,dirname as d$}from"path";import{fileURLToPath as e6}from"url";import{existsSync as P$}from"fs";import{homedir as $Q}from"os";function QQ(){let $=S1;for(let Q=0;Q<6;Q++){if(P$(n($,"VERSION"))&&P$(n($,"autonomy/run.sh")))return $;let Z=d$($);if(Z===$)break;$=Z}return n(S1,"..","..","..")}function o$($){let Q=$;for(let Z=0;Z<6;Z++){if(P$(n(Q,"VERSION"))&&P$(n(Q,"autonomy/run.sh")))return Q;let z=d$(Q);if(z===Q)break;Q=z}return n($,"..","..","..")}function P(){return process.env.LOKI_DIR??n(process.cwd(),".loki")}function n$(){return n($Q(),".loki")}var S1,g;var b=L(()=>{S1=d$(e6(import.meta.url));g=QQ()});import{readFileSync as ZQ}from"fs";import{resolve as zQ,dirname as XQ}from"path";import{fileURLToPath as KQ}from"url";function j$(){if($$!==null)return $$;let $="7.62.0";if(typeof $==="string"&&$.length>0)return $$=$,$$;try{let Q=XQ(KQ(import.meta.url)),Z=o$(Q);$$=ZQ(zQ(Z,"VERSION"),"utf-8").trim()}catch{$$="unknown"}return $$}var $$=null;var a$=L(()=>{b()});var b1={};h(b1,{runOrThrow:()=>qQ,run:()=>k,commandVersion:()=>WQ,commandExists:()=>f,ShellError:()=>s$});async function k($,Q={}){let Z=Bun.spawn({cmd:[...$],stdout:"pipe",stderr:"pipe",env:Q.env?{...process.env,...Q.env}:process.env,cwd:Q.cwd}),z,X;if(Q.timeoutMs&&Q.timeoutMs>0)z=setTimeout(()=>{try{Z.kill("SIGTERM")}catch{}X=setTimeout(()=>{try{Z.kill("SIGKILL")}catch{}},2000)},Q.timeoutMs);try{let[q,K,W]=await Promise.all([new Response(Z.stdout).text(),new Response(Z.stderr).text(),Z.exited]);return{stdout:q,stderr:K,exitCode:W}}finally{if(z)clearTimeout(z);if(X)clearTimeout(X)}}async function qQ($,Q={}){let Z=await k($,Q);if(Z.exitCode!==0)throw new s$(`command failed (${Z.exitCode}): ${$.join(" ")}`,Z.exitCode,Z.stdout,Z.stderr);return Z}async function f($){let Q=VQ($),Z=await k(["sh","-c",`command -v ${Q}`],{timeoutMs:5000});if(Z.exitCode===0)return Z.stdout.trim()||null;return null}function VQ($){if(!/^[A-Za-z0-9._/-]+$/.test($))throw Error(`refused to shell-escape suspect token: ${$}`);return $}async function WQ($,Q="--version"){if(!await f($))return null;let z=await k([$,Q],{timeoutMs:5000});if(z.exitCode!==0)return null;return((z.stdout||z.stderr).split(/\r?\n/)[0]?.trim()??"")||null}var s$;var d=L(()=>{s$=class s$ extends Error{message;exitCode;stdout;stderr;constructor($,Q,Z,z){super($);this.message=$;this.exitCode=Q;this.stdout=Z;this.stderr=z;this.name="ShellError"}}});function a($){return JQ?"":$}var JQ,T,S,_,wZ,I,R,y,V;var c=L(()=>{JQ=(process.env.NO_COLOR??"").length>0;T=a("\x1B[0;31m"),S=a("\x1B[0;32m"),_=a("\x1B[1;33m"),wZ=a("\x1B[0;34m"),I=a("\x1B[0;36m"),R=a("\x1B[1m"),y=a("\x1B[2m"),V=a("\x1B[0m")});import{existsSync as wQ}from"fs";async function Q$(){if(G$!==void 0)return G$;let $="/opt/homebrew/bin/python3.12";if(wQ($))return G$=$,$;let Q=await f("python3.12");if(Q)return G$=Q,Q;let Z=await f("python3");return G$=Z,Z}async function Z$($,Q={}){let Z=await Q$();if(!Z)return{stdout:"",stderr:"python3 not found",exitCode:127};return k([Z,"-c",$],Q)}var G$;var q$=L(()=>{d()});var e1={};h(e1,{runStatus:()=>uQ});import{existsSync as v,readFileSync as W$,readdirSync as d1,statSync as o1}from"fs";import{resolve as C,basename as DQ}from"path";import{homedir as CQ}from"os";function n1($){let Q=Math.trunc($);if(Q>=1e6)return`${(Math.trunc(Q/1e6*10)/10).toFixed(1)}M`;if(Q>=1000)return`${(Math.trunc(Q/1000*10)/10).toFixed(1)}K`;return String(Q)}function a1($,Q,Z){if(Q===0)return null;let z=Math.trunc($*100/Q),X=Math.trunc($*k$/Q);if(X>k$)X=k$;let q=k$-X,K=S;if(z>=80)K=T;else if(z>=50)K=_;let W="=".repeat(Math.max(0,X))+" ".repeat(Math.max(0,q)),J=n1($),U=n1(Q);return`  ${R}${Z}${V} ${K}[${W}]${V} ${z}% (${J} / ${U})`}async function hQ(){if(await f("jq"))return!0;return process.stdout.write(`${T}Error: jq is required but not installed.${V}
 `),process.stdout.write(`Install with:
 `),process.stdout.write(`  brew install jq    (macOS)
 `),process.stdout.write(`  apt install jq     (Debian/Ubuntu)
@@ -790,4 +790,4 @@ Set LOKI_LEGACY_BASH=1 to force the bash CLI for every command.
 `),2}default:return process.stderr.write(`Unknown command: ${Q}
 `),process.stderr.write(s6),2}}l1();process.on("SIGINT",()=>process.exit(130));process.on("SIGTERM",()=>process.exit(143));var KZ=await XZ(Bun.argv.slice(2));process.exit(KZ);
 
-//# debugId=81578235FF4BA7E564756E2164756E21
+//# debugId=77DAD44E0F11F25F64756E2164756E21

package/mcp/__init__.py

@@ -57,4 +57,4 @@ try:
 except ImportError:
     __all__ = ['mcp']
 
-__version__ = '7.61.0'
+__version__ = '7.62.0'

package/memory/cross_project.py

@@ -45,7 +45,7 @@ class CrossProjectIndex:
                         'path': str(child),
                         'name': child.name,
                         'memory_dir': str(memory_dir),
-                        'discovered_at': datetime.now(timezone.utc).isoformat() + 'Z',
+                        'discovered_at': datetime.now(timezone.utc).isoformat(),
                     })
         return projects
 
@@ -58,7 +58,7 @@ class CrossProjectIndex:
         projects = self.discover_projects()
         index = {
             'projects': [],
-            'built_at': datetime.now(timezone.utc).isoformat() + 'Z',
+            'built_at': datetime.now(timezone.utc).isoformat(),
             'total_episodes': 0,
             'total_patterns': 0,
             'total_skills': 0,

package/memory/knowledge_graph.py

@@ -46,7 +46,7 @@ class OrganizationKnowledgeGraph:
                     with open(pattern_file) as f:
                         pattern = json.load(f)
                     pattern['_source_project'] = str(project_dir)
-                    pattern['_extracted_at'] = datetime.now(timezone.utc).isoformat() + 'Z'
+                    pattern['_extracted_at'] = datetime.now(timezone.utc).isoformat()
                     all_patterns.append(pattern)
                 except (json.JSONDecodeError, IOError):
                     continue
@@ -112,7 +112,7 @@ class OrganizationKnowledgeGraph:
         graph = {
             'nodes': [],
             'edges': [],
-            'built_at': datetime.now(timezone.utc).isoformat() + 'Z',
+            'built_at': datetime.now(timezone.utc).isoformat(),
         }
 
         for project_dir in project_dirs:

package/memory/layers/index_layer.py

@@ -26,15 +26,26 @@ class Topic:
     Attributes:
         id: Unique identifier for the topic
         summary: Brief summary of the topic content
-        relevance_score: How relevant this topic is (0.0 to 1.0)
+        relevance_score: How relevant this topic is (0.0 to 1.0). This is the
+            STORED value and is what to_dict() persists.
         token_count: Estimated tokens in the full memory
         last_accessed: When this topic was last accessed
+        match_score: Transient, per-query ranking score (stored relevance
+            plus a keyword-match boost). None when no query boost applies.
+            Never persisted by to_dict(); used only for ranking/threshold
+            decisions within a single retrieval call.
     """
     id: str
     summary: str
     relevance_score: float = 0.5
     token_count: int = 0
     last_accessed: Optional[str] = None
+    match_score: Optional[float] = None
+
+    @property
+    def effective_score(self) -> float:
+        """Ranking score for this query: match_score when set, else stored relevance."""
+        return self.match_score if self.match_score is not None else self.relevance_score
 
     def to_dict(self) -> Dict[str, Any]:
         """Convert to dictionary for JSON serialization."""
@@ -80,12 +91,17 @@ class IndexLayer:
         """
         self.base_path = Path(base_path)
         self.index_path = self.base_path / "index.json"
-        self._cache: Optional[Dict[str, Any]] = None
 
     def load(self) -> Dict[str, Any]:
         """
         Load index.json from disk.
 
+        Always re-reads from disk: these files are tiny (~100 token target)
+        and are written by separate processes (the dashboard reads
+        index.json via server.py while the orchestrator writes it), so an
+        in-memory cache cannot be invalidated correctly across processes.
+        An honest fresh read beats a stale cache for retrieval accuracy.
+
         Returns:
             Index dictionary with version, topics, and metadata
         """
@@ -94,8 +110,7 @@ class IndexLayer:
 
         try:
             with open(self.index_path, "r") as f:
-                self._cache = json.load(f)
-                return self._cache
+                return json.load(f)
         except (json.JSONDecodeError, IOError):
             return self._create_empty_index()
 
@@ -133,8 +148,6 @@ class IndexLayer:
                 pass
             raise
 
-        self._cache = index
-
     def update(self, memories: List[Dict[str, Any]]) -> None:
         """
         Rebuild index from a list of memories.
@@ -216,19 +229,22 @@ class IndexLayer:
             summary_lower = topic.summary.lower()
             summary_words = set(summary_lower.split())
 
-            # Calculate match score based on word overlap
+            # Calculate match score based on word overlap.
+            # The boost is applied to a SEPARATE transient match_score, never
+            # to the stored relevance_score, so callers still see the stored
+            # value while ranking and the Layer-3 gate use the boosted score.
             common_words = query_words & summary_words
-            if common_words:
-                # Boost relevance based on word matches
+            if common_words and query_words:
                 match_boost = len(common_words) / len(query_words) * 0.3
-                topic.relevance_score = min(1.0, topic.relevance_score + match_boost)
+                topic.match_score = min(1.0, topic.relevance_score + match_boost)
                 relevant.append(topic)
             elif topic.relevance_score >= 0.8:
-                # Include high-relevance topics even without exact match
+                # Include high-relevance topics even without exact match.
+                # No keyword boost: ranking falls back to stored relevance.
                 relevant.append(topic)
 
-        # Sort by relevance score, descending
-        relevant.sort(key=lambda t: t.relevance_score, reverse=True)
+        # Sort by effective (match-or-stored) score, descending
+        relevant.sort(key=lambda t: t.effective_score, reverse=True)
 
         return relevant
 

package/memory/layers/loader.py

@@ -140,33 +140,42 @@ class ProgressiveLoader:
             self._metrics.calculate_savings(index.get("total_tokens_available", 0))
             return memories, self._metrics
 
-        # Layer 2: Load timeline for relevant topics
+        # Layer 2: Load timeline for relevant topics.
+        # Affordability gate: the timeline must fit the remaining budget. If the
+        # full timeline costs more than we can afford, loading and appending all
+        # of it would drive remaining_tokens negative and violate max_tokens
+        # (Layer 3 already has this guard; Layer 2 did not). When it does not
+        # fit, skip the timeline-as-sufficient-context shortcut and fall through
+        # to the budget-aware Layer 3 path instead of overspending.
         timeline = self.timeline_layer.load()
         layer2_tokens = self.timeline_layer.get_token_count()
-        self._metrics.layer2_tokens = layer2_tokens
-        remaining_tokens -= layer2_tokens
-
-        # Collect timeline context for each relevant topic
-        topic_ids = {t.id for t in relevant_topics}
-        timeline_context: Dict[str, List[Dict[str, Any]]] = {}
-
-        for topic in relevant_topics:
-            topic_entries = self.timeline_layer.get_recent_for_topic(topic.id)
-            if topic_entries:
-                timeline_context[topic.id] = topic_entries
-
-        # Check if timeline provides sufficient context
-        if self.sufficient_context(timeline_context, query):
-            # Add timeline entries as context
-            for topic_id, entries in timeline_context.items():
-                for entry in entries:
-                    memories.append({
-                        "id": topic_id,
-                        "type": "timeline",
-                        "content": entry,
-                    })
-            self._metrics.calculate_savings(index.get("total_tokens_available", 0))
-            return memories, self._metrics
+        timeline_affordable = layer2_tokens <= remaining_tokens
+
+        if timeline_affordable:
+            self._metrics.layer2_tokens = layer2_tokens
+            remaining_tokens -= layer2_tokens
+
+            # Collect timeline context for each relevant topic
+            topic_ids = {t.id for t in relevant_topics}
+            timeline_context: Dict[str, List[Dict[str, Any]]] = {}
+
+            for topic in relevant_topics:
+                topic_entries = self.timeline_layer.get_recent_for_topic(topic.id)
+                if topic_entries:
+                    timeline_context[topic.id] = topic_entries
+
+            # Check if timeline provides sufficient context
+            if self.sufficient_context(timeline_context, query):
+                # Add timeline entries as context
+                for topic_id, entries in timeline_context.items():
+                    for entry in entries:
+                        memories.append({
+                            "id": topic_id,
+                            "type": "timeline",
+                            "content": entry,
+                        })
+                self._metrics.calculate_savings(index.get("total_tokens_available", 0))
+                return memories, self._metrics
 
         # Layer 3: Load full memories for high-relevance topics
         if remaining_tokens > 0:

package/memory/layers/timeline_layer.py

@@ -37,12 +37,17 @@ class TimelineLayer:
         """
         self.base_path = Path(base_path)
         self.timeline_path = self.base_path / "timeline.json"
-        self._cache: Optional[Dict[str, Any]] = None
 
     def load(self) -> Dict[str, Any]:
         """
         Load timeline.json from disk.
 
+        Always re-reads from disk: these files are tiny (~500 token target)
+        and are written by separate processes (the dashboard reads
+        timeline.json via server.py while the orchestrator writes it), so an
+        in-memory cache cannot be invalidated correctly across processes.
+        An honest fresh read beats a stale cache for retrieval accuracy.
+
         Returns:
             Timeline dictionary with actions, decisions, and context
         """
@@ -51,8 +56,7 @@ class TimelineLayer:
 
         try:
             with open(self.timeline_path, "r") as f:
-                self._cache = json.load(f)
-                return self._cache
+                return json.load(f)
         except (json.JSONDecodeError, IOError):
             return self._create_empty_timeline()
 
@@ -94,8 +98,6 @@ class TimelineLayer:
                 pass
             raise
 
-        self._cache = timeline
-
     def add_action(
         self,
         action: str,

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "loki-mode",
   "mcpName": "io.github.asklokesh/loki-mode",
-  "version": "7.61.0",
+  "version": "7.62.0",
   "description": "Loki Mode by Autonomi. Autonomous spec-to-product system: takes a PRD, GitHub issue, OpenAPI/JSON/YAML, or one-line brief to a deployed app via the RARV-C closure loop with 8 quality gates. Provider-agnostic (Claude Code, OpenAI Codex, Cline, Aider).",
   "keywords": [
     "agent",

package/plugins/loki-mode/.claude-plugin/plugin.json

@@ -2,7 +2,7 @@
   "$schema": "https://json.schemastore.org/claude-code-plugin-manifest.json",
   "name": "loki-mode",
   "displayName": "Loki Mode",
-  "version": "7.61.0",
+  "version": "7.62.0",
   "description": "Autonomous spec-to-product build system with a built-in trust layer (RARV-C closure loop, 8 quality gates, completion council). Ships Loki's spec-hardening, drift-detection, and deterministic PR verification commands plus the Loki MCP server.",
   "author": {
     "name": "Autonomi",

package/src/audit/crosslink.js

@@ -508,10 +508,48 @@ function linkManifest(opts) {
   };
 }
 
+/**
+ * Read the witnessed agent-chain high-water mark.
+ *
+ * The witness file (witness.jsonl) records, on each append, the agent
+ * chain's `agentEntries` count at witness time. Because the file is
+ * append-only and the agent chain only grows, the MAX recorded
+ * `agentEntries` is a lower bound on how long the agent chain has ever
+ * legitimately been. If the live chain is now SHORTER than that, the
+ * trailing portion of the chain was truncated -- which a bare
+ * verifyChain() (genesis-to-tip linkage with no count anchor) cannot
+ * detect, because a truncated prefix re-links cleanly.
+ *
+ * @returns {object} { present, highWater } -- highWater:0 and
+ *   present:false when no witness file / no usable counts exist.
+ */
+function witnessAgentHighWater(opts) {
+  opts = opts || {};
+  var witnessFile = opts.witnessFile ||
+    path.join((opts.projectDir || process.cwd()), '.loki', 'audit', WITNESS_FILE);
+  if (!fs.existsSync(witnessFile)) {
+    return { present: false, highWater: 0, witnessFile: witnessFile };
+  }
+  var content = fs.readFileSync(witnessFile, 'utf8').trim();
+  if (!content) return { present: false, highWater: 0, witnessFile: witnessFile };
+  var lines = content.split('\n');
+  var high = 0;
+  var sawCount = false;
+  for (var i = 0; i < lines.length; i++) {
+    var rec;
+    try { rec = JSON.parse(lines[i]); } catch (_) { continue; }
+    if (rec && typeof rec.agentEntries === 'number') {
+      sawCount = true;
+      if (rec.agentEntries > high) high = rec.agentEntries;
+    }
+  }
+  return { present: sawCount, highWater: high, witnessFile: witnessFile };
+}
+
 /**
  * Verify the run-manifest link against the evidence chain.
  *
- * Composes TWO checks (mirroring verifyUnified rather than a bare disk-vs
+ * Composes THREE checks (mirroring verifyUnified rather than a bare disk-vs
  * -recorded compare):
  *   1. Agent chain integrity (AuditLog.verifyChain()). This catches an
  *      edit to the ANCHOR entry itself (e.g. someone rewrites the recorded
@@ -519,14 +557,30 @@ function linkManifest(opts) {
  *   2. Manifest reconciliation: re-hash the on-disk manifest and require
  *      it to equal the hash recorded by the MOST RECENT manifest-link
  *      anchor. A mutated manifest no longer matches -> tamper detected.
+ *   3. Trailing-truncation detection via the append-only witness file.
+ *      verifyChain() validates previousHash linkage from genesis with NO
+ *      count anchor, so an attacker who edits .loki/loki-run.json AND
+ *      truncates .loki/audit/audit.jsonl to drop the trailing
+ *      manifest-link anchor leaves a SHORTER but internally-consistent
+ *      chain that verifies clean (and reports present:false, which a
+ *      caller must NOT read as a pass). We cross-check the witness file's
+ *      recorded agentEntries high-water mark against the live chain
+ *      length: if the chain is now shorter than a previously-witnessed
+ *      count, the trail was truncated and we return valid:false with
+ *      truncationSuspected:true.
  *
- * HONEST empty cases (distinguishable from a real pass via `present`):
- *   - No anchor recorded yet -> { present:false, valid:true, reason:... }.
+ * HONEST empty cases (distinguishable from a real pass via `present` and
+ * `truncationSuspected`):
+ *   - No anchor recorded yet -> { present:false, ... }. valid is true ONLY
+ *     when no witness exists or the chain still meets the witnessed
+ *     high-water mark; a witnessed-then-truncated chain reports
+ *     valid:false + truncationSuspected:true even on this absent-anchor
+ *     path, so an absent anchor can never be silently read as verified.
  *   - Anchor exists but the manifest file is now gone -> manifest.valid
  *     is false (the pinned manifest is missing/cannot be reconciled).
  *
  * @param {object} [opts] projectDir / logDir / manifestPath as linkManifest.
- * @returns {object} { valid, present, chain, manifest }
+ * @returns {object} { valid, present, truncationSuspected, chain, manifest, witness }
  */
 function verifyManifestLink(opts) {
   opts = opts || {};
@@ -537,14 +591,39 @@ function verifyManifestLink(opts) {
   var entries = log.readEntries();
   log.destroy();
 
+  // Trailing-truncation guard: compare the live chain length against the
+  // highest agentEntries count any witness ever recorded. A shrink means
+  // the chain was truncated below a point it provably once reached.
+  var hw = witnessAgentHighWater(opts);
+  var chainLen = typeof chain.entries === 'number' ? chain.entries : entries.length;
+  var truncationSuspected = hw.present && chainLen < hw.highWater;
+  var witnessInfo = {
+    present: hw.present,
+    witnessedHighWater: hw.highWater,
+    currentChainLength: chainLen,
+    truncationSuspected: truncationSuspected,
+  };
+
   var anchors = entries.filter(function (e) {
     return e.what === MANIFEST_LINK_ACTION;
   });
 
   if (anchors.length === 0) {
     return {
-      valid: !!chain.valid, present: false, chain: chain,
-      manifest: { present: false, valid: true, reason: 'no manifest-link anchor recorded' },
+      valid: !!chain.valid && !truncationSuspected,
+      present: false,
+      truncationSuspected: truncationSuspected,
+      chain: chain,
+      witness: witnessInfo,
+      manifest: {
+        present: false,
+        valid: !truncationSuspected,
+        reason: truncationSuspected
+          ? 'audit chain truncated below witnessed length ' + hw.highWater +
+            ' (current ' + chainLen + '); manifest-link anchor may have been ' +
+            'dropped by trailing-truncation -- absent anchor is NOT a pass'
+          : 'no manifest-link anchor recorded',
+      },
     };
   }
 
@@ -574,9 +653,11 @@ function verifyManifestLink(opts) {
   }
 
   return {
-    valid: !!chain.valid && manifest.valid,
+    valid: !!chain.valid && manifest.valid && !truncationSuspected,
     present: true,
+    truncationSuspected: truncationSuspected,
     chain: chain,
+    witness: witnessInfo,
     manifest: manifest,
   };
 }
@@ -592,6 +673,7 @@ module.exports = {
   defaultDashboardAuditDir: defaultDashboardAuditDir,
   linkManifest: linkManifest,
   verifyManifestLink: verifyManifestLink,
+  witnessAgentHighWater: witnessAgentHighWater,
   hashManifest: hashManifest,
   defaultManifestPath: defaultManifestPath,
   CROSSLINK_ACTION: CROSSLINK_ACTION,

package/templates/README.md

@@ -18,39 +18,60 @@ loki init my-project --template saas-starter
 
 ## Templates
 
+The tier below is the complexity that Loki Mode's `detect_complexity` routine
+(`autonomy/run.sh`) actually assigns to each PRD. Complexity is auto-detected
+from the PRD's structure (its section count and length), not from the size of
+the finished product. A short, lightly-sectioned spec like `simple-todo-app`
+detects as Simple; a richly-sectioned spec (more than 10 h2/h3 sections, or
+more than 1000 words) detects as Complex, even when the app it describes is a
+single static page. So a few visually small projects (for example
+`static-landing-page`) land under Complex purely because their PRD is deeply
+sectioned. The Est. Time column reflects build effort, which does not always
+track the detected tier.
+
 ### Simple
 
+PRD detects as Simple: fewer than 3 sections, fewer than 5 features, and under
+200 words.
+
 | Template | Description | Tech Stack | Est. Time |
 |----------|-------------|------------|-----------|
-| [simple-todo-app.md](simple-todo-app.md) | Minimal todo app for testing Loki Mode basics | React, Express, SQLite | 15-20 min |
-| [static-landing-page.md](static-landing-page.md) | SaaS landing page with hero, features, pricing, FAQ | HTML, CSS, vanilla JS | 10-15 min |
-| [api-only.md](api-only.md) | REST API for notes with full CRUD and tests | Express, in-memory, Vitest | 15-20 min |
+| [simple-todo-app.md](simple-todo-app.md) | Minimal todo app for testing Loki Mode basics | HTML, CSS, vanilla JS (localStorage) | 15-20 min |
 
 ### Standard
 
+PRD detects as Standard: between the Simple and Complex thresholds (roughly
+3 to 10 sections and under 1000 words).
+
 | Template | Description | Tech Stack | Est. Time |
 |----------|-------------|------------|-----------|
-| [rest-api.md](rest-api.md) | REST API with CRUD, pagination, filtering, Swagger docs (no auth) | Express, TypeScript, Prisma, SQLite | 25-35 min |
-| [rest-api-auth.md](rest-api-auth.md) | REST API with JWT auth, registration, login, refresh, rate limiting | Express/FastAPI, PostgreSQL, JWT, bcrypt | 30-45 min |
-| [cli-tool.md](cli-tool.md) | File organizer CLI with subcommands, config, watch mode, undo | Node.js, Commander.js, chalk, chokidar | 30-45 min |
-| [discord-bot.md](discord-bot.md) | Moderation bot with slash commands, auto-mod, reaction roles | discord.js, SQLite, node-cron | 45-60 min |
-| [chrome-extension.md](chrome-extension.md) | Tab manager extension with groups, sessions, search, memory monitor | Manifest V3, vanilla JS, Chrome APIs | 30-45 min |
-| [blog-platform.md](blog-platform.md) | Blog with markdown CMS, categories, RSS feed, SEO | Next.js, CodeMirror, SQLite, TailwindCSS | 45-60 min |
-| [full-stack-demo.md](full-stack-demo.md) | Bookmark manager with tags, search, and filtering | React, Express, SQLite, TailwindCSS | 30-60 min |
-| [web-scraper.md](web-scraper.md) | Configurable scraper with pagination, robots.txt, multi-format export | Python, httpx, BeautifulSoup4, SQLite | 30-45 min |
-| [data-pipeline.md](data-pipeline.md) | ETL pipeline with multi-source ingestion, transforms, monitoring | Python, Pydantic, SQLAlchemy, Click | 30-45 min |
 | [dashboard.md](dashboard.md) | Real-time analytics dashboard with charts, tables, drag-and-drop layout | React, Recharts, TanStack Table, WebSocket | 45-60 min |
+| [data-pipeline.md](data-pipeline.md) | ETL pipeline with multi-source ingestion, transforms, monitoring | Python, Pydantic, SQLAlchemy, Click | 30-45 min |
 | [game.md](game.md) | Browser-based 2D game with enemy AI, scoring, levels, high scores | HTML5 Canvas, TypeScript, Web Audio API | 30-45 min |
-| [slack-bot.md](slack-bot.md) | Slack bot with slash commands, events, interactive messages, scheduling | Node.js, Bolt SDK, SQLite | 30-45 min |
-| [npm-library.md](npm-library.md) | npm package with TypeScript, dual ESM/CJS, tree shaking, auto docs | TypeScript, tsup, Vitest, typedoc | 30-45 min |
 | [microservice.md](microservice.md) | Containerized service with health checks, logging, Prometheus metrics | Express, TypeScript, Docker, Prisma, pino | 30-45 min |
+| [npm-library.md](npm-library.md) | npm package with TypeScript, dual ESM/CJS, tree shaking, auto docs | TypeScript, tsup, Vitest, typedoc | 30-45 min |
+| [web-scraper.md](web-scraper.md) | Configurable scraper with pagination, robots.txt, multi-format export | Python, httpx, BeautifulSoup4, SQLite | 30-45 min |
 
 ### Complex
 
+PRD detects as Complex: more than 10 sections, OR more than 15 features, OR
+more than 1000 words. Most templates land here because their PRDs are deeply
+sectioned, regardless of the finished app's size.
+
 | Template | Description | Tech Stack | Est. Time |
 |----------|-------------|------------|-----------|
+| [api-only.md](api-only.md) | REST API for notes with full CRUD and tests | Express, in-memory, Vitest | 15-20 min |
+| [static-landing-page.md](static-landing-page.md) | SaaS landing page with hero, features, pricing, FAQ | HTML, CSS, vanilla JS | 10-15 min |
+| [slack-bot.md](slack-bot.md) | Slack bot with slash commands, events, interactive messages, scheduling | Node.js, Bolt SDK, SQLite | 30-45 min |
+| [full-stack-demo.md](full-stack-demo.md) | Bookmark manager with tags, search, and filtering | React, Express, SQLite, TailwindCSS | 30-60 min |
+| [cli-tool.md](cli-tool.md) | File organizer CLI with subcommands, config, watch mode, undo | Node.js, Commander.js, chalk, chokidar | 30-45 min |
+| [discord-bot.md](discord-bot.md) | Moderation bot with slash commands, auto-mod, reaction roles | discord.js, SQLite, node-cron | 45-60 min |
+| [chrome-extension.md](chrome-extension.md) | Tab manager extension with groups, sessions, search, memory monitor | Manifest V3, vanilla JS, Chrome APIs | 30-45 min |
 | [mobile-app.md](mobile-app.md) | Habit tracker with streaks, reminders, calendar, charts | React Native (Expo), Zustand, AsyncStorage | 45-60 min |
 | [saas-starter.md](saas-starter.md) | SaaS app with auth, OAuth, Stripe billing, admin dashboard | Next.js, Prisma, PostgreSQL, Stripe, NextAuth | 60-90 min |
+| [blog-platform.md](blog-platform.md) | Blog with markdown CMS, categories, RSS feed, SEO | Next.js, CodeMirror, SQLite, TailwindCSS | 45-60 min |
+| [rest-api.md](rest-api.md) | REST API with CRUD, pagination, filtering, Swagger docs (no auth) | Express, TypeScript, Prisma, SQLite | 25-35 min |
+| [rest-api-auth.md](rest-api-auth.md) | REST API with JWT auth, registration, login, refresh, rate limiting | Express/FastAPI, PostgreSQL, JWT, bcrypt | 30-45 min |
 | [e-commerce.md](e-commerce.md) | Storefront with catalog, cart, Stripe checkout, order management | Next.js, Prisma, PostgreSQL, Stripe | 60-90 min |
 | [ai-chatbot.md](ai-chatbot.md) | RAG chatbot with document upload, vector search, streaming responses | Next.js, OpenAI API, ChromaDB, Vercel AI SDK | 60-90 min |
 
@@ -74,7 +95,7 @@ Every template follows a consistent structure:
 
 ## Choosing a Template
 
-**First time using Loki Mode?** Start with `simple-todo-app.md` or `api-only.md`. These complete quickly and validate your setup.
+**First time using Loki Mode?** Start with `simple-todo-app.md` (the one Simple-tier template) or `api-only.md`. Both complete quickly and validate your setup. Note that `api-only.md` detects as Complex despite finishing fast, because its PRD is heavily sectioned.
 
 **Testing full capabilities?** Use `full-stack-demo.md`. It exercises frontend, backend, database, and code review agents without taking too long.