loki-mode 7.66.1 → 7.67.0

package/SKILL.md

@@ -3,7 +3,7 @@ name: loki-mode
 description: Autonomous spec-driven build system with a built-in trust layer. It does not call work done until it is verified (RARV-C closure loop, 8 quality gates, completion council, verified-completion evidence gate). Triggers on "Loki Mode". Takes a spec (PRD, GitHub issue, OpenAPI doc, etc.) to deployed product with minimal human intervention. Provider-agnostic. Requires --dangerously-skip-permissions flag.
 ---
 
-# Loki Mode v7.66.1
+# Loki Mode v7.67.0
 
 **You are an autonomous agent. You make decisions. You do not ask questions. You do not stop.**
 
@@ -406,4 +406,4 @@ See `CHANGELOG.md` entries [7.5.7], [7.5.8], [7.5.13] for the per-fix list and r
 
 ---
 
-**v7.66.1 | [Autonomi](https://www.autonomi.dev/) flagship product | ~260 lines core**
+**v7.67.0 | [Autonomi](https://www.autonomi.dev/) flagship product | ~260 lines core**

package/VERSION

@@ -1 +1 @@
-7.66.1
+7.67.0

package/autonomy/app-runner.sh

@@ -778,7 +778,12 @@ app_runner_init() {
             local _project_hash
             _project_hash=$(echo "$dir" | (md5sum 2>/dev/null || md5 -r 2>/dev/null || echo "$$") | cut -c1-8)
             _APP_RUNNER_DOCKER_CONTAINER="loki-app-${_project_hash}"
-            _APP_RUNNER_METHOD="docker build -t loki-app . && docker run -d -p ${_APP_RUNNER_PORT}:${_APP_RUNNER_PORT} --name ${_APP_RUNNER_DOCKER_CONTAINER} loki-app"
+            # Hash the image tag the same way the container name is hashed so two
+            # Dockerfile-based projects do not clobber each other's image (an
+            # unhashed `loki-app` tag would be shared across every project). Build
+            # tag and run image arg MUST stay identical.
+            local _image_tag="loki-app-${_project_hash}"
+            _APP_RUNNER_METHOD="docker build -t ${_image_tag} . && docker run -d -p ${_APP_RUNNER_PORT}:${_APP_RUNNER_PORT} --name ${_APP_RUNNER_DOCKER_CONTAINER} ${_image_tag}"
             _APP_RUNNER_IS_DOCKER=true
             _write_detection "dockerfile" "$_APP_RUNNER_METHOD"
             log_info "App Runner: detected Dockerfile"
@@ -1012,6 +1017,59 @@ _app_runner_compose_running_count() {
     return 0
 }
 
+# Decide whether to prepend `exec` to the launched method. `exec` replaces the
+# bash wrapper with the command so the captured PID is the app itself (PID
+# identity for npm start / python app.py etc.). That is ONLY valid for a SINGLE
+# command. A compound method like `docker build ... && docker run ...` must NOT
+# be exec'd: `exec docker build` would replace the shell and the `&& docker run`
+# half would never run (the verified HIGH-1 bug -- image builds, no container).
+# Detection runs on the METHOD STRING ONLY, never the assembled launch line: the
+# assembled line always contains `;` (from the PORT env prefix and the pgid
+# `echo $$`), so testing it would mark every method compound and silently drop
+# the exec optimization for single commands.
+# Echoes "exec " for a single command, or "" (empty) for a compound command.
+_app_runner_exec_prefix() {
+    local method="$1"
+    case "$method" in
+        *"&&"*|*"||"*|*";"*)
+            # Compound: let bash run the full sequence as a child (no exec).
+            printf '%s' ""
+            ;;
+        *)
+            printf '%s' "exec "
+            ;;
+    esac
+}
+
+# Liveness predicate for the Dockerfile (single-image `docker run -d`) path,
+# which -- unlike compose -- has a project-hashed container name in
+# $_APP_RUNNER_DOCKER_CONTAINER. The method is a compound `docker build && docker
+# run -d` launched WITHOUT exec, so the captured PID is the short-lived bash
+# wrapper: it stays alive for the (possibly multi-minute) build, then exits right
+# after `docker run -d` detaches. Therefore liveness is:
+#   alive  = container running  OR  wrapper PID still alive (build in progress)
+#   dead   = wrapper PID dead   AND container not running
+# This tolerates a slow-but-succeeding build while a genuinely broken Dockerfile
+# still trips the watchdog breaker (wrapper dies, no container, 5x). Returns 0
+# when alive, 1 when dead. Never hard-fails (guarded for set -u / future set -e).
+_app_runner_dockerfile_container_running() {
+    local _name="${_APP_RUNNER_DOCKER_CONTAINER:-}"
+    [ -z "$_name" ] && return 1
+    if command -v docker >/dev/null 2>&1; then
+        local _state
+        _state=$(docker inspect -f '{{.State.Running}}' "$_name" 2>/dev/null || true)
+        if [ "$_state" = "true" ]; then
+            return 0
+        fi
+    fi
+    # Container not (yet) running: the build may still be in progress. The wrapper
+    # PID being alive is the build-in-progress signal.
+    if [ -n "${_APP_RUNNER_PID:-}" ] && kill -0 "$_APP_RUNNER_PID" 2>/dev/null; then
+        return 0
+    fi
+    return 1
+}
+
 # Read the RUNTIME published host port of the identified primary web service from
 # `docker compose ps` (the live mapping), as opposed to the config-declared port
 # from `docker compose config`. The config port is correct for fixed mappings
@@ -1127,6 +1185,25 @@ app_runner_start() {
         _port_env_prefix="export PORT=$_APP_RUNNER_PORT HTTP_PORT=$_APP_RUNNER_PORT SERVER_PORT=$_APP_RUNNER_PORT APP_PORT=$_APP_RUNNER_PORT; "
     fi
 
+    # Conditional exec (HIGH-1 fix): only `exec` a SINGLE command. A compound
+    # method (`docker build ... && docker run ...`) must run as a child so BOTH
+    # halves execute -- `exec docker build` would replace the shell and never
+    # reach `&& docker run`. Computed on the method string ONLY (see
+    # _app_runner_exec_prefix), not the assembled launch line.
+    local _exec_prefix
+    _exec_prefix=$(_app_runner_exec_prefix "$_APP_RUNNER_METHOD")
+
+    # Dockerfile path: `docker run --name <hashed>` fails if a stale (exited)
+    # container with that name still exists. This happens on a watchdog restart
+    # (the prior run's container was stopped, not removed) and would make every
+    # auto-restart fail with "name already in use". Remove any stale container
+    # by name before launch. Idempotent and safe when none exists. Compose has no
+    # _APP_RUNNER_DOCKER_CONTAINER, so this is Dockerfile-path only.
+    if [ "$_APP_RUNNER_IS_DOCKER" = true ] && [ -n "${_APP_RUNNER_DOCKER_CONTAINER:-}" ] \
+       && command -v docker >/dev/null 2>&1; then
+        docker rm -f "$_APP_RUNNER_DOCKER_CONTAINER" >/dev/null 2>&1 || true
+    fi
+
     # Start the process in a new process group
     if command -v setsid >/dev/null 2>&1; then
         _APP_RUNNER_HAS_SETSID=true
@@ -1136,7 +1213,7 @@ app_runner_start() {
         # Note: $_APP_RUNNER_METHOD has passed _validate_app_command (whitelist).
         # The `--` after `bash -lc` prevents flag injection if the assembled
         # script string ever begins with a `-`.
-        (cd "$dir" && setsid bash -lc -- "$_port_env_prefix"'echo $$ > "'"$_pgid_file"'"; exec '"$_APP_RUNNER_METHOD" >> "$_APP_RUNNER_DIR/app.log" 2>&1) &
+        (cd "$dir" && setsid bash -lc -- "$_port_env_prefix"'echo $$ > "'"$_pgid_file"'"; '"$_exec_prefix$_APP_RUNNER_METHOD" >> "$_APP_RUNNER_DIR/app.log" 2>&1) &
         local _subshell_pid=$!
         # Wait briefly for the pgid file to appear, then read the real PGID
         local _pgid_wait=0
@@ -1154,7 +1231,7 @@ app_runner_start() {
         _APP_RUNNER_HAS_SETSID=false
         # Note: $_APP_RUNNER_METHOD has passed _validate_app_command (whitelist).
         # The `--` after `bash -lc` prevents flag injection.
-        (cd "$dir" && bash -lc -- "${_port_env_prefix}exec $_APP_RUNNER_METHOD" >> "$_APP_RUNNER_DIR/app.log" 2>&1) &
+        (cd "$dir" && bash -lc -- "${_port_env_prefix}${_exec_prefix}$_APP_RUNNER_METHOD" >> "$_APP_RUNNER_DIR/app.log" 2>&1) &
         _APP_RUNNER_PID=$!
     fi
     # Register with central PID registry if available
@@ -1212,6 +1289,24 @@ app_runner_start() {
             _write_app_state "failed"
             return 1
         fi
+    elif [ "$_APP_RUNNER_IS_DOCKER" = true ] && [ -n "${_APP_RUNNER_DOCKER_CONTAINER:-}" ]; then
+        # Dockerfile path (HIGH-1): `docker build && docker run -d` is compound, so
+        # it is launched WITHOUT exec and the captured PID is the short-lived bash
+        # wrapper that exits once the detached container is up. Liveness keys on the
+        # container (or the wrapper still building), NOT the wrapper PID -- the same
+        # reasoning as the compose branch above. Port mapping is the fixed
+        # `-p PORT:PORT` from detection and the URL is already set, so no port
+        # reconciliation or PID identity token is needed here.
+        if _app_runner_dockerfile_container_running; then
+            _write_app_state "running"
+            log_info "App Runner: Dockerfile container '$_APP_RUNNER_DOCKER_CONTAINER' starting/running on port $_APP_RUNNER_PORT"
+            return 0
+        else
+            log_error "App Runner: Dockerfile container failed to start (no running container, build wrapper exited)"
+            _APP_RUNNER_CRASH_COUNT=$(( _APP_RUNNER_CRASH_COUNT + 1 ))
+            _write_app_state "failed"
+            return 1
+        fi
     elif kill -0 "$_APP_RUNNER_PID" 2>/dev/null; then
         # Reconcile recorded port with the port the app actually bound (finding
         # #597), so state.json / detection.json / the preview URL point at the
@@ -1456,6 +1551,23 @@ app_runner_health_check() {
         return 0
     fi
 
+    # Dockerfile path (HIGH-1): the detached `docker run -d` container's liveness
+    # is the container running (or the build wrapper still building), NOT the
+    # ephemeral bash wrapper PID. Without this branch the wrapper PID dies after
+    # the build detaches the container and the PID check below would report the
+    # live container as crashed -> watchdog tears it down and rebuilds forever.
+    if [ "$_APP_RUNNER_IS_DOCKER" = true ] && [ -n "${_APP_RUNNER_DOCKER_CONTAINER:-}" ]; then
+        if _app_runner_dockerfile_container_running; then
+            _write_health "true"
+            _write_app_state "running"
+            return 0
+        else
+            _write_health "false"
+            _write_app_state "crashed"
+            return 1
+        fi
+    fi
+
     # Check PID is alive (non-docker-compose methods)
     if ! kill -0 "$_APP_RUNNER_PID" 2>/dev/null; then
         _write_health "false"
@@ -1580,7 +1692,16 @@ app_runner_watchdog() {
     # This is what makes the service-aware health logic actually fire in the
     # live monitoring loop (not just in isolation). On an unhealthy web service
     # it restarts the stack under the same crash-count circuit breaker.
-    if [ "$_APP_RUNNER_IS_DOCKER" = true ] && echo "$_APP_RUNNER_METHOD" | grep -q "docker compose"; then
+    # Detached-docker paths (compose stacks AND the Dockerfile `docker run -d`
+    # container) both exit their captured wrapper PID once the container is up, so
+    # `kill -0` is the wrong liveness signal. Delegate to app_runner_health_check,
+    # whose container-aware branches (compose web service / hashed Dockerfile
+    # container) own the real liveness check, under the same crash-count circuit
+    # breaker. Without including the Dockerfile container here, the wrapper PID
+    # would read as dead after the build detaches and the watchdog would tear the
+    # live container down and rebuild forever (the HIGH-1 symptom).
+    if [ "$_APP_RUNNER_IS_DOCKER" = true ] && \
+       { echo "$_APP_RUNNER_METHOD" | grep -q "docker compose" || [ -n "${_APP_RUNNER_DOCKER_CONTAINER:-}" ]; }; then
         if app_runner_health_check; then
             # BUG 3 fix: the breaker is meant to fire on 5 CONSECUTIVE failures.
             # A confirmed-healthy observation clears any accumulated count so a
@@ -1590,7 +1711,7 @@ app_runner_watchdog() {
             return 0
         fi
         _APP_RUNNER_CRASH_COUNT=$(( _APP_RUNNER_CRASH_COUNT + 1 ))
-        log_warn "App Runner: compose web service unhealthy (crash #$_APP_RUNNER_CRASH_COUNT)"
+        log_warn "App Runner: docker container unhealthy (crash #$_APP_RUNNER_CRASH_COUNT)"
         if [ "$_APP_RUNNER_CRASH_COUNT" -ge 5 ]; then
             log_error "App Runner: crash limit reached (5), marking as crashed"
             tail -20 "$_APP_RUNNER_DIR/app.log" 2>/dev/null | while IFS= read -r line; do
@@ -1601,9 +1722,9 @@ app_runner_watchdog() {
         fi
         local _c_backoff=$(( 1 << _APP_RUNNER_CRASH_COUNT ))
         [ "$_c_backoff" -gt 30 ] && _c_backoff=30
-        log_info "App Runner: restarting compose stack in ${_c_backoff}s..."
+        log_info "App Runner: restarting docker app in ${_c_backoff}s..."
         sleep "$_c_backoff"
-        app_runner_start || log_warn "App Runner: compose auto-restart failed"
+        app_runner_start || log_warn "App Runner: docker auto-restart failed"
         return 0
     fi
 

package/autonomy/loki

@@ -2204,6 +2204,72 @@ _kill_pid() {
     fi
 }
 
+# v7.7.34 group-kill, factored (loki-stop-F1). Reaps the orchestrator's whole
+# process group via the recorded pgid so the autonomous agent (claude/codex/
+# aider), which shares the orchestrator group and would otherwise reparent to
+# init and keep editing files, is killed atomically. This is the SAME logic the
+# no-arg `loki stop` path used inline; it is now shared so the by-id path
+# (`loki stop <session-id>`) gets identical reaping instead of skipping it.
+#
+# Args: one or more pgid-file paths. Each is read, validated (numeric, > 1, NOT
+# this shell's own group), and group-killed; the file is removed after. A
+# protected-pid conflict (dashboard / app-runner / registered pids that happen
+# to share the group) downgrades the kill to a per-pid kill that excludes the
+# protected pids, so a group-kill never tears down the dashboard. Every kill is
+# `|| true` guarded -- safe under set -e (killing an already-dead member, or an
+# empty group, returns non-zero legitimately).
+_stop_group_by_pgid_files() {
+    local _stop_pgid_file
+    for _stop_pgid_file in "$@"; do
+        [ -f "$_stop_pgid_file" ] || continue
+        local _spgid
+        _spgid=$(cat "$_stop_pgid_file" 2>/dev/null | tr -d ' ')
+        case "$_spgid" in ''|*[!0-9]*) continue ;; esac
+        [ "$_spgid" -gt 1 ] 2>/dev/null || continue
+        local _my_pgid
+        _my_pgid=$(ps -o pgid= -p $$ 2>/dev/null | tr -d ' ')
+        [ "$_spgid" = "$_my_pgid" ] && continue   # never kill our own group
+        # Collect protected pids (dashboard, app-runner, registered pids) so
+        # a group-kill never takes down the dashboard if it happens to share
+        # the orchestrator group. Mirrors the dashboard Python route.
+        local _protected=" "
+        local _pf
+        if [ -d "$LOKI_DIR/pids" ]; then
+            for _pf in "$LOKI_DIR/pids"/*.json; do
+                [ -f "$_pf" ] || continue
+                _protected="${_protected}$(basename "$_pf" .json) "
+            done
+        fi
+        for _pf in "$LOKI_DIR/dashboard/dashboard.pid" "${HOME}/.loki/dashboard/dashboard.pid"; do
+            [ -f "$_pf" ] && _protected="${_protected}$(cat "$_pf" 2>/dev/null | tr -d ' ') "
+        done
+        # Does any protected pid share this group?
+        local _conflict=0 _gp
+        for _gp in $(ps -axo pid=,pgid= 2>/dev/null | awk -v g="$_spgid" '$2==g{print $1}'); do
+            case "$_protected" in *" $_gp "*) _conflict=1; break ;; esac
+        done
+        if [ "$_conflict" = "1" ]; then
+            # Per-pid kill of group members EXCLUDING protected pids.
+            for _gp in $(ps -axo pid=,pgid= 2>/dev/null | awk -v g="$_spgid" '$2==g{print $1}'); do
+                case "$_protected" in *" $_gp "*) continue ;; esac
+                [ "$_gp" = "$$" ] && continue
+                kill -TERM "$_gp" 2>/dev/null || true
+            done
+            sleep 1
+            for _gp in $(ps -axo pid=,pgid= 2>/dev/null | awk -v g="$_spgid" '$2==g{print $1}'); do
+                case "$_protected" in *" $_gp "*) continue ;; esac
+                [ "$_gp" = "$$" ] && continue
+                kill -KILL "$_gp" 2>/dev/null || true
+            done
+        else
+            kill -TERM -- -"$_spgid" 2>/dev/null || true
+            sleep 1
+            kill -KILL -- -"$_spgid" 2>/dev/null || true
+        fi
+        rm -f "$_stop_pgid_file" 2>/dev/null || true
+    done
+}
+
 # Stop a specific session by its session ID
 _stop_session_by_id() {
     local sid="$1"
@@ -2296,6 +2362,29 @@ cmd_stop() {
     # Stop a specific session by ID
     if [ -n "$target_session" ]; then
         if is_session_running "$target_session"; then
+            # loki-stop-F1: group-kill FIRST (v7.7.34 discipline), scoped to THIS
+            # session's recorded pgid. Without this the by-id path reaped only the
+            # orchestrator pid (via _stop_session_by_id -> _kill_pid), leaving the
+            # autonomous agent (claude/codex/aider) -- which shares the
+            # orchestrator's process group -- to reparent to init and keep editing
+            # files. That is exactly the v7.7.34 orphaned-agent bug, reopened on
+            # the by-id path. The pgid is session-scoped: run.sh writes it next to
+            # the session pid as ${pid_file%.pid}.pgid, so we only ever touch THIS
+            # session's group (modern sessions/<id>/loki.pgid + legacy
+            # run-<id>.pgid), never a sibling session or another folder.
+            #
+            # Deliberately NOT mirrored from the no-arg path: the docker reap,
+            # session.json->stopped, and dashboard registry mark are folder/global
+            # side effects (the docker container is named by workspace sha with no
+            # per-session container; registry.mark_project_stopped marks the whole
+            # project; session.json is the folder-level skill session). Firing them
+            # on a by-id stop would mismark the project / kill a docker run while a
+            # sibling session in the same folder is still building. The group-kill
+            # alone closes the stated orphaned-agent hole; folder-global teardown
+            # stays on the no-arg / --all paths.
+            _stop_group_by_pgid_files \
+                "$LOKI_DIR/sessions/$target_session/loki.pgid" \
+                "$LOKI_DIR/run-${target_session}.pgid"
             _stop_session_by_id "$target_session"
             echo "Stopped session: $target_session"
         else
@@ -2381,56 +2470,9 @@ cmd_stop() {
         # session leader), so signaling the whole group reaps the orchestrator
         # AND the agent child atomically. Killing only the orchestrator pid lets
         # the agent reparent to init and keep editing files -- the reported bug.
-        # Guards: only a numeric pgid > 1 that is NOT this shell's own group.
-        local _stop_pgid_file
-        for _stop_pgid_file in "$LOKI_DIR/loki.pgid" "$LOKI_DIR/run.pgid"; do
-            [ -f "$_stop_pgid_file" ] || continue
-            local _spgid
-            _spgid=$(cat "$_stop_pgid_file" 2>/dev/null | tr -d ' ')
-            case "$_spgid" in ''|*[!0-9]*) continue ;; esac
-            [ "$_spgid" -gt 1 ] 2>/dev/null || continue
-            local _my_pgid
-            _my_pgid=$(ps -o pgid= -p $$ 2>/dev/null | tr -d ' ')
-            [ "$_spgid" = "$_my_pgid" ] && continue   # never kill our own group
-            # Collect protected pids (dashboard, app-runner, registered pids) so
-            # a group-kill never takes down the dashboard if it happens to share
-            # the orchestrator group. Mirrors the dashboard Python route.
-            local _protected=" "
-            local _pf
-            if [ -d "$LOKI_DIR/pids" ]; then
-                for _pf in "$LOKI_DIR/pids"/*.json; do
-                    [ -f "$_pf" ] || continue
-                    _protected="${_protected}$(basename "$_pf" .json) "
-                done
-            fi
-            for _pf in "$LOKI_DIR/dashboard/dashboard.pid" "${HOME}/.loki/dashboard/dashboard.pid"; do
-                [ -f "$_pf" ] && _protected="${_protected}$(cat "$_pf" 2>/dev/null | tr -d ' ') "
-            done
-            # Does any protected pid share this group?
-            local _conflict=0 _gp
-            for _gp in $(ps -axo pid=,pgid= 2>/dev/null | awk -v g="$_spgid" '$2==g{print $1}'); do
-                case "$_protected" in *" $_gp "*) _conflict=1; break ;; esac
-            done
-            if [ "$_conflict" = "1" ]; then
-                # Per-pid kill of group members EXCLUDING protected pids.
-                for _gp in $(ps -axo pid=,pgid= 2>/dev/null | awk -v g="$_spgid" '$2==g{print $1}'); do
-                    case "$_protected" in *" $_gp "*) continue ;; esac
-                    [ "$_gp" = "$$" ] && continue
-                    kill -TERM "$_gp" 2>/dev/null || true
-                done
-                sleep 1
-                for _gp in $(ps -axo pid=,pgid= 2>/dev/null | awk -v g="$_spgid" '$2==g{print $1}'); do
-                    case "$_protected" in *" $_gp "*) continue ;; esac
-                    [ "$_gp" = "$$" ] && continue
-                    kill -KILL "$_gp" 2>/dev/null || true
-                done
-            else
-                kill -TERM -- -"$_spgid" 2>/dev/null || true
-                sleep 1
-                kill -KILL -- -"$_spgid" 2>/dev/null || true
-            fi
-            rm -f "$_stop_pgid_file" 2>/dev/null || true
-        done
+        # Factored into _stop_group_by_pgid_files (loki-stop-F1) so the by-id stop
+        # path performs identical reaping. Here we pass the GLOBAL pgid files.
+        _stop_group_by_pgid_files "$LOKI_DIR/loki.pgid" "$LOKI_DIR/run.pgid"
 
         local killed_pid=""
         for pid_file in "$LOKI_DIR/loki.pid" "$LOKI_DIR/run.pid"; do

package/autonomy/run.sh

@@ -1725,12 +1725,25 @@ detect_complexity() {
             # Markdown PRD: count headers and checkboxes
             feature_count=$(grep -c "^##\|^- \[" "$prd_path" 2>/dev/null || echo "0")
         fi
+        # WAVE8 FIX run.sh-provider-F1 (HIGH): grep -c prints "0" AND exits 1 on
+        # zero matches; with the '|| echo "0"' fallback that yields "0\n0", which
+        # crashes the integer tests below ([: 0\n0: integer expression expected)
+        # and silently drops complexity from simple->standard. Strip to digits
+        # after every assignment path (jq, both greps), mirroring file_count:1688.
+        # "0\n0" -> "00" -> arithmetically 0.
+        feature_count="${feature_count:-0}"
+        feature_count="${feature_count//[^0-9]/}"
+        feature_count="${feature_count:-0}"
 
         # Count distinct sections (h2/h3 headers) for structural complexity (#74)
         local section_count=0
         if [[ "$prd_path" != *.json ]]; then
             section_count=$(grep -c "^##\|^###" "$prd_path" 2>/dev/null || echo "0")
         fi
+        # WAVE8 FIX run.sh-provider-F1: same grep -c double-output guard.
+        section_count="${section_count:-0}"
+        section_count="${section_count//[^0-9]/}"
+        section_count="${section_count:-0}"
 
         # PRD complexity uses content length, feature count, AND structural depth (#74)
         # A PRD with multiple sections or substantial content is not "simple" even with few project files
@@ -8927,6 +8940,63 @@ _dispatch_reviewer() {
     esac
 }
 
+# WAVE8 FIX run.sh-F1/F3 (CRITICAL/HIGH): SAFE-DEFAULT verdict classification.
+# Given a reviewer file, extract the VERDICT: line (tolerant of leading
+# markdown like '**VERDICT:**' or '# VERDICT:' so fewer reviewers fall to
+# NO_VERDICT) and classify it as one of: FAIL, PASS, AMBIGUOUS, NONE.
+#   FAIL   -> verdict text contains FAIL/REJECT/BLOCK (verbose suffixes like
+#             "FAIL - [Critical] SQLi", "FAIL.", "FAIL (3 criticals)" all match)
+#   PASS   -> verdict text contains PASS/APPROVE (and NOT a fail token); this
+#             preserves the deliberate "PASS with concerns" = pass semantics.
+#   AMBIGUOUS -> a VERDICT: line exists but matches neither (unparseable token).
+#                Callers MUST treat this as non-passing (safe direction), never pass.
+#   NONE   -> no parseable VERDICT: line at all (empty / missing).
+# FAIL-first ordering means a verdict naming both (rare) blocks -- the safe way.
+# Mirrors the council's _council_parse_vote: parse-miss defaults to the safe
+# (blocking) direction, never to pass.
+_classify_verdict() {
+    local file="$1"
+    [ -f "$file" ] && [ -s "$file" ] || { echo "NONE"; return 0; }
+    local verdict
+    # Tolerant anchor: optional leading whitespace, then optional markdown
+    # markers (* # >), then optional whitespace, then VERDICT:. This rescues
+    # '**VERDICT:** FAIL', '# VERDICT: PASS', '> VERDICT: FAIL' that the strict
+    # '^VERDICT:' anchor missed (those previously became NO_VERDICT and dropped
+    # the reviewer's dissent).
+    verdict=$(grep -iE "^[[:space:]]*[*#>]*[[:space:]]*VERDICT:" "$file" \
+        | head -1 \
+        | sed -E 's/^[[:space:]]*[*#>]*[[:space:]]*[Vv][Ee][Rr][Dd][Ii][Cc][Tt]:[*[:space:]]*//' \
+        | tr '[:lower:]' '[:upper:]')
+    # Classify on the FIRST verdict TOKEN only, not a substring scan of the whole
+    # despaced line. A whole-line scan is asymmetric and wrong: "PASS, no failures
+    # found" or "PASS - no blocking issues" contain FAIL/BLOCK as substrings and
+    # would misclassify a valid PASS as FAIL (a false-block, and worse, it breaks
+    # the unanimous-PASS Devil's-Advocate trigger -> indirect false-PASS). Take
+    # the leading alphabetic run as the verdict word: "FAIL - [Critical] x" ->
+    # FAIL, "PASS, no failures" -> PASS. Strip leading markdown emphasis first.
+    verdict=$(printf '%s' "$verdict" | sed -E 's/^[*_`[:space:]]+//')
+    local _vtok
+    _vtok=$(printf '%s' "$verdict" | sed -E 's/[^A-Z].*$//')
+    if [ -z "$_vtok" ]; then echo "NONE"; return 0; fi
+    case "$_vtok" in
+        FAIL|FAILED|FAILURE|REJECT|REJECTED|BLOCK|BLOCKED) echo "FAIL" ;;
+        PASS|PASSED|APPROVE|APPROVED|OK)                   echo "PASS" ;;
+        *)                                                  echo "AMBIGUOUS" ;;
+    esac
+}
+
+# WAVE8 FIX run.sh-F2 (HIGH): SAFE-DEFAULT severity detection. Returns 0
+# (blocking) if the reviewer file names a Critical or High severity finding in
+# any realistic emitted form: bracketed '[Critical]', bold '**Critical**',
+# 'Severity: High', or a bullet line '- Critical' / '* High'. The strict
+# bracket-only match previously missed unbracketed forms, so a FAIL naming an
+# unbracketed Critical was treated as non-blocking. BSD/GNU portable (no \b).
+_severity_is_blocking() {
+    local file="$1"
+    [ -f "$file" ] || return 1
+    grep -qiE '(\[(critical|high)\])|(\*\*[[:space:]]*(critical|high)[[:space:]]*\*\*)|(severity:?[[:space:]]*(critical|high))|(^[[:space:]]*[-*][[:space:]]+(critical|high)([[:space:]:.,*]|$))' "$file"
+}
+
 run_code_review() {
     local loki_dir="${TARGET_DIR:-.}/.loki"
     local review_dir="$loki_dir/quality/reviews"
@@ -9284,21 +9354,27 @@ BUILD_PROMPT
             continue
         fi
 
-        # Extract verdict
+        # Extract + classify verdict (WAVE8 FIX run.sh-F1/F3). _classify_verdict
+        # uses a markdown-tolerant anchor (rescues '**VERDICT:** FAIL') and a
+        # SAFE-DEFAULT contract: FAIL=any FAIL/REJECT/BLOCK token (so verbose
+        # "FAIL - [Critical] SQLi" / "FAIL." / "FAIL (3 criticals)" all count as
+        # FAIL, previously mis-counted as PASS); PASS=PASS/APPROVE; AMBIGUOUS=a
+        # verdict line that parses to neither; NONE=no parseable verdict line.
         local verdict
-        verdict=$(grep -i "^VERDICT:" "$review_output" | head -1 | sed 's/^VERDICT:[[:space:]]*//' | tr '[:lower:]' '[:upper:]' | tr -d '[:space:]')
-
-        # FIX A2: a "real verdict" is the PRESENCE of a non-empty VERDICT: line,
-        # not a specific token. A non-empty file with NO VERDICT line (garbage or
-        # a truncated reply) previously counted as PASS and could approve the gate
-        # on a meaningless file; now it is a non-verdict (not real, not a pass).
-        # We deliberately keep the original non-FAIL=pass semantics for any file
-        # that DOES carry a verdict line (PASS, APPROVE, "PASS with concerns",
-        # etc. all count as pass) so verbose-but-real verdicts are never
-        # false-blocked. The only added block relative to shipped behavior is the
-        # zero-real-verdicts (all-empty) case.
-        if [ -z "$verdict" ]; then
-            log_warn "Reviewer $reviewer_name produced no VERDICT line (empty or unparseable reply)"
+        verdict=$(_classify_verdict "$review_output")
+
+        # FIX A2 + WAVE8 FIX run.sh-F1/F3: a "real verdict" is a parseable
+        # VERDICT line that classifies cleanly to PASS or FAIL. NONE (no usable
+        # verdict line) AND AMBIGUOUS (a verdict line whose token is neither PASS
+        # nor FAIL, e.g. "VERDICT: UNCLEAR") are BOTH routed to the NO_VERDICT
+        # path. This is the SAFE-DEFAULT contract: an unparseable token must NOT
+        # silently pass. It cannot count toward pass_count, and merely bumping
+        # fail_count would be inert (only has_blocking / review_inconclusive gate
+        # the return). So we treat it as a non-real verdict; the
+        # real_verdict_count < reviewer_count check below then makes the review
+        # inconclusive -> bounded retry -> block (FIX 3 machinery).
+        if [ "$verdict" = "NONE" ] || [ "$verdict" = "AMBIGUOUS" ]; then
+            log_warn "Reviewer $reviewer_name returned no usable verdict (empty, unparseable, or ambiguous token)"
             verdicts_summary="${verdicts_summary}${reviewer_name}:NO_VERDICT "
             ((no_output_count++))
             continue
@@ -9306,8 +9382,9 @@ BUILD_PROMPT
         ((real_verdict_count++))
         if [ "$verdict" = "FAIL" ]; then
             ((fail_count++))
-            # Check for Critical/High severity findings
-            if grep -qiE "\[(Critical|High)\]" "$review_output"; then
+            # Check for Critical/High severity findings (bracketed OR unbracketed
+            # OR bold OR 'Severity:' OR bullet form -- WAVE8 FIX run.sh-F2).
+            if _severity_is_blocking "$review_output"; then
                 has_blocking=true
                 log_error "BLOCKING: $reviewer_name found Critical/High severity issues"
             else
@@ -9320,16 +9397,25 @@ BUILD_PROMPT
         verdicts_summary="${verdicts_summary}${reviewer_name}:${verdict:-UNKNOWN} "
     done
 
-    # Finding #596 FIX A2: zero real verdicts when reviewers were expected =>
-    # INCONCLUSIVE => blocking. Optional bounded retry first (LOKI_REVIEW_RETRY=1,
-    # default on) so a transient empty-output blip does not hard-block; the retry
-    # re-runs the whole review with the (now .loki-excluded) diff. Opt out of the
-    # block entirely with LOKI_REVIEW_INCONCLUSIVE_BLOCK=0 (records, never blocks).
+    # Finding #596 FIX A2 + WAVE8 FIX run.sh-F3: a review is INCONCLUSIVE (=>
+    # blocking) whenever FEWER reviewers returned a usable verdict than were
+    # dispatched. The original gate only fired on real_verdict_count==0 (ALL
+    # reviewers empty); a MIXED review (e.g. 1 of 3 NO_VERDICT, 2 PASS) silently
+    # passed on the surviving majority and dropped the malformed reviewer's
+    # potential dissent (Devil's Advocate never fired). Now ANY NO_VERDICT
+    # reviewer makes the review inconclusive: a dropped reviewer is a dropped
+    # vote, and the safe direction is to refuse to pass on a partial council.
+    # The markdown-tolerant anchor in _classify_verdict already rescues most
+    # real-but-wrapped verdicts, so this fires only on genuinely unusable output.
+    # Optional bounded retry first (LOKI_REVIEW_RETRY=1, default on) so a
+    # transient empty-output blip does not hard-block; the retry re-runs the
+    # whole review with the (now .loki-excluded) diff. Opt out of the block
+    # entirely with LOKI_REVIEW_INCONCLUSIVE_BLOCK=0 (records, never blocks).
     local review_inconclusive=false
-    if [ "$reviewer_count" -gt 0 ] && [ "$real_verdict_count" -eq 0 ]; then
+    if [ "$reviewer_count" -gt 0 ] && [ "$real_verdict_count" -lt "$reviewer_count" ]; then
         review_inconclusive=true
-        log_error "CODE REVIEW INCONCLUSIVE: 0 of $reviewer_count reviewers returned a usable verdict (no_output=$no_output_count)"
-        log_error "  An all-empty review proves nothing; refusing to pass the gate on zero real verdicts."
+        log_error "CODE REVIEW INCONCLUSIVE: only $real_verdict_count of $reviewer_count reviewers returned a usable verdict (no_output=$no_output_count)"
+        log_error "  A partial review drops dissent; refusing to pass the gate without every reviewer's verdict."
         if [ "${LOKI_REVIEW_RETRY:-1}" = "1" ] && [ "${_LOKI_REVIEW_RETRYING:-0}" != "1" ]; then
             log_warn "  Retrying code review once (LOKI_REVIEW_RETRY=1)..."
             _LOKI_REVIEW_RETRYING=1 run_code_review
@@ -9437,9 +9523,12 @@ BUILD_DA_PROMPT
             _dispatch_reviewer "$da_prompt_text" "$da_output" || true
 
             if [ -f "$da_output" ] && [ -s "$da_output" ]; then
+                # WAVE8 FIX run.sh-F1/F2: classify with the shared SAFE-DEFAULT
+                # helpers so a verbose DA "VERDICT: FAIL - [Critical] ..." (and
+                # AMBIGUOUS tokens) and an unbracketed Critical/High both block.
                 local da_verdict
-                da_verdict=$(grep -i "^VERDICT:" "$da_output" | head -1 | sed 's/^VERDICT:[[:space:]]*//' | tr '[:lower:]' '[:upper:]' | tr -d '[:space:]')
-                if [ "$da_verdict" = "FAIL" ] && grep -qiE "\[(Critical|High)\]" "$da_output"; then
+                da_verdict=$(_classify_verdict "$da_output")
+                if { [ "$da_verdict" = "FAIL" ] || [ "$da_verdict" = "AMBIGUOUS" ]; } && _severity_is_blocking "$da_output"; then
                     has_blocking=true
                     # Audit accuracy: aggregate.json was written above (line ~8429)
                     # with has_blocking=false (entering this block requires a
@@ -9465,7 +9554,7 @@ DA_AGG_PATCH
                     log_error "DEVIL'S ADVOCATE: found Critical/High issue the unanimous council missed -- BLOCK"
                     {
                         echo "DEVILS_ADVOCATE_BLOCK: Critical/High found after unanimous PASS"
-                        grep -iE "\[(Critical|High)\]" "$da_output" || true
+                        grep -iE '(\[(critical|high)\])|(\*\*[[:space:]]*(critical|high)[[:space:]]*\*\*)|(severity:?[[:space:]]*(critical|high))|(^[[:space:]]*[-*][[:space:]]+(critical|high)([[:space:]:.,*]|$))' "$da_output" || true
                     } >> "$review_dir/$review_id/anti-sycophancy.txt"
                 else
                     log_info "Devil's Advocate: no additional Critical/High issues found"
@@ -9487,16 +9576,16 @@ DA_AGG_PATCH
         return 1
     fi
 
-    # Finding #596 FIX A2: an inconclusive review (zero real verdicts, retry
-    # already exhausted or disabled) blocks unless explicitly opted out. This is
-    # the 'verified before done' promise: a review that produced no usable verdict
-    # cannot stand in for a real review.
+    # Finding #596 FIX A2 + WAVE8 FIX run.sh-F3: an inconclusive review (fewer
+    # usable verdicts than reviewers, retry already exhausted or disabled) blocks
+    # unless explicitly opted out. This is the 'verified before done' promise: a
+    # review missing any reviewer's verdict cannot stand in for a full review.
     if [ "$review_inconclusive" = "true" ]; then
         if [ "${LOKI_REVIEW_INCONCLUSIVE_BLOCK:-1}" = "0" ]; then
-            log_warn "Code review inconclusive (0/$reviewer_count real verdicts) but LOKI_REVIEW_INCONCLUSIVE_BLOCK=0 - not blocking"
+            log_warn "Code review inconclusive ($real_verdict_count/$reviewer_count real verdicts) but LOKI_REVIEW_INCONCLUSIVE_BLOCK=0 - not blocking"
             return 0
         fi
-        log_error "CODE REVIEW BLOCKED: inconclusive (0/$reviewer_count reviewers returned a usable verdict)"
+        log_error "CODE REVIEW BLOCKED: inconclusive ($real_verdict_count/$reviewer_count reviewers returned a usable verdict)"
         log_error "  Review details: $review_dir/$review_id/ ; opt out with LOKI_REVIEW_INCONCLUSIVE_BLOCK=0"
         return 1
     fi

package/dashboard/__init__.py

@@ -7,7 +7,7 @@ Modules:
     control: Session control API (start/stop/pause/resume)
 """
 
-__version__ = "7.66.1"
+__version__ = "7.67.0"
 
 # Expose the control app for easy import
 try: