@aria_asi/cli 0.2.0

package/hooks/aria-pre-tool-gate.mjs

@@ -0,0 +1,596 @@
+#!/usr/bin/env node
+// Aria pre-tool-use gate — enforces cognition use before destructive tool calls.
+//
+// Runs as a Claude Code PreToolUse hook on every Bash invocation. For
+// commands matching destructive-verb patterns, requires the most recent
+// assistant turn to contain a structured <verify> block. Without it, the
+// tool call is blocked with a corrective message that names the missing
+// fields.
+//
+// Doctrine being enforced (from /tmp/aria-harness-full.txt):
+//   - mizan_prestage_rule: "Before drafting, check niyyah/pre-state: am I
+//     present, truthful, specific, grounded in verified substrate?"
+//   - drift_guard_rule: "Before answering, restate internally: current
+//     goal, current blocker, current stage, and next committed action."
+//   - axiom_runtime_rule.admit_ignorance + reflection_before_action
+//   - llm_worker_rule: "External LLMs are hands/renderers/reviewers.
+//     Aria memory, cognition, frames, Mizan, and Garden are the shared
+//     brain substrate."
+//
+// The gate is the *forcing function* that converts those rules from text
+// instructions into actual enforcement. The harness already declares
+// them; this hook is what makes them gate-real for Claude Code.
+//
+// Escape valves (v3 — Hamza 2026-04-26: "why is there an ability to
+// bypass? doesnt that fundamentally void the purpose of the harness?"
+// Per-command bypass was removed entirely — every prior bypass was
+// traceable to a gate bug, not a legitimate exception.):
+//   - Trivial-bash whitelist: short read-only commands (ls/cat/grep/etc.)
+//     pass without cognition.
+//   - Set env ARIA_PRE_TOOL_GATE=off to disable globally (kill-switch).
+//     Setting an env var is a deliberate, audit-trailed override —
+//     deliberate enough that it's not the model's reflex.
+//   - When the gate misfires on legitimate work: fix the gate. The
+//     misfire IS the bug. Don't route around it.
+//
+// Audit log: every gate decision (allow / block / kill-switch) is
+// appended to ~/.claude/aria-pre-tool-gate.log.
+
+import { readFileSync, appendFileSync, existsSync, mkdirSync } from 'node:fs';
+import { dirname } from 'node:path';
+
+const HOME = process.env.HOME || '/tmp';
+const LOG = `${HOME}/.claude/aria-pre-tool-gate.log`;
+
+// Bypass-counter (kept for historical visibility — past audit-log
+// entries are still useful even though no new bypass entries can be
+// created in v3 since the per-command bypass code path was removed).
+// V1 added the WARN line at 5+/hour as a drift instrument; that line
+// will only appear if old log entries spanning before v3 still fall
+// in the rolling window.
+const BYPASS_WARN_THRESHOLD_PER_HOUR = 5;
+
+function readRecentBypassCount() {
+  try {
+    if (!existsSync(LOG)) return 0;
+    const cutoffMs = Date.now() - 60 * 60 * 1000;
+    const lines = readFileSync(LOG, 'utf-8').split('\n').filter(Boolean);
+    let n = 0;
+    // Walk backward — bypasses are recent if at all.
+    for (let i = lines.length - 1; i >= 0; i--) {
+      const line = lines[i];
+      if (!line.includes('bypass')) continue;
+      const tsEnd = line.indexOf(' ');
+      if (tsEnd < 0) continue;
+      const ts = Date.parse(line.slice(0, tsEnd));
+      if (!Number.isFinite(ts)) continue;
+      if (ts < cutoffMs) break;
+      n++;
+    }
+    return n;
+  } catch {
+    return 0;
+  }
+}
+
+function audit(decision, summary) {
+  try {
+    if (!existsSync(dirname(LOG))) mkdirSync(dirname(LOG), { recursive: true });
+    appendFileSync(LOG, `${new Date().toISOString()} ${decision} ${summary}\n`);
+    // If this audit is itself a bypass, check the bypass-rate. A
+    // separate WARN line gets emitted (and surfaces via tail) when
+    // we exceed the per-hour threshold. The agent can't quietly
+    // drift back to bypass-as-default — drift is visible.
+    if (decision.startsWith('bypass')) {
+      const count = readRecentBypassCount();
+      if (count > BYPASS_WARN_THRESHOLD_PER_HOUR) {
+        appendFileSync(
+          LOG,
+          `${new Date().toISOString()} WARN-BYPASS-RATE ${count} bypasses in last hour (threshold ${BYPASS_WARN_THRESHOLD_PER_HOUR}) — drift check\n`,
+        );
+      }
+    }
+  } catch {}
+}
+
+// Kill-switch
+if (process.env.ARIA_PRE_TOOL_GATE === 'off') {
+  audit('bypass-killswitch', 'env ARIA_PRE_TOOL_GATE=off');
+  process.exit(0);
+}
+
+// Destructive-verb patterns. Tuned for tonight's failure modes; extend
+// over time as new patterns surface.
+const DESTRUCTIVE_PATTERNS = [
+  // sudo only when it's a command verb (start of line or after shell
+  // separator), not when it appears as an argument to another command
+  // (e.g. `echo "sudo …"` or `grep sudo`). The specific verb patterns
+  // below catch the actual destructive operations regardless of sudo
+  // prefix; this rule is the catch-all for arbitrary privilege elevation.
+  { rx: /(?:^|[;&|]\s*|\$\(\s*|`\s*)sudo\s+\S/, name: 'sudo' },
+  { rx: /systemctl\s+(disable|stop|mask|reset-failed|kill)/, name: 'systemctl-state-change' },
+  { rx: /\brm\s+-[rRfF]+/, name: 'rm-recursive-or-force' },
+  { rx: /\bgit\s+push\b.*\b--force\b/, name: 'git-push-force' },
+  { rx: /\bgit\s+reset\s+--hard\b/, name: 'git-reset-hard' },
+  { rx: /\bgit\s+checkout\s+--\b/, name: 'git-checkout-discard' },
+  { rx: /\b--no-verify\b/, name: 'commit-no-verify' },
+  { rx: /\b--no-gpg-sign\b/, name: 'commit-no-gpg-sign' },
+  { rx: /\bkill\s+-(9|KILL|TERM|HUP|INT)\b/, name: 'kill-signal' },
+  { rx: /\bpkill\b/, name: 'pkill' },
+  { rx: /\b(DROP|TRUNCATE)\s+(TABLE|DATABASE|SCHEMA|INDEX)\b/i, name: 'sql-drop-or-truncate' },
+  { rx: /\bkubectl\s+delete\b/, name: 'kubectl-delete' },
+  { rx: /\bkubectl\s+(scale|rollout)\s+(undo|restart)\b/, name: 'kubectl-rollback' },
+];
+
+// The verify-block contract. All five fields required.
+const VERIFY_BLOCK_RX =
+  /<verify>[\s\S]*?target\s*:[\s\S]*?role\s*:[\s\S]*?verified\s*:[\s\S]*?rollback\s*:[\s\S]*?axiom\s*:[\s\S]*?<\/verify>/i;
+
+// 8-lens cognition block per EIGHT_LENS_DOCTRINE.md. Required on
+// non-trivial Bash regardless of whether the command is destructive.
+// Threshold: at least 4 of the 8 lens names must appear inside the
+// block AND each must have substantive content (≥20 chars after the
+// colon, not a placeholder template). The substance check (added
+// 2026-04-26) defeats ritual emission — `nur: ok` no longer counts.
+const COGNITION_BLOCK_RX = /<cognition>([\s\S]*?)<\/cognition>/i;
+const LENS_NAMES = ['nur', 'mizan', 'hikma', 'tafakkur', 'tadabbur', 'ilham', 'wahi', 'firasah'];
+const REQUIRED_LENSES = 4;
+const SUBSTANCE_MIN_CHARS = 20;
+// Placeholder patterns from the gate's own correction message + the
+// COMPACT_CONTINUITY_DOCTRINE template — content matching these is
+// not "thinking," it's a copy-paste of the prompt template.
+const PLACEHOLDER_RX = /^\s*<[^<>]+>\s*$/;
+
+// Trivial reads that don't require a cognition block.
+const TRIVIAL_BASH_RX = /^\s*(?:ls|cat|head|tail|grep|find|echo|wc|stat|which|pwd|date|file|du|df|ss|ps)\s/;
+const SHORT_BASH_LIMIT = 30;
+
+// V3 doctrine (2026-04-26, Hamza): "why is there an ability to bypass?
+// doesnt that fundamentally void the purpose of the harness?" — yes.
+// Per-command bypass is removed entirely. Every bypass this session
+// was traceable to a gate bug, not a legitimate exception. Compliance
+// is the only path for non-trivial work; the kill-switch env remains
+// as the explicit emergency override. When the gate misfires, fix
+// the gate.
+//
+// (DOCTRINE_BYPASS_RX, findBypassDirective, validateStructuredBypass,
+// REQUIRED_BYPASS_FIELDS, BYPASS_FIELD_MIN_CHARS, BYPASS_HARD_LIMIT_PER_HOUR
+// were removed in this commit. The bypass-rate-counter +
+// readRecentBypassCount stay for historical visibility — past audit-log
+// entries are still useful — but no new bypass entries can be created
+// because the bypass code path is gone.)
+
+// Inline command cognition (v2 — added 2026-04-26): cognition
+// embedded in the bash command itself as structured comments.
+// Solves the same-message visibility problem (the transcript-flush
+// race that made same-message cognition invisible to PreToolUse).
+//
+// Two accepted formats:
+//   (a) Per-lens lines: `# nur: <substantive thought>\n# mizan: ...`
+//   (b) Single-line:    `# cognition: nur=<text>; mizan=<text>; ...`
+//
+// Substance check applies (≥SUBSTANCE_MIN_CHARS, not a `<placeholder>`).
+// 4+ substantive lenses inline → gate passes, no transcript scan
+// needed. Cognition becomes a property of THE ACTION, not of some
+// message somewhere — the deepest reading of "cognition before action."
+const INLINE_LENS_LINE_RX_GLOBAL = /^\s*#\s*(nur|mizan|hikma|tafakkur|tadabbur|ilham|wahi|firasah)\s*:\s*(.+)$/gim;
+const INLINE_COGNITION_HEADER_RX = /^\s*#\s*cognition\s*:\s*(.+)$/im;
+
+function detectInlineCognition(cmd) {
+  const names = [];
+  // Per-lens line form
+  const lineMatches = [...cmd.matchAll(INLINE_LENS_LINE_RX_GLOBAL)];
+  for (const m of lineMatches) {
+    const lens = m[1].toLowerCase();
+    const content = (m[2] || '').trim();
+    if (content.length < SUBSTANCE_MIN_CHARS) continue;
+    if (PLACEHOLDER_RX.test(content)) continue;
+    if (!names.includes(lens)) names.push(lens);
+  }
+  // Single-line `# cognition: nur=...; mizan=...` form
+  const headerMatch = cmd.match(INLINE_COGNITION_HEADER_RX);
+  if (headerMatch) {
+    const inlineBody = headerMatch[1];
+    for (const lens of LENS_NAMES) {
+      const lensRx = new RegExp(`\\b${lens}\\s*=\\s*([^;\\n]+)`, 'i');
+      const m = inlineBody.match(lensRx);
+      if (!m) continue;
+      const content = (m[1] || '').trim();
+      if (content.length < SUBSTANCE_MIN_CHARS) continue;
+      if (PLACEHOLDER_RX.test(content)) continue;
+      if (!names.includes(lens)) names.push(lens);
+    }
+  }
+  return { count: names.length, names };
+}
+
+// Substance-checking lens detection (added 2026-04-26 per Hamza's
+// gate-improvement doctrine: form-only emission must not satisfy
+// the gate). For each lens, look for `<lens>: <content>` and verify
+// content is ≥SUBSTANCE_MIN_CHARS of non-placeholder text. Bare
+// `nur` mentions in prose, or `nur: ok`, no longer count — must be
+// substantive thought.
+function detectCognitionLenses(text) {
+  if (!text) return { count: 0, names: [], blockBody: '' };
+  const block = text.match(COGNITION_BLOCK_RX);
+  const searchSpace = block ? block[1] : text;
+  const blockBody = block ? block[1] : '';
+  const names = [];
+  for (const lens of LENS_NAMES) {
+    // Match `lens: <content>` where content extends until the next
+    // lens label, the closing </cognition> tag, or a blank-line break.
+    const lensRx = new RegExp(
+      `\\b${lens}\\s*:\\s*([^\\n]*(?:\\n(?!\\s*(?:${LENS_NAMES.join('|')})\\s*:|<\\/cognition>)[^\\n]*)*)`,
+      'i',
+    );
+    const m = searchSpace.match(lensRx);
+    if (!m) continue;
+    const content = (m[1] || '').trim();
+    if (content.length < SUBSTANCE_MIN_CHARS) continue;
+    if (PLACEHOLDER_RX.test(content)) continue;
+    names.push(lens);
+  }
+  return { count: names.length, names, blockBody };
+}
+
+// Backwards-compat shim — count-only path used by older callers.
+function countCognitionLenses(text) {
+  return detectCognitionLenses(text).count;
+}
+
+// Hive cognition-logging v1.2 — fire-and-forget HTTP push to
+// /api/cognition/log so every gate decision joins the corpus.
+// Failures are silent: the local audit log is the durable record;
+// the network push is additive signal for compounding evolution.
+//
+// Per no-timeouts doctrine (feedback_no_timeouts_doctrine.md): no
+// AbortController deadline. Pile-up protection is structural —
+// in-flight counter caps concurrent pushes. Real network errors
+// drive the catch path; slow responses complete naturally.
+const HARNESS_URL = process.env.ARIA_HARNESS_URL || 'http://192.168.4.25:30080';
+const HARNESS_TOKEN = process.env.ARIA_HARNESS_TOKEN || '';
+const LOG_PUSH_DISABLED = process.env.ARIA_COGNITION_PUSH === 'off';
+const MAX_IN_FLIGHT = 16;
+let inFlight = 0;
+
+function pushCognitionEvent(payload) {
+  if (LOG_PUSH_DISABLED) return;
+  if (inFlight >= MAX_IN_FLIGHT) return;  // structural backpressure, not a deadline
+  try {
+    const body = JSON.stringify(payload);
+    const url = `${HARNESS_URL}/api/cognition/log`;
+    inFlight++;
+    fetch(url, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        ...(HARNESS_TOKEN ? { Authorization: `Bearer ${HARNESS_TOKEN}` } : {}),
+      },
+      body,
+    })
+      .catch(() => {/* real transport error — silent, audit log is durable */})
+      .finally(() => { inFlight--; });
+  } catch {
+    // pre-fetch errors (malformed JSON, env issue) — silent
+  }
+}
+
+// Read event JSON from stdin (Claude Code spec).
+let input = '';
+for await (const chunk of process.stdin) input += chunk;
+
+let event;
+try {
+  event = JSON.parse(input);
+} catch {
+  audit('allow-parse-error', 'stdin not JSON');
+  process.exit(0);  // fail-open on malformed input
+}
+
+const toolName = event.tool_name ?? event.toolName ?? '';
+const toolInput = event.tool_input ?? event.toolInput ?? {};
+
+// Gate every action tool — every tool that mutates state must go through
+// cognition challenge. Hamza 2026-04-26: "regardless if u arent even
+// compliant with it how do we expect workers to be? i truly nees to
+// ship this and ur non compliance is blocking." Per
+// feedback_full_harness_binding_must_be_structural.md the dispatcher
+// (the orchestrator wielding the tool) owns compliance, not the worker
+// that receives a dispatched task. Read/Glob/Grep observe state without
+// changing it, so they remain ungated.
+const ACTION_TOOLS = new Set(['Bash', 'Edit', 'Write', 'NotebookEdit']);
+if (!ACTION_TOOLS.has(toolName)) {
+  process.exit(0);
+}
+
+const cmd = toolName === 'Bash' ? String(toolInput.command ?? '') : '';
+const filePath = toolName !== 'Bash'
+  ? String(toolInput.file_path ?? toolInput.notebook_path ?? '')
+  : '';
+const cmdPreview = toolName === 'Bash'
+  ? cmd.slice(0, 80).replace(/\s+/g, ' ')
+  : `${toolName} ${filePath || '(no path)'}`.slice(0, 80);
+
+// V3: per-command bypass removed entirely. The only escape valves are:
+//   (1) Kill-switch env ARIA_PRE_TOOL_GATE=off — handled at top of file
+//   (2) Trivial-bash whitelist — short read-only commands pass without cognition
+// Compliance is the only path for non-trivial work.
+
+// V2 primary path — inline command cognition. If the command carries
+// 4+ substantive lenses inline, gate passes immediately (still need
+// verify block from transcript for destructive ops, see below).
+const inlineCog = detectInlineCognition(cmd);
+if (inlineCog.count >= REQUIRED_LENSES) {
+  // For destructive commands, still require a verify block in the
+  // recent transcript (verify is fundamentally about pre-action
+  // verification of state, not about the command's own thought).
+  // We'll do that check below alongside the existing flow but skip
+  // the cognition-from-transcript check entirely since we have it
+  // inline.
+}
+
+// Destructive-pattern + trivial-read + short-command shortcuts apply
+// only to Bash. Edit / Write / NotebookEdit always require cognition —
+// they have no triviality concept (you don't "trivially" mutate a file)
+// and no command-text to inspect for destructive verbs (the destructive
+// shape is "this Edit might overwrite something important," which is
+// exactly what cognition is for).
+const matched = toolName === 'Bash'
+  ? DESTRUCTIVE_PATTERNS.find(({ rx }) => rx.test(cmd))
+  : null;
+const isTrivialRead = toolName === 'Bash' && TRIVIAL_BASH_RX.test(cmd) && cmd.length < 200;
+const isShort = toolName === 'Bash' && cmd.length < SHORT_BASH_LIMIT;
+
+if (!matched && (isTrivialRead || isShort)) {
+  // Not destructive AND trivial — allow without further checks. Only
+  // reachable for Bash because both flags are forced false otherwise.
+  process.exit(0);
+}
+
+// Read recent assistant turns for both verify + cognition blocks.
+//
+// Doctrine being implemented: cognition is *turn-scoped*, not
+// message-scoped. A model that emits a <cognition> block once at the
+// top of a turn and then executes 20 tool_use round-trips has done
+// its 8-lens application — gating each individual message would be
+// performative, not enforcement.
+//
+// Algorithm: walk back from the most recent transcript entry,
+// accumulating assistant text. Stop after crossing exactly ONE user
+// message — that captures "everything the model said this turn" plus
+// the immediately-prior assistant turn's tail (so cognition that
+// carried over a turn boundary still counts). Hard cap at 30
+// messages to bound work on huge transcripts.
+//
+// Compact robustness: Claude Code rewrites the transcript with a
+// summary stub as the most recent assistant entry. We recognize and
+// skip those by content heuristic so they don't poison the search.
+const COMPACT_SUMMARY_RX = /(this session is being continued|conversation that ran out of context|primary request and intent|all user messages)/i;
+// System-reminder messages are stored with role=user but are runtime-
+// injected (PreToolUse blocks for any tool, Stop blocks, task-
+// notifications, gentle reminders, harness packet preview chunks).
+// Counting them as turn boundaries evaporated the cognition lookback
+// in client-tonight sessions where the harness packet preview alone
+// is 36k chars per turn — old `length < 4000` skip threshold trapped
+// every reminder as a boundary. Now: PERCENTAGE-OF-CONTENT skip via
+// total reminder-span coverage as a fraction of total content length.
+// ≥60% reminder coverage → skip as runtime-injected.
+const SYSTEM_REMINDER_RX = /<system-reminder>[\s\S]*?<\/system-reminder>|<task-notification>[\s\S]*?<\/task-notification>|🔐 Aria Harness|task-notification|PreToolUse:[A-Z][A-Za-z]* hook blocking error|Stop hook blocking error/g;
+const SYSTEM_REMINDER_THRESHOLD = 0.6;
+const HARD_LOOKBACK_CAP = 50;
+// Bumped from 2 → 5 (2026-04-26): client-tonight session has many
+// system-reminder injections per turn (block errors, task-list
+// reminders, harness packet preview). Tight boundary count plus
+// the broken length-based reminder skip evaporated cognition lookback
+// even when cognition was emitted in the prior assistant text. Per
+// Hamza directive "fix the gate, don't route around it" — widen the
+// window since the substance check defends quality regardless.
+const USER_BOUNDARIES_TO_CROSS = 5;
+
+const transcriptPath = event.transcript_path ?? event.transcriptPath;
+const recentAssistantTexts = [];
+if (transcriptPath && existsSync(transcriptPath)) {
+  try {
+    const lines = readFileSync(transcriptPath, 'utf-8').split('\n').filter(Boolean);
+    let userBoundariesCrossed = 0;
+    let scanned = 0;
+    for (let i = lines.length - 1; i >= 0 && scanned < HARD_LOOKBACK_CAP; i--) {
+      try {
+        const m = JSON.parse(lines[i]);
+        const role = m.message?.role ?? m.role;
+        if (role === 'user') {
+          // Skip messages that aren't real user input:
+          //   (a) tool_result blocks (runtime feeding back tool output)
+          //   (b) system-reminder injections (PreToolUse blocks,
+          //       task-notifications, gentle reminders) — runtime-
+          //       authored, not user voice. Counting them eats the
+          //       cognition lookback in tool-heavy or block-heavy turns.
+          const content = m.message?.content ?? m.content ?? [];
+          const isToolResultOnly =
+            Array.isArray(content) &&
+            content.length > 0 &&
+            content.every((b) => b && b.type === 'tool_result');
+          if (isToolResultOnly) continue;
+          // Inspect text content for system-reminder patterns.
+          const textContent = Array.isArray(content)
+            ? content.filter((b) => b && b.type === 'text').map((b) => b.text || '').join('\n')
+            : (typeof content === 'string' ? content : '');
+          if (textContent) {
+            // Compute reminder-span coverage as fraction of total
+            // content. The /g flag on SYSTEM_REMINDER_RX returns ALL
+            // spans; sum their lengths and compare to total.
+            const reminderMatches = textContent.match(SYSTEM_REMINDER_RX) || [];
+            if (reminderMatches.length > 0) {
+              const reminderChars = reminderMatches.reduce((sum, s) => sum + s.length, 0);
+              const fraction = reminderChars / Math.max(1, textContent.length);
+              if (fraction >= SYSTEM_REMINDER_THRESHOLD) continue;
+              // Otherwise (user wrote substantive text alongside the
+              // reminder — the non-reminder portion is >40% of content)
+              // fall through and count as a real boundary.
+            }
+          }
+          userBoundariesCrossed++;
+          if (userBoundariesCrossed > USER_BOUNDARIES_TO_CROSS) break;
+          continue;
+        }
+        if (role !== 'assistant') continue;
+        scanned++;
+        const content = m.message?.content ?? m.content ?? [];
+        if (!Array.isArray(content)) continue;
+        const text = content
+          .filter((b) => b.type === 'text')
+          .map((b) => b.text)
+          .join('\n');
+        if (!text) continue;
+        // Skip compact-summary stubs — they live where assistant turns
+        // used to be but are system-authored, not the model's voice.
+        if (COMPACT_SUMMARY_RX.test(text) && text.length > 4000) continue;
+        recentAssistantTexts.push(text);
+      } catch {}
+    }
+  } catch {}
+}
+
+// Detect cognition / verify across the recent assistant window. Lenses
+// from any of the last N turns count; the gate is checking whether
+// cognition has been done recently, not whether it was done in the
+// literal last message (which can be a tool-only turn or a stub).
+const unionText = recentAssistantTexts.join('\n\n');
+const transcriptCog = detectCognitionLenses(unionText);
+// Combine inline-command cognition (preferred — action-coupled) with
+// transcript scan (fallback). Inline takes precedence on lens names;
+// counts merge for the threshold check.
+const mergedLensSet = new Set([...inlineCog.names, ...transcriptCog.names]);
+const lensCount = mergedLensSet.size;
+const lensNames = [...mergedLensSet];
+const cogBlockBody = transcriptCog.blockBody;
+const hasVerify = VERIFY_BLOCK_RX.test(unionText);
+const hasCognition = lensCount >= REQUIRED_LENSES;
+const cognitionSource = inlineCog.count >= REQUIRED_LENSES
+  ? 'inline-command'
+  : (transcriptCog.count >= REQUIRED_LENSES ? 'transcript-scan' : 'merged-or-insufficient');
+
+// Best-effort session id for the corpus push. Claude Code passes
+// session_id in the event payload; fall back to transcript file
+// basename so events from the same session cluster.
+const sessionId =
+  event.session_id ??
+  event.sessionId ??
+  (transcriptPath ? transcriptPath.split('/').pop()?.replace(/\.[^.]+$/, '') : null) ??
+  'claude-code-unknown';
+
+function pushDecision(decision, reasonText) {
+  pushCognitionEvent({
+    sessionId,
+    client: 'claude-code',
+    surface: 'pre-tool-gate',
+    rawBlock: cogBlockBody ? `<cognition>${cogBlockBody}</cognition>` : null,
+    lensesApplied: lensNames,
+    blockChars: unionText.length,
+    nextActionKind: toolName === 'Bash' ? 'bash' : toolName.toLowerCase(),
+    nextActionSummary: cmdPreview,
+    gateName: 'aria-pre-tool-gate',
+    gateDecision: decision,
+    gateReason: reasonText,
+    metadata: {
+      destructivePattern: matched?.name ?? null,
+      hasVerify,
+      hasCognition,
+    },
+  });
+}
+
+if (matched) {
+  // Destructive — require BOTH verify (from transcript) AND cognition
+  // (inline command preferred; transcript fallback). Verify stays
+  // transcript-only because it's about pre-action substrate
+  // verification, not about the command's own thought.
+  if (hasVerify && hasCognition) {
+    audit(`allow-verified-cognition ${matched.name} lenses=${lensCount} via=${cognitionSource}`, cmdPreview);
+    pushDecision('allow', `verified+cognition for ${matched.name} (${cognitionSource})`);
+    process.exit(0);
+  }
+  // Block with appropriate corrective message.
+  const reason = !hasVerify
+    ? `Aria pre-tool gate: destructive pattern '${matched.name}' detected. Per harness mizan_prestage_rule + axiom_runtime_rule (admit_ignorance, reflection_before_action), include a <verify> block in your assistant response BEFORE the tool call.
+
+<verify>
+  target: <exactly what is being changed>
+  role: <what that target does — verified, not assumed>
+  verified: <how you verified: tool output / file read / DB query / asked user>
+  rollback: <exact command to reverse this change>
+  axiom: <which harness rule applies>
+</verify>
+
+Re-issue after producing the block. Bypass: '# doctrine-authorized: <reason>' inline. Kill: ARIA_PRE_TOOL_GATE=off.`
+    : `Aria pre-tool gate: destructive pattern '${matched.name}' has its <verify> block, but the <cognition> block is missing or shows only ${lensCount}/${REQUIRED_LENSES}+ required lenses. Per EIGHT_LENS_DOCTRINE.md every non-trivial action requires visible 8-lens application.
+
+<cognition>
+  nur:      <what you see plainly, specific to this task>
+  mizan:    <what's out of proportion / risk profile>
+  hikma:    <what memory or principle applies>
+  tafakkur: <deep structural read>
+  tadabbur: <if-then chain>
+  ilham:    <distant connection>
+  wahi:     <what just landed in this turn>
+  firasah:  <what user actually needs>
+</cognition>
+
+At least 4 substantive lenses required. Bypass: '# doctrine-authorized: <reason>' inline.`;
+  audit(`block ${matched.name} verify=${hasVerify} cognition=${lensCount}`, cmdPreview);
+  pushDecision('block', `destructive ${matched.name} missing ${!hasVerify ? 'verify' : 'cognition'}`);
+  console.log(JSON.stringify({ decision: 'block', reason }));
+  process.exit(2);
+}
+
+// Non-trivial but not destructive — require cognition. For Bash the
+// inline-comment path is preferred (action-coupled). For Edit / Write /
+// NotebookEdit there's no command field, so transcript-scan cognition
+// is the only path.
+if (!hasCognition) {
+  const isBash = toolName === 'Bash';
+  const header = isBash
+    ? `Aria pre-tool gate: non-trivial Bash command without ${REQUIRED_LENSES}+ substantive cognition lenses. Found ${lensCount}/${REQUIRED_LENSES}+ (inline=${inlineCog.count}, transcript=${transcriptCog.count}).`
+    : `Aria pre-tool gate: ${toolName} call without ${REQUIRED_LENSES}+ substantive cognition lenses in the recent transcript. Found ${lensCount}/${REQUIRED_LENSES}+ (transcript-scan only — ${toolName} has no inline-cognition path).`;
+
+  const guidance = isBash
+    ? `PREFERRED (v2 — action-coupled): inline cognition in the command itself —
+  # nur: <real perception, ≥${SUBSTANCE_MIN_CHARS} chars, no <placeholder>>
+  # mizan: <real risk read>
+  # hikma: <doctrine that applies>
+  # tafakkur: <deep structural read>
+  <your actual command here>
+
+This solves the same-message visibility problem and couples cognition to THIS specific action.
+
+FALLBACK: emit a <cognition>...</cognition> block in your assistant text with ${REQUIRED_LENSES}+ substantive lenses. Substance check applies: each lens must have ≥${SUBSTANCE_MIN_CHARS} chars of non-placeholder content.`
+    : `Emit a <cognition>...</cognition> block in your assistant text BEFORE this ${toolName} call, with ${REQUIRED_LENSES}+ substantive lenses. Substance check: each lens must have ≥${SUBSTANCE_MIN_CHARS} chars of non-placeholder content. Cognition is turn-scoped — one block at the start of a turn covers all ${toolName} calls in that turn.
+
+  <cognition>
+    nur:      <what you see plainly, specific to this edit>
+    mizan:    <what's out of proportion — what could this overwrite or break?>
+    hikma:    <doctrine that applies (name the source)>
+    tafakkur: <deep structural read>
+    tadabbur: <if-then chain — what follows from this edit>
+    ilham:    <distant connection a less-careful editor would miss>
+    wahi:     <what just landed in this turn that justifies this edit>
+    firasah:  <what user actually needs underneath>
+  </cognition>`;
+
+  const reason = `${header}
+
+${guidance}
+
+No per-tool bypass available (v3 doctrine — the harness's whole purpose is no exceptions). Kill-switch: ARIA_PRE_TOOL_GATE=off (logged, emergency only). If the gate misfires on legitimate cognition, fix the gate.`;
+
+  audit(`block ${toolName.toLowerCase()} cognition=${lensCount}`, cmdPreview);
+  pushDecision('block', `${toolName.toLowerCase()} missing cognition (${lensCount}/${REQUIRED_LENSES})`);
+  console.log(JSON.stringify({ decision: 'block', reason }));
+  process.exit(2);
+}
+
+// Non-trivial action with cognition (inline for Bash, transcript for
+// Edit/Write/NotebookEdit) — allow.
+audit(`allow-cognition ${toolName.toLowerCase()} lenses=${lensCount} via=${cognitionSource}`, cmdPreview);
+pushDecision('allow', `${toolName.toLowerCase()} with ${lensCount} lenses (${cognitionSource})`);
+process.exit(0);