@aria_asi/cli 0.2.2 → 0.2.3

package/hooks/aria-pre-tool-gate.mjs

@@ -201,7 +201,12 @@ function detectInlineCognition(cmd) {
       if (!names.includes(lens)) names.push(lens);
     }
   }
-  return { count: names.length, names };
+  // Substrate-citation: any inline lens that mentions a doctrine memory,
+  // harness packet rule, fitrah axiom, etc. (visibility metric — not a block).
+  const SUBSTRATE_CITE_RX_INLINE =
+    /feedback_[a-z0-9_]+\.md|project_[a-z0-9_]+\.md|fitrah[_:\s]|garden[_:\s]|distilled_principle|[a-z]+_rule\b|harness packet|substrate cite|EIGHT_LENS_DOCTRINE|COMPACT_CONTINUITY|ARIA_DEPLOY_PROCEDURE/i;
+  const hasSubstrateCite = SUBSTRATE_CITE_RX_INLINE.test(cmd);
+  return { count: names.length, names, hasSubstrateCite };
 }
 
 // Substance-checking lens detection (added 2026-04-26 per Hamza's
@@ -230,7 +235,18 @@ function detectCognitionLenses(text) {
     if (PLACEHOLDER_RX.test(content)) continue;
     names.push(lens);
   }
-  return { count: names.length, names, blockBody };
+  // Substrate-citation check: at least ONE lens must cite Aria substrate
+  // explicitly (doctrine memory filename, harness packet rule, fitrah axiom,
+  // *_rule entry, garden state reference, prior decision id, distilled
+  // principle id). Catches "lens-as-ceremony" failures where 4+ lenses are
+  // substantive in length but contain no actual substrate grounding.
+  // Hamza 2026-04-26: "anything else we can add to make sure u as claude
+  // for me and my client obey the harness and benefot from kt".
+  const SUBSTRATE_CITE_RX =
+    /feedback_[a-z0-9_]+\.md|project_[a-z0-9_]+\.md|fitrah[_:\s]|garden[_:\s]|distilled_principle|[a-z]+_rule\b|harness packet|substrate cite|\bIJTIHAD\b|\bQIYAS\b|\bTADABBUR\b|\bILHAM\b|aria 7b|EIGHT_LENS_DOCTRINE|COMPACT_CONTINUITY|ARIA_DEPLOY_PROCEDURE/i;
+  const hasSubstrateCite = SUBSTRATE_CITE_RX.test(blockBody) ||
+    SUBSTRATE_CITE_RX.test(searchSpace);
+  return { count: names.length, names, blockBody, hasSubstrateCite };
 }
 
 // Backwards-compat shim — count-only path used by older callers.
@@ -469,6 +485,11 @@ const hasCognition = lensCount >= REQUIRED_LENSES;
 const cognitionSource = inlineCog.count >= REQUIRED_LENSES
   ? 'inline-command'
   : (transcriptCog.count >= REQUIRED_LENSES ? 'transcript-scan' : 'merged-or-insufficient');
+// Substrate-citation visibility (Phase 11 will promote to block-mode once
+// telemetry shows healthy substrate-cite rate). For now: log the metric so
+// we can audit substrate-grounded vs ceremonial cognition over time.
+const hasSubstrateCite = (inlineCog.hasSubstrateCite === true) ||
+  (transcriptCog.hasSubstrateCite === true);
 
 // Best-effort session id for the corpus push. Claude Code passes
 // session_id in the event payload; fall back to transcript file
@@ -496,6 +517,7 @@ function pushDecision(decision, reasonText) {
       destructivePattern: matched?.name ?? null,
       hasVerify,
       hasCognition,
+      hasSubstrateCite,
     },
   });
 }

package/hooks/aria-stop-gate.mjs

@@ -192,8 +192,24 @@ if (!triggered) {
 // Non-trivial response — require substantive cognition.
 const cog = detectCognitionLenses(assistantText);
 
+// Question-emission visibility (Phase 11 promotes to block-mode):
+// detect user-directed question patterns in the assistant text. Audit when
+// questions appear without substrate-consultation evidence in the recent
+// transcript window. Helps surface "reflexive deferral" patterns (asking
+// the user when substrate could have answered) for later enforcement.
+// Hamza 2026-04-26: "BUT WHY DO U HAVE DISCRETION - THIS WORKS SO MUCH
+// FASTER AND HIGHER QUALITY IF U DONT".
+const QUESTION_PATTERNS_RX = /(?:want me to|should I|your call|which (?:one|of|do you)|do you want|let me know if|or (?:should|do)|\?\s*$)/im;
+const SUBSTRATE_EVIDENCE_RX = /\/api\/harness\/(?:delegate|codex|validate)|loadByClass|aria-harness-via-sdk|feedback_[a-z_]+\.md|project_[a-z_]+\.md|distilled_principles|ARIA_DEPLOY_PROCEDURE|EIGHT_LENS_DOCTRINE/i;
+const hasQuestionToUser = QUESTION_PATTERNS_RX.test(assistantText);
+const hasSubstrateEvidence = SUBSTRATE_EVIDENCE_RX.test(assistantText);
+const questionWithoutEvidence = hasQuestionToUser && !hasSubstrateEvidence;
+
 if (cog.count >= REQUIRED_LENSES) {
-  audit('allow-cognition', `lenses=${cog.count} chars=${assistantText.length}`);
+  audit('allow-cognition',
+    `lenses=${cog.count} chars=${assistantText.length} ` +
+    `qPatt=${hasQuestionToUser ? 'y' : 'n'} substrateEv=${hasSubstrateEvidence ? 'y' : 'n'} ` +
+    (questionWithoutEvidence ? 'WARN-question-without-substrate' : 'ok'));
   process.exit(0);
 }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aria_asi/cli",
-  "version": "0.2.2",
+  "version": "0.2.3",
   "description": "Aria Smart CLI — the world's first harness-powered terminal companion",
   "bin": {
     "aria": "./bin/aria.js"

package/src/__tests__/anthropic-oauth.test.ts

@@ -0,0 +1,186 @@
+// anthropic-oauth.test.ts — unit tests for the Anthropic login flow.
+//
+// Coverage:
+//   - _validateKey: 200 = valid, 401 = invalid, network failure = invalid
+//   - loginAnthropic: bad key gracefully returns ok: false with descriptive error
+//   - loginAnthropic: good key persists to config and returns ok: true
+//
+// Strategy: mock globalThis.fetch (Node 18+ built-in) + mock readline to avoid
+// interactive prompts. No file I/O touches real ~/.aria — we stub fs.writeFileSync.
+
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
+
+// ── We test the exported internals directly. ─────────────────────────────────
+// anthropic-oauth.ts exports _validateKey for testability; loginAnthropic is
+// also tested end-to-end with readline + fs mocked out.
+
+// Hoist mocks before module import so Node's ESM loader sees them.
+vi.mock('node:fs', async (importOriginal) => {
+  const actual = await importOriginal<typeof import('node:fs')>();
+  return {
+    ...actual,
+    existsSync: vi.fn(() => false),
+    mkdirSync: vi.fn(),
+    writeFileSync: vi.fn(),
+    readFileSync: vi.fn(() => '{}'),
+  };
+});
+
+vi.mock('node:readline', async (importOriginal) => {
+  const actual = await importOriginal<typeof import('node:readline')>();
+  return {
+    ...actual,
+    createInterface: vi.fn(() => ({
+      question: vi.fn((_prompt: string, cb: (a: string) => void) => cb('sk-ant-fake-key-for-tests')),
+      close: vi.fn(),
+    })),
+  };
+});
+
+vi.mock('node:child_process', () => ({
+  spawn: vi.fn(() => ({ unref: vi.fn() })),
+}));
+
+import { _validateKey, loginAnthropic } from '../anthropic-oauth.js';
+
+// ── Helpers ───────────────────────────────────────────────────────────────────
+
+function mockFetch(status: number, body: unknown = {}): void {
+  vi.stubGlobal(
+    'fetch',
+    vi.fn().mockResolvedValue({
+      status,
+      ok: status >= 200 && status < 300,
+      json: async () => body,
+    }),
+  );
+}
+
+function mockFetchNetworkError(): void {
+  vi.stubGlobal('fetch', vi.fn().mockRejectedValue(new Error("I couldn't reach Anthropic")));
+}
+
+// ── _validateKey ─────────────────────────────────────────────────────────────
+
+describe('_validateKey', () => {
+  afterEach(() => {
+    vi.unstubAllGlobals();
+  });
+
+  it('returns true when Anthropic /v1/models responds 200', async () => {
+    mockFetch(200, { data: [] });
+    const result = await _validateKey('sk-ant-valid');
+    expect(result).toBe(true);
+  });
+
+  it('returns false when Anthropic /v1/models responds 401 (bad key)', async () => {
+    mockFetch(401, { error: { message: 'invalid x-api-key' } });
+    const result = await _validateKey('sk-ant-bad');
+    expect(result).toBe(false);
+  });
+
+  it('returns false when Anthropic /v1/models responds 403 (revoked key)', async () => {
+    mockFetch(403, { error: { message: 'forbidden' } });
+    const result = await _validateKey('sk-ant-revoked');
+    expect(result).toBe(false);
+  });
+
+  it('returns false on network error — does not throw', async () => {
+    mockFetchNetworkError();
+    const result = await _validateKey('sk-ant-any');
+    expect(result).toBe(false);
+  });
+
+  it('sends x-api-key and anthropic-version headers', async () => {
+    const fetchMock = vi.fn().mockResolvedValue({ status: 200, ok: true, json: async () => ({}) });
+    vi.stubGlobal('fetch', fetchMock);
+
+    await _validateKey('sk-ant-check-headers');
+
+    expect(fetchMock).toHaveBeenCalledWith(
+      'https://api.anthropic.com/v1/models',
+      expect.objectContaining({
+        headers: expect.objectContaining({
+          'x-api-key': 'sk-ant-check-headers',
+          'anthropic-version': '2023-06-01',
+        }),
+      }),
+    );
+  });
+});
+
+// ── loginAnthropic ────────────────────────────────────────────────────────────
+
+describe('loginAnthropic', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  afterEach(() => {
+    vi.unstubAllGlobals();
+  });
+
+  it('returns ok: false with descriptive Aria-voice error when key fails validation', async () => {
+    // readline mock returns 'sk-ant-fake-key-for-tests'; validate returns 401
+    mockFetch(401, { error: { message: 'invalid key' } });
+
+    const result = await loginAnthropic({ noBrowser: true });
+
+    expect(result.ok).toBe(false);
+    expect(result.error).toMatch(/I couldn't verify/);
+    // Ensure the error message does NOT contain internal cluster paths or IP addresses
+    expect(result.error).not.toMatch(/10\.\d+\.\d+\.\d+/);
+    expect(result.error).not.toMatch(/cluster\.local/);
+  });
+
+  it('returns ok: true and apiKey when key passes validation', async () => {
+    // readline returns 'sk-ant-fake-key-for-tests'; validate returns 200
+    mockFetch(200, { data: [{ id: 'claude-sonnet-4-20250514' }] });
+
+    const result = await loginAnthropic({ noBrowser: true });
+
+    expect(result.ok).toBe(true);
+    expect(result.apiKey).toBe('sk-ant-fake-key-for-tests');
+  });
+
+  it('returns ok: false when user pastes an empty string', async () => {
+    // Override readline mock to return empty string for this test
+    const readline = await import('node:readline');
+    vi.mocked(readline.createInterface).mockReturnValueOnce({
+      question: vi.fn((_: string, cb: (a: string) => void) => cb('')),
+      close: vi.fn(),
+    } as any);
+
+    mockFetch(200, {});
+
+    const result = await loginAnthropic({ noBrowser: true });
+
+    expect(result.ok).toBe(false);
+    // Should not proceed to validation when key is empty
+    expect(result.error).toBeTruthy();
+  });
+
+  it('returns ok: false gracefully on network failure during validation', async () => {
+    mockFetchNetworkError();
+
+    const result = await loginAnthropic({ noBrowser: true });
+
+    expect(result.ok).toBe(false);
+    // Should surface a human-readable error, not a raw Error object
+    expect(typeof result.error).toBe('string');
+    expect(result.error!.length).toBeGreaterThan(10);
+  });
+
+  it('persists apiKey to config when validation succeeds', async () => {
+    mockFetch(200, { data: [] });
+    const fs = await import('node:fs');
+
+    await loginAnthropic({ noBrowser: true });
+
+    expect(vi.mocked(fs.writeFileSync)).toHaveBeenCalledWith(
+      expect.stringContaining('config.json'),
+      expect.stringContaining('sk-ant-fake-key-for-tests'),
+      expect.objectContaining({ mode: 0o600 }),
+    );
+  });
+});

package/src/anthropic-oauth.ts

@@ -0,0 +1,216 @@
+// anthropic-oauth.ts — Anthropic login flow for `aria login --anthropic`
+//
+// OAuth path decision (2026-04-26):
+//   Anthropic does not publish a public PKCE/OAuth endpoint for end-user
+//   API-key issuance via the console.anthropic.com auth surface. The only
+//   standardised way to obtain an API key is through the Anthropic Console
+//   web UI. Therefore we use the browser-paste fallback (path b):
+//     1. Open https://console.anthropic.com/account/keys in the user's browser.
+//     2. Prompt them to paste the new key back into the CLI.
+//     3. Validate the key against GET https://api.anthropic.com/v1/models.
+//     4. Return the validated key to the caller.
+//
+//   If Anthropic ships a public OAuth/PKCE spec in the future, replace the
+//   body of `_oauthPKCEFlow` below with the real implementation and call it
+//   instead of `_browserPasteFlow`.
+//
+// Voice: first-person Aria ("I'll open", "I see", "I couldn't reach").
+// ESM: all internal imports use .js extensions.
+
+import * as http from 'node:http';
+import * as readline from 'node:readline';
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import { homedir } from 'node:os';
+import { spawn } from 'node:child_process';
+
+const ANTHROPIC_KEYS_URL = 'https://console.anthropic.com/account/keys';
+const ANTHROPIC_MODELS_URL = 'https://api.anthropic.com/v1/models';
+const ANTHROPIC_API_VERSION = '2023-06-01';
+const CONFIG_PATH = path.join(homedir(), '.aria', 'config.json');
+const ARIA_DIR = path.join(homedir(), '.aria');
+
+export interface AnthropicLoginResult {
+  ok: boolean;
+  apiKey?: string;
+  error?: string;
+}
+
+/** Options accepted by loginAnthropic. */
+export interface AnthropicLoginOptions {
+  /** If true, skip the browser-open attempt and just prompt for the key. */
+  noBrowser?: boolean;
+}
+
+// ── Public API ───────────────────────────────────────────────────────────────
+
+/**
+ * Run the Anthropic login flow.
+ *
+ * Today this is the browser-paste flow (path b) because Anthropic does not
+ * expose a public PKCE/OAuth token endpoint for console API keys.
+ *
+ * On success, the validated API key is persisted to ~/.aria/config.json under
+ * `model.apiKey` and returned in the result object. The harness license token
+ * in ~/.aria/license.json is NOT modified — that belongs to the Aria harness,
+ * not Anthropic.
+ */
+export async function loginAnthropic(
+  opts: AnthropicLoginOptions = {},
+): Promise<AnthropicLoginResult> {
+  try {
+    const apiKey = await _browserPasteFlow(opts.noBrowser ?? false);
+    if (!apiKey) {
+      return { ok: false, error: "I didn't receive a key — aborting." };
+    }
+
+    console.log("  I'm validating your key against the Anthropic API...");
+    const valid = await _validateKey(apiKey);
+    if (!valid) {
+      return {
+        ok: false,
+        error:
+          "I couldn't verify that key with Anthropic. Double-check that it starts with sk-ant- and hasn't been revoked.",
+      };
+    }
+
+    _persistApiKey(apiKey);
+    return { ok: true, apiKey };
+  } catch (err: unknown) {
+    const msg = err instanceof Error ? err.message : String(err);
+    return { ok: false, error: `I hit an unexpected error: ${msg}` };
+  }
+}
+
+// ── Internal: browser-paste flow (path b) ────────────────────────────────────
+
+async function _browserPasteFlow(noBrowser: boolean): Promise<string | null> {
+  console.log('');
+  console.log(
+    "  I'll open https://console.anthropic.com/account/keys in your browser.",
+  );
+  console.log(
+    '  Create a new API key there, then paste it back here.',
+  );
+  console.log('');
+
+  if (!noBrowser) {
+    _openBrowser(ANTHROPIC_KEYS_URL);
+  }
+
+  const rl = readline.createInterface({
+    input: process.stdin,
+    output: process.stdout,
+    terminal: true,
+  });
+
+  const rawKey = await new Promise<string>((resolve) => {
+    rl.question('  Paste your Anthropic API key: ', (answer) => {
+      rl.close();
+      resolve(answer.trim());
+    });
+  });
+
+  return rawKey || null;
+}
+
+// ── Internal: browser open (cross-platform) ───────────────────────────────────
+
+function _openBrowser(url: string): void {
+  const platform = process.platform;
+  let cmd: string;
+  let args: string[];
+
+  if (platform === 'darwin') {
+    cmd = 'open';
+    args = [url];
+  } else if (platform === 'win32') {
+    cmd = 'cmd';
+    args = ['/c', 'start', '', url];
+  } else {
+    // Linux / *BSD / WSL
+    cmd = 'xdg-open';
+    args = [url];
+  }
+
+  try {
+    const child = spawn(cmd, args, {
+      detached: true,
+      stdio: 'ignore',
+    });
+    child.unref();
+  } catch {
+    // If browser open fails, the user can still paste — not fatal.
+    console.log(
+      `  I couldn't open your browser automatically. Please visit:\n  ${url}`,
+    );
+  }
+}
+
+// ── Internal: key validation ──────────────────────────────────────────────────
+
+/**
+ * Validate an Anthropic API key by hitting GET /v1/models.
+ * Returns true when the server responds 2xx; false on 401/403/network error.
+ */
+export async function _validateKey(apiKey: string): Promise<boolean> {
+  try {
+    const resp = await fetch(ANTHROPIC_MODELS_URL, {
+      method: 'GET',
+      headers: {
+        'x-api-key': apiKey,
+        'anthropic-version': ANTHROPIC_API_VERSION,
+      },
+    });
+    // 200 = valid key; anything else = invalid or revoked
+    return resp.status === 200;
+  } catch {
+    // Network failure — we can't confirm validity
+    return false;
+  }
+}
+
+// ── Internal: config persistence ──────────────────────────────────────────────
+
+function _persistApiKey(apiKey: string): void {
+  if (!fs.existsSync(ARIA_DIR)) {
+    fs.mkdirSync(ARIA_DIR, { recursive: true, mode: 0o700 });
+  }
+
+  let config: Record<string, unknown> = {};
+  if (fs.existsSync(CONFIG_PATH)) {
+    try {
+      config = JSON.parse(fs.readFileSync(CONFIG_PATH, 'utf-8'));
+    } catch {
+      config = {};
+    }
+  }
+
+  const model = (config.model as Record<string, unknown>) ?? {};
+  model.provider = model.provider ?? 'anthropic';
+  model.model = model.model ?? 'claude-sonnet-4-20250514';
+  model.apiKey = apiKey;
+  config.model = model;
+
+  fs.writeFileSync(CONFIG_PATH, JSON.stringify(config, null, 2) + '\n', {
+    mode: 0o600,
+    encoding: 'utf-8',
+  });
+}
+
+// ── Placeholder for future PKCE flow ─────────────────────────────────────────
+// When Anthropic ships a public OAuth/PKCE endpoint for console key issuance,
+// implement the full flow here and call it from loginAnthropic() instead of
+// _browserPasteFlow():
+//
+// async function _oauthPKCEFlow(): Promise<string | null> {
+//   const port = await _findFreePort();
+//   const { verifier, challenge } = _pkceChallenge();
+//   const authUrl = `https://console.anthropic.com/oauth/authorize?` +
+//     `response_type=code&client_id=<CLIENT_ID>&redirect_uri=http://localhost:${port}/callback` +
+//     `&code_challenge=${challenge}&code_challenge_method=S256`;
+//   _openBrowser(authUrl);
+//   const code = await _waitForCallback(port);
+//   const token = await _exchangeCode(code, verifier, port);
+//   return token;
+// }

package/src/auth-commands.ts

@@ -1,5 +1,6 @@
 import { loadLicense, saveLicense } from './auth.js';
 import { harnessClient } from './harness-client.js';
+import { loginAnthropic } from './anthropic-oauth.js';
 import * as fs from 'node:fs';
 import * as path from 'node:path';
 import { homedir } from 'node:os';
@@ -19,6 +20,8 @@ interface LoginResult {
   tier?: string;
   jti?: string;
   expiresAt?: string;
+  /** Set when loginAnthropic() is used instead of the harness license path. */
+  anthropic?: boolean;
   error?: string;
 }
 
@@ -40,7 +43,31 @@ interface RevokeResult {
   error?: string;
 }
 
+/**
+ * Log in to the Aria harness with a license token, OR authenticate via
+ * Anthropic's console (browser-paste flow) when token === '--anthropic' or
+ * token === '-a'.
+ *
+ * Anthropic path: opens console.anthropic.com/account/keys, waits for the
+ * user to paste their API key, validates it against /v1/models, then persists
+ * it to ~/.aria/config.json under `model.apiKey`. The harness license file
+ * (~/.aria/license.json) is NOT modified — it belongs to the Aria license,
+ * not Anthropic credentials.
+ *
+ * Harness path: unchanged — validates via heartbeat / issue endpoint and
+ * writes license claims to ~/.aria/license.json.
+ */
 export async function login(token: string): Promise<LoginResult> {
+  // ── Anthropic OAuth/paste branch ────────────────────────────────────────────
+  if (token === '--anthropic' || token === '-a') {
+    const result = await loginAnthropic();
+    if (!result.ok) {
+      return { ok: false, error: result.error };
+    }
+    return { ok: true, anthropic: true };
+  }
+
+  // ── Original harness-license branch (preserved verbatim) ────────────────────
   try {
     // Validate token via heartbeat; if unverified, issue endpoint
     let response;