@aria_asi/cli 0.2.23 → 0.2.24

package/dist/sdk/BUNDLED.json

@@ -1,5 +1,5 @@
 {
-  "bundledAt": "2026-04-28T00:58:19.765Z",
+  "bundledAt": "2026-04-28T01:07:13.445Z",
   "sdkSource": "/home/hamzaibrahim1/rei-ai-brain/harness/packages/harness-http-client/dist",
   "files": 3
 }

package/hooks/aria-harness-via-sdk.mjs

@@ -17,7 +17,7 @@
 
 import { createHash } from 'node:crypto';
 import { spawnSync } from 'node:child_process';
-import { appendFileSync, existsSync, readFileSync, writeFileSync, mkdirSync } from 'node:fs';
+import { appendFileSync, existsSync, readFileSync, writeFileSync, mkdirSync, statSync } from 'node:fs';
 import { dirname } from 'node:path';
 import { createConnection } from 'node:net';
 
@@ -110,7 +110,7 @@ function loadCachedPacket() {
   try {
     if (existsSync(PACKET_CACHE)) {
       const stat = readFileSync(PACKET_CACHE, 'utf8');
-      const ageSec = (Date.now() - (existsSync(PACKET_CACHE) ? require('fs').statSync(PACKET_CACHE).mtimeMs : 0)) / 1000;
+      const ageSec = (Date.now() - (existsSync(PACKET_CACHE) ? statSync(PACKET_CACHE).mtimeMs : 0)) / 1000;
       if (ageSec < PACKET_CACHE_TTL_SEC) {
         return { data: JSON.parse(stat), ageSec };
       }
@@ -175,6 +175,37 @@ async function loadSdkClass() {
   return null;
 }
 
+// Bonus fix #74 — conversation_history_count=0 packet propagation.
+//
+// The codex handler (apps/arias-soul/api/harness/codex.ts) reads req.body.messages
+// to inject conversation history into the harness packet so it can report a real
+// conversation_history_count (non-zero). Previously tryViaSdk never forwarded the
+// messages from the hook event — the packet always had conversation_history_count=0.
+//
+// Fix: read the Claude Code hook event from stdin at startup, extract event.messages
+// (the conversation history array), and forward it in both the SDK bodyOverride and
+// the direct-fetch body shape. The codex handler passes it through to
+// buildAriaExternalHarnessPacket which populates conversation_history_count.
+//
+// Stdin is read once and stored in HOOK_EVENT_MESSAGES. It's capped at 50 entries
+// before forwarding to avoid blowing the POST body size limit; the most recent
+// messages are the most relevant for history-count purposes.
+let HOOK_EVENT_MESSAGES = undefined;
+try {
+  // Claude Code hooks receive the event JSON on stdin. We read it synchronously
+  // only if data is already available (i.e. piped); we don't block waiting for
+  // interactive input. Use a try/catch so the script still works when stdin is
+  // a terminal (e.g. manual invocation for testing).
+  const stdinBuf = readFileSync('/dev/stdin', { flag: 'r' });
+  const hookEvent = JSON.parse(stdinBuf.toString('utf8'));
+  if (Array.isArray(hookEvent?.messages) && hookEvent.messages.length > 0) {
+    // Cap to last 50 messages. The server-side handler slices further if needed.
+    HOOK_EVENT_MESSAGES = hookEvent.messages.slice(-50);
+  }
+} catch {
+  // stdin not available / not JSON / no messages field — HOOK_EVENT_MESSAGES stays undefined.
+}
+
 async function tryViaSdk(baseUrl, apiKey) {
   // Canonical path: HTTPHarnessClient.getHarnessPacket(). The SDK POSTs to
   // /api/harness/codex with the right shape and returns { packet, timestamp,
@@ -199,6 +230,9 @@ async function tryViaSdk(baseUrl, apiKey) {
       actor: 'claude-code',
       system: 'claude-coding-agent',
       platform: 'harness-http-client',
+      // Bonus #74: forward conversation history so codex handler can report
+      // a non-zero conversation_history_count in the packet.
+      ...(HOOK_EVENT_MESSAGES ? { messages: HOOK_EVENT_MESSAGES } : {}),
     };
     const wrapped = await client.getHarnessPacket(bodyOverride);
     const json = wrapped.packet;
@@ -220,6 +254,8 @@ async function tryViaSdk(baseUrl, apiKey) {
       system: 'claude-coding-agent',
       roleProfile: 'general_worker',
       deliverySurface: 'claude_code_session',
+      // Bonus #74: forward conversation history (same field as SDK path above).
+      ...(HOOK_EVENT_MESSAGES ? { messages: HOOK_EVENT_MESSAGES } : {}),
     }),
   });
   if (!resp.ok) throw new Error(`HTTP ${resp.status}`);

package/hooks/aria-pre-tool-gate.mjs

@@ -134,11 +134,57 @@ function activePlanPath(sid) {
   return `${HOME}/.claude/aria-active-plan-${String(sid || 'unknown').replace(/[^a-zA-Z0-9_-]/g, '_')}.json`;
 }
 
+// Defect #5 — plan-completion persists across session boundary.
+//
+// The harness packet at ~/.claude/.aria-harness-last-packet.json retains
+// exhausted plan state. An old plan from a prior session that was "all
+// phases complete" would block every tool call in a NEW session because
+// pickCurrentPhase returns null (all complete) on that stale plan.
+//
+// Fix: at load time, validate the plan file against TWO staleness guards:
+//   (a) mtime > 24h → discard (plan is older than a working day; a new
+//       session should start fresh)
+//   (b) plan.sessionId present AND doesn't match current sid → discard
+//       (plan was issued for a different session; current session is unbound)
+//
+// Discarding = returning null → the binding gate treats it as "no plan"
+// and blocks with CONSULT_UNAVAILABLE, which triggers a fresh consult on
+// the next user prompt. The discard is audit-logged.
+const PLAN_MAX_AGE_MS = 24 * 60 * 60 * 1000; // 24 hours
+
 function loadActivePlan(sid) {
   const p = activePlanPath(sid);
   if (!existsSync(p)) return null;
   try {
-    return JSON.parse(readFileSync(p, 'utf8'));
+    const raw = readFileSync(p, 'utf8');
+    const plan = JSON.parse(raw);
+    // Guard (b) — session mismatch: plan was issued for a different session.
+    if (plan.sessionId && sid && plan.sessionId !== String(sid)) {
+      bindingAuditAppend({
+        event: 'discard_plan_session_mismatch',
+        planId: plan.planId,
+        planSessionId: plan.sessionId,
+        currentSessionId: sid,
+      });
+      return null;
+    }
+    // Guard (a) — plan age via plan.mintedAt ISO timestamp (written by harness
+    // when issuing the plan). If mintedAt is present and older than 24h, discard.
+    // No mintedAt → conservatively trust the plan (harness version may predate
+    // this field; upgrade path: harness always writes mintedAt going forward).
+    if (plan.mintedAt) {
+      const mintedMs = Date.parse(plan.mintedAt);
+      if (Number.isFinite(mintedMs) && (Date.now() - mintedMs) > PLAN_MAX_AGE_MS) {
+        bindingAuditAppend({
+          event: 'discard_plan_stale_by_mintedAt',
+          planId: plan.planId,
+          mintedAt: plan.mintedAt,
+          ageHours: ((Date.now() - mintedMs) / 3600000).toFixed(1),
+        });
+        return null;
+      }
+    }
+    return plan;
   } catch {
     return null;
   }
@@ -199,15 +245,49 @@ function pickCurrentPhase(plan, transcript) {
   return null; // all phases reported complete — needs new consult
 }
 
-function actionMatchesPattern(action, pattern) {
-  // pattern can be exact action name ("read", "consult", "kubectl_get") or
-  // prefixed with target-pattern: "edit:apps/arias-soul/api/.*", "kubectl_apply".
+function actionMatchesPattern(action, pattern, target) {
+  // Defect #3 fix — edit-pattern regex over-matches.
+  //
+  // Old behaviour: "edit:/etc/**" matched any path that contained "/etc/" as a
+  // substring because the colon-split only checked pAction===action, ignoring the
+  // path portion entirely — so edit:/etc/** allowed ALL edit actions regardless
+  // of path, not just edits under /etc/.
+  //
+  // Fix:
+  //   - Exact action name ("read", "consult", "kubectl_get"): unchanged.
+  //   - Prefixed pattern ("edit:/etc/**"): split on first colon, compare
+  //     pAction===action, then glob-match the path portion against `target`
+  //     using anchored prefix matching (no substring). Supported forms:
+  //       "edit:/etc/**"        → action=edit, path must start with /etc/
+  //       "edit:apps/.*"        → action=edit, path must start with apps/
+  //       "bash_other:curl .*"  → action=bash_other (target substring match for bash)
+  //   - No colon: exact action match only.
   if (pattern === action) return true;
-  if (pattern.includes(':')) {
-    const [pAction] = pattern.split(':', 1);
-    return pAction === action;
+  const colonIdx = pattern.indexOf(':');
+  if (colonIdx < 0) return false;
+  const pAction = pattern.slice(0, colonIdx);
+  if (pAction !== action) return false;
+  // pAction matches — now check the target portion.
+  const pathPattern = pattern.slice(colonIdx + 1);
+  if (!pathPattern) return true; // bare "edit:" with no path spec → match all edits of that action type
+  const t = target || '';
+  // Convert simple glob /** suffix to prefix anchor, or treat as a regex if
+  // it contains regex meta-chars beyond "." and "*". For the most common
+  // harness patterns ("edit:/etc/**", "edit:apps/arias-soul/.*") a prefix-
+  // match on the stripped glob is correct and safe.
+  // Strip trailing /** or /*, then anchor-prefix-match.
+  const strippedGlob = pathPattern.replace(/\/\*+$/, '');
+  if (strippedGlob && !pathPattern.includes('(?') && !pathPattern.includes('[')) {
+    // Simple prefix match — anchored at start of target path.
+    return t.startsWith(strippedGlob);
+  }
+  // Full regex path pattern (caller used explicit regex syntax).
+  try {
+    return new RegExp(`^(?:${pathPattern})`).test(t);
+  } catch {
+    // Malformed regex in plan — fail-open to avoid blocking everything.
+    return false;
   }
-  return false;
 }
 
 function classifyToolForBinding(toolName, command, filePath) {
@@ -471,6 +551,57 @@ function countCognitionLenses(text) {
   return detectCognitionLenses(text).count;
 }
 
+// ── arch_facts gate ──────────────────────────────────────────────────────────
+//
+// Inspects actual diff content (tool_input.content / file_path) for
+// architectural violations defined as arch_facts rules in mizan.yaml.
+// Called AFTER cognition + discovery-binding checks pass, for Edit/Write/
+// NotebookEdit only (Bash skipped — arch violations live in code, not commands).
+//
+// Tier-aware: if ~/.aria/license.json exists (client surface), arch_facts
+// check is skipped — only owner gets server-side mizan enforcement here.
+//
+// Fail-open: if aria-telemetry is unreachable, the tool call is allowed.
+// The 3s AbortController is a DETECTION PROBE (is telemetry alive?) not a
+// hard deadline — if mizan is slow but alive the probe will complete; if it
+// is down the catch path fail-opens without blocking the developer.
+function isClientSurface() {
+  try {
+    return existsSync(`${HOME}/.aria/license.json`);
+  } catch {
+    return false;
+  }
+}
+
+async function archFactsGate(toolInput) {
+  // Skip on client surfaces — arch_facts enforcement is owner-only.
+  if (isClientSurface()) return { ok: true, allow: true, note: 'client-surface-skip' };
+  try {
+    const ariaTelemetry = process.env.ARIA_TELEMETRY_BASE || 'http://aria-telemetry.aria.svc.cluster.local:8088';
+    const ctl = new AbortController();
+    const probeTimer = setTimeout(() => ctl.abort(), 3000);
+    let resp;
+    try {
+      resp = await fetch(`${ariaTelemetry}/v1/mizan/check`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ draft: String(toolInput).slice(0, 50000), source: 'pre-tool-gate-arch-facts' }),
+        signal: ctl.signal,
+      });
+    } finally {
+      clearTimeout(probeTimer);
+    }
+    if (!resp.ok) return { ok: true, allow: true, note: 'mizan unreachable, fail-open' };
+    const result = await resp.json();
+    if (result?.hard_block === true && Array.isArray(result?.violations)) {
+      return { ok: false, allow: false, violations: result.violations };
+    }
+    return { ok: true, allow: true };
+  } catch {
+    return { ok: true, allow: true, note: 'mizan probe error, fail-open' };
+  }
+}
+
 // Hive cognition-logging v1.2 — fire-and-forget HTTP push to
 // /api/cognition/log so every gate decision joins the corpus.
 // Failures are silent: the local audit log is the durable record;
@@ -873,6 +1004,49 @@ No env-var disable path — gates are unconditional from the gated process per H
   process.exit(2);
 }
 
+// ── arch_facts gate (architectural violation scan) ────────────────────────
+//
+// Runs after cognition + discovery-binding pass, for Edit/Write/NotebookEdit.
+// Bash is skipped: architectural violations live in the code being written,
+// not in shell commands — checking Bash commands would produce false positives
+// on grep/find invocations that mention forbidden strings without introducing them.
+//
+// Content inspected: new_string (Edit), content (Write), source (NotebookEdit).
+// Fail-open: unreachable mizan → allow. Client surface → skip.
+if (['Edit', 'Write', 'NotebookEdit'].includes(toolName)) {
+  // Extract the actual content being written — this is what mizan should scan
+  // for architectural patterns, not the file path or surrounding metadata.
+  const contentToScan =
+    toolInput.new_string ??      // Edit: the replacement text
+    toolInput.content ??         // Write: the full file content
+    toolInput.source ??          // NotebookEdit: cell source
+    '';
+  // Also include file_path for context so mizan pattern-matching can be
+  // path-scoped (e.g. R9 only fires for telemetry/cron paths).
+  const scanPayload = `// file: ${filePath}\n${contentToScan}`;
+  const archResult = await archFactsGate(scanPayload);
+  if (!archResult.allow) {
+    const violationText = (archResult.violations || [])
+      .map((v) => `  • [${v.rule ?? v.id ?? 'arch'}] ${v.description ?? v.message ?? JSON.stringify(v)}`)
+      .join('\n');
+    const archReason = `Aria arch_facts gate: architectural violation(s) detected in ${toolName} diff for ${filePath || '(no path)'}.
+
+${violationText}
+
+These patterns are forbidden by mizan arch_facts rules (mizan.yaml R7–R11). Fix the structural issue before re-issuing the tool call — the gate does not have a bypass for architectural violations.
+
+Rule references:
+  R7  no_sidecar_in_main_container   — bolt-in fork pattern (project_aria_soul_systemd_migration.md)
+  R8  no_silent_fallback_default     — || 'unknown'/'default'/'fallback' masks config failures
+  R9  no_timeout_based_retry         — setTimeout+abort in telemetry/chat/cron paths (no-timeouts doctrine)
+  R10 no_kubectl_apply_for_image_drift — kubectl apply on aria-soul-stateful (project_forge_psi_oom_cascade.md)
+  R11 no_console_log_secrets         — console.log with TOKEN/PASSWORD/SECRET/API_KEY/JWT/BEARER`;
+    audit(`block-arch-facts ${toolName.toLowerCase()} path=${filePath}`, `violations=${archResult.violations?.length ?? 0}`);
+    console.log(JSON.stringify({ decision: 'block', reason: archReason }));
+    process.exit(2);
+  }
+}
+
 // Non-trivial action with cognition (inline for Bash, transcript for
 // Edit/Write/NotebookEdit) — passes cognition gate. Now check Aria-binding.
 
@@ -896,6 +1070,32 @@ No env-var disable path — gates are unconditional from the gated process per H
 // ReferenceError. No new bypass entries can be created (pre-existing defect
 // fixed inline per atomic-discovery-rule).
 const bindingBypassReason = null;
+
+// Defect #4 fix — Consult-Aria unconditionally allowed (doctrine #50).
+//
+// Aria-as-commander session pattern (HARNESS_ARIA_AS_COMMANDER_CONTRACT.md
+// doctrine #50) makes per-turn consult mandatory. A plan cannot forbid the
+// consult mechanism that issues plans — that would be an unbootstrappable
+// circular lock. Previously plan p1 forbade bash_other → consult curl was
+// classified as bash_other → blocked. Now: any Bash command that is a consult
+// to a known Aria/harness endpoint passes UNCONDITIONALLY past ALL binding
+// checks regardless of allowedActions or forbiddenActions in the active phase.
+// Cognition gate still applies (it ran above and passed to reach this point).
+//
+// Covered endpoints (hardcoded carve-out):
+//   curl http(s)://aria-soul<anything>
+//   curl http(s)://aria-telemetry<anything>
+//   curl http(s)://localhost:30080/(chat|api/aria/speak|api/harness/codex|
+//                                   api/harness/verify-claim|v1/doctrine|v1/mizan)
+const ARIA_CONSULT_CURL_RX = /curl\s+['"]?https?:\/\/(?:aria-soul[^\s'"]*|aria-telemetry[^\s'"]*|localhost:30080\/(?:chat|api\/aria\/speak|api\/harness\/(?:codex|verify-claim|delegate|army|plan)|v1\/(?:doctrine|mizan))[^\s'"]*)/i;
+const __isUnconditionalConsult = toolName === 'Bash' && ARIA_CONSULT_CURL_RX.test(cmd);
+if (__isUnconditionalConsult) {
+  bindingAuditAppend({ event: 'allow_unconditional_consult', sessionId, toolName, cmdPreview, reason: 'doctrine#50-aria-as-commander-consult-carveout' });
+  audit(`allow-unconditional-consult lenses=${lensCount}`, cmdPreview);
+  pushDecision('allow', 'unconditional consult carve-out (doctrine #50)');
+  process.exit(0);
+}
+
 const __bindingActionClassification = (BINDING_ENABLED && !bindingBypassReason)
   ? classifyToolForBinding(toolName, cmd, filePath)
   : null;
@@ -952,7 +1152,7 @@ What Claude must do: emit [PLAN_BLOCKER reason="<concrete observation>" suggeste
   const phase = phaseInfo.phase;
 
   // Forbidden takes precedence
-  const forbidden = (phase.forbiddenActions || []).find((p) => actionMatchesPattern(action, p));
+  const forbidden = (phase.forbiddenActions || []).find((p) => actionMatchesPattern(action, p, target));
   if (forbidden) {
     bindingAuditAppend({ event: 'block_forbidden_action', sessionId, planId: plan.planId, phaseId: phase.id, action, target, matchedRule: forbidden });
     const reason = `Aria binding gate: action "${action}" on target "${target}" matches forbidden pattern "${forbidden}" for current phase ${phase.id} ("${phase.summary}") of plan ${plan.planId}.
@@ -966,7 +1166,7 @@ Claude must either: (a) reframe the action to fit allowedActions, OR (b) emit [P
     process.exit(2);
   }
 
-  const allowed = (phase.allowedActions || []).find((p) => actionMatchesPattern(action, p));
+  const allowed = (phase.allowedActions || []).find((p) => actionMatchesPattern(action, p, target));
   if (!allowed) {
     bindingAuditAppend({ event: 'block_action_not_in_allowed_list', sessionId, planId: plan.planId, phaseId: phase.id, action, target });
     const reason = `Aria binding gate: action "${action}" on target "${target}" is NOT in allowedActions for current phase ${phase.id} of plan ${plan.planId}.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aria_asi/cli",
-  "version": "0.2.23",
+  "version": "0.2.24",
   "description": "Aria Smart CLI — the world's first harness-powered terminal companion",
   "bin": {
     "aria": "./bin/aria.js"