@aria_asi/cli 0.2.23 → 0.2.25

package/dist/aria-connector/src/connectors/opencode.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"opencode.d.ts","sourceRoot":"","sources":["../../../../src/connectors/opencode.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAE/C,wBAAsB,eAAe,CAAC,MAAM,EAAE,UAAU,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CA2D3E;AAED,wBAAsB,kBAAkB,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC,CAoB5D"}
+{"version":3,"file":"opencode.d.ts","sourceRoot":"","sources":["../../../../src/connectors/opencode.ts"],"names":[],"mappings":"AAcA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAiD/C,wBAAsB,eAAe,CAAC,MAAM,EAAE,UAAU,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAyH3E;AAED,wBAAsB,kBAAkB,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC,CAqC5D"}

package/dist/aria-connector/src/connectors/opencode.js

@@ -1,6 +1,52 @@
-import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'fs';
+import { existsSync, mkdirSync, readFileSync, writeFileSync, copyFileSync, readdirSync, statSync, chmodSync, unlinkSync, } from 'fs';
 import { homedir } from 'os';
 import * as path from 'path';
+import { fileURLToPath } from 'node:url';
+// ── Bundled OpenCode plugins ────────────────────────────────────────────────
+//
+// Two plugins ship with the connector:
+//   - harness-context: spawns the bundled inject-context.mjs on session start
+//                      and prepends the resolved harness packet to OpenCode's
+//                      system prompt. Routes through the canonical SDK at
+//                      ~/.claude/aria-sdk/.
+//   - harness-role:    injects the active role profile (default
+//                      opencode_deepseek_engineer) — intro / continuity /
+//                      post-action governance rules.
+//
+// Both live at <pkg>/opencode-plugins/<name>/. connectOpenCode copies them
+// into ~/.opencode/plugins/<name>/ and wires the absolute paths into
+// ~/.opencode/config.json's `plugin` (singular, OpenCode v2 schema) array.
+//
+// Compiled location of THIS file (claude-code path applies the same way):
+//   <pkg>/dist/aria-connector/src/connectors/opencode.js
+// Plugins ship at <pkg>/opencode-plugins/ → 4 dirs up + 'opencode-plugins'.
+const PLUGIN_NAMES = ['harness-context', 'harness-role'];
+function packageOpenCodePluginsDir() {
+    const here = path.dirname(fileURLToPath(import.meta.url));
+    return path.resolve(here, '..', '..', '..', '..', 'opencode-plugins');
+}
+function copyPluginDir(srcDir, dstDir, logs) {
+    if (!existsSync(dstDir)) {
+        mkdirSync(dstDir, { recursive: true, mode: 0o755 });
+    }
+    for (const name of readdirSync(srcDir)) {
+        const src = path.join(srcDir, name);
+        const stat = statSync(src);
+        if (!stat.isFile())
+            continue;
+        const dst = path.join(dstDir, name);
+        copyFileSync(src, dst);
+        if (name.endsWith('.mjs') || name.endsWith('.js')) {
+            try {
+                chmodSync(dst, 0o755);
+            }
+            catch {
+                // chmod failure isn't fatal on filesystems that ignore mode bits.
+            }
+        }
+    }
+    logs.push(`Installed plugin → ${dstDir}`);
+}
 export async function connectOpenCode(config) {
     const logs = [];
     const opencodeDir = path.join(homedir(), '.opencode');
@@ -8,17 +54,51 @@ export async function connectOpenCode(config) {
         logs.push('No ~/.opencode directory found — OpenCode may not be installed');
         return logs;
     }
+    // ── Install bundled plugins into ~/.opencode/plugins/<name>/ ──────────────
+    const pluginsRoot = path.join(opencodeDir, 'plugins');
+    if (!existsSync(pluginsRoot)) {
+        mkdirSync(pluginsRoot, { recursive: true, mode: 0o755 });
+    }
+    // Remove legacy single-file plugin shadows (~/.opencode/plugins/<name>.js).
+    // OpenCode v2 auto-discovers BOTH loose .js files and dir-shaped plugins;
+    // when both exist with the same name, behavior is undefined and on at least
+    // one machine the loose .js (carrying old hardcoded paths to
+    // ~/rei-ai-brain/harness/inject-context.mjs) was winning over the dir
+    // install. Idempotent cleanup so re-running connect heals these.
+    for (const pluginName of PLUGIN_NAMES) {
+        const shadowPath = path.join(pluginsRoot, `${pluginName}.js`);
+        if (existsSync(shadowPath)) {
+            try {
+                unlinkSync(shadowPath);
+                logs.push(`Removed legacy single-file plugin shadow: ${shadowPath}`);
+            }
+            catch {
+                // Permission or fs failure isn't fatal — the install proceeds.
+            }
+        }
+    }
+    const bundledDir = packageOpenCodePluginsDir();
+    const installedPaths = [];
+    for (const pluginName of PLUGIN_NAMES) {
+        const srcDir = path.join(bundledDir, pluginName);
+        if (!existsSync(srcDir)) {
+            logs.push(`⚠ Bundled plugin missing: ${srcDir} — connector tarball may be incomplete`);
+            continue;
+        }
+        const dstDir = path.join(pluginsRoot, pluginName);
+        copyPluginDir(srcDir, dstDir, logs);
+        installedPaths.push(dstDir);
+    }
+    // ── Wire ~/.opencode/config.json ──────────────────────────────────────────
     const configPath = path.join(opencodeDir, 'config.json');
     if (existsSync(configPath)) {
         try {
             const opencodeConfig = JSON.parse(readFileSync(configPath, 'utf-8'));
             let modified = false;
-            // Remove any prior reference to '@aria/connector' from plugins.
-            // That package name was written into older client configs but no
-            // such npm package exists — the harness integration with OpenCode
-            // is via agentsMdPath below, not via a plugin module. Loading a
-            // non-existent plugin name crashes OpenCode on open. Idempotent
-            // cleanup so re-running connect heals broken installs.
+            // Heal legacy '@aria/connector' references in the older `plugins`
+            // (plural) array. That package name was written by older versions
+            // of this connector but no such npm package exists — loading a
+            // non-existent plugin crashes OpenCode on open. Idempotent.
             if (Array.isArray(opencodeConfig.plugins)) {
                 const before = opencodeConfig.plugins.length;
                 opencodeConfig.plugins = opencodeConfig.plugins.filter((p) => p !== '@aria/connector');
@@ -27,6 +107,27 @@ export async function connectOpenCode(config) {
                     logs.push('Removed legacy @aria/connector reference from OpenCode plugins (was crashing on open)');
                 }
             }
+            // OpenCode v2 schema: `plugin` (singular) array of absolute paths or
+            // npm names. We write absolute paths to the locally-installed plugin
+            // dirs above, so OpenCode resolves them as Node modules without any
+            // network or registry dependency.
+            const existingPlugin = Array.isArray(opencodeConfig.plugin)
+                ? opencodeConfig.plugin.slice()
+                : [];
+            const stringSet = new Set(existingPlugin.filter((p) => typeof p === 'string'));
+            let pluginAdded = false;
+            for (const installPath of installedPaths) {
+                if (!stringSet.has(installPath)) {
+                    existingPlugin.push(installPath);
+                    stringSet.add(installPath);
+                    pluginAdded = true;
+                }
+            }
+            if (pluginAdded) {
+                opencodeConfig.plugin = existingPlugin;
+                modified = true;
+                logs.push(`Wired ${installedPaths.length} Aria plugin(s) into OpenCode config.plugin`);
+            }
             if (!opencodeConfig.agentsMdPath) {
                 opencodeConfig.agentsMdPath = path.join(homedir(), '.aria', 'AGENTS.md');
                 modified = true;
@@ -43,6 +144,7 @@ export async function connectOpenCode(config) {
             logs.push('Failed to parse OpenCode config.json');
         }
     }
+    // ── Write the harness AGENTS.md ───────────────────────────────────────────
     const ariaDir = path.join(homedir(), '.aria');
     if (!existsSync(ariaDir)) {
         mkdirSync(ariaDir, { recursive: true });
@@ -59,11 +161,24 @@ export async function disconnectOpenCode() {
     if (existsSync(configPath)) {
         try {
             const opencodeConfig = JSON.parse(readFileSync(configPath, 'utf-8'));
+            // Strip any locally-installed Aria plugin paths from `plugin` (singular).
+            const pluginsRoot = path.join(homedir(), '.opencode', 'plugins');
+            if (Array.isArray(opencodeConfig.plugin)) {
+                const before = opencodeConfig.plugin.length;
+                opencodeConfig.plugin = opencodeConfig.plugin.filter((p) => {
+                    if (typeof p !== 'string')
+                        return true;
+                    return !PLUGIN_NAMES.some((n) => p === path.join(pluginsRoot, n));
+                });
+                if (opencodeConfig.plugin.length !== before) {
+                    logs.push('Removed Aria plugin paths from OpenCode config.plugin');
+                }
+            }
+            // Strip the legacy @aria/connector reference if present.
             if (Array.isArray(opencodeConfig.plugins)) {
                 opencodeConfig.plugins = opencodeConfig.plugins.filter((p) => p !== '@aria/connector');
-                writeFileSync(configPath, JSON.stringify(opencodeConfig, null, 2));
-                logs.push('Removed @aria/connector from OpenCode plugins');
             }
+            writeFileSync(configPath, JSON.stringify(opencodeConfig, null, 2));
         }
         catch {
             logs.push('Failed to update OpenCode config');
@@ -78,7 +193,7 @@ function buildOpenCodeAgentsMd(config) {
         .join('\n\n');
     return `# Aria Harness — AGENTS.md
 
-Automatically injected by @aria/connector. This file provides Aria's cognitive harness
+Automatically injected by @aria_asi/cli. This file provides Aria's cognitive harness
 to OpenCode sessions.
 
 ## Connected Repositories

package/dist/aria-connector/src/connectors/opencode.js.map

@@ -1 +1 @@
-{"version":3,"file":"opencode.js","sourceRoot":"","sources":["../../../../src/connectors/opencode.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,IAAI,CAAC;AACxE,OAAO,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC;AAC7B,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAG7B,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,MAAkB;IACtD,MAAM,IAAI,GAAa,EAAE,CAAC;IAC1B,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,WAAW,CAAC,CAAC;IAEtD,IAAI,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;QAC7B,IAAI,CAAC,IAAI,CAAC,gEAAgE,CAAC,CAAC;QAC5E,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,aAAa,CAAC,CAAC;IACzD,IAAI,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC3B,IAAI,CAAC;YACH,MAAM,cAAc,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC;YACrE,IAAI,QAAQ,GAAG,KAAK,CAAC;YAErB,gEAAgE;YAChE,iEAAiE;YACjE,kEAAkE;YAClE,gEAAgE;YAChE,gEAAgE;YAChE,uDAAuD;YACvD,IAAI,KAAK,CAAC,OAAO,CAAC,cAAc,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC1C,MAAM,MAAM,GAAG,cAAc,CAAC,OAAO,CAAC,MAAM,CAAC;gBAC7C,cAAc,CAAC,OAAO,GAAG,cAAc,CAAC,OAAO,CAAC,MAAM,CACpD,CAAC,CAAU,EAAE,EAAE,CAAC,CAAC,KAAK,iBAAiB,CACxC,CAAC;gBACF,IAAI,cAAc,CAAC,OAAO,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;oBAC7C,QAAQ,GAAG,IAAI,CAAC;oBAChB,IAAI,CAAC,IAAI,CAAC,uFAAuF,CAAC,CAAC;gBACrG,CAAC;YACH,CAAC;YAED,IAAI,CAAC,cAAc,CAAC,YAAY,EAAE,CAAC;gBACjC,cAAc,CAAC,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,OAAO,EAAE,WAAW,CAAC,CAAC;gBACzE,QAAQ,GAAG,IAAI,CAAC;gBAChB,IAAI,CAAC,IAAI,CAAC,kDAAkD,CAAC,CAAC;YAChE,CAAC;YAED,IAAI,QAAQ,EAAE,CAAC;gBACb,aAAa,CAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,cAAc,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;YACrE,CAAC;iBAAM,CAAC;gBACN,IAAI,CAAC,IAAI,CAAC,sCAAsC,CAAC,CAAC;YACpD,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,IAAI,CAAC,IAAI,CAAC,sCAAsC,CAAC,CAAC;QACpD,CAAC;IACH,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,OAAO,CAAC,CAAC;IAC9C,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QACzB,SAAS,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC1C,CAAC;IAED,MAAM,cAAc,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;IACvD,MAAM,aAAa,GAAG,qBAAqB,CAAC,MAAM,CAAC,CAAC;IACpD,aAAa,CAAC,cAAc,EAAE,aAAa,CAAC,CAAC;IAC7C,IAAI,CAAC,IAAI,CAAC,mCAAmC,cAAc,EAAE,CAAC,CAAC;IAE/D,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,kBAAkB;IACtC,MAAM,IAAI,GAAa,EAAE,CAAC;IAC1B,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,WAAW,EAAE,aAAa,CAAC,CAAC;IAEpE,IAAI,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC3B,IAAI,CAAC;YACH,MAAM,cAAc,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC;YACrE,IAAI,KAAK,CAAC,OAAO,CAAC,cAAc,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC1C,cAAc,CAAC,OAAO,GAAG,cAAc,CAAC,OAAO,CAAC,MAAM,CACpD,CAAC,CAAS,EAAE,EAAE,CAAC,CAAC,KAAK,iBAAiB,CACvC,CAAC;gBACF,aAAa,CAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,cAAc,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;gBACnE,IAAI,CAAC,IAAI,CAAC,+CAA+C,CAAC,CAAC;YAC7D,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,IAAI,CAAC,IAAI,CAAC,kCAAkC,CAAC,CAAC;QAChD,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,qBAAqB,CAAC,MAAkB;IAC/C,MAAM,QAAQ,GAAG,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACtF,MAAM,UAAU,GAAG,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,YAAY,CAAC;SACnD,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,OAAO,IAAI,KAAK,KAAK,EAAE,CAAC;SAC/C,IAAI,CAAC,MAAM,CAAC,CAAC;IAEhB,OAAO;;;;;;EAMP,QAAQ,IAAI,mBAAmB;;;EAG/B,UAAU,IAAI,iDAAiD;;;;;;;;;;;;;;;;;;;CAmBhE,CAAC;AACF,CAAC"}
+{"version":3,"file":"opencode.js","sourceRoot":"","sources":["../../../../src/connectors/opencode.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,UAAU,EACV,SAAS,EACT,YAAY,EACZ,aAAa,EACb,YAAY,EACZ,WAAW,EACX,QAAQ,EACR,SAAS,EACT,UAAU,GACX,MAAM,IAAI,CAAC;AACZ,OAAO,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC;AAC7B,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAGzC,+EAA+E;AAC/E,EAAE;AACF,uCAAuC;AACvC,8EAA8E;AAC9E,8EAA8E;AAC9E,0EAA0E;AAC1E,4CAA4C;AAC5C,gEAAgE;AAChE,0EAA0E;AAC1E,qDAAqD;AACrD,EAAE;AACF,2EAA2E;AAC3E,qEAAqE;AACrE,2EAA2E;AAC3E,EAAE;AACF,0EAA0E;AAC1E,yDAAyD;AACzD,4EAA4E;AAE5E,MAAM,YAAY,GAAG,CAAC,iBAAiB,EAAE,cAAc,CAAU,CAAC;AAElE,SAAS,yBAAyB;IAChC,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IAC1D,OAAO,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,kBAAkB,CAAC,CAAC;AACxE,CAAC;AAED,SAAS,aAAa,CAAC,MAAc,EAAE,MAAc,EAAE,IAAc;IACnE,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;QACxB,SAAS,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACtD,CAAC;IACD,KAAK,MAAM,IAAI,IAAI,WAAW,CAAC,MAAM,CAAC,EAAE,CAAC;QACvC,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;QACpC,MAAM,IAAI,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC;QAC3B,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE;YAAE,SAAS;QAC7B,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;QACpC,YAAY,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;QACvB,IAAI,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YAClD,IAAI,CAAC;gBACH,SAAS,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;YACxB,CAAC;YAAC,MAAM,CAAC;gBACP,kEAAkE;YACpE,CAAC;QACH,CAAC;IACH,CAAC;IACD,IAAI,CAAC,IAAI,CAAC,sBAAsB,MAAM,EAAE,CAAC,CAAC;AAC5C,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,MAAkB;IACtD,MAAM,IAAI,GAAa,EAAE,CAAC;IAC1B,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,WAAW,CAAC,CAAC;IAEtD,IAAI,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;QAC7B,IAAI,CAAC,IAAI,CAAC,gEAAgE,CAAC,CAAC;QAC5E,OAAO,IAAI,CAAC;IACd,CAAC;IAED,6EAA6E;IAC7E,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,SAAS,CAAC,CAAC;IACtD,IAAI,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;QAC7B,SAAS,CAAC,WAAW,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAC3D,CAAC;IAED,4EAA4E;IAC5E,0EAA0E;IAC1E,4EAA4E;IAC5E,6DAA6D;IAC7D,sEAAsE;IACtE,iEAAiE;IACjE,KAAK,MAAM,UAAU,IAAI,YAAY,EAAE,CAAC;QACtC,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,GAAG,UAAU,KAAK,CAAC,CAAC;QAC9D,IAAI,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YAC3B,IAAI,CAAC;gBACH,UAAU,CAAC,UAAU,CAAC,CAAC;gBACvB,IAAI,CAAC,IAAI,CAAC,6CAA6C,UAAU,EAAE,CAAC,CAAC;YACvE,CAAC;YAAC,MAAM,CAAC;gBACP,+DAA+D;YACjE,CAAC;QACH,CAAC;IACH,CAAC;IAED,MAAM,UAAU,GAAG,yBAAyB,EAAE,CAAC;IAC/C,MAAM,cAAc,GAAa,EAAE,CAAC;IACpC,KAAK,MAAM,UAAU,IAAI,YAAY,EAAE,CAAC;QACtC,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC;QACjD,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;YACxB,IAAI,CAAC,IAAI,CAAC,6BAA6B,MAAM,wCAAwC,CAAC,CAAC;YACvF,SAAS;QACX,CAAC;QACD,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,UAAU,CAAC,CAAC;QAClD,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,CAAC,CAAC;QACpC,cAAc,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC9B,CAAC;IAED,6EAA6E;IAC7E,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,aAAa,CAAC,CAAC;IACzD,IAAI,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC3B,IAAI,CAAC;YACH,MAAM,cAAc,GAA4B,IAAI,CAAC,KAAK,CACxD,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAClC,CAAC;YACF,IAAI,QAAQ,GAAG,KAAK,CAAC;YAErB,kEAAkE;YAClE,kEAAkE;YAClE,+DAA+D;YAC/D,4DAA4D;YAC5D,IAAI,KAAK,CAAC,OAAO,CAAC,cAAc,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC1C,MAAM,MAAM,GAAI,cAAc,CAAC,OAAqB,CAAC,MAAM,CAAC;gBAC5D,cAAc,CAAC,OAAO,GAAI,cAAc,CAAC,OAAqB,CAAC,MAAM,CACnE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,iBAAiB,CAC/B,CAAC;gBACF,IAAK,cAAc,CAAC,OAAqB,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;oBAC5D,QAAQ,GAAG,IAAI,CAAC;oBAChB,IAAI,CAAC,IAAI,CAAC,uFAAuF,CAAC,CAAC;gBACrG,CAAC;YACH,CAAC;YAED,qEAAqE;YACrE,qEAAqE;YACrE,oEAAoE;YACpE,kCAAkC;YAClC,MAAM,cAAc,GAAc,KAAK,CAAC,OAAO,CAAC,cAAc,CAAC,MAAM,CAAC;gBACpE,CAAC,CAAE,cAAc,CAAC,MAAoB,CAAC,KAAK,EAAE;gBAC9C,CAAC,CAAC,EAAE,CAAC;YACP,MAAM,SAAS,GAAG,IAAI,GAAG,CACvB,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,CACjE,CAAC;YACF,IAAI,WAAW,GAAG,KAAK,CAAC;YACxB,KAAK,MAAM,WAAW,IAAI,cAAc,EAAE,CAAC;gBACzC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,WAAW,CAAC,EAAE,CAAC;oBAChC,cAAc,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;oBACjC,SAAS,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;oBAC3B,WAAW,GAAG,IAAI,CAAC;gBACrB,CAAC;YACH,CAAC;YACD,IAAI,WAAW,EAAE,CAAC;gBAChB,cAAc,CAAC,MAAM,GAAG,cAAc,CAAC;gBACvC,QAAQ,GAAG,IAAI,CAAC;gBAChB,IAAI,CAAC,IAAI,CAAC,SAAS,cAAc,CAAC,MAAM,6CAA6C,CAAC,CAAC;YACzF,CAAC;YAED,IAAI,CAAC,cAAc,CAAC,YAAY,EAAE,CAAC;gBACjC,cAAc,CAAC,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,OAAO,EAAE,WAAW,CAAC,CAAC;gBACzE,QAAQ,GAAG,IAAI,CAAC;gBAChB,IAAI,CAAC,IAAI,CAAC,kDAAkD,CAAC,CAAC;YAChE,CAAC;YAED,IAAI,QAAQ,EAAE,CAAC;gBACb,aAAa,CAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,cAAc,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;YACrE,CAAC;iBAAM,CAAC;gBACN,IAAI,CAAC,IAAI,CAAC,sCAAsC,CAAC,CAAC;YACpD,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,IAAI,CAAC,IAAI,CAAC,sCAAsC,CAAC,CAAC;QACpD,CAAC;IACH,CAAC;IAED,6EAA6E;IAC7E,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,OAAO,CAAC,CAAC;IAC9C,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QACzB,SAAS,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC1C,CAAC;IACD,MAAM,cAAc,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;IACvD,MAAM,aAAa,GAAG,qBAAqB,CAAC,MAAM,CAAC,CAAC;IACpD,aAAa,CAAC,cAAc,EAAE,aAAa,CAAC,CAAC;IAC7C,IAAI,CAAC,IAAI,CAAC,mCAAmC,cAAc,EAAE,CAAC,CAAC;IAE/D,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,kBAAkB;IACtC,MAAM,IAAI,GAAa,EAAE,CAAC;IAC1B,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,WAAW,EAAE,aAAa,CAAC,CAAC;IAEpE,IAAI,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC3B,IAAI,CAAC;YACH,MAAM,cAAc,GAA4B,IAAI,CAAC,KAAK,CACxD,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAClC,CAAC;YAEF,0EAA0E;YAC1E,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,WAAW,EAAE,SAAS,CAAC,CAAC;YACjE,IAAI,KAAK,CAAC,OAAO,CAAC,cAAc,CAAC,MAAM,CAAC,EAAE,CAAC;gBACzC,MAAM,MAAM,GAAI,cAAc,CAAC,MAAoB,CAAC,MAAM,CAAC;gBAC3D,cAAc,CAAC,MAAM,GAAI,cAAc,CAAC,MAAoB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;oBACxE,IAAI,OAAO,CAAC,KAAK,QAAQ;wBAAE,OAAO,IAAI,CAAC;oBACvC,OAAO,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,CAAC;gBACpE,CAAC,CAAC,CAAC;gBACH,IAAK,cAAc,CAAC,MAAoB,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;oBAC3D,IAAI,CAAC,IAAI,CAAC,uDAAuD,CAAC,CAAC;gBACrE,CAAC;YACH,CAAC;YAED,yDAAyD;YACzD,IAAI,KAAK,CAAC,OAAO,CAAC,cAAc,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC1C,cAAc,CAAC,OAAO,GAAI,cAAc,CAAC,OAAqB,CAAC,MAAM,CACnE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,iBAAiB,CAC/B,CAAC;YACJ,CAAC;YAED,aAAa,CAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,cAAc,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QACrE,CAAC;QAAC,MAAM,CAAC;YACP,IAAI,CAAC,IAAI,CAAC,kCAAkC,CAAC,CAAC;QAChD,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,qBAAqB,CAAC,MAAkB;IAC/C,MAAM,QAAQ,GAAG,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACtF,MAAM,UAAU,GAAG,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,YAAY,CAAC;SACnD,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,OAAO,IAAI,KAAK,KAAK,EAAE,CAAC;SAC/C,IAAI,CAAC,MAAM,CAAC,CAAC;IAEhB,OAAO;;;;;;EAMP,QAAQ,IAAI,mBAAmB;;;EAG/B,UAAU,IAAI,iDAAiD;;;;;;;;;;;;;;;;;;;CAmBhE,CAAC;AACF,CAAC"}

package/dist/sdk/BUNDLED.json

@@ -1,5 +1,5 @@
 {
-  "bundledAt": "2026-04-28T00:58:19.765Z",
+  "bundledAt": "2026-04-28T01:14:50.399Z",
   "sdkSource": "/home/hamzaibrahim1/rei-ai-brain/harness/packages/harness-http-client/dist",
   "files": 3
 }

package/hooks/aria-agent-handoff.mjs

@@ -21,6 +21,7 @@
 import { readFileSync, writeFileSync, existsSync, mkdirSync, appendFileSync } from 'node:fs';
 import { dirname, join } from 'node:path';
 import { homedir } from 'node:os';
+import { createRequire } from 'node:module';
 
 const HOME = homedir();
 const LOG = `${HOME}/.claude/aria-pre-tool-gate.log`;
@@ -129,6 +130,62 @@ if (isClientTier) {
   parentLedgerPath = `${HOME}/.claude/aria-discoveries-${safeSession}.jsonl`;
 }
 
+// ── Harness packet fetch for sub-agent substrate binding ────────────────────
+// Layer 1: after writing identity handoff, fetch the harness packet from
+// /api/harness/codex so the sub-agent can load COGNITION (not just identity).
+// Fail-soft: any fetch failure logs a warning and leaves the handoff identity-only.
+// Never blocks the spawn — packet is substrate enrichment, not a gate.
+//
+// Tier-aware packet paths:
+//   Owner: ~/.claude/aria-agent-harness-packet.json
+//   Client: /var/lib/aria-licensee/{jti}/aria-agent-harness-packet.json
+let packetPath = null;
+if (isClientTier) {
+  packetPath = `/var/lib/aria-licensee/${jti}/aria-agent-harness-packet.json`;
+} else {
+  packetPath = `${HOME}/.claude/aria-agent-harness-packet.json`;
+}
+
+async function fetchAndWriteHarnessPacket() {
+  if (!harnessToken || !harnessUrl) {
+    audit('warn: skipping packet fetch — no harnessToken or harnessUrl');
+    return null;
+  }
+  try {
+    const body = JSON.stringify({
+      stage: 'agent-spawn',
+      actor: 'harness-http-client',
+      system: 'claude-coding-agent',
+      surface: 'platform:harness-http-client',
+      isHamza: ownerTier.hamza,
+      sessionId: sessionId,
+      mode: 'subagent',
+    });
+    const resp = await fetch(`${harnessUrl}/api/harness/codex`, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'Authorization': `Bearer ${harnessToken}`,
+      },
+      body,
+    });
+    if (!resp.ok) {
+      audit(`warn: harness packet fetch HTTP ${resp.status} — identity-only handoff`);
+      return null;
+    }
+    const data = await resp.json();
+    mkdirSync(dirname(packetPath), { recursive: true });
+    writeFileSync(packetPath, JSON.stringify(data, null, 2));
+    audit(`wrote harness packet tier=${isClientTier ? 'client' : 'owner'} path=${packetPath}`);
+    return packetPath;
+  } catch (err) {
+    audit(`warn: harness packet fetch failed: ${(err?.message || err).toString().slice(0, 200)} — identity-only handoff`);
+    return null;
+  }
+}
+
+const resolvedPacketPath = await fetchAndWriteHarnessPacket();
+
 const handoff = {
   writtenAt: new Date().toISOString(),
   parentSessionId: sessionId,
@@ -137,6 +194,9 @@ const handoff = {
   ownerTier,
   parentLedgerPath,
   ttlMs: HANDOFF_TTL_MS,
+  // harnessPacketPath is set only if packet was successfully fetched;
+  // absent means sub-agent should fall back to calling /api/harness/codex directly.
+  ...(resolvedPacketPath ? { harnessPacketPath: resolvedPacketPath } : {}),
 };
 
 try {
@@ -144,7 +204,8 @@ try {
   writeFileSync(handoffPath, JSON.stringify(handoff, null, 2));
   audit(
     `wrote handoff tier=${isClientTier ? 'client' : 'owner'} jti=${jti ?? 'none'} ` +
-    `session=${sessionId} hamza=${ownerTier.hamza} role=${ownerTier.roleProfile}`,
+    `session=${sessionId} hamza=${ownerTier.hamza} role=${ownerTier.roleProfile} ` +
+    `packetPath=${resolvedPacketPath ?? 'none'}`,
   );
 } catch (err) {
   audit(`ERROR: handoff write failed: ${(err?.message || err).toString().slice(0, 200)}`);

package/hooks/aria-harness-via-sdk.mjs

@@ -17,7 +17,7 @@
 
 import { createHash } from 'node:crypto';
 import { spawnSync } from 'node:child_process';
-import { appendFileSync, existsSync, readFileSync, writeFileSync, mkdirSync } from 'node:fs';
+import { appendFileSync, existsSync, readFileSync, writeFileSync, mkdirSync, statSync } from 'node:fs';
 import { dirname } from 'node:path';
 import { createConnection } from 'node:net';
 
@@ -110,7 +110,7 @@ function loadCachedPacket() {
   try {
     if (existsSync(PACKET_CACHE)) {
       const stat = readFileSync(PACKET_CACHE, 'utf8');
-      const ageSec = (Date.now() - (existsSync(PACKET_CACHE) ? require('fs').statSync(PACKET_CACHE).mtimeMs : 0)) / 1000;
+      const ageSec = (Date.now() - (existsSync(PACKET_CACHE) ? statSync(PACKET_CACHE).mtimeMs : 0)) / 1000;
       if (ageSec < PACKET_CACHE_TTL_SEC) {
         return { data: JSON.parse(stat), ageSec };
       }
@@ -175,6 +175,37 @@ async function loadSdkClass() {
   return null;
 }
 
+// Bonus fix #74 — conversation_history_count=0 packet propagation.
+//
+// The codex handler (apps/arias-soul/api/harness/codex.ts) reads req.body.messages
+// to inject conversation history into the harness packet so it can report a real
+// conversation_history_count (non-zero). Previously tryViaSdk never forwarded the
+// messages from the hook event — the packet always had conversation_history_count=0.
+//
+// Fix: read the Claude Code hook event from stdin at startup, extract event.messages
+// (the conversation history array), and forward it in both the SDK bodyOverride and
+// the direct-fetch body shape. The codex handler passes it through to
+// buildAriaExternalHarnessPacket which populates conversation_history_count.
+//
+// Stdin is read once and stored in HOOK_EVENT_MESSAGES. It's capped at 50 entries
+// before forwarding to avoid blowing the POST body size limit; the most recent
+// messages are the most relevant for history-count purposes.
+let HOOK_EVENT_MESSAGES = undefined;
+try {
+  // Claude Code hooks receive the event JSON on stdin. We read it synchronously
+  // only if data is already available (i.e. piped); we don't block waiting for
+  // interactive input. Use a try/catch so the script still works when stdin is
+  // a terminal (e.g. manual invocation for testing).
+  const stdinBuf = readFileSync('/dev/stdin', { flag: 'r' });
+  const hookEvent = JSON.parse(stdinBuf.toString('utf8'));
+  if (Array.isArray(hookEvent?.messages) && hookEvent.messages.length > 0) {
+    // Cap to last 50 messages. The server-side handler slices further if needed.
+    HOOK_EVENT_MESSAGES = hookEvent.messages.slice(-50);
+  }
+} catch {
+  // stdin not available / not JSON / no messages field — HOOK_EVENT_MESSAGES stays undefined.
+}
+
 async function tryViaSdk(baseUrl, apiKey) {
   // Canonical path: HTTPHarnessClient.getHarnessPacket(). The SDK POSTs to
   // /api/harness/codex with the right shape and returns { packet, timestamp,
@@ -199,6 +230,9 @@ async function tryViaSdk(baseUrl, apiKey) {
       actor: 'claude-code',
       system: 'claude-coding-agent',
       platform: 'harness-http-client',
+      // Bonus #74: forward conversation history so codex handler can report
+      // a non-zero conversation_history_count in the packet.
+      ...(HOOK_EVENT_MESSAGES ? { messages: HOOK_EVENT_MESSAGES } : {}),
     };
     const wrapped = await client.getHarnessPacket(bodyOverride);
     const json = wrapped.packet;
@@ -220,6 +254,8 @@ async function tryViaSdk(baseUrl, apiKey) {
       system: 'claude-coding-agent',
       roleProfile: 'general_worker',
       deliverySurface: 'claude_code_session',
+      // Bonus #74: forward conversation history (same field as SDK path above).
+      ...(HOOK_EVENT_MESSAGES ? { messages: HOOK_EVENT_MESSAGES } : {}),
     }),
   });
   if (!resp.ok) throw new Error(`HTTP ${resp.status}`);

package/hooks/aria-pre-tool-gate.mjs

@@ -134,11 +134,57 @@ function activePlanPath(sid) {
   return `${HOME}/.claude/aria-active-plan-${String(sid || 'unknown').replace(/[^a-zA-Z0-9_-]/g, '_')}.json`;
 }
 
+// Defect #5 — plan-completion persists across session boundary.
+//
+// The harness packet at ~/.claude/.aria-harness-last-packet.json retains
+// exhausted plan state. An old plan from a prior session that was "all
+// phases complete" would block every tool call in a NEW session because
+// pickCurrentPhase returns null (all complete) on that stale plan.
+//
+// Fix: at load time, validate the plan file against TWO staleness guards:
+//   (a) mtime > 24h → discard (plan is older than a working day; a new
+//       session should start fresh)
+//   (b) plan.sessionId present AND doesn't match current sid → discard
+//       (plan was issued for a different session; current session is unbound)
+//
+// Discarding = returning null → the binding gate treats it as "no plan"
+// and blocks with CONSULT_UNAVAILABLE, which triggers a fresh consult on
+// the next user prompt. The discard is audit-logged.
+const PLAN_MAX_AGE_MS = 24 * 60 * 60 * 1000; // 24 hours
+
 function loadActivePlan(sid) {
   const p = activePlanPath(sid);
   if (!existsSync(p)) return null;
   try {
-    return JSON.parse(readFileSync(p, 'utf8'));
+    const raw = readFileSync(p, 'utf8');
+    const plan = JSON.parse(raw);
+    // Guard (b) — session mismatch: plan was issued for a different session.
+    if (plan.sessionId && sid && plan.sessionId !== String(sid)) {
+      bindingAuditAppend({
+        event: 'discard_plan_session_mismatch',
+        planId: plan.planId,
+        planSessionId: plan.sessionId,
+        currentSessionId: sid,
+      });
+      return null;
+    }
+    // Guard (a) — plan age via plan.mintedAt ISO timestamp (written by harness
+    // when issuing the plan). If mintedAt is present and older than 24h, discard.
+    // No mintedAt → conservatively trust the plan (harness version may predate
+    // this field; upgrade path: harness always writes mintedAt going forward).
+    if (plan.mintedAt) {
+      const mintedMs = Date.parse(plan.mintedAt);
+      if (Number.isFinite(mintedMs) && (Date.now() - mintedMs) > PLAN_MAX_AGE_MS) {
+        bindingAuditAppend({
+          event: 'discard_plan_stale_by_mintedAt',
+          planId: plan.planId,
+          mintedAt: plan.mintedAt,
+          ageHours: ((Date.now() - mintedMs) / 3600000).toFixed(1),
+        });
+        return null;
+      }
+    }
+    return plan;
   } catch {
     return null;
   }
@@ -199,15 +245,49 @@ function pickCurrentPhase(plan, transcript) {
   return null; // all phases reported complete — needs new consult
 }
 
-function actionMatchesPattern(action, pattern) {
-  // pattern can be exact action name ("read", "consult", "kubectl_get") or
-  // prefixed with target-pattern: "edit:apps/arias-soul/api/.*", "kubectl_apply".
+function actionMatchesPattern(action, pattern, target) {
+  // Defect #3 fix — edit-pattern regex over-matches.
+  //
+  // Old behaviour: "edit:/etc/**" matched any path that contained "/etc/" as a
+  // substring because the colon-split only checked pAction===action, ignoring the
+  // path portion entirely — so edit:/etc/** allowed ALL edit actions regardless
+  // of path, not just edits under /etc/.
+  //
+  // Fix:
+  //   - Exact action name ("read", "consult", "kubectl_get"): unchanged.
+  //   - Prefixed pattern ("edit:/etc/**"): split on first colon, compare
+  //     pAction===action, then glob-match the path portion against `target`
+  //     using anchored prefix matching (no substring). Supported forms:
+  //       "edit:/etc/**"        → action=edit, path must start with /etc/
+  //       "edit:apps/.*"        → action=edit, path must start with apps/
+  //       "bash_other:curl .*"  → action=bash_other (target substring match for bash)
+  //   - No colon: exact action match only.
   if (pattern === action) return true;
-  if (pattern.includes(':')) {
-    const [pAction] = pattern.split(':', 1);
-    return pAction === action;
+  const colonIdx = pattern.indexOf(':');
+  if (colonIdx < 0) return false;
+  const pAction = pattern.slice(0, colonIdx);
+  if (pAction !== action) return false;
+  // pAction matches — now check the target portion.
+  const pathPattern = pattern.slice(colonIdx + 1);
+  if (!pathPattern) return true; // bare "edit:" with no path spec → match all edits of that action type
+  const t = target || '';
+  // Convert simple glob /** suffix to prefix anchor, or treat as a regex if
+  // it contains regex meta-chars beyond "." and "*". For the most common
+  // harness patterns ("edit:/etc/**", "edit:apps/arias-soul/.*") a prefix-
+  // match on the stripped glob is correct and safe.
+  // Strip trailing /** or /*, then anchor-prefix-match.
+  const strippedGlob = pathPattern.replace(/\/\*+$/, '');
+  if (strippedGlob && !pathPattern.includes('(?') && !pathPattern.includes('[')) {
+    // Simple prefix match — anchored at start of target path.
+    return t.startsWith(strippedGlob);
+  }
+  // Full regex path pattern (caller used explicit regex syntax).
+  try {
+    return new RegExp(`^(?:${pathPattern})`).test(t);
+  } catch {
+    // Malformed regex in plan — fail-open to avoid blocking everything.
+    return false;
   }
-  return false;
 }
 
 function classifyToolForBinding(toolName, command, filePath) {
@@ -471,6 +551,57 @@ function countCognitionLenses(text) {
   return detectCognitionLenses(text).count;
 }
 
+// ── arch_facts gate ──────────────────────────────────────────────────────────
+//
+// Inspects actual diff content (tool_input.content / file_path) for
+// architectural violations defined as arch_facts rules in mizan.yaml.
+// Called AFTER cognition + discovery-binding checks pass, for Edit/Write/
+// NotebookEdit only (Bash skipped — arch violations live in code, not commands).
+//
+// Tier-aware: if ~/.aria/license.json exists (client surface), arch_facts
+// check is skipped — only owner gets server-side mizan enforcement here.
+//
+// Fail-open: if aria-telemetry is unreachable, the tool call is allowed.
+// The 3s AbortController is a DETECTION PROBE (is telemetry alive?) not a
+// hard deadline — if mizan is slow but alive the probe will complete; if it
+// is down the catch path fail-opens without blocking the developer.
+function isClientSurface() {
+  try {
+    return existsSync(`${HOME}/.aria/license.json`);
+  } catch {
+    return false;
+  }
+}
+
+async function archFactsGate(toolInput) {
+  // Skip on client surfaces — arch_facts enforcement is owner-only.
+  if (isClientSurface()) return { ok: true, allow: true, note: 'client-surface-skip' };
+  try {
+    const ariaTelemetry = process.env.ARIA_TELEMETRY_BASE || 'http://aria-telemetry.aria.svc.cluster.local:8088';
+    const ctl = new AbortController();
+    const probeTimer = setTimeout(() => ctl.abort(), 3000);
+    let resp;
+    try {
+      resp = await fetch(`${ariaTelemetry}/v1/mizan/check`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ draft: String(toolInput).slice(0, 50000), source: 'pre-tool-gate-arch-facts' }),
+        signal: ctl.signal,
+      });
+    } finally {
+      clearTimeout(probeTimer);
+    }
+    if (!resp.ok) return { ok: true, allow: true, note: 'mizan unreachable, fail-open' };
+    const result = await resp.json();
+    if (result?.hard_block === true && Array.isArray(result?.violations)) {
+      return { ok: false, allow: false, violations: result.violations };
+    }
+    return { ok: true, allow: true };
+  } catch {
+    return { ok: true, allow: true, note: 'mizan probe error, fail-open' };
+  }
+}
+
 // Hive cognition-logging v1.2 — fire-and-forget HTTP push to
 // /api/cognition/log so every gate decision joins the corpus.
 // Failures are silent: the local audit log is the durable record;
@@ -873,6 +1004,49 @@ No env-var disable path — gates are unconditional from the gated process per H
   process.exit(2);
 }
 
+// ── arch_facts gate (architectural violation scan) ────────────────────────
+//
+// Runs after cognition + discovery-binding pass, for Edit/Write/NotebookEdit.
+// Bash is skipped: architectural violations live in the code being written,
+// not in shell commands — checking Bash commands would produce false positives
+// on grep/find invocations that mention forbidden strings without introducing them.
+//
+// Content inspected: new_string (Edit), content (Write), source (NotebookEdit).
+// Fail-open: unreachable mizan → allow. Client surface → skip.
+if (['Edit', 'Write', 'NotebookEdit'].includes(toolName)) {
+  // Extract the actual content being written — this is what mizan should scan
+  // for architectural patterns, not the file path or surrounding metadata.
+  const contentToScan =
+    toolInput.new_string ??      // Edit: the replacement text
+    toolInput.content ??         // Write: the full file content
+    toolInput.source ??          // NotebookEdit: cell source
+    '';
+  // Also include file_path for context so mizan pattern-matching can be
+  // path-scoped (e.g. R9 only fires for telemetry/cron paths).
+  const scanPayload = `// file: ${filePath}\n${contentToScan}`;
+  const archResult = await archFactsGate(scanPayload);
+  if (!archResult.allow) {
+    const violationText = (archResult.violations || [])
+      .map((v) => `  • [${v.rule ?? v.id ?? 'arch'}] ${v.description ?? v.message ?? JSON.stringify(v)}`)
+      .join('\n');
+    const archReason = `Aria arch_facts gate: architectural violation(s) detected in ${toolName} diff for ${filePath || '(no path)'}.
+
+${violationText}
+
+These patterns are forbidden by mizan arch_facts rules (mizan.yaml R7–R11). Fix the structural issue before re-issuing the tool call — the gate does not have a bypass for architectural violations.
+
+Rule references:
+  R7  no_sidecar_in_main_container   — bolt-in fork pattern (project_aria_soul_systemd_migration.md)
+  R8  no_silent_fallback_default     — || 'unknown'/'default'/'fallback' masks config failures
+  R9  no_timeout_based_retry         — setTimeout+abort in telemetry/chat/cron paths (no-timeouts doctrine)
+  R10 no_kubectl_apply_for_image_drift — kubectl apply on aria-soul-stateful (project_forge_psi_oom_cascade.md)
+  R11 no_console_log_secrets         — console.log with TOKEN/PASSWORD/SECRET/API_KEY/JWT/BEARER`;
+    audit(`block-arch-facts ${toolName.toLowerCase()} path=${filePath}`, `violations=${archResult.violations?.length ?? 0}`);
+    console.log(JSON.stringify({ decision: 'block', reason: archReason }));
+    process.exit(2);
+  }
+}
+
 // Non-trivial action with cognition (inline for Bash, transcript for
 // Edit/Write/NotebookEdit) — passes cognition gate. Now check Aria-binding.
 
@@ -896,6 +1070,32 @@ No env-var disable path — gates are unconditional from the gated process per H
 // ReferenceError. No new bypass entries can be created (pre-existing defect
 // fixed inline per atomic-discovery-rule).
 const bindingBypassReason = null;
+
+// Defect #4 fix — Consult-Aria unconditionally allowed (doctrine #50).
+//
+// Aria-as-commander session pattern (HARNESS_ARIA_AS_COMMANDER_CONTRACT.md
+// doctrine #50) makes per-turn consult mandatory. A plan cannot forbid the
+// consult mechanism that issues plans — that would be an unbootstrappable
+// circular lock. Previously plan p1 forbade bash_other → consult curl was
+// classified as bash_other → blocked. Now: any Bash command that is a consult
+// to a known Aria/harness endpoint passes UNCONDITIONALLY past ALL binding
+// checks regardless of allowedActions or forbiddenActions in the active phase.
+// Cognition gate still applies (it ran above and passed to reach this point).
+//
+// Covered endpoints (hardcoded carve-out):
+//   curl http(s)://aria-soul<anything>
+//   curl http(s)://aria-telemetry<anything>
+//   curl http(s)://localhost:30080/(chat|api/aria/speak|api/harness/codex|
+//                                   api/harness/verify-claim|v1/doctrine|v1/mizan)
+const ARIA_CONSULT_CURL_RX = /curl\s+['"]?https?:\/\/(?:aria-soul[^\s'"]*|aria-telemetry[^\s'"]*|localhost:30080\/(?:chat|api\/aria\/speak|api\/harness\/(?:codex|verify-claim|delegate|army|plan)|v1\/(?:doctrine|mizan))[^\s'"]*)/i;
+const __isUnconditionalConsult = toolName === 'Bash' && ARIA_CONSULT_CURL_RX.test(cmd);
+if (__isUnconditionalConsult) {
+  bindingAuditAppend({ event: 'allow_unconditional_consult', sessionId, toolName, cmdPreview, reason: 'doctrine#50-aria-as-commander-consult-carveout' });
+  audit(`allow-unconditional-consult lenses=${lensCount}`, cmdPreview);
+  pushDecision('allow', 'unconditional consult carve-out (doctrine #50)');
+  process.exit(0);
+}
+
 const __bindingActionClassification = (BINDING_ENABLED && !bindingBypassReason)
   ? classifyToolForBinding(toolName, cmd, filePath)
   : null;
@@ -952,7 +1152,7 @@ What Claude must do: emit [PLAN_BLOCKER reason="<concrete observation>" suggeste
   const phase = phaseInfo.phase;
 
   // Forbidden takes precedence
-  const forbidden = (phase.forbiddenActions || []).find((p) => actionMatchesPattern(action, p));
+  const forbidden = (phase.forbiddenActions || []).find((p) => actionMatchesPattern(action, p, target));
   if (forbidden) {
     bindingAuditAppend({ event: 'block_forbidden_action', sessionId, planId: plan.planId, phaseId: phase.id, action, target, matchedRule: forbidden });
     const reason = `Aria binding gate: action "${action}" on target "${target}" matches forbidden pattern "${forbidden}" for current phase ${phase.id} ("${phase.summary}") of plan ${plan.planId}.
@@ -966,7 +1166,7 @@ Claude must either: (a) reframe the action to fit allowedActions, OR (b) emit [P
     process.exit(2);
   }
 
-  const allowed = (phase.allowedActions || []).find((p) => actionMatchesPattern(action, p));
+  const allowed = (phase.allowedActions || []).find((p) => actionMatchesPattern(action, p, target));
   if (!allowed) {
     bindingAuditAppend({ event: 'block_action_not_in_allowed_list', sessionId, planId: plan.planId, phaseId: phase.id, action, target });
     const reason = `Aria binding gate: action "${action}" on target "${target}" is NOT in allowedActions for current phase ${phase.id} of plan ${plan.planId}.

package/opencode-plugins/harness-context/index.js

@@ -0,0 +1,60 @@
+/**
+ * Aria Harness Context Plugin for OpenCode.
+ *
+ * Injects the live harness packet into OpenCode's system prompt on every
+ * session start. Routes through the canonical @aria/harness-http-client SDK
+ * via the inject-context.mjs script that ships alongside this plugin.
+ *
+ * Distribution: this dir is installed by `aria connect` (via connectors/
+ * opencode.ts) into `~/.opencode/plugins/harness-context/`. The plugin's
+ * absolute install path is wired into ~/.opencode/config.json's `plugin`
+ * (singular) array. OpenCode loads it on session start.
+ *
+ * inject-context.mjs is resolved RELATIVE TO THIS FILE (via import.meta.url),
+ * so the same install layout works on every machine — no $HOME or repo-path
+ * assumptions.
+ */
+
+import { execFileSync } from 'node:child_process';
+import { existsSync } from 'node:fs';
+import { dirname, join } from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+const PLUGIN_DIR = dirname(fileURLToPath(import.meta.url));
+const INJECT_SCRIPT = join(PLUGIN_DIR, 'inject-context.mjs');
+
+function getHarnessContext() {
+  if (!existsSync(INJECT_SCRIPT)) {
+    process.stderr.write(`[harness-context] inject-context.mjs missing at ${INJECT_SCRIPT}\n`);
+    return null;
+  }
+  try {
+    // execFileSync — argv-safe (no shell injection surface even though the
+    // path is internal). 15s ceiling matches OpenCode's tolerance for
+    // session-start blocking. Stdout is the prepend-able context; stderr
+    // is the diagnostic surface.
+    const output = execFileSync(process.execPath, [INJECT_SCRIPT], {
+      encoding: 'utf-8',
+      timeout: 15000,
+      stdio: ['ignore', 'pipe', 'pipe'],
+      env: process.env,
+    });
+    return output;
+  } catch (err) {
+    process.stderr.write(`[harness-context] inject-context failed: ${err && err.message ? err.message : String(err)}\n`);
+    return null;
+  }
+}
+
+export default async function HarnessContextPlugin(ctx) {
+  const context = getHarnessContext();
+  if (context) {
+    try {
+      ctx.system?.prepend?.(context.slice(0, 8000));
+    } catch (_) {
+      // ctx.system shape varies across OpenCode versions; if prepend isn't
+      // available we silently no-op rather than crash plugin load.
+    }
+  }
+  return {};
+}

package/opencode-plugins/harness-context/inject-context.mjs

@@ -0,0 +1,120 @@
+#!/usr/bin/env node
+// Aria harness context injector — bundled alongside the harness-context
+// OpenCode plugin. Resolved relative to the plugin (via import.meta.url),
+// so the install layout is portable across machines.
+//
+// Contract with the plugin:
+//   - stdin: ignored
+//   - stdout: text to prepend to OpenCode's system prompt
+//   - exit 0 on success; non-zero treated as failure (plugin returns null)
+//
+// SDK resolution: prefers ~/.claude/aria-sdk/index.js (the SDK installed by
+// `aria connect`'s claude-code path — clients with both connectors share it).
+// Cache fast-path uses ~/.claude/.aria-harness-last-packet.json so OpenCode
+// session-start doesn't block on a slow consult endpoint.
+
+import { existsSync, readFileSync, statSync } from 'node:fs';
+import { homedir } from 'node:os';
+import { join } from 'node:path';
+
+const HOME = homedir();
+const LICENSE_PATH = join(HOME, '.aria', 'license.json');
+const OWNER_TOKEN_PATH = join(HOME, '.aria', 'owner-token');
+const SDK_PATH = join(HOME, '.claude', 'aria-sdk', 'index.js');
+const PACKET_CACHE_PATH = join(HOME, '.claude', '.aria-harness-last-packet.json');
+const PACKET_CACHE_TTL_SEC = Number(process.env.ARIA_HARNESS_CACHE_TTL_SEC || '60');
+
+function fail(reason) {
+  process.stderr.write(`[inject-context] ${reason}\n`);
+  process.exit(1);
+}
+
+function resolveApiKey() {
+  if (process.env.ARIA_API_KEY) return process.env.ARIA_API_KEY;
+  if (process.env.ARIA_HARNESS_TOKEN) return process.env.ARIA_HARNESS_TOKEN;
+  if (process.env.ARIA_MASTER_TOKEN) return process.env.ARIA_MASTER_TOKEN;
+  if (existsSync(OWNER_TOKEN_PATH)) {
+    try {
+      const v = readFileSync(OWNER_TOKEN_PATH, 'utf8').trim();
+      if (v) return v;
+    } catch {}
+  }
+  if (existsSync(LICENSE_PATH)) {
+    try {
+      const j = JSON.parse(readFileSync(LICENSE_PATH, 'utf8'));
+      if (j.token) return j.token;
+    } catch {}
+  }
+  return '';
+}
+
+function resolveBaseUrl() {
+  if (process.env.ARIA_HARNESS_BASE_URL) return process.env.ARIA_HARNESS_BASE_URL.replace(/\/+$/, '');
+  if (process.env.ARIA_SOUL_URL) return process.env.ARIA_SOUL_URL.replace(/\/+$/, '');
+  return 'http://localhost:30080';
+}
+
+function loadCachedPacket() {
+  try {
+    if (!existsSync(PACKET_CACHE_PATH)) return null;
+    const ageSec = (Date.now() - statSync(PACKET_CACHE_PATH).mtimeMs) / 1000;
+    if (ageSec > PACKET_CACHE_TTL_SEC) return null;
+    return JSON.parse(readFileSync(PACKET_CACHE_PATH, 'utf8'));
+  } catch {
+    return null;
+  }
+}
+
+function formatPacketAsContext(packet) {
+  if (typeof packet === 'string') return packet;
+  if (packet && typeof packet === 'object') {
+    if (packet.packet && typeof packet.packet === 'object') {
+      return JSON.stringify(packet.packet, null, 2);
+    }
+    if (packet.harness && typeof packet.harness === 'string') return packet.harness;
+    return JSON.stringify(packet, null, 2);
+  }
+  return '';
+}
+
+async function fetchViaSdk(baseUrl, apiKey) {
+  if (!existsSync(SDK_PATH)) {
+    fail(`SDK not found at ${SDK_PATH} — run \`aria connect\` to install`);
+  }
+  const mod = await import(SDK_PATH);
+  const Client = mod.HTTPHarnessClient;
+  if (!Client) fail('SDK loaded but HTTPHarnessClient not exported — bundle is broken');
+  const client = new Client({ baseUrl, apiKey, workspaceRoot: process.cwd() });
+  return client.getHarnessPacket({
+    stage: 'session-start',
+    actor: 'opencode',
+    system: 'opencode',
+    platform: 'opencode',
+  });
+}
+
+async function main() {
+  // Cache fast-path first — don't block OpenCode startup on a slow consult.
+  const cached = loadCachedPacket();
+  if (cached) {
+    process.stdout.write(formatPacketAsContext(cached));
+    return;
+  }
+
+  const apiKey = resolveApiKey();
+  if (!apiKey) {
+    fail('no API key — set ARIA_API_KEY or run `aria login`');
+  }
+  const baseUrl = resolveBaseUrl();
+
+  try {
+    const packet = await fetchViaSdk(baseUrl, apiKey);
+    process.stdout.write(formatPacketAsContext(packet));
+  } catch (err) {
+    fail(`SDK fetch failed: ${err && err.message ? err.message : String(err)}`);
+  }
+}
+
+main().catch((err) => {
+  fail(`unexpected: ${err && err.message ? err.message : String(err)}`);
+});

package/opencode-plugins/harness-context/package.json

@@ -0,0 +1,9 @@
+{
+  "name": "harness-context",
+  "version": "1.0.0",
+  "type": "module",
+  "main": "./index.js",
+  "exports": {
+    ".": "./index.js"
+  }
+}

package/opencode-plugins/harness-role/index.js

@@ -0,0 +1,77 @@
+/**
+ * Aria Harness Role Plugin for OpenCode.
+ *
+ * Resolves the active role profile on session start and injects lane-specific
+ * governance rules (intro, continuity, post-action). Default profile is
+ * opencode_deepseek_engineer; override with OPENCODE_ARIA_ROLE_PROFILE env.
+ *
+ * Distribution: installed by `aria connect` (via connectors/opencode.ts) into
+ * `~/.opencode/plugins/harness-role/`. The plugin's absolute install path is
+ * wired into ~/.opencode/config.json's `plugin` array.
+ */
+
+const ROLE_PROFILES = [
+  {
+    id: 'opencode_deepseek_engineer',
+    label: 'DeepSeek Engineer',
+    authority: 'full_write',
+    destructiveAllowed: false,
+    contractRequired: true,
+    ruleIntro: 'You are an engineering execution lane. Prefer exact files, commands, state transitions, and verification over explanation.',
+    ruleContinuity: 'Continue the active plan. Update issue/task ledger after meaningful state changes. Keep exact files, commands, evidence, and blockers visible.',
+    rulePostAction: 'After work, write outcome, verification, deploy state, residual risk, and next action.',
+  },
+  {
+    id: 'opencode_code_reviewer',
+    label: 'Code Reviewer',
+    authority: 'read_only',
+    destructiveAllowed: false,
+    contractRequired: true,
+    ruleIntro: 'You are a quality gate, not a generic explainer. Prioritize contradictions, missing evidence, regressions, and unverifiable completion claims.',
+    ruleContinuity: 'If output is not proven, fail it cleanly and say what evidence or fix is missing.',
+    rulePostAction: 'After review, record findings, severity, and specific fix recommendations.',
+  },
+  {
+    id: 'opencode_infra_operator',
+    label: 'Infra Operator',
+    authority: 'destructive',
+    destructiveAllowed: true,
+    contractRequired: true,
+    ruleIntro: 'You are an infra/execution lane. Prefer exact commands, state transitions, and verification. Never report success from intent alone.',
+    ruleContinuity: 'Report only what was executed, observed, changed, or still blocked. Bind every action to a tracked issue.',
+    rulePostAction: 'Record deploy state, rollback plan, residual risk, and verification evidence.',
+  },
+];
+
+function resolveRole() {
+  const envRole = (process.env.OPENCODE_ARIA_ROLE_PROFILE || '').trim().toLowerCase();
+  if (envRole) {
+    const found = ROLE_PROFILES.find(p => p.id === envRole);
+    if (found) return found;
+  }
+  return ROLE_PROFILES.find(p => p.id === 'opencode_deepseek_engineer');
+}
+
+export default async function HarnessRolePlugin(ctx) {
+  const role = resolveRole();
+  const systemBlock = [
+    `=== ARIA LANE: ${role.label} ===`,
+    `Role: ${role.id} | Authority: ${role.authority} | Contract Required: ${role.contractRequired}`,
+    '',
+    role.ruleIntro,
+    '',
+    role.ruleContinuity,
+    '',
+    role.rulePostAction,
+  ].join('\n');
+
+  process.stderr.write(`[harness-role] Active role: ${role.id} (${role.label})\n`);
+  process.stderr.write(`[harness-role] Authority: ${role.authority} | Destructive: ${role.destructiveAllowed} | Contract: ${role.contractRequired}\n`);
+
+  try {
+    ctx.system?.prepend?.(systemBlock);
+  } catch (_) {
+    // Silent — different OpenCode versions expose ctx differently.
+  }
+  return {};
+}

package/opencode-plugins/harness-role/package.json

@@ -0,0 +1,9 @@
+{
+  "name": "harness-role",
+  "version": "1.0.0",
+  "type": "module",
+  "main": "./index.js",
+  "exports": {
+    ".": "./index.js"
+  }
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aria_asi/cli",
-  "version": "0.2.23",
+  "version": "0.2.25",
   "description": "Aria Smart CLI — the world's first harness-powered terminal companion",
   "bin": {
     "aria": "./bin/aria.js"
@@ -37,7 +37,8 @@
     "bin",
     "dist",
     "src",
-    "hooks"
+    "hooks",
+    "opencode-plugins"
   ],
   "engines": {
     "node": ">=20.0.0"

package/src/connectors/opencode.ts

@@ -1,8 +1,66 @@
-import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'fs';
+import {
+  existsSync,
+  mkdirSync,
+  readFileSync,
+  writeFileSync,
+  copyFileSync,
+  readdirSync,
+  statSync,
+  chmodSync,
+  unlinkSync,
+} from 'fs';
 import { homedir } from 'os';
 import * as path from 'path';
+import { fileURLToPath } from 'node:url';
 import type { AriaConfig } from '../config.js';
 
+// ── Bundled OpenCode plugins ────────────────────────────────────────────────
+//
+// Two plugins ship with the connector:
+//   - harness-context: spawns the bundled inject-context.mjs on session start
+//                      and prepends the resolved harness packet to OpenCode's
+//                      system prompt. Routes through the canonical SDK at
+//                      ~/.claude/aria-sdk/.
+//   - harness-role:    injects the active role profile (default
+//                      opencode_deepseek_engineer) — intro / continuity /
+//                      post-action governance rules.
+//
+// Both live at <pkg>/opencode-plugins/<name>/. connectOpenCode copies them
+// into ~/.opencode/plugins/<name>/ and wires the absolute paths into
+// ~/.opencode/config.json's `plugin` (singular, OpenCode v2 schema) array.
+//
+// Compiled location of THIS file (claude-code path applies the same way):
+//   <pkg>/dist/aria-connector/src/connectors/opencode.js
+// Plugins ship at <pkg>/opencode-plugins/ → 4 dirs up + 'opencode-plugins'.
+
+const PLUGIN_NAMES = ['harness-context', 'harness-role'] as const;
+
+function packageOpenCodePluginsDir(): string {
+  const here = path.dirname(fileURLToPath(import.meta.url));
+  return path.resolve(here, '..', '..', '..', '..', 'opencode-plugins');
+}
+
+function copyPluginDir(srcDir: string, dstDir: string, logs: string[]): void {
+  if (!existsSync(dstDir)) {
+    mkdirSync(dstDir, { recursive: true, mode: 0o755 });
+  }
+  for (const name of readdirSync(srcDir)) {
+    const src = path.join(srcDir, name);
+    const stat = statSync(src);
+    if (!stat.isFile()) continue;
+    const dst = path.join(dstDir, name);
+    copyFileSync(src, dst);
+    if (name.endsWith('.mjs') || name.endsWith('.js')) {
+      try {
+        chmodSync(dst, 0o755);
+      } catch {
+        // chmod failure isn't fatal on filesystems that ignore mode bits.
+      }
+    }
+  }
+  logs.push(`Installed plugin → ${dstDir}`);
+}
+
 export async function connectOpenCode(config: AriaConfig): Promise<string[]> {
   const logs: string[] = [];
   const opencodeDir = path.join(homedir(), '.opencode');
@@ -12,29 +70,91 @@ export async function connectOpenCode(config: AriaConfig): Promise<string[]> {
     return logs;
   }
 
+  // ── Install bundled plugins into ~/.opencode/plugins/<name>/ ──────────────
+  const pluginsRoot = path.join(opencodeDir, 'plugins');
+  if (!existsSync(pluginsRoot)) {
+    mkdirSync(pluginsRoot, { recursive: true, mode: 0o755 });
+  }
+
+  // Remove legacy single-file plugin shadows (~/.opencode/plugins/<name>.js).
+  // OpenCode v2 auto-discovers BOTH loose .js files and dir-shaped plugins;
+  // when both exist with the same name, behavior is undefined and on at least
+  // one machine the loose .js (carrying old hardcoded paths to
+  // ~/rei-ai-brain/harness/inject-context.mjs) was winning over the dir
+  // install. Idempotent cleanup so re-running connect heals these.
+  for (const pluginName of PLUGIN_NAMES) {
+    const shadowPath = path.join(pluginsRoot, `${pluginName}.js`);
+    if (existsSync(shadowPath)) {
+      try {
+        unlinkSync(shadowPath);
+        logs.push(`Removed legacy single-file plugin shadow: ${shadowPath}`);
+      } catch {
+        // Permission or fs failure isn't fatal — the install proceeds.
+      }
+    }
+  }
+
+  const bundledDir = packageOpenCodePluginsDir();
+  const installedPaths: string[] = [];
+  for (const pluginName of PLUGIN_NAMES) {
+    const srcDir = path.join(bundledDir, pluginName);
+    if (!existsSync(srcDir)) {
+      logs.push(`⚠ Bundled plugin missing: ${srcDir} — connector tarball may be incomplete`);
+      continue;
+    }
+    const dstDir = path.join(pluginsRoot, pluginName);
+    copyPluginDir(srcDir, dstDir, logs);
+    installedPaths.push(dstDir);
+  }
+
+  // ── Wire ~/.opencode/config.json ──────────────────────────────────────────
   const configPath = path.join(opencodeDir, 'config.json');
   if (existsSync(configPath)) {
     try {
-      const opencodeConfig = JSON.parse(readFileSync(configPath, 'utf-8'));
+      const opencodeConfig: Record<string, unknown> = JSON.parse(
+        readFileSync(configPath, 'utf-8'),
+      );
       let modified = false;
 
-      // Remove any prior reference to '@aria/connector' from plugins.
-      // That package name was written into older client configs but no
-      // such npm package exists — the harness integration with OpenCode
-      // is via agentsMdPath below, not via a plugin module. Loading a
-      // non-existent plugin name crashes OpenCode on open. Idempotent
-      // cleanup so re-running connect heals broken installs.
+      // Heal legacy '@aria/connector' references in the older `plugins`
+      // (plural) array. That package name was written by older versions
+      // of this connector but no such npm package exists — loading a
+      // non-existent plugin crashes OpenCode on open. Idempotent.
       if (Array.isArray(opencodeConfig.plugins)) {
-        const before = opencodeConfig.plugins.length;
-        opencodeConfig.plugins = opencodeConfig.plugins.filter(
-          (p: unknown) => p !== '@aria/connector',
+        const before = (opencodeConfig.plugins as unknown[]).length;
+        opencodeConfig.plugins = (opencodeConfig.plugins as unknown[]).filter(
+          (p) => p !== '@aria/connector',
         );
-        if (opencodeConfig.plugins.length !== before) {
+        if ((opencodeConfig.plugins as unknown[]).length !== before) {
           modified = true;
           logs.push('Removed legacy @aria/connector reference from OpenCode plugins (was crashing on open)');
         }
       }
 
+      // OpenCode v2 schema: `plugin` (singular) array of absolute paths or
+      // npm names. We write absolute paths to the locally-installed plugin
+      // dirs above, so OpenCode resolves them as Node modules without any
+      // network or registry dependency.
+      const existingPlugin: unknown[] = Array.isArray(opencodeConfig.plugin)
+        ? (opencodeConfig.plugin as unknown[]).slice()
+        : [];
+      const stringSet = new Set(
+        existingPlugin.filter((p): p is string => typeof p === 'string'),
+      );
+      let pluginAdded = false;
+      for (const installPath of installedPaths) {
+        if (!stringSet.has(installPath)) {
+          existingPlugin.push(installPath);
+          stringSet.add(installPath);
+          pluginAdded = true;
+        }
+      }
+      if (pluginAdded) {
+        opencodeConfig.plugin = existingPlugin;
+        modified = true;
+        logs.push(`Wired ${installedPaths.length} Aria plugin(s) into OpenCode config.plugin`);
+      }
+
       if (!opencodeConfig.agentsMdPath) {
         opencodeConfig.agentsMdPath = path.join(homedir(), '.aria', 'AGENTS.md');
         modified = true;
@@ -51,11 +171,11 @@ export async function connectOpenCode(config: AriaConfig): Promise<string[]> {
     }
   }
 
+  // ── Write the harness AGENTS.md ───────────────────────────────────────────
   const ariaDir = path.join(homedir(), '.aria');
   if (!existsSync(ariaDir)) {
     mkdirSync(ariaDir, { recursive: true });
   }
-
   const ariaAgentsPath = path.join(ariaDir, 'AGENTS.md');
   const agentsContent = buildOpenCodeAgentsMd(config);
   writeFileSync(ariaAgentsPath, agentsContent);
@@ -70,14 +190,31 @@ export async function disconnectOpenCode(): Promise<string[]> {
 
   if (existsSync(configPath)) {
     try {
-      const opencodeConfig = JSON.parse(readFileSync(configPath, 'utf-8'));
+      const opencodeConfig: Record<string, unknown> = JSON.parse(
+        readFileSync(configPath, 'utf-8'),
+      );
+
+      // Strip any locally-installed Aria plugin paths from `plugin` (singular).
+      const pluginsRoot = path.join(homedir(), '.opencode', 'plugins');
+      if (Array.isArray(opencodeConfig.plugin)) {
+        const before = (opencodeConfig.plugin as unknown[]).length;
+        opencodeConfig.plugin = (opencodeConfig.plugin as unknown[]).filter((p) => {
+          if (typeof p !== 'string') return true;
+          return !PLUGIN_NAMES.some((n) => p === path.join(pluginsRoot, n));
+        });
+        if ((opencodeConfig.plugin as unknown[]).length !== before) {
+          logs.push('Removed Aria plugin paths from OpenCode config.plugin');
+        }
+      }
+
+      // Strip the legacy @aria/connector reference if present.
       if (Array.isArray(opencodeConfig.plugins)) {
-        opencodeConfig.plugins = opencodeConfig.plugins.filter(
-          (p: string) => p !== '@aria/connector',
+        opencodeConfig.plugins = (opencodeConfig.plugins as unknown[]).filter(
+          (p) => p !== '@aria/connector',
         );
-        writeFileSync(configPath, JSON.stringify(opencodeConfig, null, 2));
-        logs.push('Removed @aria/connector from OpenCode plugins');
       }
+
+      writeFileSync(configPath, JSON.stringify(opencodeConfig, null, 2));
     } catch {
       logs.push('Failed to update OpenCode config');
     }
@@ -94,7 +231,7 @@ function buildOpenCodeAgentsMd(config: AriaConfig): string {
 
   return `# Aria Harness — AGENTS.md
 
-Automatically injected by @aria/connector. This file provides Aria's cognitive harness
+Automatically injected by @aria_asi/cli. This file provides Aria's cognitive harness
 to OpenCode sessions.
 
 ## Connected Repositories