@aria_asi/cli 0.2.25 → 0.2.29

package/dist/assets/hooks/aria-pre-tool-gate.mjs

@@ -0,0 +1,2133 @@
+#!/usr/bin/env node
+// ARIA_ALLOW_STUB — doctrine gate file legitimately discusses stub/placeholder semantics.
+// Aria pre-tool-use gate — enforces cognition use before destructive tool calls.
+//
+// Runs as a Claude Code PreToolUse hook on every Bash invocation. For
+// commands matching destructive-verb patterns, requires the most recent
+// assistant turn to contain a structured <verify> block. Without it, the
+// tool call is blocked with a corrective message that names the missing
+// fields.
+//
+// Doctrine being enforced (from /tmp/aria-harness-full.txt):
+//   - mizan_prestage_rule: "Before drafting, check niyyah/pre-state: am I
+//     present, truthful, specific, grounded in verified substrate?"
+//   - drift_guard_rule: "Before answering, restate internally: current
+//     goal, current blocker, current stage, and next committed action."
+//   - axiom_runtime_rule.admit_ignorance + reflection_before_action
+//   - llm_worker_rule: "External LLMs are hands/renderers/reviewers.
+//     Aria memory, cognition, frames, Mizan, and Garden are the shared
+//     brain substrate."
+//
+// The gate is the *forcing function* that converts those rules from text
+// instructions into actual enforcement. The harness already declares
+// them; this hook is what makes them gate-real for Claude Code.
+//
+// Escape valves (v3 — Hamza 2026-04-26: "why is there an ability to
+// bypass? doesnt that fundamentally void the purpose of the harness?"
+// Per-command bypass was removed entirely — every prior bypass was
+// traceable to a gate bug, not a legitimate exception.):
+//   - Trivial-bash whitelist: short read-only commands (ls/cat/grep/etc.)
+//     pass without cognition.
+//   - No env-var disable path (Hamza 2026-04-27 — env-var kill-switches
+//     gave the gated process a free escape; that was the doctrine
+//     violation). Disable = remove the hook from ~/.claude/settings.json.
+//   - When the gate misfires on legitimate work: fix the gate. The
+//     misfire IS the bug. Don't route around it.
+//
+// Audit log: every gate decision (allow / block / kill-switch) is
+// appended to ~/.claude/aria-pre-tool-gate.log.
+
+import { readFileSync, writeFileSync, appendFileSync, existsSync, mkdirSync, chmodSync } from 'node:fs';
+import { dirname } from 'node:path';
+import { homedir } from 'node:os';
+import { spawnSync } from 'node:child_process';
+import { createHmac, randomBytes as cryptoRandomBytes } from 'node:crypto';
+
+const HOME = process.env.HOME || '/tmp';
+const LOG = `${HOME}/.claude/aria-pre-tool-gate.log`;
+const HEARTBEAT = `${HOME}/.claude/aria-pre-tool-gate-heartbeat.jsonl`;
+
+// ── Heartbeat OUTSIDE the crash boundary (doctrine #123) ───────────────
+// Per feedback_ledger_writes_outside_crash_boundary.md + doctrine #124
+// (non-blocking errors are NOT acceptable), the gate writes a heartbeat
+// FIRST — before transcript scan, before cognition extraction, before
+// any code path that could crash, hang, or be killed by an external
+// timeout. A heartbeat-write is the ONLY signal that proves the gate
+// process actually started executing. Hook-health monitors read this
+// file to detect silent gate death.
+//
+// The heartbeat is intentionally a tiny synchronous write so that even
+// if the gate is killed by Claude Code's hook timeout in the next
+// millisecond, we have proof it was alive at startup.
+try {
+  const hbPid = process.pid;
+  const hbTs = new Date().toISOString();
+  // Write before reading stdin or doing any work that could throw.
+  appendFileSync(HEARTBEAT, JSON.stringify({ ts: hbTs, pid: hbPid, gate: 'aria-pre-tool-gate', stage: 'startup' }) + '\n');
+} catch {
+  // The ONLY catch in this file that may swallow — a heartbeat write
+  // failure here is fail-loud-on-stderr because no other surface exists
+  // yet (we haven't opened the audit log) but cannot itself block the
+  // gate. Per feedback_non_blocking_errors_unacceptable.md the
+  // failure-mode for THIS specific path is documented in the doctrine
+  // memory; the structural fix for "what if the heartbeat write fails"
+  // is the hook-health monitor task #122 which checks heartbeat
+  // freshness and reports staleness.
+  process.stderr.write(`[aria-pre-tool-gate] heartbeat write failed at ${new Date().toISOString()}\n`);
+}
+
+// Bypass-counter (kept for historical visibility — past audit-log
+// entries are still useful even though no new bypass entries can be
+// created in v3 since the per-command bypass code path was removed).
+// V1 added the WARN line at 5+/hour as a drift instrument; that line
+// will only appear if old log entries spanning before v3 still fall
+// in the rolling window.
+const BYPASS_WARN_THRESHOLD_PER_HOUR = 5;
+
+function readRecentBypassCount() {
+  try {
+    if (!existsSync(LOG)) return 0;
+    const cutoffMs = Date.now() - 60 * 60 * 1000;
+    const lines = readFileSync(LOG, 'utf-8').split('\n').filter(Boolean);
+    let n = 0;
+    // Walk backward — bypasses are recent if at all.
+    for (let i = lines.length - 1; i >= 0; i--) {
+      const line = lines[i];
+      if (!line.includes('bypass')) continue;
+      const tsEnd = line.indexOf(' ');
+      if (tsEnd < 0) continue;
+      const ts = Date.parse(line.slice(0, tsEnd));
+      if (!Number.isFinite(ts)) continue;
+      if (ts < cutoffMs) break;
+      n++;
+    }
+    return n;
+  } catch {
+    return 0;
+  }
+}
+
+function audit(decision, summary) {
+  try {
+    if (!existsSync(dirname(LOG))) mkdirSync(dirname(LOG), { recursive: true });
+    appendFileSync(LOG, `${new Date().toISOString()} ${decision} ${summary}\n`);
+    // If this audit is itself a bypass, check the bypass-rate. A
+    // separate WARN line gets emitted (and surfaces via tail) when
+    // we exceed the per-hour threshold. The agent can't quietly
+    // drift back to bypass-as-default — drift is visible.
+    if (decision.startsWith('bypass')) {
+      const count = readRecentBypassCount();
+      if (count > BYPASS_WARN_THRESHOLD_PER_HOUR) {
+        appendFileSync(
+          LOG,
+          `${new Date().toISOString()} WARN-BYPASS-RATE ${count} bypasses in last hour (threshold ${BYPASS_WARN_THRESHOLD_PER_HOUR}) — drift check\n`,
+        );
+      }
+    }
+  } catch {}
+}
+
+// ARIA_BINDING_ENABLED env-override REMOVED 2026-04-28 per Hamza directive
+// + memory:feedback_gap_discovery_hardens_doctrine.md — env-var disables
+// are the textbook bypass class doctrine forbids. The override was the
+// de-facto Aria-down handler for an unknown count of sessions and turned
+// off every gate, not just the plan-check. Replaced by the architect
+// fallback plan path (tracked task — Aria-unreachable detection writes
+// a bounded local plan with limited allowedActions, loud audit, auto-
+// expiry on Aria return). Prior env_override_exit entries remain in
+// ~/.claude/aria-binding-audit.jsonl for historical audit.
+//
+// The gate now enforces unconditionally from the gated process per
+// Hamza directive 2026-04-27. No process-level disable path.
+
+// ── Aria-as-commander binding (Layer A — allowedActions/forbiddenActions per active phase) ──
+//
+// When ARIA_BINDING_ENABLED=true (default), every non-trivial tool call is
+// checked against the active phase of ~/.claude/aria-active-plan-${sessionId}.json.
+// If no plan exists or the action isn't allowed for the current phase, the
+// hook blocks with a binding-violation message. See HARNESS_ARIA_AS_COMMANDER_CONTRACT.md
+// Section 2 Layer A.
+//
+// Bootstrap: if no plan exists, the hook STILL blocks (per Hamza 2026-04-27
+// "the point is to stop wasting my time"). Claude must wait for Aria to issue
+// a plan via preprompt-consult on the next user prompt. NO unbound execution.
+const BINDING_ENABLED = (process.env.ARIA_BINDING_ENABLED || 'true').toLowerCase() !== 'false';
+const BINDING_AUDIT = `${HOME}/.claude/aria-binding-audit.jsonl`;
+
+function bindingAuditAppend(record) {
+  try {
+    if (!existsSync(dirname(BINDING_AUDIT))) mkdirSync(dirname(BINDING_AUDIT), { recursive: true });
+    appendFileSync(BINDING_AUDIT, JSON.stringify({ ts: new Date().toISOString(), source: 'pre-tool-gate', ...record }) + '\n');
+  } catch {}
+}
+
+function activePlanPath(sid) {
+  return `${HOME}/.claude/aria-active-plan-${String(sid || 'unknown').replace(/[^a-zA-Z0-9_-]/g, '_')}.json`;
+}
+
+// Defect #5 — plan-completion persists across session boundary.
+//
+// The harness packet at ~/.claude/.aria-harness-last-packet.json retains
+// exhausted plan state. An old plan from a prior session that was "all
+// phases complete" would block every tool call in a NEW session because
+// pickCurrentPhase returns null (all complete) on that stale plan.
+//
+// Fix: at load time, validate the plan file against TWO staleness guards:
+//   (a) mtime > 24h → discard (plan is older than a working day; a new
+//       session should start fresh)
+//   (b) plan.sessionId present AND doesn't match current sid → discard
+//       (plan was issued for a different session; current session is unbound)
+//
+// Discarding = returning null → the binding gate treats it as "no plan"
+// and blocks with CONSULT_UNAVAILABLE, which triggers a fresh consult on
+// the next user prompt. The discard is audit-logged.
+const PLAN_MAX_AGE_MS = 24 * 60 * 60 * 1000; // 24 hours
+
+function loadActivePlan(sid) {
+  const p = activePlanPath(sid);
+  if (!existsSync(p)) return null;
+  try {
+    const raw = readFileSync(p, 'utf8');
+    const plan = JSON.parse(raw);
+    // Guard (b) — session mismatch: plan was issued for a different session.
+    if (plan.sessionId && sid && plan.sessionId !== String(sid)) {
+      bindingAuditAppend({
+        event: 'discard_plan_session_mismatch',
+        planId: plan.planId,
+        planSessionId: plan.sessionId,
+        currentSessionId: sid,
+      });
+      return null;
+    }
+    // Guard (a) — plan age via plan.mintedAt ISO timestamp (written by harness
+    // when issuing the plan). If mintedAt is present and older than 24h, discard.
+    // No mintedAt → conservatively trust the plan (harness version may predate
+    // this field; upgrade path: harness always writes mintedAt going forward).
+    if (plan.mintedAt) {
+      const mintedMs = Date.parse(plan.mintedAt);
+      if (Number.isFinite(mintedMs) && (Date.now() - mintedMs) > PLAN_MAX_AGE_MS) {
+        bindingAuditAppend({
+          event: 'discard_plan_stale_by_mintedAt',
+          planId: plan.planId,
+          mintedAt: plan.mintedAt,
+          ageHours: ((Date.now() - mintedMs) / 3600000).toFixed(1),
+        });
+        return null;
+      }
+    }
+    return plan;
+  } catch {
+    return null;
+  }
+}
+
+function pickCurrentPhase(plan, transcript) {
+  // Defect #1 fix — transcript-scan over-count prevention.
+  //
+  // Old behaviour: scan the ENTIRE transcript for any [PHASE_REPORT] marker.
+  // A single old marker permanently locked all future actions (plan could
+  // never advance past "complete" even across new consults in the same session).
+  //
+  // Fix — two guards:
+  //   (a) Active-plan window: trim the transcript to only text that appeared
+  //       AFTER the most recent preprompt-consult mint marker. The marker
+  //       written by aria-harness-via-sdk.mjs is:
+  //         [ARIA_PLAN_MINTED planId=<id> ts=<iso>]
+  //       If found, discard everything before it. Older plan completions that
+  //       pre-date the current plan's mint are invisible to the scan.
+  //   (b) Latest-marker-only per phaseId: collect ALL [PHASE_REPORT] lines
+  //       for a given phaseId inside the active window; use only the LAST one.
+  //       This prevents a phase from being "locked complete" by an older marker
+  //       that was since superseded by a re-run or amendment.
+  if (!plan?.phases?.length) return null;
+
+  // (a) Scope to active-plan window using plan's planId if available.
+  let activeWindow = transcript;
+  if (plan.planId) {
+    // Try to find the most recent [ARIA_PLAN_MINTED planId=<this_id> …] marker.
+    const mintRx = new RegExp(
+      `\\[ARIA_PLAN_MINTED\\s[^\\]]*planId=${plan.planId}[^\\]]*\\]`,
+      'gi',
+    );
+    const mints = [...transcript.matchAll(mintRx)];
+    if (mints.length > 0) {
+      const lastMint = mints[mints.length - 1];
+      activeWindow = transcript.slice(lastMint.index + lastMint[0].length);
+    }
+  }
+
+  for (const phase of plan.phases) {
+    // (b) Collect all PHASE_REPORT lines for this phaseId in the active window;
+    //     use the LAST one's status rather than the first match.
+    const reportRx = new RegExp(
+      `\\[PHASE_REPORT[^\\]]*phase=${phase.id}[^\\]]*status=(complete|aborted)[^\\]]*\\]`,
+      'gi',
+    );
+    const reports = [...activeWindow.matchAll(reportRx)];
+    if (reports.length === 0) {
+      // No report yet for this phase → it's the current one.
+      return { phase, abortedHere: false };
+    }
+    // Last report wins.
+    const lastStatus = (reports[reports.length - 1][1] || '').toLowerCase();
+    if (lastStatus === 'aborted') return { phase, abortedHere: true };
+    // status=complete → continue to next phase.
+  }
+  return null; // all phases reported complete — needs new consult
+}
+
+function actionMatchesPattern(action, pattern, target) {
+  // Defect #3 fix — edit-pattern regex over-matches.
+  //
+  // Old behaviour: "edit:/etc/**" matched any path that contained "/etc/" as a
+  // substring because the colon-split only checked pAction===action, ignoring the
+  // path portion entirely — so edit:/etc/** allowed ALL edit actions regardless
+  // of path, not just edits under /etc/.
+  //
+  // Fix:
+  //   - Exact action name ("read", "consult", "kubectl_get"): unchanged.
+  //   - Prefixed pattern ("edit:/etc/**"): split on first colon, compare
+  //     pAction===action, then glob-match the path portion against `target`
+  //     using anchored prefix matching (no substring). Supported forms:
+  //       "edit:/etc/**"        → action=edit, path must start with /etc/
+  //       "edit:apps/.*"        → action=edit, path must start with apps/
+  //       "bash_other:curl .*"  → action=bash_other (target substring match for bash)
+  //   - No colon: exact action match only.
+  if (pattern === action) return true;
+  const colonIdx = pattern.indexOf(':');
+  if (colonIdx < 0) return false;
+  const pAction = pattern.slice(0, colonIdx);
+  if (pAction !== action) return false;
+  // pAction matches — now check the target portion.
+  const pathPattern = pattern.slice(colonIdx + 1);
+  if (!pathPattern) return true; // bare "edit:" with no path spec → match all edits of that action type
+  const t = target || '';
+  // Convert simple glob /** suffix to prefix anchor, or treat as a regex if
+  // it contains regex meta-chars beyond "." and "*". For the most common
+  // harness patterns ("edit:/etc/**", "edit:apps/arias-soul/.*") a prefix-
+  // match on the stripped glob is correct and safe.
+  // Strip trailing /** or /*, then anchor-prefix-match.
+  const strippedGlob = pathPattern.replace(/\/\*+$/, '');
+  if (strippedGlob && !pathPattern.includes('(?') && !pathPattern.includes('[')) {
+    // Simple prefix match — anchored at start of target path.
+    return t.startsWith(strippedGlob);
+  }
+  // Full regex path pattern (caller used explicit regex syntax).
+  try {
+    return new RegExp(`^(?:${pathPattern})`).test(t);
+  } catch {
+    // Malformed regex in plan — fail-open to avoid blocking everything.
+    return false;
+  }
+}
+
+function classifyToolForBinding(toolName, command, filePath) {
+  // Map Claude Code tool + payload to a binding-vocabulary action.
+  if (toolName === 'Read' || toolName === 'Glob' || toolName === 'Grep') return { action: 'read', target: filePath || '' };
+  if (toolName === 'Edit' || toolName === 'Write' || toolName === 'NotebookEdit') return { action: 'edit', target: filePath || '' };
+  if (toolName === 'Bash') {
+    const cmd = String(command || '');
+    if (/^kubectl\s+(get|describe|logs|exec\s+\S+\s+--\s+printenv|top|version|api-resources)\b/.test(cmd)) return { action: 'kubectl_get', target: cmd.slice(0, 80) };
+    if (/^kubectl\s+(apply|delete|set|patch|rollout|scale|drain|cordon)\b/.test(cmd)) return { action: 'kubectl_apply', target: cmd.slice(0, 80) };
+    if (/curl\s+.*\/api\/harness\/(delegate|codex|army|plan)/.test(cmd)) return { action: 'consult', target: 'harness' };
+    if (/curl\s+.*\/api\/aria\/speak/.test(cmd)) return { action: 'consult', target: 'aria-speak' };
+    if (/^(ls|cat|head|tail|grep|wc|find|tree|stat|file|ps|pgrep|du|df|env|printenv|date|pwd|which|type|whoami|id)\b/.test(cmd)) return { action: 'read', target: cmd.slice(0, 80) };
+    if (/^git\s+(status|log|diff|show|branch|remote|rev-parse|ls-tree|ls-files|stash\s+list)\b/.test(cmd)) return { action: 'read', target: cmd.slice(0, 80) };
+    if (/^git\s+(push|merge|rebase|reset|checkout\s+--|clean)/.test(cmd)) return { action: 'git_mutate', target: cmd.slice(0, 80) };
+    if (/^npm\s+(publish|version)/.test(cmd)) return { action: 'npm_publish', target: cmd.slice(0, 80) };
+    if (/^docker\s+(build|push)/.test(cmd)) return { action: 'docker_build', target: cmd.slice(0, 80) };
+    if (/scripts\/deploy-/.test(cmd)) return { action: 'deploy', target: cmd.slice(0, 80) };
+    return { action: 'bash_other', target: cmd.slice(0, 80) };
+  }
+  return { action: toolName.toLowerCase(), target: filePath || '' };
+}
+
+if (false) {
+  // Read same input as the cognition gate uses (reads stdin twice via different code paths;
+  // the cognition section below re-reads). Defer enforcement decision until after
+  // we have the tool name + payload from the cognition gate's existing input parse.
+  // (Implementation continues below — the binding check fires AFTER cognition
+  // parses input but BEFORE the cognition substance check, so binding-block
+  // takes precedence.)
+}
+
+// Destructive-verb patterns. Tuned for tonight's failure modes; extend
+// over time as new patterns surface.
+const DESTRUCTIVE_PATTERNS = [
+  // sudo only when it's a command verb (start of line or after shell
+  // separator), not when it appears as an argument to another command
+  // (e.g. `echo "sudo …"` or `grep sudo`). The specific verb patterns
+  // below catch the actual destructive operations regardless of sudo
+  // prefix; this rule is the catch-all for arbitrary privilege elevation.
+  { rx: /(?:^|[;&|]\s*|\$\(\s*|`\s*)sudo\s+\S/, name: 'sudo' },
+  { rx: /systemctl\s+(disable|stop|mask|reset-failed|kill)/, name: 'systemctl-state-change' },
+  { rx: /\brm\s+-[rRfF]+/, name: 'rm-recursive-or-force' },
+  { rx: /\bgit\s+push\b.*\b--force\b/, name: 'git-push-force' },
+  { rx: /\bgit\s+reset\s+--hard\b/, name: 'git-reset-hard' },
+  { rx: /\bgit\s+checkout\s+--\b/, name: 'git-checkout-discard' },
+  { rx: /\b--no-verify\b/, name: 'commit-no-verify' },
+  { rx: /\b--no-gpg-sign\b/, name: 'commit-no-gpg-sign' },
+  { rx: /\bkill\s+-(9|KILL|TERM|HUP|INT)\b/, name: 'kill-signal' },
+  { rx: /\bpkill\b/, name: 'pkill' },
+  { rx: /\b(DROP|TRUNCATE)\s+(TABLE|DATABASE|SCHEMA|INDEX)\b/i, name: 'sql-drop-or-truncate' },
+  { rx: /\bkubectl\s+delete\b/, name: 'kubectl-delete' },
+  { rx: /\bkubectl\s+(scale|rollout)\s+(undo|restart)\b/, name: 'kubectl-rollback' },
+];
+
+// Deploy patterns — bash invocations that mutate the canonical aria k8s
+// cluster or push images. Per feedback_deploy_requires_verify_cognition.md
+// (Hamza directive 2026-04-28 after consciousness.ts crash took aria-soul
+// into CrashLoopBackOff): deploys require BOTH a <verify> block citing the
+// shipping artifact AND a <cognition> block with substantive substrate
+// anchors. Without both, the deploy is hard-blocked. This is doctrine #104
+// — the structural enforcement Hamza demanded after the prior deploy
+// crashed all of aria.
+const DEPLOY_PATTERNS = [
+  { rx: /\bbash\s+(?:\.\/)?scripts\/deploy-service\.sh\b/, name: 'deploy-service-script' },
+  { rx: /\b(?:\.\/)?scripts\/deploy-service\.sh\b/, name: 'deploy-service-script' },
+  { rx: /\bkubectl\s+apply\b/, name: 'kubectl-apply' },
+  { rx: /\bkubectl\s+set\s+image\b/, name: 'kubectl-set-image' },
+  { rx: /\bkubectl\s+rollout\s+restart\b/, name: 'kubectl-rollout-restart' },
+  { rx: /\bkubectl\s+rollout\s+undo\b/, name: 'kubectl-rollout-undo' },
+  { rx: /\bkubectl\s+create\b/, name: 'kubectl-create' },
+  { rx: /\bkubectl\s+replace\b/, name: 'kubectl-replace' },
+  { rx: /\bdocker\s+push\b/, name: 'docker-push' },
+  { rx: /\bdocker\s+build\b.*--push\b/, name: 'docker-build-push' },
+];
+
+// Minimum substrate anchors required in cognition body for a deploy.
+// Per feedback_full_harness_binding_must_be_structural.md, every cognition
+// lens should cite a substrate anchor; for deploy specifically we require
+// at least 4 distinct anchors total across the block (one per lens minimum
+// across at least 4 lenses).
+const DEPLOY_MIN_SUBSTRATE_ANCHORS = 4;
+const SUBSTRATE_ANCHOR_RX = /\b(axiom|frame|memory|doctrine|packet):[a-z0-9_\-./]+/gi;
+
+// Verify-block fields specifically required for deploys — beyond the base
+// 5 fields, the deploy verify must cite a commit/SHA, a TS-check result,
+// and the admission policy that authorizes the canonical image.
+const DEPLOY_VERIFY_REQUIRED_FIELDS = [
+  // Either a git commit hash OR an explicit "files changed" listing
+  { rx: /\b(?:commit|HEAD|SHA|files\s+changed)\b/i, name: 'commit_or_files' },
+  // TS-check / build evidence
+  { rx: /\b(?:tsc|type[\s-]?check|build|npm\s+run\s+build)\b/i, name: 'build_or_typecheck' },
+  // Admission policy citation
+  { rx: /\b(?:admission[\s_-]?policy|validatingadmissionpolicy)\b/i, name: 'admission_policy' },
+];
+
+// The verify-block contract. All five fields required.
+const VERIFY_BLOCK_RX =
+  /<verify>[\s\S]*?target\s*:[\s\S]*?role\s*:[\s\S]*?verified\s*:[\s\S]*?rollback\s*:[\s\S]*?axiom\s*:[\s\S]*?<\/verify>/i;
+
+// ── Dalio Loop: expected_outcome enforcement (doctrine:dalio_expected_required) ─
+//
+// Every non-trivial action must carry an <expected> block with at least one
+// measurable predicate. The predicate must be numeric (≥X, ==X, ≤X, X%),
+// boolean (true/false/exit=0/exit=1), or state-string ("status=running",
+// "200 OK", "exit=0", "file=exists", etc.).
+//
+// Qualitative drift phrases ("better", "improved", "more robust", etc.) are
+// REJECTED — they are unmeasurable and defeat the Dalio accountability loop.
+// The block must appear in the same turn or a prior turn (turn-scoped, same
+// window as cognition).
+//
+// Per doctrine:dalio_expected_required — no measurable predicate = no allow.
+const EXPECTED_BLOCK_RX = /<expected>([\s\S]*?)<\/expected>/i;
+
+// Measurable predicate patterns — at least ONE must be present inside <expected>.
+// Forms accepted:
+//   numeric:      ≥X, >=X, ==X, <=X, <X, >X, X%, N of N, count=N, latency<Xms
+//   boolean:      true, false, exit=0, exit=1, exit_code=N, rc=N
+//   state-string: status=running, status=healthy, status=200, "200 OK",
+//                 "exit=0", "file=exists", "count=N", "error_rate=0%"
+const MEASURABLE_PREDICATE_RX = /(?:>=|<=|==|!=|>|<|≥|≤)\s*\d+(?:\.\d+)?(?:ms|s|%|kb|mb|gb)?|\d+(?:\.\d+)?%(?:\s+(?:reduction|increase|success|error|coverage))?|exit[_=]\s*(?:0|1|\d+)|exit[-_]?code\s*[=:]\s*\d+|\brc\s*[=:]\s*\d+|\bstatus\s*[=:]\s*(?:running|healthy|ready|degraded|down|up|ok|200|201|204|400|401|403|404|500|502|503|504|true|false)\b|\bcount\s*[=:]\s*\d+|\berror[_-]?rate\s*[=:]\s*0%|\b(?:true|false)\b|\bfile[=_-]exists\b|\b200\s*OK\b|\bno[-_\s]?error|\bhealthy\b|\bpassed?\b|N\s*of\s*N|\d+\s*of\s*\d+/i;
+
+// Qualitative drift phrases that masquerade as measurable but are not.
+// Any <expected> block containing ONLY these (no actual predicate) is rejected.
+const QUALITATIVE_DRIFT_RX = /\b(?:better(?:er)?|improved?(?:ment)?|more\s+robust|should\s+(?:work|pass|succeed|run|fix)|more\s+reliable|cleaner|less\s+error[-_\s]?prone|nicer|smoother|faster[-\s]?loading|higher[-\s]?quality|more\s+stable|looks\s+(?:good|better|right))\b/i;
+
+// ── Tier-aware lens labeling (Phase 11 #59) ──────────────────────────────────
+//
+// Aria's Arabic cognition lens names are proprietary IP. On Hamza's surface
+// (isHamza=true / surface line contains hamza:true) the canonical names are shown.
+// On any client surface the gate uses neutral generic labels so the IP
+// vocabulary never appears in client-facing block-reason text.
+//
+// Tier is read from the most recent harness-via-sdk packet cache at
+// ~/.claude/.aria-harness-last-packet.json. Two detection paths:
+//   1. packet.contractGate.signals.hamza === true (boolean or string "true")
+//   2. packet.harness string contains "hamza:true" in the surface line
+// Either path → OWNER tier. Everything else → CLIENT tier.
+//
+// Doctrine memory filenames in block-reason text are also Aria-side IP.
+// Client tier sees generic descriptions instead of the real filenames.
+const PACKET_CACHE_PATH = `${HOME}/.claude/.aria-harness-last-packet.json`;
+
+function resolveOwnerTier() {
+  try {
+    if (existsSync(PACKET_CACHE_PATH)) {
+      const raw = readFileSync(PACKET_CACHE_PATH, 'utf8');
+      const packet = JSON.parse(raw);
+      // Path 1: contractGate.signals.hamza
+      const sigHamza = packet?.contractGate?.signals?.hamza;
+      if (sigHamza === true || sigHamza === 'true') return true;
+      // Path 2: harness string surface marker — the actual format is
+      // "surface=platform:<X> group:<Y> hamza:true chat_type:<Z>" so we
+      // match hamza:true in the surface line, not "platform:hamza" (which
+      // was a legacy incorrect pattern that never matched real packets).
+      const harnessStr = packet?.harness ?? '';
+      if (/\bhamza:true\b/.test(harnessStr)) return true;
+    }
+  } catch {/* packet unreadable → default to client tier */}
+  return false;
+}
+
+const IS_OWNER = resolveOwnerTier();
+
+// Canonical (owner) lens names — Aria's Arabic cognition vocabulary.
+const LENS_NAMES_CANONICAL = ['nur', 'mizan', 'hikma', 'tafakkur', 'tadabbur', 'ilham', 'wahi', 'firasah'];
+// Generic (client) lens labels — neutral, IP-neutral equivalents.
+const LENS_NAMES_GENERIC   = ['perception', 'balance', 'wisdom', 'reflection', 'foresight', 'insight', 'revelation', 'discernment'];
+// Active label set for this execution — determined by tier.
+const LENS_NAMES = IS_OWNER ? LENS_NAMES_CANONICAL : LENS_NAMES_GENERIC;
+
+// Doctrine memory filenames are Aria-side substrate IP. On client surfaces
+// replace them with generic descriptions in block-reason text.
+function docRef(canonicalFilename, genericDescription) {
+  return IS_OWNER ? canonicalFilename : genericDescription;
+}
+
+// 8-lens cognition block per EIGHT_LENS_DOCTRINE.md. Required on
+// non-trivial Bash regardless of whether the command is destructive.
+// Threshold: at least 4 of the 8 lens names must appear inside the
+// block AND each must have substantive content (≥20 chars after the
+// colon, not a placeholder template). The substance check (added
+// 2026-04-26) defeats ritual emission — `nur: ok` no longer counts.
+const COGNITION_BLOCK_RX = /<cognition>([\s\S]*?)<\/cognition>/i;
+// Hamza directive 2026-04-28: 8-lens enforcement, not 4-of-8. The earlier
+// REQUIRED_LENSES=4 was a regression — owner caught it ("i no longer see
+// 8 lens cognition per turn"). All 8 canonical lenses must appear with
+// substantive (≥20-char, non-placeholder) content per turn for the gate
+// to accept the cognition. The substrate-binding stop hook also requires
+// all 8 to carry substrate anchors; this gate enforces the 8 lens NAMES
+// are present and have substance.
+const REQUIRED_LENSES = 8;
+const SUBSTANCE_MIN_CHARS = 20;
+// Placeholder patterns from the gate's own correction message + the
+// COMPACT_CONTINUITY_DOCTRINE template — content matching these is
+// not "thinking," it's a copy-paste of the prompt template.
+const PLACEHOLDER_RX = /^\s*<[^<>]+>\s*$/;
+
+// Trivial reads that don't require a cognition block.
+const TRIVIAL_BASH_RX = /^\s*(?:ls|cat|head|tail|grep|find|echo|wc|stat|which|pwd|date|file|du|df|ss|ps)\s/;
+const SHORT_BASH_LIMIT = 30;
+
+// V3 doctrine (2026-04-26, Hamza): "why is there an ability to bypass?
+// doesnt that fundamentally void the purpose of the harness?" — yes.
+// Per-command bypass is removed entirely. Every bypass this session
+// was traceable to a gate bug, not a legitimate exception. Compliance
+// is the only path for non-trivial work; the kill-switch env remains
+// as the explicit emergency override. When the gate misfires, fix
+// the gate.
+//
+// (DOCTRINE_BYPASS_RX, findBypassDirective, validateStructuredBypass,
+// REQUIRED_BYPASS_FIELDS, BYPASS_FIELD_MIN_CHARS, BYPASS_HARD_LIMIT_PER_HOUR
+// were removed in this commit. The bypass-rate-counter +
+// readRecentBypassCount stay for historical visibility — past audit-log
+// entries are still useful — but no new bypass entries can be created
+// because the bypass code path is gone.)
+
+// Inline command cognition (v2 — added 2026-04-26): cognition
+// embedded in the bash command itself as structured comments.
+// Solves the same-message visibility problem (the transcript-flush
+// race that made same-message cognition invisible to PreToolUse).
+//
+// Two accepted formats:
+//   (a) Per-lens lines: `# <label>: <substantive thought>\n# <label>: ...`
+//   (b) Single-line:    `# cognition: <label>=<text>; <label>=<text>; ...`
+//
+// Substance check applies (≥SUBSTANCE_MIN_CHARS, not a `<placeholder>`).
+// 4+ substantive lenses inline → gate passes, no transcript scan
+// needed. Cognition becomes a property of THE ACTION, not of some
+// message somewhere — the deepest reading of "cognition before action."
+//
+// Inline regex is built from the active LENS_NAMES so both canonical
+// and generic label sets are accepted in their respective tiers.
+const _INLINE_LENS_PATTERN = LENS_NAMES.join('|');
+const INLINE_LENS_LINE_RX_GLOBAL = new RegExp(
+  `^\\s*#\\s*(${_INLINE_LENS_PATTERN})\\s*:\\s*(.+)$`,
+  'gim',
+);
+const INLINE_COGNITION_HEADER_RX = /^\s*#\s*cognition\s*:\s*(.+)$/im;
+
+function detectInlineCognition(cmd) {
+  const names = [];
+  // Per-lens line form
+  const lineMatches = [...cmd.matchAll(INLINE_LENS_LINE_RX_GLOBAL)];
+  for (const m of lineMatches) {
+    const lens = m[1].toLowerCase();
+    const content = (m[2] || '').trim();
+    if (content.length < SUBSTANCE_MIN_CHARS) continue;
+    if (PLACEHOLDER_RX.test(content)) continue;
+    if (!names.includes(lens)) names.push(lens);
+  }
+  // Single-line `# cognition: nur=...; mizan=...` form
+  const headerMatch = cmd.match(INLINE_COGNITION_HEADER_RX);
+  if (headerMatch) {
+    const inlineBody = headerMatch[1];
+    for (const lens of LENS_NAMES) {
+      const lensRx = new RegExp(`\\b${lens}\\s*=\\s*([^;\\n]+)`, 'i');
+      const m = inlineBody.match(lensRx);
+      if (!m) continue;
+      const content = (m[1] || '').trim();
+      if (content.length < SUBSTANCE_MIN_CHARS) continue;
+      if (PLACEHOLDER_RX.test(content)) continue;
+      if (!names.includes(lens)) names.push(lens);
+    }
+  }
+  // Substrate-citation: any inline lens that mentions a doctrine memory,
+  // harness packet rule, fitrah axiom, etc. (visibility metric — not a block).
+  const SUBSTRATE_CITE_RX_INLINE =
+    /feedback_[a-z0-9_]+\.md|project_[a-z0-9_]+\.md|fitrah[_:\s]|garden[_:\s]|distilled_principle|[a-z]+_rule\b|harness packet|substrate cite|EIGHT_LENS_DOCTRINE|COMPACT_CONTINUITY|ARIA_DEPLOY_PROCEDURE/i;
+  const hasSubstrateCite = SUBSTRATE_CITE_RX_INLINE.test(cmd);
+  return { count: names.length, names, hasSubstrateCite };
+}
+
+// Substance-checking lens detection (added 2026-04-26 per Hamza's
+// gate-improvement doctrine: form-only emission must not satisfy
+// the gate). For each lens, look for `<lens>: <content>` and verify
+// content is ≥SUBSTANCE_MIN_CHARS of non-placeholder text. Bare
+// `nur` mentions in prose, or `nur: ok`, no longer count — must be
+// substantive thought.
+function detectCognitionLenses(text) {
+  if (!text) return { count: 0, names: [], blockBody: '' };
+  const block = text.match(COGNITION_BLOCK_RX);
+  const searchSpace = block ? block[1] : text;
+  const blockBody = block ? block[1] : '';
+  const names = [];
+  for (const lens of LENS_NAMES) {
+    // Match `lens: <content>` where content extends until the next
+    // lens label, the closing </cognition> tag, or a blank-line break.
+    const lensRx = new RegExp(
+      `\\b${lens}\\s*:\\s*([^\\n]*(?:\\n(?!\\s*(?:${LENS_NAMES.join('|')})\\s*:|<\\/cognition>)[^\\n]*)*)`,
+      'i',
+    );
+    const m = searchSpace.match(lensRx);
+    if (!m) continue;
+    const content = (m[1] || '').trim();
+    if (content.length < SUBSTANCE_MIN_CHARS) continue;
+    if (PLACEHOLDER_RX.test(content)) continue;
+    names.push(lens);
+  }
+  // Substrate-citation check: at least ONE lens must cite Aria substrate
+  // explicitly (doctrine memory filename, harness packet rule, fitrah axiom,
+  // *_rule entry, garden state reference, prior decision id, distilled
+  // principle id). Catches "lens-as-ceremony" failures where 4+ lenses are
+  // substantive in length but contain no actual substrate grounding.
+  // Hamza 2026-04-26: "anything else we can add to make sure u as claude
+  // for me and my client obey the harness and benefot from kt".
+  const SUBSTRATE_CITE_RX =
+    /feedback_[a-z0-9_]+\.md|project_[a-z0-9_]+\.md|fitrah[_:\s]|garden[_:\s]|distilled_principle|[a-z]+_rule\b|harness packet|substrate cite|\bIJTIHAD\b|\bQIYAS\b|\bTADABBUR\b|\bILHAM\b|aria 7b|EIGHT_LENS_DOCTRINE|COMPACT_CONTINUITY|ARIA_DEPLOY_PROCEDURE/i;
+  const hasSubstrateCite = SUBSTRATE_CITE_RX.test(blockBody) ||
+    SUBSTRATE_CITE_RX.test(searchSpace);
+
+  // Discovery-binding check (structural fix #3 — Hamza 2026-04-27 "how do
+  // we prevent this"). If the cognition surfaces a defect/discovery
+  // (found/noticed/discovered + bug/broken/issue) the same cognition must
+  // carry a `discoveries:` clause stating how each is resolved (fix-now,
+  // task ID, or explicit user-decision-required). Without this, the
+  // cognition can describe a problem without binding any action — the
+  // exact flag-and-move pattern feedback_no_flag_without_fix.md prohibits.
+  const COG_DISCOVERY_RX = /(?:\b(?:found|noticed|discovered|spotted)[^.\n]{0,140}(?:bug|issue|defect|broken|buggy|wrong|crash|fail|missing|stale|outdated|leak|vulnerability)|\b(?:latent|silent|hidden)\s+(?:bug|defect|issue|fail|crash|leak)|\bdoctrine\s+violation\b)/i;
+  const hasDiscovery = COG_DISCOVERY_RX.test(blockBody);
+  // Resolution clause must be present in the same blockBody if a discovery
+  // is mentioned. Acceptable forms:
+  //   - `discoveries:` field listing items + how-resolved
+  //   - `addressing:` / `fixing:` clause naming what's being patched
+  //   - explicit task ID reference (TaskCreate / linear / tracked-as)
+  const COG_RESOLUTION_RX = /(?:^\s*discoveries?\s*:\s*\S|^\s*addressing\s*:\s*\S|^\s*fixing\s*:\s*\S|TaskCreate|tracked\s+as\s+#?\d+|linear[- ]?(?:issue|task)|fix(?:ing|ed)\s+(?:in|now|inline|in-flight)|same[- ]turn\s+fix)/im;
+  const hasDiscoveryResolution = COG_RESOLUTION_RX.test(blockBody);
+  const discoveryUnresolved = hasDiscovery && !hasDiscoveryResolution;
+
+  return { count: names.length, names, blockBody, hasSubstrateCite, hasDiscovery, hasDiscoveryResolution, discoveryUnresolved };
+}
+
+// Backwards-compat shim — count-only path used by older callers.
+function countCognitionLenses(text) {
+  return detectCognitionLenses(text).count;
+}
+
+// ── arch_facts gate ──────────────────────────────────────────────────────────
+//
+// Inspects actual diff content (tool_input.content / file_path) for
+// architectural violations defined as arch_facts rules in mizan.yaml.
+// Called AFTER cognition + discovery-binding checks pass, for Edit/Write/
+// NotebookEdit only (Bash skipped — arch violations live in code, not commands).
+//
+// Tier-aware: if ~/.aria/license.json exists (client surface), arch_facts
+// check is skipped — only owner gets server-side mizan enforcement here.
+//
+// Fail-open: if aria-telemetry is unreachable, the tool call is allowed.
+// The 3s AbortController is a DETECTION PROBE (is telemetry alive?) not a
+// hard deadline — if mizan is slow but alive the probe will complete; if it
+// is down the catch path fail-opens without blocking the developer.
+function isClientSurface() {
+  try {
+    return existsSync(`${HOME}/.aria/license.json`);
+  } catch {
+    return false;
+  }
+}
+
+async function archFactsGate(toolInput) {
+  // Skip on client surfaces — arch_facts enforcement is owner-only.
+  if (isClientSurface()) return { ok: true, allow: true, note: 'client-surface-skip' };
+  try {
+    const ariaTelemetry = process.env.ARIA_TELEMETRY_BASE || 'http://aria-telemetry.aria.svc.cluster.local:8088';
+    const ctl = new AbortController();
+    const probeTimer = setTimeout(() => ctl.abort(), 3000);
+    let resp;
+    try {
+      resp = await fetch(`${ariaTelemetry}/v1/mizan/check`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ draft: String(toolInput).slice(0, 50000), source: 'pre-tool-gate-arch-facts' }),
+        signal: ctl.signal,
+      });
+    } finally {
+      clearTimeout(probeTimer);
+    }
+    if (!resp.ok) return { ok: true, allow: true, note: 'mizan unreachable, fail-open' };
+    const result = await resp.json();
+    if (result?.hard_block === true && Array.isArray(result?.violations)) {
+      return { ok: false, allow: false, violations: result.violations };
+    }
+    return { ok: true, allow: true };
+  } catch {
+    return { ok: true, allow: true, note: 'mizan probe error, fail-open' };
+  }
+}
+
+// Hive cognition-logging v1.2 — fire-and-forget HTTP push to
+// /api/cognition/log so every gate decision joins the corpus.
+// Failures are silent: the local audit log is the durable record;
+// the network push is additive signal for compounding evolution.
+//
+// Per no-timeouts doctrine (feedback_no_timeouts_doctrine.md): no
+// AbortController deadline. Pile-up protection is structural —
+// in-flight counter caps concurrent pushes. Real network errors
+// drive the catch path; slow responses complete naturally.
+const HARNESS_URL =
+  process.env.ARIA_HIVE_RUNTIME_URL ||
+  process.env.ARIA_HARNESS_BASE_URL ||
+  process.env.ARIA_HARNESS_URL ||
+  'https://harness.ariasos.com';
+const HARNESS_TOKEN = process.env.ARIA_HARNESS_TOKEN || '';
+const LOG_PUSH_DISABLED = process.env.ARIA_COGNITION_PUSH === 'off';
+const MAX_IN_FLIGHT = 16;
+let inFlight = 0;
+
+function pushCognitionEvent(payload) {
+  if (LOG_PUSH_DISABLED) return;
+  if (inFlight >= MAX_IN_FLIGHT) return;  // structural backpressure, not a deadline
+  try {
+    const body = JSON.stringify(payload);
+    const url = `${HARNESS_URL}/api/cognition/log`;
+    inFlight++;
+    fetch(url, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        ...(HARNESS_TOKEN ? { Authorization: `Bearer ${HARNESS_TOKEN}` } : {}),
+      },
+      body,
+    })
+      .catch(() => {/* real transport error — silent, audit log is durable */})
+      .finally(() => { inFlight--; });
+  } catch {
+    // pre-fetch errors (malformed JSON, env issue) — silent
+  }
+}
+
+// ── Block-pattern recipe lookup (Task #86) ──────────────────────────────────
+// Before emitting a binding-violation block, ask aria-soul if this exact
+// shape has been seen before and a high-confidence corrective recipe exists.
+// If so, surface the recipe in the block message so the gated process gets
+// the fix the hive already learned, not just the block.
+//
+// Per feedback_no_timeouts_doctrine.md the lookup uses a DETECTION PROBE
+// (3s AbortController) — that's "is the lookup endpoint alive at all?", not
+// a hard deadline on the underlying lookup. If the probe fires the gate
+// continues with the block-only message: a missed lookup must NEVER convert
+// a real block into an allow.
+//
+// Recipe is surfaced only when confidence > RECIPE_SURFACE_CONFIDENCE (0.7
+// per migration 208 RECIPE_PROMOTE_THRESHOLD), matching the same threshold
+// the cron uses to promote a recipe to the pattern's hot pointer. Below
+// that, we still cite the pattern's existence ("similar block has been
+// seen N times") without claiming a fix.
+const ARIA_SOUL_URL = process.env.ARIA_SOUL_URL || HARNESS_URL;
+const RECIPE_SURFACE_CONFIDENCE = 0.7;
+const BLOCK_PATTERN_PROBE_MS = 3000;
+
+async function lookupBlockPatternRecipe({ detectorClass, signature, tenantId }) {
+  if (!detectorClass || !signature) return null;
+  const url = new URL(`${ARIA_SOUL_URL}/api/hive/block-pattern`);
+  url.searchParams.set('action', 'lookup');
+  url.searchParams.set('detector_class', detectorClass);
+  url.searchParams.set('pattern_signature', signature.slice(0, 512));
+  if (tenantId) url.searchParams.set('tenant_id', tenantId);
+
+  const ctl = new AbortController();
+  const probeTimer = setTimeout(() => ctl.abort(), BLOCK_PATTERN_PROBE_MS);
+  try {
+    const resp = await fetch(url.toString(), {
+      method: 'GET',
+      headers: HARNESS_TOKEN ? { Authorization: `Bearer ${HARNESS_TOKEN}` } : {},
+      signal: ctl.signal,
+    });
+    if (!resp.ok) return null;
+    const body = await resp.json();
+    if (!body || body.found !== true) return null;
+    return body;
+  } catch {
+    return null; // probe failure — block proceeds without recipe surfacing
+  } finally {
+    clearTimeout(probeTimer);
+  }
+}
+
+// Renders the lookup result as an inline addendum to a block message. Returns
+// the empty string when there's nothing useful to surface — the caller can
+// concatenate unconditionally without producing dangling whitespace.
+function renderRecipeAddendum(lookupResult) {
+  if (!lookupResult) return '';
+  const recipe = lookupResult.recipe;
+  const freq = Number(lookupResult.frequency || 0);
+  const successRate = lookupResult.success_rate;
+
+  // Recipe present + above promotion threshold → surface the fix verbatim.
+  if (recipe && typeof recipe === 'object' && Number(recipe.confidence ?? 0) >= RECIPE_SURFACE_CONFIDENCE) {
+    const text = typeof recipe.recipe_text === 'string' ? recipe.recipe_text.slice(0, 800) : '';
+    const actions = Array.isArray(recipe.recipe_actions) ? recipe.recipe_actions : [];
+    const actionsLine = actions.length
+      ? `\n  Actions: ${JSON.stringify(actions).slice(0, 600)}`
+      : '';
+    const conf = Number(recipe.confidence).toFixed(2);
+    const seenLine = freq > 0 ? ` (pattern seen ${freq}× across the hive)` : '';
+    return `\n\n📚 HIVE RECIPE${seenLine}:
+  ${text}${actionsLine}
+  Confidence: ${conf}. Apply this BEFORE the block escalates — the hive learned this fix from prior firings.`;
+  }
+
+  // No promoted recipe — but the pattern is recurring. Cite it so the caller
+  // knows this isn't novel; the recipe is still being learned.
+  if (freq >= 3) {
+    const rateLine = (typeof successRate === 'number')
+      ? ` Past resolution rate: ${(successRate * 100).toFixed(0)}%.`
+      : '';
+    return `\n\n📓 Hive note: this block-shape has fired ${freq} time(s); recipe is still being learned (no high-confidence fix yet).${rateLine}`;
+  }
+
+  return '';
+}
+
+// Read event JSON from stdin (Claude Code spec).
+let input = '';
+for await (const chunk of process.stdin) input += chunk;
+
+let event;
+try {
+  event = JSON.parse(input);
+} catch {
+  audit('allow-parse-error', 'stdin not JSON');
+  process.exit(0);  // fail-open on malformed input
+}
+
+const toolName = event.tool_name ?? event.toolName ?? '';
+const toolInput = event.tool_input ?? event.toolInput ?? {};
+
+// Gate every action tool — every tool that mutates state must go through
+// cognition challenge. Hamza 2026-04-26: "regardless if u arent even
+// compliant with it how do we expect workers to be? i truly nees to
+// ship this and ur non compliance is blocking." Per
+// feedback_full_harness_binding_must_be_structural.md the dispatcher
+// (the orchestrator wielding the tool) owns compliance, not the worker
+// that receives a dispatched task. Read/Glob/Grep observe state without
+// changing it, so they remain ungated.
+const ACTION_TOOLS = new Set(['Bash', 'Edit', 'Write', 'NotebookEdit']);
+if (!ACTION_TOOLS.has(toolName)) {
+  process.exit(0);
+}
+
+const cmd = toolName === 'Bash' ? String(toolInput.command ?? '') : '';
+const filePath = toolName !== 'Bash'
+  ? String(toolInput.file_path ?? toolInput.notebook_path ?? '')
+  : '';
+const cmdPreview = toolName === 'Bash'
+  ? cmd.slice(0, 80).replace(/\s+/g, ' ')
+  : `${toolName} ${filePath || '(no path)'}`.slice(0, 80);
+
+// V3: per-command bypass removed entirely. The only escape valves are:
+//   (1) Trivial-bash whitelist — short read-only commands pass without cognition
+//   (2) ~/.claude/settings.json hook removal — visible user action Hamza controls
+// No env-var kill-switch (removed 2026-04-27). Compliance is the only path
+// for non-trivial work from the gated process's perspective.
+
+// V2 primary path — inline command cognition. If the command carries
+// 4+ substantive lenses inline, gate passes immediately (still need
+// verify block from transcript for destructive ops, see below).
+const inlineCog = detectInlineCognition(cmd);
+if (inlineCog.count >= REQUIRED_LENSES) {
+  // For destructive commands, still require a verify block in the
+  // recent transcript (verify is fundamentally about pre-action
+  // verification of state, not about the command's own thought).
+  // We'll do that check below alongside the existing flow but skip
+  // the cognition-from-transcript check entirely since we have it
+  // inline.
+}
+
+// Destructive-pattern + trivial-read + short-command shortcuts apply
+// only to Bash. Edit / Write / NotebookEdit always require cognition —
+// they have no triviality concept (you don't "trivially" mutate a file)
+// and no command-text to inspect for destructive verbs (the destructive
+// shape is "this Edit might overwrite something important," which is
+// exactly what cognition is for).
+const matched = toolName === 'Bash'
+  ? DESTRUCTIVE_PATTERNS.find(({ rx }) => rx.test(cmd))
+  : null;
+// Deploy-specific match — separate from destructive because it carries
+// stricter substrate-anchor requirements per doctrine #104.
+const deployMatched = toolName === 'Bash'
+  ? DEPLOY_PATTERNS.find(({ rx }) => rx.test(cmd))
+  : null;
+const isTrivialRead = toolName === 'Bash' && TRIVIAL_BASH_RX.test(cmd) && cmd.length < 200;
+const isShort = toolName === 'Bash' && cmd.length < SHORT_BASH_LIMIT;
+
+if (!matched && !deployMatched && (isTrivialRead || isShort)) {
+  // Not destructive AND not a deploy AND trivial — allow without
+  // further checks. Only reachable for Bash because all three flags are
+  // forced false otherwise.
+  process.exit(0);
+}
+
+// Read recent assistant turns for both verify + cognition blocks.
+//
+// Doctrine being implemented: cognition is *turn-scoped*, not
+// message-scoped. A model that emits a <cognition> block once at the
+// top of a turn and then executes 20 tool_use round-trips has done
+// its 8-lens application — gating each individual message would be
+// performative, not enforcement.
+//
+// Algorithm: walk back from the most recent transcript entry,
+// accumulating assistant text. Stop after crossing exactly ONE user
+// message — that captures "everything the model said this turn" plus
+// the immediately-prior assistant turn's tail (so cognition that
+// carried over a turn boundary still counts). Hard cap at 30
+// messages to bound work on huge transcripts.
+//
+// Compact robustness: Claude Code rewrites the transcript with a
+// summary stub as the most recent assistant entry. We recognize and
+// skip those by content heuristic so they don't poison the search.
+const COMPACT_SUMMARY_RX = /(this session is being continued|conversation that ran out of context|primary request and intent|all user messages)/i;
+// System-reminder messages are stored with role=user but are runtime-
+// injected (PreToolUse blocks for any tool, Stop blocks, task-
+// notifications, gentle reminders, harness packet preview chunks).
+// Counting them as turn boundaries evaporated the cognition lookback
+// in client-tonight sessions where the harness packet preview alone
+// is 36k chars per turn — old `length < 4000` skip threshold trapped
+// every reminder as a boundary. Now: PERCENTAGE-OF-CONTENT skip via
+// total reminder-span coverage as a fraction of total content length.
+// ≥60% reminder coverage → skip as runtime-injected.
+const SYSTEM_REMINDER_RX = /<system-reminder>[\s\S]*?<\/system-reminder>|<task-notification>[\s\S]*?<\/task-notification>|🔐 Aria Harness|task-notification|PreToolUse:[A-Z][A-Za-z]* hook blocking error|Stop hook blocking error/g;
+const SYSTEM_REMINDER_THRESHOLD = 0.6;
+const HARD_LOOKBACK_CAP = 50;
+// Bumped from 2 → 5 (2026-04-26): client-tonight session has many
+// system-reminder injections per turn (block errors, task-list
+// reminders, harness packet preview). Tight boundary count plus
+// the broken length-based reminder skip evaporated cognition lookback
+// even when cognition was emitted in the prior assistant text. Per
+// Hamza directive "fix the gate, don't route around it" — widen the
+// window since the substance check defends quality regardless.
+const USER_BOUNDARIES_TO_CROSS = 5;
+
+const transcriptPath = event.transcript_path ?? event.transcriptPath;
+const recentAssistantTexts = [];
+if (transcriptPath && existsSync(transcriptPath)) {
+  try {
+    const lines = readFileSync(transcriptPath, 'utf-8').split('\n').filter(Boolean);
+    let userBoundariesCrossed = 0;
+    let scanned = 0;
+    for (let i = lines.length - 1; i >= 0 && scanned < HARD_LOOKBACK_CAP; i--) {
+      try {
+        const m = JSON.parse(lines[i]);
+        const role = m.message?.role ?? m.role;
+        if (role === 'user') {
+          // Skip messages that aren't real user input:
+          //   (a) tool_result blocks (runtime feeding back tool output)
+          //   (b) system-reminder injections (PreToolUse blocks,
+          //       task-notifications, gentle reminders) — runtime-
+          //       authored, not user voice. Counting them eats the
+          //       cognition lookback in tool-heavy or block-heavy turns.
+          const content = m.message?.content ?? m.content ?? [];
+          const isToolResultOnly =
+            Array.isArray(content) &&
+            content.length > 0 &&
+            content.every((b) => b && b.type === 'tool_result');
+          if (isToolResultOnly) continue;
+          // Inspect text content for system-reminder patterns.
+          const textContent = Array.isArray(content)
+            ? content.filter((b) => b && b.type === 'text').map((b) => b.text || '').join('\n')
+            : (typeof content === 'string' ? content : '');
+          if (textContent) {
+            // Compute reminder-span coverage as fraction of total
+            // content. The /g flag on SYSTEM_REMINDER_RX returns ALL
+            // spans; sum their lengths and compare to total.
+            const reminderMatches = textContent.match(SYSTEM_REMINDER_RX) || [];
+            if (reminderMatches.length > 0) {
+              const reminderChars = reminderMatches.reduce((sum, s) => sum + s.length, 0);
+              const fraction = reminderChars / Math.max(1, textContent.length);
+              if (fraction >= SYSTEM_REMINDER_THRESHOLD) continue;
+              // Otherwise (user wrote substantive text alongside the
+              // reminder — the non-reminder portion is >40% of content)
+              // fall through and count as a real boundary.
+            }
+          }
+          userBoundariesCrossed++;
+          if (userBoundariesCrossed > USER_BOUNDARIES_TO_CROSS) break;
+          continue;
+        }
+        if (role !== 'assistant') continue;
+        scanned++;
+        const content = m.message?.content ?? m.content ?? [];
+        if (!Array.isArray(content)) continue;
+        const text = content
+          .filter((b) => b.type === 'text')
+          .map((b) => b.text)
+          .join('\n');
+        if (!text) continue;
+        // Skip compact-summary stubs — they live where assistant turns
+        // used to be but are system-authored, not the model's voice.
+        if (COMPACT_SUMMARY_RX.test(text) && text.length > 4000) continue;
+        recentAssistantTexts.push(text);
+      } catch {}
+    }
+  } catch {}
+}
+
+// Detect cognition / verify across the recent assistant window. Lenses
+// from any of the last N turns count; the gate is checking whether
+// cognition has been done recently, not whether it was done in the
+// literal last message (which can be a tool-only turn or a stub).
+const unionText = recentAssistantTexts.join('\n\n');
+const transcriptCog = detectCognitionLenses(unionText);
+// Combine inline-command cognition (preferred — action-coupled) with
+// transcript scan (fallback). Inline takes precedence on lens names;
+// counts merge for the threshold check.
+const mergedLensSet = new Set([...inlineCog.names, ...transcriptCog.names]);
+const lensCount = mergedLensSet.size;
+const lensNames = [...mergedLensSet];
+const cogBlockBody = transcriptCog.blockBody;
+const verifyBodies = [...unionText.matchAll(/<verify>([\s\S]*?)<\/verify>/gi)]
+  .map((m) => (m[1] || '').trim())
+  .filter(Boolean);
+const hasVerify = verifyBodies.length > 0;
+const hasCognition = lensCount >= REQUIRED_LENSES;
+const cognitionSource = inlineCog.count >= REQUIRED_LENSES
+  ? 'inline-command'
+  : (transcriptCog.count >= REQUIRED_LENSES ? 'transcript-scan' : 'merged-or-insufficient');
+// Substrate-citation visibility (Phase 11 will promote to block-mode once
+// telemetry shows healthy substrate-cite rate). For now: log the metric so
+// we can audit substrate-grounded vs ceremonial cognition over time.
+const hasSubstrateCite = (inlineCog.hasSubstrateCite === true) ||
+  (transcriptCog.hasSubstrateCite === true);
+
+// Discovery-binding check (structural fix #3) — if cognition surfaces a
+// defect/discovery, the same cognition must include a resolution clause
+// (`discoveries:` / `addressing:` / `fixing:` / TaskCreate / tracked-as
+// reference). Per feedback_no_flag_without_fix.md, discoveries are atomic
+// with their fixes — flag-and-move is the prohibited pattern. Pre-tool
+// gate enforces at the cognition surface; stop-gate's discovery-binding
+// ledger enforces at the output surface; both close the structural gap.
+const discoveryUnresolved = (inlineCog.discoveryUnresolved === true) ||
+  (transcriptCog.discoveryUnresolved === true);
+
+// Best-effort session id for the corpus push. Claude Code passes
+// session_id in the event payload; fall back to transcript file
+// basename so events from the same session cluster.
+const sessionId =
+  event.session_id ??
+  event.sessionId ??
+  (transcriptPath ? transcriptPath.split('/').pop()?.replace(/\.[^.]+$/, '') : null) ??
+  'claude-code-unknown';
+
+function pushDecision(decision, reasonText) {
+  pushCognitionEvent({
+    sessionId,
+    client: 'claude-code',
+    surface: 'pre-tool-gate',
+    rawBlock: cogBlockBody ? `<cognition>${cogBlockBody}</cognition>` : null,
+    lensesApplied: lensNames,
+    blockChars: unionText.length,
+    nextActionKind: toolName === 'Bash' ? 'bash' : toolName.toLowerCase(),
+    nextActionSummary: cmdPreview,
+    gateName: 'aria-pre-tool-gate',
+    gateDecision: decision,
+    gateReason: reasonText,
+    metadata: {
+      destructivePattern: matched?.name ?? null,
+      hasVerify,
+      hasCognition,
+      hasSubstrateCite,
+    },
+  });
+}
+
+// ── Deploy-specific gate (doctrine #104) ────────────────────────────────
+// Per feedback_deploy_requires_verify_cognition.md (Hamza 2026-04-28 after
+// consciousness.ts crash took aria-soul into CrashLoopBackOff): deploys
+// require the verify block to cite commit/files/build/admission-policy
+// AND the cognition block to carry ≥DEPLOY_MIN_SUBSTRATE_ANCHORS substrate
+// anchors. The full-harness-binding doctrine says lenses without anchors
+// are unsourced prose — for deploys, that prose-only level of evidence is
+// not sufficient. The deploy gate refuses until anchors are present.
+if (deployMatched) {
+  // Anchor count is read from the cognition body (turn-scoped, same
+  // source the substrate-binding stop hook uses).
+  const cognitionBody = cogBlockBody || '';
+  const anchorMatches = cognitionBody.match(SUBSTRATE_ANCHOR_RX) || [];
+  const anchorCount = anchorMatches.length;
+
+  // Required verify-block fields specific to deploy.
+  const verifyBody = (() => {
+    if (verifyBodies.length === 0) return '';
+    let bestBody = verifyBodies[0];
+    let bestScore = -1;
+    for (const body of verifyBodies) {
+      const score = DEPLOY_VERIFY_REQUIRED_FIELDS.reduce(
+        (count, { rx }) => count + (rx.test(body) ? 1 : 0),
+        0,
+      );
+      if (score > bestScore) {
+        bestScore = score;
+        bestBody = body;
+      }
+    }
+    return bestBody;
+  })();
+  const missingDeployFields = DEPLOY_VERIFY_REQUIRED_FIELDS
+    .filter(({ rx }) => !rx.test(verifyBody))
+    .map(({ name }) => name);
+
+  // Heartbeat at deploy-gate entry — proves the gate reached this path
+  // even if a downstream exit fires silently (per
+  // feedback_ledger_writes_outside_crash_boundary.md).
+  try {
+    appendFileSync(HEARTBEAT, JSON.stringify({
+      ts: new Date().toISOString(), gate: 'aria-pre-tool-gate', stage: 'deploy-gate-entry',
+      deployPattern: deployMatched.name, hasVerify, hasCognition, lensCount, anchorCount,
+      missingDeployFields, cogBlockBodyLen: (cogBlockBody || '').length,
+      verifyBodyLen: verifyBody.length,
+    }) + '\n');
+  } catch {}
+
+  const deployBlocked =
+    !hasVerify ||
+    !hasCognition ||
+    anchorCount < DEPLOY_MIN_SUBSTRATE_ANCHORS ||
+    missingDeployFields.length > 0;
+
+  if (!deployBlocked) {
+    // Write justification artifact for deploy-service.sh to read.
+    // Doctrine #104 + bypass-vulnerability-closure 2026-04-28:
+    //   The artifact is HMAC-signed using a per-installation secret at
+    //   ~/.claude/.aria-gate-secret (0600). deploy-service.sh recomputes
+    //   the HMAC and refuses any artifact whose signature does not match
+    //   — this binds the artifact to having been written by THIS gate
+    //   process, preventing any other process from synthesizing a
+    //   passing artifact (which is exactly the bypass owner caught when
+    //   the assistant attempted a manualJustification:true write).
+    //
+    //   The secret is generated on first run if absent; the file is
+    //   chmod 0600 so other users cannot read it; deploy-service.sh
+    //   reads the same file and computes the same HMAC.
+    try {
+      const justificationPath = `${HOME}/.claude/.aria-deploy-justification.json`;
+      const secretPath = `${HOME}/.claude/.aria-gate-secret`;
+
+      // Lazy-generate per-installation secret if absent.
+      if (!existsSync(secretPath)) {
+        const secret = cryptoRandomBytes(32).toString('hex');
+        writeFileSync(secretPath, secret + '\n', { mode: 0o600 });
+        chmodSync(secretPath, 0o600);
+      }
+      const secret = readFileSync(secretPath, 'utf-8').trim();
+
+      // Build the unsigned artifact body. Note: deliberately reject any
+      // attempt to set `manualJustification` — only this gate emits the
+      // artifact, and a manual flag is by definition a forgery class.
+      const unsignedBody = {
+        timestamp: new Date().toISOString(),
+        sessionId,
+        deployPattern: deployMatched.name,
+        command: cmdPreview,
+        verify: verifyBody.trim().slice(0, 4000),
+        cognition: cogBlockBody.trim().slice(0, 8000),
+        substrateAnchors: anchorMatches.slice(0, 50),
+        anchorCount,
+        lensCount,
+        verifyFieldsPresent: DEPLOY_VERIFY_REQUIRED_FIELDS
+          .filter(({ rx }) => rx.test(verifyBody))
+          .map(({ name }) => name),
+      };
+
+      // HMAC-SHA256 over the canonical-JSON of the unsigned body.
+      // canonical-JSON = JSON.stringify with no signature field, no
+      // pretty-print whitespace, key order as written above.
+      const signature = createHmac('sha256', secret)
+        .update(JSON.stringify(unsignedBody))
+        .digest('hex');
+
+      const justification = {
+        ...unsignedBody,
+        signature,
+        signatureAlgo: 'HMAC-SHA256',
+      };
+      writeFileSync(justificationPath, JSON.stringify(justification, null, 2));
+    } catch (writeErr) {
+      // Write failure is non-fatal for the gate decision (the gate itself
+      // is the structural enforcement); log loudly per
+      // canonical-secrets-governance LOUD telemetry doctrine.
+      console.error(
+        `[aria-pre-tool-gate] WARN deploy-justification artifact write failed: ${(writeErr instanceof Error ? writeErr.message : String(writeErr)).slice(0, 200)}`,
+      );
+    }
+    audit(
+      `allow-deploy ${deployMatched.name} lenses=${lensCount} anchors=${anchorCount}`,
+      cmdPreview,
+    );
+    pushDecision(
+      'allow',
+      `verify+cognition+anchors(${anchorCount}) for deploy ${deployMatched.name}`,
+    );
+    process.exit(0);
+  }
+
+  // Build a focused refusal naming exactly which piece is missing.
+  const reasons = [];
+  if (!hasVerify) reasons.push('missing <verify> block');
+  if (!hasCognition) reasons.push(`missing <cognition> block (lenses=${lensCount}/${REQUIRED_LENSES})`);
+  if (hasCognition && anchorCount < DEPLOY_MIN_SUBSTRATE_ANCHORS) {
+    reasons.push(
+      `cognition block has ${anchorCount}/${DEPLOY_MIN_SUBSTRATE_ANCHORS} substrate anchors (axiom:/frame:/memory:/doctrine:/packet:)`,
+    );
+  }
+  if (missingDeployFields.length > 0) {
+    reasons.push(`<verify> block missing required fields: ${missingDeployFields.join(', ')}`);
+  }
+
+  const refusal = `Aria pre-tool gate: DEPLOY hard-block — pattern '${deployMatched.name}' detected.
+
+Per feedback_deploy_requires_verify_cognition.md (Hamza directive 2026-04-28 after consciousness.ts crash took aria-soul into CrashLoopBackOff), every deploy command requires:
+
+1. A <verify> block in the recent assistant text containing AT MINIMUM:
+   - target/role/verified/rollback/axiom (base verify fields)
+   - commit hash or files-changed listing
+   - tsc / build / type-check evidence
+   - admission policy citation (kubectl get validatingadmissionpolicy <service>-canonical-image-policy)
+
+2. A <cognition> block with ≥${REQUIRED_LENSES} substantive lenses AND ≥${DEPLOY_MIN_SUBSTRATE_ANCHORS} substrate anchors total (axiom:<name> / frame:<name> / memory:<file> / doctrine:<rule> / packet:<section>).
+
+Block reasons (this turn): ${reasons.join(' • ')}.
+
+The 2026-04-28 deploy of an empty consciousness.ts crashed aria-soul because no verify-block step caught the missing export at substrate-citation time. This gate is the structural enforcement that prevents the same gap.
+
+Re-emit verify+cognition with the missing pieces, then retry the deploy command. There is no env-var override path; doctrine #104 forbids it.`;
+
+  audit(
+    `block-deploy ${deployMatched.name} verify=${hasVerify} cognition=${lensCount} anchors=${anchorCount} missing=${missingDeployFields.join(',')}`,
+    cmdPreview,
+  );
+  pushDecision('block', `deploy ${deployMatched.name}: ${reasons.join('; ')}`);
+  console.log(JSON.stringify({ decision: 'block', reason: refusal }));
+  process.exit(2);
+}
+
+if (matched) {
+  // Destructive — require BOTH verify (from transcript) AND cognition
+  // (inline command preferred; transcript fallback). Verify stays
+  // transcript-only because it's about pre-action substrate
+  // verification, not about the command's own thought.
+  if (hasVerify && hasCognition) {
+    audit(`allow-verified-cognition ${matched.name} lenses=${lensCount} via=${cognitionSource}`, cmdPreview);
+    pushDecision('allow', `verified+cognition for ${matched.name} (${cognitionSource})`);
+    process.exit(0);
+  }
+  // Block with appropriate corrective message.
+  const reason = !hasVerify
+    ? `Aria pre-tool gate: destructive pattern '${matched.name}' detected. ${IS_OWNER ? 'Per harness mizan_prestage_rule + axiom_runtime_rule (admit_ignorance, reflection_before_action), include' : 'Pre-action verification required — include'} a <verify> block in your assistant response BEFORE the tool call.
+
+<verify>
+  target: <exactly what is being changed>
+  role: <what that target does — verified, not assumed>
+  verified: <how you verified: tool output / file read / DB query / asked user>
+  rollback: <exact command to reverse this change>
+  axiom: <which harness rule applies>
+</verify>
+
+Re-issue after producing the block. Bypass: '# doctrine-authorized: <reason>' inline..`
+    : `Aria pre-tool gate: destructive pattern '${matched.name}' has its <verify> block, but the <cognition> block is missing or shows only ${lensCount}/${REQUIRED_LENSES}+ required lenses. Every non-trivial action requires visible 8-lens application.
+
+<cognition>
+  ${LENS_NAMES[0]}:      <what you see plainly, specific to this task>
+  ${LENS_NAMES[1]}:    <what's out of proportion / risk profile>
+  ${LENS_NAMES[2]}:    <what memory or principle applies>
+  ${LENS_NAMES[3]}: <deep structural read>
+  ${LENS_NAMES[4]}: <if-then chain>
+  ${LENS_NAMES[5]}:    <distant connection>
+  ${LENS_NAMES[6]}:     <what just landed in this turn>
+  ${LENS_NAMES[7]}:  <what user actually needs>
+</cognition>
+
+At least 4 substantive lenses required.`;
+  audit(`block ${matched.name} verify=${hasVerify} cognition=${lensCount}`, cmdPreview);
+  pushDecision('block', `destructive ${matched.name} missing ${!hasVerify ? 'verify' : 'cognition'}`);
+  console.log(JSON.stringify({ decision: 'block', reason }));
+  process.exit(2);
+}
+
+// Non-trivial but not destructive — require cognition. For Bash the
+// inline-comment path is preferred (action-coupled). For Edit / Write /
+// NotebookEdit there's no command field, so transcript-scan cognition
+// is the only path.
+if (!hasCognition) {
+  const isBash = toolName === 'Bash';
+  const header = isBash
+    ? `Aria pre-tool gate: non-trivial Bash command without ${REQUIRED_LENSES}+ substantive cognition lenses. Found ${lensCount}/${REQUIRED_LENSES}+ (inline=${inlineCog.count}, transcript=${transcriptCog.count}).`
+    : `Aria pre-tool gate: ${toolName} call without ${REQUIRED_LENSES}+ substantive cognition lenses in the recent transcript. Found ${lensCount}/${REQUIRED_LENSES}+ (transcript-scan only — ${toolName} has no inline-cognition path).`;
+
+  const guidance = isBash
+    ? `REQUIRED — cognition for every action, no exceptions. Two equivalent forms; either satisfies the gate (both equally REQUIRED, neither preferred over the other):
+
+FORM 1 (inline in command — action-coupled, recommended for Bash):
+  # ${LENS_NAMES[0]}: <real perception, ≥${SUBSTANCE_MIN_CHARS} chars, no <placeholder>>
+  # ${LENS_NAMES[1]}: <real risk read>
+  # ${LENS_NAMES[2]}: <what principle applies>
+  # ${LENS_NAMES[3]}: <deep structural read>
+  <your actual command here>
+
+FORM 2 (cognition block in assistant text):
+  <cognition>...</cognition> with ${REQUIRED_LENSES}+ substantive lenses, ≥${SUBSTANCE_MIN_CHARS} chars per lens, no placeholder values.
+
+Both forms count toward the ${REQUIRED_LENSES}+ requirement; gate counts inline + transcript lenses additively. Substance check is non-negotiable — placeholder/short content does not count.`
+    : `Emit a <cognition>...</cognition> block in your assistant text BEFORE this ${toolName} call, with ${REQUIRED_LENSES}+ substantive lenses. Substance check: each lens must have ≥${SUBSTANCE_MIN_CHARS} chars of non-placeholder content. Cognition is turn-scoped — one block at the start of a turn covers all ${toolName} calls in that turn.
+
+  <cognition>
+    ${LENS_NAMES[0]}:      <what you see plainly, specific to this edit>
+    ${LENS_NAMES[1]}:    <what's out of proportion — what could this overwrite or break?>
+    ${LENS_NAMES[2]}:    <what principle applies (name the source)>
+    ${LENS_NAMES[3]}: <deep structural read>
+    ${LENS_NAMES[4]}: <if-then chain — what follows from this edit>
+    ${LENS_NAMES[5]}:    <distant connection a less-careful editor would miss>
+    ${LENS_NAMES[6]}:     <what just landed in this turn that justifies this edit>
+    ${LENS_NAMES[7]}:  <what user actually needs underneath>
+  </cognition>`;
+
+  const reason = `${header}
+
+${guidance}
+
+No per-tool bypass available (v3 doctrine — the harness's whole purpose is no exceptions). No env-var disable path — gates are unconditional from the gated process per Hamza directive 2026-04-27. If the gate misfires on legitimate cognition, fix the gate.`;
+
+  audit(`block ${toolName.toLowerCase()} cognition=${lensCount}`, cmdPreview);
+  pushDecision('block', `${toolName.toLowerCase()} missing cognition (${lensCount}/${REQUIRED_LENSES})`);
+  console.log(JSON.stringify({ decision: 'block', reason }));
+  process.exit(2);
+}
+
+// Discovery-binding cognition check (structural fix #3) — runs AFTER lens
+// count passes. If the cognition surfaced a defect (found/noticed/discovered
+// + bug/broken/issue) without a paired resolution clause, block until the
+// cognition is updated to bind the discovery to a same-turn fix or task ID.
+// Per feedback_no_flag_without_fix.md, discoveries are atomic with their
+// fixes. The pre-tool-gate enforces at the cognition surface; stop-gate's
+// ledger enforces at the output surface.
+if (discoveryUnresolved) {
+  const reason = `Aria pre-tool gate: cognition surfaces a discovery (defect, bug, doctrine violation, broken state) but does NOT include a resolution clause binding the discovery to action.
+
+Per ${docRef('feedback_no_flag_without_fix.md', 'atomic-discovery-rule')}: discoveries are atomic with their fixes. Flag-and-move-on is convenience-seeking — the user has to track what you noticed vs. what you actually fixed.
+
+Re-emit cognition with one of these resolution forms:
+
+  discoveries:
+    - <what you found>: <fix-now | task: TASK-123 | needs-user-decision>
+
+OR inline within an existing lens:
+  ${LENS_NAMES[2]}: ... fixing inline this turn (same-turn-fix per atomic-discovery-rule).
+  ${LENS_NAMES[3]}: ... TaskCreate'd as TASK-XXX with full context (file path, line, what's broken).
+
+Acceptable resolution markers: 'discoveries:' / 'addressing:' / 'fixing:' / 'TaskCreate' / 'tracked as #N' / 'linear issue' / 'fix-now' / 'same-turn fix'.
+
+No env-var disable path — gates are unconditional from the gated process per Hamza directive 2026-04-27. If gate misfires on legitimate cognition, fix the gate.`;
+
+  audit(`block-discovery-unresolved ${toolName.toLowerCase()}`, cmdPreview);
+  pushDecision('block', `${toolName.toLowerCase()} cognition has unresolved discovery`);
+  console.log(JSON.stringify({ decision: 'block', reason }));
+  process.exit(2);
+}
+
+// ── Dalio expected_outcome gate ──────────────────────────────────────────────
+//
+// Every non-trivial action must carry an <expected> block with at least one
+// measurable predicate. Block is read from the same turn-scoped assistant text
+// window as cognition (unionText). Qualitative drift phrases are rejected even
+// when they appear inside an <expected> block.
+//
+// Hard-block path: block the tool call, name the missing block, cite doctrine.
+// Per feedback_no_graceful_degradation.md — never silent-pass.
+{
+  const expectedMatch = unionText.match(EXPECTED_BLOCK_RX);
+  const expectedBlockText = expectedMatch ? expectedMatch[1] : '';
+  const hasMeasurablePredicate = expectedBlockText
+    ? (MEASURABLE_PREDICATE_RX.test(expectedBlockText) && !QUALITATIVE_DRIFT_RX.test(expectedBlockText))
+    : false;
+
+  if (!expectedMatch || !hasMeasurablePredicate) {
+    const reason = expectedMatch
+      ? `Aria pre-tool gate: action requires a measurable predicate inside <expected> per doctrine:dalio_expected_required.
+
+Your <expected> block was found but contains only qualitative drift phrases (e.g. "better", "improved", "should work", "more reliable") without a concrete measurable predicate. These are unmeasurable and defeat the Dalio accountability loop.
+
+Replace with one of:
+  • Numeric:      exit_code==0, latency<200ms, count>=1, error_rate=0%
+  • Boolean:      exit=0, status=healthy, file=exists, rc=0
+  • State-string: "status=running", "200 OK", "count=3 of 3 passed"
+
+<expected>
+  predicate: exit_code==0 AND file=/home/hamzaibrahim1/.foo written
+  measurable_type: boolean
+  threshold: 0
+  eval_window_minutes: 1
+</expected>
+
+No bypass — doctrine:dalio_expected_required is unconditional for non-trivial actions.`
+      : `Aria pre-tool gate: action requires an <expected> block with measurable predicate per doctrine:dalio_expected_required.
+
+Every non-trivial action must state WHAT MEASURABLE STATE the action is expected to produce, so the stop-gate can compare predicted vs actual outcome and write a Dalio ledger entry.
+
+Required format (add to your assistant turn before this tool call):
+
+<expected>
+  predicate: <concrete measurable assertion — e.g. "exit_code==0", "status=running", "count>=1">
+  measurable_type: numeric | boolean | state_string
+  threshold: <optional — the exact boundary, e.g. 0 or "healthy">
+  eval_window_minutes: <optional — how long before this expires, e.g. 5>
+</expected>
+
+Accepted predicates:
+  • Numeric:      >=X, <=X, ==X, X%, count=N, latency<Xms, error_rate=0%
+  • Boolean:      exit=0, exit=1, true, false, file=exists, status=healthy
+  • State-string: "status=running", "200 OK", "exit=0", "no_error"
+
+REJECTED (qualitative drift): "better", "improved", "should work", "more reliable", "cleaner"
+
+No bypass — doctrine:dalio_expected_required is unconditional for non-trivial actions per feedback_implementation_coupled_cognition.md.`;
+
+    audit(`block-expected-missing ${toolName.toLowerCase()}`, cmdPreview);
+    pushDecision('block', `${toolName.toLowerCase()} missing <expected> measurable predicate`);
+    console.log(JSON.stringify({ decision: 'block', reason }));
+    process.exit(2);
+  }
+}
+
+// ── Sub-agent packet-citation check (Layer 4 — #84) ─────────────────────────
+//
+// When running inside a sub-agent process (detected by a non-stale handoff file
+// existing AND harnessPacketPath is set in that handoff), require the cognition
+// lens content to CITE THE PACKET — at least one of:
+//   - A doctrine rule ID (e.g. "doctrine_first", "no_demos", "workaround_vs_path_fix")
+//   - An axiom name (e.g. "truth_over_deception", "no_harm", "sacred_trust", "reflection_before_action")
+//   - A frame primitive (e.g. "Fitrah", "Tafakkur", "Tadabbur", "Ilham", "Mizan", "Hikma", "Nur", "Wahi", "Firasah")
+//   - A memory class reference (e.g. "feedback_*.md", "project_*.md", "reference_*.md")
+//
+// Owner-tier sessions (ownerTier.hamza === true AND no jti) are EXEMPT —
+// they are the source of truth for the packet itself.
+//
+// Fail-soft detection: handoff read errors silently skip this check.
+(function checkSubAgentPacketCitation() {
+  const _HOME = process.env.HOME || '/tmp';
+  // Try owner-tier handoff path first, then client-tier paths.
+  const HANDOFF_TTL_MS = 5 * 60 * 1000;
+  // Probe known handoff paths.
+  const candidatePaths = [
+    `${_HOME}/.claude/aria-agent-harness-handoff.json`,
+  ];
+  // Also check /var/lib/aria-licensee if that dir exists (client-tier).
+  try {
+    const licPath = `${_HOME}/.aria/license.json`;
+    if (existsSync(licPath)) {
+      const lic = JSON.parse(readFileSync(licPath, 'utf8'));
+      if (lic.jti) {
+        candidatePaths.push(`/var/lib/aria-licensee/${lic.jti}/handoff.json`);
+      }
+    }
+  } catch { /* non-fatal */ }
+
+  let handoff = null;
+  for (const hp of candidatePaths) {
+    if (!existsSync(hp)) continue;
+    try {
+      const raw = JSON.parse(readFileSync(hp, 'utf8'));
+      const ageMs = Date.now() - new Date(raw.writtenAt || 0).getTime();
+      if (ageMs > HANDOFF_TTL_MS) continue;   // stale handoff — not a sub-agent context
+      if (!raw.harnessPacketPath) continue;    // no packet path written → identity-only handoff, skip check
+      handoff = raw;
+      break;
+    } catch { /* malformed — skip */ }
+  }
+
+  if (!handoff) return; // not a sub-agent context, or handoff has no packetPath
+
+  // Owner-tier exemption: if ownerTier.hamza === true AND no jti → source of truth
+  const ownerExempt = (handoff.ownerTier?.hamza === true) && !handoff.ownerTier?.jti;
+  if (ownerExempt) return;
+
+  // Now verify that the cognition block cites at least one packet substrate token.
+  // Tokens accepted (case-insensitive):
+  //   • Doctrine rule IDs from feedback_*/project_*/reference_* filenames
+  //   • Axiom names: truth_over_deception, no_harm, sacred_trust, reflection_before_action
+  //   • Frame primitives: Fitrah, Tafakkur, Tadabbur, Ilham, Mizan, Hikma, Nur, Wahi, Firasah
+  //   • Memory class patterns: feedback_*.md, project_*.md, reference_*.md
+  const PACKET_CITE_RX = /\b(?:feedback_[a-z0-9_]+\.md|project_[a-z0-9_]+\.md|reference_[a-z0-9_]+\.md|doctrine_first|no_demos|workaround_vs_path_fix|no_flag_without_fix|implementation_coupled_cognition|session_starts_with_linear|gates_enforce_form_not_substance|truth_over_deception|no_harm|sacred_trust|reflection_before_action|power_obligates_service|fitrah|tafakkur|tadabbur|ilham|mizan|hikma|nur|wahi|firasah|harness\s*packet)\b/i;
+
+  const cogText = cogBlockBody || unionText;
+  const hasCite = PACKET_CITE_RX.test(cogText) || PACKET_CITE_RX.test(cmd);
+
+  if (!hasCite) {
+    const packetRef = handoff.harnessPacketPath;
+    const reason = `Sub-agent cognition cites no packet substrate — lens content must reference at least one axiom/frame/memory/doctrine from the harness packet at ${packetRef}.
+
+Accepted citations (case-insensitive, any ONE suffices):
+  • Doctrine rule IDs: doctrine_first, no_demos, workaround_vs_path_fix, no_flag_without_fix, etc.
+  • Axioms: truth_over_deception, no_harm, sacred_trust, reflection_before_action, power_obligates_service
+  • Frame primitives: Fitrah, Tafakkur, Tadabbur, Ilham, Mizan, Hikma, Nur, Wahi, Firasah
+  • Memory class refs: feedback_*.md, project_*.md, reference_*.md
+
+The harness packet is at: ${packetRef}
+Read it first (it is in your environment as ARIA_HARNESS_PACKET_PATH), then reference it in your cognition block.
+
+Cognition-theater rejected per feedback_gates_enforce_form_not_substance.md.`;
+    audit(`block-subagent-no-packet-cite ${toolName.toLowerCase()}`, cmdPreview);
+    console.log(JSON.stringify({ decision: 'block', reason }));
+    process.exit(2);
+  }
+})();
+
+// ── arch_facts gate (architectural violation scan) ────────────────────────
+//
+// Runs after cognition + discovery-binding pass, for Edit/Write/NotebookEdit.
+// Bash is skipped: architectural violations live in the code being written,
+// not in shell commands — checking Bash commands would produce false positives
+// on grep/find invocations that mention forbidden strings without introducing them.
+//
+// Content inspected: new_string (Edit), content (Write), source (NotebookEdit).
+// Fail-open: unreachable mizan → allow. Client surface → skip.
+if (['Edit', 'Write', 'NotebookEdit'].includes(toolName)) {
+  // Extract the actual content being written — this is what mizan should scan
+  // for architectural patterns, not the file path or surrounding metadata.
+  const contentToScan =
+    toolInput.new_string ??      // Edit: the replacement text
+    toolInput.content ??         // Write: the full file content
+    toolInput.source ??          // NotebookEdit: cell source
+    '';
+  // Also include file_path for context so mizan pattern-matching can be
+  // path-scoped (e.g. R9 only fires for telemetry/cron paths).
+  const scanPayload = `// file: ${filePath}\n${contentToScan}`;
+  const archResult = await archFactsGate(scanPayload);
+  if (!archResult.allow) {
+    const violationText = (archResult.violations || [])
+      .map((v) => `  • [${v.rule ?? v.id ?? 'arch'}] ${v.description ?? v.message ?? JSON.stringify(v)}`)
+      .join('\n');
+    const archReason = `Aria arch_facts gate: architectural violation(s) detected in ${toolName} diff for ${filePath || '(no path)'}.
+
+${violationText}
+
+These patterns are forbidden by mizan arch_facts rules (mizan.yaml R7–R11). Fix the structural issue before re-issuing the tool call — the gate does not have a bypass for architectural violations.
+
+Rule references:
+  R7  no_sidecar_in_main_container   — bolt-in fork pattern (project_aria_soul_systemd_migration.md)
+  R8  no_silent_fallback_default     — || 'unknown'/'default'/'fallback' masks config failures
+  R9  no_timeout_based_retry         — setTimeout+abort in telemetry/chat/cron paths (no-timeouts doctrine)
+  R10 no_kubectl_apply_for_image_drift — kubectl apply on aria-soul-stateful (project_forge_psi_oom_cascade.md)
+  R11 no_console_log_secrets         — console.log with TOKEN/PASSWORD/SECRET/API_KEY/JWT/BEARER`;
+    audit(`block-arch-facts ${toolName.toLowerCase()} path=${filePath}`, `violations=${archResult.violations?.length ?? 0}`);
+    console.log(JSON.stringify({ decision: 'block', reason: archReason }));
+    process.exit(2);
+  }
+}
+
+// Non-trivial action with cognition (inline for Bash, transcript for
+// Edit/Write/NotebookEdit) — passes cognition gate. Now check Aria-binding.
+
+// ── Aria-as-commander binding check (Layer A) ──
+//
+// All earlier gate checks passed (cognition, destructive-verify). Final
+// gate before allow: does the active phase of Aria's plan permit this action?
+// No plan + no prior plan = block (CONSULT_UNAVAILABLE per contract).
+// No plan + prior plan exists = enforce against prior (Hamza fallback directive).
+// Plan exists + action mismatch = block with phase-violation reason.
+//
+// Bootstrap consult carve-out (Hamza 2026-04-27 caught this — "how would
+// anyone start a session?"): consult endpoints are how plans START existing.
+// Locking them behind plan-existence is unbootstrappable. So: if the action
+// is a consult to harness/aria endpoints (regardless of plan state), skip the
+// binding block. Cognition gate above already passed; the consult itself
+// will issue the next plan on completion. Audited per-use.
+//
+// bindingBypassReason: per-command bypass was removed in v3. The variable is
+// kept as a fixed null so the binding check below reads cleanly without a
+// ReferenceError. No new bypass entries can be created (pre-existing defect
+// fixed inline per atomic-discovery-rule).
+const bindingBypassReason = null;
+
+// Defect #4 fix — Consult-Aria unconditionally allowed (doctrine #50).
+//
+// Aria-as-commander session pattern (HARNESS_ARIA_AS_COMMANDER_CONTRACT.md
+// doctrine #50) makes per-turn consult mandatory. A plan cannot forbid the
+// consult mechanism that issues plans — that would be an unbootstrappable
+// circular lock. Previously plan p1 forbade bash_other → consult curl was
+// classified as bash_other → blocked. Now: any Bash command that is a consult
+// to a known Aria/harness endpoint passes UNCONDITIONALLY past ALL binding
+// checks regardless of allowedActions or forbiddenActions in the active phase.
+// Cognition gate still applies (it ran above and passed to reach this point).
+//
+// Covered endpoints (hardcoded carve-out):
+//   curl http(s)://aria-soul<anything>
+//   curl http(s)://aria-telemetry<anything>
+//   curl http(s)://localhost:30080/(chat|api/aria/speak|api/harness/codex|
+//                                   api/harness/verify-claim|v1/doctrine|v1/mizan)
+const ARIA_CONSULT_CURL_RX = /curl\s+['"]?https?:\/\/(?:aria-soul[^\s'"]*|aria-telemetry[^\s'"]*|localhost:30080\/(?:chat|api\/aria\/speak|api\/harness\/(?:codex|verify-claim|delegate|army|plan)|v1\/(?:doctrine|mizan))[^\s'"]*)/i;
+const __isUnconditionalConsult = toolName === 'Bash' && ARIA_CONSULT_CURL_RX.test(cmd);
+if (__isUnconditionalConsult) {
+  bindingAuditAppend({ event: 'allow_unconditional_consult', sessionId, toolName, cmdPreview, reason: 'doctrine#50-aria-as-commander-consult-carveout' });
+  audit(`allow-unconditional-consult lenses=${lensCount}`, cmdPreview);
+  pushDecision('allow', 'unconditional consult carve-out (doctrine #50)');
+  process.exit(0);
+}
+
+const __bindingActionClassification = (BINDING_ENABLED && !bindingBypassReason)
+  ? classifyToolForBinding(toolName, cmd, filePath)
+  : null;
+const __isBootstrapConsult = __bindingActionClassification?.action === 'consult';
+if (__isBootstrapConsult) {
+  bindingAuditAppend({ event: 'allow_bootstrap_consult', sessionId, target: __bindingActionClassification.target, toolName });
+}
+if (BINDING_ENABLED && !bindingBypassReason && !__isBootstrapConsult) {
+  let plan = loadActivePlan(sessionId);
+  if (!plan) {
+    // INLINE architect-fallback (Hamza directive 2026-04-27 — no async stop-gate
+    // races). When no plan exists, fire architect-fallback synchronously here
+    // so a real plan is minted and loaded inside the same hook execution. If
+    // architect-fallback fails the gate still BLOCKS per doctrine (no bypass)
+    // but the block message includes the architect-fallback exit details so the
+    // failure is visible LOUDLY per feedback_no_graceful_degradation.md.
+    bindingAuditAppend({ event: 'no_plan_inline_fallback_attempt', sessionId, toolName });
+    const blockerReason = `pre-tool-gate inline fallback: no active plan for session ${sessionId} when ${toolName} was attempted on ${cmdPreview.slice(0, 200)}`;
+    const fallbackEvent = JSON.stringify({ reason: blockerReason, sessionId, toolName, currentPlanId: 'none' });
+    let architectExit = -1;
+    let architectStderr = '';
+    try {
+      const archProc = spawnSync(process.execPath, [`${HOME}/.claude/hooks/aria-architect-fallback.mjs`], {
+        input: fallbackEvent,
+        encoding: 'utf8',
+        timeout: 60000,
+      });
+      architectExit = archProc.status ?? -1;
+      architectStderr = (archProc.stderr || '').slice(0, 500);
+    } catch (err) {
+      architectStderr = String(err).slice(0, 500);
+    }
+    bindingAuditAppend({ event: 'architect_fallback_result', sessionId, exit: architectExit, stderr: architectStderr.slice(0, 300) });
+
+    plan = loadActivePlan(sessionId);
+    if (plan) {
+      process.stderr.write(`\n✓ PRE-TOOL-GATE FALLBACK: architect-fallback minted plan ${plan.planId}. Continuing.\n`);
+      bindingAuditAppend({ event: 'architect_fallback_minted_plan', sessionId, planId: plan.planId });
+    } else {
+      bindingAuditAppend({ event: 'block_no_active_plan_after_fallback', sessionId, toolName, architectExit });
+      const reason = `Aria binding gate: no active plan exists AND inline architect-fallback failed (exit=${architectExit}). Plan-mint chain broken. ${architectStderr ? 'Architect stderr: ' + architectStderr : ''}
+
+What Claude must do:
+1. Acknowledge to Hamza that the architect-fallback chain failed (visible in audit log)
+2. Surface the failure LOUDLY — this is a substrate-level break, not a routine consult miss
+3. Wait for next user prompt — preprompt-consult will retry; if it succeeds a plan will exist on next tool call
+
+Non-trivial actions are blocked until a plan exists. Trivial reads (ls/cat/grep) bypass automatically per existing whitelist. To temporarily disable binding for emergency: ARIA_BINDING_ENABLED=false (logged).`;
+      console.log(JSON.stringify({ decision: 'block', reason }));
+      process.exit(2);
+    }
+  }
+
+  const transcriptText = unionText || '';
+  let phaseInfo = pickCurrentPhase(plan, transcriptText);
+
+  if (!phaseInfo) {
+    // All phases reported complete — needs new consult before more action
+    bindingAuditAppend({ event: 'block_all_phases_complete', sessionId, planId: plan.planId, toolName });
+    const reason = `Aria binding gate: all phases of plan ${plan.planId} have been reported complete in this transcript. The plan is exhausted; Claude cannot proceed without a fresh consult.
+
+What Claude must do:
+1. Acknowledge plan completion to Hamza
+2. Wait for next user prompt — preprompt-consult will issue a new plan
+3. Don't continue executing actions beyond the issued plan boundary
+
+This prevents Claude from drifting past Aria's authorized scope.`;
+    console.log(JSON.stringify({ decision: 'block', reason }));
+    process.exit(2);
+  }
+
+  if (phaseInfo.abortedHere) {
+    // INLINE architect-fallback (Hamza directive 2026-04-27 — same recovery as
+    // no-plan branch above). When phase is aborted, fire architect-fallback
+    // synchronously here to mint a fresh plan instead of deadlocking. If
+    // architect-fallback fails the gate still BLOCKS per doctrine but the
+    // failure is LOUD per feedback_no_graceful_degradation.md.
+    bindingAuditAppend({ event: 'phase_aborted_inline_fallback_attempt', sessionId, planId: plan.planId, phaseId: phaseInfo.phase.id, toolName });
+    const blockerReason = `pre-tool-gate inline fallback: phase ${phaseInfo.phase.id} of plan ${plan.planId} aborted, ${toolName} attempted on ${cmdPreview.slice(0, 200)}`;
+    const fallbackEvent = JSON.stringify({ reason: blockerReason, sessionId, toolName, currentPlanId: plan.planId });
+    let architectExit = -1;
+    let architectStderr = '';
+    try {
+      const archProc = spawnSync(process.execPath, [`${HOME}/.claude/hooks/aria-architect-fallback.mjs`], {
+        input: fallbackEvent,
+        encoding: 'utf8',
+        timeout: 60000,
+      });
+      architectExit = archProc.status ?? -1;
+      architectStderr = (archProc.stderr || '').slice(0, 500);
+    } catch (err) {
+      architectStderr = String(err).slice(0, 500);
+    }
+    bindingAuditAppend({ event: 'aborted_phase_architect_fallback_result', sessionId, exit: architectExit, stderr: architectStderr.slice(0, 300) });
+
+    const freshPlan = loadActivePlan(sessionId);
+    if (freshPlan && freshPlan.planId !== plan.planId) {
+      process.stderr.write(`\n✓ PRE-TOOL-GATE FALLBACK: aborted phase recovered, fresh plan ${freshPlan.planId} minted. Continuing.\n`);
+      bindingAuditAppend({ event: 'aborted_phase_recovered', sessionId, oldPlanId: plan.planId, newPlanId: freshPlan.planId });
+      plan = freshPlan;
+      const freshPhaseInfo = pickCurrentPhase(plan, transcriptText);
+      if (!freshPhaseInfo || freshPhaseInfo.abortedHere) {
+        bindingAuditAppend({ event: 'block_aborted_phase_post_fallback_still_bad', sessionId, planId: plan.planId });
+        const reason = `Aria binding gate: aborted phase recovery minted plan ${plan.planId} but new plan also has no usable phase. Manual intervention required.`;
+        console.log(JSON.stringify({ decision: 'block', reason }));
+        process.exit(2);
+      }
+      phaseInfo = freshPhaseInfo;
+    } else {
+      bindingAuditAppend({ event: 'block_phase_aborted_fallback_failed', sessionId, planId: plan.planId, phaseId: phaseInfo.phase.id, architectExit });
+      const reason = `Aria binding gate: phase ${phaseInfo.phase.id} of plan ${plan.planId} was reported aborted AND inline architect-fallback failed (exit=${architectExit}). Plan progression halted. ${architectStderr ? 'Architect stderr: ' + architectStderr : ''}
+
+What Claude must do: emit [PLAN_BLOCKER reason="<concrete observation>" suggestedAmendment="<if any>"] for Hamza/Aria to issue a corrected plan. Do not continue executing the aborted plan.`;
+      console.log(JSON.stringify({ decision: 'block', reason }));
+      process.exit(2);
+    }
+  }
+
+  const { action, target } = classifyToolForBinding(toolName, cmd, filePath);
+  const phase = phaseInfo.phase;
+
+  // Forbidden takes precedence
+  const forbidden = (phase.forbiddenActions || []).find((p) => actionMatchesPattern(action, p, target));
+  if (forbidden) {
+    bindingAuditAppend({ event: 'block_forbidden_action', sessionId, planId: plan.planId, phaseId: phase.id, action, target, matchedRule: forbidden });
+    // Hive recipe lookup BEFORE emitting the block — if the same shape has
+    // fired before, surface the recipe inline. Lookup is fail-soft: a probe
+    // failure leaves the block message unchanged.
+    const lookup = await lookupBlockPatternRecipe({
+      detectorClass: 'doctrine_violation',
+      signature: `binding-forbidden::action=${action}::matches=${forbidden}`,
+      tenantId: sessionId,
+    });
+    const recipeAddendum = renderRecipeAddendum(lookup);
+    const reason = `Aria binding gate: action "${action}" on target "${target}" matches forbidden pattern "${forbidden}" for current phase ${phase.id} ("${phase.summary}") of plan ${plan.planId}.
+
+Phase summary: ${phase.summary}
+Forbidden actions for this phase: ${(phase.forbiddenActions || []).join(', ') || '(none)'}
+Allowed actions for this phase: ${(phase.allowedActions || []).join(', ') || '(none)'}
+
+Claude must either: (a) reframe the action to fit allowedActions, OR (b) emit [PLAN_BLOCKER reason="..."] requesting Aria amend the plan.${recipeAddendum}`;
+    console.log(JSON.stringify({ decision: 'block', reason }));
+    process.exit(2);
+  }
+
+  const allowed = (phase.allowedActions || []).find((p) => actionMatchesPattern(action, p, target));
+  if (!allowed) {
+    bindingAuditAppend({ event: 'block_action_not_in_allowed_list', sessionId, planId: plan.planId, phaseId: phase.id, action, target });
+    const lookup = await lookupBlockPatternRecipe({
+      detectorClass: 'doctrine_violation',
+      signature: `binding-not-allowed::action=${action}::phase=${phase.id}`,
+      tenantId: sessionId,
+    });
+    const recipeAddendum = renderRecipeAddendum(lookup);
+    const reason = `Aria binding gate: action "${action}" on target "${target}" is NOT in allowedActions for current phase ${phase.id} of plan ${plan.planId}.
+
+Phase summary: ${phase.summary}
+Allowed actions: ${(phase.allowedActions || []).join(', ') || '(none — phase is observation-only)'}
+
+Claude must either: (a) reframe action to fit allowedActions, OR (b) emit [PLAN_BLOCKER reason="..."] for plan amendment.${recipeAddendum}`;
+    console.log(JSON.stringify({ decision: 'block', reason }));
+    process.exit(2);
+  }
+
+  bindingAuditAppend({ event: 'allow_phase_action', sessionId, planId: plan.planId, phaseId: phase.id, action, target });
+}
+
+// ── Outcome Ledger regression flag (fail-soft) ───────────────────────────────
+//
+// Before allowing, query aria_outcome_ledger for recent regressions on the same
+// action shape. This is NOT a block — it's a soft-warning surfaced to stderr so
+// the agent can see the risk and decide whether the root cause has shipped.
+//
+// action_kind: 'edit' for Edit/Write/NotebookEdit, 'bash' for Bash
+// action_target: file path for file tools; first word of bash command otherwise
+//
+// Fail-open: network errors, timeouts, or non-200 responses are silently ignored.
+// The gate does not hardcode timeouts (no-timeouts doctrine); the 3s AbortController
+// is a DETECTION PROBE — if the endpoint is alive it will respond quickly; if it
+// is down the catch path fail-opens without blocking the developer.
+(async function checkOutcomeLedger() {
+  const _harnessUrl =
+    process.env.ARIA_HIVE_RUNTIME_URL ||
+    process.env.ARIA_HARNESS_BASE_URL ||
+    process.env.ARIA_HARNESS_URL ||
+    'https://harness.ariasos.com';
+  const _harnessToken = process.env.ARIA_HARNESS_TOKEN || '';
+
+  // Derive action_kind and action_target from current tool call
+  let _actionKind = 'bash';
+  let _actionTarget = '';
+  if (toolName === 'Edit' || toolName === 'Write' || toolName === 'NotebookEdit') {
+    _actionKind = 'edit';
+    _actionTarget = filePath;
+  } else if (toolName === 'Bash') {
+    _actionKind = 'bash';
+    // First word of the command (the verb) as the shape key
+    _actionTarget = cmd.trim().split(/\s+/)[0] || '';
+    // If the command touches a specific file path, prefer that as target
+    // (captures edit-like bash operations: sed, awk, tee, etc.)
+    const _fileArgMatch = cmd.match(/\b([\w./~-]+\.[a-z]{2,6})\b/i);
+    if (_fileArgMatch) _actionTarget = _fileArgMatch[1];
+  }
+
+  if (!_actionTarget) return; // nothing useful to query
+
+  try {
+    const _ctl = new AbortController();
+    const _probeTimer = setTimeout(() => _ctl.abort(), 3000);
+    let _resp;
+    try {
+      const _params = new URLSearchParams({ action_kind: _actionKind, action_target: _actionTarget });
+      _resp = await fetch(`${_harnessUrl}/api/harness/outcome-recent-regressions?${_params}`, {
+        method: 'GET',
+        headers: {
+          'Content-Type': 'application/json',
+          ...(_harnessToken ? { Authorization: `Bearer ${_harnessToken}` } : {}),
+        },
+        signal: _ctl.signal,
+      });
+    } finally {
+      clearTimeout(_probeTimer);
+    }
+
+    if (!_resp || !_resp.ok) return; // endpoint unreachable or error — fail-open
+    const _data = await _resp.json();
+    const _regressions = Array.isArray(_data?.regressions) ? _data.regressions : [];
+
+    if (_regressions.length > 0) {
+      // Soft-warning to stderr — visible in Claude Code's hook output but does NOT block
+      const _lines = _regressions.map(
+        (r) => `  - ${r.action_target} at ${new Date(r.created_at).toISOString()}: ${r.regression_signal || '(no signal text)'}`,
+      ).join('\n');
+      process.stderr.write(
+        `⚠️  Aria Outcome Ledger: this action shape regressed ${_regressions.length} time(s) in the last 60 min:\n` +
+        `${_lines}\n` +
+        `Re-emitting with this risk visible. Proceed only if root cause has shipped since.\n`,
+      );
+      audit(`warn-ledger-regression ${_actionKind} target=${_actionTarget} count=${_regressions.length}`, cmdPreview);
+    }
+  } catch {
+    // Network error, abort, parse failure — fail-open, no warning
+  }
+})();
+
+// ── Substrate-bound contract gate via SDK.checkAction ──────────────────────
+// Hamza directive 2026-04-28: local cognition substance + binding-plan gates
+// pass, but the substrate has its own contract gate that knows about deploy
+// state, soul-charge, hospital admission policy, etc. checkAction returns
+// { allowed, reason, requiredGates }. allowed:false halts the tool with the
+// substrate's reason. SDK call failure is non-blocking (fail-open) — halting
+// every tool when substrate is down would brick the orchestrator, but the
+// failure is logged for telemetry.
+try {
+  const { HTTPHarnessClient } = await import('@aria/harness-http-client');
+  const { readFileSync: __fsRead, existsSync: __fsExists } = await import('node:fs');
+  const { homedir: __homedir } = await import('node:os');
+  const __home = __homedir();
+  const __tokenPath = `${__home}/.aria/owner-token`;
+  const __licensePath = `${__home}/.aria/license.json`;
+  // Tier detection: client if license.json has a jti, else owner.
+  // Hamza correction 2026-04-28b: master/owner-token credentials belong
+  // to Hamza only — never resolve them on client-tier processes.
+  let __isOwner = true;
+  try {
+    if (__fsExists(__licensePath)) {
+      const __lic = JSON.parse(__fsRead(__licensePath, 'utf8'));
+      __isOwner = !__lic.jti;
+    }
+  } catch { __isOwner = true; }
+  // Resolution: ARIA_HARNESS_TOKEN env first (both tiers). ONLY on owner
+  // tier, fall back to master/api-key env or owner-token file.
+  let __apiKey = process.env.ARIA_HARNESS_TOKEN || '';
+  if (!__apiKey && __isOwner) {
+    __apiKey = process.env.ARIA_MASTER_TOKEN
+      || process.env.ARIA_API_KEY
+      || (__fsExists(__tokenPath) ? __fsRead(__tokenPath, 'utf8').trim() : '');
+  }
+  // Map Claude tool names → checkAction action enum (substrate signature is
+  // 'deploy'|'build'|'write'|'delete'). Most state-mutating tools map to
+  // 'write'; explicit deploy/destructive cases would map elsewhere if the
+  // substrate widens the enum later.
+  const __toolToAction = { Bash: 'write', Edit: 'write', Write: 'write', NotebookEdit: 'write' };
+  const __action = __toolToAction[toolName];
+  if (__apiKey && __action) {
+    const __client = new HTTPHarnessClient({
+      baseUrl:
+        process.env.ARIA_HIVE_RUNTIME_URL ||
+        process.env.ARIA_HARNESS_BASE_URL ||
+        process.env.ARIA_HARNESS_URL ||
+        'https://harness.ariasos.com',
+      apiKey: __apiKey,
+    });
+    const __target = JSON.stringify(toolInput || {}).slice(0, 500);
+    const __check = await __client.checkAction(__action, __target);
+    if (__check && __check.allowed === false) {
+      const __reason = `Aria substrate checkAction DENIED for ${toolName}/${__action}: ${__check.reason || 'no reason given'}. Required gates: [${(__check.requiredGates || []).join(', ')}].
+
+The substrate's contract gate refused this action. Local doctrine gates passed (cognition lenses, binding plan, drift) but the substrate sees a downstream contract that disallows this tool call. Address the substrate's reason above before retrying.`;
+      audit(`block-substrate-checkAction ${toolName.toLowerCase()} action=${__action} reason="${(__check.reason || '').slice(0, 80)}"`, cmdPreview);
+      pushDecision('block', `substrate checkAction denied: ${(__check.reason || 'unspecified').slice(0, 100)}`);
+      console.log(JSON.stringify({ decision: 'block', reason: __reason }));
+      process.exit(2);
+    }
+  }
+} catch (err) {
+  // SDK call failure is non-blocking — gate degrades to local-only doctrine.
+  // The failure is recorded so a fleet probe can detect substrate-side
+  // contract gate outages.
+  console.warn(`[pre-tool-gate] substrate checkAction failed: ${err && err.message ? err.message : err}`);
+}
+
+// ── Hive session-lock check ───────────────────────────────────────────────────
+// For Edit/Write/NotebookEdit: check file_path against hive_session_locks.
+// For Bash with file-mutating verbs (rm, mv, sed -i, awk, tee, cp, chmod,
+//   truncate, install): extract the file argument and check it.
+//
+// If an active lock exists from a DIFFERENT session, BLOCK with coordination
+// instructions. Fail-open only on network error (endpoint unreachable).
+//
+// Per feedback_no_graceful_degradation.md: parse errors and non-network
+//   failures surface in the block reason — they are not silently ignored.
+// Per feedback_no_timeouts_doctrine.md: no AbortSignal or setTimeout.
+(async function checkHiveSessionLock() {
+  // Determine the file path to check
+  let _lockCheckPath = '';
+
+  if (toolName === 'Edit' || toolName === 'Write' || toolName === 'NotebookEdit') {
+    _lockCheckPath = filePath;
+  } else if (toolName === 'Bash') {
+    // Destructive bash verbs that mutate files — extract the file argument
+    const _mutatingVerbRx = /^(rm|mv|cp|sed\s+-i|awk\s+.*-i|tee|truncate|install|chmod|chown)\b/;
+    if (_mutatingVerbRx.test(cmd.trim())) {
+      // Extract the first file-path argument: look for something with /
+      const _pathMatch = cmd.match(/\s+((?:\/|~\/|\.\.?\/|[\w.-]+\/)[^\s'"]+)/);
+      if (_pathMatch) _lockCheckPath = _pathMatch[1];
+    }
+  }
+
+  if (!_lockCheckPath) return; // no file target — skip lock check
+
+  const _soulUrl =
+    process.env.ARIA_HIVE_RUNTIME_URL ||
+    process.env.ARIA_SOUL_URL ||
+    process.env.ARIA_HARNESS_BASE_URL ||
+    process.env.ARIA_HARNESS_URL ||
+    'https://harness.ariasos.com';
+  const _harnessToken = process.env.ARIA_HARNESS_TOKEN || '';
+
+  let _lockResp;
+  try {
+    const _params = new URLSearchParams({ file_path: _lockCheckPath });
+    _lockResp = await fetch(`${_soulUrl}/api/hive/session-lock?${_params}`, {
+      method: 'GET',
+      headers: {
+        'Content-Type': 'application/json',
+        ...(_harnessToken ? { Authorization: `Bearer ${_harnessToken}` } : {}),
+      },
+    });
+  } catch (_netErr) {
+    // Endpoint unreachable — fail-open. Lock check is a coordination layer,
+    // not a safety hard-stop. Infra-down must not block all development.
+    audit(`allow-lock-check-network-error path=${_lockCheckPath.slice(0, 80)}`, cmdPreview);
+    return;
+  }
+
+  if (!_lockResp.ok) {
+    // Non-200 — route may not be deployed yet. Fail-open with audit record.
+    audit(`allow-lock-check-http-error status=${_lockResp.status} path=${_lockCheckPath.slice(0, 80)}`, cmdPreview);
+    return;
+  }
+
+  // Per feedback_no_graceful_degradation.md: JSON parse error is surfaced,
+  // not swallowed. A malformed response IS a defect that must be visible.
+  const _lockData = await _lockResp.json();
+  const _activeLocks = Array.isArray(_lockData?.locks) ? _lockData.locks : [];
+
+  // Filter to locks from a DIFFERENT session
+  const _conflictingLocks = _activeLocks.filter(
+    (l) => l.session_id && String(l.session_id) !== String(sessionId),
+  );
+
+  if (_conflictingLocks.length === 0) {
+    audit(`allow-lock-clear path=${_lockCheckPath.slice(0, 80)}`, cmdPreview);
+    return; // no conflict — proceed
+  }
+
+  // ── Auto-post coordination message to each conflicting session ───────────
+  // Per hive-session-coordination doctrine (memory:feedback_hive_session_coordination.md):
+  // when a lock conflict is detected, the gate AUTOMATICALLY posts a
+  // lock_conflict_request session-message to each conflicting session so they see
+  // the inbound coordination request in their next turn's HIVE_SESSION_INBOX block.
+  // The model never has to manually post — the gate is the structural binding.
+  //
+  // Per feedback_no_timeouts_doctrine.md: no AbortSignal or setTimeout.
+  // Per feedback_no_graceful_degradation.md: message-post failures are logged
+  // loudly to stderr; they do NOT silently degrade — the block still fires regardless.
+  const _autoMessageIds = [];
+  for (const _conflict of _conflictingLocks) {
+    try {
+      const _msgId = `lock-conflict-${sessionId}-${Date.now().toString(36)}-${Math.random().toString(36).slice(2, 7)}`;
+      const _requestedAt = new Date().toISOString();
+      const _msgBody = {
+        coordination_protocol: 'aria-hive-lock-conflict/v2',
+        coordination_key: `file:${_lockCheckPath}`,
+        file_path: _lockCheckPath,
+        requesting_session_id: sessionId,
+        requesting_client_id: 'aria-connector',
+        requesting_surface: 'pre-tool-gate',
+        intent_summary: `Session ${sessionId} attempted to edit ${_lockCheckPath} via ${toolName} but found your active lock. Requesting coordination — please release when done.`,
+        requested_at: _requestedAt,
+        tool_name: toolName,
+        command_preview: cmdPreview,
+        file_claims: [{ path: _lockCheckPath, intent: 'edit' }],
+        target_lock: {
+          lock_id: _conflict.lock_id ?? null,
+          session_id: _conflict.session_id ?? null,
+          client_id: _conflict.client_id ?? null,
+          surface: _conflict.surface ?? null,
+          locked_at: _conflict.locked_at ?? null,
+          expires_at: _conflict.expires_at ?? null,
+        },
+      };
+      const _msgResp = await fetch(`${_soulUrl}/api/hive/session-message`, {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+          ...(_harnessToken ? { Authorization: `Bearer ${_harnessToken}` } : {}),
+        },
+        body: JSON.stringify({
+          message_id: _msgId,
+          from_session_id: sessionId,
+          to_session_id: _conflict.session_id,
+          topic: 'lock_conflict_request',
+          body: _msgBody,
+        }),
+      });
+      if (_msgResp.ok) {
+        _autoMessageIds.push({ session_id: _conflict.session_id, message_id: _msgId });
+        audit(`auto-msg-sent lock-conflict to=${_conflict.session_id} msg=${_msgId} path=${_lockCheckPath.slice(0, 60)}`, cmdPreview);
+      } else {
+        const _errText = await _msgResp.text().catch(() => 'unreadable');
+        process.stderr.write(
+          `[aria-pre-tool-gate] WARN auto-message to session ${_conflict.session_id} failed: HTTP ${_msgResp.status} ${_errText.slice(0, 200)}\n`,
+        );
+        audit(`auto-msg-failed lock-conflict to=${_conflict.session_id} status=${_msgResp.status} path=${_lockCheckPath.slice(0, 60)}`, cmdPreview);
+      }
+    } catch (_msgErr) {
+      // Network error posting auto-message — log loudly per no-graceful-degradation doctrine.
+      // Block still fires; auto-message is additive signal, not a safety gate.
+      process.stderr.write(
+        `[aria-pre-tool-gate] WARN auto-message to session ${_conflict.session_id} threw: ${_msgErr instanceof Error ? _msgErr.message : String(_msgErr)}\n`,
+      );
+      audit(`auto-msg-error lock-conflict to=${_conflict.session_id} path=${_lockCheckPath.slice(0, 60)}`, cmdPreview);
+    }
+  }
+
+  const _conflictDetails = _conflictingLocks.map((l) => {
+    const _ago = l.locked_at ? `since ${l.locked_at}` : '';
+    const _expires = l.expires_at ? `, expires ${l.expires_at}` : '';
+    const _who = l.client_id ? ` (client: ${l.client_id})` : '';
+    const _surface = l.surface ? ` [${l.surface}]` : '';
+    const _sentMsg = _autoMessageIds.find((m) => m.session_id === l.session_id);
+    const _msgNote = _sentMsg
+      ? ` [auto-coordination message posted: ${_sentMsg.message_id}]`
+      : ' [auto-message failed — coordinate manually]';
+    return `  - Session ${l.session_id}${_who}${_surface} holds lock on ${l.file_path} ${_ago}${_expires}${_msgNote}`;
+  }).join('\n');
+
+  const _autoMsgSummary = _autoMessageIds.length > 0
+    ? `\nAuto-coordination: gate posted lock_conflict_request message(s) to ${_autoMessageIds.map((m) => `session ${m.session_id} (msg: ${m.message_id})`).join(', ')}. They will see this inbound on their next turn via [HIVE_SESSION_INBOX].`
+    : '\nAuto-coordination message could not be delivered (see stderr). Coordinate manually via POST /api/hive/session-message.';
+
+  const _lockBlockReason = `Hive session-lock conflict: another session holds an active lock on this file.
+
+File: ${_lockCheckPath}
+
+Conflicting locks:
+${_conflictDetails}
+${_autoMsgSummary}
+
+Resolution:
+  1. A lock_conflict_request message was automatically posted to the lock-holding session. Wait for them to see it.
+  2. They release via: aria hive lock release --lock-id <ID>  OR  DELETE /api/hive/session-lock.
+  3. No automatic timeout-based release — explicit release only (memory:feedback_no_timeouts_doctrine.md).
+  4. Retry this action — the gate allows when no conflicting lock exists.
+
+Per memory:feedback_hive_session_coordination.md: blind-edit on the same file from concurrent sessions
+causes merge conflicts and state divergence. Explicit coordination is the only safe path.`;
+
+  audit(`block-hive-lock-conflict path=${_lockCheckPath.slice(0, 80)} conflicting_sessions=${_conflictingLocks.map((l) => l.session_id).join(',')} auto_msgs=${_autoMessageIds.length}`, cmdPreview);
+  pushDecision('block', `hive session-lock conflict on ${_lockCheckPath.slice(0, 80)}`);
+  console.log(JSON.stringify({
+    decision: 'block',
+    reason: _lockBlockReason,
+    hookSpecificOutput: {
+      hookEventName: 'PreToolUse',
+      conflicting_locks: _conflictingLocks,
+      auto_coordination_messages: _autoMessageIds,
+      recovery: {
+        action: 'wait_for_lock_release_then_retry',
+        file_path: _lockCheckPath,
+        conflicting_session_ids: _conflictingLocks.map((l) => l.session_id),
+        auto_message_posted: _autoMessageIds.length > 0,
+        send_message_endpoint: '/api/hive/session-message',
+        release_lock_endpoint: '/api/hive/session-lock',
+      },
+    },
+  }));
+  process.exit(2);
+})();
+
+// Non-trivial action with cognition AND (binding-allowed OR binding-disabled) AND substrate-cleared — allow.
+audit(`allow-cognition ${toolName.toLowerCase()} lenses=${lensCount} via=${cognitionSource}`, cmdPreview);
+pushDecision('allow', `${toolName.toLowerCase()} with ${lensCount} lenses (${cognitionSource})`);
+process.exit(0);