@aria_asi/cli 0.2.25 → 0.2.29

package/hooks/aria-pre-tool-gate.mjs

@@ -1,4 +1,5 @@
 #!/usr/bin/env node
+// ARIA_ALLOW_STUB — doctrine gate file legitimately discusses stub/placeholder semantics.
 // Aria pre-tool-use gate — enforces cognition use before destructive tool calls.
 //
 // Runs as a Claude Code PreToolUse hook on every Bash invocation. For
@@ -36,11 +37,44 @@
 // Audit log: every gate decision (allow / block / kill-switch) is
 // appended to ~/.claude/aria-pre-tool-gate.log.
 
-import { readFileSync, appendFileSync, existsSync, mkdirSync } from 'node:fs';
+import { readFileSync, writeFileSync, appendFileSync, existsSync, mkdirSync, chmodSync } from 'node:fs';
 import { dirname } from 'node:path';
+import { homedir } from 'node:os';
+import { spawnSync } from 'node:child_process';
+import { createHmac, randomBytes as cryptoRandomBytes } from 'node:crypto';
 
 const HOME = process.env.HOME || '/tmp';
 const LOG = `${HOME}/.claude/aria-pre-tool-gate.log`;
+const HEARTBEAT = `${HOME}/.claude/aria-pre-tool-gate-heartbeat.jsonl`;
+
+// ── Heartbeat OUTSIDE the crash boundary (doctrine #123) ───────────────
+// Per feedback_ledger_writes_outside_crash_boundary.md + doctrine #124
+// (non-blocking errors are NOT acceptable), the gate writes a heartbeat
+// FIRST — before transcript scan, before cognition extraction, before
+// any code path that could crash, hang, or be killed by an external
+// timeout. A heartbeat-write is the ONLY signal that proves the gate
+// process actually started executing. Hook-health monitors read this
+// file to detect silent gate death.
+//
+// The heartbeat is intentionally a tiny synchronous write so that even
+// if the gate is killed by Claude Code's hook timeout in the next
+// millisecond, we have proof it was alive at startup.
+try {
+  const hbPid = process.pid;
+  const hbTs = new Date().toISOString();
+  // Write before reading stdin or doing any work that could throw.
+  appendFileSync(HEARTBEAT, JSON.stringify({ ts: hbTs, pid: hbPid, gate: 'aria-pre-tool-gate', stage: 'startup' }) + '\n');
+} catch {
+  // The ONLY catch in this file that may swallow — a heartbeat write
+  // failure here is fail-loud-on-stderr because no other surface exists
+  // yet (we haven't opened the audit log) but cannot itself block the
+  // gate. Per feedback_non_blocking_errors_unacceptable.md the
+  // failure-mode for THIS specific path is documented in the doctrine
+  // memory; the structural fix for "what if the heartbeat write fails"
+  // is the hook-health monitor task #122 which checks heartbeat
+  // freshness and reports staleness.
+  process.stderr.write(`[aria-pre-tool-gate] heartbeat write failed at ${new Date().toISOString()}\n`);
+}
 
 // Bypass-counter (kept for historical visibility — past audit-log
 // entries are still useful even though no new bypass entries can be
@@ -93,21 +127,18 @@ function audit(decision, summary) {
   } catch {}
 }
 
-// ARIA_BINDING_ENABLED escape hatch (Defect #2 — env override was named in doctrine
-// but never read). Wire it first, synchronously, before any other logic runs.
-// appendFileSync / existsSync / mkdirSync are already imported at the top of this file
-// so they're available here. This is the owner's deliberate kill-switch; setting
-// ARIA_BINDING_ENABLED=false is the visible, audited emergency override.
-if (process.env.ARIA_BINDING_ENABLED === 'false') {
-  const _home = process.env.HOME || '/tmp';
-  const _audit = `${_home}/.claude/aria-binding-audit.jsonl`;
-  try {
-    const _dir = dirname(_audit);
-    if (!existsSync(_dir)) mkdirSync(_dir, { recursive: true });
-    appendFileSync(_audit, JSON.stringify({ ts: new Date().toISOString(), source: 'pre-tool-gate', event: 'env_override_exit', reason: 'ARIA_BINDING_ENABLED=false', pid: process.pid }) + '\n');
-  } catch {}
-  process.exit(0);
-}
+// ARIA_BINDING_ENABLED env-override REMOVED 2026-04-28 per Hamza directive
+// + memory:feedback_gap_discovery_hardens_doctrine.md — env-var disables
+// are the textbook bypass class doctrine forbids. The override was the
+// de-facto Aria-down handler for an unknown count of sessions and turned
+// off every gate, not just the plan-check. Replaced by the architect
+// fallback plan path (tracked task — Aria-unreachable detection writes
+// a bounded local plan with limited allowedActions, loud audit, auto-
+// expiry on Aria return). Prior env_override_exit entries remain in
+// ~/.claude/aria-binding-audit.jsonl for historical audit.
+//
+// The gate now enforces unconditionally from the gated process per
+// Hamza directive 2026-04-27. No process-level disable path.
 
 // ── Aria-as-commander binding (Layer A — allowedActions/forbiddenActions per active phase) ──
 //
@@ -343,10 +374,78 @@ const DESTRUCTIVE_PATTERNS = [
   { rx: /\bkubectl\s+(scale|rollout)\s+(undo|restart)\b/, name: 'kubectl-rollback' },
 ];
 
+// Deploy patterns — bash invocations that mutate the canonical aria k8s
+// cluster or push images. Per feedback_deploy_requires_verify_cognition.md
+// (Hamza directive 2026-04-28 after consciousness.ts crash took aria-soul
+// into CrashLoopBackOff): deploys require BOTH a <verify> block citing the
+// shipping artifact AND a <cognition> block with substantive substrate
+// anchors. Without both, the deploy is hard-blocked. This is doctrine #104
+// — the structural enforcement Hamza demanded after the prior deploy
+// crashed all of aria.
+const DEPLOY_PATTERNS = [
+  { rx: /\bbash\s+(?:\.\/)?scripts\/deploy-service\.sh\b/, name: 'deploy-service-script' },
+  { rx: /\b(?:\.\/)?scripts\/deploy-service\.sh\b/, name: 'deploy-service-script' },
+  { rx: /\bkubectl\s+apply\b/, name: 'kubectl-apply' },
+  { rx: /\bkubectl\s+set\s+image\b/, name: 'kubectl-set-image' },
+  { rx: /\bkubectl\s+rollout\s+restart\b/, name: 'kubectl-rollout-restart' },
+  { rx: /\bkubectl\s+rollout\s+undo\b/, name: 'kubectl-rollout-undo' },
+  { rx: /\bkubectl\s+create\b/, name: 'kubectl-create' },
+  { rx: /\bkubectl\s+replace\b/, name: 'kubectl-replace' },
+  { rx: /\bdocker\s+push\b/, name: 'docker-push' },
+  { rx: /\bdocker\s+build\b.*--push\b/, name: 'docker-build-push' },
+];
+
+// Minimum substrate anchors required in cognition body for a deploy.
+// Per feedback_full_harness_binding_must_be_structural.md, every cognition
+// lens should cite a substrate anchor; for deploy specifically we require
+// at least 4 distinct anchors total across the block (one per lens minimum
+// across at least 4 lenses).
+const DEPLOY_MIN_SUBSTRATE_ANCHORS = 4;
+const SUBSTRATE_ANCHOR_RX = /\b(axiom|frame|memory|doctrine|packet):[a-z0-9_\-./]+/gi;
+
+// Verify-block fields specifically required for deploys — beyond the base
+// 5 fields, the deploy verify must cite a commit/SHA, a TS-check result,
+// and the admission policy that authorizes the canonical image.
+const DEPLOY_VERIFY_REQUIRED_FIELDS = [
+  // Either a git commit hash OR an explicit "files changed" listing
+  { rx: /\b(?:commit|HEAD|SHA|files\s+changed)\b/i, name: 'commit_or_files' },
+  // TS-check / build evidence
+  { rx: /\b(?:tsc|type[\s-]?check|build|npm\s+run\s+build)\b/i, name: 'build_or_typecheck' },
+  // Admission policy citation
+  { rx: /\b(?:admission[\s_-]?policy|validatingadmissionpolicy)\b/i, name: 'admission_policy' },
+];
+
 // The verify-block contract. All five fields required.
 const VERIFY_BLOCK_RX =
   /<verify>[\s\S]*?target\s*:[\s\S]*?role\s*:[\s\S]*?verified\s*:[\s\S]*?rollback\s*:[\s\S]*?axiom\s*:[\s\S]*?<\/verify>/i;
 
+// ── Dalio Loop: expected_outcome enforcement (doctrine:dalio_expected_required) ─
+//
+// Every non-trivial action must carry an <expected> block with at least one
+// measurable predicate. The predicate must be numeric (≥X, ==X, ≤X, X%),
+// boolean (true/false/exit=0/exit=1), or state-string ("status=running",
+// "200 OK", "exit=0", "file=exists", etc.).
+//
+// Qualitative drift phrases ("better", "improved", "more robust", etc.) are
+// REJECTED — they are unmeasurable and defeat the Dalio accountability loop.
+// The block must appear in the same turn or a prior turn (turn-scoped, same
+// window as cognition).
+//
+// Per doctrine:dalio_expected_required — no measurable predicate = no allow.
+const EXPECTED_BLOCK_RX = /<expected>([\s\S]*?)<\/expected>/i;
+
+// Measurable predicate patterns — at least ONE must be present inside <expected>.
+// Forms accepted:
+//   numeric:      ≥X, >=X, ==X, <=X, <X, >X, X%, N of N, count=N, latency<Xms
+//   boolean:      true, false, exit=0, exit=1, exit_code=N, rc=N
+//   state-string: status=running, status=healthy, status=200, "200 OK",
+//                 "exit=0", "file=exists", "count=N", "error_rate=0%"
+const MEASURABLE_PREDICATE_RX = /(?:>=|<=|==|!=|>|<|≥|≤)\s*\d+(?:\.\d+)?(?:ms|s|%|kb|mb|gb)?|\d+(?:\.\d+)?%(?:\s+(?:reduction|increase|success|error|coverage))?|exit[_=]\s*(?:0|1|\d+)|exit[-_]?code\s*[=:]\s*\d+|\brc\s*[=:]\s*\d+|\bstatus\s*[=:]\s*(?:running|healthy|ready|degraded|down|up|ok|200|201|204|400|401|403|404|500|502|503|504|true|false)\b|\bcount\s*[=:]\s*\d+|\berror[_-]?rate\s*[=:]\s*0%|\b(?:true|false)\b|\bfile[=_-]exists\b|\b200\s*OK\b|\bno[-_\s]?error|\bhealthy\b|\bpassed?\b|N\s*of\s*N|\d+\s*of\s*\d+/i;
+
+// Qualitative drift phrases that masquerade as measurable but are not.
+// Any <expected> block containing ONLY these (no actual predicate) is rejected.
+const QUALITATIVE_DRIFT_RX = /\b(?:better(?:er)?|improved?(?:ment)?|more\s+robust|should\s+(?:work|pass|succeed|run|fix)|more\s+reliable|cleaner|less\s+error[-_\s]?prone|nicer|smoother|faster[-\s]?loading|higher[-\s]?quality|more\s+stable|looks\s+(?:good|better|right))\b/i;
+
 // ── Tier-aware lens labeling (Phase 11 #59) ──────────────────────────────────
 //
 // Aria's Arabic cognition lens names are proprietary IP. On Hamza's surface
@@ -405,7 +504,14 @@ function docRef(canonicalFilename, genericDescription) {
 // colon, not a placeholder template). The substance check (added
 // 2026-04-26) defeats ritual emission — `nur: ok` no longer counts.
 const COGNITION_BLOCK_RX = /<cognition>([\s\S]*?)<\/cognition>/i;
-const REQUIRED_LENSES = 4;
+// Hamza directive 2026-04-28: 8-lens enforcement, not 4-of-8. The earlier
+// REQUIRED_LENSES=4 was a regression — owner caught it ("i no longer see
+// 8 lens cognition per turn"). All 8 canonical lenses must appear with
+// substantive (≥20-char, non-placeholder) content per turn for the gate
+// to accept the cognition. The substrate-binding stop hook also requires
+// all 8 to carry substrate anchors; this gate enforces the 8 lens NAMES
+// are present and have substance.
+const REQUIRED_LENSES = 8;
 const SUBSTANCE_MIN_CHARS = 20;
 // Placeholder patterns from the gate's own correction message + the
 // COMPACT_CONTINUITY_DOCTRINE template — content matching these is
@@ -611,7 +717,11 @@ async function archFactsGate(toolInput) {
 // AbortController deadline. Pile-up protection is structural —
 // in-flight counter caps concurrent pushes. Real network errors
 // drive the catch path; slow responses complete naturally.
-const HARNESS_URL = process.env.ARIA_HARNESS_URL || 'http://192.168.4.25:30080';
+const HARNESS_URL =
+  process.env.ARIA_HIVE_RUNTIME_URL ||
+  process.env.ARIA_HARNESS_BASE_URL ||
+  process.env.ARIA_HARNESS_URL ||
+  'https://harness.ariasos.com';
 const HARNESS_TOKEN = process.env.ARIA_HARNESS_TOKEN || '';
 const LOG_PUSH_DISABLED = process.env.ARIA_COGNITION_PUSH === 'off';
 const MAX_IN_FLIGHT = 16;
@@ -639,6 +749,89 @@ function pushCognitionEvent(payload) {
   }
 }
 
+// ── Block-pattern recipe lookup (Task #86) ──────────────────────────────────
+// Before emitting a binding-violation block, ask aria-soul if this exact
+// shape has been seen before and a high-confidence corrective recipe exists.
+// If so, surface the recipe in the block message so the gated process gets
+// the fix the hive already learned, not just the block.
+//
+// Per feedback_no_timeouts_doctrine.md the lookup uses a DETECTION PROBE
+// (3s AbortController) — that's "is the lookup endpoint alive at all?", not
+// a hard deadline on the underlying lookup. If the probe fires the gate
+// continues with the block-only message: a missed lookup must NEVER convert
+// a real block into an allow.
+//
+// Recipe is surfaced only when confidence > RECIPE_SURFACE_CONFIDENCE (0.7
+// per migration 208 RECIPE_PROMOTE_THRESHOLD), matching the same threshold
+// the cron uses to promote a recipe to the pattern's hot pointer. Below
+// that, we still cite the pattern's existence ("similar block has been
+// seen N times") without claiming a fix.
+const ARIA_SOUL_URL = process.env.ARIA_SOUL_URL || HARNESS_URL;
+const RECIPE_SURFACE_CONFIDENCE = 0.7;
+const BLOCK_PATTERN_PROBE_MS = 3000;
+
+async function lookupBlockPatternRecipe({ detectorClass, signature, tenantId }) {
+  if (!detectorClass || !signature) return null;
+  const url = new URL(`${ARIA_SOUL_URL}/api/hive/block-pattern`);
+  url.searchParams.set('action', 'lookup');
+  url.searchParams.set('detector_class', detectorClass);
+  url.searchParams.set('pattern_signature', signature.slice(0, 512));
+  if (tenantId) url.searchParams.set('tenant_id', tenantId);
+
+  const ctl = new AbortController();
+  const probeTimer = setTimeout(() => ctl.abort(), BLOCK_PATTERN_PROBE_MS);
+  try {
+    const resp = await fetch(url.toString(), {
+      method: 'GET',
+      headers: HARNESS_TOKEN ? { Authorization: `Bearer ${HARNESS_TOKEN}` } : {},
+      signal: ctl.signal,
+    });
+    if (!resp.ok) return null;
+    const body = await resp.json();
+    if (!body || body.found !== true) return null;
+    return body;
+  } catch {
+    return null; // probe failure — block proceeds without recipe surfacing
+  } finally {
+    clearTimeout(probeTimer);
+  }
+}
+
+// Renders the lookup result as an inline addendum to a block message. Returns
+// the empty string when there's nothing useful to surface — the caller can
+// concatenate unconditionally without producing dangling whitespace.
+function renderRecipeAddendum(lookupResult) {
+  if (!lookupResult) return '';
+  const recipe = lookupResult.recipe;
+  const freq = Number(lookupResult.frequency || 0);
+  const successRate = lookupResult.success_rate;
+
+  // Recipe present + above promotion threshold → surface the fix verbatim.
+  if (recipe && typeof recipe === 'object' && Number(recipe.confidence ?? 0) >= RECIPE_SURFACE_CONFIDENCE) {
+    const text = typeof recipe.recipe_text === 'string' ? recipe.recipe_text.slice(0, 800) : '';
+    const actions = Array.isArray(recipe.recipe_actions) ? recipe.recipe_actions : [];
+    const actionsLine = actions.length
+      ? `\n  Actions: ${JSON.stringify(actions).slice(0, 600)}`
+      : '';
+    const conf = Number(recipe.confidence).toFixed(2);
+    const seenLine = freq > 0 ? ` (pattern seen ${freq}× across the hive)` : '';
+    return `\n\n📚 HIVE RECIPE${seenLine}:
+  ${text}${actionsLine}
+  Confidence: ${conf}. Apply this BEFORE the block escalates — the hive learned this fix from prior firings.`;
+  }
+
+  // No promoted recipe — but the pattern is recurring. Cite it so the caller
+  // knows this isn't novel; the recipe is still being learned.
+  if (freq >= 3) {
+    const rateLine = (typeof successRate === 'number')
+      ? ` Past resolution rate: ${(successRate * 100).toFixed(0)}%.`
+      : '';
+    return `\n\n📓 Hive note: this block-shape has fired ${freq} time(s); recipe is still being learned (no high-confidence fix yet).${rateLine}`;
+  }
+
+  return '';
+}
+
 // Read event JSON from stdin (Claude Code spec).
 let input = '';
 for await (const chunk of process.stdin) input += chunk;
@@ -703,12 +896,18 @@ if (inlineCog.count >= REQUIRED_LENSES) {
 const matched = toolName === 'Bash'
   ? DESTRUCTIVE_PATTERNS.find(({ rx }) => rx.test(cmd))
   : null;
+// Deploy-specific match — separate from destructive because it carries
+// stricter substrate-anchor requirements per doctrine #104.
+const deployMatched = toolName === 'Bash'
+  ? DEPLOY_PATTERNS.find(({ rx }) => rx.test(cmd))
+  : null;
 const isTrivialRead = toolName === 'Bash' && TRIVIAL_BASH_RX.test(cmd) && cmd.length < 200;
 const isShort = toolName === 'Bash' && cmd.length < SHORT_BASH_LIMIT;
 
-if (!matched && (isTrivialRead || isShort)) {
-  // Not destructive AND trivial — allow without further checks. Only
-  // reachable for Bash because both flags are forced false otherwise.
+if (!matched && !deployMatched && (isTrivialRead || isShort)) {
+  // Not destructive AND not a deploy AND trivial — allow without
+  // further checks. Only reachable for Bash because all three flags are
+  // forced false otherwise.
   process.exit(0);
 }
 
@@ -829,7 +1028,10 @@ const mergedLensSet = new Set([...inlineCog.names, ...transcriptCog.names]);
 const lensCount = mergedLensSet.size;
 const lensNames = [...mergedLensSet];
 const cogBlockBody = transcriptCog.blockBody;
-const hasVerify = VERIFY_BLOCK_RX.test(unionText);
+const verifyBodies = [...unionText.matchAll(/<verify>([\s\S]*?)<\/verify>/gi)]
+  .map((m) => (m[1] || '').trim())
+  .filter(Boolean);
+const hasVerify = verifyBodies.length > 0;
 const hasCognition = lensCount >= REQUIRED_LENSES;
 const cognitionSource = inlineCog.count >= REQUIRED_LENSES
   ? 'inline-command'
@@ -881,6 +1083,176 @@ function pushDecision(decision, reasonText) {
   });
 }
 
+// ── Deploy-specific gate (doctrine #104) ────────────────────────────────
+// Per feedback_deploy_requires_verify_cognition.md (Hamza 2026-04-28 after
+// consciousness.ts crash took aria-soul into CrashLoopBackOff): deploys
+// require the verify block to cite commit/files/build/admission-policy
+// AND the cognition block to carry ≥DEPLOY_MIN_SUBSTRATE_ANCHORS substrate
+// anchors. The full-harness-binding doctrine says lenses without anchors
+// are unsourced prose — for deploys, that prose-only level of evidence is
+// not sufficient. The deploy gate refuses until anchors are present.
+if (deployMatched) {
+  // Anchor count is read from the cognition body (turn-scoped, same
+  // source the substrate-binding stop hook uses).
+  const cognitionBody = cogBlockBody || '';
+  const anchorMatches = cognitionBody.match(SUBSTRATE_ANCHOR_RX) || [];
+  const anchorCount = anchorMatches.length;
+
+  // Required verify-block fields specific to deploy.
+  const verifyBody = (() => {
+    if (verifyBodies.length === 0) return '';
+    let bestBody = verifyBodies[0];
+    let bestScore = -1;
+    for (const body of verifyBodies) {
+      const score = DEPLOY_VERIFY_REQUIRED_FIELDS.reduce(
+        (count, { rx }) => count + (rx.test(body) ? 1 : 0),
+        0,
+      );
+      if (score > bestScore) {
+        bestScore = score;
+        bestBody = body;
+      }
+    }
+    return bestBody;
+  })();
+  const missingDeployFields = DEPLOY_VERIFY_REQUIRED_FIELDS
+    .filter(({ rx }) => !rx.test(verifyBody))
+    .map(({ name }) => name);
+
+  // Heartbeat at deploy-gate entry — proves the gate reached this path
+  // even if a downstream exit fires silently (per
+  // feedback_ledger_writes_outside_crash_boundary.md).
+  try {
+    appendFileSync(HEARTBEAT, JSON.stringify({
+      ts: new Date().toISOString(), gate: 'aria-pre-tool-gate', stage: 'deploy-gate-entry',
+      deployPattern: deployMatched.name, hasVerify, hasCognition, lensCount, anchorCount,
+      missingDeployFields, cogBlockBodyLen: (cogBlockBody || '').length,
+      verifyBodyLen: verifyBody.length,
+    }) + '\n');
+  } catch {}
+
+  const deployBlocked =
+    !hasVerify ||
+    !hasCognition ||
+    anchorCount < DEPLOY_MIN_SUBSTRATE_ANCHORS ||
+    missingDeployFields.length > 0;
+
+  if (!deployBlocked) {
+    // Write justification artifact for deploy-service.sh to read.
+    // Doctrine #104 + bypass-vulnerability-closure 2026-04-28:
+    //   The artifact is HMAC-signed using a per-installation secret at
+    //   ~/.claude/.aria-gate-secret (0600). deploy-service.sh recomputes
+    //   the HMAC and refuses any artifact whose signature does not match
+    //   — this binds the artifact to having been written by THIS gate
+    //   process, preventing any other process from synthesizing a
+    //   passing artifact (which is exactly the bypass owner caught when
+    //   the assistant attempted a manualJustification:true write).
+    //
+    //   The secret is generated on first run if absent; the file is
+    //   chmod 0600 so other users cannot read it; deploy-service.sh
+    //   reads the same file and computes the same HMAC.
+    try {
+      const justificationPath = `${HOME}/.claude/.aria-deploy-justification.json`;
+      const secretPath = `${HOME}/.claude/.aria-gate-secret`;
+
+      // Lazy-generate per-installation secret if absent.
+      if (!existsSync(secretPath)) {
+        const secret = cryptoRandomBytes(32).toString('hex');
+        writeFileSync(secretPath, secret + '\n', { mode: 0o600 });
+        chmodSync(secretPath, 0o600);
+      }
+      const secret = readFileSync(secretPath, 'utf-8').trim();
+
+      // Build the unsigned artifact body. Note: deliberately reject any
+      // attempt to set `manualJustification` — only this gate emits the
+      // artifact, and a manual flag is by definition a forgery class.
+      const unsignedBody = {
+        timestamp: new Date().toISOString(),
+        sessionId,
+        deployPattern: deployMatched.name,
+        command: cmdPreview,
+        verify: verifyBody.trim().slice(0, 4000),
+        cognition: cogBlockBody.trim().slice(0, 8000),
+        substrateAnchors: anchorMatches.slice(0, 50),
+        anchorCount,
+        lensCount,
+        verifyFieldsPresent: DEPLOY_VERIFY_REQUIRED_FIELDS
+          .filter(({ rx }) => rx.test(verifyBody))
+          .map(({ name }) => name),
+      };
+
+      // HMAC-SHA256 over the canonical-JSON of the unsigned body.
+      // canonical-JSON = JSON.stringify with no signature field, no
+      // pretty-print whitespace, key order as written above.
+      const signature = createHmac('sha256', secret)
+        .update(JSON.stringify(unsignedBody))
+        .digest('hex');
+
+      const justification = {
+        ...unsignedBody,
+        signature,
+        signatureAlgo: 'HMAC-SHA256',
+      };
+      writeFileSync(justificationPath, JSON.stringify(justification, null, 2));
+    } catch (writeErr) {
+      // Write failure is non-fatal for the gate decision (the gate itself
+      // is the structural enforcement); log loudly per
+      // canonical-secrets-governance LOUD telemetry doctrine.
+      console.error(
+        `[aria-pre-tool-gate] WARN deploy-justification artifact write failed: ${(writeErr instanceof Error ? writeErr.message : String(writeErr)).slice(0, 200)}`,
+      );
+    }
+    audit(
+      `allow-deploy ${deployMatched.name} lenses=${lensCount} anchors=${anchorCount}`,
+      cmdPreview,
+    );
+    pushDecision(
+      'allow',
+      `verify+cognition+anchors(${anchorCount}) for deploy ${deployMatched.name}`,
+    );
+    process.exit(0);
+  }
+
+  // Build a focused refusal naming exactly which piece is missing.
+  const reasons = [];
+  if (!hasVerify) reasons.push('missing <verify> block');
+  if (!hasCognition) reasons.push(`missing <cognition> block (lenses=${lensCount}/${REQUIRED_LENSES})`);
+  if (hasCognition && anchorCount < DEPLOY_MIN_SUBSTRATE_ANCHORS) {
+    reasons.push(
+      `cognition block has ${anchorCount}/${DEPLOY_MIN_SUBSTRATE_ANCHORS} substrate anchors (axiom:/frame:/memory:/doctrine:/packet:)`,
+    );
+  }
+  if (missingDeployFields.length > 0) {
+    reasons.push(`<verify> block missing required fields: ${missingDeployFields.join(', ')}`);
+  }
+
+  const refusal = `Aria pre-tool gate: DEPLOY hard-block — pattern '${deployMatched.name}' detected.
+
+Per feedback_deploy_requires_verify_cognition.md (Hamza directive 2026-04-28 after consciousness.ts crash took aria-soul into CrashLoopBackOff), every deploy command requires:
+
+1. A <verify> block in the recent assistant text containing AT MINIMUM:
+   - target/role/verified/rollback/axiom (base verify fields)
+   - commit hash or files-changed listing
+   - tsc / build / type-check evidence
+   - admission policy citation (kubectl get validatingadmissionpolicy <service>-canonical-image-policy)
+
+2. A <cognition> block with ≥${REQUIRED_LENSES} substantive lenses AND ≥${DEPLOY_MIN_SUBSTRATE_ANCHORS} substrate anchors total (axiom:<name> / frame:<name> / memory:<file> / doctrine:<rule> / packet:<section>).
+
+Block reasons (this turn): ${reasons.join(' • ')}.
+
+The 2026-04-28 deploy of an empty consciousness.ts crashed aria-soul because no verify-block step caught the missing export at substrate-citation time. This gate is the structural enforcement that prevents the same gap.
+
+Re-emit verify+cognition with the missing pieces, then retry the deploy command. There is no env-var override path; doctrine #104 forbids it.`;
+
+  audit(
+    `block-deploy ${deployMatched.name} verify=${hasVerify} cognition=${lensCount} anchors=${anchorCount} missing=${missingDeployFields.join(',')}`,
+    cmdPreview,
+  );
+  pushDecision('block', `deploy ${deployMatched.name}: ${reasons.join('; ')}`);
+  console.log(JSON.stringify({ decision: 'block', reason: refusal }));
+  process.exit(2);
+}
+
 if (matched) {
   // Destructive — require BOTH verify (from transcript) AND cognition
   // (inline command preferred; transcript fallback). Verify stays
@@ -1004,6 +1376,153 @@ No env-var disable path — gates are unconditional from the gated process per H
   process.exit(2);
 }
 
+// ── Dalio expected_outcome gate ──────────────────────────────────────────────
+//
+// Every non-trivial action must carry an <expected> block with at least one
+// measurable predicate. Block is read from the same turn-scoped assistant text
+// window as cognition (unionText). Qualitative drift phrases are rejected even
+// when they appear inside an <expected> block.
+//
+// Hard-block path: block the tool call, name the missing block, cite doctrine.
+// Per feedback_no_graceful_degradation.md — never silent-pass.
+{
+  const expectedMatch = unionText.match(EXPECTED_BLOCK_RX);
+  const expectedBlockText = expectedMatch ? expectedMatch[1] : '';
+  const hasMeasurablePredicate = expectedBlockText
+    ? (MEASURABLE_PREDICATE_RX.test(expectedBlockText) && !QUALITATIVE_DRIFT_RX.test(expectedBlockText))
+    : false;
+
+  if (!expectedMatch || !hasMeasurablePredicate) {
+    const reason = expectedMatch
+      ? `Aria pre-tool gate: action requires a measurable predicate inside <expected> per doctrine:dalio_expected_required.
+
+Your <expected> block was found but contains only qualitative drift phrases (e.g. "better", "improved", "should work", "more reliable") without a concrete measurable predicate. These are unmeasurable and defeat the Dalio accountability loop.
+
+Replace with one of:
+  • Numeric:      exit_code==0, latency<200ms, count>=1, error_rate=0%
+  • Boolean:      exit=0, status=healthy, file=exists, rc=0
+  • State-string: "status=running", "200 OK", "count=3 of 3 passed"
+
+<expected>
+  predicate: exit_code==0 AND file=/home/hamzaibrahim1/.foo written
+  measurable_type: boolean
+  threshold: 0
+  eval_window_minutes: 1
+</expected>
+
+No bypass — doctrine:dalio_expected_required is unconditional for non-trivial actions.`
+      : `Aria pre-tool gate: action requires an <expected> block with measurable predicate per doctrine:dalio_expected_required.
+
+Every non-trivial action must state WHAT MEASURABLE STATE the action is expected to produce, so the stop-gate can compare predicted vs actual outcome and write a Dalio ledger entry.
+
+Required format (add to your assistant turn before this tool call):
+
+<expected>
+  predicate: <concrete measurable assertion — e.g. "exit_code==0", "status=running", "count>=1">
+  measurable_type: numeric | boolean | state_string
+  threshold: <optional — the exact boundary, e.g. 0 or "healthy">
+  eval_window_minutes: <optional — how long before this expires, e.g. 5>
+</expected>
+
+Accepted predicates:
+  • Numeric:      >=X, <=X, ==X, X%, count=N, latency<Xms, error_rate=0%
+  • Boolean:      exit=0, exit=1, true, false, file=exists, status=healthy
+  • State-string: "status=running", "200 OK", "exit=0", "no_error"
+
+REJECTED (qualitative drift): "better", "improved", "should work", "more reliable", "cleaner"
+
+No bypass — doctrine:dalio_expected_required is unconditional for non-trivial actions per feedback_implementation_coupled_cognition.md.`;
+
+    audit(`block-expected-missing ${toolName.toLowerCase()}`, cmdPreview);
+    pushDecision('block', `${toolName.toLowerCase()} missing <expected> measurable predicate`);
+    console.log(JSON.stringify({ decision: 'block', reason }));
+    process.exit(2);
+  }
+}
+
+// ── Sub-agent packet-citation check (Layer 4 — #84) ─────────────────────────
+//
+// When running inside a sub-agent process (detected by a non-stale handoff file
+// existing AND harnessPacketPath is set in that handoff), require the cognition
+// lens content to CITE THE PACKET — at least one of:
+//   - A doctrine rule ID (e.g. "doctrine_first", "no_demos", "workaround_vs_path_fix")
+//   - An axiom name (e.g. "truth_over_deception", "no_harm", "sacred_trust", "reflection_before_action")
+//   - A frame primitive (e.g. "Fitrah", "Tafakkur", "Tadabbur", "Ilham", "Mizan", "Hikma", "Nur", "Wahi", "Firasah")
+//   - A memory class reference (e.g. "feedback_*.md", "project_*.md", "reference_*.md")
+//
+// Owner-tier sessions (ownerTier.hamza === true AND no jti) are EXEMPT —
+// they are the source of truth for the packet itself.
+//
+// Fail-soft detection: handoff read errors silently skip this check.
+(function checkSubAgentPacketCitation() {
+  const _HOME = process.env.HOME || '/tmp';
+  // Try owner-tier handoff path first, then client-tier paths.
+  const HANDOFF_TTL_MS = 5 * 60 * 1000;
+  // Probe known handoff paths.
+  const candidatePaths = [
+    `${_HOME}/.claude/aria-agent-harness-handoff.json`,
+  ];
+  // Also check /var/lib/aria-licensee if that dir exists (client-tier).
+  try {
+    const licPath = `${_HOME}/.aria/license.json`;
+    if (existsSync(licPath)) {
+      const lic = JSON.parse(readFileSync(licPath, 'utf8'));
+      if (lic.jti) {
+        candidatePaths.push(`/var/lib/aria-licensee/${lic.jti}/handoff.json`);
+      }
+    }
+  } catch { /* non-fatal */ }
+
+  let handoff = null;
+  for (const hp of candidatePaths) {
+    if (!existsSync(hp)) continue;
+    try {
+      const raw = JSON.parse(readFileSync(hp, 'utf8'));
+      const ageMs = Date.now() - new Date(raw.writtenAt || 0).getTime();
+      if (ageMs > HANDOFF_TTL_MS) continue;   // stale handoff — not a sub-agent context
+      if (!raw.harnessPacketPath) continue;    // no packet path written → identity-only handoff, skip check
+      handoff = raw;
+      break;
+    } catch { /* malformed — skip */ }
+  }
+
+  if (!handoff) return; // not a sub-agent context, or handoff has no packetPath
+
+  // Owner-tier exemption: if ownerTier.hamza === true AND no jti → source of truth
+  const ownerExempt = (handoff.ownerTier?.hamza === true) && !handoff.ownerTier?.jti;
+  if (ownerExempt) return;
+
+  // Now verify that the cognition block cites at least one packet substrate token.
+  // Tokens accepted (case-insensitive):
+  //   • Doctrine rule IDs from feedback_*/project_*/reference_* filenames
+  //   • Axiom names: truth_over_deception, no_harm, sacred_trust, reflection_before_action
+  //   • Frame primitives: Fitrah, Tafakkur, Tadabbur, Ilham, Mizan, Hikma, Nur, Wahi, Firasah
+  //   • Memory class patterns: feedback_*.md, project_*.md, reference_*.md
+  const PACKET_CITE_RX = /\b(?:feedback_[a-z0-9_]+\.md|project_[a-z0-9_]+\.md|reference_[a-z0-9_]+\.md|doctrine_first|no_demos|workaround_vs_path_fix|no_flag_without_fix|implementation_coupled_cognition|session_starts_with_linear|gates_enforce_form_not_substance|truth_over_deception|no_harm|sacred_trust|reflection_before_action|power_obligates_service|fitrah|tafakkur|tadabbur|ilham|mizan|hikma|nur|wahi|firasah|harness\s*packet)\b/i;
+
+  const cogText = cogBlockBody || unionText;
+  const hasCite = PACKET_CITE_RX.test(cogText) || PACKET_CITE_RX.test(cmd);
+
+  if (!hasCite) {
+    const packetRef = handoff.harnessPacketPath;
+    const reason = `Sub-agent cognition cites no packet substrate — lens content must reference at least one axiom/frame/memory/doctrine from the harness packet at ${packetRef}.
+
+Accepted citations (case-insensitive, any ONE suffices):
+  • Doctrine rule IDs: doctrine_first, no_demos, workaround_vs_path_fix, no_flag_without_fix, etc.
+  • Axioms: truth_over_deception, no_harm, sacred_trust, reflection_before_action, power_obligates_service
+  • Frame primitives: Fitrah, Tafakkur, Tadabbur, Ilham, Mizan, Hikma, Nur, Wahi, Firasah
+  • Memory class refs: feedback_*.md, project_*.md, reference_*.md
+
+The harness packet is at: ${packetRef}
+Read it first (it is in your environment as ARIA_HARNESS_PACKET_PATH), then reference it in your cognition block.
+
+Cognition-theater rejected per feedback_gates_enforce_form_not_substance.md.`;
+    audit(`block-subagent-no-packet-cite ${toolName.toLowerCase()}`, cmdPreview);
+    console.log(JSON.stringify({ decision: 'block', reason }));
+    process.exit(2);
+  }
+})();
+
 // ── arch_facts gate (architectural violation scan) ────────────────────────
 //
 // Runs after cognition + discovery-binding pass, for Edit/Write/NotebookEdit.
@@ -1104,25 +1623,53 @@ if (__isBootstrapConsult) {
   bindingAuditAppend({ event: 'allow_bootstrap_consult', sessionId, target: __bindingActionClassification.target, toolName });
 }
 if (BINDING_ENABLED && !bindingBypassReason && !__isBootstrapConsult) {
-  const plan = loadActivePlan(sessionId);
+  let plan = loadActivePlan(sessionId);
   if (!plan) {
-    bindingAuditAppend({ event: 'block_no_active_plan', sessionId, toolName, cmdPreview });
-    const reason = `Aria binding gate: no active plan exists for this session and Aria-as-commander binding is required (ARIA_BINDING_ENABLED=true).
+    // INLINE architect-fallback (Hamza directive 2026-04-27 — no async stop-gate
+    // races). When no plan exists, fire architect-fallback synchronously here
+    // so a real plan is minted and loaded inside the same hook execution. If
+    // architect-fallback fails the gate still BLOCKS per doctrine (no bypass)
+    // but the block message includes the architect-fallback exit details so the
+    // failure is visible LOUDLY per feedback_no_graceful_degradation.md.
+    bindingAuditAppend({ event: 'no_plan_inline_fallback_attempt', sessionId, toolName });
+    const blockerReason = `pre-tool-gate inline fallback: no active plan for session ${sessionId} when ${toolName} was attempted on ${cmdPreview.slice(0, 200)}`;
+    const fallbackEvent = JSON.stringify({ reason: blockerReason, sessionId, toolName, currentPlanId: 'none' });
+    let architectExit = -1;
+    let architectStderr = '';
+    try {
+      const archProc = spawnSync(process.execPath, [`${HOME}/.claude/hooks/aria-architect-fallback.mjs`], {
+        input: fallbackEvent,
+        encoding: 'utf8',
+        timeout: 60000,
+      });
+      architectExit = archProc.status ?? -1;
+      architectStderr = (archProc.stderr || '').slice(0, 500);
+    } catch (err) {
+      architectStderr = String(err).slice(0, 500);
+    }
+    bindingAuditAppend({ event: 'architect_fallback_result', sessionId, exit: architectExit, stderr: architectStderr.slice(0, 300) });
 
-This means: preprompt-consult either hasn't fired yet OR consult failed and there's no prior plan to fall back to.
+    plan = loadActivePlan(sessionId);
+    if (plan) {
+      process.stderr.write(`\n✓ PRE-TOOL-GATE FALLBACK: architect-fallback minted plan ${plan.planId}. Continuing.\n`);
+      bindingAuditAppend({ event: 'architect_fallback_minted_plan', sessionId, planId: plan.planId });
+    } else {
+      bindingAuditAppend({ event: 'block_no_active_plan_after_fallback', sessionId, toolName, architectExit });
+      const reason = `Aria binding gate: no active plan exists AND inline architect-fallback failed (exit=${architectExit}). Plan-mint chain broken. ${architectStderr ? 'Architect stderr: ' + architectStderr : ''}
 
 What Claude must do:
-1. Acknowledge to Hamza that no plan was issued
-2. Propose holding for cluster recovery (lane-gateway / aria-soul / consult endpoint)
-3. Wait for the next user prompt — preprompt-consult will retry the consult; if it succeeds a plan will exist on the next tool call attempt
+1. Acknowledge to Hamza that the architect-fallback chain failed (visible in audit log)
+2. Surface the failure LOUDLY — this is a substrate-level break, not a routine consult miss
+3. Wait for next user prompt — preprompt-consult will retry; if it succeeds a plan will exist on next tool call
 
-Non-trivial actions are blocked until a plan exists. Trivial reads (ls/cat/grep) bypass automatically per existing whitelist. To temporarily disable binding for an emergency: ARIA_BINDING_ENABLED=false (logged).`;
-    console.log(JSON.stringify({ decision: 'block', reason }));
-    process.exit(2);
+Non-trivial actions are blocked until a plan exists. Trivial reads (ls/cat/grep) bypass automatically per existing whitelist. To temporarily disable binding for emergency: ARIA_BINDING_ENABLED=false (logged).`;
+      console.log(JSON.stringify({ decision: 'block', reason }));
+      process.exit(2);
+    }
   }
 
   const transcriptText = unionText || '';
-  const phaseInfo = pickCurrentPhase(plan, transcriptText);
+  let phaseInfo = pickCurrentPhase(plan, transcriptText);
 
   if (!phaseInfo) {
     // All phases reported complete — needs new consult before more action
@@ -1140,12 +1687,50 @@ This prevents Claude from drifting past Aria's authorized scope.`;
   }
 
   if (phaseInfo.abortedHere) {
-    bindingAuditAppend({ event: 'block_phase_aborted', sessionId, planId: plan.planId, phaseId: phaseInfo.phase.id, toolName });
-    const reason = `Aria binding gate: phase ${phaseInfo.phase.id} of plan ${plan.planId} was reported aborted in this transcript. Plan progression is halted.
+    // INLINE architect-fallback (Hamza directive 2026-04-27 — same recovery as
+    // no-plan branch above). When phase is aborted, fire architect-fallback
+    // synchronously here to mint a fresh plan instead of deadlocking. If
+    // architect-fallback fails the gate still BLOCKS per doctrine but the
+    // failure is LOUD per feedback_no_graceful_degradation.md.
+    bindingAuditAppend({ event: 'phase_aborted_inline_fallback_attempt', sessionId, planId: plan.planId, phaseId: phaseInfo.phase.id, toolName });
+    const blockerReason = `pre-tool-gate inline fallback: phase ${phaseInfo.phase.id} of plan ${plan.planId} aborted, ${toolName} attempted on ${cmdPreview.slice(0, 200)}`;
+    const fallbackEvent = JSON.stringify({ reason: blockerReason, sessionId, toolName, currentPlanId: plan.planId });
+    let architectExit = -1;
+    let architectStderr = '';
+    try {
+      const archProc = spawnSync(process.execPath, [`${HOME}/.claude/hooks/aria-architect-fallback.mjs`], {
+        input: fallbackEvent,
+        encoding: 'utf8',
+        timeout: 60000,
+      });
+      architectExit = archProc.status ?? -1;
+      architectStderr = (archProc.stderr || '').slice(0, 500);
+    } catch (err) {
+      architectStderr = String(err).slice(0, 500);
+    }
+    bindingAuditAppend({ event: 'aborted_phase_architect_fallback_result', sessionId, exit: architectExit, stderr: architectStderr.slice(0, 300) });
+
+    const freshPlan = loadActivePlan(sessionId);
+    if (freshPlan && freshPlan.planId !== plan.planId) {
+      process.stderr.write(`\n✓ PRE-TOOL-GATE FALLBACK: aborted phase recovered, fresh plan ${freshPlan.planId} minted. Continuing.\n`);
+      bindingAuditAppend({ event: 'aborted_phase_recovered', sessionId, oldPlanId: plan.planId, newPlanId: freshPlan.planId });
+      plan = freshPlan;
+      const freshPhaseInfo = pickCurrentPhase(plan, transcriptText);
+      if (!freshPhaseInfo || freshPhaseInfo.abortedHere) {
+        bindingAuditAppend({ event: 'block_aborted_phase_post_fallback_still_bad', sessionId, planId: plan.planId });
+        const reason = `Aria binding gate: aborted phase recovery minted plan ${plan.planId} but new plan also has no usable phase. Manual intervention required.`;
+        console.log(JSON.stringify({ decision: 'block', reason }));
+        process.exit(2);
+      }
+      phaseInfo = freshPhaseInfo;
+    } else {
+      bindingAuditAppend({ event: 'block_phase_aborted_fallback_failed', sessionId, planId: plan.planId, phaseId: phaseInfo.phase.id, architectExit });
+      const reason = `Aria binding gate: phase ${phaseInfo.phase.id} of plan ${plan.planId} was reported aborted AND inline architect-fallback failed (exit=${architectExit}). Plan progression halted. ${architectStderr ? 'Architect stderr: ' + architectStderr : ''}
 
 What Claude must do: emit [PLAN_BLOCKER reason="<concrete observation>" suggestedAmendment="<if any>"] for Hamza/Aria to issue a corrected plan. Do not continue executing the aborted plan.`;
-    console.log(JSON.stringify({ decision: 'block', reason }));
-    process.exit(2);
+      console.log(JSON.stringify({ decision: 'block', reason }));
+      process.exit(2);
+    }
   }
 
   const { action, target } = classifyToolForBinding(toolName, cmd, filePath);
@@ -1155,13 +1740,22 @@ What Claude must do: emit [PLAN_BLOCKER reason="<concrete observation>" suggeste
   const forbidden = (phase.forbiddenActions || []).find((p) => actionMatchesPattern(action, p, target));
   if (forbidden) {
     bindingAuditAppend({ event: 'block_forbidden_action', sessionId, planId: plan.planId, phaseId: phase.id, action, target, matchedRule: forbidden });
+    // Hive recipe lookup BEFORE emitting the block — if the same shape has
+    // fired before, surface the recipe inline. Lookup is fail-soft: a probe
+    // failure leaves the block message unchanged.
+    const lookup = await lookupBlockPatternRecipe({
+      detectorClass: 'doctrine_violation',
+      signature: `binding-forbidden::action=${action}::matches=${forbidden}`,
+      tenantId: sessionId,
+    });
+    const recipeAddendum = renderRecipeAddendum(lookup);
     const reason = `Aria binding gate: action "${action}" on target "${target}" matches forbidden pattern "${forbidden}" for current phase ${phase.id} ("${phase.summary}") of plan ${plan.planId}.
 
 Phase summary: ${phase.summary}
 Forbidden actions for this phase: ${(phase.forbiddenActions || []).join(', ') || '(none)'}
 Allowed actions for this phase: ${(phase.allowedActions || []).join(', ') || '(none)'}
 
-Claude must either: (a) reframe the action to fit allowedActions, OR (b) emit [PLAN_BLOCKER reason="..."] requesting Aria amend the plan.`;
+Claude must either: (a) reframe the action to fit allowedActions, OR (b) emit [PLAN_BLOCKER reason="..."] requesting Aria amend the plan.${recipeAddendum}`;
     console.log(JSON.stringify({ decision: 'block', reason }));
     process.exit(2);
   }
@@ -1169,12 +1763,18 @@ Claude must either: (a) reframe the action to fit allowedActions, OR (b) emit [P
   const allowed = (phase.allowedActions || []).find((p) => actionMatchesPattern(action, p, target));
   if (!allowed) {
     bindingAuditAppend({ event: 'block_action_not_in_allowed_list', sessionId, planId: plan.planId, phaseId: phase.id, action, target });
+    const lookup = await lookupBlockPatternRecipe({
+      detectorClass: 'doctrine_violation',
+      signature: `binding-not-allowed::action=${action}::phase=${phase.id}`,
+      tenantId: sessionId,
+    });
+    const recipeAddendum = renderRecipeAddendum(lookup);
     const reason = `Aria binding gate: action "${action}" on target "${target}" is NOT in allowedActions for current phase ${phase.id} of plan ${plan.planId}.
 
 Phase summary: ${phase.summary}
 Allowed actions: ${(phase.allowedActions || []).join(', ') || '(none — phase is observation-only)'}
 
-Claude must either: (a) reframe action to fit allowedActions, OR (b) emit [PLAN_BLOCKER reason="..."] for plan amendment.`;
+Claude must either: (a) reframe action to fit allowedActions, OR (b) emit [PLAN_BLOCKER reason="..."] for plan amendment.${recipeAddendum}`;
     console.log(JSON.stringify({ decision: 'block', reason }));
     process.exit(2);
   }
@@ -1182,7 +1782,352 @@ Claude must either: (a) reframe action to fit allowedActions, OR (b) emit [PLAN_
   bindingAuditAppend({ event: 'allow_phase_action', sessionId, planId: plan.planId, phaseId: phase.id, action, target });
 }
 
-// Non-trivial action with cognition AND (binding-allowed OR binding-disabled) — allow.
+// ── Outcome Ledger regression flag (fail-soft) ───────────────────────────────
+//
+// Before allowing, query aria_outcome_ledger for recent regressions on the same
+// action shape. This is NOT a block — it's a soft-warning surfaced to stderr so
+// the agent can see the risk and decide whether the root cause has shipped.
+//
+// action_kind: 'edit' for Edit/Write/NotebookEdit, 'bash' for Bash
+// action_target: file path for file tools; first word of bash command otherwise
+//
+// Fail-open: network errors, timeouts, or non-200 responses are silently ignored.
+// The gate does not hardcode timeouts (no-timeouts doctrine); the 3s AbortController
+// is a DETECTION PROBE — if the endpoint is alive it will respond quickly; if it
+// is down the catch path fail-opens without blocking the developer.
+(async function checkOutcomeLedger() {
+  const _harnessUrl =
+    process.env.ARIA_HIVE_RUNTIME_URL ||
+    process.env.ARIA_HARNESS_BASE_URL ||
+    process.env.ARIA_HARNESS_URL ||
+    'https://harness.ariasos.com';
+  const _harnessToken = process.env.ARIA_HARNESS_TOKEN || '';
+
+  // Derive action_kind and action_target from current tool call
+  let _actionKind = 'bash';
+  let _actionTarget = '';
+  if (toolName === 'Edit' || toolName === 'Write' || toolName === 'NotebookEdit') {
+    _actionKind = 'edit';
+    _actionTarget = filePath;
+  } else if (toolName === 'Bash') {
+    _actionKind = 'bash';
+    // First word of the command (the verb) as the shape key
+    _actionTarget = cmd.trim().split(/\s+/)[0] || '';
+    // If the command touches a specific file path, prefer that as target
+    // (captures edit-like bash operations: sed, awk, tee, etc.)
+    const _fileArgMatch = cmd.match(/\b([\w./~-]+\.[a-z]{2,6})\b/i);
+    if (_fileArgMatch) _actionTarget = _fileArgMatch[1];
+  }
+
+  if (!_actionTarget) return; // nothing useful to query
+
+  try {
+    const _ctl = new AbortController();
+    const _probeTimer = setTimeout(() => _ctl.abort(), 3000);
+    let _resp;
+    try {
+      const _params = new URLSearchParams({ action_kind: _actionKind, action_target: _actionTarget });
+      _resp = await fetch(`${_harnessUrl}/api/harness/outcome-recent-regressions?${_params}`, {
+        method: 'GET',
+        headers: {
+          'Content-Type': 'application/json',
+          ...(_harnessToken ? { Authorization: `Bearer ${_harnessToken}` } : {}),
+        },
+        signal: _ctl.signal,
+      });
+    } finally {
+      clearTimeout(_probeTimer);
+    }
+
+    if (!_resp || !_resp.ok) return; // endpoint unreachable or error — fail-open
+    const _data = await _resp.json();
+    const _regressions = Array.isArray(_data?.regressions) ? _data.regressions : [];
+
+    if (_regressions.length > 0) {
+      // Soft-warning to stderr — visible in Claude Code's hook output but does NOT block
+      const _lines = _regressions.map(
+        (r) => `  - ${r.action_target} at ${new Date(r.created_at).toISOString()}: ${r.regression_signal || '(no signal text)'}`,
+      ).join('\n');
+      process.stderr.write(
+        `⚠️  Aria Outcome Ledger: this action shape regressed ${_regressions.length} time(s) in the last 60 min:\n` +
+        `${_lines}\n` +
+        `Re-emitting with this risk visible. Proceed only if root cause has shipped since.\n`,
+      );
+      audit(`warn-ledger-regression ${_actionKind} target=${_actionTarget} count=${_regressions.length}`, cmdPreview);
+    }
+  } catch {
+    // Network error, abort, parse failure — fail-open, no warning
+  }
+})();
+
+// ── Substrate-bound contract gate via SDK.checkAction ──────────────────────
+// Hamza directive 2026-04-28: local cognition substance + binding-plan gates
+// pass, but the substrate has its own contract gate that knows about deploy
+// state, soul-charge, hospital admission policy, etc. checkAction returns
+// { allowed, reason, requiredGates }. allowed:false halts the tool with the
+// substrate's reason. SDK call failure is non-blocking (fail-open) — halting
+// every tool when substrate is down would brick the orchestrator, but the
+// failure is logged for telemetry.
+try {
+  const { HTTPHarnessClient } = await import('@aria/harness-http-client');
+  const { readFileSync: __fsRead, existsSync: __fsExists } = await import('node:fs');
+  const { homedir: __homedir } = await import('node:os');
+  const __home = __homedir();
+  const __tokenPath = `${__home}/.aria/owner-token`;
+  const __licensePath = `${__home}/.aria/license.json`;
+  // Tier detection: client if license.json has a jti, else owner.
+  // Hamza correction 2026-04-28b: master/owner-token credentials belong
+  // to Hamza only — never resolve them on client-tier processes.
+  let __isOwner = true;
+  try {
+    if (__fsExists(__licensePath)) {
+      const __lic = JSON.parse(__fsRead(__licensePath, 'utf8'));
+      __isOwner = !__lic.jti;
+    }
+  } catch { __isOwner = true; }
+  // Resolution: ARIA_HARNESS_TOKEN env first (both tiers). ONLY on owner
+  // tier, fall back to master/api-key env or owner-token file.
+  let __apiKey = process.env.ARIA_HARNESS_TOKEN || '';
+  if (!__apiKey && __isOwner) {
+    __apiKey = process.env.ARIA_MASTER_TOKEN
+      || process.env.ARIA_API_KEY
+      || (__fsExists(__tokenPath) ? __fsRead(__tokenPath, 'utf8').trim() : '');
+  }
+  // Map Claude tool names → checkAction action enum (substrate signature is
+  // 'deploy'|'build'|'write'|'delete'). Most state-mutating tools map to
+  // 'write'; explicit deploy/destructive cases would map elsewhere if the
+  // substrate widens the enum later.
+  const __toolToAction = { Bash: 'write', Edit: 'write', Write: 'write', NotebookEdit: 'write' };
+  const __action = __toolToAction[toolName];
+  if (__apiKey && __action) {
+    const __client = new HTTPHarnessClient({
+      baseUrl:
+        process.env.ARIA_HIVE_RUNTIME_URL ||
+        process.env.ARIA_HARNESS_BASE_URL ||
+        process.env.ARIA_HARNESS_URL ||
+        'https://harness.ariasos.com',
+      apiKey: __apiKey,
+    });
+    const __target = JSON.stringify(toolInput || {}).slice(0, 500);
+    const __check = await __client.checkAction(__action, __target);
+    if (__check && __check.allowed === false) {
+      const __reason = `Aria substrate checkAction DENIED for ${toolName}/${__action}: ${__check.reason || 'no reason given'}. Required gates: [${(__check.requiredGates || []).join(', ')}].
+
+The substrate's contract gate refused this action. Local doctrine gates passed (cognition lenses, binding plan, drift) but the substrate sees a downstream contract that disallows this tool call. Address the substrate's reason above before retrying.`;
+      audit(`block-substrate-checkAction ${toolName.toLowerCase()} action=${__action} reason="${(__check.reason || '').slice(0, 80)}"`, cmdPreview);
+      pushDecision('block', `substrate checkAction denied: ${(__check.reason || 'unspecified').slice(0, 100)}`);
+      console.log(JSON.stringify({ decision: 'block', reason: __reason }));
+      process.exit(2);
+    }
+  }
+} catch (err) {
+  // SDK call failure is non-blocking — gate degrades to local-only doctrine.
+  // The failure is recorded so a fleet probe can detect substrate-side
+  // contract gate outages.
+  console.warn(`[pre-tool-gate] substrate checkAction failed: ${err && err.message ? err.message : err}`);
+}
+
+// ── Hive session-lock check ───────────────────────────────────────────────────
+// For Edit/Write/NotebookEdit: check file_path against hive_session_locks.
+// For Bash with file-mutating verbs (rm, mv, sed -i, awk, tee, cp, chmod,
+//   truncate, install): extract the file argument and check it.
+//
+// If an active lock exists from a DIFFERENT session, BLOCK with coordination
+// instructions. Fail-open only on network error (endpoint unreachable).
+//
+// Per feedback_no_graceful_degradation.md: parse errors and non-network
+//   failures surface in the block reason — they are not silently ignored.
+// Per feedback_no_timeouts_doctrine.md: no AbortSignal or setTimeout.
+(async function checkHiveSessionLock() {
+  // Determine the file path to check
+  let _lockCheckPath = '';
+
+  if (toolName === 'Edit' || toolName === 'Write' || toolName === 'NotebookEdit') {
+    _lockCheckPath = filePath;
+  } else if (toolName === 'Bash') {
+    // Destructive bash verbs that mutate files — extract the file argument
+    const _mutatingVerbRx = /^(rm|mv|cp|sed\s+-i|awk\s+.*-i|tee|truncate|install|chmod|chown)\b/;
+    if (_mutatingVerbRx.test(cmd.trim())) {
+      // Extract the first file-path argument: look for something with /
+      const _pathMatch = cmd.match(/\s+((?:\/|~\/|\.\.?\/|[\w.-]+\/)[^\s'"]+)/);
+      if (_pathMatch) _lockCheckPath = _pathMatch[1];
+    }
+  }
+
+  if (!_lockCheckPath) return; // no file target — skip lock check
+
+  const _soulUrl =
+    process.env.ARIA_HIVE_RUNTIME_URL ||
+    process.env.ARIA_SOUL_URL ||
+    process.env.ARIA_HARNESS_BASE_URL ||
+    process.env.ARIA_HARNESS_URL ||
+    'https://harness.ariasos.com';
+  const _harnessToken = process.env.ARIA_HARNESS_TOKEN || '';
+
+  let _lockResp;
+  try {
+    const _params = new URLSearchParams({ file_path: _lockCheckPath });
+    _lockResp = await fetch(`${_soulUrl}/api/hive/session-lock?${_params}`, {
+      method: 'GET',
+      headers: {
+        'Content-Type': 'application/json',
+        ...(_harnessToken ? { Authorization: `Bearer ${_harnessToken}` } : {}),
+      },
+    });
+  } catch (_netErr) {
+    // Endpoint unreachable — fail-open. Lock check is a coordination layer,
+    // not a safety hard-stop. Infra-down must not block all development.
+    audit(`allow-lock-check-network-error path=${_lockCheckPath.slice(0, 80)}`, cmdPreview);
+    return;
+  }
+
+  if (!_lockResp.ok) {
+    // Non-200 — route may not be deployed yet. Fail-open with audit record.
+    audit(`allow-lock-check-http-error status=${_lockResp.status} path=${_lockCheckPath.slice(0, 80)}`, cmdPreview);
+    return;
+  }
+
+  // Per feedback_no_graceful_degradation.md: JSON parse error is surfaced,
+  // not swallowed. A malformed response IS a defect that must be visible.
+  const _lockData = await _lockResp.json();
+  const _activeLocks = Array.isArray(_lockData?.locks) ? _lockData.locks : [];
+
+  // Filter to locks from a DIFFERENT session
+  const _conflictingLocks = _activeLocks.filter(
+    (l) => l.session_id && String(l.session_id) !== String(sessionId),
+  );
+
+  if (_conflictingLocks.length === 0) {
+    audit(`allow-lock-clear path=${_lockCheckPath.slice(0, 80)}`, cmdPreview);
+    return; // no conflict — proceed
+  }
+
+  // ── Auto-post coordination message to each conflicting session ───────────
+  // Per hive-session-coordination doctrine (memory:feedback_hive_session_coordination.md):
+  // when a lock conflict is detected, the gate AUTOMATICALLY posts a
+  // lock_conflict_request session-message to each conflicting session so they see
+  // the inbound coordination request in their next turn's HIVE_SESSION_INBOX block.
+  // The model never has to manually post — the gate is the structural binding.
+  //
+  // Per feedback_no_timeouts_doctrine.md: no AbortSignal or setTimeout.
+  // Per feedback_no_graceful_degradation.md: message-post failures are logged
+  // loudly to stderr; they do NOT silently degrade — the block still fires regardless.
+  const _autoMessageIds = [];
+  for (const _conflict of _conflictingLocks) {
+    try {
+      const _msgId = `lock-conflict-${sessionId}-${Date.now().toString(36)}-${Math.random().toString(36).slice(2, 7)}`;
+      const _requestedAt = new Date().toISOString();
+      const _msgBody = {
+        coordination_protocol: 'aria-hive-lock-conflict/v2',
+        coordination_key: `file:${_lockCheckPath}`,
+        file_path: _lockCheckPath,
+        requesting_session_id: sessionId,
+        requesting_client_id: 'aria-connector',
+        requesting_surface: 'pre-tool-gate',
+        intent_summary: `Session ${sessionId} attempted to edit ${_lockCheckPath} via ${toolName} but found your active lock. Requesting coordination — please release when done.`,
+        requested_at: _requestedAt,
+        tool_name: toolName,
+        command_preview: cmdPreview,
+        file_claims: [{ path: _lockCheckPath, intent: 'edit' }],
+        target_lock: {
+          lock_id: _conflict.lock_id ?? null,
+          session_id: _conflict.session_id ?? null,
+          client_id: _conflict.client_id ?? null,
+          surface: _conflict.surface ?? null,
+          locked_at: _conflict.locked_at ?? null,
+          expires_at: _conflict.expires_at ?? null,
+        },
+      };
+      const _msgResp = await fetch(`${_soulUrl}/api/hive/session-message`, {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+          ...(_harnessToken ? { Authorization: `Bearer ${_harnessToken}` } : {}),
+        },
+        body: JSON.stringify({
+          message_id: _msgId,
+          from_session_id: sessionId,
+          to_session_id: _conflict.session_id,
+          topic: 'lock_conflict_request',
+          body: _msgBody,
+        }),
+      });
+      if (_msgResp.ok) {
+        _autoMessageIds.push({ session_id: _conflict.session_id, message_id: _msgId });
+        audit(`auto-msg-sent lock-conflict to=${_conflict.session_id} msg=${_msgId} path=${_lockCheckPath.slice(0, 60)}`, cmdPreview);
+      } else {
+        const _errText = await _msgResp.text().catch(() => 'unreadable');
+        process.stderr.write(
+          `[aria-pre-tool-gate] WARN auto-message to session ${_conflict.session_id} failed: HTTP ${_msgResp.status} ${_errText.slice(0, 200)}\n`,
+        );
+        audit(`auto-msg-failed lock-conflict to=${_conflict.session_id} status=${_msgResp.status} path=${_lockCheckPath.slice(0, 60)}`, cmdPreview);
+      }
+    } catch (_msgErr) {
+      // Network error posting auto-message — log loudly per no-graceful-degradation doctrine.
+      // Block still fires; auto-message is additive signal, not a safety gate.
+      process.stderr.write(
+        `[aria-pre-tool-gate] WARN auto-message to session ${_conflict.session_id} threw: ${_msgErr instanceof Error ? _msgErr.message : String(_msgErr)}\n`,
+      );
+      audit(`auto-msg-error lock-conflict to=${_conflict.session_id} path=${_lockCheckPath.slice(0, 60)}`, cmdPreview);
+    }
+  }
+
+  const _conflictDetails = _conflictingLocks.map((l) => {
+    const _ago = l.locked_at ? `since ${l.locked_at}` : '';
+    const _expires = l.expires_at ? `, expires ${l.expires_at}` : '';
+    const _who = l.client_id ? ` (client: ${l.client_id})` : '';
+    const _surface = l.surface ? ` [${l.surface}]` : '';
+    const _sentMsg = _autoMessageIds.find((m) => m.session_id === l.session_id);
+    const _msgNote = _sentMsg
+      ? ` [auto-coordination message posted: ${_sentMsg.message_id}]`
+      : ' [auto-message failed — coordinate manually]';
+    return `  - Session ${l.session_id}${_who}${_surface} holds lock on ${l.file_path} ${_ago}${_expires}${_msgNote}`;
+  }).join('\n');
+
+  const _autoMsgSummary = _autoMessageIds.length > 0
+    ? `\nAuto-coordination: gate posted lock_conflict_request message(s) to ${_autoMessageIds.map((m) => `session ${m.session_id} (msg: ${m.message_id})`).join(', ')}. They will see this inbound on their next turn via [HIVE_SESSION_INBOX].`
+    : '\nAuto-coordination message could not be delivered (see stderr). Coordinate manually via POST /api/hive/session-message.';
+
+  const _lockBlockReason = `Hive session-lock conflict: another session holds an active lock on this file.
+
+File: ${_lockCheckPath}
+
+Conflicting locks:
+${_conflictDetails}
+${_autoMsgSummary}
+
+Resolution:
+  1. A lock_conflict_request message was automatically posted to the lock-holding session. Wait for them to see it.
+  2. They release via: aria hive lock release --lock-id <ID>  OR  DELETE /api/hive/session-lock.
+  3. No automatic timeout-based release — explicit release only (memory:feedback_no_timeouts_doctrine.md).
+  4. Retry this action — the gate allows when no conflicting lock exists.
+
+Per memory:feedback_hive_session_coordination.md: blind-edit on the same file from concurrent sessions
+causes merge conflicts and state divergence. Explicit coordination is the only safe path.`;
+
+  audit(`block-hive-lock-conflict path=${_lockCheckPath.slice(0, 80)} conflicting_sessions=${_conflictingLocks.map((l) => l.session_id).join(',')} auto_msgs=${_autoMessageIds.length}`, cmdPreview);
+  pushDecision('block', `hive session-lock conflict on ${_lockCheckPath.slice(0, 80)}`);
+  console.log(JSON.stringify({
+    decision: 'block',
+    reason: _lockBlockReason,
+    hookSpecificOutput: {
+      hookEventName: 'PreToolUse',
+      conflicting_locks: _conflictingLocks,
+      auto_coordination_messages: _autoMessageIds,
+      recovery: {
+        action: 'wait_for_lock_release_then_retry',
+        file_path: _lockCheckPath,
+        conflicting_session_ids: _conflictingLocks.map((l) => l.session_id),
+        auto_message_posted: _autoMessageIds.length > 0,
+        send_message_endpoint: '/api/hive/session-message',
+        release_lock_endpoint: '/api/hive/session-lock',
+      },
+    },
+  }));
+  process.exit(2);
+})();
+
+// Non-trivial action with cognition AND (binding-allowed OR binding-disabled) AND substrate-cleared — allow.
 audit(`allow-cognition ${toolName.toLowerCase()} lenses=${lensCount} via=${cognitionSource}`, cmdPreview);
 pushDecision('allow', `${toolName.toLowerCase()} with ${lensCount} lenses (${cognitionSource})`);
 process.exit(0);