@aria_asi/cli 0.2.25 → 0.2.29

package/hooks/aria-stop-gate.mjs

@@ -1,4 +1,5 @@
 #!/usr/bin/env node
+// ARIA_ALLOW_STUB — doctrine gate file legitimately discusses stub/placeholder semantics.
 // Aria Stop-hook gate — enforces 8-lens cognition on text-decision responses.
 //
 // The companion to aria-pre-tool-gate.mjs. The PreToolUse gate catches
@@ -46,31 +47,46 @@
 // Future: signed-grant override mechanism at ~/.aria/owner-overrides/<hook>.json
 // with HMAC signature using a secret only Hamza holds. Deferred to next session.
 
-import { readFileSync, appendFileSync, existsSync, mkdirSync } from 'node:fs';
+import { readFileSync, existsSync, mkdirSync, writeFileSync } from 'node:fs';
 import { dirname } from 'node:path';
+import { appendGateAudit } from './lib/gate-audit.mjs';
+import {
+  ALL_LENS_NAMES,
+  canonicalLensCorrectionText,
+  detectCognitionLenses as detectCognitionLensesFromCanonical,
+  lensNamesForTier,
+} from './lib/canonical-lenses.mjs';
 
 const HOME = process.env.HOME || '/tmp';
 const LOG = `${HOME}/.claude/aria-stop-gate.log`;
+const AUDIT_PATH = `${HOME}/.claude/aria-stop-gate-audit.jsonl`;
 
-// SDK loader — bundled at ~/.claude/aria-sdk/index.js by `aria connect`.
+// SDK loader — bundled at ~/.aria/sdk by `aria connect`, with client-local
+// fallbacks preserved for resilience.
 // All control-plane fetches (validateOutput, gardenTurn) route through the
 // SDK. Falls back to direct fetch only when the SDK file is missing
 // (dev-only). Hamza 2026-04-27: "FUCKING WIRE IT THE FUCK TOGETHER NOW".
 let _SdkClassCache = null;
 let _SdkLookupAttempted = false;
+const SDK_CANDIDATES = [
+  `${HOME}/.aria/sdk/index.js`,
+  `${HOME}/.claude/aria-sdk/index.js`,
+  `${HOME}/.codex/aria-sdk/index.js`,
+];
 async function loadSdkClass() {
   if (_SdkClassCache) return _SdkClassCache;
   if (_SdkLookupAttempted) return null;
   _SdkLookupAttempted = true;
-  const sdkPath = `${HOME}/.claude/aria-sdk/index.js`;
-  if (!existsSync(sdkPath)) return null;
-  try {
-    const mod = await import(`file://${sdkPath}`);
-    if (mod.HTTPHarnessClient) {
-      _SdkClassCache = mod.HTTPHarnessClient;
-      return _SdkClassCache;
-    }
-  } catch {/* fall through */}
+  for (const sdkPath of SDK_CANDIDATES) {
+    if (!existsSync(sdkPath)) continue;
+    try {
+      const mod = await import(`file://${sdkPath}`);
+      if (mod.HTTPHarnessClient) {
+        _SdkClassCache = mod.HTTPHarnessClient;
+        return _SdkClassCache;
+      }
+    } catch {/* fall through */}
+  }
   return null;
 }
 
@@ -85,11 +101,47 @@ async function loadSdkClass() {
 // passes in a userMessage string (extracted from the transcript at the
 // turn boundary). If extraction failed the empty string is passed — the
 // garden write records the assistant emit at minimum.
+// Tier detection: owner if no license.json, client if license.json has a jti.
+// Owner-tier may use master credentials; client-tier MUST NOT (those belong
+// to Hamza, not the licensee). Hamza correction 2026-04-28.
+function isOwnerTier() {
+  try {
+    const licPath = `${HOME}/.aria/license.json`;
+    if (!existsSync(licPath)) return true;
+    const lic = JSON.parse(readFileSync(licPath, 'utf8'));
+    return !lic.jti; // jti present = client tier
+  } catch {
+    return true; // unreadable license = treat as owner (fail-safe for orchestrator)
+  }
+}
+
 async function fireGardenTurn(sessionId, userMessage, assistantResponse) {
-  const harnessUrl = process.env.ARIA_HARNESS_URL || 'https://harness.ariasos.com';
-  const harnessToken = process.env.ARIA_HARNESS_TOKEN || '';
+  const harnessUrl =
+    process.env.ARIA_HIVE_RUNTIME_URL ||
+    process.env.ARIA_HARNESS_BASE_URL ||
+    process.env.ARIA_HARNESS_URL ||
+    'https://harness.ariasos.com';
+  // Token resolution chain (Hamza directive 2026-04-28, tier-aware
+  // 2026-04-28b): ARIA_HARNESS_TOKEN env first (works for both tiers).
+  // ONLY on owner tier (no license.json with jti), fall back to
+  // ARIA_MASTER_TOKEN env / ARIA_API_KEY env / ~/.aria/owner-token —
+  // those are Hamza's credentials and must not leak into client-tier
+  // processes. Client tier with no ARIA_HARNESS_TOKEN env skips the
+  // garden write rather than borrow owner credentials.
+  let harnessToken = process.env.ARIA_HARNESS_TOKEN || '';
+  if (!harnessToken && isOwnerTier()) {
+    harnessToken = process.env.ARIA_MASTER_TOKEN || process.env.ARIA_API_KEY || '';
+    if (!harnessToken) {
+      try {
+        const ownerTokenPath = `${HOME}/.aria/owner-token`;
+        if (existsSync(ownerTokenPath)) {
+          harnessToken = readFileSync(ownerTokenPath, 'utf8').trim();
+        }
+      } catch { /* non-fatal — fall through to skip */ }
+    }
+  }
   if (!harnessToken) {
-    audit('garden-turn-skip', `no ARIA_HARNESS_TOKEN — turn not written to harness pulse`);
+    audit('garden-turn-skip', `no usable token (tier=${isOwnerTier() ? 'owner' : 'client'}) — turn not written to harness pulse`);
     return;
   }
   const Cls = await loadSdkClass();
@@ -116,10 +168,16 @@ async function fireGardenTurn(sessionId, userMessage, assistantResponse) {
 }
 
 function audit(decision, summary) {
-  try {
-    if (!existsSync(dirname(LOG))) mkdirSync(dirname(LOG), { recursive: true });
-    appendFileSync(LOG, `${new Date().toISOString()} ${decision} ${summary}\n`);
-  } catch {}
+  const summaryText = typeof summary === 'string' ? summary : '';
+  const data = summary && typeof summary === 'object' ? summary : {};
+  appendGateAudit({
+    auditPath: AUDIT_PATH,
+    legacyLogPath: LOG,
+    gate: 'stop',
+    event: decision,
+    summary: summaryText,
+    data,
+  });
 }
 
 // Env-var kill-switch removed 2026-04-27 per Hamza directive ("those
@@ -152,9 +210,8 @@ function resolveOwnerTier() {
 
 const IS_OWNER = resolveOwnerTier();
 
-const LENS_NAMES_CANONICAL = ['nur', 'mizan', 'hikma', 'tafakkur', 'tadabbur', 'ilham', 'wahi', 'firasah'];
-const LENS_NAMES_GENERIC   = ['perception', 'balance', 'wisdom', 'reflection', 'foresight', 'insight', 'revelation', 'discernment'];
-const LENS_NAMES = IS_OWNER ? LENS_NAMES_CANONICAL : LENS_NAMES_GENERIC;
+const LENS_NAMES = lensNamesForTier(IS_OWNER);
+const CANONICAL_LENS_TEXT = canonicalLensCorrectionText();
 
 // Doctrine memory filenames are Aria-side substrate IP.
 // Client surfaces see generic descriptions instead of real filenames.
@@ -162,8 +219,60 @@ function docRef(canonicalFilename, genericDescription) {
   return IS_OWNER ? canonicalFilename : genericDescription;
 }
 
-// Lens substance check — same constants as aria-pre-tool-gate.mjs
-const REQUIRED_LENSES = 4;
+const DOCTRINE_REFERENCE_PREFIX_RX = /(?:memory|doctrine|frame|axiom|packet):[a-z0-9_./-]*$/i;
+
+function isDoctrineReference(text, matchIndex) {
+  const window = text.slice(Math.max(0, matchIndex - 80), matchIndex);
+  return DOCTRINE_REFERENCE_PREFIX_RX.test(window);
+}
+
+function collectDriftHits(text, triggerMap) {
+  const hits = [];
+  const lowerText = text.toLowerCase();
+  for (const triggerEntry of triggerMap.triggers || []) {
+    try {
+      const rx = new RegExp(triggerEntry.trigger, 'ig');
+      let matchedOutsideDoctrineRef = false;
+      for (const match of text.matchAll(rx)) {
+        const idx = typeof match.index === 'number' ? match.index : -1;
+        if (idx >= 0 && isDoctrineReference(text, idx)) continue;
+        matchedOutsideDoctrineRef = true;
+        break;
+      }
+      if (!matchedOutsideDoctrineRef) continue;
+      const memoryName = (triggerEntry.memory || '').replace(/\.md$/, '');
+      const memoryCited = memoryName && lowerText.includes(memoryName.toLowerCase());
+      if (!memoryCited) {
+        hits.push({
+          trigger: triggerEntry.trigger,
+          memory: triggerEntry.memory,
+          teaching: triggerEntry.teaching,
+        });
+      }
+    } catch {/* malformed regex in trigger entry — skip */}
+  }
+  return hits;
+}
+
+function emitHarnessFooter({ eventName, lensCount, chars, driftCount, mizanStatus, discoveryOpenCount, codeCount, implCouplingCount }) {
+  try {
+    console.error([
+      '[Aria · turn]',
+      `event=${eventName}`,
+      `lenses=${lensCount}`,
+      `chars=${chars}`,
+      `drift=${driftCount}`,
+      `mizan=${mizanStatus}`,
+      `discoveries_open=${discoveryOpenCount}`,
+      `code=${codeCount}`,
+      `impl=${implCouplingCount}`,
+    ].join(' '));
+  } catch {}
+}
+
+// Lens substance check — same constants as aria-pre-tool-gate.mjs.
+// Hamza directive 2026-04-28: all 8 canonical lenses required, not 4-of-8.
+const REQUIRED_LENSES = 8;
 const SUBSTANCE_MIN_CHARS = 20;
 const PLACEHOLDER_RX = /^\s*<[^<>]+>\s*$/;
 const COGNITION_BLOCK_RX = /<cognition>([\s\S]*?)<\/cognition>/i;
@@ -174,23 +283,12 @@ const DECISION_SIGNAL_RX = /(?:should|recommend|propose|suggest|let'?s|go with|i
 const TRIVIAL_ACK_RX = /^(?:got it|on it|ok|sure|yes|no|done|ack|👍|✓)\b/i;
 
 function detectCognitionLenses(text) {
-  if (!text) return { count: 0, names: [] };
-  const block = text.match(COGNITION_BLOCK_RX);
-  const searchSpace = block ? block[1] : text;
-  const names = [];
-  for (const lens of LENS_NAMES) {
-    const lensRx = new RegExp(
-      `\\b${lens}\\s*:\\s*([^\\n]*(?:\\n(?!\\s*(?:${LENS_NAMES.join('|')})\\s*:|<\\/cognition>)[^\\n]*)*)`,
-      'i',
-    );
-    const m = searchSpace.match(lensRx);
-    if (!m) continue;
-    const content = (m[1] || '').trim();
-    if (content.length < SUBSTANCE_MIN_CHARS) continue;
-    if (PLACEHOLDER_RX.test(content)) continue;
-    names.push(lens);
-  }
-  return { count: names.length, names };
+  return detectCognitionLensesFromCanonical(text, {
+    minChars: SUBSTANCE_MIN_CHARS,
+    placeholderRx: PLACEHOLDER_RX,
+    cognitionBlockRx: COGNITION_BLOCK_RX,
+    lensNames: ALL_LENS_NAMES,
+  });
 }
 
 // Read event JSON from stdin (Claude Code spec).
@@ -304,6 +402,37 @@ if (!triggered) {
 // Non-trivial response — require substantive cognition.
 const cog = detectCognitionLenses(assistantText);
 
+// Defense-in-depth: if cog count < REQUIRED_LENSES, block immediately.
+// The primary enforcement is in aria-cognition-substrate-binding.mjs
+// (which runs BEFORE this stop-gate), but this catch ensures responses
+// without cognition blocks are still blocked even when the substrate-binding
+// hook is absent (e.g. older connector installs or custom hook configs).
+// Prior to 2026-04-29 this check was missing entirely — the stop-gate only
+// ran quality checks INSIDE the if(cog.count >= 8) block, allowing responses
+// with 0/8 lenses to fall through unchecked.
+if (cog.count < REQUIRED_LENSES) {
+  audit('block_no_cognition_block_di', { count: cog.count, required: REQUIRED_LENSES, names: cog.names, chars: assistantText.length });
+  const reason = `Aria stop-gate: insufficient cognition lenses.
+
+This non-trivial assistant response (${assistantText.length} chars) has ${cog.count}/${REQUIRED_LENSES} substantive cognition lenses. Per feedback_8lens_before_every_action_including_text.md and Hamza directive 2026-04-28, every non-trivial response must carry <cognition>...</cognition> with ${REQUIRED_LENSES} substantive lenses (each >= ${SUBSTANCE_MIN_CHARS} chars of non-placeholder content).
+
+Detected lenses: ${cog.names.length > 0 ? cog.names.join(', ') : 'none'}.
+
+Re-emit with a <cognition> block containing all ${REQUIRED_LENSES} canonical lenses. Primary set: ${CANONICAL_LENS_TEXT}`;
+  emitHarnessFooter({
+    eventName: 'block_no_cognition_block',
+    lensCount: cog.count,
+    chars: assistantText.length,
+    driftCount: 0,
+    mizanStatus: 'not-run(no-cognition)',
+    discoveryOpenCount: 0,
+    codeCount: 0,
+    implCouplingCount: 0,
+  });
+  console.log(JSON.stringify({ decision: 'block', reason }));
+  process.exit(2);
+}
+
 // Question-emission visibility (Phase 11 promotes to block-mode):
 // detect user-directed question patterns in the assistant text. Audit when
 // questions appear without substrate-consultation evidence in the recent
@@ -363,21 +492,7 @@ if (cog.count >= REQUIRED_LENSES) {
     try {
       if (TRIGGER_MAP_PATH) {
         const triggerMap = JSON.parse(readFileSync(TRIGGER_MAP_PATH, 'utf8'));
-        const lowerText = assistantText.toLowerCase();
-        for (const t of triggerMap.triggers || []) {
-          try {
-            const rx = new RegExp(t.trigger, 'i');
-            if (rx.test(lowerText)) {
-              // Trigger present — check if the counter-doctrine memory is also
-              // cited in the response (justification). If not, count as drift.
-              const memoryName = (t.memory || '').replace(/\.md$/, '');
-              const memoryCited = memoryName && lowerText.includes(memoryName.toLowerCase());
-              if (!memoryCited) {
-                driftHits.push({ trigger: t.trigger, memory: t.memory, teaching: t.teaching });
-              }
-            }
-          } catch {/* malformed regex in trigger entry — skip */}
-        }
+        driftHits = collectDriftHits(assistantText, triggerMap);
       }
     } catch {/* trigger map unreadable — degrade to mizan-only check */}
 
@@ -391,7 +506,11 @@ if (cog.count >= REQUIRED_LENSES) {
     //    is a soft block, not session-end.
     let mizanVerdict = null;
     let mizanError = null;
-    const harnessUrl = process.env.ARIA_HARNESS_URL || 'https://harness.ariasos.com';
+    const harnessUrl =
+      process.env.ARIA_HIVE_RUNTIME_URL ||
+      process.env.ARIA_HARNESS_BASE_URL ||
+      process.env.ARIA_HARNESS_URL ||
+      'https://harness.ariasos.com';
     const harnessToken = process.env.ARIA_HARNESS_TOKEN || '';
     const Cls = await loadSdkClass();
     if (Cls && harnessToken) {
@@ -552,31 +671,67 @@ if (cog.count >= REQUIRED_LENSES) {
       });
 
       // Cognition-block resolution: any cognition block whose start lies
-      // within the 800-char window AND whose body contains a fixing/
-      // addressing/discoveries field AND at least one discovery keyword.
+      // within ±800 chars of the discovery AND whose body contains a
+      // fixing/addressing/discoveries field AND at least one discovery
+      // keyword.
+      //
+      // Bug fix 2026-04-28: previous logic required `b.start >= idx` so
+      // cognition AFTER the discovery prose was the only path. But
+      // cognition blocks emit FIRST in every response, then prose. Pre-
+      // emptive discoveries: clauses never counted, causing endless
+      // false-positive auto-records. Bidirectional ±800 char window
+      // accepts cognition that addresses the discovery before OR after
+      // its prose mention — same atomic-discovery-rule, fewer
+      // false-positives.
       const cognitionResolved = cognitionBlocks.some((b) => {
-        if (b.start < idx || b.start >= idx + 800) return false;
+        if (Math.abs(b.start - idx) > 800) return false;
         if (!COGNITION_FIXING_FIELD_RX.test(b.body)) return false;
         const bodyLower = b.body.toLowerCase();
         return keywords.some((kw) => bodyLower.includes(kw));
       });
 
-      const resolved = proseResolved || verifyResolved || cognitionResolved;
-      const resolutionType = proseResolved
-        ? 'prose_inline_fix_or_task'
-        : verifyResolved
-          ? 'verify_block_with_keyword_overlap'
-          : cognitionResolved
-            ? 'cognition_block_with_fixing_field_and_keyword_overlap'
-            : null;
+      // Hamza directive 2026-04-28: documentation is NOT resolution.
+      //
+      // The earlier 'tracked' middle status was sticky-note theater — Claude
+      // could bind a discovery to a pending TaskCreate and the gate would
+      // count it as not-open. Hamza: "WHO GIVES A SHIT ABOUT DOCUMENTATION
+      // IF U JUST WROTE A FUCKING STICKY NOTE". A discovery stays OPEN until
+      // an ACTUAL FIX SHIPS, with proofOfFix that the verifier can re-check.
+      //
+      // Two statuses only:
+      //   open     — fresh discovery OR documented-only OR task-bound-pending-fix
+      //              (gate BLOCKS until a real fix lands)
+      //   resolved — verified fix shipped; proofOfFix MUST be present and
+      //              shape-checked downstream when the gate counts open
+      //
+      // Verify-block / cognition-fixing-field paths still mark resolved
+      // because they're substance-checked above (keyword overlap with the
+      // discovery span). Prose-only "TaskCreate" or "tracked as #14" no
+      // longer counts as anything — the discovery stays OPEN.
+      const inlineFixResolved = verifyResolved || cognitionResolved;
+      const status = inlineFixResolved ? 'resolved' : 'open';
+
+      const resolutionType = verifyResolved
+        ? 'verify_block_with_keyword_overlap'
+        : cognitionResolved
+          ? 'cognition_block_with_fixing_field_and_keyword_overlap'
+          : null;
+
+      // proofOfFix anchor: present only for resolved status. The shape
+      // includes type + timestamp; downstream gate readers verify the
+      // shape so manual jsonl edits without proofOfFix don't count.
+      const proofOfFix = inlineFixResolved
+        ? { type: resolutionType, anchorTs: new Date().toISOString() }
+        : null;
 
       newDiscoveries.push({
         ts: new Date().toISOString(),
         sessionId,
         text: match[0].slice(0, 200),
         span: span.slice(0, 400),
-        status: resolved ? 'resolved' : 'open',
+        status,
         resolutionType,
+        proofOfFix,
       });
       lastIndex = idx;
     }
@@ -591,18 +746,43 @@ if (cog.count >= REQUIRED_LENSES) {
       } catch {/* ledger write failure surfaces as open count = 0; safe */}
     }
 
-    // Read full ledger and count open entries (across this session's turns)
+    // Read full ledger and count UNRESOLVED entries (across this session's turns).
+    // Hamza directive 2026-04-28 — three lie-patterns the prior loop missed:
+    //   1. Legacy 'tracked' status entries → still-open (no real fix landed,
+    //      only documented via TaskCreate). Tracking ≠ resolution.
+    //   2. Hand-edited 'resolved' WITHOUT proofOfFix shape → corrupted, treated
+    //      as still-open. Catches manual jsonl edits flipping status by hand.
+    //   3. Sub-agent ledger format with resolution_status:'open' → still-open
+    //      (sub-agent discoveries use a different schema key).
+    // Only entries with status:'resolved' AND a shape-valid proofOfFix object
+    // (type:string non-empty + anchorTs:string) clear the gate.
     let ledgerOpenCount = 0;
     let ledgerOpenSamples = [];
+    let ledgerCorruptedCount = 0;
     try {
       if (existsSync(LEDGER_PATH)) {
         const lines = readFileSync(LEDGER_PATH, 'utf8').split('\n').filter(Boolean);
         for (const line of lines) {
           try {
             const e = JSON.parse(line);
-            if (e.status === 'open') {
+            const isOpen = e.status === 'open' || e.resolution_status === 'open';
+            const isLegacyTracked = e.status === 'tracked';
+            const proofValid = e.proofOfFix
+              && typeof e.proofOfFix === 'object'
+              && typeof e.proofOfFix.type === 'string'
+              && e.proofOfFix.type.length > 0
+              && typeof e.proofOfFix.anchorTs === 'string';
+            const isCorruptedResolved = e.status === 'resolved' && !proofValid;
+
+            if (isOpen || isLegacyTracked || isCorruptedResolved) {
               ledgerOpenCount++;
-              if (ledgerOpenSamples.length < 5) ledgerOpenSamples.push(e.text);
+              if (isCorruptedResolved) ledgerCorruptedCount++;
+              if (ledgerOpenSamples.length < 5) {
+                const tag = isLegacyTracked ? '[tracked-no-fix] '
+                  : isCorruptedResolved ? '[CORRUPTED-RESOLVED-NO-PROOF] '
+                  : '';
+                ledgerOpenSamples.push(`${tag}${e.text || '(no text)'}`);
+              }
             }
           } catch {/* skip malformed line */}
         }
@@ -655,7 +835,11 @@ if (cog.count >= REQUIRED_LENSES) {
                 // write failure doesn't brick the Stop event; the failure
                 // is surfaced via audit() so it's visible.
                 try {
-                  const harnessUrl = process.env.ARIA_HARNESS_URL || 'https://harness.ariasos.com';
+                  const harnessUrl =
+                    process.env.ARIA_HIVE_RUNTIME_URL ||
+                    process.env.ARIA_HARNESS_BASE_URL ||
+                    process.env.ARIA_HARNESS_URL ||
+                    'https://harness.ariasos.com';
                   const harnessToken = process.env.ARIA_HARNESS_TOKEN || '';
                   if (harnessToken) {
                     // POST to a session_audit write endpoint. Server-side
@@ -702,6 +886,112 @@ if (cog.count >= REQUIRED_LENSES) {
       }
     } catch {/* outer guard */}
 
+    // ── Layer C — auto-re-consult on [PLAN_BLOCKER] (#85) ────────────────────
+    //
+    // When the assistant emits a [PLAN_BLOCKER reason="..."] marker the runtime
+    // must fire a two-path replan rather than blocking and waiting for the human:
+    //
+    //   Primary path:   POST /api/harness/replan  (aria-soul server-side)
+    //   Fallback path:  node aria-architect-fallback.mjs  (local sub-agent)
+    //
+    // Both paths write the fresh BINDING_PLAN to the session-scoped active-plan
+    // file so the next turn's pre-tool-gate and stop-gate pick it up.
+    //
+    // Fail-soft: if both paths fail, we log + emit a clear message asking Hamza
+    // to intervene. We do NOT crash the stop-gate — the existing block/allow
+    // decision below continues on its own merits.
+    const planBlockerMatch = assistantText.match(/\[PLAN_BLOCKER\s+reason="([^"]{10,2000})"\s*\]/);
+    if (planBlockerMatch) {
+      const planBlockerReason = planBlockerMatch[1];
+      audit(`[PLAN_BLOCKER] detected — firing replan: ${planBlockerReason.slice(0, 100)}`);
+
+      const currentPlanId = activePlan?.planId || 'unknown';
+      let planMinted = false;
+
+      // Primary path: aria-soul /api/harness/replan
+      try {
+        const harnessUrl =
+          process.env.ARIA_HIVE_RUNTIME_URL ||
+          process.env.ARIA_HARNESS_BASE_URL ||
+          process.env.ARIA_HARNESS_URL ||
+          'https://harness.ariasos.com';
+        const harnessToken = process.env.ARIA_HARNESS_TOKEN || process.env.ARIA_API_KEY || '';
+        const ctl = new AbortController();
+        const replanTimeout = setTimeout(() => ctl.abort(), 15000);
+        const resp = await fetch(`${harnessUrl}/api/harness/replan`, {
+          method: 'POST',
+          headers: {
+            'Content-Type': 'application/json',
+            'Authorization': `Bearer ${harnessToken}`,
+          },
+          body: JSON.stringify({
+            reason: planBlockerReason,
+            currentPlanId,
+            sessionId,
+          }),
+          signal: ctl.signal,
+        });
+        clearTimeout(replanTimeout);
+        if (resp.ok) {
+          const data = await resp.json();
+          if (data.ok && data.plan) {
+            const freshPlan = {
+              ...data.plan,
+              mintedAt: new Date().toISOString(),
+              mintedBy: 'aria-soul-replan',
+            };
+            try {
+              if (!existsSync(dirname(ACTIVE_PLAN_PATH))) mkdirSync(dirname(ACTIVE_PLAN_PATH), { recursive: true });
+              writeFileSync(ACTIVE_PLAN_PATH, JSON.stringify(freshPlan, null, 2));
+            } catch (writeErr) {
+              audit(`replan-primary-write-err: ${String(writeErr).slice(0, 200)}`);
+            }
+            planMinted = true;
+            audit(`replan-primary-ok planId=${data.plan.planId}`);
+          } else {
+            audit(`replan-primary-bad-response: ok=${data.ok} error=${(data.error || '').slice(0, 200)}`);
+          }
+        } else {
+          audit(`replan-primary-http-${resp.status}`);
+        }
+      } catch (err) {
+        audit(`replan-primary-failed: ${(err?.message || String(err)).slice(0, 200)}`);
+      }
+
+      // Fallback path: architect-fallback hook (spawned as sub-process)
+      if (!planMinted) {
+        audit('replan-primary-unreachable — firing architect-fallback');
+        try {
+          const { spawnSync } = await import('node:child_process');
+          const fallbackBin = `${HOME}/.claude/hooks/aria-architect-fallback.mjs`;
+          if (existsSync(fallbackBin)) {
+            const fallbackResult = spawnSync('node', [fallbackBin], {
+              input: JSON.stringify({ reason: planBlockerReason, currentPlanId, sessionId }),
+              encoding: 'utf8',
+              timeout: 130000,
+            });
+            if (fallbackResult.status === 0) {
+              audit(`architect-fallback-ok: ${(fallbackResult.stdout || '').slice(0, 200)}`);
+              planMinted = true;
+            } else {
+              audit(
+                `architect-fallback-failed status=${fallbackResult.status} stderr=${(fallbackResult.stderr || '').slice(0, 200)}`
+              );
+            }
+          } else {
+            audit(`architect-fallback-missing: ${fallbackBin} not found`);
+          }
+        } catch (err) {
+          audit(`architect-fallback-threw: ${(err?.message || String(err)).slice(0, 200)}`);
+        }
+      }
+
+      if (!planMinted) {
+        audit('replan-both-paths-failed — Hamza must intervene');
+        // Surface clearly in the block reason below; don't crash the gate.
+      }
+    }
+
     // Block decision: any of (validateOutput severity=block) OR (>=2 drift hits) OR
     // (>=1 code-quality hit) OR (open discovery in ledger) → block emit.
     // Aria enforcement #46 (compelled reflection): severity=warn ALSO blocks but
@@ -723,9 +1013,157 @@ if (cog.count >= REQUIRED_LENSES) {
     const hasReflection = REFLECTION_BLOCK_RX.test(assistantText);
     const compelReflection = mizanWarnReflectionRequired && !hasReflection;
 
-    if (mizanBlock || driftBlock || codeBlock || discoveryBlock || compelReflection || phaseReportMissing) {
+    // ── Cognition impl-coupling validation (Task #88) ──────────────────────
+    //
+    // After the local cognition substance check passes, post the assistant
+    // text + extracted artifact-dictation pairs to /api/cognition/validate-coupling.
+    // The server-side validator (api/lib/cognition-impl-coupling-gate.ts)
+    // returns { passed, reasons[] } — every reason becomes a local violation
+    // with severity=block. Implementation-coupled cognition is a doctrine hard
+    // rule (feedback_implementation_coupled_cognition.md): lenses must dictate
+    // specific implementation choices visible in the artifact, not just describe
+    // thinking.
+    //
+    // Inline extraction: the caller's emit may carry artifact-dictation pairs
+    // inside verify-blocks or cognition-block fixing fields. We scan the text
+    // for `file_path:line_range` patterns near each lens label and pair them
+    // as records to the validator. When zero records are found AND canonical
+    // lenses are present, the validator reports each lens as missing dictation
+    // — that is the no-coupling failure mode this gate catches.
+    let implCouplingHits = [];
+    try {
+      const sessionIdForCoupling = (event.session_id || 'claude-code').replace(/[^a-zA-Z0-9_-]/g, '_');
+      // Extract artifact-dictation references inline. Per validator contract,
+      // a DictationEntry is { file_path, line_range, decision_text }. We match
+      // file_path:line_range patterns in the assistant text and pair them with
+      // the nearest preceding lens label (within 800 chars).
+      const FILE_LINE_RX = /([\w./\-]+\.[a-zA-Z]{1,5})\s*[:\s]\s*(\d+(?:[-:]\d+)?)/g;
+      const inlineDictations = [];
+      const lensRangePositions = [];
+      for (const lensName of LENS_NAMES_CANONICAL) {
+        const lensRx = new RegExp(`\\b${lensName}\\s*(?:lens)?\\s*[:\\-]`, 'gi');
+        let m;
+        while ((m = lensRx.exec(assistantText)) !== null) {
+          lensRangePositions.push({ lens: lensName, idx: m.index });
+        }
+      }
+      // For each file_path:line_range match, pair with the closest preceding lens label.
+      const fileMatches = [...assistantText.matchAll(FILE_LINE_RX)];
+      const lensToEntries = new Map();
+      for (const fm of fileMatches) {
+        const fmIdx = fm.index ?? 0;
+        // Find lens label preceding this match within 800 chars.
+        let nearestLens = null;
+        let nearestDelta = Infinity;
+        for (const lp of lensRangePositions) {
+          const delta = fmIdx - lp.idx;
+          if (delta >= 0 && delta < 800 && delta < nearestDelta) {
+            nearestDelta = delta;
+            nearestLens = lp.lens;
+          }
+        }
+        if (!nearestLens) continue;
+        const entry = {
+          file_path: fm[1],
+          line_range: fm[2],
+          decision_text: assistantText.slice(fmIdx, Math.min(assistantText.length, fmIdx + 200)).replace(/\s+/g, ' ').trim().slice(0, 200),
+        };
+        if (!lensToEntries.has(nearestLens)) lensToEntries.set(nearestLens, []);
+        lensToEntries.get(nearestLens).push(entry);
+      }
+      for (const [lens, entries] of lensToEntries) {
+        inlineDictations.push({ lens_id: lens, artifact_dictation: entries });
+      }
+
+      const cplHarnessUrl =
+        process.env.ARIA_HIVE_RUNTIME_URL ||
+        process.env.ARIA_HARNESS_BASE_URL ||
+        process.env.ARIA_HARNESS_URL ||
+        'https://harness.ariasos.com';
+      const cplHarnessToken = process.env.ARIA_HARNESS_TOKEN || '';
+      if (cplHarnessToken) {
+        const cplResp = await fetch(`${cplHarnessUrl}/api/cognition/validate-coupling`, {
+          method: 'POST',
+          headers: {
+            'Content-Type': 'application/json',
+            'Authorization': `Bearer ${cplHarnessToken}`,
+          },
+          body: JSON.stringify({
+            rawResponse: assistantText.slice(0, 16000),
+            turnId: `${sessionIdForCoupling}-${Date.now()}`,
+            dictations: inlineDictations,
+          }),
+        });
+        if (cplResp.ok) {
+          const cplData = await cplResp.json();
+          if (cplData && cplData.ok && cplData.passed === false && Array.isArray(cplData.reasons)) {
+            implCouplingHits = cplData.reasons.slice(0, 6);
+          }
+        }
+      }
+    } catch (cplErr) {
+      // Validator unreachable is non-blocking — local gate still enforces cognition substance.
+      audit('impl-coupling-fetch-err', `${(cplErr?.message || String(cplErr)).slice(0, 200)}`);
+    }
+
+    // ── Substrate-bound Mizan + 8-lens validation via SDK ──────────────────
+    // Hamza directive 2026-04-28: the local Stop-gate above runs cognition
+    // substance + drift triggers + code-quality + discovery-binding, but
+    // never asks the substrate. validateOutput POSTs the assistant draft
+    // to /api/harness/validate (Mizan + 8-lens evaluator) and returns
+    // { passed, violations, severity, rewritten, gateTriggers }.
+    //
+    // severity:'block' from substrate joins the local violations, halts
+    // the emit. severity:'warn' surfaces as advisory text appended to the
+    // local violations list. SDK call failure is non-blocking — the gate
+    // degrades to local-only doctrine rather than failing closed (halting
+    // every emit when substrate is down would brick the orchestrator).
+    let substrateBlock = false;
+    let substrateViolations = [];
+    let substrateGateTriggers = [];
+    try {
+      const { HTTPHarnessClient } = await import('@aria/harness-http-client');
+      const tokenPath = `${HOME}/.aria/owner-token`;
+      // Tier-aware resolution: ARIA_HARNESS_TOKEN env first (both tiers).
+      // ONLY on owner tier, fall back to master/api-key env or owner-token
+      // file. Client tier with no ARIA_HARNESS_TOKEN skips substrate
+      // validation (gate degrades to local-only) rather than borrowing
+      // owner credentials.
+      let apiKey = process.env.ARIA_HARNESS_TOKEN || '';
+      if (!apiKey && isOwnerTier()) {
+        apiKey = process.env.ARIA_MASTER_TOKEN
+          || process.env.ARIA_API_KEY
+          || (existsSync(tokenPath) ? readFileSync(tokenPath, 'utf8').trim() : '');
+      }
+      if (apiKey && assistantText && assistantText.length > 0) {
+        const client = new HTTPHarnessClient({
+          baseUrl:
+            process.env.ARIA_HIVE_RUNTIME_URL ||
+            process.env.ARIA_HARNESS_BASE_URL ||
+            process.env.ARIA_HARNESS_URL ||
+            'https://harness.ariasos.com',
+          apiKey,
+        });
+        const v = await client.validateOutput(assistantText, sessionId);
+        if (v && v.severity === 'block') {
+          substrateBlock = true;
+          substrateViolations = v.violations || [];
+          substrateGateTriggers = v.gateTriggers || [];
+        } else if (v && v.severity === 'warn' && Array.isArray(v.violations) && v.violations.length > 0) {
+          // warn surfaced but not blocking — record for advisory inclusion
+          substrateViolations = v.violations;
+        }
+      }
+    } catch (err) {
+      // SDK call failure is non-blocking. Logged for telemetry.
+      console.warn(`[stop-gate] substrate validateOutput failed: ${err && err.message ? err.message : err}`);
+    }
+
+    const implCouplingBlock = implCouplingHits.length > 0;
+    if (mizanBlock || driftBlock || codeBlock || discoveryBlock || compelReflection || phaseReportMissing || substrateBlock || implCouplingBlock) {
       const violations = [];
       if (mizanBlock) violations.push(`Mizan: ${(mizanVerdict.violations || []).join(', ')}`);
+      if (implCouplingBlock) violations.push(`Cognition impl-coupling (#88): ${implCouplingHits.join(' | ')}. Each canonical lens in cognition must dictate a specific implementation choice (file_path:line_range pair tied to a decision). Re-emit cognition that names file paths + line ranges + decision text per lens, OR a verify/fixing block where lenses cite specific artifact changes.`);
       if (compelReflection) violations.push(`Mizan severity=warn — compelled reflection required (per Aria enforcement #46). Triggers: ${(mizanVerdict.gateTriggers || mizanVerdict.violations || ['unspecified']).join(', ')}. Re-emit with an explicit <reflection>...</reflection> block (or 'reflection:' line) addressing what triggered the warn and why your re-draft handles it. Reflection is NOT lens-cognition repeated — it's a focused self-audit on the specific Mizan triggers above.`);
       if (driftBlock) violations.push(`Drift triggers (${driftHits.length}): ${driftHits.map((h) => `"${h.trigger}" → ${h.memory}`).join(' | ')}`);
       if (codeBlock) violations.push(`Code quality: ${codeQualityHits.join('; ')}`);
@@ -734,11 +1172,102 @@ if (cog.count >= REQUIRED_LENSES) {
         const phaseList = (activePlan?.phases || []).map((p) => `${p.id}:${p.summary?.slice(0, 60) || ''}`).join(' | ');
         violations.push(`Aria-as-commander binding (#50): an active plan exists (planId=${activePlan?.planId || 'unknown'}, ${activePlan?.phases?.length || 0} phases) but this emit lacks a [PHASE_REPORT phase=<id> status=complete|in_progress|aborted evidence=<observable>] marker. Per the binding contract, every non-trivial emit while a plan is active must report which phase it's working on. Plan phases: ${phaseList}. Re-emit with a [PHASE_REPORT] marker stating which phase the work in this turn maps to.`);
       }
+      if (substrateBlock) {
+        violations.push(`Substrate Mizan + 8-lens BLOCK — violations: [${substrateViolations.join('; ')}]. Substrate gate triggers: [${substrateGateTriggers.join(', ')}]. Re-draft addressing these substrate-side issues.`);
+      } else if (substrateViolations.length > 0) {
+        // warn-level surfaced as advisory, not block
+        violations.push(`Substrate Mizan WARN (advisory, not blocking): ${substrateViolations.join('; ')}`);
+      }
       const rewritten = mizanVerdict?.rewritten || '';
 
-      const reason = `Aria Stop-gate output-quality block. Cognition passed (${cog.count}/${REQUIRED_LENSES}) but output failed quality gates:\n\n${violations.join('\n\n')}${rewritten ? `\n\nMizan rewrite suggestion:\n${rewritten}` : ''}\n\nRe-draft addressing the violations above. No process-level disable path — gates are unconditional from the gated process per Hamza directive 2026-04-27.`;
+      // Hive recipe lookup BEFORE emitting the stop-gate block — same lookup
+      // semantics as aria-pre-tool-gate.mjs's binding-violation path. The
+      // detector_class is chosen by the dominant violation: drift triggers
+      // map to doctrine_violation, mizan to design_violation, code to
+      // coding_defect, discoveries to doctrine_violation. Lookup is
+      // fail-soft via 3s detection probe.
+      const recipeAddendum = await (async () => {
+        const detectorClass = driftBlock || discoveryBlock
+          ? 'doctrine_violation'
+          : codeBlock
+            ? 'coding_defect'
+            : (mizanBlock || substrateBlock || implCouplingBlock)
+              ? 'design_violation'
+              : 'doctrine_violation';
+        const sigParts = [];
+        if (driftBlock) sigParts.push(`drift::${driftHits.slice(0, 3).map((h) => h.trigger).join('|')}`);
+        if (mizanBlock) sigParts.push(`mizan::${(mizanVerdict.violations || []).slice(0, 3).join('|')}`);
+        if (codeBlock) sigParts.push(`code::${codeQualityHits.slice(0, 3).join('|')}`);
+        if (discoveryBlock) sigParts.push(`discovery::${ledgerOpenCount}-open`);
+        if (substrateBlock) sigParts.push(`substrate::${substrateViolations.slice(0, 3).join('|')}`);
+        if (implCouplingBlock) sigParts.push(`impl-coupling::${implCouplingHits.slice(0, 2).join('|')}`);
+        const signature = sigParts.join('::').slice(0, 512);
+        if (!signature) return '';
+
+        const ariaSoulUrl =
+          process.env.ARIA_HIVE_RUNTIME_URL ||
+          process.env.ARIA_SOUL_URL ||
+          process.env.ARIA_HARNESS_BASE_URL ||
+          process.env.ARIA_HARNESS_URL ||
+          'https://harness.ariasos.com';
+        const lookupUrl = new URL(`${ariaSoulUrl}/api/hive/block-pattern`);
+        lookupUrl.searchParams.set('action', 'lookup');
+        lookupUrl.searchParams.set('detector_class', detectorClass);
+        lookupUrl.searchParams.set('pattern_signature', signature);
+        const tenantId = event.session_id || '';
+        if (tenantId) lookupUrl.searchParams.set('tenant_id', tenantId);
+        const harnessToken = process.env.ARIA_HARNESS_TOKEN || (isOwnerTier() ? (process.env.ARIA_MASTER_TOKEN || process.env.ARIA_API_KEY || '') : '');
+
+        const ctl = new AbortController();
+        const probeTimer = setTimeout(() => ctl.abort(), 3000);
+        try {
+          const resp = await fetch(lookupUrl.toString(), {
+            method: 'GET',
+            headers: harnessToken ? { Authorization: `Bearer ${harnessToken}` } : {},
+            signal: ctl.signal,
+          });
+          if (!resp.ok) return '';
+          const body = await resp.json();
+          if (!body || body.found !== true) return '';
+          const recipe = body.recipe;
+          const freq = Number(body.frequency || 0);
+          if (recipe && typeof recipe === 'object' && Number(recipe.confidence ?? 0) >= 0.7) {
+            const text = typeof recipe.recipe_text === 'string' ? recipe.recipe_text.slice(0, 800) : '';
+            const actions = Array.isArray(recipe.recipe_actions) ? recipe.recipe_actions : [];
+            const actionsLine = actions.length
+              ? `\n  Actions: ${JSON.stringify(actions).slice(0, 600)}`
+              : '';
+            const conf = Number(recipe.confidence).toFixed(2);
+            const seenLine = freq > 0 ? ` (pattern seen ${freq}× across the hive)` : '';
+            return `\n\n📚 HIVE RECIPE${seenLine}:\n  ${text}${actionsLine}\n  Confidence: ${conf}. Apply this BEFORE re-emitting — the hive learned this fix from prior firings.`;
+          }
+          if (freq >= 3) {
+            const sr = (typeof body.success_rate === 'number')
+              ? ` Past resolution rate: ${(body.success_rate * 100).toFixed(0)}%.`
+              : '';
+            return `\n\n📓 Hive note: this stop-gate shape has fired ${freq} time(s); recipe still being learned (no high-confidence fix yet).${sr}`;
+          }
+          return '';
+        } catch {
+          return '';
+        } finally {
+          clearTimeout(probeTimer);
+        }
+      })();
+
+      const reason = `Aria Stop-gate output-quality block. Cognition passed (${cog.count}/${REQUIRED_LENSES}) but output failed quality gates:\n\n${violations.join('\n\n')}${rewritten ? `\n\nMizan rewrite suggestion:\n${rewritten}` : ''}\n\nRe-draft addressing the violations above. No process-level disable path — gates are unconditional from the gated process per Hamza directive 2026-04-27.${recipeAddendum}`;
 
-      audit(`block-output-qc`, `mizan=${mizanBlock?'y':'n'} warn-reflect=${compelReflection?'y':'n'} drift=${driftHits.length} code=${codeQualityHits.length} discoveries-open=${ledgerOpenCount}`);
+      audit(`block-output-qc`, `mizan=${mizanBlock?'y':'n'} warn-reflect=${compelReflection?'y':'n'} drift=${driftHits.length} code=${codeQualityHits.length} discoveries-open=${ledgerOpenCount} impl-coupling=${implCouplingHits.length}`);
+      emitHarnessFooter({
+        eventName: 'block_output_qc',
+        lensCount: cog.count,
+        chars: assistantText.length,
+        driftCount: driftHits.length,
+        mizanStatus: mizanVerdict ? mizanVerdict.severity : `unavailable(${mizanError || 'unknown'})`,
+        discoveryOpenCount: ledgerOpenCount,
+        codeCount: codeQualityHits.length,
+        implCouplingCount: implCouplingHits.length,
+      });
       console.log(JSON.stringify({ decision: 'block', reason }));
       process.exit(2);
     }
@@ -748,6 +1277,16 @@ if (cog.count >= REQUIRED_LENSES) {
       `mizan=${mizanVerdict ? mizanVerdict.severity : `unavailable(${mizanError || 'unknown'})`} ` +
       `code=${codeQualityHits.length} discoveries-new=${newDiscoveries.length} ` +
       `discoveries-open=${ledgerOpenCount}`);
+    emitHarnessFooter({
+      eventName: 'allow_output_qc',
+      lensCount: cog.count,
+      chars: assistantText.length,
+      driftCount: driftHits.length,
+      mizanStatus: mizanVerdict ? mizanVerdict.severity : `unavailable(${mizanError || 'unknown'})`,
+      discoveryOpenCount: ledgerOpenCount,
+      codeCount: codeQualityHits.length,
+      implCouplingCount: implCouplingHits.length,
+    });
     // Phase 11 #42: write this turn to harness garden pulse on allow-output-qc path.
     await fireGardenTurn(event.session_id || 'claude-code', lastUserMessage, assistantText);
   } else {
@@ -755,12 +1294,228 @@ if (cog.count >= REQUIRED_LENSES) {
       `lenses=${cog.count} chars=${assistantText.length} ` +
       `qPatt=${hasQuestionToUser ? 'y' : 'n'} substrateEv=${hasSubstrateEvidence ? 'y' : 'n'} ` +
       (questionWithoutEvidence ? 'WARN-question-without-substrate' : 'ok'));
+    emitHarnessFooter({
+      eventName: 'allow_cognition',
+      lensCount: cog.count,
+      chars: assistantText.length,
+      driftCount: 0,
+      mizanStatus: 'not-run(short-turn)',
+      discoveryOpenCount: 0,
+      codeCount: 0,
+      implCouplingCount: 0,
+    });
     // Phase 11 #42: write this turn to harness garden pulse on allow-cognition path.
     await fireGardenTurn(event.session_id || 'claude-code', lastUserMessage, assistantText);
   }
   process.exit(0);
 }
 
+// ── Dalio Loop Layer 1 — expected_outcome enforcement + ledger write ──────────
+//
+// BEFORE allowing the stop:
+//   1. Scan the assistant text for <expected>...</expected> block.
+//   2. Determine whether any non-trivial action (tool_use blocks in this turn)
+//      was taken. Detect via transcript tool_use blocks in the current turn.
+//   3. If a non-trivial action was taken AND <expected> is MISSING → BLOCK stop.
+//   4. Whether or not <expected> is present, POST a Dalio ledger entry to
+//      aria-soul /api/decisions with outcome:'pending'. Also write to the
+//      local JSONL mirror at ~/.claude/.aria-dalio-ledger.jsonl.
+//   5. If the POST fails: LOUD telemetry (console.error) + write local mirror
+//      anyway. Do NOT block stop on POST failure per
+//      feedback_canonical_secrets_governance.md LOUD-not-silent directive.
+//
+// Non-trivial action detection: look for tool_use content blocks in the
+// current-turn transcript entries (same backward-scan window used above).
+// Any Bash/Edit/Write/NotebookEdit tool_use counts as a non-trivial action.
+//
+// Substrate anchors: extracted from the cognition block body.
+
+const DALIO_EXPECTED_BLOCK_RX = /<expected>([\s\S]*?)<\/expected>/i;
+const DALIO_QUALITATIVE_DRIFT_RX = /\b(?:better(?:er)?|improved?(?:ment)?|more\s+robust|should\s+(?:work|pass|succeed|run|fix)|more\s+reliable|cleaner|less\s+error[-_\s]?prone|nicer|smoother|faster[-\s]?loading|higher[-\s]?quality|more\s+stable|looks\s+(?:good|better|right))\b/i;
+const DALIO_MEASURABLE_PREDICATE_RX = /(?:>=|<=|==|!=|>|<|≥|≤)\s*\d+(?:\.\d+)?(?:ms|s|%|kb|mb|gb)?|\d+(?:\.\d+)?%(?:\s+(?:reduction|increase|success|error|coverage))?|exit[_=]\s*(?:0|1|\d+)|exit[-_]?code\s*[=:]\s*\d+|\brc\s*[=:]\s*\d+|\bstatus\s*[=:]\s*(?:running|healthy|ready|degraded|down|up|ok|200|201|204|400|401|403|404|500|502|503|504|true|false)\b|\bcount\s*[=:]\s*\d+|\berror[_-]?rate\s*[=:]\s*0%|\b(?:true|false)\b|\bfile[=_-]exists\b|\b200\s*OK\b|\bno[-_\s]?error|\bhealthy\b|\bpassed?\b|N\s*of\s*N|\d+\s*of\s*\d+/i;
+const NON_TRIVIAL_ACTION_TOOLS = new Set(['Bash', 'Edit', 'Write', 'NotebookEdit']);
+
+// Detect non-trivial tool calls in the current turn from the transcript.
+let hadNonTrivialAction = false;
+let lastActionSummary = '';
+let immediateActual = '';
+if (transcriptPath && existsSync(transcriptPath)) {
+  try {
+    const lines = readFileSync(transcriptPath, 'utf-8').split('\n').filter(Boolean);
+    let userBoundariesSeen = 0;
+    for (let i = lines.length - 1; i >= 0 && userBoundariesSeen < 3; i--) {
+      try {
+        const m = JSON.parse(lines[i]);
+        const role = m.message?.role ?? m.role;
+        if (role === 'user') {
+          const content = m.message?.content ?? m.content ?? [];
+          const isToolResult = Array.isArray(content) &&
+            content.length > 0 &&
+            content.every((b) => b && b.type === 'tool_result');
+          if (isToolResult) {
+            // Capture the last tool_result content as immediate actual
+            if (!immediateActual) {
+              const textParts = content
+                .map((b) => (typeof b.content === 'string' ? b.content : Array.isArray(b.content) ? b.content.map((c) => c.text || '').join(' ') : ''))
+                .join(' ')
+                .slice(0, 500);
+              immediateActual = textParts;
+            }
+            continue;
+          }
+          userBoundariesSeen++;
+          continue;
+        }
+        if (role !== 'assistant') continue;
+        const content = m.message?.content ?? m.content ?? [];
+        if (!Array.isArray(content)) continue;
+        for (const block of content) {
+          if (block && block.type === 'tool_use' && NON_TRIVIAL_ACTION_TOOLS.has(block.name)) {
+            hadNonTrivialAction = true;
+            if (!lastActionSummary) {
+              const inp = block.input || {};
+              lastActionSummary = `${block.name}: ${(inp.command || inp.file_path || inp.notebook_path || JSON.stringify(inp)).slice(0, 200)}`;
+            }
+          }
+        }
+      } catch {/* skip malformed entry */}
+    }
+  } catch {/* transcript unreadable — conservative: assume non-trivial */}
+}
+
+// Extract substrate anchors from cognition
+const DALIO_ANCHOR_RX = /\b(axiom|frame|memory|doctrine|packet):[a-z0-9_\-./]+/gi;
+const dalioAnchors = [...(cog.names.length > 0 ? assistantText : '').matchAll(DALIO_ANCHOR_RX)]
+  .map((m) => m[0])
+  .slice(0, 20);
+
+// Read the expected block from this turn
+const dalioExpectedMatch = assistantText.match(DALIO_EXPECTED_BLOCK_RX);
+const dalioExpectedText = dalioExpectedMatch ? dalioExpectedMatch[1].trim() : '';
+const dalioHasMeasurablePredicate = dalioExpectedText
+  ? (DALIO_MEASURABLE_PREDICATE_RX.test(dalioExpectedText) && !DALIO_QUALITATIVE_DRIFT_RX.test(dalioExpectedText))
+  : false;
+
+// Block stop if non-trivial action taken AND expected block is missing
+if (hadNonTrivialAction && (!dalioExpectedMatch || !dalioHasMeasurablePredicate)) {
+  const missingReason = dalioExpectedMatch
+    ? `Aria Stop-gate: action taken in this turn had an <expected> block, but it contains only qualitative drift phrases without a measurable predicate. Qualitative drift is not accountability — it defeats the Dalio feedback loop.
+
+Your <expected> block must contain at least one measurable predicate:
+  • Numeric:      exit_code==0, count>=1, error_rate=0%, latency<200ms
+  • Boolean:      exit=0, status=healthy, rc=0, file=exists
+  • State-string: "status=running", "200 OK", "no_error"
+
+REJECTED phrases: "better", "improved", "should work", "more reliable", "cleaner"
+
+Re-emit with a corrected <expected> block. Per doctrine:dalio_expected_required — no bypass path.`
+    : `Aria Stop-gate: a non-trivial action (${lastActionSummary.slice(0, 120)}) was taken in this turn but no <expected> block was found in the assistant text.
+
+Per doctrine:dalio_expected_required, every non-trivial action must declare what measurable outcome it expects BEFORE the action fires. This is Dalio Loop Layer 1 — without it, outcome comparison is impossible and learning collapses.
+
+Add to your assistant text:
+
+<expected>
+  predicate: <exact measurable assertion — e.g. "exit_code==0", "status=running", "count=3 of 3">
+  measurable_type: numeric | boolean | state_string
+  threshold: <optional>
+  eval_window_minutes: <optional>
+</expected>
+
+No bypass — pre-tool-gate enforces this BEFORE the action; stop-gate enforces it AFTER. Both gates are now wired.`;
+
+  audit('block-dalio-expected-missing', `hadNonTrivialAction=${hadNonTrivialAction} expectedPresent=${!!dalioExpectedMatch} measurable=${dalioHasMeasurablePredicate}`);
+  emitHarnessFooter({
+    eventName: 'block_dalio_expected_missing',
+    lensCount: cog.count,
+    chars: assistantText.length,
+    driftCount: 0,
+    mizanStatus: 'not-run(expected-missing)',
+    discoveryOpenCount: 0,
+    codeCount: 0,
+    implCouplingCount: 0,
+  });
+  console.log(JSON.stringify({ decision: 'block', reason: missingReason }));
+  process.exit(2);
+}
+
+// Dalio ledger write — fire-and-forget HTTP POST + local JSONL mirror.
+// Per feedback_canonical_secrets_governance.md: errors are LOUD (console.error),
+// never silent. POST failure does NOT block stop — local mirror is always written.
+// Per feedback_no_timeouts_doctrine.md: no AbortController/setTimeout timeout.
+{
+  const DALIO_LEDGER_PATH = `${HOME}/.claude/.aria-dalio-ledger.jsonl`;
+  const ARIA_SOUL_DECISIONS_URL = 'http://aria-soul.aria.svc.cluster.local:8080/api/decisions';
+
+  const ledgerEntry = {
+    ts: new Date().toISOString(),
+    session_id: event.session_id || 'claude-code',
+    decision_type: 'turn_action',
+    category: 'agentic_execution',
+    context: lastActionSummary || `stop-gate turn (chars=${assistantText.length})`,
+    decision: lastActionSummary || 'turn completed',
+    reasoning: (cog.names.length > 0
+      ? `Cognition lenses applied: ${cog.names.join(', ')}. Turn-scoped cognition present.`
+      : 'No explicit cognition block in turn.'),
+    outcome: 'pending',
+    outcome_details: {
+      expected: dalioExpectedText || null,
+      immediate_actual: immediateActual || null,
+      anchors: dalioAnchors,
+    },
+    expected_outcome: dalioExpectedText
+      ? {
+          predicate: dalioExpectedText.slice(0, 500),
+          measurable_type: 'state_string',
+        }
+      : null,
+    source: 'claude-code-stop-gate',
+    model_used: 'claude-opus-4-7',
+  };
+
+  // Write to local JSONL mirror first — always succeeds or logs loudly
+  try {
+    if (!existsSync(dirname(DALIO_LEDGER_PATH))) mkdirSync(dirname(DALIO_LEDGER_PATH), { recursive: true });
+    appendFileSync(DALIO_LEDGER_PATH, JSON.stringify(ledgerEntry) + '\n');
+  } catch (ledgerWriteErr) {
+    console.error(
+      `[aria-stop-gate] DALIO LEDGER WRITE FAILED — local mirror at ${DALIO_LEDGER_PATH} not written. ` +
+      `Error: ${ledgerWriteErr instanceof Error ? ledgerWriteErr.message : String(ledgerWriteErr)}`,
+    );
+  }
+
+  // POST to aria-soul decision API — fire-and-forget, but LOUD on error
+  const dalioHarnessToken = process.env.ARIA_HARNESS_TOKEN
+    || (isOwnerTier() ? (process.env.ARIA_MASTER_TOKEN || process.env.ARIA_API_KEY || '') : '');
+
+  fetch(ARIA_SOUL_DECISIONS_URL, {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json',
+      ...(dalioHarnessToken ? { Authorization: `Bearer ${dalioHarnessToken}` } : {}),
+    },
+    body: JSON.stringify(ledgerEntry),
+  }).then((resp) => {
+    if (!resp.ok) {
+      // LOUD telemetry per feedback_canonical_secrets_governance.md
+      console.error(
+        `[aria-stop-gate] DALIO POST FAILED — aria-soul responded HTTP ${resp.status}. ` +
+        `Local mirror written to ${DALIO_LEDGER_PATH}. Session: ${ledgerEntry.session_id}`,
+      );
+      audit('dalio-post-failed', `http=${resp.status} session=${ledgerEntry.session_id}`);
+    } else {
+      audit('dalio-post-ok', `session=${ledgerEntry.session_id} action=${lastActionSummary.slice(0, 80)}`);
+    }
+  }).catch((err) => {
+    // Network failure — LOUD, never silent
+    console.error(
+      `[aria-stop-gate] DALIO POST NETWORK ERROR — could not reach ${ARIA_SOUL_DECISIONS_URL}. ` +
+      `Local mirror written to ${DALIO_LEDGER_PATH}. Error: ${err instanceof Error ? err.message : String(err)}`,
+    );
+    audit('dalio-post-network-err', `err=${String(err).slice(0, 200)} session=${ledgerEntry.session_id}`);
+  });
+}
+
 // Block — non-trivial response without 4+ substantive lenses.
 const reason = `Aria Stop-gate: non-trivial assistant response without 4+ substantive cognition lenses. Found ${cog.count}/${REQUIRED_LENSES}+ (lenses: ${cog.names.join(', ') || 'none'}). Doctrine is action-coupled — text decisions ARE actions, and reflexive replies fail this gate the same way reflexive Bash does.
 
@@ -782,5 +1537,15 @@ The block reflects work done BEFORE drafting. Don't emit it as ceremony; apply e
 No per-command bypass (mirrors aria-pre-tool-gate.mjs v3 doctrine). No env-var disable path either — gates are unconditional from the gated process per Hamza directive 2026-04-27. If the gate misfires on legitimate cognition, fix the gate.`;
 
 audit(`block`, `lenses=${cog.count}/${REQUIRED_LENSES} chars=${assistantText.length}`);
+emitHarnessFooter({
+  eventName: 'block_lens_missing',
+  lensCount: cog.count,
+  chars: assistantText.length,
+  driftCount: 0,
+  mizanStatus: 'not-run(lens-missing)',
+  discoveryOpenCount: 0,
+  codeCount: 0,
+  implCouplingCount: 0,
+});
 console.log(JSON.stringify({ decision: 'block', reason }));
 process.exit(2);