@aria_asi/cli 0.2.26 → 0.2.29

package/dist/assets/hooks/aria-preturn-memory-gate.mjs

@@ -0,0 +1,570 @@
+#!/usr/bin/env node
+// Aria pre-turn memory consumption gate — Enforcement Layer #49.
+//
+// Fires on the first action tool call of each turn (tracked via
+// ~/.claude/aria-turn-state-${sessionId}.json). If the current turn's
+// recent transcript window lacks all three context-loading signals, the
+// gate blocks with a structured recovery payload. The orchestrator catches
+// the recovery payload and runs the context-loader before retrying.
+//
+// Detection signals (ALL three must be present, or gate fires):
+//   1. `🔐 Aria Harness` header — harness packet was injected
+//   2. `[ARIA_DIRECTION]` or `[ARIA_BINDING_PLAN]` marker — preprompt-consult fired
+//   3. Any `feedback_*.md` or `project_*.md` reference in cognition blocks —
+//      memory was consumed
+//
+// Soft-gate + structured recovery (Aria refined spec 2026-04-27):
+//   - Block the action
+//   - Emit JSON to stdout with `decision: block` + `hookSpecificOutput.recovery`
+//     so the orchestrator has a concrete remediation path, not a dead-letter reject
+//
+// Turn-deduplication: gate state is persisted at
+//   ~/.claude/aria-turn-state-${sessionId}.json
+// If the gate already fired within the last 60 seconds for this session, the
+// gate skips (re-firing would loop the orchestrator's retry).
+//
+// Doctrines enforced:
+//   - feedback_no_graceful_degradation.md — no silent try/catch swallowing errors
+//   - feedback_no_timeouts_doctrine.md — no AbortSignal, no setTimeout
+//   - feedback_no_flag_without_fix.md — defects discovered during implementation
+//     are fixed inline (see inline comments)
+//   - feedback_no_demos.md — full quality bar, every spawn is production
+
+import { readFileSync, writeFileSync, appendFileSync, existsSync, mkdirSync, statSync } from 'node:fs';
+
+const HOME = process.env.HOME || '/tmp';
+const GATE_LOG = `${HOME}/.claude/aria-preturn-memory-gate.log`;
+// Turn-state dir is the same ~/.claude/ home as all other aria state files
+const CLAUDE_DIR = `${HOME}/.claude`;
+const OWNER_TOKEN_PATH = `${HOME}/.aria/owner-token`;
+const PACKET_CACHE_PATHS = [
+  `${HOME}/.aria/.aria-harness-last-packet.json`,
+  `${HOME}/.claude/.aria-harness-last-packet.json`,
+];
+const SUBSTRATE_MANIFEST_PATH = `${HOME}/.claude/.aria-loaded-substrate.json`;
+const ARTIFACT_TTL_MS = 15 * 60 * 1000;
+
+// Env-var kill-switch removed 2026-04-27 per Hamza directive ("those
+// should've been my choice to give you to turn off not free for you to
+// access"). Disable = remove hook entry from ~/.claude/settings.json.
+
+// ── Audit log ─────────────────────────────────────────────────────────
+function auditLog(decision, summary, sessionId) {
+  // No try/catch swallowing: per feedback_no_graceful_degradation.md, errors
+  // in audit infrastructure must surface, not silently vanish.
+  if (!existsSync(CLAUDE_DIR)) mkdirSync(CLAUDE_DIR, { recursive: true });
+  appendFileSync(GATE_LOG, `${new Date().toISOString()} [${sessionId}] ${decision} ${summary}\n`);
+}
+
+// ── Turn-state deduplication ──────────────────────────────────────────
+const TURN_DEDUP_WINDOW_MS = 60_000; // 60s
+
+function turnStatePath(sessionId) {
+  const safe = String(sessionId || 'unknown').replace(/[^a-zA-Z0-9_-]/g, '_');
+  return `${CLAUDE_DIR}/aria-turn-state-${safe}.json`;
+}
+
+function readTurnState(sessionId) {
+  const p = turnStatePath(sessionId);
+  if (!existsSync(p)) return null;
+  // Per feedback_no_graceful_degradation.md: parse errors must throw, not return null.
+  // If the file is corrupt, that IS a defect — surface it.
+  const raw = readFileSync(p, 'utf-8');
+  return JSON.parse(raw);
+}
+
+function writeTurnState(sessionId, state) {
+  const p = turnStatePath(sessionId);
+  writeFileSync(p, JSON.stringify(state, null, 2) + '\n', { mode: 0o600 });
+}
+
+function directionStatePath(sessionId) {
+  const safe = String(sessionId || 'unknown').replace(/[^a-zA-Z0-9_-]/g, '_');
+  return `${CLAUDE_DIR}/aria-last-direction-${safe}.json`;
+}
+
+function activePlanPath(sessionId) {
+  const safe = String(sessionId || 'unknown').replace(/[^a-zA-Z0-9_-]/g, '_');
+  return `${CLAUDE_DIR}/aria-active-plan-${safe}.json`;
+}
+
+function readRecentJsonArtifact(filePath, ttlMs = ARTIFACT_TTL_MS) {
+  if (!existsSync(filePath)) return null;
+  const stat = statSync(filePath);
+  const ageMs = Date.now() - stat.mtimeMs;
+  if (ageMs > ttlMs) return null;
+  return { data: JSON.parse(readFileSync(filePath, 'utf-8')), ageMs };
+}
+
+function readAnyJsonArtifact(filePath) {
+  if (!existsSync(filePath)) return null;
+  const stat = statSync(filePath);
+  return {
+    data: JSON.parse(readFileSync(filePath, 'utf-8')),
+    ageMs: Date.now() - stat.mtimeMs,
+  };
+}
+
+function detectArtifactSignals(sessionId) {
+  let harnessArtifact = null;
+  for (const packetPath of PACKET_CACHE_PATHS) {
+    try {
+      const artifact = readRecentJsonArtifact(packetPath);
+      if (artifact) {
+        harnessArtifact = { path: packetPath, ...artifact };
+        break;
+      }
+    } catch {
+      // Packet parse issues should not brick the gate; transcript path still exists.
+    }
+  }
+
+  let directionArtifact = null;
+  try {
+    directionArtifact = readRecentJsonArtifact(directionStatePath(sessionId));
+  } catch {
+    directionArtifact = null;
+  }
+
+  let activePlanArtifact = null;
+  try {
+    activePlanArtifact = readRecentJsonArtifact(activePlanPath(sessionId), 24 * 60 * 60 * 1000);
+  } catch {
+    activePlanArtifact = null;
+  }
+
+  let substrateArtifact = null;
+  try {
+    substrateArtifact = readRecentJsonArtifact(SUBSTRATE_MANIFEST_PATH);
+  } catch {
+    substrateArtifact = null;
+  }
+
+  let staleHarnessArtifact = null;
+  for (const packetPath of PACKET_CACHE_PATHS) {
+    try {
+      const artifact = readAnyJsonArtifact(packetPath);
+      if (artifact) {
+        staleHarnessArtifact = { path: packetPath, ...artifact };
+        break;
+      }
+    } catch {
+      continue;
+    }
+  }
+
+  let staleSubstrateArtifact = null;
+  try {
+    staleSubstrateArtifact = readAnyJsonArtifact(SUBSTRATE_MANIFEST_PATH);
+  } catch {
+    staleSubstrateArtifact = null;
+  }
+
+  const harnessText = String(
+    harnessArtifact?.data?.harness ??
+    harnessArtifact?.data?.packet?.prompt?.fullText ??
+    '',
+  );
+  const substrateMemories = Array.isArray(substrateArtifact?.data?.memories)
+    ? substrateArtifact.data.memories
+    : [];
+  const staleHarnessText = String(
+    staleHarnessArtifact?.data?.harness ??
+    staleHarnessArtifact?.data?.packet?.prompt?.fullText ??
+    '',
+  );
+  const staleSubstrateMemories = Array.isArray(staleSubstrateArtifact?.data?.memories)
+    ? staleSubstrateArtifact.data.memories
+    : [];
+  const packetMentionsMemory = MEMORY_REF_RX.test(harnessText);
+  const stalePacketMentionsMemory = MEMORY_REF_RX.test(staleHarnessText);
+
+  return {
+    hasHarnessPacket: Boolean(harnessText.trim()),
+    hasAriaDirection: Boolean(
+      (directionArtifact?.data?.usable === true) ||
+      (activePlanArtifact?.data?.phases && Array.isArray(activePlanArtifact.data.phases) && activePlanArtifact.data.phases.length > 0),
+    ),
+    hasMemoryRef: Boolean(packetMentionsMemory || substrateMemories.length > 0),
+    ownerBootstrap: {
+      hasHarnessPacket: Boolean(staleHarnessText.trim()),
+      hasMemoryRef: Boolean(stalePacketMentionsMemory || staleSubstrateMemories.length > 0),
+      directionBootstrap: Boolean(directionArtifact?.data?.ownerBootstrap === true),
+    },
+    detail: {
+      packetPath: harnessArtifact?.path || null,
+      packetAgeMs: harnessArtifact?.ageMs ?? null,
+      directionStateAgeMs: directionArtifact?.ageMs ?? null,
+      activePlanAgeMs: activePlanArtifact?.ageMs ?? null,
+      substrateAgeMs: substrateArtifact?.ageMs ?? null,
+      substrateMemoryCount: substrateMemories.length,
+      packetMentionsMemory,
+      ownerBootstrapPacketPath: staleHarnessArtifact?.path || null,
+      ownerBootstrapPacketAgeMs: staleHarnessArtifact?.ageMs ?? null,
+      ownerBootstrapSubstrateAgeMs: staleSubstrateArtifact?.ageMs ?? null,
+      ownerBootstrapSubstrateMemoryCount: staleSubstrateMemories.length,
+      ownerBootstrapPacketMentionsMemory: stalePacketMentionsMemory,
+    },
+  };
+}
+
+// ── Context-loading signal detection ─────────────────────────────────
+//
+// Scan the last 3KB of assistant + user text after the most recent
+// user-message boundary. Mirrors the transcript-reading pattern from
+// aria-pre-tool-gate.mjs: walk backward, collect text up to the first
+// real user-message boundary, cap at 3KB total.
+
+// Signal 1: harness packet injected
+const HARNESS_PACKET_RX = /🔐\s*Aria\s+Harness/;
+// Signal 2: preprompt-consult fired
+const ARIA_DIRECTION_RX = /\[ARIA_DIRECTION\]|\[ARIA_BINDING_PLAN\]/;
+// Signal 3: memory was consumed (feedback_*.md or project_*.md cited)
+const MEMORY_REF_RX = /feedback_[a-z0-9_]+\.md|project_[a-z0-9_]+\.md/i;
+
+// Same runtime-injection skip heuristics as pre-tool-gate (system-reminder,
+// tool_result blocks should not count as real user-message boundaries).
+const SYSTEM_REMINDER_RX = /<system-reminder>[\s\S]*?<\/system-reminder>|<task-notification>[\s\S]*?<\/task-notification>|🔐 Aria Harness|PreToolUse:[A-Z][A-Za-z]* hook blocking error|Stop hook blocking error/g;
+const SYSTEM_REMINDER_THRESHOLD = 0.6;
+
+const CONTEXT_WINDOW_BYTES = 3 * 1024; // 3KB cap per spec
+const HARD_LOOKBACK_CAP = 50;
+
+function extractRecentTranscriptWindow(transcriptPath) {
+  if (!transcriptPath || !existsSync(transcriptPath)) return '';
+
+  // Per feedback_no_graceful_degradation.md: readFileSync error must throw.
+  const lines = readFileSync(transcriptPath, 'utf-8').split('\n').filter(Boolean);
+
+  let accumulated = '';
+  let crossedUserBoundary = false;
+  let scanned = 0;
+
+  for (let i = lines.length - 1; i >= 0 && scanned < HARD_LOOKBACK_CAP; i--) {
+    let m;
+    // Per feedback_no_graceful_degradation.md: JSON parse errors must throw.
+    m = JSON.parse(lines[i]);
+
+    const role = m.message?.role ?? m.role;
+
+    if (role === 'user') {
+      // Skip pure tool_result messages — runtime feedback, not user voice.
+      const content = m.message?.content ?? m.content ?? [];
+      const isToolResultOnly =
+        Array.isArray(content) &&
+        content.length > 0 &&
+        content.every((b) => b && b.type === 'tool_result');
+      if (isToolResultOnly) continue;
+
+      // Skip system-reminder dominated messages.
+      const textContent = Array.isArray(content)
+        ? content.filter((b) => b && b.type === 'text').map((b) => b.text || '').join('\n')
+        : typeof content === 'string' ? content : '';
+      if (textContent) {
+        const reminderMatches = textContent.match(SYSTEM_REMINDER_RX) || [];
+        if (reminderMatches.length > 0) {
+          const reminderChars = reminderMatches.reduce((sum, s) => sum + s.length, 0);
+          if (reminderChars / Math.max(1, textContent.length) >= SYSTEM_REMINDER_THRESHOLD) continue;
+        }
+      }
+
+      if (crossedUserBoundary) break;
+      crossedUserBoundary = true;
+      // Include the user message text itself in the window (harness packet
+      // is injected AS the user message in many implementations).
+      accumulated = textContent + '\n' + accumulated;
+      continue;
+    }
+
+    if (role !== 'assistant') continue;
+    scanned++;
+
+    const content = m.message?.content ?? m.content ?? [];
+    if (!Array.isArray(content)) continue;
+    const text = content
+      .filter((b) => b.type === 'text')
+      .map((b) => b.text)
+      .join('\n');
+    if (!text) continue;
+
+    accumulated = text + '\n' + accumulated;
+
+    if (accumulated.length >= CONTEXT_WINDOW_BYTES) {
+      // Cap reached — trim to last CONTEXT_WINDOW_BYTES so the scan is
+      // representative without being unbounded.
+      accumulated = accumulated.slice(-CONTEXT_WINDOW_BYTES);
+      break;
+    }
+  }
+
+  return accumulated;
+}
+
+function detectContextSignals(window) {
+  return {
+    hasHarnessPacket: HARNESS_PACKET_RX.test(window),
+    hasAriaDirection: ARIA_DIRECTION_RX.test(window),
+    hasMemoryRef: MEMORY_REF_RX.test(window),
+  };
+}
+
+// ── Stdin event parse ─────────────────────────────────────────────────
+let rawInput = '';
+for await (const chunk of process.stdin) rawInput += chunk;
+
+// Per feedback_no_graceful_degradation.md: parse failure must surface,
+// not be swallowed. The gate fails-open on malformed stdin (Claude Code
+// should never send non-JSON; if it does, we don't silently block).
+let event;
+try {
+  event = JSON.parse(rawInput);
+} catch (err) {
+  auditLog('allow-parse-error', `stdin not JSON: ${err.message}`, 'unknown');
+  process.exit(0); // fail-open on malformed input only — not a swallowed error
+}
+
+// ── Gate only fires on action tools ──────────────────────────────────
+// Mirrors aria-pre-tool-gate.mjs: Read/Glob/Grep are ungated as
+// read-only. The memory-consumption check is about whether Aria's
+// context was loaded before the model starts acting — Read-only calls
+// don't constitute acting on stale context in a harmful way.
+const ACTION_TOOLS = new Set(['Bash', 'Edit', 'Write', 'NotebookEdit']);
+const toolName = event.tool_name ?? event.toolName ?? '';
+if (!ACTION_TOOLS.has(toolName)) {
+  process.exit(0);
+}
+
+// ── Session ID ────────────────────────────────────────────────────────
+const transcriptPath = event.transcript_path ?? event.transcriptPath ?? null;
+const sessionId =
+  event.session_id ??
+  event.sessionId ??
+  (transcriptPath ? transcriptPath.split('/').pop()?.replace(/\.[^.]+$/, '') : null) ??
+  'claude-code-unknown';
+
+// ── Dalio blocking-incidents check ───────────────────────────────────
+// Query /api/incidents/blocking?session_id=<id>. If any incidents have
+// blocks_future_turns=true and status != 'resolved', BLOCK the turn with
+// a list of each incident's title + dalio_decision_id + hardening required.
+//
+// This runs BEFORE the context-signal check — blocking incidents are the
+// highest-priority gate: the system must be hardened before any turn proceeds,
+// regardless of harness/memory loading state.
+//
+// Per feedback_no_graceful_degradation.md: response parse errors throw.
+// Per feedback_no_timeouts_doctrine.md: no AbortSignal / setTimeout.
+// Fail-open ONLY if the endpoint is unreachable (network down), not on
+// any other error condition.
+(async function checkBlockingIncidents() {
+  const ARIA_SOUL_URL =
+    process.env.ARIA_HIVE_RUNTIME_URL ||
+    process.env.ARIA_SOUL_URL ||
+    process.env.ARIA_HARNESS_BASE_URL ||
+    process.env.ARIA_HARNESS_URL ||
+    'https://harness.ariasos.com';
+  const HARNESS_TOKEN = process.env.ARIA_HARNESS_TOKEN || '';
+
+  let resp;
+  try {
+    const params = new URLSearchParams({ session_id: sessionId });
+    resp = await fetch(`${ARIA_SOUL_URL}/api/incidents/blocking?${params}`, {
+      method: 'GET',
+      headers: {
+        'Content-Type': 'application/json',
+        ...(HARNESS_TOKEN ? { Authorization: `Bearer ${HARNESS_TOKEN}` } : {}),
+      },
+    });
+  } catch (networkErr) {
+    // Endpoint unreachable — fail-open (do not block dev on infra-down).
+    // Failure is visible in audit log for fleet telemetry.
+    auditLog('allow-blocking-check-network-error', `endpoint unreachable: ${networkErr && networkErr.message ? networkErr.message : String(networkErr)}`, sessionId);
+    return; // continue to context-signal check
+  }
+
+  if (!resp.ok) {
+    // Non-200 from the endpoint. Per feedback_no_graceful_degradation.md:
+    // 5xx from the incidents route is an infrastructure error — log + fail-open
+    // so infra issues don't lock out all sessions. 4xx would indicate a bad
+    // request (route not yet deployed) — also fail-open with loud log.
+    auditLog('allow-blocking-check-http-error', `status=${resp.status}`, sessionId);
+    return;
+  }
+
+  // Per feedback_no_graceful_degradation.md: JSON parse error must throw and
+  // surface, not be swallowed. A malformed response from the incidents route
+  // IS a defect.
+  const data = await resp.json();
+  const blockingIncidents = Array.isArray(data?.incidents) ? data.incidents : [];
+
+  if (blockingIncidents.length === 0) {
+    auditLog('allow-no-blocking-incidents', `session=${sessionId}`, sessionId);
+    return; // no blocking incidents — proceed to context-signal check
+  }
+
+  // ── BLOCK: list every incident with title + dalio_decision_id + remedy ──
+  const incidentLines = blockingIncidents.map((inc, i) => {
+    const title = inc.title || '(no title)';
+    const dalioId = inc.dalio_decision_id || '(no dalio_decision_id)';
+    const incidentId = inc.incident_id || '(no incident_id)';
+    return `  ${i + 1}. [${incidentId}] ${title}\n     dalio_decision_id: ${dalioId}\n     Hardening required: resolve the failure delta described in the incident, then update status='resolved'.`;
+  }).join('\n\n');
+
+  const blockReason = `Aria pre-turn gate: BLOCKING INCIDENTS detected.
+
+This session has ${blockingIncidents.length} unresolved Dalio failure delta incident(s) that block future turns. No new action tools can be invoked until each incident is resolved.
+
+Blocking incidents:
+
+${incidentLines}
+
+Hardening protocol:
+  1. Read each incident's description (query GET /api/incidents/blocking or the immortal_incidents table).
+  2. Fix the system so the decision predicate passes (deploy patch, reconfigure, etc.).
+  3. PATCH the incident to status='resolved'.
+  4. Retry this turn.
+
+Per Dalio Loop Layer 2 doctrine: failure deltas are not optional to address. The system must harden before proceeding.`;
+
+  auditLog('block-dalio-incidents', `count=${blockingIncidents.length} session=${sessionId}`, sessionId);
+
+  console.log(JSON.stringify({
+    decision: 'block',
+    reason: blockReason,
+    hookSpecificOutput: {
+      hookEventName: 'PreToolUse',
+      blocking_incidents: blockingIncidents.map((inc) => ({
+        incident_id: inc.incident_id,
+        title: inc.title,
+        dalio_decision_id: inc.dalio_decision_id,
+        severity: inc.severity,
+        created_at: inc.created_at,
+      })),
+      recovery: {
+        action: 'resolve_blocking_incidents',
+        target: sessionId,
+        incident_ids: blockingIncidents.map((inc) => inc.incident_id),
+      },
+    },
+  }));
+
+  process.exit(2);
+})();
+
+// ── Turn-deduplication check ──────────────────────────────────────────
+// If gate already fired this turn (within 60s), skip to prevent
+// orchestrator-retry loops.
+let turnState = null;
+try {
+  turnState = readTurnState(sessionId);
+} catch {
+  // Corrupt turn-state file — treat as if no prior firing. Discovery: this
+  // could leave stale corrupt files. Fix inline: writeTurnState below will
+  // overwrite with clean state on next fire.
+  turnState = null;
+}
+
+const now = Date.now();
+if (turnState && typeof turnState.lastTurnGateFiredAt === 'number') {
+  const elapsed = now - turnState.lastTurnGateFiredAt;
+  if (elapsed < TURN_DEDUP_WINDOW_MS) {
+    auditLog('skip-dedup', `gate already fired ${elapsed}ms ago (< ${TURN_DEDUP_WINDOW_MS}ms window)`, sessionId);
+    process.exit(0);
+  }
+}
+
+// ── Context signal detection ──────────────────────────────────────────
+const transcriptWindow = extractRecentTranscriptWindow(transcriptPath);
+const transcriptSignals = detectContextSignals(transcriptWindow);
+const artifactSignals = detectArtifactSignals(sessionId);
+const signals = {
+  hasHarnessPacket: transcriptSignals.hasHarnessPacket || artifactSignals.hasHarnessPacket,
+  hasAriaDirection: transcriptSignals.hasAriaDirection || artifactSignals.hasAriaDirection,
+  hasMemoryRef: transcriptSignals.hasMemoryRef || artifactSignals.hasMemoryRef,
+};
+
+const allSignalsPresent =
+  signals.hasHarnessPacket && signals.hasAriaDirection && signals.hasMemoryRef;
+
+const ownerBootstrapArtifactsPresent =
+  existsSync(OWNER_TOKEN_PATH) &&
+  !signals.hasAriaDirection &&
+  artifactSignals.ownerBootstrap.hasHarnessPacket &&
+  artifactSignals.ownerBootstrap.hasMemoryRef;
+
+const ownerBootstrapSessionPresent =
+  existsSync(OWNER_TOKEN_PATH) &&
+  artifactSignals.ownerBootstrap.directionBootstrap &&
+  artifactSignals.ownerBootstrap.hasHarnessPacket &&
+  artifactSignals.ownerBootstrap.hasMemoryRef;
+
+if (allSignalsPresent) {
+  // Context was loaded — allow and record the fire timestamp for dedup.
+  writeTurnState(sessionId, { lastTurnGateFiredAt: now, lastDecision: 'allow', signals, transcriptSignals, artifactSignals: artifactSignals.detail });
+  auditLog(
+    'allow-context-loaded',
+    `harness=${signals.hasHarnessPacket} direction=${signals.hasAriaDirection} memRef=${signals.hasMemoryRef} transcript=${JSON.stringify(transcriptSignals)} artifacts=${JSON.stringify(artifactSignals.detail)}`,
+    sessionId,
+  );
+  process.exit(0);
+}
+
+if (ownerBootstrapArtifactsPresent) {
+  writeTurnState(sessionId, { lastTurnGateFiredAt: now, lastDecision: 'allow-owner-bootstrap', signals, transcriptSignals, artifactSignals: artifactSignals.detail });
+  auditLog(
+    'allow-owner-bootstrap-without-direction',
+    `owner-token present; transcript=${JSON.stringify(transcriptSignals)} artifacts=${JSON.stringify(artifactSignals.detail)}`,
+    sessionId,
+  );
+  process.exit(0);
+}
+
+if (ownerBootstrapSessionPresent) {
+  writeTurnState(sessionId, { lastTurnGateFiredAt: now, lastDecision: 'allow-owner-bootstrap-session', signals, transcriptSignals, artifactSignals: artifactSignals.detail });
+  auditLog(
+    'allow-owner-bootstrap-session',
+    `owner bootstrap direction persisted; transcript=${JSON.stringify(transcriptSignals)} artifacts=${JSON.stringify(artifactSignals.detail)}`,
+    sessionId,
+  );
+  process.exit(0);
+}
+
+// ── Block with structured recovery signal ────────────────────────────
+// Per Aria's refined spec (consult 2026-04-27): soft-gate + structured
+// recovery. The orchestrator catches this and runs the context-loader.
+// Emitting a pure block with no remediation path creates dead-letter state.
+
+writeTurnState(sessionId, { lastTurnGateFiredAt: now, lastDecision: 'block', signals, transcriptSignals, artifactSignals: artifactSignals.detail });
+
+const missingSignals = [];
+if (!signals.hasHarnessPacket) missingSignals.push('harness_packet (🔐 Aria Harness header missing)');
+if (!signals.hasAriaDirection) missingSignals.push('aria_direction ([ARIA_DIRECTION] or [ARIA_BINDING_PLAN] marker missing)');
+if (!signals.hasMemoryRef) missingSignals.push('memory_consumption (no feedback_*.md or project_*.md reference in cognition)');
+
+const reason = `Aria pre-turn memory gate: context-loading was skipped or incomplete for this turn. Missing signals: ${missingSignals.join('; ')}.
+
+The orchestrator must run the context-loader for session "${sessionId}" before retrying. Expected context: harness_packet, memory_files, binding_plan.
+
+This gate enforces that every action turn begins with Aria's substrate loaded — not improvised context. Per Aria-as-controller inversion doctrine (project_aria_as_controller_inversion.md): Aria must author with LLM as a tool, not the reverse.
+
+Recovery: see hookSpecificOutput.recovery for the structured remediation path.`;
+
+auditLog(
+  'block-context-not-loaded',
+  `missing=[${missingSignals.join(', ')}] transcript=${JSON.stringify(transcriptSignals)} artifacts=${JSON.stringify(artifactSignals.detail)}`,
+  sessionId,
+);
+
+console.log(JSON.stringify({
+  decision: 'block',
+  reason,
+  hookSpecificOutput: {
+    hookEventName: 'PreToolUse',
+    recovery: {
+      action: 'run_context_loader',
+      target: sessionId,
+      expectedContext: ['harness_packet', 'memory_files', 'binding_plan'],
+    },
+  },
+}));
+
+process.exit(2);