npm - @aria_asi/cli - Versions diffs - 0.2.26 → 0.2.30 - Mend

@aria_asi/cli 0.2.26 → 0.2.30

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (253) hide show

package/CLIENT-ONBOARDING.md +282 -0
package/bin/aria.js +1140 -14
package/dist/aria-connector/src/auth-commands.d.ts +1 -0
package/dist/aria-connector/src/auth-commands.d.ts.map +1 -1
package/dist/aria-connector/src/auth-commands.js +89 -41
package/dist/aria-connector/src/auth-commands.js.map +1 -1
package/dist/aria-connector/src/chat.d.ts +3 -0
package/dist/aria-connector/src/chat.d.ts.map +1 -1
package/dist/aria-connector/src/chat.js +146 -8
package/dist/aria-connector/src/chat.js.map +1 -1
package/dist/aria-connector/src/codebase-scanner.d.ts +2 -2
package/dist/aria-connector/src/codebase-scanner.d.ts.map +1 -1
package/dist/aria-connector/src/codebase-scanner.js +1 -1
package/dist/aria-connector/src/codebase-scanner.js.map +1 -1
package/dist/aria-connector/src/config.d.ts +12 -0
package/dist/aria-connector/src/config.d.ts.map +1 -1
package/dist/aria-connector/src/config.js +2 -0
package/dist/aria-connector/src/config.js.map +1 -1
package/dist/aria-connector/src/connectors/claude-code.d.ts.map +1 -1
package/dist/aria-connector/src/connectors/claude-code.js +80 -24
package/dist/aria-connector/src/connectors/claude-code.js.map +1 -1
package/dist/aria-connector/src/connectors/codebase-awareness.d.ts +37 -0
package/dist/aria-connector/src/connectors/codebase-awareness.d.ts.map +1 -0
package/dist/aria-connector/src/connectors/codebase-awareness.js +335 -0
package/dist/aria-connector/src/connectors/codebase-awareness.js.map +1 -0
package/dist/aria-connector/src/connectors/codex.d.ts +3 -0
package/dist/aria-connector/src/connectors/codex.d.ts.map +1 -0
package/dist/aria-connector/src/connectors/codex.js +248 -0
package/dist/aria-connector/src/connectors/codex.js.map +1 -0
package/dist/aria-connector/src/connectors/cognitive-skills.d.ts +2 -0
package/dist/aria-connector/src/connectors/cognitive-skills.d.ts.map +1 -0
package/dist/aria-connector/src/connectors/cognitive-skills.js +47 -0
package/dist/aria-connector/src/connectors/cognitive-skills.js.map +1 -0
package/dist/aria-connector/src/connectors/opencode.d.ts.map +1 -1
package/dist/aria-connector/src/connectors/opencode.js +90 -4
package/dist/aria-connector/src/connectors/opencode.js.map +1 -1
package/dist/aria-connector/src/connectors/repo-git-hooks.d.ts +3 -0
package/dist/aria-connector/src/connectors/repo-git-hooks.d.ts.map +1 -0
package/dist/aria-connector/src/connectors/repo-git-hooks.js +87 -0
package/dist/aria-connector/src/connectors/repo-git-hooks.js.map +1 -0
package/dist/aria-connector/src/connectors/repo-guard.d.ts +19 -0
package/dist/aria-connector/src/connectors/repo-guard.d.ts.map +1 -0
package/dist/aria-connector/src/connectors/repo-guard.js +509 -0
package/dist/aria-connector/src/connectors/repo-guard.js.map +1 -0
package/dist/aria-connector/src/connectors/runtime.d.ts +2 -0
package/dist/aria-connector/src/connectors/runtime.d.ts.map +1 -0
package/dist/aria-connector/src/connectors/runtime.js +330 -0
package/dist/aria-connector/src/connectors/runtime.js.map +1 -0
package/dist/aria-connector/src/connectors/shell.d.ts.map +1 -1
package/dist/aria-connector/src/connectors/shell.js +78 -13
package/dist/aria-connector/src/connectors/shell.js.map +1 -1
package/dist/aria-connector/src/connectors/syncd.d.ts +27 -0
package/dist/aria-connector/src/connectors/syncd.d.ts.map +1 -0
package/dist/aria-connector/src/connectors/syncd.js +405 -0
package/dist/aria-connector/src/connectors/syncd.js.map +1 -0
package/dist/aria-connector/src/decisions.d.ts +207 -0
package/dist/aria-connector/src/decisions.d.ts.map +1 -0
package/dist/aria-connector/src/decisions.js +291 -0
package/dist/aria-connector/src/decisions.js.map +1 -0
package/dist/aria-connector/src/garden-control-plane.d.ts.map +1 -1
package/dist/aria-connector/src/garden-control-plane.js +74 -17
package/dist/aria-connector/src/garden-control-plane.js.map +1 -1
package/dist/aria-connector/src/github-connect.d.ts +18 -0
package/dist/aria-connector/src/github-connect.d.ts.map +1 -0
package/dist/aria-connector/src/github-connect.js +117 -0
package/dist/aria-connector/src/github-connect.js.map +1 -0
package/dist/aria-connector/src/harness-client.d.ts +15 -0
package/dist/aria-connector/src/harness-client.d.ts.map +1 -1
package/dist/aria-connector/src/harness-client.js +106 -3
package/dist/aria-connector/src/harness-client.js.map +1 -1
package/dist/aria-connector/src/hive-client.d.ts +30 -0
package/dist/aria-connector/src/hive-client.d.ts.map +1 -1
package/dist/aria-connector/src/hive-client.js +124 -5
package/dist/aria-connector/src/hive-client.js.map +1 -1
package/dist/aria-connector/src/index.d.ts +13 -2
package/dist/aria-connector/src/index.d.ts.map +1 -1
package/dist/aria-connector/src/index.js +10 -1
package/dist/aria-connector/src/index.js.map +1 -1
package/dist/aria-connector/src/lib/aristotle-noor-wire.d.ts +102 -0
package/dist/aria-connector/src/lib/aristotle-noor-wire.d.ts.map +1 -0
package/dist/aria-connector/src/lib/aristotle-noor-wire.js +231 -0
package/dist/aria-connector/src/lib/aristotle-noor-wire.js.map +1 -0
package/dist/aria-connector/src/providers/types.d.ts +5 -0
package/dist/aria-connector/src/providers/types.d.ts.map +1 -1
package/dist/aria-connector/src/runtime-proof.d.ts +45 -0
package/dist/aria-connector/src/runtime-proof.d.ts.map +1 -0
package/dist/aria-connector/src/runtime-proof.js +340 -0
package/dist/aria-connector/src/runtime-proof.js.map +1 -0
package/dist/aria-connector/src/self-update.d.ts +2 -1
package/dist/aria-connector/src/self-update.d.ts.map +1 -1
package/dist/aria-connector/src/self-update.js +84 -8
package/dist/aria-connector/src/self-update.js.map +1 -1
package/dist/aria-connector/src/setup-wizard.d.ts.map +1 -1
package/dist/aria-connector/src/setup-wizard.js +34 -2
package/dist/aria-connector/src/setup-wizard.js.map +1 -1
package/dist/assets/hooks/aria-agent-handoff.mjs +224 -0
package/dist/assets/hooks/aria-agent-ledger-merge.mjs +164 -0
package/dist/assets/hooks/aria-architect-fallback.mjs +267 -0
package/dist/assets/hooks/aria-cognition-substrate-binding.mjs +668 -0
package/dist/assets/hooks/aria-discovery-record.mjs +101 -0
package/dist/assets/hooks/aria-harness-via-sdk.mjs +412 -0
package/dist/assets/hooks/aria-import-resolution-gate.mjs +330 -0
package/dist/assets/hooks/aria-outcome-record.mjs +84 -0
package/dist/assets/hooks/aria-pre-emit-dryrun.mjs +294 -0
package/dist/assets/hooks/aria-pre-text-gate.mjs +112 -0
package/dist/assets/hooks/aria-pre-tool-gate.mjs +2133 -0
package/dist/assets/hooks/aria-preprompt-consult.mjs +438 -0
package/dist/assets/hooks/aria-preturn-memory-gate.mjs +570 -0
package/dist/assets/hooks/aria-repo-doctrine-gate.mjs +397 -0
package/dist/assets/hooks/aria-stop-gate.mjs +1551 -0
package/dist/assets/hooks/aria-trigger-autolearn.mjs +229 -0
package/dist/assets/hooks/aria-userprompt-abandon-detect.mjs +192 -0
package/dist/assets/hooks/doctrine_trigger_map.json +479 -0
package/dist/assets/hooks/lib/canonical-lenses.mjs +64 -0
package/dist/assets/hooks/lib/gate-audit.mjs +43 -0
package/dist/assets/hooks/test-aria-preturn-memory-gate.mjs +245 -0
package/dist/assets/hooks/test-tier-lens-labeling.mjs +399 -0
package/dist/assets/opencode-plugins/harness-context/index.js +60 -0
package/dist/assets/opencode-plugins/harness-context/inject-context.mjs +179 -0
package/dist/assets/opencode-plugins/harness-context/package.json +9 -0
package/dist/assets/opencode-plugins/harness-gate/index.js +248 -0
package/dist/assets/opencode-plugins/harness-outcome/index.js +129 -0
package/dist/assets/opencode-plugins/harness-role/index.js +77 -0
package/dist/assets/opencode-plugins/harness-role/package.json +9 -0
package/dist/assets/opencode-plugins/harness-stop/index.js +241 -0
package/dist/runtime/discipline/CLAUDE.md +339 -0
package/dist/runtime/discipline/skills/aria-cognition/aria-essence/SKILL.md +63 -0
package/dist/runtime/discipline/skills/aria-cognition/aria-essence/references/domain-matrix.md +80 -0
package/dist/runtime/discipline/skills/aria-cognition/aria-essence/references/evolution-loop.md +30 -0
package/dist/runtime/discipline/skills/aria-cognition/aria-essence/references/readable-cognition.md +27 -0
package/dist/runtime/discipline/skills/aria-cognition/aria-forge-guardrails/SKILL.md +35 -0
package/dist/runtime/discipline/skills/aria-cognition/aria-forge-guardrails/references/checklist.md +31 -0
package/dist/runtime/discipline/skills/aria-cognition/aria-repo-doctrine/SKILL.md +39 -0
package/dist/runtime/discipline/skills/aria-cognition/forge-quality-rules/SKILL.md +43 -0
package/dist/runtime/discipline/skills/aria-cognition/ghazali-8lens/SKILL.md +38 -0
package/dist/runtime/discipline/skills/aria-cognition/istiqra-induction/SKILL.md +26 -0
package/dist/runtime/discipline/skills/aria-cognition/ladunni-22/SKILL.md +35 -0
package/dist/runtime/discipline/skills/aria-cognition/mizan/SKILL.md +72 -0
package/dist/runtime/discipline/skills/aria-cognition/nadia/SKILL.md +38 -0
package/dist/runtime/discipline/skills/aria-cognition/nadia-psi/SKILL.md +38 -0
package/dist/runtime/discipline/skills/aria-cognition/predictor/SKILL.md +25 -0
package/dist/runtime/discipline/skills/aria-cognition/qiyas-analogy/SKILL.md +26 -0
package/dist/runtime/discipline/skills/aria-cognition/soul-domains/SKILL.md +25 -0
package/dist/runtime/discipline/skills/aria-harness/aria-aristotle-intra-phase/SKILL.md +81 -0
package/dist/runtime/discipline/skills/aria-harness/aria-aristotle-post-phase/SKILL.md +98 -0
package/dist/runtime/discipline/skills/aria-harness/aria-aristotle-pre-phase/SKILL.md +99 -0
package/dist/runtime/discipline/skills/aria-harness/aria-harness-deploy/SKILL.md +127 -0
package/dist/runtime/discipline/skills/aria-harness/aria-harness-no-stripping/SKILL.md +117 -0
package/dist/runtime/discipline/skills/aria-harness/aria-harness-onboarding/SKILL.md +112 -0
package/dist/runtime/discipline/skills/aria-harness/aria-harness-output-discipline/SKILL.md +102 -0
package/dist/runtime/discipline/skills/aria-harness/aria-harness-substrate-binding/SKILL.md +121 -0
package/dist/runtime/doctor.mjs +23 -0
package/dist/runtime/local-phase.mjs +650 -0
package/dist/runtime/manifest.json +15 -0
package/dist/runtime/mizan-scheduler.mjs +331 -0
package/dist/runtime/package.json +6 -0
package/dist/runtime/provider-proxy.mjs +594 -0
package/dist/runtime/sdk/BUNDLED.json +5 -0
package/dist/runtime/sdk/index.d.ts +477 -0
package/dist/runtime/sdk/index.js +1469 -0
package/dist/runtime/sdk/index.js.map +1 -0
package/dist/runtime/sdk/package.json +8 -0
package/dist/runtime/sdk/runWithCognition.d.ts +77 -0
package/dist/runtime/sdk/runWithCognition.js +157 -0
package/dist/runtime/sdk/runWithCognition.js.map +1 -0
package/dist/runtime/service.mjs +3058 -0
package/dist/runtime/vendor/aria-gate-runtime/index.d.ts +53 -0
package/dist/runtime/vendor/aria-gate-runtime/index.d.ts.map +1 -0
package/dist/runtime/vendor/aria-gate-runtime/index.js +292 -0
package/dist/runtime/vendor/aria-gate-runtime/index.js.map +1 -0
package/dist/runtime/vendor/aria-gate-runtime/package.json +6 -0
package/dist/sdk/BUNDLED.json +2 -2
package/dist/sdk/index.d.ts +283 -0
package/dist/sdk/index.js +622 -85
package/dist/sdk/index.js.map +1 -1
package/dist/sdk/runWithCognition.d.ts +77 -0
package/dist/sdk/runWithCognition.js +157 -0
package/dist/sdk/runWithCognition.js.map +1 -0
package/hooks/aria-agent-handoff.mjs +11 -1
package/hooks/aria-architect-fallback.mjs +109 -40
package/hooks/aria-cognition-substrate-binding.mjs +668 -0
package/hooks/aria-harness-via-sdk.mjs +34 -21
package/hooks/aria-import-resolution-gate.mjs +330 -0
package/hooks/aria-outcome-record.mjs +5 -1
package/hooks/aria-pre-emit-dryrun.mjs +294 -0
package/hooks/aria-pre-tool-gate.mjs +828 -41
package/hooks/aria-preprompt-consult.mjs +113 -13
package/hooks/aria-preturn-memory-gate.mjs +298 -6
package/hooks/aria-repo-doctrine-gate.mjs +397 -0
package/hooks/aria-stop-gate.mjs +739 -76
package/hooks/aria-userprompt-abandon-detect.mjs +5 -1
package/hooks/doctrine_trigger_map.json +209 -15
package/hooks/lib/canonical-lenses.mjs +64 -0
package/hooks/lib/gate-audit.mjs +43 -0
package/opencode-plugins/harness-context/index.js +1 -1
package/opencode-plugins/harness-context/inject-context.mjs +82 -23
package/opencode-plugins/harness-gate/index.js +248 -0
package/opencode-plugins/harness-outcome/index.js +129 -0
package/opencode-plugins/harness-stop/index.js +241 -0
package/package.json +9 -3
package/runtime-src/doctor.mjs +23 -0
package/runtime-src/local-phase.mjs +650 -0
package/runtime-src/mizan-scheduler.mjs +331 -0
package/runtime-src/provider-proxy.mjs +594 -0
package/runtime-src/service.mjs +3058 -0
package/scripts/bundle-sdk.mjs +317 -0
package/scripts/install-client.sh +176 -0
package/scripts/publish-all.sh +344 -0
package/scripts/publish-docker.sh +27 -0
package/scripts/validate-hook-contracts.mjs +54 -0
package/scripts/validate-skill-prompts.mjs +95 -0
package/skills/aria-cognition/aria-essence/SKILL.md +63 -0
package/skills/aria-cognition/aria-essence/references/domain-matrix.md +80 -0
package/skills/aria-cognition/aria-essence/references/evolution-loop.md +30 -0
package/skills/aria-cognition/aria-essence/references/readable-cognition.md +27 -0
package/skills/aria-cognition/aria-forge-guardrails/SKILL.md +35 -0
package/skills/aria-cognition/aria-forge-guardrails/references/checklist.md +31 -0
package/skills/aria-cognition/aria-repo-doctrine/SKILL.md +39 -0
package/skills/aria-cognition/forge-quality-rules/SKILL.md +43 -0
package/skills/aria-cognition/ghazali-8lens/SKILL.md +38 -0
package/skills/aria-cognition/istiqra-induction/SKILL.md +26 -0
package/skills/aria-cognition/ladunni-22/SKILL.md +35 -0
package/skills/aria-cognition/mizan/SKILL.md +72 -0
package/skills/aria-cognition/nadia/SKILL.md +38 -0
package/skills/aria-cognition/nadia-psi/SKILL.md +38 -0
package/skills/aria-cognition/predictor/SKILL.md +25 -0
package/skills/aria-cognition/qiyas-analogy/SKILL.md +26 -0
package/skills/aria-cognition/soul-domains/SKILL.md +25 -0
package/src/auth-commands.ts +111 -45
package/src/chat.ts +174 -13
package/src/codebase-scanner.ts +4 -0
package/src/config.ts +15 -0
package/src/connectors/claude-code.ts +79 -25
package/src/connectors/codebase-awareness.ts +408 -0
package/src/connectors/codex.ts +274 -0
package/src/connectors/cognitive-skills.ts +51 -0
package/src/connectors/opencode.ts +93 -4
package/src/connectors/repo-git-hooks.ts +86 -0
package/src/connectors/repo-guard.ts +589 -0
package/src/connectors/runtime.ts +374 -0
package/src/connectors/shell.ts +83 -14
package/src/connectors/syncd.ts +488 -0
package/src/decisions.ts +469 -0
package/src/garden-control-plane.ts +101 -26
package/src/github-connect.ts +143 -0
package/src/harness-client.ts +128 -3
package/src/hive-client.ts +165 -5
package/src/index.ts +41 -2
package/src/lib/aristotle-noor-wire.ts +310 -0
package/src/providers/types.ts +6 -0
package/src/runtime-proof.ts +392 -0
package/src/self-update.ts +89 -8
package/src/setup-wizard.ts +37 -2

package/src/connectors/repo-guard.ts ADDED Viewed

@@ -0,0 +1,589 @@
+import chokidar from 'chokidar';
+import { execFileSync } from 'child_process';
+import { createHash } from 'crypto';
+import {
+  existsSync,
+  mkdirSync,
+  readdirSync,
+  readFileSync,
+  statSync,
+  renameSync,
+  writeFileSync,
+} from 'fs';
+import { homedir } from 'os';
+import * as path from 'path';
+import { fileURLToPath } from 'node:url';
+import type { AriaConfig } from '../config.js';
+import { loadConfig } from '../config.js';
+const ARIA_DIR = path.join(homedir(), '.aria');
+const BIN_DIR = path.join(ARIA_DIR, 'bin');
+const ENV_PATH = path.join(ARIA_DIR, 'repo-guard.env');
+const STATE_PATH = path.join(ARIA_DIR, 'repo-guard-state.json');
+const EVENTS_PATH = path.join(ARIA_DIR, 'repo-guard-events.jsonl');
+const LAST_ALERT_PATH = path.join(ARIA_DIR, 'repo-guard-last-alert.json');
+const SHADOW_ROOT = path.join(ARIA_DIR, 'repo-guard', 'shadow');
+const QUARANTINE_ROOT = path.join(ARIA_DIR, 'repo-guard', 'quarantine');
+const DEFAULT_DEBOUNCE_MS = Number(process.env.ARIA_REPO_GUARD_DEBOUNCE_MS || 350);
+const BLOCKING_MODE = !/^(0|false|no)$/i.test(process.env.ARIA_REPO_GUARD_BLOCKING || 'true');
+const DOCTRINE_PREFIXES = ['apps/', 'packages/', 'harness/', 'ops/', 'scripts/'];
+const DOCTRINE_EXTENSIONS = new Set([
+  '.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs',
+  '.py', '.sh', '.bash', '.zsh', '.rb', '.go',
+  '.rs', '.java', '.kt', '.cs', '.php', '.swift',
+  '.scala', '.yml', '.yaml',
+]);
+const IGNORED_SEGMENTS = new Set([
+  '.git',
+  'node_modules',
+  'dist',
+  'build',
+  '.next',
+  '.turbo',
+  '.cache',
+  'coverage',
+  'archive',
+  'generated',
+  'telegram_env',
+  'backup-opencode-config',
+  'training-data',
+]);
+type GuardStatus = 'idle' | 'watching' | 'violation' | 'error';
+interface GuardState {
+  status: GuardStatus;
+  watchedRepos: string[];
+  lastEvent: string | null;
+  lastViolation: string | null;
+  lastError: string | null;
+  updatedAt: string;
+}
+interface RepoGuardOptions {
+  repos?: string[];
+  debounceMs?: number;
+}
+interface AlertPayload {
+  title: string;
+  message: string;
+  repoRoot?: string;
+  relPath?: string;
+  action?: string;
+  detail?: string;
+  type: 'violation' | 'blocked-delete' | 'watcher-error' | 'status';
+}
+function writeState(update: Partial<GuardState>): GuardState {
+  const current = readGuardState();
+  const next: GuardState = {
+    ...current,
+    ...update,
+    updatedAt: new Date().toISOString(),
+  };
+  mkdirSync(ARIA_DIR, { recursive: true, mode: 0o700 });
+  writeFileSync(STATE_PATH, JSON.stringify(next, null, 2) + '\n', { mode: 0o600 });
+  return next;
+}
+export function readGuardState(): GuardState {
+  try {
+    const parsed = JSON.parse(readFileSync(STATE_PATH, 'utf8')) as Partial<GuardState>;
+    return {
+      status: parsed.status || 'idle',
+      watchedRepos: Array.isArray(parsed.watchedRepos) ? parsed.watchedRepos : [],
+      lastEvent: parsed.lastEvent || null,
+      lastViolation: parsed.lastViolation || null,
+      lastError: parsed.lastError || null,
+      updatedAt: parsed.updatedAt || new Date(0).toISOString(),
+    };
+  } catch {
+    return {
+      status: 'idle',
+      watchedRepos: [],
+      lastEvent: null,
+      lastViolation: null,
+      lastError: null,
+      updatedAt: new Date(0).toISOString(),
+    };
+  }
+}
+function appendEvent(payload: Record<string, unknown>): void {
+  mkdirSync(ARIA_DIR, { recursive: true, mode: 0o700 });
+  writeFileSync(EVENTS_PATH, JSON.stringify({
+    ts: new Date().toISOString(),
+    ...payload,
+  }) + '\n', { mode: 0o600, flag: 'a' });
+}
+function writeAlert(payload: AlertPayload): void {
+  mkdirSync(ARIA_DIR, { recursive: true, mode: 0o700 });
+  writeFileSync(LAST_ALERT_PATH, JSON.stringify({
+    ts: new Date().toISOString(),
+    ...payload,
+  }, null, 2) + '\n', { mode: 0o600 });
+}
+function tryDesktopNotify(title: string, message: string): void {
+  try {
+    execFileSync('notify-send', [title, message], { stdio: 'ignore' });
+  } catch {}
+}
+function emitAlert(payload: AlertPayload): void {
+  const lines = [
+    `[aria-repo-guard] ${payload.title}`,
+    payload.repoRoot && payload.relPath ? `path=${payload.repoRoot}:${payload.relPath}` : null,
+    payload.action ? `action=${payload.action}` : null,
+    payload.detail ? `detail=${payload.detail}` : null,
+    payload.message,
+  ].filter(Boolean);
+  writeAlert(payload);
+  console.error(lines.join('\n'));
+  tryDesktopNotify(payload.title, payload.repoRoot && payload.relPath
+    ? `${payload.relPath}\n${payload.message}`
+    : payload.message);
+}
+function writeWrapper(binPath: string, args: string[]): void {
+  const ariaBin = path.join(connectorPackageRoot(), 'bin', 'aria.js');
+  writeFileSync(
+    binPath,
+    `#!/usr/bin/env bash\nexec node "${ariaBin}" ${args.join(' ')} "$@"\n`,
+    { mode: 0o755 },
+  );
+}
+function connectorPackageRoot(): string {
+  const here = path.dirname(fileURLToPath(import.meta.url));
+  const candidates = [
+    path.resolve(here, '..', '..'),
+    path.resolve(here, '..', '..', '..', '..'),
+  ];
+  for (const candidate of candidates) {
+    if (existsSync(path.join(candidate, 'bin', 'aria.js')) && existsSync(path.join(candidate, 'package.json'))) {
+      return candidate;
+    }
+  }
+  return candidates[candidates.length - 1];
+}
+function normalizeRel(input: string): string {
+  return input.split(path.sep).join('/');
+}
+function repoHash(repoRoot: string): string {
+  return createHash('sha256').update(repoRoot).digest('hex').slice(0, 16);
+}
+function shadowPath(repoRoot: string, relPath: string): string {
+  return path.join(SHADOW_ROOT, repoHash(repoRoot), relPath);
+}
+function quarantinePath(repoRoot: string, relPath: string): string {
+  const stamped = `${Date.now()}-${relPath.replace(/[\\/]/g, '__')}`;
+  return path.join(QUARANTINE_ROOT, repoHash(repoRoot), stamped);
+}
+function ensureParent(filePath: string): void {
+  mkdirSync(path.dirname(filePath), { recursive: true, mode: 0o755 });
+}
+function looksLikeRepoRoot(candidate: string): boolean {
+  return existsSync(path.join(candidate, '.git'));
+}
+function findRepoRoot(startDir: string): string | null {
+  let current = path.resolve(startDir);
+  while (true) {
+    if (looksLikeRepoRoot(current)) return current;
+    const parent = path.dirname(current);
+    if (parent === current) return null;
+    current = parent;
+  }
+}
+function resolveRepos(config?: AriaConfig, explicit?: string[], fallbackRepoPath?: string): string[] {
+  if (explicit?.length) return explicit.map((repo) => path.resolve(repo)).filter(looksLikeRepoRoot);
+  const envRepos = process.env.ARIA_REPO_GUARD_REPOS?.split(path.delimiter)
+    .map((repo) => repo.trim())
+    .filter(Boolean) || [];
+  if (envRepos.length) return envRepos.map((repo) => path.resolve(repo)).filter(looksLikeRepoRoot);
+  const loaded = config || loadConfig();
+  const configured = (loaded.repositories || [])
+    .map((repo) => path.resolve(repo.path))
+    .filter(looksLikeRepoRoot);
+  if (configured.length) return configured;
+  if (fallbackRepoPath) {
+    const resolvedFallback = findRepoRoot(fallbackRepoPath);
+    if (resolvedFallback) return [resolvedFallback];
+  }
+  const cwd = findRepoRoot(process.cwd());
+  return cwd ? [cwd] : [];
+}
+function isDoctrineBound(relPath: string): boolean {
+  const normalized = normalizeRel(relPath);
+  if (!DOCTRINE_PREFIXES.some((prefix) => normalized.startsWith(prefix))) return false;
+  if (!DOCTRINE_EXTENSIONS.has(path.extname(normalized))) return false;
+  const parts = normalized.split('/');
+  if (parts.some((part) => IGNORED_SEGMENTS.has(part))) return false;
+  if (normalized.endsWith('.map')) return false;
+  if (/package-lock\.json$|pnpm-lock\.yaml$|yarn\.lock$/i.test(normalized)) return false;
+  return true;
+}
+function walkDoctrineFiles(repoRoot: string): string[] {
+  const found: string[] = [];
+  function visit(absPath: string): void {
+    const stat = statSync(absPath);
+    if (stat.isDirectory()) {
+      const base = path.basename(absPath);
+      if (IGNORED_SEGMENTS.has(base)) return;
+      for (const child of readdirSync(absPath)) {
+        visit(path.join(absPath, child));
+      }
+      return;
+    }
+    const rel = path.relative(repoRoot, absPath);
+    if (isDoctrineBound(rel)) found.push(absPath);
+  }
+  for (const prefix of DOCTRINE_PREFIXES) {
+    const abs = path.join(repoRoot, prefix.slice(0, -1));
+    if (existsSync(abs)) visit(abs);
+  }
+  return found;
+}
+function gateFile(repoRoot: string, relPath: string): { ok: true } | { ok: false; detail: string } {
+  const hookPath = path.join(homedir(), '.claude', 'hooks', 'aria-repo-doctrine-gate.mjs');
+  try {
+    execFileSync('node', [hookPath, '--repo', repoRoot, '--paths', relPath], {
+      stdio: ['ignore', 'pipe', 'pipe'],
+      encoding: 'utf8',
+    });
+    return { ok: true };
+  } catch (error) {
+    const detail = error instanceof Error && 'stderr' in error
+      ? String((error as { stderr?: string }).stderr || (error as { stdout?: string }).stdout || error.message)
+      : String(error);
+    return { ok: false, detail: detail.trim() || 'aria repo doctrine gate rejected the file' };
+  }
+}
+function writeShadow(repoRoot: string, relPath: string, content: string): void {
+  const dst = shadowPath(repoRoot, relPath);
+  ensureParent(dst);
+  writeFileSync(dst, content, { mode: 0o600 });
+}
+function readShadowContent(repoRoot: string, relPath: string): string | null {
+  const shadow = shadowPath(repoRoot, relPath);
+  if (!existsSync(shadow)) return null;
+  try {
+    return readFileSync(shadow, 'utf8');
+  } catch {
+    return null;
+  }
+}
+function readTrackedContent(repoRoot: string, relPath: string): string | null {
+  try {
+    return execFileSync('git', ['-C', repoRoot, 'show', `HEAD:${normalizeRel(relPath)}`], {
+      stdio: ['ignore', 'pipe', 'ignore'],
+      encoding: 'utf8',
+    });
+  } catch {
+    return null;
+  }
+}
+function recoveryContent(repoRoot: string, relPath: string): string | null {
+  return readShadowContent(repoRoot, relPath) ?? readTrackedContent(repoRoot, relPath);
+}
+function restorePriorContent(repoRoot: string, absPath: string, relPath: string): 'restored' | 'moved' | 'none' {
+  const prior = recoveryContent(repoRoot, relPath);
+  if (prior !== null) {
+    ensureParent(absPath);
+    writeFileSync(absPath, prior, { mode: 0o644 });
+    writeShadow(repoRoot, relPath, prior);
+    return 'restored';
+  }
+  if (!existsSync(absPath)) return 'none';
+  const movedDst = quarantinePath(repoRoot, relPath);
+  ensureParent(movedDst);
+  renameSync(absPath, movedDst);
+  return 'moved';
+}
+function initializeBaseline(repoRoot: string): void {
+  for (const absPath of walkDoctrineFiles(repoRoot)) {
+    const relPath = path.relative(repoRoot, absPath);
+    try {
+      writeShadow(repoRoot, relPath, readFileSync(absPath, 'utf8'));
+    } catch {}
+  }
+}
+function handleViolation(repoRoot: string, absPath: string, relPath: string, detail: string): void {
+  const fileContent = existsSync(absPath) ? readFileSync(absPath, 'utf8') : '';
+  const quarantineDst = quarantinePath(repoRoot, relPath);
+  ensureParent(quarantineDst);
+  writeFileSync(quarantineDst, fileContent, { mode: 0o600 });
+  const action = BLOCKING_MODE ? restorePriorContent(repoRoot, absPath, relPath) : 'none';
+  const summary = `${repoRoot}:${relPath}`;
+  writeState({ status: 'violation', lastViolation: summary, lastEvent: summary, lastError: detail });
+  appendEvent({
+    type: 'violation',
+    repoRoot,
+    relPath,
+    quarantineDst,
+    blockingMode: BLOCKING_MODE,
+    action,
+    detail,
+  });
+  emitAlert({
+    type: 'violation',
+    title: 'Aria Repo Guard blocked a doctrine violation',
+    message: BLOCKING_MODE
+      ? 'The changed file was quarantined and the last known good content was restored.'
+      : 'A doctrine violation was detected while repo guard was in non-blocking mode.',
+    repoRoot,
+    relPath,
+    action,
+    detail,
+  });
+}
+function handleDeletedDoctrineFile(repoRoot: string, absPath: string, relPath: string): void {
+  const action = BLOCKING_MODE ? restorePriorContent(repoRoot, absPath, relPath) : 'none';
+  if (action === 'none') return;
+  const summary = `${repoRoot}:${relPath}`;
+  writeState({ status: 'violation', lastViolation: summary, lastEvent: summary, lastError: 'Doctrine-bound deletion blocked.' });
+  appendEvent({
+    type: 'blocked-delete',
+    repoRoot,
+    relPath,
+    blockingMode: BLOCKING_MODE,
+    action,
+  });
+  emitAlert({
+    type: 'blocked-delete',
+    title: 'Aria Repo Guard blocked a doctrine-bound deletion',
+    message: 'A doctrine-bound file deletion was intercepted and restored.',
+    repoRoot,
+    relPath,
+    action,
+    detail: 'Doctrine-bound deletion blocked.',
+  });
+}
+function shouldIgnoreWatch(absPath: string): boolean {
+  const parts = normalizeRel(absPath).split('/');
+  return parts.some((part) => IGNORED_SEGMENTS.has(part));
+}
+function findOwningRepo(repos: string[], absPath: string): string | null {
+  const resolved = path.resolve(absPath);
+  for (const repo of repos) {
+    if (resolved === repo || resolved.startsWith(`${repo}${path.sep}`)) return repo;
+  }
+  return null;
+}
+function processChangedFile(repoRoot: string, absPath: string): void {
+  const relPath = path.relative(repoRoot, absPath);
+  if (!isDoctrineBound(relPath)) return;
+  if (!existsSync(absPath)) {
+    handleDeletedDoctrineFile(repoRoot, absPath, relPath);
+    return;
+  }
+  if (statSync(absPath).isDirectory()) return;
+  const gate = gateFile(repoRoot, relPath);
+  if (gate.ok) {
+    writeShadow(repoRoot, relPath, readFileSync(absPath, 'utf8'));
+    const summary = `${repoRoot}:${relPath}`;
+    writeState({ status: 'watching', lastEvent: summary, lastError: null });
+    return;
+  }
+  handleViolation(repoRoot, absPath, relPath, gate.detail);
+}
+export async function startRepoGuardDaemon(options: RepoGuardOptions = {}): Promise<void> {
+  const repos = resolveRepos(undefined, options.repos);
+  if (!repos.length) {
+    writeState({ status: 'error', watchedRepos: [], lastError: 'No git repositories configured for repo guard.' });
+    throw new Error('No git repositories configured for repo guard.');
+  }
+  mkdirSync(SHADOW_ROOT, { recursive: true, mode: 0o700 });
+  mkdirSync(QUARANTINE_ROOT, { recursive: true, mode: 0o700 });
+  for (const repo of repos) initializeBaseline(repo);
+  writeState({ status: 'watching', watchedRepos: repos, lastError: null });
+  emitAlert({
+    type: 'status',
+    title: 'Aria Repo Guard watching repositories',
+    message: `Watching ${repos.length} repo(s) for doctrine-bound changes.`,
+  });
+  const pending = new Map<string, NodeJS.Timeout>();
+  const restoring = new Map<string, number>();
+  const debounceMs = options.debounceMs ?? DEFAULT_DEBOUNCE_MS;
+  const watcher = chokidar.watch(repos, {
+    ignoreInitial: true,
+    ignored: shouldIgnoreWatch,
+    awaitWriteFinish: {
+      stabilityThreshold: Math.max(200, debounceMs),
+      pollInterval: 50,
+    },
+  });
+  function schedule(absPath: string): void {
+    const repoRoot = findOwningRepo(repos, absPath);
+    if (!repoRoot) return;
+    const prior = pending.get(absPath);
+    if (prior) clearTimeout(prior);
+    const timer = setTimeout(() => {
+      pending.delete(absPath);
+      const restoredAt = restoring.get(absPath);
+      if (restoredAt && Date.now() - restoredAt < 1500) {
+        restoring.delete(absPath);
+        return;
+      }
+      const relPath = path.relative(repoRoot, absPath);
+      if (!isDoctrineBound(relPath)) return;
+      if (!existsSync(absPath)) {
+        handleDeletedDoctrineFile(repoRoot, absPath, relPath);
+        return;
+      }
+      const gate = gateFile(repoRoot, relPath);
+      if (gate.ok) {
+        if (!statSync(absPath).isDirectory()) {
+          writeShadow(repoRoot, relPath, readFileSync(absPath, 'utf8'));
+        }
+        writeState({ status: 'watching', lastEvent: `${repoRoot}:${relPath}`, lastError: null });
+        return;
+      }
+      restoring.set(absPath, Date.now());
+      handleViolation(repoRoot, absPath, relPath, gate.detail);
+    }, debounceMs);
+    pending.set(absPath, timer);
+  }
+  watcher
+    .on('add', schedule)
+    .on('change', schedule)
+    .on('unlink', schedule)
+    .on('error', (error) => {
+      const detail = error instanceof Error ? error.message : String(error);
+      writeState({ status: 'error', lastError: detail });
+      appendEvent({ type: 'watcher-error', detail });
+      emitAlert({
+        type: 'watcher-error',
+        title: 'Aria Repo Guard watcher error',
+        message: 'The repo guard watcher hit an error and needs attention.',
+        detail,
+      });
+    });
+}
+function writeRepoGuardEnv(repos: string[]): string {
+  mkdirSync(ARIA_DIR, { recursive: true, mode: 0o700 });
+  writeFileSync(
+    ENV_PATH,
+    [
+      `ARIA_REPO_GUARD_REPOS=${repos.join(path.delimiter)}`,
+      `ARIA_REPO_GUARD_DEBOUNCE_MS=${String(DEFAULT_DEBOUNCE_MS)}`,
+      'ARIA_REPO_GUARD_BLOCKING=true',
+      '',
+    ].join('\n'),
+    { mode: 0o600 },
+  );
+  return ENV_PATH;
+}
+function installSystemdUserService(logs: string[]): void {
+  const systemctlPath = '/bin/systemctl';
+  if (process.platform !== 'linux' || !existsSync(systemctlPath)) return;
+  const serviceDir = path.join(homedir(), '.config', 'systemd', 'user');
+  const servicePath = path.join(serviceDir, 'aria-repo-guard.service');
+  mkdirSync(serviceDir, { recursive: true, mode: 0o755 });
+  const unit = [
+    '[Unit]',
+    'Description=Aria Repo Doctrine Guard',
+    'After=network.target',
+    '',
+    '[Service]',
+    'Type=simple',
+    `EnvironmentFile=-${ENV_PATH}`,
+    `ExecStart=${path.join(BIN_DIR, 'aria-repo-guard')} start`,
+    'Restart=always',
+    'RestartSec=2',
+    '',
+    '[Install]',
+    'WantedBy=default.target',
+    '',
+  ].join('\n');
+  writeFileSync(servicePath, unit, { mode: 0o644 });
+  logs.push(`Installed systemd user unit → ${servicePath}`);
+  try {
+    execFileSync(systemctlPath, ['--user', 'daemon-reload'], { stdio: 'ignore' });
+    execFileSync(systemctlPath, ['--user', 'enable', '--now', 'aria-repo-guard.service'], { stdio: 'ignore' });
+    logs.push('Enabled and started systemd user service: aria-repo-guard.service');
+  } catch (error) {
+    logs.push(`⚠ repo guard service installed but not activated: ${error instanceof Error ? error.message : String(error)}`);
+  }
+}
+export async function installRepoGuardDaemon(config?: AriaConfig, fallbackRepoPath?: string): Promise<string[]> {
+  const repos = resolveRepos(config, undefined, fallbackRepoPath);
+  const logs: string[] = [];
+  if (!repos.length) {
+    logs.push('Skipped repo guard install: no git repositories configured.');
+    return logs;
+  }
+  mkdirSync(BIN_DIR, { recursive: true, mode: 0o755 });
+  mkdirSync(SHADOW_ROOT, { recursive: true, mode: 0o700 });
+  mkdirSync(QUARANTINE_ROOT, { recursive: true, mode: 0o700 });
+  const envPath = writeRepoGuardEnv(repos);
+  writeWrapper(path.join(BIN_DIR, 'aria-repo-guard'), ['repo-guard']);
+  installSystemdUserService(logs);
+  logs.push(`Installed repo guard wrapper → ${path.join(BIN_DIR, 'aria-repo-guard')}`);
+  logs.push(`Installed repo guard env → ${envPath}`);
+  logs.push(`Repo guard watching ${repos.length} repos`);
+  return logs;
+}