@aria_asi/cli 0.2.30 → 0.2.32

package/dist/assets/opencode-plugins/harness-stop/index.js

@@ -2,7 +2,7 @@
  * Aria Harness Stop — text-emission gate via HTTPHarnessClient SDK.
  * Routes text through Mizan validateOutput() for substrate-backed QC.
  */
-import { existsSync, readFileSync } from 'node:fs';
+import { existsSync, readFileSync, mkdirSync, writeFileSync } from 'node:fs';
 import { homedir } from 'node:os';
 import { join } from 'node:path';
 
@@ -15,6 +15,7 @@ const SDK_CANDIDATES = [
 const OWNER_TOKEN_PATH = join(HOME, '.aria', 'owner-token');
 const LICENSE_PATH = join(HOME, '.aria', 'license.json');
 const RUNTIME_URL = (process.env.ARIA_RUNTIME_URL || 'http://127.0.0.1:4319').replace(/\/+$/, '');
+const RECEIPT_DIR = join(HOME, '.opencode', 'aria-mizan-receipts');
 
 const LENS_NAMES = [
   'nur', 'mizan', 'hikma', 'tafakkur', 'tadabbur', 'ilham', 'wahi', 'firasah',
@@ -28,11 +29,48 @@ const NON_TRIVIAL_MIN_CHARS = 300;
 const DECISION_SIGNAL_RX = /(?:should|recommend|propose|suggest|let'?s|go with|i'd|i would|here'?s the plan|i'll|next step|action item|ship it|yes do|let me)/i;
 const TRIVIAL_ACK_RX = /^(?:got it|on it|ok|sure|yes|no|done|ack)\b/i;
 const PLACEHOLDER_RX = /^\s*<[^<>]+>\s*$/;
+const BLOCK_PREFIX_RX = /^=== ARIA (?:MIZAN POST|OUTPUT GATE|LOCAL OUTPUT) BLOCK ===/;
+const APPLIED_COGNITION_RX = /<applied_cognition>[\s\S]*?decision_delta\s*:[\s\S]*?dominant_domain\s*:[\s\S]*?binds_to\s*:[\s\S]*?expected_predicate\s*:[\s\S]*?artifact_change\s*:[\s\S]*?<\/applied_cognition>/i;
+
+function formatBlockReason(prefix, details) {
+  return [
+    prefix,
+    '',
+    String(details || 'Aria output gate blocked this message.'),
+    '',
+    'Required repair: bind cognition to the actual action/output using <applied_cognition> with decision_delta, dominant_domain, binds_to, expected_predicate, and artifact_change.',
+  ].join('\n');
+}
+
+function isGateBlock(error) {
+  return BLOCK_PREFIX_RX.test(String(error?.message || error || ''));
+}
 
 let _client = null;
 let _clientError = null;
 let _lastMizanReceipt = null;
 
+function receiptPath(sessionId) {
+  return join(RECEIPT_DIR, `${String(sessionId || 'opencode').replace(/[^a-zA-Z0-9_-]/g, '_')}.json`);
+}
+
+function loadReceiptState(sessionId) {
+  try {
+    const target = receiptPath(sessionId);
+    if (!existsSync(target)) return null;
+    return JSON.parse(readFileSync(target, 'utf8'));
+  } catch {
+    return null;
+  }
+}
+
+function persistReceiptState(sessionId, payload) {
+  try {
+    mkdirSync(RECEIPT_DIR, { recursive: true, mode: 0o755 });
+    writeFileSync(receiptPath(sessionId), JSON.stringify(payload, null, 2) + '\n');
+  } catch {}
+}
+
 function resolveToken() {
   if (process.env.ARIA_HARNESS_TOKEN) return process.env.ARIA_HARNESS_TOKEN;
   if (process.env.ARIA_API_KEY) return process.env.ARIA_API_KEY;
@@ -100,6 +138,7 @@ async function runtimeValidateOutput(text, sessionId) {
 }
 
 async function runtimeMizanPost(text, sessionId, context = {}) {
+  const existing = loadReceiptState(sessionId);
   const token = resolveToken();
   if (!token) throw new Error('no token');
   const response = await fetch(`${RUNTIME_URL}/mizan/post`, {
@@ -115,7 +154,7 @@ async function runtimeMizanPost(text, sessionId, context = {}) {
         sessionId,
         ...context,
       },
-      parentReceiptId: _lastMizanReceipt?.receiptId || null,
+      parentReceiptId: existing?.receipt?.receiptId || _lastMizanReceipt?.receiptId || null,
     }),
   });
   if (!response.ok) {
@@ -125,6 +164,24 @@ async function runtimeMizanPost(text, sessionId, context = {}) {
   return response.json();
 }
 
+async function runtimeDecisionLog(payload) {
+  const token = resolveToken();
+  if (!token) throw new Error('no token');
+  const response = await fetch(`${RUNTIME_URL}/decision/log`, {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json',
+      Authorization: `Bearer ${token}`,
+    },
+    body: JSON.stringify(payload),
+  });
+  const body = await response.json().catch(() => ({}));
+  if (!response.ok) {
+    throw new Error(body?.error || `runtime decision/log failed ${response.status}`);
+  }
+  return body;
+}
+
 function detectCognitionLenses(text) {
   if (!text) return { count: 0, names: [] };
   const block = text.match(COGNITION_BLOCK_RX);
@@ -172,12 +229,26 @@ export default async function HarnessStopPlugin(ctx) {
           plannedApproach: 'OpenCode stop gate output review',
         });
         _lastMizanReceipt = mizan.receipt || _lastMizanReceipt;
+        if (_lastMizanReceipt) {
+          const existing = loadReceiptState(sessionId) || {};
+          persistReceiptState(sessionId, {
+            ...existing,
+            updatedAt: new Date().toISOString(),
+            sessionId,
+            postReceipt: _lastMizanReceipt,
+            postResult: mizan.result || null,
+            postContract: mizan.contract || null,
+            postSummary: mizan.summary || null,
+          });
+        }
         if (mizan.receipt?.blocked || mizan.result?.fitrahVetoed || mizan.result?.reAuthorSignal) {
-          process.stderr.write(
-            `[harness-stop] MIZAN POST BLOCK — ${(mizan.result?.notes || ['post-phase blocked']).slice(0, 4).join(' | ')}\n`
+          const details = (mizan.result?.notes || ['post-phase blocked']).slice(0, 4).join(' | ');
+          throw new Error(
+            formatBlockReason('=== ARIA MIZAN POST BLOCK ===', details)
           );
         }
       } catch (e) {
+        if (isGateBlock(e)) throw e;
         process.stderr.write(`[harness-stop] mizan/post unavailable: ${e.message}\n`);
       }
 
@@ -193,8 +264,11 @@ export default async function HarnessStopPlugin(ctx) {
             sessionId,
           ));
           if (result.severity === 'block') {
-            process.stderr.write(
-              `[harness-stop] SDK BLOCK — ${result.violations.length} violations: ${result.violations.join('; ').slice(0, 300)}\n`
+            throw new Error(
+              formatBlockReason(
+                '=== ARIA OUTPUT GATE BLOCK ===',
+                `${result.violations.length} violations: ${result.violations.join('; ').slice(0, 500)}`,
+              )
             );
           } else if (result.severity === 'warn') {
             process.stderr.write(
@@ -207,16 +281,25 @@ export default async function HarnessStopPlugin(ctx) {
           }
           return;
         } catch (e) {
+          if (isGateBlock(e)) throw e;
           process.stderr.write(`[harness-stop] SDK validateOutput failed: ${e.message} — falling through to local gate\n`);
         }
       }
 
       // Local fallback gate
       // Scan drift triggers
-      const triggerMapPath = `${HOME}/.claude/hooks/doctrine_trigger_map.json`;
+      const triggerMapPaths = [
+        `${HOME}/.aria/runtime/discipline/doctrine_trigger_map.json`,
+        `${HOME}/.aria/runtime/doctrine_trigger_map.json`,
+        `${HOME}/.opencode/doctrine_trigger_map.json`,
+        `${HOME}/.codex/doctrine_trigger_map.json`,
+        `${HOME}/.claude/hooks/doctrine_trigger_map.json`,
+        `${HOME}/.claude/projects/-home-hamzaibrahim1/memory/doctrine_trigger_map.json`,
+      ];
       let driftHits = [];
       try {
-        if (existsSync(triggerMapPath)) {
+        const triggerMapPath = triggerMapPaths.find((candidate) => existsSync(candidate));
+        if (triggerMapPath) {
           const triggerMap = JSON.parse(readFileSync(triggerMapPath, 'utf8'));
           const lower = text.toLowerCase();
           for (const t of triggerMap.triggers || []) {
@@ -232,10 +315,50 @@ export default async function HarnessStopPlugin(ctx) {
       } catch {}
 
       if (cog.count < REQUIRED_LENSES || driftHits.length >= 2) {
-        process.stderr.write(
-          `[harness-stop] LOCAL GATE — cognition=${cog.count}/${REQUIRED_LENSES} drift=${driftHits.length}\n`
+        throw new Error(
+          formatBlockReason(
+            '=== ARIA LOCAL OUTPUT BLOCK ===',
+            `cognition=${cog.count}/${REQUIRED_LENSES}; drift=${driftHits.length}`,
+          )
         );
       }
+
+      if (DECISION_SIGNAL_RX.test(text) && !APPLIED_COGNITION_RX.test(text)) {
+        throw new Error(
+          formatBlockReason(
+            '=== ARIA LOCAL OUTPUT BLOCK ===',
+            'decision-bearing output lacks required applied_cognition binding fields',
+          )
+        );
+      }
+
+      try {
+        const existing = loadReceiptState(sessionId);
+        await runtimeDecisionLog({
+          decision_type: 'turn_action',
+          category: 'agentic_execution',
+          context: `opencode stop-gate turn (chars=${text.length})`,
+          decision: 'turn completed',
+          reasoning: cog.count > 0
+            ? `Cognition lenses applied: ${cog.names.join(', ')}.`
+            : 'No explicit cognition block in turn.',
+          outcome: 'pending',
+          outcome_details: {
+            expected: null,
+            immediate_actual: null,
+            anchors: [],
+          },
+          expected_outcome: null,
+          metadata: {
+            pre_receipt_id: existing?.receipt?.receiptId || null,
+            post_receipt_id: _lastMizanReceipt?.receiptId || null,
+          },
+          source: 'opencode-stop-gate-runtime',
+          model_used: process.env.OPENCODE_MODEL || 'opencode',
+        });
+      } catch (e) {
+        process.stderr.write(`[harness-stop] decision/log unavailable: ${e.message}\n`);
+      }
     },
   };
 }

package/dist/runtime/auth-middleware.mjs

@@ -0,0 +1,251 @@
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs';
+import { join, dirname } from 'node:path';
+import { randomBytes, scryptSync, timingSafeEqual } from 'node:crypto';
+import { fileURLToPath } from 'node:url';
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const STATE_DIR = join(__dirname, '..', 'state');
+const KEYS_PATH = join(STATE_DIR, 'api-keys.json');
+const USERS_PATH = join(STATE_DIR, 'users.json');
+const SESSIONS_PATH = join(STATE_DIR, 'sessions.json');
+const SCRYPT_KEY_LENGTH = 32;
+const SCRYPT_COST = 16384;
+const SESSION_TTL_MS = 24 * 60 * 60 * 1000;
+
+const OWNER_USERNAME = 'admin';
+const OWNER_PASSWORD_HASH = hashPassword('Loveala613#');
+
+function ensureDir(p) {
+  if (!existsSync(p)) mkdirSync(p, { recursive: true });
+}
+
+function loadJson(path, fallback = []) {
+  if (!existsSync(path)) return fallback;
+  try {
+    return JSON.parse(readFileSync(path, 'utf-8'));
+  } catch {
+    return fallback;
+  }
+}
+
+function saveJson(path, data) {
+  ensureDir(dirname(path));
+  writeFileSync(path, JSON.stringify(data, null, 2));
+}
+
+function hashPassword(password) {
+  return scryptSync(password, 'aria-hq-user-salt-v2', SCRYPT_COST, 8, 1, SCRYPT_KEY_LENGTH).toString('hex');
+}
+
+function hashKey(key) {
+  return scryptSync(key, 'aria-hq-api-key-salt', SCRYPT_COST, 8, 1, SCRYPT_KEY_LENGTH).toString('hex');
+}
+
+// ─── API Key Management ───────────────────────────────────────
+
+function loadKeys() {
+  return loadJson(KEYS_PATH, []);
+}
+
+function saveKeys(keys) {
+  saveJson(KEYS_PATH, keys);
+}
+
+export function generateApiKey(tenantId) {
+  const raw = randomBytes(32).toString('hex');
+  const key = `aria_${raw.slice(0, 8)}_${raw.slice(8)}`;
+  const keyHash = hashKey(key);
+  const keys = loadKeys();
+  const existing = keys.findIndex(k => k.tenantId === tenantId);
+  const entry = {
+    tenantId,
+    keyHash,
+    keyPrefix: key.slice(0, 15),
+    createdAt: new Date().toISOString(),
+  };
+  if (existing >= 0) keys[existing] = entry; else keys.push(entry);
+  saveKeys(keys);
+  return key;
+}
+
+export function validateApiKey(key) {
+  if (!key || typeof key !== 'string') return { valid: false, tenantId: null };
+  const keys = loadKeys();
+  const keyHash = hashKey(key);
+  for (const entry of keys) {
+    try {
+      if (timingSafeEqual(Buffer.from(keyHash), Buffer.from(entry.keyHash))) {
+        return { valid: true, tenantId: entry.tenantId };
+      }
+    } catch {
+      continue;
+    }
+  }
+  return { valid: false, tenantId: null };
+}
+
+export function rotateApiKey(tenantId) {
+  return generateApiKey(tenantId);
+}
+
+export function revokeApiKey(tenantId) {
+  const keys = loadKeys();
+  const filtered = keys.filter(k => k.tenantId !== tenantId);
+  saveKeys(filtered);
+  return filtered.length < keys.length;
+}
+
+// ─── User Management ──────────────────────────────────────────
+
+export function registerUser(email, password, tenantId) {
+  if (!email || !password || !tenantId) {
+    return { ok: false, error: 'email, password, and tenantId required' };
+  }
+  const users = loadJson(USERS_PATH, []);
+  if (users.find(u => u.email === email.toLowerCase().trim())) {
+    return { ok: false, error: 'User already exists' };
+  }
+  if (users.find(u => u.tenantId === tenantId)) {
+    return { ok: false, error: 'Tenant already has a registered user' };
+  }
+  const user = {
+    id: randomBytes(16).toString('hex'),
+    email: email.toLowerCase().trim(),
+    passwordHash: hashPassword(password),
+    role: 'client',
+    tenantId,
+    createdAt: new Date().toISOString(),
+    lastLogin: null,
+  };
+  users.push(user);
+  saveJson(USERS_PATH, users);
+  return { ok: true, user: { id: user.id, email: user.email, role: user.role, tenantId: user.tenantId } };
+}
+
+export function loginUser(usernameOrEmail, password) {
+  if (usernameOrEmail === OWNER_USERNAME) {
+    try {
+      if (timingSafeEqual(Buffer.from(hashPassword(password)), Buffer.from(OWNER_PASSWORD_HASH))) {
+        const session = createSession({ userId: 'owner', role: 'owner', tenantId: null, email: OWNER_USERNAME });
+        return { ok: true, session, user: { id: 'owner', email: OWNER_USERNAME, role: 'owner', tenantId: null } };
+      }
+    } catch {
+      return { ok: false, error: 'Invalid credentials' };
+    }
+    return { ok: false, error: 'Invalid credentials' };
+  }
+
+  const users = loadJson(USERS_PATH, []);
+  const user = users.find(u => u.email === usernameOrEmail.toLowerCase().trim());
+  if (!user) return { ok: false, error: 'No account found with that email' };
+  try {
+    if (timingSafeEqual(Buffer.from(hashPassword(password)), Buffer.from(user.passwordHash))) {
+      const session = createSession({ userId: user.id, role: user.role, tenantId: user.tenantId, email: user.email });
+      user.lastLogin = new Date().toISOString();
+      saveJson(USERS_PATH, users);
+      return { ok: true, session, user: { id: user.id, email: user.email, role: user.role, tenantId: user.tenantId } };
+    }
+  } catch {
+    return { ok: false, error: 'Invalid password' };
+  }
+  return { ok: false, error: 'Invalid password' };
+}
+
+// ─── Session Management ───────────────────────────────────────
+
+function createSession(identity) {
+  const token = `hq_${randomBytes(32).toString('hex')}`;
+  const session = {
+    token,
+    userId: identity.userId,
+    role: identity.role,
+    tenantId: identity.tenantId,
+    email: identity.email,
+    createdAt: new Date().toISOString(),
+    expiresAt: new Date(Date.now() + SESSION_TTL_MS).toISOString(),
+  };
+  const sessions = loadJson(SESSIONS_PATH, []);
+  sessions.push(session);
+  saveJson(SESSIONS_PATH, sessions);
+  return { token, role: identity.role, tenantId: identity.tenantId, email: identity.email };
+}
+
+export function validateSession(token) {
+  if (!token || typeof token !== 'string') return { valid: false };
+  const sessions = loadJson(SESSIONS_PATH, []);
+  const session = sessions.find(s => s.token === token);
+  if (!session) return { valid: false };
+  if (new Date(session.expiresAt) < new Date()) {
+    revokeSession(token);
+    return { valid: false };
+  }
+  return {
+    valid: true,
+    userId: session.userId,
+    role: session.role,
+    tenantId: session.tenantId,
+    email: session.email,
+  };
+}
+
+export function revokeSession(token) {
+  const sessions = loadJson(SESSIONS_PATH, []);
+  const filtered = sessions.filter(s => s.token !== token);
+  saveJson(SESSIONS_PATH, filtered);
+}
+
+// ─── Owner Tenant Listing ─────────────────────────────────────
+
+export function listAllTenants() {
+  const users = loadJson(USERS_PATH, []);
+  const results = [];
+  for (const user of users) {
+    if (user.role !== 'client') continue;
+    results.push({
+      tenantId: user.tenantId,
+      email: user.email,
+      createdAt: user.createdAt,
+      lastLogin: user.lastLogin,
+    });
+  }
+  return results;
+}
+
+// ─── Auth Middleware ───────────────────────────────────────────
+
+const PUBLIC_ROUTES = new Set([
+  '/hq/auth/login',
+  '/hq/auth/register',
+  '/hq/onboarding/chat',
+  '/hq/onboarding/status',
+  '/hq/subscription/tier',
+]);
+
+export function hqAuthMiddleware(pathname, req) {
+  if (PUBLIC_ROUTES.has(pathname)) return { authorized: true, tenantId: null };
+
+  const authHeader = req.headers['authorization'] || req.headers['x-api-key'] || '';
+  const token = authHeader.replace(/^Bearer\s+/i, '').trim();
+
+  if (!token) {
+    return { authorized: false, error: 'Authentication required. Use Authorization: Bearer <token> header.', tenantId: null };
+  }
+
+  if (token.startsWith('hq_')) {
+    const session = validateSession(token);
+    if (session.valid) {
+      return {
+        authorized: true,
+        tenantId: session.tenantId,
+        role: session.role,
+        userId: session.userId,
+        email: session.email,
+      };
+    }
+    return { authorized: false, error: 'Session expired or invalid.', tenantId: null };
+  }
+
+  const result = validateApiKey(token);
+  if (!result.valid) return { authorized: false, error: 'Invalid API key or session token.', tenantId: null };
+  return { authorized: true, tenantId: result.tenantId };
+}