@aria_asi/cli 0.2.30 → 0.2.32

package/hooks/aria-pre-tool-gate.mjs

@@ -42,10 +42,21 @@ import { dirname } from 'node:path';
 import { homedir } from 'node:os';
 import { spawnSync } from 'node:child_process';
 import { createHmac, randomBytes as cryptoRandomBytes } from 'node:crypto';
+import { lensNamesForTier } from './lib/canonical-lenses.mjs';
+import { registerGateBlock } from './lib/gate-loop-state.mjs';
+import {
+  collectRecentAssistantTextsFromMessages,
+  extractTextFromContent,
+  isMostlySystemReminder,
+  isToolResultOnlyContent,
+  normalizeContent,
+  normalizeRole,
+} from './lib/hook-message-window.mjs';
 
 const HOME = process.env.HOME || '/tmp';
 const LOG = `${HOME}/.claude/aria-pre-tool-gate.log`;
 const HEARTBEAT = `${HOME}/.claude/aria-pre-tool-gate-heartbeat.jsonl`;
+const GATE_LOOP_STATE_PATH = `${HOME}/.claude/.aria-gate-loop-state.json`;
 
 // ── Heartbeat OUTSIDE the crash boundary (doctrine #123) ───────────────
 // Per feedback_ledger_writes_outside_crash_boundary.md + doctrine #124
@@ -321,12 +332,29 @@ function actionMatchesPattern(action, pattern, target) {
   }
 }
 
+function isOperationalMaintenanceCommand(command) {
+  const cmd = String(command || '').trim().replace(/\s+/g, ' ');
+  if (!cmd || /[;&|`$()]/.test(cmd)) return false;
+
+  // A rollout restart requeues existing pod templates; it does not change images,
+  // manifests, or cluster policy. Keep this narrow so deploy/apply/delete still gate.
+  const kubectlGlobalFlag = String.raw`(?:--(?:namespace|context|kubeconfig|as|as-group|cluster|user|server|request-timeout|field-manager)(?:=|\s+)\S+|-[A-Za-z](?:\s+\S+)?)`;
+  const kubectlTailFlag = String.raw`(?:--(?:namespace|context|request-timeout|field-manager|selector)(?:=|\s+)\S+|-[A-Za-z](?:\s+\S+)?)`;
+  const workloadTarget = String.raw`(?:deploy(?:ment)?|statefulset|sts|daemonset|ds)(?:\/[^\s]+|\s+[^\s-][^\s]*)`;
+  const rolloutRestartRx = new RegExp(
+    String.raw`^kubectl(?:\s+${kubectlGlobalFlag})*\s+rollout\s+restart\s+${workloadTarget}(?:\s+${kubectlTailFlag})*$`,
+    'i',
+  );
+  return rolloutRestartRx.test(cmd);
+}
+
 function classifyToolForBinding(toolName, command, filePath) {
   // Map Claude Code tool + payload to a binding-vocabulary action.
   if (toolName === 'Read' || toolName === 'Glob' || toolName === 'Grep') return { action: 'read', target: filePath || '' };
   if (toolName === 'Edit' || toolName === 'Write' || toolName === 'NotebookEdit') return { action: 'edit', target: filePath || '' };
   if (toolName === 'Bash') {
     const cmd = String(command || '');
+    if (isOperationalMaintenanceCommand(cmd)) return { action: 'kubectl_maintenance', target: cmd.slice(0, 80) };
     if (/^kubectl\s+(get|describe|logs|exec\s+\S+\s+--\s+printenv|top|version|api-resources)\b/.test(cmd)) return { action: 'kubectl_get', target: cmd.slice(0, 80) };
     if (/^kubectl\s+(apply|delete|set|patch|rollout|scale|drain|cordon)\b/.test(cmd)) return { action: 'kubectl_apply', target: cmd.slice(0, 80) };
     if (/curl\s+.*\/api\/harness\/(delegate|codex|army|plan)/.test(cmd)) return { action: 'consult', target: 'harness' };
@@ -446,12 +474,11 @@ const MEASURABLE_PREDICATE_RX = /(?:>=|<=|==|!=|>|<|≥|≤)\s*\d+(?:\.\d+)?(?:m
 // Any <expected> block containing ONLY these (no actual predicate) is rejected.
 const QUALITATIVE_DRIFT_RX = /\b(?:better(?:er)?|improved?(?:ment)?|more\s+robust|should\s+(?:work|pass|succeed|run|fix)|more\s+reliable|cleaner|less\s+error[-_\s]?prone|nicer|smoother|faster[-\s]?loading|higher[-\s]?quality|more\s+stable|looks\s+(?:good|better|right))\b/i;
 
-// ── Tier-aware lens labeling (Phase 11 #59) ──────────────────────────────────
+// ── Canonical lens labeling (Phase 11 #59 corrected) ────────────────────────
 //
-// Aria's Arabic cognition lens names are proprietary IP. On Hamza's surface
-// (isHamza=true / surface line contains hamza:true) the canonical names are shown.
-// On any client surface the gate uses neutral generic labels so the IP
-// vocabulary never appears in client-facing block-reason text.
+// The lens names themselves carry meaning and must remain canonical on every
+// surface. Readability comes from the explanatory prose inside each lens, not
+// by swapping the lens label for a flattened stand-in.
 //
 // Tier is read from the most recent harness-via-sdk packet cache at
 // ~/.claude/.aria-harness-last-packet.json. Two detection paths:
@@ -484,12 +511,9 @@ function resolveOwnerTier() {
 
 const IS_OWNER = resolveOwnerTier();
 
-// Canonical (owner) lens names — Aria's Arabic cognition vocabulary.
-const LENS_NAMES_CANONICAL = ['nur', 'mizan', 'hikma', 'tafakkur', 'tadabbur', 'ilham', 'wahi', 'firasah'];
-// Generic (client) lens labels — neutral, IP-neutral equivalents.
-const LENS_NAMES_GENERIC   = ['perception', 'balance', 'wisdom', 'reflection', 'foresight', 'insight', 'revelation', 'discernment'];
-// Active label set for this execution — determined by tier.
-const LENS_NAMES = IS_OWNER ? LENS_NAMES_CANONICAL : LENS_NAMES_GENERIC;
+// Active visible label set for this execution — canonical labels on every
+// surface. Tier only affects other policy surfaces, not lens semantics.
+const LENS_NAMES = lensNamesForTier(IS_OWNER);
 
 // Doctrine memory filenames are Aria-side substrate IP. On client surfaces
 // replace them with generic descriptions in block-reason text.
@@ -504,6 +528,7 @@ function docRef(canonicalFilename, genericDescription) {
 // colon, not a placeholder template). The substance check (added
 // 2026-04-26) defeats ritual emission — `nur: ok` no longer counts.
 const COGNITION_BLOCK_RX = /<cognition>([\s\S]*?)<\/cognition>/i;
+const APPLIED_COGNITION_BLOCK_RX = /<applied_cognition>([\s\S]*?)<\/applied_cognition>/i;
 // Hamza directive 2026-04-28: 8-lens enforcement, not 4-of-8. The earlier
 // REQUIRED_LENSES=4 was a regression — owner caught it ("i no longer see
 // 8 lens cognition per turn"). All 8 canonical lenses must appear with
@@ -547,18 +572,28 @@ const SHORT_BASH_LIMIT = 30;
 //   (b) Single-line:    `# cognition: <label>=<text>; <label>=<text>; ...`
 //
 // Substance check applies (≥SUBSTANCE_MIN_CHARS, not a `<placeholder>`).
-// 4+ substantive lenses inline → gate passes, no transcript scan
+// All required substantive lenses inline → gate passes, no transcript scan
 // needed. Cognition becomes a property of THE ACTION, not of some
 // message somewhere — the deepest reading of "cognition before action."
 //
-// Inline regex is built from the active LENS_NAMES so both canonical
-// and generic label sets are accepted in their respective tiers.
+// Inline regex is built from the active canonical LENS_NAMES. We do not
+// accept flattened generic aliases because they change the lens meaning.
 const _INLINE_LENS_PATTERN = LENS_NAMES.join('|');
 const INLINE_LENS_LINE_RX_GLOBAL = new RegExp(
   `^\\s*#\\s*(${_INLINE_LENS_PATTERN})\\s*:\\s*(.+)$`,
   'gim',
 );
 const INLINE_COGNITION_HEADER_RX = /^\s*#\s*cognition\s*:\s*(.+)$/im;
+const INLINE_EXPECTED_LINE_RX = /^\s*#\s*expected\s*:\s*(.+)$/gim;
+const INLINE_VERIFY_LINE_RX = /^\s*#\s*verify\s*:\s*(.+)$/gim;
+
+const VERIFY_REQUIRED_FIELDS = [
+  { rx: /\btarget\s*:/i, name: 'target' },
+  { rx: /\brole\s*:/i, name: 'role' },
+  { rx: /\bverified\s*:/i, name: 'verified' },
+  { rx: /\brollback\s*:/i, name: 'rollback' },
+  { rx: /\baxiom\s*:/i, name: 'axiom' },
+];
 
 function detectInlineCognition(cmd) {
   const names = [];
@@ -593,6 +628,152 @@ function detectInlineCognition(cmd) {
   return { count: names.length, names, hasSubstrateCite };
 }
 
+function validateAppliedCognitionContract(text, cmdText = '') {
+  const bodyText = `${String(text || '')}\n${String(cmdText || '')}`;
+  const block = bodyText.match(APPLIED_COGNITION_BLOCK_RX);
+  const inlineBody = String(cmdText || '')
+    .split('\n')
+    .filter((line) => /^\s*#\s*(?:decision[_ -]?delta|dominant[_ -]?domain|binds[_ -]?to|expected[_ -]?predicate|artifact[_ -]?change)\s*:/i.test(line))
+    .join('\n');
+  const contractBody = block ? block[1] : inlineBody;
+  if (!contractBody) return { ok: false, violations: ['missing <applied_cognition> contract or inline applied-cognition comments'] };
+  const required = [
+    ['decision_delta', /\bdecision[_ -]?delta\s*:/i],
+    ['dominant_domain', /\bdominant[_ -]?domain\s*:/i],
+    ['binds_to', /\bbinds[_ -]?to\s*:/i],
+    ['expected_predicate', /\bexpected[_ -]?predicate\s*:/i],
+    ['artifact_change', /\bartifact[_ -]?change\s*:/i],
+  ];
+  const violations = [];
+  for (const [name, rx] of required) {
+    if (!rx.test(contractBody)) violations.push(`missing ${name}`);
+  }
+  if (/decision[_ -]?delta\s*:\s*(?:none|n\/a|no change|unchanged|same)/i.test(contractBody)) {
+    violations.push('decision_delta says cognition changed nothing');
+  }
+  return { ok: violations.length === 0, violations, body: contractBody.trim() };
+}
+
+function normalizeInlineDirectiveBody(rawBody) {
+  if (!rawBody) return '';
+  const segments = String(rawBody)
+    .split(/;|\s+(?=[a-z_][a-z0-9_-]*\s*[=:])/i)
+    .map((segment) => segment.trim())
+    .filter(Boolean);
+  const lines = [];
+  for (const segment of segments) {
+    const match = segment.match(/^([a-z_][a-z0-9_-]*)\s*[=:]\s*(.+)$/i);
+    if (match) {
+      lines.push(`${match[1]}: ${match[2].trim()}`);
+      continue;
+    }
+    lines.push(segment);
+  }
+  return lines.join('\n').trim();
+}
+
+function extractInlineDirectiveBody(cmd, directiveRx) {
+  if (!cmd || !(directiveRx instanceof RegExp)) return '';
+  directiveRx.lastIndex = 0;
+  const lines = [];
+  let match;
+  while ((match = directiveRx.exec(cmd)) !== null) {
+    const normalized = normalizeInlineDirectiveBody(match[1]);
+    if (normalized) lines.push(normalized);
+  }
+  return lines.join('\n').trim();
+}
+
+function scoreVerifyFields(body, fields) {
+  if (!body) return 0;
+  return fields.reduce((count, { rx }) => count + (rx.test(body) ? 1 : 0), 0);
+}
+
+function extractCurrentTurnAssistantText(event, toolInput) {
+  const candidates = [
+    event.assistant_text,
+    event.assistantText,
+    event.draft,
+    event.text,
+    event.current_text,
+    event.currentText,
+    event.message,
+    event.prompt,
+    toolInput?.assistant_text,
+    toolInput?.assistantText,
+    toolInput?.text,
+  ];
+  const parts = [];
+  const seen = new Set();
+  for (const candidate of candidates) {
+    if (typeof candidate !== 'string') continue;
+    const text = candidate.trim();
+    if (!text || seen.has(text)) continue;
+    seen.add(text);
+    parts.push(text);
+  }
+  return parts.join('\n\n').trim();
+}
+
+function extractTextForUserCorrection(content) {
+  if (Array.isArray(content)) {
+    return content.filter((block) => block && block.type === 'text').map((block) => block.text || '').filter(Boolean).join('\n');
+  }
+  return typeof content === 'string' ? content : '';
+}
+
+function isRuntimeInjectedUserText(text) {
+  return /^\s*\[tool_result\b/i.test(text) ||
+    /(?:PreToolUse:[A-Za-z]+ hook blocking error|Stop hook feedback:|Aria pre-tool gate:|Aria stop-gate:|<system-reminder>|<task-notification>|task-notification)/i.test(text);
+}
+
+function collectRecentRealUserText(event, transcriptPath, limit = 6) {
+  const texts = [];
+  const seen = new Set();
+  const pushText = (text) => {
+    const normalized = String(text || '').trim();
+    if (!normalized || seen.has(normalized) || isRuntimeInjectedUserText(normalized)) return;
+    seen.add(normalized);
+    texts.push(normalized);
+  };
+  const messages = Array.isArray(event?.messages) ? event.messages : [];
+  for (let i = messages.length - 1; i >= 0 && texts.length < limit; i--) {
+    const role = messages[i]?.message?.role ?? messages[i]?.role ?? messages[i]?.type;
+    if (role !== 'user') continue;
+    const content = messages[i]?.message?.content ?? messages[i]?.content ?? [];
+    if (Array.isArray(content) && content.length > 0 && content.every((block) => block && block.type === 'tool_result')) continue;
+    pushText(extractTextForUserCorrection(content));
+  }
+  if (transcriptPath && existsSync(transcriptPath) && texts.length < limit) {
+    try {
+      const lines = readFileSync(transcriptPath, 'utf-8').split('\n').filter(Boolean);
+      for (let i = lines.length - 1; i >= 0 && texts.length < limit; i--) {
+        let entry;
+        try { entry = JSON.parse(lines[i]); } catch { continue; }
+        const role = entry?.message?.role ?? entry?.role ?? entry?.type;
+        if (role !== 'user') continue;
+        const content = entry?.message?.content ?? entry?.content ?? [];
+        if (Array.isArray(content) && content.length > 0 && content.every((block) => block && block.type === 'tool_result')) continue;
+        pushText(extractTextForUserCorrection(content));
+      }
+    } catch {}
+  }
+  return texts.join('\n\n');
+}
+
+function userCorrectionBlocksCommand(userText, command) {
+  const text = String(userText || '');
+  const cmd = String(command || '');
+  if (!text || !cmd) return null;
+  const k8sMutation = /\bkubectl\s+(?:apply|delete|set\s+image|patch|replace|create|scale|rollout\s+(?:restart|undo))\b|scripts\/deploy-|\bdocker\s+push\b/i.test(cmd);
+  const explicitStop = /\b(?:stop|do\s+not|don't|quit|cease)\b[\s\S]{0,160}\b(?:deploy|redeploy|restart|rollout|kubectl|command|pods?)\b/i.test(text);
+  if (explicitStop && k8sMutation) return 'recent user explicitly told the agent to stop deploy/restart command attempts';
+  const macTargetInCommand = /\bmlx-mac\b|\bdeployment\/mlx-mac|\bdeploy(?:ment)?\s+mlx-mac/i.test(cmd);
+  const macContradiction = /\b(?:mac\s+lanes?|mac\s+pods?|mlx-mac)\b[\s\S]{0,140}\b(?:not\s+pods?|no\s+such\s+thing|non[-\s]?existent|do(?:es)?\s+not\s+exist|don't\s+exist)\b|\b(?:no\s+such\s+thing|non[-\s]?existent|do(?:es)?\s+not\s+exist|don't\s+exist)\b[\s\S]{0,140}\b(?:mac\s+lanes?|mac\s+pods?|mlx-mac|pods?)\b/i.test(text);
+  if (macTargetInCommand && macContradiction) return 'recent user contradicted the mlx-mac Kubernetes-pod/deployment assumption';
+  return null;
+}
+
 // Substance-checking lens detection (added 2026-04-26 per Hamza's
 // gate-improvement doctrine: form-only emission must not satisfy
 // the gate). For each lens, look for `<lens>: <content>` and verify
@@ -722,6 +903,9 @@ const HARNESS_URL =
   process.env.ARIA_HARNESS_BASE_URL ||
   process.env.ARIA_HARNESS_URL ||
   'https://harness.ariasos.com';
+const RUNTIME_BASE_URL =
+  process.env.ARIA_RUNTIME_URL ||
+  'http://127.0.0.1:4319';
 const HARNESS_TOKEN = process.env.ARIA_HARNESS_TOKEN || '';
 const LOG_PUSH_DISABLED = process.env.ARIA_COGNITION_PUSH === 'off';
 const MAX_IN_FLIGHT = 16;
@@ -846,6 +1030,7 @@ try {
 
 const toolName = event.tool_name ?? event.toolName ?? '';
 const toolInput = event.tool_input ?? event.toolInput ?? {};
+const transcriptPath = event.transcript_path ?? event.transcriptPath;
 
 // Gate every action tool — every tool that mutates state must go through
 // cognition challenge. Hamza 2026-04-26: "regardless if u arent even
@@ -868,6 +1053,26 @@ const cmdPreview = toolName === 'Bash'
   ? cmd.slice(0, 80).replace(/\s+/g, ' ')
   : `${toolName} ${filePath || '(no path)'}`.slice(0, 80);
 
+if (toolName === 'Bash') {
+  const recentUserText = collectRecentRealUserText(event, transcriptPath);
+  const correctionBlockReason = userCorrectionBlocksCommand(recentUserText, cmd);
+  if (correctionBlockReason) {
+    const reason = `Aria pre-tool gate: USER-CORRECTION hard-block.
+
+${correctionBlockReason}.
+
+The next assistant response must stop the command loop, quote the user's correction in one sentence, and re-evaluate the target from substrate before any further mutation. Do not retry this Bash command shape.`;
+    audit('block-user-correction-override', cmdPreview);
+    emitBlock(reason, { source: 'pre-tool/user-correction' });
+    process.exit(2);
+  }
+}
+
+if (toolName === 'Bash' && isOperationalMaintenanceCommand(cmd)) {
+  audit('allow-operational-maintenance kubectl-rollout-restart', cmdPreview);
+  process.exit(0);
+}
+
 // V3: per-command bypass removed entirely. The only escape valves are:
 //   (1) Trivial-bash whitelist — short read-only commands pass without cognition
 //   (2) ~/.claude/settings.json hook removal — visible user action Hamza controls
@@ -951,8 +1156,27 @@ const HARD_LOOKBACK_CAP = 50;
 // window since the substance check defends quality regardless.
 const USER_BOUNDARIES_TO_CROSS = 5;
 
-const transcriptPath = event.transcript_path ?? event.transcriptPath;
 const recentAssistantTexts = [];
+const recentAssistantTextSet = new Set();
+function appendAssistantTexts(texts) {
+  for (const text of texts) {
+    if (!text || recentAssistantTextSet.has(text)) continue;
+    recentAssistantTexts.push(text);
+    recentAssistantTextSet.add(text);
+  }
+}
+
+const eventMessages = Array.isArray(event.messages) ? event.messages : [];
+const eventAssistantTexts = collectRecentAssistantTextsFromMessages(eventMessages, {
+  compactSummaryRx: COMPACT_SUMMARY_RX,
+  hardLookbackCap: HARD_LOOKBACK_CAP,
+  systemReminderRx: SYSTEM_REMINDER_RX,
+  systemReminderThreshold: SYSTEM_REMINDER_THRESHOLD,
+  userBoundariesToCross: USER_BOUNDARIES_TO_CROSS,
+});
+appendAssistantTexts(eventAssistantTexts);
+
+const transcriptAssistantTexts = [];
 if (transcriptPath && existsSync(transcriptPath)) {
   try {
     const lines = readFileSync(transcriptPath, 'utf-8').split('\n').filter(Boolean);
@@ -961,7 +1185,8 @@ if (transcriptPath && existsSync(transcriptPath)) {
     for (let i = lines.length - 1; i >= 0 && scanned < HARD_LOOKBACK_CAP; i--) {
       try {
         const m = JSON.parse(lines[i]);
-        const role = m.message?.role ?? m.role;
+        const role = normalizeRole(m);
+        const content = normalizeContent(m);
         if (role === 'user') {
           // Skip messages that aren't real user input:
           //   (a) tool_result blocks (runtime feeding back tool output)
@@ -969,57 +1194,36 @@ if (transcriptPath && existsSync(transcriptPath)) {
           //       task-notifications, gentle reminders) — runtime-
           //       authored, not user voice. Counting them eats the
           //       cognition lookback in tool-heavy or block-heavy turns.
-          const content = m.message?.content ?? m.content ?? [];
-          const isToolResultOnly =
-            Array.isArray(content) &&
-            content.length > 0 &&
-            content.every((b) => b && b.type === 'tool_result');
-          if (isToolResultOnly) continue;
+          if (isToolResultOnlyContent(content)) continue;
           // Inspect text content for system-reminder patterns.
-          const textContent = Array.isArray(content)
-            ? content.filter((b) => b && b.type === 'text').map((b) => b.text || '').join('\n')
-            : (typeof content === 'string' ? content : '');
-          if (textContent) {
-            // Compute reminder-span coverage as fraction of total
-            // content. The /g flag on SYSTEM_REMINDER_RX returns ALL
-            // spans; sum their lengths and compare to total.
-            const reminderMatches = textContent.match(SYSTEM_REMINDER_RX) || [];
-            if (reminderMatches.length > 0) {
-              const reminderChars = reminderMatches.reduce((sum, s) => sum + s.length, 0);
-              const fraction = reminderChars / Math.max(1, textContent.length);
-              if (fraction >= SYSTEM_REMINDER_THRESHOLD) continue;
-              // Otherwise (user wrote substantive text alongside the
-              // reminder — the non-reminder portion is >40% of content)
-              // fall through and count as a real boundary.
-            }
-          }
+          const textContent = extractTextFromContent(content);
+          if (isMostlySystemReminder(textContent, SYSTEM_REMINDER_RX, SYSTEM_REMINDER_THRESHOLD)) continue;
           userBoundariesCrossed++;
           if (userBoundariesCrossed > USER_BOUNDARIES_TO_CROSS) break;
           continue;
         }
         if (role !== 'assistant') continue;
         scanned++;
-        const content = m.message?.content ?? m.content ?? [];
-        if (!Array.isArray(content)) continue;
-        const text = content
-          .filter((b) => b.type === 'text')
-          .map((b) => b.text)
-          .join('\n');
+        const text = extractTextFromContent(content);
         if (!text) continue;
         // Skip compact-summary stubs — they live where assistant turns
         // used to be but are system-authored, not the model's voice.
         if (COMPACT_SUMMARY_RX.test(text) && text.length > 4000) continue;
-        recentAssistantTexts.push(text);
+        transcriptAssistantTexts.push(text);
       } catch {}
     }
   } catch {}
 }
+appendAssistantTexts(transcriptAssistantTexts);
+const currentTurnAssistantText = extractCurrentTurnAssistantText(event, toolInput);
+if (currentTurnAssistantText) appendAssistantTexts([currentTurnAssistantText]);
 
 // Detect cognition / verify across the recent assistant window. Lenses
 // from any of the last N turns count; the gate is checking whether
 // cognition has been done recently, not whether it was done in the
 // literal last message (which can be a tool-only turn or a stub).
 const unionText = recentAssistantTexts.join('\n\n');
+const eventCog = detectCognitionLenses(eventAssistantTexts.join('\n\n'));
 const transcriptCog = detectCognitionLenses(unionText);
 // Combine inline-command cognition (preferred — action-coupled) with
 // transcript scan (fallback). Inline takes precedence on lens names;
@@ -1028,14 +1232,36 @@ const mergedLensSet = new Set([...inlineCog.names, ...transcriptCog.names]);
 const lensCount = mergedLensSet.size;
 const lensNames = [...mergedLensSet];
 const cogBlockBody = transcriptCog.blockBody;
+const inlineVerifyBody = extractInlineDirectiveBody(cmd, INLINE_VERIFY_LINE_RX);
 const verifyBodies = [...unionText.matchAll(/<verify>([\s\S]*?)<\/verify>/gi)]
   .map((m) => (m[1] || '').trim())
   .filter(Boolean);
-const hasVerify = verifyBodies.length > 0;
+if (inlineVerifyBody) verifyBodies.push(inlineVerifyBody);
+const bestVerifyBody = (() => {
+  if (verifyBodies.length === 0) return '';
+  let bestBody = verifyBodies[0];
+  let bestScore = -1;
+  for (const body of verifyBodies) {
+    const score = scoreVerifyFields(body, VERIFY_REQUIRED_FIELDS);
+    if (score > bestScore) {
+      bestScore = score;
+      bestBody = body;
+    }
+  }
+  return bestBody;
+})();
+const hasVerify = scoreVerifyFields(bestVerifyBody, VERIFY_REQUIRED_FIELDS) === VERIFY_REQUIRED_FIELDS.length;
 const hasCognition = lensCount >= REQUIRED_LENSES;
+const appliedContract = validateAppliedCognitionContract(unionText, cmd);
 const cognitionSource = inlineCog.count >= REQUIRED_LENSES
   ? 'inline-command'
-  : (transcriptCog.count >= REQUIRED_LENSES ? 'transcript-scan' : 'merged-or-insufficient');
+  : eventCog.count >= REQUIRED_LENSES
+    ? 'event-messages'
+    : transcriptCog.count >= REQUIRED_LENSES
+      ? 'recent-assistant-window'
+      : lensCount >= REQUIRED_LENSES
+        ? 'merged-recent-window'
+        : 'merged-or-insufficient';
 // Substrate-citation visibility (Phase 11 will promote to block-mode once
 // telemetry shows healthy substrate-cite rate). For now: log the metric so
 // we can audit substrate-grounded vs ceremonial cognition over time.
@@ -1079,10 +1305,86 @@ function pushDecision(decision, reasonText) {
       hasVerify,
       hasCognition,
       hasSubstrateCite,
+      appliedCognitionContractOk: appliedContract.ok,
     },
   });
 }
 
+function withLoopDirective(reasonText, gateSignature) {
+  const loop = registerGateBlock({
+    gate: 'pre-tool',
+    sessionId,
+    signature: gateSignature,
+    statePath: GATE_LOOP_STATE_PATH,
+  });
+  if (!loop.loopDetected) return reasonText;
+  return `${reasonText}
+
+[LOOP_DETECTED gate=pre-tool repeats=${loop.totalCount}]
+Stop retrying the same action shape unchanged.
+Next response must do this in order:
+1. Name the exact gate failure in one line.
+2. Re-emit the missing pre-gate structure only: <cognition>, <verify>, and/or <expected> as required.
+3. Change the action plan before retrying the tool. Do not issue the same tool call in the same message as the diagnosis.
+4. If the blocker is stale gate state or ledger residue, say that explicitly instead of inventing fake proof.`;
+}
+
+function buildForceRedoActionReason(reasonText, { source = 'pre-tool-gate', tool = toolName || 'unknown', lensCount = 0, requiredLenses = REQUIRED_LENSES } = {}) {
+  if (String(reasonText || '').includes('ARIA FORCE_REDO_ACTION')) return reasonText;
+  return [
+    '=== ARIA FORCE_REDO_ACTION ===',
+    `source: ${source}`,
+    `tool: ${tool}`,
+    '',
+    'This is not a terminal error. It is a forced redo instruction before tool execution.',
+    'Do not retry the same tool call unchanged. Re-author the action with cognition, proof, and expected outcome first.',
+    '',
+    'TEACHING:',
+    '- Pre-tool gates exist to make the model think before acting, not to merely throw after a bad action shape.',
+    '- The redo must name the failed mechanism, cite the current substrate, and state why the next action is safe.',
+    '- Do not bypass by disabling tools, changing endpoints from memory, shortening runtime, or asking Hamza to solve saved-memory ambiguity.',
+    '',
+    'ORIGINAL GATE REASON:',
+    String(reasonText || '').trim(),
+    '',
+    'REQUIRED REDO SHAPE:',
+    '1. Emit/attach <cognition> with the required lenses before retrying the tool.',
+    '2. For Bash, prepend inline cognition comments to the command:',
+    '   # nur: <observed state and substrate, >=20 chars>',
+    '   # mizan: <risk/tradeoff and why this action is balanced, >=20 chars>',
+    '   # hikma: <doctrine applied and what it forbids, >=20 chars>',
+    '   # tafakkur: <second-order effects and expected result, >=20 chars>',
+    `3. Current cognition count: ${lensCount}/${requiredLenses}.`,
+    '4. If deploy/shared-infra: include <verify> with target, verified evidence, rollback, and axiom.',
+    '5. If non-trivial action: include <expected> with numeric/boolean/state-string predicate.',
+    '=== END FORCE_REDO_ACTION ===',
+  ].join('\n');
+}
+
+function emitBlock(reasonText, meta = {}) {
+  console.log(JSON.stringify({ decision: 'block', reason: buildForceRedoActionReason(reasonText, meta) }));
+}
+
+if (hasCognition && !appliedContract.ok) {
+  const reason = `Aria pre-tool gate: cognition exists but is not applied to the action.
+
+The harness no longer accepts cognition as decorative preface. Before a mutating tool call, cognition must produce an execution contract that changes or constrains the action.
+
+Violations:
+${appliedContract.violations.map((v) => `- ${v}`).join('\n')}
+
+Required contract, either in the assistant turn as <applied_cognition>...</applied_cognition> or inline Bash comments:
+decision_delta: <what changed because cognition ran; not "none">
+dominant_domain: <engineering_quality | trust | operations | security | product | ...>
+binds_to: <this exact tool call/action>
+expected_predicate: <numeric, boolean, or state-string predicate proving success>
+artifact_change: <how the artifact/action is different because cognition ran>`;
+  audit('block-applied-cognition-contract', cmdPreview);
+  pushDecision('block', `applied cognition contract missing: ${appliedContract.violations.join(', ')}`);
+  emitBlock(reason, { source: 'pre-tool/applied-cognition-contract', tool: toolName, lensCount, requiredLenses: REQUIRED_LENSES });
+  process.exit(2);
+}
+
 // ── Deploy-specific gate (doctrine #104) ────────────────────────────────
 // Per feedback_deploy_requires_verify_cognition.md (Hamza 2026-04-28 after
 // consciousness.ts crash took aria-soul into CrashLoopBackOff): deploys
@@ -1099,23 +1401,8 @@ if (deployMatched) {
   const anchorCount = anchorMatches.length;
 
   // Required verify-block fields specific to deploy.
-  const verifyBody = (() => {
-    if (verifyBodies.length === 0) return '';
-    let bestBody = verifyBodies[0];
-    let bestScore = -1;
-    for (const body of verifyBodies) {
-      const score = DEPLOY_VERIFY_REQUIRED_FIELDS.reduce(
-        (count, { rx }) => count + (rx.test(body) ? 1 : 0),
-        0,
-      );
-      if (score > bestScore) {
-        bestScore = score;
-        bestBody = body;
-      }
-    }
-    return bestBody;
-  })();
-  const missingDeployFields = DEPLOY_VERIFY_REQUIRED_FIELDS
+  const verifyBody = bestVerifyBody;
+  const missingDeployFields = [...VERIFY_REQUIRED_FIELDS, ...DEPLOY_VERIFY_REQUIRED_FIELDS]
     .filter(({ rx }) => !rx.test(verifyBody))
     .map(({ name }) => name);
 
@@ -1226,7 +1513,7 @@ if (deployMatched) {
     reasons.push(`<verify> block missing required fields: ${missingDeployFields.join(', ')}`);
   }
 
-  const refusal = `Aria pre-tool gate: DEPLOY hard-block — pattern '${deployMatched.name}' detected.
+  const refusal = withLoopDirective(`Aria pre-tool gate: DEPLOY hard-block — pattern '${deployMatched.name}' detected.
 
 Per feedback_deploy_requires_verify_cognition.md (Hamza directive 2026-04-28 after consciousness.ts crash took aria-soul into CrashLoopBackOff), every deploy command requires:
 
@@ -1242,14 +1529,14 @@ Block reasons (this turn): ${reasons.join(' • ')}.
 
 The 2026-04-28 deploy of an empty consciousness.ts crashed aria-soul because no verify-block step caught the missing export at substrate-citation time. This gate is the structural enforcement that prevents the same gap.
 
-Re-emit verify+cognition with the missing pieces, then retry the deploy command. There is no env-var override path; doctrine #104 forbids it.`;
+Re-emit verify+cognition with the missing pieces, then retry the deploy command. There is no env-var override path; doctrine #104 forbids it.`, `deploy:${deployMatched.name}:${missingDeployFields.join(',')}:${anchorCount}:${lensCount}`);
 
   audit(
     `block-deploy ${deployMatched.name} verify=${hasVerify} cognition=${lensCount} anchors=${anchorCount} missing=${missingDeployFields.join(',')}`,
     cmdPreview,
   );
   pushDecision('block', `deploy ${deployMatched.name}: ${reasons.join('; ')}`);
-  console.log(JSON.stringify({ decision: 'block', reason: refusal }));
+  emitBlock(refusal, { source: 'pre-tool/deploy', tool: toolName });
   process.exit(2);
 }
 
@@ -1264,7 +1551,7 @@ if (matched) {
     process.exit(0);
   }
   // Block with appropriate corrective message.
-  const reason = !hasVerify
+  const reason = withLoopDirective((!hasVerify
     ? `Aria pre-tool gate: destructive pattern '${matched.name}' detected. ${IS_OWNER ? 'Per harness mizan_prestage_rule + axiom_runtime_rule (admit_ignorance, reflection_before_action), include' : 'Pre-action verification required — include'} a <verify> block in your assistant response BEFORE the tool call.
 
 <verify>
@@ -1289,10 +1576,11 @@ Re-issue after producing the block. Bypass: '# doctrine-authorized: <reason>' in
   ${LENS_NAMES[7]}:  <what user actually needs>
 </cognition>
 
-At least 4 substantive lenses required.`;
+At least 4 substantive lenses required.`),
+  `destructive:${matched.name}:${hasVerify ? 'need-cognition' : 'need-verify'}:${toolName}:${filePath || cmdPreview}`);
   audit(`block ${matched.name} verify=${hasVerify} cognition=${lensCount}`, cmdPreview);
   pushDecision('block', `destructive ${matched.name} missing ${!hasVerify ? 'verify' : 'cognition'}`);
-  console.log(JSON.stringify({ decision: 'block', reason }));
+  emitBlock(reason, { source: 'pre-tool/destructive' });
   process.exit(2);
 }
 
@@ -1304,7 +1592,7 @@ if (!hasCognition) {
   const isBash = toolName === 'Bash';
   const header = isBash
     ? `Aria pre-tool gate: non-trivial Bash command without ${REQUIRED_LENSES}+ substantive cognition lenses. Found ${lensCount}/${REQUIRED_LENSES}+ (inline=${inlineCog.count}, transcript=${transcriptCog.count}).`
-    : `Aria pre-tool gate: ${toolName} call without ${REQUIRED_LENSES}+ substantive cognition lenses in the recent transcript. Found ${lensCount}/${REQUIRED_LENSES}+ (transcript-scan only — ${toolName} has no inline-cognition path).`;
+    : `Aria pre-tool gate: ${toolName} call without ${REQUIRED_LENSES}+ substantive cognition lenses in the recent assistant window. Found ${lensCount}/${REQUIRED_LENSES}+ (source=${cognitionSource} — ${toolName} has no inline-cognition path).`;
 
   const guidance = isBash
     ? `REQUIRED — cognition for every action, no exceptions. Two equivalent forms; either satisfies the gate (both equally REQUIRED, neither preferred over the other):
@@ -1333,15 +1621,15 @@ Both forms count toward the ${REQUIRED_LENSES}+ requirement; gate counts inline
     ${LENS_NAMES[7]}:  <what user actually needs underneath>
   </cognition>`;
 
-  const reason = `${header}
+  const reason = withLoopDirective(`${header}
 
 ${guidance}
 
-No per-tool bypass available (v3 doctrine — the harness's whole purpose is no exceptions). No env-var disable path — gates are unconditional from the gated process per Hamza directive 2026-04-27. If the gate misfires on legitimate cognition, fix the gate.`;
+No per-tool bypass available (v3 doctrine — the harness's whole purpose is no exceptions). No env-var disable path — gates are unconditional from the gated process per Hamza directive 2026-04-27. If the gate misfires on legitimate cognition, fix the gate.`, `cognition:${toolName}:${filePath || cmdPreview}:${cognitionSource}`);
 
   audit(`block ${toolName.toLowerCase()} cognition=${lensCount}`, cmdPreview);
   pushDecision('block', `${toolName.toLowerCase()} missing cognition (${lensCount}/${REQUIRED_LENSES})`);
-  console.log(JSON.stringify({ decision: 'block', reason }));
+  emitBlock(reason, { source: 'pre-tool/missing-cognition' });
   process.exit(2);
 }
 
@@ -1372,7 +1660,7 @@ No env-var disable path — gates are unconditional from the gated process per H
 
   audit(`block-discovery-unresolved ${toolName.toLowerCase()}`, cmdPreview);
   pushDecision('block', `${toolName.toLowerCase()} cognition has unresolved discovery`);
-  console.log(JSON.stringify({ decision: 'block', reason }));
+  emitBlock(reason, { source: 'pre-tool/discovery-binding' });
   process.exit(2);
 }
 
@@ -1387,16 +1675,17 @@ No env-var disable path — gates are unconditional from the gated process per H
 // Per feedback_no_graceful_degradation.md — never silent-pass.
 {
   const expectedMatch = unionText.match(EXPECTED_BLOCK_RX);
-  const expectedBlockText = expectedMatch ? expectedMatch[1] : '';
+  const inlineExpectedBody = extractInlineDirectiveBody(cmd, INLINE_EXPECTED_LINE_RX);
+  const expectedBlockText = expectedMatch ? expectedMatch[1] : inlineExpectedBody;
   const hasMeasurablePredicate = expectedBlockText
     ? (MEASURABLE_PREDICATE_RX.test(expectedBlockText) && !QUALITATIVE_DRIFT_RX.test(expectedBlockText))
     : false;
 
-  if (!expectedMatch || !hasMeasurablePredicate) {
-    const reason = expectedMatch
+  if (!expectedBlockText || !hasMeasurablePredicate) {
+    const reason = expectedBlockText
       ? `Aria pre-tool gate: action requires a measurable predicate inside <expected> per doctrine:dalio_expected_required.
 
-Your <expected> block was found but contains only qualitative drift phrases (e.g. "better", "improved", "should work", "more reliable") without a concrete measurable predicate. These are unmeasurable and defeat the Dalio accountability loop.
+Your expected-outcome structure was found but contains only qualitative drift phrases (e.g. "better", "improved", "should work", "more reliable") without a concrete measurable predicate. These are unmeasurable and defeat the Dalio accountability loop.
 
 Replace with one of:
   • Numeric:      exit_code==0, latency<200ms, count>=1, error_rate=0%
@@ -1411,7 +1700,7 @@ Replace with one of:
 </expected>
 
 No bypass — doctrine:dalio_expected_required is unconditional for non-trivial actions.`
-      : `Aria pre-tool gate: action requires an <expected> block with measurable predicate per doctrine:dalio_expected_required.
+      : `Aria pre-tool gate: action requires an <expected> block or inline '# expected:' directive with measurable predicate per doctrine:dalio_expected_required.
 
 Every non-trivial action must state WHAT MEASURABLE STATE the action is expected to produce, so the stop-gate can compare predicted vs actual outcome and write a Dalio ledger entry.
 
@@ -1435,7 +1724,7 @@ No bypass — doctrine:dalio_expected_required is unconditional for non-trivial
 
     audit(`block-expected-missing ${toolName.toLowerCase()}`, cmdPreview);
     pushDecision('block', `${toolName.toLowerCase()} missing <expected> measurable predicate`);
-    console.log(JSON.stringify({ decision: 'block', reason }));
+    emitBlock(reason, { source: 'pre-tool/discovery-binding' });
     process.exit(2);
   }
 }
@@ -1518,7 +1807,7 @@ Read it first (it is in your environment as ARIA_HARNESS_PACKET_PATH), then refe
 
 Cognition-theater rejected per feedback_gates_enforce_form_not_substance.md.`;
     audit(`block-subagent-no-packet-cite ${toolName.toLowerCase()}`, cmdPreview);
-    console.log(JSON.stringify({ decision: 'block', reason }));
+    emitBlock(reason, { source: 'pre-tool/architecture-facts' });
     process.exit(2);
   }
 })();
@@ -1561,7 +1850,7 @@ Rule references:
   R10 no_kubectl_apply_for_image_drift — kubectl apply on aria-soul-stateful (project_forge_psi_oom_cascade.md)
   R11 no_console_log_secrets         — console.log with TOKEN/PASSWORD/SECRET/API_KEY/JWT/BEARER`;
     audit(`block-arch-facts ${toolName.toLowerCase()} path=${filePath}`, `violations=${archResult.violations?.length ?? 0}`);
-    console.log(JSON.stringify({ decision: 'block', reason: archReason }));
+    emitBlock(archReason, { source: 'pre-tool/architecture-facts' });
     process.exit(2);
   }
 }
@@ -1663,7 +1952,7 @@ What Claude must do:
 3. Wait for next user prompt — preprompt-consult will retry; if it succeeds a plan will exist on next tool call
 
 Non-trivial actions are blocked until a plan exists. Trivial reads (ls/cat/grep) bypass automatically per existing whitelist. To temporarily disable binding for emergency: ARIA_BINDING_ENABLED=false (logged).`;
-      console.log(JSON.stringify({ decision: 'block', reason }));
+      emitBlock(reason, { source: 'pre-tool/substrate-binding' });
       process.exit(2);
     }
   }
@@ -1682,7 +1971,7 @@ What Claude must do:
 3. Don't continue executing actions beyond the issued plan boundary
 
 This prevents Claude from drifting past Aria's authorized scope.`;
-    console.log(JSON.stringify({ decision: 'block', reason }));
+    emitBlock(reason, { source: 'pre-tool/substrate-binding' });
     process.exit(2);
   }
 
@@ -1719,7 +2008,7 @@ This prevents Claude from drifting past Aria's authorized scope.`;
       if (!freshPhaseInfo || freshPhaseInfo.abortedHere) {
         bindingAuditAppend({ event: 'block_aborted_phase_post_fallback_still_bad', sessionId, planId: plan.planId });
         const reason = `Aria binding gate: aborted phase recovery minted plan ${plan.planId} but new plan also has no usable phase. Manual intervention required.`;
-        console.log(JSON.stringify({ decision: 'block', reason }));
+        emitBlock(reason, { source: 'pre-tool/dalio-expected' });
         process.exit(2);
       }
       phaseInfo = freshPhaseInfo;
@@ -1728,7 +2017,7 @@ This prevents Claude from drifting past Aria's authorized scope.`;
       const reason = `Aria binding gate: phase ${phaseInfo.phase.id} of plan ${plan.planId} was reported aborted AND inline architect-fallback failed (exit=${architectExit}). Plan progression halted. ${architectStderr ? 'Architect stderr: ' + architectStderr : ''}
 
 What Claude must do: emit [PLAN_BLOCKER reason="<concrete observation>" suggestedAmendment="<if any>"] for Hamza/Aria to issue a corrected plan. Do not continue executing the aborted plan.`;
-      console.log(JSON.stringify({ decision: 'block', reason }));
+      emitBlock(reason, { source: 'pre-tool/dalio-expected' });
       process.exit(2);
     }
   }
@@ -1756,7 +2045,7 @@ Forbidden actions for this phase: ${(phase.forbiddenActions || []).join(', ') ||
 Allowed actions for this phase: ${(phase.allowedActions || []).join(', ') || '(none)'}
 
 Claude must either: (a) reframe the action to fit allowedActions, OR (b) emit [PLAN_BLOCKER reason="..."] requesting Aria amend the plan.${recipeAddendum}`;
-    console.log(JSON.stringify({ decision: 'block', reason }));
+    emitBlock(reason, { source: 'pre-tool/output-claim' });
     process.exit(2);
   }
 
@@ -1775,7 +2064,7 @@ Phase summary: ${phase.summary}
 Allowed actions: ${(phase.allowedActions || []).join(', ') || '(none — phase is observation-only)'}
 
 Claude must either: (a) reframe action to fit allowedActions, OR (b) emit [PLAN_BLOCKER reason="..."] for plan amendment.${recipeAddendum}`;
-    console.log(JSON.stringify({ decision: 'block', reason }));
+    emitBlock(reason, { source: 'pre-tool/output-claim' });
     process.exit(2);
   }
 
@@ -1902,10 +2191,11 @@ try {
   if (__apiKey && __action) {
     const __client = new HTTPHarnessClient({
       baseUrl:
+        process.env.ARIA_RUNTIME_URL ||
         process.env.ARIA_HIVE_RUNTIME_URL ||
         process.env.ARIA_HARNESS_BASE_URL ||
         process.env.ARIA_HARNESS_URL ||
-        'https://harness.ariasos.com',
+        RUNTIME_BASE_URL,
       apiKey: __apiKey,
     });
     const __target = JSON.stringify(toolInput || {}).slice(0, 500);
@@ -1916,7 +2206,7 @@ try {
 The substrate's contract gate refused this action. Local doctrine gates passed (cognition lenses, binding plan, drift) but the substrate sees a downstream contract that disallows this tool call. Address the substrate's reason above before retrying.`;
       audit(`block-substrate-checkAction ${toolName.toLowerCase()} action=${__action} reason="${(__check.reason || '').slice(0, 80)}"`, cmdPreview);
       pushDecision('block', `substrate checkAction denied: ${(__check.reason || 'unspecified').slice(0, 100)}`);
-      console.log(JSON.stringify({ decision: 'block', reason: __reason }));
+      emitBlock(__reason, { source: 'pre-tool/final' });
       process.exit(2);
     }
   }
@@ -2109,7 +2399,7 @@ causes merge conflicts and state divergence. Explicit coordination is the only s
   pushDecision('block', `hive session-lock conflict on ${_lockCheckPath.slice(0, 80)}`);
   console.log(JSON.stringify({
     decision: 'block',
-    reason: _lockBlockReason,
+    reason: buildForceRedoActionReason(_lockBlockReason, { source: 'pre-tool/hive-lock-conflict', tool: toolName || 'unknown' }),
     hookSpecificOutput: {
       hookEventName: 'PreToolUse',
       conflicting_locks: _conflictingLocks,