@aria_asi/cli 0.2.30 → 0.2.32

package/src/connectors/doctrine-trigger-map.ts

@@ -0,0 +1,112 @@
+import {
+  existsSync,
+  mkdirSync,
+  readFileSync,
+  statSync,
+  writeFileSync,
+} from 'fs';
+import { homedir } from 'os';
+import * as path from 'path';
+import { fileURLToPath } from 'node:url';
+
+export interface DoctrineMapSyncResult {
+  sourcePath: string | null;
+  targetCount: number;
+  updatedCount: number;
+}
+
+interface DoctrineMapCandidate {
+  path: string;
+  mtimeMs: number;
+  data: Record<string, unknown>;
+}
+
+function bundledDoctrineTriggerMapCandidates(): string[] {
+  const here = path.dirname(fileURLToPath(import.meta.url));
+  return [
+    path.resolve(here, '..', '..', '..', '..', 'hooks', 'doctrine_trigger_map.json'),
+    path.resolve(here, '..', '..', '..', 'assets', 'hooks', 'doctrine_trigger_map.json'),
+  ];
+}
+
+function installedDoctrineTriggerMapTargets(): string[] {
+  const home = homedir();
+  return [
+    path.join(home, '.aria', 'runtime', 'discipline', 'doctrine_trigger_map.json'),
+    path.join(home, '.aria', 'runtime', 'doctrine_trigger_map.json'),
+    path.join(home, '.claude', 'hooks', 'doctrine_trigger_map.json'),
+    path.join(home, '.claude', 'projects', '-home-hamzaibrahim1', 'memory', 'doctrine_trigger_map.json'),
+    path.join(home, '.codex', 'doctrine_trigger_map.json'),
+    path.join(home, '.opencode', 'doctrine_trigger_map.json'),
+  ];
+}
+
+function readCandidate(targetPath: string): DoctrineMapCandidate | null {
+  if (!existsSync(targetPath)) return null;
+  try {
+    const data = JSON.parse(readFileSync(targetPath, 'utf8')) as Record<string, unknown>;
+    if (!Array.isArray(data.triggers)) return null;
+    return {
+      path: targetPath,
+      mtimeMs: statSync(targetPath).mtimeMs,
+      data,
+    };
+  } catch {
+    return null;
+  }
+}
+
+function normalizeDoctrineMap(data: Record<string, unknown>): string {
+  return JSON.stringify(data, null, 2) + '\n';
+}
+
+export function syncDoctrineTriggerMap(logs: string[] = []): DoctrineMapSyncResult {
+  const targets = installedDoctrineTriggerMapTargets();
+  const readableCandidates = [
+    ...bundledDoctrineTriggerMapCandidates(),
+    ...targets,
+  ];
+
+  const candidates = readableCandidates
+    .map((targetPath) => readCandidate(targetPath))
+    .filter((candidate): candidate is DoctrineMapCandidate => candidate !== null)
+    .sort((a, b) => b.mtimeMs - a.mtimeMs);
+
+  if (candidates.length === 0) {
+    logs.push('⚠ doctrine trigger map missing from bundle and all installed targets');
+    return {
+      sourcePath: null,
+      targetCount: targets.length,
+      updatedCount: 0,
+    };
+  }
+
+  const source = candidates[0];
+  const normalized = normalizeDoctrineMap(source.data);
+  let updatedCount = 0;
+
+  for (const targetPath of targets) {
+    try {
+      const dirPath = path.dirname(targetPath);
+      if (!existsSync(dirPath)) {
+        mkdirSync(dirPath, { recursive: true, mode: 0o755 });
+      }
+      const current = existsSync(targetPath) ? readFileSync(targetPath, 'utf8') : null;
+      if (current === normalized) continue;
+      writeFileSync(targetPath, normalized, { mode: 0o644 });
+      updatedCount++;
+    } catch (error) {
+      logs.push(`⚠ doctrine trigger map sync failed at ${targetPath}: ${error instanceof Error ? error.message : String(error)}`);
+    }
+  }
+
+  logs.push(
+    `Synced doctrine trigger map from ${source.path} to ${targets.length} installed target(s)`,
+  );
+
+  return {
+    sourcePath: source.path,
+    targetCount: targets.length,
+    updatedCount,
+  };
+}

package/src/connectors/must-read.ts

@@ -0,0 +1,117 @@
+export type MustReadSurface = 'claude' | 'codex' | 'opencode';
+
+function surfaceRoot(surface: MustReadSurface): string {
+  if (surface === 'claude') return '~/.claude';
+  if (surface === 'codex') return '~/.codex';
+  return '~/.aria';
+}
+
+function doctrineMapPath(surface: MustReadSurface): string {
+  if (surface === 'claude') return '~/.claude/hooks/doctrine_trigger_map.json';
+  if (surface === 'codex') return '~/.codex/doctrine_trigger_map.json';
+  return '~/.opencode/doctrine_trigger_map.json';
+}
+
+function surfaceSpecificFiles(surface: MustReadSurface): string[] {
+  if (surface === 'claude') {
+    return [
+      '~/.claude/hooks/aria-harness-via-sdk.mjs',
+      '~/.claude/hooks/aria-preprompt-consult.mjs',
+      '~/.claude/hooks/aria-pre-tool-gate.mjs',
+      '~/.claude/hooks/aria-preturn-memory-gate.mjs',
+      '~/.claude/hooks/aria-cognition-substrate-binding.mjs',
+      '~/.claude/hooks/aria-stop-gate.mjs',
+      '~/.claude/hooks/aria-pre-text-gate.mjs',
+    ];
+  }
+  if (surface === 'codex') {
+    return [
+      '~/.codex/AGENTS.md',
+      '~/.codex/config.toml',
+      '~/.aria/wrappers/codex',
+      '~/.aria/runtime/service.mjs',
+      '~/.codex/skills/aria-http-harness-client/SKILL.md',
+      '~/.codex/skills/aria-cognition/aria-repo-doctrine/SKILL.md',
+      '~/.codex/skills/aria-cognition/ghazali-8lens/SKILL.md',
+      '~/.codex/skills/aria-cognition/mizan/SKILL.md',
+    ];
+  }
+  return [
+    '~/.aria/AGENTS.md',
+    '~/.aria/runtime/discipline/skills/aria-harness/aria-harness-onboarding/SKILL.md',
+    '~/.aria/runtime/discipline/skills/aria-cognition/aria-repo-doctrine/SKILL.md',
+    '~/.aria/runtime/discipline/skills/aria-cognition/ghazali-8lens/SKILL.md',
+    '~/.aria/runtime/discipline/skills/aria-cognition/mizan/SKILL.md',
+  ];
+}
+
+export function buildMustReadGuide(surface: MustReadSurface): string {
+  const root = surfaceRoot(surface);
+  const coreFiles = [
+    `${root}/ARIA_MUST_READ.md`,
+    '~/.aria/runtime/discipline/CLAUDE.md',
+    '~/.aria/runtime/discipline/skills/aria-harness/aria-harness-onboarding/SKILL.md',
+    '~/.aria/runtime/discipline/skills/aria-harness/aria-harness-substrate-binding/SKILL.md',
+    doctrineMapPath(surface),
+  ];
+  const orderedFiles = [...coreFiles, ...surfaceSpecificFiles(surface)];
+
+  return `# Aria Agent Must-Read Order
+
+This file exists because weaker models and long sessions drift unless the reading order is explicit.
+Read these files in order before the first non-trivial action, and re-open the relevant gate file whenever a block fires.
+
+## Required Read Order
+
+${orderedFiles.map((filePath, index) => `${index + 1}. \`${filePath}\``).join('\n')}
+
+## What Each File Teaches
+
+1. \`${root}/ARIA_MUST_READ.md\`
+   The cross-surface reading order, recovery rules, and what to re-open after compaction or a block.
+
+2. \`~/.aria/runtime/discipline/CLAUDE.md\`
+   The full harness doctrine: L1/L2/L3, cognition requirements, deploy verify contract, drift triggers, and anti-loop rules.
+
+3. \`~/.aria/runtime/discipline/skills/aria-harness/aria-harness-onboarding/SKILL.md\`
+   The harness model in practical terms: packet, bind, and live gates.
+
+4. \`~/.aria/runtime/discipline/skills/aria-harness/aria-harness-substrate-binding/SKILL.md\`
+   The cognition contract and anchor discipline. Re-open this whenever cognition or stop-gate fails.
+
+5. \`${doctrineMapPath(surface)}\`
+   The live doctrine trigger map. This is what the runtime and stop gates actually match against.
+
+## Surface-Specific Re-Open Rules
+
+- If a pre-tool or write block fires:
+  Re-open the pre-tool surface file for this client plus \`aria-harness-substrate-binding\`.
+
+- If an output or stop-gate block fires:
+  Re-open \`~/.aria/runtime/discipline/CLAUDE.md\`, the doctrine trigger map, and the substrate-binding skill before re-authoring.
+
+- If transcript compaction or ledger deadlock happens:
+  Re-open items 1 through 4 first, then inspect the exact current hook or runtime file causing the block. Do not guess from stale memory.
+
+- If the model starts repeating itself:
+  Stop, re-open this file, and repair from the gate evidence instead of restating intent.
+
+## Non-Negotiables
+
+- Do not rename canonical cognition meaning into generic aliases.
+- Do not treat cognition as a gate password; use it to change the tool input, edit shape, review finding, answer structure, or evidence threshold.
+- Do not emit non-trivial output without \`<applied_cognition>\` containing \`decision_delta\`, \`dominant_domain\`, \`binds_to\`, \`expected_predicate\`, and \`artifact_change\`.
+- Do not let \`decision_delta\` say cognition changed nothing; that is performative cognition.
+- Do not cite substrate anchors that were not loaded in the current harness packet.
+- Do not say "good enough", "should work", or make unverified completion claims.
+- Do not treat skills as optional flavor text; they are the reading order and repair guide.
+- Do not proceed after a gate block without re-opening the file that owns that gate.
+`;
+}
+
+export function mustReadIntro(surface: MustReadSurface): string {
+  const root = surfaceRoot(surface);
+  return `## Must Read Order
+Read \`${root}/ARIA_MUST_READ.md\` before the first non-trivial action and re-open it after any gate block, compaction, or repeated drift.
+`;
+}

package/src/connectors/opencode.ts

@@ -16,6 +16,8 @@ import * as path from 'path';
 import { fileURLToPath } from 'node:url';
 import type { AriaConfig } from '../config.js';
 import { connectShell } from './shell.js';
+import { syncDoctrineTriggerMap } from './doctrine-trigger-map.js';
+import { buildMustReadGuide, mustReadIntro } from './must-read.js';
 
 // ── Bundled OpenCode plugins ────────────────────────────────────────────────
 //
@@ -139,6 +141,7 @@ export async function connectOpenCode(config: AriaConfig): Promise<string[]> {
     copyPluginDir(srcDir, dstDir, logs);
     installedPaths.push(dstDir);
   }
+  syncDoctrineTriggerMap(logs);
 
   // ── Wire ~/.opencode/config.json ──────────────────────────────────────────
   const configPath = path.join(opencodeDir, 'config.json');
@@ -337,14 +340,30 @@ ${schemaText || '(no schema images yet — run \`aria repo scan\`)'}
 - If a fix only works by weakening the contract, the mechanism is still broken. Debug the mechanism.
 
 ## 8-Lens Cognition
-Apply multi-perspective analysis for every decision:
-- Truth lens: Is this factually correct?
-- Harm lens: Could this cause damage?
-- Trust lens: Does this maintain sacred trust?
-- Power lens: Am I using capability responsibly?
-- Reflection lens: Have I thought deeply enough?
-- Context lens: Do I have full context?
-- Impact lens: What are second-order effects?
-- Beauty lens: Is this elegant and sustainable?
+Use Aria cognition as a work method, not a checklist:
+- Perceive the real substrate: user intent, repo/runtime state, loaded harness packet, memories, prior tool results, and uncertainty.
+- Infer constraints: what must be true, what must not be harmed, what prior doctrine changes, and what evidence is missing.
+- Shape the next action: choose the smallest useful tool call, edit, question, or answer that satisfies those constraints.
+- Improve the artifact: make the tool input, code change, review finding, or prose more specific because of the cognition.
+- Predict the observable result: define what would prove the action or answer succeeded before claiming it.
+- Report evidence: distinguish observed fact, bounded inference, unresolved risk, and next real action.
+
+Lens roles for decisions:
+- Truth lens: binds claims to observed evidence and missing evidence.
+- Harm lens: removes or changes actions that could damage state, trust, data, or runtime health.
+- Trust lens: preserves user intent, prior directives, and secret/infra boundaries.
+- Power lens: uses capability to serve the task, not convenience or control.
+- Reflection lens: catches mechanism failure, shortcut pressure, and repeated loops.
+- Context lens: integrates repo patterns, runtime state, and loaded substrate.
+- Impact lens: predicts downstream effects and verification predicates.
+- Beauty lens: prefers the simplest durable artifact that preserves the contract.
+
+## Structural Cognition Contract
+- Cognition is not a ceremony. It must change the next action, tool call, or output claim.
+- Each lens must affect work selection or artifact shape; do not write lenses after the decision is already made.
+- For every non-trivial output, include an \`<applied_cognition>\` block with \`decision_delta\`, \`dominant_domain\`, \`binds_to\`, \`expected_predicate\`, and \`artifact_change\`.
+- Tool-bound cognition must name the exact tool/action it constrains and the measurable predicate that proves the action succeeded.
+- Deploy or destructive actions still require \`<verify>\` and \`<expected>\` blocks before execution.
+- If cognition did not change anything, stop and re-think; \`decision_delta: none\` is treated as performative.
 `;
 }

package/src/connectors/runtime.ts

@@ -7,12 +7,14 @@ import {
   chmodSync,
   rmSync,
   writeFileSync,
+  readFileSync,
 } from 'fs';
 import { execFileSync } from 'child_process';
 import { homedir } from 'os';
 import * as path from 'path';
 import { fileURLToPath } from 'node:url';
 import { loadConfig, saveConfig } from '../config.js';
+import { syncDoctrineTriggerMap } from './doctrine-trigger-map.js';
 
 function packageRuntimeDir(): string {
   const here = path.dirname(fileURLToPath(import.meta.url));
@@ -50,6 +52,39 @@ function writeWrapper(binPath: string, targetScript: string): void {
   try { chmodSync(binPath, 0o755); } catch {}
 }
 
+function trimUrl(value: string): string {
+  return value.trim().replace(/\/+$/, '');
+}
+
+function isLocalHarnessDaemonUrl(value: string): boolean {
+  const normalized = trimUrl(value);
+  return normalized === 'http://127.0.0.1:8790' || normalized === 'http://localhost:8790';
+}
+
+function canonicalUpstreamHarnessUrl(): string {
+  const localSoulCandidates = existsSync('/etc/rancher/k3s/k3s.yaml')
+    ? ['http://127.0.0.1:30080', 'http://192.168.4.25:30080']
+    : [];
+  const candidates = [
+    process.env.ARIA_UPSTREAM_HARNESS_URL || '',
+    process.env.ARIA_HIVE_UPSTREAM_URL || '',
+    ...localSoulCandidates,
+    process.env.ARIA_SOUL_URL || '',
+    process.env.ARIAS_SOUL_URL || '',
+    process.env.ARIA_SOUL_BASE_URL || '',
+    ...(process.env.ARIA_HARNESS_FALLBACK_URLS || '').split(','),
+    'https://harness.ariasos.com',
+  ]
+    .map((entry) => trimUrl(String(entry || '')))
+    .filter(Boolean);
+
+  for (const candidate of candidates) {
+    if (!isLocalHarnessDaemonUrl(candidate)) return candidate;
+  }
+
+  return 'https://harness.ariasos.com';
+}
+
 function writeRuntimeEnv(runtimeDst: string): string {
   const envPath = path.join(runtimeDst, 'runtime.env');
   const config = loadConfig();
@@ -59,24 +94,46 @@ function writeRuntimeEnv(runtimeDst: string): string {
   const deepModel = runtimeProfiles.deepModel || 'deepseek-v4-pro';
   const xaiFallbackModel = runtimeProfiles.xaiFallbackModel || 'grok-4-2-reasoning';
   const nimFallbackModel = runtimeProfiles.nimFallbackModel || 'qwen/qwen3.5-122b-a10b';
-  const harnessUrl =
-    process.env.ARIA_HIVE_RUNTIME_URL ||
-    process.env.ARIA_HARNESS_BASE_URL ||
-    process.env.ARIA_HARNESS_URL ||
-    'https://harness.ariasos.com';
-  const forgeServiceUrl =
-    process.env.ARIA_FORGE_SERVICE_URL ||
-    process.env.FORGE_SERVICE_URL ||
-    `${harnessUrl.replace(/\/$/, '')}/api/forge/psi`;
+  const localHarnessUrl = 'http://127.0.0.1:8790';
+  const upstreamHarnessUrl = canonicalUpstreamHarnessUrl();
+  const harnessFallbackUrls = [
+    process.env.ARIA_HARNESS_FALLBACK_URLS || '',
+    process.env.ARIA_SOUL_URL || '',
+    process.env.ARIAS_SOUL_URL || '',
+    process.env.ARIA_SOUL_BASE_URL || '',
+    upstreamHarnessUrl,
+    'http://127.0.0.1:30080',
+    'http://192.168.4.25:30080',
+    'https://arias-soul-6zp3gtk2ca-uc.a.run.app',
+    'https://harness.ariasos.com',
+  ]
+    .flatMap((entry) => String(entry || '').split(','))
+    .map((entry) => trimUrl(String(entry || '')))
+    .filter((entry) => entry && !isLocalHarnessDaemonUrl(entry));
+  const forgeServiceUrl = `${localHarnessUrl}/api/forge/psi`;
+  const upstreamForgeServiceUrl =
+    process.env.ARIA_UPSTREAM_FORGE_SERVICE_URL ||
+    process.env.ARIA_FORGE_UPSTREAM_URL ||
+    `${upstreamHarnessUrl}/api/forge/psi`;
   writeFileSync(
     envPath,
     [
       'ARIA_RUNTIME_HOST=127.0.0.1',
       'ARIA_RUNTIME_PORT=4319',
       'ARIA_RUNTIME_URL=http://127.0.0.1:4319',
-      `ARIA_HIVE_RUNTIME_URL=${harnessUrl}`,
-      `ARIA_HARNESS_URL=${harnessUrl}`,
+      'ARIA_HARNESS_DAEMON_HOST=127.0.0.1',
+      'ARIA_HARNESS_DAEMON_PORT=8790',
+      `ARIA_HARNESS_DAEMON_URL=${localHarnessUrl}`,
+      'ARIA_CODEX_BRIDGE_HOST=127.0.0.1',
+      'ARIA_CODEX_BRIDGE_PORT=4320',
+      'ARIA_CODEX_DOWNSTREAM_PORT=4321',
+      `ARIA_HIVE_RUNTIME_URL=${localHarnessUrl}`,
+      `ARIA_HARNESS_BASE_URL=${localHarnessUrl}`,
+      `ARIA_HARNESS_URL=${localHarnessUrl}`,
+      `ARIA_UPSTREAM_HARNESS_URL=${upstreamHarnessUrl}`,
+      `ARIA_HARNESS_FALLBACK_URLS=${Array.from(new Set(harnessFallbackUrls)).join(',')}`,
       `ARIA_FORGE_SERVICE_URL=${forgeServiceUrl}`,
+      `ARIA_UPSTREAM_FORGE_SERVICE_URL=${upstreamForgeServiceUrl}`,
       'ARIA_QDRANT_URL=http://127.0.0.1:6333',
       'ARIA_QDRANT_COLLECTION=aria_garden_memory',
       `ARIA_RUNTIME_DEFAULT_PROVIDER=${defaultProvider}`,
@@ -230,7 +287,8 @@ function installSystemdUserService(ariaDir: string, logs: string[]): void {
   const unit = [
     '[Unit]',
     'Description=Aria Mounted Runtime',
-    'After=network.target',
+    'After=network.target aria-harnessd.service',
+    'Requires=aria-harnessd.service',
     '',
     '[Service]',
     'Type=simple',
@@ -256,13 +314,154 @@ function installSystemdUserService(ariaDir: string, logs: string[]): void {
   }
 }
 
+function installHarnessDaemonSystemdUserService(ariaDir: string, logs: string[]): void {
+  const systemctlPath = '/bin/systemctl';
+  if (process.platform !== 'linux' || !existsSync(systemctlPath)) {
+    return;
+  }
+
+  const serviceDir = path.join(homedir(), '.config', 'systemd', 'user');
+  const servicePath = path.join(serviceDir, 'aria-harnessd.service');
+  mkdirSync(serviceDir, { recursive: true, mode: 0o755 });
+
+  const unit = [
+    '[Unit]',
+    'Description=Aria Local Harness Daemon',
+    'After=network.target',
+    '',
+    '[Service]',
+    'Type=simple',
+    `EnvironmentFile=-${path.join(ariaDir, 'runtime', 'runtime.env')}`,
+    `ExecStart=${path.join(ariaDir, 'bin', 'aria-harnessd')}`,
+    'Restart=always',
+    'RestartSec=2',
+    '',
+    '[Install]',
+    'WantedBy=default.target',
+    '',
+  ].join('\n');
+
+  writeFileSync(servicePath, unit, { mode: 0o644 });
+  logs.push(`Installed systemd user unit → ${servicePath}`);
+
+  try {
+    execFileSync(systemctlPath, ['--user', 'daemon-reload'], { stdio: 'ignore' });
+    execFileSync(systemctlPath, ['--user', 'enable', '--now', 'aria-harnessd.service'], { stdio: 'ignore' });
+    logs.push('Enabled and started systemd user service: aria-harnessd.service');
+  } catch (error) {
+    logs.push(`⚠ local harness daemon installed but not activated: ${error instanceof Error ? error.message : String(error)}`);
+  }
+}
+
+function retireLegacySoulPortForwardServices(logs: string[]): void {
+  const systemctlPath = '/bin/systemctl';
+  if (process.platform !== 'linux' || !existsSync(systemctlPath)) {
+    return;
+  }
+
+  const serviceDir = path.join(homedir(), '.config', 'systemd', 'user');
+  const legacyUnits = ['aria-soul-portforward.service', 'aria-soul-forward.service'];
+  const dependencyNeedles = new Set(legacyUnits);
+
+  if (existsSync(serviceDir)) {
+    for (const name of readdirSync(serviceDir)) {
+      if (!name.endsWith('.service')) continue;
+      const unitPath = path.join(serviceDir, name);
+      if (!statSync(unitPath).isFile()) continue;
+      let current = '';
+      try {
+        current = readFileSync(unitPath, 'utf8');
+      } catch {
+        continue;
+      }
+      let next = current;
+      for (const needle of dependencyNeedles) {
+        next = next.replaceAll(needle, 'aria-harnessd.service');
+      }
+      if (next !== current) {
+        writeFileSync(unitPath, next, { mode: 0o644 });
+        logs.push(`Rebound legacy 8790 dependency → ${unitPath}`);
+      }
+    }
+  }
+
+  for (const unit of legacyUnits) {
+    const unitPath = path.join(serviceDir, unit);
+    const backupPath = `${unitPath}.legacy-disabled.bak`;
+    const disabledPath = `${unitPath}.disabled`;
+    try {
+      if (existsSync(unitPath) && statSync(unitPath).isFile() && !existsSync(backupPath)) {
+        copyFileSync(unitPath, backupPath);
+        logs.push(`Backed up legacy 8790 unit → ${backupPath}`);
+      }
+    } catch {}
+    try {
+      if (existsSync(unitPath) && statSync(unitPath).isFile()) {
+        rmSync(disabledPath, { force: true });
+        copyFileSync(unitPath, disabledPath);
+        rmSync(unitPath, { force: true });
+        logs.push(`Retired legacy 8790 unit file → ${disabledPath}`);
+      }
+    } catch {}
+    try {
+      execFileSync(systemctlPath, ['--user', 'disable', '--now', unit], { stdio: 'ignore' });
+      logs.push(`Disabled legacy 8790 unit: ${unit}`);
+    } catch {}
+    try {
+      execFileSync(systemctlPath, ['--user', 'mask', '--force', unit], { stdio: 'ignore' });
+      logs.push(`Masked legacy 8790 unit: ${unit}`);
+    } catch {}
+  }
+
+  try {
+    execFileSync(systemctlPath, ['--user', 'daemon-reload'], { stdio: 'ignore' });
+  } catch {}
+}
+
+function installCodexBridgeSystemdUserService(ariaDir: string, logs: string[]): void {
+  const systemctlPath = '/bin/systemctl';
+  if (process.platform !== 'linux' || !existsSync(systemctlPath)) {
+    return;
+  }
+
+  const serviceDir = path.join(homedir(), '.config', 'systemd', 'user');
+  const servicePath = path.join(serviceDir, 'aria-codex-bridge.service');
+  mkdirSync(serviceDir, { recursive: true, mode: 0o755 });
+
+  const unit = [
+    '[Unit]',
+    'Description=Aria Codex Enforcement Bridge',
+    'After=network.target aria-mounted-runtime.service',
+    'Requires=aria-mounted-runtime.service',
+    '',
+    '[Service]',
+    'Type=simple',
+    `EnvironmentFile=-${path.join(ariaDir, 'runtime', 'runtime.env')}`,
+    `ExecStart=${path.join(ariaDir, 'bin', 'aria-codex-bridge')}`,
+    'Restart=always',
+    'RestartSec=2',
+    '',
+    '[Install]',
+    'WantedBy=default.target',
+    '',
+  ].join('\n');
+
+  writeFileSync(servicePath, unit, { mode: 0o644 });
+  logs.push(`Installed systemd user unit → ${servicePath}`);
+
+  try {
+    execFileSync(systemctlPath, ['--user', 'daemon-reload'], { stdio: 'ignore' });
+    execFileSync(systemctlPath, ['--user', 'enable', '--now', 'aria-codex-bridge.service'], { stdio: 'ignore' });
+    logs.push('Enabled and started systemd user service: aria-codex-bridge.service');
+  } catch (error) {
+    logs.push(`⚠ codex bridge service installed but not activated: ${error instanceof Error ? error.message : String(error)}`);
+  }
+}
+
 function installLaunchAgent(ariaDir: string, logs: string[]): void {
   if (process.platform !== 'darwin') return;
-  const harnessUrl =
-    process.env.ARIA_HIVE_RUNTIME_URL ||
-    process.env.ARIA_HARNESS_BASE_URL ||
-    process.env.ARIA_HARNESS_URL ||
-    'https://harness.ariasos.com';
+  const localHarnessUrl = 'http://127.0.0.1:8790';
+  const upstreamHarnessUrl = canonicalUpstreamHarnessUrl();
 
   const launchAgentDir = path.join(homedir(), 'Library', 'LaunchAgents');
   const plistPath = path.join(launchAgentDir, 'com.aria.mounted-runtime.plist');
@@ -286,10 +485,20 @@ function installLaunchAgent(ariaDir: string, logs: string[]): void {
     <string>4319</string>
     <key>ARIA_RUNTIME_URL</key>
     <string>http://127.0.0.1:4319</string>
-  <key>ARIA_HIVE_RUNTIME_URL</key>
-    <string>${harnessUrl}</string>
-  <key>ARIA_HARNESS_URL</key>
-    <string>${harnessUrl}</string>
+    <key>ARIA_HARNESS_DAEMON_URL</key>
+    <string>${localHarnessUrl}</string>
+    <key>ARIA_HIVE_RUNTIME_URL</key>
+    <string>${localHarnessUrl}</string>
+    <key>ARIA_HARNESS_BASE_URL</key>
+    <string>${localHarnessUrl}</string>
+    <key>ARIA_HARNESS_URL</key>
+    <string>${localHarnessUrl}</string>
+    <key>ARIA_UPSTREAM_HARNESS_URL</key>
+    <string>${upstreamHarnessUrl}</string>
+    <key>ARIA_FORGE_SERVICE_URL</key>
+    <string>${localHarnessUrl}/api/forge/psi</string>
+    <key>ARIA_UPSTREAM_FORGE_SERVICE_URL</key>
+    <string>${upstreamHarnessUrl}/api/forge/psi</string>
   </dict>
   <key>RunAtLoad</key>
   <true/>
@@ -351,20 +560,31 @@ export async function installSharedRuntime(): Promise<string[]> {
   }
 
   const startWrapper = path.join(binDir, 'aria-runtime');
+  const harnessDaemonWrapper = path.join(binDir, 'aria-harnessd');
+  const codexBridgeWrapper = path.join(binDir, 'aria-codex-bridge');
   const doctorWrapper = path.join(binDir, 'aria-runtime-doctor');
   writeWrapper(startWrapper, path.join(runtimeDst, 'service.mjs'));
+  writeWrapper(harnessDaemonWrapper, path.join(runtimeDst, 'harness-daemon.mjs'));
+  writeWrapper(codexBridgeWrapper, path.join(runtimeDst, 'codex-bridge.mjs'));
   writeWrapper(doctorWrapper, path.join(runtimeDst, 'doctor.mjs'));
   const envPath = writeRuntimeEnv(runtimeDst);
   installDisciplinePack(runtimeDst, logs);
+  syncDoctrineTriggerMap(logs);
   installLocalQdrantService(ariaDir, logs);
+  retireLegacySoulPortForwardServices(logs);
+  installHarnessDaemonSystemdUserService(ariaDir, logs);
   installSystemdUserService(ariaDir, logs);
+  installCodexBridgeSystemdUserService(ariaDir, logs);
   installLaunchAgent(ariaDir, logs);
 
   logs.push(`Installed shared Aria runtime → ${runtimeDst}`);
   logs.push(`Installed runtime wrapper → ${startWrapper}`);
+  logs.push(`Installed harness daemon wrapper → ${harnessDaemonWrapper}`);
+  logs.push(`Installed Codex bridge wrapper → ${codexBridgeWrapper}`);
   logs.push(`Installed runtime doctor → ${doctorWrapper}`);
   logs.push(`Installed runtime env → ${envPath}`);
   logs.push('Mount any client against ARIA_RUNTIME_URL=http://127.0.0.1:4319');
+  logs.push('Harness packet and local validation are served by aria-harnessd on http://127.0.0.1:8790.');
   logs.push('Local Qdrant memory is mounted at http://127.0.0.1:6333 for garden pulse persistence.');
   logs.push('Runtime lease is encrypted at rest and revalidated against /api/license/heartbeat');
   logs.push('Forge synthesis is relayed through the canonical Aria endpoint unless ARIA_FORGE_SERVICE_URL overrides it.');