@aria_asi/cli 0.2.31 → 0.2.33

package/runtime-src/harness-daemon.mjs

@@ -1,6 +1,7 @@
 #!/usr/bin/env node
 
 import { createServer } from 'node:http';
+import { createHash } from 'node:crypto';
 import { createRequire } from 'node:module';
 import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs';
 import { fileURLToPath } from 'node:url';
@@ -35,6 +36,7 @@ const LOCAL_FIRST_PRINCIPLE = 'Truth over deception. No harm. Sacred trust. Powe
 
 let cachedPacketEnvelope = loadCachedPacketEnvelope();
 let refreshInFlight = null;
+let refreshInFlightKey = '';
 let lastRefreshError = null;
 let lastRefreshStartedAt = null;
 let lastRefreshCompletedAt = cachedPacketEnvelope?.timestamp || null;
@@ -99,6 +101,46 @@ function sanitizePacketEnvelope(raw) {
   };
 }
 
+function stableIdentityValue(value) {
+  return String(value || '').trim().toLowerCase();
+}
+
+function requestCacheKey(body = {}, apiKey = '') {
+  const identity = {
+    stage: stableIdentityValue(body.stage || body.packetRequest?.stage),
+    actor: stableIdentityValue(body.actor || body.packetRequest?.actor),
+    system: stableIdentityValue(body.system || body.packetRequest?.system),
+    platform: stableIdentityValue(body.platform || body.packetRequest?.platform),
+    roleProfile: stableIdentityValue(body.roleProfile || body.role_profile || body.packetRequest?.roleProfile || body.packetRequest?.role_profile),
+    token: apiKey ? createHash('sha256').update(apiKey).digest('hex').slice(0, 16) : '',
+  };
+  return createHash('sha256').update(JSON.stringify(identity)).digest('hex');
+}
+
+function extractPacketField(packet, field) {
+  if (!packet || typeof packet !== 'object') return '';
+  const direct = packet[field];
+  if (typeof direct === 'string' && direct.trim()) return stableIdentityValue(direct);
+  for (const source of [packet.adapter, packet.harness]) {
+    if (typeof source !== 'string') continue;
+    const match = source.match(new RegExp(`(?:^|\\n)\\s*${field}\\s*=\\s*([^\\n\\s]+)`, 'i'));
+    if (match?.[1]) return stableIdentityValue(match[1]);
+  }
+  return '';
+}
+
+function cachedPacketMatchesRequest(envelope, body = {}) {
+  const packet = envelope?.packet;
+  if (!packet || typeof packet !== 'object') return false;
+  for (const field of ['stage', 'actor', 'system']) {
+    const expected = stableIdentityValue(body[field] || body.packetRequest?.[field]);
+    if (!expected) continue;
+    const actual = extractPacketField(packet, field);
+    if (actual && actual !== expected) return false;
+  }
+  return true;
+}
+
 function loadCachedPacketEnvelope() {
   const candidates = [LOCAL_PACKET_CACHE_PATH, ...LEGACY_PACKET_CACHE_CANDIDATES];
   for (const candidate of candidates) {
@@ -220,10 +262,15 @@ async function fetchJsonWithRetry(url, init, attempts = 3) {
 }
 
 async function refreshPacket(body = {}, apiKey = '') {
-  if (refreshInFlight) return refreshInFlight;
+  const cacheKey = requestCacheKey(body, apiKey);
+  if (refreshInFlight && refreshInFlightKey === cacheKey) return refreshInFlight;
+  if (refreshInFlight) {
+    await refreshInFlight.catch(() => {});
+  }
   if (isLoopedUpstream(UPSTREAM_HARNESS_URL)) {
     throw new Error(`upstream harness URL loops back to local daemon: ${UPSTREAM_HARNESS_URL}`);
   }
+  refreshInFlightKey = cacheKey;
   lastRefreshStartedAt = new Date().toISOString();
   lastRefreshError = null;
   refreshInFlight = (async () => {
@@ -258,6 +305,7 @@ async function refreshPacket(body = {}, apiKey = '') {
     throw error;
   } finally {
     refreshInFlight = null;
+    refreshInFlightKey = '';
   }
 }
 
@@ -268,7 +316,7 @@ function queuePacketRefresh(body, apiKey) {
 }
 
 async function resolvePacketEnvelope(packetRequest = {}, apiKey = '', message = '') {
-  if (cachedPacketEnvelope) {
+  if (cachedPacketEnvelope && cachedPacketMatchesRequest(cachedPacketEnvelope, packetRequest)) {
     queuePacketRefresh(packetRequest, apiKey);
     return cachedPacketEnvelope;
   }
@@ -312,18 +360,45 @@ function forgeSynthesizeUrl() {
   return `${trimUrl(UPSTREAM_HARNESS_URL)}/forge/synthesize`;
 }
 
+const APPLIED_COGNITION_BLOCK_RX = /<applied_cognition>([\s\S]*?)<\/applied_cognition>/i;
+
+function validateAppliedCognitionContract(text) {
+  const match = String(text || '').match(APPLIED_COGNITION_BLOCK_RX);
+  if (!match) return { ok: false, violations: ['missing <applied_cognition> contract'] };
+  const body = match[1] || '';
+  const required = [
+    ['decision_delta', /\bdecision[_ -]?delta\s*:/i],
+    ['dominant_domain', /\bdominant[_ -]?domain\s*:/i],
+    ['binds_to', /\bbinds[_ -]?to\s*:/i],
+    ['expected_predicate', /\bexpected[_ -]?predicate\s*:/i],
+    ['artifact_change', /\bartifact[_ -]?change\s*:/i],
+  ];
+  const violations = [];
+  for (const [name, rx] of required) {
+    if (!rx.test(body)) violations.push(`missing ${name}`);
+  }
+  if (/decision[_ -]?delta\s*:\s*(?:none|n\/a|no change|unchanged|same)/i.test(body)) {
+    violations.push('decision_delta says cognition changed nothing');
+  }
+  return { ok: violations.length === 0, violations, contract: body.trim() };
+}
+
 function buildLocalValidation(text, packetEnvelope, requireCognitionBlock = false) {
   const layer3 = runFullChain(text, {
     substrate: packetToSubstrateSet(packetEnvelope),
     requireCognitionBlock,
   });
   const failures = Array.isArray(layer3?.failures) ? layer3.failures : [];
-  const hardFailures = failures.filter((failure) => failure?.severity === 'block');
+  const applied = validateAppliedCognitionContract(text);
+  const appliedFailures = applied.ok ? [] : applied.violations.map((detail) => ({ kind: 'applied-cognition-contract', severity: 'block', detail }));
+  const allFailures = [...failures, ...appliedFailures];
+  const hardFailures = allFailures.filter((failure) => failure?.severity === 'block');
   return {
     passed: hardFailures.length === 0,
     severity: hardFailures.length === 0 ? 'warn' : 'block',
-    violations: failures.map((failure) => failure?.detail || failure?.kind).filter(Boolean),
-    gateTriggers: failures.map((failure) => failure?.kind).filter(Boolean),
+    violations: allFailures.map((failure) => failure?.detail || failure?.kind).filter(Boolean),
+    gateTriggers: allFailures.map((failure) => failure?.kind).filter(Boolean),
+    appliedCognition: applied,
     local: true,
     summary: layer3?.summary || '',
     layer3,

package/runtime-src/service.mjs

@@ -68,6 +68,7 @@ const OFFLINE_BUNDLE_PATH = join(STATE_DIR, 'offline-policy-bundle.enc');
 const RUNTIME_META_PATH = join(STATE_DIR, 'runtime-meta.json');
 const AUTONOMY_STATE_PATH = join(STATE_DIR, 'autonomy.json');
 const COGNITION_STATE_PATH = join(STATE_DIR, 'cognition-state.enc');
+const HIVE_FILE_LEASES_PATH = join(STATE_DIR, 'hive-file-leases.json');
 const REVOCATION_LOCK_PATH = join(STATE_DIR, 'revoked.json');
 const CONFIG_PATH = join(process.env.HOME || '', '.aria', 'config.json');
 const CODEBASE_AWARENESS_STATE_PATH = join(process.env.HOME || '', '.aria', 'codebase-awareness-state.json');
@@ -906,6 +907,248 @@ function writeJsonFile(filePath, payload, mode = 0o600) {
   writeFileSync(filePath, JSON.stringify(payload, null, 2) + '\n', { mode });
 }
 
+function readHiveFileLeaseState() {
+  const state = readJsonFile(HIVE_FILE_LEASES_PATH, { leases: [] });
+  return {
+    leases: Array.isArray(state.leases) ? state.leases : [],
+  };
+}
+
+function writeHiveFileLeaseState(state) {
+  writeJsonFile(HIVE_FILE_LEASES_PATH, {
+    updatedAt: new Date().toISOString(),
+    leases: Array.isArray(state.leases) ? state.leases : [],
+  });
+}
+
+function normalizeLeasePath(value) {
+  const raw = String(value || '').trim();
+  if (!raw) return '';
+  return raw.replace(/\\/g, '/').replace(/\/+/g, '/');
+}
+
+function pathsOverlap(left, right) {
+  const a = normalizeLeasePath(left);
+  const b = normalizeLeasePath(right);
+  if (!a || !b) return false;
+  return a === b || a.startsWith(`${b}/`) || b.startsWith(`${a}/`);
+}
+
+function coerceTargetFiles(body) {
+  const files = [];
+  const push = (value) => {
+    const normalized = normalizeLeasePath(value);
+    if (normalized && !files.includes(normalized)) files.push(normalized);
+  };
+
+  if (Array.isArray(body.files)) body.files.forEach(push);
+  if (Array.isArray(body.targetFiles)) body.targetFiles.forEach(push);
+  if (typeof body.filePath === 'string') push(body.filePath);
+  if (typeof body.target === 'string') {
+    try {
+      const parsed = JSON.parse(body.target);
+      if (typeof parsed?.filePath === 'string') push(parsed.filePath);
+      if (Array.isArray(parsed?.files)) parsed.files.forEach(push);
+      if (Array.isArray(parsed?.targetFiles)) parsed.targetFiles.forEach(push);
+    } catch {}
+  }
+  return files;
+}
+
+function extractVerifyText(body) {
+  const candidates = [body.verifyText, body.verifyBlock, body.text, body.target];
+  for (const candidate of candidates) {
+    if (typeof candidate === 'string' && candidate.trim()) return candidate;
+  }
+  return '';
+}
+
+function actionRequiresExplicitVerify(action, body) {
+  if (body.requireVerify === true) return true;
+  return /^(?:delete|deploy|db_mutation|infra_mutation)$/i.test(String(action || ''));
+}
+
+function buildObservedVerify(action, files, sessionId, roleProfile) {
+  const observations = files.slice(0, 12).map((filePath) => {
+    try {
+      const stats = statSync(filePath);
+      return {
+        path: filePath,
+        exists: true,
+        isFile: stats.isFile(),
+        isDirectory: stats.isDirectory(),
+        size: stats.size,
+        mtimeMs: stats.mtimeMs,
+      };
+    } catch {
+      return { path: filePath, exists: false };
+    }
+  });
+  return {
+    target: files,
+    role: roleProfile || 'unknown',
+    verified: [
+      'runtime observed target file metadata before action',
+      'Hive file lease check completed before mutation',
+    ],
+    observations,
+    rollback: 'Use VCS diff or prior file snapshot for rollback; no destructive rollback was inferred by runtime.',
+    axiom: 'truth_over_deception/no_harm/sacred_trust/reflection_before_action',
+    sessionId,
+    action,
+  };
+}
+
+function acquireHiveFileLease({ sessionId, actor, roleProfile, action, files, ttlMs = 120000 }) {
+  const now = Date.now();
+  const expiresAt = new Date(now + ttlMs).toISOString();
+  const normalizedFiles = files.map(normalizeLeasePath).filter(Boolean);
+  const state = readHiveFileLeaseState();
+  const activeLeases = state.leases.filter((lease) => Date.parse(lease.expiresAt || '') > now);
+  const conflicts = activeLeases.filter((lease) => {
+    if (lease.sessionId === sessionId) return false;
+    const leaseFiles = Array.isArray(lease.files) ? lease.files : [];
+    return normalizedFiles.some((file) => leaseFiles.some((leaseFile) => pathsOverlap(file, leaseFile)));
+  });
+
+  if (conflicts.length > 0) {
+    writeHiveFileLeaseState({ leases: activeLeases });
+    return {
+      status: 'blocked',
+      leaseId: null,
+      expiresAt: null,
+      conflicts: conflicts.map((lease) => ({
+        leaseId: lease.leaseId,
+        sessionId: lease.sessionId,
+        actor: lease.actor,
+        roleProfile: lease.roleProfile,
+        action: lease.action,
+        files: lease.files,
+        expiresAt: lease.expiresAt,
+      })),
+    };
+  }
+
+  const existing = activeLeases.filter((lease) => lease.sessionId !== sessionId);
+  const lease = {
+    leaseId: `hive_lease_${randomUUID()}`,
+    sessionId,
+    actor: actor || 'unknown',
+    roleProfile: roleProfile || 'unknown',
+    action,
+    files: normalizedFiles,
+    grantedAt: new Date(now).toISOString(),
+    expiresAt,
+  };
+  writeHiveFileLeaseState({ leases: [...existing, lease] });
+  return { status: 'granted', leaseId: lease.leaseId, expiresAt, conflicts: [] };
+}
+
+function releaseHiveFileLease(sessionId, files = []) {
+  const normalizedFiles = files.map(normalizeLeasePath).filter(Boolean);
+  const state = readHiveFileLeaseState();
+  const now = Date.now();
+  const leases = state.leases.filter((lease) => {
+    if (Date.parse(lease.expiresAt || '') <= now) return false;
+    if (lease.sessionId !== sessionId) return true;
+    if (normalizedFiles.length === 0) return false;
+    const leaseFiles = Array.isArray(lease.files) ? lease.files : [];
+    return !normalizedFiles.some((file) => leaseFiles.some((leaseFile) => pathsOverlap(file, leaseFile)));
+  });
+  writeHiveFileLeaseState({ leases });
+  return { released: state.leases.length - leases.length, active: leases.length };
+}
+
+function validateVerifyAndHive({ req, body, action }) {
+  const sessionId = deriveSessionId(req, body, 'runtime-action');
+  const files = coerceTargetFiles(body);
+  const roleProfile = body.roleProfile || body.role_profile || body?.metadata?.roleProfile || body?.metadata?.role_profile || null;
+  const actor = body.actor || body?.metadata?.actor || req.headers['x-aria-actor'] || 'runtime-client';
+  const explicitVerifyRequired = actionRequiresExplicitVerify(action, body);
+  const verifyText = extractVerifyText(body);
+  const hasVerifyBlock = VERIFY_BLOCK_RX.test(verifyText);
+  const canUseObservedVerify = !explicitVerifyRequired && files.length > 0 && /^(?:write|edit|bash)$/i.test(String(action || ''));
+
+  if (explicitVerifyRequired && !hasVerifyBlock) {
+    return {
+      allowed: false,
+      reason: 'verify block required before this high-risk action. Include <verify> with target, role, verified, rollback, and axiom.',
+      requiredGates: ['verify-block'],
+      verify: { status: 'missing', required: true },
+      hive: { status: 'not_checked', conflicts: [] },
+    };
+  }
+
+  if (!hasVerifyBlock && !canUseObservedVerify && explicitVerifyRequired) {
+    return {
+      allowed: false,
+      reason: 'verify block required before mutation, or target files must be provided so runtime can perform observed verification.',
+      requiredGates: ['verify-block-or-observed-target-files'],
+      verify: { status: 'missing', required: true },
+      hive: { status: 'not_checked', conflicts: [] },
+    };
+  }
+
+  if (!hasVerifyBlock && !canUseObservedVerify && files.length === 0) {
+    return {
+      allowed: true,
+      reason: 'no target files supplied for Hive lease; remote action gate will still evaluate the action',
+      requiredGates: [],
+      verify: { status: 'skipped', required: false },
+      hive: { status: 'skipped', leaseId: null, expiresAt: null, conflicts: [] },
+    };
+  }
+
+  const hive = files.length > 0
+    ? acquireHiveFileLease({ sessionId, actor, roleProfile, action, files })
+    : { status: 'skipped', leaseId: null, expiresAt: null, conflicts: [] };
+  if (hive.status === 'blocked') {
+    const verify = hasVerifyBlock
+      ? { status: 'provided', required: explicitVerifyRequired }
+      : { status: 'observed', required: false, block: buildObservedVerify(action, files, sessionId, roleProfile) };
+    const queued = enqueueAutonomyJob({
+      kind: 'tool_lane:queued_action',
+      surface: 'tool_lane',
+      sessionId,
+      priority: 15,
+      message: 'Tool lane contention queued this action instead of failing it.',
+      payload: { action, files, verify },
+      metadata: {
+        actor,
+        roleProfile,
+        conflicts: hive.conflicts,
+        recovery: {
+          mode: 'queued_not_failed',
+          reason: 'overlapping_hive_file_lease',
+          next: 'Retry when the overlapping Hive lease expires or a tool-lane worker claims this queued action.',
+        },
+      },
+    });
+    return {
+      allowed: false,
+      queued: true,
+      queue: {
+        jobId: queued.job.jobId,
+        kind: queued.job.kind,
+        status: queued.job.status,
+        queueDepth: queued.stats.queued,
+      },
+      reason: `Tool lane queued this action because another active session is editing overlapping file(s): ${hive.conflicts.map((c) => `${c.sessionId}:${(c.files || []).join(',')}`).join(' | ')}`,
+      requiredGates: ['hive-file-lease'],
+      verify,
+      hive,
+    };
+  }
+
+  return {
+    allowed: true,
+    reason: 'verify and Hive pre-action checks passed',
+    requiredGates: [],
+    verify: hasVerifyBlock ? { status: 'provided', required: explicitVerifyRequired } : { status: 'observed', required: false, block: buildObservedVerify(action, files, sessionId, roleProfile) },
+    hive,
+  };
+}
+
 function ensureRuntimeMeta() {
   const existing = readJsonFile(RUNTIME_META_PATH, null);
   if (existing?.runtimeId) return existing;
@@ -972,6 +1215,33 @@ function queueStats(state) {
   };
 }
 
+function enqueueAutonomyJob(jobDef) {
+  const state = sweepAutonomyState(loadAutonomyState());
+  const now = new Date().toISOString();
+  const job = {
+    jobId: randomUUID(),
+    kind: jobDef.kind,
+    surface: jobDef.surface || 'tool_lane',
+    sessionId: jobDef.sessionId || null,
+    payload: jobDef.payload || {},
+    metadata: jobDef.metadata || {},
+    priority: Number.isFinite(Number(jobDef.priority)) ? Number(jobDef.priority) : 25,
+    status: 'queued',
+    attempts: 0,
+    maxAttempts: Number.isFinite(Number(jobDef.maxAttempts)) ? Number(jobDef.maxAttempts) : 3,
+    createdAt: now,
+    updatedAt: now,
+    workerId: null,
+    claimedAt: null,
+    claimExpiresAt: null,
+    progress: [{ at: now, status: 'queued', message: jobDef.message || 'Queued for tool lane execution.' }],
+    garden: null,
+  };
+  state.jobs.push(job);
+  saveAutonomyState(state);
+  return { job, stats: queueStats(state) };
+}
+
 function asJsonPayload(value) {
   if (value == null) return null;
   if (typeof value === 'string') {
@@ -1233,6 +1503,47 @@ function findVerifiedState(text) {
   return /(?:verified|confirmed|observed|tested|health[- ]check|response code|exit code|pod image|digest)/i.test(String(text || ''));
 }
 
+const APPLIED_COGNITION_BLOCK_RX = /<applied_cognition>([\s\S]*?)<\/applied_cognition>/i;
+
+function validateAppliedCognitionContract(text) {
+  const match = String(text || '').match(APPLIED_COGNITION_BLOCK_RX);
+  if (!match) return { ok: false, violations: ['missing <applied_cognition> contract'] };
+  const body = match[1] || '';
+  const required = [
+    ['decision_delta', /\bdecision[_ -]?delta\s*:/i],
+    ['dominant_domain', /\bdominant[_ -]?domain\s*:/i],
+    ['binds_to', /\bbinds[_ -]?to\s*:/i],
+    ['expected_predicate', /\bexpected[_ -]?predicate\s*:/i],
+    ['artifact_change', /\bartifact[_ -]?change\s*:/i],
+  ];
+  const violations = [];
+  for (const [name, rx] of required) {
+    if (!rx.test(body)) violations.push(`missing ${name}`);
+  }
+  if (/decision[_ -]?delta\s*:\s*(?:none|n\/a|no change|unchanged|same)/i.test(body)) {
+    violations.push('decision_delta says cognition changed nothing');
+  }
+  return { ok: violations.length === 0, violations, contract: body.trim() };
+}
+
+function mergeAppliedCognitionValidation(validation, applied) {
+  if (applied.ok) {
+    return {
+      ...validation,
+      appliedCognition: { ok: true, contract: applied.contract },
+      gateTriggers: [...new Set([...(validation.gateTriggers || []), 'applied-cognition-contract'])],
+    };
+  }
+  return {
+    ...validation,
+    passed: false,
+    severity: 'block',
+    violations: [...(validation.violations || []), ...applied.violations.map((v) => `applied_cognition: ${v}`)],
+    gateTriggers: [...new Set([...(validation.gateTriggers || []), 'applied-cognition-contract-missing'])],
+    appliedCognition: { ok: false, violations: applied.violations },
+  };
+}
+
 function toTelemetryEvent(payload, source = 'aria-mounted-runtime') {
   return {
     event_type: payload.event_type || 'runtime.cognition.turn',
@@ -1418,7 +1729,7 @@ function buildOwnerBypassPacket(message, reason = 'owner-local-bypass') {
 }
 
 async function loadRuntimePacket(req, body, client, packetRequest, message) {
-  if (body.packet) return body.packet;
+  if (body.packet) return enrichPacketWithCodebaseSnapshot(body.packet);
   const apiKey = resolveApiKey(req, body);
   ensureOfflineBundleSeeded(apiKey, leaseCache.get(hashKey(apiKey)) || loadEncryptedLease(apiKey));
   try {
@@ -1433,7 +1744,7 @@ async function loadRuntimePacket(req, body, client, packetRequest, message) {
       doctrineBundleHash: lease?.claims?.doctrine_bundle_hash || null,
       lastUpstreamError: null,
     });
-    return packet;
+    return enrichPacketWithCodebaseSnapshot(packet);
   } catch (error) {
     const bundle = ensureOfflineBundleSeeded(apiKey, leaseCache.get(hashKey(apiKey)) || loadEncryptedLease(apiKey)) || loadEncryptedOfflineBundle(apiKey);
     const bundleStatus = computeOfflineBundleStatus(bundle);
@@ -1445,19 +1756,52 @@ async function loadRuntimePacket(req, body, client, packetRequest, message) {
           lastUpstreamError: error instanceof Error ? error.message : String(error),
           lastUpstreamOkAt: bundle.lastUpstreamOkAt || bundle.cachedAt || new Date().toISOString(),
         });
-        return fallbackPacket;
+        return enrichPacketWithCodebaseSnapshot(fallbackPacket);
       }
     }
     if (!isOwnerBypassRequest(req, body)) {
       throw error;
     }
-    return buildOwnerBypassPacket(
+    return enrichPacketWithCodebaseSnapshot(buildOwnerBypassPacket(
       message || packetRequest?.message || '',
       error instanceof Error ? error.message : 'owner-local-bypass',
-    );
+    ));
   }
 }
 
+function enrichPacketWithCodebaseSnapshot(packet) {
+  if (!packet || typeof packet !== 'object') return packet;
+  const codebase = compactCodebaseSnapshot();
+  return {
+    ...packet,
+    runtime: {
+      ...(packet.runtime && typeof packet.runtime === 'object' ? packet.runtime : {}),
+      codebase_awareness: codebase,
+    },
+  };
+}
+
+function buildMizanPacketRequest(body = {}) {
+  const context = body.context && typeof body.context === 'object' ? body.context : body;
+  const existing = body.packetRequest && typeof body.packetRequest === 'object' ? body.packetRequest : {};
+  const message = String(
+    context.message ||
+    context.intendedAction ||
+    body.message ||
+    body.text ||
+    ''
+  );
+  const platform = String(context.platform || context.surface || body.platform || body.client || 'mounted-runtime');
+  return {
+    stage: 'preflight',
+    actor: String(context.actor || platform || 'mizan'),
+    system: String(context.system || platform || 'aria-mounted-runtime'),
+    platform,
+    message,
+    ...existing,
+  };
+}
+
 async function buildRuntimeTurnContext(req, body, client) {
   const sessionId = deriveSessionId(req, body, body.provider === 'anthropic' ? 'anthropic' : 'openai');
   const userId = deriveUserId(req, body);
@@ -2059,6 +2403,8 @@ function compactCodebaseSnapshot() {
     ? config.schemaImages
     : {};
   const repoSnapshots = Array.isArray(awareness.repoSnapshots) ? awareness.repoSnapshots : [];
+  const heartbeatAt = awareness?.daemon?.heartbeatAt || null;
+  const heartbeatAgeMs = heartbeatAt ? Date.now() - Date.parse(heartbeatAt) : null;
   return {
     repositories: repositories.slice(0, 6).map((repo) => ({
       name: repo?.name || null,
@@ -2071,6 +2417,8 @@ function compactCodebaseSnapshot() {
     awareness: {
       status: awareness.status || 'idle',
       updatedAt: awareness.updatedAt || null,
+      daemon: awareness.daemon || null,
+      stale: typeof heartbeatAgeMs === 'number' ? heartbeatAgeMs > 120000 : true,
       repoSnapshots: repoSnapshots.slice(0, 4).map((repo) => ({
         repoName: repo?.repoName || repo?.name || null,
         filesIndexed: repo?.filesIndexed || repo?.fileCount || null,
@@ -3288,7 +3636,10 @@ async function handleRoute(req, res) {
 
   let client;
   try {
-    client = createClient(req, body);
+    // HQ routes use their own auth middleware — skip the global API key gate
+    if (!url.pathname.startsWith('/hq/')) {
+      client = createClient(req, body);
+    }
   } catch (error) {
     return json(res, 401, { ok: false, error: error.message });
   }
@@ -3321,7 +3672,8 @@ async function handleRoute(req, res) {
 
     if (url.pathname === '/phase/pre' || url.pathname === '/mizan/pre') {
       const apiKey = resolveApiKey(req, body);
-      const packet = body.packet || await client.getHarnessPacket(body.packetRequest || {});
+      const packetRequest = buildMizanPacketRequest(body);
+      const packet = body.packet || await loadRuntimePacket(req, body, client, packetRequest, packetRequest.message || body.text || '');
       const bundle = evaluateMizanPre(packet, body.context || body, {
         sessionId: body.sessionId || body.context?.sessionId || deriveSessionId(req, body, 'mizan-pre'),
         runtimeId: ensureRuntimeMeta().runtimeId,
@@ -3341,7 +3693,8 @@ async function handleRoute(req, res) {
 
     if (url.pathname === '/phase/mid' || url.pathname === '/mizan/mid') {
       const apiKey = resolveApiKey(req, body);
-      const packet = body.packet || null;
+      const packetRequest = buildMizanPacketRequest(body);
+      const packet = body.packet || await loadRuntimePacket(req, body, client, packetRequest, packetRequest.message || body.message || '');
       const bundle = evaluateMizanMid(body.message || '', body.plannedApproach || '', packet, body.context || body, {
         sessionId: body.sessionId || body.context?.sessionId || deriveSessionId(req, body, 'mizan-mid'),
         runtimeId: ensureRuntimeMeta().runtimeId,
@@ -3361,7 +3714,8 @@ async function handleRoute(req, res) {
 
     if (url.pathname === '/phase/post' || url.pathname === '/mizan/post') {
       const apiKey = resolveApiKey(req, body);
-      const packet = body.packet || null;
+      const packetRequest = buildMizanPacketRequest(body);
+      const packet = body.packet || await loadRuntimePacket(req, body, client, packetRequest, packetRequest.message || body.text || '');
       const bundle = evaluateMizanPost(body.text || '', body.evidence || {}, packet, body.context || body, {
         sessionId: body.sessionId || body.context?.sessionId || deriveSessionId(req, body, 'mizan-post'),
         runtimeId: ensureRuntimeMeta().runtimeId,
@@ -3551,8 +3905,27 @@ async function handleRoute(req, res) {
     }
 
     if (url.pathname === '/check-action') {
-      const result = await client.checkAction(body.action, body.target || '');
-      return json(res, 200, { ok: true, ...result });
+      const action = body.action || 'write';
+      const localGate = validateVerifyAndHive({ req, body, action });
+      if (!localGate.allowed) {
+        return json(res, 200, { ok: true, allowed: false, ...localGate });
+      }
+      let result;
+      try {
+        result = await client.checkAction(action, body.target || '');
+      } catch (error) {
+        releaseHiveFileLease(deriveSessionId(req, body, 'runtime-action'), coerceTargetFiles(body));
+        throw error;
+      }
+      if (result?.allowed === false) {
+        releaseHiveFileLease(deriveSessionId(req, body, 'runtime-action'), coerceTargetFiles(body));
+      }
+      return json(res, 200, { ok: true, ...result, verify: localGate.verify, hive: localGate.hive });
+    }
+
+    if (url.pathname === '/hive/release') {
+      const sessionId = deriveSessionId(req, body, 'runtime-action');
+      return json(res, 200, { ok: true, hive: releaseHiveFileLease(sessionId, coerceTargetFiles(body)) });
     }
 
     if (url.pathname === '/validate-output' || url.pathname === '/api/harness/validate') {
@@ -3574,6 +3947,7 @@ async function handleRoute(req, res) {
           gateTriggers: ['owner-local-bypass'],
         };
       }
+      validation = mergeAppliedCognitionValidation(validation, validateAppliedCognitionContract(body.text));
       const response = { ok: true, validation };
 
       if (body.runLayer3 !== false) {