@aria_asi/cli 0.2.31 → 0.2.33

package/dist/assets/opencode-plugins/harness-gate/index.js

@@ -3,8 +3,10 @@
  * Routes through HTTPHarnessClient SDK for substrate-backed validation.
  */
 import { existsSync, readFileSync, mkdirSync, writeFileSync } from 'node:fs';
+import { createHash } from 'node:crypto';
 import { homedir } from 'node:os';
 import { join } from 'node:path';
+import { evaluateSkillGate, formatSkillGateBlock } from './lib/skill-autoload-gate.js';
 
 const HOME = homedir();
 const SDK_CANDIDATES = [
@@ -42,7 +44,14 @@ const DEPLOY_PATTERNS = [
   { rx: /\bdocker\s+build\b.*--push\b/, name: 'docker-build-push' },
 ];
 
-const INLINE_LENS_RX = /^\s*#\s*(?:nur|mizan|hikma|tafakkur|tadabbur|ilham|wahi|firasah|truth|harm|trust|power|reflection|context|impact|beauty)\s*:\s*.{20,}/im;
+const INLINE_LENS_NAMES = [
+  'nur', 'mizan', 'hikma', 'tafakkur', 'tadabbur', 'ilham', 'wahi', 'firasah',
+  'truth', 'harm', 'trust', 'power', 'reflection', 'context', 'impact', 'beauty',
+];
+const INLINE_LENS_RX = new RegExp(
+  `^\\s*#\\s*(?:${INLINE_LENS_NAMES.join('|')})\\s*:\\s*.{20,}`,
+  'gim',
+);
 const VERIFY_BLOCK_RX = /<verify>[\s\S]*?target\s*:[\s\S]*?verified\s*:[\s\S]*?axiom\s*:[\s\S]*?<\/verify>/i;
 const TRIVIAL_BASH_RX = /^\s*(?:ls|cat|head|tail|grep|find|echo|wc|stat|which|pwd|date|file|du|df|ss|ps)\s/;
 const SHORT_BASH_LIMIT = 30;
@@ -63,6 +72,28 @@ function persistReceipt(sessionId, payload) {
   } catch {}
 }
 
+function makeEvidenceRef(kind, value, metadata = {}) {
+  const raw = typeof value === 'string' ? value : JSON.stringify(value ?? null);
+  const sha256 = createHash('sha256').update(raw).digest('hex');
+  return {
+    evidenceId: `ev_${sha256.slice(0, 16)}`,
+    kind,
+    at: new Date().toISOString(),
+    sha256,
+    preview: raw.slice(0, 500),
+    metadata,
+  };
+}
+
+function countInlineCognitionLenses(text) {
+  const seen = new Set();
+  for (const match of String(text || '').matchAll(INLINE_LENS_RX)) {
+    const lens = match[0].match(/^\s*#\s*([a-z_ -]+)\s*:/i)?.[1]?.trim().toLowerCase();
+    if (lens) seen.add(lens);
+  }
+  return seen.size;
+}
+
 function resolveToken() {
   if (process.env.ARIA_HARNESS_TOKEN) return process.env.ARIA_HARNESS_TOKEN;
   if (process.env.ARIA_API_KEY) return process.env.ARIA_API_KEY;
@@ -111,7 +142,7 @@ async function getClient() {
   return _client;
 }
 
-async function runtimeCheckAction(action, target) {
+async function runtimeCheckAction(action, target, metadata = {}) {
   const token = resolveToken();
   if (!token) throw new Error('no token');
   const response = await fetch(`${RUNTIME_URL}/check-action`, {
@@ -120,7 +151,7 @@ async function runtimeCheckAction(action, target) {
       'Content-Type': 'application/json',
       Authorization: `Bearer ${token}`,
     },
-    body: JSON.stringify({ action, target }),
+    body: JSON.stringify({ action, target, ...metadata }),
   });
   if (!response.ok) {
     const body = await response.text().catch(() => response.statusText);
@@ -163,9 +194,6 @@ export default async function HarnessGatePlugin(ctx) {
       // Trivial reads pass
       if (toolName === 'Bash' && TRIVIAL_BASH_RX.test(cmd) && cmd.length < 200) return;
       if (toolName === 'Bash' && cmd.length < SHORT_BASH_LIMIT) return;
-      // Inline cognition in bash comments passes
-      if (toolName === 'Bash' && INLINE_LENS_RX.test(cmd)) return;
-
       const destructive = DESTRUCTIVE_PATTERNS.find(({ rx }) => rx.test(cmd));
       const deploy = DEPLOY_PATTERNS.find(({ rx }) => rx.test(cmd));
       const isFileMutation = ['Edit', 'Write', 'NotebookEdit'].includes(toolName) && filePath;
@@ -178,6 +206,25 @@ export default async function HarnessGatePlugin(ctx) {
       const label = destructive?.name || deploy?.name || `${toolName}:${filePath?.split('/').pop() || ''}`;
       const action = toolName === 'Bash' ? 'bash' : 'edit';
       const target = toolName === 'Bash' ? cmd.slice(0, 200) : filePath.slice(0, 200);
+      const skillGate = evaluateSkillGate({
+        sessionId,
+        surface: 'opencode-harness-gate',
+        text: JSON.stringify(input || {}),
+        action: cmd,
+        toolName,
+        filePath,
+        isDeploy: Boolean(deploy),
+        isMutation: Boolean(isFileMutation),
+        autoLoadAvailable: false,
+      });
+      if (!skillGate.ok) {
+        throw new Error(
+          `=== ARIA SKILL AUTOLOAD GATE: ${label} ===\n\n` +
+          `${formatSkillGateBlock(skillGate)}\n\n` +
+          `Required next step: call the skill loader for ${skillGate.missingSkills.join(', ')} before retrying this tool.`
+        );
+      }
+      const actionRef = makeEvidenceRef('opencode_tool_request', { toolName, action, target }, { sessionId, label });
       const rationale =
         destructive ? `High-risk action ${label} requested in OpenCode and must satisfy Mizan truth, protection, and quality before execution.`
           : deploy ? `Deployment action ${label} requested in OpenCode and must satisfy Mizan survivability before execution.`
@@ -188,10 +235,21 @@ export default async function HarnessGatePlugin(ctx) {
           sessionId,
           context: {
             sessionId,
+            actor: 'opencode',
+            system: 'opencode',
+            platform: 'opencode',
+            surface: 'opencode-harness-gate',
             message: cmdPreview,
             intendedAction: target || cmdPreview,
             rationale,
           },
+          packetRequest: {
+            stage: 'preflight',
+            actor: 'opencode',
+            system: 'opencode',
+            platform: 'opencode',
+            message: cmdPreview,
+          },
         });
         _lastMizanReceipt = pre.receipt || null;
         if (_lastMizanReceipt) {
@@ -202,6 +260,7 @@ export default async function HarnessGatePlugin(ctx) {
             preResult: pre.result || null,
             preContract: pre.contract || null,
             preSummary: pre.summary || null,
+            actionRef,
           });
         }
         _lastActionSummary = cmdPreview;
@@ -234,8 +293,25 @@ export default async function HarnessGatePlugin(ctx) {
 
       if (client) {
         try {
-          const check = await runtimeCheckAction(action, target).catch(() => client.checkAction(action, target));
+          const check = await runtimeCheckAction(action, target, {
+            sessionId,
+            actor: 'opencode',
+            roleProfile: process.env.OPENCODE_ARIA_ROLE_PROFILE || process.env.ARIA_ROLE_PROFILE || null,
+            files: filePath ? [filePath] : [],
+            requireVerify: Boolean(destructive || deploy),
+            verifyText: String(input.args?.verifyText || input.args?.verifyBlock || input.args?.verify || ''),
+          }).catch(() => client.checkAction(action, target));
           if (!check.allowed) {
+            if (check.queued) {
+              throw new Error(
+                `=== ARIA TOOL LANE QUEUED: ${label} ===\n\n` +
+                `Immediate execution paused; action was queued instead of failed.\n` +
+                `Reason: ${check.reason || 'tool lane contention'}\n` +
+                `Job: ${check.queue?.jobId || 'unknown'} (${check.queue?.status || 'queued'})\n` +
+                `Queue depth: ${check.queue?.queueDepth ?? 'unknown'}\n\n` +
+                `Recovery: retry after overlapping Hive lease expires, or let the tool-lane worker claim the queued job.`
+              );
+            }
             throw new Error(
               `=== ARIA SD GATE: ${label} ===\n\n` +
               `Blocked by substrate gate: ${check.reason || 'no reason provided'}\n` +
@@ -245,6 +321,7 @@ export default async function HarnessGatePlugin(ctx) {
           }
           return;
         } catch (e) {
+          if (e.message.startsWith('=== ARIA TOOL LANE QUEUED')) throw e;
           if (e.message.startsWith('=== ARIA SD GATE')) throw e;
           // SDK unreachable — fall through to local gate below
           process.stderr.write(`[harness-gate] SDK checkAction failed: ${e.message} — falling through to local gate\n`);

package/dist/assets/opencode-plugins/harness-gate/lib/skill-autoload-gate.js

@@ -0,0 +1 @@
+export * from '../../../../../ops/claude-hooks/lib/skill-autoload-gate.mjs';

package/dist/assets/opencode-plugins/harness-outcome/index.js

@@ -3,6 +3,7 @@
  * Routes through the canonical SDK for outcome/garden/ledger writes.
  */
 import { existsSync, readFileSync } from 'node:fs';
+import { createHash } from 'node:crypto';
 import { homedir } from 'node:os';
 import { join } from 'node:path';
 
@@ -14,6 +15,7 @@ const SDK_CANDIDATES = [
 ];
 const OWNER_TOKEN_PATH = join(HOME, '.aria', 'owner-token');
 const LICENSE_PATH = join(HOME, '.aria', 'license.json');
+const RUNTIME_URL = (process.env.ARIA_RUNTIME_URL || 'http://127.0.0.1:4319').replace(/\/+$/, '');
 
 let _client = null;
 let _clientError = null;
@@ -46,6 +48,32 @@ function resolveSdkPath() {
   return SDK_CANDIDATES.find((candidate) => existsSync(candidate)) || '';
 }
 
+function makeEvidenceRef(kind, value, metadata = {}) {
+  const raw = typeof value === 'string' ? value : JSON.stringify(value ?? null);
+  const sha256 = createHash('sha256').update(raw).digest('hex');
+  return {
+    evidenceId: `ev_${sha256.slice(0, 16)}`,
+    kind,
+    at: new Date().toISOString(),
+    sha256,
+    preview: raw.slice(0, 500),
+    metadata,
+  };
+}
+
+async function releaseHiveLease(sessionId, files) {
+  const token = resolveToken();
+  if (!token || !Array.isArray(files) || files.length === 0) return;
+  await fetch(`${RUNTIME_URL}/hive/release`, {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json',
+      Authorization: `Bearer ${token}`,
+    },
+    body: JSON.stringify({ sessionId, files }),
+  }).catch(() => {});
+}
+
 async function getClient() {
   if (_client) return _client;
   if (_clientError) return null;
@@ -78,6 +106,15 @@ export default async function HarnessOutcomePlugin(ctx) {
         : String(input.args?.file_path ?? input.args?.notebook_path ?? '').slice(0, 200) || 'unknown';
       const success = !output?.error;
       const sessionId = process.env.ARIA_SESSION_ID || 'opencode';
+      const filePath = toolName !== 'Bash' ? String(input.args?.file_path ?? input.args?.notebook_path ?? '') : '';
+      await releaseHiveLease(sessionId, filePath ? [filePath] : []);
+      const outcomeRef = makeEvidenceRef('opencode_tool_outcome', {
+        toolName,
+        actionKind,
+        actionTarget,
+        success,
+        output: output ?? null,
+      }, { sessionId });
 
       // Try SDK first
       const client = await getClient();
@@ -86,6 +123,7 @@ export default async function HarnessOutcomePlugin(ctx) {
           await client.recordDiscovery({
             text: `${actionKind}: ${actionTarget} — ${success ? 'ok' : 'failed'}`,
             kind: success ? 'observation' : 'defect',
+            evidence: JSON.stringify(outcomeRef),
             source: 'opencode-outcome-plugin',
             resolution_status: success ? 'resolved' : 'open',
             sessionId,
@@ -122,6 +160,7 @@ export default async function HarnessOutcomePlugin(ctx) {
           actionKind,
           actionTarget,
           actionShape: { tool: toolName, success },
+          evidenceRef: outcomeRef,
         }),
       }).catch(() => {});
     },

package/dist/assets/opencode-plugins/harness-stop/index.js

@@ -3,8 +3,11 @@
  * Routes text through Mizan validateOutput() for substrate-backed QC.
  */
 import { existsSync, readFileSync, mkdirSync, writeFileSync } from 'node:fs';
+import { createHash } from 'node:crypto';
 import { homedir } from 'node:os';
 import { join } from 'node:path';
+import { analyzeDomainOutputQuality, extractCodeBlocks } from './lib/domain-output-quality.js';
+import { evaluateSkillGate, formatSkillGateBlock } from './lib/skill-autoload-gate.js';
 
 const HOME = homedir();
 const SDK_CANDIDATES = [
@@ -29,6 +32,22 @@ const NON_TRIVIAL_MIN_CHARS = 300;
 const DECISION_SIGNAL_RX = /(?:should|recommend|propose|suggest|let'?s|go with|i'd|i would|here'?s the plan|i'll|next step|action item|ship it|yes do|let me)/i;
 const TRIVIAL_ACK_RX = /^(?:got it|on it|ok|sure|yes|no|done|ack)\b/i;
 const PLACEHOLDER_RX = /^\s*<[^<>]+>\s*$/;
+const BLOCK_PREFIX_RX = /^=== ARIA (?:MIZAN POST|OUTPUT GATE|LOCAL OUTPUT) BLOCK ===/;
+const APPLIED_COGNITION_RX = /<applied_cognition>[\s\S]*?decision_delta\s*:[\s\S]*?dominant_domain\s*:[\s\S]*?binds_to\s*:[\s\S]*?expected_predicate\s*:[\s\S]*?artifact_change\s*:[\s\S]*?<\/applied_cognition>/i;
+
+function formatBlockReason(prefix, details) {
+  return [
+    prefix,
+    '',
+    String(details || 'Aria output gate blocked this message.'),
+    '',
+    'Required repair: bind cognition to the actual action/output using <applied_cognition> with decision_delta, dominant_domain, binds_to, expected_predicate, and artifact_change.',
+  ].join('\n');
+}
+
+function isGateBlock(error) {
+  return BLOCK_PREFIX_RX.test(String(error?.message || error || ''));
+}
 
 let _client = null;
 let _clientError = null;
@@ -55,6 +74,19 @@ function persistReceiptState(sessionId, payload) {
   } catch {}
 }
 
+function makeEvidenceRef(kind, value, metadata = {}) {
+  const raw = typeof value === 'string' ? value : JSON.stringify(value ?? null);
+  const sha256 = createHash('sha256').update(raw).digest('hex');
+  return {
+    evidenceId: `ev_${sha256.slice(0, 16)}`,
+    kind,
+    at: new Date().toISOString(),
+    sha256,
+    preview: raw.slice(0, 500),
+    metadata,
+  };
+}
+
 function resolveToken() {
   if (process.env.ARIA_HARNESS_TOKEN) return process.env.ARIA_HARNESS_TOKEN;
   if (process.env.ARIA_API_KEY) return process.env.ARIA_API_KEY;
@@ -121,7 +153,7 @@ async function runtimeValidateOutput(text, sessionId) {
   return payload.validation || payload.result || payload;
 }
 
-async function runtimeMizanPost(text, sessionId, context = {}) {
+async function runtimeMizanPost(text, sessionId, context = {}, evidence = {}) {
   const existing = loadReceiptState(sessionId);
   const token = resolveToken();
   if (!token) throw new Error('no token');
@@ -134,10 +166,22 @@ async function runtimeMizanPost(text, sessionId, context = {}) {
     body: JSON.stringify({
       sessionId,
       text,
+      evidence,
       context: {
         sessionId,
+        actor: 'opencode',
+        system: 'opencode',
+        platform: 'opencode',
+        surface: 'opencode-harness-stop',
         ...context,
       },
+      packetRequest: {
+        stage: 'preflight',
+        actor: 'opencode',
+        system: 'opencode',
+        platform: 'opencode',
+        message: String(context.message || text || '').slice(0, 1000),
+      },
       parentReceiptId: existing?.receipt?.receiptId || _lastMizanReceipt?.receiptId || null,
     }),
   });
@@ -207,10 +251,30 @@ export default async function HarnessStopPlugin(ctx) {
 
       const cog = detectCognitionLenses(text);
       const sessionId = process.env.ARIA_SESSION_ID || 'opencode';
+      const skillGate = evaluateSkillGate({
+        sessionId,
+        surface: 'opencode-harness-stop',
+        text: JSON.stringify(event || {}) + '\n' + text,
+        isOutputCloseout: true,
+        autoLoadAvailable: false,
+      });
+      if (!skillGate.ok) {
+        throw new Error(
+          formatBlockReason(
+            '=== ARIA SKILL AUTOLOAD GATE BLOCK ===',
+            `${formatSkillGateBlock(skillGate)}\nRequired next step: load ${skillGate.missingSkills.join(', ')} before re-emitting this output.`,
+          )
+        );
+      }
+      const outputRef = makeEvidenceRef('opencode_assistant_output', text.slice(0, 8000), { sessionId });
       try {
         const mizan = await runtimeMizanPost(text.slice(0, 8000), sessionId, {
           message: text.slice(0, 1000),
           plannedApproach: 'OpenCode stop gate output review',
+          outputRef,
+        }, {
+          output_ref: outputRef,
+          cognition_lens_count: cog.count,
         });
         _lastMizanReceipt = mizan.receipt || _lastMizanReceipt;
         if (_lastMizanReceipt) {
@@ -223,14 +287,17 @@ export default async function HarnessStopPlugin(ctx) {
             postResult: mizan.result || null,
             postContract: mizan.contract || null,
             postSummary: mizan.summary || null,
+            outputRef,
           });
         }
         if (mizan.receipt?.blocked || mizan.result?.fitrahVetoed || mizan.result?.reAuthorSignal) {
-          process.stderr.write(
-            `[harness-stop] MIZAN POST BLOCK — ${(mizan.result?.notes || ['post-phase blocked']).slice(0, 4).join(' | ')}\n`
+          const details = (mizan.result?.notes || ['post-phase blocked']).slice(0, 4).join(' | ');
+          throw new Error(
+            formatBlockReason('=== ARIA MIZAN POST BLOCK ===', details)
           );
         }
       } catch (e) {
+        if (isGateBlock(e)) throw e;
         process.stderr.write(`[harness-stop] mizan/post unavailable: ${e.message}\n`);
       }
 
@@ -246,8 +313,11 @@ export default async function HarnessStopPlugin(ctx) {
             sessionId,
           ));
           if (result.severity === 'block') {
-            process.stderr.write(
-              `[harness-stop] SDK BLOCK — ${result.violations.length} violations: ${result.violations.join('; ').slice(0, 300)}\n`
+            throw new Error(
+              formatBlockReason(
+                '=== ARIA OUTPUT GATE BLOCK ===',
+                `${result.violations.length} violations: ${result.violations.join('; ').slice(0, 500)}`,
+              )
             );
           } else if (result.severity === 'warn') {
             process.stderr.write(
@@ -260,6 +330,7 @@ export default async function HarnessStopPlugin(ctx) {
           }
           return;
         } catch (e) {
+          if (isGateBlock(e)) throw e;
           process.stderr.write(`[harness-stop] SDK validateOutput failed: ${e.message} — falling through to local gate\n`);
         }
       }
@@ -293,8 +364,30 @@ export default async function HarnessStopPlugin(ctx) {
       } catch {}
 
       if (cog.count < REQUIRED_LENSES || driftHits.length >= 2) {
-        process.stderr.write(
-          `[harness-stop] LOCAL GATE — cognition=${cog.count}/${REQUIRED_LENSES} drift=${driftHits.length}\n`
+        throw new Error(
+          formatBlockReason(
+            '=== ARIA LOCAL OUTPUT BLOCK ===',
+            `cognition=${cog.count}/${REQUIRED_LENSES}; drift=${driftHits.length}`,
+          )
+        );
+      }
+
+      if (DECISION_SIGNAL_RX.test(text) && !APPLIED_COGNITION_RX.test(text)) {
+        throw new Error(
+          formatBlockReason(
+            '=== ARIA LOCAL OUTPUT BLOCK ===',
+            'decision-bearing output lacks required applied_cognition binding fields',
+          )
+        );
+      }
+
+      const domainQuality = analyzeDomainOutputQuality(text, { codeBlocks: extractCodeBlocks(text) });
+      if (domainQuality.blockers.length > 0) {
+        throw new Error(
+          formatBlockReason(
+            '=== ARIA LOCAL OUTPUT BLOCK ===',
+            `domain output QA (${domainQuality.domains.join(', ') || 'general'}): ${domainQuality.blockers.join('; ')}`,
+          )
         );
       }
 
@@ -318,6 +411,7 @@ export default async function HarnessStopPlugin(ctx) {
           metadata: {
             pre_receipt_id: existing?.receipt?.receiptId || null,
             post_receipt_id: _lastMizanReceipt?.receiptId || null,
+            output_ref: outputRef,
           },
           source: 'opencode-stop-gate-runtime',
           model_used: process.env.OPENCODE_MODEL || 'opencode',

package/dist/assets/opencode-plugins/harness-stop/lib/domain-output-quality.js

@@ -0,0 +1,103 @@
+// Domain-aware output QA for Aria stop gates.
+// Deterministic local checks complement remote Mizan; they do not replace it.
+
+const DOMAIN_RULES = [
+  {
+    domain: 'code',
+    signal: /```|\b(?:function|class|interface|type|import|export|npm test|typecheck|eslint|jest|vitest|tsx?|jsx?|\.ts|\.tsx|\.js|\.py)\b/i,
+  },
+  {
+    domain: 'ui',
+    signal: /\b(?:ui|ux|frontend|react|component|page|screen|modal|form|button|layout|tailwind|css|html|mobile|responsive|accessib|aria-label|keyboard|focus state|dark mode)\b/i,
+  },
+  {
+    domain: 'beauty',
+    signal: /\b(?:beauty|beautiful|polish|visual|aesthetic|elegant|layout|typography|spacing|hierarchy|composition|brand|design language|modern|clean)\b/i,
+  },
+  {
+    domain: 'security',
+    signal: /\b(?:security|auth|token|secret|credential|password|jwt|oauth|csrf|xss|sql injection|permission|role|cors|sanitize|encrypt|webhook signature)\b/i,
+  },
+  {
+    domain: 'ops',
+    signal: /\b(?:deploy|rollout|rollback|kubernetes|kubectl|docker|image|pod|health check|slo|alert|log|metric|trace|env var|migration|release)\b/i,
+  },
+  {
+    domain: 'product',
+    signal: /\b(?:user flow|customer|workflow|conversion|pricing|onboarding|checkout|activation|retention|business|persona|job-to-be-done|acceptance criteria)\b/i,
+  },
+  {
+    domain: 'writing',
+    signal: /\b(?:summary|explain|docs|readme|copy|email|post|article|message|final answer|status report|release notes)\b/i,
+  },
+];
+
+function hasAny(text, patterns) {
+  return patterns.some((pattern) => pattern.test(text));
+}
+
+function lineHits(text, rx, label) {
+  const hits = [];
+  const lines = String(text || '').split('\n');
+  for (let i = 0; i < lines.length; i++) {
+    if (rx.test(lines[i])) hits.push(`${label} at line ${i + 1}`);
+  }
+  return hits;
+}
+
+export function extractCodeBlocks(text) {
+  return [...String(text || '').matchAll(/```[a-z0-9_-]*\n([\s\S]*?)```/gi)].map((m) => m[1] || '');
+}
+
+export function analyzeDomainOutputQuality(text, options = {}) {
+  const source = String(text || '');
+  const lower = source.toLowerCase();
+  const codeBlocks = options.codeBlocks || extractCodeBlocks(source);
+  const domains = DOMAIN_RULES.filter((rule) => rule.signal.test(source)).map((rule) => rule.domain);
+  const blockers = [];
+  const warnings = [];
+
+  if (domains.includes('code')) {
+    for (const hit of lineHits(source, /\b(?:TODO|FIXME|XXX|implementation pending|not implemented|coming soon|placeholder)\b/i, 'code placeholder semantics')) blockers.push(hit);
+    for (const block of codeBlocks) {
+      if (/@ts-expect-error|@ts-ignore/.test(block)) blockers.push('code: type suppression instead of fixing the type contract');
+      if (/catch\s*\([^)]*\)\s*\{\s*(?:return\s+(?:''|""|null|undefined|\[\]|\{\})|\}\s*$|\/\/[^\n]*$)/m.test(block)) blockers.push('code: silent or empty catch block hides runtime failure');
+      if (/console\.log\(/.test(block) && !/\/\/\s*(?:debug|log)/i.test(block)) warnings.push('code: console.log appears in shipped code without debug intent');
+    }
+  }
+
+  if (domains.includes('ui')) {
+    if (!hasAny(source, [/\b(?:mobile|responsive|breakpoint|small screen|desktop)\b/i])) blockers.push('ui: UI/design output must address desktop and mobile responsiveness');
+    if (!hasAny(source, [/\b(?:accessib|aria-|keyboard|focus|screen reader|semantic html|label)\b/i])) blockers.push('ui: UI/design output must address accessibility, focus, labels, or semantic structure');
+    if (/\b(?:button|input|form|modal|menu|dialog)\b/i.test(source) && !/\b(?:focus|keyboard|aria-|label|escape|tab order)\b/i.test(source)) blockers.push('ui: interactive elements need keyboard/focus/accessibility behavior');
+  }
+
+  if (domains.includes('beauty')) {
+    if (/\b(?:clean|modern|beautiful|polished|nice|sleek)\b/i.test(source) && !hasAny(source, [/\b(?:spacing|typography|contrast|hierarchy|rhythm|composition|palette|motion|density|visual language)\b/i])) blockers.push('beauty: aesthetic claim lacks concrete visual language such as spacing, typography, contrast, hierarchy, palette, or composition');
+  }
+
+  if (domains.includes('security')) {
+    if (/\b(?:token|secret|credential|password|api key|jwt)\b/i.test(source) && !/\b(?:redact|mask|env|secret store|do not log|rotate|least privilege)\b/i.test(source)) blockers.push('security: secrets/tokens require redaction, env/secret-store handling, no logging, or rotation guidance');
+    if (/\b(?:auth|permission|role|admin|tenant)\b/i.test(source) && !/\b(?:authorize|authorization|least privilege|tenant isolation|deny by default|role check)\b/i.test(source)) warnings.push('security: auth/permission output should state authorization and isolation checks');
+  }
+
+  if (domains.includes('ops')) {
+    if (/\b(?:deploy|rollout|release|migration|kubectl|docker push)\b/i.test(source) && !/\b(?:rollback|health|smoke|verify|readiness|observability|monitor)\b/i.test(source)) blockers.push('ops: deploy/release output must include rollback plus health/smoke/readiness verification');
+    if (/\b(?:env var|config|secret)\b/i.test(source) && !/\b(?:scope|owner|runtime|restart|reload|secret)\b/i.test(source)) warnings.push('ops: runtime config changes should name scope and reload/restart expectations');
+  }
+
+  if (domains.includes('product')) {
+    if (!/\b(?:user|customer|operator|admin|persona|workflow|acceptance criteria|success metric|job-to-be-done)\b/i.test(source)) warnings.push('product: product output should bind to a user/workflow and success criterion');
+  }
+
+  if (domains.includes('writing')) {
+    if (/\b(?:done|fixed|verified|published|deployed|passed|complete)\b/i.test(lower) && !/\b(?:verified|observed|passed|evidence|output|registry|status|unverified|not verified)\b/i.test(lower)) blockers.push('writing: completion claim needs observed evidence or explicit unverified boundary');
+    if (/\b(?:should work|probably|presumably|i assume)\b/i.test(source)) blockers.push('writing: uncertainty must be stated as an evidence boundary, not an assumption');
+  }
+
+  return {
+    domains: [...new Set(domains)],
+    blockers: [...new Set(blockers)],
+    warnings: [...new Set(warnings)],
+  };
+}

package/dist/assets/opencode-plugins/harness-stop/lib/skill-autoload-gate.js

@@ -0,0 +1 @@
+export * from '../../../../../ops/claude-hooks/lib/skill-autoload-gate.mjs';