@aria_asi/cli 0.2.33 → 0.2.34

package/scripts/bundle-sdk.mjs

@@ -54,6 +54,7 @@ const REQUIRED_HOOK_FILES = [
 const REQUIRED_HOOK_HELPERS = [
   'lib/canonical-lenses.mjs',
   'lib/gate-audit.mjs',
+  'lib/skill-autoload-gate.mjs',
 ];
 const REQUIRED_OPENCODE_PLUGINS = [
   'harness-context',
@@ -293,6 +294,7 @@ if (existsSync(DOCTRINE_TRIGGER_MAP_SRC)) {
   copyFileSync(DOCTRINE_TRIGGER_MAP_SRC, join(RUNTIME_DST, 'doctrine_trigger_map.json'));
 }
 if (existsSync(CONNECTOR_HOOKS_SRC)) {
+  copyTree(CONNECTOR_HOOKS_SRC, join(RUNTIME_DST, 'hooks'));
   copyTree(CONNECTOR_HOOKS_SRC, join(DIST_ASSETS_DST, 'hooks'));
 }
 if (existsSync(OPENCODE_PLUGINS_SRC)) {

package/scripts/self-test-harness-gates.mjs

@@ -0,0 +1,79 @@
+#!/usr/bin/env node
+
+import assert from 'node:assert/strict';
+import { mkdtempSync, rmSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+import { pathToFileURL } from 'node:url';
+
+const repoRoot = join(import.meta.dirname, '..', '..', '..');
+const gateModule = await import(pathToFileURL(join(repoRoot, 'ops/claude-hooks/lib/skill-autoload-gate.mjs')));
+
+assert.equal(typeof gateModule.evaluateSkillGate, 'function', 'evaluateSkillGate export missing');
+assert.equal(typeof gateModule.formatSkillGateBlock, 'function', 'formatSkillGateBlock export missing');
+
+const broadClaim = gateModule.evaluateSkillGate({
+  sessionId: 'self-test-broad-readiness',
+  surface: 'self-test-output',
+  isOutputCloseout: true,
+  text: 'This is production-ready in general for client npm packages, SDKs, runtimes, and harnesses.',
+  autoLoadAvailable: false,
+});
+assert.equal(broadClaim.ok, false, 'broad readiness claim must block without required skills');
+assert.ok(broadClaim.missingSkills.includes('architecture-decision'), 'architecture-decision must be required');
+assert.ok(broadClaim.missingSkills.includes('testing-strategy'), 'testing-strategy must be required');
+assert.ok(broadClaim.missingSkills.includes('aria-forge-guardrails'), 'aria-forge-guardrails must be required');
+
+const deployAction = gateModule.evaluateSkillGate({
+  sessionId: 'self-test-deploy',
+  surface: 'self-test-action',
+  isDeploy: true,
+  toolName: 'Bash',
+  action: 'bash scripts/deploy-service.sh aria-soul',
+  text: 'deploy service',
+  autoLoadAvailable: false,
+});
+assert.equal(deployAction.ok, false, 'deploy action must block without aria-harness-deploy');
+assert.ok(deployAction.missingSkills.includes('aria-harness-deploy'), 'aria-harness-deploy must be required');
+
+const missingProof = gateModule.evaluateSkillGate({
+  sessionId: 'self-test-missing-proof',
+  surface: 'self-test-output',
+  isOutputCloseout: true,
+  text: [
+    '<skill_content name="aria-harness-output-discipline"></skill_content>',
+    'Completed, but tests were not run and this still has a blocker.',
+  ].join('\n'),
+  autoLoadAvailable: false,
+});
+assert.equal(missingProof.ok, false, 'completion with failed/missing proof must block');
+assert.ok(missingProof.recoveryMissing.includes('successful proof from a concrete command/probe'), 'successful proof must be required');
+assert.ok(missingProof.recoveryMissing.includes('re-submission'), 're-submission must be required');
+assert.ok(missingProof.recoveryMissing.includes('re-write'), 're-write must be required');
+assert.ok(missingProof.recoveryMissing.includes('re-test'), 're-test must be required');
+assert.ok(missingProof.recoveryMissing.includes('ARIA console escalation'), 'ARIA console escalation must be required');
+
+const loaded = gateModule.evaluateSkillGate({
+  sessionId: 'self-test-loaded',
+  surface: 'self-test-output',
+  isOutputCloseout: true,
+  text: [
+    '<skill_content name="architecture-decision"></skill_content>',
+    '<skill_content name="testing-strategy"></skill_content>',
+    '<skill_content name="aria-forge-guardrails"></skill_content>',
+    '<skill_content name="aria-harness-output-discipline"></skill_content>',
+    'This production-ready statement is backed by a full readiness matrix. Verified: npm run check:hooks passed successfully.',
+  ].join('\n'),
+  autoLoadAvailable: false,
+});
+assert.equal(loaded.ok, true, gateModule.formatSkillGateBlock(loaded));
+
+const installedStop = await import(pathToFileURL(join(repoRoot, 'packages/aria-connector/opencode-plugins/harness-stop/index.js')));
+assert.equal(typeof installedStop.default, 'function', 'harness-stop default export missing');
+const installedGate = await import(pathToFileURL(join(repoRoot, 'packages/aria-connector/opencode-plugins/harness-gate/index.js')));
+assert.equal(typeof installedGate.default, 'function', 'harness-gate default export missing');
+
+const temp = mkdtempSync(join(tmpdir(), 'aria-harness-gates-'));
+rmSync(temp, { recursive: true, force: true });
+
+console.log('harness gate self-test passed');

package/src/connectors/codex.ts

@@ -90,6 +90,7 @@ function tomlString(value: string): string {
 
 function buildCodexHookRuntimeClient(): string {
   return `import { readFileSync, existsSync, mkdirSync, writeFileSync, unlinkSync } from 'node:fs';
+import { spawnSync } from 'node:child_process';
 import { createHash, randomUUID } from 'node:crypto';
 import { homedir } from 'node:os';
 import path from 'node:path';
@@ -98,6 +99,7 @@ import { HTTPHarnessClient } from '@aria_asi/harness-http-client';
 const HOME = homedir();
 const DEFAULT_RUNTIME_URL = (process.env.ARIA_RUNTIME_URL || 'http://127.0.0.1:4319').replace(/\\/+$/, '');
 const TURN_STATE_DIR = path.join(HOME, '.codex', 'tmp', 'aria-hook-turn-state');
+const GOVERNANCE_GATE_PATH = path.join(HOME, '.aria', 'bin', 'aria-governance-gate');
 
 function readToken() {
   const envToken = process.env.ARIA_API_KEY || process.env.ARIA_MASTER_TOKEN || process.env.OPENAI_API_KEY;
@@ -323,6 +325,22 @@ export function emitJson(payload, code = 0) {
   process.stdout.write(\`\${JSON.stringify(payload)}\\n\`);
   process.exit(code);
 }
+
+export function runGovernanceGate(payload = {}) {
+  if (!existsSync(GOVERNANCE_GATE_PATH)) return null;
+  const child = spawnSync(GOVERNANCE_GATE_PATH, {
+    input: \`\${JSON.stringify(payload)}\\n\`,
+    encoding: 'utf8',
+    maxBuffer: 1024 * 1024,
+  });
+  const stdout = String(child.stdout || '').trim();
+  let result = null;
+  try { result = stdout ? JSON.parse(stdout) : null; } catch {}
+  if (child.status !== 0 || result?.ok === false || result?.decision === 'block') {
+    throw new Error(stdout || child.stderr || 'aria-governance-gate blocked this Codex hook.');
+  }
+  return result;
+}
 `;
 }
 
@@ -339,6 +357,7 @@ import {
   runtimePost,
   loadTurnState,
   saveTurnState,
+  runGovernanceGate,
   emitJson,
 } from './lib/runtime-client.mjs';
 
@@ -357,6 +376,13 @@ try {
     message: userText || 'codex turn start',
   });
   const packetRef = makeEvidenceRef('harness_packet', packet, { sessionId, platform: 'codex' });
+  runGovernanceGate({
+    sessionId,
+    sourceRuntime: 'codex',
+    surface: 'codex-userprompt-submit',
+    text: userText.slice(0, 8000),
+    evidence: packetRef,
+  });
   const result = await runtimePost('/mizan/pre', {
     sessionId,
     packet,
@@ -408,6 +434,7 @@ import {
   loadTurnState,
   makeEvidenceRef,
   saveTurnState,
+  runGovernanceGate,
   emitJson,
 } from './lib/runtime-client.mjs';
 
@@ -433,6 +460,17 @@ try {
     });
   }
   const toolName = String(event?.tool_name || event?.toolName || '').trim() || null;
+  runGovernanceGate({
+    sessionId,
+    sourceRuntime: 'codex',
+    surface: 'codex-pre-tool-use',
+    text: JSON.stringify(event).slice(0, 8000),
+    action,
+    toolName,
+    isDeploy: action === 'deploy',
+    isMutation: action === 'write' || action === 'delete',
+    evidence: makeEvidenceRef('codex_tool_request', { action, toolName, target }, { sessionId }),
+  });
   const tools = Array.isArray(state?.tools) ? state.tools.slice(-24) : [];
   tools.push({
     at: new Date().toISOString(),
@@ -505,6 +543,7 @@ import {
   makeEvidenceRef,
   clearTurnState,
   formatValidationFailure,
+  runGovernanceGate,
   emitJson,
 } from './lib/runtime-client.mjs';
 
@@ -520,6 +559,14 @@ try {
   if (!text) {
     emitJson({ continue: true });
   }
+  runGovernanceGate({
+    sessionId,
+    sourceRuntime: 'codex',
+    surface: 'codex-stop',
+    text: text.slice(0, 8000),
+    isOutputCloseout: true,
+    evidence: outputRef,
+  });
   const validation = await runtimePost('/validate-output', {
     text,
     sessionId,