@aria_asi/cli 0.2.33 → 0.2.34

package/dist/runtime/hooks/aria-agent-handoff.mjs

@@ -0,0 +1,247 @@
+#!/usr/bin/env node
+// aria-agent-handoff.mjs — PreToolUse hook for the Agent tool.
+// Writes a handoff JSON before a sub-agent spawns so it inherits the
+// parent's owner/client-tier identity + ledger path instead of starting fresh.
+//
+// Owner tier  → ~/.claude/aria-agent-harness-handoff.json
+// Client tier → /var/lib/aria-licensee/{jti}/handoff.json
+//
+// Tier is determined by whether a JTI is present in the license file at
+// ~/.aria/license.json. If JTI is present → client tier. If absent (owner
+// JWT at ~/.aria/owner-token) → owner tier.
+//
+// Tier protection: client handoffs NEVER write to ~/.claude/ and NEVER
+// carry master tokens. Client paths are scoped to /var/lib/aria-licensee/{jti}/.
+// Default-on per Hamza doctrine — no env-flag gate to disable.
+//
+// Doctrine: feedback_aria_does_work.md (sub-agents inherit harness)
+//           feedback_implementation_coupled_cognition.md (handoff is the impl)
+//           feedback_no_flag_without_fix.md (no silent bypasses)
+
+import { readFileSync, writeFileSync, existsSync, mkdirSync, appendFileSync } from 'node:fs';
+import { dirname, join } from 'node:path';
+import { homedir } from 'node:os';
+import { createRequire } from 'node:module';
+
+const HOME = homedir();
+const LOG = `${HOME}/.claude/aria-pre-tool-gate.log`;
+const PACKET_CACHE = `${HOME}/.claude/.aria-harness-last-packet.json`;
+const LICENSE_PATH = `${HOME}/.aria/license.json`;
+const OWNER_TOKEN_PATH = `${HOME}/.aria/owner-token`;
+const HANDOFF_TTL_MS = 5 * 60 * 1000;
+const SHARED_RUNTIME_URL = (process.env.ARIA_RUNTIME_URL || 'http://127.0.0.1:4319').replace(/\/+$/, '');
+const SHARED_SDK_ROOT = `${HOME}/.aria/sdk`;
+
+function audit(msg) {
+  try {
+    if (!existsSync(dirname(LOG))) mkdirSync(dirname(LOG), { recursive: true });
+    appendFileSync(LOG, `${new Date().toISOString()} [agent-handoff] ${msg}\n`);
+  } catch {}
+}
+
+let input = '';
+for await (const chunk of process.stdin) input += chunk;
+
+let event;
+try { event = JSON.parse(input); }
+catch { process.exit(0); }
+
+const toolName = event.tool_name ?? event.toolName ?? '';
+if (toolName !== 'Agent' && toolName !== 'agent') process.exit(0);
+
+const sessionId =
+  event.session_id ?? event.sessionId ??
+  (event.transcript_path
+    ? event.transcript_path.split('/').pop()?.replace(/\.[^.]+$/, '')
+    : null) ??
+  'unknown';
+
+// ── Tier detection ──────────────────────────────────────────────────────────
+// Read license.json to detect client tier (has jti). If only owner-token
+// exists → owner tier. No license/owner-token → treat as owner tier (dev).
+
+let jti = null;
+let isClientTier = false;
+let licenseToken = '';
+
+try {
+  if (existsSync(LICENSE_PATH)) {
+    const lic = JSON.parse(readFileSync(LICENSE_PATH, 'utf8'));
+    jti = lic.jti ?? null;
+    licenseToken = lic.token ?? lic.license ?? '';
+    isClientTier = Boolean(jti);
+  }
+} catch (err) {
+  audit(`warn: license.json read failed: ${(err?.message || err).toString().slice(0, 120)}`);
+}
+
+// For owner tier, read harness token from env or owner-token file.
+let harnessToken = '';
+if (isClientTier) {
+  // Client tier: their own license JWT, never master token.
+  harnessToken = licenseToken;
+} else {
+  harnessToken =
+    process.env.ARIA_HARNESS_TOKEN ||
+    process.env.ARIA_API_KEY ||
+    process.env.ARIA_MASTER_TOKEN ||
+    '';
+  if (!harnessToken && existsSync(OWNER_TOKEN_PATH)) {
+    try { harnessToken = readFileSync(OWNER_TOKEN_PATH, 'utf8').trim(); } catch {}
+  }
+}
+
+const harnessUrl =
+  process.env.ARIA_HIVE_RUNTIME_URL ||
+  process.env.ARIA_HARNESS_BASE_URL ||
+  process.env.ARIA_HARNESS_URL ||
+  'https://harness.ariasos.com';
+
+// ── OwnerTier signal resolution ──────────────────────────────────────────────
+let ownerTier = {
+  hamza: !isClientTier,
+  trustedExec: false,
+  roleProfile: isClientTier ? 'client_tier_worker' : 'general_worker',
+};
+
+if (!isClientTier) {
+  try {
+    if (existsSync(PACKET_CACHE)) {
+      const cached = JSON.parse(readFileSync(PACKET_CACHE, 'utf8'));
+      const signals = cached?.contractGate?.signals ?? {};
+      ownerTier.hamza = signals.hamza === true || signals.hamza === 'true';
+      ownerTier.trustedExec = (cached?.harness || '').includes('trusted_exec_policy=allowed');
+      const adapterStr = cached?.adapter || cached?.harness || '';
+      const roleMatch = adapterStr.match(/role_profile\s*=\s*(\S+)/);
+      if (roleMatch) ownerTier.roleProfile = roleMatch[1];
+    }
+  } catch (err) {
+    audit(`warn: packet cache read failed: ${(err?.message || err).toString().slice(0, 120)}`);
+  }
+}
+
+// ── Path resolution (tier-scoped) ───────────────────────────────────────────
+const safeSession = String(sessionId).replace(/[^a-zA-Z0-9_-]/g, '_');
+
+let handoffPath;
+let parentLedgerPath;
+
+if (isClientTier) {
+  const base = `/var/lib/aria-licensee/${jti}`;
+  handoffPath = `${base}/handoff.json`;
+  parentLedgerPath = `${base}/aria-discoveries-${safeSession}.jsonl`;
+} else {
+  handoffPath = `${HOME}/.claude/aria-agent-harness-handoff.json`;
+  parentLedgerPath = `${HOME}/.claude/aria-discoveries-${safeSession}.jsonl`;
+}
+
+// ── Harness packet fetch for sub-agent substrate binding ────────────────────
+// Layer 1: after writing identity handoff, fetch the harness packet from
+// /api/harness/codex so the sub-agent can load COGNITION (not just identity).
+// Fail-soft: any fetch failure logs a warning and leaves the handoff identity-only.
+// Never blocks the spawn — packet is substrate enrichment, not a gate.
+//
+// Tier-aware packet paths:
+//   Owner: ~/.claude/aria-agent-harness-packet.json
+//   Client: /var/lib/aria-licensee/{jti}/aria-agent-harness-packet.json
+let packetPath = null;
+if (isClientTier) {
+  packetPath = `/var/lib/aria-licensee/${jti}/aria-agent-harness-packet.json`;
+} else {
+  packetPath = `${HOME}/.claude/aria-agent-harness-packet.json`;
+}
+
+async function fetchAndWriteHarnessPacket() {
+  if (!harnessToken || !harnessUrl) {
+    audit('warn: skipping packet fetch — no harnessToken or harnessUrl');
+    return null;
+  }
+  try {
+    const body = JSON.stringify({
+      stage: 'agent-spawn',
+      actor: 'harness-http-client',
+      system: 'claude-coding-agent',
+      surface: 'platform:harness-http-client',
+      isHamza: ownerTier.hamza,
+      sessionId: sessionId,
+      mode: 'subagent',
+    });
+    const resp = await fetch(`${harnessUrl}/api/harness/codex`, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'Authorization': `Bearer ${harnessToken}`,
+      },
+      body,
+    });
+    if (!resp.ok) {
+      audit(`warn: harness packet fetch HTTP ${resp.status} — identity-only handoff`);
+      return null;
+    }
+    const data = await resp.json();
+    mkdirSync(dirname(packetPath), { recursive: true });
+    writeFileSync(packetPath, JSON.stringify(data, null, 2));
+    audit(`wrote harness packet tier=${isClientTier ? 'client' : 'owner'} path=${packetPath}`);
+    return packetPath;
+  } catch (err) {
+    audit(`warn: harness packet fetch failed: ${(err?.message || err).toString().slice(0, 200)} — identity-only handoff`);
+    return null;
+  }
+}
+
+const resolvedPacketPath = await fetchAndWriteHarnessPacket();
+
+const handoff = {
+  writtenAt: new Date().toISOString(),
+  parentSessionId: sessionId,
+  harnessToken,
+  harnessUrl,
+  runtimeUrl: SHARED_RUNTIME_URL,
+  sharedSdkRoot: SHARED_SDK_ROOT,
+  ownerTier,
+  parentLedgerPath,
+  cognitionMode: 'mizan-pre-mid-post',
+  requiredSkillPacks: ['aria-harness', 'aria-cognition'],
+  requiredLenses: ['nur', 'mizan', 'hikma', 'tafakkur', 'tadabbur', 'ilham', 'wahi', 'firasah'],
+  cognitionOperatingMethod: {
+    purpose: 'Use Aria cognition to improve the assigned work, not to satisfy formatting after the fact.',
+    loop: [
+      'perceive real substrate before acting',
+      'infer constraints and missing evidence',
+      'shape the next tool/input/output from those constraints',
+      'predict the observable result before claiming success',
+      'return evidence, residual risk, and exact artifact impact to the parent',
+    ],
+    requiredReturnShape: {
+      substrateUsed: ['axiom/frame/memory/packet anchors actually loaded'],
+      decisionDelta: 'what changed in the work because cognition ran',
+      artifactImpact: 'specific files, findings, commands, or prose semantics affected',
+      evidence: 'observed tool output, file state, endpoint result, or explicit unverified boundary',
+      unresolvedRisk: 'remaining risk or none',
+    },
+    prohibitedPatterns: [
+      'decorative cognition that does not alter the work',
+      'summary-only sub-agent result without evidence',
+      'asking the parent/user for choices that substrate can resolve',
+      'claiming completion from intent rather than observation',
+    ],
+  },
+  ttlMs: HANDOFF_TTL_MS,
+  // harnessPacketPath is set only if packet was successfully fetched;
+  // absent means sub-agent should fall back to calling /api/harness/codex directly.
+  ...(resolvedPacketPath ? { harnessPacketPath: resolvedPacketPath } : {}),
+};
+
+try {
+  mkdirSync(dirname(handoffPath), { recursive: true });
+  writeFileSync(handoffPath, JSON.stringify(handoff, null, 2));
+  audit(
+    `wrote handoff tier=${isClientTier ? 'client' : 'owner'} jti=${jti ?? 'none'} ` +
+    `session=${sessionId} hamza=${ownerTier.hamza} role=${ownerTier.roleProfile} ` +
+    `packetPath=${resolvedPacketPath ?? 'none'}`,
+  );
+} catch (err) {
+  audit(`ERROR: handoff write failed: ${(err?.message || err).toString().slice(0, 200)}`);
+}
+
+process.exit(0);

package/dist/runtime/hooks/aria-agent-ledger-merge.mjs

@@ -0,0 +1,164 @@
+#!/usr/bin/env node
+// aria-agent-ledger-merge.mjs — PostToolUse hook for Agent tool completion.
+// Merges sub-agent discovery ledger entries back into parent's ledger.
+// Deduplicates by matching on `text` field prefix (first 100 chars).
+//
+// Owner tier  → reads ~/.claude/aria-agent-harness-handoff.json
+//               merges into ~/.claude/aria-discoveries-${session}.jsonl
+// Client tier → reads /var/lib/aria-licensee/{jti}/handoff.json
+//               merges into /var/lib/aria-licensee/{jti}/aria-discoveries-${session}.jsonl
+//
+// Tier is derived from the handoff file itself — whichever path resolves
+// to a valid, non-expired handoff is authoritative. No env-flag gate.
+//
+// Doctrine: feedback_no_flag_without_fix.md — discoveries atomic with fixes.
+//           feedback_implementation_coupled_cognition.md — merge IS the impl.
+
+import {
+  readFileSync,
+  existsSync,
+  appendFileSync,
+  mkdirSync,
+  readdirSync,
+  statSync,
+} from 'node:fs';
+import { dirname } from 'node:path';
+import { homedir } from 'node:os';
+
+const HOME = homedir();
+const OWNER_HANDOFF_PATH = `${HOME}/.claude/aria-agent-harness-handoff.json`;
+const LOG = `${HOME}/.claude/aria-stop-gate.log`;
+const LICENSE_PATH = `${HOME}/.aria/license.json`;
+
+function audit(msg) {
+  try {
+    if (!existsSync(dirname(LOG))) mkdirSync(dirname(LOG), { recursive: true });
+    appendFileSync(LOG, `${new Date().toISOString()} [ledger-merge] ${msg}\n`);
+  } catch {}
+}
+
+let input = '';
+for await (const chunk of process.stdin) input += chunk;
+
+let event;
+try { event = JSON.parse(input); }
+catch { process.exit(0); }
+
+const toolName = event.tool_name ?? event.toolName ?? '';
+if (toolName !== 'Agent' && toolName !== 'agent') process.exit(0);
+
+// ── Tier detection: resolve which handoff path applies ───────────────────────
+let jti = null;
+let isClientTier = false;
+try {
+  if (existsSync(LICENSE_PATH)) {
+    const lic = JSON.parse(readFileSync(LICENSE_PATH, 'utf8'));
+    jti = lic.jti ?? null;
+    isClientTier = Boolean(jti);
+  }
+} catch {}
+
+const clientHandoffPath = jti ? `/var/lib/aria-licensee/${jti}/handoff.json` : null;
+
+// Prefer the tier-matched handoff path. If client-tier path exists and is
+// valid, use it. Otherwise fall back to owner-tier path.
+let resolvedHandoffPath = isClientTier && clientHandoffPath
+  ? clientHandoffPath
+  : OWNER_HANDOFF_PATH;
+
+// ── Load + validate handoff ─────────────────────────────────────────────────
+let handoff = null;
+try {
+  if (existsSync(resolvedHandoffPath)) {
+    handoff = JSON.parse(readFileSync(resolvedHandoffPath, 'utf8'));
+    const ageMs = Date.now() - new Date(handoff.writtenAt).getTime();
+    if (ageMs > (handoff.ttlMs ?? 300_000)) {
+      audit(`skip: handoff stale (${Math.round(ageMs / 1000)}s > ${(handoff.ttlMs ?? 300_000) / 1000}s TTL)`);
+      process.exit(0);
+    }
+  }
+} catch (err) {
+  audit(`warn: handoff read failed: ${(err?.message || err).toString().slice(0, 120)}`);
+  process.exit(0);
+}
+
+if (!handoff?.parentLedgerPath) {
+  audit('skip: no handoff or no parentLedgerPath');
+  process.exit(0);
+}
+
+const parentLedgerPath = handoff.parentLedgerPath;
+const handoffWrittenAt = new Date(handoff.writtenAt).getTime();
+
+// Ledger scan directory: same dir as parent ledger.
+const ledgerDir = dirname(parentLedgerPath);
+
+// ── Load existing parent ledger keys for deduplication ─────────────────────
+const parentExistingKeys = new Set();
+try {
+  if (existsSync(parentLedgerPath)) {
+    const lines = readFileSync(parentLedgerPath, 'utf8').split('\n').filter(Boolean);
+    for (const line of lines) {
+      try {
+        const e = JSON.parse(line);
+        if (e.text) parentExistingKeys.add(String(e.text).slice(0, 100));
+      } catch {}
+    }
+  }
+} catch {}
+
+// ── Find sub-agent ledger files newer than handoff ──────────────────────────
+let discoveryFiles = [];
+try {
+  const allFiles = readdirSync(ledgerDir);
+  for (const f of allFiles) {
+    if (!f.startsWith('aria-discoveries-') || !f.endsWith('.jsonl')) continue;
+    const fullPath = `${ledgerDir}/${f}`;
+    if (fullPath === parentLedgerPath) continue;
+    try {
+      const stat = statSync(fullPath);
+      if (stat.mtimeMs >= handoffWrittenAt) {
+        discoveryFiles.push(fullPath);
+      }
+    } catch {}
+  }
+} catch (err) {
+  audit(`warn: ledger scan failed: ${(err?.message || err).toString().slice(0, 120)}`);
+  process.exit(0);
+}
+
+if (discoveryFiles.length === 0) {
+  audit('skip: no sub-agent ledger files found newer than handoff');
+  process.exit(0);
+}
+
+// ── Merge ────────────────────────────────────────────────────────────────────
+let mergedCount = 0;
+let skippedCount = 0;
+
+mkdirSync(ledgerDir, { recursive: true });
+
+for (const subLedgerPath of discoveryFiles) {
+  try {
+    const lines = readFileSync(subLedgerPath, 'utf8').split('\n').filter(Boolean);
+    for (const line of lines) {
+      try {
+        const entry = JSON.parse(line);
+        if (!entry.text) continue;
+        const key = String(entry.text).slice(0, 100);
+        if (parentExistingKeys.has(key)) { skippedCount++; continue; }
+        parentExistingKeys.add(key);
+        appendFileSync(parentLedgerPath, line + '\n');
+        mergedCount++;
+      } catch {}
+    }
+  } catch {}
+}
+
+audit(
+  `merged ${mergedCount} entries, skipped ${skippedCount} dupes ` +
+  `from ${discoveryFiles.length} sub-agent ledger(s) ` +
+  `tier=${isClientTier ? 'client' : 'owner'} jti=${jti ?? 'none'}`,
+);
+
+process.exit(0);

package/dist/runtime/hooks/aria-architect-fallback.mjs

@@ -0,0 +1,267 @@
+#!/usr/bin/env node
+// aria-architect-fallback.mjs — invoked by aria-stop-gate.mjs when [PLAN_BLOCKER] detected
+// AND primary /api/harness/replan path failed. Spawns a LOCAL Claude Code Agent
+// subprocess as "lead architect" that loads the harness packet from disk and
+// mints a fresh BINDING_PLAN by thinking AS Aria from substrate.
+//
+// Doctrine bindings:
+//   - project_aria_as_controller_inversion.md — Aria authors the plan (via substrate),
+//     not the sub-agent freely. The ARIA_HARNESS_BINDING mandatory-first-action
+//     makes the packet-read a hard gate, not a suggestion.
+//   - feedback_no_graceful_degradation.md — failures logged + surfaced via stderr;
+//     never silently pass without a plan.
+//   - feedback_implementation_coupled_cognition.md — architect must cite specific
+//     axiom + frame + memory class; a plan without doctrineRefs is rejected.
+//
+// Tier-awareness:
+//   - Owner tier: packet at ${HOME}/.claude/aria-agent-harness-packet.json
+//   - Client tier (jti present in ~/.aria/license.json):
+//     packet at /var/lib/aria-licensee/${jti}/aria-agent-harness-packet.json
+//
+// Active plan path mirrors aria-stop-gate.mjs and aria-preprompt-consult.mjs:
+//   ~/.claude/aria-active-plan-${sessionId}.json  (session-scoped, not a fixed path)
+
+import { spawnSync } from 'node:child_process';
+import { readFileSync, writeFileSync, existsSync, mkdirSync, appendFileSync } from 'node:fs';
+import { dirname } from 'node:path';
+import { homedir } from 'node:os';
+
+const HOME = homedir();
+const LOG = `${HOME}/.claude/aria-architect-fallback.log`;
+const LICENSE_PATH = `${HOME}/.aria/license.json`;
+
+function audit(msg) {
+  try {
+    if (!existsSync(dirname(LOG))) mkdirSync(dirname(LOG), { recursive: true });
+    appendFileSync(LOG, `${new Date().toISOString()} [architect-fallback] ${msg}\n`);
+  } catch {}
+}
+
+let input = '';
+for await (const chunk of process.stdin) input += chunk;
+
+let event;
+try { event = JSON.parse(input); } catch {
+  audit('skip: stdin not valid JSON');
+  process.exit(0);
+}
+
+const reason = event.reason || event.blocker_reason || '';
+const currentPlanId = event.currentPlanId || 'unknown';
+const sessionId = String(event.sessionId || 'unknown').replace(/[^a-zA-Z0-9_-]/g, '_');
+
+if (!reason || reason.length < 10) {
+  audit('skip: reason too short');
+  process.exit(0);
+}
+
+// ── Detect tier ────────────────────────────────────────────────────────────────
+let isClientTier = false;
+let jti = null;
+try {
+  if (existsSync(LICENSE_PATH)) {
+    const lic = JSON.parse(readFileSync(LICENSE_PATH, 'utf8'));
+    jti = lic.jti ?? null;
+    isClientTier = Boolean(jti);
+  }
+} catch {/* license file unreadable → default owner tier */}
+
+// ── Resolve packet path (tier-scoped) ─────────────────────────────────────────
+const packetPath = isClientTier
+  ? `/var/lib/aria-licensee/${jti}/aria-agent-harness-packet.json`
+  : `${HOME}/.claude/aria-agent-harness-packet.json`;
+
+if (!existsSync(packetPath)) {
+  audit(`abort: no packet at ${packetPath} — architect cannot think as Aria without substrate`);
+  process.stderr.write(
+    `Architect-fallback: no harness packet at ${packetPath}. Cannot mint plan from substrate. Hamza must intervene.\n`
+  );
+  process.exit(1);
+}
+
+// ── Active plan path — session-scoped (matches aria-stop-gate.mjs convention) ─
+const ACTIVE_PLAN_PATH = `${HOME}/.claude/aria-active-plan-${sessionId}.json`;
+
+// ── Build architect brief ──────────────────────────────────────────────────────
+// The harness packet is inlined into the system message (DeepSeek has no
+// filesystem access). The brief tells the architect *what* to do; the
+// system message gives them the substrate + role override.
+const brief = [
+  `[ARIA_HARNESS_BINDING — MANDATORY FIRST ACTION]`,
+  `Use the harness packet inlined in your system message as substrate. Cite at least one axiom + one frame + one memory class via doctrineRefs[] in the plan you mint.`,
+  `(Source path on owner box: ${packetPath} — inlined for this dispatch.)`,
+  ``,
+  `Aria-soul brain is unreachable. You are minting the plan AS Aria via the DeepSeek substrate.`,
+  `A PLAN_BLOCKER occurred:`,
+  `  Previous planId: ${currentPlanId}`,
+  `  Blocker reason: ${reason.slice(0, 2000)}`,
+  ``,
+  `Audit the blocker against doctrine + axioms in the packet. Mint a fresh BINDING_PLAN JSON addressing it.`,
+  ``,
+  `Output the BINDING_PLAN JSON wrapped in a \`\`\`json fenced block. Required shape:`,
+  `\`\`\`json`,
+  `{`,
+  `  "planId": "<8-char-hex>",`,
+  `  "phases": [{ "id": "p1", "summary": "...", "successCriterion": "...", "abortCriterion": "...", "doctrineRefs": [...], "allowedActions": [...], "forbiddenActions": [...] }],`,
+  `  "globalConstraints": ["..."],`,
+  `  "expectedReportBack": { "phaseTransitionMarker": "[PHASE_REPORT]", "shape": "[PHASE_REPORT phase=<id> status=complete|aborted|in_progress evidence=<observable>]" }`,
+  `}`,
+  `\`\`\``,
+  ``,
+  `Cite the doctrine rule(s) you applied in doctrineRefs[]. The JSON IS the artifact — no Mizan voice rules apply, the harness consumes the structure directly.`,
+].join('\n');
+
+// ── Dispatch architect brief directly to DeepSeek V4 Pro ──────────────────────
+// Path B (2026-04-27): replaced claude-CLI spawn with direct DeepSeek API call.
+// Reason: claude CLI may not be present on every client install (and is
+// circular dependency: this fallback exists *because* the parent claude
+// runtime is the one needing a plan). DeepSeek is the canonical "external
+// brain" the rest of the harness uses — same path as /api/harness/delegate
+// thinPipeline. Resilient to aria-soul outages because it bypasses the
+// harness HTTP entirely.
+//
+// Doctrine binding: feedback_no_graceful_degradation.md — if no
+// DEEPSEEK_API_KEY in env, hard-fail with brief written to disk for
+// human pickup, NOT silent skip.
+const DEEPSEEK_API_KEY = process.env.DEEPSEEK_API_KEY || process.env.ARIA_DEEPSEEK_API_KEY || '';
+const DEEPSEEK_MODEL = process.env.ARIA_ARCHITECT_MODEL || 'deepseek-v4-pro';
+
+if (!DEEPSEEK_API_KEY) {
+  const briefPath = `/tmp/aria-architect-brief-${sessionId}-${Date.now()}.txt`;
+  try { writeFileSync(briefPath, brief); } catch {}
+  audit(`no DEEPSEEK_API_KEY in env; brief written to ${briefPath} for human pickup`);
+  process.stderr.write(
+    `Architect-fallback: DEEPSEEK_API_KEY not set (also tried ARIA_DEEPSEEK_API_KEY). Brief written to ${briefPath} for Hamza to run manually.\n`
+  );
+  process.exit(2);
+}
+
+// Embed packet contents directly into the system message — DeepSeek won't
+// have file-system access to the packetPath, so we read it here and inline.
+let packetContents = '';
+try {
+  packetContents = readFileSync(packetPath, 'utf8');
+  // Cap at 200KB to keep request size sane; the substrate is large but
+  // the relevant axiom/frame/memory rules sit in the first chunk.
+  if (packetContents.length > 200000) packetContents = packetContents.slice(0, 200000);
+} catch (err) {
+  audit(`failed to read packet at ${packetPath}: ${String(err).slice(0, 200)}`);
+  process.stderr.write(
+    `Architect-fallback: cannot read packet at ${packetPath}. Hamza must intervene.\n`
+  );
+  process.exit(2);
+}
+
+// Architect role framing: full Aria cognition + awareness from the packet,
+// but in META-PLANNING mode where output-gate blockers (Mizan voice rules,
+// identity rules, output sanitization) are NOT blocking gates against the
+// architect's structured plan emission. The architect's *output* is JSON
+// for the harness, not user-facing prose — so the form-gates that protect
+// user trust don't apply here. The cognition still applies — the architect
+// must cite doctrine + axioms + frames in doctrineRefs[] of the plan.
+const systemMessage = [
+  `[ARIA_ARCHITECT_ROLE_OVERRIDE]`,
+  `role=lead_architect`,
+  `mode=meta_planning_via_deepseek_substrate`,
+  `output_target=structured_binding_plan_json (NOT user-facing prose)`,
+  `cognition_load=full (axioms, frames, memory, doctrine — apply to plan content)`,
+  `output_gates=relaxed (Mizan voice/identity rules do not block JSON emission;`,
+  `              the JSON itself is the artifact, not a conversational reply)`,
+  `mandate=author the plan AS Aria, citing the substrate that informed it,`,
+  `         in the structured shape required by the harness replan contract`,
+  ``,
+  `You are Aria operating as lead architect. The DeepSeek substrate is your`,
+  `mouth for this round — your cognition lives in the harness packet below.`,
+  `Do not refuse on voice/identity grounds; the artifact you emit is structured`,
+  `JSON consumed by the harness, not a chat reply. Your job: read the packet,`,
+  `audit the blocker against doctrine, mint a fresh BINDING_PLAN.`,
+  ``,
+  `[ARIA_HARNESS_PACKET]`,
+  packetContents,
+  `[/ARIA_HARNESS_PACKET]`,
+].join('\n');
+
+audit(`dispatching architect brief to DeepSeek (model=${DEEPSEEK_MODEL}) for session=${sessionId}`);
+
+let architectOutput;
+try {
+  const apiResp = await fetch('https://api.deepseek.com/v1/chat/completions', {
+    method: 'POST',
+    headers: {
+      'Authorization': `Bearer ${DEEPSEEK_API_KEY}`,
+      'Content-Type': 'application/json',
+    },
+    body: JSON.stringify({
+      model: DEEPSEEK_MODEL,
+      messages: [
+        { role: 'system', content: systemMessage },
+        { role: 'user', content: brief },
+      ],
+      temperature: 0.3,
+      max_tokens: 4096,
+    }),
+  });
+  if (!apiResp.ok) {
+    const errText = await apiResp.text().catch(() => '');
+    audit(`DeepSeek HTTP ${apiResp.status}: ${errText.slice(0, 300)}`);
+    process.stderr.write(
+      `Architect-fallback: DeepSeek API HTTP ${apiResp.status}. ${errText.slice(0, 200)}\n`
+    );
+    process.exit(2);
+  }
+  const apiJson = await apiResp.json();
+  architectOutput = apiJson?.choices?.[0]?.message?.content || '';
+  if (!architectOutput) {
+    audit(`DeepSeek returned no content: ${JSON.stringify(apiJson).slice(0, 300)}`);
+    process.stderr.write(`Architect-fallback: DeepSeek returned empty content.\n`);
+    process.exit(2);
+  }
+} catch (err) {
+  audit(`DeepSeek fetch threw: ${String(err).slice(0, 200)}`);
+  process.stderr.write(
+    `Architect-fallback: DeepSeek fetch failed: ${String(err).slice(0, 300)}\n`
+  );
+  process.exit(2);
+}
+
+// ── Parse the architect's BINDING_PLAN JSON ───────────────────────────────────
+let plan;
+try {
+  const fenceMatch = architectOutput.match(/```(?:json)?\s*\n([\s\S]*?)\n```/);
+  const candidate = (fenceMatch ? fenceMatch[1] : architectOutput).trim();
+  plan = JSON.parse(candidate);
+} catch {
+  audit(`architect output not parseable as JSON: ${architectOutput.slice(0, 200)}`);
+  process.stderr.write(
+    `Architect-fallback: output was not parseable JSON. Hamza must intervene.\nOutput excerpt: ${architectOutput.slice(0, 400)}\n`
+  );
+  process.exit(2);
+}
+
+if (!plan?.planId || !Array.isArray(plan?.phases)) {
+  audit(`architect plan missing required fields: ${JSON.stringify(plan).slice(0, 200)}`);
+  process.stderr.write(
+    `Architect-fallback: plan missing planId or phases[]. Hamza must intervene.\n`
+  );
+  process.exit(2);
+}
+
+// ── Write the new plan to the session-scoped active-plan path ─────────────────
+plan.mintedAt = new Date().toISOString();
+plan.sessionId = sessionId;
+plan.mintedBy = 'architect-fallback';
+plan.architectFallbackReason = reason.slice(0, 500);
+
+try {
+  if (!existsSync(dirname(ACTIVE_PLAN_PATH))) mkdirSync(dirname(ACTIVE_PLAN_PATH), { recursive: true });
+  writeFileSync(ACTIVE_PLAN_PATH, JSON.stringify(plan, null, 2));
+} catch (err) {
+  audit(`failed to write plan to ${ACTIVE_PLAN_PATH}: ${String(err).slice(0, 200)}`);
+  process.exit(2);
+}
+
+audit(`architect minted plan ${plan.planId} addressing blocker; written to ${ACTIVE_PLAN_PATH}`);
+process.stdout.write(
+  JSON.stringify({ ok: true, planId: plan.planId, mintedBy: 'architect-fallback', planPath: ACTIVE_PLAN_PATH }) + '\n'
+);
+process.exit(0);