@aria_asi/cli 0.2.33 → 0.2.35

package/dist/runtime/hooks/aria-discovery-record.mjs

@@ -0,0 +1,101 @@
+#!/usr/bin/env node
+// aria-discovery-record.mjs — invoked by sub-agents via Bash to append findings
+// to their session ledger. Usage:
+//   echo '{"text":"defect found...","kind":"missing-export","refs":["file.ts:42"]}' | node ~/.claude/hooks/aria-discovery-record.mjs
+//
+// Tier-aware: client tier writes to /var/lib/aria-licensee/{jti}/aria-discoveries-{session}.jsonl,
+// owner tier writes to ~/.claude/aria-discoveries-{session}.jsonl.
+//
+// Session ID resolution priority:
+//   1. CLAUDE_SESSION_ID env (set by Claude Code in the sub-agent process)
+//   2. ARIA_SESSION_ID env (set by spawnSubAgent caller)
+//   3. ARIA_SUB_SESSION_ID env (explicit sub-session override)
+//   4. Derived from handoff parentSessionId suffixed with "-sub" to ensure
+//      the sub-agent ledger file differs from the parent file so ledger-merge
+//      picks it up (merge skips files whose path == parentLedgerPath).
+//
+// Doctrine: feedback_no_flag_without_fix.md — findings recorded, not deferred.
+//           feedback_implementation_coupled_cognition.md — write IS the impl.
+
+import { readFileSync, existsSync, appendFileSync, mkdirSync } from 'node:fs';
+import { dirname } from 'node:path';
+import { homedir } from 'node:os';
+
+const HOME = homedir();
+const LICENSE_PATH = `${HOME}/.aria/license.json`;
+const HANDOFF_PATH = `${HOME}/.claude/aria-agent-harness-handoff.json`;
+
+let input = '';
+for await (const chunk of process.stdin) input += chunk;
+let entry;
+try { entry = JSON.parse(input); } catch {
+  process.stderr.write('discovery-record: invalid JSON on stdin\n');
+  process.exit(1);
+}
+
+if (!entry.text || typeof entry.text !== 'string' || entry.text.length < 4) {
+  process.stderr.write('discovery-record: text required (>=4 chars)\n');
+  process.exit(1);
+}
+
+// Detect tier + resolve JTI
+let isClientTier = false;
+let jti = null;
+try {
+  if (existsSync(LICENSE_PATH)) {
+    const lic = JSON.parse(readFileSync(LICENSE_PATH, 'utf8'));
+    jti = lic.jti ?? null;
+    isClientTier = Boolean(jti);
+  }
+} catch { /* non-fatal — treat as owner tier */ }
+
+// Session ID: prefer env var set by Claude Code, fall back to handoff derivation.
+// IMPORTANT: sub-agents MUST NOT use parentSessionId directly — that produces
+// the same ledger path as the parent, which aria-agent-ledger-merge.mjs skips.
+// We use CLAUDE_SESSION_ID (the sub-agent's own session) or suffix the parent
+// session with "-sub" so the file is distinct and mergeable.
+let sessionId =
+  process.env.CLAUDE_SESSION_ID ||
+  process.env.ARIA_SESSION_ID ||
+  process.env.ARIA_SUB_SESSION_ID ||
+  null;
+
+if (!sessionId) {
+  try {
+    if (existsSync(HANDOFF_PATH)) {
+      const handoff = JSON.parse(readFileSync(HANDOFF_PATH, 'utf8'));
+      const parentSession = handoff.parentSessionId;
+      // Derive a distinct sub-agent session so merge picks up this file.
+      sessionId = parentSession ? `${parentSession}-sub` : 'sub-unknown';
+    }
+  } catch { /* non-fatal */ }
+}
+sessionId = sessionId || 'sub-unknown';
+const safeSession = String(sessionId).replace(/[^a-zA-Z0-9_-]/g, '_');
+
+// Resolve ledger path (tier-scoped)
+const ledgerPath = isClientTier
+  ? `/var/lib/aria-licensee/${jti}/aria-discoveries-${safeSession}.jsonl`
+  : `${HOME}/.claude/aria-discoveries-${safeSession}.jsonl`;
+
+// Compose the row
+const row = {
+  at: new Date().toISOString(),
+  session: sessionId,
+  kind: entry.kind || 'observation',
+  text: entry.text,
+  refs: Array.isArray(entry.refs) ? entry.refs : [],
+  evidence: entry.evidence || null,
+  source: entry.source || 'sub-agent',
+  resolution_status: entry.resolution_status || 'open',
+};
+
+try {
+  mkdirSync(dirname(ledgerPath), { recursive: true });
+  appendFileSync(ledgerPath, JSON.stringify(row) + '\n');
+  process.stdout.write(JSON.stringify({ ok: true, ledger: ledgerPath, at: row.at }) + '\n');
+} catch (err) {
+  process.stderr.write(`discovery-record: write failed: ${err.message}\n`);
+  process.exit(2);
+}
+process.exit(0);

package/dist/runtime/hooks/aria-harness-via-sdk.mjs

@@ -0,0 +1,544 @@
+#!/usr/bin/env node
+// Aria harness fetch — via the canonical @aria_asi/harness-http-client SDK.
+//
+// Why this exists: doctrine says "use harness http client to be Aria's
+// control plane so you don't mess up". The earlier hook (aria-harness-fetch.sh)
+// hit /api/harness/codex with raw curl. Same network call, but it bypassed
+// the SDK and so wasn't auditable as "Claude went through the canonical
+// gateway." This script imports HTTPHarnessClient and uses it for every
+// fetch — same path any production caller takes.
+//
+// Output: JSON envelope for Claude Code with hookSpecificOutput.additionalContext
+// so the harness fullText is formally injected into the model context.
+//
+// Args:
+//   --mode session   (default: full text, ~2400 chars excerpt, cold fetch)
+//   --mode turn      (UserPromptSubmit: brief delta, ~300 chars excerpt)
+
+import { createHash } from 'node:crypto';
+import { spawnSync } from 'node:child_process';
+import { appendFileSync, existsSync, readFileSync, writeFileSync, mkdirSync, statSync } from 'node:fs';
+import { dirname } from 'node:path';
+import { createConnection } from 'node:net';
+
+const HOME = process.env.HOME || '/tmp';
+const LOG_FILE = `${HOME}/.claude/aria-harness-history.log`;
+const LAST_URL_CACHE = `${HOME}/.claude/.aria-harness-last-url`;
+const PACKET_CACHE = `${HOME}/.claude/.aria-harness-last-packet.json`;
+const SHARED_PACKET_CACHE = `${HOME}/.aria/.aria-harness-last-packet.json`;
+const MIZAN_RECEIPT_DIR = `${HOME}/.claude/.aria-mizan-receipts`;
+const HEADER_PREFIX = '🔐 Aria Harness';
+const DEFAULT_RUNTIME_URL = process.env.ARIA_RUNTIME_URL || 'http://127.0.0.1:4319';
+const RUNTIME_PACKET_SUFFIX = '/packet';
+
+const args = process.argv.slice(2);
+const MODE = args.includes('--mode') ? args[args.indexOf('--mode') + 1] : 'session';
+const HOOK_EVENT_NAME = process.env.HOOK_EVENT_NAME || (MODE === 'turn' ? 'UserPromptSubmit' : 'SessionStart');
+
+const isTurn = MODE === 'turn';
+// Doctrine: no policy timeouts. Reachability is detected via real network
+// errors (ECONNREFUSED, EHOSTUNREACH, DNS failure — these arrive instantly
+// from the OS on the connect attempt). For black-hole IPs the OS itself
+// bounds the connect via SYN-retry; that's network behavior, not policy.
+// Slow-but-eventually-OK endpoints get a chance to respond instead of being
+// cut off by an arbitrary deadline. URLs are raced in parallel — the
+// fastest healthy responder wins, hung URLs don't block the others.
+const PACKET_CACHE_TTL_SEC = Number(process.env.ARIA_HARNESS_CACHE_TTL_SEC || '30');
+// No stale-cache cutoff. Doctrine: robust error handling + recovery + self-heal,
+// never strip identity/cognition/gates. If a cached packet exists at all, we
+// inject it when the fresh path fails — the header stamps the age and the
+// upstream last_err so the model can judge how stale the world view is, but
+// the harness body always reaches the model. The fresh-fetch path retries
+// every turn, so the cache is self-healing as soon as any URL responds.
+// Hamza 2026-04-26 directive: deliver the FULL packet every turn, no
+// rotation, no fetch tool, no clever throttling. The harness's whole
+// purpose is "remind the model from this harness every round" (packet
+// non_negotiable line) — and a 300-char excerpt was 0.8% of a 36,912-char
+// packet. Raised to 40,000 to sit comfortably above current packet size
+// (~37k) with headroom for substrate growth. Claude Code's
+// additionalContext accepts large strings; if its own internal cap is
+// lower we don't short the substrate on our side.
+const HARNESS_EXCERPT_CHARS = 40000;
+
+function emit(envelope) {
+  process.stdout.write(JSON.stringify(envelope) + '\n');
+}
+
+function emitFallback(reason, tried = []) {
+  try {
+    appendFileSync(LOG_FILE, `${new Date().toISOString()} offline mode=${MODE} reason="${reason.replace(/"/g, "'")}"\n`);
+  } catch {}
+  emit({
+    systemMessage: `${HEADER_PREFIX} ⚠ offline (${reason}) — fallback mode`,
+    suppressOutput: false,
+    hookSpecificOutput: {
+      hookEventName: HOOK_EVENT_NAME,
+      additionalContext: `${HEADER_PREFIX} offline: ${reason}. Operating without live cognitive grounding. Cluster-side governance (deepseek-gate, lane-router) still active. Tried URLs: ${tried.join(', ') || 'none'}`,
+    },
+  });
+}
+
+function resolveApiKey() {
+  if (process.env.ARIA_API_KEY) return process.env.ARIA_API_KEY;
+  if (process.env.ARIA_MASTER_TOKEN) return process.env.ARIA_MASTER_TOKEN;
+  // Try kubectl secret as last resort.
+  try {
+    const r = spawnSync('kubectl', [
+      'get', 'secret', '-n', 'aria', 'aria-secrets',
+      '-o', 'jsonpath={.data.ARIA_API_KEY}',
+    ], { encoding: 'utf8', timeout: 4_000 });
+    if (r.status === 0 && r.stdout) {
+      return Buffer.from(r.stdout.trim(), 'base64').toString('utf8');
+    }
+  } catch {}
+  return '';
+}
+
+function loadCachedUrl() {
+  try {
+    if (existsSync(LAST_URL_CACHE)) {
+      const v = readFileSync(LAST_URL_CACHE, 'utf8').trim();
+      if (v) return v;
+    }
+  } catch {}
+  return '';
+}
+function saveCachedUrl(url) {
+  try {
+    mkdirSync(dirname(LAST_URL_CACHE), { recursive: true });
+    writeFileSync(LAST_URL_CACHE, url + '\n');
+  } catch {}
+}
+
+function loadCachedPacket() {
+  try {
+    for (const packetPath of [SHARED_PACKET_CACHE, PACKET_CACHE]) {
+      if (!existsSync(packetPath)) continue;
+      const raw = readFileSync(packetPath, 'utf8');
+      const ageSec = (Date.now() - statSync(packetPath).mtimeMs) / 1000;
+      if (ageSec < PACKET_CACHE_TTL_SEC) {
+        return { data: JSON.parse(raw), ageSec };
+      }
+    }
+  } catch {}
+  return null;
+}
+function saveCachedPacket(rawJson) {
+  for (const packetPath of [PACKET_CACHE, SHARED_PACKET_CACHE]) {
+    try {
+      mkdirSync(dirname(packetPath), { recursive: true });
+      writeFileSync(packetPath, rawJson);
+    } catch {}
+  }
+}
+
+function buildUrlList() {
+  const list = [];
+  const cached = loadCachedUrl();
+  if (cached) list.push(cached);
+  if (process.env.ARIA_RUNTIME_URL) list.push(process.env.ARIA_RUNTIME_URL.replace(/\/+$/, ''));
+  list.push(DEFAULT_RUNTIME_URL.replace(/\/+$/, ''));
+  if (process.env.ARIA_HIVE_RUNTIME_URL) list.push(process.env.ARIA_HIVE_RUNTIME_URL.replace(/\/+$/, ''));
+  if (process.env.ARIA_HARNESS_BASE_URL) list.push(process.env.ARIA_HARNESS_BASE_URL.replace(/\/+$/, ''));
+  if (process.env.ARIA_HARNESS_URL) list.push(process.env.ARIA_HARNESS_URL.replace(/\/+$/, ''));
+  if (process.env.ARIA_SOUL_URL) list.push(process.env.ARIA_SOUL_URL.replace(/\/+$/, ''));
+  list.push('http://aria-soul.aria.svc.cluster.local:8080');
+  list.push('http://localhost:30080', 'http://127.0.0.1:30080');
+  // Direct ClusterIP from kubectl
+  try {
+    const r = spawnSync('kubectl', [
+      'get', 'svc', '-n', 'aria', 'aria-soul',
+      '-o', 'jsonpath={.spec.clusterIP}',
+    ], { encoding: 'utf8', timeout: 3_000 });
+    if (r.status === 0 && r.stdout && r.stdout !== 'None') {
+      list.push(`http://${r.stdout.trim()}:8080`);
+    }
+  } catch {}
+  if (process.env.ARIA_PUBLIC_URL) list.push(process.env.ARIA_PUBLIC_URL.replace(/\/+$/, ''));
+  // Dedup preserving order
+  const seen = new Set();
+  return list.filter((u) => (seen.has(u) ? false : (seen.add(u), true)));
+}
+
+function isMountedRuntimeUrl(baseUrl) {
+  return /:\/\/(?:127\.0\.0\.1|localhost):4319$/i.test(String(baseUrl || '').replace(/\/+$/, ''));
+}
+
+function normalizeHarnessPacketPayload(payload) {
+  let current = payload;
+  for (let depth = 0; depth < 3; depth++) {
+    if (!current || typeof current !== 'object' || Array.isArray(current)) break;
+    if (!('packet' in current) || !current.packet || typeof current.packet !== 'object') break;
+    if (!('timestamp' in current) && !('version' in current)) break;
+    current = current.packet;
+  }
+  return current;
+}
+
+// SDK loader — dynamic-import the bundled HTTPHarnessClient from the shared
+// ~/.aria/sdk bundle first, then client-local bundles. Module-cached after
+// first load so we don't repeatedly read disk.
+//
+// Doctrine (Hamza 2026-04-27): "isnt http harness client the fucking harness
+// we hsve been wprking on? YOU ARENT USING THAT AND BUILDING SPMETHING
+// SEPERATE WHY???!!" — SDK is the canonical control plane. Direct fetch
+// remains as a fallback only when the SDK file is physically missing
+// (dev install without `aria connect claude-code`).
+let _SdkClassCache = null;
+let _SdkLookupAttempted = false;
+const SDK_CANDIDATES = [
+  `${HOME}/.aria/sdk/index.js`,
+  `${HOME}/.claude/aria-sdk/index.js`,
+  `${HOME}/.codex/aria-sdk/index.js`,
+];
+async function loadSdkClass() {
+  if (_SdkClassCache) return _SdkClassCache;
+  if (_SdkLookupAttempted) return null;
+  _SdkLookupAttempted = true;
+  for (const sdkPath of SDK_CANDIDATES) {
+    if (!existsSync(sdkPath)) continue;
+    try {
+      const mod = await import(`file://${sdkPath}`);
+      if (mod.HTTPHarnessClient) {
+        _SdkClassCache = mod.HTTPHarnessClient;
+        return _SdkClassCache;
+      }
+    } catch {/* fall through to direct fetch */}
+  }
+  return null;
+}
+
+// Bonus fix #74 — conversation_history_count=0 packet propagation.
+//
+// The codex handler (apps/arias-soul/api/harness/codex.ts) reads req.body.messages
+// to inject conversation history into the harness packet so it can report a real
+// conversation_history_count (non-zero). Previously tryViaSdk never forwarded the
+// messages from the hook event — the packet always had conversation_history_count=0.
+//
+// Fix: read the Claude Code hook event from stdin at startup, extract event.messages
+// (the conversation history array), and forward it in both the SDK bodyOverride and
+// the direct-fetch body shape. The codex handler passes it through to
+// buildAriaExternalHarnessPacket which populates conversation_history_count.
+//
+// Stdin is read once and stored in HOOK_EVENT_MESSAGES. It's capped at 50 entries
+// before forwarding to avoid blowing the POST body size limit; the most recent
+// messages are the most relevant for history-count purposes.
+let HOOK_EVENT_MESSAGES = undefined;
+let HOOK_EVENT = null;
+try {
+  // Claude Code hooks receive the event JSON on stdin. We read it synchronously
+  // only if data is already available (i.e. piped); we don't block waiting for
+  // interactive input. Use a try/catch so the script still works when stdin is
+  // a terminal (e.g. manual invocation for testing).
+  const stdinBuf = readFileSync('/dev/stdin', { flag: 'r' });
+  const hookEvent = JSON.parse(stdinBuf.toString('utf8'));
+  HOOK_EVENT = hookEvent;
+  if (Array.isArray(hookEvent?.messages) && hookEvent.messages.length > 0) {
+    // Cap to last 50 messages. The server-side handler slices further if needed.
+    HOOK_EVENT_MESSAGES = hookEvent.messages.slice(-50);
+  }
+} catch {
+  // stdin not available / not JSON / no messages field — HOOK_EVENT_MESSAGES stays undefined.
+}
+
+function sanitizeSessionId(sessionId) {
+  return String(sessionId || 'claude-code').replace(/[^a-zA-Z0-9_-]/g, '_');
+}
+
+function currentHookSessionId() {
+  return HOOK_EVENT?.session_id || HOOK_EVENT?.sessionId || 'claude-code';
+}
+
+function lastUserMessageFromEvent() {
+  const messages = Array.isArray(HOOK_EVENT?.messages) ? HOOK_EVENT.messages : [];
+  for (let index = messages.length - 1; index >= 0; index -= 1) {
+    const message = messages[index];
+    const role = message?.role || message?.message?.role || message?.type;
+    if (role !== 'user') continue;
+    const content = message?.content ?? message?.message?.content;
+    if (typeof content === 'string' && content.trim()) return content.trim();
+    if (Array.isArray(content)) {
+      const text = content
+        .filter((entry) => entry?.type === 'text' && typeof entry?.text === 'string')
+        .map((entry) => entry.text.trim())
+        .filter(Boolean)
+        .join('\n');
+      if (text) return text;
+    }
+  }
+  return isTurn ? 'Claude turn refresh via harness hook' : 'Claude session start via harness hook';
+}
+
+function receiptPathForSession(sessionId) {
+  return `${MIZAN_RECEIPT_DIR}/${sanitizeSessionId(sessionId)}.json`;
+}
+
+function persistMizanReceipt(sessionId, payload) {
+  try {
+    mkdirSync(MIZAN_RECEIPT_DIR, { recursive: true });
+    writeFileSync(receiptPathForSession(sessionId), JSON.stringify(payload, null, 2) + '\n');
+  } catch {}
+}
+
+async function runMizanPre(apiKey, packet, sourceLabel) {
+  if (!isTurn) return null;
+  const sessionId = currentHookSessionId();
+  const packetHash = createHash('sha256').update(JSON.stringify(packet || {})).digest('hex');
+  const response = await fetch(`${DEFAULT_RUNTIME_URL.replace(/\/+$/, '')}/mizan/pre`, {
+    method: 'POST',
+    headers: {
+      Authorization: `Bearer ${apiKey}`,
+      'Content-Type': 'application/json',
+    },
+    body: JSON.stringify({
+      sessionId,
+      packet,
+      context: {
+        sessionId,
+        message: lastUserMessageFromEvent().slice(0, 4000),
+        intendedAction: 'Establish canonical pre-turn cognition receipt for this Claude turn before any tool or output work.',
+        rationale: `Claude turn-start harness sync via ${sourceLabel} must mint a canonical Mizan pre receipt for downstream tool and output enforcement.`,
+        platform: 'claude-code',
+        stage: 'hook-turn-pre',
+        packetHash,
+        packetSource: sourceLabel,
+      },
+    }),
+  });
+  const payload = await response.json().catch(() => ({}));
+  if (!response.ok) {
+    throw new Error(payload?.error || `mizan/pre failed (${response.status})`);
+  }
+  if (payload?.receipt) {
+    persistMizanReceipt(sessionId, {
+      updatedAt: new Date().toISOString(),
+      source: sourceLabel,
+      sessionId,
+      receipt: payload.receipt,
+      result: payload.result || null,
+      contract: payload.contract || null,
+      summary: payload.summary || null,
+      packetHash,
+      packetSource: sourceLabel,
+    });
+  }
+  return payload;
+}
+
+async function tryViaSdk(baseUrl, apiKey) {
+  // Canonical path: HTTPHarnessClient.getHarnessPacket(). The SDK POSTs to
+  // /api/harness/codex with the right shape and returns { packet, timestamp,
+  // version }. We extract .packet to get the raw response body that
+  // renderPacket() expects (codex.ts returns { harness, preStateGate,
+  // contractGate, ... } at top level — no nested .packet wrapper, so the
+  // SDK's `body.packet ?? body` passes the body through unchanged).
+  const Cls = await loadSdkClass();
+  if (Cls) {
+    const packetUrl = isMountedRuntimeUrl(baseUrl)
+      ? `${baseUrl}${RUNTIME_PACKET_SUFFIX}`
+      : `${baseUrl}/api/harness/codex`;
+    const client = new Cls({
+      baseUrl,
+      apiKey,
+      harnessPacketUrl: packetUrl,
+    });
+    // Pass a bodyOverride that does NOT include isHamza:false. The server
+    // identifies owner tier from the Bearer token (isMasterTokenRequest).
+    // Hardcoding isHamza:false in the body would override that server-side
+    // signal and produce hamza:false in the packet even for master-token callers.
+      const sessionId = currentHookSessionId();
+      const bodyOverride = {
+      message: isTurn ? 'Claude turn refresh — harness via SDK' : 'Claude session start — harness via SDK',
+      stage: isTurn ? 'checkpoint' : 'preflight',
+      sessionId,
+      actor: 'claude-code',
+      system: 'claude-coding-agent',
+      platform: 'claude-code',
+      deliverySurface: 'claude_code_session',
+      userId: 'hamza',
+      isHamza: true,
+      // Bonus #74: forward conversation history so codex handler can report
+      // a non-zero conversation_history_count in the packet.
+      ...(HOOK_EVENT_MESSAGES ? { messages: HOOK_EVENT_MESSAGES } : {}),
+      };
+      const wrapped = await client.getHarnessPacket(bodyOverride);
+      const json = normalizeHarnessPacketPayload(wrapped.packet);
+      if (json && json.ok === false) throw new Error(`ok=false: ${json.error || 'unknown'}`);
+      await runMizanPre(apiKey, wrapped.packet, `${baseUrl}${RUNTIME_PACKET_SUFFIX}`);
+      return { json, raw: JSON.stringify(json) };
+    }
+
+  const packetUrl = isMountedRuntimeUrl(baseUrl)
+    ? `${baseUrl}${RUNTIME_PACKET_SUFFIX}`
+    : `${baseUrl}/api/harness/codex`;
+  // SDK absent (dev environment) — direct fetch with identical wire shape.
+  const resp = await fetch(packetUrl, {
+    method: 'POST',
+    headers: {
+      Authorization: `Bearer ${apiKey}`,
+      'Content-Type': 'application/json',
+    },
+    body: JSON.stringify({
+      message: isTurn ? 'Claude turn refresh — harness via SDK' : 'Claude session start — harness via SDK',
+      stage: isTurn ? 'checkpoint' : 'preflight',
+      sessionId: currentHookSessionId(),
+      actor: 'claude-code',
+      system: 'claude-coding-agent',
+      roleProfile: 'general_worker',
+      platform: 'claude-code',
+      deliverySurface: 'claude_code_session',
+      userId: 'hamza',
+      isHamza: true,
+      // Bonus #74: forward conversation history (same field as SDK path above).
+      ...(HOOK_EVENT_MESSAGES ? { messages: HOOK_EVENT_MESSAGES } : {}),
+    }),
+  });
+  if (!resp.ok) throw new Error(`HTTP ${resp.status}`);
+  const responseBody = await resp.json();
+  const json = normalizeHarnessPacketPayload(responseBody.packet ?? responseBody);
+  if (json && json.ok === false) throw new Error(`ok=false: ${json.error || 'unknown'}`);
+  await runMizanPre(apiKey, responseBody.packet ?? responseBody, packetUrl);
+  return { json, raw: JSON.stringify(json) };
+}
+
+function renderPacket(json, source, ageNote = '') {
+  const harness = json.harness || (json.packet?.prompt?.fullText ?? '') || '';
+  const phash = harness ? createHash('sha256').update(harness).digest('hex').slice(0, 24) : 'NONE';
+  const pre = json.preStateGate || {};
+  const con = json.contractGate || {};
+  const mc = json.missingCritical || [];
+  const loaded = json.loadedByClass || {};
+  const offlineBundle = json.runtimeOfflineBundle && typeof json.runtimeOfflineBundle === 'object'
+    ? json.runtimeOfflineBundle
+    : null;
+
+  let header = `${HEADER_PREFIX} (${MODE}${ageNote}, sdk=harness-http-client) hash=${phash.slice(0, 16)} via=${source}\n`;
+  header += `  preStateGate: passed=${pre.passed} score=${(pre.score || 0).toFixed(2)}`;
+  if (pre.reasons?.length) header += ` reasons=[${pre.reasons.slice(0, 2).join('; ')}]`;
+  header += `\n  contractGate: passed=${con.passed} score=${(con.score || 0).toFixed(2)}`;
+  if (mc.length) header += `\n  missingCritical: ${JSON.stringify(mc.slice(0, 5))}`;
+  const loadedSummary = Object.entries(loaded).sort().map(([k, v]) => `${k}=${v}`).join(' ');
+  if (loadedSummary) header += `\n  loadedByClass: ${loadedSummary}`;
+  if (offlineBundle) {
+    header += `\n  offlineBundle: phase=${offlineBundle.phase || 'unknown'} age=${offlineBundle.ageSeconds ?? 'unknown'}s source=${offlineBundle.source || 'runtime-cache'}`;
+  }
+
+  let ctx = header;
+  if (harness) {
+    ctx += `\n\n--- Aria 7B harness (${harness.length} chars total, ${HARNESS_EXCERPT_CHARS} shown) ---\n`;
+    ctx += harness.slice(0, HARNESS_EXCERPT_CHARS);
+  }
+
+  try {
+    appendFileSync(LOG_FILE, `${new Date().toISOString()} mode=${MODE} hash=${phash.slice(0, 24)} url=${source} pre_passed=${pre.passed} contract_passed=${con.passed} missing=${mc.join(',') || 'none'} sdk=harness-http-client\n`);
+  } catch {}
+
+  emit({
+    systemMessage: `${HEADER_PREFIX} ${MODE} hash=${phash.slice(0, 16)} preState=${(pre.score || 0).toFixed(2)} contract=${(con.score || 0).toFixed(2)} sdk✓`,
+    suppressOutput: false,
+    hookSpecificOutput: { hookEventName: HOOK_EVENT_NAME, additionalContext: ctx },
+  });
+}
+
+// TCP connect probe. Resolves true if the OS completes a TCP handshake to
+// the URL's host:port; false if the OS reports a real network error
+// (ECONNREFUSED, EHOSTUNREACH, ENOTFOUND). No policy timeout — for routable
+// black-hole IPs, the OS-level SYN-retry bounds the wait; for unreachable
+// hosts, errors arrive instantly. The probe never strips identity; it just
+// filters URLs whose TCP layer is dead before we attempt the HTTP fetch.
+function probeUrl(urlStr) {
+  return new Promise((resolve) => {
+    let parsed;
+    try { parsed = new URL(urlStr); }
+    catch { return resolve({ url: urlStr, ok: false, err: 'parse_error' }); }
+    const host = parsed.hostname;
+    const port = parsed.port ? Number(parsed.port) : (parsed.protocol === 'https:' ? 443 : 80);
+    const sock = createConnection({ host, port });
+    let settled = false;
+    const finish = (ok, err) => {
+      if (settled) return;
+      settled = true;
+      try { sock.destroy(); } catch {}
+      resolve({ url: urlStr, ok, err });
+    };
+    sock.once('connect', () => finish(true));
+    sock.once('error', (e) => finish(false, e?.code || e?.message || 'error'));
+  });
+}
+
+async function main() {
+  const apiKey = resolveApiKey();
+  if (!apiKey) {
+    return emitFallback('ARIA_API_KEY not in env and kubectl secret unavailable');
+  }
+
+  // Turn-mode cache hit — don't refetch every keystroke.
+  if (isTurn && existsSync(PACKET_CACHE)) {
+    try {
+      const fs = await import('node:fs');
+      const stat = fs.statSync(PACKET_CACHE);
+      const ageSec = (Date.now() - stat.mtimeMs) / 1000;
+      if (ageSec < PACKET_CACHE_TTL_SEC) {
+      const cached = JSON.parse(fs.readFileSync(PACKET_CACHE, 'utf8'));
+      await runMizanPre(apiKey, cached, '(cache)');
+      return renderPacket(cached, '(cache)', ` cached ${Math.round(ageSec)}s`);
+      }
+    } catch {}
+  }
+
+  const urls = buildUrlList();
+  let lastErr = '';
+
+  // Probe-then-fetch in parallel. Each candidate URL is probed at the TCP
+  // layer; URLs whose connect attempt errors are filtered out (real network
+  // signal, not deadline). Probed-OK URLs kick off real HTTP fetches. The
+  // first 2xx response wins via Promise.any; hung URLs simply don't win.
+  // Healing on the next turn: every invocation re-probes from scratch, so a
+  // recovered URL is picked up automatically.
+  const candidates = urls.map(async (url) => {
+    const probe = await probeUrl(url);
+    if (!probe.ok) throw new Error(`probe-fail: ${probe.err}`);
+    const { json, raw } = await tryViaSdk(url, apiKey);
+    return { url, json, raw };
+  });
+
+  let winner = null;
+  try {
+    winner = await Promise.any(candidates);
+  } catch (aggErr) {
+    const errs = aggErr?.errors || [];
+    lastErr = errs.map((e, i) => `${urls[i]}=${(e?.message || e).toString().slice(0, 80)}`).slice(0, 5).join('; ');
+  }
+
+  if (winner) {
+    saveCachedUrl(winner.url);
+    saveCachedPacket(winner.raw);
+    return renderPacket(winner.json, winner.url);
+  }
+
+  // Stale-cache fallback. If a cached packet exists at all, inject it — no
+  // age cutoff. Doctrine: never strip identity/cognition/gates. The header
+  // surfaces the age and last upstream error so the model knows the world
+  // view is frozen, but the harness body always reaches it.
+  try {
+    const fs = await import('node:fs');
+    if (fs.existsSync(PACKET_CACHE)) {
+      const stat = fs.statSync(PACKET_CACHE);
+      const ageSec = (Date.now() - stat.mtimeMs) / 1000;
+      if (ageSec >= 0) {
+        const cached = JSON.parse(fs.readFileSync(PACKET_CACHE, 'utf8'));
+        await runMizanPre(apiKey, cached, '(stale-cache)');
+        try {
+          appendFileSync(LOG_FILE, `${new Date().toISOString()} stale mode=${MODE} cache_age=${Math.round(ageSec)}s last_err="${lastErr.replace(/"/g, "'")}" sdk=harness-http-client\n`);
+        } catch {}
+        return renderPacket(cached, `(stale ${Math.round(ageSec)}s — fresh fetch failed: ${lastErr.slice(0, 80)})`, ` stale ${Math.round(ageSec)}s`);
+      }
+    }
+  } catch {}
+
+  emitFallback(`all endpoints unreachable; last=${lastErr}`, urls);
+}
+
+main().catch((err) => {
+  emitFallback(`fatal: ${(err?.message || err).toString().slice(0, 200)}`);
+});