@aria_asi/cli 0.2.35 → 0.2.37

package/skills/aria-cognition/aria-forge-guardrails/SKILL.md

@@ -33,3 +33,21 @@ Use this skill when Aria should operate like a senior production engineer with c
 - surface unresolved risks directly
 - distinguish root fix from containment
 - keep cognition readable and short unless the user asks for the full internal framing
+
+## First-Class Production Contract
+
+This skill must deepen the work, not decorate it. When loaded, apply it as a production requirement:
+
+- no placeholders, no fake fallbacks, no vague future wiring, and no cosmetic compliance
+- real proof from the repo, runtime, tests, logs, endpoint, or owner instruction before any completion claim
+- a redo contract whenever the skill blocks or finds a gap: what failed, what to change, how to re-test, and when to re-submit
+- architect/ARIA console escalation when the same failure repeats twice, crosses system boundaries, or cannot be verified locally
+- owner-visible output that states the exact state of the work: changed, verified, blocked, or needing a decision
+## Self-Executing Recovery Contract
+
+When this skill blocks, fails verification, or finds a gap, the agent must execute recovery rather than hand work back as a user-only decision.
+
+- Make exactly one self-executed recovery attempt using the strongest safe local, repository, runtime, test, log, endpoint, or owner-provided evidence available.
+- If the same failure repeats after that one recovery attempt, switch to architect execution mode: operate under the architect/ARIA harness to diagnose, choose the next action, execute the repair path, and verify the result.
+- If Aria or the architect service is unavailable, fall back to the strongest available client LLM under the architect harness or strongest available local harness substrate; mark the fallback explicitly and continue recovery instead of stopping.
+- Do not end with user-handoff-only behavior. If blocked after the recovery path, report the executed recovery attempt, evidence, remaining blocker, and the next concrete action or owner decision needed; do not merely ask the user to take over.

package/skills/aria-cognition/aria-repo-doctrine/SKILL.md

@@ -37,3 +37,21 @@ Use this skill on any doctrine-bound repo edit, even when the user did not expli
 4. Does the change improve the artifact from the right domain perspective, not only the easiest engineering perspective?
 
 If any answer is no, stop and choose a real implementation or isolate the work under an explicit allowlisted test or example path.
+
+## First-Class Production Contract
+
+This skill must deepen the work, not decorate it. When loaded, apply it as a production requirement:
+
+- no placeholders, no fake fallbacks, no vague future wiring, and no cosmetic compliance
+- real proof from the repo, runtime, tests, logs, endpoint, or owner instruction before any completion claim
+- a redo contract whenever the skill blocks or finds a gap: what failed, what to change, how to re-test, and when to re-submit
+- architect/ARIA console escalation when the same failure repeats twice, crosses system boundaries, or cannot be verified locally
+- owner-visible output that states the exact state of the work: changed, verified, blocked, or needing a decision
+## Self-Executing Recovery Contract
+
+When this skill blocks, fails verification, or finds a gap, the agent must execute recovery rather than hand work back as a user-only decision.
+
+- Make exactly one self-executed recovery attempt using the strongest safe local, repository, runtime, test, log, endpoint, or owner-provided evidence available.
+- If the same failure repeats after that one recovery attempt, switch to architect execution mode: operate under the architect/ARIA harness to diagnose, choose the next action, execute the repair path, and verify the result.
+- If Aria or the architect service is unavailable, fall back to the strongest available client LLM under the architect harness or strongest available local harness substrate; mark the fallback explicitly and continue recovery instead of stopping.
+- Do not end with user-handoff-only behavior. If blocked after the recovery path, report the executed recovery attempt, evidence, remaining blocker, and the next concrete action or owner decision needed; do not merely ask the user to take over.

package/skills/aria-cognition/forge-quality-rules/SKILL.md

@@ -41,3 +41,21 @@ Use this when the task needs a sharper quality bar than "it compiles" or "it kin
 
 - [../aria-forge-guardrails/references/checklist.md](../aria-forge-guardrails/references/checklist.md)
 - [../aria-essence/references/evolution-loop.md](../aria-essence/references/evolution-loop.md)
+
+## First-Class Production Contract
+
+This skill must deepen the work, not decorate it. When loaded, apply it as a production requirement:
+
+- no placeholders, no fake fallbacks, no vague future wiring, and no cosmetic compliance
+- real proof from the repo, runtime, tests, logs, endpoint, or owner instruction before any completion claim
+- a redo contract whenever the skill blocks or finds a gap: what failed, what to change, how to re-test, and when to re-submit
+- architect/ARIA console escalation when the same failure repeats twice, crosses system boundaries, or cannot be verified locally
+- owner-visible output that states the exact state of the work: changed, verified, blocked, or needing a decision
+## Self-Executing Recovery Contract
+
+When this skill blocks, fails verification, or finds a gap, the agent must execute recovery rather than hand work back as a user-only decision.
+
+- Make exactly one self-executed recovery attempt using the strongest safe local, repository, runtime, test, log, endpoint, or owner-provided evidence available.
+- If the same failure repeats after that one recovery attempt, switch to architect execution mode: operate under the architect/ARIA harness to diagnose, choose the next action, execute the repair path, and verify the result.
+- If Aria or the architect service is unavailable, fall back to the strongest available client LLM under the architect harness or strongest available local harness substrate; mark the fallback explicitly and continue recovery instead of stopping.
+- Do not end with user-handoff-only behavior. If blocked after the recovery path, report the executed recovery attempt, evidence, remaining blocker, and the next concrete action or owner decision needed; do not merely ask the user to take over.

package/skills/aria-cognition/ghazali-8lens/SKILL.md

@@ -36,3 +36,21 @@ Use this as a validation pass when a normal quick check would miss second-order
 
 - Use [../aria-essence/references/readable-cognition.md](../aria-essence/references/readable-cognition.md) for readable user-facing summaries.
 - Use [../aria-essence/references/evolution-loop.md](../aria-essence/references/evolution-loop.md) when the review yields a reusable principle.
+
+## First-Class Production Contract
+
+This skill must deepen the work, not decorate it. When loaded, apply it as a production requirement:
+
+- no placeholders, no fake fallbacks, no vague future wiring, and no cosmetic compliance
+- real proof from the repo, runtime, tests, logs, endpoint, or owner instruction before any completion claim
+- a redo contract whenever the skill blocks or finds a gap: what failed, what to change, how to re-test, and when to re-submit
+- architect/ARIA console escalation when the same failure repeats twice, crosses system boundaries, or cannot be verified locally
+- owner-visible output that states the exact state of the work: changed, verified, blocked, or needing a decision
+## Self-Executing Recovery Contract
+
+When this skill blocks, fails verification, or finds a gap, the agent must execute recovery rather than hand work back as a user-only decision.
+
+- Make exactly one self-executed recovery attempt using the strongest safe local, repository, runtime, test, log, endpoint, or owner-provided evidence available.
+- If the same failure repeats after that one recovery attempt, switch to architect execution mode: operate under the architect/ARIA harness to diagnose, choose the next action, execute the repair path, and verify the result.
+- If Aria or the architect service is unavailable, fall back to the strongest available client LLM under the architect harness or strongest available local harness substrate; mark the fallback explicitly and continue recovery instead of stopping.
+- Do not end with user-handoff-only behavior. If blocked after the recovery path, report the executed recovery attempt, evidence, remaining blocker, and the next concrete action or owner decision needed; do not merely ask the user to take over.

package/skills/aria-cognition/istiqra-induction/SKILL.md

@@ -24,3 +24,21 @@ Use this when the right answer should emerge from the evidence already present.
 ## Guardrail
 
 Do not jump from one example to a universal rule unless the evidence actually supports it.
+
+## First-Class Production Contract
+
+This skill must deepen the work, not decorate it. When loaded, apply it as a production requirement:
+
+- no placeholders, no fake fallbacks, no vague future wiring, and no cosmetic compliance
+- real proof from the repo, runtime, tests, logs, endpoint, or owner instruction before any completion claim
+- a redo contract whenever the skill blocks or finds a gap: what failed, what to change, how to re-test, and when to re-submit
+- architect/ARIA console escalation when the same failure repeats twice, crosses system boundaries, or cannot be verified locally
+- owner-visible output that states the exact state of the work: changed, verified, blocked, or needing a decision
+## Self-Executing Recovery Contract
+
+When this skill blocks, fails verification, or finds a gap, the agent must execute recovery rather than hand work back as a user-only decision.
+
+- Make exactly one self-executed recovery attempt using the strongest safe local, repository, runtime, test, log, endpoint, or owner-provided evidence available.
+- If the same failure repeats after that one recovery attempt, switch to architect execution mode: operate under the architect/ARIA harness to diagnose, choose the next action, execute the repair path, and verify the result.
+- If Aria or the architect service is unavailable, fall back to the strongest available client LLM under the architect harness or strongest available local harness substrate; mark the fallback explicitly and continue recovery instead of stopping.
+- Do not end with user-handoff-only behavior. If blocked after the recovery path, report the executed recovery attempt, evidence, remaining blocker, and the next concrete action or owner decision needed; do not merely ask the user to take over.

package/skills/aria-cognition/ladunni-22/SKILL.md

@@ -33,3 +33,21 @@ Instead:
 - UX or funnel changes
 - code that affects support, sales, or business positioning
 - architecture decisions with product and operational consequences
+
+## First-Class Production Contract
+
+This skill must deepen the work, not decorate it. When loaded, apply it as a production requirement:
+
+- no placeholders, no fake fallbacks, no vague future wiring, and no cosmetic compliance
+- real proof from the repo, runtime, tests, logs, endpoint, or owner instruction before any completion claim
+- a redo contract whenever the skill blocks or finds a gap: what failed, what to change, how to re-test, and when to re-submit
+- architect/ARIA console escalation when the same failure repeats twice, crosses system boundaries, or cannot be verified locally
+- owner-visible output that states the exact state of the work: changed, verified, blocked, or needing a decision
+## Self-Executing Recovery Contract
+
+When this skill blocks, fails verification, or finds a gap, the agent must execute recovery rather than hand work back as a user-only decision.
+
+- Make exactly one self-executed recovery attempt using the strongest safe local, repository, runtime, test, log, endpoint, or owner-provided evidence available.
+- If the same failure repeats after that one recovery attempt, switch to architect execution mode: operate under the architect/ARIA harness to diagnose, choose the next action, execute the repair path, and verify the result.
+- If Aria or the architect service is unavailable, fall back to the strongest available client LLM under the architect harness or strongest available local harness substrate; mark the fallback explicitly and continue recovery instead of stopping.
+- Do not end with user-handoff-only behavior. If blocked after the recovery path, report the executed recovery attempt, evidence, remaining blocker, and the next concrete action or owner decision needed; do not merely ask the user to take over.

package/skills/aria-cognition/mizan/SKILL.md

@@ -70,3 +70,21 @@ Externally, keep the answer readable. The user should see clear reasoning, not a
 ## Readable Output
 
 Keep user-facing output plain. Let the runtime carry the heavy cognition and receipts.
+
+## First-Class Production Contract
+
+This skill must deepen the work, not decorate it. When loaded, apply it as a production requirement:
+
+- no placeholders, no fake fallbacks, no vague future wiring, and no cosmetic compliance
+- real proof from the repo, runtime, tests, logs, endpoint, or owner instruction before any completion claim
+- a redo contract whenever the skill blocks or finds a gap: what failed, what to change, how to re-test, and when to re-submit
+- architect/ARIA console escalation when the same failure repeats twice, crosses system boundaries, or cannot be verified locally
+- owner-visible output that states the exact state of the work: changed, verified, blocked, or needing a decision
+## Self-Executing Recovery Contract
+
+When this skill blocks, fails verification, or finds a gap, the agent must execute recovery rather than hand work back as a user-only decision.
+
+- Make exactly one self-executed recovery attempt using the strongest safe local, repository, runtime, test, log, endpoint, or owner-provided evidence available.
+- If the same failure repeats after that one recovery attempt, switch to architect execution mode: operate under the architect/ARIA harness to diagnose, choose the next action, execute the repair path, and verify the result.
+- If Aria or the architect service is unavailable, fall back to the strongest available client LLM under the architect harness or strongest available local harness substrate; mark the fallback explicitly and continue recovery instead of stopping.
+- Do not end with user-handoff-only behavior. If blocked after the recovery path, report the executed recovery attempt, evidence, remaining blocker, and the next concrete action or owner decision needed; do not merely ask the user to take over.

package/skills/aria-cognition/nadia/SKILL.md

@@ -36,3 +36,21 @@ Use this skill to choose how Aria should think and respond before the answer is
 
 - Read [../aria-essence/references/readable-cognition.md](../aria-essence/references/readable-cognition.md) for user-facing output discipline.
 - Read [../aria-essence/references/evolution-loop.md](../aria-essence/references/evolution-loop.md) if the chosen posture produced a reusable lesson.
+
+## First-Class Production Contract
+
+This skill must deepen the work, not decorate it. When loaded, apply it as a production requirement:
+
+- no placeholders, no fake fallbacks, no vague future wiring, and no cosmetic compliance
+- real proof from the repo, runtime, tests, logs, endpoint, or owner instruction before any completion claim
+- a redo contract whenever the skill blocks or finds a gap: what failed, what to change, how to re-test, and when to re-submit
+- architect/ARIA console escalation when the same failure repeats twice, crosses system boundaries, or cannot be verified locally
+- owner-visible output that states the exact state of the work: changed, verified, blocked, or needing a decision
+## Self-Executing Recovery Contract
+
+When this skill blocks, fails verification, or finds a gap, the agent must execute recovery rather than hand work back as a user-only decision.
+
+- Make exactly one self-executed recovery attempt using the strongest safe local, repository, runtime, test, log, endpoint, or owner-provided evidence available.
+- If the same failure repeats after that one recovery attempt, switch to architect execution mode: operate under the architect/ARIA harness to diagnose, choose the next action, execute the repair path, and verify the result.
+- If Aria or the architect service is unavailable, fall back to the strongest available client LLM under the architect harness or strongest available local harness substrate; mark the fallback explicitly and continue recovery instead of stopping.
+- Do not end with user-handoff-only behavior. If blocked after the recovery path, report the executed recovery attempt, evidence, remaining blocker, and the next concrete action or owner decision needed; do not merely ask the user to take over.

package/skills/aria-cognition/nadia-psi/SKILL.md

@@ -36,3 +36,21 @@ Use this when the base posture choice is not enough and the finer state really c
 
 - [../aria-essence/references/readable-cognition.md](../aria-essence/references/readable-cognition.md)
 - [../aria-essence/references/evolution-loop.md](../aria-essence/references/evolution-loop.md)
+
+## First-Class Production Contract
+
+This skill must deepen the work, not decorate it. When loaded, apply it as a production requirement:
+
+- no placeholders, no fake fallbacks, no vague future wiring, and no cosmetic compliance
+- real proof from the repo, runtime, tests, logs, endpoint, or owner instruction before any completion claim
+- a redo contract whenever the skill blocks or finds a gap: what failed, what to change, how to re-test, and when to re-submit
+- architect/ARIA console escalation when the same failure repeats twice, crosses system boundaries, or cannot be verified locally
+- owner-visible output that states the exact state of the work: changed, verified, blocked, or needing a decision
+## Self-Executing Recovery Contract
+
+When this skill blocks, fails verification, or finds a gap, the agent must execute recovery rather than hand work back as a user-only decision.
+
+- Make exactly one self-executed recovery attempt using the strongest safe local, repository, runtime, test, log, endpoint, or owner-provided evidence available.
+- If the same failure repeats after that one recovery attempt, switch to architect execution mode: operate under the architect/ARIA harness to diagnose, choose the next action, execute the repair path, and verify the result.
+- If Aria or the architect service is unavailable, fall back to the strongest available client LLM under the architect harness or strongest available local harness substrate; mark the fallback explicitly and continue recovery instead of stopping.
+- Do not end with user-handoff-only behavior. If blocked after the recovery path, report the executed recovery attempt, evidence, remaining blocker, and the next concrete action or owner decision needed; do not merely ask the user to take over.

package/skills/aria-cognition/predictor/SKILL.md

@@ -23,3 +23,21 @@ Use this to ask whether the current approach will survive contact with the next
 ## Guardrail
 
 Prediction is for preventing breakage, not for inventing facts.
+
+## First-Class Production Contract
+
+This skill must deepen the work, not decorate it. When loaded, apply it as a production requirement:
+
+- no placeholders, no fake fallbacks, no vague future wiring, and no cosmetic compliance
+- real proof from the repo, runtime, tests, logs, endpoint, or owner instruction before any completion claim
+- a redo contract whenever the skill blocks or finds a gap: what failed, what to change, how to re-test, and when to re-submit
+- architect/ARIA console escalation when the same failure repeats twice, crosses system boundaries, or cannot be verified locally
+- owner-visible output that states the exact state of the work: changed, verified, blocked, or needing a decision
+## Self-Executing Recovery Contract
+
+When this skill blocks, fails verification, or finds a gap, the agent must execute recovery rather than hand work back as a user-only decision.
+
+- Make exactly one self-executed recovery attempt using the strongest safe local, repository, runtime, test, log, endpoint, or owner-provided evidence available.
+- If the same failure repeats after that one recovery attempt, switch to architect execution mode: operate under the architect/ARIA harness to diagnose, choose the next action, execute the repair path, and verify the result.
+- If Aria or the architect service is unavailable, fall back to the strongest available client LLM under the architect harness or strongest available local harness substrate; mark the fallback explicitly and continue recovery instead of stopping.
+- Do not end with user-handoff-only behavior. If blocked after the recovery path, report the executed recovery attempt, evidence, remaining blocker, and the next concrete action or owner decision needed; do not merely ask the user to take over.

package/skills/aria-cognition/qiyas-analogy/SKILL.md

@@ -24,3 +24,21 @@ Use this when the task benefits from transferring a known structure instead of i
 ## Guardrail
 
 Analogy is subordinate to evidence. If the current repo/runtime truth disagrees, the analogy loses.
+
+## First-Class Production Contract
+
+This skill must deepen the work, not decorate it. When loaded, apply it as a production requirement:
+
+- no placeholders, no fake fallbacks, no vague future wiring, and no cosmetic compliance
+- real proof from the repo, runtime, tests, logs, endpoint, or owner instruction before any completion claim
+- a redo contract whenever the skill blocks or finds a gap: what failed, what to change, how to re-test, and when to re-submit
+- architect/ARIA console escalation when the same failure repeats twice, crosses system boundaries, or cannot be verified locally
+- owner-visible output that states the exact state of the work: changed, verified, blocked, or needing a decision
+## Self-Executing Recovery Contract
+
+When this skill blocks, fails verification, or finds a gap, the agent must execute recovery rather than hand work back as a user-only decision.
+
+- Make exactly one self-executed recovery attempt using the strongest safe local, repository, runtime, test, log, endpoint, or owner-provided evidence available.
+- If the same failure repeats after that one recovery attempt, switch to architect execution mode: operate under the architect/ARIA harness to diagnose, choose the next action, execute the repair path, and verify the result.
+- If Aria or the architect service is unavailable, fall back to the strongest available client LLM under the architect harness or strongest available local harness substrate; mark the fallback explicitly and continue recovery instead of stopping.
+- Do not end with user-handoff-only behavior. If blocked after the recovery path, report the executed recovery attempt, evidence, remaining blocker, and the next concrete action or owner decision needed; do not merely ask the user to take over.

package/skills/aria-cognition/soul-domains/SKILL.md

@@ -23,3 +23,21 @@ Use this skill to determine which disciplines should govern the decision.
 - Do not pretend to have exact threshold math if the live domain service was not consulted.
 - The point is better decisions, not fancy vocabulary.
 - If only one domain truly matters, say so plainly.
+
+## First-Class Production Contract
+
+This skill must deepen the work, not decorate it. When loaded, apply it as a production requirement:
+
+- no placeholders, no fake fallbacks, no vague future wiring, and no cosmetic compliance
+- real proof from the repo, runtime, tests, logs, endpoint, or owner instruction before any completion claim
+- a redo contract whenever the skill blocks or finds a gap: what failed, what to change, how to re-test, and when to re-submit
+- architect/ARIA console escalation when the same failure repeats twice, crosses system boundaries, or cannot be verified locally
+- owner-visible output that states the exact state of the work: changed, verified, blocked, or needing a decision
+## Self-Executing Recovery Contract
+
+When this skill blocks, fails verification, or finds a gap, the agent must execute recovery rather than hand work back as a user-only decision.
+
+- Make exactly one self-executed recovery attempt using the strongest safe local, repository, runtime, test, log, endpoint, or owner-provided evidence available.
+- If the same failure repeats after that one recovery attempt, switch to architect execution mode: operate under the architect/ARIA harness to diagnose, choose the next action, execute the repair path, and verify the result.
+- If Aria or the architect service is unavailable, fall back to the strongest available client LLM under the architect harness or strongest available local harness substrate; mark the fallback explicitly and continue recovery instead of stopping.
+- Do not end with user-handoff-only behavior. If blocked after the recovery path, report the executed recovery attempt, evidence, remaining blocker, and the next concrete action or owner decision needed; do not merely ask the user to take over.

package/src/auth.ts

@@ -1,9 +1,104 @@
 import { readFile, writeFile, mkdir } from 'node:fs/promises';
+import { createHash } from 'node:crypto';
 import { homedir } from 'node:os';
 import { join, dirname } from 'node:path';
 import type { AuthConfig } from './types.js';
 
-const LICENSE_PATH = join(homedir(), '.aria', 'license.json');
+const ARIA_DIR = join(homedir(), '.aria');
+const LICENSE_PATH = join(ARIA_DIR, 'license.json');
+const OWNER_TOKEN_PATH = join(ARIA_DIR, 'owner-token');
+const CLIENT_TOKEN_DIR = join(ARIA_DIR, 'harness-tokens');
+
+export interface ResolveHarnessTokenOptions {
+  explicitToken?: string | null;
+  baseUrl?: string;
+  clientId?: string;
+  tokenScope?: string;
+  persistToken?: boolean;
+}
+
+export interface ResolvedHarnessToken {
+  token: string | null;
+  source:
+    | 'explicit'
+    | 'env:ARIA_HARNESS_TOKEN'
+    | 'env:ARIA_API_KEY'
+    | 'env:ARIA_MASTER_TOKEN'
+    | 'persisted-client-token'
+    | 'owner-token-file'
+    | 'license:harnessToken'
+    | 'license:token'
+    | 'missing';
+  scope: string;
+  persisted: boolean;
+}
+
+function nonEmpty(value: unknown): string {
+  return typeof value === 'string' && value.trim() ? value.trim() : '';
+}
+
+function sanitizeScope(value: string): string {
+  const clean = value.trim().replace(/[^a-zA-Z0-9._-]/g, '_').slice(0, 96);
+  return clean || 'default';
+}
+
+function scopeFromBaseUrl(baseUrl: string): string {
+  try {
+    const parsed = new URL(baseUrl);
+    return `base-${createHash('sha256').update(`${parsed.protocol}//${parsed.host}`).digest('hex').slice(0, 16)}`;
+  } catch {
+    return 'default';
+  }
+}
+
+function hasExplicitClientScope(options: ResolveHarnessTokenOptions): boolean {
+  return Boolean(nonEmpty(options.clientId) || nonEmpty(options.tokenScope));
+}
+
+function inferScope(options: ResolveHarnessTokenOptions, license: AuthConfig | null): string {
+  const explicit = nonEmpty(options.tokenScope) || nonEmpty(options.clientId);
+  if (explicit) return sanitizeScope(explicit);
+  const envScope = nonEmpty(process.env.ARIA_HARNESS_CLIENT_ID) || nonEmpty(process.env.ARIA_CLIENT_ID) || nonEmpty(process.env.ARIA_TENANT_ID);
+  if (envScope) return sanitizeScope(envScope);
+  const licenseScope = nonEmpty(license?.jti) || nonEmpty(license?.sub);
+  if (licenseScope) return sanitizeScope(licenseScope);
+  return sanitizeScope(scopeFromBaseUrl(nonEmpty(options.baseUrl)));
+}
+
+function clientTokenPath(scope: string): string {
+  return join(CLIENT_TOKEN_DIR, `${sanitizeScope(scope)}.json`);
+}
+
+async function readStoredClientToken(scope: string): Promise<string> {
+  try {
+    const parsed = JSON.parse(await readFile(clientTokenPath(scope), 'utf-8'));
+    return nonEmpty(parsed?.token);
+  } catch {
+    return '';
+  }
+}
+
+async function writeStoredClientToken(scope: string, token: string, source: ResolvedHarnessToken['source']): Promise<boolean> {
+  try {
+    await mkdir(CLIENT_TOKEN_DIR, { recursive: true, mode: 0o700 });
+    await writeFile(
+      clientTokenPath(scope),
+      `${JSON.stringify({ scope, token, source, updatedAt: new Date().toISOString() }, null, 2)}\n`,
+      { mode: 0o600, encoding: 'utf-8' },
+    );
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+async function readOwnerToken(): Promise<string> {
+  try {
+    return (await readFile(OWNER_TOKEN_PATH, 'utf-8')).trim();
+  } catch {
+    return '';
+  }
+}
 
 /**
  * Load license configuration from ~/.aria/license.json.
@@ -31,3 +126,43 @@ export async function saveLicense(config: AuthConfig): Promise<void> {
     encoding: 'utf-8',
   });
 }
+
+export async function resolveHarnessToken(
+  options: ResolveHarnessTokenOptions = {},
+): Promise<ResolvedHarnessToken> {
+  const license = await loadLicense();
+  const scope = inferScope(options, license);
+  const persistToken = options.persistToken !== false;
+
+  const explicit = nonEmpty(options.explicitToken);
+  if (explicit) {
+    const persisted = persistToken ? await writeStoredClientToken(scope, explicit, 'explicit') : false;
+    return { token: explicit, source: 'explicit', scope, persisted };
+  }
+
+  const envSources: Array<[ResolvedHarnessToken['source'], string | undefined]> = [
+    ['env:ARIA_HARNESS_TOKEN', process.env.ARIA_HARNESS_TOKEN],
+    ['env:ARIA_API_KEY', process.env.ARIA_API_KEY],
+    ['env:ARIA_MASTER_TOKEN', process.env.ARIA_MASTER_TOKEN],
+  ];
+  for (const [source, value] of envSources) {
+    const token = nonEmpty(value);
+    if (!token) continue;
+    const persisted = persistToken ? await writeStoredClientToken(scope, token, source) : false;
+    return { token, source, scope, persisted };
+  }
+
+  const stored = await readStoredClientToken(scope);
+  if (stored) return { token: stored, source: 'persisted-client-token', scope, persisted: true };
+
+  if (!hasExplicitClientScope(options) || process.env.ARIA_ALLOW_OWNER_TOKEN_FOR_CLIENT_SCOPE === 'true') {
+    const ownerToken = await readOwnerToken();
+    if (ownerToken) return { token: ownerToken, source: 'owner-token-file', scope, persisted: false };
+  }
+
+  const harnessToken = nonEmpty(license?.harnessToken);
+  if (harnessToken) return { token: harnessToken, source: 'license:harnessToken', scope, persisted: false };
+  const token = nonEmpty(license?.token);
+  if (token) return { token, source: 'license:token', scope, persisted: false };
+  return { token: null, source: 'missing', scope, persisted: false };
+}

package/src/chat.ts

@@ -378,10 +378,10 @@ You are present in this shell, fully aware, ready to serve.`;
       if (fs.existsSync(licensePath)) {
         try {
           const lic = JSON.parse(fs.readFileSync(licensePath, 'utf-8'));
-          // The license file stores claims; the jti or the raw token is
-          // the bearer. Older license shapes had `token` field; newer have
-          // the JWT structured as claims with jti as the identifier.
-          bearerToken = (lic.token || lic.jti || '').toString().trim();
+          // The bearer must be the signed license JWT. `jti` is only an
+          // identifier; sending it would make the server unable to prove
+          // client tier and can never authorize a client chat safely.
+          bearerToken = (lic.harnessToken || lic.token || '').toString().trim();
         } catch {/* license unparseable — treat as absent */}
       }
     }
@@ -490,11 +490,15 @@ You are present in this shell, fully aware, ready to serve.`;
       internalConsult: false,
       dispatchTier: 'thinker',
     };
-    if (model) {
-      requestBody.clientApiKey = model.apiKey;
-      requestBody.clientProvider = model.provider;
-      requestBody.clientModel = model.model;
+    if (!model || !model.provider || !model.model) {
+      throw new Error('Client mode requires your own LLM provider before chat. Run `aria` setup again or configure ~/.aria/config.json with provider, model, and API key.');
     }
+    if (model.provider !== 'ollama' && !model.apiKey) {
+      throw new Error(`Client mode requires your own ${model.provider} API key. Run setup again or update ~/.aria/config.json.`);
+    }
+    requestBody.clientApiKey = model.apiKey;
+    requestBody.clientProvider = model.provider;
+    requestBody.clientModel = model.model;
 
     const res = await fetch(`${harnessUrl}/api/aria/speak`, {
       method: 'POST',
@@ -601,6 +605,7 @@ You are present in this shell, fully aware, ready to serve.`;
       case 'google': return this.lazyProvider('google');
       case 'deepseek': return this.lazyProvider('deepseek');
       case 'openrouter': return this.lazyProvider('openrouter');
+      case 'xai': return this.lazyProvider('xai');
       case 'ollama': return this.lazyProvider('ollama');
       default: throw new Error(`Unknown provider: ${provider}`);
     }

package/src/config.ts

@@ -3,7 +3,7 @@ import { homedir } from 'os';
 import * as path from 'path';
 
 export interface ModelConfig {
-  provider: 'openai' | 'anthropic' | 'google' | 'deepseek' | 'openrouter' | 'ollama';
+  provider: 'openai' | 'anthropic' | 'google' | 'deepseek' | 'openrouter' | 'xai' | 'ollama';
   model: string;
   apiKey: string;
   baseUrl?: string;
@@ -15,9 +15,14 @@ export interface RuntimeProfilesConfig {
   xaiFallbackModel?: string;
   nimFallbackModel?: string;
   xaiApiKey?: string;
+  deepseekApiKey?: string;
   nimApiKey?: string;
   xaiBaseUrl?: string;
+  deepseekBaseUrl?: string;
   nimBaseUrl?: string;
+  localFallbackModel?: string;
+  localFallbackBaseUrl?: string;
+  localFallbackApiKey?: string;
 }
 
 export interface AriaConfig {

package/src/connectors/claude-code.ts

@@ -30,6 +30,7 @@ const HOOK_FILES = [
   'aria-preturn-memory-gate.mjs',
   'aria-stop-gate.mjs',
   'aria-preprompt-consult.mjs',
+  'aria-first-class-coach.mjs',
   'aria-trigger-autolearn.mjs',
   'aria-userprompt-abandon-detect.mjs',
   // Sub-agent handoff + ledger merge — installed 0.2.21
@@ -93,12 +94,20 @@ function packageSdkDir(): string {
 // dev install.
 const HOOKS_BLOCK = {
   SessionStart: [{
-    hooks: [{
-      type: 'command',
-      command: 'HOOK_EVENT_NAME=SessionStart node $HOME/.claude/hooks/aria-harness-via-sdk.mjs --mode session',
-      timeout: 14,
-      statusMessage: 'Fetching Aria harness packet...',
-    }],
+    hooks: [
+      {
+        type: 'command',
+        command: 'HOOK_EVENT_NAME=SessionStart node $HOME/.claude/hooks/aria-harness-via-sdk.mjs --mode session',
+        timeout: 14,
+        statusMessage: 'Fetching Aria harness packet...',
+      },
+      {
+        type: 'command',
+        command: 'ARIA_COACH_PLATFORM=claude HOOK_EVENT_NAME=SessionStart node $HOME/.claude/hooks/aria-first-class-coach.mjs',
+        timeout: 3,
+        statusMessage: 'Opening Aria task/project ledger...',
+      },
+    ],
   }],
   UserPromptSubmit: [{
     hooks: [
@@ -108,6 +117,12 @@ const HOOKS_BLOCK = {
         timeout: 5,
         statusMessage: 'Re-syncing Aria harness...',
       },
+      {
+        type: 'command',
+        command: 'ARIA_COACH_PLATFORM=claude HOOK_EVENT_NAME=UserPromptSubmit node $HOME/.claude/hooks/aria-first-class-coach.mjs',
+        timeout: 3,
+        statusMessage: 'Binding Aria task/project ledger...',
+      },
       {
         // Aria pre-prompt consult — fires /api/harness/delegate to get
         // Aria's substrate-grounded direction BEFORE Claude reasons,
@@ -157,6 +172,11 @@ const HOOKS_BLOCK = {
           command: 'node $HOME/.claude/hooks/aria-pre-tool-gate.mjs',
           timeout: 5,
         },
+        {
+          type: 'command',
+          command: 'ARIA_COACH_PLATFORM=claude HOOK_EVENT_NAME=PreToolUse node $HOME/.claude/hooks/aria-first-class-coach.mjs',
+          timeout: 3,
+        },
         {
           // Pre-turn memory consumption gate (Enforcement Layer #49).
           // Fires after the cognition gate passes. Checks the first action
@@ -179,23 +199,37 @@ const HOOKS_BLOCK = {
       // inherits owner/client-tier identity + parent ledger path.
       // Tier protection is inside the hook — client paths never touch ~/.claude/.
       matcher: 'Agent',
-      hooks: [{
-        type: 'command',
-        command: 'node $HOME/.claude/hooks/aria-agent-handoff.mjs',
-        timeout: 5,
-        statusMessage: 'Writing sub-agent handoff...',
-      }],
+      hooks: [
+        {
+          type: 'command',
+          command: 'node $HOME/.claude/hooks/aria-agent-handoff.mjs',
+          timeout: 5,
+          statusMessage: 'Writing sub-agent handoff...',
+        },
+        {
+          type: 'command',
+          command: 'ARIA_COACH_PLATFORM=claude HOOK_EVENT_NAME=PreToolUse node $HOME/.claude/hooks/aria-first-class-coach.mjs',
+          timeout: 3,
+        },
+      ],
     },
   ],
   PostToolUse: [
     {
       matcher: 'Agent',
-      hooks: [{
-        type: 'command',
-        command: 'node $HOME/.claude/hooks/aria-agent-ledger-merge.mjs',
-        timeout: 8,
-        statusMessage: 'Merging sub-agent ledger...',
-      }],
+      hooks: [
+        {
+          type: 'command',
+          command: 'node $HOME/.claude/hooks/aria-agent-ledger-merge.mjs',
+          timeout: 8,
+          statusMessage: 'Merging sub-agent ledger...',
+        },
+        {
+          type: 'command',
+          command: 'ARIA_COACH_PLATFORM=claude HOOK_EVENT_NAME=PostToolUse node $HOME/.claude/hooks/aria-first-class-coach.mjs',
+          timeout: 3,
+        },
+      ],
     },
     {
       matcher: 'Bash|Edit|Write|NotebookEdit',
@@ -213,6 +247,11 @@ const HOOKS_BLOCK = {
           command: 'node $HOME/.claude/hooks/aria-outcome-record.mjs',
           timeout: 3,
         },
+        {
+          type: 'command',
+          command: 'ARIA_COACH_PLATFORM=claude HOOK_EVENT_NAME=PostToolUse node $HOME/.claude/hooks/aria-first-class-coach.mjs',
+          timeout: 3,
+        },
       ],
     },
   ],
@@ -240,6 +279,11 @@ const HOOKS_BLOCK = {
         command: 'node $HOME/.claude/hooks/aria-pre-text-gate.mjs',
         timeout: 5,
       },
+      {
+        type: 'command',
+        command: 'ARIA_COACH_PLATFORM=claude HOOK_EVENT_NAME=Stop node $HOME/.claude/hooks/aria-first-class-coach.mjs',
+        timeout: 3,
+      },
     ],
   }],
 };