@aria_asi/cli 0.2.36 → 0.2.37

package/dist/runtime/task-project-ledger.mjs

@@ -0,0 +1,290 @@
+import { existsSync, mkdirSync, readFileSync, renameSync, writeFileSync, appendFileSync } from 'node:fs';
+import { createHash } from 'node:crypto';
+import { homedir } from 'node:os';
+import { basename, dirname, join } from 'node:path';
+
+export const TASK_PROJECT_LEDGER_VERSION = 'aria.task_project_ledger.v1';
+
+const CLAIM_RX = /\b(?:first[- ]class|production[- ]ready|ready|complete|completed|done|verified|gold[- ]standard|shipped|fixed|landed)\b/i;
+const MAX_LEDGER_EVENTS = 500;
+
+export const TASK_PROJECT_QUALITY_GATES = [
+  { id: 'ledger_created', readinessRequired: true, description: 'A durable task/project ledger exists before work proceeds.' },
+  { id: 'intent_boundary', readinessRequired: true, description: 'The ledger records what task or project is being attempted.' },
+  { id: 'scope_boundary', readinessRequired: true, description: 'The ledger records platform and phase boundaries.' },
+  { id: 'execution_trace', readinessRequired: false, description: 'The ledger records execution, tool, workflow, or background events.' },
+  { id: 'verification_trace', readinessRequired: true, description: 'The ledger records real verification evidence before completion/readiness claims.' },
+  { id: 'post_turn_writeback', readinessRequired: false, description: 'The ledger records post-turn or outcome writeback.' },
+  { id: 'final_claim_guard', readinessRequired: true, description: 'The ledger guards final claims against missing evidence.' },
+];
+
+function stableHash(value = '') {
+  return createHash('sha256').update(String(value || 'unknown')).digest('hex').slice(0, 20);
+}
+
+function firstString(...values) {
+  for (const value of values) {
+    if (typeof value === 'string' && value.trim()) return value.trim();
+    if (typeof value === 'number' && Number.isFinite(value)) return String(value);
+  }
+  return '';
+}
+
+function compactHint(value = '') {
+  const raw = String(value || '').trim();
+  if (!raw) return 'unknown';
+  const tail = raw.includes('/') ? basename(raw) : raw;
+  return tail.replace(/[^a-zA-Z0-9._-]+/g, '-').slice(0, 80) || 'unknown';
+}
+
+function readJsonFile(path) {
+  try {
+    if (!existsSync(path)) return null;
+    return JSON.parse(readFileSync(path, 'utf8'));
+  } catch {
+    return null;
+  }
+}
+
+function writeJsonAtomic(path, value) {
+  mkdirSync(dirname(path), { recursive: true, mode: 0o700 });
+  const tmp = `${path}.${process.pid}.${Date.now()}.tmp`;
+  writeFileSync(tmp, `${JSON.stringify(value, null, 2)}\n`, { mode: 0o600 });
+  renameSync(tmp, path);
+}
+
+function markGate(ledger, gateId, status, evidence = undefined) {
+  const gate = ledger.qualityGates?.[gateId];
+  if (!gate) return;
+  if (gate.status === 'passed' && status !== 'blocked') return;
+  gate.status = status;
+  gate.updatedAt = ledger.updatedAt;
+  if (evidence) gate.evidence = evidence;
+}
+
+function hasPromptIntent(event = {}) {
+  return Boolean(firstString(
+    event.prompt,
+    event.userPrompt,
+    event.user_input,
+    event.message,
+    event.text,
+    event.body,
+    event.sessionID,
+    event.sessionId,
+    event.context?.prompt,
+    event.context?.bodyForAgent
+  ));
+}
+
+function hasVerificationEvidence(evidence = {}, event = {}) {
+  if (evidence.warning_clean === true || evidence.verification === true || evidence.validation_run === true) return true;
+  if (event.verified === true || event.validation?.ok === true || event.test?.ok === true) return true;
+  const text = firstString(event.verification, event.validation, event.testResult, event.commandResult, evidence.commandResult, evidence.outputPreview);
+  return /\b(?:ok|passed|pass|success|succeeded|exit\s*0|0\s*failures?)\b/i.test(text);
+}
+
+function isExecutionPhase(phase = '') {
+  return ['pre_tool', 'post_tool', 'background_worker', 'task_record', 'task_flow', 'lobster_run', 'approval_resume'].includes(phase);
+}
+
+function isPostTurnPhase(phase = '') {
+  return ['post_turn', 'outcome_writeback', 'decision_log'].includes(phase);
+}
+
+export function taskProjectLedgerRoot(env = process.env) {
+  return env.ARIA_TASK_PROJECT_LEDGER_DIR || join(homedir(), '.aria', 'task-project-ledgers');
+}
+
+export function resolveTaskProjectIdentity(event = {}, env = process.env) {
+  const projectRaw = firstString(
+    env.ARIA_PROJECT_ID,
+    event.projectId,
+    event.project_id,
+    event.project,
+    event.workspaceDir,
+    event.workspace_dir,
+    event.cwd,
+    event.currentWorkingDirectory,
+    event.context?.workspaceDir,
+    env.PWD,
+    process.cwd()
+  );
+  const taskRaw = firstString(
+    env.ARIA_TASK_ID,
+    event.taskId,
+    event.task_id,
+    event.sessionID,
+    event.session_id,
+    event.sessionId,
+    event.sessionKey,
+    event.conversationId,
+    event.threadId,
+    event.messageId,
+    event.transcript_path,
+    event.prompt,
+    event.message,
+    projectRaw
+  );
+  const projectHash = stableHash(projectRaw || 'unknown-project');
+  const taskHash = stableHash(`${projectHash}:${taskRaw || 'unknown-task'}`);
+  return {
+    projectHash,
+    taskHash,
+    projectHint: compactHint(projectRaw),
+    taskHint: compactHint(taskRaw),
+  };
+}
+
+export function taskProjectLedgerPaths(identity, env = process.env) {
+  const dir = join(taskProjectLedgerRoot(env), identity.projectHash);
+  return {
+    dir,
+    ledgerPath: join(dir, `${identity.taskHash}.json`),
+    eventPath: join(dir, `${identity.taskHash}.events.jsonl`),
+  };
+}
+
+function createTaskProjectLedger(identity, now) {
+  const qualityGates = Object.fromEntries(TASK_PROJECT_QUALITY_GATES.map((gate) => [
+    gate.id,
+    {
+      status: gate.id === 'ledger_created' || gate.id === 'final_claim_guard' ? 'passed' : 'pending',
+      description: gate.description,
+      readinessRequired: gate.readinessRequired,
+      updatedAt: now,
+    },
+  ]));
+  return {
+    schema: `${TASK_PROJECT_LEDGER_VERSION}.ledger`,
+    version: TASK_PROJECT_LEDGER_VERSION,
+    ledgerId: `tpl_${identity.projectHash}_${identity.taskHash}`,
+    createdAt: now,
+    updatedAt: now,
+    status: 'active',
+    identity,
+    controls: {
+      readinessClaimAllowed: false,
+      readinessClaimRule: 'Completion/readiness claims require all readinessRequired quality gates to pass and no open blockers.',
+    },
+    qualityGates,
+    phaseEvents: [],
+    evidence: [],
+    openBlockers: [],
+    blockedClaims: [],
+  };
+}
+
+export function readinessMissingGates(ledger = {}) {
+  const qualityGates = ledger.qualityGates || {};
+  return TASK_PROJECT_QUALITY_GATES
+    .filter((gate) => gate.readinessRequired)
+    .filter((gate) => qualityGates[gate.id]?.status !== 'passed' && qualityGates[gate.id]?.status !== 'not_applicable')
+    .map((gate) => gate.id);
+}
+
+export function updateTaskProjectLedger({ platform, phase, source = 'task-project-ledger', event = {}, evidence = {}, env = process.env } = {}) {
+  const now = new Date().toISOString();
+  const identity = resolveTaskProjectIdentity(event, env);
+  const paths = taskProjectLedgerPaths(identity, env);
+  const existing = readJsonFile(paths.ledgerPath);
+  const ledger = existing?.schema === `${TASK_PROJECT_LEDGER_VERSION}.ledger`
+    ? existing
+    : createTaskProjectLedger(identity, now);
+
+  ledger.updatedAt = now;
+  ledger.qualityGates = ledger.qualityGates || {};
+  for (const gate of TASK_PROJECT_QUALITY_GATES) {
+    if (!ledger.qualityGates[gate.id]) {
+      ledger.qualityGates[gate.id] = {
+        status: 'pending',
+        description: gate.description,
+        readinessRequired: gate.readinessRequired,
+        updatedAt: now,
+      };
+    }
+  }
+
+  markGate(ledger, 'ledger_created', 'passed', { ledgerPath: paths.ledgerPath });
+  if (hasPromptIntent(event) || phase === 'pre_prompt_injection' || phase === 'session_start') markGate(ledger, 'intent_boundary', 'passed', { source, phase });
+  if (platform && phase && phase !== 'unknown') markGate(ledger, 'scope_boundary', 'passed', { platform, phase });
+  if (isExecutionPhase(phase)) markGate(ledger, 'execution_trace', 'passed', { platform, phase, source });
+  if (hasVerificationEvidence(evidence, event)) markGate(ledger, 'verification_trace', 'passed', { source, phase });
+  if (isPostTurnPhase(phase)) markGate(ledger, 'post_turn_writeback', 'passed', { platform, phase, source });
+  markGate(ledger, 'final_claim_guard', 'passed', { source: 'task_project_ledger_claim_guard' });
+
+  const row = {
+    at: now,
+    platform: platform || 'unknown',
+    phase: phase || 'unknown',
+    source,
+    evidence,
+  };
+  ledger.phaseEvents = Array.isArray(ledger.phaseEvents) ? ledger.phaseEvents : [];
+  ledger.phaseEvents.push(row);
+  if (ledger.phaseEvents.length > MAX_LEDGER_EVENTS) ledger.phaseEvents = ledger.phaseEvents.slice(-MAX_LEDGER_EVENTS);
+  if (Object.keys(evidence || {}).length > 0) {
+    ledger.evidence = Array.isArray(ledger.evidence) ? ledger.evidence : [];
+    ledger.evidence.push({ at: now, source, phase: row.phase, evidence });
+    if (ledger.evidence.length > MAX_LEDGER_EVENTS) ledger.evidence = ledger.evidence.slice(-MAX_LEDGER_EVENTS);
+  }
+
+  const missingReadinessGates = readinessMissingGates(ledger);
+  ledger.controls = ledger.controls || {};
+  ledger.controls.readinessClaimAllowed = missingReadinessGates.length === 0 && (ledger.openBlockers || []).length === 0;
+  ledger.controls.missingReadinessGates = missingReadinessGates;
+
+  writeJsonAtomic(paths.ledgerPath, ledger);
+  mkdirSync(dirname(paths.eventPath), { recursive: true, mode: 0o700 });
+  appendFileSync(paths.eventPath, `${JSON.stringify({ schema: `${TASK_PROJECT_LEDGER_VERSION}.event`, ledgerId: ledger.ledgerId, ...row })}\n`, { mode: 0o600 });
+  return { ledger, paths, identity };
+}
+
+export function formatTaskProjectLedgerContext({ ledger, paths, platform = 'unknown', phase = 'unknown' } = {}) {
+  const missing = readinessMissingGates(ledger);
+  return [
+    '--- ARIA TASK/PROJECT LEDGER CONTRACT ---',
+    `version: ${TASK_PROJECT_LEDGER_VERSION}`,
+    `ledger_id: ${ledger?.ledgerId || 'unknown'}`,
+    `platform: ${platform}`,
+    `phase: ${phase}`,
+    `project_ref: ${ledger?.identity?.projectHint || 'unknown'}`,
+    `task_ref: ${ledger?.identity?.taskHint || 'unknown'}`,
+    `ledger_event_count: ${Array.isArray(ledger?.phaseEvents) ? ledger.phaseEvents.length : 0}`,
+    `readiness_claim_allowed: ${ledger?.controls?.readinessClaimAllowed === true ? 'true' : 'false'}`,
+    `missing_readiness_gates: ${missing.length > 0 ? missing.join(', ') : 'none'}`,
+    `ledger_path: ${paths?.ledgerPath || 'unknown'}`,
+    'required_behavior: create/update this ledger for every task and project; use it as the controlling anti-drift artifact before tool use, final claims, and long-running handoff.',
+    'claim_rule: do not say done/complete/ready/verified/fixed/shipped unless this ledger has verification evidence and no open blockers.',
+    'quality_rule: every phase must preserve intent, scope, evidence, verification, recovery, and post-turn writeback where applicable.',
+    '--- /ARIA TASK/PROJECT LEDGER CONTRACT ---',
+  ].join('\n');
+}
+
+export function evaluateTaskProjectClaim({ text = '', ledger = {} } = {}) {
+  const claim = CLAIM_RX.test(String(text || ''));
+  if (!claim) return { ok: true, claim: false, missingReadinessGates: [], openBlockers: [] };
+  const missingReadinessGates = readinessMissingGates(ledger);
+  const openBlockers = Array.isArray(ledger.openBlockers) ? ledger.openBlockers : [];
+  return {
+    ok: missingReadinessGates.length === 0 && openBlockers.length === 0 && ledger.controls?.readinessClaimAllowed === true,
+    claim: true,
+    missingReadinessGates,
+    openBlockers,
+  };
+}
+
+export function recordBlockedTaskProjectClaim({ ledger, paths, text, evaluation } = {}) {
+  if (!ledger || !paths?.ledgerPath) return null;
+  const now = new Date().toISOString();
+  ledger.blockedClaims = Array.isArray(ledger.blockedClaims) ? ledger.blockedClaims : [];
+  ledger.blockedClaims.push({
+    at: now,
+    textHash: stableHash(text || ''),
+    missingReadinessGates: evaluation?.missingReadinessGates || [],
+    openBlockerCount: evaluation?.openBlockers?.length || 0,
+  });
+  ledger.updatedAt = now;
+  writeJsonAtomic(paths.ledgerPath, ledger);
+  return ledger.blockedClaims[ledger.blockedClaims.length - 1];
+}

package/dist/sdk/BUNDLED.json

@@ -1,5 +1,5 @@
 {
-  "bundledAt": "2026-05-03T03:55:56.398Z",
+  "bundledAt": "2026-05-04T03:02:47.924Z",
   "sdkSource": "/home/hamzaibrahim1/rei-ai-brain/harness/packages/harness-http-client/dist",
-  "files": 9
+  "files": 12
 }

package/dist/sdk/auth.d.ts

@@ -0,0 +1,17 @@
+export type HarnessAuthTokenSource = 'explicit' | 'env:ARIA_HARNESS_TOKEN' | 'env:ARIA_API_KEY' | 'env:ARIA_MASTER_TOKEN' | 'persisted-client-token' | 'owner-token-file' | 'license:harnessToken' | 'license:token' | 'missing';
+export interface HarnessAuthResolutionOptions {
+    explicitToken?: string | null;
+    baseUrl?: string;
+    clientId?: string;
+    tokenScope?: string;
+    persistToken?: boolean;
+}
+export interface HarnessAuthResolution {
+    token: string;
+    source: HarnessAuthTokenSource;
+    scope: string;
+    persisted: boolean;
+    tokenPresent: boolean;
+}
+export declare function resolveHarnessAuthToken(options?: HarnessAuthResolutionOptions): HarnessAuthResolution;
+export declare function getHarnessAuthStatus(options?: HarnessAuthResolutionOptions): Omit<HarnessAuthResolution, 'token'>;

package/dist/sdk/auth.js

@@ -0,0 +1,158 @@
+import { createHash } from 'node:crypto';
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs';
+import { homedir } from 'node:os';
+import { join } from 'node:path';
+const ARIA_DIR = join(homedir(), '.aria');
+const CLIENT_TOKEN_DIR = join(ARIA_DIR, 'harness-tokens');
+const OWNER_TOKEN_PATH = join(ARIA_DIR, 'owner-token');
+const LICENSE_PATH = join(ARIA_DIR, 'license.json');
+function nonEmpty(value) {
+    return typeof value === 'string' && value.trim() ? value.trim() : '';
+}
+function parseJsonFile(path) {
+    try {
+        if (!existsSync(path))
+            return null;
+        const parsed = JSON.parse(readFileSync(path, 'utf8'));
+        return parsed && typeof parsed === 'object' && !Array.isArray(parsed)
+            ? parsed
+            : null;
+    }
+    catch {
+        return null;
+    }
+}
+function readTextFile(path) {
+    try {
+        if (!existsSync(path))
+            return '';
+        return readFileSync(path, 'utf8').trim();
+    }
+    catch {
+        return '';
+    }
+}
+function hasExplicitClientScope(options) {
+    return Boolean(nonEmpty(options.clientId) || nonEmpty(options.tokenScope));
+}
+function scopeFromBaseUrl(baseUrl) {
+    try {
+        const parsed = new URL(baseUrl);
+        const material = `${parsed.protocol}//${parsed.host}`;
+        return `base-${createHash('sha256').update(material).digest('hex').slice(0, 16)}`;
+    }
+    catch {
+        return 'default';
+    }
+}
+function sanitizeScope(value) {
+    const clean = value.trim().replace(/[^a-zA-Z0-9._-]/g, '_').slice(0, 96);
+    return clean || 'default';
+}
+function inferScope(options, license) {
+    const explicit = nonEmpty(options.tokenScope) || nonEmpty(options.clientId);
+    if (explicit)
+        return sanitizeScope(explicit);
+    const envScope = nonEmpty(process.env.ARIA_HARNESS_CLIENT_ID) ||
+        nonEmpty(process.env.ARIA_CLIENT_ID) ||
+        nonEmpty(process.env.ARIA_TENANT_ID);
+    if (envScope)
+        return sanitizeScope(envScope);
+    const licenseScope = nonEmpty(license?.jti) || nonEmpty(license?.sub);
+    if (licenseScope)
+        return sanitizeScope(licenseScope);
+    return sanitizeScope(scopeFromBaseUrl(nonEmpty(options.baseUrl)));
+}
+function persistedPath(scope) {
+    return join(CLIENT_TOKEN_DIR, `${sanitizeScope(scope)}.json`);
+}
+function readPersistedToken(scope) {
+    const parsed = parseJsonFile(persistedPath(scope));
+    return nonEmpty(parsed?.token);
+}
+function persistClientToken(scope, token, source) {
+    if (!token)
+        return false;
+    try {
+        mkdirSync(CLIENT_TOKEN_DIR, { recursive: true, mode: 0o700 });
+        writeFileSync(persistedPath(scope), `${JSON.stringify({ scope, token, source, updatedAt: new Date().toISOString() }, null, 2)}\n`, { encoding: 'utf8', mode: 0o600 });
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+function tokenFromEnv() {
+    const harness = nonEmpty(process.env.ARIA_HARNESS_TOKEN);
+    if (harness)
+        return { token: harness, source: 'env:ARIA_HARNESS_TOKEN' };
+    const api = nonEmpty(process.env.ARIA_API_KEY);
+    if (api)
+        return { token: api, source: 'env:ARIA_API_KEY' };
+    const master = nonEmpty(process.env.ARIA_MASTER_TOKEN);
+    if (master)
+        return { token: master, source: 'env:ARIA_MASTER_TOKEN' };
+    return { token: '', source: 'missing' };
+}
+function tokenFromLicense(license) {
+    const harness = nonEmpty(license?.harnessToken);
+    if (harness)
+        return { token: harness, source: 'license:harnessToken' };
+    const token = nonEmpty(license?.token);
+    if (token)
+        return { token, source: 'license:token' };
+    return { token: '', source: 'missing' };
+}
+export function resolveHarnessAuthToken(options = {}) {
+    const license = parseJsonFile(LICENSE_PATH);
+    const scope = inferScope(options, license);
+    const persistToken = options.persistToken !== false;
+    const explicitToken = nonEmpty(options.explicitToken);
+    if (explicitToken) {
+        const persisted = persistToken ? persistClientToken(scope, explicitToken, 'explicit') : false;
+        return { token: explicitToken, source: 'explicit', scope, persisted, tokenPresent: true };
+    }
+    const env = tokenFromEnv();
+    if (env.token) {
+        const persisted = persistToken ? persistClientToken(scope, env.token, env.source) : false;
+        return { token: env.token, source: env.source, scope, persisted, tokenPresent: true };
+    }
+    const persistedToken = readPersistedToken(scope);
+    if (persistedToken) {
+        return {
+            token: persistedToken,
+            source: 'persisted-client-token',
+            scope,
+            persisted: true,
+            tokenPresent: true,
+        };
+    }
+    if (!hasExplicitClientScope(options) || process.env.ARIA_ALLOW_OWNER_TOKEN_FOR_CLIENT_SCOPE === 'true') {
+        const ownerToken = readTextFile(OWNER_TOKEN_PATH);
+        if (ownerToken) {
+            return {
+                token: ownerToken,
+                source: 'owner-token-file',
+                scope,
+                persisted: false,
+                tokenPresent: true,
+            };
+        }
+    }
+    const licensed = tokenFromLicense(license);
+    if (licensed.token) {
+        return {
+            token: licensed.token,
+            source: licensed.source,
+            scope,
+            persisted: false,
+            tokenPresent: true,
+        };
+    }
+    return { token: '', source: 'missing', scope, persisted: false, tokenPresent: false };
+}
+export function getHarnessAuthStatus(options = {}) {
+    const { token: _token, ...status } = resolveHarnessAuthToken({ ...options, persistToken: false });
+    return status;
+}
+//# sourceMappingURL=auth.js.map

package/dist/sdk/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAC7E,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AA6BjC,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,EAAE,EAAE,OAAO,CAAC,CAAC;AAC1C,MAAM,gBAAgB,GAAG,IAAI,CAAC,QAAQ,EAAE,gBAAgB,CAAC,CAAC;AAC1D,MAAM,gBAAgB,GAAG,IAAI,CAAC,QAAQ,EAAE,aAAa,CAAC,CAAC;AACvD,MAAM,YAAY,GAAG,IAAI,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC;AAEpD,SAAS,QAAQ,CAAC,KAAc;IAC9B,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;AACvE,CAAC;AAED,SAAS,aAAa,CAAC,IAAY;IACjC,IAAI,CAAC;QACH,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;YAAE,OAAO,IAAI,CAAC;QACnC,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC;QACtD,OAAO,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC;YACnE,CAAC,CAAE,MAAkC;YACrC,CAAC,CAAC,IAAI,CAAC;IACX,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,YAAY,CAAC,IAAY;IAChC,IAAI,CAAC;QACH,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;YAAE,OAAO,EAAE,CAAC;QACjC,OAAO,YAAY,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC;IAC3C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,SAAS,sBAAsB,CAAC,OAAqC;IACnE,OAAO,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,QAAQ,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC;AAC7E,CAAC;AAED,SAAS,gBAAgB,CAAC,OAAe;IACvC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC;QAChC,MAAM,QAAQ,GAAG,GAAG,MAAM,CAAC,QAAQ,KAAK,MAAM,CAAC,IAAI,EAAE,CAAC;QACtD,OAAO,QAAQ,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC;IACpF,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,SAAS,aAAa,CAAC,KAAa;IAClC,MAAM,KAAK,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC,OAAO,CAAC,kBAAkB,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACzE,OAAO,KAAK,IAAI,SAAS,CAAC;AAC5B,CAAC;AAED,SAAS,UAAU,CACjB,OAAqC,EACrC,OAAuC;IAEvC,MAAM,QAAQ,GAAG,QAAQ,CAAC,OAAO,CAAC,UAAU,CAAC,IAAI,QAAQ,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC5E,IAAI,QAAQ;QAAE,OAAO,aAAa,CAAC,QAAQ,CAAC,CAAC;IAE7C,MAAM,QAAQ,GACZ,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC;QAC5C,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC;QACpC,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;IACvC,IAAI,QAAQ;QAAE,OAAO,aAAa,CAAC,QAAQ,CAAC,CAAC;IAE7C,MAAM,YAAY,GAAG,QAAQ,CAAC,OAAO,EAAE,GAAG,CAAC,IAAI,QAAQ,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;IACtE,IAAI,YAAY;QAAE,OAAO,aAAa,CAAC,YAAY,CAAC,CAAC;IAErD,OAAO,aAAa,CAAC,gBAAgB,CAAC,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;AACpE,CAAC;AAED,SAAS,aAAa,CAAC,KAAa;IAClC,OAAO,IAAI,CAAC,gBAAgB,EAAE,GAAG,aAAa,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;AAChE,CAAC;AAED,SAAS,kBAAkB,CAAC,KAAa;IACvC,MAAM,MAAM,GAAG,aAAa,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC,CAAC;IACnD,OAAO,QAAQ,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;AACjC,CAAC;AAED,SAAS,kBAAkB,CAAC,KAAa,EAAE,KAAa,EAAE,MAA8B;IACtF,IAAI,CAAC,KAAK;QAAE,OAAO,KAAK,CAAC;IACzB,IAAI,CAAC;QACH,SAAS,CAAC,gBAAgB,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QAC9D,aAAa,CACX,aAAa,CAAC,KAAK,CAAC,EACpB,GAAG,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAC7F,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,CAClC,CAAC;QACF,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,SAAS,YAAY;IACnB,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;IACzD,IAAI,OAAO;QAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE,wBAAwB,EAAE,CAAC;IACzE,MAAM,GAAG,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;IAC/C,IAAI,GAAG;QAAE,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,MAAM,EAAE,kBAAkB,EAAE,CAAC;IAC3D,MAAM,MAAM,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;IACvD,IAAI,MAAM;QAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,uBAAuB,EAAE,CAAC;IACtE,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC;AAC1C,CAAC;AAED,SAAS,gBAAgB,CAAC,OAAuC;IAC/D,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;IAChD,IAAI,OAAO;QAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE,sBAAsB,EAAE,CAAC;IACvE,MAAM,KAAK,GAAG,QAAQ,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IACvC,IAAI,KAAK;QAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;IACrD,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC;AAC1C,CAAC;AAED,MAAM,UAAU,uBAAuB,CACrC,UAAwC,EAAE;IAE1C,MAAM,OAAO,GAAG,aAAa,CAAC,YAAY,CAAC,CAAC;IAC5C,MAAM,KAAK,GAAG,UAAU,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IAC3C,MAAM,YAAY,GAAG,OAAO,CAAC,YAAY,KAAK,KAAK,CAAC;IAEpD,MAAM,aAAa,GAAG,QAAQ,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;IACtD,IAAI,aAAa,EAAE,CAAC;QAClB,MAAM,SAAS,GAAG,YAAY,CAAC,CAAC,CAAC,kBAAkB,CAAC,KAAK,EAAE,aAAa,EAAE,UAAU,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;QAC9F,OAAO,EAAE,KAAK,EAAE,aAAa,EAAE,MAAM,EAAE,UAAU,EAAE,KAAK,EAAE,SAAS,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC;IAC5F,CAAC;IAED,MAAM,GAAG,GAAG,YAAY,EAAE,CAAC;IAC3B,IAAI,GAAG,CAAC,KAAK,EAAE,CAAC;QACd,MAAM,SAAS,GAAG,YAAY,CAAC,CAAC,CAAC,kBAAkB,CAAC,KAAK,EAAE,GAAG,CAAC,KAAK,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;QAC1F,OAAO,EAAE,KAAK,EAAE,GAAG,CAAC,KAAK,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC;IACxF,CAAC;IAED,MAAM,cAAc,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC;IACjD,IAAI,cAAc,EAAE,CAAC;QACnB,OAAO;YACL,KAAK,EAAE,cAAc;YACrB,MAAM,EAAE,wBAAwB;YAChC,KAAK;YACL,SAAS,EAAE,IAAI;YACf,YAAY,EAAE,IAAI;SACnB,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,sBAAsB,CAAC,OAAO,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,uCAAuC,KAAK,MAAM,EAAE,CAAC;QACvG,MAAM,UAAU,GAAG,YAAY,CAAC,gBAAgB,CAAC,CAAC;QAClD,IAAI,UAAU,EAAE,CAAC;YACf,OAAO;gBACL,KAAK,EAAE,UAAU;gBACjB,MAAM,EAAE,kBAAkB;gBAC1B,KAAK;gBACL,SAAS,EAAE,KAAK;gBAChB,YAAY,EAAE,IAAI;aACnB,CAAC;QACJ,CAAC;IACH,CAAC;IAED,MAAM,QAAQ,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;IAC3C,IAAI,QAAQ,CAAC,KAAK,EAAE,CAAC;QACnB,OAAO;YACL,KAAK,EAAE,QAAQ,CAAC,KAAK;YACrB,MAAM,EAAE,QAAQ,CAAC,MAAM;YACvB,KAAK;YACL,SAAS,EAAE,KAAK;YAChB,YAAY,EAAE,IAAI;SACnB,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,MAAM,EAAE,SAAS,EAAE,KAAK,EAAE,SAAS,EAAE,KAAK,EAAE,YAAY,EAAE,KAAK,EAAE,CAAC;AACxF,CAAC;AAED,MAAM,UAAU,oBAAoB,CAClC,UAAwC,EAAE;IAE1C,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,MAAM,EAAE,GAAG,uBAAuB,CAAC,EAAE,GAAG,OAAO,EAAE,YAAY,EAAE,KAAK,EAAE,CAAC,CAAC;IAClG,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/sdk/index.d.ts

@@ -1,9 +1,13 @@
+import { type HarnessAuthResolution } from './auth.js';
 export interface HarnessClientConfig {
     baseUrl: string;
-    apiKey: string;
+    apiKey?: string;
     harnessPacketUrl?: string;
     gardenBaseUrl?: string;
     workspaceRoot?: string;
+    clientId?: string;
+    tokenScope?: string;
+    persistApiKey?: boolean;
 }
 export interface OwnerTier {
     hamza: boolean;
@@ -303,12 +307,14 @@ export declare class HTTPHarnessClient {
     private readonly harnessPacketUrl;
     private readonly gardenBaseUrl?;
     private readonly workspaceRoot;
+    private readonly authResolution;
     private cachedPacket;
     private packetLastFetched;
     private readonly packetTtlMs;
     private preferredBaseUrl;
     private readonly baseUrlCandidates;
     constructor(config: HarnessClientConfig);
+    getAuthStatus(): Omit<HarnessAuthResolution, 'token'>;
     private buildBaseUrlCandidates;
     private isRouteEligibleForBaseFailover;
     private candidateUrlsFor;
@@ -533,5 +539,6 @@ export declare const harness: {
 };
 export declare function bindingContext(role: string, sessionId: string, stage: string, intendedAction: string, rationale: string): HarnessBindingContext;
 export declare function getBoundHarnessAndPrompt(context: HarnessBindingContext, plan?: Partial<HarnessPlan>, client?: HTTPHarnessClient): Promise<BoundHarnessPromptResult>;
+export * from './auth.js';
 export * from './runWithCognition.js';
 export * from './runWithGovernance.js';

package/dist/sdk/index.js

@@ -3,6 +3,7 @@ import { existsSync, readFileSync, statSync } from 'node:fs';
 import { homedir as _homedir } from 'node:os';
 import { resolve, isAbsolute } from 'node:path';
 import { createHash, randomUUID } from 'node:crypto';
+import { resolveHarnessAuthToken } from './auth.js';
 const CLOUD_RUN_SOUL_URL = 'https://arias-soul-6zp3gtk2ca-uc.a.run.app';
 const PUBLIC_HARNESS_URL = 'https://harness.ariasos.com';
 const LOCAL_HARNESS_CANDIDATES = [
@@ -89,6 +90,7 @@ export class HTTPHarnessClient {
     harnessPacketUrl;
     gardenBaseUrl;
     workspaceRoot;
+    authResolution;
     cachedPacket = null;
     packetLastFetched = 0;
     packetTtlMs = 60_000;
@@ -96,7 +98,14 @@ export class HTTPHarnessClient {
     baseUrlCandidates;
     constructor(config) {
         this.baseUrl = config.baseUrl.replace(/\/+$/, '');
-        this.apiKey = config.apiKey;
+        this.authResolution = resolveHarnessAuthToken({
+            explicitToken: config.apiKey,
+            baseUrl: this.baseUrl,
+            clientId: config.clientId,
+            tokenScope: config.tokenScope,
+            persistToken: config.persistApiKey !== false,
+        });
+        this.apiKey = this.authResolution.token;
         this.harnessPacketUrl = config.harnessPacketUrl ?? (isMountedRuntimeBaseUrl(this.baseUrl)
             ? `${this.baseUrl}/packet`
             : `${this.baseUrl}/api/harness/codex`);
@@ -113,6 +122,10 @@ export class HTTPHarnessClient {
         // TTL is 5 min (matches handoff TTL). Stale packets trigger normal fetch.
         this._tryLoadDiskPacket();
     }
+    getAuthStatus() {
+        const { token: _token, ...status } = this.authResolution;
+        return status;
+    }
     buildBaseUrlCandidates(primaryBaseUrl) {
         const envFallbacks = String(process.env.ARIA_HARNESS_FALLBACK_URLS || '')
             .split(',')
@@ -1709,6 +1722,7 @@ export async function getBoundHarnessAndPrompt(context, plan, client) {
     const sdk = client ?? HTTPHarnessClient.getInstance();
     return sdk.getBoundHarnessAndPrompt(context, plan);
 }
+export * from './auth.js';
 export * from './runWithCognition.js';
 export * from './runWithGovernance.js';
 //# sourceMappingURL=index.js.map