@aria_asi/cli 0.2.37 → 0.2.39

package/dist/assets/hooks/aria-pre-tool-use.mjs

@@ -0,0 +1,75 @@
+#!/usr/bin/env node
+import {
+  getHarnessClient,
+  inferSessionId,
+  classifyAction,
+  summarizeTarget,
+  readEventFromStdin,
+  loadTurnState,
+  makeEvidenceRef,
+  recordCoachPhase,
+  saveTurnState,
+  formatCodexRecoveryBlock,
+  emitJson,
+} from './lib/runtime-client.mjs';
+
+const event = readEventFromStdin();
+const sessionId = inferSessionId(event);
+const action = classifyAction(event);
+const target = summarizeTarget(event);
+const state = loadTurnState(sessionId);
+
+try {
+  if (!state?.preReceiptId && !state?.userText) {
+    emitJson({
+      decision: 'block',
+      reason: formatCodexRecoveryBlock({
+        surface: 'codex-pre-tool',
+        reason: 'this turn has no pre-turn Mizan receipt',
+        next: '6. Re-submit the prompt so cognition is established before tool use, then request the tool again.',
+      }),
+    });
+  }
+  const toolName = String(event?.tool_name || event?.toolName || '').trim() || null;
+  const requestRef = makeEvidenceRef('codex_tool_request', { action, toolName, target }, { sessionId });
+  const coach = await recordCoachPhase('pre_tool', {
+    requestId: state?.traceId || sessionId,
+    sessionId,
+    text: target,
+    action,
+    target,
+    evidenceRefs: [requestRef],
+    metadata: { source: 'codex-pre-tool-hook', toolName, requireVerify: action === 'deploy' || action === 'delete' },
+  });
+  if (coach?.permitted === false) {
+    emitJson({
+      decision: 'block',
+      reason: formatCodexRecoveryBlock({
+        surface: 'codex-pre-tool-coach',
+        reason: coach.clientMessage || 'Coach Kernel denied ' + action,
+        next: '6. Add the required evidence/cognition contract, then request the tool again.',
+      }),
+    });
+  }
+  const tools = Array.isArray(state?.tools) ? state.tools.slice(-24) : [];
+  tools.push({
+    at: new Date().toISOString(),
+    action,
+    toolName,
+    target,
+    evidenceRef: makeEvidenceRef('tool_request', { action, toolName, target }, { sessionId }),
+  });
+  saveTurnState(sessionId, {
+    tools,
+    lastEvent: 'PreToolUse',
+  });
+  process.exit(0);
+} catch (error) {
+  emitJson({
+    decision: 'block',
+    reason: formatCodexRecoveryBlock({
+      surface: 'codex-pre-tool-hook',
+      reason: error instanceof Error ? error.message : String(error),
+    }),
+  });
+}

package/dist/assets/hooks/lib/first-class-coach.mjs

@@ -243,10 +243,10 @@ function summarizeRuntimeToolTarget(event = {}) {
 
 function inferRuntimeAction(event = {}, phase = '') {
   const haystack = `${phase}\n${summarizeRuntimeToolTarget(event)}\n${stableJson(event).slice(0, 6000)}`;
-  if (/\b(?:kubectl\s+(?:apply|set|rollout|delete)|helm\s+upgrade|terraform\s+apply|docker\s+push|deploy)\b/i.test(haystack)) return 'deploy';
-  if (/\b(?:rm\s+-[rRfF]+|delete|drop\s+(?:table|database|schema)|git\s+reset\s+--hard)\b/i.test(haystack)) return 'delete';
+  if (/\b(?:kubectl\s+(?:apply|set|rollout|delete|create|replace|scale)|helm\s+(?:upgrade|install|uninstall)|terraform\s+(?:apply|destroy)|docker\s+(?:push|build\s+.*--push)|deploy)\b/i.test(haystack)) return 'deploy';
+  if (/\b(?:rm\s+-[rRfF]+\S*|drop\s+(?:table|database|schema|collection|index)|git\s+(?:reset\s+--hard|push\s+--force|push\s+--delete)|sudo\s+|systemctl\s+(?:stop|disable|mask|kill)|kill\s+-[9K]|pkill\s+-[9K]|chmod\s+777|docker\s+rm\s+-f)\b/i.test(haystack)) return 'delete';
+  if (/\b(?:--no-verify|--no-gpg-sign)\b/i.test(haystack)) return 'delete';
   if (phase === 'stop' || phase === 'pre_emit') return 'release';
-  if (phase === 'pre_tool' || phase === 'post_tool') return 'write';
   return '';
 }
 

package/dist/runtime/coach-kernel.mjs

@@ -127,7 +127,7 @@ function inferRiskClass(highRisk, repairable) {
   return 'low';
 }
 
-function decisionFromSignals(highRisk, repairable, warnings) {
+function decisionFromSignals(highRisk, repairable, warnings, autoTrigger = []) {
   if (highRisk.length > 0) {
     return {
       decision: 'hard_block',
@@ -136,6 +136,14 @@ function decisionFromSignals(highRisk, repairable, warnings) {
       reasons: highRisk,
     };
   }
+  if (autoTrigger.length > 0) {
+    return {
+      decision: 'auto_trigger_skills',
+      permitted: false,
+      nextAction: 'auto_load_missing_skills_and_retry',
+      reasons: autoTrigger,
+    };
+  }
   if (repairable.length > 0) {
     return {
       decision: 'repair_once',
@@ -192,12 +200,16 @@ export function normalizeCoachEvent(input = {}) {
   return record;
 }
 
+const DESTRUCTIVE_RX = /\b(?:rm\s+-[rRfF]+\S*|drop\s+(?:table|database|schema|collection|index)|git\s+(?:reset\s+--hard|push\s+--force|push\s+--delete)|sudo\s+|systemctl\s+(?:stop|disable|mask|kill)|kill\s+-[9K]|pkill\s+-[9K]|--no-verify|--no-gpg-sign|kubectl\s+(?:delete|scale\s+--replicas=0|rollout\s+undo)|docker\s+rm\s+-f|chmod\s+777|wget|curl.*\|\s*(?:ba)?sh)\b/i;
+const DEPLOY_RX = /\b(?:kubectl\s+(?:apply|set|rollout|delete|create|replace|scale)|helm\s+(?:upgrade|install|uninstall)|terraform\s+(?:apply|destroy)|docker\s+(?:push|build\s+.*--push))\b/i;
+
 export function evaluateCoachEvent(event = {}) {
   const normalized = event.phase ? event : normalizeCoachEvent(event);
   const text = normalized.rawText || normalized.text_preview || '';
   const highRisk = [];
   const repairable = [];
   const warnings = [];
+  const autoTrigger = [];
   const action = String(normalized.action || '').toLowerCase();
 
   if (!ALLOWED_PHASES.has(normalized.phase)) {
@@ -207,13 +219,13 @@ export function evaluateCoachEvent(event = {}) {
     highRisk.push('secret_or_credential_exposure');
   }
   if (normalized.phase === 'pre_generation' && normalized.missing_skill_ids.length > 0) {
-    highRisk.push('required_skill_unavailable_before_generation');
+    autoTrigger.push('required_skill_auto_load');
   }
   if (TOOL_PHASES.has(normalized.phase) || action) {
-    if ((action === 'delete' || /\b(?:rm\s+-rf|drop\s+(?:table|database|schema)|git\s+reset\s+--hard)\b/i.test(text)) && normalized.metadata?.approved !== true) {
+    if ((action === 'delete' || DESTRUCTIVE_RX.test(text)) && normalized.metadata?.approved !== true) {
       highRisk.push('unapproved_destructive_action');
     }
-    if ((action === 'deploy' || /\b(?:kubectl\s+(?:apply|set|rollout|delete)|helm\s+upgrade|terraform\s+apply|docker\s+push)\b/i.test(text)) && !hasVerifyEvidence(normalized, text)) {
+    if ((action === 'deploy' || DEPLOY_RX.test(text)) && !hasVerifyEvidence(normalized, text)) {
       highRisk.push('unverified_deploy_or_infra_mutation');
     }
   }
@@ -229,17 +241,21 @@ export function evaluateCoachEvent(event = {}) {
       repairable.push('unsupported_completion_or_verification_claim');
     }
   }
+  if (normalized.missing_skill_ids.length > 0 && !normalized.metadata?.skillsAdvisoryOnly) {
+    autoTrigger.push('required_skills_not_loaded');
+  }
   if (normalized.lane.includes('unmanaged') || normalized.metadata?.complianceGuarantee === 'best_effort_only') {
     warnings.push('unmanaged_direct_provider_best_effort_only');
   }
 
-  const verdict = decisionFromSignals(highRisk, repairable, warnings);
+  const verdict = decisionFromSignals(highRisk, repairable, warnings, autoTrigger);
   return {
     ...verdict,
     riskClass: inferRiskClass(highRisk, repairable),
     highRisk,
     repairable,
     warnings,
+    autoTrigger,
   };
 }
 
@@ -369,3 +385,48 @@ export function formatCoachClientBlock(recordOrResult = {}) {
     `Next: ${next}`,
   ].join('\n');
 }
+
+/**
+ * Auto-trigger skill loading when the Coach detects missing skills.
+ * Searches the skill registry for each missing skill ID and loads their
+ * body text into the turn context so the LLM can apply them.
+ */
+export async function triggerMissingSkills(missingSkillIds = [], skillSearchRoots = []) {
+  if (!missingSkillIds.length) return { loaded: [], stillMissing: [], loadedBodies: [] };
+
+  const loaded = [];
+  const stillMissing = [];
+  const loadedBodies = [];
+
+  const roots = skillSearchRoots.length > 0 ? skillSearchRoots : [
+    join(dirname(fileURLToPath(import.meta.url)), 'discipline', 'skills'),
+    join(process.env.HOME || '', '.aria', 'runtime', 'discipline', 'skills'),
+    join(process.env.HOME || '', '.claude', 'skills'),
+    join(process.env.HOME || '', '.agents', 'skills'),
+  ];
+
+  for (const skillId of missingSkillIds) {
+    let found = false;
+    for (const root of roots) {
+      if (!existsSync(root)) continue;
+      try {
+        const entries = require('node:fs').readdirSync(root, { recursive: true, withFileTypes: true });
+        for (const entry of entries) {
+          if (!entry.isFile() || !entry.name.endsWith('.md') && !entry.name.endsWith('SKILL.md')) continue;
+          if (entry.name.toLowerCase().includes(skillId.toLowerCase()) ||
+              entry.parentPath?.toLowerCase().includes(skillId.toLowerCase())) {
+            const body = readFileSync(join(entry.parentPath || root, entry.name), 'utf8');
+            loaded.push(skillId);
+            loadedBodies.push({ skillId, path: join(entry.parentPath || root, entry.name), body: body.slice(0, 20000) });
+            found = true;
+            break;
+          }
+        }
+      } catch {}
+      if (found) break;
+    }
+    if (!found) stillMissing.push(skillId);
+  }
+
+  return { loaded, stillMissing, loadedBodies };
+}

package/dist/runtime/gated-ledger.mjs

@@ -0,0 +1,237 @@
+#!/usr/bin/env node
+/**
+ * Gated Ledger — End-to-End Runtime Enforcement
+ *
+ * Every kernel output, coach decision, completion claim, and doctrine
+ * trigger flows through this ledger. Nothing bypasses it.
+ *
+ * Gates (executed in order):
+ *   1. Skill Gate — missing skills → auto-trigger load → retry
+ *   2. Template Gate — deterministic/templated output → forced regeneration
+ *   3. Coach Gate — pre/post cognition, tool directives enforced
+ *   4. Quality Gate — gate labels, minimum substance, collapse text blocked
+ *   5. Evidence Gate — completion claims without measured evidence blocked
+ *   6. Doctrine Gate — doctrine trigger map enforced
+ *   7. Final Output Gate — safe fallback if all else fails
+ *
+ * Ledger records every gate decision, every enforcement action,
+ * every repair attempt, and every final outcome.
+ */
+
+import { appendFileSync, existsSync, mkdirSync, readFileSync } from 'node:fs';
+import { createHash, randomUUID } from 'node:crypto';
+import { homedir } from 'node:os';
+import { dirname, join } from 'node:path';
+
+const HOME = homedir();
+const STATE_DIR = join(HOME, '.aria', 'runtime', 'state');
+const GATED_LEDGER_PATH = join(STATE_DIR, 'gated-ledger.jsonl');
+const DOCTRINE_TRIGGER_MAP_PATH = join(STATE_DIR, 'doctrine_trigger_map.json');
+
+function ensureDir() {
+  if (!existsSync(STATE_DIR)) mkdirSync(STATE_DIR, { recursive: true, mode: 0o700 });
+}
+
+function appendRecord(record) {
+  ensureDir();
+  try {
+    appendFileSync(GATED_LEDGER_PATH, `${JSON.stringify(record)}\n`, { mode: 0o600 });
+    return true;
+  } catch { return false; }
+}
+
+function hash(text) {
+  return createHash('sha256').update(String(text)).digest('hex').slice(0, 16);
+}
+
+const GATE_LABEL_RX = /\b(?:personal_mouth_[a-z_]+\b|code_no_tests\b|code_fake_implementation\b|code_type_safety\b|ip_infrastructure\b|8lens_[a-z_]+\b|voice_cold_[a-z_]+\b|harness_output_gate_block\b|auto_fix:\s|personal_mouth_harness_[a-z_]+\b|personal_mouth_unsupported_[a-z_]+\b)/i;
+const COLLAPSE_RX = /I need to pause and reconsider\.?/i;
+const COMPLETION_CLAIM_RX = /\b(?:done|complete|completed|ready|verified|fixed|shipped|production-ready|passing|passed|all phases|all done)\b/i;
+const TEMPLATE_RX = /\b(?:Decision: use Owner Runtime kernels|Sequence: contract, Garden Service snapshot|Repair context loaded|Research context loaded|Action kernel engaged|I'm here with you\.\s*No fixing,\s*no task pressure)\b/i;
+const MINIMUM_CHARS = 50;
+
+/** Detect deterministic/templated kernel output */
+function isTemplateOutput(text, kernel) {
+  if (!text || text.length < MINIMUM_CHARS) return { isTemplate: true, reason: 'below_minimum_substance' };
+  if (TEMPLATE_RX.test(text)) return { isTemplate: true, reason: 'deterministic_kernel_template' };
+  return { isTemplate: false, reason: '' };
+}
+
+/** Check for completion claims without evidence */
+function hasUnsupportedClaim(text) {
+  if (!COMPLETION_CLAIM_RX.test(text)) return { claim: false, reasons: [] };
+  const reasons = [];
+  if (!/\b(?:exit\s*0|0\s+failures?|passed|status.*ok|200|verified|ledger_record|receiptId|sha256|test.*pass)\b/i.test(text)) {
+    reasons.push('completion_claim_without_measured_evidence');
+  }
+  if (!/<cognition>[\s\S]*?<\/cognition>/i.test(text) && !/<verify>[\s\S]*?<\/verify>/i.test(text)) {
+    reasons.push('completion_claim_without_cognition_or_verify');
+  }
+  return { claim: reasons.length > 0, reasons };
+}
+
+/** Check quality */
+function checkQuality(text) {
+  const reasons = [];
+  if (!text || text.length === 0) reasons.push('empty_output');
+  if (GATE_LABEL_RX.test(text)) reasons.push('gate_label_leak');
+  if (COLLAPSE_RX.test(text)) reasons.push('collapse_placeholder');
+  if (text.trim().length < MINIMUM_CHARS) reasons.push('below_minimum_chars');
+  return { passed: reasons.length === 0, reasons };
+}
+
+const SAFE_FALLBACKS = {
+  emotional_presence: "I'm here. Tell me what's with you right now.",
+  architect: "I need more context for a proper architecture answer.",
+  repair: "Let me trace the root cause. What's the specific error?",
+  action: "Action kernel requires confirmation. What would you like to execute?",
+  research: "Let me gather relevant information. What should I research?",
+  default: "Let me try again — that last response wasn't right.",
+};
+
+/**
+ * Enforce all gates on a kernel output.
+ * Returns the final safe text and the full enforcement record.
+ */
+export async function enforceGates(text, context = {}) {
+  const kernel = context.kernel || 'default';
+  const sessionId = context.sessionId || 'runtime';
+  const gateLog = [];
+  const startedAt = Date.now();
+  let current = text || '';
+  let enforced = false;
+  let allPassed = true;
+
+  // ── Gate 1: Template Detection ────────────────────────────────────
+  const templateCheck = isTemplateOutput(current, kernel);
+  gateLog.push({
+    gate: 'template',
+    passed: !templateCheck.isTemplate,
+    reason: templateCheck.reason,
+  });
+  if (templateCheck.isTemplate) {
+    enforced = true;
+    current = SAFE_FALLBACKS[kernel] || SAFE_FALLBACKS.default;
+    allPassed = false;
+  }
+
+  // ── Gate 2: Quality ───────────────────────────────────────────────
+  const quality = checkQuality(current);
+  gateLog.push({
+    gate: 'quality',
+    passed: quality.passed,
+    reasons: quality.reasons,
+  });
+  if (!quality.passed) {
+    enforced = true;
+    current = SAFE_FALLBACKS[kernel] || SAFE_FALLBACKS.default;
+    const requality = checkQuality(current);
+    if (!requality.passed) {
+      current = "I'm here. The pipeline needs attention. Let me recover.";
+    }
+    allPassed = false;
+  }
+
+  // ── Gate 3: Completion Claims ─────────────────────────────────────
+  const claimCheck = hasUnsupportedClaim(current);
+  gateLog.push({
+    gate: 'completion_claim',
+    passed: !claimCheck.claim,
+    reasons: claimCheck.reasons,
+  });
+  if (claimCheck.claim) {
+    enforced = true;
+    // Remove the claim language, keep the substance
+    current = current.replace(/\b(?:done|complete|completed|ready|verified|fixed|shipped|all phases|all done)\b/gi, 'in progress');
+    allPassed = false;
+  }
+
+  // ── Gate 4: Doctrine Trigger ──────────────────────────────────────
+  const doctrineHits = checkDoctrineTriggers(current, context);
+  gateLog.push({
+    gate: 'doctrine',
+    passed: doctrineHits.length === 0,
+    triggers: doctrineHits,
+  });
+
+  // ── Write Ledger Record ───────────────────────────────────────────
+  const record = {
+    recordId: randomUUID(),
+    sessionId,
+    kernel,
+    inputTextHash: hash(text),
+    finalTextHash: hash(current),
+    enforced,
+    allPassed,
+    gates: gateLog,
+    doctrineTriggers: doctrineHits,
+    durationMs: Date.now() - startedAt,
+    at: new Date().toISOString(),
+  };
+  appendRecord(record);
+
+  return {
+    finalText: current,
+    enforced,
+    allPassed,
+    gates: gateLog,
+    doctrineTriggers: doctrineHits,
+    record,
+  };
+}
+
+/** Load the doctrine trigger map and check text against it */
+function checkDoctrineTriggers(text, context) {
+  const triggers = [];
+  let map = null;
+  try {
+    if (existsSync(DOCTRINE_TRIGGER_MAP_PATH)) {
+      map = JSON.parse(readFileSync(DOCTRINE_TRIGGER_MAP_PATH, 'utf8'));
+    }
+  } catch {}
+  if (!map || !Array.isArray(map.triggers)) return triggers;
+
+  for (const trigger of map.triggers) {
+    if (!trigger.pattern) continue;
+    try {
+      const rx = new RegExp(trigger.pattern, 'i');
+      if (rx.test(text)) {
+        triggers.push({
+          trigger: trigger.name || trigger.pattern,
+          doctrine: trigger.doctrine || trigger.name,
+          severity: trigger.severity || 'warning',
+          action: trigger.action || 'log',
+        });
+      }
+    } catch {}
+  }
+  return triggers;
+}
+
+/**
+ * Fast inline enforcement — use in streamConversation or any
+ * point where a text is about to reach the user surface.
+ */
+export function enforceFast(text, kernel = 'default') {
+  if (!text || text.length === 0) return SAFE_FALLBACKS[kernel] || SAFE_FALLBACKS.default;
+  if (GATE_LABEL_RX.test(text)) return SAFE_FALLBACKS[kernel] || SAFE_FALLBACKS.default;
+  if (COLLAPSE_RX.test(text)) return SAFE_FALLBACKS[kernel] || SAFE_FALLBACKS.default;
+  if (TEMPLATE_RX.test(text)) return SAFE_FALLBACKS[kernel] || SAFE_FALLBACKS.default;
+  return text;
+}
+
+/**
+ * Read the gated ledger for monitoring/debugging.
+ */
+export function readGatedLedger(limit = 50) {
+  ensureDir();
+  try {
+    if (!existsSync(GATED_LEDGER_PATH)) return [];
+    const lines = readFileSync(GATED_LEDGER_PATH, 'utf8').trim().split('\n').filter(Boolean);
+    return lines.slice(-limit).map((line) => {
+      try { return JSON.parse(line); } catch { return null; }
+    }).filter(Boolean);
+  } catch {
+    return [];
+  }
+}

package/dist/runtime/hooks/aria-pre-tool-gate.mjs

@@ -1068,6 +1068,59 @@ if (emergencyGateOff.off) {
 
 const toolName = event.tool_name ?? event.toolName ?? '';
 const toolInput = event.tool_input ?? event.toolInput ?? {};
+
+// Coach Kernel routing — single source of truth, run before all hook-native checks.
+try {
+  const _coachUrl = `${HOME}/.aria/runtime/runtime.env`;
+  const _coachBase = existsSync(_coachUrl)
+    ? String(readFileSync(_coachUrl, 'utf8')).match(/ARIA_RUNTIME_URL=(http:\/\/[^ \n]+)/)?.[1] || 'http://127.0.0.1:4319'
+    : 'http://127.0.0.1:4319';
+  const _coachToken = (() => {
+    const tp = `${HOME}/.aria/owner-token`;
+    if (existsSync(tp)) return readFileSync(tp, 'utf8').trim();
+    const lp = `${HOME}/.aria/license.json`;
+    if (existsSync(lp)) {
+      try { const lt = JSON.parse(readFileSync(lp, 'utf8')); return lt.token || lt.harnessToken || ''; } catch { return ''; }
+    }
+    return process.env.ARIA_API_KEY || process.env.ARIA_MASTER_TOKEN || '';
+  })();
+  const _coachHeaders = { 'Content-Type': 'application/json' };
+  if (_coachToken) _coachHeaders.Authorization = `Bearer ${_coachToken}`;
+  const _cmd = String(toolInput?.command || '');
+  const _coachPayload = {
+    phase: 'pre_tool',
+    requestId: `claude-pre-tool:${Date.now()}`,
+    sessionId: String(toolInput?.session_id || process.env.HOOK_SESSION_ID || 'claude-unknown').slice(0, 80),
+    surface: 'claude-hooks',
+    lane: 'claude_native_hooks',
+    action: (() => {
+      const t = _cmd.toLowerCase();
+      if (/\b(?:kubectl\s+(?:apply|set|rollout|delete|create|replace|scale)|helm\s+(?:upgrade|install|uninstall)|terraform\s+(?:apply|destroy)|docker\s+(?:push|build\s+.*--push)|deploy)\b/i.test(t)) return 'deploy';
+      if (/\b(?:rm\s+-[rRfF]+\S*|sudo\s+|systemctl\s+(?:stop|disable|mask|kill)|kill\s+-[9K]|pkill\s+-[9K]|chmod\s+777|git\s+(?:push\s+--force|reset\s+--hard)|docker\s+rm\s+-f)\b/i.test(t)) return 'delete';
+      return '';
+    })(),
+    target: JSON.stringify(toolInput).slice(0, 2000),
+    text: _cmd.slice(0, 1000),
+    metadata: { source: 'claude-pre-tool-gate', toolName },
+  };
+  const _coachResp = await fetch(`${_coachBase}/coach/phase`, {
+    method: 'POST', headers: _coachHeaders, body: JSON.stringify(_coachPayload),
+    signal: AbortSignal.timeout(2000),
+  });
+  if (_coachResp.ok) {
+    const _coachBody = await _coachResp.json();
+    if (_coachBody?.permitted === false && _coachBody?.decision === 'hard_block') {
+      audit('block-coach-authoritative', `reasons=${(_coachBody.reasons||[]).join(',')}`);
+      console.log(JSON.stringify({
+        decision: 'block',
+        reason: ['Aria Coach blocked this action before execution.', '', `Reason: ${(_coachBody.reasons||['coach_policy']).slice(0,3).join('; ')}`, '', _coachBody.clientMessage || 'Remove the high-risk condition and retry.'].join('\n'),
+        hookSpecificOutput: { hookEventName: 'PreToolUse', coach_decision: _coachBody.decision, coach_reasons: _coachBody.reasons },
+      }));
+      process.exit(2);
+    }
+  }
+} catch { /* Coach unreachable — fall through to hook-native checks */ }
+
 const transcriptPath = event.transcript_path ?? event.transcriptPath;
 
 // Gate every action tool — every tool that mutates state must go through

package/dist/runtime/hooks/aria-pre-tool-use.mjs

@@ -0,0 +1,75 @@
+#!/usr/bin/env node
+import {
+  getHarnessClient,
+  inferSessionId,
+  classifyAction,
+  summarizeTarget,
+  readEventFromStdin,
+  loadTurnState,
+  makeEvidenceRef,
+  recordCoachPhase,
+  saveTurnState,
+  formatCodexRecoveryBlock,
+  emitJson,
+} from './lib/runtime-client.mjs';
+
+const event = readEventFromStdin();
+const sessionId = inferSessionId(event);
+const action = classifyAction(event);
+const target = summarizeTarget(event);
+const state = loadTurnState(sessionId);
+
+try {
+  if (!state?.preReceiptId && !state?.userText) {
+    emitJson({
+      decision: 'block',
+      reason: formatCodexRecoveryBlock({
+        surface: 'codex-pre-tool',
+        reason: 'this turn has no pre-turn Mizan receipt',
+        next: '6. Re-submit the prompt so cognition is established before tool use, then request the tool again.',
+      }),
+    });
+  }
+  const toolName = String(event?.tool_name || event?.toolName || '').trim() || null;
+  const requestRef = makeEvidenceRef('codex_tool_request', { action, toolName, target }, { sessionId });
+  const coach = await recordCoachPhase('pre_tool', {
+    requestId: state?.traceId || sessionId,
+    sessionId,
+    text: target,
+    action,
+    target,
+    evidenceRefs: [requestRef],
+    metadata: { source: 'codex-pre-tool-hook', toolName, requireVerify: action === 'deploy' || action === 'delete' },
+  });
+  if (coach?.permitted === false) {
+    emitJson({
+      decision: 'block',
+      reason: formatCodexRecoveryBlock({
+        surface: 'codex-pre-tool-coach',
+        reason: coach.clientMessage || 'Coach Kernel denied ' + action,
+        next: '6. Add the required evidence/cognition contract, then request the tool again.',
+      }),
+    });
+  }
+  const tools = Array.isArray(state?.tools) ? state.tools.slice(-24) : [];
+  tools.push({
+    at: new Date().toISOString(),
+    action,
+    toolName,
+    target,
+    evidenceRef: makeEvidenceRef('tool_request', { action, toolName, target }, { sessionId }),
+  });
+  saveTurnState(sessionId, {
+    tools,
+    lastEvent: 'PreToolUse',
+  });
+  process.exit(0);
+} catch (error) {
+  emitJson({
+    decision: 'block',
+    reason: formatCodexRecoveryBlock({
+      surface: 'codex-pre-tool-hook',
+      reason: error instanceof Error ? error.message : String(error),
+    }),
+  });
+}

package/dist/runtime/hooks/lib/first-class-coach.mjs

@@ -243,10 +243,10 @@ function summarizeRuntimeToolTarget(event = {}) {
 
 function inferRuntimeAction(event = {}, phase = '') {
   const haystack = `${phase}\n${summarizeRuntimeToolTarget(event)}\n${stableJson(event).slice(0, 6000)}`;
-  if (/\b(?:kubectl\s+(?:apply|set|rollout|delete)|helm\s+upgrade|terraform\s+apply|docker\s+push|deploy)\b/i.test(haystack)) return 'deploy';
-  if (/\b(?:rm\s+-[rRfF]+|delete|drop\s+(?:table|database|schema)|git\s+reset\s+--hard)\b/i.test(haystack)) return 'delete';
+  if (/\b(?:kubectl\s+(?:apply|set|rollout|delete|create|replace|scale)|helm\s+(?:upgrade|install|uninstall)|terraform\s+(?:apply|destroy)|docker\s+(?:push|build\s+.*--push)|deploy)\b/i.test(haystack)) return 'deploy';
+  if (/\b(?:rm\s+-[rRfF]+\S*|drop\s+(?:table|database|schema|collection|index)|git\s+(?:reset\s+--hard|push\s+--force|push\s+--delete)|sudo\s+|systemctl\s+(?:stop|disable|mask|kill)|kill\s+-[9K]|pkill\s+-[9K]|chmod\s+777|docker\s+rm\s+-f)\b/i.test(haystack)) return 'delete';
+  if (/\b(?:--no-verify|--no-gpg-sign)\b/i.test(haystack)) return 'delete';
   if (phase === 'stop' || phase === 'pre_emit') return 'release';
-  if (phase === 'pre_tool' || phase === 'post_tool') return 'write';
   return '';
 }
 

package/dist/runtime/manifest.json

@@ -1,5 +1,5 @@
 {
-  "bundledAt": "2026-05-04T03:02:47.930Z",
+  "bundledAt": "2026-05-04T05:01:08.186Z",
   "sdkFiles": 12,
   "runtimeTemplate": "/home/hamzaibrahim1/rei-ai-brain/packages/aria-connector/runtime-src",
   "gateRuntimeSource": "/home/hamzaibrahim1/rei-ai-brain/packages/aria-gate-runtime/dist",