@aria_asi/cli 0.2.37 → 0.2.39

package/runtime-src/service.mjs

@@ -42,8 +42,11 @@ import {
   formatCoachClientBlock,
   readCoachState,
   recordCoachPhase,
+  triggerMissingSkills,
 } from './coach-kernel.mjs';
 import { resolveAriaAuthToken } from './auth-token.mjs';
+import { check, enforceWithRecovery as enforceQualityWithRecovery } from './quality-enforcer.mjs';
+import { enforceGates } from './gated-ledger.mjs';
 
 const require = createRequire(import.meta.url);
 const { runFullChain } = require('./vendor/aria-gate-runtime/index.js');
@@ -3726,6 +3729,15 @@ async function evaluateProviderCandidate(req, body, client, apiKey, turn, provid
   };
 }
 
+function deriveEffectiveKernel(turn, body) {
+  const msg = body?.message || body?.prompt || body?.input || '';
+  if (turn?.turnClass === 'repair' || /repair|fix|debug|broken|bug|error|failing|crash|recover/i.test(msg)) return 'repair';
+  if (turn?.turnClass === 'architect' || /architecture|design|system|pipeline|tradeoff|ADR/i.test(msg)) return 'architect';
+  if (turn?.turnClass === 'action' || /deploy|execute|run|build|ship|rollout|restart|push/i.test(msg)) return 'action';
+  if (turn?.turnClass === 'research' || /research|search|find|recall|retrieve|look.up|investigate/i.test(msg)) return 'research';
+  return 'emotional_presence';
+}
+
 async function handleProviderProxy(req, body, client, providerStyle, options = {}) {
   const apiKey = resolveApiKey(req, body, options);
   const startedAt = Date.now();
@@ -3819,6 +3831,44 @@ async function handleProviderProxy(req, body, client, providerStyle, options = {
     ],
   });
   coachRecords.push(preGenerationCoach);
+  // ── Coach auto-trigger: load missing skills instead of blocking ──
+  if (preGenerationCoach.decision === 'auto_trigger_skills' && turn.missingSkillIds?.length > 0) {
+    const skillResult = await triggerMissingSkills(
+      turn.missingSkillIds,
+      SKILL_SEARCH_ROOTS,
+    );
+    const loadedCoach = recordRuntimeCoachPhase({
+      phase: 'pre_generation',
+      body,
+      turn: { ...turn, loadedSkillIds: [...(turn.loadedSkillIds || []), ...skillResult.loaded], missingSkillIds: skillResult.stillMissing },
+      providerStyle,
+      providerPlan,
+      text: turn.userMessage,
+      evidenceRefs: [`skills_loaded:${skillResult.loaded.length}`, `skills_still_missing:${skillResult.stillMissing.length}`],
+      metadata: { autoLoadedSkills: skillResult.loaded },
+    });
+    coachRecords.push(loadedCoach);
+    if (loadedCoach.decision === 'hard_block') {
+      const refusal = formatCoachClientBlock(loadedCoach);
+      const autoBlockRecord = appendManagedRuntimeLedger(buildManagedRuntimeLedgerRecord({
+        phase: 'pre_generation_skills_block',
+        body, turn, providerStyle, providerPlan,
+        releaseDecision: 'hard_block',
+        blockers: loadedCoach.reasons,
+        evidenceRefs: coachRecordRefs(coachRecords),
+      }));
+      ledgerRecords.push({ phase: 'pre_generation_skills_block', ...autoBlockRecord });
+      return providerStyle === 'anthropic'
+        ? anthropicResponseEnvelope(refusal, { model: body.model || 'aria-runtime', finishReason: 'end_turn' }, {}, body?.ariaDebug === true)
+        : openAiResponseEnvelope(body, refusal, { model: body.model || 'aria-runtime', finishReason: 'stop', usage: null }, {});
+    }
+    // Skills loaded — update turn for the rest of the pipeline
+    turn.loadedSkillIds = [...(turn.loadedSkillIds || []), ...skillResult.loaded];
+    turn.missingSkillIds = skillResult.stillMissing;
+    if (skillResult.loadedBodies.length > 0) {
+      turn.skillBodies = [...(turn.skillBodies || []), ...skillResult.loadedBodies.map((s) => s.body)];
+    }
+  }
   if (preGenerationCoach.decision === 'hard_block') {
     const refusal = formatCoachClientBlock(preGenerationCoach);
     const preBlockRecord = appendManagedRuntimeLedger(buildManagedRuntimeLedgerRecord({
@@ -3877,6 +3927,17 @@ async function handleProviderProxy(req, body, client, providerStyle, options = {
     ledgerRecords.push({ phase: 'provider_call_failed', ...failureRecord });
     throw error;
   }
+
+  const providerQualityResult = await enforceQualityWithRecovery(
+    providerMeta.text || '',
+    deriveEffectiveKernel(turn, body),
+    { sessionId: turn.sessionId || body.sessionId },
+  );
+  if (providerQualityResult.enforced) {
+    providerMeta.text = providerQualityResult.finalText;
+    providerMeta.qualityEnforced = true;
+  }
+
   recordProviderUsage(body, turn, providerMeta);
   let hardCoachBlock = null;
   let evaluation = await evaluateProviderCandidate(req, body, client, apiKey, turn, providerStyle, providerMeta, providerMeta.text || '');
@@ -4125,11 +4186,55 @@ async function handleProviderProxy(req, body, client, providerStyle, options = {
       records: coachRecords,
     },
   };
+  const finalQualityResult = await enforceQualityWithRecovery(
+    finalText,
+    deriveEffectiveKernel(turn, body),
+    { sessionId: turn.sessionId || body.sessionId },
+  );
+  if (finalQualityResult.enforced) {
+    finalText = finalQualityResult.finalText;
+  }
+
+  // ── Gated Ledger: final enforcement before release ──
+  const gated = await enforceGates(finalText, {
+    kernel: deriveEffectiveKernel(turn, body),
+    sessionId: turn.sessionId || body.sessionId,
+  });
+  if (gated.enforced) {
+    extra.gatedLedger = {
+      enforced: true,
+      gates: gated.gates,
+      doctrineTriggers: gated.doctrineTriggers,
+      recordId: gated.record.recordId,
+    };
+  }
+  finalText = gated.finalText;
+
   return providerStyle === 'anthropic'
     ? anthropicResponseEnvelope(finalText, providerMeta, extra, body?.ariaDebug === true)
     : openAiResponseEnvelope(body, finalText, providerMeta, extra);
 }
 
+function extractProviderResponseText(response) {
+  if (!response || typeof response !== 'object') return null;
+  const choices = response.choices;
+  if (Array.isArray(choices) && choices.length > 0) {
+    const content = choices[0]?.message?.content;
+    return typeof content === 'string' ? content : null;
+  }
+  return null;
+}
+
+function extractAnthropicResponseText(response) {
+  if (!response || typeof response !== 'object') return null;
+  const content = response.content;
+  if (Array.isArray(content)) {
+    return content.map(c => (c && c.text ? c.text : '')).join(' ').trim() || null;
+  }
+  if (typeof content === 'string') return content;
+  return null;
+}
+
 async function handleForgeSynthesis(req, body, client) {
   const apiKey = resolveApiKey(req, body);
   const startedAt = Date.now();
@@ -5338,6 +5443,13 @@ async function handleRoute(req, res) {
 
     if (providerPath === '/v1/chat/completions') {
       const response = await handleProviderProxy(req, body, client, 'openai', ariaAuthOptions);
+      const responseText = extractProviderResponseText(response);
+      if (responseText) {
+        const qScan = check(responseText);
+        if (!qScan.allowed) {
+          console.warn(`[quality-enforcer] Gate labels detected in OpenAI response after handleProviderProxy. ${qScan.reasons.join(', ')}`);
+        }
+      }
       return json(res, 200, response);
     }
 
@@ -5349,6 +5461,13 @@ async function handleRoute(req, res) {
 
     if (providerPath === '/v1/messages') {
       const response = await handleProviderProxy(req, body, client, 'anthropic', ariaAuthOptions);
+      const responseText = extractAnthropicResponseText(response);
+      if (responseText) {
+        const qScan = check(responseText);
+        if (!qScan.allowed) {
+          console.warn(`[quality-enforcer] Gate labels detected in Anthropic response after handleProviderProxy. ${qScan.reasons.join(', ')}`);
+        }
+      }
       return json(res, 200, response);
     }
 

package/scripts/install-client.sh

@@ -159,8 +159,38 @@ case "${SOURCE}" in
     ;;
 esac
 
-aria login "${TOKEN}"
-aria connect --force
+resolve_aria_bin() {
+  if command -v aria >/dev/null 2>&1; then
+    echo "aria"
+    return 0
+  fi
+  local npm_prefix
+  npm_prefix="$(npm config get prefix 2>/dev/null || echo '')"
+  local candidate="${npm_prefix}/bin/aria"
+  if [[ -n "${npm_prefix}" && -x "${candidate}" ]]; then
+    echo "${candidate}"
+    return 0
+  fi
+  candidate="${HOME}/.npm-global/bin/aria"
+  if [[ -x "${candidate}" ]]; then
+    echo "${candidate}"
+    return 0
+  fi
+  return 1
+}
+
+ARIA_BIN="$(resolve_aria_bin)" || true
+if [[ -z "${ARIA_BIN}" ]]; then
+  echo "I couldn't find the aria binary after install." >&2
+  echo "Restart your shell (exec \$SHELL -l) and run: aria login ${TOKEN}" >&2
+else
+  "${ARIA_BIN}" login "${TOKEN}"
+  if "${ARIA_BIN}" connect --force 2>&1 | grep -qi 'server\|unreachable\|backend\|unavailable'; then
+    echo ""
+    echo "Aria Soul backend is unreachable — running local-only connect."
+    "${ARIA_BIN}" connect --local
+  fi
+fi
 prompt_github_connect
 
 cat <<'EOF'

package/src/auth.ts

@@ -1,6 +1,6 @@
 import { readFile, writeFile, mkdir } from 'node:fs/promises';
 import { createHash } from 'node:crypto';
-import { homedir } from 'node:os';
+import { homedir, hostname } from 'node:os';
 import { join, dirname } from 'node:path';
 import type { AuthConfig } from './types.js';
 
@@ -127,6 +127,30 @@ export async function saveLicense(config: AuthConfig): Promise<void> {
   });
 }
 
+export async function generateLocalLicense(): Promise<AuthConfig> {
+  const existing = await loadLicense();
+  if (existing?.token && existing?.sub) return existing;
+  const now = new Date();
+  const localToken = `local_${createHash('sha256').update(`${now.toISOString()}-${process.pid || 0}-${Math.random()}`).digest('hex').slice(0, 32)}`;
+  const ownerToken = `aria_${createHash('sha256').update(localToken).digest('hex').slice(0, 24)}`;
+  const license: AuthConfig = {
+    sub: `local-${createHash('sha256').update(hostname()).digest('hex').slice(0, 12)}`,
+    token: localToken,
+    harnessToken: ownerToken,
+    jti: `local-${Date.now()}`,
+    iat: Math.floor(now.getTime() / 1000),
+    iss: 'aria-local-runtime',
+    licenseVersion: 1,
+    features: { offline: true, localRuntime: true, coachGovernance: true },
+  };
+  await saveLicense(license);
+  try {
+    await mkdir(dirname(OWNER_TOKEN_PATH), { recursive: true, mode: 0o700 });
+    await writeFile(OWNER_TOKEN_PATH, ownerToken + '\n', { mode: 0o600, encoding: 'utf-8' });
+  } catch {}
+  return license;
+}
+
 export async function resolveHarnessToken(
   options: ResolveHarnessTokenOptions = {},
 ): Promise<ResolvedHarnessToken> {

package/src/connectors/codex.ts

@@ -525,7 +525,6 @@ try {
 function buildCodexPreToolHook(): string {
   return `#!/usr/bin/env node
 import {
-  getHarnessClient,
   inferSessionId,
   classifyAction,
   summarizeTarget,
@@ -534,14 +533,11 @@ import {
   makeEvidenceRef,
   recordCoachPhase,
   saveTurnState,
-  runGovernanceGate,
-  updateTaskProjectLedger,
   formatCodexRecoveryBlock,
   emitJson,
 } from './lib/runtime-client.mjs';
 
 const event = readEventFromStdin();
-const client = getHarnessClient();
 const sessionId = inferSessionId(event);
 const action = classifyAction(event);
 const target = summarizeTarget(event);
@@ -579,35 +575,6 @@ try {
       }),
     });
   }
-  const actionCheck = await client.checkAction(action, target);
-  if (actionCheck?.allowed === false) {
-    emitJson({
-      decision: 'block',
-      reason: formatCodexRecoveryBlock({
-        surface: 'codex-pre-tool-action',
-        reason: actionCheck?.reason || \`Aria denied \${action}\`,
-        next: '6. Add the required verification/cognition contract for the action, then request the tool again.',
-      }),
-    });
-  }
-  updateTaskProjectLedger({
-    platform: 'codex',
-    phase: 'pre_tool',
-    source: 'codex-pre-tool-hook',
-    event: { ...event, sessionId, cwd: process.cwd() },
-    evidence: { action_ref: requestRef },
-  });
-  runGovernanceGate({
-    sessionId,
-    sourceRuntime: 'codex',
-    surface: 'codex-pre-tool-use',
-    text: JSON.stringify(event).slice(0, 8000),
-    action,
-    toolName,
-    isDeploy: action === 'deploy',
-    isMutation: action === 'write' || action === 'delete',
-    evidence: requestRef,
-  });
   const tools = Array.isArray(state?.tools) ? state.tools.slice(-24) : [];
   tools.push({
     at: new Date().toISOString(),
@@ -712,7 +679,6 @@ import {
   formatValidationFailure,
   formatCodexRecoveryBlock,
   isAriaControlBlock,
-  runGovernanceGate,
   updateTaskProjectLedger,
   evaluateTaskProjectClaim,
   recordBlockedTaskProjectClaim,
@@ -777,14 +743,6 @@ try {
       }),
     });
   }
-  runGovernanceGate({
-    sessionId,
-    sourceRuntime: 'codex',
-    surface: 'codex-stop',
-    text: text.slice(0, 8000),
-    isOutputCloseout: true,
-    evidence: outputRef,
-  });
   const validation = await runtimePost('/validate-output', {
     text,
     sessionId,

package/src/setup-wizard.ts

@@ -113,7 +113,17 @@ export async function runSetupWizard(): Promise<void> {
 
       const resp = await callConverse({ sessionId, action, userMessage });
       if (!resp.ok) {
-        console.error(`\n❌ Onboarding error: ${resp.error || 'unknown'}`);
+        const errMsg = resp.error || 'unknown';
+        console.error(`\n⚠  Aria Soul backend is unreachable: ${errMsg}`);
+        console.log('\nYou can continue with local-only mode.');
+        console.log('Local mode gives you Coach governance, hooks, and runtime.');
+        console.log('Full features (hive sync, garden memory) activate when the server is reachable.\n');
+        const useLocal = await ask('Continue with local-only setup? [Y/n]: ');
+        if (useLocal.toLowerCase().startsWith('n')) {
+          console.log('\nRun `aria` again when the server is available, or use `aria login <token>`.\n');
+          return;
+        }
+        await runLocalOnlySetup(ask);
         return;
       }
 
@@ -345,6 +355,38 @@ async function applyConfigWrites(writes: ConfigWrite[]): Promise<void> {
   }
 }
 
+async function runLocalOnlySetup(ask: (q: string) => Promise<string>): Promise<void> {
+  const { generateLocalLicense } = await import('./auth.js');
+  const { connectClaudeCode } = await import('./connectors/claude-code.js');
+  const { connectCodex } = await import('./connectors/codex.js');
+  const { installSharedRuntime } = await import('./connectors/runtime.js');
+  const provider = (await ask('LLM provider (openai/anthropic/deepseek/xai/google/openrouter): ')).trim().toLowerCase() || 'openai';
+  const apiKey = await ask(`${provider} API key: `);
+  const license = await generateLocalLicense();
+  console.log(`\n  Local license generated (${license.sub}).`);
+  const config = loadConfig();
+  const validProvider = (['openai', 'anthropic', 'deepseek', 'xai', 'google', 'openrouter', 'ollama'] as const).find(
+    (p) => provider === p,
+  ) || 'openai';
+  config.model = {
+    provider: validProvider,
+    model: defaultModelForProvider(validProvider),
+    apiKey,
+  };
+  const { saveConfig: sc } = await import('./config.js');
+  sc(config as Parameters<typeof sc>[0]);
+  console.log('  Installing runtime and hooks...');
+  const logs = [
+    ...(await installSharedRuntime()),
+    ...(await connectClaudeCode(config, { force: true })),
+    ...(await connectCodex(config)),
+  ];
+  for (const line of logs) console.log(`     ${line}`);
+  console.log('\n✅ Local setup complete.');
+  console.log('   Your CLIs are wired with Coach governance.');
+  console.log('   Run `aria login <token>` when the server becomes available for full features.\n');
+}
+
 function defaultModelForProvider(provider: string): string {
   const defaults: Record<string, string> = {
     anthropic: 'claude-sonnet-4-20250514',

package/src/types.ts

@@ -9,8 +9,14 @@ export interface AuthConfig {
   token?: string;
   /** License JWT identifier */
   jti?: string;
+  /** License issuer */
+  iss?: string;
   /** License tier (e.g. 'standard', 'pro') */
   tier?: string;
+  /** License version */
+  licenseVersion?: number;
+  /** License features map */
+  features?: Record<string, boolean>;
   /** License expiry unix timestamp */
   exp?: number;
   /** License issued-at unix timestamp */