@aria_asi/cli 0.2.38 → 0.2.40

package/runtime-src/quality-enforcer.mjs

@@ -0,0 +1,257 @@
+#!/usr/bin/env node
+/**
+ * Runtime Quality Enforcer — First-Class Doctrine Rails
+ *
+ * Hard-blocks any output that contains internal gate labels, placeholders,
+ * or collapse-text. No gate label ever reaches a user surface again.
+ *
+ * Invariants:
+ *  1. HARD regex blocks — catch-all for any internal machinery leaking
+ *  2. Minimum substance check — no empty/trivial responses
+ *  3. Recovery contract — blocked → rewrite prompt → retry (max 2) → safe fallback
+ *  4. Coach kernel notified of every violation for pattern learning
+ *  5. Quality violation ledger records every enforcement action
+ *  6. Safe fallbacks guaranteed per kernel — deterministic, never empty
+ */
+
+import { createHash, randomUUID } from 'node:crypto';
+import { appendFileSync, existsSync, mkdirSync } from 'node:fs';
+import { homedir } from 'node:os';
+import { join } from 'node:path';
+
+// ── Paths ──────────────────────────────────────────────────────────────────
+
+const HOME = homedir();
+const STATE_DIR = join(HOME, '.aria', 'runtime', 'state');
+const QUALITY_LEDGER_PATH = join(STATE_DIR, 'quality-violations.jsonl');
+const COACH_STATE_PATH = join(STATE_DIR, 'coach-state.json');
+
+// ── Hard Doctrine Rails ────────────────────────────────────────────────────
+
+const HARD_BLOCK_PATTERNS = [
+  { pattern: /\bpersonal_mouth_[a-z_]+\b/i,          label: 'gate_label:personal_mouth' },
+  { pattern: /\bcode_no_tests\b/i,                   label: 'gate_label:code_no_tests' },
+  { pattern: /\bcode_fake_implementation\b/i,          label: 'gate_label:fake_impl' },
+  { pattern: /\bcode_type_safety\b/i,                 label: 'gate_label:type_safety' },
+  { pattern: /\bip_infrastructure\b/i,                label: 'gate_label:ip_leak' },
+  { pattern: /\b8lens_[a-z_]+\b/i,                    label: 'gate_label:8lens' },
+  { pattern: /\bvoice_cold_[a-z_]+\b/i,               label: 'gate_label:voice_cold' },
+  { pattern: /\bharness_output_gate_block\b/i,        label: 'gate_label:output_block' },
+  { pattern: /\bauto_fix:\s/i,                        label: 'gate_label:auto_fix' },
+  { pattern: /I need to pause and reconsider\.?/i,    label: 'gate_label:collapse_placeholder' },
+  { pattern: /\bpersonal_mouth_harness_shallow_[a-z_]+\b/i, label: 'gate_label:shallow' },
+  { pattern: /\bpersonal_mouth_unsupported_internal_[a-z_]+\b/i, label: 'gate_label:internal_claim' },
+];
+
+const MINIMUM_CHARS = 40;
+
+const SAFE_FALLBACKS = {
+  emotional_presence: "I'm here. Tell me what's with you right now.",
+  architect: "I need more context to give a proper architecture answer. What specific system or decision are you working on?",
+  repair: "I can see the issue — let me trace the root cause. Can you share the specific error or surface that's broken?",
+  action: "Action kernel received — confirmation required before proceeding. What would you like to execute?",
+  research: "Let me gather the relevant information. What specific topic or question should I research?",
+  default: "Let me try again — that last response wasn't right. What were you asking about?",
+};
+
+// ── Violation Ledger ──────────────────────────────────────────────────────
+
+function ensureStateDir() {
+  if (!existsSync(STATE_DIR)) mkdirSync(STATE_DIR, { recursive: true, mode: 0o700 });
+}
+
+function logViolation(violation) {
+  ensureStateDir();
+  try {
+    appendFileSync(QUALITY_LEDGER_PATH, `${JSON.stringify(violation)}\n`, { encoding: 'utf8' });
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+function notifyCoach(violation) {
+  ensureStateDir();
+  try {
+    const event = {
+      at: new Date().toISOString(),
+      type: 'quality_violation',
+      violationId: violation.violationId,
+      kernel: violation.kernel,
+      violation: violation.violation,
+      textPreview: violation.textPreview,
+      recoveryAttempts: violation.recoveryAttempts,
+      finalOutcome: violation.finalOutcome,
+    };
+    if (existsSync(COACH_STATE_PATH)) {
+      // Append to coach state for offline learning
+      appendFileSync(COACH_STATE_PATH, `${JSON.stringify(event)}\n`, { encoding: 'utf8' });
+    }
+  } catch {
+    // Non-fatal — coach learning is best-effort
+  }
+}
+
+function violationHash(text) {
+  return createHash('sha256').update(String(text)).digest('hex').slice(0, 16);
+}
+
+// ── Core Enforcement ──────────────────────────────────────────────────────
+
+export function checkQuality(text) {
+  if (typeof text !== 'string' || text.length === 0) {
+    return { allowed: false, reasons: ['empty_output'] };
+  }
+
+  const reasons = [];
+  for (const { pattern, label } of HARD_BLOCK_PATTERNS) {
+    if (pattern.test(text)) {
+      reasons.push(label);
+    }
+  }
+
+  if (text.trim().length < MINIMUM_CHARS) {
+    reasons.push('below_minimum_chars');
+  }
+
+  return { allowed: reasons.length === 0, reasons };
+}
+
+export async function enforceQualityWithRecovery(
+  text,
+  kernel = 'default',
+  options = {},
+) {
+  const sessionId = options.sessionId || 'runtime';
+  const rewriteFn = options.rewriteFn || null;
+  const maxAttempts = Math.min(2, Math.max(0, Number(options.maxRecoveryAttempts || 2)));
+
+  const initial = checkQuality(text);
+  if (initial.allowed) {
+    return {
+      finalText: text,
+      enforced: false,
+      attempts: 0,
+      violations: [],
+      logged: false,
+    };
+  }
+
+  const violations = [...initial.reasons];
+  let currentText = text;
+  let attempts = 0;
+  let repaired = false;
+
+  // Recovery loop: ask the model to repair its own output
+  while (attempts < maxAttempts && rewriteFn && !repaired) {
+    attempts += 1;
+    try {
+      const repairedText = await rewriteFn(
+        `Your previous response was blocked by quality enforcement for these reasons: ${initial.reasons.join(', ')}. ` +
+        `Rewrite the answer to remove all internal labels, gate phrases, and placeholder text. ` +
+        `Original context: ${text.slice(0, 200)}`
+      );
+      const repairCheck = checkQuality(repairedText);
+      if (repairCheck.allowed) {
+        currentText = repairedText;
+        repaired = true;
+        break;
+      }
+      violations.push(...repairCheck.reasons);
+    } catch {
+      // Recovery attempt failed — continue to next attempt or fallback
+    }
+  }
+
+  // Safe fallback if all recovery attempts failed
+  const finalText = repaired
+    ? currentText
+    : (SAFE_FALLBACKS[kernel] || SAFE_FALLBACKS.default);
+
+  // Log the violation
+  const violation = {
+    violationId: randomUUID(),
+    sessionId,
+    kernel,
+    violations,
+    textPreview: String(text).slice(0, 200),
+    textHash: violationHash(text),
+    recoveryAttempts: attempts,
+    finalOutcome: repaired ? 'repaired' : 'safe_fallback',
+    at: new Date().toISOString(),
+  };
+
+  const logged = logViolation(violation);
+  notifyCoach(violation);
+
+  return {
+    finalText,
+    enforced: true,
+    attempts,
+    violations,
+    logged,
+  };
+}
+
+// ── Safe Mouth Proxy ──────────────────────────────────────────────────────
+
+/**
+ * Drop-in guard for mounted-runtime provider pipelines.
+ * Accepts a providerMeta text and guarantees the finalText is safe.
+ */
+export async function guardProviderOutput(providerMeta, kernel, sessionId) {
+  const result = await enforceQualityWithRecovery(
+    providerMeta.text,
+    kernel,
+    { sessionId },
+  );
+  return {
+    ...providerMeta,
+    text: result.finalText,
+    quality: {
+      enforced: result.enforced,
+      attempts: result.attempts,
+      violations: result.violations,
+      logged: result.logged,
+    },
+  };
+}
+
+// ── Coach Notification Bridge ─────────────────────────────────────────────
+
+/**
+ * Notifies the coach kernel of a new quality violation pattern.
+ * Called by the quality enforcer after every enforcement action.
+ */
+export function getCoachQualitySummary() {
+  ensureStateDir();
+  try {
+    if (!existsSync(QUALITY_LEDGER_PATH)) {
+      return { ok: true, violationCount: 0, recentPatterns: [] };
+    }
+    const lines = require('node:fs').readFileSync(QUALITY_LEDGER_PATH, 'utf8').trim().split('\n').filter(Boolean);
+    const violations = lines.map((line) => {
+      try { return JSON.parse(line); } catch { return null; }
+    }).filter(Boolean);
+
+    // Count by violation type
+    const byType = {};
+    for (const v of violations) {
+      for (const reason of (v.violations || [])) {
+        byType[reason] = (byType[reason] || 0) + 1;
+      }
+    }
+
+    return {
+      ok: true,
+      violationCount: violations.length,
+      recentPatterns: Object.entries(byType)
+        .sort(([, a], [, b]) => b - a)
+        .slice(0, 10)
+        .map(([pattern, count]) => ({ pattern, count })),
+      lastViolation: violations[violations.length - 1] || null,
+    };
+  } catch {
+    return { ok: false, violationCount: 0, recentPatterns: [] };
+  }
+}

package/runtime-src/service.mjs

@@ -42,8 +42,11 @@ import {
   formatCoachClientBlock,
   readCoachState,
   recordCoachPhase,
+  triggerMissingSkills,
 } from './coach-kernel.mjs';
 import { resolveAriaAuthToken } from './auth-token.mjs';
+import { check, enforceWithRecovery as enforceQualityWithRecovery } from './quality-enforcer.mjs';
+import { enforceGates } from './gated-ledger.mjs';
 
 const require = createRequire(import.meta.url);
 const { runFullChain } = require('./vendor/aria-gate-runtime/index.js');
@@ -3726,6 +3729,15 @@ async function evaluateProviderCandidate(req, body, client, apiKey, turn, provid
   };
 }
 
+function deriveEffectiveKernel(turn, body) {
+  const msg = body?.message || body?.prompt || body?.input || '';
+  if (turn?.turnClass === 'repair' || /repair|fix|debug|broken|bug|error|failing|crash|recover/i.test(msg)) return 'repair';
+  if (turn?.turnClass === 'architect' || /architecture|design|system|pipeline|tradeoff|ADR/i.test(msg)) return 'architect';
+  if (turn?.turnClass === 'action' || /deploy|execute|run|build|ship|rollout|restart|push/i.test(msg)) return 'action';
+  if (turn?.turnClass === 'research' || /research|search|find|recall|retrieve|look.up|investigate/i.test(msg)) return 'research';
+  return 'emotional_presence';
+}
+
 async function handleProviderProxy(req, body, client, providerStyle, options = {}) {
   const apiKey = resolveApiKey(req, body, options);
   const startedAt = Date.now();
@@ -3819,6 +3831,44 @@ async function handleProviderProxy(req, body, client, providerStyle, options = {
     ],
   });
   coachRecords.push(preGenerationCoach);
+  // ── Coach auto-trigger: load missing skills instead of blocking ──
+  if (preGenerationCoach.decision === 'auto_trigger_skills' && turn.missingSkillIds?.length > 0) {
+    const skillResult = await triggerMissingSkills(
+      turn.missingSkillIds,
+      SKILL_SEARCH_ROOTS,
+    );
+    const loadedCoach = recordRuntimeCoachPhase({
+      phase: 'pre_generation',
+      body,
+      turn: { ...turn, loadedSkillIds: [...(turn.loadedSkillIds || []), ...skillResult.loaded], missingSkillIds: skillResult.stillMissing },
+      providerStyle,
+      providerPlan,
+      text: turn.userMessage,
+      evidenceRefs: [`skills_loaded:${skillResult.loaded.length}`, `skills_still_missing:${skillResult.stillMissing.length}`],
+      metadata: { autoLoadedSkills: skillResult.loaded },
+    });
+    coachRecords.push(loadedCoach);
+    if (loadedCoach.decision === 'hard_block') {
+      const refusal = formatCoachClientBlock(loadedCoach);
+      const autoBlockRecord = appendManagedRuntimeLedger(buildManagedRuntimeLedgerRecord({
+        phase: 'pre_generation_skills_block',
+        body, turn, providerStyle, providerPlan,
+        releaseDecision: 'hard_block',
+        blockers: loadedCoach.reasons,
+        evidenceRefs: coachRecordRefs(coachRecords),
+      }));
+      ledgerRecords.push({ phase: 'pre_generation_skills_block', ...autoBlockRecord });
+      return providerStyle === 'anthropic'
+        ? anthropicResponseEnvelope(refusal, { model: body.model || 'aria-runtime', finishReason: 'end_turn' }, {}, body?.ariaDebug === true)
+        : openAiResponseEnvelope(body, refusal, { model: body.model || 'aria-runtime', finishReason: 'stop', usage: null }, {});
+    }
+    // Skills loaded — update turn for the rest of the pipeline
+    turn.loadedSkillIds = [...(turn.loadedSkillIds || []), ...skillResult.loaded];
+    turn.missingSkillIds = skillResult.stillMissing;
+    if (skillResult.loadedBodies.length > 0) {
+      turn.skillBodies = [...(turn.skillBodies || []), ...skillResult.loadedBodies.map((s) => s.body)];
+    }
+  }
   if (preGenerationCoach.decision === 'hard_block') {
     const refusal = formatCoachClientBlock(preGenerationCoach);
     const preBlockRecord = appendManagedRuntimeLedger(buildManagedRuntimeLedgerRecord({
@@ -3877,6 +3927,17 @@ async function handleProviderProxy(req, body, client, providerStyle, options = {
     ledgerRecords.push({ phase: 'provider_call_failed', ...failureRecord });
     throw error;
   }
+
+  const providerQualityResult = await enforceQualityWithRecovery(
+    providerMeta.text || '',
+    deriveEffectiveKernel(turn, body),
+    { sessionId: turn.sessionId || body.sessionId },
+  );
+  if (providerQualityResult.enforced) {
+    providerMeta.text = providerQualityResult.finalText;
+    providerMeta.qualityEnforced = true;
+  }
+
   recordProviderUsage(body, turn, providerMeta);
   let hardCoachBlock = null;
   let evaluation = await evaluateProviderCandidate(req, body, client, apiKey, turn, providerStyle, providerMeta, providerMeta.text || '');
@@ -4125,11 +4186,55 @@ async function handleProviderProxy(req, body, client, providerStyle, options = {
       records: coachRecords,
     },
   };
+  const finalQualityResult = await enforceQualityWithRecovery(
+    finalText,
+    deriveEffectiveKernel(turn, body),
+    { sessionId: turn.sessionId || body.sessionId },
+  );
+  if (finalQualityResult.enforced) {
+    finalText = finalQualityResult.finalText;
+  }
+
+  // ── Gated Ledger: final enforcement before release ──
+  const gated = await enforceGates(finalText, {
+    kernel: deriveEffectiveKernel(turn, body),
+    sessionId: turn.sessionId || body.sessionId,
+  });
+  if (gated.enforced) {
+    extra.gatedLedger = {
+      enforced: true,
+      gates: gated.gates,
+      doctrineTriggers: gated.doctrineTriggers,
+      recordId: gated.record.recordId,
+    };
+  }
+  finalText = gated.finalText;
+
   return providerStyle === 'anthropic'
     ? anthropicResponseEnvelope(finalText, providerMeta, extra, body?.ariaDebug === true)
     : openAiResponseEnvelope(body, finalText, providerMeta, extra);
 }
 
+function extractProviderResponseText(response) {
+  if (!response || typeof response !== 'object') return null;
+  const choices = response.choices;
+  if (Array.isArray(choices) && choices.length > 0) {
+    const content = choices[0]?.message?.content;
+    return typeof content === 'string' ? content : null;
+  }
+  return null;
+}
+
+function extractAnthropicResponseText(response) {
+  if (!response || typeof response !== 'object') return null;
+  const content = response.content;
+  if (Array.isArray(content)) {
+    return content.map(c => (c && c.text ? c.text : '')).join(' ').trim() || null;
+  }
+  if (typeof content === 'string') return content;
+  return null;
+}
+
 async function handleForgeSynthesis(req, body, client) {
   const apiKey = resolveApiKey(req, body);
   const startedAt = Date.now();
@@ -5338,6 +5443,13 @@ async function handleRoute(req, res) {
 
     if (providerPath === '/v1/chat/completions') {
       const response = await handleProviderProxy(req, body, client, 'openai', ariaAuthOptions);
+      const responseText = extractProviderResponseText(response);
+      if (responseText) {
+        const qScan = check(responseText);
+        if (!qScan.allowed) {
+          console.warn(`[quality-enforcer] Gate labels detected in OpenAI response after handleProviderProxy. ${qScan.reasons.join(', ')}`);
+        }
+      }
       return json(res, 200, response);
     }
 
@@ -5349,6 +5461,13 @@ async function handleRoute(req, res) {
 
     if (providerPath === '/v1/messages') {
       const response = await handleProviderProxy(req, body, client, 'anthropic', ariaAuthOptions);
+      const responseText = extractAnthropicResponseText(response);
+      if (responseText) {
+        const qScan = check(responseText);
+        if (!qScan.allowed) {
+          console.warn(`[quality-enforcer] Gate labels detected in Anthropic response after handleProviderProxy. ${qScan.reasons.join(', ')}`);
+        }
+      }
       return json(res, 200, response);
     }
 

package/scripts/install-client.sh

@@ -159,8 +159,38 @@ case "${SOURCE}" in
     ;;
 esac
 
-aria login "${TOKEN}"
-aria connect --force
+resolve_aria_bin() {
+  if command -v aria >/dev/null 2>&1; then
+    echo "aria"
+    return 0
+  fi
+  local npm_prefix
+  npm_prefix="$(npm config get prefix 2>/dev/null || echo '')"
+  local candidate="${npm_prefix}/bin/aria"
+  if [[ -n "${npm_prefix}" && -x "${candidate}" ]]; then
+    echo "${candidate}"
+    return 0
+  fi
+  candidate="${HOME}/.npm-global/bin/aria"
+  if [[ -x "${candidate}" ]]; then
+    echo "${candidate}"
+    return 0
+  fi
+  return 1
+}
+
+ARIA_BIN="$(resolve_aria_bin)" || true
+if [[ -z "${ARIA_BIN}" ]]; then
+  echo "I couldn't find the aria binary after install." >&2
+  echo "Restart your shell (exec \$SHELL -l) and run: aria login ${TOKEN}" >&2
+else
+  "${ARIA_BIN}" login "${TOKEN}"
+  if "${ARIA_BIN}" connect --force 2>&1 | grep -qi 'server\|unreachable\|backend\|unavailable'; then
+    echo ""
+    echo "Aria Soul backend is unreachable — running local-only connect."
+    "${ARIA_BIN}" connect --local
+  fi
+fi
 prompt_github_connect
 
 cat <<'EOF'

package/src/auth.ts

@@ -1,6 +1,6 @@
 import { readFile, writeFile, mkdir } from 'node:fs/promises';
 import { createHash } from 'node:crypto';
-import { homedir } from 'node:os';
+import { homedir, hostname } from 'node:os';
 import { join, dirname } from 'node:path';
 import type { AuthConfig } from './types.js';
 
@@ -127,6 +127,30 @@ export async function saveLicense(config: AuthConfig): Promise<void> {
   });
 }
 
+export async function generateLocalLicense(): Promise<AuthConfig> {
+  const existing = await loadLicense();
+  if (existing?.token && existing?.sub) return existing;
+  const now = new Date();
+  const localToken = `local_${createHash('sha256').update(`${now.toISOString()}-${process.pid || 0}-${Math.random()}`).digest('hex').slice(0, 32)}`;
+  const ownerToken = `aria_${createHash('sha256').update(localToken).digest('hex').slice(0, 24)}`;
+  const license: AuthConfig = {
+    sub: `local-${createHash('sha256').update(hostname()).digest('hex').slice(0, 12)}`,
+    token: localToken,
+    harnessToken: ownerToken,
+    jti: `local-${Date.now()}`,
+    iat: Math.floor(now.getTime() / 1000),
+    iss: 'aria-local-runtime',
+    licenseVersion: 1,
+    features: { offline: true, localRuntime: true, coachGovernance: true },
+  };
+  await saveLicense(license);
+  try {
+    await mkdir(dirname(OWNER_TOKEN_PATH), { recursive: true, mode: 0o700 });
+    await writeFile(OWNER_TOKEN_PATH, ownerToken + '\n', { mode: 0o600, encoding: 'utf-8' });
+  } catch {}
+  return license;
+}
+
 export async function resolveHarnessToken(
   options: ResolveHarnessTokenOptions = {},
 ): Promise<ResolvedHarnessToken> {

package/src/connectors/codex.ts

@@ -524,7 +524,7 @@ try {
 
 function buildCodexPreToolHook(): string {
   return `#!/usr/bin/env node
-import {
+  import {
   inferSessionId,
   classifyAction,
   summarizeTarget,
@@ -532,6 +532,7 @@ import {
   loadTurnState,
   makeEvidenceRef,
   recordCoachPhase,
+  runGovernanceGate,
   saveTurnState,
   formatCodexRecoveryBlock,
   emitJson,
@@ -575,6 +576,42 @@ try {
       }),
     });
   }
+  let gateEvidence = null;
+  try {
+    gateEvidence = runGovernanceGate({
+      sessionId,
+      sourceRuntime: 'codex',
+      surface: 'codex-pre-tool-use',
+      text: JSON.stringify(event).slice(0, 8000),
+      action,
+      toolName,
+      isDeploy: action === 'deploy',
+      isMutation: action === 'write' || action === 'delete',
+      evidence: requestRef,
+    });
+  } catch {}
+  if (gateEvidence) {
+    const gateRef = makeEvidenceRef('governance_gate', gateEvidence, { sessionId, action, toolName });
+    const gateCoach = await recordCoachPhase('pre_tool', {
+      requestId: state?.traceId || sessionId,
+      sessionId,
+      text: target,
+      action,
+      target,
+      evidenceRefs: [requestRef, gateRef],
+      metadata: { source: 'codex-pre-tool-hook', toolName, governanceGate: gateEvidence },
+    });
+    if (gateCoach?.permitted === false) {
+      emitJson({
+        decision: 'block',
+        reason: formatCodexRecoveryBlock({
+          surface: 'codex-pre-tool-gate-coach',
+          reason: gateCoach.clientMessage || 'Coach Kernel denied after governance gate signal.',
+          next: '6. Repair the condition flagged by the governance gate, then request the tool again.',
+        }),
+      });
+    }
+  }
   const tools = Array.isArray(state?.tools) ? state.tools.slice(-24) : [];
   tools.push({
     at: new Date().toISOString(),
@@ -679,6 +716,7 @@ import {
   formatValidationFailure,
   formatCodexRecoveryBlock,
   isAriaControlBlock,
+  runGovernanceGate,
   updateTaskProjectLedger,
   evaluateTaskProjectClaim,
   recordBlockedTaskProjectClaim,
@@ -722,6 +760,17 @@ try {
       }),
     });
   }
+  let gateEvidence = null;
+  try {
+    gateEvidence = runGovernanceGate({
+      sessionId,
+      sourceRuntime: 'codex',
+      surface: 'codex-stop',
+      text: text.slice(0, 8000),
+      isOutputCloseout: true,
+      evidence: outputRef,
+    });
+  } catch {}
   const ledgerClaim = evaluateTaskProjectClaim({ text, ledger: ledgerResult.ledger });
   if (!ledgerClaim.ok) {
     recordBlockedTaskProjectClaim({
@@ -763,8 +812,8 @@ try {
     text,
     validation: validation?.validation || null,
     layer3: validation?.layer3 || null,
-    evidenceRefs: [outputRef, makeEvidenceRef('runtime_validation', validation, { sessionId, traceId: state?.traceId || null })],
-    metadata: { source: 'codex-stop-hook', requireCognitionBlock: false, requireAppliedCognition: false },
+    evidenceRefs: [outputRef, makeEvidenceRef('runtime_validation', validation, { sessionId, traceId: state?.traceId || null }), ...(gateEvidence ? [makeEvidenceRef('governance_gate', gateEvidence, { sessionId })] : [])],
+    metadata: { source: 'codex-stop-hook', requireCognitionBlock: false, requireAppliedCognition: false, governanceGate: gateEvidence || null },
   });
   if (preOutputCoach?.permitted === false) {
     emitJson({

package/src/setup-wizard.ts

@@ -113,7 +113,17 @@ export async function runSetupWizard(): Promise<void> {
 
       const resp = await callConverse({ sessionId, action, userMessage });
       if (!resp.ok) {
-        console.error(`\n❌ Onboarding error: ${resp.error || 'unknown'}`);
+        const errMsg = resp.error || 'unknown';
+        console.error(`\n⚠  Aria Soul backend is unreachable: ${errMsg}`);
+        console.log('\nYou can continue with local-only mode.');
+        console.log('Local mode gives you Coach governance, hooks, and runtime.');
+        console.log('Full features (hive sync, garden memory) activate when the server is reachable.\n');
+        const useLocal = await ask('Continue with local-only setup? [Y/n]: ');
+        if (useLocal.toLowerCase().startsWith('n')) {
+          console.log('\nRun `aria` again when the server is available, or use `aria login <token>`.\n');
+          return;
+        }
+        await runLocalOnlySetup(ask);
         return;
       }
 
@@ -345,6 +355,38 @@ async function applyConfigWrites(writes: ConfigWrite[]): Promise<void> {
   }
 }
 
+async function runLocalOnlySetup(ask: (q: string) => Promise<string>): Promise<void> {
+  const { generateLocalLicense } = await import('./auth.js');
+  const { connectClaudeCode } = await import('./connectors/claude-code.js');
+  const { connectCodex } = await import('./connectors/codex.js');
+  const { installSharedRuntime } = await import('./connectors/runtime.js');
+  const provider = (await ask('LLM provider (openai/anthropic/deepseek/xai/google/openrouter): ')).trim().toLowerCase() || 'openai';
+  const apiKey = await ask(`${provider} API key: `);
+  const license = await generateLocalLicense();
+  console.log(`\n  Local license generated (${license.sub}).`);
+  const config = loadConfig();
+  const validProvider = (['openai', 'anthropic', 'deepseek', 'xai', 'google', 'openrouter', 'ollama'] as const).find(
+    (p) => provider === p,
+  ) || 'openai';
+  config.model = {
+    provider: validProvider,
+    model: defaultModelForProvider(validProvider),
+    apiKey,
+  };
+  const { saveConfig: sc } = await import('./config.js');
+  sc(config as Parameters<typeof sc>[0]);
+  console.log('  Installing runtime and hooks...');
+  const logs = [
+    ...(await installSharedRuntime()),
+    ...(await connectClaudeCode(config, { force: true })),
+    ...(await connectCodex(config)),
+  ];
+  for (const line of logs) console.log(`     ${line}`);
+  console.log('\n✅ Local setup complete.');
+  console.log('   Your CLIs are wired with Coach governance.');
+  console.log('   Run `aria login <token>` when the server becomes available for full features.\n');
+}
+
 function defaultModelForProvider(provider: string): string {
   const defaults: Record<string, string> = {
     anthropic: 'claude-sonnet-4-20250514',

package/src/types.ts

@@ -9,8 +9,14 @@ export interface AuthConfig {
   token?: string;
   /** License JWT identifier */
   jti?: string;
+  /** License issuer */
+  iss?: string;
   /** License tier (e.g. 'standard', 'pro') */
   tier?: string;
+  /** License version */
+  licenseVersion?: number;
+  /** License features map */
+  features?: Record<string, boolean>;
   /** License expiry unix timestamp */
   exp?: number;
   /** License issued-at unix timestamp */