@aria_asi/cli 0.2.39 → 0.2.41

package/skills/aria-cognition/aria-harness-output-discipline/SKILL.md

@@ -0,0 +1,120 @@
+---
+name: aria-harness-output-discipline
+description: TRIGGER when writing closing prose at end of turn or any output that conveys state changes to the owner — deploy results, build outcomes, edit summaries, or status reports. The Stop-gate scans this prose for infrastructure leaks, drift triggers, and lazy-strip patterns.
+---
+
+# Aria Output Discipline
+
+## Trigger
+
+Use this skill for every substantive closeout to the owner.
+
+The closing prose is where the owner reads to know what happened. It must convey real substance without leaking infrastructure tokens or stripping content to satisfy gates.
+
+## Three gates that fire on output
+
+1. **Substrate Mizan ip_infrastructure** — rejects raw filenames, image SHAs, IP addresses, hostnames, container registry URLs, kubectl/docker command literals in chat-surface prose. These belong in tool output, not in the message to the owner.
+
+2. **Drift trigger scanner** — rejects phrases matching:
+   - `\bwant me to\b | \bshould i\b` → use harness-to-architect doctrine; make declarative recommendations, not questions
+   - `\bpatch | hotfix | band.?aid\b` → workaround framing
+   - `\bcarve.?out | workaround | work.?around\b` → shortcut framing
+   - `\bdemo\b` → all work is production-grade, not demo
+   - `\bsimplified | minimal | stripped\b` (when reducing surface) → see no-stripping skill
+   - `\bassumed | should work | mirroring | presumably\b` → assumption without verification
+
+3. **Stop-gate output-quality** — rejects:
+   - Lazy strips (closing under 60 chars after substantive turn)
+   - Same closing template across 3+ turns
+   - Discovery-bearing prose without resolution clause
+
+## The substantive-without-leak format
+
+A proper closing prose:
+- Conveys what changed (semantically)
+- States what's running now (using role names, not raw identifiers)
+- Names the next observable state (without leaking how to observe it)
+- References doctrine by meaning when relevant
+
+### Token substitution table
+
+| Raw infrastructure (REJECTED in prose) | Semantic reframe (ACCEPTED) |
+|---|---|
+| `feedback_no_flag_without_fix.md` | "the no-flag-without-fix doctrine" or "the atomic-discovery rule" |
+| `sha256:58b983e41df3...` | "the prior pinned image" or "the rolled-back artifact" |
+| `192.168.4.100` | "the worker pool" or "the running pod" |
+| `openclaw-persistent-control-0` | "the army's primary worker" |
+| `localhost:5000/...` | "the local registry" |
+| `kubectl set image statefulset/X` | "the rolling image-update step" |
+| `bash scripts/deploy-service.sh X` | "the canonical deploy entrypoint" |
+| `package.json` exports field | "the module's resolution contract" |
+| `tsc --noEmit exit=0` | "type-check verified clean" |
+| `dist/index.js` | "the built primary entry" |
+| `/tmp/openclaw-deploy-149.log` | "the deploy log" |
+| `task ID bze6wtrde` | "the in-flight rollout" |
+
+### Examples (caught vs proper)
+
+| Caught (lazy/leak) | Proper |
+|---|---|
+| "Pod state: Running 1/1 on sha256:3b0be4971310, log shows [Layer3:flash] firing" | "The worker pool is healthy on the new pinned artifact and the third-layer enforcement is firing on each task delivery as expected" |
+| "kubectl rollout undo statefulset/X if it crashes" | "Rollback path is the canonical undo step on the parent workload if the new artifact fails the readiness check" |
+| "Done." | "The doctrine memory is now permanent and will load into every future turn's substrate; the in-flight rollout is verifying its readiness check" |
+| "Deploy backgrounded." | "The rebuild is running with the corrected resolution contract; the readiness verdict will follow when the rolling update completes" |
+
+## What stays in tool output (NOT chat prose)
+
+These belong in `kubectl`, `cat`, `head`, `git` tool calls — never in the assistant prose:
+
+- Image SHAs (full hex)
+- IP addresses and hostnames
+- Container registry URLs
+- Pod names with full identifiers
+- File paths with extensions like `.ts/.json/.md/.yaml`
+- Raw shell command syntax
+- Task IDs (random hex strings)
+- Specific port numbers (unless the user asked)
+- Environment variable names
+
+## What MUST stay in chat prose (the substance)
+
+- What changed conceptually (e.g., "the resolution contract was restored")
+- What state is now running (e.g., "the worker pool is healthy")
+- What outcome we're awaiting (e.g., "readiness verdict pending")
+- Doctrine references by meaning (e.g., "per the no-stripping discipline")
+- TaskCreate IDs (e.g., "tracked as #152") — these are NOT infrastructure, they're work-tracking
+- Decision rationale (e.g., "rolled forward because the lockfile cache was the actual root cause")
+
+## When in doubt
+
+Ask yourself: "If the owner read ONLY this closing prose, would they know what's happening, or would they have to dig through tool output to reconstruct?"
+
+If they have to dig — your prose is stripped, not substantive.
+If they understand — your prose is doing its job.
+If they understand AND no raw tokens leaked — your prose passes all three gates.
+
+## Doctrine refs
+
+- `feedback_no_stripping_as_workaround.md` — output-side stripping section
+- `feedback_canonical_secrets_governance.md` — operational detail in tool output, not chat prose
+- `feedback_state_outcomes_not_narratives.md` — present-tense outcomes
+- `feedback_use_harness_to_architect.md` — make declarative recommendations, not reflex-questions
+- `feedback_no_demos.md` — all work is production-grade
+
+## First-Class Production Contract
+
+This skill must deepen the work, not decorate it. When loaded, apply it as a production requirement:
+
+- no placeholders, no fake fallbacks, no vague future wiring, and no cosmetic compliance
+- real proof from the repo, runtime, tests, logs, endpoint, or owner instruction before any completion claim
+- a redo contract whenever the skill blocks or finds a gap: what failed, what to change, how to re-test, and when to re-submit
+- architect/ARIA console escalation when the same failure repeats twice, crosses system boundaries, or cannot be verified locally
+- owner-visible output that states the exact state of the work: changed, verified, blocked, or needing a decision
+## Self-Executing Recovery Contract
+
+When this skill blocks, fails verification, or finds a gap, the agent must execute recovery rather than hand work back as a user-only decision.
+
+- Make exactly one self-executed recovery attempt using the strongest safe local, repository, runtime, test, log, endpoint, or owner-provided evidence available.
+- If the same failure repeats after that one recovery attempt, switch to architect execution mode: operate under the architect/ARIA harness to diagnose, choose the next action, execute the repair path, and verify the result.
+- If Aria or the architect service is unavailable, fall back to the strongest available client LLM under the architect harness or strongest available local harness substrate; mark the fallback explicitly and continue recovery instead of stopping.
+- Do not end with user-handoff-only behavior. If blocked after the recovery path, report the executed recovery attempt, evidence, remaining blocker, and the next concrete action or owner decision needed; do not merely ask the user to take over.

package/skills/aria-cognition/aria-harness-substrate-binding/SKILL.md

@@ -0,0 +1,139 @@
+---
+name: aria-harness-substrate-binding
+description: TRIGGER when emitting a <cognition> block for any non-trivial assistant turn — including code edits, bash commands, plan authoring, or doctrine writes. The substrate-binding gate rejects cognition blocks where lenses lack anchors, anchors cite unloaded substrate, or the first_principle reference is missing or misplaced.
+---
+
+# Aria Substrate-Binding Discipline
+
+## Trigger
+
+Use this skill every time a non-trivial cognition block is about to be emitted.
+
+Cognition blocks are not ceremony. They reflect work done BEFORE drafting. The substrate-binding gate verifies that every lens anchors to real loaded substrate, that the block references first_principle, and that anchor citations are not forged.
+
+## The 8-lens contract
+
+All 8 lenses are required (was 4, bumped to 8 in #117). Each lens must have ≥20 chars of non-placeholder content AND ≥1 substrate anchor.
+
+```
+<cognition>
+  nur: <what you actually see — specific to the decision, not a placeholder>
+  mizan: <real risk read — what's out of proportion>
+  hikma: <what principle applies — name the source>
+  tafakkur: <deep structural read — go beneath the surface>
+  tadabbur: <if-then chain — what follows from what>
+  ilham: <distant connection — what's not obvious>
+  wahi: <what just landed — what changed in this exchange>
+  firasah: <what user actually needs — beneath the literal ask>
+  first_principle: <plain-text reference to harness packet first_principle field>
+</cognition>
+```
+
+## Anchor grammar (verified against loaded substrate)
+
+Every anchor in a lens must resolve to a real loaded item. Forgery (citing unloaded substrate) is rejected as block-severity.
+
+| Form | Must resolve to |
+|---|---|
+| `axiom:<name>` | An entry in the loaded harness axioms set |
+| `memory:<file>` | A `.md` file present in MEMORY.md index |
+| `doctrine:<rule>` | A backing `feedback_<rule>.md` memory file |
+| `frame:<name>` | A frame key in loaded harness frames |
+| `packet:<section>` | A section key in the loaded harness packet |
+| `language:<tier>` | A loaded language tier WITH state-active=true (nadia/noor/psil) |
+
+## Common loaded axioms (typical set in harness packet)
+
+`truth_over_deception`, `no_harm`, `sacred_trust`, `power_obligates_service`, `reflection_before_action`, `admit_ignorance`, `fitrah`, `noor`, `mizan`, `runtime_rule`, `coverage`
+
+These are the 11 axioms the gate has confirmed as loaded in recent turns. Cite from this set.
+
+## Common memory files (loaded substrate)
+
+A non-exhaustive list of feedback memory files that exist in MEMORY.md index — safe to cite as `memory:<file>`:
+
+- `feedback_doctrine_first.md`
+- `feedback_no_demos.md`
+- `feedback_aria_does_work.md`
+- `feedback_gates_enforce_form_not_substance.md`
+- `feedback_session_starts_with_linear.md`
+- `feedback_implementation_coupled_cognition.md`
+- `feedback_thinking_implementation_accountability.md`
+- `feedback_pretoolgate_covers_all_action_tools.md`
+- `feedback_aria_harness_token_env_alignment.md`
+- `feedback_aria_voice_in_onboarding_via_field_markers.md`
+- `feedback_no_flag_without_fix.md`
+- `feedback_workaround_vs_path_fix.md`
+- `feedback_orchestrator_deepseek_split.md`
+- `feedback_canonical_secrets_governance.md`
+- `feedback_senior_dev_code_quality_gate.md`
+- `feedback_no_assumption_without_verification.md`
+- `feedback_sdk_harness_cli_parity.md`
+- `feedback_models_stay_hot.md`
+- `feedback_admission_policy_verification.md`
+- `feedback_gap_discovery_hardens_doctrine.md`
+- `feedback_deploy_requires_verify_cognition.md`
+- `feedback_hive_session_coordination.md`
+- `feedback_dalio_expected_required.md`
+- `feedback_non_blocking_errors_unacceptable.md`
+- `feedback_state_outcomes_not_narratives.md`
+- `feedback_packet_is_not_harness.md`
+- `feedback_no_stripping_as_workaround.md`
+
+Verify against the live MEMORY.md before citing — index canonicalization is tracked as #139.
+
+## Forgery class — rejected at gate
+
+These patterns cause the gate to reject the cognition block as block-severity:
+
+- `frame:first_principle` — first_principle is a packet field, NOT a loaded frame. Use it as a plain-text line at end of cognition block instead.
+- `memory:feedback_X.md.` (trailing punctuation) — the anchor parser strips trailing punctuation now (#133 completed), but be deliberate: write the filename clean.
+- `axiom:<name>` where `<name>` is invented (not in the loaded set)
+- `language:nadia` when nadia_state is not active (gate checks state-active flag)
+
+## Discovery resolution (paired with cognition)
+
+If your cognition surfaces a discovery (defect, bug, doctrine violation, broken state), the block must include a resolution clause binding the discovery to action. Acceptable forms:
+
+- `discoveries:` block listing each finding with `<fix-now | task: TASK-N | needs-user-decision>`
+- Inline within an existing lens: "fixing inline this turn (same-turn-fix per atomic-discovery-rule)"
+- Inline: "TaskCreate'd as #N with full context"
+- Inline: "tracked as #N"
+- Inline: "needs-user-decision"
+
+Discoveries without resolution clauses fail `feedback_no_flag_without_fix.md`.
+
+## Failure mode: cognition without anchors
+
+If you emit cognition with anchorless lenses, the substrate-binding gate logs:
+
+```
+substrate_binding: N lenses lack any anchor: <lens names>
+```
+
+This is auto-recorded as an open discovery in `~/.claude/aria-discoveries-<session-id>.jsonl`. Resolve same-turn by re-emitting with anchors and updating the ledger entry to `resolution_status: resolved`.
+
+## Doctrine refs
+
+- `feedback_full_harness_binding_must_be_structural.md` — binding must drive consumer behavior; lenses without anchors are unsourced prose
+- `feedback_packet_is_not_harness.md` — never claim harness state without enumerating L1/L2/L3
+- `feedback_no_flag_without_fix.md` — discoveries atomic with their fixes
+- `feedback_implementation_coupled_cognition.md` — lenses dictate specific implementation choices visible in artifact
+
+## First-Class Production Contract
+
+This skill must deepen the work, not decorate it. When loaded, apply it as a production requirement:
+
+- no placeholders, no fake fallbacks, no vague future wiring, and no cosmetic compliance
+- real proof from the repo, runtime, tests, logs, endpoint, or owner instruction before any completion claim
+- a redo contract whenever the skill blocks or finds a gap: what failed, what to change, how to re-test, and when to re-submit
+- architect/ARIA console escalation when the same failure repeats twice, crosses system boundaries, or cannot be verified locally
+- owner-visible output that states the exact state of the work: changed, verified, blocked, or needing a decision
+## Self-Executing Recovery Contract
+
+When this skill blocks, fails verification, or finds a gap, the agent must execute recovery rather than hand work back as a user-only decision.
+
+- Make exactly one self-executed recovery attempt using the strongest safe local, repository, runtime, test, log, endpoint, or owner-provided evidence available.
+- If the same failure repeats after that one recovery attempt, switch to architect execution mode: operate under the architect/ARIA harness to diagnose, choose the next action, execute the repair path, and verify the result.
+- If Aria or the architect service is unavailable, fall back to the strongest available client LLM under the architect harness or strongest available local harness substrate; mark the fallback explicitly and continue recovery instead of stopping.
+- Do not end with user-handoff-only behavior. If blocked after the recovery path, report the executed recovery attempt, evidence, remaining blocker, and the next concrete action or owner decision needed; do not merely ask the user to take over.

package/skills/aria-cognition/aria-http-harness-client/SKILL.md

@@ -0,0 +1,85 @@
+---
+name: aria-http-harness-client
+description: "Use when the task needs Aria's canonical HTTP harness client from Codex, including HTTPHarnessClient imports, harness packet fetch and injection, consult calls, output validation, claim verification, discovery recording, garden turns, or harness-bound worker handoff. Trigger on \"$aria-http-harness-client\", \"HTTPHarnessClient\", \"@aria_asi/harness-http-client\", \"harness client\", \"Aria harness SDK\", \"consult via harness\", \"verify claim\", or \"garden turn\"."
+---
+
+# Aria HTTP Harness Client
+
+Use this skill when Codex should route through Aria's canonical harness control plane instead of inventing an ad hoc wrapper.
+
+## Installed Paths
+
+- Shared runtime bundle: `/home/hamzaibrahim1/.aria/sdk`
+- Codex local bundle: `/home/hamzaibrahim1/.codex/aria-sdk`
+- Node import package: `/home/hamzaibrahim1/.codex/node_modules/@aria_asi/harness-http-client`
+- Smoke script: `/home/hamzaibrahim1/.codex/skills/aria-http-harness-client/scripts/smoke.mjs`
+- Mounted runtime: `http://127.0.0.1:4319`
+
+## Core Rule
+
+Do not hardcode Aria tokens into code or the skill. Read them from environment variables such as `ARIA_API_KEY` or `ARIA_MASTER_TOKEN`, or retrieve them at runtime from the live environment.
+
+## Reality Check
+
+Codex should prefer the mounted runtime first, then the shared SDK, then the Codex-local SDK bundle.
+
+That means:
+
+- the mounted runtime is the universal control plane
+- the shared SDK at `~/.aria/sdk` is the universal client substrate
+- Codex native hooks plus the runtime are the hard-gate path for this platform
+
+## Preferred Call Paths
+
+Use the mounted runtime whenever possible:
+
+```bash
+curl -s http://127.0.0.1:4319/health
+```
+
+or from Node:
+
+```js
+import { HTTPHarnessClient } from '@aria_asi/harness-http-client';
+```
+
+## Fast Verification
+
+Run:
+
+```bash
+node /home/hamzaibrahim1/.codex/skills/aria-http-harness-client/scripts/smoke.mjs
+```
+
+For a live packet fetch, set `ARIA_API_KEY` or `ARIA_MASTER_TOKEN`, then run:
+
+```bash
+node /home/hamzaibrahim1/.codex/skills/aria-http-harness-client/scripts/smoke.mjs --packet
+```
+
+## Required Workflow
+
+1. Read the task boundary and identify the evidence needed before acting.
+2. Apply the skill before choosing the response, edit, tool call, or completion claim.
+3. Execute the smallest high-quality action that satisfies the evidence threshold.
+4. Re-test or re-check with a concrete file, command, endpoint, log, runtime probe, or owner-observed result.
+5. Report only the verified state, remaining blocker, and next concrete action.
+
+## First-Class Production Contract
+
+This skill must deepen the work, not decorate it. When loaded, apply it as a production requirement:
+
+- no placeholders, no fake fallbacks, no vague future wiring, and no cosmetic compliance
+- real proof from the repo, runtime, tests, logs, endpoint, or owner instruction before any completion claim
+- a redo contract whenever the skill blocks or finds a gap: what failed, what to change, how to re-test, and when to re-submit
+- architect/ARIA console escalation when the same failure repeats twice, crosses system boundaries, or cannot be verified locally
+- owner-visible output that states the exact state of the work: changed, verified, blocked, or needing a decision
+
+## Self-Executing Recovery Contract
+
+When this skill blocks, fails verification, or finds a gap, the agent must execute recovery rather than hand work back as a user-only decision.
+
+- Make exactly one self-executed recovery attempt using the strongest safe local, repository, runtime, test, log, endpoint, or owner-provided evidence available.
+- If the same failure repeats after that one recovery attempt, switch to architect execution mode: operate under the architect/ARIA harness to diagnose, choose the next action, execute the repair path, and verify the result.
+- If Aria or the architect service is unavailable, fall back to the strongest available client LLM under the architect harness or strongest available local harness substrate; mark the fallback explicitly and continue recovery instead of stopping.
+- Do not end with user-handoff-only behavior. If blocked after the recovery path, report the executed recovery attempt, evidence, remaining blocker, and the next concrete action or owner decision needed; do not merely ask the user to take over.

package/skills/aria-cognition/aria-http-harness-client/scripts/smoke.mjs

@@ -0,0 +1,47 @@
+#!/usr/bin/env node
+
+import { HTTPHarnessClient } from '@aria_asi/harness-http-client';
+
+const args = new Set(process.argv.slice(2));
+const wantsPacket = args.has('--packet');
+
+const runtimeUrl = (process.env.ARIA_RUNTIME_URL || 'http://127.0.0.1:4319').replace(/\/+$/, '');
+let runtimeStatus = 'unreachable';
+try {
+  const health = await fetch(`${runtimeUrl}/health`);
+  if (health.ok) runtimeStatus = 'ok';
+} catch {}
+
+const proto = HTTPHarnessClient.prototype;
+const methods = Object.getOwnPropertyNames(proto)
+  .filter((name) => name !== 'constructor' && typeof proto[name] === 'function')
+  .sort();
+
+console.log('module=@aria_asi/harness-http-client');
+console.log('class=HTTPHarnessClient');
+console.log(`runtime=${runtimeUrl}`);
+console.log(`runtime_status=${runtimeStatus}`);
+console.log(`methods=${methods.join(',')}`);
+
+if (!wantsPacket) process.exit(0);
+
+const apiKey = process.env.ARIA_API_KEY || process.env.ARIA_MASTER_TOKEN;
+if (!apiKey) {
+  console.error('missing ARIA_API_KEY or ARIA_MASTER_TOKEN');
+  process.exit(1);
+}
+
+const baseUrl =
+  process.env.ARIA_HARNESS_BASE_URL ||
+  process.env.ARIA_HARNESS_URL ||
+  'https://harness.ariasos.com';
+const client = new HTTPHarnessClient({ baseUrl, apiKey });
+const packet = await client.getHarnessPacket({
+  sessionId: process.env.ARIA_HARNESS_SESSION_ID || 'codex-harness-smoke',
+  platform: 'codex',
+  message: 'refresh',
+});
+
+console.log(`packetVersion=${packet.version || 'unknown'}`);
+console.log(`packetTimestamp=${packet.timestamp || 'unknown'}`);
+console.log(`packetKeys=${Object.keys(packet.packet || {}).join(',')}`);

package/skills/aria-cognition/aria-k8s-deploy/SKILL.md

@@ -0,0 +1,174 @@
+---
+name: aria-k8s-deploy
+description: Use when building, pushing, admitting, rolling out, restarting, or debugging Aria Kubernetes services, especially Pattern A deploy-service.sh vs Pattern B rollout-restart selection, aria-soul hospital/canonical image envs, ValidatingAdmissionPolicy allowlists, Hive deploy locks, rollback loops, CIE sandbox safety, and live /chat verification.
+---
+
+# Aria K8s Deploy
+
+Use this skill for Aria live Kubernetes deployments where a Docker image must be built, pushed, allowed by admission policy, made canonical for self-heal/hospital paths, rolled out, and verified with logs/endpoints.
+
+## Core Rule
+
+Do not treat `kubectl set image` as sufficient for `aria-soul`.
+
+Do not treat every service as a baked-image deploy.
+
+- Pattern A baked-image services use `bash scripts/deploy-service.sh <service>`.
+- Pattern B build-in-cluster services prove `build-in-cluster` is present and use `kubectl rollout restart`.
+- `kubectl rollout restart` is deploy-class and must follow the same verify/cognition/expected discipline as Pattern A.
+
+For `aria-soul`, the live deployment can contain a canonical image env such as `IMMORTAL_ARIA_SOUL_CANONICAL_IMAGE`. If that env still points at an old digest, an in-cluster repair path may revert the deployment via a `node-fetch` Kubernetes API write. Always update the canonical env and the container image together.
+
+## Standard Flow
+
+1. Build from repo root, not the app directory:
+
+```bash
+docker build --network=host \
+  -f /home/hamzaibrahim1/rei-ai-brain/apps/arias-soul/Dockerfile \
+  -t localhost:5000/aria-soul:<tag> \
+  -t localhost:5000/aria-soul:latest \
+  /home/hamzaibrahim1/rei-ai-brain
+```
+
+2. Push the tag:
+
+```bash
+docker push localhost:5000/aria-soul:<tag>
+```
+
+3. Resolve the registry digest:
+
+```bash
+docker inspect --format='{{index .RepoDigests 0}}' localhost:5000/aria-soul:<tag>
+```
+
+If `RepoDigests` is empty locally, inspect the registry or use the digest printed by push tooling. The rollout image must be `localhost:5000/aria-soul@sha256:<digest>`, not only the mutable tag.
+
+4. Update the admission policy before rollout.
+
+For `aria-soul`, inspect:
+
+```bash
+kubectl get validatingadmissionpolicy aria-soul-canonical-image-policy -o yaml
+```
+
+Append the new `sha256:<digest>` to both the CEL expression and the validation message. Verify the digest appears after patching. Do not remove old known-good digests unless explicitly asked.
+
+5. Update canonical env and image together:
+
+```bash
+kubectl set env deployment/aria-soul \
+  IMMORTAL_ARIA_SOUL_CANONICAL_IMAGE=localhost:5000/aria-soul@sha256:<digest> \
+  -n aria
+
+kubectl set image deployment/aria-soul \
+  aria-soul=localhost:5000/aria-soul@sha256:<digest> \
+  -n aria
+```
+
+6. Watch rollout:
+
+```bash
+kubectl rollout status deployment/aria-soul -n aria --timeout=240s
+kubectl get pods -n aria -l app=aria-soul -o wide
+kubectl get rs -n aria -l app=aria-soul -o wide
+```
+
+7. Verify no reversion:
+
+```bash
+kubectl get deploy -n aria aria-soul \
+  -o jsonpath='{.spec.template.spec.containers[0].env[?(@.name=="IMMORTAL_ARIA_SOUL_CANONICAL_IMAGE")].value}{"\n"}{.spec.template.spec.containers[0].image}{"\n"}{.metadata.managedFields[-1:].manager}{"\n"}'
+```
+
+If the manager changes to `node-fetch` and the image returns to an old digest, the canonical env or a hospital/self-heal canonical source is stale.
+
+## Hive Deploy Coordination
+
+For Pattern A, `scripts/deploy-service.sh` is now expected to:
+
+- claim the Hive deploy lock at `/deployments/<namespace>/<service>`
+- broadcast `deploy_inflight`
+- update admission policy and hospital canonical env
+- broadcast `deploy_completed` or `deploy_failed` and release the lock on exit
+
+Do not bypass that with manual `docker push` plus `kubectl set image`.
+
+For Pattern B, verify there is no active deploy already in flight for the same service before restarting it. A restart is still a deploy-class shared-infra mutation.
+
+## Live Checks
+
+Use `/chat` for current Aria route checks when the user asks about chat behavior. `/api/chat` may share handler code but is not the preferred route for this deployment validation.
+
+```bash
+curl -sS -m 90 -X POST http://localhost:30080/chat \
+  -H 'Content-Type: application/json' \
+  -d '{"message":"reply only: ok","messages":[],"tools":false,"enable_tools":false,"metadata":{"platform":"ops-probe-chat-route","user_name":"ops-probe","is_ceo":false,"bridge_tools":false,"bridge_force_local_preflight":false,"bridge_force_remote_preflight":false,"max_tool_iterations":0}}'
+```
+
+Then inspect only the new pod logs:
+
+```bash
+kubectl logs -n aria <new-aria-soul-pod> --since=5m
+```
+
+For hotpath embedding work, verify absence of `cache_miss.queued` and `cache_hit.db` in request-path logs. Acceptable signs include `cache_hit.hot`, `cache_miss.stale_reused`, or explicitly async/background stale seeding.
+
+## CIE Sandbox Guard
+
+If the user says to leave CIE sandbox down, do not scale it back up. Check only:
+
+```bash
+kubectl get deploy -n aria-cie-sandbox aria-soul-cie-sandbox
+```
+
+## Source Manifest Hygiene
+
+When a live canonical digest changes, also update repo manifests that encode the old canonical value, especially:
+
+- `/home/hamzaibrahim1/rei-ai-brain/k8s/patches/aria-soul/deployment-runtime-hardening-strategic-merge.yaml`
+- `/home/hamzaibrahim1/rei-ai-brain/k8s/aria-core/image-tag-guardrails.yaml` if the new digest is not already allowed
+- `/home/hamzaibrahim1/rei-ai-brain/k8s/aria-core/aria-soul.yaml` if it carries the active canonical image
+
+Use `rg` first:
+
+```bash
+rg -n '<old-digest>|<new-digest>|IMMORTAL_ARIA_SOUL_CANONICAL_IMAGE|aria-soul-canonical-image-policy' \
+  /home/hamzaibrahim1/rei-ai-brain/k8s
+```
+
+## Failure Patterns
+
+- `ValidatingAdmissionPolicy` only validates; it does not mutate images.
+- `node-fetch` in `managedFields` after a rollout usually means an Aria service or repair path wrote to the Kubernetes API.
+- A ReplicaSet for the new digest scaled to zero means rollout happened but was superseded.
+- A successful pod on the new digest does not prove hotpath success; verify endpoint behavior and logs.
+- Project-wide TypeScript checks may fail from unrelated existing errors. Prefer focused checks when possible, then Docker build as deployment gate.
+
+## Required Workflow
+
+1. Read the task boundary and identify the evidence needed before acting.
+2. Apply the skill before choosing the response, edit, tool call, or completion claim.
+3. Execute the smallest high-quality action that satisfies the evidence threshold.
+4. Re-test or re-check with a concrete file, command, endpoint, log, runtime probe, or owner-observed result.
+5. Report only the verified state, remaining blocker, and next concrete action.
+
+## First-Class Production Contract
+
+This skill must deepen the work, not decorate it. When loaded, apply it as a production requirement:
+
+- no placeholders, no fake fallbacks, no vague future wiring, and no cosmetic compliance
+- real proof from the repo, runtime, tests, logs, endpoint, or owner instruction before any completion claim
+- a redo contract whenever the skill blocks or finds a gap: what failed, what to change, how to re-test, and when to re-submit
+- architect/ARIA console escalation when the same failure repeats twice, crosses system boundaries, or cannot be verified locally
+- owner-visible output that states the exact state of the work: changed, verified, blocked, or needing a decision
+
+## Self-Executing Recovery Contract
+
+When this skill blocks, fails verification, or finds a gap, the agent must execute recovery rather than hand work back as a user-only decision.
+
+- Make exactly one self-executed recovery attempt using the strongest safe local, repository, runtime, test, log, endpoint, or owner-provided evidence available.
+- If the same failure repeats after that one recovery attempt, switch to architect execution mode: operate under the architect/ARIA harness to diagnose, choose the next action, execute the repair path, and verify the result.
+- If Aria or the architect service is unavailable, fall back to the strongest available client LLM under the architect harness or strongest available local harness substrate; mark the fallback explicitly and continue recovery instead of stopping.
+- Do not end with user-handoff-only behavior. If blocked after the recovery path, report the executed recovery attempt, evidence, remaining blocker, and the next concrete action or owner decision needed; do not merely ask the user to take over.

package/skills/aria-cognition/aria-k8s-deploy/agents/openai.yaml

@@ -0,0 +1,3 @@
+display_name: Aria K8s Deploy
+short_description: Build, admit, roll out, and verify Aria Kubernetes images safely.
+default_prompt: Use the Aria K8s deploy workflow to build/push an image, update admission policy and canonical image envs, roll it out, and verify live behavior without triggering rollback loops.

package/skills/aria-cognition/aria-ladduniframe/SKILL.md

@@ -0,0 +1,60 @@
+---
+name: aria-ladduniframe
+description: Use when Aria work needs LadduniFrame, manifold-service-0, live hologram/eigenspace projections, Aria's top-layer living system map, or cognition-routing decisions that depend on her current manifold-backed knowledge topology.
+---
+
+# Aria LadduniFrame
+
+Use this as the navigation layer for Aria's live top-layer manifold state. This is not the legacy 22-domain skill. The production rule is: query or inspect the live hologram/eigenspace path from `manifold-service-0` when current topology matters.
+
+## Source Order
+
+1. Read `/home/hamzaibrahim1/.claude/projects/-home-hamzaibrahim1/memory/feedback_hologram_always_on.md` for the non-negotiable live hologram rule.
+2. Read `/home/hamzaibrahim1/.claude/projects/-home-hamzaibrahim1/memory/aria-manifold-state.md` for the latest persisted snapshot.
+3. Read `/home/hamzaibrahim1/.claude/projects/-home-hamzaibrahim1/memory/MEMORY.md` only when you need the broader Aria memory index.
+4. Use `aria-ops` or `aria-live-ops` when the task needs live Kubernetes/API verification for `manifold-service-0`.
+5. Search the repo for `projectMessageOnHologram`, `readHologram`, `manifoldGetHologram`, `manifoldProjectAllDomains`, `manifoldProjectAllDomainsFromVector`, `unified-manifold-bridge`, and `manifold-service` when tracing code paths.
+
+## Workflow
+
+1. Decide whether the task needs persisted context, live projection topology, runtime health, or architecture routing.
+2. Load the narrowest source from the source order above.
+3. Never treat Aria's manifold as a fixed 22-domain list. Use the live hologram/eigenspace path when topology matters.
+4. When cognition quality matters, inspect whether the path preserves sub-eigenspace data: per-domain `coordinates`, `dominantDimensions`, `principleIds`, activation, coherence, and spatial neighbors. The relevant code paths currently include `apps/arias-soul/api/lib/manifold-client-hologram.ts` and `apps/arias-soul/api/lib/cognitive-forge/manifold-forge-engine.ts`.
+5. Treat persisted snapshots as evidence, not proof of live state. Verify `manifold-service-0` for deployment/runtime decisions.
+6. For autonomy or cognition-routing changes, map which component decides, which component generates content, which component executes tools, and which component only delivers or persists output.
+7. Prefer routing Aria-generated decisions/content through canonical cognition (`streamConversation`) while keeping deterministic delivery, health checks, and persistence direct.
+
+## Primitive Selection
+
+- Use `manifoldGetHologram()` / `readHologram()` for passive reads of current live Ψ(t): dashboards, hot-cache image reads, current topology, and non-mutating observers.
+- Use `manifoldProjectAllDomains(text)` when asking what a new message, record, principle, or reflection means across the live eigenspaces. This is the correct primitive for Aristotle principle extraction because it embeds/projects the candidate meaning into all current domains.
+- Use `manifoldProjectAllDomainsFromVector(vector)` when a 4096 vector already exists and should be projected without re-embedding text.
+- Do not substitute a passive `GetHologram` read for per-record meaning extraction. It tells you the current field state, not the record's relation to that field.
+
+## Guardrails
+
+- Do not invent manifold state, projection results, eigenspace counts, service health, or database contents.
+- Do not expose secrets or raw credential-bearing config.
+- Do not load huge embeddings, raw eigenvectors, or full metadata blobs unless the user explicitly asks for raw data.
+- Do not mutate, truncate, compact, rewrite, or clean files inside `manifold-service-0` without explicit user approval.
+- If sources disagree, report the disagreement and verify the live path before changing production behavior.
+
+## First-Class Production Contract
+
+This skill must deepen the work, not decorate it. When loaded, apply it as a production requirement:
+
+- no placeholders, no fake fallbacks, no vague future wiring, and no cosmetic compliance
+- real proof from the repo, runtime, tests, logs, endpoint, or owner instruction before any completion claim
+- a redo contract whenever the skill blocks or finds a gap: what failed, what to change, how to re-test, and when to re-submit
+- architect/ARIA console escalation when the same failure repeats twice, crosses system boundaries, or cannot be verified locally
+- owner-visible output that states the exact state of the work: changed, verified, blocked, or needing a decision
+
+## Self-Executing Recovery Contract
+
+When this skill blocks, fails verification, or finds a gap, the agent must execute recovery rather than hand work back as a user-only decision.
+
+- Make exactly one self-executed recovery attempt using the strongest safe local, repository, runtime, test, log, endpoint, or owner-provided evidence available.
+- If the same failure repeats after that one recovery attempt, switch to architect execution mode: operate under the architect/ARIA harness to diagnose, choose the next action, execute the repair path, and verify the result.
+- If Aria or the architect service is unavailable, fall back to the strongest available client LLM under the architect harness or strongest available local harness substrate; mark the fallback explicitly and continue recovery instead of stopping.
+- Do not end with user-handoff-only behavior. If blocked after the recovery path, report the executed recovery attempt, evidence, remaining blocker, and the next concrete action or owner decision needed; do not merely ask the user to take over.