aiden-runtime 4.8.0 → 4.9.0

package/dist/core/v4/theme/themeWatcher.js

@@ -0,0 +1,95 @@
+"use strict";
+/**
+ * Copyright (c) 2026 Shiva Deore (Taracod).
+ * Licensed under AGPL-3.0. See LICENSE for details.
+ *
+ * Aiden — local-first agent.
+ */
+/**
+ * core/v4/theme/themeWatcher.ts — v4.9.0 Slice 1a.
+ *
+ * chokidar-backed file watcher for `~/.aiden/theme.yaml`. On change
+ * (debounced 200ms to avoid mid-save partial reads), re-parses the
+ * file and applies it via the ThemeRegistry. Self-contained — caller
+ * just calls `startThemeWatcher(path)` once at REPL start and
+ * `stopThemeWatcher()` on quit.
+ */
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.startThemeWatcher = startThemeWatcher;
+exports.stopThemeWatcher = stopThemeWatcher;
+exports._isWatcherActive = _isWatcherActive;
+const chokidar_1 = __importDefault(require("chokidar"));
+const node_fs_1 = require("node:fs");
+const themeLoader_1 = require("./themeLoader");
+const themeRegistry_1 = require("./themeRegistry");
+const DEBOUNCE_MS = 200;
+let active = null;
+/**
+ * Start watching the theme file. If the file already exists at start,
+ * applies it immediately (so the first paint reflects the user's
+ * choice). Idempotent — calling twice replaces the previous watcher.
+ */
+function startThemeWatcher(themePath, opts = {}) {
+    stopThemeWatcher();
+    const debounceMs = opts.debounceMs ?? DEBOUNCE_MS;
+    const onWarn = opts.onWarn ?? ((m) => console.warn(`[theme] ${m}`));
+    // Apply on first-existence so the REPL boots into the user's theme.
+    if ((0, node_fs_1.existsSync)(themePath)) {
+        const { parsed, warnings } = (0, themeLoader_1.loadThemeFile)(themePath);
+        for (const w of warnings)
+            onWarn(w);
+        if (parsed)
+            (0, themeRegistry_1.applyTheme)(parsed, themePath);
+    }
+    const watcher = chokidar_1.default.watch(themePath, {
+        persistent: true,
+        awaitWriteFinish: { stabilityThreshold: debounceMs, pollInterval: 50 },
+        ignoreInitial: true,
+    });
+    const state = {
+        watcher,
+        debounceTimer: null,
+        themePath,
+        onWarn,
+    };
+    const reload = () => {
+        if (state.debounceTimer)
+            clearTimeout(state.debounceTimer);
+        state.debounceTimer = setTimeout(() => {
+            state.debounceTimer = null;
+            if (!(0, node_fs_1.existsSync)(themePath)) {
+                (0, themeRegistry_1.resetToDefault)();
+                return;
+            }
+            const { parsed, warnings } = (0, themeLoader_1.loadThemeFile)(themePath);
+            for (const w of warnings)
+                onWarn(w);
+            if (parsed)
+                (0, themeRegistry_1.applyTheme)(parsed, themePath);
+        }, debounceMs);
+    };
+    watcher.on('add', reload);
+    watcher.on('change', reload);
+    watcher.on('unlink', () => {
+        if (state.debounceTimer)
+            clearTimeout(state.debounceTimer);
+        state.debounceTimer = null;
+        (0, themeRegistry_1.resetToDefault)();
+    });
+    watcher.on('error', (err) => onWarn(`watcher error: ${err.message}`));
+    active = state;
+}
+/** Stop the active watcher. No-op when none is running. */
+function stopThemeWatcher() {
+    if (!active)
+        return;
+    if (active.debounceTimer)
+        clearTimeout(active.debounceTimer);
+    void active.watcher.close();
+    active = null;
+}
+/** Test helper. */
+function _isWatcherActive() { return active !== null; }

package/dist/core/v4/toolRegistry.js

@@ -186,15 +186,40 @@ class ToolRegistry {
                     };
                 }
             }
+            // v4.9.0 Slice 6 — wrap the handler call in a tool span when the
+            // daemon foundation is up AND an ExecutionContext is active. NOOP
+            // outside daemon mode or outside a runWithContext frame. Lazy
+            // require avoids pulling daemon code into the v4 core import
+            // graph at module load (would break headless / cli-test imports
+            // that don't open a DB).
+            //
+            // v4.9.0 Slice 12a Phase 3 — inside the tool span, fire
+            // `tool.call.pre` + `tool.call.post` hooks via `runToolWithHooks`.
+            // Mandatory pre-hook blocks surface as HookBlockedError, caught
+            // by the outer try/catch and mapped to a structured error result.
+            const dispatch = async (a) => handler.execute(a, context);
+            let result;
             try {
-                const result = await handler.execute(args, context);
-                // v4.1.3-repl-polish: lift `degraded` + `degradedReason` from the
-                // handler's inner result to the outer ToolCallResult so the CLI
-                // trail row can render the partial-yellow state. Tools opt in by
-                // setting these on the object they return; without this lift the
-                // flags would sit on `out.result.degraded` where callbacks.ts
-                // can't see them. Strict typeof checks avoid promoting truthy-
-                // but-wrong-shape junk (numbers, strings, nested objects).
+                const sliced = sliceSpanShim();
+                if (sliced && sliced.db && sliced.hasContext()) {
+                    const sideEffect = sliced.classifySideEffect(handler);
+                    const inputFp = sliced.fingerprint(args);
+                    result = await sliced.withToolSpan(sliced.db, { toolName: call.name, inputFingerprint: inputFp, sideEffectClass: sideEffect }, async (childCtx) => sliced.runToolWithHooks({
+                        db: sliced.db,
+                        toolName: call.name,
+                        toolCallId: call.id,
+                        args,
+                        ctx: {
+                            runId: childCtx.runId,
+                            traceId: childCtx.traceId,
+                            spanId: childCtx.spanId,
+                            parentSpanId: childCtx.parentSpanId,
+                        },
+                    }, dispatch));
+                }
+                else {
+                    result = await dispatch(args);
+                }
                 const inner = result;
                 const out = { id: call.id, name: call.name, result };
                 if (typeof inner?.degraded === 'boolean' && inner.degraded) {
@@ -206,6 +231,17 @@ class ToolRegistry {
                 return out;
             }
             catch (err) {
+                // v4.9.0 Slice 12a — hook blocks surface as a structured
+                // rejection so the model gets the hook's `reason` / `model_message`
+                // verbatim instead of a bare exception string.
+                if (err instanceof toolHookGate_1.HookBlockedError) {
+                    return {
+                        id: call.id,
+                        name: call.name,
+                        result: null,
+                        error: err.modelMessage ?? err.message,
+                    };
+                }
                 const message = err instanceof Error ? err.message : String(err);
                 return { id: call.id, name: call.name, result: null, error: message };
             }
@@ -213,3 +249,30 @@ class ToolRegistry {
     }
 }
 exports.ToolRegistry = ToolRegistry;
+// v4.9.0 Slice 6 — static imports for the span-shim bridge. Earlier
+// attempts used lazy `require()` to keep daemon code out of the import
+// graph when the test harness doesn't compile it; that path broke
+// under vite-node which doesn't intercept CJS require for `.ts`
+// targets. Static ESM imports work in both vitest + production builds.
+const bootstrap_1 = require("./daemon/bootstrap");
+const spanHelpers_1 = require("./daemon/spans/spanHelpers");
+const identity_1 = require("./identity");
+const toolHookGate_1 = require("./hooks/toolHookGate");
+function classifySideEffectForHandler(h) {
+    if (h.riskTier === 'dangerous')
+        return 'destructive';
+    if (h.mutates === false)
+        return 'read';
+    if (h.mutates === true)
+        return 'mutating';
+    return 'read';
+}
+const _toolSpanShim = {
+    get db() { return (0, bootstrap_1.getCurrentDaemonDb)(); },
+    hasContext: () => (0, identity_1.currentContext)() !== undefined,
+    classifySideEffect: classifySideEffectForHandler,
+    fingerprint: spanHelpers_1.shortInputFingerprint,
+    withToolSpan: spanHelpers_1.withToolSpan,
+    runToolWithHooks: toolHookGate_1.runToolWithHooks,
+};
+function sliceSpanShim() { return _toolSpanShim; }

package/dist/core/v4/update/executeInstall.js

@@ -66,17 +66,21 @@ async function executeInstall(opts = {}) {
     const platform = opts.platform ?? process.platform;
     return new Promise((resolve) => {
         const args = ['install', '-g', packageSpec];
-        // shell: true on Windows so npm.cmd is found via PATHEXT; on
-        // POSIX we spawn npm directly. Either way the args are validated
-        // (only npm + install + a hardcoded spec by default) — no user
-        // input flows into argv.
+        // v4.8.1 Slice 2 — drop `shell: true`. Node 20+ emits
+        // `DeprecationWarning: Passing args to a child process with shell
+        // option true can lead to security vulnerabilities` whenever
+        // shell:true is paired with an args array. We don't need the
+        // shell either — on Windows we spawn `npm.cmd` explicitly (the
+        // shim that PATHEXT would otherwise resolve to); on POSIX we
+        // spawn `npm` directly. No user input flows into argv on either
+        // path so the prior shell-resolution wasn't load-bearing.
+        const cmd = platform === 'win32' ? 'npm.cmd' : 'npm';
         const spawnOpts = {
-            shell: platform === 'win32',
             stdio: ['ignore', 'pipe', 'pipe'],
         };
         let child;
         try {
-            child = spawn('npm', args, spawnOpts);
+            child = spawn(cmd, args, spawnOpts);
         }
         catch (err) {
             resolve({

package/dist/core/v4/update/installMethodDetect.js

@@ -37,6 +37,13 @@ const NPM_GLOBAL_HINTS = [
     /[/\\]npm-global[/\\]/,
     /[/\\]\.nvm[/\\]versions[/\\]node[/\\][^/\\]+[/\\]lib[/\\]node_modules\b/,
     /Program Files[/\\]nodejs[/\\]node_modules[/\\]aiden-runtime\b/i,
+    // v4.8.1 Slice 2 — Windows user-mode `npm install -g` lands in
+    // `C:\Users\<u>\AppData\Roaming\npm\node_modules\aiden-runtime\`.
+    // The leading `[/\\]npm[/\\]node_modules` hint above usually catches
+    // it, but tests on a non-default `npm config prefix` setup
+    // (Cmder, Scoop, etc.) can land outside the canonical path. The
+    // extra hint here is a belt-and-suspenders explicit AppData match.
+    /[/\\]AppData[/\\]Roaming[/\\]npm[/\\]/i,
 ];
 function inferDirs(input) {
     return {

package/dist/core/version.js

@@ -1,5 +1,70 @@
 "use strict";
+/**
+ * Copyright (c) 2026 Shiva Deore (Taracod).
+ * Licensed under AGPL-3.0. See LICENSE for details.
+ *
+ * Aiden — local-first agent.
+ */
+/**
+ * core/version.ts — runtime version reader.
+ *
+ * v4.8.1 Slice 2 — switched from build-time injection to a runtime
+ * `package.json` walk. The previous design relied on
+ * `scripts/inject-version.js` (a `prebuild:cli` / `prebuild:api` hook)
+ * to write a hardcoded VERSION constant into this file. That design
+ * had a subtle ordering bug:
+ *
+ *   `npm run build` ran `tsc --outDir dist` BEFORE `inject-version.js`.
+ *   tsc compiled `core/version.ts` (still at the previously-committed
+ *   value) into `dist/core/version.js`. Inject then mutated the
+ *   source, but only the esbuild bundle (`dist-bundle/cli.js`) picked
+ *   up the fresh value. The `bin` entry uses the tsc tree
+ *   (`dist/cli/v4/aidenCLI.js`), so the globally-installed CLI
+ *   reported the stale version.
+ *
+ * Fix: read the version at module-load time by walking up from
+ * `__dirname` and parsing the first `package.json` we find whose
+ * `name` is `aiden-runtime`. This works for:
+ *
+ *   - the tsc tree   (`dist/core/version.js` → walk to `<install>/package.json`)
+ *   - the esbuild bundle (`dist-bundle/cli.js` → walk to root)
+ *   - source / tsx dev runs (`core/version.ts` → walk to repo root)
+ *   - tests (any `__dirname` inside the repo lands on the right pkg)
+ *
+ * Failure mode: returns `'0.0.0-unknown'` if no aiden-runtime
+ * package.json is found within 6 parent directories. End-user
+ * deployments always have one within 3 levels; the 6-level budget
+ * keeps the function defensive without scanning the whole filesystem.
+ */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.VERSION = void 0;
-// AUTO-GENERATED by scripts/inject-version.js — do not edit by hand
-exports.VERSION = '4.8.0';
+const node_fs_1 = require("node:fs");
+const node_path_1 = require("node:path");
+function readVersion() {
+    let dir = __dirname;
+    for (let i = 0; i < 6; i += 1) {
+        const candidate = (0, node_path_1.join)(dir, 'package.json');
+        if ((0, node_fs_1.existsSync)(candidate)) {
+            try {
+                const pkg = JSON.parse((0, node_fs_1.readFileSync)(candidate, 'utf8'));
+                if (pkg.name === 'aiden-runtime' && typeof pkg.version === 'string') {
+                    return pkg.version;
+                }
+            }
+            catch {
+                /* unreadable / non-JSON → keep walking */
+            }
+        }
+        const parent = (0, node_path_1.dirname)(dir);
+        if (parent === dir)
+            break;
+        dir = parent;
+    }
+    return '0.0.0-unknown';
+}
+/**
+ * Resolved at module-load time. Idempotent — multiple imports share
+ * the cached value. Re-reading on every access would be wasteful;
+ * the package.json version doesn't change during a process lifetime.
+ */
+exports.VERSION = readVersion();

package/dist/moat/approvalEngine.js

@@ -180,6 +180,10 @@ class ApprovalEngine {
      * categories are always allowed without consulting any callback.
      */
     async checkApproval(req) {
+        // v4.9.0 Slice 12b — fire `approval.requested` for any gated call.
+        // Read-category short-circuits below; we still fire so observers
+        // see ALL approval requests (not just the ones that prompt).
+        this.callbacks.onRequested?.(req);
         if (req.category === 'read') {
             this.callbacks.onDecision?.(req, 'allow');
             return true;

package/dist/moat/memoryGuard.js

@@ -212,7 +212,14 @@ class MemoryGuard {
 }
 exports.MemoryGuard = MemoryGuard;
 function pickFile(snap, file) {
-    return file === 'user' ? snap.userMd : snap.memoryMd;
+    // v4.9.0 Slice 11 — legacy back-compat for 'memory' / 'user' direct
+    // reads (Phase 9 + Honesty Enforcement still consult these); new
+    // namespaces flow through the generalized `files` map.
+    if (file === 'user' && snap.userMd !== undefined)
+        return snap.userMd;
+    if (file === 'memory' && snap.memoryMd !== undefined)
+        return snap.memoryMd;
+    return snap.files?.[file]?.content ?? '';
 }
 /**
  * Phase v4.1.2-bug-X: section-aware containment check.

package/dist/providers/v4/anthropicAdapter.js

@@ -92,14 +92,14 @@ class AnthropicAdapter {
     // ── Public: non-streaming ────────────────────────────────────────────────
     async call(input) {
         const body = this.buildBody(input, /* streaming */ false);
-        const reply = await this.dispatch(body, /* streaming */ false, input.signal);
+        const reply = await this.dispatch(body, /* streaming */ false, input.signal, input.headers);
         const json = (await reply.json());
         return decodeResponse(json);
     }
     // ── Public: streaming ────────────────────────────────────────────────────
     async *callStream(input) {
         const body = this.buildBody(input, /* streaming */ true);
-        const reply = await this.dispatch(body, /* streaming */ true, input.signal);
+        const reply = await this.dispatch(body, /* streaming */ true, input.signal, input.headers);
         if (!reply.body) {
             // Server promised SSE but gave us nothing — fall through to a synthetic
             // empty done event so the agent loop terminates rather than hangs.
@@ -163,11 +163,17 @@ class AnthropicAdapter {
         // beta flags, or per-deployment routing tags without forking the adapter.
         return { ...headers, ...this.extraHeaders };
     }
-    async dispatch(body, streaming, externalSignal) {
+    async dispatch(body, streaming, externalSignal, outboundHeaders) {
         // Resolved once per process via the userAgent module's cache, so paying
         // for the version detection here is cheap on every retry/turn.
         const userAgent = await (0, userAgent_1.getClaudeCliUserAgent)();
-        const headers = this.buildHeaders(streaming, userAgent);
+        // v4.9.0 Slice 7 — merge caller-supplied outbound headers (e.g.
+        // `traceparent`, `X-Aiden-Run-Id`) below the adapter's defaults so
+        // they can't override `Authorization` / `anthropic-version` etc.,
+        // but above `extraHeaders` so a deliberate per-deployment override
+        // still wins.
+        const base = this.buildHeaders(streaming, userAgent);
+        const headers = outboundHeaders ? { ...outboundHeaders, ...base } : base;
         const serialised = JSON.stringify(body);
         const totalTries = this.maxRetries + 1;
         let lastErr = null;

package/dist/tools/v4/backends/local.js

@@ -20,6 +20,8 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.localBackendExecute = localBackendExecute;
 const node_child_process_1 = require("node:child_process");
+// v4.9.0 Slice 7 — propagate ExecutionContext into the child via env.
+const identity_1 = require("../../../core/v4/identity");
 const DEFAULT_TIMEOUT = 30000;
 async function localBackendExecute(args, cb = {}) {
     const command = args.command.trim();
@@ -38,14 +40,29 @@ async function localBackendExecute(args, cb = {}) {
     const timeoutMs = args.timeoutMs ?? DEFAULT_TIMEOUT;
     const capture = args.captureOutput ?? true;
     return new Promise((resolve) => {
+        // v4.9.0 Slice 7 — when running inside a `runWithContext` frame,
+        // stamp AIDEN_* env vars so the child process can reconstitute
+        // the same daemon/incarnation/run/trace correlation chain via
+        // `readContextFromEnv(process.env)`. Outside a context frame, the
+        // env spread is unchanged.
+        const ambient = (0, identity_1.currentContext)();
+        let baseEnv;
+        if (ambient) {
+            baseEnv = (0, identity_1.spawnEnvWithContext)(ambient, process.env);
+        }
+        else {
+            // v4.9.0 Slice 8 — report through the enforcement layer.
+            (0, identity_1.reportMissingContext)('subprocess', 'shellExec');
+            baseEnv = process.env;
+        }
         const child = isWin
             ? (0, node_child_process_1.spawn)('powershell.exe', ['-NoProfile', '-Command', command], {
                 cwd: args.cwd,
-                env: { ...process.env, ...(args.env ?? {}) },
+                env: { ...baseEnv, ...(args.env ?? {}) },
             })
             : (0, node_child_process_1.spawn)('bash', ['-lc', command], {
                 cwd: args.cwd,
-                env: { ...process.env, ...(args.env ?? {}) },
+                env: { ...baseEnv, ...(args.env ?? {}) },
             });
         let stdout = '';
         let stderr = '';

package/dist/tools/v4/sessions/recallSession.js

@@ -86,7 +86,10 @@ exports.recallSessionTool = {
                 error: 'recall_session requires resolved aiden paths',
             };
         }
-        const dir = node_path_1.default.join(ctx.paths.root, 'distillations');
+        // v4.9.0 Slice 9 — paths hygiene: use centralised distillationsDir
+        // when present (added in Slice 9); fall back to the legacy ad-hoc
+        // reconstruction so externally-mocked `ctx.paths` objects keep working.
+        const dir = ctx.paths.distillationsDir ?? node_path_1.default.join(ctx.paths.root, 'distillations');
         // Read everything off disk first. Each failure (malformed JSON,
         // EACCES on individual files) is skipped silently; the diagnostic
         // for "files exist but couldn't be read" is the gap between
@@ -169,6 +172,8 @@ exports.recallSessionTool = {
 // register recall_session with the slice3 SubsystemHealthRegistry
 // pass this helper to the tracker so they get health snapshots without
 // hard-coding the path in two places.
+// v4.9.0 Slice 9 — kept for back-compat; mirrors `paths.distillationsDir`
+// without requiring the full AidenPaths object.
 function getDistillationsDir(rootDir) {
     return node_path_1.default.join(rootDir, 'distillations');
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "aiden-runtime",
-  "version": "4.8.0",
+  "version": "4.9.0",
   "publishConfig": {
     "access": "public"
   },
@@ -43,6 +43,7 @@
     "dist/",
     "config/",
     "skills/",
+    "themes/",
     "plugins/aiden-plugin-cdp-browser/",
     "plugins/aiden-plugin-claude-pro/",
     "plugins/aiden-plugin-chatgpt-plus/",
@@ -60,9 +61,7 @@
   "scripts": {
     "dev": "electron electron/main.js",
     "build": "tsc --outDir dist && npm run build:cli && npm run build:api",
-    "prebuild:cli": "node scripts/inject-version.js",
     "build:cli": "esbuild cli/aiden.ts --bundle --platform=node --target=node18 --outfile=dist-bundle/cli.js --external:electron --external:cpu-features --external:ssh2 --external:bcrypt --external:playwright --external:playwright-core --external:@aws-sdk/client-s3",
-    "prebuild:api": "node scripts/inject-version.js",
     "build:api": "esbuild api/entry.ts --bundle --platform=node --target=node18 --outfile=dist-bundle/index.js --external:electron --external:cpu-features --external:ssh2 --external:bcrypt --external:playwright --external:playwright-core --external:@aws-sdk/client-s3",
     "prepublishOnly": "npm run typecheck && npm run build",
     "typecheck": "tsc --noEmit",
@@ -258,6 +257,7 @@
     "imap-simple": "^5.1.0",
     "js-tiktoken": "^1.0.21",
     "js-yaml": "^4.1.1",
+    "jsonc-parser": "^3.3.1",
     "kleur": "^4.1.5",
     "lru-cache": "^10.0.0",
     "mailparser": "^3.9.8",

package/plugins/aiden-plugin-chatgpt-plus/index.js

@@ -37,7 +37,16 @@ const CHATGPT_PLUS = {
   displayName: 'ChatGPT Plus',
   description:
     'Sign in with your ChatGPT Plus subscription. Uses your existing ChatGPT login — no API key needed. Inference is routed through the Codex Responses API.',
-  defaultModels: ['gpt-5', 'gpt-5-mini'],
+  // v4.9.0 — `defaultModels[0]` is what `setupWizard.ts:810` picks
+  // as a new ChatGPT-Plus user's first model. The Codex OAuth backend
+  // rejects `gpt-5` outright with a 400 ("not supported when using
+  // Codex with a ChatGPT account") for new accounts; `gpt-5.5` is the
+  // first non-codex slug in the registry's modelIds and works
+  // reliably. `gpt-5` stays in the array so users who specifically
+  // want it can still see it in /model. `gpt-5-mini` was removed —
+  // it's a direct OpenAI API name and is NOT valid on the Codex OAuth
+  // endpoint (see providers/v4/registry.ts:117–119).
+  defaultModels: ['gpt-5.5', 'gpt-5'],
 
   clientId: 'app_EMoamEEZ73f0CkXaXp7hrann',
   issuer: 'https://auth.openai.com',

package/themes/default.yaml

@@ -0,0 +1,52 @@
+# Aiden Theme — Default
+# This is the bundled default theme. To customise, copy this file to
+# ~/.aiden/theme.yaml and edit any field. Aiden hot-reloads on save.
+# Bad values warn + fall back per-field; the theme system never crashes
+# Aiden on a typo. Slash commands: /theme reload, /theme reset, /theme edit.
+
+name: "default"
+description: "Aiden's signature brand-orange theme on a dark terminal."
+
+# ── Colors — hex strings ───────────────────────────────────────────────
+colors:
+  brand:
+    primary: "#FF6B35"   # signature brand orange
+    muted:   "#7a3119"   # 30%-luma brand for borders + dim brand surfaces
+  content:
+    primary:   "#e8ebf0" # brightest text — replies, headings on dark bg
+    secondary: "#b8a89a" # warm muted — gutter, secondary detail
+    tertiary:  "#6a6a6a" # captions, deprecated rows, dim status
+  semantic:
+    success: "#7fc28b"
+    warn:    "#e0a040"
+    error:   "#e05a5a"
+    info:    "#7da7c7"
+  metrics:
+    model:     "#9cdcfe" # status bar — model name (cyan)
+    tokens:    "#e0a040" # status bar — token ratio (amber)
+    turnCount: "#a48be0" # status bar — turn counter (purple)
+    timer:     "#7fc28b" # status bar — per-turn elapsed (teal/green)
+  surface:
+    bg:       "#0d0e10"
+    elevated: "#16181b"
+    border:   "#2a2a2a"
+    divider:  "#3a3a3a"
+
+# ── Glyphs ─────────────────────────────────────────────────────────────
+glyphs:
+  panel:
+    bar: "│"           # left-edge bar on /help, approval, Aiden reply chrome
+  trail:
+    gutter: "┊"        # tool-trail row gutter
+  status:
+    triangle: "▲"      # user-prompt prefix + brand mark
+    dot:      "●"
+    dotOpen:  "○"
+    sep:      "│"      # status footer column separator
+    timer:    "⌛"
+  bar:
+    filled: "●"        # context-bar filled cell
+    empty:  "○"        # context-bar empty cell
+  shimmer:
+    block: "█"         # activity-indicator sliding block
+    track: "─"         # activity-indicator track

package/themes/dracula.yaml

@@ -0,0 +1,32 @@
+# Aiden Theme — Dracula
+# Palette inspired by the public Dracula theme by Zeno Rocha
+# (draculatheme.com). High-contrast dark with vivid accents, widely
+# re-implemented across editors and terminals. Hex values are the
+# public palette. Glyphs unchanged from default.
+
+name: "dracula"
+description: "Inspired by Dracula (draculatheme.com). High-contrast dark with vivid accents."
+
+colors:
+  brand:
+    primary: "#FF79C6"
+    muted:   "#BD7AA3"
+  content:
+    primary:   "#F8F8F2"
+    secondary: "#BFBFBF"
+    tertiary:  "#6272A4"
+  semantic:
+    success: "#50FA7B"
+    warn:    "#F1FA8C"
+    error:   "#FF5555"
+    info:    "#8BE9FD"
+  metrics:
+    model:     "#8BE9FD"
+    tokens:    "#F1FA8C"
+    timer:     "#8BE9FD"
+    turnCount: "#BD93F9"
+  surface:
+    bg:       "#282A36"
+    elevated: "#21222C"
+    border:   "#44475A"
+    divider:  "#1E1F29"

package/themes/light.yaml

@@ -0,0 +1,32 @@
+# Aiden Theme — Light
+# Dark text on light terminal background. Brand orange retained as the
+# single warm accent. For users on light-theme terminals (Apple Terminal
+# default profile, Windows Terminal Light, light VS Code integrated, etc.).
+# Glyphs unchanged from default.
+
+name: "light"
+description: "Light terminal. Dark text on light background. Brand orange accent."
+
+colors:
+  brand:
+    primary: "#D9531E"
+    muted:   "#A03D0E"
+  content:
+    primary:   "#1A1A1A"
+    secondary: "#555555"
+    tertiary:  "#888888"
+  semantic:
+    success: "#2E8B2E"
+    warn:    "#B8860B"
+    error:   "#C8202C"
+    info:    "#1F5FA8"
+  metrics:
+    model:     "#1F5FA8"
+    tokens:    "#B8860B"
+    timer:     "#1F5FA8"
+    turnCount: "#7B3FBF"
+  surface:
+    bg:       "#F8F8F8"
+    elevated: "#EFEFEF"
+    border:   "#D0D0D0"
+    divider:  "#E5E5E5"

package/themes/monochrome.yaml

@@ -0,0 +1,31 @@
+# Aiden Theme — Monochrome
+# Pure greyscale. Two semantic accents (error red + success green) are
+# retained for readability of state signals. Everything else greyscale.
+# Glyphs unchanged from default — themes change colors, not shapes.
+
+name: "monochrome"
+description: "Pure greyscale. Semantic accents retained for error/success readability."
+
+colors:
+  brand:
+    primary: "#C8CCD4"
+    muted:   "#888888"
+  content:
+    primary:   "#C8CCD4"
+    secondary: "#888888"
+    tertiary:  "#555555"
+  semantic:
+    success: "#7DC97D"
+    warn:    "#999999"
+    error:   "#D97777"
+    info:    "#AAAAAA"
+  metrics:
+    model:     "#AAAAAA"
+    tokens:    "#AAAAAA"
+    timer:     "#888888"
+    turnCount: "#BBBBBB"
+  surface:
+    bg:       "#0A0A0A"
+    elevated: "#1A1A1A"
+    border:   "#444444"
+    divider:  "#3A3A3A"