aiden-runtime 4.8.1 → 4.9.1

package/dist/core/v4/theme/themeWatcher.js

@@ -0,0 +1,95 @@
+"use strict";
+/**
+ * Copyright (c) 2026 Shiva Deore (Taracod).
+ * Licensed under AGPL-3.0. See LICENSE for details.
+ *
+ * Aiden — local-first agent.
+ */
+/**
+ * core/v4/theme/themeWatcher.ts — v4.9.0 Slice 1a.
+ *
+ * chokidar-backed file watcher for `~/.aiden/theme.yaml`. On change
+ * (debounced 200ms to avoid mid-save partial reads), re-parses the
+ * file and applies it via the ThemeRegistry. Self-contained — caller
+ * just calls `startThemeWatcher(path)` once at REPL start and
+ * `stopThemeWatcher()` on quit.
+ */
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.startThemeWatcher = startThemeWatcher;
+exports.stopThemeWatcher = stopThemeWatcher;
+exports._isWatcherActive = _isWatcherActive;
+const chokidar_1 = __importDefault(require("chokidar"));
+const node_fs_1 = require("node:fs");
+const themeLoader_1 = require("./themeLoader");
+const themeRegistry_1 = require("./themeRegistry");
+const DEBOUNCE_MS = 200;
+let active = null;
+/**
+ * Start watching the theme file. If the file already exists at start,
+ * applies it immediately (so the first paint reflects the user's
+ * choice). Idempotent — calling twice replaces the previous watcher.
+ */
+function startThemeWatcher(themePath, opts = {}) {
+    stopThemeWatcher();
+    const debounceMs = opts.debounceMs ?? DEBOUNCE_MS;
+    const onWarn = opts.onWarn ?? ((m) => console.warn(`[theme] ${m}`));
+    // Apply on first-existence so the REPL boots into the user's theme.
+    if ((0, node_fs_1.existsSync)(themePath)) {
+        const { parsed, warnings } = (0, themeLoader_1.loadThemeFile)(themePath);
+        for (const w of warnings)
+            onWarn(w);
+        if (parsed)
+            (0, themeRegistry_1.applyTheme)(parsed, themePath);
+    }
+    const watcher = chokidar_1.default.watch(themePath, {
+        persistent: true,
+        awaitWriteFinish: { stabilityThreshold: debounceMs, pollInterval: 50 },
+        ignoreInitial: true,
+    });
+    const state = {
+        watcher,
+        debounceTimer: null,
+        themePath,
+        onWarn,
+    };
+    const reload = () => {
+        if (state.debounceTimer)
+            clearTimeout(state.debounceTimer);
+        state.debounceTimer = setTimeout(() => {
+            state.debounceTimer = null;
+            if (!(0, node_fs_1.existsSync)(themePath)) {
+                (0, themeRegistry_1.resetToDefault)();
+                return;
+            }
+            const { parsed, warnings } = (0, themeLoader_1.loadThemeFile)(themePath);
+            for (const w of warnings)
+                onWarn(w);
+            if (parsed)
+                (0, themeRegistry_1.applyTheme)(parsed, themePath);
+        }, debounceMs);
+    };
+    watcher.on('add', reload);
+    watcher.on('change', reload);
+    watcher.on('unlink', () => {
+        if (state.debounceTimer)
+            clearTimeout(state.debounceTimer);
+        state.debounceTimer = null;
+        (0, themeRegistry_1.resetToDefault)();
+    });
+    watcher.on('error', (err) => onWarn(`watcher error: ${err.message}`));
+    active = state;
+}
+/** Stop the active watcher. No-op when none is running. */
+function stopThemeWatcher() {
+    if (!active)
+        return;
+    if (active.debounceTimer)
+        clearTimeout(active.debounceTimer);
+    void active.watcher.close();
+    active = null;
+}
+/** Test helper. */
+function _isWatcherActive() { return active !== null; }

package/dist/core/v4/toolRegistry.js

@@ -186,15 +186,40 @@ class ToolRegistry {
                     };
                 }
             }
+            // v4.9.0 Slice 6 — wrap the handler call in a tool span when the
+            // daemon foundation is up AND an ExecutionContext is active. NOOP
+            // outside daemon mode or outside a runWithContext frame. Lazy
+            // require avoids pulling daemon code into the v4 core import
+            // graph at module load (would break headless / cli-test imports
+            // that don't open a DB).
+            //
+            // v4.9.0 Slice 12a Phase 3 — inside the tool span, fire
+            // `tool.call.pre` + `tool.call.post` hooks via `runToolWithHooks`.
+            // Mandatory pre-hook blocks surface as HookBlockedError, caught
+            // by the outer try/catch and mapped to a structured error result.
+            const dispatch = async (a) => handler.execute(a, context);
+            let result;
             try {
-                const result = await handler.execute(args, context);
-                // v4.1.3-repl-polish: lift `degraded` + `degradedReason` from the
-                // handler's inner result to the outer ToolCallResult so the CLI
-                // trail row can render the partial-yellow state. Tools opt in by
-                // setting these on the object they return; without this lift the
-                // flags would sit on `out.result.degraded` where callbacks.ts
-                // can't see them. Strict typeof checks avoid promoting truthy-
-                // but-wrong-shape junk (numbers, strings, nested objects).
+                const sliced = sliceSpanShim();
+                if (sliced && sliced.db && sliced.hasContext()) {
+                    const sideEffect = sliced.classifySideEffect(handler);
+                    const inputFp = sliced.fingerprint(args);
+                    result = await sliced.withToolSpan(sliced.db, { toolName: call.name, inputFingerprint: inputFp, sideEffectClass: sideEffect }, async (childCtx) => sliced.runToolWithHooks({
+                        db: sliced.db,
+                        toolName: call.name,
+                        toolCallId: call.id,
+                        args,
+                        ctx: {
+                            runId: childCtx.runId,
+                            traceId: childCtx.traceId,
+                            spanId: childCtx.spanId,
+                            parentSpanId: childCtx.parentSpanId,
+                        },
+                    }, dispatch));
+                }
+                else {
+                    result = await dispatch(args);
+                }
                 const inner = result;
                 const out = { id: call.id, name: call.name, result };
                 if (typeof inner?.degraded === 'boolean' && inner.degraded) {
@@ -206,6 +231,17 @@ class ToolRegistry {
                 return out;
             }
             catch (err) {
+                // v4.9.0 Slice 12a — hook blocks surface as a structured
+                // rejection so the model gets the hook's `reason` / `model_message`
+                // verbatim instead of a bare exception string.
+                if (err instanceof toolHookGate_1.HookBlockedError) {
+                    return {
+                        id: call.id,
+                        name: call.name,
+                        result: null,
+                        error: err.modelMessage ?? err.message,
+                    };
+                }
                 const message = err instanceof Error ? err.message : String(err);
                 return { id: call.id, name: call.name, result: null, error: message };
             }
@@ -213,3 +249,30 @@ class ToolRegistry {
     }
 }
 exports.ToolRegistry = ToolRegistry;
+// v4.9.0 Slice 6 — static imports for the span-shim bridge. Earlier
+// attempts used lazy `require()` to keep daemon code out of the import
+// graph when the test harness doesn't compile it; that path broke
+// under vite-node which doesn't intercept CJS require for `.ts`
+// targets. Static ESM imports work in both vitest + production builds.
+const bootstrap_1 = require("./daemon/bootstrap");
+const spanHelpers_1 = require("./daemon/spans/spanHelpers");
+const identity_1 = require("./identity");
+const toolHookGate_1 = require("./hooks/toolHookGate");
+function classifySideEffectForHandler(h) {
+    if (h.riskTier === 'dangerous')
+        return 'destructive';
+    if (h.mutates === false)
+        return 'read';
+    if (h.mutates === true)
+        return 'mutating';
+    return 'read';
+}
+const _toolSpanShim = {
+    get db() { return (0, bootstrap_1.getCurrentDaemonDb)(); },
+    hasContext: () => (0, identity_1.currentContext)() !== undefined,
+    classifySideEffect: classifySideEffectForHandler,
+    fingerprint: spanHelpers_1.shortInputFingerprint,
+    withToolSpan: spanHelpers_1.withToolSpan,
+    runToolWithHooks: toolHookGate_1.runToolWithHooks,
+};
+function sliceSpanShim() { return _toolSpanShim; }

package/dist/core/v4/update/depWarningFilter.js

@@ -0,0 +1,76 @@
+"use strict";
+/**
+ * Copyright (c) 2026 Shiva Deore (Taracod).
+ * Licensed under AGPL-3.0. See LICENSE for details.
+ *
+ * Aiden — local-first agent.
+ */
+/**
+ * core/v4/update/depWarningFilter.ts — v4.9.1.
+ *
+ * Strip Node `DeprecationWarning` noise (DEP0190 and friends) from
+ * npm install stderr before it reaches the user. Filtered lines are
+ * preserved in `~/.aiden/logs/update.log` so diagnostics aren't lost.
+ *
+ * Conservative match — only filters lines that BOTH look like a Node
+ * deprecation header AND name a DEP code or the trace-deprecation hint.
+ * Legitimate npm errors (EACCES, ENOTFOUND, ENOENT, etc.) pass through.
+ */
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isDeprecationLine = isDeprecationLine;
+exports.splitStderr = splitStderr;
+exports.logFilteredWarnings = logFilteredWarnings;
+const node_fs_1 = require("node:fs");
+const node_path_1 = __importDefault(require("node:path"));
+const node_os_1 = __importDefault(require("node:os"));
+/** True iff the line is Node-deprecation chatter we should hide. */
+function isDeprecationLine(line) {
+    // Node's deprecation banner header: "(node:NNNN) [DEP0190] DeprecationWarning: ..."
+    if (/^\s*\(node:\d+\)\s*(?:\[DEP\d+\]\s*)?DeprecationWarning:/.test(line))
+        return true;
+    // The follow-up hint Node emits underneath the header.
+    if (/Use `node --trace-deprecation/.test(line))
+        return true;
+    // Bare DEP code lines (some Node versions emit these stand-alone).
+    if (/^\s*\[DEP\d+\]/.test(line))
+        return true;
+    return false;
+}
+/**
+ * Split an stderr blob into `kept` (user-visible) and `filtered`
+ * (deprecation noise, routed to the diagnostic log).
+ */
+function splitStderr(blob) {
+    if (!blob)
+        return { kept: '', filtered: '' };
+    const lines = blob.split(/\r?\n/);
+    const kept = [];
+    const filtered = [];
+    for (const ln of lines) {
+        if (isDeprecationLine(ln))
+            filtered.push(ln);
+        else
+            kept.push(ln);
+    }
+    return { kept: kept.join('\n'), filtered: filtered.join('\n') };
+}
+/**
+ * Append filtered lines to `~/.aiden/logs/update.log` with an ISO
+ * timestamp header. Fail-open: a log-write failure must NEVER crash
+ * the install path.
+ */
+async function logFilteredWarnings(filtered, opts = {}) {
+    if (!filtered || !filtered.trim())
+        return;
+    try {
+        const root = opts.aidenRoot ?? node_path_1.default.join(node_os_1.default.homedir(), '.aiden');
+        const logDir = node_path_1.default.join(root, 'logs');
+        await node_fs_1.promises.mkdir(logDir, { recursive: true });
+        const entry = `[${new Date().toISOString()}] update.npm-deprecation:\n${filtered}\n\n`;
+        await node_fs_1.promises.appendFile(node_path_1.default.join(logDir, 'update.log'), entry, 'utf8');
+    }
+    catch { /* fail-open */ }
+}

package/dist/core/v4/update/executeInstall.js

@@ -42,11 +42,18 @@
  *   - No registry probe — call `checkForUpdate` first if you need to
  *     know whether an install is warranted.
  */
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.INSTALL_TIMEOUT_MS = void 0;
 exports.executeInstall = executeInstall;
 exports.parseInstalledVersion = parseInstalledVersion;
 const node_child_process_1 = require("node:child_process");
+const node_os_1 = __importDefault(require("node:os"));
+const depWarningFilter_1 = require("./depWarningFilter");
+const platformInstructions_1 = require("./platformInstructions");
+const progressBar_1 = require("../../../cli/v4/ui/progressBar");
 /** 90 s wall-clock cap. Generous on cold caches / slow networks. */
 exports.INSTALL_TIMEOUT_MS = 90000;
 const DEFAULT_PACKAGE_SPEC = 'aiden-runtime@latest';
@@ -64,6 +71,9 @@ async function executeInstall(opts = {}) {
     const timeoutMs = opts.timeoutMs ?? exports.INSTALL_TIMEOUT_MS;
     const packageSpec = opts.packageSpec ?? DEFAULT_PACKAGE_SPEC;
     const platform = opts.platform ?? process.platform;
+    const home = opts.home ?? node_os_1.default.homedir();
+    const env = opts.env ?? process.env;
+    const onPhase = opts.onPhase ?? ((_p) => { });
     return new Promise((resolve) => {
         const args = ['install', '-g', packageSpec];
         // v4.8.1 Slice 2 — drop `shell: true`. Node 20+ emits
@@ -78,6 +88,7 @@ async function executeInstall(opts = {}) {
         const spawnOpts = {
             stdio: ['ignore', 'pipe', 'pipe'],
         };
+        onPhase('spawning');
         let child;
         try {
             child = spawn(cmd, args, spawnOpts);
@@ -92,11 +103,23 @@ async function executeInstall(opts = {}) {
         }
         let stdoutBuf = '';
         let stderrBuf = '';
+        // v4.9.1 — parse phase signal off each chunk.
+        const tryEmitPhase = (chunk) => {
+            for (const ln of chunk.split(/\r?\n/)) {
+                const p = (0, progressBar_1.detectNpmPhase)(ln);
+                if (p)
+                    onPhase(p);
+            }
+        };
         child.stdout?.on('data', (chunk) => {
-            stdoutBuf += chunk.toString();
+            const s = chunk.toString();
+            stdoutBuf += s;
+            tryEmitPhase(s);
         });
         child.stderr?.on('data', (chunk) => {
-            stderrBuf += chunk.toString();
+            const s = chunk.toString();
+            stderrBuf += s;
+            tryEmitPhase(s);
         });
         // Timeout — kill the child + resolve as a failure with the captured
         // output so the user sees what npm was doing.
@@ -121,7 +144,11 @@ async function executeInstall(opts = {}) {
         child.on('close', (code) => {
             clearTimeout(timer);
             const stdout = stdoutBuf;
-            const stderr = stderrBuf;
+            // v4.9.1 — strip Node DEP* noise from stderr before any surfacing
+            // to the user. Filtered lines land in ~/.aiden/logs/update.log.
+            const { kept: stderr, filtered } = (0, depWarningFilter_1.splitStderr)(stderrBuf);
+            if (filtered)
+                void (0, depWarningFilter_1.logFilteredWarnings)(filtered);
             const exitCode = code ?? -1;
             if (timedOut) {
                 resolve({
@@ -134,14 +161,16 @@ async function executeInstall(opts = {}) {
             }
             // Permission-denied: surface platform-specific remediations.
             if (isPermissionDenied(stdout, stderr, exitCode)) {
+                onPhase('failed');
                 resolve({
                     success: false,
-                    error: permissionDeniedMessage(platform),
+                    error: permissionDeniedMessage(platform, home, env),
                     stdout, stderr, exitCode,
                 });
                 return;
             }
             if (exitCode !== 0) {
+                onPhase('failed');
                 resolve({
                     success: false,
                     error: `Install failed (npm exit ${exitCode}). ` +
@@ -153,6 +182,7 @@ async function executeInstall(opts = {}) {
             }
             // Success — parse installed version from npm output. Pattern:
             // "+ aiden-runtime@4.1.3" or "added 1 package ... aiden-runtime@4.1.3"
+            onPhase('installed');
             const installedVersion = parseInstalledVersion(stdout) ?? parseInstalledVersion(stderr) ?? undefined;
             resolve({
                 success: true,
@@ -190,38 +220,14 @@ function isPermissionDenied(stdout, stderr, exitCode) {
     return false;
 }
 /**
- * Build the platform-specific copy-paste remediation. Provides three
- * distinct paths — system-wide-with-elevation (Windows admin),
- * sudo (macOS/Linux), or user-local-prefix (cross-platform) — so the
- * user has options without us trying to self-escalate to UAC/sudo
- * from inside the running REPL.
+ * v4.9.1 — Build the platform-specific copy-paste remediation. Delegates
+ * to `platformInstructions.ts` for the heavy lifting so the same builder
+ * powers both EPERM remediation + stale-prefix warnings + the future
+ * `aiden update --setup-user-prefix` helper.
  */
-function permissionDeniedMessage(platform) {
-    const userLocal = 'Or use a user-local npm prefix to avoid privileges entirely:\n' +
-        '              npm config set prefix ~/.npm-global\n' +
-        '              export PATH=~/.npm-global/bin:$PATH    # add to your shell profile\n' +
-        '              npm install -g aiden-runtime@latest';
-    if (platform === 'win32') {
-        return [
-            'Install failed: permission denied (npm needs Administrator for global install).',
-            '',
-            'To update manually:',
-            '  Windows:  Open PowerShell as Administrator, then:',
-            '              npm install -g aiden-runtime@latest',
-            '',
-            userLocal,
-        ].join('\n');
-    }
-    // darwin / linux / others — sudo path.
-    return [
-        'Install failed: permission denied (npm needs sudo for global install).',
-        '',
-        'To update manually:',
-        '  macOS / Linux:',
-        '              sudo npm install -g aiden-runtime@latest',
-        '',
-        userLocal,
-    ].join('\n');
+function permissionDeniedMessage(platform, home, env) {
+    const instr = (0, platformInstructions_1.permissionDeniedInstructions)({ platform, home, env });
+    return [instr.headline, '', ...instr.steps].join('\n');
 }
 /**
  * Find the installed version in npm output. Two common patterns:

package/dist/core/v4/update/platformInstructions.js

@@ -0,0 +1,128 @@
+"use strict";
+/**
+ * Copyright (c) 2026 Shiva Deore (Taracod).
+ * Licensed under AGPL-3.0. See LICENSE for details.
+ *
+ * Aiden — local-first agent.
+ */
+/**
+ * core/v4/update/platformInstructions.ts — v4.9.1.
+ *
+ * Per-platform copy-paste remediation text for:
+ *   - EPERM / EACCES during global npm install
+ *   - Stale / risky npm prefix detection
+ *
+ * Branches purely on `process.platform` (and `$SHELL` for unix shell-
+ * rc-file recommendations). Shell syntax MUST be correct per-platform:
+ * PowerShell on Windows, bash/zsh on Unix. Cross-contamination is a
+ * regression (the v4.9.0 bug we're hot-fixing).
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.detectShell = detectShell;
+exports.permissionDeniedInstructions = permissionDeniedInstructions;
+exports.detectStalePrefix = detectStalePrefix;
+/**
+ * Detect the user's interactive shell on POSIX. Returns the basename
+ * (`zsh` / `bash` / `sh`) or null when undetectable. Pure — env is
+ * injected so tests pin a value.
+ */
+function detectShell(env = process.env) {
+    const sh = env.SHELL;
+    if (!sh)
+        return null;
+    const last = sh.split(/[\\/]/).pop() || '';
+    return last.toLowerCase() || null;
+}
+/** rc-file path the user should edit, per shell. POSIX only. */
+function rcFileFor(shell, home) {
+    if (shell === 'zsh')
+        return `${home}/.zshrc`;
+    if (shell === 'bash')
+        return `${home}/.bashrc   (or ~/.bash_profile on macOS)`;
+    return `${home}/.profile`;
+}
+/**
+ * Build the EPERM/EACCES remediation. Two options per platform —
+ * elevation (one-time) and user-local prefix (permanent, no privs).
+ */
+function permissionDeniedInstructions(opts) {
+    const env = opts.env ?? process.env;
+    if (opts.platform === 'win32') {
+        return {
+            headline: 'Install failed: permission denied. npm needs Administrator for a global install on Windows.',
+            shell: 'powershell',
+            steps: [
+                'Option 1 — Run once with elevated privileges:',
+                '  • Open PowerShell as Administrator (right-click → "Run as administrator")',
+                '  • npm install -g aiden-runtime@latest',
+                '',
+                'Option 2 — Permanent: switch npm to a user-local prefix (no admin needed ever again):',
+                '  • npm config set prefix "$env:USERPROFILE\\AppData\\Roaming\\npm"',
+                '  • [Environment]::SetEnvironmentVariable("Path", "$env:USERPROFILE\\AppData\\Roaming\\npm;" + [Environment]::GetEnvironmentVariable("Path", "User"), "User")',
+                '  • Close + reopen PowerShell, then:  npm install -g aiden-runtime@latest',
+            ],
+        };
+    }
+    // POSIX: darwin / linux / *bsd / etc.
+    const shell = detectShell(env);
+    const rcFile = rcFileFor(shell, opts.home);
+    return {
+        headline: `Install failed: permission denied. npm needs sudo for a global install on ${opts.platform}.`,
+        shell: shell ?? undefined,
+        rcFile,
+        steps: [
+            'Option 1 — Run once with elevated privileges:',
+            '  • sudo npm install -g aiden-runtime@latest',
+            '',
+            'Option 2 — Permanent: switch npm to a user-local prefix (no sudo needed ever again):',
+            `  • npm config set prefix "${opts.home}/.npm-global"`,
+            `  • echo 'export PATH="${opts.home}/.npm-global/bin:$PATH"' >> ${rcFile}`,
+            `  • source ${rcFile}`,
+            '  • npm install -g aiden-runtime@latest',
+        ],
+    };
+}
+/**
+ * Stale / risky prefix detection. Returns a warning when the npm
+ * `prefix` config points at a location that needs elevation OR is
+ * known to cause permission churn. `null` when the prefix is safe.
+ *
+ * `writable` is the result of a `fs.access` check the caller does
+ * before invoking us (we don't want to do filesystem I/O in a pure
+ * builder — caller controls the side effect).
+ */
+function detectStalePrefix(opts) {
+    const env = opts.env ?? process.env;
+    const p = opts.prefix;
+    // Windows risk: Program Files.
+    if (opts.platform === 'win32') {
+        if (/^[a-zA-Z]:\\Program Files/i.test(p)) {
+            return {
+                warning: `npm prefix is "${p}" — global installs here require Administrator every time.`,
+                switchSteps: [
+                    'Switch to a user-local prefix to avoid the prompt forever:',
+                    '  • npm config set prefix "$env:USERPROFILE\\AppData\\Roaming\\npm"',
+                    '  • [Environment]::SetEnvironmentVariable("Path", "$env:USERPROFILE\\AppData\\Roaming\\npm;" + [Environment]::GetEnvironmentVariable("Path", "User"), "User")',
+                    '  • Close + reopen PowerShell.',
+                ],
+            };
+        }
+        return null;
+    }
+    // POSIX risk: /usr or /usr/local without write access.
+    const risky = p === '/usr' || p === '/usr/local' || p.startsWith('/usr/');
+    if (risky && !opts.writable) {
+        const shell = detectShell(env);
+        const rcFile = rcFileFor(shell, opts.home);
+        return {
+            warning: `npm prefix is "${p}" — global installs here require sudo every time.`,
+            switchSteps: [
+                'Switch to a user-local prefix to avoid sudo forever:',
+                `  • npm config set prefix "${opts.home}/.npm-global"`,
+                `  • echo 'export PATH="${opts.home}/.npm-global/bin:$PATH"' >> ${rcFile}`,
+                `  • source ${rcFile}`,
+            ],
+        };
+    }
+    return null;
+}

package/dist/moat/approvalEngine.js

@@ -180,6 +180,10 @@ class ApprovalEngine {
      * categories are always allowed without consulting any callback.
      */
     async checkApproval(req) {
+        // v4.9.0 Slice 12b — fire `approval.requested` for any gated call.
+        // Read-category short-circuits below; we still fire so observers
+        // see ALL approval requests (not just the ones that prompt).
+        this.callbacks.onRequested?.(req);
         if (req.category === 'read') {
             this.callbacks.onDecision?.(req, 'allow');
             return true;

package/dist/moat/memoryGuard.js

@@ -212,7 +212,14 @@ class MemoryGuard {
 }
 exports.MemoryGuard = MemoryGuard;
 function pickFile(snap, file) {
-    return file === 'user' ? snap.userMd : snap.memoryMd;
+    // v4.9.0 Slice 11 — legacy back-compat for 'memory' / 'user' direct
+    // reads (Phase 9 + Honesty Enforcement still consult these); new
+    // namespaces flow through the generalized `files` map.
+    if (file === 'user' && snap.userMd !== undefined)
+        return snap.userMd;
+    if (file === 'memory' && snap.memoryMd !== undefined)
+        return snap.memoryMd;
+    return snap.files?.[file]?.content ?? '';
 }
 /**
  * Phase v4.1.2-bug-X: section-aware containment check.

package/dist/providers/v4/anthropicAdapter.js

@@ -92,14 +92,14 @@ class AnthropicAdapter {
     // ── Public: non-streaming ────────────────────────────────────────────────
     async call(input) {
         const body = this.buildBody(input, /* streaming */ false);
-        const reply = await this.dispatch(body, /* streaming */ false, input.signal);
+        const reply = await this.dispatch(body, /* streaming */ false, input.signal, input.headers);
         const json = (await reply.json());
         return decodeResponse(json);
     }
     // ── Public: streaming ────────────────────────────────────────────────────
     async *callStream(input) {
         const body = this.buildBody(input, /* streaming */ true);
-        const reply = await this.dispatch(body, /* streaming */ true, input.signal);
+        const reply = await this.dispatch(body, /* streaming */ true, input.signal, input.headers);
         if (!reply.body) {
             // Server promised SSE but gave us nothing — fall through to a synthetic
             // empty done event so the agent loop terminates rather than hangs.
@@ -163,11 +163,17 @@ class AnthropicAdapter {
         // beta flags, or per-deployment routing tags without forking the adapter.
         return { ...headers, ...this.extraHeaders };
     }
-    async dispatch(body, streaming, externalSignal) {
+    async dispatch(body, streaming, externalSignal, outboundHeaders) {
         // Resolved once per process via the userAgent module's cache, so paying
         // for the version detection here is cheap on every retry/turn.
         const userAgent = await (0, userAgent_1.getClaudeCliUserAgent)();
-        const headers = this.buildHeaders(streaming, userAgent);
+        // v4.9.0 Slice 7 — merge caller-supplied outbound headers (e.g.
+        // `traceparent`, `X-Aiden-Run-Id`) below the adapter's defaults so
+        // they can't override `Authorization` / `anthropic-version` etc.,
+        // but above `extraHeaders` so a deliberate per-deployment override
+        // still wins.
+        const base = this.buildHeaders(streaming, userAgent);
+        const headers = outboundHeaders ? { ...outboundHeaders, ...base } : base;
         const serialised = JSON.stringify(body);
         const totalTries = this.maxRetries + 1;
         let lastErr = null;

package/dist/tools/v4/backends/local.js

@@ -20,6 +20,8 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.localBackendExecute = localBackendExecute;
 const node_child_process_1 = require("node:child_process");
+// v4.9.0 Slice 7 — propagate ExecutionContext into the child via env.
+const identity_1 = require("../../../core/v4/identity");
 const DEFAULT_TIMEOUT = 30000;
 async function localBackendExecute(args, cb = {}) {
     const command = args.command.trim();
@@ -38,14 +40,29 @@ async function localBackendExecute(args, cb = {}) {
     const timeoutMs = args.timeoutMs ?? DEFAULT_TIMEOUT;
     const capture = args.captureOutput ?? true;
     return new Promise((resolve) => {
+        // v4.9.0 Slice 7 — when running inside a `runWithContext` frame,
+        // stamp AIDEN_* env vars so the child process can reconstitute
+        // the same daemon/incarnation/run/trace correlation chain via
+        // `readContextFromEnv(process.env)`. Outside a context frame, the
+        // env spread is unchanged.
+        const ambient = (0, identity_1.currentContext)();
+        let baseEnv;
+        if (ambient) {
+            baseEnv = (0, identity_1.spawnEnvWithContext)(ambient, process.env);
+        }
+        else {
+            // v4.9.0 Slice 8 — report through the enforcement layer.
+            (0, identity_1.reportMissingContext)('subprocess', 'shellExec');
+            baseEnv = process.env;
+        }
         const child = isWin
             ? (0, node_child_process_1.spawn)('powershell.exe', ['-NoProfile', '-Command', command], {
                 cwd: args.cwd,
-                env: { ...process.env, ...(args.env ?? {}) },
+                env: { ...baseEnv, ...(args.env ?? {}) },
             })
             : (0, node_child_process_1.spawn)('bash', ['-lc', command], {
                 cwd: args.cwd,
-                env: { ...process.env, ...(args.env ?? {}) },
+                env: { ...baseEnv, ...(args.env ?? {}) },
             });
         let stdout = '';
         let stderr = '';