arkaos 2.63.0 → 2.65.0

package/VERSION

@@ -1 +1 @@
-2.63.0
+2.65.0

package/config/hooks/stop.sh

@@ -19,12 +19,25 @@ SESSION_ID=""
 TRANSCRIPT_PATH=""
 STOP_HOOK_ACTIVE=""
 CWD=""
+EFFORT_LEVEL=""
 if command -v jq &>/dev/null; then
   SESSION_ID=$(echo "$input" | jq -r '.session_id // ""' 2>/dev/null)
   TRANSCRIPT_PATH=$(echo "$input" | jq -r '.transcript_path // ""' 2>/dev/null)
   STOP_HOOK_ACTIVE=$(echo "$input" | jq -r '.stop_hook_active // ""' 2>/dev/null)
   CWD=$(echo "$input" | jq -r '.cwd // ""' 2>/dev/null)
+  # PR46 v2.65.0 — Claude Code W19 ships effort.level in hook stdin and
+  # $CLAUDE_EFFORT env var. Soft-block checks (kb-cite, meta-tag) only
+  # run at high|xhigh; hard enforcement runs regardless.
+  EFFORT_LEVEL=$(echo "$input" | jq -r '.effort.level // ""' 2>/dev/null)
 fi
+# Fallback to env var if stdin didn't carry it
+[ -z "$EFFORT_LEVEL" ] && EFFORT_LEVEL="${CLAUDE_EFFORT:-}"
+
+# Telemetry-only signal. Soft-block checks (kb_cite, meta_tag, sycophancy)
+# always run here because they're cheap and feed /arka compliance.
+# What is effort-gated is the NUDGE SURFACING in user-prompt-submit.sh
+# (whether the next turn sees a [arka:suggest] line). Record the level
+# on the telemetry row so we can later analyze suppression rates.
 
 # Prevent infinite loops when Stop hook was triggered by its own decision.
 if [ "$STOP_HOOK_ACTIVE" = "true" ]; then
@@ -60,6 +73,7 @@ SESSION_ID_VAL="$SESSION_ID" \
 TRANSCRIPT_PATH_VAL="$TRANSCRIPT_PATH" \
 CWD_VAL="$CWD" \
 ARKAOS_ROOT_VAL="$ARKAOS_ROOT" \
+EFFORT_LEVEL_VAL="$EFFORT_LEVEL" \
 python3 - <<'PY' 2>/dev/null
 import json
 import os
@@ -223,6 +237,9 @@ entry = {
     "kb_cite_topic_score": cite_topic_score,
     "meta_tag_check_passed": meta_passed,
     "meta_tag_check_reason": meta_reason,
+    # PR46 v2.65.0 — Claude Code effort level captured for later analysis
+    # of nudge-suppression rates. Unset / unknown values land as "".
+    "effort_level": os.environ.get("EFFORT_LEVEL_VAL", ""),
     "mode": "warn",
 }
 

package/config/hooks/user-prompt-submit.sh

@@ -84,10 +84,25 @@ mkdir -p "$CACHE_DIR" 2>/dev/null
 # ─── Extract user input from hook JSON ───────────────────────────────────
 user_input=""
 SESSION_ID=""
+EFFORT_LEVEL=""
 if command -v jq &>/dev/null; then
   user_input=$(echo "$input" | jq -r '.userInput // .message // ""' 2>/dev/null)
   SESSION_ID=$(echo "$input" | jq -r '.session_id // ""' 2>/dev/null)
+  # PR46 v2.65.0 — Claude Code W19 ships effort.level in hook stdin.
+  # Soft-block nudges (KB-first + meta-tag) are gated by effort: only
+  # surfaced at high|xhigh; low/medium skip the nudge to avoid forcing
+  # the model to comply with full contracts during cheap exploratory
+  # turns. Hard enforcement (PreToolUse flow_enforcer) runs regardless.
+  EFFORT_LEVEL=$(echo "$input" | jq -r '.effort.level // ""' 2>/dev/null)
 fi
+[ -z "$EFFORT_LEVEL" ] && EFFORT_LEVEL="${CLAUDE_EFFORT:-}"
+
+# Decide whether soft-block nudges surface to the next turn.
+_ARKA_SURFACE_NUDGES="true"
+case "${EFFORT_LEVEL:-high}" in
+  low|medium) _ARKA_SURFACE_NUDGES="false" ;;
+  *)          _ARKA_SURFACE_NUDGES="true"  ;;
+esac
 
 # ─── Flow marker cache invalidation (v2 — new turn, reset ALLOW cache) ──
 # Cheap, non-blocking, runs before Synapse so a stuck Python later cannot
@@ -376,7 +391,7 @@ fi
 # the suggestion to the model in this turn's additionalContext. One-shot:
 # the file is deleted after read so the nudge does not repeat across turns.
 _KB_CITE_NUDGE=""
-if [ -n "$SESSION_ID" ]; then
+if [ -n "$SESSION_ID" ] && [ "$_ARKA_SURFACE_NUDGES" = "true" ]; then
   _CITE_FILE="/tmp/arkaos-cite/${SESSION_ID}.json"
   if [ -f "$_CITE_FILE" ]; then
     if command -v jq &>/dev/null; then
@@ -397,7 +412,7 @@ fi
 # Mirror of the KB citation nudge but for the [arka:meta] one-liner
 # contract. One-shot; deleted after read.
 _META_TAG_NUDGE=""
-if [ -n "$SESSION_ID" ]; then
+if [ -n "$SESSION_ID" ] && [ "$_ARKA_SURFACE_NUDGES" = "true" ]; then
   _META_FILE="/tmp/arkaos-meta/${SESSION_ID}.json"
   if [ -f "$_META_FILE" ]; then
     if command -v jq &>/dev/null; then

package/installer/hard-deny.js

@@ -0,0 +1,163 @@
+// autoMode.hard_deny defaults for Claude Code (PR45 v2.64.0).
+//
+// Claude Code v2.1.131+ shipped `autoMode.hard_deny` — actions that block
+// unconditionally in auto mode regardless of allow rules. Without this,
+// auto mode is structurally unsafe (allowlist alone cannot express
+// "never run this even if a broader allow matches"). PR45 ships a
+// curated default deny list and merges it into ~/.claude/settings.json
+// without clobbering operator-authored entries.
+//
+// Operator extensions live in ~/.arkaos/hard-deny.json — installer
+// reads it on every run and merges into the Claude settings file.
+//
+// Behaviour:
+//   - No-op when runtime is not Claude Code
+//   - Idempotent: merges by string equality; duplicates are dropped
+//   - Atomic write via .tmp + rename
+//   - Preserves all other settings.json content untouched
+//   - Never raises — failures logged but don't break the installer
+
+import {
+  existsSync, readFileSync, writeFileSync, renameSync, copyFileSync, mkdirSync,
+} from "node:fs";
+import { homedir } from "node:os";
+import { join, dirname } from "node:path";
+
+// Curated default deny list. Each entry follows Claude Code's
+// permission-rule syntax: ToolName(pattern). The patterns are
+// load-bearing — pick conservatively, since auto mode without these
+// rules silently allows them when a broader allow matches.
+export const DEFAULT_HARD_DENY_RULES = [
+  // Destructive git operations
+  "Bash(git push --force*)",
+  "Bash(git push -f*)",
+  "Bash(git reset --hard*)",
+  "Bash(git clean -fd*)",
+  "Bash(git branch -D*)",
+
+  // Filesystem destruction
+  "Bash(rm -rf /*)",
+  "Bash(rm -rf ~/*)",
+  "Bash(rm -rf ~)",
+  "Bash(rm -rf .*)",
+
+  // Secrets and credential paths
+  "Read(~/.ssh/*)",
+  "Read(~/.ssh/**)",
+  "Read(~/.aws/credentials)",
+  "Read(~/.aws/config)",
+  "Read(~/.gnupg/*)",
+  "Read(~/.gnupg/**)",
+  "Read(~/.npmrc)",
+  "Read(~/.docker/config.json)",
+  "Read(~/.config/gh/*)",
+  "Read(/etc/shadow)",
+  "Read(/etc/sudoers)",
+
+  // Writes to credential / config dirs
+  "Write(~/.ssh/*)",
+  "Write(~/.aws/credentials)",
+  "Write(~/.gnupg/*)",
+  "Write(~/.npmrc)",
+
+  // Process / privilege escalation
+  "Bash(sudo *)",
+  "Bash(su -*)",
+  "Bash(chmod 777*)",
+  "Bash(curl * | sh*)",
+  "Bash(curl * | bash*)",
+  "Bash(wget * | sh*)",
+  "Bash(wget * | bash*)",
+];
+
+
+// Operator extension file. Lines added here are merged into the
+// Claude settings on every install/update.
+const _USER_EXTENSION_FILE = "hard-deny.json";
+
+
+export function seedAutoModeHardDeny({
+  runtime = "claude-code",
+  home = homedir(),
+  defaults = DEFAULT_HARD_DENY_RULES,
+} = {}) {
+  if (runtime !== "claude-code") {
+    return { skipped: "runtime-not-claude-code", action: null, count: 0 };
+  }
+  const settingsPath = join(home, ".claude", "settings.json");
+  if (!existsSync(settingsPath)) {
+    return { skipped: "claude-settings-not-found", action: null, count: 0 };
+  }
+  const userExtensions = readUserExtensions(home);
+  const merged = mergeUnique(defaults, userExtensions);
+  return writeMergedSettings(settingsPath, merged);
+}
+
+
+function readUserExtensions(home) {
+  const path = join(home, ".arkaos", _USER_EXTENSION_FILE);
+  if (!existsSync(path)) return [];
+  try {
+    const data = JSON.parse(readFileSync(path, "utf-8"));
+    const rules = Array.isArray(data.hard_deny) ? data.hard_deny : [];
+    return rules.filter((r) => typeof r === "string" && r.length > 0);
+  } catch {
+    return [];
+  }
+}
+
+
+function mergeUnique(a, b) {
+  const seen = new Set();
+  const merged = [];
+  for (const rule of [...a, ...b]) {
+    if (!seen.has(rule)) {
+      seen.add(rule);
+      merged.push(rule);
+    }
+  }
+  return merged;
+}
+
+
+function writeMergedSettings(settingsPath, mergedRules) {
+  let settings;
+  try {
+    settings = JSON.parse(readFileSync(settingsPath, "utf-8"));
+  } catch {
+    return { skipped: "settings-not-parseable", action: null, count: 0 };
+  }
+  if (typeof settings !== "object" || settings === null) {
+    return { skipped: "settings-not-object", action: null, count: 0 };
+  }
+  settings.autoMode = settings.autoMode && typeof settings.autoMode === "object"
+    ? settings.autoMode
+    : {};
+  const existing = Array.isArray(settings.autoMode.hard_deny)
+    ? settings.autoMode.hard_deny
+    : [];
+  // Preserve any operator-authored rules already in settings.json,
+  // then merge our defaults on top. Operator wins on duplicates
+  // because they appear first in mergeUnique.
+  const finalRules = mergeUnique(existing, mergedRules);
+  if (sameRules(existing, finalRules)) {
+    return { skipped: null, action: "noop", count: finalRules.length };
+  }
+  settings.autoMode.hard_deny = finalRules;
+  // Atomic write
+  const tmp = `${settingsPath}.tmp-${process.pid}`;
+  writeFileSync(tmp, JSON.stringify(settings, null, 2) + "\n");
+  renameSync(tmp, settingsPath);
+  return {
+    skipped: null,
+    action: existing.length === 0 ? "created" : "merged",
+    count: finalRules.length,
+  };
+}
+
+
+function sameRules(a, b) {
+  if (a.length !== b.length) return false;
+  const setA = new Set(a);
+  return b.every((r) => setA.has(r));
+}

package/installer/index.js

@@ -311,6 +311,25 @@ export async function install({ runtime, path, force, skipSystem, withOllama })
     console.log(`         Warning: could not scaffold user-data (${err.message})`);
   }
 
+  // PR45 v2.64.0 — seed autoMode.hard_deny defaults into
+  // ~/.claude/settings.json so auto mode blocks destructive actions
+  // (git push --force, ~/.ssh reads, rm -rf, sudo, etc.) regardless
+  // of allow rules. Preserves operator-authored entries; merges
+  // operator extensions from ~/.arkaos/hard-deny.json.
+  try {
+    const { seedAutoModeHardDeny } = await import("./hard-deny.js");
+    const denyResult = seedAutoModeHardDeny({ runtime });
+    if (!denyResult.skipped) {
+      if (denyResult.action === "created") {
+        console.log(`         autoMode.hard_deny created (${denyResult.count} rules).`);
+      } else if (denyResult.action === "merged") {
+        console.log(`         autoMode.hard_deny merged (${denyResult.count} rules, operator entries preserved).`);
+      }
+    }
+  } catch (err) {
+    console.log(`         Warning: could not seed autoMode.hard_deny (${err.message})`);
+  }
+
   // PR43 v2.62.0 — auto-install default Claude Code plugins. Only runs
   // when runtime is Claude Code AND the `claude` CLI is available.
   // Idempotent: skips plugins already in installed_plugins.json.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "arkaos",
-  "version": "2.63.0",
+  "version": "2.65.0",
   "description": "The Operating System for AI Agent Teams",
   "type": "module",
   "bin": {

package/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "arkaos-core"
-version = "2.63.0"
+version = "2.65.0"
 description = "Core engine for ArkaOS — The Operating System for AI Agent Teams"
 readme = "README.md"
 license = {text = "MIT"}