instar 0.26.9 → 0.26.10

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "instar",
-  "version": "0.26.9",
+  "version": "0.26.10",
   "description": "Persistent autonomy infrastructure for AI agents",
   "type": "module",
   "main": "dist/index.js",

package/src/data/builtin-manifest.json

@@ -1,8 +1,8 @@
 {
   "$schema": "./builtin-manifest.schema.json",
   "schemaVersion": 1,
-  "generatedAt": "2026-04-03T19:47:59.436Z",
-  "instarVersion": "0.26.9",
+  "generatedAt": "2026-04-03T20:10:59.894Z",
+  "instarVersion": "0.26.10",
   "entryCount": 182,
   "entries": {
     "hook:session-start": {

package/upgrades/0.26.10.md

@@ -0,0 +1,27 @@
+# Upgrade Guide — vNEXT
+
+<!-- bump: patch -->
+
+## What Changed
+
+Fixed Slack file/snippet download reliability. Three root causes addressed:
+
+1. **Auth header dropped on redirects**: Node.js `fetch` strips the `Authorization` header on cross-origin redirects (per spec). Slack's `url_private` URLs can redirect to CDN subdomains, causing the auth to be lost and an HTML login page returned instead of file content. FileHandler now follows redirects manually, preserving the auth header at each hop (capped at 5 redirects).
+
+2. **Message attachments ignored**: Only `message.files[]` was processed. Link unfurls, rich previews, and integration content (Fathom transcripts, GitHub PRs, etc.) arrive in `message.attachments[]` and were silently dropped. Now extracted and inlined into message text.
+
+3. **Silent error swallowing**: `files.info` API failures were caught and discarded with no logging. Now logs the actual error, making it possible to diagnose missing scopes or API issues.
+
+Also prefers `url_private_download` over `url_private` when available — some file types have a dedicated download URL that works more reliably.
+
+## What to Tell Your User
+
+- **File and snippet sharing**: "Sharing files and snippets in Slack should work much more reliably now. Previously some attachments came through as blank or garbled HTML — that's been fixed. Link previews from external services like Fathom or GitHub are now included in the message too."
+
+## Summary of New Capabilities
+
+| Capability | How to Use |
+|-----------|-----------|
+| Reliable snippet downloads | Automatic — auth header preserved across redirects |
+| Link unfurl content | Automatic — attachment text extracted from unfurled links |
+| Download error logging | Automatic — files.info failures now logged for debugging |

package/upgrades/0.26.8.md

@@ -1,25 +1,27 @@
-# Upgrade Guide — v0.26.8
+# Upgrade Guide — vNEXT
 
 <!-- bump: patch -->
-<!-- Valid values: patch, minor, major -->
-<!-- patch = bug fixes, refactors, test additions, doc updates -->
-<!-- minor = new features, new APIs, new capabilities (backwards-compatible) -->
-<!-- major = breaking changes to existing APIs or behavior -->
 
 ## What Changed
 
-**Fix Slack session resume** — The resume heartbeat (60s interval) was saving Slack channel resume UUIDs to the wrong file. It wrote to `topic-resume-map.json` using synthetic numeric IDs, but the Slack message handler reads from `slack-channel-resume-map.json` using real channel IDs. The heartbeat now writes to both files, ensuring that when a Slack session dies, the next message in that channel correctly resumes the previous session.
+Fixed Slack file/snippet download reliability. Three root causes addressed:
 
-**Fix cross-topic UUID contamination in proactive saves** — When multiple sessions ran concurrently, the proactive UUID save (fired 8s after session spawn) could pick up the wrong session's UUID via an mtime-based fallback. This caused sessions to resume another topic's conversation entirely. All 4 proactive save locations (telegram-forward, secret-drop, spawnSessionForTopic, Slack heartbeat) now exclusively use the authoritative `claudeSessionId` from hook events. The heartbeat (60s) handles any sessions where hooks haven't fired yet, with a proper multi-session guard.
+1. **Auth header dropped on redirects**: Node.js `fetch` strips the `Authorization` header on cross-origin redirects (per spec). Slack's `url_private` URLs can redirect to CDN subdomains, causing the auth to be lost and an HTML login page returned instead of file content. FileHandler now follows redirects manually, preserving the auth header at each hop (capped at 5 redirects).
 
-Also fixed a stale unit test for `findUuidForSession()` and added a public `jsonlExistsPublic()` method to `TopicResumeMap` for external UUID validation.
+2. **Message attachments ignored**: Only `message.files[]` was processed. Link unfurls, rich previews, and integration content (Fathom transcripts, GitHub PRs, etc.) arrive in `message.attachments[]` and were silently dropped. Now extracted and inlined into message text.
+
+3. **Silent error swallowing**: `files.info` API failures were caught and discarded with no logging. Now logs the actual error, making it possible to diagnose missing scopes or API issues.
+
+Also prefers `url_private_download` over `url_private` when available — some file types have a dedicated download URL that works more reliably.
 
 ## What to Tell Your User
 
-- **Session resume reliability**: "Sessions now reliably resume the correct conversation across all messaging integrations (Telegram, Slack). A bug was causing sessions to occasionally resume a completely different topic's conversation when multiple topics were active at the same time."
+- **File and snippet sharing**: "Sharing files and snippets in Slack should work much more reliably now. Previously some attachments came through as blank or garbled HTML — that's been fixed. Link previews from external services like Fathom or GitHub are now included in the message too."
 
 ## Summary of New Capabilities
 
 | Capability | How to Use |
 |-----------|-----------|
-| Reliable session resume (all integrations) | Automatic — sessions resume correctly even with concurrent topics |
+| Reliable snippet downloads | Automatic — auth header preserved across redirects |
+| Link unfurl content | Automatic — attachment text extracted from unfurled links |
+| Download error logging | Automatic — files.info failures now logged for debugging |

package/upgrades/NEXT.md

@@ -1,35 +0,0 @@
-# Upgrade Guide — vNEXT
-
-<!-- bump: patch -->
-<!-- Valid values: patch, minor, major -->
-<!-- patch = bug fixes, refactors, test additions, doc updates -->
-<!-- minor = new features, new APIs, new capabilities (backwards-compatible) -->
-<!-- major = breaking changes to existing APIs or behavior -->
-
-## What Changed
-
-<!-- Describe what changed technically. What new features, APIs, behavioral changes? -->
-<!-- Write this for the AGENT — they need to understand the system deeply. -->
-
-## What to Tell Your User
-
-<!-- Write talking points the agent should relay to their user. -->
-<!-- This should be warm, conversational, user-facing — not a changelog. -->
-<!-- Focus on what THEY can now do, not internal plumbing. -->
-<!--                                                                    -->
-<!-- PROHIBITED in this section (will fail validation):                 -->
-<!--   camelCase config keys: silentReject, maxRetries, telegramNotify -->
-<!--   Inline code backtick references like silentReject: false        -->
-<!--   Fenced code blocks                                              -->
-<!--   Instructions to edit files or run commands                      -->
-<!--                                                                    -->
-<!-- CORRECT style: "I can turn that on for you" not "set X to false"  -->
-<!-- The agent relays this to their user — keep it human.              -->
-
-- **[Feature name]**: "[Brief, friendly description of what this means for the user]"
-
-## Summary of New Capabilities
-
-| Capability | How to Use |
-|-----------|-----------|
-| [Capability] | [Endpoint, command, or "automatic"] |