instar 0.28.20 → 0.28.22

package/.claude/skills/setup-wizard/SKILL.md

@@ -142,37 +142,25 @@ If they type something else → interpret conversationally and route.
 
 #### If gh_status="auth-needed"
 
-**MANDATORY — DO THIS BEFORE ASKING FOR AN AGENT NAME.** The discovery scan ran without GitHub access. The user may already have agents backed up to GitHub from another machine. You MUST offer to sign them in BEFORE proceeding to fresh-install prompts. Skipping this step has caused users to create duplicate agents instead of restoring existing ones.
+Walk the user through auth FIRST:
 
-Say:
-> Before we set up a new agent, let me check GitHub for any agents you've backed up from another machine. I need to sign you in — it takes about 30 seconds.
+> Let me check if you have agents backed up on GitHub.
+> I need to sign you into GitHub — this opens your browser.
 
-Then follow the **GitHub Device-Code Auth Flow** below. After auth completes, re-run discovery (call `runDiscovery` via the setup CLI or re-invoke the wizard) and present the updated agent list. Only proceed to fresh-install if discovery still shows zero agents.
+```bash
+gh auth login --web --git-protocol https
+```
+
+After auth, re-scan and present results.
 
 #### If gh_status="unavailable"
 
-GitHub CLI isn't installed. With instar 0.28.18+ this should be rare — the prerequisite check auto-installs gh. If you somehow get here, ask:
-> Have you used Instar before on another machine? If so, I should install GitHub CLI so I can find your existing agents before we create a new one.
+Ask:
+> Have you used Instar before on another machine?
 
-If yes: Install gh (brew/apt), then follow the **GitHub Device-Code Auth Flow** below, then re-run discovery.
+If yes: Show install guidance for the platform. After install → auth → scan.
 If no: Continue to fresh install.
 
-#### GitHub Device-Code Auth Flow (use this everywhere `gh auth login` is needed)
-
-**DO NOT run `gh auth login` synchronously in Bash** — it blocks waiting for the user to visit a URL and the Bash tool buffer hides the prompt. The user will see a frozen command and have no idea what to do.
-
-Instead:
-
-1. Start `gh auth login --web --git-protocol https` with `run_in_background: true`.
-2. Poll the background output every 2 seconds (BashOutput tool) until you see a line matching `! First copy your one-time code: XXXX-XXXX` and a line containing `https://github.com/login/device`.
-3. Extract the code and URL, then present them to the user conversationally — NOT as raw Bash output:
-   > To sign in, visit **https://github.com/login/device** and enter this code: **XXXX-XXXX**
-   > I'll wait here until you're done.
-4. Poll `gh auth status` every 5 seconds (foreground, fast). When it exits 0, the user has finished. Stop polling the background process and let it complete on its own.
-5. Confirm: "You're signed in as <username>. Let me check for your agents now."
-
-If 5 minutes pass with no auth completion, ask the user if they want to keep waiting or skip GitHub for now.
-
 #### Normal fresh install options
 
 **If inside a git repo:**
@@ -1921,7 +1909,15 @@ Wait for user to install, then re-check.
 gh auth status 2>&1
 ```
 
-If not authenticated, use the **GitHub Device-Code Auth Flow** described in Entry Point B (above). DO NOT run `gh auth login` synchronously — it blocks the Bash tool and the user will see a frozen command. Run in background, parse the device code and URL from output, present them conversationally, and poll `gh auth status` until success.
+If not authenticated, walk them through it:
+
+> I need to connect to your GitHub account. This opens your browser for a secure sign-in.
+
+```bash
+gh auth login --web --git-protocol https
+```
+
+This is an interactive command that opens the browser — run it with `stdio: 'inherit'` so the user sees the auth flow. Wait for it to complete.
 
 **Step 3: Create private repo**
 

package/dist/commands/init.js

@@ -1178,7 +1178,7 @@ curl -X POST http://localhost:${port}/feedback \\
   -d '{"type":"bug","title":"Short description","description":"Full details with context"}'
 \`\`\`
 
-This routes feedback to the Instar maintainers automatically. Valid types: \`bug\`, \`feature\`, \`improvement\`, \`question\`.
+This routes feedback to the Instar maintainers automatically. Valid types: \`bug\`, \`feature\`, \`improvement\`, \`question\`, \`hallucination\`.
 
 **NEVER use \`gh issue\`, \`gh api\`, or GitHub CLI to file issues.** The feedback API is your channel.
 - View submitted feedback: \`curl http://localhost:${port}/feedback\`
@@ -3275,7 +3275,7 @@ curl -s -X POST http://localhost:${port}/feedback \\
   -d '{"type":"bug","title":"CONCISE_TITLE","description":"FULL_CONTEXT_WITH_ERROR_MESSAGES"}'
 \`\`\`
 
-Types: \`bug\`, \`feature\`, \`improvement\`, \`question\`
+Types: \`bug\`, \`feature\`, \`improvement\`, \`question\`, \`hallucination\`
 
 **Do not wait for the user to notice.** If a hook throws an error, report it. If a job fails, report it. If the server returns unexpected data, report it. You are not just using instar — you are part of its immune system.
 `);

package/dist/commands/server.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../src/commands/server.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AA2PH,UAAU,YAAY;IACpB,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb;2DACuD;IACvD,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AA6zCD,wBAAsB,WAAW,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CA2oItE;AAED,wBAAsB,UAAU,CAAC,OAAO,EAAE;IAAE,GAAG,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAsDzE;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,aAAa,CAAC,OAAO,EAAE;IAAE,GAAG,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAuD5E"}
+{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../src/commands/server.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AA2PH,UAAU,YAAY;IACpB,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb;2DACuD;IACvD,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AA6zCD,wBAAsB,WAAW,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CAipItE;AAED,wBAAsB,UAAU,CAAC,OAAO,EAAE;IAAE,GAAG,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAsDzE;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,aAAa,CAAC,OAAO,EAAE;IAAE,GAAG,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAuD5E"}

package/dist/commands/server.js

@@ -4658,7 +4658,8 @@ export async function startServer(options) {
             },
         });
         // Threadline Router — handles threaded cross-agent conversations via relay
-        const threadlineRouter = new ThreadlineRouter(messageRouter, spawnManager, threadResumeMap, messageStore, { localAgent: config.projectName, localMachine: os.hostname() });
+        const threadlineRouter = new ThreadlineRouter(messageRouter, spawnManager, threadResumeMap, messageStore, { localAgent: config.projectName, localMachine: os.hostname() }, null, // autonomyGate
+        messageDelivery);
         // Listener Session Manager — warm session for fast relay responses (Phase 2)
         const listenerManager = config.threadline?.relayEnabled
             ? new ListenerSessionManager(config.stateDir, config.authToken ?? '', config.threadline)
@@ -4873,30 +4874,34 @@ export async function startServer(options) {
                     }
                     // Check if this message resolves a pending waitForReply request.
                     // Skip auto-ack messages (they're from us, not a real reply).
-                    // Try both fingerprint and agent name as keys — the waiter is keyed by
-                    // agent name (from relay-send), but gate-passed provides the fingerprint.
+                    // PR-3: Waiters are now keyed by threadId (unique per conversation)
+                    // rather than sender fingerprint or agent name. Fall back to the
+                    // legacy fingerprint/name lookup only if no threadId is present,
+                    // for compatibility with older senders.
                     const isAutoAck = textContent.startsWith('Message received.') || textContent.startsWith('Message received,');
-                    let waiter = threadlineReplyWaiters.get(senderFingerprint);
+                    let waiter = msg.threadId ? threadlineReplyWaiters.get(msg.threadId) : undefined;
                     if (!waiter) {
-                        // Resolve fingerprint → agent name via known-agents cache
-                        const resolvedName = (() => {
-                            try {
-                                const kaPath = path.join(config.stateDir, 'threadline', 'known-agents.json');
-                                const kaData = JSON.parse(fs.readFileSync(kaPath, 'utf-8'));
-                                const agents = kaData.agents ?? kaData;
-                                if (Array.isArray(agents)) {
-                                    // Check publicKey field for fingerprint match
-                                    const match = agents.find((a) => a.publicKey === senderFingerprint || a.publicKey?.startsWith(senderFingerprint));
-                                    return match?.name ?? null;
+                        // Legacy fallback: try by sender fingerprint, then by resolved name
+                        waiter = threadlineReplyWaiters.get(senderFingerprint);
+                        if (!waiter) {
+                            const resolvedName = (() => {
+                                try {
+                                    const kaPath = path.join(config.stateDir, 'threadline', 'known-agents.json');
+                                    const kaData = JSON.parse(fs.readFileSync(kaPath, 'utf-8'));
+                                    const agents = kaData.agents ?? kaData;
+                                    if (Array.isArray(agents)) {
+                                        const match = agents.find((a) => a.publicKey === senderFingerprint || a.publicKey?.startsWith(senderFingerprint));
+                                        return match?.name ?? null;
+                                    }
+                                    return null;
                                 }
-                                return null;
-                            }
-                            catch {
-                                return null;
-                            }
-                        })();
-                        if (resolvedName)
-                            waiter = threadlineReplyWaiters.get(resolvedName);
+                                catch {
+                                    return null;
+                                }
+                            })();
+                            if (resolvedName)
+                                waiter = threadlineReplyWaiters.get(resolvedName);
+                        }
                     }
                     if (waiter && !isAutoAck) {
                         waiter.resolve(textContent);