instar 0.28.44 → 0.28.45

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "instar",
-  "version": "0.28.44",
+  "version": "0.28.45",
   "description": "Persistent autonomy infrastructure for AI agents",
   "type": "module",
   "main": "dist/index.js",

package/src/data/builtin-manifest.json

@@ -1,8 +1,8 @@
 {
   "$schema": "./builtin-manifest.schema.json",
   "schemaVersion": 1,
-  "generatedAt": "2026-04-16T02:01:36.401Z",
-  "instarVersion": "0.28.44",
+  "generatedAt": "2026-04-16T02:21:07.278Z",
+  "instarVersion": "0.28.45",
   "entryCount": 186,
   "entries": {
     "hook:session-start": {
@@ -343,7 +343,7 @@
       "id": "skill:autonomous",
       "type": "skill",
       "domain": "skills",
-      "sourcePath": ".claude/skills/autonomous/skill.md",
+      "sourcePath": ".claude/skills/autonomous/SKILL.md",
       "contentHash": "9bc7dc9eddd4e345ed6564eff850898b66358ce309119c3047e6af275cf9070d",
       "since": "2025-01-01"
     },
@@ -351,7 +351,7 @@
       "id": "skill:build",
       "type": "skill",
       "domain": "skills",
-      "sourcePath": ".claude/skills/build/skill.md",
+      "sourcePath": ".claude/skills/build/SKILL.md",
       "contentHash": "5b3557fa3662cf0c7b7bab85a252cc2e567b3fc64a04a92d430374ef1f264ca6",
       "since": "2025-01-01"
     },
@@ -359,7 +359,7 @@
       "id": "skill:secret-setup",
       "type": "skill",
       "domain": "skills",
-      "sourcePath": ".claude/skills/secret-setup/skill.md",
+      "sourcePath": ".claude/skills/secret-setup/SKILL.md",
       "contentHash": "0f4365713d96c98576d19c818701abe96329f3652ed0d8d76ec4e4a1b46dac56",
       "since": "2025-01-01"
     },
@@ -367,7 +367,7 @@
       "id": "skill:setup-wizard",
       "type": "skill",
       "domain": "skills",
-      "sourcePath": ".claude/skills/setup-wizard/skill.md",
+      "sourcePath": ".claude/skills/setup-wizard/SKILL.md",
       "contentHash": "813fd9164514fd11d1bdc67f4dbee02a74679b3ca46bf1b39893c62deb2e58cb",
       "since": "2025-01-01"
     },

package/upgrades/{0.28.44.md → 0.28.45.md}

@@ -1,4 +1,4 @@
-# Upgrade Guide — v0.28.44
+# Upgrade Guide — vNEXT
 
 <!-- bump: patch -->
 

package/upgrades/side-effects/0.28.44.md

@@ -0,0 +1,36 @@
+# Side-Effects Review — Fix Auto-Ack Echo Loop
+
+**Version / slug:** `fix-auto-ack-echo-loop`
+**Date:** `2026-04-16`
+**Author:** `dawn`
+**Second-pass reviewer:** `not required — single boolean guard addition to existing condition`
+
+## Summary of the change
+
+Adds `!isAutoAck` to the auto-ack send guard in `src/commands/server.ts` (line 5431). This prevents incoming auto-ack messages from triggering outbound auto-acks, breaking the echo loop observed between Demiclaude and E-Ray.
+
+The `isAutoAck` detection (checking if text starts with "Message received.") is already computed at line 5402 and used at line 5424 to prevent auto-acks from resolving reply waiters. This fix applies the same check to the send path.
+
+## Decision-point inventory
+
+- `src/commands/server.ts:5431` — **modify** — add `&& !isAutoAck` to existing guard condition. No new code paths, no new branches.
+
+## 1. Over-block
+
+**Risk:** None. The `isAutoAck` check only matches messages starting with "Message received." — the exact text produced by the auto-ack sender. Real messages that happen to start with "Message received." would be suppressed, but this is the same check already used for reply waiter exclusion (line 5424), so behavior is consistent.
+
+## 2. Under-block
+
+**Risk:** Negligible. Custom `autoAckMessage` configurations that don't start with "Message received." would still echo. This is acceptable — the detection matches the default message, and custom messages are rare.
+
+## 3. Silent behavior change
+
+**Risk:** None. The only behavioral change is: auto-ack messages no longer trigger auto-acks. This is purely bug-fix territory — the echo was never intended behavior.
+
+## 4. Data / state impact
+
+None. No files written, no state modified. This is a pure message-flow guard.
+
+## 5. Downstream agent impact
+
+Positive. Agents will no longer receive duplicate ack messages. No agent behavior depends on receiving multiple acks per message.

package/dist/core/SharedStateLedger.d.ts

@@ -1,111 +0,0 @@
-/**
- * SharedStateLedger — per-agent integrated-being awareness layer.
- *
- * Problem it solves: an instar agent can have multiple sessions alive at once
- * (user-facing session, threadline message handlers, job runners, etc.). Each
- * session makes decisions and commitments without visibility into what the
- * others are doing. The agent as a whole becomes incoherent: the user-facing
- * session doesn't know about commitments a threadline session just made to
- * another agent; two sessions can agree to contradictory things; the user
- * gets inconsistent answers depending on which session is alive when they
- * ask.
- *
- * Design:
- *   - Append-only JSONL file at `.instar/shared-state.jsonl` (runtime state,
- *     gitignored).
- *   - Every session writes an entry when it does something significant:
- *     makes a commitment to a user or agent, opens a thread, reaches an
- *     agreement, commits a substantive decision.
- *   - A turn-start hook reads recent entries and injects them into each
- *     session's context. Sessions see what the agent as a whole has been
- *     doing without being given raw cross-thread message contents.
- *
- * Security boundary: entries are derived facts, NOT raw message contents.
- * The per-thread security sandboxing specified by Threadline is preserved —
- * this ledger lives at a different layer, summarizing at the "what the agent
- * is engaged in" granularity.
- *
- * See docs/signal-vs-authority.md. This module produces signals for
- * downstream consumers (the session context, the user via the dashboard).
- * It holds no blocking authority and makes no judgment decisions.
- */
-export type SharedStateEntryKind = 'commitment' | 'agreement' | 'thread-opened' | 'thread-closed' | 'decision' | 'note';
-export interface SharedStateEntry {
-    /** Entry id — stable for idempotency. */
-    id: string;
-    /** ISO timestamp. */
-    t: string;
-    /** Session id that produced this entry. Used for provenance. */
-    sessionId: string;
-    /** What kind of event this is. */
-    kind: SharedStateEntryKind;
-    /** Short human-readable subject line (<= 200 chars). */
-    subject: string;
-    /**
-     * Optional longer summary (<= 2000 chars). Must be DERIVED facts, NOT raw
-     * cross-thread message contents. E.g., "Agreed with sagemind on 4-endpoint
-     * feedback integration contract" — not "Dawn said: [full message]".
-     */
-    summary?: string;
-    /** Optional counterparty reference (user, agent, thread, etc.). */
-    party?: string;
-}
-export interface SharedStateAppendInput {
-    sessionId: string;
-    kind: SharedStateEntryKind;
-    subject: string;
-    summary?: string;
-    party?: string;
-}
-export declare class SharedStateLedger {
-    private readonly file;
-    /** Maximum chars for subject, enforced on write. */
-    static readonly MAX_SUBJECT = 200;
-    /**
-     * Maximum chars for summary, enforced on write.
-     *
-     * Chosen to be generous enough for "agreed on a multi-point contract with
-     * these bullet details" but small enough that pasting a full agent-to-agent
-     * message body would get truncated. The threadline security boundary says
-     * raw cross-thread message contents must not land in this ledger — this cap
-     * is a programmatic guardrail that backstops the process-level discipline
-     * enforced by the /instar-dev skill's side-effects review.
-     *
-     * A typical threadline message is 1-3KB. 500 chars comfortably holds
-     * derived-fact summaries while making it physically inconvenient to paste
-     * a whole message.
-     */
-    static readonly MAX_SUMMARY = 500;
-    /**
-     * Soft line-count ceiling before the ledger rotates. When exceeded on an
-     * append, the current file is renamed to `.jsonl.1` (overwriting any
-     * prior rotation) and a fresh file is started. Keeps the read path
-     * bounded to this many entries scanned per turn-start.
-     */
-    static readonly ROTATE_AT_LINES = 5000;
-    constructor(projectDir: string);
-    /** Append an entry. Returns the written entry including id+timestamp. */
-    append(input: SharedStateAppendInput): SharedStateEntry;
-    /**
-     * If the ledger file has more than ROTATE_AT_LINES lines, rename it to
-     * `.jsonl.1` (overwriting any prior rotation) and start fresh. Bounded
-     * retention without hiding old data — the previous ledger remains on disk.
-     */
-    private maybeRotate;
-    /**
-     * Read the most recent `limit` entries, oldest-to-newest.
-     * Returns [] if the ledger file does not exist yet.
-     */
-    recent(limit?: number): SharedStateEntry[];
-    /**
-     * Render recent entries as a compact human-readable summary suitable for
-     * injection into a session's context at turn start. Keeps output bounded.
-     */
-    renderForInjection(limit?: number): string;
-    /**
-     * For tests and inspection: the full path to the ledger file.
-     */
-    get filePath(): string;
-    private isValidEntry;
-}
-//# sourceMappingURL=SharedStateLedger.d.ts.map

package/dist/core/SharedStateLedger.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"SharedStateLedger.d.ts","sourceRoot":"","sources":["../../src/core/SharedStateLedger.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AAMH,MAAM,MAAM,oBAAoB,GAC5B,YAAY,GACZ,WAAW,GACX,eAAe,GACf,eAAe,GACf,UAAU,GACV,MAAM,CAAC;AAEX,MAAM,WAAW,gBAAgB;IAC/B,yCAAyC;IACzC,EAAE,EAAE,MAAM,CAAC;IACX,qBAAqB;IACrB,CAAC,EAAE,MAAM,CAAC;IACV,gEAAgE;IAChE,SAAS,EAAE,MAAM,CAAC;IAClB,kCAAkC;IAClC,IAAI,EAAE,oBAAoB,CAAC;IAC3B,wDAAwD;IACxD,OAAO,EAAE,MAAM,CAAC;IAChB;;;;OAIG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,mEAAmE;IACnE,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,sBAAsB;IACrC,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,oBAAoB,CAAC;IAC3B,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,qBAAa,iBAAiB;IAC5B,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAS;IAE9B,oDAAoD;IACpD,MAAM,CAAC,QAAQ,CAAC,WAAW,OAAO;IAClC;;;;;;;;;;;;;OAaG;IACH,MAAM,CAAC,QAAQ,CAAC,WAAW,OAAO;IAClC;;;;;OAKG;IACH,MAAM,CAAC,QAAQ,CAAC,eAAe,QAAQ;gBAE3B,UAAU,EAAE,MAAM;IAM9B,yEAAyE;IACzE,MAAM,CAAC,KAAK,EAAE,sBAAsB,GAAG,gBAAgB;IA4BvD;;;;OAIG;IACH,OAAO,CAAC,WAAW;IAoBnB;;;OAGG;IACH,MAAM,CAAC,KAAK,SAAK,GAAG,gBAAgB,EAAE;IAiBtC;;;OAGG;IACH,kBAAkB,CAAC,KAAK,SAAK,GAAG,MAAM;IActC;;OAEG;IACH,IAAI,QAAQ,IAAI,MAAM,CAErB;IAED,OAAO,CAAC,YAAY;CAWrB"}

package/dist/core/SharedStateLedger.js

@@ -1,174 +0,0 @@
-/**
- * SharedStateLedger — per-agent integrated-being awareness layer.
- *
- * Problem it solves: an instar agent can have multiple sessions alive at once
- * (user-facing session, threadline message handlers, job runners, etc.). Each
- * session makes decisions and commitments without visibility into what the
- * others are doing. The agent as a whole becomes incoherent: the user-facing
- * session doesn't know about commitments a threadline session just made to
- * another agent; two sessions can agree to contradictory things; the user
- * gets inconsistent answers depending on which session is alive when they
- * ask.
- *
- * Design:
- *   - Append-only JSONL file at `.instar/shared-state.jsonl` (runtime state,
- *     gitignored).
- *   - Every session writes an entry when it does something significant:
- *     makes a commitment to a user or agent, opens a thread, reaches an
- *     agreement, commits a substantive decision.
- *   - A turn-start hook reads recent entries and injects them into each
- *     session's context. Sessions see what the agent as a whole has been
- *     doing without being given raw cross-thread message contents.
- *
- * Security boundary: entries are derived facts, NOT raw message contents.
- * The per-thread security sandboxing specified by Threadline is preserved —
- * this ledger lives at a different layer, summarizing at the "what the agent
- * is engaged in" granularity.
- *
- * See docs/signal-vs-authority.md. This module produces signals for
- * downstream consumers (the session context, the user via the dashboard).
- * It holds no blocking authority and makes no judgment decisions.
- */
-import fs from 'node:fs';
-import path from 'node:path';
-import crypto from 'node:crypto';
-export class SharedStateLedger {
-    file;
-    /** Maximum chars for subject, enforced on write. */
-    static MAX_SUBJECT = 200;
-    /**
-     * Maximum chars for summary, enforced on write.
-     *
-     * Chosen to be generous enough for "agreed on a multi-point contract with
-     * these bullet details" but small enough that pasting a full agent-to-agent
-     * message body would get truncated. The threadline security boundary says
-     * raw cross-thread message contents must not land in this ledger — this cap
-     * is a programmatic guardrail that backstops the process-level discipline
-     * enforced by the /instar-dev skill's side-effects review.
-     *
-     * A typical threadline message is 1-3KB. 500 chars comfortably holds
-     * derived-fact summaries while making it physically inconvenient to paste
-     * a whole message.
-     */
-    static MAX_SUMMARY = 500;
-    /**
-     * Soft line-count ceiling before the ledger rotates. When exceeded on an
-     * append, the current file is renamed to `.jsonl.1` (overwriting any
-     * prior rotation) and a fresh file is started. Keeps the read path
-     * bounded to this many entries scanned per turn-start.
-     */
-    static ROTATE_AT_LINES = 5000;
-    constructor(projectDir) {
-        const dir = path.join(projectDir, '.instar');
-        fs.mkdirSync(dir, { recursive: true });
-        this.file = path.join(dir, 'shared-state.jsonl');
-    }
-    /** Append an entry. Returns the written entry including id+timestamp. */
-    append(input) {
-        const subject = (input.subject || '').slice(0, SharedStateLedger.MAX_SUBJECT).trim();
-        if (!subject) {
-            throw new Error('SharedStateLedger.append: subject is required');
-        }
-        const summary = input.summary
-            ? input.summary.slice(0, SharedStateLedger.MAX_SUMMARY).trim()
-            : undefined;
-        const entry = {
-            id: crypto.randomBytes(6).toString('hex'),
-            t: new Date().toISOString(),
-            sessionId: input.sessionId,
-            kind: input.kind,
-            subject,
-            ...(summary !== undefined ? { summary } : {}),
-            ...(input.party !== undefined ? { party: input.party } : {}),
-        };
-        // Rotate if the ledger has grown past the soft ceiling. Cheap check:
-        // statSync is O(1), and we only actually count lines when size suggests
-        // we might be over. Keeps the read path bounded.
-        this.maybeRotate();
-        fs.appendFileSync(this.file, JSON.stringify(entry) + '\n', 'utf-8');
-        return entry;
-    }
-    /**
-     * If the ledger file has more than ROTATE_AT_LINES lines, rename it to
-     * `.jsonl.1` (overwriting any prior rotation) and start fresh. Bounded
-     * retention without hiding old data — the previous ledger remains on disk.
-     */
-    maybeRotate() {
-        if (!fs.existsSync(this.file))
-            return;
-        try {
-            // Fast path: if file is small, it's definitely under the limit.
-            const stat = fs.statSync(this.file);
-            // Assume average line length ~200 bytes; rotate if size suggests we
-            // might be near ROTATE_AT_LINES. Exact count only if we're close.
-            if (stat.size < SharedStateLedger.ROTATE_AT_LINES * 100)
-                return;
-            const content = fs.readFileSync(this.file, 'utf-8');
-            const lineCount = (content.match(/\n/g) || []).length;
-            if (lineCount < SharedStateLedger.ROTATE_AT_LINES)
-                return;
-            const rotated = this.file + '.1';
-            fs.renameSync(this.file, rotated);
-        }
-        catch {
-            // Best-effort — rotation failing never breaks the append
-        }
-    }
-    /**
-     * Read the most recent `limit` entries, oldest-to-newest.
-     * Returns [] if the ledger file does not exist yet.
-     */
-    recent(limit = 20) {
-        if (!fs.existsSync(this.file))
-            return [];
-        const content = fs.readFileSync(this.file, 'utf-8');
-        const lines = content.split('\n').filter((l) => l.trim().length > 0);
-        const tail = lines.slice(Math.max(0, lines.length - limit));
-        const out = [];
-        for (const line of tail) {
-            try {
-                const parsed = JSON.parse(line);
-                if (this.isValidEntry(parsed))
-                    out.push(parsed);
-            }
-            catch {
-                // Skip malformed lines; ledger is best-effort observable state.
-            }
-        }
-        return out;
-    }
-    /**
-     * Render recent entries as a compact human-readable summary suitable for
-     * injection into a session's context at turn start. Keeps output bounded.
-     */
-    renderForInjection(limit = 20) {
-        const entries = this.recent(limit);
-        if (entries.length === 0) {
-            return '[shared-state] no recent entries — this agent has no active cross-session state.';
-        }
-        const lines = ['[shared-state] recent cross-session activity (most recent last):'];
-        for (const e of entries) {
-            const partySuffix = e.party ? ` [party: ${e.party}]` : '';
-            const summaryLine = e.summary ? `\n    ${e.summary}` : '';
-            lines.push(`  - ${e.t} (${e.kind}) ${e.subject}${partySuffix}${summaryLine}`);
-        }
-        return lines.join('\n');
-    }
-    /**
-     * For tests and inspection: the full path to the ledger file.
-     */
-    get filePath() {
-        return this.file;
-    }
-    isValidEntry(parsed) {
-        if (!parsed || typeof parsed !== 'object')
-            return false;
-        const e = parsed;
-        return (typeof e['id'] === 'string' &&
-            typeof e['t'] === 'string' &&
-            typeof e['sessionId'] === 'string' &&
-            typeof e['kind'] === 'string' &&
-            typeof e['subject'] === 'string');
-    }
-}
-//# sourceMappingURL=SharedStateLedger.js.map

package/dist/core/SharedStateLedger.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"SharedStateLedger.js","sourceRoot":"","sources":["../../src/core/SharedStateLedger.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AAEH,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,MAAM,MAAM,aAAa,CAAC;AAuCjC,MAAM,OAAO,iBAAiB;IACX,IAAI,CAAS;IAE9B,oDAAoD;IACpD,MAAM,CAAU,WAAW,GAAG,GAAG,CAAC;IAClC;;;;;;;;;;;;;OAaG;IACH,MAAM,CAAU,WAAW,GAAG,GAAG,CAAC;IAClC;;;;;OAKG;IACH,MAAM,CAAU,eAAe,GAAG,IAAI,CAAC;IAEvC,YAAY,UAAkB;QAC5B,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,SAAS,CAAC,CAAC;QAC7C,EAAE,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACvC,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,oBAAoB,CAAC,CAAC;IACnD,CAAC;IAED,yEAAyE;IACzE,MAAM,CAAC,KAA6B;QAClC,MAAM,OAAO,GAAG,CAAC,KAAK,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,iBAAiB,CAAC,WAAW,CAAC,CAAC,IAAI,EAAE,CAAC;QACrF,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;QACnE,CAAC;QACD,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO;YAC3B,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,iBAAiB,CAAC,WAAW,CAAC,CAAC,IAAI,EAAE;YAC9D,CAAC,CAAC,SAAS,CAAC;QAEd,MAAM,KAAK,GAAqB;YAC9B,EAAE,EAAE,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC;YACzC,CAAC,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YAC3B,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,IAAI,EAAE,KAAK,CAAC,IAAI;YAChB,OAAO;YACP,GAAG,CAAC,OAAO,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YAC7C,GAAG,CAAC,KAAK,CAAC,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC7D,CAAC;QAEF,qEAAqE;QACrE,wEAAwE;QACxE,iDAAiD;QACjD,IAAI,CAAC,WAAW,EAAE,CAAC;QAEnB,EAAE,CAAC,cAAc,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,GAAG,IAAI,EAAE,OAAO,CAAC,CAAC;QACpE,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;;;OAIG;IACK,WAAW;QACjB,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC;YAAE,OAAO;QACtC,IAAI,CAAC;YACH,gEAAgE;YAChE,MAAM,IAAI,GAAG,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACpC,oEAAoE;YACpE,kEAAkE;YAClE,IAAI,IAAI,CAAC,IAAI,GAAG,iBAAiB,CAAC,eAAe,GAAG,GAAG;gBAAE,OAAO;YAEhE,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YACpD,MAAM,SAAS,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;YACtD,IAAI,SAAS,GAAG,iBAAiB,CAAC,eAAe;gBAAE,OAAO;YAE1D,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;YACjC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QACpC,CAAC;QAAC,MAAM,CAAC;YACP,yDAAyD;QAC3D,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,MAAM,CAAC,KAAK,GAAG,EAAE;QACf,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC;YAAE,OAAO,EAAE,CAAC;QACzC,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QACpD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QACrE,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,CAAC,MAAM,GAAG,KAAK,CAAC,CAAC,CAAC;QAC5D,MAAM,GAAG,GAAuB,EAAE,CAAC;QACnC,KAAK,MAAM,IAAI,IAAI,IAAI,EAAE,CAAC;YACxB,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;gBAChC,IAAI,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC;oBAAE,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAClD,CAAC;YAAC,MAAM,CAAC;gBACP,gEAAgE;YAClE,CAAC;QACH,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC;IAED;;;OAGG;IACH,kBAAkB,CAAC,KAAK,GAAG,EAAE;QAC3B,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACnC,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACzB,OAAO,kFAAkF,CAAC;QAC5F,CAAC;QACD,MAAM,KAAK,GAAG,CAAC,kEAAkE,CAAC,CAAC;QACnF,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;YACxB,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;YAC1D,MAAM,WAAW,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YAC1D,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,OAAO,GAAG,WAAW,GAAG,WAAW,EAAE,CAAC,CAAC;QAChF,CAAC;QACD,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC1B,CAAC;IAED;;OAEG;IACH,IAAI,QAAQ;QACV,OAAO,IAAI,CAAC,IAAI,CAAC;IACnB,CAAC;IAEO,YAAY,CAAC,MAAe;QAClC,IAAI,CAAC,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ;YAAE,OAAO,KAAK,CAAC;QACxD,MAAM,CAAC,GAAG,MAAiC,CAAC;QAC5C,OAAO,CACL,OAAO,CAAC,CAAC,IAAI,CAAC,KAAK,QAAQ;YAC3B,OAAO,CAAC,CAAC,GAAG,CAAC,KAAK,QAAQ;YAC1B,OAAO,CAAC,CAAC,WAAW,CAAC,KAAK,QAAQ;YAClC,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,QAAQ;YAC7B,OAAO,CAAC,CAAC,SAAS,CAAC,KAAK,QAAQ,CACjC,CAAC;IACJ,CAAC"}

package/upgrades/0.28.41.md

@@ -1,41 +0,0 @@
-# Upgrade Guide — v0.28.41
-
-<!-- bump: patch -->
-
-## What Changed
-
-Two fixes for volatile state that didn't survive restarts in the Threadline REST adapter and relay offline queue:
-
-1. **REST thread history now persists to disk.** `ThreadlineRESTServer` previously held thread history in memory only, so restarts lost all conversation history even when the client-side MessageStore had messages on disk. The server now hydrates from `~/.threadline/thread-history.json` on startup and persists debounced (1s) on incoming messages and thread deletions. Writes are atomic (temp file + rename) and size-bounded by the existing `maxMessageHistoryPerThread` cap. New config: `historyPath` (default `~/.threadline/thread-history.json`) and `persistHistory` (default `true`, set `false` for tests/ephemeral servers).
-
-2. **Offline queue default TTL extended from 1h to 24h.** `InMemoryOfflineQueue`'s 1-hour default was shorter than typical offline/restart windows for agents, so messages to offline recipients expired before reconnection. Configurable via `OfflineQueueConfig.defaultTtlMs` if you need different behavior.
-
-No API breakage. Existing servers/queues using defaults just get more durable behavior.
-
-## What to Tell Your User
-
-- **Conversation history survives restarts**: "Your thread history will stick around now even if I get restarted — no more losing context from earlier in our conversation."
-- **Messages wait longer for offline agents**: "If you message another agent who's offline, the message will wait up to a day for them to come back online instead of expiring after an hour."
-
-## Summary of New Capabilities
-
-| Capability | How to Use |
-|-----------|-----------|
-| Persistent REST thread history | Automatic (opt-out via `persistHistory: false`) |
-| 24h offline message retention | Automatic (override via `defaultTtlMs`) |
-
-## Evidence
-
-Reproduction before fix:
-1. Start `npx @anthropic-ai/threadline serve --port 18800`
-2. Receive messages on a thread → `GET /threads/{id}` returns them
-3. Restart the server
-4. `GET /threads/{id}` returns 404 — history lost
-
-After fix:
-1. Same steps 1–2
-2. Within 1s, `~/.threadline/thread-history.json` contains the thread
-3. Restart the server
-4. `GET /threads/{id}` returns the same messages — hydrated from disk
-
-Unit tests (40/40 passing in `OfflineQueue.test.ts` and `RESTServerE2E.test.ts`) cover the default config values and existing REST flows; persistence is best-effort (wrapped in try/catch) so disk failures don't crash the server.

package/upgrades/0.28.42.md

@@ -1,25 +0,0 @@
-# Upgrade Guide — v0.28.42
-
-<!-- bump: patch -->
-
-## What Changed
-
-Fixed a silent failure in post-update migration: when Node.js is upgraded in place (e.g., via `brew upgrade node`) while an Instar server is still running, `process.execPath` can point at a binary path that no longer exists on disk. The subsequent spawn fails with ENOENT and post-update migration skips silently, leaving agent configuration stale after auto-updates.
-
-`UpdateChecker.postUpdateMigration` now guards `process.execPath` with an `existsSync` check and falls back to `node` on PATH when the resolved exec path has been deleted.
-
-## What to Tell Your User
-
-- **More reliable self-updates**: "If your system's Node was upgraded while I was running, my next auto-update will still apply its migrations correctly instead of silently skipping them."
-
-## Summary of New Capabilities
-
-| Capability | How to Use |
-|-----------|-----------|
-| Resilient post-update migration across in-place Node upgrades | automatic |
-
-## Evidence
-
-Reproduction: Homebrew users who ran `brew upgrade node` between Instar server starts reported repeated `UpdateChecker.postUpdateMigration` degradation events with reason `spawn /opt/homebrew/Cellar/node@22/22.22.2/bin/node ENOENT`. Root cause traced to `src/core/UpdateChecker.ts:282` where `cmd = process.execPath` was spawned unconditionally.
-
-Verified fix: Before — `execFile(process.execPath, [shadowCliJs, 'migrate'])` rejects with ENOENT when the Cellar path is gone; degradation reporter fires; migration skipped. After — `fs.existsSync(process.execPath)` returns false, `cmd` falls back to `'node'`, spawn resolves via PATH, migration runs. Unit tests for UpdateChecker (13) continue to pass.

package/upgrades/NEXT.md

@@ -1,53 +0,0 @@
-# Upgrade Guide — vNEXT
-
-<!-- bump: patch -->
-<!-- Valid values: patch, minor, major -->
-<!-- patch = bug fixes, refactors, test additions, doc updates -->
-<!-- minor = new features, new APIs, new capabilities (backwards-compatible) -->
-<!-- major = breaking changes to existing APIs or behavior -->
-
-## What Changed
-
-<!-- Describe what changed technically. What new features, APIs, behavioral changes? -->
-<!-- Write this for the AGENT — they need to understand the system deeply. -->
-
-## What to Tell Your User
-
-<!-- Write talking points the agent should relay to their user. -->
-<!-- This should be warm, conversational, user-facing — not a changelog. -->
-<!-- Focus on what THEY can now do, not internal plumbing. -->
-<!--                                                                    -->
-<!-- PROHIBITED in this section (will fail validation):                 -->
-<!--   camelCase config keys: silentReject, maxRetries, telegramNotify -->
-<!--   Inline code backtick references like silentReject: false        -->
-<!--   Fenced code blocks                                              -->
-<!--   Instructions to edit files or run commands                      -->
-<!--                                                                    -->
-<!-- CORRECT style: "I can turn that on for you" not "set X to false"  -->
-<!-- The agent relays this to their user — keep it human.              -->
-
-- **[Feature name]**: "[Brief, friendly description of what this means for the user]"
-
-## Summary of New Capabilities
-
-| Capability | How to Use |
-|-----------|-----------|
-| [Capability] | [Endpoint, command, or "automatic"] |
-
-## Evidence
-
-<!-- REQUIRED if this release claims to fix a bug. -->
-<!-- Unit tests passing is NOT evidence. Provide ONE of: -->
-<!--   (a) Reproduction steps + observed before/after on a live system. -->
-<!--       Include log excerpts, observed command output, or behavior -->
-<!--       description. Make it specific enough that a future reader can -->
-<!--       re-run it and see the same thing. -->
-<!--   (b) "Not reproducible in dev — [concrete reason]" if the failure -->
-<!--       mode truly can't be exercised locally (race conditions, -->
-<!--       event-driven paths requiring external signals, etc). -->
-<!--                                                                 -->
-<!-- If this release doesn't claim a bug fix (pure feature / refactor), -->
-<!-- leave this section blank or delete it — it's only enforced when -->
-<!-- "What Changed" describes a fix. -->
-
-[Describe reproduction + verified fix, OR "Not reproducible in dev — [concrete reason]"]