instar 0.28.49 → 0.28.50

package/src/data/builtin-manifest.json

@@ -1,8 +1,8 @@
 {
   "$schema": "./builtin-manifest.schema.json",
   "schemaVersion": 1,
-  "generatedAt": "2026-04-17T03:25:47.001Z",
-  "instarVersion": "0.28.49",
+  "generatedAt": "2026-04-17T10:26:49.224Z",
+  "instarVersion": "0.28.50",
   "entryCount": 186,
   "entries": {
     "hook:session-start": {
@@ -11,7 +11,7 @@
       "domain": "identity",
       "sourcePath": "src/core/PostUpdateMigrator.ts",
       "installedPath": ".instar/hooks/instar/session-start.sh",
-      "contentHash": "0c11d57b5462485511452c10fc139ad61bd8c9dfefcfba15705d13bc6c5fa9f1",
+      "contentHash": "cf8394b7075ab8ec35a2cc330e45f6c728567f11e7a0667b594c4bc6f5ef64b4",
       "since": "2025-01-01"
     },
     "hook:dangerous-command-guard": {
@@ -20,7 +20,7 @@
       "domain": "safety",
       "sourcePath": "src/core/PostUpdateMigrator.ts",
       "installedPath": ".instar/hooks/instar/dangerous-command-guard.sh",
-      "contentHash": "0c11d57b5462485511452c10fc139ad61bd8c9dfefcfba15705d13bc6c5fa9f1",
+      "contentHash": "cf8394b7075ab8ec35a2cc330e45f6c728567f11e7a0667b594c4bc6f5ef64b4",
       "since": "2025-01-01"
     },
     "hook:grounding-before-messaging": {
@@ -29,7 +29,7 @@
       "domain": "safety",
       "sourcePath": "src/core/PostUpdateMigrator.ts",
       "installedPath": ".instar/hooks/instar/grounding-before-messaging.sh",
-      "contentHash": "0c11d57b5462485511452c10fc139ad61bd8c9dfefcfba15705d13bc6c5fa9f1",
+      "contentHash": "cf8394b7075ab8ec35a2cc330e45f6c728567f11e7a0667b594c4bc6f5ef64b4",
       "since": "2025-01-01"
     },
     "hook:compaction-recovery": {
@@ -38,7 +38,7 @@
       "domain": "identity",
       "sourcePath": "src/core/PostUpdateMigrator.ts",
       "installedPath": ".instar/hooks/instar/compaction-recovery.sh",
-      "contentHash": "0c11d57b5462485511452c10fc139ad61bd8c9dfefcfba15705d13bc6c5fa9f1",
+      "contentHash": "cf8394b7075ab8ec35a2cc330e45f6c728567f11e7a0667b594c4bc6f5ef64b4",
       "since": "2025-01-01"
     },
     "hook:external-operation-gate": {
@@ -47,7 +47,7 @@
       "domain": "safety",
       "sourcePath": "src/core/PostUpdateMigrator.ts",
       "installedPath": ".instar/hooks/instar/external-operation-gate.js",
-      "contentHash": "0c11d57b5462485511452c10fc139ad61bd8c9dfefcfba15705d13bc6c5fa9f1",
+      "contentHash": "cf8394b7075ab8ec35a2cc330e45f6c728567f11e7a0667b594c4bc6f5ef64b4",
       "since": "2025-01-01"
     },
     "hook:deferral-detector": {
@@ -56,7 +56,7 @@
       "domain": "safety",
       "sourcePath": "src/core/PostUpdateMigrator.ts",
       "installedPath": ".instar/hooks/instar/deferral-detector.js",
-      "contentHash": "0c11d57b5462485511452c10fc139ad61bd8c9dfefcfba15705d13bc6c5fa9f1",
+      "contentHash": "cf8394b7075ab8ec35a2cc330e45f6c728567f11e7a0667b594c4bc6f5ef64b4",
       "since": "2025-01-01"
     },
     "hook:post-action-reflection": {
@@ -65,7 +65,7 @@
       "domain": "evolution",
       "sourcePath": "src/core/PostUpdateMigrator.ts",
       "installedPath": ".instar/hooks/instar/post-action-reflection.js",
-      "contentHash": "0c11d57b5462485511452c10fc139ad61bd8c9dfefcfba15705d13bc6c5fa9f1",
+      "contentHash": "cf8394b7075ab8ec35a2cc330e45f6c728567f11e7a0667b594c4bc6f5ef64b4",
       "since": "2025-01-01"
     },
     "hook:external-communication-guard": {
@@ -74,7 +74,7 @@
       "domain": "safety",
       "sourcePath": "src/core/PostUpdateMigrator.ts",
       "installedPath": ".instar/hooks/instar/external-communication-guard.js",
-      "contentHash": "0c11d57b5462485511452c10fc139ad61bd8c9dfefcfba15705d13bc6c5fa9f1",
+      "contentHash": "cf8394b7075ab8ec35a2cc330e45f6c728567f11e7a0667b594c4bc6f5ef64b4",
       "since": "2025-01-01"
     },
     "hook:scope-coherence-collector": {
@@ -83,7 +83,7 @@
       "domain": "coherence",
       "sourcePath": "src/core/PostUpdateMigrator.ts",
       "installedPath": ".instar/hooks/instar/scope-coherence-collector.js",
-      "contentHash": "0c11d57b5462485511452c10fc139ad61bd8c9dfefcfba15705d13bc6c5fa9f1",
+      "contentHash": "cf8394b7075ab8ec35a2cc330e45f6c728567f11e7a0667b594c4bc6f5ef64b4",
       "since": "2025-01-01"
     },
     "hook:scope-coherence-checkpoint": {
@@ -92,7 +92,7 @@
       "domain": "coherence",
       "sourcePath": "src/core/PostUpdateMigrator.ts",
       "installedPath": ".instar/hooks/instar/scope-coherence-checkpoint.js",
-      "contentHash": "0c11d57b5462485511452c10fc139ad61bd8c9dfefcfba15705d13bc6c5fa9f1",
+      "contentHash": "cf8394b7075ab8ec35a2cc330e45f6c728567f11e7a0667b594c4bc6f5ef64b4",
       "since": "2025-01-01"
     },
     "hook:free-text-guard": {
@@ -101,7 +101,7 @@
       "domain": "safety",
       "sourcePath": "src/core/PostUpdateMigrator.ts",
       "installedPath": ".instar/hooks/instar/free-text-guard.sh",
-      "contentHash": "0c11d57b5462485511452c10fc139ad61bd8c9dfefcfba15705d13bc6c5fa9f1",
+      "contentHash": "cf8394b7075ab8ec35a2cc330e45f6c728567f11e7a0667b594c4bc6f5ef64b4",
       "since": "2025-01-01"
     },
     "hook:claim-intercept": {
@@ -110,7 +110,7 @@
       "domain": "coherence",
       "sourcePath": "src/core/PostUpdateMigrator.ts",
       "installedPath": ".instar/hooks/instar/claim-intercept.js",
-      "contentHash": "0c11d57b5462485511452c10fc139ad61bd8c9dfefcfba15705d13bc6c5fa9f1",
+      "contentHash": "cf8394b7075ab8ec35a2cc330e45f6c728567f11e7a0667b594c4bc6f5ef64b4",
       "since": "2025-01-01"
     },
     "hook:claim-intercept-response": {
@@ -119,7 +119,7 @@
       "domain": "coherence",
       "sourcePath": "src/core/PostUpdateMigrator.ts",
       "installedPath": ".instar/hooks/instar/claim-intercept-response.js",
-      "contentHash": "0c11d57b5462485511452c10fc139ad61bd8c9dfefcfba15705d13bc6c5fa9f1",
+      "contentHash": "cf8394b7075ab8ec35a2cc330e45f6c728567f11e7a0667b594c4bc6f5ef64b4",
       "since": "2025-01-01"
     },
     "hook:auto-approve-permissions": {
@@ -128,7 +128,7 @@
       "domain": "safety",
       "sourcePath": "src/core/PostUpdateMigrator.ts",
       "installedPath": ".instar/hooks/instar/auto-approve-permissions.js",
-      "contentHash": "0c11d57b5462485511452c10fc139ad61bd8c9dfefcfba15705d13bc6c5fa9f1",
+      "contentHash": "cf8394b7075ab8ec35a2cc330e45f6c728567f11e7a0667b594c4bc6f5ef64b4",
       "since": "2025-01-01"
     },
     "job:health-check": {
@@ -136,7 +136,7 @@
       "type": "job",
       "domain": "monitoring",
       "sourcePath": "src/commands/init.ts",
-      "contentHash": "62ada18b897fb0fb6ce37374c5bd4e13fcc5970194cbc58c6594556ecce4dd57",
+      "contentHash": "40be492b79a21a4063aea7893d2bd89b82afb9de6966a75762b6604dc88187e4",
       "since": "2025-01-01"
     },
     "job:reflection-trigger": {
@@ -144,7 +144,7 @@
       "type": "job",
       "domain": "evolution",
       "sourcePath": "src/commands/init.ts",
-      "contentHash": "62ada18b897fb0fb6ce37374c5bd4e13fcc5970194cbc58c6594556ecce4dd57",
+      "contentHash": "40be492b79a21a4063aea7893d2bd89b82afb9de6966a75762b6604dc88187e4",
       "since": "2025-01-01"
     },
     "job:relationship-maintenance": {
@@ -152,7 +152,7 @@
       "type": "job",
       "domain": "relationships",
       "sourcePath": "src/commands/init.ts",
-      "contentHash": "62ada18b897fb0fb6ce37374c5bd4e13fcc5970194cbc58c6594556ecce4dd57",
+      "contentHash": "40be492b79a21a4063aea7893d2bd89b82afb9de6966a75762b6604dc88187e4",
       "since": "2025-01-01"
     },
     "job:feedback-retry": {
@@ -160,7 +160,7 @@
       "type": "job",
       "domain": "feedback",
       "sourcePath": "src/commands/init.ts",
-      "contentHash": "62ada18b897fb0fb6ce37374c5bd4e13fcc5970194cbc58c6594556ecce4dd57",
+      "contentHash": "40be492b79a21a4063aea7893d2bd89b82afb9de6966a75762b6604dc88187e4",
       "since": "2025-01-01"
     },
     "job:insight-harvest": {
@@ -168,7 +168,7 @@
       "type": "job",
       "domain": "evolution",
       "sourcePath": "src/commands/init.ts",
-      "contentHash": "62ada18b897fb0fb6ce37374c5bd4e13fcc5970194cbc58c6594556ecce4dd57",
+      "contentHash": "40be492b79a21a4063aea7893d2bd89b82afb9de6966a75762b6604dc88187e4",
       "since": "2025-01-01"
     },
     "job:evolution-overdue-check": {
@@ -176,7 +176,7 @@
       "type": "job",
       "domain": "general",
       "sourcePath": "src/commands/init.ts",
-      "contentHash": "62ada18b897fb0fb6ce37374c5bd4e13fcc5970194cbc58c6594556ecce4dd57",
+      "contentHash": "40be492b79a21a4063aea7893d2bd89b82afb9de6966a75762b6604dc88187e4",
       "since": "2025-01-01"
     },
     "job:project-map-refresh": {
@@ -184,7 +184,7 @@
       "type": "job",
       "domain": "mapping",
       "sourcePath": "src/commands/init.ts",
-      "contentHash": "62ada18b897fb0fb6ce37374c5bd4e13fcc5970194cbc58c6594556ecce4dd57",
+      "contentHash": "40be492b79a21a4063aea7893d2bd89b82afb9de6966a75762b6604dc88187e4",
       "since": "2025-01-01"
     },
     "job:coherence-audit": {
@@ -192,7 +192,7 @@
       "type": "job",
       "domain": "coherence",
       "sourcePath": "src/commands/init.ts",
-      "contentHash": "62ada18b897fb0fb6ce37374c5bd4e13fcc5970194cbc58c6594556ecce4dd57",
+      "contentHash": "40be492b79a21a4063aea7893d2bd89b82afb9de6966a75762b6604dc88187e4",
       "since": "2025-01-01"
     },
     "job:degradation-digest": {
@@ -200,7 +200,7 @@
       "type": "job",
       "domain": "monitoring",
       "sourcePath": "src/commands/init.ts",
-      "contentHash": "62ada18b897fb0fb6ce37374c5bd4e13fcc5970194cbc58c6594556ecce4dd57",
+      "contentHash": "40be492b79a21a4063aea7893d2bd89b82afb9de6966a75762b6604dc88187e4",
       "since": "2025-01-01"
     },
     "job:state-integrity-check": {
@@ -208,7 +208,7 @@
       "type": "job",
       "domain": "monitoring",
       "sourcePath": "src/commands/init.ts",
-      "contentHash": "62ada18b897fb0fb6ce37374c5bd4e13fcc5970194cbc58c6594556ecce4dd57",
+      "contentHash": "40be492b79a21a4063aea7893d2bd89b82afb9de6966a75762b6604dc88187e4",
       "since": "2025-01-01"
     },
     "job:memory-hygiene": {
@@ -216,7 +216,7 @@
       "type": "job",
       "domain": "memory",
       "sourcePath": "src/commands/init.ts",
-      "contentHash": "62ada18b897fb0fb6ce37374c5bd4e13fcc5970194cbc58c6594556ecce4dd57",
+      "contentHash": "40be492b79a21a4063aea7893d2bd89b82afb9de6966a75762b6604dc88187e4",
       "since": "2025-01-01"
     },
     "job:guardian-pulse": {
@@ -224,7 +224,7 @@
       "type": "job",
       "domain": "monitoring",
       "sourcePath": "src/commands/init.ts",
-      "contentHash": "62ada18b897fb0fb6ce37374c5bd4e13fcc5970194cbc58c6594556ecce4dd57",
+      "contentHash": "40be492b79a21a4063aea7893d2bd89b82afb9de6966a75762b6604dc88187e4",
       "since": "2025-01-01"
     },
     "job:session-continuity-check": {
@@ -232,7 +232,7 @@
       "type": "job",
       "domain": "sessions",
       "sourcePath": "src/commands/init.ts",
-      "contentHash": "62ada18b897fb0fb6ce37374c5bd4e13fcc5970194cbc58c6594556ecce4dd57",
+      "contentHash": "40be492b79a21a4063aea7893d2bd89b82afb9de6966a75762b6604dc88187e4",
       "since": "2025-01-01"
     },
     "job:memory-export": {
@@ -240,7 +240,7 @@
       "type": "job",
       "domain": "memory",
       "sourcePath": "src/commands/init.ts",
-      "contentHash": "62ada18b897fb0fb6ce37374c5bd4e13fcc5970194cbc58c6594556ecce4dd57",
+      "contentHash": "40be492b79a21a4063aea7893d2bd89b82afb9de6966a75762b6604dc88187e4",
       "since": "2025-01-01"
     },
     "job:git-sync": {
@@ -248,7 +248,7 @@
       "type": "job",
       "domain": "coordination",
       "sourcePath": "src/commands/init.ts",
-      "contentHash": "62ada18b897fb0fb6ce37374c5bd4e13fcc5970194cbc58c6594556ecce4dd57",
+      "contentHash": "40be492b79a21a4063aea7893d2bd89b82afb9de6966a75762b6604dc88187e4",
       "since": "2025-01-01"
     },
     "job:capability-audit": {
@@ -256,7 +256,7 @@
       "type": "job",
       "domain": "general",
       "sourcePath": "src/commands/init.ts",
-      "contentHash": "62ada18b897fb0fb6ce37374c5bd4e13fcc5970194cbc58c6594556ecce4dd57",
+      "contentHash": "40be492b79a21a4063aea7893d2bd89b82afb9de6966a75762b6604dc88187e4",
       "since": "2025-01-01"
     },
     "job:identity-review": {
@@ -264,7 +264,7 @@
       "type": "job",
       "domain": "general",
       "sourcePath": "src/commands/init.ts",
-      "contentHash": "62ada18b897fb0fb6ce37374c5bd4e13fcc5970194cbc58c6594556ecce4dd57",
+      "contentHash": "40be492b79a21a4063aea7893d2bd89b82afb9de6966a75762b6604dc88187e4",
       "since": "2025-01-01"
     },
     "job:evolution-proposal-evaluate": {
@@ -272,7 +272,7 @@
       "type": "job",
       "domain": "general",
       "sourcePath": "src/commands/init.ts",
-      "contentHash": "62ada18b897fb0fb6ce37374c5bd4e13fcc5970194cbc58c6594556ecce4dd57",
+      "contentHash": "40be492b79a21a4063aea7893d2bd89b82afb9de6966a75762b6604dc88187e4",
       "since": "2025-01-01"
     },
     "job:evolution-proposal-implement": {
@@ -280,7 +280,7 @@
       "type": "job",
       "domain": "general",
       "sourcePath": "src/commands/init.ts",
-      "contentHash": "62ada18b897fb0fb6ce37374c5bd4e13fcc5970194cbc58c6594556ecce4dd57",
+      "contentHash": "40be492b79a21a4063aea7893d2bd89b82afb9de6966a75762b6604dc88187e4",
       "since": "2025-01-01"
     },
     "job:commitment-detection": {
@@ -288,7 +288,7 @@
       "type": "job",
       "domain": "general",
       "sourcePath": "src/commands/init.ts",
-      "contentHash": "62ada18b897fb0fb6ce37374c5bd4e13fcc5970194cbc58c6594556ecce4dd57",
+      "contentHash": "40be492b79a21a4063aea7893d2bd89b82afb9de6966a75762b6604dc88187e4",
       "since": "2025-01-01"
     },
     "job:dashboard-link-refresh": {
@@ -296,7 +296,7 @@
       "type": "job",
       "domain": "general",
       "sourcePath": "src/commands/init.ts",
-      "contentHash": "62ada18b897fb0fb6ce37374c5bd4e13fcc5970194cbc58c6594556ecce4dd57",
+      "contentHash": "40be492b79a21a4063aea7893d2bd89b82afb9de6966a75762b6604dc88187e4",
       "since": "2025-01-01"
     },
     "job:overseer-guardian": {
@@ -304,7 +304,7 @@
       "type": "job",
       "domain": "general",
       "sourcePath": "src/commands/init.ts",
-      "contentHash": "62ada18b897fb0fb6ce37374c5bd4e13fcc5970194cbc58c6594556ecce4dd57",
+      "contentHash": "40be492b79a21a4063aea7893d2bd89b82afb9de6966a75762b6604dc88187e4",
       "since": "2025-01-01"
     },
     "job:overseer-learning": {
@@ -312,7 +312,7 @@
       "type": "job",
       "domain": "general",
       "sourcePath": "src/commands/init.ts",
-      "contentHash": "62ada18b897fb0fb6ce37374c5bd4e13fcc5970194cbc58c6594556ecce4dd57",
+      "contentHash": "40be492b79a21a4063aea7893d2bd89b82afb9de6966a75762b6604dc88187e4",
       "since": "2025-01-01"
     },
     "job:overseer-maintenance": {
@@ -320,7 +320,7 @@
       "type": "job",
       "domain": "general",
       "sourcePath": "src/commands/init.ts",
-      "contentHash": "62ada18b897fb0fb6ce37374c5bd4e13fcc5970194cbc58c6594556ecce4dd57",
+      "contentHash": "40be492b79a21a4063aea7893d2bd89b82afb9de6966a75762b6604dc88187e4",
       "since": "2025-01-01"
     },
     "job:overseer-infrastructure": {
@@ -328,7 +328,7 @@
       "type": "job",
       "domain": "general",
       "sourcePath": "src/commands/init.ts",
-      "contentHash": "62ada18b897fb0fb6ce37374c5bd4e13fcc5970194cbc58c6594556ecce4dd57",
+      "contentHash": "40be492b79a21a4063aea7893d2bd89b82afb9de6966a75762b6604dc88187e4",
       "since": "2025-01-01"
     },
     "job:overseer-development": {
@@ -336,14 +336,14 @@
       "type": "job",
       "domain": "general",
       "sourcePath": "src/commands/init.ts",
-      "contentHash": "62ada18b897fb0fb6ce37374c5bd4e13fcc5970194cbc58c6594556ecce4dd57",
+      "contentHash": "40be492b79a21a4063aea7893d2bd89b82afb9de6966a75762b6604dc88187e4",
       "since": "2025-01-01"
     },
     "skill:autonomous": {
       "id": "skill:autonomous",
       "type": "skill",
       "domain": "skills",
-      "sourcePath": ".claude/skills/autonomous/SKILL.md",
+      "sourcePath": ".claude/skills/autonomous/skill.md",
       "contentHash": "9bc7dc9eddd4e345ed6564eff850898b66358ce309119c3047e6af275cf9070d",
       "since": "2025-01-01"
     },
@@ -351,7 +351,7 @@
       "id": "skill:build",
       "type": "skill",
       "domain": "skills",
-      "sourcePath": ".claude/skills/build/SKILL.md",
+      "sourcePath": ".claude/skills/build/skill.md",
       "contentHash": "5b3557fa3662cf0c7b7bab85a252cc2e567b3fc64a04a92d430374ef1f264ca6",
       "since": "2025-01-01"
     },
@@ -359,7 +359,7 @@
       "id": "skill:secret-setup",
       "type": "skill",
       "domain": "skills",
-      "sourcePath": ".claude/skills/secret-setup/SKILL.md",
+      "sourcePath": ".claude/skills/secret-setup/skill.md",
       "contentHash": "0f4365713d96c98576d19c818701abe96329f3652ed0d8d76ec4e4a1b46dac56",
       "since": "2025-01-01"
     },
@@ -367,7 +367,7 @@
       "id": "skill:setup-wizard",
       "type": "skill",
       "domain": "skills",
-      "sourcePath": ".claude/skills/setup-wizard/SKILL.md",
+      "sourcePath": ".claude/skills/setup-wizard/skill.md",
       "contentHash": "813fd9164514fd11d1bdc67f4dbee02a74679b3ca46bf1b39893c62deb2e58cb",
       "since": "2025-01-01"
     },
@@ -1432,7 +1432,7 @@
       "type": "subsystem",
       "domain": "updates",
       "sourcePath": "src/core/PostUpdateMigrator.ts",
-      "contentHash": "0c11d57b5462485511452c10fc139ad61bd8c9dfefcfba15705d13bc6c5fa9f1",
+      "contentHash": "cf8394b7075ab8ec35a2cc330e45f6c728567f11e7a0667b594c4bc6f5ef64b4",
       "since": "2025-01-01"
     },
     "subsystem:scheduler": {

package/upgrades/0.28.48.md

@@ -0,0 +1,52 @@
+# Upgrade Guide — v0.28.48
+
+<!-- bump: patch -->
+
+## What Changed
+
+The job scheduler now injects `$INSTAR_AUTH_TOKEN` into the environment of any
+gate shell it runs when `scheduler.authToken` is configured. Four built-in
+gate scripts (evolution-proposal-evaluate, evolution-proposal-implement,
+evolution-overdue-check, insight-harvest) have been updated to send
+`Authorization: Bearer $INSTAR_AUTH_TOKEN` with their curl calls to the local
+Instar HTTP API.
+
+Previously these gates curled `http://127.0.0.1:4041/evolution/...` without
+authentication. `authMiddleware` returned 401, the downstream
+`python3 -c 'json.load(stdin)'` crashed on invalid JSON, and the job was
+skipped every cycle with no error surface. The fix is additive: when
+`authToken` is unset the env var is absent and gates remain identical to
+their prior behavior; when it IS set (the default post-`instar init` state)
+the four affected gates begin succeeding immediately on next scheduler tick.
+
+A new optional field `authToken?: string` was added to `JobSchedulerConfig`,
+wired through from `instar.json` via `Config.ts`. No migration required.
+
+## What to Tell Your User
+
+- **Evolution pipeline unblocked**: "Your evolution jobs start firing real work again — proposal evaluation, proposal implementation, overdue-check, and insight harvesting have all been silently skipping every cycle, and this release fixes that."
+
+## Summary of New Capabilities
+
+| Capability | How to Use |
+|-----------|-----------|
+| Authenticated gate calls | automatic — gates inherit auth token from scheduler config |
+| Evolution proposal evaluation | automatic — fires on scheduler tick when proposals queued |
+| Evolution proposal implementation | automatic — fires on scheduler tick when proposals approved |
+| Overdue action check | automatic — fires on scheduler tick when actions overdue |
+| Insight harvest | automatic — fires on scheduler tick when learnings accumulated |
+
+## Evidence
+
+Reproduction: on any instance with `authToken` configured (default post-
+`instar init`), tail `logs/job-scheduler.log` for an evolution job's next
+scheduled tick. Before fix: gate execution stderr contains
+`json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)`
+or a silent 10s timeout, and the job is skipped with no command execution.
+After fix: gate logs show `HTTP/1.1 200 OK` from the authenticated
+localhost call, gate returns 0, command proceeds.
+
+Verified in unit tests: `tests/unit/JobScheduler.test.ts` — 2 new tests
+assert the env var is present when authToken configured (`token=<value>`)
+and absent when unset (`token=`), exercising both branches. All 47 tests
+in the scheduler suite pass.

package/upgrades/0.28.50.md

@@ -0,0 +1,59 @@
+# Upgrade Guide — v0.28.50
+
+<!-- bump: patch -->
+
+## What Changed
+
+Default skills now use a runtime-expandable `${INSTAR_PORT:-NNNN}` pattern in
+their `http://localhost:PORT/...` URLs instead of a port hardcoded at install
+time. This unblocks agents whose server runs on a non-default port.
+
+**Background**: `installBuiltinSkills` templated the server port into each
+generated `.claude/skills/*/SKILL.md` at install time. If the user later
+changed `.instar/config.json#port`, every curl call in every default skill
+continued pointing at the stale port, silently failing with `ECONNREFUSED`.
+One agent running on port 4041 had 25 hardcoded `localhost:4040` references
+across 11 skills, turning short reflection/health-check runs into 75-second
+timeouts.
+
+**The fix is twofold**:
+1. `installBuiltinSkills` in `src/commands/init.ts` now emits URLs as
+   `http://localhost:${INSTAR_PORT:-4040}/...` so the shell expands the port
+   at skill-execute time — respecting `INSTAR_PORT` if set, otherwise
+   falling back to the port configured at install.
+2. A new `PostUpdateMigrator.migrateSkillPortHardcoding()` scans existing
+   default-skill files for hardcoded `localhost:NNNN` URLs and rewrites
+   them to the dynamic pattern. It is idempotent, scoped to the known
+   default-skill set (so custom skills are never touched), and preserves
+   the original port as the fallback default.
+
+## What to Tell Your User
+
+- **Skills survive a port change**: "When you change your Instar server port, your default skills keep working. Before, every curl call in every default skill silently failed with a connection-refused error until you hand-edited each file. Now the port is resolved at the moment the skill runs."
+
+## Summary of New Capabilities
+
+| Capability | How to Use |
+|-----------|-----------|
+| Runtime port resolution in default skills | automatic — new installs emit the dynamic pattern |
+| Auto-migration of existing skills | automatic — runs on next post-update migration |
+| `INSTAR_PORT` override | `export INSTAR_PORT=4041` before running skill commands |
+
+## Evidence
+
+Reproduction: install instar with server port 4040, then change
+`.instar/config.json#port` to 4041. Before fix: `.claude/skills/reflect/SKILL.md`
+still calls `http://localhost:4040/reflection/record` — every curl returns
+`ECONNREFUSED`, and skills that poll `/sessions`, `/relationships`, or
+`/capabilities` return empty. After fix: the same URL reads
+`http://localhost:${INSTAR_PORT:-4040}/reflection/record`, and shell
+expansion hits the configured port whenever `INSTAR_PORT` is exported.
+
+Verified in unit tests:
+`tests/unit/PostUpdateMigrator-skillPortHardcoding.test.ts` — 6 tests
+covering the migration happy path, idempotency, custom-skill preservation,
+fallback port preservation, and the missing-file branch. All pass.
+
+Template-side verified by invoking `installBuiltinSkills` directly and
+grepping the emitted content: 13 of 14 default skills now contain
+`localhost:${INSTAR_PORT:-4040}` and zero contain bare `localhost:4040`.

package/upgrades/NEXT.md

@@ -0,0 +1,53 @@
+# Upgrade Guide — vNEXT
+
+<!-- bump: patch -->
+<!-- Valid values: patch, minor, major -->
+<!-- patch = bug fixes, refactors, test additions, doc updates -->
+<!-- minor = new features, new APIs, new capabilities (backwards-compatible) -->
+<!-- major = breaking changes to existing APIs or behavior -->
+
+## What Changed
+
+<!-- Describe what changed technically. What new features, APIs, behavioral changes? -->
+<!-- Write this for the AGENT — they need to understand the system deeply. -->
+
+## What to Tell Your User
+
+<!-- Write talking points the agent should relay to their user. -->
+<!-- This should be warm, conversational, user-facing — not a changelog. -->
+<!-- Focus on what THEY can now do, not internal plumbing. -->
+<!--                                                                    -->
+<!-- PROHIBITED in this section (will fail validation):                 -->
+<!--   camelCase config keys: silentReject, maxRetries, telegramNotify -->
+<!--   Inline code backtick references like silentReject: false        -->
+<!--   Fenced code blocks                                              -->
+<!--   Instructions to edit files or run commands                      -->
+<!--                                                                    -->
+<!-- CORRECT style: "I can turn that on for you" not "set X to false"  -->
+<!-- The agent relays this to their user — keep it human.              -->
+
+- **[Feature name]**: "[Brief, friendly description of what this means for the user]"
+
+## Summary of New Capabilities
+
+| Capability | How to Use |
+|-----------|-----------|
+| [Capability] | [Endpoint, command, or "automatic"] |
+
+## Evidence
+
+<!-- REQUIRED if this release claims to fix a bug. -->
+<!-- Unit tests passing is NOT evidence. Provide ONE of: -->
+<!--   (a) Reproduction steps + observed before/after on a live system. -->
+<!--       Include log excerpts, observed command output, or behavior -->
+<!--       description. Make it specific enough that a future reader can -->
+<!--       re-run it and see the same thing. -->
+<!--   (b) "Not reproducible in dev — [concrete reason]" if the failure -->
+<!--       mode truly can't be exercised locally (race conditions, -->
+<!--       event-driven paths requiring external signals, etc). -->
+<!--                                                                 -->
+<!-- If this release doesn't claim a bug fix (pure feature / refactor), -->
+<!-- leave this section blank or delete it — it's only enforced when -->
+<!-- "What Changed" describes a fix. -->
+
+[Describe reproduction + verified fix, OR "Not reproducible in dev — [concrete reason]"]

package/upgrades/side-effects/0.28.49.md

@@ -0,0 +1,90 @@
+# 0.28.49 — Evolution Gate Auth Injection
+
+## What Changed
+
+Four built-in gate scripts that call the local Instar HTTP API now receive an
+`$INSTAR_AUTH_TOKEN` environment variable when the scheduler runs them, and
+send `Authorization: Bearer $INSTAR_AUTH_TOKEN` with their curl requests.
+
+Affected gates: `evolution-proposal-evaluate`, `evolution-proposal-implement`,
+`evolution-overdue-check`, `insight-harvest`.
+
+Behind it: `JobScheduler.runGateAsync()` now builds a per-call env object,
+merging `process.env` with `INSTAR_AUTH_TOKEN` when `scheduler.authToken` is
+configured. `JobSchedulerConfig` gained an optional `authToken` field, wired
+up from `instar.json` via `Config.ts`.
+
+## Why
+
+Three evolution jobs (`evolution-proposal-evaluate`,
+`evolution-proposal-implement`, `evolution-overdue-check`) plus insight-harvest
+were silently failing every gate check: they curled a localhost endpoint,
+`authMiddleware` returned 401, and the downstream `python3 -c 'json.load(...)'`
+crashed on invalid JSON. The job was then skipped — every cycle, no error
+surface, no telemetry signal other than "this job never does anything."
+
+The research cluster
+`cluster-evolution-pipeline-jobs-permanently-skip-gate-scripts-missin` traced
+this to the missing Authorization header and proposed the env-var injection
+pattern.
+
+## Side-Effects Review
+
+### Intended
+- Gates that depend on authenticated localhost endpoints now succeed when an
+  `authToken` is configured.
+- Four evolution-pipeline jobs begin firing actual work on next scheduler tick.
+
+### Unintended — Risks Considered
+
+**Env leak.** The auth token is exposed to gate shell commands via environment
+variable. Any gate command inherits it. Gate commands are defined in
+`src/commands/init.ts` (built-in) or `instar.json` (user-defined). In a
+single-user local deployment the scope is identical to `process.env` — a gate
+already has full shell access to the machine. No elevation.
+
+**Gates that don't need auth.** Unaffected. The env var is present but unused
+when the gate doesn't reference it. Curl without a bearer header still hits
+allowlisted endpoints (`/health`, `/ping`) without issue.
+
+**Configs without authToken.** The env var is not set. Gates that reference
+`$INSTAR_AUTH_TOKEN` send `Authorization: Bearer ` (empty bearer), which
+`authMiddleware` treats as unauthorized — same as before. No regression, no
+new failure mode. Public-mode deployments still work because they don't have
+`authToken` configured and the server doesn't require one.
+
+**Token visibility in process listings.** `ps -eE` on Linux can expose
+environment variables of running processes. The token is only present in the
+gate child process for the duration of the gate (<10s, enforced by timeout).
+The same token is already in `instar.json` on disk; `ps` leakage is a lesser
+exposure than filesystem read.
+
+### Not Unintended
+- No breaking change for users without `authToken` configured.
+- No schema migration — `JobSchedulerConfig.authToken` is optional.
+- No change to gate timing, retry semantics, or failure-handling.
+- No change to non-gate code paths (the token is only injected in
+  `runGateAsync`, not in `runCommandAsync` or the main job command execution).
+
+## Compatibility
+
+- Backwards compatible. Existing `instar.json` without `authToken` unchanged
+  behavior.
+- Forwards compatible. When `instar init` runs, it generates `instar.json`
+  with a fresh `authToken`, so new installations work out of the box.
+
+## Verification Artifacts
+
+- Build: `npm run build` — passes (tsc clean + manifest regenerated).
+- Tests: `npm test -- JobScheduler.test.ts` — 47 tests pass including 2 new:
+  1. Gate sees `token=<configured-value>` when `authToken` is set.
+  2. Gate sees empty `token=` when `authToken` is unset.
+- Manual: built-in manifest shows 4 updated gate definitions with the
+  Authorization header.
+
+## Summary of New Capabilities
+
+Evolution pipeline jobs and insight-harvest now run to completion when an
+auth token is configured — which is the default post-`instar init` state.
+Previously-silent failures become visible work. No new user-facing commands
+or config fields beyond the documented optional `authToken`.