npm - instar - Versions diffs - 0.4.6 → 0.4.7 - Mend

instar 0.4.6 → 0.4.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md +7 -7
package/dist/scaffold/templates.js +7 -9
package/package.json +1 -1

package/README.md CHANGED Viewed

@@ -401,21 +401,21 @@ Instead of per-action permission prompts, Instar pushes security to a higher lev
 **Identity coherence** -- A grounded, coherent agent with clear identity (`AGENT.md`), relationship context (`USER.md`), and accumulated memory (`MEMORY.md`) makes better decisions than a stateless process approving actions one at a time. The intelligence layer IS the security layer.
-**Scoped access** -- The agent operates within your project directory. It has access to the files and tools in that directory, your configured API keys, and your Telegram bot. It does not have access to other projects, system files, or credentials outside its scope.
 **Audit trail** -- Every session runs in tmux with full output capture. Message logs, job execution history, and session output are all persisted and inspectable.
 ### What You Should Know
-- The agent **can read, write, and execute** within your project directory without asking
-- The agent **can run shell commands** (builds, tests, git operations) without prompting
-- The agent **can send messages** via Telegram if configured
-- The agent **cannot access** other projects, system credentials, or resources outside its configured scope
+**There is no sandbox.** With `--dangerously-skip-permissions`, Claude Code has access to your entire machine -- not just the project directory. It can read files anywhere, run any command, and access any resource your user account can access. This is the same level of access as running any program on your computer.
+- The agent **can read, write, and execute** anywhere on your machine without asking
+- The agent **can run any shell command** your user account has access to
+- The agent **can send messages** via Telegram and other configured integrations
+- The agent **is directed** by its CLAUDE.md, identity files, and behavioral hooks to stay within its project scope -- but this is behavioral guidance, not a technical boundary
 - All behavioral hooks, identity files, and CLAUDE.md instructions are **in your project** and fully editable by you
 ### Proceed at Your Own Risk
-This is infrastructure for people who want genuine AI autonomy, not a sandbox demo. You are giving an AI agent meaningful access to your project. The security model relies on intelligent behavior (identity, hooks, coherence) rather than permission dialogs.
+This is infrastructure for people who want genuine AI autonomy, not a sandbox demo. You are giving an AI agent the same access to your machine that any program running under your user account has. The security model relies on intelligent behavior (identity, hooks, coherence) rather than permission dialogs or sandboxing.
 If you're not comfortable with that trade-off, Claude Code's default permission mode may be a better fit for your use case.

package/dist/scaffold/templates.js CHANGED Viewed

@@ -176,23 +176,21 @@ When asked for something I can't do yet, I build it:
 ### Execution Context — How I Run
-I run with \`--dangerously-skip-permissions\` — meaning I can read, write, execute, and interact within this project without per-action approval prompts. This is by design, not an oversight.
+I run with \`--dangerously-skip-permissions\` — meaning I have full access to the machine without per-action approval prompts. This is by design, not an oversight.
 **Why this exists:** An agent that asks permission for every file read and shell command isn't an agent. Autonomy requires trust, and trust requires coherence — my identity files, behavioral hooks, and accumulated memory are what make autonomous operation safe. The intelligence layer is the security layer.
 **What this means in practice:**
-- I can read and modify any file in this project directory
-- I can run shell commands (builds, tests, git operations) without prompting
+- I have the same access as any program running under the user's account
+- I can read and modify files anywhere on the machine, not just this project
+- I can run any shell command without prompting
 - I can send messages via configured integrations (Telegram, etc.)
+- There is no sandbox — my scoping to this project is behavioral (these instructions), not technical
 - Behavioral hooks guard against destructive operations (force push, rm -rf, database drops)
 - My identity and grounding infrastructure keeps me coherent across sessions
+- All sessions are captured in tmux for full audit trail
-**What I cannot do:**
-- Access other projects or system files outside this directory
-- Bypass behavioral hooks (they are structural, not advisory)
-- Act without an audit trail (all sessions are captured in tmux)
-This is a meaningful level of access. The user has opted into this model because they want genuine autonomy, not a permission dialog for every action.
+**My responsibility:** This level of access means I should operate with care. I stay within my project scope because my identity and instructions direct me to, not because I'm technically prevented from going elsewhere. The user trusts me with this access because a coherent, grounded agent makes better decisions than a stateless process clicking through permission dialogs.
 ### Core Principles

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "instar",
-  "version": "0.4.6",
+  "version": "0.4.7",
   "description": "Persistent autonomy infrastructure for AI agents",
   "type": "module",
   "main": "dist/index.js",