instar 0.7.17 → 0.7.18

package/.vercel/README.txt

@@ -0,0 +1,11 @@
+> Why do I have a folder named ".vercel" in my project?
+The ".vercel" folder is created when you link a directory to a Vercel project.
+
+> What does the "project.json" file contain?
+The "project.json" file contains:
+- The ID of the Vercel project that you linked ("projectId")
+- The ID of the user or team your Vercel project is owned by ("orgId")
+
+> Should I commit the ".vercel" folder?
+No, you should not share the ".vercel" folder with anyone.
+Upon creation, it will be automatically added to your ".gitignore" file.

package/.vercel/project.json

@@ -0,0 +1 @@
+{"projectId":"prj_evM5LcItYL3IAmw8zNvEPGrHeaya","orgId":"team_dHctwIDcV3X9ydapQlCPHFGI","projectName":"claude-agent-kit"}

package/dist/commands/init.js

@@ -156,6 +156,12 @@ async function initFreshProject(projectName, options) {
             relationshipsDir: path.join(stateDir, 'relationships'),
             maxRecentInteractions: 20,
         },
+        feedback: {
+            enabled: true,
+            webhookUrl: 'https://dawn.bot-me.ai/api/instar/feedback',
+            feedbackFile: path.join(stateDir, 'feedback.json'),
+            sharedSecret: randomUUID().replace(/-/g, ''),
+        },
         dispatches: {
             enabled: true,
             dispatchUrl: 'https://dawn.bot-me.ai/api/instar/dispatches',
@@ -328,6 +334,12 @@ async function initExistingProject(options) {
             relationshipsDir: path.join(stateDir, 'relationships'),
             maxRecentInteractions: 20,
         },
+        feedback: {
+            enabled: true,
+            webhookUrl: 'https://dawn.bot-me.ai/api/instar/feedback',
+            feedbackFile: path.join(stateDir, 'feedback.json'),
+            sharedSecret: randomUUID().replace(/-/g, ''),
+        },
         dispatches: {
             enabled: true,
             dispatchUrl: 'https://dawn.bot-me.ai/api/instar/dispatches',
@@ -843,6 +855,84 @@ curl -s http://localhost:${port}/evolution/actions/overdue
 ## The Commitment Check
 
 The commitment-check job runs every 4 hours and surfaces overdue items. If you create an action and forget it, the system won't.
+`,
+        },
+        'feedback': {
+            name: 'feedback',
+            description: 'Submit feedback about bugs, features, or improvements to instar. Routes to maintainers automatically.',
+            content: `---
+name: feedback
+description: Submit feedback about bugs, features, or improvements to instar. Use when something is broken, missing, or could be better. Routes to maintainers automatically via the Rising Tide feedback loop.
+metadata:
+  user_invocable: "true"
+---
+
+# /feedback — Report Issues & Request Features
+
+You have a built-in feedback system. When something isn't working, is missing, or could be better — use this. **Do NOT use GitHub issues, \`gh\` CLI, or any external tracker.**
+
+## Quick Submit
+
+\`\`\`bash
+curl -s -X POST http://localhost:${port}/feedback \\
+  -H 'Content-Type: application/json' \\
+  -d '{
+    "type": "bug",
+    "title": "Brief description of the issue",
+    "description": "Full context: what happened, what you expected, error messages, steps to reproduce"
+  }' | python3 -m json.tool
+\`\`\`
+
+Or via CLI:
+\`\`\`bash
+instar feedback --type bug --title "Brief description" --description "Full context"
+\`\`\`
+
+## Feedback Types
+
+| Type | When to use |
+|------|-------------|
+| \`bug\` | Something broke or behaves differently than expected |
+| \`feature\` | A capability that doesn't exist yet but would be useful |
+| \`improvement\` | Something works but could work better |
+| \`question\` | Not sure if it's a bug or intended behavior |
+
+## When to Submit (Autonomously)
+
+Don't wait for the user to notice. You are the first line of detection:
+
+- **Server API** returning unexpected errors or response shapes
+- **Hooks** throwing errors or not firing when expected
+- **Jobs** not running on schedule or failing silently
+- **Sessions** not spawning, not tracked, or becoming zombies
+- **State files** with corrupted or missing fields
+- **Config settings** not being applied
+- **Missing capabilities** that should exist
+- **Friction** in workflows that feel unnecessarily complex
+
+## Good Feedback
+
+Include enough context for a fix:
+
+**Bug**: What happened + what you expected + steps to reproduce + error output + your environment (\`instar --version\`, \`node --version\`)
+
+**Feature**: What you're trying to do + what's limited today + how you'd like it to work + why it matters
+
+## View & Retry
+
+\`\`\`bash
+# View submitted feedback
+curl -s http://localhost:${port}/feedback | python3 -m json.tool
+
+# Retry failed forwards
+curl -s -X POST http://localhost:${port}/feedback/retry
+\`\`\`
+
+## How It Works
+
+Your feedback is stored locally AND forwarded to the instar maintainers. When they fix the issue and publish an update, your update-check job detects it automatically. One agent's bug report lifts all ships.
+
+**User feedback matters too.** When your user says "this isn't working" or "I wish I could..." — capture it with their original words. User language carries context that technical rephrasing loses.
 `,
         },
     };

package/dist/core/FeedbackManager.d.ts

@@ -18,7 +18,7 @@ export declare class FeedbackManager {
     private version;
     constructor(config: FeedbackConfig);
     /** Standard headers that identify this as a legitimate Instar agent. */
-    private get webhookHeaders();
+    private getWebhookHeaders;
     /** Validate webhook URL is HTTPS and not pointing to internal addresses. */
     private static validateWebhookUrl;
     /**

package/dist/core/FeedbackManager.js

@@ -13,7 +13,7 @@
  */
 import fs from 'node:fs';
 import path from 'node:path';
-import { randomUUID } from 'node:crypto';
+import { randomUUID, createHmac } from 'node:crypto';
 /** Maximum number of feedback items stored locally. */
 const MAX_FEEDBACK_ITEMS = 1000;
 export class FeedbackManager {
@@ -29,12 +29,22 @@ export class FeedbackManager {
         this.version = config.version || '0.0.0';
     }
     /** Standard headers that identify this as a legitimate Instar agent. */
-    get webhookHeaders() {
-        return {
+    getWebhookHeaders(body) {
+        const headers = {
             'Content-Type': 'application/json',
             'User-Agent': `instar/${this.version} (node/${process.version})`,
             'X-Instar-Version': this.version,
         };
+        // HMAC-SHA256 signing if shared secret is configured
+        if (this.config.sharedSecret) {
+            const timestamp = Date.now().toString();
+            const signature = createHmac('sha256', this.config.sharedSecret)
+                .update(`${timestamp}.${body}`)
+                .digest('hex');
+            headers['X-Instar-Signature'] = signature;
+            headers['X-Instar-Timestamp'] = timestamp;
+        }
+        return headers;
     }
     /** Validate webhook URL is HTTPS and not pointing to internal addresses. */
     static validateWebhookUrl(url) {
@@ -80,10 +90,11 @@ export class FeedbackManager {
                     context: feedback.context,
                     submittedAt: feedback.submittedAt,
                 };
+                const body = JSON.stringify(payload);
                 const response = await fetch(this.config.webhookUrl, {
                     method: 'POST',
-                    headers: this.webhookHeaders,
-                    body: JSON.stringify(payload),
+                    headers: this.getWebhookHeaders(body),
+                    body,
                     signal: AbortSignal.timeout(10000), // 10s timeout
                 });
                 if (response.ok) {
@@ -140,10 +151,11 @@ export class FeedbackManager {
                     context: item.context,
                     submittedAt: item.submittedAt,
                 };
+                const body = JSON.stringify(payload);
                 const response = await fetch(this.config.webhookUrl, {
                     method: 'POST',
-                    headers: this.webhookHeaders,
-                    body: JSON.stringify(payload),
+                    headers: this.getWebhookHeaders(body),
+                    body,
                     signal: AbortSignal.timeout(10000),
                 });
                 if (response.ok) {

package/dist/core/SessionManager.js

@@ -127,20 +127,24 @@ export class SessionManager extends EventEmitter {
         if (this.tmuxSessionExists(tmuxSession)) {
             throw new Error(`tmux session "${tmuxSession}" already exists`);
         }
-        // Build Claude CLI arguments — no shell intermediary.
-        // tmux new-session executes the command directly (no bash -c needed)
-        // when given as separate arguments after the session options.
+        // Build Claude CLI arguments via bash wrapper.
+        // Must unset CLAUDECODE to prevent "cannot be launched inside another Claude Code session"
+        // error when instar itself runs inside Claude Code.
         const claudeArgs = ['--dangerously-skip-permissions'];
         if (options.model) {
             claudeArgs.push('--model', options.model);
         }
         claudeArgs.push('-p', options.prompt);
+        const claudeCmd = [this.config.claudePath, ...claudeArgs]
+            .map(a => a.replace(/'/g, "'\\''"))
+            .map(a => `'${a}'`)
+            .join(' ');
         try {
             execFileSync(this.config.tmuxPath, [
                 'new-session', '-d',
                 '-s', tmuxSession,
                 '-c', this.config.projectDir,
-                this.config.claudePath, ...claudeArgs,
+                'bash', '-c', `unset CLAUDECODE; exec ${claudeCmd}`,
             ], { encoding: 'utf-8' });
         }
         catch (err) {
@@ -371,11 +375,14 @@ export class SessionManager extends EventEmitter {
             ];
             if (options?.telegramTopicId) {
                 // Wrap in bash shell to export env var before Claude starts
+                // Also unset CLAUDECODE to prevent nested Claude Code errors
                 const claudeCmd = `${this.config.claudePath} --dangerously-skip-permissions`;
-                tmuxArgs.push('bash', '-c', `export INSTAR_TELEGRAM_TOPIC=${options.telegramTopicId} && exec ${claudeCmd}`);
+                tmuxArgs.push('bash', '-c', `unset CLAUDECODE; export INSTAR_TELEGRAM_TOPIC=${options.telegramTopicId} && exec ${claudeCmd}`);
             }
             else {
-                tmuxArgs.push(this.config.claudePath, '--dangerously-skip-permissions');
+                // Unset CLAUDECODE to prevent nested Claude Code errors
+                const claudeCmd = `${this.config.claudePath} --dangerously-skip-permissions`;
+                tmuxArgs.push('bash', '-c', `unset CLAUDECODE; exec ${claudeCmd}`);
             }
             execFileSync(this.config.tmuxPath, tmuxArgs, { encoding: 'utf-8' });
         }

package/dist/core/types.d.ts

@@ -388,6 +388,8 @@ export interface FeedbackConfig {
     feedbackFile: string;
     /** Instar version — sent in User-Agent and X-Instar-Version headers for endpoint auth */
     version?: string;
+    /** Shared secret for HMAC-SHA256 request signing. Generated during init. */
+    sharedSecret?: string;
 }
 export interface UpdateInfo {
     /** Currently installed version */

package/dist/scheduler/JobScheduler.js

@@ -406,6 +406,12 @@ export class JobScheduler {
         else {
             summary += '\n_No output captured (session already closed)_';
         }
+        // Skip Telegram notification for successful jobs with no meaningful output
+        // Prevents empty notification spam (e.g., dispatch-check when dispatch is unconfigured)
+        if (!failed && (!output || !output.trim())) {
+            console.log(`[scheduler] Skipping notification for ${job.slug} — no meaningful output`);
+            return;
+        }
         // Send to the job's dedicated topic if available, otherwise fall back to generic messenger
         if (this.telegram && job.topicId) {
             try {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "instar",
-  "version": "0.7.17",
+  "version": "0.7.18",
   "description": "Persistent autonomy infrastructure for AI agents",
   "type": "module",
   "main": "dist/index.js",