instar 0.7.25 → 0.7.27

package/dist/commands/init.js

@@ -1052,20 +1052,25 @@ function getDefaultJobs(port) {
             gate: `curl -sf http://localhost:${port}/health >/dev/null 2>&1`,
             execute: {
                 type: 'prompt',
-                value: `You are your own QA team. Scan for issues with your instar infrastructure and submit feedback for anything wrong. Check each area:
+                value: `You are your own QA team. Scan for issues with your instar infrastructure and submit feedback for anything wrong.
 
-1. **Server health**: curl -s http://localhost:${port}/health — is it responding? Are all fields present?
+FIRST: Read your auth token for API calls:
+AUTH=$(python3 -c "import json; print(json.load(open('.instar/config.json')).get('authToken',''))" 2>/dev/null)
+
+Then check each area:
+
+1. **Server health**: curl -s -H "Authorization: Bearer $AUTH" http://localhost:${port}/health — is it responding? Are all fields present? Is status "ok" or "degraded"?
 2. **State files**: Check .instar/state/ — are JSON files parseable? Any empty or corrupted? Try: for f in .instar/state/*.json; do python3 -c "import json; json.load(open('$f'))" 2>&1 || echo "CORRUPT: $f"; done
 3. **Hook files**: Do all hooks in .instar/hooks/ exist and have execute permissions? ls -la .instar/hooks/
-4. **Job execution**: curl -s http://localhost:${port}/jobs — are any jobs failing repeatedly? Check lastRun and lastError fields.
-5. **Quota**: curl -s http://localhost:${port}/quota — is usage approaching limits?
+4. **Job execution**: curl -s -H "Authorization: Bearer $AUTH" http://localhost:${port}/jobs — are any jobs failing repeatedly? Check lastRun and lastError fields.
+5. **Quota**: curl -s -H "Authorization: Bearer $AUTH" http://localhost:${port}/quota — is usage approaching limits?
 6. **Logs**: Check .instar/logs/server.log for recent errors: tail -50 .instar/logs/server.log | grep -i error
 7. **Settings coherence**: Are hooks in .claude/settings.json pointing to files that exist?
 8. **Design friction**: During your recent work, did anything feel unnecessarily difficult, confusing, or broken? Did you work around any issues?
 9. **CI health**: Check if the project has a GitHub repo and if CI is passing. Run: REPO=$(git remote get-url origin 2>/dev/null | sed 's/.*github.com[:/]//;s/.git$//'); if [ -n "$REPO" ]; then FAILURES=$(gh run list --repo "$REPO" --status failure --limit 3 --json databaseId,conclusion,headBranch,name,createdAt 2>/dev/null); if echo "$FAILURES" | python3 -c "import sys,json; runs=json.load(sys.stdin); exit(0 if runs else 1)" 2>/dev/null; then echo "CI FAILURES DETECTED in $REPO"; echo "$FAILURES"; echo ""; echo "FIX THESE NOW: Read the failure logs with 'gh run view RUN_ID --repo $REPO --log-failed', diagnose the issue, fix it, run tests locally, commit and push."; fi; fi
 
 For EACH issue found, submit feedback immediately:
-curl -s -X POST http://localhost:${port}/feedback -H 'Content-Type: application/json' -d '{"type":"bug","title":"TITLE","description":"FULL_CONTEXT"}'
+curl -s -X POST http://localhost:${port}/feedback -H "Authorization: Bearer $AUTH" -H 'Content-Type: application/json' -d '{"type":"bug","title":"TITLE","description":"FULL_CONTEXT"}'
 
 For improvements (not bugs), use type "improvement" instead.
 

package/dist/core/SessionManager.js

@@ -354,13 +354,15 @@ export class SessionManager extends EventEmitter {
             }
             return tmuxSession;
         }
-        // Interactive sessions get a reserved slot beyond maxSessions.
-        // Users should never be blocked from interacting with their agent because
-        // scheduled jobs filled all slots. Interactive gets maxSessions + 1.
+        // User-initiated sessions bypass the maxSessions limit entirely.
+        // The user should NEVER be blocked from interacting with their agent
+        // because scheduled jobs filled all slots. maxSessions only constrains
+        // autonomous/scheduled sessions, not human-initiated ones.
+        // Safety valve: still cap at maxSessions * 3 to prevent runaway sessions.
         const runningSessions = this.listRunningSessions();
-        const interactiveLimit = this.config.maxSessions + 1;
-        if (runningSessions.length >= interactiveLimit) {
-            throw new Error(`Max sessions (${interactiveLimit}, including interactive reserve) reached. ` +
+        const absoluteLimit = this.config.maxSessions * 3;
+        if (runningSessions.length >= absoluteLimit) {
+            throw new Error(`Absolute session limit (${absoluteLimit}) reached. ` +
                 `Running: ${runningSessions.map(s => s.name).join(', ')}`);
         }
         // Spawn Claude in tmux. When a Telegram topic triggered the session,

package/dist/core/types.d.ts

@@ -105,7 +105,7 @@ export interface JobExecution {
 export interface JobState {
     slug: string;
     lastRun?: string;
-    lastResult?: 'success' | 'failure' | 'timeout';
+    lastResult?: 'success' | 'failure' | 'timeout' | 'pending';
     /** Error message from the last failure (cleared on success) */
     lastError?: string;
     nextScheduled?: string;

package/dist/scaffold/templates.js

@@ -120,7 +120,7 @@ When Claude's context window fills up, it compresses prior messages. This can er
 \`\`\`
 I am ${agentName}. Session goal: [what I was working on].
 Core files: .instar/AGENT.md (identity), .instar/MEMORY.md (learnings), .instar/USER.md (user context).
-Server: curl http://localhost:${port}/health | Capabilities: curl http://localhost:${port}/capabilities
+Server: curl http://localhost:${port}/health | Capabilities: curl -H "Authorization: Bearer $AUTH" http://localhost:${port}/capabilities
 \`\`\`
 
 **What compaction erases**: Your name, your principles, what you were working on, who you work with. The compaction-recovery hook re-injects all of this. If it doesn't fire, read \`.instar/AGENT.md\` immediately.
@@ -138,6 +138,22 @@ This project uses instar for persistent agent capabilities. I am not a vanilla C
 - Server: \`instar server start\` (port ${port})
 - Health: \`curl http://localhost:${port}/health\`
 
+### API Authentication
+
+Most server endpoints require an auth token when \`authToken\` is configured in \`.instar/config.json\`. Read it once per session:
+
+\`\`\`bash
+AUTH=$(python3 -c "import json; print(json.load(open('.instar/config.json')).get('authToken',''))" 2>/dev/null)
+\`\`\`
+
+Then include in ALL API calls (except \`/health\`, which is public):
+
+\`\`\`bash
+curl -H "Authorization: Bearer $AUTH" http://localhost:${port}/jobs
+\`\`\`
+
+**Without this header, all endpoints return 401.** The \`telegram-reply.sh\` script reads auth automatically.
+
 ### Reporting Issues & Feedback (IMPORTANT — Read This First)
 
 **I have a built-in feedback system. I do NOT use GitHub, \`gh\`, or any external issue tracker.**
@@ -146,6 +162,7 @@ When something isn't working with instar, or the user wants a feature, I use my
 
 \`\`\`bash
 curl -X POST http://localhost:${port}/feedback \\
+  -H "Authorization: Bearer $AUTH" \\
   -H 'Content-Type: application/json' \\
   -d '{"type":"bug","title":"Short description","description":"Full details with context"}'
 \`\`\`
@@ -153,42 +170,42 @@ curl -X POST http://localhost:${port}/feedback \\
 This routes feedback to the Instar maintainers automatically. Valid types: \`bug\`, \`feature\`, \`improvement\`, \`question\`.
 
 **NEVER use \`gh issue\`, \`gh api\`, or GitHub CLI to file issues.** The feedback API is my channel. It stores a local receipt, forwards upstream, and tracks delivery. I can also:
-- View submitted feedback: \`curl http://localhost:${port}/feedback\`
-- Retry failed forwards: \`curl -X POST http://localhost:${port}/feedback/retry\`
+- View submitted feedback: \`curl -H "Authorization: Bearer $AUTH" http://localhost:${port}/feedback\`
+- Retry failed forwards: \`curl -X POST -H "Authorization: Bearer $AUTH" http://localhost:${port}/feedback/retry\`
 
 ### Capabilities
 
 **Feedback System** — Report bugs, request features, suggest improvements. All via \`POST /feedback\`.
 
 **Job Scheduler** — Run tasks on a schedule. Jobs in \`.instar/jobs.json\`.
-- View: \`curl http://localhost:${port}/jobs\`
-- Trigger: \`curl -X POST http://localhost:${port}/jobs/SLUG/trigger\`
+- View: \`curl -H "Authorization: Bearer $AUTH" http://localhost:${port}/jobs\`
+- Trigger: \`curl -X POST -H "Authorization: Bearer $AUTH" http://localhost:${port}/jobs/SLUG/trigger\`
 
 **Sessions** — Spawn and manage Claude Code sessions.
-- List: \`curl http://localhost:${port}/sessions\`
-- Spawn: \`curl -X POST http://localhost:${port}/sessions/spawn -d '{"name":"task","prompt":"do something"}'\`
+- List: \`curl -H "Authorization: Bearer $AUTH" http://localhost:${port}/sessions\`
+- Spawn: \`curl -X POST -H "Authorization: Bearer $AUTH" http://localhost:${port}/sessions/spawn -d '{"name":"task","prompt":"do something"}'\`
 
 **Relationships** — Track people I interact with.
-- List: \`curl http://localhost:${port}/relationships\`
+- List: \`curl -H "Authorization: Bearer $AUTH" http://localhost:${port}/relationships\`
 
 **Publishing** — Share content as PUBLIC web pages via Telegraph. Instant, zero-config, accessible from anywhere.
-- Publish: \`curl -X POST http://localhost:${port}/publish -H 'Content-Type: application/json' -d '{"title":"Page Title","markdown":"# Content here"}'\`
-- List published: \`curl http://localhost:${port}/published\`
-- Edit: \`curl -X PUT http://localhost:${port}/publish/PAGE_PATH -H 'Content-Type: application/json' -d '{"title":"Updated","markdown":"# New content"}'\`
+- Publish: \`curl -X POST -H "Authorization: Bearer $AUTH" http://localhost:${port}/publish -H 'Content-Type: application/json' -d '{"title":"Page Title","markdown":"# Content here"}'\`
+- List published: \`curl -H "Authorization: Bearer $AUTH" http://localhost:${port}/published\`
+- Edit: \`curl -X PUT -H "Authorization: Bearer $AUTH" http://localhost:${port}/publish/PAGE_PATH -H 'Content-Type: application/json' -d '{"title":"Updated","markdown":"# New content"}'\`
 
 **⚠ CRITICAL: All Telegraph pages are PUBLIC.** Anyone with the URL can view the content. There is no authentication or access control. NEVER publish sensitive, private, or confidential information through Telegraph. When sharing a link, always inform the user that the page is publicly accessible.
 
 **Private Viewing** — Render markdown as auth-gated HTML pages, accessible only through the agent's server (local or via tunnel).
-- Create: \`curl -X POST http://localhost:${port}/view -H 'Content-Type: application/json' -d '{"title":"Report","markdown":"# Private content"}'\`
+- Create: \`curl -X POST -H "Authorization: Bearer $AUTH" http://localhost:${port}/view -H 'Content-Type: application/json' -d '{"title":"Report","markdown":"# Private content"}'\`
 - View (HTML): Open \`http://localhost:${port}/view/VIEW_ID\` in a browser
-- List: \`curl http://localhost:${port}/views\`
-- Update: \`curl -X PUT http://localhost:${port}/view/VIEW_ID -H 'Content-Type: application/json' -d '{"title":"Updated","markdown":"# New content"}'\`
-- Delete: \`curl -X DELETE http://localhost:${port}/view/VIEW_ID\`
+- List: \`curl -H "Authorization: Bearer $AUTH" http://localhost:${port}/views\`
+- Update: \`curl -X PUT -H "Authorization: Bearer $AUTH" http://localhost:${port}/view/VIEW_ID -H 'Content-Type: application/json' -d '{"title":"Updated","markdown":"# New content"}'\`
+- Delete: \`curl -X DELETE -H "Authorization: Bearer $AUTH" http://localhost:${port}/view/VIEW_ID\`
 
 **Use private views for sensitive content. Use Telegraph for public content.**
 
 **Cloudflare Tunnel** — Expose the local server to the internet via Cloudflare. Enables remote access to private views, the API, and file serving.
-- Status: \`curl http://localhost:${port}/tunnel\`
+- Status: \`curl -H "Authorization: Bearer $AUTH" http://localhost:${port}/tunnel\`
 - Configure in \`.instar/config.json\`: \`{"tunnel": {"enabled": true, "type": "quick"}}\`
 - Quick tunnels (default): Zero-config, ephemeral URL (*.trycloudflare.com), no account needed
 - Named tunnels: Persistent custom domain, requires token from Cloudflare dashboard
@@ -254,7 +271,7 @@ When fetching content from ANY URL, always try the most efficient method first:
 Before EVER saying "I don't have", "I can't", or "this isn't available" — check what actually exists:
 
 \`\`\`bash
-curl http://localhost:${port}/capabilities
+curl -H "Authorization: Bearer $AUTH" http://localhost:${port}/capabilities
 \`\`\`
 
 This returns your full capability matrix: scripts, hooks, Telegram status, jobs, relationships, and more. It is the source of truth about what you can do. **Never hallucinate about missing capabilities — verify first.**
@@ -267,11 +284,11 @@ I maintain registries that are the source of truth for specific categories. Thes
 
 | Question | Check First |
 |----------|-------------|
-| What can I do? | \`curl http://localhost:${port}/capabilities\` |
+| What can I do? | \`curl -H "Authorization: Bearer $AUTH" http://localhost:${port}/capabilities\` |
 | Who do I work with? | \`.instar/USER.md\` |
 | What have I learned? | \`.instar/MEMORY.md\` |
-| What jobs do I have? | \`.instar/jobs.json\` or \`curl http://localhost:${port}/jobs\` |
-| Who have I interacted with? | \`curl http://localhost:${port}/relationships\` |
+| What jobs do I have? | \`.instar/jobs.json\` or \`curl -H "Authorization: Bearer $AUTH" http://localhost:${port}/jobs\` |
+| Who have I interacted with? | \`curl -H "Authorization: Bearer $AUTH" http://localhost:${port}/relationships\` |
 | My configuration? | \`.instar/config.json\` |
 | My identity/principles? | \`.instar/AGENT.md\` |
 | Project architecture? | This file (CLAUDE.md), then project docs |
@@ -375,6 +392,7 @@ These are patterns that feel like insight or helpfulness but actually perpetuate
 **When you detect an issue, report it immediately:**
 \`\`\`bash
 curl -s -X POST http://localhost:${port}/feedback \\
+  -H "Authorization: Bearer $AUTH" \\
   -H 'Content-Type: application/json' \\
   -d '{"type":"bug","title":"CONCISE_TITLE","description":"FULL_CONTEXT_WITH_ERROR_MESSAGES"}'
 \`\`\`
@@ -420,6 +438,7 @@ After building something significant for your user, ask yourself: *"Would other
 
 \`\`\`bash
 curl -s -X POST http://localhost:${port}/feedback \\
+  -H "Authorization: Bearer $AUTH" \\
   -H 'Content-Type: application/json' \\
   -d '{
     "type": "improvement",
@@ -442,27 +461,27 @@ If any answer is yes → submit feedback. Let Dawn decide whether to upstream it
 You have a built-in evolution system with four subsystems. This is not a metaphor — it's infrastructure that tracks your growth.
 
 **Evolution Queue** — Staged self-improvement proposals.
-- View: \`curl http://localhost:${port}/evolution/proposals\`
+- View: \`curl -H "Authorization: Bearer $AUTH" http://localhost:${port}/evolution/proposals\`
 - Propose: \`/evolve\` skill or \`POST /evolution/proposals\`
 - The \`evolution-review\` job evaluates and implements proposals every 6 hours.
 
 **Learning Registry** — Structured, searchable insights.
-- View: \`curl http://localhost:${port}/evolution/learnings\`
+- View: \`curl -H "Authorization: Bearer $AUTH" http://localhost:${port}/evolution/learnings\`
 - Record: \`/learn\` skill or \`POST /evolution/learnings\`
 - The \`insight-harvest\` job synthesizes patterns into proposals every 8 hours.
 
 **Capability Gaps** — Track what you're missing.
-- View: \`curl http://localhost:${port}/evolution/gaps\`
+- View: \`curl -H "Authorization: Bearer $AUTH" http://localhost:${port}/evolution/gaps\`
 - Report: \`/gaps\` skill or \`POST /evolution/gaps\`
 
 **Action Queue** — Commitments with follow-through tracking.
-- View: \`curl http://localhost:${port}/evolution/actions\`
+- View: \`curl -H "Authorization: Bearer $AUTH" http://localhost:${port}/evolution/actions\`
 - Create: \`/commit-action\` skill or \`POST /evolution/actions\`
 - The \`commitment-check\` job surfaces overdue items every 4 hours.
 
 **Dashboard** — Full evolution health at a glance:
 \`\`\`bash
-curl http://localhost:${port}/evolution
+curl -H "Authorization: Bearer $AUTH" http://localhost:${port}/evolution
 \`\`\`
 
 **Skills for evolution:**

package/dist/scheduler/JobScheduler.js

@@ -54,6 +54,14 @@ export class JobScheduler {
      */
     setTelegram(adapter) {
         this.telegram = adapter;
+        // If scheduler already started, ensure job topics now that Telegram is available.
+        // This fixes the startup race condition where start() runs before Telegram connects.
+        if (this.running && this.jobs.length > 0) {
+            const enabledJobs = this.jobs.filter(j => j.enabled);
+            this.ensureJobTopics(enabledJobs).catch(err => {
+                console.error(`[scheduler] Failed to ensure job topics (post-Telegram init): ${err}`);
+            });
+        }
     }
     /**
      * Set the quota tracker for session death classification.
@@ -261,10 +269,11 @@ export class JobScheduler {
             triggeredBy: `scheduler:${reason}`,
             maxDurationMinutes: job.expectedDurationMinutes,
         }).then(() => {
-            // Update job state on successful spawn (clear error)
+            // Update job state on successful spawn (clear error, set pending result)
             const jobState = {
                 slug: job.slug,
                 lastRun: new Date().toISOString(),
+                lastResult: 'pending',
                 lastError: undefined,
                 consecutiveFailures: 0,
                 nextScheduled: this.getNextRun(job.slug),

package/dist/server/routes.js

@@ -19,8 +19,22 @@ export function createRoutes(ctx) {
     // ── Health ──────────────────────────────────────────────────────
     router.get('/health', (req, res) => {
         const uptimeMs = Date.now() - ctx.startTime.getTime();
+        // Determine if anything is degraded
+        const sessions = ctx.sessionManager.listRunningSessions();
+        const maxSessions = ctx.config.sessions?.maxSessions ?? 3;
+        const sessionExhausted = sessions.length >= maxSessions;
+        let totalFailures = 0;
+        if (ctx.scheduler) {
+            const jobs = ctx.scheduler.getJobs();
+            for (const j of jobs) {
+                const st = ctx.state.getJobState(j.slug);
+                if (st)
+                    totalFailures += st.consecutiveFailures;
+            }
+        }
+        const isDegraded = sessionExhausted || totalFailures >= 5;
         const base = {
-            status: 'ok',
+            status: isDegraded ? 'degraded' : 'ok',
             uptime: uptimeMs,
             uptimeHuman: formatUptime(uptimeMs),
         };
@@ -39,6 +53,9 @@ export function createRoutes(ctx) {
         if (isAuthed) {
             const mem = process.memoryUsage();
             base.version = ctx.config.version || '0.0.0';
+            base.sessions = { current: sessions.length, max: maxSessions };
+            base.schedulerRunning = ctx.scheduler !== null;
+            base.consecutiveJobFailures = totalFailures;
             base.project = ctx.config.projectName;
             base.node = process.version;
             base.memory = {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "instar",
-  "version": "0.7.25",
+  "version": "0.7.27",
   "description": "Persistent autonomy infrastructure for AI agents",
   "type": "module",
   "main": "dist/index.js",