instar 1.2.56 → 1.2.58
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.claude/skills/autonomous/SKILL.md +11 -2
- package/.claude/skills/autonomous/hooks/autonomous-stop-hook.sh +42 -2
- package/.claude/skills/autonomous/scripts/setup-autonomous.sh +6 -0
- package/dist/commands/server.d.ts.map +1 -1
- package/dist/commands/server.js +31 -2
- package/dist/commands/server.js.map +1 -1
- package/dist/core/CompletionEvaluator.d.ts +46 -0
- package/dist/core/CompletionEvaluator.d.ts.map +1 -0
- package/dist/core/CompletionEvaluator.js +86 -0
- package/dist/core/CompletionEvaluator.js.map +1 -0
- package/dist/core/PostUpdateMigrator.d.ts.map +1 -1
- package/dist/core/PostUpdateMigrator.js +5 -3
- package/dist/core/PostUpdateMigrator.js.map +1 -1
- package/dist/core/SessionManager.d.ts +6 -0
- package/dist/core/SessionManager.d.ts.map +1 -1
- package/dist/core/SessionManager.js +10 -0
- package/dist/core/SessionManager.js.map +1 -1
- package/dist/core/frameworkSessionLaunch.d.ts +34 -3
- package/dist/core/frameworkSessionLaunch.d.ts.map +1 -1
- package/dist/core/frameworkSessionLaunch.js +42 -3
- package/dist/core/frameworkSessionLaunch.js.map +1 -1
- package/dist/core/types.d.ts +12 -0
- package/dist/core/types.d.ts.map +1 -1
- package/dist/core/types.js.map +1 -1
- package/dist/server/AgentServer.d.ts +1 -0
- package/dist/server/AgentServer.d.ts.map +1 -1
- package/dist/server/AgentServer.js +1 -0
- package/dist/server/AgentServer.js.map +1 -1
- package/dist/server/CapabilityIndex.d.ts.map +1 -1
- package/dist/server/CapabilityIndex.js +1 -0
- package/dist/server/CapabilityIndex.js.map +1 -1
- package/dist/server/routes.d.ts +2 -0
- package/dist/server/routes.d.ts.map +1 -1
- package/dist/server/routes.js +21 -0
- package/dist/server/routes.js.map +1 -1
- package/dist/threadline/PipeSessionSpawner.d.ts +10 -0
- package/dist/threadline/PipeSessionSpawner.d.ts.map +1 -1
- package/dist/threadline/PipeSessionSpawner.js +6 -0
- package/dist/threadline/PipeSessionSpawner.js.map +1 -1
- package/dist/threadline/ThreadlineBootstrap.d.ts.map +1 -1
- package/dist/threadline/ThreadlineBootstrap.js +5 -16
- package/dist/threadline/ThreadlineBootstrap.js.map +1 -1
- package/dist/threadline/mcpEntry.d.ts +25 -0
- package/dist/threadline/mcpEntry.d.ts.map +1 -0
- package/dist/threadline/mcpEntry.js +38 -0
- package/dist/threadline/mcpEntry.js.map +1 -0
- package/package.json +1 -1
- package/src/data/builtin-manifest.json +64 -64
- package/upgrades/1.2.57.md +64 -0
- package/upgrades/1.2.58.md +77 -0
- package/upgrades/side-effects/codex-multiagent-threadline.md +69 -0
- package/upgrades/side-effects/goal-completion-evaluator.md +69 -0
|
@@ -0,0 +1,77 @@
|
|
|
1
|
+
# Instar Upgrade Guide — vNEXT (Codex agents can reply over Threadline)
|
|
2
|
+
|
|
3
|
+
<!-- bump: patch -->
|
|
4
|
+
|
|
5
|
+
## What Changed
|
|
6
|
+
|
|
7
|
+
Codex-framework instar agents couldn't *reply* to Threadline messages — they
|
|
8
|
+
received fine, but every reply silently failed. Two framework-integration bugs,
|
|
9
|
+
both fixed.
|
|
10
|
+
|
|
11
|
+
### Fix A — reply workers can now use MCP tools (targeted)
|
|
12
|
+
|
|
13
|
+
When a Threadline message arrives, instar spawns a one-shot worker prompted to
|
|
14
|
+
reply via the `threadline_send` MCP tool. For Codex, instar launched that worker
|
|
15
|
+
under `-s workspace-write`, where `codex exec` defaults its approval policy to
|
|
16
|
+
`never` — and `never` *cancels* MCP tool calls (`"user cancelled MCP tool
|
|
17
|
+
call"`) AND the sandbox blocks the MCP server's localhost transport. So the
|
|
18
|
+
worker called the tool correctly and the call was killed every time.
|
|
19
|
+
|
|
20
|
+
Verified on codex 0.133 that there is **no** sandboxed mode that permits the MCP
|
|
21
|
+
call — only `--dangerously-bypass-approvals-and-sandbox` works. So the headless
|
|
22
|
+
launch now selects in tiers: explicit sandbox mode → that mode; Threadline
|
|
23
|
+
**reply** workers (`codexAllowMcpTools`) → full bypass (the only mode that lets
|
|
24
|
+
them send); everything else, including scheduled **jobs** → `-s workspace-write`
|
|
25
|
+
unchanged. Jobs stay sandboxed; only reply workers take the bypass.
|
|
26
|
+
|
|
27
|
+
### Fix B — each agent uses its own threadline MCP (no shared-config collision)
|
|
28
|
+
|
|
29
|
+
Every Codex agent registered `[mcp_servers."threadline"]` into the SHARED
|
|
30
|
+
`~/.codex/config.toml` with its own identity baked in — last-writer-wins, so on a
|
|
31
|
+
machine with several Codex agents, all but the last-booted one would reply using
|
|
32
|
+
the WRONG agent's threadline identity. New single-source-of-truth resolver
|
|
33
|
+
(`src/threadline/mcpEntry.ts`) + a per-spawn `-c mcp_servers.threadline.*`
|
|
34
|
+
override pin each agent's codex session to ITS OWN threadline MCP, regardless of
|
|
35
|
+
the shared file. Both reply paths (full-session and the lightweight "pipe" path)
|
|
36
|
+
are wired.
|
|
37
|
+
|
|
38
|
+
## What to Tell Your User
|
|
39
|
+
|
|
40
|
+
If you run a Codex-based agent, it can now actually answer messages other agents
|
|
41
|
+
send it over Threadline — before, it could hear but not reply. And on a machine
|
|
42
|
+
running several Codex agents, each now replies as itself instead of accidentally
|
|
43
|
+
borrowing whichever agent started last. Scheduled background jobs stay sandboxed
|
|
44
|
+
as before; only the reply step runs with the access it needs to send. No action
|
|
45
|
+
needed.
|
|
46
|
+
|
|
47
|
+
## Summary of New Capabilities
|
|
48
|
+
|
|
49
|
+
- **Codex agents reply over Threadline** — reply workers launch in the one mode
|
|
50
|
+
that permits the `threadline_send` MCP call; scheduled jobs stay sandboxed.
|
|
51
|
+
- **Per-agent codex threadline MCP** — a per-spawn `-c` override + shared
|
|
52
|
+
resolver (`resolveThreadlineMcpEntry`) end the shared `~/.codex/config.toml`
|
|
53
|
+
last-writer-wins collision; both reply paths covered.
|
|
54
|
+
|
|
55
|
+
## Evidence
|
|
56
|
+
|
|
57
|
+
- **Reproduced + fixed (mechanism):** a `codex exec --dangerously-bypass-
|
|
58
|
+
approvals-and-sandbox` run completed a real `threadline_send` call
|
|
59
|
+
(codey→echo, reply received); under `-s workspace-write`/`--full-auto` the same
|
|
60
|
+
call was cancelled / the tool was unavailable. The collision was observed live
|
|
61
|
+
(shared config pointed at `inspec` while `instar-codey` was running).
|
|
62
|
+
- **Unit:** `frameworkSessionLaunch.test.ts` (workspace-write job default;
|
|
63
|
+
`codexAllowMcpTools`→bypass; explicit sandbox wins; `-c` override emission +
|
|
64
|
+
JSON validity), `threadline-mcp-entry.test.ts` (resolver). 75-test sweep green.
|
|
65
|
+
- **Convergence:** two-reviewer pass (correctness + adversarial) →
|
|
66
|
+
docs/specs/reports/codex-multiagent-threadline-convergence.md. The adversarial
|
|
67
|
+
reviewer caught the job-sandbox regression and the second reply path; both
|
|
68
|
+
resolved before merge.
|
|
69
|
+
- Full deployed round-trip with a Codex agent is the post-merge Tier-3 check.
|
|
70
|
+
|
|
71
|
+
## Rollback
|
|
72
|
+
|
|
73
|
+
Code-only, no migration or state changes. Revert
|
|
74
|
+
`src/core/frameworkSessionLaunch.ts`, `src/threadline/mcpEntry.ts`, the
|
|
75
|
+
`ThreadlineBootstrap` refactor, and the `server.ts`/`SessionManager`/`types.ts`/
|
|
76
|
+
`PipeSessionSpawner` wiring. The shared-config registration is untouched, so a
|
|
77
|
+
revert cannot strand `~/.codex` or `.instar` state.
|
|
@@ -0,0 +1,69 @@
|
|
|
1
|
+
# Side-Effects Review — Codex Multi-Agent Threadline Robustness
|
|
2
|
+
|
|
3
|
+
Spec: docs/specs/CODEX-MULTIAGENT-THREADLINE-SPEC.md (approved, converged)
|
|
4
|
+
Change: let Codex-framework agents reply to Threadline messages — (A) targeted
|
|
5
|
+
MCP-permitting launch for reply workers, (B) per-agent threadline MCP override,
|
|
6
|
+
(C) wire both reply paths.
|
|
7
|
+
|
|
8
|
+
## 1. Over-block — what legitimate inputs does this reject that it shouldn't?
|
|
9
|
+
|
|
10
|
+
None new. The launch-profile selector is additive: jobs keep `-s
|
|
11
|
+
workspace-write` (unchanged); reply workers add bypass; explicit
|
|
12
|
+
`codexSandboxMode` still wins. The `-c` MCP override only ever points codex at
|
|
13
|
+
THIS agent's own threadline entry — it cannot reject anything.
|
|
14
|
+
|
|
15
|
+
## 2. Under-block — what failure modes does this still miss?
|
|
16
|
+
|
|
17
|
+
- Codex agents without threadline configured: no override emitted (correct — no
|
|
18
|
+
threadline to reply through). Not a miss.
|
|
19
|
+
- The reply worker still depends on the deployed relay / local delivery being
|
|
20
|
+
reachable — out of scope here (transport already works).
|
|
21
|
+
- A future THIRD reply path that calls `buildHeadlessLaunch` directly would need
|
|
22
|
+
the same two flags. Mitigated by routing all reply spawns through the two
|
|
23
|
+
known paths; documented in the spec.
|
|
24
|
+
|
|
25
|
+
## 3. Level-of-abstraction fit
|
|
26
|
+
|
|
27
|
+
Correct layer. The launch-profile + MCP-override are properties of HOW a codex
|
|
28
|
+
session is launched → they belong in `frameworkSessionLaunch` (the builder) with
|
|
29
|
+
the data computed once at boot in `server.ts`. The single-source-of-truth
|
|
30
|
+
resolver (`mcpEntry.ts`) is shared with `ThreadlineBootstrap` so registration and
|
|
31
|
+
per-spawn override cannot drift.
|
|
32
|
+
|
|
33
|
+
## 4. Signal vs authority compliance
|
|
34
|
+
|
|
35
|
+
Compliant. No blocking authority added. The selectors (`codexAllowMcpTools`,
|
|
36
|
+
`codexThreadlineMcp`, `config.threadline`-present) are capability/launch choices,
|
|
37
|
+
not gates that block information flow. See docs/signal-vs-authority.md.
|
|
38
|
+
|
|
39
|
+
## 5. Interactions
|
|
40
|
+
|
|
41
|
+
- Fix A ↔ Fix B: independent (sandbox profile vs MCP entry); both emitted in the
|
|
42
|
+
same codex argv, no conflict.
|
|
43
|
+
- Fix B ↔ existing shared-config registration: intentional — `-c` wins per spawn;
|
|
44
|
+
the shared `~/.codex/config.toml` entry stays (Claude parity / discovery) but
|
|
45
|
+
is non-authoritative for codex spawns. No double-fire (one MCP server named
|
|
46
|
+
"threadline" results).
|
|
47
|
+
- Jobs/dispatch (routes.ts generic spawn, JobScheduler): do NOT set
|
|
48
|
+
`codexAllowMcpTools` → unchanged (`workspace-write`). No shadowing.
|
|
49
|
+
- ThreadlineBootstrap refactor is behavior-preserving (`resolveThreadlineMcpEntry`
|
|
50
|
+
returns the identical `{command,args}`; `absDir` still declared for downstream
|
|
51
|
+
~/.claude.json registration).
|
|
52
|
+
|
|
53
|
+
## 6. External surfaces
|
|
54
|
+
|
|
55
|
+
- Other agents: a codex agent can now actually reply over Threadline — net new
|
|
56
|
+
outbound it previously couldn't send. Bounded by the trust gate (replies only
|
|
57
|
+
to trusted peers, who already messaged it).
|
|
58
|
+
- Security posture: codex reply workers run unsandboxed (full bypass) — the only
|
|
59
|
+
mode that permits the MCP call (verified, finding 2). Scheduled jobs remain
|
|
60
|
+
sandboxed. Operator signed off (topic 12304).
|
|
61
|
+
- Timing/runtime: none introduced; the override is computed once at boot.
|
|
62
|
+
|
|
63
|
+
## 7. Rollback cost
|
|
64
|
+
|
|
65
|
+
Code-only, no migration/state. Revert `frameworkSessionLaunch.ts`, `mcpEntry.ts`,
|
|
66
|
+
`ThreadlineBootstrap` refactor, `server.ts`/`SessionManager`/`types.ts`/
|
|
67
|
+
`PipeSessionSpawner` wiring. The shared-config registration is untouched, so a
|
|
68
|
+
revert cannot strand `~/.codex` or `.instar` state. Existing agents pick up the
|
|
69
|
+
launch fix on normal update (no config rewrite).
|
|
@@ -0,0 +1,69 @@
|
|
|
1
|
+
# Side-Effects Review — autonomous completion evaluator (independent /goal-style judge)
|
|
2
|
+
|
|
3
|
+
**Version / slug:** `goal-completion-evaluator`
|
|
4
|
+
**Date:** 2026-05-24
|
|
5
|
+
**Author:** echo
|
|
6
|
+
**Second-pass reviewer:** internal conformance pass
|
|
7
|
+
|
|
8
|
+
## Summary of the change
|
|
9
|
+
|
|
10
|
+
Replaces the autonomous stop-hook's self-declared `<promise>` completion check (agent grades
|
|
11
|
+
itself) with an **independent** judgment: when a verifiable `completion_condition` is set, a
|
|
12
|
+
small/fast model judges each turn whether it's met against what the agent surfaced (same
|
|
13
|
+
contract as the framework `/goal`). Phase 1 of `docs/specs/goal-completion-evaluator.md`. The
|
|
14
|
+
self-declared promise remains as a legacy fallback. `src/` touched: `CompletionEvaluator.ts`
|
|
15
|
+
(new), `routes.ts` (+RouteContext field + `/autonomous/evaluate-completion`), `AgentServer.ts`
|
|
16
|
+
(thread-through), `commands/server.ts` (construct from sharedIntelligence), `CapabilityIndex.ts`
|
|
17
|
+
(endpoint), `PostUpdateMigrator.ts` (marker bump). Non-src: the hook, setup script, SKILL.md, tests.
|
|
18
|
+
|
|
19
|
+
## Decision-point inventory
|
|
20
|
+
|
|
21
|
+
- `CompletionEvaluator.evaluate` — **add**: the loop's continue/stop authority. Judges
|
|
22
|
+
condition vs transcript; returns met/reason. The one new decision point.
|
|
23
|
+
- `autonomous-stop-hook.sh` — **modify**: when a condition is set, ask the evaluator instead of
|
|
24
|
+
trusting the promise; promise path demoted to fallback; fail-safe on unreachable.
|
|
25
|
+
- `setup-autonomous.sh` — **modify**: `--completion-condition` flag + state field. (`.claude/`.)
|
|
26
|
+
- `POST /autonomous/evaluate-completion` — **add**: thin route over CompletionEvaluator.
|
|
27
|
+
- `PostUpdateMigrator` marker — **modify**: bumped so prior installs upgrade.
|
|
28
|
+
|
|
29
|
+
## 1. Over-block (trapping a session that should exit)
|
|
30
|
+
- The evaluator returns met:true only on an explicit MET verdict; on met:true the run exits.
|
|
31
|
+
Over-block would mean never confirming a truly-met condition. Mitigated by a well-formed
|
|
32
|
+
condition + the reason-feedback loop. Same risk class `/goal` accepts.
|
|
33
|
+
|
|
34
|
+
## 2. Under-block (false "done" / premature exit) — the critical direction
|
|
35
|
+
- The evaluator **fails safe to met:false** on empty/ambiguous/error/unreachable — it can never
|
|
36
|
+
emit a false "done" from a failure. Tested (unit: empty/ambiguous/throw; hook: unreachable →
|
|
37
|
+
keep working). Server-down does NOT premature-exit. This is the strongest safety property.
|
|
38
|
+
|
|
39
|
+
## 3. Level-of-abstraction fit
|
|
40
|
+
- Correct. CompletionEvaluator mirrors existing IntelligenceProvider-backed evaluators
|
|
41
|
+
(DiscoveryEvaluator, CoherenceReviewer); reuses sharedIntelligence + LlmQueue spend cap.
|
|
42
|
+
|
|
43
|
+
## 4. Blocking authority
|
|
44
|
+
- [x] The evaluator IS the autonomous loop's continue/stop authority — appropriate, because it
|
|
45
|
+
is a **full-context model judgment** (condition + transcript), exactly like `/goal`, not a
|
|
46
|
+
brittle low-context filter. It only gates the autonomous loop, nothing else.
|
|
47
|
+
|
|
48
|
+
## 5. Interactions
|
|
49
|
+
- **Legacy promise:** preserved as fallback; runs with no condition behave exactly as before.
|
|
50
|
+
- **Multi-session:** per-topic; the evaluator reads/clears the same per-topic state file.
|
|
51
|
+
- **Cost:** one small/fast call per turn (matches `/goal`) — bounded by the LlmQueue daily cap.
|
|
52
|
+
- **Restart/recovery/duration/emergency-stop:** unchanged; the condition check sits in the
|
|
53
|
+
terminal-checks block alongside them.
|
|
54
|
+
|
|
55
|
+
## 6. External surfaces
|
|
56
|
+
- **HTTP:** one new authed route `POST /autonomous/evaluate-completion` (under the already-claimed
|
|
57
|
+
`/autonomous` capability prefix). The hook calls it best-effort (port+auth from config); failure
|
|
58
|
+
is swallowed → keep working.
|
|
59
|
+
- **LLM:** one small/fast `IntelligenceProvider.evaluate` per turn, attributed `CompletionEvaluator`,
|
|
60
|
+
spend-capped. No new external credential.
|
|
61
|
+
|
|
62
|
+
## 7. Rollback cost
|
|
63
|
+
- Low. Reverting restores the promise-only path; the migration marker is content-sniffed (a
|
|
64
|
+
rollback re-ships the prior hook, which lacks the new marker, and re-deploys cleanly). A
|
|
65
|
+
`completion_condition` left in a state file is simply ignored by an older hook.
|
|
66
|
+
|
|
67
|
+
## 8. Test evidence
|
|
68
|
+
- 7 unit (CompletionEvaluator incl. fail-safe), 8 integration (incl. 3 evaluate-completion route),
|
|
69
|
+
4 hook behavioral (met/not-met/unreachable-fail-safe/legacy). tsc clean; 61 affected tests green.
|