instar 1.2.56 → 1.2.58

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (52) hide show
  1. package/.claude/skills/autonomous/SKILL.md +11 -2
  2. package/.claude/skills/autonomous/hooks/autonomous-stop-hook.sh +42 -2
  3. package/.claude/skills/autonomous/scripts/setup-autonomous.sh +6 -0
  4. package/dist/commands/server.d.ts.map +1 -1
  5. package/dist/commands/server.js +31 -2
  6. package/dist/commands/server.js.map +1 -1
  7. package/dist/core/CompletionEvaluator.d.ts +46 -0
  8. package/dist/core/CompletionEvaluator.d.ts.map +1 -0
  9. package/dist/core/CompletionEvaluator.js +86 -0
  10. package/dist/core/CompletionEvaluator.js.map +1 -0
  11. package/dist/core/PostUpdateMigrator.d.ts.map +1 -1
  12. package/dist/core/PostUpdateMigrator.js +5 -3
  13. package/dist/core/PostUpdateMigrator.js.map +1 -1
  14. package/dist/core/SessionManager.d.ts +6 -0
  15. package/dist/core/SessionManager.d.ts.map +1 -1
  16. package/dist/core/SessionManager.js +10 -0
  17. package/dist/core/SessionManager.js.map +1 -1
  18. package/dist/core/frameworkSessionLaunch.d.ts +34 -3
  19. package/dist/core/frameworkSessionLaunch.d.ts.map +1 -1
  20. package/dist/core/frameworkSessionLaunch.js +42 -3
  21. package/dist/core/frameworkSessionLaunch.js.map +1 -1
  22. package/dist/core/types.d.ts +12 -0
  23. package/dist/core/types.d.ts.map +1 -1
  24. package/dist/core/types.js.map +1 -1
  25. package/dist/server/AgentServer.d.ts +1 -0
  26. package/dist/server/AgentServer.d.ts.map +1 -1
  27. package/dist/server/AgentServer.js +1 -0
  28. package/dist/server/AgentServer.js.map +1 -1
  29. package/dist/server/CapabilityIndex.d.ts.map +1 -1
  30. package/dist/server/CapabilityIndex.js +1 -0
  31. package/dist/server/CapabilityIndex.js.map +1 -1
  32. package/dist/server/routes.d.ts +2 -0
  33. package/dist/server/routes.d.ts.map +1 -1
  34. package/dist/server/routes.js +21 -0
  35. package/dist/server/routes.js.map +1 -1
  36. package/dist/threadline/PipeSessionSpawner.d.ts +10 -0
  37. package/dist/threadline/PipeSessionSpawner.d.ts.map +1 -1
  38. package/dist/threadline/PipeSessionSpawner.js +6 -0
  39. package/dist/threadline/PipeSessionSpawner.js.map +1 -1
  40. package/dist/threadline/ThreadlineBootstrap.d.ts.map +1 -1
  41. package/dist/threadline/ThreadlineBootstrap.js +5 -16
  42. package/dist/threadline/ThreadlineBootstrap.js.map +1 -1
  43. package/dist/threadline/mcpEntry.d.ts +25 -0
  44. package/dist/threadline/mcpEntry.d.ts.map +1 -0
  45. package/dist/threadline/mcpEntry.js +38 -0
  46. package/dist/threadline/mcpEntry.js.map +1 -0
  47. package/package.json +1 -1
  48. package/src/data/builtin-manifest.json +64 -64
  49. package/upgrades/1.2.57.md +64 -0
  50. package/upgrades/1.2.58.md +77 -0
  51. package/upgrades/side-effects/codex-multiagent-threadline.md +69 -0
  52. package/upgrades/side-effects/goal-completion-evaluator.md +69 -0
@@ -0,0 +1,77 @@
1
+ # Instar Upgrade Guide — vNEXT (Codex agents can reply over Threadline)
2
+
3
+ <!-- bump: patch -->
4
+
5
+ ## What Changed
6
+
7
+ Codex-framework instar agents couldn't *reply* to Threadline messages — they
8
+ received fine, but every reply silently failed. Two framework-integration bugs,
9
+ both fixed.
10
+
11
+ ### Fix A — reply workers can now use MCP tools (targeted)
12
+
13
+ When a Threadline message arrives, instar spawns a one-shot worker prompted to
14
+ reply via the `threadline_send` MCP tool. For Codex, instar launched that worker
15
+ under `-s workspace-write`, where `codex exec` defaults its approval policy to
16
+ `never` — and `never` *cancels* MCP tool calls (`"user cancelled MCP tool
17
+ call"`) AND the sandbox blocks the MCP server's localhost transport. So the
18
+ worker called the tool correctly and the call was killed every time.
19
+
20
+ Verified on codex 0.133 that there is **no** sandboxed mode that permits the MCP
21
+ call — only `--dangerously-bypass-approvals-and-sandbox` works. So the headless
22
+ launch now selects in tiers: explicit sandbox mode → that mode; Threadline
23
+ **reply** workers (`codexAllowMcpTools`) → full bypass (the only mode that lets
24
+ them send); everything else, including scheduled **jobs** → `-s workspace-write`
25
+ unchanged. Jobs stay sandboxed; only reply workers take the bypass.
26
+
27
+ ### Fix B — each agent uses its own threadline MCP (no shared-config collision)
28
+
29
+ Every Codex agent registered `[mcp_servers."threadline"]` into the SHARED
30
+ `~/.codex/config.toml` with its own identity baked in — last-writer-wins, so on a
31
+ machine with several Codex agents, all but the last-booted one would reply using
32
+ the WRONG agent's threadline identity. New single-source-of-truth resolver
33
+ (`src/threadline/mcpEntry.ts`) + a per-spawn `-c mcp_servers.threadline.*`
34
+ override pin each agent's codex session to ITS OWN threadline MCP, regardless of
35
+ the shared file. Both reply paths (full-session and the lightweight "pipe" path)
36
+ are wired.
37
+
38
+ ## What to Tell Your User
39
+
40
+ If you run a Codex-based agent, it can now actually answer messages other agents
41
+ send it over Threadline — before, it could hear but not reply. And on a machine
42
+ running several Codex agents, each now replies as itself instead of accidentally
43
+ borrowing whichever agent started last. Scheduled background jobs stay sandboxed
44
+ as before; only the reply step runs with the access it needs to send. No action
45
+ needed.
46
+
47
+ ## Summary of New Capabilities
48
+
49
+ - **Codex agents reply over Threadline** — reply workers launch in the one mode
50
+ that permits the `threadline_send` MCP call; scheduled jobs stay sandboxed.
51
+ - **Per-agent codex threadline MCP** — a per-spawn `-c` override + shared
52
+ resolver (`resolveThreadlineMcpEntry`) end the shared `~/.codex/config.toml`
53
+ last-writer-wins collision; both reply paths covered.
54
+
55
+ ## Evidence
56
+
57
+ - **Reproduced + fixed (mechanism):** a `codex exec --dangerously-bypass-
58
+ approvals-and-sandbox` run completed a real `threadline_send` call
59
+ (codey→echo, reply received); under `-s workspace-write`/`--full-auto` the same
60
+ call was cancelled / the tool was unavailable. The collision was observed live
61
+ (shared config pointed at `inspec` while `instar-codey` was running).
62
+ - **Unit:** `frameworkSessionLaunch.test.ts` (workspace-write job default;
63
+ `codexAllowMcpTools`→bypass; explicit sandbox wins; `-c` override emission +
64
+ JSON validity), `threadline-mcp-entry.test.ts` (resolver). 75-test sweep green.
65
+ - **Convergence:** two-reviewer pass (correctness + adversarial) →
66
+ docs/specs/reports/codex-multiagent-threadline-convergence.md. The adversarial
67
+ reviewer caught the job-sandbox regression and the second reply path; both
68
+ resolved before merge.
69
+ - Full deployed round-trip with a Codex agent is the post-merge Tier-3 check.
70
+
71
+ ## Rollback
72
+
73
+ Code-only, no migration or state changes. Revert
74
+ `src/core/frameworkSessionLaunch.ts`, `src/threadline/mcpEntry.ts`, the
75
+ `ThreadlineBootstrap` refactor, and the `server.ts`/`SessionManager`/`types.ts`/
76
+ `PipeSessionSpawner` wiring. The shared-config registration is untouched, so a
77
+ revert cannot strand `~/.codex` or `.instar` state.
@@ -0,0 +1,69 @@
1
+ # Side-Effects Review — Codex Multi-Agent Threadline Robustness
2
+
3
+ Spec: docs/specs/CODEX-MULTIAGENT-THREADLINE-SPEC.md (approved, converged)
4
+ Change: let Codex-framework agents reply to Threadline messages — (A) targeted
5
+ MCP-permitting launch for reply workers, (B) per-agent threadline MCP override,
6
+ (C) wire both reply paths.
7
+
8
+ ## 1. Over-block — what legitimate inputs does this reject that it shouldn't?
9
+
10
+ None new. The launch-profile selector is additive: jobs keep `-s
11
+ workspace-write` (unchanged); reply workers add bypass; explicit
12
+ `codexSandboxMode` still wins. The `-c` MCP override only ever points codex at
13
+ THIS agent's own threadline entry — it cannot reject anything.
14
+
15
+ ## 2. Under-block — what failure modes does this still miss?
16
+
17
+ - Codex agents without threadline configured: no override emitted (correct — no
18
+ threadline to reply through). Not a miss.
19
+ - The reply worker still depends on the deployed relay / local delivery being
20
+ reachable — out of scope here (transport already works).
21
+ - A future THIRD reply path that calls `buildHeadlessLaunch` directly would need
22
+ the same two flags. Mitigated by routing all reply spawns through the two
23
+ known paths; documented in the spec.
24
+
25
+ ## 3. Level-of-abstraction fit
26
+
27
+ Correct layer. The launch-profile + MCP-override are properties of HOW a codex
28
+ session is launched → they belong in `frameworkSessionLaunch` (the builder) with
29
+ the data computed once at boot in `server.ts`. The single-source-of-truth
30
+ resolver (`mcpEntry.ts`) is shared with `ThreadlineBootstrap` so registration and
31
+ per-spawn override cannot drift.
32
+
33
+ ## 4. Signal vs authority compliance
34
+
35
+ Compliant. No blocking authority added. The selectors (`codexAllowMcpTools`,
36
+ `codexThreadlineMcp`, `config.threadline`-present) are capability/launch choices,
37
+ not gates that block information flow. See docs/signal-vs-authority.md.
38
+
39
+ ## 5. Interactions
40
+
41
+ - Fix A ↔ Fix B: independent (sandbox profile vs MCP entry); both emitted in the
42
+ same codex argv, no conflict.
43
+ - Fix B ↔ existing shared-config registration: intentional — `-c` wins per spawn;
44
+ the shared `~/.codex/config.toml` entry stays (Claude parity / discovery) but
45
+ is non-authoritative for codex spawns. No double-fire (one MCP server named
46
+ "threadline" results).
47
+ - Jobs/dispatch (routes.ts generic spawn, JobScheduler): do NOT set
48
+ `codexAllowMcpTools` → unchanged (`workspace-write`). No shadowing.
49
+ - ThreadlineBootstrap refactor is behavior-preserving (`resolveThreadlineMcpEntry`
50
+ returns the identical `{command,args}`; `absDir` still declared for downstream
51
+ ~/.claude.json registration).
52
+
53
+ ## 6. External surfaces
54
+
55
+ - Other agents: a codex agent can now actually reply over Threadline — net new
56
+ outbound it previously couldn't send. Bounded by the trust gate (replies only
57
+ to trusted peers, who already messaged it).
58
+ - Security posture: codex reply workers run unsandboxed (full bypass) — the only
59
+ mode that permits the MCP call (verified, finding 2). Scheduled jobs remain
60
+ sandboxed. Operator signed off (topic 12304).
61
+ - Timing/runtime: none introduced; the override is computed once at boot.
62
+
63
+ ## 7. Rollback cost
64
+
65
+ Code-only, no migration/state. Revert `frameworkSessionLaunch.ts`, `mcpEntry.ts`,
66
+ `ThreadlineBootstrap` refactor, `server.ts`/`SessionManager`/`types.ts`/
67
+ `PipeSessionSpawner` wiring. The shared-config registration is untouched, so a
68
+ revert cannot strand `~/.codex` or `.instar` state. Existing agents pick up the
69
+ launch fix on normal update (no config rewrite).
@@ -0,0 +1,69 @@
1
+ # Side-Effects Review — autonomous completion evaluator (independent /goal-style judge)
2
+
3
+ **Version / slug:** `goal-completion-evaluator`
4
+ **Date:** 2026-05-24
5
+ **Author:** echo
6
+ **Second-pass reviewer:** internal conformance pass
7
+
8
+ ## Summary of the change
9
+
10
+ Replaces the autonomous stop-hook's self-declared `<promise>` completion check (agent grades
11
+ itself) with an **independent** judgment: when a verifiable `completion_condition` is set, a
12
+ small/fast model judges each turn whether it's met against what the agent surfaced (same
13
+ contract as the framework `/goal`). Phase 1 of `docs/specs/goal-completion-evaluator.md`. The
14
+ self-declared promise remains as a legacy fallback. `src/` touched: `CompletionEvaluator.ts`
15
+ (new), `routes.ts` (+RouteContext field + `/autonomous/evaluate-completion`), `AgentServer.ts`
16
+ (thread-through), `commands/server.ts` (construct from sharedIntelligence), `CapabilityIndex.ts`
17
+ (endpoint), `PostUpdateMigrator.ts` (marker bump). Non-src: the hook, setup script, SKILL.md, tests.
18
+
19
+ ## Decision-point inventory
20
+
21
+ - `CompletionEvaluator.evaluate` — **add**: the loop's continue/stop authority. Judges
22
+ condition vs transcript; returns met/reason. The one new decision point.
23
+ - `autonomous-stop-hook.sh` — **modify**: when a condition is set, ask the evaluator instead of
24
+ trusting the promise; promise path demoted to fallback; fail-safe on unreachable.
25
+ - `setup-autonomous.sh` — **modify**: `--completion-condition` flag + state field. (`.claude/`.)
26
+ - `POST /autonomous/evaluate-completion` — **add**: thin route over CompletionEvaluator.
27
+ - `PostUpdateMigrator` marker — **modify**: bumped so prior installs upgrade.
28
+
29
+ ## 1. Over-block (trapping a session that should exit)
30
+ - The evaluator returns met:true only on an explicit MET verdict; on met:true the run exits.
31
+ Over-block would mean never confirming a truly-met condition. Mitigated by a well-formed
32
+ condition + the reason-feedback loop. Same risk class `/goal` accepts.
33
+
34
+ ## 2. Under-block (false "done" / premature exit) — the critical direction
35
+ - The evaluator **fails safe to met:false** on empty/ambiguous/error/unreachable — it can never
36
+ emit a false "done" from a failure. Tested (unit: empty/ambiguous/throw; hook: unreachable →
37
+ keep working). Server-down does NOT premature-exit. This is the strongest safety property.
38
+
39
+ ## 3. Level-of-abstraction fit
40
+ - Correct. CompletionEvaluator mirrors existing IntelligenceProvider-backed evaluators
41
+ (DiscoveryEvaluator, CoherenceReviewer); reuses sharedIntelligence + LlmQueue spend cap.
42
+
43
+ ## 4. Blocking authority
44
+ - [x] The evaluator IS the autonomous loop's continue/stop authority — appropriate, because it
45
+ is a **full-context model judgment** (condition + transcript), exactly like `/goal`, not a
46
+ brittle low-context filter. It only gates the autonomous loop, nothing else.
47
+
48
+ ## 5. Interactions
49
+ - **Legacy promise:** preserved as fallback; runs with no condition behave exactly as before.
50
+ - **Multi-session:** per-topic; the evaluator reads/clears the same per-topic state file.
51
+ - **Cost:** one small/fast call per turn (matches `/goal`) — bounded by the LlmQueue daily cap.
52
+ - **Restart/recovery/duration/emergency-stop:** unchanged; the condition check sits in the
53
+ terminal-checks block alongside them.
54
+
55
+ ## 6. External surfaces
56
+ - **HTTP:** one new authed route `POST /autonomous/evaluate-completion` (under the already-claimed
57
+ `/autonomous` capability prefix). The hook calls it best-effort (port+auth from config); failure
58
+ is swallowed → keep working.
59
+ - **LLM:** one small/fast `IntelligenceProvider.evaluate` per turn, attributed `CompletionEvaluator`,
60
+ spend-capped. No new external credential.
61
+
62
+ ## 7. Rollback cost
63
+ - Low. Reverting restores the promise-only path; the migration marker is content-sniffed (a
64
+ rollback re-ships the prior hook, which lacks the new marker, and re-deploys cleanly). A
65
+ `completion_condition` left in a state file is simply ignored by an older hook.
66
+
67
+ ## 8. Test evidence
68
+ - 7 unit (CompletionEvaluator incl. fail-safe), 8 integration (incl. 3 evaluate-completion route),
69
+ 4 hook behavioral (met/not-met/unreachable-fail-safe/legacy). tsc clean; 61 affected tests green.