instar 1.2.69 → 1.2.71

package/src/data/builtin-manifest.json

@@ -1,8 +1,8 @@
 {
   "$schema": "./builtin-manifest.schema.json",
   "schemaVersion": 1,
-  "generatedAt": "2026-05-25T03:15:08.421Z",
-  "instarVersion": "1.2.69",
+  "generatedAt": "2026-05-25T06:38:58.237Z",
+  "instarVersion": "1.2.71",
   "entryCount": 191,
   "entries": {
     "hook:session-start": {
@@ -752,7 +752,7 @@
       "type": "cli-command",
       "domain": "setup",
       "sourcePath": "src/cli.ts",
-      "contentHash": "eba93ab5240154f808f97b72ffaf6dc2a11b36c426811ee3c08018c9a651a84a",
+      "contentHash": "2f06177819f2332512cb9fd329ef2a78613fa347b737b3ffb22554e415171861",
       "since": "2025-01-01"
     },
     "cli:setup": {
@@ -760,7 +760,7 @@
       "type": "cli-command",
       "domain": "setup",
       "sourcePath": "src/cli.ts",
-      "contentHash": "eba93ab5240154f808f97b72ffaf6dc2a11b36c426811ee3c08018c9a651a84a",
+      "contentHash": "2f06177819f2332512cb9fd329ef2a78613fa347b737b3ffb22554e415171861",
       "since": "2025-01-01"
     },
     "cli:add": {
@@ -768,7 +768,7 @@
       "type": "cli-command",
       "domain": "setup",
       "sourcePath": "src/cli.ts",
-      "contentHash": "eba93ab5240154f808f97b72ffaf6dc2a11b36c426811ee3c08018c9a651a84a",
+      "contentHash": "2f06177819f2332512cb9fd329ef2a78613fa347b737b3ffb22554e415171861",
       "since": "2025-01-01"
     },
     "cli:backup": {
@@ -776,7 +776,7 @@
       "type": "cli-command",
       "domain": "operations",
       "sourcePath": "src/cli.ts",
-      "contentHash": "eba93ab5240154f808f97b72ffaf6dc2a11b36c426811ee3c08018c9a651a84a",
+      "contentHash": "2f06177819f2332512cb9fd329ef2a78613fa347b737b3ffb22554e415171861",
       "since": "2025-01-01"
     },
     "cli:git": {
@@ -784,7 +784,7 @@
       "type": "cli-command",
       "domain": "coordination",
       "sourcePath": "src/cli.ts",
-      "contentHash": "eba93ab5240154f808f97b72ffaf6dc2a11b36c426811ee3c08018c9a651a84a",
+      "contentHash": "2f06177819f2332512cb9fd329ef2a78613fa347b737b3ffb22554e415171861",
       "since": "2025-01-01"
     },
     "cli:memory": {
@@ -792,7 +792,7 @@
       "type": "cli-command",
       "domain": "memory",
       "sourcePath": "src/cli.ts",
-      "contentHash": "eba93ab5240154f808f97b72ffaf6dc2a11b36c426811ee3c08018c9a651a84a",
+      "contentHash": "2f06177819f2332512cb9fd329ef2a78613fa347b737b3ffb22554e415171861",
       "since": "2025-01-01"
     },
     "cli:knowledge": {
@@ -800,7 +800,7 @@
       "type": "cli-command",
       "domain": "memory",
       "sourcePath": "src/cli.ts",
-      "contentHash": "eba93ab5240154f808f97b72ffaf6dc2a11b36c426811ee3c08018c9a651a84a",
+      "contentHash": "2f06177819f2332512cb9fd329ef2a78613fa347b737b3ffb22554e415171861",
       "since": "2025-01-01"
     },
     "cli:semantic": {
@@ -808,7 +808,7 @@
       "type": "cli-command",
       "domain": "memory",
       "sourcePath": "src/cli.ts",
-      "contentHash": "eba93ab5240154f808f97b72ffaf6dc2a11b36c426811ee3c08018c9a651a84a",
+      "contentHash": "2f06177819f2332512cb9fd329ef2a78613fa347b737b3ffb22554e415171861",
       "since": "2025-01-01"
     },
     "cli:intent": {
@@ -816,7 +816,7 @@
       "type": "cli-command",
       "domain": "intent",
       "sourcePath": "src/cli.ts",
-      "contentHash": "eba93ab5240154f808f97b72ffaf6dc2a11b36c426811ee3c08018c9a651a84a",
+      "contentHash": "2f06177819f2332512cb9fd329ef2a78613fa347b737b3ffb22554e415171861",
       "since": "2025-01-01"
     },
     "cli:feedback": {
@@ -824,7 +824,7 @@
       "type": "cli-command",
       "domain": "feedback",
       "sourcePath": "src/cli.ts",
-      "contentHash": "eba93ab5240154f808f97b72ffaf6dc2a11b36c426811ee3c08018c9a651a84a",
+      "contentHash": "2f06177819f2332512cb9fd329ef2a78613fa347b737b3ffb22554e415171861",
       "since": "2025-01-01"
     },
     "cli:server": {
@@ -832,7 +832,7 @@
       "type": "cli-command",
       "domain": "server",
       "sourcePath": "src/cli.ts",
-      "contentHash": "eba93ab5240154f808f97b72ffaf6dc2a11b36c426811ee3c08018c9a651a84a",
+      "contentHash": "2f06177819f2332512cb9fd329ef2a78613fa347b737b3ffb22554e415171861",
       "since": "2025-01-01"
     },
     "cli:status": {
@@ -840,7 +840,7 @@
       "type": "cli-command",
       "domain": "monitoring",
       "sourcePath": "src/cli.ts",
-      "contentHash": "eba93ab5240154f808f97b72ffaf6dc2a11b36c426811ee3c08018c9a651a84a",
+      "contentHash": "2f06177819f2332512cb9fd329ef2a78613fa347b737b3ffb22554e415171861",
       "since": "2025-01-01"
     },
     "cli:user": {
@@ -848,7 +848,7 @@
       "type": "cli-command",
       "domain": "users",
       "sourcePath": "src/cli.ts",
-      "contentHash": "eba93ab5240154f808f97b72ffaf6dc2a11b36c426811ee3c08018c9a651a84a",
+      "contentHash": "2f06177819f2332512cb9fd329ef2a78613fa347b737b3ffb22554e415171861",
       "since": "2025-01-01"
     },
     "cli:relationship": {
@@ -856,7 +856,7 @@
       "type": "cli-command",
       "domain": "relationships",
       "sourcePath": "src/cli.ts",
-      "contentHash": "eba93ab5240154f808f97b72ffaf6dc2a11b36c426811ee3c08018c9a651a84a",
+      "contentHash": "2f06177819f2332512cb9fd329ef2a78613fa347b737b3ffb22554e415171861",
       "since": "2025-01-01"
     },
     "cli:job": {
@@ -864,7 +864,7 @@
       "type": "cli-command",
       "domain": "scheduling",
       "sourcePath": "src/cli.ts",
-      "contentHash": "eba93ab5240154f808f97b72ffaf6dc2a11b36c426811ee3c08018c9a651a84a",
+      "contentHash": "2f06177819f2332512cb9fd329ef2a78613fa347b737b3ffb22554e415171861",
       "since": "2025-01-01"
     },
     "cli:lifeline": {
@@ -872,7 +872,7 @@
       "type": "cli-command",
       "domain": "communication",
       "sourcePath": "src/cli.ts",
-      "contentHash": "eba93ab5240154f808f97b72ffaf6dc2a11b36c426811ee3c08018c9a651a84a",
+      "contentHash": "2f06177819f2332512cb9fd329ef2a78613fa347b737b3ffb22554e415171861",
       "since": "2025-01-01"
     },
     "cli:list": {
@@ -880,7 +880,7 @@
       "type": "cli-command",
       "domain": "monitoring",
       "sourcePath": "src/cli.ts",
-      "contentHash": "eba93ab5240154f808f97b72ffaf6dc2a11b36c426811ee3c08018c9a651a84a",
+      "contentHash": "2f06177819f2332512cb9fd329ef2a78613fa347b737b3ffb22554e415171861",
       "since": "2025-01-01"
     },
     "cli:autostart": {
@@ -888,7 +888,7 @@
       "type": "cli-command",
       "domain": "operations",
       "sourcePath": "src/cli.ts",
-      "contentHash": "eba93ab5240154f808f97b72ffaf6dc2a11b36c426811ee3c08018c9a651a84a",
+      "contentHash": "2f06177819f2332512cb9fd329ef2a78613fa347b737b3ffb22554e415171861",
       "since": "2025-01-01"
     },
     "cli:migrate": {
@@ -896,7 +896,7 @@
       "type": "cli-command",
       "domain": "updates",
       "sourcePath": "src/cli.ts",
-      "contentHash": "eba93ab5240154f808f97b72ffaf6dc2a11b36c426811ee3c08018c9a651a84a",
+      "contentHash": "2f06177819f2332512cb9fd329ef2a78613fa347b737b3ffb22554e415171861",
       "since": "2025-01-01"
     },
     "cli:machines": {
@@ -904,7 +904,7 @@
       "type": "cli-command",
       "domain": "coordination",
       "sourcePath": "src/cli.ts",
-      "contentHash": "eba93ab5240154f808f97b72ffaf6dc2a11b36c426811ee3c08018c9a651a84a",
+      "contentHash": "2f06177819f2332512cb9fd329ef2a78613fa347b737b3ffb22554e415171861",
       "since": "2025-01-01"
     },
     "cli:whoami": {
@@ -912,7 +912,7 @@
       "type": "cli-command",
       "domain": "identity",
       "sourcePath": "src/cli.ts",
-      "contentHash": "eba93ab5240154f808f97b72ffaf6dc2a11b36c426811ee3c08018c9a651a84a",
+      "contentHash": "2f06177819f2332512cb9fd329ef2a78613fa347b737b3ffb22554e415171861",
       "since": "2025-01-01"
     },
     "cli:pair": {
@@ -920,7 +920,7 @@
       "type": "cli-command",
       "domain": "coordination",
       "sourcePath": "src/cli.ts",
-      "contentHash": "eba93ab5240154f808f97b72ffaf6dc2a11b36c426811ee3c08018c9a651a84a",
+      "contentHash": "2f06177819f2332512cb9fd329ef2a78613fa347b737b3ffb22554e415171861",
       "since": "2025-01-01"
     },
     "cli:join": {
@@ -928,7 +928,7 @@
       "type": "cli-command",
       "domain": "coordination",
       "sourcePath": "src/cli.ts",
-      "contentHash": "eba93ab5240154f808f97b72ffaf6dc2a11b36c426811ee3c08018c9a651a84a",
+      "contentHash": "2f06177819f2332512cb9fd329ef2a78613fa347b737b3ffb22554e415171861",
       "since": "2025-01-01"
     },
     "cli:wakeup": {
@@ -936,7 +936,7 @@
       "type": "cli-command",
       "domain": "coordination",
       "sourcePath": "src/cli.ts",
-      "contentHash": "eba93ab5240154f808f97b72ffaf6dc2a11b36c426811ee3c08018c9a651a84a",
+      "contentHash": "2f06177819f2332512cb9fd329ef2a78613fa347b737b3ffb22554e415171861",
       "since": "2025-01-01"
     },
     "cli:leave": {
@@ -944,7 +944,7 @@
       "type": "cli-command",
       "domain": "coordination",
       "sourcePath": "src/cli.ts",
-      "contentHash": "eba93ab5240154f808f97b72ffaf6dc2a11b36c426811ee3c08018c9a651a84a",
+      "contentHash": "2f06177819f2332512cb9fd329ef2a78613fa347b737b3ffb22554e415171861",
       "since": "2025-01-01"
     },
     "cli:doctor": {
@@ -952,7 +952,7 @@
       "type": "cli-command",
       "domain": "monitoring",
       "sourcePath": "src/cli.ts",
-      "contentHash": "eba93ab5240154f808f97b72ffaf6dc2a11b36c426811ee3c08018c9a651a84a",
+      "contentHash": "2f06177819f2332512cb9fd329ef2a78613fa347b737b3ffb22554e415171861",
       "since": "2025-01-01"
     },
     "cli:review": {
@@ -960,7 +960,7 @@
       "type": "cli-command",
       "domain": "monitoring",
       "sourcePath": "src/cli.ts",
-      "contentHash": "eba93ab5240154f808f97b72ffaf6dc2a11b36c426811ee3c08018c9a651a84a",
+      "contentHash": "2f06177819f2332512cb9fd329ef2a78613fa347b737b3ffb22554e415171861",
       "since": "2025-01-01"
     },
     "cli:nuke": {
@@ -968,7 +968,7 @@
       "type": "cli-command",
       "domain": "operations",
       "sourcePath": "src/cli.ts",
-      "contentHash": "eba93ab5240154f808f97b72ffaf6dc2a11b36c426811ee3c08018c9a651a84a",
+      "contentHash": "2f06177819f2332512cb9fd329ef2a78613fa347b737b3ffb22554e415171861",
       "since": "2025-01-01"
     },
     "cli:playbook": {
@@ -976,7 +976,7 @@
       "type": "cli-command",
       "domain": "context",
       "sourcePath": "src/cli.ts",
-      "contentHash": "eba93ab5240154f808f97b72ffaf6dc2a11b36c426811ee3c08018c9a651a84a",
+      "contentHash": "2f06177819f2332512cb9fd329ef2a78613fa347b737b3ffb22554e415171861",
       "since": "2025-01-01"
     },
     "template:build-stop-hook.sh": {

package/upgrades/1.2.70.md

@@ -0,0 +1,72 @@
+# Upgrade Guide — vNEXT
+
+<!-- bump: patch -->
+<!-- patch = bug fixes, refactors, test additions, doc updates -->
+
+## What Changed
+
+Two pieces of Codex-parity hardening on the enforcement-hook layer, both within
+the approved spec (`docs/specs/codex-enforcement-hook-layer.md`):
+
+1. **Scope-coherence checkpoint now runs on Codex.** `installCodexHooks` wires
+   `scope-coherence-checkpoint.js` into Codex's `Stop` event, joining the
+   `response-review` + `deferral-detector` pair already there. This completes the
+   spec §4.1 Stop mapping ("deferral / scope checkpoint → Stop") — previously only
+   deferral was wired. The script is framework-neutral (reads stdin, POSTs to the
+   local server) and Codex honors `{decision:"block", reason}` on `Stop` (verified
+   in the 0.133 binary's `StopCommandOutputWire`), so it gives Codex agents the same
+   structural "zoom out and re-read scope" grounding pause Claude agents get — not a
+   hard termination. It defaults to approve and self-throttles (depth threshold +
+   30-minute cooldown), so it cannot loop an autonomous run. Existing Codex agents
+   pick it up on update: the script already ships via always-overwrite migration and
+   `migrateHooks` re-runs `installCodexHooks` for codex-cli agents.
+
+2. **A hook-contract drift canary** (`codexHookContractCanary.ts`). Layer A is an
+   env-independent invariant lock: it asserts the Codex hook config still has the
+   load-bearing shape that two earlier live silent-no-op bugs taught us to protect —
+   the `.*` tool matcher (a bare `*` matches nothing), `dangerous-command-guard` on
+   PreToolUse, and the full Stop review trio. A refactor that regresses any of these
+   fails CI. Layer B is best-effort: when a real codex binary is resolvable, it reads
+   the binary's embedded hook-event schema and confirms the events instar depends on
+   are still declared (catching real Codex-side contract drift). No binary present →
+   the binary layer skips rather than fails.
+
+Also recorded honestly: a WIP that would have wired compaction-recovery to Codex's
+`PostCompact` event was set aside after verifying against the 0.133 binary schema
+that `PostCompact` has no `additionalContext` field — the only channel that
+re-injects context into the model. It would have installed a hook that does nothing.
+Codex compaction-recovery parity needs a different mechanism and is tracked.
+
+## What to Tell Your User
+
+- **Codex agents now get the same scope-grounding check Claude agents have**: "When
+  I've been heads-down implementing for a long stretch, I now get a structural nudge
+  to step back and re-check I'm building the right thing — on the Codex engine too,
+  not just on Claude."
+- **A watchdog for the Codex safety guards**: "There's now an automatic check that
+  notices if the Codex safety guards ever stop firing or if Codex changes its format
+  underneath us — so a guard can't silently turn into a no-op without us catching it."
+- Nothing for you to do — both ship automatically on update.
+
+## Summary of New Capabilities
+
+| Capability | How to Use |
+|-----------|-----------|
+| Scope-coherence checkpoint on Codex Stop | Automatic (installed via init + update migration) |
+| Codex hook-contract drift canary | Automatic (CI invariant lock; best-effort binary probe) |
+
+## Evidence
+
+- **Codex Stop schema honors `decision:block`**: verified directly against the
+  codex-cli 0.133.0 binary — `strings` shows `StopCommandOutputWire` plus the error
+  string `"Stop hook returned decision:block without a non-empty reason"`, confirming
+  the block-with-reason contract the scope-coherence script relies on.
+- **PostCompact cannot re-inject context** (why that WIP was dropped): the binary's
+  `post-compact.command.output` schema enumerates only `continue/stopReason/`
+  `suppressOutput/systemMessage` — no `additionalContext`. Only the `SessionStart`
+  and `UserPromptSubmit` output wires carry `additionalContext`, and `SessionStart`
+  triggers are `startup/resume/clear` (no `compact`). Verified by extracting the
+  embedded JSON schema from the binary.
+- **Tests**: `installCodexHooks.test.ts` 8 green (incl. new Stop-trio assertion);
+  `codexHookContractCanary.test.ts` 6 green (layer-A invariants always asserted;
+  layer-B skip-not-fail with no binary). `tsc` clean.

package/upgrades/1.2.71.md

@@ -0,0 +1,52 @@
+# Upgrade Guide — tunable topic-intent decay horizons
+
+<!-- bump: minor -->
+<!-- minor = new features, new APIs, new capabilities (backwards-compatible) -->
+
+## What Changed
+
+**You can now tune how fast each kind of memory fades, from config.**
+
+Rung 1 gave topic-intent memories different "shelf lives" — a method ("we're
+testing over Telegram") fades in about a week, an audience in about a month,
+facts and decisions over months. Those numbers were code constants. This ships
+the tracked `cwa-decay-profile-config` follow-up: they're now overridable via
+config, so we can tune them from real data without a code change.
+
+`topicIntent.capture.decayProfiles` takes any subset of refkinds
+(method/audience/goal/fact/decision) and any subset of `{graceDays, halfLifeDays}`;
+anything you don't specify keeps the built-in default. Invalid values (zero,
+negative, non-finite) are ignored — a bad config can never break decay; it just
+falls back to the default. Set nothing and behavior is exactly as before.
+
+Example: slow down how fast a "method" frame fades —
+`{"topicIntent":{"capture":{"decayProfiles":{"method":{"halfLifeDays":21}}}}}`.
+
+**Evidence**: 6 unit tests (defaults, partial override, invalid-ignored,
+idempotent, reset, and that an override actually changes projected decay). The
+rung-0/rung-1 decay math is unchanged when no override is set (existing
+projection tests green). `tsc` + lint clean.
+
+Spec: `docs/specs/topic-intent-task-context-capture.md` §3 (the
+`cwa-decay-profile-config` tracked deferral, now shipped). Side-effects:
+`upgrades/side-effects/cwa-decay-profile-config.md`.
+
+## What to Tell Your User
+
+- **Tune memory shelf-lives**: "How fast I forget different kinds of context is
+  now adjustable in config — if a 'how we're working' note fades too fast or
+  sticks too long, we can dial it without changing code."
+
+## Summary of New Capabilities
+
+| Capability | How to Use |
+|-----------|-----------|
+| Override topic-intent decay horizons | `topicIntent.capture.decayProfiles.<kind>.{graceDays,halfLifeDays}` in `.instar/config.json` (optional; omitted → defaults) |
+
+## Evidence
+
+Not a bug fix — a tuning knob over the rung-1 decay model. Verified by 6 unit
+tests including one that confirms an override actually changes projected decay
+(a method ref barely decays by day 8 under a long-horizon override vs. ~halving
+under the default). No-override behavior is byte-for-byte the prior defaults.
+`tsc` + lint clean.

package/upgrades/side-effects/codex-parity-canary-scope-coherence.md

@@ -0,0 +1,34 @@
+# Side-Effects Review: Codex parity — Stop scope-coherence + hook-contract canary (P6)
+
+## Change
+Two changes to the Codex enforcement layer, both within the approved spec (`docs/specs/codex-enforcement-hook-layer.md`):
+
+1. **`installCodexHooks.ts`** — added `scope-coherence-checkpoint.js` to the Codex `Stop` event, alongside the existing `response-review.js` + `deferral-detector.js`. Completes the spec §4.1 mapping ("deferral / scope checkpoint → Stop"), which previously wired only deferral.
+2. **`codexHookContractCanary.ts`** (new) — the P6 hook-contract drift canary. Two layers: (A) a deterministic, env-independent invariant lock asserting `buildInstarCodexHookGroups` still emits the load-bearing shape (`.*` matcher, `dangerous-command-guard` on PreToolUse, the full Stop review trio); (B) a best-effort probe of a resolvable codex binary's embedded hook-event schema, asserting the events instar depends on are still declared.
+
+## Why
+- **Scope-coherence on Stop**: the spec intends it; without it, Codex agents drift deep into implementation without the structural zoom-out that Claude agents get. The script is framework-neutral (reads stdin, POSTs to the local server) and Codex honors `{decision:'block', reason}` on Stop (verified in the 0.133 binary's `StopCommandOutputWire`). Same grounding-pause semantics as Claude — not a hard termination.
+- **Canary**: P5c paid for two silent-no-op bugs live (a `*` matcher that matched nothing; the `cmd` vs `command` field). Layer A is the regression lock against that exact class — a refactor that regresses any invariant fails CI. Layer B catches real Codex-side drift (renamed/dropped hook events) when a binary is present.
+
+## Scope / blast radius
+- `scope-coherence-checkpoint.js` already ships to all agents via always-overwrite migration (`PostUpdateMigrator` line ~1698) and `installCodexHooks` is called from `migrateHooks` gated on codex-cli (line ~1655) — so existing Codex agents pick up the new Stop wiring on update (migration parity satisfied, no new migration needed). `validateHookReferences` guards against a dangling reference.
+- The canary is invoked only from its unit test (the established pattern for the existing Codex canaries — CI drift lock), so it adds zero runtime cost on the hot path.
+
+## Signal vs Authority
+- Unchanged. scope-coherence is a low-context Stop-trigger that routes to the server; it never holds blocking authority of its own beyond the existing grounding-pause. The canary is pure verification — no authority, no runtime gating.
+
+## Over-block / autonomy risk
+- scope-coherence defaults to `approve` and self-throttles (depth threshold + 30-min cooldown), so it cannot loop an autonomous Codex run. The deferral-detector already runs on Codex Stop the same way (proven-compatible precedent).
+
+## Honesty note — PostCompact NOT shipped
+- A WIP that wired `compaction-recovery.sh` to Codex's `PostCompact` event was set aside this session after verifying (against the 0.133 binary schema) that `PostCompact` exposes only `continue/stopReason/suppressOutput/systemMessage` — no `additionalContext`, the only field that re-injects context. Only `SessionStart`/`UserPromptSubmit` carry it, and Codex's `SessionStart` triggers are `startup/resume/clear` (no `compact`). So that wiring would have installed a hook that cannot re-inject identity — dead on arrival. Compaction-recovery parity on Codex needs a different mechanism; tracked, not shipped.
+
+## Rollback
+- Revert the one-line `Stop` array edit + delete the canary module + test. No data migration, no config change.
+
+## Tests
+- `installCodexHooks.test.ts`: +1 test asserting the full Stop review trio (response-review + deferral + scope-coherence). 8 green.
+- `codexHookContractCanary.test.ts`: 6 tests — layer-A invariants always asserted; layer-B skip-not-fail when no binary; binary-probed branch asserts all required events. Green.
+
+## Publish
+- Feature branch `echo/codex-parity-audit`. Targets a patch release on merge.

package/upgrades/side-effects/cwa-decay-profile-config.md

@@ -0,0 +1,58 @@
+# Side-effects review — config-overridable decay profiles (cwa-decay-profile-config)
+
+**Scope**: Ship the tracked `cwa-decay-profile-config` deferral from the rung-1
+task-context spec (`docs/specs/topic-intent-task-context-capture.md` §3, approved):
+let operators tune the per-kind decay horizons (method/audience/goal/fact/decision)
+via config instead of code constants, so the short/medium/long numbers become
+tunable from real data without a code change.
+
+**Files touched**:
+- `src/core/TopicIntent.ts` — split `DECAY_PROFILES` into `DEFAULT_DECAY_PROFILES`
+  (the baseline) + a mutable `activeDecayProfiles`; add `configureDecayProfiles(overrides)`
+  (existence-checked, validated, idempotent — always re-derives from defaults),
+  `resetDecayProfiles()` (test isolation), and `DecayProfileOverrides` type.
+  `decayProfileFor` now reads the active profiles. `projectConfidence` is
+  unchanged (still pure w.r.t. its args; it calls `decayProfileFor`).
+- `src/core/types.ts` — `topicIntent.capture.decayProfiles?` config field.
+- `src/commands/server.ts` — call `configureDecayProfiles(config.topicIntent?.capture?.decayProfiles)`
+  once at startup, right after the TopicIntentStore is constructed.
+- `tests/unit/TopicIntent-decay-profile-config.test.ts` — 6 tests (defaults,
+  partial override, invalid-ignored, idempotent, reset, projection-reflects-override).
+
+**Under-block**: An override only changes the numbers it specifies; everything
+else keeps the default. Invalid values (non-finite / ≤ 0) are silently ignored,
+so a malformed config can never break decay (the loop falls back to defaults).
+
+**Over-block**: None. This is a tuning knob, not a gate.
+
+**Level-of-abstraction fit**: Decay horizons are process-wide *policy*, so a
+module-level configurable map (set once at startup) is the right level — not
+per-call state. `projectConfidence` keeps its signature and purity-w.r.t-args;
+the only behavioral input it gains is the global policy via `decayProfileFor`,
+which already read a module constant. `configureDecayProfiles` always re-derives
+from `DEFAULT_DECAY_PROFILES` so it's idempotent and order-independent.
+
+**Signal vs authority**: N/A (a tuning value, no decision authority).
+
+**Interactions**:
+- `configureDecayProfiles` is called once at server startup. If never called
+  (e.g. tests, or a path that doesn't boot the server), the defaults are in
+  effect — identical to pre-change behavior. **Rung-0/rung-1 decay math is
+  unchanged when no override is set** (fact/decision stay 30/180; task kinds keep
+  their defaults), so existing projection tests are unaffected.
+- `resetDecayProfiles()` exists for test isolation (module-global state); tests
+  call it in `afterEach`.
+- Idempotent + validated → re-running migration / re-reading config is safe.
+
+**External surfaces**: New config field `topicIntent.capture.decayProfiles`
+(optional, existence-checked). New exported `configureDecayProfiles`,
+`resetDecayProfiles`, `DecayProfileOverrides`. No new endpoint.
+
+**Rollback cost**: Low. Revert `decayProfileFor` to read a const + drop the
+config field + the startup call; behavior returns to fixed code-constant
+profiles (today's state). No persisted state involved.
+
+**Migration parity**: Pure config-read at startup (server-side; every agent
+gets the capability on update). The field is opt-in with an existence check, so
+no `ConfigDefaults` entry is required — absence → built-in defaults. No
+hook/template/skill change.

package/upgrades/side-effects/scg-cli.md

@@ -0,0 +1,48 @@
+# Side-effects review — `instar spec conformance` CLI (scg-cli)
+
+**Scope**: Ship the tracked `scg-cli` deferral from the standards-conformance-gate
+spec (`docs/specs/standards-conformance-gate.md`, approved/merged in #373): a
+command-line entry point to the conformance gate, so a spec can be checked
+against the constitution without curl. Thin client over the existing
+`POST /spec/conformance-check` route.
+
+**Files touched**:
+- `src/commands/spec.ts` — NEW. `runSpecConformance({specPath,dir,port,json})`:
+  reads the spec file, resolves port + authToken from `loadConfig`, POSTs
+  `{markdown}` to the local server's conformance route, prints a formatted
+  rule-by-rule report (or `--json`). Server-down / 503 / missing-file are clear
+  errors with non-zero exit.
+- `src/cli.ts` — register `instar spec conformance <path>` (a `spec` command group
+  + `conformance` subcommand) using the established Commander + `loadConfig` pattern.
+- `tests/unit/spec-conformance-cli.test.ts` — 5 tests (posts markdown, prints
+  findings, clean-pass, degraded-advisory, --json, missing-file exit).
+
+**Under-block / over-block**: None. The CLI only *reads* a spec and *prints* a
+report; it has no authority (mirrors the route's signal-only nature). It cannot
+block anything.
+
+**Level-of-abstraction fit**: The CLI is a thin presentation layer over the
+already-built route + reviewer; it duplicates no logic. It reuses the standard
+CLI→local-server pattern (`loadConfig` → port/authToken → fetch), so the
+subscription-backed intelligence provider stays server-side (the CLI never
+constructs an LLM client).
+
+**Signal vs authority**: Inherits the route's signal-only posture — prints
+"possible violations (you decide)", never a pass/fail verdict that gates anything.
+
+**Interactions**:
+- Requires the local server running (it's a client). Server-down → a clear
+  "Is the server running?" error + exit 1, not a crash.
+- Reads `config.port` (so it targets the agent's real port, e.g. 4042) with a 4040
+  fallback; reads `authToken` for the Bearer header.
+- 60s fetch timeout (a `capable`-tier conformance check can take a while).
+
+**External surfaces**: New CLI subcommand `instar spec conformance <path>
+[--dir] [--port] [--json]`. New exported `runSpecConformance`. No new endpoint,
+no config change.
+
+**Rollback cost**: Trivial. Remove the command registration + `src/commands/spec.ts`
++ the test. The route it calls is unaffected.
+
+**Migration parity**: CLI code only (shipped in the package; every agent gets it
+on update). No hook/template/config/skill change.