instar 1.3.322 → 1.3.324

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1,51 @@
1
+ # Upgrade Guide — vNEXT
2
+
3
+ <!-- assembled-by: assemble-next-md -->
4
+ <!-- bump: minor -->
5
+
6
+ ## What Changed
7
+
8
+ Adds the **agent digital passport** — Salim Ismail's EXO 3.0 concept (from *The
9
+ 80-Year Business Rule AI Just Broke*): "every AI agent gets a digital passport
10
+ with metadata saying what it's allowed to do and what it's not allowed to do,
11
+ and other agents watching that it's complying."
12
+
13
+ This packages Instar's existing primitives — agent identity (name + routing
14
+ fingerprint), trust level, and ORG-INTENT constraints — into one portable
15
+ passport, plus a deterministic compliance check a peer runs before trusting an
16
+ action:
17
+
18
+ - `GET /passport` → `{ version, agent, fingerprint, trustLevel,
19
+ allowedCapabilities, forbiddenActions, issuedAt }`. `forbiddenActions` are
20
+ drawn from the agent's ORG-INTENT constraints.
21
+ - `POST /passport/verify` `{ passport, action }` → `{ permitted, basis, reason,
22
+ matched? }` where `basis` is `forbidden-action` | `trust-floor` (an untrusted
23
+ passport may observe but not act) | `out-of-scope` | `ok`.
24
+ - A `/agent-passport` skill so agents reach for it proactively.
25
+
26
+ Deterministic + advisory — it answers "should I let this passport do this?"; the
27
+ caller decides. Pairs with the MTP Protocol (`/intent/org/test-action`).
28
+
29
+ ## What to Tell Your User
30
+
31
+ Your agent now carries a digital passport — one portable card that says who it is (name + cryptographic fingerprint), how trusted it is, and exactly what it's forbidden to do (drawn straight from your organization's written constraints). When two agents work together, one can check the other's proposed action against that passport before trusting it: "is this allowed, forbidden, or outside your scope?" It's the EXO 3.0 idea that agents police each other's compliance — made real. Nothing changes in day-to-day use until agents start exchanging passports; there's nothing you need to configure.
32
+
33
+ ## Summary of New Capabilities
34
+
35
+ - `GET /passport` — your own passport: `{ agent, fingerprint, trustLevel, allowedCapabilities, forbiddenActions, issuedAt }` (forbiddenActions = ORG-INTENT constraints).
36
+ - `POST /passport/verify` `{ passport, action }` — deterministic peer compliance check → `{ permitted, basis, reason }` (basis: forbidden-action / trust-floor / out-of-scope / ok). Advisory — the caller decides.
37
+ - `/agent-passport` skill — the proactive entry point before trusting a peer's proposed action.
38
+
39
+ ## Evidence
40
+
41
+ Three-tier coverage, all green, `tsc --noEmit` clean:
42
+
43
+ - Unit — `AgentPassport.test.ts` (6): build defaults + `permits()` across every
44
+ boundary (forbidden-action, trust-floor, out-of-scope, in-scope, unscoped).
45
+ - Integration — `agent-passport-routes.test.ts` (3): both routes over real HTTP,
46
+ with ORG-INTENT constraints surfaced as the passport's forbidden actions.
47
+ - E2E — `agent-passport-lifecycle.test.ts` (2): a real server on a real port;
48
+ `GET /passport` and `POST /passport/verify` alive end-to-end (200, not 404/503).
49
+
50
+ Skill registered in `installBuiltinSkills`; CLAUDE.md scaffold template documents
51
+ both endpoints.
@@ -0,0 +1,35 @@
1
+ # Side-effects — EXO 3.0 G2 (#791) CI greening on post-rebase main
2
+
3
+ ## Change set
4
+
5
+ - `src/server/CapabilityIndex.ts` — new `agentReadiness` CAPABILITY_INDEX entry
6
+ (prefix `/agent-readiness`, static `configured: true`, one endpoint).
7
+ - `src/core/PostUpdateMigrator.ts` — migrateClaudeMd gains the Agent-Readiness
8
+ Scoring section (content-sniffed, idempotent) + the shadow marker
9
+ `'**Agent-Readiness Scoring (EXO 3.0'` in migrateFrameworkShadowCapabilities.
10
+ - `tests/unit/feature-delivery-completeness.test.ts` — registers the section in
11
+ featureSections (enforces template + migrator + shadow parity).
12
+ - `upgrades/next/agent-readiness-scoring.md` — adds the two user-facing
13
+ sections fragment validation requires.
14
+
15
+ ## Side effects considered
16
+
17
+ - **/capabilities response grows** by one block; builder is pure/static (no
18
+ ctx dependency — the route is a stateless scorer behind a dynamic import),
19
+ so no probe-path cost or null-ctx risk.
20
+ - **Existing agents' CLAUDE.md grows** one section on next migration
21
+ (idempotent via `content.includes` sniff on a distinctive phrase that matches
22
+ both template and migrator variants: 'Agent-Readiness Scoring (EXO 3.0').
23
+ - **Shadow files** (AGENTS.md/GEMINI.md) mirror the section; marker bounded by
24
+ the next-marker scan like its siblings.
25
+ - **No scorer behavior change**: AgentReadinessScorer and its route untouched.
26
+
27
+ ## Verification
28
+
29
+ - feature-delivery-completeness + capabilities-discoverability + agent-readiness
30
+ unit/integration/e2e suites green locally; `check-repo-invariants` holds;
31
+ `tsc --noEmit` 0 errors.
32
+
33
+ ## Rollback
34
+
35
+ Revert this single commit; the feature commits are untouched by it.
@@ -0,0 +1,31 @@
1
+ # Side-effects — EXO 3.0 G3 (#793) CI greening on post-rebase main
2
+
3
+ ## Change set
4
+
5
+ - `tests/integration/agent-passport-routes.test.ts` + `tests/e2e/agent-passport-lifecycle.test.ts`
6
+ — teardown `fs.rmSync` → `SafeFsExecutor.safeRmSync` (lint compliance; test-only).
7
+ - `src/server/CapabilityIndex.ts` — new `agentPassport` entry (prefix `/passport`,
8
+ static `configured: true`, two endpoints).
9
+ - `src/core/PostUpdateMigrator.ts` — migrateClaudeMd Agent Digital Passport
10
+ section (content-sniffed, idempotent) + shadow marker
11
+ `'**Agent Digital Passport (EXO 3.0'`.
12
+ - `tests/unit/feature-delivery-completeness.test.ts` — featureSections entry.
13
+ - `upgrades/next/agent-digital-passport.md` — the two required user sections.
14
+
15
+ ## Side effects considered
16
+
17
+ - **/capabilities grows** one static block (no ctx dependency; the passport
18
+ builder reads identity/trust/intent lazily inside the route, not the index).
19
+ - **Existing agents' CLAUDE.md grows** one section on next migration; sniff
20
+ phrase 'Agent Digital Passport (EXO 3.0' matches template + migrator variants.
21
+ - **Shadow mirror**: marker bounded by the next-marker scan like its siblings.
22
+ - **No passport behavior change**: AgentPassport module and routes untouched.
23
+
24
+ ## Verification
25
+
26
+ - Passport unit/integration/e2e + completeness + discoverability suites green
27
+ locally; `check-repo-invariants` holds; destructive lint clean; `tsc --noEmit` 0.
28
+
29
+ ## Rollback
30
+
31
+ Revert this single commit; feature commits untouched.