instar 1.3.336 → 1.3.337

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1,83 @@
1
+ # Side-Effects Review — AUP-Rejection Wedge Signature + Fresh-Respawn API
2
+
3
+ **Version / slug:** `aup-wedge-fresh-api`
4
+ **Date:** `2026-06-06`
5
+ **Author:** `Echo (instar-dev agent, session-robustness topic per Justin's "work on more robust ways to handle these scenarios")`
6
+ **Second-pass reviewer:** `self-adversarial pass over the one-off-vs-loop boundary (the only place this change could destroy user state)`
7
+
8
+ ## Summary of the change
9
+
10
+ ContextWedgeSentinel learns a second wedge-signature family — the AUP-rejection
11
+ loop (2026-06-05 EXO incident) — via `classifyWedgeTail()`, which returns the
12
+ matching family for the live tail and tags every event/escalation with `kind`.
13
+ The AUP family requires the signature on >1 line of the capture (the loop
14
+ repeats every turn; a benign one-off rejection appears once). `POST
15
+ /sessions/refresh` forwards a validated `fresh` boolean to
16
+ `SessionRefresh.refreshSession` — the previously-internal-only fresh-mode.
17
+ CLAUDE.md migrator patch teaches deployed agents both additions. Files:
18
+ `ContextWedgeSentinel.ts`, `server.ts` (wiring detail strings), `routes.ts`,
19
+ `PostUpdateMigrator.ts`, spec doc, three test files.
20
+
21
+ ## Decision-point inventory
22
+
23
+ - AUP tail classification — **add (detector)** — new signal only; same confirm
24
+ window + same opt-in recovery policy as the existing family.
25
+ - One-line AUP occurrence — **deliberate non-detection** — a benign one-off
26
+ rejection must never cost a session its conversation; the wedge always
27
+ repeats, so the second occurrence arrives within one failed turn.
28
+ - `fresh` route param — **add (lever, validated)** — exposes an existing
29
+ internal mode; same spawnLimiter + SessionRefresh rate-guard as every
30
+ refresh.
31
+
32
+ ## 1. Over-block
33
+
34
+ None added. Detection alone never kills anything (autoRecovery ships dark,
35
+ unchanged). The worst over-detection case — a session DISCUSSING the AUP error
36
+ with two quoted copies in its tail — is covered by the same two defenses as the
37
+ thinking-block family (tail gate + 45s no-progress confirm window): a working
38
+ session scrolls the signature out before confirm.
39
+
40
+ ## 2. Under-block
41
+
42
+ (a) A genuinely-wedged session whose FIRST rejection is the only one on screen
43
+ is not detected until the next inbound message produces the second copy —
44
+ bounded by one message turn; accepted to protect one-off conversations.
45
+ (b) A wedge whose error text the provider rewords escapes both families —
46
+ inherent to signature-based detection; the turn-receipt structural close is
47
+ tracked separately (CMT-1115 follow-up design).
48
+
49
+ ## 3. Level-of-abstraction fit
50
+
51
+ The family lives inside the existing sentinel (same lifecycle, confirm window,
52
+ recovery, veto integration) rather than a 5th sentinel — the failure shape is
53
+ identical; only the signature differs. `kind` is data on existing events, not
54
+ a new event vocabulary. The route param reuses `RefreshOptions.fresh` which
55
+ SessionRefresh already owned; the route stays a thin validated entry point.
56
+
57
+ ## 4. Signal vs authority compliance
58
+
59
+ **Required reference:** `docs/signal-vs-authority.md`
60
+
61
+ - [x] No new authority. The detector is a signal; recovery policy (detect-only
62
+ / dry-run / live) is unchanged and opt-in. The `fresh` param is operator/agent
63
+ initiative through an already-rate-guarded lever; the route grants no new
64
+ capability that the sentinel wiring didn't already exercise.
65
+
66
+ ## 5. Interactions
67
+
68
+ - **SessionReaper veto:** `isRecoveryActive` covers AUP wedges identically
69
+ (state machine is shared) — the reaper can't kill a session mid-recovery.
70
+ - **Sentinel audit:** `kind` lands in `logs/sentinel-events.jsonl` detail
71
+ strings; existing consumers parse free-text detail, no schema break.
72
+ - **`fresh` + followUpPrompt:** unchanged interaction — fresh clears the resume
73
+ entry after the kill persists it; respawner then spawns clean (SessionRefresh
74
+ ordering, already tested).
75
+ - **Back-compat:** `signatureIsTail()` boolean wrapper preserved — all existing
76
+ callers/tests pass unmodified (81 green pre-existing + new).
77
+
78
+ ## 6. External surfaces / 7. Rollback
79
+
80
+ One new accepted body field on an existing authed route (400 on non-boolean);
81
+ response gains `fresh` echo. No schema/config/persistent state; migrator patch
82
+ is append-only + idempotent (marker: 'AUP-rejection wedge'). Rollback = revert;
83
+ the second family goes blind again and fresh-respawn returns to internal-only.