instar 1.3.342 → 1.3.344
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/commands/init.d.ts +4 -4
- package/dist/commands/init.d.ts.map +1 -1
- package/dist/commands/init.js.map +1 -1
- package/dist/commands/server.d.ts.map +1 -1
- package/dist/commands/server.js +47 -0
- package/dist/commands/server.js.map +1 -1
- package/dist/commands/setup.d.ts +1 -1
- package/dist/commands/setup.d.ts.map +1 -1
- package/dist/commands/setup.js.map +1 -1
- package/dist/core/Config.d.ts +12 -3
- package/dist/core/Config.d.ts.map +1 -1
- package/dist/core/Config.js +40 -6
- package/dist/core/Config.js.map +1 -1
- package/dist/core/FrameworkSessionStore.d.ts +1 -1
- package/dist/core/FrameworkSessionStore.d.ts.map +1 -1
- package/dist/core/PiCliIntelligenceProvider.d.ts +52 -0
- package/dist/core/PiCliIntelligenceProvider.d.ts.map +1 -0
- package/dist/core/PiCliIntelligenceProvider.js +71 -0
- package/dist/core/PiCliIntelligenceProvider.js.map +1 -0
- package/dist/core/PostUpdateMigrator.d.ts.map +1 -1
- package/dist/core/PostUpdateMigrator.js +14 -0
- package/dist/core/PostUpdateMigrator.js.map +1 -1
- package/dist/core/PreCompactionFlush.d.ts +1 -1
- package/dist/core/PreCompactionFlush.d.ts.map +1 -1
- package/dist/core/ResumeValidator.d.ts +1 -1
- package/dist/core/ResumeValidator.d.ts.map +1 -1
- package/dist/core/SessionManager.d.ts.map +1 -1
- package/dist/core/SessionManager.js +35 -1
- package/dist/core/SessionManager.js.map +1 -1
- package/dist/core/TopicFrameworksStore.d.ts.map +1 -1
- package/dist/core/TopicFrameworksStore.js +3 -0
- package/dist/core/TopicFrameworksStore.js.map +1 -1
- package/dist/core/frameworkInjectionProcesses.d.ts.map +1 -1
- package/dist/core/frameworkInjectionProcesses.js +4 -0
- package/dist/core/frameworkInjectionProcesses.js.map +1 -1
- package/dist/core/frameworkSessionLaunch.d.ts +8 -0
- package/dist/core/frameworkSessionLaunch.d.ts.map +1 -1
- package/dist/core/frameworkSessionLaunch.js +73 -0
- package/dist/core/frameworkSessionLaunch.js.map +1 -1
- package/dist/core/intelligenceProviderFactory.d.ts +15 -1
- package/dist/core/intelligenceProviderFactory.d.ts.map +1 -1
- package/dist/core/intelligenceProviderFactory.js +39 -1
- package/dist/core/intelligenceProviderFactory.js.map +1 -1
- package/dist/core/types.d.ts +18 -7
- package/dist/core/types.d.ts.map +1 -1
- package/dist/core/types.js.map +1 -1
- package/dist/messaging/shared/telegramRelayPrompt.d.ts +1 -1
- package/dist/messaging/shared/telegramRelayPrompt.d.ts.map +1 -1
- package/dist/monitoring/SessionReaper.d.ts +1 -1
- package/dist/monitoring/SessionReaper.d.ts.map +1 -1
- package/dist/monitoring/SessionReaper.js.map +1 -1
- package/dist/monitoring/frameworkActivitySignals.d.ts.map +1 -1
- package/dist/monitoring/frameworkActivitySignals.js +21 -0
- package/dist/monitoring/frameworkActivitySignals.js.map +1 -1
- package/dist/monitoring/frameworkProcessSignals.d.ts.map +1 -1
- package/dist/monitoring/frameworkProcessSignals.js +22 -0
- package/dist/monitoring/frameworkProcessSignals.js.map +1 -1
- package/dist/providers/adapters/pi-cli/capabilities.d.ts +31 -0
- package/dist/providers/adapters/pi-cli/capabilities.d.ts.map +1 -0
- package/dist/providers/adapters/pi-cli/capabilities.js +40 -0
- package/dist/providers/adapters/pi-cli/capabilities.js.map +1 -0
- package/dist/providers/adapters/pi-cli/config.d.ts +65 -0
- package/dist/providers/adapters/pi-cli/config.d.ts.map +1 -0
- package/dist/providers/adapters/pi-cli/config.js +43 -0
- package/dist/providers/adapters/pi-cli/config.js.map +1 -0
- package/dist/providers/adapters/pi-cli/control/piHardKill.d.ts +19 -0
- package/dist/providers/adapters/pi-cli/control/piHardKill.d.ts.map +1 -0
- package/dist/providers/adapters/pi-cli/control/piHardKill.js +67 -0
- package/dist/providers/adapters/pi-cli/control/piHardKill.js.map +1 -0
- package/dist/providers/adapters/pi-cli/errors.d.ts +43 -0
- package/dist/providers/adapters/pi-cli/errors.d.ts.map +1 -0
- package/dist/providers/adapters/pi-cli/errors.js +71 -0
- package/dist/providers/adapters/pi-cli/errors.js.map +1 -0
- package/dist/providers/adapters/pi-cli/index.d.ts +39 -0
- package/dist/providers/adapters/pi-cli/index.d.ts.map +1 -0
- package/dist/providers/adapters/pi-cli/index.js +69 -0
- package/dist/providers/adapters/pi-cli/index.js.map +1 -0
- package/dist/providers/adapters/pi-cli/observability/sessionId.d.ts +27 -0
- package/dist/providers/adapters/pi-cli/observability/sessionId.d.ts.map +1 -0
- package/dist/providers/adapters/pi-cli/observability/sessionId.js +53 -0
- package/dist/providers/adapters/pi-cli/observability/sessionId.js.map +1 -0
- package/dist/providers/adapters/pi-cli/policy.d.ts +44 -0
- package/dist/providers/adapters/pi-cli/policy.d.ts.map +1 -0
- package/dist/providers/adapters/pi-cli/policy.js +74 -0
- package/dist/providers/adapters/pi-cli/policy.js.map +1 -0
- package/dist/providers/adapters/pi-cli/transport/agenticSessionRpc.d.ts +34 -0
- package/dist/providers/adapters/pi-cli/transport/agenticSessionRpc.d.ts.map +1 -0
- package/dist/providers/adapters/pi-cli/transport/agenticSessionRpc.js +194 -0
- package/dist/providers/adapters/pi-cli/transport/agenticSessionRpc.js.map +1 -0
- package/dist/providers/adapters/pi-cli/transport/oneShotCompletion.d.ts +33 -0
- package/dist/providers/adapters/pi-cli/transport/oneShotCompletion.d.ts.map +1 -0
- package/dist/providers/adapters/pi-cli/transport/oneShotCompletion.js +166 -0
- package/dist/providers/adapters/pi-cli/transport/oneShotCompletion.js.map +1 -0
- package/dist/providers/adapters/pi-cli/transport/piSpawn.d.ts +87 -0
- package/dist/providers/adapters/pi-cli/transport/piSpawn.d.ts.map +1 -0
- package/dist/providers/adapters/pi-cli/transport/piSpawn.js +242 -0
- package/dist/providers/adapters/pi-cli/transport/piSpawn.js.map +1 -0
- package/dist/providers/adapters/pi-cli/transport/rpcClient.d.ts +103 -0
- package/dist/providers/adapters/pi-cli/transport/rpcClient.d.ts.map +1 -0
- package/dist/providers/adapters/pi-cli/transport/rpcClient.js +238 -0
- package/dist/providers/adapters/pi-cli/transport/rpcClient.js.map +1 -0
- package/dist/providers/bootRegistration.d.ts +38 -0
- package/dist/providers/bootRegistration.d.ts.map +1 -1
- package/dist/providers/bootRegistration.js +52 -0
- package/dist/providers/bootRegistration.js.map +1 -1
- package/dist/providers/parity/rules/skillParityRule.d.ts.map +1 -1
- package/dist/providers/parity/rules/skillParityRule.js +6 -0
- package/dist/providers/parity/rules/skillParityRule.js.map +1 -1
- package/dist/redteam/ScenarioPack.d.ts +161 -0
- package/dist/redteam/ScenarioPack.d.ts.map +1 -0
- package/dist/redteam/ScenarioPack.js +200 -0
- package/dist/redteam/ScenarioPack.js.map +1 -0
- package/dist/scaffold/templates.js +1 -1
- package/package.json +1 -1
- package/src/data/builtin-manifest.json +20 -20
- package/src/scaffold/templates.ts +1 -1
- package/upgrades/1.3.343.md +49 -0
- package/upgrades/1.3.344.md +46 -0
- package/upgrades/side-effects/pi-harness-integration.md +82 -0
- package/upgrades/side-effects/redteam-harness-phase1-core.md +53 -0
|
@@ -0,0 +1,46 @@
|
|
|
1
|
+
# Upgrade Guide — vNEXT
|
|
2
|
+
|
|
3
|
+
<!-- assembled-by: assemble-next-md -->
|
|
4
|
+
<!-- bump: minor -->
|
|
5
|
+
|
|
6
|
+
## What Changed
|
|
7
|
+
|
|
8
|
+
instar gained a fourth agentic framework: **pi-cli** (the pi coding agent,
|
|
9
|
+
`@earendil-works/pi-coding-agent` — the minimal harness powering OpenClaw).
|
|
10
|
+
Ships completely DARK: nothing registers and no behavior changes unless an
|
|
11
|
+
agent's config explicitly lists `'pi-cli'` in `enabledFrameworks` AND the
|
|
12
|
+
`pi` binary is installed. Opting in gets: (1) pi topic sessions in tmux with
|
|
13
|
+
IDENTICAL dashboard streaming/typing (TUI-in-tmux v1; launch builders +
|
|
14
|
+
stuck-input detection pinned against real captured panes); (2) a
|
|
15
|
+
provider-substrate adapter with pi's NATIVE structured RPC channel (prompt /
|
|
16
|
+
mid-stream steer / abort, strict-LF JSONL, canonical event normalization)
|
|
17
|
+
plus one-shot completions reporting tokens AND cost; (3)
|
|
18
|
+
`sessions.componentFrameworks` can route internal components (sentinels,
|
|
19
|
+
gates) to `'pi-cli'` — e.g. background chatter onto a Codex/Copilot
|
|
20
|
+
subscription via pi; (4) a STRUCTURAL subscription guard: Anthropic/Claude-
|
|
21
|
+
routed pi model patterns are DENIED by default at every call-construction
|
|
22
|
+
path (Claude-via-pi bills as per-token extra usage, not plan limits — so it
|
|
23
|
+
can never be selected silently; file-config-only override, audit-logged).
|
|
24
|
+
Verified hands-on against the real binary (pi 0.78.1) with a hermetic mock
|
|
25
|
+
provider — zero credentials, all three test tiers.
|
|
26
|
+
|
|
27
|
+
## What to Tell Your User
|
|
28
|
+
|
|
29
|
+
Nothing proactively — this ships dark and changes nothing by default. If your
|
|
30
|
+
user asks about pi/OpenClaw support, or about spreading background LLM load
|
|
31
|
+
onto other subscriptions: instar can now drive the pi coding agent as an
|
|
32
|
+
additional framework (experimental, opt-in), with a built-in guard that
|
|
33
|
+
prevents accidental Anthropic extra-usage billing.
|
|
34
|
+
|
|
35
|
+
## Summary of New Capabilities
|
|
36
|
+
|
|
37
|
+
- **pi-cli framework** (⚗️ experimental, opt-in via `enabledFrameworks`) — drive
|
|
38
|
+
the pi coding agent as a fourth framework alongside claude-code / codex-cli /
|
|
39
|
+
gemini-cli. Sessions run in tmux (dashboard streaming unchanged).
|
|
40
|
+
- **pi provider adapter** — `GET /providers/registry` lists `pi-cli` (one-shot
|
|
41
|
+
completion + native RPC session + session-id + hard-kill) when enabled.
|
|
42
|
+
- **pi component routing** — `sessions.componentFrameworks` accepts `pi-cli`,
|
|
43
|
+
so sentinels/gates can run on pi (onto a non-Claude subscription).
|
|
44
|
+
- **Subscription guard** — `piCli.allowAnthropicProviders` (default false):
|
|
45
|
+
routing pi at an Anthropic/Claude model is denied unless explicitly opted in,
|
|
46
|
+
and the opt-in is audit-logged with a cost warning.
|
|
@@ -0,0 +1,82 @@
|
|
|
1
|
+
# Side-Effects Review — pi-harness-integration (Phases A-D)
|
|
2
|
+
|
|
3
|
+
## Blast radius
|
|
4
|
+
|
|
5
|
+
Additive at every layer; ships DARK behind `enabledFrameworks` containing
|
|
6
|
+
`'pi-cli'` (default absent) AND a detectable `pi` binary. With the default
|
|
7
|
+
config, NOTHING registers and NO dispatch path changes outcome.
|
|
8
|
+
|
|
9
|
+
Shared-file behavior changes (the only non-additive surfaces):
|
|
10
|
+
|
|
11
|
+
1. **SessionManager.isMarkerStuckAtPrompt** — adds a new detection branch
|
|
12
|
+
(marker sandwiched between two `─` rule lines, pi's input box). Requires
|
|
13
|
+
BOTH the injected marker AND a rule within 2 lines above AND below —
|
|
14
|
+
normal transcript output and the other frameworks' panes cannot satisfy
|
|
15
|
+
it (their input areas use prompt chars, not rule sandwiches). Existing
|
|
16
|
+
prompt-char branches untouched; pinned by tests against real captured
|
|
17
|
+
pane bytes for all four frameworks.
|
|
18
|
+
2. **SessionManager binary resolution** — pi-cli now resolves to bare `'pi'`
|
|
19
|
+
instead of falling back to `claudePath` (which holds a CLAUDE binary).
|
|
20
|
+
Without this, a pi topic on a claude install would silently launch
|
|
21
|
+
Claude — the exact additive-only violation this project forbids. Other
|
|
22
|
+
frameworks' resolution is byte-identical.
|
|
23
|
+
3. **framework-arg-rendering-matrix test** — now DERIVED from
|
|
24
|
+
SUPPORTED_FRAMEWORKS instead of a hand-list (which had silently dropped
|
|
25
|
+
gemini-cli). Test-only.
|
|
26
|
+
|
|
27
|
+
## Framework generality
|
|
28
|
+
|
|
29
|
+
This change EXTENDS the framework abstraction rather than special-casing:
|
|
30
|
+
'pi-cli' rides the same Record<IntelligenceFramework, …> dispatch maps as
|
|
31
|
+
claude-code / codex-cli / gemini-cli (launch builders, injection processes,
|
|
32
|
+
activity + process signals, parity renderer), and the never-exhaustiveness
|
|
33
|
+
checks force every future dispatch site to handle all four. The
|
|
34
|
+
framework-agnosticism test suite passes with pi included; the arg-rendering
|
|
35
|
+
matrix now derives from the registry so a fifth framework cannot silently
|
|
36
|
+
miss coverage. Warm-session injection works for pi via the
|
|
37
|
+
FRAMEWORK_INJECTION_PROCESS_NAMES entry ('pi'), same as every framework.
|
|
38
|
+
|
|
39
|
+
## Security / spend surfaces
|
|
40
|
+
|
|
41
|
+
- **Subscription guard (structural)**: Anthropic/Claude-routed pi model
|
|
42
|
+
patterns are DENIED at every call-construction path (one-shot transport,
|
|
43
|
+
RPC session start, intelligence provider construction), including
|
|
44
|
+
aggregator pass-throughs (`openrouter/anthropic/...`) and the
|
|
45
|
+
pattern-less case (pi's ambient default could be an Anthropic login).
|
|
46
|
+
Override is file-config only (`piCli.allowAnthropicProviders`), never env
|
|
47
|
+
or per-call; allowed calls are audit-logged with a cost warning.
|
|
48
|
+
- **Child env hardening**: pi child processes get an explicit allowlist env
|
|
49
|
+
with UNCONDITIONAL deletion of all billing-capable vars (ANTHROPIC/
|
|
50
|
+
OPENAI/GEMINI/GOOGLE/XAI/GROQ/OPENROUTER keys + CLAUDE_CODE_OAUTH_TOKEN),
|
|
51
|
+
mirroring the gemini Rule-1a analog. pi authenticates via its own
|
|
52
|
+
~/.pi/agent/auth.json (subscription OAuth) or models.json custom keys.
|
|
53
|
+
- **No permission system in pi**: instar's gate layer wraps pi sessions
|
|
54
|
+
exactly like other frameworks; containerization noted as future hardening
|
|
55
|
+
in the spec (§ kickoff Risks).
|
|
56
|
+
|
|
57
|
+
## Rollback
|
|
58
|
+
|
|
59
|
+
Revert the commit. No migrations mutate state destructively (the CLAUDE.md
|
|
60
|
+
migration is content-sniffed append-only; no config defaults are written).
|
|
61
|
+
Agents that opted in simply lose the pi framework value on downgrade —
|
|
62
|
+
their claude-code/codex-cli/gemini-cli behavior is untouched.
|
|
63
|
+
|
|
64
|
+
## Deliberate non-goals (tracked in spec §9, not silent drops)
|
|
65
|
+
|
|
66
|
+
Replacing any Claude Code path; pi-ai adoption for non-pi internal calls;
|
|
67
|
+
OAuth flow automation; cross-provider mid-session handoff; event-stream
|
|
68
|
+
dashboard renderer (optional Phase E, decided after the core lands).
|
|
69
|
+
|
|
70
|
+
## CI-fix follow-up (post-first-commit)
|
|
71
|
+
|
|
72
|
+
Greening CI surfaced expected churn, no behavior change:
|
|
73
|
+
- Three existing tests hardcoded the 3-framework SUPPORTED list → added
|
|
74
|
+
'pi-cli' to the expectations.
|
|
75
|
+
- The `no-silent-fallbacks` ratchet counted the intelligenceProviderFactory
|
|
76
|
+
pi-cli degrade-to-null catch → marked `@silent-fallback-ok` (it warns
|
|
77
|
+
loudly and the router emits its own DegradationReporter; a second report
|
|
78
|
+
here would double-count the same degrade).
|
|
79
|
+
- The release-fragment lint required `## Summary of New Capabilities` → added
|
|
80
|
+
it and switched to the canonical `<!-- bump -->` comment.
|
|
81
|
+
None of these touch runtime behavior; they align the new framework with the
|
|
82
|
+
existing structural gates.
|
|
@@ -0,0 +1,53 @@
|
|
|
1
|
+
# Side-effects review — MTP Red-Team Harness Phase-1 core (EXO 3.0 G7)
|
|
2
|
+
|
|
3
|
+
## What this change is
|
|
4
|
+
A new, self-contained module `src/redteam/ScenarioPack.ts` (pure logic) + two
|
|
5
|
+
default scenario packs under `src/redteam/packs/` + a unit test. It adds NO
|
|
6
|
+
route, NO CLI command, NO session/lifecycle hook, NO config key, and is imported
|
|
7
|
+
by nothing in the running server yet. It is foundation code for a Phase-2
|
|
8
|
+
productization (CLI/route).
|
|
9
|
+
|
|
10
|
+
## Blast radius
|
|
11
|
+
- **Runtime impact: none.** Nothing imports `ScenarioPack.ts` at server boot or
|
|
12
|
+
in any job/sentinel/route. Adding the file cannot change any live behavior. A
|
|
13
|
+
grep for `redteam` / `ScenarioPack` across `src/server`, `src/commands`,
|
|
14
|
+
`src/core` composition shows no consumer.
|
|
15
|
+
- **Only dependency is inward**: it imports `IntentTestHarness` and the
|
|
16
|
+
`ParsedOrgIntent` type — both read-only, already-shipped. It calls
|
|
17
|
+
`IntentTestHarness.testRefusal()` (a pure function over parsed intent); it
|
|
18
|
+
never mutates intent, never writes files, never performs I/O.
|
|
19
|
+
- **The packs are data.** The two `pack.json` files + committed `L0.md`/`L1.md`
|
|
20
|
+
payloads are inert until a future runner reads them. No code loads them yet.
|
|
21
|
+
|
|
22
|
+
## Security / safety review
|
|
23
|
+
- **Payload-by-reference is enforced in the type system**: the module handles
|
|
24
|
+
payloads as `{ path, sha256 }` only and has no code path that reads a payload
|
|
25
|
+
body. The committed payloads (`L0.md` declared-audit, `L1.md` naive benign
|
|
26
|
+
ask) were authored in an isolated subagent session, never in the orchestrator
|
|
27
|
+
transcript — honoring the CMT-1115 lesson (inline red-team payloads
|
|
28
|
+
permanently wedged a session via an AUP-rejection loop).
|
|
29
|
+
- **Engineered payloads are NOT committed**: `L2.md` (pressure) and `L3.md`
|
|
30
|
+
(engineered) are gitignored; their `pack.json` sha reads
|
|
31
|
+
`PENDING-LOCAL-AUTHOR`. So the reviewable PR diff contains no engineered
|
|
32
|
+
attack text — a reviewing agent reading this diff cannot be wedged by it.
|
|
33
|
+
- **No new external surface**: no network calls, no new auth, no new file
|
|
34
|
+
writes. The classifier's regexes are local string checks.
|
|
35
|
+
|
|
36
|
+
## Framework generality
|
|
37
|
+
This change does not route through the session-launch / inject abstraction or
|
|
38
|
+
message delivery — it is framework-agnostic pure logic operating on parsed
|
|
39
|
+
ORG-INTENT, which is identical across claude-code / codex-cli / gemini-cli. The
|
|
40
|
+
harness it seeds is explicitly designed to be org-agnostic AND framework-neutral
|
|
41
|
+
(it tests an agent's behavior through whatever channel, independent of the
|
|
42
|
+
underlying framework). No Claude-specific assumption is introduced.
|
|
43
|
+
|
|
44
|
+
## Test coverage
|
|
45
|
+
25 unit tests (`tests/unit/redteam-scenario-pack.test.ts`) cover both sides of
|
|
46
|
+
every decision boundary: coherent vs incoherent transport, governed vs
|
|
47
|
+
ungoverned, each outcome class, pass vs fail, and the boundary-map edges
|
|
48
|
+
(holds-through-L2-cracks-at-L3, cracks-at-L0, holds-everywhere, derivation
|
|
49
|
+
ratio, ungoverned surface). `tsc --noEmit` is clean.
|
|
50
|
+
|
|
51
|
+
## Rollback
|
|
52
|
+
Deleting `src/redteam/` + the test + reverting the `.gitignore` lines fully
|
|
53
|
+
removes the change with zero runtime consequence (nothing depends on it).
|