instar 1.3.346 → 1.3.348

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (36) hide show
  1. package/dist/commands/server.d.ts.map +1 -1
  2. package/dist/commands/server.js +121 -5
  3. package/dist/commands/server.js.map +1 -1
  4. package/dist/core/CoherenceJournal.d.ts +13 -0
  5. package/dist/core/CoherenceJournal.d.ts.map +1 -1
  6. package/dist/core/CoherenceJournal.js +16 -0
  7. package/dist/core/CoherenceJournal.js.map +1 -1
  8. package/dist/core/MeshRpc.d.ts +17 -0
  9. package/dist/core/MeshRpc.d.ts.map +1 -1
  10. package/dist/core/MeshRpc.js +5 -1
  11. package/dist/core/MeshRpc.js.map +1 -1
  12. package/dist/core/PeerPresencePuller.d.ts +45 -0
  13. package/dist/core/PeerPresencePuller.d.ts.map +1 -1
  14. package/dist/core/PeerPresencePuller.js +59 -0
  15. package/dist/core/PeerPresencePuller.js.map +1 -1
  16. package/dist/monitoring/RateLimitSentinel.d.ts +5 -2
  17. package/dist/monitoring/RateLimitSentinel.d.ts.map +1 -1
  18. package/dist/monitoring/RateLimitSentinel.js.map +1 -1
  19. package/dist/monitoring/sentinelWiring.d.ts +13 -4
  20. package/dist/monitoring/sentinelWiring.d.ts.map +1 -1
  21. package/dist/monitoring/sentinelWiring.js +10 -8
  22. package/dist/monitoring/sentinelWiring.js.map +1 -1
  23. package/dist/redteam/ScenarioPack.d.ts +22 -5
  24. package/dist/redteam/ScenarioPack.d.ts.map +1 -1
  25. package/dist/redteam/ScenarioPack.js +19 -7
  26. package/dist/redteam/ScenarioPack.js.map +1 -1
  27. package/package.json +1 -1
  28. package/src/data/builtin-manifest.json +2 -2
  29. package/upgrades/1.3.347.md +76 -0
  30. package/upgrades/1.3.348.md +57 -0
  31. package/upgrades/coherence-journal-meshwire.eli16.md +9 -0
  32. package/upgrades/rate-limit-resume-nudge-internal-channel.eli16.md +35 -0
  33. package/upgrades/side-effects/coherence-journal-meshwire.md +49 -0
  34. package/upgrades/side-effects/rate-limit-resume-nudge-internal-channel.md +102 -0
  35. package/upgrades/side-effects/resolver-verdict-honesty.md +45 -0
  36. package/upgrades/1.3.346.md +0 -57
@@ -0,0 +1,45 @@
1
+ # Side-effects review — red-team resolver verdict honesty
2
+
3
+ ## What this change is
4
+ A two-part honesty fix to `src/redteam/ScenarioPack.ts` `resolveExpectation`:
5
+ (1) adds a `method: 'keyword-heuristic'` field to `ResolvedExpectation`;
6
+ (2) rewrites the governed/ungoverned `reason` strings so they name their
7
+ keyword-overlap basis and frame an `ungoverned` result as a candidate-to-verify
8
+ rather than an asserted intent gap. The matching LOGIC is unchanged — only the
9
+ verdict's self-description.
10
+
11
+ ## Why
12
+ The keyword-overlap matcher produces false negatives (it misses
13
+ semantically-related constraints) and is rephrase-bypassable (CMT-1110). On the
14
+ first live boundary map it reported a false "ungoverned" finding as fact, which
15
+ briefly misled the author. The just-ratified Truthful Provenance standard
16
+ (#896) requires a verdict to carry the method that produced it; an asserted
17
+ heuristic verdict violated that.
18
+
19
+ ## Blast radius
20
+ - **Behavior of governance classification: unchanged.** `governance` is still
21
+ `'governed'`/`'ungoverned'` by the same threshold; only `reason` text changed
22
+ and a `method` field was added. No scenario's pass/fail flips.
23
+ - **Consumers:** the only consumer of `reason`/`method` is the local
24
+ orchestrator (`.instar/scripts/redteam-run.mjs`), which prints them — it now
25
+ prints the honest text. No code branches on the reason string. The new
26
+ `method` field is additive (optional consumers ignore it).
27
+ - **No route, config, lifecycle, or migration surface touched.** Pure-logic
28
+ module with no runtime consumers in the server.
29
+ - **Type change:** `ResolvedExpectation` gains a required `method` field; both
30
+ return sites set it, and tsc is clean, so no caller breaks.
31
+
32
+ ## Framework generality
33
+ Pure logic over parsed ORG-INTENT — no session-launch/inject/message-delivery
34
+ surface, framework-agnostic. No Claude-specific assumption.
35
+
36
+ ## Test coverage
37
+ 26 unit tests (was 25): a new test asserts every verdict carries
38
+ `method: 'keyword-heuristic'`, and the ungoverned test now asserts the reason
39
+ names the keyword basis + frames itself as a candidate (and that the old
40
+ as-fact phrasing is gone). Both sides of the governed/ungoverned boundary
41
+ covered. `tsc --noEmit` clean.
42
+
43
+ ## Rollback
44
+ Revert the single file + test; zero runtime consequence (nothing branches on
45
+ the verdict text).
@@ -1,57 +0,0 @@
1
- # Upgrade Guide — vNEXT
2
-
3
- <!-- assembled-by: assemble-next-md -->
4
- <!-- bump: patch -->
5
-
6
- ## What Changed
7
-
8
- Honest turn-receipts — the standby (🔭) system now tells the truth about WHY a
9
- turn failed instead of saying "actively working" while a session is dead.
10
-
11
- Three incidents in two days had one symptom: a delivered message that never got
12
- a reply, while the standby showed "🔭 actively working." Root: the tier-3
13
- assessment classified a session "working" whenever it had a live child process
14
- — but a rate-limited, policy-wedged, or context-exhausted session HAS a live
15
- process (the model CLI is alive, just failing every turn). The live process
16
- forced the lie. Separately, the "conversation too long" standby fired on that
17
- phrase anywhere in the buffer, so a stale scrolled-past mention surfaced as
18
- noise on healthy sessions.
19
-
20
- New `StuckSignatureClassifier` (pure, tail-gated, signal-only) classifies a
21
- live-but-failing session from its LIVE tmux tail — rate-limited / policy-wedge /
22
- context-wedge / context-too-long — and PresenceProxy surfaces the real reason
23
- instead of "working". Tail-gating (the signature must be the live tail, not a
24
- scrollback mention) is the same discriminator that kills the "conversation too
25
- long" noise. The classifier defers to any recovery sentinel that already owns a
26
- session's recovery, so the user always hears one voice. Recovery itself is
27
- unchanged — this only makes the messaging honest.
28
-
29
- ## What to Tell Your User
30
-
31
- When a message of yours goes unanswered, I'll now tell you the real reason if I
32
- can't reply — "I've hit the usage limit, resets 10:30pm", "my session got stuck
33
- on a content-policy error, resend your last message" — instead of a misleading
34
- "actively working." And the "conversation too long" messages that used to pop up
35
- when nothing was wrong are gone: that only fires now when it's actually
36
- happening.
37
-
38
- ## Summary of New Capabilities
39
-
40
- - `StuckSignatureClassifier` — tail-gated classification of a live-but-failing
41
- session (rate-limited / policy-wedge / context-wedge / context-too-long) with
42
- an honest user-facing message per kind. Pure + signal-only.
43
- - PresenceProxy tier-3 surfaces the honest reason instead of "working", defers
44
- to an owning recovery sentinel (`isStuckRecoveryActive`), and no longer fires
45
- the context-too-long notice on a stale scrollback mention.
46
- - CLAUDE.md "Honest standby (turn-receipts)" section so agents can explain the
47
- new behavior and the noise fix.
48
-
49
- ## Evidence
50
-
51
- Grounded in the real 2026-06-04/05 incidents (rate-limit, AUP-wedge) using the
52
- verbatim pane text. 30+ new unit tests both sides of every boundary
53
- (honest-when-stuck AND quiet-when-fine, incl. the stale-scrollback noise case
54
- and prose-mentions-a-limit false positive) + a behavioral test driving the real
55
- fireTier3 with a live child process (wedge → honest, NOT "working"; deference →
56
- silent) + migrator add/idempotent + server.ts wiring guard. All 119 existing
57
- presence tests pass; tsc clean; preflight PASS.