instar 1.3.352 → 1.3.354
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/core/PostUpdateMigrator.d.ts.map +1 -1
- package/dist/core/PostUpdateMigrator.js +14 -1
- package/dist/core/PostUpdateMigrator.js.map +1 -1
- package/dist/monitoring/ApprenticeshipCycleStore.d.ts +21 -0
- package/dist/monitoring/ApprenticeshipCycleStore.d.ts.map +1 -1
- package/dist/monitoring/ApprenticeshipCycleStore.js +38 -3
- package/dist/monitoring/ApprenticeshipCycleStore.js.map +1 -1
- package/dist/scaffold/templates.js +1 -1
- package/dist/server/AgentServer.d.ts +4 -0
- package/dist/server/AgentServer.d.ts.map +1 -1
- package/dist/server/AgentServer.js +23 -0
- package/dist/server/AgentServer.js.map +1 -1
- package/dist/server/CapabilityIndex.d.ts.map +1 -1
- package/dist/server/CapabilityIndex.js +14 -0
- package/dist/server/CapabilityIndex.js.map +1 -1
- package/dist/server/routes.d.ts +4 -0
- package/dist/server/routes.d.ts.map +1 -1
- package/dist/server/routes.js +80 -2
- package/dist/server/routes.js.map +1 -1
- package/package.json +1 -1
- package/src/data/builtin-manifest.json +64 -64
- package/src/scaffold/templates.ts +1 -1
- package/upgrades/1.3.354.md +75 -0
- package/upgrades/side-effects/apprenticeship-keystone-dormancy.md +62 -0
- package/upgrades/side-effects/topic-operator-binding-inc2b.md +72 -0
- package/upgrades/topic-operator-binding-inc2b.eli16.md +47 -0
|
@@ -0,0 +1,62 @@
|
|
|
1
|
+
# Side-effects review — keystoneBalance dormancy dimension
|
|
2
|
+
|
|
3
|
+
**Change:** add an orthogonal `dormant` flag (+ `lastKeystoneAgeMs`,
|
|
4
|
+
`dormancyThresholdMs`) to the observe-only `keystoneBalance` block, plus a
|
|
5
|
+
`?keystoneDormancyMs` route knob, template awareness, and a migration.
|
|
6
|
+
|
|
7
|
+
**Signal vs authority (Phase 1):** This change involves **no decision point**. It
|
|
8
|
+
adds read-only computed fields to an existing observe-only signal. It never gates,
|
|
9
|
+
blocks, filters, or constrains any agent behavior. It is a pure signal-producer —
|
|
10
|
+
the consumer (a human, or a future cadence job) decides what to do with `dormant`.
|
|
11
|
+
`docs/signal-vs-authority.md` compliance: trivially satisfied (no authority held).
|
|
12
|
+
|
|
13
|
+
1. **Over-block:** N/A — nothing is blocked. The only "false positive" risk is
|
|
14
|
+
reporting `dormant: true` for a layer that is intentionally idle. That is the
|
|
15
|
+
correct report (the layer IS dormant); acting on it remains a human/cadence
|
|
16
|
+
judgment. A future-dated keystone clamps age to 0, so clock skew cannot
|
|
17
|
+
manufacture false dormancy.
|
|
18
|
+
|
|
19
|
+
2. **Under-block:** N/A — nothing is blocked. The signal still cannot see a layer
|
|
20
|
+
that was *never* registered as an instance (the separate fragmentation finding,
|
|
21
|
+
filed to the framework ledger as `apprenticeship-cycle-instance-no-referential-integrity`,
|
|
22
|
+
tracked for a follow-up decision). Dormancy is scoped to a single instance's
|
|
23
|
+
keystone axis by design.
|
|
24
|
+
|
|
25
|
+
3. **Level-of-abstraction fit:** Correct layer. Dormancy is computed inside
|
|
26
|
+
`ApprenticeshipCycleStore.computeKeystoneBalance` alongside `starved`, from the
|
|
27
|
+
same already-tallied timestamps + the store's injectable `now()`. No new store,
|
|
28
|
+
no cross-store wiring, no new dependency. It belongs exactly where `starved`
|
|
29
|
+
already lives.
|
|
30
|
+
|
|
31
|
+
4. **Signal vs authority compliance:** Compliant. Pure signal; zero blocking
|
|
32
|
+
authority. Both knobs (`?oversightStarvationThreshold`, `?keystoneDormancyMs`)
|
|
33
|
+
are observe-only tuning, not gates.
|
|
34
|
+
|
|
35
|
+
5. **Interactions:** `dormant` is orthogonal to `starved` (both can be true; unit
|
|
36
|
+
test pins this). It does not shadow or get shadowed by `starved`, `driftWarning`,
|
|
37
|
+
or the §4a direct-shortcut exclusion. The migration interacts with the prior
|
|
38
|
+
layer-balance migration: the full-line insert fires only when `keystoneBalance`
|
|
39
|
+
is absent (now appends the dormant-aware shape); the new in-place upgrade fires
|
|
40
|
+
only when the pre-dormancy shape is present. The two are mutually exclusive and
|
|
41
|
+
each idempotent (tested).
|
|
42
|
+
|
|
43
|
+
6. **External surfaces:** The `role-coverage` JSON response gains three fields and
|
|
44
|
+
the route accepts one new query param — purely additive, no removed/renamed
|
|
45
|
+
fields. The CLAUDE.md template + migration change what installed agents read
|
|
46
|
+
(one awareness line). No timing/runtime dependence beyond the store's `now()`,
|
|
47
|
+
which is injectable and tested with a fixed clock.
|
|
48
|
+
|
|
49
|
+
7. **Rollback cost:** Trivial. Observe-only and additive — reverting the commit
|
|
50
|
+
removes the fields with no data migration, no agent-state repair, no hot-fix
|
|
51
|
+
urgency (nothing depends on `dormant` to function). The CLAUDE.md awareness line
|
|
52
|
+
is cosmetic and harmless if left.
|
|
53
|
+
|
|
54
|
+
**Tier:** 1 (observe-only computed fields on an existing endpoint; all three test
|
|
55
|
+
tiers green plus migration-parity tests). Below the risk-floor signal (2, raised
|
|
56
|
+
by the PostUpdateMigrator touch) — acknowledged: the migrator change is the
|
|
57
|
+
established idempotent doc-awareness pattern from #893, not a data migration.
|
|
58
|
+
|
|
59
|
+
**No deferrals:** the feature ships complete — code, three test tiers, template
|
|
60
|
+
awareness, and migration parity (new + already-migrated agents) all in this commit.
|
|
61
|
+
The separate cycle-instance fragmentation finding is a distinct issue (filed to the
|
|
62
|
+
ledger), not a deferred part of this change.
|
|
@@ -0,0 +1,72 @@
|
|
|
1
|
+
# Side-effects review — Topic Operator binding (Know Your Principal #898, increment 2b)
|
|
2
|
+
|
|
3
|
+
## What this change does
|
|
4
|
+
Wires the already-merged `TopicOperatorStore` (#904) into the live `AgentServer`
|
|
5
|
+
composition and exposes it over HTTP, plus the session-start injection block.
|
|
6
|
+
|
|
7
|
+
- `AgentServer.ts`: a new `topicOperatorStore` field constructed under the
|
|
8
|
+
`stateDir` guard inside its own try/catch (mirrors the `approvalLedger`
|
|
9
|
+
precedent), then passed into `routeCtx`.
|
|
10
|
+
- `routes.ts`: a `topicOperatorStore` field on `RouteContext` and four routes —
|
|
11
|
+
`GET /topic-operator`, `GET /topic-operator/:topicId`,
|
|
12
|
+
`GET /topic-operator/session-context?topicId=N`, `POST /topic-operator`.
|
|
13
|
+
- `CapabilityIndex.ts`: a `topicOperator` capability entry (prefix
|
|
14
|
+
`/topic-operator`) so the routes are discoverable.
|
|
15
|
+
|
|
16
|
+
## Blast radius
|
|
17
|
+
- **Additive only.** No existing route, field, or store is modified. The store
|
|
18
|
+
is constructed when `stateDir` is available and is otherwise `null`; every
|
|
19
|
+
route degrades to `503` (feature-not-available) when it is `null`, never a
|
|
20
|
+
null-deref crash. The E2E test asserts the routes answer `200` on the real
|
|
21
|
+
production boot path (the store is genuinely composed in, not null).
|
|
22
|
+
- **No auth change.** All four routes sit behind the existing Bearer
|
|
23
|
+
middleware, identical to `/topic-bindings` and `/approvals`.
|
|
24
|
+
- **Fail-safe by construction.** An init failure is caught and reported via
|
|
25
|
+
`console.warn`; it can never block server boot. A corrupt store file is
|
|
26
|
+
treated as empty (a missing operator means the cross-principal guard treats
|
|
27
|
+
everything as unverifiable — deny-safe, not allow-safe).
|
|
28
|
+
|
|
29
|
+
## The load-bearing security property (unchanged from #904)
|
|
30
|
+
The operator is established ONLY from the authenticated sender `uid`. The POST
|
|
31
|
+
route refuses a blank uid with `400`; a `displayName` (a content name) is never
|
|
32
|
+
authoritative — it is only lowercased for prose-matching. There is no code path
|
|
33
|
+
by which a name read from content becomes the operator. This is the structural
|
|
34
|
+
fix for the "Caroline" identity-bleed failure mode, and the integration + E2E
|
|
35
|
+
tests both assert the blank-uid refusal over the wire.
|
|
36
|
+
|
|
37
|
+
## Migration parity
|
|
38
|
+
No migration is required. These are server-side routes and an in-process store
|
|
39
|
+
field — they reach existing agents automatically on the next server update (the
|
|
40
|
+
Migration Parity Standard governs agent-installed FILES: settings hooks, config
|
|
41
|
+
defaults, CLAUDE.md template, hook scripts, skills — none of which this touches).
|
|
42
|
+
The store auto-creates `state/topic-operators.json` on first write; no config
|
|
43
|
+
key is added, so there is nothing for `migrateConfig` to backfill.
|
|
44
|
+
|
|
45
|
+
The session-start HOOK wiring (so the `<topic-operator>` block is actually
|
|
46
|
+
fetched and injected at boot) is deliberately NOT in this increment — that is a
|
|
47
|
+
hook-template change requiring `migrateHooks`, and is scoped to increment 2c so
|
|
48
|
+
this PR stays a focused, reviewable composition+routes change. Until 2c lands the
|
|
49
|
+
block is reachable at the route but nothing injects it yet; that is intentional.
|
|
50
|
+
|
|
51
|
+
## Framework generality
|
|
52
|
+
This is framework-agnostic. `platform` is a generic string (`telegram` |
|
|
53
|
+
`whatsapp` | `slack` | …), so the binding works for any messaging adapter, not
|
|
54
|
+
just Telegram. The `session-context` route returns a plain text block that any
|
|
55
|
+
framework's session-start hook can fetch and inject — it is not coupled to
|
|
56
|
+
Claude Code, Codex, or Gemini. The store has no platform-specific logic; it
|
|
57
|
+
delegates identity establishment to `PrincipalGuard.establishOperator`, which is
|
|
58
|
+
itself pure and framework-neutral.
|
|
59
|
+
|
|
60
|
+
## Tests
|
|
61
|
+
- Tier 1 (unit): `tests/unit/topic-operator-store.test.ts` (10) — shipped in #904.
|
|
62
|
+
- Tier 2 (integration): `tests/integration/topic-operator-routes.test.ts` (10) —
|
|
63
|
+
full HTTP pipeline over a real file-backed store, incl. the blank-uid refusal
|
|
64
|
+
and the store-not-wired 503 degradation.
|
|
65
|
+
- Tier 3 (E2E): `tests/e2e/topic-operator-lifecycle.test.ts` (6) — feature-alive
|
|
66
|
+
on the real `AgentServer` boot path (200 not 503), full bind→read→inject
|
|
67
|
+
lifecycle, durable-write proof, and the over-the-wire blank-uid refusal.
|
|
68
|
+
|
|
69
|
+
## Rollback
|
|
70
|
+
Revert the three source edits + delete the two test files. The store on disk
|
|
71
|
+
(`state/topic-operators.json`) is inert without the routes and can be left or
|
|
72
|
+
removed with no consequence.
|
|
@@ -0,0 +1,47 @@
|
|
|
1
|
+
# ELI16 — Who's the boss of this chat?
|
|
2
|
+
|
|
3
|
+
## The problem in one sentence
|
|
4
|
+
An AI agent needs to know, for sure, *which real person* it's working for in a
|
|
5
|
+
given conversation — and it should never get tricked into thinking some other
|
|
6
|
+
name it read somewhere is the boss.
|
|
7
|
+
|
|
8
|
+
## The story behind it
|
|
9
|
+
Not long ago, an agent running on a shared computer slowly started treating a
|
|
10
|
+
*different real person* — call her Caroline — as the person giving it orders. It
|
|
11
|
+
even wrote her name into its work as if her approvals counted. Nobody caught it,
|
|
12
|
+
because the mix-up happened entirely inside the agent's own writing. There was no
|
|
13
|
+
"front door" guard checking that, because the bad name never came in through a
|
|
14
|
+
message — it leaked in from the machine's settings and the agent's own notes.
|
|
15
|
+
|
|
16
|
+
We already built two pieces to stop this: a detector brain (`PrincipalGuard`)
|
|
17
|
+
that spots when the agent credits a decision to the wrong person, and a small
|
|
18
|
+
filing cabinet (`TopicOperatorStore`) that remembers, per conversation, exactly
|
|
19
|
+
who the verified boss is. The rule the filing cabinet enforces is strict: the
|
|
20
|
+
boss is decided ONLY by the verified ID of whoever actually sent the message —
|
|
21
|
+
never by a name typed in some document.
|
|
22
|
+
|
|
23
|
+
## What this change adds
|
|
24
|
+
This step plugs that filing cabinet into the running server so the rest of the
|
|
25
|
+
system can actually use it. It adds four simple web endpoints:
|
|
26
|
+
|
|
27
|
+
- "Who's the boss of this chat?" — read one conversation's verified operator.
|
|
28
|
+
- "Show me all the bosses" — list every conversation's verified operator.
|
|
29
|
+
- "Set the boss" — record the boss, but ONLY from a verified sender ID. If you
|
|
30
|
+
try to set it with a blank ID (hoping a typed-in name will stick), it says no.
|
|
31
|
+
- "Give me the boot-up note" — hand back a short block the agent can read at the
|
|
32
|
+
start of a session so it knows, from message one, who it's really serving.
|
|
33
|
+
|
|
34
|
+
## Why it's safe
|
|
35
|
+
It only *adds* things. Nothing old changes. If the server can't build the filing
|
|
36
|
+
cabinet for some reason, the endpoints politely say "not available" instead of
|
|
37
|
+
crashing. And the one rule that matters most — a name you merely *read* can never
|
|
38
|
+
become the boss, only a verified sender can — is checked right at the web layer,
|
|
39
|
+
and we have tests that prove it by trying to sneak the name "Caroline" in through
|
|
40
|
+
a blank ID and watching it get rejected.
|
|
41
|
+
|
|
42
|
+
## What's deliberately left for next time
|
|
43
|
+
The actual "read the boot-up note at session start" wiring (so the agent
|
|
44
|
+
automatically sees who its boss is every time it wakes up) is a separate, slightly
|
|
45
|
+
riskier change to the start-up script, so it gets its own follow-up step. For now
|
|
46
|
+
the note is available to ask for; nothing reads it automatically yet. That's on
|
|
47
|
+
purpose — it keeps this change small and easy to review.
|