instar 1.3.353 → 1.3.355
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/core/PostUpdateMigrator.d.ts.map +1 -1
- package/dist/core/PostUpdateMigrator.js +14 -1
- package/dist/core/PostUpdateMigrator.js.map +1 -1
- package/dist/monitoring/ApprenticeshipCycleStore.d.ts +21 -0
- package/dist/monitoring/ApprenticeshipCycleStore.d.ts.map +1 -1
- package/dist/monitoring/ApprenticeshipCycleStore.js +38 -3
- package/dist/monitoring/ApprenticeshipCycleStore.js.map +1 -1
- package/dist/monitoring/QuotaExhaustionDetector.d.ts.map +1 -1
- package/dist/monitoring/QuotaExhaustionDetector.js +24 -2
- package/dist/monitoring/QuotaExhaustionDetector.js.map +1 -1
- package/dist/scaffold/templates.js +1 -1
- package/dist/server/routes.d.ts.map +1 -1
- package/dist/server/routes.js +10 -2
- package/dist/server/routes.js.map +1 -1
- package/package.json +1 -1
- package/src/data/builtin-manifest.json +63 -63
- package/src/scaffold/templates.ts +1 -1
- package/upgrades/1.3.354.md +75 -0
- package/upgrades/1.3.355.md +45 -0
- package/upgrades/side-effects/apprenticeship-keystone-dormancy.md +62 -0
- package/upgrades/side-effects/context-exhaustion-false-positive.md +62 -0
- package/upgrades/1.3.353.md +0 -40
|
@@ -0,0 +1,45 @@
|
|
|
1
|
+
# Upgrade Guide — vNEXT
|
|
2
|
+
|
|
3
|
+
<!-- assembled-by: assemble-next-md -->
|
|
4
|
+
<!-- bump: patch -->
|
|
5
|
+
|
|
6
|
+
## What Changed
|
|
7
|
+
|
|
8
|
+
Fixed a false-positive in context-exhaustion detection that could flood a topic with
|
|
9
|
+
duplicate "conversation too long" notices. The detector (`detectContextExhaustion`)
|
|
10
|
+
matched the bare phrase "conversation too long" anywhere in a session's terminal
|
|
11
|
+
output, with no check that it was an actual CLI error versus ordinary content. A
|
|
12
|
+
session that merely discussed the failure mode — or the recovery notice the detector
|
|
13
|
+
itself emits ("Session hit 'conversation too long'…") — re-tripped detection, and
|
|
14
|
+
because the notice text re-enters the pane, one false positive amplified into a flood
|
|
15
|
+
of duplicate notices and spurious respawns on a perfectly healthy session.
|
|
16
|
+
|
|
17
|
+
The detector now requires the real CLI error framing — the "Press esc twice…" hint or
|
|
18
|
+
an "error during compaction" line — for the bare phrase to count. The bare phrase
|
|
19
|
+
alone is treated as content. Real exhaustion errors always carry that framing, so
|
|
20
|
+
genuine recovery is unaffected; the self-amplifying flood and the content
|
|
21
|
+
false-positive are both eliminated.
|
|
22
|
+
|
|
23
|
+
## What to Tell Your User
|
|
24
|
+
|
|
25
|
+
If you ever saw a burst of repeated "conversation too long" messages while your
|
|
26
|
+
session was actually working fine, that was a false alarm — now fixed. Real
|
|
27
|
+
out-of-room recovery still works exactly as before. Nothing for you to do.
|
|
28
|
+
|
|
29
|
+
## Summary of New Capabilities
|
|
30
|
+
|
|
31
|
+
- Context-exhaustion detection no longer fires on the phrase appearing as content or
|
|
32
|
+
in its own recovery notice — it requires the real CLI error framing.
|
|
33
|
+
- Eliminates the self-amplifying "conversation too long" notice flood.
|
|
34
|
+
- No behavior change for genuine context-exhaustion recovery.
|
|
35
|
+
|
|
36
|
+
## Evidence
|
|
37
|
+
|
|
38
|
+
- Unit (`tests/unit/context-exhaustion-recovery.test.ts`): real framed error detected;
|
|
39
|
+
bare phrase rejected; recovery-notice text rejected; agent narration rejected; a
|
|
40
|
+
mixed pane (narration + real framed error) still detected. 31 passing.
|
|
41
|
+
- Unit (`tests/unit/presence-proxy-context-exhaustion.test.ts`): standby detection on
|
|
42
|
+
realistic framed snapshots; non-error content not detected. 14 passing.
|
|
43
|
+
- SessionRecovery recovery-behavior tests updated to realistic framed fixtures and
|
|
44
|
+
still green (recovery still triggers on real exhaustion).
|
|
45
|
+
- Full typecheck clean.
|
|
@@ -0,0 +1,62 @@
|
|
|
1
|
+
# Side-effects review — keystoneBalance dormancy dimension
|
|
2
|
+
|
|
3
|
+
**Change:** add an orthogonal `dormant` flag (+ `lastKeystoneAgeMs`,
|
|
4
|
+
`dormancyThresholdMs`) to the observe-only `keystoneBalance` block, plus a
|
|
5
|
+
`?keystoneDormancyMs` route knob, template awareness, and a migration.
|
|
6
|
+
|
|
7
|
+
**Signal vs authority (Phase 1):** This change involves **no decision point**. It
|
|
8
|
+
adds read-only computed fields to an existing observe-only signal. It never gates,
|
|
9
|
+
blocks, filters, or constrains any agent behavior. It is a pure signal-producer —
|
|
10
|
+
the consumer (a human, or a future cadence job) decides what to do with `dormant`.
|
|
11
|
+
`docs/signal-vs-authority.md` compliance: trivially satisfied (no authority held).
|
|
12
|
+
|
|
13
|
+
1. **Over-block:** N/A — nothing is blocked. The only "false positive" risk is
|
|
14
|
+
reporting `dormant: true` for a layer that is intentionally idle. That is the
|
|
15
|
+
correct report (the layer IS dormant); acting on it remains a human/cadence
|
|
16
|
+
judgment. A future-dated keystone clamps age to 0, so clock skew cannot
|
|
17
|
+
manufacture false dormancy.
|
|
18
|
+
|
|
19
|
+
2. **Under-block:** N/A — nothing is blocked. The signal still cannot see a layer
|
|
20
|
+
that was *never* registered as an instance (the separate fragmentation finding,
|
|
21
|
+
filed to the framework ledger as `apprenticeship-cycle-instance-no-referential-integrity`,
|
|
22
|
+
tracked for a follow-up decision). Dormancy is scoped to a single instance's
|
|
23
|
+
keystone axis by design.
|
|
24
|
+
|
|
25
|
+
3. **Level-of-abstraction fit:** Correct layer. Dormancy is computed inside
|
|
26
|
+
`ApprenticeshipCycleStore.computeKeystoneBalance` alongside `starved`, from the
|
|
27
|
+
same already-tallied timestamps + the store's injectable `now()`. No new store,
|
|
28
|
+
no cross-store wiring, no new dependency. It belongs exactly where `starved`
|
|
29
|
+
already lives.
|
|
30
|
+
|
|
31
|
+
4. **Signal vs authority compliance:** Compliant. Pure signal; zero blocking
|
|
32
|
+
authority. Both knobs (`?oversightStarvationThreshold`, `?keystoneDormancyMs`)
|
|
33
|
+
are observe-only tuning, not gates.
|
|
34
|
+
|
|
35
|
+
5. **Interactions:** `dormant` is orthogonal to `starved` (both can be true; unit
|
|
36
|
+
test pins this). It does not shadow or get shadowed by `starved`, `driftWarning`,
|
|
37
|
+
or the §4a direct-shortcut exclusion. The migration interacts with the prior
|
|
38
|
+
layer-balance migration: the full-line insert fires only when `keystoneBalance`
|
|
39
|
+
is absent (now appends the dormant-aware shape); the new in-place upgrade fires
|
|
40
|
+
only when the pre-dormancy shape is present. The two are mutually exclusive and
|
|
41
|
+
each idempotent (tested).
|
|
42
|
+
|
|
43
|
+
6. **External surfaces:** The `role-coverage` JSON response gains three fields and
|
|
44
|
+
the route accepts one new query param — purely additive, no removed/renamed
|
|
45
|
+
fields. The CLAUDE.md template + migration change what installed agents read
|
|
46
|
+
(one awareness line). No timing/runtime dependence beyond the store's `now()`,
|
|
47
|
+
which is injectable and tested with a fixed clock.
|
|
48
|
+
|
|
49
|
+
7. **Rollback cost:** Trivial. Observe-only and additive — reverting the commit
|
|
50
|
+
removes the fields with no data migration, no agent-state repair, no hot-fix
|
|
51
|
+
urgency (nothing depends on `dormant` to function). The CLAUDE.md awareness line
|
|
52
|
+
is cosmetic and harmless if left.
|
|
53
|
+
|
|
54
|
+
**Tier:** 1 (observe-only computed fields on an existing endpoint; all three test
|
|
55
|
+
tiers green plus migration-parity tests). Below the risk-floor signal (2, raised
|
|
56
|
+
by the PostUpdateMigrator touch) — acknowledged: the migrator change is the
|
|
57
|
+
established idempotent doc-awareness pattern from #893, not a data migration.
|
|
58
|
+
|
|
59
|
+
**No deferrals:** the feature ships complete — code, three test tiers, template
|
|
60
|
+
awareness, and migration parity (new + already-migrated agents) all in this commit.
|
|
61
|
+
The separate cycle-instance fragmentation finding is a distinct issue (filed to the
|
|
62
|
+
ledger), not a deferred part of this change.
|
|
@@ -0,0 +1,62 @@
|
|
|
1
|
+
# Side-effects review — context-exhaustion false-positive fix
|
|
2
|
+
|
|
3
|
+
**Change:** `detectContextExhaustion` (QuotaExhaustionDetector) now requires the
|
|
4
|
+
real CLI error framing ("press esc twice" or "error during compaction") for the
|
|
5
|
+
bare "conversation (is) too long" phrase. The bare phrase as content no longer
|
|
6
|
+
matches.
|
|
7
|
+
|
|
8
|
+
**Signal vs authority (Phase 1):** This IS a decision point — the detector's verdict
|
|
9
|
+
gates a destructive action (SessionMonitor kills + respawns the session and notifies
|
|
10
|
+
the user). It is a SIGNAL feeding the SessionMonitor authority; this change makes the
|
|
11
|
+
signal correct, it does not add or move authority. The fix narrows a brittle
|
|
12
|
+
substring match that was producing false positives with blocking-equivalent
|
|
13
|
+
consequences (forced respawns + user notices) — exactly the "brittle check with
|
|
14
|
+
real-world authority" failure `docs/signal-vs-authority.md` warns about.
|
|
15
|
+
|
|
16
|
+
1. **Over-block (false positive — the bug):** FIXED. Before, the bare phrase as
|
|
17
|
+
content (a session discussing the failure mode, a quoted error, or the recovery
|
|
18
|
+
notice itself) was flagged as live exhaustion → spurious respawn + user notice,
|
|
19
|
+
self-amplifying into a flood (RUN-2 2026-06-06, topic 13435, ~27 notices on a
|
|
20
|
+
healthy session). Now the bare phrase without CLI framing is not matched.
|
|
21
|
+
|
|
22
|
+
2. **Under-block (could a REAL error now be missed?):** No real loss. Every
|
|
23
|
+
realistic exhaustion fixture in the unit tests carries the CLI framing ("press
|
|
24
|
+
esc twice" and/or "error during compaction") — that is how Claude Code actually
|
|
25
|
+
renders the error. The guard only removes matches that lack any framing, which
|
|
26
|
+
are content, not live errors. Residual: if a future Claude Code version renders
|
|
27
|
+
the error WITHOUT the esc hint or compaction line, it would be missed — the frame
|
|
28
|
+
list is a one-line extension and is documented as the tuning point.
|
|
29
|
+
|
|
30
|
+
3. **Level-of-abstraction fit:** Correct layer. The fix is in the detector (the pure
|
|
31
|
+
function that decides), not in SessionMonitor (the actor). One change fixes every
|
|
32
|
+
consumer (SessionMonitor, PresenceProxy standby). The soft, non-phrase patterns
|
|
33
|
+
(context limit, token limit) are deliberately left unchanged — they are not the
|
|
34
|
+
observed bug and gating them risks under-detection; scoped to the live bug, not
|
|
35
|
+
a hypothetical.
|
|
36
|
+
|
|
37
|
+
4. **Signal vs authority compliance:** Compliant. Detector stays a signal; the fix
|
|
38
|
+
reduces its false-positive rate without changing where authority lives.
|
|
39
|
+
|
|
40
|
+
5. **Interactions:** The same `detectContextExhaustion` feeds SessionMonitor's
|
|
41
|
+
proactive check and PresenceProxy. Both now benefit. The self-amplification path
|
|
42
|
+
(recovery notice → pane → re-detect) is closed because the notice lacks CLI
|
|
43
|
+
framing. classifySessionDeath (the POST-death classifier) shares the bare-phrase
|
|
44
|
+
pattern but runs on a dead session's final output where the flood/respawn harm
|
|
45
|
+
does not apply; left as-is to keep this fix scoped to the live false-positive
|
|
46
|
+
(noted as a known sibling, not a deferral of THIS bug).
|
|
47
|
+
|
|
48
|
+
6. **External surfaces:** Reduces user-facing noise (fewer false "conversation too
|
|
49
|
+
long" notices). No API/schema change. Behavior depends on tmux pane content,
|
|
50
|
+
which is what it already read; no new timing/runtime dependence.
|
|
51
|
+
|
|
52
|
+
7. **Rollback cost:** Trivial — revert the commit. Pure-function change, no data
|
|
53
|
+
migration, no state. Worst case on revert is the original false-positive returns.
|
|
54
|
+
|
|
55
|
+
**Tier:** 1 (a guard added to one pure function + realistic test fixtures; no route,
|
|
56
|
+
no migration, no persistent state). No CLAUDE.md template change: this is an internal
|
|
57
|
+
detector hardening, not a new agent-invocable capability.
|
|
58
|
+
|
|
59
|
+
**No deferrals:** the fix is complete — detector guard + both-sides unit coverage
|
|
60
|
+
(real-error-detected, bare-phrase-rejected, recovery-notice-rejected, narration-
|
|
61
|
+
rejected, mixed-pane-still-detected) + updated realistic fixtures. classifySessionDeath
|
|
62
|
+
is a distinct surface (post-death), not a withheld part of this fix.
|
package/upgrades/1.3.353.md
DELETED
|
@@ -1,40 +0,0 @@
|
|
|
1
|
-
# Upgrade Guide — vNEXT
|
|
2
|
-
|
|
3
|
-
<!-- assembled-by: assemble-next-md -->
|
|
4
|
-
<!-- bump: patch -->
|
|
5
|
-
|
|
6
|
-
## What Changed
|
|
7
|
-
|
|
8
|
-
Wired the merged `TopicOperatorStore` (#904) into the live `AgentServer` and
|
|
9
|
-
exposed it over HTTP (Know Your Principal standard, security-build increment 2b).
|
|
10
|
-
The store is now composed into the server under the `stateDir` guard (fail-safe:
|
|
11
|
-
`null` → routes `503`, never a crash) and reachable via four Bearer-gated routes.
|
|
12
|
-
This is the runtime arm of the operator-binding spec (#897); the store had no
|
|
13
|
-
consumers before this.
|
|
14
|
-
|
|
15
|
-
## What to Tell Your User
|
|
16
|
-
|
|
17
|
-
Nothing user-facing changes yet. This is foundation wiring (experimental) for the
|
|
18
|
-
Caroline identity-bleed security fix — it adds routes the system can use but does
|
|
19
|
-
not alter any current conversational behavior. The automatic session-start
|
|
20
|
-
injection of the verified operator is a later increment.
|
|
21
|
-
|
|
22
|
-
## Summary of New Capabilities
|
|
23
|
-
|
|
24
|
-
- `GET /topic-operator` — all bound operators (names + uids).
|
|
25
|
-
- `GET /topic-operator/:topicId` — one topic's verified operator (or null).
|
|
26
|
-
- `GET /topic-operator/session-context?topicId=N` — the `<topic-operator>`
|
|
27
|
-
session-start injection block (`{ present:false }` when unbound).
|
|
28
|
-
- `POST /topic-operator` — bind a topic operator from the AUTHENTICATED sender
|
|
29
|
-
`{ topicId, platform?, uid (required), displayName? }`; a blank uid is refused
|
|
30
|
-
`400` (a content name can never become the operator).
|
|
31
|
-
- `CapabilityIndex` entry `topicOperator` (prefix `/topic-operator`).
|
|
32
|
-
|
|
33
|
-
## Evidence
|
|
34
|
-
|
|
35
|
-
Verified by 10 Tier-2 integration tests (full HTTP pipeline over a real
|
|
36
|
-
file-backed store, incl. the blank-uid refusal and the store-not-wired `503`
|
|
37
|
-
degradation) and 6 Tier-3 E2E lifecycle tests (feature-alive on the real
|
|
38
|
-
`AgentServer` boot path — `200` not `503` — full bind→read→inject lifecycle,
|
|
39
|
-
durable-write proof, and the over-the-wire blank-uid refusal). Tier-1 unit
|
|
40
|
-
coverage shipped in #904. Clean `tsc --noEmit`.
|