instar 1.3.355 → 1.3.356

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "instar",
3
- "version": "1.3.355",
3
+ "version": "1.3.356",
4
4
  "description": "Coherence infrastructure for self-evolving AI agents — on the Claude Code or Codex subscription you already have.",
5
5
  "type": "module",
6
6
  "main": "dist/index.js",
@@ -1,8 +1,8 @@
1
1
  {
2
2
  "$schema": "./builtin-manifest.schema.json",
3
3
  "schemaVersion": 1,
4
- "generatedAt": "2026-06-06T08:02:23.000Z",
5
- "instarVersion": "1.3.355",
4
+ "generatedAt": "2026-06-06T08:09:49.249Z",
5
+ "instarVersion": "1.3.356",
6
6
  "entryCount": 199,
7
7
  "entries": {
8
8
  "hook:session-start": {
@@ -11,7 +11,7 @@
11
11
  "domain": "identity",
12
12
  "sourcePath": "src/core/PostUpdateMigrator.ts",
13
13
  "installedPath": ".instar/hooks/instar/session-start.sh",
14
- "contentHash": "aa88c10ba4816114371a58fa15df8d18a92580fbb861c2c3007cab4a85d5e4d2",
14
+ "contentHash": "b8227d4a75bfe3ca1a9d0fee53580167a5dbc4e67fe458af11ae66aed1a1d0a0",
15
15
  "since": "2025-01-01"
16
16
  },
17
17
  "hook:dangerous-command-guard": {
@@ -20,7 +20,7 @@
20
20
  "domain": "safety",
21
21
  "sourcePath": "src/core/PostUpdateMigrator.ts",
22
22
  "installedPath": ".instar/hooks/instar/dangerous-command-guard.sh",
23
- "contentHash": "aa88c10ba4816114371a58fa15df8d18a92580fbb861c2c3007cab4a85d5e4d2",
23
+ "contentHash": "b8227d4a75bfe3ca1a9d0fee53580167a5dbc4e67fe458af11ae66aed1a1d0a0",
24
24
  "since": "2025-01-01"
25
25
  },
26
26
  "hook:grounding-before-messaging": {
@@ -29,7 +29,7 @@
29
29
  "domain": "safety",
30
30
  "sourcePath": "src/core/PostUpdateMigrator.ts",
31
31
  "installedPath": ".instar/hooks/instar/grounding-before-messaging.sh",
32
- "contentHash": "aa88c10ba4816114371a58fa15df8d18a92580fbb861c2c3007cab4a85d5e4d2",
32
+ "contentHash": "b8227d4a75bfe3ca1a9d0fee53580167a5dbc4e67fe458af11ae66aed1a1d0a0",
33
33
  "since": "2025-01-01"
34
34
  },
35
35
  "hook:compaction-recovery": {
@@ -38,7 +38,7 @@
38
38
  "domain": "identity",
39
39
  "sourcePath": "src/core/PostUpdateMigrator.ts",
40
40
  "installedPath": ".instar/hooks/instar/compaction-recovery.sh",
41
- "contentHash": "aa88c10ba4816114371a58fa15df8d18a92580fbb861c2c3007cab4a85d5e4d2",
41
+ "contentHash": "b8227d4a75bfe3ca1a9d0fee53580167a5dbc4e67fe458af11ae66aed1a1d0a0",
42
42
  "since": "2025-01-01"
43
43
  },
44
44
  "hook:external-operation-gate": {
@@ -47,7 +47,7 @@
47
47
  "domain": "safety",
48
48
  "sourcePath": "src/core/PostUpdateMigrator.ts",
49
49
  "installedPath": ".instar/hooks/instar/external-operation-gate.js",
50
- "contentHash": "aa88c10ba4816114371a58fa15df8d18a92580fbb861c2c3007cab4a85d5e4d2",
50
+ "contentHash": "b8227d4a75bfe3ca1a9d0fee53580167a5dbc4e67fe458af11ae66aed1a1d0a0",
51
51
  "since": "2025-01-01"
52
52
  },
53
53
  "hook:deferral-detector": {
@@ -56,7 +56,7 @@
56
56
  "domain": "safety",
57
57
  "sourcePath": "src/core/PostUpdateMigrator.ts",
58
58
  "installedPath": ".instar/hooks/instar/deferral-detector.js",
59
- "contentHash": "aa88c10ba4816114371a58fa15df8d18a92580fbb861c2c3007cab4a85d5e4d2",
59
+ "contentHash": "b8227d4a75bfe3ca1a9d0fee53580167a5dbc4e67fe458af11ae66aed1a1d0a0",
60
60
  "since": "2025-01-01"
61
61
  },
62
62
  "hook:self-stop-guard": {
@@ -65,7 +65,7 @@
65
65
  "domain": "coherence",
66
66
  "sourcePath": "src/core/PostUpdateMigrator.ts",
67
67
  "installedPath": ".instar/hooks/instar/self-stop-guard.js",
68
- "contentHash": "aa88c10ba4816114371a58fa15df8d18a92580fbb861c2c3007cab4a85d5e4d2",
68
+ "contentHash": "b8227d4a75bfe3ca1a9d0fee53580167a5dbc4e67fe458af11ae66aed1a1d0a0",
69
69
  "since": "2025-01-01"
70
70
  },
71
71
  "hook:post-action-reflection": {
@@ -74,7 +74,7 @@
74
74
  "domain": "evolution",
75
75
  "sourcePath": "src/core/PostUpdateMigrator.ts",
76
76
  "installedPath": ".instar/hooks/instar/post-action-reflection.js",
77
- "contentHash": "aa88c10ba4816114371a58fa15df8d18a92580fbb861c2c3007cab4a85d5e4d2",
77
+ "contentHash": "b8227d4a75bfe3ca1a9d0fee53580167a5dbc4e67fe458af11ae66aed1a1d0a0",
78
78
  "since": "2025-01-01"
79
79
  },
80
80
  "hook:external-communication-guard": {
@@ -83,7 +83,7 @@
83
83
  "domain": "safety",
84
84
  "sourcePath": "src/core/PostUpdateMigrator.ts",
85
85
  "installedPath": ".instar/hooks/instar/external-communication-guard.js",
86
- "contentHash": "aa88c10ba4816114371a58fa15df8d18a92580fbb861c2c3007cab4a85d5e4d2",
86
+ "contentHash": "b8227d4a75bfe3ca1a9d0fee53580167a5dbc4e67fe458af11ae66aed1a1d0a0",
87
87
  "since": "2025-01-01"
88
88
  },
89
89
  "hook:scope-coherence-collector": {
@@ -92,7 +92,7 @@
92
92
  "domain": "coherence",
93
93
  "sourcePath": "src/core/PostUpdateMigrator.ts",
94
94
  "installedPath": ".instar/hooks/instar/scope-coherence-collector.js",
95
- "contentHash": "aa88c10ba4816114371a58fa15df8d18a92580fbb861c2c3007cab4a85d5e4d2",
95
+ "contentHash": "b8227d4a75bfe3ca1a9d0fee53580167a5dbc4e67fe458af11ae66aed1a1d0a0",
96
96
  "since": "2025-01-01"
97
97
  },
98
98
  "hook:scope-coherence-checkpoint": {
@@ -101,7 +101,7 @@
101
101
  "domain": "coherence",
102
102
  "sourcePath": "src/core/PostUpdateMigrator.ts",
103
103
  "installedPath": ".instar/hooks/instar/scope-coherence-checkpoint.js",
104
- "contentHash": "aa88c10ba4816114371a58fa15df8d18a92580fbb861c2c3007cab4a85d5e4d2",
104
+ "contentHash": "b8227d4a75bfe3ca1a9d0fee53580167a5dbc4e67fe458af11ae66aed1a1d0a0",
105
105
  "since": "2025-01-01"
106
106
  },
107
107
  "hook:free-text-guard": {
@@ -110,7 +110,7 @@
110
110
  "domain": "safety",
111
111
  "sourcePath": "src/core/PostUpdateMigrator.ts",
112
112
  "installedPath": ".instar/hooks/instar/free-text-guard.sh",
113
- "contentHash": "aa88c10ba4816114371a58fa15df8d18a92580fbb861c2c3007cab4a85d5e4d2",
113
+ "contentHash": "b8227d4a75bfe3ca1a9d0fee53580167a5dbc4e67fe458af11ae66aed1a1d0a0",
114
114
  "since": "2025-01-01"
115
115
  },
116
116
  "hook:claim-intercept": {
@@ -119,7 +119,7 @@
119
119
  "domain": "coherence",
120
120
  "sourcePath": "src/core/PostUpdateMigrator.ts",
121
121
  "installedPath": ".instar/hooks/instar/claim-intercept.js",
122
- "contentHash": "aa88c10ba4816114371a58fa15df8d18a92580fbb861c2c3007cab4a85d5e4d2",
122
+ "contentHash": "b8227d4a75bfe3ca1a9d0fee53580167a5dbc4e67fe458af11ae66aed1a1d0a0",
123
123
  "since": "2025-01-01"
124
124
  },
125
125
  "hook:claim-intercept-response": {
@@ -128,7 +128,7 @@
128
128
  "domain": "coherence",
129
129
  "sourcePath": "src/core/PostUpdateMigrator.ts",
130
130
  "installedPath": ".instar/hooks/instar/claim-intercept-response.js",
131
- "contentHash": "aa88c10ba4816114371a58fa15df8d18a92580fbb861c2c3007cab4a85d5e4d2",
131
+ "contentHash": "b8227d4a75bfe3ca1a9d0fee53580167a5dbc4e67fe458af11ae66aed1a1d0a0",
132
132
  "since": "2025-01-01"
133
133
  },
134
134
  "hook:stop-gate-router": {
@@ -137,7 +137,7 @@
137
137
  "domain": "safety",
138
138
  "sourcePath": "src/core/PostUpdateMigrator.ts",
139
139
  "installedPath": ".instar/hooks/instar/stop-gate-router.js",
140
- "contentHash": "aa88c10ba4816114371a58fa15df8d18a92580fbb861c2c3007cab4a85d5e4d2",
140
+ "contentHash": "b8227d4a75bfe3ca1a9d0fee53580167a5dbc4e67fe458af11ae66aed1a1d0a0",
141
141
  "since": "2025-01-01"
142
142
  },
143
143
  "hook:auto-approve-permissions": {
@@ -146,7 +146,7 @@
146
146
  "domain": "safety",
147
147
  "sourcePath": "src/core/PostUpdateMigrator.ts",
148
148
  "installedPath": ".instar/hooks/instar/auto-approve-permissions.js",
149
- "contentHash": "aa88c10ba4816114371a58fa15df8d18a92580fbb861c2c3007cab4a85d5e4d2",
149
+ "contentHash": "b8227d4a75bfe3ca1a9d0fee53580167a5dbc4e67fe458af11ae66aed1a1d0a0",
150
150
  "since": "2025-01-01"
151
151
  },
152
152
  "job:health-check": {
@@ -1538,7 +1538,7 @@
1538
1538
  "type": "subsystem",
1539
1539
  "domain": "updates",
1540
1540
  "sourcePath": "src/core/PostUpdateMigrator.ts",
1541
- "contentHash": "aa88c10ba4816114371a58fa15df8d18a92580fbb861c2c3007cab4a85d5e4d2",
1541
+ "contentHash": "b8227d4a75bfe3ca1a9d0fee53580167a5dbc4e67fe458af11ae66aed1a1d0a0",
1542
1542
  "since": "2025-01-01"
1543
1543
  },
1544
1544
  "subsystem:scheduler": {
@@ -0,0 +1,38 @@
1
+ # Upgrade Guide — vNEXT
2
+
3
+ <!-- assembled-by: assemble-next-md -->
4
+ <!-- bump: patch -->
5
+
6
+ ## What Changed
7
+
8
+ The `session-start` hook now injects the verified `<topic-operator>` block at
9
+ session boot (Know Your Principal standard, security-build increment 2c). It
10
+ fetches `/topic-operator/session-context?topicId=$INSTAR_TELEGRAM_TOPIC` (the route
11
+ shipped in #906) and, when the topic has a verified operator, hands the agent a
12
+ short block naming that operator — so the agent reasons with its authenticated
13
+ principal from message one. This is the READ side of the operator binding; it
14
+ cannot itself seat anyone (the store established the operator only from the
15
+ platform-verified sender).
16
+
17
+ ## What to Tell Your User
18
+
19
+ Nothing user-facing changes. Foundation wiring (experimental) for the Caroline
20
+ identity-bleed security fix: the agent now SEES its verified operator at session
21
+ start when one is bound, but no conversational behavior changes and nothing is
22
+ gated. Auto-binding on inbound and the cross-principal guard are later increments.
23
+
24
+ ## Summary of New Capabilities
25
+
26
+ - Session-start injection of the `<topic-operator>` block (fail-open: no topic /
27
+ unbound topic / store unavailable → nothing injected). Reaches existing agents
28
+ automatically — the `instar/` session-start hook is rewritten on every update.
29
+
30
+ ## Evidence
31
+
32
+ Verified by 3 Tier-3 E2E lifecycle tests
33
+ (`tests/e2e/topic-operator-hook-injection-lifecycle.test.ts`): Phase 1 asserts the
34
+ generated hook source wires the fetch; Phase 2 extracts the exact block and runs
35
+ it against a live server, proving it emits the `<topic-operator>` block when a
36
+ topic is bound and nothing when unbound. The analog hook suites
37
+ (PostUpdateMigrator-bootSelfKnowledge, migration-parity-hooks,
38
+ OrgIntentManager-session-start-format) stay green. Clean `tsc --noEmit`.
@@ -0,0 +1,79 @@
1
+ # Side-effects review — Topic Operator session-start injection (Know Your Principal #898, increment 2c)
2
+
3
+ ## What this change does
4
+ Adds one fetch-block to the generated `session-start` hook
5
+ (`PostUpdateMigrator.getHookContent('session-start')`) that injects the
6
+ `<topic-operator>` block at session boot — the READ side of the operator binding
7
+ shipped in #904 (store) and #906 (routes). When a topic has a verified operator,
8
+ the agent now reasons with it from message one.
9
+
10
+ ## Blast radius
11
+ - **One template string edit, additive.** The block is appended after the
12
+ existing ORG-INTENT and AUTO-LEARNED-PREFERENCES injection blocks and before the
13
+ SESSION-BOOT-SELF-KNOWLEDGE block — modeled byte-for-byte on those two
14
+ precedents (same `curl -sf --max-time 4` + `python3` present/block parse + echo).
15
+ - **Fail-open, three guards.** The block only runs when `$INSTAR_TELEGRAM_TOPIC`
16
+ AND `$PORT` AND `$TOKEN` are all set. `curl -sf` emits nothing on any non-2xx
17
+ (route 503 when the store is unavailable, or `{present:false}` for an unbound
18
+ topic), so an unbound topic or an old server injects nothing — the session
19
+ continues normally. A non-Telegram session (no topic env) skips entirely.
20
+ - **No new route, class, config key, or dependency.** It consumes the
21
+ `/topic-operator/session-context` route that already shipped in #906.
22
+ - **Bearer token stays in the header** (never the URL/query), matching the other
23
+ injection blocks.
24
+
25
+ ## The security property
26
+ The injected block names the operator established ONLY from the platform-verified
27
+ sender id (the store guarantees this by construction — #904). The hook merely
28
+ surfaces that verified binding; it cannot itself seat anyone. So this read-side
29
+ change cannot introduce a Caroline-class identity bleed — it can only make the
30
+ ALREADY-verified operator visible to the agent at boot.
31
+
32
+ ## Compaction parity (constitutional)
33
+ The same fetch is ALSO wired into `getCompactionRecovery()` — its compaction twin —
34
+ so the verified operator is re-injected after a context reset, not presumed to
35
+ survive in the compaction summary (the `session-context-compaction-parity` standard
36
+ from PR #811, enforced by `tests/unit/session-context-compaction-parity.test.ts`).
37
+ This is thematically load-bearing for Know Your Principal: an agent that loses its
38
+ verified-operator awareness post-compaction is exactly the identity gap this feature
39
+ closes. The twin block mirrors the SESSION-BOOT-SELF-KNOWLEDGE re-injection
40
+ precedent (own `TOPIC_OP_PORT`/`TOPIC_OP_TOKEN` resolution, same fail-open contract),
41
+ and the injector is NOT added to the parity allowlist (the allowlist only shrinks).
42
+
43
+ ## Migration parity
44
+ The `session-start` hook lives in the always-overwritten `instar/` hook set:
45
+ `migrateHooks()` rewrites `hooks/instar/session-start.sh` from
46
+ `getSessionStartHook()` on EVERY update run (PostUpdateMigrator.ts:1958). So this
47
+ block reaches existing agents automatically on their next update — no dedicated
48
+ migration needed, and the migration-parity-hooks unit suite stays green.
49
+
50
+ ## Agent awareness (deliberately deferred)
51
+ No CLAUDE.md template section is added in this increment. The injected
52
+ `<topic-operator>` block is self-describing (it carries its own "do not attribute
53
+ to any other name" instruction), and the governing behavior is already in the
54
+ ratified #898 "Know Your Principal" constitution standard. The operator-binding
55
+ feature's agent-awareness capability section will be added ONCE, as a coherent
56
+ whole, when the feature is end-to-end (after the Inc-2d inbound auto-bind and the
57
+ Inc-3 guard) — rather than fragmenting it across increments. The feature-delivery
58
+ and docs-coverage gates pass without it.
59
+
60
+ ## Framework generality
61
+ Framework-agnostic. The block is emitted into the generic session-start hook that
62
+ every framework's session runs; the `<topic-operator>` payload is plain text any
63
+ harness injects. The topic is resolved from `$INSTAR_TELEGRAM_TOPIC`, the same env
64
+ the existing topic-context block uses — not coupled to Claude Code, Codex, or
65
+ Gemini.
66
+
67
+ ## Tests
68
+ - Tier 3 (E2E): `tests/e2e/topic-operator-hook-injection-lifecycle.test.ts` (3) —
69
+ Phase 1 asserts the generated hook SOURCE wires the fetch; Phase 2 extracts the
70
+ exact block and runs it against a LIVE server, proving it emits the
71
+ `<topic-operator>` block when a topic is bound and nothing when unbound.
72
+ - Tier 1/2 for the store + route shipped in #904/#906; the analog hook suites
73
+ (PostUpdateMigrator-bootSelfKnowledge, migration-parity-hooks,
74
+ OrgIntentManager-session-start-format) stay green.
75
+
76
+ ## Rollback
77
+ Revert the single template-string block in PostUpdateMigrator.ts + delete the E2E
78
+ test. The next update rewrites the hook without the block; nothing else depends
79
+ on it.
@@ -0,0 +1,47 @@
1
+ # ELI16 — Telling the agent who its boss is, the moment it wakes up
2
+
3
+ ## The one-sentence version
4
+ When the agent starts a conversation, it now gets handed a little note that says
5
+ "the verified boss of this chat is X" — so it knows from the very first message
6
+ who it's working for, instead of guessing from names it reads later.
7
+
8
+ ## The backstory
9
+ We've been fixing a real problem: an agent on a shared computer slowly started
10
+ treating a *different real person* (call her Caroline) as its boss, because the
11
+ mix-up lived inside the agent's own writing where nothing was watching. To fix it
12
+ we built three pieces:
13
+
14
+ 1. A filing cabinet (`TopicOperatorStore`) that remembers, per conversation, who
15
+ the verified boss is — and the rule is strict: the boss is decided ONLY by the
16
+ verified ID of whoever actually sent the message, never by a name typed in a
17
+ document.
18
+ 2. Four web endpoints to read and set that binding (shipped last step).
19
+ 3. **This step:** actually handing the agent that "who's your boss" note at the
20
+ start of every conversation.
21
+
22
+ ## What this change adds
23
+ At session start, the agent already gets handed a few notes — the company's rules,
24
+ the preferences it has learned about you, and so on. This change adds one more
25
+ note to that pile: it quietly asks the server "who's the verified boss of this
26
+ chat?" and, if there's an answer, prints a short block telling the agent. The
27
+ block also reminds the agent: don't ever swap in some other name you happen to
28
+ read — an unfamiliar name in the boss's chair is a question to resolve, not a fact
29
+ to accept.
30
+
31
+ ## Why it's safe
32
+ - It only **adds** a note; it changes nothing else about how sessions start.
33
+ - It's careful: it only runs if there's actually a chat topic and the server is
34
+ reachable. If the server can't answer, or nobody's been set as boss yet, it
35
+ prints nothing and the session goes on exactly as before.
36
+ - It can't *make* anyone the boss — it only shows the boss who was already
37
+ verified the safe way. So there's no way for this to repeat the Caroline mix-up.
38
+ - Every agent gets it automatically the next time it updates, because this note
39
+ lives in the startup script that always gets refreshed on update.
40
+
41
+ ## What's still coming
42
+ Right now a boss gets recorded either by a one-time manual call, or — in the next
43
+ step — automatically whenever the verified boss sends a message. After that, a
44
+ final step will let the agent's own safety checker USE this binding to catch
45
+ itself if it ever credits a decision to the wrong person. This step is the
46
+ "agent can SEE its boss" piece; the "agent gets corrected if it forgets" piece
47
+ comes next.