instar 1.3.355 → 1.3.356
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/core/PostUpdateMigrator.d.ts.map +1 -1
- package/dist/core/PostUpdateMigrator.js +66 -0
- package/dist/core/PostUpdateMigrator.js.map +1 -1
- package/package.json +1 -1
- package/src/data/builtin-manifest.json +19 -19
- package/upgrades/1.3.356.md +38 -0
- package/upgrades/side-effects/topic-operator-hook-injection-inc2c.md +79 -0
- package/upgrades/topic-operator-hook-injection-inc2c.eli16.md +47 -0
package/package.json
CHANGED
|
@@ -1,8 +1,8 @@
|
|
|
1
1
|
{
|
|
2
2
|
"$schema": "./builtin-manifest.schema.json",
|
|
3
3
|
"schemaVersion": 1,
|
|
4
|
-
"generatedAt": "2026-06-06T08:
|
|
5
|
-
"instarVersion": "1.3.
|
|
4
|
+
"generatedAt": "2026-06-06T08:09:49.249Z",
|
|
5
|
+
"instarVersion": "1.3.356",
|
|
6
6
|
"entryCount": 199,
|
|
7
7
|
"entries": {
|
|
8
8
|
"hook:session-start": {
|
|
@@ -11,7 +11,7 @@
|
|
|
11
11
|
"domain": "identity",
|
|
12
12
|
"sourcePath": "src/core/PostUpdateMigrator.ts",
|
|
13
13
|
"installedPath": ".instar/hooks/instar/session-start.sh",
|
|
14
|
-
"contentHash": "
|
|
14
|
+
"contentHash": "b8227d4a75bfe3ca1a9d0fee53580167a5dbc4e67fe458af11ae66aed1a1d0a0",
|
|
15
15
|
"since": "2025-01-01"
|
|
16
16
|
},
|
|
17
17
|
"hook:dangerous-command-guard": {
|
|
@@ -20,7 +20,7 @@
|
|
|
20
20
|
"domain": "safety",
|
|
21
21
|
"sourcePath": "src/core/PostUpdateMigrator.ts",
|
|
22
22
|
"installedPath": ".instar/hooks/instar/dangerous-command-guard.sh",
|
|
23
|
-
"contentHash": "
|
|
23
|
+
"contentHash": "b8227d4a75bfe3ca1a9d0fee53580167a5dbc4e67fe458af11ae66aed1a1d0a0",
|
|
24
24
|
"since": "2025-01-01"
|
|
25
25
|
},
|
|
26
26
|
"hook:grounding-before-messaging": {
|
|
@@ -29,7 +29,7 @@
|
|
|
29
29
|
"domain": "safety",
|
|
30
30
|
"sourcePath": "src/core/PostUpdateMigrator.ts",
|
|
31
31
|
"installedPath": ".instar/hooks/instar/grounding-before-messaging.sh",
|
|
32
|
-
"contentHash": "
|
|
32
|
+
"contentHash": "b8227d4a75bfe3ca1a9d0fee53580167a5dbc4e67fe458af11ae66aed1a1d0a0",
|
|
33
33
|
"since": "2025-01-01"
|
|
34
34
|
},
|
|
35
35
|
"hook:compaction-recovery": {
|
|
@@ -38,7 +38,7 @@
|
|
|
38
38
|
"domain": "identity",
|
|
39
39
|
"sourcePath": "src/core/PostUpdateMigrator.ts",
|
|
40
40
|
"installedPath": ".instar/hooks/instar/compaction-recovery.sh",
|
|
41
|
-
"contentHash": "
|
|
41
|
+
"contentHash": "b8227d4a75bfe3ca1a9d0fee53580167a5dbc4e67fe458af11ae66aed1a1d0a0",
|
|
42
42
|
"since": "2025-01-01"
|
|
43
43
|
},
|
|
44
44
|
"hook:external-operation-gate": {
|
|
@@ -47,7 +47,7 @@
|
|
|
47
47
|
"domain": "safety",
|
|
48
48
|
"sourcePath": "src/core/PostUpdateMigrator.ts",
|
|
49
49
|
"installedPath": ".instar/hooks/instar/external-operation-gate.js",
|
|
50
|
-
"contentHash": "
|
|
50
|
+
"contentHash": "b8227d4a75bfe3ca1a9d0fee53580167a5dbc4e67fe458af11ae66aed1a1d0a0",
|
|
51
51
|
"since": "2025-01-01"
|
|
52
52
|
},
|
|
53
53
|
"hook:deferral-detector": {
|
|
@@ -56,7 +56,7 @@
|
|
|
56
56
|
"domain": "safety",
|
|
57
57
|
"sourcePath": "src/core/PostUpdateMigrator.ts",
|
|
58
58
|
"installedPath": ".instar/hooks/instar/deferral-detector.js",
|
|
59
|
-
"contentHash": "
|
|
59
|
+
"contentHash": "b8227d4a75bfe3ca1a9d0fee53580167a5dbc4e67fe458af11ae66aed1a1d0a0",
|
|
60
60
|
"since": "2025-01-01"
|
|
61
61
|
},
|
|
62
62
|
"hook:self-stop-guard": {
|
|
@@ -65,7 +65,7 @@
|
|
|
65
65
|
"domain": "coherence",
|
|
66
66
|
"sourcePath": "src/core/PostUpdateMigrator.ts",
|
|
67
67
|
"installedPath": ".instar/hooks/instar/self-stop-guard.js",
|
|
68
|
-
"contentHash": "
|
|
68
|
+
"contentHash": "b8227d4a75bfe3ca1a9d0fee53580167a5dbc4e67fe458af11ae66aed1a1d0a0",
|
|
69
69
|
"since": "2025-01-01"
|
|
70
70
|
},
|
|
71
71
|
"hook:post-action-reflection": {
|
|
@@ -74,7 +74,7 @@
|
|
|
74
74
|
"domain": "evolution",
|
|
75
75
|
"sourcePath": "src/core/PostUpdateMigrator.ts",
|
|
76
76
|
"installedPath": ".instar/hooks/instar/post-action-reflection.js",
|
|
77
|
-
"contentHash": "
|
|
77
|
+
"contentHash": "b8227d4a75bfe3ca1a9d0fee53580167a5dbc4e67fe458af11ae66aed1a1d0a0",
|
|
78
78
|
"since": "2025-01-01"
|
|
79
79
|
},
|
|
80
80
|
"hook:external-communication-guard": {
|
|
@@ -83,7 +83,7 @@
|
|
|
83
83
|
"domain": "safety",
|
|
84
84
|
"sourcePath": "src/core/PostUpdateMigrator.ts",
|
|
85
85
|
"installedPath": ".instar/hooks/instar/external-communication-guard.js",
|
|
86
|
-
"contentHash": "
|
|
86
|
+
"contentHash": "b8227d4a75bfe3ca1a9d0fee53580167a5dbc4e67fe458af11ae66aed1a1d0a0",
|
|
87
87
|
"since": "2025-01-01"
|
|
88
88
|
},
|
|
89
89
|
"hook:scope-coherence-collector": {
|
|
@@ -92,7 +92,7 @@
|
|
|
92
92
|
"domain": "coherence",
|
|
93
93
|
"sourcePath": "src/core/PostUpdateMigrator.ts",
|
|
94
94
|
"installedPath": ".instar/hooks/instar/scope-coherence-collector.js",
|
|
95
|
-
"contentHash": "
|
|
95
|
+
"contentHash": "b8227d4a75bfe3ca1a9d0fee53580167a5dbc4e67fe458af11ae66aed1a1d0a0",
|
|
96
96
|
"since": "2025-01-01"
|
|
97
97
|
},
|
|
98
98
|
"hook:scope-coherence-checkpoint": {
|
|
@@ -101,7 +101,7 @@
|
|
|
101
101
|
"domain": "coherence",
|
|
102
102
|
"sourcePath": "src/core/PostUpdateMigrator.ts",
|
|
103
103
|
"installedPath": ".instar/hooks/instar/scope-coherence-checkpoint.js",
|
|
104
|
-
"contentHash": "
|
|
104
|
+
"contentHash": "b8227d4a75bfe3ca1a9d0fee53580167a5dbc4e67fe458af11ae66aed1a1d0a0",
|
|
105
105
|
"since": "2025-01-01"
|
|
106
106
|
},
|
|
107
107
|
"hook:free-text-guard": {
|
|
@@ -110,7 +110,7 @@
|
|
|
110
110
|
"domain": "safety",
|
|
111
111
|
"sourcePath": "src/core/PostUpdateMigrator.ts",
|
|
112
112
|
"installedPath": ".instar/hooks/instar/free-text-guard.sh",
|
|
113
|
-
"contentHash": "
|
|
113
|
+
"contentHash": "b8227d4a75bfe3ca1a9d0fee53580167a5dbc4e67fe458af11ae66aed1a1d0a0",
|
|
114
114
|
"since": "2025-01-01"
|
|
115
115
|
},
|
|
116
116
|
"hook:claim-intercept": {
|
|
@@ -119,7 +119,7 @@
|
|
|
119
119
|
"domain": "coherence",
|
|
120
120
|
"sourcePath": "src/core/PostUpdateMigrator.ts",
|
|
121
121
|
"installedPath": ".instar/hooks/instar/claim-intercept.js",
|
|
122
|
-
"contentHash": "
|
|
122
|
+
"contentHash": "b8227d4a75bfe3ca1a9d0fee53580167a5dbc4e67fe458af11ae66aed1a1d0a0",
|
|
123
123
|
"since": "2025-01-01"
|
|
124
124
|
},
|
|
125
125
|
"hook:claim-intercept-response": {
|
|
@@ -128,7 +128,7 @@
|
|
|
128
128
|
"domain": "coherence",
|
|
129
129
|
"sourcePath": "src/core/PostUpdateMigrator.ts",
|
|
130
130
|
"installedPath": ".instar/hooks/instar/claim-intercept-response.js",
|
|
131
|
-
"contentHash": "
|
|
131
|
+
"contentHash": "b8227d4a75bfe3ca1a9d0fee53580167a5dbc4e67fe458af11ae66aed1a1d0a0",
|
|
132
132
|
"since": "2025-01-01"
|
|
133
133
|
},
|
|
134
134
|
"hook:stop-gate-router": {
|
|
@@ -137,7 +137,7 @@
|
|
|
137
137
|
"domain": "safety",
|
|
138
138
|
"sourcePath": "src/core/PostUpdateMigrator.ts",
|
|
139
139
|
"installedPath": ".instar/hooks/instar/stop-gate-router.js",
|
|
140
|
-
"contentHash": "
|
|
140
|
+
"contentHash": "b8227d4a75bfe3ca1a9d0fee53580167a5dbc4e67fe458af11ae66aed1a1d0a0",
|
|
141
141
|
"since": "2025-01-01"
|
|
142
142
|
},
|
|
143
143
|
"hook:auto-approve-permissions": {
|
|
@@ -146,7 +146,7 @@
|
|
|
146
146
|
"domain": "safety",
|
|
147
147
|
"sourcePath": "src/core/PostUpdateMigrator.ts",
|
|
148
148
|
"installedPath": ".instar/hooks/instar/auto-approve-permissions.js",
|
|
149
|
-
"contentHash": "
|
|
149
|
+
"contentHash": "b8227d4a75bfe3ca1a9d0fee53580167a5dbc4e67fe458af11ae66aed1a1d0a0",
|
|
150
150
|
"since": "2025-01-01"
|
|
151
151
|
},
|
|
152
152
|
"job:health-check": {
|
|
@@ -1538,7 +1538,7 @@
|
|
|
1538
1538
|
"type": "subsystem",
|
|
1539
1539
|
"domain": "updates",
|
|
1540
1540
|
"sourcePath": "src/core/PostUpdateMigrator.ts",
|
|
1541
|
-
"contentHash": "
|
|
1541
|
+
"contentHash": "b8227d4a75bfe3ca1a9d0fee53580167a5dbc4e67fe458af11ae66aed1a1d0a0",
|
|
1542
1542
|
"since": "2025-01-01"
|
|
1543
1543
|
},
|
|
1544
1544
|
"subsystem:scheduler": {
|
|
@@ -0,0 +1,38 @@
|
|
|
1
|
+
# Upgrade Guide — vNEXT
|
|
2
|
+
|
|
3
|
+
<!-- assembled-by: assemble-next-md -->
|
|
4
|
+
<!-- bump: patch -->
|
|
5
|
+
|
|
6
|
+
## What Changed
|
|
7
|
+
|
|
8
|
+
The `session-start` hook now injects the verified `<topic-operator>` block at
|
|
9
|
+
session boot (Know Your Principal standard, security-build increment 2c). It
|
|
10
|
+
fetches `/topic-operator/session-context?topicId=$INSTAR_TELEGRAM_TOPIC` (the route
|
|
11
|
+
shipped in #906) and, when the topic has a verified operator, hands the agent a
|
|
12
|
+
short block naming that operator — so the agent reasons with its authenticated
|
|
13
|
+
principal from message one. This is the READ side of the operator binding; it
|
|
14
|
+
cannot itself seat anyone (the store established the operator only from the
|
|
15
|
+
platform-verified sender).
|
|
16
|
+
|
|
17
|
+
## What to Tell Your User
|
|
18
|
+
|
|
19
|
+
Nothing user-facing changes. Foundation wiring (experimental) for the Caroline
|
|
20
|
+
identity-bleed security fix: the agent now SEES its verified operator at session
|
|
21
|
+
start when one is bound, but no conversational behavior changes and nothing is
|
|
22
|
+
gated. Auto-binding on inbound and the cross-principal guard are later increments.
|
|
23
|
+
|
|
24
|
+
## Summary of New Capabilities
|
|
25
|
+
|
|
26
|
+
- Session-start injection of the `<topic-operator>` block (fail-open: no topic /
|
|
27
|
+
unbound topic / store unavailable → nothing injected). Reaches existing agents
|
|
28
|
+
automatically — the `instar/` session-start hook is rewritten on every update.
|
|
29
|
+
|
|
30
|
+
## Evidence
|
|
31
|
+
|
|
32
|
+
Verified by 3 Tier-3 E2E lifecycle tests
|
|
33
|
+
(`tests/e2e/topic-operator-hook-injection-lifecycle.test.ts`): Phase 1 asserts the
|
|
34
|
+
generated hook source wires the fetch; Phase 2 extracts the exact block and runs
|
|
35
|
+
it against a live server, proving it emits the `<topic-operator>` block when a
|
|
36
|
+
topic is bound and nothing when unbound. The analog hook suites
|
|
37
|
+
(PostUpdateMigrator-bootSelfKnowledge, migration-parity-hooks,
|
|
38
|
+
OrgIntentManager-session-start-format) stay green. Clean `tsc --noEmit`.
|
|
@@ -0,0 +1,79 @@
|
|
|
1
|
+
# Side-effects review — Topic Operator session-start injection (Know Your Principal #898, increment 2c)
|
|
2
|
+
|
|
3
|
+
## What this change does
|
|
4
|
+
Adds one fetch-block to the generated `session-start` hook
|
|
5
|
+
(`PostUpdateMigrator.getHookContent('session-start')`) that injects the
|
|
6
|
+
`<topic-operator>` block at session boot — the READ side of the operator binding
|
|
7
|
+
shipped in #904 (store) and #906 (routes). When a topic has a verified operator,
|
|
8
|
+
the agent now reasons with it from message one.
|
|
9
|
+
|
|
10
|
+
## Blast radius
|
|
11
|
+
- **One template string edit, additive.** The block is appended after the
|
|
12
|
+
existing ORG-INTENT and AUTO-LEARNED-PREFERENCES injection blocks and before the
|
|
13
|
+
SESSION-BOOT-SELF-KNOWLEDGE block — modeled byte-for-byte on those two
|
|
14
|
+
precedents (same `curl -sf --max-time 4` + `python3` present/block parse + echo).
|
|
15
|
+
- **Fail-open, three guards.** The block only runs when `$INSTAR_TELEGRAM_TOPIC`
|
|
16
|
+
AND `$PORT` AND `$TOKEN` are all set. `curl -sf` emits nothing on any non-2xx
|
|
17
|
+
(route 503 when the store is unavailable, or `{present:false}` for an unbound
|
|
18
|
+
topic), so an unbound topic or an old server injects nothing — the session
|
|
19
|
+
continues normally. A non-Telegram session (no topic env) skips entirely.
|
|
20
|
+
- **No new route, class, config key, or dependency.** It consumes the
|
|
21
|
+
`/topic-operator/session-context` route that already shipped in #906.
|
|
22
|
+
- **Bearer token stays in the header** (never the URL/query), matching the other
|
|
23
|
+
injection blocks.
|
|
24
|
+
|
|
25
|
+
## The security property
|
|
26
|
+
The injected block names the operator established ONLY from the platform-verified
|
|
27
|
+
sender id (the store guarantees this by construction — #904). The hook merely
|
|
28
|
+
surfaces that verified binding; it cannot itself seat anyone. So this read-side
|
|
29
|
+
change cannot introduce a Caroline-class identity bleed — it can only make the
|
|
30
|
+
ALREADY-verified operator visible to the agent at boot.
|
|
31
|
+
|
|
32
|
+
## Compaction parity (constitutional)
|
|
33
|
+
The same fetch is ALSO wired into `getCompactionRecovery()` — its compaction twin —
|
|
34
|
+
so the verified operator is re-injected after a context reset, not presumed to
|
|
35
|
+
survive in the compaction summary (the `session-context-compaction-parity` standard
|
|
36
|
+
from PR #811, enforced by `tests/unit/session-context-compaction-parity.test.ts`).
|
|
37
|
+
This is thematically load-bearing for Know Your Principal: an agent that loses its
|
|
38
|
+
verified-operator awareness post-compaction is exactly the identity gap this feature
|
|
39
|
+
closes. The twin block mirrors the SESSION-BOOT-SELF-KNOWLEDGE re-injection
|
|
40
|
+
precedent (own `TOPIC_OP_PORT`/`TOPIC_OP_TOKEN` resolution, same fail-open contract),
|
|
41
|
+
and the injector is NOT added to the parity allowlist (the allowlist only shrinks).
|
|
42
|
+
|
|
43
|
+
## Migration parity
|
|
44
|
+
The `session-start` hook lives in the always-overwritten `instar/` hook set:
|
|
45
|
+
`migrateHooks()` rewrites `hooks/instar/session-start.sh` from
|
|
46
|
+
`getSessionStartHook()` on EVERY update run (PostUpdateMigrator.ts:1958). So this
|
|
47
|
+
block reaches existing agents automatically on their next update — no dedicated
|
|
48
|
+
migration needed, and the migration-parity-hooks unit suite stays green.
|
|
49
|
+
|
|
50
|
+
## Agent awareness (deliberately deferred)
|
|
51
|
+
No CLAUDE.md template section is added in this increment. The injected
|
|
52
|
+
`<topic-operator>` block is self-describing (it carries its own "do not attribute
|
|
53
|
+
to any other name" instruction), and the governing behavior is already in the
|
|
54
|
+
ratified #898 "Know Your Principal" constitution standard. The operator-binding
|
|
55
|
+
feature's agent-awareness capability section will be added ONCE, as a coherent
|
|
56
|
+
whole, when the feature is end-to-end (after the Inc-2d inbound auto-bind and the
|
|
57
|
+
Inc-3 guard) — rather than fragmenting it across increments. The feature-delivery
|
|
58
|
+
and docs-coverage gates pass without it.
|
|
59
|
+
|
|
60
|
+
## Framework generality
|
|
61
|
+
Framework-agnostic. The block is emitted into the generic session-start hook that
|
|
62
|
+
every framework's session runs; the `<topic-operator>` payload is plain text any
|
|
63
|
+
harness injects. The topic is resolved from `$INSTAR_TELEGRAM_TOPIC`, the same env
|
|
64
|
+
the existing topic-context block uses — not coupled to Claude Code, Codex, or
|
|
65
|
+
Gemini.
|
|
66
|
+
|
|
67
|
+
## Tests
|
|
68
|
+
- Tier 3 (E2E): `tests/e2e/topic-operator-hook-injection-lifecycle.test.ts` (3) —
|
|
69
|
+
Phase 1 asserts the generated hook SOURCE wires the fetch; Phase 2 extracts the
|
|
70
|
+
exact block and runs it against a LIVE server, proving it emits the
|
|
71
|
+
`<topic-operator>` block when a topic is bound and nothing when unbound.
|
|
72
|
+
- Tier 1/2 for the store + route shipped in #904/#906; the analog hook suites
|
|
73
|
+
(PostUpdateMigrator-bootSelfKnowledge, migration-parity-hooks,
|
|
74
|
+
OrgIntentManager-session-start-format) stay green.
|
|
75
|
+
|
|
76
|
+
## Rollback
|
|
77
|
+
Revert the single template-string block in PostUpdateMigrator.ts + delete the E2E
|
|
78
|
+
test. The next update rewrites the hook without the block; nothing else depends
|
|
79
|
+
on it.
|
|
@@ -0,0 +1,47 @@
|
|
|
1
|
+
# ELI16 — Telling the agent who its boss is, the moment it wakes up
|
|
2
|
+
|
|
3
|
+
## The one-sentence version
|
|
4
|
+
When the agent starts a conversation, it now gets handed a little note that says
|
|
5
|
+
"the verified boss of this chat is X" — so it knows from the very first message
|
|
6
|
+
who it's working for, instead of guessing from names it reads later.
|
|
7
|
+
|
|
8
|
+
## The backstory
|
|
9
|
+
We've been fixing a real problem: an agent on a shared computer slowly started
|
|
10
|
+
treating a *different real person* (call her Caroline) as its boss, because the
|
|
11
|
+
mix-up lived inside the agent's own writing where nothing was watching. To fix it
|
|
12
|
+
we built three pieces:
|
|
13
|
+
|
|
14
|
+
1. A filing cabinet (`TopicOperatorStore`) that remembers, per conversation, who
|
|
15
|
+
the verified boss is — and the rule is strict: the boss is decided ONLY by the
|
|
16
|
+
verified ID of whoever actually sent the message, never by a name typed in a
|
|
17
|
+
document.
|
|
18
|
+
2. Four web endpoints to read and set that binding (shipped last step).
|
|
19
|
+
3. **This step:** actually handing the agent that "who's your boss" note at the
|
|
20
|
+
start of every conversation.
|
|
21
|
+
|
|
22
|
+
## What this change adds
|
|
23
|
+
At session start, the agent already gets handed a few notes — the company's rules,
|
|
24
|
+
the preferences it has learned about you, and so on. This change adds one more
|
|
25
|
+
note to that pile: it quietly asks the server "who's the verified boss of this
|
|
26
|
+
chat?" and, if there's an answer, prints a short block telling the agent. The
|
|
27
|
+
block also reminds the agent: don't ever swap in some other name you happen to
|
|
28
|
+
read — an unfamiliar name in the boss's chair is a question to resolve, not a fact
|
|
29
|
+
to accept.
|
|
30
|
+
|
|
31
|
+
## Why it's safe
|
|
32
|
+
- It only **adds** a note; it changes nothing else about how sessions start.
|
|
33
|
+
- It's careful: it only runs if there's actually a chat topic and the server is
|
|
34
|
+
reachable. If the server can't answer, or nobody's been set as boss yet, it
|
|
35
|
+
prints nothing and the session goes on exactly as before.
|
|
36
|
+
- It can't *make* anyone the boss — it only shows the boss who was already
|
|
37
|
+
verified the safe way. So there's no way for this to repeat the Caroline mix-up.
|
|
38
|
+
- Every agent gets it automatically the next time it updates, because this note
|
|
39
|
+
lives in the startup script that always gets refreshed on update.
|
|
40
|
+
|
|
41
|
+
## What's still coming
|
|
42
|
+
Right now a boss gets recorded either by a one-time manual call, or — in the next
|
|
43
|
+
step — automatically whenever the verified boss sends a message. After that, a
|
|
44
|
+
final step will let the agent's own safety checker USE this binding to catch
|
|
45
|
+
itself if it ever credits a decision to the wrong person. This step is the
|
|
46
|
+
"agent can SEE its boss" piece; the "agent gets corrected if it forgets" piece
|
|
47
|
+
comes next.
|