instar 1.3.355 → 1.3.357
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/core/PostUpdateMigrator.d.ts.map +1 -1
- package/dist/core/PostUpdateMigrator.js +66 -0
- package/dist/core/PostUpdateMigrator.js.map +1 -1
- package/dist/messaging/TelegramAdapter.d.ts +11 -0
- package/dist/messaging/TelegramAdapter.d.ts.map +1 -1
- package/dist/messaging/TelegramAdapter.js +16 -0
- package/dist/messaging/TelegramAdapter.js.map +1 -1
- package/dist/server/routes.d.ts.map +1 -1
- package/dist/server/routes.js +24 -0
- package/dist/server/routes.js.map +1 -1
- package/package.json +1 -1
- package/src/data/builtin-manifest.json +63 -63
- package/upgrades/1.3.356.md +38 -0
- package/upgrades/1.3.357.md +40 -0
- package/upgrades/side-effects/topic-operator-autobind-inc2d.md +70 -0
- package/upgrades/side-effects/topic-operator-hook-injection-inc2c.md +79 -0
- package/upgrades/topic-operator-autobind-inc2d.eli16.md +46 -0
- package/upgrades/topic-operator-hook-injection-inc2c.eli16.md +47 -0
|
@@ -0,0 +1,70 @@
|
|
|
1
|
+
# Side-effects review — Topic Operator inbound auto-bind (Know Your Principal #898, increment 2d)
|
|
2
|
+
|
|
3
|
+
## What this change does
|
|
4
|
+
The WRITE side of the operator binding. On the lifeline-forward inbound path
|
|
5
|
+
(`POST /internal/telegram-forward`), the verified operator of a topic is now
|
|
6
|
+
recorded automatically from the AUTHENTICATED + AUTHORIZED sender of a real user
|
|
7
|
+
message — so the session-start hook (#908) and the future cross-principal guard
|
|
8
|
+
have a populated binding instead of relying on a manual `POST /topic-operator`.
|
|
9
|
+
|
|
10
|
+
- `TelegramAdapter`: new public `isAuthorizedSender(number|string): boolean`,
|
|
11
|
+
wrapping the private `isAuthorized` (number/string tolerant; blank/non-numeric
|
|
12
|
+
→ false). Read-only; no behavior change to the private path.
|
|
13
|
+
- `routes.ts` `/internal/telegram-forward`: one additive block, placed AFTER the
|
|
14
|
+
a2a-hook short-circuit and BEFORE `onTopicMessage`, that binds the operator iff
|
|
15
|
+
`ctx.telegram.isAuthorizedSender(fromUserId)` is true.
|
|
16
|
+
|
|
17
|
+
## The load-bearing security property
|
|
18
|
+
ONLY an authorized sender becomes the operator. An unauthorized party in the
|
|
19
|
+
bot's group is never seated — that is exactly the cross-principal ("Caroline")
|
|
20
|
+
bug, and the integration test proves the over-the-wire refusal (a `fromUserId`
|
|
21
|
+
outside the allowlist, even with `fromFirstName: "Caroline"`, binds nothing).
|
|
22
|
+
The uid is the platform-authenticated sender id; a content name is never the
|
|
23
|
+
source (`TopicOperatorStore.setOperator` enforces this by construction, #904).
|
|
24
|
+
|
|
25
|
+
## Blast radius (hot path — reviewed carefully)
|
|
26
|
+
- **Additive + fail-soft.** The block is wrapped in try/catch and only runs when
|
|
27
|
+
`ctx.topicOperatorStore` is non-null, `fromUserId` is present, and `topicId` is
|
|
28
|
+
a number. Any error is logged and swallowed — an auto-bind failure can NEVER
|
|
29
|
+
break message routing. `setOperator` is a fast local JSON write, idempotent on
|
|
30
|
+
the same uid (a redelivered message re-binds the same operator harmlessly).
|
|
31
|
+
- **a2a-safe.** Placed after the a2a short-circuit, so agent-to-agent bot messages
|
|
32
|
+
return before the bind; a bot id is also not in `authorizedUserIds` anyway. The
|
|
33
|
+
14 existing `/internal/telegram-forward` integration tests stay green (no
|
|
34
|
+
regression to the version handshake, exactly-once, sentinel, or a2a paths).
|
|
35
|
+
- **No new route / class / config key / dependency.** It consumes the store +
|
|
36
|
+
routes shipped in #904/#906 and the injection from #908.
|
|
37
|
+
|
|
38
|
+
## No-allowlist trust model (documented)
|
|
39
|
+
`isAuthorizedSender` mirrors `isAuthorized`: with NO `authorizedUserIds` allowlist
|
|
40
|
+
configured, every authenticated sender is accepted (the agent already serves
|
|
41
|
+
everyone in that mode), so the operator becomes the most-recent authenticated
|
|
42
|
+
sender. This is consistent with the existing trust model and is NOT a
|
|
43
|
+
Caroline-class bleed (the uid is Telegram-authenticated, not a content name). A
|
|
44
|
+
secure deployment configures `authorizedUserIds`, and then only those uids bind.
|
|
45
|
+
|
|
46
|
+
## Scope (deliberate) + the known gap
|
|
47
|
+
This binds on the **lifeline-forward path only** — the instar fleet's primary
|
|
48
|
+
inbound route. The adapter's own long-poll path (`onTopicMessage`, the
|
|
49
|
+
no-lifeline case) is NOT covered here, because its single shared callback is
|
|
50
|
+
defined in `src/commands/server.ts` (the production composition root, not
|
|
51
|
+
route-testable). That gap is tracked for a follow-up (Inc-2e): bind in the shared
|
|
52
|
+
`onTopicMessage` handler to cover both paths with one change. Until then, a
|
|
53
|
+
no-lifeline install simply has no auto-bind (fail-safe: no binding → no injection
|
|
54
|
+
→ no false identity), and `POST /topic-operator` remains the manual path.
|
|
55
|
+
|
|
56
|
+
## Migration parity
|
|
57
|
+
None required — server-side route behavior + an in-process adapter method reach
|
|
58
|
+
existing agents on the next server update (the Migration Parity Standard governs
|
|
59
|
+
agent-installed FILES; this touches none).
|
|
60
|
+
|
|
61
|
+
## Tests
|
|
62
|
+
- Tier 1 (unit): `tests/unit/telegram-isauthorizedsender.test.ts` (5) — both sides
|
|
63
|
+
of the boundary, number/string ids, blank/NaN guard, no-allowlist model.
|
|
64
|
+
- Tier 2 (integration): `tests/integration/topic-operator-autobind-route.test.ts`
|
|
65
|
+
(4) — over the wire: authorized binds, unauthorized doesn't, a2a bot doesn't,
|
|
66
|
+
null store no-op. Existing telegram-forward suites (14) stay green.
|
|
67
|
+
|
|
68
|
+
## Rollback
|
|
69
|
+
Revert the one route block + the `isAuthorizedSender` method + delete the two
|
|
70
|
+
tests. The store on disk is inert without the bind.
|
|
@@ -0,0 +1,79 @@
|
|
|
1
|
+
# Side-effects review — Topic Operator session-start injection (Know Your Principal #898, increment 2c)
|
|
2
|
+
|
|
3
|
+
## What this change does
|
|
4
|
+
Adds one fetch-block to the generated `session-start` hook
|
|
5
|
+
(`PostUpdateMigrator.getHookContent('session-start')`) that injects the
|
|
6
|
+
`<topic-operator>` block at session boot — the READ side of the operator binding
|
|
7
|
+
shipped in #904 (store) and #906 (routes). When a topic has a verified operator,
|
|
8
|
+
the agent now reasons with it from message one.
|
|
9
|
+
|
|
10
|
+
## Blast radius
|
|
11
|
+
- **One template string edit, additive.** The block is appended after the
|
|
12
|
+
existing ORG-INTENT and AUTO-LEARNED-PREFERENCES injection blocks and before the
|
|
13
|
+
SESSION-BOOT-SELF-KNOWLEDGE block — modeled byte-for-byte on those two
|
|
14
|
+
precedents (same `curl -sf --max-time 4` + `python3` present/block parse + echo).
|
|
15
|
+
- **Fail-open, three guards.** The block only runs when `$INSTAR_TELEGRAM_TOPIC`
|
|
16
|
+
AND `$PORT` AND `$TOKEN` are all set. `curl -sf` emits nothing on any non-2xx
|
|
17
|
+
(route 503 when the store is unavailable, or `{present:false}` for an unbound
|
|
18
|
+
topic), so an unbound topic or an old server injects nothing — the session
|
|
19
|
+
continues normally. A non-Telegram session (no topic env) skips entirely.
|
|
20
|
+
- **No new route, class, config key, or dependency.** It consumes the
|
|
21
|
+
`/topic-operator/session-context` route that already shipped in #906.
|
|
22
|
+
- **Bearer token stays in the header** (never the URL/query), matching the other
|
|
23
|
+
injection blocks.
|
|
24
|
+
|
|
25
|
+
## The security property
|
|
26
|
+
The injected block names the operator established ONLY from the platform-verified
|
|
27
|
+
sender id (the store guarantees this by construction — #904). The hook merely
|
|
28
|
+
surfaces that verified binding; it cannot itself seat anyone. So this read-side
|
|
29
|
+
change cannot introduce a Caroline-class identity bleed — it can only make the
|
|
30
|
+
ALREADY-verified operator visible to the agent at boot.
|
|
31
|
+
|
|
32
|
+
## Compaction parity (constitutional)
|
|
33
|
+
The same fetch is ALSO wired into `getCompactionRecovery()` — its compaction twin —
|
|
34
|
+
so the verified operator is re-injected after a context reset, not presumed to
|
|
35
|
+
survive in the compaction summary (the `session-context-compaction-parity` standard
|
|
36
|
+
from PR #811, enforced by `tests/unit/session-context-compaction-parity.test.ts`).
|
|
37
|
+
This is thematically load-bearing for Know Your Principal: an agent that loses its
|
|
38
|
+
verified-operator awareness post-compaction is exactly the identity gap this feature
|
|
39
|
+
closes. The twin block mirrors the SESSION-BOOT-SELF-KNOWLEDGE re-injection
|
|
40
|
+
precedent (own `TOPIC_OP_PORT`/`TOPIC_OP_TOKEN` resolution, same fail-open contract),
|
|
41
|
+
and the injector is NOT added to the parity allowlist (the allowlist only shrinks).
|
|
42
|
+
|
|
43
|
+
## Migration parity
|
|
44
|
+
The `session-start` hook lives in the always-overwritten `instar/` hook set:
|
|
45
|
+
`migrateHooks()` rewrites `hooks/instar/session-start.sh` from
|
|
46
|
+
`getSessionStartHook()` on EVERY update run (PostUpdateMigrator.ts:1958). So this
|
|
47
|
+
block reaches existing agents automatically on their next update — no dedicated
|
|
48
|
+
migration needed, and the migration-parity-hooks unit suite stays green.
|
|
49
|
+
|
|
50
|
+
## Agent awareness (deliberately deferred)
|
|
51
|
+
No CLAUDE.md template section is added in this increment. The injected
|
|
52
|
+
`<topic-operator>` block is self-describing (it carries its own "do not attribute
|
|
53
|
+
to any other name" instruction), and the governing behavior is already in the
|
|
54
|
+
ratified #898 "Know Your Principal" constitution standard. The operator-binding
|
|
55
|
+
feature's agent-awareness capability section will be added ONCE, as a coherent
|
|
56
|
+
whole, when the feature is end-to-end (after the Inc-2d inbound auto-bind and the
|
|
57
|
+
Inc-3 guard) — rather than fragmenting it across increments. The feature-delivery
|
|
58
|
+
and docs-coverage gates pass without it.
|
|
59
|
+
|
|
60
|
+
## Framework generality
|
|
61
|
+
Framework-agnostic. The block is emitted into the generic session-start hook that
|
|
62
|
+
every framework's session runs; the `<topic-operator>` payload is plain text any
|
|
63
|
+
harness injects. The topic is resolved from `$INSTAR_TELEGRAM_TOPIC`, the same env
|
|
64
|
+
the existing topic-context block uses — not coupled to Claude Code, Codex, or
|
|
65
|
+
Gemini.
|
|
66
|
+
|
|
67
|
+
## Tests
|
|
68
|
+
- Tier 3 (E2E): `tests/e2e/topic-operator-hook-injection-lifecycle.test.ts` (3) —
|
|
69
|
+
Phase 1 asserts the generated hook SOURCE wires the fetch; Phase 2 extracts the
|
|
70
|
+
exact block and runs it against a LIVE server, proving it emits the
|
|
71
|
+
`<topic-operator>` block when a topic is bound and nothing when unbound.
|
|
72
|
+
- Tier 1/2 for the store + route shipped in #904/#906; the analog hook suites
|
|
73
|
+
(PostUpdateMigrator-bootSelfKnowledge, migration-parity-hooks,
|
|
74
|
+
OrgIntentManager-session-start-format) stay green.
|
|
75
|
+
|
|
76
|
+
## Rollback
|
|
77
|
+
Revert the single template-string block in PostUpdateMigrator.ts + delete the E2E
|
|
78
|
+
test. The next update rewrites the hook without the block; nothing else depends
|
|
79
|
+
on it.
|
|
@@ -0,0 +1,46 @@
|
|
|
1
|
+
# ELI16 — Automatically remembering who the boss is
|
|
2
|
+
|
|
3
|
+
## The one-sentence version
|
|
4
|
+
When the verified boss sends a message, the agent now automatically writes down
|
|
5
|
+
"this is the boss of this chat" — so it no longer has to be told by hand.
|
|
6
|
+
|
|
7
|
+
## The backstory
|
|
8
|
+
We've been fixing a real problem: an agent on a shared computer slowly started
|
|
9
|
+
treating a *different real person* (call her Caroline) as its boss, because the
|
|
10
|
+
mix-up lived inside the agent's own writing where nothing was watching. To fix it
|
|
11
|
+
we built three pieces:
|
|
12
|
+
|
|
13
|
+
1. A filing cabinet that remembers, per chat, who the verified boss is — and the
|
|
14
|
+
rule is strict: the boss is decided ONLY by the verified ID of whoever actually
|
|
15
|
+
sent the message, never a name typed in a document.
|
|
16
|
+
2. A startup note that hands the agent that "who's your boss" info when it wakes
|
|
17
|
+
up (shipped last step).
|
|
18
|
+
3. **This step:** actually filling in the filing cabinet automatically.
|
|
19
|
+
|
|
20
|
+
## What this change adds
|
|
21
|
+
Before, the filing cabinet only got filled in by a manual one-time call. Now,
|
|
22
|
+
whenever a message comes in through the agent's main message pipe, the system
|
|
23
|
+
checks: "is this sender on the allowed list?" If yes, it quietly writes them down
|
|
24
|
+
as the verified boss of that chat. If no, it does NOTHING — an outsider in the
|
|
25
|
+
group can never become the boss. That "only allowed senders count" rule is the
|
|
26
|
+
whole point: it's what stops the Caroline mix-up from happening again. We prove it
|
|
27
|
+
with a test that sends a message from an *un*-allowed person literally named
|
|
28
|
+
"Caroline" and checks that nobody gets written down.
|
|
29
|
+
|
|
30
|
+
## Why it's safe
|
|
31
|
+
- It only **adds** a step, wrapped so that if anything ever goes wrong, the message
|
|
32
|
+
still gets handled normally — recording the boss can never break the chat.
|
|
33
|
+
- It ignores robot-to-robot messages (those get handled earlier), and it ignores
|
|
34
|
+
anyone not on the allowed list.
|
|
35
|
+
- Writing the same boss twice is harmless, so a re-delivered message can't cause
|
|
36
|
+
trouble.
|
|
37
|
+
|
|
38
|
+
## What's deliberately left for next time
|
|
39
|
+
This fills in the cabinet on the agent's **main** message pipe (the one the whole
|
|
40
|
+
fleet uses). There's a second, simpler pipe (used when the agent talks to Telegram
|
|
41
|
+
directly without the relay) that this step doesn't cover yet, because that one's
|
|
42
|
+
wiring lives in a harder-to-test startup file. That's tracked as a small follow-up.
|
|
43
|
+
Until then, an agent on that simpler setup just doesn't auto-fill the cabinet —
|
|
44
|
+
which is safe, because no entry means no false boss. The final step after that
|
|
45
|
+
lets the agent's own safety checker USE the binding to catch itself if it ever
|
|
46
|
+
credits a decision to the wrong person.
|
|
@@ -0,0 +1,47 @@
|
|
|
1
|
+
# ELI16 — Telling the agent who its boss is, the moment it wakes up
|
|
2
|
+
|
|
3
|
+
## The one-sentence version
|
|
4
|
+
When the agent starts a conversation, it now gets handed a little note that says
|
|
5
|
+
"the verified boss of this chat is X" — so it knows from the very first message
|
|
6
|
+
who it's working for, instead of guessing from names it reads later.
|
|
7
|
+
|
|
8
|
+
## The backstory
|
|
9
|
+
We've been fixing a real problem: an agent on a shared computer slowly started
|
|
10
|
+
treating a *different real person* (call her Caroline) as its boss, because the
|
|
11
|
+
mix-up lived inside the agent's own writing where nothing was watching. To fix it
|
|
12
|
+
we built three pieces:
|
|
13
|
+
|
|
14
|
+
1. A filing cabinet (`TopicOperatorStore`) that remembers, per conversation, who
|
|
15
|
+
the verified boss is — and the rule is strict: the boss is decided ONLY by the
|
|
16
|
+
verified ID of whoever actually sent the message, never by a name typed in a
|
|
17
|
+
document.
|
|
18
|
+
2. Four web endpoints to read and set that binding (shipped last step).
|
|
19
|
+
3. **This step:** actually handing the agent that "who's your boss" note at the
|
|
20
|
+
start of every conversation.
|
|
21
|
+
|
|
22
|
+
## What this change adds
|
|
23
|
+
At session start, the agent already gets handed a few notes — the company's rules,
|
|
24
|
+
the preferences it has learned about you, and so on. This change adds one more
|
|
25
|
+
note to that pile: it quietly asks the server "who's the verified boss of this
|
|
26
|
+
chat?" and, if there's an answer, prints a short block telling the agent. The
|
|
27
|
+
block also reminds the agent: don't ever swap in some other name you happen to
|
|
28
|
+
read — an unfamiliar name in the boss's chair is a question to resolve, not a fact
|
|
29
|
+
to accept.
|
|
30
|
+
|
|
31
|
+
## Why it's safe
|
|
32
|
+
- It only **adds** a note; it changes nothing else about how sessions start.
|
|
33
|
+
- It's careful: it only runs if there's actually a chat topic and the server is
|
|
34
|
+
reachable. If the server can't answer, or nobody's been set as boss yet, it
|
|
35
|
+
prints nothing and the session goes on exactly as before.
|
|
36
|
+
- It can't *make* anyone the boss — it only shows the boss who was already
|
|
37
|
+
verified the safe way. So there's no way for this to repeat the Caroline mix-up.
|
|
38
|
+
- Every agent gets it automatically the next time it updates, because this note
|
|
39
|
+
lives in the startup script that always gets refreshed on update.
|
|
40
|
+
|
|
41
|
+
## What's still coming
|
|
42
|
+
Right now a boss gets recorded either by a one-time manual call, or — in the next
|
|
43
|
+
step — automatically whenever the verified boss sends a message. After that, a
|
|
44
|
+
final step will let the agent's own safety checker USE this binding to catch
|
|
45
|
+
itself if it ever credits a decision to the wrong person. This step is the
|
|
46
|
+
"agent can SEE its boss" piece; the "agent gets corrected if it forgets" piece
|
|
47
|
+
comes next.
|