instar 1.3.362 → 1.3.364

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1,82 @@
1
+ # Side-effects review — credential-resolution audit + boot coherence (Inc-P3d)
2
+
3
+ ## What this change does
4
+
5
+ Adds Caroline-class OBSERVABILITY to the per-agent credential-isolation
6
+ work: (1) the SafeGitExecutor funnel now records its identity-resolution
7
+ decisions (repo-local-strip / host-identity-inject) to
8
+ `.instar/audit/credential-resolution.jsonl`, and (2) `AgentServer.start()`
9
+ takes a one-line boot coherence sample comparing the agent's repo-local
10
+ identity against the machine's other identity surfaces (inherited identity
11
+ env vars, machine-global gitconfig, gh CLI auth-state presence). Both are
12
+ signal-only.
13
+
14
+ ## Decision boundary (both sides tested)
15
+
16
+ - Identity stripped (Caroline shape) → one `resolution` entry with
17
+ `decision: repo-local-strip` and the stripped keys. Proven by a REAL
18
+ funnel commit under a fully polluted env (integration tier).
19
+ - Nothing to strip → NO entry (unit tier).
20
+ - Host identity injected (repo without local identity) → one
21
+ `host-identity-inject` entry with the injected keys (unit tier).
22
+ - Boot with divergent surfaces → one `boot-coherence` entry + one console
23
+ warning; boot proceeds (e2e tier, real `AgentServer.start()`).
24
+ - Boot with clean surfaces → zero divergences (unit tier, deterministic via
25
+ a homeDir override so the host machine's real `~/.gitconfig` can't leak
26
+ into assertions).
27
+ - `INSTAR_AUDIT_LOG_DISABLED=1` → no writes anywhere; operations and boot
28
+ unaffected (unit + integration + e2e).
29
+
30
+ ## Blast radius
31
+
32
+ - `src/core/SafeGitExecutor.ts`: new exported `appendCredentialResolutionEntry`,
33
+ `auditBootCredentialCoherence`, `CredentialResolutionEntry`,
34
+ `BootCredentialCoherenceReport`; emit calls inside `sanitizeEnv` (both
35
+ branches). All probes and writes are pure `node:fs` — NO subprocess
36
+ (the P3a lesson: funnel-internal subprocess calls consume mocked
37
+ child_process sequences in downstream suites; verified GitSync.test.ts
38
+ stays green).
39
+ - `src/server/AgentServer.ts`: one fail-soft try/catch block in `start()`
40
+ calling the boot sampler with the stateDir's PARENT (the agent repo).
41
+ Console warning only when divergences exist.
42
+ - Write volume: resolution entries are deduped per process on
43
+ (decision, cwd, keys) — a sync loop records once, not per tick.
44
+ Boot-coherence is one line per server boot.
45
+ - Same `INSTAR_AUDIT_LOG_DIR` / `INSTAR_AUDIT_LOG_DISABLED` env overrides
46
+ as the existing destructive-ops audit; tests use them for isolation.
47
+ - No new routes (docs-coverage route floor untouched), no new core class
48
+ files (class floor untouched), no config flag, no migration surface.
49
+
50
+ ## Migration parity
51
+
52
+ No agent-installed files change (no hooks, no config defaults, no CLAUDE.md
53
+ template text, no skills). Behavior ships entirely in code on update.
54
+
55
+ ## Framework generality
56
+
57
+ Framework-agnostic — the funnel and the server boot path serve every
58
+ framework's instar install identically.
59
+
60
+ ## Tests
61
+
62
+ - `tests/unit/credential-resolution-audit.test.ts` — 10 tests: emit truth
63
+ table both sides, dedupe + reset, disable switch, boot coherence
64
+ (divergent env, clean surfaces, global-gitconfig divergence, gh
65
+ presence, not-a-repo never throws).
66
+ - `tests/integration/credential-resolution-funnel.test.ts` — 3 tests: the
67
+ OBSERVED Caroline replay (real funnel commit lands as the agent AND is
68
+ recorded), signal-only with auditing disabled, flood-control under a
69
+ sync-style loop.
70
+ - `tests/e2e/credential-coherence-boot.test.ts` — 4 tests: real
71
+ `AgentServer.start()` writes exactly one boot-coherence line with the
72
+ repo-local expected identity, flags the inherited env var, serves authed
73
+ requests despite divergence (200 not 503), boots clean with auditing
74
+ disabled.
75
+ - Regression canaries green: SafeGitExecutor (48), GitSync (16),
76
+ no-silent-fallbacks (5) — 69/69; tsc clean.
77
+
78
+ ## Rollback
79
+
80
+ Delete the emit calls in `sanitizeEnv`, the credential-audit block in
81
+ SafeGitExecutor, and the boot-sample block in `AgentServer.start()`. The
82
+ JSONL file is inert data; no state or config to unwind.