instar 1.3.362 → 1.3.364
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/core/SafeGitExecutor.d.ts +59 -1
- package/dist/core/SafeGitExecutor.d.ts.map +1 -1
- package/dist/core/SafeGitExecutor.js +295 -17
- package/dist/core/SafeGitExecutor.js.map +1 -1
- package/dist/server/AgentServer.d.ts.map +1 -1
- package/dist/server/AgentServer.js +18 -1
- package/dist/server/AgentServer.js.map +1 -1
- package/package.json +1 -1
- package/src/data/builtin-manifest.json +3 -3
- package/upgrades/1.3.363.md +40 -0
- package/upgrades/1.3.364.md +43 -0
- package/upgrades/side-effects/cred-isolation-p3a.md +76 -0
- package/upgrades/side-effects/cred-isolation-p3d.md +82 -0
|
@@ -0,0 +1,82 @@
|
|
|
1
|
+
# Side-effects review — credential-resolution audit + boot coherence (Inc-P3d)
|
|
2
|
+
|
|
3
|
+
## What this change does
|
|
4
|
+
|
|
5
|
+
Adds Caroline-class OBSERVABILITY to the per-agent credential-isolation
|
|
6
|
+
work: (1) the SafeGitExecutor funnel now records its identity-resolution
|
|
7
|
+
decisions (repo-local-strip / host-identity-inject) to
|
|
8
|
+
`.instar/audit/credential-resolution.jsonl`, and (2) `AgentServer.start()`
|
|
9
|
+
takes a one-line boot coherence sample comparing the agent's repo-local
|
|
10
|
+
identity against the machine's other identity surfaces (inherited identity
|
|
11
|
+
env vars, machine-global gitconfig, gh CLI auth-state presence). Both are
|
|
12
|
+
signal-only.
|
|
13
|
+
|
|
14
|
+
## Decision boundary (both sides tested)
|
|
15
|
+
|
|
16
|
+
- Identity stripped (Caroline shape) → one `resolution` entry with
|
|
17
|
+
`decision: repo-local-strip` and the stripped keys. Proven by a REAL
|
|
18
|
+
funnel commit under a fully polluted env (integration tier).
|
|
19
|
+
- Nothing to strip → NO entry (unit tier).
|
|
20
|
+
- Host identity injected (repo without local identity) → one
|
|
21
|
+
`host-identity-inject` entry with the injected keys (unit tier).
|
|
22
|
+
- Boot with divergent surfaces → one `boot-coherence` entry + one console
|
|
23
|
+
warning; boot proceeds (e2e tier, real `AgentServer.start()`).
|
|
24
|
+
- Boot with clean surfaces → zero divergences (unit tier, deterministic via
|
|
25
|
+
a homeDir override so the host machine's real `~/.gitconfig` can't leak
|
|
26
|
+
into assertions).
|
|
27
|
+
- `INSTAR_AUDIT_LOG_DISABLED=1` → no writes anywhere; operations and boot
|
|
28
|
+
unaffected (unit + integration + e2e).
|
|
29
|
+
|
|
30
|
+
## Blast radius
|
|
31
|
+
|
|
32
|
+
- `src/core/SafeGitExecutor.ts`: new exported `appendCredentialResolutionEntry`,
|
|
33
|
+
`auditBootCredentialCoherence`, `CredentialResolutionEntry`,
|
|
34
|
+
`BootCredentialCoherenceReport`; emit calls inside `sanitizeEnv` (both
|
|
35
|
+
branches). All probes and writes are pure `node:fs` — NO subprocess
|
|
36
|
+
(the P3a lesson: funnel-internal subprocess calls consume mocked
|
|
37
|
+
child_process sequences in downstream suites; verified GitSync.test.ts
|
|
38
|
+
stays green).
|
|
39
|
+
- `src/server/AgentServer.ts`: one fail-soft try/catch block in `start()`
|
|
40
|
+
calling the boot sampler with the stateDir's PARENT (the agent repo).
|
|
41
|
+
Console warning only when divergences exist.
|
|
42
|
+
- Write volume: resolution entries are deduped per process on
|
|
43
|
+
(decision, cwd, keys) — a sync loop records once, not per tick.
|
|
44
|
+
Boot-coherence is one line per server boot.
|
|
45
|
+
- Same `INSTAR_AUDIT_LOG_DIR` / `INSTAR_AUDIT_LOG_DISABLED` env overrides
|
|
46
|
+
as the existing destructive-ops audit; tests use them for isolation.
|
|
47
|
+
- No new routes (docs-coverage route floor untouched), no new core class
|
|
48
|
+
files (class floor untouched), no config flag, no migration surface.
|
|
49
|
+
|
|
50
|
+
## Migration parity
|
|
51
|
+
|
|
52
|
+
No agent-installed files change (no hooks, no config defaults, no CLAUDE.md
|
|
53
|
+
template text, no skills). Behavior ships entirely in code on update.
|
|
54
|
+
|
|
55
|
+
## Framework generality
|
|
56
|
+
|
|
57
|
+
Framework-agnostic — the funnel and the server boot path serve every
|
|
58
|
+
framework's instar install identically.
|
|
59
|
+
|
|
60
|
+
## Tests
|
|
61
|
+
|
|
62
|
+
- `tests/unit/credential-resolution-audit.test.ts` — 10 tests: emit truth
|
|
63
|
+
table both sides, dedupe + reset, disable switch, boot coherence
|
|
64
|
+
(divergent env, clean surfaces, global-gitconfig divergence, gh
|
|
65
|
+
presence, not-a-repo never throws).
|
|
66
|
+
- `tests/integration/credential-resolution-funnel.test.ts` — 3 tests: the
|
|
67
|
+
OBSERVED Caroline replay (real funnel commit lands as the agent AND is
|
|
68
|
+
recorded), signal-only with auditing disabled, flood-control under a
|
|
69
|
+
sync-style loop.
|
|
70
|
+
- `tests/e2e/credential-coherence-boot.test.ts` — 4 tests: real
|
|
71
|
+
`AgentServer.start()` writes exactly one boot-coherence line with the
|
|
72
|
+
repo-local expected identity, flags the inherited env var, serves authed
|
|
73
|
+
requests despite divergence (200 not 503), boots clean with auditing
|
|
74
|
+
disabled.
|
|
75
|
+
- Regression canaries green: SafeGitExecutor (48), GitSync (16),
|
|
76
|
+
no-silent-fallbacks (5) — 69/69; tsc clean.
|
|
77
|
+
|
|
78
|
+
## Rollback
|
|
79
|
+
|
|
80
|
+
Delete the emit calls in `sanitizeEnv`, the credential-audit block in
|
|
81
|
+
SafeGitExecutor, and the boot-sample block in `AgentServer.start()`. The
|
|
82
|
+
JSONL file is inert data; no state or config to unwind.
|