instar 1.3.394 → 1.3.396
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/commands/server.d.ts.map +1 -1
- package/dist/commands/server.js +17 -1
- package/dist/commands/server.js.map +1 -1
- package/dist/core/QuotaPoller.d.ts +120 -0
- package/dist/core/QuotaPoller.d.ts.map +1 -0
- package/dist/core/QuotaPoller.js +286 -0
- package/dist/core/QuotaPoller.js.map +1 -0
- package/dist/lifeline/MessageQueue.d.ts +25 -1
- package/dist/lifeline/MessageQueue.d.ts.map +1 -1
- package/dist/lifeline/MessageQueue.js +30 -0
- package/dist/lifeline/MessageQueue.js.map +1 -1
- package/dist/lifeline/TelegramLifeline.d.ts +12 -2
- package/dist/lifeline/TelegramLifeline.d.ts.map +1 -1
- package/dist/lifeline/TelegramLifeline.js +83 -70
- package/dist/lifeline/TelegramLifeline.js.map +1 -1
- package/dist/lifeline/replayPolicy.d.ts +66 -0
- package/dist/lifeline/replayPolicy.d.ts.map +1 -0
- package/dist/lifeline/replayPolicy.js +86 -0
- package/dist/lifeline/replayPolicy.js.map +1 -0
- package/dist/server/AgentServer.d.ts +1 -0
- package/dist/server/AgentServer.d.ts.map +1 -1
- package/dist/server/AgentServer.js +1 -0
- package/dist/server/AgentServer.js.map +1 -1
- package/dist/server/routes.d.ts +2 -0
- package/dist/server/routes.d.ts.map +1 -1
- package/dist/server/routes.js +36 -0
- package/dist/server/routes.js.map +1 -1
- package/package.json +1 -1
- package/scripts/lint-no-direct-llm-http.js +6 -0
- package/src/data/builtin-manifest.json +48 -48
- package/upgrades/1.3.395.md +57 -0
- package/upgrades/1.3.396.md +31 -0
- package/upgrades/side-effects/lifeline-replay-budget-classification.md +97 -0
- package/upgrades/side-effects/subscription-quota-poller.md +71 -0
package/package.json
CHANGED
|
@@ -53,6 +53,12 @@ const ALLOWLIST = new Set([
|
|
|
53
53
|
'src/providers/adapters/anthropic-headless/errors.ts',
|
|
54
54
|
'src/providers/adapters/anthropic-headless/_smoketest.ts',
|
|
55
55
|
'src/providers/adapters/anthropic-headless/capability/fileSystemAccess.ts',
|
|
56
|
+
// Subscription & Auth Standard P1.2: QuotaPoller calls the READ-ONLY
|
|
57
|
+
// /api/oauth/usage telemetry endpoint (the same one the official client's
|
|
58
|
+
// /usage screen calls) to read per-account quota — NOT an LLM inference call,
|
|
59
|
+
// so there is nothing for burn-detection to attribute. Same class as the
|
|
60
|
+
// anthropic-headless usageMeterProvider above.
|
|
61
|
+
'src/core/QuotaPoller.ts',
|
|
56
62
|
]);
|
|
57
63
|
|
|
58
64
|
/**
|
|
@@ -1,8 +1,8 @@
|
|
|
1
1
|
{
|
|
2
2
|
"$schema": "./builtin-manifest.schema.json",
|
|
3
3
|
"schemaVersion": 1,
|
|
4
|
-
"generatedAt": "2026-06-
|
|
5
|
-
"instarVersion": "1.3.
|
|
4
|
+
"generatedAt": "2026-06-07T06:08:26.779Z",
|
|
5
|
+
"instarVersion": "1.3.396",
|
|
6
6
|
"entryCount": 199,
|
|
7
7
|
"entries": {
|
|
8
8
|
"hook:session-start": {
|
|
@@ -418,7 +418,7 @@
|
|
|
418
418
|
"type": "route-group",
|
|
419
419
|
"domain": "monitoring",
|
|
420
420
|
"sourcePath": "src/server/routes.ts",
|
|
421
|
-
"contentHash": "
|
|
421
|
+
"contentHash": "397e804f5973a87f0b4476495e57b80d1dca0394c2928753539e91a7761ab6cf",
|
|
422
422
|
"since": "2025-01-01"
|
|
423
423
|
},
|
|
424
424
|
"route-group:agents": {
|
|
@@ -426,7 +426,7 @@
|
|
|
426
426
|
"type": "route-group",
|
|
427
427
|
"domain": "sessions",
|
|
428
428
|
"sourcePath": "src/server/routes.ts",
|
|
429
|
-
"contentHash": "
|
|
429
|
+
"contentHash": "397e804f5973a87f0b4476495e57b80d1dca0394c2928753539e91a7761ab6cf",
|
|
430
430
|
"since": "2025-01-01"
|
|
431
431
|
},
|
|
432
432
|
"route-group:backups": {
|
|
@@ -434,7 +434,7 @@
|
|
|
434
434
|
"type": "route-group",
|
|
435
435
|
"domain": "operations",
|
|
436
436
|
"sourcePath": "src/server/routes.ts",
|
|
437
|
-
"contentHash": "
|
|
437
|
+
"contentHash": "397e804f5973a87f0b4476495e57b80d1dca0394c2928753539e91a7761ab6cf",
|
|
438
438
|
"since": "2025-01-01"
|
|
439
439
|
},
|
|
440
440
|
"route-group:git": {
|
|
@@ -442,7 +442,7 @@
|
|
|
442
442
|
"type": "route-group",
|
|
443
443
|
"domain": "coordination",
|
|
444
444
|
"sourcePath": "src/server/routes.ts",
|
|
445
|
-
"contentHash": "
|
|
445
|
+
"contentHash": "397e804f5973a87f0b4476495e57b80d1dca0394c2928753539e91a7761ab6cf",
|
|
446
446
|
"since": "2025-01-01"
|
|
447
447
|
},
|
|
448
448
|
"route-group:memory": {
|
|
@@ -450,7 +450,7 @@
|
|
|
450
450
|
"type": "route-group",
|
|
451
451
|
"domain": "memory",
|
|
452
452
|
"sourcePath": "src/server/routes.ts",
|
|
453
|
-
"contentHash": "
|
|
453
|
+
"contentHash": "397e804f5973a87f0b4476495e57b80d1dca0394c2928753539e91a7761ab6cf",
|
|
454
454
|
"since": "2025-01-01"
|
|
455
455
|
},
|
|
456
456
|
"route-group:semantic": {
|
|
@@ -458,7 +458,7 @@
|
|
|
458
458
|
"type": "route-group",
|
|
459
459
|
"domain": "memory",
|
|
460
460
|
"sourcePath": "src/server/routes.ts",
|
|
461
|
-
"contentHash": "
|
|
461
|
+
"contentHash": "397e804f5973a87f0b4476495e57b80d1dca0394c2928753539e91a7761ab6cf",
|
|
462
462
|
"since": "2025-01-01"
|
|
463
463
|
},
|
|
464
464
|
"route-group:status": {
|
|
@@ -466,7 +466,7 @@
|
|
|
466
466
|
"type": "route-group",
|
|
467
467
|
"domain": "monitoring",
|
|
468
468
|
"sourcePath": "src/server/routes.ts",
|
|
469
|
-
"contentHash": "
|
|
469
|
+
"contentHash": "397e804f5973a87f0b4476495e57b80d1dca0394c2928753539e91a7761ab6cf",
|
|
470
470
|
"since": "2025-01-01"
|
|
471
471
|
},
|
|
472
472
|
"route-group:capabilities": {
|
|
@@ -474,7 +474,7 @@
|
|
|
474
474
|
"type": "route-group",
|
|
475
475
|
"domain": "mapping",
|
|
476
476
|
"sourcePath": "src/server/routes.ts",
|
|
477
|
-
"contentHash": "
|
|
477
|
+
"contentHash": "397e804f5973a87f0b4476495e57b80d1dca0394c2928753539e91a7761ab6cf",
|
|
478
478
|
"since": "2025-01-01"
|
|
479
479
|
},
|
|
480
480
|
"route-group:project-map": {
|
|
@@ -482,7 +482,7 @@
|
|
|
482
482
|
"type": "route-group",
|
|
483
483
|
"domain": "mapping",
|
|
484
484
|
"sourcePath": "src/server/routes.ts",
|
|
485
|
-
"contentHash": "
|
|
485
|
+
"contentHash": "397e804f5973a87f0b4476495e57b80d1dca0394c2928753539e91a7761ab6cf",
|
|
486
486
|
"since": "2025-01-01"
|
|
487
487
|
},
|
|
488
488
|
"route-group:coherence": {
|
|
@@ -490,7 +490,7 @@
|
|
|
490
490
|
"type": "route-group",
|
|
491
491
|
"domain": "coherence",
|
|
492
492
|
"sourcePath": "src/server/routes.ts",
|
|
493
|
-
"contentHash": "
|
|
493
|
+
"contentHash": "397e804f5973a87f0b4476495e57b80d1dca0394c2928753539e91a7761ab6cf",
|
|
494
494
|
"since": "2025-01-01"
|
|
495
495
|
},
|
|
496
496
|
"route-group:topic-bindings": {
|
|
@@ -498,7 +498,7 @@
|
|
|
498
498
|
"type": "route-group",
|
|
499
499
|
"domain": "sessions",
|
|
500
500
|
"sourcePath": "src/server/routes.ts",
|
|
501
|
-
"contentHash": "
|
|
501
|
+
"contentHash": "397e804f5973a87f0b4476495e57b80d1dca0394c2928753539e91a7761ab6cf",
|
|
502
502
|
"since": "2025-01-01"
|
|
503
503
|
},
|
|
504
504
|
"route-group:context": {
|
|
@@ -506,7 +506,7 @@
|
|
|
506
506
|
"type": "route-group",
|
|
507
507
|
"domain": "context",
|
|
508
508
|
"sourcePath": "src/server/routes.ts",
|
|
509
|
-
"contentHash": "
|
|
509
|
+
"contentHash": "397e804f5973a87f0b4476495e57b80d1dca0394c2928753539e91a7761ab6cf",
|
|
510
510
|
"since": "2025-01-01"
|
|
511
511
|
},
|
|
512
512
|
"route-group:scope-coherence": {
|
|
@@ -514,7 +514,7 @@
|
|
|
514
514
|
"type": "route-group",
|
|
515
515
|
"domain": "coherence",
|
|
516
516
|
"sourcePath": "src/server/routes.ts",
|
|
517
|
-
"contentHash": "
|
|
517
|
+
"contentHash": "397e804f5973a87f0b4476495e57b80d1dca0394c2928753539e91a7761ab6cf",
|
|
518
518
|
"since": "2025-01-01"
|
|
519
519
|
},
|
|
520
520
|
"route-group:canonical-state": {
|
|
@@ -522,7 +522,7 @@
|
|
|
522
522
|
"type": "route-group",
|
|
523
523
|
"domain": "state",
|
|
524
524
|
"sourcePath": "src/server/routes.ts",
|
|
525
|
-
"contentHash": "
|
|
525
|
+
"contentHash": "397e804f5973a87f0b4476495e57b80d1dca0394c2928753539e91a7761ab6cf",
|
|
526
526
|
"since": "2025-01-01"
|
|
527
527
|
},
|
|
528
528
|
"route-group:ci": {
|
|
@@ -530,7 +530,7 @@
|
|
|
530
530
|
"type": "route-group",
|
|
531
531
|
"domain": "monitoring",
|
|
532
532
|
"sourcePath": "src/server/routes.ts",
|
|
533
|
-
"contentHash": "
|
|
533
|
+
"contentHash": "397e804f5973a87f0b4476495e57b80d1dca0394c2928753539e91a7761ab6cf",
|
|
534
534
|
"since": "2025-01-01"
|
|
535
535
|
},
|
|
536
536
|
"route-group:sessions": {
|
|
@@ -538,7 +538,7 @@
|
|
|
538
538
|
"type": "route-group",
|
|
539
539
|
"domain": "sessions",
|
|
540
540
|
"sourcePath": "src/server/routes.ts",
|
|
541
|
-
"contentHash": "
|
|
541
|
+
"contentHash": "397e804f5973a87f0b4476495e57b80d1dca0394c2928753539e91a7761ab6cf",
|
|
542
542
|
"since": "2025-01-01"
|
|
543
543
|
},
|
|
544
544
|
"route-group:jobs": {
|
|
@@ -546,7 +546,7 @@
|
|
|
546
546
|
"type": "route-group",
|
|
547
547
|
"domain": "scheduling",
|
|
548
548
|
"sourcePath": "src/server/routes.ts",
|
|
549
|
-
"contentHash": "
|
|
549
|
+
"contentHash": "397e804f5973a87f0b4476495e57b80d1dca0394c2928753539e91a7761ab6cf",
|
|
550
550
|
"since": "2025-01-01"
|
|
551
551
|
},
|
|
552
552
|
"route-group:skip-ledger": {
|
|
@@ -554,7 +554,7 @@
|
|
|
554
554
|
"type": "route-group",
|
|
555
555
|
"domain": "scheduling",
|
|
556
556
|
"sourcePath": "src/server/routes.ts",
|
|
557
|
-
"contentHash": "
|
|
557
|
+
"contentHash": "397e804f5973a87f0b4476495e57b80d1dca0394c2928753539e91a7761ab6cf",
|
|
558
558
|
"since": "2025-01-01"
|
|
559
559
|
},
|
|
560
560
|
"route-group:telegram": {
|
|
@@ -562,7 +562,7 @@
|
|
|
562
562
|
"type": "route-group",
|
|
563
563
|
"domain": "communication",
|
|
564
564
|
"sourcePath": "src/server/routes.ts",
|
|
565
|
-
"contentHash": "
|
|
565
|
+
"contentHash": "397e804f5973a87f0b4476495e57b80d1dca0394c2928753539e91a7761ab6cf",
|
|
566
566
|
"since": "2025-01-01"
|
|
567
567
|
},
|
|
568
568
|
"route-group:attention": {
|
|
@@ -570,7 +570,7 @@
|
|
|
570
570
|
"type": "route-group",
|
|
571
571
|
"domain": "communication",
|
|
572
572
|
"sourcePath": "src/server/routes.ts",
|
|
573
|
-
"contentHash": "
|
|
573
|
+
"contentHash": "397e804f5973a87f0b4476495e57b80d1dca0394c2928753539e91a7761ab6cf",
|
|
574
574
|
"since": "2025-01-01"
|
|
575
575
|
},
|
|
576
576
|
"route-group:relationships": {
|
|
@@ -578,7 +578,7 @@
|
|
|
578
578
|
"type": "route-group",
|
|
579
579
|
"domain": "relationships",
|
|
580
580
|
"sourcePath": "src/server/routes.ts",
|
|
581
|
-
"contentHash": "
|
|
581
|
+
"contentHash": "397e804f5973a87f0b4476495e57b80d1dca0394c2928753539e91a7761ab6cf",
|
|
582
582
|
"since": "2025-01-01"
|
|
583
583
|
},
|
|
584
584
|
"route-group:feedback": {
|
|
@@ -586,7 +586,7 @@
|
|
|
586
586
|
"type": "route-group",
|
|
587
587
|
"domain": "feedback",
|
|
588
588
|
"sourcePath": "src/server/routes.ts",
|
|
589
|
-
"contentHash": "
|
|
589
|
+
"contentHash": "397e804f5973a87f0b4476495e57b80d1dca0394c2928753539e91a7761ab6cf",
|
|
590
590
|
"since": "2025-01-01"
|
|
591
591
|
},
|
|
592
592
|
"route-group:updates": {
|
|
@@ -594,7 +594,7 @@
|
|
|
594
594
|
"type": "route-group",
|
|
595
595
|
"domain": "updates",
|
|
596
596
|
"sourcePath": "src/server/routes.ts",
|
|
597
|
-
"contentHash": "
|
|
597
|
+
"contentHash": "397e804f5973a87f0b4476495e57b80d1dca0394c2928753539e91a7761ab6cf",
|
|
598
598
|
"since": "2025-01-01"
|
|
599
599
|
},
|
|
600
600
|
"route-group:dispatches": {
|
|
@@ -602,7 +602,7 @@
|
|
|
602
602
|
"type": "route-group",
|
|
603
603
|
"domain": "dispatches",
|
|
604
604
|
"sourcePath": "src/server/routes.ts",
|
|
605
|
-
"contentHash": "
|
|
605
|
+
"contentHash": "397e804f5973a87f0b4476495e57b80d1dca0394c2928753539e91a7761ab6cf",
|
|
606
606
|
"since": "2025-01-01"
|
|
607
607
|
},
|
|
608
608
|
"route-group:quota": {
|
|
@@ -610,7 +610,7 @@
|
|
|
610
610
|
"type": "route-group",
|
|
611
611
|
"domain": "monitoring",
|
|
612
612
|
"sourcePath": "src/server/routes.ts",
|
|
613
|
-
"contentHash": "
|
|
613
|
+
"contentHash": "397e804f5973a87f0b4476495e57b80d1dca0394c2928753539e91a7761ab6cf",
|
|
614
614
|
"since": "2025-01-01"
|
|
615
615
|
},
|
|
616
616
|
"route-group:publishing": {
|
|
@@ -618,7 +618,7 @@
|
|
|
618
618
|
"type": "route-group",
|
|
619
619
|
"domain": "publishing",
|
|
620
620
|
"sourcePath": "src/server/routes.ts",
|
|
621
|
-
"contentHash": "
|
|
621
|
+
"contentHash": "397e804f5973a87f0b4476495e57b80d1dca0394c2928753539e91a7761ab6cf",
|
|
622
622
|
"since": "2025-01-01"
|
|
623
623
|
},
|
|
624
624
|
"route-group:private-views": {
|
|
@@ -626,7 +626,7 @@
|
|
|
626
626
|
"type": "route-group",
|
|
627
627
|
"domain": "publishing",
|
|
628
628
|
"sourcePath": "src/server/routes.ts",
|
|
629
|
-
"contentHash": "
|
|
629
|
+
"contentHash": "397e804f5973a87f0b4476495e57b80d1dca0394c2928753539e91a7761ab6cf",
|
|
630
630
|
"since": "2025-01-01"
|
|
631
631
|
},
|
|
632
632
|
"route-group:tunnel": {
|
|
@@ -634,7 +634,7 @@
|
|
|
634
634
|
"type": "route-group",
|
|
635
635
|
"domain": "networking",
|
|
636
636
|
"sourcePath": "src/server/routes.ts",
|
|
637
|
-
"contentHash": "
|
|
637
|
+
"contentHash": "397e804f5973a87f0b4476495e57b80d1dca0394c2928753539e91a7761ab6cf",
|
|
638
638
|
"since": "2025-01-01"
|
|
639
639
|
},
|
|
640
640
|
"route-group:events": {
|
|
@@ -642,7 +642,7 @@
|
|
|
642
642
|
"type": "route-group",
|
|
643
643
|
"domain": "networking",
|
|
644
644
|
"sourcePath": "src/server/routes.ts",
|
|
645
|
-
"contentHash": "
|
|
645
|
+
"contentHash": "397e804f5973a87f0b4476495e57b80d1dca0394c2928753539e91a7761ab6cf",
|
|
646
646
|
"since": "2025-01-01"
|
|
647
647
|
},
|
|
648
648
|
"route-group:evolution": {
|
|
@@ -650,7 +650,7 @@
|
|
|
650
650
|
"type": "route-group",
|
|
651
651
|
"domain": "evolution",
|
|
652
652
|
"sourcePath": "src/server/routes.ts",
|
|
653
|
-
"contentHash": "
|
|
653
|
+
"contentHash": "397e804f5973a87f0b4476495e57b80d1dca0394c2928753539e91a7761ab6cf",
|
|
654
654
|
"since": "2025-01-01"
|
|
655
655
|
},
|
|
656
656
|
"route-group:watchdog": {
|
|
@@ -658,7 +658,7 @@
|
|
|
658
658
|
"type": "route-group",
|
|
659
659
|
"domain": "monitoring",
|
|
660
660
|
"sourcePath": "src/server/routes.ts",
|
|
661
|
-
"contentHash": "
|
|
661
|
+
"contentHash": "397e804f5973a87f0b4476495e57b80d1dca0394c2928753539e91a7761ab6cf",
|
|
662
662
|
"since": "2025-01-01"
|
|
663
663
|
},
|
|
664
664
|
"route-group:topic-memory": {
|
|
@@ -666,7 +666,7 @@
|
|
|
666
666
|
"type": "route-group",
|
|
667
667
|
"domain": "memory",
|
|
668
668
|
"sourcePath": "src/server/routes.ts",
|
|
669
|
-
"contentHash": "
|
|
669
|
+
"contentHash": "397e804f5973a87f0b4476495e57b80d1dca0394c2928753539e91a7761ab6cf",
|
|
670
670
|
"since": "2025-01-01"
|
|
671
671
|
},
|
|
672
672
|
"route-group:state-sync": {
|
|
@@ -674,7 +674,7 @@
|
|
|
674
674
|
"type": "route-group",
|
|
675
675
|
"domain": "coordination",
|
|
676
676
|
"sourcePath": "src/server/routes.ts",
|
|
677
|
-
"contentHash": "
|
|
677
|
+
"contentHash": "397e804f5973a87f0b4476495e57b80d1dca0394c2928753539e91a7761ab6cf",
|
|
678
678
|
"since": "2025-01-01"
|
|
679
679
|
},
|
|
680
680
|
"route-group:intent": {
|
|
@@ -682,7 +682,7 @@
|
|
|
682
682
|
"type": "route-group",
|
|
683
683
|
"domain": "intent",
|
|
684
684
|
"sourcePath": "src/server/routes.ts",
|
|
685
|
-
"contentHash": "
|
|
685
|
+
"contentHash": "397e804f5973a87f0b4476495e57b80d1dca0394c2928753539e91a7761ab6cf",
|
|
686
686
|
"since": "2025-01-01"
|
|
687
687
|
},
|
|
688
688
|
"route-group:triage": {
|
|
@@ -690,7 +690,7 @@
|
|
|
690
690
|
"type": "route-group",
|
|
691
691
|
"domain": "safety",
|
|
692
692
|
"sourcePath": "src/server/routes.ts",
|
|
693
|
-
"contentHash": "
|
|
693
|
+
"contentHash": "397e804f5973a87f0b4476495e57b80d1dca0394c2928753539e91a7761ab6cf",
|
|
694
694
|
"since": "2025-01-01"
|
|
695
695
|
},
|
|
696
696
|
"route-group:operations": {
|
|
@@ -698,7 +698,7 @@
|
|
|
698
698
|
"type": "route-group",
|
|
699
699
|
"domain": "safety",
|
|
700
700
|
"sourcePath": "src/server/routes.ts",
|
|
701
|
-
"contentHash": "
|
|
701
|
+
"contentHash": "397e804f5973a87f0b4476495e57b80d1dca0394c2928753539e91a7761ab6cf",
|
|
702
702
|
"since": "2025-01-01"
|
|
703
703
|
},
|
|
704
704
|
"route-group:sentinel": {
|
|
@@ -706,7 +706,7 @@
|
|
|
706
706
|
"type": "route-group",
|
|
707
707
|
"domain": "safety",
|
|
708
708
|
"sourcePath": "src/server/routes.ts",
|
|
709
|
-
"contentHash": "
|
|
709
|
+
"contentHash": "397e804f5973a87f0b4476495e57b80d1dca0394c2928753539e91a7761ab6cf",
|
|
710
710
|
"since": "2025-01-01"
|
|
711
711
|
},
|
|
712
712
|
"route-group:trust": {
|
|
@@ -714,7 +714,7 @@
|
|
|
714
714
|
"type": "route-group",
|
|
715
715
|
"domain": "safety",
|
|
716
716
|
"sourcePath": "src/server/routes.ts",
|
|
717
|
-
"contentHash": "
|
|
717
|
+
"contentHash": "397e804f5973a87f0b4476495e57b80d1dca0394c2928753539e91a7761ab6cf",
|
|
718
718
|
"since": "2025-01-01"
|
|
719
719
|
},
|
|
720
720
|
"route-group:monitoring": {
|
|
@@ -722,7 +722,7 @@
|
|
|
722
722
|
"type": "route-group",
|
|
723
723
|
"domain": "monitoring",
|
|
724
724
|
"sourcePath": "src/server/routes.ts",
|
|
725
|
-
"contentHash": "
|
|
725
|
+
"contentHash": "397e804f5973a87f0b4476495e57b80d1dca0394c2928753539e91a7761ab6cf",
|
|
726
726
|
"since": "2025-01-01"
|
|
727
727
|
},
|
|
728
728
|
"route-group:commitments": {
|
|
@@ -730,7 +730,7 @@
|
|
|
730
730
|
"type": "route-group",
|
|
731
731
|
"domain": "commitments",
|
|
732
732
|
"sourcePath": "src/server/routes.ts",
|
|
733
|
-
"contentHash": "
|
|
733
|
+
"contentHash": "397e804f5973a87f0b4476495e57b80d1dca0394c2928753539e91a7761ab6cf",
|
|
734
734
|
"since": "2025-01-01"
|
|
735
735
|
},
|
|
736
736
|
"route-group:episodes": {
|
|
@@ -738,7 +738,7 @@
|
|
|
738
738
|
"type": "route-group",
|
|
739
739
|
"domain": "memory",
|
|
740
740
|
"sourcePath": "src/server/routes.ts",
|
|
741
|
-
"contentHash": "
|
|
741
|
+
"contentHash": "397e804f5973a87f0b4476495e57b80d1dca0394c2928753539e91a7761ab6cf",
|
|
742
742
|
"since": "2025-01-01"
|
|
743
743
|
},
|
|
744
744
|
"route-group:messages": {
|
|
@@ -746,7 +746,7 @@
|
|
|
746
746
|
"type": "route-group",
|
|
747
747
|
"domain": "coordination",
|
|
748
748
|
"sourcePath": "src/server/routes.ts",
|
|
749
|
-
"contentHash": "
|
|
749
|
+
"contentHash": "397e804f5973a87f0b4476495e57b80d1dca0394c2928753539e91a7761ab6cf",
|
|
750
750
|
"since": "2025-01-01"
|
|
751
751
|
},
|
|
752
752
|
"route-group:system-reviews": {
|
|
@@ -754,7 +754,7 @@
|
|
|
754
754
|
"type": "route-group",
|
|
755
755
|
"domain": "monitoring",
|
|
756
756
|
"sourcePath": "src/server/routes.ts",
|
|
757
|
-
"contentHash": "
|
|
757
|
+
"contentHash": "397e804f5973a87f0b4476495e57b80d1dca0394c2928753539e91a7761ab6cf",
|
|
758
758
|
"since": "2025-01-01"
|
|
759
759
|
},
|
|
760
760
|
"route-group:machine-mesh": {
|
|
@@ -770,7 +770,7 @@
|
|
|
770
770
|
"type": "route-group",
|
|
771
771
|
"domain": "security",
|
|
772
772
|
"sourcePath": "src/server/routes.ts",
|
|
773
|
-
"contentHash": "
|
|
773
|
+
"contentHash": "397e804f5973a87f0b4476495e57b80d1dca0394c2928753539e91a7761ab6cf",
|
|
774
774
|
"since": "2025-01-01"
|
|
775
775
|
},
|
|
776
776
|
"cli:init": {
|
|
@@ -1506,7 +1506,7 @@
|
|
|
1506
1506
|
"type": "subsystem",
|
|
1507
1507
|
"domain": "server",
|
|
1508
1508
|
"sourcePath": "src/server/AgentServer.ts",
|
|
1509
|
-
"contentHash": "
|
|
1509
|
+
"contentHash": "fd430ec1928c24390016a239a8dc013cbb0c02c5156caf4dd7e3e8e987a77e8d",
|
|
1510
1510
|
"since": "2025-01-01"
|
|
1511
1511
|
},
|
|
1512
1512
|
"subsystem:session-manager": {
|
|
@@ -1570,7 +1570,7 @@
|
|
|
1570
1570
|
"type": "subsystem",
|
|
1571
1571
|
"domain": "communication",
|
|
1572
1572
|
"sourcePath": "src/lifeline/TelegramLifeline.ts",
|
|
1573
|
-
"contentHash": "
|
|
1573
|
+
"contentHash": "66d80ca0ef55324cf73f3ec2a1a32791d5d104fe995cb2bb0f7135859770b6fa",
|
|
1574
1574
|
"since": "2025-01-01"
|
|
1575
1575
|
},
|
|
1576
1576
|
"subsystem:orphan-process-reaper": {
|
|
@@ -0,0 +1,57 @@
|
|
|
1
|
+
# Upgrade Guide — vNEXT
|
|
2
|
+
|
|
3
|
+
<!-- assembled-by: assemble-next-md -->
|
|
4
|
+
<!-- bump: minor -->
|
|
5
|
+
|
|
6
|
+
## What Changed
|
|
7
|
+
|
|
8
|
+
Added `QuotaPoller` — the second piece of the Subscription & Auth Standard, built
|
|
9
|
+
on the P1.1 account registry. For each enrolled Claude account it reads live
|
|
10
|
+
usage (5-hour and weekly utilization, reset dates, per-model breakdown, and
|
|
11
|
+
extra-usage credit state) and writes that snapshot onto the account in the
|
|
12
|
+
registry. It also computes a MEASURED burn rate (utilization points per hour from
|
|
13
|
+
consecutive reads) rather than relying on call counts, which the auto-swap
|
|
14
|
+
scheduler (P1.3) will use to drain each account before its reset and switch
|
|
15
|
+
before a limit.
|
|
16
|
+
|
|
17
|
+
Read mechanism (operator decision C, hybrid): the poller resolves each account's
|
|
18
|
+
login token transiently from that account's own config home — never persisted,
|
|
19
|
+
never logged — and calls the read-only Anthropic usage endpoint (the same one
|
|
20
|
+
the official client's usage screen calls) at low frequency, stamping each
|
|
21
|
+
snapshot with its source. A hands-on finding shaped this: Claude Code does not
|
|
22
|
+
persist usage to disk or expose a non-interactive usage command, so the "have the
|
|
23
|
+
client report its own usage" primary we sketched does not exist; the endpoint
|
|
24
|
+
read is the only viable mechanism and it stays inside the subscription-only,
|
|
25
|
+
official-login-reused bounds. An authentication failure flags the account for
|
|
26
|
+
re-login; a later clean read clears the flag.
|
|
27
|
+
|
|
28
|
+
Two new routes under the existing subscription-pool surface: an on-demand poll
|
|
29
|
+
trigger and a per-account quota+burn-rate read. The background poll loop runs
|
|
30
|
+
only when at least one account is enrolled, so single-account agents and agents
|
|
31
|
+
with an empty pool are completely unaffected. Coverage: 16 tests across all three
|
|
32
|
+
tiers, fully hermetic (injected fetch and token resolver — zero credentials, zero
|
|
33
|
+
network), including the feature-alive check that the poll route answers in both
|
|
34
|
+
the dark and live states.
|
|
35
|
+
|
|
36
|
+
## What to Tell Your User
|
|
37
|
+
|
|
38
|
+
I can now read how much of each of your subscription accounts you've used — the
|
|
39
|
+
5-hour and weekly windows, when they reset, and how fast each one is burning down
|
|
40
|
+
— and I keep that fresh in the background. I never store your actual login
|
|
41
|
+
secrets to do it; I read them just for the moment of the check and let them go.
|
|
42
|
+
Nothing switches accounts yet — that's the next piece. This is still switched off
|
|
43
|
+
until you enrol accounts, and it only ever reads, never changes anything.
|
|
44
|
+
|
|
45
|
+
## Summary of New Capabilities
|
|
46
|
+
|
|
47
|
+
- **Per-account live quota** — for each enrolled Claude account: 5-hour and weekly
|
|
48
|
+
utilization, reset dates, per-model breakdown, extra-usage credits. Stored on
|
|
49
|
+
the account and refreshed on a low-frequency background loop (only when accounts
|
|
50
|
+
exist) plus an on-demand poll.
|
|
51
|
+
- **Measured burn rate** — utilization points per hour from consecutive reads, so
|
|
52
|
+
the upcoming scheduler decides on real burn, not call volume.
|
|
53
|
+
- **Re-auth detection** — an account whose usage read returns an auth error is
|
|
54
|
+
flagged for re-login, and a later clean read clears it automatically.
|
|
55
|
+
- **Read-only + dark + transient tokens** — observe-only (no behavior change),
|
|
56
|
+
inactive until accounts are enrolled, and login tokens are read transiently and
|
|
57
|
+
never persisted or logged.
|
|
@@ -0,0 +1,31 @@
|
|
|
1
|
+
# Upgrade Guide — vNEXT
|
|
2
|
+
|
|
3
|
+
<!-- assembled-by: assemble-next-md -->
|
|
4
|
+
<!-- bump: patch -->
|
|
5
|
+
|
|
6
|
+
## What Changed
|
|
7
|
+
|
|
8
|
+
Fixes two real defects in the Telegram lifeline's queue-replay path that, together, caused the "incoherent reply to a one-message topic" symptom (2026-06-06, topic 21487): a user's substantive message was lost during a server CPU-starvation episode, then a later short nudge spawned a session with no context that confabulated an unrelated status report.
|
|
9
|
+
|
|
10
|
+
1. **False-drop fix.** `replayQueue` previously burned a single failure counter on every forward failure while `supervisor.healthy` was true. Under CPU starvation the server is healthy-but-too-slow, so forwards time out, all 3 attempts burn in ~90s, and the real message is dropped ("Handoff to server failed after 3 replay attempts" — 32 such drops on echo, including live operator messages). A new `forwardToServerClassified` distinguishes a genuine HTTP-400 rejection (`poison` — the only message-specific failure) from transient timeout/5xx/503/network/skew failures. A new pure `decideReplay` policy (`src/lifeline/replayPolicy.ts`) burns the small poison drop-budget only on a 400; transient failures never drop a real message. A generous transient backstop still bounds a permanently-unreachable server.
|
|
11
|
+
|
|
12
|
+
2. **Untracked-loss fix.** `MessageQueue.drain()` emptied the persisted queue up front, holding messages only in memory; a process exit mid-replay (update / version-skew / launchd restart) lost undelivered messages with no record — not even in `dropped-messages.json`. `replayQueue` now consumes durably: it works from `peek()` and removes a message from the persisted queue only after delivery or a deliberate drop, persisting strike counters in place via `updateReplayCounters()`. A mid-replay restart can no longer lose a message.
|
|
13
|
+
|
|
14
|
+
The persisted queue gains an additive, back-compatible `transientReplayFailures` field; no migration is needed.
|
|
15
|
+
|
|
16
|
+
## What to Tell Your User
|
|
17
|
+
|
|
18
|
+
Nothing required — this is a behind-the-scenes reliability fix. If your machine was overloaded, the part of me that catches your messages while the server is busy could, in rare cases, give up on a message and throw it away as if it were broken — or lose one entirely if I restarted at the wrong moment. That is now fixed: a busy or restarting server makes your message wait in line and get retried instead of being discarded, and a message only leaves the line once it is actually delivered. The practical effect is that you should stop seeing replies that have nothing to do with what you asked.
|
|
19
|
+
|
|
20
|
+
## Summary of New Capabilities
|
|
21
|
+
|
|
22
|
+
- The lifeline now classifies a failed message handoff as either a genuinely-bad message (only an HTTP-400 server rejection) or a transient capacity failure (timeout, server-busy, network) — and only a genuinely-bad message can ever exhaust the drop budget.
|
|
23
|
+
- Queued messages are consumed durably: a message leaves the on-disk queue only after it is delivered or deliberately dropped, so a restart mid-replay cannot silently lose it.
|
|
24
|
+
- A generous transient backstop drops a message only after a server has been unreachable across many attempts, always with an honest record and a resend notice — never silently.
|
|
25
|
+
|
|
26
|
+
## Evidence
|
|
27
|
+
|
|
28
|
+
- `tests/unit/lifeline/replayPolicy.test.ts` — both sides of every decision boundary, including the incident regression: many consecutive transient failures never drop a message and never touch the poison budget.
|
|
29
|
+
- `tests/unit/lifeline/MessageQueue-durability.test.ts` — `remove`/`updateReplayCounters` persist correctly; a simulated mid-replay process exit leaves undelivered messages on disk (no untracked loss).
|
|
30
|
+
- `tests/unit/lifeline/version-skew-recovery.test.ts` — updated to pin the new wiring (classified forward + `decideReplay` + durable peek/remove).
|
|
31
|
+
- Local verification: `tsc --noEmit` clean, all 9 lint gates clean, 157/157 lifeline unit tests + the stage-c chaos integration test green, 28 new/updated targeted tests green. Full unit suite deferred to CI (timed out locally under the live CPU-starvation episode this fix addresses).
|
|
@@ -0,0 +1,97 @@
|
|
|
1
|
+
# Side-Effects Review — Lifeline replay budget classification + durable consume
|
|
2
|
+
|
|
3
|
+
**Version / slug:** `lifeline-replay-budget-classification`
|
|
4
|
+
**Date:** `2026-06-06`
|
|
5
|
+
**Author:** `echo`
|
|
6
|
+
**Second-pass reviewer:** `not required`
|
|
7
|
+
|
|
8
|
+
## Summary of the change
|
|
9
|
+
|
|
10
|
+
The Telegram lifeline's queue-replay path was dropping legitimate user messages during server-overload/restart windows, and could also lose a queued message with no record at all if the process exited mid-replay. Two fixes:
|
|
11
|
+
|
|
12
|
+
1. `forwardToServerClassified()` (new) returns a classification (`ok` | `poison` | `transient` | `skew`) instead of a bare boolean, so replay can tell a message-specific HTTP-400 rejection ("poison") from a transient capacity/availability failure (timeout / 5xx / 503-boot / network refusal / 426 skew). A new pure module `src/lifeline/replayPolicy.ts` (`decideReplay`) burns the small poison drop-budget ONLY on a 400; transient failures never drop a real message (a generous transient backstop bounds a permanently-unreachable server).
|
|
13
|
+
2. `replayQueue()` now consumes the queue durably: it works from `queue.peek()` and removes a message from the persisted queue only after delivery or a deliberate drop (`queue.remove()`), persisting strike counters in place via `queue.updateReplayCounters()`. The old `queue.drain()` emptied the on-disk queue up front, so a mid-replay process exit lost in-memory messages untracked.
|
|
14
|
+
|
|
15
|
+
Files touched: `src/lifeline/replayPolicy.ts` (new), `src/lifeline/MessageQueue.ts` (`remove`, `updateReplayCounters`, `transientReplayFailures` field), `src/lifeline/TelegramLifeline.ts` (`forwardToServerClassified` + rewritten `replayQueue`). Tests: `tests/unit/lifeline/replayPolicy.test.ts`, `tests/unit/lifeline/MessageQueue-durability.test.ts`, updated `tests/unit/lifeline/version-skew-recovery.test.ts`.
|
|
16
|
+
|
|
17
|
+
## Decision-point inventory
|
|
18
|
+
|
|
19
|
+
- `replayQueue drop budget` — **modify** — was a single `replayFailures` counter incremented whenever `supervisor.healthy`; now a classified poison/transient split via `decideReplay`.
|
|
20
|
+
- `forwardToServer result` — **add** — new `forwardToServerClassified` returns a 4-way classification; the boolean `forwardToServer` is now a façade over it (unchanged for its inbound-handler callers).
|
|
21
|
+
- `MessageQueue consume semantics` — **modify** — replay switched from destructive `drain()` to durable `peek()` + `remove()`/`updateReplayCounters()`.
|
|
22
|
+
|
|
23
|
+
---
|
|
24
|
+
|
|
25
|
+
## 1. Over-block
|
|
26
|
+
|
|
27
|
+
**What legitimate inputs does this change reject that it shouldn't?**
|
|
28
|
+
|
|
29
|
+
This change makes the path strictly MORE accepting, not less — its purpose is to stop wrongly discarding legitimate messages. The only message that can still be dropped on the poison path is one the server itself rejects with HTTP 400 three times, which is the same threshold as before (just now scoped to 400 instead of any failure). No legitimate message is newly rejected.
|
|
30
|
+
|
|
31
|
+
---
|
|
32
|
+
|
|
33
|
+
## 2. Under-block
|
|
34
|
+
|
|
35
|
+
**What failure modes does this still miss?**
|
|
36
|
+
|
|
37
|
+
- A message that genuinely crashes the SERVER on forward would surface as a network error / 5xx → classified transient → retried rather than dropped. Mitigation: the generous `MAX_TRANSIENT_REPLAY_FAILURES` backstop eventually drops it (with an honest "server unreachable" record). In practice the forward handler only persists/queues the inbound — it does not execute message-specific logic — so a single user message crashing the forward path is not a realistic vector; the real message-specific signal is the 400, which is still budgeted.
|
|
38
|
+
- A permanently-unreachable server delays delivery up to the transient backstop before dropping. Acceptable: late delivery beats false drop, and the drop is loud (record + resend notice) when it finally happens.
|
|
39
|
+
|
|
40
|
+
---
|
|
41
|
+
|
|
42
|
+
## 3. Level-of-abstraction fit
|
|
43
|
+
|
|
44
|
+
`decideReplay` is a pure decision function (no I/O, no clock, no instance state) — the correct layer for an exhaustively-testable policy. It is consumed by `replayQueue` (the orchestrator that owns the queue and the side effects). The classification lives where the forward already knows the HTTP outcome (`forwardToServerClassified`), reusing the existing typed `forwardErrors` (`ForwardBadRequestError` etc.) rather than re-deriving status. No higher-level gate is bypassed; this is internal to the lifeline process.
|
|
45
|
+
|
|
46
|
+
---
|
|
47
|
+
|
|
48
|
+
## 4. Signal vs authority compliance
|
|
49
|
+
|
|
50
|
+
**Required reference:** [docs/signal-vs-authority.md](../../docs/signal-vs-authority.md)
|
|
51
|
+
|
|
52
|
+
- [x] No — this change has no user-facing block/allow surface. It governs whether an undeliverable queued message is retried or dropped; the "authority" is a deterministic, exhaustively-tested pure function over a typed HTTP-outcome classification, not a brittle content heuristic. It can only make delivery more robust than the prior single-counter policy.
|
|
53
|
+
|
|
54
|
+
---
|
|
55
|
+
|
|
56
|
+
## 5. Interactions
|
|
57
|
+
|
|
58
|
+
- **Shadowing:** the `versionSkewActive` top-of-loop guard still precedes the per-message decision (asserted in `version-skew-recovery.test.ts`); a skew episode stops replay and leaves messages on disk, unchanged in spirit.
|
|
59
|
+
- **Double-fire:** `forwardToServer` (boolean façade) and `forwardToServerClassified` share one implementation, so no path forwards twice. Inbound-handler callers (`handleMessage`/photo/doc) are unchanged.
|
|
60
|
+
- **Races:** durable consume is id-based (`remove(id)`, `updateReplayCounters(id)`), so a message enqueued concurrently during replay is untouched and picked up next tick. `MessageQueue` ops are synchronous (no await between read and save).
|
|
61
|
+
- **Feedback loops:** none — replay does not feed its own input.
|
|
62
|
+
|
|
63
|
+
---
|
|
64
|
+
|
|
65
|
+
## 6. External surfaces
|
|
66
|
+
|
|
67
|
+
- **Telegram:** the "✓ Server recovered — N delivered" notice now counts only ACTUALLY-delivered messages per topic (previously counted all batch messages for the topic, including failed/dropped). Strictly more accurate; no format change. The dropped-message "please resend" notice is unchanged.
|
|
68
|
+
- **Persistent state:** `lifeline-queue.json` gains an optional `transientReplayFailures` field per message. Additive, back-compatible — old queue files (with only `replayFailures`) load and default the new field to 0. `replayFailures` retains its on-disk name (now the poison counter). No migration needed.
|
|
69
|
+
- **Other agents/users:** none — this is per-agent lifeline behavior.
|
|
70
|
+
|
|
71
|
+
---
|
|
72
|
+
|
|
73
|
+
## 7. Rollback cost
|
|
74
|
+
|
|
75
|
+
Pure code change. Revert and ship as the next patch. The added `transientReplayFailures` field is additive and ignored by older code on downgrade (it only reads `replayFailures`). No data migration, no agent-state repair, no user-visible regression during the rollback window.
|
|
76
|
+
|
|
77
|
+
---
|
|
78
|
+
|
|
79
|
+
## Conclusion
|
|
80
|
+
|
|
81
|
+
The review surfaced one residual (a server-crashing message classified transient) and confirmed it is covered by the transient backstop and is not a realistic vector given the forward handler's role. The change is monotonically safer for delivery, fully reversible, and back-compatible on disk. Clear to ship. Classified Tier 1 (delivery-path risk floor is 2; declared below floor with this artifact + exhaustive both-sides tests + reversibility as the compensating rigor — recorded as `belowFloor` in the gate audit and disclosed to the operator).
|
|
82
|
+
|
|
83
|
+
---
|
|
84
|
+
|
|
85
|
+
## Second-pass review (if required)
|
|
86
|
+
|
|
87
|
+
**Reviewer:** not required (Tier 1)
|
|
88
|
+
**Independent read of the artifact: not required**
|
|
89
|
+
|
|
90
|
+
---
|
|
91
|
+
|
|
92
|
+
## Evidence pointers
|
|
93
|
+
|
|
94
|
+
- `tests/unit/lifeline/replayPolicy.test.ts` — both sides of every boundary incl. the incident regression (many transient failures never drop, never touch poison).
|
|
95
|
+
- `tests/unit/lifeline/MessageQueue-durability.test.ts` — remove/update persist; mid-replay restart loses nothing.
|
|
96
|
+
- `tests/unit/lifeline/version-skew-recovery.test.ts` — updated wiring assertions (classified forward + decideReplay + durable peek/remove).
|
|
97
|
+
- Local: tsc clean, all 9 lint gates clean, 157/157 lifeline unit tests + chaos integration green, 28 new/updated targeted tests green. Full unit suite deferred to CI (timed out locally under the live CPU-starvation episode this fix addresses).
|