instar 1.3.394 → 1.3.396

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (34) hide show
  1. package/dist/commands/server.d.ts.map +1 -1
  2. package/dist/commands/server.js +17 -1
  3. package/dist/commands/server.js.map +1 -1
  4. package/dist/core/QuotaPoller.d.ts +120 -0
  5. package/dist/core/QuotaPoller.d.ts.map +1 -0
  6. package/dist/core/QuotaPoller.js +286 -0
  7. package/dist/core/QuotaPoller.js.map +1 -0
  8. package/dist/lifeline/MessageQueue.d.ts +25 -1
  9. package/dist/lifeline/MessageQueue.d.ts.map +1 -1
  10. package/dist/lifeline/MessageQueue.js +30 -0
  11. package/dist/lifeline/MessageQueue.js.map +1 -1
  12. package/dist/lifeline/TelegramLifeline.d.ts +12 -2
  13. package/dist/lifeline/TelegramLifeline.d.ts.map +1 -1
  14. package/dist/lifeline/TelegramLifeline.js +83 -70
  15. package/dist/lifeline/TelegramLifeline.js.map +1 -1
  16. package/dist/lifeline/replayPolicy.d.ts +66 -0
  17. package/dist/lifeline/replayPolicy.d.ts.map +1 -0
  18. package/dist/lifeline/replayPolicy.js +86 -0
  19. package/dist/lifeline/replayPolicy.js.map +1 -0
  20. package/dist/server/AgentServer.d.ts +1 -0
  21. package/dist/server/AgentServer.d.ts.map +1 -1
  22. package/dist/server/AgentServer.js +1 -0
  23. package/dist/server/AgentServer.js.map +1 -1
  24. package/dist/server/routes.d.ts +2 -0
  25. package/dist/server/routes.d.ts.map +1 -1
  26. package/dist/server/routes.js +36 -0
  27. package/dist/server/routes.js.map +1 -1
  28. package/package.json +1 -1
  29. package/scripts/lint-no-direct-llm-http.js +6 -0
  30. package/src/data/builtin-manifest.json +48 -48
  31. package/upgrades/1.3.395.md +57 -0
  32. package/upgrades/1.3.396.md +31 -0
  33. package/upgrades/side-effects/lifeline-replay-budget-classification.md +97 -0
  34. package/upgrades/side-effects/subscription-quota-poller.md +71 -0
@@ -0,0 +1,71 @@
1
+ # Side-Effects Review — QuotaPoller (P1.2)
2
+
3
+ ## Scope of change
4
+
5
+ - `src/core/QuotaPoller.ts` (new) — per-account quota reader + mapper + burn rate.
6
+ - `src/server/routes.ts` — 2 new routes under the existing `/subscription-pool`
7
+ prefix (POST `/subscription-pool/poll`, GET `/subscription-pool/:id/quota`) +
8
+ RouteContext `quotaPoller` field.
9
+ - `src/server/AgentServer.ts` — threads the `quotaPoller` option → RouteContext.
10
+ - `src/commands/server.ts` — instantiates the poller; starts the background loop
11
+ ONLY when the pool is non-empty.
12
+ - tests (unit/integration/e2e).
13
+
14
+ ## Mutability / authority analysis
15
+
16
+ - **External network call with a credential — the notable surface.** The poller
17
+ resolves each account's OAuth access token transiently from that account's own
18
+ config home and calls the READ-ONLY `GET /api/oauth/usage` telemetry endpoint.
19
+ It is NOT inference and NOT a mutation of any Anthropic-side state — it reads
20
+ usage stats, the same endpoint the official client's /usage screen calls. This
21
+ stays inside Justin's accepted decision-C bounds (subscription-only, official-
22
+ client login reused, no API keys). It is distinct from the inference-spoofing
23
+ Anthropic enforces against.
24
+ - **Token handling (the security-sensitive part).** Tokens are read TRANSIENTLY
25
+ for the duration of one fetch and never persisted, never logged, never
26
+ returned. The SubscriptionPool still stores only the config-home LOCATION; the
27
+ poller reads the token from the OS credential store (macOS keychain entry
28
+ `Claude Code-credentials-<sha256(configHome)[0:8]>`, or `<configHome>/.credentials.json`
29
+ on other platforms) at read time only.
30
+ - **Local writes.** The only persisted effect is writing each account's
31
+ `lastQuota` snapshot (and a `needs-reauth`/`active` status transition) into the
32
+ pool's single JSON file via the pool's existing atomic update path. No new
33
+ files, no deletes.
34
+ - **No behavior authority.** The poller does not gate, block, spawn, kill,
35
+ message, route, or alter any session/scheduling behavior. It is observe-only;
36
+ the consumer that ACTS on quota (the swap scheduler) is P1.3.
37
+ - **Frequency.** Background loop is low-frequency (default 15 min) and only runs
38
+ when the pool has ≥1 account. On-demand poll is available via the POST route.
39
+
40
+ ## Failure modes considered
41
+
42
+ - **Unresolvable token** → account skipped, no snapshot (warn-logged, no token in log).
43
+ - **401/403 (revoked / password change)** → account flagged `needs-reauth`; a
44
+ later clean read restores it to `active`. Covered both sides by tests.
45
+ - **Network error / timeout** → null snapshot this cycle, status unchanged, retry
46
+ next cycle. Covered.
47
+ - **Sparse/partial usage response** → mapper tolerates missing windows. Covered.
48
+ - **Non-claude/disabled accounts** → skipped by pollAll. Covered.
49
+
50
+ ## Blast radius if wrong
51
+
52
+ Contained. Dark (no accounts → no polling). Observe-only (no behavior change).
53
+ Worst realistic case: a stale or missing `lastQuota` value on an account, or an
54
+ account wrongly flagged needs-reauth (self-heals on the next clean read). No
55
+ session/scheduling impact until P1.3 consumes the data.
56
+
57
+ ## Migration / parity
58
+
59
+ None. No config defaults, hooks, skills, or CLAUDE.md template changes. New
60
+ routes stay under the already-classified `/subscription-pool` INTERNAL prefix
61
+ (no CapabilityIndex change). Ships via dist on update.
62
+
63
+ ## Tier rationale
64
+
65
+ Declared Tier 1 despite risk-floor signals (new route + new class). The change
66
+ is read-only external TELEMETRY, observe-only (no behavior authority), dark, with
67
+ transient-never-persisted token handling and fully hermetic tests (injected fetch
68
+ + token resolver — zero credentials, zero network). The one genuinely sensitive
69
+ aspect — reading a per-account token to call the usage endpoint — is within the
70
+ operator's explicitly-chosen decision-C bounds and is flagged to the operator in
71
+ the progress report. Below-floor recorded for audit (the mind holds authority).