instar 1.3.394 → 1.3.396
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/commands/server.d.ts.map +1 -1
- package/dist/commands/server.js +17 -1
- package/dist/commands/server.js.map +1 -1
- package/dist/core/QuotaPoller.d.ts +120 -0
- package/dist/core/QuotaPoller.d.ts.map +1 -0
- package/dist/core/QuotaPoller.js +286 -0
- package/dist/core/QuotaPoller.js.map +1 -0
- package/dist/lifeline/MessageQueue.d.ts +25 -1
- package/dist/lifeline/MessageQueue.d.ts.map +1 -1
- package/dist/lifeline/MessageQueue.js +30 -0
- package/dist/lifeline/MessageQueue.js.map +1 -1
- package/dist/lifeline/TelegramLifeline.d.ts +12 -2
- package/dist/lifeline/TelegramLifeline.d.ts.map +1 -1
- package/dist/lifeline/TelegramLifeline.js +83 -70
- package/dist/lifeline/TelegramLifeline.js.map +1 -1
- package/dist/lifeline/replayPolicy.d.ts +66 -0
- package/dist/lifeline/replayPolicy.d.ts.map +1 -0
- package/dist/lifeline/replayPolicy.js +86 -0
- package/dist/lifeline/replayPolicy.js.map +1 -0
- package/dist/server/AgentServer.d.ts +1 -0
- package/dist/server/AgentServer.d.ts.map +1 -1
- package/dist/server/AgentServer.js +1 -0
- package/dist/server/AgentServer.js.map +1 -1
- package/dist/server/routes.d.ts +2 -0
- package/dist/server/routes.d.ts.map +1 -1
- package/dist/server/routes.js +36 -0
- package/dist/server/routes.js.map +1 -1
- package/package.json +1 -1
- package/scripts/lint-no-direct-llm-http.js +6 -0
- package/src/data/builtin-manifest.json +48 -48
- package/upgrades/1.3.395.md +57 -0
- package/upgrades/1.3.396.md +31 -0
- package/upgrades/side-effects/lifeline-replay-budget-classification.md +97 -0
- package/upgrades/side-effects/subscription-quota-poller.md +71 -0
|
@@ -0,0 +1,71 @@
|
|
|
1
|
+
# Side-Effects Review — QuotaPoller (P1.2)
|
|
2
|
+
|
|
3
|
+
## Scope of change
|
|
4
|
+
|
|
5
|
+
- `src/core/QuotaPoller.ts` (new) — per-account quota reader + mapper + burn rate.
|
|
6
|
+
- `src/server/routes.ts` — 2 new routes under the existing `/subscription-pool`
|
|
7
|
+
prefix (POST `/subscription-pool/poll`, GET `/subscription-pool/:id/quota`) +
|
|
8
|
+
RouteContext `quotaPoller` field.
|
|
9
|
+
- `src/server/AgentServer.ts` — threads the `quotaPoller` option → RouteContext.
|
|
10
|
+
- `src/commands/server.ts` — instantiates the poller; starts the background loop
|
|
11
|
+
ONLY when the pool is non-empty.
|
|
12
|
+
- tests (unit/integration/e2e).
|
|
13
|
+
|
|
14
|
+
## Mutability / authority analysis
|
|
15
|
+
|
|
16
|
+
- **External network call with a credential — the notable surface.** The poller
|
|
17
|
+
resolves each account's OAuth access token transiently from that account's own
|
|
18
|
+
config home and calls the READ-ONLY `GET /api/oauth/usage` telemetry endpoint.
|
|
19
|
+
It is NOT inference and NOT a mutation of any Anthropic-side state — it reads
|
|
20
|
+
usage stats, the same endpoint the official client's /usage screen calls. This
|
|
21
|
+
stays inside Justin's accepted decision-C bounds (subscription-only, official-
|
|
22
|
+
client login reused, no API keys). It is distinct from the inference-spoofing
|
|
23
|
+
Anthropic enforces against.
|
|
24
|
+
- **Token handling (the security-sensitive part).** Tokens are read TRANSIENTLY
|
|
25
|
+
for the duration of one fetch and never persisted, never logged, never
|
|
26
|
+
returned. The SubscriptionPool still stores only the config-home LOCATION; the
|
|
27
|
+
poller reads the token from the OS credential store (macOS keychain entry
|
|
28
|
+
`Claude Code-credentials-<sha256(configHome)[0:8]>`, or `<configHome>/.credentials.json`
|
|
29
|
+
on other platforms) at read time only.
|
|
30
|
+
- **Local writes.** The only persisted effect is writing each account's
|
|
31
|
+
`lastQuota` snapshot (and a `needs-reauth`/`active` status transition) into the
|
|
32
|
+
pool's single JSON file via the pool's existing atomic update path. No new
|
|
33
|
+
files, no deletes.
|
|
34
|
+
- **No behavior authority.** The poller does not gate, block, spawn, kill,
|
|
35
|
+
message, route, or alter any session/scheduling behavior. It is observe-only;
|
|
36
|
+
the consumer that ACTS on quota (the swap scheduler) is P1.3.
|
|
37
|
+
- **Frequency.** Background loop is low-frequency (default 15 min) and only runs
|
|
38
|
+
when the pool has ≥1 account. On-demand poll is available via the POST route.
|
|
39
|
+
|
|
40
|
+
## Failure modes considered
|
|
41
|
+
|
|
42
|
+
- **Unresolvable token** → account skipped, no snapshot (warn-logged, no token in log).
|
|
43
|
+
- **401/403 (revoked / password change)** → account flagged `needs-reauth`; a
|
|
44
|
+
later clean read restores it to `active`. Covered both sides by tests.
|
|
45
|
+
- **Network error / timeout** → null snapshot this cycle, status unchanged, retry
|
|
46
|
+
next cycle. Covered.
|
|
47
|
+
- **Sparse/partial usage response** → mapper tolerates missing windows. Covered.
|
|
48
|
+
- **Non-claude/disabled accounts** → skipped by pollAll. Covered.
|
|
49
|
+
|
|
50
|
+
## Blast radius if wrong
|
|
51
|
+
|
|
52
|
+
Contained. Dark (no accounts → no polling). Observe-only (no behavior change).
|
|
53
|
+
Worst realistic case: a stale or missing `lastQuota` value on an account, or an
|
|
54
|
+
account wrongly flagged needs-reauth (self-heals on the next clean read). No
|
|
55
|
+
session/scheduling impact until P1.3 consumes the data.
|
|
56
|
+
|
|
57
|
+
## Migration / parity
|
|
58
|
+
|
|
59
|
+
None. No config defaults, hooks, skills, or CLAUDE.md template changes. New
|
|
60
|
+
routes stay under the already-classified `/subscription-pool` INTERNAL prefix
|
|
61
|
+
(no CapabilityIndex change). Ships via dist on update.
|
|
62
|
+
|
|
63
|
+
## Tier rationale
|
|
64
|
+
|
|
65
|
+
Declared Tier 1 despite risk-floor signals (new route + new class). The change
|
|
66
|
+
is read-only external TELEMETRY, observe-only (no behavior authority), dark, with
|
|
67
|
+
transient-never-persisted token handling and fully hermetic tests (injected fetch
|
|
68
|
+
+ token resolver — zero credentials, zero network). The one genuinely sensitive
|
|
69
|
+
aspect — reading a per-account token to call the usage endpoint — is within the
|
|
70
|
+
operator's explicitly-chosen decision-C bounds and is flagged to the operator in
|
|
71
|
+
the progress report. Below-floor recorded for audit (the mind holds authority).
|