instar 1.3.431 → 1.3.433

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (36) hide show
  1. package/dashboard/subscriptions.js +21 -0
  2. package/dist/core/MessagingToneGate.d.ts +8 -0
  3. package/dist/core/MessagingToneGate.d.ts.map +1 -1
  4. package/dist/core/MessagingToneGate.js.map +1 -1
  5. package/dist/core/OAuthRefresher.d.ts +112 -0
  6. package/dist/core/OAuthRefresher.d.ts.map +1 -0
  7. package/dist/core/OAuthRefresher.js +222 -0
  8. package/dist/core/OAuthRefresher.js.map +1 -0
  9. package/dist/core/QuotaPoller.d.ts +33 -6
  10. package/dist/core/QuotaPoller.d.ts.map +1 -1
  11. package/dist/core/QuotaPoller.js +73 -66
  12. package/dist/core/QuotaPoller.js.map +1 -1
  13. package/dist/core/SubscriptionPool.d.ts +8 -0
  14. package/dist/core/SubscriptionPool.d.ts.map +1 -1
  15. package/dist/core/SubscriptionPool.js +3 -0
  16. package/dist/core/SubscriptionPool.js.map +1 -1
  17. package/dist/core/types.d.ts +9 -0
  18. package/dist/core/types.d.ts.map +1 -1
  19. package/dist/core/types.js.map +1 -1
  20. package/dist/server/middleware.d.ts +20 -0
  21. package/dist/server/middleware.d.ts.map +1 -1
  22. package/dist/server/middleware.js +20 -0
  23. package/dist/server/middleware.js.map +1 -1
  24. package/dist/server/outboundGateBudget.d.ts +33 -0
  25. package/dist/server/outboundGateBudget.d.ts.map +1 -0
  26. package/dist/server/outboundGateBudget.js +57 -0
  27. package/dist/server/outboundGateBudget.js.map +1 -0
  28. package/dist/server/routes.d.ts.map +1 -1
  29. package/dist/server/routes.js +23 -5
  30. package/dist/server/routes.js.map +1 -1
  31. package/package.json +1 -1
  32. package/src/data/builtin-manifest.json +46 -46
  33. package/upgrades/1.3.432.md +27 -0
  34. package/upgrades/1.3.433.md +52 -0
  35. package/upgrades/side-effects/outbound-gate-budget.md +109 -0
  36. package/upgrades/side-effects/subscription-token-autorefresh.md +29 -0
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "instar",
3
- "version": "1.3.431",
3
+ "version": "1.3.433",
4
4
  "description": "Coherence infrastructure for self-evolving AI agents — on the Claude Code or Codex subscription you already have.",
5
5
  "type": "module",
6
6
  "main": "dist/index.js",
@@ -1,8 +1,8 @@
1
1
  {
2
2
  "$schema": "./builtin-manifest.schema.json",
3
3
  "schemaVersion": 1,
4
- "generatedAt": "2026-06-08T08:31:50.678Z",
5
- "instarVersion": "1.3.431",
4
+ "generatedAt": "2026-06-08T22:16:09.710Z",
5
+ "instarVersion": "1.3.433",
6
6
  "entryCount": 199,
7
7
  "entries": {
8
8
  "hook:session-start": {
@@ -418,7 +418,7 @@
418
418
  "type": "route-group",
419
419
  "domain": "monitoring",
420
420
  "sourcePath": "src/server/routes.ts",
421
- "contentHash": "ba95e48c020a055480ff5c548630cc97e7797d6f79cb919affdb589ebd3f8d48",
421
+ "contentHash": "cde0ebbb56e26519e8d6bb35d78dca71eaebafa62c2b7c465145ba5f5c644bbb",
422
422
  "since": "2025-01-01"
423
423
  },
424
424
  "route-group:agents": {
@@ -426,7 +426,7 @@
426
426
  "type": "route-group",
427
427
  "domain": "sessions",
428
428
  "sourcePath": "src/server/routes.ts",
429
- "contentHash": "ba95e48c020a055480ff5c548630cc97e7797d6f79cb919affdb589ebd3f8d48",
429
+ "contentHash": "cde0ebbb56e26519e8d6bb35d78dca71eaebafa62c2b7c465145ba5f5c644bbb",
430
430
  "since": "2025-01-01"
431
431
  },
432
432
  "route-group:backups": {
@@ -434,7 +434,7 @@
434
434
  "type": "route-group",
435
435
  "domain": "operations",
436
436
  "sourcePath": "src/server/routes.ts",
437
- "contentHash": "ba95e48c020a055480ff5c548630cc97e7797d6f79cb919affdb589ebd3f8d48",
437
+ "contentHash": "cde0ebbb56e26519e8d6bb35d78dca71eaebafa62c2b7c465145ba5f5c644bbb",
438
438
  "since": "2025-01-01"
439
439
  },
440
440
  "route-group:git": {
@@ -442,7 +442,7 @@
442
442
  "type": "route-group",
443
443
  "domain": "coordination",
444
444
  "sourcePath": "src/server/routes.ts",
445
- "contentHash": "ba95e48c020a055480ff5c548630cc97e7797d6f79cb919affdb589ebd3f8d48",
445
+ "contentHash": "cde0ebbb56e26519e8d6bb35d78dca71eaebafa62c2b7c465145ba5f5c644bbb",
446
446
  "since": "2025-01-01"
447
447
  },
448
448
  "route-group:memory": {
@@ -450,7 +450,7 @@
450
450
  "type": "route-group",
451
451
  "domain": "memory",
452
452
  "sourcePath": "src/server/routes.ts",
453
- "contentHash": "ba95e48c020a055480ff5c548630cc97e7797d6f79cb919affdb589ebd3f8d48",
453
+ "contentHash": "cde0ebbb56e26519e8d6bb35d78dca71eaebafa62c2b7c465145ba5f5c644bbb",
454
454
  "since": "2025-01-01"
455
455
  },
456
456
  "route-group:semantic": {
@@ -458,7 +458,7 @@
458
458
  "type": "route-group",
459
459
  "domain": "memory",
460
460
  "sourcePath": "src/server/routes.ts",
461
- "contentHash": "ba95e48c020a055480ff5c548630cc97e7797d6f79cb919affdb589ebd3f8d48",
461
+ "contentHash": "cde0ebbb56e26519e8d6bb35d78dca71eaebafa62c2b7c465145ba5f5c644bbb",
462
462
  "since": "2025-01-01"
463
463
  },
464
464
  "route-group:status": {
@@ -466,7 +466,7 @@
466
466
  "type": "route-group",
467
467
  "domain": "monitoring",
468
468
  "sourcePath": "src/server/routes.ts",
469
- "contentHash": "ba95e48c020a055480ff5c548630cc97e7797d6f79cb919affdb589ebd3f8d48",
469
+ "contentHash": "cde0ebbb56e26519e8d6bb35d78dca71eaebafa62c2b7c465145ba5f5c644bbb",
470
470
  "since": "2025-01-01"
471
471
  },
472
472
  "route-group:capabilities": {
@@ -474,7 +474,7 @@
474
474
  "type": "route-group",
475
475
  "domain": "mapping",
476
476
  "sourcePath": "src/server/routes.ts",
477
- "contentHash": "ba95e48c020a055480ff5c548630cc97e7797d6f79cb919affdb589ebd3f8d48",
477
+ "contentHash": "cde0ebbb56e26519e8d6bb35d78dca71eaebafa62c2b7c465145ba5f5c644bbb",
478
478
  "since": "2025-01-01"
479
479
  },
480
480
  "route-group:project-map": {
@@ -482,7 +482,7 @@
482
482
  "type": "route-group",
483
483
  "domain": "mapping",
484
484
  "sourcePath": "src/server/routes.ts",
485
- "contentHash": "ba95e48c020a055480ff5c548630cc97e7797d6f79cb919affdb589ebd3f8d48",
485
+ "contentHash": "cde0ebbb56e26519e8d6bb35d78dca71eaebafa62c2b7c465145ba5f5c644bbb",
486
486
  "since": "2025-01-01"
487
487
  },
488
488
  "route-group:coherence": {
@@ -490,7 +490,7 @@
490
490
  "type": "route-group",
491
491
  "domain": "coherence",
492
492
  "sourcePath": "src/server/routes.ts",
493
- "contentHash": "ba95e48c020a055480ff5c548630cc97e7797d6f79cb919affdb589ebd3f8d48",
493
+ "contentHash": "cde0ebbb56e26519e8d6bb35d78dca71eaebafa62c2b7c465145ba5f5c644bbb",
494
494
  "since": "2025-01-01"
495
495
  },
496
496
  "route-group:topic-bindings": {
@@ -498,7 +498,7 @@
498
498
  "type": "route-group",
499
499
  "domain": "sessions",
500
500
  "sourcePath": "src/server/routes.ts",
501
- "contentHash": "ba95e48c020a055480ff5c548630cc97e7797d6f79cb919affdb589ebd3f8d48",
501
+ "contentHash": "cde0ebbb56e26519e8d6bb35d78dca71eaebafa62c2b7c465145ba5f5c644bbb",
502
502
  "since": "2025-01-01"
503
503
  },
504
504
  "route-group:context": {
@@ -506,7 +506,7 @@
506
506
  "type": "route-group",
507
507
  "domain": "context",
508
508
  "sourcePath": "src/server/routes.ts",
509
- "contentHash": "ba95e48c020a055480ff5c548630cc97e7797d6f79cb919affdb589ebd3f8d48",
509
+ "contentHash": "cde0ebbb56e26519e8d6bb35d78dca71eaebafa62c2b7c465145ba5f5c644bbb",
510
510
  "since": "2025-01-01"
511
511
  },
512
512
  "route-group:scope-coherence": {
@@ -514,7 +514,7 @@
514
514
  "type": "route-group",
515
515
  "domain": "coherence",
516
516
  "sourcePath": "src/server/routes.ts",
517
- "contentHash": "ba95e48c020a055480ff5c548630cc97e7797d6f79cb919affdb589ebd3f8d48",
517
+ "contentHash": "cde0ebbb56e26519e8d6bb35d78dca71eaebafa62c2b7c465145ba5f5c644bbb",
518
518
  "since": "2025-01-01"
519
519
  },
520
520
  "route-group:canonical-state": {
@@ -522,7 +522,7 @@
522
522
  "type": "route-group",
523
523
  "domain": "state",
524
524
  "sourcePath": "src/server/routes.ts",
525
- "contentHash": "ba95e48c020a055480ff5c548630cc97e7797d6f79cb919affdb589ebd3f8d48",
525
+ "contentHash": "cde0ebbb56e26519e8d6bb35d78dca71eaebafa62c2b7c465145ba5f5c644bbb",
526
526
  "since": "2025-01-01"
527
527
  },
528
528
  "route-group:ci": {
@@ -530,7 +530,7 @@
530
530
  "type": "route-group",
531
531
  "domain": "monitoring",
532
532
  "sourcePath": "src/server/routes.ts",
533
- "contentHash": "ba95e48c020a055480ff5c548630cc97e7797d6f79cb919affdb589ebd3f8d48",
533
+ "contentHash": "cde0ebbb56e26519e8d6bb35d78dca71eaebafa62c2b7c465145ba5f5c644bbb",
534
534
  "since": "2025-01-01"
535
535
  },
536
536
  "route-group:sessions": {
@@ -538,7 +538,7 @@
538
538
  "type": "route-group",
539
539
  "domain": "sessions",
540
540
  "sourcePath": "src/server/routes.ts",
541
- "contentHash": "ba95e48c020a055480ff5c548630cc97e7797d6f79cb919affdb589ebd3f8d48",
541
+ "contentHash": "cde0ebbb56e26519e8d6bb35d78dca71eaebafa62c2b7c465145ba5f5c644bbb",
542
542
  "since": "2025-01-01"
543
543
  },
544
544
  "route-group:jobs": {
@@ -546,7 +546,7 @@
546
546
  "type": "route-group",
547
547
  "domain": "scheduling",
548
548
  "sourcePath": "src/server/routes.ts",
549
- "contentHash": "ba95e48c020a055480ff5c548630cc97e7797d6f79cb919affdb589ebd3f8d48",
549
+ "contentHash": "cde0ebbb56e26519e8d6bb35d78dca71eaebafa62c2b7c465145ba5f5c644bbb",
550
550
  "since": "2025-01-01"
551
551
  },
552
552
  "route-group:skip-ledger": {
@@ -554,7 +554,7 @@
554
554
  "type": "route-group",
555
555
  "domain": "scheduling",
556
556
  "sourcePath": "src/server/routes.ts",
557
- "contentHash": "ba95e48c020a055480ff5c548630cc97e7797d6f79cb919affdb589ebd3f8d48",
557
+ "contentHash": "cde0ebbb56e26519e8d6bb35d78dca71eaebafa62c2b7c465145ba5f5c644bbb",
558
558
  "since": "2025-01-01"
559
559
  },
560
560
  "route-group:telegram": {
@@ -562,7 +562,7 @@
562
562
  "type": "route-group",
563
563
  "domain": "communication",
564
564
  "sourcePath": "src/server/routes.ts",
565
- "contentHash": "ba95e48c020a055480ff5c548630cc97e7797d6f79cb919affdb589ebd3f8d48",
565
+ "contentHash": "cde0ebbb56e26519e8d6bb35d78dca71eaebafa62c2b7c465145ba5f5c644bbb",
566
566
  "since": "2025-01-01"
567
567
  },
568
568
  "route-group:attention": {
@@ -570,7 +570,7 @@
570
570
  "type": "route-group",
571
571
  "domain": "communication",
572
572
  "sourcePath": "src/server/routes.ts",
573
- "contentHash": "ba95e48c020a055480ff5c548630cc97e7797d6f79cb919affdb589ebd3f8d48",
573
+ "contentHash": "cde0ebbb56e26519e8d6bb35d78dca71eaebafa62c2b7c465145ba5f5c644bbb",
574
574
  "since": "2025-01-01"
575
575
  },
576
576
  "route-group:relationships": {
@@ -578,7 +578,7 @@
578
578
  "type": "route-group",
579
579
  "domain": "relationships",
580
580
  "sourcePath": "src/server/routes.ts",
581
- "contentHash": "ba95e48c020a055480ff5c548630cc97e7797d6f79cb919affdb589ebd3f8d48",
581
+ "contentHash": "cde0ebbb56e26519e8d6bb35d78dca71eaebafa62c2b7c465145ba5f5c644bbb",
582
582
  "since": "2025-01-01"
583
583
  },
584
584
  "route-group:feedback": {
@@ -586,7 +586,7 @@
586
586
  "type": "route-group",
587
587
  "domain": "feedback",
588
588
  "sourcePath": "src/server/routes.ts",
589
- "contentHash": "ba95e48c020a055480ff5c548630cc97e7797d6f79cb919affdb589ebd3f8d48",
589
+ "contentHash": "cde0ebbb56e26519e8d6bb35d78dca71eaebafa62c2b7c465145ba5f5c644bbb",
590
590
  "since": "2025-01-01"
591
591
  },
592
592
  "route-group:updates": {
@@ -594,7 +594,7 @@
594
594
  "type": "route-group",
595
595
  "domain": "updates",
596
596
  "sourcePath": "src/server/routes.ts",
597
- "contentHash": "ba95e48c020a055480ff5c548630cc97e7797d6f79cb919affdb589ebd3f8d48",
597
+ "contentHash": "cde0ebbb56e26519e8d6bb35d78dca71eaebafa62c2b7c465145ba5f5c644bbb",
598
598
  "since": "2025-01-01"
599
599
  },
600
600
  "route-group:dispatches": {
@@ -602,7 +602,7 @@
602
602
  "type": "route-group",
603
603
  "domain": "dispatches",
604
604
  "sourcePath": "src/server/routes.ts",
605
- "contentHash": "ba95e48c020a055480ff5c548630cc97e7797d6f79cb919affdb589ebd3f8d48",
605
+ "contentHash": "cde0ebbb56e26519e8d6bb35d78dca71eaebafa62c2b7c465145ba5f5c644bbb",
606
606
  "since": "2025-01-01"
607
607
  },
608
608
  "route-group:quota": {
@@ -610,7 +610,7 @@
610
610
  "type": "route-group",
611
611
  "domain": "monitoring",
612
612
  "sourcePath": "src/server/routes.ts",
613
- "contentHash": "ba95e48c020a055480ff5c548630cc97e7797d6f79cb919affdb589ebd3f8d48",
613
+ "contentHash": "cde0ebbb56e26519e8d6bb35d78dca71eaebafa62c2b7c465145ba5f5c644bbb",
614
614
  "since": "2025-01-01"
615
615
  },
616
616
  "route-group:publishing": {
@@ -618,7 +618,7 @@
618
618
  "type": "route-group",
619
619
  "domain": "publishing",
620
620
  "sourcePath": "src/server/routes.ts",
621
- "contentHash": "ba95e48c020a055480ff5c548630cc97e7797d6f79cb919affdb589ebd3f8d48",
621
+ "contentHash": "cde0ebbb56e26519e8d6bb35d78dca71eaebafa62c2b7c465145ba5f5c644bbb",
622
622
  "since": "2025-01-01"
623
623
  },
624
624
  "route-group:private-views": {
@@ -626,7 +626,7 @@
626
626
  "type": "route-group",
627
627
  "domain": "publishing",
628
628
  "sourcePath": "src/server/routes.ts",
629
- "contentHash": "ba95e48c020a055480ff5c548630cc97e7797d6f79cb919affdb589ebd3f8d48",
629
+ "contentHash": "cde0ebbb56e26519e8d6bb35d78dca71eaebafa62c2b7c465145ba5f5c644bbb",
630
630
  "since": "2025-01-01"
631
631
  },
632
632
  "route-group:tunnel": {
@@ -634,7 +634,7 @@
634
634
  "type": "route-group",
635
635
  "domain": "networking",
636
636
  "sourcePath": "src/server/routes.ts",
637
- "contentHash": "ba95e48c020a055480ff5c548630cc97e7797d6f79cb919affdb589ebd3f8d48",
637
+ "contentHash": "cde0ebbb56e26519e8d6bb35d78dca71eaebafa62c2b7c465145ba5f5c644bbb",
638
638
  "since": "2025-01-01"
639
639
  },
640
640
  "route-group:events": {
@@ -642,7 +642,7 @@
642
642
  "type": "route-group",
643
643
  "domain": "networking",
644
644
  "sourcePath": "src/server/routes.ts",
645
- "contentHash": "ba95e48c020a055480ff5c548630cc97e7797d6f79cb919affdb589ebd3f8d48",
645
+ "contentHash": "cde0ebbb56e26519e8d6bb35d78dca71eaebafa62c2b7c465145ba5f5c644bbb",
646
646
  "since": "2025-01-01"
647
647
  },
648
648
  "route-group:evolution": {
@@ -650,7 +650,7 @@
650
650
  "type": "route-group",
651
651
  "domain": "evolution",
652
652
  "sourcePath": "src/server/routes.ts",
653
- "contentHash": "ba95e48c020a055480ff5c548630cc97e7797d6f79cb919affdb589ebd3f8d48",
653
+ "contentHash": "cde0ebbb56e26519e8d6bb35d78dca71eaebafa62c2b7c465145ba5f5c644bbb",
654
654
  "since": "2025-01-01"
655
655
  },
656
656
  "route-group:watchdog": {
@@ -658,7 +658,7 @@
658
658
  "type": "route-group",
659
659
  "domain": "monitoring",
660
660
  "sourcePath": "src/server/routes.ts",
661
- "contentHash": "ba95e48c020a055480ff5c548630cc97e7797d6f79cb919affdb589ebd3f8d48",
661
+ "contentHash": "cde0ebbb56e26519e8d6bb35d78dca71eaebafa62c2b7c465145ba5f5c644bbb",
662
662
  "since": "2025-01-01"
663
663
  },
664
664
  "route-group:topic-memory": {
@@ -666,7 +666,7 @@
666
666
  "type": "route-group",
667
667
  "domain": "memory",
668
668
  "sourcePath": "src/server/routes.ts",
669
- "contentHash": "ba95e48c020a055480ff5c548630cc97e7797d6f79cb919affdb589ebd3f8d48",
669
+ "contentHash": "cde0ebbb56e26519e8d6bb35d78dca71eaebafa62c2b7c465145ba5f5c644bbb",
670
670
  "since": "2025-01-01"
671
671
  },
672
672
  "route-group:state-sync": {
@@ -674,7 +674,7 @@
674
674
  "type": "route-group",
675
675
  "domain": "coordination",
676
676
  "sourcePath": "src/server/routes.ts",
677
- "contentHash": "ba95e48c020a055480ff5c548630cc97e7797d6f79cb919affdb589ebd3f8d48",
677
+ "contentHash": "cde0ebbb56e26519e8d6bb35d78dca71eaebafa62c2b7c465145ba5f5c644bbb",
678
678
  "since": "2025-01-01"
679
679
  },
680
680
  "route-group:intent": {
@@ -682,7 +682,7 @@
682
682
  "type": "route-group",
683
683
  "domain": "intent",
684
684
  "sourcePath": "src/server/routes.ts",
685
- "contentHash": "ba95e48c020a055480ff5c548630cc97e7797d6f79cb919affdb589ebd3f8d48",
685
+ "contentHash": "cde0ebbb56e26519e8d6bb35d78dca71eaebafa62c2b7c465145ba5f5c644bbb",
686
686
  "since": "2025-01-01"
687
687
  },
688
688
  "route-group:triage": {
@@ -690,7 +690,7 @@
690
690
  "type": "route-group",
691
691
  "domain": "safety",
692
692
  "sourcePath": "src/server/routes.ts",
693
- "contentHash": "ba95e48c020a055480ff5c548630cc97e7797d6f79cb919affdb589ebd3f8d48",
693
+ "contentHash": "cde0ebbb56e26519e8d6bb35d78dca71eaebafa62c2b7c465145ba5f5c644bbb",
694
694
  "since": "2025-01-01"
695
695
  },
696
696
  "route-group:operations": {
@@ -698,7 +698,7 @@
698
698
  "type": "route-group",
699
699
  "domain": "safety",
700
700
  "sourcePath": "src/server/routes.ts",
701
- "contentHash": "ba95e48c020a055480ff5c548630cc97e7797d6f79cb919affdb589ebd3f8d48",
701
+ "contentHash": "cde0ebbb56e26519e8d6bb35d78dca71eaebafa62c2b7c465145ba5f5c644bbb",
702
702
  "since": "2025-01-01"
703
703
  },
704
704
  "route-group:sentinel": {
@@ -706,7 +706,7 @@
706
706
  "type": "route-group",
707
707
  "domain": "safety",
708
708
  "sourcePath": "src/server/routes.ts",
709
- "contentHash": "ba95e48c020a055480ff5c548630cc97e7797d6f79cb919affdb589ebd3f8d48",
709
+ "contentHash": "cde0ebbb56e26519e8d6bb35d78dca71eaebafa62c2b7c465145ba5f5c644bbb",
710
710
  "since": "2025-01-01"
711
711
  },
712
712
  "route-group:trust": {
@@ -714,7 +714,7 @@
714
714
  "type": "route-group",
715
715
  "domain": "safety",
716
716
  "sourcePath": "src/server/routes.ts",
717
- "contentHash": "ba95e48c020a055480ff5c548630cc97e7797d6f79cb919affdb589ebd3f8d48",
717
+ "contentHash": "cde0ebbb56e26519e8d6bb35d78dca71eaebafa62c2b7c465145ba5f5c644bbb",
718
718
  "since": "2025-01-01"
719
719
  },
720
720
  "route-group:monitoring": {
@@ -722,7 +722,7 @@
722
722
  "type": "route-group",
723
723
  "domain": "monitoring",
724
724
  "sourcePath": "src/server/routes.ts",
725
- "contentHash": "ba95e48c020a055480ff5c548630cc97e7797d6f79cb919affdb589ebd3f8d48",
725
+ "contentHash": "cde0ebbb56e26519e8d6bb35d78dca71eaebafa62c2b7c465145ba5f5c644bbb",
726
726
  "since": "2025-01-01"
727
727
  },
728
728
  "route-group:commitments": {
@@ -730,7 +730,7 @@
730
730
  "type": "route-group",
731
731
  "domain": "commitments",
732
732
  "sourcePath": "src/server/routes.ts",
733
- "contentHash": "ba95e48c020a055480ff5c548630cc97e7797d6f79cb919affdb589ebd3f8d48",
733
+ "contentHash": "cde0ebbb56e26519e8d6bb35d78dca71eaebafa62c2b7c465145ba5f5c644bbb",
734
734
  "since": "2025-01-01"
735
735
  },
736
736
  "route-group:episodes": {
@@ -738,7 +738,7 @@
738
738
  "type": "route-group",
739
739
  "domain": "memory",
740
740
  "sourcePath": "src/server/routes.ts",
741
- "contentHash": "ba95e48c020a055480ff5c548630cc97e7797d6f79cb919affdb589ebd3f8d48",
741
+ "contentHash": "cde0ebbb56e26519e8d6bb35d78dca71eaebafa62c2b7c465145ba5f5c644bbb",
742
742
  "since": "2025-01-01"
743
743
  },
744
744
  "route-group:messages": {
@@ -746,7 +746,7 @@
746
746
  "type": "route-group",
747
747
  "domain": "coordination",
748
748
  "sourcePath": "src/server/routes.ts",
749
- "contentHash": "ba95e48c020a055480ff5c548630cc97e7797d6f79cb919affdb589ebd3f8d48",
749
+ "contentHash": "cde0ebbb56e26519e8d6bb35d78dca71eaebafa62c2b7c465145ba5f5c644bbb",
750
750
  "since": "2025-01-01"
751
751
  },
752
752
  "route-group:system-reviews": {
@@ -754,7 +754,7 @@
754
754
  "type": "route-group",
755
755
  "domain": "monitoring",
756
756
  "sourcePath": "src/server/routes.ts",
757
- "contentHash": "ba95e48c020a055480ff5c548630cc97e7797d6f79cb919affdb589ebd3f8d48",
757
+ "contentHash": "cde0ebbb56e26519e8d6bb35d78dca71eaebafa62c2b7c465145ba5f5c644bbb",
758
758
  "since": "2025-01-01"
759
759
  },
760
760
  "route-group:machine-mesh": {
@@ -770,7 +770,7 @@
770
770
  "type": "route-group",
771
771
  "domain": "security",
772
772
  "sourcePath": "src/server/routes.ts",
773
- "contentHash": "ba95e48c020a055480ff5c548630cc97e7797d6f79cb919affdb589ebd3f8d48",
773
+ "contentHash": "cde0ebbb56e26519e8d6bb35d78dca71eaebafa62c2b7c465145ba5f5c644bbb",
774
774
  "since": "2025-01-01"
775
775
  },
776
776
  "cli:init": {
@@ -0,0 +1,27 @@
1
+ # Upgrade Guide — vNEXT
2
+
3
+ <!-- assembled-by: assemble-next-md -->
4
+ <!-- bump: patch -->
5
+
6
+ ## What Changed
7
+
8
+ The subscription-pool quota poller now auto-refreshes an expired OAuth access token from its stored refresh token before declaring an account `needs-reauth`. Previously any 401/403 from the usage endpoint was treated as a dead login — but a Claude Code access token expires routinely (~8–12h) while its refresh token stays valid for weeks, so the poller was wrongly flagging healthy accounts as needing re-authentication every time the short-lived token lapsed.
9
+
10
+ New `OAuthRefresher` performs the `refresh_token` grant against the public Claude Code OAuth token endpoint and writes the rotated credential back corruption-safely (validated-200 only, read-merge-write preserving all fields, fail-closed on any error). `QuotaPoller` calls it on a 401 and retries once; only a genuinely dead refresh token now yields `needs-reauth`. A new optional `lastRefreshAt` field plus a dashboard "Token auto-refreshed" line make the silent refresh visible.
11
+
12
+ ## What to Tell Your User
13
+
14
+ Your accounts no longer ask you to sign in again just because a day went by. A Claude login actually holds two keys — a short-lived one that turns over every several hours, and a long-lived one that lasts weeks. I now renew the short-lived key automatically using the long-lived one, exactly the way the Claude app does, so a routine daily expiry is invisible to you. I'll only ask you to sign in again when the real login is genuinely gone — a password change, a sign-out, or a new login elsewhere. The dashboard also shows a small "token auto-refreshed" note so you can see I'm handling it.
15
+
16
+ ## Summary of New Capabilities
17
+
18
+ | Capability | How to Use |
19
+ |-----------|-----------|
20
+ | Auto-refresh of expired access tokens | automatic (subscription-pool quota poller) |
21
+ | Token-health visibility | Subscriptions dashboard tab — "Token auto-refreshed" line |
22
+
23
+ ## Evidence
24
+
25
+ Reproduction (live, 2026-06-08, echo's two enrolled max accounts): both showed `status: needs-reauth` and a fresh `POST /subscription-pool/poll` failed 2/2. Inspecting the macOS keychain entries (`Claude Code-credentials-5939f6c8` / `-63465191`) showed `hasRefreshToken: true` with the access token `expiresAt` ~11–12h in the past — i.e. only the short-lived token had lapsed; the login was intact. The old code path mapped that 401 straight to `needs-reauth`.
26
+
27
+ After the fix: the unit/integration/e2e suites reproduce the exact sequence (usage read 401 → refresh-token exchange → retry 200) and assert the account stays `active` with a `lastRefreshAt` stamp rather than flipping to `needs-reauth`; the dead-refresh-token case still flips to `needs-reauth`. All three tiers green (`tests/unit/oauth-refresher.test.ts`, `tests/unit/quota-poller.test.ts`, `tests/integration/subscription-quota-routes.test.ts`, `tests/e2e/subscription-quota-lifecycle.test.ts`), tsc + repo lint clean.
@@ -0,0 +1,52 @@
1
+ # Upgrade Guide — vNEXT
2
+
3
+ <!-- assembled-by: assemble-next-md -->
4
+ <!-- bump: patch -->
5
+
6
+ ## What Changed
7
+
8
+ The outbound messaging quality gate (`MessagingToneGate.review`, reached via
9
+ `checkOutboundMessage`) is now bounded by a route-budget timeout that fails OPEN.
10
+ Previously the gate ran inside a single un-raced `await`; under rate-limit pressure
11
+ `review()` waits up to `RATE_LIMIT_WAIT_MS` (120s) for a window plus the call, which
12
+ exceeds the 120s outbound route budget (`OUTBOUND_MESSAGING_TIMEOUT_MS`). The route
13
+ then returns 408 and the calling session falls back to posting the message into
14
+ whatever topic it is active in — which is how update notes ended up in working topics.
15
+
16
+ A new helper `reviewWithinBudget` (`src/server/outboundGateBudget.ts`) races the
17
+ review against `OUTBOUND_GATE_REVIEW_BUDGET_MS` (20s, defined in `middleware.ts`,
18
+ asserted to be strictly below the route timeout). On time → the real verdict (pass or
19
+ block, unchanged). On budget elapse → a `budgetExceeded` fail-open (delivered,
20
+ logged). This is a structural guarantee at the route seam, covering every outbound
21
+ path that shares the chokepoint (`/telegram/reply`, `/telegram/post-update`,
22
+ `/slack/reply`, `/attention`, …). An optional per-agent override
23
+ `outboundGateReviewBudgetMs` exists; the default lives in code, so existing agents get
24
+ the fix on update with no config change (no migration).
25
+
26
+ ## What to Tell Your User
27
+
28
+ - **Messages no longer get stuck behind the quality check**: "If you ever saw my
29
+ updates land in the wrong chat, or replies feel stuck for a minute or two when
30
+ things are busy — that's fixed. The check that reviews my messages now has a short
31
+ deadline, so a slow moment can't strand a message anymore."
32
+
33
+ ## Summary of New Capabilities
34
+
35
+ A behind-the-scenes reliability fix to outbound messaging — no new user-facing
36
+ surface. The message-review gate can no longer outlast its delivery deadline, so
37
+ outbound messages (replies and update posts) can't hang or get misrouted under load.
38
+
39
+ ## Evidence
40
+
41
+ - Root cause verified in this agent's live `[tone-gate]` decision log: reviews
42
+ finishing at 121s / 135s / 157s / 170s / 185s, all `failedOpen`, alongside repeated
43
+ `429` rate-limit events — all past the 120s route budget.
44
+ - `tests/unit/outbound-gate-budget.test.ts` — `reviewWithinBudget` semantics
45
+ (pass-through, block-through, hang → `budgetExceeded` fail-open, latency, rejection
46
+ propagation) + the budget-below-route-timeout invariant.
47
+ - `tests/unit/post-update-gate-budget-route.test.ts` — route-level: a hanging gate
48
+ delivers (200, fast) instead of 408; a fast block still blocks (422, no delivery);
49
+ a fast pass delivers.
50
+ - Full lint clean; 71 existing related tone-gate/outbound/route tests green.
51
+ - Spec + side-effects review: `docs/specs/outbound-gate-budget.md`,
52
+ `upgrades/side-effects/outbound-gate-budget.md`.
@@ -0,0 +1,109 @@
1
+ # Side-Effects Review — Outbound tone-gate budget (fail-open within the route budget)
2
+
3
+ **Version / slug:** `outbound-gate-budget`
4
+ **Date:** `2026-06-08`
5
+ **Author:** `echo`
6
+ **Second-pass reviewer:** `not required (Tier-1, additive + localized)`
7
+
8
+ ## Summary of the change
9
+
10
+ Every outbound message (telegram/slack reply, attention item, `/telegram/post-update`)
11
+ passes through `checkOutboundMessage` in `src/server/routes.ts`, which calls
12
+ `MessagingToneGate.review` — an LLM call. The gate is fail-open by design, but under
13
+ rate-limit pressure `review()` waits up to `RATE_LIMIT_WAIT_MS` (120s) for a window
14
+ plus the call, all inside one un-raced `await`, exceeding the 120s outbound route
15
+ budget (`OUTBOUND_MESSAGING_TIMEOUT_MS`). The route then 408s and the calling session
16
+ dumps the note into its active topic. This change wraps the review call in
17
+ `reviewWithinBudget` (new file `src/server/outboundGateBudget.ts`), racing it against
18
+ `OUTBOUND_GATE_REVIEW_BUDGET_MS` (20s, new const in `middleware.ts`) and failing OPEN
19
+ past it. Touches: `routes.ts` (one call wrapped + one log field), `MessagingToneGate.ts`
20
+ (+1 optional result field), `types.ts` (+1 optional config field), `middleware.ts`
21
+ (+1 const), new helper + 2 tests + spec.
22
+
23
+ ## Decision-point inventory
24
+
25
+ - `checkOutboundMessage → tone-gate verdict` — **modify** — the gate verdict is now
26
+ bounded by a route-budget timeout that fails OPEN; the pass/block decision itself is
27
+ unchanged when the gate answers in time.
28
+ - `OUTBOUND_GATE_REVIEW_BUDGET_MS vs OUTBOUND_MESSAGING_TIMEOUT_MS` — **add** — a budget
29
+ invariant (gate budget < route timeout) asserted in tests.
30
+
31
+ ## 1. Over-block
32
+
33
+ **What legitimate inputs does this change reject that it shouldn't?**
34
+
35
+ None — the change can only move the gate from "block/hold" toward "deliver". A real
36
+ block returned within budget is passed through unchanged (covered by the route test:
37
+ a fast B3 block still returns 422). The only new outcome is a budget-exceeded
38
+ fail-open, which DELIVERS (pass=true). So over-block strictly decreases; it never
39
+ increases.
40
+
41
+ ## 2. Under-block
42
+
43
+ **What failure modes does this still miss?**
44
+
45
+ Under sustained rate-limit pressure a message can now be delivered un-reviewed after
46
+ the 20s budget (an intentional, designed fail-open). This is the same outcome the gate
47
+ already produced via its internal `failedOpen` path — just reached deterministically in
48
+ budget instead of after 2–3 minutes. The change does NOT make the gate review more
49
+ content (no new bypass). It does not address the separate behavioral fallback (a
50
+ session re-sending a failed update into a working topic) — tracked as a follow-up.
51
+
52
+ ## 3. Level-of-abstraction fit
53
+
54
+ The budget is enforced at the route seam (`checkOutboundMessage`), the same layer that
55
+ already bounds the ArcCheck signal with a 200ms race — the correct altitude, because the
56
+ budget is a property of the OUTBOUND ROUTE (its 120s limit), not of the gate. The gate
57
+ stays a general authority usable by callers with different budgets.
58
+
59
+ ## 4. Signal vs authority compliance
60
+
61
+ The tone gate remains the single authority; this does not add a competing gate. The
62
+ budget wrapper is a timeout, not a second opinion — when the authority answers in time
63
+ its verdict is used verbatim (pass AND block). On timeout the documented fail-open
64
+ contract applies (deliver). No signal is promoted to authority and no authority is
65
+ demoted to signal.
66
+
67
+ ## 5. Interactions
68
+
69
+ - Shares the chokepoint with `/telegram/reply`, `/slack/reply`, `/whatsapp/send`,
70
+ `/imessage/reply`, `/attention` — all inherit the bound (verified: their existing
71
+ route tests still pass).
72
+ - The abandoned review promise keeps running after a budget timeout (Node has no
73
+ cancel); it resolves/ignored, and `MessagingToneGate.review` never rejects (internal
74
+ catch), so no unhandled rejection. `Promise.race` keeps a reaction attached to the
75
+ review promise, so even a hypothetical late rejection is considered handled.
76
+ - `logToneGateDecision` gains a `budgetExceeded` boolean — additive, back-compatible
77
+ with existing log consumers.
78
+
79
+ ## 6. External surfaces
80
+
81
+ No new routes, no new external calls, no auth/permission change, no Telegram/Slack API
82
+ shape change. Adds one optional config field `outboundGateReviewBudgetMs` (absent →
83
+ code default; no migration). No state files written or read.
84
+
85
+ ## 7. Rollback cost
86
+
87
+ Trivial and low-risk. Revert the commit; the gate returns to its prior un-raced await.
88
+ Or set `config.outboundGateReviewBudgetMs` very high to effectively disable the cap
89
+ without code change. No data migration, no schema, no persisted state to unwind.
90
+
91
+ ## Conclusion
92
+
93
+ Net safety improvement: the change strictly reduces the worst-case behavior (a 408 that
94
+ both bypasses the gate AND misroutes the message) and never introduces a new block. The
95
+ only new behavior — faster fail-open delivery under sustained rate-limit pressure — is
96
+ the gate's already-documented degraded mode, reached in budget. Safe to ship.
97
+
98
+ ## Second-pass review (if required)
99
+
100
+ Not required — Tier-1, additive and localized to one already-fail-open seam, full lint
101
+ green, 9 new + 71 existing related tests green.
102
+
103
+ ## Evidence pointers
104
+
105
+ - Live `[tone-gate]` decision log latencies: 121s / 135s / 157s / 170s / 185s, all
106
+ `failedOpen`, alongside repeated `429` events (this agent, 2026-06-07/08).
107
+ - Tests: `tests/unit/outbound-gate-budget.test.ts`,
108
+ `tests/unit/post-update-gate-budget-route.test.ts`.
109
+ - Spec: `docs/specs/outbound-gate-budget.md`.
@@ -0,0 +1,29 @@
1
+ # Side-effects review — subscription-pool OAuth access-token auto-refresh
2
+
3
+ ## What changed
4
+ - New `src/core/OAuthRefresher.ts`: a corruption-safe refresh-token→access-token exchange for a config home's Claude Code credential (keychain on macOS, `<configHome>/.credentials.json` elsewhere). Endpoint + client id are the public Claude Code values extracted from the official client binary.
5
+ - `src/core/QuotaPoller.ts`: on a usage-read 401/403 the poller now attempts a refresh + one retry BEFORE marking the account `needs-reauth`. `defaultTokenResolver` refactored to share the OAuthRefresher locator (single source of truth for where a config home's credential lives).
6
+ - `src/core/SubscriptionPool.ts`: new optional `lastRefreshAt` field (visibility only).
7
+ - `dashboard/subscriptions.js`: a "Token auto-refreshed <ago>" line + `relativeAge()` helper.
8
+
9
+ ## Blast radius / who is affected
10
+ - Only anthropic/claude-code accounts in a SubscriptionPool. A pool of zero accounts (single-account agents) is entirely unaffected — the poller only runs when accounts are enrolled.
11
+ - Behavior change is strictly a NARROWING of when `needs-reauth` fires: it no longer fires on a recoverable access-token expiry. Genuinely dead logins still flip to `needs-reauth` exactly as before.
12
+
13
+ ## Corruption safety (the load-bearing concern)
14
+ - The ONLY mutation is the credential write-back. It is gated three ways: (1) only on a fully-validated 200 (new access token shaped `sk-ant-oat…`, positive numeric `expires_in`); (2) read-merge-write that preserves every existing field (scopes, subscriptionType, rateLimitTier, unknown fields); (3) refresh-token rotation persisted when present, old token kept when the server doesn't rotate — never dropped.
15
+ - Any failure (wrong endpoint, wrong client id, network error, malformed body, write failure) writes NOTHING and returns a typed failure → the caller's existing `needs-reauth` path. A misconfiguration can only ever fail to improve, never corrupt a working login. This is fail-CLOSED, not silent-degrade-to-heuristic (consistent with the no-silent-llm-fallback standard, though this path is auth not inference).
16
+
17
+ ## Secrets handling
18
+ - Token values are never logged and never returned to any persisted surface. The pool registry's existing `assertNoCredentialFields` guard still rejects any credential-bearing field name; `lastRefreshAt` is a timestamp, not a secret.
19
+
20
+ ## Framework generality
21
+ - Scoped to claude-code OAuth specifically (the refresh-token grant is provider/framework-specific). It does NOT touch the session launch/inject abstraction (frameworkSessionLaunch / MessageDelivery), so it cannot regress codex-cli / gemini-cli / pi-cli. Non-claude-code accounts are skipped by the same provider/framework guard the poller already applies.
22
+
23
+ ## Migration parity
24
+ - No agent-installed files change (no settings.json hooks, no config defaults, no CLAUDE.md template, no hook scripts, no skills). This is an in-process monitoring component; existing agents pick it up on the next server update. The new `lastRefreshAt` field is optional and back-compatible with existing `subscription-pool.json` on disk.
25
+
26
+ ## Tests
27
+ - Tier 1: `tests/unit/oauth-refresher.test.ts` (rotation, no-rotation, no-refresh-token, exchange-failed, malformed, read-failed, write-failed, locator, request shape) + extended `tests/unit/quota-poller.test.ts` (refresh-recovers, still-401-after-refresh, dead-refresh-token) + `tests/unit/subscriptions-render.test.ts` (token-health line + relativeAge).
28
+ - Tier 2: `tests/integration/subscription-quota-routes.test.ts` — recovery + dead-login through the real `/subscription-pool/poll` HTTP route.
29
+ - Tier 3: `tests/e2e/subscription-quota-lifecycle.test.ts` — expired token auto-refreshes end-to-end, account stays active, stamped to the on-disk registry.