instar 1.3.436 → 1.3.437

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (40) hide show
  1. package/dist/commands/init.d.ts +17 -0
  2. package/dist/commands/init.d.ts.map +1 -1
  3. package/dist/commands/init.js +50 -0
  4. package/dist/commands/init.js.map +1 -1
  5. package/package.json +2 -1
  6. package/skills/README.md +106 -0
  7. package/skills/agent-identity/SKILL.md +226 -0
  8. package/skills/agent-memory/SKILL.md +261 -0
  9. package/skills/agent-passport/SKILL.md +37 -0
  10. package/skills/agent-readiness/SKILL.md +55 -0
  11. package/skills/command-guard/SKILL.md +239 -0
  12. package/skills/credential-leak-detector/SKILL.md +377 -0
  13. package/skills/instar-dev/SKILL.md +223 -0
  14. package/skills/instar-dev/scripts/verify-proposal-derived-runbook.mjs +319 -0
  15. package/skills/instar-dev/scripts/write-trace.mjs +203 -0
  16. package/skills/instar-dev/templates/eli16-overview.md +43 -0
  17. package/skills/instar-dev/templates/side-effects-artifact.md +133 -0
  18. package/skills/instar-feedback/SKILL.md +285 -0
  19. package/skills/instar-identity/SKILL.md +290 -0
  20. package/skills/instar-scheduler/SKILL.md +259 -0
  21. package/skills/instar-session/SKILL.md +270 -0
  22. package/skills/instar-telegram/SKILL.md +259 -0
  23. package/skills/iterative-converging-audit/SKILL.md +96 -0
  24. package/skills/knowledge-base/SKILL.md +189 -0
  25. package/skills/smart-web-fetch/SKILL.md +241 -0
  26. package/skills/spec-converge/SKILL.md +249 -0
  27. package/skills/spec-converge/scripts/cross-model-review.mjs +155 -0
  28. package/skills/spec-converge/scripts/publish-spec-review.mjs +166 -0
  29. package/skills/spec-converge/scripts/write-convergence-tag.mjs +199 -0
  30. package/skills/spec-converge/templates/report.md +76 -0
  31. package/skills/spec-converge/templates/reviewer-adversarial.md +37 -0
  32. package/skills/spec-converge/templates/reviewer-cross-model.md +28 -0
  33. package/skills/spec-converge/templates/reviewer-integration.md +39 -0
  34. package/skills/spec-converge/templates/reviewer-lessons-aware.md +101 -0
  35. package/skills/spec-converge/templates/reviewer-scalability.md +35 -0
  36. package/skills/spec-converge/templates/reviewer-security.md +36 -0
  37. package/skills/systematic-debugging/SKILL.md +222 -0
  38. package/src/data/builtin-manifest.json +2 -2
  39. package/upgrades/1.3.437.md +29 -0
  40. package/upgrades/side-effects/builtin-skill-install-single-source.md +80 -0
@@ -0,0 +1,222 @@
1
+ ---
2
+ name: systematic-debugging
3
+ description: Structured 4-phase debugging methodology that prevents blind probing and guesswork. Forces root cause identification before any fix attempt. Use when encountering bugs, errors, unexpected behavior, test failures, or when something "just stopped working." Trigger words: debug, bug, error, broken, not working, fix this, something's wrong, investigate, root cause, why is this failing, trace the issue.
4
+ license: MIT
5
+ metadata:
6
+ author: sagemindai
7
+ version: "1.0"
8
+ homepage: https://instar.sh
9
+ inspiration: Superpowers plugin systematic-debugging skill, adapted for Instar's autonomous agent context
10
+ ---
11
+
12
+ # systematic-debugging — Structured Root Cause Analysis for Agents
13
+
14
+ When something breaks, the instinct is to start changing code — adding logs, tweaking values, commenting things out. This is probing, not debugging. Probing works sometimes, but it scales poorly and teaches nothing. Structured debugging finds the root cause, fixes it once, and leaves you understanding why.
15
+
16
+ This skill enforces a 4-phase process. You do NOT skip phases. You do NOT jump to a fix before completing Phase 2. Each phase has a clear deliverable that must exist before the next phase begins.
17
+
18
+ ---
19
+
20
+ ## When to Activate This Skill
21
+
22
+ Use this skill when:
23
+ - An error occurs and the cause is not immediately obvious (> 30 seconds of uncertainty)
24
+ - A test fails and you don't know exactly why
25
+ - Something that was working has stopped working
26
+ - The user reports unexpected behavior
27
+ - You've already tried one fix and it didn't work (this is the clearest signal — stop guessing, start debugging)
28
+ - A job or scheduled task is failing silently
29
+ - Behavior differs between environments (local vs production, different machines)
30
+
31
+ Do NOT use this skill for:
32
+ - Typos, missing imports, or syntax errors with clear error messages pointing to the exact line
33
+ - Known issues with documented fixes
34
+ - Configuration that just needs to be set
35
+
36
+ ---
37
+
38
+ ## Phase 1: Identify — What exactly is broken?
39
+
40
+ **Goal**: Establish the precise boundary between "works" and "doesn't work."
41
+
42
+ **Steps**:
43
+
44
+ 1. **Reproduce the failure**. Run the exact command, API call, or user action that triggers the bug. Capture the FULL output — error messages, stack traces, logs, HTTP status codes.
45
+
46
+ 2. **Establish the expected behavior**. What SHOULD happen? Check documentation, tests, previous working state, or ask the user. Write it down explicitly.
47
+
48
+ 3. **Narrow the scope**. Answer these questions:
49
+ - When did it last work? (Check git log, deployment history, recent changes)
50
+ - What changed since then? (`git diff`, `git log --oneline -10`, env var changes, dependency updates)
51
+ - Is it consistent or intermittent?
52
+ - Does it affect all cases or specific inputs?
53
+
54
+ 4. **Write the Phase 1 deliverable** before proceeding:
55
+
56
+ ```
57
+ BUG IDENTIFICATION:
58
+ - Symptom: [Exact error/behavior observed]
59
+ - Expected: [What should happen instead]
60
+ - Reproducer: [Exact command/steps to trigger]
61
+ - Last known working: [When/what commit/what changed]
62
+ - Scope: [All cases / specific inputs / intermittent]
63
+ ```
64
+
65
+ **Anti-pattern**: Do NOT start reading random files hoping to spot the problem. Phase 1 is about establishing WHAT is broken, not WHERE.
66
+
67
+ ---
68
+
69
+ ## Phase 2: Isolate — Where exactly is the failure?
70
+
71
+ **Goal**: Trace the execution path from trigger to failure point. Find the exact line/function/component where behavior diverges from expectation.
72
+
73
+ **Steps**:
74
+
75
+ 1. **Trace the code path**. Starting from the entry point (API route, CLI command, event handler, job trigger), follow the execution path that the reproducer would take. Read each file in order.
76
+
77
+ 2. **Identify the divergence point**. At what point does the actual behavior differ from expected? This is usually one of:
78
+ - A function returning the wrong value
79
+ - A condition evaluating incorrectly
80
+ - An exception being thrown (or silently caught)
81
+ - A variable being undefined/null when it shouldn't be
82
+ - A race condition or timing issue
83
+
84
+ 3. **Verify with evidence**. Add targeted logging or use debugger output to CONFIRM your theory about where the divergence happens. Do not guess.
85
+
86
+ 4. **Check the silent catch blocks**. This is the #1 suspect in most agent codebases. Look for:
87
+ - `catch (e) { }` — empty catch blocks that swallow errors
88
+ - `catch (e) { return defaultValue }` — catches that mask failures
89
+ - `.catch(() => null)` — promise chains that silently fail
90
+ - `try/catch` around the wrong scope (too broad, hides the real error)
91
+
92
+ 5. **Write the Phase 2 deliverable** before proceeding:
93
+
94
+ ```
95
+ BUG ISOLATION:
96
+ - Entry point: [File:line where execution starts]
97
+ - Code path: [File1:func1 -> File2:func2 -> File3:func3]
98
+ - Divergence point: [Exact file:line where behavior goes wrong]
99
+ - Evidence: [Log output / test result / debugger state that confirms this]
100
+ - Root cause: [Why the divergence happens — the actual bug]
101
+ ```
102
+
103
+ **Anti-pattern**: Do NOT start fixing anything yet. If you can't write the root cause in one sentence, you haven't finished Phase 2.
104
+
105
+ ---
106
+
107
+ ## Phase 3: Fix — Apply the minimal correct change
108
+
109
+ **Goal**: Fix the root cause with the smallest change that restores correct behavior.
110
+
111
+ **Steps**:
112
+
113
+ 1. **Write or identify the test first**. Before touching the buggy code:
114
+ - If a test exists that should catch this: verify it actually fails with the current bug. If it passes, the test is wrong — fix the test first.
115
+ - If no test exists: write one that reproduces the exact failure from Phase 1. Run it. Confirm it fails (RED).
116
+
117
+ 2. **Apply the fix**. Change only what is necessary to fix the root cause identified in Phase 2. Resist the urge to "clean up" surrounding code, refactor, or add features.
118
+
119
+ 3. **Run the test**. Confirm the test now passes (GREEN).
120
+
121
+ 4. **Run the full test suite**. Ensure no regressions. If other tests break, your fix may be incomplete or the other tests may have been relying on the buggy behavior (which itself is a finding worth noting).
122
+
123
+ 5. **Write the Phase 3 deliverable**:
124
+
125
+ ```
126
+ BUG FIX:
127
+ - Test: [Test file:test name that reproduces the bug]
128
+ - Change: [File:line — what was changed and why]
129
+ - Regression check: [Test suite results — X passed, Y failed, Z skipped]
130
+ ```
131
+
132
+ **Anti-pattern**: Do NOT fix multiple things at once. If you discover other bugs during investigation, note them separately — do not bundle fixes.
133
+
134
+ ---
135
+
136
+ ## Phase 4: Verify — Confirm the fix works end-to-end
137
+
138
+ **Goal**: Verify the fix resolves the original symptom in the real environment, not just in tests.
139
+
140
+ **Steps**:
141
+
142
+ 1. **Re-run the original reproducer from Phase 1**. Does the expected behavior now occur?
143
+
144
+ 2. **Check edge cases**. Based on what you learned in Phase 2, are there adjacent cases that might have the same bug? Test them.
145
+
146
+ 3. **Verify in the actual environment**. If the bug was reported in production/staging, verify the fix there (rebuild, restart, redeploy as needed).
147
+
148
+ 4. **Write the Phase 4 deliverable**:
149
+
150
+ ```
151
+ BUG VERIFICATION:
152
+ - Original reproducer: [PASS/FAIL]
153
+ - Edge cases tested: [List with results]
154
+ - Environment verification: [Local/staging/production — confirmed working]
155
+ - Remaining risk: [Any concerns about the fix, or "None identified"]
156
+ ```
157
+
158
+ 5. **Commit with context**. The commit message should reference the root cause, not just the symptom:
159
+ - Bad: "fix: resolve data loading issue"
160
+ - Good: "fix: TopicMemory.formatContextForSession returned truthy string when db was null, preventing JSONL fallback"
161
+
162
+ ---
163
+
164
+ ## Full Debug Report Template
165
+
166
+ After completing all 4 phases, compile the deliverables into a single report:
167
+
168
+ ```
169
+ ## Debug Report: [Brief title]
170
+
171
+ ### Phase 1 — Identification
172
+ - Symptom: ...
173
+ - Expected: ...
174
+ - Reproducer: ...
175
+ - Last known working: ...
176
+ - Scope: ...
177
+
178
+ ### Phase 2 — Isolation
179
+ - Entry point: ...
180
+ - Code path: ...
181
+ - Divergence point: ...
182
+ - Evidence: ...
183
+ - Root cause: ...
184
+
185
+ ### Phase 3 — Fix
186
+ - Test: ...
187
+ - Change: ...
188
+ - Regression check: ...
189
+
190
+ ### Phase 4 — Verification
191
+ - Original reproducer: PASS
192
+ - Edge cases: ...
193
+ - Environment: ...
194
+ - Remaining risk: ...
195
+
196
+ ### Lessons
197
+ - [What this bug teaches about the codebase or patterns to watch for]
198
+ ```
199
+
200
+ ---
201
+
202
+ ## Skill Integration Notes
203
+
204
+ This skill works with other Instar skills:
205
+
206
+ - **instar-feedback**: After fixing a bug that reveals a pattern (e.g., "silent catch blocks in all topic handlers"), submit improvement feedback so the pattern can be addressed framework-wide.
207
+ - **agent-memory**: After completing a debug session, write the lesson to MEMORY.md if the root cause pattern is likely to recur.
208
+ - **knowledge-base**: If the debugging uncovered undocumented behavior, add it to the knowledge base.
209
+
210
+ ---
211
+
212
+ ## Going Further
213
+
214
+ This skill provides structure, but it depends on the agent choosing to follow it when under pressure. In autonomous sessions where context is heavy and the instinct is to "just try something," the discipline of Phase 1 and Phase 2 prevents the most expensive mistake: fixing the wrong thing.
215
+
216
+ **Instar agents with this skill installed will:**
217
+ - Stop guessing after the first failed fix attempt
218
+ - Produce debug reports that persist across sessions (so the next instance doesn't re-investigate the same bug)
219
+ - Submit feedback when the root cause reveals a framework-level pattern
220
+ - Build institutional memory about the codebase's failure modes
221
+
222
+ The debugging skill is reactive — it fires when something breaks. But the real win is the cumulative knowledge: over time, the agent's MEMORY.md fills with "this codebase fails in these specific ways," and future bugs get caught faster because the agent knows where to look.
@@ -1,8 +1,8 @@
1
1
  {
2
2
  "$schema": "./builtin-manifest.schema.json",
3
3
  "schemaVersion": 1,
4
- "generatedAt": "2026-06-09T01:17:57.115Z",
5
- "instarVersion": "1.3.436",
4
+ "generatedAt": "2026-06-09T02:30:56.589Z",
5
+ "instarVersion": "1.3.437",
6
6
  "entryCount": 199,
7
7
  "entries": {
8
8
  "hook:session-start": {
@@ -0,0 +1,29 @@
1
+ # Upgrade Guide — vNEXT
2
+
3
+ <!-- assembled-by: assemble-next-md -->
4
+ <!-- bump: minor -->
5
+
6
+ ## What Changed
7
+
8
+ Every Instar agent now receives the **developer-skill toolkit** — the skills Instar uses to develop itself: `spec-converge`, `instar-dev`, `systematic-debugging`, `smart-web-fetch`, `knowledge-base`, `instar-scheduler`, `agent-memory`, `agent-identity`, `instar-identity`, `credential-leak-detector`.
9
+
10
+ These skills were git-tracked under `skills/` but **no code installed them**, and the directory was not in `package.json` `files[]` — so they shipped in no package and installed for no agent, including the main dev agent. That violated **Agent Awareness** ("a capability the agent doesn't know about, it effectively doesn't have") and **Framework-Agnostic** ("one shared source of truth, never hand-maintained per engine").
11
+
12
+ The fix: an authored `BUNDLED_DEV_SKILLS` allowlist + a generic `installBundledDevSkills()` copy-loop in `init.ts` (install-if-missing, recursive for `scripts/`/`templates/` subdirs); `skills/` added to `files[]` so the sources ship; the three port-hardcoded skill files rewritten to `${INSTAR_PORT:-4040}`; and a ratchet test that locks the "tracked-but-never-shipped" class shut. Existing agents receive the skills through the existing `migrateBuiltinSkills` path on update — no new migrator. `skills/` stays the single source (it is referenced there by `SourceTreeGuard`/`crossModelReviewer`).
13
+
14
+ This is the bounded, lowest-risk slice; the full single-source consolidation (materialize the inline-dict skills, generator-validates-against-allowlist) is the documented follow-on in the spec.
15
+
16
+ ## What to Tell Your User
17
+
18
+ Internal capability — nothing to configure. Your agent now has the full set of Instar-development tools — the spec convergence cycle, the instar-dev workflow, structured debugging, and more — so it can help develop and improve Instar with the same tools Instar uses on itself.
19
+
20
+ ## Summary of New Capabilities
21
+
22
+ | Capability | How to use |
23
+ |-----------|-----------|
24
+ | The developer-skill toolkit installs to every agent | Automatic on `init` and on update; the skills appear as slash commands in `.claude/skills/` |
25
+ | Add a skill to the canonical bundled set | Add the slug to `BUNDLED_DEV_SKILLS` in `src/commands/init.ts`; the ratchet test enforces it ships + installs |
26
+
27
+ ## Evidence
28
+
29
+ Spec went through a 3-round `/spec-converge` (5 internal reviewers + a gemini cross-model pass) which caught 4 real flaws pre-code; operator-approved. Ratchet test `tests/unit/builtin-dev-skills.test.ts` — 6 assertions (source-present, ships via `files[]`, materializes-on-install, subdirs carried, no bare `localhost:<port>`, idempotent), green. `tsc --noEmit` clean. Convergence report: `docs/specs/reports/builtin-skill-install-single-source-convergence.md`.
@@ -0,0 +1,80 @@
1
+ # Side-Effects Review — Built-in Skill Install (bundled dev toolkit)
2
+
3
+ **Version / slug:** `builtin-skill-install-single-source`
4
+ **Date:** `2026-06-09`
5
+ **Author:** `echo`
6
+ **Second-pass reviewer:** `not required (3-round /spec-converge with 5 internal reviewers + gemini external already performed; see convergence report)`
7
+
8
+ ## Summary of the change
9
+
10
+ Ships the developer-skill toolkit (`spec-converge`, `instar-dev`, `systematic-debugging`,
11
+ `smart-web-fetch`, `knowledge-base`, `instar-scheduler`, `agent-memory`, `agent-identity`,
12
+ `instar-identity`, `credential-leak-detector`) to every agent. These skills lived in the
13
+ git-tracked `skills/` dir but no code installed them and the dir was not in `package.json
14
+ files[]`, so they reached no agent. The fix: an authored `BUNDLED_DEV_SKILLS` allowlist + a
15
+ generic `installBundledDevSkills()` copy-loop in `init.ts` (install-if-missing, recursive for
16
+ subdirs), `skills/` added to `files[]` so the sources ship, the 3 port-hardcoded files rewritten
17
+ to `${INSTAR_PORT:-4040}`, and a ratchet test locking the "tracked-but-never-shipped" class shut.
18
+
19
+ This is the bounded, lowest-risk slice of the converged spec; the full single-source
20
+ consolidation (materialize the 16 inline skills, generator-validates-against-allowlist, files
21
+ glob) is the documented follow-on.
22
+
23
+ ## Decision-point inventory
24
+
25
+ No new block/allow/route gate. The only decision is install-if-missing vs overwrite (chosen:
26
+ install-if-missing, preserving user customizations — verified by an idempotency test).
27
+
28
+ ## 1. Over-block
29
+
30
+ None — the change adds files; it rejects no inputs. An agent that already has a same-named
31
+ custom skill keeps it untouched (install-if-missing), verified by the idempotency test.
32
+
33
+ ## 2. Under-block
34
+
35
+ The ratchet test covers the 10 allowlisted skills (source-present, ships, materializes, no bare
36
+ port, idempotent) but does NOT yet assert `npm pack --dry-run` contents directly (it asserts
37
+ `skills` ∈ `files[]` as the ship-proxy). The full generator-validation ratchet is the documented
38
+ follow-on. No safety-relevant under-block.
39
+
40
+ ## 3. Level-of-abstraction fit
41
+
42
+ Right layer: `installBuiltinSkills` is the existing install entry point; `installBundledDevSkills`
43
+ sits beside `installBuildSkill`/`installAutonomousSkill` (same proven bundled-copy pattern).
44
+ `skills/` stays the single source (referenced by SourceTreeGuard/crossModelReviewer) — relocating
45
+ would have broken those references.
46
+
47
+ ## 4. Signal vs authority compliance
48
+
49
+ N/A — no new gate, no blocking authority, no LLM judgment. Pure deterministic file install.
50
+
51
+ ## 5. Interactions
52
+
53
+ - Reuses the existing `migrateBuiltinSkills` → `installBuiltinSkills` path (PostUpdateMigrator:1776),
54
+ so existing agents receive the skills on update with NO new migrator (Migration Parity mechanism #5).
55
+ - Preserves the `claudeEnabled` gate (codex-only agents still skip `.claude/skills/`).
56
+ - `installBundledDevSkills` resolves bundled source via `__dirname/../../skills` — correct in both
57
+ the published package (dist/ + skills/ are siblings at package root) and vitest.
58
+
59
+ ## 6. External surfaces
60
+
61
+ Adds 10 slash commands to every agent's `.claude/skills/`. `skills/` is now shipped in the npm
62
+ package (size: ~250KB of markdown). No new HTTP route, no message surface, no auth change.
63
+
64
+ ## 7. Rollback cost
65
+
66
+ Low and clean. The change is additive + install-if-missing. Back-out = revert the commit; already
67
+ installed skill dirs are inert markdown (an agent simply has extra slash commands). No state
68
+ migration, no destructive op, no irreversibility.
69
+
70
+ ## Conclusion
71
+
72
+ Low-risk, additive, fleet-wide install of the dev toolkit, behind a ratchet test, reusing the
73
+ established bundled-skill pattern and the existing migrator. Operator-approved (D6 = fleet-wide).
74
+
75
+ ## Evidence pointers
76
+
77
+ - Converged spec: `docs/specs/BUILTIN-SKILL-INSTALL-SINGLE-SOURCE.md` (review-convergence + approved).
78
+ - Convergence report (3 rounds, 4 bugs caught): `docs/specs/reports/builtin-skill-install-single-source-convergence.md`.
79
+ - Ratchet test: `tests/unit/builtin-dev-skills.test.ts` (6 assertions, green).
80
+ - `tsc --noEmit` clean; CI push suite green except 1 unrelated environmental E2E flake (LLM-unavailable in local run).