instar 1.3.440 → 1.3.442
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/commands/server.d.ts.map +1 -1
- package/dist/commands/server.js +36 -1
- package/dist/commands/server.js.map +1 -1
- package/dist/coordination/MandateStore.d.ts +30 -2
- package/dist/coordination/MandateStore.d.ts.map +1 -1
- package/dist/coordination/MandateStore.js +89 -3
- package/dist/coordination/MandateStore.js.map +1 -1
- package/dist/coordination/types.d.ts +35 -0
- package/dist/coordination/types.d.ts.map +1 -1
- package/dist/messaging/slack/SlackAdapter.d.ts.map +1 -1
- package/dist/messaging/slack/SlackAdapter.js +26 -6
- package/dist/messaging/slack/SlackAdapter.js.map +1 -1
- package/dist/permissions/MandateBackedGrantStore.d.ts +40 -0
- package/dist/permissions/MandateBackedGrantStore.d.ts.map +1 -0
- package/dist/permissions/MandateBackedGrantStore.js +72 -0
- package/dist/permissions/MandateBackedGrantStore.js.map +1 -0
- package/dist/permissions/SlackUserRegistry.d.ts +64 -0
- package/dist/permissions/SlackUserRegistry.d.ts.map +1 -0
- package/dist/permissions/SlackUserRegistry.js +114 -0
- package/dist/permissions/SlackUserRegistry.js.map +1 -0
- package/dist/permissions/index.d.ts +2 -0
- package/dist/permissions/index.d.ts.map +1 -1
- package/dist/permissions/index.js +2 -0
- package/dist/permissions/index.js.map +1 -1
- package/dist/server/CapabilityIndex.d.ts.map +1 -1
- package/dist/server/CapabilityIndex.js +1 -0
- package/dist/server/CapabilityIndex.js.map +1 -1
- package/dist/server/routes.d.ts.map +1 -1
- package/dist/server/routes.js +117 -0
- package/dist/server/routes.js.map +1 -1
- package/package.json +1 -1
- package/src/data/builtin-manifest.json +46 -46
- package/src/data/state-coherence-registry.json +12 -0
- package/upgrades/1.3.441.md +26 -0
- package/upgrades/1.3.442.md +28 -0
- package/upgrades/side-effects/mandate-user-grants.md +78 -0
- package/upgrades/side-effects/slack-org-permissions-phase1.md +68 -0
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../src/commands/server.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAaH,OAAO,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAC;AAS3D,OAAO,EAAE,eAAe,EAAiC,MAAM,iCAAiC,CAAC;AAuBjG,OAAO,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAC;AAGvD,OAAO,EAAE,YAAY,EAAE,MAAM,+BAA+B,CAAC;AAiG7D,OAAO,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AA6JtD,UAAU,YAAY;IACpB,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb;2DACuD;IACvD,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AA05BD,wBAAgB,mBAAmB,CACjC,QAAQ,EAAE,eAAe,EACzB,cAAc,EAAE,cAAc,EAC9B,YAAY,CAAC,EAAE,YAAY,EAC3B,WAAW,CAAC,EAAE,WAAW,EACzB,WAAW,CAAC,EAAE,WAAW,EACzB,iBAAiB,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,OAAO,CAAC,EAGvE,UAAU,CAAC,EAAE,MAAM,OAAO,8BAA8B,EAAE,WAAW,GAAG,IAAI,EAK5E,qBAAqB,CAAC,EAAE,MAAM,OAAO,gCAAgC,EAAE,kBAAkB,GAAG,IAAI,GAC/F,IAAI,CAyUN;AA2lBD,wBAAsB,WAAW,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,
|
|
1
|
+
{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../src/commands/server.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAaH,OAAO,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAC;AAS3D,OAAO,EAAE,eAAe,EAAiC,MAAM,iCAAiC,CAAC;AAuBjG,OAAO,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAC;AAGvD,OAAO,EAAE,YAAY,EAAE,MAAM,+BAA+B,CAAC;AAiG7D,OAAO,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AA6JtD,UAAU,YAAY;IACpB,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb;2DACuD;IACvD,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AA05BD,wBAAgB,mBAAmB,CACjC,QAAQ,EAAE,eAAe,EACzB,cAAc,EAAE,cAAc,EAC9B,YAAY,CAAC,EAAE,YAAY,EAC3B,WAAW,CAAC,EAAE,WAAW,EACzB,WAAW,CAAC,EAAE,WAAW,EACzB,iBAAiB,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,OAAO,CAAC,EAGvE,UAAU,CAAC,EAAE,MAAM,OAAO,8BAA8B,EAAE,WAAW,GAAG,IAAI,EAK5E,qBAAqB,CAAC,EAAE,MAAM,OAAO,gCAAgC,EAAE,kBAAkB,GAAG,IAAI,GAC/F,IAAI,CAyUN;AA2lBD,wBAAsB,WAAW,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CAmrUtE;AAED,wBAAsB,UAAU,CAAC,OAAO,EAAE;IAAE,GAAG,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAsDzE;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,aAAa,CAAC,OAAO,EAAE;IAAE,GAAG,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAuD5E"}
|
package/dist/commands/server.js
CHANGED
|
@@ -4221,10 +4221,44 @@ export async function startServer(options) {
|
|
|
4221
4221
|
const slackCfg = slackConfig.config;
|
|
4222
4222
|
const pgCfg = slackCfg.permissionGate;
|
|
4223
4223
|
if (pgCfg && (pgCfg.observeOnly || pgCfg.enforce)) {
|
|
4224
|
-
const { SlackPermissionObserver, SlackPrincipalResolver, SlackPermissionGate, PermissionDecisionLedger, RolePolicy, HeuristicIntentClassifier, HeuristicAnomalyScorer, } = await import('../permissions/index.js');
|
|
4224
|
+
const { SlackPermissionObserver, SlackPrincipalResolver, SlackPermissionGate, PermissionDecisionLedger, RolePolicy, HeuristicIntentClassifier, HeuristicAnomalyScorer, MandateBackedGrantStore, } = await import('../permissions/index.js');
|
|
4225
4225
|
// Own UserManager instance for verified-principal resolution (the
|
|
4226
4226
|
// Telegram-block userManager is out of scope here). Reads users.json.
|
|
4227
4227
|
const slackUserManager = new UserManager(config.stateDir, config.users);
|
|
4228
|
+
// ── Floor-action grants are read from the SIGNED Coordination Mandate ──
|
|
4229
|
+
// A MandateStore reader over the SAME file + SAME HMAC sign/verify deps as
|
|
4230
|
+
// the coordination engine in AgentServer (which is constructed later, so we
|
|
4231
|
+
// can't share the instance) — a stateless reader, so a second instance over
|
|
4232
|
+
// the same on-disk mandates is correct. With no stateDir, leave grants
|
|
4233
|
+
// unset (deny-by-default: the gate then refuses every floor action).
|
|
4234
|
+
let grantStore;
|
|
4235
|
+
if (config.stateDir) {
|
|
4236
|
+
try {
|
|
4237
|
+
const { MandateStore } = await import('../coordination/MandateStore.js');
|
|
4238
|
+
const cryptoMod = await import('node:crypto');
|
|
4239
|
+
const issuanceKey = config.authToken || 'mandate-issuance-unsigned-dev-key';
|
|
4240
|
+
const mSign = (canonical) => cryptoMod.createHmac('sha256', issuanceKey).update(canonical).digest('hex');
|
|
4241
|
+
const mVerify = (canonical, proof) => {
|
|
4242
|
+
const expected = mSign(canonical);
|
|
4243
|
+
try {
|
|
4244
|
+
return expected.length === proof.length
|
|
4245
|
+
&& cryptoMod.timingSafeEqual(Buffer.from(expected), Buffer.from(proof));
|
|
4246
|
+
}
|
|
4247
|
+
catch { /* @silent-fallback-ok — a malformed proof must verify FALSE (deny-safe), never throw */
|
|
4248
|
+
return false;
|
|
4249
|
+
}
|
|
4250
|
+
};
|
|
4251
|
+
const mandateStore = new MandateStore({
|
|
4252
|
+
filePath: path.join(config.stateDir, 'state', 'coordination-mandates.json'),
|
|
4253
|
+
sign: mSign,
|
|
4254
|
+
verifySig: mVerify,
|
|
4255
|
+
});
|
|
4256
|
+
grantStore = new MandateBackedGrantStore({ store: mandateStore });
|
|
4257
|
+
}
|
|
4258
|
+
catch (ge) {
|
|
4259
|
+
console.warn('[slack] mandate-backed grant store wiring skipped:', ge.message);
|
|
4260
|
+
}
|
|
4261
|
+
}
|
|
4228
4262
|
const observer = new SlackPermissionObserver({
|
|
4229
4263
|
resolver: new SlackPrincipalResolver({
|
|
4230
4264
|
resolveFromSlackUserId: (id) => slackUserManager.resolveFromSlackUserId(id),
|
|
@@ -4233,6 +4267,7 @@ export async function startServer(options) {
|
|
|
4233
4267
|
rolePolicy: new RolePolicy(),
|
|
4234
4268
|
classifier: new HeuristicIntentClassifier(),
|
|
4235
4269
|
anomalyScorer: new HeuristicAnomalyScorer(),
|
|
4270
|
+
grants: grantStore,
|
|
4236
4271
|
}),
|
|
4237
4272
|
ledger: new PermissionDecisionLedger(config.stateDir),
|
|
4238
4273
|
enforce: pgCfg.enforce === true,
|