instar 1.3.455 → 1.3.456

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1,104 @@
1
+ # Side-Effects Review — Dev-Agent Dark-Gate Conformance Guard (Slice 1)
2
+
3
+ **Change:** Add a structural guard for the `developmentAgent` dark-feature gate
4
+ so a feature can't ship dark on dev agents by hand-rolling/forgetting the gate
5
+ (the PR #1001 miss). Slice 1:
6
+ - `src/core/devAgentGate.ts` — `resolveDevAgentGate(explicit, config)` funnel
7
+ (`explicit ?? !!config?.developmentAgent`).
8
+ - `scripts/lint-dev-agent-dark-gate.js` — assertion A (no hand-rolled
9
+ `?? !!<x>.developmentAgent` outside the funnel) + assertion B (no hardcoded
10
+ `enabled: false` under a dev-gate marker comment in `ConfigDefaults.ts`).
11
+ Wired into the `lint` npm script (Repo Invariants CI).
12
+ - Migrated the 11 existing hand-rolled sites in `src/server/AgentServer.ts`,
13
+ `src/commands/server.ts`, and `src/server/routes.ts` to the funnel
14
+ (behavior-identical). Assertion B is brace-matched on the config block (not a
15
+ fixed line window) — the fix for the convergence-review finding that a long
16
+ marker comment hid the growthAnalyst block from the original window.
17
+
18
+ **Files:**
19
+ - `src/core/devAgentGate.ts` (new), `tests/unit/devAgentGate.test.ts` (new, 8).
20
+ - `scripts/lint-dev-agent-dark-gate.js` (new), `tests/unit/lint-dev-agent-dark-gate.test.ts` (new, 7).
21
+ - `src/server/AgentServer.ts`, `src/commands/server.ts`, `src/server/routes.ts` — 11 call sites + imports.
22
+ - `scripts/lint-no-direct-destructive.js` — allowlist the new lint (reads
23
+ `git diff --cached` for `--staged`, same as its siblings).
24
+ - `package.json` — `lint` script + two convenience scripts.
25
+ - `tests/unit/growth-analyst-gate-wiring.test.ts`, `tests/unit/resource-sampler-wiring.test.ts`
26
+ — source-pattern assertions updated to the funnel form.
27
+ - `docs/specs/DEV-AGENT-DARK-GATE-CONFORMANCE-SPEC.md` (the design).
28
+
29
+ ## 1. Over-block — what legitimate inputs does this reject that it shouldn't?
30
+ Assertion A bans `?? !!<x>.developmentAgent` everywhere but the funnel. A future
31
+ legitimate need to read `config.developmentAgent` for a non-gate purpose (e.g.
32
+ logging which agent kind it is) would trip it. Mitigation: the regex requires the
33
+ `?? ` nullish-coalesce immediately before `.developmentAgent`, so a bare
34
+ `config.developmentAgent` read does NOT match — only the gate-resolution shape
35
+ does. Assertion B only fires on `enabled: false` in *code* lines within 8 lines
36
+ of a dev-gate marker comment in `ConfigDefaults.ts`; `enabled: true` (fleet-flip)
37
+ and comment prose are deliberately not flagged. Verified clean on the real tree
38
+ (the convention's own documentation does not trip it).
39
+
40
+ ## 2. Under-block — what failure modes does this still miss?
41
+ The honest, central limit (named in the spec's layer table): **a feature that
42
+ should be dev-gated but omits the gate entirely** is invisible to both
43
+ assertions — there is no `?? developmentAgent` to flag and no marker comment to
44
+ anchor on. That is exactly the #1001 *shape* (it had a hardcoded `enabled: false`
45
+ default and a `=== true` construction with no gate). Assertion B catches the
46
+ `enabled: false`-under-marker variant, but not a gate-less feature with no
47
+ marker. The layer that truly catches forgot-entirely is the both-sides wiring
48
+ test over a dev-gated-feature registry (Slice 2) and the spec-intent cross-check
49
+ (Slice 3) — explicitly deferred and tracked (CMT-1253), not silently skipped.
50
+
51
+ ## 3. Level-of-abstraction fit — right layer?
52
+ Yes. The funnel mirrors the established single-funnel pattern (SafeFsExecutor,
53
+ SafeGitExecutor); the lint joins the existing `lint-*` family run in Repo
54
+ Invariants. The guard lives in CI (the same layer that already enforces
55
+ no-direct-destructive, no-unfunneled-topic-creation, etc.), not in a prompt.
56
+
57
+ ## 4. Signal vs authority compliance (docs/signal-vs-authority.md)
58
+ The lint is AUTHORITY (it fails CI / blocks a commit) — appropriate, identical to
59
+ its lint siblings: a deterministic, mechanical invariant with a clear fix
60
+ message, not a judgment call. The runtime helper is pure and behavior-identical
61
+ to the code it replaces, so it holds no new authority over runtime behavior.
62
+
63
+ ## 5. Interactions — shadowing, double-fire, races?
64
+ None. The helper is a pure function with no state. The lint reads files only. The
65
+ migration is a mechanical rewrite (`X ?? !!c.developmentAgent` →
66
+ `resolveDevAgentGate(X, c)`) that `tsc --noEmit` confirms type-identical;
67
+ `resolveDevAgentGate` returns exactly `X ?? !!c?.developmentAgent`, so every
68
+ migrated gate resolves to the same boolean as before for all inputs.
69
+
70
+ ## 6. External surfaces — visible to other agents/users/systems?
71
+ None. No routes, no config, no agent-installed files, no Telegram. Purely
72
+ repo-internal source + CI. No Migration Parity entry needed (the spec's Migration
73
+ Parity section says so explicitly).
74
+
75
+ ## 7. Rollback cost — back-out if wrong?
76
+ Trivial and low-blast-radius. Revert the lint line in `package.json` to disable
77
+ the CI gate instantly; revert the migration commits to restore the hand-rolled
78
+ sites (behavior was never changed, so a revert is a no-op at runtime). No data,
79
+ no state, no deployed artifact to unwind.
80
+
81
+ ## No deferrals
82
+ Slices 2 (registry + both-sides wiring test) and 3 (spec-intent cross-check) are
83
+ NOT deferrals of this slice's scope — they are the explicitly-scoped follow-on
84
+ layers named in the spec and tracked as commitment CMT-1253, so the gap is
85
+ visible and re-surfaced, not dropped.
86
+
87
+ ## Second-pass review (independent)
88
+ **Done — via /spec-converge (5 internal reviewers, 2 iterations; report at
89
+ docs/specs/reports/dev-agent-dark-gate-conformance-convergence.md).** The
90
+ independent pass found three material issues that this change now fixes:
91
+ 1. **Assertion B silently no-op'd on its origin case.** The original fixed 8-line
92
+ window missed the real growthAnalyst block (its ~10-line marker comment pushed
93
+ the fields out of range) — empirically, an injected `enabled: false` reported
94
+ "clean." Fixed by brace-matching the block; re-tested: now caught, real tree
95
+ still clean.
96
+ 2. **An 11th un-migrated site + regex blind spot.** `routes.ts` used
97
+ `?? Boolean(ctx.config.developmentAgent)` — missed by the `!!`-only first pass
98
+ and unmatched by the lint. Migrated; regex broadened to `!!`/`Boolean(`/bracket.
99
+ 3. **Spec overclaim.** Softened "catches #1001 directly" → "when gate-marked" and
100
+ "only legal path" → "for the realistic spellings"; layer table now names the
101
+ alias/wrapper and markerless misses.
102
+ Round 2 (lessons-aware + adversarial) returned CONVERGED — no material findings.
103
+ Security and scalability reviewers found nothing material (fails safe toward
104
+ dark-on-fleet; ~0.3s scan, no regex backtracking).