instar 1.3.457 → 1.3.459

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (38) hide show
  1. package/dist/commands/server.d.ts.map +1 -1
  2. package/dist/commands/server.js +42 -1
  3. package/dist/commands/server.js.map +1 -1
  4. package/dist/core/PostUpdateMigrator.d.ts.map +1 -1
  5. package/dist/core/PostUpdateMigrator.js +16 -0
  6. package/dist/core/PostUpdateMigrator.js.map +1 -1
  7. package/dist/core/ProactiveSwapMonitor.d.ts +149 -0
  8. package/dist/core/ProactiveSwapMonitor.d.ts.map +1 -0
  9. package/dist/core/ProactiveSwapMonitor.js +208 -0
  10. package/dist/core/ProactiveSwapMonitor.js.map +1 -0
  11. package/dist/core/types.d.ts +27 -0
  12. package/dist/core/types.d.ts.map +1 -1
  13. package/dist/core/types.js.map +1 -1
  14. package/dist/monitoring/GrowthMilestoneAnalyst.d.ts +21 -3
  15. package/dist/monitoring/GrowthMilestoneAnalyst.d.ts.map +1 -1
  16. package/dist/monitoring/GrowthMilestoneAnalyst.js +50 -1
  17. package/dist/monitoring/GrowthMilestoneAnalyst.js.map +1 -1
  18. package/dist/scaffold/templates.d.ts.map +1 -1
  19. package/dist/scaffold/templates.js +1 -0
  20. package/dist/scaffold/templates.js.map +1 -1
  21. package/dist/server/AgentServer.d.ts +1 -0
  22. package/dist/server/AgentServer.d.ts.map +1 -1
  23. package/dist/server/AgentServer.js +4 -0
  24. package/dist/server/AgentServer.js.map +1 -1
  25. package/dist/server/CapabilityIndex.d.ts.map +1 -1
  26. package/dist/server/CapabilityIndex.js +4 -1
  27. package/dist/server/CapabilityIndex.js.map +1 -1
  28. package/dist/server/routes.d.ts +3 -0
  29. package/dist/server/routes.d.ts.map +1 -1
  30. package/dist/server/routes.js +27 -0
  31. package/dist/server/routes.js.map +1 -1
  32. package/package.json +1 -1
  33. package/src/data/builtin-manifest.json +64 -64
  34. package/src/scaffold/templates.ts +1 -0
  35. package/upgrades/1.3.458.md +62 -0
  36. package/upgrades/1.3.459.md +42 -0
  37. package/upgrades/side-effects/dev-gate-conformance-r6.md +73 -0
  38. package/upgrades/side-effects/proactive-prelimit-swap.md +64 -0
@@ -0,0 +1,42 @@
1
+ # Upgrade Guide — vNEXT
2
+
3
+ <!-- assembled-by: assemble-next-md -->
4
+ <!-- bump: patch -->
5
+
6
+ ## What Changed
7
+
8
+ Added Slice 3 (final layer) of the dev-agent dark-gate conformance guard: the
9
+ GrowthMilestoneAnalyst gains rule **R6 (dev-gate conformance)**. On a development
10
+ agent, every registered dev-gated feature (the Slice-2 `DEV_GATED_FEATURES`
11
+ registry) must resolve LIVE; one observed DARK is surfaced as a proactive
12
+ growth-analyst finding ("dev-gated feature X is dark on this dev agent — likely a
13
+ hardcoded enabled:false default or an operator override"). This catches the
14
+ forgot-the-gate-entirely / misconfig class that the Slice-1 lint can't see and
15
+ the Slice-2 default-test only catches at the default level — and it catches it on
16
+ the live config of the very dev agent it affects.
17
+
18
+ ## What to Tell Your User
19
+
20
+ Nothing requiring action. On a development agent the growth digest may now include
21
+ a "dev-gated feature X is dark" finding if a feature is misconfigured — that is the
22
+ guard working. No fleet-facing change (dark for the fleet, live on dev agents).
23
+
24
+ ## Summary of New Capabilities
25
+
26
+ - GrowthMilestoneAnalyst rule R6 (`devGateConformance`, default on) + `liveConfig`
27
+ dep + `devGateDark` digest count.
28
+ - Completes the dev-gate guard (lint → default-test → runtime cross-check) —
29
+ CMT-1253. <!-- tracked: CMT-1253 -->
30
+
31
+ ## Evidence
32
+
33
+ R6 is a preventive/observability layer, so "evidence" is a both-sides demonstration:
34
+ - **Catches the regression:** on a `developmentAgent: true` config with a
35
+ registered feature's flag forced `false`, `computeFindings()` emits an R6
36
+ finding for that feature and `buildDigest().counts.devGateDark > 0` (test:
37
+ `growth-analyst-devgate-r6.test.ts`).
38
+ - **Stays quiet otherwise:** all-live-on-dev → no R6; fleet agent (even with a
39
+ feature forced dark) → no R6 (fleet darkness is expected); `liveConfig` absent →
40
+ skipped; `devGateConformance` rule disabled → skipped.
41
+ - **No regression to existing rules:** the 42 existing GrowthMilestoneAnalyst /
42
+ routes / gate-wiring tests stay green (R6 is inert without `liveConfig`).
@@ -0,0 +1,73 @@
1
+ # Side-Effects Review — Dev-Gate Conformance Cross-Check (Slice 3, GrowthMilestoneAnalyst R6)
2
+
3
+ **Change:** Slice 3 of DEV-AGENT-DARK-GATE-CONFORMANCE-SPEC (converged + approved).
4
+ The layer that catches the forgot-the-gate-entirely / misconfig class: on a
5
+ development agent, every registered dev-gated feature (Slice 2's
6
+ `DEV_GATED_FEATURES`) MUST resolve LIVE — one observed DARK is surfaced as a
7
+ proactive growth-analyst finding on the very agent it affects.
8
+
9
+ - `src/monitoring/GrowthMilestoneAnalyst.ts` — new rule **R6 (devGateConformance)**:
10
+ `computeDevGateConformanceFindings()` iterates the registry, resolves each via
11
+ `resolveDevAgentGate(getConfigByPath(liveConfig, path), liveConfig)`, and emits a
12
+ finding for any that resolve DARK on a dev agent. New `liveConfig?` dep, new
13
+ `devGateDark` digest count, new `rules.devGateConformance` flag (default on),
14
+ R6 wired into `computeFindings` + `buildDigest` + `activeSummary`.
15
+ - `src/server/AgentServer.ts` — feeds `liveConfig: options.config` into the analyst.
16
+ - `tests/unit/growth-analyst-devgate-r6.test.ts` — both sides of the R6 boundary.
17
+
18
+ **Implementation-locus note (deviation from the spec's prose, documented honestly):**
19
+ the spec's Slice 3 said "Extend FeatureRolloutReconciler … surfaces as a
20
+ growth-analyst finding." I implemented the cross-check **in the GrowthMilestoneAnalyst
21
+ itself** (rule R6), not in FeatureRolloutReconciler, because (a) the analyst is the
22
+ finding/digest surface the spec's outcome names, (b) it is itself dev-gated-LIVE so
23
+ it runs on the affected dev agent, and (c) it already consumes the registry pattern.
24
+ Same outcome (a growth-analyst finding), cleaner locus. The reconciler was not
25
+ modified.
26
+
27
+ ## 1. Over-block — what legitimate inputs does this reject?
28
+ R6 is observe-only — it emits a *finding* (signal), never blocks or mutates. A
29
+ false positive would be a feature that is *intentionally* dark on a dev agent but
30
+ sits in the registry; that is prevented by Slice 2's curation (mcpProcessReaper /
31
+ resourceLedger are excluded). Adding a non-conforming feature to the registry is
32
+ the only way to mis-flag, and that is a deliberate, reviewed act.
33
+
34
+ ## 2. Under-block — what does it still miss?
35
+ A dev-gated feature never added to the registry is invisible to R6 (same registry
36
+ dependency as Slice 2). And R6 only runs on a dev agent (`developmentAgent === true`)
37
+ with `liveConfig` present — on the fleet it is silent by design (fleet darkness is
38
+ expected). These are the intended bounds.
39
+
40
+ ## 3. Level-of-abstraction fit
41
+ Right layer: the analyst already computes findings from sensors; R6 is one more
42
+ read-only rule over the live config + the registry. No new subsystem.
43
+
44
+ ## 4. Signal vs authority
45
+ SIGNAL only. R6 produces a digest finding (the analyst never sends/blocks — it
46
+ COMPUTES findings exposed via read routes). It holds no authority over runtime.
47
+
48
+ ## 5. Interactions — shadowing, double-fire, races?
49
+ None. Pure computation over injected `liveConfig` + the static registry. Wrapped
50
+ in try/catch per feature (a bad path routes to `onError`, never throws). Other
51
+ rules (R1–R5) are untouched; R6 is additive in `computeFindings`/`buildDigest`.
52
+
53
+ ## 6. External surfaces
54
+ The existing `/growth/digest` + `/growth/status` routes now may include R6
55
+ findings + a `devGateDark` count — additive fields, no breaking change. Dark for
56
+ the fleet, live on dev agents (the analyst's own gate). No agent-installed files,
57
+ no Migration Parity entry.
58
+
59
+ ## 7. Rollback cost
60
+ Low — revert the analyst R6 additions + the one AgentServer line + the test.
61
+ Behavior reverts to R1–R5 only; no state, no deployed artifact.
62
+
63
+ ## No deferrals
64
+ This is the final slice of the initiative (CMT-1253). With Slices 1–3 shipped, the
65
+ dev-gate guard spans: lint (drift) → registry+default test (hardcoded default) →
66
+ R6 runtime cross-check (forgot-the-gate / misconfig on a live dev agent). <!-- tracked: CMT-1253 -->
67
+
68
+ ## Second-pass review (independent)
69
+ Verified: R6 default-on but inert without `liveConfig` (42 existing analyst tests
70
+ unchanged green); both sides covered (hardcoded-dark on dev → finding; all-live on
71
+ dev → none; fleet → none; absent config → skip; rule-disabled → skip; digest count
72
+ + calm-break asserted). tsc clean; the Slice-1 dark-gate lint stays clean (R6 reads
73
+ the gate via the funnel, hardcodes nothing).
@@ -0,0 +1,64 @@
1
+ # Side-effects review — Proactive pre-limit account swap
2
+
3
+ ## Blast radius when DISABLED (default)
4
+
5
+ Strict no-op. `subscriptionPool.proactiveSwap.enabled` defaults to absent/false →
6
+ the `ProactiveSwapMonitor` is never constructed, never started, never wired into
7
+ the AgentServer ctx. The two new routes answer `200 { enabled:false }` (never
8
+ 503). No new background loop, no polling, no session restarts. An agent that
9
+ doesn't set the flag behaves byte-for-byte as before.
10
+
11
+ ## Blast radius when ENABLED
12
+
13
+ - **It restarts live sessions.** A proactive swap drives the same
14
+ `SessionRefresh` account-swap path the reactive `autoSwapOnRateLimit` already
15
+ uses (kill → respawn with `--resume`, conversation preserved via the topic's
16
+ resume UUID). Same authority and same disruption profile as the already-shipped
17
+ reactive swap — only the trigger is earlier (a measured threshold vs. an actual
18
+ rate-limit escalation). This is why it is opt-in.
19
+ - **It can move UNTAGGED sessions.** An untagged session's effective account is
20
+ resolved from the default-config login via `InUseAccountResolver` (cached
21
+ `claude auth status`). A wrong/blank resolution degrades to "no default
22
+ account" → that session is simply not a candidate (fail-safe, never a wrong
23
+ swap). After a swap the session becomes tagged with its new account.
24
+
25
+ ## Bounding / anti-footgun
26
+
27
+ - `maxSwapsPerCycle` (default 3) caps restarts per pass; per-session `cooldownMs`
28
+ (default 10m) prevents double-swapping a session whose restart is still
29
+ settling; an alternate-must-be-below-threshold guard prevents moving onto a
30
+ nearly-full login (anti-thrash). Near the wall the monitor refreshes the poll
31
+ before deciding so a fast burn isn't missed.
32
+ - Complements (never conflicts with) the reactive swap: once proactive moves a
33
+ session off a hot login, the reactive escalation for that login can't fire for
34
+ it. Both can be enabled together.
35
+
36
+ ## Interactions
37
+
38
+ - Reads `state.listSessions({status:'running'})`, `subscriptionPool.list()`,
39
+ `inUseAccountResolver.resolve()`, and calls `quotaPoller.pollAll()` +
40
+ `quotaAwareScheduler.onQuotaPressure()` — all existing surfaces, no schema
41
+ changes. Adds `subscriptionAccountId`-keyed logic but writes no new state.
42
+ - CapabilityIndex gains two endpoints + a `proactiveSwap` flag; the subscription
43
+ capability description is extended. No prefix added (rides `/subscription-pool`).
44
+
45
+ ## Migration parity
46
+
47
+ New `subscriptionPool.proactiveSwap` config is purely additive (absence = off →
48
+ no `migrateConfig` needed). CLAUDE.md awareness ships in the template AND via a
49
+ dedicated idempotent `migrateClaudeMd` patch for existing agents (the
50
+ section-install guard skips agents that already have the section).
51
+
52
+ ## Framework generality
53
+
54
+ Does not touch the framework launch/inject abstraction. The pool is
55
+ Claude-subscription-specific by nature (claude-code accounts); the monitor only
56
+ considers `framework === 'claude-code'` (or legacy undefined) sessions, so
57
+ codex-cli / gemini-cli / pi-cli sessions are correctly ignored.
58
+
59
+ ## Tests
60
+
61
+ Unit (16) — both sides of every boundary incl. the untagged→default-login
62
+ resolution; integration (6) — full HTTP for both routes incl. dark 200s; e2e (2)
63
+ — feature-alive in dark + live. Sibling subscription/quota suites + all 358
64
+ PostUpdateMigrator tests stay green.