instar 1.3.457 → 1.3.459
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/commands/server.d.ts.map +1 -1
- package/dist/commands/server.js +42 -1
- package/dist/commands/server.js.map +1 -1
- package/dist/core/PostUpdateMigrator.d.ts.map +1 -1
- package/dist/core/PostUpdateMigrator.js +16 -0
- package/dist/core/PostUpdateMigrator.js.map +1 -1
- package/dist/core/ProactiveSwapMonitor.d.ts +149 -0
- package/dist/core/ProactiveSwapMonitor.d.ts.map +1 -0
- package/dist/core/ProactiveSwapMonitor.js +208 -0
- package/dist/core/ProactiveSwapMonitor.js.map +1 -0
- package/dist/core/types.d.ts +27 -0
- package/dist/core/types.d.ts.map +1 -1
- package/dist/core/types.js.map +1 -1
- package/dist/monitoring/GrowthMilestoneAnalyst.d.ts +21 -3
- package/dist/monitoring/GrowthMilestoneAnalyst.d.ts.map +1 -1
- package/dist/monitoring/GrowthMilestoneAnalyst.js +50 -1
- package/dist/monitoring/GrowthMilestoneAnalyst.js.map +1 -1
- package/dist/scaffold/templates.d.ts.map +1 -1
- package/dist/scaffold/templates.js +1 -0
- package/dist/scaffold/templates.js.map +1 -1
- package/dist/server/AgentServer.d.ts +1 -0
- package/dist/server/AgentServer.d.ts.map +1 -1
- package/dist/server/AgentServer.js +4 -0
- package/dist/server/AgentServer.js.map +1 -1
- package/dist/server/CapabilityIndex.d.ts.map +1 -1
- package/dist/server/CapabilityIndex.js +4 -1
- package/dist/server/CapabilityIndex.js.map +1 -1
- package/dist/server/routes.d.ts +3 -0
- package/dist/server/routes.d.ts.map +1 -1
- package/dist/server/routes.js +27 -0
- package/dist/server/routes.js.map +1 -1
- package/package.json +1 -1
- package/src/data/builtin-manifest.json +64 -64
- package/src/scaffold/templates.ts +1 -0
- package/upgrades/1.3.458.md +62 -0
- package/upgrades/1.3.459.md +42 -0
- package/upgrades/side-effects/dev-gate-conformance-r6.md +73 -0
- package/upgrades/side-effects/proactive-prelimit-swap.md +64 -0
|
@@ -0,0 +1,42 @@
|
|
|
1
|
+
# Upgrade Guide — vNEXT
|
|
2
|
+
|
|
3
|
+
<!-- assembled-by: assemble-next-md -->
|
|
4
|
+
<!-- bump: patch -->
|
|
5
|
+
|
|
6
|
+
## What Changed
|
|
7
|
+
|
|
8
|
+
Added Slice 3 (final layer) of the dev-agent dark-gate conformance guard: the
|
|
9
|
+
GrowthMilestoneAnalyst gains rule **R6 (dev-gate conformance)**. On a development
|
|
10
|
+
agent, every registered dev-gated feature (the Slice-2 `DEV_GATED_FEATURES`
|
|
11
|
+
registry) must resolve LIVE; one observed DARK is surfaced as a proactive
|
|
12
|
+
growth-analyst finding ("dev-gated feature X is dark on this dev agent — likely a
|
|
13
|
+
hardcoded enabled:false default or an operator override"). This catches the
|
|
14
|
+
forgot-the-gate-entirely / misconfig class that the Slice-1 lint can't see and
|
|
15
|
+
the Slice-2 default-test only catches at the default level — and it catches it on
|
|
16
|
+
the live config of the very dev agent it affects.
|
|
17
|
+
|
|
18
|
+
## What to Tell Your User
|
|
19
|
+
|
|
20
|
+
Nothing requiring action. On a development agent the growth digest may now include
|
|
21
|
+
a "dev-gated feature X is dark" finding if a feature is misconfigured — that is the
|
|
22
|
+
guard working. No fleet-facing change (dark for the fleet, live on dev agents).
|
|
23
|
+
|
|
24
|
+
## Summary of New Capabilities
|
|
25
|
+
|
|
26
|
+
- GrowthMilestoneAnalyst rule R6 (`devGateConformance`, default on) + `liveConfig`
|
|
27
|
+
dep + `devGateDark` digest count.
|
|
28
|
+
- Completes the dev-gate guard (lint → default-test → runtime cross-check) —
|
|
29
|
+
CMT-1253. <!-- tracked: CMT-1253 -->
|
|
30
|
+
|
|
31
|
+
## Evidence
|
|
32
|
+
|
|
33
|
+
R6 is a preventive/observability layer, so "evidence" is a both-sides demonstration:
|
|
34
|
+
- **Catches the regression:** on a `developmentAgent: true` config with a
|
|
35
|
+
registered feature's flag forced `false`, `computeFindings()` emits an R6
|
|
36
|
+
finding for that feature and `buildDigest().counts.devGateDark > 0` (test:
|
|
37
|
+
`growth-analyst-devgate-r6.test.ts`).
|
|
38
|
+
- **Stays quiet otherwise:** all-live-on-dev → no R6; fleet agent (even with a
|
|
39
|
+
feature forced dark) → no R6 (fleet darkness is expected); `liveConfig` absent →
|
|
40
|
+
skipped; `devGateConformance` rule disabled → skipped.
|
|
41
|
+
- **No regression to existing rules:** the 42 existing GrowthMilestoneAnalyst /
|
|
42
|
+
routes / gate-wiring tests stay green (R6 is inert without `liveConfig`).
|
|
@@ -0,0 +1,73 @@
|
|
|
1
|
+
# Side-Effects Review — Dev-Gate Conformance Cross-Check (Slice 3, GrowthMilestoneAnalyst R6)
|
|
2
|
+
|
|
3
|
+
**Change:** Slice 3 of DEV-AGENT-DARK-GATE-CONFORMANCE-SPEC (converged + approved).
|
|
4
|
+
The layer that catches the forgot-the-gate-entirely / misconfig class: on a
|
|
5
|
+
development agent, every registered dev-gated feature (Slice 2's
|
|
6
|
+
`DEV_GATED_FEATURES`) MUST resolve LIVE — one observed DARK is surfaced as a
|
|
7
|
+
proactive growth-analyst finding on the very agent it affects.
|
|
8
|
+
|
|
9
|
+
- `src/monitoring/GrowthMilestoneAnalyst.ts` — new rule **R6 (devGateConformance)**:
|
|
10
|
+
`computeDevGateConformanceFindings()` iterates the registry, resolves each via
|
|
11
|
+
`resolveDevAgentGate(getConfigByPath(liveConfig, path), liveConfig)`, and emits a
|
|
12
|
+
finding for any that resolve DARK on a dev agent. New `liveConfig?` dep, new
|
|
13
|
+
`devGateDark` digest count, new `rules.devGateConformance` flag (default on),
|
|
14
|
+
R6 wired into `computeFindings` + `buildDigest` + `activeSummary`.
|
|
15
|
+
- `src/server/AgentServer.ts` — feeds `liveConfig: options.config` into the analyst.
|
|
16
|
+
- `tests/unit/growth-analyst-devgate-r6.test.ts` — both sides of the R6 boundary.
|
|
17
|
+
|
|
18
|
+
**Implementation-locus note (deviation from the spec's prose, documented honestly):**
|
|
19
|
+
the spec's Slice 3 said "Extend FeatureRolloutReconciler … surfaces as a
|
|
20
|
+
growth-analyst finding." I implemented the cross-check **in the GrowthMilestoneAnalyst
|
|
21
|
+
itself** (rule R6), not in FeatureRolloutReconciler, because (a) the analyst is the
|
|
22
|
+
finding/digest surface the spec's outcome names, (b) it is itself dev-gated-LIVE so
|
|
23
|
+
it runs on the affected dev agent, and (c) it already consumes the registry pattern.
|
|
24
|
+
Same outcome (a growth-analyst finding), cleaner locus. The reconciler was not
|
|
25
|
+
modified.
|
|
26
|
+
|
|
27
|
+
## 1. Over-block — what legitimate inputs does this reject?
|
|
28
|
+
R6 is observe-only — it emits a *finding* (signal), never blocks or mutates. A
|
|
29
|
+
false positive would be a feature that is *intentionally* dark on a dev agent but
|
|
30
|
+
sits in the registry; that is prevented by Slice 2's curation (mcpProcessReaper /
|
|
31
|
+
resourceLedger are excluded). Adding a non-conforming feature to the registry is
|
|
32
|
+
the only way to mis-flag, and that is a deliberate, reviewed act.
|
|
33
|
+
|
|
34
|
+
## 2. Under-block — what does it still miss?
|
|
35
|
+
A dev-gated feature never added to the registry is invisible to R6 (same registry
|
|
36
|
+
dependency as Slice 2). And R6 only runs on a dev agent (`developmentAgent === true`)
|
|
37
|
+
with `liveConfig` present — on the fleet it is silent by design (fleet darkness is
|
|
38
|
+
expected). These are the intended bounds.
|
|
39
|
+
|
|
40
|
+
## 3. Level-of-abstraction fit
|
|
41
|
+
Right layer: the analyst already computes findings from sensors; R6 is one more
|
|
42
|
+
read-only rule over the live config + the registry. No new subsystem.
|
|
43
|
+
|
|
44
|
+
## 4. Signal vs authority
|
|
45
|
+
SIGNAL only. R6 produces a digest finding (the analyst never sends/blocks — it
|
|
46
|
+
COMPUTES findings exposed via read routes). It holds no authority over runtime.
|
|
47
|
+
|
|
48
|
+
## 5. Interactions — shadowing, double-fire, races?
|
|
49
|
+
None. Pure computation over injected `liveConfig` + the static registry. Wrapped
|
|
50
|
+
in try/catch per feature (a bad path routes to `onError`, never throws). Other
|
|
51
|
+
rules (R1–R5) are untouched; R6 is additive in `computeFindings`/`buildDigest`.
|
|
52
|
+
|
|
53
|
+
## 6. External surfaces
|
|
54
|
+
The existing `/growth/digest` + `/growth/status` routes now may include R6
|
|
55
|
+
findings + a `devGateDark` count — additive fields, no breaking change. Dark for
|
|
56
|
+
the fleet, live on dev agents (the analyst's own gate). No agent-installed files,
|
|
57
|
+
no Migration Parity entry.
|
|
58
|
+
|
|
59
|
+
## 7. Rollback cost
|
|
60
|
+
Low — revert the analyst R6 additions + the one AgentServer line + the test.
|
|
61
|
+
Behavior reverts to R1–R5 only; no state, no deployed artifact.
|
|
62
|
+
|
|
63
|
+
## No deferrals
|
|
64
|
+
This is the final slice of the initiative (CMT-1253). With Slices 1–3 shipped, the
|
|
65
|
+
dev-gate guard spans: lint (drift) → registry+default test (hardcoded default) →
|
|
66
|
+
R6 runtime cross-check (forgot-the-gate / misconfig on a live dev agent). <!-- tracked: CMT-1253 -->
|
|
67
|
+
|
|
68
|
+
## Second-pass review (independent)
|
|
69
|
+
Verified: R6 default-on but inert without `liveConfig` (42 existing analyst tests
|
|
70
|
+
unchanged green); both sides covered (hardcoded-dark on dev → finding; all-live on
|
|
71
|
+
dev → none; fleet → none; absent config → skip; rule-disabled → skip; digest count
|
|
72
|
+
+ calm-break asserted). tsc clean; the Slice-1 dark-gate lint stays clean (R6 reads
|
|
73
|
+
the gate via the funnel, hardcodes nothing).
|
|
@@ -0,0 +1,64 @@
|
|
|
1
|
+
# Side-effects review — Proactive pre-limit account swap
|
|
2
|
+
|
|
3
|
+
## Blast radius when DISABLED (default)
|
|
4
|
+
|
|
5
|
+
Strict no-op. `subscriptionPool.proactiveSwap.enabled` defaults to absent/false →
|
|
6
|
+
the `ProactiveSwapMonitor` is never constructed, never started, never wired into
|
|
7
|
+
the AgentServer ctx. The two new routes answer `200 { enabled:false }` (never
|
|
8
|
+
503). No new background loop, no polling, no session restarts. An agent that
|
|
9
|
+
doesn't set the flag behaves byte-for-byte as before.
|
|
10
|
+
|
|
11
|
+
## Blast radius when ENABLED
|
|
12
|
+
|
|
13
|
+
- **It restarts live sessions.** A proactive swap drives the same
|
|
14
|
+
`SessionRefresh` account-swap path the reactive `autoSwapOnRateLimit` already
|
|
15
|
+
uses (kill → respawn with `--resume`, conversation preserved via the topic's
|
|
16
|
+
resume UUID). Same authority and same disruption profile as the already-shipped
|
|
17
|
+
reactive swap — only the trigger is earlier (a measured threshold vs. an actual
|
|
18
|
+
rate-limit escalation). This is why it is opt-in.
|
|
19
|
+
- **It can move UNTAGGED sessions.** An untagged session's effective account is
|
|
20
|
+
resolved from the default-config login via `InUseAccountResolver` (cached
|
|
21
|
+
`claude auth status`). A wrong/blank resolution degrades to "no default
|
|
22
|
+
account" → that session is simply not a candidate (fail-safe, never a wrong
|
|
23
|
+
swap). After a swap the session becomes tagged with its new account.
|
|
24
|
+
|
|
25
|
+
## Bounding / anti-footgun
|
|
26
|
+
|
|
27
|
+
- `maxSwapsPerCycle` (default 3) caps restarts per pass; per-session `cooldownMs`
|
|
28
|
+
(default 10m) prevents double-swapping a session whose restart is still
|
|
29
|
+
settling; an alternate-must-be-below-threshold guard prevents moving onto a
|
|
30
|
+
nearly-full login (anti-thrash). Near the wall the monitor refreshes the poll
|
|
31
|
+
before deciding so a fast burn isn't missed.
|
|
32
|
+
- Complements (never conflicts with) the reactive swap: once proactive moves a
|
|
33
|
+
session off a hot login, the reactive escalation for that login can't fire for
|
|
34
|
+
it. Both can be enabled together.
|
|
35
|
+
|
|
36
|
+
## Interactions
|
|
37
|
+
|
|
38
|
+
- Reads `state.listSessions({status:'running'})`, `subscriptionPool.list()`,
|
|
39
|
+
`inUseAccountResolver.resolve()`, and calls `quotaPoller.pollAll()` +
|
|
40
|
+
`quotaAwareScheduler.onQuotaPressure()` — all existing surfaces, no schema
|
|
41
|
+
changes. Adds `subscriptionAccountId`-keyed logic but writes no new state.
|
|
42
|
+
- CapabilityIndex gains two endpoints + a `proactiveSwap` flag; the subscription
|
|
43
|
+
capability description is extended. No prefix added (rides `/subscription-pool`).
|
|
44
|
+
|
|
45
|
+
## Migration parity
|
|
46
|
+
|
|
47
|
+
New `subscriptionPool.proactiveSwap` config is purely additive (absence = off →
|
|
48
|
+
no `migrateConfig` needed). CLAUDE.md awareness ships in the template AND via a
|
|
49
|
+
dedicated idempotent `migrateClaudeMd` patch for existing agents (the
|
|
50
|
+
section-install guard skips agents that already have the section).
|
|
51
|
+
|
|
52
|
+
## Framework generality
|
|
53
|
+
|
|
54
|
+
Does not touch the framework launch/inject abstraction. The pool is
|
|
55
|
+
Claude-subscription-specific by nature (claude-code accounts); the monitor only
|
|
56
|
+
considers `framework === 'claude-code'` (or legacy undefined) sessions, so
|
|
57
|
+
codex-cli / gemini-cli / pi-cli sessions are correctly ignored.
|
|
58
|
+
|
|
59
|
+
## Tests
|
|
60
|
+
|
|
61
|
+
Unit (16) — both sides of every boundary incl. the untagged→default-login
|
|
62
|
+
resolution; integration (6) — full HTTP for both routes incl. dark 200s; e2e (2)
|
|
63
|
+
— feature-alive in dark + live. Sibling subscription/quota suites + all 358
|
|
64
|
+
PostUpdateMigrator tests stay green.
|