instar 1.3.458 → 1.3.460
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/monitoring/GrowthMilestoneAnalyst.d.ts +21 -3
- package/dist/monitoring/GrowthMilestoneAnalyst.d.ts.map +1 -1
- package/dist/monitoring/GrowthMilestoneAnalyst.js +50 -1
- package/dist/monitoring/GrowthMilestoneAnalyst.js.map +1 -1
- package/dist/server/AgentServer.d.ts.map +1 -1
- package/dist/server/AgentServer.js +3 -0
- package/dist/server/AgentServer.js.map +1 -1
- package/dist/server/routes.d.ts.map +1 -1
- package/dist/server/routes.js +12 -3
- package/dist/server/routes.js.map +1 -1
- package/dist/threadline/ThreadlineRouter.d.ts +13 -1
- package/dist/threadline/ThreadlineRouter.d.ts.map +1 -1
- package/dist/threadline/ThreadlineRouter.js +6 -2
- package/dist/threadline/ThreadlineRouter.js.map +1 -1
- package/dist/threadline/peerFingerprint.d.ts +41 -0
- package/dist/threadline/peerFingerprint.d.ts.map +1 -0
- package/dist/threadline/peerFingerprint.js +71 -0
- package/dist/threadline/peerFingerprint.js.map +1 -0
- package/package.json +1 -1
- package/src/data/builtin-manifest.json +47 -47
- package/upgrades/1.3.459.md +42 -0
- package/upgrades/1.3.460.md +44 -0
- package/upgrades/side-effects/dev-gate-conformance-r6.md +73 -0
- package/upgrades/side-effects/threadline-local-attribution.md +135 -0
|
@@ -0,0 +1,135 @@
|
|
|
1
|
+
# Side-Effects Review — Threadline local-delivery fingerprint attribution
|
|
2
|
+
|
|
3
|
+
**Version / slug:** `threadline-local-attribution`
|
|
4
|
+
**Date:** `2026-06-09`
|
|
5
|
+
**Author:** `Instar Agent (echo)`
|
|
6
|
+
**Second-pass reviewer:** `independent reviewer subagent — CONCUR (Phase 5; high-risk: anti-hijack security surface + A2A routing)`
|
|
7
|
+
|
|
8
|
+
## Summary of the change
|
|
9
|
+
|
|
10
|
+
Fixes the anti-hijack guard isolating legitimate same-machine replies (the live Luna incident, thread
|
|
11
|
+
`199c20fe`). On local delivery the sender is stamped by NAME (`from.agent`), but the thread owner is a
|
|
12
|
+
FINGERPRINT (`publicKey[:32]`), so the guard mismatched and isolated. Driven by the converged spec
|
|
13
|
+
`docs/specs/threadline-local-delivery-fingerprint-attribution.md`. Three pieces:
|
|
14
|
+
(A) a new shared resolver `src/threadline/peerFingerprint.ts` — `resolvePeerFingerprint(entry) =
|
|
15
|
+
fingerprint || publicKey[:32] || null` (lowercased) + `resolvePeerFingerprintByName(stateDir, name)`
|
|
16
|
+
(collision/absent/malformed → null); (B) the `/messages/relay-agent` route resolves `from.agent` and
|
|
17
|
+
passes the result to `handleInboundMessage` via a NEW narrow optional param `opts.inboundSenderFingerprint`,
|
|
18
|
+
consumed ONLY in the anti-hijack `inboundFp` fallback — NOT a full relayContext; (C) the outbound
|
|
19
|
+
owner-record sites (`captureOrigin` / `recordSent` peerFp) adopt `resolvePeerFingerprint` so record and
|
|
20
|
+
compare derive identically. Tests: 13 resolver unit + 3 anti-hijack unit (incl. incident reproduction:
|
|
21
|
+
no-hint isolates, hint resumes) + 2 integration (resolver-from-real-file → guard, the publicKey-only
|
|
22
|
+
shape). 1710 existing threadline tests green; typecheck clean.
|
|
23
|
+
|
|
24
|
+
## Decision-point inventory
|
|
25
|
+
|
|
26
|
+
- `ThreadlineRouter.handleInboundMessage` anti-hijack `inboundFp` (identity the guard compares) —
|
|
27
|
+
**modify** — add `opts.inboundSenderFingerprint` to the fallback chain; logic unchanged.
|
|
28
|
+
- `/messages/relay-agent` ingress — **modify** — resolve `from.agent` → fingerprint, pass the hint.
|
|
29
|
+
- Owner-record derivation (`captureOrigin`/`recordSent`) — **modify** — route through the shared helper
|
|
30
|
+
(same chain, now lowercased).
|
|
31
|
+
|
|
32
|
+
---
|
|
33
|
+
|
|
34
|
+
## 1. Over-block
|
|
35
|
+
|
|
36
|
+
No legitimate input is newly rejected — the change is the opposite (legitimate replies that were
|
|
37
|
+
false-isolated now resume). The only new *match* is a sender whose NAME resolves to the thread owner's
|
|
38
|
+
fingerprint. An unknown / unresolvable name still falls back to the name and isolates a fingerprint-owned
|
|
39
|
+
thread (fail-safe), so nothing legitimate-but-unknown is newly *admitted* into a victim thread either.
|
|
40
|
+
|
|
41
|
+
## 2. Under-block
|
|
42
|
+
|
|
43
|
+
A process running as the same OS user that holds the receiver's relay-agent token could stamp
|
|
44
|
+
`from.agent = <a known peer's name>`, resolve to that peer's fingerprint, and resume that peer's thread.
|
|
45
|
+
This is the **committed trust tradeoff** (spec §C): bounded by token custody (the real authorization
|
|
46
|
+
boundary, unchanged); pre-fix the guard already operated on the self-asserted name and merely
|
|
47
|
+
always-isolated locally (no real protection); the cross-machine attacker path is Ed25519-verified and
|
|
48
|
+
untouched. Tightening *who may call* `/messages/relay-agent` is the correct hardening and is tracked
|
|
49
|
+
out-of-scope.
|
|
50
|
+
|
|
51
|
+
## 3. Level-of-abstraction fit
|
|
52
|
+
|
|
53
|
+
Correct layer. The resolution happens once at the ingress (the route), and the guard consumes a narrow
|
|
54
|
+
hint — not a full relayContext (which would change grounding/history/persistence, convergence B2/M1).
|
|
55
|
+
The shared resolver is the right primitive: record and compare funnel through ONE derivation so they
|
|
56
|
+
cannot drift (the round-1 blocking self-bug was exactly such a drift — a `fingerprint`-only resolver
|
|
57
|
+
no-op'd on the live `publicKey`-only sagemind).
|
|
58
|
+
|
|
59
|
+
## 4. Signal vs authority compliance
|
|
60
|
+
|
|
61
|
+
**Required reference:** docs/signal-vs-authority.md
|
|
62
|
+
|
|
63
|
+
- [x] No — the hint is a signal to the guard's comparison; it has no block/allow authority of its own.
|
|
64
|
+
|
|
65
|
+
The guard's block/allow LOGIC is byte-for-byte unchanged; only the identifier handed to it differs. An
|
|
66
|
+
unresolved sender still isolates. No brittle blocking authority is added.
|
|
67
|
+
|
|
68
|
+
## 5. Interactions
|
|
69
|
+
|
|
70
|
+
- **Shadowing:** the hint is consumed at exactly ONE site — the anti-hijack `inboundFp` (verified:
|
|
71
|
+
`inboundFp`/`inboundName` referenced only at the 3 comparison/log lines). It cannot leak into
|
|
72
|
+
grounding-preamble injection, history depth, affinity (still `verified`-gated, untouched), or the
|
|
73
|
+
persisted `participants.peers` — those are gated on `relayContext` presence, and we pass `undefined`
|
|
74
|
+
for relayContext on the local path.
|
|
75
|
+
- **Double-fire / races:** none — pure per-message resolution from the existing `known-agents.json`.
|
|
76
|
+
- **Owner-record case:** the refactored recorder now lowercases the fingerprint (the resolver
|
|
77
|
+
lowercases); the inbound hint is also lowercased → consistent. Existing threads recorded before this
|
|
78
|
+
PR keep their stored owner; hex fingerprints are already lowercase, so existing lowercase-hex owners
|
|
79
|
+
still match (the incident owner `1db85f…` is lowercase). An existing owner stored in mixed case would
|
|
80
|
+
not match a lowercased hint — but it would have isolated before this fix too (inbound was a name), so
|
|
81
|
+
no regression.
|
|
82
|
+
|
|
83
|
+
## 6. External surfaces
|
|
84
|
+
|
|
85
|
+
- **Other agents / relay:** strictly improves A2A coherence — legitimate co-located replies resume
|
|
86
|
+
instead of being isolated into dead threads. Cross-machine relay path untouched (it already carries
|
|
87
|
+
the fingerprint).
|
|
88
|
+
- **No new route / config knob / dashboard / CLAUDE.md template.** Transparent correctness fix.
|
|
89
|
+
- **Persisted state:** no migration. The owner record now stores a lowercased fingerprint going forward
|
|
90
|
+
(was the same value, possibly mixed case); resolution is computed per-message from `known-agents.json`.
|
|
91
|
+
- **Authenticated cross-machine ingress** (`ThreadlineEndpoints.ts:429`) is deliberately NOT given the
|
|
92
|
+
TOFU name-hint (it's Ed25519-verified; `from.agent` is already a fingerprint) — verified by reading
|
|
93
|
+
the code (convergence round 2).
|
|
94
|
+
|
|
95
|
+
## 7. Rollback cost
|
|
96
|
+
|
|
97
|
+
Pure code change across one new file + two existing files. Rollback = revert the PR; the route stops
|
|
98
|
+
passing the hint and the owner-record reverts to the un-lowercased chain. No data migration, no agent
|
|
99
|
+
state repair, no user-visible regression during rollback.
|
|
100
|
+
|
|
101
|
+
---
|
|
102
|
+
|
|
103
|
+
## Conclusion
|
|
104
|
+
|
|
105
|
+
A focused, fail-safe ingress fix: a shared resolver (closing the publicKey-only no-op the convergence
|
|
106
|
+
caught), a narrow hint to the guard (avoiding the relayContext side effects the convergence caught), and
|
|
107
|
+
record/compare funneled through one derivation. The committed trust tradeoff is documented and bounded by
|
|
108
|
+
the unchanged token boundary. 23 new tests incl. the on-real-guard incident reproduction; 1710 existing
|
|
109
|
+
threadline tests unaffected; typecheck clean. High-risk classification (anti-hijack security surface)
|
|
110
|
+
triggers the Phase-5 second-pass review below.
|
|
111
|
+
|
|
112
|
+
---
|
|
113
|
+
|
|
114
|
+
## Second-pass review (if required)
|
|
115
|
+
|
|
116
|
+
**Reviewer:** independent reviewer subagent
|
|
117
|
+
**Independent read of the artifact: concur**
|
|
118
|
+
|
|
119
|
+
Code-grounded audit of all 7 areas. Confirmed: the hint is consumed at exactly ONE site (the
|
|
120
|
+
anti-hijack `inboundFp` fallback) and leaks into NOTHING else — grounding/history/affinity/participants
|
|
121
|
+
are all gated on `relayContext` presence, and the local path passes `relayContext = undefined`. Fail-safe
|
|
122
|
+
verified (`?? undefined` on miss → name fallback → isolate). The resolver's `publicKey[:32]` provably
|
|
123
|
+
equals `computeFingerprint` (`publicKey.subarray(0,16).toString('hex')`), so it derives the canonical
|
|
124
|
+
fingerprint, not an arbitrary truncation; the collision Set-rule correctly does not false-collide a
|
|
125
|
+
fingerprint + its publicKey twin. Lowercasing is value-preserving (known-agents fingerprints come from
|
|
126
|
+
`Buffer.toString('hex')` = always lowercase). No caller breaks. The "hint resumes" test genuinely REDs
|
|
127
|
+
on main (main ignores the 3rd arg → isolates) and passes on the branch.
|
|
128
|
+
|
|
129
|
+
Two MINOR non-blocking notes: (1) the implementation funneled the shared helper through the two
|
|
130
|
+
owner-record sites (the load-bearing record/compare consistency); the other outbound `[:32]` matching /
|
|
131
|
+
self-guard sites (`routes.ts` ~L17404/17418/17450, ThreadlineMCPServer ~L508/853) retain their
|
|
132
|
+
byte-identical inline `(… || '').toLowerCase()` chain — verified equivalent (they feed matching/self-guard,
|
|
133
|
+
not the owner record), so consistency is intact; a full DRY funnel is a tracked follow-up, not a
|
|
134
|
+
correctness gap. (2) `ThreadlineEndpoints.ts:429` (Ed25519-authenticated cross-machine ingress) is
|
|
135
|
+
correctly NOT given the TOFU hint. Clear to ship.
|