instar 1.3.462 → 1.3.464

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (51) hide show
  1. package/dist/commands/server.d.ts.map +1 -1
  2. package/dist/commands/server.js +43 -2
  3. package/dist/commands/server.js.map +1 -1
  4. package/dist/config/ConfigDefaults.d.ts.map +1 -1
  5. package/dist/config/ConfigDefaults.js +10 -0
  6. package/dist/config/ConfigDefaults.js.map +1 -1
  7. package/dist/core/types.d.ts +10 -0
  8. package/dist/core/types.d.ts.map +1 -1
  9. package/dist/core/types.js.map +1 -1
  10. package/dist/feedback-factory/cutoverReadiness.d.ts +34 -0
  11. package/dist/feedback-factory/cutoverReadiness.d.ts.map +1 -1
  12. package/dist/feedback-factory/cutoverReadiness.js +37 -0
  13. package/dist/feedback-factory/cutoverReadiness.js.map +1 -1
  14. package/dist/feedback-factory/migration/PersistedShadowImportTarget.d.ts +54 -0
  15. package/dist/feedback-factory/migration/PersistedShadowImportTarget.d.ts.map +1 -0
  16. package/dist/feedback-factory/migration/PersistedShadowImportTarget.js +121 -0
  17. package/dist/feedback-factory/migration/PersistedShadowImportTarget.js.map +1 -0
  18. package/dist/feedback-factory/migration/integrityPassRunner.d.ts +26 -0
  19. package/dist/feedback-factory/migration/integrityPassRunner.d.ts.map +1 -0
  20. package/dist/feedback-factory/migration/integrityPassRunner.js +83 -0
  21. package/dist/feedback-factory/migration/integrityPassRunner.js.map +1 -0
  22. package/dist/monitoring/ActiveWorkSilenceSentinel.d.ts +27 -2
  23. package/dist/monitoring/ActiveWorkSilenceSentinel.d.ts.map +1 -1
  24. package/dist/monitoring/ActiveWorkSilenceSentinel.js +50 -0
  25. package/dist/monitoring/ActiveWorkSilenceSentinel.js.map +1 -1
  26. package/dist/monitoring/SentinelNotifier.d.ts +1 -1
  27. package/dist/monitoring/SentinelNotifier.d.ts.map +1 -1
  28. package/dist/monitoring/SentinelNotifier.js.map +1 -1
  29. package/dist/monitoring/sentinelWiring.d.ts +8 -0
  30. package/dist/monitoring/sentinelWiring.d.ts.map +1 -1
  31. package/dist/monitoring/sentinelWiring.js +10 -0
  32. package/dist/monitoring/sentinelWiring.js.map +1 -1
  33. package/dist/server/AgentServer.d.ts.map +1 -1
  34. package/dist/server/AgentServer.js +49 -0
  35. package/dist/server/AgentServer.js.map +1 -1
  36. package/dist/server/CapabilityIndex.d.ts.map +1 -1
  37. package/dist/server/CapabilityIndex.js +1 -0
  38. package/dist/server/CapabilityIndex.js.map +1 -1
  39. package/dist/server/middleware.d.ts.map +1 -1
  40. package/dist/server/middleware.js +3 -0
  41. package/dist/server/middleware.js.map +1 -1
  42. package/dist/server/routes.d.ts.map +1 -1
  43. package/dist/server/routes.js +28 -0
  44. package/dist/server/routes.js.map +1 -1
  45. package/package.json +1 -1
  46. package/src/data/builtin-manifest.json +47 -47
  47. package/upgrades/1.3.463.md +27 -0
  48. package/upgrades/1.3.464.md +72 -0
  49. package/upgrades/eli16/integrity-leg-shadow-import.md +27 -0
  50. package/upgrades/side-effects/autoheal-silence-ladder.md +98 -0
  51. package/upgrades/side-effects/integrity-leg-shadow-import.md +35 -0
@@ -0,0 +1,35 @@
1
+ # Side-effects review — cutover integrity-pass wiring
2
+
3
+ ## The change
4
+
5
+ Wires the previously-unwired integrity leg of the cutover-readiness door. New surface:
6
+ - `POST /cutover-readiness/integrity-pass` (routes.ts) → `CutoverReadiness.runIntegrityPass()`.
7
+ - `runIntegrityImport` dep + closure (AgentServer) spawns `integrityPassRunner` as a child `node` process.
8
+ - `PersistedShadowImportTarget` — a durable JSONL-backed `ImportTarget`.
9
+ - Extended route budget (middleware) + capability-index entry.
10
+
11
+ ## Blast radius — what this can and cannot touch
12
+
13
+ - **It cannot mutate canonical data.** The import target is a throwaway on-disk shadow dir (`stateDir/state/cutover-integrity-shadow`), `dispose()`d after each pass. There is NO Portal/Prisma write path here. Read side is `GET /api/instar/read` only (read-only token).
14
+ - **It cannot accidentally green the irreversible cutover door.** The door greens only when `recordIntegrityReport` is called with a passing report, which happens ONLY on an explicit `POST /cutover-readiness/integrity-pass`. Shipping/merging/deploying this route does nothing until that trigger fires. The cutover flip itself remains the operator's manual click — there is still no fire-cutover route.
15
+ - **A failing pass is safe + honest.** A failing integrity report is recorded too (door reads closed) so the door reflects the LATEST real verdict, never a stale green. A pre-import abort (fingerprint collision → null report) records nothing and leaves prior state. A failed fetch records nothing (absence of evidence).
16
+
17
+ ## Concurrency + resource safety
18
+
19
+ - Shares `CutoverReadiness`'s single-flight `liveFetchInFlight` guard with parity-pass + import-dryrun — only one live source fetch at a time (the #948 lock-pileup guard). A concurrent integrity-pass is refused 409.
20
+ - The 145K-row fetch+import runs OFF the server event loop in a child process (the in-process import-dryrun budget-fails at 720s; #948). The child's internal fetch budget (600s) sits under `CutoverReadiness`'s 12-min max-hold backstop, which releases the lock if the child ever hangs; the child also carries an 11-min execFile wall-clock cap. Worst case is an orphaned child + a released lock, never a wedged server.
21
+ - Memory: `--max-old-space-size=4096` on the child; the shadow is JSONL on disk, not held in RAM beyond the readback.
22
+
23
+ ## Failure modes considered
24
+
25
+ - Child exits non-zero with a valid failing verdict on stdout → parsed + recorded (door flips closed), not treated as a crash. Only a no-verdict crash (exit 2 / killed) throws → 409, nothing recorded.
26
+ - No paritySource configured → `runIntegrityImport` is null → 409 "no import source configured" (verified by the e2e feature-alive test on the real AgentServer init path).
27
+ - Stale/torn integrity report on disk → `integrityStatus()` reads deny-safe (not passed).
28
+
29
+ ## Migration parity
30
+
31
+ No agent-installed file changes (no settings/hooks/CLAUDE.md template/config-default changes), so no `PostUpdateMigrator` entry is required. The route ships in server code and reaches existing agents on their normal server update. The new capability-index entry surfaces it to agents (Agent Awareness Standard).
32
+
33
+ ## Tests
34
+
35
+ Unit (PersistedShadowImportTarget + runIntegrityPass both-sides-of-boundary), integration (route greens-on-pass / flips-on-fail / 409-fetch-fail / 503-unavailable), e2e (route alive on real AgentServer init path). All green; tsc clean.