instar 1.3.536 โ†’ 1.3.538

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (67) hide show
  1. package/dist/commands/server.d.ts.map +1 -1
  2. package/dist/commands/server.js +107 -1
  3. package/dist/commands/server.js.map +1 -1
  4. package/dist/config/ConfigDefaults.d.ts.map +1 -1
  5. package/dist/config/ConfigDefaults.js +13 -0
  6. package/dist/config/ConfigDefaults.js.map +1 -1
  7. package/dist/core/CredentialLocationGate.d.ts +99 -0
  8. package/dist/core/CredentialLocationGate.d.ts.map +1 -0
  9. package/dist/core/CredentialLocationGate.js +127 -0
  10. package/dist/core/CredentialLocationGate.js.map +1 -0
  11. package/dist/core/CredentialSwapExecutor.d.ts +10 -0
  12. package/dist/core/CredentialSwapExecutor.d.ts.map +1 -1
  13. package/dist/core/CredentialSwapExecutor.js +19 -0
  14. package/dist/core/CredentialSwapExecutor.js.map +1 -1
  15. package/dist/core/InUseAccountResolver.d.ts +28 -1
  16. package/dist/core/InUseAccountResolver.d.ts.map +1 -1
  17. package/dist/core/InUseAccountResolver.js +34 -1
  18. package/dist/core/InUseAccountResolver.js.map +1 -1
  19. package/dist/core/QuotaPoller.d.ts +22 -0
  20. package/dist/core/QuotaPoller.d.ts.map +1 -1
  21. package/dist/core/QuotaPoller.js +42 -8
  22. package/dist/core/QuotaPoller.js.map +1 -1
  23. package/dist/core/SessionManager.d.ts +19 -0
  24. package/dist/core/SessionManager.d.ts.map +1 -1
  25. package/dist/core/SessionManager.js +37 -5
  26. package/dist/core/SessionManager.js.map +1 -1
  27. package/dist/core/WorkEvidence.d.ts +1 -1
  28. package/dist/core/WorkEvidence.d.ts.map +1 -1
  29. package/dist/core/WorkEvidence.js +7 -0
  30. package/dist/core/WorkEvidence.js.map +1 -1
  31. package/dist/core/devGatedFeatures.d.ts.map +1 -1
  32. package/dist/core/devGatedFeatures.js +6 -0
  33. package/dist/core/devGatedFeatures.js.map +1 -1
  34. package/dist/core/types.d.ts +27 -0
  35. package/dist/core/types.d.ts.map +1 -1
  36. package/dist/core/types.js.map +1 -1
  37. package/dist/core/worktreeDirtyCheck.d.ts +31 -0
  38. package/dist/core/worktreeDirtyCheck.d.ts.map +1 -0
  39. package/dist/core/worktreeDirtyCheck.js +129 -0
  40. package/dist/core/worktreeDirtyCheck.js.map +1 -0
  41. package/dist/monitoring/AccountSwitcher.d.ts.map +1 -1
  42. package/dist/monitoring/AccountSwitcher.js +12 -1
  43. package/dist/monitoring/AccountSwitcher.js.map +1 -1
  44. package/dist/monitoring/CredentialProvider.d.ts +32 -1
  45. package/dist/monitoring/CredentialProvider.d.ts.map +1 -1
  46. package/dist/monitoring/CredentialProvider.js +32 -2
  47. package/dist/monitoring/CredentialProvider.js.map +1 -1
  48. package/dist/monitoring/ResumeQueueDrainer.d.ts +6 -0
  49. package/dist/monitoring/ResumeQueueDrainer.d.ts.map +1 -1
  50. package/dist/monitoring/ResumeQueueDrainer.js +32 -2
  51. package/dist/monitoring/ResumeQueueDrainer.js.map +1 -1
  52. package/dist/monitoring/SessionReaper.d.ts +8 -0
  53. package/dist/monitoring/SessionReaper.d.ts.map +1 -1
  54. package/dist/monitoring/SessionReaper.js +18 -4
  55. package/dist/monitoring/SessionReaper.js.map +1 -1
  56. package/dist/scaffold/templates.d.ts.map +1 -1
  57. package/dist/scaffold/templates.js +1 -0
  58. package/dist/scaffold/templates.js.map +1 -1
  59. package/dist/server/routes.d.ts.map +1 -1
  60. package/dist/server/routes.js +15 -0
  61. package/dist/server/routes.js.map +1 -1
  62. package/package.json +1 -1
  63. package/src/data/builtin-manifest.json +47 -47
  64. package/src/scaffold/templates.ts +1 -0
  65. package/upgrades/1.3.538.md +51 -0
  66. package/upgrades/side-effects/build-session-yield-safety.md +58 -0
  67. package/upgrades/side-effects/ws52-step6-census-rerouting.md +143 -0
@@ -1 +1 @@
1
- {"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../src/commands/server.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAgCH,OAAO,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAC;AAS3D,OAAO,EAAE,eAAe,EAAiC,MAAM,iCAAiC,CAAC;AAuBjG,OAAO,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAC;AAGvD,OAAO,EAAE,YAAY,EAAE,MAAM,+BAA+B,CAAC;AAiH7D,OAAO,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AAsBtD;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,yBAAyB,CACvC,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,EACf,gBAAgB,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAC1C,OAAO,CAUT;AAyID,UAAU,YAAY;IACpB,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb;2DACuD;IACvD,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AAm3CD,wBAAgB,mBAAmB,CACjC,QAAQ,EAAE,eAAe,EACzB,cAAc,EAAE,cAAc,EAC9B,YAAY,CAAC,EAAE,YAAY,EAC3B,WAAW,CAAC,EAAE,WAAW,EACzB,WAAW,CAAC,EAAE,WAAW,EACzB,iBAAiB,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,OAAO,CAAC,EAGvE,UAAU,CAAC,EAAE,MAAM,OAAO,8BAA8B,EAAE,WAAW,GAAG,IAAI,EAK5E,qBAAqB,CAAC,EAAE,MAAM,OAAO,gCAAgC,EAAE,kBAAkB,GAAG,IAAI,EAKhG,mBAAmB,CAAC,EAAE,MAAM,MAAM,GAAG,IAAI,GAAG,SAAS,GACpD,IAAI,CA8eN;AA2lBD,wBAAsB,WAAW,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CAo1atE;AAED,wBAAsB,UAAU,CAAC,OAAO,EAAE;IAAE,GAAG,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAsDzE;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,aAAa,CAAC,OAAO,EAAE;IAAE,GAAG,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAuD5E"}
1
+ {"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../src/commands/server.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAgCH,OAAO,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAC;AAS3D,OAAO,EAAE,eAAe,EAAiC,MAAM,iCAAiC,CAAC;AAuBjG,OAAO,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAC;AAGvD,OAAO,EAAE,YAAY,EAAE,MAAM,+BAA+B,CAAC;AAiH7D,OAAO,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AAsBtD;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,yBAAyB,CACvC,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,EACf,gBAAgB,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAC1C,OAAO,CAUT;AAyID,UAAU,YAAY;IACpB,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb;2DACuD;IACvD,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AAm3CD,wBAAgB,mBAAmB,CACjC,QAAQ,EAAE,eAAe,EACzB,cAAc,EAAE,cAAc,EAC9B,YAAY,CAAC,EAAE,YAAY,EAC3B,WAAW,CAAC,EAAE,WAAW,EACzB,WAAW,CAAC,EAAE,WAAW,EACzB,iBAAiB,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,OAAO,CAAC,EAGvE,UAAU,CAAC,EAAE,MAAM,OAAO,8BAA8B,EAAE,WAAW,GAAG,IAAI,EAK5E,qBAAqB,CAAC,EAAE,MAAM,OAAO,gCAAgC,EAAE,kBAAkB,GAAG,IAAI,EAKhG,mBAAmB,CAAC,EAAE,MAAM,MAAM,GAAG,IAAI,GAAG,SAAS,GACpD,IAAI,CA8eN;AA2lBD,wBAAsB,WAAW,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CA67atE;AAED,wBAAsB,UAAU,CAAC,OAAO,EAAE;IAAE,GAAG,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAsDzE;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,aAAa,CAAC,OAAO,EAAE;IAAE,GAAG,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAuD5E"}
@@ -6223,6 +6223,33 @@ export async function startServer(options) {
6223
6223
  return;
6224
6224
  notify('SUMMARY', 'session-resume', `๐Ÿ” I restarted this session to pick the work back up after it was shut down mid-work.`, entry.topicId);
6225
6225
  },
6226
+ // Build-Session Yield Safety (ACT-839) R2.2: present ONLY when the
6227
+ // dev-gated feature is live (its presence is the gate). Registers a
6228
+ // durable, beacon-enabled obligation so a STALLED revived session is
6229
+ // re-surfaced by PromiseBeacon; deduped per stableKey so a re-revival
6230
+ // refreshes rather than floods. The die-again case is covered by the
6231
+ // dev-live OrphanedWorkSentinel (#1113) โ€” no duplicate scanner here.
6232
+ onWorktreeRevival: resolveDevAgentGate(config.monitoring?.yieldSafety?.enabled, config)
6233
+ ? (entry) => {
6234
+ if (!commitmentTracker || entry.topicId == null)
6235
+ return;
6236
+ const externalKey = `yield-safety:${entry.stableKey}`;
6237
+ try {
6238
+ if (commitmentTracker.getActive().some((c) => c.externalKey === externalKey))
6239
+ return; // dedup
6240
+ commitmentTracker.record({
6241
+ type: 'one-time-action',
6242
+ topicId: entry.topicId,
6243
+ source: 'sentinel',
6244
+ beaconEnabled: true,
6245
+ externalKey,
6246
+ userRequest: 'Session revived because its worktree held uncommitted work (ACT-839 yield-safety).',
6247
+ agentResponse: 'Commit the uncommitted worktree changes with a real, descriptive commit, or deliberately preserve/discard them, before yielding again.',
6248
+ });
6249
+ }
6250
+ catch { /* @silent-fallback-ok: best-effort obligation registration; a CommitmentTracker failure must never endanger the revival. */ }
6251
+ }
6252
+ : undefined,
6226
6253
  raiseAggregated: raiseResumeAggregated,
6227
6254
  audit: auditResumeQueue,
6228
6255
  tier1Check: async (entry) => {
@@ -8488,6 +8515,60 @@ export async function startServer(options) {
8488
8515
  if (subscriptionPool.size() > 0) {
8489
8516
  console.log(pc.green(` Subscription pool: ${subscriptionPool.size()} account(s) registered`));
8490
8517
  }
8518
+ // โ”€โ”€ Live credential re-pointing โ€” census consumer re-routing (WS5.2 Step 6) โ”€โ”€
8519
+ // The CredentialLocationLedger is the machine-local source of truth for "which account is in
8520
+ // which config-home slot" once re-pointing is enabled. The CredentialLocationGate re-routes
8521
+ // the ยง2.2 census consumers (quota poll, spawn placement, in-use badge) through it. Ships DARK:
8522
+ // the gate reads `subscriptionPool.credentialRepointing.enabled` LIVE per call โ€” with the flag
8523
+ // off (always, while dark) every gate read returns the enrollment-home fallback, so every
8524
+ // consumer is byte-for-byte today's behavior. A never-seeded ledger is the same fallback (back-
8525
+ // compat); only UNKNOWN mode (corrupt on-disk) raises a HIGH attention item, never throws.
8526
+ const { CredentialLocationLedger } = await import('../core/CredentialLocationLedger.js');
8527
+ const { CredentialIdentityOracle } = await import('../core/CredentialIdentityOracle.js');
8528
+ const { CredentialLocationGate } = await import('../core/CredentialLocationGate.js');
8529
+ const credentialGateEmitAttention = telegram
8530
+ ? (item) => void telegram.createAttentionItem({
8531
+ id: item.id,
8532
+ title: item.title,
8533
+ summary: item.summary,
8534
+ description: item.description,
8535
+ category: item.category,
8536
+ priority: item.priority,
8537
+ sourceContext: item.sourceContext,
8538
+ })
8539
+ : undefined;
8540
+ const credentialLocationLedger = new CredentialLocationLedger({
8541
+ stateDir: config.stateDir,
8542
+ pool: subscriptionPool,
8543
+ oracle: new CredentialIdentityOracle(),
8544
+ emitAttention: credentialGateEmitAttention,
8545
+ });
8546
+ const credentialLocationGate = new CredentialLocationGate({
8547
+ // Live flag read โ€” a restartless config flip is honored on the next read.
8548
+ isEnabled: () => config.subscriptionPool?.credentialRepointing?.enabled === true,
8549
+ ledger: credentialLocationLedger,
8550
+ emitAttention: credentialGateEmitAttention,
8551
+ });
8552
+ // Census #9: the manager-level competing-writer refusal gate. Installed process-wide so
8553
+ // AccountSwitcher / `/switch-account` / autoMigrate refuse a write to a repointing-owned slot
8554
+ // at the funnel chokepoint, not just on a route. Refuses ONLY when re-pointing is enabled AND
8555
+ // the ledger holds a tenant for the (canonicalized) slot.
8556
+ const { setCredentialWriteRefusalGate } = await import('../monitoring/CredentialProvider.js');
8557
+ const { credentialSlotKey: canonicalizeSlot } = await import('../core/OAuthRefresher.js');
8558
+ setCredentialWriteRefusalGate({
8559
+ shouldRefuse: (canonicalSlot) => {
8560
+ if (config.subscriptionPool?.credentialRepointing?.enabled !== true)
8561
+ return false;
8562
+ // The funnel passes a canonicalized slot key, but the ledger stores raw enrollment-home
8563
+ // spellings (`~/.claude`, an enrollment path). Compare canonical-to-canonical so a
8564
+ // repointing-owned slot is recognized regardless of spelling.
8565
+ return credentialLocationLedger
8566
+ .getAssignments()
8567
+ .some((a) => !!a.accountId && canonicalizeSlot(a.slot) === canonicalSlot);
8568
+ },
8569
+ });
8570
+ // Census #5/#6: spawn placement resolves a pinned account's home through the gate (no-op dark).
8571
+ sessionManager.setCredentialLocationGate(credentialLocationGate);
8491
8572
  // QuotaPoller โ€” per-account live quota reader (P1.2 of the Subscription &
8492
8573
  // Auth Standard). Reads each account's 5h/weekly utilization + reset dates
8493
8574
  // via the OAuth usage endpoint (transient per-account token, never persisted)
@@ -8499,6 +8580,8 @@ export async function startServer(options) {
8499
8580
  const quotaPoller = new QuotaPoller({
8500
8581
  pool: subscriptionPool,
8501
8582
  logger: { log: (m) => console.log(m), warn: (m) => console.warn(m) },
8583
+ // Census #1โ€“#4: resolve each account's LIVE slot through the ledger (no-op while dark).
8584
+ locationGate: credentialLocationGate,
8502
8585
  });
8503
8586
  if (subscriptionPool.size() > 0) {
8504
8587
  quotaPoller.start();
@@ -8508,7 +8591,9 @@ export async function startServer(options) {
8508
8591
  // right now" for the dashboard "in use" badge (read-only; cached probe of
8509
8592
  // `claude auth status`). One shared instance so the TTL cache is honored.
8510
8593
  const { InUseAccountResolver } = await import('../core/InUseAccountResolver.js');
8511
- const inUseAccountResolver = new InUseAccountResolver({});
8594
+ // Census #8 (the E4a liar): when re-pointing is enabled and the ledger knows the `~/.claude`
8595
+ // tenant, the badge resolves from the ledger โ€” NOT a stale `claude auth status` re-probe.
8596
+ const inUseAccountResolver = new InUseAccountResolver({ locationGate: credentialLocationGate });
8512
8597
  // EnrollmentWizard โ€” mobile-first new-account login (P2.1 of the Subscription
8513
8598
  // & Auth Standard). Dark with the pool: the /subscription-pool/enroll routes
8514
8599
  // do nothing until an operator starts an enrollment. The login driver reuses
@@ -11948,8 +12033,29 @@ export async function startServer(options) {
11948
12033
  }
11949
12034
  // (setAwakeChecker is wired earlier, before the boot purge, so the purge is
11950
12035
  // lease-gated โ€” see the ยงP3/ยงP4 block above.)
12036
+ // Build-Session Yield Safety (ACT-839): construct the bounded, cached
12037
+ // worktreeDirtyCheck and inject it into the reaper ONLY when the dev-gated
12038
+ // yieldSafety feature is live (its mere presence is the gate). Dev-enabled,
12039
+ // dark on the fleet, per the Maturation Path standard.
12040
+ let _yieldSafetyDirtyCheck;
12041
+ if (resolveDevAgentGate(config.monitoring?.yieldSafety?.enabled, config)) {
12042
+ const ysCfg = config.monitoring?.yieldSafety ?? {};
12043
+ const { makeWorktreeDirtyCheck } = await import('../core/worktreeDirtyCheck.js');
12044
+ const { SafeGitExecutor } = await import('../core/SafeGitExecutor.js');
12045
+ _yieldSafetyDirtyCheck = makeWorktreeDirtyCheck({
12046
+ readGit: (args, cwd) => SafeGitExecutor.readSync(args, {
12047
+ cwd, encoding: 'utf-8',
12048
+ timeout: ysCfg.dirtyCheckTimeoutMs ?? 5_000,
12049
+ operation: 'src/core/worktreeDirtyCheck.ts (yield-safety)',
12050
+ sourceTreeReadOk: true,
12051
+ sourceTreeWorktreeManagerOk: true,
12052
+ }),
12053
+ config: { residueDenylist: ysCfg.residueDenylist, cacheTtlMs: ysCfg.dirtyCheckCacheTtlMs },
12054
+ });
12055
+ }
11951
12056
  const sessionReaper = new SessionReaper({
11952
12057
  ...reapGuardDeps,
12058
+ dirtyCheck: _yieldSafetyDirtyCheck,
11953
12059
  listRunningSessions: () => sessionManager.listRunningSessions(),
11954
12060
  captureOutput: (s, n) => sessionManager.captureOutput(s, n) ?? '',
11955
12061
  frameworkForSession: (s) => sessionManager.frameworkForSession(s),