instar 1.3.536 → 1.3.538

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (67) hide show
  1. package/dist/commands/server.d.ts.map +1 -1
  2. package/dist/commands/server.js +107 -1
  3. package/dist/commands/server.js.map +1 -1
  4. package/dist/config/ConfigDefaults.d.ts.map +1 -1
  5. package/dist/config/ConfigDefaults.js +13 -0
  6. package/dist/config/ConfigDefaults.js.map +1 -1
  7. package/dist/core/CredentialLocationGate.d.ts +99 -0
  8. package/dist/core/CredentialLocationGate.d.ts.map +1 -0
  9. package/dist/core/CredentialLocationGate.js +127 -0
  10. package/dist/core/CredentialLocationGate.js.map +1 -0
  11. package/dist/core/CredentialSwapExecutor.d.ts +10 -0
  12. package/dist/core/CredentialSwapExecutor.d.ts.map +1 -1
  13. package/dist/core/CredentialSwapExecutor.js +19 -0
  14. package/dist/core/CredentialSwapExecutor.js.map +1 -1
  15. package/dist/core/InUseAccountResolver.d.ts +28 -1
  16. package/dist/core/InUseAccountResolver.d.ts.map +1 -1
  17. package/dist/core/InUseAccountResolver.js +34 -1
  18. package/dist/core/InUseAccountResolver.js.map +1 -1
  19. package/dist/core/QuotaPoller.d.ts +22 -0
  20. package/dist/core/QuotaPoller.d.ts.map +1 -1
  21. package/dist/core/QuotaPoller.js +42 -8
  22. package/dist/core/QuotaPoller.js.map +1 -1
  23. package/dist/core/SessionManager.d.ts +19 -0
  24. package/dist/core/SessionManager.d.ts.map +1 -1
  25. package/dist/core/SessionManager.js +37 -5
  26. package/dist/core/SessionManager.js.map +1 -1
  27. package/dist/core/WorkEvidence.d.ts +1 -1
  28. package/dist/core/WorkEvidence.d.ts.map +1 -1
  29. package/dist/core/WorkEvidence.js +7 -0
  30. package/dist/core/WorkEvidence.js.map +1 -1
  31. package/dist/core/devGatedFeatures.d.ts.map +1 -1
  32. package/dist/core/devGatedFeatures.js +6 -0
  33. package/dist/core/devGatedFeatures.js.map +1 -1
  34. package/dist/core/types.d.ts +27 -0
  35. package/dist/core/types.d.ts.map +1 -1
  36. package/dist/core/types.js.map +1 -1
  37. package/dist/core/worktreeDirtyCheck.d.ts +31 -0
  38. package/dist/core/worktreeDirtyCheck.d.ts.map +1 -0
  39. package/dist/core/worktreeDirtyCheck.js +129 -0
  40. package/dist/core/worktreeDirtyCheck.js.map +1 -0
  41. package/dist/monitoring/AccountSwitcher.d.ts.map +1 -1
  42. package/dist/monitoring/AccountSwitcher.js +12 -1
  43. package/dist/monitoring/AccountSwitcher.js.map +1 -1
  44. package/dist/monitoring/CredentialProvider.d.ts +32 -1
  45. package/dist/monitoring/CredentialProvider.d.ts.map +1 -1
  46. package/dist/monitoring/CredentialProvider.js +32 -2
  47. package/dist/monitoring/CredentialProvider.js.map +1 -1
  48. package/dist/monitoring/ResumeQueueDrainer.d.ts +6 -0
  49. package/dist/monitoring/ResumeQueueDrainer.d.ts.map +1 -1
  50. package/dist/monitoring/ResumeQueueDrainer.js +32 -2
  51. package/dist/monitoring/ResumeQueueDrainer.js.map +1 -1
  52. package/dist/monitoring/SessionReaper.d.ts +8 -0
  53. package/dist/monitoring/SessionReaper.d.ts.map +1 -1
  54. package/dist/monitoring/SessionReaper.js +18 -4
  55. package/dist/monitoring/SessionReaper.js.map +1 -1
  56. package/dist/scaffold/templates.d.ts.map +1 -1
  57. package/dist/scaffold/templates.js +1 -0
  58. package/dist/scaffold/templates.js.map +1 -1
  59. package/dist/server/routes.d.ts.map +1 -1
  60. package/dist/server/routes.js +15 -0
  61. package/dist/server/routes.js.map +1 -1
  62. package/package.json +1 -1
  63. package/src/data/builtin-manifest.json +47 -47
  64. package/src/scaffold/templates.ts +1 -0
  65. package/upgrades/1.3.538.md +51 -0
  66. package/upgrades/side-effects/build-session-yield-safety.md +58 -0
  67. package/upgrades/side-effects/ws52-step6-census-rerouting.md +143 -0
@@ -0,0 +1,143 @@
1
+ # Side-Effects Review — WS5.2 Step 6: census consumer re-routing (live credential re-pointing, dark)
2
+
3
+ **Version / slug:** `ws52-step6-census-rerouting`
4
+ **Date:** `2026-06-13`
5
+ **Author:** `Echo`
6
+ **Second-pass reviewer:** `4-adversarial-lens self-review (folded as named tests)`
7
+
8
+ ## Summary of the change
9
+
10
+ Step 6 of live credential re-pointing (spec §2.2). Every place in the live code that today treats a
11
+ pool account's enrollment `configHome` as the LIVE location of its credential is re-routed through a
12
+ single new chokepoint, `CredentialLocationGate`, which reads the `CredentialLocationLedger` (Steps
13
+ 1–5, merged). The gate is FLAG-GATED on the EXISTING `subscriptionPool.credentialRepointing.enabled`
14
+ (no new config flag → the dark-gate line-map is UNCHANGED), back-compat-on-unknown (a never-seeded /
15
+ UNKNOWN ledger falls back to today's enrollment-home behavior), and fail-open-loud (an UNKNOWN-mode
16
+ read returns the fallback + ONE HIGH attention, never throws into a hot path). Files touched:
17
+ `src/core/CredentialLocationGate.ts` (new), `src/core/QuotaPoller.ts` (census #1–#4),
18
+ `src/core/InUseAccountResolver.ts` (census #8, the E4a liar), `src/core/SessionManager.ts` (census
19
+ #5/#6 spawn placement), `src/monitoring/CredentialProvider.ts` (census #9 manager-level refusal gate),
20
+ `src/monitoring/AccountSwitcher.ts` (surfaces the #9 refusal cleanly),
21
+ `src/core/CredentialSwapExecutor.ts` (an `onSlotsChanged` commit hook for the #8 cache-bust),
22
+ `src/server/routes.ts` (census #10/#11 PATCH configHome → 409), `src/commands/server.ts` (the wiring
23
+ chain: ledger + gate + consumers + the process-shared refusal gate).
24
+
25
+ ## Decision-point inventory
26
+
27
+ - `CredentialLocationGate.slotForAccount/tenantForSlot` — add — the single re-route chokepoint; flag-gated, back-compat-on-unknown, fail-open-loud.
28
+ - `QuotaPoller.accountForReads` — add — resolves each account's live slot for token read / 401-refresh / needs-reauth; email auto-patch SUPPRESSED while enabled.
29
+ - `InUseAccountResolver.resolve` — modify — when enabled + ledger-known, resolves the default badge from the ledger instead of a `claude auth status` re-probe; `bustCache()` added.
30
+ - `SessionManager.resolvePinnedSpawnHome` — add — a pinned account's spawn home resolves through the ledger; an explicit caller home (account-swap path) still wins.
31
+ - `writeCredentialsSerialized` refusal gate — add — a manager-level competing-writer refusal at the funnel chokepoint (not only the route).
32
+ - `PATCH /subscription-pool/:id` configHome — modify — refused 409 while enabled.
33
+ - `CredentialSwapExecutor.onSlotsChanged` — add — a best-effort commit hook that busts the in-use badge on a default-slot swap.
34
+
35
+ ---
36
+
37
+ ## 1. Over-block
38
+
39
+ The only block surfaces are: (a) the PATCH-409 on `configHome` — refuses ONLY when the flag is
40
+ enabled (always off while dark), and ONLY the `configHome` field (every other field still PATCHes);
41
+ (b) the manager-level competing-writer refusal — refuses ONLY when the flag is enabled AND the ledger
42
+ holds a tenant for the (canonicalized) slot. A legitimate switch to a slot the ledger does NOT own is
43
+ not refused. With the flag off (the shipped dark state) neither block fires: no over-block surface
44
+ exists in the shipped configuration.
45
+
46
+ ---
47
+
48
+ ## 2. Under-block
49
+
50
+ The competing-writer refusal keys on "the ledger holds a tenant for this canonical slot." If a writer
51
+ targets a slot the ledger has never recorded (a brand-new enrollment home not yet seeded), it is NOT
52
+ refused — but that slot is not repointing-owned, so writing it cannot clobber a ledger tenant; this is
53
+ correct back-compat, not an under-block. The refusal is at the SOLE manager funnel
54
+ (`writeCredentialsSerialized`), so a non-route caller cannot dodge it — the spec §2.7 "every item a
55
+ unique source dodge" is closed by construction.
56
+
57
+ ---
58
+
59
+ ## 3. Level-of-abstraction fit
60
+
61
+ `CredentialLocationGate` is a thin DETECTOR/router (sync in-memory ledger read + a flag check), not an
62
+ authority — it never decides policy, it answers "where does account X live now?" The single authority
63
+ in the change is the manager-level refusal, which is a deterministic ownership check (does the ledger
64
+ own this slot?) — the correct altitude per spec §2.7 (manager chokepoint, not a brittle route guard).
65
+ The gate FEEDS the existing consumers; it does not run parallel to them. The ledger (Step 2) is the
66
+ lower-level primitive the gate USES; nothing is re-implemented.
67
+
68
+ ---
69
+
70
+ ## 4. Signal vs authority compliance
71
+
72
+ **Reference:** docs/signal-vs-authority.md
73
+
74
+ - [x] No — the re-routing reads are SIGNAL (advisory location resolution feeding existing consumers);
75
+ the two block surfaces (PATCH-409, competing-writer refusal) are deterministic OWNERSHIP checks
76
+ over durable ledger state, not brittle heuristics — they have full structural context (the
77
+ ledger is the single source of truth), so they are smart-gate-equivalent, not brittle detectors.
78
+
79
+ The gate reads never own block authority: an UNKNOWN-mode read fails OPEN (returns the enrollment
80
+ fallback + an attention item), so a corrupt ledger degrades to today's behavior, never blocks a poll
81
+ or a spawn.
82
+
83
+ ---
84
+
85
+ ## 5. Interactions
86
+
87
+ - **Shadowing:** the PATCH-409 runs BEFORE `subscriptionPool.update` in `/subscription-pool/:id` — when it fires the update never runs (intended; the field-edit must not land). Other fields are unaffected. The competing-writer refusal runs BEFORE the funnel lock in `writeCredentialsSerialized` — when it fires no lock is taken and no write occurs (intended, non-destructive).
88
+ - **Double-fire:** the swap-commit `onSlotsChanged` fires exactly once per committed swap; it is best-effort and a throwing consumer is swallowed (the commit is the load-bearing op and is never rolled back by a cache-bust failure — proven by a named test).
89
+ - **Races:** the gate reads are sync in-memory (no shared mutable state); the refusal gate reads the ledger's in-memory assignments (single-writer process). The InUseAccountResolver cache-bust is idempotent.
90
+ - **Feedback loops:** the email auto-patch SUPPRESSION removes a feedback loop that previously cross-contaminated pool emails after a swap (spec §2.2 #3) — a net REDUCTION in a feedback path.
91
+
92
+ ---
93
+
94
+ ## 6. External surfaces
95
+
96
+ - **Other agents on the same machine:** none — the ledger/gate are per-machine and read-only over the local ledger.
97
+ - **Install base:** none while dark (flag off → byte-identical behavior; proven by the E2E strict-no-op test + per-consumer flag-off unit tests).
98
+ - **External systems:** none — no new network calls; the gate is a pure in-memory read-router.
99
+ - **Persistent state:** reads the existing `state/credential-locations.json` (Step 2); writes nothing new (Step 6 is read re-routing + two refusal surfaces — neither adds a credential write; the `lint-no-unfunneled-credential-write` lint is clean).
100
+ - **Operator surface:** the PATCH-409 changes a `/subscription-pool/:id` response (409 with a plain-English message pointing at `POST /credentials/set-default`) ONLY when the flag is enabled. The AccountSwitcher refusal returns a `SwitchResult` with a plain-English message — phone-surfaced via the existing `/switch-account` Telegram command path. No new operator-only API action is introduced.
101
+
102
+ ## 6b. Operator-surface quality
103
+
104
+ No operator surface (no dashboard renderer / approval page / grant form) is added or touched — the
105
+ dashboard Subscriptions-tab `/credentials/locations` fetch is census #11, which Step 7 owns per the
106
+ build plan §6/§7 sequencing. Not applicable to this step.
107
+
108
+ ---
109
+
110
+ ## 7. Multi-machine posture (Cross-Machine Coherence)
111
+
112
+ **machine-local BY DESIGN.** The reason it SHOULD differ per machine: each machine's
113
+ `CredentialLocationLedger` is the truth for ITS OWN slots (`SubscriptionPool` decision 1A —
114
+ per-machine enrollment = independent grant lineages). An N-machine pool has N independent ledgers and
115
+ this step adds NO cross-machine read. A swap on machine A never needs to bust machine B's in-use cache
116
+ (B's `~/.claude` is a different physical slot with a different credential). Degrades safely:
117
+ ledger-unknown on any machine → that machine shows today's (re-probed) badge / enrollment-home reads.
118
+ No user-facing notice is emitted by the re-routing (the only notice is the UNKNOWN-mode HIGH attention,
119
+ which is a per-machine local degradation surface — correct as machine-local). No durable cross-machine
120
+ state is created; no URLs are generated. (Phase C of the build prompt, answered explicitly.)
121
+
122
+ ---
123
+
124
+ ## Rollback
125
+
126
+ Pure dark-ship: the feature is gated on `subscriptionPool.credentialRepointing.enabled` (default
127
+ false). With the flag off — the only shipped state — every census consumer is byte-for-byte today's
128
+ behavior, the refusal gate refuses nothing, the PATCH-409 never fires. To roll back the code entirely,
129
+ revert this commit; nothing persists (no migration, no new state file — the ledger file predates this
130
+ step). No two-flag flip is part of this step.
131
+
132
+ ## 4-adversarial-lens verdict
133
+
134
+ 1. **E4a-liar resurrection (THE blocker) — PASS.** `InUseAccountResolver` does NOT re-probe `claude auth status` for the default badge when enabled + ledger-known; it reads `ledger.tenantOf('~/.claude')`. `bustCache()` clears the cache, fired at swap-commit by `onSlotsChanged` for any `~/.claude` swap. Named tests: "resolves from the ledger, NEVER re-probes auth status" (`probe` spy asserted `.not.toHaveBeenCalled()`) + "bustCache clears a cached probe result" + the E2E flag-on `probeCalls() === 0`.
135
+ 2. **Competing-writer clobber — PASS.** The refusal lives at the MANAGER (`writeCredentialsSerialized`), before the funnel lock; a non-route caller inherits it. Named tests: "REFUSES at the manager when the slot is repointing-owned (no write occurs)" + AccountSwitcher "REFUSES the switch (no write) … active account unchanged."
136
+ 3. **Hot-path safety — PASS.** A ledger UNKNOWN-mode read returns the enrollment fallback + ONE deduped HIGH attention, never throws. Named tests: "UNKNOWN mode → fallback + ONE deduped HIGH attention, never throws" + "a THROWING attention emitter never escapes the read."
137
+ 4. **Dark-ship inertness — PASS.** Flag off → every consumer byte-for-byte today. Named tests: the per-consumer flag-OFF unit tests (every census row) + the E2E "FLAG OFF: the full wiring is alive AND strictly inert" (in-use re-probes, quota reads enrollment home, PATCH allowed).
138
+
139
+ ## Test tiers
140
+
141
+ - Unit: `tests/unit/credential-location-gate.test.ts` (19), additions to `credential-swap-executor.test.ts` (#8 cache-bust + throw-safety), `interactive-session-pin.test.ts` (#6 spawn re-route ×3), `account-switcher-provider.test.ts` (#9 refusal ×2).
142
+ - Integration: `tests/integration/credential-repointing-census-routes.test.ts` (PATCH-409 live, flag-off 200, non-configHome field still PATCHes).
143
+ - E2E: `tests/e2e/credential-repointing-census-lifecycle.test.ts` (feature-alive: flag-off strict no-op end-to-end + flag-on ledger short-circuit).