instar 1.3.537 → 1.3.538

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (38) hide show
  1. package/dist/commands/server.d.ts.map +1 -1
  2. package/dist/commands/server.js +59 -1
  3. package/dist/commands/server.js.map +1 -1
  4. package/dist/core/CredentialLocationGate.d.ts +99 -0
  5. package/dist/core/CredentialLocationGate.d.ts.map +1 -0
  6. package/dist/core/CredentialLocationGate.js +127 -0
  7. package/dist/core/CredentialLocationGate.js.map +1 -0
  8. package/dist/core/CredentialSwapExecutor.d.ts +10 -0
  9. package/dist/core/CredentialSwapExecutor.d.ts.map +1 -1
  10. package/dist/core/CredentialSwapExecutor.js +19 -0
  11. package/dist/core/CredentialSwapExecutor.js.map +1 -1
  12. package/dist/core/InUseAccountResolver.d.ts +28 -1
  13. package/dist/core/InUseAccountResolver.d.ts.map +1 -1
  14. package/dist/core/InUseAccountResolver.js +34 -1
  15. package/dist/core/InUseAccountResolver.js.map +1 -1
  16. package/dist/core/QuotaPoller.d.ts +22 -0
  17. package/dist/core/QuotaPoller.d.ts.map +1 -1
  18. package/dist/core/QuotaPoller.js +42 -8
  19. package/dist/core/QuotaPoller.js.map +1 -1
  20. package/dist/core/SessionManager.d.ts +19 -0
  21. package/dist/core/SessionManager.d.ts.map +1 -1
  22. package/dist/core/SessionManager.js +37 -5
  23. package/dist/core/SessionManager.js.map +1 -1
  24. package/dist/monitoring/AccountSwitcher.d.ts.map +1 -1
  25. package/dist/monitoring/AccountSwitcher.js +12 -1
  26. package/dist/monitoring/AccountSwitcher.js.map +1 -1
  27. package/dist/monitoring/CredentialProvider.d.ts +32 -1
  28. package/dist/monitoring/CredentialProvider.d.ts.map +1 -1
  29. package/dist/monitoring/CredentialProvider.js +32 -2
  30. package/dist/monitoring/CredentialProvider.js.map +1 -1
  31. package/dist/server/routes.d.ts.map +1 -1
  32. package/dist/server/routes.js +15 -0
  33. package/dist/server/routes.js.map +1 -1
  34. package/package.json +1 -1
  35. package/src/data/builtin-manifest.json +47 -47
  36. package/upgrades/1.3.538.md +51 -0
  37. package/upgrades/side-effects/ws52-step6-census-rerouting.md +143 -0
  38. package/upgrades/1.3.537.md +0 -27
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "instar",
3
- "version": "1.3.537",
3
+ "version": "1.3.538",
4
4
  "description": "Coherence infrastructure for self-evolving AI agents — on the Claude Code or Codex subscription you already have.",
5
5
  "type": "module",
6
6
  "main": "dist/index.js",
@@ -1,8 +1,8 @@
1
1
  {
2
2
  "$schema": "./builtin-manifest.schema.json",
3
3
  "schemaVersion": 1,
4
- "generatedAt": "2026-06-13T20:04:42.567Z",
5
- "instarVersion": "1.3.537",
4
+ "generatedAt": "2026-06-13T20:08:21.445Z",
5
+ "instarVersion": "1.3.538",
6
6
  "entryCount": 201,
7
7
  "entries": {
8
8
  "hook:session-start": {
@@ -418,7 +418,7 @@
418
418
  "type": "route-group",
419
419
  "domain": "monitoring",
420
420
  "sourcePath": "src/server/routes.ts",
421
- "contentHash": "4d92fe68ea368764c5d14cc9020ce71deed8b5e407776443186ab2cdcd908d61",
421
+ "contentHash": "f74833db7b0f1aa8bb9af7e23a789462915024158adbadaceb1c06e891b447dd",
422
422
  "since": "2025-01-01"
423
423
  },
424
424
  "route-group:agents": {
@@ -426,7 +426,7 @@
426
426
  "type": "route-group",
427
427
  "domain": "sessions",
428
428
  "sourcePath": "src/server/routes.ts",
429
- "contentHash": "4d92fe68ea368764c5d14cc9020ce71deed8b5e407776443186ab2cdcd908d61",
429
+ "contentHash": "f74833db7b0f1aa8bb9af7e23a789462915024158adbadaceb1c06e891b447dd",
430
430
  "since": "2025-01-01"
431
431
  },
432
432
  "route-group:backups": {
@@ -434,7 +434,7 @@
434
434
  "type": "route-group",
435
435
  "domain": "operations",
436
436
  "sourcePath": "src/server/routes.ts",
437
- "contentHash": "4d92fe68ea368764c5d14cc9020ce71deed8b5e407776443186ab2cdcd908d61",
437
+ "contentHash": "f74833db7b0f1aa8bb9af7e23a789462915024158adbadaceb1c06e891b447dd",
438
438
  "since": "2025-01-01"
439
439
  },
440
440
  "route-group:git": {
@@ -442,7 +442,7 @@
442
442
  "type": "route-group",
443
443
  "domain": "coordination",
444
444
  "sourcePath": "src/server/routes.ts",
445
- "contentHash": "4d92fe68ea368764c5d14cc9020ce71deed8b5e407776443186ab2cdcd908d61",
445
+ "contentHash": "f74833db7b0f1aa8bb9af7e23a789462915024158adbadaceb1c06e891b447dd",
446
446
  "since": "2025-01-01"
447
447
  },
448
448
  "route-group:memory": {
@@ -450,7 +450,7 @@
450
450
  "type": "route-group",
451
451
  "domain": "memory",
452
452
  "sourcePath": "src/server/routes.ts",
453
- "contentHash": "4d92fe68ea368764c5d14cc9020ce71deed8b5e407776443186ab2cdcd908d61",
453
+ "contentHash": "f74833db7b0f1aa8bb9af7e23a789462915024158adbadaceb1c06e891b447dd",
454
454
  "since": "2025-01-01"
455
455
  },
456
456
  "route-group:semantic": {
@@ -458,7 +458,7 @@
458
458
  "type": "route-group",
459
459
  "domain": "memory",
460
460
  "sourcePath": "src/server/routes.ts",
461
- "contentHash": "4d92fe68ea368764c5d14cc9020ce71deed8b5e407776443186ab2cdcd908d61",
461
+ "contentHash": "f74833db7b0f1aa8bb9af7e23a789462915024158adbadaceb1c06e891b447dd",
462
462
  "since": "2025-01-01"
463
463
  },
464
464
  "route-group:status": {
@@ -466,7 +466,7 @@
466
466
  "type": "route-group",
467
467
  "domain": "monitoring",
468
468
  "sourcePath": "src/server/routes.ts",
469
- "contentHash": "4d92fe68ea368764c5d14cc9020ce71deed8b5e407776443186ab2cdcd908d61",
469
+ "contentHash": "f74833db7b0f1aa8bb9af7e23a789462915024158adbadaceb1c06e891b447dd",
470
470
  "since": "2025-01-01"
471
471
  },
472
472
  "route-group:capabilities": {
@@ -474,7 +474,7 @@
474
474
  "type": "route-group",
475
475
  "domain": "mapping",
476
476
  "sourcePath": "src/server/routes.ts",
477
- "contentHash": "4d92fe68ea368764c5d14cc9020ce71deed8b5e407776443186ab2cdcd908d61",
477
+ "contentHash": "f74833db7b0f1aa8bb9af7e23a789462915024158adbadaceb1c06e891b447dd",
478
478
  "since": "2025-01-01"
479
479
  },
480
480
  "route-group:project-map": {
@@ -482,7 +482,7 @@
482
482
  "type": "route-group",
483
483
  "domain": "mapping",
484
484
  "sourcePath": "src/server/routes.ts",
485
- "contentHash": "4d92fe68ea368764c5d14cc9020ce71deed8b5e407776443186ab2cdcd908d61",
485
+ "contentHash": "f74833db7b0f1aa8bb9af7e23a789462915024158adbadaceb1c06e891b447dd",
486
486
  "since": "2025-01-01"
487
487
  },
488
488
  "route-group:coherence": {
@@ -490,7 +490,7 @@
490
490
  "type": "route-group",
491
491
  "domain": "coherence",
492
492
  "sourcePath": "src/server/routes.ts",
493
- "contentHash": "4d92fe68ea368764c5d14cc9020ce71deed8b5e407776443186ab2cdcd908d61",
493
+ "contentHash": "f74833db7b0f1aa8bb9af7e23a789462915024158adbadaceb1c06e891b447dd",
494
494
  "since": "2025-01-01"
495
495
  },
496
496
  "route-group:topic-bindings": {
@@ -498,7 +498,7 @@
498
498
  "type": "route-group",
499
499
  "domain": "sessions",
500
500
  "sourcePath": "src/server/routes.ts",
501
- "contentHash": "4d92fe68ea368764c5d14cc9020ce71deed8b5e407776443186ab2cdcd908d61",
501
+ "contentHash": "f74833db7b0f1aa8bb9af7e23a789462915024158adbadaceb1c06e891b447dd",
502
502
  "since": "2025-01-01"
503
503
  },
504
504
  "route-group:context": {
@@ -506,7 +506,7 @@
506
506
  "type": "route-group",
507
507
  "domain": "context",
508
508
  "sourcePath": "src/server/routes.ts",
509
- "contentHash": "4d92fe68ea368764c5d14cc9020ce71deed8b5e407776443186ab2cdcd908d61",
509
+ "contentHash": "f74833db7b0f1aa8bb9af7e23a789462915024158adbadaceb1c06e891b447dd",
510
510
  "since": "2025-01-01"
511
511
  },
512
512
  "route-group:scope-coherence": {
@@ -514,7 +514,7 @@
514
514
  "type": "route-group",
515
515
  "domain": "coherence",
516
516
  "sourcePath": "src/server/routes.ts",
517
- "contentHash": "4d92fe68ea368764c5d14cc9020ce71deed8b5e407776443186ab2cdcd908d61",
517
+ "contentHash": "f74833db7b0f1aa8bb9af7e23a789462915024158adbadaceb1c06e891b447dd",
518
518
  "since": "2025-01-01"
519
519
  },
520
520
  "route-group:canonical-state": {
@@ -522,7 +522,7 @@
522
522
  "type": "route-group",
523
523
  "domain": "state",
524
524
  "sourcePath": "src/server/routes.ts",
525
- "contentHash": "4d92fe68ea368764c5d14cc9020ce71deed8b5e407776443186ab2cdcd908d61",
525
+ "contentHash": "f74833db7b0f1aa8bb9af7e23a789462915024158adbadaceb1c06e891b447dd",
526
526
  "since": "2025-01-01"
527
527
  },
528
528
  "route-group:ci": {
@@ -530,7 +530,7 @@
530
530
  "type": "route-group",
531
531
  "domain": "monitoring",
532
532
  "sourcePath": "src/server/routes.ts",
533
- "contentHash": "4d92fe68ea368764c5d14cc9020ce71deed8b5e407776443186ab2cdcd908d61",
533
+ "contentHash": "f74833db7b0f1aa8bb9af7e23a789462915024158adbadaceb1c06e891b447dd",
534
534
  "since": "2025-01-01"
535
535
  },
536
536
  "route-group:sessions": {
@@ -538,7 +538,7 @@
538
538
  "type": "route-group",
539
539
  "domain": "sessions",
540
540
  "sourcePath": "src/server/routes.ts",
541
- "contentHash": "4d92fe68ea368764c5d14cc9020ce71deed8b5e407776443186ab2cdcd908d61",
541
+ "contentHash": "f74833db7b0f1aa8bb9af7e23a789462915024158adbadaceb1c06e891b447dd",
542
542
  "since": "2025-01-01"
543
543
  },
544
544
  "route-group:jobs": {
@@ -546,7 +546,7 @@
546
546
  "type": "route-group",
547
547
  "domain": "scheduling",
548
548
  "sourcePath": "src/server/routes.ts",
549
- "contentHash": "4d92fe68ea368764c5d14cc9020ce71deed8b5e407776443186ab2cdcd908d61",
549
+ "contentHash": "f74833db7b0f1aa8bb9af7e23a789462915024158adbadaceb1c06e891b447dd",
550
550
  "since": "2025-01-01"
551
551
  },
552
552
  "route-group:skip-ledger": {
@@ -554,7 +554,7 @@
554
554
  "type": "route-group",
555
555
  "domain": "scheduling",
556
556
  "sourcePath": "src/server/routes.ts",
557
- "contentHash": "4d92fe68ea368764c5d14cc9020ce71deed8b5e407776443186ab2cdcd908d61",
557
+ "contentHash": "f74833db7b0f1aa8bb9af7e23a789462915024158adbadaceb1c06e891b447dd",
558
558
  "since": "2025-01-01"
559
559
  },
560
560
  "route-group:telegram": {
@@ -562,7 +562,7 @@
562
562
  "type": "route-group",
563
563
  "domain": "communication",
564
564
  "sourcePath": "src/server/routes.ts",
565
- "contentHash": "4d92fe68ea368764c5d14cc9020ce71deed8b5e407776443186ab2cdcd908d61",
565
+ "contentHash": "f74833db7b0f1aa8bb9af7e23a789462915024158adbadaceb1c06e891b447dd",
566
566
  "since": "2025-01-01"
567
567
  },
568
568
  "route-group:attention": {
@@ -570,7 +570,7 @@
570
570
  "type": "route-group",
571
571
  "domain": "communication",
572
572
  "sourcePath": "src/server/routes.ts",
573
- "contentHash": "4d92fe68ea368764c5d14cc9020ce71deed8b5e407776443186ab2cdcd908d61",
573
+ "contentHash": "f74833db7b0f1aa8bb9af7e23a789462915024158adbadaceb1c06e891b447dd",
574
574
  "since": "2025-01-01"
575
575
  },
576
576
  "route-group:relationships": {
@@ -578,7 +578,7 @@
578
578
  "type": "route-group",
579
579
  "domain": "relationships",
580
580
  "sourcePath": "src/server/routes.ts",
581
- "contentHash": "4d92fe68ea368764c5d14cc9020ce71deed8b5e407776443186ab2cdcd908d61",
581
+ "contentHash": "f74833db7b0f1aa8bb9af7e23a789462915024158adbadaceb1c06e891b447dd",
582
582
  "since": "2025-01-01"
583
583
  },
584
584
  "route-group:feedback": {
@@ -586,7 +586,7 @@
586
586
  "type": "route-group",
587
587
  "domain": "feedback",
588
588
  "sourcePath": "src/server/routes.ts",
589
- "contentHash": "4d92fe68ea368764c5d14cc9020ce71deed8b5e407776443186ab2cdcd908d61",
589
+ "contentHash": "f74833db7b0f1aa8bb9af7e23a789462915024158adbadaceb1c06e891b447dd",
590
590
  "since": "2025-01-01"
591
591
  },
592
592
  "route-group:updates": {
@@ -594,7 +594,7 @@
594
594
  "type": "route-group",
595
595
  "domain": "updates",
596
596
  "sourcePath": "src/server/routes.ts",
597
- "contentHash": "4d92fe68ea368764c5d14cc9020ce71deed8b5e407776443186ab2cdcd908d61",
597
+ "contentHash": "f74833db7b0f1aa8bb9af7e23a789462915024158adbadaceb1c06e891b447dd",
598
598
  "since": "2025-01-01"
599
599
  },
600
600
  "route-group:dispatches": {
@@ -602,7 +602,7 @@
602
602
  "type": "route-group",
603
603
  "domain": "dispatches",
604
604
  "sourcePath": "src/server/routes.ts",
605
- "contentHash": "4d92fe68ea368764c5d14cc9020ce71deed8b5e407776443186ab2cdcd908d61",
605
+ "contentHash": "f74833db7b0f1aa8bb9af7e23a789462915024158adbadaceb1c06e891b447dd",
606
606
  "since": "2025-01-01"
607
607
  },
608
608
  "route-group:quota": {
@@ -610,7 +610,7 @@
610
610
  "type": "route-group",
611
611
  "domain": "monitoring",
612
612
  "sourcePath": "src/server/routes.ts",
613
- "contentHash": "4d92fe68ea368764c5d14cc9020ce71deed8b5e407776443186ab2cdcd908d61",
613
+ "contentHash": "f74833db7b0f1aa8bb9af7e23a789462915024158adbadaceb1c06e891b447dd",
614
614
  "since": "2025-01-01"
615
615
  },
616
616
  "route-group:publishing": {
@@ -618,7 +618,7 @@
618
618
  "type": "route-group",
619
619
  "domain": "publishing",
620
620
  "sourcePath": "src/server/routes.ts",
621
- "contentHash": "4d92fe68ea368764c5d14cc9020ce71deed8b5e407776443186ab2cdcd908d61",
621
+ "contentHash": "f74833db7b0f1aa8bb9af7e23a789462915024158adbadaceb1c06e891b447dd",
622
622
  "since": "2025-01-01"
623
623
  },
624
624
  "route-group:private-views": {
@@ -626,7 +626,7 @@
626
626
  "type": "route-group",
627
627
  "domain": "publishing",
628
628
  "sourcePath": "src/server/routes.ts",
629
- "contentHash": "4d92fe68ea368764c5d14cc9020ce71deed8b5e407776443186ab2cdcd908d61",
629
+ "contentHash": "f74833db7b0f1aa8bb9af7e23a789462915024158adbadaceb1c06e891b447dd",
630
630
  "since": "2025-01-01"
631
631
  },
632
632
  "route-group:tunnel": {
@@ -634,7 +634,7 @@
634
634
  "type": "route-group",
635
635
  "domain": "networking",
636
636
  "sourcePath": "src/server/routes.ts",
637
- "contentHash": "4d92fe68ea368764c5d14cc9020ce71deed8b5e407776443186ab2cdcd908d61",
637
+ "contentHash": "f74833db7b0f1aa8bb9af7e23a789462915024158adbadaceb1c06e891b447dd",
638
638
  "since": "2025-01-01"
639
639
  },
640
640
  "route-group:events": {
@@ -642,7 +642,7 @@
642
642
  "type": "route-group",
643
643
  "domain": "networking",
644
644
  "sourcePath": "src/server/routes.ts",
645
- "contentHash": "4d92fe68ea368764c5d14cc9020ce71deed8b5e407776443186ab2cdcd908d61",
645
+ "contentHash": "f74833db7b0f1aa8bb9af7e23a789462915024158adbadaceb1c06e891b447dd",
646
646
  "since": "2025-01-01"
647
647
  },
648
648
  "route-group:evolution": {
@@ -650,7 +650,7 @@
650
650
  "type": "route-group",
651
651
  "domain": "evolution",
652
652
  "sourcePath": "src/server/routes.ts",
653
- "contentHash": "4d92fe68ea368764c5d14cc9020ce71deed8b5e407776443186ab2cdcd908d61",
653
+ "contentHash": "f74833db7b0f1aa8bb9af7e23a789462915024158adbadaceb1c06e891b447dd",
654
654
  "since": "2025-01-01"
655
655
  },
656
656
  "route-group:watchdog": {
@@ -658,7 +658,7 @@
658
658
  "type": "route-group",
659
659
  "domain": "monitoring",
660
660
  "sourcePath": "src/server/routes.ts",
661
- "contentHash": "4d92fe68ea368764c5d14cc9020ce71deed8b5e407776443186ab2cdcd908d61",
661
+ "contentHash": "f74833db7b0f1aa8bb9af7e23a789462915024158adbadaceb1c06e891b447dd",
662
662
  "since": "2025-01-01"
663
663
  },
664
664
  "route-group:topic-memory": {
@@ -666,7 +666,7 @@
666
666
  "type": "route-group",
667
667
  "domain": "memory",
668
668
  "sourcePath": "src/server/routes.ts",
669
- "contentHash": "4d92fe68ea368764c5d14cc9020ce71deed8b5e407776443186ab2cdcd908d61",
669
+ "contentHash": "f74833db7b0f1aa8bb9af7e23a789462915024158adbadaceb1c06e891b447dd",
670
670
  "since": "2025-01-01"
671
671
  },
672
672
  "route-group:state-sync": {
@@ -674,7 +674,7 @@
674
674
  "type": "route-group",
675
675
  "domain": "coordination",
676
676
  "sourcePath": "src/server/routes.ts",
677
- "contentHash": "4d92fe68ea368764c5d14cc9020ce71deed8b5e407776443186ab2cdcd908d61",
677
+ "contentHash": "f74833db7b0f1aa8bb9af7e23a789462915024158adbadaceb1c06e891b447dd",
678
678
  "since": "2025-01-01"
679
679
  },
680
680
  "route-group:intent": {
@@ -682,7 +682,7 @@
682
682
  "type": "route-group",
683
683
  "domain": "intent",
684
684
  "sourcePath": "src/server/routes.ts",
685
- "contentHash": "4d92fe68ea368764c5d14cc9020ce71deed8b5e407776443186ab2cdcd908d61",
685
+ "contentHash": "f74833db7b0f1aa8bb9af7e23a789462915024158adbadaceb1c06e891b447dd",
686
686
  "since": "2025-01-01"
687
687
  },
688
688
  "route-group:triage": {
@@ -690,7 +690,7 @@
690
690
  "type": "route-group",
691
691
  "domain": "safety",
692
692
  "sourcePath": "src/server/routes.ts",
693
- "contentHash": "4d92fe68ea368764c5d14cc9020ce71deed8b5e407776443186ab2cdcd908d61",
693
+ "contentHash": "f74833db7b0f1aa8bb9af7e23a789462915024158adbadaceb1c06e891b447dd",
694
694
  "since": "2025-01-01"
695
695
  },
696
696
  "route-group:operations": {
@@ -698,7 +698,7 @@
698
698
  "type": "route-group",
699
699
  "domain": "safety",
700
700
  "sourcePath": "src/server/routes.ts",
701
- "contentHash": "4d92fe68ea368764c5d14cc9020ce71deed8b5e407776443186ab2cdcd908d61",
701
+ "contentHash": "f74833db7b0f1aa8bb9af7e23a789462915024158adbadaceb1c06e891b447dd",
702
702
  "since": "2025-01-01"
703
703
  },
704
704
  "route-group:sentinel": {
@@ -706,7 +706,7 @@
706
706
  "type": "route-group",
707
707
  "domain": "safety",
708
708
  "sourcePath": "src/server/routes.ts",
709
- "contentHash": "4d92fe68ea368764c5d14cc9020ce71deed8b5e407776443186ab2cdcd908d61",
709
+ "contentHash": "f74833db7b0f1aa8bb9af7e23a789462915024158adbadaceb1c06e891b447dd",
710
710
  "since": "2025-01-01"
711
711
  },
712
712
  "route-group:trust": {
@@ -714,7 +714,7 @@
714
714
  "type": "route-group",
715
715
  "domain": "safety",
716
716
  "sourcePath": "src/server/routes.ts",
717
- "contentHash": "4d92fe68ea368764c5d14cc9020ce71deed8b5e407776443186ab2cdcd908d61",
717
+ "contentHash": "f74833db7b0f1aa8bb9af7e23a789462915024158adbadaceb1c06e891b447dd",
718
718
  "since": "2025-01-01"
719
719
  },
720
720
  "route-group:monitoring": {
@@ -722,7 +722,7 @@
722
722
  "type": "route-group",
723
723
  "domain": "monitoring",
724
724
  "sourcePath": "src/server/routes.ts",
725
- "contentHash": "4d92fe68ea368764c5d14cc9020ce71deed8b5e407776443186ab2cdcd908d61",
725
+ "contentHash": "f74833db7b0f1aa8bb9af7e23a789462915024158adbadaceb1c06e891b447dd",
726
726
  "since": "2025-01-01"
727
727
  },
728
728
  "route-group:commitments": {
@@ -730,7 +730,7 @@
730
730
  "type": "route-group",
731
731
  "domain": "commitments",
732
732
  "sourcePath": "src/server/routes.ts",
733
- "contentHash": "4d92fe68ea368764c5d14cc9020ce71deed8b5e407776443186ab2cdcd908d61",
733
+ "contentHash": "f74833db7b0f1aa8bb9af7e23a789462915024158adbadaceb1c06e891b447dd",
734
734
  "since": "2025-01-01"
735
735
  },
736
736
  "route-group:episodes": {
@@ -738,7 +738,7 @@
738
738
  "type": "route-group",
739
739
  "domain": "memory",
740
740
  "sourcePath": "src/server/routes.ts",
741
- "contentHash": "4d92fe68ea368764c5d14cc9020ce71deed8b5e407776443186ab2cdcd908d61",
741
+ "contentHash": "f74833db7b0f1aa8bb9af7e23a789462915024158adbadaceb1c06e891b447dd",
742
742
  "since": "2025-01-01"
743
743
  },
744
744
  "route-group:messages": {
@@ -746,7 +746,7 @@
746
746
  "type": "route-group",
747
747
  "domain": "coordination",
748
748
  "sourcePath": "src/server/routes.ts",
749
- "contentHash": "4d92fe68ea368764c5d14cc9020ce71deed8b5e407776443186ab2cdcd908d61",
749
+ "contentHash": "f74833db7b0f1aa8bb9af7e23a789462915024158adbadaceb1c06e891b447dd",
750
750
  "since": "2025-01-01"
751
751
  },
752
752
  "route-group:system-reviews": {
@@ -754,7 +754,7 @@
754
754
  "type": "route-group",
755
755
  "domain": "monitoring",
756
756
  "sourcePath": "src/server/routes.ts",
757
- "contentHash": "4d92fe68ea368764c5d14cc9020ce71deed8b5e407776443186ab2cdcd908d61",
757
+ "contentHash": "f74833db7b0f1aa8bb9af7e23a789462915024158adbadaceb1c06e891b447dd",
758
758
  "since": "2025-01-01"
759
759
  },
760
760
  "route-group:machine-mesh": {
@@ -770,7 +770,7 @@
770
770
  "type": "route-group",
771
771
  "domain": "security",
772
772
  "sourcePath": "src/server/routes.ts",
773
- "contentHash": "4d92fe68ea368764c5d14cc9020ce71deed8b5e407776443186ab2cdcd908d61",
773
+ "contentHash": "f74833db7b0f1aa8bb9af7e23a789462915024158adbadaceb1c06e891b447dd",
774
774
  "since": "2025-01-01"
775
775
  },
776
776
  "cli:init": {
@@ -1530,7 +1530,7 @@
1530
1530
  "type": "subsystem",
1531
1531
  "domain": "sessions",
1532
1532
  "sourcePath": "src/core/SessionManager.ts",
1533
- "contentHash": "49e13cb91286150019351a47f1200d0c086c2c2bba27e29023d3a5253024191f",
1533
+ "contentHash": "c505368755a51f57c461447eae1b32da1815444b25060d985ab2381779bd6311",
1534
1534
  "since": "2025-01-01"
1535
1535
  },
1536
1536
  "subsystem:auto-updater": {
@@ -0,0 +1,51 @@
1
+ # Upgrade Guide — vNEXT
2
+
3
+ <!-- assembled-by: assemble-next-md -->
4
+ <!-- bump: minor -->
5
+
6
+ ## What Changed
7
+
8
+ A new dev-gated monitoring capability — **Build-Session Yield Safety** (ACT-839) — closes the "a background build died standing-by-for-tests with its work uncommitted" gap. R1: a session reaped while its worktree holds real uncommitted work is now resume-eligible on that alone — the killer (`SessionReaper`) runs a bounded, cached, fail-open `worktreeDirtyCheck` on the session's worktree PRE-kill (never a synchronous git call on the terminate chokepoint) and tags a new `uncommitted-worktree-work` STRONG `WorkEvidence` value. R2 (Close-the-Loop, signal not block): the revived session's continuation prompt leads with a verbatim commit-first directive, and `ResumeQueueDrainer` fires `onWorktreeRevival`, which registers a deduped, beacon-enabled `CommitmentTracker` obligation so a *stalled* revived session is re-surfaced by PromiseBeacon. The *die-again* case reuses the already-shipped, dev-live `OrphanedWorkSentinel` (#1113) for detect+preserve+surface — no duplicate scanner. An explicit operator/user/emergency kill is never auto-revived on a dirty worktree alone (the origin veto is final). Ships ENABLED on developer agents, dark on the fleet, per the new **Maturation Path** constitutional standard.
9
+
10
+ audience: agent-only
11
+ maturity: experimental
12
+
13
+ Wires the merged credential-location ledger into the live read paths (spec §2.2 — the 12-row consumer census). Every place that today treats a subscription account's enrollment config home as the live LOCATION of its credential now resolves through one chokepoint, the new `CredentialLocationGate`, when the feature is enabled — so once a credential is moved between homes, a poll/spawn/badge reads the home the credential ACTUALLY lives in now, instead of being silently invalidated.
14
+
15
+ - **One re-route chokepoint** — `CredentialLocationGate` (src/core/CredentialLocationGate.ts) reads the ledger via sync in-memory `slotForAccount`/`tenantForSlot`. Flag-gated: with the feature OFF (the only shipped state) every read returns today's enrollment-home value. Back-compat: a never-seeded ledger ALSO returns today's value. Fail-open-loud: an UNKNOWN-mode (corrupt) ledger returns the fallback AND raises ONE HIGH attention item — it never throws into a poll or spawn.
16
+ - **QuotaPoller (census #1–#4)** — the per-account token read, the 401-refresh exchange, and the needs-reauth attribution all target the account's LIVE slot; the email auto-patch is SUPPRESSED while enabled (it would otherwise cross-contaminate pool emails after a move).
17
+ - **Spawn placement (census #5/#6)** — a pinned pool account's session launches under its CURRENT slot, not its stale enrollment home. An explicit caller-supplied home (the account-swap path) still wins unchanged.
18
+ - **In-use badge (census #8, the lying-oracle fix)** — the dashboard "which account am I on" badge reads the ledger's default-home tenant instead of re-probing the client status command, which lags during the post-move window and would re-cache the wrong account. The badge cache is busted the moment a default-home move commits.
19
+ - **Competing-writer refusal (census #9)** — a manual account switch / auto-migrate that would write a moved home is refused at the MANAGER (the single credential-write funnel), not just on a route, with a plain-English message pointing at the correct replacement. The refusal is non-destructive — nothing is written.
20
+ - **Config-home edit lock (census #10/#11)** — editing an account's config-home field via the pool API is refused (409) while enabled — that field is enrollment metadata, not the live location.
21
+ - **Dark** — gated by the existing `subscriptionPool.credentialRepointing` flag (`enabled:false`). With the feature off (the fleet + dev default) every consumer is byte-for-byte today's behavior; the refusal surfaces refuse nothing; the config-home lock never fires.
22
+
23
+ The HTTP routes and the audit-scrub chokepoint that expose this to the operator are Step 7 (a later increment).
24
+
25
+ ## What to Tell Your User
26
+
27
+ Nothing to announce proactively — it's an experimental safety net that runs on developer agents. If anyone asks: a background build that gets shut down before it saves its work now gets brought back and reminded to commit, instead of the work quietly vanishing.
28
+
29
+ This is internal plumbing that ships turned off, so day to day nothing changes for you. What it builds toward: when I hold more than one of your subscription accounts and move a credential between them under the hood, all the parts of me that read your accounts now agree on where each one actually lives — the quota poller checks the right account, a new session launches on the right account, the dashboard badge shows the right account, and a stale background process can no longer silently overwrite a moved account and resurrect an old one. Before this, those readers each trusted a separate, easily-outdated note about where an account lived, so a move could quietly make them disagree. It is off by default and does nothing until it is deliberately turned on after a review window. If something does go wrong while it is on, it fails toward today's behavior and tells me loudly, rather than guessing.
30
+
31
+ ## Summary of New Capabilities
32
+
33
+ | Capability | How to Use |
34
+ |-----------|-----------|
35
+ | Revive a session reaped with a dirty worktree | Automatic (dev-enabled, dark on fleet) |
36
+ | Durable "commit your worktree" obligation | `GET /commitments` (beacon re-surfaces a stalled revive) |
37
+ | Tune the dirty-check / residue denylist | `monitoring.yieldSafety.*` config |
38
+
39
+ New exported `CredentialLocationGate` (src/core/CredentialLocationGate.ts) — the spec §2.2 census re-routing chokepoint of live credential re-pointing. Gated by the existing `subscriptionPool.credentialRepointing` flag; no new config flag, no new HTTP route (routes are Step 7). Re-routes QuotaPoller, SessionManager spawn placement, InUseAccountResolver, the credential-write funnel (manager-level competing-writer refusal), and the pool config-home PATCH through the merged Step 2 location ledger.
40
+
41
+ ## Evidence
42
+
43
+ Not a bug fix — a new dark, dev-gated feature; "not reproducible in dev" in the bug-fix sense. Verified by the 3-tier test plan: 19 unit tests for the shared `worktreeDirtyCheck` (both sides of every boundary + fail-open + cache), 5 reaper tests (dirty → evidence, clean → empty, feature-dark → empty, throw → fail-open, no-cwd → not-consulted), 7 drainer tests (the directive + the revival-obligation hook), and an e2e wired-pipeline test (a reaped dirty-worktree session is revived → the directive appears → a real beacon-enabled commitment is registered + deduped). tsc clean; full lint + dark-gate golden line-map + docs-coverage green.
44
+
45
+ - `tests/unit/credential-location-gate.test.ts` (19) — the gate (flag-off/on-known/on-unknown, fail-open-loud, dedup attention, throwing-emitter safety); QuotaPoller census #1/#2 slot re-route + #3 email-suppress (both sides); InUseAccountResolver census #8 (E4a-liar: never re-probes when enabled, ledger-known short-circuit, never-seeded fall-through, bustCache); competing-writer refusal #9 (manager refuse + non-owned write-through + no-gate inertness).
46
+ - `tests/unit/credential-swap-executor.test.ts` (+2) — census #8 `onSlotsChanged` fires at commit with both swapped slots; a throwing cache-bust never rolls back the committed swap.
47
+ - `tests/unit/interactive-session-pin.test.ts` (+3) — census #6 spawn re-route (flag-on-known → live slot; flag-off → enrollment home; never-seeded → enrollment home).
48
+ - `tests/unit/account-switcher-provider.test.ts` (+2) — census #9 AccountSwitcher manager-refusal (refused switch, no write, active account unchanged) + no-gate proceeds.
49
+ - `tests/integration/credential-repointing-census-routes.test.ts` (3) — PATCH config-home → 409 when enabled, 200 when off, non-config-home field still PATCHes when enabled.
50
+ - `tests/e2e/credential-repointing-census-lifecycle.test.ts` (2) — feature-alive: flag-OFF strict no-op end-to-end (badge re-probes, poll reads enrollment home, PATCH allowed) + flag-ON ledger short-circuit (badge no re-probe, PATCH 409).
51
+ - tsc clean; full `npm run lint` clean; dark-gate unchanged (no ConfigDefaults touched); docs-coverage green.
@@ -0,0 +1,143 @@
1
+ # Side-Effects Review — WS5.2 Step 6: census consumer re-routing (live credential re-pointing, dark)
2
+
3
+ **Version / slug:** `ws52-step6-census-rerouting`
4
+ **Date:** `2026-06-13`
5
+ **Author:** `Echo`
6
+ **Second-pass reviewer:** `4-adversarial-lens self-review (folded as named tests)`
7
+
8
+ ## Summary of the change
9
+
10
+ Step 6 of live credential re-pointing (spec §2.2). Every place in the live code that today treats a
11
+ pool account's enrollment `configHome` as the LIVE location of its credential is re-routed through a
12
+ single new chokepoint, `CredentialLocationGate`, which reads the `CredentialLocationLedger` (Steps
13
+ 1–5, merged). The gate is FLAG-GATED on the EXISTING `subscriptionPool.credentialRepointing.enabled`
14
+ (no new config flag → the dark-gate line-map is UNCHANGED), back-compat-on-unknown (a never-seeded /
15
+ UNKNOWN ledger falls back to today's enrollment-home behavior), and fail-open-loud (an UNKNOWN-mode
16
+ read returns the fallback + ONE HIGH attention, never throws into a hot path). Files touched:
17
+ `src/core/CredentialLocationGate.ts` (new), `src/core/QuotaPoller.ts` (census #1–#4),
18
+ `src/core/InUseAccountResolver.ts` (census #8, the E4a liar), `src/core/SessionManager.ts` (census
19
+ #5/#6 spawn placement), `src/monitoring/CredentialProvider.ts` (census #9 manager-level refusal gate),
20
+ `src/monitoring/AccountSwitcher.ts` (surfaces the #9 refusal cleanly),
21
+ `src/core/CredentialSwapExecutor.ts` (an `onSlotsChanged` commit hook for the #8 cache-bust),
22
+ `src/server/routes.ts` (census #10/#11 PATCH configHome → 409), `src/commands/server.ts` (the wiring
23
+ chain: ledger + gate + consumers + the process-shared refusal gate).
24
+
25
+ ## Decision-point inventory
26
+
27
+ - `CredentialLocationGate.slotForAccount/tenantForSlot` — add — the single re-route chokepoint; flag-gated, back-compat-on-unknown, fail-open-loud.
28
+ - `QuotaPoller.accountForReads` — add — resolves each account's live slot for token read / 401-refresh / needs-reauth; email auto-patch SUPPRESSED while enabled.
29
+ - `InUseAccountResolver.resolve` — modify — when enabled + ledger-known, resolves the default badge from the ledger instead of a `claude auth status` re-probe; `bustCache()` added.
30
+ - `SessionManager.resolvePinnedSpawnHome` — add — a pinned account's spawn home resolves through the ledger; an explicit caller home (account-swap path) still wins.
31
+ - `writeCredentialsSerialized` refusal gate — add — a manager-level competing-writer refusal at the funnel chokepoint (not only the route).
32
+ - `PATCH /subscription-pool/:id` configHome — modify — refused 409 while enabled.
33
+ - `CredentialSwapExecutor.onSlotsChanged` — add — a best-effort commit hook that busts the in-use badge on a default-slot swap.
34
+
35
+ ---
36
+
37
+ ## 1. Over-block
38
+
39
+ The only block surfaces are: (a) the PATCH-409 on `configHome` — refuses ONLY when the flag is
40
+ enabled (always off while dark), and ONLY the `configHome` field (every other field still PATCHes);
41
+ (b) the manager-level competing-writer refusal — refuses ONLY when the flag is enabled AND the ledger
42
+ holds a tenant for the (canonicalized) slot. A legitimate switch to a slot the ledger does NOT own is
43
+ not refused. With the flag off (the shipped dark state) neither block fires: no over-block surface
44
+ exists in the shipped configuration.
45
+
46
+ ---
47
+
48
+ ## 2. Under-block
49
+
50
+ The competing-writer refusal keys on "the ledger holds a tenant for this canonical slot." If a writer
51
+ targets a slot the ledger has never recorded (a brand-new enrollment home not yet seeded), it is NOT
52
+ refused — but that slot is not repointing-owned, so writing it cannot clobber a ledger tenant; this is
53
+ correct back-compat, not an under-block. The refusal is at the SOLE manager funnel
54
+ (`writeCredentialsSerialized`), so a non-route caller cannot dodge it — the spec §2.7 "every item a
55
+ unique source dodge" is closed by construction.
56
+
57
+ ---
58
+
59
+ ## 3. Level-of-abstraction fit
60
+
61
+ `CredentialLocationGate` is a thin DETECTOR/router (sync in-memory ledger read + a flag check), not an
62
+ authority — it never decides policy, it answers "where does account X live now?" The single authority
63
+ in the change is the manager-level refusal, which is a deterministic ownership check (does the ledger
64
+ own this slot?) — the correct altitude per spec §2.7 (manager chokepoint, not a brittle route guard).
65
+ The gate FEEDS the existing consumers; it does not run parallel to them. The ledger (Step 2) is the
66
+ lower-level primitive the gate USES; nothing is re-implemented.
67
+
68
+ ---
69
+
70
+ ## 4. Signal vs authority compliance
71
+
72
+ **Reference:** docs/signal-vs-authority.md
73
+
74
+ - [x] No — the re-routing reads are SIGNAL (advisory location resolution feeding existing consumers);
75
+ the two block surfaces (PATCH-409, competing-writer refusal) are deterministic OWNERSHIP checks
76
+ over durable ledger state, not brittle heuristics — they have full structural context (the
77
+ ledger is the single source of truth), so they are smart-gate-equivalent, not brittle detectors.
78
+
79
+ The gate reads never own block authority: an UNKNOWN-mode read fails OPEN (returns the enrollment
80
+ fallback + an attention item), so a corrupt ledger degrades to today's behavior, never blocks a poll
81
+ or a spawn.
82
+
83
+ ---
84
+
85
+ ## 5. Interactions
86
+
87
+ - **Shadowing:** the PATCH-409 runs BEFORE `subscriptionPool.update` in `/subscription-pool/:id` — when it fires the update never runs (intended; the field-edit must not land). Other fields are unaffected. The competing-writer refusal runs BEFORE the funnel lock in `writeCredentialsSerialized` — when it fires no lock is taken and no write occurs (intended, non-destructive).
88
+ - **Double-fire:** the swap-commit `onSlotsChanged` fires exactly once per committed swap; it is best-effort and a throwing consumer is swallowed (the commit is the load-bearing op and is never rolled back by a cache-bust failure — proven by a named test).
89
+ - **Races:** the gate reads are sync in-memory (no shared mutable state); the refusal gate reads the ledger's in-memory assignments (single-writer process). The InUseAccountResolver cache-bust is idempotent.
90
+ - **Feedback loops:** the email auto-patch SUPPRESSION removes a feedback loop that previously cross-contaminated pool emails after a swap (spec §2.2 #3) — a net REDUCTION in a feedback path.
91
+
92
+ ---
93
+
94
+ ## 6. External surfaces
95
+
96
+ - **Other agents on the same machine:** none — the ledger/gate are per-machine and read-only over the local ledger.
97
+ - **Install base:** none while dark (flag off → byte-identical behavior; proven by the E2E strict-no-op test + per-consumer flag-off unit tests).
98
+ - **External systems:** none — no new network calls; the gate is a pure in-memory read-router.
99
+ - **Persistent state:** reads the existing `state/credential-locations.json` (Step 2); writes nothing new (Step 6 is read re-routing + two refusal surfaces — neither adds a credential write; the `lint-no-unfunneled-credential-write` lint is clean).
100
+ - **Operator surface:** the PATCH-409 changes a `/subscription-pool/:id` response (409 with a plain-English message pointing at `POST /credentials/set-default`) ONLY when the flag is enabled. The AccountSwitcher refusal returns a `SwitchResult` with a plain-English message — phone-surfaced via the existing `/switch-account` Telegram command path. No new operator-only API action is introduced.
101
+
102
+ ## 6b. Operator-surface quality
103
+
104
+ No operator surface (no dashboard renderer / approval page / grant form) is added or touched — the
105
+ dashboard Subscriptions-tab `/credentials/locations` fetch is census #11, which Step 7 owns per the
106
+ build plan §6/§7 sequencing. Not applicable to this step.
107
+
108
+ ---
109
+
110
+ ## 7. Multi-machine posture (Cross-Machine Coherence)
111
+
112
+ **machine-local BY DESIGN.** The reason it SHOULD differ per machine: each machine's
113
+ `CredentialLocationLedger` is the truth for ITS OWN slots (`SubscriptionPool` decision 1A —
114
+ per-machine enrollment = independent grant lineages). An N-machine pool has N independent ledgers and
115
+ this step adds NO cross-machine read. A swap on machine A never needs to bust machine B's in-use cache
116
+ (B's `~/.claude` is a different physical slot with a different credential). Degrades safely:
117
+ ledger-unknown on any machine → that machine shows today's (re-probed) badge / enrollment-home reads.
118
+ No user-facing notice is emitted by the re-routing (the only notice is the UNKNOWN-mode HIGH attention,
119
+ which is a per-machine local degradation surface — correct as machine-local). No durable cross-machine
120
+ state is created; no URLs are generated. (Phase C of the build prompt, answered explicitly.)
121
+
122
+ ---
123
+
124
+ ## Rollback
125
+
126
+ Pure dark-ship: the feature is gated on `subscriptionPool.credentialRepointing.enabled` (default
127
+ false). With the flag off — the only shipped state — every census consumer is byte-for-byte today's
128
+ behavior, the refusal gate refuses nothing, the PATCH-409 never fires. To roll back the code entirely,
129
+ revert this commit; nothing persists (no migration, no new state file — the ledger file predates this
130
+ step). No two-flag flip is part of this step.
131
+
132
+ ## 4-adversarial-lens verdict
133
+
134
+ 1. **E4a-liar resurrection (THE blocker) — PASS.** `InUseAccountResolver` does NOT re-probe `claude auth status` for the default badge when enabled + ledger-known; it reads `ledger.tenantOf('~/.claude')`. `bustCache()` clears the cache, fired at swap-commit by `onSlotsChanged` for any `~/.claude` swap. Named tests: "resolves from the ledger, NEVER re-probes auth status" (`probe` spy asserted `.not.toHaveBeenCalled()`) + "bustCache clears a cached probe result" + the E2E flag-on `probeCalls() === 0`.
135
+ 2. **Competing-writer clobber — PASS.** The refusal lives at the MANAGER (`writeCredentialsSerialized`), before the funnel lock; a non-route caller inherits it. Named tests: "REFUSES at the manager when the slot is repointing-owned (no write occurs)" + AccountSwitcher "REFUSES the switch (no write) … active account unchanged."
136
+ 3. **Hot-path safety — PASS.** A ledger UNKNOWN-mode read returns the enrollment fallback + ONE deduped HIGH attention, never throws. Named tests: "UNKNOWN mode → fallback + ONE deduped HIGH attention, never throws" + "a THROWING attention emitter never escapes the read."
137
+ 4. **Dark-ship inertness — PASS.** Flag off → every consumer byte-for-byte today. Named tests: the per-consumer flag-OFF unit tests (every census row) + the E2E "FLAG OFF: the full wiring is alive AND strictly inert" (in-use re-probes, quota reads enrollment home, PATCH allowed).
138
+
139
+ ## Test tiers
140
+
141
+ - Unit: `tests/unit/credential-location-gate.test.ts` (19), additions to `credential-swap-executor.test.ts` (#8 cache-bust + throw-safety), `interactive-session-pin.test.ts` (#6 spawn re-route ×3), `account-switcher-provider.test.ts` (#9 refusal ×2).
142
+ - Integration: `tests/integration/credential-repointing-census-routes.test.ts` (PATCH-409 live, flag-off 200, non-configHome field still PATCHes).
143
+ - E2E: `tests/e2e/credential-repointing-census-lifecycle.test.ts` (feature-alive: flag-off strict no-op end-to-end + flag-on ledger short-circuit).
@@ -1,27 +0,0 @@
1
- # Upgrade Guide — vNEXT
2
-
3
- <!-- assembled-by: assemble-next-md -->
4
- <!-- bump: minor -->
5
-
6
- ## What Changed
7
-
8
- A new dev-gated monitoring capability — **Build-Session Yield Safety** (ACT-839) — closes the "a background build died standing-by-for-tests with its work uncommitted" gap. R1: a session reaped while its worktree holds real uncommitted work is now resume-eligible on that alone — the killer (`SessionReaper`) runs a bounded, cached, fail-open `worktreeDirtyCheck` on the session's worktree PRE-kill (never a synchronous git call on the terminate chokepoint) and tags a new `uncommitted-worktree-work` STRONG `WorkEvidence` value. R2 (Close-the-Loop, signal not block): the revived session's continuation prompt leads with a verbatim commit-first directive, and `ResumeQueueDrainer` fires `onWorktreeRevival`, which registers a deduped, beacon-enabled `CommitmentTracker` obligation so a *stalled* revived session is re-surfaced by PromiseBeacon. The *die-again* case reuses the already-shipped, dev-live `OrphanedWorkSentinel` (#1113) for detect+preserve+surface — no duplicate scanner. An explicit operator/user/emergency kill is never auto-revived on a dirty worktree alone (the origin veto is final). Ships ENABLED on developer agents, dark on the fleet, per the new **Maturation Path** constitutional standard.
9
-
10
- audience: agent-only
11
- maturity: experimental
12
-
13
- ## What to Tell Your User
14
-
15
- Nothing to announce proactively — it's an experimental safety net that runs on developer agents. If anyone asks: a background build that gets shut down before it saves its work now gets brought back and reminded to commit, instead of the work quietly vanishing.
16
-
17
- ## Summary of New Capabilities
18
-
19
- | Capability | How to Use |
20
- |-----------|-----------|
21
- | Revive a session reaped with a dirty worktree | Automatic (dev-enabled, dark on fleet) |
22
- | Durable "commit your worktree" obligation | `GET /commitments` (beacon re-surfaces a stalled revive) |
23
- | Tune the dirty-check / residue denylist | `monitoring.yieldSafety.*` config |
24
-
25
- ## Evidence
26
-
27
- Not a bug fix — a new dark, dev-gated feature; "not reproducible in dev" in the bug-fix sense. Verified by the 3-tier test plan: 19 unit tests for the shared `worktreeDirtyCheck` (both sides of every boundary + fail-open + cache), 5 reaper tests (dirty → evidence, clean → empty, feature-dark → empty, throw → fail-open, no-cwd → not-consulted), 7 drainer tests (the directive + the revival-obligation hook), and an e2e wired-pipeline test (a reaped dirty-worktree session is revived → the directive appears → a real beacon-enabled commitment is registered + deduped). tsc clean; full lint + dark-gate golden line-map + docs-coverage green.