instar 1.3.538 → 1.3.539
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/commands/server.d.ts.map +1 -1
- package/dist/commands/server.js +74 -1
- package/dist/commands/server.js.map +1 -1
- package/dist/core/CredentialAuditEmit.d.ts +82 -0
- package/dist/core/CredentialAuditEmit.d.ts.map +1 -0
- package/dist/core/CredentialAuditEmit.js +132 -0
- package/dist/core/CredentialAuditEmit.js.map +1 -0
- package/dist/core/CredentialManualLevers.d.ts +57 -0
- package/dist/core/CredentialManualLevers.d.ts.map +1 -0
- package/dist/core/CredentialManualLevers.js +0 -0
- package/dist/core/CredentialManualLevers.js.map +1 -0
- package/dist/core/CredentialRestoreEnrollment.d.ts +76 -0
- package/dist/core/CredentialRestoreEnrollment.d.ts.map +1 -0
- package/dist/core/CredentialRestoreEnrollment.js +76 -0
- package/dist/core/CredentialRestoreEnrollment.js.map +1 -0
- package/dist/core/types.d.ts +7 -0
- package/dist/core/types.d.ts.map +1 -1
- package/dist/core/types.js.map +1 -1
- package/dist/server/AgentServer.d.ts +1 -0
- package/dist/server/AgentServer.d.ts.map +1 -1
- package/dist/server/AgentServer.js +1 -0
- package/dist/server/AgentServer.js.map +1 -1
- package/dist/server/CapabilityIndex.d.ts.map +1 -1
- package/dist/server/CapabilityIndex.js +16 -0
- package/dist/server/CapabilityIndex.js.map +1 -1
- package/dist/server/routes.d.ts +20 -0
- package/dist/server/routes.d.ts.map +1 -1
- package/dist/server/routes.js +213 -0
- package/dist/server/routes.js.map +1 -1
- package/package.json +1 -1
- package/src/data/builtin-manifest.json +47 -47
- package/upgrades/1.3.539.md +29 -0
- package/upgrades/side-effects/ws52-step7-routes-audit.md +39 -0
|
@@ -0,0 +1,82 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* CredentialAuditEmit — the SINGLE secret-scrub chokepoint for live credential re-pointing
|
|
3
|
+
* (spec §2.9, build-plan §7).
|
|
4
|
+
*
|
|
5
|
+
* Every `logs/credential-swaps.jsonl` audit write, every `/credentials/*` HTTP response body,
|
|
6
|
+
* and every attention-item this feature constructs routes through ONE `scrub(record)` funnel.
|
|
7
|
+
* The invariant the spec names — "no field of any persisted, audited, notified, or HTTP-served
|
|
8
|
+
* surface of this feature may contain token material" — is enforced STRUCTURALLY here, not by
|
|
9
|
+
* "remember to scrub at each of N callsites".
|
|
10
|
+
*
|
|
11
|
+
* ── Why a single chokepoint (spec §2.9, round-3) ──
|
|
12
|
+
* Node's `JSON.parse` error is position-only and does not echo bytes, so the real leak vector is
|
|
13
|
+
* developer-authored interpolation: a `${raw}`-bearing log line, a `security`/keychain stderr, a
|
|
14
|
+
* fetch error string that carries a token FRAGMENT inside a free-text `reason`/`error`/`message`.
|
|
15
|
+
* A FORBIDDEN_CREDENTIAL_FIELDS field-name scan does not catch a token hiding in free text. So
|
|
16
|
+
* this funnel deep-walks EVERY string in a record and runs each through `redactToken`-backed
|
|
17
|
+
* scrubbing before the record reaches any persisted/served/notified surface.
|
|
18
|
+
*
|
|
19
|
+
* ── The redaction (reuses CredentialProvider.redactToken — NOT re-authored) ──
|
|
20
|
+
* `redactToken(t)` → `[TOKEN:abc1****]`. We apply it to any token-shaped run: the `sk-ant-…`
|
|
21
|
+
* family (access/oauth/refresh tokens), and any long high-entropy base64url-ish run that could
|
|
22
|
+
* be a bearer/secret. Account ids, slot paths, emails-by-id, and ordinary prose pass through
|
|
23
|
+
* unchanged — the feature references accounts BY ID only, so a healthy record loses nothing.
|
|
24
|
+
*
|
|
25
|
+
* This module performs NO IO and NO credential access. It is a pure, deterministic, machine-local
|
|
26
|
+
* transform (Phase C: redaction is local-deterministic, no peer dependency).
|
|
27
|
+
*/
|
|
28
|
+
/**
|
|
29
|
+
* Scrub token material out of a single string. Reuses `redactToken` (the project's one redactor)
|
|
30
|
+
* on every token-shaped run. Idempotent: a `[TOKEN:…]` marker contains no token-shaped run that
|
|
31
|
+
* survives a second pass.
|
|
32
|
+
*/
|
|
33
|
+
export declare function scrubString(s: string): string;
|
|
34
|
+
/**
|
|
35
|
+
* Deep-scrub an arbitrary JSON-able value: walks objects/arrays and scrubs every string leaf.
|
|
36
|
+
* Object KEYS are passed through unchanged (a key is a field name, never token material — and the
|
|
37
|
+
* §2.9 field-name scan covers forbidden keys separately). Non-string/number/bool/null leaves
|
|
38
|
+
* (functions, symbols) are dropped to a string form so nothing un-serializable rides along.
|
|
39
|
+
*
|
|
40
|
+
* THE chokepoint: `CredentialAuditEmit.scrub(record)` calls this. Every audit write, every
|
|
41
|
+
* `/credentials/*` response body, and every attention-item field passes through here.
|
|
42
|
+
*/
|
|
43
|
+
export declare function scrub<T>(record: T): T;
|
|
44
|
+
/**
|
|
45
|
+
* The audit-emit handle the host wires into the swap executor + the routes. ONE instance per
|
|
46
|
+
* process; every emit path (jsonl, response, attention) calls the corresponding method, and each
|
|
47
|
+
* method scrubs BEFORE the value reaches its surface. Constructing the handle with an injected
|
|
48
|
+
* `writeLine` (the jsonl sink) and `emitAttention` keeps it IO-free + unit-testable.
|
|
49
|
+
*/
|
|
50
|
+
export interface CredentialAuditEmitDeps {
|
|
51
|
+
/** Append one already-stringified JSON line to `logs/credential-swaps.jsonl`. */
|
|
52
|
+
writeLine?: (line: string) => void;
|
|
53
|
+
/** Deliver one attention item (typically telegram.createAttentionItem). */
|
|
54
|
+
emitAttention?: (item: CredentialAttentionItem) => void | Promise<void>;
|
|
55
|
+
now?: () => string;
|
|
56
|
+
}
|
|
57
|
+
export interface CredentialAttentionItem {
|
|
58
|
+
id: string;
|
|
59
|
+
title: string;
|
|
60
|
+
summary: string;
|
|
61
|
+
description?: string;
|
|
62
|
+
category: string;
|
|
63
|
+
priority: 'URGENT' | 'HIGH' | 'NORMAL' | 'LOW';
|
|
64
|
+
sourceContext?: string;
|
|
65
|
+
}
|
|
66
|
+
export declare class CredentialAuditEmit {
|
|
67
|
+
private readonly writeLine?;
|
|
68
|
+
private readonly emitAttentionFn?;
|
|
69
|
+
private readonly now;
|
|
70
|
+
constructor(deps?: CredentialAuditEmitDeps);
|
|
71
|
+
/** Surface 1 — the jsonl audit write. Scrubs the record, stamps it, appends one line. */
|
|
72
|
+
audit(record: Record<string, unknown>): void;
|
|
73
|
+
/**
|
|
74
|
+
* Surface 2 — the `/credentials/*` HTTP response body. Returns the SCRUBBED body the route
|
|
75
|
+
* sends. The route MUST send `emit.response(body)`, never a raw body — this is the wiring the
|
|
76
|
+
* §2.9 chokepoint test asserts.
|
|
77
|
+
*/
|
|
78
|
+
response<T>(body: T): T;
|
|
79
|
+
/** Surface 3 — the attention item. Scrubs every field, then delivers (best-effort). */
|
|
80
|
+
attention(item: CredentialAttentionItem): Promise<void>;
|
|
81
|
+
}
|
|
82
|
+
//# sourceMappingURL=CredentialAuditEmit.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"CredentialAuditEmit.d.ts","sourceRoot":"","sources":["../../src/core/CredentialAuditEmit.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAkBH;;;;GAIG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,MAAM,GAAG,MAAM,CAS7C;AAED;;;;;;;;GAQG;AACH,wBAAgB,KAAK,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,GAAG,CAAC,CAErC;AAgBD;;;;;GAKG;AACH,MAAM,WAAW,uBAAuB;IACtC,iFAAiF;IACjF,SAAS,CAAC,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,IAAI,CAAC;IACnC,2EAA2E;IAC3E,aAAa,CAAC,EAAE,CAAC,IAAI,EAAE,uBAAuB,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACxE,GAAG,CAAC,EAAE,MAAM,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,uBAAuB;IACtC,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,QAAQ,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;IAC/C,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAED,qBAAa,mBAAmB;IAC9B,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAyB;IACpD,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAC,CAA0D;IAC3F,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAe;gBAEvB,IAAI,GAAE,uBAA4B;IAM9C,yFAAyF;IACzF,KAAK,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI;IAa5C;;;;OAIG;IACH,QAAQ,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,GAAG,CAAC;IAIvB,uFAAuF;IACjF,SAAS,CAAC,IAAI,EAAE,uBAAuB,GAAG,OAAO,CAAC,IAAI,CAAC;CAW9D"}
|
|
@@ -0,0 +1,132 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* CredentialAuditEmit — the SINGLE secret-scrub chokepoint for live credential re-pointing
|
|
3
|
+
* (spec §2.9, build-plan §7).
|
|
4
|
+
*
|
|
5
|
+
* Every `logs/credential-swaps.jsonl` audit write, every `/credentials/*` HTTP response body,
|
|
6
|
+
* and every attention-item this feature constructs routes through ONE `scrub(record)` funnel.
|
|
7
|
+
* The invariant the spec names — "no field of any persisted, audited, notified, or HTTP-served
|
|
8
|
+
* surface of this feature may contain token material" — is enforced STRUCTURALLY here, not by
|
|
9
|
+
* "remember to scrub at each of N callsites".
|
|
10
|
+
*
|
|
11
|
+
* ── Why a single chokepoint (spec §2.9, round-3) ──
|
|
12
|
+
* Node's `JSON.parse` error is position-only and does not echo bytes, so the real leak vector is
|
|
13
|
+
* developer-authored interpolation: a `${raw}`-bearing log line, a `security`/keychain stderr, a
|
|
14
|
+
* fetch error string that carries a token FRAGMENT inside a free-text `reason`/`error`/`message`.
|
|
15
|
+
* A FORBIDDEN_CREDENTIAL_FIELDS field-name scan does not catch a token hiding in free text. So
|
|
16
|
+
* this funnel deep-walks EVERY string in a record and runs each through `redactToken`-backed
|
|
17
|
+
* scrubbing before the record reaches any persisted/served/notified surface.
|
|
18
|
+
*
|
|
19
|
+
* ── The redaction (reuses CredentialProvider.redactToken — NOT re-authored) ──
|
|
20
|
+
* `redactToken(t)` → `[TOKEN:abc1****]`. We apply it to any token-shaped run: the `sk-ant-…`
|
|
21
|
+
* family (access/oauth/refresh tokens), and any long high-entropy base64url-ish run that could
|
|
22
|
+
* be a bearer/secret. Account ids, slot paths, emails-by-id, and ordinary prose pass through
|
|
23
|
+
* unchanged — the feature references accounts BY ID only, so a healthy record loses nothing.
|
|
24
|
+
*
|
|
25
|
+
* This module performs NO IO and NO credential access. It is a pure, deterministic, machine-local
|
|
26
|
+
* transform (Phase C: redaction is local-deterministic, no peer dependency).
|
|
27
|
+
*/
|
|
28
|
+
import { redactToken } from '../monitoring/CredentialProvider.js';
|
|
29
|
+
/**
|
|
30
|
+
* The `sk-ant-…` token family Anthropic issues (oauth access `sk-ant-oat…`, api-key `sk-ant-api…`,
|
|
31
|
+
* refresh `sk-ant-ort…`, etc.). Matched first so the canonical leak vector is always redacted.
|
|
32
|
+
*/
|
|
33
|
+
const SK_ANT_RE = /sk-ant-[A-Za-z0-9_-]{8,}/g;
|
|
34
|
+
/**
|
|
35
|
+
* A long high-entropy token-shaped run (≥32 chars of base64url/hex alphabet) that is NOT a
|
|
36
|
+
* recognizable non-secret. This catches a bearer/secret that does NOT carry the `sk-ant-` prefix
|
|
37
|
+
* (a keychain stderr could echo a raw blob). Deliberately conservative on the low end so ordinary
|
|
38
|
+
* ids / slot hashes / ISO timestamps are never mangled (an 8-hex slot suffix is far under 32).
|
|
39
|
+
*/
|
|
40
|
+
const LONG_TOKEN_RE = /\b[A-Za-z0-9_-]{32,}\b/g;
|
|
41
|
+
/**
|
|
42
|
+
* Scrub token material out of a single string. Reuses `redactToken` (the project's one redactor)
|
|
43
|
+
* on every token-shaped run. Idempotent: a `[TOKEN:…]` marker contains no token-shaped run that
|
|
44
|
+
* survives a second pass.
|
|
45
|
+
*/
|
|
46
|
+
export function scrubString(s) {
|
|
47
|
+
if (!s)
|
|
48
|
+
return s;
|
|
49
|
+
let out = s.replace(SK_ANT_RE, (m) => redactToken(m));
|
|
50
|
+
out = out.replace(LONG_TOKEN_RE, (m) => {
|
|
51
|
+
// Never re-redact an already-emitted marker, and never touch the redactor's own output.
|
|
52
|
+
if (m.startsWith('TOKEN'))
|
|
53
|
+
return m;
|
|
54
|
+
return redactToken(m);
|
|
55
|
+
});
|
|
56
|
+
return out;
|
|
57
|
+
}
|
|
58
|
+
/**
|
|
59
|
+
* Deep-scrub an arbitrary JSON-able value: walks objects/arrays and scrubs every string leaf.
|
|
60
|
+
* Object KEYS are passed through unchanged (a key is a field name, never token material — and the
|
|
61
|
+
* §2.9 field-name scan covers forbidden keys separately). Non-string/number/bool/null leaves
|
|
62
|
+
* (functions, symbols) are dropped to a string form so nothing un-serializable rides along.
|
|
63
|
+
*
|
|
64
|
+
* THE chokepoint: `CredentialAuditEmit.scrub(record)` calls this. Every audit write, every
|
|
65
|
+
* `/credentials/*` response body, and every attention-item field passes through here.
|
|
66
|
+
*/
|
|
67
|
+
export function scrub(record) {
|
|
68
|
+
return deepScrub(record);
|
|
69
|
+
}
|
|
70
|
+
function deepScrub(v) {
|
|
71
|
+
if (typeof v === 'string')
|
|
72
|
+
return scrubString(v);
|
|
73
|
+
if (Array.isArray(v))
|
|
74
|
+
return v.map((x) => deepScrub(x));
|
|
75
|
+
if (v && typeof v === 'object') {
|
|
76
|
+
const out = {};
|
|
77
|
+
for (const [k, val] of Object.entries(v)) {
|
|
78
|
+
out[k] = deepScrub(val);
|
|
79
|
+
}
|
|
80
|
+
return out;
|
|
81
|
+
}
|
|
82
|
+
// number | boolean | null | undefined | bigint pass through unchanged (no token material).
|
|
83
|
+
return v;
|
|
84
|
+
}
|
|
85
|
+
export class CredentialAuditEmit {
|
|
86
|
+
writeLine;
|
|
87
|
+
emitAttentionFn;
|
|
88
|
+
now;
|
|
89
|
+
constructor(deps = {}) {
|
|
90
|
+
this.writeLine = deps.writeLine;
|
|
91
|
+
this.emitAttentionFn = deps.emitAttention;
|
|
92
|
+
this.now = deps.now ?? (() => new Date().toISOString());
|
|
93
|
+
}
|
|
94
|
+
/** Surface 1 — the jsonl audit write. Scrubs the record, stamps it, appends one line. */
|
|
95
|
+
audit(record) {
|
|
96
|
+
if (!this.writeLine)
|
|
97
|
+
return;
|
|
98
|
+
const scrubbed = scrub({ at: this.now(), ...record });
|
|
99
|
+
try {
|
|
100
|
+
this.writeLine(JSON.stringify(scrubbed) + '\n');
|
|
101
|
+
}
|
|
102
|
+
catch {
|
|
103
|
+
// @silent-fallback-ok — the audit jsonl is observability; a write failure (full disk, fs
|
|
104
|
+
// hiccup) must never throw into a swap/route. The actual credential operation is the
|
|
105
|
+
// load-bearing action and is unaffected; the next emit retries. (No token can leak here —
|
|
106
|
+
// the value was already scrubbed before the failing write.)
|
|
107
|
+
}
|
|
108
|
+
}
|
|
109
|
+
/**
|
|
110
|
+
* Surface 2 — the `/credentials/*` HTTP response body. Returns the SCRUBBED body the route
|
|
111
|
+
* sends. The route MUST send `emit.response(body)`, never a raw body — this is the wiring the
|
|
112
|
+
* §2.9 chokepoint test asserts.
|
|
113
|
+
*/
|
|
114
|
+
response(body) {
|
|
115
|
+
return scrub(body);
|
|
116
|
+
}
|
|
117
|
+
/** Surface 3 — the attention item. Scrubs every field, then delivers (best-effort). */
|
|
118
|
+
async attention(item) {
|
|
119
|
+
if (!this.emitAttentionFn)
|
|
120
|
+
return;
|
|
121
|
+
const scrubbed = scrub(item);
|
|
122
|
+
try {
|
|
123
|
+
await this.emitAttentionFn(scrubbed);
|
|
124
|
+
}
|
|
125
|
+
catch {
|
|
126
|
+
// @silent-fallback-ok — attention delivery is best-effort; the swap/quarantine safety action
|
|
127
|
+
// it announces is already durably recorded in the ledger regardless of whether the notice
|
|
128
|
+
// lands. The item was already scrubbed before this call, so a delivery failure leaks nothing.
|
|
129
|
+
}
|
|
130
|
+
}
|
|
131
|
+
}
|
|
132
|
+
//# sourceMappingURL=CredentialAuditEmit.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"CredentialAuditEmit.js","sourceRoot":"","sources":["../../src/core/CredentialAuditEmit.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAEH,OAAO,EAAE,WAAW,EAAE,MAAM,qCAAqC,CAAC;AAElE;;;GAGG;AACH,MAAM,SAAS,GAAG,2BAA2B,CAAC;AAE9C;;;;;GAKG;AACH,MAAM,aAAa,GAAG,yBAAyB,CAAC;AAEhD;;;;GAIG;AACH,MAAM,UAAU,WAAW,CAAC,CAAS;IACnC,IAAI,CAAC,CAAC;QAAE,OAAO,CAAC,CAAC;IACjB,IAAI,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,SAAS,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC;IACtD,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,aAAa,EAAE,CAAC,CAAC,EAAE,EAAE;QACrC,wFAAwF;QACxF,IAAI,CAAC,CAAC,UAAU,CAAC,OAAO,CAAC;YAAE,OAAO,CAAC,CAAC;QACpC,OAAO,WAAW,CAAC,CAAC,CAAC,CAAC;IACxB,CAAC,CAAC,CAAC;IACH,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,KAAK,CAAI,MAAS;IAChC,OAAO,SAAS,CAAC,MAAM,CAAM,CAAC;AAChC,CAAC;AAED,SAAS,SAAS,CAAC,CAAU;IAC3B,IAAI,OAAO,CAAC,KAAK,QAAQ;QAAE,OAAO,WAAW,CAAC,CAAC,CAAC,CAAC;IACjD,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;QAAE,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;IACxD,IAAI,CAAC,IAAI,OAAO,CAAC,KAAK,QAAQ,EAAE,CAAC;QAC/B,MAAM,GAAG,GAA4B,EAAE,CAAC;QACxC,KAAK,MAAM,CAAC,CAAC,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,CAA4B,CAAC,EAAE,CAAC;YACpE,GAAG,CAAC,CAAC,CAAC,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC;QAC1B,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC;IACD,2FAA2F;IAC3F,OAAO,CAAC,CAAC;AACX,CAAC;AA0BD,MAAM,OAAO,mBAAmB;IACb,SAAS,CAA0B;IACnC,eAAe,CAA2D;IAC1E,GAAG,CAAe;IAEnC,YAAY,OAAgC,EAAE;QAC5C,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC;QAChC,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC,aAAa,CAAC;QAC1C,IAAI,CAAC,GAAG,GAAG,IAAI,CAAC,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,CAAC;IAC1D,CAAC;IAED,yFAAyF;IACzF,KAAK,CAAC,MAA+B;QACnC,IAAI,CAAC,IAAI,CAAC,SAAS;YAAE,OAAO;QAC5B,MAAM,QAAQ,GAAG,KAAK,CAAC,EAAE,EAAE,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,GAAG,MAAM,EAAE,CAAC,CAAC;QACtD,IAAI,CAAC;YACH,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,GAAG,IAAI,CAAC,CAAC;QAClD,CAAC;QAAC,MAAM,CAAC;YACP,yFAAyF;YACzF,qFAAqF;YACrF,0FAA0F;YAC1F,4DAA4D;QAC9D,CAAC;IACH,CAAC;IAED;;;;OAIG;IACH,QAAQ,CAAI,IAAO;QACjB,OAAO,KAAK,CAAC,IAAI,CAAC,CAAC;IACrB,CAAC;IAED,uFAAuF;IACvF,KAAK,CAAC,SAAS,CAAC,IAA6B;QAC3C,IAAI,CAAC,IAAI,CAAC,eAAe;YAAE,OAAO;QAClC,MAAM,QAAQ,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC;QAC7B,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,CAAC;QACvC,CAAC;QAAC,MAAM,CAAC;YACP,6FAA6F;YAC7F,0FAA0F;YAC1F,8FAA8F;QAChG,CAAC;IACH,CAAC;CACF"}
|
|
@@ -0,0 +1,57 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* CredentialManualLevers — the detective-control bookkeeping for the manual swap/set-default
|
|
3
|
+
* levers (spec §2.4 manual levers + §0.g force budget). Machine-local, in-memory, pure.
|
|
4
|
+
*
|
|
5
|
+
* The levers stay agent-callable (single-operator autonomy directive), so the control is
|
|
6
|
+
* DETECTIVE + structural + non-suppressible, not a PIN gate:
|
|
7
|
+
* - per-PAIR cooldown — a manual swap respects the per-pair cooldown by default; `force:true`
|
|
8
|
+
* overrides it, and the override is FLAGGED in the audit + notification.
|
|
9
|
+
* - force budget (§0.g) — the `force:true` bypass carries its OWN bounded budget:
|
|
10
|
+
* `maxForcedManualSwapsPerWindow`. Exhaustion refuses further FORCED
|
|
11
|
+
* manual swaps until the window rolls — `force` is not the one uncapped
|
|
12
|
+
* bypass left in the spec. A non-forced swap is never blocked by it.
|
|
13
|
+
*
|
|
14
|
+
* Every guard here makes "no safe action available" a SURFACED refusal (a named reason returned to
|
|
15
|
+
* the caller), never a silent drop and never an unbounded retry (§0.g(c)).
|
|
16
|
+
*/
|
|
17
|
+
export interface CredentialManualLeversDeps {
|
|
18
|
+
/** Per-pair cooldown ms (≥1× poll interval). */
|
|
19
|
+
pairCooldownMs?: number;
|
|
20
|
+
/** §0.g force budget: max FORCED manual swaps per window. */
|
|
21
|
+
maxForcedPerWindow?: number;
|
|
22
|
+
/** §0.g force budget window length ms. */
|
|
23
|
+
forcedWindowMs?: number;
|
|
24
|
+
now?: () => number;
|
|
25
|
+
}
|
|
26
|
+
/** A cooldown/budget verdict — allow, or a named refusal (surfaced, never silent). */
|
|
27
|
+
export type LeverVerdict = {
|
|
28
|
+
allowed: true;
|
|
29
|
+
forced: boolean;
|
|
30
|
+
} | {
|
|
31
|
+
allowed: false;
|
|
32
|
+
reason: string;
|
|
33
|
+
code: 'pair-cooldown' | 'force-budget-exhausted';
|
|
34
|
+
};
|
|
35
|
+
export declare class CredentialManualLevers {
|
|
36
|
+
private readonly pairCooldownMs;
|
|
37
|
+
private readonly maxForcedPerWindow;
|
|
38
|
+
private readonly forcedWindowMs;
|
|
39
|
+
private readonly now;
|
|
40
|
+
/** pairKey → last actuation epoch ms. */
|
|
41
|
+
private readonly lastActuation;
|
|
42
|
+
/** Forced-swap timestamps within the rolling window. */
|
|
43
|
+
private forcedTimestamps;
|
|
44
|
+
constructor(deps?: CredentialManualLeversDeps);
|
|
45
|
+
/**
|
|
46
|
+
* Evaluate whether a manual swap of (slotA, slotB) may proceed. `force` overrides the per-pair
|
|
47
|
+
* cooldown BUT is itself bounded by the force budget. Read-only — call `recordSwap` after a
|
|
48
|
+
* swap actually commits so the cooldown/budget advance only on real actuation.
|
|
49
|
+
*/
|
|
50
|
+
evaluateSwap(slotA: string, slotB: string, force: boolean): LeverVerdict;
|
|
51
|
+
/** Record an actually-committed swap: advances the pair cooldown and (if forced) the budget. */
|
|
52
|
+
recordSwap(slotA: string, slotB: string, forced: boolean): void;
|
|
53
|
+
/** Forced swaps remaining in the current window (for observability). */
|
|
54
|
+
forcedBudgetRemaining(): number;
|
|
55
|
+
private pruneForcedWindow;
|
|
56
|
+
}
|
|
57
|
+
//# sourceMappingURL=CredentialManualLevers.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"CredentialManualLevers.d.ts","sourceRoot":"","sources":["../../src/core/CredentialManualLevers.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAMH,MAAM,WAAW,0BAA0B;IACzC,gDAAgD;IAChD,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,6DAA6D;IAC7D,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,0CAA0C;IAC1C,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,GAAG,CAAC,EAAE,MAAM,MAAM,CAAC;CACpB;AAED,sFAAsF;AACtF,MAAM,MAAM,YAAY,GACpB;IAAE,OAAO,EAAE,IAAI,CAAC;IAAC,MAAM,EAAE,OAAO,CAAA;CAAE,GAClC;IAAE,OAAO,EAAE,KAAK,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,eAAe,GAAG,wBAAwB,CAAA;CAAE,CAAC;AAOzF,qBAAa,sBAAsB;IACjC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAS;IACxC,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAS;IAC5C,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAS;IACxC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAe;IAEnC,yCAAyC;IACzC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAA6B;IAC3D,wDAAwD;IACxD,OAAO,CAAC,gBAAgB,CAAgB;gBAE5B,IAAI,GAAE,0BAA+B;IAOjD;;;;OAIG;IACH,YAAY,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,GAAG,YAAY;IA8BxE,gGAAgG;IAChG,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,GAAG,IAAI;IAS/D,wEAAwE;IACxE,qBAAqB,IAAI,MAAM;IAK/B,OAAO,CAAC,iBAAiB;CAI1B"}
|
|
Binary file
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"CredentialManualLevers.js","sourceRoot":"","sources":["../../src/core/CredentialManualLevers.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,MAAM,wBAAwB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,6CAA6C;AAC9F,MAAM,6BAA6B,GAAG,EAAE,CAAC,CAAC,iDAAiD;AAC3F,MAAM,wBAAwB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,oBAAoB;AAiBrE,wDAAwD;AACxD,SAAS,OAAO,CAAC,CAAS,EAAE,CAAS;IACnC,OAAO,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AACjC,CAAC;AAED,MAAM,OAAO,sBAAsB;IAChB,cAAc,CAAS;IACvB,kBAAkB,CAAS;IAC3B,cAAc,CAAS;IACvB,GAAG,CAAe;IAEnC,yCAAyC;IACxB,aAAa,GAAG,IAAI,GAAG,EAAkB,CAAC;IAC3D,wDAAwD;IAChD,gBAAgB,GAAa,EAAE,CAAC;IAExC,YAAY,OAAmC,EAAE;QAC/C,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC,cAAc,IAAI,wBAAwB,CAAC;QACtE,IAAI,CAAC,kBAAkB,GAAG,IAAI,CAAC,kBAAkB,IAAI,6BAA6B,CAAC;QACnF,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC,cAAc,IAAI,wBAAwB,CAAC;QACtE,IAAI,CAAC,GAAG,GAAG,IAAI,CAAC,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;IAC5C,CAAC;IAED;;;;OAIG;IACH,YAAY,CAAC,KAAa,EAAE,KAAa,EAAE,KAAc;QACvD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,GAAG,GAAG,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;QAClC,MAAM,IAAI,GAAG,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACzC,MAAM,UAAU,GAAG,IAAI,KAAK,SAAS,IAAI,GAAG,GAAG,IAAI,GAAG,IAAI,CAAC,cAAc,CAAC;QAE1E,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,IAAI,UAAU,EAAE,CAAC;gBACf,MAAM,QAAQ,GAAG,IAAI,CAAC,cAAc,GAAG,CAAC,GAAG,GAAG,IAAK,CAAC,CAAC;gBACrD,OAAO;oBACL,OAAO,EAAE,KAAK;oBACd,IAAI,EAAE,eAAe;oBACrB,MAAM,EAAE,wBAAwB,IAAI,CAAC,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,2CAA2C;iBACtG,CAAC;YACJ,CAAC;YACD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;QAC1C,CAAC;QAED,oFAAoF;QACpF,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAC;QAC5B,IAAI,IAAI,CAAC,gBAAgB,CAAC,MAAM,IAAI,IAAI,CAAC,kBAAkB,EAAE,CAAC;YAC5D,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,IAAI,EAAE,wBAAwB;gBAC9B,MAAM,EAAE,wCAAwC,IAAI,CAAC,kBAAkB,QAAQ,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,cAAc,GAAG,KAAK,CAAC,kEAAkE;aACzL,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;IACzC,CAAC;IAED,gGAAgG;IAChG,UAAU,CAAC,KAAa,EAAE,KAAa,EAAE,MAAe;QACtD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,EAAE,GAAG,CAAC,CAAC;QACnD,IAAI,MAAM,EAAE,CAAC;YACX,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAC;YAC5B,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAClC,CAAC;IACH,CAAC;IAED,wEAAwE;IACxE,qBAAqB;QACnB,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;QACnC,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,kBAAkB,GAAG,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC;IAC7E,CAAC;IAEO,iBAAiB,CAAC,GAAW;QACnC,MAAM,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,cAAc,CAAC;QACzC,IAAI,CAAC,gBAAgB,GAAG,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,MAAM,CAAC,CAAC;IAC1E,CAAC;CACF"}
|
|
@@ -0,0 +1,76 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* CredentialRestoreEnrollment — the teardown lever (spec §2.8, build-plan §7).
|
|
3
|
+
*
|
|
4
|
+
* `POST /credentials/restore-enrollment` moves every slot back to its enrollment layout (N
|
|
5
|
+
* ordinary §2.3 swaps back), then the operator darks the feature — at which point ledger ==
|
|
6
|
+
* enrollment and raw `configHome` reads are truthful again (the ordered-rollback the spec names).
|
|
7
|
+
*
|
|
8
|
+
* This module owns the ONE piece the plain swap executor does not: the per-slot DECISION of
|
|
9
|
+
* whether a slot's current blob may be EXCHANGED back into a healthy enrollment slot, or must be
|
|
10
|
+
* PARKED ONE-DIRECTIONALLY (moved out / the slot vacated for operator re-auth, NEVER exchanged in).
|
|
11
|
+
*
|
|
12
|
+
* ── Why a quarantine bypass that retains everything else (spec §0.g + §2.8) ──
|
|
13
|
+
* restore-enrollment is a TEARDOWN, not a balancing move, so it carries a QUARANTINE BYPASS — it
|
|
14
|
+
* must operate ON quarantined slots (the degraded state rollback exists for), or §2.3 step-1 would
|
|
15
|
+
* hard-block it exactly when it is needed. Per §0.g a bypass drops ONLY the named guard: it RETAINS
|
|
16
|
+
* 1. parse (an unparseable blob is parked, never exchanged)
|
|
17
|
+
* 2. refresh-token-present (a refresh-token-less blob is parked, never exchanged)
|
|
18
|
+
* 3. IDENTITY-COHERENCE (access-tenant == refresh-lineage; the §2.7 Frankenstein gap)
|
|
19
|
+
*
|
|
20
|
+
* ── The Frankenstein gap (spec §2.8 round-4) ──
|
|
21
|
+
* "Parses + has a refresh token" is NOT sufficient. A legacy `AccountSwitcher` slip can leave
|
|
22
|
+
* B's access token grafted onto A's PRESERVED refresh token: the blob parses, carries a refresh
|
|
23
|
+
* token, and the oracle (on B's still-valid access token) resolves it to B — yet on first refresh
|
|
24
|
+
* the client exchanges A's refresh token and silently resurrects A (a §0.d violation). So before
|
|
25
|
+
* any exchange, the blob's access-token identity (oracle) MUST equal its refresh-token lineage's
|
|
26
|
+
* expected account. A blob that fails coherence — Frankenstein, revoked-grant, access/refresh
|
|
27
|
+
* tenant mismatch — is parked ONE-DIRECTIONALLY exactly like an unparseable one, NEVER exchanged
|
|
28
|
+
* into a healthy slot (a teardown that exchanges garbage into a good slot, then post-commit-verify
|
|
29
|
+
* quarantines THAT slot, would spread corruption during the exact degraded state rollback is for).
|
|
30
|
+
*
|
|
31
|
+
* This module is the DECISION (coherence classification + the park plan). It performs NO keychain
|
|
32
|
+
* writes itself — the route drives the actual exchange through the §2.3 CredentialSwapExecutor and
|
|
33
|
+
* the actual park through the ledger quarantine + an attention item. Pure + injectable.
|
|
34
|
+
*/
|
|
35
|
+
import type { ClaudeOauth } from './OAuthRefresher.js';
|
|
36
|
+
/** The expected refresh-lineage tenant of a slot's blob, and the oracle's access-token identity. */
|
|
37
|
+
export interface CoherenceProbe {
|
|
38
|
+
/**
|
|
39
|
+
* The account the blob's ACCESS token resolves to via the identity oracle, or null when the
|
|
40
|
+
* oracle could not confirm it (timeout/401/5xx/etc — §2.11 unavailable, never a guess).
|
|
41
|
+
*/
|
|
42
|
+
accessTenant: string | null;
|
|
43
|
+
/**
|
|
44
|
+
* The account the blob's REFRESH-token lineage is EXPECTED to belong to. When the oracle is
|
|
45
|
+
* reachable this is derived from the recorded provenance; when it is down the spec's named cheap
|
|
46
|
+
* proxy applies: the ledger's expected tenant for the slot. null = no expectation available.
|
|
47
|
+
*/
|
|
48
|
+
refreshLineage: string | null;
|
|
49
|
+
}
|
|
50
|
+
export type CoherenceVerdict = {
|
|
51
|
+
coherent: true;
|
|
52
|
+
tenant: string;
|
|
53
|
+
} | {
|
|
54
|
+
coherent: false;
|
|
55
|
+
reason: string;
|
|
56
|
+
park: 'one-directional';
|
|
57
|
+
};
|
|
58
|
+
/** A parsed blob to classify (the raw is round-tripped by the caller; we only read fields). */
|
|
59
|
+
export interface RestoreBlob {
|
|
60
|
+
raw: string;
|
|
61
|
+
oauth: ClaudeOauth | null;
|
|
62
|
+
}
|
|
63
|
+
/**
|
|
64
|
+
* Classify a slot's current blob for restore-enrollment. Returns a COHERENT verdict (safe to
|
|
65
|
+
* EXCHANGE back to its enrollment slot) ONLY when ALL THREE retained preconditions hold:
|
|
66
|
+
* parse + refresh-token-present + identity-coherence (accessTenant === refreshLineage).
|
|
67
|
+
* Any failure → an INCOHERENT verdict with `park: 'one-directional'` and a named reason — the
|
|
68
|
+
* caller must vacate the slot for operator re-auth and NEVER exchange this blob into a healthy slot.
|
|
69
|
+
*
|
|
70
|
+
* The oracle-down cheap proxy is the caller's job: it supplies `refreshLineage` from the ledger's
|
|
71
|
+
* expected tenant for the slot, and `accessTenant` may be null (oracle unavailable). When BOTH are
|
|
72
|
+
* known and equal → coherent; when the oracle is down (accessTenant null) we CANNOT certify
|
|
73
|
+
* coherence → one-directional park (the safe direction: never exchange an unverifiable blob).
|
|
74
|
+
*/
|
|
75
|
+
export declare function classifyRestoreCoherence(blob: RestoreBlob, probe: CoherenceProbe): CoherenceVerdict;
|
|
76
|
+
//# sourceMappingURL=CredentialRestoreEnrollment.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"CredentialRestoreEnrollment.d.ts","sourceRoot":"","sources":["../../src/core/CredentialRestoreEnrollment.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAEvD,oGAAoG;AACpG,MAAM,WAAW,cAAc;IAC7B;;;OAGG;IACH,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B;;;;OAIG;IACH,cAAc,EAAE,MAAM,GAAG,IAAI,CAAC;CAC/B;AAED,MAAM,MAAM,gBAAgB,GACxB;IAAE,QAAQ,EAAE,IAAI,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GAClC;IAAE,QAAQ,EAAE,KAAK,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,iBAAiB,CAAA;CAAE,CAAC;AAEjE,+FAA+F;AAC/F,MAAM,WAAW,WAAW;IAC1B,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,WAAW,GAAG,IAAI,CAAC;CAC3B;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,wBAAwB,CAAC,IAAI,EAAE,WAAW,EAAE,KAAK,EAAE,cAAc,GAAG,gBAAgB,CA4BnG"}
|
|
@@ -0,0 +1,76 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* CredentialRestoreEnrollment — the teardown lever (spec §2.8, build-plan §7).
|
|
3
|
+
*
|
|
4
|
+
* `POST /credentials/restore-enrollment` moves every slot back to its enrollment layout (N
|
|
5
|
+
* ordinary §2.3 swaps back), then the operator darks the feature — at which point ledger ==
|
|
6
|
+
* enrollment and raw `configHome` reads are truthful again (the ordered-rollback the spec names).
|
|
7
|
+
*
|
|
8
|
+
* This module owns the ONE piece the plain swap executor does not: the per-slot DECISION of
|
|
9
|
+
* whether a slot's current blob may be EXCHANGED back into a healthy enrollment slot, or must be
|
|
10
|
+
* PARKED ONE-DIRECTIONALLY (moved out / the slot vacated for operator re-auth, NEVER exchanged in).
|
|
11
|
+
*
|
|
12
|
+
* ── Why a quarantine bypass that retains everything else (spec §0.g + §2.8) ──
|
|
13
|
+
* restore-enrollment is a TEARDOWN, not a balancing move, so it carries a QUARANTINE BYPASS — it
|
|
14
|
+
* must operate ON quarantined slots (the degraded state rollback exists for), or §2.3 step-1 would
|
|
15
|
+
* hard-block it exactly when it is needed. Per §0.g a bypass drops ONLY the named guard: it RETAINS
|
|
16
|
+
* 1. parse (an unparseable blob is parked, never exchanged)
|
|
17
|
+
* 2. refresh-token-present (a refresh-token-less blob is parked, never exchanged)
|
|
18
|
+
* 3. IDENTITY-COHERENCE (access-tenant == refresh-lineage; the §2.7 Frankenstein gap)
|
|
19
|
+
*
|
|
20
|
+
* ── The Frankenstein gap (spec §2.8 round-4) ──
|
|
21
|
+
* "Parses + has a refresh token" is NOT sufficient. A legacy `AccountSwitcher` slip can leave
|
|
22
|
+
* B's access token grafted onto A's PRESERVED refresh token: the blob parses, carries a refresh
|
|
23
|
+
* token, and the oracle (on B's still-valid access token) resolves it to B — yet on first refresh
|
|
24
|
+
* the client exchanges A's refresh token and silently resurrects A (a §0.d violation). So before
|
|
25
|
+
* any exchange, the blob's access-token identity (oracle) MUST equal its refresh-token lineage's
|
|
26
|
+
* expected account. A blob that fails coherence — Frankenstein, revoked-grant, access/refresh
|
|
27
|
+
* tenant mismatch — is parked ONE-DIRECTIONALLY exactly like an unparseable one, NEVER exchanged
|
|
28
|
+
* into a healthy slot (a teardown that exchanges garbage into a good slot, then post-commit-verify
|
|
29
|
+
* quarantines THAT slot, would spread corruption during the exact degraded state rollback is for).
|
|
30
|
+
*
|
|
31
|
+
* This module is the DECISION (coherence classification + the park plan). It performs NO keychain
|
|
32
|
+
* writes itself — the route drives the actual exchange through the §2.3 CredentialSwapExecutor and
|
|
33
|
+
* the actual park through the ledger quarantine + an attention item. Pure + injectable.
|
|
34
|
+
*/
|
|
35
|
+
/**
|
|
36
|
+
* Classify a slot's current blob for restore-enrollment. Returns a COHERENT verdict (safe to
|
|
37
|
+
* EXCHANGE back to its enrollment slot) ONLY when ALL THREE retained preconditions hold:
|
|
38
|
+
* parse + refresh-token-present + identity-coherence (accessTenant === refreshLineage).
|
|
39
|
+
* Any failure → an INCOHERENT verdict with `park: 'one-directional'` and a named reason — the
|
|
40
|
+
* caller must vacate the slot for operator re-auth and NEVER exchange this blob into a healthy slot.
|
|
41
|
+
*
|
|
42
|
+
* The oracle-down cheap proxy is the caller's job: it supplies `refreshLineage` from the ledger's
|
|
43
|
+
* expected tenant for the slot, and `accessTenant` may be null (oracle unavailable). When BOTH are
|
|
44
|
+
* known and equal → coherent; when the oracle is down (accessTenant null) we CANNOT certify
|
|
45
|
+
* coherence → one-directional park (the safe direction: never exchange an unverifiable blob).
|
|
46
|
+
*/
|
|
47
|
+
export function classifyRestoreCoherence(blob, probe) {
|
|
48
|
+
// 1. Parse — an unparseable/absent oauth is parked one-directionally.
|
|
49
|
+
if (!blob.oauth || typeof blob.oauth !== 'object') {
|
|
50
|
+
return { coherent: false, reason: 'blob is unparseable or has no claudeAiOauth — parked for re-auth', park: 'one-directional' };
|
|
51
|
+
}
|
|
52
|
+
// 2. Refresh-token-present — a refresh-token-less blob cannot be a healthy lineage.
|
|
53
|
+
if (typeof blob.oauth.refreshToken !== 'string' || !blob.oauth.refreshToken) {
|
|
54
|
+
return { coherent: false, reason: 'blob carries no refresh token — parked for re-auth', park: 'one-directional' };
|
|
55
|
+
}
|
|
56
|
+
// 3. Identity-coherence — access-tenant MUST equal refresh-lineage (the Frankenstein gap).
|
|
57
|
+
if (!probe.accessTenant) {
|
|
58
|
+
// Oracle could not confirm the access-token identity → CANNOT certify coherence. Park (safe
|
|
59
|
+
// direction): never exchange a blob we cannot identity-verify back into a healthy slot.
|
|
60
|
+
return { coherent: false, reason: 'access-token identity unavailable (oracle down) — cannot certify coherence, parked', park: 'one-directional' };
|
|
61
|
+
}
|
|
62
|
+
if (!probe.refreshLineage) {
|
|
63
|
+
return { coherent: false, reason: 'no expected refresh-lineage for slot — cannot certify coherence, parked', park: 'one-directional' };
|
|
64
|
+
}
|
|
65
|
+
if (probe.accessTenant !== probe.refreshLineage) {
|
|
66
|
+
// The §2.7 Frankenstein blob: access resolves to one account, refresh lineage belongs to
|
|
67
|
+
// another. Exchanging it would resurrect the refresh-lineage account on first refresh.
|
|
68
|
+
return {
|
|
69
|
+
coherent: false,
|
|
70
|
+
reason: `identity-incoherent: access-tenant != refresh-lineage — parked one-directionally, never exchanged into a healthy slot`,
|
|
71
|
+
park: 'one-directional',
|
|
72
|
+
};
|
|
73
|
+
}
|
|
74
|
+
return { coherent: true, tenant: probe.accessTenant };
|
|
75
|
+
}
|
|
76
|
+
//# sourceMappingURL=CredentialRestoreEnrollment.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"CredentialRestoreEnrollment.js","sourceRoot":"","sources":["../../src/core/CredentialRestoreEnrollment.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG;AA6BH;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,wBAAwB,CAAC,IAAiB,EAAE,KAAqB;IAC/E,sEAAsE;IACtE,IAAI,CAAC,IAAI,CAAC,KAAK,IAAI,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;QAClD,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,kEAAkE,EAAE,IAAI,EAAE,iBAAiB,EAAE,CAAC;IAClI,CAAC;IACD,oFAAoF;IACpF,IAAI,OAAO,IAAI,CAAC,KAAK,CAAC,YAAY,KAAK,QAAQ,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,YAAY,EAAE,CAAC;QAC5E,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,oDAAoD,EAAE,IAAI,EAAE,iBAAiB,EAAE,CAAC;IACpH,CAAC;IACD,2FAA2F;IAC3F,IAAI,CAAC,KAAK,CAAC,YAAY,EAAE,CAAC;QACxB,4FAA4F;QAC5F,wFAAwF;QACxF,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,oFAAoF,EAAE,IAAI,EAAE,iBAAiB,EAAE,CAAC;IACpJ,CAAC;IACD,IAAI,CAAC,KAAK,CAAC,cAAc,EAAE,CAAC;QAC1B,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,yEAAyE,EAAE,IAAI,EAAE,iBAAiB,EAAE,CAAC;IACzI,CAAC;IACD,IAAI,KAAK,CAAC,YAAY,KAAK,KAAK,CAAC,cAAc,EAAE,CAAC;QAChD,yFAAyF;QACzF,uFAAuF;QACvF,OAAO;YACL,QAAQ,EAAE,KAAK;YACf,MAAM,EAAE,uHAAuH;YAC/H,IAAI,EAAE,iBAAiB;SACxB,CAAC;IACJ,CAAC;IACD,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,CAAC,YAAY,EAAE,CAAC;AACxD,CAAC"}
|
package/dist/core/types.d.ts
CHANGED
|
@@ -2740,6 +2740,13 @@ export interface InstarConfig {
|
|
|
2740
2740
|
* restore-enrollment) refuse with a named reason. Default true (the levers
|
|
2741
2741
|
* are still gated by `enabled`/`dryRun` above). */
|
|
2742
2742
|
manualLeversEnabled?: boolean;
|
|
2743
|
+
/** §0.g force budget: max FORCED (`force:true`) manual swaps per rolling
|
|
2744
|
+
* window. The `force:true` bypass of the per-pair cooldown carries its OWN
|
|
2745
|
+
* bounded budget so it is not the one uncapped bypass left in the spec.
|
|
2746
|
+
* Default 10 (generous under single-operator autonomy). */
|
|
2747
|
+
maxForcedManualSwapsPerWindow?: number;
|
|
2748
|
+
/** §0.g force-budget rolling window length ms. Default 3600000 (1h). */
|
|
2749
|
+
forcedManualSwapWindowMs?: number;
|
|
2743
2750
|
/** Balancer knobs (Increment B); all clamped at read-time. Present here so
|
|
2744
2751
|
* the config shape is stable from Increment A. */
|
|
2745
2752
|
balancer?: {
|