instar 1.3.538 → 1.3.539
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/commands/server.d.ts.map +1 -1
- package/dist/commands/server.js +74 -1
- package/dist/commands/server.js.map +1 -1
- package/dist/core/CredentialAuditEmit.d.ts +82 -0
- package/dist/core/CredentialAuditEmit.d.ts.map +1 -0
- package/dist/core/CredentialAuditEmit.js +132 -0
- package/dist/core/CredentialAuditEmit.js.map +1 -0
- package/dist/core/CredentialManualLevers.d.ts +57 -0
- package/dist/core/CredentialManualLevers.d.ts.map +1 -0
- package/dist/core/CredentialManualLevers.js +0 -0
- package/dist/core/CredentialManualLevers.js.map +1 -0
- package/dist/core/CredentialRestoreEnrollment.d.ts +76 -0
- package/dist/core/CredentialRestoreEnrollment.d.ts.map +1 -0
- package/dist/core/CredentialRestoreEnrollment.js +76 -0
- package/dist/core/CredentialRestoreEnrollment.js.map +1 -0
- package/dist/core/types.d.ts +7 -0
- package/dist/core/types.d.ts.map +1 -1
- package/dist/core/types.js.map +1 -1
- package/dist/server/AgentServer.d.ts +1 -0
- package/dist/server/AgentServer.d.ts.map +1 -1
- package/dist/server/AgentServer.js +1 -0
- package/dist/server/AgentServer.js.map +1 -1
- package/dist/server/CapabilityIndex.d.ts.map +1 -1
- package/dist/server/CapabilityIndex.js +16 -0
- package/dist/server/CapabilityIndex.js.map +1 -1
- package/dist/server/routes.d.ts +20 -0
- package/dist/server/routes.d.ts.map +1 -1
- package/dist/server/routes.js +213 -0
- package/dist/server/routes.js.map +1 -1
- package/package.json +1 -1
- package/src/data/builtin-manifest.json +47 -47
- package/upgrades/1.3.539.md +29 -0
- package/upgrades/side-effects/ws52-step7-routes-audit.md +39 -0
package/package.json
CHANGED
|
@@ -1,8 +1,8 @@
|
|
|
1
1
|
{
|
|
2
2
|
"$schema": "./builtin-manifest.schema.json",
|
|
3
3
|
"schemaVersion": 1,
|
|
4
|
-
"generatedAt": "2026-06-13T20:
|
|
5
|
-
"instarVersion": "1.3.
|
|
4
|
+
"generatedAt": "2026-06-13T20:40:05.218Z",
|
|
5
|
+
"instarVersion": "1.3.539",
|
|
6
6
|
"entryCount": 201,
|
|
7
7
|
"entries": {
|
|
8
8
|
"hook:session-start": {
|
|
@@ -418,7 +418,7 @@
|
|
|
418
418
|
"type": "route-group",
|
|
419
419
|
"domain": "monitoring",
|
|
420
420
|
"sourcePath": "src/server/routes.ts",
|
|
421
|
-
"contentHash": "
|
|
421
|
+
"contentHash": "664e8fc82415ef692376c937deb21d4fc9a848f2ae581702993246e8e6e3406e",
|
|
422
422
|
"since": "2025-01-01"
|
|
423
423
|
},
|
|
424
424
|
"route-group:agents": {
|
|
@@ -426,7 +426,7 @@
|
|
|
426
426
|
"type": "route-group",
|
|
427
427
|
"domain": "sessions",
|
|
428
428
|
"sourcePath": "src/server/routes.ts",
|
|
429
|
-
"contentHash": "
|
|
429
|
+
"contentHash": "664e8fc82415ef692376c937deb21d4fc9a848f2ae581702993246e8e6e3406e",
|
|
430
430
|
"since": "2025-01-01"
|
|
431
431
|
},
|
|
432
432
|
"route-group:backups": {
|
|
@@ -434,7 +434,7 @@
|
|
|
434
434
|
"type": "route-group",
|
|
435
435
|
"domain": "operations",
|
|
436
436
|
"sourcePath": "src/server/routes.ts",
|
|
437
|
-
"contentHash": "
|
|
437
|
+
"contentHash": "664e8fc82415ef692376c937deb21d4fc9a848f2ae581702993246e8e6e3406e",
|
|
438
438
|
"since": "2025-01-01"
|
|
439
439
|
},
|
|
440
440
|
"route-group:git": {
|
|
@@ -442,7 +442,7 @@
|
|
|
442
442
|
"type": "route-group",
|
|
443
443
|
"domain": "coordination",
|
|
444
444
|
"sourcePath": "src/server/routes.ts",
|
|
445
|
-
"contentHash": "
|
|
445
|
+
"contentHash": "664e8fc82415ef692376c937deb21d4fc9a848f2ae581702993246e8e6e3406e",
|
|
446
446
|
"since": "2025-01-01"
|
|
447
447
|
},
|
|
448
448
|
"route-group:memory": {
|
|
@@ -450,7 +450,7 @@
|
|
|
450
450
|
"type": "route-group",
|
|
451
451
|
"domain": "memory",
|
|
452
452
|
"sourcePath": "src/server/routes.ts",
|
|
453
|
-
"contentHash": "
|
|
453
|
+
"contentHash": "664e8fc82415ef692376c937deb21d4fc9a848f2ae581702993246e8e6e3406e",
|
|
454
454
|
"since": "2025-01-01"
|
|
455
455
|
},
|
|
456
456
|
"route-group:semantic": {
|
|
@@ -458,7 +458,7 @@
|
|
|
458
458
|
"type": "route-group",
|
|
459
459
|
"domain": "memory",
|
|
460
460
|
"sourcePath": "src/server/routes.ts",
|
|
461
|
-
"contentHash": "
|
|
461
|
+
"contentHash": "664e8fc82415ef692376c937deb21d4fc9a848f2ae581702993246e8e6e3406e",
|
|
462
462
|
"since": "2025-01-01"
|
|
463
463
|
},
|
|
464
464
|
"route-group:status": {
|
|
@@ -466,7 +466,7 @@
|
|
|
466
466
|
"type": "route-group",
|
|
467
467
|
"domain": "monitoring",
|
|
468
468
|
"sourcePath": "src/server/routes.ts",
|
|
469
|
-
"contentHash": "
|
|
469
|
+
"contentHash": "664e8fc82415ef692376c937deb21d4fc9a848f2ae581702993246e8e6e3406e",
|
|
470
470
|
"since": "2025-01-01"
|
|
471
471
|
},
|
|
472
472
|
"route-group:capabilities": {
|
|
@@ -474,7 +474,7 @@
|
|
|
474
474
|
"type": "route-group",
|
|
475
475
|
"domain": "mapping",
|
|
476
476
|
"sourcePath": "src/server/routes.ts",
|
|
477
|
-
"contentHash": "
|
|
477
|
+
"contentHash": "664e8fc82415ef692376c937deb21d4fc9a848f2ae581702993246e8e6e3406e",
|
|
478
478
|
"since": "2025-01-01"
|
|
479
479
|
},
|
|
480
480
|
"route-group:project-map": {
|
|
@@ -482,7 +482,7 @@
|
|
|
482
482
|
"type": "route-group",
|
|
483
483
|
"domain": "mapping",
|
|
484
484
|
"sourcePath": "src/server/routes.ts",
|
|
485
|
-
"contentHash": "
|
|
485
|
+
"contentHash": "664e8fc82415ef692376c937deb21d4fc9a848f2ae581702993246e8e6e3406e",
|
|
486
486
|
"since": "2025-01-01"
|
|
487
487
|
},
|
|
488
488
|
"route-group:coherence": {
|
|
@@ -490,7 +490,7 @@
|
|
|
490
490
|
"type": "route-group",
|
|
491
491
|
"domain": "coherence",
|
|
492
492
|
"sourcePath": "src/server/routes.ts",
|
|
493
|
-
"contentHash": "
|
|
493
|
+
"contentHash": "664e8fc82415ef692376c937deb21d4fc9a848f2ae581702993246e8e6e3406e",
|
|
494
494
|
"since": "2025-01-01"
|
|
495
495
|
},
|
|
496
496
|
"route-group:topic-bindings": {
|
|
@@ -498,7 +498,7 @@
|
|
|
498
498
|
"type": "route-group",
|
|
499
499
|
"domain": "sessions",
|
|
500
500
|
"sourcePath": "src/server/routes.ts",
|
|
501
|
-
"contentHash": "
|
|
501
|
+
"contentHash": "664e8fc82415ef692376c937deb21d4fc9a848f2ae581702993246e8e6e3406e",
|
|
502
502
|
"since": "2025-01-01"
|
|
503
503
|
},
|
|
504
504
|
"route-group:context": {
|
|
@@ -506,7 +506,7 @@
|
|
|
506
506
|
"type": "route-group",
|
|
507
507
|
"domain": "context",
|
|
508
508
|
"sourcePath": "src/server/routes.ts",
|
|
509
|
-
"contentHash": "
|
|
509
|
+
"contentHash": "664e8fc82415ef692376c937deb21d4fc9a848f2ae581702993246e8e6e3406e",
|
|
510
510
|
"since": "2025-01-01"
|
|
511
511
|
},
|
|
512
512
|
"route-group:scope-coherence": {
|
|
@@ -514,7 +514,7 @@
|
|
|
514
514
|
"type": "route-group",
|
|
515
515
|
"domain": "coherence",
|
|
516
516
|
"sourcePath": "src/server/routes.ts",
|
|
517
|
-
"contentHash": "
|
|
517
|
+
"contentHash": "664e8fc82415ef692376c937deb21d4fc9a848f2ae581702993246e8e6e3406e",
|
|
518
518
|
"since": "2025-01-01"
|
|
519
519
|
},
|
|
520
520
|
"route-group:canonical-state": {
|
|
@@ -522,7 +522,7 @@
|
|
|
522
522
|
"type": "route-group",
|
|
523
523
|
"domain": "state",
|
|
524
524
|
"sourcePath": "src/server/routes.ts",
|
|
525
|
-
"contentHash": "
|
|
525
|
+
"contentHash": "664e8fc82415ef692376c937deb21d4fc9a848f2ae581702993246e8e6e3406e",
|
|
526
526
|
"since": "2025-01-01"
|
|
527
527
|
},
|
|
528
528
|
"route-group:ci": {
|
|
@@ -530,7 +530,7 @@
|
|
|
530
530
|
"type": "route-group",
|
|
531
531
|
"domain": "monitoring",
|
|
532
532
|
"sourcePath": "src/server/routes.ts",
|
|
533
|
-
"contentHash": "
|
|
533
|
+
"contentHash": "664e8fc82415ef692376c937deb21d4fc9a848f2ae581702993246e8e6e3406e",
|
|
534
534
|
"since": "2025-01-01"
|
|
535
535
|
},
|
|
536
536
|
"route-group:sessions": {
|
|
@@ -538,7 +538,7 @@
|
|
|
538
538
|
"type": "route-group",
|
|
539
539
|
"domain": "sessions",
|
|
540
540
|
"sourcePath": "src/server/routes.ts",
|
|
541
|
-
"contentHash": "
|
|
541
|
+
"contentHash": "664e8fc82415ef692376c937deb21d4fc9a848f2ae581702993246e8e6e3406e",
|
|
542
542
|
"since": "2025-01-01"
|
|
543
543
|
},
|
|
544
544
|
"route-group:jobs": {
|
|
@@ -546,7 +546,7 @@
|
|
|
546
546
|
"type": "route-group",
|
|
547
547
|
"domain": "scheduling",
|
|
548
548
|
"sourcePath": "src/server/routes.ts",
|
|
549
|
-
"contentHash": "
|
|
549
|
+
"contentHash": "664e8fc82415ef692376c937deb21d4fc9a848f2ae581702993246e8e6e3406e",
|
|
550
550
|
"since": "2025-01-01"
|
|
551
551
|
},
|
|
552
552
|
"route-group:skip-ledger": {
|
|
@@ -554,7 +554,7 @@
|
|
|
554
554
|
"type": "route-group",
|
|
555
555
|
"domain": "scheduling",
|
|
556
556
|
"sourcePath": "src/server/routes.ts",
|
|
557
|
-
"contentHash": "
|
|
557
|
+
"contentHash": "664e8fc82415ef692376c937deb21d4fc9a848f2ae581702993246e8e6e3406e",
|
|
558
558
|
"since": "2025-01-01"
|
|
559
559
|
},
|
|
560
560
|
"route-group:telegram": {
|
|
@@ -562,7 +562,7 @@
|
|
|
562
562
|
"type": "route-group",
|
|
563
563
|
"domain": "communication",
|
|
564
564
|
"sourcePath": "src/server/routes.ts",
|
|
565
|
-
"contentHash": "
|
|
565
|
+
"contentHash": "664e8fc82415ef692376c937deb21d4fc9a848f2ae581702993246e8e6e3406e",
|
|
566
566
|
"since": "2025-01-01"
|
|
567
567
|
},
|
|
568
568
|
"route-group:attention": {
|
|
@@ -570,7 +570,7 @@
|
|
|
570
570
|
"type": "route-group",
|
|
571
571
|
"domain": "communication",
|
|
572
572
|
"sourcePath": "src/server/routes.ts",
|
|
573
|
-
"contentHash": "
|
|
573
|
+
"contentHash": "664e8fc82415ef692376c937deb21d4fc9a848f2ae581702993246e8e6e3406e",
|
|
574
574
|
"since": "2025-01-01"
|
|
575
575
|
},
|
|
576
576
|
"route-group:relationships": {
|
|
@@ -578,7 +578,7 @@
|
|
|
578
578
|
"type": "route-group",
|
|
579
579
|
"domain": "relationships",
|
|
580
580
|
"sourcePath": "src/server/routes.ts",
|
|
581
|
-
"contentHash": "
|
|
581
|
+
"contentHash": "664e8fc82415ef692376c937deb21d4fc9a848f2ae581702993246e8e6e3406e",
|
|
582
582
|
"since": "2025-01-01"
|
|
583
583
|
},
|
|
584
584
|
"route-group:feedback": {
|
|
@@ -586,7 +586,7 @@
|
|
|
586
586
|
"type": "route-group",
|
|
587
587
|
"domain": "feedback",
|
|
588
588
|
"sourcePath": "src/server/routes.ts",
|
|
589
|
-
"contentHash": "
|
|
589
|
+
"contentHash": "664e8fc82415ef692376c937deb21d4fc9a848f2ae581702993246e8e6e3406e",
|
|
590
590
|
"since": "2025-01-01"
|
|
591
591
|
},
|
|
592
592
|
"route-group:updates": {
|
|
@@ -594,7 +594,7 @@
|
|
|
594
594
|
"type": "route-group",
|
|
595
595
|
"domain": "updates",
|
|
596
596
|
"sourcePath": "src/server/routes.ts",
|
|
597
|
-
"contentHash": "
|
|
597
|
+
"contentHash": "664e8fc82415ef692376c937deb21d4fc9a848f2ae581702993246e8e6e3406e",
|
|
598
598
|
"since": "2025-01-01"
|
|
599
599
|
},
|
|
600
600
|
"route-group:dispatches": {
|
|
@@ -602,7 +602,7 @@
|
|
|
602
602
|
"type": "route-group",
|
|
603
603
|
"domain": "dispatches",
|
|
604
604
|
"sourcePath": "src/server/routes.ts",
|
|
605
|
-
"contentHash": "
|
|
605
|
+
"contentHash": "664e8fc82415ef692376c937deb21d4fc9a848f2ae581702993246e8e6e3406e",
|
|
606
606
|
"since": "2025-01-01"
|
|
607
607
|
},
|
|
608
608
|
"route-group:quota": {
|
|
@@ -610,7 +610,7 @@
|
|
|
610
610
|
"type": "route-group",
|
|
611
611
|
"domain": "monitoring",
|
|
612
612
|
"sourcePath": "src/server/routes.ts",
|
|
613
|
-
"contentHash": "
|
|
613
|
+
"contentHash": "664e8fc82415ef692376c937deb21d4fc9a848f2ae581702993246e8e6e3406e",
|
|
614
614
|
"since": "2025-01-01"
|
|
615
615
|
},
|
|
616
616
|
"route-group:publishing": {
|
|
@@ -618,7 +618,7 @@
|
|
|
618
618
|
"type": "route-group",
|
|
619
619
|
"domain": "publishing",
|
|
620
620
|
"sourcePath": "src/server/routes.ts",
|
|
621
|
-
"contentHash": "
|
|
621
|
+
"contentHash": "664e8fc82415ef692376c937deb21d4fc9a848f2ae581702993246e8e6e3406e",
|
|
622
622
|
"since": "2025-01-01"
|
|
623
623
|
},
|
|
624
624
|
"route-group:private-views": {
|
|
@@ -626,7 +626,7 @@
|
|
|
626
626
|
"type": "route-group",
|
|
627
627
|
"domain": "publishing",
|
|
628
628
|
"sourcePath": "src/server/routes.ts",
|
|
629
|
-
"contentHash": "
|
|
629
|
+
"contentHash": "664e8fc82415ef692376c937deb21d4fc9a848f2ae581702993246e8e6e3406e",
|
|
630
630
|
"since": "2025-01-01"
|
|
631
631
|
},
|
|
632
632
|
"route-group:tunnel": {
|
|
@@ -634,7 +634,7 @@
|
|
|
634
634
|
"type": "route-group",
|
|
635
635
|
"domain": "networking",
|
|
636
636
|
"sourcePath": "src/server/routes.ts",
|
|
637
|
-
"contentHash": "
|
|
637
|
+
"contentHash": "664e8fc82415ef692376c937deb21d4fc9a848f2ae581702993246e8e6e3406e",
|
|
638
638
|
"since": "2025-01-01"
|
|
639
639
|
},
|
|
640
640
|
"route-group:events": {
|
|
@@ -642,7 +642,7 @@
|
|
|
642
642
|
"type": "route-group",
|
|
643
643
|
"domain": "networking",
|
|
644
644
|
"sourcePath": "src/server/routes.ts",
|
|
645
|
-
"contentHash": "
|
|
645
|
+
"contentHash": "664e8fc82415ef692376c937deb21d4fc9a848f2ae581702993246e8e6e3406e",
|
|
646
646
|
"since": "2025-01-01"
|
|
647
647
|
},
|
|
648
648
|
"route-group:evolution": {
|
|
@@ -650,7 +650,7 @@
|
|
|
650
650
|
"type": "route-group",
|
|
651
651
|
"domain": "evolution",
|
|
652
652
|
"sourcePath": "src/server/routes.ts",
|
|
653
|
-
"contentHash": "
|
|
653
|
+
"contentHash": "664e8fc82415ef692376c937deb21d4fc9a848f2ae581702993246e8e6e3406e",
|
|
654
654
|
"since": "2025-01-01"
|
|
655
655
|
},
|
|
656
656
|
"route-group:watchdog": {
|
|
@@ -658,7 +658,7 @@
|
|
|
658
658
|
"type": "route-group",
|
|
659
659
|
"domain": "monitoring",
|
|
660
660
|
"sourcePath": "src/server/routes.ts",
|
|
661
|
-
"contentHash": "
|
|
661
|
+
"contentHash": "664e8fc82415ef692376c937deb21d4fc9a848f2ae581702993246e8e6e3406e",
|
|
662
662
|
"since": "2025-01-01"
|
|
663
663
|
},
|
|
664
664
|
"route-group:topic-memory": {
|
|
@@ -666,7 +666,7 @@
|
|
|
666
666
|
"type": "route-group",
|
|
667
667
|
"domain": "memory",
|
|
668
668
|
"sourcePath": "src/server/routes.ts",
|
|
669
|
-
"contentHash": "
|
|
669
|
+
"contentHash": "664e8fc82415ef692376c937deb21d4fc9a848f2ae581702993246e8e6e3406e",
|
|
670
670
|
"since": "2025-01-01"
|
|
671
671
|
},
|
|
672
672
|
"route-group:state-sync": {
|
|
@@ -674,7 +674,7 @@
|
|
|
674
674
|
"type": "route-group",
|
|
675
675
|
"domain": "coordination",
|
|
676
676
|
"sourcePath": "src/server/routes.ts",
|
|
677
|
-
"contentHash": "
|
|
677
|
+
"contentHash": "664e8fc82415ef692376c937deb21d4fc9a848f2ae581702993246e8e6e3406e",
|
|
678
678
|
"since": "2025-01-01"
|
|
679
679
|
},
|
|
680
680
|
"route-group:intent": {
|
|
@@ -682,7 +682,7 @@
|
|
|
682
682
|
"type": "route-group",
|
|
683
683
|
"domain": "intent",
|
|
684
684
|
"sourcePath": "src/server/routes.ts",
|
|
685
|
-
"contentHash": "
|
|
685
|
+
"contentHash": "664e8fc82415ef692376c937deb21d4fc9a848f2ae581702993246e8e6e3406e",
|
|
686
686
|
"since": "2025-01-01"
|
|
687
687
|
},
|
|
688
688
|
"route-group:triage": {
|
|
@@ -690,7 +690,7 @@
|
|
|
690
690
|
"type": "route-group",
|
|
691
691
|
"domain": "safety",
|
|
692
692
|
"sourcePath": "src/server/routes.ts",
|
|
693
|
-
"contentHash": "
|
|
693
|
+
"contentHash": "664e8fc82415ef692376c937deb21d4fc9a848f2ae581702993246e8e6e3406e",
|
|
694
694
|
"since": "2025-01-01"
|
|
695
695
|
},
|
|
696
696
|
"route-group:operations": {
|
|
@@ -698,7 +698,7 @@
|
|
|
698
698
|
"type": "route-group",
|
|
699
699
|
"domain": "safety",
|
|
700
700
|
"sourcePath": "src/server/routes.ts",
|
|
701
|
-
"contentHash": "
|
|
701
|
+
"contentHash": "664e8fc82415ef692376c937deb21d4fc9a848f2ae581702993246e8e6e3406e",
|
|
702
702
|
"since": "2025-01-01"
|
|
703
703
|
},
|
|
704
704
|
"route-group:sentinel": {
|
|
@@ -706,7 +706,7 @@
|
|
|
706
706
|
"type": "route-group",
|
|
707
707
|
"domain": "safety",
|
|
708
708
|
"sourcePath": "src/server/routes.ts",
|
|
709
|
-
"contentHash": "
|
|
709
|
+
"contentHash": "664e8fc82415ef692376c937deb21d4fc9a848f2ae581702993246e8e6e3406e",
|
|
710
710
|
"since": "2025-01-01"
|
|
711
711
|
},
|
|
712
712
|
"route-group:trust": {
|
|
@@ -714,7 +714,7 @@
|
|
|
714
714
|
"type": "route-group",
|
|
715
715
|
"domain": "safety",
|
|
716
716
|
"sourcePath": "src/server/routes.ts",
|
|
717
|
-
"contentHash": "
|
|
717
|
+
"contentHash": "664e8fc82415ef692376c937deb21d4fc9a848f2ae581702993246e8e6e3406e",
|
|
718
718
|
"since": "2025-01-01"
|
|
719
719
|
},
|
|
720
720
|
"route-group:monitoring": {
|
|
@@ -722,7 +722,7 @@
|
|
|
722
722
|
"type": "route-group",
|
|
723
723
|
"domain": "monitoring",
|
|
724
724
|
"sourcePath": "src/server/routes.ts",
|
|
725
|
-
"contentHash": "
|
|
725
|
+
"contentHash": "664e8fc82415ef692376c937deb21d4fc9a848f2ae581702993246e8e6e3406e",
|
|
726
726
|
"since": "2025-01-01"
|
|
727
727
|
},
|
|
728
728
|
"route-group:commitments": {
|
|
@@ -730,7 +730,7 @@
|
|
|
730
730
|
"type": "route-group",
|
|
731
731
|
"domain": "commitments",
|
|
732
732
|
"sourcePath": "src/server/routes.ts",
|
|
733
|
-
"contentHash": "
|
|
733
|
+
"contentHash": "664e8fc82415ef692376c937deb21d4fc9a848f2ae581702993246e8e6e3406e",
|
|
734
734
|
"since": "2025-01-01"
|
|
735
735
|
},
|
|
736
736
|
"route-group:episodes": {
|
|
@@ -738,7 +738,7 @@
|
|
|
738
738
|
"type": "route-group",
|
|
739
739
|
"domain": "memory",
|
|
740
740
|
"sourcePath": "src/server/routes.ts",
|
|
741
|
-
"contentHash": "
|
|
741
|
+
"contentHash": "664e8fc82415ef692376c937deb21d4fc9a848f2ae581702993246e8e6e3406e",
|
|
742
742
|
"since": "2025-01-01"
|
|
743
743
|
},
|
|
744
744
|
"route-group:messages": {
|
|
@@ -746,7 +746,7 @@
|
|
|
746
746
|
"type": "route-group",
|
|
747
747
|
"domain": "coordination",
|
|
748
748
|
"sourcePath": "src/server/routes.ts",
|
|
749
|
-
"contentHash": "
|
|
749
|
+
"contentHash": "664e8fc82415ef692376c937deb21d4fc9a848f2ae581702993246e8e6e3406e",
|
|
750
750
|
"since": "2025-01-01"
|
|
751
751
|
},
|
|
752
752
|
"route-group:system-reviews": {
|
|
@@ -754,7 +754,7 @@
|
|
|
754
754
|
"type": "route-group",
|
|
755
755
|
"domain": "monitoring",
|
|
756
756
|
"sourcePath": "src/server/routes.ts",
|
|
757
|
-
"contentHash": "
|
|
757
|
+
"contentHash": "664e8fc82415ef692376c937deb21d4fc9a848f2ae581702993246e8e6e3406e",
|
|
758
758
|
"since": "2025-01-01"
|
|
759
759
|
},
|
|
760
760
|
"route-group:machine-mesh": {
|
|
@@ -770,7 +770,7 @@
|
|
|
770
770
|
"type": "route-group",
|
|
771
771
|
"domain": "security",
|
|
772
772
|
"sourcePath": "src/server/routes.ts",
|
|
773
|
-
"contentHash": "
|
|
773
|
+
"contentHash": "664e8fc82415ef692376c937deb21d4fc9a848f2ae581702993246e8e6e3406e",
|
|
774
774
|
"since": "2025-01-01"
|
|
775
775
|
},
|
|
776
776
|
"cli:init": {
|
|
@@ -1522,7 +1522,7 @@
|
|
|
1522
1522
|
"type": "subsystem",
|
|
1523
1523
|
"domain": "server",
|
|
1524
1524
|
"sourcePath": "src/server/AgentServer.ts",
|
|
1525
|
-
"contentHash": "
|
|
1525
|
+
"contentHash": "9b9dc8bf6dc2a28591c8559e286f9a7799fbf5c253e094935a7b6f7d5edb7975",
|
|
1526
1526
|
"since": "2025-01-01"
|
|
1527
1527
|
},
|
|
1528
1528
|
"subsystem:session-manager": {
|
|
@@ -0,0 +1,29 @@
|
|
|
1
|
+
# Upgrade Guide — vNEXT
|
|
2
|
+
|
|
3
|
+
<!-- assembled-by: assemble-next-md -->
|
|
4
|
+
<!-- bump: patch -->
|
|
5
|
+
|
|
6
|
+
## What Changed
|
|
7
|
+
|
|
8
|
+
Makes the staged credential-swap executor (Step 5) reachable as live operator levers, and adds the single place every credential-feature surface passes through so a token can never leak into a log, an HTTP response, or a notification.
|
|
9
|
+
|
|
10
|
+
- **The secret-scrub chokepoint** — a new `CredentialAuditEmit` (src/core/CredentialAuditEmit.ts) with one `scrub(record)` funnel. Every credential-swaps.jsonl audit write, every /credentials/* response body, and every attention-item routes through it; it deep-walks the record and redacts any token-shaped run (reusing the existing `redactToken`). The no-token-material invariant is structural, not "remember to scrub at each callsite".
|
|
11
|
+
- **Manual levers (Bearer-authed, detective controls)** — `POST /credentials/swap` constructs and runs the live staged exchange (the Step-5 residual "nothing constructs the executor live yet" closes here); `POST /credentials/set-default` flips which account ~/.claude serves (the zero-touch default flip); `POST /credentials/restore-enrollment` tears down to the enrollment layout. Each lever param-validates against known ledger slots (400 otherwise), respects a per-pair cooldown (force:true overrides it, bounded by its own per-window budget), emits an operator notification + audit on every invocation.
|
|
12
|
+
- **restore-enrollment never poisons a healthy slot** — `CredentialRestoreEnrollment.classifyRestoreCoherence` (src/core/CredentialRestoreEnrollment.ts) checks identity-coherence (the blob's access-token account must equal its refresh-token lineage). An incoherent blob — a "Frankenstein" graft of one account's access token onto another's refresh token, an unparseable blob, a refresh-token-less blob, or one the oracle can't confirm — is parked one-directionally (the slot is vacated for re-auth) and is NEVER exchanged into a healthy slot.
|
|
13
|
+
- **Read surfaces** — `GET /credentials/locations` is the ledger census read (slot to account, since, lastVerifiedAt, quarantine, journal tail, mode); `GET /credentials/rebalancer` is the autonomous-balancer surface and returns 503 in Increment A (the balancer is Increment B).
|
|
14
|
+
- **Dark** — gated by the existing `subscriptionPool.credentialRepointing` flag (enabled:false). With the feature off (the fleet + dev default) every lever returns 503/no-op and the executor is a strict no-op — byte-for-byte today's behavior.
|
|
15
|
+
|
|
16
|
+
## What to Tell Your User
|
|
17
|
+
|
|
18
|
+
This is internal plumbing that ships turned off, so nothing changes for you day to day. What it builds toward: when I hold more than one of your subscription accounts, I will be able to move a credential between them under the hood without restarting your sessions, flip which account your plain terminal lands on, or tear the whole arrangement back down to the original layout — all as deliberate, audited actions. The most important part is a safety guarantee: there is now one place every one of those actions passes through that strips out any secret before it could reach a log, a status page, or a notification, so a token can never leak out that way. And the teardown is hardened so a corrupted or mismatched credential is set aside for you to re-authenticate rather than being shuffled into a healthy account. It is off by default and does nothing until it is deliberately turned on after a review window.
|
|
19
|
+
|
|
20
|
+
## Summary of New Capabilities
|
|
21
|
+
|
|
22
|
+
Three new exported classes — `CredentialAuditEmit` (the single secret-scrub chokepoint), `CredentialManualLevers` (per-pair cooldown + the force-swap budget), and `CredentialRestoreEnrollment` (the identity-coherence one-directional-park decision) — plus five /credentials/* HTTP routes (swap, set-default, restore-enrollment, locations, rebalancer), all gated by the existing `subscriptionPool.credentialRepointing` flag. No new gate flag, no new unfunneled credential write path. Registered in CapabilityIndex; CredentialAuditEmit documented under-the-hood.
|
|
23
|
+
|
|
24
|
+
## Evidence
|
|
25
|
+
|
|
26
|
+
- `tests/unit/credential-audit-emit.test.ts` (12) — scrub redacts on all three surfaces (jsonl/response/attention) with a real-shaped sk-ant token, deep-scrubs nested objects/arrays, leaves ids/paths/timestamps intact, never throws on a failing sink/delivery; manual levers (per-pair cooldown, force:true override, §0.g force-budget exhaustion + non-forced exemption + window roll); restore coherence (coherent exchange, Frankenstein park, unparseable park, refresh-token-less park, oracle-down park).
|
|
27
|
+
- `tests/integration/credential-routes.test.ts` (6) — dark=503 on every lever + rebalancer 503; live POST /credentials/swap executes the executor with NO token in the response or audit; param-validate unknown slot → 400; manualLeversEnabled:false → 403; restore-enrollment parks an incoherent slot; Bearer-401 on every lever.
|
|
28
|
+
- `tests/e2e/credential-repointing-routes-alive.test.ts` (4) — feature-alive on the real AgentServer factory: ENABLED swap executes (dry-run) + locations reports active; DARK strict no-op (503 on every lever, rebalancer 503, locations reports dark); every lever requires Bearer; rebalancer 503 even when enabled (Increment A).
|
|
29
|
+
- tsc clean; full `npm run lint` clean (dark-gate unchanged — no ConfigDefaults touched); docs-coverage green; repo-invariants hold.
|
|
@@ -0,0 +1,39 @@
|
|
|
1
|
+
# Side-effects review — WS5.2 Step 7 (credential re-pointing routes + audit-scrub chokepoint)
|
|
2
|
+
|
|
3
|
+
**Spec:** `docs/specs/live-credential-repointing-rebalancer.md` (approved:true, converged) §2.4/§2.9/§0.g, build-plan §7.
|
|
4
|
+
**Tier:** 2 (src code + HTTP routes; ships DARK behind the EXISTING `subscriptionPool.credentialRepointing` flag — no new gate).
|
|
5
|
+
**Parent principle:** Cross-Machine Coherence — One Agent, Robust Under Degraded Conditions.
|
|
6
|
+
|
|
7
|
+
## What changed
|
|
8
|
+
|
|
9
|
+
- **NEW `src/core/CredentialAuditEmit.ts`** — the SINGLE secret-scrub chokepoint (`scrub`/`scrubString` + a `CredentialAuditEmit` handle). Every `logs/credential-swaps.jsonl` write, every `/credentials/*` response body, and every attention-item routes through it; it deep-walks records and redacts token-shaped runs via the existing `redactToken` (CredentialProvider.ts:56 — reused, not re-authored).
|
|
10
|
+
- **NEW `src/core/CredentialRestoreEnrollment.ts`** — `classifyRestoreCoherence`: the identity-coherence decision (access-tenant == refresh-lineage). Incoherent / unparseable / refresh-token-less / oracle-unavailable → one-directional park verdict (never exchanged into a healthy slot).
|
|
11
|
+
- **NEW `src/core/CredentialManualLevers.ts`** — per-pair cooldown + §0.g `force:true` budget (`maxForcedManualSwapsPerWindow`). Surfaced refusals, never silent.
|
|
12
|
+
- **`src/commands/server.ts`** — constructs the live `CredentialSwapExecutor` (the Step-5 residual "nothing constructs the executor live yet" closes here), the audit emit (jsonl sink + telegram attention), the composed oracle→pool `resolveIdentity`, and the levers; passes the `credentialRepointing` bundle to AgentServer.
|
|
13
|
+
- **`src/server/routes.ts`** — registers `POST /credentials/swap|set-default|restore-enrollment` (Bearer), `GET /credentials/locations` (census #11), `GET /credentials/rebalancer` (503 in Increment A). Every response sent through `audit.response(...)`.
|
|
14
|
+
- **`src/server/AgentServer.ts`** — threads the `credentialRepointing` bundle option → routeCtx.
|
|
15
|
+
- **`src/server/CapabilityIndex.ts`** — registers the `/credentials` prefix + endpoints.
|
|
16
|
+
- **`src/core/types.ts`** — adds `maxForcedManualSwapsPerWindow?` + `forcedManualSwapWindowMs?` config knobs (NUMBER knobs — NO `enabled: false` literal, so the dark-gate line-map is UNCHANGED, verified 16/16 clean).
|
|
17
|
+
- **`site/src/content/docs/architecture/under-the-hood.md`** — documents `CredentialAuditEmit` (the new exported class; ≥2 mentions for docs-coverage).
|
|
18
|
+
|
|
19
|
+
## State files / migrations
|
|
20
|
+
|
|
21
|
+
- Writes `logs/credential-swaps.jsonl` (size-rotation is Increment B; Step 7 appends). No new schema; reuses the Step-2 `credential-locations.json` ledger.
|
|
22
|
+
- **No migration in Step 7.** CLAUDE.md awareness template + `migrateConfig`/`migrateClaudeMd` are explicitly scoped to **build-plan §9 (Step 9 — Migration parity)** — tracked there, not deferred silently. The new config knobs are optional with code-level defaults, so an existing agent with no value behaves identically.
|
|
23
|
+
|
|
24
|
+
## Blast radius / reversibility
|
|
25
|
+
|
|
26
|
+
- **Ships DARK.** Every lever 503s/no-ops while `subscriptionPool.credentialRepointing.enabled` is false (always, fleet-wide). The executor's own two-flag gate (`enabled`+`dryRun`) makes it a strict no-op too. E2E proves byte-for-byte today's behavior with the flag off.
|
|
27
|
+
- A wrong swap is a reversible, oracle-verified permutation (spec §2.4 supervision Tier 0); no token material is ever returned (the scrub chokepoint).
|
|
28
|
+
- `rebalancer` is 503 in Increment A — the autonomous balancer is Increment B; the route exists + is discoverable now.
|
|
29
|
+
|
|
30
|
+
## Adversarial review (4 lenses, folded as named tests)
|
|
31
|
+
|
|
32
|
+
1. **secret-leak-via-audit (THE blocker)** — `scrub` redacts on all 3 surfaces; named test feeds a real-shaped `sk-ant-…` token through jsonl/response/attention and asserts the token core appears in NONE; integration + e2e also assert no token in a response body. Wiring: the route's `credSend` is the only response path and it routes through `audit.response`.
|
|
33
|
+
2. **restore-enrollment poison** — `classifyRestoreCoherence` parks Frankenstein/unparseable/refresh-token-less/oracle-down one-directionally; integration test asserts an incoherent slot is parked, never exchanged.
|
|
34
|
+
3. **auth boundary** — every POST lever + the GET reads 401 without Bearer (integration + e2e named tests); rebalancer 503 dark.
|
|
35
|
+
4. **dark-ship inertness** — flag OFF → 503 on every lever (e2e strict-no-op test, the single most important test).
|
|
36
|
+
|
|
37
|
+
## Silent-fallback tags
|
|
38
|
+
|
|
39
|
+
Every new catch is tagged `@silent-fallback-ok` with justification (audit-write best-effort, attention best-effort, cache-bust best-effort, unparseable-blob → coherence-park). no-silent-fallbacks + no-empty-catch-blocks tests pass; no baseline bump needed.
|