instar 1.3.538 → 1.3.540

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (50) hide show
  1. package/dist/commands/server.d.ts.map +1 -1
  2. package/dist/commands/server.js +87 -6
  3. package/dist/commands/server.js.map +1 -1
  4. package/dist/config/ConfigDefaults.d.ts.map +1 -1
  5. package/dist/config/ConfigDefaults.js +23 -21
  6. package/dist/config/ConfigDefaults.js.map +1 -1
  7. package/dist/core/CredentialAuditEmit.d.ts +82 -0
  8. package/dist/core/CredentialAuditEmit.d.ts.map +1 -0
  9. package/dist/core/CredentialAuditEmit.js +132 -0
  10. package/dist/core/CredentialAuditEmit.js.map +1 -0
  11. package/dist/core/CredentialManualLevers.d.ts +57 -0
  12. package/dist/core/CredentialManualLevers.d.ts.map +1 -0
  13. package/dist/core/CredentialManualLevers.js +0 -0
  14. package/dist/core/CredentialManualLevers.js.map +1 -0
  15. package/dist/core/CredentialRestoreEnrollment.d.ts +76 -0
  16. package/dist/core/CredentialRestoreEnrollment.d.ts.map +1 -0
  17. package/dist/core/CredentialRestoreEnrollment.js +76 -0
  18. package/dist/core/CredentialRestoreEnrollment.js.map +1 -0
  19. package/dist/core/PostUpdateMigrator.d.ts +1 -0
  20. package/dist/core/PostUpdateMigrator.d.ts.map +1 -1
  21. package/dist/core/PostUpdateMigrator.js +83 -0
  22. package/dist/core/PostUpdateMigrator.js.map +1 -1
  23. package/dist/core/devGatedFeatures.d.ts +12 -1
  24. package/dist/core/devGatedFeatures.d.ts.map +1 -1
  25. package/dist/core/devGatedFeatures.js +51 -37
  26. package/dist/core/devGatedFeatures.js.map +1 -1
  27. package/dist/core/types.d.ts +7 -0
  28. package/dist/core/types.d.ts.map +1 -1
  29. package/dist/core/types.js.map +1 -1
  30. package/dist/monitoring/guardManifest.js +4 -4
  31. package/dist/monitoring/guardManifest.js.map +1 -1
  32. package/dist/server/AgentServer.d.ts +1 -0
  33. package/dist/server/AgentServer.d.ts.map +1 -1
  34. package/dist/server/AgentServer.js +16 -11
  35. package/dist/server/AgentServer.js.map +1 -1
  36. package/dist/server/CapabilityIndex.d.ts.map +1 -1
  37. package/dist/server/CapabilityIndex.js +20 -1
  38. package/dist/server/CapabilityIndex.js.map +1 -1
  39. package/dist/server/routes.d.ts +20 -0
  40. package/dist/server/routes.d.ts.map +1 -1
  41. package/dist/server/routes.js +213 -0
  42. package/dist/server/routes.js.map +1 -1
  43. package/package.json +1 -1
  44. package/scripts/lib/dark-gate-attribution.js +7 -2
  45. package/scripts/lint-dev-agent-dark-gate.js +19 -1
  46. package/src/data/builtin-manifest.json +64 -64
  47. package/upgrades/1.3.539.md +29 -0
  48. package/upgrades/1.3.540.md +70 -0
  49. package/upgrades/side-effects/dev-agent-dark-gate-teeth.md +201 -0
  50. package/upgrades/side-effects/ws52-step7-routes-audit.md +39 -0
@@ -0,0 +1,70 @@
1
+ # Upgrade Guide — vNEXT
2
+
3
+ <!-- assembled-by: assemble-next-md -->
4
+ <!-- bump: patch -->
5
+
6
+ ## What Changed
7
+
8
+ Retired the catch-all `deliberate-fleet-default` category from the dev-feature
9
+ dark-gate classification and added a concrete `action-bearing` category. Every
10
+ "off even on a development agent" feature must now name a real reason it would be
11
+ unsafe or non-runnable there — it kills/deletes, spends money, takes an external
12
+ action, or needs per-deployment config — and the vague "off by policy" bucket is
13
+ gone. The CI lint (`scripts/lint-dev-agent-dark-gate.js`) rejects the retired
14
+ category and now fails loud if an exclusion entry escapes category validation (the
15
+ backtick-reason silent-skip hole), via a count-match guard in
16
+ `scripts/lib/dark-gate-attribution.js`.
17
+
18
+ Reclassified the 11 features that were in the retired bucket. Each candidate for
19
+ going live on a development agent was re-grounded against its actual code (D4): 4
20
+ verified safe and moved to `DEV_GATED_FEATURES` (`parallelWorkSentinel`,
21
+ `failureLearning`, `releaseReadiness`, `bootHealthBeacon`) — their `enabled` flag
22
+ is now omitted from `ConfigDefaults` so the developmentAgent gate resolves them
23
+ live-on-dev / dark-on-fleet, and their construction sites route through
24
+ `resolveDevAgentGate`. The other 3 candidates were held back as honest exclusions
25
+ because their code contradicted "observe-only": `correctionLearning` (cost-bearing
26
+ — per-message LLM spend), `apprenticeshipCycleSla` and `geminiCapacityEscalation`
27
+ (action-bearing — auto-post Telegram alerts). `greenPrAutoMerge` + `a2aCheckIn` are
28
+ recategorized action-bearing; `mentor` + `mentee` optional-integration.
29
+
30
+ Added a one-shot, dev-agent-only `PostUpdateMigrator.migrateDevGateTeethStrip` that
31
+ strips a stale persisted `enabled: false` for the 4 newly-dev-gated flags so an
32
+ existing development agent actually picks up the change (without it the add-missing
33
+ config merge would leave the stale value and the features would stay dark — the
34
+ cartographer trap).
35
+
36
+ ## What to Tell Your User
37
+
38
+ Nothing changes for you on a normal install — every one of these features stays off
39
+ until you turn it on, exactly as before. On a development agent (the dogfooding
40
+ machine), four watch-only helpers now switch on automatically after the update: a
41
+ parallel-work overlap watcher, a failure-learning recorder, a release-readiness
42
+ watcher, and a boot health responder. They only observe and record — none of them
43
+ sends you a message, spends money, or changes anything. Three other helpers that
44
+ were candidates to turn on were deliberately kept off because they would have spent
45
+ money or sent you alerts; you can still switch any of those on yourself if you want
46
+ them.
47
+
48
+ ## Summary of New Capabilities
49
+
50
+ - A development agent now runs four verified watch-only observers live (parallel-work
51
+ overlap, failure-learning, release-readiness, boot health) so they get dogfooded
52
+ before the fleet ever sees them.
53
+ - The dark-feature classification now requires a concrete, honest reason for any
54
+ feature parked "off even on dev" — enforced in CI — so a safe feature can no longer
55
+ be hidden behind a vague "off by policy" label.
56
+
57
+ ## Evidence
58
+
59
+ - Spec + 6-round convergence report with a real cross-model (GPT-tier) external pass:
60
+ `docs/specs/DEV-AGENT-DARK-GATE-TEETH-SPEC.md`,
61
+ `docs/specs/reports/dev-agent-dark-gate-teeth-convergence.md`.
62
+ - Tests (all green): `tests/unit/lint-dev-agent-dark-gate.test.ts` (retired category
63
+ rejected, `action-bearing` accepted, count-match guard, hand-verified drift canary),
64
+ `tests/unit/devGatedFeatures-wiring.test.ts` (the 4 new entries resolve live-on-dev /
65
+ dark-on-fleet through the real `ConfigDefaults`),
66
+ `tests/unit/PostUpdateMigrator-devGateTeethStrip.test.ts` (migration both sides +
67
+ idempotency + the 3 held untouched), `tests/integration/dev-gate-teeth-rollout.test.ts`
68
+ (full migration → defaults → resolver pipeline + the two-switch drift guard).
69
+ - D4 code-grounding evidence (file:line per feature) is recorded in the spec's
70
+ "D4 grounding result" section.
@@ -0,0 +1,201 @@
1
+ # Side-Effects Review — Dev-Agent Dark-Gate Teeth (CMT-1438)
2
+
3
+ **Version / slug:** `dev-agent-dark-gate-teeth`
4
+ **Date:** `2026-06-13`
5
+ **Author:** `echo`
6
+ **Second-pass reviewer:** `required (touches gate/sentinel/migration) — see below`
7
+
8
+ ## Summary of the change
9
+
10
+ Retires the catch-all `deliberate-fleet-default` category from the `DarkGateCategory`
11
+ enum and adds a concrete `action-bearing` category, so every "off even on dev"
12
+ classification must name a real reason dev-live is wrong (unsafe: destructive /
13
+ cost-bearing / action-bearing; or not-runnable: optional-integration /
14
+ structural-stub). Tightens the CI lint (`scripts/lint-dev-agent-dark-gate.js` +
15
+ `scripts/lib/dark-gate-attribution.js`) to reject the retired category and adds a
16
+ count-match guard that fails loud when an exclusion entry escapes category validation
17
+ (the backtick-reason silent-skip hole). Reclassifies the 11 occupants: after per-feature
18
+ D4 code-grounding, 4 move to `DEV_GATED_FEATURES` (parallelWorkSentinel, failureLearning,
19
+ releaseReadiness, bootHealthBeacon) — their construction sites now route through
20
+ `resolveDevAgentGate` and their `enabled: false` literal is removed from ConfigDefaults;
21
+ 7 stay exclusions with concrete categories (correctionLearning=cost-bearing,
22
+ apprenticeshipCycleSla/geminiCapacityEscalation/greenPrAutoMerge/a2aCheckIn=action-bearing,
23
+ mentor/mentee=optional-integration). Adds `PostUpdateMigrator.migrateDevGateTeethStrip` —
24
+ a one-shot, dev-agent-only strip of stale persisted `enabled: false` for the 4 paths so
25
+ the move actually lands on existing dev agents.
26
+ Files: `src/core/devGatedFeatures.ts`, `scripts/lib/dark-gate-attribution.js`,
27
+ `scripts/lint-dev-agent-dark-gate.js`, `src/config/ConfigDefaults.ts`,
28
+ `src/server/AgentServer.ts` (parallelWorkSentinel + failureLearning gates),
29
+ `src/commands/server.ts` (releaseReadiness + bootHealthBeacon gates),
30
+ `src/server/CapabilityIndex.ts` (failureLearning capability report),
31
+ `src/core/PostUpdateMigrator.ts` (D5 migration) + 3 test files.
32
+
33
+ ## Decision-point inventory
34
+
35
+ - `DarkGateCategory` enum (classification taxonomy) — **modify** — drop the catch-all, add `action-bearing`; closes the willpower escape hatch.
36
+ - `lint-dev-agent-dark-gate.js` Assertion C (CI gate) — **modify** — the closed-enum membership check tightens (one fewer valid category) + a count-match guard added.
37
+ - `resolveDevAgentGate` at 4 construction sites — **modify (pass-through to the funnel)** — the 4 features' enable check now goes through the existing dev-gate funnel instead of a hand-rolled `=== true`. No new decision logic; it reuses the established resolver.
38
+ - `migrateDevGateTeethStrip` — **add** — a config-mutation migration (deletes a stale `enabled: false`), dev-agent-only, run-once. Not an information-flow gate.
39
+
40
+ ---
41
+
42
+ ## 1. Over-block
43
+
44
+ No outbound/inbound message block surface. The only "block"-shaped surface is the CI
45
+ lint, which now *rejects* (a) an exclusion using the retired `deliberate-fleet-default`
46
+ category and (b) an exclusion entry that doesn't fully parse (count-mismatch). The
47
+ count-match guard can *over-trip* on a legitimate-but-unparseable entry — specifically
48
+ an exclusion `reason` written with embedded quotes or a backtick/template literal. This
49
+ is intentional fail-safe behavior (it forces a parseable, single-line, quote-delimited
50
+ reason); it never lets a bad entry through. It surfaced exactly once during this build
51
+ (my own reasons contained embedded `"`), was loud, and was fixed by rewording — proving
52
+ the guard works. Authoring constraint, not a runtime over-block.
53
+
54
+ ---
55
+
56
+ ## 2. Under-block
57
+
58
+ The lint still matches the literal `enabled: false` spelling only (a pre-existing,
59
+ documented limitation — a non-literal `enabled: someFlag ?? false` evades attribution).
60
+ The count-match guard closes the parsed-path-without-a-parsed-entry class (backtick
61
+ reasons, reordered fields) but the registry parser remains regex-based, so other
62
+ source-shape shifts (object spread, imported constants, `as const`) are still a
63
+ theoretical blind spot — disclosed in the spec and tracked as a follow-up (AST /
64
+ pure-data registry). The category honesty itself is never machine-checked (the lint
65
+ validates spelling + reason length, not truthfulness); D4 code-grounding + the
66
+ GrowthMilestoneAnalyst R6 runtime cross-check are the backstops, also disclosed.
67
+
68
+ ---
69
+
70
+ ## 3. Level-of-abstraction fit
71
+
72
+ Right layer. The change does NOT add a new detector or authority — it (a) edits a
73
+ classification enum + its CI lint (build-time signal), and (b) routes 4 features through
74
+ the EXISTING `resolveDevAgentGate` funnel rather than re-implementing the gate inline
75
+ (it removes 4 hand-rolled `=== true` checks). The migration reuses the EXISTING
76
+ `migrateCartographerDevGate` pattern (same `_instar_migrations` marker machinery, same
77
+ dev-agent guard). Nothing is re-implemented; everything feeds or reuses an existing
78
+ primitive.
79
+
80
+ ---
81
+
82
+ ## 4. Signal vs authority compliance
83
+
84
+ **Required reference:** [docs/signal-vs-authority.md](../../docs/signal-vs-authority.md)
85
+
86
+ - [x] No — this change produces a signal consumed by an existing smart gate / has no
87
+ runtime block-allow surface.
88
+
89
+ The CI lint is a deterministic build-time *signal-emitter* (it fails CI on an invalid
90
+ classification); it is not a runtime authority over agent behavior. The spec is explicit
91
+ that the lint closes only the *unclassified/invalid-category* hole — it does NOT
92
+ adjudicate category *honesty* (that is D4 + R6). `resolveDevAgentGate` is the established
93
+ funnel, not a new brittle authority. No brittle blocking authority is added.
94
+
95
+ ---
96
+
97
+ ## 5. Interactions
98
+
99
+ - **Shadowing:** the 4 construction-site gate calls replace `=== true` with
100
+ `resolveDevAgentGate(...)`. For 3 of the 4, routes/consumers already gate on the
101
+ *constructed instance* (null → 503), so they follow the gate result with no shadowing.
102
+ For `failureLearning`, `CapabilityIndex` also reads the flag — updated to the SAME
103
+ funnel so the capability report matches the construction gate (no skew).
104
+ - **Double-fire:** `migrateDevGateTeethStrip` shares the `_instar_migrations` ledger
105
+ with `migrateCartographerDevGate`; the new marker key (`dev-gate-teeth-strip`) is
106
+ distinct (not a prefix of, nor prefixed by, `cartographer-dev-gate-strip`), so the two
107
+ run independently and each exactly once. Verified by the round-2 integration review.
108
+ - **Races:** the migration runs in the single-threaded PostUpdateMigrator pass at update
109
+ time; no concurrent writer to config.json during it.
110
+ - **Feedback loops:** none. The lint is one-way (CI fails or passes).
111
+
112
+ ---
113
+
114
+ ## 6. External surfaces
115
+
116
+ - **Other agents on the machine:** none — the change is per-agent config + a CI lint.
117
+ - **Install base:** fleet behavior is byte-for-byte unchanged (every reclassified flag
118
+ still resolves `false` on a non-development agent; the migration is dev-agent-only).
119
+ Only development agents gain the 4 live observers.
120
+ - **External systems (Telegram/GitHub/etc.):** the 4 features moved live are
121
+ D4-verified to make NO automatic outbound send on enable (parallelWorkSentinel: local
122
+ event/JSONL; failureLearning: append-only ledger, send path unimplemented;
123
+ releaseReadiness: read surface only, sends gated behind the separate dark job;
124
+ bootHealthBeacon: localhost-only inbound socket). The 3 features that DO auto-send
125
+ (correctionLearning spend; apprenticeshipCycleSla/geminiCapacityEscalation Telegram)
126
+ were deliberately HELD as exclusions precisely to avoid that surface on dev.
127
+ - **Persistent state:** the migration deletes a stale `enabled: false` key from the dev
128
+ agent's own `config.json` (and records a run-once marker). Reported in the migration
129
+ result summary so a non-Echo operator sees which flags were freed.
130
+ - **Operator surface (Mobile-Complete):** no operator-facing actions added — no route, no
131
+ form, no PIN-gated action. Not applicable.
132
+
133
+ ---
134
+
135
+ ## 6b. Operator-surface quality (Operator-Surface Quality standard)
136
+
137
+ No operator surface — this change touches no dashboard renderer/markup, approval page, or
138
+ grant/revoke/secret-drop form. Not applicable.
139
+
140
+ ---
141
+
142
+ ## 7. Multi-machine posture (Cross-Machine Coherence)
143
+
144
+ **machine-local BY DESIGN.** The dev-feature classification is a code-shipped TypeScript
145
+ enum + `ConfigDefaults` + each agent's per-machine `.instar/config.json`; `developmentAgent`
146
+ is intrinsically a per-machine identity. None of the `multiMachine.stateSync.*` replicated
147
+ kinds cover config flags or dev-gate state, and nothing here should follow the agent across
148
+ machines — a machine either is or isn't a development agent. The D5 migration is
149
+ dev-agent-only and mutates only the local config.json. No user-facing notice is emitted by
150
+ this change (the 4 live features that COULD notify are either send-inert on enable or held
151
+ as exclusions). No durable cross-machine state, no generated URLs. Confirmed by the
152
+ round-1 integration reviewer (no journal kind needed).
153
+
154
+ ---
155
+
156
+ ## 8. Rollback cost
157
+
158
+ Pure code + config-default change. Back-out = revert the commit (re-adds the
159
+ `deliberate-fleet-default` enum member, the 4 `enabled: false` literals, the 4
160
+ construction-site `=== true` checks, and removes the migration) and ship a patch. The D5
161
+ migration is idempotent and run-once; a rolled-back agent that already ran it keeps its
162
+ stripped config (the 4 flags then resolve via the reverted hardcoded `false` again — back
163
+ to dark — with no error). No data migration, no agent state repair, no user-visible
164
+ regression during the rollback window (fleet was never changed). An operator who wants a
165
+ freed flag off again simply re-adds `enabled: false` (the run-once marker preserves it).
166
+
167
+ ---
168
+
169
+ ## Conclusion
170
+
171
+ This review (plus the 6-round spec convergence that preceded it) reshaped the change in
172
+ three material ways: (1) the migration was added after convergence found the 4 flags
173
+ would otherwise stay dark on Echo (the cartographer trap); (2) D4 code-grounding held 3
174
+ of 7 candidates back as honest exclusions when their code contradicted "observe-only";
175
+ (3) the count-match lint guard was added after the adversarial reviewer found the
176
+ backtick-reason silent-skip. The change adds no runtime blocking authority, makes no
177
+ automatic external send on the dev agent (the senders are held off), leaves the fleet
178
+ byte-for-byte unchanged, and is cleanly reversible. Clear to ship.
179
+
180
+ ---
181
+
182
+ ## Second-pass review (if required)
183
+
184
+ **Reviewer:** independent reviewer subagent
185
+ **Independent read of the artifact: concur**
186
+
187
+ Concur with the review. The reviewer grounded every claim against the actual diff and confirmed: (1) all 4 construction sites route through `resolveDevAgentGate` with no hand-rolled `?? !!developmentAgent` (AgentServer.ts:858/1238, server.ts:3041/13258, CapabilityIndex.ts:794); (2) the migration allowlist is EXACTLY the 4 dev-gated paths, dev-agent-guarded, with a run-once marker distinct from cartographer's; (3) the signal-vs-authority answer holds (build-time signal + reused funnel + fail-safe count-match guard, no new blocking authority); (4) the highest-risk check — a missed read site — was investigated: the 4 flags also feed `src/monitoring/guardManifest.ts` → the `/guards` posture endpoint, but `guardPosture.ts:resolveGuardConfigSnapshot` already iterates `DEV_GATED_FEATURES` and injects the gate-resolved value, so moving the 4 into the registry makes `/guards` resolve them live on a dev agent automatically — NO "live-but-reported-disabled" skew, and the now-absent default raises no spurious boot tripwire. The reviewer's one non-blocking nit (stale "ships dark" prose in 4 `guardManifest.ts` descriptions) was fixed in this commit (descriptions now say "(dev-gated)"). Clear to ship.
188
+
189
+ ---
190
+
191
+ ## Evidence pointers
192
+
193
+ - Spec + convergence report: `docs/specs/DEV-AGENT-DARK-GATE-TEETH-SPEC.md`,
194
+ `docs/specs/reports/dev-agent-dark-gate-teeth-convergence.md` (6 rounds, real
195
+ cross-model pass codex-cli:gpt-5.5).
196
+ - Tests: `tests/unit/lint-dev-agent-dark-gate.test.ts` (enum/category/count-match +
197
+ drift canary), `tests/unit/devGatedFeatures-wiring.test.ts` (42 tests — 4 new entries
198
+ resolve live-on-dev/dark-on-fleet), `tests/unit/PostUpdateMigrator-devGateTeethStrip.test.ts`
199
+ (7 tests — migration both sides + idempotency + the 3 held), `tests/integration/dev-gate-teeth-rollout.test.ts`
200
+ (5 tests — full migration→defaults→resolver pipeline + two-switch drift guard).
201
+ - D4 grounding evidence (file:line) is in the spec's "D4 grounding result" section.
@@ -0,0 +1,39 @@
1
+ # Side-effects review — WS5.2 Step 7 (credential re-pointing routes + audit-scrub chokepoint)
2
+
3
+ **Spec:** `docs/specs/live-credential-repointing-rebalancer.md` (approved:true, converged) §2.4/§2.9/§0.g, build-plan §7.
4
+ **Tier:** 2 (src code + HTTP routes; ships DARK behind the EXISTING `subscriptionPool.credentialRepointing` flag — no new gate).
5
+ **Parent principle:** Cross-Machine Coherence — One Agent, Robust Under Degraded Conditions.
6
+
7
+ ## What changed
8
+
9
+ - **NEW `src/core/CredentialAuditEmit.ts`** — the SINGLE secret-scrub chokepoint (`scrub`/`scrubString` + a `CredentialAuditEmit` handle). Every `logs/credential-swaps.jsonl` write, every `/credentials/*` response body, and every attention-item routes through it; it deep-walks records and redacts token-shaped runs via the existing `redactToken` (CredentialProvider.ts:56 — reused, not re-authored).
10
+ - **NEW `src/core/CredentialRestoreEnrollment.ts`** — `classifyRestoreCoherence`: the identity-coherence decision (access-tenant == refresh-lineage). Incoherent / unparseable / refresh-token-less / oracle-unavailable → one-directional park verdict (never exchanged into a healthy slot).
11
+ - **NEW `src/core/CredentialManualLevers.ts`** — per-pair cooldown + §0.g `force:true` budget (`maxForcedManualSwapsPerWindow`). Surfaced refusals, never silent.
12
+ - **`src/commands/server.ts`** — constructs the live `CredentialSwapExecutor` (the Step-5 residual "nothing constructs the executor live yet" closes here), the audit emit (jsonl sink + telegram attention), the composed oracle→pool `resolveIdentity`, and the levers; passes the `credentialRepointing` bundle to AgentServer.
13
+ - **`src/server/routes.ts`** — registers `POST /credentials/swap|set-default|restore-enrollment` (Bearer), `GET /credentials/locations` (census #11), `GET /credentials/rebalancer` (503 in Increment A). Every response sent through `audit.response(...)`.
14
+ - **`src/server/AgentServer.ts`** — threads the `credentialRepointing` bundle option → routeCtx.
15
+ - **`src/server/CapabilityIndex.ts`** — registers the `/credentials` prefix + endpoints.
16
+ - **`src/core/types.ts`** — adds `maxForcedManualSwapsPerWindow?` + `forcedManualSwapWindowMs?` config knobs (NUMBER knobs — NO `enabled: false` literal, so the dark-gate line-map is UNCHANGED, verified 16/16 clean).
17
+ - **`site/src/content/docs/architecture/under-the-hood.md`** — documents `CredentialAuditEmit` (the new exported class; ≥2 mentions for docs-coverage).
18
+
19
+ ## State files / migrations
20
+
21
+ - Writes `logs/credential-swaps.jsonl` (size-rotation is Increment B; Step 7 appends). No new schema; reuses the Step-2 `credential-locations.json` ledger.
22
+ - **No migration in Step 7.** CLAUDE.md awareness template + `migrateConfig`/`migrateClaudeMd` are explicitly scoped to **build-plan §9 (Step 9 — Migration parity)** — tracked there, not deferred silently. The new config knobs are optional with code-level defaults, so an existing agent with no value behaves identically.
23
+
24
+ ## Blast radius / reversibility
25
+
26
+ - **Ships DARK.** Every lever 503s/no-ops while `subscriptionPool.credentialRepointing.enabled` is false (always, fleet-wide). The executor's own two-flag gate (`enabled`+`dryRun`) makes it a strict no-op too. E2E proves byte-for-byte today's behavior with the flag off.
27
+ - A wrong swap is a reversible, oracle-verified permutation (spec §2.4 supervision Tier 0); no token material is ever returned (the scrub chokepoint).
28
+ - `rebalancer` is 503 in Increment A — the autonomous balancer is Increment B; the route exists + is discoverable now.
29
+
30
+ ## Adversarial review (4 lenses, folded as named tests)
31
+
32
+ 1. **secret-leak-via-audit (THE blocker)** — `scrub` redacts on all 3 surfaces; named test feeds a real-shaped `sk-ant-…` token through jsonl/response/attention and asserts the token core appears in NONE; integration + e2e also assert no token in a response body. Wiring: the route's `credSend` is the only response path and it routes through `audit.response`.
33
+ 2. **restore-enrollment poison** — `classifyRestoreCoherence` parks Frankenstein/unparseable/refresh-token-less/oracle-down one-directionally; integration test asserts an incoherent slot is parked, never exchanged.
34
+ 3. **auth boundary** — every POST lever + the GET reads 401 without Bearer (integration + e2e named tests); rebalancer 503 dark.
35
+ 4. **dark-ship inertness** — flag OFF → 503 on every lever (e2e strict-no-op test, the single most important test).
36
+
37
+ ## Silent-fallback tags
38
+
39
+ Every new catch is tagged `@silent-fallback-ok` with justification (audit-write best-effort, attention best-effort, cache-bust best-effort, unparseable-blob → coherence-park). no-silent-fallbacks + no-empty-catch-blocks tests pass; no baseline bump needed.