instar 1.3.539 → 1.3.541
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/commands/server.d.ts.map +1 -1
- package/dist/commands/server.js +37 -7
- package/dist/commands/server.js.map +1 -1
- package/dist/config/ConfigDefaults.d.ts.map +1 -1
- package/dist/config/ConfigDefaults.js +23 -21
- package/dist/config/ConfigDefaults.js.map +1 -1
- package/dist/core/CredentialEnvTokenGate.d.ts +98 -0
- package/dist/core/CredentialEnvTokenGate.d.ts.map +1 -0
- package/dist/core/CredentialEnvTokenGate.js +103 -0
- package/dist/core/CredentialEnvTokenGate.js.map +1 -0
- package/dist/core/PostUpdateMigrator.d.ts +1 -0
- package/dist/core/PostUpdateMigrator.d.ts.map +1 -1
- package/dist/core/PostUpdateMigrator.js +83 -0
- package/dist/core/PostUpdateMigrator.js.map +1 -1
- package/dist/core/SessionManager.d.ts.map +1 -1
- package/dist/core/SessionManager.js +27 -0
- package/dist/core/SessionManager.js.map +1 -1
- package/dist/core/devGatedFeatures.d.ts +12 -1
- package/dist/core/devGatedFeatures.d.ts.map +1 -1
- package/dist/core/devGatedFeatures.js +51 -37
- package/dist/core/devGatedFeatures.js.map +1 -1
- package/dist/core/types.d.ts +18 -0
- package/dist/core/types.d.ts.map +1 -1
- package/dist/core/types.js.map +1 -1
- package/dist/monitoring/guardManifest.js +4 -4
- package/dist/monitoring/guardManifest.js.map +1 -1
- package/dist/server/AgentServer.d.ts.map +1 -1
- package/dist/server/AgentServer.js +15 -11
- package/dist/server/AgentServer.js.map +1 -1
- package/dist/server/CapabilityIndex.d.ts.map +1 -1
- package/dist/server/CapabilityIndex.js +4 -1
- package/dist/server/CapabilityIndex.js.map +1 -1
- package/dist/server/routes.d.ts +3 -0
- package/dist/server/routes.d.ts.map +1 -1
- package/dist/server/routes.js +29 -3
- package/dist/server/routes.js.map +1 -1
- package/package.json +1 -1
- package/scripts/lib/dark-gate-attribution.js +7 -2
- package/scripts/lint-dev-agent-dark-gate.js +19 -1
- package/src/data/builtin-manifest.json +65 -65
- package/upgrades/1.3.540.md +70 -0
- package/upgrades/1.3.541.md +29 -0
- package/upgrades/side-effects/dev-agent-dark-gate-teeth.md +201 -0
- package/upgrades/side-effects/ws52-step8-provenance-gate.md +78 -0
|
@@ -0,0 +1,70 @@
|
|
|
1
|
+
# Upgrade Guide — vNEXT
|
|
2
|
+
|
|
3
|
+
<!-- assembled-by: assemble-next-md -->
|
|
4
|
+
<!-- bump: patch -->
|
|
5
|
+
|
|
6
|
+
## What Changed
|
|
7
|
+
|
|
8
|
+
Retired the catch-all `deliberate-fleet-default` category from the dev-feature
|
|
9
|
+
dark-gate classification and added a concrete `action-bearing` category. Every
|
|
10
|
+
"off even on a development agent" feature must now name a real reason it would be
|
|
11
|
+
unsafe or non-runnable there — it kills/deletes, spends money, takes an external
|
|
12
|
+
action, or needs per-deployment config — and the vague "off by policy" bucket is
|
|
13
|
+
gone. The CI lint (`scripts/lint-dev-agent-dark-gate.js`) rejects the retired
|
|
14
|
+
category and now fails loud if an exclusion entry escapes category validation (the
|
|
15
|
+
backtick-reason silent-skip hole), via a count-match guard in
|
|
16
|
+
`scripts/lib/dark-gate-attribution.js`.
|
|
17
|
+
|
|
18
|
+
Reclassified the 11 features that were in the retired bucket. Each candidate for
|
|
19
|
+
going live on a development agent was re-grounded against its actual code (D4): 4
|
|
20
|
+
verified safe and moved to `DEV_GATED_FEATURES` (`parallelWorkSentinel`,
|
|
21
|
+
`failureLearning`, `releaseReadiness`, `bootHealthBeacon`) — their `enabled` flag
|
|
22
|
+
is now omitted from `ConfigDefaults` so the developmentAgent gate resolves them
|
|
23
|
+
live-on-dev / dark-on-fleet, and their construction sites route through
|
|
24
|
+
`resolveDevAgentGate`. The other 3 candidates were held back as honest exclusions
|
|
25
|
+
because their code contradicted "observe-only": `correctionLearning` (cost-bearing
|
|
26
|
+
— per-message LLM spend), `apprenticeshipCycleSla` and `geminiCapacityEscalation`
|
|
27
|
+
(action-bearing — auto-post Telegram alerts). `greenPrAutoMerge` + `a2aCheckIn` are
|
|
28
|
+
recategorized action-bearing; `mentor` + `mentee` optional-integration.
|
|
29
|
+
|
|
30
|
+
Added a one-shot, dev-agent-only `PostUpdateMigrator.migrateDevGateTeethStrip` that
|
|
31
|
+
strips a stale persisted `enabled: false` for the 4 newly-dev-gated flags so an
|
|
32
|
+
existing development agent actually picks up the change (without it the add-missing
|
|
33
|
+
config merge would leave the stale value and the features would stay dark — the
|
|
34
|
+
cartographer trap).
|
|
35
|
+
|
|
36
|
+
## What to Tell Your User
|
|
37
|
+
|
|
38
|
+
Nothing changes for you on a normal install — every one of these features stays off
|
|
39
|
+
until you turn it on, exactly as before. On a development agent (the dogfooding
|
|
40
|
+
machine), four watch-only helpers now switch on automatically after the update: a
|
|
41
|
+
parallel-work overlap watcher, a failure-learning recorder, a release-readiness
|
|
42
|
+
watcher, and a boot health responder. They only observe and record — none of them
|
|
43
|
+
sends you a message, spends money, or changes anything. Three other helpers that
|
|
44
|
+
were candidates to turn on were deliberately kept off because they would have spent
|
|
45
|
+
money or sent you alerts; you can still switch any of those on yourself if you want
|
|
46
|
+
them.
|
|
47
|
+
|
|
48
|
+
## Summary of New Capabilities
|
|
49
|
+
|
|
50
|
+
- A development agent now runs four verified watch-only observers live (parallel-work
|
|
51
|
+
overlap, failure-learning, release-readiness, boot health) so they get dogfooded
|
|
52
|
+
before the fleet ever sees them.
|
|
53
|
+
- The dark-feature classification now requires a concrete, honest reason for any
|
|
54
|
+
feature parked "off even on dev" — enforced in CI — so a safe feature can no longer
|
|
55
|
+
be hidden behind a vague "off by policy" label.
|
|
56
|
+
|
|
57
|
+
## Evidence
|
|
58
|
+
|
|
59
|
+
- Spec + 6-round convergence report with a real cross-model (GPT-tier) external pass:
|
|
60
|
+
`docs/specs/DEV-AGENT-DARK-GATE-TEETH-SPEC.md`,
|
|
61
|
+
`docs/specs/reports/dev-agent-dark-gate-teeth-convergence.md`.
|
|
62
|
+
- Tests (all green): `tests/unit/lint-dev-agent-dark-gate.test.ts` (retired category
|
|
63
|
+
rejected, `action-bearing` accepted, count-match guard, hand-verified drift canary),
|
|
64
|
+
`tests/unit/devGatedFeatures-wiring.test.ts` (the 4 new entries resolve live-on-dev /
|
|
65
|
+
dark-on-fleet through the real `ConfigDefaults`),
|
|
66
|
+
`tests/unit/PostUpdateMigrator-devGateTeethStrip.test.ts` (migration both sides +
|
|
67
|
+
idempotency + the 3 held untouched), `tests/integration/dev-gate-teeth-rollout.test.ts`
|
|
68
|
+
(full migration → defaults → resolver pipeline + the two-switch drift guard).
|
|
69
|
+
- D4 code-grounding evidence (file:line per feature) is recorded in the spec's
|
|
70
|
+
"D4 grounding result" section.
|
|
@@ -0,0 +1,29 @@
|
|
|
1
|
+
# Upgrade Guide — vNEXT
|
|
2
|
+
|
|
3
|
+
<!-- assembled-by: assemble-next-md -->
|
|
4
|
+
<!-- bump: patch -->
|
|
5
|
+
|
|
6
|
+
## What Changed
|
|
7
|
+
|
|
8
|
+
Enforces the spec's applicability precondition: live credential re-pointing only works for sessions that read their credential from the per-config-home store. A session launched with an env token bypasses that store and is invisible to the mechanism — so this step records, at spawn, WHERE each session's Anthropic credential comes from, and refuses to run the feature whenever an env-token session is present.
|
|
9
|
+
|
|
10
|
+
- **Durable per-session provenance flag** — a new `credentialSource: 'store' | 'env'` field on the session record, set at every claude-code spawn lane. It is derived from the IDENTICAL expression that selects the session's Anthropic env block — `(config.anthropicApiKey ?? '') !== '' ? 'env' : 'store'`, computed at the spawn site — so the flag can never drift from what actually launched the session (single source of truth; an independent recomputation would re-create the staleness class this spec exists to kill).
|
|
11
|
+
- **The env-token gate** — a new `CredentialEnvTokenGate` (src/core/CredentialEnvTokenGate.ts), a pure evaluator. It REFUSES the feature, with a NAMED category reason, when either the config field `anthropicApiKey` is any non-empty value (an OAuth token OR a direct API key — both bypass the store) OR any running claude-code session's provenance flag is `env`. Checking the LIVE fleet — not just the config field — closes the mid-life-flip hole: an operator setting an env token mid-run would otherwise leave already-running store sessions steerable while new env spawns are silently un-steered.
|
|
12
|
+
- **Named reason on the status route** — `GET /credentials/rebalancer`, when the feature flag is ON, now surfaces the gate verdict (refused, the reason category, and the count of env sessions), scrubbed through the existing secret-scrub chokepoint. Dark (flag off) it stays a strict 503 no-op.
|
|
13
|
+
- **Attribution-suppression** — on a gate refusal the location gate behaves as dark, so the quota poller stops routing reads/attribution through moved slots: an env session's usage is never mis-attributed to a slot tenant.
|
|
14
|
+
- **Dark** — gated by the existing `subscriptionPool.credentialRepointing` flag. With the feature off (the fleet + dev default) the gate is never consulted and the only delta is the additive provenance field on new session records (free metadata, never read) — byte-for-byte today's behavior.
|
|
15
|
+
|
|
16
|
+
## What to Tell Your User
|
|
17
|
+
|
|
18
|
+
This is internal plumbing that ships turned off, so nothing changes for you day to day. What it builds toward, with a safety guarantee baked in: the under-the-hood feature that moves a credential between your subscription accounts only works for sessions that read their login from the on-disk store I manage. If a session was instead launched with a login token handed straight to it in its environment, that session ignores the store entirely and the moving trick would be a no-op for it. So this step teaches me to record, the moment each session starts, which of those two kinds it is — and to refuse to run the whole moving feature at all whenever any running session is the kind I cannot steer. That refusal is deliberate and visible, with a plain reason, rather than the feature quietly mis-handling a session it does not actually control. It is off by default and does nothing until the feature is turned on after a review window.
|
|
19
|
+
|
|
20
|
+
## Summary of New Capabilities
|
|
21
|
+
|
|
22
|
+
One new exported class — `CredentialEnvTokenGate` (the env-token applicability gate: refuses on the config field OR a live env-token session in the fleet, with a named reason) — plus a new additive optional `Session.credentialSource` provenance field set at every claude-code spawn lane, and the `GET /credentials/rebalancer` route surfacing the gate verdict. All gated by the existing `subscriptionPool.credentialRepointing` flag. No new gate flag, no new unfunneled credential write path.
|
|
23
|
+
|
|
24
|
+
## Evidence
|
|
25
|
+
|
|
26
|
+
- `tests/unit/credential-env-token-gate.test.ts` (18) — config predicate (permits empty/undefined; refuses on sk-ant-oat, on a direct sk-ant-api03 key, and on any non-empty value); live-fleet path (refuses on one running env session with config empty, counts multiple, ignores a non-running env session and a non-claude env session, treats undefined as store, config-field refusal short-circuits before the fleet scan); attribution-suppression (`shouldAttributeSlotTenant` false for env, true for store/undefined); and the single-source-of-truth blocker proven by a static grep-assert against the real SessionManager source (exactly 3 env-block predicates + 3 identical provenance derivations + 4 record writes).
|
|
27
|
+
- `tests/integration/credential-routes.test.ts` (+3) — the rebalancer route surfaces the config-field refusal (scrubbed, no token leak), the live-fleet refusal (mid-life flip, config empty), and permits when config empty + all-store fleet.
|
|
28
|
+
- `tests/e2e/credential-repointing-routes-alive.test.ts` (+3) — feature-alive on the real AgentServer factory: rebalancer DARK is a strict 503 no-op, ENABLED + clean config + all-store fleet permits, ENABLED + a live env-token session refuses with the named reason.
|
|
29
|
+
- tsc clean; full `npm run lint` clean (dark-gate 16/16 unchanged — no ConfigDefaults touched); no-silent-fallbacks + no-empty-catch-blocks + feature-delivery-completeness + docs-coverage green.
|
|
@@ -0,0 +1,201 @@
|
|
|
1
|
+
# Side-Effects Review — Dev-Agent Dark-Gate Teeth (CMT-1438)
|
|
2
|
+
|
|
3
|
+
**Version / slug:** `dev-agent-dark-gate-teeth`
|
|
4
|
+
**Date:** `2026-06-13`
|
|
5
|
+
**Author:** `echo`
|
|
6
|
+
**Second-pass reviewer:** `required (touches gate/sentinel/migration) — see below`
|
|
7
|
+
|
|
8
|
+
## Summary of the change
|
|
9
|
+
|
|
10
|
+
Retires the catch-all `deliberate-fleet-default` category from the `DarkGateCategory`
|
|
11
|
+
enum and adds a concrete `action-bearing` category, so every "off even on dev"
|
|
12
|
+
classification must name a real reason dev-live is wrong (unsafe: destructive /
|
|
13
|
+
cost-bearing / action-bearing; or not-runnable: optional-integration /
|
|
14
|
+
structural-stub). Tightens the CI lint (`scripts/lint-dev-agent-dark-gate.js` +
|
|
15
|
+
`scripts/lib/dark-gate-attribution.js`) to reject the retired category and adds a
|
|
16
|
+
count-match guard that fails loud when an exclusion entry escapes category validation
|
|
17
|
+
(the backtick-reason silent-skip hole). Reclassifies the 11 occupants: after per-feature
|
|
18
|
+
D4 code-grounding, 4 move to `DEV_GATED_FEATURES` (parallelWorkSentinel, failureLearning,
|
|
19
|
+
releaseReadiness, bootHealthBeacon) — their construction sites now route through
|
|
20
|
+
`resolveDevAgentGate` and their `enabled: false` literal is removed from ConfigDefaults;
|
|
21
|
+
7 stay exclusions with concrete categories (correctionLearning=cost-bearing,
|
|
22
|
+
apprenticeshipCycleSla/geminiCapacityEscalation/greenPrAutoMerge/a2aCheckIn=action-bearing,
|
|
23
|
+
mentor/mentee=optional-integration). Adds `PostUpdateMigrator.migrateDevGateTeethStrip` —
|
|
24
|
+
a one-shot, dev-agent-only strip of stale persisted `enabled: false` for the 4 paths so
|
|
25
|
+
the move actually lands on existing dev agents.
|
|
26
|
+
Files: `src/core/devGatedFeatures.ts`, `scripts/lib/dark-gate-attribution.js`,
|
|
27
|
+
`scripts/lint-dev-agent-dark-gate.js`, `src/config/ConfigDefaults.ts`,
|
|
28
|
+
`src/server/AgentServer.ts` (parallelWorkSentinel + failureLearning gates),
|
|
29
|
+
`src/commands/server.ts` (releaseReadiness + bootHealthBeacon gates),
|
|
30
|
+
`src/server/CapabilityIndex.ts` (failureLearning capability report),
|
|
31
|
+
`src/core/PostUpdateMigrator.ts` (D5 migration) + 3 test files.
|
|
32
|
+
|
|
33
|
+
## Decision-point inventory
|
|
34
|
+
|
|
35
|
+
- `DarkGateCategory` enum (classification taxonomy) — **modify** — drop the catch-all, add `action-bearing`; closes the willpower escape hatch.
|
|
36
|
+
- `lint-dev-agent-dark-gate.js` Assertion C (CI gate) — **modify** — the closed-enum membership check tightens (one fewer valid category) + a count-match guard added.
|
|
37
|
+
- `resolveDevAgentGate` at 4 construction sites — **modify (pass-through to the funnel)** — the 4 features' enable check now goes through the existing dev-gate funnel instead of a hand-rolled `=== true`. No new decision logic; it reuses the established resolver.
|
|
38
|
+
- `migrateDevGateTeethStrip` — **add** — a config-mutation migration (deletes a stale `enabled: false`), dev-agent-only, run-once. Not an information-flow gate.
|
|
39
|
+
|
|
40
|
+
---
|
|
41
|
+
|
|
42
|
+
## 1. Over-block
|
|
43
|
+
|
|
44
|
+
No outbound/inbound message block surface. The only "block"-shaped surface is the CI
|
|
45
|
+
lint, which now *rejects* (a) an exclusion using the retired `deliberate-fleet-default`
|
|
46
|
+
category and (b) an exclusion entry that doesn't fully parse (count-mismatch). The
|
|
47
|
+
count-match guard can *over-trip* on a legitimate-but-unparseable entry — specifically
|
|
48
|
+
an exclusion `reason` written with embedded quotes or a backtick/template literal. This
|
|
49
|
+
is intentional fail-safe behavior (it forces a parseable, single-line, quote-delimited
|
|
50
|
+
reason); it never lets a bad entry through. It surfaced exactly once during this build
|
|
51
|
+
(my own reasons contained embedded `"`), was loud, and was fixed by rewording — proving
|
|
52
|
+
the guard works. Authoring constraint, not a runtime over-block.
|
|
53
|
+
|
|
54
|
+
---
|
|
55
|
+
|
|
56
|
+
## 2. Under-block
|
|
57
|
+
|
|
58
|
+
The lint still matches the literal `enabled: false` spelling only (a pre-existing,
|
|
59
|
+
documented limitation — a non-literal `enabled: someFlag ?? false` evades attribution).
|
|
60
|
+
The count-match guard closes the parsed-path-without-a-parsed-entry class (backtick
|
|
61
|
+
reasons, reordered fields) but the registry parser remains regex-based, so other
|
|
62
|
+
source-shape shifts (object spread, imported constants, `as const`) are still a
|
|
63
|
+
theoretical blind spot — disclosed in the spec and tracked as a follow-up (AST /
|
|
64
|
+
pure-data registry). The category honesty itself is never machine-checked (the lint
|
|
65
|
+
validates spelling + reason length, not truthfulness); D4 code-grounding + the
|
|
66
|
+
GrowthMilestoneAnalyst R6 runtime cross-check are the backstops, also disclosed.
|
|
67
|
+
|
|
68
|
+
---
|
|
69
|
+
|
|
70
|
+
## 3. Level-of-abstraction fit
|
|
71
|
+
|
|
72
|
+
Right layer. The change does NOT add a new detector or authority — it (a) edits a
|
|
73
|
+
classification enum + its CI lint (build-time signal), and (b) routes 4 features through
|
|
74
|
+
the EXISTING `resolveDevAgentGate` funnel rather than re-implementing the gate inline
|
|
75
|
+
(it removes 4 hand-rolled `=== true` checks). The migration reuses the EXISTING
|
|
76
|
+
`migrateCartographerDevGate` pattern (same `_instar_migrations` marker machinery, same
|
|
77
|
+
dev-agent guard). Nothing is re-implemented; everything feeds or reuses an existing
|
|
78
|
+
primitive.
|
|
79
|
+
|
|
80
|
+
---
|
|
81
|
+
|
|
82
|
+
## 4. Signal vs authority compliance
|
|
83
|
+
|
|
84
|
+
**Required reference:** [docs/signal-vs-authority.md](../../docs/signal-vs-authority.md)
|
|
85
|
+
|
|
86
|
+
- [x] No — this change produces a signal consumed by an existing smart gate / has no
|
|
87
|
+
runtime block-allow surface.
|
|
88
|
+
|
|
89
|
+
The CI lint is a deterministic build-time *signal-emitter* (it fails CI on an invalid
|
|
90
|
+
classification); it is not a runtime authority over agent behavior. The spec is explicit
|
|
91
|
+
that the lint closes only the *unclassified/invalid-category* hole — it does NOT
|
|
92
|
+
adjudicate category *honesty* (that is D4 + R6). `resolveDevAgentGate` is the established
|
|
93
|
+
funnel, not a new brittle authority. No brittle blocking authority is added.
|
|
94
|
+
|
|
95
|
+
---
|
|
96
|
+
|
|
97
|
+
## 5. Interactions
|
|
98
|
+
|
|
99
|
+
- **Shadowing:** the 4 construction-site gate calls replace `=== true` with
|
|
100
|
+
`resolveDevAgentGate(...)`. For 3 of the 4, routes/consumers already gate on the
|
|
101
|
+
*constructed instance* (null → 503), so they follow the gate result with no shadowing.
|
|
102
|
+
For `failureLearning`, `CapabilityIndex` also reads the flag — updated to the SAME
|
|
103
|
+
funnel so the capability report matches the construction gate (no skew).
|
|
104
|
+
- **Double-fire:** `migrateDevGateTeethStrip` shares the `_instar_migrations` ledger
|
|
105
|
+
with `migrateCartographerDevGate`; the new marker key (`dev-gate-teeth-strip`) is
|
|
106
|
+
distinct (not a prefix of, nor prefixed by, `cartographer-dev-gate-strip`), so the two
|
|
107
|
+
run independently and each exactly once. Verified by the round-2 integration review.
|
|
108
|
+
- **Races:** the migration runs in the single-threaded PostUpdateMigrator pass at update
|
|
109
|
+
time; no concurrent writer to config.json during it.
|
|
110
|
+
- **Feedback loops:** none. The lint is one-way (CI fails or passes).
|
|
111
|
+
|
|
112
|
+
---
|
|
113
|
+
|
|
114
|
+
## 6. External surfaces
|
|
115
|
+
|
|
116
|
+
- **Other agents on the machine:** none — the change is per-agent config + a CI lint.
|
|
117
|
+
- **Install base:** fleet behavior is byte-for-byte unchanged (every reclassified flag
|
|
118
|
+
still resolves `false` on a non-development agent; the migration is dev-agent-only).
|
|
119
|
+
Only development agents gain the 4 live observers.
|
|
120
|
+
- **External systems (Telegram/GitHub/etc.):** the 4 features moved live are
|
|
121
|
+
D4-verified to make NO automatic outbound send on enable (parallelWorkSentinel: local
|
|
122
|
+
event/JSONL; failureLearning: append-only ledger, send path unimplemented;
|
|
123
|
+
releaseReadiness: read surface only, sends gated behind the separate dark job;
|
|
124
|
+
bootHealthBeacon: localhost-only inbound socket). The 3 features that DO auto-send
|
|
125
|
+
(correctionLearning spend; apprenticeshipCycleSla/geminiCapacityEscalation Telegram)
|
|
126
|
+
were deliberately HELD as exclusions precisely to avoid that surface on dev.
|
|
127
|
+
- **Persistent state:** the migration deletes a stale `enabled: false` key from the dev
|
|
128
|
+
agent's own `config.json` (and records a run-once marker). Reported in the migration
|
|
129
|
+
result summary so a non-Echo operator sees which flags were freed.
|
|
130
|
+
- **Operator surface (Mobile-Complete):** no operator-facing actions added — no route, no
|
|
131
|
+
form, no PIN-gated action. Not applicable.
|
|
132
|
+
|
|
133
|
+
---
|
|
134
|
+
|
|
135
|
+
## 6b. Operator-surface quality (Operator-Surface Quality standard)
|
|
136
|
+
|
|
137
|
+
No operator surface — this change touches no dashboard renderer/markup, approval page, or
|
|
138
|
+
grant/revoke/secret-drop form. Not applicable.
|
|
139
|
+
|
|
140
|
+
---
|
|
141
|
+
|
|
142
|
+
## 7. Multi-machine posture (Cross-Machine Coherence)
|
|
143
|
+
|
|
144
|
+
**machine-local BY DESIGN.** The dev-feature classification is a code-shipped TypeScript
|
|
145
|
+
enum + `ConfigDefaults` + each agent's per-machine `.instar/config.json`; `developmentAgent`
|
|
146
|
+
is intrinsically a per-machine identity. None of the `multiMachine.stateSync.*` replicated
|
|
147
|
+
kinds cover config flags or dev-gate state, and nothing here should follow the agent across
|
|
148
|
+
machines — a machine either is or isn't a development agent. The D5 migration is
|
|
149
|
+
dev-agent-only and mutates only the local config.json. No user-facing notice is emitted by
|
|
150
|
+
this change (the 4 live features that COULD notify are either send-inert on enable or held
|
|
151
|
+
as exclusions). No durable cross-machine state, no generated URLs. Confirmed by the
|
|
152
|
+
round-1 integration reviewer (no journal kind needed).
|
|
153
|
+
|
|
154
|
+
---
|
|
155
|
+
|
|
156
|
+
## 8. Rollback cost
|
|
157
|
+
|
|
158
|
+
Pure code + config-default change. Back-out = revert the commit (re-adds the
|
|
159
|
+
`deliberate-fleet-default` enum member, the 4 `enabled: false` literals, the 4
|
|
160
|
+
construction-site `=== true` checks, and removes the migration) and ship a patch. The D5
|
|
161
|
+
migration is idempotent and run-once; a rolled-back agent that already ran it keeps its
|
|
162
|
+
stripped config (the 4 flags then resolve via the reverted hardcoded `false` again — back
|
|
163
|
+
to dark — with no error). No data migration, no agent state repair, no user-visible
|
|
164
|
+
regression during the rollback window (fleet was never changed). An operator who wants a
|
|
165
|
+
freed flag off again simply re-adds `enabled: false` (the run-once marker preserves it).
|
|
166
|
+
|
|
167
|
+
---
|
|
168
|
+
|
|
169
|
+
## Conclusion
|
|
170
|
+
|
|
171
|
+
This review (plus the 6-round spec convergence that preceded it) reshaped the change in
|
|
172
|
+
three material ways: (1) the migration was added after convergence found the 4 flags
|
|
173
|
+
would otherwise stay dark on Echo (the cartographer trap); (2) D4 code-grounding held 3
|
|
174
|
+
of 7 candidates back as honest exclusions when their code contradicted "observe-only";
|
|
175
|
+
(3) the count-match lint guard was added after the adversarial reviewer found the
|
|
176
|
+
backtick-reason silent-skip. The change adds no runtime blocking authority, makes no
|
|
177
|
+
automatic external send on the dev agent (the senders are held off), leaves the fleet
|
|
178
|
+
byte-for-byte unchanged, and is cleanly reversible. Clear to ship.
|
|
179
|
+
|
|
180
|
+
---
|
|
181
|
+
|
|
182
|
+
## Second-pass review (if required)
|
|
183
|
+
|
|
184
|
+
**Reviewer:** independent reviewer subagent
|
|
185
|
+
**Independent read of the artifact: concur**
|
|
186
|
+
|
|
187
|
+
Concur with the review. The reviewer grounded every claim against the actual diff and confirmed: (1) all 4 construction sites route through `resolveDevAgentGate` with no hand-rolled `?? !!developmentAgent` (AgentServer.ts:858/1238, server.ts:3041/13258, CapabilityIndex.ts:794); (2) the migration allowlist is EXACTLY the 4 dev-gated paths, dev-agent-guarded, with a run-once marker distinct from cartographer's; (3) the signal-vs-authority answer holds (build-time signal + reused funnel + fail-safe count-match guard, no new blocking authority); (4) the highest-risk check — a missed read site — was investigated: the 4 flags also feed `src/monitoring/guardManifest.ts` → the `/guards` posture endpoint, but `guardPosture.ts:resolveGuardConfigSnapshot` already iterates `DEV_GATED_FEATURES` and injects the gate-resolved value, so moving the 4 into the registry makes `/guards` resolve them live on a dev agent automatically — NO "live-but-reported-disabled" skew, and the now-absent default raises no spurious boot tripwire. The reviewer's one non-blocking nit (stale "ships dark" prose in 4 `guardManifest.ts` descriptions) was fixed in this commit (descriptions now say "(dev-gated)"). Clear to ship.
|
|
188
|
+
|
|
189
|
+
---
|
|
190
|
+
|
|
191
|
+
## Evidence pointers
|
|
192
|
+
|
|
193
|
+
- Spec + convergence report: `docs/specs/DEV-AGENT-DARK-GATE-TEETH-SPEC.md`,
|
|
194
|
+
`docs/specs/reports/dev-agent-dark-gate-teeth-convergence.md` (6 rounds, real
|
|
195
|
+
cross-model pass codex-cli:gpt-5.5).
|
|
196
|
+
- Tests: `tests/unit/lint-dev-agent-dark-gate.test.ts` (enum/category/count-match +
|
|
197
|
+
drift canary), `tests/unit/devGatedFeatures-wiring.test.ts` (42 tests — 4 new entries
|
|
198
|
+
resolve live-on-dev/dark-on-fleet), `tests/unit/PostUpdateMigrator-devGateTeethStrip.test.ts`
|
|
199
|
+
(7 tests — migration both sides + idempotency + the 3 held), `tests/integration/dev-gate-teeth-rollout.test.ts`
|
|
200
|
+
(5 tests — full migration→defaults→resolver pipeline + two-switch drift guard).
|
|
201
|
+
- D4 grounding evidence (file:line) is in the spec's "D4 grounding result" section.
|
|
@@ -0,0 +1,78 @@
|
|
|
1
|
+
# Side-effects review — WS5.2 Step 8 (credential provenance flag + env-token gate)
|
|
2
|
+
|
|
3
|
+
**Spec:** `docs/specs/live-credential-repointing-rebalancer.md` (approved:true, converged) §2.10/§0.b/§2.4, build-plan §8.
|
|
4
|
+
**Tier:** 2 (src code + a read-time gate + a session-record metadata field; ships DARK behind the EXISTING `subscriptionPool.credentialRepointing` flag — NO new gate flag).
|
|
5
|
+
**Parent principle:** Cross-Machine Coherence — One Agent, Robust Under Degraded Conditions.
|
|
6
|
+
**Second-pass reviewer:** independent reviewer subagent (this change touches a "gate" → Phase 5 required).
|
|
7
|
+
|
|
8
|
+
## What changed
|
|
9
|
+
|
|
10
|
+
- **NEW `src/core/CredentialEnvTokenGate.ts`** — the §2.10 env-token gate (the §0.b applicability precondition, enforced). Pure evaluator (no IO): `evaluate()` REFUSES the feature, with a NAMED CATEGORY reason, when (a) `config.anthropicApiKey` is ANY non-empty value (OAuth OR API key — round-3) OR (b) any RUNNING claude-code session's durable `credentialSource` flag is `'env'` (the live-fleet path that closes the mid-life flip). The static helper `shouldAttributeSlotTenant(session)` is `false` for an env session (its usage is never mis-attributed to a slot tenant — §2.10 requirement 3).
|
|
11
|
+
- **`src/core/types.ts`** — adds `Session.credentialSource?: 'store' | 'env'` (additive optional metadata field; no `enabled:` literal → dark-gate UNCHANGED).
|
|
12
|
+
- **`src/core/SessionManager.ts`** — sets `credentialSource` on the session record at all four claude-code spawn record-writes. At the three env-block lanes (headless `~:1846`, rerouted-interactive `~:2127`, interactive `~:3248`) it is derived from the **IDENTICAL** expression that selects the Anthropic env block — `(this.config.anthropicApiKey ?? '') !== '' ? 'env' : 'store'`, computed at the spawn site, NEVER a recomputation. The triage lane hardcodes `'store'` (it always empties `ANTHROPIC_API_KEY=`, so it deterministically reads the store).
|
|
13
|
+
- **`src/commands/server.ts`** — constructs the `CredentialEnvTokenGate` (reading `config.sessions.anthropicApiKey` — the SAME source `sessionManagerConfig` spreads into SessionManager — and `state.listSessions()`); AND-s its refusal into the `CredentialLocationGate.isEnabled` (so a §2.10 refusal suppresses ALL re-pointing attribution: requirement 3 enforced structurally through the one gate the QuotaPoller already consults); adds the gate to the `credentialRepointing` bundle.
|
|
14
|
+
- **`src/server/routes.ts`** — adds `envTokenGate` to the `credentialRepointing` RouteContext type; `GET /credentials/rebalancer` now surfaces the gate verdict (refused + named reason + envSessionCount) when the flag is ON, scrubbed via `audit.response`. DARK → strict 503 no-op (unchanged).
|
|
15
|
+
- **Tests:** NEW `tests/unit/credential-env-token-gate.test.ts` (18); extended `tests/integration/credential-routes.test.ts` (+3 rebalancer cases) and `tests/e2e/credential-repointing-routes-alive.test.ts` (+3 cases, incl. live env-token fleet); widened the look-back window in `tests/unit/codex-model-swap-wiring.test.ts` (the §2.10 derivation sits between `effectiveAccountId` and `buildInteractiveLaunch` — the WS5.3 source-string-ratchet lesson).
|
|
16
|
+
|
|
17
|
+
## Decision-point inventory
|
|
18
|
+
|
|
19
|
+
- `CredentialEnvTokenGate.evaluate()` — **add** — the §2.10 refusal decision (config field OR live fleet). It is a SIGNAL feeding the rebalancer status surface + the location-gate enablement; it never blocks a session spawn, a message, or a swap directly.
|
|
20
|
+
- `CredentialLocationGate.isEnabled` AND-in — **modify** — a §2.10 refusal makes the location gate behave as dark (attribution off) so the QuotaPoller stops re-routing reads/attribution through moved slots for an env fleet.
|
|
21
|
+
- `Session.credentialSource` derivation — **add** — additive provenance metadata, not a decision (it is the durable INPUT the gate's fleet scan reads).
|
|
22
|
+
|
|
23
|
+
## State files / migrations
|
|
24
|
+
|
|
25
|
+
- **No new state file.** `credentialSource` rides the existing session record (`state/sessions/*.json`); additive optional field, absent on legacy records (treated as `'store'` — the safe, non-refusing direction).
|
|
26
|
+
- **No migration in Step 8.** The CLAUDE.md awareness template + `migrateConfig`/`migrateClaudeMd` + CapabilityIndex are explicitly scoped to **build-plan §9 (Step 9 — Migration parity)** — tracked there, not deferred silently. No new config flag means nothing to migrate for the gate itself.
|
|
27
|
+
|
|
28
|
+
## Blast radius / reversibility
|
|
29
|
+
|
|
30
|
+
- **Ships DARK.** The gate is only consulted behind `subscriptionPool.credentialRepointing.enabled` (the location-gate AND-in short-circuits on the flag BEFORE evaluating the gate, and the rebalancer route 503s while dark). With the flag off (always, fleet-wide) the only runtime delta is the additive `credentialSource` field on new session records — free metadata, never read. E2E proves the dark surface is a byte-for-byte 503 no-op.
|
|
31
|
+
- Reversibility: revert the commit. The `credentialSource` field is inert metadata; no credential write, no schema migration, no durable state to repair. A swap is still the reversible oracle-verified permutation from Step 5.
|
|
32
|
+
|
|
33
|
+
## Per-Phase-C (multi-machine posture)
|
|
34
|
+
|
|
35
|
+
- **Machine-local BY DESIGN.** The gate is per-machine: each machine evaluates ITS OWN `config.sessions.anthropicApiKey` + ITS OWN `state.listSessions()`. An N-machine pool is N independent gates; a machine running an env-token fleet refuses LOCALLY without reading or affecting a peer's store-reading fleet. No cross-machine credential read, no LAN/broadcast assumption. The `credentialSource` flag is per-session-per-machine durable metadata and never crosses machines (it would be meaningless on another machine, whose config/fleet differ). This is the correct posture: env-vs-store is a function of the LOCAL config field + the LOCAL fleet, so a remote read would be both unnecessary and a coherence hazard.
|
|
36
|
+
|
|
37
|
+
## Adversarial review (4 lenses, folded as named tests)
|
|
38
|
+
|
|
39
|
+
1. **Single-source-of-truth provenance (THE blocker)** — the flag is the IDENTICAL `(this.config.anthropicApiKey ?? '')` expression as the env-block selection at each of the three lanes, computed at the spawn site. Proven by a static grep-assert against the real SessionManager source (exactly 3 env-block predicates + 3 identical provenance derivations + 4 record writes) — an independent recomputation would fail it. A divergence test guards the staleness class this whole spec exists to kill.
|
|
40
|
+
2. **Mid-life-flip / live-fleet** — the gate refuses on a running `env` session even when the config field is empty (named unit + integration + e2e tests). A config-only gate would miss it; the fleet scan reads the durable flag.
|
|
41
|
+
3. **Attribution-suppression** — `shouldAttributeSlotTenant` is false for an env session (named test); structurally, the location-gate AND-in suppresses re-pointing attribution wholesale on refusal so the QuotaPoller never mis-attributes an env session's usage to a slot tenant.
|
|
42
|
+
4. **Dark-ship inertness** — flag OFF → rebalancer 503 strict no-op; record-write shape unchanged except the additive field (e2e "feature is alive" — the single most important test).
|
|
43
|
+
|
|
44
|
+
## Silent-fallback tags
|
|
45
|
+
|
|
46
|
+
`CredentialEnvTokenGate` is pure logic with NO catch blocks. The route/server edits add no new catch. no-silent-fallbacks (5/5) + no-empty-catch-blocks (4/4) pass with NO baseline bump.
|
|
47
|
+
|
|
48
|
+
## Second-pass review (Phase 5 — independent reviewer subagent)
|
|
49
|
+
|
|
50
|
+
**Concur with the review.** All seven load-bearing invariants verified against the actual code:
|
|
51
|
+
1. Single-source-of-truth — the `credentialSource` derivation is the IDENTICAL `(this.config.anthropicApiKey ?? '') !== ''` expression adjacent to each lane's `.startsWith('sk-ant-oat')` env-block predicate over the SAME `this.config.anthropicApiKey` field (SessionManager lanes 1/2/3); triage hardcodes `'store'` and demonstrably empties `ANTHROPIC_API_KEY=`. Not a recomputation.
|
|
52
|
+
2. Config predicate is "any non-empty value" (`key !== ''`), correctly broader than the launch's sk-ant-oat branch (both branches set a store-bypassing env var).
|
|
53
|
+
3. Gate ANDs the live-fleet scan (running + claude-code + `credentialSource === 'env'`, undefined→store safe default) onto the config check, closing the mid-life-flip hole.
|
|
54
|
+
4. The location-gate `isEnabled` AND-in is sound: `&&` short-circuits on the dark flag BEFORE `evaluate()` is ever called (true no-op while dark); on refusal it suppresses re-pointing attribution wholesale (the conservatively-correct direction); `shouldAttributeSlotTenant` false for env.
|
|
55
|
+
5. Gate-level single-source-of-truth holds — `config.sessions?.anthropicApiKey` is the same value `sessionManagerConfig = { ...config.sessions }` feeds SessionManager (anthropicApiKey not overridden).
|
|
56
|
+
6. Dark surface is a strict 503 no-op through the scrub chokepoint; the only record-shape delta is the additive optional field.
|
|
57
|
+
7. Signal-vs-authority: advisory except the attribution-suppression AND-in, which is appropriate and non-brittle (a boolean over a durable flag with a safe default).
|
|
58
|
+
|
|
59
|
+
No concern raised.
|
|
60
|
+
|
|
61
|
+
## Gate-ratchet results (run locally before push)
|
|
62
|
+
|
|
63
|
+
- `tsc --noEmit` clean; full `npm run lint` clean (includes dark-gate 16/16 — **UNCHANGED**, no ConfigDefaults touch).
|
|
64
|
+
- no-silent-fallbacks 5/5, no-empty-catch-blocks 4/4, feature-delivery-completeness 97/97, docs-coverage --check pass (floor-based; internal-plumbing symbol, no floor breach).
|
|
65
|
+
- credential-env-token-gate 18/18; credential-routes (integration) all pass incl. 3 new rebalancer cases; credential-repointing-routes-alive (e2e) 6/6 incl. live env-token fleet; codex-model-swap-wiring 7/7 (window widened); all SessionManager wiring/activation tests green.
|
|
66
|
+
|
|
67
|
+
## Second-pass review verdict (Phase 5 — required: change touches a "gate")
|
|
68
|
+
|
|
69
|
+
Independent reviewer subagent audited the gate + the 4 spawn-site provenance derivations + the dark-ship short-circuit against the real code (not the artifact's claims), and against `docs/signal-vs-authority.md`. All six verification points held:
|
|
70
|
+
|
|
71
|
+
1. **Single-source-of-truth** — all 3 env-block lanes (`SessionManager.ts:1844/2126/3246`) derive `credentialSource` from the identical `(this.config.anthropicApiKey ?? '') !== ''` predicate adjacent to their own env-block write; the triage lane hardcodes `'store'` and provably empties `ANTHROPIC_API_KEY=`. The gate reads `config.sessions?.anthropicApiKey` (`server.ts:9213`), which is the SAME value `sessionManagerConfig = {...config.sessions}` feeds SessionManager (not overridden). Not a recompute.
|
|
72
|
+
2. **Fail-safe direction** — `credentialSource==='env'` is the only fleet-path refusal; `undefined`→`'store'` (non-refusing). A refusal disables the FEATURE (re-pointing attribution), never messaging/sessions/swaps.
|
|
73
|
+
3. **Dark-ship inertness** — `enabled === true && !gate.evaluate().refused` short-circuits on the flag BEFORE `evaluate()`; the route 503s before evaluating. Byte-for-byte prior behavior when dark.
|
|
74
|
+
4. **Config predicate** — refuses on ANY non-empty `anthropicApiKey` (OAuth `sk-ant-oat` OR api key), matching both SessionManager launch branches.
|
|
75
|
+
5. **Signal-vs-authority** — a deterministic policy evaluator over a structured durable flag, not a brittle detector; the only authority it holds is suppressing the feature itself (the conservatively-correct fail-safe), which the principle doc explicitly permits for a domain this constrained.
|
|
76
|
+
6. **Over/under-refuse** — the mixed-fleet whole-feature refusal is conservatively-correct (refuse rather than mis-steer); machine-local posture is correct. No hole found.
|
|
77
|
+
|
|
78
|
+
**Verdict: CONCUR.** The side-effects artifact's claims all hold against the actual code.
|