instar 1.3.539 → 1.3.541

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (44) hide show
  1. package/dist/commands/server.d.ts.map +1 -1
  2. package/dist/commands/server.js +37 -7
  3. package/dist/commands/server.js.map +1 -1
  4. package/dist/config/ConfigDefaults.d.ts.map +1 -1
  5. package/dist/config/ConfigDefaults.js +23 -21
  6. package/dist/config/ConfigDefaults.js.map +1 -1
  7. package/dist/core/CredentialEnvTokenGate.d.ts +98 -0
  8. package/dist/core/CredentialEnvTokenGate.d.ts.map +1 -0
  9. package/dist/core/CredentialEnvTokenGate.js +103 -0
  10. package/dist/core/CredentialEnvTokenGate.js.map +1 -0
  11. package/dist/core/PostUpdateMigrator.d.ts +1 -0
  12. package/dist/core/PostUpdateMigrator.d.ts.map +1 -1
  13. package/dist/core/PostUpdateMigrator.js +83 -0
  14. package/dist/core/PostUpdateMigrator.js.map +1 -1
  15. package/dist/core/SessionManager.d.ts.map +1 -1
  16. package/dist/core/SessionManager.js +27 -0
  17. package/dist/core/SessionManager.js.map +1 -1
  18. package/dist/core/devGatedFeatures.d.ts +12 -1
  19. package/dist/core/devGatedFeatures.d.ts.map +1 -1
  20. package/dist/core/devGatedFeatures.js +51 -37
  21. package/dist/core/devGatedFeatures.js.map +1 -1
  22. package/dist/core/types.d.ts +18 -0
  23. package/dist/core/types.d.ts.map +1 -1
  24. package/dist/core/types.js.map +1 -1
  25. package/dist/monitoring/guardManifest.js +4 -4
  26. package/dist/monitoring/guardManifest.js.map +1 -1
  27. package/dist/server/AgentServer.d.ts.map +1 -1
  28. package/dist/server/AgentServer.js +15 -11
  29. package/dist/server/AgentServer.js.map +1 -1
  30. package/dist/server/CapabilityIndex.d.ts.map +1 -1
  31. package/dist/server/CapabilityIndex.js +4 -1
  32. package/dist/server/CapabilityIndex.js.map +1 -1
  33. package/dist/server/routes.d.ts +3 -0
  34. package/dist/server/routes.d.ts.map +1 -1
  35. package/dist/server/routes.js +29 -3
  36. package/dist/server/routes.js.map +1 -1
  37. package/package.json +1 -1
  38. package/scripts/lib/dark-gate-attribution.js +7 -2
  39. package/scripts/lint-dev-agent-dark-gate.js +19 -1
  40. package/src/data/builtin-manifest.json +65 -65
  41. package/upgrades/1.3.540.md +70 -0
  42. package/upgrades/1.3.541.md +29 -0
  43. package/upgrades/side-effects/dev-agent-dark-gate-teeth.md +201 -0
  44. package/upgrades/side-effects/ws52-step8-provenance-gate.md +78 -0
@@ -0,0 +1,70 @@
1
+ # Upgrade Guide — vNEXT
2
+
3
+ <!-- assembled-by: assemble-next-md -->
4
+ <!-- bump: patch -->
5
+
6
+ ## What Changed
7
+
8
+ Retired the catch-all `deliberate-fleet-default` category from the dev-feature
9
+ dark-gate classification and added a concrete `action-bearing` category. Every
10
+ "off even on a development agent" feature must now name a real reason it would be
11
+ unsafe or non-runnable there — it kills/deletes, spends money, takes an external
12
+ action, or needs per-deployment config — and the vague "off by policy" bucket is
13
+ gone. The CI lint (`scripts/lint-dev-agent-dark-gate.js`) rejects the retired
14
+ category and now fails loud if an exclusion entry escapes category validation (the
15
+ backtick-reason silent-skip hole), via a count-match guard in
16
+ `scripts/lib/dark-gate-attribution.js`.
17
+
18
+ Reclassified the 11 features that were in the retired bucket. Each candidate for
19
+ going live on a development agent was re-grounded against its actual code (D4): 4
20
+ verified safe and moved to `DEV_GATED_FEATURES` (`parallelWorkSentinel`,
21
+ `failureLearning`, `releaseReadiness`, `bootHealthBeacon`) — their `enabled` flag
22
+ is now omitted from `ConfigDefaults` so the developmentAgent gate resolves them
23
+ live-on-dev / dark-on-fleet, and their construction sites route through
24
+ `resolveDevAgentGate`. The other 3 candidates were held back as honest exclusions
25
+ because their code contradicted "observe-only": `correctionLearning` (cost-bearing
26
+ — per-message LLM spend), `apprenticeshipCycleSla` and `geminiCapacityEscalation`
27
+ (action-bearing — auto-post Telegram alerts). `greenPrAutoMerge` + `a2aCheckIn` are
28
+ recategorized action-bearing; `mentor` + `mentee` optional-integration.
29
+
30
+ Added a one-shot, dev-agent-only `PostUpdateMigrator.migrateDevGateTeethStrip` that
31
+ strips a stale persisted `enabled: false` for the 4 newly-dev-gated flags so an
32
+ existing development agent actually picks up the change (without it the add-missing
33
+ config merge would leave the stale value and the features would stay dark — the
34
+ cartographer trap).
35
+
36
+ ## What to Tell Your User
37
+
38
+ Nothing changes for you on a normal install — every one of these features stays off
39
+ until you turn it on, exactly as before. On a development agent (the dogfooding
40
+ machine), four watch-only helpers now switch on automatically after the update: a
41
+ parallel-work overlap watcher, a failure-learning recorder, a release-readiness
42
+ watcher, and a boot health responder. They only observe and record — none of them
43
+ sends you a message, spends money, or changes anything. Three other helpers that
44
+ were candidates to turn on were deliberately kept off because they would have spent
45
+ money or sent you alerts; you can still switch any of those on yourself if you want
46
+ them.
47
+
48
+ ## Summary of New Capabilities
49
+
50
+ - A development agent now runs four verified watch-only observers live (parallel-work
51
+ overlap, failure-learning, release-readiness, boot health) so they get dogfooded
52
+ before the fleet ever sees them.
53
+ - The dark-feature classification now requires a concrete, honest reason for any
54
+ feature parked "off even on dev" — enforced in CI — so a safe feature can no longer
55
+ be hidden behind a vague "off by policy" label.
56
+
57
+ ## Evidence
58
+
59
+ - Spec + 6-round convergence report with a real cross-model (GPT-tier) external pass:
60
+ `docs/specs/DEV-AGENT-DARK-GATE-TEETH-SPEC.md`,
61
+ `docs/specs/reports/dev-agent-dark-gate-teeth-convergence.md`.
62
+ - Tests (all green): `tests/unit/lint-dev-agent-dark-gate.test.ts` (retired category
63
+ rejected, `action-bearing` accepted, count-match guard, hand-verified drift canary),
64
+ `tests/unit/devGatedFeatures-wiring.test.ts` (the 4 new entries resolve live-on-dev /
65
+ dark-on-fleet through the real `ConfigDefaults`),
66
+ `tests/unit/PostUpdateMigrator-devGateTeethStrip.test.ts` (migration both sides +
67
+ idempotency + the 3 held untouched), `tests/integration/dev-gate-teeth-rollout.test.ts`
68
+ (full migration → defaults → resolver pipeline + the two-switch drift guard).
69
+ - D4 code-grounding evidence (file:line per feature) is recorded in the spec's
70
+ "D4 grounding result" section.
@@ -0,0 +1,29 @@
1
+ # Upgrade Guide — vNEXT
2
+
3
+ <!-- assembled-by: assemble-next-md -->
4
+ <!-- bump: patch -->
5
+
6
+ ## What Changed
7
+
8
+ Enforces the spec's applicability precondition: live credential re-pointing only works for sessions that read their credential from the per-config-home store. A session launched with an env token bypasses that store and is invisible to the mechanism — so this step records, at spawn, WHERE each session's Anthropic credential comes from, and refuses to run the feature whenever an env-token session is present.
9
+
10
+ - **Durable per-session provenance flag** — a new `credentialSource: 'store' | 'env'` field on the session record, set at every claude-code spawn lane. It is derived from the IDENTICAL expression that selects the session's Anthropic env block — `(config.anthropicApiKey ?? '') !== '' ? 'env' : 'store'`, computed at the spawn site — so the flag can never drift from what actually launched the session (single source of truth; an independent recomputation would re-create the staleness class this spec exists to kill).
11
+ - **The env-token gate** — a new `CredentialEnvTokenGate` (src/core/CredentialEnvTokenGate.ts), a pure evaluator. It REFUSES the feature, with a NAMED category reason, when either the config field `anthropicApiKey` is any non-empty value (an OAuth token OR a direct API key — both bypass the store) OR any running claude-code session's provenance flag is `env`. Checking the LIVE fleet — not just the config field — closes the mid-life-flip hole: an operator setting an env token mid-run would otherwise leave already-running store sessions steerable while new env spawns are silently un-steered.
12
+ - **Named reason on the status route** — `GET /credentials/rebalancer`, when the feature flag is ON, now surfaces the gate verdict (refused, the reason category, and the count of env sessions), scrubbed through the existing secret-scrub chokepoint. Dark (flag off) it stays a strict 503 no-op.
13
+ - **Attribution-suppression** — on a gate refusal the location gate behaves as dark, so the quota poller stops routing reads/attribution through moved slots: an env session's usage is never mis-attributed to a slot tenant.
14
+ - **Dark** — gated by the existing `subscriptionPool.credentialRepointing` flag. With the feature off (the fleet + dev default) the gate is never consulted and the only delta is the additive provenance field on new session records (free metadata, never read) — byte-for-byte today's behavior.
15
+
16
+ ## What to Tell Your User
17
+
18
+ This is internal plumbing that ships turned off, so nothing changes for you day to day. What it builds toward, with a safety guarantee baked in: the under-the-hood feature that moves a credential between your subscription accounts only works for sessions that read their login from the on-disk store I manage. If a session was instead launched with a login token handed straight to it in its environment, that session ignores the store entirely and the moving trick would be a no-op for it. So this step teaches me to record, the moment each session starts, which of those two kinds it is — and to refuse to run the whole moving feature at all whenever any running session is the kind I cannot steer. That refusal is deliberate and visible, with a plain reason, rather than the feature quietly mis-handling a session it does not actually control. It is off by default and does nothing until the feature is turned on after a review window.
19
+
20
+ ## Summary of New Capabilities
21
+
22
+ One new exported class — `CredentialEnvTokenGate` (the env-token applicability gate: refuses on the config field OR a live env-token session in the fleet, with a named reason) — plus a new additive optional `Session.credentialSource` provenance field set at every claude-code spawn lane, and the `GET /credentials/rebalancer` route surfacing the gate verdict. All gated by the existing `subscriptionPool.credentialRepointing` flag. No new gate flag, no new unfunneled credential write path.
23
+
24
+ ## Evidence
25
+
26
+ - `tests/unit/credential-env-token-gate.test.ts` (18) — config predicate (permits empty/undefined; refuses on sk-ant-oat, on a direct sk-ant-api03 key, and on any non-empty value); live-fleet path (refuses on one running env session with config empty, counts multiple, ignores a non-running env session and a non-claude env session, treats undefined as store, config-field refusal short-circuits before the fleet scan); attribution-suppression (`shouldAttributeSlotTenant` false for env, true for store/undefined); and the single-source-of-truth blocker proven by a static grep-assert against the real SessionManager source (exactly 3 env-block predicates + 3 identical provenance derivations + 4 record writes).
27
+ - `tests/integration/credential-routes.test.ts` (+3) — the rebalancer route surfaces the config-field refusal (scrubbed, no token leak), the live-fleet refusal (mid-life flip, config empty), and permits when config empty + all-store fleet.
28
+ - `tests/e2e/credential-repointing-routes-alive.test.ts` (+3) — feature-alive on the real AgentServer factory: rebalancer DARK is a strict 503 no-op, ENABLED + clean config + all-store fleet permits, ENABLED + a live env-token session refuses with the named reason.
29
+ - tsc clean; full `npm run lint` clean (dark-gate 16/16 unchanged — no ConfigDefaults touched); no-silent-fallbacks + no-empty-catch-blocks + feature-delivery-completeness + docs-coverage green.
@@ -0,0 +1,201 @@
1
+ # Side-Effects Review — Dev-Agent Dark-Gate Teeth (CMT-1438)
2
+
3
+ **Version / slug:** `dev-agent-dark-gate-teeth`
4
+ **Date:** `2026-06-13`
5
+ **Author:** `echo`
6
+ **Second-pass reviewer:** `required (touches gate/sentinel/migration) — see below`
7
+
8
+ ## Summary of the change
9
+
10
+ Retires the catch-all `deliberate-fleet-default` category from the `DarkGateCategory`
11
+ enum and adds a concrete `action-bearing` category, so every "off even on dev"
12
+ classification must name a real reason dev-live is wrong (unsafe: destructive /
13
+ cost-bearing / action-bearing; or not-runnable: optional-integration /
14
+ structural-stub). Tightens the CI lint (`scripts/lint-dev-agent-dark-gate.js` +
15
+ `scripts/lib/dark-gate-attribution.js`) to reject the retired category and adds a
16
+ count-match guard that fails loud when an exclusion entry escapes category validation
17
+ (the backtick-reason silent-skip hole). Reclassifies the 11 occupants: after per-feature
18
+ D4 code-grounding, 4 move to `DEV_GATED_FEATURES` (parallelWorkSentinel, failureLearning,
19
+ releaseReadiness, bootHealthBeacon) — their construction sites now route through
20
+ `resolveDevAgentGate` and their `enabled: false` literal is removed from ConfigDefaults;
21
+ 7 stay exclusions with concrete categories (correctionLearning=cost-bearing,
22
+ apprenticeshipCycleSla/geminiCapacityEscalation/greenPrAutoMerge/a2aCheckIn=action-bearing,
23
+ mentor/mentee=optional-integration). Adds `PostUpdateMigrator.migrateDevGateTeethStrip` —
24
+ a one-shot, dev-agent-only strip of stale persisted `enabled: false` for the 4 paths so
25
+ the move actually lands on existing dev agents.
26
+ Files: `src/core/devGatedFeatures.ts`, `scripts/lib/dark-gate-attribution.js`,
27
+ `scripts/lint-dev-agent-dark-gate.js`, `src/config/ConfigDefaults.ts`,
28
+ `src/server/AgentServer.ts` (parallelWorkSentinel + failureLearning gates),
29
+ `src/commands/server.ts` (releaseReadiness + bootHealthBeacon gates),
30
+ `src/server/CapabilityIndex.ts` (failureLearning capability report),
31
+ `src/core/PostUpdateMigrator.ts` (D5 migration) + 3 test files.
32
+
33
+ ## Decision-point inventory
34
+
35
+ - `DarkGateCategory` enum (classification taxonomy) — **modify** — drop the catch-all, add `action-bearing`; closes the willpower escape hatch.
36
+ - `lint-dev-agent-dark-gate.js` Assertion C (CI gate) — **modify** — the closed-enum membership check tightens (one fewer valid category) + a count-match guard added.
37
+ - `resolveDevAgentGate` at 4 construction sites — **modify (pass-through to the funnel)** — the 4 features' enable check now goes through the existing dev-gate funnel instead of a hand-rolled `=== true`. No new decision logic; it reuses the established resolver.
38
+ - `migrateDevGateTeethStrip` — **add** — a config-mutation migration (deletes a stale `enabled: false`), dev-agent-only, run-once. Not an information-flow gate.
39
+
40
+ ---
41
+
42
+ ## 1. Over-block
43
+
44
+ No outbound/inbound message block surface. The only "block"-shaped surface is the CI
45
+ lint, which now *rejects* (a) an exclusion using the retired `deliberate-fleet-default`
46
+ category and (b) an exclusion entry that doesn't fully parse (count-mismatch). The
47
+ count-match guard can *over-trip* on a legitimate-but-unparseable entry — specifically
48
+ an exclusion `reason` written with embedded quotes or a backtick/template literal. This
49
+ is intentional fail-safe behavior (it forces a parseable, single-line, quote-delimited
50
+ reason); it never lets a bad entry through. It surfaced exactly once during this build
51
+ (my own reasons contained embedded `"`), was loud, and was fixed by rewording — proving
52
+ the guard works. Authoring constraint, not a runtime over-block.
53
+
54
+ ---
55
+
56
+ ## 2. Under-block
57
+
58
+ The lint still matches the literal `enabled: false` spelling only (a pre-existing,
59
+ documented limitation — a non-literal `enabled: someFlag ?? false` evades attribution).
60
+ The count-match guard closes the parsed-path-without-a-parsed-entry class (backtick
61
+ reasons, reordered fields) but the registry parser remains regex-based, so other
62
+ source-shape shifts (object spread, imported constants, `as const`) are still a
63
+ theoretical blind spot — disclosed in the spec and tracked as a follow-up (AST /
64
+ pure-data registry). The category honesty itself is never machine-checked (the lint
65
+ validates spelling + reason length, not truthfulness); D4 code-grounding + the
66
+ GrowthMilestoneAnalyst R6 runtime cross-check are the backstops, also disclosed.
67
+
68
+ ---
69
+
70
+ ## 3. Level-of-abstraction fit
71
+
72
+ Right layer. The change does NOT add a new detector or authority — it (a) edits a
73
+ classification enum + its CI lint (build-time signal), and (b) routes 4 features through
74
+ the EXISTING `resolveDevAgentGate` funnel rather than re-implementing the gate inline
75
+ (it removes 4 hand-rolled `=== true` checks). The migration reuses the EXISTING
76
+ `migrateCartographerDevGate` pattern (same `_instar_migrations` marker machinery, same
77
+ dev-agent guard). Nothing is re-implemented; everything feeds or reuses an existing
78
+ primitive.
79
+
80
+ ---
81
+
82
+ ## 4. Signal vs authority compliance
83
+
84
+ **Required reference:** [docs/signal-vs-authority.md](../../docs/signal-vs-authority.md)
85
+
86
+ - [x] No — this change produces a signal consumed by an existing smart gate / has no
87
+ runtime block-allow surface.
88
+
89
+ The CI lint is a deterministic build-time *signal-emitter* (it fails CI on an invalid
90
+ classification); it is not a runtime authority over agent behavior. The spec is explicit
91
+ that the lint closes only the *unclassified/invalid-category* hole — it does NOT
92
+ adjudicate category *honesty* (that is D4 + R6). `resolveDevAgentGate` is the established
93
+ funnel, not a new brittle authority. No brittle blocking authority is added.
94
+
95
+ ---
96
+
97
+ ## 5. Interactions
98
+
99
+ - **Shadowing:** the 4 construction-site gate calls replace `=== true` with
100
+ `resolveDevAgentGate(...)`. For 3 of the 4, routes/consumers already gate on the
101
+ *constructed instance* (null → 503), so they follow the gate result with no shadowing.
102
+ For `failureLearning`, `CapabilityIndex` also reads the flag — updated to the SAME
103
+ funnel so the capability report matches the construction gate (no skew).
104
+ - **Double-fire:** `migrateDevGateTeethStrip` shares the `_instar_migrations` ledger
105
+ with `migrateCartographerDevGate`; the new marker key (`dev-gate-teeth-strip`) is
106
+ distinct (not a prefix of, nor prefixed by, `cartographer-dev-gate-strip`), so the two
107
+ run independently and each exactly once. Verified by the round-2 integration review.
108
+ - **Races:** the migration runs in the single-threaded PostUpdateMigrator pass at update
109
+ time; no concurrent writer to config.json during it.
110
+ - **Feedback loops:** none. The lint is one-way (CI fails or passes).
111
+
112
+ ---
113
+
114
+ ## 6. External surfaces
115
+
116
+ - **Other agents on the machine:** none — the change is per-agent config + a CI lint.
117
+ - **Install base:** fleet behavior is byte-for-byte unchanged (every reclassified flag
118
+ still resolves `false` on a non-development agent; the migration is dev-agent-only).
119
+ Only development agents gain the 4 live observers.
120
+ - **External systems (Telegram/GitHub/etc.):** the 4 features moved live are
121
+ D4-verified to make NO automatic outbound send on enable (parallelWorkSentinel: local
122
+ event/JSONL; failureLearning: append-only ledger, send path unimplemented;
123
+ releaseReadiness: read surface only, sends gated behind the separate dark job;
124
+ bootHealthBeacon: localhost-only inbound socket). The 3 features that DO auto-send
125
+ (correctionLearning spend; apprenticeshipCycleSla/geminiCapacityEscalation Telegram)
126
+ were deliberately HELD as exclusions precisely to avoid that surface on dev.
127
+ - **Persistent state:** the migration deletes a stale `enabled: false` key from the dev
128
+ agent's own `config.json` (and records a run-once marker). Reported in the migration
129
+ result summary so a non-Echo operator sees which flags were freed.
130
+ - **Operator surface (Mobile-Complete):** no operator-facing actions added — no route, no
131
+ form, no PIN-gated action. Not applicable.
132
+
133
+ ---
134
+
135
+ ## 6b. Operator-surface quality (Operator-Surface Quality standard)
136
+
137
+ No operator surface — this change touches no dashboard renderer/markup, approval page, or
138
+ grant/revoke/secret-drop form. Not applicable.
139
+
140
+ ---
141
+
142
+ ## 7. Multi-machine posture (Cross-Machine Coherence)
143
+
144
+ **machine-local BY DESIGN.** The dev-feature classification is a code-shipped TypeScript
145
+ enum + `ConfigDefaults` + each agent's per-machine `.instar/config.json`; `developmentAgent`
146
+ is intrinsically a per-machine identity. None of the `multiMachine.stateSync.*` replicated
147
+ kinds cover config flags or dev-gate state, and nothing here should follow the agent across
148
+ machines — a machine either is or isn't a development agent. The D5 migration is
149
+ dev-agent-only and mutates only the local config.json. No user-facing notice is emitted by
150
+ this change (the 4 live features that COULD notify are either send-inert on enable or held
151
+ as exclusions). No durable cross-machine state, no generated URLs. Confirmed by the
152
+ round-1 integration reviewer (no journal kind needed).
153
+
154
+ ---
155
+
156
+ ## 8. Rollback cost
157
+
158
+ Pure code + config-default change. Back-out = revert the commit (re-adds the
159
+ `deliberate-fleet-default` enum member, the 4 `enabled: false` literals, the 4
160
+ construction-site `=== true` checks, and removes the migration) and ship a patch. The D5
161
+ migration is idempotent and run-once; a rolled-back agent that already ran it keeps its
162
+ stripped config (the 4 flags then resolve via the reverted hardcoded `false` again — back
163
+ to dark — with no error). No data migration, no agent state repair, no user-visible
164
+ regression during the rollback window (fleet was never changed). An operator who wants a
165
+ freed flag off again simply re-adds `enabled: false` (the run-once marker preserves it).
166
+
167
+ ---
168
+
169
+ ## Conclusion
170
+
171
+ This review (plus the 6-round spec convergence that preceded it) reshaped the change in
172
+ three material ways: (1) the migration was added after convergence found the 4 flags
173
+ would otherwise stay dark on Echo (the cartographer trap); (2) D4 code-grounding held 3
174
+ of 7 candidates back as honest exclusions when their code contradicted "observe-only";
175
+ (3) the count-match lint guard was added after the adversarial reviewer found the
176
+ backtick-reason silent-skip. The change adds no runtime blocking authority, makes no
177
+ automatic external send on the dev agent (the senders are held off), leaves the fleet
178
+ byte-for-byte unchanged, and is cleanly reversible. Clear to ship.
179
+
180
+ ---
181
+
182
+ ## Second-pass review (if required)
183
+
184
+ **Reviewer:** independent reviewer subagent
185
+ **Independent read of the artifact: concur**
186
+
187
+ Concur with the review. The reviewer grounded every claim against the actual diff and confirmed: (1) all 4 construction sites route through `resolveDevAgentGate` with no hand-rolled `?? !!developmentAgent` (AgentServer.ts:858/1238, server.ts:3041/13258, CapabilityIndex.ts:794); (2) the migration allowlist is EXACTLY the 4 dev-gated paths, dev-agent-guarded, with a run-once marker distinct from cartographer's; (3) the signal-vs-authority answer holds (build-time signal + reused funnel + fail-safe count-match guard, no new blocking authority); (4) the highest-risk check — a missed read site — was investigated: the 4 flags also feed `src/monitoring/guardManifest.ts` → the `/guards` posture endpoint, but `guardPosture.ts:resolveGuardConfigSnapshot` already iterates `DEV_GATED_FEATURES` and injects the gate-resolved value, so moving the 4 into the registry makes `/guards` resolve them live on a dev agent automatically — NO "live-but-reported-disabled" skew, and the now-absent default raises no spurious boot tripwire. The reviewer's one non-blocking nit (stale "ships dark" prose in 4 `guardManifest.ts` descriptions) was fixed in this commit (descriptions now say "(dev-gated)"). Clear to ship.
188
+
189
+ ---
190
+
191
+ ## Evidence pointers
192
+
193
+ - Spec + convergence report: `docs/specs/DEV-AGENT-DARK-GATE-TEETH-SPEC.md`,
194
+ `docs/specs/reports/dev-agent-dark-gate-teeth-convergence.md` (6 rounds, real
195
+ cross-model pass codex-cli:gpt-5.5).
196
+ - Tests: `tests/unit/lint-dev-agent-dark-gate.test.ts` (enum/category/count-match +
197
+ drift canary), `tests/unit/devGatedFeatures-wiring.test.ts` (42 tests — 4 new entries
198
+ resolve live-on-dev/dark-on-fleet), `tests/unit/PostUpdateMigrator-devGateTeethStrip.test.ts`
199
+ (7 tests — migration both sides + idempotency + the 3 held), `tests/integration/dev-gate-teeth-rollout.test.ts`
200
+ (5 tests — full migration→defaults→resolver pipeline + two-switch drift guard).
201
+ - D4 grounding evidence (file:line) is in the spec's "D4 grounding result" section.
@@ -0,0 +1,78 @@
1
+ # Side-effects review — WS5.2 Step 8 (credential provenance flag + env-token gate)
2
+
3
+ **Spec:** `docs/specs/live-credential-repointing-rebalancer.md` (approved:true, converged) §2.10/§0.b/§2.4, build-plan §8.
4
+ **Tier:** 2 (src code + a read-time gate + a session-record metadata field; ships DARK behind the EXISTING `subscriptionPool.credentialRepointing` flag — NO new gate flag).
5
+ **Parent principle:** Cross-Machine Coherence — One Agent, Robust Under Degraded Conditions.
6
+ **Second-pass reviewer:** independent reviewer subagent (this change touches a "gate" → Phase 5 required).
7
+
8
+ ## What changed
9
+
10
+ - **NEW `src/core/CredentialEnvTokenGate.ts`** — the §2.10 env-token gate (the §0.b applicability precondition, enforced). Pure evaluator (no IO): `evaluate()` REFUSES the feature, with a NAMED CATEGORY reason, when (a) `config.anthropicApiKey` is ANY non-empty value (OAuth OR API key — round-3) OR (b) any RUNNING claude-code session's durable `credentialSource` flag is `'env'` (the live-fleet path that closes the mid-life flip). The static helper `shouldAttributeSlotTenant(session)` is `false` for an env session (its usage is never mis-attributed to a slot tenant — §2.10 requirement 3).
11
+ - **`src/core/types.ts`** — adds `Session.credentialSource?: 'store' | 'env'` (additive optional metadata field; no `enabled:` literal → dark-gate UNCHANGED).
12
+ - **`src/core/SessionManager.ts`** — sets `credentialSource` on the session record at all four claude-code spawn record-writes. At the three env-block lanes (headless `~:1846`, rerouted-interactive `~:2127`, interactive `~:3248`) it is derived from the **IDENTICAL** expression that selects the Anthropic env block — `(this.config.anthropicApiKey ?? '') !== '' ? 'env' : 'store'`, computed at the spawn site, NEVER a recomputation. The triage lane hardcodes `'store'` (it always empties `ANTHROPIC_API_KEY=`, so it deterministically reads the store).
13
+ - **`src/commands/server.ts`** — constructs the `CredentialEnvTokenGate` (reading `config.sessions.anthropicApiKey` — the SAME source `sessionManagerConfig` spreads into SessionManager — and `state.listSessions()`); AND-s its refusal into the `CredentialLocationGate.isEnabled` (so a §2.10 refusal suppresses ALL re-pointing attribution: requirement 3 enforced structurally through the one gate the QuotaPoller already consults); adds the gate to the `credentialRepointing` bundle.
14
+ - **`src/server/routes.ts`** — adds `envTokenGate` to the `credentialRepointing` RouteContext type; `GET /credentials/rebalancer` now surfaces the gate verdict (refused + named reason + envSessionCount) when the flag is ON, scrubbed via `audit.response`. DARK → strict 503 no-op (unchanged).
15
+ - **Tests:** NEW `tests/unit/credential-env-token-gate.test.ts` (18); extended `tests/integration/credential-routes.test.ts` (+3 rebalancer cases) and `tests/e2e/credential-repointing-routes-alive.test.ts` (+3 cases, incl. live env-token fleet); widened the look-back window in `tests/unit/codex-model-swap-wiring.test.ts` (the §2.10 derivation sits between `effectiveAccountId` and `buildInteractiveLaunch` — the WS5.3 source-string-ratchet lesson).
16
+
17
+ ## Decision-point inventory
18
+
19
+ - `CredentialEnvTokenGate.evaluate()` — **add** — the §2.10 refusal decision (config field OR live fleet). It is a SIGNAL feeding the rebalancer status surface + the location-gate enablement; it never blocks a session spawn, a message, or a swap directly.
20
+ - `CredentialLocationGate.isEnabled` AND-in — **modify** — a §2.10 refusal makes the location gate behave as dark (attribution off) so the QuotaPoller stops re-routing reads/attribution through moved slots for an env fleet.
21
+ - `Session.credentialSource` derivation — **add** — additive provenance metadata, not a decision (it is the durable INPUT the gate's fleet scan reads).
22
+
23
+ ## State files / migrations
24
+
25
+ - **No new state file.** `credentialSource` rides the existing session record (`state/sessions/*.json`); additive optional field, absent on legacy records (treated as `'store'` — the safe, non-refusing direction).
26
+ - **No migration in Step 8.** The CLAUDE.md awareness template + `migrateConfig`/`migrateClaudeMd` + CapabilityIndex are explicitly scoped to **build-plan §9 (Step 9 — Migration parity)** — tracked there, not deferred silently. No new config flag means nothing to migrate for the gate itself.
27
+
28
+ ## Blast radius / reversibility
29
+
30
+ - **Ships DARK.** The gate is only consulted behind `subscriptionPool.credentialRepointing.enabled` (the location-gate AND-in short-circuits on the flag BEFORE evaluating the gate, and the rebalancer route 503s while dark). With the flag off (always, fleet-wide) the only runtime delta is the additive `credentialSource` field on new session records — free metadata, never read. E2E proves the dark surface is a byte-for-byte 503 no-op.
31
+ - Reversibility: revert the commit. The `credentialSource` field is inert metadata; no credential write, no schema migration, no durable state to repair. A swap is still the reversible oracle-verified permutation from Step 5.
32
+
33
+ ## Per-Phase-C (multi-machine posture)
34
+
35
+ - **Machine-local BY DESIGN.** The gate is per-machine: each machine evaluates ITS OWN `config.sessions.anthropicApiKey` + ITS OWN `state.listSessions()`. An N-machine pool is N independent gates; a machine running an env-token fleet refuses LOCALLY without reading or affecting a peer's store-reading fleet. No cross-machine credential read, no LAN/broadcast assumption. The `credentialSource` flag is per-session-per-machine durable metadata and never crosses machines (it would be meaningless on another machine, whose config/fleet differ). This is the correct posture: env-vs-store is a function of the LOCAL config field + the LOCAL fleet, so a remote read would be both unnecessary and a coherence hazard.
36
+
37
+ ## Adversarial review (4 lenses, folded as named tests)
38
+
39
+ 1. **Single-source-of-truth provenance (THE blocker)** — the flag is the IDENTICAL `(this.config.anthropicApiKey ?? '')` expression as the env-block selection at each of the three lanes, computed at the spawn site. Proven by a static grep-assert against the real SessionManager source (exactly 3 env-block predicates + 3 identical provenance derivations + 4 record writes) — an independent recomputation would fail it. A divergence test guards the staleness class this whole spec exists to kill.
40
+ 2. **Mid-life-flip / live-fleet** — the gate refuses on a running `env` session even when the config field is empty (named unit + integration + e2e tests). A config-only gate would miss it; the fleet scan reads the durable flag.
41
+ 3. **Attribution-suppression** — `shouldAttributeSlotTenant` is false for an env session (named test); structurally, the location-gate AND-in suppresses re-pointing attribution wholesale on refusal so the QuotaPoller never mis-attributes an env session's usage to a slot tenant.
42
+ 4. **Dark-ship inertness** — flag OFF → rebalancer 503 strict no-op; record-write shape unchanged except the additive field (e2e "feature is alive" — the single most important test).
43
+
44
+ ## Silent-fallback tags
45
+
46
+ `CredentialEnvTokenGate` is pure logic with NO catch blocks. The route/server edits add no new catch. no-silent-fallbacks (5/5) + no-empty-catch-blocks (4/4) pass with NO baseline bump.
47
+
48
+ ## Second-pass review (Phase 5 — independent reviewer subagent)
49
+
50
+ **Concur with the review.** All seven load-bearing invariants verified against the actual code:
51
+ 1. Single-source-of-truth — the `credentialSource` derivation is the IDENTICAL `(this.config.anthropicApiKey ?? '') !== ''` expression adjacent to each lane's `.startsWith('sk-ant-oat')` env-block predicate over the SAME `this.config.anthropicApiKey` field (SessionManager lanes 1/2/3); triage hardcodes `'store'` and demonstrably empties `ANTHROPIC_API_KEY=`. Not a recomputation.
52
+ 2. Config predicate is "any non-empty value" (`key !== ''`), correctly broader than the launch's sk-ant-oat branch (both branches set a store-bypassing env var).
53
+ 3. Gate ANDs the live-fleet scan (running + claude-code + `credentialSource === 'env'`, undefined→store safe default) onto the config check, closing the mid-life-flip hole.
54
+ 4. The location-gate `isEnabled` AND-in is sound: `&&` short-circuits on the dark flag BEFORE `evaluate()` is ever called (true no-op while dark); on refusal it suppresses re-pointing attribution wholesale (the conservatively-correct direction); `shouldAttributeSlotTenant` false for env.
55
+ 5. Gate-level single-source-of-truth holds — `config.sessions?.anthropicApiKey` is the same value `sessionManagerConfig = { ...config.sessions }` feeds SessionManager (anthropicApiKey not overridden).
56
+ 6. Dark surface is a strict 503 no-op through the scrub chokepoint; the only record-shape delta is the additive optional field.
57
+ 7. Signal-vs-authority: advisory except the attribution-suppression AND-in, which is appropriate and non-brittle (a boolean over a durable flag with a safe default).
58
+
59
+ No concern raised.
60
+
61
+ ## Gate-ratchet results (run locally before push)
62
+
63
+ - `tsc --noEmit` clean; full `npm run lint` clean (includes dark-gate 16/16 — **UNCHANGED**, no ConfigDefaults touch).
64
+ - no-silent-fallbacks 5/5, no-empty-catch-blocks 4/4, feature-delivery-completeness 97/97, docs-coverage --check pass (floor-based; internal-plumbing symbol, no floor breach).
65
+ - credential-env-token-gate 18/18; credential-routes (integration) all pass incl. 3 new rebalancer cases; credential-repointing-routes-alive (e2e) 6/6 incl. live env-token fleet; codex-model-swap-wiring 7/7 (window widened); all SessionManager wiring/activation tests green.
66
+
67
+ ## Second-pass review verdict (Phase 5 — required: change touches a "gate")
68
+
69
+ Independent reviewer subagent audited the gate + the 4 spawn-site provenance derivations + the dark-ship short-circuit against the real code (not the artifact's claims), and against `docs/signal-vs-authority.md`. All six verification points held:
70
+
71
+ 1. **Single-source-of-truth** — all 3 env-block lanes (`SessionManager.ts:1844/2126/3246`) derive `credentialSource` from the identical `(this.config.anthropicApiKey ?? '') !== ''` predicate adjacent to their own env-block write; the triage lane hardcodes `'store'` and provably empties `ANTHROPIC_API_KEY=`. The gate reads `config.sessions?.anthropicApiKey` (`server.ts:9213`), which is the SAME value `sessionManagerConfig = {...config.sessions}` feeds SessionManager (not overridden). Not a recompute.
72
+ 2. **Fail-safe direction** — `credentialSource==='env'` is the only fleet-path refusal; `undefined`→`'store'` (non-refusing). A refusal disables the FEATURE (re-pointing attribution), never messaging/sessions/swaps.
73
+ 3. **Dark-ship inertness** — `enabled === true && !gate.evaluate().refused` short-circuits on the flag BEFORE `evaluate()`; the route 503s before evaluating. Byte-for-byte prior behavior when dark.
74
+ 4. **Config predicate** — refuses on ANY non-empty `anthropicApiKey` (OAuth `sk-ant-oat` OR api key), matching both SessionManager launch branches.
75
+ 5. **Signal-vs-authority** — a deterministic policy evaluator over a structured durable flag, not a brittle detector; the only authority it holds is suppressing the feature itself (the conservatively-correct fail-safe), which the principle doc explicitly permits for a domain this constrained.
76
+ 6. **Over/under-refuse** — the mixed-fleet whole-feature refusal is conservatively-correct (refuse rather than mis-steer); machine-local posture is correct. No hole found.
77
+
78
+ **Verdict: CONCUR.** The side-effects artifact's claims all hold against the actual code.