instar 1.3.540 → 1.3.542
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/commands/server.d.ts.map +1 -1
- package/dist/commands/server.js +24 -2
- package/dist/commands/server.js.map +1 -1
- package/dist/core/CredentialEnvTokenGate.d.ts +98 -0
- package/dist/core/CredentialEnvTokenGate.d.ts.map +1 -0
- package/dist/core/CredentialEnvTokenGate.js +103 -0
- package/dist/core/CredentialEnvTokenGate.js.map +1 -0
- package/dist/core/PostUpdateMigrator.d.ts.map +1 -1
- package/dist/core/PostUpdateMigrator.js +12 -0
- package/dist/core/PostUpdateMigrator.js.map +1 -1
- package/dist/core/SessionManager.d.ts.map +1 -1
- package/dist/core/SessionManager.js +27 -0
- package/dist/core/SessionManager.js.map +1 -1
- package/dist/core/types.d.ts +18 -0
- package/dist/core/types.d.ts.map +1 -1
- package/dist/core/types.js.map +1 -1
- package/dist/scaffold/templates.d.ts.map +1 -1
- package/dist/scaffold/templates.js +7 -0
- package/dist/scaffold/templates.js.map +1 -1
- package/dist/server/routes.d.ts +3 -0
- package/dist/server/routes.d.ts.map +1 -1
- package/dist/server/routes.js +29 -3
- package/dist/server/routes.js.map +1 -1
- package/package.json +1 -1
- package/src/data/builtin-manifest.json +64 -64
- package/src/scaffold/templates.ts +7 -0
- package/upgrades/1.3.541.md +29 -0
- package/upgrades/1.3.542.md +25 -0
- package/upgrades/side-effects/ws52-step8-provenance-gate.md +78 -0
- package/upgrades/side-effects/ws52-step9-migration-docs.md +44 -0
|
@@ -0,0 +1,98 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* CredentialEnvTokenGate — the §0.b applicability precondition, enforced structurally
|
|
3
|
+
* (Step 8 of live credential re-pointing).
|
|
4
|
+
*
|
|
5
|
+
* Spec: docs/specs/live-credential-repointing-rebalancer.md §2.10 (the env-token gate — verbatim
|
|
6
|
+
* contract), §0.b (applicability gate), §2.4 (the status route the named reason surfaces on).
|
|
7
|
+
*
|
|
8
|
+
* ── What this is ──
|
|
9
|
+
* The live credential re-pointing mechanism only works for sessions whose credential comes from
|
|
10
|
+
* the per-`CLAUDE_CONFIG_DIR` STORE (a swap re-points the store; claude-code re-reads it on the
|
|
11
|
+
* next 401). A session launched with an env token (`CLAUDE_CODE_OAUTH_TOKEN` / `ANTHROPIC_API_KEY`
|
|
12
|
+
* set from a non-empty `config.anthropicApiKey`) NEVER reads the store, ignores any swap, and is
|
|
13
|
+
* INVISIBLE to the mechanism. If such a launch were the norm the entire feature would be inert
|
|
14
|
+
* (§0.b). This gate REFUSES to run the feature — with a NAMED reason on the status route — whenever
|
|
15
|
+
* an env-token condition is present, so the mechanism can never silently mis-steer a fleet it does
|
|
16
|
+
* not actually control.
|
|
17
|
+
*
|
|
18
|
+
* ── The load-bearing safety contract (spec §2.10; build-prompt invariants 1, 2) ──
|
|
19
|
+
* 1. EVALUATES BOTH the config field AND the live running fleet. A config-only check would miss
|
|
20
|
+
* the mid-life flip: an operator setting `config.anthropicApiKey` to an OAuth token mid-run
|
|
21
|
+
* leaves already-running STORE sessions steerable while new ENV spawns are silently un-steered
|
|
22
|
+
* — a genuinely mixed fleet a config-only check freezes incoherently. The fleet scan reads the
|
|
23
|
+
* durable per-session `credentialSource` flag (recorded at spawn from the IDENTICAL expression
|
|
24
|
+
* that selected the env block — single source of truth) so it can detect that mixed state.
|
|
25
|
+
* 2. THE CONFIG PREDICATE IS "ANY NON-EMPTY anthropicApiKey" (round-3) — NOT only an
|
|
26
|
+
* `sk-ant-oat` OAuth token. The code's launch predicate is binary: `sk-ant-oat…` sets
|
|
27
|
+
* `CLAUDE_CODE_OAUTH_TOKEN`, ANY OTHER non-empty value sets `ANTHROPIC_API_KEY`, and BOTH make
|
|
28
|
+
* claude-code ignore the store. So the gate predicate is `(anthropicApiKey ?? '') !== ''`,
|
|
29
|
+
* matching the SessionManager `?? ''`-then-non-empty branch exactly.
|
|
30
|
+
* 3. NAMED, CATEGORICAL REASON. The refusal reason is a category string (never a credential), but
|
|
31
|
+
* the host still routes it through `CredentialAuditEmit.scrub` (Step 7) before any surface,
|
|
32
|
+
* consistent with the §2.9 chokepoint.
|
|
33
|
+
*
|
|
34
|
+
* This module performs NO IO and NO credential reads. It is a pure evaluator over an injected
|
|
35
|
+
* config-key getter + an injected session lister, so it is fully unit-testable.
|
|
36
|
+
*/
|
|
37
|
+
import type { Session } from './types.js';
|
|
38
|
+
/** A session lister snapshot input — the gate only reads `framework`, `status`, `credentialSource`. */
|
|
39
|
+
export type EnvTokenFleetSession = Pick<Session, 'framework' | 'status' | 'credentialSource'>;
|
|
40
|
+
export interface CredentialEnvTokenGateDeps {
|
|
41
|
+
/**
|
|
42
|
+
* Reads the live `config.anthropicApiKey` value EACH call (not cached) so a restartless config
|
|
43
|
+
* flip is honored on the next evaluation — the same restartless posture the rest of the feature
|
|
44
|
+
* uses. May return undefined/empty when no key is configured (the §0.b alive case).
|
|
45
|
+
*/
|
|
46
|
+
getAnthropicApiKey: () => string | undefined;
|
|
47
|
+
/**
|
|
48
|
+
* Lists the CURRENT sessions (the live fleet). The gate filters to running claude-code sessions
|
|
49
|
+
* and reads their durable `credentialSource` flag. Injected so the gate stays IO-free.
|
|
50
|
+
*/
|
|
51
|
+
listSessions: () => EnvTokenFleetSession[];
|
|
52
|
+
}
|
|
53
|
+
/** The named refusal reason categories (a category, never a credential). */
|
|
54
|
+
export type EnvTokenRefusalReason = 'config-anthropic-api-key-set' | 'env-token-session-in-fleet';
|
|
55
|
+
export interface EnvTokenGateVerdict {
|
|
56
|
+
/** True when the feature MUST refuse to run (an env-token condition is present). */
|
|
57
|
+
refused: boolean;
|
|
58
|
+
/** The named, scrub-safe reason category when refused; undefined when permitted. */
|
|
59
|
+
reason?: EnvTokenRefusalReason;
|
|
60
|
+
/** A human-readable one-line explanation (category-level, no credential material). */
|
|
61
|
+
detail?: string;
|
|
62
|
+
/**
|
|
63
|
+
* The names/ids absent here on purpose: the verdict carries NO session identifiers and NO key
|
|
64
|
+
* material, so it is safe to surface as-is (and is scrubbed regardless by the host).
|
|
65
|
+
*/
|
|
66
|
+
/** How many running claude-code sessions in the fleet are env-token (0 when none / config-only refusal). */
|
|
67
|
+
envSessionCount: number;
|
|
68
|
+
}
|
|
69
|
+
/**
|
|
70
|
+
* Evaluates the §2.10 env-token precondition over BOTH the config field AND the live fleet.
|
|
71
|
+
*
|
|
72
|
+
* Construct ONE per process and call `evaluate()` at enable-time AND per-pass. The CONFIG check is
|
|
73
|
+
* evaluated FIRST (cheapest + the dominant case); the FLEET scan closes the mid-life-flip hole.
|
|
74
|
+
*/
|
|
75
|
+
export declare class CredentialEnvTokenGate {
|
|
76
|
+
private readonly getAnthropicApiKey;
|
|
77
|
+
private readonly listSessions;
|
|
78
|
+
constructor(deps: CredentialEnvTokenGateDeps);
|
|
79
|
+
/**
|
|
80
|
+
* The §2.10 verdict. Refuses when:
|
|
81
|
+
* (a) `config.anthropicApiKey` is non-empty (ANY value — OAuth or API key); OR
|
|
82
|
+
* (b) any RUNNING claude-code session's `credentialSource` is `'env'` (the live-fleet path that
|
|
83
|
+
* closes the mid-life flip). `credentialSource` undefined on a legacy/non-claude record is
|
|
84
|
+
* treated as `'store'` (the safe, non-refusing direction — only an explicit `'env'` refuses).
|
|
85
|
+
* Permits (refused:false) only when the config field is empty AND every running claude-code
|
|
86
|
+
* session reads the store.
|
|
87
|
+
*/
|
|
88
|
+
evaluate(): EnvTokenGateVerdict;
|
|
89
|
+
/**
|
|
90
|
+
* True iff a given session should still feed `tenantOf(slot)` slot-attribution into usage records.
|
|
91
|
+
* On a §2.10 refusal the balancer STOPS feeding attribution for env-token sessions so an env
|
|
92
|
+
* session's usage is never mis-attributed to a slot tenant (spec §2.10 requirement 3). A session
|
|
93
|
+
* with `credentialSource: 'env'` never reads the store, so its usage does not belong to any slot
|
|
94
|
+
* tenant — it is attributed to its own account directly (enrollment-home behavior).
|
|
95
|
+
*/
|
|
96
|
+
static shouldAttributeSlotTenant(session: Pick<Session, 'credentialSource'>): boolean;
|
|
97
|
+
}
|
|
98
|
+
//# sourceMappingURL=CredentialEnvTokenGate.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"CredentialEnvTokenGate.d.ts","sourceRoot":"","sources":["../../src/core/CredentialEnvTokenGate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmCG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,YAAY,CAAC;AAE1C,uGAAuG;AACvG,MAAM,MAAM,oBAAoB,GAAG,IAAI,CAAC,OAAO,EAAE,WAAW,GAAG,QAAQ,GAAG,kBAAkB,CAAC,CAAC;AAE9F,MAAM,WAAW,0BAA0B;IACzC;;;;OAIG;IACH,kBAAkB,EAAE,MAAM,MAAM,GAAG,SAAS,CAAC;IAC7C;;;OAGG;IACH,YAAY,EAAE,MAAM,oBAAoB,EAAE,CAAC;CAC5C;AAED,4EAA4E;AAC5E,MAAM,MAAM,qBAAqB,GAC7B,8BAA8B,GAC9B,4BAA4B,CAAC;AAEjC,MAAM,WAAW,mBAAmB;IAClC,oFAAoF;IACpF,OAAO,EAAE,OAAO,CAAC;IACjB,oFAAoF;IACpF,MAAM,CAAC,EAAE,qBAAqB,CAAC;IAC/B,sFAAsF;IACtF,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;;OAGG;IACH,4GAA4G;IAC5G,eAAe,EAAE,MAAM,CAAC;CACzB;AAED;;;;;GAKG;AACH,qBAAa,sBAAsB;IACjC,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAA2B;IAC9D,OAAO,CAAC,QAAQ,CAAC,YAAY,CAA+B;gBAEhD,IAAI,EAAE,0BAA0B;IAK5C;;;;;;;;OAQG;IACH,QAAQ,IAAI,mBAAmB;IAyC/B;;;;;;OAMG;IACH,MAAM,CAAC,yBAAyB,CAAC,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,kBAAkB,CAAC,GAAG,OAAO;CAGtF"}
|
|
@@ -0,0 +1,103 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* CredentialEnvTokenGate — the §0.b applicability precondition, enforced structurally
|
|
3
|
+
* (Step 8 of live credential re-pointing).
|
|
4
|
+
*
|
|
5
|
+
* Spec: docs/specs/live-credential-repointing-rebalancer.md §2.10 (the env-token gate — verbatim
|
|
6
|
+
* contract), §0.b (applicability gate), §2.4 (the status route the named reason surfaces on).
|
|
7
|
+
*
|
|
8
|
+
* ── What this is ──
|
|
9
|
+
* The live credential re-pointing mechanism only works for sessions whose credential comes from
|
|
10
|
+
* the per-`CLAUDE_CONFIG_DIR` STORE (a swap re-points the store; claude-code re-reads it on the
|
|
11
|
+
* next 401). A session launched with an env token (`CLAUDE_CODE_OAUTH_TOKEN` / `ANTHROPIC_API_KEY`
|
|
12
|
+
* set from a non-empty `config.anthropicApiKey`) NEVER reads the store, ignores any swap, and is
|
|
13
|
+
* INVISIBLE to the mechanism. If such a launch were the norm the entire feature would be inert
|
|
14
|
+
* (§0.b). This gate REFUSES to run the feature — with a NAMED reason on the status route — whenever
|
|
15
|
+
* an env-token condition is present, so the mechanism can never silently mis-steer a fleet it does
|
|
16
|
+
* not actually control.
|
|
17
|
+
*
|
|
18
|
+
* ── The load-bearing safety contract (spec §2.10; build-prompt invariants 1, 2) ──
|
|
19
|
+
* 1. EVALUATES BOTH the config field AND the live running fleet. A config-only check would miss
|
|
20
|
+
* the mid-life flip: an operator setting `config.anthropicApiKey` to an OAuth token mid-run
|
|
21
|
+
* leaves already-running STORE sessions steerable while new ENV spawns are silently un-steered
|
|
22
|
+
* — a genuinely mixed fleet a config-only check freezes incoherently. The fleet scan reads the
|
|
23
|
+
* durable per-session `credentialSource` flag (recorded at spawn from the IDENTICAL expression
|
|
24
|
+
* that selected the env block — single source of truth) so it can detect that mixed state.
|
|
25
|
+
* 2. THE CONFIG PREDICATE IS "ANY NON-EMPTY anthropicApiKey" (round-3) — NOT only an
|
|
26
|
+
* `sk-ant-oat` OAuth token. The code's launch predicate is binary: `sk-ant-oat…` sets
|
|
27
|
+
* `CLAUDE_CODE_OAUTH_TOKEN`, ANY OTHER non-empty value sets `ANTHROPIC_API_KEY`, and BOTH make
|
|
28
|
+
* claude-code ignore the store. So the gate predicate is `(anthropicApiKey ?? '') !== ''`,
|
|
29
|
+
* matching the SessionManager `?? ''`-then-non-empty branch exactly.
|
|
30
|
+
* 3. NAMED, CATEGORICAL REASON. The refusal reason is a category string (never a credential), but
|
|
31
|
+
* the host still routes it through `CredentialAuditEmit.scrub` (Step 7) before any surface,
|
|
32
|
+
* consistent with the §2.9 chokepoint.
|
|
33
|
+
*
|
|
34
|
+
* This module performs NO IO and NO credential reads. It is a pure evaluator over an injected
|
|
35
|
+
* config-key getter + an injected session lister, so it is fully unit-testable.
|
|
36
|
+
*/
|
|
37
|
+
/**
|
|
38
|
+
* Evaluates the §2.10 env-token precondition over BOTH the config field AND the live fleet.
|
|
39
|
+
*
|
|
40
|
+
* Construct ONE per process and call `evaluate()` at enable-time AND per-pass. The CONFIG check is
|
|
41
|
+
* evaluated FIRST (cheapest + the dominant case); the FLEET scan closes the mid-life-flip hole.
|
|
42
|
+
*/
|
|
43
|
+
export class CredentialEnvTokenGate {
|
|
44
|
+
getAnthropicApiKey;
|
|
45
|
+
listSessions;
|
|
46
|
+
constructor(deps) {
|
|
47
|
+
this.getAnthropicApiKey = deps.getAnthropicApiKey;
|
|
48
|
+
this.listSessions = deps.listSessions;
|
|
49
|
+
}
|
|
50
|
+
/**
|
|
51
|
+
* The §2.10 verdict. Refuses when:
|
|
52
|
+
* (a) `config.anthropicApiKey` is non-empty (ANY value — OAuth or API key); OR
|
|
53
|
+
* (b) any RUNNING claude-code session's `credentialSource` is `'env'` (the live-fleet path that
|
|
54
|
+
* closes the mid-life flip). `credentialSource` undefined on a legacy/non-claude record is
|
|
55
|
+
* treated as `'store'` (the safe, non-refusing direction — only an explicit `'env'` refuses).
|
|
56
|
+
* Permits (refused:false) only when the config field is empty AND every running claude-code
|
|
57
|
+
* session reads the store.
|
|
58
|
+
*/
|
|
59
|
+
evaluate() {
|
|
60
|
+
// (a) Config field — the dominant case, checked first. `?? ''`-then-non-empty mirrors the
|
|
61
|
+
// SessionManager launch predicate exactly: any non-empty value (OAuth OR API key) bypasses
|
|
62
|
+
// the store.
|
|
63
|
+
const key = this.getAnthropicApiKey() ?? '';
|
|
64
|
+
if (key !== '') {
|
|
65
|
+
return {
|
|
66
|
+
refused: true,
|
|
67
|
+
reason: 'config-anthropic-api-key-set',
|
|
68
|
+
detail: 'credential re-pointing refused: config.anthropicApiKey is set, so sessions launch with ' +
|
|
69
|
+
'an env token and bypass the per-CLAUDE_CONFIG_DIR store the mechanism steers (§0.b).',
|
|
70
|
+
envSessionCount: 0,
|
|
71
|
+
};
|
|
72
|
+
}
|
|
73
|
+
// (b) Live fleet — closes the mid-life flip. Count RUNNING claude-code sessions whose durable
|
|
74
|
+
// provenance flag is explicitly 'env'. Undefined ⇒ 'store' (safe direction).
|
|
75
|
+
const envSessions = this.listSessions().filter((s) => s.status === 'running' &&
|
|
76
|
+
s.framework === 'claude-code' &&
|
|
77
|
+
s.credentialSource === 'env');
|
|
78
|
+
if (envSessions.length > 0) {
|
|
79
|
+
return {
|
|
80
|
+
refused: true,
|
|
81
|
+
reason: 'env-token-session-in-fleet',
|
|
82
|
+
detail: `credential re-pointing refused: ${envSessions.length} running claude-code session(s) ` +
|
|
83
|
+
'launched with an env token (store-bypassing) per the durable per-session provenance ' +
|
|
84
|
+
'flag — a config field flipped mid-run would otherwise leave a mixed fleet steered ' +
|
|
85
|
+
'incoherently (§2.10).',
|
|
86
|
+
envSessionCount: envSessions.length,
|
|
87
|
+
};
|
|
88
|
+
}
|
|
89
|
+
// Permitted: config empty + all-store fleet (the §0.b "alive" case for THIS deployment).
|
|
90
|
+
return { refused: false, envSessionCount: 0 };
|
|
91
|
+
}
|
|
92
|
+
/**
|
|
93
|
+
* True iff a given session should still feed `tenantOf(slot)` slot-attribution into usage records.
|
|
94
|
+
* On a §2.10 refusal the balancer STOPS feeding attribution for env-token sessions so an env
|
|
95
|
+
* session's usage is never mis-attributed to a slot tenant (spec §2.10 requirement 3). A session
|
|
96
|
+
* with `credentialSource: 'env'` never reads the store, so its usage does not belong to any slot
|
|
97
|
+
* tenant — it is attributed to its own account directly (enrollment-home behavior).
|
|
98
|
+
*/
|
|
99
|
+
static shouldAttributeSlotTenant(session) {
|
|
100
|
+
return session.credentialSource !== 'env';
|
|
101
|
+
}
|
|
102
|
+
}
|
|
103
|
+
//# sourceMappingURL=CredentialEnvTokenGate.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"CredentialEnvTokenGate.js","sourceRoot":"","sources":["../../src/core/CredentialEnvTokenGate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmCG;AAyCH;;;;;GAKG;AACH,MAAM,OAAO,sBAAsB;IAChB,kBAAkB,CAA2B;IAC7C,YAAY,CAA+B;IAE5D,YAAY,IAAgC;QAC1C,IAAI,CAAC,kBAAkB,GAAG,IAAI,CAAC,kBAAkB,CAAC;QAClD,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,YAAY,CAAC;IACxC,CAAC;IAED;;;;;;;;OAQG;IACH,QAAQ;QACN,0FAA0F;QAC1F,2FAA2F;QAC3F,aAAa;QACb,MAAM,GAAG,GAAG,IAAI,CAAC,kBAAkB,EAAE,IAAI,EAAE,CAAC;QAC5C,IAAI,GAAG,KAAK,EAAE,EAAE,CAAC;YACf,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,MAAM,EAAE,8BAA8B;gBACtC,MAAM,EACJ,yFAAyF;oBACzF,sFAAsF;gBACxF,eAAe,EAAE,CAAC;aACnB,CAAC;QACJ,CAAC;QAED,8FAA8F;QAC9F,6EAA6E;QAC7E,MAAM,WAAW,GAAG,IAAI,CAAC,YAAY,EAAE,CAAC,MAAM,CAC5C,CAAC,CAAC,EAAE,EAAE,CACJ,CAAC,CAAC,MAAM,KAAK,SAAS;YACtB,CAAC,CAAC,SAAS,KAAK,aAAa;YAC7B,CAAC,CAAC,gBAAgB,KAAK,KAAK,CAC/B,CAAC;QACF,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC3B,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,MAAM,EAAE,4BAA4B;gBACpC,MAAM,EACJ,mCAAmC,WAAW,CAAC,MAAM,kCAAkC;oBACvF,sFAAsF;oBACtF,oFAAoF;oBACpF,uBAAuB;gBACzB,eAAe,EAAE,WAAW,CAAC,MAAM;aACpC,CAAC;QACJ,CAAC;QAED,yFAAyF;QACzF,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC,EAAE,CAAC;IAChD,CAAC;IAED;;;;;;OAMG;IACH,MAAM,CAAC,yBAAyB,CAAC,OAA0C;QACzE,OAAO,OAAO,CAAC,gBAAgB,KAAK,KAAK,CAAC;IAC5C,CAAC;CACF"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"PostUpdateMigrator.d.ts","sourceRoot":"","sources":["../../src/core/PostUpdateMigrator.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAwCH,OAAO,EAEL,KAAK,YAAY,EACjB,KAAK,qBAAqB,EAC3B,MAAM,yBAAyB,CAAC;AAyBjC,MAAM,WAAW,eAAe;IAC9B,wBAAwB;IACxB,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,kCAAkC;IAClC,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,2CAA2C;IAC3C,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB;AAED,MAAM,WAAW,cAAc;IAC7B,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,OAAO,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,0BAA0B,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAYnF;AAED,qBAAa,kBAAkB;IAC7B,OAAO,CAAC,MAAM,CAAiB;IAC/B;;;;;;OAMG;IACH,OAAO,CAAC,UAAU,CAAiC;gBAEvC,MAAM,EAAE,cAAc;IAIlC;;;;;;;;;;;;;;OAcG;IACH,OAAO,CAAC,oBAAoB;IA0B5B;;;;;;;;;;;OAWG;IACH,YAAY,CAAC,IAAI,EAAE,YAAY,GAAG,IAAI;IAItC;;;;;;OAMG;IACG,eAAe,CACnB,WAAW,EAAE,MAAM,EACnB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,qBAAqB,CAAC;IAIjC,OAAO,CAAC,aAAa;IAOrB,OAAO,CAAC,kBAAkB;IAO1B;;;;OAIG;IACH,OAAO,CAAC,YAAY;IASpB;;;OAGG;IACH,OAAO,IAAI,eAAe;IAuE1B,OAAO,CAAC,gCAAgC;IAwCxC,OAAO,CAAC,8BAA8B;IAoFtC,OAAO,CAAC,yCAAyC;IA8DjD,OAAO,CAAC,0BAA0B;IAsFlC,OAAO,CAAC,wBAAwB;IAiFhC,OAAO,CAAC,sCAAsC;IAmE9C;;;;;;;;;;;;;;;;;;OAkBG;IACH,OAAO,CAAC,uCAAuC;IAqC/C;;;;;;;;;;;;;OAaG;IACH,OAAO,CAAC,0BAA0B;IAmFlC,OAAO,CAAC,0BAA0B;IAmDlC;;;;;;;;;;OAUG;IACH,OAAO,CAAC,kCAAkC;IAwH1C;;;;;;;;;;;;;;;;;;;OAmBG;IACH,OAAO,CAAC,kCAAkC;IA8C1C;;;;;;;;OAQG;IACH,OAAO,CAAC,kCAAkC;IA2B1C,OAAO,CAAC,uBAAuB;IAwE/B,OAAO,CAAC,4CAA4C;IA+CpD;;;;;;;OAOG;IACH,OAAO,CAAC,iCAAiC;IA0BzC;;;;;;;;;;;;OAYG;IACH,OAAO,CAAC,oCAAoC;IAmB5C;;;;;;;;;;;;OAYG;IACH,OAAO,CAAC,yCAAyC;IAWjD;;;;;;;;;;;OAWG;IACH,OAAO,CAAC,kCAAkC;IAW1C,OAAO,CAAC,yBAAyB;IA6FjC;;;;;;;;;;OAUG;IACG,YAAY,IAAI,OAAO,CAAC,eAAe,CAAC;YA4BhC,uBAAuB;IAkGrC,OAAO,CAAC,0BAA0B;IAkGlC,OAAO,CAAC,0BAA0B;IAoElC,OAAO,CAAC,oBAAoB;IAuH5B,OAAO,CAAC,8BAA8B;IA2EtC;;;;OAIG;IACH,OAAO,CAAC,gBAAgB;IAaxB;;;;;;;;;;;;OAYG;IACH,OAAO,CAAC,0BAA0B;IA8BlC;;;;;;;;;;;OAWG;IACH,OAAO,CAAC,4BAA4B;IAwBpC;;;;;;;;;;OAUG;IACH,OAAO,CAAC,sBAAsB;IAwB9B;;;;;;;;;OASG;IACH,OAAO,CAAC,wCAAwC;IAuBhD;;;;;;;;OAQG;IACH,OAAO,CAAC,2CAA2C;IAuBnD;;;;;;;;;;;;;OAaG;IACH,OAAO,CAAC,kCAAkC;IAuB1C;;;;;;;;;;;;;;;;OAgBG;IACH,OAAO,CAAC,mCAAmC;IAmK3C;;;OAGG;IACH,OAAO,CAAC,oBAAoB;IAW5B;;;;;;;;;OASG;IACH,OAAO,CAAC,kBAAkB;IA2B1B;;;;;;;;;;;;;;;;;;;;;;;;;;OA0BG;IACH,OAAO,CAAC,yBAAyB;IA4HjC;6EACyE;IACzE,OAAO,CAAC,wBAAwB;IAShC;sDACkD;IAClD,OAAO,CAAC,wBAAwB;IAQhC;;;;OAIG;IACH,OAAO,CAAC,YAAY;IAkQpB;;;;;;;;OAQG;IACH,sBAAsB,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,eAAe,GAAG,IAAI;IA6CvE;;;;OAIG;IACH,OAAO,CAAC,iBAAiB;IAkEzB;;;OAGG;IACH,OAAO,CAAC,wBAAwB;IAkChC;;;;;;;;;OASG;IACH,OAAO,CAAC,wBAAwB;IAoEhC;;;;;;OAMG;IACH,OAAO,CAAC,oBAAoB;IAiE5B;;;;;OAKG;IACH,OAAO,CAAC,2BAA2B;IA8BnC;;;;OAIG;IACH,OAAO,CAAC,wBAAwB;IAyIhC;;;;;;OAMG;IACH,OAAO,CAAC,8BAA8B;IAwDtC,OAAO,CAAC,0BAA0B;IAiElC;;;OAGG;IACH,OAAO,CAAC,eAAe;
|
|
1
|
+
{"version":3,"file":"PostUpdateMigrator.d.ts","sourceRoot":"","sources":["../../src/core/PostUpdateMigrator.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAwCH,OAAO,EAEL,KAAK,YAAY,EACjB,KAAK,qBAAqB,EAC3B,MAAM,yBAAyB,CAAC;AAyBjC,MAAM,WAAW,eAAe;IAC9B,wBAAwB;IACxB,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,kCAAkC;IAClC,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,2CAA2C;IAC3C,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB;AAED,MAAM,WAAW,cAAc;IAC7B,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,OAAO,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,0BAA0B,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAYnF;AAED,qBAAa,kBAAkB;IAC7B,OAAO,CAAC,MAAM,CAAiB;IAC/B;;;;;;OAMG;IACH,OAAO,CAAC,UAAU,CAAiC;gBAEvC,MAAM,EAAE,cAAc;IAIlC;;;;;;;;;;;;;;OAcG;IACH,OAAO,CAAC,oBAAoB;IA0B5B;;;;;;;;;;;OAWG;IACH,YAAY,CAAC,IAAI,EAAE,YAAY,GAAG,IAAI;IAItC;;;;;;OAMG;IACG,eAAe,CACnB,WAAW,EAAE,MAAM,EACnB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,qBAAqB,CAAC;IAIjC,OAAO,CAAC,aAAa;IAOrB,OAAO,CAAC,kBAAkB;IAO1B;;;;OAIG;IACH,OAAO,CAAC,YAAY;IASpB;;;OAGG;IACH,OAAO,IAAI,eAAe;IAuE1B,OAAO,CAAC,gCAAgC;IAwCxC,OAAO,CAAC,8BAA8B;IAoFtC,OAAO,CAAC,yCAAyC;IA8DjD,OAAO,CAAC,0BAA0B;IAsFlC,OAAO,CAAC,wBAAwB;IAiFhC,OAAO,CAAC,sCAAsC;IAmE9C;;;;;;;;;;;;;;;;;;OAkBG;IACH,OAAO,CAAC,uCAAuC;IAqC/C;;;;;;;;;;;;;OAaG;IACH,OAAO,CAAC,0BAA0B;IAmFlC,OAAO,CAAC,0BAA0B;IAmDlC;;;;;;;;;;OAUG;IACH,OAAO,CAAC,kCAAkC;IAwH1C;;;;;;;;;;;;;;;;;;;OAmBG;IACH,OAAO,CAAC,kCAAkC;IA8C1C;;;;;;;;OAQG;IACH,OAAO,CAAC,kCAAkC;IA2B1C,OAAO,CAAC,uBAAuB;IAwE/B,OAAO,CAAC,4CAA4C;IA+CpD;;;;;;;OAOG;IACH,OAAO,CAAC,iCAAiC;IA0BzC;;;;;;;;;;;;OAYG;IACH,OAAO,CAAC,oCAAoC;IAmB5C;;;;;;;;;;;;OAYG;IACH,OAAO,CAAC,yCAAyC;IAWjD;;;;;;;;;;;OAWG;IACH,OAAO,CAAC,kCAAkC;IAW1C,OAAO,CAAC,yBAAyB;IA6FjC;;;;;;;;;;OAUG;IACG,YAAY,IAAI,OAAO,CAAC,eAAe,CAAC;YA4BhC,uBAAuB;IAkGrC,OAAO,CAAC,0BAA0B;IAkGlC,OAAO,CAAC,0BAA0B;IAoElC,OAAO,CAAC,oBAAoB;IAuH5B,OAAO,CAAC,8BAA8B;IA2EtC;;;;OAIG;IACH,OAAO,CAAC,gBAAgB;IAaxB;;;;;;;;;;;;OAYG;IACH,OAAO,CAAC,0BAA0B;IA8BlC;;;;;;;;;;;OAWG;IACH,OAAO,CAAC,4BAA4B;IAwBpC;;;;;;;;;;OAUG;IACH,OAAO,CAAC,sBAAsB;IAwB9B;;;;;;;;;OASG;IACH,OAAO,CAAC,wCAAwC;IAuBhD;;;;;;;;OAQG;IACH,OAAO,CAAC,2CAA2C;IAuBnD;;;;;;;;;;;;;OAaG;IACH,OAAO,CAAC,kCAAkC;IAuB1C;;;;;;;;;;;;;;;;OAgBG;IACH,OAAO,CAAC,mCAAmC;IAmK3C;;;OAGG;IACH,OAAO,CAAC,oBAAoB;IAW5B;;;;;;;;;OASG;IACH,OAAO,CAAC,kBAAkB;IA2B1B;;;;;;;;;;;;;;;;;;;;;;;;;;OA0BG;IACH,OAAO,CAAC,yBAAyB;IA4HjC;6EACyE;IACzE,OAAO,CAAC,wBAAwB;IAShC;sDACkD;IAClD,OAAO,CAAC,wBAAwB;IAQhC;;;;OAIG;IACH,OAAO,CAAC,YAAY;IAkQpB;;;;;;;;OAQG;IACH,sBAAsB,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,eAAe,GAAG,IAAI;IA6CvE;;;;OAIG;IACH,OAAO,CAAC,iBAAiB;IAkEzB;;;OAGG;IACH,OAAO,CAAC,wBAAwB;IAkChC;;;;;;;;;OASG;IACH,OAAO,CAAC,wBAAwB;IAoEhC;;;;;;OAMG;IACH,OAAO,CAAC,oBAAoB;IAiE5B;;;;;OAKG;IACH,OAAO,CAAC,2BAA2B;IA8BnC;;;;OAIG;IACH,OAAO,CAAC,wBAAwB;IAyIhC;;;;;;OAMG;IACH,OAAO,CAAC,8BAA8B;IAwDtC,OAAO,CAAC,0BAA0B;IAiElC;;;OAGG;IACH,OAAO,CAAC,eAAe;IAgkFvB;;;;;;;;;;;;;;;;;;;;;;OAsBG;IACH,OAAO,CAAC,kCAAkC;IAuN1C;;;OAGG;IACH,OAAO,CAAC,cAAc;IAmLtB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA+BG;IACH,OAAO,CAAC,yCAAyC;IAyDjD;;;OAGG;IACH,OAAO,CAAC,eAAe;IAqWvB;;;OAGG;IACH,OAAO,CAAC,aAAa;IAsGrB;;;OAGG;IACH;;;OAGG;IACH;;;;;;;;;;;;;;;;;;OAkBG;IACH,OAAO,CAAC,wBAAwB;IAmEhC;;;;;;;;;;;;;;OAcG;IACH,OAAO,CAAC,6BAA6B;IAwDrC;;;;;;;;;OASG;IACH,OAAO,CAAC,yBAAyB;IAsDjC,OAAO,CAAC,wBAAwB;IAqChC,OAAO,CAAC,gBAAgB;IAuBxB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAyCG;IACH,OAAO,CAAC,qBAAqB;IAsG7B;;;;;;;;;;;;;;;;;;;OAmBG;IACH,OAAO,CAAC,0BAA0B;IAgDlC;;;;;OAKG;IACH,OAAO,CAAC,oBAAoB;IAkC5B;;;;;;;;;;OAUG;IACH,OAAO,CAAC,kBAAkB;IA2C1B;;;;;OAKG;IACH,OAAO,CAAC,iBAAiB;IA+BzB,OAAO,CAAC,oBAAoB;IAgC5B;;;OAGG;IACH,OAAO,CAAC,aAAa;IAyBrB;;OAEG;IACH,OAAO,CAAC,sBAAsB;IAqC9B;;;OAGG;IACH,cAAc,CAAC,IAAI,EAAE,eAAe,GAAG,wBAAwB,GAAG,qBAAqB,GAAG,yBAAyB,GAAG,mBAAmB,GAAG,iBAAiB,GAAG,iBAAiB,GAAG,wBAAwB,GAAG,8BAA8B,GAAG,2BAA2B,GAAG,4BAA4B,GAAG,iBAAiB,GAAG,0BAA0B,GAAG,wBAAwB,GAAG,iBAAiB,GAAG,kBAAkB,GAAG,0BAA0B,GAAG,uBAAuB,GAAG,iBAAiB,GAAG,wBAAwB,GAAG,uBAAuB,GAAG,MAAM;IA0BxiB,oFAAoF;IACpF,iCAAiC,IAAI,MAAM;IAI3C,6EAA6E;IAC7E,yBAAyB,IAAI,MAAM;IAInC;;;;;;;;;;;;;;;;;;;;OAoBG;IACH,OAAO,CAAC,2BAA2B;IAmFnC,OAAO,CAAC,mBAAmB;IAuf3B,OAAO,CAAC,wBAAwB;IA6JhC,OAAO,CAAC,2BAA2B;IAwEnC,OAAO,CAAC,yBAAyB;IA8IjC,OAAO,CAAC,2BAA2B;IAqKnC,OAAO,CAAC,qBAAqB;IAyU7B,OAAO,CAAC,uBAAuB;IAmS/B,OAAO,CAAC,oBAAoB;IAgG5B,OAAO,CAAC,qBAAqB;IA8H7B,OAAO,CAAC,2BAA2B;IAoHnC,OAAO,CAAC,iCAAiC;IA6DzC,OAAO,CAAC,4BAA4B;IA+MpC;;;;;;;;;;OAUG;IACH;;;;;;;;;;;OAWG;IAEH,gBAAuB,iCAAiC,EAAE,WAAW,CAAC,MAAM,CAAC,CA2C1E;IAEH;;;;;;;;;;;OAWG;IACH,OAAO,CAAC,8BAA8B;IAiHtC,OAAO,CAAC,uBAAuB;IAwD/B;;;;OAIG;IACH,OAAO,CAAC,iBAAiB;IAIzB,OAAO,CAAC,sBAAsB;IAwC9B,OAAO,CAAC,iBAAiB;IAwBzB,OAAO,CAAC,mBAAmB;IAa3B,OAAO,CAAC,8BAA8B;IA6HtC,OAAO,CAAC,+BAA+B;IAuKvC,OAAO,CAAC,oBAAoB;IAY5B,OAAO,CAAC,qBAAqB;IAqO7B,OAAO,CAAC,qBAAqB;IAwI7B,OAAO,CAAC,qBAAqB;IA2O7B,OAAO,CAAC,6BAA6B;IAkLrC,OAAO,CAAC,0BAA0B;IAiClC,OAAO,CAAC,0BAA0B;IA8ElC,OAAO,CAAC,0BAA0B;IA8IlC,OAAO,CAAC,gBAAgB;IAmJxB,OAAO,CAAC,6BAA6B;CAoCtC"}
|
|
@@ -5864,6 +5864,18 @@ Create worktrees for collaborator repos with \`instar worktree create <branch>\`
|
|
|
5864
5864
|
patched = true;
|
|
5865
5865
|
result.upgraded.push('CLAUDE.md: added Honest progress messaging section');
|
|
5866
5866
|
}
|
|
5867
|
+
// Live Credential Re-pointing (WS5.2, CMT-1372) — existing agents learn the
|
|
5868
|
+
// /credentials/* manual levers + the zero-touch default-flip proactive trigger
|
|
5869
|
+
// ("flip my default account" → set-default; "which account is this slot on?"
|
|
5870
|
+
// → GET /credentials/locations). Body mirrors generateClaudeMd() (Agent
|
|
5871
|
+
// Awareness Standard). Content-sniffed on the distinctive section header so the
|
|
5872
|
+
// migration is idempotent and skips template-generated CLAUDE.md files. Harmless
|
|
5873
|
+
// on agents where the feature is dark (every lever 503s).
|
|
5874
|
+
if (!content.includes('Live Credential Re-pointing (move a pool account')) {
|
|
5875
|
+
content += `\n**Live Credential Re-pointing (move a pool account's login between config-home "slots" without restarting — WS5.2)** — Beyond the subscription pool's session-MOVING, this MOVES the credential itself: it exchanges which pool account's OAuth login sits in which config-home "slot" via a staged keychain swap, so the sessions already reading that slot pick up the new account on their NEXT API call — no restart, no re-login, nothing on your screen. The unit shuffled is the CREDENTIAL (always a clean SWAP between two slots, never a copy — one home per credential), verified by identity after every move (quarantine-never-repair when the identity oracle can't confirm). **Ships DARK** behind \`subscriptionPool.credentialRepointing.enabled\` — every lever 503s/no-ops while disabled (byte-for-byte today's behavior); going live needs a deliberate \`enabled:true\` + \`dryRun:false\` flip, and that ON decision is yours, separate from any build.\n- **Which account is in which slot?** (Registry First — read it, never guess) \`curl -H "Authorization: Bearer $AUTH" http://localhost:${port}/credentials/locations\` → the ledger census (slot ↔ account, since, lastVerifiedAt, quarantine state, journal tail, mode).\n- **Flip your default account (zero-touch)** — \`curl -X POST -H "Authorization: Bearer $AUTH" http://localhost:${port}/credentials/set-default -H 'Content-Type: application/json' -d '{"toAccountId":"<account>"}'\` swaps which account \`~/.claude\` serves, with no restart of the session you're talking to.\n- **Swap two slots' credentials live** — \`POST /credentials/swap\` \`{"slotA":"<home>","slotB":"<home>"}\` (the staged §2.3 exchange). **Restore the enrollment layout** — \`POST /credentials/restore-enrollment\` (parks any identity-incoherent blob one-directionally; never exchanges it into a healthy slot). All levers are DETECTIVE controls — operator-notified + audited + param-validated + per-pair cooldown + a force budget on \`force:true\`. No token material ever exits any \`/credentials/*\` surface (the single CredentialAuditEmit scrub chokepoint).\n- **The autonomous balancer surface** — \`GET /credentials/rebalancer\` (the use-it-or-lose-it drainer is Increment B; this surfaces the env-token applicability gate's verdict + WHY re-pointing would refuse, when enabled).\n- **When to use** (PROACTIVE — these are the triggers): "flip my default account to X" / "make X my default" → \`POST /credentials/set-default\`; "which account is this session/slot on?" / "where does ~/.claude point?" → \`GET /credentials/locations\` (read it, don't infer from \`claude auth status\` — that reads a metadata file, not the live credential). Single-account agents are a no-op. (Spec: \`docs/specs/live-credential-repointing-rebalancer.md\`.)\n`;
|
|
5876
|
+
patched = true;
|
|
5877
|
+
result.upgraded.push('CLAUDE.md: added Live Credential Re-pointing awareness section');
|
|
5878
|
+
}
|
|
5867
5879
|
if (patched) {
|
|
5868
5880
|
try {
|
|
5869
5881
|
fs.writeFileSync(claudeMdPath, content);
|