instar 1.3.545 → 1.3.547

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (41) hide show
  1. package/dashboard/index.html +12 -1
  2. package/dashboard/mandates.js +88 -0
  3. package/dist/commands/server.d.ts.map +1 -1
  4. package/dist/commands/server.js +59 -0
  5. package/dist/commands/server.js.map +1 -1
  6. package/dist/config/ConfigDefaults.d.ts.map +1 -1
  7. package/dist/config/ConfigDefaults.js +6 -0
  8. package/dist/config/ConfigDefaults.js.map +1 -1
  9. package/dist/core/AuthorizationRequestStore.d.ts +138 -0
  10. package/dist/core/AuthorizationRequestStore.d.ts.map +1 -0
  11. package/dist/core/AuthorizationRequestStore.js +307 -0
  12. package/dist/core/AuthorizationRequestStore.js.map +1 -0
  13. package/dist/core/devGatedFeatures.d.ts.map +1 -1
  14. package/dist/core/devGatedFeatures.js +6 -0
  15. package/dist/core/devGatedFeatures.js.map +1 -1
  16. package/dist/core/types.d.ts +10 -0
  17. package/dist/core/types.d.ts.map +1 -1
  18. package/dist/core/types.js.map +1 -1
  19. package/dist/scaffold/templates.d.ts.map +1 -1
  20. package/dist/scaffold/templates.js +6 -0
  21. package/dist/scaffold/templates.js.map +1 -1
  22. package/dist/server/AgentServer.d.ts +3 -0
  23. package/dist/server/AgentServer.d.ts.map +1 -1
  24. package/dist/server/AgentServer.js +34 -0
  25. package/dist/server/AgentServer.js.map +1 -1
  26. package/dist/server/CapabilityIndex.d.ts.map +1 -1
  27. package/dist/server/CapabilityIndex.js +16 -0
  28. package/dist/server/CapabilityIndex.js.map +1 -1
  29. package/dist/server/routes.d.ts +21 -0
  30. package/dist/server/routes.d.ts.map +1 -1
  31. package/dist/server/routes.js +167 -2
  32. package/dist/server/routes.js.map +1 -1
  33. package/package.json +1 -1
  34. package/scripts/instar-dev-precommit.js +24 -1
  35. package/scripts/lib/operator-surface.mjs +30 -0
  36. package/src/data/builtin-manifest.json +47 -47
  37. package/src/scaffold/templates.ts +6 -0
  38. package/upgrades/1.3.546.md +24 -0
  39. package/upgrades/1.3.547.md +26 -0
  40. package/upgrades/side-effects/operator-authorization-request.md +65 -0
  41. package/upgrades/side-effects/ws52-incb-b3b-wire.md +46 -0
@@ -0,0 +1,46 @@
1
+ # Side-Effects Review — WS5.2 Increment B / B3b-wire: balancer wired into the server (dry-run on dev)
2
+
3
+ **Version / slug:** `ws52-incb-b3b-wire`
4
+ **Date:** 2026-06-13
5
+ **Author:** echo
6
+ **Second-pass reviewer:** independent reviewer subagent — CONCUR (wires autonomous-write actuation into the live server → Phase 5 required)
7
+
8
+ ## Summary of the change
9
+
10
+ Wires the (already-reviewed) `CredentialRebalancer` orchestrator into the server composition root: constructs it in the `credentialRepointing` bundle (server.ts) with the snapshot-mapper providers + the re-gated `isEnabled`, schedules a reentrancy-guarded periodic `setInterval` pass, adds `rebalancer` to the bundle, and extends `GET /credentials/rebalancer` to report `rebalancer.status()` (last pass + breaker) alongside the env-token gate verdict. Because the feature is re-gated to live-on-dev-in-dry-run, on a DEV agent this loop now RUNS every ~5min in dry-run (full decision loop + audit, ZERO credential writes); on the fleet it is a strict no-op. This is the dogfooding the maturation path needs (CMT-1493). Real writes still require a deliberate `dryRun:false` (CMT-1494).
11
+
12
+ ## Decision-point inventory
13
+
14
+ - `credentialRebalancer.tick()` (now scheduled) — the autonomous balancer pass, now LIVE-on-dev in dry-run. Its `isEnabled` mirrors the location gate exactly (dev-gate-resolved AND not env-token-refused); the destructive write is gated by the executor's own `dryRun` (default true). The orchestrator's decision/breaker logic was reviewed in B3a; this change is the WIRING.
15
+
16
+ ---
17
+
18
+ ## 1. Over-block
19
+ No block/allow surface. Conservative direction preserved: the pass is a strict no-op whenever the feature is dark OR the env-token gate refuses; even when it runs (dev), the executor's dry-run gate blocks every write.
20
+
21
+ ## 2. Under-block
22
+ The new exposure on a dev agent: the balancer loop now actuates decisions (in dry-run) every pass. The reviewer confirmed no path writes a credential without an explicit `dryRun:false`. The known operator-opt-in subtlety (an explicit `enabled:true` resolves the gate true even on a fleet agent) is the documented two-flag design and remains write-protected by the dry-run default.
23
+
24
+ ## 3. Level-of-abstraction fit
25
+ Correct: the wiring layer holds ONLY the construction + scheduling; the decision is the pure policy's, the actuation is the gated executor's, the cross-pass state is the orchestrator's. The snapshot mappers (kept pure) translate live state. The setInterval is the thin "make it run" layer.
26
+
27
+ ## 4. Signal vs authority compliance
28
+ - [x] Yes — the conservatively-bounded actuation authority the §2.4 Tier-0 justification sanctions: deterministic policy, oracle-verified reversible swaps, every pass audited, dark + dry-run-first. The wiring grants no NEW authority beyond scheduling the already-reviewed orchestrator under the unchanged gate. (Ref: docs/signal-vs-authority.md; §2.4.)
29
+
30
+ ## 5. Interactions
31
+ - **Gate interaction:** `isEnabled` is byte-identical to the location gate, so the balancer and the QuotaPoller-attribution path agree on dark/live. The executor's own dark/dryRun gate is belt-and-suspenders.
32
+ - **Timer:** reentrancy-guarded (a slow tick never overlaps), interval clamped [60s, 60min], `.unref()`'d (never holds the process open), tick errors caught (a throw never crashes the loop or sticks the in-flight flag).
33
+ - **Route:** the dark path (`!credRepointEnabled()`) short-circuits to a 503 no-op BEFORE touching the rebalancer; the enabled path adds `balancerWired` + a leak-free `status()` (only enabled/breaker/cooldown counts + the last pass's slot/account/objective/reason — no token/blob material; scrubbed via `credSend → audit.response`).
34
+
35
+ ## 6. External surfaces
36
+ - On a **dev agent**: `GET /credentials/rebalancer` now reports `balancerWired:true` + the live status, and the balancer runs its dry-run loop (visible in the audit + DegradationReporter/attention on a surfaced terminal state). Zero credential writes. On the **fleet**: byte-for-byte unchanged (dark 503; the unref'd timer's tick is a strict no-op).
37
+
38
+ ## 7. Multi-machine posture (Cross-Machine Coherence)
39
+ - **Machine-local BY DESIGN.** Each machine schedules its own pass over its own ledger/pool/keychain snapshot; the in-memory cooldown/breaker state is per-process. No cross-machine input or coordination.
40
+
41
+ ## 8. Rollback cost
42
+ Low. Revert the commit → the rebalancer is no longer constructed/scheduled and the route returns to `balancerWired:false`. No state, no migration, no credential touch (dry-run never wrote). Any swap the live balancer ever performs is the reversible, oracle-verified, dry-run-gated round-trip the executor owns.
43
+
44
+ ## Follow-ups (tracked, not orphaned)
45
+ - An explicit operator default-account config + tmux-activity busyness for the drain target are dogfood refinements `<!-- tracked: 20905 -->` (B3b uses the current `~/.claude` tenant as the desired default and uniform busyness for now — safe in dry-run).
46
+ - B4 (livetest tie-in) + the `dryRun:false` promotion decision are tracked as commitments CMT-1493 / CMT-1494.