instar 1.3.565 → 1.3.566

package/dist/server/routes.js

@@ -5824,6 +5824,123 @@ export function createRoutes(ctx) {
             res.status(500).json({ error: msg });
         }
     });
+    // ── Self-Unblock Before Escalating (read-only checklist-run view, spec §7) ───
+    // Extends the /blockers read surface with the recent self-unblock checklist runs
+    // (per-probe results + the rung). Registered BEFORE GET /blockers/:id so the
+    // literal path is not swallowed by the :id param. Bearer-gated by the same
+    // router-wide authMiddleware (NOT auth-exempt); the 503-when-dark check happens
+    // AFTER auth (an unauthenticated caller gets 401 from the middleware, never a 503
+    // that would confirm the route exists). Cache-Control: no-store — the body is
+    // credential-reachability reconnaissance. Default-bounded (?limit=, last 200) +
+    // skip-corrupt-lines (the store's list() tolerates partial lines). Served through
+    // the <blocker-ledger-data> envelope — each run's untrusted detail is DATA.
+    const SELF_UNBLOCK_DARK = 'Self-Unblock checklist not initialized (monitoring.blockerLedger.selfUnblockChecklist.enabled is false)';
+    router.get('/blockers/self-unblock-runs', async (req, res) => {
+        if (!ctx.selfUnblockRunStore) {
+            res.status(503).json({ error: SELF_UNBLOCK_DARK });
+            return;
+        }
+        try {
+            const { toLlmSafeEnvelope } = await import('../monitoring/BlockerLedger.js');
+            const { resolveRung } = await import('../monitoring/SelfUnblockChecklist.js');
+            const rawLimit = req.query.limit ? Number(req.query.limit) : 200;
+            const limit = Number.isFinite(rawLimit) ? Math.min(Math.max(rawLimit, 1), 200) : 200;
+            const runs = ctx.selfUnblockRunStore.list(limit);
+            const view = runs.map((run) => {
+                // Derive the rung from the run (no action-class / operator-only context
+                // available on a pure read — surface the BASE rung the run implies).
+                const rung = resolveRung({ run }).rung;
+                return {
+                    runId: run.runId,
+                    target: run.target,
+                    requiredAttemptType: run.requiredAttemptType,
+                    completedAt: run.completedAt,
+                    exhausted: run.exhausted,
+                    rung,
+                    probes: run.probes.map((p) => ({
+                        source: p.source,
+                        reachable: p.reachable,
+                        holdsRelevantCred: p.holdsRelevantCred,
+                        probedAt: p.probedAt,
+                        matchedScopeTags: p.matchedScopeTags,
+                        // Untrusted free text → DATA, wrapped in the ledger envelope.
+                        detail: p.detail ? toLlmSafeEnvelope(p.detail) : undefined,
+                    })),
+                };
+            });
+            res.set('Cache-Control', 'no-store');
+            res.json({ runs: view, total: view.length });
+        }
+        catch (err) {
+            const msg = err instanceof Error ? err.message : String(err);
+            res.status(500).json({ error: msg });
+        }
+    });
+    // ── Self-Unblock Before Escalating — RUN the checklist (the PRODUCER, spec §5) ─
+    // POST /blockers/self-unblock-run runs the PRODUCTION checklist (real probe
+    // providers + durable run store) against a target and persists the run, so a
+    // true-blocker settle can REFERENCE that verified run. Without this surface
+    // nothing in production could PRODUCE a run, so enabling the feature made
+    // settling a credential-blocker impossible — this closes that gap.
+    //
+    // Bearer-gated by the router-wide authMiddleware (NOT auth-exempt); the
+    // 503-when-dark check happens AFTER auth (an unauthenticated caller gets 401 from
+    // the middleware, never a 503 confirming the route exists). Cache-Control:
+    // no-store — the body is credential-reachability reconnaissance. Registered
+    // BEFORE POST /blockers/:id/* is irrelevant (those are distinct literal paths),
+    // but it MUST precede GET /blockers/:id (above) — which it does, sharing the
+    // /blockers/self-unblock-* prefix that is registered first. Run is rate-limited.
+    const SELF_UNBLOCK_RUN_DARK = 'Self-Unblock checklist producer not initialized (monitoring.blockerLedger.selfUnblockChecklist.enabled is false)';
+    router.post('/blockers/self-unblock-run', blockerWriteLimiter, async (req, res) => {
+        if (!ctx.selfUnblockChecklist) {
+            res.status(503).json({ error: SELF_UNBLOCK_RUN_DARK });
+            return;
+        }
+        if (req.headers['x-instar-request'] !== '1') {
+            res.status(403).json({ error: 'POST /blockers/self-unblock-run requires the X-Instar-Request: 1 intent header' });
+            return;
+        }
+        try {
+            const body = (req.body ?? {});
+            const target = typeof body.target === 'string' ? body.target.trim() : '';
+            if (!target) {
+                res.status(400).json({ error: 'target (a non-empty service:scope string) is required' });
+                return;
+            }
+            const rawType = body.requiredAttemptType;
+            if (rawType !== undefined && rawType !== 'self-fetch' && rawType !== 'dry-run') {
+                res.status(400).json({ error: "requiredAttemptType must be 'self-fetch' or 'dry-run'" });
+                return;
+            }
+            const requiredAttemptType = rawType === 'dry-run' ? 'dry-run' : 'self-fetch';
+            const { toLlmSafeEnvelope } = await import('../monitoring/BlockerLedger.js');
+            const { resolveRung } = await import('../monitoring/SelfUnblockChecklist.js');
+            const run = await ctx.selfUnblockChecklist.run({ target, requiredAttemptType });
+            const rung = resolveRung({ run }).rung;
+            res.set('Cache-Control', 'no-store');
+            res.json({
+                runId: run.runId,
+                target: run.target,
+                requiredAttemptType: run.requiredAttemptType,
+                completedAt: run.completedAt,
+                exhausted: run.exhausted,
+                rung,
+                probes: run.probes.map((p) => ({
+                    source: p.source,
+                    reachable: p.reachable,
+                    holdsRelevantCred: p.holdsRelevantCred,
+                    probedAt: p.probedAt,
+                    matchedScopeTags: p.matchedScopeTags,
+                    // Untrusted free text → DATA, wrapped in the ledger envelope.
+                    detail: p.detail ? toLlmSafeEnvelope(p.detail) : undefined,
+                })),
+            });
+        }
+        catch (err) {
+            const msg = err instanceof Error ? err.message : String(err);
+            res.status(500).json({ error: msg });
+        }
+    });
     router.get('/blockers/:id', (req, res) => {
         if (!ctx.blockerLedger) {
             res.status(503).json({ error: BLOCKER_DARK });