instar 1.3.584 → 1.3.586
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/commands/server.d.ts.map +1 -1
- package/dist/commands/server.js +15 -1
- package/dist/commands/server.js.map +1 -1
- package/dist/messaging/MessageProcessingLedger.d.ts +19 -2
- package/dist/messaging/MessageProcessingLedger.d.ts.map +1 -1
- package/dist/messaging/MessageProcessingLedger.js +25 -4
- package/dist/messaging/MessageProcessingLedger.js.map +1 -1
- package/dist/messaging/stuckMessageRecovery.d.ts +10 -0
- package/dist/messaging/stuckMessageRecovery.d.ts.map +1 -1
- package/dist/messaging/stuckMessageRecovery.js +13 -5
- package/dist/messaging/stuckMessageRecovery.js.map +1 -1
- package/dist/server/routes.d.ts.map +1 -1
- package/dist/server/routes.js +41 -3
- package/dist/server/routes.js.map +1 -1
- package/dist/server/stopGate.d.ts +37 -0
- package/dist/server/stopGate.d.ts.map +1 -1
- package/dist/server/stopGate.js +85 -8
- package/dist/server/stopGate.js.map +1 -1
- package/package.json +1 -1
- package/scripts/safe-merge.mjs +68 -5
- package/src/data/builtin-manifest.json +46 -46
- package/upgrades/1.3.585.md +48 -0
- package/upgrades/1.3.586.md +76 -0
- package/upgrades/side-effects/autonomous-run-registration-guarantee.md +40 -0
- package/upgrades/side-effects/safe-merge-native-auto-merge.md +92 -0
- package/upgrades/side-effects/wedge-recovery-abandoned-notice.md +47 -0
|
@@ -1,8 +1,8 @@
|
|
|
1
1
|
{
|
|
2
2
|
"$schema": "./builtin-manifest.schema.json",
|
|
3
3
|
"schemaVersion": 1,
|
|
4
|
-
"generatedAt": "2026-06-
|
|
5
|
-
"instarVersion": "1.3.
|
|
4
|
+
"generatedAt": "2026-06-16T00:12:28.453Z",
|
|
5
|
+
"instarVersion": "1.3.586",
|
|
6
6
|
"entryCount": 201,
|
|
7
7
|
"entries": {
|
|
8
8
|
"hook:session-start": {
|
|
@@ -418,7 +418,7 @@
|
|
|
418
418
|
"type": "route-group",
|
|
419
419
|
"domain": "monitoring",
|
|
420
420
|
"sourcePath": "src/server/routes.ts",
|
|
421
|
-
"contentHash": "
|
|
421
|
+
"contentHash": "f25efb874f94ac6c3825e6ef5dee658670a80c6540d38bbb35f285a694295e3f",
|
|
422
422
|
"since": "2025-01-01"
|
|
423
423
|
},
|
|
424
424
|
"route-group:agents": {
|
|
@@ -426,7 +426,7 @@
|
|
|
426
426
|
"type": "route-group",
|
|
427
427
|
"domain": "sessions",
|
|
428
428
|
"sourcePath": "src/server/routes.ts",
|
|
429
|
-
"contentHash": "
|
|
429
|
+
"contentHash": "f25efb874f94ac6c3825e6ef5dee658670a80c6540d38bbb35f285a694295e3f",
|
|
430
430
|
"since": "2025-01-01"
|
|
431
431
|
},
|
|
432
432
|
"route-group:backups": {
|
|
@@ -434,7 +434,7 @@
|
|
|
434
434
|
"type": "route-group",
|
|
435
435
|
"domain": "operations",
|
|
436
436
|
"sourcePath": "src/server/routes.ts",
|
|
437
|
-
"contentHash": "
|
|
437
|
+
"contentHash": "f25efb874f94ac6c3825e6ef5dee658670a80c6540d38bbb35f285a694295e3f",
|
|
438
438
|
"since": "2025-01-01"
|
|
439
439
|
},
|
|
440
440
|
"route-group:git": {
|
|
@@ -442,7 +442,7 @@
|
|
|
442
442
|
"type": "route-group",
|
|
443
443
|
"domain": "coordination",
|
|
444
444
|
"sourcePath": "src/server/routes.ts",
|
|
445
|
-
"contentHash": "
|
|
445
|
+
"contentHash": "f25efb874f94ac6c3825e6ef5dee658670a80c6540d38bbb35f285a694295e3f",
|
|
446
446
|
"since": "2025-01-01"
|
|
447
447
|
},
|
|
448
448
|
"route-group:memory": {
|
|
@@ -450,7 +450,7 @@
|
|
|
450
450
|
"type": "route-group",
|
|
451
451
|
"domain": "memory",
|
|
452
452
|
"sourcePath": "src/server/routes.ts",
|
|
453
|
-
"contentHash": "
|
|
453
|
+
"contentHash": "f25efb874f94ac6c3825e6ef5dee658670a80c6540d38bbb35f285a694295e3f",
|
|
454
454
|
"since": "2025-01-01"
|
|
455
455
|
},
|
|
456
456
|
"route-group:semantic": {
|
|
@@ -458,7 +458,7 @@
|
|
|
458
458
|
"type": "route-group",
|
|
459
459
|
"domain": "memory",
|
|
460
460
|
"sourcePath": "src/server/routes.ts",
|
|
461
|
-
"contentHash": "
|
|
461
|
+
"contentHash": "f25efb874f94ac6c3825e6ef5dee658670a80c6540d38bbb35f285a694295e3f",
|
|
462
462
|
"since": "2025-01-01"
|
|
463
463
|
},
|
|
464
464
|
"route-group:status": {
|
|
@@ -466,7 +466,7 @@
|
|
|
466
466
|
"type": "route-group",
|
|
467
467
|
"domain": "monitoring",
|
|
468
468
|
"sourcePath": "src/server/routes.ts",
|
|
469
|
-
"contentHash": "
|
|
469
|
+
"contentHash": "f25efb874f94ac6c3825e6ef5dee658670a80c6540d38bbb35f285a694295e3f",
|
|
470
470
|
"since": "2025-01-01"
|
|
471
471
|
},
|
|
472
472
|
"route-group:capabilities": {
|
|
@@ -474,7 +474,7 @@
|
|
|
474
474
|
"type": "route-group",
|
|
475
475
|
"domain": "mapping",
|
|
476
476
|
"sourcePath": "src/server/routes.ts",
|
|
477
|
-
"contentHash": "
|
|
477
|
+
"contentHash": "f25efb874f94ac6c3825e6ef5dee658670a80c6540d38bbb35f285a694295e3f",
|
|
478
478
|
"since": "2025-01-01"
|
|
479
479
|
},
|
|
480
480
|
"route-group:project-map": {
|
|
@@ -482,7 +482,7 @@
|
|
|
482
482
|
"type": "route-group",
|
|
483
483
|
"domain": "mapping",
|
|
484
484
|
"sourcePath": "src/server/routes.ts",
|
|
485
|
-
"contentHash": "
|
|
485
|
+
"contentHash": "f25efb874f94ac6c3825e6ef5dee658670a80c6540d38bbb35f285a694295e3f",
|
|
486
486
|
"since": "2025-01-01"
|
|
487
487
|
},
|
|
488
488
|
"route-group:coherence": {
|
|
@@ -490,7 +490,7 @@
|
|
|
490
490
|
"type": "route-group",
|
|
491
491
|
"domain": "coherence",
|
|
492
492
|
"sourcePath": "src/server/routes.ts",
|
|
493
|
-
"contentHash": "
|
|
493
|
+
"contentHash": "f25efb874f94ac6c3825e6ef5dee658670a80c6540d38bbb35f285a694295e3f",
|
|
494
494
|
"since": "2025-01-01"
|
|
495
495
|
},
|
|
496
496
|
"route-group:topic-bindings": {
|
|
@@ -498,7 +498,7 @@
|
|
|
498
498
|
"type": "route-group",
|
|
499
499
|
"domain": "sessions",
|
|
500
500
|
"sourcePath": "src/server/routes.ts",
|
|
501
|
-
"contentHash": "
|
|
501
|
+
"contentHash": "f25efb874f94ac6c3825e6ef5dee658670a80c6540d38bbb35f285a694295e3f",
|
|
502
502
|
"since": "2025-01-01"
|
|
503
503
|
},
|
|
504
504
|
"route-group:context": {
|
|
@@ -506,7 +506,7 @@
|
|
|
506
506
|
"type": "route-group",
|
|
507
507
|
"domain": "context",
|
|
508
508
|
"sourcePath": "src/server/routes.ts",
|
|
509
|
-
"contentHash": "
|
|
509
|
+
"contentHash": "f25efb874f94ac6c3825e6ef5dee658670a80c6540d38bbb35f285a694295e3f",
|
|
510
510
|
"since": "2025-01-01"
|
|
511
511
|
},
|
|
512
512
|
"route-group:scope-coherence": {
|
|
@@ -514,7 +514,7 @@
|
|
|
514
514
|
"type": "route-group",
|
|
515
515
|
"domain": "coherence",
|
|
516
516
|
"sourcePath": "src/server/routes.ts",
|
|
517
|
-
"contentHash": "
|
|
517
|
+
"contentHash": "f25efb874f94ac6c3825e6ef5dee658670a80c6540d38bbb35f285a694295e3f",
|
|
518
518
|
"since": "2025-01-01"
|
|
519
519
|
},
|
|
520
520
|
"route-group:canonical-state": {
|
|
@@ -522,7 +522,7 @@
|
|
|
522
522
|
"type": "route-group",
|
|
523
523
|
"domain": "state",
|
|
524
524
|
"sourcePath": "src/server/routes.ts",
|
|
525
|
-
"contentHash": "
|
|
525
|
+
"contentHash": "f25efb874f94ac6c3825e6ef5dee658670a80c6540d38bbb35f285a694295e3f",
|
|
526
526
|
"since": "2025-01-01"
|
|
527
527
|
},
|
|
528
528
|
"route-group:ci": {
|
|
@@ -530,7 +530,7 @@
|
|
|
530
530
|
"type": "route-group",
|
|
531
531
|
"domain": "monitoring",
|
|
532
532
|
"sourcePath": "src/server/routes.ts",
|
|
533
|
-
"contentHash": "
|
|
533
|
+
"contentHash": "f25efb874f94ac6c3825e6ef5dee658670a80c6540d38bbb35f285a694295e3f",
|
|
534
534
|
"since": "2025-01-01"
|
|
535
535
|
},
|
|
536
536
|
"route-group:sessions": {
|
|
@@ -538,7 +538,7 @@
|
|
|
538
538
|
"type": "route-group",
|
|
539
539
|
"domain": "sessions",
|
|
540
540
|
"sourcePath": "src/server/routes.ts",
|
|
541
|
-
"contentHash": "
|
|
541
|
+
"contentHash": "f25efb874f94ac6c3825e6ef5dee658670a80c6540d38bbb35f285a694295e3f",
|
|
542
542
|
"since": "2025-01-01"
|
|
543
543
|
},
|
|
544
544
|
"route-group:jobs": {
|
|
@@ -546,7 +546,7 @@
|
|
|
546
546
|
"type": "route-group",
|
|
547
547
|
"domain": "scheduling",
|
|
548
548
|
"sourcePath": "src/server/routes.ts",
|
|
549
|
-
"contentHash": "
|
|
549
|
+
"contentHash": "f25efb874f94ac6c3825e6ef5dee658670a80c6540d38bbb35f285a694295e3f",
|
|
550
550
|
"since": "2025-01-01"
|
|
551
551
|
},
|
|
552
552
|
"route-group:skip-ledger": {
|
|
@@ -554,7 +554,7 @@
|
|
|
554
554
|
"type": "route-group",
|
|
555
555
|
"domain": "scheduling",
|
|
556
556
|
"sourcePath": "src/server/routes.ts",
|
|
557
|
-
"contentHash": "
|
|
557
|
+
"contentHash": "f25efb874f94ac6c3825e6ef5dee658670a80c6540d38bbb35f285a694295e3f",
|
|
558
558
|
"since": "2025-01-01"
|
|
559
559
|
},
|
|
560
560
|
"route-group:telegram": {
|
|
@@ -562,7 +562,7 @@
|
|
|
562
562
|
"type": "route-group",
|
|
563
563
|
"domain": "communication",
|
|
564
564
|
"sourcePath": "src/server/routes.ts",
|
|
565
|
-
"contentHash": "
|
|
565
|
+
"contentHash": "f25efb874f94ac6c3825e6ef5dee658670a80c6540d38bbb35f285a694295e3f",
|
|
566
566
|
"since": "2025-01-01"
|
|
567
567
|
},
|
|
568
568
|
"route-group:attention": {
|
|
@@ -570,7 +570,7 @@
|
|
|
570
570
|
"type": "route-group",
|
|
571
571
|
"domain": "communication",
|
|
572
572
|
"sourcePath": "src/server/routes.ts",
|
|
573
|
-
"contentHash": "
|
|
573
|
+
"contentHash": "f25efb874f94ac6c3825e6ef5dee658670a80c6540d38bbb35f285a694295e3f",
|
|
574
574
|
"since": "2025-01-01"
|
|
575
575
|
},
|
|
576
576
|
"route-group:relationships": {
|
|
@@ -578,7 +578,7 @@
|
|
|
578
578
|
"type": "route-group",
|
|
579
579
|
"domain": "relationships",
|
|
580
580
|
"sourcePath": "src/server/routes.ts",
|
|
581
|
-
"contentHash": "
|
|
581
|
+
"contentHash": "f25efb874f94ac6c3825e6ef5dee658670a80c6540d38bbb35f285a694295e3f",
|
|
582
582
|
"since": "2025-01-01"
|
|
583
583
|
},
|
|
584
584
|
"route-group:feedback": {
|
|
@@ -586,7 +586,7 @@
|
|
|
586
586
|
"type": "route-group",
|
|
587
587
|
"domain": "feedback",
|
|
588
588
|
"sourcePath": "src/server/routes.ts",
|
|
589
|
-
"contentHash": "
|
|
589
|
+
"contentHash": "f25efb874f94ac6c3825e6ef5dee658670a80c6540d38bbb35f285a694295e3f",
|
|
590
590
|
"since": "2025-01-01"
|
|
591
591
|
},
|
|
592
592
|
"route-group:updates": {
|
|
@@ -594,7 +594,7 @@
|
|
|
594
594
|
"type": "route-group",
|
|
595
595
|
"domain": "updates",
|
|
596
596
|
"sourcePath": "src/server/routes.ts",
|
|
597
|
-
"contentHash": "
|
|
597
|
+
"contentHash": "f25efb874f94ac6c3825e6ef5dee658670a80c6540d38bbb35f285a694295e3f",
|
|
598
598
|
"since": "2025-01-01"
|
|
599
599
|
},
|
|
600
600
|
"route-group:dispatches": {
|
|
@@ -602,7 +602,7 @@
|
|
|
602
602
|
"type": "route-group",
|
|
603
603
|
"domain": "dispatches",
|
|
604
604
|
"sourcePath": "src/server/routes.ts",
|
|
605
|
-
"contentHash": "
|
|
605
|
+
"contentHash": "f25efb874f94ac6c3825e6ef5dee658670a80c6540d38bbb35f285a694295e3f",
|
|
606
606
|
"since": "2025-01-01"
|
|
607
607
|
},
|
|
608
608
|
"route-group:quota": {
|
|
@@ -610,7 +610,7 @@
|
|
|
610
610
|
"type": "route-group",
|
|
611
611
|
"domain": "monitoring",
|
|
612
612
|
"sourcePath": "src/server/routes.ts",
|
|
613
|
-
"contentHash": "
|
|
613
|
+
"contentHash": "f25efb874f94ac6c3825e6ef5dee658670a80c6540d38bbb35f285a694295e3f",
|
|
614
614
|
"since": "2025-01-01"
|
|
615
615
|
},
|
|
616
616
|
"route-group:publishing": {
|
|
@@ -618,7 +618,7 @@
|
|
|
618
618
|
"type": "route-group",
|
|
619
619
|
"domain": "publishing",
|
|
620
620
|
"sourcePath": "src/server/routes.ts",
|
|
621
|
-
"contentHash": "
|
|
621
|
+
"contentHash": "f25efb874f94ac6c3825e6ef5dee658670a80c6540d38bbb35f285a694295e3f",
|
|
622
622
|
"since": "2025-01-01"
|
|
623
623
|
},
|
|
624
624
|
"route-group:private-views": {
|
|
@@ -626,7 +626,7 @@
|
|
|
626
626
|
"type": "route-group",
|
|
627
627
|
"domain": "publishing",
|
|
628
628
|
"sourcePath": "src/server/routes.ts",
|
|
629
|
-
"contentHash": "
|
|
629
|
+
"contentHash": "f25efb874f94ac6c3825e6ef5dee658670a80c6540d38bbb35f285a694295e3f",
|
|
630
630
|
"since": "2025-01-01"
|
|
631
631
|
},
|
|
632
632
|
"route-group:tunnel": {
|
|
@@ -634,7 +634,7 @@
|
|
|
634
634
|
"type": "route-group",
|
|
635
635
|
"domain": "networking",
|
|
636
636
|
"sourcePath": "src/server/routes.ts",
|
|
637
|
-
"contentHash": "
|
|
637
|
+
"contentHash": "f25efb874f94ac6c3825e6ef5dee658670a80c6540d38bbb35f285a694295e3f",
|
|
638
638
|
"since": "2025-01-01"
|
|
639
639
|
},
|
|
640
640
|
"route-group:events": {
|
|
@@ -642,7 +642,7 @@
|
|
|
642
642
|
"type": "route-group",
|
|
643
643
|
"domain": "networking",
|
|
644
644
|
"sourcePath": "src/server/routes.ts",
|
|
645
|
-
"contentHash": "
|
|
645
|
+
"contentHash": "f25efb874f94ac6c3825e6ef5dee658670a80c6540d38bbb35f285a694295e3f",
|
|
646
646
|
"since": "2025-01-01"
|
|
647
647
|
},
|
|
648
648
|
"route-group:evolution": {
|
|
@@ -650,7 +650,7 @@
|
|
|
650
650
|
"type": "route-group",
|
|
651
651
|
"domain": "evolution",
|
|
652
652
|
"sourcePath": "src/server/routes.ts",
|
|
653
|
-
"contentHash": "
|
|
653
|
+
"contentHash": "f25efb874f94ac6c3825e6ef5dee658670a80c6540d38bbb35f285a694295e3f",
|
|
654
654
|
"since": "2025-01-01"
|
|
655
655
|
},
|
|
656
656
|
"route-group:watchdog": {
|
|
@@ -658,7 +658,7 @@
|
|
|
658
658
|
"type": "route-group",
|
|
659
659
|
"domain": "monitoring",
|
|
660
660
|
"sourcePath": "src/server/routes.ts",
|
|
661
|
-
"contentHash": "
|
|
661
|
+
"contentHash": "f25efb874f94ac6c3825e6ef5dee658670a80c6540d38bbb35f285a694295e3f",
|
|
662
662
|
"since": "2025-01-01"
|
|
663
663
|
},
|
|
664
664
|
"route-group:topic-memory": {
|
|
@@ -666,7 +666,7 @@
|
|
|
666
666
|
"type": "route-group",
|
|
667
667
|
"domain": "memory",
|
|
668
668
|
"sourcePath": "src/server/routes.ts",
|
|
669
|
-
"contentHash": "
|
|
669
|
+
"contentHash": "f25efb874f94ac6c3825e6ef5dee658670a80c6540d38bbb35f285a694295e3f",
|
|
670
670
|
"since": "2025-01-01"
|
|
671
671
|
},
|
|
672
672
|
"route-group:state-sync": {
|
|
@@ -674,7 +674,7 @@
|
|
|
674
674
|
"type": "route-group",
|
|
675
675
|
"domain": "coordination",
|
|
676
676
|
"sourcePath": "src/server/routes.ts",
|
|
677
|
-
"contentHash": "
|
|
677
|
+
"contentHash": "f25efb874f94ac6c3825e6ef5dee658670a80c6540d38bbb35f285a694295e3f",
|
|
678
678
|
"since": "2025-01-01"
|
|
679
679
|
},
|
|
680
680
|
"route-group:intent": {
|
|
@@ -682,7 +682,7 @@
|
|
|
682
682
|
"type": "route-group",
|
|
683
683
|
"domain": "intent",
|
|
684
684
|
"sourcePath": "src/server/routes.ts",
|
|
685
|
-
"contentHash": "
|
|
685
|
+
"contentHash": "f25efb874f94ac6c3825e6ef5dee658670a80c6540d38bbb35f285a694295e3f",
|
|
686
686
|
"since": "2025-01-01"
|
|
687
687
|
},
|
|
688
688
|
"route-group:triage": {
|
|
@@ -690,7 +690,7 @@
|
|
|
690
690
|
"type": "route-group",
|
|
691
691
|
"domain": "safety",
|
|
692
692
|
"sourcePath": "src/server/routes.ts",
|
|
693
|
-
"contentHash": "
|
|
693
|
+
"contentHash": "f25efb874f94ac6c3825e6ef5dee658670a80c6540d38bbb35f285a694295e3f",
|
|
694
694
|
"since": "2025-01-01"
|
|
695
695
|
},
|
|
696
696
|
"route-group:operations": {
|
|
@@ -698,7 +698,7 @@
|
|
|
698
698
|
"type": "route-group",
|
|
699
699
|
"domain": "safety",
|
|
700
700
|
"sourcePath": "src/server/routes.ts",
|
|
701
|
-
"contentHash": "
|
|
701
|
+
"contentHash": "f25efb874f94ac6c3825e6ef5dee658670a80c6540d38bbb35f285a694295e3f",
|
|
702
702
|
"since": "2025-01-01"
|
|
703
703
|
},
|
|
704
704
|
"route-group:sentinel": {
|
|
@@ -706,7 +706,7 @@
|
|
|
706
706
|
"type": "route-group",
|
|
707
707
|
"domain": "safety",
|
|
708
708
|
"sourcePath": "src/server/routes.ts",
|
|
709
|
-
"contentHash": "
|
|
709
|
+
"contentHash": "f25efb874f94ac6c3825e6ef5dee658670a80c6540d38bbb35f285a694295e3f",
|
|
710
710
|
"since": "2025-01-01"
|
|
711
711
|
},
|
|
712
712
|
"route-group:trust": {
|
|
@@ -714,7 +714,7 @@
|
|
|
714
714
|
"type": "route-group",
|
|
715
715
|
"domain": "safety",
|
|
716
716
|
"sourcePath": "src/server/routes.ts",
|
|
717
|
-
"contentHash": "
|
|
717
|
+
"contentHash": "f25efb874f94ac6c3825e6ef5dee658670a80c6540d38bbb35f285a694295e3f",
|
|
718
718
|
"since": "2025-01-01"
|
|
719
719
|
},
|
|
720
720
|
"route-group:monitoring": {
|
|
@@ -722,7 +722,7 @@
|
|
|
722
722
|
"type": "route-group",
|
|
723
723
|
"domain": "monitoring",
|
|
724
724
|
"sourcePath": "src/server/routes.ts",
|
|
725
|
-
"contentHash": "
|
|
725
|
+
"contentHash": "f25efb874f94ac6c3825e6ef5dee658670a80c6540d38bbb35f285a694295e3f",
|
|
726
726
|
"since": "2025-01-01"
|
|
727
727
|
},
|
|
728
728
|
"route-group:commitments": {
|
|
@@ -730,7 +730,7 @@
|
|
|
730
730
|
"type": "route-group",
|
|
731
731
|
"domain": "commitments",
|
|
732
732
|
"sourcePath": "src/server/routes.ts",
|
|
733
|
-
"contentHash": "
|
|
733
|
+
"contentHash": "f25efb874f94ac6c3825e6ef5dee658670a80c6540d38bbb35f285a694295e3f",
|
|
734
734
|
"since": "2025-01-01"
|
|
735
735
|
},
|
|
736
736
|
"route-group:episodes": {
|
|
@@ -738,7 +738,7 @@
|
|
|
738
738
|
"type": "route-group",
|
|
739
739
|
"domain": "memory",
|
|
740
740
|
"sourcePath": "src/server/routes.ts",
|
|
741
|
-
"contentHash": "
|
|
741
|
+
"contentHash": "f25efb874f94ac6c3825e6ef5dee658670a80c6540d38bbb35f285a694295e3f",
|
|
742
742
|
"since": "2025-01-01"
|
|
743
743
|
},
|
|
744
744
|
"route-group:messages": {
|
|
@@ -746,7 +746,7 @@
|
|
|
746
746
|
"type": "route-group",
|
|
747
747
|
"domain": "coordination",
|
|
748
748
|
"sourcePath": "src/server/routes.ts",
|
|
749
|
-
"contentHash": "
|
|
749
|
+
"contentHash": "f25efb874f94ac6c3825e6ef5dee658670a80c6540d38bbb35f285a694295e3f",
|
|
750
750
|
"since": "2025-01-01"
|
|
751
751
|
},
|
|
752
752
|
"route-group:system-reviews": {
|
|
@@ -754,7 +754,7 @@
|
|
|
754
754
|
"type": "route-group",
|
|
755
755
|
"domain": "monitoring",
|
|
756
756
|
"sourcePath": "src/server/routes.ts",
|
|
757
|
-
"contentHash": "
|
|
757
|
+
"contentHash": "f25efb874f94ac6c3825e6ef5dee658670a80c6540d38bbb35f285a694295e3f",
|
|
758
758
|
"since": "2025-01-01"
|
|
759
759
|
},
|
|
760
760
|
"route-group:machine-mesh": {
|
|
@@ -770,7 +770,7 @@
|
|
|
770
770
|
"type": "route-group",
|
|
771
771
|
"domain": "security",
|
|
772
772
|
"sourcePath": "src/server/routes.ts",
|
|
773
|
-
"contentHash": "
|
|
773
|
+
"contentHash": "f25efb874f94ac6c3825e6ef5dee658670a80c6540d38bbb35f285a694295e3f",
|
|
774
774
|
"since": "2025-01-01"
|
|
775
775
|
},
|
|
776
776
|
"cli:init": {
|
|
@@ -0,0 +1,48 @@
|
|
|
1
|
+
# Upgrade Guide — vNEXT
|
|
2
|
+
|
|
3
|
+
<!-- assembled-by: assemble-next-md -->
|
|
4
|
+
<!-- bump: patch -->
|
|
5
|
+
|
|
6
|
+
## What Changed
|
|
7
|
+
|
|
8
|
+
When an inbound message gets stranded mid-turn (the machine handling it crashed or was handed off),
|
|
9
|
+
recovery re-runs it a few times, then gives up. Previously "give up" did nothing useful: the message
|
|
10
|
+
was **silently dropped** (the user never told) AND it stayed marked "being-worked-on", so the
|
|
11
|
+
recovery routine kept re-finding it and logging `stuck-recovery: giving up … after 3 attempts` every
|
|
12
|
+
~10 minutes, indefinitely (observed firing for hours on the same entries).
|
|
13
|
+
|
|
14
|
+
Now an exhausted entry is **terminally abandoned** and **announced**: a new terminal `abandoned`
|
|
15
|
+
state in `MessageProcessingLedger` (`markAbandoned`) moves it out of `processing` — so `reclaimStuck`
|
|
16
|
+
stops re-selecting it (the log-loop ends), `beginProcessing` refuses to revive it, and a provider
|
|
17
|
+
redelivery of the same event is dropped (a genuine resend uses a fresh dedupeKey). It leaves
|
|
18
|
+
`reply_committed_at` NULL, so it never masquerades as a real reply. `recoverStuckMessages` surfaces
|
|
19
|
+
abandoned entries and the server emits one per-topic loss notice.
|
|
20
|
+
|
|
21
|
+
## What to Tell Your User
|
|
22
|
+
|
|
23
|
+
- **No more silently-dropped messages**: "If I ever can't finish handling something you sent — say my
|
|
24
|
+
machine crashed mid-thought — I'll now tell you plainly that I didn't get to it and ask you to
|
|
25
|
+
resend, instead of leaving you waiting on a reply that never comes."
|
|
26
|
+
- **A quieter, healthier system**: "I also fixed a case where I'd keep silently retrying the same
|
|
27
|
+
failed message every few minutes, forever. Now I close it out cleanly the first time."
|
|
28
|
+
|
|
29
|
+
## Summary of New Capabilities
|
|
30
|
+
|
|
31
|
+
| Capability | How to Use |
|
|
32
|
+
|-----------|-----------|
|
|
33
|
+
| Honest loss notice when a stuck message is abandoned | automatic (posted to the affected conversation) |
|
|
34
|
+
| Stuck-recovery give-up no longer loops or drops silently | automatic |
|
|
35
|
+
|
|
36
|
+
## Evidence
|
|
37
|
+
|
|
38
|
+
Reproduction (live, 2026-06-15): `logs/server.log` showed `stuck-recovery: giving up on
|
|
39
|
+
telegram:21487:990487 after 3 attempts` (plus two sibling entries) firing on a ~10-minute cadence for
|
|
40
|
+
hours (19:07 → 20:11+), because the give-up branch did `skipped++; continue` — leaving the entry in
|
|
41
|
+
`processing` so `reclaimStuck` re-selected it every cycle, with no user notice.
|
|
42
|
+
|
|
43
|
+
After the fix (verified by 30/30 ledger + recovery unit tests, both sides of the boundary): an
|
|
44
|
+
exhausted entry is marked `abandoned` (state asserted terminal, `replyCommittedAt` NULL,
|
|
45
|
+
`hasReplyCommittedForTopicSince` still false, `reclaimStuck` no longer returns it), surfaced in
|
|
46
|
+
`result.abandoned`, and a subsequent recovery pass neither re-selects nor re-surfaces it — the
|
|
47
|
+
10-minute log-loop is gone and exactly one "resend anything still needed" notice is emitted per
|
|
48
|
+
abandoned entry. tsc clean.
|
|
@@ -0,0 +1,76 @@
|
|
|
1
|
+
# Upgrade Guide — vNEXT
|
|
2
|
+
|
|
3
|
+
<!-- assembled-by: assemble-next-md -->
|
|
4
|
+
<!-- bump: patch -->
|
|
5
|
+
|
|
6
|
+
## What Changed
|
|
7
|
+
|
|
8
|
+
An internal correction to the stop-gate's autonomous-run detection. The gate that
|
|
9
|
+
decides whether a stopping session is a registered autonomous run was reading only
|
|
10
|
+
an old single-file convention that modern runs no longer write — so a run that
|
|
11
|
+
registered itself per-topic was invisible to the gate and got treated as a plain
|
|
12
|
+
idle session, defeating the revive-it-later safety net.
|
|
13
|
+
|
|
14
|
+
The read now follows a fixed precedence chain: the canonical per-topic registration
|
|
15
|
+
under the .instar autonomous directory first, then the .instar legacy single-file,
|
|
16
|
+
then the oldest .claude legacy single-file. autonomousActive is true if any exists.
|
|
17
|
+
|
|
18
|
+
To check the per-topic path the server now resolves the serving topic itself: it
|
|
19
|
+
maps the Claude session id to its tmux session name via the session manager, then
|
|
20
|
+
inverts the topic-session registry on that name — the same inversion the bash stop
|
|
21
|
+
hook already uses. A resolution miss (no session record, corrupt or missing
|
|
22
|
+
registry, unknown name) explicitly falls back to the legacy paths and NEVER silently
|
|
23
|
+
returns a false negative — the no-silent-fallback boundary, annotated and covered by
|
|
24
|
+
tests on both sides.
|
|
25
|
+
|
|
26
|
+
This is the deterministic read-path fix. The dev-gated registration-guard that
|
|
27
|
+
auto-writes a registration stub when a run starts without one is a distinct change
|
|
28
|
+
specified separately in the spec's PR2 section.
|
|
29
|
+
|
|
30
|
+
`scripts/safe-merge.mjs` gained a `--auto` flag: it arms GitHub native
|
|
31
|
+
auto-merge (`gh pr merge --auto`) and returns immediately, instead of polling
|
|
32
|
+
the PR's checks until a deadline and force-merging with `--admin`. Native
|
|
33
|
+
auto-merge lets GitHub merge the PR the instant every required check passes —
|
|
34
|
+
it bypasses no check (strictly safer than `--admin`, which it then has to
|
|
35
|
+
re-impose) and it never times out (the failure mode that wedged hot-branch
|
|
36
|
+
merges: the poll watcher gets killed at ~18min before slow CI finishes).
|
|
37
|
+
|
|
38
|
+
`--auto` and `--admin` are mutually exclusive (parser-enforced). New exit code
|
|
39
|
+
`5 = auto-merge-armed` (distinct from `0 = merged-confirmed`). The existing
|
|
40
|
+
`--admin` synchronous path is byte-untouched and remains the fallback for repos
|
|
41
|
+
without "Allow auto-merge" enabled.
|
|
42
|
+
|
|
43
|
+
## What to Tell Your User
|
|
44
|
+
|
|
45
|
+
Your autonomous runs are now recognized more reliably when a session stops. The check that
|
|
46
|
+
decides whether a stopping session is a real autonomous run used to look only at an old
|
|
47
|
+
location that current runs no longer write, so a run that had registered itself could be
|
|
48
|
+
mistaken for an idle session. It now looks at the modern per-run location first and falls
|
|
49
|
+
back to the older ones, and it figures out which conversation it is looking at on its own.
|
|
50
|
+
If it cannot tell, it still checks the older locations rather than assuming the run is idle.
|
|
51
|
+
You do not need to do anything; this just makes the autonomous safety net harder to miss.
|
|
52
|
+
|
|
53
|
+
## Summary of New Capabilities
|
|
54
|
+
|
|
55
|
+
No new capabilities or APIs. This is a correctness fix to an existing internal check —
|
|
56
|
+
behavior only, fully backwards compatible, and reversible.
|
|
57
|
+
|
|
58
|
+
## Evidence
|
|
59
|
+
|
|
60
|
+
- tsc clean; full lint clean (no-silent-fallbacks ratchet green over the annotated catches).
|
|
61
|
+
- 38 tests green across tests/unit/stopGate.test.ts (D1 precedence, the D2 unresolved-topic boundary both sides, and the resolveTopicForTmux registry inversion) and tests/integration/stop-gate-autonomous-topic-resolution.test.ts (the full HTTP hot-path UUID to tmux to topic resolution).
|
|
62
|
+
- Server-only change — no agent-installed file touched, so no migration parity is required.
|
|
63
|
+
|
|
64
|
+
Side-effects review: upgrades/side-effects/autonomous-run-registration-guarantee.md
|
|
65
|
+
|
|
66
|
+
- `scripts/safe-merge.mjs`: new `--auto` flag, mutual-exclusion guard,
|
|
67
|
+
`native-auto-merge` capability + `autoMergeArmed:5` exit code, and the
|
|
68
|
+
arm-and-confirm block in `main()` (early-returns before the poll loop, so the
|
|
69
|
+
`--admin` path is unaffected).
|
|
70
|
+
- `tests/unit/safe-merge-hardening.test.ts`: +4 tests (parses `--auto`, defaults
|
|
71
|
+
off, rejects `--auto --admin` both orders, capabilities exposes the new
|
|
72
|
+
feature + exit code). 29/29 green.
|
|
73
|
+
- Second-pass review (merge machinery): CONCUR.
|
|
74
|
+
|
|
75
|
+
Follow-up (separately spec'd, NOT in this PR): switch the green-pr-automerge
|
|
76
|
+
watcher (`MergeRunner`) to `--auto` so the automated path also stops timing out.
|
|
@@ -0,0 +1,40 @@
|
|
|
1
|
+
# Side-Effects Review — Autonomous-Run Registration Guarantee (GAP-B, PR1)
|
|
2
|
+
|
|
3
|
+
**Spec:** docs/specs/autonomous-run-registration-guarantee.md (converged R1 + approved — operator full pre-approval, Justin 2026-06-15). **Parent:** An Autonomous Run Must Outlive Its Session.
|
|
4
|
+
**Scope:** PR1 only — the deterministic read-path correction (D1 precedence chain + D2 server-side topic resolution). Ships LIVE (no flag; a pure accuracy fix to an existing read).
|
|
5
|
+
**Files:** src/server/stopGate.ts, src/server/routes.ts, tests/unit/stopGate.test.ts, tests/integration/stop-gate-autonomous-topic-resolution.test.ts
|
|
6
|
+
|
|
7
|
+
## What changed
|
|
8
|
+
|
|
9
|
+
1. **stopGate.ts (`readAutonomousActive`):** replaced the single oldest-legacy-path existence check with a fixed precedence chain — (1) the per-topic canonical path .instar/autonomous/TOPIC.local.md, only when a topicId resolves; (2) the .instar legacy single-file; (3) the .claude oldest-legacy single-file. autonomousActive is true if ANY exists. The historical autonomousStateFile override still wins as the sole path read (back-compat). New optional HotPathInputs fields: topicId and stateRoot.
|
|
10
|
+
2. **stopGate.ts (`resolveTopicForTmux`, new exported pure fn):** inverts topic-session-registry.json's topicToSession map on a tmux name — the SAME inversion the bash stop hook uses. Pure, injectable reader, fail-open to null on any read/parse error.
|
|
11
|
+
3. **routes.ts (`resolveTopicForStopGate` helper + two getHotPathState callsites):** resolves the Claude session UUID to its tmux name via the session manager's claudeSessionId record, then to a topicId via resolveTopicForTmux, and passes topicId + stateRoot into both hot-path reads.
|
|
12
|
+
|
|
13
|
+
## Blast radius
|
|
14
|
+
|
|
15
|
+
Server-only. The single behavior touched is the stop-gate's autonomousActive read — which it computes for two consumers: the hot-path stop decision input and the StopNotifier unattended-session gate. No agent-installed file changed; no new HTTP route, no new config key, no new state file, no schema change. A single-machine or non-autonomous agent simply reads the same three paths and gets the same answer it would expect.
|
|
16
|
+
|
|
17
|
+
## Reversibility
|
|
18
|
+
|
|
19
|
+
Fully reversible. This is a read-path change with no persisted side effects — nothing is written, migrated, or stamped. Reverting the two source files restores the prior single-path read exactly; there is no on-disk state to unwind.
|
|
20
|
+
|
|
21
|
+
## Signal vs authority
|
|
22
|
+
|
|
23
|
+
The stop-gate's autonomousActive is a SIGNAL that informs the stop decision and the unattended-notice gate — it is not itself an authority that blocks or commits anything. This change adds NO new authority: it makes the existing signal MORE accurate by reading the canonical per-topic path a modern autonomous run actually writes. It never blocks a message, never gates a session, never spawns or kills anything. A more-accurate "this is an autonomous run" reading only changes whether the existing revive/notify machinery engages — the machinery's own authorities are unchanged.
|
|
24
|
+
|
|
25
|
+
## Failure modes
|
|
26
|
+
|
|
27
|
+
The one boundary that matters is the topic-resolution miss (no session record, corrupt/missing registry, unknown tmux name). It resolves to undefined/null and the read falls back EXPLICITLY to both legacy paths — it can never coerce a miss into a silent autonomousActive:false (the no-silent-fallbacks ratchet). Three @silent-fallback-ok catches are annotated and justified: a session-manager read failure (resolver returns undefined → legacy fallback), a per-path stat error (the chain continues to the next path, never short-circuiting the whole read), and a corrupt/missing registry (resolveTopicForTmux returns null → legacy fallback). All three are test-covered on both sides of the boundary.
|
|
28
|
+
|
|
29
|
+
## Migration parity
|
|
30
|
+
|
|
31
|
+
NONE required. No agent-installed file changed — this is server code only (the stop-gate read and the route resolver). Existing agents pick up the corrected read the moment their server runs the new code; there is no .claude/settings.json hook, .instar/config.json default, CLAUDE.md section, hook script, or built-in skill to migrate.
|
|
32
|
+
|
|
33
|
+
## Tests
|
|
34
|
+
|
|
35
|
+
- tests/unit/stopGate.test.ts — D1 precedence (per-topic wins; a different topic does not activate; fall-through to each legacy path; none-exist false; topic-less still reads both legacy paths; override-is-sole-path back-compat) and the D2 unresolved-topic boundary both sides (HIT reads per-topic; MISS-with-legacy stays true; MISS-with-nothing is the genuinely-inactive false) plus resolveTopicForTmux inversion (hit, unknown-name miss, null/empty, corrupt-registry fail-open).
|
|
36
|
+
- tests/integration/stop-gate-autonomous-topic-resolution.test.ts — the full HTTP hot-path: UUID→tmux→topic resolution feeds the canonical per-topic read end to end.
|
|
37
|
+
|
|
38
|
+
## What's scoped to the follow-on PR
|
|
39
|
+
|
|
40
|
+
PR1 covers the read-path correction only — the gate now SEES a registration that already exists on disk. The dev-gated registration-guard that auto-writes a TTL-bounded provenance stub when a run starts without one (D3) is specified separately in the spec's PR2 section, with its own dev-gate rollout and sign-off. <!-- tracked: autonomous-run-registration-guarantee -->
|
|
@@ -0,0 +1,92 @@
|
|
|
1
|
+
# Side-effects review — safe-merge `--auto` (native auto-merge path)
|
|
2
|
+
|
|
3
|
+
**Change:** add a `--auto` flag to `scripts/safe-merge.mjs` that arms GitHub
|
|
4
|
+
native auto-merge and returns immediately, as an additive alternative to the
|
|
5
|
+
existing `--admin` synchronous poll-and-merge path. Plus unit coverage.
|
|
6
|
+
|
|
7
|
+
## 1. Over-block (legitimate inputs rejected that shouldn't be)
|
|
8
|
+
None introduced. The new path is opt-in (`--auto`). The one new rejection is the
|
|
9
|
+
incoherent `--auto --admin` combo — that SHOULD be rejected (the two are
|
|
10
|
+
contradictory merge strategies). No existing invocation is affected: every
|
|
11
|
+
current caller passes `--admin` (or neither) and behaves byte-identically.
|
|
12
|
+
|
|
13
|
+
## 2. Under-block (failure modes still missed)
|
|
14
|
+
The `--auto` path delegates required-check enforcement to GitHub's branch
|
|
15
|
+
protection. If a repo has auto-merge enabled but branch protection is weak/absent
|
|
16
|
+
(no required checks), native auto-merge would merge on mergeable-state alone — but
|
|
17
|
+
that is GitHub's configured posture, not a bypass this script introduces, and it
|
|
18
|
+
is identical to what a human `gh pr merge --auto` would do. The `--admin` path's
|
|
19
|
+
manual re-imposition (e2e-presence, producer-bound floor) intentionally does NOT
|
|
20
|
+
run on `--auto` because GitHub enforces the required contexts itself; on a repo
|
|
21
|
+
with no required contexts there is nothing to enforce either way. Documented in
|
|
22
|
+
the ELI16. Mitigation for instar's own repo: main has 12 required checks, so
|
|
23
|
+
auto-merge waits for all of them.
|
|
24
|
+
|
|
25
|
+
## 3. Level-of-abstraction fit
|
|
26
|
+
Correct layer: this is the merge-mechanism wrapper, and native auto-merge is a
|
|
27
|
+
merge mechanism. It does not duplicate a higher gate — it DELEGATES to GitHub's
|
|
28
|
+
branch protection (a smarter, platform-level gate) rather than re-implementing
|
|
29
|
+
enforcement in-process. That is the right direction (less brittle in-process
|
|
30
|
+
logic, more native enforcement).
|
|
31
|
+
|
|
32
|
+
## 4. Signal vs authority compliance
|
|
33
|
+
The act-time authority on the `--auto` path is GitHub's branch protection (it
|
|
34
|
+
decides whether/when to merge). `safe-merge --auto` is a thin arming command +
|
|
35
|
+
honest confirmation reader — it holds no brittle blocking authority of its own;
|
|
36
|
+
it cannot merge anything GitHub's required checks haven't cleared. This is MORE
|
|
37
|
+
aligned with signal-vs-authority than `--admin` (which bypasses the authority and
|
|
38
|
+
then re-imposes it in brittle script logic). No new in-process gate is created.
|
|
39
|
+
|
|
40
|
+
## 5. Interactions (shadowing, double-fire, races)
|
|
41
|
+
- Does not shadow or get shadowed by the `--admin` path — they are mutually
|
|
42
|
+
exclusive (parser-enforced) and the `--auto` branch returns before the poll
|
|
43
|
+
loop is reached.
|
|
44
|
+
- No double-merge: arming auto-merge is idempotent (re-arming an armed PR is a
|
|
45
|
+
no-op on GitHub); the independent confirmation reports `merged`/`armed`/error
|
|
46
|
+
honestly.
|
|
47
|
+
- The dangerous-command-guard does NOT block `gh pr merge --auto` (verified
|
|
48
|
+
live 2026-06-15: `--auto` only QUEUES, it does not merge-before-green) — so the
|
|
49
|
+
arming command runs without tripping the #539-outage guard.
|
|
50
|
+
- `--match-head-commit` interaction: when an explicit SHA is supplied it is
|
|
51
|
+
passed through to `gh pr merge --auto`, so a moved head cancels the arming
|
|
52
|
+
(GitHub behavior), consistent with the head-pin intent. When NO explicit SHA is
|
|
53
|
+
supplied, the head is intentionally NOT pinned on the `--auto` path — native
|
|
54
|
+
auto-merge re-evaluates required checks against whatever the head becomes, so a
|
|
55
|
+
post-arming push simply makes GitHub wait for the new head's checks; it cannot
|
|
56
|
+
merge an unverified head. (This differs from the `--admin` path, which always
|
|
57
|
+
pins; the difference is sound under native enforcement.)
|
|
58
|
+
|
|
59
|
+
## 6. External surfaces
|
|
60
|
+
- Changes the script's CLI contract (new `--auto` flag, new feature
|
|
61
|
+
`native-auto-merge`, new exit code `5 = autoMergeArmed`) — surfaced in
|
|
62
|
+
`--capabilities` and asserted in tests, so a caller probing the contract sees
|
|
63
|
+
it.
|
|
64
|
+
- Depends on the repo having "Allow auto-merge" enabled (enabled on
|
|
65
|
+
JKHeadley/instar 2026-06-15). On a repo without it, arming fails with a clear
|
|
66
|
+
`refused:auto-arm-<cls>` + a message naming the missing setting — an honest
|
|
67
|
+
refusal, never a silent degrade, and the `--admin` path remains the fallback.
|
|
68
|
+
|
|
69
|
+
## 7. Multi-machine posture (Cross-Machine Coherence)
|
|
70
|
+
**Machine-local BY DESIGN.** `safe-merge.mjs` is a stateless CLI invoked
|
|
71
|
+
synchronously by whichever machine runs it; it holds no durable state, opens no
|
|
72
|
+
topic, generates no URL. The arming call targets GitHub (a shared external
|
|
73
|
+
authority), so the outcome is identical regardless of which machine arms it —
|
|
74
|
+
and GitHub de-dupes (arming an already-armed PR is a no-op), so two machines
|
|
75
|
+
arming the same PR cannot double-merge. No replication or proxied-read needed.
|
|
76
|
+
|
|
77
|
+
## 8. Rollback cost
|
|
78
|
+
Trivial. The flag is additive; reverting the commit removes `--auto` and leaves
|
|
79
|
+
the untouched `--admin` path. No data migration, no state repair, no fleet
|
|
80
|
+
coordination. At the repo level, `allow_auto_merge` can be toggled back off in
|
|
81
|
+
one API call / settings click if ever undesired (independent of this code).
|
|
82
|
+
|
|
83
|
+
## Second-pass review (required — touches merge machinery)
|
|
84
|
+
|
|
85
|
+
Second-pass: CONCUR — the `if (args.auto)` block early-returns before the poll
|
|
86
|
+
loop so the `--admin` path is behavior-identical, the independent `pr view`
|
|
87
|
+
re-read only claims `merged`/`armed` on a real `MERGED`/`autoMergeRequest` state
|
|
88
|
+
and otherwise exits 2 (no false success), and mutual-exclusion + exit codes are
|
|
89
|
+
correct; the only weakening is the author-disclosed branch-protection delegation
|
|
90
|
+
(§2), which is bounded — it adds no bypass and is moot on JKHeadley/instar's 12
|
|
91
|
+
required checks, so "strictly safer than --admin" holds wherever required checks
|
|
92
|
+
exist. (Reviewer's §5 doc-precision nit on head-pinning was applied above.)
|