instar 1.3.592 → 1.3.593

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (37) hide show
  1. package/dist/commands/server.d.ts.map +1 -1
  2. package/dist/commands/server.js +5 -0
  3. package/dist/commands/server.js.map +1 -1
  4. package/dist/core/PostUpdateMigrator.d.ts +10 -0
  5. package/dist/core/PostUpdateMigrator.d.ts.map +1 -1
  6. package/dist/core/PostUpdateMigrator.js +83 -12
  7. package/dist/core/PostUpdateMigrator.js.map +1 -1
  8. package/dist/core/types.d.ts +15 -0
  9. package/dist/core/types.d.ts.map +1 -1
  10. package/dist/core/types.js.map +1 -1
  11. package/dist/monitoring/GreenPrAutoMerger.d.ts +90 -5
  12. package/dist/monitoring/GreenPrAutoMerger.d.ts.map +1 -1
  13. package/dist/monitoring/GreenPrAutoMerger.js +269 -6
  14. package/dist/monitoring/GreenPrAutoMerger.js.map +1 -1
  15. package/dist/monitoring/MergeRunner.d.ts +21 -0
  16. package/dist/monitoring/MergeRunner.d.ts.map +1 -1
  17. package/dist/monitoring/MergeRunner.js +33 -5
  18. package/dist/monitoring/MergeRunner.js.map +1 -1
  19. package/dist/monitoring/greenPrAutomergeWiring.d.ts +7 -0
  20. package/dist/monitoring/greenPrAutomergeWiring.d.ts.map +1 -1
  21. package/dist/monitoring/greenPrAutomergeWiring.js +44 -2
  22. package/dist/monitoring/greenPrAutomergeWiring.js.map +1 -1
  23. package/dist/monitoring/greenPrLogic.d.ts +39 -1
  24. package/dist/monitoring/greenPrLogic.d.ts.map +1 -1
  25. package/dist/monitoring/greenPrLogic.js +33 -1
  26. package/dist/monitoring/greenPrLogic.js.map +1 -1
  27. package/dist/server/CapabilityIndex.js +1 -1
  28. package/dist/server/CapabilityIndex.js.map +1 -1
  29. package/dist/server/routes.d.ts.map +1 -1
  30. package/dist/server/routes.js +29 -4
  31. package/dist/server/routes.js.map +1 -1
  32. package/package.json +1 -1
  33. package/scripts/safe-merge.mjs +27 -1
  34. package/src/data/builtin-manifest.json +63 -63
  35. package/upgrades/1.3.593.md +28 -0
  36. package/upgrades/side-effects/mergerunner-auto-arm-handoff-parity-track.md +60 -0
  37. package/upgrades/side-effects/mergerunner-auto-arm-handoff.md +48 -0
@@ -0,0 +1,60 @@
1
+ # Side-Effects Review — Track `mergeStrategy` in Migration-Parity guard test
2
+
3
+ **Change:** Add `mergeStrategy` to `legacyMigratorSections` in
4
+ `tests/unit/feature-delivery-completeness.test.ts`. Test-only. Tier 1.
5
+
6
+ **Context:** PR #1191's `PostUpdateMigrator.migrateClaudeMd` uses
7
+ `else if (!content.includes('mergeStrategy'))` as the updated-copy content-sniff to
8
+ detect+replace a STALE copy of the already-tracked "Green-PR Auto-Merge" section.
9
+ The parity guard's section-detector treats every `content.includes('X')` literal as
10
+ a section name and flagged `mergeStrategy` as untracked. The fix records it as the
11
+ re-detection marker for the already-tracked `/green-pr-automerge` section.
12
+
13
+ ## Phase 1 — Principle check (signal vs authority)
14
+
15
+ Does this change involve a decision point that gates information flow, blocks
16
+ actions, filters messages, or constrains agent behavior? **No.** It is a one-line
17
+ addition to a test's allowlist of known migrator section markers. It adds no
18
+ runtime logic, no detector, no authority. The guard test it touches is itself a
19
+ signal (it fails CI; it never blocks runtime behavior). No signal-vs-authority
20
+ concern.
21
+
22
+ ## Phase 4 — Side-effects answers
23
+
24
+ 1. **Over-block** — None. The guard now correctly recognizes one more legitimate
25
+ marker. It does NOT loosen the guard generally: any genuinely-new section name
26
+ still trips it. Over-blocking would be the guard staying red on a legitimate
27
+ marker — which is the bug being fixed.
28
+ 2. **Under-block** — Could adding `mergeStrategy` mask a future real section that
29
+ happened to also contain that literal? Negligible: the detector matches the
30
+ exact literal inside a `content.includes('mergeStrategy')` guard in the
31
+ migrator; `mergeStrategy` is a specific marker for one section. A future
32
+ unrelated section would carry its own distinct sniff literal.
33
+ 3. **Level-of-abstraction fit** — Correct layer. The tracking list is exactly where
34
+ the established pattern (`/corrections`, `/cutover-readiness/import-dryrun`,
35
+ `unlabeledCallShare`) records sub-line / re-detection sniff keys for parent
36
+ sections that are tracked elsewhere. This entry is identical in kind.
37
+ 4. **Signal vs authority compliance** — Compliant. No blocking authority added;
38
+ the test is a CI signal, not a runtime gate.
39
+ 5. **Interactions** — None. The entry sits alongside the existing
40
+ `/green-pr-automerge` tracking entry; it doesn't shadow or double-count it (the
41
+ detector lists each distinct literal once; both are accounted for).
42
+ 6. **External surfaces** — None. Test-only; no runtime, route, message, or
43
+ cross-agent surface changes.
44
+ 7. **Multi-machine posture** — N/A (test-only, machine-agnostic). The parent
45
+ feature's own multi-machine posture was reviewed in
46
+ `mergerunner-auto-arm-handoff.md`; this fix changes nothing about it.
47
+ 8. **Rollback cost** — Trivial. Revert the one-line test addition. No release, no
48
+ migration, no state repair. The parent PR's runtime behavior is untouched
49
+ either way.
50
+
51
+ ## Phase 4.5 — No deferrals
52
+
53
+ This fix is complete; nothing is deferred. It is the entirety of the parity-guard
54
+ correction for #1191.
55
+
56
+ ## Phase 5 — Second-pass review
57
+
58
+ Not required: the change carries no block/allow authority, no session-lifecycle,
59
+ coherence, idempotency, or runtime-gate surface. It is a test-tracking-list
60
+ addition.
@@ -0,0 +1,48 @@
1
+ # Side-Effects Review — MergeRunner Auto-Arm Handoff
2
+
3
+ **Spec:** `docs/specs/mergerunner-auto-arm-handoff.md` (CONVERGED 3 rounds + approved:true; report `docs/specs/reports/mergerunner-auto-arm-handoff-convergence.md`). Dev-cycle P0.
4
+ **Change:** switch the green-PR auto-merge watcher (`MergeRunner`/`GreenPrAutoMerger`) from "spawn `safe-merge --admin` and synchronously watch the merge land" to "arm GitHub native auto-merge (`safe-merge --auto`) and hand off," confirming the eventual merge on a later reconciliation tick. New non-terminal `armed`/`armed-overdue` episode states; operator-disarm reach via `--disable-auto`; GitHub `autoMergeRequest` as the cross-machine source of truth.
5
+
6
+ ## Phase 1 — Principle check (signal vs authority)
7
+ Touches a decision point (whether/when to merge a PR), so the principle applies. **No new brittle blocking authority.** Arming native auto-merge is a *handoff*, not a new gate — GitHub enforces every required check (strictly STRICTER than `--admin`, which *bypassed* them). The merge AUTHORITY is unchanged (still the existing eligibility gates: protected-paths, identity, dual-latch, lease, holds — all upstream of arming and unmodified). The new pieces are SIGNALS or operator-authorized actions: the `merged-at-unexpected-head` detector, `armed-overdue`, `auto-merge-unavailable`, and the `unconfirmedArmAttempts` ceiling are attention lines (never forced give-ups); the `--disable-auto` disarm is the explicit reach of an EXISTING operator kill switch (the operator pressed rollback / set the HOLD), not a new autonomous mutation. The B10 honesty invariant is preserved exactly — `merged` is recorded only after an independent `gh pr view` MERGED read, now on the reconciliation tick. Fail-open throughout (UNKNOWN read → leave armed, no ladder, no breaker). Compliant (`docs/signal-vs-authority.md`).
8
+
9
+ ## Phase 2 — Plan
10
+ Built in `.worktrees/mergerunner-auto-switch` off `JKHeadley/main` #1188 (`git remote -v` → JKHeadley; converged+approved spec present). Decision points touched: the act-path strategy (`mergeStrategy:'auto'` default | `'admin'` legacy) + the B10 confirm timing. Existing detectors interacted with: the per-PR failure ladder, the global breaker, the dual-latch, the lease. Rollback: `mergeStrategy:'admin'` config lever + the dual-latch/dark flags + revert the PR (additive code, no data migration).
11
+
12
+ ## 1. Over-block
13
+ The change does not block inputs — it routes the merge to GitHub. The inverse risk is **over-merge** (auto-merge merging something it shouldn't). Bounded by: the SAME upstream eligibility gates (protected-paths, identity, holds, dual-latch, lease) all run BEFORE arming and are unchanged; native auto-merge cannot merge a red/pending PR (GitHub enforces required checks — stricter than the old `--admin` bypass); the documented residual race (a write-capable push between arm and green could merge an unvetted head) is surfaced post-hoc via the `mergeCommitOid`/`expectedHeadOid` vs `armedHead` mismatch detector + attention line; and the whole watcher ships dark (`monitoring.greenPrAutoMerge.enabled` off fleet-wide; `dryRun` soak first).
14
+
15
+ ## 2. Under-block
16
+ A PR armed-then-stuck (CI perma-red after arming) is NOT silently dropped — `armed-overdue` keeps reconciling and re-surfaces a deduped attention line (Close the Loop). A confirm gap that persists is bounded by the head-keyed `unconfirmedArmAttempts` ceiling (surfaces, never spins invisibly). The one accepted residual (write-capable-push head substitution) is documented + post-hoc-detected, not silently missed — and the realistic write-capable-pusher set on `JKHeadley/instar` is small.
17
+
18
+ ## 3. Level-of-abstraction fit
19
+ Correct layer. The switch lives in the existing `MergeRunner`/`GreenPrAutoMerger` (the one place the watcher acts) + a thin `safe-merge.mjs` slug refinement + a config-threading chain. It reuses the existing episode/ladder/breaker/lease machinery rather than building a parallel revival path; the new `armed` outcome is a clean third branch of `applyOutcome` that does not alter the existing terminal branches. GitHub's `autoMergeRequest` (not a new local store) is the cross-machine truth.
20
+
21
+ ## 4. Signal vs authority compliance
22
+ See Phase 1. No brittle check gains blocking authority. The only new mutation (`--disable-auto`) is operator-authorized + audited + namespace-checked + null-safe. Compliant.
23
+
24
+ ## 5. Interactions
25
+ - **The B10 line (`GreenPrAutoMerger.ts:452`)** is the central interaction: it is left gated on `merged` ONLY (explicit comment forbids generalizing it to `armed` — `confirmedMerged:false` is correct/expected for armed). Verified by a positive + negative test.
26
+ - **Reconciliation vs candidate path:** `gather()` excludes any PR with a local `armedAt` OR GitHub `autoMergeArmed`, so an armed PR never re-enters the act path until reconciliation clears it — no arm/re-arm thrash (the mirror-decision-methods lesson: the reconciler's "leave armed" is matched by gather's exclusion).
27
+ - **Breaker:** reconciliation read-failures (UNKNOWN) and the non-ladder retry classes feed NO breaker signal (the breaker still only takes busy/deadline/tick-failed); arming already succeeded, so a flaky read can't open the breaker.
28
+ - **Disarm vs tick:** disarm runs IN-LINE in the rollback/pool-disarm routes (the tick is latch-gated and would never reach it), so the operator kill switch genuinely reaches in-flight armed merges.
29
+ - **No double-fire:** the `armed` (candidate) and reconciliation paths are mutually exclusive on a given PR within a tick.
30
+
31
+ ## 6. External surfaces
32
+ - `GET /green-pr-automerge` gains non-optional `armedCount`/`armed:[]` (observability — an in-flight async merge is now first-class visible).
33
+ - `safe-merge.mjs` gains a `refused:auto-arm-unavailable` result + `--capabilities` entry (back-compat: a new slug; existing callers unaffected).
34
+ - CLAUDE.md template gains the corrected behavior text (new agents via `generateClaudeMd`; EXISTING agents via a dedicated content-sniff REPLACE migration — the Migration-Parity fix, since the old install-if-`/green-pr-automerge`-absent sniff would skip already-armed agents and never deliver the load-bearing "a HOLD label alone does NOT stop GitHub auto-merge" fact).
35
+ - Depends on a runtime condition: "Allow auto-merge" enabled on the repo (it is, on `JKHeadley/instar`); if disabled, `refused:auto-arm-unavailable` → terminal-non-ladder attention (operator enables it or sets `mergeStrategy:'admin'`).
36
+
37
+ ## 7. Multi-machine posture (Cross-Machine Coherence)
38
+ **Machine-local episodes + GitHub-global merge authority, coordinated by the existing lease + GitHub `autoMergeRequest`.** Episode state (`green-pr-automerge.json`) is machine-local-by-design and does NOT replicate — but that no longer strands a lease move, because GitHub-side `autoMergeRequest` (read in the widened `gather()`/`refetchPr` projections) is the source of truth for "already armed": the new lease holder reads GitHub and skips/reconciles rather than re-arming. The async handoff genuinely IMPROVES the multi-machine story (a lease move between arm and merge no longer loses the merge — GitHub owns it). No new cross-machine state, no generated URL, no one-voice notice surface introduced. Stated explicitly in the spec's Multi-machine posture section.
39
+
40
+ ## 8. Rollback cost
41
+ Cheap and layered. (a) **Dark by default:** the whole watcher is off fleet-wide; armed per dev agent. (b) **`mergeStrategy:'admin'` lever:** restores the exact prior poll+admin behavior (runbook documents that a code-level rollback with armed PRs on GitHub leaves them for old code to redundantly `--admin`-merge — benign, both paths enforce required checks; or disarm-first). (c) **Dual-latch:** rollback/emergency-pause/pool-disarm now actively `--disable-auto` armed PRs. (d) **Full back-out:** revert the PR — additive code, new optional config/episode fields are forward-compatible via the `loadState` spread, no data migration, no agent-state repair.
42
+
43
+ ## No-deferrals (Phase 4.5)
44
+ No deferrals. Every Round-2/Round-3 finding was resolved in the converged spec and implemented (the convergence report is the audit trail). The one accepted residual (write-capable-push head race) is an explicitly-documented, post-hoc-detected, bounded risk — the honest scope, not a partial fix.
45
+
46
+ ## Phase 5 — Second-pass review
47
+ *(reaper/merge-class — REQUIRED; appended below)*
48
+ **Concur with the review.** An independent reaper/merge-class reviewer audited the ACTUAL implementation diff (not the artifact's claims) against all 7 load-bearing properties at real file:line — B10 not corrupted (`GreenPrAutoMerger.ts:579` gated on `merged` only; `armed` reaches its own branch; `act()` truthy for armed + negative misimpl test), re-arm exclusion airtight (`gather()` `localArmed||githubArmed` :451-461; widened projection derives `autoMergeArmed`), disarm reach real (rollback/pool-disarm in-line null-safe → `--disable-auto`; honest per-PR failure split), reconciliation fail-open (UNKNOWN→leave armed, no ladder/breaker; MERGED compares `expectedHeadOid`/`headRefOid` not squash `mergeCommitOid`), multi-machine (GitHub `autoMergeRequest` source of truth, machine-local episodes, no strand), `--disable-auto` namespace-safe (only `state.episodes` from `@me`-gated PRs, `--repo` pinned), B24 scoped to admin path. tsc clean; new optional fields forward-compatible; no existing terminal `applyOutcome` branch altered. No blockers.