instar 1.3.603 → 1.3.604

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "instar",
3
- "version": "1.3.603",
3
+ "version": "1.3.604",
4
4
  "description": "Coherence infrastructure for self-evolving AI agents — on the Claude Code or Codex subscription you already have.",
5
5
  "type": "module",
6
6
  "main": "dist/index.js",
@@ -1,8 +1,8 @@
1
1
  {
2
2
  "$schema": "./builtin-manifest.schema.json",
3
3
  "schemaVersion": 1,
4
- "generatedAt": "2026-06-16T23:45:33.497Z",
5
- "instarVersion": "1.3.603",
4
+ "generatedAt": "2026-06-17T00:21:27.330Z",
5
+ "instarVersion": "1.3.604",
6
6
  "entryCount": 201,
7
7
  "entries": {
8
8
  "hook:session-start": {
@@ -418,7 +418,7 @@
418
418
  "type": "route-group",
419
419
  "domain": "monitoring",
420
420
  "sourcePath": "src/server/routes.ts",
421
- "contentHash": "2241f1f32dee1b3c36243721735ac371ede4ed7c55a9ae56eddef926d78b52bc",
421
+ "contentHash": "edc5a575d5d1eaac6e996d382acd8c3e46bec6c62f5293f8e5c6fbf667eaf7ed",
422
422
  "since": "2025-01-01"
423
423
  },
424
424
  "route-group:agents": {
@@ -426,7 +426,7 @@
426
426
  "type": "route-group",
427
427
  "domain": "sessions",
428
428
  "sourcePath": "src/server/routes.ts",
429
- "contentHash": "2241f1f32dee1b3c36243721735ac371ede4ed7c55a9ae56eddef926d78b52bc",
429
+ "contentHash": "edc5a575d5d1eaac6e996d382acd8c3e46bec6c62f5293f8e5c6fbf667eaf7ed",
430
430
  "since": "2025-01-01"
431
431
  },
432
432
  "route-group:backups": {
@@ -434,7 +434,7 @@
434
434
  "type": "route-group",
435
435
  "domain": "operations",
436
436
  "sourcePath": "src/server/routes.ts",
437
- "contentHash": "2241f1f32dee1b3c36243721735ac371ede4ed7c55a9ae56eddef926d78b52bc",
437
+ "contentHash": "edc5a575d5d1eaac6e996d382acd8c3e46bec6c62f5293f8e5c6fbf667eaf7ed",
438
438
  "since": "2025-01-01"
439
439
  },
440
440
  "route-group:git": {
@@ -442,7 +442,7 @@
442
442
  "type": "route-group",
443
443
  "domain": "coordination",
444
444
  "sourcePath": "src/server/routes.ts",
445
- "contentHash": "2241f1f32dee1b3c36243721735ac371ede4ed7c55a9ae56eddef926d78b52bc",
445
+ "contentHash": "edc5a575d5d1eaac6e996d382acd8c3e46bec6c62f5293f8e5c6fbf667eaf7ed",
446
446
  "since": "2025-01-01"
447
447
  },
448
448
  "route-group:memory": {
@@ -450,7 +450,7 @@
450
450
  "type": "route-group",
451
451
  "domain": "memory",
452
452
  "sourcePath": "src/server/routes.ts",
453
- "contentHash": "2241f1f32dee1b3c36243721735ac371ede4ed7c55a9ae56eddef926d78b52bc",
453
+ "contentHash": "edc5a575d5d1eaac6e996d382acd8c3e46bec6c62f5293f8e5c6fbf667eaf7ed",
454
454
  "since": "2025-01-01"
455
455
  },
456
456
  "route-group:semantic": {
@@ -458,7 +458,7 @@
458
458
  "type": "route-group",
459
459
  "domain": "memory",
460
460
  "sourcePath": "src/server/routes.ts",
461
- "contentHash": "2241f1f32dee1b3c36243721735ac371ede4ed7c55a9ae56eddef926d78b52bc",
461
+ "contentHash": "edc5a575d5d1eaac6e996d382acd8c3e46bec6c62f5293f8e5c6fbf667eaf7ed",
462
462
  "since": "2025-01-01"
463
463
  },
464
464
  "route-group:status": {
@@ -466,7 +466,7 @@
466
466
  "type": "route-group",
467
467
  "domain": "monitoring",
468
468
  "sourcePath": "src/server/routes.ts",
469
- "contentHash": "2241f1f32dee1b3c36243721735ac371ede4ed7c55a9ae56eddef926d78b52bc",
469
+ "contentHash": "edc5a575d5d1eaac6e996d382acd8c3e46bec6c62f5293f8e5c6fbf667eaf7ed",
470
470
  "since": "2025-01-01"
471
471
  },
472
472
  "route-group:capabilities": {
@@ -474,7 +474,7 @@
474
474
  "type": "route-group",
475
475
  "domain": "mapping",
476
476
  "sourcePath": "src/server/routes.ts",
477
- "contentHash": "2241f1f32dee1b3c36243721735ac371ede4ed7c55a9ae56eddef926d78b52bc",
477
+ "contentHash": "edc5a575d5d1eaac6e996d382acd8c3e46bec6c62f5293f8e5c6fbf667eaf7ed",
478
478
  "since": "2025-01-01"
479
479
  },
480
480
  "route-group:project-map": {
@@ -482,7 +482,7 @@
482
482
  "type": "route-group",
483
483
  "domain": "mapping",
484
484
  "sourcePath": "src/server/routes.ts",
485
- "contentHash": "2241f1f32dee1b3c36243721735ac371ede4ed7c55a9ae56eddef926d78b52bc",
485
+ "contentHash": "edc5a575d5d1eaac6e996d382acd8c3e46bec6c62f5293f8e5c6fbf667eaf7ed",
486
486
  "since": "2025-01-01"
487
487
  },
488
488
  "route-group:coherence": {
@@ -490,7 +490,7 @@
490
490
  "type": "route-group",
491
491
  "domain": "coherence",
492
492
  "sourcePath": "src/server/routes.ts",
493
- "contentHash": "2241f1f32dee1b3c36243721735ac371ede4ed7c55a9ae56eddef926d78b52bc",
493
+ "contentHash": "edc5a575d5d1eaac6e996d382acd8c3e46bec6c62f5293f8e5c6fbf667eaf7ed",
494
494
  "since": "2025-01-01"
495
495
  },
496
496
  "route-group:topic-bindings": {
@@ -498,7 +498,7 @@
498
498
  "type": "route-group",
499
499
  "domain": "sessions",
500
500
  "sourcePath": "src/server/routes.ts",
501
- "contentHash": "2241f1f32dee1b3c36243721735ac371ede4ed7c55a9ae56eddef926d78b52bc",
501
+ "contentHash": "edc5a575d5d1eaac6e996d382acd8c3e46bec6c62f5293f8e5c6fbf667eaf7ed",
502
502
  "since": "2025-01-01"
503
503
  },
504
504
  "route-group:context": {
@@ -506,7 +506,7 @@
506
506
  "type": "route-group",
507
507
  "domain": "context",
508
508
  "sourcePath": "src/server/routes.ts",
509
- "contentHash": "2241f1f32dee1b3c36243721735ac371ede4ed7c55a9ae56eddef926d78b52bc",
509
+ "contentHash": "edc5a575d5d1eaac6e996d382acd8c3e46bec6c62f5293f8e5c6fbf667eaf7ed",
510
510
  "since": "2025-01-01"
511
511
  },
512
512
  "route-group:scope-coherence": {
@@ -514,7 +514,7 @@
514
514
  "type": "route-group",
515
515
  "domain": "coherence",
516
516
  "sourcePath": "src/server/routes.ts",
517
- "contentHash": "2241f1f32dee1b3c36243721735ac371ede4ed7c55a9ae56eddef926d78b52bc",
517
+ "contentHash": "edc5a575d5d1eaac6e996d382acd8c3e46bec6c62f5293f8e5c6fbf667eaf7ed",
518
518
  "since": "2025-01-01"
519
519
  },
520
520
  "route-group:canonical-state": {
@@ -522,7 +522,7 @@
522
522
  "type": "route-group",
523
523
  "domain": "state",
524
524
  "sourcePath": "src/server/routes.ts",
525
- "contentHash": "2241f1f32dee1b3c36243721735ac371ede4ed7c55a9ae56eddef926d78b52bc",
525
+ "contentHash": "edc5a575d5d1eaac6e996d382acd8c3e46bec6c62f5293f8e5c6fbf667eaf7ed",
526
526
  "since": "2025-01-01"
527
527
  },
528
528
  "route-group:ci": {
@@ -530,7 +530,7 @@
530
530
  "type": "route-group",
531
531
  "domain": "monitoring",
532
532
  "sourcePath": "src/server/routes.ts",
533
- "contentHash": "2241f1f32dee1b3c36243721735ac371ede4ed7c55a9ae56eddef926d78b52bc",
533
+ "contentHash": "edc5a575d5d1eaac6e996d382acd8c3e46bec6c62f5293f8e5c6fbf667eaf7ed",
534
534
  "since": "2025-01-01"
535
535
  },
536
536
  "route-group:sessions": {
@@ -538,7 +538,7 @@
538
538
  "type": "route-group",
539
539
  "domain": "sessions",
540
540
  "sourcePath": "src/server/routes.ts",
541
- "contentHash": "2241f1f32dee1b3c36243721735ac371ede4ed7c55a9ae56eddef926d78b52bc",
541
+ "contentHash": "edc5a575d5d1eaac6e996d382acd8c3e46bec6c62f5293f8e5c6fbf667eaf7ed",
542
542
  "since": "2025-01-01"
543
543
  },
544
544
  "route-group:jobs": {
@@ -546,7 +546,7 @@
546
546
  "type": "route-group",
547
547
  "domain": "scheduling",
548
548
  "sourcePath": "src/server/routes.ts",
549
- "contentHash": "2241f1f32dee1b3c36243721735ac371ede4ed7c55a9ae56eddef926d78b52bc",
549
+ "contentHash": "edc5a575d5d1eaac6e996d382acd8c3e46bec6c62f5293f8e5c6fbf667eaf7ed",
550
550
  "since": "2025-01-01"
551
551
  },
552
552
  "route-group:skip-ledger": {
@@ -554,7 +554,7 @@
554
554
  "type": "route-group",
555
555
  "domain": "scheduling",
556
556
  "sourcePath": "src/server/routes.ts",
557
- "contentHash": "2241f1f32dee1b3c36243721735ac371ede4ed7c55a9ae56eddef926d78b52bc",
557
+ "contentHash": "edc5a575d5d1eaac6e996d382acd8c3e46bec6c62f5293f8e5c6fbf667eaf7ed",
558
558
  "since": "2025-01-01"
559
559
  },
560
560
  "route-group:telegram": {
@@ -562,7 +562,7 @@
562
562
  "type": "route-group",
563
563
  "domain": "communication",
564
564
  "sourcePath": "src/server/routes.ts",
565
- "contentHash": "2241f1f32dee1b3c36243721735ac371ede4ed7c55a9ae56eddef926d78b52bc",
565
+ "contentHash": "edc5a575d5d1eaac6e996d382acd8c3e46bec6c62f5293f8e5c6fbf667eaf7ed",
566
566
  "since": "2025-01-01"
567
567
  },
568
568
  "route-group:attention": {
@@ -570,7 +570,7 @@
570
570
  "type": "route-group",
571
571
  "domain": "communication",
572
572
  "sourcePath": "src/server/routes.ts",
573
- "contentHash": "2241f1f32dee1b3c36243721735ac371ede4ed7c55a9ae56eddef926d78b52bc",
573
+ "contentHash": "edc5a575d5d1eaac6e996d382acd8c3e46bec6c62f5293f8e5c6fbf667eaf7ed",
574
574
  "since": "2025-01-01"
575
575
  },
576
576
  "route-group:relationships": {
@@ -578,7 +578,7 @@
578
578
  "type": "route-group",
579
579
  "domain": "relationships",
580
580
  "sourcePath": "src/server/routes.ts",
581
- "contentHash": "2241f1f32dee1b3c36243721735ac371ede4ed7c55a9ae56eddef926d78b52bc",
581
+ "contentHash": "edc5a575d5d1eaac6e996d382acd8c3e46bec6c62f5293f8e5c6fbf667eaf7ed",
582
582
  "since": "2025-01-01"
583
583
  },
584
584
  "route-group:feedback": {
@@ -586,7 +586,7 @@
586
586
  "type": "route-group",
587
587
  "domain": "feedback",
588
588
  "sourcePath": "src/server/routes.ts",
589
- "contentHash": "2241f1f32dee1b3c36243721735ac371ede4ed7c55a9ae56eddef926d78b52bc",
589
+ "contentHash": "edc5a575d5d1eaac6e996d382acd8c3e46bec6c62f5293f8e5c6fbf667eaf7ed",
590
590
  "since": "2025-01-01"
591
591
  },
592
592
  "route-group:updates": {
@@ -594,7 +594,7 @@
594
594
  "type": "route-group",
595
595
  "domain": "updates",
596
596
  "sourcePath": "src/server/routes.ts",
597
- "contentHash": "2241f1f32dee1b3c36243721735ac371ede4ed7c55a9ae56eddef926d78b52bc",
597
+ "contentHash": "edc5a575d5d1eaac6e996d382acd8c3e46bec6c62f5293f8e5c6fbf667eaf7ed",
598
598
  "since": "2025-01-01"
599
599
  },
600
600
  "route-group:dispatches": {
@@ -602,7 +602,7 @@
602
602
  "type": "route-group",
603
603
  "domain": "dispatches",
604
604
  "sourcePath": "src/server/routes.ts",
605
- "contentHash": "2241f1f32dee1b3c36243721735ac371ede4ed7c55a9ae56eddef926d78b52bc",
605
+ "contentHash": "edc5a575d5d1eaac6e996d382acd8c3e46bec6c62f5293f8e5c6fbf667eaf7ed",
606
606
  "since": "2025-01-01"
607
607
  },
608
608
  "route-group:quota": {
@@ -610,7 +610,7 @@
610
610
  "type": "route-group",
611
611
  "domain": "monitoring",
612
612
  "sourcePath": "src/server/routes.ts",
613
- "contentHash": "2241f1f32dee1b3c36243721735ac371ede4ed7c55a9ae56eddef926d78b52bc",
613
+ "contentHash": "edc5a575d5d1eaac6e996d382acd8c3e46bec6c62f5293f8e5c6fbf667eaf7ed",
614
614
  "since": "2025-01-01"
615
615
  },
616
616
  "route-group:publishing": {
@@ -618,7 +618,7 @@
618
618
  "type": "route-group",
619
619
  "domain": "publishing",
620
620
  "sourcePath": "src/server/routes.ts",
621
- "contentHash": "2241f1f32dee1b3c36243721735ac371ede4ed7c55a9ae56eddef926d78b52bc",
621
+ "contentHash": "edc5a575d5d1eaac6e996d382acd8c3e46bec6c62f5293f8e5c6fbf667eaf7ed",
622
622
  "since": "2025-01-01"
623
623
  },
624
624
  "route-group:private-views": {
@@ -626,7 +626,7 @@
626
626
  "type": "route-group",
627
627
  "domain": "publishing",
628
628
  "sourcePath": "src/server/routes.ts",
629
- "contentHash": "2241f1f32dee1b3c36243721735ac371ede4ed7c55a9ae56eddef926d78b52bc",
629
+ "contentHash": "edc5a575d5d1eaac6e996d382acd8c3e46bec6c62f5293f8e5c6fbf667eaf7ed",
630
630
  "since": "2025-01-01"
631
631
  },
632
632
  "route-group:tunnel": {
@@ -634,7 +634,7 @@
634
634
  "type": "route-group",
635
635
  "domain": "networking",
636
636
  "sourcePath": "src/server/routes.ts",
637
- "contentHash": "2241f1f32dee1b3c36243721735ac371ede4ed7c55a9ae56eddef926d78b52bc",
637
+ "contentHash": "edc5a575d5d1eaac6e996d382acd8c3e46bec6c62f5293f8e5c6fbf667eaf7ed",
638
638
  "since": "2025-01-01"
639
639
  },
640
640
  "route-group:events": {
@@ -642,7 +642,7 @@
642
642
  "type": "route-group",
643
643
  "domain": "networking",
644
644
  "sourcePath": "src/server/routes.ts",
645
- "contentHash": "2241f1f32dee1b3c36243721735ac371ede4ed7c55a9ae56eddef926d78b52bc",
645
+ "contentHash": "edc5a575d5d1eaac6e996d382acd8c3e46bec6c62f5293f8e5c6fbf667eaf7ed",
646
646
  "since": "2025-01-01"
647
647
  },
648
648
  "route-group:evolution": {
@@ -650,7 +650,7 @@
650
650
  "type": "route-group",
651
651
  "domain": "evolution",
652
652
  "sourcePath": "src/server/routes.ts",
653
- "contentHash": "2241f1f32dee1b3c36243721735ac371ede4ed7c55a9ae56eddef926d78b52bc",
653
+ "contentHash": "edc5a575d5d1eaac6e996d382acd8c3e46bec6c62f5293f8e5c6fbf667eaf7ed",
654
654
  "since": "2025-01-01"
655
655
  },
656
656
  "route-group:watchdog": {
@@ -658,7 +658,7 @@
658
658
  "type": "route-group",
659
659
  "domain": "monitoring",
660
660
  "sourcePath": "src/server/routes.ts",
661
- "contentHash": "2241f1f32dee1b3c36243721735ac371ede4ed7c55a9ae56eddef926d78b52bc",
661
+ "contentHash": "edc5a575d5d1eaac6e996d382acd8c3e46bec6c62f5293f8e5c6fbf667eaf7ed",
662
662
  "since": "2025-01-01"
663
663
  },
664
664
  "route-group:topic-memory": {
@@ -666,7 +666,7 @@
666
666
  "type": "route-group",
667
667
  "domain": "memory",
668
668
  "sourcePath": "src/server/routes.ts",
669
- "contentHash": "2241f1f32dee1b3c36243721735ac371ede4ed7c55a9ae56eddef926d78b52bc",
669
+ "contentHash": "edc5a575d5d1eaac6e996d382acd8c3e46bec6c62f5293f8e5c6fbf667eaf7ed",
670
670
  "since": "2025-01-01"
671
671
  },
672
672
  "route-group:state-sync": {
@@ -674,7 +674,7 @@
674
674
  "type": "route-group",
675
675
  "domain": "coordination",
676
676
  "sourcePath": "src/server/routes.ts",
677
- "contentHash": "2241f1f32dee1b3c36243721735ac371ede4ed7c55a9ae56eddef926d78b52bc",
677
+ "contentHash": "edc5a575d5d1eaac6e996d382acd8c3e46bec6c62f5293f8e5c6fbf667eaf7ed",
678
678
  "since": "2025-01-01"
679
679
  },
680
680
  "route-group:intent": {
@@ -682,7 +682,7 @@
682
682
  "type": "route-group",
683
683
  "domain": "intent",
684
684
  "sourcePath": "src/server/routes.ts",
685
- "contentHash": "2241f1f32dee1b3c36243721735ac371ede4ed7c55a9ae56eddef926d78b52bc",
685
+ "contentHash": "edc5a575d5d1eaac6e996d382acd8c3e46bec6c62f5293f8e5c6fbf667eaf7ed",
686
686
  "since": "2025-01-01"
687
687
  },
688
688
  "route-group:triage": {
@@ -690,7 +690,7 @@
690
690
  "type": "route-group",
691
691
  "domain": "safety",
692
692
  "sourcePath": "src/server/routes.ts",
693
- "contentHash": "2241f1f32dee1b3c36243721735ac371ede4ed7c55a9ae56eddef926d78b52bc",
693
+ "contentHash": "edc5a575d5d1eaac6e996d382acd8c3e46bec6c62f5293f8e5c6fbf667eaf7ed",
694
694
  "since": "2025-01-01"
695
695
  },
696
696
  "route-group:operations": {
@@ -698,7 +698,7 @@
698
698
  "type": "route-group",
699
699
  "domain": "safety",
700
700
  "sourcePath": "src/server/routes.ts",
701
- "contentHash": "2241f1f32dee1b3c36243721735ac371ede4ed7c55a9ae56eddef926d78b52bc",
701
+ "contentHash": "edc5a575d5d1eaac6e996d382acd8c3e46bec6c62f5293f8e5c6fbf667eaf7ed",
702
702
  "since": "2025-01-01"
703
703
  },
704
704
  "route-group:sentinel": {
@@ -706,7 +706,7 @@
706
706
  "type": "route-group",
707
707
  "domain": "safety",
708
708
  "sourcePath": "src/server/routes.ts",
709
- "contentHash": "2241f1f32dee1b3c36243721735ac371ede4ed7c55a9ae56eddef926d78b52bc",
709
+ "contentHash": "edc5a575d5d1eaac6e996d382acd8c3e46bec6c62f5293f8e5c6fbf667eaf7ed",
710
710
  "since": "2025-01-01"
711
711
  },
712
712
  "route-group:trust": {
@@ -714,7 +714,7 @@
714
714
  "type": "route-group",
715
715
  "domain": "safety",
716
716
  "sourcePath": "src/server/routes.ts",
717
- "contentHash": "2241f1f32dee1b3c36243721735ac371ede4ed7c55a9ae56eddef926d78b52bc",
717
+ "contentHash": "edc5a575d5d1eaac6e996d382acd8c3e46bec6c62f5293f8e5c6fbf667eaf7ed",
718
718
  "since": "2025-01-01"
719
719
  },
720
720
  "route-group:monitoring": {
@@ -722,7 +722,7 @@
722
722
  "type": "route-group",
723
723
  "domain": "monitoring",
724
724
  "sourcePath": "src/server/routes.ts",
725
- "contentHash": "2241f1f32dee1b3c36243721735ac371ede4ed7c55a9ae56eddef926d78b52bc",
725
+ "contentHash": "edc5a575d5d1eaac6e996d382acd8c3e46bec6c62f5293f8e5c6fbf667eaf7ed",
726
726
  "since": "2025-01-01"
727
727
  },
728
728
  "route-group:commitments": {
@@ -730,7 +730,7 @@
730
730
  "type": "route-group",
731
731
  "domain": "commitments",
732
732
  "sourcePath": "src/server/routes.ts",
733
- "contentHash": "2241f1f32dee1b3c36243721735ac371ede4ed7c55a9ae56eddef926d78b52bc",
733
+ "contentHash": "edc5a575d5d1eaac6e996d382acd8c3e46bec6c62f5293f8e5c6fbf667eaf7ed",
734
734
  "since": "2025-01-01"
735
735
  },
736
736
  "route-group:episodes": {
@@ -738,7 +738,7 @@
738
738
  "type": "route-group",
739
739
  "domain": "memory",
740
740
  "sourcePath": "src/server/routes.ts",
741
- "contentHash": "2241f1f32dee1b3c36243721735ac371ede4ed7c55a9ae56eddef926d78b52bc",
741
+ "contentHash": "edc5a575d5d1eaac6e996d382acd8c3e46bec6c62f5293f8e5c6fbf667eaf7ed",
742
742
  "since": "2025-01-01"
743
743
  },
744
744
  "route-group:messages": {
@@ -746,7 +746,7 @@
746
746
  "type": "route-group",
747
747
  "domain": "coordination",
748
748
  "sourcePath": "src/server/routes.ts",
749
- "contentHash": "2241f1f32dee1b3c36243721735ac371ede4ed7c55a9ae56eddef926d78b52bc",
749
+ "contentHash": "edc5a575d5d1eaac6e996d382acd8c3e46bec6c62f5293f8e5c6fbf667eaf7ed",
750
750
  "since": "2025-01-01"
751
751
  },
752
752
  "route-group:system-reviews": {
@@ -754,7 +754,7 @@
754
754
  "type": "route-group",
755
755
  "domain": "monitoring",
756
756
  "sourcePath": "src/server/routes.ts",
757
- "contentHash": "2241f1f32dee1b3c36243721735ac371ede4ed7c55a9ae56eddef926d78b52bc",
757
+ "contentHash": "edc5a575d5d1eaac6e996d382acd8c3e46bec6c62f5293f8e5c6fbf667eaf7ed",
758
758
  "since": "2025-01-01"
759
759
  },
760
760
  "route-group:machine-mesh": {
@@ -770,7 +770,7 @@
770
770
  "type": "route-group",
771
771
  "domain": "security",
772
772
  "sourcePath": "src/server/routes.ts",
773
- "contentHash": "2241f1f32dee1b3c36243721735ac371ede4ed7c55a9ae56eddef926d78b52bc",
773
+ "contentHash": "edc5a575d5d1eaac6e996d382acd8c3e46bec6c62f5293f8e5c6fbf667eaf7ed",
774
774
  "since": "2025-01-01"
775
775
  },
776
776
  "cli:init": {
@@ -0,0 +1,57 @@
1
+ # Upgrade Guide — vNEXT
2
+
3
+ <!-- assembled-by: assemble-next-md -->
4
+ <!-- bump: patch -->
5
+
6
+ ## What Changed
7
+
8
+ Implements the **always-on scheduled identity audit** the live-credential-repointing design already
9
+ specified (§2.4 / §0.c) but never actually built — the missing piece that lets the account
10
+ "use-it-or-lose-it" optimizer actually act.
11
+
12
+ Background: the credential rebalancer can only move an account's work onto a slot whose identity was
13
+ **verified recently** (within `auditCadenceMs`, default 6h). But nothing re-verified after the initial
14
+ boot seed — `markVerified` had **zero callers** and the periodic balancer loop never re-checked — so
15
+ ~6h after seeding, every slot decayed to "not recently verified", the rebalancer found zero eligible
16
+ targets, and the optimizer went **permanently inert** (it decided nothing even with an idle account
17
+ whose quota was about to reset and go to waste).
18
+
19
+ - **`CredentialLocationLedger.auditIdentities()`** — a NON-DESTRUCTIVE periodic re-verification (wipes
20
+ nothing, unlike `seedFromOracle`): re-probes each tracked slot via the identity oracle and refreshes
21
+ ONLY its verification/quarantine state. A re-confirmed healthy slot is re-stamped fresh; a slot that
22
+ has since become resolvable EXITS quarantine; a slot whose credential now belongs to a different
23
+ account (a confirmed login divergence) is quarantined.
24
+ - **Safe direction (never re-creates the stall):** a transient oracle failure/timeout **HOLDS** a
25
+ healthy slot — it is never knocked offline on a momentary probe failure. It moves **zero**
26
+ credentials and never triggers a swap; it only refreshes the ledger state the rebalancer reads.
27
+ - **Wiring:** a boot one-shot (~90s after start, guarded against the in-flight boot seed) plus a
28
+ periodic pass at `auditCadenceMs/2` (capped 30 min), behind the pure `shouldRunIdentityAudit` gate
29
+ and the SAME dev-gate as the rebalancer. Surfaced read-only on `GET /credentials/rebalancer` as
30
+ `identityAudit` (last-pass counts).
31
+
32
+ Ships **dark on the fleet** (rides `subscriptionPool.credentialRepointing.enabled`; strict no-op / no
33
+ oracle probe when off) and runs **live in dry-run on a development agent** (refreshes verification,
34
+ moves zero credentials). Flag-off = byte-identical to today.
35
+
36
+ ## What to Tell Your User
37
+
38
+ - "The account load-balancer that drains a soon-to-reset account before its quota is wasted now stays
39
+ alive — previously it quietly stopped finding anything to do after a few hours and sat idle."
40
+ - "It changes nothing on a normal install (off by default) and still moves zero real logins on its own
41
+ — it just keeps the optimizer's view of your accounts fresh so it can act when you turn it loose."
42
+
43
+ ## Summary of New Capabilities
44
+
45
+ | Capability | How to Use |
46
+ |-----------|-----------|
47
+ | Scheduled credential identity audit (keeps the rebalancer's targets fresh) | Automatic when credential re-pointing is enabled; no action needed |
48
+ | Audit status | `GET /credentials/rebalancer` → `identityAudit` (last-pass refreshed/recovered/quarantined/unresolved counts) |
49
+
50
+ ## Evidence
51
+
52
+ - 16 new/extended tests across all three tiers + a pure wiring predicate (`auditIdentities` both sides
53
+ of every branch, `shouldRunIdentityAudit` all 5 combos, integration route surfacing a real pass,
54
+ e2e "feature alive") — all green; broader credential sweep 88 green; `tsc` clean.
55
+ - Spec implementation note: `docs/specs/live-credential-repointing-rebalancer.md` §2.4.1.
56
+ - Side-effects review with an independent Phase-5 second-pass concurrence:
57
+ `upgrades/side-effects/credential-identity-audit.md`.
@@ -0,0 +1,183 @@
1
+ # Side-Effects Review — Scheduled credential identity audit (B3c)
2
+
3
+ **Version / slug:** `credential-identity-audit`
4
+ **Date:** `2026-06-16`
5
+ **Author:** `Echo (instar-dev agent)`
6
+ **Second-pass reviewer:** `subagent (Phase 5 — credential subsystem is high-risk-adjacent)`
7
+
8
+ ## Summary of the change
9
+
10
+ Implements the "always-on scheduled identity audit" the live-credential-repointing spec already
11
+ specified (§2.4 / §0.c / §6) but never built. `CredentialLocationLedger.auditIdentities()` is a
12
+ NON-DESTRUCTIVE periodic re-verification: it re-probes each EXISTING tracked slot via the identity
13
+ oracle and refreshes ONLY that slot's verification/quarantine state (it wipes nothing — distinct from
14
+ `seedFromOracle`, which rebuilds). It is wired in `server.ts` as a boot one-shot (~90 s after start,
15
+ after the seed) plus a periodic interval (`auditCadenceMs/2`, capped 30 min, floored 1 min), gated by
16
+ the pure `shouldRunIdentityAudit(enabled, seeded, unknownMode, inFlight)` predicate and the SAME
17
+ dev-gate as the rebalancer. The last pass is surfaced read-only on `GET /credentials/rebalancer` as
18
+ `identityAudit`. Files: `src/core/CredentialLocationLedger.ts`, `src/commands/server.ts`,
19
+ `src/server/routes.ts`, `docs/specs/live-credential-repointing-rebalancer.md` (§2.4.1), + 4 test files.
20
+
21
+ **Why it matters:** the credential rebalancer's every objective (wall-rescue AND the use-it-or-lose-it
22
+ drain) only acts on a DESTINATION slot that passed `targetVerifiedRecent` = verified within
23
+ `auditCadenceMs` (default 6h). Nothing re-stamped `lastVerifiedAt` after the boot seed (`markVerified`
24
+ had zero callers; the periodic `rebalancer.tick()` never re-verified), so ~6h after seed every slot
25
+ decayed to "not recently verified" and the optimizer went permanently inert (`decisions: []`,
26
+ `noActuationReason: "… missing eligible target"`) even with an idle soon-resetting account begging to
27
+ be drained. This is the robustness fix that makes the existing optimizer able to act.
28
+
29
+ ## Decision-point inventory
30
+
31
+ - `CredentialLocationLedger.auditIdentities()` — **add** — per-slot: refresh verified-recent on a
32
+ re-confirmed healthy slot; recover (un-quarantine) a now-resolvable slot; quarantine a confirmed
33
+ divergence / unverifiable email; HOLD a healthy slot on a transient oracle failure.
34
+ - `shouldRunIdentityAudit(enabled, seeded, unknownMode, inFlight)` — **add** — pure gate deciding
35
+ whether a scheduled pass runs.
36
+ - `GET /credentials/rebalancer` response — **modify (pass-through, additive)** — adds a read-only
37
+ `identityAudit` field (last-pass counts; null until first pass). No behavior change to existing fields.
38
+
39
+ ---
40
+
41
+ ## 1. Over-block
42
+
43
+ No outbound/inbound message or dispatch block surface. The nearest "block-like" action is quarantining
44
+ a slot (excluding it from balancing). Over-quarantine risk: a healthy slot quarantined when it
45
+ shouldn't be. The safe direction explicitly prevents the dangerous over-block: a transient oracle
46
+ failure/throw → **HOLD** (the slot is left exactly as-is, never quarantined). A slot is only
47
+ quarantined on a CONFIRMED `email` (the oracle contract §2.11: `email` set === identity-confirmed, it
48
+ never guesses a mismatch) that belongs to a different account / no account / an ambiguous account — a
49
+ genuine login divergence, the same condition `seedFromOracle` already quarantines on.
50
+
51
+ ## 2. Under-block
52
+
53
+ The audit will NOT catch a divergence during the window between two passes (≤ `auditCadenceMs/2`,
54
+ ≤30 min) — a login that changes and changes back within one interval is missed, as is any divergence
55
+ in the seconds before a rebalancer pass reads the slot. This is acceptable: the §2.3.6 delayed
56
+ re-verify still covers in-flight-swap divergence, and the audit narrows (not closes) the long-tail
57
+ client-write-back window exactly as §6 already states. It also does not re-probe a pool `configHome`
58
+ that was never seeded into the ledger (a brand-new enrollment) — that is `seedFromOracle`'s job at boot;
59
+ the audit is scoped to existing tracked slots by design.
60
+
61
+ ## 3. Level-of-abstraction fit
62
+
63
+ Right layer. The audit lives ON the ledger (`CredentialLocationLedger`) — the single write funnel that
64
+ already owns the oracle, the pool view, and every verification/quarantine mutator (`markVerified`,
65
+ `quarantineSlot`, `unquarantineSlot`, `recordAssignment`). It REUSES those primitives rather than
66
+ re-implementing identity resolution, and mirrors `seedFromOracle`'s probe/classify logic on a
67
+ per-slot, non-destructive basis. The scheduling is a thin `setInterval` in `server.ts` (the same
68
+ pattern as the existing rebalancer tick), and the run/skip decision is extracted to a pure predicate
69
+ (`shouldRunIdentityAudit`) exactly like the existing `shouldBootSeedCredentialLedger`.
70
+
71
+ ## 4. Signal vs authority compliance
72
+
73
+ **Required reference:** [docs/signal-vs-authority.md](../../docs/signal-vs-authority.md)
74
+
75
+ - [x] No — this change produces a SIGNAL (refreshed ledger verification state) consumed by the
76
+ existing rebalancer; it has no outbound/dispatch block authority.
77
+
78
+ The audit moves ZERO credentials and NEVER triggers a swap — the executor (gated by dry-run) remains
79
+ the only write path for credential material. The one authority-shaped action, quarantining a slot, is
80
+ a DETECTIVE, reversible exclusion that follows the spec's already-converged quarantine-never-repair
81
+ rule, fires only on the oracle's non-brittle CONFIRMED-email contract, and is biased to the safe
82
+ direction (transient failure → HOLD, never quarantine). It adds no brittle blocking logic.
83
+
84
+ ## 5. Interactions
85
+
86
+ - **Shadowing:** none. The audit refreshes state the rebalancer reads on its NEXT tick; it runs on its
87
+ own timer (different cadence) and does not pre-empt or wrap the rebalancer tick.
88
+ - **Double-fire:** the periodic timer + the boot one-shot can never overlap — both go through the
89
+ single `credAuditInFlight` reentrancy guard (and the pure predicate gates on it). A slow oracle pass
90
+ cannot stack a successor.
91
+ - **Seed↔audit interleave (hardened after second-pass):** on a FRESH never-seeded agent the boot
92
+ `seedFromOracle()` is fire-and-forget at t=0 and the boot audit fires at t≈90 s; `isSeeded()` does
93
+ NOT protect this (seed bumps version at 'begin', flipping `isSeeded()` true mid-seed). Closed
94
+ structurally with a `credSeedInFlight` flag (set around the boot seed, cleared in its `.finally`)
95
+ that `runCredentialIdentityAudit` checks before running — so the audit cannot interleave with an
96
+ in-flight boot seed, rather than relying on the 90 s timing assumption.
97
+ - **Races:** the audit and the rebalancer both touch the ledger, but the ledger is a single-writer
98
+ in-process store (version-bumped, `save()` after each mutation); they run on the same Node event
99
+ loop (no true concurrency), and the audit only writes verification/quarantine fields the rebalancer
100
+ reads, never the cooldown/hysteresis state the rebalancer owns. The `seedFromOracle` boot path and
101
+ the audit are sequenced (the boot audit is delayed 90 s and the predicate skips while unseeded).
102
+ - **Feedback loops:** none. The audit's output (fresh verification) feeds the rebalancer, but the
103
+ rebalancer does not feed back into the oracle's identity answers.
104
+
105
+ ## 6. External surfaces
106
+
107
+ - **Identity oracle (Anthropic OAuth profile endpoint):** the audit issues per-slot oracle probes on
108
+ its cadence — the same probe `seedFromOracle` already makes, now also on a ≤30 min schedule. Bounded
109
+ (≤ slot count per pass; reentrancy-guarded; dark-fleet no-op so single-account/plain installs never
110
+ probe). No new external system, no new credential surface — the oracle dependency already exists.
111
+ - **`GET /credentials/rebalancer`:** adds a read-only `identityAudit` field (counts only — never any
112
+ token material; the route's existing scrub chokepoint is unchanged). Additive; existing fields
113
+ untouched.
114
+ - **Persistent state:** writes the SAME ledger file (`credential-locations.json`) the seed/swap paths
115
+ already write (verification timestamps + quarantine flags + journal entries). No new file, no schema
116
+ change to the assignment shape.
117
+ - **No operator-facing actions** added — the audit is autonomous background housekeeping; the only
118
+ surface is the read-only status field. Not applicable to Mobile-Complete.
119
+
120
+ ## 6b. Operator-surface quality
121
+
122
+ No operator surface — not applicable. This change touches no `dashboard/*` renderer, approval page, or
123
+ grant/revoke/secret form; the only surface is a read-only JSON field on an existing API route.
124
+
125
+ ## 7. Multi-machine posture (Cross-Machine Coherence)
126
+
127
+ **machine-local BY DESIGN.** A credential's login physically lives in a config-home on ONE machine's
128
+ disk/keychain; the `CredentialLocationLedger` is inherently per-machine (it maps THIS machine's slots
129
+ to accounts), as is the rebalancer it feeds. The identity audit re-verifies THIS machine's slots — it
130
+ must differ per machine because the credential blobs differ per machine. It emits NO user-facing
131
+ notices (one-voice gating not needed — background housekeeping, counts only in a status field), holds
132
+ no topic-bound durable state (so nothing strands on topic transfer), and generates no URLs. The
133
+ cross-machine credential story (sharing logins across machines) is the separate, in-flight
134
+ `cross-machine-account-sharing` workstream (instar-exo) and is explicitly out of this change's scope;
135
+ confirmed zero source-file overlap with that branch.
136
+
137
+ ## 8. Rollback cost
138
+
139
+ Pure code change — revert the commit, ship as the next patch. No data migration: the audit writes only
140
+ the existing ledger fields (`lastVerifiedAt`, `quarantined`, journal) that seed/swap already write, so
141
+ a rollback leaves the ledger in a valid state (just no longer auto-refreshed). No agent-state repair,
142
+ no user-visible regression during the rollback window (the feature is dev-gated and dark on the fleet;
143
+ on a dev agent a rollback simply returns to the prior inert-after-6h behavior). The new `identityAudit`
144
+ status field disappearing is inert (read-only, additive).
145
+
146
+ ## Conclusion
147
+
148
+ The review produced no design changes — the implementation already follows the safe-direction and
149
+ single-write-funnel patterns the converged spec established. The change closes a specified-but-unbuilt
150
+ gap (the scheduled identity audit) that was the root cause of the optimizer never acting; it adds a
151
+ signal-refresher with no brittle blocking authority, reuses existing ledger primitives, is
152
+ reentrancy-guarded and dark-gated, and is covered across all three test tiers plus a pure wiring
153
+ predicate. Clear to ship pending Phase 5 second-pass concurrence.
154
+
155
+ ## Second-pass review (if required)
156
+
157
+ **Reviewer:** subagent (credential-subsystem reviewer)
158
+ **Independent read of the artifact: CONCUR**
159
+
160
+ The reviewer independently traced the code and confirmed: the safe direction is correct (an
161
+ `unavailable`/throwing oracle lands `unavailable-held` via `continue`, never reaching `quarantineSlot`;
162
+ a confirmed-different email correctly `diverged-quarantined`; a recovered slot correctly
163
+ un-quarantines); signal-vs-authority compliant (zero credential moves; quarantine fires only on the
164
+ oracle's non-brittle CONFIRMED-`email` contract); iteration safety correct (slot names snapshotted
165
+ up-front, `existing` re-fetched per iteration, `continue` on mid-pass disappearance — no
166
+ mutate-while-iterating bug); no token leak (status routes through the scrub chokepoint; carries
167
+ non-secret email/accountId identifiers only); all three test tiers genuinely cover both sides of every
168
+ boundary (no hollow assertions). One LOW finding raised and RESOLVED in this artifact: the fresh-agent
169
+ seed↔audit interleave now has an explicit `credSeedInFlight` guard (see §5) rather than relying on the
170
+ 90 s timing assumption. Concur to ship.
171
+
172
+ ## Evidence pointers
173
+
174
+ - `tests/unit/credential-identity-audit.test.ts` — 10 tests, both sides of every branch (refresh,
175
+ recover, divergence-quarantine, transient-held, ambiguous/unknown quarantine, still-quarantined,
176
+ UNKNOWN-mode no-op, aggregate report).
177
+ - `tests/unit/credential-ledger-boot-seed-guard.test.ts` — `shouldRunIdentityAudit` predicate, all 5
178
+ boundary combinations.
179
+ - `tests/integration/credential-routes.test.ts` — route surfaces a real audit pass live (wiring
180
+ integrity + safe-direction end-to-end).
181
+ - `tests/e2e/credential-repointing-routes-alive.test.ts` — `identityAudit` alive on the
182
+ production-shaped bundle.
183
+ - Broader sweep: 88 green across the credential subsystem; `tsc --noEmit` clean.