instar 1.3.606 → 1.3.607

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (55) hide show
  1. package/dist/commands/server.d.ts.map +1 -1
  2. package/dist/commands/server.js +36 -1
  3. package/dist/commands/server.js.map +1 -1
  4. package/dist/config/ConfigDefaults.d.ts.map +1 -1
  5. package/dist/config/ConfigDefaults.js +16 -0
  6. package/dist/config/ConfigDefaults.js.map +1 -1
  7. package/dist/coordination/CrossMachineMandate.d.ts +53 -0
  8. package/dist/coordination/CrossMachineMandate.d.ts.map +1 -0
  9. package/dist/coordination/CrossMachineMandate.js +76 -0
  10. package/dist/coordination/CrossMachineMandate.js.map +1 -0
  11. package/dist/core/AccountCredentialShare.d.ts +115 -0
  12. package/dist/core/AccountCredentialShare.d.ts.map +1 -0
  13. package/dist/core/AccountCredentialShare.js +113 -0
  14. package/dist/core/AccountCredentialShare.js.map +1 -0
  15. package/dist/core/AccountFollowMeGrants.d.ts +92 -0
  16. package/dist/core/AccountFollowMeGrants.d.ts.map +1 -0
  17. package/dist/core/AccountFollowMeGrants.js +106 -0
  18. package/dist/core/AccountFollowMeGrants.js.map +1 -0
  19. package/dist/core/CoherenceJournal.d.ts +1 -1
  20. package/dist/core/CoherenceJournal.d.ts.map +1 -1
  21. package/dist/core/CoherenceJournal.js +12 -2
  22. package/dist/core/CoherenceJournal.js.map +1 -1
  23. package/dist/core/PairingEpochManager.d.ts +68 -0
  24. package/dist/core/PairingEpochManager.d.ts.map +1 -0
  25. package/dist/core/PairingEpochManager.js +88 -0
  26. package/dist/core/PairingEpochManager.js.map +1 -0
  27. package/dist/core/PostUpdateMigrator.d.ts.map +1 -1
  28. package/dist/core/PostUpdateMigrator.js +20 -0
  29. package/dist/core/PostUpdateMigrator.js.map +1 -1
  30. package/dist/core/SecretStore.d.ts +44 -0
  31. package/dist/core/SecretStore.d.ts.map +1 -1
  32. package/dist/core/SecretStore.js +126 -0
  33. package/dist/core/SecretStore.js.map +1 -1
  34. package/dist/core/SecretSync.d.ts.map +1 -1
  35. package/dist/core/SecretSync.js +6 -0
  36. package/dist/core/SecretSync.js.map +1 -1
  37. package/dist/core/SubscriptionAccountMetaReplicatedStore.d.ts +106 -0
  38. package/dist/core/SubscriptionAccountMetaReplicatedStore.d.ts.map +1 -0
  39. package/dist/core/SubscriptionAccountMetaReplicatedStore.js +263 -0
  40. package/dist/core/SubscriptionAccountMetaReplicatedStore.js.map +1 -0
  41. package/dist/core/SubscriptionPool.d.ts +23 -5
  42. package/dist/core/SubscriptionPool.d.ts.map +1 -1
  43. package/dist/core/SubscriptionPool.js +30 -6
  44. package/dist/core/SubscriptionPool.js.map +1 -1
  45. package/dist/core/devGatedFeatures.d.ts.map +1 -1
  46. package/dist/core/devGatedFeatures.js +6 -0
  47. package/dist/core/devGatedFeatures.js.map +1 -1
  48. package/dist/scaffold/templates.d.ts.map +1 -1
  49. package/dist/scaffold/templates.js +3 -0
  50. package/dist/scaffold/templates.js.map +1 -1
  51. package/package.json +1 -1
  52. package/src/data/builtin-manifest.json +19 -19
  53. package/src/scaffold/templates.ts +3 -0
  54. package/upgrades/1.3.607.md +25 -0
  55. package/upgrades/side-effects/ws52-account-follow-me-pr1.md +74 -0
@@ -1,8 +1,8 @@
1
1
  {
2
2
  "$schema": "./builtin-manifest.schema.json",
3
3
  "schemaVersion": 1,
4
- "generatedAt": "2026-06-17T08:42:50.389Z",
5
- "instarVersion": "1.3.606",
4
+ "generatedAt": "2026-06-17T09:04:32.557Z",
5
+ "instarVersion": "1.3.607",
6
6
  "entryCount": 201,
7
7
  "entries": {
8
8
  "hook:session-start": {
@@ -11,7 +11,7 @@
11
11
  "domain": "identity",
12
12
  "sourcePath": "src/core/PostUpdateMigrator.ts",
13
13
  "installedPath": ".instar/hooks/instar/session-start.sh",
14
- "contentHash": "261224b21c761aa30adcbb59bc00fe1d03deb55954bbb5e119815a070f024374",
14
+ "contentHash": "6ba8eb8270f39534f0bb43af9a9c73d89f768df0b5fea421e3673cb6791b5f7c",
15
15
  "since": "2025-01-01"
16
16
  },
17
17
  "hook:dangerous-command-guard": {
@@ -20,7 +20,7 @@
20
20
  "domain": "safety",
21
21
  "sourcePath": "src/core/PostUpdateMigrator.ts",
22
22
  "installedPath": ".instar/hooks/instar/dangerous-command-guard.sh",
23
- "contentHash": "261224b21c761aa30adcbb59bc00fe1d03deb55954bbb5e119815a070f024374",
23
+ "contentHash": "6ba8eb8270f39534f0bb43af9a9c73d89f768df0b5fea421e3673cb6791b5f7c",
24
24
  "since": "2025-01-01"
25
25
  },
26
26
  "hook:grounding-before-messaging": {
@@ -29,7 +29,7 @@
29
29
  "domain": "safety",
30
30
  "sourcePath": "src/core/PostUpdateMigrator.ts",
31
31
  "installedPath": ".instar/hooks/instar/grounding-before-messaging.sh",
32
- "contentHash": "261224b21c761aa30adcbb59bc00fe1d03deb55954bbb5e119815a070f024374",
32
+ "contentHash": "6ba8eb8270f39534f0bb43af9a9c73d89f768df0b5fea421e3673cb6791b5f7c",
33
33
  "since": "2025-01-01"
34
34
  },
35
35
  "hook:compaction-recovery": {
@@ -38,7 +38,7 @@
38
38
  "domain": "identity",
39
39
  "sourcePath": "src/core/PostUpdateMigrator.ts",
40
40
  "installedPath": ".instar/hooks/instar/compaction-recovery.sh",
41
- "contentHash": "261224b21c761aa30adcbb59bc00fe1d03deb55954bbb5e119815a070f024374",
41
+ "contentHash": "6ba8eb8270f39534f0bb43af9a9c73d89f768df0b5fea421e3673cb6791b5f7c",
42
42
  "since": "2025-01-01"
43
43
  },
44
44
  "hook:external-operation-gate": {
@@ -47,7 +47,7 @@
47
47
  "domain": "safety",
48
48
  "sourcePath": "src/core/PostUpdateMigrator.ts",
49
49
  "installedPath": ".instar/hooks/instar/external-operation-gate.js",
50
- "contentHash": "261224b21c761aa30adcbb59bc00fe1d03deb55954bbb5e119815a070f024374",
50
+ "contentHash": "6ba8eb8270f39534f0bb43af9a9c73d89f768df0b5fea421e3673cb6791b5f7c",
51
51
  "since": "2025-01-01"
52
52
  },
53
53
  "hook:deferral-detector": {
@@ -56,7 +56,7 @@
56
56
  "domain": "safety",
57
57
  "sourcePath": "src/core/PostUpdateMigrator.ts",
58
58
  "installedPath": ".instar/hooks/instar/deferral-detector.js",
59
- "contentHash": "261224b21c761aa30adcbb59bc00fe1d03deb55954bbb5e119815a070f024374",
59
+ "contentHash": "6ba8eb8270f39534f0bb43af9a9c73d89f768df0b5fea421e3673cb6791b5f7c",
60
60
  "since": "2025-01-01"
61
61
  },
62
62
  "hook:self-stop-guard": {
@@ -65,7 +65,7 @@
65
65
  "domain": "coherence",
66
66
  "sourcePath": "src/core/PostUpdateMigrator.ts",
67
67
  "installedPath": ".instar/hooks/instar/self-stop-guard.js",
68
- "contentHash": "261224b21c761aa30adcbb59bc00fe1d03deb55954bbb5e119815a070f024374",
68
+ "contentHash": "6ba8eb8270f39534f0bb43af9a9c73d89f768df0b5fea421e3673cb6791b5f7c",
69
69
  "since": "2025-01-01"
70
70
  },
71
71
  "hook:post-action-reflection": {
@@ -74,7 +74,7 @@
74
74
  "domain": "evolution",
75
75
  "sourcePath": "src/core/PostUpdateMigrator.ts",
76
76
  "installedPath": ".instar/hooks/instar/post-action-reflection.js",
77
- "contentHash": "261224b21c761aa30adcbb59bc00fe1d03deb55954bbb5e119815a070f024374",
77
+ "contentHash": "6ba8eb8270f39534f0bb43af9a9c73d89f768df0b5fea421e3673cb6791b5f7c",
78
78
  "since": "2025-01-01"
79
79
  },
80
80
  "hook:external-communication-guard": {
@@ -83,7 +83,7 @@
83
83
  "domain": "safety",
84
84
  "sourcePath": "src/core/PostUpdateMigrator.ts",
85
85
  "installedPath": ".instar/hooks/instar/external-communication-guard.js",
86
- "contentHash": "261224b21c761aa30adcbb59bc00fe1d03deb55954bbb5e119815a070f024374",
86
+ "contentHash": "6ba8eb8270f39534f0bb43af9a9c73d89f768df0b5fea421e3673cb6791b5f7c",
87
87
  "since": "2025-01-01"
88
88
  },
89
89
  "hook:scope-coherence-collector": {
@@ -92,7 +92,7 @@
92
92
  "domain": "coherence",
93
93
  "sourcePath": "src/core/PostUpdateMigrator.ts",
94
94
  "installedPath": ".instar/hooks/instar/scope-coherence-collector.js",
95
- "contentHash": "261224b21c761aa30adcbb59bc00fe1d03deb55954bbb5e119815a070f024374",
95
+ "contentHash": "6ba8eb8270f39534f0bb43af9a9c73d89f768df0b5fea421e3673cb6791b5f7c",
96
96
  "since": "2025-01-01"
97
97
  },
98
98
  "hook:scope-coherence-checkpoint": {
@@ -101,7 +101,7 @@
101
101
  "domain": "coherence",
102
102
  "sourcePath": "src/core/PostUpdateMigrator.ts",
103
103
  "installedPath": ".instar/hooks/instar/scope-coherence-checkpoint.js",
104
- "contentHash": "261224b21c761aa30adcbb59bc00fe1d03deb55954bbb5e119815a070f024374",
104
+ "contentHash": "6ba8eb8270f39534f0bb43af9a9c73d89f768df0b5fea421e3673cb6791b5f7c",
105
105
  "since": "2025-01-01"
106
106
  },
107
107
  "hook:free-text-guard": {
@@ -110,7 +110,7 @@
110
110
  "domain": "safety",
111
111
  "sourcePath": "src/core/PostUpdateMigrator.ts",
112
112
  "installedPath": ".instar/hooks/instar/free-text-guard.sh",
113
- "contentHash": "261224b21c761aa30adcbb59bc00fe1d03deb55954bbb5e119815a070f024374",
113
+ "contentHash": "6ba8eb8270f39534f0bb43af9a9c73d89f768df0b5fea421e3673cb6791b5f7c",
114
114
  "since": "2025-01-01"
115
115
  },
116
116
  "hook:claim-intercept": {
@@ -119,7 +119,7 @@
119
119
  "domain": "coherence",
120
120
  "sourcePath": "src/core/PostUpdateMigrator.ts",
121
121
  "installedPath": ".instar/hooks/instar/claim-intercept.js",
122
- "contentHash": "261224b21c761aa30adcbb59bc00fe1d03deb55954bbb5e119815a070f024374",
122
+ "contentHash": "6ba8eb8270f39534f0bb43af9a9c73d89f768df0b5fea421e3673cb6791b5f7c",
123
123
  "since": "2025-01-01"
124
124
  },
125
125
  "hook:claim-intercept-response": {
@@ -128,7 +128,7 @@
128
128
  "domain": "coherence",
129
129
  "sourcePath": "src/core/PostUpdateMigrator.ts",
130
130
  "installedPath": ".instar/hooks/instar/claim-intercept-response.js",
131
- "contentHash": "261224b21c761aa30adcbb59bc00fe1d03deb55954bbb5e119815a070f024374",
131
+ "contentHash": "6ba8eb8270f39534f0bb43af9a9c73d89f768df0b5fea421e3673cb6791b5f7c",
132
132
  "since": "2025-01-01"
133
133
  },
134
134
  "hook:stop-gate-router": {
@@ -137,7 +137,7 @@
137
137
  "domain": "safety",
138
138
  "sourcePath": "src/core/PostUpdateMigrator.ts",
139
139
  "installedPath": ".instar/hooks/instar/stop-gate-router.js",
140
- "contentHash": "261224b21c761aa30adcbb59bc00fe1d03deb55954bbb5e119815a070f024374",
140
+ "contentHash": "6ba8eb8270f39534f0bb43af9a9c73d89f768df0b5fea421e3673cb6791b5f7c",
141
141
  "since": "2025-01-01"
142
142
  },
143
143
  "hook:auto-approve-permissions": {
@@ -146,7 +146,7 @@
146
146
  "domain": "safety",
147
147
  "sourcePath": "src/core/PostUpdateMigrator.ts",
148
148
  "installedPath": ".instar/hooks/instar/auto-approve-permissions.js",
149
- "contentHash": "261224b21c761aa30adcbb59bc00fe1d03deb55954bbb5e119815a070f024374",
149
+ "contentHash": "6ba8eb8270f39534f0bb43af9a9c73d89f768df0b5fea421e3673cb6791b5f7c",
150
150
  "since": "2025-01-01"
151
151
  },
152
152
  "job:health-check": {
@@ -1554,7 +1554,7 @@
1554
1554
  "type": "subsystem",
1555
1555
  "domain": "updates",
1556
1556
  "sourcePath": "src/core/PostUpdateMigrator.ts",
1557
- "contentHash": "261224b21c761aa30adcbb59bc00fe1d03deb55954bbb5e119815a070f024374",
1557
+ "contentHash": "6ba8eb8270f39534f0bb43af9a9c73d89f768df0b5fea421e3673cb6791b5f7c",
1558
1558
  "since": "2025-01-01"
1559
1559
  },
1560
1560
  "subsystem:scheduler": {
@@ -550,6 +550,9 @@ Every guard (monitoring sentinels, reapers, the scheduler, …) is graded by wha
550
550
  - **Topic-operator binding is the THIRD PII store** (WS2.6): when enabled, the VERIFIED operator a topic was bound to on one machine is VISIBLE as advisory context on the others. THE LOAD-BEARING SAFETY RULE (Know Your Principal): a replicated topic-operator record is UNTRUSTED peer data — it is NEVER my authoritative answer to "who is my verified operator of this topic?". Only the LOCAL binding from an AUTHENTICATED sender (TopicOperatorStore.setOperator) is authoritative; a replicated record can NEVER establish or override an operator — it is rendered as quoted untrusted data that explicitly says so. Cross-machine identity is keyed on \`sha256(topicId + ":" + verified-uid)\`, NEVER a content-name. An unbind propagates a tombstone. Enable with \`multiMachine.stateSync.topicOperator\` (ships dark: \`enabled:false\`, \`dryRun:true\`). With user-registry + topic-operator, the WS2 memory family is COMPLETE (7 kinds; playbook deferred).
551
551
  - **When to use** (PROACTIVE — these are the triggers): the user asks "why do I have two versions of preference X?" → read open conflicts and present them for resolution. The user says "roll back machine Y's data / forget what the other machine learned" → un-merge that origin. The user asks "is my relationship/contact data shared across machines / is it encrypted on the other machine?" → explain the at-rest honesty above (transit encrypted; at-rest plaintext on each machine). The user asks "do my learnings/lessons follow me across machines?" → yes when \`stateSync.learnings\` is on (the same lesson collapses by content fingerprint, never duplicates). The user asks "do my ingested sources / knowledge base follow me across machines?" → yes when \`stateSync.knowledge\` is on (the same source collapses by content fingerprint; only the catalog metadata syncs, not the file body). The user asks "do my action items / commitments follow me across machines?" → yes when \`stateSync.evolutionActions\` is on (the same action collapses by content fingerprint; a peer sees its real status so it does not redo completed work). The user asks "do my registered users follow me across machines?" → yes when \`stateSync.userRegistry\` is on (keyed on the channel set; but identity resolution of an inbound sender stays local-authoritative). The user asks "do you know who my verified operator is on the other machine?" → a replicated topic-operator record is advisory context ONLY; my authoritative operator is always the locally auth-bound one. Spec: \`docs/specs/multi-machine-replicated-store-foundation.md\` §7, \`docs/specs/ws23-relationships-userregistry-security.md\`.
552
552
 
553
+ **Cross-Machine Account Follow-Me (WS5.2 — seamless account/quota sharing)** — When I run on more than one machine, "log in once, the account works everywhere" is delivered the ToS-SAFE way: each machine RE-MINTS its OWN login (operator approves once per machine; Mechanism B — default), and NO Claude OAuth token is ever copied between machines (Anthropic's ToS forbids relocating a Claude login). Only a redacted, credential-free METADATA projection of each account (id, nickname, email, provider, framework, status, quota) replicates so a peer KNOWS an account's depth/quota — the login LOCATION (configHome) and every credential field are STRIPPED and never cross the wire. A cross-machine credential SHARE (Mechanism A, sealed-transport) is fully designed but REFUSED for Anthropic by default (per-provider allowlist, default empty). Authorization is operator-mandate-gated (deny-by-default; a peer can NEVER enroll an account onto itself via the mesh), the cross-machine mandate carries an asymmetric Ed25519 issuance signature (the local HMAC proof is machine-local), de-pairing ROTATES the recipient key so old sealed credentials die, and per-account spend is lease-sliced (sum-of-leases bound). Ships DARK on the fleet, LIVE on a development agent (dogfooding); gate: \`multiMachine.accountFollowMe\`. Spec: \`docs/specs/ws52-account-follow-me-security.md\`.
554
+ - **When to use** (PROACTIVE): the user asks "do I have to log my account in on every machine?" / "share my account across machines" → explain the re-mint-per-machine model (one approval per machine, then that machine serves from the shared pool's quota; no token copied). "is my login copied to my other machines?" → NO — only non-credential account metadata replicates; each machine holds its own grant.
555
+
553
556
  **Relationships** — Track people I interact with.
554
557
  - List: \`curl -H "Authorization: Bearer $AUTH" http://localhost:${port}/relationships\`
555
558
 
@@ -0,0 +1,25 @@
1
+ # Upgrade Guide — vNEXT
2
+
3
+ <!-- assembled-by: assemble-next-md -->
4
+ <!-- bump: patch -->
5
+
6
+ ## What Changed
7
+
8
+ WS5.2 Account Follow-Me, PR1 — the shared security primitives for seamless cross-machine account/quota sharing, with **no live-credential code path** (the security spec's build-order requires the secure mechanism to exist and be proven before any credential-bearing wiring). Ships DARK on the fleet (live on a development agent for dogfooding) behind `multiMachine.accountFollowMe`.
9
+
10
+ Added: an AAD-bound, fail-closed credential-sealing crypto pair (`encryptAccountCredential`/`decryptAccountCredential`, domain-separated from secret-sync); the distinct `account-credential-share` mesh verb + an RBAC-gated handler (recipient-match → operator-mandate → single-use grant, all before decrypt); an asymmetric Ed25519 cross-machine mandate issuance signature (the existing HMAC proof is machine-local); de-pair X25519 key-rotation with a durable, rollback-resistant epoch anchor; single-use grants + a per-account sum-of-leases spend ceiling; and the `subscription-account-meta` replicated JournalKind — a redacted, credential-free projection (id/nickname/email/provider/framework/status/quota) that replicates so a peer knows an account's depth/quota WITHOUT holding its login (the login location and every credential field are stripped). R0: corrected the `SubscriptionPool.ts` header contradiction (default is re-mint-per-machine, not credential-blob transport).
11
+
12
+ ## What to Tell Your User
13
+
14
+ Nothing changes for you yet — this lays the secure foundation for "log in once, your account works on every machine," shipped off by default. When the follow-on pieces land, a new machine with no account will (with one approval tap from you) enroll its own login and serve from your shared quota — and no Claude login token is ever copied between machines (each machine mints its own, the ToS-safe way). If asked "do I have to log in on every machine?" the answer will be: the agent does it for you, one tap per machine.
15
+
16
+ ## Summary of New Capabilities
17
+
18
+ Cross-machine account follow-me security foundation (dark): AAD-bound credential sealing, an operator-mandate-gated credential-share mesh verb, asymmetric cross-machine mandate signatures, de-pair key-rotation revocation, per-account lease-sliced spend bounds, and a credential-free account-metadata replication kind. No user-facing surface is live in this release.
19
+
20
+ ## Evidence
21
+
22
+ - 61 new unit tests + the wiring-integrity test, all green; full replication regression suite green (147 tests together); `tsc --noEmit` clean.
23
+ - The wiring-integrity test caught a real bug pre-ship (a reserved-envelope-field collision that would have thrown at server-startup registration and disrupted machine-to-machine sync) — fixed.
24
+ - Side-effects review + mandatory independent second-pass security review (high-risk: credentials/gate/mesh) — reviewer concurred after independently re-running the tests + tsc and verifying no fail-open path, no credential-on-the-wire, and a genuinely-inert fleet default. Artifact: `upgrades/side-effects/ws52-account-follow-me-pr1.md`.
25
+ - Spec: `docs/specs/ws52-account-follow-me-security.md` (converged 2026-06-13, approved).
@@ -0,0 +1,74 @@
1
+ # Side-Effects Review — WS5.2 Account Follow-Me, PR1 (shared security primitives + metadata kind)
2
+
3
+ **Version / slug:** `ws52-account-follow-me-pr1`
4
+ **Date:** `2026-06-17`
5
+ **Author:** Echo (autonomous)
6
+ **Second-pass reviewer:** REQUIRED (high-risk: credentials, mesh verb + RBAC, a replication JournalKind) — verdict appended below.
7
+ **Spec:** `docs/specs/ws52-account-follow-me-security.md` (converged 2026-06-13, approved)
8
+
9
+ ## Summary of the change
10
+
11
+ PR1 of the WS5.2 build — the SHARED SECURITY PRIMITIVES, with **NO live-credential code path** (spec §9 build-order). It makes cross-machine account/quota sharing possible the ToS-safe way (re-mint per machine; no Claude OAuth token copied). Six primitives + the non-credential metadata kind:
12
+
13
+ Files added:
14
+ - `src/core/AccountCredentialShare.ts` — the distinct `account-credential-share` mesh verb + `AccountCredentialShareHandler` (RBAC gate BEFORE decrypt: recipient-match → mandate-verify → single-use-grant-consume → fail-closed AAD decrypt). Structurally separate from the permissive `secret-share`.
15
+ - `src/coordination/CrossMachineMandate.ts` — `signMandateIssuance`/`verifyMandateIssuance` (asymmetric Ed25519 issuance signature; the existing HMAC proof is machine-local).
16
+ - `src/core/PairingEpochManager.ts` — de-pair X25519 key-rotation + durable epoch anchor (`secretStoreKeyAnchor`, encrypted/keychain-backed, rollback-resistant).
17
+ - `src/core/AccountFollowMeGrants.ts` — single-use grant ledger + per-account sum-of-leases spend ceiling + failover re-derivation + epoch fencing.
18
+ - `src/core/SubscriptionAccountMetaReplicatedStore.ts` — the `subscription-account-meta` JournalKind schema (strict §6.1a whitelist + clamps), allowlist projection (`projectAccountToMeta` strips configHome + credentials), envelope builders, emit-seam interface, registration const.
19
+ - Unit tests: `account-credential-crypto`, `account-credential-share`, `cross-machine-mandate`, `pairing-epoch-manager`, `account-followme-grants`, `subscription-account-meta-store`, `ws52-account-follow-me-wiring` (61 new tests).
20
+
21
+ Files modified:
22
+ - `src/core/SecretStore.ts` — NEW `encryptAccountCredential`/`decryptAccountCredential` (AAD-bound, distinct HKDF info, fail-closed). Existing `encryptForSync`/`decryptFromSync` untouched.
23
+ - `src/core/SecretSync.ts` — `SecretShareHandler.handle` now refuses a non-`secret-share` command (credential-class data must use the distinct verb).
24
+ - `src/core/SubscriptionPool.ts` — R0 header correction + the meta emit seam (`setMetaReplicationEmitter` + emitPut on add/update + emitDelete on remove).
25
+ - `src/core/CoherenceJournal.ts` — `subscription-account-meta` added to JournalKind union, JOURNAL_KINDS, DEFAULT_RETENTION + the per-kind `Record<JournalKind>` literals.
26
+ - `src/commands/server.ts` — registers the kind; injects the accountFollowMe-gated store-flag; wires the emit adapter at SubscriptionPool construction.
27
+ - `src/config/ConfigDefaults.ts` + `src/core/devGatedFeatures.ts` — `multiMachine.accountFollowMe` dev-gated (live-on-dev, dark-on-fleet); `credentialTransport` default empty; `maxFollowMachines` 5.
28
+ - `src/scaffold/templates.ts` + `src/core/PostUpdateMigrator.ts` — awareness section (Agent Awareness + Migration Parity).
29
+
30
+ ## The eight side-effect questions
31
+
32
+ 1. **Over-block — what legitimate inputs does this reject that it shouldn't?**
33
+ The `subscription-account-meta` schema rejects ANY non-whitelisted key (incl. a future `SubscriptionAccount` field). That's deliberate (allowlist), but it means a NEW account field won't replicate until added to both the source-of-truth and this whitelist — a documented, bounded maintenance cost (mirrors every other `*-record` kind). The `SecretShareHandler` now throws on a non-`secret-share` command; the only caller is the legacy secret-sync path which only ever sends `secret-share`, so no legitimate caller is blocked.
34
+
35
+ 2. **Under-block — what failure modes does this still miss?**
36
+ PR1 ships no live-credential path, so Mechanism A's at-rest plaintext residual (the framework's own config-home token, gap 6) is NOT yet addressed — it is explicitly a later-PR concern (active wipe + TTL + provider rotation). The grant ledger's `now()` is injectable but a wall-clock-only TTL can't defend a machine with a tampered clock (accepted; the AAD epoch + single-use grant are the primary defenses, not the TTL).
37
+
38
+ 3. **Level-of-abstraction fit.**
39
+ Correct layers: crypto in `SecretStore` (where the sync crypto lives), the mesh verb + handler as a standalone module (parallel to `SecretSync`, not folded into it — the spec's structural-separation mandate), the JournalKind as a `ReplicatedKindRegistry` store (matching the 8 existing kinds), the emit seam on `SubscriptionPool` (the registry owner). No logic placed above/below where it belongs.
40
+
41
+ 4. **Signal vs authority compliance.**
42
+ The RBAC gate in `AccountCredentialShareHandler` is an AUTHORITY (it gates a credential write), but it is NOT brittle: it delegates the actual authorization to injected seams (`verifyMandate` = the operator-mandate gate; `consumeGrant` = the single-use ledger), and FAILS CLOSED on every uncertainty. It never fabricates an allow. The cross-machine mandate verification is deny-by-default. No brittle check holds blocking authority.
43
+
44
+ 5. **Interactions.**
45
+ Adding a JournalKind cascades to every `Record<JournalKind>` map — all updated (caught by tsc + the existing CoherenceJournal getOwnAdvert test, which was updated). The emit gate reuses the existing `_stateSyncStoresResolved` map (injected entry) so it shares the generic emitter's dark-by-default discipline. The new verb is structurally disjoint from `secret-share` (no shared handler/decryptor). No double-fire: emit fires once per mutation after `save()`.
46
+
47
+ 6. **External surfaces.**
48
+ No new HTTP route. No new outbound egress in PR1 (the emit path is dark on the fleet; live only on a dev agent, and even then only emits the non-credential metadata projection). The metadata projection includes `email` (operator/provider PII, "never a secret") which lands at-rest in same-operator peers' plaintext journal replicas — disclosed in the spec §6.1 and the code comment. configHome + every credential field are stripped by allowlist construction.
49
+
50
+ 7. **Multi-machine posture (Cross-Machine Coherence).**
51
+ This feature IS the multi-machine work. Posture: **replicated** (the `subscription-account-meta` kind over the WS2 journal). The credential itself is **machine-local BY DESIGN** (re-mint per machine; never replicated). Authorization is **operator-rooted, not peer-quorum** — holds at pool size 1/2/N. Single-machine agents are a strict no-op (no peers; the emit gate + dark default). Cross-machine mandate auth uses the asymmetric Ed25519 path (works over the relay where the local HMAC cannot).
52
+
53
+ 8. **Rollback cost.**
54
+ Low. Everything is dark on the fleet (gate `multiMachine.accountFollowMe`, default off via the dev-gate). The JournalKind addition is additive + forward-compat (an old peer that doesn't know the kind drops it; the receive validator is present so a known peer never suspect-flags). Back-out = revert the PR; no data migration (no live credential ever written), no agent-state repair. The R0 header change is documentation-only.
55
+
56
+ ## What's NOT in PR1 (tracked, not deferred-orphan)
57
+
58
+ Per spec §9, PR1 is the primitives + the metadata kind ONLY. The following are the spec's own subsequent build-round items, tracked in the WS5.2 spec + the autonomous task list (topic 13481):
59
+ - Mechanism B enroll-drive (re-mint per machine, operator-mandate-gated) — the live account path.
60
+ - The router `locallyExecutable` gate + revocation (R12) + the offline-wipe escalation.
61
+ - The `?scope=pool` offline-fallback read that surfaces the durable replicated meta when a peer is offline (the live `?scope=pool` HTTP fan-out already serves online peers; the meta is correctly received + stored now).
62
+ - The live-channel proof (a real operator message answered FROM the Mini using an account the Mini enrolled itself).
63
+
64
+ ## Second-pass review
65
+
66
+ **Verdict: Concur with the review.** (Independent reviewer subagent, 2026-06-17.)
67
+
68
+ The reviewer independently read all eight files, ran the seven WS5.2 test files (63/63 pass) and `tsc --noEmit` (clean), and verified the four security focus areas:
69
+ - **(a) No credential decrypt/store without mandate + consumed grant** — the RBAC gate runs strictly before any crypto (type → expiry → recipient-match → verifyMandate deny-by-default → consumeGrant single-use → fail-closed decrypt); every denial returns `{accepted:false}`, never fail-open. The crypto pair is genuinely domain-separated (distinct HKDF info; AAD bound via setAAD with a timing-safe pre-compare; throws on absent/mismatched AAD); a secret-sync blob cannot decrypt as a credential or vice-versa; `SecretShareHandler` refuses credential-class commands; the cross-machine mandate uses an asymmetric Ed25519 signature binding the issuer fingerprint.
70
+ - **(b) configHome / OAuth token cannot cross via the metadata kind** — `projectAccountToMeta` is a strict build-by-copy 7-key allowlist; the receive validator independently rejects non-whitelisted keys (exempting only RESERVED_ENVELOPE_FIELDS). Enforced both ends.
71
+ - **(c) Dark/fleet default genuinely inert** — `resolveDevAgentGate(undefined, fleetConfig)` is false ⇒ no store-flag entry, emitter not constructed, registration inert, `storeCredential` unwired in PR1.
72
+ - **(d) No fail-open bugs** — every security check defaults to deny/throw-into-deny.
73
+
74
+ Two non-blocking observations (both safe-direction, acceptable for the PR1 primitive layer): a forged-AAD payload that ALREADY passed the mandate gate burns its single-use grant on the fail-closed decrypt (a self-limited DoS that requires first passing the operator-mandate gate); and `rotateOnDepair` is load-then-save without an explicit lock (serial single-machine de-pair). Both are noted for the live-path PRs; neither blocks PR1.