instar 1.3.608 → 1.3.610
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/commands/server.js +2 -1
- package/dist/commands/server.js.map +1 -1
- package/dist/coordination/AccountFollowMeMandateBridge.d.ts +56 -0
- package/dist/coordination/AccountFollowMeMandateBridge.d.ts.map +1 -0
- package/dist/coordination/AccountFollowMeMandateBridge.js +56 -0
- package/dist/coordination/AccountFollowMeMandateBridge.js.map +1 -0
- package/dist/core/AccountFollowMeDetector.d.ts +53 -0
- package/dist/core/AccountFollowMeDetector.d.ts.map +1 -0
- package/dist/core/AccountFollowMeDetector.js +56 -0
- package/dist/core/AccountFollowMeDetector.js.map +1 -0
- package/dist/core/AccountFollowMeEmailGate.d.ts +51 -0
- package/dist/core/AccountFollowMeEmailGate.d.ts.map +1 -0
- package/dist/core/AccountFollowMeEmailGate.js +50 -0
- package/dist/core/AccountFollowMeEmailGate.js.map +1 -0
- package/dist/core/AccountFollowMeOrchestrator.d.ts +98 -0
- package/dist/core/AccountFollowMeOrchestrator.d.ts.map +1 -0
- package/dist/core/AccountFollowMeOrchestrator.js +76 -0
- package/dist/core/AccountFollowMeOrchestrator.js.map +1 -0
- package/dist/core/AccountFollowMeService.d.ts +84 -0
- package/dist/core/AccountFollowMeService.d.ts.map +1 -0
- package/dist/core/AccountFollowMeService.js +105 -0
- package/dist/core/AccountFollowMeService.js.map +1 -0
- package/dist/core/QuotaAwareScheduler.d.ts +4 -2
- package/dist/core/QuotaAwareScheduler.d.ts.map +1 -1
- package/dist/core/QuotaAwareScheduler.js +7 -8
- package/dist/core/QuotaAwareScheduler.js.map +1 -1
- package/dist/core/SubscriptionPool.d.ts +20 -0
- package/dist/core/SubscriptionPool.d.ts.map +1 -1
- package/dist/core/SubscriptionPool.js +26 -0
- package/dist/core/SubscriptionPool.js.map +1 -1
- package/dist/core/accountFollowMeDepth.d.ts +40 -0
- package/dist/core/accountFollowMeDepth.d.ts.map +1 -0
- package/dist/core/accountFollowMeDepth.js +47 -0
- package/dist/core/accountFollowMeDepth.js.map +1 -0
- package/dist/core/fetchPeerSubscriptionViews.d.ts +46 -0
- package/dist/core/fetchPeerSubscriptionViews.d.ts.map +1 -0
- package/dist/core/fetchPeerSubscriptionViews.js +70 -0
- package/dist/core/fetchPeerSubscriptionViews.js.map +1 -0
- package/dist/monitoring/guardManifest.d.ts.map +1 -1
- package/dist/monitoring/guardManifest.js +1 -0
- package/dist/monitoring/guardManifest.js.map +1 -1
- package/dist/server/AgentServer.d.ts +1 -0
- package/dist/server/AgentServer.d.ts.map +1 -1
- package/dist/server/AgentServer.js +1 -0
- package/dist/server/AgentServer.js.map +1 -1
- package/dist/server/routes.d.ts +3 -0
- package/dist/server/routes.d.ts.map +1 -1
- package/dist/server/routes.js +49 -0
- package/dist/server/routes.js.map +1 -1
- package/package.json +1 -1
- package/src/data/builtin-manifest.json +47 -47
- package/upgrades/1.3.609.md +24 -0
- package/upgrades/1.3.610.md +24 -0
- package/upgrades/side-effects/ws52-account-follow-me-locally-executable.md +69 -0
- package/upgrades/side-effects/ws52-account-follow-me-pr2.md +59 -0
package/package.json
CHANGED
|
@@ -1,8 +1,8 @@
|
|
|
1
1
|
{
|
|
2
2
|
"$schema": "./builtin-manifest.schema.json",
|
|
3
3
|
"schemaVersion": 1,
|
|
4
|
-
"generatedAt": "2026-06-
|
|
5
|
-
"instarVersion": "1.3.
|
|
4
|
+
"generatedAt": "2026-06-17T11:44:29.710Z",
|
|
5
|
+
"instarVersion": "1.3.610",
|
|
6
6
|
"entryCount": 201,
|
|
7
7
|
"entries": {
|
|
8
8
|
"hook:session-start": {
|
|
@@ -418,7 +418,7 @@
|
|
|
418
418
|
"type": "route-group",
|
|
419
419
|
"domain": "monitoring",
|
|
420
420
|
"sourcePath": "src/server/routes.ts",
|
|
421
|
-
"contentHash": "
|
|
421
|
+
"contentHash": "be17078af854f08cbba01afe1d5dd3be118be68f1db475e78743221279ea044b",
|
|
422
422
|
"since": "2025-01-01"
|
|
423
423
|
},
|
|
424
424
|
"route-group:agents": {
|
|
@@ -426,7 +426,7 @@
|
|
|
426
426
|
"type": "route-group",
|
|
427
427
|
"domain": "sessions",
|
|
428
428
|
"sourcePath": "src/server/routes.ts",
|
|
429
|
-
"contentHash": "
|
|
429
|
+
"contentHash": "be17078af854f08cbba01afe1d5dd3be118be68f1db475e78743221279ea044b",
|
|
430
430
|
"since": "2025-01-01"
|
|
431
431
|
},
|
|
432
432
|
"route-group:backups": {
|
|
@@ -434,7 +434,7 @@
|
|
|
434
434
|
"type": "route-group",
|
|
435
435
|
"domain": "operations",
|
|
436
436
|
"sourcePath": "src/server/routes.ts",
|
|
437
|
-
"contentHash": "
|
|
437
|
+
"contentHash": "be17078af854f08cbba01afe1d5dd3be118be68f1db475e78743221279ea044b",
|
|
438
438
|
"since": "2025-01-01"
|
|
439
439
|
},
|
|
440
440
|
"route-group:git": {
|
|
@@ -442,7 +442,7 @@
|
|
|
442
442
|
"type": "route-group",
|
|
443
443
|
"domain": "coordination",
|
|
444
444
|
"sourcePath": "src/server/routes.ts",
|
|
445
|
-
"contentHash": "
|
|
445
|
+
"contentHash": "be17078af854f08cbba01afe1d5dd3be118be68f1db475e78743221279ea044b",
|
|
446
446
|
"since": "2025-01-01"
|
|
447
447
|
},
|
|
448
448
|
"route-group:memory": {
|
|
@@ -450,7 +450,7 @@
|
|
|
450
450
|
"type": "route-group",
|
|
451
451
|
"domain": "memory",
|
|
452
452
|
"sourcePath": "src/server/routes.ts",
|
|
453
|
-
"contentHash": "
|
|
453
|
+
"contentHash": "be17078af854f08cbba01afe1d5dd3be118be68f1db475e78743221279ea044b",
|
|
454
454
|
"since": "2025-01-01"
|
|
455
455
|
},
|
|
456
456
|
"route-group:semantic": {
|
|
@@ -458,7 +458,7 @@
|
|
|
458
458
|
"type": "route-group",
|
|
459
459
|
"domain": "memory",
|
|
460
460
|
"sourcePath": "src/server/routes.ts",
|
|
461
|
-
"contentHash": "
|
|
461
|
+
"contentHash": "be17078af854f08cbba01afe1d5dd3be118be68f1db475e78743221279ea044b",
|
|
462
462
|
"since": "2025-01-01"
|
|
463
463
|
},
|
|
464
464
|
"route-group:status": {
|
|
@@ -466,7 +466,7 @@
|
|
|
466
466
|
"type": "route-group",
|
|
467
467
|
"domain": "monitoring",
|
|
468
468
|
"sourcePath": "src/server/routes.ts",
|
|
469
|
-
"contentHash": "
|
|
469
|
+
"contentHash": "be17078af854f08cbba01afe1d5dd3be118be68f1db475e78743221279ea044b",
|
|
470
470
|
"since": "2025-01-01"
|
|
471
471
|
},
|
|
472
472
|
"route-group:capabilities": {
|
|
@@ -474,7 +474,7 @@
|
|
|
474
474
|
"type": "route-group",
|
|
475
475
|
"domain": "mapping",
|
|
476
476
|
"sourcePath": "src/server/routes.ts",
|
|
477
|
-
"contentHash": "
|
|
477
|
+
"contentHash": "be17078af854f08cbba01afe1d5dd3be118be68f1db475e78743221279ea044b",
|
|
478
478
|
"since": "2025-01-01"
|
|
479
479
|
},
|
|
480
480
|
"route-group:project-map": {
|
|
@@ -482,7 +482,7 @@
|
|
|
482
482
|
"type": "route-group",
|
|
483
483
|
"domain": "mapping",
|
|
484
484
|
"sourcePath": "src/server/routes.ts",
|
|
485
|
-
"contentHash": "
|
|
485
|
+
"contentHash": "be17078af854f08cbba01afe1d5dd3be118be68f1db475e78743221279ea044b",
|
|
486
486
|
"since": "2025-01-01"
|
|
487
487
|
},
|
|
488
488
|
"route-group:coherence": {
|
|
@@ -490,7 +490,7 @@
|
|
|
490
490
|
"type": "route-group",
|
|
491
491
|
"domain": "coherence",
|
|
492
492
|
"sourcePath": "src/server/routes.ts",
|
|
493
|
-
"contentHash": "
|
|
493
|
+
"contentHash": "be17078af854f08cbba01afe1d5dd3be118be68f1db475e78743221279ea044b",
|
|
494
494
|
"since": "2025-01-01"
|
|
495
495
|
},
|
|
496
496
|
"route-group:topic-bindings": {
|
|
@@ -498,7 +498,7 @@
|
|
|
498
498
|
"type": "route-group",
|
|
499
499
|
"domain": "sessions",
|
|
500
500
|
"sourcePath": "src/server/routes.ts",
|
|
501
|
-
"contentHash": "
|
|
501
|
+
"contentHash": "be17078af854f08cbba01afe1d5dd3be118be68f1db475e78743221279ea044b",
|
|
502
502
|
"since": "2025-01-01"
|
|
503
503
|
},
|
|
504
504
|
"route-group:context": {
|
|
@@ -506,7 +506,7 @@
|
|
|
506
506
|
"type": "route-group",
|
|
507
507
|
"domain": "context",
|
|
508
508
|
"sourcePath": "src/server/routes.ts",
|
|
509
|
-
"contentHash": "
|
|
509
|
+
"contentHash": "be17078af854f08cbba01afe1d5dd3be118be68f1db475e78743221279ea044b",
|
|
510
510
|
"since": "2025-01-01"
|
|
511
511
|
},
|
|
512
512
|
"route-group:scope-coherence": {
|
|
@@ -514,7 +514,7 @@
|
|
|
514
514
|
"type": "route-group",
|
|
515
515
|
"domain": "coherence",
|
|
516
516
|
"sourcePath": "src/server/routes.ts",
|
|
517
|
-
"contentHash": "
|
|
517
|
+
"contentHash": "be17078af854f08cbba01afe1d5dd3be118be68f1db475e78743221279ea044b",
|
|
518
518
|
"since": "2025-01-01"
|
|
519
519
|
},
|
|
520
520
|
"route-group:canonical-state": {
|
|
@@ -522,7 +522,7 @@
|
|
|
522
522
|
"type": "route-group",
|
|
523
523
|
"domain": "state",
|
|
524
524
|
"sourcePath": "src/server/routes.ts",
|
|
525
|
-
"contentHash": "
|
|
525
|
+
"contentHash": "be17078af854f08cbba01afe1d5dd3be118be68f1db475e78743221279ea044b",
|
|
526
526
|
"since": "2025-01-01"
|
|
527
527
|
},
|
|
528
528
|
"route-group:ci": {
|
|
@@ -530,7 +530,7 @@
|
|
|
530
530
|
"type": "route-group",
|
|
531
531
|
"domain": "monitoring",
|
|
532
532
|
"sourcePath": "src/server/routes.ts",
|
|
533
|
-
"contentHash": "
|
|
533
|
+
"contentHash": "be17078af854f08cbba01afe1d5dd3be118be68f1db475e78743221279ea044b",
|
|
534
534
|
"since": "2025-01-01"
|
|
535
535
|
},
|
|
536
536
|
"route-group:sessions": {
|
|
@@ -538,7 +538,7 @@
|
|
|
538
538
|
"type": "route-group",
|
|
539
539
|
"domain": "sessions",
|
|
540
540
|
"sourcePath": "src/server/routes.ts",
|
|
541
|
-
"contentHash": "
|
|
541
|
+
"contentHash": "be17078af854f08cbba01afe1d5dd3be118be68f1db475e78743221279ea044b",
|
|
542
542
|
"since": "2025-01-01"
|
|
543
543
|
},
|
|
544
544
|
"route-group:jobs": {
|
|
@@ -546,7 +546,7 @@
|
|
|
546
546
|
"type": "route-group",
|
|
547
547
|
"domain": "scheduling",
|
|
548
548
|
"sourcePath": "src/server/routes.ts",
|
|
549
|
-
"contentHash": "
|
|
549
|
+
"contentHash": "be17078af854f08cbba01afe1d5dd3be118be68f1db475e78743221279ea044b",
|
|
550
550
|
"since": "2025-01-01"
|
|
551
551
|
},
|
|
552
552
|
"route-group:skip-ledger": {
|
|
@@ -554,7 +554,7 @@
|
|
|
554
554
|
"type": "route-group",
|
|
555
555
|
"domain": "scheduling",
|
|
556
556
|
"sourcePath": "src/server/routes.ts",
|
|
557
|
-
"contentHash": "
|
|
557
|
+
"contentHash": "be17078af854f08cbba01afe1d5dd3be118be68f1db475e78743221279ea044b",
|
|
558
558
|
"since": "2025-01-01"
|
|
559
559
|
},
|
|
560
560
|
"route-group:telegram": {
|
|
@@ -562,7 +562,7 @@
|
|
|
562
562
|
"type": "route-group",
|
|
563
563
|
"domain": "communication",
|
|
564
564
|
"sourcePath": "src/server/routes.ts",
|
|
565
|
-
"contentHash": "
|
|
565
|
+
"contentHash": "be17078af854f08cbba01afe1d5dd3be118be68f1db475e78743221279ea044b",
|
|
566
566
|
"since": "2025-01-01"
|
|
567
567
|
},
|
|
568
568
|
"route-group:attention": {
|
|
@@ -570,7 +570,7 @@
|
|
|
570
570
|
"type": "route-group",
|
|
571
571
|
"domain": "communication",
|
|
572
572
|
"sourcePath": "src/server/routes.ts",
|
|
573
|
-
"contentHash": "
|
|
573
|
+
"contentHash": "be17078af854f08cbba01afe1d5dd3be118be68f1db475e78743221279ea044b",
|
|
574
574
|
"since": "2025-01-01"
|
|
575
575
|
},
|
|
576
576
|
"route-group:relationships": {
|
|
@@ -578,7 +578,7 @@
|
|
|
578
578
|
"type": "route-group",
|
|
579
579
|
"domain": "relationships",
|
|
580
580
|
"sourcePath": "src/server/routes.ts",
|
|
581
|
-
"contentHash": "
|
|
581
|
+
"contentHash": "be17078af854f08cbba01afe1d5dd3be118be68f1db475e78743221279ea044b",
|
|
582
582
|
"since": "2025-01-01"
|
|
583
583
|
},
|
|
584
584
|
"route-group:feedback": {
|
|
@@ -586,7 +586,7 @@
|
|
|
586
586
|
"type": "route-group",
|
|
587
587
|
"domain": "feedback",
|
|
588
588
|
"sourcePath": "src/server/routes.ts",
|
|
589
|
-
"contentHash": "
|
|
589
|
+
"contentHash": "be17078af854f08cbba01afe1d5dd3be118be68f1db475e78743221279ea044b",
|
|
590
590
|
"since": "2025-01-01"
|
|
591
591
|
},
|
|
592
592
|
"route-group:updates": {
|
|
@@ -594,7 +594,7 @@
|
|
|
594
594
|
"type": "route-group",
|
|
595
595
|
"domain": "updates",
|
|
596
596
|
"sourcePath": "src/server/routes.ts",
|
|
597
|
-
"contentHash": "
|
|
597
|
+
"contentHash": "be17078af854f08cbba01afe1d5dd3be118be68f1db475e78743221279ea044b",
|
|
598
598
|
"since": "2025-01-01"
|
|
599
599
|
},
|
|
600
600
|
"route-group:dispatches": {
|
|
@@ -602,7 +602,7 @@
|
|
|
602
602
|
"type": "route-group",
|
|
603
603
|
"domain": "dispatches",
|
|
604
604
|
"sourcePath": "src/server/routes.ts",
|
|
605
|
-
"contentHash": "
|
|
605
|
+
"contentHash": "be17078af854f08cbba01afe1d5dd3be118be68f1db475e78743221279ea044b",
|
|
606
606
|
"since": "2025-01-01"
|
|
607
607
|
},
|
|
608
608
|
"route-group:quota": {
|
|
@@ -610,7 +610,7 @@
|
|
|
610
610
|
"type": "route-group",
|
|
611
611
|
"domain": "monitoring",
|
|
612
612
|
"sourcePath": "src/server/routes.ts",
|
|
613
|
-
"contentHash": "
|
|
613
|
+
"contentHash": "be17078af854f08cbba01afe1d5dd3be118be68f1db475e78743221279ea044b",
|
|
614
614
|
"since": "2025-01-01"
|
|
615
615
|
},
|
|
616
616
|
"route-group:publishing": {
|
|
@@ -618,7 +618,7 @@
|
|
|
618
618
|
"type": "route-group",
|
|
619
619
|
"domain": "publishing",
|
|
620
620
|
"sourcePath": "src/server/routes.ts",
|
|
621
|
-
"contentHash": "
|
|
621
|
+
"contentHash": "be17078af854f08cbba01afe1d5dd3be118be68f1db475e78743221279ea044b",
|
|
622
622
|
"since": "2025-01-01"
|
|
623
623
|
},
|
|
624
624
|
"route-group:private-views": {
|
|
@@ -626,7 +626,7 @@
|
|
|
626
626
|
"type": "route-group",
|
|
627
627
|
"domain": "publishing",
|
|
628
628
|
"sourcePath": "src/server/routes.ts",
|
|
629
|
-
"contentHash": "
|
|
629
|
+
"contentHash": "be17078af854f08cbba01afe1d5dd3be118be68f1db475e78743221279ea044b",
|
|
630
630
|
"since": "2025-01-01"
|
|
631
631
|
},
|
|
632
632
|
"route-group:tunnel": {
|
|
@@ -634,7 +634,7 @@
|
|
|
634
634
|
"type": "route-group",
|
|
635
635
|
"domain": "networking",
|
|
636
636
|
"sourcePath": "src/server/routes.ts",
|
|
637
|
-
"contentHash": "
|
|
637
|
+
"contentHash": "be17078af854f08cbba01afe1d5dd3be118be68f1db475e78743221279ea044b",
|
|
638
638
|
"since": "2025-01-01"
|
|
639
639
|
},
|
|
640
640
|
"route-group:events": {
|
|
@@ -642,7 +642,7 @@
|
|
|
642
642
|
"type": "route-group",
|
|
643
643
|
"domain": "networking",
|
|
644
644
|
"sourcePath": "src/server/routes.ts",
|
|
645
|
-
"contentHash": "
|
|
645
|
+
"contentHash": "be17078af854f08cbba01afe1d5dd3be118be68f1db475e78743221279ea044b",
|
|
646
646
|
"since": "2025-01-01"
|
|
647
647
|
},
|
|
648
648
|
"route-group:evolution": {
|
|
@@ -650,7 +650,7 @@
|
|
|
650
650
|
"type": "route-group",
|
|
651
651
|
"domain": "evolution",
|
|
652
652
|
"sourcePath": "src/server/routes.ts",
|
|
653
|
-
"contentHash": "
|
|
653
|
+
"contentHash": "be17078af854f08cbba01afe1d5dd3be118be68f1db475e78743221279ea044b",
|
|
654
654
|
"since": "2025-01-01"
|
|
655
655
|
},
|
|
656
656
|
"route-group:watchdog": {
|
|
@@ -658,7 +658,7 @@
|
|
|
658
658
|
"type": "route-group",
|
|
659
659
|
"domain": "monitoring",
|
|
660
660
|
"sourcePath": "src/server/routes.ts",
|
|
661
|
-
"contentHash": "
|
|
661
|
+
"contentHash": "be17078af854f08cbba01afe1d5dd3be118be68f1db475e78743221279ea044b",
|
|
662
662
|
"since": "2025-01-01"
|
|
663
663
|
},
|
|
664
664
|
"route-group:topic-memory": {
|
|
@@ -666,7 +666,7 @@
|
|
|
666
666
|
"type": "route-group",
|
|
667
667
|
"domain": "memory",
|
|
668
668
|
"sourcePath": "src/server/routes.ts",
|
|
669
|
-
"contentHash": "
|
|
669
|
+
"contentHash": "be17078af854f08cbba01afe1d5dd3be118be68f1db475e78743221279ea044b",
|
|
670
670
|
"since": "2025-01-01"
|
|
671
671
|
},
|
|
672
672
|
"route-group:state-sync": {
|
|
@@ -674,7 +674,7 @@
|
|
|
674
674
|
"type": "route-group",
|
|
675
675
|
"domain": "coordination",
|
|
676
676
|
"sourcePath": "src/server/routes.ts",
|
|
677
|
-
"contentHash": "
|
|
677
|
+
"contentHash": "be17078af854f08cbba01afe1d5dd3be118be68f1db475e78743221279ea044b",
|
|
678
678
|
"since": "2025-01-01"
|
|
679
679
|
},
|
|
680
680
|
"route-group:intent": {
|
|
@@ -682,7 +682,7 @@
|
|
|
682
682
|
"type": "route-group",
|
|
683
683
|
"domain": "intent",
|
|
684
684
|
"sourcePath": "src/server/routes.ts",
|
|
685
|
-
"contentHash": "
|
|
685
|
+
"contentHash": "be17078af854f08cbba01afe1d5dd3be118be68f1db475e78743221279ea044b",
|
|
686
686
|
"since": "2025-01-01"
|
|
687
687
|
},
|
|
688
688
|
"route-group:triage": {
|
|
@@ -690,7 +690,7 @@
|
|
|
690
690
|
"type": "route-group",
|
|
691
691
|
"domain": "safety",
|
|
692
692
|
"sourcePath": "src/server/routes.ts",
|
|
693
|
-
"contentHash": "
|
|
693
|
+
"contentHash": "be17078af854f08cbba01afe1d5dd3be118be68f1db475e78743221279ea044b",
|
|
694
694
|
"since": "2025-01-01"
|
|
695
695
|
},
|
|
696
696
|
"route-group:operations": {
|
|
@@ -698,7 +698,7 @@
|
|
|
698
698
|
"type": "route-group",
|
|
699
699
|
"domain": "safety",
|
|
700
700
|
"sourcePath": "src/server/routes.ts",
|
|
701
|
-
"contentHash": "
|
|
701
|
+
"contentHash": "be17078af854f08cbba01afe1d5dd3be118be68f1db475e78743221279ea044b",
|
|
702
702
|
"since": "2025-01-01"
|
|
703
703
|
},
|
|
704
704
|
"route-group:sentinel": {
|
|
@@ -706,7 +706,7 @@
|
|
|
706
706
|
"type": "route-group",
|
|
707
707
|
"domain": "safety",
|
|
708
708
|
"sourcePath": "src/server/routes.ts",
|
|
709
|
-
"contentHash": "
|
|
709
|
+
"contentHash": "be17078af854f08cbba01afe1d5dd3be118be68f1db475e78743221279ea044b",
|
|
710
710
|
"since": "2025-01-01"
|
|
711
711
|
},
|
|
712
712
|
"route-group:trust": {
|
|
@@ -714,7 +714,7 @@
|
|
|
714
714
|
"type": "route-group",
|
|
715
715
|
"domain": "safety",
|
|
716
716
|
"sourcePath": "src/server/routes.ts",
|
|
717
|
-
"contentHash": "
|
|
717
|
+
"contentHash": "be17078af854f08cbba01afe1d5dd3be118be68f1db475e78743221279ea044b",
|
|
718
718
|
"since": "2025-01-01"
|
|
719
719
|
},
|
|
720
720
|
"route-group:monitoring": {
|
|
@@ -722,7 +722,7 @@
|
|
|
722
722
|
"type": "route-group",
|
|
723
723
|
"domain": "monitoring",
|
|
724
724
|
"sourcePath": "src/server/routes.ts",
|
|
725
|
-
"contentHash": "
|
|
725
|
+
"contentHash": "be17078af854f08cbba01afe1d5dd3be118be68f1db475e78743221279ea044b",
|
|
726
726
|
"since": "2025-01-01"
|
|
727
727
|
},
|
|
728
728
|
"route-group:commitments": {
|
|
@@ -730,7 +730,7 @@
|
|
|
730
730
|
"type": "route-group",
|
|
731
731
|
"domain": "commitments",
|
|
732
732
|
"sourcePath": "src/server/routes.ts",
|
|
733
|
-
"contentHash": "
|
|
733
|
+
"contentHash": "be17078af854f08cbba01afe1d5dd3be118be68f1db475e78743221279ea044b",
|
|
734
734
|
"since": "2025-01-01"
|
|
735
735
|
},
|
|
736
736
|
"route-group:episodes": {
|
|
@@ -738,7 +738,7 @@
|
|
|
738
738
|
"type": "route-group",
|
|
739
739
|
"domain": "memory",
|
|
740
740
|
"sourcePath": "src/server/routes.ts",
|
|
741
|
-
"contentHash": "
|
|
741
|
+
"contentHash": "be17078af854f08cbba01afe1d5dd3be118be68f1db475e78743221279ea044b",
|
|
742
742
|
"since": "2025-01-01"
|
|
743
743
|
},
|
|
744
744
|
"route-group:messages": {
|
|
@@ -746,7 +746,7 @@
|
|
|
746
746
|
"type": "route-group",
|
|
747
747
|
"domain": "coordination",
|
|
748
748
|
"sourcePath": "src/server/routes.ts",
|
|
749
|
-
"contentHash": "
|
|
749
|
+
"contentHash": "be17078af854f08cbba01afe1d5dd3be118be68f1db475e78743221279ea044b",
|
|
750
750
|
"since": "2025-01-01"
|
|
751
751
|
},
|
|
752
752
|
"route-group:system-reviews": {
|
|
@@ -754,7 +754,7 @@
|
|
|
754
754
|
"type": "route-group",
|
|
755
755
|
"domain": "monitoring",
|
|
756
756
|
"sourcePath": "src/server/routes.ts",
|
|
757
|
-
"contentHash": "
|
|
757
|
+
"contentHash": "be17078af854f08cbba01afe1d5dd3be118be68f1db475e78743221279ea044b",
|
|
758
758
|
"since": "2025-01-01"
|
|
759
759
|
},
|
|
760
760
|
"route-group:machine-mesh": {
|
|
@@ -770,7 +770,7 @@
|
|
|
770
770
|
"type": "route-group",
|
|
771
771
|
"domain": "security",
|
|
772
772
|
"sourcePath": "src/server/routes.ts",
|
|
773
|
-
"contentHash": "
|
|
773
|
+
"contentHash": "be17078af854f08cbba01afe1d5dd3be118be68f1db475e78743221279ea044b",
|
|
774
774
|
"since": "2025-01-01"
|
|
775
775
|
},
|
|
776
776
|
"cli:init": {
|
|
@@ -1522,7 +1522,7 @@
|
|
|
1522
1522
|
"type": "subsystem",
|
|
1523
1523
|
"domain": "server",
|
|
1524
1524
|
"sourcePath": "src/server/AgentServer.ts",
|
|
1525
|
-
"contentHash": "
|
|
1525
|
+
"contentHash": "7ed80be6bb2846567ed0c9b3b3c9edd1d4f38e166bd919623d691c96d1daff7c",
|
|
1526
1526
|
"since": "2025-01-01"
|
|
1527
1527
|
},
|
|
1528
1528
|
"subsystem:session-manager": {
|
|
@@ -0,0 +1,24 @@
|
|
|
1
|
+
# Upgrade Guide — vNEXT
|
|
2
|
+
|
|
3
|
+
<!-- assembled-by: assemble-next-md -->
|
|
4
|
+
<!-- bump: patch -->
|
|
5
|
+
|
|
6
|
+
## What Changed
|
|
7
|
+
|
|
8
|
+
WS5.2 Account Follow-Me, PR2 — the cross-machine enrollment **detection→consent surface** (Mechanism B re-mint). When the agent runs on more than one machine and a machine has no usable account for an operator subscription (a "depth-zero" machine), it now proactively detects that and surfaces ONE aggregated, phone-first consent ("authorize on the dashboard?") — and **enrolls nothing on its own**. Authorization remains the operator's PIN-gated mandate (issued on the target's own dashboard, per-server per OQ6); a peer can never enroll an account onto itself.
|
|
9
|
+
|
|
10
|
+
Built on PR1's primitives: the request-never-self-authorize orchestrator, the depth-zero detector (R7-bounded), the per-machine depth adapter, the tolerant peer-views fetcher (reuses the `?scope=pool` fan-out, metadata-only — no token or config-home ever crosses), the cross-machine mandate bridge (R4a), and the composing service. Wired through `server.ts`/`AgentServer`/`RouteContext` and exposed at `POST /subscription-pool/follow-me/scan`. Ships DARK behind `multiMachine.accountFollowMe` (503 on the fleet, live on a development agent).
|
|
11
|
+
|
|
12
|
+
## What to Tell Your User
|
|
13
|
+
|
|
14
|
+
Still nothing to do yet — this is the next layer toward "log in once, it works on every machine," shipped off by default. With it, when one of your machines has no account, I'll notice and offer you a one-tap dashboard approval to enroll it (rather than ever doing it silently) — and no login token is copied between machines. The actual one-tap enrollment + safety checks land in the next PR.
|
|
15
|
+
|
|
16
|
+
## Summary of New Capabilities
|
|
17
|
+
|
|
18
|
+
Proactive cross-machine account-enrollment detection + consent (dark): the agent detects a machine with no usable account and surfaces ONE operator approval, enrolling nothing on its own. No user-facing surface is live in this release.
|
|
19
|
+
|
|
20
|
+
## Evidence
|
|
21
|
+
|
|
22
|
+
- 37 tests: 35 unit across 7 modules + 2 Tier-2 integration over the real HTTP pipeline (dark→503; enabled→detects a depth-zero peer→ONE consent, enrolls nothing); `tsc --noEmit` clean.
|
|
23
|
+
- Side-effects review + mandatory independent second-pass security review (concurred) — verified no self-authorization path, no credential leak (peer fetch is metadata-only, configHome discarded), genuinely-inert fleet default, and no fail-open paths. Artifact: `upgrades/side-effects/ws52-account-follow-me-pr2.md`.
|
|
24
|
+
- Spec: `docs/specs/ws52-account-follow-me-security.md` (converged, approved).
|
|
@@ -0,0 +1,24 @@
|
|
|
1
|
+
# Upgrade Guide — vNEXT
|
|
2
|
+
|
|
3
|
+
<!-- assembled-by: assemble-next-md -->
|
|
4
|
+
<!-- bump: patch -->
|
|
5
|
+
|
|
6
|
+
## What Changed
|
|
7
|
+
|
|
8
|
+
WS5.2 Account Follow-Me, §6.2 — the `locallyExecutable` account-selection gate. A new shared predicate `isLocallyExecutable(account)` (an account is executable on THIS machine iff it holds a real local `configHome` AND a valid login — active/warming) now gates account selection at its chokepoint: both `QuotaAwareScheduler.selectAccount()` (placement + swap-target selection) and `poolHeadroom()` (the quota throttle) filter on it, preserving the documented never-loop invariant `placeable ⟺ selectAccount(...) !== null`. A credential-less meta-only account replicated in from a peer (empty `configHome`) is now structurally unselectable — closing the force-mode "use an account I have metadata for but no credential" hole at SELECTION time. Adds `SubscriptionPool.locallyExecutable()` as the canonical machine-executable account set.
|
|
9
|
+
|
|
10
|
+
This is a pure tightening: every real pool account already carries a non-empty `configHome` (required by `add()`), so among genuinely-held accounts the predicate is a no-op — it only ever excludes a credential-less peer projection. The structural guard that lets the later enrollment-execution PRs add accounts without any path ever selecting a peer's credential-less account.
|
|
11
|
+
|
|
12
|
+
## What to Tell Your User
|
|
13
|
+
|
|
14
|
+
Nothing to do — this is an internal selection-safety guard, shipped off by default as part of the multi-machine account-sharing groundwork. It guarantees this machine can only ever pick an account it actually holds a login for, never a peer's account it merely knows about. No user-facing surface in this release.
|
|
15
|
+
|
|
16
|
+
## Summary of New Capabilities
|
|
17
|
+
|
|
18
|
+
Internal: a `locallyExecutable` account-selection gate so a credential-less peer account projection can never be selected for execution, placement, or swap on this machine. Defense-in-depth groundwork for the WS5.2 enrollment-execution path. No user-facing surface.
|
|
19
|
+
|
|
20
|
+
## Evidence
|
|
21
|
+
|
|
22
|
+
- 9 unit tests (`tests/unit/account-follow-me-locally-executable.test.ts`): both boundary sides (executable active/warming + real configHome; non-executable empty/whitespace configHome, needs-reauth/disabled/rate-limited), selectAccount exclusion of a meta-only account, real-over-meta preference, no-regression for held accounts, and explicit never-loop-invariant agreement (`poolHeadroom.placeable ⟺ selectAccount !== null`) for meta-only and real cases. `tsc --noEmit` clean.
|
|
23
|
+
- Side-effects review + mandatory independent second-pass security review (concurred): verified the never-loop invariant is preserved by the shared predicate, the change is a true no-op for current accounts, zero dangling references, no missed selection path, fail-closed (no fail-open). Artifact: `upgrades/side-effects/ws52-account-follow-me-locally-executable.md`.
|
|
24
|
+
- Spec: `docs/specs/ws52-account-follow-me-security.md` §6.2 + §6.3a (converged, approved).
|
|
@@ -0,0 +1,69 @@
|
|
|
1
|
+
# Side-Effects Review — WS5.2 §6.2 `locallyExecutable` selection gate
|
|
2
|
+
|
|
3
|
+
**Version / slug:** `ws52-account-follow-me-locally-executable`
|
|
4
|
+
**Date:** `2026-06-17`
|
|
5
|
+
**Author:** `Echo (instar-dev agent)`
|
|
6
|
+
**Second-pass reviewer:** `pending (high-risk: account selection / credential boundary)`
|
|
7
|
+
|
|
8
|
+
## Summary of the change
|
|
9
|
+
|
|
10
|
+
WS5.2 §6.2. Adds a single shared predicate `isLocallyExecutable(account)` (exported from `src/core/SubscriptionPool.ts`) — an account is executable on THIS machine iff it carries a real local `configHome` AND a valid login (status `active`/`warming`). A meta-only account replicated in from a peer (credential-less, empty `configHome`) is NOT locally executable. The predicate is applied at the account-selection chokepoint in `src/core/QuotaAwareScheduler.ts` — in BOTH `selectAccount()` (the placement/swap selector, used by `ProactiveSwapMonitor` + `onQuotaPressure`/`SessionMigrator`) AND `poolHeadroom()` (the quota-throttle), which MUST share the exact eligibility predicate to preserve the documented never-loop invariant `placeable ⟺ selectAccount(...) !== null`. A `SubscriptionPool.locallyExecutable()` convenience method returns the filtered selectable set. Files: `SubscriptionPool.ts`, `QuotaAwareScheduler.ts`, plus `tests/unit/account-follow-me-locally-executable.test.ts`.
|
|
11
|
+
|
|
12
|
+
## Decision-point inventory
|
|
13
|
+
|
|
14
|
+
- `QuotaAwareScheduler.selectAccount()` eligibility filter — **modify** — tightened from status-only (`isEligibleStatus`) to `isLocallyExecutable` (status + non-empty configHome). A credential-less account is now unselectable.
|
|
15
|
+
- `QuotaAwareScheduler.poolHeadroom()` eligibility filter — **modify** — tightened identically, preserving `placeable ⟺ selectAccount !== null`.
|
|
16
|
+
- `SubscriptionPool.locallyExecutable()` — **add** — canonical read of the machine-executable account set.
|
|
17
|
+
|
|
18
|
+
---
|
|
19
|
+
|
|
20
|
+
## 1. Over-block
|
|
21
|
+
|
|
22
|
+
**What legitimate inputs does this change reject that it shouldn't?**
|
|
23
|
+
|
|
24
|
+
None. Every genuinely-held pool account carries a non-empty `configHome` (required by `SubscriptionPool.add()`, which trims and validates it), so among real accounts this predicate is a pure no-op — it returns exactly what `isEligibleStatus` returned before. It only ever excludes an account with an empty/whitespace `configHome`, which by construction has no local credential and therefore cannot spawn a session. There is no legitimate "selectable account with no configHome" today.
|
|
25
|
+
|
|
26
|
+
## 2. Under-block
|
|
27
|
+
|
|
28
|
+
**What failure modes does this still miss?**
|
|
29
|
+
|
|
30
|
+
It gates SELECTION, not execution-time credential validity. An account that has a `configHome` and `active` status but whose on-disk token is stale/revoked still passes the predicate (the swap/refresh machinery + provider-side 401 handling owns that case — out of scope for §6.2). It also does not inspect token contents; a corrupted credential file at a valid `configHome` is caught downstream, not here. This is intentional: §6.2's job is "never select an account we hold no credential for," not "verify the credential works."
|
|
31
|
+
|
|
32
|
+
## 3. Level-of-abstraction fit
|
|
33
|
+
|
|
34
|
+
Correct layer. Account selection is exactly where "can this machine run this account?" must be decided — the predicate lives next to the `SubscriptionAccount` type (its canonical home) and is applied at the two selectors that gate placement. A higher layer (the router) does not select accounts (it routes SDK-vs-pool *path*, then the interactive pool runs whatever account the session was placed under); a lower layer (the credential store) does not know about selection. The shared-predicate design avoids the classic split-brain where two selectors drift.
|
|
35
|
+
|
|
36
|
+
## 4. Signal vs authority compliance
|
|
37
|
+
|
|
38
|
+
This is a **filter on a selection set**, not a brittle check with blocking authority over messages/actions. It is deterministic (a field-presence + status check), not heuristic — so it does not fall under the signal-vs-authority concern about brittle blocking logic. It cannot mis-fire on ambiguous input: `configHome` is either a non-empty string or not. It never blocks a user message or an outbound action; it only narrows which accounts a placement/swap may pick. Reference: `docs/signal-vs-authority.md` — a deterministic capability gate (can this machine physically execute this account) is authority appropriately exercised, not a brittle heuristic.
|
|
39
|
+
|
|
40
|
+
## 5. Interactions
|
|
41
|
+
|
|
42
|
+
The one real interaction is the **never-loop invariant** between `selectAccount` and `poolHeadroom`: the throttle's comment guarantees `placeable ⟺ selectAccount(...) !== null`. Tightening only one selector would break it (throttle says "go" while placement returns null → spin). Both are tightened with the SAME predicate, and a unit test asserts the two agree on a meta-only account. No other selector consumes these. `ProactiveSwapMonitor`/`SessionMigrator`/`onQuotaPressure` reach selection THROUGH `selectAccount`, so they inherit the gate for free. `PlacementExecutor` (cross-machine placement) does not select an account, so it is unaffected.
|
|
43
|
+
|
|
44
|
+
## 6. External surfaces
|
|
45
|
+
|
|
46
|
+
No new route, no new config, no user-facing surface. `SubscriptionPool.locallyExecutable()` is a new read method but no route exposes it in this change. Behavior visible to other agents/users is unchanged because the predicate is a no-op for all real accounts today (all have configHomes). It does not depend on timing or runtime conditions.
|
|
47
|
+
|
|
48
|
+
## 7. Multi-machine posture (Cross-Machine Coherence)
|
|
49
|
+
|
|
50
|
+
**Machine-local BY DESIGN.** This is the precise point of the change: a `configHome` is a per-machine credential location, so "locally executable" is inherently a per-machine question. The predicate deliberately treats a peer's account (which would arrive as a credential-less meta projection if/when a future scope=pool selection merges peer accounts into a local selection list) as NON-executable here. There is no replication or proxy-on-read surface — by design, each machine answers "which accounts can I run?" from its OWN configHome-bearing accounts. This is the structural guard that lets the later enrollment-execution PRs safely add accounts without any path ever selecting a peer's credential-less account.
|
|
51
|
+
|
|
52
|
+
## 8. Rollback cost
|
|
53
|
+
|
|
54
|
+
Trivial. Pure code change, no migration, no persisted state, no config. Revert is a single-commit back-out; because the predicate is a no-op for all current accounts, reverting changes nothing observable today. No agent state repair, no data migration.
|
|
55
|
+
|
|
56
|
+
---
|
|
57
|
+
|
|
58
|
+
## Second-pass review
|
|
59
|
+
|
|
60
|
+
**Concur with the review.** Verified independently against the actual code, spec §6.2/§6.3a, build, and tests:
|
|
61
|
+
|
|
62
|
+
1. **Never-loop invariant preserved** — `selectAccount` (`QuotaAwareScheduler.ts:103-108`) and `poolHeadroom` (`:141-143`) use the byte-identical eligibility predicate `isLocallyExecutable(a) && bindingUtilization(a.lastQuota) < soft`. `selectAccount`'s extra `a.id !== excludeId` is a pure narrowing on the swap path; the throttle calls `poolHeadroom` without an exclude, so `placeable ⟺ selectAccount(...) !== null` holds.
|
|
63
|
+
2. **True no-op for current accounts** — `add()` (`SubscriptionPool.ts:308-309`) and `update()` (`:356-359`) both trim and reject empty `configHome`; no real account can have one. For real accounts `isLocallyExecutable` reduces to the old `active/warming` status check — exact behavioral parity.
|
|
64
|
+
3. **Zero dangling `isEligibleStatus`** — grep across `src/` + `tests/` returns nothing; `tsc --noEmit` EXIT=0.
|
|
65
|
+
4. **No missed selection path** — all `selectAccount`/`poolHeadroom` callers (`ProactiveSwapMonitor:226` swap-target, `server.ts:14343` spawn-resolver, `onQuotaPressure`, QuotaTracker throttle) route through the gated selectors. `AnthropicSubscriptionRouter` routes SDK-vs-pool *paths*, not accounts; `InteractivePoolIntelligenceProvider` runs sessions already spawned under a gated account; `mapCandidates` only enumerates running-session SOURCES; no `.list()[0]`-style ungated picks exist; `PlacementExecutor` doesn't select accounts.
|
|
66
|
+
5. **Tests cover both boundary sides + invariant agreement** — 9/9 pass; explicit `poolHeadroom.placeable ⟺ selectAccount !== null` assertions for meta-only and real cases.
|
|
67
|
+
6. **No fail-OPEN** — predicate is fail-closed (missing/non-string/empty `configHome` → false).
|
|
68
|
+
|
|
69
|
+
Sound, well-tested pure tightening with the never-loop invariant correctly preserved.
|
|
@@ -0,0 +1,59 @@
|
|
|
1
|
+
# Side-Effects Review — WS5.2 Account Follow-Me, PR2 (Mechanism B enroll-drive)
|
|
2
|
+
|
|
3
|
+
**Version / slug:** `ws52-account-follow-me-pr2`
|
|
4
|
+
**Date:** `2026-06-17`
|
|
5
|
+
**Author:** Echo (autonomous)
|
|
6
|
+
**Second-pass reviewer:** REQUIRED (high-risk: credentials, mandate authorization, cross-machine mesh delivery) — to be appended.
|
|
7
|
+
**Spec:** `docs/specs/ws52-account-follow-me-security.md` (converged 2026-06-13, approved)
|
|
8
|
+
**Status:** READY — the detection→consent flow is built, production-wired, and tested (37 tests: 35 unit across 7 modules + 2 Tier-2 integration over the real HTTP pipeline; tsc clean). PR2 ships the detection/consent/offer surface; the email-gate-at-completion (S7) wiring + the router `locallyExecutable` gate are PR3 (selection-safety) <!-- tracked: CMT-1620 --> (the email-gate LOGIC is already built + unit-tested here; only its completion-flow wiring is PR3). Revocation is PR4 <!-- tracked: CMT-1620 -->.
|
|
9
|
+
|
|
10
|
+
## Summary of the change
|
|
11
|
+
|
|
12
|
+
PR2 builds Mechanism B (re-mint per machine) account enrollment — the "one approval per machine, ToS-safe" flow. Per OQ6 (resolved per the spec's lean + the 2-machine topology) the transport is **per-server operator-side selection**, not a new credential-adjacent mesh verb. PR2 ships the decision/orchestration logic (built, unit-tested) + the server-shell wiring (pending).
|
|
13
|
+
|
|
14
|
+
Files added (all unit-tested, dark behind `multiMachine.accountFollowMe`):
|
|
15
|
+
- `src/core/AccountFollowMeOrchestrator.ts` — §5.2 request-never-self-authorize: depth-zero → MandateGate.evaluate(`account-follow-me`) → deny/no-mandate ⇒ phone-first consent (never proceed/CLI); allow ⇒ proceed.
|
|
16
|
+
- `src/core/AccountFollowMeEmailGate.ts` — §5.3/S7 email-validation-before-selectable (fail-closed; HIGH attention item on mismatch).
|
|
17
|
+
- `src/core/AccountFollowMeDetector.ts` — depth-zero offer detection, R7-bounded (per-account max-follow cap, one-per-(account,target), in-flight dedup).
|
|
18
|
+
- `src/coordination/AccountFollowMeMandateBridge.ts` — R4a cross-machine mandate package/accept via PR1's Ed25519 signMandateIssuance/verifyMandateIssuance.
|
|
19
|
+
- `src/core/AccountFollowMeService.ts` — composes the above: `scanAndOffer()` (one aggregated consent, enrolls nothing) + `onMandateDelivered()` (verify → allow → enroll-drive instruction).
|
|
20
|
+
- `src/core/accountFollowMeDepth.ts` — pure adapter: per-machine pool views → detector input (usable = locallyHeld + active/warming; meta-only ⇒ depth-zero).
|
|
21
|
+
- `src/core/fetchPeerSubscriptionViews.ts` — extracts the `?scope=pool` fan-out into a tolerant, injectable peer-views fetcher (dark peers skipped, never throws).
|
|
22
|
+
- `src/server/routes.ts` — `POST /subscription-pool/follow-me/scan` (dark→503; enabled→detect depth-zero peers→ONE aggregated consent attention item, enrolls nothing) + an optional `accountFollowMePeerViews` RouteContext field.
|
|
23
|
+
- `src/server/AgentServer.ts` + `src/commands/server.ts` — thread + construct the real peer-views fetcher (listPoolMachines + fetchPeerSubscriptionViews, authToken).
|
|
24
|
+
- `tests/integration/account-follow-me-scan-route.test.ts` — Tier-2 over the real HTTP pipeline (dark→503; enabled→detect+one-consent).
|
|
25
|
+
- 37 tests total (35 unit across 7 modules + 2 Tier-2).
|
|
26
|
+
|
|
27
|
+
## The eight side-effect questions (for the built decision logic)
|
|
28
|
+
|
|
29
|
+
1. **Over-block** — The detector only offers to DEPTH-ZERO machines and caps per account; a machine that already serves is never offered, and the cap can suppress a legitimate offer past N machines (intended R7 bound, operator-tunable). No legitimate enrollment is silently lost — it's surfaced as consent or capped-by-policy.
|
|
30
|
+
2. **Under-block** — PR2 logic does not itself perform the credential write (the server-shell does, pending); the at-rest residual / revocation (R10/R12) is PR4, tracked. The orchestrator denies by default, so the under-block risk (enrolling without authorization) is structurally closed at the decision layer.
|
|
31
|
+
3. **Level-of-abstraction fit** — Decision logic is pure + injectable (no I/O), mirroring PR1's primitives; side effects (attention item, EnrollmentWizard drive, SubscriptionPool.add) are injected so the server-shell owns I/O. Correct layering.
|
|
32
|
+
4. **Signal vs authority** — The orchestrator + bridge are AUTHORITIES (they gate a credential enrollment) but are NOT brittle: authorization delegates to the existing PIN-gated MandateGate + the R4a asymmetric signature, and every path FAILS CLOSED. No brittle check holds blocking authority; deny-by-default throughout.
|
|
33
|
+
5. **Interactions** — Reuses PR1's CrossMachineMandate (no duplication) + the existing MandateGate (action-agnostic, no change needed) + the existing EnrollmentWizard/enroll routes (no fork). The `account-follow-me` action is a new string in the existing gate — no schema change.
|
|
34
|
+
6. **External surfaces** — Dark on fleet. The consent surface is a phone-first dashboard deep-link, never a CLI instruction. The aggregated consent is ONE attention item (P17), never per-machine spam. No credential or token is in any surface the logic produces.
|
|
35
|
+
7. **Multi-machine posture** — This IS the multi-machine feature. Mandate authority crosses via the R4a asymmetric signature (verified-operator binding); the credential is re-minted per machine (never replicated). Operator-rooted, not peer-quorum. Single-machine = no-op (no depth-zero peers).
|
|
36
|
+
8. **Rollback cost** — Low. Dark behind `multiMachine.accountFollowMe`; revert the PR. No data migration (no live credential written by PR2's logic layer). The server-shell increment carries its own rollback once added.
|
|
37
|
+
|
|
38
|
+
## Wired-surface notes (questions 2/6/8 for the shipped detection surface)
|
|
39
|
+
|
|
40
|
+
- **Under-block (2):** the scan route only SURFACES consent (enrolls nothing); the credential write stays in the existing operator-driven enroll route. The email-gate (S7) validating a completed enrollment is PR3 <!-- tracked: CMT-1620 --> — until then a follow-me enrollment relies on the operator approving on the target's own dashboard (the existing, already-shipped enroll flow). No new credential path is opened by PR2.
|
|
41
|
+
- **External surfaces (6):** the scan route fetches peers' PLAIN `/subscription-pool` (Bearer `config.authToken`, 4s timeout, dark-peer-tolerant) — same auth + tolerance posture as the existing `?scope=pool` / `/guards` fan-out. It surfaces ONE aggregated attention item (category `account-follow-me`), never per-machine spam. Dark on fleet (resolveDevAgentGate → 503).
|
|
42
|
+
- **Rollback (8):** dark behind `multiMachine.accountFollowMe`; revert the PR. No data migration; no credential written by the detection surface. The `accountFollowMePeerViews` ctx field + server wiring are additive/optional.
|
|
43
|
+
|
|
44
|
+
## Pending for PR3/PR4 (tracked)
|
|
45
|
+
|
|
46
|
+
- PR3 <!-- tracked: CMT-1620 -->: wire the email-gate at enrollment completion (S7) + the router `locallyExecutable` gate (§6.2).
|
|
47
|
+
- PR4 <!-- tracked: CMT-1620 -->: revocation (R12).
|
|
48
|
+
|
|
49
|
+
## Second-pass review
|
|
50
|
+
|
|
51
|
+
**Verdict: Concur with the review.** (Independent reviewer subagent, 2026-06-17; ran 35 unit + 2 integration tests green + `tsc --noEmit` clean.)
|
|
52
|
+
|
|
53
|
+
Verified the four focus areas:
|
|
54
|
+
- **(a) No self-authorization path** — `requestEnrollment` short-circuits to consent BEFORE the gate when no mandateId; only returns proceed on an explicit gate `allow`. `scanAndOffer` never passes a mandateId (structurally consent-only). `onMandateDelivered` requires the R4a asymmetric verify AND the real MandateGate (authorship/expiry/revocation/named-party/bounds). Deny-by-default holds.
|
|
55
|
+
- **(b) No credential leak** — the peer fetch hits each peer's PLAIN `/subscription-pool` (no scope=pool recursion), projects only id/email/status, discards configHome; SubscriptionAccount structurally cannot carry a token; consent/attention surfaces are metadata-only.
|
|
56
|
+
- **(c) Dark-default genuinely inert** — scan route 503s on the fleet via resolveDevAgentGate; integration test asserts it.
|
|
57
|
+
- **(d) No fail-open bugs** — meta-only never counts usable; a dark peer can't make a held machine read depth-zero; email-gate + mandate-verify fail closed; the R7 cap is order-independent.
|
|
58
|
+
|
|
59
|
+
Two non-blocking notes for the PR3+ author (NOT PR2 defects — PR2 never reaches these): the route wires `agentFp` to `ctx.config.projectName ?? 'self'`, which must match the named agent party once the real mandate-delivered flow lands in PR3; and the plain `/subscription-pool` route serializes `configHome` (a path, never a token; pre-existing, Bearer-gated) which the PR2 fetcher correctly discards.
|