instar 1.3.611 → 1.3.613
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/core/AccountFollowMeRevocation.d.ts +178 -0
- package/dist/core/AccountFollowMeRevocation.d.ts.map +1 -0
- package/dist/core/AccountFollowMeRevocation.js +279 -0
- package/dist/core/AccountFollowMeRevocation.js.map +1 -0
- package/dist/core/resolveFollowMeEnrollTarget.d.ts +54 -0
- package/dist/core/resolveFollowMeEnrollTarget.d.ts.map +1 -0
- package/dist/core/resolveFollowMeEnrollTarget.js +57 -0
- package/dist/core/resolveFollowMeEnrollTarget.js.map +1 -0
- package/dist/server/routes.d.ts.map +1 -1
- package/dist/server/routes.js +91 -0
- package/dist/server/routes.js.map +1 -1
- package/package.json +1 -1
- package/src/data/builtin-manifest.json +46 -46
- package/upgrades/1.3.612.md +28 -0
- package/upgrades/1.3.613.md +22 -0
- package/upgrades/side-effects/ws52-account-follow-me-enroll-start.md +65 -0
- package/upgrades/side-effects/ws52-account-follow-me-revocation.md +122 -0
package/package.json
CHANGED
|
@@ -1,8 +1,8 @@
|
|
|
1
1
|
{
|
|
2
2
|
"$schema": "./builtin-manifest.schema.json",
|
|
3
3
|
"schemaVersion": 1,
|
|
4
|
-
"generatedAt": "2026-06-
|
|
5
|
-
"instarVersion": "1.3.
|
|
4
|
+
"generatedAt": "2026-06-17T12:30:56.584Z",
|
|
5
|
+
"instarVersion": "1.3.613",
|
|
6
6
|
"entryCount": 201,
|
|
7
7
|
"entries": {
|
|
8
8
|
"hook:session-start": {
|
|
@@ -418,7 +418,7 @@
|
|
|
418
418
|
"type": "route-group",
|
|
419
419
|
"domain": "monitoring",
|
|
420
420
|
"sourcePath": "src/server/routes.ts",
|
|
421
|
-
"contentHash": "
|
|
421
|
+
"contentHash": "4666744e990aab57550cd8216d9d56e2a1c1a33ed90001f6e96afb20399d0f85",
|
|
422
422
|
"since": "2025-01-01"
|
|
423
423
|
},
|
|
424
424
|
"route-group:agents": {
|
|
@@ -426,7 +426,7 @@
|
|
|
426
426
|
"type": "route-group",
|
|
427
427
|
"domain": "sessions",
|
|
428
428
|
"sourcePath": "src/server/routes.ts",
|
|
429
|
-
"contentHash": "
|
|
429
|
+
"contentHash": "4666744e990aab57550cd8216d9d56e2a1c1a33ed90001f6e96afb20399d0f85",
|
|
430
430
|
"since": "2025-01-01"
|
|
431
431
|
},
|
|
432
432
|
"route-group:backups": {
|
|
@@ -434,7 +434,7 @@
|
|
|
434
434
|
"type": "route-group",
|
|
435
435
|
"domain": "operations",
|
|
436
436
|
"sourcePath": "src/server/routes.ts",
|
|
437
|
-
"contentHash": "
|
|
437
|
+
"contentHash": "4666744e990aab57550cd8216d9d56e2a1c1a33ed90001f6e96afb20399d0f85",
|
|
438
438
|
"since": "2025-01-01"
|
|
439
439
|
},
|
|
440
440
|
"route-group:git": {
|
|
@@ -442,7 +442,7 @@
|
|
|
442
442
|
"type": "route-group",
|
|
443
443
|
"domain": "coordination",
|
|
444
444
|
"sourcePath": "src/server/routes.ts",
|
|
445
|
-
"contentHash": "
|
|
445
|
+
"contentHash": "4666744e990aab57550cd8216d9d56e2a1c1a33ed90001f6e96afb20399d0f85",
|
|
446
446
|
"since": "2025-01-01"
|
|
447
447
|
},
|
|
448
448
|
"route-group:memory": {
|
|
@@ -450,7 +450,7 @@
|
|
|
450
450
|
"type": "route-group",
|
|
451
451
|
"domain": "memory",
|
|
452
452
|
"sourcePath": "src/server/routes.ts",
|
|
453
|
-
"contentHash": "
|
|
453
|
+
"contentHash": "4666744e990aab57550cd8216d9d56e2a1c1a33ed90001f6e96afb20399d0f85",
|
|
454
454
|
"since": "2025-01-01"
|
|
455
455
|
},
|
|
456
456
|
"route-group:semantic": {
|
|
@@ -458,7 +458,7 @@
|
|
|
458
458
|
"type": "route-group",
|
|
459
459
|
"domain": "memory",
|
|
460
460
|
"sourcePath": "src/server/routes.ts",
|
|
461
|
-
"contentHash": "
|
|
461
|
+
"contentHash": "4666744e990aab57550cd8216d9d56e2a1c1a33ed90001f6e96afb20399d0f85",
|
|
462
462
|
"since": "2025-01-01"
|
|
463
463
|
},
|
|
464
464
|
"route-group:status": {
|
|
@@ -466,7 +466,7 @@
|
|
|
466
466
|
"type": "route-group",
|
|
467
467
|
"domain": "monitoring",
|
|
468
468
|
"sourcePath": "src/server/routes.ts",
|
|
469
|
-
"contentHash": "
|
|
469
|
+
"contentHash": "4666744e990aab57550cd8216d9d56e2a1c1a33ed90001f6e96afb20399d0f85",
|
|
470
470
|
"since": "2025-01-01"
|
|
471
471
|
},
|
|
472
472
|
"route-group:capabilities": {
|
|
@@ -474,7 +474,7 @@
|
|
|
474
474
|
"type": "route-group",
|
|
475
475
|
"domain": "mapping",
|
|
476
476
|
"sourcePath": "src/server/routes.ts",
|
|
477
|
-
"contentHash": "
|
|
477
|
+
"contentHash": "4666744e990aab57550cd8216d9d56e2a1c1a33ed90001f6e96afb20399d0f85",
|
|
478
478
|
"since": "2025-01-01"
|
|
479
479
|
},
|
|
480
480
|
"route-group:project-map": {
|
|
@@ -482,7 +482,7 @@
|
|
|
482
482
|
"type": "route-group",
|
|
483
483
|
"domain": "mapping",
|
|
484
484
|
"sourcePath": "src/server/routes.ts",
|
|
485
|
-
"contentHash": "
|
|
485
|
+
"contentHash": "4666744e990aab57550cd8216d9d56e2a1c1a33ed90001f6e96afb20399d0f85",
|
|
486
486
|
"since": "2025-01-01"
|
|
487
487
|
},
|
|
488
488
|
"route-group:coherence": {
|
|
@@ -490,7 +490,7 @@
|
|
|
490
490
|
"type": "route-group",
|
|
491
491
|
"domain": "coherence",
|
|
492
492
|
"sourcePath": "src/server/routes.ts",
|
|
493
|
-
"contentHash": "
|
|
493
|
+
"contentHash": "4666744e990aab57550cd8216d9d56e2a1c1a33ed90001f6e96afb20399d0f85",
|
|
494
494
|
"since": "2025-01-01"
|
|
495
495
|
},
|
|
496
496
|
"route-group:topic-bindings": {
|
|
@@ -498,7 +498,7 @@
|
|
|
498
498
|
"type": "route-group",
|
|
499
499
|
"domain": "sessions",
|
|
500
500
|
"sourcePath": "src/server/routes.ts",
|
|
501
|
-
"contentHash": "
|
|
501
|
+
"contentHash": "4666744e990aab57550cd8216d9d56e2a1c1a33ed90001f6e96afb20399d0f85",
|
|
502
502
|
"since": "2025-01-01"
|
|
503
503
|
},
|
|
504
504
|
"route-group:context": {
|
|
@@ -506,7 +506,7 @@
|
|
|
506
506
|
"type": "route-group",
|
|
507
507
|
"domain": "context",
|
|
508
508
|
"sourcePath": "src/server/routes.ts",
|
|
509
|
-
"contentHash": "
|
|
509
|
+
"contentHash": "4666744e990aab57550cd8216d9d56e2a1c1a33ed90001f6e96afb20399d0f85",
|
|
510
510
|
"since": "2025-01-01"
|
|
511
511
|
},
|
|
512
512
|
"route-group:scope-coherence": {
|
|
@@ -514,7 +514,7 @@
|
|
|
514
514
|
"type": "route-group",
|
|
515
515
|
"domain": "coherence",
|
|
516
516
|
"sourcePath": "src/server/routes.ts",
|
|
517
|
-
"contentHash": "
|
|
517
|
+
"contentHash": "4666744e990aab57550cd8216d9d56e2a1c1a33ed90001f6e96afb20399d0f85",
|
|
518
518
|
"since": "2025-01-01"
|
|
519
519
|
},
|
|
520
520
|
"route-group:canonical-state": {
|
|
@@ -522,7 +522,7 @@
|
|
|
522
522
|
"type": "route-group",
|
|
523
523
|
"domain": "state",
|
|
524
524
|
"sourcePath": "src/server/routes.ts",
|
|
525
|
-
"contentHash": "
|
|
525
|
+
"contentHash": "4666744e990aab57550cd8216d9d56e2a1c1a33ed90001f6e96afb20399d0f85",
|
|
526
526
|
"since": "2025-01-01"
|
|
527
527
|
},
|
|
528
528
|
"route-group:ci": {
|
|
@@ -530,7 +530,7 @@
|
|
|
530
530
|
"type": "route-group",
|
|
531
531
|
"domain": "monitoring",
|
|
532
532
|
"sourcePath": "src/server/routes.ts",
|
|
533
|
-
"contentHash": "
|
|
533
|
+
"contentHash": "4666744e990aab57550cd8216d9d56e2a1c1a33ed90001f6e96afb20399d0f85",
|
|
534
534
|
"since": "2025-01-01"
|
|
535
535
|
},
|
|
536
536
|
"route-group:sessions": {
|
|
@@ -538,7 +538,7 @@
|
|
|
538
538
|
"type": "route-group",
|
|
539
539
|
"domain": "sessions",
|
|
540
540
|
"sourcePath": "src/server/routes.ts",
|
|
541
|
-
"contentHash": "
|
|
541
|
+
"contentHash": "4666744e990aab57550cd8216d9d56e2a1c1a33ed90001f6e96afb20399d0f85",
|
|
542
542
|
"since": "2025-01-01"
|
|
543
543
|
},
|
|
544
544
|
"route-group:jobs": {
|
|
@@ -546,7 +546,7 @@
|
|
|
546
546
|
"type": "route-group",
|
|
547
547
|
"domain": "scheduling",
|
|
548
548
|
"sourcePath": "src/server/routes.ts",
|
|
549
|
-
"contentHash": "
|
|
549
|
+
"contentHash": "4666744e990aab57550cd8216d9d56e2a1c1a33ed90001f6e96afb20399d0f85",
|
|
550
550
|
"since": "2025-01-01"
|
|
551
551
|
},
|
|
552
552
|
"route-group:skip-ledger": {
|
|
@@ -554,7 +554,7 @@
|
|
|
554
554
|
"type": "route-group",
|
|
555
555
|
"domain": "scheduling",
|
|
556
556
|
"sourcePath": "src/server/routes.ts",
|
|
557
|
-
"contentHash": "
|
|
557
|
+
"contentHash": "4666744e990aab57550cd8216d9d56e2a1c1a33ed90001f6e96afb20399d0f85",
|
|
558
558
|
"since": "2025-01-01"
|
|
559
559
|
},
|
|
560
560
|
"route-group:telegram": {
|
|
@@ -562,7 +562,7 @@
|
|
|
562
562
|
"type": "route-group",
|
|
563
563
|
"domain": "communication",
|
|
564
564
|
"sourcePath": "src/server/routes.ts",
|
|
565
|
-
"contentHash": "
|
|
565
|
+
"contentHash": "4666744e990aab57550cd8216d9d56e2a1c1a33ed90001f6e96afb20399d0f85",
|
|
566
566
|
"since": "2025-01-01"
|
|
567
567
|
},
|
|
568
568
|
"route-group:attention": {
|
|
@@ -570,7 +570,7 @@
|
|
|
570
570
|
"type": "route-group",
|
|
571
571
|
"domain": "communication",
|
|
572
572
|
"sourcePath": "src/server/routes.ts",
|
|
573
|
-
"contentHash": "
|
|
573
|
+
"contentHash": "4666744e990aab57550cd8216d9d56e2a1c1a33ed90001f6e96afb20399d0f85",
|
|
574
574
|
"since": "2025-01-01"
|
|
575
575
|
},
|
|
576
576
|
"route-group:relationships": {
|
|
@@ -578,7 +578,7 @@
|
|
|
578
578
|
"type": "route-group",
|
|
579
579
|
"domain": "relationships",
|
|
580
580
|
"sourcePath": "src/server/routes.ts",
|
|
581
|
-
"contentHash": "
|
|
581
|
+
"contentHash": "4666744e990aab57550cd8216d9d56e2a1c1a33ed90001f6e96afb20399d0f85",
|
|
582
582
|
"since": "2025-01-01"
|
|
583
583
|
},
|
|
584
584
|
"route-group:feedback": {
|
|
@@ -586,7 +586,7 @@
|
|
|
586
586
|
"type": "route-group",
|
|
587
587
|
"domain": "feedback",
|
|
588
588
|
"sourcePath": "src/server/routes.ts",
|
|
589
|
-
"contentHash": "
|
|
589
|
+
"contentHash": "4666744e990aab57550cd8216d9d56e2a1c1a33ed90001f6e96afb20399d0f85",
|
|
590
590
|
"since": "2025-01-01"
|
|
591
591
|
},
|
|
592
592
|
"route-group:updates": {
|
|
@@ -594,7 +594,7 @@
|
|
|
594
594
|
"type": "route-group",
|
|
595
595
|
"domain": "updates",
|
|
596
596
|
"sourcePath": "src/server/routes.ts",
|
|
597
|
-
"contentHash": "
|
|
597
|
+
"contentHash": "4666744e990aab57550cd8216d9d56e2a1c1a33ed90001f6e96afb20399d0f85",
|
|
598
598
|
"since": "2025-01-01"
|
|
599
599
|
},
|
|
600
600
|
"route-group:dispatches": {
|
|
@@ -602,7 +602,7 @@
|
|
|
602
602
|
"type": "route-group",
|
|
603
603
|
"domain": "dispatches",
|
|
604
604
|
"sourcePath": "src/server/routes.ts",
|
|
605
|
-
"contentHash": "
|
|
605
|
+
"contentHash": "4666744e990aab57550cd8216d9d56e2a1c1a33ed90001f6e96afb20399d0f85",
|
|
606
606
|
"since": "2025-01-01"
|
|
607
607
|
},
|
|
608
608
|
"route-group:quota": {
|
|
@@ -610,7 +610,7 @@
|
|
|
610
610
|
"type": "route-group",
|
|
611
611
|
"domain": "monitoring",
|
|
612
612
|
"sourcePath": "src/server/routes.ts",
|
|
613
|
-
"contentHash": "
|
|
613
|
+
"contentHash": "4666744e990aab57550cd8216d9d56e2a1c1a33ed90001f6e96afb20399d0f85",
|
|
614
614
|
"since": "2025-01-01"
|
|
615
615
|
},
|
|
616
616
|
"route-group:publishing": {
|
|
@@ -618,7 +618,7 @@
|
|
|
618
618
|
"type": "route-group",
|
|
619
619
|
"domain": "publishing",
|
|
620
620
|
"sourcePath": "src/server/routes.ts",
|
|
621
|
-
"contentHash": "
|
|
621
|
+
"contentHash": "4666744e990aab57550cd8216d9d56e2a1c1a33ed90001f6e96afb20399d0f85",
|
|
622
622
|
"since": "2025-01-01"
|
|
623
623
|
},
|
|
624
624
|
"route-group:private-views": {
|
|
@@ -626,7 +626,7 @@
|
|
|
626
626
|
"type": "route-group",
|
|
627
627
|
"domain": "publishing",
|
|
628
628
|
"sourcePath": "src/server/routes.ts",
|
|
629
|
-
"contentHash": "
|
|
629
|
+
"contentHash": "4666744e990aab57550cd8216d9d56e2a1c1a33ed90001f6e96afb20399d0f85",
|
|
630
630
|
"since": "2025-01-01"
|
|
631
631
|
},
|
|
632
632
|
"route-group:tunnel": {
|
|
@@ -634,7 +634,7 @@
|
|
|
634
634
|
"type": "route-group",
|
|
635
635
|
"domain": "networking",
|
|
636
636
|
"sourcePath": "src/server/routes.ts",
|
|
637
|
-
"contentHash": "
|
|
637
|
+
"contentHash": "4666744e990aab57550cd8216d9d56e2a1c1a33ed90001f6e96afb20399d0f85",
|
|
638
638
|
"since": "2025-01-01"
|
|
639
639
|
},
|
|
640
640
|
"route-group:events": {
|
|
@@ -642,7 +642,7 @@
|
|
|
642
642
|
"type": "route-group",
|
|
643
643
|
"domain": "networking",
|
|
644
644
|
"sourcePath": "src/server/routes.ts",
|
|
645
|
-
"contentHash": "
|
|
645
|
+
"contentHash": "4666744e990aab57550cd8216d9d56e2a1c1a33ed90001f6e96afb20399d0f85",
|
|
646
646
|
"since": "2025-01-01"
|
|
647
647
|
},
|
|
648
648
|
"route-group:evolution": {
|
|
@@ -650,7 +650,7 @@
|
|
|
650
650
|
"type": "route-group",
|
|
651
651
|
"domain": "evolution",
|
|
652
652
|
"sourcePath": "src/server/routes.ts",
|
|
653
|
-
"contentHash": "
|
|
653
|
+
"contentHash": "4666744e990aab57550cd8216d9d56e2a1c1a33ed90001f6e96afb20399d0f85",
|
|
654
654
|
"since": "2025-01-01"
|
|
655
655
|
},
|
|
656
656
|
"route-group:watchdog": {
|
|
@@ -658,7 +658,7 @@
|
|
|
658
658
|
"type": "route-group",
|
|
659
659
|
"domain": "monitoring",
|
|
660
660
|
"sourcePath": "src/server/routes.ts",
|
|
661
|
-
"contentHash": "
|
|
661
|
+
"contentHash": "4666744e990aab57550cd8216d9d56e2a1c1a33ed90001f6e96afb20399d0f85",
|
|
662
662
|
"since": "2025-01-01"
|
|
663
663
|
},
|
|
664
664
|
"route-group:topic-memory": {
|
|
@@ -666,7 +666,7 @@
|
|
|
666
666
|
"type": "route-group",
|
|
667
667
|
"domain": "memory",
|
|
668
668
|
"sourcePath": "src/server/routes.ts",
|
|
669
|
-
"contentHash": "
|
|
669
|
+
"contentHash": "4666744e990aab57550cd8216d9d56e2a1c1a33ed90001f6e96afb20399d0f85",
|
|
670
670
|
"since": "2025-01-01"
|
|
671
671
|
},
|
|
672
672
|
"route-group:state-sync": {
|
|
@@ -674,7 +674,7 @@
|
|
|
674
674
|
"type": "route-group",
|
|
675
675
|
"domain": "coordination",
|
|
676
676
|
"sourcePath": "src/server/routes.ts",
|
|
677
|
-
"contentHash": "
|
|
677
|
+
"contentHash": "4666744e990aab57550cd8216d9d56e2a1c1a33ed90001f6e96afb20399d0f85",
|
|
678
678
|
"since": "2025-01-01"
|
|
679
679
|
},
|
|
680
680
|
"route-group:intent": {
|
|
@@ -682,7 +682,7 @@
|
|
|
682
682
|
"type": "route-group",
|
|
683
683
|
"domain": "intent",
|
|
684
684
|
"sourcePath": "src/server/routes.ts",
|
|
685
|
-
"contentHash": "
|
|
685
|
+
"contentHash": "4666744e990aab57550cd8216d9d56e2a1c1a33ed90001f6e96afb20399d0f85",
|
|
686
686
|
"since": "2025-01-01"
|
|
687
687
|
},
|
|
688
688
|
"route-group:triage": {
|
|
@@ -690,7 +690,7 @@
|
|
|
690
690
|
"type": "route-group",
|
|
691
691
|
"domain": "safety",
|
|
692
692
|
"sourcePath": "src/server/routes.ts",
|
|
693
|
-
"contentHash": "
|
|
693
|
+
"contentHash": "4666744e990aab57550cd8216d9d56e2a1c1a33ed90001f6e96afb20399d0f85",
|
|
694
694
|
"since": "2025-01-01"
|
|
695
695
|
},
|
|
696
696
|
"route-group:operations": {
|
|
@@ -698,7 +698,7 @@
|
|
|
698
698
|
"type": "route-group",
|
|
699
699
|
"domain": "safety",
|
|
700
700
|
"sourcePath": "src/server/routes.ts",
|
|
701
|
-
"contentHash": "
|
|
701
|
+
"contentHash": "4666744e990aab57550cd8216d9d56e2a1c1a33ed90001f6e96afb20399d0f85",
|
|
702
702
|
"since": "2025-01-01"
|
|
703
703
|
},
|
|
704
704
|
"route-group:sentinel": {
|
|
@@ -706,7 +706,7 @@
|
|
|
706
706
|
"type": "route-group",
|
|
707
707
|
"domain": "safety",
|
|
708
708
|
"sourcePath": "src/server/routes.ts",
|
|
709
|
-
"contentHash": "
|
|
709
|
+
"contentHash": "4666744e990aab57550cd8216d9d56e2a1c1a33ed90001f6e96afb20399d0f85",
|
|
710
710
|
"since": "2025-01-01"
|
|
711
711
|
},
|
|
712
712
|
"route-group:trust": {
|
|
@@ -714,7 +714,7 @@
|
|
|
714
714
|
"type": "route-group",
|
|
715
715
|
"domain": "safety",
|
|
716
716
|
"sourcePath": "src/server/routes.ts",
|
|
717
|
-
"contentHash": "
|
|
717
|
+
"contentHash": "4666744e990aab57550cd8216d9d56e2a1c1a33ed90001f6e96afb20399d0f85",
|
|
718
718
|
"since": "2025-01-01"
|
|
719
719
|
},
|
|
720
720
|
"route-group:monitoring": {
|
|
@@ -722,7 +722,7 @@
|
|
|
722
722
|
"type": "route-group",
|
|
723
723
|
"domain": "monitoring",
|
|
724
724
|
"sourcePath": "src/server/routes.ts",
|
|
725
|
-
"contentHash": "
|
|
725
|
+
"contentHash": "4666744e990aab57550cd8216d9d56e2a1c1a33ed90001f6e96afb20399d0f85",
|
|
726
726
|
"since": "2025-01-01"
|
|
727
727
|
},
|
|
728
728
|
"route-group:commitments": {
|
|
@@ -730,7 +730,7 @@
|
|
|
730
730
|
"type": "route-group",
|
|
731
731
|
"domain": "commitments",
|
|
732
732
|
"sourcePath": "src/server/routes.ts",
|
|
733
|
-
"contentHash": "
|
|
733
|
+
"contentHash": "4666744e990aab57550cd8216d9d56e2a1c1a33ed90001f6e96afb20399d0f85",
|
|
734
734
|
"since": "2025-01-01"
|
|
735
735
|
},
|
|
736
736
|
"route-group:episodes": {
|
|
@@ -738,7 +738,7 @@
|
|
|
738
738
|
"type": "route-group",
|
|
739
739
|
"domain": "memory",
|
|
740
740
|
"sourcePath": "src/server/routes.ts",
|
|
741
|
-
"contentHash": "
|
|
741
|
+
"contentHash": "4666744e990aab57550cd8216d9d56e2a1c1a33ed90001f6e96afb20399d0f85",
|
|
742
742
|
"since": "2025-01-01"
|
|
743
743
|
},
|
|
744
744
|
"route-group:messages": {
|
|
@@ -746,7 +746,7 @@
|
|
|
746
746
|
"type": "route-group",
|
|
747
747
|
"domain": "coordination",
|
|
748
748
|
"sourcePath": "src/server/routes.ts",
|
|
749
|
-
"contentHash": "
|
|
749
|
+
"contentHash": "4666744e990aab57550cd8216d9d56e2a1c1a33ed90001f6e96afb20399d0f85",
|
|
750
750
|
"since": "2025-01-01"
|
|
751
751
|
},
|
|
752
752
|
"route-group:system-reviews": {
|
|
@@ -754,7 +754,7 @@
|
|
|
754
754
|
"type": "route-group",
|
|
755
755
|
"domain": "monitoring",
|
|
756
756
|
"sourcePath": "src/server/routes.ts",
|
|
757
|
-
"contentHash": "
|
|
757
|
+
"contentHash": "4666744e990aab57550cd8216d9d56e2a1c1a33ed90001f6e96afb20399d0f85",
|
|
758
758
|
"since": "2025-01-01"
|
|
759
759
|
},
|
|
760
760
|
"route-group:machine-mesh": {
|
|
@@ -770,7 +770,7 @@
|
|
|
770
770
|
"type": "route-group",
|
|
771
771
|
"domain": "security",
|
|
772
772
|
"sourcePath": "src/server/routes.ts",
|
|
773
|
-
"contentHash": "
|
|
773
|
+
"contentHash": "4666744e990aab57550cd8216d9d56e2a1c1a33ed90001f6e96afb20399d0f85",
|
|
774
774
|
"since": "2025-01-01"
|
|
775
775
|
},
|
|
776
776
|
"cli:init": {
|
|
@@ -0,0 +1,28 @@
|
|
|
1
|
+
# Upgrade Guide — vNEXT
|
|
2
|
+
|
|
3
|
+
<!-- assembled-by: assemble-next-md -->
|
|
4
|
+
<!-- bump: patch -->
|
|
5
|
+
|
|
6
|
+
## What Changed
|
|
7
|
+
|
|
8
|
+
WS5.2 Account Follow-Me, R12 — the honest revocation data-plane. Revoking "stop following to machine X" is a PIN-gated mandate revoke (control plane — the agent cannot do it) PLUS a real data-plane effect. This PR builds that data-plane effect as a pure, injectable executor (`src/core/AccountFollowMeRevocation.ts`) covering the three R12 branches honestly:
|
|
9
|
+
|
|
10
|
+
- **Cooperative, online target → `removed`.** The target logs the account out of its config-home, deletes the per-account slot, and `SubscriptionPool.remove(accountId)` fires. Local and total.
|
|
11
|
+
- **De-paired / hostile holder → `provider-rotation-required`.** A re-minted (Mechanism B) login is an independently-refreshable real OAuth credential; instar CANNOT force a logout on a machine that left the pair. The honest path is a phone-first instruction to de-authorize / rotate at the provider — never a false "removed everywhere".
|
|
12
|
+
- **Offline target → bounded `revocation-pending` → `revocation-failed`.** The wipe becomes a durable pending action fired on reconnect (`onTargetReconnect`). The dashboard shows `revocation-pending`, not `removed`. After an operator-tunable reconnect-deadline, `sweepDeadlines()` escalates it to a LOUD `revocation-FAILED — rotate at provider NOW` aggregated HIGH attention item — never a silently-aging "pending".
|
|
13
|
+
|
|
14
|
+
Fail-closed throughout: a partial or throwing cooperative wipe falls to `revocation-pending` (never a false `removed`); Mechanism A (dark / refused for Anthropic) always flags `provider-rotation-required` because a delivered credential cannot be un-delivered; flag-off / single-machine is a strict no-op. The module is pure/injectable — it touches no shared production file (the destructive effects — framework logout, slot delete, `SubscriptionPool.remove`) are injected seams.
|
|
15
|
+
|
|
16
|
+
## What to Tell Your User
|
|
17
|
+
|
|
18
|
+
Nothing to do — this is internal multi-machine account-sharing groundwork, shipped off by default. It guarantees that when you stop sharing an account with one of your machines, the system tells you the TRUTH about what was removed: it never claims a credential was destroyed everywhere when a departed or offline machine still holds its own login — in that case it surfaces a clear "rotate at the provider" instruction instead. No user-facing surface in this release.
|
|
19
|
+
|
|
20
|
+
## Summary of New Capabilities
|
|
21
|
+
|
|
22
|
+
Internal: an honest revocation data-plane for Account Follow-Me — cooperative-target total wipe, provider-rotation instruction for a de-paired/hostile holder, and a bounded offline `revocation-pending → revocation-FAILED` escalation. The system can never claim a credential was destroyed when it wasn't. Dark behind `multiMachine.accountFollowMe`; server-shell wiring (consuming the mesh revoke, scheduling the deadline sweep, dashboard render) is a tracked follow-on increment.
|
|
23
|
+
|
|
24
|
+
## Evidence
|
|
25
|
+
|
|
26
|
+
- 15 unit tests (`tests/unit/account-followme-revocation.test.ts`): both sides of every boundary — cooperative-online↔revoked↔offline, within-deadline↔past-deadline, clean↔partial↔throwing wipe, Mechanism B↔A, dark↔enabled, reconnect-with-record↔no-record, selective multi-record sweep; an explicit assertion that the message never contains "removed" on non-removed paths. `npx tsc --noEmit` clean.
|
|
27
|
+
- Side-effects review + mandatory independent second-pass security review (concurred): verified `removed` is reachable only after a fully-successful cooperative wipe, all three branches selected without fall-through, the offline give-up is bounded and loud, Mechanism A never claims success without provider-rotation, signal-vs-authority compliant (data-plane executor, not a new blocking authority), injected seams only. Artifact: `upgrades/side-effects/ws52-account-follow-me-revocation.md`.
|
|
28
|
+
- Spec: `docs/specs/ws52-account-follow-me-security.md` R12 (converged, approved).
|
|
@@ -0,0 +1,22 @@
|
|
|
1
|
+
# Upgrade Guide — vNEXT
|
|
2
|
+
|
|
3
|
+
<!-- assembled-by: assemble-next-md -->
|
|
4
|
+
<!-- bump: patch -->
|
|
5
|
+
|
|
6
|
+
## What Changed
|
|
7
|
+
|
|
8
|
+
WS5.2 Account Follow-Me, R6/R6a(option 2)/S7 — the enroll-drive **START** route, the keystone that makes a cross-machine enrollment actually run after the operator approves it. New dark route `POST /subscription-pool/follow-me/enroll/start`: given an operator-issued `account-follow-me` mandate, it verifies the mandate (deny-by-default — non-allow → 403, the agent can never self-authorize), resolves the operator-APPROVED account email AUTHORITATIVELY from real pool state (local SubscriptionPool + the replicated `subscription-account-meta` peer views — NEVER the request body, per S7; unresolvable → 409 fail-closed), allocates a per-account config-home slot on this machine, and drives the local `EnrollmentWizard.start({…, expectedEmail})` to mint the device-code login. The existing `/complete` route then validates the minted login's email against `expectedEmail` before the account is added. This closes the gap between consent (the scan) and completion (the S7 gate) — the full Mechanism-B flow now runs end-to-end (per-server: the operator drives the target machine's own enroll route; nothing but read-only email metadata crosses machines).
|
|
9
|
+
|
|
10
|
+
## What to Tell Your User
|
|
11
|
+
|
|
12
|
+
This is the piece that makes "log in once, it works on every machine" actually run end-to-end (still off by default). When you approve a machine to use one of your accounts (a one-tap dashboard approval), that machine now starts its OWN login for it, and I verify the login that completes is really the account you approved before it's used — no token is ever copied between machines. With this in, the cross-machine enrollment works start-to-finish behind the flag.
|
|
13
|
+
|
|
14
|
+
## Summary of New Capabilities
|
|
15
|
+
|
|
16
|
+
The enroll-drive START route (dark): an operator-mandate-gated, per-server route that drives a target machine's own `EnrollmentWizard` with the authoritatively-resolved approved email, completing the WS5.2 Mechanism-B flow (consent → start → email-validated completion → selectable). No user-facing surface is live in this release.
|
|
17
|
+
|
|
18
|
+
## Evidence
|
|
19
|
+
|
|
20
|
+
- 11 tests: 6 unit (`resolveFollowMeEnrollTarget` — local-pool resolve, peer-view resolve, local-preferred, and all three fail-closed branches: unknown account, no email, blank email) + 5 Tier-2 integration over the REAL route pipeline (dark→503, denied/no-mandate→403 with zero pending logins, valid+resolvable→201 with a pending login carrying `expectedEmail` and the correct per-account slot, unresolvable email→409 fail-closed, missing fields→400). `tsc --noEmit` clean.
|
|
21
|
+
- Side-effects review + mandatory independent second-pass security review (concurred): verified deny-by-default authorization, `expectedEmail` is authoritative (never from the body), agentFp fails closed (a wrong fp denies, never accidentally allows), config-home path-traversal-safe, fail-closed exhaustiveness, and no regression to normal enrollment.
|
|
22
|
+
- Spec: `docs/specs/ws52-account-follow-me-security.md` R1/R6/R6a/S7 (converged, approved).
|
|
@@ -0,0 +1,65 @@
|
|
|
1
|
+
# Side-Effects Review — WS5.2 Account Follow-Me enroll-drive START route
|
|
2
|
+
|
|
3
|
+
**Version / slug:** `ws52-account-follow-me-enroll-start`
|
|
4
|
+
**Date:** `2026-06-17`
|
|
5
|
+
**Author:** `Echo (instar-dev agent)`
|
|
6
|
+
**Second-pass reviewer:** `pending (high-risk: mandate authorization + credential enrollment + the live-proof keystone)`
|
|
7
|
+
|
|
8
|
+
## Summary of the change
|
|
9
|
+
|
|
10
|
+
WS5.2 R6/R6a(option 2)/S7. The keystone that makes the cross-machine enrollment actually run: a new dark route `POST /subscription-pool/follow-me/enroll/start` (per-server — the operator drives the TARGET machine's own enroll route). Given an operator-issued `account-follow-me` mandate, it (1) verifies the mandate via `ctx.coordination.gate.evaluate({action:'account-follow-me', params:{accountId, targetMachineId, mechanism:'re-mint'}, agentFp, mandateId})` — deny-by-default, non-allow → 403; (2) resolves the operator-APPROVED account email AUTHORITATIVELY (local SubscriptionPool then the replicated `subscription-account-meta` peer views — NEVER the request body, per S7) via the new pure helper `resolveFollowMeEnrollTarget`, unresolvable → 409 fail-closed; (3) allocates a per-account configHome slot on this machine; (4) calls `EnrollmentWizard.start({..., expectedEmail})` returning the device-code/URL. The EXISTING `/complete` route then finishes via `completeFollowMe` (validates the minted login's email == expectedEmail before adding). Files: `src/server/routes.ts` (route + a `resolveAgentFingerprint` helper), `src/core/resolveFollowMeEnrollTarget.ts` (new pure helper), + 2 test files. Dark behind `multiMachine.accountFollowMe`.
|
|
11
|
+
|
|
12
|
+
## Decision-point inventory
|
|
13
|
+
|
|
14
|
+
- `POST /subscription-pool/follow-me/enroll/start` mandate check — **add** — the authorization decision: a follow-me enrollment STARTS only under a valid operator `account-follow-me` mandate for this exact (account, this machine, mechanism). Deny-by-default.
|
|
15
|
+
- `resolveFollowMeEnrollTarget` — **add** — the S7 decision input: `expectedEmail` is the authoritatively-resolved approved email, never self-asserted; unresolvable → refuse.
|
|
16
|
+
|
|
17
|
+
---
|
|
18
|
+
|
|
19
|
+
## 1. Over-block
|
|
20
|
+
|
|
21
|
+
A legitimate enrollment whose account email is not yet known on this machine (the replicated `subscription-account-meta` hasn't arrived, or the peer holding it is offline) is refused with 409. This is deliberate fail-closed (S7: never start an enrollment without the approved email to validate against). The operator retries once the account metadata has replicated (the scan that produced the consent already proves the email is known mesh-wide, so in the real flow the email is present). No legitimate "start without a known approved email" case exists.
|
|
22
|
+
|
|
23
|
+
## 2. Under-block
|
|
24
|
+
|
|
25
|
+
The route authorizes the START; the actual credential admission is gated downstream by S7 at `/complete` (the minted email must match expectedEmail) and by §6.2 (`isLocallyExecutable`) at selection. This route does not itself verify the device-code login outcome — by design, the completion gate owns that. It also trusts the mandate gate's verdict (the mandate is the authorizer); a mis-issued mandate is the operator's PIN-gated responsibility, not this route's. agentFp resolution that fails (returns a fallback) makes the mandate evaluate DENY (the mandate is party-bound) — safe direction, never an accidental allow.
|
|
26
|
+
|
|
27
|
+
## 3. Level-of-abstraction fit
|
|
28
|
+
|
|
29
|
+
Correct layer (R6a option 2): the START runs ON the target machine's own server, driven by the operator from that machine's dashboard after they issue the mandate locally — so the device-code is minted on the machine that will hold the credential and never transits. The mandate check reuses the existing `ctx.coordination.gate` (no new authorization primitive). The email resolution reuses the same authoritative source the scan uses (local pool + replicated meta peer views), extracted into a pure, testable helper rather than re-implemented inline.
|
|
30
|
+
|
|
31
|
+
## 4. Signal vs authority compliance
|
|
32
|
+
|
|
33
|
+
This route holds genuine authority (it starts a credential enrollment), exercised through the EXISTING deny-by-default MandateGate — not a new brittle check. The authorization is the mandate (PIN-gated, operator-issued); the route is a consumer of that authority, never a self-grant (requester≠authorizer preserved — the agent cannot issue the mandate). Every uncertain path fails closed (no/denied mandate → 403; unresolvable email → 409). Reference `docs/signal-vs-authority.md`: authority delegated from the operator mandate, deny-by-default, is correctly-placed authority.
|
|
34
|
+
|
|
35
|
+
## 5. Interactions
|
|
36
|
+
|
|
37
|
+
Pairs with the existing scan (detection→consent), the S7 `/complete` gate, and §6.2 selection — this route is the missing START link between consent and completion. It does NOT touch the generic `/subscription-pool/enroll` route (normal enrollment unchanged). The configHome slot is per-account (`.claude-followme-<accountId>`), isolated from other accounts. The pending login it issues carries `expectedEmail`, which `completeFollowMe` reads — the two routes compose without shared mutable state beyond the PendingLoginStore (single-flow-per-id discipline). No double-fire (one pending login per start; the wizard's id discipline applies).
|
|
38
|
+
|
|
39
|
+
## 6. External surfaces
|
|
40
|
+
|
|
41
|
+
One new HTTP route, dark behind `multiMachine.accountFollowMe` (503 when off — proven by the integration test). It returns a device-code/verificationUrl (already public per the EnrollmentWizard contract). No new config. It is the per-server enroll path (R6a option 2) and does not reach across the mesh itself (the operator drives it on the target's own dashboard).
|
|
42
|
+
|
|
43
|
+
## 7. Multi-machine posture (Cross-Machine Coherence)
|
|
44
|
+
|
|
45
|
+
**Machine-local execution BY DESIGN, fed by replicated read-only metadata.** The enrollment runs on the TARGET machine (the one gaining the login); `targetMachineId` is this machine (`ctx.meshSelfId`). The only cross-machine input is the READ-ONLY `subscription-account-meta` projection (the approved email), consumed via the existing peer-views fetch — no credential or configHome crosses. The mandate is verified locally against `ctx.coordination.gate`. This is the intended Mechanism-B posture: each machine mints its own login locally; nothing is replicated except the email metadata used to validate identity.
|
|
46
|
+
|
|
47
|
+
## 8. Rollback cost
|
|
48
|
+
|
|
49
|
+
Low. The route is dark by default (no agent runs it until `multiMachine.accountFollowMe` is enabled). No persisted schema change (the configHome slot is created only on a real enrollment; PendingLogin already carries `expectedEmail` from S7). Revert is a single-commit back-out of the route + helper; no migration, no state repair.
|
|
50
|
+
|
|
51
|
+
---
|
|
52
|
+
|
|
53
|
+
## Second-pass review
|
|
54
|
+
|
|
55
|
+
**Concur with the review.** Independent audit of the full route (`routes.ts:20886-20947`), `resolveAgentFingerprint`, the pure resolver, `MandateGate.evaluate` (`:85-135`), `EnrollmentWizard.start`/`completeFollowMe`, and both test files. tsc EXIT=0; 11/11 pass.
|
|
56
|
+
|
|
57
|
+
1. **Deny-by-default** — missing ids → 400; gate called with the exact action/params/mandateId; `verdict.decision !== 'allow'` → 403 (correctly not `=== 'deny'`). No path starts without allow. Route never issues/widens a mandate (requester≠authorizer).
|
|
58
|
+
2. **expectedEmail authoritative (S7)** — resolver reads only `localAccounts` + `peerViews`, never `req.body` (route destructures only `mandateId`/`accountId`); blank/missing → 409 fail-closed, `start` not called. Chain holds: `start` persists expectedEmail, `completeFollowMe` validates it.
|
|
59
|
+
3. **agentFp (critical)** — fails closed: a wrong/fallback fp is not a named mandate party → MandateGate step 5 denies. A wrong fp can never produce allow.
|
|
60
|
+
4. **configHome isolation** — `accountId.replace(/[^a-z0-9-]/gi,'-')`; `../../etc` → `------etc`, no traversal; per-account slot.
|
|
61
|
+
5. **No regression** — routes.ts diff +93/-0 purely additive; generic `/enroll` + `/complete` untouched.
|
|
62
|
+
6. **Fail-closed exhaustiveness** — dark→503, missing deps→503, bad body→400, non-allow→403, unresolvable email→409, start throws→500. None start a bogus enrollment.
|
|
63
|
+
7. **Test adequacy** — dark→503, denied/no-mandate→403 (zero pending logins), valid→201 (pending carries expectedEmail + correct slot), unresolvable→409, 400; unit covers resolved + all fail-closed branches.
|
|
64
|
+
|
|
65
|
+
Minor note (not a defect): the integration test stubs `gate.evaluate` (exercises route branching, not real party-binding — that guarantee rests on MandateGate, verified directly).
|