instar 1.3.614 → 1.3.615
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/commands/server.d.ts.map +1 -1
- package/dist/commands/server.js +58 -1
- package/dist/commands/server.js.map +1 -1
- package/dist/config/ConfigDefaults.d.ts.map +1 -1
- package/dist/config/ConfigDefaults.js +4 -0
- package/dist/config/ConfigDefaults.js.map +1 -1
- package/dist/core/AccountFollowMeRevocationStore.d.ts +34 -0
- package/dist/core/AccountFollowMeRevocationStore.d.ts.map +1 -0
- package/dist/core/AccountFollowMeRevocationStore.js +76 -0
- package/dist/core/AccountFollowMeRevocationStore.js.map +1 -0
- package/dist/core/PostUpdateMigrator.d.ts +9 -0
- package/dist/core/PostUpdateMigrator.d.ts.map +1 -1
- package/dist/core/PostUpdateMigrator.js +30 -0
- package/dist/core/PostUpdateMigrator.js.map +1 -1
- package/dist/core/accountFollowMeCooperativeWipe.d.ts +66 -0
- package/dist/core/accountFollowMeCooperativeWipe.d.ts.map +1 -0
- package/dist/core/accountFollowMeCooperativeWipe.js +179 -0
- package/dist/core/accountFollowMeCooperativeWipe.js.map +1 -0
- package/dist/server/AgentServer.d.ts +1 -0
- package/dist/server/AgentServer.d.ts.map +1 -1
- package/dist/server/AgentServer.js +1 -0
- package/dist/server/AgentServer.js.map +1 -1
- package/dist/server/routes.d.ts +6 -0
- package/dist/server/routes.d.ts.map +1 -1
- package/dist/server/routes.js +42 -1
- package/dist/server/routes.js.map +1 -1
- package/package.json +1 -1
- package/src/data/builtin-manifest.json +64 -64
- package/upgrades/1.3.615.md +35 -0
- package/upgrades/side-effects/ws52-account-follow-me-revocation-wiring.md +104 -0
package/dist/server/routes.js
CHANGED
|
@@ -6515,7 +6515,48 @@ export function createRoutes(ctx) {
|
|
|
6515
6515
|
res.status(404).json({ error: `mandate "${req.params.id}" not found` });
|
|
6516
6516
|
return;
|
|
6517
6517
|
}
|
|
6518
|
-
|
|
6518
|
+
// WS5.2 R12 — Account Follow-Me revocation data-plane trigger (PER-SERVER model, OQ6). The
|
|
6519
|
+
// control-plane revoke above already fired (every subsequent MandateGate.evaluate denies). If
|
|
6520
|
+
// the revoked mandate carried an `account-follow-me` authority, run THIS machine's OWN local
|
|
6521
|
+
// data-plane wipe (the operator revoked on the target's OWN dashboard ⇒ the target IS this
|
|
6522
|
+
// machine ⇒ cooperative-online posture). Non-account-follow-me mandates are completely
|
|
6523
|
+
// unaffected. Strict no-op when the executor is unwired OR the feature gate resolves dark
|
|
6524
|
+
// (revoke() returns feature-disabled and runs nothing). Surfaces the honest data-plane outcome
|
|
6525
|
+
// on the response so the operator/dashboard never sees a false "removed".
|
|
6526
|
+
let accountFollowMeRevocation;
|
|
6527
|
+
try {
|
|
6528
|
+
const followMeAuthority = (m.authorities ?? []).find((a) => a.action === 'account-follow-me');
|
|
6529
|
+
if (followMeAuthority && ctx.accountFollowMeRevocation) {
|
|
6530
|
+
const bounds = (followMeAuthority.bounds ?? {});
|
|
6531
|
+
const accountId = typeof bounds.accountId === 'string' ? bounds.accountId : '';
|
|
6532
|
+
const targetMachineId = typeof bounds.targetMachineId === 'string' ? bounds.targetMachineId : '';
|
|
6533
|
+
const mechanism = bounds.mechanism === 'credential-transport' ? 'credential-transport' : 're-mint';
|
|
6534
|
+
if (accountId && targetMachineId) {
|
|
6535
|
+
const acct = ctx.subscriptionPool?.get(accountId) ?? null;
|
|
6536
|
+
accountFollowMeRevocation = ctx.accountFollowMeRevocation.revoke({
|
|
6537
|
+
accountId,
|
|
6538
|
+
accountEmail: acct?.email ?? accountId,
|
|
6539
|
+
targetMachineId,
|
|
6540
|
+
targetMachineNickname: typeof bounds.targetMachineNickname === 'string' ? bounds.targetMachineNickname : targetMachineId,
|
|
6541
|
+
provider: acct?.provider ?? (typeof bounds.provider === 'string' ? bounds.provider : 'the provider'),
|
|
6542
|
+
mandateId: m.id,
|
|
6543
|
+
mechanism,
|
|
6544
|
+
},
|
|
6545
|
+
// PER-SERVER: the operator revoked on the target's own dashboard ⇒ target is online &
|
|
6546
|
+
// cooperative (this very machine). The local wipe runs; an offline/de-paired posture is
|
|
6547
|
+
// only reachable on the cross-machine path, which the per-server model does not use.
|
|
6548
|
+
'cooperative-online');
|
|
6549
|
+
}
|
|
6550
|
+
}
|
|
6551
|
+
}
|
|
6552
|
+
catch {
|
|
6553
|
+
// @silent-fallback-ok: the data-plane effect must never break the control-plane revoke (which
|
|
6554
|
+
// already succeeded). A wipe error is surfaced honestly INSIDE the executor (fail-closed to
|
|
6555
|
+
// pending) for the normal path; this catch is the last-resort backstop so the route always
|
|
6556
|
+
// returns the successful revoke.
|
|
6557
|
+
accountFollowMeRevocation = undefined;
|
|
6558
|
+
}
|
|
6559
|
+
res.json({ revoked: true, mandate: m, ...(accountFollowMeRevocation ? { accountFollowMeRevocation } : {}) });
|
|
6519
6560
|
});
|
|
6520
6561
|
// Add user→agent authority grant(s) to a mandate — PIN-GATED (the same human-
|
|
6521
6562
|
// authenticated surface as issuance; an agent's Bearer token cannot mint a grant).
|