instar 1.3.614 → 1.3.615

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (30) hide show
  1. package/dist/commands/server.d.ts.map +1 -1
  2. package/dist/commands/server.js +58 -1
  3. package/dist/commands/server.js.map +1 -1
  4. package/dist/config/ConfigDefaults.d.ts.map +1 -1
  5. package/dist/config/ConfigDefaults.js +4 -0
  6. package/dist/config/ConfigDefaults.js.map +1 -1
  7. package/dist/core/AccountFollowMeRevocationStore.d.ts +34 -0
  8. package/dist/core/AccountFollowMeRevocationStore.d.ts.map +1 -0
  9. package/dist/core/AccountFollowMeRevocationStore.js +76 -0
  10. package/dist/core/AccountFollowMeRevocationStore.js.map +1 -0
  11. package/dist/core/PostUpdateMigrator.d.ts +9 -0
  12. package/dist/core/PostUpdateMigrator.d.ts.map +1 -1
  13. package/dist/core/PostUpdateMigrator.js +30 -0
  14. package/dist/core/PostUpdateMigrator.js.map +1 -1
  15. package/dist/core/accountFollowMeCooperativeWipe.d.ts +66 -0
  16. package/dist/core/accountFollowMeCooperativeWipe.d.ts.map +1 -0
  17. package/dist/core/accountFollowMeCooperativeWipe.js +179 -0
  18. package/dist/core/accountFollowMeCooperativeWipe.js.map +1 -0
  19. package/dist/server/AgentServer.d.ts +1 -0
  20. package/dist/server/AgentServer.d.ts.map +1 -1
  21. package/dist/server/AgentServer.js +1 -0
  22. package/dist/server/AgentServer.js.map +1 -1
  23. package/dist/server/routes.d.ts +6 -0
  24. package/dist/server/routes.d.ts.map +1 -1
  25. package/dist/server/routes.js +42 -1
  26. package/dist/server/routes.js.map +1 -1
  27. package/package.json +1 -1
  28. package/src/data/builtin-manifest.json +64 -64
  29. package/upgrades/1.3.615.md +35 -0
  30. package/upgrades/side-effects/ws52-account-follow-me-revocation-wiring.md +104 -0
@@ -6515,7 +6515,48 @@ export function createRoutes(ctx) {
6515
6515
  res.status(404).json({ error: `mandate "${req.params.id}" not found` });
6516
6516
  return;
6517
6517
  }
6518
- res.json({ revoked: true, mandate: m });
6518
+ // WS5.2 R12 Account Follow-Me revocation data-plane trigger (PER-SERVER model, OQ6). The
6519
+ // control-plane revoke above already fired (every subsequent MandateGate.evaluate denies). If
6520
+ // the revoked mandate carried an `account-follow-me` authority, run THIS machine's OWN local
6521
+ // data-plane wipe (the operator revoked on the target's OWN dashboard ⇒ the target IS this
6522
+ // machine ⇒ cooperative-online posture). Non-account-follow-me mandates are completely
6523
+ // unaffected. Strict no-op when the executor is unwired OR the feature gate resolves dark
6524
+ // (revoke() returns feature-disabled and runs nothing). Surfaces the honest data-plane outcome
6525
+ // on the response so the operator/dashboard never sees a false "removed".
6526
+ let accountFollowMeRevocation;
6527
+ try {
6528
+ const followMeAuthority = (m.authorities ?? []).find((a) => a.action === 'account-follow-me');
6529
+ if (followMeAuthority && ctx.accountFollowMeRevocation) {
6530
+ const bounds = (followMeAuthority.bounds ?? {});
6531
+ const accountId = typeof bounds.accountId === 'string' ? bounds.accountId : '';
6532
+ const targetMachineId = typeof bounds.targetMachineId === 'string' ? bounds.targetMachineId : '';
6533
+ const mechanism = bounds.mechanism === 'credential-transport' ? 'credential-transport' : 're-mint';
6534
+ if (accountId && targetMachineId) {
6535
+ const acct = ctx.subscriptionPool?.get(accountId) ?? null;
6536
+ accountFollowMeRevocation = ctx.accountFollowMeRevocation.revoke({
6537
+ accountId,
6538
+ accountEmail: acct?.email ?? accountId,
6539
+ targetMachineId,
6540
+ targetMachineNickname: typeof bounds.targetMachineNickname === 'string' ? bounds.targetMachineNickname : targetMachineId,
6541
+ provider: acct?.provider ?? (typeof bounds.provider === 'string' ? bounds.provider : 'the provider'),
6542
+ mandateId: m.id,
6543
+ mechanism,
6544
+ },
6545
+ // PER-SERVER: the operator revoked on the target's own dashboard ⇒ target is online &
6546
+ // cooperative (this very machine). The local wipe runs; an offline/de-paired posture is
6547
+ // only reachable on the cross-machine path, which the per-server model does not use.
6548
+ 'cooperative-online');
6549
+ }
6550
+ }
6551
+ }
6552
+ catch {
6553
+ // @silent-fallback-ok: the data-plane effect must never break the control-plane revoke (which
6554
+ // already succeeded). A wipe error is surfaced honestly INSIDE the executor (fail-closed to
6555
+ // pending) for the normal path; this catch is the last-resort backstop so the route always
6556
+ // returns the successful revoke.
6557
+ accountFollowMeRevocation = undefined;
6558
+ }
6559
+ res.json({ revoked: true, mandate: m, ...(accountFollowMeRevocation ? { accountFollowMeRevocation } : {}) });
6519
6560
  });
6520
6561
  // Add user→agent authority grant(s) to a mandate — PIN-GATED (the same human-
6521
6562
  // authenticated surface as issuance; an agent's Bearer token cannot mint a grant).