instar 1.3.619 → 1.3.620

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "instar",
3
- "version": "1.3.619",
3
+ "version": "1.3.620",
4
4
  "description": "Coherence infrastructure for self-evolving AI agents — on the Claude Code or Codex subscription you already have.",
5
5
  "type": "module",
6
6
  "main": "dist/index.js",
@@ -1,8 +1,8 @@
1
1
  {
2
2
  "$schema": "./builtin-manifest.schema.json",
3
3
  "schemaVersion": 1,
4
- "generatedAt": "2026-06-18T02:58:23.805Z",
5
- "instarVersion": "1.3.619",
4
+ "generatedAt": "2026-06-18T04:21:02.177Z",
5
+ "instarVersion": "1.3.620",
6
6
  "entryCount": 201,
7
7
  "entries": {
8
8
  "hook:session-start": {
@@ -418,7 +418,7 @@
418
418
  "type": "route-group",
419
419
  "domain": "monitoring",
420
420
  "sourcePath": "src/server/routes.ts",
421
- "contentHash": "8a6b6b22d35c2b9a2e19ad98e71d1403302971274b3d66c911953215672a1f20",
421
+ "contentHash": "ed6959d356dbd711b482bd419caac9ee35407454b547fe9d26e3b6d00a4bbcd4",
422
422
  "since": "2025-01-01"
423
423
  },
424
424
  "route-group:agents": {
@@ -426,7 +426,7 @@
426
426
  "type": "route-group",
427
427
  "domain": "sessions",
428
428
  "sourcePath": "src/server/routes.ts",
429
- "contentHash": "8a6b6b22d35c2b9a2e19ad98e71d1403302971274b3d66c911953215672a1f20",
429
+ "contentHash": "ed6959d356dbd711b482bd419caac9ee35407454b547fe9d26e3b6d00a4bbcd4",
430
430
  "since": "2025-01-01"
431
431
  },
432
432
  "route-group:backups": {
@@ -434,7 +434,7 @@
434
434
  "type": "route-group",
435
435
  "domain": "operations",
436
436
  "sourcePath": "src/server/routes.ts",
437
- "contentHash": "8a6b6b22d35c2b9a2e19ad98e71d1403302971274b3d66c911953215672a1f20",
437
+ "contentHash": "ed6959d356dbd711b482bd419caac9ee35407454b547fe9d26e3b6d00a4bbcd4",
438
438
  "since": "2025-01-01"
439
439
  },
440
440
  "route-group:git": {
@@ -442,7 +442,7 @@
442
442
  "type": "route-group",
443
443
  "domain": "coordination",
444
444
  "sourcePath": "src/server/routes.ts",
445
- "contentHash": "8a6b6b22d35c2b9a2e19ad98e71d1403302971274b3d66c911953215672a1f20",
445
+ "contentHash": "ed6959d356dbd711b482bd419caac9ee35407454b547fe9d26e3b6d00a4bbcd4",
446
446
  "since": "2025-01-01"
447
447
  },
448
448
  "route-group:memory": {
@@ -450,7 +450,7 @@
450
450
  "type": "route-group",
451
451
  "domain": "memory",
452
452
  "sourcePath": "src/server/routes.ts",
453
- "contentHash": "8a6b6b22d35c2b9a2e19ad98e71d1403302971274b3d66c911953215672a1f20",
453
+ "contentHash": "ed6959d356dbd711b482bd419caac9ee35407454b547fe9d26e3b6d00a4bbcd4",
454
454
  "since": "2025-01-01"
455
455
  },
456
456
  "route-group:semantic": {
@@ -458,7 +458,7 @@
458
458
  "type": "route-group",
459
459
  "domain": "memory",
460
460
  "sourcePath": "src/server/routes.ts",
461
- "contentHash": "8a6b6b22d35c2b9a2e19ad98e71d1403302971274b3d66c911953215672a1f20",
461
+ "contentHash": "ed6959d356dbd711b482bd419caac9ee35407454b547fe9d26e3b6d00a4bbcd4",
462
462
  "since": "2025-01-01"
463
463
  },
464
464
  "route-group:status": {
@@ -466,7 +466,7 @@
466
466
  "type": "route-group",
467
467
  "domain": "monitoring",
468
468
  "sourcePath": "src/server/routes.ts",
469
- "contentHash": "8a6b6b22d35c2b9a2e19ad98e71d1403302971274b3d66c911953215672a1f20",
469
+ "contentHash": "ed6959d356dbd711b482bd419caac9ee35407454b547fe9d26e3b6d00a4bbcd4",
470
470
  "since": "2025-01-01"
471
471
  },
472
472
  "route-group:capabilities": {
@@ -474,7 +474,7 @@
474
474
  "type": "route-group",
475
475
  "domain": "mapping",
476
476
  "sourcePath": "src/server/routes.ts",
477
- "contentHash": "8a6b6b22d35c2b9a2e19ad98e71d1403302971274b3d66c911953215672a1f20",
477
+ "contentHash": "ed6959d356dbd711b482bd419caac9ee35407454b547fe9d26e3b6d00a4bbcd4",
478
478
  "since": "2025-01-01"
479
479
  },
480
480
  "route-group:project-map": {
@@ -482,7 +482,7 @@
482
482
  "type": "route-group",
483
483
  "domain": "mapping",
484
484
  "sourcePath": "src/server/routes.ts",
485
- "contentHash": "8a6b6b22d35c2b9a2e19ad98e71d1403302971274b3d66c911953215672a1f20",
485
+ "contentHash": "ed6959d356dbd711b482bd419caac9ee35407454b547fe9d26e3b6d00a4bbcd4",
486
486
  "since": "2025-01-01"
487
487
  },
488
488
  "route-group:coherence": {
@@ -490,7 +490,7 @@
490
490
  "type": "route-group",
491
491
  "domain": "coherence",
492
492
  "sourcePath": "src/server/routes.ts",
493
- "contentHash": "8a6b6b22d35c2b9a2e19ad98e71d1403302971274b3d66c911953215672a1f20",
493
+ "contentHash": "ed6959d356dbd711b482bd419caac9ee35407454b547fe9d26e3b6d00a4bbcd4",
494
494
  "since": "2025-01-01"
495
495
  },
496
496
  "route-group:topic-bindings": {
@@ -498,7 +498,7 @@
498
498
  "type": "route-group",
499
499
  "domain": "sessions",
500
500
  "sourcePath": "src/server/routes.ts",
501
- "contentHash": "8a6b6b22d35c2b9a2e19ad98e71d1403302971274b3d66c911953215672a1f20",
501
+ "contentHash": "ed6959d356dbd711b482bd419caac9ee35407454b547fe9d26e3b6d00a4bbcd4",
502
502
  "since": "2025-01-01"
503
503
  },
504
504
  "route-group:context": {
@@ -506,7 +506,7 @@
506
506
  "type": "route-group",
507
507
  "domain": "context",
508
508
  "sourcePath": "src/server/routes.ts",
509
- "contentHash": "8a6b6b22d35c2b9a2e19ad98e71d1403302971274b3d66c911953215672a1f20",
509
+ "contentHash": "ed6959d356dbd711b482bd419caac9ee35407454b547fe9d26e3b6d00a4bbcd4",
510
510
  "since": "2025-01-01"
511
511
  },
512
512
  "route-group:scope-coherence": {
@@ -514,7 +514,7 @@
514
514
  "type": "route-group",
515
515
  "domain": "coherence",
516
516
  "sourcePath": "src/server/routes.ts",
517
- "contentHash": "8a6b6b22d35c2b9a2e19ad98e71d1403302971274b3d66c911953215672a1f20",
517
+ "contentHash": "ed6959d356dbd711b482bd419caac9ee35407454b547fe9d26e3b6d00a4bbcd4",
518
518
  "since": "2025-01-01"
519
519
  },
520
520
  "route-group:canonical-state": {
@@ -522,7 +522,7 @@
522
522
  "type": "route-group",
523
523
  "domain": "state",
524
524
  "sourcePath": "src/server/routes.ts",
525
- "contentHash": "8a6b6b22d35c2b9a2e19ad98e71d1403302971274b3d66c911953215672a1f20",
525
+ "contentHash": "ed6959d356dbd711b482bd419caac9ee35407454b547fe9d26e3b6d00a4bbcd4",
526
526
  "since": "2025-01-01"
527
527
  },
528
528
  "route-group:ci": {
@@ -530,7 +530,7 @@
530
530
  "type": "route-group",
531
531
  "domain": "monitoring",
532
532
  "sourcePath": "src/server/routes.ts",
533
- "contentHash": "8a6b6b22d35c2b9a2e19ad98e71d1403302971274b3d66c911953215672a1f20",
533
+ "contentHash": "ed6959d356dbd711b482bd419caac9ee35407454b547fe9d26e3b6d00a4bbcd4",
534
534
  "since": "2025-01-01"
535
535
  },
536
536
  "route-group:sessions": {
@@ -538,7 +538,7 @@
538
538
  "type": "route-group",
539
539
  "domain": "sessions",
540
540
  "sourcePath": "src/server/routes.ts",
541
- "contentHash": "8a6b6b22d35c2b9a2e19ad98e71d1403302971274b3d66c911953215672a1f20",
541
+ "contentHash": "ed6959d356dbd711b482bd419caac9ee35407454b547fe9d26e3b6d00a4bbcd4",
542
542
  "since": "2025-01-01"
543
543
  },
544
544
  "route-group:jobs": {
@@ -546,7 +546,7 @@
546
546
  "type": "route-group",
547
547
  "domain": "scheduling",
548
548
  "sourcePath": "src/server/routes.ts",
549
- "contentHash": "8a6b6b22d35c2b9a2e19ad98e71d1403302971274b3d66c911953215672a1f20",
549
+ "contentHash": "ed6959d356dbd711b482bd419caac9ee35407454b547fe9d26e3b6d00a4bbcd4",
550
550
  "since": "2025-01-01"
551
551
  },
552
552
  "route-group:skip-ledger": {
@@ -554,7 +554,7 @@
554
554
  "type": "route-group",
555
555
  "domain": "scheduling",
556
556
  "sourcePath": "src/server/routes.ts",
557
- "contentHash": "8a6b6b22d35c2b9a2e19ad98e71d1403302971274b3d66c911953215672a1f20",
557
+ "contentHash": "ed6959d356dbd711b482bd419caac9ee35407454b547fe9d26e3b6d00a4bbcd4",
558
558
  "since": "2025-01-01"
559
559
  },
560
560
  "route-group:telegram": {
@@ -562,7 +562,7 @@
562
562
  "type": "route-group",
563
563
  "domain": "communication",
564
564
  "sourcePath": "src/server/routes.ts",
565
- "contentHash": "8a6b6b22d35c2b9a2e19ad98e71d1403302971274b3d66c911953215672a1f20",
565
+ "contentHash": "ed6959d356dbd711b482bd419caac9ee35407454b547fe9d26e3b6d00a4bbcd4",
566
566
  "since": "2025-01-01"
567
567
  },
568
568
  "route-group:attention": {
@@ -570,7 +570,7 @@
570
570
  "type": "route-group",
571
571
  "domain": "communication",
572
572
  "sourcePath": "src/server/routes.ts",
573
- "contentHash": "8a6b6b22d35c2b9a2e19ad98e71d1403302971274b3d66c911953215672a1f20",
573
+ "contentHash": "ed6959d356dbd711b482bd419caac9ee35407454b547fe9d26e3b6d00a4bbcd4",
574
574
  "since": "2025-01-01"
575
575
  },
576
576
  "route-group:relationships": {
@@ -578,7 +578,7 @@
578
578
  "type": "route-group",
579
579
  "domain": "relationships",
580
580
  "sourcePath": "src/server/routes.ts",
581
- "contentHash": "8a6b6b22d35c2b9a2e19ad98e71d1403302971274b3d66c911953215672a1f20",
581
+ "contentHash": "ed6959d356dbd711b482bd419caac9ee35407454b547fe9d26e3b6d00a4bbcd4",
582
582
  "since": "2025-01-01"
583
583
  },
584
584
  "route-group:feedback": {
@@ -586,7 +586,7 @@
586
586
  "type": "route-group",
587
587
  "domain": "feedback",
588
588
  "sourcePath": "src/server/routes.ts",
589
- "contentHash": "8a6b6b22d35c2b9a2e19ad98e71d1403302971274b3d66c911953215672a1f20",
589
+ "contentHash": "ed6959d356dbd711b482bd419caac9ee35407454b547fe9d26e3b6d00a4bbcd4",
590
590
  "since": "2025-01-01"
591
591
  },
592
592
  "route-group:updates": {
@@ -594,7 +594,7 @@
594
594
  "type": "route-group",
595
595
  "domain": "updates",
596
596
  "sourcePath": "src/server/routes.ts",
597
- "contentHash": "8a6b6b22d35c2b9a2e19ad98e71d1403302971274b3d66c911953215672a1f20",
597
+ "contentHash": "ed6959d356dbd711b482bd419caac9ee35407454b547fe9d26e3b6d00a4bbcd4",
598
598
  "since": "2025-01-01"
599
599
  },
600
600
  "route-group:dispatches": {
@@ -602,7 +602,7 @@
602
602
  "type": "route-group",
603
603
  "domain": "dispatches",
604
604
  "sourcePath": "src/server/routes.ts",
605
- "contentHash": "8a6b6b22d35c2b9a2e19ad98e71d1403302971274b3d66c911953215672a1f20",
605
+ "contentHash": "ed6959d356dbd711b482bd419caac9ee35407454b547fe9d26e3b6d00a4bbcd4",
606
606
  "since": "2025-01-01"
607
607
  },
608
608
  "route-group:quota": {
@@ -610,7 +610,7 @@
610
610
  "type": "route-group",
611
611
  "domain": "monitoring",
612
612
  "sourcePath": "src/server/routes.ts",
613
- "contentHash": "8a6b6b22d35c2b9a2e19ad98e71d1403302971274b3d66c911953215672a1f20",
613
+ "contentHash": "ed6959d356dbd711b482bd419caac9ee35407454b547fe9d26e3b6d00a4bbcd4",
614
614
  "since": "2025-01-01"
615
615
  },
616
616
  "route-group:publishing": {
@@ -618,7 +618,7 @@
618
618
  "type": "route-group",
619
619
  "domain": "publishing",
620
620
  "sourcePath": "src/server/routes.ts",
621
- "contentHash": "8a6b6b22d35c2b9a2e19ad98e71d1403302971274b3d66c911953215672a1f20",
621
+ "contentHash": "ed6959d356dbd711b482bd419caac9ee35407454b547fe9d26e3b6d00a4bbcd4",
622
622
  "since": "2025-01-01"
623
623
  },
624
624
  "route-group:private-views": {
@@ -626,7 +626,7 @@
626
626
  "type": "route-group",
627
627
  "domain": "publishing",
628
628
  "sourcePath": "src/server/routes.ts",
629
- "contentHash": "8a6b6b22d35c2b9a2e19ad98e71d1403302971274b3d66c911953215672a1f20",
629
+ "contentHash": "ed6959d356dbd711b482bd419caac9ee35407454b547fe9d26e3b6d00a4bbcd4",
630
630
  "since": "2025-01-01"
631
631
  },
632
632
  "route-group:tunnel": {
@@ -634,7 +634,7 @@
634
634
  "type": "route-group",
635
635
  "domain": "networking",
636
636
  "sourcePath": "src/server/routes.ts",
637
- "contentHash": "8a6b6b22d35c2b9a2e19ad98e71d1403302971274b3d66c911953215672a1f20",
637
+ "contentHash": "ed6959d356dbd711b482bd419caac9ee35407454b547fe9d26e3b6d00a4bbcd4",
638
638
  "since": "2025-01-01"
639
639
  },
640
640
  "route-group:events": {
@@ -642,7 +642,7 @@
642
642
  "type": "route-group",
643
643
  "domain": "networking",
644
644
  "sourcePath": "src/server/routes.ts",
645
- "contentHash": "8a6b6b22d35c2b9a2e19ad98e71d1403302971274b3d66c911953215672a1f20",
645
+ "contentHash": "ed6959d356dbd711b482bd419caac9ee35407454b547fe9d26e3b6d00a4bbcd4",
646
646
  "since": "2025-01-01"
647
647
  },
648
648
  "route-group:evolution": {
@@ -650,7 +650,7 @@
650
650
  "type": "route-group",
651
651
  "domain": "evolution",
652
652
  "sourcePath": "src/server/routes.ts",
653
- "contentHash": "8a6b6b22d35c2b9a2e19ad98e71d1403302971274b3d66c911953215672a1f20",
653
+ "contentHash": "ed6959d356dbd711b482bd419caac9ee35407454b547fe9d26e3b6d00a4bbcd4",
654
654
  "since": "2025-01-01"
655
655
  },
656
656
  "route-group:watchdog": {
@@ -658,7 +658,7 @@
658
658
  "type": "route-group",
659
659
  "domain": "monitoring",
660
660
  "sourcePath": "src/server/routes.ts",
661
- "contentHash": "8a6b6b22d35c2b9a2e19ad98e71d1403302971274b3d66c911953215672a1f20",
661
+ "contentHash": "ed6959d356dbd711b482bd419caac9ee35407454b547fe9d26e3b6d00a4bbcd4",
662
662
  "since": "2025-01-01"
663
663
  },
664
664
  "route-group:topic-memory": {
@@ -666,7 +666,7 @@
666
666
  "type": "route-group",
667
667
  "domain": "memory",
668
668
  "sourcePath": "src/server/routes.ts",
669
- "contentHash": "8a6b6b22d35c2b9a2e19ad98e71d1403302971274b3d66c911953215672a1f20",
669
+ "contentHash": "ed6959d356dbd711b482bd419caac9ee35407454b547fe9d26e3b6d00a4bbcd4",
670
670
  "since": "2025-01-01"
671
671
  },
672
672
  "route-group:state-sync": {
@@ -674,7 +674,7 @@
674
674
  "type": "route-group",
675
675
  "domain": "coordination",
676
676
  "sourcePath": "src/server/routes.ts",
677
- "contentHash": "8a6b6b22d35c2b9a2e19ad98e71d1403302971274b3d66c911953215672a1f20",
677
+ "contentHash": "ed6959d356dbd711b482bd419caac9ee35407454b547fe9d26e3b6d00a4bbcd4",
678
678
  "since": "2025-01-01"
679
679
  },
680
680
  "route-group:intent": {
@@ -682,7 +682,7 @@
682
682
  "type": "route-group",
683
683
  "domain": "intent",
684
684
  "sourcePath": "src/server/routes.ts",
685
- "contentHash": "8a6b6b22d35c2b9a2e19ad98e71d1403302971274b3d66c911953215672a1f20",
685
+ "contentHash": "ed6959d356dbd711b482bd419caac9ee35407454b547fe9d26e3b6d00a4bbcd4",
686
686
  "since": "2025-01-01"
687
687
  },
688
688
  "route-group:triage": {
@@ -690,7 +690,7 @@
690
690
  "type": "route-group",
691
691
  "domain": "safety",
692
692
  "sourcePath": "src/server/routes.ts",
693
- "contentHash": "8a6b6b22d35c2b9a2e19ad98e71d1403302971274b3d66c911953215672a1f20",
693
+ "contentHash": "ed6959d356dbd711b482bd419caac9ee35407454b547fe9d26e3b6d00a4bbcd4",
694
694
  "since": "2025-01-01"
695
695
  },
696
696
  "route-group:operations": {
@@ -698,7 +698,7 @@
698
698
  "type": "route-group",
699
699
  "domain": "safety",
700
700
  "sourcePath": "src/server/routes.ts",
701
- "contentHash": "8a6b6b22d35c2b9a2e19ad98e71d1403302971274b3d66c911953215672a1f20",
701
+ "contentHash": "ed6959d356dbd711b482bd419caac9ee35407454b547fe9d26e3b6d00a4bbcd4",
702
702
  "since": "2025-01-01"
703
703
  },
704
704
  "route-group:sentinel": {
@@ -706,7 +706,7 @@
706
706
  "type": "route-group",
707
707
  "domain": "safety",
708
708
  "sourcePath": "src/server/routes.ts",
709
- "contentHash": "8a6b6b22d35c2b9a2e19ad98e71d1403302971274b3d66c911953215672a1f20",
709
+ "contentHash": "ed6959d356dbd711b482bd419caac9ee35407454b547fe9d26e3b6d00a4bbcd4",
710
710
  "since": "2025-01-01"
711
711
  },
712
712
  "route-group:trust": {
@@ -714,7 +714,7 @@
714
714
  "type": "route-group",
715
715
  "domain": "safety",
716
716
  "sourcePath": "src/server/routes.ts",
717
- "contentHash": "8a6b6b22d35c2b9a2e19ad98e71d1403302971274b3d66c911953215672a1f20",
717
+ "contentHash": "ed6959d356dbd711b482bd419caac9ee35407454b547fe9d26e3b6d00a4bbcd4",
718
718
  "since": "2025-01-01"
719
719
  },
720
720
  "route-group:monitoring": {
@@ -722,7 +722,7 @@
722
722
  "type": "route-group",
723
723
  "domain": "monitoring",
724
724
  "sourcePath": "src/server/routes.ts",
725
- "contentHash": "8a6b6b22d35c2b9a2e19ad98e71d1403302971274b3d66c911953215672a1f20",
725
+ "contentHash": "ed6959d356dbd711b482bd419caac9ee35407454b547fe9d26e3b6d00a4bbcd4",
726
726
  "since": "2025-01-01"
727
727
  },
728
728
  "route-group:commitments": {
@@ -730,7 +730,7 @@
730
730
  "type": "route-group",
731
731
  "domain": "commitments",
732
732
  "sourcePath": "src/server/routes.ts",
733
- "contentHash": "8a6b6b22d35c2b9a2e19ad98e71d1403302971274b3d66c911953215672a1f20",
733
+ "contentHash": "ed6959d356dbd711b482bd419caac9ee35407454b547fe9d26e3b6d00a4bbcd4",
734
734
  "since": "2025-01-01"
735
735
  },
736
736
  "route-group:episodes": {
@@ -738,7 +738,7 @@
738
738
  "type": "route-group",
739
739
  "domain": "memory",
740
740
  "sourcePath": "src/server/routes.ts",
741
- "contentHash": "8a6b6b22d35c2b9a2e19ad98e71d1403302971274b3d66c911953215672a1f20",
741
+ "contentHash": "ed6959d356dbd711b482bd419caac9ee35407454b547fe9d26e3b6d00a4bbcd4",
742
742
  "since": "2025-01-01"
743
743
  },
744
744
  "route-group:messages": {
@@ -746,7 +746,7 @@
746
746
  "type": "route-group",
747
747
  "domain": "coordination",
748
748
  "sourcePath": "src/server/routes.ts",
749
- "contentHash": "8a6b6b22d35c2b9a2e19ad98e71d1403302971274b3d66c911953215672a1f20",
749
+ "contentHash": "ed6959d356dbd711b482bd419caac9ee35407454b547fe9d26e3b6d00a4bbcd4",
750
750
  "since": "2025-01-01"
751
751
  },
752
752
  "route-group:system-reviews": {
@@ -754,7 +754,7 @@
754
754
  "type": "route-group",
755
755
  "domain": "monitoring",
756
756
  "sourcePath": "src/server/routes.ts",
757
- "contentHash": "8a6b6b22d35c2b9a2e19ad98e71d1403302971274b3d66c911953215672a1f20",
757
+ "contentHash": "ed6959d356dbd711b482bd419caac9ee35407454b547fe9d26e3b6d00a4bbcd4",
758
758
  "since": "2025-01-01"
759
759
  },
760
760
  "route-group:machine-mesh": {
@@ -770,7 +770,7 @@
770
770
  "type": "route-group",
771
771
  "domain": "security",
772
772
  "sourcePath": "src/server/routes.ts",
773
- "contentHash": "8a6b6b22d35c2b9a2e19ad98e71d1403302971274b3d66c911953215672a1f20",
773
+ "contentHash": "ed6959d356dbd711b482bd419caac9ee35407454b547fe9d26e3b6d00a4bbcd4",
774
774
  "since": "2025-01-01"
775
775
  },
776
776
  "cli:init": {
@@ -0,0 +1,22 @@
1
+ # Upgrade Guide — vNEXT
2
+
3
+ <!-- assembled-by: assemble-next-md -->
4
+ <!-- bump: patch -->
5
+
6
+ ## What Changed
7
+
8
+ Fixes the WS5.2 one-tap Approve card so it actually appears and works on the live dashboard. The previous release shipped the card's parts (renderers, payload builder, connector, enforcement) but never wired them into the dashboard controller, and the scan offer was missing the fields/agents the card needs — so the card never rendered on the real Subscriptions tab. This connects the pieces end-to-end: the scan offer is enriched server-side with the card fields + the FD2 agent pair (operator never types a fingerprint); the controller now POSTs the scan, renders the card as the Subscriptions panel's lead section, and wires the Approve tap → PIN-gated `issue-for-machine`. A new controller integration test drives the real flow (fetch scan → render → Approve → POST).
9
+
10
+ ## What to Tell Your User
11
+
12
+ The one-tap "let another machine use this subscription" Approve card now actually shows up on your dashboard's Subscriptions tab and works with a single tap + PIN — no codes, no JSON. (It was missing its final wiring before, so it never appeared.)
13
+
14
+ ## Summary of New Capabilities
15
+
16
+ - The WS5.2 one-tap account-follow-me Approve card is now live on the Subscriptions tab (renders from the scan offer, Approve issues the PIN-gated mandate). Dark on fleet / live on the dev agent, as before.
17
+
18
+ ## Evidence
19
+
20
+ - `tests/unit/follow-me-controller-wiring.test.ts` — NEW; drives the real controller: POSTs the scan, renders the card into `els.followMe`, and on Approve-with-PIN POSTs `/mandate/issue-for-machine` with the server-resolved FD2 agents + PIN; refuses to POST with no PIN. 4/4 pass.
21
+ - Existing card + payload unit tests still green (47 tests total across the follow-me suite).
22
+ - `npx tsc --noEmit` clean.
@@ -0,0 +1,60 @@
1
+ # Side-Effects Review — WS5.2 one-tap card: live wiring (the missing integration)
2
+
3
+ **Version / slug:** `ws52-operator-card-wiring`
4
+ **Date:** `2026-06-18`
5
+ **Author:** `Echo (instar-dev agent)`
6
+ **Second-pass reviewer:** `not required (completion of an already-approved + second-pass-concurred design; no new decision surface)`
7
+
8
+ ## Summary of the change
9
+
10
+ Completes the live wiring of the WS5.2 one-tap Approve card (approved spec `docs/specs/ws52-operator-tap-not-text.md`). The prior PR (#1223) shipped the card render functions, the payload builder, the connector, and the enforcement — but the render functions were never invoked by the live dashboard controller, and the scan offer lacked the fields/agents the card needs, so the card never appeared on the real Subscriptions tab (a Live-User-Channel-Proof failure caught while driving the actual proof). This change connects the pieces: (1) `src/server/routes.ts` — the `/subscription-pool/follow-me/scan` handler now enriches each consent offer with the card fields (`machineNickname`, `accountLabel`, `expiryText`) and the FD2 `agents` pair, resolved SERVER-SIDE (`resolveAgentFingerprint`) so the operator never types a fingerprint; (2) `dashboard/subscriptions.js` — the controller now POSTs the scan, renders the offers via `renderFollowMeOffers` into `els.followMe`, and wires the Approve tap (delegated, once) → `buildFollowMeIssuePayload` → POST `/mandate/issue-for-machine`; (3) `dashboard/index.html` — adds the `#subFollowMe` container as the panel's lead section + passes `els.followMe` + widens the subscriptions `fetchImpl` to pass method/body (for the POST scan + issue). A new integration test (`tests/unit/follow-me-controller-wiring.test.ts`) drives the real controller end-to-end.
11
+
12
+ ## Decision-point inventory
13
+
14
+ - `/subscription-pool/follow-me/scan` offer shape — **modify** — adds card fields + FD2 agents (server-resolved); no gating change.
15
+ - Approve → `/mandate/issue-for-machine` — **pass-through** — unchanged PIN-gated route; the client now calls it with a server-resolved agents pair instead of nothing.
16
+ - No new block/allow gate is introduced.
17
+
18
+ ## 1. Over-block
19
+ No block/allow surface — over-block not applicable. (The card renders only when the scan offers a candidate; the Approve POST is the existing PIN-gated route, unchanged.)
20
+
21
+ ## 2. Under-block
22
+ No block/allow surface — under-block not applicable. The PIN gate, deny-by-default mandate gate, and R4a delivered-mandate re-verify are all unchanged and still authoritative at enroll time.
23
+
24
+ ## 3. Level-of-abstraction fit
25
+ Correct layer — pure presentation/wiring. The card is a dashboard view that reads a server-built offer and calls an existing authority (the PIN-gated issue route). No decision logic moved into the client; the agents pair is resolved server-side (the client never composes authority data).
26
+
27
+ ## 4. Signal vs authority compliance
28
+ **Required reference:** docs/signal-vs-authority.md
29
+ - [x] No — this change has no block/allow surface. It renders an offer and calls the existing PIN-gated mandate route; all authority (PIN, deny-by-default gate, R4a bounds+signature) is unchanged and server-side. The client holds zero authority — a forged client payload still hits the PIN gate + the mandate gate + the enroll-time bounds/signature re-verify.
30
+
31
+ ## 5. Interactions
32
+ - **Shadowing:** the scan POST is added to the existing best-effort `Promise.all` in the controller tick, caught independently (a scan failure degrades to "no card", never blanks the accounts list). No shadowing of accounts/pending.
33
+ - **Double-fire:** the Approve listener is delegated and wired ONCE (`state.approveWired`), so re-renders never stack listeners or double-POST; the button disables on submit.
34
+ - **Races:** the scan rides the same aborted-controller guard as the other fetches.
35
+ - **Feedback loops:** none.
36
+
37
+ ## 6. External surfaces
38
+ - **Operator (phone):** the one-tap card now actually appears on the Subscriptions tab and is the panel's lead section. Mobile-complete: tap Approve + PIN; the device-code login link surfaces in the existing Pending Logins panel.
39
+ - **Server:** the scan response gains fields (additive; existing consumers unaffected). No token/fingerprint leaves the server in operator-facing text (agents stay out of the DOM by the card's construction).
40
+ - **No** change to other agents/users or persistent state shapes.
41
+
42
+ ## 6b. Operator-surface quality (Operator-Surface Quality standard)
43
+ This change touches an operator surface (`dashboard/index.html`, `dashboard/subscriptions.js`), so this section is required.
44
+ 1. **Leads with the primary action?** Yes — `#subFollowMe` is inserted as the FIRST section of the Subscriptions panel (above Accounts), so the Approve card is the first thing seen when a follow-me offer exists.
45
+ 2. **Zero raw internals as primary content?** Yes — the card shows plain language ("Let Mac Mini use your … subscription") + a PIN box + Approve; the FD2 agent fingerprints are resolved server-side and never enter the DOM (verified by the card test); only non-sensitive account/target ids ride as `data-*`.
46
+ 3. **Destructive actions de-emphasized?** N/A — the card is constructive (Approve) only.
47
+ 4. **Plain language + phone width?** Yes — single-column card, plain labels, password PIN field, one button; status messages are plain English ("Approved — the machine is logging in now…").
48
+
49
+ ## 7. Multi-machine posture (Cross-Machine Coherence)
50
+ **Proxied/served from the fronting machine, by construction.** The scan runs on the machine serving the dashboard (the operator's single dashboard) and offers to enroll OTHER machines that lack the account (peer-views). The Approve issues a cross-machine mandate (`issue-for-machine`) delivered to the target; the FD2 agents are this Echo identity's fingerprint (issuer === target identity). The login link surfaces on the fronting machine's existing Pending Logins panel. No machine-local stranding (the mandate + delivery are the existing durable cross-machine path); the dashboard is the single operator surface (honors one-dashboard).
51
+
52
+ ## 8. Rollback cost
53
+ Pure dashboard/route-shape change behind the existing dev-agent gate (dark on fleet). Back-out = revert; no persistent state, no migration. Reverting removes the card wiring (back to the render functions being unused) and the scan's extra fields (additive — harmless if a stale client reads them).
54
+
55
+ ## Conclusion
56
+ This change closes the Live-User-Channel-Proof gap that the previous PR left: the card now renders on the real dashboard and the Approve tap drives the real PIN-gated issue route, verified by a new controller integration test (`follow-me-controller-wiring`) plus the existing card/payload unit tests (47 tests green, tsc clean). No new authority or block surface. Clear to ship; the operator-tap → deliver → enroll → answer chain is exercised live in the proof itself.
57
+
58
+ ## Evidence pointers
59
+ - `npx tsc --noEmit` — clean.
60
+ - `npx vitest run` (6 files) — 47/47 pass, incl. the new `follow-me-controller-wiring` (drives fetch-scan → render → Approve → POST issue).