instar 1.3.623 → 1.3.624
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dashboard/subscriptions.js +72 -0
- package/dist/commands/server.d.ts.map +1 -1
- package/dist/commands/server.js +2 -3
- package/dist/commands/server.js.map +1 -1
- package/dist/core/FrameworkLoginDriver.d.ts +10 -0
- package/dist/core/FrameworkLoginDriver.d.ts.map +1 -1
- package/dist/core/FrameworkLoginDriver.js +13 -0
- package/dist/core/FrameworkLoginDriver.js.map +1 -1
- package/dist/server/routes.d.ts.map +1 -1
- package/dist/server/routes.js +199 -0
- package/dist/server/routes.js.map +1 -1
- package/package.json +1 -1
- package/src/data/builtin-manifest.json +46 -46
- package/upgrades/1.3.624.md +23 -0
- package/upgrades/side-effects/ws52-code-paste-back.md +105 -0
package/package.json
CHANGED
|
@@ -1,8 +1,8 @@
|
|
|
1
1
|
{
|
|
2
2
|
"$schema": "./builtin-manifest.schema.json",
|
|
3
3
|
"schemaVersion": 1,
|
|
4
|
-
"generatedAt": "2026-06-
|
|
5
|
-
"instarVersion": "1.3.
|
|
4
|
+
"generatedAt": "2026-06-19T02:52:10.913Z",
|
|
5
|
+
"instarVersion": "1.3.624",
|
|
6
6
|
"entryCount": 201,
|
|
7
7
|
"entries": {
|
|
8
8
|
"hook:session-start": {
|
|
@@ -418,7 +418,7 @@
|
|
|
418
418
|
"type": "route-group",
|
|
419
419
|
"domain": "monitoring",
|
|
420
420
|
"sourcePath": "src/server/routes.ts",
|
|
421
|
-
"contentHash": "
|
|
421
|
+
"contentHash": "81524511cfacdc92599b1d994788849aa2563b92a9ae21ecbeb4c14f989df56b",
|
|
422
422
|
"since": "2025-01-01"
|
|
423
423
|
},
|
|
424
424
|
"route-group:agents": {
|
|
@@ -426,7 +426,7 @@
|
|
|
426
426
|
"type": "route-group",
|
|
427
427
|
"domain": "sessions",
|
|
428
428
|
"sourcePath": "src/server/routes.ts",
|
|
429
|
-
"contentHash": "
|
|
429
|
+
"contentHash": "81524511cfacdc92599b1d994788849aa2563b92a9ae21ecbeb4c14f989df56b",
|
|
430
430
|
"since": "2025-01-01"
|
|
431
431
|
},
|
|
432
432
|
"route-group:backups": {
|
|
@@ -434,7 +434,7 @@
|
|
|
434
434
|
"type": "route-group",
|
|
435
435
|
"domain": "operations",
|
|
436
436
|
"sourcePath": "src/server/routes.ts",
|
|
437
|
-
"contentHash": "
|
|
437
|
+
"contentHash": "81524511cfacdc92599b1d994788849aa2563b92a9ae21ecbeb4c14f989df56b",
|
|
438
438
|
"since": "2025-01-01"
|
|
439
439
|
},
|
|
440
440
|
"route-group:git": {
|
|
@@ -442,7 +442,7 @@
|
|
|
442
442
|
"type": "route-group",
|
|
443
443
|
"domain": "coordination",
|
|
444
444
|
"sourcePath": "src/server/routes.ts",
|
|
445
|
-
"contentHash": "
|
|
445
|
+
"contentHash": "81524511cfacdc92599b1d994788849aa2563b92a9ae21ecbeb4c14f989df56b",
|
|
446
446
|
"since": "2025-01-01"
|
|
447
447
|
},
|
|
448
448
|
"route-group:memory": {
|
|
@@ -450,7 +450,7 @@
|
|
|
450
450
|
"type": "route-group",
|
|
451
451
|
"domain": "memory",
|
|
452
452
|
"sourcePath": "src/server/routes.ts",
|
|
453
|
-
"contentHash": "
|
|
453
|
+
"contentHash": "81524511cfacdc92599b1d994788849aa2563b92a9ae21ecbeb4c14f989df56b",
|
|
454
454
|
"since": "2025-01-01"
|
|
455
455
|
},
|
|
456
456
|
"route-group:semantic": {
|
|
@@ -458,7 +458,7 @@
|
|
|
458
458
|
"type": "route-group",
|
|
459
459
|
"domain": "memory",
|
|
460
460
|
"sourcePath": "src/server/routes.ts",
|
|
461
|
-
"contentHash": "
|
|
461
|
+
"contentHash": "81524511cfacdc92599b1d994788849aa2563b92a9ae21ecbeb4c14f989df56b",
|
|
462
462
|
"since": "2025-01-01"
|
|
463
463
|
},
|
|
464
464
|
"route-group:status": {
|
|
@@ -466,7 +466,7 @@
|
|
|
466
466
|
"type": "route-group",
|
|
467
467
|
"domain": "monitoring",
|
|
468
468
|
"sourcePath": "src/server/routes.ts",
|
|
469
|
-
"contentHash": "
|
|
469
|
+
"contentHash": "81524511cfacdc92599b1d994788849aa2563b92a9ae21ecbeb4c14f989df56b",
|
|
470
470
|
"since": "2025-01-01"
|
|
471
471
|
},
|
|
472
472
|
"route-group:capabilities": {
|
|
@@ -474,7 +474,7 @@
|
|
|
474
474
|
"type": "route-group",
|
|
475
475
|
"domain": "mapping",
|
|
476
476
|
"sourcePath": "src/server/routes.ts",
|
|
477
|
-
"contentHash": "
|
|
477
|
+
"contentHash": "81524511cfacdc92599b1d994788849aa2563b92a9ae21ecbeb4c14f989df56b",
|
|
478
478
|
"since": "2025-01-01"
|
|
479
479
|
},
|
|
480
480
|
"route-group:project-map": {
|
|
@@ -482,7 +482,7 @@
|
|
|
482
482
|
"type": "route-group",
|
|
483
483
|
"domain": "mapping",
|
|
484
484
|
"sourcePath": "src/server/routes.ts",
|
|
485
|
-
"contentHash": "
|
|
485
|
+
"contentHash": "81524511cfacdc92599b1d994788849aa2563b92a9ae21ecbeb4c14f989df56b",
|
|
486
486
|
"since": "2025-01-01"
|
|
487
487
|
},
|
|
488
488
|
"route-group:coherence": {
|
|
@@ -490,7 +490,7 @@
|
|
|
490
490
|
"type": "route-group",
|
|
491
491
|
"domain": "coherence",
|
|
492
492
|
"sourcePath": "src/server/routes.ts",
|
|
493
|
-
"contentHash": "
|
|
493
|
+
"contentHash": "81524511cfacdc92599b1d994788849aa2563b92a9ae21ecbeb4c14f989df56b",
|
|
494
494
|
"since": "2025-01-01"
|
|
495
495
|
},
|
|
496
496
|
"route-group:topic-bindings": {
|
|
@@ -498,7 +498,7 @@
|
|
|
498
498
|
"type": "route-group",
|
|
499
499
|
"domain": "sessions",
|
|
500
500
|
"sourcePath": "src/server/routes.ts",
|
|
501
|
-
"contentHash": "
|
|
501
|
+
"contentHash": "81524511cfacdc92599b1d994788849aa2563b92a9ae21ecbeb4c14f989df56b",
|
|
502
502
|
"since": "2025-01-01"
|
|
503
503
|
},
|
|
504
504
|
"route-group:context": {
|
|
@@ -506,7 +506,7 @@
|
|
|
506
506
|
"type": "route-group",
|
|
507
507
|
"domain": "context",
|
|
508
508
|
"sourcePath": "src/server/routes.ts",
|
|
509
|
-
"contentHash": "
|
|
509
|
+
"contentHash": "81524511cfacdc92599b1d994788849aa2563b92a9ae21ecbeb4c14f989df56b",
|
|
510
510
|
"since": "2025-01-01"
|
|
511
511
|
},
|
|
512
512
|
"route-group:scope-coherence": {
|
|
@@ -514,7 +514,7 @@
|
|
|
514
514
|
"type": "route-group",
|
|
515
515
|
"domain": "coherence",
|
|
516
516
|
"sourcePath": "src/server/routes.ts",
|
|
517
|
-
"contentHash": "
|
|
517
|
+
"contentHash": "81524511cfacdc92599b1d994788849aa2563b92a9ae21ecbeb4c14f989df56b",
|
|
518
518
|
"since": "2025-01-01"
|
|
519
519
|
},
|
|
520
520
|
"route-group:canonical-state": {
|
|
@@ -522,7 +522,7 @@
|
|
|
522
522
|
"type": "route-group",
|
|
523
523
|
"domain": "state",
|
|
524
524
|
"sourcePath": "src/server/routes.ts",
|
|
525
|
-
"contentHash": "
|
|
525
|
+
"contentHash": "81524511cfacdc92599b1d994788849aa2563b92a9ae21ecbeb4c14f989df56b",
|
|
526
526
|
"since": "2025-01-01"
|
|
527
527
|
},
|
|
528
528
|
"route-group:ci": {
|
|
@@ -530,7 +530,7 @@
|
|
|
530
530
|
"type": "route-group",
|
|
531
531
|
"domain": "monitoring",
|
|
532
532
|
"sourcePath": "src/server/routes.ts",
|
|
533
|
-
"contentHash": "
|
|
533
|
+
"contentHash": "81524511cfacdc92599b1d994788849aa2563b92a9ae21ecbeb4c14f989df56b",
|
|
534
534
|
"since": "2025-01-01"
|
|
535
535
|
},
|
|
536
536
|
"route-group:sessions": {
|
|
@@ -538,7 +538,7 @@
|
|
|
538
538
|
"type": "route-group",
|
|
539
539
|
"domain": "sessions",
|
|
540
540
|
"sourcePath": "src/server/routes.ts",
|
|
541
|
-
"contentHash": "
|
|
541
|
+
"contentHash": "81524511cfacdc92599b1d994788849aa2563b92a9ae21ecbeb4c14f989df56b",
|
|
542
542
|
"since": "2025-01-01"
|
|
543
543
|
},
|
|
544
544
|
"route-group:jobs": {
|
|
@@ -546,7 +546,7 @@
|
|
|
546
546
|
"type": "route-group",
|
|
547
547
|
"domain": "scheduling",
|
|
548
548
|
"sourcePath": "src/server/routes.ts",
|
|
549
|
-
"contentHash": "
|
|
549
|
+
"contentHash": "81524511cfacdc92599b1d994788849aa2563b92a9ae21ecbeb4c14f989df56b",
|
|
550
550
|
"since": "2025-01-01"
|
|
551
551
|
},
|
|
552
552
|
"route-group:skip-ledger": {
|
|
@@ -554,7 +554,7 @@
|
|
|
554
554
|
"type": "route-group",
|
|
555
555
|
"domain": "scheduling",
|
|
556
556
|
"sourcePath": "src/server/routes.ts",
|
|
557
|
-
"contentHash": "
|
|
557
|
+
"contentHash": "81524511cfacdc92599b1d994788849aa2563b92a9ae21ecbeb4c14f989df56b",
|
|
558
558
|
"since": "2025-01-01"
|
|
559
559
|
},
|
|
560
560
|
"route-group:telegram": {
|
|
@@ -562,7 +562,7 @@
|
|
|
562
562
|
"type": "route-group",
|
|
563
563
|
"domain": "communication",
|
|
564
564
|
"sourcePath": "src/server/routes.ts",
|
|
565
|
-
"contentHash": "
|
|
565
|
+
"contentHash": "81524511cfacdc92599b1d994788849aa2563b92a9ae21ecbeb4c14f989df56b",
|
|
566
566
|
"since": "2025-01-01"
|
|
567
567
|
},
|
|
568
568
|
"route-group:attention": {
|
|
@@ -570,7 +570,7 @@
|
|
|
570
570
|
"type": "route-group",
|
|
571
571
|
"domain": "communication",
|
|
572
572
|
"sourcePath": "src/server/routes.ts",
|
|
573
|
-
"contentHash": "
|
|
573
|
+
"contentHash": "81524511cfacdc92599b1d994788849aa2563b92a9ae21ecbeb4c14f989df56b",
|
|
574
574
|
"since": "2025-01-01"
|
|
575
575
|
},
|
|
576
576
|
"route-group:relationships": {
|
|
@@ -578,7 +578,7 @@
|
|
|
578
578
|
"type": "route-group",
|
|
579
579
|
"domain": "relationships",
|
|
580
580
|
"sourcePath": "src/server/routes.ts",
|
|
581
|
-
"contentHash": "
|
|
581
|
+
"contentHash": "81524511cfacdc92599b1d994788849aa2563b92a9ae21ecbeb4c14f989df56b",
|
|
582
582
|
"since": "2025-01-01"
|
|
583
583
|
},
|
|
584
584
|
"route-group:feedback": {
|
|
@@ -586,7 +586,7 @@
|
|
|
586
586
|
"type": "route-group",
|
|
587
587
|
"domain": "feedback",
|
|
588
588
|
"sourcePath": "src/server/routes.ts",
|
|
589
|
-
"contentHash": "
|
|
589
|
+
"contentHash": "81524511cfacdc92599b1d994788849aa2563b92a9ae21ecbeb4c14f989df56b",
|
|
590
590
|
"since": "2025-01-01"
|
|
591
591
|
},
|
|
592
592
|
"route-group:updates": {
|
|
@@ -594,7 +594,7 @@
|
|
|
594
594
|
"type": "route-group",
|
|
595
595
|
"domain": "updates",
|
|
596
596
|
"sourcePath": "src/server/routes.ts",
|
|
597
|
-
"contentHash": "
|
|
597
|
+
"contentHash": "81524511cfacdc92599b1d994788849aa2563b92a9ae21ecbeb4c14f989df56b",
|
|
598
598
|
"since": "2025-01-01"
|
|
599
599
|
},
|
|
600
600
|
"route-group:dispatches": {
|
|
@@ -602,7 +602,7 @@
|
|
|
602
602
|
"type": "route-group",
|
|
603
603
|
"domain": "dispatches",
|
|
604
604
|
"sourcePath": "src/server/routes.ts",
|
|
605
|
-
"contentHash": "
|
|
605
|
+
"contentHash": "81524511cfacdc92599b1d994788849aa2563b92a9ae21ecbeb4c14f989df56b",
|
|
606
606
|
"since": "2025-01-01"
|
|
607
607
|
},
|
|
608
608
|
"route-group:quota": {
|
|
@@ -610,7 +610,7 @@
|
|
|
610
610
|
"type": "route-group",
|
|
611
611
|
"domain": "monitoring",
|
|
612
612
|
"sourcePath": "src/server/routes.ts",
|
|
613
|
-
"contentHash": "
|
|
613
|
+
"contentHash": "81524511cfacdc92599b1d994788849aa2563b92a9ae21ecbeb4c14f989df56b",
|
|
614
614
|
"since": "2025-01-01"
|
|
615
615
|
},
|
|
616
616
|
"route-group:publishing": {
|
|
@@ -618,7 +618,7 @@
|
|
|
618
618
|
"type": "route-group",
|
|
619
619
|
"domain": "publishing",
|
|
620
620
|
"sourcePath": "src/server/routes.ts",
|
|
621
|
-
"contentHash": "
|
|
621
|
+
"contentHash": "81524511cfacdc92599b1d994788849aa2563b92a9ae21ecbeb4c14f989df56b",
|
|
622
622
|
"since": "2025-01-01"
|
|
623
623
|
},
|
|
624
624
|
"route-group:private-views": {
|
|
@@ -626,7 +626,7 @@
|
|
|
626
626
|
"type": "route-group",
|
|
627
627
|
"domain": "publishing",
|
|
628
628
|
"sourcePath": "src/server/routes.ts",
|
|
629
|
-
"contentHash": "
|
|
629
|
+
"contentHash": "81524511cfacdc92599b1d994788849aa2563b92a9ae21ecbeb4c14f989df56b",
|
|
630
630
|
"since": "2025-01-01"
|
|
631
631
|
},
|
|
632
632
|
"route-group:tunnel": {
|
|
@@ -634,7 +634,7 @@
|
|
|
634
634
|
"type": "route-group",
|
|
635
635
|
"domain": "networking",
|
|
636
636
|
"sourcePath": "src/server/routes.ts",
|
|
637
|
-
"contentHash": "
|
|
637
|
+
"contentHash": "81524511cfacdc92599b1d994788849aa2563b92a9ae21ecbeb4c14f989df56b",
|
|
638
638
|
"since": "2025-01-01"
|
|
639
639
|
},
|
|
640
640
|
"route-group:events": {
|
|
@@ -642,7 +642,7 @@
|
|
|
642
642
|
"type": "route-group",
|
|
643
643
|
"domain": "networking",
|
|
644
644
|
"sourcePath": "src/server/routes.ts",
|
|
645
|
-
"contentHash": "
|
|
645
|
+
"contentHash": "81524511cfacdc92599b1d994788849aa2563b92a9ae21ecbeb4c14f989df56b",
|
|
646
646
|
"since": "2025-01-01"
|
|
647
647
|
},
|
|
648
648
|
"route-group:evolution": {
|
|
@@ -650,7 +650,7 @@
|
|
|
650
650
|
"type": "route-group",
|
|
651
651
|
"domain": "evolution",
|
|
652
652
|
"sourcePath": "src/server/routes.ts",
|
|
653
|
-
"contentHash": "
|
|
653
|
+
"contentHash": "81524511cfacdc92599b1d994788849aa2563b92a9ae21ecbeb4c14f989df56b",
|
|
654
654
|
"since": "2025-01-01"
|
|
655
655
|
},
|
|
656
656
|
"route-group:watchdog": {
|
|
@@ -658,7 +658,7 @@
|
|
|
658
658
|
"type": "route-group",
|
|
659
659
|
"domain": "monitoring",
|
|
660
660
|
"sourcePath": "src/server/routes.ts",
|
|
661
|
-
"contentHash": "
|
|
661
|
+
"contentHash": "81524511cfacdc92599b1d994788849aa2563b92a9ae21ecbeb4c14f989df56b",
|
|
662
662
|
"since": "2025-01-01"
|
|
663
663
|
},
|
|
664
664
|
"route-group:topic-memory": {
|
|
@@ -666,7 +666,7 @@
|
|
|
666
666
|
"type": "route-group",
|
|
667
667
|
"domain": "memory",
|
|
668
668
|
"sourcePath": "src/server/routes.ts",
|
|
669
|
-
"contentHash": "
|
|
669
|
+
"contentHash": "81524511cfacdc92599b1d994788849aa2563b92a9ae21ecbeb4c14f989df56b",
|
|
670
670
|
"since": "2025-01-01"
|
|
671
671
|
},
|
|
672
672
|
"route-group:state-sync": {
|
|
@@ -674,7 +674,7 @@
|
|
|
674
674
|
"type": "route-group",
|
|
675
675
|
"domain": "coordination",
|
|
676
676
|
"sourcePath": "src/server/routes.ts",
|
|
677
|
-
"contentHash": "
|
|
677
|
+
"contentHash": "81524511cfacdc92599b1d994788849aa2563b92a9ae21ecbeb4c14f989df56b",
|
|
678
678
|
"since": "2025-01-01"
|
|
679
679
|
},
|
|
680
680
|
"route-group:intent": {
|
|
@@ -682,7 +682,7 @@
|
|
|
682
682
|
"type": "route-group",
|
|
683
683
|
"domain": "intent",
|
|
684
684
|
"sourcePath": "src/server/routes.ts",
|
|
685
|
-
"contentHash": "
|
|
685
|
+
"contentHash": "81524511cfacdc92599b1d994788849aa2563b92a9ae21ecbeb4c14f989df56b",
|
|
686
686
|
"since": "2025-01-01"
|
|
687
687
|
},
|
|
688
688
|
"route-group:triage": {
|
|
@@ -690,7 +690,7 @@
|
|
|
690
690
|
"type": "route-group",
|
|
691
691
|
"domain": "safety",
|
|
692
692
|
"sourcePath": "src/server/routes.ts",
|
|
693
|
-
"contentHash": "
|
|
693
|
+
"contentHash": "81524511cfacdc92599b1d994788849aa2563b92a9ae21ecbeb4c14f989df56b",
|
|
694
694
|
"since": "2025-01-01"
|
|
695
695
|
},
|
|
696
696
|
"route-group:operations": {
|
|
@@ -698,7 +698,7 @@
|
|
|
698
698
|
"type": "route-group",
|
|
699
699
|
"domain": "safety",
|
|
700
700
|
"sourcePath": "src/server/routes.ts",
|
|
701
|
-
"contentHash": "
|
|
701
|
+
"contentHash": "81524511cfacdc92599b1d994788849aa2563b92a9ae21ecbeb4c14f989df56b",
|
|
702
702
|
"since": "2025-01-01"
|
|
703
703
|
},
|
|
704
704
|
"route-group:sentinel": {
|
|
@@ -706,7 +706,7 @@
|
|
|
706
706
|
"type": "route-group",
|
|
707
707
|
"domain": "safety",
|
|
708
708
|
"sourcePath": "src/server/routes.ts",
|
|
709
|
-
"contentHash": "
|
|
709
|
+
"contentHash": "81524511cfacdc92599b1d994788849aa2563b92a9ae21ecbeb4c14f989df56b",
|
|
710
710
|
"since": "2025-01-01"
|
|
711
711
|
},
|
|
712
712
|
"route-group:trust": {
|
|
@@ -714,7 +714,7 @@
|
|
|
714
714
|
"type": "route-group",
|
|
715
715
|
"domain": "safety",
|
|
716
716
|
"sourcePath": "src/server/routes.ts",
|
|
717
|
-
"contentHash": "
|
|
717
|
+
"contentHash": "81524511cfacdc92599b1d994788849aa2563b92a9ae21ecbeb4c14f989df56b",
|
|
718
718
|
"since": "2025-01-01"
|
|
719
719
|
},
|
|
720
720
|
"route-group:monitoring": {
|
|
@@ -722,7 +722,7 @@
|
|
|
722
722
|
"type": "route-group",
|
|
723
723
|
"domain": "monitoring",
|
|
724
724
|
"sourcePath": "src/server/routes.ts",
|
|
725
|
-
"contentHash": "
|
|
725
|
+
"contentHash": "81524511cfacdc92599b1d994788849aa2563b92a9ae21ecbeb4c14f989df56b",
|
|
726
726
|
"since": "2025-01-01"
|
|
727
727
|
},
|
|
728
728
|
"route-group:commitments": {
|
|
@@ -730,7 +730,7 @@
|
|
|
730
730
|
"type": "route-group",
|
|
731
731
|
"domain": "commitments",
|
|
732
732
|
"sourcePath": "src/server/routes.ts",
|
|
733
|
-
"contentHash": "
|
|
733
|
+
"contentHash": "81524511cfacdc92599b1d994788849aa2563b92a9ae21ecbeb4c14f989df56b",
|
|
734
734
|
"since": "2025-01-01"
|
|
735
735
|
},
|
|
736
736
|
"route-group:episodes": {
|
|
@@ -738,7 +738,7 @@
|
|
|
738
738
|
"type": "route-group",
|
|
739
739
|
"domain": "memory",
|
|
740
740
|
"sourcePath": "src/server/routes.ts",
|
|
741
|
-
"contentHash": "
|
|
741
|
+
"contentHash": "81524511cfacdc92599b1d994788849aa2563b92a9ae21ecbeb4c14f989df56b",
|
|
742
742
|
"since": "2025-01-01"
|
|
743
743
|
},
|
|
744
744
|
"route-group:messages": {
|
|
@@ -746,7 +746,7 @@
|
|
|
746
746
|
"type": "route-group",
|
|
747
747
|
"domain": "coordination",
|
|
748
748
|
"sourcePath": "src/server/routes.ts",
|
|
749
|
-
"contentHash": "
|
|
749
|
+
"contentHash": "81524511cfacdc92599b1d994788849aa2563b92a9ae21ecbeb4c14f989df56b",
|
|
750
750
|
"since": "2025-01-01"
|
|
751
751
|
},
|
|
752
752
|
"route-group:system-reviews": {
|
|
@@ -754,7 +754,7 @@
|
|
|
754
754
|
"type": "route-group",
|
|
755
755
|
"domain": "monitoring",
|
|
756
756
|
"sourcePath": "src/server/routes.ts",
|
|
757
|
-
"contentHash": "
|
|
757
|
+
"contentHash": "81524511cfacdc92599b1d994788849aa2563b92a9ae21ecbeb4c14f989df56b",
|
|
758
758
|
"since": "2025-01-01"
|
|
759
759
|
},
|
|
760
760
|
"route-group:machine-mesh": {
|
|
@@ -770,7 +770,7 @@
|
|
|
770
770
|
"type": "route-group",
|
|
771
771
|
"domain": "security",
|
|
772
772
|
"sourcePath": "src/server/routes.ts",
|
|
773
|
-
"contentHash": "
|
|
773
|
+
"contentHash": "81524511cfacdc92599b1d994788849aa2563b92a9ae21ecbeb4c14f989df56b",
|
|
774
774
|
"since": "2025-01-01"
|
|
775
775
|
},
|
|
776
776
|
"cli:init": {
|
|
@@ -0,0 +1,23 @@
|
|
|
1
|
+
# Upgrade Guide — vNEXT
|
|
2
|
+
|
|
3
|
+
<!-- assembled-by: assemble-next-md -->
|
|
4
|
+
<!-- bump: patch -->
|
|
5
|
+
|
|
6
|
+
## What Changed
|
|
7
|
+
|
|
8
|
+
Completes the last step of the account-follow-me login. The `url-code-paste` login (letting one machine use another's subscription) is two parts: open the link and sign in, then paste back the **code** the provider hands you. The dashboard card showed the "Sign in" link but had nowhere to put the code — in the live run the operator signed in, got a code, and had to route it through chat for the agent to paste by hand. This adds a code field right on the pending-login card, plus the routing to deliver it off-chat: a target-local route types the code into the waiting login pane and drives to a real outcome (S7 email-gate → add to pool), and a fronting relay carries the code one authed hop from the operator's single dashboard to the machine that owns the login. Hardened from a 4-round cross-model (codex) review: pane derivation via a single shared helper, single-token code-shape validation, a `url-code-paste` kind guard, a pane-**readiness** check (refuses if the pane dropped to a shell, so the code is never typed into a shell), a per-login in-flight mutex, best-effort scrollback clear after submit, and a greppable terminal-outcome log. Dev-gated (`multiMachine.accountFollowMe`), dark on the fleet.
|
|
9
|
+
|
|
10
|
+
## What to Tell Your User
|
|
11
|
+
|
|
12
|
+
When you let one of your machines borrow another's subscription, signing in is now self-serve from the dashboard. After you tap "Sign in" and authenticate, paste the code the page gives you into the box right there on the card and tap Submit — it goes straight to the machine doing the login over the secure connection, never through chat. The card then updates to "Done." No more sending a sign-in code through a message for me to paste by hand.
|
|
13
|
+
|
|
14
|
+
## Summary of New Capabilities
|
|
15
|
+
|
|
16
|
+
- **Paste your sign-in code on the card (off-chat).** The account-follow-me pending-login card now has a code field + "Submit code" button for the two-part Claude sign-in. The code travels over the authenticated dashboard API to the machine doing the login — never through chat — and the card shows the real outcome (done / finishing / needs another try). Dev-gated; dark on the fleet.
|
|
17
|
+
|
|
18
|
+
## Evidence
|
|
19
|
+
|
|
20
|
+
- `tests/integration/account-follow-me-submit-code-route.test.ts` — 12 tests over the full HTTP pipeline (target route + fronting relay): dark→503, missing/whitespace/control-char code→400, wrong-kind→409, no-pending→404, pane-not-at-prompt→409 (code never typed), concurrent double-submit→409 (mutex), happy-path→201 validated (code typed, value never echoed in the response), self→loopback relay→201, unreachable peer→502.
|
|
21
|
+
- `tests/unit/framework-login-driver.test.ts` — 17 tests incl. the shared `enrollPaneSessionName` helper (regression guard against pane-name drift between spawn and submit).
|
|
22
|
+
- `tests/unit/subscriptions-render.test.ts` (28) + `tests/unit/follow-me-controller-wiring.test.ts` (6) — the code field renders only for `url-code-paste` logins, and a Submit tap POSTs `{id, machineId, code}` to the relay (empty field does not POST).
|
|
23
|
+
- `npx tsc --noEmit` clean; `pnpm build` clean.
|
|
@@ -0,0 +1,105 @@
|
|
|
1
|
+
# Side-effects review — WS5.2 Account Follow-Me operator code paste-back
|
|
2
|
+
|
|
3
|
+
Spec: `docs/specs/ws52-code-paste-back.md` · ELI16: `docs/specs/ws52-code-paste-back.eli16.md`
|
|
4
|
+
Parent principle: Operator-Surface Quality (constitution → Interaction family)
|
|
5
|
+
|
|
6
|
+
## What the change is
|
|
7
|
+
|
|
8
|
+
The account-follow-me `url-code-paste` login is a two-part flow: (1) the operator opens the
|
|
9
|
+
verification URL and authenticates, (2) the provider hands back an authorization code that must
|
|
10
|
+
be pasted into the waiting `claude auth login` process. The dashboard card surfaced part 1 but
|
|
11
|
+
had no field for part 2, so the operator (live proof 2026-06-18) ended up routing the code through
|
|
12
|
+
Telegram and the agent relayed it by hand. This adds: a code field on the card, a target-local
|
|
13
|
+
route that types the code into the waiting pane and drives to a real outcome, and a fronting relay
|
|
14
|
+
so the operator's single dashboard hands the code one authed hop to the machine owning the pane.
|
|
15
|
+
|
|
16
|
+
Files: `src/server/routes.ts` (two routes + per-login mutex), `src/core/FrameworkLoginDriver.ts`
|
|
17
|
+
(shared `enrollPaneSessionName` helper), `src/commands/server.ts` (use the shared helper),
|
|
18
|
+
`dashboard/subscriptions.js` (code field + `wireCodeSubmit`). Tests: route integration,
|
|
19
|
+
render unit, controller-wiring unit, helper unit.
|
|
20
|
+
|
|
21
|
+
## 1. Over-block — legitimate inputs rejected that shouldn't be
|
|
22
|
+
|
|
23
|
+
The code-shape validation rejects any value containing whitespace or control chars. Some users
|
|
24
|
+
paste a code with surrounding whitespace — handled: the **client trims** leading/trailing
|
|
25
|
+
whitespace before submitting, and the server validates the trimmed value, so harmless surrounding
|
|
26
|
+
whitespace is tolerated; only embedded whitespace/control chars (which would break pane input) are
|
|
27
|
+
rejected. The validation is reject-unsafe, not enumerate-allowed (FD11), so unusual but valid
|
|
28
|
+
provider code charsets (punctuation, URL-safe base64) are accepted.
|
|
29
|
+
|
|
30
|
+
## 2. Under-block — failure modes still missed
|
|
31
|
+
|
|
32
|
+
- A genuinely malformed but whitespace-free code is accepted and typed into the pane; the provider
|
|
33
|
+
rejects it and the login stays open. Mitigation: the client surfaces an honest "re-tap the
|
|
34
|
+
sign-in link" message on a non-validated outcome; no false "done".
|
|
35
|
+
- If the pane reconstruction were wrong, the code would go nowhere. Mitigated structurally: the
|
|
36
|
+
pane name is derived through the single shared `enrollPaneSessionName` helper used by BOTH the
|
|
37
|
+
spawn and this route (cannot drift), plus a pane-existence check (409 if not waiting).
|
|
38
|
+
|
|
39
|
+
## 3. Level-of-abstraction fit
|
|
40
|
+
|
|
41
|
+
Correct layer. The routes sit alongside the existing `/subscription-pool/follow-me/enroll/*`
|
|
42
|
+
routes and reuse the proven follow-me machinery: the S7 email-gate (`completeFollowMe`) is the
|
|
43
|
+
account validator, `SubscriptionPool.add` the sink, `resolvePeerUrls()` the cross-machine hop,
|
|
44
|
+
`SessionManager.sendInput` (already argv-safe) the pane delivery. No new subsystem; the only new
|
|
45
|
+
shared primitive (`enrollPaneSessionName`) de-duplicates a formula that previously lived in two
|
|
46
|
+
places.
|
|
47
|
+
|
|
48
|
+
## 4. Signal vs authority compliance
|
|
49
|
+
|
|
50
|
+
No brittle blocking authority added. The routes are dev-gated (503 when off) and deny-by-default
|
|
51
|
+
via the existing enroll gate. They carry **no new credential-returning authority**; they add a
|
|
52
|
+
**narrow paste-back authority** (typing the operator's own single-use code into the operator's own
|
|
53
|
+
login) bounded by: dev-gate, Bearer-auth, the `url-code-paste` kind guard, the pending-login
|
|
54
|
+
lookup, the pane-existence check, the single-token code-shape validation, and the per-login
|
|
55
|
+
in-flight mutex. The actual account-acceptance decision remains the S7 identity-oracle email gate
|
|
56
|
+
(unchanged) — file-existence is only a trigger, never the validator.
|
|
57
|
+
|
|
58
|
+
## 5. Interactions
|
|
59
|
+
|
|
60
|
+
- Reuses `completeFollowMe` → identical email-gate behavior as the existing complete route
|
|
61
|
+
(validated/held/HIGH-attention-on-mismatch). No new account ever bypasses S7.
|
|
62
|
+
- The per-login in-flight mutex prevents two rapid submits from interleaving into one pane; the
|
|
63
|
+
client also disables the button on submit (defense in depth).
|
|
64
|
+
- A successful submit removes the pending login (via `completeFollowMe`), so a replay is a 404 —
|
|
65
|
+
one-shot by construction, layered on the provider's single-use code.
|
|
66
|
+
- No shadowing/double-fire with the reissue/complete sweep: on poll-timeout the route returns
|
|
67
|
+
`submitted` and the existing sweep finishes the login (the route does not duplicate that path).
|
|
68
|
+
|
|
69
|
+
## 6. External surfaces
|
|
70
|
+
|
|
71
|
+
- New dashboard UI element (code field + Submit button) on the Subscriptions tab pending-login
|
|
72
|
+
card — operator-facing, off-chat. No raw internals exposed (login id / machineId are
|
|
73
|
+
de-emphasized data attributes, not displayed). Operators act in taps + a single paste.
|
|
74
|
+
- The OAuth authorization code travels over the Bearer-authed API + authed mesh hop ONLY, never
|
|
75
|
+
any chat/messaging surface. It is never stored or logged (value redacted; only a greppable
|
|
76
|
+
terminal-outcome key is logged).
|
|
77
|
+
- No change visible to other agents.
|
|
78
|
+
|
|
79
|
+
## 7. Multi-machine posture (Cross-Machine Coherence)
|
|
80
|
+
|
|
81
|
+
Machine-local execution, proxied-on-WRITE by design (FD9). The login pane is inherently
|
|
82
|
+
machine-local (a tmux pane on the target's disk). The operator's SINGLE fronting dashboard calls
|
|
83
|
+
the relay; the relay forwards one authed hop to the pane's owning machine via `resolvePeerUrls()`
|
|
84
|
+
(self → loopback). No durable state is introduced that could strand on a topic transfer (the only
|
|
85
|
+
state is the existing `PendingLogin`); no URLs are generated that must survive a machine boundary;
|
|
86
|
+
an offline target returns an honest 502, never a false ok. Single-machine agents: the relay calls
|
|
87
|
+
local — a no-op difference.
|
|
88
|
+
|
|
89
|
+
## 8. Rollback cost
|
|
90
|
+
|
|
91
|
+
Cheap. The feature is dev-gated (`multiMachine.accountFollowMe`) and dark on the fleet. Back-out
|
|
92
|
+
is reverting the four source files; no data migration, no persistent schema, no agent-state repair
|
|
93
|
+
(the only state touched is the existing transient `PendingLogin`, unchanged in shape). The static
|
|
94
|
+
dashboard JS is served from disk per-request, so a client revert needs no restart.
|
|
95
|
+
|
|
96
|
+
## Cross-model review note
|
|
97
|
+
|
|
98
|
+
Codex (gpt-5.5) reviewed across rounds: round 1 surfaced 6 findings (pane-name drift, code
|
|
99
|
+
escaping, replay/one-shot, authority framing, weak completion oracle, UX code ambiguity) — all
|
|
100
|
+
addressed (shared helper, code-shape validation, kind guard + login-removal one-shot, S7-as-
|
|
101
|
+
validator clarification, client copy). Round 2 surfaced MINOR refinements (concurrent-submit
|
|
102
|
+
mutex, explicit charset/cap, client trim, "submitted"-is-success-pending, authority wording) —
|
|
103
|
+
all addressed (mutex code + FD10–FD12 + Decision-Points rewording). Gemini degraded (timeout) and
|
|
104
|
+
is recorded as such. The Standards-Conformance Gate flagged Observability (addressed via the
|
|
105
|
+
greppable terminal-outcome log).
|