instar 1.3.726 → 1.3.728
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/commands/server.d.ts.map +1 -1
- package/dist/commands/server.js +53 -4
- package/dist/commands/server.js.map +1 -1
- package/dist/core/IntelligenceRouter.d.ts +57 -0
- package/dist/core/IntelligenceRouter.d.ts.map +1 -1
- package/dist/core/IntelligenceRouter.js +135 -20
- package/dist/core/IntelligenceRouter.js.map +1 -1
- package/dist/core/types.d.ts +39 -0
- package/dist/core/types.d.ts.map +1 -1
- package/dist/core/types.js.map +1 -1
- package/dist/messaging/slack/SlackAdapter.d.ts +15 -0
- package/dist/messaging/slack/SlackAdapter.d.ts.map +1 -1
- package/dist/messaging/slack/SlackAdapter.js +20 -2
- package/dist/messaging/slack/SlackAdapter.js.map +1 -1
- package/dist/messaging/slack/types.d.ts +38 -0
- package/dist/messaging/slack/types.d.ts.map +1 -1
- package/dist/messaging/slack/types.js +4 -0
- package/dist/messaging/slack/types.js.map +1 -1
- package/dist/permissions/TestWorkspacePrincipalSource.d.ts +133 -0
- package/dist/permissions/TestWorkspacePrincipalSource.d.ts.map +1 -0
- package/dist/permissions/TestWorkspacePrincipalSource.js +189 -0
- package/dist/permissions/TestWorkspacePrincipalSource.js.map +1 -0
- package/dist/permissions/index.d.ts +1 -0
- package/dist/permissions/index.d.ts.map +1 -1
- package/dist/permissions/index.js +1 -0
- package/dist/permissions/index.js.map +1 -1
- package/package.json +1 -1
- package/src/data/builtin-manifest.json +2 -2
- package/upgrades/1.3.728.md +215 -0
- package/upgrades/side-effects/per-target-swap-timeout.md +120 -0
- package/upgrades/side-effects/slack-test-workspace-principal-source.md +227 -0
- package/upgrades/1.3.726.md +0 -61
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../src/commands/server.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AA+CH,OAAO,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAC;AAU3D,OAAO,EAAE,eAAe,EAAiC,MAAM,iCAAiC,CAAC;AAyBjG,OAAO,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAC;AAGvD,OAAO,EAAE,YAAY,EAAE,MAAM,+BAA+B,CAAC;AA6H7D,OAAO,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AAgFtD;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,yBAAyB,CACvC,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,EACf,gBAAgB,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAC1C,OAAO,CAUT;AAyID,UAAU,YAAY;IACpB,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb;2DACuD;IACvD,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AAi/CD,wBAAgB,mBAAmB,CACjC,QAAQ,EAAE,eAAe,EACzB,cAAc,EAAE,cAAc,EAC9B,YAAY,CAAC,EAAE,YAAY,EAC3B,WAAW,CAAC,EAAE,WAAW,EACzB,WAAW,CAAC,EAAE,WAAW,EACzB,iBAAiB,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,OAAO,CAAC,EAGvE,UAAU,CAAC,EAAE,MAAM,OAAO,8BAA8B,EAAE,WAAW,GAAG,IAAI,EAK5E,qBAAqB,CAAC,EAAE,MAAM,OAAO,gCAAgC,EAAE,kBAAkB,GAAG,IAAI,EAKhG,mBAAmB,CAAC,EAAE,MAAM,MAAM,GAAG,IAAI,GAAG,SAAS,GACpD,IAAI,CAijBN;AA2lBD,wBAAsB,WAAW,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,
|
|
1
|
+
{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../src/commands/server.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AA+CH,OAAO,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAC;AAU3D,OAAO,EAAE,eAAe,EAAiC,MAAM,iCAAiC,CAAC;AAyBjG,OAAO,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAC;AAGvD,OAAO,EAAE,YAAY,EAAE,MAAM,+BAA+B,CAAC;AA6H7D,OAAO,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AAgFtD;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,yBAAyB,CACvC,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,EACf,gBAAgB,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAC1C,OAAO,CAUT;AAyID,UAAU,YAAY;IACpB,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb;2DACuD;IACvD,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AAi/CD,wBAAgB,mBAAmB,CACjC,QAAQ,EAAE,eAAe,EACzB,cAAc,EAAE,cAAc,EAC9B,YAAY,CAAC,EAAE,YAAY,EAC3B,WAAW,CAAC,EAAE,WAAW,EACzB,WAAW,CAAC,EAAE,WAAW,EACzB,iBAAiB,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,OAAO,CAAC,EAGvE,UAAU,CAAC,EAAE,MAAM,OAAO,8BAA8B,EAAE,WAAW,GAAG,IAAI,EAK5E,qBAAqB,CAAC,EAAE,MAAM,OAAO,gCAAgC,EAAE,kBAAkB,GAAG,IAAI,EAKhG,mBAAmB,CAAC,EAAE,MAAM,MAAM,GAAG,IAAI,GAAG,SAAS,GACpD,IAAI,CAijBN;AA2lBD,wBAAsB,WAAW,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CA68jBtE;AAED,wBAAsB,UAAU,CAAC,OAAO,EAAE;IAAE,GAAG,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAsDzE;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,aAAa,CAAC,OAAO,EAAE;IAAE,GAAG,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAuD5E"}
|
package/dist/commands/server.js
CHANGED
|
@@ -5457,6 +5457,14 @@ export async function startServer(options) {
|
|
|
5457
5457
|
// §4.5: per-attempt swap timeout, inline-defaulted to 5s (no ConfigDefaults
|
|
5458
5458
|
// entry — codexExecJson precedent; absent ⇒ 5s, present ⇒ operator's value).
|
|
5459
5459
|
swapAttemptTimeoutMs: config.intelligence?.swapAttemptTimeoutMs ?? 5000,
|
|
5460
|
+
// Per-target swap caps + clamp + total budget (docs/specs/
|
|
5461
|
+
// per-target-swap-timeout-spec.md): all three thread through UNSET by
|
|
5462
|
+
// default — dark ship, byte-identical routing behavior until the operator
|
|
5463
|
+
// opts in. Validation (invalid → fall-through / 120s default / treated
|
|
5464
|
+
// unset) happens inside the router's resolveSwapCap, never here.
|
|
5465
|
+
swapAttemptTimeoutMsByFramework: config.intelligence?.swapAttemptTimeoutMsByFramework,
|
|
5466
|
+
swapAttemptTimeoutMsMax: config.intelligence?.swapAttemptTimeoutMsMax,
|
|
5467
|
+
swapTotalBudgetMs: config.intelligence?.swapTotalBudgetMs,
|
|
5460
5468
|
// The dedicated queue for the DEFERRABLE queue rung (§3b.3); undefined when the rung is
|
|
5461
5469
|
// dark ⇒ the rung is a no-op (a deferrable call falls straight to its heuristic, as before).
|
|
5462
5470
|
llmQueue: degradationLadderQueue,
|
|
@@ -6651,7 +6659,7 @@ export async function startServer(options) {
|
|
|
6651
6659
|
const slackCfg = slackConfig.config;
|
|
6652
6660
|
const pgCfg = slackCfg.permissionGate;
|
|
6653
6661
|
if (pgCfg && (pgCfg.observeOnly || pgCfg.enforce)) {
|
|
6654
|
-
const { SlackPermissionObserver, SlackPrincipalResolver, SlackPermissionGate, PermissionDecisionLedger, RolePolicy, HeuristicIntentClassifier, LlmIntentClassifier, HeuristicAnomalyScorer, RelationshipBehaviorStore, RelationshipAnomalyScorer, MandateBackedGrantStore, } = await import('../permissions/index.js');
|
|
6662
|
+
const { SlackPermissionObserver, SlackPrincipalResolver, SlackPermissionGate, PermissionDecisionLedger, RolePolicy, HeuristicIntentClassifier, LlmIntentClassifier, HeuristicAnomalyScorer, RelationshipBehaviorStore, RelationshipAnomalyScorer, MandateBackedGrantStore, TestWorkspacePrincipalSource, ChainedUserLookup, } = await import('../permissions/index.js');
|
|
6655
6663
|
// Own UserManager instance for verified-principal resolution (the
|
|
6656
6664
|
// Telegram-block userManager is out of scope here). Reads users.json.
|
|
6657
6665
|
const slackUserManager = new UserManager(config.stateDir, config.users);
|
|
@@ -6742,10 +6750,51 @@ export async function startServer(options) {
|
|
|
6742
6750
|
});
|
|
6743
6751
|
console.log(`[slack] relationship-aware anomaly scorer attached (observe-only baseline; LLM style check ${raCfg.useLlmStyleCheck ? 'ON' : 'off'}; poisoning-resistance: min-age ${pr.minBaselineAgeDays ?? 7}d, rate-cap ${pr.maxObservationsPerWindow ?? 50}/window, decay ${pr.decayHalfLifeWindows ?? 30}w)`);
|
|
6744
6752
|
}
|
|
6753
|
+
// ── Principal resolution: production registry first; optionally chained
|
|
6754
|
+
// with the sanctioned test-cast source (roadmap 0.3 entry condition).
|
|
6755
|
+
// The cast source is workspace-scoped (VERIFIED connected team id from
|
|
6756
|
+
// auth.test — fail-closed until verified), fixture-marker-only (the
|
|
6757
|
+
// partition invariant: the production registry refuses fixtures, this
|
|
6758
|
+
// source accepts ONLY fixtures — one identity space, two disjoint homes),
|
|
6759
|
+
// and read-only (it never touches users.json; the fixture-identity
|
|
6760
|
+
// guard's production invariant is fully intact).
|
|
6761
|
+
const productionLookup = {
|
|
6762
|
+
resolveFromSlackUserId: (id) => slackUserManager.resolveFromSlackUserId(id),
|
|
6763
|
+
};
|
|
6764
|
+
let principalLookup = productionLookup;
|
|
6765
|
+
const tcCfg = pgCfg.testCast;
|
|
6766
|
+
if (tcCfg && typeof tcCfg.workspaceId === 'string' && tcCfg.workspaceId.trim()
|
|
6767
|
+
&& Array.isArray(tcCfg.principals) && tcCfg.principals.length > 0) {
|
|
6768
|
+
try {
|
|
6769
|
+
const adapterForScope = slackAdapter;
|
|
6770
|
+
const testCastSource = new TestWorkspacePrincipalSource({
|
|
6771
|
+
workspaceId: tcCfg.workspaceId,
|
|
6772
|
+
testWorkspace: tcCfg.testWorkspace === true,
|
|
6773
|
+
principals: tcCfg.principals,
|
|
6774
|
+
getVerifiedWorkspaceId: () => adapterForScope?.getConnectedTeamId() ?? null,
|
|
6775
|
+
});
|
|
6776
|
+
if (testCastSource.disabled) {
|
|
6777
|
+
// Fail-closed: the source already logged the single loud line
|
|
6778
|
+
// (missing "testWorkspace: true"). Stay production-registry-only —
|
|
6779
|
+
// do NOT attach an inert chain, so behavior is byte-identical to
|
|
6780
|
+
// having no cast configured.
|
|
6781
|
+
}
|
|
6782
|
+
else {
|
|
6783
|
+
for (const r of testCastSource.rejected) {
|
|
6784
|
+
console.warn(`[slack] test-cast principal REFUSED (${r.reason}): "${r.slackUserId}" — the cast admits fixture-marker identities only (see users/testIdentityMarkers.ts)`);
|
|
6785
|
+
}
|
|
6786
|
+
principalLookup = new ChainedUserLookup([productionLookup, testCastSource]);
|
|
6787
|
+
console.log(`[slack] permission-gate test-cast principal source attached: workspace ${tcCfg.workspaceId}, ` +
|
|
6788
|
+
`${testCastSource.size} seat(s) admitted, ${testCastSource.rejected.length} refused ` +
|
|
6789
|
+
`(production registry takes precedence; cast inert until the connected team id is verified)`);
|
|
6790
|
+
}
|
|
6791
|
+
}
|
|
6792
|
+
catch (tce) {
|
|
6793
|
+
console.warn('[slack] test-cast principal source wiring skipped:', tce.message);
|
|
6794
|
+
}
|
|
6795
|
+
}
|
|
6745
6796
|
const observer = new SlackPermissionObserver({
|
|
6746
|
-
resolver: new SlackPrincipalResolver(
|
|
6747
|
-
resolveFromSlackUserId: (id) => slackUserManager.resolveFromSlackUserId(id),
|
|
6748
|
-
}),
|
|
6797
|
+
resolver: new SlackPrincipalResolver(principalLookup),
|
|
6749
6798
|
gate: new SlackPermissionGate({
|
|
6750
6799
|
rolePolicy: new RolePolicy(),
|
|
6751
6800
|
classifier: intentClassifier,
|