instar 1.3.728 → 1.3.730
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/commands/server.d.ts.map +1 -1
- package/dist/commands/server.js +259 -2
- package/dist/commands/server.js.map +1 -1
- package/dist/config/ConfigDefaults.d.ts.map +1 -1
- package/dist/config/ConfigDefaults.js +11 -0
- package/dist/config/ConfigDefaults.js.map +1 -1
- package/dist/core/FileClassifier.d.ts.map +1 -1
- package/dist/core/FileClassifier.js +11 -0
- package/dist/core/FileClassifier.js.map +1 -1
- package/dist/core/LocalSessionOwnershipStore.d.ts +5 -0
- package/dist/core/LocalSessionOwnershipStore.d.ts.map +1 -1
- package/dist/core/LocalSessionOwnershipStore.js +13 -0
- package/dist/core/LocalSessionOwnershipStore.js.map +1 -1
- package/dist/core/ModelSwapService.d.ts +13 -0
- package/dist/core/ModelSwapService.d.ts.map +1 -1
- package/dist/core/ModelSwapService.js +11 -0
- package/dist/core/ModelSwapService.js.map +1 -1
- package/dist/core/ModelTierEscalation.d.ts +10 -0
- package/dist/core/ModelTierEscalation.d.ts.map +1 -1
- package/dist/core/ModelTierEscalation.js +4 -0
- package/dist/core/ModelTierEscalation.js.map +1 -1
- package/dist/core/PostUpdateMigrator.d.ts +1 -0
- package/dist/core/PostUpdateMigrator.d.ts.map +1 -1
- package/dist/core/PostUpdateMigrator.js +35 -0
- package/dist/core/PostUpdateMigrator.js.map +1 -1
- package/dist/core/ProactiveSwapMonitor.d.ts +74 -20
- package/dist/core/ProactiveSwapMonitor.d.ts.map +1 -1
- package/dist/core/ProactiveSwapMonitor.js +349 -28
- package/dist/core/ProactiveSwapMonitor.js.map +1 -1
- package/dist/core/QuotaAwareScheduler.d.ts +70 -3
- package/dist/core/QuotaAwareScheduler.d.ts.map +1 -1
- package/dist/core/QuotaAwareScheduler.js +100 -16
- package/dist/core/QuotaAwareScheduler.js.map +1 -1
- package/dist/core/SessionBuildContextStore.d.ts +20 -0
- package/dist/core/SessionBuildContextStore.d.ts.map +1 -1
- package/dist/core/SessionBuildContextStore.js +20 -3
- package/dist/core/SessionBuildContextStore.js.map +1 -1
- package/dist/core/SessionManager.d.ts +33 -0
- package/dist/core/SessionManager.d.ts.map +1 -1
- package/dist/core/SessionManager.js +105 -0
- package/dist/core/SessionManager.js.map +1 -1
- package/dist/core/SessionOwnershipRegistry.d.ts +16 -0
- package/dist/core/SessionOwnershipRegistry.d.ts.map +1 -1
- package/dist/core/SessionOwnershipRegistry.js +13 -0
- package/dist/core/SessionOwnershipRegistry.js.map +1 -1
- package/dist/core/SessionRefresh.d.ts +116 -1
- package/dist/core/SessionRefresh.d.ts.map +1 -1
- package/dist/core/SessionRefresh.js +280 -17
- package/dist/core/SessionRefresh.js.map +1 -1
- package/dist/core/StateManager.d.ts +20 -0
- package/dist/core/StateManager.d.ts.map +1 -1
- package/dist/core/StateManager.js +72 -4
- package/dist/core/StateManager.js.map +1 -1
- package/dist/core/SwapAntiThrash.d.ts +329 -0
- package/dist/core/SwapAntiThrash.d.ts.map +1 -0
- package/dist/core/SwapAntiThrash.js +1025 -0
- package/dist/core/SwapAntiThrash.js.map +1 -0
- package/dist/core/SwapLedger.d.ts +168 -0
- package/dist/core/SwapLedger.d.ts.map +1 -0
- package/dist/core/SwapLedger.js +275 -0
- package/dist/core/SwapLedger.js.map +1 -0
- package/dist/core/SwapWorkGate.d.ts +100 -0
- package/dist/core/SwapWorkGate.d.ts.map +1 -0
- package/dist/core/SwapWorkGate.js +175 -0
- package/dist/core/SwapWorkGate.js.map +1 -0
- package/dist/core/WriteAdmission.d.ts +277 -0
- package/dist/core/WriteAdmission.d.ts.map +1 -0
- package/dist/core/WriteAdmission.js +514 -0
- package/dist/core/WriteAdmission.js.map +1 -0
- package/dist/core/WriteDomainRegistry.d.ts +132 -0
- package/dist/core/WriteDomainRegistry.d.ts.map +1 -0
- package/dist/core/WriteDomainRegistry.js +186 -0
- package/dist/core/WriteDomainRegistry.js.map +1 -0
- package/dist/core/devGatedFeatures.d.ts.map +1 -1
- package/dist/core/devGatedFeatures.js +12 -0
- package/dist/core/devGatedFeatures.js.map +1 -1
- package/dist/core/types.d.ts +89 -1
- package/dist/core/types.d.ts.map +1 -1
- package/dist/core/types.js.map +1 -1
- package/dist/monitoring/guardManifest.d.ts.map +1 -1
- package/dist/monitoring/guardManifest.js +58 -1
- package/dist/monitoring/guardManifest.js.map +1 -1
- package/dist/scaffold/templates.d.ts.map +1 -1
- package/dist/scaffold/templates.js +3 -1
- package/dist/scaffold/templates.js.map +1 -1
- package/dist/server/AgentServer.d.ts +3 -0
- package/dist/server/AgentServer.d.ts.map +1 -1
- package/dist/server/AgentServer.js +20 -0
- package/dist/server/AgentServer.js.map +1 -1
- package/dist/server/CapabilityIndex.d.ts.map +1 -1
- package/dist/server/CapabilityIndex.js +1 -0
- package/dist/server/CapabilityIndex.js.map +1 -1
- package/dist/server/routes.d.ts +6 -0
- package/dist/server/routes.d.ts.map +1 -1
- package/dist/server/routes.js +115 -3
- package/dist/server/routes.js.map +1 -1
- package/package.json +1 -1
- package/src/data/builtin-manifest.json +65 -65
- package/src/scaffold/templates.ts +3 -1
- package/upgrades/1.3.729.md +92 -0
- package/upgrades/1.3.730.md +112 -0
- package/upgrades/side-effects/standby-write-reconciliation.md +62 -0
- package/upgrades/side-effects/swap-continuity-antithrash.md +118 -0
|
@@ -106,6 +106,13 @@ Two reconcilers keep a multi-machine mesh from drifting into the wrong shape. Bo
|
|
|
106
106
|
- **When to use** (PROACTIVE — these are the triggers): user asks "why did my conversation move machines by itself?" → read the claim trace (\`logs/stale-owner-release.jsonl\`) + \`GET /pool/placement?topic=N\` and explain the episode honestly. "why did serving move back to the Mini by itself?" → the hand-back reconciler; \`GET /pool/lease-handback\` names the episode + latch state. "is auto-failover healthy?" → \`GET /pool/stale-owner-release\`.
|
|
107
107
|
`;
|
|
108
108
|
}
|
|
109
|
+
export function WRITE_ADMISSION_CLAUDEMD_SECTION(port) {
|
|
110
|
+
return `\n### Write Admission (⚗️ experimental, dry-run — why did my write get a 409 naming another machine?)
|
|
111
|
+
|
|
112
|
+
On a multi-machine setup, writes are classified by DOMAIN (machine-local / session-scoped / topic-scoped / cluster-shared) and admitted by ownership instead of the old blanket "standby is read-only" boolean. A write this machine genuinely must not perform gets a TYPED 409 refusal in <2s — \`{ error: "write-refused", code, owner, leaseHolder, retryable }\` with a \`Retry-After\` header — never a hang. Ships dev-gated + dry-run FIRST: while dry, the legacy standby guard keeps enforcing and the layer only logs would-verdicts.
|
|
113
|
+
- Status + per-domain counters + recent refusals + the event-loop-lag gauge: \`curl -H "Authorization: Bearer $AUTH" http://localhost:${port}/write-admission\` (503 when dark). Refusal audit: \`logs/write-admission.jsonl\`.
|
|
114
|
+
- **When to use** (PROACTIVE): a write of mine (or a route like \`POST /evolution/actions\` / \`POST /attention\`) answers 409 \`write-refused\` naming another machine → that state belongs to the named owner; re-send it there — do NOT auto-move the topic (moving is a consent-gated operator decision, the refusal hint is advisory prose). "Are writes hanging or being refused?" → read \`GET /write-admission\` (the eventLoop block attributes hang windows to loop starvation) instead of guessing. A refusal storm surfaces as ONE deduped attention item, never a flood.\n`;
|
|
115
|
+
}
|
|
109
116
|
export function PLAYWRIGHT_PROFILE_REGISTRY_CLAUDEMD_SECTION(port) {
|
|
110
117
|
return `\n### Playwright Profile Registry (which browser profile holds which account)
|
|
111
118
|
|
|
@@ -4186,6 +4193,16 @@ setTimeout(() => process.exit(0), 2000);
|
|
|
4186
4193
|
patched = true;
|
|
4187
4194
|
result.upgraded.push('CLAUDE.md: added Mesh Self-Healing (U4.2/U4.4) section');
|
|
4188
4195
|
}
|
|
4196
|
+
// Write Admission (standby-write-reconciliation §7 migration parity) —
|
|
4197
|
+
// Agent Awareness: existing agents learn the GET /write-admission surface
|
|
4198
|
+
// + the "why did my write get a 409 naming another machine?" proactive
|
|
4199
|
+
// trigger. Honestly tagged experimental/dry-run (Maturity Honesty).
|
|
4200
|
+
// Content-sniffed on the heading.
|
|
4201
|
+
if (!content.includes('Write Admission')) {
|
|
4202
|
+
content += WRITE_ADMISSION_CLAUDEMD_SECTION(port);
|
|
4203
|
+
patched = true;
|
|
4204
|
+
result.upgraded.push('CLAUDE.md: added Write Admission section');
|
|
4205
|
+
}
|
|
4189
4206
|
// Dynamic MCP Lifecycle (DYNAMIC-MCP-LIFECYCLE-SPEC) — Agent Awareness +
|
|
4190
4207
|
// Migration Parity: existing agents learn the dark/opt-in load-on-demand
|
|
4191
4208
|
// capability, the /mcp/* surface, the Know-Your-Principal authorization rule,
|
|
@@ -4495,6 +4512,7 @@ Rule: I do not state that work landed inside another agent's state unless I have
|
|
|
4495
4512
|
- **Quota across ALL my machines** (pool-scope read) — \`GET /subscription-pool?scope=pool\` fans out to every ONLINE peer's plain pool, tags each account with the machine holding it (\`machineId\`/\`machineNickname\`/\`remote:true\`), and merges into ONE dark-peer-tolerant object \`{ enabled, accounts:[...], pool:{ selfMachineId, peersQueried, peersOk, failed }, scope:'pool' }\`. A down/slow/unauth peer is a classified \`pool.failed\` row (normalized reason — never a peer URL or token), never a silent omission and never a 500. Per-machine seat is meaningful, so the SAME account on two machines stays individually visible (never coalesced). Single-machine → the plain self-only view tagged \`scope:'pool'\`. Use this when the operator asks "how much quota is left across ALL my machines?".
|
|
4496
4513
|
- **Continuity guarantee** — a long session that hits its account's quota resumes on another eligible account (conversation preserved via \`--resume\`), never dies. Manual lever: \`POST /subscription-pool/swap\` \`{"sessionName":"...","exhaustedAccountId":"..."}\`. Auto-swap on rate-limit ships OFF (opt-in via \`subscriptionPool.autoSwapOnRateLimit\` — it moves a live session, real authority).
|
|
4497
4514
|
- **Pre-limit (proactive) swap** — beyond the reactive swap above, I can move a session OFF an account BEFORE it walls, at a lag-aware measured threshold (default 80% — the polled reading trails real usage, so the swap completes with margin). It also covers the UNTAGGED interactive session (resolves its account from the default login), so the session you talk to doesn't wedge at the wall. Opt-in via \`subscriptionPool.proactiveSwap.enabled\` (same authority as auto-swap, earlier trigger). Status: \`GET /subscription-pool/proactive-swap\`; run a pass now: \`POST /subscription-pool/proactive-swap/check\`.
|
|
4515
|
+
- **Anti-thrash brakes + in-flight work protection on swaps** — the proactive swap carries brakes so it can never ping-pong sessions between hot accounts: when EVERY account is hot it STAYS PUT (\`all-hot\` refusal), a just-swapped session dwells ~45 min before it can be moved again (restart-safe via \`state/swap-ledger.jsonl\`), and a swap only executes onto a target that is MATERIALLY cooler on a fresh quota reading. A session mid-turn or carrying live subagents is never killed by an optimization — the swap DEFERS until the work lands (a forced/reactive kill carries a mitigation note enumerating interrupted subagents + re-injecting the last unanswered message). Brakes ship dry-run first (\`subscriptionPool.proactiveSwap.antiThrash.dryRun\`); the work gate's \`subscriptionPool.swapContinuity.enabled\` is restart-required. "Why didn't my session swap?" → \`GET /subscription-pool/proactive-swap\` \`brakes\`/\`deferrals\` blocks name the refusal; "why did my refresh get a session-busy error?" → the work gate refused to kill in-flight work — wait, or re-issue with \`force:true\`.
|
|
4498
4516
|
- **Enroll a new account from your phone** — \`POST /subscription-pool/enroll\` \`{"id","label","provider","framework","configHome"}\` starts a login and returns a public code/URL (never a token); \`GET /subscription-pool/pending-logins\` is the surface; expired codes are auto-reissued. Mark done with \`POST /subscription-pool/enroll/:id/complete\`.
|
|
4499
4517
|
- **Dashboard**: the **Subscriptions tab** shows live quota bars (5h + weekly + reset countdown), status, and the Pending Logins panel — share the dashboard URL + PIN.
|
|
4500
4518
|
- **When to use** (PROACTIVE): "how much quota is left across my accounts?" / "am I about to hit a limit?" → \`GET /subscription-pool\`; the user wants to add another subscription → drive the enrollment wizard (never ask them to paste a token); a long job is at risk of a quota wall → the continuity guarantee + \`/swap\` keep it alive. Single-account pools are a no-op.
|
|
@@ -4518,6 +4536,23 @@ Rule: I do not state that work landed inside another agent's state unless I have
|
|
|
4518
4536
|
result.upgraded.push('CLAUDE.md: added Subscription Pool pre-limit (proactive) swap bullet');
|
|
4519
4537
|
}
|
|
4520
4538
|
}
|
|
4539
|
+
// Swap-continuity anti-thrash awareness (swap-continuity-antithrash §9).
|
|
4540
|
+
// Existing agents that ALREADY carry the Subscription Pool section won't get
|
|
4541
|
+
// the new bullet from the section-install guard above. Patch it in
|
|
4542
|
+
// idempotently: insert the anti-thrash bullet right after the pre-limit
|
|
4543
|
+
// (proactive) swap bullet when the section exists but the bullet is missing.
|
|
4544
|
+
// Content-sniffed on the distinctive bullet title.
|
|
4545
|
+
if (content.includes('Subscription Pool (multi-account quota') &&
|
|
4546
|
+
content.includes('Pre-limit (proactive) swap') &&
|
|
4547
|
+
!content.includes('Anti-thrash brakes + in-flight work protection')) {
|
|
4548
|
+
const preLimitAnchor = '`GET /subscription-pool/proactive-swap`; run a pass now: `POST /subscription-pool/proactive-swap/check`.';
|
|
4549
|
+
const antiThrashBullet = '\n- **Anti-thrash brakes + in-flight work protection on swaps** — the proactive swap carries brakes so it can never ping-pong sessions between hot accounts: when EVERY account is hot it STAYS PUT (`all-hot` refusal), a just-swapped session dwells ~45 min before it can be moved again (restart-safe via `state/swap-ledger.jsonl`), and a swap only executes onto a target that is MATERIALLY cooler on a fresh quota reading. A session mid-turn or carrying live subagents is never killed by an optimization — the swap DEFERS until the work lands (a forced/reactive kill carries a mitigation note enumerating interrupted subagents + re-injecting the last unanswered message). Brakes ship dry-run first (`subscriptionPool.proactiveSwap.antiThrash.dryRun`); the work gate\'s `subscriptionPool.swapContinuity.enabled` is restart-required. "Why didn\'t my session swap?" → `GET /subscription-pool/proactive-swap` `brakes`/`deferrals` blocks name the refusal; "why did my refresh get a session-busy error?" → the work gate refused to kill in-flight work — wait, or re-issue with `force:true`.';
|
|
4550
|
+
if (content.includes(preLimitAnchor)) {
|
|
4551
|
+
content = content.replace(preLimitAnchor, preLimitAnchor + antiThrashBullet);
|
|
4552
|
+
patched = true;
|
|
4553
|
+
result.upgraded.push('CLAUDE.md: added Subscription Pool anti-thrash brakes + work-gate bullet');
|
|
4554
|
+
}
|
|
4555
|
+
}
|
|
4521
4556
|
// WS5.1 pool-scope read awareness. Existing agents that ALREADY carry the
|
|
4522
4557
|
// Subscription Pool section won't get the new bullet from the section-install
|
|
4523
4558
|
// guard above. Patch it in idempotently: insert the pool-scope bullet right
|