instar 1.3.744 → 1.3.746

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (25) hide show
  1. package/dist/core/PostUpdateMigrator.d.ts.map +1 -1
  2. package/dist/core/PostUpdateMigrator.js +13 -3
  3. package/dist/core/PostUpdateMigrator.js.map +1 -1
  4. package/dist/monitoring/delivery-failure-sentinel/recovery-policy.d.ts +7 -0
  5. package/dist/monitoring/delivery-failure-sentinel/recovery-policy.d.ts.map +1 -1
  6. package/dist/monitoring/delivery-failure-sentinel/recovery-policy.js +47 -0
  7. package/dist/monitoring/delivery-failure-sentinel/recovery-policy.js.map +1 -1
  8. package/dist/server/routes.d.ts +23 -0
  9. package/dist/server/routes.d.ts.map +1 -1
  10. package/dist/server/routes.js +112 -16
  11. package/dist/server/routes.js.map +1 -1
  12. package/package.json +4 -2
  13. package/scripts/lint-model-registry-freshness.mjs +192 -0
  14. package/scripts/model-registry-freshness.manifest.json +104 -0
  15. package/src/data/builtin-manifest.json +65 -65
  16. package/src/templates/scripts/slack-reply.sh +30 -0
  17. package/src/templates/scripts/telegram-reply.sh +50 -5
  18. package/upgrades/1.3.745.md +19 -0
  19. package/upgrades/1.3.746.md +43 -0
  20. package/upgrades/side-effects/model-registry-freshness-guard.md +53 -0
  21. package/upgrades/side-effects/slack-outbound-robustness-r8m1-arm-b-adapter-timeout.md +76 -0
  22. package/upgrades/side-effects/slack-outbound-robustness-r8m1-recovery-policy.md +110 -0
  23. package/upgrades/side-effects/slack-outbound-robustness-slack-delivery-id.md +83 -0
  24. package/upgrades/side-effects/slack-outbound-robustness-slack-forward-refusal.md +74 -0
  25. package/upgrades/side-effects/slack-outbound-robustness-telegram-prepost-mint.md +81 -0
@@ -0,0 +1,81 @@
1
+ # Side-Effects Review — Telegram pre-POST delivery-id mint + 409 Arm C
2
+
3
+ **Version / slug:** `slack-outbound-robustness-telegram-prepost-mint`
4
+ **Date:** `2026-07-03`
5
+ **Author:** `echo`
6
+ **Second-pass reviewer:** `not required`
7
+
8
+ ## Summary of the change
9
+
10
+ Two coupled fixes to the DEPLOYED Telegram reply script (spec §2.6 round-3 C1 + R8-M1 Arm C):
11
+
12
+ 1. **Pre-POST delivery-id mint (the latent double-post fix, task 2).** The deployed `telegram-reply.sh` mints the `delivery_id` at ENQUEUE time — i.e. only AFTER the first POST already failed — so the FIRST send is permanently outside the id-ledger guarantee. If the initial POST is accepted server-side but the response is lost to the script, the script enqueues under a FRESH id and a redrive past the content-dedup window re-POSTs the same message under an id the server never recorded → double-post. The fix mints the UUID BEFORE the initial POST and sends it as `X-Instar-DeliveryId` on the initial send; the server records THAT id the moment the send lands (the route already reads + records the header), and the enqueue reuses the exact same id + a mint-time `attempted_at`, so every redrive of that row is answered `idempotent:true`.
13
+ 2. **409 delivery-in-flight → NON-LOSING (Arm C).** The classifier gains a 409 branch: a structured `{ "error": "delivery-in-flight" }` (the §2.4 single-flight reservation race) is RECOVERABLE — enqueued under the same pre-minted id so the sentinel redrives and converges to idempotent. An UNSTRUCTURED 409 stays terminal (default-deny), matching `recovery-policy`'s deployed direction.
14
+
15
+ **Migration Parity:** the current shipped `telegram-reply.sh` SHA (`63ca933e…`) is added to `PostUpdateMigrator.TELEGRAM_REPLY_PRIOR_SHIPPED_SHAS` so deployed agents cleanly upgrade to the pre-POST-mint template on update (rather than getting a `.new` candidate).
16
+
17
+ Files touched: `src/templates/scripts/telegram-reply.sh`, `src/core/PostUpdateMigrator.ts` (SHA-history entry), `tests/unit/telegram-reply-prepost-mint.test.ts`.
18
+
19
+ ## Decision-point inventory
20
+
21
+ - `pre-POST DELIVERY_ID mint + ATTEMPTED_AT` — move — from inside the enqueue block to before the initial `curl`. A mint failure (python3 gone) degrades to a headerless send (fail toward delivery) and, on a later recoverable failure, skips the enqueue with the loud note (today's degraded behavior).
22
+ - `X-Instar-DeliveryId` on the initial curl — add — only when a mint succeeded.
23
+ - `409` classifier branch — add — structured `delivery-in-flight` → recoverable; unstructured → terminal.
24
+ - `TELEGRAM_REPLY_PRIOR_SHIPPED_SHAS` — add one entry — migration parity for the template change.
25
+
26
+ ## 1. Over-block
27
+
28
+ None. The initial send is unchanged except for one extra header; a mint failure keeps today's headerless send. No legitimate send is newly refused. An unstructured 409 stays terminal exactly as an unstructured 4xx does today (the script had no 409 branch, so a 409 previously fell to the terminal `else` — behavior preserved for the unstructured case).
29
+
30
+ ## 2. Under-block
31
+
32
+ `--max-time` on the initial curl (the §2.6 wedged-script gap + the round-7 phase-aware exit-28 classification) is NOT added in this increment — the deployed initial curl has no `--max-time` today, so this change keeps that exact behavior (a hang is a hang, as today) and only strictly improves the first-send id coverage. The exit-28 phase-aware split is tracked as remaining §2.6 machinery. A pre-POST mint failure still leaves the first send outside the ledger (headerless) — the honest, named degradation, identical to today's queue-write-skip.
33
+
34
+ ## 3. Level-of-abstraction fit
35
+
36
+ Yes. The delivery-id lifecycle belongs in the reply script (Layer 1) that owns the send; the route already reads + records the header. Moving the mint earlier in the SAME script is the minimal, correct place.
37
+
38
+ ## 4. Signal vs authority compliance
39
+
40
+ **Required reference:** [docs/signal-vs-authority.md](../../docs/signal-vs-authority.md)
41
+
42
+ - [x] No — a shell classifier that keys on an exact structured error code (`delivery-in-flight`) and a header add. It never withholds a message; it relaxes the never-seen-a-409 default toward the loss-free recoverable direction only for the exact structured code.
43
+
44
+ ## 5. Interactions
45
+
46
+ The pre-POST id composes with the deployed `/telegram/reply` X-Instar-DeliveryId LRU (records the id on the first successful send → a redrive is idempotent). The 409 branch composes with R8-M1 Arm A (`recovery-policy` retries structured 409). The enqueue's reuse of the pre-minted id is what makes the sentinel's redrive idempotent rather than a fresh double-post. Existing telegram-reply tests (advisory preflight, end-to-end enqueue, --max-time clamp) all still pass.
47
+
48
+ ## 6. External surfaces
49
+
50
+ No new route/config/env/CLI. One new outbound header on the initial `/telegram/reply` POST (`X-Instar-DeliveryId`), which the route already handles. One migration SHA entry.
51
+
52
+ ## 6b. Operator-surface quality
53
+
54
+ No operator-facing surface changes.
55
+
56
+ ## 7. Multi-machine posture
57
+
58
+ The delivery-id + queue are machine-local by design (the failure and its retry belong to the machine that owns the socket). No cross-machine state introduced.
59
+
60
+ ## 8. Rollback cost
61
+
62
+ Low: revert the script edits + the SHA entry + the test. A rolled-back binary mints at enqueue again (the deployed latent-double-post behavior). The migration SHA entry is additive and harmless if left.
63
+
64
+ ## Conclusion
65
+
66
+ Closes the latent Telegram double-post window (delivery-id minted too late to cover the first attempt) by minting pre-POST and reusing the id at enqueue, and classifies the reservation-race 409 as non-losing — both under the Testing Integrity Standard with a real-script test, and with Migration Parity for the template change.
67
+
68
+ ## Second-pass review (if required)
69
+
70
+ Not required — script-side classifier + header add + migration SHA, fail-toward-delivery, reversible, tested against the real shipped script.
71
+
72
+ ## Evidence pointers
73
+
74
+ - `src/templates/scripts/telegram-reply.sh` — pre-POST mint, `X-Instar-DeliveryId` header, 409 branch, mint-time `attempted_at`.
75
+ - `src/core/PostUpdateMigrator.ts` — `TELEGRAM_REPLY_PRIOR_SHIPPED_SHAS` entry `63ca933e…`.
76
+ - `tests/unit/telegram-reply-prepost-mint.test.ts` — header-on-initial-send / same-id-enqueue / 409-in-flight-recoverable / 409-unstructured-terminal.
77
+ - `docs/specs/slack-outbound-robustness.md` §2.6, R8-M1 Arm C.
78
+
79
+ ## Class-Closure Declaration (display-only mirror)
80
+
81
+ Class: delivery-id-covers-first-attempt (the mint-timing double-post window) on the Telegram lane, plus the 409 member of the R8-M1 status class on the Telegram script. The Slack lane's equivalent (route idempotency + slack-reply.sh pre-POST mint + 409) closes in its own increment.