BREAKING main #1 / 44
aaronrene · 1 hour ago · Jun 10, 2026 · Diff

reconcile: import GitHub-direct RBAC/OAuth/companion and hotfix history into Muse canonical

Import the GitHub-only work shipped directly to GitHub main during the 2026-06-08 production hotfix window, restoring Muse as the canonical history:

- 8ae04be: RBAC proposal-approval silent-failure fix (bridge-failure JWT fallback, HUB_ADMIN_USER_IDS override, approve/discard error toasts) + companion app phases 1-6 + MCP OAuth C3 (iss, RFC 9207) and C5 (redirect_uri validation, RFC 6749 4.1.3) hardening.
- d5cfe77: AGENTS.md muse-mirror PR mandate (no direct push to GitHub main).
- PR #229: hosted MCP discovery timeout hotfix (verified byte-identical to Muse 6f47d53a hosted-context work - one implementation, no duplicate).
- PR #230: hosted note frontmatter normalization hotfix.
- OpenRouter/chat-provider lane restored from GitHub: muse log shows it was never deliberately removed on Muse main (lives on unmerged branch feat/companion-design-openrouter-lane); flagged for a separate decision.

Tree now equals GitHub origin/main exactly (verified empty diff). Full suite green: 3339 tests / 777 suites / 0 fail. Record: docs/MUSE-GITHUB-RECONCILIATION-2026-06.md

sha256:0d530f9ef27b8b75547d1db7701a74bc77b77aa8f3d7fa3a8672cf2af36e63bb sha
+709 ~57 −4 symbols
124 changed · 818 in snapshot files
sha256:368633e3753929e564f35430b0922aeee4246cc54e30f43e7828495f4a14adce snapshot
0 dead code introduced
Semantic Changes 770 symbols
+ Companion App — Design & Authorization Gate section Companion App — Design & Authorization Gate L1–587
+ Scope and non-goals section 1. Scope and non-goals L94–104
+ Test obligations (7-tier) for the future implementation section 10. Test obligations (7-tier) for the future implementation L228–242
+ Deferred / open questions (carried from the brief) section 11. Deferred / open questions (carried from the brief) L242–252
+ Build phases & model-tier guidance section 12. Build phases & model-tier guidance L252–306
+ Model-tier legend section Model-tier legend L259–272
+ Phase table section Phase table L272–288
+ table section table L274–287
+ Why the 🧠 / 🔀 phases need deeper reasoning section Why the 🧠 / 🔀 phases need deeper reasoning L288–306
+ Phase 0 — Decision Record (the three hard dependencies) section 13. Phase 0 — Decision Record (the three hard dependencies) L306–587
+ 0 Grounding (decisions anchored to existing code, not assumptions) section 13.0 Grounding (decisions anchored to existing code, not assumptions) L317–328
+ table section table L319–327
+ 1 What Phase 0 unblocks section 13.1 What Phase 0 unblocks L550–561
+ 2 What remains NOT approved by this record section 13.2 What remains NOT approved by this record L561–570
+ 3 Explicitly deferred (not Phase 0 blockers) section 13.3 Explicitly deferred (not Phase 0 blockers) L570–577
+ 4 Approval section 13.4 Approval L577–587
+ table section table L579–584
+ D1 — Hosted tenancy + owner-vs-member billing/consent section D1 — Hosted tenancy + owner-vs-member billing/consent L338–442
+ D2 — Model-routing lane matrix, default-lane logic, client-side constraint section D2 — Model-routing lane matrix, default-lane logic, client-side constraint L442–503
+ table@L456 section table@L456 L456–464
+ table@L489 section table@L489 L489–497
+ D3 — Derived-artifact storage per privacy tier section D3 — Derived-artifact storage per privacy tier L503–550
+ table section table L522–527
+ Decision index section Decision index L328–338
+ table section table L330–335
+ Architecture section 2. Architecture L104–129
+ code variable variable code L106–123
+ OAuth (native/public client, PKCE + loopback) section 3. OAuth (native/public client, PKCE + loopback) L129–141
+ Localhost endpoint security model (the core of this gate) section 4. Localhost endpoint security model (the core of this gate) L141–164
+ Derived-artifact storage paradox resolution section 5. Derived-artifact storage paradox resolution L164–178
+ table section table L170–174
+ Provenance section 6. Provenance L178–184
+ Packaging / distribution (design intent, not approved to build) section 7. Packaging / distribution (design intent, not approved to build) L184–193
+ Scooling consumption contract section 8. Scooling consumption contract L193–199
+ The OpenRouter lane (implemented on this branch — model-routing precursor) section 9. The OpenRouter lane (implemented on this branch — model-routing precursor) L199–228
+ Review Decision (Authorization Gate) section Review Decision (Authorization Gate) L58–94
+ Hard dependencies (must be accepted BEFORE companion implementation) section Hard dependencies (must be accepted BEFORE companion implementation) L83–94
+ This gate ACCEPTS (design only) section This gate ACCEPTS (design only) L60–72
+ This gate DOES NOT approve (no code) section This gate DOES NOT approve (no code) L72–83
+ Simple Summary section Simple Summary L10–34
+ Technical Summary section Technical Summary L34–58
+ Companion App, Model Routing, Enrichment & Discovery — Architecture Brief section Companion App, Model Routing, Enrichment & Discovery — Architecture Brief L1–474
+ Why this brief exists section 1. Why this brief exists L16–33
+ Decisions to make in the dedicated session section 10. Decisions to make in the dedicated session L405–422
+ Tenancy/teams (developed in conjunction — own design + gate) section 10A. Tenancy/teams (developed in conjunction — own design + gate) L389–405
+ Sequencing & PR/push recommendation section 11. Sequencing & PR/push recommendation L422–436
+ Session prompt (copy for the dedicated session) section 12. Session prompt (copy for the dedicated session) L436–474
+ code[text] variable variable code[text] L438–474
+ The companion app — what it is (and is not) section 2. The companion app — what it is (and is not) L33–55
+ The hard architectural constraint: local inference is invoked CLIENT-SIDE section 3. The hard architectural constraint: local inference is invoked CLIENT-SIDE L55–69
+ Model-routing lane matrix (agreed direction) section 4. Model-routing lane matrix (agreed direction) L69–91
+ table section table L71–79
+ OAuth for the companion (and in-browser) section 5. OAuth for the companion (and in-browser) L91–106
+ Billing model (keep base low, pay for what you use) section 6. Billing model (keep base low, pay for what you use) L106–127
+ Enrichment & Discovery strategy section 7. Enrichment & Discovery strategy L127–179
+ 1 Embeddings ≠ enrichment section 7.1 Embeddings ≠ enrichment L129–135
+ 2 Enrichment timing — recommended combination section 7.2 Enrichment timing — recommended combination L135–148
+ 3 Do NOT overload "proposal" section 7.3 Do NOT overload "proposal" L148–155
+ 4 Discovery is the upstream insight engine (key revelation) section 7.4 Discovery is the upstream insight engine (key revelation) L155–179
+ table section table L161–167
+ What we might have missed (open risks/items to resolve) section 8. What we might have missed (open risks/items to resolve) L179–211
+ Zero-Knowledge Privacy & Post-Quantum Cryptography section 9. Zero-Knowledge Privacy & Post-Quantum Cryptography L211–389
+ 1 What "true zero-knowledge" means (vs today) section 9.1 What "true zero-knowledge" means (vs today) L213–228
+ 2 Why Argon2id replaces scrypt (and when to migrate) section 9.2 Why Argon2id replaces scrypt (and when to migrate) L228–264
+ 3 The two-tier vault model (agreed direction) section 9.3 The two-tier vault model (agreed direction) L264–278
+ table section table L269–273
+ 4 The ZK key hierarchy section 9.4 The ZK key hierarchy L278–306
+ code variable variable code L280–293
+ 5 Post-quantum hardening section 9.5 Post-quantum hardening L306–358
+ table section table L343–352
+ 6 ML-DSA signature migration — sequencing with Muse section 9.6 ML-DSA signature migration — sequencing with Muse L358–371
+ 7 Migration path for existing vaults (you as the only user) section 9.7 Migration path for existing vaults (you as the only user) L371–389
+ Companion App — Server-Side OAuth Gate (client registration + scopes) section Companion App — Server-Side OAuth Gate (client registration + scopes) L1–344
+ 1 — Scope / identity parity for the native client section 1. Decision D-SS.1 — Scope / identity parity for the native client L63–114
+ Adversarial argument section Adversarial argument L82–92
+ table section table L84–91
+ Recommendation — Option (b) (product + eng call → owner ratification requested, §9) section Recommendation — Option (b) (product + eng call → owner ratification requested, §9) L92–114
+ Verified state section Verified state L68–82
+ 2 — Hosted availability of the authorization/token endpoints section 2. Decision D-SS.2 — Hosted availability of the authorization/token endpoints L114–185
+ Adversarial argument section Adversarial argument L142–160
+ Recommendation — DECIDED: reuse `knowtation-mcp-gateway` (no new server) section Recommendation — DECIDED: reuse `knowtation-mcp-gateway` (no new server) L160–185
+ Verified live server inventory (owner-confirmed 2026-06-06) section Verified live server inventory (owner-confirmed 2026-06-06) L128–142
+ table section table L133–137
+ Verified state section Verified state L119–128
+ 3 — RFC 9207 iss emission on the redirect section 3. Decision D-SS.3 — RFC 9207 iss emission on the redirect L185–214
+ Recommendation — CONFIRM (emit `iss`) section Recommendation — CONFIRM (emit `iss`) L196–214
+ Verified state section Verified state L189–196
+ 4 — Loopback redirect registration with a variable ephemeral port variable section 4. Decision D-SS.4 — Loopback redirect registration with a variable ephemeral port L214–264
+ Adversarial argument section Adversarial argument L231–247
+ Recommendation — CONFIRM, with a hard implementation obligation section Recommendation — CONFIRM, with a hard implementation obligation L247–264
+ Verified state section Verified state L220–231
+ Threat model → control (server side) section 5. Threat model → control (server side) L264–281
+ table section table L268–278
+ Precise server-side change list (for the FOLLOW-UP implementation phase) section 6. Precise server-side change list (for the FOLLOW-UP implementation phase) L281–303
+ table section table L285–293
+ 7-tier test obligations (per change C1–C6) section 7. 7-tier test obligations (per change C1–C6) L303–319
+ table section table L307–316
+ Constraints honored section 8. Constraints honored L319–332
+ Approval table section 9. Approval table L332–344
+ table section table L334–340
+ Simple summary section Simple summary L18–34
+ Technical summary section Technical summary L34–63
+ table section table L42–55
+ Companion App — Phase 1 Adapter Seam Contract section Companion App — Phase 1 Adapter Seam Contract L1–199
+ mjs section 1. Module contract — lib/model-runtime-lane.mjs L25–136
+ 1 LaneCapabilities type section 1.1 LaneCapabilities type L27–40
+ table section table L31–39
+ 2 LanePreferences type section 1.2 LanePreferences type L40–51
+ table section table L44–50
+ 2 default-lane logic section 1.3 selectLane(capabilities, preferences) — D2.2 default-lane logic L51–84
+ code@L57 variable variable code@L57 L57–69
+ code@L73 variable variable code@L73 L73–76
+ 2 metering boundary section 1.4 isManagedLane(lane) — D1.2 metering boundary L84–95
+ 3(2) consent/policy gate section 1.5 enforceConsentPolicy(params) — D1.4 + D1.3(2) consent/policy gate L95–136
+ Scooling interface additions (cross-repo) section 2. Scooling interface additions (cross-repo) L136–158
+ ts) section 2.1 ModelResponse (Scooling src/adapters/types.ts) L138–152
+ code[ts] variable variable code[ts] L142–149
+ 2 createMockModelRuntimeAdapter() update section 2.2 createMockModelRuntimeAdapter() update L152–158
+ 4) section 3. Metering-boundary and lane-mapping summary (D1.2 × D2.4) L158–171
+ table section table L160–168
+ What Phase 2+ builds on this section 4. What Phase 2+ builds on this L171–179
+ Threat model and security properties (invariants under test) section 5. Threat model and security properties (invariants under test) L179–194
+ table section table L181–191
+ Deferred section 6. Deferred L194–199
+ What Phase 1 does NOT produce section What Phase 1 does NOT produce L17–25
+ What Phase 1 produces section What Phase 1 produces L11–17
+ Companion App — Phase 2: Loopback Endpoint Security Core section Companion App — Phase 2: Loopback Endpoint Security Core L1–345
+ Adversarial threat model section 1. Adversarial threat model L63–141
+ Attacker A — malicious web page in the user's browser (cross-origin) section Attacker A — malicious web page in the user's browser (cross-origin) L69–89
+ Attacker B — DNS-rebinding (make a remote origin appear to target loopback) section Attacker B — DNS-rebinding (make a remote origin appear to target loopback) L89–106
+ Attacker C — a local non-browser process section Attacker C — a local non-browser process L106–124
+ Attacker D — prompt-injection payload inside a note body section Attacker D — prompt-injection payload inside a note body L124–141
+ mjs section 2. Guard contract — lib/companion-loopback-guard.mjs L141–216
+ 1 verifyLoopbackRequest(params) → LoopbackVerdict section 2.1 verifyLoopbackRequest(params) → LoopbackVerdict L143–186
+ code[js] variable variable code[js] L147–151
+ table@L152 section table@L152 L152–161
+ table@L165 section table@L165 L165–176
+ 2 Rate-limit helpers section 2.2 Rate-limit helpers L186–197
+ 3 Why the Origin allowlist is the loopback origin only section 2.3 Why the Origin allowlist is the loopback origin only L197–216
+ Evaluation order (and why) section 3. Evaluation order (and why) L216–241
+ code variable variable code L220–229
+ The rate-limit recording contract section 4. The rate-limit recording contract L241–266
+ code[js] variable variable code[js] L246–252
+ Mapping: gate §4 controls → Phase 2 enforcement section 5. Mapping: gate §4 controls → Phase 2 enforcement L266–286
+ table section table L268–278
+ What Phase 5 must do to bind the socket safely section 6. What Phase 5 must do to bind the socket safely L286–321
+ Test obligations satisfied (gate §10, 7 tiers) section 7. Test obligations satisfied (gate §10, 7 tiers) L321–337
+ table section table L325–334
+ Deferred (explicitly not Phase 2) section 8. Deferred (explicitly not Phase 2) L337–345
+ Simple summary section Simple summary L16–37
+ Technical summary section Technical summary L37–63
+ Companion App — Phase 2 Session Prompt (Loopback Endpoint Security Core) section Companion App — Phase 2 Session Prompt (Loopback Endpoint Security Core) L1–155
+ Copy-paste prompt (paste this into the new session) section 0. Copy-paste prompt (paste this into the new session) L8–71
+ code[text] variable variable code[text] L10–68
+ Where we are (state at end of this session) section 1. Where we are (state at end of this session) L71–96
+ What Phase 2 is (gate §12, row 2 — 🧠 Thinking) section 2. What Phase 2 is (gate §12, row 2 — 🧠 Thinking) L96–103
+ The 8 mandatory controls (gate §4 — verbatim intent) section 3. The 8 mandatory controls (gate §4 — verbatim intent) L103–119
+ Threat model to reason against (do not pattern-match — argue each) section 4. Threat model to reason against (do not pattern-match — argue each) L119–131
+ Proposed deliverables (confirm scope first — see §0 scope question) section 5. Proposed deliverables (confirm scope first — see §0 scope question) L131–139
+ Definition of done section 6. Definition of done L139–148
+ Open questions to settle at session start section 7. Open questions to settle at session start L148–155
+ Companion App — Phase 3: OAuth Native/Public Client (PKCE + Loopback Redirect) section Companion App — Phase 3: OAuth Native/Public Client (PKCE + Loopback Redirect) L1–298
+ Scope decisions (owner-approved 2026-06-05) section 1. Scope decisions (owner-approved 2026-06-05) L69–118
+ 1 — Pure-then-bind (CONFIRMED) section D-P3.1 — Pure-then-bind (CONFIRMED) L71–80
+ 2 — Provider-agnostic core; client-registration boundary respected (CONFIRMED) section D-P3.2 — Provider-agnostic core; client-registration boundary respected (CONFIRMED) L80–107
+ 3 — RFC 9207 iss: optional-but-validated (CONFIRMED) section D-P3.3 — RFC 9207 iss: optional-but-validated (CONFIRMED) L107–118
+ Adversarial threat model → exact control section 2. Adversarial threat model → exact control L118–140
+ table section table L125–137
+ mjs section 3. Module contract — lib/companion-oauth-pkce.mjs L140–162
+ table section table L144–157
+ mjs section 4. Module contract — lib/companion-token-custody.mjs L162–189
+ RFC conformance section 5. RFC conformance L189–209
+ What Phase 5 must do to bind safely section 6. What Phase 5 must do to bind safely L209–246
+ Server-side OAuth gate (Phase 5 prerequisite) section 7. Server-side OAuth gate (Phase 5 prerequisite) L246–269
+ Test obligations satisfied (gate §10, 7 tiers × 2 modules) section 8. Test obligations satisfied (gate §10, 7 tiers × 2 modules) L269–290
+ table section table L273–282
+ Deferred (explicitly not Phase 3) section 9. Deferred (explicitly not Phase 3) L290–298
+ Simple summary section Simple summary L18–41
+ Technical summary section Technical summary L41–69
+ Companion App — Phase 3 Session Prompt (OAuth Native/Public Client — PKCE + Loopback Redirect, JWT in OS Keychain) section Companion App — Phase 3 Session Prompt (OAuth Native/Public Client — PKCE + Loopback Redirect, JWT in OS Keychain) L1–228
+ Copy-paste prompt (paste this into the new session) section 0. Copy-paste prompt (paste this into the new session) L9–125
+ code[text] variable variable code[text] L11–122
+ Where we are (state at start of Phase 3) section 1. Where we are (state at start of Phase 3) L125–142
+ The pure-then-bind discipline (carried from Phases 1–2) section 2. The pure-then-bind discipline (carried from Phases 1–2) L142–156
+ table section table L148–155
+ Mandatory controls / standards to argue against the attacker section 3. Mandatory controls / standards to argue against the attacker L156–175
+ Threat model to reason against (argue each — do not pattern-match) section 4. Threat model to reason against (argue each — do not pattern-match) L175–188
+ Proposed deliverables (confirm scope first — see §0 scope questions) section 5. Proposed deliverables (confirm scope first — see §0 scope questions) L188–199
+ Definition of done section 6. Definition of done L199–211
+ Open questions to settle at session start section 7. Open questions to settle at session start L211–228
+ code variable variable code L227–228
+ Companion App — Phase 4: Bundled Runtime Manager (Decision Core) section Companion App — Phase 4: Bundled Runtime Manager (Decision Core) L1–363
+ Adversarial / threat note section 1. Adversarial / threat note L33–68
+ (a) SUPPLY-CHAIN — tampered/poisoned model file section (a) SUPPLY-CHAIN — tampered/poisoned model file L35–46
+ (b) RESOURCE EXHAUSTION — inference flood → OOM section (b) RESOURCE EXHAUSTION — inference flood → OOM L46–56
+ (c) AMBIENT AUTHORITY — runtime must never reach vault/canister/JWT section (c) AMBIENT AUTHORITY — runtime must never reach vault/canister/JWT L56–68
+ mjs section 2. Module contract — lib/companion-runtime-manager.mjs L68–207
+ 1 Design constraints (security invariants) section 2.1 Design constraints (security invariants) L70–78
+ 10 Injected adapter interface (RuntimeAdapterFns) section 2.10 Injected adapter interface (RuntimeAdapterFns) L190–207
+ code[js] variable variable code[js] L194–202
+ 2 RUNTIME_MANAGER_REASONS section 2.2 RUNTIME_MANAGER_REASONS L78–95
+ code variable variable code L82–94
+ 3 Supply-chain integrity — createIntegrityAccumulator (streaming) section 2.3 Supply-chain integrity — createIntegrityAccumulator (streaming) L95–109
+ code[js] variable variable code[js] L98–102
+ 4 Supply-chain integrity — verifyModelBytes (in-memory) section 2.4 Supply-chain integrity — verifyModelBytes (in-memory) L109–119
+ code[js] variable variable code[js] L112–116
+ 5 Source validation section 2.5 Source validation L119–125
+ 6 Lifecycle state machine section 2.6 Lifecycle state machine L125–147
+ code variable variable code L130–137
+ 7 Backpressure / concurrency admission section 2.7 Backpressure / concurrency admission L147–163
+ code variable variable code L150–153
+ 8 Resource-limit policy section 2.8 Resource-limit policy L163–175
+ code variable variable code L166–170
+ 9 Top-level admission gate — evaluateRuntimeRequest section 2.9 Top-level admission gate — evaluateRuntimeRequest L175–190
+ code[js] variable variable code[js] L178–182
+ Lifecycle/integrity interaction — the single path to ready section 3. Lifecycle/integrity interaction — the single path to ready L207–251
+ code variable variable code L209–246
+ Backpressure and resource enforcement rules section 4. Backpressure and resource enforcement rules L251–271
+ Backpressure section Backpressure L253–263
+ table section table L255–260
+ Resource limits section Resource limits L263–271
+ What Phase 5 must do to bind the runtime safely section 5. What Phase 5 must do to bind the runtime safely L271–319
+ 1 Model download and integrity (supply-chain gate) section 5.1 Model download and integrity (supply-chain gate) L275–282
+ 2 Runtime spawn section 5.2 Runtime spawn L282–289
+ 3 Health-check loop section 5.3 Health-check loop L289–295
+ 4 Per-request gate section 5.4 Per-request gate L295–300
+ 5 Wire shape the runtime must speak section 5.5 Wire shape the runtime must speak L300–308
+ 8 gate control) section 5.6 Minimal logging (§4.8 gate control) L308–313
+ 7 No ambient authority section 5.7 No ambient authority L313–319
+ Test obligations satisfied (gate §10, 7 tiers) section 6. Test obligations satisfied (gate §10, 7 tiers) L319–335
+ table section table L323–332
+ Deferred (explicitly not Phase 4) section 7. Deferred (explicitly not Phase 4) L335–348
+ Remaining blockers to Phase 5 section 8. Remaining blockers to Phase 5 L348–363
+ table section table L352–356
+ Simple summary section Simple summary L12–23
+ Technical summary section Technical summary L23–33
+ Companion App — Phase 5: Bind Gate (sockets · spawn · keychain · download) section Companion App — Phase 5: Bind Gate (sockets · spawn · keychain · download) L1–605
+ What this gate lifts — and what it deliberately does not section 0. What this gate lifts — and what it deliberately does not L81–102
+ table section table L88–96
+ Adversarial threat model (the bind surface) section 1. Adversarial threat model (the bind surface) L102–124
+ table section table L108–121
+ How Phase 5 discharges the prior phases' deferred obligations section 10. How Phase 5 discharges the prior phases' deferred obligations L540–556
+ table section table L542–550
+ 7-tier test obligations (Phase 5 bind/lifecycle layer) section 11. 7-tier test obligations (Phase 5 bind/lifecycle layer) L556–573
+ table section table L561–570
+ Constraints honored section 12. Constraints honored L573–588
+ Approval table section 13. Approval table L588–605
+ table section table L590–600
+ 1 — Inference loopback socket bind contract section 2. Decision D5.1 — Inference loopback socket bind contract L124–169
+ Decision — OS-assigned ephemeral port, loopback-only, port secrecy is NOT a control section Decision — OS-assigned ephemeral port, loopback-only, port secrecy is NOT a control L137–162
+ Fail-closed section Fail-closed L162–169
+ Verified state section Verified state L129–137
+ 2 — OAuth redirect loopback listener bind section 3. Decision D5.2 — OAuth redirect loopback listener bind L169–212
+ Decision — Separate, short-lived, one-shot ephemeral redirect listener section Decision — Separate, short-lived, one-shot ephemeral redirect listener L183–204
+ Fail-closed section Fail-closed L204–212
+ Verified state section Verified state L174–183
+ 3 — OS-keychain adapter surface section 4. Decision D5.3 — OS-keychain adapter surface L212–266
+ Decision — Exactly `get`/`set`/`delete` on four named accounts; nothing wider; device-local section Decision — Exactly `get`/`set`/`delete` on four named accounts; nothing wider; device-local L224–259
+ Fail-closed section Fail-closed L259–266
+ Verified state section Verified state L217–224
+ 4 — Spawn adapter (process-management surface) section 5. Decision D5.4 — Spawn adapter (process-management surface) L266–333
+ Decision — `spawn` + `kill` + `healthCheck` only; hardened launch; supervised lifetime section Decision — `spawn` + `kill` + `healthCheck` only; hardened launch; supervised lifetime L279–325
+ Fail-closed section Fail-closed L325–333
+ Verified state section Verified state L271–279
+ 5 — Download adapter + Phase 4 integrity wiring section 6. Decision D5.5 — Download adapter + Phase 4 integrity wiring L333–399
+ Decision — Dumb download adapter; accumulator + `finalize()` owned by the orchestrator; trust anchor is a first-party ma section Decision — Dumb download adapter; accumulator + `finalize()` owned by the orchestrator; trust anchor is a first-party ma L348–391
+ Fail-closed section Fail-closed L391–399
+ Verified state section Verified state L339–348
+ 6 — Resource-probe adapter section 7. Decision D5.6 — Resource-probe adapter L399–444
+ Decision — Probe the runtime's own PID; VRAM as aggregate headroom only; never enumerate other processes; no privilege e section Decision — Probe the runtime's own PID; VRAM as aggregate headroom only; never enumerate other processes; no privilege e L410–436
+ Fail-closed section Fail-closed L436–444
+ Verified state section Verified state L404–410
+ 7 — Phase 1 seam activation (companionAvailable) section 8. Decision D5.7 — Phase 1 seam activation (companionAvailable) L444–490
+ Decision — True only when ALL of {integrity-verified ∧ lifecycle `ready` ∧ recent health round-trip} hold; false on any section Decision — True only when ALL of {integrity-verified ∧ lifecycle `ready` ∧ recent health round-trip} hold; false on any L456–483
+ Fail-closed section Fail-closed L483–490
+ Verified state section Verified state L449–456
+ 8 — No-ambient-authority enforcement mechanism section 9. Decision D5.8 — No-ambient-authority enforcement mechanism L490–540
+ Decision — Object-capability segregation, enforced by tests, not convention section Decision — Object-capability segregation, enforced by tests, not convention L502–532
+ Fail-closed section Fail-closed L532–540
+ Verified state section Verified state L495–502
+ Simple summary section Simple summary L32–60
+ Technical summary section Technical summary L60–81
+ Phase 5 Implementation — Next-Session Prompt section Phase 5 Implementation — Next-Session Prompt L1–95
+ Hard constraints section Hard constraints L66–76
+ Read first (in full) section Read first (in full) L16–32
+ Suggested order section Suggested order L85–95
+ Tests (Aaron's Rule #0 — all 7 tiers before any merge to main) section Tests (Aaron's Rule #0 — all 7 tiers before any merge to main) L76–85
+ What to build (run-from-source; NOT packaging — that's Phase 7, §0) section What to build (run-from-source; NOT packaging — that's Phase 7, §0) L32–66
+ Companion App — Phase 6: Derived-Artifact Storage & Provenance Enforcement Gate section Companion App — Phase 6: Derived-Artifact Storage & Provenance Enforcement Gate L1–618
+ What this gate lifts — and what it deliberately does not section 0. What this gate lifts — and what it deliberately does not L108–131
+ table section table L115–124
+ Adversarial threat model (the storage/write-back surface) section 1. Adversarial threat model (the storage/write-back surface) L131–153
+ table section table L137–150
+ 7-tier test obligations (Phase 6 derived-artifact storage layer) section 10. 7-tier test obligations (Phase 6 derived-artifact storage layer) L559–576
+ table section table L564–573
+ Constraints honored section 11. Constraints honored L576–599
+ Approval table section 12. Approval table L599–618
+ table section table L601–610
+ 1 — Per-tier, per-artifact storage location (binding routing) section 2. Decision D6.1 — Per-tier, per-artifact storage location (binding routing) L153–210
+ Decision — Routing table is binding; privacy-max never resolves to a host-readable or server-held-key location; resoluti section Decision — Routing table is binding; privacy-max never resolves to a host-readable or server-held-key location; resoluti L175–201
+ table section table L177–183
+ Fail-closed section Fail-closed L201–210
+ Verified state section Verified state L158–175
+ 2 — Provenance schema (required fields, placement, semantics) section 3. Decision D6.2 — Provenance schema (required fields, placement, semantics) L210–276
+ Decision — A single canonical provenance record, validated as a write precondition, stamped by the authority group section Decision — A single canonical provenance record, validated as a write precondition, stamped by the authority group L223–267
+ table section table L228–242
+ Fail-closed section Fail-closed L267–276
+ Verified state section Verified state L215–223
+ 3 — Write-back authorization (owner/delegate; default-OFF; no downgrade) section 4. Decision D6.3 — Write-back authorization (owner/delegate; default-OFF; no downgrade) L276–337
+ Decision — Every write-back is gated by `enforceConsentPolicy`; the owner's tier governs; delegated writes stay default- section Decision — Every write-back is gated by `enforceConsentPolicy`; the owner's tier governs; delegated writes stay default- L291–328
+ Fail-closed section Fail-closed L328–337
+ Verified state section Verified state L281–291
+ 4 — Client-encryption hook interface (privacy-max; fail-closed; no plaintext fallback) section 5. Decision D6.4 — Client-encryption hook interface (privacy-max; fail-closed; no plaintext fallback) L337–404
+ Decision — Define the `ClientEncryptor` hook; privacy-max writes require it; absence/failure fails closed; never a plain section Decision — Define the `ClientEncryptor` hook; privacy-max writes require it; absence/failure fails closed; never a plain L350–395
+ code[text] variable variable code[text] L355–366
+ Fail-closed section Fail-closed L395–404
+ Verified state section Verified state L342–350
+ 5 — Retention & deletion (inherit source; delete-on-delete; crypto-shred) section 6. Decision D6.5 — Retention & deletion (inherit source; delete-on-delete; crypto-shred) L404–454
+ Decision — Note-scoped artifacts inherit the note 1:1 and are deleted on delete; aggregate artifacts are invalidated/re- section Decision — Note-scoped artifacts inherit the note 1:1 and are deleted on delete; aggregate artifacts are invalidated/re- L417–446
+ Fail-closed section Fail-closed L446–454
+ Verified state section Verified state L409–417
+ 6 — Single derived-artifact writer (object-capability enforcement) section 7. Decision D6.6 — Single derived-artifact writer (object-capability enforcement) L454–500
+ Decision — Exactly one `DerivedArtifactWriter` in the authority group; all stores reached only through it; enforced by a section Decision — Exactly one `DerivedArtifactWriter` in the authority group; all stores reached only through it; enforced by a L466–492
+ Fail-closed section Fail-closed L492–500
+ Verified state section Verified state L459–466
+ 7 — Provenance integrity & re-enrichment on model upgrade section 8. Decision D6.7 — Provenance integrity & re-enrichment on model upgrade L500–539
+ Decision — Re-enrichment writes a fresh provenance record; never rewrites history silently; never a lifecycle state section Decision — Re-enrichment writes a fresh provenance record; never rewrites history silently; never a lifecycle state L510–531
+ Fail-closed section Fail-closed L531–539
+ Verified state section Verified state L505–510
+ How Phase 6 discharges the prior phases' deferred obligations section 9. How Phase 6 discharges the prior phases' deferred obligations L539–559
+ table section table L541–551
+ Simple summary section Simple summary L54–82
+ Technical summary section Technical summary L82–108
+ Muse ↔ GitHub history reconciliation — June 2026 section Muse ↔ GitHub history reconciliation — June 2026 L1–175
+ Conflict resolutions (as planned, with outcomes) section Conflict resolutions (as planned, with outcomes) L98–108
+ table section table L100–107
+ Current operating procedure (unchanged, now unblocked) section Current operating procedure (unchanged, now unblocked) L143–153
+ Divergence inventory (evidence captured 2026-06-10) section Divergence inventory (evidence captured 2026-06-10) L28–48
+ table section table L32–40
+ Exit criteria section Exit criteria L153–169
+ Findings that shaped the resolution section Findings that shaped the resolution L48–98
+ The MCP discovery "overlap hazard" was already resolved upstream section 1. The MCP discovery "overlap hazard" was already resolved upstream L50–61
+ OpenRouter/chat-provider was never deliberately removed in Muse section 2. OpenRouter/chat-provider was never deliberately removed in Muse L61–75
+ origin/main is a strict superset of Muse main section 3. origin/main is a strict superset of Muse main L75–98
+ table section table L80–95
+ Related documents section Related documents L169–175
+ Seven-tier coverage for the merged surface section Seven-tier coverage for the merged surface L124–143
+ What was done section What was done L108–124
+ Why this was shelved, and why it is now resolved section Why this was shelved, and why it is now resolved L20–28
~ hub/gateway/native-as-store.mjs .mjs 9 symbols added
+ _nativeCodePath function function _nativeCodePath L61–64
+ _normalizeCodes function function _normalizeCodes L89–106
+ _pruneExpired function function _pruneExpired L72–80
+ _readCodes function async_function _readCodes L112–121
+ _writeCodes function async_function _writeCodes L129–141
+ bindUserToCode function async_function bindUserToCode L180–187
+ consumePendingCode function async_function consumePendingCode L197–204
+ pruneExpiredCodes function async_function pruneExpiredCodes L210–216
+ savePendingCode function async_function savePendingCode L157–170
~ hub/gateway/native-oauth-provider.mjs .mjs 10 symbols added
+ NativeClientStore class class NativeClientStore L156–221
+ constructor method method constructor L157–160
+ getClient method method getClient L166–168
+ registerClient method method registerClient L178–220
+ _nativeRefreshError function function _nativeRefreshError L107–118
+ _sha256Base64url function function _sha256Base64url L95–97
+ applyScopeCeiling function function applyScopeCeiling L137–140
+ completeNativeAuthorization function async_function completeNativeAuthorization L565–599
+ createNativeOAuthRouter function function createNativeOAuthRouter L245–602
+ isLoopbackUri function function isLoopbackUri L76–88
~ lib/companion-artifact-writer.mjs .mjs 7 symbols added
+ _safeProvenanceFields function function _safeProvenanceFields L381–392
+ _scopeForArtifact function function _scopeForArtifact L368–372
+ _storeArtifact function async_function _storeArtifact L410–503
+ checkReEnrichmentEligibility function function checkReEnrichmentEligibility L316–355
+ createDerivedArtifactWriter function function createDerivedArtifactWriter L127–358
+ deleteArtifacts function async_function deleteArtifacts L245–300
+ write function async_function write L152–235
~ lib/companion-client-encryptor.mjs .mjs 3 symbols added
+ createClientEncryptor function function createClientEncryptor L119–168
+ encrypt method method encrypt L152–166
+ isAvailable method method isAvailable L137–143
~ lib/companion-download-adapter.mjs .mjs 3 symbols added
+ createCompanionDownloadAdapter function function createCompanionDownloadAdapter L43–77
+ download method async_method download L46–75
+ requireHttpsDownloadUrl function function requireHttpsDownloadUrl L22–36
~ lib/companion-inference-listener.mjs .mjs 7 symbols added
+ allowedHosts method method allowedHosts L123–125
+ buildAllowedHosts function function buildAllowedHosts L30–37
+ close method async_method close L146–151
+ createCompanionInferenceListener function function createCompanionInferenceListener L65–153
+ extractLoopbackBearerToken function function extractLoopbackBearerToken L44–51
+ port method method port L126–129
+ start method async_method start L130–145
~ lib/companion-keychain-adapter.mjs .mjs 14 symbols added
+ accountFile function function accountFile L194–194
+ createCompanionKeychainAdapter function function createCompanionKeychainAdapter L126–139
+ createLinuxSecretServiceBackend function function createLinuxSecretServiceBackend L253–280
+ createMacOSKeychainBackend function function createMacOSKeychainBackend L158–185
+ createWindowsDpapiBackend function function createWindowsDpapiBackend L191–247
+ delete method async_method delete L276–278
+ dpapiProtect function async_function dpapiProtect L195–209
+ dpapiUnprotect function async_function dpapiUnprotect L210–224
+ get method async_method get L269–272
+ requireKeychainSecret function function requireKeychainSecret L114–119
+ requireKnownKeychainAccount function function requireKnownKeychainAccount L102–107
+ run function async_function run L255–267
+ selectKeychainBackend function function selectKeychainBackend L146–152
+ set method async_method set L273–275
~ lib/companion-loopback-guard.mjs .mjs 10 symbols added
+ constantTimeStringEqual function function constantTimeStringEqual L146–152
+ createLoopbackRateState function function createLoopbackRateState L120–128
+ deny function function deny L321–323
+ evaluateRateLimit function function evaluateRateLimit L226–249
+ getHeader function function getHeader L164–174
+ isLoopbackHost function function isLoopbackHost L210–214
+ parseHostHeader function function parseHostHeader L183–203
+ recordLoopbackRequest function function recordLoopbackRequest L267–283
+ shouldCountTowardRateLimit function function shouldCountTowardRateLimit L315–318
+ verifyLoopbackRequest function function verifyLoopbackRequest L366–451
~ lib/companion-oauth-flow.mjs .mjs 5 symbols added
+ close method method close L119–122
+ createOAuthRedirectAttempt function async_function createOAuthRedirectAttempt L49–124
+ openSystemBrowser function async_function openSystemBrowser L36–43
+ registerNativeClient function async_function registerNativeClient L130–150
+ runCompanionOAuthFlow function async_function runCompanionOAuthFlow L168–237
~ lib/companion-oauth-pkce.mjs .mjs 13 symbols added
+ buildAuthorizationUrl function function buildAuthorizationUrl L305–381
+ buildRefreshRequest function function buildRefreshRequest L546–587
+ buildTokenRequest function function buildTokenRequest L478–531
+ computeCodeChallenge function function computeCodeChallenge L154–164
+ constantTimeEqual function function constantTimeEqual L134–140
+ createNonce function function createNonce L195–197
+ createOAuthState function function createOAuthState L186–188
+ createPkcePair function function createPkcePair L175–179
+ decideTokenRefresh function function decideTokenRefresh L680–695
+ validateAuthorizationResponse function function validateAuthorizationResponse L407–457
+ validateRedirectUri function function validateRedirectUri L221–262
+ validateScopes function function validateScopes L269–277
+ validateTokenResponse function function validateTokenResponse L604–664
+ buildConvenienceProvenance function function buildConvenienceProvenance L227–242
+ isIso8601 function function isIso8601 L83–87
+ validateProvenance function function validateProvenance L105–208
~ lib/companion-resource-probe.mjs .mjs 7 symbols added
+ createCompanionResourceProbe function function createCompanionResourceProbe L44–64
+ probeByPlatform function async_function probeByPlatform L69–74
+ probeLinuxProc function async_function probeLinuxProc L76–86
+ probeWindows function async_function probeWindows L107–126
+ probeWithPs function async_function probeWithPs L88–105
+ requireRuntimePid function function requireRuntimePid L25–30
+ statResources method async_method statResources L56–62
~ lib/companion-runtime-manager.mjs .mjs 20 symbols added
+ abort method method abort L291–293
+ canServeInference function function canServeInference L455–458
+ createAdmissionState function function createAdmissionState L481–489
+ createIntegrityAccumulator function function createIntegrityAccumulator L219–295
+ createLifecycleState function function createLifecycleState L407–409
+ createResourceLimits function function createResourceLimits L625–636
+ evaluateAdmission function function evaluateAdmission L507–528
+ evaluateResourceLimits function function evaluateResourceLimits L649–680
+ evaluateRuntimeRequest function function evaluateRuntimeRequest L720–749
+ finalize method method finalize L257–277
+ getReceivedBytes method method getReceivedBytes L283–285
+ recordCompletion function function recordCompletion L556–564
+ recordDequeued function function recordDequeued L589–597
+ recordInFlight function function recordInFlight L541–546
+ recordQueued function function recordQueued L574–579
+ transitionLifecycle function function transitionLifecycle L427–443
+ update method method update L237–246
+ validateIntegritySpec function function validateIntegritySpec L159–174
+ validateSourceUrl function function validateSourceUrl L122–149
+ verifyModelBytes function function verifyModelBytes L313–336
~ lib/companion-shell.mjs .mjs 18 symbols added
+ companionAvailable method method companionAvailable L215–225
+ computeCompanionAvailable function function computeCompanionAvailable L104–113
+ createAuthorityGroup function function createAuthorityGroup L38–45
+ createCompanionShell function function createCompanionShell L167–277
+ createRuntimeGroup function function createRuntimeGroup L51–65
+ downloadVerifyAndStageModel function async_function downloadVerifyAndStageModel L125–156
+ healthProbe method async_method healthProbe L256–268
+ laneCapabilities method method laneCapabilities L226–228
+ markIntegrityFailed method method markIntegrityFailed L211–214
+ markIntegrityVerified method method markIntegrityVerified L208–210
+ markUnavailable function function markUnavailable L180–186
+ selectLane method method selectLane L229–231
+ setListenerBound method method setListenerBound L200–203
+ setLoopbackTokenPresent method method setLoopbackTokenPresent L204–207
+ shutdown method async_method shutdown L269–275
+ startRuntime method async_method startRuntime L232–255
+ state method method state L191–199
+ validateManifestTrustAnchor function function validateManifestTrustAnchor L72–90
~ lib/companion-spawn-adapter.mjs .mjs 8 symbols added
+ buildRuntimeArgv function function buildRuntimeArgv L78–102
+ createCompanionSpawnAdapter function function createCompanionSpawnAdapter L108–162
+ createScrubbedRuntimeEnv function function createScrubbedRuntimeEnv L62–71
+ healthCheck method async_method healthCheck L140–154
+ kill method async_method kill L134–136
+ reclaimStaleRuntime method async_method reclaimStaleRuntime L156–160
+ requireAbsolutePath function function requireAbsolutePath L50–55
+ spawn method async_method spawn L114–138
~ lib/companion-tier-resolver.mjs .mjs 1 symbol added
+ resolveTier function function resolveTier L73–95
~ lib/companion-token-custody.mjs .mjs 14 symbols added
+ buildSessionMeta function function buildSessionMeta L110–132
+ clearLoopbackToken function async_function clearLoopbackToken L282–284
+ clearSession function async_function clearSession L241–245
+ createTokenCustody function function createTokenCustody L152–297
+ decide function async_function decide L251–260
+ getLoopbackToken function async_function getLoopbackToken L268–271
+ loadSession function async_function loadSession L209–234
+ requireAdapter function function requireAdapter L70–81
+ requireSecret function function requireSecret L89–94
+ rotateLoopbackToken function async_function rotateLoopbackToken L277–279
+ serializeMeta function function serializeMeta L156–168
+ storeLoopbackToken function async_function storeLoopbackToken L263–265
+ storeSession function async_function storeSession L174–185
+ updateAccessToken function async_function updateAccessToken L191–203
~ lib/model-runtime-lane.mjs .mjs 3 symbols added
+ enforceConsentPolicy function function enforceConsentPolicy L222–249
+ isManagedLane function function isManagedLane L163–165
+ selectLane function function selectLane L127–148
+ base function function base L25–36
+ listenerDecide function function listenerDecide L26–30
+ req function function req L26–37
+ step function function step L40–47
+ base function function base L24–35
+ base function function base L37–48
+ toString method method toString L289–289
+ base function function base L25–36
+ goodRequest function function goodRequest L32–47
+ authorize method method authorize L35–49
+ makeSimulatedServer function function makeSimulatedServer L31–68
+ token method method token L50–66
+ timed function function timed L22–26
+ makeDigest function function makeDigest L41–43
+ download method async_method download L49–49
+ healthCheck method async_method healthCheck L50–50
+ makeDigest function function makeDigest L36–38
+ makeStubAdapter function function makeStubAdapter L45–53
+ simulatePhase5Session function async_function simulatePhase5Session L57–120
+ spawn method async_method spawn L48–48
+ statResources method async_method statResources L51–51
+ makeDigest function function makeDigest L35–37
+ makeDigest function function makeDigest L39–41
+ assertNoSecretInReason function function assertNoSecretInReason L325–332
+ makeDigest function function makeDigest L44–46
+ timeVerify function function timeVerify L401–410
+ timeWith function function timeWith L386–398
+ makeDigest function function makeDigest L32–34
+ makeDigest function function makeDigest L44–46
+ download method async_method download L31–33
+ healthCheck method async_method healthCheck L37–39
+ runtimeRequest method method runtimeRequest L68–72
+ sha256 function function sha256 L18–20
+ spawn method async_method spawn L34–36
~ test/companion-shell-e2e.test.mjs .mjs 7 symbols added
+ download method async_method download L86–88
+ healthCheck method async_method healthCheck L93–95
+ json method async_method json L35–43
+ openBrowser method async_method openBrowser L56–67
+ sha256 function function sha256 L22–24
+ spawn method async_method spawn L89–92
+ tokenFetch function function tokenFetch L31–45
+ download method async_method download L74–77
+ runtimeRequest method method runtimeRequest L33–38
+ sha256 function function sha256 L24–26
+ runtimeRequest method method runtimeRequest L41–44
+ rawHttpStatus function function rawHttpStatus L18–33
+ runtimeRequest method method runtimeRequest L174–174
~ test/companion-shell-stress.test.mjs .mjs 4 symbols added
+ download method async_method download L50–55
+ healthCheck method async_method healthCheck L59–61
+ sha256 function function sha256 L18–20
+ spawn method async_method spawn L56–58
+ timed function function timed L10–13
+ get method method get L37–37
+ set method method set L37–37
+ buildIntegrityStores function function buildIntegrityStores L34–65
+ selfCtx function function selfCtx L67–72
+ writeNoteFn function function writeNoteFn L40–43
+ buildE2EStores function function buildE2EStores L34–67
+ fakeLlm function function fakeLlm L319–323
+ writeNoteFn function function writeNoteFn L40–48
+ convenienceContext function function convenienceContext L71–80
+ fakeLlm function function fakeLlm L376–380
+ insightProvenance function function insightProvenance L96–108
+ makeStores function function makeStores L41–69
+ summaryProvenance function function summaryProvenance L82–94
+ writeNoteFn function function writeNoteFn L47–50
+ buildPerfStores function function buildPerfStores L35–45
+ elapsed function function elapsed L23–27
+ elapsedAsync function async_function elapsedAsync L29–33
+ prov function function prov L55–68
+ selfCtx function function selfCtx L47–53
+ writeNoteFn function function writeNoteFn L36–36
+ baseProv function function baseProv L85–97
+ buildSecStores function function buildSecStores L52–74
+ countingWriter function function countingWriter L211–211
+ selfCtx function function selfCtx L76–83
+ writeNoteFn function function writeNoteFn L57–59
+ buildStressStores function function buildStressStores L22–61
+ failOnThird function function failOnThird L235–238
+ makeProvenance function function makeProvenance L63–74
+ selfCtx function function selfCtx L76–85
+ upsertCalls method method upsertCalls L59–59
+ writeCalls method method writeCalls L58–58
+ writeNoteFn function function writeNoteFn L30–34
+ makeWriter function function makeWriter L65–71
+ validProvenance function function validProvenance L47–63
+ bearer function function bearer L37–43
+ installFetchMock function function installFetchMock L56–138
+ responseJson function function responseJson L45–54
+ delete method async_method delete L51–53
+ get method async_method get L45–47
+ makeAsyncKeychain function function makeAsyncKeychain L41–55
+ makeSyncKeychain function function makeSyncKeychain L18–35
+ set method async_method set L48–50
+ chatRouteSource function function chatRouteSource L26–33
+ readRepoFile function function readRepoFile L22–24
+ clearChatEnv function function clearChatEnv L33–35
+ mockByHost function function mockByHost L44–55
+ restoreEnv function function restoreEnv L37–42
+ captureBody function function captureBody L39–48
+ clearChatEnv function function clearChatEnv L28–30
+ restoreEnv function function restoreEnv L32–37
+ clearChatEnv function function clearChatEnv L26–28
+ restoreEnv function function restoreEnv L30–35
+ clearChatEnv function function clearChatEnv L29–31
+ mockByHost function function mockByHost L41–54
+ restoreEnv function function restoreEnv L33–38
+ clearChatEnv function function clearChatEnv L29–31
+ restoreEnv function function restoreEnv L33–38
+ clearChatEnv function function clearChatEnv L36–38
+ restoreEnv function function restoreEnv L40–45
+ clearChatEnv function function clearChatEnv L27–29
+ restoreEnv function function restoreEnv L31–36
+ clearChatEnv function function clearChatEnv L42–44
+ mockOpenRouterOk function function mockOpenRouterOk L58–68
+ restoreEnv function function restoreEnv L46–51
~ test/model-runtime-lane-e2e.test.mjs .mjs 1 symbol added
+ route function function route L26–39
+ runPipeline function function runPipeline L28–39
+ applyScopeCeiling function function applyScopeCeiling L120–123
+ grantedScopes function function grantedScopes L117–119
+ sha256b64url function function sha256b64url L21–23
~ test/native-oauth-c1-c6-e2e.test.mjs .mjs 10 symbols added
+ fetch method async_method fetch L50–70
+ grantedScopes function function grantedScopes L96–100
+ issueAccessToken function function issueAccessToken L88–94
+ json method method json L176–176
+ redirect method method redirect L177–177
+ sha256b64url function function sha256b64url L26–28
+ start method method start L38–46
+ status method method status L175–175
+ stop method method stop L47–49
+ testClient function function testClient L33–72
+ cookie method method cookie L144–144
+ end method method end L143–143
+ grantedScopes function function grantedScopes L88–92
+ issue function async_function issue L34–40
+ issueAccessToken function function issueAccessToken L81–87
+ json method method json L233–233
+ makeRequest function function makeRequest L123–151
+ mockRefreshStore function function mockRefreshStore L31–68
+ redirect method method redirect L234–234
+ revoke function async_function revoke L60–65
+ rotate function async_function rotate L42–58
+ runFullFlow function async_function runFullFlow L153–177
+ set method method set L139–139
+ sha256b64url function function sha256b64url L27–29
+ status method method status L232–232
+ applyScopeCeiling function function applyScopeCeiling L92–95
+ elapsed function function elapsed L29–32
+ run function async_function run L126–141
+ sha256b64url function function sha256b64url L25–27
+ fetch method async_method fetch L46–63
+ grantedScopes function function grantedScopes L86–89
+ issueAccessToken function function issueAccessToken L78–84
+ json method method json L454–454
+ redirect method method redirect L455–455
+ sha256b64url function function sha256b64url L27–29
+ start method method start L35–42
+ status method method status L453–453
+ stop method method stop L43–45
+ testClient function function testClient L31–65
+ sha256b64url function function sha256b64url L19–21
~ test/native-oauth-c1-c6-unit.test.mjs .mjs 3 symbols added
+ roleForSub function function roleForSub L88–90
+ scopesForRole function function scopesForRole L84–87
+ sha256b64url function function sha256b64url L26–28
+ load function function load L154–154
+ makeToken function function makeToken L23–25
+ resolveRole function async_function resolveRole L27–57
+ roleForSub function function roleForSub L28–28
+ load function function load L68–71
+ makeAdminToken function function makeAdminToken L128–130
+ makeBridgeServer function function makeBridgeServer L30–41
+ makeMemberToken function function makeMemberToken L132–134
+ resolveHostedActorRoleMock function async_function resolveHostedActorRoleMock L58–126
+ roleForSub function function roleForSub L71–73
+ checkOverride function function checkOverride L144–149
+ makeToken function function makeToken L16–18
+ resolveRole function async_function resolveRole L23–46
+ roleForSub function function roleForSub L24–24
+ load function function load L132–132
~ .env.example .example
~ AGENTS.md .md 2 symbols added, 2 symbols modified
+ GitHub mirror workflow — MANDATORY, no exceptions section GitHub mirror workflow — MANDATORY, no exceptions L16–43
+ code[bash] variable variable code[bash] L22–36
~ hub/gateway/server.mjs .mjs 1 symbol added, 3 symbols modified
+ normalizeGatewayNoteFrontmatter function function normalizeGatewayNoteFrontmatter L2419–2425
~ lib/config.mjs .mjs 2 symbols added, 1 symbol modified
+ loadLlmConfig function function loadLlmConfig L296–308
+ normalizeChatProviderInput function function normalizeChatProviderInput L269–283
~ lib/daemon-llm.mjs .mjs 1 symbol modified
~ lib/llm-complete.mjs .mjs 2 symbols added, 2 symbols modified
+ ollamaChat function async_function ollamaChat L225–261
+ openrouterChat function async_function openrouterChat L180–215
~ lib/memory-consolidate.mjs .mjs 1 symbol modified
~ mcp/tools/index-enrich.mjs .mjs 2 symbols added, 1 symbol modified
+ _buildDefaultWriter function function _buildDefaultWriter L34–40
+ _defaultWriteContext function function _defaultWriteContext L48–57
+ routeBlock function function routeBlock L24–29
~ web/hub/hub.js .js 2 symbols added, 3 symbols modified
+ applyChatProviderSettings function function applyChatProviderSettings L9911–9966
+ chatProviderKeyHintText function function chatProviderKeyHintText L9889–9909
~ web/hub/index.html .html 14 symbols added, 4 symbols removed, 32 symbols modified
− details@1918 section details@1918 L1918–1923
− details@1924 section details@1924 L1924–1929
− details@1930 section details@1930 L1930–1935
− details@1936 section details@1936 L1936–1941
+ button#btn-chat-provider-save section button#btn-chat-provider-save L1151–1151
+ button[OpenRouter — setup details] section button[OpenRouter — setup details] L1156–1160
+ details@1980 section details@1980 L1980–1985
+ details@1986 section details@1986 L1986–1991
+ details@1992 section details@1992 L1992–1997
+ details@1998 section details@1998 L1998–2005
+ div#integ-model-grid section div#integ-model-grid L1155–1161
+ div#settings-chat-provider section div#settings-chat-provider L1137–1154
+ h3: AI model provider section h3: AI model provider L1132–1135
+ p#chat-provider-admin-hint section p#chat-provider-admin-hint L1149–1149
+ p#chat-provider-env-hint section p#chat-provider-env-hint L1148–1148
+ p#chat-provider-key-hint section p#chat-provider-key-hint L1147–1147
+ select#chat-provider-select section select#chat-provider-select L1139–1146
+ span#chat-provider-msg section span#chat-provider-msg L1152–1152
Files Changed
+106 ~18
818 in snapshot
~ .env.example .example
~ AGENTS.md .md
