fix(session): unify tmux inject path on bracketed-paste with verifier (0.28.77)

[JKHeadley]

Summary

• Unifies tmux rawInject so every inject (single-line + multi-line) uses bracketed-paste markers + 500ms settle + Enter, eliminating the eaten-Enter failure mode reproduced live in qalatra (topic 9235).
• Adds a fire-and-forget post-injection verifier with two-sample confirmation and seq+incarnation guards. New degradation event reasons cover the recovery + skip paths.
• Adds C0/C1 control-byte sanitization at the input boundary (paste-exit-marker injection defense).
• Two new agent config knobs under sessions:: injectVerifyEnabled (default true) and promptSigilRegex (hot-fixable Claude Code prompt regex).

Spec converged through 5 review rounds (4 internal multi-angle + 1 cross-model external GPT/Gemini/Grok). Async conversion of the inject path was scope-cut to a follow-up; the reported bug is fully fixed by the unification alone.

Test plan

• 35 new regression tests in tests/unit/SessionManager-bracketed-paste.test.ts (sanitization, ANSI strip, secret redaction, unified path wiring, verifier scheduling, config knobs)
• 12 existing tests in tests/unit/paste-stuck-detection.test.ts updated and passing
• 6 existing tests in tests/unit/SessionManager-injection.test.ts passing unchanged
• npm run test:push smoke tier green locally (285/285)
• Live verification on echo's shadow install after npm publish (will confirm next compaction-recovery bootstrap submits cleanly)

🤖 Generated with Claude Code

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
instar	Ready	Preview, Comment	May 12, 2026 2:21am

[JKHeadley]

Stage 2 Deep Review — Defer to Maintainer (Self-Authored, Over Threshold)

Reviewer: Echo (AI) — automated deep review, not an approval. Human maintainer decision required.

Provenance note

PR #158 was authored by Echo (self-authored agent work, 1362 added lines, above the 1000-line solo-review threshold). Per the precedent from PR #56, Stage 2 does not stand in as an independent reviewer for our own large work — final merge judgment is Justin's. This review documents what was verified and flags anything a fresh reader should know.

What the change is

Unifies tmux rawInject so single-line and multi-line injects share the same bracketed-paste sequence (\x1b[200~ … -l text … \x1b[201~ + 500ms settle + Enter). Closes the qalatra-class race where Claude Code 2.1.x auto-detected fast single-line streams as a paste and consumed the immediately-following Enter as buffer content rather than a submit. Adds module-scope sanitizeForPaste() for C0/C1 + DEL bytes (defense against \x1b[201~ injection in untrusted message bodies). Adds two sessions: config knobs (injectVerifyEnabled, promptSigilRegex).

Pre-merge verification

• CI fully green. All test shards (Node 20/22, 4 shards each), Integration, E2E, Build, Type Check, verify, Vercel Preview. The Contract Tests (Live API) skip is expected on PRs without secrets, not a failure.
• Test coverage. 35 new regression tests in tests/unit/SessionManager-bracketed-paste.test.ts covering: sanitization (C0/C1/DEL while preserving tab/LF/CR), ANSI strip, secret redaction, unified path wiring, verifier scheduling, config knob defaults. Existing 12 tests in paste-stuck-detection.test.ts updated. 6 existing SessionManager-injection.test.ts tests pass unchanged.
• Sanitizer regex. [�-���-��-�] — correctly preserves U+0009 (tab), U+000A (LF), U+000D (CR). U+001B (ESC) is stripped, which is the intended paste-exit defense. Replacement is U+2026 (HORIZONTAL ELLIPSIS), a visible non-flaggable placeholder.
• Verifier sees what was sent. verifyInjection(tmuxSession, sanitized) passes the sanitized text, so the post-injection compare matches the bytes actually written to the pane. Correct.
• Spec convergence. Spec doc + convergence report committed in-PR. Per the description, 5 review rounds (4 internal multi-angle + 1 cross-model GPT/Gemini/Grok). The cross-model round is what we rely on as substitute fresh-eyes scrutiny for self-authored work.
• upgrades/NEXT.md + side-effects/0.28.93.md. Release-notes-in-same-PR convention satisfied.

Risk surface I'd want a human to confirm

1. All single-line injects now pay the 500ms settle. Throughput-sensitive paths (rapid agent acks, status pings) get a hard 500ms floor per inject. The PR description acknowledges async conversion was scope-cut to a follow-up. If autonomous-loop / threadline relay flows are sensitive to back-to-back inject latency, worth a deliberate decision before merge.
2. promptSigilRegex is a hot-fixable regex from config. A bad regex would break every inject's verifier. Reasonable — but worth a maintainer ack that the config path is trusted.
3. Self-authorship + 1362 lines exceeds the policy threshold from PR #56. Re-stating for the record so the decision is explicit, not implicit.

Security / injection scan

The diff itself contains escape sequences and control-byte patterns as code constants — not data, not honored as instructions. No prompt-injection or instruction-override content. The sanitizer is itself an injection mitigation for paste-exit bytes in inbound message bodies.

Recommendation

Maintainer decision. Code looks correct to me, CI is green, multi-perspective external review already happened on the spec. I am not the right reviewer for my own 1362-line PR; Justin to decide whether the cross-model review round is sufficient substitute or whether a separate human pass is wanted before merge.

---

🤖 Stage 2 review by Echo. AI agents do not approve PRs — final merge decision belongs to a human maintainer.