itx grand cleanup: §8+§9 graduate — egress is a capability, captun intercept dies, kernel shrinks, auth mints, legacy afterAppend deleted

[jonastemplestein]

What

The remaining grand-cleanup workstreams in one deliberately breaking PR (prd gets redeployed). DECISIONS D23 is the canonical record. Three main-side PRs landed mid-flight and overlap this work — all adopted wholesale in the merges: #1482 (repos/workspace/worker as platform defaults with origin-carrying delegation), #1487 (fetch is a shadowable cap, define absorbs provide, shared registry host), and #1490 (intercept tunnel deleted, streams is a cap, best-effort onRpcBroken). This PR contributes the layers below on top of them.

§9 finished: the egress pipe is stateless

• itx consolidation: one define verb, fetch is just a (shadowable) cap, one context-node shape #1487/itx follow-ups: intercept tunnel deleted, streams is a cap, scoped DO names, REPL reads types.ts #1490 made fetch a shadowable platform:project cap and deleted the tunnel, but kept the DEFAULT pipe inside the Project DO (ProjectEgress.call → egressFetch). This PR replaces that terminal with the stateless EgressPipe loopback. The Project DO still supervises every dispatch (live shadows resolve in its registry), but egress secrets are D1 rows scoped by the registry-injected projectId, so substitution + the real outbound fetch run in a plain isolate and secret material never enters the DO.
• The Project DO has no fetch surface at all — no fetch, no ingressFetch, no egressFetch.

Worker-loading unification

• itx/isolate.ts is the ONE place the platform's trust posture (Law 4 ITERATE scoping, Law 5 egress outbound) is wired into loaded isolates; the registry's source caps and the project worker both use it. (The Workers-RPC-safe onRpcBroken guard this PR carried shipped independently in itx follow-ups: intercept tunnel deleted, streams is a cap, scoped DO names, REPL reads types.ts #1490 — main's version adopted.)

ProjectCapability dissolved

The hand-wired forwarder entrypoint is deleted; nothing called it.

Auth is the ONLY project-id minter

New auth internal route POST /internal/project/mint-project-id (service-authed); OS operator/recovery creates (project directory + itx.projects.create) round-trip through it. mintProjectId is deleted from OS — the prj_ id space has exactly one source.

Legacy afterAppend/runner-state deleted

The agent, slack-agent, slack-integration, and repo DOs lose their afterAppend RPCs and fake runner shapes (delivery has been on the host model for a while). Agent runtime state is now the honest { agentPath, processors: { [slug]: snapshot } }; slack ensureReady returns a plain snapshot; the agent-stream benchmark updated.

Deferred to main's posture (from the original plan)

• project stays a hardwired built-in (per itx: repos/workspace/worker become platform defaults; origin-carrying delegation; durable-object refs #1482's kernel choice) rather than a durable-object default; DIALABLE_DURABLE_OBJECTS stays empty by default (config-gated).
• The egress cap is named fetch (per itx consolidation: one define verb, fetch is just a (shadowable) cap, one context-node shape #1487), not egress.

⚠️ Merge order

#1489 must merge (and auth deploy) first — this PR's create paths round-trip id minting through auth's new /internal/project/mint-project-id, and previews point at production auth. The preview e2e here 404s until that endpoint is live.

Breaking changes (intended)

• Agent runtimeState shape changed (consumers were shape-agnostic or updated).
• egressFetch is gone from every surface; use itx.fetch / the egress cap.

Testing

• Full repo gates green (typecheck, lint, 35/35 apps/os test files).
• Workers suites: project-ingress 6/6 (incl. live-shadow + revoke-restores-default), itx-stream-subscribe 13/13.
• project-mcp-server-connection fails 2/3 identically on the branch base (verified in a clean worktree) — pre-existing.
• Preview e2e exercises: the egress capability over capnweb (explicit + implicit doors), the new live-shadow helper, and auth-routed minting.

Out of scope

• Egress policy-as-data / hold-for-approval (the §9 follow-on).
• Stream processors taking a synchronous SQL client (jam).

🤖 Generated with Claude Code

---

Note

High Risk
Breaking egress and secret-handling semantics (DO no longer substitutes secrets; interceptors see raw placeholders), new auth dependency for id minting, and changed agent runtimeState shape affect security-sensitive paths and deploy ordering.

Overview
Completes itx D23: project egress is a shadowable fetch capability whose default terminal is the stateless EgressPipe (secret substitution + outbound fetch in a plain isolate), while the Project DO only supervises registry dispatch. fetch / egressFetch are removed from the Project DO; ProjectCapability is deleted.

Adds itx/isolate.ts so project workers, source caps, and the run harness share one ITERATE + ProjectEgress globalOutbound wiring path.

Auth is the sole prj_ minter: OS drops local mintProjectId; operator/admin and itx.projects.create call auth’s mintProjectId internal route.

Removes legacy afterAppend / runner-shaped RPCs on agent, slack, and repo DOs; agent runtimeState is { agentPath, processors } (benchmark updated). Docs mark §8/§9 shipped; live fetch shadows see raw getSecret(...) placeholders (withheld-text mode removed).

^{Reviewed by Cursor Bugbot for commit df5965b. Bugbot is set up for automated code reviews on this repo. Configure here.}

Environment Config Lease

No active environment config lease.

OS

Status: released
Commit: df5965b
Preview: https://os.iterate-preview-6.com
Summary: Preview app released.
Workflow run
Updated: 2026-06-11T10:34:00.682Z

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 6502e43. Configure here.}