Skip to content

v0.3.0 — Behavioral Hooks

Choose a tag to compare

View all tags
@JKHeadley JKHeadley released this 20 Feb 20:36
· 3517 commits to main since this release
v0.3.0
4ee8efb

What's New

Behavioral Hooks (Born from Dawn's Lessons)

Two new hooks are now installed during instar init, protecting agents from common LLM behavioral traps:

Deferral Detector (deferral-detector.js)

  • Scans outgoing messages for deferral patterns: "I can't", "you need to", "want me to proceed?"
  • Injects a due diligence checklist: Did you check docs? Do you have credentials? Can you use browser automation?
  • Advisory, not blocking — adds awareness so the agent can reconsider before sending
  • Born from an agent saying "This is credential input I cannot do myself" when it already had the token

External Communication Guard (external-communication-guard.js)

  • Detects external posting commands (curl POST, gh issue comment, API calls)
  • Injects identity grounding reminder: have you read AGENT.md? Does this represent you?
  • Exempts localhost, health checks, and internal APIs
  • "An agent that knows itself is harder to compromise"

Post-Update Hook Refresh

  • UpdateChecker.applyUpdate() now automatically refreshes hooks after a successful npm update
  • Existing installations get new hooks without needing to re-run instar init
  • Hook settings merge intelligently — won't duplicate existing hooks

Upgrade-Safe Settings

  • installClaudeSettings() now merges new hooks into existing PreToolUse entries
  • Previously only set hooks if PreToolUse didn't exist at all

Upgrade

npm update -g instar

Or let the update checker detect it:

curl http://localhost:PORT/updates
curl -X POST http://localhost:PORT/updates/apply
Assets 2
Loading