cool-workflow 0.1.78 → 0.1.79

package/.claude-plugin/plugin.json

@@ -1,7 +1,7 @@
 {
   "name": "cool-workflow",
   "description": "Auditable workflow control-plane and orchestration runtime: TypeScript dispatch, evidence-gated verification, state commits, scheduling, routines, multi-agent coordination, and MCP. Delegates execution to external agents — never runs models.",
-  "version": "0.1.78",
+  "version": "0.1.79",
   "author": {
     "name": "COOLWHITE LLC"
   },

package/.codex-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "cool-workflow",
-  "version": "0.1.78",
+  "version": "0.1.79",
   "description": "Auditable workflow control-plane and orchestration runtime: TypeScript dispatch, evidence-gated verification, state commits, scheduling, routines, multi-agent coordination, and MCP. Delegates execution to external agents — never runs models.",
   "author": {
     "name": "COOLWHITE LLC"

package/README.md

@@ -8,6 +8,8 @@
 ```
 
 [![CI](https://img.shields.io/github/actions/workflow/status/coo1white/cool-workflow/ci.yml?branch=main&style=flat-square&label=CI)](https://github.com/coo1white/cool-workflow/actions/workflows/ci.yml)
+[![npm](https://img.shields.io/npm/v/cool-workflow?style=flat-square&label=npm&color=cb3837)](https://www.npmjs.com/package/cool-workflow)
+[![downloads](https://img.shields.io/npm/dm/cool-workflow?style=flat-square&label=downloads)](https://www.npmjs.com/package/cool-workflow)
 [![release](https://img.shields.io/github/v/tag/coo1white/cool-workflow?style=flat-square&label=release&color=brightgreen&sort=semver)](https://github.com/coo1white/cool-workflow/tags)
 [![license](https://img.shields.io/badge/license-BSD--2--Clause-blue?style=flat-square)](../../LICENSE)
 ![MCP](https://img.shields.io/badge/MCP-native-8A2BE2?style=flat-square)
@@ -631,8 +633,24 @@ CHANGELOG.md and RELEASE.md are content surfaces checked by the dogfood-release
 
 Auto-compaction hook moved from `saveCheckpoint()` to explicit `maybeCompactRun()` calls after major lifecycle mutations. Fixes test fixture fingerprint instability. Also fixes the dogfood-release version-sync pipeline: always use `npm run bump:version`, never hand-edit version.ts alone.
 
-v0.1.76
+## Control-plane naming (v0.1.76)
 
-v0.1.77
+Positioning consistency: every self-describing surface names CW an auditable workflow control-plane / Workflow App framework, not an "SDK" (which survives only in the red-line disclaimer "embeds no model SDK").
 
-v0.1.78
+## Workflow orchestration: Tracks 1–3 (v0.1.77)
+
+The orchestration vision landed in one release, all reviewer-gated:
+
+- **Track 1 — telemetry attestation**: each agent's reported token usage is verified against an operator ed25519 trust key (`attested`/`unattested`/`absent`, surfaced loudly), recorded in a tamper-evident hash-chained ledger; opt-in `require-attested-telemetry` fails closed on unverifiable usage.
+- **Track 2 — concurrent failure semantics**: a `parallel()` phase runs its agents concurrently with declared collapse rules — **collect-all** (a failing hop never aborts siblings) and **kill-on-timeout** (a hung agent is killed at its deadline and counted as one failure). 16 agents with a forced hang + crash + dirty-return complete with no deadlock and a replay-complete record.
+- **Track 3 — boundary contract**: per-task output `schema` validation (dependency-free, parks on mismatch), `limits.tokenBudget` enforced against recorded usage, and the one-way executor boundary welded into the type layer (a callable crossing it fails `npm run build`).
+
+## Working onboarding + npm distribution (v0.1.78)
+
+`--agent-command builtin:claude` resolves to a bundled read-only claude wrapper that completes workers with a real agent; the cross-directory quickstart crash is fixed; missing optional inputs no longer leak `{{name}}` into prompts. Published to npm (`cool-workflow`, bins `cw`/`cool-workflow`) with LICENSE and metadata. Live dogfood proof committed under `docs/dogfood/`.
+
+## Tamper-evidence demo (on main, ships next)
+
+`cw demo tamper` — a hermetic, one-command proof that a recorded telemetry verdict cannot be forged undetected: it builds a real ed25519-signed ledger, forges it at the ledger layer (verdict flip + recomputed local hash → the chain still breaks) and the signature layer (inflated tokens, reused signature → ed25519 rejects), all verified offline with only the public key. `cw telemetry verify <run>` is the operator-facing half (`cw_telemetry_verify` on MCP).
+
+v0.1.79

package/apps/architecture-review/app.json

@@ -3,7 +3,7 @@
   "id": "architecture-review",
   "title": "Architecture Review",
   "summary": "Map a repository architecture, assess risks, verify important findings, and synthesize an evidence-backed verdict.",
-  "version": "0.1.78",
+  "version": "0.1.79",
   "author": "COOLWHITE LLC",
   "inputs": [
     {

package/apps/end-to-end-golden-path/app.json

@@ -3,7 +3,7 @@
   "id": "end-to-end-golden-path",
   "title": "End-to-End Golden Path",
   "summary": "Deterministic one-worker workflow app for proving the CW integration chain.",
-  "version": "0.1.78",
+  "version": "0.1.79",
   "author": "COOLWHITE LLC",
   "inputs": [
     {

package/apps/pr-review-fix-ci/app.json

@@ -3,7 +3,7 @@
   "id": "pr-review-fix-ci",
   "title": "PR Review Fix CI",
   "summary": "Review a pull request or branch, inspect CI failures, diagnose actionable issues, optionally patch, verify, and summarize with evidence.",
-  "version": "0.1.78",
+  "version": "0.1.79",
   "author": "COOLWHITE LLC",
   "inputs": [
     {

package/apps/release-cut/app.json

@@ -3,7 +3,7 @@
   "id": "release-cut",
   "title": "Release Cut",
   "summary": "Prepare a release with checklist discipline: version checks, changelog, tests, packaging, release notes, and final verification.",
-  "version": "0.1.78",
+  "version": "0.1.79",
   "author": "COOLWHITE LLC",
   "inputs": [
     {

package/apps/research-synthesis/app.json

@@ -3,7 +3,7 @@
   "id": "research-synthesis",
   "title": "Research Synthesis",
   "summary": "Split a research question into claims, investigate sources, cross-check evidence, verify claims, and synthesize a concise answer.",
-  "version": "0.1.78",
+  "version": "0.1.79",
   "author": "COOLWHITE LLC",
   "inputs": [
     {

package/dist/capability-core.js

@@ -61,11 +61,15 @@ exports.sandboxProfileIdFrom = sandboxProfileIdFrom;
 exports.withoutRuntimeKeys = withoutRuntimeKeys;
 exports.optionalString = optionalString;
 exports.isRecord = isRecord;
+exports.telemetryVerify = telemetryVerify;
+exports.demoTamper = demoTamper;
 const capability_registry_1 = require("./capability-registry");
 const drive_1 = require("./drive");
 const agent_config_1 = require("./agent-config");
 const run_registry_1 = require("./run-registry");
 const observability_1 = require("./observability");
+const telemetry_ledger_1 = require("./telemetry-ledger");
+const telemetry_demo_1 = require("./telemetry-demo");
 const state_1 = require("./state");
 const node_fs_1 = __importDefault(require("node:fs"));
 const node_path_1 = __importDefault(require("node:path"));
@@ -628,3 +632,32 @@ function optionalString(value) {
 function isRecord(value) {
     return Boolean(value && typeof value === "object" && !Array.isArray(value));
 }
+// ---- telemetry attestation: read-only ledger verification (Track 1) --------
+// Re-prove a run's telemetry chain offline: prevHash linkage + independent per-
+// record hash recompute (never trusts the stored hash). The auditable claim made
+// inspectable on demand — anyone can run this; a forged/edited record fails it.
+function telemetryVerify(runner, args) {
+    const runId = optionalString(args.runId || args.run);
+    if (!runId)
+        throw new Error("telemetry verify requires a run id (cw telemetry verify <run-id>)");
+    const run = runner.loadRun(runId);
+    const v = (0, telemetry_ledger_1.verifyTelemetryLedger)(run);
+    return {
+        schemaVersion: 1,
+        runId: run.id,
+        present: v.present,
+        verified: v.verified,
+        records: v.records.length,
+        attested: v.attested,
+        unattested: v.unattested,
+        absent: v.absent,
+        failedChecks: v.checks.filter((c) => !c.pass).map((c) => ({ name: c.name, code: c.code }))
+    };
+}
+// ---- demo: tamper-evidence (the one-command proof) -------------------------
+// Hermetic, deterministic-shape: builds a real ed25519-signed telemetry ledger,
+// then forges it two ways and shows both tamper-evidence layers catch it. CLI-only
+// (a human-facing demonstration; the underlying verify is the telemetry.verify verb).
+function demoTamper(_runner, _args = {}) {
+    return (0, telemetry_demo_1.runTamperDemo)();
+}

package/dist/capability-registry.js

@@ -374,6 +374,8 @@ const BUILTIN_CAPABILITIES = [
     { capability: "gc.plan", summary: "Dry-run plan of run reclamation (per-kind bytes + capability downgrade); frees nothing.", entry: "gcPlan", surface: "both", cli: { path: ["gc", "plan"], caseTokens: ["gc", "plan"], jsonMode: "flag" }, mcp: { tool: "cw_gc_plan" } },
     { capability: "gc.run", summary: "Execute the write-ahead reclamation transaction (skeleton -> tombstone -> fsync -> free).", entry: "gcRun", surface: "both", cli: { path: ["gc", "run"], caseTokens: ["gc", "run"], jsonMode: "flag" }, mcp: { tool: "cw_gc_run" }, payloadIdentical: false, reason: "Mutating: frees disk and appends a tombstone; both surfaces perform the identical transaction but the payload reports now-derived bytesFreed/tombstone." },
     { capability: "gc.verify", summary: "Re-prove a reclaimed run: skeleton-complete, tombstone chain untampered, artifacts reconstructable.", entry: "gcVerify", surface: "both", cli: { path: ["gc", "verify"], caseTokens: ["gc", "verify"], jsonMode: "flag" }, mcp: { tool: "cw_gc_verify" } },
+    { capability: "telemetry.verify", summary: "Re-prove a run's telemetry attestation ledger offline (chain linkage + independent hash recompute).", entry: "telemetryVerify", surface: "both", cli: { path: ["telemetry", "verify"], caseTokens: ["telemetry"], jsonMode: "flag" }, mcp: { tool: "cw_telemetry_verify" } },
+    { capability: "demo.tamper", summary: "Prove tamper-evidence: build a signed telemetry ledger, forge it, watch verification fail offline.", entry: "demoTamper", surface: "cli-only", cli: { path: ["demo", "tamper"], caseTokens: ["demo", "tamper"], jsonMode: "flag" }, reason: "Human-facing demonstration (operator/newcomer onboarding); the underlying integrity check is exposed programmatically as the both-surface telemetry.verify. No agent or MCP client needs to invoke a demo." },
     { capability: "history", summary: "Read a cross-repo unified run timeline (newest first).", entry: "runRegistry.history", surface: "both", cli: { path: ["history"], jsonMode: "flag" }, mcp: { tool: "cw_history" } },
     // ---- web / desktop workbench (v0.1.30) ----------------------------------
     // A THIRD FRONT DOOR — a read-only renderer, not a new brain. Both verbs route

package/dist/cli.js

@@ -10,6 +10,7 @@ const orchestrator_1 = require("./orchestrator");
 const capability_registry_1 = require("./capability-registry");
 const capability_core_1 = require("./capability-core");
 const observability_1 = require("./observability");
+const telemetry_demo_1 = require("./telemetry-demo");
 const run_registry_1 = require("./run-registry");
 const daemon_1 = require("./daemon");
 const scheduler_1 = require("./scheduler");
@@ -1179,6 +1180,44 @@ async function main() {
                 process.stdout.write(`${(0, run_registry_1.formatHistory)(result)}\n`);
             return;
         }
+        case "telemetry": {
+            const [subcommand, id] = args.positionals;
+            switch (subcommand) {
+                case "verify": {
+                    const result = (0, capability_core_1.telemetryVerify)(runner, { ...args.options, runId: id || args.options.runId || args.options.run });
+                    if (wantsJson(args.options))
+                        printJson(result);
+                    else
+                        process.stdout.write(`${(0, telemetry_demo_1.formatTelemetryVerify)(result)}\n`);
+                    return;
+                }
+                default:
+                    if (await tryDispatchCli(args, runner))
+                        return;
+                    throw new Error("Usage: cw.js telemetry verify <run-id> [--json]");
+            }
+        }
+        case "demo": {
+            const [subcommand] = args.positionals;
+            switch (subcommand) {
+                case "tamper": {
+                    const result = (0, capability_core_1.demoTamper)(runner, args.options);
+                    if (wantsJson(args.options))
+                        printJson(result);
+                    else
+                        process.stdout.write(`${(0, telemetry_demo_1.formatTamperDemo)(result)}\n`);
+                    // Fail closed: if the proof did not hold (a tamper went undetected),
+                    // exit nonzero so the demo can never green a broken guarantee.
+                    if (!result.proven)
+                        process.exitCode = 1;
+                    return;
+                }
+                default:
+                    if (await tryDispatchCli(args, runner))
+                        return;
+                    throw new Error("Usage: cw.js demo tamper [--json]");
+            }
+        }
         case "workbench": {
             const [subcommand, runId] = args.positionals;
             switch (subcommand) {

package/dist/mcp-server.js

@@ -425,6 +425,8 @@ function callTool(name, args) {
                 return (0, capability_core_1.gcRun)((0, capability_core_1.runRegistryFor)(args, runner), (0, capability_core_1.optionalString)(args.runId), args);
             case "cw_gc_verify":
                 return (0, capability_core_1.gcVerify)((0, capability_core_1.runRegistryFor)(args, runner), String(args.runId || ""), args);
+            case "cw_telemetry_verify":
+                return (0, capability_core_1.telemetryVerify)(runner, args);
             case "cw_history":
                 return (0, capability_core_1.runHistory)((0, capability_core_1.runRegistryFor)(args, runner), args);
             case "cw_workbench_view":
@@ -516,6 +518,8 @@ function requiredArgsForTool(name) {
         return ["runId|olderThanDays"];
     if (name === "cw_gc_verify")
         return ["runId"];
+    if (name === "cw_telemetry_verify")
+        return ["runId"];
     if (name === "cw_queue_show")
         return ["id"];
     if (name.endsWith("_show")) {
@@ -1531,6 +1535,10 @@ function toolDefinitions() {
             scope: stringSchema("home (default, cross-repo) or repo"),
             runId: stringSchema("Run id to verify")
         }),
+        tool("cw_telemetry_verify", "Re-prove a run's telemetry attestation ledger offline: prevHash chain linkage + independent per-record hash recompute (never trusts the stored hash). A forged or edited record fails it. Peer of `cw telemetry verify`.", {
+            cwd: stringSchema("Repo workspace"),
+            runId: stringSchema("Run id to verify")
+        }),
         tool("cw_history", "Read a cross-repo unified run timeline (newest first), deterministic and paginated, with provenance links.", {
             cwd: stringSchema("Repo workspace"),
             scope: stringSchema("home (default, cross-repo) or repo"),

package/dist/telemetry-demo.js

@@ -0,0 +1,154 @@
+"use strict";
+// Tamper-evidence demo (the one-command proof) — make CW's central claim VISIBLE:
+// an audit record proves its own integrity, and ANYONE can re-verify it offline
+// with only the public key. No competitor's pipeline telemetry can do this.
+//
+// Fully hermetic + deterministic: generates an EPHEMERAL ed25519 keypair, builds
+// a REAL telemetry ledger through the production append API (appendTelemetryAttestation
+// + signTelemetry — byte-identical to what a live attested run writes), then
+// demonstrates BOTH tamper-evidence layers catching a forgery:
+//   A) LEDGER layer — flip a recorded verdict on disk (unattested -> attested, the
+//      canonical "forge a green record" attack) -> verifyTelemetryLedger recomputes
+//      every hash independently, so the edited record's hash mismatches AND every
+//      record after it breaks the chain (cascade).
+//   B) SIGNATURE layer — inflate the reported tokens but keep the original ed25519
+//      signature -> verifyTelemetryAttestation rejects it ("signature does not match").
+//
+// No model, no network, no API key, no second repo — runs in a private tmpdir.
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.formatTelemetryVerify = formatTelemetryVerify;
+exports.formatTamperDemo = formatTamperDemo;
+exports.runTamperDemo = runTamperDemo;
+const node_crypto_1 = __importDefault(require("node:crypto"));
+const node_fs_1 = __importDefault(require("node:fs"));
+const node_os_1 = __importDefault(require("node:os"));
+const node_path_1 = __importDefault(require("node:path"));
+const telemetry_ledger_1 = require("./telemetry-ledger");
+const telemetry_attestation_1 = require("./telemetry-attestation");
+const execution_backend_1 = require("./execution-backend");
+/** Human-facing render of `telemetry verify <run>`. */
+function formatTelemetryVerify(r) {
+    if (!r.present)
+        return `telemetry: run ${r.runId} has no attestation ledger (nothing to verify)`;
+    const head = r.verified ? `✓ VERIFIED — ${r.records} record(s), chain intact, every hash recomputed independently` : `✗ TAMPERING DETECTED — ${r.failedChecks.length} check(s) failed`;
+    const tally = `   attested ${r.attested} · unattested ${r.unattested} · absent ${r.absent}`;
+    const fails = r.failedChecks.length ? "\n" + r.failedChecks.map((c) => `   ✗ ${c.name}  ${c.code || ""}`).join("\n") : "";
+    return `telemetry verify ${r.runId}\n${head}\n${tally}${fails}`;
+}
+/** Human-facing render of `demo tamper` — the visible tamper-evidence proof. */
+function formatTamperDemo(r) {
+    const lines = [];
+    lines.push(`cw demo tamper — tamper-evidence proof (hermetic, ${r.trustKey} key)`);
+    lines.push("");
+    lines.push(`▶ Built an attested telemetry ledger: ${r.workers} hops, ${r.baseline.records} records`);
+    lines.push(`  ${r.baseline.ledgerVerified ? "✓" : "✗"} ledger verifies   ${r.baseline.signaturesValid} signed hop(s) verify against the public key`);
+    for (const l of r.layers) {
+        lines.push("");
+        lines.push(`▶ ${l.layer.toUpperCase()} tamper`);
+        lines.push(`  edit:   ${l.tamper}`);
+        lines.push(`  before: ${l.before.verified ? "✓ verified" : "✗"} — ${l.before.detail}`);
+        lines.push(`  after:  ${l.after.verified ? "✓ (UNDETECTED!)" : "✗ DETECTED"} — ${l.after.detail}`);
+    }
+    lines.push("");
+    lines.push(r.proven
+        ? "VERDICT: tamper-evidence holds ✓ — every forgery was caught offline, with only the public key. No server was trusted."
+        : "VERDICT: PROOF FAILED ✗ — a tamper went undetected. This is a regression in the integrity guarantee.");
+    return lines.join("\n");
+}
+// Three hops with a deliberate mix: two signed/attested, one unattested — so the
+// ledger-layer tamper can forge the unattested verdict into "attested" (the exact
+// threat the ledger exists to catch).
+const HOPS = [
+    { workerId: "w-map", taskId: "map:server-api", promptDigest: (0, execution_backend_1.sha256)("map:server-api"), usage: { input_tokens: 2117, output_tokens: 1911 }, attestation: "attested" },
+    { workerId: "w-assess", taskId: "assess:security", promptDigest: (0, execution_backend_1.sha256)("assess:security"), usage: { input_tokens: 1840, output_tokens: 1502 }, attestation: "unattested" },
+    { workerId: "w-verdict", taskId: "verdict:synthesis", promptDigest: (0, execution_backend_1.sha256)("verdict:synthesis"), usage: { input_tokens: 980, output_tokens: 770 }, attestation: "attested" }
+];
+const DEMO_NOW = "2026-01-01T00:00:00.000Z";
+function failingChecks(checks) {
+    return checks.filter((c) => !c.pass).map((c) => `${c.name}: ${c.code}`);
+}
+/** Run the full tamper-evidence demonstration in a private tmpdir (cleaned up
+ *  unless `keepDir` is set). Pure of clock/network; the only nondeterminism is
+ *  the ephemeral keypair, which never leaves this function. */
+function runTamperDemo(options = {}) {
+    const runDir = options.dir || node_fs_1.default.mkdtempSync(node_path_1.default.join(node_os_1.default.tmpdir(), "cw-tamper-demo-"));
+    node_fs_1.default.mkdirSync(runDir, { recursive: true });
+    const runId = "demo-tamper-run";
+    // Minimal run shape: the ledger API uses only id + paths.runDir.
+    const run = { id: runId, paths: { runDir } };
+    const { publicKey, privateKey } = node_crypto_1.default.generateKeyPairSync("ed25519");
+    const publicKeyPem = publicKey.export({ type: "spki", format: "pem" }).toString();
+    const privateKeyPem = privateKey.export({ type: "pkcs8", format: "pem" }).toString();
+    // 1. Build a REAL ledger through the production append API, signing each
+    //    attested hop's usage with the ephemeral key.
+    const signed = [];
+    for (const hop of HOPS) {
+        const ctx = { runId, taskId: hop.taskId, promptDigest: hop.promptDigest };
+        const signature = hop.attestation === "attested" ? (0, telemetry_attestation_1.signTelemetry)(hop.usage, privateKeyPem, ctx) : undefined;
+        (0, telemetry_ledger_1.appendTelemetryAttestation)(run, {
+            workerId: hop.workerId,
+            taskId: hop.taskId,
+            promptDigest: hop.promptDigest,
+            reportedUsage: hop.usage,
+            usageSignature: signature,
+            attestation: hop.attestation,
+            now: DEMO_NOW
+        });
+        signed.push({ hop, signature });
+    }
+    // 2. Baseline: the clean ledger verifies, and every signed hop's signature is valid.
+    const clean = (0, telemetry_ledger_1.verifyTelemetryLedger)(run);
+    const signaturesValid = signed.filter((s) => s.signature && (0, telemetry_attestation_1.verifyTelemetryAttestation)(s.hop.usage, s.signature, publicKeyPem, { runId, taskId: s.hop.taskId, promptDigest: s.hop.promptDigest }).status === "attested").length;
+    const baseline = { ledgerVerified: clean.verified, signaturesValid, records: clean.records.length };
+    const layers = [];
+    // 3a. LEDGER layer — the SOPHISTICATED forgery: flip record[1]'s verdict
+    //     "unattested" -> "attested" AND recompute its recordHash to cover the edit,
+    //     so the per-record digest check passes. The chain still catches it: record[2]
+    //     was linked to the ORIGINAL record[1] hash, so chain-link[2] now breaks. This
+    //     is the point of the chain over a flat per-record hash — fixing one record's
+    //     hash cannot be hidden without rewriting every record after it too.
+    const ledgerFile = (0, telemetry_ledger_1.telemetryLedgerPath)(run);
+    const ledgerJson = JSON.parse(node_fs_1.default.readFileSync(ledgerFile, "utf8"));
+    ledgerJson.records[1].attestation = "attested";
+    const { recordHash: _stale, ...rest1 } = ledgerJson.records[1];
+    ledgerJson.records[1].recordHash = (0, telemetry_ledger_1.computeRecordHash)(rest1); // attacker re-seals the local hash
+    node_fs_1.default.writeFileSync(ledgerFile, JSON.stringify(ledgerJson, null, 2));
+    const afterLedger = (0, telemetry_ledger_1.verifyTelemetryLedger)(run);
+    layers.push({
+        layer: "ledger",
+        tamper: `forged record[1] verdict "unattested" -> "attested" AND recomputed its recordHash to cover the edit`,
+        before: { verified: clean.verified, detail: `${clean.records.length} records: chain intact, all hashes recompute` },
+        after: { verified: afterLedger.verified, detail: `the hash chain caught it: ${failingChecks(afterLedger.checks).join(", ")}` },
+        failures: failingChecks(afterLedger.checks)
+    });
+    // 3b. SIGNATURE layer — inflate hop-0's reported output tokens, keep the original
+    //     signature. The ed25519 verify binds the exact usage bytes, so it rejects.
+    const target = signed[0];
+    const inflated = { ...target.hop.usage, output_tokens: target.hop.usage.output_tokens * 10 };
+    const sigCheck = (0, telemetry_attestation_1.verifyTelemetryAttestation)(inflated, target.signature, publicKeyPem, {
+        runId,
+        taskId: target.hop.taskId,
+        promptDigest: target.hop.promptDigest
+    });
+    const sigCleanCheck = (0, telemetry_attestation_1.verifyTelemetryAttestation)(target.hop.usage, target.signature, publicKeyPem, {
+        runId,
+        taskId: target.hop.taskId,
+        promptDigest: target.hop.promptDigest
+    });
+    layers.push({
+        layer: "signature",
+        tamper: `inflated record[0] reported output_tokens ${target.hop.usage.output_tokens} -> ${inflated.output_tokens}, reused the original ed25519 signature`,
+        before: { verified: sigCleanCheck.status === "attested", detail: `signature verifies against the reported usage (${sigCleanCheck.algorithm || "ed25519"})` },
+        after: { verified: sigCheck.status === "attested", detail: sigCheck.reason || sigCheck.status },
+        failures: sigCheck.status === "attested" ? [] : [`signature: ${sigCheck.reason}`]
+    });
+    if (!options.keepDir && !options.dir)
+        node_fs_1.default.rmSync(runDir, { recursive: true, force: true });
+    const proven = baseline.ledgerVerified &&
+        baseline.signaturesValid === signed.filter((s) => s.signature).length &&
+        layers.every((l) => l.before.verified && !l.after.verified && l.failures.length > 0);
+    return { schemaVersion: 1, runId, workers: HOPS.length, trustKey: "ephemeral-ed25519", baseline, layers, proven };
+}

package/dist/version.js

@@ -1,7 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.MIN_SUPPORTED_RUN_STATE_SCHEMA_VERSION = exports.LEGACY_RUN_STATE_SCHEMA_VERSION = exports.CURRENT_RUN_STATE_SCHEMA_VERSION = exports.WORKFLOW_APP_SCHEMA_VERSION = exports.CURRENT_COOL_WORKFLOW_VERSION = void 0;
-exports.CURRENT_COOL_WORKFLOW_VERSION = "0.1.78";
+exports.CURRENT_COOL_WORKFLOW_VERSION = "0.1.79";
 exports.WORKFLOW_APP_SCHEMA_VERSION = 1;
 exports.CURRENT_RUN_STATE_SCHEMA_VERSION = 1;
 exports.LEGACY_RUN_STATE_SCHEMA_VERSION = 0;

package/docs/agent-delegation-drive.7.md

@@ -188,3 +188,5 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
 0.1.77
 
 0.1.78
+
+0.1.79

package/docs/cli-mcp-parity.7.md

@@ -371,3 +371,5 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
 0.1.77
 
 0.1.78
+
+0.1.79

package/docs/contract-migration-tooling.7.md

@@ -121,3 +121,5 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
 0.1.77
 
 0.1.78
+
+0.1.79

package/docs/control-plane-scheduling.7.md

@@ -108,3 +108,5 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
 0.1.77
 
 0.1.78
+
+0.1.79

package/docs/durable-state-and-locking.7.md

@@ -105,3 +105,5 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
 0.1.77
 
 0.1.78
+
+0.1.79

package/docs/evidence-adoption-reasoning-chain.7.md

@@ -268,3 +268,5 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
 0.1.77
 
 0.1.78
+
+0.1.79

package/docs/execution-backends.7.md

@@ -298,3 +298,5 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
 0.1.77
 
 0.1.78
+
+0.1.79

package/docs/launch/launch-kit.md

@@ -0,0 +1,116 @@
+# Launch Kit — Cool Workflow
+
+Copy for announcing CW. The through-line is the one thing no other agent-pipeline
+tool ships: **you can prove the telemetry, offline, with only a public key.**
+Everything leads with the 30-second `npx cool-workflow demo tamper` proof.
+
+---
+
+## One-liner
+
+> Cool Workflow is an auditable control-plane for multi-agent workflows. It
+> *delegates* model execution — never embeds it — and makes every recorded agent
+> telemetry verdict tamper-evident: anyone can re-verify a run offline with only a
+> public key.
+
+## Elevator (2 sentences)
+
+> Most agent-pipeline tools log what the model reported and trust it. CW signs and
+> hash-chains every telemetry verdict, so a forged or edited record fails
+> verification — provably, offline — which is what "auditable" has to mean before
+> you let agents touch production work.
+
+---
+
+## Show HN
+
+**Title:**
+`Show HN: Cool Workflow – tamper-evident telemetry for agent pipelines (npx demo)`
+
+**Body:**
+
+> I kept seeing agent-orchestration tools treat the model's self-reported token
+> usage and results as ground truth. For anything auditable that's backwards — a
+> control-plane that trusts unverified self-reports audits *claims*, not facts, and
+> a forged "green" run looks identical to a real one.
+>
+> Cool Workflow is a small, zero-dependency CLI + MCP runtime that takes the
+> opposite stance. It **delegates** model execution to whatever agent you configure
+> (`claude -p`, `codex exec`, an HTTP endpoint) and never embeds a model SDK or
+> holds an API key. What it *does* own is the audit trail: each agent hop's reported
+> usage is signed (ed25519) and appended to a hash-chained ledger, so editing any
+> record — or even recomputing its local hash to cover the edit — breaks the chain
+> downstream. You can re-verify a finished run with only the public key, no network,
+> no trusted server.
+>
+> The 30-second proof, no install:
+>
+> ```
+> npx cool-workflow demo tamper
+> ```
+>
+> It builds a real signed ledger, forges it two ways (flip a verdict + re-seal its
+> hash; inflate reported tokens + reuse the signature), and shows both forgeries
+> caught offline. On a real run, `cw telemetry verify <run>` does the same against
+> what's on disk.
+>
+> Other things it does: concurrent `parallel()` phases with declared collapse
+> semantics (collect-all + kill-on-timeout — 16 agents with a forced hang/crash/
+> dirty-return finish without deadlock and replay "who passed/who failed"), per-task
+> output-schema gates, token budgets enforced against attested usage, and a one-way
+> executor boundary welded into the type system (a callable that could reach a model
+> API fails `npm run build`).
+>
+> Runs anywhere Node runs; `dist/` is committed; BSD-2. It's early (v0.1.79) and I'd
+> genuinely like to hear where the "delegate, prove, replay" model breaks down for
+> your workflows.
+>
+> Repo: https://github.com/coo1white/cool-workflow
+> npm: https://www.npmjs.com/package/cool-workflow
+
+---
+
+## Short post / tweet thread
+
+1/ Your agent pipeline trusts what the model *says* it did. Cool Workflow proves
+it instead. `npx cool-workflow demo tamper` — 30s, no install:
+
+2/ It builds a real ed25519-signed telemetry ledger, forges it two ways, and
+catches both offline with only the public key. A control-plane that delegates
+model execution but can still prove the bill is real.
+
+3/ Also: concurrent batches that don't deadlock when an agent hangs, schema-gated
+outputs, token budgets vs *attested* usage, and a red line (never call a model
+API) enforced at compile time. Zero deps, BSD-2.
+→ https://github.com/coo1white/cool-workflow
+
+---
+
+## Why this matters (the wedge, for a longer post)
+
+- **Separation of duties.** CW never runs the model, yet can verify the executor's
+  reported usage. The thing that *spends the money* is not the thing that *keeps
+  the books* — the property auditors require everywhere except, so far, agent
+  infra.
+- **Offline, public-key verification.** No telemetry service to trust or breach.
+  The record proves its own integrity; the verifier needs only the public key.
+- **Replayable, not just logged.** CW breaks at dispatch and writes to disk, so a
+  run replays deterministically — "who passed / who failed" is reconstructable, not
+  a scrollback of a fused process.
+- **Fail-closed by default where it counts.** Schema mismatch parks the hop;
+  unverifiable usage can be refused (opt-in); an empty-capture result can't be
+  presented as a clean commit.
+
+## Assets to capture before posting
+
+- [ ] A terminal GIF of `npx cool-workflow demo tamper` (the ✗ DETECTED lines are
+      the hook) for the README top and the HN/tweet.
+- [ ] Confirm `npx cool-workflow demo tamper` works from a clean machine (no clone).
+- [ ] Pin the npm version badge / release in the first comment.
+
+## Channels
+
+Hacker News (Show HN), the MCP / agent-tooling communities, r/LocalLLaMA &
+r/MachineLearning (the offline-verification angle), and the npm listing itself
+(keywords already set). Lead every one with the demo command, not the feature
+list.

package/docs/multi-agent-cli-mcp-surface.7.md

@@ -263,3 +263,5 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
 0.1.77
 
 0.1.78
+
+0.1.79

package/docs/multi-agent-eval-replay-harness.7.md

@@ -300,3 +300,5 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
 0.1.77
 
 0.1.78
+
+0.1.79

package/docs/multi-agent-operator-ux.7.md

@@ -312,3 +312,5 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
 0.1.77
 
 0.1.78
+
+0.1.79

package/docs/node-snapshot-diff-replay.7.md

@@ -133,3 +133,5 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
 0.1.77
 
 0.1.78
+
+0.1.79

package/docs/observability-cost-accounting.7.md

@@ -192,3 +192,5 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
 0.1.77
 
 0.1.78
+
+0.1.79

package/docs/project-index.md

@@ -5,11 +5,11 @@ Generated from the current repository code on 2026-06-11 by `npm run sync:projec
 ## Snapshot
 
 - Package: `cool-workflow`
-- Version: `0.1.78`
-- Source modules: `57`
+- Version: `0.1.79`
+- Source modules: `58`
 - Workflow apps: `6`
 - Docs: `46`
-- Smoke tests: `68`
+- Smoke tests: `69`
 - Repository: https://github.com/coo1white/cool-workflow
 
 ## Architecture
@@ -105,6 +105,7 @@ multi-agent host -> topology -> blackboard/coordinator
 - [state-explosion.ts](../src/state-explosion.ts)
 - [state-migrations.ts](../src/state-migrations.ts)
 - [telemetry-attestation.ts](../src/telemetry-attestation.ts)
+- [telemetry-demo.ts](../src/telemetry-demo.ts)
 - [telemetry-ledger.ts](../src/telemetry-ledger.ts)
 - [verifier-registry.ts](../src/verifier-registry.ts)
 - [workbench-host.ts](../src/workbench-host.ts)
@@ -230,6 +231,7 @@ Smoke tests mirror the public contracts. The high-signal suites are:
 - [self-audit-hardening-smoke.js](../test/self-audit-hardening-smoke.js)
 - [state-explosion-management-smoke.js](../test/state-explosion-management-smoke.js)
 - [state-node-smoke.js](../test/state-node-smoke.js)
+- [tamper-evidence-demo-smoke.js](../test/tamper-evidence-demo-smoke.js)
 - [team-collaboration-smoke.js](../test/team-collaboration-smoke.js)
 - [telemetry-attest-wrap-smoke.js](../test/telemetry-attest-wrap-smoke.js)
 - [telemetry-attestation-smoke.js](../test/telemetry-attestation-smoke.js)

package/docs/real-execution-backends.7.md

@@ -140,3 +140,5 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
 0.1.77
 
 0.1.78
+
+0.1.79

package/docs/release-and-migration.7.md

@@ -278,3 +278,5 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
 0.1.77
 
 0.1.78
+
+0.1.79

package/docs/release-tooling.7.md

@@ -157,3 +157,5 @@ also get generated MCP manifests (`.gemini-plugin/`, `.opencode-plugin/`) so the
 0.1.76
 
 0.1.78
+
+0.1.79

package/docs/run-registry-control-plane.7.md

@@ -310,3 +310,5 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
 0.1.77
 
 0.1.78
+
+0.1.79

package/docs/run-retention-reclamation.7.md

@@ -189,3 +189,5 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
 0.1.77
 
 0.1.78
+
+0.1.79

package/docs/state-explosion-management.7.md

@@ -262,3 +262,5 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
 0.1.77
 
 0.1.78
+
+0.1.79

package/docs/team-collaboration.7.md

@@ -205,3 +205,5 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
 0.1.77
 
 0.1.78
+
+0.1.79

package/docs/web-desktop-workbench.7.md

@@ -213,3 +213,5 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
 0.1.77
 
 0.1.78
+
+0.1.79

package/manifest/plugin.manifest.json

@@ -2,7 +2,7 @@
   "_comment": "SINGLE SOURCE OF TRUTH for every vendor manifest. Edit THIS file, then run `npm run gen:manifests`. Do NOT hand-edit the generated vendor manifests (.claude-plugin/, .codex-plugin/, .agents/, .mcp.json) — `npm run gen:manifests -- --check` (run by release:check) will fail if they drift from this source.",
   "identity": {
     "name": "cool-workflow",
-    "version": "0.1.78",
+    "version": "0.1.79",
     "license": "BSD-2-Clause",
     "homepage": "https://github.com/coo1white/cool-workflow",
     "author": {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cool-workflow",
-  "version": "0.1.78",
+  "version": "0.1.79",
   "bin": {
     "cool-workflow": "scripts/cw.js",
     "cw": "scripts/cw.js"

package/scripts/canonical-apps.js

@@ -65,7 +65,7 @@ const canonicalApps = [
       "--source",
       "plugins/cool-workflow/docs/workflow-app-framework.7.md",
       "--scope",
-      "Cool Workflow v0.1.78",
+      "Cool Workflow v0.1.79",
       "--freshness",
       "as of release preparation"
     ]
@@ -85,14 +85,14 @@ function main() {
     assert.ok(summary, `${app.id} must appear in app list`);
     assert.equal(summary.sourceKind, "app-directory");
     assert.equal(summary.legacy, false);
-    assert.equal(summary.version, "0.1.78");
+    assert.equal(summary.version, "0.1.79");
 
     const validation = runJson(["app", "validate", manifestPath]);
     assert.equal(validation.valid, true, `${app.id} manifest must validate`);
 
     const shown = runJson(["app", "show", app.id]);
     assert.equal(shown.app.id, app.id);
-    assert.equal(shown.app.version, "0.1.78");
+    assert.equal(shown.app.version, "0.1.79");
     assert.ok(shown.app.metadata.canonical, `${app.id} must be marked canonical`);
     assert.ok(shown.app.sandboxProfiles.length > 0, `${app.id} must declare sandbox profiles`);
     assertTaskIdsUnique(shown);
@@ -103,7 +103,7 @@ function main() {
     const plan = runJson(["plan", app.id, ...app.args(workspace)]);
     const state = JSON.parse(fs.readFileSync(plan.statePath, "utf8"));
     assert.equal(state.workflow.app.id, app.id);
-    assert.equal(state.workflow.app.version, "0.1.78");
+    assert.equal(state.workflow.app.version, "0.1.79");
     assert.equal(state.workflow.app.metadata.canonical, true);
     assert.ok(state.tasks.some((task) => task.requiresEvidence), `${app.id} plan must include evidence gates`);
     assert.ok(state.tasks.every((task) => task.sandboxProfileId), `${app.id} plan must include sandbox hints`);

package/scripts/dogfood-release.js

@@ -5,7 +5,7 @@ const { spawnSync } = require("node:child_process");
 const fs = require("node:fs");
 const path = require("node:path");
 
-const TARGET_VERSION = "0.1.78";
+const TARGET_VERSION = "0.1.79";
 const PREVIOUS_VERSION = "0.1.31";
 const pluginRoot = path.resolve(__dirname, "..");
 const repoRoot = path.resolve(pluginRoot, "..", "..");

package/scripts/golden-path.js

@@ -33,7 +33,7 @@ function main() {
     const appValidation = runJson(["app", "validate", "end-to-end-golden-path"], pluginRoot);
     assert.equal(appValidation.valid, true);
     assert.equal(appValidation.summary.id, "end-to-end-golden-path");
-    assert.equal(appValidation.summary.version, "0.1.78");
+    assert.equal(appValidation.summary.version, "0.1.79");
 
     const plan = runJson(
       [
@@ -42,7 +42,7 @@ function main() {
         "--repo",
         tmp,
         "--question",
-        "Prove the deterministic v0.1.78 end-to-end golden path."
+        "Prove the deterministic v0.1.79 end-to-end golden path."
       ],
       pluginRoot
     );
@@ -52,7 +52,7 @@ function main() {
 
     let state = readJson(plan.statePath);
     assert.equal(state.workflow.app.id, "end-to-end-golden-path");
-    assert.equal(state.workflow.app.version, "0.1.78");
+    assert.equal(state.workflow.app.version, "0.1.79");
     assert.equal(state.loopStage, "interpret");
 
     const dispatch = runJson(["dispatch", plan.runId, "--limit", "1", "--sandbox", "readonly"], tmp);
@@ -195,7 +195,7 @@ function main() {
     assert.equal(reportPath, plan.reportPath);
     assert.ok(fs.existsSync(reportPath));
     const report = fs.readFileSync(reportPath, "utf8");
-    assert.match(report, /Workflow App: end-to-end-golden-path@0\.1\.78/);
+    assert.match(report, /Workflow App: end-to-end-golden-path@0\.1\.79/);
     assert.match(report, /## Candidates/);
     assert.match(report, /## Trust Audit/);
     assert.match(report, /## Acceptance Rationale/);