cool-workflow 0.1.78 → 0.1.80

package/dist/state-explosion.js

@@ -48,13 +48,55 @@ exports.GRAPH_VIEWS = [
     "candidate",
     "commit-gate"
 ];
+function createStateExplosionBuildContext() {
+    return {
+        stateSizes: new Map(),
+        blackboardDigests: new Map(),
+        graphRecords: new Map()
+    };
+}
+function fullGraphFor(run, context) {
+    if (!context.fullGraph)
+        context.fullGraph = (0, multi_agent_operator_ux_1.buildMultiAgentOperatorGraph)(run);
+    return context.fullGraph;
+}
+function operatorFor(run, context) {
+    if (!context.operator)
+        context.operator = (0, multi_agent_operator_ux_1.summarizeMultiAgentOperator)(run);
+    return context.operator;
+}
+function reasoningCriticalIdsFor(run, context) {
+    if (!context.reasoningCriticalIds)
+        context.reasoningCriticalIds = (0, evidence_reasoning_1.reasoningCriticalNodeIds)(run, operatorFor(run, context));
+    return context.reasoningCriticalIds;
+}
+function thresholdsKey(thresholds) {
+    return [
+        thresholds.graphNodes,
+        thresholds.graphEdges,
+        thresholds.blackboardMessages,
+        thresholds.blackboardRecords,
+        thresholds.collapseBucket,
+        thresholds.totalRecords
+    ].join(":");
+}
+function graphKey(view, options) {
+    return [
+        view,
+        options.focus || "",
+        options.depth === undefined ? "" : String(options.depth),
+        thresholdsKey(options.thresholds || exports.DEFAULT_STATE_EXPLOSION_THRESHOLDS)
+    ].join("\0");
+}
 // ---------------------------------------------------------------------------
 // State size
 // ---------------------------------------------------------------------------
 function computeStateSize(run, thresholds = exports.DEFAULT_STATE_EXPLOSION_THRESHOLDS) {
+    return computeStateSizeWithGraph(run, thresholds, (0, multi_agent_operator_ux_1.buildMultiAgentOperatorGraph)(run));
+}
+function computeStateSizeWithGraph(run, thresholds, graph) {
     const ma = run.multiAgent || { runs: [], roles: [], groups: [], memberships: [], fanouts: [], fanins: [] };
     const bb = run.blackboard || { topics: [], messages: [], contexts: [], artifacts: [], snapshots: [], decisions: [] };
-    const graph = (0, multi_agent_operator_ux_1.buildMultiAgentOperatorGraph)(run);
     const counts = {
         multiAgentRuns: (ma.runs || []).length,
         roles: (ma.roles || []).length,
@@ -97,6 +139,15 @@ function computeStateSize(run, thresholds = exports.DEFAULT_STATE_EXPLOSION_THRE
         reasons.push(`run has ${total} multi-agent records (> ${thresholds.totalRecords})`);
     return { ...counts, total, compactionRecommended: reasons.length > 0, reasons: reasons.sort() };
 }
+function stateSizeFor(run, thresholds, context) {
+    const key = thresholdsKey(thresholds);
+    let size = context.stateSizes.get(key);
+    if (!size) {
+        size = computeStateSizeWithGraph(run, thresholds, fullGraphFor(run, context));
+        context.stateSizes.set(key, size);
+    }
+    return size;
+}
 // ---------------------------------------------------------------------------
 // Blackboard digest (deterministic structural summary)
 // ---------------------------------------------------------------------------
@@ -310,10 +361,26 @@ function summarizeBlackboardDigest(run, blackboardId) {
         highSignal
     };
 }
+function blackboardDigestFor(run, context, blackboardId) {
+    const key = blackboardId || "";
+    let digest = context.blackboardDigests.get(key);
+    if (!digest) {
+        digest = summarizeBlackboardDigest(run, blackboardId);
+        context.blackboardDigests.set(key, digest);
+    }
+    return digest;
+}
 function buildCompactGraph(run, view = "compact", options = {}) {
+    return buildCompactGraphWithContext(run, view, options, createStateExplosionBuildContext());
+}
+function buildCompactGraphWithContext(run, view, options, context) {
     const thresholds = options.thresholds || exports.DEFAULT_STATE_EXPLOSION_THRESHOLDS;
-    const full = (0, multi_agent_operator_ux_1.buildMultiAgentOperatorGraph)(run);
-    const operator = (0, multi_agent_operator_ux_1.summarizeMultiAgentOperator)(run);
+    const key = graphKey(view, { ...options, thresholds });
+    const cached = context.graphRecords.get(key);
+    if (cached)
+        return cached;
+    const full = fullGraphFor(run, context);
+    const operator = operatorFor(run, context);
     const critical = criticalPathNodeIds(run, operator);
     const protectedIds = new Set(critical);
     // Failures, blocked, rejected, conflicting nodes are always preserved.
@@ -324,7 +391,7 @@ function buildCompactGraph(run, view = "compact", options = {}) {
     // v0.1.26: reasoning steps are on the critical path and must never be collapsed
     // into a synthetic summary node — protect every decision-gate node backing an
     // adopted reasoning chain (notably score nodes, which are otherwise collapsed).
-    for (const id of (0, evidence_reasoning_1.reasoningCriticalNodeIds)(run))
+    for (const id of reasoningCriticalIdsFor(run, context))
         protectedIds.add(id);
     for (const failure of operator.failures) {
         if (failure.linked)
@@ -349,13 +416,15 @@ function buildCompactGraph(run, view = "compact", options = {}) {
     const collapseEnabled = view === "compact" || view === "critical-path" || Boolean(options.focus);
     if (view === "full" || !collapseEnabled) {
         // No collapse: emit scoped graph verbatim (still records provenance + critical path).
-        return finalizeGraphRecord(run, view, options, full, {
+        const record = finalizeGraphRecord(run, view, options, full, {
             nodes: scopeNodes.map((node) => ({ ...node })),
             edges: scopeEdges.map((edge) => ({ ...edge })),
             syntheticNodes: [],
             critical,
             operator
         });
+        context.graphRecords.set(key, record);
+        return record;
     }
     // Determine collapse buckets per node.
     const rule = collapseRuleFor(view);
@@ -436,13 +505,15 @@ function buildCompactGraph(run, view = "compact", options = {}) {
         edgeSeen.add(key);
         edges.push({ from, to, label: edge.label });
     }
-    return finalizeGraphRecord(run, view, options, full, {
+    const record = finalizeGraphRecord(run, view, options, full, {
         nodes: nodes.sort((a, b) => a.kind.localeCompare(b.kind) || a.id.localeCompare(b.id)),
         edges: edges.sort((a, b) => a.from.localeCompare(b.from) || a.to.localeCompare(b.to) || (a.label || "").localeCompare(b.label || "")),
         syntheticNodes: synthetic.sort((a, b) => a.id.localeCompare(b.id)),
         critical,
         operator
     });
+    context.graphRecords.set(key, record);
+    return record;
 }
 function finalizeGraphRecord(run, view, options, full, built) {
     const collapsedNodeCount = built.syntheticNodes.reduce((acc, syn) => acc + syn.collapsedNodeCount, 0);
@@ -671,10 +742,13 @@ function expansionCommandFor(run, view, key) {
 // Operator digest
 // ---------------------------------------------------------------------------
 function buildOperatorDigest(run, thresholds = exports.DEFAULT_STATE_EXPLOSION_THRESHOLDS) {
-    const stateSize = computeStateSize(run, thresholds);
-    const operator = (0, multi_agent_operator_ux_1.summarizeMultiAgentOperator)(run);
-    const compact = buildCompactGraph(run, "compact", { thresholds });
-    const blackboard = summarizeBlackboardDigest(run);
+    return buildOperatorDigestWithContext(run, thresholds, createStateExplosionBuildContext());
+}
+function buildOperatorDigestWithContext(run, thresholds, context) {
+    const stateSize = stateSizeFor(run, thresholds, context);
+    const operator = operatorFor(run, context);
+    const compact = buildCompactGraphWithContext(run, "compact", { thresholds }, context);
+    const blackboard = blackboardDigestFor(run, context);
     const evidence = operator.evidence;
     const adopted = evidence.filter((e) => e.status === "adopted");
     const missing = evidence.filter((e) => e.status === "missing" || e.status === "pending" || e.status === "conflicting");
@@ -753,12 +827,15 @@ function buildOperatorDigest(run, thresholds = exports.DEFAULT_STATE_EXPLOSION_T
 // State explosion report (combines all derived indexes)
 // ---------------------------------------------------------------------------
 function buildStateExplosionReport(run, options = {}) {
+    return buildStateExplosionReportWithContext(run, options, createStateExplosionBuildContext());
+}
+function buildStateExplosionReportWithContext(run, options, context) {
     const thresholds = options.thresholds || exports.DEFAULT_STATE_EXPLOSION_THRESHOLDS;
-    const stateSize = computeStateSize(run, thresholds);
-    const compactGraph = buildCompactGraph(run, "compact", { thresholds });
-    const criticalPathGraph = buildCompactGraph(run, "critical-path", { thresholds });
-    const blackboardDigest = summarizeBlackboardDigest(run);
-    const operatorDigest = buildOperatorDigest(run, thresholds);
+    const stateSize = stateSizeFor(run, thresholds, context);
+    const compactGraph = buildCompactGraphWithContext(run, "compact", { thresholds }, context);
+    const criticalPathGraph = buildCompactGraphWithContext(run, "critical-path", { thresholds }, context);
+    const blackboardDigest = blackboardDigestFor(run, context);
+    const operatorDigest = buildOperatorDigestWithContext(run, thresholds, context);
     const currentFingerprint = fingerprintStrings([
         compactGraph.sourceFingerprint,
         blackboardDigest.sourceFingerprint,
@@ -837,12 +914,13 @@ function summariesDir(run) {
 }
 function refreshStateExplosionSummaries(run, options = {}) {
     const thresholds = options.thresholds || exports.DEFAULT_STATE_EXPLOSION_THRESHOLDS;
+    const context = createStateExplosionBuildContext();
     const dir = summariesDir(run);
     node_fs_1.default.mkdirSync(dir, { recursive: true });
     const views = options.views || ["full", "compact", "critical-path", "failures", "evidence", "trust", "topology", "blackboard", "candidate", "commit-gate"];
-    const blackboardDigest = summarizeBlackboardDigest(run);
-    const operatorDigest = buildOperatorDigest(run, thresholds);
-    const graphRecords = views.map((view) => buildCompactGraph(run, view, { thresholds }));
+    const blackboardDigest = blackboardDigestFor(run, context);
+    const operatorDigest = buildOperatorDigestWithContext(run, thresholds, context);
+    const graphRecords = views.map((view) => buildCompactGraphWithContext(run, view, { thresholds }, context));
     const entries = [];
     const writeRecord = (id, record, scope, fingerprint, included, omitted) => {
         const file = node_path_1.default.join(dir, `${(0, state_1.safeFileName)(id)}.json`);
@@ -854,13 +932,14 @@ function refreshStateExplosionSummaries(run, options = {}) {
     for (const record of graphRecords) {
         writeRecord(record.id, record, "run", record.sourceFingerprint, record.compactNodeCount, record.collapsedNodeCount);
     }
-    const stateSize = computeStateSize(run, thresholds);
+    const stateSize = stateSizeFor(run, thresholds, context);
     const indexFingerprint = fingerprintStrings([
         operatorDigest.sourceFingerprint,
         blackboardDigest.sourceFingerprint,
         ...graphRecords.map((r) => r.sourceFingerprint),
         String(stateSize.total)
     ]);
+    const compactGraph = buildCompactGraphWithContext(run, "compact", { thresholds }, context);
     const reportPath = node_path_1.default.join(dir, "state-explosion-report.json");
     const index = {
         schemaVersion: exports.STATE_EXPLOSION_SCHEMA_VERSION,
@@ -869,7 +948,7 @@ function refreshStateExplosionSummaries(run, options = {}) {
         scope: "run",
         sourceRecordIds: unique([...blackboardDigest.sourceRecordIds, ...operatorDigest.sourceRecordIds]),
         sourceFingerprint: fingerprintStrings([
-            buildCompactGraph(run, "compact", { thresholds }).sourceFingerprint,
+            compactGraph.sourceFingerprint,
             blackboardDigest.sourceFingerprint,
             operatorDigest.sourceFingerprint,
             String(stateSize.total)
@@ -893,7 +972,7 @@ function refreshStateExplosionSummaries(run, options = {}) {
     };
     void indexFingerprint;
     (0, state_1.writeJson)(index.paths.indexPath, index);
-    const report = buildStateExplosionReport(run, { thresholds, index });
+    const report = buildStateExplosionReportWithContext(run, { thresholds, index }, context);
     (0, state_1.writeJson)(reportPath, report);
     (0, trust_audit_1.recordTrustAuditEvent)(run, {
         kind: "summary.refresh",

package/dist/telemetry-demo.js

@@ -0,0 +1,154 @@
+"use strict";
+// Tamper-evidence demo (the one-command proof) — make CW's central claim VISIBLE:
+// an audit record proves its own integrity, and ANYONE can re-verify it offline
+// with only the public key. No competitor's pipeline telemetry can do this.
+//
+// Fully hermetic + deterministic: generates an EPHEMERAL ed25519 keypair, builds
+// a REAL telemetry ledger through the production append API (appendTelemetryAttestation
+// + signTelemetry — byte-identical to what a live attested run writes), then
+// demonstrates BOTH tamper-evidence layers catching a forgery:
+//   A) LEDGER layer — flip a recorded verdict on disk (unattested -> attested, the
+//      canonical "forge a green record" attack) -> verifyTelemetryLedger recomputes
+//      every hash independently, so the edited record's hash mismatches AND every
+//      record after it breaks the chain (cascade).
+//   B) SIGNATURE layer — inflate the reported tokens but keep the original ed25519
+//      signature -> verifyTelemetryAttestation rejects it ("signature does not match").
+//
+// No model, no network, no API key, no second repo — runs in a private tmpdir.
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.formatTelemetryVerify = formatTelemetryVerify;
+exports.formatTamperDemo = formatTamperDemo;
+exports.runTamperDemo = runTamperDemo;
+const node_crypto_1 = __importDefault(require("node:crypto"));
+const node_fs_1 = __importDefault(require("node:fs"));
+const node_os_1 = __importDefault(require("node:os"));
+const node_path_1 = __importDefault(require("node:path"));
+const telemetry_ledger_1 = require("./telemetry-ledger");
+const telemetry_attestation_1 = require("./telemetry-attestation");
+const execution_backend_1 = require("./execution-backend");
+/** Human-facing render of `telemetry verify <run>`. */
+function formatTelemetryVerify(r) {
+    if (!r.present)
+        return `telemetry: run ${r.runId} has no attestation ledger (nothing to verify)`;
+    const head = r.verified ? `✓ VERIFIED — ${r.records} record(s), chain intact, every hash recomputed independently` : `✗ TAMPERING DETECTED — ${r.failedChecks.length} check(s) failed`;
+    const tally = `   attested ${r.attested} · unattested ${r.unattested} · absent ${r.absent}`;
+    const fails = r.failedChecks.length ? "\n" + r.failedChecks.map((c) => `   ✗ ${c.name}  ${c.code || ""}`).join("\n") : "";
+    return `telemetry verify ${r.runId}\n${head}\n${tally}${fails}`;
+}
+/** Human-facing render of `demo tamper` — the visible tamper-evidence proof. */
+function formatTamperDemo(r) {
+    const lines = [];
+    lines.push(`cw demo tamper — tamper-evidence proof (hermetic, ${r.trustKey} key)`);
+    lines.push("");
+    lines.push(`▶ Built an attested telemetry ledger: ${r.workers} hops, ${r.baseline.records} records`);
+    lines.push(`  ${r.baseline.ledgerVerified ? "✓" : "✗"} ledger verifies   ${r.baseline.signaturesValid} signed hop(s) verify against the public key`);
+    for (const l of r.layers) {
+        lines.push("");
+        lines.push(`▶ ${l.layer.toUpperCase()} tamper`);
+        lines.push(`  edit:   ${l.tamper}`);
+        lines.push(`  before: ${l.before.verified ? "✓ verified" : "✗"} — ${l.before.detail}`);
+        lines.push(`  after:  ${l.after.verified ? "✓ (UNDETECTED!)" : "✗ DETECTED"} — ${l.after.detail}`);
+    }
+    lines.push("");
+    lines.push(r.proven
+        ? "VERDICT: tamper-evidence holds ✓ — every forgery was caught offline, with only the public key. No server was trusted."
+        : "VERDICT: PROOF FAILED ✗ — a tamper went undetected. This is a regression in the integrity guarantee.");
+    return lines.join("\n");
+}
+// Three hops with a deliberate mix: two signed/attested, one unattested — so the
+// ledger-layer tamper can forge the unattested verdict into "attested" (the exact
+// threat the ledger exists to catch).
+const HOPS = [
+    { workerId: "w-map", taskId: "map:server-api", promptDigest: (0, execution_backend_1.sha256)("map:server-api"), usage: { input_tokens: 2117, output_tokens: 1911 }, attestation: "attested" },
+    { workerId: "w-assess", taskId: "assess:security", promptDigest: (0, execution_backend_1.sha256)("assess:security"), usage: { input_tokens: 1840, output_tokens: 1502 }, attestation: "unattested" },
+    { workerId: "w-verdict", taskId: "verdict:synthesis", promptDigest: (0, execution_backend_1.sha256)("verdict:synthesis"), usage: { input_tokens: 980, output_tokens: 770 }, attestation: "attested" }
+];
+const DEMO_NOW = "2026-01-01T00:00:00.000Z";
+function failingChecks(checks) {
+    return checks.filter((c) => !c.pass).map((c) => `${c.name}: ${c.code}`);
+}
+/** Run the full tamper-evidence demonstration in a private tmpdir (cleaned up
+ *  unless `keepDir` is set). Pure of clock/network; the only nondeterminism is
+ *  the ephemeral keypair, which never leaves this function. */
+function runTamperDemo(options = {}) {
+    const runDir = options.dir || node_fs_1.default.mkdtempSync(node_path_1.default.join(node_os_1.default.tmpdir(), "cw-tamper-demo-"));
+    node_fs_1.default.mkdirSync(runDir, { recursive: true });
+    const runId = "demo-tamper-run";
+    // Minimal run shape: the ledger API uses only id + paths.runDir.
+    const run = { id: runId, paths: { runDir } };
+    const { publicKey, privateKey } = node_crypto_1.default.generateKeyPairSync("ed25519");
+    const publicKeyPem = publicKey.export({ type: "spki", format: "pem" }).toString();
+    const privateKeyPem = privateKey.export({ type: "pkcs8", format: "pem" }).toString();
+    // 1. Build a REAL ledger through the production append API, signing each
+    //    attested hop's usage with the ephemeral key.
+    const signed = [];
+    for (const hop of HOPS) {
+        const ctx = { runId, taskId: hop.taskId, promptDigest: hop.promptDigest };
+        const signature = hop.attestation === "attested" ? (0, telemetry_attestation_1.signTelemetry)(hop.usage, privateKeyPem, ctx) : undefined;
+        (0, telemetry_ledger_1.appendTelemetryAttestation)(run, {
+            workerId: hop.workerId,
+            taskId: hop.taskId,
+            promptDigest: hop.promptDigest,
+            reportedUsage: hop.usage,
+            usageSignature: signature,
+            attestation: hop.attestation,
+            now: DEMO_NOW
+        });
+        signed.push({ hop, signature });
+    }
+    // 2. Baseline: the clean ledger verifies, and every signed hop's signature is valid.
+    const clean = (0, telemetry_ledger_1.verifyTelemetryLedger)(run);
+    const signaturesValid = signed.filter((s) => s.signature && (0, telemetry_attestation_1.verifyTelemetryAttestation)(s.hop.usage, s.signature, publicKeyPem, { runId, taskId: s.hop.taskId, promptDigest: s.hop.promptDigest }).status === "attested").length;
+    const baseline = { ledgerVerified: clean.verified, signaturesValid, records: clean.records.length };
+    const layers = [];
+    // 3a. LEDGER layer — the SOPHISTICATED forgery: flip record[1]'s verdict
+    //     "unattested" -> "attested" AND recompute its recordHash to cover the edit,
+    //     so the per-record digest check passes. The chain still catches it: record[2]
+    //     was linked to the ORIGINAL record[1] hash, so chain-link[2] now breaks. This
+    //     is the point of the chain over a flat per-record hash — fixing one record's
+    //     hash cannot be hidden without rewriting every record after it too.
+    const ledgerFile = (0, telemetry_ledger_1.telemetryLedgerPath)(run);
+    const ledgerJson = JSON.parse(node_fs_1.default.readFileSync(ledgerFile, "utf8"));
+    ledgerJson.records[1].attestation = "attested";
+    const { recordHash: _stale, ...rest1 } = ledgerJson.records[1];
+    ledgerJson.records[1].recordHash = (0, telemetry_ledger_1.computeRecordHash)(rest1); // attacker re-seals the local hash
+    node_fs_1.default.writeFileSync(ledgerFile, JSON.stringify(ledgerJson, null, 2));
+    const afterLedger = (0, telemetry_ledger_1.verifyTelemetryLedger)(run);
+    layers.push({
+        layer: "ledger",
+        tamper: `forged record[1] verdict "unattested" -> "attested" AND recomputed its recordHash to cover the edit`,
+        before: { verified: clean.verified, detail: `${clean.records.length} records: chain intact, all hashes recompute` },
+        after: { verified: afterLedger.verified, detail: `the hash chain caught it: ${failingChecks(afterLedger.checks).join(", ")}` },
+        failures: failingChecks(afterLedger.checks)
+    });
+    // 3b. SIGNATURE layer — inflate hop-0's reported output tokens, keep the original
+    //     signature. The ed25519 verify binds the exact usage bytes, so it rejects.
+    const target = signed[0];
+    const inflated = { ...target.hop.usage, output_tokens: target.hop.usage.output_tokens * 10 };
+    const sigCheck = (0, telemetry_attestation_1.verifyTelemetryAttestation)(inflated, target.signature, publicKeyPem, {
+        runId,
+        taskId: target.hop.taskId,
+        promptDigest: target.hop.promptDigest
+    });
+    const sigCleanCheck = (0, telemetry_attestation_1.verifyTelemetryAttestation)(target.hop.usage, target.signature, publicKeyPem, {
+        runId,
+        taskId: target.hop.taskId,
+        promptDigest: target.hop.promptDigest
+    });
+    layers.push({
+        layer: "signature",
+        tamper: `inflated record[0] reported output_tokens ${target.hop.usage.output_tokens} -> ${inflated.output_tokens}, reused the original ed25519 signature`,
+        before: { verified: sigCleanCheck.status === "attested", detail: `signature verifies against the reported usage (${sigCleanCheck.algorithm || "ed25519"})` },
+        after: { verified: sigCheck.status === "attested", detail: sigCheck.reason || sigCheck.status },
+        failures: sigCheck.status === "attested" ? [] : [`signature: ${sigCheck.reason}`]
+    });
+    if (!options.keepDir && !options.dir)
+        node_fs_1.default.rmSync(runDir, { recursive: true, force: true });
+    const proven = baseline.ledgerVerified &&
+        baseline.signaturesValid === signed.filter((s) => s.signature).length &&
+        layers.every((l) => l.before.verified && !l.after.verified && l.failures.length > 0);
+    return { schemaVersion: 1, runId, workers: HOPS.length, trustKey: "ephemeral-ed25519", baseline, layers, proven };
+}

package/dist/version.js

@@ -1,7 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.MIN_SUPPORTED_RUN_STATE_SCHEMA_VERSION = exports.LEGACY_RUN_STATE_SCHEMA_VERSION = exports.CURRENT_RUN_STATE_SCHEMA_VERSION = exports.WORKFLOW_APP_SCHEMA_VERSION = exports.CURRENT_COOL_WORKFLOW_VERSION = void 0;
-exports.CURRENT_COOL_WORKFLOW_VERSION = "0.1.78";
+exports.CURRENT_COOL_WORKFLOW_VERSION = "0.1.80";
 exports.WORKFLOW_APP_SCHEMA_VERSION = 1;
 exports.CURRENT_RUN_STATE_SCHEMA_VERSION = 1;
 exports.LEGACY_RUN_STATE_SCHEMA_VERSION = 0;

package/docs/agent-delegation-drive.7.md

@@ -133,12 +133,66 @@ node dist/cli.js run architecture-review --drive --once --repo /path/to/repo --q
 node dist/cli.js run drive <run-id> --json       # read-only preview of the next step
 ```
 
+For faster first results, use the opt-in fast app instead of changing the full
+review contract:
+
+```text
+node scripts/architecture-review-fast.js --repo /path/to/repo --question "Is the design sound?" --fast-model gpt-5.5-high --strong-model gpt-5.5-extra-high --metrics --schedule-full
+```
+
+`architecture-review-fast` has six workers: two Map and two Assess workers in
+parallel, then sequential Verify and Verdict workers. The original
+`architecture-review` app remains the full 14-worker review and is the right
+target for background routines when a deep audit can finish outside the user's
+foreground wait.
+
+The model flags are policy, not attestation: they set task-level `{{model}}`
+hints for the delegated agent process. The recorded model still comes only from
+the agent-reported output.
+
+The wrapper computes the source-context digest and supplies it to the fast app.
+For external repositories, the documented no-profile command creates a repo-local
+default `repo` profile over common tracked text surfaces. If the selected profile
+exports zero records, the wrapper refuses rather than handing the app an empty
+context digest.
+The two Map workers opt in to result caching keyed by source-context digest plus
+prompt digest. The two Assess workers also opt in, but their cache key includes
+the completed previous-phase result digests so stale Map outputs do not satisfy
+an Assess cache hit. A cache hit still passes through `recordWorkerOutput`
+validation; a corrupt cached result parks/fails closed rather than spawning a
+silent fallback.
+
+`--metrics` is diagnostic and opt-in. It adds elapsed milliseconds, step counts,
+agent-spawn counts, and `result-cache` hit counts to the wrapper JSON payload;
+without it, the wrapper's default output shape stays unchanged.
+
 `{{manifest}}`, `{{input}}`, `{{result}}`, `{{workerDir}}`, `{{model}}`, and
 `{{prompt}}` are substituted into DISCRETE argv elements (never a shell-interpreted
 string). Each verb is declared once in `capability-registry.ts`, so `cw <cmd>
 --json` is byte-identical to the matching `cw_<tool>` MCP tool for the read-only
 preview/config-show verbs.
 
+## Live output — opt-in stderr passthrough (Unix-clean)
+
+A drive can show the agent's activity live, without touching the evidence
+contract, when the operator opts in with `CW_AGENT_STREAM=1`:
+
+- **Default stays buffered.** Without `CW_AGENT_STREAM=1`, the bundled wrapper
+  preserves the legacy `--output-format json` path and forwards claude's JSON
+  stdout verbatim after writing `result.md`.
+- **The opt-in wrapper renders; stderr only.** With `CW_AGENT_STREAM=1`, the
+  bundled wrapper runs claude in `--output-format stream-json` and renders a
+  concise human trace (tool uses, assistant text, per-turn summaries) to its
+  **stderr** — diagnostics, never data. It reconstructs the single
+  `{model, usage, result}` object for stdout only on that opt-in path.
+- **Core forwards, never parses.** `runAgentProcess` passes the agent child's
+  stderr straight through to the operator's terminal (`stdio` inherit) only when
+  `CW_AGENT_STREAM=1`, CW's own stderr is a TTY, and `CW_NO_STREAM` is not set.
+  Piped / CI runs stay silent (the Rule of Silence). Vendor-specific rendering
+  lives in the wrapper (policy), not the kernel (mechanism).
+- **Determinism intact.** The backend evidence triple hashes stdout only, so
+  the live stderr stream never affects recorded evidence or replay.
+
 ## Compatibility
 
 Agent Delegation Drive is introduced in CW v0.1.38. Adding the `agent` row leaves
@@ -188,3 +242,9 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
 0.1.77
 
 0.1.78
+
+0.1.79
+
+## Fast Architecture Review (v0.1.80)
+
+Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, reusable Map and Assess results, measurable wrapper metrics, actionable background full-review handoff, and userland model policy flags for routing fast/strong workers without changing the full review contract.

package/docs/canonical-workflow-apps.7.md

@@ -28,6 +28,43 @@ node scripts/cw.js plan architecture-review \
   --focus "runtime"
 ```
 
+`architecture-review-fast`
+
+Run a shorter architecture review for a fast first result. The app keeps the
+full `architecture-review` contract available under its original id, but uses two
+parallel Map workers, two parallel Assess workers, one verifier, and one verdict
+worker. Operators can optionally provide a pinned JSONL source context and route
+mapping/assessment work to a faster model while reserving stronger models for
+verification and synthesis.
+
+```bash
+node scripts/architecture-review-fast.js \
+  --repo /path/to/repo \
+  --question "Is this architecture sound?" \
+  --fast-model gpt-5.5-high \
+  --strong-model gpt-5.5-extra-high \
+  --metrics \
+  --schedule-full
+```
+
+The wrapper prepares one cached JSONL source context, passes its sha256 digest to
+the fast app, runs `quickstart architecture-review-fast`, and optionally creates
+a one-shot background schedule for the full `architecture-review` app. When run
+against an external repo without `--profile` or `--profile-file`, it writes a
+small repo-local `repo` profile covering common tracked text surfaces such as
+README/package metadata, `src/`, `lib/`, `apps/`, `scripts/`, docs, and tests.
+If the selected profile exports zero records, the wrapper fails closed instead of
+passing an empty context digest to the app.
+`--fast-model` and `--strong-model` are userland policy flags; internally they
+set the same task-level hints as `CW_ARCHITECTURE_REVIEW_FAST_MODEL` and
+`CW_ARCHITECTURE_REVIEW_STRONG_MODEL`.
+`--metrics` is opt-in; when present the wrapper adds elapsed-time, worker-step,
+agent-spawn, and result-cache-hit counts to the JSON payload so operators can
+measure foreground wait reductions without changing the default output shape.
+
+For long full reviews, use the existing routine or schedule surfaces to run
+`architecture-review` in the background after the fast report has returned.
+
 `pr-review-fix-ci`
 
 Review a pull request or branch, inspect CI failures, diagnose actionable

package/docs/cli-mcp-parity.7.md

@@ -39,6 +39,14 @@ A new runtime capability is added once, in the registry, against one core entry.
 The CLI command and the MCP tool are then two policies over that one mechanism —
 which is exactly what the parity gate checks.
 
+The MCP tool list is also being collapsed toward that single source. The first
+read-only inspection group (`operator.status`, `graph`, `operator.report`,
+worker/candidate/feedback/commit summaries, and the basic multi-agent inspection
+views) derives its MCP tool name and description directly from the capability
+registry; `mcp-server.ts` still owns the MCP input schema for those tools. This
+keeps the public `tools/list` output unchanged while removing one duplicate
+description table at a time.
+
 ## Human vs Machine Contract
 
 The two surfaces have different contracts and must not interfere:
@@ -371,3 +379,9 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
 0.1.77
 
 0.1.78
+
+0.1.79
+
+## Fast Architecture Review (v0.1.80)
+
+Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, reusable Map and Assess results, measurable wrapper metrics, actionable background full-review handoff, and userland model policy flags for routing fast/strong workers without changing the full review contract.

package/docs/contract-migration-tooling.7.md

@@ -121,3 +121,9 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
 0.1.77
 
 0.1.78
+
+0.1.79
+
+## Fast Architecture Review (v0.1.80)
+
+Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, reusable Map and Assess results, measurable wrapper metrics, actionable background full-review handoff, and userland model policy flags for routing fast/strong workers without changing the full review contract.

package/docs/control-plane-scheduling.7.md

@@ -108,3 +108,9 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
 0.1.77
 
 0.1.78
+
+0.1.79
+
+## Fast Architecture Review (v0.1.80)
+
+Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, reusable Map and Assess results, measurable wrapper metrics, actionable background full-review handoff, and userland model policy flags for routing fast/strong workers without changing the full review contract.

package/docs/durable-state-and-locking.7.md

@@ -105,3 +105,9 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
 0.1.77
 
 0.1.78
+
+0.1.79
+
+## Fast Architecture Review (v0.1.80)
+
+Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, reusable Map and Assess results, measurable wrapper metrics, actionable background full-review handoff, and userland model policy flags for routing fast/strong workers without changing the full review contract.

package/docs/evidence-adoption-reasoning-chain.7.md

@@ -268,3 +268,9 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
 0.1.77
 
 0.1.78
+
+0.1.79
+
+## Fast Architecture Review (v0.1.80)
+
+Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, reusable Map and Assess results, measurable wrapper metrics, actionable background full-review handoff, and userland model policy flags for routing fast/strong workers without changing the full review contract.

package/docs/execution-backends.7.md

@@ -298,3 +298,9 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
 0.1.77
 
 0.1.78
+
+0.1.79
+
+## Fast Architecture Review (v0.1.80)
+
+Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, reusable Map and Assess results, measurable wrapper metrics, actionable background full-review handoff, and userland model policy flags for routing fast/strong workers without changing the full review contract.

package/docs/index.md

@@ -35,6 +35,7 @@ Read these in order when you are new to CW:
 31. [Agent Delegation Drive](agent-delegation-drive.7.md) - the `agent` backend delegates each worker to an EXTERNAL agent process (claude/codex/HTTP endpoint) and `run --drive` auto-advances plan→dispatch→fulfill→accept→commit; the model runs in the agent's process, never in CW. Two-layer evidence, operator-vs-attested model, fail-closed park, replay without re-spawn.
 32. [Run Retention & Provable Reclamation](run-retention-reclamation.7.md) - tiered, append-only, cryptographically-verifiable disk reclamation over the v0.1.28 archive overlay: seal the audit skeleton, free the reconstructable/scratch bulk, and prove it via a hash-chained tombstone; `gc plan|run|verify`, write-ahead + fail-closed, explicit capability downgrade.
 33. [Durable State & Locking](durable-state-and-locking.7.md) - atomic (temp→rename) writes for every authoritative store with fsync-durability for the audit-essential ones, plus a portable stale-stealing file lock serializing the cross-process read-modify-write stores (home queue, archive overlay, reclamation chain); closes the prior verdict's non-atomic/unlocked P1.
+34. [Source Context Profiles](source-context-profiles.7.md) - opt-in JSONL source exports for AI context slimming, with profile policy in manifest data and manifest records proving every included or omitted tracked file.
 
 CW is the base system. Workflow apps are userland. Release and migration rules
 must preserve that line: stable contracts, explicit compatibility checks, and

package/docs/launch/demo.tape

@@ -0,0 +1,28 @@
+# VHS tape — records the `cw demo tamper` proof to a GIF for the README hero.
+#
+# Reproducible, deterministic capture (no manual screen-recording). Install VHS
+# (https://github.com/charmbracelet/vhs), then from the repo root:
+#
+#   vhs plugins/cool-workflow/docs/launch/demo.tape
+#
+# Output: docs/launch/demo-tamper.gif. Then in the root README, replace the
+# fenced demo output block under "See it in 30 seconds" with:
+#   ![cw demo tamper](plugins/cool-workflow/docs/launch/demo-tamper.gif)
+
+Output plugins/cool-workflow/docs/launch/demo-tamper.gif
+
+Set FontSize 15
+Set Width 1180
+Set Height 760
+Set Padding 18
+Set Theme "Dracula"
+Set Framerate 24
+Set PlaybackSpeed 1.0
+
+# Use the published package so the GIF reflects exactly what a new user runs.
+Type "npx cool-workflow demo tamper"
+Sleep 600ms
+Enter
+
+# Allow npx fetch + the demo to run and print the verdict.
+Sleep 14s