cool-workflow 0.1.78

package/scripts/parity-check.js

@@ -0,0 +1,213 @@
+#!/usr/bin/env node
+"use strict";
+
+// CLI <-> MCP parity gate. Two renderings of one data source must agree.
+//
+//   node scripts/parity-check.js            # print the parity report (JSON)
+//   node scripts/parity-check.js --check    # fail (exit 1) on ANY drift
+//
+// FAIL CLOSED ON DRIFT (BSD discipline, same shape as gen-manifests --check):
+//   1. STATIC parity — the declared capability registry must exactly match the
+//      live MCP tool list (tools/list) and the CLI dispatch tokens parsed from
+//      dist/cli.js. A tool or command on one surface but not the other, or not
+//      declared in src/capability-registry.ts, is release-blocking.
+//   2. PAYLOAD parity — for every capability declared `payloadIdentical`, the
+//      `cw <cmd> --json` payload must equal the `cw_<tool>` MCP result on a real
+//      bootstrap run (whitespace + generation-moment ISO timestamps aside).
+//
+// The registry (src/capability-registry.ts -> dist/capability-registry.js) is
+// the single source of truth; this script never re-declares capabilities.
+
+const assert = require("node:assert/strict");
+const { execFileSync, spawn } = require("node:child_process");
+const fs = require("node:fs");
+const os = require("node:os");
+const path = require("node:path");
+const readline = require("node:readline");
+
+const pluginRoot = path.resolve(__dirname, "..");
+const node = process.execPath;
+const cli = path.join(pluginRoot, "dist", "cli.js");
+const mcpServer = path.join(pluginRoot, "dist", "mcp-server.js");
+const registry = require(path.join(pluginRoot, "dist", "capability-registry.js"));
+
+// Read capabilities that are safe to probe on a freshly planned run with only a
+// runId (or no args). Each: [capability, cliArgvAfterRunId, mcpTool].
+// runId-less reads use [] for cli args and {} mcp args.
+const RUN_PROBES = [
+  ["status", ["--json"], "cw_status"],
+  ["operator.status", ["--json"], "cw_operator_status"],
+  ["operator.report", ["--json"], "cw_operator_report"],
+  ["graph", ["--json"], "cw_operator_graph"],
+  ["report", ["--json"], "cw_report"],
+  ["next", [], "cw_next"],
+  ["state.check", [], "cw_state_check"],
+  ["contract.show", [], "cw_contract_show"],
+  ["node.list", [], "cw_node_list"],
+  ["node.graph", ["--json"], "cw_node_graph"],
+  ["worker.summary", ["--json"], "cw_worker_summary"],
+  ["candidate.summary", ["--json"], "cw_candidate_summary"],
+  ["feedback.summary", ["--json"], "cw_feedback_summary"],
+  ["commit.summary", ["--json"], "cw_commit_summary"],
+  ["audit.summary", [], "cw_audit_summary"],
+  ["multi-agent.summary", ["--json"], "cw_multi_agent_summary"],
+  ["workbench.view", ["--json"], "cw_workbench_view"],
+  ["metrics.show", ["--json"], "cw_metrics_show"],
+  ["review.status", ["--json"], "cw_review_status"],
+  ["comment.list", ["--json"], "cw_comment_list"],
+  ["run.drive", ["--json"], "cw_run_drive"],
+  ["gc.plan", ["--json"], "cw_gc_plan"],
+  ["gc.verify", ["--json"], "cw_gc_verify"]
+];
+const GLOBAL_PROBES = [
+  ["list", "cw_list"],
+  ["app.list", "cw_app_list"],
+  ["topology.list", "cw_topology_list"],
+  ["sandbox.list", "cw_sandbox_list"],
+  ["backend.list", "cw_backend_list"],
+  ["backend.agent.config.show", "cw_backend_agent_config_show"],
+  ["metrics.summary", "cw_metrics_summary"]
+];
+
+function capById(id) {
+  const cap = registry.CAPABILITY_REGISTRY.find((entry) => entry.capability === id);
+  assert.ok(cap, `probe references unknown capability ${id}`);
+  return cap;
+}
+
+// ---- 1. static surface parity ---------------------------------------------
+function liveMcpTools() {
+  const result = execFileSync(node, [mcpServer], {
+    cwd: pluginRoot,
+    input: `${JSON.stringify({ jsonrpc: "2.0", id: 1, method: "tools/list", params: {} })}\n`,
+    encoding: "utf8"
+  });
+  const line = result
+    .trim()
+    .split("\n")
+    .find((entry) => entry.includes('"tools"'));
+  assert.ok(line, "MCP server returned no tools/list result");
+  return JSON.parse(line).result.tools.map((tool) => tool.name);
+}
+
+function cliDispatchTokens() {
+  const source = fs.readFileSync(cli, "utf8");
+  return [...new Set([...source.matchAll(/case\s+"([^"]+)":/g)].map((match) => match[1]))];
+}
+
+// ---- 2. payload identity ---------------------------------------------------
+// Generation-moment ISO timestamps are presentation metadata, not capability
+// data: the same field carries the wall-clock instant of the render. Neutralize
+// them (and only them) before comparison so we assert canonical-payload identity.
+function canonical(value) {
+  return JSON.stringify(value).replace(/\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z/g, "<ts>");
+}
+
+function openMcp() {
+  const server = spawn(node, [mcpServer], { cwd: pluginRoot, stdio: ["pipe", "pipe", "pipe"] });
+  const lines = readline.createInterface({ input: server.stdout });
+  const pending = new Map();
+  let nextId = 1;
+  lines.on("line", (line) => {
+    let message;
+    try {
+      message = JSON.parse(line);
+    } catch {
+      return;
+    }
+    const waiter = pending.get(message.id);
+    if (!waiter) return;
+    pending.delete(message.id);
+    if (message.error) waiter.reject(new Error(message.error.message));
+    else waiter.resolve(message.result);
+  });
+  const rpc = (method, params) => {
+    const id = nextId++;
+    server.stdin.write(`${JSON.stringify({ jsonrpc: "2.0", id, method, params })}\n`);
+    return new Promise((resolve, reject) => pending.set(id, { resolve, reject }));
+  };
+  const tool = (name, args) => rpc("tools/call", { name, arguments: args }).then((result) => JSON.parse(result.content[0].text));
+  return { server, rpc, tool };
+}
+
+async function payloadParity() {
+  // realpath so the CLI (which realpath-resolves its cwd) and the MCP server we
+  // hand `cwd` to observe identical absolute paths — a workspace symlink would
+  // otherwise masquerade as a payload divergence.
+  const workspace = fs.realpathSync(fs.mkdtempSync(path.join(os.tmpdir(), "cw-parity-")));
+  const plan = JSON.parse(
+    execFileSync(node, [cli, "plan", "architecture-review", "--repo", workspace, "--question", "v0.1.27 CLI<->MCP parity probe"], {
+      cwd: workspace,
+      encoding: "utf8"
+    })
+  );
+  const runId = plan.runId;
+  const mismatches = [];
+  const checked = [];
+  const mcp = openMcp();
+  try {
+    await mcp.rpc("initialize", {});
+    for (const [capability, mcpTool] of GLOBAL_PROBES) {
+      const cap = capById(capability);
+      assert.equal(cap.mcp.tool, mcpTool, `probe/registry MCP tool mismatch for ${capability}`);
+      const cliArgv = [...cap.cli.path, ...(cap.cli.jsonMode === "flag" ? ["--json"] : [])];
+      const cliOut = JSON.parse(execFileSync(node, [cli, ...cliArgv], { cwd: workspace, encoding: "utf8" }));
+      const mcpOut = await mcp.tool(mcpTool, { cwd: workspace });
+      checked.push(capability);
+      if (canonical(cliOut) !== canonical(mcpOut)) mismatches.push(capability);
+    }
+    for (const [capability, extraArgv, mcpTool] of RUN_PROBES) {
+      const cap = capById(capability);
+      assert.equal(cap.mcp.tool, mcpTool, `probe/registry MCP tool mismatch for ${capability}`);
+      const cliArgv = [...cap.cli.path, runId, ...extraArgv];
+      const cliOut = JSON.parse(execFileSync(node, [cli, ...cliArgv], { cwd: workspace, encoding: "utf8" }));
+      const mcpOut = await mcp.tool(mcpTool, { cwd: workspace, runId });
+      checked.push(capability);
+      if (canonical(cliOut) !== canonical(mcpOut)) mismatches.push(capability);
+    }
+  } finally {
+    mcp.server.kill();
+  }
+  return { runId, checked, mismatches };
+}
+
+async function main() {
+  const check = process.argv.includes("--check");
+  const tools = liveMcpTools();
+  const tokens = cliDispatchTokens();
+  const report = registry.buildParityReport({ mcpTools: tools, cliTokens: tokens });
+  const payload = await payloadParity();
+
+  const ok = report.ok && payload.mismatches.length === 0;
+  const out = {
+    ok,
+    static: report,
+    payload: {
+      ok: payload.mismatches.length === 0,
+      runId: payload.runId,
+      checked: payload.checked.length,
+      capabilities: payload.checked,
+      mismatches: payload.mismatches
+    }
+  };
+  process.stdout.write(`${JSON.stringify(out, null, 2)}\n`);
+
+  if (check && !ok) {
+    const lines = ["", "CLI <-> MCP parity drift detected (release-blocking):"];
+    if (report.missingMcpTools.length) lines.push(`  - registry declares MCP tools absent from the server: ${report.missingMcpTools.join(", ")}`);
+    if (report.undeclaredMcpTools.length) lines.push(`  - server exposes MCP tools not declared in the registry: ${report.undeclaredMcpTools.join(", ")}`);
+    if (report.missingCliTokens.length) lines.push(`  - registry declares CLI tokens absent from dist/cli.js: ${report.missingCliTokens.join(", ")}`);
+    if (report.undeclaredCliTokens.length) lines.push(`  - dist/cli.js dispatches tokens not declared in the registry: ${report.undeclaredCliTokens.join(", ")}`);
+    if (report.reasonlessExceptions.length) lines.push(`  - surface-specific / payload-divergent capabilities missing a recorded reason: ${report.reasonlessExceptions.join(", ")}`);
+    if (report.registryLint.length) lines.push(`  - registry lint: ${report.registryLint.join("; ")}`);
+    if (payload.mismatches.length) lines.push(`  - cw --json != cw_<tool> payload for: ${payload.mismatches.join(", ")}`);
+    lines.push("Reconcile src/capability-registry.ts, cli.ts, and mcp-server.ts so both surfaces render one data source.\n");
+    process.stderr.write(lines.join("\n"));
+    process.exitCode = 1;
+  }
+}
+
+main().catch((error) => {
+  process.stderr.write(`parity-check: ${error instanceof Error ? error.message : String(error)}\n`);
+  process.exitCode = 1;
+});

package/scripts/release-check.js

@@ -0,0 +1,118 @@
+#!/usr/bin/env node
+"use strict";
+
+const { spawnSync } = require("node:child_process");
+const fs = require("node:fs");
+const path = require("node:path");
+
+const pluginRoot = path.resolve(__dirname, "..");
+const repoRoot = path.resolve(pluginRoot, "..", "..");
+const checks = [
+  {
+    name: "docs presence",
+    run: () => {
+      for (const file of [
+        "README.md",
+        "docs/index.md",
+        "docs/getting-started.md",
+        "docs/release-and-migration.7.md",
+        "docs/multi-agent-cli-mcp-surface.7.md",
+        "docs/multi-agent-operator-ux.7.md",
+        "docs/multi-agent-trust-policy-audit.7.md",
+        "docs/multi-agent-eval-replay-harness.7.md",
+        "docs/state-explosion-management.7.md",
+        "docs/evidence-adoption-reasoning-chain.7.md",
+        "docs/cli-mcp-parity.7.md",
+        "docs/run-registry-control-plane.7.md",
+        "docs/execution-backends.7.md",
+        "docs/web-desktop-workbench.7.md",
+        "docs/observability-cost-accounting.7.md",
+        "docs/team-collaboration.7.md",
+        "docs/release-tooling.7.md",
+        "docs/real-execution-backends.7.md",
+        "docs/node-snapshot-diff-replay.7.md",
+        "docs/contract-migration-tooling.7.md",
+        "docs/control-plane-scheduling.7.md",
+        "docs/agent-delegation-drive.7.md",
+        "docs/run-retention-reclamation.7.md",
+        "docs/durable-state-and-locking.7.md",
+        "docs/security-trust-hardening.7.md",
+        "../../CHANGELOG.md",
+        "../../RELEASE.md"
+      ]) {
+        const absolute = path.resolve(pluginRoot, file);
+        if (!fs.existsSync(absolute)) throw new Error(`missing ${path.relative(repoRoot, absolute)}`);
+      }
+    }
+  },
+  // NOTE: the individual `node test/<x>-smoke.js` steps were removed — every one
+  // is already run by `npm test` below (proven by set intersection). Re-running
+  // them here doubled wall time (~86s -> ~25s) without adding coverage. The steps
+  // kept below are the ones NOT covered by `npm test`: the build/typecheck, the
+  // app/script runners (canonical-apps, golden-path), and the dedicated gates
+  // (parity, manifest drift, version sync). `npm test` already runs every smoke,
+  // including eval-replay-harness, fixture-compat, dogfood, security, and the
+  // per-feature smokes.
+  // `dist:check` builds from src/ AND fails closed if the committed dist/ drifted
+  // from that fresh build — strictly stronger than a bare `npm run build`.
+  { name: "dist freshness", command: ["npm", "run", "dist:check"] },
+  { name: "type check", command: ["npm", "run", "check"] },
+  { name: "run-state schema consistency", command: ["node", "scripts/validate-run-state-schema.js"] },
+  { name: "tests", command: ["npm", "test"] },
+  { name: "canonical apps", command: ["npm", "run", "canonical-apps"] },
+  { name: "golden path", command: ["npm", "run", "golden-path"] },
+  { name: "CLI MCP parity", command: ["npm", "run", "parity:check"] },
+  { name: "vendor manifest synchronization", command: ["npm", "run", "gen:manifests", "--", "--check"] },
+  { name: "version synchronization", command: ["npm", "run", "version:sync"] },
+  // Lightweight (~50ms) standalone gate: fail closed if docs/project-index.md has
+  // drifted from a fresh source scan. The teeth-on-the-gate live in
+  // test/project-index-sync-smoke.js (run by `npm test`); this entry gives the
+  // real-doc check its own visible PASS/FAIL line in the release summary.
+  { name: "project index sync", command: ["npm", "run", "index:check"] }
+];
+
+function main() {
+  const results = [];
+  for (const check of checks) {
+    process.stdout.write(`release:check ${check.name} ... `);
+    const started = Date.now();
+    try {
+      if (check.run) check.run();
+      else runCommand(check.command);
+      const elapsedMs = Date.now() - started;
+      results.push({ name: check.name, ok: true, elapsedMs });
+      process.stdout.write(`ok (${elapsedMs}ms)\n`);
+    } catch (error) {
+      const elapsedMs = Date.now() - started;
+      results.push({ name: check.name, ok: false, elapsedMs, error: error.message });
+      process.stdout.write(`failed (${elapsedMs}ms)\n`);
+      process.stderr.write(`${error.message}\n`);
+    }
+  }
+
+  const failed = results.filter((entry) => !entry.ok);
+  process.stdout.write("\nRelease Check Summary\n");
+  for (const result of results) {
+    process.stdout.write(`- ${result.ok ? "PASS" : "FAIL"} ${result.name}\n`);
+  }
+  process.stdout.write(`\nDry-run only: no tag, push, publish, or fixture mutation was requested.\n`);
+  if (failed.length > 0) {
+    process.stderr.write(`\n${failed.length} release-blocking check(s) failed.\n`);
+    process.exitCode = 1;
+  }
+}
+
+function runCommand(command) {
+  const result = spawnSync(command[0], command.slice(1), {
+    cwd: pluginRoot,
+    encoding: "utf8",
+    stdio: "pipe",
+    env: { ...process.env, CW_RELEASE_CHECK: "1" }
+  });
+  if (result.status !== 0) {
+    const output = [result.stdout, result.stderr].filter(Boolean).join("\n").trim();
+    throw new Error(`${command.join(" ")} exited ${result.status}\n${output}`);
+  }
+}
+
+main();

package/scripts/release-flow.js

@@ -0,0 +1,272 @@
+#!/usr/bin/env node
+"use strict";
+
+// release-flow.js — portable, vendor-neutral release orchestrator.
+//
+// One script that runs the SAME gated release flow under any harness
+// (Claude / Codex / Gemini / OpenCode) or a plain shell. It does NOT depend on
+// any one host's agent-orchestration primitive — it is just node + git + the
+// existing CW scripts. The only LLM step (the independent reviewer) is
+// DELEGATED through CW's agent backend config (CW_AGENT_COMMAND / CW_AGENT_ENDPOINT),
+// so whichever model you configure does the review. CW spawns the agent
+// argv-style (shell:false), inherits the agent's own env/key, and imports no
+// model SDK — the same red line as src/execution-backend.ts.
+//
+// Modes:
+//   node release-flow.js [--check]                 gate + review, no mutation (default)
+//   node release-flow.js --cut --version x.y.z [--push]
+//                                                  also bump:version, commit verdict, tag, (push)
+// Flags also accepted: --prev-tag <t>, --agent-command "...", --agent-model m, --dry-run
+//
+// Test seam: CW_RELEASE_FLOW_GATE_CMD overrides the deterministic gate command
+// (default: `bash <thisdir>/release-gate.sh`) so the smoke can exercise the
+// orchestration layer without re-running the full build/test suite.
+//
+// Zero dependency: node + git only.
+
+const fs = require("node:fs");
+const path = require("node:path");
+const https = require("node:https");
+const http = require("node:http");
+const { spawnSync } = require("node:child_process");
+
+const scriptsDir = __dirname;
+const pluginRoot = path.resolve(scriptsDir, "..");
+
+// ---- args ------------------------------------------------------------------
+const argv = process.argv.slice(2);
+const has = (f) => argv.includes(f);
+const val = (f) => {
+  const i = argv.indexOf(f);
+  return i >= 0 ? argv[i + 1] : undefined;
+};
+const MODE_CUT = has("--cut");
+const DRY_RUN = has("--dry-run");
+const PUSH = has("--push");
+const cutVersion = val("--version");
+const prevTagArg = val("--prev-tag");
+
+function die(msg, extra) {
+  process.stderr.write(`release-flow: ${msg}\n`);
+  if (extra) process.stderr.write(`${extra}\n`);
+  process.exit(1);
+}
+function say(msg) {
+  process.stdout.write(`${msg}\n`);
+}
+function git(args, opts = {}) {
+  const r = spawnSync("git", args, { cwd: repoRoot, encoding: "utf8", ...opts });
+  return { code: r.status, out: (r.stdout || "").trim(), err: (r.stderr || "").trim() };
+}
+
+// ---- repo + revision context ----------------------------------------------
+const top = spawnSync("git", ["rev-parse", "--show-toplevel"], { encoding: "utf8" });
+if (top.status !== 0) die("not inside a git work tree");
+const repoRoot = top.stdout.trim();
+
+const HEAD = git(["rev-parse", "HEAD"]).out;
+// Previous tag, excluding any tag that already points at HEAD (so this works
+// whether run before tagging or re-run on a freshly tagged commit — same fix
+// as release-gate.sh).
+function resolvePrevTag() {
+  if (prevTagArg) return prevTagArg;
+  const headTags = git(["tag", "--points-at", "HEAD"]).out.split("\n").filter(Boolean);
+  let prev = git(["describe", "--tags", "--abbrev=0"]).out;
+  if (prev && headTags.includes(prev)) prev = git(["describe", "--tags", "--abbrev=0", "HEAD^"]).out;
+  return prev || "";
+}
+const PREV_TAG = resolvePrevTag();
+
+// ---- 1. deterministic gate -------------------------------------------------
+function runGate() {
+  const override = (process.env.CW_RELEASE_FLOW_GATE_CMD || "").trim();
+  say("[1/3] deterministic gate");
+  let r;
+  if (override) {
+    // Test/override seam — run via the shell intentionally; this path is for
+    // the smoke and operator overrides only, never the delegated agent.
+    r = spawnSync(override, { cwd: repoRoot, encoding: "utf8", shell: true, stdio: "inherit" });
+  } else {
+    r = spawnSync("bash", [path.join(scriptsDir, "release-gate.sh")], {
+      cwd: repoRoot,
+      encoding: "utf8",
+      stdio: "inherit"
+    });
+  }
+  if (r.status !== 0) die("deterministic gate FAILED — fix findings in normal cycles, do not retry the release here.");
+}
+
+// ---- 2. independent reviewer, delegated to the configured agent -------------
+function reviewerPromptBody() {
+  // Reuse the committed reviewer spec as the prompt; strip YAML frontmatter.
+  const specPath = path.join(pluginRoot, "agents", "release-reviewer.md");
+  let body = fs.existsSync(specPath) ? fs.readFileSync(specPath, "utf8") : "";
+  body = body.replace(/^---[\s\S]*?---\n/, "");
+  return body.trim();
+}
+
+function buildReviewerInput(resultPath) {
+  const action = MODE_CUT ? `tag v${cutVersion || "<next>"}` : "check (no tag)";
+  return [
+    reviewerPromptBody(),
+    "",
+    "---",
+    "## Release candidate context (derive/verify everything yourself)",
+    `- HEAD: ${HEAD}`,
+    `- Previous tag: ${PREV_TAG || "(none)"}`,
+    `- Diff range: ${PREV_TAG ? `${PREV_TAG}..HEAD` : "(no previous tag)"}`,
+    `- Proposed action: ${action}`,
+    `- Repo root (run git here): ${repoRoot}`,
+    "",
+    "## Required output — write ONLY this file, nothing else",
+    `Write your verdict to this exact path:`,
+    `  ${resultPath}`,
+    "First line MUST be exactly one of:",
+    `  APPROVED ${HEAD}`,
+    "  <one concrete sentence: the user-visible capability this ships>",
+    "or:",
+    "  REJECTED",
+    "  <numbered gate failures with file:line references>",
+    ""
+  ].join("\n");
+}
+
+function substitute(arg, map) {
+  return arg.replace(/\{\{(\w+)\}\}/g, (m, k) => (k in map ? String(map[k]) : m));
+}
+
+function delegateReview(resultPath, inputPath) {
+  // Reuse the canonical agent-config resolver (flags > env > file).
+  let resolveAgentConfig;
+  try {
+    ({ resolveAgentConfig } = require(path.join(pluginRoot, "dist", "agent-config.js")));
+  } catch (e) {
+    die("cannot load dist/agent-config.js — run `npm run build` first", String(e));
+  }
+  const cfg = resolveAgentConfig(
+    { "agent-command": val("--agent-command"), "agent-model": val("--agent-model") },
+    process.env
+  );
+  if (cfg.source === "none" || (!cfg.command && !cfg.endpoint)) {
+    die(
+      "no reviewer agent configured. Set one of:\n" +
+      '  CW_AGENT_COMMAND="claude -p {{input}}"   (or codex exec / gemini -p / opencode run)\n' +
+      "  CW_AGENT_ENDPOINT=https://...            (HTTP agent, e.g. DeepSeek)\n" +
+      "  or pass --agent-command. CW delegates the review; it never runs a model itself."
+    );
+  }
+
+  const subMap = {
+    input: inputPath,
+    manifest: inputPath,
+    result: resultPath,
+    workerDir: repoRoot,
+    model: cfg.model || "",
+    prompt: fs.readFileSync(inputPath, "utf8")
+  };
+
+  if (cfg.command) {
+    const args = (cfg.args || []).map((a) => substitute(a, subMap));
+    say(`[2/3] reviewer — delegating to: ${cfg.command} ${(cfg.args || []).join(" ")} (model: ${cfg.model || "unreported"})`);
+    // RED LINE: argv-style, shell:false. The agent runs the model in its own
+    // process and inherits its own credentials; CW holds none.
+    const r = spawnSync(cfg.command, args, {
+      cwd: repoRoot,
+      env: { ...process.env },
+      encoding: "utf8",
+      timeout: cfg.timeoutMs || 600000,
+      shell: false,
+      stdio: "inherit"
+    });
+    if (r.status !== 0) die(`reviewer agent exited ${r.status === null ? "(timeout/no-exit)" : r.status} — no verdict trusted.`);
+    return;
+  }
+
+  // Endpoint mode (e.g. DeepSeek HTTP): POST the prompt, write the response as
+  // the verdict. The remote agent cannot write our local file, so we persist
+  // its returned text ourselves.
+  say(`[2/3] reviewer — POSTing to endpoint ${cfg.endpoint} (model: ${cfg.model || "unreported"})`);
+  const body = JSON.stringify({ prompt: subMap.prompt, model: cfg.model, sha: HEAD });
+  const lib = cfg.endpoint.startsWith("https:") ? https : http;
+  const text = postSync(lib, cfg.endpoint, body, cfg.timeoutMs || 600000);
+  if (text === null) die("reviewer endpoint call failed — no verdict trusted.");
+  fs.writeFileSync(resultPath, text.endsWith("\n") ? text : `${text}\n`);
+}
+
+// Minimal synchronous-ish POST using a child node process would overcomplicate;
+// use a blocking wait via Atomics on a SharedArrayBuffer-free approach: do a
+// simple promise + deasync-free busy loop is not available, so use execFileSync
+// with curl ONLY if present; otherwise instruct the operator to use command mode.
+function postSync(lib, endpoint, body, timeoutMs) {
+  const curl = spawnSync("curl", [
+    "-sS", "--max-time", String(Math.ceil(timeoutMs / 1000)),
+    "-X", "POST", "-H", "Content-Type: application/json",
+    "--data-binary", body, endpoint
+  ], { encoding: "utf8" });
+  if (curl.error || curl.status !== 0) {
+    process.stderr.write(curl.stderr || String(curl.error || "curl failed") + "\n");
+    return null;
+  }
+  return curl.stdout || "";
+}
+
+function verifyVerdict(resultPath) {
+  say("[3/3] verify verdict");
+  if (!fs.existsSync(resultPath)) die(`no verdict written to ${path.relative(repoRoot, resultPath)} — fail closed.`);
+  const text = fs.readFileSync(resultPath, "utf8");
+  const lines = text.split(/\r?\n/);
+  const firstLine = lines[0] || "";
+  if (firstLine !== `APPROVED ${HEAD}`) {
+    die(`verdict first line must be exactly "APPROVED ${HEAD}" — release blocked.`, text.trim());
+  }
+  const cap = (lines[1] || "").trim();
+  return cap;
+}
+
+// ---- 3. optional cut (bump + commit verdict + tag + push) ------------------
+function cut(resultPath, capability) {
+  if (!cutVersion || !/^\d+\.\d+\.\d+$/.test(cutVersion)) die("--cut requires --version x.y.z");
+  if (DRY_RUN) { say(`[dry-run] would: bump:version ${cutVersion}, commit verdict, tag v${cutVersion}${PUSH ? ", push" : ""}`); return; }
+  const bump = spawnSync("npm", ["run", "bump:version", "--", cutVersion], { cwd: pluginRoot, encoding: "utf8", stdio: "inherit" });
+  if (bump.status !== 0) die("bump:version failed");
+  // Regenerate the gated project index after the version bump (PR #87 gate).
+  spawnSync("npm", ["run", "sync:project-index", "--", "--repo-only"], { cwd: pluginRoot, stdio: "inherit" });
+  git(["add", "-A"]);
+  const commit = git(["commit", "-m", `chore(release): record APPROVED reviewer verdict for v${cutVersion}`]);
+  if (commit.code !== 0) die("verdict commit failed", commit.err);
+  const tag = git(["tag", "-a", `v${cutVersion}`, "-m", `v${cutVersion}: ${capability || "release"}`]);
+  if (tag.code !== 0) die("git tag failed", tag.err);
+  if (PUSH) {
+    git(["push", "origin", "HEAD"]);
+    git(["push", "origin", `v${cutVersion}`]);
+  }
+  say(`tagged v${cutVersion}${PUSH ? " and pushed" : " (local only; push when ready)"}`);
+}
+
+// ---- main ------------------------------------------------------------------
+function main() {
+  if (!HEAD) die("could not resolve HEAD");
+  const markerDir = path.join(repoRoot, ".cw-release");
+  fs.mkdirSync(markerDir, { recursive: true });
+  const resultPath = path.join(markerDir, `review-${HEAD}.verdict`);
+  const inputPath = path.join(markerDir, `review-input-${HEAD}.md`);
+
+  runGate();
+  fs.writeFileSync(inputPath, buildReviewerInput(resultPath));
+  delegateReview(resultPath, inputPath);
+  const capability = verifyVerdict(resultPath);
+
+  if (MODE_CUT) cut(resultPath, capability);
+
+  process.stdout.write(`${JSON.stringify({
+    ok: true,
+    mode: MODE_CUT ? "cut" : "check",
+    head: HEAD,
+    prevTag: PREV_TAG || null,
+    verdict: "APPROVED",
+    capability,
+    tagged: MODE_CUT && !DRY_RUN ? `v${cutVersion}` : null
+  }, null, 2)}\n`);
+}
+
+main();