cool-workflow 0.1.79 → 0.1.81

package/dist/capability-core.js

@@ -9,11 +9,12 @@
 // expressed here and called identically by both surfaces. A composite that lives
 // in only one surface is exactly the cross-surface drift v0.1.27 forbids.
 //
-// From v0.1.46: each exported entry function SHOULD self-register its capability
-// metadata via registerCapability() from capability-registry.ts. This replaces
-// the manual "add an entry to the giant array in capability-registry.ts" workflow
-// with automatic discovery. New capabilities just add a registerCapability() call
-// next to their implementation — no need to touch capability-registry.ts.
+// Capability metadata (which entry is on which surface, tool names, jsonMode) is
+// declared in ONE place — the BUILTIN_CAPABILITIES table in capability-registry.ts,
+// the single source of truth both surfaces and the parity gate read. New
+// capabilities add a row there. (A v0.1.46 "self-register at load time" mechanism
+// was removed: the registry snapshot was taken before those registrations ran, so
+// they were silently dead duplicates of the table — see capability-registry.ts.)
 //
 // See docs/cli-mcp-parity.7.md and src/capability-registry.ts.
 var __importDefault = (this && this.__importDefault) || function (mod) {
@@ -35,6 +36,10 @@ exports.runShow = runShow;
 exports.runResume = runResume;
 exports.runArchive = runArchive;
 exports.runRerun = runRerun;
+exports.runExportArchive = runExportArchive;
+exports.runImportArchive = runImportArchive;
+exports.runInspectArchive = runInspectArchive;
+exports.runVerifyImport = runVerifyImport;
 exports.queueAdd = queueAdd;
 exports.queueList = queueList;
 exports.queueDrain = queueDrain;
@@ -62,15 +67,18 @@ exports.withoutRuntimeKeys = withoutRuntimeKeys;
 exports.optionalString = optionalString;
 exports.isRecord = isRecord;
 exports.telemetryVerify = telemetryVerify;
+exports.auditVerify = auditVerify;
 exports.demoTamper = demoTamper;
-const capability_registry_1 = require("./capability-registry");
 const drive_1 = require("./drive");
 const agent_config_1 = require("./agent-config");
 const run_registry_1 = require("./run-registry");
 const observability_1 = require("./observability");
 const telemetry_ledger_1 = require("./telemetry-ledger");
+const telemetry_attestation_1 = require("./telemetry-attestation");
+const trust_audit_1 = require("./trust-audit");
 const telemetry_demo_1 = require("./telemetry-demo");
 const state_1 = require("./state");
+const run_export_1 = require("./run-export");
 const node_fs_1 = __importDefault(require("node:fs"));
 const node_path_1 = __importDefault(require("node:path"));
 const scheduling_1 = require("./scheduling");
@@ -86,8 +94,6 @@ function planSummary(runner, workflowId, options) {
         pendingTasks: run.tasks.filter((task) => task.status === "pending").length
     };
 }
-// Auto-register with the capability registry (v0.1.46 — no need to edit capability-registry.ts)
-(0, capability_registry_1.registerCapability)({ capability: "plan", summary: "Plan a workflow run on a repo + app.", entry: "planSummary", surface: "both", cli: { path: ["plan"], jsonMode: "default" }, mcp: { tool: "cw_plan" } });
 // ---- canonical app-run payload --------------------------------------------
 // Both `cw app run` and `cw_app_run` resolve to this exact object. Structured
 // app inputs + optional sandbox resolution, then a compact operator status.
@@ -113,7 +119,6 @@ function appRun(runner, args) {
         sandboxProfile: resolvedSandbox
     };
 }
-(0, capability_registry_1.registerCapability)({ capability: "app.run", summary: "Plan a run on a named app with structured inputs.", entry: "appRun", surface: "both", cli: { path: ["app", "run"], caseTokens: ["app"], jsonMode: "default" }, mcp: { tool: "cw_app_run" } });
 // ---- canonical sandbox choice payload -------------------------------------
 // Both `cw sandbox choose|resolve` and `cw_sandbox_choose|cw_sandbox_resolve`
 // resolve to this exact object.
@@ -150,7 +155,6 @@ function commitEnvelope(runner, runId, args) {
         commit
     };
 }
-(0, capability_registry_1.registerCapability)({ capability: "commit", summary: "Create a verifier-gated state commit with evidence.", entry: "commitEnvelope", surface: "both", cli: { path: ["commit"], jsonMode: "default" }, mcp: { tool: "cw_commit" }, payloadIdentical: false, reason: "CLI renders a human summary with path hints; MCP returns the structured commit payload alone." });
 function compactOperatorStatus(status) {
     return {
         runId: status.runId,
@@ -194,6 +198,19 @@ function flag(value) {
         return false;
     return Boolean(value);
 }
+function withInvocationCwd(args, fn) {
+    const cwd = optionalString(args.cwd);
+    if (!cwd)
+        return fn();
+    const previous = process.cwd();
+    process.chdir(cwd);
+    try {
+        return fn();
+    }
+    finally {
+        process.chdir(previous);
+    }
+}
 function runRegistryRefresh(reg, args) {
     return reg.refresh({ scope: scopeOf(args, "repo") });
 }
@@ -225,11 +242,19 @@ function runList(reg, args) {
 function runShow(reg, runId, args) {
     return reg.showRun(runId, { scope: scopeOf(args, "home") });
 }
-function runResume(reg, runId, args) {
-    return reg.resume(runId, {
+function runResume(reg, runner, runId, args) {
+    const base = reg.resume(runId, {
         scope: scopeOf(args, "home"),
         limit: args.limit === undefined ? undefined : Number(args.limit)
     });
+    // Default (no --drive/--once): read-only, byte-identical to before.
+    if (!isTrue(args.drive) && !isTrue(args.once))
+        return base;
+    // Opt-in continuation: hand the resolved run to the EXISTING agent-delegation
+    // drive loop (re-plans nothing; picks up pending/running tasks from durable
+    // state). An unconfigured agent surfaces drive.status="blocked" (fail-closed).
+    const drive = runDrive(runner, { ...args, runId: base.runId, repo: base.repo, once: isTrue(args.once) });
+    return { ...base, drive };
 }
 function runArchive(reg, runId, args) {
     if (runId) {
@@ -251,6 +276,38 @@ function runArchive(reg, runId, args) {
 function runRerun(reg, runId, args) {
     return reg.rerun(runId, { scope: scopeOf(args, "home"), reason: optionalString(args.reason) });
 }
+function runExportArchive(runner, runId, args) {
+    return withInvocationCwd(args, () => {
+        const output = optionalString(args.output || args.path || args.archive) || `${runId}.cwrun.json`;
+        return (0, run_export_1.exportRun)(runner.loadRun(runId), node_path_1.default.resolve(output));
+    });
+}
+function runImportArchive(runner, args) {
+    return withInvocationCwd(args, () => {
+        const archive = optionalString(args.archive || args.path || args.file);
+        if (!archive)
+            throw new Error("run import requires an archive path (positional, --archive, --path, or --file)");
+        const target = optionalString(args.target || args.repo || args.cwd) || process.cwd();
+        const imported = (0, run_export_1.importRun)(node_path_1.default.resolve(archive), node_path_1.default.resolve(target));
+        const registry = new run_registry_1.RunRegistry(node_path_1.default.resolve(target), runner);
+        const registryReport = registry.refresh({ scope: "repo" });
+        return { ...imported, registry: registryReport };
+    });
+}
+// Read-only: inspect a portable archive's integrity WITHOUT importing it. Routes
+// both surfaces through one shared core entry. The runner is unused (no registry
+// touch — inspection writes nothing) but kept for dispatch-signature symmetry.
+function runInspectArchive(_runner, args) {
+    return withInvocationCwd(args, () => {
+        const archive = optionalString(args.archive || args.path || args.file);
+        if (!archive)
+            throw new Error("run inspect-archive requires an archive path (positional, --archive, --path, or --file)");
+        return (0, run_export_1.inspectArchive)(node_path_1.default.resolve(archive));
+    });
+}
+function runVerifyImport(runner, runId, args) {
+    return withInvocationCwd(args, () => (0, run_export_1.verifyImportedRun)(runner.loadRun(runId)));
+}
 function queueAdd(reg, args) {
     return reg.queueAdd({
         runId: optionalString(args.runId),
@@ -384,7 +441,8 @@ const DRIVE_RUNTIME_KEYS = [
     "agentModel",
     "agent-model",
     "agentTimeoutMs",
-    "agent-timeout-ms"
+    "agent-timeout-ms",
+    "resume"
 ];
 function planInputsFor(args) {
     const copy = withoutRuntimeKeys(args);
@@ -436,6 +494,12 @@ exports.QUICKSTART_DEFAULT_APP = "architecture-review";
 function quickstart(runner, args) {
     const appId = String(args.appId || args.app || args.workflowId || exports.QUICKSTART_DEFAULT_APP);
     const agentConfigured = Boolean((0, agent_config_1.resolveAgentConfig)(args).command || (0, agent_config_1.resolveAgentConfig)(args).endpoint);
+    // `--resume`: a discoverability flag over the existing continuation. With no
+    // `--run`, advance exactly ONE step (reuse the `--once` path) and print a
+    // copy-pasteable continue line; with `--run <id>`, continue that run to
+    // completion (the default drive). It adds no new execution path.
+    const resume = isTrue(args.resume);
+    const resumeRunId = resume ? optionalString(args.runId || args.run) : undefined;
     // `--preview`: read-only, deterministic next-step projection (no spawn, no commit).
     // Plan a fresh run (the read-only first verb) then project the next drive step.
     if (isTrue(args.preview)) {
@@ -460,7 +524,10 @@ function quickstart(runner, args) {
     // Drive end-to-end (or one `--once` step). runDrive plans the run, delegates each
     // worker to the agent backend, and commits — we add only the report write + a
     // single assembled payload. No orchestration is duplicated here.
-    const result = runDrive(runner, { ...args, appId });
+    // `--resume` with no run id advances a single step so a newcomer WITNESSES the
+    // stop-then-resume; with a run id it continues to completion. Non-resume paths
+    // are untouched (byte-identical default).
+    const result = runDrive(runner, { ...args, appId, ...(resume && !resumeRunId ? { once: true } : {}) });
     // Always (re)write the report so the one command yields a report.md on disk, even
     // when the drive blocked/parked (a partial report is still useful triage).
     const cwd0 = process.cwd();
@@ -492,7 +559,9 @@ function quickstart(runner, args) {
         hint = `the drive is blocked — inspect: cw run drive ${result.runId}`;
     }
     else if (result.status === "in-progress") {
-        hint = `one step advanced (--once) — continue: cw quickstart ${appId} --run ${result.runId} --once`;
+        hint = resume
+            ? `one step advanced — continue: cw quickstart ${appId} --run ${result.runId} --resume`
+            : `one step advanced (--once) — continue: cw quickstart ${appId} --run ${result.runId} --once`;
     }
     return {
         schemaVersion: 1,
@@ -508,7 +577,11 @@ function quickstart(runner, args) {
         statePath: result.statePath,
         agentConfigured,
         steps: result.steps,
-        hint
+        hint,
+        // Stamp resumedFrom ONLY when we continued an explicit run. Conditional spread
+        // keeps the key absent on the default/fresh path (own-property absent + omitted
+        // by JSON.stringify), so default output is byte-identical.
+        ...(resumeRunId ? { resumedFrom: resumeRunId } : {})
     };
 }
 /** Read-only, deterministic projection of the effective agent config (secret-stripped). */
@@ -642,15 +715,57 @@ function telemetryVerify(runner, args) {
         throw new Error("telemetry verify requires a run id (cw telemetry verify <run-id>)");
     const run = runner.loadRun(runId);
     const v = (0, telemetry_ledger_1.verifyTelemetryLedger)(run);
+    // Opt-in independent signature re-verification. verifyTelemetryLedger re-proves
+    // the chain (so the stored attestation verdicts were not edited); supplying the
+    // trust public key (--pubkey / CW_AGENT_ATTEST_PUBKEY) additionally RE-RUNS the
+    // ed25519 check over each `attested` record's stored raw usage rather than
+    // trusting that verdict, so a forged signature can no longer ride a green chain.
+    const trustPublicKeyInput = optionalString(args.pubkey || args.pubKey || args.publicKey) || process.env.CW_AGENT_ATTEST_PUBKEY;
+    const trustPublicKey = (0, telemetry_attestation_1.resolveTrustPublicKey)(trustPublicKeyInput);
+    const keyChecks = trustPublicKeyInput && !trustPublicKey
+        ? [{ name: "signature-key", pass: false, code: "telemetry-pubkey-unreadable" }]
+        : [];
+    const sig = (0, telemetry_attestation_1.verifyTelemetrySignatures)(v.records, trustPublicKey);
+    const failedChecks = [...v.checks.filter((c) => !c.pass), ...keyChecks, ...sig.checks.filter((c) => !c.pass)];
     return {
         schemaVersion: 1,
         runId: run.id,
         present: v.present,
-        verified: v.verified,
+        // Chain integrity AND (when a key was supplied) every attested signature must
+        // re-verify. With no key, sig.failed is 0 → unchanged chain-only behavior.
+        verified: v.verified && keyChecks.length === 0 && sig.failed === 0,
         records: v.records.length,
         attested: v.attested,
         unattested: v.unattested,
         absent: v.absent,
+        signatureKeyProvided: sig.keyProvided,
+        signaturesChecked: sig.checked,
+        signaturesReverified: sig.reverified,
+        signaturesFailed: sig.failed,
+        failedChecks: failedChecks.map((c) => ({ name: c.name, code: c.code }))
+    };
+}
+// audit.verify — fail-closed re-prove of a run's trust-audit hash chain. The peer
+// of telemetry.verify for the sandbox/policy/commit-gate decision log: recomputes
+// every event hash from genesis, checks chain linkage, and catches the
+// unchained-event forgery. Exposed as a verb (not just embedded in `audit summary`,
+// which always exits 0) so `cw audit verify <run> && deploy` can gate on the exit
+// code. POLA: a run with no audit log is present:false / verified:true / exit 0.
+function auditVerify(runner, args) {
+    const runId = optionalString(args.runId || args.run);
+    if (!runId)
+        throw new Error("audit verify requires a run id (cw audit verify <run-id>)");
+    const run = runner.loadRun(runId);
+    const v = (0, trust_audit_1.verifyTrustAudit)(run);
+    return {
+        schemaVersion: 1,
+        runId: run.id,
+        present: v.present,
+        verified: v.verified,
+        eventCount: v.eventCount,
+        chained: v.chained,
+        unchained: v.unchained,
+        corruptLines: v.corruptLines,
         failedChecks: v.checks.filter((c) => !c.pass).map((c) => ({ name: c.name, code: c.code }))
     };
 }