cool-workflow 0.1.79 → 0.1.81

package/dist/state-node.js

@@ -17,6 +17,8 @@ exports.artifactExists = artifactExists;
 const node_fs_1 = __importDefault(require("node:fs"));
 const node_path_1 = __importDefault(require("node:path"));
 const state_1 = require("./state");
+const execution_backend_1 = require("./execution-backend");
+const telemetry_attestation_1 = require("./telemetry-attestation");
 exports.STATE_NODE_SCHEMA_VERSION = 1;
 exports.PIPELINE_CONTRACT_SCHEMA_VERSION = 1;
 class PipelineContractError extends Error {
@@ -35,7 +37,7 @@ function createStateNode(input) {
     const now = new Date().toISOString();
     return {
         schemaVersion: exports.STATE_NODE_SCHEMA_VERSION,
-        id: input.id || createNodeId(input.kind),
+        id: input.id || createNodeId(input),
         kind: input.kind,
         status: input.status || "pending",
         loopStage: input.loopStage,
@@ -281,9 +283,22 @@ function contractError(code, message, options = {}) {
         ...options
     });
 }
-function createNodeId(kind) {
-    const stamp = new Date().toISOString().replace(/[-:]/g, "").replace(/\..+/, "Z");
-    return `${kind}-${stamp}-${Math.random().toString(36).slice(2, 8)}`;
+// Deterministic id (FreeBSD-audit L12/L13): no wall-clock stamp, no PRNG suffix.
+// Almost every node is created WITH an explicit, already-deterministic id
+// (e.g. `${run.id}:result:${task.id}`); this fallback only fires for ad-hoc nodes
+// minted without an id. We bind the id to a short sha256 of the node's stable
+// content (kind + loopStage + canonical inputs/outputs/contract), so the same
+// logical node yields a byte-identical id across runs and replay reaches the same
+// fingerprint. Two nodes with identical content collapse to the same id by design.
+function createNodeId(input) {
+    const digest = (0, execution_backend_1.sha256)((0, telemetry_attestation_1.stableStringify)({
+        kind: input.kind,
+        loopStage: input.loopStage,
+        contractId: input.contractId ?? null,
+        inputs: input.inputs ?? null,
+        outputs: input.outputs ?? null
+    }));
+    return `${input.kind}-${digest.replace("sha256:", "").slice(0, 16)}`;
 }
 function mergeById(existing, next) {
     const values = [...existing];

package/dist/telemetry-attestation.js

@@ -33,6 +33,7 @@ exports.normalizeReportedUsage = normalizeReportedUsage;
 exports.verifyTelemetryAttestation = verifyTelemetryAttestation;
 exports.resolveTrustPublicKey = resolveTrustPublicKey;
 exports.signTelemetry = signTelemetry;
+exports.verifyTelemetrySignatures = verifyTelemetrySignatures;
 const node_crypto_1 = __importDefault(require("node:crypto"));
 /** Deterministic, key-sorted JSON so signer and verifier hash byte-identical
  *  input regardless of object key order. */
@@ -154,3 +155,57 @@ function signTelemetry(usage, privateKeyPem, ctx) {
     const key = node_crypto_1.default.createPrivateKey(privateKeyPem);
     return node_crypto_1.default.sign(null, payload, key).toString("base64");
 }
+function stableDigest(value) {
+    return `sha256:${node_crypto_1.default.createHash("sha256").update(stableStringify(value), "utf8").digest("hex")}`;
+}
+function verifyTelemetrySignatures(records, trustPublicKeyPem) {
+    const checks = [];
+    let checked = 0;
+    let reverified = 0;
+    let failed = 0;
+    for (let i = 0; i < records.length; i++) {
+        const record = records[i];
+        if (record.attestation !== "attested")
+            continue;
+        checked += 1;
+        if (!trustPublicKeyPem) {
+            checks.push({ name: `signature[${i}]`, pass: true, code: "signature-unchecked-no-key" });
+            continue;
+        }
+        if (!record.reportedUsage) {
+            // A claimed-`attested` record with no re-verifiable raw usage cannot be
+            // independently checked — fail closed rather than trust the stored verdict.
+            failed += 1;
+            checks.push({ name: `signature[${i}]`, pass: false, code: "telemetry-usage-unavailable" });
+            continue;
+        }
+        if (record.reportedUsageDigest !== stableDigest(record.reportedUsage)) {
+            // The raw usage is stored so a public-key verifier can re-run ed25519.
+            // The hash-chained record binds its digest; verify the two still match
+            // before trusting the raw payload for signature re-verification.
+            failed += 1;
+            checks.push({ name: `signature[${i}]`, pass: false, code: "telemetry-usage-digest-mismatch" });
+            continue;
+        }
+        const result = verifyTelemetryAttestation(record.reportedUsage, record.usageSignature, trustPublicKeyPem, {
+            runId: record.runId,
+            taskId: record.taskId,
+            promptDigest: record.promptDigest
+        });
+        if (result.status === "attested") {
+            reverified += 1;
+            checks.push({ name: `signature[${i}]`, pass: true });
+        }
+        else {
+            failed += 1;
+            checks.push({
+                name: `signature[${i}]`,
+                pass: false,
+                code: result.reason && result.reason.startsWith("trust key unreadable")
+                    ? "telemetry-pubkey-unreadable"
+                    : "telemetry-signature-mismatch"
+            });
+        }
+    }
+    return { keyProvided: Boolean(trustPublicKeyPem), checked, reverified, failed, checks };
+}

package/dist/telemetry-demo.js

@@ -31,12 +31,24 @@ const telemetry_attestation_1 = require("./telemetry-attestation");
 const execution_backend_1 = require("./execution-backend");
 /** Human-facing render of `telemetry verify <run>`. */
 function formatTelemetryVerify(r) {
-    if (!r.present)
+    const keyUnreadable = r.failedChecks.some((c) => c.code === "telemetry-pubkey-unreadable");
+    if (!r.present && !keyUnreadable)
         return `telemetry: run ${r.runId} has no attestation ledger (nothing to verify)`;
-    const head = r.verified ? `✓ VERIFIED — ${r.records} record(s), chain intact, every hash recomputed independently` : `✗ TAMPERING DETECTED — ${r.failedChecks.length} check(s) failed`;
+    const head = r.verified
+        ? `✓ VERIFIED — ${r.records} record(s), chain intact, every hash recomputed independently`
+        : keyUnreadable
+            ? `✗ VERIFICATION REFUSED — supplied public key was unreadable`
+            : `✗ TAMPERING DETECTED — ${r.failedChecks.length} check(s) failed`;
     const tally = `   attested ${r.attested} · unattested ${r.unattested} · absent ${r.absent}`;
+    const sig = keyUnreadable
+        ? `\n   signatures: public key unreadable; ed25519 re-check refused`
+        : r.signatureKeyProvided
+            ? `\n   signatures: ${r.signaturesReverified}/${r.signaturesChecked} re-verified against the supplied public key${r.signaturesFailed ? ` · ${r.signaturesFailed} FAILED` : ""}`
+            : r.signaturesChecked
+                ? `\n   signatures: ${r.signaturesChecked} attested record(s) — chain-proven only; pass --pubkey to re-verify ed25519 offline`
+                : "";
     const fails = r.failedChecks.length ? "\n" + r.failedChecks.map((c) => `   ✗ ${c.name}  ${c.code || ""}`).join("\n") : "";
-    return `telemetry verify ${r.runId}\n${head}\n${tally}${fails}`;
+    return `telemetry verify ${r.runId}\n${head}\n${tally}${sig}${fails}`;
 }
 /** Human-facing render of `demo tamper` — the visible tamper-evidence proof. */
 function formatTamperDemo(r) {

package/dist/telemetry-ledger.js

@@ -17,7 +17,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.TELEMETRY_LEDGER_SCHEMA_VERSION = void 0;
+exports.TelemetryLedgerCorruptError = exports.TELEMETRY_LEDGER_SCHEMA_VERSION = void 0;
 exports.telemetryLedgerPath = telemetryLedgerPath;
 exports.loadTelemetryLedger = loadTelemetryLedger;
 exports.genesisPrevHash = genesisPrevHash;
@@ -34,19 +34,47 @@ exports.TELEMETRY_LEDGER_SCHEMA_VERSION = 1;
 function telemetryLedgerPath(run) {
     return node_path_1.default.join(run.paths.runDir, "telemetry.json");
 }
-/** Load the ledger; fail closed to an empty chain on a malformed overlay (a
- *  corrupt file must never brick the run — and an empty chain verifies as such). */
-function loadTelemetryLedger(run) {
+/** A telemetry ledger that EXISTS on disk but cannot be parsed (or whose shape is
+ *  not a record array). This is exactly the corruption/truncation case the hash
+ *  chain exists to catch — it must fail closed, never be silently treated as the
+ *  "empty/absent" chain (which verifies as clean). */
+class TelemetryLedgerCorruptError extends Error {
+    file;
+    constructor(file) {
+        super(`Telemetry ledger exists but is corrupt (unparseable): ${file}`);
+        this.name = "TelemetryLedgerCorruptError";
+        this.file = file;
+    }
+}
+exports.TelemetryLedgerCorruptError = TelemetryLedgerCorruptError;
+/** Read the ledger, DISTINGUISHING absent (never written -> empty chain, fine)
+ *  from corrupt (exists but unparseable/wrong shape -> fail closed). Conflating
+ *  the two was the bug that let a corrupt overlay verify green and let an append
+ *  silently re-genesis on top of it, discarding history. */
+function readTelemetryLedgerState(run) {
     const file = telemetryLedgerPath(run);
     if (!node_fs_1.default.existsSync(file))
-        return { schemaVersion: 1, runId: run.id, records: [] };
+        return { status: "absent", ledger: { schemaVersion: 1, runId: run.id, records: [] } };
+    let parsed;
     try {
-        const parsed = JSON.parse(node_fs_1.default.readFileSync(file, "utf8"));
-        return { schemaVersion: 1, runId: run.id, records: Array.isArray(parsed.records) ? parsed.records : [] };
+        parsed = JSON.parse(node_fs_1.default.readFileSync(file, "utf8"));
     }
     catch {
-        return { schemaVersion: 1, runId: run.id, records: [] };
+        return { status: "corrupt", file };
+    }
+    if (!parsed || typeof parsed !== "object" || !Array.isArray(parsed.records)) {
+        return { status: "corrupt", file };
     }
+    return { status: "ok", ledger: { schemaVersion: 1, runId: run.id, records: parsed.records } };
+}
+/** Load the ledger for read/append. Absent -> empty chain. Corrupt -> THROWS, so
+ *  an append can never silently re-genesis on a poisoned/edited file, and a read
+ *  surfaces the corruption rather than swallowing it. */
+function loadTelemetryLedger(run) {
+    const state = readTelemetryLedgerState(run);
+    if (state.status === "corrupt")
+        throw new TelemetryLedgerCorruptError(state.file);
+    return state.ledger;
 }
 /** genesis prevHash for a run's chain (no prior record). */
 function genesisPrevHash(runId) {
@@ -64,6 +92,7 @@ function recordHashInput(record) {
         taskId: record.taskId,
         promptDigest: record.promptDigest,
         reportedUsageDigest: record.reportedUsageDigest,
+        ...(record.reportedUsage !== undefined ? { reportedUsage: record.reportedUsage } : {}),
         usageSignature: record.usageSignature || null,
         attestation: record.attestation,
         attestationReason: record.attestationReason || null,
@@ -78,11 +107,10 @@ function computeRecordHash(record) {
 function reportedUsageDigest(usage) {
     return (0, execution_backend_1.sha256)((0, telemetry_attestation_1.stableStringify)(usage ?? null));
 }
-let recordCounter = 0;
-function recordId(now) {
-    recordCounter += 1;
-    const stamp = now.replace(/[-:.TZ]/g, "").slice(0, 14);
-    return `tel-${stamp}-${String(recordCounter).padStart(3, "0")}`;
+function recordId(seq) {
+    // Deterministic (FreeBSD-audit L13): the chain POSITION, not a process-global
+    // counter or wall-clock stamp — recordId is bound into the recordHash chain.
+    return `tel-${String(seq).padStart(3, "0")}`;
 }
 /** Append one attestation record DURABLY to the append-only chain, linking it to
  *  the prior record (or genesis). Returns the committed record. */
@@ -93,12 +121,15 @@ function appendTelemetryAttestation(run, input) {
     const base = {
         schemaVersion: 1,
         runId: run.id,
-        recordId: recordId(now),
+        recordId: recordId(ledger.records.length + 1),
         recordedAt: now,
         workerId: input.workerId,
         taskId: input.taskId,
         promptDigest: input.promptDigest,
         reportedUsageDigest: reportedUsageDigest(input.reportedUsage),
+        // Store the raw usage verbatim, digest-bound, and hash-chained so the
+        // signature can be independently re-verified offline at `telemetry verify`.
+        ...(input.reportedUsage ? { reportedUsage: input.reportedUsage } : {}),
         usageSignature: input.usageSignature,
         attestation: input.attestation,
         attestationReason: input.attestationReason,
@@ -114,7 +145,21 @@ function appendTelemetryAttestation(run, input) {
  *  value — so an edited record/verdict is detected. An empty ledger verifies as
  *  present:false (nothing to prove), NOT a failure. */
 function verifyTelemetryLedger(run) {
-    const records = loadTelemetryLedger(run).records;
+    const state = readTelemetryLedgerState(run);
+    if (state.status === "corrupt") {
+        // Fail closed: a ledger that exists but cannot be parsed is indistinguishable
+        // from a truncated/forged one — report it, never green it.
+        return {
+            present: true,
+            verified: false,
+            records: [],
+            checks: [{ name: "ledger-load", pass: false, code: "telemetry-ledger-corrupt" }],
+            attested: 0,
+            unattested: 0,
+            absent: 0
+        };
+    }
+    const records = state.ledger.records;
     const checks = [];
     const tally = { attested: 0, unattested: 0, absent: 0 };
     for (const record of records)

package/dist/topology.js

@@ -30,7 +30,7 @@ exports.OFFICIAL_TOPOLOGIES = [
         title: "Map-Reduce",
         summary: "Fan out mapper roles, index mapper evidence on the blackboard, then reduce only after required evidence is present.",
         roles: [
-            roleSpec("mapper", "Mapper", ["Produce an independent shard result and cite evidence."], ["mapper output artifact"], ["indexed mapper artifact"]),
+            roleSpec("mapper", "Mapper", ["Produce an independent shard result and cite evidence."], ["mapper output artifact"], ["indexed mapper artifact"], 2),
             roleSpec("reducer", "Reducer", ["Synthesize mapper outputs only after fanin is verifier-ready."], ["reducer synthesis"], ["all mapper evidence"])
         ],
         groups: [{ id: "map-reduce", title: "Map-Reduce Group", roleIds: ["mapper", "reducer"] }],
@@ -83,7 +83,7 @@ exports.OFFICIAL_TOPOLOGIES = [
         title: "Judge Panel",
         summary: "Collect independent judge outputs, aggregate scores, and select a panel decision with linked evidence.",
         roles: [
-            roleSpec("judge", "Judge", ["Score candidates independently and cite evidence."], ["judge score artifact"], ["judge verdict"]),
+            roleSpec("judge", "Judge", ["Score candidates independently and cite evidence."], ["judge score artifact"], ["judge verdict"], 3),
             roleSpec("panel-chair", "Panel Chair", ["Aggregate scores and write a panel decision."], ["panel decision"], ["judge evidence"])
         ],
         groups: [{ id: "judge-panel", title: "Judge Panel Group", roleIds: ["judge", "panel-chair"] }],
@@ -211,7 +211,7 @@ function applyTopology(run, topologyId, input = {}) {
         metadata: { topologyId: definition.id, topologyRunId: id }
     });
     const roleIds = [];
-    for (const role of materializedRoles(definition, input)) {
+    for (const role of materializedRoles(definition, withLegacyRoleCounts(input))) {
         const record = (0, multi_agent_1.createAgentRole)(run, {
             id: `${id}-${role.id}`,
             multiAgentRunId: multiAgentRun.id,
@@ -387,7 +387,7 @@ function summarizeTopologies(run) {
         runId: run.id,
         totalRuns: state.runs.length,
         runsByStatus: countBy(active, (record) => record.status),
-        officialTopologies: exports.OFFICIAL_TOPOLOGIES.map((definition) => definition.id),
+        officialTopologies: listTopologyDefinitions().map((definition) => definition.id),
         active,
         nextAction: active.find((record) => record.nextActions.length)?.nextActions[0] || `node scripts/cw.js topology apply ${run.id} map-reduce --task <task-id>`
     };
@@ -422,11 +422,28 @@ function showTopologyRun(run, topologyRunId) {
         throw new Error(`Unknown topology run id: ${topologyRunId}`);
     return record;
 }
+/** Boundary adapter: fold the legacy id-keyed mapperCount/judgeCount flags into
+ *  the uniform roleCounts map so materializedRoles can stay purely data-driven.
+ *  An explicit roleCounts entry always wins; the judge floor (>= 2) preserves the
+ *  prior clamp so a panel never collapses to a single judge. */
+function withLegacyRoleCounts(input) {
+    const legacy = {
+        mapper: input.mapperCount === undefined ? undefined : Math.max(1, input.mapperCount),
+        judge: input.judgeCount === undefined ? undefined : Math.max(2, input.judgeCount)
+    };
+    const roleCounts = { ...input.roleCounts };
+    for (const [roleId, value] of Object.entries(legacy)) {
+        if (value !== undefined && roleCounts[roleId] === undefined)
+            roleCounts[roleId] = value;
+    }
+    return Object.keys(roleCounts).length ? { ...input, roleCounts } : input;
+}
 function materializedRoles(definition, input) {
-    const count = definition.id === "map-reduce" ? Math.max(1, input.mapperCount || 2) : definition.id === "judge-panel" ? Math.max(2, input.judgeCount || 3) : 1;
     const roles = [];
     for (const role of definition.roles) {
-        const roleCount = role.count ?? (role.id === "mapper" || role.id === "judge" ? count : 1);
+        // Width is data-driven: a uniform per-role override, else the role's
+        // declared count, else a single instance. No topology-id/role-id branching.
+        const roleCount = Math.max(1, input.roleCounts?.[role.id] ?? role.count ?? 1);
         if (roleCount > 1) {
             for (let index = 1; index <= roleCount; index += 1)
                 roles.push(expandRole(role, `${role.id}-${index}`, `${role.title} ${index}`));
@@ -458,8 +475,8 @@ function appendTopologyNode(run, record, status) {
         metadata: { topologyId: record.topologyId, topologyRunId: record.id }
     }));
 }
-function roleSpec(id, title, responsibilities, expectedArtifacts, faninObligations) {
-    return { id, title, responsibilities, requiredEvidence: expectedArtifacts, expectedArtifacts, faninObligations };
+function roleSpec(id, title, responsibilities, expectedArtifacts, faninObligations, count) {
+    return { id, title, responsibilities, requiredEvidence: expectedArtifacts, expectedArtifacts, faninObligations, ...(count !== undefined ? { count } : {}) };
 }
 function topicSpec(id, title, description) {
     return { id, title, description };

package/dist/triggers.js

@@ -18,8 +18,14 @@ class RoutineTriggerBridge {
     }
     create(options) {
         const now = new Date().toISOString();
+        const store = this.load();
+        // Monotonic id, NOT triggers.length: delete shrinks the collection, so a
+        // length-based seq would reuse a live id after delete+create (corrupting the
+        // append-only event/audit log). nextTriggerSeq only ever increments.
+        const seq = (store.nextTriggerSeq || 0) + 1;
+        store.nextTriggerSeq = seq;
         const trigger = {
-            id: createTriggerId(normalizeKind(options.kind)),
+            id: createTriggerId(normalizeKind(options.kind), seq),
             kind: normalizeKind(options.kind),
             createdAt: now,
             updatedAt: now,
@@ -30,7 +36,6 @@ class RoutineTriggerBridge {
             match: parseJsonObject(options.match),
             metadata: parseJsonObject(options.metadata)
         };
-        const store = this.load();
         store.triggers.push(trigger);
         this.save(store);
         return trigger;
@@ -50,9 +55,10 @@ class RoutineTriggerBridge {
         const normalizedKind = normalizeKind(kind);
         const store = this.load();
         const now = new Date().toISOString();
+        const base = store.events.length;
         const events = store.triggers
             .filter((trigger) => trigger.kind === normalizedKind)
-            .map((trigger) => this.createEvent(trigger, payload, now));
+            .map((trigger, index) => this.createEvent(trigger, payload, now, base + index + 1));
         store.events.push(...events);
         this.save(store);
         return events;
@@ -61,9 +67,9 @@ class RoutineTriggerBridge {
         const store = this.load();
         return triggerId ? store.events.filter((event) => event.triggerId === triggerId) : store.events;
     }
-    createEvent(trigger, payload, receivedAt) {
+    createEvent(trigger, payload, receivedAt, seq) {
         const matched = matches(trigger.match, payload);
-        const eventId = createEventId(trigger.kind);
+        const eventId = createEventId(trigger.kind, seq);
         const payloadPath = node_path_1.default.join(this.payloadsDir, `${(0, state_1.safeFileName)(eventId)}.json`);
         (0, state_1.writeJson)(payloadPath, {
             schemaVersion: 1,
@@ -84,12 +90,21 @@ class RoutineTriggerBridge {
     }
     load() {
         if (!node_fs_1.default.existsSync(this.storePath))
-            return { schemaVersion: 1, triggers: [], events: [] };
+            return { schemaVersion: 1, triggers: [], events: [], nextTriggerSeq: 0 };
         const value = (0, state_1.readJson)(this.storePath);
+        const triggers = Array.isArray(value.triggers) ? value.triggers : [];
+        // Recover the monotonic sequence: max(persisted, highest existing id seq). The
+        // second term protects legacy stores (no nextTriggerSeq) and any store written
+        // before this field existed — a post-delete create can never reuse a live id.
+        const maxExisting = triggers.reduce((max, trigger) => {
+            const n = Number((String(trigger.id).match(/(\d+)$/) || [])[1] || 0);
+            return Number.isFinite(n) && n > max ? n : max;
+        }, 0);
         return {
             schemaVersion: 1,
-            triggers: Array.isArray(value.triggers) ? value.triggers : [],
-            events: Array.isArray(value.events) ? value.events : []
+            triggers,
+            events: Array.isArray(value.events) ? value.events : [],
+            nextTriggerSeq: Math.max(typeof value.nextTriggerSeq === "number" ? value.nextTriggerSeq : 0, maxExisting)
         };
     }
     save(store) {
@@ -149,11 +164,15 @@ function stringOption(value) {
         return undefined;
     return String(value);
 }
-function createTriggerId(kind) {
-    const stamp = new Date().toISOString().replace(/[-:]/g, "").replace(/\..+/, "Z");
-    return `${kind}-${stamp}-${Math.random().toString(36).slice(2, 8)}`;
+// Deterministic trigger id (FreeBSD-audit L12/L13): the trigger's POSITION in the
+// append-only trigger store, qualified by kind. No wall-clock stamp, no PRNG suffix
+// — registering the same triggers in the same order mints byte-identical ids.
+function createTriggerId(kind, seq) {
+    return `${kind}-${String(seq).padStart(4, "0")}`;
 }
-function createEventId(kind) {
-    const stamp = new Date().toISOString().replace(/[-:]/g, "").replace(/\..+/, "Z");
-    return `event-${kind}-${stamp}-${Math.random().toString(36).slice(2, 8)}`;
+// Deterministic event id (FreeBSD-audit L12/L13): the event's POSITION in the
+// append-only event log (firing many triggers at once still yields a distinct,
+// stable id per trigger). No clock, no PRNG.
+function createEventId(kind, seq) {
+    return `event-${kind}-${String(seq).padStart(4, "0")}`;
 }