cool-workflow 0.1.79 → 0.1.81

package/dist/trust-audit.js

@@ -4,6 +4,8 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.TRUST_AUDIT_SCHEMA_VERSION = void 0;
+exports.trustAuditGenesis = trustAuditGenesis;
+exports.verifyTrustAudit = verifyTrustAudit;
 exports.ensureTrustAudit = ensureTrustAudit;
 exports.recordTrustAuditEvent = recordTrustAuditEvent;
 exports.recordSandboxPathDecision = recordSandboxPathDecision;
@@ -22,17 +24,139 @@ const node_fs_1 = __importDefault(require("node:fs"));
 const node_path_1 = __importDefault(require("node:path"));
 const state_1 = require("./state");
 const evidence_grounding_1 = require("./evidence-grounding");
+const execution_backend_1 = require("./execution-backend");
+const telemetry_attestation_1 = require("./telemetry-attestation");
 exports.TRUST_AUDIT_SCHEMA_VERSION = 1;
+// ---- Tamper-evidence chain (v0.1.81) --------------------------------------
+// Same discipline as telemetry-ledger.ts / reclamation.ts: the event log is
+// hash-chained in APPEND order, and verifyTrustAudit recomputes every hash
+// independently (never trusts a stored value), so an edited or removed event is
+// detected. Durability (fsync) only guards against power loss; this guards
+// against post-hoc edits — the threat an external auditor actually cares about.
+//
+// THREAT MODEL (be honest about the limit): the genesis is sha256(runId), so this
+// detects casual/partial tampering, accidental corruption, truncation, removal,
+// and forged-unchained lines — but NOT a determined local writer who re-chains the
+// WHOLE log with this module's own sha256 after an edit. That is the same limit
+// reclamation.ts's tombstone chain has, and it is INHERENT to a local, self-
+// recomputable chain: closing it needs an anchor the writer cannot reproduce.
+// CW cannot self-sign that anchor — by design CW holds NO private key (see
+// telemetry-attestation.ts: "CW never holds the private key"; the AGENT signs its
+// usage, CW only VERIFIES with the operator-provisioned public half). The single
+// cryptographic anchor that exists is therefore the agent's telemetry signature,
+// which binds agent-reported USAGE (worker-isolation cross-links the chain into it)
+// — it does NOT cover CW-only sandbox/policy/commit-gate decisions, which have no
+// external signer. For those, the only stronger guarantee is operational: commit
+// events.jsonl to an external append-only medium (git history / a remote log) the
+// local writer cannot rewrite. The chain is a strict upgrade over a bare append-
+// only log, not a substitute for an external anchor — and that anchor is not
+// something CW can mint for itself.
+/** Single source of truth for a run's audit-paths object: the schemaVersion plus
+ *  the three derived file paths under auditRoot(run). ensureTrustAudit /
+ *  refreshTrustAudit spread this, and createEventId reads .eventLogPath from it, so
+ *  the path-derivation rule lives in exactly one place. */
+function trustAuditPaths(run) {
+    const dir = auditRoot(run);
+    return {
+        schemaVersion: exports.TRUST_AUDIT_SCHEMA_VERSION,
+        eventLogPath: node_path_1.default.join(dir, "events.jsonl"),
+        summaryPath: node_path_1.default.join(dir, "summary.json"),
+        indexPath: node_path_1.default.join(dir, "index.json")
+    };
+}
+/** Genesis prevHash for a run's chain (no prior event). */
+function trustAuditGenesis(runId) {
+    return (0, execution_backend_1.sha256)(`cw-trust-audit:${runId}`);
+}
+/** Canonical bytes the eventHash binds: every field EXCEPT eventHash itself
+ *  (prevEventHash included, so the chain link is bound).
+ *
+ *  The hash binds the PERSISTED form. `stableStringify` keeps an undefined-valued
+ *  key as `"k":null`, but the `JSON.stringify` that writes events.jsonl DROPS such
+ *  keys — so without this round-trip the record-time hash (over the in-memory event,
+ *  which can carry nested undefined like an absent dispatchId in worker-sandbox
+ *  metadata) would never match the verify-time hash (over the parsed-from-disk
+ *  event), false-failing legitimate worker events as `trust-audit-digest-mismatch`.
+ *  Round-tripping makes record-time == verify-time. It is identity for events with
+ *  no undefined fields, so existing intact chains hash unchanged. */
+function computeEventHash(event) {
+    const { eventHash, ...rest } = event;
+    return (0, execution_backend_1.sha256)((0, telemetry_attestation_1.stableStringify)(JSON.parse(JSON.stringify(rest))));
+}
+/** The hash to chain the NEXT event to: the stored eventHash, or a recompute for
+ *  a legacy event written before the chain existed. */
+function chainHashOf(event) {
+    return event.eventHash || computeEventHash(event);
+}
+/** Read events in FILE (append) order, tolerating corrupt lines — one bad line
+ *  must not brick the whole audit read surface (it is counted, not thrown). The
+ *  chain links append order, so this is the order verification walks. */
+function readEventsRaw(eventLogPath) {
+    if (!node_fs_1.default.existsSync(eventLogPath))
+        return { events: [], corruptLines: 0 };
+    let corruptLines = 0;
+    const events = [];
+    for (const line of node_fs_1.default.readFileSync(eventLogPath, "utf8").split(/\n/g)) {
+        const trimmed = line.trim();
+        if (!trimmed)
+            continue;
+        try {
+            events.push(JSON.parse(trimmed));
+        }
+        catch {
+            corruptLines += 1;
+        }
+    }
+    return { events, corruptLines };
+}
+/** Re-prove the run's trust-audit chain: prevEventHash linkage (append order) +
+ *  per-event hash recompute. A corrupt line, an edited event, or a removed event
+ *  flips verified=false. Legacy events without a hash are reported as `unchained`
+ *  (skipped), NOT treated as a forgery — they predate the chain. */
+function verifyTrustAudit(run) {
+    const audit = ensureTrustAudit(run);
+    const { events, corruptLines } = readEventsRaw(audit.eventLogPath);
+    const checks = [];
+    let verified = corruptLines === 0;
+    if (corruptLines > 0)
+        checks.push({ name: "parse", pass: false, code: "trust-audit-corrupt-line" });
+    let chained = 0;
+    let unchained = 0;
+    let expectedPrev = trustAuditGenesis(run.id);
+    for (let i = 0; i < events.length; i++) {
+        const event = events[i];
+        const recomputed = computeEventHash(event);
+        if (event.eventHash === undefined) {
+            unchained += 1;
+            expectedPrev = recomputed; // advance the chain over legacy events
+            continue;
+        }
+        chained += 1;
+        if (event.eventHash !== recomputed) {
+            verified = false;
+            checks.push({ name: `event-hash[${i}]`, pass: false, code: "trust-audit-digest-mismatch" });
+        }
+        if (event.prevEventHash !== undefined && event.prevEventHash !== expectedPrev) {
+            verified = false;
+            checks.push({ name: `chain-link[${i}]`, pass: false, code: "trust-audit-chain-broken" });
+        }
+        expectedPrev = event.eventHash;
+    }
+    // A log with ANY chained event must have EVERY event chained: a single run is
+    // written by one code version, so it is all-chained (chain era) or all-legacy
+    // (pre-chain). An unchained (eventHash-less) line mixed into a chained log is a
+    // forgery attempt — drop the hash to be waved through as "legacy" — so it fails.
+    if (chained > 0 && unchained > 0) {
+        verified = false;
+        checks.push({ name: "unchained-events", pass: false, code: "trust-audit-unchained-event" });
+    }
+    return { present: events.length > 0, verified, eventCount: events.length, chained, unchained, corruptLines, checks };
+}
 function ensureTrustAudit(run) {
     const auditDir = auditRoot(run);
     node_fs_1.default.mkdirSync(auditDir, { recursive: true });
     run.paths.auditDir = auditDir;
-    const audit = {
-        schemaVersion: exports.TRUST_AUDIT_SCHEMA_VERSION,
-        eventLogPath: node_path_1.default.join(auditDir, "events.jsonl"),
-        summaryPath: node_path_1.default.join(auditDir, "summary.json"),
-        indexPath: node_path_1.default.join(auditDir, "index.json")
-    };
+    const audit = { ...trustAuditPaths(run) };
     run.audit = audit;
     if (!node_fs_1.default.existsSync(audit.eventLogPath))
         node_fs_1.default.writeFileSync(audit.eventLogPath, "", "utf8");
@@ -90,6 +214,12 @@ function recordTrustAuditEvent(run, input) {
         parentEventIds: unique(input.parentEventIds || []).sort(),
         metadata: scrubMetadata(input.metadata || {})
     });
+    // Tamper-evidence chain: link this event to the prior one (append order) and
+    // bind its content with eventHash BEFORE persisting. verifyTrustAudit recomputes
+    // both independently, so a later edit or removal is detectable.
+    const prior = readEventsRaw(audit.eventLogPath).events;
+    event.prevEventHash = prior.length ? chainHashOf(prior[prior.length - 1]) : trustAuditGenesis(run.id);
+    event.eventHash = computeEventHash(event);
     // DURABLE append (v0.1.40 self-audit P1): the audit log is the one artifact
     // whose loss breaks audit-completeness, so fsync it before returning — never a
     // bare appendFileSync, which can drop the last event on power loss.
@@ -127,15 +257,7 @@ function recordHostAttestation(run, input) {
 }
 function listTrustAuditEvents(run) {
     const audit = ensureTrustAudit(run);
-    if (!node_fs_1.default.existsSync(audit.eventLogPath))
-        return [];
-    return node_fs_1.default
-        .readFileSync(audit.eventLogPath, "utf8")
-        .split(/\n/g)
-        .map((line) => line.trim())
-        .filter(Boolean)
-        .map((line) => JSON.parse(line))
-        .sort(compareEvents);
+    return readEventsRaw(audit.eventLogPath).events.sort(compareEvents);
 }
 /** Search audit events by kind, worker, or candidate (v0.1.65).
  *  Filters are AND-ed; empty filters match all. */
@@ -159,6 +281,7 @@ function summarizeTrustAudit(run) {
         runId: run.id,
         generatedAt: new Date().toISOString(),
         eventCount: events.length,
+        integrity: verifyTrustAudit(run),
         eventLogPath: audit.eventLogPath,
         indexPath: audit.indexPath,
         summaryPath: audit.summaryPath,
@@ -255,12 +378,7 @@ function summarizeTrustAudit(run) {
     return summary;
 }
 function refreshTrustAudit(run) {
-    const audit = {
-        schemaVersion: exports.TRUST_AUDIT_SCHEMA_VERSION,
-        eventLogPath: node_path_1.default.join(auditRoot(run), "events.jsonl"),
-        summaryPath: node_path_1.default.join(auditRoot(run), "summary.json"),
-        indexPath: node_path_1.default.join(auditRoot(run), "index.json")
-    };
+    const audit = { ...trustAuditPaths(run) };
     node_fs_1.default.mkdirSync(node_path_1.default.dirname(audit.eventLogPath), { recursive: true });
     if (!node_fs_1.default.existsSync(audit.eventLogPath))
         node_fs_1.default.writeFileSync(audit.eventLogPath, "", "utf8");
@@ -365,15 +483,7 @@ function auditRoot(run) {
     return run.paths.auditDir || node_path_1.default.join(run.paths.runDir, "audit");
 }
 function readEvents(eventLogPath) {
-    if (!node_fs_1.default.existsSync(eventLogPath))
-        return [];
-    return node_fs_1.default
-        .readFileSync(eventLogPath, "utf8")
-        .split(/\n/g)
-        .map((line) => line.trim())
-        .filter(Boolean)
-        .map((line) => JSON.parse(line))
-        .sort(compareEvents);
+    return readEventsRaw(eventLogPath).events.sort(compareEvents);
 }
 function workerRows(events, run) {
     const workerIds = unique([...(run.workers || []).map((worker) => worker.id), ...events.map((event) => event.workerId || "")]).sort();
@@ -419,9 +529,11 @@ function commitRows(events, run) {
     });
 }
 function createEventId(run, kind) {
-    const stamp = new Date().toISOString().replace(/[-:]/g, "").replace(/\..+/, "Z");
-    const count = readEvents(node_path_1.default.join(auditRoot(run), "events.jsonl")).length + 1;
-    return `audit-${(0, state_1.safeFileName)(kind)}-${stamp}-${String(count).padStart(4, "0")}`;
+    // Deterministic (FreeBSD-audit L12/L13): chain-local sequence (event-log length),
+    // no wall-clock stamp — event.id is bound into the eventHash chain (computeEventHash),
+    // so a stable id keeps the chain reproducible on replay.
+    const count = readEvents(trustAuditPaths(run).eventLogPath).length + 1;
+    return `audit-${(0, state_1.safeFileName)(kind)}-${String(count).padStart(4, "0")}`;
 }
 function redactPolicy(policy) {
     if (!policy)

package/dist/version.js

@@ -1,7 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.MIN_SUPPORTED_RUN_STATE_SCHEMA_VERSION = exports.LEGACY_RUN_STATE_SCHEMA_VERSION = exports.CURRENT_RUN_STATE_SCHEMA_VERSION = exports.WORKFLOW_APP_SCHEMA_VERSION = exports.CURRENT_COOL_WORKFLOW_VERSION = void 0;
-exports.CURRENT_COOL_WORKFLOW_VERSION = "0.1.79";
+exports.CURRENT_COOL_WORKFLOW_VERSION = "0.1.81";
 exports.WORKFLOW_APP_SCHEMA_VERSION = 1;
 exports.CURRENT_RUN_STATE_SCHEMA_VERSION = 1;
 exports.LEGACY_RUN_STATE_SCHEMA_VERSION = 0;

package/dist/worker-isolation/helpers.js

@@ -0,0 +1,51 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.structuredError = structuredError;
+exports.isBoundaryViolation = isBoundaryViolation;
+exports.isStateNodeError = isStateNodeError;
+exports.mergeScopes = mergeScopes;
+exports.unique = unique;
+exports.compactMetadata = compactMetadata;
+exports.countBy = countBy;
+function structuredError(code, message, options = {}) {
+    return {
+        code,
+        message,
+        at: new Date().toISOString(),
+        path: options.path,
+        retryable: options.retryable,
+        details: options.details
+    };
+}
+function isBoundaryViolation(value) {
+    return Boolean(value && typeof value === "object" && "allowedPaths" in value && "message" in value);
+}
+function isStateNodeError(value) {
+    return Boolean(value && typeof value === "object" && "code" in value && "message" in value);
+}
+function mergeScopes(left, right) {
+    const merged = [...left];
+    for (const scope of right) {
+        const index = merged.findIndex((candidate) => candidate.id === scope.id);
+        if (index >= 0)
+            merged[index] = scope;
+        else
+            merged.push(scope);
+    }
+    return merged;
+}
+function unique(values) {
+    return Array.from(new Set(values.filter(Boolean)));
+}
+function compactMetadata(value) {
+    const entries = Object.entries(value).filter(([, entry]) => entry !== undefined);
+    return entries.length ? Object.fromEntries(entries) : undefined;
+}
+function countBy(items, key) {
+    const counts = {};
+    for (const item of items) {
+        const value = key(item);
+        counts[value] = (counts[value] || 0) + 1;
+    }
+    return counts;
+}

package/dist/worker-isolation/paths.js

@@ -0,0 +1,46 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.WORKER_MANIFEST_FILE = exports.WORKER_SCOPE_FILE = void 0;
+exports.manifestPath = manifestPath;
+exports.workerScopePath = workerScopePath;
+exports.workerArtifacts = workerArtifacts;
+exports.createWorkerId = createWorkerId;
+// Path, artifact, and id derivation for worker isolation. Pure functions of a
+// WorkerScope (or run + taskId) — no run-state mutation, no disk I/O. Carved out
+// of worker-isolation.ts following the established router pattern
+// (run-registry/{format,policy}.ts, orchestrator/*-operations.ts).
+//
+// BEHAVIOR-PRESERVING — pure code movement, zero logic change. Re-exported from
+// worker-isolation.ts so the public surface is byte-unchanged.
+const node_path_1 = __importDefault(require("node:path"));
+const state_1 = require("../state");
+exports.WORKER_SCOPE_FILE = "worker.json";
+exports.WORKER_MANIFEST_FILE = "manifest.json";
+function manifestPath(scope) {
+    return node_path_1.default.join(scope.workerDir, exports.WORKER_MANIFEST_FILE);
+}
+function workerScopePath(scope) {
+    return node_path_1.default.join(scope.workerDir, exports.WORKER_SCOPE_FILE);
+}
+function workerArtifacts(scope) {
+    return [
+        { id: "worker", kind: "json", path: workerScopePath(scope) },
+        { id: "worker-manifest", kind: "json", path: manifestPath(scope) },
+        { id: "worker-input", kind: "markdown", path: scope.inputPath }
+    ];
+}
+// Deterministic worker id (v0.1.40 self-audit P2): a wall-clock stamp + Math.random()
+// made every dispatch mint a different id, so audit references were not reproducible
+// across re-runs of the same inputs. The id is now derived from the task plus a
+// per-task sequence (count of worker scopes already allocated for that task + 1),
+// so re-running the same workflow yields byte-identical worker ids while retries of
+// the SAME task still get a fresh, unique id. (workerId is excluded from the
+// snapshot source fingerprint, so this does not change replay digests.)
+function createWorkerId(run, taskId) {
+    const prefix = `worker-${(0, state_1.safeFileName)(taskId)}-`;
+    const seq = (run.workers || []).filter((scope) => scope.id.startsWith(prefix)).length + 1;
+    return `${prefix}${String(seq).padStart(4, "0")}`;
+}