cool-workflow 0.1.79 → 0.1.81

package/dist/worker-isolation.js

@@ -4,7 +4,6 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.WORKER_ISOLATION_SCHEMA_VERSION = void 0;
-exports.createWorkerIsolation = createWorkerIsolation;
 exports.allocateWorkerScope = allocateWorkerScope;
 exports.writeWorkerManifest = writeWorkerManifest;
 exports.syncWorkerScopeFromTask = syncWorkerScopeFromTask;
@@ -33,21 +32,9 @@ const multi_agent_1 = require("./multi-agent");
 const telemetry_attestation_1 = require("./telemetry-attestation");
 const telemetry_ledger_1 = require("./telemetry-ledger");
 const coordinator_1 = require("./coordinator");
+const helpers_1 = require("./worker-isolation/helpers");
+const paths_1 = require("./worker-isolation/paths");
 exports.WORKER_ISOLATION_SCHEMA_VERSION = 1;
-const WORKER_SCOPE_FILE = "worker.json";
-const WORKER_MANIFEST_FILE = "manifest.json";
-function createWorkerIsolation(options = {}) {
-    return {
-        allocateWorkerScope: (run, task, allocateOptions) => allocateWorkerScope(run, task, { ...options, ...allocateOptions }),
-        writeWorkerManifest,
-        listWorkerScopes: (run, listOptions) => listWorkerScopes(run, listOptions),
-        getWorkerScope,
-        recordWorkerOutput,
-        recordWorkerFailure,
-        validateWorkerBoundary,
-        summarizeWorkers
-    };
-}
 function allocateWorkerScope(run, task, options = {}) {
     ensureWorkerState(run);
     const existing = task.workerId ? getWorkerScope(run, task.workerId) : undefined;
@@ -64,7 +51,7 @@ function allocateWorkerScope(run, task, options = {}) {
         return existing;
     }
     const now = new Date().toISOString();
-    const workerId = options.workerId || createWorkerId(run, task.id);
+    const workerId = options.workerId || (0, paths_1.createWorkerId)(run, task.id);
     const workerDir = node_path_1.default.join(workerRoot(run), (0, state_1.safeFileName)(workerId));
     const inputPath = node_path_1.default.join(workerDir, "input.md");
     const resultPath = node_path_1.default.join(workerDir, "result.md");
@@ -82,7 +69,10 @@ function allocateWorkerScope(run, task, options = {}) {
         extraReadPaths: options.policy?.readPaths || [],
         extraWritePaths: [...(options.policy?.writePaths || []), ...(options.policy?.allowedPaths || [])],
         allowArtifacts: options.policy?.allowArtifacts,
-        allowLogs: options.policy?.allowLogs
+        allowLogs: options.policy?.allowLogs,
+        // H7: persisted custom profile definitions so a custom logical id resolves
+        // against THIS worker's context (worker-specific path tokens bind correctly).
+        customProfiles: run.customSandboxProfiles
     });
     const allowedPaths = (0, sandbox_profile_1.effectiveSandboxWritePaths)(sandboxPolicy);
     (0, sandbox_profile_1.upsertRunSandboxPolicy)(run, sandboxPolicy);
@@ -123,7 +113,7 @@ function allocateWorkerScope(run, task, options = {}) {
         feedbackIds: [],
         errors: [],
         multiAgent: options.multiAgent,
-        metadata: compactMetadata({
+        metadata: (0, helpers_1.compactMetadata)({
             ...options.metadata,
             multiAgent: options.multiAgent,
             phase: task.phase,
@@ -165,7 +155,7 @@ function allocateWorkerScope(run, task, options = {}) {
         });
     }
     task.workerId = scope.id;
-    task.workerManifestPath = manifestPath(scope);
+    task.workerManifestPath = (0, paths_1.manifestPath)(scope);
     task.sandboxProfileId = sandboxPolicy.id;
     task.sandboxPolicy = sandboxPolicy;
     task.backendId = backendId;
@@ -180,8 +170,8 @@ function writeWorkerManifest(run, scope) {
     const task = run.tasks.find((candidate) => candidate.id === scope.taskId);
     const sandboxPolicy = scope.sandboxPolicy || sandboxPolicyForBoundary(run, scope);
     const sandboxProfileId = scope.sandboxProfileId || sandboxPolicy.id;
-    const scopePath = workerScopePath(scope);
-    const workerManifestPath = manifestPath(scope);
+    const scopePath = (0, paths_1.workerScopePath)(scope);
+    const workerManifestPath = (0, paths_1.manifestPath)(scope);
     const manifest = {
         schemaVersion: exports.WORKER_ISOLATION_SCHEMA_VERSION,
         id: scope.id,
@@ -257,7 +247,7 @@ function syncWorkerScopeFromTask(run, workerId) {
         ...scope,
         updatedAt: new Date().toISOString(),
         multiAgent: task.multiAgent,
-        metadata: compactMetadata({
+        metadata: (0, helpers_1.compactMetadata)({
             ...(scope.metadata || {}),
             multiAgent: task.multiAgent
         })
@@ -267,7 +257,7 @@ function syncWorkerScopeFromTask(run, workerId) {
 function listWorkerScopes(run, options = {}) {
     ensureWorkerState(run);
     const scopes = loadWorkerScopesFromDisk(run);
-    run.workers = mergeScopes(run.workers || [], scopes);
+    run.workers = (0, helpers_1.mergeScopes)(run.workers || [], scopes);
     const listed = run.workers || [];
     return options.status ? listed.filter((scope) => scope.status === options.status) : listed;
 }
@@ -276,7 +266,7 @@ function getWorkerScope(run, workerId) {
     const existing = (run.workers || []).find((scope) => scope.id === workerId);
     if (existing)
         return existing;
-    const file = node_path_1.default.join(workerRoot(run), (0, state_1.safeFileName)(workerId), WORKER_SCOPE_FILE);
+    const file = node_path_1.default.join(workerRoot(run), (0, state_1.safeFileName)(workerId), paths_1.WORKER_SCOPE_FILE);
     if (!node_fs_1.default.existsSync(file))
         return undefined;
     const scope = JSON.parse(node_fs_1.default.readFileSync(file, "utf8"));
@@ -302,7 +292,7 @@ function recordWorkerOutput(run, workerId, resultPath, options = {}) {
         throw new Error(violation.message);
     }
     if (!node_fs_1.default.existsSync(absoluteResultPath)) {
-        const error = structuredError("worker-result-missing", `Worker result file does not exist: ${absoluteResultPath}`, {
+        const error = (0, helpers_1.structuredError)("worker-result-missing", `Worker result file does not exist: ${absoluteResultPath}`, {
             path: absoluteResultPath,
             retryable: true
         });
@@ -321,7 +311,7 @@ function recordWorkerOutput(run, workerId, resultPath, options = {}) {
         const baseDirs = Array.from(new Set([run.cwd, process.cwd(), scope.workerDir, run.paths.runDir].filter(Boolean)));
         const unresolved = (0, evidence_grounding_1.unresolvedFileEvidence)(parsedResult.evidence, baseDirs);
         if (unresolved.length) {
-            const error = structuredError("worker-evidence-unresolvable", `Worker ${workerId} result cites file evidence that does not resolve on disk: ${unresolved.join(", ")}`, { path: absoluteResultPath, retryable: false });
+            const error = (0, helpers_1.structuredError)("worker-evidence-unresolvable", `Worker ${workerId} result cites file evidence that does not resolve on disk: ${unresolved.join(", ")}`, { path: absoluteResultPath, retryable: false });
             recordWorkerFailure(run, workerId, error, { ...options, persist: options.persist });
             throw new Error(error.message);
         }
@@ -345,7 +335,7 @@ function recordWorkerOutput(run, workerId, resultPath, options = {}) {
     // it instead of recording unverifiable usage. Default behavior is unchanged
     // (flag-and-surface). Non-agent hops carry no verdict and are never blocked.
     if (options.requireAttestedTelemetry && telemetry && telemetry.status !== "attested") {
-        const error = structuredError("telemetry-unattested-blocked", `Worker ${workerId} telemetry is ${telemetry.status} (${telemetry.reason || "unverified"}) and require-attested-telemetry is enabled — refusing to accept a hop whose usage cannot be cryptographically verified`, { path: absoluteResultPath, retryable: false });
+        const error = (0, helpers_1.structuredError)("telemetry-unattested-blocked", `Worker ${workerId} telemetry is ${telemetry.status} (${telemetry.reason || "unverified"}) and require-attested-telemetry is enabled — refusing to accept a hop whose usage cannot be cryptographically verified`, { path: absoluteResultPath, retryable: false });
         recordWorkerFailure(run, workerId, error, { ...options, persist: options.persist });
         throw new Error(error.message);
     }
@@ -581,7 +571,7 @@ function recordWorkerFailure(run, workerId, error, options = {}) {
         status: "pending",
         loopStage: "adjust",
         inputs: { workerId, taskId: task.id, dispatchId: scope.dispatchId },
-        artifacts: workerArtifacts(scope),
+        artifacts: (0, paths_1.workerArtifacts)(scope),
         parents: task.stateNodeId ? [task.stateNodeId] : [],
         contractId: pipeline_contract_1.DEFAULT_PIPELINE_CONTRACT_ID,
         metadata: { workerId, taskId: task.id, dispatchId: scope.dispatchId, workerDir: scope.workerDir, sandboxProfileId: scope.sandboxProfileId }
@@ -636,7 +626,7 @@ function recordWorkerFailure(run, workerId, error, options = {}) {
         updatedAt: new Date().toISOString(),
         status: structured.code === "worker-boundary-violation" || structured.code.startsWith("sandbox-") ? "rejected" : "failed",
         retryCount: typeof options.retryCount === "number" ? options.retryCount : scope.retryCount,
-        feedbackIds: unique([...(scope.feedbackIds || []), feedback.id]),
+        feedbackIds: (0, helpers_1.unique)([...(scope.feedbackIds || []), feedback.id]),
         errors: [...(scope.errors || []), structured]
     });
     if (options.persist !== false)
@@ -649,7 +639,7 @@ function recordWorkerRetryAttempt(run, workerId, attempts, reason, options = {})
         ...scope,
         updatedAt: new Date().toISOString(),
         retryCount: attempts,
-        metadata: compactMetadata({
+        metadata: (0, helpers_1.compactMetadata)({
             ...scope.metadata,
             agentDelegationAttempts: attempts,
             agentDelegationLastFailure: reason
@@ -668,8 +658,8 @@ function summarizeWorkers(run) {
     const workers = listWorkerScopes(run);
     return {
         total: workers.length,
-        byStatus: countBy(workers, (scope) => scope.status),
-        manifestPaths: workers.map(manifestPath),
+        byStatus: (0, helpers_1.countBy)(workers, (scope) => scope.status),
+        manifestPaths: workers.map(paths_1.manifestPath),
         failed: workers
             .filter((scope) => scope.status === "failed" || scope.status === "rejected")
             .map((scope) => ({ id: scope.id, status: scope.status, feedbackIds: scope.feedbackIds || [] }))
@@ -705,15 +695,9 @@ function reclaimOrphans(run, now) {
     }
     if (orphans.length) {
         writeWorkerIndex(run);
-        saveWorkerCheckpoint(run);
     }
     return { runId: run.id, reclaimed: orphans.length, orphans };
 }
-function saveWorkerCheckpoint(run) {
-    // Durable write via atomic temp+rename (same contract as saveCheckpoint)
-    // For worker index, the atomic write in writeWorkerIndex already handles it.
-    // This is a no-op wrapper that signals the checkpoint boundary.
-}
 function ensureWorkerState(run) {
     run.paths.workersDir = run.paths.workersDir || node_path_1.default.join(run.paths.runDir, "workers");
     node_fs_1.default.mkdirSync(run.paths.workersDir, { recursive: true });
@@ -771,7 +755,7 @@ function updateWorkerScope(run, scope) {
     return updated;
 }
 function writeWorkerScope(scope) {
-    (0, state_1.writeJson)(workerScopePath(scope), scope);
+    (0, state_1.writeJson)((0, paths_1.workerScopePath)(scope), scope);
 }
 function writeWorkerIndex(run) {
     ensureWorkerState(run);
@@ -784,7 +768,7 @@ function writeWorkerIndex(run) {
             dispatchId: scope.dispatchId,
             status: scope.status,
             workerDir: scope.workerDir,
-            manifestPath: manifestPath(scope),
+            manifestPath: (0, paths_1.manifestPath)(scope),
             resultPath: scope.resultPath,
             sandboxProfileId: scope.sandboxProfileId,
             backendId: scope.backendId,
@@ -800,7 +784,7 @@ function loadWorkerScopesFromDisk(run) {
     return node_fs_1.default
         .readdirSync(workerRoot(run), { withFileTypes: true })
         .filter((entry) => entry.isDirectory())
-        .map((entry) => node_path_1.default.join(workerRoot(run), entry.name, WORKER_SCOPE_FILE))
+        .map((entry) => node_path_1.default.join(workerRoot(run), entry.name, paths_1.WORKER_SCOPE_FILE))
         .filter((file) => node_fs_1.default.existsSync(file))
         .map((file) => JSON.parse(node_fs_1.default.readFileSync(file, "utf8")));
 }
@@ -823,6 +807,12 @@ function sandboxPolicyForBoundary(run, scope, options = {}) {
     if (scope.sandboxPolicy && !options.policy && !options.sandboxProfileId)
         return scope.sandboxPolicy;
     const profileId = options.sandboxProfileId || options.policy?.sandboxProfileId || scope.sandboxProfileId || sandbox_profile_1.DEFAULT_SANDBOX_PROFILE_ID;
+    // H7: when the scope.sandboxPolicy snapshot is LOST, this re-resolves the policy
+    // by its logical profileId against the WORKER's paths (scope.workerDir etc.). For
+    // a CUSTOM profile the bundled lookup would throw not-found; threading
+    // run.customSandboxProfiles lets resolveSandboxProfileById re-resolve the persisted
+    // DEFINITION here — re-enforcing the same policy with worker-correct path tokens
+    // (NOT the dispatch-time paths), so a legitimate worker write is not falsely denied.
     return (0, sandbox_profile_1.sandboxPolicyForWorker)(profileId, {
         cwd: run.cwd,
         runDir: run.paths.runDir,
@@ -838,7 +828,8 @@ function sandboxPolicyForBoundary(run, scope, options = {}) {
             ...(!scope.sandboxPolicy ? scope.allowedPaths || [] : [])
         ],
         allowArtifacts: options.policy?.allowArtifacts,
-        allowLogs: options.policy?.allowLogs
+        allowLogs: options.policy?.allowLogs,
+        customProfiles: run.customSandboxProfiles
     });
 }
 function blackboardManifest(run, scope) {
@@ -927,7 +918,7 @@ function blackboardLinkage(run, scope) {
     const role = scope.multiAgent?.roleId ? run.multiAgent?.roles.find((entry) => entry.id === scope.multiAgent?.roleId) : undefined;
     const multiAgentRun = scope.multiAgent?.runId ? run.multiAgent?.runs.find((entry) => entry.id === scope.multiAgent?.runId) : undefined;
     const blackboardId = membership?.blackboardId || group?.blackboardId || role?.blackboardId || multiAgentRun?.blackboardId;
-    const topicIds = unique([
+    const topicIds = (0, helpers_1.unique)([
         ...(membership?.topicIds || []),
         ...(group?.topicIds || []),
         ...(role?.topicIds || []),
@@ -935,94 +926,27 @@ function blackboardLinkage(run, scope) {
     ]);
     return { blackboardId, topicIds };
 }
-function manifestPath(scope) {
-    return node_path_1.default.join(scope.workerDir, WORKER_MANIFEST_FILE);
-}
-function workerScopePath(scope) {
-    return node_path_1.default.join(scope.workerDir, WORKER_SCOPE_FILE);
-}
-// Deterministic worker id (v0.1.40 self-audit P2): a wall-clock stamp + Math.random()
-// made every dispatch mint a different id, so audit references were not reproducible
-// across re-runs of the same inputs. The id is now derived from the task plus a
-// per-task sequence (count of worker scopes already allocated for that task + 1),
-// so re-running the same workflow yields byte-identical worker ids while retries of
-// the SAME task still get a fresh, unique id. (workerId is excluded from the
-// snapshot source fingerprint, so this does not change replay digests.)
-function createWorkerId(run, taskId) {
-    const prefix = `worker-${(0, state_1.safeFileName)(taskId)}-`;
-    const seq = (run.workers || []).filter((scope) => scope.id.startsWith(prefix)).length + 1;
-    return `${prefix}${String(seq).padStart(4, "0")}`;
-}
-function workerArtifacts(scope) {
-    return [
-        { id: "worker", kind: "json", path: workerScopePath(scope) },
-        { id: "worker-manifest", kind: "json", path: manifestPath(scope) },
-        { id: "worker-input", kind: "markdown", path: scope.inputPath }
-    ];
-}
 function normalizeWorkerError(error, scope, options) {
-    if (isBoundaryViolation(error)) {
-        return structuredError(error.code, error.message, {
+    if ((0, helpers_1.isBoundaryViolation)(error)) {
+        return (0, helpers_1.structuredError)(error.code, error.message, {
             path: error.path,
             retryable: false,
             details: { allowedPaths: error.allowedPaths, workerId: scope.id, taskId: scope.taskId, sandboxProfileId: scope.sandboxProfileId }
         });
     }
-    if (isStateNodeError(error)) {
+    if ((0, helpers_1.isStateNodeError)(error)) {
         return {
             ...error,
             at: error.at || new Date().toISOString(),
             path: options.path || error.path,
             retryable: options.retryable ?? error.retryable ?? false,
-            details: compactMetadata({ ...(error.details || {}), workerId: scope.id, taskId: scope.taskId })
+            details: (0, helpers_1.compactMetadata)({ ...(error.details || {}), workerId: scope.id, taskId: scope.taskId })
         };
     }
     const message = error instanceof Error ? error.message : String(error);
-    return structuredError(options.code || "worker-runtime-error", message, {
+    return (0, helpers_1.structuredError)(options.code || "worker-runtime-error", message, {
         path: options.path,
         retryable: options.retryable ?? false,
         details: { workerId: scope.id, taskId: scope.taskId }
     });
 }
-function structuredError(code, message, options = {}) {
-    return {
-        code,
-        message,
-        at: new Date().toISOString(),
-        path: options.path,
-        retryable: options.retryable,
-        details: options.details
-    };
-}
-function isBoundaryViolation(value) {
-    return Boolean(value && typeof value === "object" && "allowedPaths" in value && "message" in value);
-}
-function isStateNodeError(value) {
-    return Boolean(value && typeof value === "object" && "code" in value && "message" in value);
-}
-function mergeScopes(left, right) {
-    const merged = [...left];
-    for (const scope of right) {
-        const index = merged.findIndex((candidate) => candidate.id === scope.id);
-        if (index >= 0)
-            merged[index] = scope;
-        else
-            merged.push(scope);
-    }
-    return merged;
-}
-function unique(values) {
-    return Array.from(new Set(values.filter(Boolean)));
-}
-function compactMetadata(value) {
-    const entries = Object.entries(value).filter(([, entry]) => entry !== undefined);
-    return entries.length ? Object.fromEntries(entries) : undefined;
-}
-function countBy(items, key) {
-    const counts = {};
-    for (const item of items) {
-        const value = key(item);
-        counts[value] = (counts[value] || 0) + 1;
-    }
-    return counts;
-}

package/docs/agent-delegation-drive.7.md

@@ -131,14 +131,77 @@ node dist/cli.js backend probe agent --json      # ready iff configured, else un
 node dist/cli.js run architecture-review --drive --repo /path/to/repo --question "Is the design sound?"
 node dist/cli.js run architecture-review --drive --once --repo /path/to/repo --question "..."   # one step
 node dist/cli.js run drive <run-id> --json       # read-only preview of the next step
+
+# quickstart --resume: a guided stop-then-resume a newcomer can WITNESS in <5 min
+node dist/cli.js quickstart --resume --repo /path/to/repo --question "..."   # advances ONE step, prints a continue line
+node dist/cli.js quickstart --run <run-id> --resume                          # continues that run to completion
+```
+
+`quickstart --resume` with no `--run` drives a single step and prints a
+copy-pasteable `cw quickstart --run <id> --resume` continue line; rerun it with the
+`--run <id>` to finish. The continuing invocation echoes `resumedFrom: <id>`. Bare
+`quickstart` (no `--resume`) is unchanged — it drives straight to completion.
+
+For faster first results, use the opt-in fast app instead of changing the full
+review contract:
+
+```text
+node scripts/architecture-review-fast.js --repo /path/to/repo --question "Is the design sound?" --fast-model gpt-5.5-high --strong-model gpt-5.5-extra-high --metrics --schedule-full
 ```
 
+`architecture-review-fast` has six workers: two Map and two Assess workers in
+parallel, then sequential Verify and Verdict workers. The original
+`architecture-review` app remains the full 14-worker review and is the right
+target for background routines when a deep audit can finish outside the user's
+foreground wait.
+
+The model flags are policy, not attestation: they set task-level `{{model}}`
+hints for the delegated agent process. The recorded model still comes only from
+the agent-reported output.
+
+The wrapper computes the source-context digest and supplies it to the fast app.
+For external repositories, the documented no-profile command creates a repo-local
+default `repo` profile over common tracked text surfaces. If the selected profile
+exports zero records, the wrapper refuses rather than handing the app an empty
+context digest.
+The two Map workers opt in to result caching keyed by source-context digest plus
+prompt digest. The two Assess workers also opt in, but their cache key includes
+the completed previous-phase result digests so stale Map outputs do not satisfy
+an Assess cache hit. A cache hit still passes through `recordWorkerOutput`
+validation; a corrupt cached result parks/fails closed rather than spawning a
+silent fallback.
+
+`--metrics` is diagnostic and opt-in. It adds elapsed milliseconds, step counts,
+agent-spawn counts, and `result-cache` hit counts to the wrapper JSON payload;
+without it, the wrapper's default output shape stays unchanged.
+
 `{{manifest}}`, `{{input}}`, `{{result}}`, `{{workerDir}}`, `{{model}}`, and
 `{{prompt}}` are substituted into DISCRETE argv elements (never a shell-interpreted
 string). Each verb is declared once in `capability-registry.ts`, so `cw <cmd>
 --json` is byte-identical to the matching `cw_<tool>` MCP tool for the read-only
 preview/config-show verbs.
 
+## Live output — opt-in stderr passthrough (Unix-clean)
+
+A drive can show the agent's activity live, without touching the evidence
+contract, when the operator opts in with `CW_AGENT_STREAM=1`:
+
+- **Default stays buffered.** Without `CW_AGENT_STREAM=1`, the bundled wrapper
+  preserves the legacy `--output-format json` path and forwards claude's JSON
+  stdout verbatim after writing `result.md`.
+- **The opt-in wrapper renders; stderr only.** With `CW_AGENT_STREAM=1`, the
+  bundled wrapper runs claude in `--output-format stream-json` and renders a
+  concise human trace (tool uses, assistant text, per-turn summaries) to its
+  **stderr** — diagnostics, never data. It reconstructs the single
+  `{model, usage, result}` object for stdout only on that opt-in path.
+- **Core forwards, never parses.** `runAgentProcess` passes the agent child's
+  stderr straight through to the operator's terminal (`stdio` inherit) only when
+  `CW_AGENT_STREAM=1`, CW's own stderr is a TTY, and `CW_NO_STREAM` is not set.
+  Piped / CI runs stay silent (the Rule of Silence). Vendor-specific rendering
+  lives in the wrapper (policy), not the kernel (mechanism).
+- **Determinism intact.** The backend evidence triple hashes stdout only, so
+  the live stderr stream never affects recorded evidence or replay.
+
 ## Compatibility
 
 Agent Delegation Drive is introduced in CW v0.1.38. Adding the `agent` row leaves
@@ -190,3 +253,11 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
 0.1.78
 
 0.1.79
+
+## Fast Architecture Review (v0.1.80)
+
+Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, reusable Map and Assess results, measurable wrapper metrics, actionable background full-review handoff, and userland model policy flags for routing fast/strong workers without changing the full review contract.
+
+## Resumable Drive & Resume Routing (v0.1.81)
+
+Adds `run resume <id> --drive/--once` alongside `quickstart --resume`: a stopped pipeline resumes in-place, advancing to completion (`--drive`) or one deterministic step (`--once`) over the same plan->dispatch->agent-fulfill->accept->commit lifecycle, echoing `resumedFrom: <id>`. Fixes the `run resume --drive` CLI routing so the drive flag reaches the resumed run instead of being read as an app name. Replay determinism and the agent evidence triple are unchanged.

package/docs/canonical-workflow-apps.7.md

@@ -28,6 +28,43 @@ node scripts/cw.js plan architecture-review \
   --focus "runtime"
 ```
 
+`architecture-review-fast`
+
+Run a shorter architecture review for a fast first result. The app keeps the
+full `architecture-review` contract available under its original id, but uses two
+parallel Map workers, two parallel Assess workers, one verifier, and one verdict
+worker. Operators can optionally provide a pinned JSONL source context and route
+mapping/assessment work to a faster model while reserving stronger models for
+verification and synthesis.
+
+```bash
+node scripts/architecture-review-fast.js \
+  --repo /path/to/repo \
+  --question "Is this architecture sound?" \
+  --fast-model gpt-5.5-high \
+  --strong-model gpt-5.5-extra-high \
+  --metrics \
+  --schedule-full
+```
+
+The wrapper prepares one cached JSONL source context, passes its sha256 digest to
+the fast app, runs `quickstart architecture-review-fast`, and optionally creates
+a one-shot background schedule for the full `architecture-review` app. When run
+against an external repo without `--profile` or `--profile-file`, it writes a
+small repo-local `repo` profile covering common tracked text surfaces such as
+README/package metadata, `src/`, `lib/`, `apps/`, `scripts/`, docs, and tests.
+If the selected profile exports zero records, the wrapper fails closed instead of
+passing an empty context digest to the app.
+`--fast-model` and `--strong-model` are userland policy flags; internally they
+set the same task-level hints as `CW_ARCHITECTURE_REVIEW_FAST_MODEL` and
+`CW_ARCHITECTURE_REVIEW_STRONG_MODEL`.
+`--metrics` is opt-in; when present the wrapper adds elapsed-time, worker-step,
+agent-spawn, and result-cache-hit counts to the JSON payload so operators can
+measure foreground wait reductions without changing the default output shape.
+
+For long full reviews, use the existing routine or schedule surfaces to run
+`architecture-review` in the background after the fast report has returned.
+
 `pr-review-fix-ci`
 
 Review a pull request or branch, inspect CI failures, diagnose actionable

package/docs/cli-mcp-parity.7.md

@@ -39,6 +39,14 @@ A new runtime capability is added once, in the registry, against one core entry.
 The CLI command and the MCP tool are then two policies over that one mechanism —
 which is exactly what the parity gate checks.
 
+The MCP tool list is also being collapsed toward that single source. The first
+read-only inspection group (`operator.status`, `graph`, `operator.report`,
+worker/candidate/feedback/commit summaries, and the basic multi-agent inspection
+views) derives its MCP tool name and description directly from the capability
+registry; `mcp-server.ts` still owns the MCP input schema for those tools. This
+keeps the public `tools/list` output unchanged while removing one duplicate
+description table at a time.
+
 ## Human vs Machine Contract
 
 The two surfaces have different contracts and must not interfere:
@@ -373,3 +381,11 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
 0.1.78
 
 0.1.79
+
+## Fast Architecture Review (v0.1.80)
+
+Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, reusable Map and Assess results, measurable wrapper metrics, actionable background full-review handoff, and userland model policy flags for routing fast/strong workers without changing the full review contract.
+
+## Re-Prove Verbs on Both Surfaces (v0.1.81)
+
+v0.1.81 grows the parity surface with two new both-surface, fail-closed verbs declared once in the capability registry: `cw audit verify` / `cw_audit_verify` re-proves the trust-audit chain and exits non-zero on any unverified or corrupt chain, and `cw run inspect-archive` / `cw_run_inspect_archive` is a read-only archive integrity check. Each `cw <cmd> --json` is schema-identical to its `cw_<tool>` and validated by the same parity gate.

package/docs/contract-migration-tooling.7.md

@@ -123,3 +123,9 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
 0.1.78
 
 0.1.79
+
+## Fast Architecture Review (v0.1.80)
+
+Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, reusable Map and Assess results, measurable wrapper metrics, actionable background full-review handoff, and userland model policy flags for routing fast/strong workers without changing the full review contract.
+
+_No changes to the contract-migration subsystem in v0.1.81._

package/docs/control-plane-scheduling.7.md

@@ -110,3 +110,9 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
 0.1.78
 
 0.1.79
+
+## Fast Architecture Review (v0.1.80)
+
+Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, reusable Map and Assess results, measurable wrapper metrics, actionable background full-review handoff, and userland model policy flags for routing fast/strong workers without changing the full review contract.
+
+_No changes to the control-plane scheduling surface in v0.1.81._

package/docs/dogfood/resume-drive-real-agent-2026-06-14.md

@@ -0,0 +1,40 @@
+# Dogfood: real `builtin:claude` agent + `run resume --drive` (2026-06-14)
+
+A live dogfood run with a REAL external agent (`CW_AGENT_COMMAND=builtin:claude`, the
+bundled read-only claude wrapper). The model ran in the agent's own process; CW
+spawned it and recorded the attested output — CW holds no API key and imports no
+model SDK. This run had two purposes and delivered both: it confirmed the real-agent
+delegation path works end to end, and — because it exercised the **CLI** rather than
+the unit-test function path — it **caught a real shipped bug** in `run resume --drive`.
+
+## What ran
+
+- `cw run architecture-review --drive --once --repo <tmp> --question "…"` with a real
+  `builtin:claude` agent: **1 worker completed** end-to-end with zero hand-written
+  result.md — the worker's `result.md` was produced by real claude, passed the
+  evidence-gated acceptance, and a `report.md` (7.5 KB, "# Architecture Review …")
+  + 3 state commits were written. The real-agent path (spawn → attested output →
+  evidence gate → commit) works.
+- Run: `architecture-review-20260614T104416Z-upkor2`, status `in-progress` (1/14)
+  after the single `--once` step.
+
+## The bug it caught (and the fix)
+
+Resuming the partway run with `cw run resume <id> --drive` failed:
+`cw: Workflow app not found: resume`. The `run` command's early `--drive` branch
+(the `cw run <app> --drive` one-command form) intercepted the invocation *before* the
+subcommand switch, so the `resume` keyword was misread as an app name and never
+reached the `runResume` continuation shipped in #155.
+
+The A1 unit smoke (`run-resume-drive-smoke`) had tested `runResume()` **directly**, so
+it never exercised the CLI dispatch — only a real CLI run surfaced it. Fixed by
+guarding the early app-drive route so a leading run-registry subcommand keyword
+(resume/show/export/…) falls through to the switch; `run-resume-drive-smoke` now drives
+`cw run resume <id> --drive` through the actual CLI and asserts it routes to the verb,
+plus a regression guard that `run <app> --drive` still routes to the app drive.
+
+## Takeaway
+
+Unit tests that call the capability function directly can miss CLI-dispatch bugs.
+Every both-surface verb that adds a flag wants at least one test through the real CLI
+argv path, not just the exported function.

package/docs/durable-state-and-locking.7.md

@@ -107,3 +107,11 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
 0.1.78
 
 0.1.79
+
+## Fast Architecture Review (v0.1.80)
+
+Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, reusable Map and Assess results, measurable wrapper metrics, actionable background full-review handoff, and userland model policy flags for routing fast/strong workers without changing the full review contract.
+
+## Deterministic Tombstone Hash (v0.1.81)
+
+The reclamation tombstone's freed-manifest is now path-sorted before it feeds `tombstoneHash`, so the same freed set always yields the same hash regardless of filesystem enumeration order. This removes a non-determinism from the write-ahead chain (v0.1.39/v0.1.40), keeping the per-run tombstone hash-chain replayable and stable across hosts. Atomicity, locking, and the durable re-point seam are unchanged. v0.1.81 also adds import-time refusal (`CW_REQUIRE_ARCHIVE_INTEGRITY=1`) and restore-time trust-audit re-proving — see run-registry-control-plane(7).

package/docs/evidence-adoption-reasoning-chain.7.md

@@ -270,3 +270,9 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
 0.1.78
 
 0.1.79
+
+## Fast Architecture Review (v0.1.80)
+
+Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, reusable Map and Assess results, measurable wrapper metrics, actionable background full-review handoff, and userland model policy flags for routing fast/strong workers without changing the full review contract.
+
+_No changes to the Evidence Adoption Reasoning Chain surface in v0.1.81. The v0.1.81 trust-audit `computeEventHash` fix hardens the underlying audit records this chain links to by reference, but the derived reasoning view, its commands, and its eval gates are unchanged._

package/docs/execution-backends.7.md

@@ -300,3 +300,9 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
 0.1.78
 
 0.1.79
+
+## Fast Architecture Review (v0.1.80)
+
+Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, reusable Map and Assess results, measurable wrapper metrics, actionable background full-review handoff, and userland model policy flags for routing fast/strong workers without changing the full review contract.
+
+_No changes to the execution-backends surface in v0.1.81._

package/docs/index.md

@@ -7,6 +7,7 @@ Read these in order when you are new to CW:
 3. [Workflow App framework](workflow-app-framework.7.md) - userland app manifests, entrypoints, compatibility, and validation.
 4. [Sandbox Profiles](sandbox-profiles.7.md) - named worker policy contracts for read/write/execute/network/env handling.
 5. [Security / Trust Hardening](security-trust-hardening.7.md) - audit records, provenance, sandbox attestations, and acceptance rationale.
+   - [Trust Model & Limitations](trust-model.md) - what the ed25519 + hash-chain tamper-evidence proves and, honestly, what it does **not** (the single-keyholder ceiling). Read this before relying on a green verdict.
 6. [Multi-Agent Runtime Core](multi-agent-runtime-core.7.md) - first-class MultiAgentRun, roles, groups, memberships, fanout, fanin, and lifecycle state.
 7. [Coordinator / Blackboard](coordinator-blackboard.7.md) - shared topics, messages, context frames, artifact refs, snapshots, decisions, conflicts, and fanin evidence.
 8. [Multi-Agent Topologies](multi-agent-topologies.7.md) - official map-reduce, debate, and judge-panel recipes built on multi-agent and blackboard records.
@@ -35,6 +36,7 @@ Read these in order when you are new to CW:
 31. [Agent Delegation Drive](agent-delegation-drive.7.md) - the `agent` backend delegates each worker to an EXTERNAL agent process (claude/codex/HTTP endpoint) and `run --drive` auto-advances plan→dispatch→fulfill→accept→commit; the model runs in the agent's process, never in CW. Two-layer evidence, operator-vs-attested model, fail-closed park, replay without re-spawn.
 32. [Run Retention & Provable Reclamation](run-retention-reclamation.7.md) - tiered, append-only, cryptographically-verifiable disk reclamation over the v0.1.28 archive overlay: seal the audit skeleton, free the reconstructable/scratch bulk, and prove it via a hash-chained tombstone; `gc plan|run|verify`, write-ahead + fail-closed, explicit capability downgrade.
 33. [Durable State & Locking](durable-state-and-locking.7.md) - atomic (temp→rename) writes for every authoritative store with fsync-durability for the audit-essential ones, plus a portable stale-stealing file lock serializing the cross-process read-modify-write stores (home queue, archive overlay, reclamation chain); closes the prior verdict's non-atomic/unlocked P1.
+34. [Source Context Profiles](source-context-profiles.7.md) - opt-in JSONL source exports for AI context slimming, with profile policy in manifest data and manifest records proving every included or omitted tracked file.
 
 CW is the base system. Workflow apps are userland. Release and migration rules
 must preserve that line: stable contracts, explicit compatibility checks, and

package/docs/launch/demo.tape

@@ -0,0 +1,28 @@
+# VHS tape — records the `cw demo tamper` proof to a GIF for the README hero.
+#
+# Reproducible, deterministic capture (no manual screen-recording). Install VHS
+# (https://github.com/charmbracelet/vhs), then from the repo root:
+#
+#   vhs plugins/cool-workflow/docs/launch/demo.tape
+#
+# Output: docs/launch/demo-tamper.gif. Then in the root README, replace the
+# fenced demo output block under "See it in 30 seconds" with:
+#   ![cw demo tamper](plugins/cool-workflow/docs/launch/demo-tamper.gif)
+
+Output plugins/cool-workflow/docs/launch/demo-tamper.gif
+
+Set FontSize 15
+Set Width 1180
+Set Height 760
+Set Padding 18
+Set Theme "Dracula"
+Set Framerate 24
+Set PlaybackSpeed 1.0
+
+# Use the published package so the GIF reflects exactly what a new user runs.
+Type "npx cool-workflow demo tamper"
+Sleep 600ms
+Enter
+
+# Allow npx fetch + the demo to run and print the verdict.
+Sleep 14s