cool-workflow 0.1.80 → 0.1.81

package/docs/launch/pre-launch-checklist.md

@@ -1,26 +1,20 @@
 # Pre-Launch Checklist — Cool Workflow Show HN
 
-Tick top to bottom; when it's done, post. The one non-negotiable gate is ③.
+Tick top to bottom; when it's done, post. The one non-negotiable gate is ②.
 Copy for the post itself lives in [launch-kit.md](launch-kit.md) (the **✅ FINAL**
 block).
 
-## ① Fix the machine (prerequisite)
-
-- [ ] **Reboot the Mac** — clears the leaked ptys (`kern.tty.ptmx_max` was 511 with
-      527 allocated), so Terminal / VS Code can spawn shells again. Required before
-      the verification below.
-
-## ② Prepare assets (optional, recommended)
+## ① Prepare assets (optional, recommended)
 
 - [ ] Install [vhs](https://github.com/charmbracelet/vhs) (`brew install vhs`).
 - [ ] Record the GIF: `vhs plugins/cool-workflow/docs/launch/demo.tape` →
       `docs/launch/demo-tamper.gif`.
-- [ ] Swap it into the README hero (replace the fenced demo output block with
-      `![demo](plugins/cool-workflow/docs/launch/demo-tamper.gif)`), commit + push.
+- [ ] Add it to the README hero (insert
+      `![demo](plugins/cool-workflow/docs/launch/demo-tamper.gif)` near the badges/intro), commit + push.
   > Shippable without the GIF — the README's text `✗ DETECTED` hook already stands;
   > the GIF is upside, not a blocker.
 
-## ③ Verify — the make-or-break gate (do not skip)
+## ② Verify — the make-or-break gate (do not skip)
 
 - [ ] On a **clean machine / fresh terminal**: `npx cool-workflow demo tamper`
       prints `VERDICT: tamper-evidence holds ✓`.
@@ -28,20 +22,26 @@ block).
   > non-negotiable check.
 - [ ] Sanity: `npx cool-workflow quickstart architecture-review --repo . --question "risks?"`
       → `status: blocked` with no agent configured (fails closed, no crash).
+- [ ] Resumable sanity: `cw quickstart architecture-review --resume` advances one step
+      then stops; `cw run resume <run-id> --drive` continues a stopped run — proving
+      runs break at dispatch and replay from disk.
 
-## ④ Post (US morning, ~9–11am ET is peak)
+## ③ Post (US morning, ~9–11am ET is peak)
 
 - [ ] Open the **✅ FINAL** block in [launch-kit.md](launch-kit.md).
 - [ ] HN title: `Show HN: Cool Workflow – tamper-evident telemetry for agent pipelines (npx demo)`
 - [ ] URL field: `https://github.com/coo1white/cool-workflow`
 - [ ] Immediately after posting, paste the FINAL "first comment" as the first reply.
 
-## ⑤ First hour (decides the outcome)
+## ④ First hour (decides the outcome)
 
 - [ ] Watch and reply fast — early engagement weighs most on HN.
 - [ ] On the "single key holder / no second party" critique (the audit flagged it
       too): concede it honestly and frame it as exactly why you're looking for early
       integration partners. **Turn the critique into an invitation; don't argue.**
+  > The canned, linkable answer is already written: [docs/trust-model.md](../trust-model.md)
+  > states the ceiling plainly (integrity ≠ source honesty; one party holding both
+  > roles; full local re-chain) and frames the partner ask. Link it; don't re-argue it.
 - [ ] No vote-rigging, no asking friends to upvote, no deleting critical comments —
       HN's anti-abuse will sink the post.
 
@@ -49,5 +49,5 @@ block).
 
 ### Go / no-go
 
-> If **③ — `npx cool-workflow demo tamper` prints `✓` on a clean machine** — passes,
+> If **② — `npx cool-workflow demo tamper` prints `✓` on a clean machine** — passes,
 > you can post. Everything else is upside.

package/docs/multi-agent-cli-mcp-surface.7.md

@@ -269,3 +269,7 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
 ## Fast Architecture Review (v0.1.80)
 
 Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, reusable Map and Assess results, measurable wrapper metrics, actionable background full-review handoff, and userland model policy flags for routing fast/strong workers without changing the full review contract.
+
+## New Both-Surface Verbs (v0.1.81)
+
+v0.1.81 adds `audit verify` (`cw_audit_verify`) and `run inspect-archive` (`cw_run_inspect_archive`) — both declared once in the capability registry and exposed identically on the CLI and MCP, fail-closed (non-zero exit / `ok:false` on an unverified chain or a tampered archive).

package/docs/multi-agent-eval-replay-harness.7.md

@@ -306,3 +306,5 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
 ## Fast Architecture Review (v0.1.80)
 
 Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, reusable Map and Assess results, measurable wrapper metrics, actionable background full-review handoff, and userland model policy flags for routing fast/strong workers without changing the full review contract.
+
+_No changes to the multi-agent eval/replay harness in v0.1.81 (the multi-agent-eval module was carved into behavior-preserving siblings; replay output is byte-identical)._

package/docs/multi-agent-operator-ux.7.md

@@ -318,3 +318,5 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
 ## Fast Architecture Review (v0.1.80)
 
 Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, reusable Map and Assess results, measurable wrapper metrics, actionable background full-review handoff, and userland model policy flags for routing fast/strong workers without changing the full review contract.
+
+_No changes to the multi-agent operator UX surface in v0.1.81 (the operator-ux module was carved into behavior-preserving siblings; output is byte-identical)._

package/docs/multi-agent-trust-policy-audit.7.md

@@ -115,6 +115,32 @@ Human output includes stable panels:
 - Policy Violations
 - Next Action
 
+## Verify (fail-closed)
+
+`audit summary` embeds an `integrity` field but is a *reader* — it always exits 0,
+so it cannot gate a script. `audit verify` is the gate:
+
+```bash
+node scripts/cw.js audit verify <run-id>        # exit 1 if the chain is forged
+node scripts/cw.js audit verify <run-id> --json
+```
+
+It re-proves the run's trust-audit hash chain offline: it recomputes every event
+hash from genesis, checks `prevEventHash` linkage, and catches the unchained-event
+forgery (an `eventHash`-less line slipped into a chained log to be waved through as
+"legacy"). The JSON reports `present`, `verified`, `eventCount`, `chained`,
+`unchained`, `corruptLines`, and `failedChecks[]`.
+
+Exit-code contract (the peer of `telemetry verify`):
+
+- ANY **unverified** chain exits **1** — forged / edited / truncated / unchained-injected,
+  *and* a fully-corrupt log (every line unparseable, which reports `present:false` but
+  `verified:false`). The gate keys on `verified`, not `present`, so the most severe
+  tamper — garbling the whole log — cannot escape by looking "absent". So
+  `cw audit verify <run> && deploy` stops on tampering.
+- Only a truly **absent / empty** chain is `verified:true` / exit **0** — a run with
+  no audit log (or a blank one) has nothing to prove (no false-red).
+
 ## MCP
 
 MCP parity tools:
@@ -128,6 +154,7 @@ MCP parity tools:
 The older audit tools remain available:
 
 - `cw_audit_summary`
+- `cw_audit_verify` — fail-closed re-prove of the trust-audit hash chain (peer of `cw_telemetry_verify`)
 - `cw_audit_worker`
 - `cw_audit_provenance`
 - `cw_audit_attest`

package/docs/node-snapshot-diff-replay.7.md

@@ -139,3 +139,5 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
 ## Fast Architecture Review (v0.1.80)
 
 Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, reusable Map and Assess results, measurable wrapper metrics, actionable background full-review handoff, and userland model policy flags for routing fast/strong workers without changing the full review contract.
+
+_No changes to node-snapshot diff/replay in v0.1.81._

package/docs/observability-cost-accounting.7.md

@@ -198,3 +198,5 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
 ## Fast Architecture Review (v0.1.80)
 
 Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, reusable Map and Assess results, measurable wrapper metrics, actionable background full-review handoff, and userland model policy flags for routing fast/strong workers without changing the full review contract.
+
+_No changes to the observability + cost-accounting surface in v0.1.81 (the observability module was carved into behavior-preserving siblings; output is byte-identical)._

package/docs/project-index.md

@@ -1,15 +1,15 @@
 # Cool Workflow Project Index
 
-Generated from the current repository code on 2026-06-13 by `npm run sync:project-index`.
+Generated from the current repository code on 2026-06-14 by `npm run sync:project-index`.
 
 ## Snapshot
 
 - Package: `cool-workflow`
-- Version: `0.1.80`
+- Version: `0.1.81`
 - Source modules: `58`
 - Workflow apps: `7`
-- Docs: `47`
-- Smoke tests: `75`
+- Docs: `49`
+- Smoke tests: `86`
 - Repository: https://github.com/coo1white/cool-workflow
 
 ## Architecture
@@ -82,9 +82,9 @@ multi-agent host -> topology -> blackboard/coordinator
 
 - [agent-config.ts](../src/agent-config.ts)
 - [capability-core.ts](../src/capability-core.ts)
-- [capability-dispatcher.ts](../src/capability-dispatcher.ts)
 - [capability-registry.ts](../src/capability-registry.ts)
 - [collaboration.ts](../src/collaboration.ts)
+- [compare.ts](../src/compare.ts)
 - [contract-migration.ts](../src/contract-migration.ts)
 - [drive.ts](../src/drive.ts)
 - [evidence-grounding.ts](../src/evidence-grounding.ts)
@@ -167,7 +167,9 @@ multi-agent host -> topology -> blackboard/coordinator
 - [State Explosion Management](state-explosion-management.7.md)
 - [STATE-NODE(7)](state-node.7.md)
 - [Team Collaboration](team-collaboration.7.md)
+- [Trust Model & Limitations](trust-model.md)
 - [Unix-Inspired Workflow Principles](unix-principles.md)
+- [Vendor Manifest Loadability](vendor-manifest-loadability.7.md)
 - [VERIFIER-GATED-COMMIT(7)](verifier-gated-commit.7.md)
 - [Web / Desktop Workbench](web-desktop-workbench.7.md)
 - [WORKER-ISOLATION(7)](worker-isolation.7.md)
@@ -181,17 +183,20 @@ Smoke tests mirror the public contracts. The high-signal suites are:
 - [architecture-review-fast-automation-smoke.js](../test/architecture-review-fast-automation-smoke.js)
 - [architecture-review-fast-smoke.js](../test/architecture-review-fast-smoke.js)
 - [artifact-integrity-smoke.js](../test/artifact-integrity-smoke.js)
+- [audit-verify-smoke.js](../test/audit-verify-smoke.js)
 - [backend-registry-smoke.js](../test/backend-registry-smoke.js)
 - [block-unapproved-tag-smoke.js](../test/block-unapproved-tag-smoke.js)
 - [candidate-scoring-smoke.js](../test/candidate-scoring-smoke.js)
 - [canonical-workflow-apps-smoke.js](../test/canonical-workflow-apps-smoke.js)
 - [claude-p-agent-wrapper-smoke.js](../test/claude-p-agent-wrapper-smoke.js)
+- [cli-jsonmode-parity-smoke.js](../test/cli-jsonmode-parity-smoke.js)
 - [cli-mcp-parity-smoke.js](../test/cli-mcp-parity-smoke.js)
 - [concurrent-failure-semantics-smoke.js](../test/concurrent-failure-semantics-smoke.js)
 - [concurrent-workflow-dsl-smoke.js](../test/concurrent-workflow-dsl-smoke.js)
 - [contract-migration-tooling-smoke.js](../test/contract-migration-tooling-smoke.js)
 - [control-plane-scheduling-smoke.js](../test/control-plane-scheduling-smoke.js)
 - [coordinator-blackboard-smoke.js](../test/coordinator-blackboard-smoke.js)
+- [det-ids-b-smoke.js](../test/det-ids-b-smoke.js)
 - [dogfood-release-smoke.js](../test/dogfood-release-smoke.js)
 - [durable-atomic-write-smoke.js](../test/durable-atomic-write-smoke.js)
 - [end-to-end-demo-smoke.js](../test/end-to-end-demo-smoke.js)
@@ -201,6 +206,8 @@ Smoke tests mirror the public contracts. The high-signal suites are:
 - [evidence-adoption-reasoning-smoke.js](../test/evidence-adoption-reasoning-smoke.js)
 - [evidence-content-extraction-smoke.js](../test/evidence-content-extraction-smoke.js)
 - [execution-backends-smoke.js](../test/execution-backends-smoke.js)
+- [freebsd-audit-fixes-smoke.js](../test/freebsd-audit-fixes-smoke.js)
+- [h7-custom-profile-persist-smoke.js](../test/h7-custom-profile-persist-smoke.js)
 - [mcp-app-surface-smoke.js](../test/mcp-app-surface-smoke.js)
 - [multi-agent-cli-mcp-surface-smoke.js](../test/multi-agent-cli-mcp-surface-smoke.js)
 - [multi-agent-eval-replay-harness-smoke.js](../test/multi-agent-eval-replay-harness-smoke.js)
@@ -229,7 +236,10 @@ Smoke tests mirror the public contracts. The high-signal suites are:
 - [run-export-restore-rerun-smoke.js](../test/run-export-restore-rerun-smoke.js)
 - [run-export-restore-resume-smoke.js](../test/run-export-restore-resume-smoke.js)
 - [run-fixture-compat-smoke.js](../test/run-fixture-compat-smoke.js)
+- [run-import-tamper-failclosed-smoke.js](../test/run-import-tamper-failclosed-smoke.js)
+- [run-inspect-archive-smoke.js](../test/run-inspect-archive-smoke.js)
 - [run-registry-control-plane-smoke.js](../test/run-registry-control-plane-smoke.js)
+- [run-resume-drive-smoke.js](../test/run-resume-drive-smoke.js)
 - [run-retention-reclamation-smoke.js](../test/run-retention-reclamation-smoke.js)
 - [sandbox-profile-smoke.js](../test/sandbox-profile-smoke.js)
 - [schedule-routine-daemon-smoke.js](../test/schedule-routine-daemon-smoke.js)
@@ -246,8 +256,11 @@ Smoke tests mirror the public contracts. The high-signal suites are:
 - [telemetry-fail-closed-smoke.js](../test/telemetry-fail-closed-smoke.js)
 - [telemetry-ledger-smoke.js](../test/telemetry-ledger-smoke.js)
 - [telemetry-metrics-coverage-smoke.js](../test/telemetry-metrics-coverage-smoke.js)
+- [telemetry-verify-signatures-smoke.js](../test/telemetry-verify-signatures-smoke.js)
 - [token-budget-enforcement-smoke.js](../test/token-budget-enforcement-smoke.js)
+- [vendor-manifest-load-smoke.js](../test/vendor-manifest-load-smoke.js)
 - [verifier-gated-commit-smoke.js](../test/verifier-gated-commit-smoke.js)
+- [verify-import-audit-chain-smoke.js](../test/verify-import-audit-chain-smoke.js)
 - [web-desktop-workbench-smoke.js](../test/web-desktop-workbench-smoke.js)
 - [worker-isolation-smoke.js](../test/worker-isolation-smoke.js)
 - [worker-retry-count-smoke.js](../test/worker-retry-count-smoke.js)

package/docs/real-execution-backends.7.md

@@ -146,3 +146,5 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
 ## Fast Architecture Review (v0.1.80)
 
 Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, reusable Map and Assess results, measurable wrapper metrics, actionable background full-review handoff, and userland model policy flags for routing fast/strong workers without changing the full review contract.
+
+_No changes to the real execution backends in v0.1.81._

package/docs/release-and-migration.7.md

@@ -284,3 +284,7 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
 ## Fast Architecture Review (v0.1.80)
 
 Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, reusable Map and Assess results, measurable wrapper metrics, actionable background full-review handoff, and userland model policy flags for routing fast/strong workers without changing the full review contract.
+
+## Migration Compatibility (v0.1.81)
+
+v0.1.81 is additive: every change is a new flag/verb/env (`audit verify`, `run inspect-archive`, `verify-import --strict`, `CW_REQUIRE_ARCHIVE_INTEGRITY`, `quickstart --resume`, `run resume --drive`) or an internal behavior-preserving carve. Run-state schema, existing outputs, files, and exit codes are byte-identical, so runs and archives from prior versions load and verify unchanged. No migration action is required.

package/docs/release-tooling.7.md

@@ -163,3 +163,5 @@ also get generated MCP manifests (`.gemini-plugin/`, `.opencode-plugin/`) so the
 ## Fast Architecture Review (v0.1.80)
 
 Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, reusable Map and Assess results, measurable wrapper metrics, actionable background full-review handoff, and userland model policy flags for routing fast/strong workers without changing the full review contract.
+
+_No changes to the release-flow tooling in v0.1.81; this release was cut through the existing gate->review->tag flow._

package/docs/run-registry-control-plane.7.md

@@ -115,6 +115,14 @@ cwd — loads its durable state, and returns the next runnable tasks and next
 actions for the host to execute. Resume is read-only over source: it never
 mutates `state.json` and never un-archives a run.
 
+`run resume <run-id> --drive` (or `--once` for a single step) hands the resolved
+run straight to the existing agent-delegation drive loop — it re-plans nothing and
+picks up the pending/running tasks deterministically from durable state — and
+augments the result with the drive outcome under a `drive` field. The default (no
+`--drive`) payload and `nextActions` stay byte-identical. An unconfigured agent
+yields `drive.status="blocked"` (fail-closed, never a fabricated completion); CW
+delegates worker execution to your agent and never runs a model itself.
+
 ## Queue
 
 `queue add` appends a durable entry to `$CW_HOME/registry/queue.json` with an
@@ -160,14 +168,47 @@ resumed from the target repo; restored failed runs remain discoverable from the
 home registry and can be rerun as new linked runs. The import does not alter the
 source repository or the source run.
 
-`run verify-import <run-id> [--cwd DIR]` re-reads the restore manifest, recomputes
-every restored file digest, checks the manifest digest, and verifies the
-telemetry ledger when one was restored. Missing manifests, digest mismatches,
-path escapes, unsupported archive schemas, unreadable files, or telemetry-chain
-failures return explicit failed checks instead of a fabricated success.
+**Import-time refusal (fail-closed before any write).** Import verifies every
+file digest, every file size, the file count, and the manifest digest *before*
+creating the target run directory — so a tampered archive is refused with a
+non-zero exit and a single `cw:` stderr line, leaving nothing on disk (no partial
+restore). Set `CW_REQUIRE_ARCHIVE_INTEGRITY=1` to additionally refuse an archive
+whose top-level integrity block is *absent* — closing the legacy fail-open seam
+where a stripped-integrity archive imported unverified. Unset (the default) keeps
+legacy integrity-less archives byte-identical; the flag is mechanism, not policy.
 
-MCP exposes the same mechanisms as `cw_run_export`, `cw_run_import`, and
-`cw_run_verify_import`; the CLI and MCP paths share the same runtime functions.
+`run verify-import <run-id> [--cwd DIR]` re-reads the restore manifest, recomputes
+every restored file digest, checks the manifest digest, verifies the telemetry
+ledger when one was restored, and re-proves the **trust-audit hash chain** (the
+decisions / sandbox / commit-gate log, also restored under `audit/`). Missing
+manifests, digest mismatches, path escapes, unsupported archive schemas, unreadable
+files, telemetry-chain failures, or a forged audit chain (`trust-audit-invalid`)
+return explicit failed checks instead of a fabricated success. An archive with no
+audit log yields a passing `trust-audit` check (nothing to prove — no false-red).
+
+By default `verify-import` prints the result and exits 0 even when a check fails
+(it is a report). Pass `--strict` to make any failed restore check exit non-zero,
+so `cw run verify-import <run> --strict && restore` stops on a tampered archive.
+
+**Inspect an archive before restoring.** `run inspect-archive PATH [--json]`
+re-proves a portable archive's integrity *without writing anything* — contrast
+with `run import`, which validates as a side-effect of restoring a full
+`.cw/runs/<id>/` tree. It re-computes every embedded file's sha256 and size, the
+`integrity.fileCount` and manifest digest, and the whole-archive sha256, returning
+a structured `checks[]` — each failure names the offending `relativePath` with a
+`digest-mismatch` / `size-mismatch` / `manifest-digest-mismatch` /
+`file-count-mismatch` code. It never throws: an unreadable path, invalid JSON, or an
+unknown `schemaVersion` (`schemaSupported:false`) is reported as a check, not a
+stacktrace — stdout is always valid JSON, diagnostics go to stderr. It exits `1`
+when `ok:false`, so `cw run inspect-archive <path> && cw run import <path>` stops
+before importing a bad archive. It is a faithful preview of import: under
+`CW_REQUIRE_ARCHIVE_INTEGRITY=1` a stripped-integrity archive (which import would
+refuse) also inspects as `ok:false`; with the env unset (default) an absent integrity
+block is merely reported, not failed.
+
+MCP exposes the same mechanisms as `cw_run_export`, `cw_run_import`,
+`cw_run_verify_import`, and `cw_run_inspect_archive`; the CLI and MCP paths share
+the same runtime functions.
 
 ## Cross-repo history
 
@@ -184,13 +225,14 @@ node scripts/cw.js registry show [--scope repo|home] [--json]
 node scripts/cw.js run search [--app ID] [--status STATE] [--text Q] [--repo PATH] [--since ISO] [--until ISO] [--limit N] [--offset N] [--scope repo|home] [--json]
 node scripts/cw.js run list [--scope repo|home] [--json]
 node scripts/cw.js run show <run-id> [--scope repo|home] [--json]
-node scripts/cw.js run resume <run-id> [--limit N] [--json]
+node scripts/cw.js run resume <run-id> [--limit N] [--drive [--once]] [--json]
 node scripts/cw.js run archive <run-id> [--reason TEXT] [--unarchive]
 node scripts/cw.js run archive --older-than-days N [--state completed --state failed]
 node scripts/cw.js run rerun <run-id> [--reason TEXT]
 node scripts/cw.js run export <run-id> --output PATH
 node scripts/cw.js run import PATH --target DIR
 node scripts/cw.js run verify-import <run-id> [--cwd DIR]
+node scripts/cw.js run inspect-archive PATH [--json]
 node scripts/cw.js queue add [--app ID|--workflow ID|--runId ID] [--repo PATH] [--priority N] [--note TEXT]
 node scripts/cw.js queue list [--status STATE] [--repo PATH] [--json]
 node scripts/cw.js queue show <queue-id>
@@ -353,3 +395,7 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
 ## Fast Architecture Review (v0.1.80)
 
 Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, reusable Map and Assess results, measurable wrapper metrics, actionable background full-review handoff, and userland model policy flags for routing fast/strong workers without changing the full review contract.
+
+## Resume Drive, Inspect-Archive & Restore Re-Prove (v0.1.81)
+
+v0.1.81 adds `run resume <id> --drive/--once` (continue an interrupted run via the agent-drive loop; default resume stays read-only and byte-identical), `run inspect-archive PATH` (read-only archive integrity check that names any offending file without importing), and restore-time hardening: `verify-import` now re-proves the trust-audit chain on restore and gains `--strict`, and `CW_REQUIRE_ARCHIVE_INTEGRITY=1` refuses a stripped-integrity archive before any write.

package/docs/run-retention-reclamation.7.md

@@ -195,3 +195,7 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
 ## Fast Architecture Review (v0.1.80)
 
 Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, reusable Map and Assess results, measurable wrapper metrics, actionable background full-review handoff, and userland model policy flags for routing fast/strong workers without changing the full review contract.
+
+## Deterministic Freed Manifest (v0.1.81)
+
+The freed manifest is path-sorted before it feeds `tombstoneHash`, so reclamation's write-ahead tombstone hash-chain is reproducible across hosts regardless of filesystem enumeration order. Reclaimed tiers, the re-point seam, and the default (reclaim-nothing) policy are unchanged.

package/docs/state-explosion-management.7.md

@@ -275,3 +275,5 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
 ## Fast Architecture Review (v0.1.80)
 
 Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, reusable Map and Assess results, measurable wrapper metrics, actionable background full-review handoff, and userland model policy flags for routing fast/strong workers without changing the full review contract.
+
+_No changes to the state-explosion management surface in v0.1.81 (the module was carved into behavior-preserving siblings; output is byte-identical)._

package/docs/team-collaboration.7.md

@@ -211,3 +211,5 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
 ## Fast Architecture Review (v0.1.80)
 
 Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, reusable Map and Assess results, measurable wrapper metrics, actionable background full-review handoff, and userland model policy flags for routing fast/strong workers without changing the full review contract.
+
+_No changes to the team-collaboration surface in v0.1.81._