cool-workflow 0.1.80 → 0.1.81

package/dist/cli.js

@@ -7,7 +7,6 @@ Object.defineProperty(exports, "__esModule", { value: true });
 const node_fs_1 = __importDefault(require("node:fs"));
 const node_path_1 = __importDefault(require("node:path"));
 const orchestrator_1 = require("./orchestrator");
-const capability_registry_1 = require("./capability-registry");
 const capability_core_1 = require("./capability-core");
 const observability_1 = require("./observability");
 const telemetry_demo_1 = require("./telemetry-demo");
@@ -70,8 +69,6 @@ async function main() {
                     printJson((0, capability_core_1.appRun)(runner, { ...args.options, appId: required(appIdOrPath, "app id") }));
                     return;
                 default:
-                    if (await tryDispatchCli(args, runner))
-                        return;
                     throw new Error("Usage: cw.js app list|show|validate|init|package|run [app-id|path]");
             }
         }
@@ -128,8 +125,6 @@ async function main() {
                     return;
                 }
                 default:
-                    if (await tryDispatchCli(args, runner))
-                        return;
                     throw new Error("Usage: cw.js state check <run-id> [--state PATH] [--write]");
             }
         }
@@ -175,8 +170,6 @@ async function main() {
                         process.stdout.write(`${(0, operator_ux_1.formatOperatorReport)(runner.operatorReport(required(runId, "run id")))}\n`);
                     return;
                 default:
-                    if (await tryDispatchCli(args, runner))
-                        return;
                     throw new Error("Usage: cw.js operator status|report <run-id> [--json]");
             }
         }
@@ -227,8 +220,6 @@ async function main() {
                     return;
                 }
                 default:
-                    if (await tryDispatchCli(args, runner))
-                        return;
                     throw new Error("Usage: cw.js topology list|show <topology-id>|show <run-id> <topology-run-id>|validate <topology-id>|apply <run-id> <topology-id>|summary <run-id>|graph <run-id>");
             }
         }
@@ -252,8 +243,6 @@ async function main() {
                     return;
                 }
                 default:
-                    if (await tryDispatchCli(args, runner))
-                        return;
                     throw new Error("Usage: cw.js summary refresh|show <run-id> [--json]");
             }
         }
@@ -410,8 +399,6 @@ async function main() {
                     }
                     return;
                 default:
-                    if (await tryDispatchCli(args, runner))
-                        return;
                     throw new Error("Usage: cw.js multi-agent run|status|step|blackboard|score|select|summary|summarize|graph|dependencies|failures|evidence|reasoning|show|role|group|membership|fanout|fanin <run-id> [id]");
             }
         }
@@ -440,8 +427,6 @@ async function main() {
                     result = runner.evalReport(required(first, "replay id or path"));
                     break;
                 default:
-                    if (await tryDispatchCli(args, runner))
-                        return;
                     throw new Error("Usage: cw.js eval snapshot <run-id> --id <snapshot-id> | replay <snapshot-id-or-path> | compare <baseline-id-or-path> <replay-id-or-path> | score <replay-id-or-path> | gate <suite-id-or-path> | report <replay-id-or-path>");
             }
             if (wantsJson(args.options))
@@ -510,8 +495,6 @@ async function main() {
                 default:
                     break;
             }
-            if (await tryDispatchCli(args, runner))
-                return;
             throw new Error("Usage: cw.js blackboard summary|summarize|graph|resolve <run-id> | topic create <run-id> | message post|list <run-id> | context put <run-id> | artifact add|list <run-id> | snapshot <run-id>");
         }
         case "coordinator": {
@@ -524,8 +507,6 @@ async function main() {
                     printJson(runner.recordCoordinatorDecision(required(runId, "run id"), args.options));
                     return;
                 default:
-                    if (await tryDispatchCli(args, runner))
-                        return;
                     throw new Error("Usage: cw.js coordinator summary <run-id> | coordinator decision <run-id> --kind <kind> --outcome <outcome> --reason TEXT");
             }
         }
@@ -538,16 +519,18 @@ async function main() {
                 case "show":
                     printJson(runner.showSandboxProfile(required(profileIdOrFile, "profile id"), args.options));
                     return;
-                case "validate":
-                    printJson(runner.validateSandboxProfile(required(profileIdOrFile, "profile file"), args.options));
+                case "validate": {
+                    const result = runner.validateSandboxProfile(required(profileIdOrFile, "profile file"), args.options);
+                    printJson(result);
+                    if (!result.valid)
+                        process.exitCode = 1;
                     return;
+                }
                 case "choose":
                 case "resolve":
                     printJson((0, capability_core_1.sandboxChoose)(runner, { ...args.options, profileId: profileIdOrFile || args.options.profileId }));
                     return;
                 default:
-                    if (await tryDispatchCli(args, runner))
-                        return;
                     throw new Error("Usage: cw.js sandbox list|show|validate|choose|resolve [profile-id|profile-file]");
             }
         }
@@ -574,8 +557,6 @@ async function main() {
                     return;
                 }
                 default:
-                    if (await tryDispatchCli(args, runner))
-                        return;
                     throw new Error("Usage: cw.js backend list|show|probe [backend-id]  |  cw.js backend agent config [show|set] [--agent-command ... --agent-endpoint ... --agent-model ...]");
             }
         }
@@ -586,8 +567,6 @@ async function main() {
                     printJson(runner.showContract(required(runId, "run id"), contractId));
                     return;
                 default:
-                    if (await tryDispatchCli(args, runner))
-                        return;
                     throw new Error("Usage: cw.js contract show <run-id> [contract-id]");
             }
         }
@@ -615,12 +594,14 @@ async function main() {
                 case "replay":
                     printJson(runner.nodeReplay(required(runId, "run id"), required(nodeId, "snapshot id")));
                     return;
-                case "verify":
-                    printJson(runner.nodeReplayVerify(required(runId, "run id"), required(nodeId, "replay id")));
+                case "verify": {
+                    const verdict = runner.nodeReplayVerify(required(runId, "run id"), required(nodeId, "replay id"));
+                    printJson(verdict);
+                    if (!verdict.pass)
+                        process.exitCode = 1;
                     return;
+                }
                 default:
-                    if (await tryDispatchCli(args, runner))
-                        return;
                     throw new Error("Usage: cw.js node list|show|graph|snapshot|diff|replay|verify <run-id> [node-id|snapshot-id|replay-id]");
             }
         }
@@ -630,15 +611,21 @@ async function main() {
                 case "list":
                     printJson(runner.migrationList());
                     return;
-                case "check":
-                    printJson(runner.migrationCheck(required(target, "target (run-id or state/app file)"), args.options));
+                case "check": {
+                    const report = runner.migrationCheck(required(target, "target (run-id or state/app file)"), args.options);
+                    printJson(report);
+                    if (report.status === "unsupported")
+                        process.exitCode = 1;
                     return;
-                case "prove":
-                    printJson(runner.migrationProve(required(target, "target (run-id or state/app file)"), args.options));
+                }
+                case "prove": {
+                    const proof = runner.migrationProve(required(target, "target (run-id or state/app file)"), args.options);
+                    printJson(proof);
+                    if (!proof.pass)
+                        process.exitCode = 1;
                     return;
+                }
                 default:
-                    if (await tryDispatchCli(args, runner))
-                        return;
                     throw new Error("Usage: cw.js migration list|check|prove [target] [--contract run-state|workflow-app]");
             }
         }
@@ -669,8 +656,6 @@ async function main() {
                     printJson(runner.resolveFeedback(required(runId, "run id"), required(feedbackId, "feedback id"), args.options));
                     return;
                 default:
-                    if (await tryDispatchCli(args, runner))
-                        return;
                     throw new Error("Usage: cw.js feedback list|show|summary|collect|task|resolve <run-id> [feedback-id]");
             }
         }
@@ -698,14 +683,18 @@ async function main() {
                     printJson(runner.recordWorkerOutput(required(runId, "run id"), required(workerId, "worker id"), required(resultPath, "result file"), args.options));
                     return;
                 case "fail":
-                    printJson(runner.recordWorkerFailure(required(runId, "run id"), required(workerId, "worker id"), String(args.options.message || args.options.m || required(resultPath, "failure message")), args.options));
+                    printJson(runner.recordWorkerFailure(required(runId, "run id"), required(workerId, "worker id"), String(args.options.message || required(resultPath, "failure message")), args.options));
                     return;
-                case "validate":
-                    printJson(runner.validateWorker(required(runId, "run id"), required(workerId, "worker id"), resultPath));
+                case "validate": {
+                    // Non-null = a boundary violation: a validate verb must report an invalid
+                    // verdict through its exit code, not just print it and exit 0.
+                    const violation = runner.validateWorker(required(runId, "run id"), required(workerId, "worker id"), resultPath);
+                    printJson(violation);
+                    if (violation)
+                        process.exitCode = 1;
                     return;
+                }
                 default:
-                    if (await tryDispatchCli(args, runner))
-                        return;
                     throw new Error("Usage: cw.js worker list|summary|show|manifest|output|fail|validate <run-id> [worker-id] [result-file]");
             }
         }
@@ -715,6 +704,19 @@ async function main() {
                 case "summary":
                     printJson(runner.auditSummary(required(runId, "run id")));
                     return;
+                case "verify": {
+                    const result = (0, capability_core_1.auditVerify)(runner, { ...args.options, runId: required(runId, "run id") });
+                    printJson(result);
+                    // Fail-closed: any unverified chain exits non-zero so `cw audit verify
+                    // <run> && deploy` stops — mirrors the telemetry-verify guard. verifyTrustAudit
+                    // returns verified:true for a truly absent/empty chain (nothing to prove),
+                    // so this stays exit 0 there; a FULLY-corrupt log reports present:false but
+                    // verified:false (corruptLines>0) and must NOT be conflated with absent — the
+                    // earlier `present && ...` guard let that severe tamper escape (exit 0).
+                    if (!result.verified)
+                        process.exitCode = 1;
+                    return;
+                }
                 case "worker":
                     printJson(runner.workerAudit(required(runId, "run id"), required(id, "worker id")));
                     return;
@@ -768,8 +770,6 @@ async function main() {
                     printJson(runner.recordAuditDecision(required(runId, "run id"), required(id, "worker id"), args.options));
                     return;
                 default:
-                    if (await tryDispatchCli(args, runner))
-                        return;
                     throw new Error("Usage: cw.js audit summary|worker|provenance|multi-agent|policy|role|blackboard|judge|attest|decision <run-id> [worker-id|role-id]");
             }
         }
@@ -804,8 +804,6 @@ async function main() {
                         process.stdout.write(`${(0, operator_ux_1.formatCandidateSummary)(runner.summarizeCandidateOperatorRecords(required(runId, "run id")))}\n`);
                     return;
                 default:
-                    if (await tryDispatchCli(args, runner))
-                        return;
                     throw new Error("Usage: cw.js candidate list|show|register|score|rank|select|reject|summary <run-id> [candidate-id]");
             }
         }
@@ -835,8 +833,6 @@ async function main() {
                     process.stdout.write(`${runner.formatCommentList(result.comments)}\n`);
                 return;
             }
-            if (await tryDispatchCli(args, runner))
-                return;
             throw new Error("Usage: cw.js comment add <kind> <run-id> <target-id> --body <text> | comment list <run-id> [--json]");
         }
         case "handoff": {
@@ -910,8 +906,6 @@ async function main() {
                     return;
                 }
                 default:
-                    if (await tryDispatchCli(args, runner))
-                        return;
                     throw new Error("Usage: cw.js schedule create|list|delete|due|complete|pause|resume|run-now|history|daemon");
             }
         }
@@ -937,8 +931,6 @@ async function main() {
                     printJson(triggers.events(idOrKind));
                     return;
                 default:
-                    if (await tryDispatchCli(args, runner))
-                        return;
                     throw new Error("Usage: cw.js routine create|list|delete|fire|events");
             }
         }
@@ -963,8 +955,6 @@ async function main() {
                     return;
                 }
                 default:
-                    if (await tryDispatchCli(args, runner))
-                        return;
                     throw new Error("Usage: cw.js registry refresh|show [--scope repo|home] [--json]");
             }
         }
@@ -996,7 +986,15 @@ async function main() {
             // run end-to-end by delegating each worker to the agent backend. Distinct from
             // the run-REGISTRY verbs below. `--preview` (or the `run drive <run-id>` form)
             // is the read-only, deterministic next-step preview.
-            if (args.options.drive) {
+            //
+            // A run-REGISTRY subcommand keyword (resume/show/...) must NOT be intercepted
+            // here just because it carries a --drive flag of its own — e.g.
+            // `run resume <id> --drive` is the resume verb's opt-in continuation, not
+            // `run <app=resume> --drive`. Fall through to the switch for those keywords.
+            const runRegistrySubcommand = new Set([
+                "drive", "search", "list", "show", "resume", "archive", "rerun", "export", "import", "verify-import", "inspect-archive"
+            ]);
+            if (args.options.drive && !runRegistrySubcommand.has(String(args.positionals[0] || ""))) {
                 const target = args.positionals[0];
                 const runId = optionalArg(args.options.run) || optionalArg(args.options.runId);
                 if (args.options.preview) {
@@ -1051,7 +1049,7 @@ async function main() {
                     return;
                 }
                 case "resume": {
-                    const result = (0, capability_core_1.runResume)(registry, required(id, "run id"), args.options);
+                    const result = (0, capability_core_1.runResume)(registry, runner, required(id, "run id"), args.options);
                     if (wantsJson(args.options))
                         printJson(result);
                     else
@@ -1070,13 +1068,27 @@ async function main() {
                 case "import":
                     printJson((0, capability_core_1.runImportArchive)(runner, { ...args.options, archive: id || args.options.archive || args.options.path }));
                     return;
-                case "verify-import":
-                    printJson((0, capability_core_1.runVerifyImport)(runner, required(id || optionalArg(args.options.runId || args.options.run), "run id"), args.options));
+                case "verify-import": {
+                    const result = (0, capability_core_1.runVerifyImport)(runner, required(id || optionalArg(args.options.runId || args.options.run), "run id"), args.options);
+                    printJson(result);
+                    // Fail-closed ONLY behind --strict, so the default exit stays 0
+                    // (byte-identical). With --strict, any failed restore check — including
+                    // the new trust-audit row — exits 1 for `verify-import && restore`.
+                    if (Boolean(args.options.strict) && !result.ok)
+                        process.exitCode = 1;
+                    return;
+                }
+                case "inspect-archive": {
+                    const result = (0, capability_core_1.runInspectArchive)(runner, { ...args.options, archive: id || args.options.archive || args.options.path });
+                    printJson(result);
+                    // Read-only diagnostic: exit 1 when the archive fails any integrity check,
+                    // so `cw run inspect-archive <path> && restore` stops on a bad archive.
+                    if (!result.ok)
+                        process.exitCode = 1;
                     return;
+                }
                 default:
-                    if (await tryDispatchCli(args, runner))
-                        return;
-                    throw new Error("Usage: cw.js run search|list|show|resume|archive|rerun|drive|export|import|verify-import [run-id|archive] [--scope repo|home] [--json]  |  cw.js run <app> --drive [--once] [--repo R --question Q]");
+                    throw new Error("Usage: cw.js run search|list|show|resume|archive|rerun|drive|export|import|verify-import|inspect-archive [run-id|archive] [--scope repo|home] [--json]  |  cw.js run <app> --drive [--once] [--repo R --question Q]");
             }
         }
         case "queue": {
@@ -1101,8 +1113,6 @@ async function main() {
                     printJson((0, capability_core_1.queueShow)(registry, required(id, "queue id")));
                     return;
                 default:
-                    if (await tryDispatchCli(args, runner))
-                        return;
                     throw new Error("Usage: cw.js queue add|list|drain|show [queue-id] [--repo PATH] [--priority N]");
             }
         }
@@ -1138,8 +1148,6 @@ async function main() {
                     return;
                 }
                 default:
-                    if (await tryDispatchCli(args, runner))
-                        return;
                     throw new Error("Usage: cw.js sched plan|lease|release|complete|reclaim|reset|policy [show|set] [id] [--maxConcurrent N --maxAttempts N ...]");
             }
         }
@@ -1172,11 +1180,18 @@ async function main() {
                         printJson(result);
                     else
                         process.stdout.write(`${(0, run_registry_1.formatGcVerify)(result)}\n`);
+                    // Fail closed ONLY on a real integrity failure: a run that WAS reclaimed
+                    // but no longer re-proves. A not-reclaimed run has nothing to verify
+                    // (reclaimed:false/verified:false) and must not be treated as a failure.
+                    // LIMIT (honest): a DELETED reclaimed.json reads as reclaimed:false, so
+                    // proof-deletion is indistinguishable from never-reclaimed here without
+                    // an independent witness (e.g. a trust-audit reclamation event) — a
+                    // follow-up. This guard is still strictly better than the prior exit-0.
+                    if (result.reclaimed && !result.verified)
+                        process.exitCode = 1;
                     return;
                 }
                 default:
-                    if (await tryDispatchCli(args, runner))
-                        return;
                     throw new Error("Usage: cw.js gc plan|run|verify [run-id] [--reclaimAfterArchiveDays N] [--keep-scratch] [--keep-snapshots] [--limit N] [--json]");
             }
         }
@@ -1198,12 +1213,15 @@ async function main() {
                         printJson(result);
                     else
                         process.stdout.write(`${(0, telemetry_demo_1.formatTelemetryVerify)(result)}\n`);
+                    // Fail closed: a forged/edited/corrupt ledger verifies false — report it
+                    // through the exit code so `cw telemetry verify <run> && deploy` cannot
+                    // pass on a lie. (Absent ledger = present:false/verified:true -> exit 0.)
+                    if (!result.verified)
+                        process.exitCode = 1;
                     return;
                 }
                 default:
-                    if (await tryDispatchCli(args, runner))
-                        return;
-                    throw new Error("Usage: cw.js telemetry verify <run-id> [--json]");
+                    throw new Error("Usage: cw.js telemetry verify <run-id> [--pubkey <pem-or-path>] [--json]");
             }
         }
         case "demo": {
@@ -1222,8 +1240,6 @@ async function main() {
                     return;
                 }
                 default:
-                    if (await tryDispatchCli(args, runner))
-                        return;
                     throw new Error("Usage: cw.js demo tamper [--json]");
             }
         }
@@ -1256,39 +1272,13 @@ async function main() {
                     return;
                 }
                 default:
-                    if (await tryDispatchCli(args, runner))
-                        return;
                     throw new Error("Usage: cw.js workbench serve [--port N] [--once] | view <run-id> [--json]");
             }
         }
         default:
-            if (await tryDispatchCli(args, runner))
-                return;
             throw new Error(`Unknown command: ${args.command}`);
     }
 }
-/** Try to dispatch a command through the dynamic capability registry.
- *  Mechanism: reconstructs the full CLI path, resolves a handler, invokes it.
- *  Policy: unknown commands fall through to the legacy switch; this is a thin pipe.
- *  Returns true when the command was dispatched. */
-async function tryDispatchCli(args, runner) {
-    const cliPath = [args.command, ...args.positionals].filter((token) => typeof token === "string");
-    if (!cliPath.length)
-        return false;
-    const capabilityId = (0, capability_registry_1.resolveCliPath)(cliPath);
-    if (!capabilityId)
-        return false;
-    const handler = (0, capability_registry_1.getCapabilityHandler)(capabilityId);
-    if (!handler)
-        return false;
-    const result = await (0, capability_registry_1.dispatchCapability)(capabilityId, args.options, {
-        runner,
-        cwd: String(args.options.cwd || process.cwd())
-    });
-    if (wantsJson(args.options) || handler.descriptor.cli?.jsonMode === "default")
-        printJson(result);
-    return true;
-}
 function required(value, label) {
     if (!value)
         throw new Error(`Missing ${label}`);

package/dist/collaboration.js

@@ -553,7 +553,7 @@ function buildTimeline(run) {
             summary: `review policy: ${policy.requiredApprovals} approval(s) from [${policy.authorizedRoles.join(", ")}] for [${policy.appliesTo.join(", ")}]`
         });
     }
-    return entries.sort(compareTimeline);
+    return entries.sort(compareByCreated);
 }
 function buildNextActions(run, states, policy) {
     const actions = [];
@@ -674,8 +674,10 @@ function targetKey(target) {
     return `${target.kind}:${target.id}`;
 }
 function createCollabId(run, kind, count) {
-    const stamp = new Date().toISOString().replace(/[-:]/g, "").replace(/\..+/, "Z");
-    return `collab-${(0, state_1.safeFileName)(kind)}-${stamp}-${String(count + 1).padStart(4, "0")}`;
+    // Deterministic (FreeBSD-audit L12/L13): caller-supplied count (approvals/comments/
+    // handoffs length), no wall-clock stamp. The collab id is bound into the trust-audit
+    // chain via linkedAuditEventIds, so a stable id keeps that reproducible.
+    return `collab-${(0, state_1.safeFileName)(kind)}-${String(count + 1).padStart(4, "0")}`;
 }
 function persist(run, options) {
     if (options.persist === false)
@@ -685,9 +687,6 @@ function persist(run, options) {
 function compareByCreated(left, right) {
     return left.createdAt.localeCompare(right.createdAt) || left.id.localeCompare(right.id);
 }
-function compareTimeline(left, right) {
-    return left.createdAt.localeCompare(right.createdAt) || left.id.localeCompare(right.id);
-}
 function compact(value) {
     return Object.fromEntries(Object.entries(value).filter(([, entry]) => entry !== undefined));
 }

package/dist/commit.js

@@ -17,6 +17,7 @@ const trust_audit_1 = require("./trust-audit");
 const collaboration_1 = require("./collaboration");
 const evidence_grounding_1 = require("./evidence-grounding");
 const verifier_1 = require("./verifier");
+const compare_1 = require("./compare");
 class CommitGateError extends Error {
     structured;
     feedbackId;
@@ -37,7 +38,7 @@ function commitState(run, input) {
         throw recordCommitGateFailure(run, options, gate);
     }
     node_fs_1.default.mkdirSync(run.paths.commitsDir, { recursive: true });
-    const id = createCommitId();
+    const id = createCommitId(run);
     const snapshotPath = node_path_1.default.join(run.paths.commitsDir, `${id}.json`);
     const audit = gate.verifierGated
         ? (0, trust_audit_1.recordTrustAuditEvent)(run, {
@@ -440,7 +441,7 @@ function recordCommitNode(run, commit, options, gate) {
 function recordCommitGateFailure(run, options, gate) {
     const first = gate.errors[0] || error("commit-gate-blocked", "Verifier-gated commit blocked");
     const node = (0, state_node_1.recordNodeError)((0, state_node_1.createStateNode)({
-        id: `${run.id}:commit-gate-failed:${createCommitId()}`,
+        id: `${run.id}:commit-gate-failed:${gateFailureSeq(run)}`,
         kind: "error",
         status: "pending",
         loopStage: "checkpoint",
@@ -511,7 +512,7 @@ function resolveLinkedVerifier(requested, linked, errors, ownerKind, ownerId) {
 function latestSelectionForCandidate(run, candidateId) {
     return [...(run.candidateSelections || [])]
         .filter((selection) => selection.candidateId === candidateId)
-        .sort((left, right) => right.selectedAt.localeCompare(left.selectedAt))[0];
+        .sort((left, right) => (0, compare_1.compareBytes)(right.selectedAt, left.selectedAt))[0];
 }
 function findSelection(run, selectionId) {
     return (run.candidateSelections || []).find((selection) => selection.id === selectionId);
@@ -552,9 +553,22 @@ function error(code, message, options = {}) {
         ...options
     };
 }
-function createCommitId() {
-    const stamp = new Date().toISOString().replace(/[-:]/g, "").replace(/\..+/, "Z");
-    return `state-${stamp}-${(0, state_1.safeFileName)(Math.random().toString(36).slice(2, 8))}`;
+// Deterministic commit id (FreeBSD-audit L12/L13): the commit's POSITION in the
+// run's append-only commit log, not a wall-clock stamp + PRNG suffix. Re-running
+// the same workflow mints byte-identical commit ids, so snapshot/replay digests
+// match. The sequence is unique within a run (commits only ever append), and the
+// commitState caller writes the snapshot under this id before pushing the commit.
+function createCommitId(run) {
+    const seq = (run.commits || []).length + 1;
+    return `state-${String(seq).padStart(4, "0")}`;
+}
+// Deterministic suffix for a blocked-commit node id. Counts the commit-gate-failed
+// nodes already recorded on the run and returns the next position, so repeated
+// gate failures in one run stay collision-free and replay-stable.
+function gateFailureSeq(run) {
+    const marker = ":commit-gate-failed:";
+    const seq = (run.nodes || []).filter((node) => node.id.includes(marker)).length + 1;
+    return String(seq).padStart(4, "0");
 }
 function readGitHead(cwd) {
     try {

package/dist/compare.js

@@ -0,0 +1,18 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.compareBytes = compareBytes;
+// Locale-INDEPENDENT total order for strings (FreeBSD-audit L12 determinism).
+//
+// `String.localeCompare` is host/locale-sensitive: two hosts can order the same
+// byte-identical strings differently. That is fine for human-facing display, but
+// FATAL when the sorted order feeds a sha256 digest, a tombstone/hash chain, or a
+// stable-persisted projection (index.json, messages.jsonl, an export manifest):
+// the same content would then serialize/hash differently across hosts, breaking
+// CW's cross-host reproducibility and replay-determinism guarantees.
+//
+// Use compareBytes() for any ordering that flows into a hash, an export, a
+// persisted projection, or a commit/replay-bearing decision. Pure display sorts
+// may keep localeCompare.
+function compareBytes(a, b) {
+    return a < b ? -1 : a > b ? 1 : 0;
+}

package/dist/coordinator/classify.js

@@ -0,0 +1,45 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.statusToNodeStatus = statusToNodeStatus;
+exports.decisionStatus = decisionStatus;
+exports.auditDecision = auditDecision;
+exports.sourceForAuthor = sourceForAuthor;
+function statusToNodeStatus(status) {
+    switch (status) {
+        case "active":
+        case "open":
+            return "running";
+        case "resolved":
+        case "superseded":
+            return "completed";
+        case "conflicting":
+            return "blocked";
+        case "rejected":
+            return "rejected";
+        default:
+            return "completed";
+    }
+}
+function decisionStatus(outcome) {
+    if (outcome === "conflicting" || outcome === "blocked")
+        return "conflicting";
+    if (outcome === "rejected")
+        return "rejected";
+    if (outcome === "superseded")
+        return "superseded";
+    return "active";
+}
+function auditDecision(outcome) {
+    if (outcome === "rejected")
+        return "rejected";
+    if (outcome === "blocked" || outcome === "conflicting")
+        return "failed";
+    return "accepted";
+}
+function sourceForAuthor(author) {
+    if (author.kind === "runtime" || author.kind === "coordinator")
+        return "runtime-derived";
+    if (author.kind === "worker" || author.kind === "verifier")
+        return "cw-validated";
+    return "operator-recorded";
+}

package/dist/coordinator/paths.js

@@ -0,0 +1,42 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.boardPaths = boardPaths;
+exports.blackboardRoot = blackboardRoot;
+exports.messagesPath = messagesPath;
+exports.recordPath = recordPath;
+// Filesystem path derivation for the coordinator/blackboard layer
+// (FreeBSD-audit R-carve). Carved out of coordinator.ts so the module no longer
+// bundles the per-run path computation alongside the stateful blackboard
+// operations. Re-exported from coordinator.ts to keep the public surface
+// byte-identical.
+//
+// BEHAVIOR-PRESERVING — pure code movement, zero logic change. Each function is a
+// function of a WorkflowRun's paths only: it reads run.paths and joins names; it
+// never mutates run, never touches the blackboard state, never writes the disk.
+const node_path_1 = __importDefault(require("node:path"));
+const state_1 = require("../state");
+function boardPaths(run) {
+    const root = blackboardRoot(run);
+    return {
+        root,
+        index: node_path_1.default.join(root, "index.json"),
+        messages: messagesPath(run),
+        topicsDir: node_path_1.default.join(root, "topics"),
+        contextsDir: node_path_1.default.join(root, "contexts"),
+        artifactsDir: node_path_1.default.join(root, "artifacts"),
+        snapshotsDir: node_path_1.default.join(root, "snapshots"),
+        decisionsDir: node_path_1.default.join(root, "decisions")
+    };
+}
+function blackboardRoot(run) {
+    return run.paths.blackboardDir || node_path_1.default.join(run.paths.runDir, "blackboard");
+}
+function messagesPath(run) {
+    return node_path_1.default.join(blackboardRoot(run), "messages.jsonl");
+}
+function recordPath(run, kind, id) {
+    return node_path_1.default.join(blackboardRoot(run), kind, `${(0, state_1.safeFileName)(id)}.json`);
+}