cool-workflow 0.1.80 → 0.1.82
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.claude-plugin/plugin.json +1 -1
- package/.codex-plugin/plugin.json +1 -1
- package/README.md +42 -2
- package/apps/architecture-review/app.json +1 -1
- package/apps/architecture-review-fast/app.json +1 -1
- package/apps/end-to-end-golden-path/app.json +1 -1
- package/apps/pr-review-fix-ci/app.json +1 -1
- package/apps/release-cut/app.json +1 -1
- package/apps/research-synthesis/app.json +1 -1
- package/dist/agent-config.js +21 -7
- package/dist/candidate-scoring.js +62 -48
- package/dist/capability-core.js +152 -96
- package/dist/capability-registry.js +160 -174
- package/dist/cli.js +90 -100
- package/dist/collaboration.js +5 -6
- package/dist/commit.js +232 -209
- package/dist/compare.js +18 -0
- package/dist/coordinator/classify.js +45 -0
- package/dist/coordinator/paths.js +42 -0
- package/dist/coordinator/util.js +126 -0
- package/dist/coordinator.js +127 -300
- package/dist/dispatch.js +46 -3
- package/dist/drive.js +7 -7
- package/dist/error-feedback.js +8 -4
- package/dist/evidence-reasoning.js +5 -2
- package/dist/execution-backend/agent.js +294 -0
- package/dist/execution-backend/probes.js +96 -0
- package/dist/execution-backend/util.js +47 -0
- package/dist/execution-backend.js +77 -450
- package/dist/gates.js +48 -0
- package/dist/mcp-server.js +34 -173
- package/dist/multi-agent/graph.js +84 -0
- package/dist/multi-agent/helpers.js +141 -0
- package/dist/multi-agent/ids.js +20 -0
- package/dist/multi-agent/paths.js +22 -0
- package/dist/multi-agent-eval/format.js +194 -0
- package/dist/multi-agent-eval/normalize.js +51 -0
- package/dist/multi-agent-eval.js +63 -242
- package/dist/multi-agent-host.js +53 -40
- package/dist/multi-agent-operator-ux.js +2 -1
- package/dist/multi-agent-trust.js +5 -5
- package/dist/multi-agent.js +125 -314
- package/dist/node-projection.js +59 -0
- package/dist/node-snapshot.js +11 -21
- package/dist/observability/format.js +61 -0
- package/dist/observability/intake.js +98 -0
- package/dist/observability.js +14 -160
- package/dist/operator-ux/format.js +364 -0
- package/dist/operator-ux.js +22 -363
- package/dist/orchestrator/lifecycle-operations.js +22 -1
- package/dist/orchestrator/report.js +8 -0
- package/dist/orchestrator.js +41 -10
- package/dist/reclamation.js +32 -55
- package/dist/run-export.js +138 -14
- package/dist/run-registry/derive.js +172 -0
- package/dist/run-registry/format.js +124 -0
- package/dist/run-registry/gc.js +251 -0
- package/dist/run-registry/policy.js +16 -0
- package/dist/run-registry/queue.js +116 -0
- package/dist/run-registry.js +78 -593
- package/dist/run-state-schema.js +1 -0
- package/dist/sandbox-profile.js +43 -2
- package/dist/scheduler.js +34 -4
- package/dist/state-explosion/format.js +159 -0
- package/dist/state-explosion/helpers.js +82 -0
- package/dist/state-explosion.js +65 -283
- package/dist/state-node.js +19 -4
- package/dist/telemetry-attestation.js +55 -0
- package/dist/telemetry-demo.js +15 -3
- package/dist/telemetry-ledger.js +60 -15
- package/dist/topology.js +50 -12
- package/dist/triggers.js +33 -14
- package/dist/trust-audit.js +215 -71
- package/dist/validation.js +328 -0
- package/dist/version.js +1 -1
- package/dist/worker-isolation/helpers.js +51 -0
- package/dist/worker-isolation/paths.js +46 -0
- package/dist/worker-isolation.js +182 -173
- package/docs/agent-delegation-drive.7.md +14 -0
- package/docs/cli-mcp-parity.7.md +5 -0
- package/docs/contract-migration-tooling.7.md +3 -0
- package/docs/control-plane-scheduling.7.md +3 -0
- package/docs/dogfood/resume-drive-real-agent-2026-06-14.md +40 -0
- package/docs/durable-state-and-locking.7.md +5 -0
- package/docs/evidence-adoption-reasoning-chain.7.md +3 -0
- package/docs/execution-backends.7.md +3 -0
- package/docs/index.md +1 -0
- package/docs/launch/launch-kit.md +46 -23
- package/docs/launch/pre-launch-checklist.md +14 -14
- package/docs/multi-agent-cli-mcp-surface.7.md +5 -0
- package/docs/multi-agent-eval-replay-harness.7.md +3 -0
- package/docs/multi-agent-operator-ux.7.md +3 -0
- package/docs/multi-agent-trust-policy-audit.7.md +27 -0
- package/docs/node-snapshot-diff-replay.7.md +3 -0
- package/docs/observability-cost-accounting.7.md +3 -0
- package/docs/project-index.md +23 -6
- package/docs/real-execution-backends.7.md +3 -0
- package/docs/release-and-migration.7.md +5 -0
- package/docs/release-tooling.7.md +35 -2
- package/docs/run-registry-control-plane.7.md +55 -8
- package/docs/run-retention-reclamation.7.md +5 -0
- package/docs/state-explosion-management.7.md +3 -0
- package/docs/team-collaboration.7.md +3 -0
- package/docs/trust-model.md +267 -0
- package/docs/vendor-manifest-loadability.7.md +43 -0
- package/docs/web-desktop-workbench.7.md +3 -0
- package/manifest/plugin.manifest.json +1 -1
- package/manifest/source-context-profiles.json +1 -1
- package/package.json +4 -2
- package/scripts/agents/builtin-templates.json +7 -0
- package/scripts/bump-version.js +5 -11
- package/scripts/canonical-apps-list.js +64 -0
- package/scripts/canonical-apps.js +19 -4
- package/scripts/children/batch-delegate-child.js +58 -0
- package/scripts/children/http-delegate-child.js +39 -0
- package/scripts/dogfood-release.js +1 -1
- package/scripts/golden-path.js +4 -4
- package/scripts/parity-check.js +5 -0
- package/scripts/release-check.js +5 -1
- package/scripts/release-flow.js +181 -5
- package/scripts/version-sync-check.js +5 -8
- package/dist/capability-dispatcher.js +0 -86
|
@@ -114,3 +114,6 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
|
|
|
114
114
|
## Fast Architecture Review (v0.1.80)
|
|
115
115
|
|
|
116
116
|
Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, reusable Map and Assess results, measurable wrapper metrics, actionable background full-review handoff, and userland model policy flags for routing fast/strong workers without changing the full review contract.
|
|
117
|
+
|
|
118
|
+
_No changes to the control-plane scheduling surface in v0.1.81._
|
|
119
|
+
_No behavioral change in v0.1.82 (schedule/run ids are now deterministic-but-unique via a monotonic counter + pid instead of Math.random; ids stay collision-free)._
|
|
@@ -0,0 +1,40 @@
|
|
|
1
|
+
# Dogfood: real `builtin:claude` agent + `run resume --drive` (2026-06-14)
|
|
2
|
+
|
|
3
|
+
A live dogfood run with a REAL external agent (`CW_AGENT_COMMAND=builtin:claude`, the
|
|
4
|
+
bundled read-only claude wrapper). The model ran in the agent's own process; CW
|
|
5
|
+
spawned it and recorded the attested output — CW holds no API key and imports no
|
|
6
|
+
model SDK. This run had two purposes and delivered both: it confirmed the real-agent
|
|
7
|
+
delegation path works end to end, and — because it exercised the **CLI** rather than
|
|
8
|
+
the unit-test function path — it **caught a real shipped bug** in `run resume --drive`.
|
|
9
|
+
|
|
10
|
+
## What ran
|
|
11
|
+
|
|
12
|
+
- `cw run architecture-review --drive --once --repo <tmp> --question "…"` with a real
|
|
13
|
+
`builtin:claude` agent: **1 worker completed** end-to-end with zero hand-written
|
|
14
|
+
result.md — the worker's `result.md` was produced by real claude, passed the
|
|
15
|
+
evidence-gated acceptance, and a `report.md` (7.5 KB, "# Architecture Review …")
|
|
16
|
+
+ 3 state commits were written. The real-agent path (spawn → attested output →
|
|
17
|
+
evidence gate → commit) works.
|
|
18
|
+
- Run: `architecture-review-20260614T104416Z-upkor2`, status `in-progress` (1/14)
|
|
19
|
+
after the single `--once` step.
|
|
20
|
+
|
|
21
|
+
## The bug it caught (and the fix)
|
|
22
|
+
|
|
23
|
+
Resuming the partway run with `cw run resume <id> --drive` failed:
|
|
24
|
+
`cw: Workflow app not found: resume`. The `run` command's early `--drive` branch
|
|
25
|
+
(the `cw run <app> --drive` one-command form) intercepted the invocation *before* the
|
|
26
|
+
subcommand switch, so the `resume` keyword was misread as an app name and never
|
|
27
|
+
reached the `runResume` continuation shipped in #155.
|
|
28
|
+
|
|
29
|
+
The A1 unit smoke (`run-resume-drive-smoke`) had tested `runResume()` **directly**, so
|
|
30
|
+
it never exercised the CLI dispatch — only a real CLI run surfaced it. Fixed by
|
|
31
|
+
guarding the early app-drive route so a leading run-registry subcommand keyword
|
|
32
|
+
(resume/show/export/…) falls through to the switch; `run-resume-drive-smoke` now drives
|
|
33
|
+
`cw run resume <id> --drive` through the actual CLI and asserts it routes to the verb,
|
|
34
|
+
plus a regression guard that `run <app> --drive` still routes to the app drive.
|
|
35
|
+
|
|
36
|
+
## Takeaway
|
|
37
|
+
|
|
38
|
+
Unit tests that call the capability function directly can miss CLI-dispatch bugs.
|
|
39
|
+
Every both-surface verb that adds a flag wants at least one test through the real CLI
|
|
40
|
+
argv path, not just the exported function.
|
|
@@ -111,3 +111,8 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
|
|
|
111
111
|
## Fast Architecture Review (v0.1.80)
|
|
112
112
|
|
|
113
113
|
Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, reusable Map and Assess results, measurable wrapper metrics, actionable background full-review handoff, and userland model policy flags for routing fast/strong workers without changing the full review contract.
|
|
114
|
+
|
|
115
|
+
## Deterministic Tombstone Hash (v0.1.81)
|
|
116
|
+
|
|
117
|
+
The reclamation tombstone's freed-manifest is now path-sorted before it feeds `tombstoneHash`, so the same freed set always yields the same hash regardless of filesystem enumeration order. This removes a non-determinism from the write-ahead chain (v0.1.39/v0.1.40), keeping the per-run tombstone hash-chain replayable and stable across hosts. Atomicity, locking, and the durable re-point seam are unchanged. v0.1.81 also adds import-time refusal (`CW_REQUIRE_ARCHIVE_INTEGRITY=1`) and restore-time trust-audit re-proving — see run-registry-control-plane(7).
|
|
118
|
+
_No changes in v0.1.82._
|
|
@@ -274,3 +274,6 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
|
|
|
274
274
|
## Fast Architecture Review (v0.1.80)
|
|
275
275
|
|
|
276
276
|
Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, reusable Map and Assess results, measurable wrapper metrics, actionable background full-review handoff, and userland model policy flags for routing fast/strong workers without changing the full review contract.
|
|
277
|
+
|
|
278
|
+
_No changes to the Evidence Adoption Reasoning Chain surface in v0.1.81. The v0.1.81 trust-audit `computeEventHash` fix hardens the underlying audit records this chain links to by reference, but the derived reasoning view, its commands, and its eval gates are unchanged._
|
|
279
|
+
_No changes in v0.1.82._
|
|
@@ -304,3 +304,6 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
|
|
|
304
304
|
## Fast Architecture Review (v0.1.80)
|
|
305
305
|
|
|
306
306
|
Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, reusable Map and Assess results, measurable wrapper metrics, actionable background full-review handoff, and userland model policy flags for routing fast/strong workers without changing the full review contract.
|
|
307
|
+
|
|
308
|
+
_No changes to the execution-backends surface in v0.1.81._
|
|
309
|
+
_No behavioral change in v0.1.82 (the delegated child programs moved from inline `node -e` strings to `scripts/children/`; spawn argv and shell:false behavior are byte-identical)._
|
package/docs/index.md
CHANGED
|
@@ -7,6 +7,7 @@ Read these in order when you are new to CW:
|
|
|
7
7
|
3. [Workflow App framework](workflow-app-framework.7.md) - userland app manifests, entrypoints, compatibility, and validation.
|
|
8
8
|
4. [Sandbox Profiles](sandbox-profiles.7.md) - named worker policy contracts for read/write/execute/network/env handling.
|
|
9
9
|
5. [Security / Trust Hardening](security-trust-hardening.7.md) - audit records, provenance, sandbox attestations, and acceptance rationale.
|
|
10
|
+
- [Trust Model & Limitations](trust-model.md) - what the ed25519 + hash-chain tamper-evidence proves and, honestly, what it does **not** (the single-keyholder ceiling). Read this before relying on a green verdict.
|
|
10
11
|
6. [Multi-Agent Runtime Core](multi-agent-runtime-core.7.md) - first-class MultiAgentRun, roles, groups, memberships, fanout, fanin, and lifecycle state.
|
|
11
12
|
7. [Coordinator / Blackboard](coordinator-blackboard.7.md) - shared topics, messages, context frames, artifact refs, snapshots, decisions, conflicts, and fanin evidence.
|
|
12
13
|
8. [Multi-Agent Topologies](multi-agent-topologies.7.md) - official map-reduce, debate, and judge-panel recipes built on multi-agent and blackboard records.
|
|
@@ -9,7 +9,7 @@ Everything leads with the 30-second `npx cool-workflow demo tamper` proof.
|
|
|
9
9
|
## ✅ FINAL — Show HN (copy-paste ready)
|
|
10
10
|
|
|
11
11
|
**Pre-flight (do these first):**
|
|
12
|
-
1. Record the demo GIF: `vhs plugins/cool-workflow/docs/launch/demo.tape` →
|
|
12
|
+
1. Record the demo GIF: `vhs plugins/cool-workflow/docs/launch/demo.tape` → add it to the README hero (insert the GIF near the badges/intro).
|
|
13
13
|
2. Confirm on a clean machine: `npx cool-workflow demo tamper` runs and prints `VERDICT: tamper-evidence holds ✓`.
|
|
14
14
|
3. Post during US morning (HN traffic peak); reply to the first comment with the npm + provenance link.
|
|
15
15
|
|
|
@@ -34,25 +34,33 @@ agent you configure (claude -p, codex exec, an HTTP endpoint) and never embeds a
|
|
|
34
34
|
model SDK or holds an API key. What it owns is the audit trail: each agent hop's
|
|
35
35
|
reported usage is signed (ed25519) and appended to a hash-chained ledger, so
|
|
36
36
|
editing any record — or even recomputing its local hash to cover the edit — breaks
|
|
37
|
-
the chain downstream. You re-verify a finished run offline
|
|
38
|
-
|
|
37
|
+
the chain downstream. You re-verify a finished run offline — no telemetry service
|
|
38
|
+
to trust or breach.
|
|
39
39
|
|
|
40
40
|
30-second proof, no install:
|
|
41
41
|
|
|
42
42
|
npx cool-workflow demo tamper
|
|
43
43
|
|
|
44
44
|
It builds a real signed ledger, forges it two ways (flip a verdict + re-seal its
|
|
45
|
-
hash; inflate reported tokens + reuse the signature), and
|
|
46
|
-
real run, `cw telemetry verify <run>`
|
|
45
|
+
hash; inflate reported tokens + reuse the signature), and catches both offline with
|
|
46
|
+
only the public key. On a real run, `cw telemetry verify <run>` re-proves the
|
|
47
|
+
recorded ledger on disk — recomputing the chain so any later edit to a verdict or
|
|
48
|
+
usage digest is caught; add `--pubkey <public.pem>` to re-run each attested hop's
|
|
49
|
+
signature check offline too. I keep an
|
|
50
|
+
honest trust-model doc (what it does and does NOT prove, incl. the single-keyholder
|
|
51
|
+
ceiling): https://github.com/coo1white/cool-workflow/blob/main/plugins/cool-workflow/docs/trust-model.md
|
|
47
52
|
|
|
48
53
|
Also: concurrent parallel() phases with declared collapse semantics (collect-all +
|
|
49
54
|
kill-on-timeout — 16 agents with a forced hang/crash/dirty-return finish without
|
|
50
55
|
deadlock and replay who-passed-who-failed), per-task output-schema gates, token
|
|
51
|
-
budgets enforced against
|
|
56
|
+
budgets enforced against the host's recorded usage (opt-in gate fails closed on
|
|
57
|
+
unattested telemetry), and a one-way executor boundary welded
|
|
52
58
|
into the type system (a callable that could reach a model API fails `npm run
|
|
53
|
-
build`). Zero runtime deps, BSD-2, published to npm with provenance.
|
|
59
|
+
build`). Zero runtime deps, BSD-2, published to npm with provenance. Ships generated
|
|
60
|
+
plugin manifests for 5 agent platforms (claude, codex, agents, gemini, opencode);
|
|
61
|
+
`npm run manifest:load-check` boots all five from one source of truth.
|
|
54
62
|
|
|
55
|
-
It's early (v0.1.
|
|
63
|
+
It's early (v0.1.81) — I'd genuinely like to hear where the "delegate, prove,
|
|
56
64
|
replay" model breaks down for your workflows.
|
|
57
65
|
|
|
58
66
|
npm: https://www.npmjs.com/package/cool-workflow
|
|
@@ -64,8 +72,8 @@ npm: https://www.npmjs.com/package/cool-workflow
|
|
|
64
72
|
|
|
65
73
|
> Cool Workflow is an auditable control-plane for multi-agent workflows. It
|
|
66
74
|
> *delegates* model execution — never embeds it — and makes every recorded agent
|
|
67
|
-
> telemetry verdict tamper-evident: anyone can re-verify a run offline
|
|
68
|
-
> public key.
|
|
75
|
+
> telemetry verdict tamper-evident: anyone can re-verify a run's integrity offline,
|
|
76
|
+
> and check the ed25519 attribution with the public key alone.
|
|
69
77
|
|
|
70
78
|
## Elevator (2 sentences)
|
|
71
79
|
|
|
@@ -94,8 +102,8 @@ npm: https://www.npmjs.com/package/cool-workflow
|
|
|
94
102
|
> holds an API key. What it *does* own is the audit trail: each agent hop's reported
|
|
95
103
|
> usage is signed (ed25519) and appended to a hash-chained ledger, so editing any
|
|
96
104
|
> record — or even recomputing its local hash to cover the edit — breaks the chain
|
|
97
|
-
> downstream. You can re-verify a finished run
|
|
98
|
-
>
|
|
105
|
+
> downstream. You can re-verify a finished run offline — no network, no trusted
|
|
106
|
+
> server.
|
|
99
107
|
>
|
|
100
108
|
> The 30-second proof, no install:
|
|
101
109
|
>
|
|
@@ -104,18 +112,23 @@ npm: https://www.npmjs.com/package/cool-workflow
|
|
|
104
112
|
> ```
|
|
105
113
|
>
|
|
106
114
|
> It builds a real signed ledger, forges it two ways (flip a verdict + re-seal its
|
|
107
|
-
> hash; inflate reported tokens + reuse the signature), and
|
|
108
|
-
>
|
|
109
|
-
>
|
|
115
|
+
> hash; inflate reported tokens + reuse the signature), and catches both offline with
|
|
116
|
+
> only the public key. On a real run, `cw telemetry verify <run>` re-proves the
|
|
117
|
+
> recorded ledger on disk — recomputing the chain so any later edit to a verdict or
|
|
118
|
+
> usage digest is caught; add `--pubkey <public.pem>` to re-run each attested hop's
|
|
119
|
+
> signature check offline too. I keep an
|
|
120
|
+
> honest [trust model & limitations](https://github.com/coo1white/cool-workflow/blob/main/plugins/cool-workflow/docs/trust-model.md)
|
|
121
|
+
> doc, including the single-keyholder ceiling.
|
|
110
122
|
>
|
|
111
123
|
> Other things it does: concurrent `parallel()` phases with declared collapse
|
|
112
124
|
> semantics (collect-all + kill-on-timeout — 16 agents with a forced hang/crash/
|
|
113
125
|
> dirty-return finish without deadlock and replay "who passed/who failed"), per-task
|
|
114
|
-
> output-schema gates, token budgets enforced against
|
|
126
|
+
> output-schema gates, token budgets enforced against the host's recorded usage
|
|
127
|
+
> (an opt-in gate fails closed on unattested telemetry), and a one-way
|
|
115
128
|
> executor boundary welded into the type system (a callable that could reach a model
|
|
116
129
|
> API fails `npm run build`).
|
|
117
130
|
>
|
|
118
|
-
> Runs anywhere Node runs; `dist/` is committed; BSD-2. It's early (v0.1.
|
|
131
|
+
> Runs anywhere Node runs; `dist/` is committed; BSD-2. It's early (v0.1.81) and I'd
|
|
119
132
|
> genuinely like to hear where the "delegate, prove, replay" model breaks down for
|
|
120
133
|
> your workflows.
|
|
121
134
|
>
|
|
@@ -134,8 +147,9 @@ catches both offline with only the public key. A control-plane that delegates
|
|
|
134
147
|
model execution but can still prove the bill is real.
|
|
135
148
|
|
|
136
149
|
3/ Also: concurrent batches that don't deadlock when an agent hangs, schema-gated
|
|
137
|
-
outputs, token budgets vs
|
|
138
|
-
API) enforced at compile time. Zero
|
|
150
|
+
outputs, token budgets vs the host's recorded usage (attested-telemetry gate is
|
|
151
|
+
opt-in), and a red line (never call a model API) enforced at compile time. Zero
|
|
152
|
+
deps, BSD-2.
|
|
139
153
|
→ https://github.com/coo1white/cool-workflow
|
|
140
154
|
|
|
141
155
|
---
|
|
@@ -146,20 +160,29 @@ API) enforced at compile time. Zero deps, BSD-2.
|
|
|
146
160
|
reported usage. The thing that *spends the money* is not the thing that *keeps
|
|
147
161
|
the books* — the property auditors require everywhere except, so far, agent
|
|
148
162
|
infra.
|
|
149
|
-
- **Offline
|
|
150
|
-
|
|
163
|
+
- **Offline verification.** No telemetry service to trust or breach. The record
|
|
164
|
+
proves its own integrity offline — re-proving the chain needs no key at all — and
|
|
165
|
+
the ed25519 attribution checks against the public key alone.
|
|
151
166
|
- **Replayable, not just logged.** CW breaks at dispatch and writes to disk, so a
|
|
152
167
|
run replays deterministically — "who passed / who failed" is reconstructable, not
|
|
153
|
-
a scrollback of a fused process.
|
|
168
|
+
a scrollback of a fused process. A finished run is portable and self-proving:
|
|
169
|
+
`cw run inspect-archive <archive>` re-proves every file digest, the manifest, and
|
|
170
|
+
the whole-archive hash without importing it; `cw run import` then
|
|
171
|
+
`cw run verify-import <run-id>` restores it and re-proves the restored digests +
|
|
172
|
+
telemetry chain — a tampered archive is caught before it is trusted.
|
|
154
173
|
- **Fail-closed by default where it counts.** Schema mismatch parks the hop;
|
|
155
174
|
unverifiable usage can be refused (opt-in); an empty-capture result can't be
|
|
156
175
|
presented as a clean commit.
|
|
176
|
+
- **Cross-vendor, and it actually boots.** One source manifest
|
|
177
|
+
(`manifest/plugin.manifest.json`) generates Claude / Codex / Gemini / OpenCode /
|
|
178
|
+
agents adapters, and `npm run manifest:load-check` boots all five (184 tools each)
|
|
179
|
+
— the neutrality moat is executable, not aspirational.
|
|
157
180
|
|
|
158
181
|
## Assets to capture before posting
|
|
159
182
|
|
|
160
183
|
- [ ] **Demo GIF** — reproducible, no manual screen-recording: `vhs
|
|
161
184
|
plugins/cool-workflow/docs/launch/demo.tape` → `docs/launch/demo-tamper.gif`,
|
|
162
|
-
then
|
|
185
|
+
then add it to the README hero (insert it near the badges/intro). The
|
|
163
186
|
✗ DETECTED lines are the hook.
|
|
164
187
|
- [ ] Confirm `npx cool-workflow demo tamper` works from a clean machine (no clone).
|
|
165
188
|
- [ ] Pin the npm version badge / release + provenance link in the first comment.
|
|
@@ -1,26 +1,20 @@
|
|
|
1
1
|
# Pre-Launch Checklist — Cool Workflow Show HN
|
|
2
2
|
|
|
3
|
-
Tick top to bottom; when it's done, post. The one non-negotiable gate is
|
|
3
|
+
Tick top to bottom; when it's done, post. The one non-negotiable gate is ②.
|
|
4
4
|
Copy for the post itself lives in [launch-kit.md](launch-kit.md) (the **✅ FINAL**
|
|
5
5
|
block).
|
|
6
6
|
|
|
7
|
-
## ①
|
|
8
|
-
|
|
9
|
-
- [ ] **Reboot the Mac** — clears the leaked ptys (`kern.tty.ptmx_max` was 511 with
|
|
10
|
-
527 allocated), so Terminal / VS Code can spawn shells again. Required before
|
|
11
|
-
the verification below.
|
|
12
|
-
|
|
13
|
-
## ② Prepare assets (optional, recommended)
|
|
7
|
+
## ① Prepare assets (optional, recommended)
|
|
14
8
|
|
|
15
9
|
- [ ] Install [vhs](https://github.com/charmbracelet/vhs) (`brew install vhs`).
|
|
16
10
|
- [ ] Record the GIF: `vhs plugins/cool-workflow/docs/launch/demo.tape` →
|
|
17
11
|
`docs/launch/demo-tamper.gif`.
|
|
18
|
-
- [ ]
|
|
19
|
-
``), commit + push.
|
|
12
|
+
- [ ] Add it to the README hero (insert
|
|
13
|
+
`` near the badges/intro), commit + push.
|
|
20
14
|
> Shippable without the GIF — the README's text `✗ DETECTED` hook already stands;
|
|
21
15
|
> the GIF is upside, not a blocker.
|
|
22
16
|
|
|
23
|
-
##
|
|
17
|
+
## ② Verify — the make-or-break gate (do not skip)
|
|
24
18
|
|
|
25
19
|
- [ ] On a **clean machine / fresh terminal**: `npx cool-workflow demo tamper`
|
|
26
20
|
prints `VERDICT: tamper-evidence holds ✓`.
|
|
@@ -28,20 +22,26 @@ block).
|
|
|
28
22
|
> non-negotiable check.
|
|
29
23
|
- [ ] Sanity: `npx cool-workflow quickstart architecture-review --repo . --question "risks?"`
|
|
30
24
|
→ `status: blocked` with no agent configured (fails closed, no crash).
|
|
25
|
+
- [ ] Resumable sanity: `cw quickstart architecture-review --resume` advances one step
|
|
26
|
+
then stops; `cw run resume <run-id> --drive` continues a stopped run — proving
|
|
27
|
+
runs break at dispatch and replay from disk.
|
|
31
28
|
|
|
32
|
-
##
|
|
29
|
+
## ③ Post (US morning, ~9–11am ET is peak)
|
|
33
30
|
|
|
34
31
|
- [ ] Open the **✅ FINAL** block in [launch-kit.md](launch-kit.md).
|
|
35
32
|
- [ ] HN title: `Show HN: Cool Workflow – tamper-evident telemetry for agent pipelines (npx demo)`
|
|
36
33
|
- [ ] URL field: `https://github.com/coo1white/cool-workflow`
|
|
37
34
|
- [ ] Immediately after posting, paste the FINAL "first comment" as the first reply.
|
|
38
35
|
|
|
39
|
-
##
|
|
36
|
+
## ④ First hour (decides the outcome)
|
|
40
37
|
|
|
41
38
|
- [ ] Watch and reply fast — early engagement weighs most on HN.
|
|
42
39
|
- [ ] On the "single key holder / no second party" critique (the audit flagged it
|
|
43
40
|
too): concede it honestly and frame it as exactly why you're looking for early
|
|
44
41
|
integration partners. **Turn the critique into an invitation; don't argue.**
|
|
42
|
+
> The canned, linkable answer is already written: [docs/trust-model.md](../trust-model.md)
|
|
43
|
+
> states the ceiling plainly (integrity ≠ source honesty; one party holding both
|
|
44
|
+
> roles; full local re-chain) and frames the partner ask. Link it; don't re-argue it.
|
|
45
45
|
- [ ] No vote-rigging, no asking friends to upvote, no deleting critical comments —
|
|
46
46
|
HN's anti-abuse will sink the post.
|
|
47
47
|
|
|
@@ -49,5 +49,5 @@ block).
|
|
|
49
49
|
|
|
50
50
|
### Go / no-go
|
|
51
51
|
|
|
52
|
-
> If
|
|
52
|
+
> If **② — `npx cool-workflow demo tamper` prints `✓` on a clean machine** — passes,
|
|
53
53
|
> you can post. Everything else is upside.
|
|
@@ -269,3 +269,8 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
|
|
|
269
269
|
## Fast Architecture Review (v0.1.80)
|
|
270
270
|
|
|
271
271
|
Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, reusable Map and Assess results, measurable wrapper metrics, actionable background full-review handoff, and userland model policy flags for routing fast/strong workers without changing the full review contract.
|
|
272
|
+
|
|
273
|
+
## New Both-Surface Verbs (v0.1.81)
|
|
274
|
+
|
|
275
|
+
v0.1.81 adds `audit verify` (`cw_audit_verify`) and `run inspect-archive` (`cw_run_inspect_archive`) — both declared once in the capability registry and exposed identically on the CLI and MCP, fail-closed (non-zero exit / `ok:false` on an unverified chain or a tampered archive).
|
|
276
|
+
_No changes in v0.1.82._
|
|
@@ -306,3 +306,6 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
|
|
|
306
306
|
## Fast Architecture Review (v0.1.80)
|
|
307
307
|
|
|
308
308
|
Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, reusable Map and Assess results, measurable wrapper metrics, actionable background full-review handoff, and userland model policy flags for routing fast/strong workers without changing the full review contract.
|
|
309
|
+
|
|
310
|
+
_No changes to the multi-agent eval/replay harness in v0.1.81 (the multi-agent-eval module was carved into behavior-preserving siblings; replay output is byte-identical)._
|
|
311
|
+
_v0.1.82 — replay now RE-DERIVES the projection from the raw captured state instead of copying the baseline, so a nondeterministic projection is caught instead of silently passing; a new regression smoke (including an intrinsic-nondeterminism case) proves the moat has teeth._
|
|
@@ -318,3 +318,6 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
|
|
|
318
318
|
## Fast Architecture Review (v0.1.80)
|
|
319
319
|
|
|
320
320
|
Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, reusable Map and Assess results, measurable wrapper metrics, actionable background full-review handoff, and userland model policy flags for routing fast/strong workers without changing the full review contract.
|
|
321
|
+
|
|
322
|
+
_No changes to the multi-agent operator UX surface in v0.1.81 (the operator-ux module was carved into behavior-preserving siblings; output is byte-identical)._
|
|
323
|
+
_No changes in v0.1.82._
|
|
@@ -115,6 +115,32 @@ Human output includes stable panels:
|
|
|
115
115
|
- Policy Violations
|
|
116
116
|
- Next Action
|
|
117
117
|
|
|
118
|
+
## Verify (fail-closed)
|
|
119
|
+
|
|
120
|
+
`audit summary` embeds an `integrity` field but is a *reader* — it always exits 0,
|
|
121
|
+
so it cannot gate a script. `audit verify` is the gate:
|
|
122
|
+
|
|
123
|
+
```bash
|
|
124
|
+
node scripts/cw.js audit verify <run-id> # exit 1 if the chain is forged
|
|
125
|
+
node scripts/cw.js audit verify <run-id> --json
|
|
126
|
+
```
|
|
127
|
+
|
|
128
|
+
It re-proves the run's trust-audit hash chain offline: it recomputes every event
|
|
129
|
+
hash from genesis, checks `prevEventHash` linkage, and catches the unchained-event
|
|
130
|
+
forgery (an `eventHash`-less line slipped into a chained log to be waved through as
|
|
131
|
+
"legacy"). The JSON reports `present`, `verified`, `eventCount`, `chained`,
|
|
132
|
+
`unchained`, `corruptLines`, and `failedChecks[]`.
|
|
133
|
+
|
|
134
|
+
Exit-code contract (the peer of `telemetry verify`):
|
|
135
|
+
|
|
136
|
+
- ANY **unverified** chain exits **1** — forged / edited / truncated / unchained-injected,
|
|
137
|
+
*and* a fully-corrupt log (every line unparseable, which reports `present:false` but
|
|
138
|
+
`verified:false`). The gate keys on `verified`, not `present`, so the most severe
|
|
139
|
+
tamper — garbling the whole log — cannot escape by looking "absent". So
|
|
140
|
+
`cw audit verify <run> && deploy` stops on tampering.
|
|
141
|
+
- Only a truly **absent / empty** chain is `verified:true` / exit **0** — a run with
|
|
142
|
+
no audit log (or a blank one) has nothing to prove (no false-red).
|
|
143
|
+
|
|
118
144
|
## MCP
|
|
119
145
|
|
|
120
146
|
MCP parity tools:
|
|
@@ -128,6 +154,7 @@ MCP parity tools:
|
|
|
128
154
|
The older audit tools remain available:
|
|
129
155
|
|
|
130
156
|
- `cw_audit_summary`
|
|
157
|
+
- `cw_audit_verify` — fail-closed re-prove of the trust-audit hash chain (peer of `cw_telemetry_verify`)
|
|
131
158
|
- `cw_audit_worker`
|
|
132
159
|
- `cw_audit_provenance`
|
|
133
160
|
- `cw_audit_attest`
|
|
@@ -139,3 +139,6 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
|
|
|
139
139
|
## Fast Architecture Review (v0.1.80)
|
|
140
140
|
|
|
141
141
|
Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, reusable Map and Assess results, measurable wrapper metrics, actionable background full-review handoff, and userland model policy flags for routing fast/strong workers without changing the full review contract.
|
|
142
|
+
|
|
143
|
+
_No changes to node-snapshot diff/replay in v0.1.81._
|
|
144
|
+
_No behavioral change in v0.1.82 (the node projection field set was unified into one source of truth; snapshot/replay digests are byte-identical)._
|
|
@@ -198,3 +198,6 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
|
|
|
198
198
|
## Fast Architecture Review (v0.1.80)
|
|
199
199
|
|
|
200
200
|
Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, reusable Map and Assess results, measurable wrapper metrics, actionable background full-review handoff, and userland model policy flags for routing fast/strong workers without changing the full review contract.
|
|
201
|
+
|
|
202
|
+
_No changes to the observability + cost-accounting surface in v0.1.81 (the observability module was carved into behavior-preserving siblings; output is byte-identical)._
|
|
203
|
+
_No changes in v0.1.82._
|
package/docs/project-index.md
CHANGED
|
@@ -1,15 +1,15 @@
|
|
|
1
1
|
# Cool Workflow Project Index
|
|
2
2
|
|
|
3
|
-
Generated from the current repository code on 2026-06-
|
|
3
|
+
Generated from the current repository code on 2026-06-15 by `npm run sync:project-index`.
|
|
4
4
|
|
|
5
5
|
## Snapshot
|
|
6
6
|
|
|
7
7
|
- Package: `cool-workflow`
|
|
8
|
-
- Version: `0.1.
|
|
9
|
-
- Source modules: `
|
|
8
|
+
- Version: `0.1.82`
|
|
9
|
+
- Source modules: `61`
|
|
10
10
|
- Workflow apps: `7`
|
|
11
|
-
- Docs: `
|
|
12
|
-
- Smoke tests: `
|
|
11
|
+
- Docs: `49`
|
|
12
|
+
- Smoke tests: `87`
|
|
13
13
|
- Repository: https://github.com/coo1white/cool-workflow
|
|
14
14
|
|
|
15
15
|
## Architecture
|
|
@@ -82,17 +82,19 @@ multi-agent host -> topology -> blackboard/coordinator
|
|
|
82
82
|
|
|
83
83
|
- [agent-config.ts](../src/agent-config.ts)
|
|
84
84
|
- [capability-core.ts](../src/capability-core.ts)
|
|
85
|
-
- [capability-dispatcher.ts](../src/capability-dispatcher.ts)
|
|
86
85
|
- [capability-registry.ts](../src/capability-registry.ts)
|
|
87
86
|
- [collaboration.ts](../src/collaboration.ts)
|
|
87
|
+
- [compare.ts](../src/compare.ts)
|
|
88
88
|
- [contract-migration.ts](../src/contract-migration.ts)
|
|
89
89
|
- [drive.ts](../src/drive.ts)
|
|
90
90
|
- [evidence-grounding.ts](../src/evidence-grounding.ts)
|
|
91
91
|
- [evidence-reasoning.ts](../src/evidence-reasoning.ts)
|
|
92
92
|
- [execution-backend.ts](../src/execution-backend.ts)
|
|
93
|
+
- [gates.ts](../src/gates.ts)
|
|
93
94
|
- [multi-agent-eval.ts](../src/multi-agent-eval.ts)
|
|
94
95
|
- [multi-agent-operator-ux.ts](../src/multi-agent-operator-ux.ts)
|
|
95
96
|
- [multi-agent-trust.ts](../src/multi-agent-trust.ts)
|
|
97
|
+
- [node-projection.ts](../src/node-projection.ts)
|
|
96
98
|
- [node-snapshot.ts](../src/node-snapshot.ts)
|
|
97
99
|
- [observability.ts](../src/observability.ts)
|
|
98
100
|
- [reclamation.ts](../src/reclamation.ts)
|
|
@@ -107,6 +109,7 @@ multi-agent host -> topology -> blackboard/coordinator
|
|
|
107
109
|
- [telemetry-attestation.ts](../src/telemetry-attestation.ts)
|
|
108
110
|
- [telemetry-demo.ts](../src/telemetry-demo.ts)
|
|
109
111
|
- [telemetry-ledger.ts](../src/telemetry-ledger.ts)
|
|
112
|
+
- [validation.ts](../src/validation.ts)
|
|
110
113
|
- [verifier-registry.ts](../src/verifier-registry.ts)
|
|
111
114
|
- [workbench-host.ts](../src/workbench-host.ts)
|
|
112
115
|
- [workbench.ts](../src/workbench.ts)
|
|
@@ -167,7 +170,9 @@ multi-agent host -> topology -> blackboard/coordinator
|
|
|
167
170
|
- [State Explosion Management](state-explosion-management.7.md)
|
|
168
171
|
- [STATE-NODE(7)](state-node.7.md)
|
|
169
172
|
- [Team Collaboration](team-collaboration.7.md)
|
|
173
|
+
- [Trust Model & Limitations](trust-model.md)
|
|
170
174
|
- [Unix-Inspired Workflow Principles](unix-principles.md)
|
|
175
|
+
- [Vendor Manifest Loadability](vendor-manifest-loadability.7.md)
|
|
171
176
|
- [VERIFIER-GATED-COMMIT(7)](verifier-gated-commit.7.md)
|
|
172
177
|
- [Web / Desktop Workbench](web-desktop-workbench.7.md)
|
|
173
178
|
- [WORKER-ISOLATION(7)](worker-isolation.7.md)
|
|
@@ -181,17 +186,20 @@ Smoke tests mirror the public contracts. The high-signal suites are:
|
|
|
181
186
|
- [architecture-review-fast-automation-smoke.js](../test/architecture-review-fast-automation-smoke.js)
|
|
182
187
|
- [architecture-review-fast-smoke.js](../test/architecture-review-fast-smoke.js)
|
|
183
188
|
- [artifact-integrity-smoke.js](../test/artifact-integrity-smoke.js)
|
|
189
|
+
- [audit-verify-smoke.js](../test/audit-verify-smoke.js)
|
|
184
190
|
- [backend-registry-smoke.js](../test/backend-registry-smoke.js)
|
|
185
191
|
- [block-unapproved-tag-smoke.js](../test/block-unapproved-tag-smoke.js)
|
|
186
192
|
- [candidate-scoring-smoke.js](../test/candidate-scoring-smoke.js)
|
|
187
193
|
- [canonical-workflow-apps-smoke.js](../test/canonical-workflow-apps-smoke.js)
|
|
188
194
|
- [claude-p-agent-wrapper-smoke.js](../test/claude-p-agent-wrapper-smoke.js)
|
|
195
|
+
- [cli-jsonmode-parity-smoke.js](../test/cli-jsonmode-parity-smoke.js)
|
|
189
196
|
- [cli-mcp-parity-smoke.js](../test/cli-mcp-parity-smoke.js)
|
|
190
197
|
- [concurrent-failure-semantics-smoke.js](../test/concurrent-failure-semantics-smoke.js)
|
|
191
198
|
- [concurrent-workflow-dsl-smoke.js](../test/concurrent-workflow-dsl-smoke.js)
|
|
192
199
|
- [contract-migration-tooling-smoke.js](../test/contract-migration-tooling-smoke.js)
|
|
193
200
|
- [control-plane-scheduling-smoke.js](../test/control-plane-scheduling-smoke.js)
|
|
194
201
|
- [coordinator-blackboard-smoke.js](../test/coordinator-blackboard-smoke.js)
|
|
202
|
+
- [det-ids-b-smoke.js](../test/det-ids-b-smoke.js)
|
|
195
203
|
- [dogfood-release-smoke.js](../test/dogfood-release-smoke.js)
|
|
196
204
|
- [durable-atomic-write-smoke.js](../test/durable-atomic-write-smoke.js)
|
|
197
205
|
- [end-to-end-demo-smoke.js](../test/end-to-end-demo-smoke.js)
|
|
@@ -201,8 +209,11 @@ Smoke tests mirror the public contracts. The high-signal suites are:
|
|
|
201
209
|
- [evidence-adoption-reasoning-smoke.js](../test/evidence-adoption-reasoning-smoke.js)
|
|
202
210
|
- [evidence-content-extraction-smoke.js](../test/evidence-content-extraction-smoke.js)
|
|
203
211
|
- [execution-backends-smoke.js](../test/execution-backends-smoke.js)
|
|
212
|
+
- [freebsd-audit-fixes-smoke.js](../test/freebsd-audit-fixes-smoke.js)
|
|
213
|
+
- [h7-custom-profile-persist-smoke.js](../test/h7-custom-profile-persist-smoke.js)
|
|
204
214
|
- [mcp-app-surface-smoke.js](../test/mcp-app-surface-smoke.js)
|
|
205
215
|
- [multi-agent-cli-mcp-surface-smoke.js](../test/multi-agent-cli-mcp-surface-smoke.js)
|
|
216
|
+
- [multi-agent-eval-determinism-regression-smoke.js](../test/multi-agent-eval-determinism-regression-smoke.js)
|
|
206
217
|
- [multi-agent-eval-replay-harness-smoke.js](../test/multi-agent-eval-replay-harness-smoke.js)
|
|
207
218
|
- [multi-agent-eval-replay-smoke.js](../test/multi-agent-eval-replay-smoke.js)
|
|
208
219
|
- [multi-agent-operator-ux-smoke.js](../test/multi-agent-operator-ux-smoke.js)
|
|
@@ -229,7 +240,10 @@ Smoke tests mirror the public contracts. The high-signal suites are:
|
|
|
229
240
|
- [run-export-restore-rerun-smoke.js](../test/run-export-restore-rerun-smoke.js)
|
|
230
241
|
- [run-export-restore-resume-smoke.js](../test/run-export-restore-resume-smoke.js)
|
|
231
242
|
- [run-fixture-compat-smoke.js](../test/run-fixture-compat-smoke.js)
|
|
243
|
+
- [run-import-tamper-failclosed-smoke.js](../test/run-import-tamper-failclosed-smoke.js)
|
|
244
|
+
- [run-inspect-archive-smoke.js](../test/run-inspect-archive-smoke.js)
|
|
232
245
|
- [run-registry-control-plane-smoke.js](../test/run-registry-control-plane-smoke.js)
|
|
246
|
+
- [run-resume-drive-smoke.js](../test/run-resume-drive-smoke.js)
|
|
233
247
|
- [run-retention-reclamation-smoke.js](../test/run-retention-reclamation-smoke.js)
|
|
234
248
|
- [sandbox-profile-smoke.js](../test/sandbox-profile-smoke.js)
|
|
235
249
|
- [schedule-routine-daemon-smoke.js](../test/schedule-routine-daemon-smoke.js)
|
|
@@ -246,8 +260,11 @@ Smoke tests mirror the public contracts. The high-signal suites are:
|
|
|
246
260
|
- [telemetry-fail-closed-smoke.js](../test/telemetry-fail-closed-smoke.js)
|
|
247
261
|
- [telemetry-ledger-smoke.js](../test/telemetry-ledger-smoke.js)
|
|
248
262
|
- [telemetry-metrics-coverage-smoke.js](../test/telemetry-metrics-coverage-smoke.js)
|
|
263
|
+
- [telemetry-verify-signatures-smoke.js](../test/telemetry-verify-signatures-smoke.js)
|
|
249
264
|
- [token-budget-enforcement-smoke.js](../test/token-budget-enforcement-smoke.js)
|
|
265
|
+
- [vendor-manifest-load-smoke.js](../test/vendor-manifest-load-smoke.js)
|
|
250
266
|
- [verifier-gated-commit-smoke.js](../test/verifier-gated-commit-smoke.js)
|
|
267
|
+
- [verify-import-audit-chain-smoke.js](../test/verify-import-audit-chain-smoke.js)
|
|
251
268
|
- [web-desktop-workbench-smoke.js](../test/web-desktop-workbench-smoke.js)
|
|
252
269
|
- [worker-isolation-smoke.js](../test/worker-isolation-smoke.js)
|
|
253
270
|
- [worker-retry-count-smoke.js](../test/worker-retry-count-smoke.js)
|
|
@@ -146,3 +146,6 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
|
|
|
146
146
|
## Fast Architecture Review (v0.1.80)
|
|
147
147
|
|
|
148
148
|
Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, reusable Map and Assess results, measurable wrapper metrics, actionable background full-review handoff, and userland model policy flags for routing fast/strong workers without changing the full review contract.
|
|
149
|
+
|
|
150
|
+
_No changes to the real execution backends in v0.1.81._
|
|
151
|
+
_No behavioral change in v0.1.82 (delegated child programs extracted to `scripts/children/`; spawn behavior byte-identical)._
|
|
@@ -284,3 +284,8 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
|
|
|
284
284
|
## Fast Architecture Review (v0.1.80)
|
|
285
285
|
|
|
286
286
|
Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, reusable Map and Assess results, measurable wrapper metrics, actionable background full-review handoff, and userland model policy flags for routing fast/strong workers without changing the full review contract.
|
|
287
|
+
|
|
288
|
+
## Migration Compatibility (v0.1.81)
|
|
289
|
+
|
|
290
|
+
v0.1.81 is additive: every change is a new flag/verb/env (`audit verify`, `run inspect-archive`, `verify-import --strict`, `CW_REQUIRE_ARCHIVE_INTEGRITY`, `quickstart --resume`, `run resume --drive`) or an internal behavior-preserving carve. Run-state schema, existing outputs, files, and exit codes are byte-identical, so runs and archives from prior versions load and verify unchanged. No migration action is required.
|
|
291
|
+
_No changes in v0.1.82._
|
|
@@ -133,8 +133,10 @@ inherits the agent's own credentials, and imports no model SDK — the red line.
|
|
|
133
133
|
```bash
|
|
134
134
|
# check only (gate + independent review, no mutation):
|
|
135
135
|
node plugins/cool-workflow/scripts/release-flow.js --check
|
|
136
|
-
# cut a tag once review is green:
|
|
137
|
-
node plugins/cool-workflow/scripts/release-flow.js --cut --version 0.1.77 [--push]
|
|
136
|
+
# cut a tag once review is green (when --push, also creates the GitHub Release):
|
|
137
|
+
node plugins/cool-workflow/scripts/release-flow.js --cut --version 0.1.77 [--push] [--no-release]
|
|
138
|
+
# backfill / re-create the GitHub Release for an already-pushed tag (no gate/cut):
|
|
139
|
+
node plugins/cool-workflow/scripts/release-flow.js --release --version 0.1.77 [--soft]
|
|
138
140
|
```
|
|
139
141
|
|
|
140
142
|
The per-platform difference is config, not code — set the reviewer agent:
|
|
@@ -152,6 +154,34 @@ also get generated MCP manifests (`.gemini-plugin/`, `.opencode-plugin/`) so the
|
|
|
152
154
|
`cw_*` tools are available as MCP tools in those hosts. The verdict path
|
|
153
155
|
(`.cw-release/review-<sha>.verdict`) and the tag-push CI backstop are unchanged.
|
|
154
156
|
|
|
157
|
+
### GitHub Release finishing step
|
|
158
|
+
|
|
159
|
+
A `--cut --push` finishes by creating the **GitHub Release** for the tag, and
|
|
160
|
+
`--release --version x.y.z` creates-or-skips one for an already-pushed tag
|
|
161
|
+
(backfill). The notes body is assembled from the `## x.y.z` CHANGELOG section as
|
|
162
|
+
shipped at the tag, the independent reviewer's one-line capability, and a
|
|
163
|
+
"Provenance & audit" footer linking the reviewed commit, the **committed** reviewer
|
|
164
|
+
verdict, the full diff, and the provenance-attested npm version.
|
|
165
|
+
|
|
166
|
+
This step is **distribution upside, not a correctness gate**: the load-bearing
|
|
167
|
+
artifacts (the tag and the provenance-attested npm publish) already exist when it
|
|
168
|
+
runs. Therefore `gh` is **not** part of the node/git portability floor — it runs
|
|
169
|
+
ONLY in the human `--cut --push` / `--release` paths (never a gate or CI path) and
|
|
170
|
+
is **idempotent** (skips if the Release already exists).
|
|
171
|
+
|
|
172
|
+
Failure semantics differ by mode: in the **`--cut --push` finishing step** an
|
|
173
|
+
absent/unauthenticated/erroring `gh` **skips with a stderr note and never fails the
|
|
174
|
+
cut** (the tag and npm publish stand) — opt out entirely with `--no-release`. In the
|
|
175
|
+
explicit **`--release` backfill** it **fails closed** (exit 1) with guidance, since
|
|
176
|
+
the operator asked for it directly; add `--soft` to downgrade `--release` to the same
|
|
177
|
+
best-effort skip-not-fail behavior.
|
|
178
|
+
|
|
179
|
+
Honesty: the notes claim the gated flow ("independent release-reviewer, verdict
|
|
180
|
+
above") **only when a committed `APPROVED` verdict is found at the tag**; backfilling
|
|
181
|
+
an ungated tag emits a neutral caveat instead and warns on stderr — the notes never
|
|
182
|
+
assert a review that isn't there. Test seam: `CW_RELEASE_FLOW_GH_CMD` swaps the `gh`
|
|
183
|
+
binary for a stub (spawned `shell:false`) so the smoke exercises it offline.
|
|
184
|
+
|
|
155
185
|
0.1.51
|
|
156
186
|
|
|
157
187
|
0.1.76
|
|
@@ -163,3 +193,6 @@ also get generated MCP manifests (`.gemini-plugin/`, `.opencode-plugin/`) so the
|
|
|
163
193
|
## Fast Architecture Review (v0.1.80)
|
|
164
194
|
|
|
165
195
|
Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, reusable Map and Assess results, measurable wrapper metrics, actionable background full-review handoff, and userland model policy flags for routing fast/strong workers without changing the full review contract.
|
|
196
|
+
|
|
197
|
+
_No changes to the release-flow tooling in v0.1.81; this release was cut through the existing gate->review->tag flow._
|
|
198
|
+
_No changes to the release-tooling contract in v0.1.82._
|