cool-workflow 0.1.80 → 0.1.82

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (122) hide show
  1. package/.claude-plugin/plugin.json +1 -1
  2. package/.codex-plugin/plugin.json +1 -1
  3. package/README.md +42 -2
  4. package/apps/architecture-review/app.json +1 -1
  5. package/apps/architecture-review-fast/app.json +1 -1
  6. package/apps/end-to-end-golden-path/app.json +1 -1
  7. package/apps/pr-review-fix-ci/app.json +1 -1
  8. package/apps/release-cut/app.json +1 -1
  9. package/apps/research-synthesis/app.json +1 -1
  10. package/dist/agent-config.js +21 -7
  11. package/dist/candidate-scoring.js +62 -48
  12. package/dist/capability-core.js +152 -96
  13. package/dist/capability-registry.js +160 -174
  14. package/dist/cli.js +90 -100
  15. package/dist/collaboration.js +5 -6
  16. package/dist/commit.js +232 -209
  17. package/dist/compare.js +18 -0
  18. package/dist/coordinator/classify.js +45 -0
  19. package/dist/coordinator/paths.js +42 -0
  20. package/dist/coordinator/util.js +126 -0
  21. package/dist/coordinator.js +127 -300
  22. package/dist/dispatch.js +46 -3
  23. package/dist/drive.js +7 -7
  24. package/dist/error-feedback.js +8 -4
  25. package/dist/evidence-reasoning.js +5 -2
  26. package/dist/execution-backend/agent.js +294 -0
  27. package/dist/execution-backend/probes.js +96 -0
  28. package/dist/execution-backend/util.js +47 -0
  29. package/dist/execution-backend.js +77 -450
  30. package/dist/gates.js +48 -0
  31. package/dist/mcp-server.js +34 -173
  32. package/dist/multi-agent/graph.js +84 -0
  33. package/dist/multi-agent/helpers.js +141 -0
  34. package/dist/multi-agent/ids.js +20 -0
  35. package/dist/multi-agent/paths.js +22 -0
  36. package/dist/multi-agent-eval/format.js +194 -0
  37. package/dist/multi-agent-eval/normalize.js +51 -0
  38. package/dist/multi-agent-eval.js +63 -242
  39. package/dist/multi-agent-host.js +53 -40
  40. package/dist/multi-agent-operator-ux.js +2 -1
  41. package/dist/multi-agent-trust.js +5 -5
  42. package/dist/multi-agent.js +125 -314
  43. package/dist/node-projection.js +59 -0
  44. package/dist/node-snapshot.js +11 -21
  45. package/dist/observability/format.js +61 -0
  46. package/dist/observability/intake.js +98 -0
  47. package/dist/observability.js +14 -160
  48. package/dist/operator-ux/format.js +364 -0
  49. package/dist/operator-ux.js +22 -363
  50. package/dist/orchestrator/lifecycle-operations.js +22 -1
  51. package/dist/orchestrator/report.js +8 -0
  52. package/dist/orchestrator.js +41 -10
  53. package/dist/reclamation.js +32 -55
  54. package/dist/run-export.js +138 -14
  55. package/dist/run-registry/derive.js +172 -0
  56. package/dist/run-registry/format.js +124 -0
  57. package/dist/run-registry/gc.js +251 -0
  58. package/dist/run-registry/policy.js +16 -0
  59. package/dist/run-registry/queue.js +116 -0
  60. package/dist/run-registry.js +78 -593
  61. package/dist/run-state-schema.js +1 -0
  62. package/dist/sandbox-profile.js +43 -2
  63. package/dist/scheduler.js +34 -4
  64. package/dist/state-explosion/format.js +159 -0
  65. package/dist/state-explosion/helpers.js +82 -0
  66. package/dist/state-explosion.js +65 -283
  67. package/dist/state-node.js +19 -4
  68. package/dist/telemetry-attestation.js +55 -0
  69. package/dist/telemetry-demo.js +15 -3
  70. package/dist/telemetry-ledger.js +60 -15
  71. package/dist/topology.js +50 -12
  72. package/dist/triggers.js +33 -14
  73. package/dist/trust-audit.js +215 -71
  74. package/dist/validation.js +328 -0
  75. package/dist/version.js +1 -1
  76. package/dist/worker-isolation/helpers.js +51 -0
  77. package/dist/worker-isolation/paths.js +46 -0
  78. package/dist/worker-isolation.js +182 -173
  79. package/docs/agent-delegation-drive.7.md +14 -0
  80. package/docs/cli-mcp-parity.7.md +5 -0
  81. package/docs/contract-migration-tooling.7.md +3 -0
  82. package/docs/control-plane-scheduling.7.md +3 -0
  83. package/docs/dogfood/resume-drive-real-agent-2026-06-14.md +40 -0
  84. package/docs/durable-state-and-locking.7.md +5 -0
  85. package/docs/evidence-adoption-reasoning-chain.7.md +3 -0
  86. package/docs/execution-backends.7.md +3 -0
  87. package/docs/index.md +1 -0
  88. package/docs/launch/launch-kit.md +46 -23
  89. package/docs/launch/pre-launch-checklist.md +14 -14
  90. package/docs/multi-agent-cli-mcp-surface.7.md +5 -0
  91. package/docs/multi-agent-eval-replay-harness.7.md +3 -0
  92. package/docs/multi-agent-operator-ux.7.md +3 -0
  93. package/docs/multi-agent-trust-policy-audit.7.md +27 -0
  94. package/docs/node-snapshot-diff-replay.7.md +3 -0
  95. package/docs/observability-cost-accounting.7.md +3 -0
  96. package/docs/project-index.md +23 -6
  97. package/docs/real-execution-backends.7.md +3 -0
  98. package/docs/release-and-migration.7.md +5 -0
  99. package/docs/release-tooling.7.md +35 -2
  100. package/docs/run-registry-control-plane.7.md +55 -8
  101. package/docs/run-retention-reclamation.7.md +5 -0
  102. package/docs/state-explosion-management.7.md +3 -0
  103. package/docs/team-collaboration.7.md +3 -0
  104. package/docs/trust-model.md +267 -0
  105. package/docs/vendor-manifest-loadability.7.md +43 -0
  106. package/docs/web-desktop-workbench.7.md +3 -0
  107. package/manifest/plugin.manifest.json +1 -1
  108. package/manifest/source-context-profiles.json +1 -1
  109. package/package.json +4 -2
  110. package/scripts/agents/builtin-templates.json +7 -0
  111. package/scripts/bump-version.js +5 -11
  112. package/scripts/canonical-apps-list.js +64 -0
  113. package/scripts/canonical-apps.js +19 -4
  114. package/scripts/children/batch-delegate-child.js +58 -0
  115. package/scripts/children/http-delegate-child.js +39 -0
  116. package/scripts/dogfood-release.js +1 -1
  117. package/scripts/golden-path.js +4 -4
  118. package/scripts/parity-check.js +5 -0
  119. package/scripts/release-check.js +5 -1
  120. package/scripts/release-flow.js +181 -5
  121. package/scripts/version-sync-check.js +5 -8
  122. package/dist/capability-dispatcher.js +0 -86
package/dist/dispatch.js CHANGED
@@ -32,6 +32,12 @@ function createDispatchManifest(run, limit, options = {}) {
32
32
  const requestedSandboxProfileId = options.sandboxProfileId || options.sandbox;
33
33
  const sandboxProfileId = String(requestedSandboxProfileId || sandbox_profile_1.DEFAULT_SANDBOX_PROFILE_ID);
34
34
  (0, sandbox_profile_1.resolveSandboxProfileById)(sandboxProfileId, (0, sandbox_profile_1.sandboxContextForValidation)(run.cwd));
35
+ // H7: if the requested profile is a CUSTOM profile loaded from a FILE (non-bundled,
36
+ // existing file), persist its DEFINITION on run.customSandboxProfiles keyed by the
37
+ // definition's logical id. This makes the custom profile durable with run state so a
38
+ // worker boundary can re-resolve it by logical id after a scope snapshot is lost
39
+ // (re-resolving against the worker context, not the dispatch-time file path).
40
+ persistCustomSandboxProfile(run, sandboxProfileId);
35
41
  // Resolve the execution backend once (mechanism vs policy): the kernel records
36
42
  // WHICH backend was selected; it never branches on which one. Defaults to node
37
43
  // (behavior-preserving) when no `--backend` flag / CW_BACKEND env is set.
@@ -49,7 +55,7 @@ function createDispatchManifest(run, limit, options = {}) {
49
55
  backendSelection
50
56
  };
51
57
  }
52
- const dispatchId = createDispatchId();
58
+ const dispatchId = createDispatchId(run);
53
59
  const manifestPath = node_path_1.default.join(run.paths.dispatchesDir, `${dispatchId}.json`);
54
60
  node_fs_1.default.mkdirSync(run.paths.dispatchesDir, { recursive: true });
55
61
  const taskIds = new Set(tasks.map((task) => task.id));
@@ -195,7 +201,44 @@ function formatDispatchTask(task) {
195
201
  multiAgent: task.multiAgent
196
202
  };
197
203
  }
198
- function createDispatchId() {
204
+ // Deterministic dispatch id (replay-determinism self-audit): the wall-clock stamp
205
+ // is an edge timestamp (stripped on replay), but the former Math.random() suffix
206
+ // made every dispatch mint a non-reproducible id. The suffix is now a per-run
207
+ // sequence — the count of dispatches already allocated on this run — so re-running
208
+ // the same workflow yields byte-identical dispatch ids while each dispatch within a
209
+ // run still gets a distinct, monotonically increasing id. Mirrors the de-clock done
210
+ // for worker ids in src/worker-isolation/paths.ts.
211
+ function createDispatchId(run) {
199
212
  const stamp = new Date().toISOString().replace(/[-:]/g, "").replace(/\..+/, "Z");
200
- return `dispatch-${stamp}-${Math.random().toString(36).slice(2, 8)}`;
213
+ const seq = (run.dispatches?.length || 0) + 1;
214
+ return `dispatch-${stamp}-${String(seq).padStart(4, "0")}`;
215
+ }
216
+ // H7: persist a CUSTOM sandbox profile DEFINITION (loaded from a FILE at dispatch)
217
+ // onto run.customSandboxProfiles, keyed by the definition's logical id. Only fires
218
+ // for a non-bundled id that resolves to a readable, valid profile file. The
219
+ // resolveSandboxProfileById call above has already validated the file (it throws on
220
+ // invalid), so this re-parses only to recover the raw DEFINITION — we store the
221
+ // definition (not a resolved policy) so worker-specific path tokens re-bind to the
222
+ // correct worker context on every later re-resolve. Bundled ids and unknown ids are
223
+ // left untouched, so this never shadows a bundled profile or masks a fail-closed.
224
+ function persistCustomSandboxProfile(run, requested) {
225
+ if (!requested || (0, sandbox_profile_1.isBundledSandboxProfileId)(requested))
226
+ return;
227
+ const absolute = node_path_1.default.resolve(requested);
228
+ if (!node_fs_1.default.existsSync(absolute) || !node_fs_1.default.statSync(absolute).isFile())
229
+ return;
230
+ const validation = (0, sandbox_profile_1.validateSandboxProfileFile)(requested, (0, sandbox_profile_1.sandboxContextForValidation)(run.cwd));
231
+ if (!validation.valid || !validation.profile)
232
+ return;
233
+ let definition;
234
+ try {
235
+ definition = JSON.parse(node_fs_1.default.readFileSync(absolute, "utf8"));
236
+ }
237
+ catch {
238
+ return;
239
+ }
240
+ if (!definition || typeof definition !== "object" || typeof definition.id !== "string" || !definition.id)
241
+ return;
242
+ run.customSandboxProfiles = run.customSandboxProfiles || {};
243
+ run.customSandboxProfiles[definition.id] = definition;
201
244
  }
package/dist/drive.js CHANGED
@@ -39,6 +39,7 @@ const agent_config_1 = require("./agent-config");
39
39
  const scheduling_1 = require("./scheduling");
40
40
  const observability_1 = require("./observability");
41
41
  const state_1 = require("./state");
42
+ const compare_1 = require("./compare");
42
43
  exports.DRIVE_SCHEMA_VERSION = 1;
43
44
  /** The task the next drive step would advance: a RUNNING (already-dispatched,
44
45
  * awaiting fulfillment / retry) task first, else the next PENDING task in the
@@ -209,7 +210,7 @@ function processSelectedTask(ctx, selected, preparedOutcome) {
209
210
  runner.recordWorkerOutput(runId, workerId, manifest.resultPath, {});
210
211
  }
211
212
  catch (error) {
212
- return handleHop(ctx, selected, workerId, `result cache rejected: ${error instanceof Error ? error.message : String(error)}`, dispatched);
213
+ return handleHop(ctx, selected, workerId, `result cache rejected: ${error instanceof Error ? error.message : String(error)}`);
213
214
  }
214
215
  return step("accept", "ok", {
215
216
  runId,
@@ -226,13 +227,13 @@ function processSelectedTask(ctx, selected, preparedOutcome) {
226
227
  const reportedUsage = handle?.metadata?.reportedUsage;
227
228
  const usageSignature = handle?.metadata?.usageSignature;
228
229
  if (envelope.status !== "completed") {
229
- return handleHop(ctx, selected, workerId, `agent hop ${envelope.status}: ${envelope.result.summary}`, dispatched);
230
+ return handleHop(ctx, selected, workerId, `agent hop ${envelope.status}: ${envelope.result.summary}`);
230
231
  }
231
232
  // 3. ACCEPT — the SEPARATE recordWorkerOutput layer validates + records result.md.
232
233
  // A missing result.md is a failed hop (pre-checked so no terminal side effect);
233
234
  // an invalid result.md throws at validation BEFORE any state mutation.
234
235
  if (!manifest.resultPath || !node_fs_1.default.existsSync(manifest.resultPath)) {
235
- return handleHop(ctx, selected, workerId, "agent produced no result.md", dispatched);
236
+ return handleHop(ctx, selected, workerId, "agent produced no result.md");
236
237
  }
237
238
  try {
238
239
  runner.recordWorkerOutput(runId, workerId, manifest.resultPath, {
@@ -254,7 +255,7 @@ function processSelectedTask(ctx, selected, preparedOutcome) {
254
255
  });
255
256
  }
256
257
  catch (error) {
257
- return handleHop(ctx, selected, workerId, `result.md rejected: ${error instanceof Error ? error.message : String(error)}`, dispatched);
258
+ return handleHop(ctx, selected, workerId, `result.md rejected: ${error instanceof Error ? error.message : String(error)}`);
258
259
  }
259
260
  if (cachePath && manifest.resultPath && node_fs_1.default.existsSync(manifest.resultPath)) {
260
261
  writeResultCache(cachePath, node_fs_1.default.readFileSync(manifest.resultPath, "utf8"));
@@ -299,7 +300,7 @@ function completedResultsCacheDigest(run, task) {
299
300
  const previousTaskIds = new Set(run.phases.slice(0, phaseIndex).flatMap((phase) => phase.taskIds));
300
301
  const records = run.tasks
301
302
  .filter((candidate) => previousTaskIds.has(candidate.id))
302
- .sort((a, b) => a.id.localeCompare(b.id))
303
+ .sort((a, b) => (0, compare_1.compareBytes)(a.id, b.id))
303
304
  .map((candidate) => {
304
305
  if (candidate.status !== "completed" || !candidate.resultPath || !node_fs_1.default.existsSync(candidate.resultPath))
305
306
  return undefined;
@@ -411,7 +412,7 @@ function prepareConcurrentOutcomes(ctx, batch) {
411
412
  }
412
413
  /** A failed agent hop: charge one attempt and (reuse v0.1.37 retryOrPark) either
413
414
  * retry on the SAME worker scope next step, or PARK past the retry budget. */
414
- function handleHop(ctx, task, workerId, reason, dispatched) {
415
+ function handleHop(ctx, task, workerId, reason) {
415
416
  const persisted = ctx.runner.showWorker(ctx.runId, workerId).retryCount || 0;
416
417
  const prior = Math.max(ctx.attempts.get(task.id) || 0, persisted);
417
418
  const entry = {
@@ -444,7 +445,6 @@ function handleHop(ctx, task, workerId, reason, dispatched) {
444
445
  });
445
446
  }
446
447
  // Retryable: leave the task running (scope reused) for the next step.
447
- void dispatched;
448
448
  (0, worker_isolation_1.recordWorkerRetryAttempt)(ctx.runner.loadRun(ctx.runId), workerId, decided.attempts || prior + 1, reason);
449
449
  return step("fulfill", "failed", {
450
450
  runId: ctx.runId,
@@ -97,7 +97,7 @@ function recordFeedback(run, input, options = {}) {
97
97
  const now = new Date().toISOString();
98
98
  const record = {
99
99
  schemaVersion: exports.ERROR_FEEDBACK_SCHEMA_VERSION,
100
- id: createFeedbackId(classification),
100
+ id: createFeedbackId(run, classification),
101
101
  runId: run.id,
102
102
  createdAt: now,
103
103
  updatedAt: now,
@@ -357,9 +357,13 @@ function formatEvidence(evidence) {
357
357
  return ["No evidence recorded."];
358
358
  return evidence.map((entry) => `- ${entry.id}: ${entry.locator || entry.path || entry.summary || entry.source || ""}`);
359
359
  }
360
- function createFeedbackId(classification) {
361
- const stamp = new Date().toISOString().replace(/[-:]/g, "").replace(/\..+/, "Z");
362
- return `feedback-${classification}-${stamp}-${Math.random().toString(36).slice(2, 8)}`;
360
+ // Deterministic feedback id (FreeBSD-audit L12/L13): the feedback record's
361
+ // POSITION in the run's append-only feedback log, qualified by classification for
362
+ // readability. recordFeedback dedups identical errors before minting, so the
363
+ // sequence is stable and collision-free across replays — no clock, no PRNG.
364
+ function createFeedbackId(run, classification) {
365
+ const seq = (run.feedback || []).length + 1;
366
+ return `feedback-${classification}-${String(seq).padStart(4, "0")}`;
363
367
  }
364
368
  function feedbackKey(value) {
365
369
  return [
@@ -19,6 +19,7 @@ const state_1 = require("./state");
19
19
  const multi_agent_operator_ux_1 = require("./multi-agent-operator-ux");
20
20
  const trust_audit_1 = require("./trust-audit");
21
21
  const multi_agent_trust_1 = require("./multi-agent-trust");
22
+ const validation_1 = require("./validation");
22
23
  // ---------------------------------------------------------------------------
23
24
  // Evidence Adoption Reasoning Chain (v0.1.26)
24
25
  //
@@ -343,7 +344,7 @@ function deriveCounterfactuals(run, scores) {
343
344
  forSelectionGate.push({
344
345
  ref: candidate.id,
345
346
  kind: "candidate",
346
- status: candidate.status === "failed" ? "rejected" : "rejected",
347
+ status: "rejected",
347
348
  reason: candidate.feedbackIds[0] ? `see feedback ${candidate.feedbackIds[0]}` : `candidate ${candidate.id} ${candidate.status}`
348
349
  });
349
350
  for (const scoreId of candidate.scores || []) {
@@ -616,7 +617,9 @@ function readAllScores(run) {
616
617
  continue;
617
618
  for (const file of node_fs_1.default.readdirSync(dir).filter((entry) => entry.endsWith(".json")).sort()) {
618
619
  try {
619
- const score = JSON.parse(node_fs_1.default.readFileSync(node_path_1.default.join(dir, file), "utf8"));
620
+ const score = (0, validation_1.tryValidateCandidateScore)(JSON.parse(node_fs_1.default.readFileSync(node_path_1.default.join(dir, file), "utf8")));
621
+ if (!score)
622
+ continue; // Malformed/forged score shape: skip; the score gate fails closed.
620
623
  scores.set(score.id, score);
621
624
  }
622
625
  catch {
@@ -0,0 +1,294 @@
1
+ "use strict";
2
+ var __importDefault = (this && this.__importDefault) || function (mod) {
3
+ return (mod && mod.__esModule) ? mod : { "default": mod };
4
+ };
5
+ Object.defineProperty(exports, "__esModule", { value: true });
6
+ exports.resolveAgentInvocation = resolveAgentInvocation;
7
+ exports.stripSecretArgs = stripSecretArgs;
8
+ exports.parseAgentReport = parseAgentReport;
9
+ exports.agentSubstitutions = agentSubstitutions;
10
+ exports.substituteAgentArg = substituteAgentArg;
11
+ exports.recordedAgentHandle = recordedAgentHandle;
12
+ exports.extractEndpointResult = extractEndpointResult;
13
+ exports.agentHandle = agentHandle;
14
+ exports.prepareAgentSpawn = prepareAgentSpawn;
15
+ exports.runAgentBatchOutcomes = runAgentBatchOutcomes;
16
+ // Agent-delegation pure helpers + concurrent batch fulfillment for the
17
+ // execution-backend driver layer. Carved out of execution-backend.ts
18
+ // (FreeBSD-audit god-module carve) so the driver layer no longer bundles the
19
+ // agent sub-domain's data-transform helpers; the stateful runners
20
+ // (runAgentProcess / runAgentEndpoint) that build refusal/delegated envelopes
21
+ // stay in the parent and import these. The parent re-exports the public surface
22
+ // (stripSecretArgs, AgentSpawnJob, prepareAgentSpawn, runAgentBatchOutcomes) so
23
+ // every importer is byte-unchanged.
24
+ //
25
+ // BEHAVIOR-PRESERVING — pure code movement, zero logic change. Every function
26
+ // here is a pure function of its inputs (request/env/argv → resolved data); none
27
+ // reaches back into the parent's envelope builders, so there is no runtime cycle.
28
+ // Matches the existing router pattern (orchestrator/*-operations.ts,
29
+ // run-registry/derive.ts).
30
+ //
31
+ // agent — the v0.1.38 delegating driver. Spawns an EXTERNAL agent process per
32
+ // worker (claude -p / codex exec / …) argv-style (shell:false), or POSTs the
33
+ // manifest to a configured HTTP agent endpoint. The agent reads the worker
34
+ // input/manifest and writes the worker's result.md out-of-process; CW captures
35
+ // the agent CHILD's command + exit + stdout digest as the canonical evidence
36
+ // triple (NEVER the result.md — that is the separate recordWorkerOutput layer)
37
+ // and records the kind:process handle + agent-reported model in provenance.
38
+ //
39
+ // THE RED LINE: CW spawns the agent and records its attested output. It NEVER
40
+ // imports a model SDK, holds an API key, or constructs a model API request. Any
41
+ // API key flows from the agent's OWN inherited env; CW never reads or records it.
42
+ // The operator-chosen CW_AGENT_MODEL is interpolated into `{{model}}` as policy
43
+ // and recorded ONLY in secret-stripped args — it is NEVER the attested model id.
44
+ const node_path_1 = __importDefault(require("node:path"));
45
+ const node_child_process_1 = require("node:child_process");
46
+ const util_1 = require("./util");
47
+ /** Resolve the agent invocation from the request delegation > env. Vendor-neutral;
48
+ * the durable file config is folded in by the drive layer before this point. */
49
+ function resolveAgentInvocation(request) {
50
+ const delegation = request.delegation || {};
51
+ const envCommand = (process.env.CW_AGENT_COMMAND || "").trim();
52
+ const endpoint = delegation.endpoint || (process.env.CW_AGENT_ENDPOINT || "").trim() || undefined;
53
+ const model = delegation.model || (process.env.CW_AGENT_MODEL || "").trim() || undefined;
54
+ // Accept the invocation via delegation (preferred) OR the top-level command/args.
55
+ let binary = delegation.command || request.command || undefined;
56
+ let rawArgs = delegation.args ? [...delegation.args] : request.args ? [...request.args] : [];
57
+ // An env-string command ("claude -p --output-format json {{manifest}}") is split
58
+ // into a binary + discrete argv template — NEVER shell-interpreted.
59
+ if (!binary && envCommand) {
60
+ const parts = envCommand.split(/\s+/).filter(Boolean);
61
+ binary = parts[0];
62
+ if (!delegation.args)
63
+ rawArgs = parts.slice(1);
64
+ }
65
+ else if (binary && !delegation.args && /\s/.test(binary)) {
66
+ const parts = binary.split(/\s+/).filter(Boolean);
67
+ binary = parts[0];
68
+ rawArgs = parts.slice(1);
69
+ }
70
+ return { binary, rawArgs, endpoint, model, timeoutMs: request.timeoutMs };
71
+ }
72
+ const AGENT_SECRET_FLAGS = new Set(["--api-key", "--apikey", "--token", "--key", "--secret", "--password", "--auth", "--bearer"]);
73
+ /** Redact secrets from recorded agent args: a value FOLLOWING a known secret flag,
74
+ * an `--x-key=...` inline value, or a token that LOOKS like a credential. Never
75
+ * record a raw secret in provenance/evidence. Exported so the durable config
76
+ * surface strips the SAME way before persisting/showing a command template. */
77
+ function stripSecretArgs(args) {
78
+ const out = [];
79
+ for (let i = 0; i < args.length; i++) {
80
+ const arg = String(args[i]);
81
+ if (AGENT_SECRET_FLAGS.has(arg.toLowerCase())) {
82
+ out.push(arg);
83
+ if (i + 1 < args.length) {
84
+ out.push("<redacted>");
85
+ i++;
86
+ }
87
+ continue;
88
+ }
89
+ const inline = arg.match(/^(--?[A-Za-z][\w-]*(?:key|token|secret|password|auth|bearer)[\w-]*)=.*/i);
90
+ if (inline) {
91
+ out.push(`${inline[1]}=<redacted>`);
92
+ continue;
93
+ }
94
+ // Bare credential-looking token: a known provider prefix, or a long high-entropy
95
+ // run with NO path separators (so file paths / {{...}} substitutions survive as
96
+ // useful provenance). Over-redaction is safe; leaking a key is not.
97
+ if (/^(sk-|ghp_|gho_|github_pat_|xox[abpr]-|Bearer\s)/.test(arg) || (arg.length >= 32 && /^[A-Za-z0-9_\-]{32,}$/.test(arg))) {
98
+ out.push("<redacted>");
99
+ continue;
100
+ }
101
+ out.push(arg);
102
+ }
103
+ return out;
104
+ }
105
+ /** Best-effort parse of the AGENT-reported model id from its stdout. SOLELY the
106
+ * agent's own report — `unreported` when absent. Never CW_AGENT_MODEL. */
107
+ function parseAgentReport(stdout) {
108
+ const text = String(stdout || "").trim();
109
+ if (!text)
110
+ return {};
111
+ const tryObj = (value) => {
112
+ try {
113
+ const parsed = JSON.parse(value);
114
+ return parsed && typeof parsed === "object" && !Array.isArray(parsed) ? parsed : undefined;
115
+ }
116
+ catch {
117
+ return undefined;
118
+ }
119
+ };
120
+ let obj = tryObj(text);
121
+ if (!obj) {
122
+ const line = text
123
+ .split(/\r?\n/)
124
+ .reverse()
125
+ .find((entry) => entry.trim().startsWith("{") && entry.trim().endsWith("}"));
126
+ if (line)
127
+ obj = tryObj(line.trim());
128
+ }
129
+ if (!obj)
130
+ return {};
131
+ const usage = obj.usage && typeof obj.usage === "object" ? obj.usage : undefined;
132
+ let model = typeof obj.model === "string"
133
+ ? obj.model
134
+ : usage && typeof usage.model === "string"
135
+ ? usage.model
136
+ : typeof obj.modelId === "string"
137
+ ? obj.modelId
138
+ : undefined;
139
+ // Some agents (e.g. `claude -p --output-format json`) report no top-level model;
140
+ // the model id(s) appear as KEYS of a `modelUsage` object. Pick the primary model
141
+ // (the one with the most input tokens). Still SOLELY the agent's own report.
142
+ if (!model && obj.modelUsage && typeof obj.modelUsage === "object" && !Array.isArray(obj.modelUsage)) {
143
+ const entries = Object.entries(obj.modelUsage);
144
+ if (entries.length) {
145
+ const tokensOf = (value) => {
146
+ const record = value && typeof value === "object" ? value : {};
147
+ const input = Number(record.inputTokens ?? record.input_tokens ?? 0);
148
+ return Number.isFinite(input) ? input : 0;
149
+ };
150
+ entries.sort((left, right) => tokensOf(right[1]) - tokensOf(left[1]));
151
+ model = entries[0][0];
152
+ }
153
+ }
154
+ // Track 1: the executor's detached signature over its usage report, if it signs.
155
+ // SOLELY the agent's own field — CW verifies it later against the trust key.
156
+ const usageSignature = typeof obj.usageSignature === "string"
157
+ ? obj.usageSignature
158
+ : typeof obj.usage_signature === "string"
159
+ ? obj.usage_signature
160
+ : undefined;
161
+ return { model, usage, usageSignature };
162
+ }
163
+ function agentSubstitutions(request, model) {
164
+ const manifest = request.manifest;
165
+ const workerDir = manifest?.workerDir || request.cwd || "";
166
+ return {
167
+ manifest: manifest?.manifestPath || (workerDir ? node_path_1.default.join(workerDir, "manifest.json") : ""),
168
+ input: manifest?.inputPath || "",
169
+ result: manifest?.resultPath || "",
170
+ workerDir,
171
+ model: model || "",
172
+ prompt: manifest?.prompt || ""
173
+ };
174
+ }
175
+ function substituteAgentArg(arg, subst) {
176
+ return arg.replace(/\{\{(\w+)\}\}/g, (_, key) => (key in subst ? subst[key] : `{{${key}}}`));
177
+ }
178
+ /** Build the recorded process handle for the envelope — secret-stripped + the
179
+ * agent-reported model. Same SHAPE that lands in provenance, never in evidence. */
180
+ function recordedAgentHandle(binary, endpoint, recordedArgs, model, reportedModel, reportedUsage, usageSignature) {
181
+ const ref = binary ? [binary, ...recordedArgs].join(" ") : endpoint || "";
182
+ return {
183
+ kind: "process",
184
+ ref,
185
+ endpoint,
186
+ metadata: {
187
+ mode: binary ? "command" : "endpoint",
188
+ command: binary,
189
+ args: recordedArgs,
190
+ model,
191
+ reportedModel,
192
+ // Telemetry thread-back: the agent's OWN self-reported token usage (parsed
193
+ // from its stdout by parseAgentReport). ATTESTED, never measured by CW —
194
+ // same red-line posture as reportedModel. Lands in provenance, never in the
195
+ // byte-stable evidence triple. Absent when the agent reported no usage.
196
+ ...(reportedUsage ? { reportedUsage } : {}),
197
+ // Track 1: the executor's detached signature over its usage report. CW
198
+ // verifies it against the operator trust key at output intake.
199
+ ...(usageSignature ? { usageSignature } : {})
200
+ }
201
+ };
202
+ }
203
+ function extractEndpointResult(stdout) {
204
+ const text = String(stdout || "").trim();
205
+ if (!text)
206
+ return undefined;
207
+ try {
208
+ const parsed = JSON.parse(text);
209
+ if (parsed && typeof parsed === "object") {
210
+ if (typeof parsed.result === "string")
211
+ return parsed.result;
212
+ if (typeof parsed.resultMarkdown === "string")
213
+ return parsed.resultMarkdown;
214
+ }
215
+ }
216
+ catch {
217
+ /* not JSON — treat the raw text as the result body */
218
+ return text;
219
+ }
220
+ return undefined;
221
+ }
222
+ function agentHandle(request) {
223
+ // The agent invocation is POLICY-as-DATA, resolved flags(delegation) > env. The
224
+ // handle records ONLY secret-stripped provenance; the raw template is re-resolved
225
+ // inside runAgentProcess for substitution + spawning so no secret ever lands in
226
+ // a recorded handle/evidence entry.
227
+ const resolved = resolveAgentInvocation(request);
228
+ if (!resolved.binary && !resolved.endpoint)
229
+ return undefined;
230
+ const strippedArgs = stripSecretArgs(resolved.rawArgs);
231
+ const ref = resolved.binary ? [resolved.binary, ...strippedArgs].join(" ") : resolved.endpoint || "";
232
+ return {
233
+ kind: "process",
234
+ ref,
235
+ endpoint: resolved.endpoint,
236
+ metadata: {
237
+ mode: resolved.binary ? "command" : "endpoint",
238
+ command: resolved.binary,
239
+ args: strippedArgs,
240
+ model: resolved.model
241
+ }
242
+ };
243
+ }
244
+ /** Resolve a request to a spawn-style batch job, or undefined when the agent is
245
+ * endpoint-configured/unconfigured (those settle through the serial path). */
246
+ function prepareAgentSpawn(request) {
247
+ const resolved = resolveAgentInvocation(request);
248
+ if (!resolved.binary)
249
+ return undefined;
250
+ const subst = agentSubstitutions(request, resolved.model);
251
+ return {
252
+ binary: resolved.binary,
253
+ args: resolved.rawArgs.map((arg) => substituteAgentArg(arg, subst)),
254
+ cwd: request.cwd,
255
+ timeoutMs: resolved.timeoutMs || 600000
256
+ };
257
+ }
258
+ // The batch delegate child is a real, packaged Node script (not an embedded
259
+ // `node -e` string — F11). It reads jobs JSON on stdin, spawns ALL concurrently
260
+ // (shell:false, inherited env — the agent's own credentials resolve; CW never
261
+ // reads them), per-job SIGTERM at timeoutMs + SIGKILL at +5s, caps each captured
262
+ // stdout at 32MB, and prints the outcome array when every job has settled. stderr
263
+ // is drained (a full pipe must never wedge a child). A kill yields exitCode null —
264
+ // the no-exit-code refusal. We spawn it BY PATH (shell:false); the path is
265
+ // resolved from this compiled module (dist/execution-backend/agent.js) up to the
266
+ // package's `scripts/children/` dir, which package.json ships in "files".
267
+ const BATCH_DELEGATE_CHILD_SCRIPT = node_path_1.default.resolve(__dirname, "..", "..", "scripts", "children", "batch-delegate-child.js");
268
+ /** Run a batch of agent spawns concurrently; outcomes index-align with jobs. The
269
+ * parent backstop timeout (max job timeout + 30s) means even a wedged delegate
270
+ * child cannot deadlock the drive: on any batch-level failure EVERY job settles
271
+ * as a fail-closed spawn refusal — never a fabricated completion, never a hang. */
272
+ function runAgentBatchOutcomes(jobs) {
273
+ if (!jobs.length)
274
+ return [];
275
+ const maxTimeout = Math.max(...jobs.map((job) => job.timeoutMs));
276
+ const child = (0, node_child_process_1.spawnSync)(process.execPath, [BATCH_DELEGATE_CHILD_SCRIPT], {
277
+ input: JSON.stringify(jobs),
278
+ encoding: "utf8",
279
+ maxBuffer: 33 * 1024 * 1024 * jobs.length,
280
+ timeout: maxTimeout + 30000
281
+ });
282
+ if (!child.error && typeof child.status === "number" && child.status === 0) {
283
+ try {
284
+ const parsed = JSON.parse(String(child.stdout || ""));
285
+ if (Array.isArray(parsed) && parsed.length === jobs.length)
286
+ return parsed;
287
+ }
288
+ catch {
289
+ // fall through to the fail-closed mapping below
290
+ }
291
+ }
292
+ const reason = child.error ? (0, util_1.messageOf)(child.error) : `batch delegate exited ${child.status === null ? "without an exit code (timed out or killed)" : `with ${child.status}`}`;
293
+ return jobs.map(() => ({ spawnError: `batch delegate failed: ${reason}`, exitCode: null, stdout: "" }));
294
+ }
@@ -0,0 +1,96 @@
1
+ "use strict";
2
+ var __importDefault = (this && this.__importDefault) || function (mod) {
3
+ return (mod && mod.__esModule) ? mod : { "default": mod };
4
+ };
5
+ Object.defineProperty(exports, "__esModule", { value: true });
6
+ exports.probeNodeBackend = probeNodeBackend;
7
+ exports.probeShellBackend = probeShellBackend;
8
+ exports.probeBunBackend = probeBunBackend;
9
+ exports.probeContainerBackend = probeContainerBackend;
10
+ exports.probeRemoteBackend = probeRemoteBackend;
11
+ exports.probeCiBackend = probeCiBackend;
12
+ exports.probeAgentBackend = probeAgentBackend;
13
+ // Per-backend readiness probe bodies for the execution-backend driver layer.
14
+ // Carved out of execution-backend.ts (FreeBSD-audit god-module carve) so the
15
+ // driver layer no longer bundles every driver's readiness check; the parent's
16
+ // `probeBackend` still wraps these with the descriptor-derived envelope, and each
17
+ // built-in driver references its probe through BUILTIN_DRIVER_BEHAVIORS.
18
+ //
19
+ // BEHAVIOR-PRESERVING — pure code movement, zero logic change. Each probe is a
20
+ // pure free function of the host (PATH + configured env), matching the existing
21
+ // router pattern (run-registry/derive.ts, orchestrator/*-operations.ts).
22
+ //
23
+ // Readiness probe. Deterministic given the host (PATH + configured env).
24
+ const node_fs_1 = __importDefault(require("node:fs"));
25
+ const util_1 = require("./util");
26
+ function probeNodeBackend() {
27
+ const ok = (0, util_1.hasExecutable)("node");
28
+ return {
29
+ checks: [{ name: "node-runtime", ok, detail: ok ? "node on PATH" : "node not found on PATH" }],
30
+ readiness: ok ? "ready" : "unavailable",
31
+ reason: ok ? undefined : "node runtime not found on PATH"
32
+ };
33
+ }
34
+ function probeShellBackend() {
35
+ const ok = (0, util_1.hasExecutable)("sh") || node_fs_1.default.existsSync("/bin/sh");
36
+ return {
37
+ checks: [{ name: "posix-shell", ok, detail: ok ? "sh available" : "no POSIX shell found" }],
38
+ readiness: ok ? "ready" : "unavailable",
39
+ reason: ok ? undefined : "POSIX shell not found"
40
+ };
41
+ }
42
+ function probeBunBackend() {
43
+ const bun = (0, util_1.hasExecutable)("bun");
44
+ const node = (0, util_1.hasExecutable)("node");
45
+ return {
46
+ checks: [
47
+ { name: "bun-runtime", ok: bun, detail: bun ? "bun on PATH" : "bun not found; node-compatible fallback" },
48
+ { name: "node-compatible-fallback", ok: node, detail: node ? "node on PATH" : "node not found on PATH" }
49
+ ],
50
+ readiness: bun || node ? "ready" : "unavailable",
51
+ reason: !bun && node ? "bun not installed; executing via node-compatible runtime" : !bun && !node ? "neither bun nor node found on PATH" : undefined
52
+ };
53
+ }
54
+ function probeContainerBackend() {
55
+ const docker = (0, util_1.hasExecutable)("docker");
56
+ const podman = (0, util_1.hasExecutable)("podman");
57
+ return {
58
+ checks: [
59
+ { name: "docker", ok: docker, detail: docker ? "docker on PATH" : "docker not found" },
60
+ { name: "podman", ok: podman, detail: podman ? "podman on PATH" : "podman not found" }
61
+ ],
62
+ readiness: docker || podman ? "ready" : "unavailable",
63
+ reason: docker || podman ? undefined : "no container runtime (docker/podman) found; supply --image to delegate explicitly"
64
+ };
65
+ }
66
+ function probeRemoteBackend() {
67
+ const endpoint = (process.env.CW_REMOTE_ENDPOINT || "").trim();
68
+ return {
69
+ checks: [{ name: "endpoint", ok: Boolean(endpoint), detail: endpoint ? "CW_REMOTE_ENDPOINT configured" : "CW_REMOTE_ENDPOINT not set" }],
70
+ readiness: endpoint ? "ready" : "unverified",
71
+ reason: endpoint ? undefined : "no remote endpoint configured (set CW_REMOTE_ENDPOINT or pass --endpoint)"
72
+ };
73
+ }
74
+ function probeCiBackend() {
75
+ const endpoint = (process.env.CW_CI_ENDPOINT || "").trim();
76
+ return {
77
+ checks: [{ name: "ci-endpoint", ok: Boolean(endpoint), detail: endpoint ? "CW_CI_ENDPOINT configured" : "CW_CI_ENDPOINT not set" }],
78
+ readiness: endpoint ? "ready" : "unverified",
79
+ reason: endpoint ? undefined : "no CI job target configured (set CW_CI_ENDPOINT or pass --job)"
80
+ };
81
+ }
82
+ function probeAgentBackend() {
83
+ // Mirrors remote/ci EXACTLY: unconfigured ⇒ `unverified` (NOT a hard refusal),
84
+ // configured ⇒ `ready`. "Configured" = a command-template or endpoint is set.
85
+ const command = (process.env.CW_AGENT_COMMAND || "").trim();
86
+ const endpoint = (process.env.CW_AGENT_ENDPOINT || "").trim();
87
+ const configured = Boolean(command || endpoint);
88
+ return {
89
+ checks: [
90
+ { name: "agent-command", ok: Boolean(command), detail: command ? "CW_AGENT_COMMAND configured" : "CW_AGENT_COMMAND not set" },
91
+ { name: "agent-endpoint", ok: Boolean(endpoint), detail: endpoint ? "CW_AGENT_ENDPOINT configured" : "CW_AGENT_ENDPOINT not set" }
92
+ ],
93
+ readiness: configured ? "ready" : "unverified",
94
+ reason: configured ? undefined : "no agent configured (set CW_AGENT_COMMAND or CW_AGENT_ENDPOINT, or pass --agent-command/--agent-endpoint)"
95
+ };
96
+ }
@@ -0,0 +1,47 @@
1
+ "use strict";
2
+ var __importDefault = (this && this.__importDefault) || function (mod) {
3
+ return (mod && mod.__esModule) ? mod : { "default": mod };
4
+ };
5
+ Object.defineProperty(exports, "__esModule", { value: true });
6
+ exports.sha256 = sha256;
7
+ exports.hasExecutable = hasExecutable;
8
+ exports.firstString = firstString;
9
+ exports.messageOf = messageOf;
10
+ // Leaf helpers for the execution-backend driver layer. Carved out of
11
+ // execution-backend.ts (FreeBSD-audit god-module carve) so the driver layer no
12
+ // longer bundles its pure utilities; the parent re-exports `sha256` to keep the
13
+ // public surface byte-identical, and imports the rest internally.
14
+ //
15
+ // BEHAVIOR-PRESERVING — pure code movement, zero logic change. Each function is a
16
+ // pure leaf (no dependency on the rest of the module), matching the existing
17
+ // router pattern (run-registry/derive.ts + format.ts, orchestrator/*-operations.ts).
18
+ const node_crypto_1 = __importDefault(require("node:crypto"));
19
+ const node_fs_1 = __importDefault(require("node:fs"));
20
+ const node_path_1 = __importDefault(require("node:path"));
21
+ function sha256(value) {
22
+ return `sha256:${node_crypto_1.default.createHash("sha256").update(value, "utf8").digest("hex")}`;
23
+ }
24
+ function hasExecutable(name) {
25
+ const dirs = (process.env.PATH || "").split(node_path_1.default.delimiter).filter(Boolean);
26
+ for (const dir of dirs) {
27
+ const candidate = node_path_1.default.join(dir, name);
28
+ try {
29
+ if (node_fs_1.default.existsSync(candidate) && node_fs_1.default.statSync(candidate).isFile())
30
+ return true;
31
+ }
32
+ catch {
33
+ // ignore unreadable PATH entries
34
+ }
35
+ }
36
+ return false;
37
+ }
38
+ function firstString(...values) {
39
+ for (const value of values) {
40
+ if (typeof value === "string" && value.trim())
41
+ return value.trim();
42
+ }
43
+ return undefined;
44
+ }
45
+ function messageOf(error) {
46
+ return error instanceof Error ? error.message : String(error);
47
+ }