cool-workflow 0.1.81 → 0.1.83
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.claude-plugin/plugin.json +2 -2
- package/.codex-plugin/plugin.json +4 -4
- package/README.md +125 -121
- package/apps/architecture-review/app.json +1 -1
- package/apps/architecture-review-fast/app.json +1 -1
- package/apps/end-to-end-golden-path/app.json +1 -1
- package/apps/pr-review-fix-ci/app.json +1 -1
- package/apps/release-cut/app.json +1 -1
- package/apps/research-synthesis/app.json +1 -1
- package/dist/candidate-scoring.js +20 -26
- package/dist/capability-core.js +80 -93
- package/dist/capability-registry.js +30 -3
- package/dist/cli.js +12 -1
- package/dist/commit.js +217 -204
- package/dist/coordinator/util.js +6 -9
- package/dist/dispatch.js +11 -3
- package/dist/doctor.js +153 -0
- package/dist/evidence-reasoning.js +4 -1
- package/dist/execution-backend/agent.js +11 -48
- package/dist/execution-backend.js +11 -31
- package/dist/gates.js +48 -0
- package/dist/mcp-server.js +11 -0
- package/dist/multi-agent/helpers.js +6 -10
- package/dist/multi-agent/ids.js +20 -0
- package/dist/multi-agent-eval.js +27 -1
- package/dist/multi-agent-host.js +53 -21
- package/dist/multi-agent-operator-ux.js +2 -1
- package/dist/multi-agent-trust.js +5 -5
- package/dist/node-projection.js +59 -0
- package/dist/node-snapshot.js +8 -18
- package/dist/orchestrator/lifecycle-operations.js +22 -1
- package/dist/orchestrator.js +29 -2
- package/dist/reclamation/hash.js +72 -0
- package/dist/reclamation.js +31 -112
- package/dist/run-registry/queue.js +6 -7
- package/dist/run-registry.js +35 -24
- package/dist/scheduler.js +112 -57
- package/dist/topology.js +25 -4
- package/dist/trust-audit.js +70 -38
- package/dist/validation.js +328 -0
- package/dist/version.js +1 -1
- package/dist/worker-isolation.js +163 -58
- package/docs/agent-delegation-drive.7.md +90 -85
- package/docs/agent-framework.md +33 -32
- package/docs/candidate-scoring.7.md +26 -24
- package/docs/canonical-workflow-apps.7.md +40 -40
- package/docs/capability-topology-registry.7.md +24 -24
- package/docs/cli-mcp-parity.7.md +227 -154
- package/docs/contract-migration-tooling.7.md +49 -41
- package/docs/control-plane-scheduling.7.md +45 -40
- package/docs/coordinator-blackboard.7.md +30 -30
- package/docs/dogfood-one-real-repo.7.md +44 -44
- package/docs/durable-state-and-locking.7.md +35 -30
- package/docs/end-to-end-golden-path.7.md +29 -29
- package/docs/error-feedback.7.md +27 -27
- package/docs/evidence-adoption-reasoning-chain.7.md +63 -58
- package/docs/execution-backends.7.md +84 -79
- package/docs/getting-started.md +35 -18
- package/docs/index.md +3 -3
- package/docs/mcp-app-surface.7.md +64 -64
- package/docs/multi-agent-cli-mcp-surface.7.md +83 -77
- package/docs/multi-agent-eval-replay-harness.7.md +59 -54
- package/docs/multi-agent-operator-ux.7.md +70 -65
- package/docs/multi-agent-runtime-core.7.md +39 -39
- package/docs/multi-agent-topologies.7.md +24 -24
- package/docs/multi-agent-trust-policy-audit.7.md +38 -38
- package/docs/node-snapshot-diff-replay.7.md +26 -21
- package/docs/observability-cost-accounting.7.md +50 -45
- package/docs/operator-ux.7.md +30 -30
- package/docs/pipeline-runner.7.md +31 -31
- package/docs/project-index.md +15 -6
- package/docs/real-execution-backends.7.md +47 -42
- package/docs/release-and-migration.7.md +43 -38
- package/docs/release-tooling.7.md +74 -39
- package/docs/routines.md +16 -16
- package/docs/run-registry-control-plane.7.md +120 -115
- package/docs/run-retention-reclamation.7.md +46 -41
- package/docs/sandbox-profiles.7.md +32 -32
- package/docs/scheduled-tasks.md +14 -14
- package/docs/security-trust-hardening.7.md +29 -29
- package/docs/source-context-profiles.7.md +28 -28
- package/docs/state-explosion-management.7.md +64 -59
- package/docs/state-node.7.md +8 -8
- package/docs/team-collaboration.7.md +63 -58
- package/docs/trust-model.md +126 -126
- package/docs/unix-principles.md +80 -80
- package/docs/vendor-manifest-loadability.7.md +20 -20
- package/docs/verifier-gated-commit.7.md +16 -16
- package/docs/web-desktop-workbench.7.md +70 -65
- package/docs/worker-isolation.7.md +34 -37
- package/docs/workflow-app-framework.7.md +38 -38
- package/manifest/plugin.manifest.json +4 -4
- package/manifest/source-context-profiles.json +1 -1
- package/package.json +3 -2
- package/scripts/canonical-apps.js +4 -4
- package/scripts/children/batch-delegate-child.js +58 -0
- package/scripts/children/http-delegate-child.js +39 -0
- package/scripts/dogfood-release.js +1 -1
- package/scripts/gen-parity-doc.js +106 -0
- package/scripts/golden-path.js +4 -4
- package/scripts/release-flow.js +181 -5
- package/dist/verifier-registry.js +0 -46
|
@@ -1,23 +1,24 @@
|
|
|
1
1
|
# Contract Migration Tooling
|
|
2
2
|
|
|
3
|
-
CW v0.1.36 makes schema migration a
|
|
4
|
-
v0.1.36 migration was
|
|
5
|
-
inline step array walked by `migrateRunState`,
|
|
6
|
-
registry, no
|
|
7
|
-
guarantee, and NOTHING covering the workflow-app
|
|
8
|
-
flatly
|
|
9
|
-
compatibility proofs, fail-closed reachability,
|
|
10
|
-
the existing `migrateRunState` transform
|
|
3
|
+
CW v0.1.36 makes schema migration a named, declared part of the system. Before
|
|
4
|
+
v0.1.36 migration was done one step at a time and only on run-state:
|
|
5
|
+
`RUN_STATE_MIGRATIONS` was an inline step array walked by `migrateRunState`,
|
|
6
|
+
with no declared `up`-transform registry, no kept compatibility PROOF, no
|
|
7
|
+
round-trip/non-destruction guarantee, and NOTHING covering the workflow-app
|
|
8
|
+
schema (an old app schema was turned away flatly, never migrated). v0.1.36 adds
|
|
9
|
+
a declared registry, per-edge compatibility proofs, fail-closed reachability,
|
|
10
|
+
and a round-trip prover — using again the existing `migrateRunState` transform
|
|
11
|
+
(no logic forked).
|
|
11
12
|
|
|
12
13
|
## The declared registry
|
|
13
14
|
|
|
14
|
-
`migration list` is the
|
|
15
|
-
to
|
|
15
|
+
`migration list` is the one declared source for "what versions exist and how
|
|
16
|
+
to move them forward": one `MigrationContract` per schema (`run-state`,
|
|
16
17
|
`workflow-app`), each with `currentVersion`, `minVersion`, and an array of
|
|
17
18
|
`MigrationEdge { from, to, description, proof }`. The run-state edges ARE
|
|
18
|
-
`RUN_STATE_MIGRATIONS` (the transform is not
|
|
19
|
-
|
|
20
|
-
(`addsDefaulted`, `dropsNothing`), as data, not
|
|
19
|
+
`RUN_STATE_MIGRATIONS` (the transform is not copied). Each edge carries a
|
|
20
|
+
machine-checkable `MigrationCompatibilityProof` — the invariant it keeps
|
|
21
|
+
(`addsDefaulted`, `dropsNothing`), as data, not as words.
|
|
21
22
|
|
|
22
23
|
```text
|
|
23
24
|
migration list [--json]
|
|
@@ -25,20 +26,21 @@ migration list [--json]
|
|
|
25
26
|
|
|
26
27
|
## Fail closed on reachability
|
|
27
28
|
|
|
28
|
-
Before transforming, the chain `detected -> current` is
|
|
29
|
-
detected version is below `minVersion`, above `currentVersion`, or
|
|
30
|
-
path, the verdict is `unsupported` with a named reason and NO
|
|
31
|
-
|
|
32
|
-
yet, fails closed with
|
|
29
|
+
Before transforming, the chain `detected -> current` is worked out. If a
|
|
30
|
+
contract's detected version is below `minVersion`, above `currentVersion`, or
|
|
31
|
+
has no chained path, the verdict is `unsupported` with a named reason and NO
|
|
32
|
+
write — never a part-way migration that does its best. (An older workflow-app,
|
|
33
|
+
for which no edge exists yet, fails closed with an exact reason in place of
|
|
34
|
+
being taken in quietly.)
|
|
33
35
|
|
|
34
36
|
```text
|
|
35
37
|
migration check <target> [--contract run-state|workflow-app] [--json]
|
|
36
38
|
```
|
|
37
39
|
|
|
38
40
|
`<target>` is a run id (resolves to `.cw/runs/<id>/state.json`) or a path to a
|
|
39
|
-
`state.json` / app manifest. The verdict
|
|
41
|
+
`state.json` / app manifest. The verdict gives the `status`
|
|
40
42
|
(`current|migrated|normalized|unsupported`), the detected/current versions, the
|
|
41
|
-
resolved `chain`, the
|
|
43
|
+
resolved `chain`, the count of changes, and any errors.
|
|
42
44
|
|
|
43
45
|
## Round-trip / non-destruction proof
|
|
44
46
|
|
|
@@ -46,33 +48,34 @@ resolved `chain`, the change count, and any errors.
|
|
|
46
48
|
migration prove <target> [--contract run-state|workflow-app] [--json]
|
|
47
49
|
```
|
|
48
50
|
|
|
49
|
-
`migration prove` runs the chain and PROVES four properties,
|
|
51
|
+
`migration prove` runs the chain and PROVES four properties, putting out a
|
|
50
52
|
deterministic, sha256-fingerprinted `MigrationProof`:
|
|
51
53
|
|
|
52
54
|
- **validatesAtCurrent** — the result validates at `currentVersion`.
|
|
53
|
-
- **appendOnly** — every source record/key
|
|
54
|
-
nothing is
|
|
55
|
-
- **idempotent** —
|
|
56
|
-
- **sourceImmutable** — `sourceHash == resultHash`-of-source: the
|
|
55
|
+
- **appendOnly** — every source record/key lives on into the output (recursive);
|
|
56
|
+
nothing is lost.
|
|
57
|
+
- **idempotent** — running migration again on the output gives no further change.
|
|
58
|
+
- **sourceImmutable** — `sourceHash == resultHash`-of-source: the first
|
|
57
59
|
snapshot is byte-unchanged (`migrateRunState` clones; the source `state.json` is
|
|
58
|
-
never
|
|
60
|
+
never changed).
|
|
59
61
|
|
|
60
|
-
`pass` is
|
|
61
|
-
claims a
|
|
62
|
+
`pass` is true when all of these are true. An `unsupported` verdict never
|
|
63
|
+
transforms and never claims a good proof.
|
|
62
64
|
|
|
63
65
|
## Append-only proof storage
|
|
64
66
|
|
|
65
|
-
`migration prove`
|
|
66
|
-
`migration/<fingerprint>.json` — a NEW file, never
|
|
67
|
-
source manifest.
|
|
67
|
+
`migration prove` keeps the `MigrationProof` next to the target under
|
|
68
|
+
`migration/<fingerprint>.json` — a NEW file, never writing over `state.json` or
|
|
69
|
+
the source manifest. Working it out again from disk gives back the same
|
|
70
|
+
fingerprint.
|
|
68
71
|
|
|
69
72
|
## Surfaces & Compatibility
|
|
70
73
|
|
|
71
74
|
`migration.list`/`check`/`prove` are declared `surface: "both"`, so
|
|
72
|
-
`cw migration <verb> --json` and the `cw_migration_*` MCP tools
|
|
73
|
-
(`src/contract-migration.ts`).
|
|
74
|
-
versions and `migrateRunState` are unchanged; the registry declares and
|
|
75
|
-
over the existing transform. Pre-0.1.36 runs and apps load unchanged.
|
|
75
|
+
`cw migration <verb> --json` and the `cw_migration_*` MCP tools draw from one
|
|
76
|
+
core (`src/contract-migration.ts`). It only adds: the run-state and workflow-app
|
|
77
|
+
schema versions and `migrateRunState` are unchanged; the registry declares and
|
|
78
|
+
proves over the existing transform. Pre-0.1.36 runs and apps load unchanged.
|
|
76
79
|
|
|
77
80
|
## See Also
|
|
78
81
|
|
|
@@ -81,7 +84,7 @@ cli-mcp-parity(7)
|
|
|
81
84
|
|
|
82
85
|
## Control-Plane Scheduling (v0.1.37)
|
|
83
86
|
|
|
84
|
-
priority + concurrency limits + lease lifecycle + retry/backoff + fail-closed park over the v0.1.28 Run Registry queue; policy-as-data, deterministic. See control-plane-scheduling(7).
|
|
87
|
+
priority + concurrency limits + lease lifecycle + retry/backoff + fail-closed park over the v0.1.28 Run Registry queue; policy-as-data, deterministic. See control-plane-scheduling(7) for more.
|
|
85
88
|
|
|
86
89
|
## Agent Delegation Drive (v0.1.38)
|
|
87
90
|
|
|
@@ -101,19 +104,19 @@ evidence grounding + durable audit append + symlink-hardened containment + deter
|
|
|
101
104
|
|
|
102
105
|
## Robust Result Ingest (v0.1.42)
|
|
103
106
|
|
|
104
|
-
capture findings/evidence from any
|
|
107
|
+
capture findings/evidence from any agent shape that makes sense (alt keys + prose), CW works out grounded evidence itself, give a warning on empty capture — closes the v0.1.41 live-drive 'accepted with 0 captured' failure
|
|
105
108
|
|
|
106
109
|
## No-False-Green Gate & Launch Prep (v0.1.43)
|
|
107
110
|
|
|
108
|
-
Hard gate
|
|
111
|
+
Hard gate stopping empty-capture verifier-gated commits, plus quickstart and launch-prep docs.
|
|
109
112
|
|
|
110
113
|
## Release-Gate Determinism & Agents Vendor (v0.1.44)
|
|
111
114
|
|
|
112
|
-
Release-readiness checks now validate the committed blob (`git show HEAD:<path>`)
|
|
115
|
+
Release-readiness checks now validate the committed blob (`git show HEAD:<path>`) in place of the changeable working tree — getting rid of false-red/false-green from working-tree writes at the same time (iCloud/Spotlight/editor). Adds the `agents` vendor manifest target: a generated `.agents/plugins/cool-workflow/` adapter that gives any non-Claude AI agent one common way in to CW.
|
|
113
116
|
|
|
114
117
|
## P1-P2 Fixes & CI Content Surfaces (v0.1.49)
|
|
115
118
|
|
|
116
|
-
Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.46), vendor-adapter registry (v0.1.47), state auto-compaction and P2 fixes (v0.1.48), plus CI content-surface determinism hardening (v0.1.49).
|
|
119
|
+
Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.46), vendor-adapter registry (v0.1.47), state auto-compaction and P2 fixes (v0.1.48), plus CI content-surface determinism hardening (v0.1.49) on top.
|
|
117
120
|
0.1.51
|
|
118
121
|
|
|
119
122
|
0.1.76
|
|
@@ -126,6 +129,11 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
|
|
|
126
129
|
|
|
127
130
|
## Fast Architecture Review (v0.1.80)
|
|
128
131
|
|
|
129
|
-
Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, reusable Map and Assess results,
|
|
132
|
+
Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, reusable Map and Assess results, wrapper metrics you can measure, a background full-review handoff you can act on, and userland model policy flags for routing fast/strong workers without changing the full review contract.
|
|
130
133
|
|
|
131
134
|
_No changes to the contract-migration subsystem in v0.1.81._
|
|
135
|
+
_No changes in v0.1.82._
|
|
136
|
+
|
|
137
|
+
## Hardening and Onboarding (v0.1.83)
|
|
138
|
+
|
|
139
|
+
Loaders fail closed on corrupt state; store writes are made safe under more than one writer; a new cw doctor checks your setup; help lists every command; and the docs are put into Basic English.
|
|
@@ -2,24 +2,24 @@
|
|
|
2
2
|
|
|
3
3
|
CW v0.1.37 adds Control-Plane Scheduling: a scheduling-policy layer over the
|
|
4
4
|
v0.1.28 Run Registry queue. Before v0.1.37 the queue had ORDER (priority,
|
|
5
|
-
`enqueuedAt`) but no policy — nothing
|
|
6
|
-
|
|
7
|
-
(`queue drain` would
|
|
8
|
-
policy-as-data over the
|
|
9
|
-
readiness selection, a hard concurrency ceiling, leases, retry with
|
|
10
|
-
backoff, and a fail-closed park state. The verbs use
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
The core (`src/scheduling.ts`) is pure and deterministic — every function
|
|
14
|
-
injected `now`; "CW
|
|
5
|
+
`enqueuedAt`) but no policy — nothing kept down how many runs were in flight, nothing
|
|
6
|
+
tried again after a short-lived failure with backoff, and nothing put a limit on retries
|
|
7
|
+
(`queue drain` would hand out the same failing entry again and again, for ever). v0.1.37 puts
|
|
8
|
+
policy-as-data over the queue that is already there (no queue file is copied): priority +
|
|
9
|
+
readiness selection, a hard concurrency ceiling, leases, retry with worked-out
|
|
10
|
+
backoff, and a fail-closed park state. The verbs use their own `sched` namespace,
|
|
11
|
+
apart from the unrelated wall-clock `schedule` (loop/cron) scheduler.
|
|
12
|
+
|
|
13
|
+
The core (`src/scheduling.ts`) is pure and deterministic — every function is given an
|
|
14
|
+
injected `now`; "CW writes down readiness/order/leases, the host still runs the
|
|
15
15
|
workers."
|
|
16
16
|
|
|
17
17
|
## Policy as data
|
|
18
18
|
|
|
19
19
|
`SchedulingPolicy` is a plain, diffable file under `$CW_HOME/registry/
|
|
20
|
-
scheduling-policy.json
|
|
21
|
-
|
|
22
|
-
`baseMs 1000 * factor 2 ^ (attempts-1)`
|
|
20
|
+
scheduling-policy.json`. When it is not there, it takes safe fail-closed values:
|
|
21
|
+
`maxConcurrent 1`, `maxAttempts 3`, `leaseTtlMs 300000`, backoff
|
|
22
|
+
`baseMs 1000 * factor 2 ^ (attempts-1)` with a top of `60000` (no jitter).
|
|
23
23
|
|
|
24
24
|
```text
|
|
25
25
|
sched policy show [--json]
|
|
@@ -34,36 +34,36 @@ ready --lease--> leased --complete--> drained
|
|
|
34
34
|
|__reset________/
|
|
35
35
|
```
|
|
36
36
|
|
|
37
|
-
- **`sched plan`** — READ-ONLY: the would
|
|
38
|
-
queue+policy+now, deterministic and
|
|
37
|
+
- **`sched plan`** — READ-ONLY: the lease plan that would be used for the current
|
|
38
|
+
queue+policy+now, deterministic and able to be run again, with no changes made. Payload-
|
|
39
39
|
identical across CLI and MCP.
|
|
40
|
-
- **`sched lease`** —
|
|
41
|
-
|
|
40
|
+
- **`sched lease`** — take eligible entries (priority order via `compareQueue`,
|
|
41
|
+
jumping over anything not yet eligible / parked / leased) as `leased` with a
|
|
42
42
|
`leaseId` and `leaseExpiresAt`. The **concurrency ceiling is a hard limit** —
|
|
43
|
-
leasing stops at `maxConcurrent`; over
|
|
44
|
-
- **`sched complete <leaseId>`** —
|
|
45
|
-
- **`sched release <leaseId> [--failed]`** — failed releases count an attempt
|
|
46
|
-
(retry/backoff or park); a clean release
|
|
47
|
-
- **`sched reclaim`** — an EXPIRED lease (the host died)
|
|
48
|
-
one failed attempt —
|
|
43
|
+
leasing stops at `maxConcurrent`; entries over the limit stay `ready`.
|
|
44
|
+
- **`sched complete <leaseId>`** — end success (`drained`).
|
|
45
|
+
- **`sched release <leaseId> [--failed]`** — failed releases count as an attempt
|
|
46
|
+
(retry/backoff or park); a clean release sends the entry back to `ready`.
|
|
47
|
+
- **`sched reclaim`** — an EXPIRED lease (the host died) can be reclaimed and counts
|
|
48
|
+
as one failed attempt — written down, not quietly reset.
|
|
49
49
|
- **`sched reset <id>`** — operator recovery: a parked entry back to `ready`.
|
|
50
50
|
|
|
51
51
|
## Fail closed
|
|
52
52
|
|
|
53
|
-
- **Concurrency is a hard ceiling** — never
|
|
53
|
+
- **Concurrency is a hard ceiling** — never gone past; `sched plan`/`lease` stop at
|
|
54
54
|
`maxConcurrent` in-flight leases.
|
|
55
55
|
- **Park past budget** — when `attempts >= maxAttempts` the entry becomes `parked`
|
|
56
|
-
with a `parkedReason` and is NEVER
|
|
57
|
-
back. The queue can never
|
|
58
|
-
- **Backoff is deterministic** — a pure curve,
|
|
59
|
-
`nextEligibleAt` and is
|
|
56
|
+
with a `parkedReason` and is NEVER picked again. `sched reset` is the only way
|
|
57
|
+
back. The queue can never hand out a failing entry for ever.
|
|
58
|
+
- **Backoff is deterministic** — a pure curve, nothing random; a retried entry sets
|
|
59
|
+
`nextEligibleAt` and is jumped over until then.
|
|
60
60
|
|
|
61
61
|
## Compatibility
|
|
62
62
|
|
|
63
|
-
Additive: `RunQueueEntry`
|
|
63
|
+
Additive: `RunQueueEntry` gets the optional `attempts`/`leaseId`/`leaseExpiresAt`/
|
|
64
64
|
`nextEligibleAt`/`parkedReason` and two statuses (`leased`/`parked`); a pre-0.1.37
|
|
65
|
-
`queue.json` loads
|
|
66
|
-
|
|
65
|
+
`queue.json` loads with no change (no scheduling fields = a plain ordered queue). The
|
|
66
|
+
`queue add|list|drain|show` verbs that are already there do not change. No new database, no
|
|
67
67
|
daemon-owned state.
|
|
68
68
|
|
|
69
69
|
## See Also
|
|
@@ -72,35 +72,35 @@ run-registry-control-plane(7), cli-mcp-parity(7), release-and-migration(7)
|
|
|
72
72
|
|
|
73
73
|
## Agent Delegation Drive (v0.1.38)
|
|
74
74
|
|
|
75
|
-
|
|
75
|
+
start an outside agent process for each worker, take in result.md + attestation, and drive plan->dispatch->fulfill->accept->commit by itself
|
|
76
76
|
|
|
77
77
|
## Run Retention & Provable Reclamation (v0.1.39)
|
|
78
78
|
|
|
79
|
-
tiered, append-only, cryptographically-verifiable run reclamation:
|
|
79
|
+
tiered, append-only, cryptographically-verifiable run reclamation: shut the audit skeleton, free the bulk that can be built again, give proof of it
|
|
80
80
|
|
|
81
81
|
## Durable State & Locking (v0.1.40)
|
|
82
82
|
|
|
83
|
-
atomic temp->rename writes + fsync-durability for authoritative stores; portable stale-stealing file lock
|
|
83
|
+
atomic temp->rename writes + fsync-durability for the authoritative stores; portable stale-stealing file lock that puts the cross-process read-modify-write stores in order, one at a time
|
|
84
84
|
|
|
85
85
|
## Self-Audit Hardening & Pure-Router Decomposition (v0.1.41)
|
|
86
86
|
|
|
87
|
-
evidence grounding + durable audit append + symlink-hardened containment + deterministic worker ids + recursive redaction; BackendRegistry self-describing drivers (no per-id switches); orchestrator god-object
|
|
87
|
+
evidence grounding + durable audit append + symlink-hardened containment + deterministic worker ids + recursive redaction; BackendRegistry self-describing drivers (no per-id switches); the orchestrator god-object is broken up into per-domain operation modules (pure loadRun->delegate router)
|
|
88
88
|
|
|
89
89
|
## Robust Result Ingest (v0.1.42)
|
|
90
90
|
|
|
91
|
-
|
|
91
|
+
take in findings/evidence from any reasonable agent shape (alt keys + prose), CW works out grounded evidence by itself, give a warning on empty capture — this shuts the v0.1.41 live-drive 'accepted with 0 captured' failure
|
|
92
92
|
|
|
93
93
|
## No-False-Green Gate & Launch Prep (v0.1.43)
|
|
94
94
|
|
|
95
|
-
Hard gate
|
|
95
|
+
Hard gate that stops empty-capture verifier-gated commits, plus quickstart and launch-prep docs.
|
|
96
96
|
|
|
97
97
|
## Release-Gate Determinism & Agents Vendor (v0.1.44)
|
|
98
98
|
|
|
99
|
-
Release-readiness checks now
|
|
99
|
+
Release-readiness checks now check the committed blob (`git show HEAD:<path>`) in place of the mutable working tree — taking away false-red/false-green that came from concurrent working-tree writes (iCloud/Spotlight/editor). Adds the `agents` vendor manifest target: a generated `.agents/plugins/cool-workflow/` adapter that gives any non-Claude AI agent one common interface to CW.
|
|
100
100
|
|
|
101
101
|
## P1-P2 Fixes & CI Content Surfaces (v0.1.49)
|
|
102
102
|
|
|
103
|
-
Migration DAG with
|
|
103
|
+
Migration DAG with edges that can go both ways (v0.1.45), capability auto-discovery (v0.1.46), vendor-adapter registry (v0.1.47), state auto-compaction and P2 fixes (v0.1.48), plus CI content-surface determinism hardening (v0.1.49).
|
|
104
104
|
0.1.51
|
|
105
105
|
|
|
106
106
|
0.1.76
|
|
@@ -113,6 +113,11 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
|
|
|
113
113
|
|
|
114
114
|
## Fast Architecture Review (v0.1.80)
|
|
115
115
|
|
|
116
|
-
Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports,
|
|
116
|
+
Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, Map and Assess results that can be used again, wrapper metrics that can be measured, a background full-review handoff you can act on, and userland model policy flags for routing fast/strong workers without changing the full review contract.
|
|
117
117
|
|
|
118
118
|
_No changes to the control-plane scheduling surface in v0.1.81._
|
|
119
|
+
_No change in behavior in v0.1.82 (schedule/run ids are now deterministic-but-unique through a monotonic counter + pid in place of Math.random; ids stay collision-free)._
|
|
120
|
+
|
|
121
|
+
## Hardening and Onboarding (v0.1.83)
|
|
122
|
+
|
|
123
|
+
Loaders fail closed on corrupt state; store writes are made safe under more than one writer; a new cw doctor checks your setup; help lists every command; and the docs are put into Basic English.
|
|
@@ -7,15 +7,15 @@ CW v0.1.25 adds `blackboard summarize <run-id>` (MCP: `cw_blackboard_summarize`)
|
|
|
7
7
|
a deterministic blackboard digest with topic rollups, thread summaries,
|
|
8
8
|
unresolved questions, conflicts, decisions, artifacts, adopted and missing
|
|
9
9
|
evidence, policy violations, judge rationale, recent changes, and high-signal
|
|
10
|
-
records. The digest is a
|
|
11
|
-
source messages, contexts, artifacts, snapshots, coordinator
|
|
12
|
-
audit events, and never deletes raw records. See
|
|
10
|
+
records. The digest is a worked-out index made from other records: it keeps
|
|
11
|
+
links back to source messages, contexts, artifacts, snapshots, coordinator
|
|
12
|
+
decisions, and audit events, and never deletes raw records. See
|
|
13
13
|
[state-explosion-management.7.md](state-explosion-management.7.md).
|
|
14
14
|
|
|
15
|
-
This release
|
|
16
|
-
indexing, snapshots, and coordinator decisions. It does not
|
|
17
|
-
judge, map-reduce, swarm, committee, or synthesis topologies
|
|
18
|
-
|
|
15
|
+
This release gives fixed building blocks for shared context, messages, artifact
|
|
16
|
+
indexing, snapshots, and coordinator decisions. It does not yet build debate,
|
|
17
|
+
judge, map-reduce, swarm, committee, or synthesis topologies. Those topologies
|
|
18
|
+
are meant to use this base later.
|
|
19
19
|
|
|
20
20
|
## State Model
|
|
21
21
|
|
|
@@ -44,14 +44,14 @@ Runtime objects are:
|
|
|
44
44
|
- `BlackboardSnapshot`
|
|
45
45
|
- `CoordinatorDecision`
|
|
46
46
|
|
|
47
|
-
Every record
|
|
47
|
+
Every record has schema version, stable id, timestamps, author/source,
|
|
48
48
|
scope, status, parent references, tags, metadata, and links back to workflow,
|
|
49
49
|
multi-agent, worker, task, candidate, verifier, commit, audit, and evidence
|
|
50
|
-
records
|
|
50
|
+
records when they apply.
|
|
51
51
|
|
|
52
52
|
## Storage Layout
|
|
53
53
|
|
|
54
|
-
CW
|
|
54
|
+
CW copies blackboard state to local files that last:
|
|
55
55
|
|
|
56
56
|
```text
|
|
57
57
|
.cw/runs/<run-id>/blackboard/
|
|
@@ -64,13 +64,13 @@ CW mirrors blackboard state to durable local files:
|
|
|
64
64
|
decisions/<decision-id>.json
|
|
65
65
|
```
|
|
66
66
|
|
|
67
|
-
`messages.jsonl` is
|
|
68
|
-
|
|
67
|
+
`messages.jsonl` is good for adding to the end. `index.json` is made again the
|
|
68
|
+
same way from run state each time. CW does not keep secrets or raw environment
|
|
69
69
|
values in blackboard metadata.
|
|
70
70
|
|
|
71
71
|
## Context Semantics
|
|
72
72
|
|
|
73
|
-
Shared context
|
|
73
|
+
Shared context takes these kinds:
|
|
74
74
|
|
|
75
75
|
- `fact`
|
|
76
76
|
- `constraint`
|
|
@@ -78,12 +78,12 @@ Shared context supports:
|
|
|
78
78
|
- `question`
|
|
79
79
|
- `decision`
|
|
80
80
|
|
|
81
|
-
Context updates do not
|
|
81
|
+
Context updates do not quietly write over older records. If a new update has
|
|
82
82
|
the same topic, kind, and key as an active context record but a different value,
|
|
83
83
|
CW marks the records `conflicting` and records a `CoordinatorDecision`.
|
|
84
84
|
|
|
85
|
-
Use `--supersedes <context-id>` to
|
|
86
|
-
older record is marked `superseded`, and the new record links to it.
|
|
85
|
+
Use `--supersedes <context-id>` when you mean to take the place of older context.
|
|
86
|
+
The older record is marked `superseded`, and the new record links to it.
|
|
87
87
|
|
|
88
88
|
## Artifact Index
|
|
89
89
|
|
|
@@ -91,15 +91,15 @@ older record is marked `superseded`, and the new record links to it.
|
|
|
91
91
|
locators, generated artifacts, reports, commit snapshots, and external paths.
|
|
92
92
|
|
|
93
93
|
Artifact refs include kind, path or locator, owner, source, provenance,
|
|
94
|
-
evidence refs, checksum when the path is a
|
|
95
|
-
Existing `StateArtifact` records
|
|
96
|
-
shared coordination state
|
|
94
|
+
evidence refs, checksum when the path is a file that can be read, and trust audit
|
|
95
|
+
links. Existing `StateArtifact` records stay good; blackboard refs join them into
|
|
96
|
+
shared coordination state and do not take their place.
|
|
97
97
|
|
|
98
98
|
## Multi-Agent Integration
|
|
99
99
|
|
|
100
100
|
`MultiAgentRun`, groups, roles, memberships, fanout, and fanin can link to a
|
|
101
101
|
blackboard id and topic ids. Worker manifests for blackboard-enabled work
|
|
102
|
-
|
|
102
|
+
have:
|
|
103
103
|
|
|
104
104
|
```json
|
|
105
105
|
{
|
|
@@ -112,8 +112,8 @@ include:
|
|
|
112
112
|
}
|
|
113
113
|
```
|
|
114
114
|
|
|
115
|
-
Accepted worker output can
|
|
116
|
-
blackboard. Fanin can
|
|
115
|
+
Accepted worker output can put result summaries and artifacts into the
|
|
116
|
+
blackboard. Fanin can ask for indexed blackboard evidence and fails closed when
|
|
117
117
|
required role memberships have no blackboard message or artifact refs.
|
|
118
118
|
|
|
119
119
|
## CLI
|
|
@@ -133,12 +133,12 @@ node scripts/cw.js coordinator summary <run-id>
|
|
|
133
133
|
node scripts/cw.js coordinator decision <run-id> --kind conflict-resolution --outcome accepted --reason "..."
|
|
134
134
|
```
|
|
135
135
|
|
|
136
|
-
The CLI
|
|
136
|
+
The CLI gives JSON by default for focused blackboard and coordinator
|
|
137
137
|
commands.
|
|
138
138
|
|
|
139
139
|
## MCP Parity
|
|
140
140
|
|
|
141
|
-
MCP
|
|
141
|
+
MCP gives the same tools:
|
|
142
142
|
|
|
143
143
|
```text
|
|
144
144
|
cw_blackboard_summary
|
|
@@ -155,14 +155,14 @@ cw_coordinator_summary
|
|
|
155
155
|
cw_coordinator_decision
|
|
156
156
|
```
|
|
157
157
|
|
|
158
|
-
There is no
|
|
158
|
+
There is no CLI-only behavior on purpose for core blackboard operations.
|
|
159
159
|
|
|
160
160
|
## Operator UX
|
|
161
161
|
|
|
162
|
-
`status`, `report --show`, and graph output
|
|
162
|
+
`status`, `report --show`, and graph output have a Blackboard / Coordinator
|
|
163
163
|
panel. It shows topics, message counts, open questions, conflicts, missing
|
|
164
|
-
evidence, artifact counts, snapshot paths, ready-for-fanin state, and next
|
|
165
|
-
|
|
164
|
+
evidence, artifact counts, snapshot paths, ready-for-fanin state, and the next
|
|
165
|
+
suggested action.
|
|
166
166
|
|
|
167
167
|
Use:
|
|
168
168
|
|
|
@@ -177,7 +177,7 @@ node scripts/cw.js audit provenance <run-id>
|
|
|
177
177
|
## Migration
|
|
178
178
|
|
|
179
179
|
Older v0.1.17 and earlier runs normalize with empty blackboard state and a
|
|
180
|
-
`.cw/runs/<run-id>/blackboard/` path.
|
|
180
|
+
`.cw/runs/<run-id>/blackboard/` path. User data that is not known is kept.
|
|
181
181
|
|
|
182
|
-
Newer
|
|
182
|
+
Newer run-state schemas that are not supported still fail closed.
|
|
183
183
|
0.1.51
|
|
@@ -1,9 +1,9 @@
|
|
|
1
1
|
# Dogfood One Real Repo
|
|
2
2
|
|
|
3
|
-
CW v0.1.16
|
|
4
|
-
repository. The
|
|
5
|
-
worker outputs, scores a release candidate,
|
|
6
|
-
evidence,
|
|
3
|
+
CW v0.1.16 tests the release workflow against the real Cool Workflow
|
|
4
|
+
repository. The test uses the canonical `release-cut` app, keeps a record of
|
|
5
|
+
separate worker outputs, scores a release candidate, picks it only with verifier
|
|
6
|
+
evidence, makes a verifier-gated CW state commit, and shows trust audit
|
|
7
7
|
provenance.
|
|
8
8
|
|
|
9
9
|
## Dry-Run Command
|
|
@@ -15,7 +15,7 @@ cd plugins/cool-workflow
|
|
|
15
15
|
npm run dogfood:release
|
|
16
16
|
```
|
|
17
17
|
|
|
18
|
-
The command
|
|
18
|
+
The command points at the repository two directories above the package, uses
|
|
19
19
|
`release-cut`, sets `version=0.1.18`, `previousVersion=0.1.17`, the current git
|
|
20
20
|
branch, and `dryRun=true`. It writes a machine-readable summary to:
|
|
21
21
|
|
|
@@ -23,13 +23,13 @@ branch, and `dryRun=true`. It writes a machine-readable summary to:
|
|
|
23
23
|
.cw/runs/<run-id>/dogfood-summary.json
|
|
24
24
|
```
|
|
25
25
|
|
|
26
|
-
The summary
|
|
26
|
+
The summary has the run id, report path, audit summary path, provenance
|
|
27
27
|
counts, worker ids, candidate id, score id, selection id, commit or checkpoint
|
|
28
28
|
id, command log paths, and the release verdict.
|
|
29
29
|
|
|
30
30
|
## Real Evidence
|
|
31
31
|
|
|
32
|
-
The full dry-run
|
|
32
|
+
The full dry-run gets real repository evidence from:
|
|
33
33
|
|
|
34
34
|
```bash
|
|
35
35
|
git status --short --branch
|
|
@@ -44,8 +44,8 @@ npm run release:check
|
|
|
44
44
|
npm pack --dry-run --json
|
|
45
45
|
```
|
|
46
46
|
|
|
47
|
-
Each command log is written under the worker `logs/` directory and
|
|
48
|
-
worker `cw:result` evidence array. The release verdict worker
|
|
47
|
+
Each command log is written under the worker `logs/` directory and named in the
|
|
48
|
+
worker `cw:result` evidence array. The release verdict worker takes the full
|
|
49
49
|
set of command locators into the release candidate, score, selection, and
|
|
50
50
|
commit/checkpoint provenance.
|
|
51
51
|
|
|
@@ -72,14 +72,14 @@ node scripts/cw.js audit provenance <run-id> --candidate dogfood-release-0.1.18
|
|
|
72
72
|
node scripts/cw.js audit provenance <run-id> --commit <commit-id>
|
|
73
73
|
```
|
|
74
74
|
|
|
75
|
-
The report
|
|
76
|
-
host attestations, evidence provenance, candidate scoring, acceptance
|
|
75
|
+
The report tells why the candidate is trusted by showing sandbox profiles,
|
|
76
|
+
host attestations, evidence provenance, candidate scoring, acceptance reasons,
|
|
77
77
|
and the verifier-gated commit.
|
|
78
78
|
|
|
79
|
-
The dogfood command
|
|
80
|
-
MCP tool because it
|
|
79
|
+
The dogfood command stays a local release-engineering script and not a new
|
|
80
|
+
MCP tool because it is built from existing first-class CW capabilities: `release-cut`
|
|
81
81
|
planning, dispatch, worker manifests/output, candidate scoring/selection,
|
|
82
|
-
commits, reports, and audit/provenance. MCP parity is
|
|
82
|
+
commits, reports, and audit/provenance. MCP parity is kept for the
|
|
83
83
|
inspectable state through the existing worker, candidate, commit, operator
|
|
84
84
|
report, and audit tools.
|
|
85
85
|
|
|
@@ -91,14 +91,14 @@ report, and audit tools.
|
|
|
91
91
|
node test/dogfood-release-smoke.js
|
|
92
92
|
```
|
|
93
93
|
|
|
94
|
-
The smoke test
|
|
94
|
+
The smoke test runs `scripts/dogfood-release.js --smoke --json`. It still
|
|
95
95
|
uses the real repository, `release-cut`, worker manifests, trust audit records,
|
|
96
96
|
candidate scoring, selection, verifier-gated commit, and a report, but keeps the
|
|
97
|
-
command set smaller
|
|
97
|
+
command set smaller so it does not do recursive release checking.
|
|
98
98
|
|
|
99
99
|
## Promote To Real Release Actions
|
|
100
100
|
|
|
101
|
-
Dry-run mode never
|
|
101
|
+
Dry-run mode never makes tags, pushes, puts out packages, or changes a
|
|
102
102
|
marketplace. Real actions are separate maintainer commands after the dogfood
|
|
103
103
|
run passes:
|
|
104
104
|
|
|
@@ -110,42 +110,42 @@ git tag v0.1.18
|
|
|
110
110
|
git push origin main --tags
|
|
111
111
|
```
|
|
112
112
|
|
|
113
|
-
Package publish and plugin marketplace updates should be separate
|
|
114
|
-
steps. If
|
|
115
|
-
`--execute --tag --confirm-release-actions=0.1.18`. The script
|
|
116
|
-
push, or publish flags in dry-run mode and
|
|
113
|
+
Package publish and plugin marketplace updates should be separate, clear
|
|
114
|
+
steps. If execute flags are used later, they must be stated openly, for example
|
|
115
|
+
`--execute --tag --confirm-release-actions=0.1.18`. The script says no to tag,
|
|
116
|
+
push, or publish flags in dry-run mode and says no to execute mode without the
|
|
117
117
|
target-version confirmation.
|
|
118
118
|
|
|
119
119
|
## Safety Gates
|
|
120
120
|
|
|
121
|
-
The dogfood command holds the candidate and writes
|
|
122
|
-
any evidence command fails, version sync is
|
|
123
|
-
missing, audit records are
|
|
124
|
-
selected candidate
|
|
125
|
-
verifier-gated commit
|
|
126
|
-
profile, worker, and acceptance
|
|
121
|
+
The dogfood command holds the candidate and writes a clear checkpoint if
|
|
122
|
+
any evidence command fails, version sync is not complete, release docs are
|
|
123
|
+
missing, audit records are not there, or verifier evidence is not present. A
|
|
124
|
+
selected candidate needs score evidence and a verified verifier node; a
|
|
125
|
+
verifier-gated commit needs the selected candidate, score, evidence, sandbox
|
|
126
|
+
profile, worker, and acceptance reasons.
|
|
127
127
|
|
|
128
|
-
This is
|
|
128
|
+
This is release engineering made dull on purpose: local-first, inspectable,
|
|
129
129
|
scriptable, and fail-closed.
|
|
130
130
|
|
|
131
131
|
## Architecture-Review Agent-Delegation Dogfood (v0.1.38)
|
|
132
132
|
|
|
133
133
|
`scripts/dogfood-architecture-review.js` dogfoods the v0.1.38 Agent Delegation
|
|
134
|
-
Drive: the `architecture-review` app driven end
|
|
135
|
-
with
|
|
134
|
+
Drive: the `architecture-review` app driven from end to end by the `agent` backend,
|
|
135
|
+
with no hand-written `result.md` at all.
|
|
136
136
|
|
|
137
|
-
It
|
|
137
|
+
It is cut into two halves, just like the release dogfood above:
|
|
138
138
|
|
|
139
139
|
- **`--smoke` (CI-verifiable).** A hermetic STUB agent (no live binary, no second
|
|
140
140
|
repo, no network, no model SDK) drives the real app to a committed audited
|
|
141
|
-
report. `node scripts/dogfood-architecture-review.js --smoke --json`
|
|
141
|
+
report. `node scripts/dogfood-architecture-review.js --smoke --json` gives back
|
|
142
142
|
`{ ok: true, mode: "smoke" }` with a `reportPath` and `auditSummaryPath` that
|
|
143
|
-
|
|
144
|
-
>= 1`. This is
|
|
143
|
+
are there, the Verdict node accepted, and `audit.byKind["worker.agent-delegation"]
|
|
144
|
+
>= 1`. This is checked under `npm test` (`test/dogfood-release-smoke.js`).
|
|
145
145
|
|
|
146
|
-
- **Live full-drive (MAINTAINER-RUN, OUT OF CI).** With a REAL
|
|
146
|
+
- **Live full-drive (MAINTAINER-RUN, OUT OF CI).** With a REAL set-up agent
|
|
147
147
|
(`CW_AGENT_COMMAND`, e.g. `claude -p {{input}}` / `codex exec`, or
|
|
148
|
-
`--agent-command`) against ONE real
|
|
148
|
+
`--agent-command`) against ONE real outside repository:
|
|
149
149
|
|
|
150
150
|
```bash
|
|
151
151
|
CW_AGENT_COMMAND="claude -p {{input}}" \
|
|
@@ -154,15 +154,15 @@ It splits into two halves, exactly like the release dogfood above:
|
|
|
154
154
|
```
|
|
155
155
|
|
|
156
156
|
This drives plan → dispatch → agent-fulfill → accept/verify → commit for every
|
|
157
|
-
worker the planner emits,
|
|
158
|
-
a `docs/dogfood/architecture-review-<repo>.md` provenance note
|
|
159
|
-
name and the agent-REPORTED model id. It
|
|
157
|
+
worker the planner emits, makes the committed audited risk report, and writes
|
|
158
|
+
a `docs/dogfood/architecture-review-<repo>.md` provenance note that keeps the repo
|
|
159
|
+
name and the agent-REPORTED model id. It needs a live outside agent binary
|
|
160
160
|
and a second repository, which CI cannot have (CI is node/npm/git-only and
|
|
161
|
-
hermetic), so it is **explicitly OUT of CI** — a maintainer
|
|
162
|
-
|
|
163
|
-
|
|
161
|
+
hermetic), so it is **explicitly OUT of CI** — a maintainer step run out-of-band,
|
|
162
|
+
just like the "Promote To Real Release Actions" above. The CI/release gate is
|
|
163
|
+
only the stub `--smoke` path.
|
|
164
164
|
|
|
165
|
-
The model runs in the
|
|
166
|
-
|
|
165
|
+
The model runs in the outside agent's process, never inside CW: this script
|
|
166
|
+
starts the agent and records its attested output; it brings in no model SDK and
|
|
167
167
|
holds no API key.
|
|
168
168
|
0.1.51
|