cool-workflow 0.1.81 → 0.1.83
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.claude-plugin/plugin.json +2 -2
- package/.codex-plugin/plugin.json +4 -4
- package/README.md +125 -121
- package/apps/architecture-review/app.json +1 -1
- package/apps/architecture-review-fast/app.json +1 -1
- package/apps/end-to-end-golden-path/app.json +1 -1
- package/apps/pr-review-fix-ci/app.json +1 -1
- package/apps/release-cut/app.json +1 -1
- package/apps/research-synthesis/app.json +1 -1
- package/dist/candidate-scoring.js +20 -26
- package/dist/capability-core.js +80 -93
- package/dist/capability-registry.js +30 -3
- package/dist/cli.js +12 -1
- package/dist/commit.js +217 -204
- package/dist/coordinator/util.js +6 -9
- package/dist/dispatch.js +11 -3
- package/dist/doctor.js +153 -0
- package/dist/evidence-reasoning.js +4 -1
- package/dist/execution-backend/agent.js +11 -48
- package/dist/execution-backend.js +11 -31
- package/dist/gates.js +48 -0
- package/dist/mcp-server.js +11 -0
- package/dist/multi-agent/helpers.js +6 -10
- package/dist/multi-agent/ids.js +20 -0
- package/dist/multi-agent-eval.js +27 -1
- package/dist/multi-agent-host.js +53 -21
- package/dist/multi-agent-operator-ux.js +2 -1
- package/dist/multi-agent-trust.js +5 -5
- package/dist/node-projection.js +59 -0
- package/dist/node-snapshot.js +8 -18
- package/dist/orchestrator/lifecycle-operations.js +22 -1
- package/dist/orchestrator.js +29 -2
- package/dist/reclamation/hash.js +72 -0
- package/dist/reclamation.js +31 -112
- package/dist/run-registry/queue.js +6 -7
- package/dist/run-registry.js +35 -24
- package/dist/scheduler.js +112 -57
- package/dist/topology.js +25 -4
- package/dist/trust-audit.js +70 -38
- package/dist/validation.js +328 -0
- package/dist/version.js +1 -1
- package/dist/worker-isolation.js +163 -58
- package/docs/agent-delegation-drive.7.md +90 -85
- package/docs/agent-framework.md +33 -32
- package/docs/candidate-scoring.7.md +26 -24
- package/docs/canonical-workflow-apps.7.md +40 -40
- package/docs/capability-topology-registry.7.md +24 -24
- package/docs/cli-mcp-parity.7.md +227 -154
- package/docs/contract-migration-tooling.7.md +49 -41
- package/docs/control-plane-scheduling.7.md +45 -40
- package/docs/coordinator-blackboard.7.md +30 -30
- package/docs/dogfood-one-real-repo.7.md +44 -44
- package/docs/durable-state-and-locking.7.md +35 -30
- package/docs/end-to-end-golden-path.7.md +29 -29
- package/docs/error-feedback.7.md +27 -27
- package/docs/evidence-adoption-reasoning-chain.7.md +63 -58
- package/docs/execution-backends.7.md +84 -79
- package/docs/getting-started.md +35 -18
- package/docs/index.md +3 -3
- package/docs/mcp-app-surface.7.md +64 -64
- package/docs/multi-agent-cli-mcp-surface.7.md +83 -77
- package/docs/multi-agent-eval-replay-harness.7.md +59 -54
- package/docs/multi-agent-operator-ux.7.md +70 -65
- package/docs/multi-agent-runtime-core.7.md +39 -39
- package/docs/multi-agent-topologies.7.md +24 -24
- package/docs/multi-agent-trust-policy-audit.7.md +38 -38
- package/docs/node-snapshot-diff-replay.7.md +26 -21
- package/docs/observability-cost-accounting.7.md +50 -45
- package/docs/operator-ux.7.md +30 -30
- package/docs/pipeline-runner.7.md +31 -31
- package/docs/project-index.md +15 -6
- package/docs/real-execution-backends.7.md +47 -42
- package/docs/release-and-migration.7.md +43 -38
- package/docs/release-tooling.7.md +74 -39
- package/docs/routines.md +16 -16
- package/docs/run-registry-control-plane.7.md +120 -115
- package/docs/run-retention-reclamation.7.md +46 -41
- package/docs/sandbox-profiles.7.md +32 -32
- package/docs/scheduled-tasks.md +14 -14
- package/docs/security-trust-hardening.7.md +29 -29
- package/docs/source-context-profiles.7.md +28 -28
- package/docs/state-explosion-management.7.md +64 -59
- package/docs/state-node.7.md +8 -8
- package/docs/team-collaboration.7.md +63 -58
- package/docs/trust-model.md +126 -126
- package/docs/unix-principles.md +80 -80
- package/docs/vendor-manifest-loadability.7.md +20 -20
- package/docs/verifier-gated-commit.7.md +16 -16
- package/docs/web-desktop-workbench.7.md +70 -65
- package/docs/worker-isolation.7.md +34 -37
- package/docs/workflow-app-framework.7.md +38 -38
- package/manifest/plugin.manifest.json +4 -4
- package/manifest/source-context-profiles.json +1 -1
- package/package.json +3 -2
- package/scripts/canonical-apps.js +4 -4
- package/scripts/children/batch-delegate-child.js +58 -0
- package/scripts/children/http-delegate-child.js +39 -0
- package/scripts/dogfood-release.js +1 -1
- package/scripts/gen-parity-doc.js +106 -0
- package/scripts/golden-path.js +4 -4
- package/scripts/release-flow.js +181 -5
- package/dist/verifier-registry.js +0 -46
|
@@ -1,34 +1,34 @@
|
|
|
1
1
|
# Run Registry / Control Plane
|
|
2
2
|
|
|
3
|
-
CW v0.1.28 adds the Run Registry / Control Plane: a layer that
|
|
3
|
+
CW v0.1.28 adds the Run Registry / Control Plane: a layer that takes care of MANY
|
|
4
4
|
workflow runs across repositories. Before v0.1.28 a run lived only under its
|
|
5
5
|
repo's `.cw/runs/<id>/` and was loaded from the current directory
|
|
6
|
-
(`loadRunFromCwd`); there was no cross-repo index and no
|
|
7
|
-
|
|
8
|
-
cross-repo history, and failed-run rerun — without
|
|
6
|
+
(`loadRunFromCwd`); there was no cross-repo index and no joined-up lifecycle
|
|
7
|
+
control. This release adds search, resume, archive, a durable queue,
|
|
8
|
+
cross-repo history, and failed-run rerun — without any change to the run-state schema
|
|
9
9
|
and without taking ownership of source truth.
|
|
10
10
|
|
|
11
|
-
The design
|
|
11
|
+
The design keeps to the same base-system observability idea as
|
|
12
12
|
[State Explosion Management](state-explosion-management.7.md) and the
|
|
13
13
|
[Evidence Adoption Reasoning Chain](evidence-adoption-reasoning-chain.7.md):
|
|
14
14
|
|
|
15
15
|
- the per-run `.cw/runs/<id>/state.json` is the SINGLE source of truth
|
|
16
|
-
- the registry is a DERIVED userland index, never a
|
|
16
|
+
- the registry is a DERIVED userland index, never a stand-in for source records
|
|
17
17
|
- plain files, stable JSON, deterministic output
|
|
18
|
-
- small
|
|
19
|
-
machine-readable output
|
|
18
|
+
- small commands that join together and console views easy to read, with full
|
|
19
|
+
machine-readable output on offer
|
|
20
20
|
- fail closed when the index is stale, a run's source changed, or its source is
|
|
21
|
-
missing — never
|
|
22
|
-
- append-only history: resume
|
|
21
|
+
missing — never make up run status from the cache
|
|
22
|
+
- append-only history: resume goes on with a run, rerun makes a NEW linked run,
|
|
23
23
|
and archive marks rather than deletes
|
|
24
|
-
- backward compatible; no hidden database; no daemon
|
|
24
|
+
- backward compatible; no hidden database; no daemon needed to read state
|
|
25
25
|
|
|
26
26
|
## Mechanism vs policy
|
|
27
27
|
|
|
28
28
|
The registry is MECHANISM: a rebuildable cache over runs. POLICY — retention
|
|
29
|
-
windows, queue ordering, and archive thresholds —
|
|
29
|
+
windows, queue ordering, and archive thresholds — can be set and is kept out
|
|
30
30
|
of the index (`RunRegistryPolicy`, explicit flags). The index can be deleted and
|
|
31
|
-
|
|
31
|
+
built again from source at any time; it never holds power that a `state.json` does
|
|
32
32
|
not.
|
|
33
33
|
|
|
34
34
|
## Derived index model
|
|
@@ -42,24 +42,24 @@ counts, `commitCount`, `verifierGatedCommitCount`, `openFeedbackCount`, a bounde
|
|
|
42
42
|
per-record `freshness` (`valid`, `stale`, or `missing`), and optional
|
|
43
43
|
`provenance`.
|
|
44
44
|
|
|
45
|
-
A `RunRegistryIndex`
|
|
45
|
+
A `RunRegistryIndex` brings together records for a scope (`repo` or `home`) with its
|
|
46
46
|
own `sourceFingerprint`, the covered `repos`, the `queue`, and lifecycle
|
|
47
47
|
`counts`. A `RunRegistryReport` wraps the index with explicit freshness
|
|
48
48
|
(`valid`, `stale`, or `absent`) plus the `staleRuns` and `missingRuns` lists and
|
|
49
|
-
a `nextAction`. Every read
|
|
49
|
+
a `nextAction`. Every read makes records again from source; the persisted index is
|
|
50
50
|
only compared against, never trusted as the live status.
|
|
51
51
|
|
|
52
52
|
During one index build, repo-level overlays (`archive.json` and
|
|
53
53
|
`provenance.json`) are read once per repo and passed as an in-memory scan
|
|
54
|
-
snapshot to each run record. This is a short-lived mechanism, not a
|
|
55
|
-
cache: the next registry command
|
|
54
|
+
snapshot to each run record. This is a short-lived mechanism, not a lasting
|
|
55
|
+
cache: the next registry command reads source state and overlays again from disk, so
|
|
56
56
|
freshness, fail-closed behavior, and output shape stay unchanged while large
|
|
57
|
-
repos
|
|
57
|
+
repos keep clear of doing the same overlay reads over and over.
|
|
58
58
|
|
|
59
59
|
## Lifecycle state machine
|
|
60
60
|
|
|
61
|
-
Lifecycle is
|
|
62
|
-
|
|
61
|
+
Lifecycle is SORTED from state that is already there, never made up. `deriveLifecycle`
|
|
62
|
+
puts the following rules to a run's source state — first match wins:
|
|
63
63
|
|
|
64
64
|
```text
|
|
65
65
|
1. running tasks > 0 -> running
|
|
@@ -71,14 +71,14 @@ applies the following rules to a run's source state — first match wins:
|
|
|
71
71
|
7. otherwise -> queued
|
|
72
72
|
```
|
|
73
73
|
|
|
74
|
-
`archived` is an OVERLAY
|
|
75
|
-
`lifecycle` becomes `archived`, but `derivedLifecycle`
|
|
76
|
-
source-derived state so search and history can still match the
|
|
74
|
+
`archived` is an OVERLAY state put on top of this. The shown
|
|
75
|
+
`lifecycle` becomes `archived`, but `derivedLifecycle` keeps the
|
|
76
|
+
source-derived state so search and history can still match the run under it.
|
|
77
77
|
The classifier never reads the cache; it reads source `state.json`.
|
|
78
78
|
|
|
79
79
|
## Cross-repo layout
|
|
80
80
|
|
|
81
|
-
State is plain files,
|
|
81
|
+
State is plain files, easy to read and to diff:
|
|
82
82
|
|
|
83
83
|
```text
|
|
84
84
|
<repo>/.cw/runs/<id>/state.json source of truth (unchanged, never owned here)
|
|
@@ -91,131 +91,131 @@ $CW_HOME/registry/index.json cross-repo derived index (rebuildable)
|
|
|
91
91
|
$CW_HOME/registry/queue.json durable run queue (plain, ordered)
|
|
92
92
|
```
|
|
93
93
|
|
|
94
|
-
The home registry root
|
|
94
|
+
The home registry root is worked out from `CW_HOME`, then
|
|
95
95
|
`XDG_STATE_HOME/cool-workflow`, then `~/.local/state/cool-workflow`. A repo is
|
|
96
|
-
|
|
97
|
-
it). Reads never write: a search or show
|
|
96
|
+
put into `repos.json` when it is refreshed (or when a queue entry names
|
|
97
|
+
it). Reads never write: a search or show works out the repo set as the union of
|
|
98
98
|
the registered repos and the current repo in memory, so reading the index never
|
|
99
|
-
|
|
99
|
+
changes discovery state.
|
|
100
100
|
|
|
101
101
|
## Search
|
|
102
102
|
|
|
103
103
|
`run search` queries runs by `--app`, `--status`, time range (`--since`,
|
|
104
104
|
`--until`), `--repo`, and free-text (`--text`, matched over runId, app, workflow,
|
|
105
105
|
title, repo, lifecycle, loop stage, and a bounded digest of run inputs).
|
|
106
|
-
Results are deterministic (ordered by `createdAt`, then `runId`) and
|
|
106
|
+
Results are deterministic (ordered by `createdAt`, then `runId`) and in pages
|
|
107
107
|
(`--limit`, `--offset`). Search is cross-repo by default (`--scope home`); use
|
|
108
|
-
`--scope repo` to
|
|
109
|
-
default and can be
|
|
108
|
+
`--scope repo` to keep to the current repo. Archived runs are taken in by
|
|
109
|
+
default and can be left out with `--include-archived false`.
|
|
110
110
|
|
|
111
111
|
## Resume
|
|
112
112
|
|
|
113
|
-
`run resume <run-id>`
|
|
114
|
-
cwd — loads its durable state, and
|
|
115
|
-
actions for the host to
|
|
116
|
-
|
|
113
|
+
`run resume <run-id>` finds a run by id across the registry — not just the
|
|
114
|
+
cwd — loads its durable state, and gives back the next runnable tasks and next
|
|
115
|
+
actions for the host to run. Resume is read-only over source: it never
|
|
116
|
+
changes `state.json` and never un-archives a run.
|
|
117
117
|
|
|
118
|
-
`run resume <run-id> --drive` (or `--once` for a single step) hands the
|
|
119
|
-
run straight to the
|
|
118
|
+
`run resume <run-id> --drive` (or `--once` for a single step) hands the found
|
|
119
|
+
run straight to the agent-delegation drive loop that is already there — it plans nothing again and
|
|
120
120
|
picks up the pending/running tasks deterministically from durable state — and
|
|
121
|
-
|
|
121
|
+
adds the drive outcome to the result under a `drive` field. The default (no
|
|
122
122
|
`--drive`) payload and `nextActions` stay byte-identical. An unconfigured agent
|
|
123
|
-
|
|
124
|
-
|
|
123
|
+
gives `drive.status="blocked"` (fail-closed, never a made-up completion); CW
|
|
124
|
+
hands worker execution to your agent and never runs a model itself.
|
|
125
125
|
|
|
126
126
|
## Queue
|
|
127
127
|
|
|
128
|
-
`queue add`
|
|
128
|
+
`queue add` adds a durable entry to the end of `$CW_HOME/registry/queue.json` with an
|
|
129
129
|
explicit `--priority` (lower drains first; ties break by enqueue time, then id).
|
|
130
130
|
`queue list` prints the queue in policy order; `queue show <id>` shows one entry.
|
|
131
|
-
`queue drain [--limit N]` marks the next ready entries drained and
|
|
132
|
-
CW
|
|
133
|
-
the queue
|
|
131
|
+
`queue drain [--limit N]` marks the next ready entries drained and gives them back —
|
|
132
|
+
CW keeps a record of order and readiness; the HOST still runs the workers. Nothing in
|
|
133
|
+
the queue starts work on its own.
|
|
134
134
|
|
|
135
135
|
## Archive
|
|
136
136
|
|
|
137
137
|
`run archive <run-id>` writes an overlay mark to the owning repo's
|
|
138
138
|
`registry/archive.json`; the run's `state.json` is never moved or deleted, and
|
|
139
|
-
the run stays searchable (its `derivedLifecycle` is
|
|
139
|
+
the run stays searchable (its `derivedLifecycle` is kept). `--unarchive`
|
|
140
140
|
clears the mark. Retention is POLICY: `run archive --older-than-days N
|
|
141
|
-
[--state completed --state failed]` archives
|
|
141
|
+
[--state completed --state failed]` archives runs that fit and are older than the window
|
|
142
142
|
without touching source truth. The default policy archives nothing
|
|
143
143
|
(`archiveOlderThanDays = 0`) until a window is given.
|
|
144
144
|
|
|
145
145
|
## Rerun
|
|
146
146
|
|
|
147
|
-
`run rerun <run-id>`
|
|
148
|
-
inputs and app,
|
|
147
|
+
`run rerun <run-id>` runs a failed run again as a NEW run: it uses the first
|
|
148
|
+
inputs and app again, puts the new run next to the first one (same repo), and keeps a record of a
|
|
149
149
|
provenance link (`rerunOf`, `rerunOfRepo`, `originRunId`, `generation`, `reason`)
|
|
150
|
-
in the repo's `registry/provenance.json`. The
|
|
151
|
-
for audit — the past is never
|
|
150
|
+
in the repo's `registry/provenance.json`. The first failed run is KEPT
|
|
151
|
+
for audit — the past is never written over. Rerunning a rerun adds one to
|
|
152
152
|
`generation` and keeps `originRunId` pinned to the chain root.
|
|
153
153
|
|
|
154
154
|
## Portable export, import, and restore verification
|
|
155
155
|
|
|
156
156
|
`run export <run-id> --output PATH` writes a portable JSON archive for a run. The
|
|
157
|
-
archive
|
|
157
|
+
archive takes in the run state plus run-local files, committed artifacts, audit
|
|
158
158
|
overlays, telemetry ledger files, per-file sha256 digests, file sizes, and a
|
|
159
|
-
manifest digest. External repo-local artifact paths
|
|
160
|
-
copied into the archive under `external-artifacts/` and
|
|
161
|
-
|
|
159
|
+
manifest digest. External repo-local artifact paths named by the run are
|
|
160
|
+
copied into the archive under `external-artifacts/` and kept with their
|
|
161
|
+
first `sourcePath`; the source run is never changed.
|
|
162
162
|
|
|
163
|
-
`run import PATH --target DIR`
|
|
163
|
+
`run import PATH --target DIR` puts the archive back under
|
|
164
164
|
`DIR/.cw/runs/<run-id>/`, rebases paths to the target repo, writes an
|
|
165
|
-
`import-manifest.json`, refreshes the target repo registry, and
|
|
166
|
-
the same verification used by `run verify-import`. Restored
|
|
167
|
-
resumed from the target repo; restored failed runs
|
|
168
|
-
home registry and can be rerun as new linked runs. The import does not
|
|
165
|
+
`import-manifest.json`, refreshes the target repo registry, and at once runs
|
|
166
|
+
the same verification used by `run verify-import`. Restored part runs can be
|
|
167
|
+
resumed from the target repo; restored failed runs can still be found from the
|
|
168
|
+
home registry and can be rerun as new linked runs. The import does not change the
|
|
169
169
|
source repository or the source run.
|
|
170
170
|
|
|
171
|
-
**Import-time refusal (fail-closed before any write).** Import
|
|
171
|
+
**Import-time refusal (fail-closed before any write).** Import checks every
|
|
172
172
|
file digest, every file size, the file count, and the manifest digest *before*
|
|
173
|
-
|
|
174
|
-
non-zero exit and a single `cw:` stderr line, leaving nothing on disk (no
|
|
175
|
-
restore). Set `CW_REQUIRE_ARCHIVE_INTEGRITY=1` to
|
|
173
|
+
making the target run directory — so a tampered archive is turned away with a
|
|
174
|
+
non-zero exit and a single `cw:` stderr line, leaving nothing on disk (no part
|
|
175
|
+
restore). Set `CW_REQUIRE_ARCHIVE_INTEGRITY=1` to also turn away an archive
|
|
176
176
|
whose top-level integrity block is *absent* — closing the legacy fail-open seam
|
|
177
177
|
where a stripped-integrity archive imported unverified. Unset (the default) keeps
|
|
178
178
|
legacy integrity-less archives byte-identical; the flag is mechanism, not policy.
|
|
179
179
|
|
|
180
|
-
`run verify-import <run-id> [--cwd DIR]`
|
|
181
|
-
every restored file digest, checks the manifest digest,
|
|
182
|
-
ledger when one was restored, and
|
|
180
|
+
`run verify-import <run-id> [--cwd DIR]` reads the restore manifest again, works out
|
|
181
|
+
every restored file digest again, checks the manifest digest, checks the telemetry
|
|
182
|
+
ledger when one was restored, and proves the **trust-audit hash chain** again (the
|
|
183
183
|
decisions / sandbox / commit-gate log, also restored under `audit/`). Missing
|
|
184
184
|
manifests, digest mismatches, path escapes, unsupported archive schemas, unreadable
|
|
185
185
|
files, telemetry-chain failures, or a forged audit chain (`trust-audit-invalid`)
|
|
186
|
-
|
|
187
|
-
audit log
|
|
186
|
+
give back explicit failed checks in place of a made-up success. An archive with no
|
|
187
|
+
audit log gives a passing `trust-audit` check (nothing to prove — no false-red).
|
|
188
188
|
|
|
189
189
|
By default `verify-import` prints the result and exits 0 even when a check fails
|
|
190
190
|
(it is a report). Pass `--strict` to make any failed restore check exit non-zero,
|
|
191
191
|
so `cw run verify-import <run> --strict && restore` stops on a tampered archive.
|
|
192
192
|
|
|
193
193
|
**Inspect an archive before restoring.** `run inspect-archive PATH [--json]`
|
|
194
|
-
|
|
195
|
-
|
|
196
|
-
`.cw/runs/<id>/` tree. It
|
|
197
|
-
`integrity.fileCount` and manifest digest, and the whole-archive sha256,
|
|
198
|
-
a structured `checks[]` — each failure names the
|
|
194
|
+
proves a portable archive's integrity again *without writing anything* — set it next to
|
|
195
|
+
`run import`, which checks as a side-effect of restoring a full
|
|
196
|
+
`.cw/runs/<id>/` tree. It works out every built-in file's sha256 and size again, the
|
|
197
|
+
`integrity.fileCount` and manifest digest, and the whole-archive sha256, giving back
|
|
198
|
+
a structured `checks[]` — each failure names the bad `relativePath` with a
|
|
199
199
|
`digest-mismatch` / `size-mismatch` / `manifest-digest-mismatch` /
|
|
200
200
|
`file-count-mismatch` code. It never throws: an unreadable path, invalid JSON, or an
|
|
201
201
|
unknown `schemaVersion` (`schemaSupported:false`) is reported as a check, not a
|
|
202
202
|
stacktrace — stdout is always valid JSON, diagnostics go to stderr. It exits `1`
|
|
203
203
|
when `ok:false`, so `cw run inspect-archive <path> && cw run import <path>` stops
|
|
204
|
-
before importing a bad archive. It is a
|
|
204
|
+
before importing a bad archive. It is a true preview of import: under
|
|
205
205
|
`CW_REQUIRE_ARCHIVE_INTEGRITY=1` a stripped-integrity archive (which import would
|
|
206
|
-
|
|
207
|
-
block is
|
|
206
|
+
turn away) also inspects as `ok:false`; with the env unset (default) an absent integrity
|
|
207
|
+
block is only reported, not failed.
|
|
208
208
|
|
|
209
|
-
MCP
|
|
209
|
+
MCP gives the same mechanisms as `cw_run_export`, `cw_run_import`,
|
|
210
210
|
`cw_run_verify_import`, and `cw_run_inspect_archive`; the CLI and MCP paths share
|
|
211
211
|
the same runtime functions.
|
|
212
212
|
|
|
213
213
|
## Cross-repo history
|
|
214
214
|
|
|
215
|
-
`history` reads
|
|
215
|
+
`history` reads one joined-up timeline of runs across all registered repos
|
|
216
216
|
(newest first), each entry carrying its repo, lifecycle, loop stage, timestamps,
|
|
217
217
|
freshness, and provenance back to its `.cw/runs/<id>/`. Filter with `--app` and
|
|
218
|
-
`--status`;
|
|
218
|
+
`--status`; page with `--limit` and `--offset`.
|
|
219
219
|
|
|
220
220
|
## CLI
|
|
221
221
|
|
|
@@ -240,13 +240,13 @@ node scripts/cw.js queue drain [--limit N] [--repo PATH]
|
|
|
240
240
|
node scripts/cw.js history [--app ID] [--status STATE] [--limit N] [--offset N] [--scope repo|home] [--json]
|
|
241
241
|
```
|
|
242
242
|
|
|
243
|
-
Read commands print
|
|
243
|
+
Read commands print short human panels by default (lifecycle, freshness, counts,
|
|
244
244
|
and next action) and full machine output under `--json` or `--format json`.
|
|
245
245
|
|
|
246
246
|
## MCP parity
|
|
247
247
|
|
|
248
248
|
Every command above is declared once in the v0.1.28 capability registry
|
|
249
|
-
(`src/capability-registry.ts`) and
|
|
249
|
+
(`src/capability-registry.ts`) and shown on both surfaces, so `cw <cmd>
|
|
250
250
|
--json` is schema-identical to the matching `cw_<tool>` result and the pair
|
|
251
251
|
passes `npm run parity:check`:
|
|
252
252
|
|
|
@@ -261,61 +261,61 @@ See [cli-mcp-parity.7.md](cli-mcp-parity.7.md).
|
|
|
261
261
|
|
|
262
262
|
## Freshness and fail-closed behavior
|
|
263
263
|
|
|
264
|
-
`registry show`
|
|
264
|
+
`registry show` works out the current source fingerprint again for every run and
|
|
265
265
|
compares it to the persisted index. If a run's source changed, the report status
|
|
266
266
|
is `stale` and the run is named in `staleRuns`. If a persisted run's source is
|
|
267
|
-
gone, the run is named in `missingRuns`, it is NOT
|
|
267
|
+
gone, the run is named in `missingRuns`, it is NOT made up into the current
|
|
268
268
|
records, and the next action is `registry refresh`. `run show` of a run whose
|
|
269
|
-
source is missing
|
|
270
|
-
last-known persisted record, clearly
|
|
271
|
-
unreadable or unsupported run state is
|
|
269
|
+
source is missing gives back `found: false` with `freshness: missing` and only the
|
|
270
|
+
last-known persisted record, marked clearly — never as a live status. An
|
|
271
|
+
unreadable or unsupported run state is taken as missing, never as success.
|
|
272
272
|
|
|
273
273
|
## Migration
|
|
274
274
|
|
|
275
|
-
Pre-0.1.28 single-repo runs and
|
|
275
|
+
Pre-0.1.28 single-repo runs and `.cw/runs/` layouts that are already there keep working with
|
|
276
276
|
an empty, rebuildable registry: `registry show` reports `absent` until the first
|
|
277
277
|
`registry refresh`, and every pre-0.1.28 CLI command and MCP tool is unchanged.
|
|
278
278
|
No run-state schema change ships in v0.1.28; newer unsupported run-state schemas
|
|
279
279
|
still fail closed. The registry, archive overlay, provenance overlay, queue, and
|
|
280
|
-
home discovery set are all derived files that can be deleted and
|
|
280
|
+
home discovery set are all derived files that can be deleted and built again from
|
|
281
281
|
source at any time.
|
|
282
282
|
|
|
283
283
|
## CLI ↔ MCP Parity (v0.1.28)
|
|
284
284
|
|
|
285
|
-
Every command and tool
|
|
286
|
-
(`src/capability-registry.ts`) and
|
|
287
|
-
`cw <cmd> --json` and the matching `cw_<tool>` result
|
|
285
|
+
Every command and tool named above is declared in the capability registry
|
|
286
|
+
(`src/capability-registry.ts`) and checked by `npm run parity:check`, so
|
|
287
|
+
`cw <cmd> --json` and the matching `cw_<tool>` result show one data source.
|
|
288
288
|
See [cli-mcp-parity.7.md](cli-mcp-parity.7.md).
|
|
289
289
|
|
|
290
290
|
## Execution Backends (v0.1.29)
|
|
291
291
|
|
|
292
292
|
v0.1.29 lifts execution into a pluggable driver layer: one narrow `ExecutionBackend`
|
|
293
|
-
contract with
|
|
294
|
-
drivers,
|
|
293
|
+
contract with `node`/`bun`/`shell`/`container`/`remote`/`ci`
|
|
294
|
+
drivers you can swap, picked by `--backend` (parallel to `--sandbox`) and looked at through
|
|
295
295
|
`backend list|show|probe`. The result/evidence envelope is schema-identical across
|
|
296
|
-
backends; the backend id + sandbox attestation are
|
|
297
|
-
surface is unchanged
|
|
296
|
+
backends; the backend id + sandbox attestation are kept as provenance, so this
|
|
297
|
+
surface is unchanged no matter which backend ran a run. See
|
|
298
298
|
[execution-backends.7.md](execution-backends.7.md).
|
|
299
299
|
## Web / Desktop Workbench (v0.1.30)
|
|
300
300
|
|
|
301
301
|
v0.1.30 adds the Web / Desktop Workbench: a read-only, localhost-only human
|
|
302
|
-
console that
|
|
302
|
+
console that shows this surface (and the other four operator panels — run
|
|
303
303
|
graph, blackboard, worker logs, candidate compare, audit timeline) for any run,
|
|
304
|
-
reading the SAME capability `--json` payloads. It is a THIRD FRONT DOOR
|
|
304
|
+
reading the SAME capability `--json` payloads. It is a THIRD FRONT DOOR beside
|
|
305
305
|
the CLI and MCP that holds no authoritative state and forks no schema: each panel
|
|
306
306
|
equals its `cw <cmd> --json` payload byte-for-byte (parity-gated), and refresh
|
|
307
|
-
|
|
307
|
+
makes everything again from disk. See
|
|
308
308
|
[web-desktop-workbench.7.md](web-desktop-workbench.7.md).
|
|
309
309
|
|
|
310
310
|
## Observability + Cost Accounting (v0.1.31)
|
|
311
311
|
|
|
312
312
|
v0.1.31 adds Observability + Cost Accounting: `metrics show`/`metrics summary`
|
|
313
|
-
|
|
314
|
-
fail-closed `n/a`), and host-attested token/cost from
|
|
313
|
+
work out durations, failure/verifier/acceptance rates (with sample counts and
|
|
314
|
+
fail-closed `n/a`), and host-attested token/cost from durable run state that is already there
|
|
315
315
|
— no metrics database, no collector daemon, no hidden counter. Usage is additive
|
|
316
316
|
and optional (absent ⇒ `unreported`, never 0); cost is `attested` (attested usage
|
|
317
317
|
× a recorded pricing policy) or clearly `estimated`, with pricing as policy. Both
|
|
318
|
-
verbs are parity-gated and
|
|
318
|
+
verbs are parity-gated and show read-only in the v0.1.30 Workbench. See
|
|
319
319
|
[observability-cost-accounting.7.md](observability-cost-accounting.7.md).
|
|
320
320
|
|
|
321
321
|
|
|
@@ -324,24 +324,24 @@ verbs are parity-gated and render read-only in the v0.1.30 Workbench. See
|
|
|
324
324
|
v0.1.32 adds Team Collaboration: a host-attested actor and append-only
|
|
325
325
|
approvals/rejections/comments/handoffs provenance-linked to a durable target,
|
|
326
326
|
plus a review gate that STACKS ON the verifier gate — required approvals from
|
|
327
|
-
authorized roles,
|
|
328
|
-
and never
|
|
329
|
-
|
|
327
|
+
authorized roles, made to hold inside `resolveCommitGate` AFTER the verifier checks
|
|
328
|
+
and never in place of them, failing closed on quorum/authority/self-approval and
|
|
329
|
+
keeping a record of who approved the very artifact that shipped. Policy (required approvals,
|
|
330
330
|
authorized roles, self-approval) is data, default off (pre-v0.1.32 behavior
|
|
331
|
-
unchanged). The verbs are parity-gated and
|
|
331
|
+
unchanged). The verbs are parity-gated and show read-only in the v0.1.30
|
|
332
332
|
Workbench. See [Team Collaboration](team-collaboration.7.md).
|
|
333
333
|
|
|
334
334
|
## Release Tooling (v0.1.33)
|
|
335
335
|
|
|
336
|
-
the per-tag mechanical surfaces (version bump across 17 surfaces, feature scaffold, and the forward-reference docs) become deterministic scripts, with a
|
|
336
|
+
the per-tag mechanical surfaces (version bump across 17 surfaces, feature scaffold, and the forward-reference docs) become deterministic scripts, with a release gate that has no doubles. See release-tooling(7).
|
|
337
337
|
|
|
338
338
|
## Real Execution Backend Integrations (v0.1.34)
|
|
339
339
|
|
|
340
|
-
container/remote/ci backends really
|
|
340
|
+
container/remote/ci backends really run work (docker/podman run, remote/CI POST-and-poll) under the sandbox contract, with byte-stable evidence vs node and fail-closed refusal when a runtime/endpoint is not on hand. See real-execution-backends(7).
|
|
341
341
|
|
|
342
342
|
## Node Snapshot / Diff / Replay (v0.1.35)
|
|
343
343
|
|
|
344
|
-
per-node snapshot, structural diff, and
|
|
344
|
+
per-node snapshot, structural diff, and on-its-own deterministic replay over StateNode, using the v0.1.23 eval harness again; fail-closed on source drift (valid|stale|absent). See node-snapshot-diff-replay(7).
|
|
345
345
|
|
|
346
346
|
## Contract Migration Tooling (v0.1.36)
|
|
347
347
|
|
|
@@ -353,11 +353,11 @@ priority + concurrency limits + lease lifecycle + retry/backoff + fail-closed pa
|
|
|
353
353
|
|
|
354
354
|
## Agent Delegation Drive (v0.1.38)
|
|
355
355
|
|
|
356
|
-
|
|
356
|
+
start an external agent process per worker, take in result.md + attestation, auto-drive plan->dispatch->fulfill->accept->commit
|
|
357
357
|
|
|
358
358
|
## Run Retention & Provable Reclamation (v0.1.39)
|
|
359
359
|
|
|
360
|
-
tiered, append-only, cryptographically-verifiable run reclamation: seal the audit skeleton, free the
|
|
360
|
+
tiered, append-only, cryptographically-verifiable run reclamation: seal the audit skeleton, free the bulk that can be built again, prove it
|
|
361
361
|
|
|
362
362
|
## Durable State & Locking (v0.1.40)
|
|
363
363
|
|
|
@@ -369,15 +369,15 @@ evidence grounding + durable audit append + symlink-hardened containment + deter
|
|
|
369
369
|
|
|
370
370
|
## Robust Result Ingest (v0.1.42)
|
|
371
371
|
|
|
372
|
-
|
|
372
|
+
take in findings/evidence from any sensible agent shape (alt keys + prose), CW makes grounded evidence itself, give a warning on empty capture — closes the v0.1.41 live-drive 'accepted with 0 captured' failure
|
|
373
373
|
|
|
374
374
|
## No-False-Green Gate & Launch Prep (v0.1.43)
|
|
375
375
|
|
|
376
|
-
Hard gate
|
|
376
|
+
Hard gate stopping empty-capture verifier-gated commits, plus quickstart and launch-prep docs.
|
|
377
377
|
|
|
378
378
|
## Release-Gate Determinism & Agents Vendor (v0.1.44)
|
|
379
379
|
|
|
380
|
-
Release-readiness checks now
|
|
380
|
+
Release-readiness checks now check the committed blob (`git show HEAD:<path>`) in place of the mutable working tree — doing away with false-red/false-green from working-tree writes at the same time (iCloud/Spotlight/editor). Adds the `agents` vendor manifest target: a generated `.agents/plugins/cool-workflow/` adapter giving any non-Claude AI agent one common interface to CW.
|
|
381
381
|
|
|
382
382
|
## P1-P2 Fixes & CI Content Surfaces (v0.1.49)
|
|
383
383
|
|
|
@@ -394,8 +394,13 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
|
|
|
394
394
|
|
|
395
395
|
## Fast Architecture Review (v0.1.80)
|
|
396
396
|
|
|
397
|
-
Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports,
|
|
397
|
+
Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, Map and Assess results you can use again, wrapper metrics you can measure, a background full-review handoff you can act on, and userland model policy flags for routing fast/strong workers without any change to the full review contract.
|
|
398
398
|
|
|
399
399
|
## Resume Drive, Inspect-Archive & Restore Re-Prove (v0.1.81)
|
|
400
400
|
|
|
401
|
-
v0.1.81 adds `run resume <id> --drive/--once` (
|
|
401
|
+
v0.1.81 adds `run resume <id> --drive/--once` (go on with a run that was stopped through the agent-drive loop; default resume stays read-only and byte-identical), `run inspect-archive PATH` (read-only archive integrity check that names any bad file without importing), and restore-time hardening: `verify-import` now proves the trust-audit chain again on restore and gains `--strict`, and `CW_REQUIRE_ARCHIVE_INTEGRITY=1` turns away a stripped-integrity archive before any write.
|
|
402
|
+
_No behavioral change in v0.1.82 (run resolution now threads an explicit base directory via CoolWorkflowRunner.withBaseDir in place of changing process.cwd; the resolved run is unchanged)._
|
|
403
|
+
|
|
404
|
+
## Hardening and Onboarding (v0.1.83)
|
|
405
|
+
|
|
406
|
+
Loaders fail closed on corrupt state; store writes are made safe under more than one writer; a new cw doctor checks your setup; help lists every command; and the docs are put into Basic English.
|