cool-workflow 0.1.82 → 0.1.83

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (79) hide show
  1. package/.claude-plugin/plugin.json +2 -2
  2. package/.codex-plugin/plugin.json +4 -4
  3. package/README.md +124 -120
  4. package/apps/architecture-review/app.json +1 -1
  5. package/apps/architecture-review-fast/app.json +1 -1
  6. package/apps/end-to-end-golden-path/app.json +1 -1
  7. package/apps/pr-review-fix-ci/app.json +1 -1
  8. package/apps/release-cut/app.json +1 -1
  9. package/apps/research-synthesis/app.json +1 -1
  10. package/dist/capability-core.js +16 -8
  11. package/dist/capability-registry.js +8 -0
  12. package/dist/cli.js +12 -1
  13. package/dist/commit.js +5 -1
  14. package/dist/doctor.js +153 -0
  15. package/dist/mcp-server.js +11 -0
  16. package/dist/orchestrator.js +13 -0
  17. package/dist/reclamation/hash.js +72 -0
  18. package/dist/reclamation.js +25 -78
  19. package/dist/run-registry/queue.js +6 -7
  20. package/dist/run-registry.js +35 -24
  21. package/dist/scheduler.js +78 -53
  22. package/dist/version.js +1 -1
  23. package/dist/worker-isolation.js +22 -2
  24. package/docs/agent-delegation-drive.7.md +90 -86
  25. package/docs/agent-framework.md +33 -32
  26. package/docs/candidate-scoring.7.md +26 -24
  27. package/docs/canonical-workflow-apps.7.md +40 -40
  28. package/docs/capability-topology-registry.7.md +24 -24
  29. package/docs/cli-mcp-parity.7.md +226 -154
  30. package/docs/contract-migration-tooling.7.md +48 -41
  31. package/docs/control-plane-scheduling.7.md +45 -41
  32. package/docs/coordinator-blackboard.7.md +30 -30
  33. package/docs/dogfood-one-real-repo.7.md +44 -44
  34. package/docs/durable-state-and-locking.7.md +34 -30
  35. package/docs/end-to-end-golden-path.7.md +29 -29
  36. package/docs/error-feedback.7.md +27 -27
  37. package/docs/evidence-adoption-reasoning-chain.7.md +62 -58
  38. package/docs/execution-backends.7.md +84 -80
  39. package/docs/getting-started.md +35 -18
  40. package/docs/index.md +3 -3
  41. package/docs/mcp-app-surface.7.md +64 -64
  42. package/docs/multi-agent-cli-mcp-surface.7.md +82 -77
  43. package/docs/multi-agent-eval-replay-harness.7.md +59 -55
  44. package/docs/multi-agent-operator-ux.7.md +69 -65
  45. package/docs/multi-agent-runtime-core.7.md +39 -39
  46. package/docs/multi-agent-topologies.7.md +24 -24
  47. package/docs/multi-agent-trust-policy-audit.7.md +38 -38
  48. package/docs/node-snapshot-diff-replay.7.md +26 -22
  49. package/docs/observability-cost-accounting.7.md +49 -45
  50. package/docs/operator-ux.7.md +30 -30
  51. package/docs/pipeline-runner.7.md +31 -31
  52. package/docs/project-index.md +10 -5
  53. package/docs/real-execution-backends.7.md +47 -43
  54. package/docs/release-and-migration.7.md +42 -38
  55. package/docs/release-tooling.7.md +53 -49
  56. package/docs/routines.md +16 -16
  57. package/docs/run-registry-control-plane.7.md +120 -116
  58. package/docs/run-retention-reclamation.7.md +45 -41
  59. package/docs/sandbox-profiles.7.md +32 -32
  60. package/docs/scheduled-tasks.md +14 -14
  61. package/docs/security-trust-hardening.7.md +29 -29
  62. package/docs/source-context-profiles.7.md +28 -28
  63. package/docs/state-explosion-management.7.md +63 -59
  64. package/docs/state-node.7.md +8 -8
  65. package/docs/team-collaboration.7.md +62 -58
  66. package/docs/trust-model.md +126 -126
  67. package/docs/unix-principles.md +80 -80
  68. package/docs/vendor-manifest-loadability.7.md +20 -20
  69. package/docs/verifier-gated-commit.7.md +16 -16
  70. package/docs/web-desktop-workbench.7.md +69 -65
  71. package/docs/worker-isolation.7.md +34 -37
  72. package/docs/workflow-app-framework.7.md +38 -38
  73. package/manifest/plugin.manifest.json +4 -4
  74. package/package.json +3 -2
  75. package/scripts/canonical-apps.js +4 -4
  76. package/scripts/dogfood-release.js +1 -1
  77. package/scripts/gen-parity-doc.js +106 -0
  78. package/scripts/golden-path.js +4 -4
  79. package/dist/verifier-registry.js +0 -46
@@ -2,16 +2,16 @@
2
2
 
3
3
  CW v0.1.39 adds Run Retention & Provable Reclamation: a tiered, append-only,
4
4
  cryptographically-verifiable way to **free disk WITHOUT violating the audit/replay
5
- moat**. A single day of dogfooding produced ~1 GB across 200+ runs under
5
+ moat**. One day of dogfooding made ~1 GB across 200+ runs under
6
6
  `.cw/runs/`, and before v0.1.39 there was **zero disk reclamation** — `run archive`
7
- only marked an overlay (it never freed bytes), `sched reclaim` reclaimed expired
8
- leases (not disk), and worker scratch dirs were never cleaned. Naive GC is
9
- forbidden: CW's entire value is "don't trust, verify." So reclamation is a
7
+ only marked an overlay (it never freed bytes), `sched reclaim` got back expired
8
+ leases (not disk), and worker scratch dirs were never cleaned. Simple GC is
9
+ not allowed: all of CW's value is "don't trust, verify." So reclamation is a
10
10
  **verifiable, append-only state transition** — freeing bytes leaves behind
11
- cryptographic proof that what was freed is reconstructable-or-worthless and that
11
+ cryptographic proof that what was freed can be made again or has no worth, and that
12
12
  the audit-essential subset is sealed.
13
13
 
14
- This release builds directly on a precise lineage: v0.1.28's archive overlay
14
+ This release is built straight on a clear line of past work: v0.1.28's archive overlay
15
15
  (`run-registry.ts` — "Archive is an overlay mark, not a delete"), v0.1.35's
16
16
  per-node snapshot/diff/deterministic replay (`node-snapshot.ts`), v0.1.32's
17
17
  append-only collaboration log, and v0.1.37's policy-as-data scheduling. It EXTENDS
@@ -26,37 +26,37 @@ reclaimed tombstone + skeleton + digests verify-only (or re-runnable-by-reconst
26
26
  ```
27
27
 
28
28
  `archived` keeps its mark-only semantics, untouched. `reclaimed` is the NEW
29
- disk-freeing tier above it. The lifecycle ceiling for this release is `reclaimed`;
30
- a future `forgotten` compliance tier (discarding even the skeleton, keeping only
29
+ disk-freeing tier over it. The lifecycle ceiling for this release is `reclaimed`;
30
+ a future `forgotten` compliance tier (dropping even the skeleton, keeping only
31
31
  the chained tombstone hash) is out of scope — the `RunLifecycleState` union gains
32
- ONLY `reclaimed`, and the hash chain is designed to extend to it later.
32
+ ONLY `reclaimed`, and the hash chain is made to extend to it later.
33
33
 
34
34
  ## The red line — never delete what is audit-essential AND irreproducible
35
35
 
36
- A byte is freeable ONLY if it is one of two classes:
36
+ A byte can be freed ONLY if it is one of two classes:
37
37
 
38
- 1. **reconstructable** — deterministically re-derivable from RETAINED inputs + a
38
+ 1. **reconstructable** — deterministically able to be made again from RETAINED inputs + a
39
39
  recorded recipe + an `expectDigest`, or
40
40
  2. **pure scratch** — zero audit value,
41
41
 
42
42
  AND it is **referenced by no surviving evidence locator or audit/collaboration
43
- event.** Any path that is neither class defaults to **RETAINED** (fail closed).
43
+ event.** Any path that is in neither class defaults to **RETAINED** (fail closed).
44
44
  The hard ALLOW-LIST — never freed under any policy — is `state.json`, `audit/`,
45
45
  `commits/`, the collaboration log, the attestation chain, `report.md`, and the new
46
46
  `reclaimed.json` overlay.
47
47
 
48
- The **skeleton** is the machine-checkable contract for what must survive every
48
+ The **skeleton** is the machine-checkable contract for what must live through every
49
49
  reclamation (`SKELETON_REQUIRED_KEYS` + `validateSkeleton()`): the final verdict,
50
50
  every commit record, every evidence locator's content digest, the attestation
51
51
  chain, the cost record, and the append-only audit + collaboration logs. If a
52
- complete skeleton cannot be extracted, reclamation **refuses with
52
+ full skeleton cannot be pulled out, reclamation **refuses with
53
53
  `skeleton-incomplete` and frees zero bytes.**
54
54
 
55
55
  ## Write-ahead, fail-closed sequencing — order is the safety property
56
56
 
57
- The reclamation transaction is four discrete, individually-callable steps:
57
+ The reclamation transaction is four separate steps, each one able to be called on its own:
58
58
 
59
- 1. `extractSkeleton()` — extract + seal the audit-essential subset.
59
+ 1. `extractSkeleton()` — pull out + seal the audit-essential subset.
60
60
  2. `buildTombstone()` — write the full freed-manifest with a **pre-deletion
61
61
  sha256 per path**, plus the hash chain.
62
62
  3. `commitTombstone()` — **fsync** the tombstone into the append-only
@@ -64,9 +64,9 @@ The reclamation transaction is four discrete, individually-callable steps:
64
64
  through the existing append-only trust-audit log.
65
65
  4. `freeBulk()` — ONLY THEN free the bulk bytes.
66
66
 
67
- A crash between any steps leaves **EITHER the full run OR a complete tombstone —
68
- never a half-deleted run with no proof.** This is testable by design:
69
- `runReclamation(run, policy, { faultAfter })` throws a synthetic `ReclamationAbort`
67
+ A crash between any steps leaves **EITHER the full run OR a full tombstone —
68
+ never a half-deleted run with no proof.** This can be tested by design:
69
+ `runReclamation(run, policy, { faultAfter })` throws a made-up `ReclamationAbort`
70
70
  after the named step (`skeleton` | `tombstone-write` | `tombstone-commit`) — never
71
71
  by killing the process.
72
72
 
@@ -75,9 +75,9 @@ by killing the process.
75
75
  The tombstone is a NEW `reclaimed.json` overlay (a peer of `archive.json`'s role).
76
76
  Only the bulk DATA bytes are freed — no existing audit, state, or commit record is
77
77
  ever rewritten. It is itself a new audit record, **hash-chained**: `tombstoneHash`
78
- is recomputed from the freed-manifest + sealed skeleton + `prevTombstoneHash`
79
- (genesis = sha256 of the sealed skeleton). `gc verify` recomputes `tombstoneHash`
80
- **independently**, never trusting the stored value, so a tampered registry entry
78
+ is worked out again from the freed-manifest + sealed skeleton + `prevTombstoneHash`
79
+ (genesis = sha256 of the sealed skeleton). `gc verify` works out `tombstoneHash`
80
+ again **on its own**, never trusting the stored value, so a changed registry entry
81
81
  is caught — flipping a per-path sha256 fails with `tombstone-digest-mismatch`;
82
82
  editing a hash link fails with `tombstone-chain-broken`.
83
83
 
@@ -90,22 +90,22 @@ enumerable `record.capabilityReason` (a closed set, e.g.
90
90
  `snapshot-reclaimed-no-reconstruction` | `inputs-and-expectdigest-retained` |
91
91
  `scratch-only-reclaimed`) — never free-text prose.
92
92
 
93
- **Reconstruction is a distinct code path, NOT live `verifyNodeReplay`.** A reclaimed
93
+ **Reconstruction is a separate code path, NOT live `verifyNodeReplay`.** A reclaimed
94
94
  artifact making `loadNodeSnapshot` return `absent` is the EXPECTED fail-closed
95
95
  signal. The reconstruction verifier re-runs the recorded recipe against the
96
96
  RETAINED inputs (keyed on the retained-inputs digest) and compares the result's
97
- sha256 to the tombstoned `expectDigest` — it never routes through the freed source
97
+ sha256 to the tombstoned `expectDigest` — it never goes through the freed source
98
98
  bytes. Flipping one retained input byte fails with `reconstruction-digest-mismatch`.
99
99
 
100
100
  ## The eager-scratch exception
101
101
 
102
- Worker scratch is the one class reclaimed eagerly. A worker's scratch dir is pure
102
+ Worker scratch is the one class reclaimed early. A worker's scratch dir is pure
103
103
  scratch with zero audit value, and its `result.md` is already copied to
104
104
  `results/<task-id>.md` and evidence-gated. Before the scratch is freed, the result
105
105
  node's `worker-result` artifact (set by `recordWorkerOutput` to a path INSIDE the
106
106
  scratch dir) is **re-pointed** to the retained `results/<task-id>.md` copy, and the
107
- result-node snapshot is proven to stay `valid` (not `absent`) — so no surviving
108
- node references a freed path. Opt out with `--keep-scratch`.
107
+ result-node snapshot is shown to stay `valid` (not `absent`) — so no surviving
108
+ node points to a freed path. Opt out with `--keep-scratch`.
109
109
 
110
110
  ## CLI
111
111
 
@@ -115,14 +115,14 @@ cw gc run [run-id] [--reclaimAfterArchiveDays N] [--keep-scratch] [--keep-sna
115
115
  cw gc verify <run-id> [--scope repo|home] [--json]
116
116
  ```
117
117
 
118
- - `gc plan` is a pure **dry-run**: it computes eligible runs, the exact bytes that
118
+ - `gc plan` is a pure **dry-run**: it works out eligible runs, the exact bytes that
119
119
  WOULD be freed per kind, and the per-run capability downgrade. It frees nothing
120
120
  (`plan.bytesToFree` equals the summed per-path sizes it lists).
121
- - `gc run` executes the write-ahead transaction for eligible runs, bounded by
121
+ - `gc run` runs the write-ahead transaction for eligible runs, bounded by
122
122
  `maxReclaimRuns` / `maxReclaimBytes`, fail-closed on any incomplete skeleton.
123
123
  - `gc verify` re-proves a reclaimed run end-to-end.
124
124
 
125
- Eligibility is explicit and fail-closed: a run is reclaimable exactly when its
125
+ Eligibility is explicit and fail-closed: a run can be reclaimed exactly when its
126
126
  **derived lifecycle is `completed` or `failed` AND it is archived AND it has no
127
127
  open feedback AND it is past `reclaimAfterArchiveDays`.** `running` / `blocked` /
128
128
  `queued` runs are NEVER reclaimable; the check reads live source state and fails
@@ -134,8 +134,8 @@ action, never a daemon.
134
134
  ## MCP
135
135
 
136
136
  `cw_gc_plan`, `cw_gc_run`, and `cw_gc_verify` are the peers of the CLI verbs,
137
- registered in the capability registry and validated by `parity:check` (fail-closed
138
- on drift). The read-only `gc plan` / `gc verify` payloads obey the now-derived-field
137
+ registered in the capability registry and checked by `parity:check` (fail-closed
138
+ on drift). The read-only `gc plan` / `gc verify` payloads follow the now-derived-field
139
139
  rule: only ISO timestamps may be now-derived.
140
140
 
141
141
  ## Policy-as-data
@@ -147,16 +147,16 @@ Back-compatible defaults reclaim nothing; pre-v0.1.39 runs load unchanged.
147
147
 
148
148
  ## Compatibility
149
149
 
150
- Additive. The kernel `state.json` schema is unchanged beyond the new per-run
150
+ Additive. The kernel `state.json` schema is unchanged but for the new per-run
151
151
  `reclaimed.json` overlay + policy fields; pre-v0.1.39 runs load unchanged. The
152
152
  `RunLifecycleState` union gains only `reclaimed`. `run archive` keeps its mark-only
153
- semantics. Nothing in the original audit log is ever edited or erased.
153
+ semantics. Nothing in the first audit log is ever edited or wiped.
154
154
 
155
155
  ## See Also
156
156
 
157
157
  - `docs/run-registry-control-plane.7.md` — the v0.1.28 archive overlay this extends.
158
- - `docs/node-snapshot-diff-replay.7.md` — the v0.1.35 snapshot engine reconstruction layers beside.
159
- - `docs/control-plane-scheduling.7.md` — the v0.1.37 policy-as-data lineage.
158
+ - `docs/node-snapshot-diff-replay.7.md` — the v0.1.35 snapshot engine reconstruction sits beside.
159
+ - `docs/control-plane-scheduling.7.md` — the v0.1.37 policy-as-data line of work.
160
160
  - `docs/team-collaboration.7.md` — the v0.1.32 append-only log sealed in the skeleton.
161
161
 
162
162
  ## Durable State & Locking (v0.1.40)
@@ -169,15 +169,15 @@ evidence grounding + durable audit append + symlink-hardened containment + deter
169
169
 
170
170
  ## Robust Result Ingest (v0.1.42)
171
171
 
172
- capture findings/evidence from any reasonable agent shape (alt keys + prose), CW derives grounded evidence itself, warn on empty capture — closes the v0.1.41 live-drive 'accepted with 0 captured' failure
172
+ capture findings/evidence from any sensible agent shape (alt keys + prose), CW derives grounded evidence itself, warn on empty capture — shuts the v0.1.41 live-drive 'accepted with 0 captured' failure
173
173
 
174
174
  ## No-False-Green Gate & Launch Prep (v0.1.43)
175
175
 
176
- Hard gate blocking empty-capture verifier-gated commits, plus quickstart and launch-prep docs.
176
+ Hard gate stopping empty-capture verifier-gated commits, plus quickstart and launch-prep docs.
177
177
 
178
178
  ## Release-Gate Determinism & Agents Vendor (v0.1.44)
179
179
 
180
- Release-readiness checks now validate the committed blob (`git show HEAD:<path>`) instead of the mutable working tree — eliminating false-red/false-green from concurrent working-tree writes (iCloud/Spotlight/editor). Adds the `agents` vendor manifest target: a generated `.agents/plugins/cool-workflow/` adapter giving any non-Claude AI agent one common interface to CW.
180
+ Release-readiness checks now check the committed blob (`git show HEAD:<path>`) in place of the mutable working tree — getting rid of false-red/false-green from concurrent working-tree writes (iCloud/Spotlight/editor). Adds the `agents` vendor manifest target: a generated `.agents/plugins/cool-workflow/` adapter that gives any non-Claude AI agent one common interface to CW.
181
181
 
182
182
  ## P1-P2 Fixes & CI Content Surfaces (v0.1.49)
183
183
 
@@ -194,9 +194,13 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
194
194
 
195
195
  ## Fast Architecture Review (v0.1.80)
196
196
 
197
- Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, reusable Map and Assess results, measurable wrapper metrics, actionable background full-review handoff, and userland model policy flags for routing fast/strong workers without changing the full review contract.
197
+ Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, reusable Map and Assess results, measurable wrapper metrics, useful background full-review handoff, and userland model policy flags for routing fast/strong workers without changing the full review contract.
198
198
 
199
199
  ## Deterministic Freed Manifest (v0.1.81)
200
200
 
201
- The freed manifest is path-sorted before it feeds `tombstoneHash`, so reclamation's write-ahead tombstone hash-chain is reproducible across hosts regardless of filesystem enumeration order. Reclaimed tiers, the re-point seam, and the default (reclaim-nothing) policy are unchanged.
201
+ The freed manifest is path-sorted before it feeds `tombstoneHash`, so reclamation's write-ahead tombstone hash-chain can be made again across hosts no matter the filesystem enumeration order. Reclaimed tiers, the re-point seam, and the default (reclaim-nothing) policy are unchanged.
202
202
  _No changes in v0.1.82._
203
+
204
+ ## Hardening and Onboarding (v0.1.83)
205
+
206
+ Loaders fail closed on corrupt state; store writes are made safe under more than one writer; a new cw doctor checks your setup; help lists every command; and the docs are put into Basic English.
@@ -16,14 +16,14 @@ node dist/cli.js worker manifest <run-id> <worker-id>
16
16
 
17
17
  ## DESCRIPTION
18
18
 
19
- A sandbox profile is a CW policy contract. It tells the agent host what a
20
- worker may read, write, execute, access over the network, and receive through
19
+ A sandbox profile is a CW policy contract. It says what the agent host lets a
20
+ worker read, write, execute, get to over the network, and take in through
21
21
  environment variables.
22
22
 
23
- It is not a container, jail, chroot, seatbelt profile, packet filter, or OS
24
- process sandbox by itself. CW enforces profile validation, deterministic path
23
+ By itself it is not a container, jail, chroot, seatbelt profile, packet filter,
24
+ or OS process sandbox. CW does profile validation, deterministic path
25
25
  normalization, worker result acceptance, and durable feedback for denied worker
26
- output. The agent host must enforce OS-level file access, process execution,
26
+ output. The agent host has to do OS-level file access, process execution,
27
27
  network access, and environment filtering.
28
28
 
29
29
  The design goal is simple:
@@ -32,28 +32,28 @@ The design goal is simple:
32
32
  named policy -> resolved worker manifest -> host enforcement -> CW acceptance
33
33
  ```
34
34
 
35
- Profiles are selected at dispatch time and stored in run state, worker records,
35
+ Profiles are picked at dispatch time and kept in run state, worker records,
36
36
  dispatch manifests, worker manifests, feedback records, and reports.
37
37
 
38
38
  ## BUNDLED PROFILES
39
39
 
40
40
  `default`
41
- : Preserves existing Worker Isolation behavior. Workers may read the workspace
42
- and write only accepted worker output paths unless additional `allowedPaths`
43
- are supplied by older APIs.
41
+ : Keeps the same Worker Isolation behavior. Workers may read the workspace
42
+ and write only accepted worker output paths, unless more `allowedPaths`
43
+ come from older APIs.
44
44
 
45
45
  `readonly`
46
46
  : Workers may read the workspace and write only worker-local output paths.
47
- Network access is denied by profile. CW still relies on the host to enforce
48
- read-only mounts or equivalent OS policy.
47
+ Network access is denied by profile. CW still needs the host to do
48
+ read-only mounts or an equal OS policy.
49
49
 
50
50
  `workspace-write`
51
- : Workers may read and write the workspace, plus worker-local output paths.
52
- Use this only for workers expected to modify repository files.
51
+ : Workers may read and write the workspace, and worker-local output paths too.
52
+ Use this only for workers that are meant to change repository files.
53
53
 
54
54
  `locked-down`
55
55
  : Workers may read only `input.md` and write only `result.md`. Command,
56
- network, and inherited environment access are denied by policy.
56
+ network, and inherited environment access are all denied by policy.
57
57
 
58
58
  ## PROFILE SHAPE
59
59
 
@@ -73,14 +73,14 @@ Profile files use schema version `1`:
73
73
  }
74
74
  ```
75
75
 
76
- Supported path tokens are `$cwd`, `$runDir`, `$workerDir`, `$inputPath`,
77
- `$resultPath`, `$artifactsDir`, and `$logsDir`. Relative paths are resolved
76
+ The path tokens you may use are `$cwd`, `$runDir`, `$workerDir`, `$inputPath`,
77
+ `$resultPath`, `$artifactsDir`, and `$logsDir`. Relative paths are worked out
78
78
  from the run workspace. Empty paths, control characters, unknown tokens, and
79
- `..` traversal are rejected.
79
+ `..` traversal are turned away.
80
80
 
81
81
  `execute.mode` and `network.mode` are `none`, `allowlist`, or `any`.
82
82
  Allowlisted commands or network targets are exact strings. Environment variable
83
- names must use normal shell identifier syntax.
83
+ names have to use normal shell identifier syntax.
84
84
 
85
85
  ## ENFORCEMENT
86
86
 
@@ -93,15 +93,15 @@ CW-enforced:
93
93
 
94
94
  Host-required:
95
95
 
96
- - preventing reads outside `readPaths`
97
- - preventing writes before CW accepts a result
96
+ - stopping reads outside `readPaths`
97
+ - stopping writes before CW takes a result
98
98
  - command execution restrictions
99
99
  - network restrictions
100
100
  - environment variable filtering
101
101
 
102
- Worker manifests include both lists as `sandbox.enforcedByCW` and
103
- `sandbox.hostRequired`. Do not present CW Sandbox Profiles as OS-level
104
- sandboxing unless the agent host actually applies OS policy.
102
+ Worker manifests have both lists as `sandbox.enforcedByCW` and
103
+ `sandbox.hostRequired`. Do not put forward CW Sandbox Profiles as OS-level
104
+ sandboxing unless the agent host truly puts OS policy to work.
105
105
 
106
106
  ## FILES
107
107
 
@@ -118,20 +118,20 @@ sandboxing unless the agent host actually applies OS policy.
118
118
 
119
119
  Unknown requested profiles fail closed with `sandbox-profile-not-found`.
120
120
 
121
- Malformed profile files fail validation with `sandbox-profile-invalid`.
121
+ Bad profile files fail validation with `sandbox-profile-invalid`.
122
122
 
123
- Denied worker output writes create `sandbox-write-denied` feedback. Runtime
124
- helpers also provide `sandbox-read-denied`, `sandbox-network-denied`, and
125
- `sandbox-command-denied` for hosts that want to record those decisions through
123
+ Denied worker output writes make `sandbox-write-denied` feedback. Runtime
124
+ helpers also give `sandbox-read-denied`, `sandbox-network-denied`, and
125
+ `sandbox-command-denied` for hosts that want to note down those decisions through
126
126
  CW.
127
127
 
128
- CW never silently downgrades a requested profile to `default`.
128
+ CW never quietly drops a requested profile down to `default`.
129
129
 
130
130
  ## COMPATIBILITY
131
131
 
132
- Sandbox Profiles are introduced in CW v0.1.8. The legacy `allowedPaths` field
133
- remains in worker scopes and manifests as the effective write-path alias for
132
+ Sandbox Profiles come in with CW v0.1.8. The legacy `allowedPaths` field
133
+ stays in worker scopes and manifests as the effective write-path alias for
134
134
  older callers. New hosts should read `sandboxPolicy.readPaths` and
135
- `sandboxPolicy.writePaths`, then apply worker output allowances from
136
- `sandboxPolicy.workerOutput`.
135
+ `sandboxPolicy.writePaths`, then put worker output allowances from
136
+ `sandboxPolicy.workerOutput` to work.
137
137
  0.1.51
@@ -1,9 +1,9 @@
1
1
  # Scheduled Tasks
2
2
 
3
- CW scheduled tasks support looping prompts, cron-like schedules, one-shot
4
- reminders, expiration, jitter, and explicit completion.
3
+ CW scheduled tasks let you make looping prompts, cron-like schedules, one-shot
4
+ reminders, expiration, jitter, and clear completion.
5
5
 
6
- CW stores schedules in:
6
+ CW keeps schedules in:
7
7
 
8
8
  ```text
9
9
  .cw/schedules/tasks.json
@@ -11,7 +11,7 @@ CW stores schedules in:
11
11
 
12
12
  ## Commands
13
13
 
14
- Create a `/loop`-compatible schedule:
14
+ Make a `/loop`-ready schedule:
15
15
 
16
16
  ```bash
17
17
  node scripts/cw.js loop \
@@ -19,7 +19,7 @@ node scripts/cw.js loop \
19
19
  --prompt "Check this workflow and continue if work is due."
20
20
  ```
21
21
 
22
- Create a loop:
22
+ Make a loop:
23
23
 
24
24
  ```bash
25
25
  node scripts/cw.js schedule create \
@@ -28,7 +28,7 @@ node scripts/cw.js schedule create \
28
28
  --prompt "Check this workflow and continue if work is due."
29
29
  ```
30
30
 
31
- Create a cron schedule:
31
+ Make a cron schedule:
32
32
 
33
33
  ```bash
34
34
  node scripts/cw.js schedule create \
@@ -37,7 +37,7 @@ node scripts/cw.js schedule create \
37
37
  --prompt "Run the due workflow scan."
38
38
  ```
39
39
 
40
- Create a reminder:
40
+ Make a reminder:
41
41
 
42
42
  ```bash
43
43
  node scripts/cw.js schedule create \
@@ -46,7 +46,7 @@ node scripts/cw.js schedule create \
46
46
  --prompt "Remind me to inspect the report."
47
47
  ```
48
48
 
49
- List and scan:
49
+ List and look through:
50
50
 
51
51
  ```bash
52
52
  node scripts/cw.js schedule list
@@ -59,13 +59,13 @@ node scripts/cw.js schedule history <schedule-id>
59
59
  node scripts/cw.js schedule delete <schedule-id>
60
60
  ```
61
61
 
62
- Run the local desktop-style daemon once:
62
+ Run the local desktop-like daemon one time:
63
63
 
64
64
  ```bash
65
65
  node scripts/cw.js schedule daemon --once
66
66
  ```
67
67
 
68
- Run it continuously:
68
+ Run it without stopping:
69
69
 
70
70
  ```bash
71
71
  node scripts/cw.js schedule daemon --intervalSeconds 60
@@ -73,8 +73,8 @@ node scripts/cw.js schedule daemon --intervalSeconds 60
73
73
 
74
74
  ## Notes
75
75
 
76
- - Resolution is minute-level.
77
- - Default expiration is 7 days.
78
- - `jitterSeconds` can spread runs.
76
+ - Time is measured to the minute.
77
+ - By default, expiration comes after 7 days.
78
+ - `jitterSeconds` can put space between runs.
79
79
  - CW does not start the daemon by default. Use `schedule daemon`, cron, or
80
- another supervisor to call `schedule due` and execute due prompts.
80
+ some other overseer to call `schedule due` and run due prompts.
@@ -2,13 +2,13 @@
2
2
 
3
3
  CW v0.1.15 adds a local trust audit layer for worker sandbox decisions,
4
4
  evidence provenance, candidate selection, and verifier-gated commits.
5
- CW v0.1.22 reuses this same layer for multi-agent role policy, blackboard
5
+ CW v0.1.22 uses this same layer again for multi-agent role policy, blackboard
6
6
  write audit, message provenance, judge rationale, panel decisions, and policy
7
7
  violations.
8
8
 
9
9
  ## Audit Records
10
10
 
11
- Every run has an audit directory:
11
+ Every run has an audit directory of its own:
12
12
 
13
13
  ```text
14
14
  .cw/runs/<run-id>/audit/
@@ -17,37 +17,37 @@ Every run has an audit directory:
17
17
  summary.json
18
18
  ```
19
19
 
20
- `events.jsonl` is append-friendly. `index.json` and `summary.json` are
21
- deterministic inspection files regenerated by CW commands.
20
+ `events.jsonl` is made so you can add to the end. `index.json` and `summary.json` are
21
+ fixed, repeatable look files that CW commands make again.
22
22
 
23
- Each event records:
23
+ Each event keeps a record of:
24
24
 
25
25
  - schema version, event id, timestamp, run id, kind, decision, and source
26
- - actor, worker id, task id, node id, candidate id, score id, selection id, or commit id when relevant
26
+ - actor, worker id, task id, node id, candidate id, score id, selection id, or commit id when it has a part to play
27
27
  - sandbox profile id and policy snapshot/reference
28
- - normalized path, command, network target, or env variable names when relevant
28
+ - normalized path, command, network target, or env variable names when they have a part to play
29
29
  - evidence references and parent audit event ids
30
30
  - feedback ids for denied or failed decisions
31
31
 
32
- Event sources are explicit:
32
+ Event sources are clear:
33
33
 
34
- - `cw-validated`: CW checked a policy or gate locally.
35
- - `host-attested`: the agent host or operator recorded what the host enforced.
36
- - `operator-recorded`: a human or caller supplied the record.
37
- - `runtime-derived`: CW derived the event from run state.
34
+ - `cw-validated`: CW checked a policy or gate on the local machine.
35
+ - `host-attested`: the agent host or operator put down a record of what the host made certain.
36
+ - `operator-recorded`: a person or caller gave the record.
37
+ - `runtime-derived`: CW got the event from run state.
38
38
 
39
- CW does not store secrets or raw environment values. Environment audit records
40
- store names only.
39
+ CW does not keep secrets or raw environment values. Environment audit records
40
+ keep names only.
41
41
 
42
42
  ## Enforcement Boundary
43
43
 
44
- CW validates sandbox profiles, normalizes paths, validates worker output
45
- acceptance, validates command/network/env decisions when asked, and records
46
- durable feedback for denied worker decisions.
44
+ CW checks sandbox profiles, normalizes paths, checks worker output
45
+ acceptance, checks command/network/env decisions when asked, and keeps
46
+ lasting feedback for denied worker decisions.
47
47
 
48
- The agent host must still enforce OS-level read isolation, write isolation,
49
- process execution restrictions, network restrictions, and environment filtering.
50
- The audit layer makes that boundary inspectable; it is not a kernel.
48
+ The agent host must still make certain of OS-level read isolation, write isolation,
49
+ limits on process execution, limits on network, and environment filtering.
50
+ The audit layer lets you look at that boundary; it is not a kernel.
51
51
 
52
52
  ## CLI
53
53
 
@@ -67,24 +67,24 @@ node scripts/cw.js audit decision <run-id> <worker-id> --network example.com
67
67
  node scripts/cw.js audit decision <run-id> <worker-id> --env SECRET_NAME
68
68
  ```
69
69
 
70
- Denied audit decisions are written to audit files and linked to feedback/error
71
- records. Environment values are redacted to names.
70
+ Denied audit decisions are put into audit files and joined to feedback/error
71
+ records. Environment values are cut back to names.
72
72
 
73
73
  ## Evidence Provenance
74
74
 
75
- `StateEvidence` remains backward compatible. v0.1.15 adds optional
75
+ `StateEvidence` still works with older versions. v0.1.15 adds optional
76
76
  `provenance` metadata that can point from:
77
77
 
78
78
  ```text
79
79
  worker result -> result node -> verifier node -> candidate -> score -> selection -> commit
80
80
  ```
81
81
 
82
- Candidate scores, selections, and verifier-gated commits preserve provenance
83
- links instead of only copying evidence arrays.
82
+ Candidate scores, selections, and verifier-gated commits keep provenance
83
+ links in place of only copying evidence arrays.
84
84
 
85
85
  ## Why Accepted
86
86
 
87
- Selected candidates and verifier-gated commits carry an acceptance rationale:
87
+ Selected candidates and verifier-gated commits come with an acceptance rationale:
88
88
 
89
89
  - selected candidate id
90
90
  - score id and score criteria
@@ -95,12 +95,12 @@ Selected candidates and verifier-gated commits carry an acceptance rationale:
95
95
  - commit gate result
96
96
  - audit event ids
97
97
 
98
- Verifier-gated commits fail closed when the acceptance rationale cannot explain
98
+ Verifier-gated commits fail closed when the acceptance rationale is not able to make clear
99
99
  the evidence chain.
100
100
 
101
101
  ## MCP
102
102
 
103
- The MCP server exposes matching tools:
103
+ The MCP server gives these like tools:
104
104
 
105
105
  - `cw_audit_summary`
106
106
  - `cw_audit_worker`
@@ -113,5 +113,5 @@ The MCP server exposes matching tools:
113
113
  - `cw_audit_attest`
114
114
  - `cw_audit_decision`
115
115
 
116
- Existing MCP tool names remain stable.
116
+ MCP tool names that are already there do not change.
117
117
  0.1.51