cool-workflow 0.1.82 → 0.1.83

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (79) hide show
  1. package/.claude-plugin/plugin.json +2 -2
  2. package/.codex-plugin/plugin.json +4 -4
  3. package/README.md +124 -120
  4. package/apps/architecture-review/app.json +1 -1
  5. package/apps/architecture-review-fast/app.json +1 -1
  6. package/apps/end-to-end-golden-path/app.json +1 -1
  7. package/apps/pr-review-fix-ci/app.json +1 -1
  8. package/apps/release-cut/app.json +1 -1
  9. package/apps/research-synthesis/app.json +1 -1
  10. package/dist/capability-core.js +16 -8
  11. package/dist/capability-registry.js +8 -0
  12. package/dist/cli.js +12 -1
  13. package/dist/commit.js +5 -1
  14. package/dist/doctor.js +153 -0
  15. package/dist/mcp-server.js +11 -0
  16. package/dist/orchestrator.js +13 -0
  17. package/dist/reclamation/hash.js +72 -0
  18. package/dist/reclamation.js +25 -78
  19. package/dist/run-registry/queue.js +6 -7
  20. package/dist/run-registry.js +35 -24
  21. package/dist/scheduler.js +78 -53
  22. package/dist/version.js +1 -1
  23. package/dist/worker-isolation.js +22 -2
  24. package/docs/agent-delegation-drive.7.md +90 -86
  25. package/docs/agent-framework.md +33 -32
  26. package/docs/candidate-scoring.7.md +26 -24
  27. package/docs/canonical-workflow-apps.7.md +40 -40
  28. package/docs/capability-topology-registry.7.md +24 -24
  29. package/docs/cli-mcp-parity.7.md +226 -154
  30. package/docs/contract-migration-tooling.7.md +48 -41
  31. package/docs/control-plane-scheduling.7.md +45 -41
  32. package/docs/coordinator-blackboard.7.md +30 -30
  33. package/docs/dogfood-one-real-repo.7.md +44 -44
  34. package/docs/durable-state-and-locking.7.md +34 -30
  35. package/docs/end-to-end-golden-path.7.md +29 -29
  36. package/docs/error-feedback.7.md +27 -27
  37. package/docs/evidence-adoption-reasoning-chain.7.md +62 -58
  38. package/docs/execution-backends.7.md +84 -80
  39. package/docs/getting-started.md +35 -18
  40. package/docs/index.md +3 -3
  41. package/docs/mcp-app-surface.7.md +64 -64
  42. package/docs/multi-agent-cli-mcp-surface.7.md +82 -77
  43. package/docs/multi-agent-eval-replay-harness.7.md +59 -55
  44. package/docs/multi-agent-operator-ux.7.md +69 -65
  45. package/docs/multi-agent-runtime-core.7.md +39 -39
  46. package/docs/multi-agent-topologies.7.md +24 -24
  47. package/docs/multi-agent-trust-policy-audit.7.md +38 -38
  48. package/docs/node-snapshot-diff-replay.7.md +26 -22
  49. package/docs/observability-cost-accounting.7.md +49 -45
  50. package/docs/operator-ux.7.md +30 -30
  51. package/docs/pipeline-runner.7.md +31 -31
  52. package/docs/project-index.md +10 -5
  53. package/docs/real-execution-backends.7.md +47 -43
  54. package/docs/release-and-migration.7.md +42 -38
  55. package/docs/release-tooling.7.md +53 -49
  56. package/docs/routines.md +16 -16
  57. package/docs/run-registry-control-plane.7.md +120 -116
  58. package/docs/run-retention-reclamation.7.md +45 -41
  59. package/docs/sandbox-profiles.7.md +32 -32
  60. package/docs/scheduled-tasks.md +14 -14
  61. package/docs/security-trust-hardening.7.md +29 -29
  62. package/docs/source-context-profiles.7.md +28 -28
  63. package/docs/state-explosion-management.7.md +63 -59
  64. package/docs/state-node.7.md +8 -8
  65. package/docs/team-collaboration.7.md +62 -58
  66. package/docs/trust-model.md +126 -126
  67. package/docs/unix-principles.md +80 -80
  68. package/docs/vendor-manifest-loadability.7.md +20 -20
  69. package/docs/verifier-gated-commit.7.md +16 -16
  70. package/docs/web-desktop-workbench.7.md +69 -65
  71. package/docs/worker-isolation.7.md +34 -37
  72. package/docs/workflow-app-framework.7.md +38 -38
  73. package/manifest/plugin.manifest.json +4 -4
  74. package/package.json +3 -2
  75. package/scripts/canonical-apps.js +4 -4
  76. package/scripts/dogfood-release.js +1 -1
  77. package/scripts/gen-parity-doc.js +106 -0
  78. package/scripts/golden-path.js +4 -4
  79. package/dist/verifier-registry.js +0 -46
@@ -2,48 +2,48 @@
2
2
 
3
3
  CW v0.1.32 adds Team Collaboration: a host-attested actor, append-only approvals,
4
4
  rejections, comments, and handoffs, and a review gate that STACKS ON the verifier
5
- gate. Before v0.1.32 there was no review/approval/comment/handoff/identity concept
6
- anywhere; the foundations already existed — trust-audit recorded every decision
7
- with an `actor`, candidate selection carried `selectedBy`, role policies existed,
8
- and commits were verifier-gated. This release adds the human-decision layer ON TOP
9
- of those mechanisms, without changing them and without taking ownership of source
5
+ gate. Before v0.1.32 there was no review/approval/comment/handoff/identity idea
6
+ anywhere; the base parts were already there — trust-audit kept a note of every
7
+ decision with an `actor`, candidate selection had `selectedBy`, role policies were
8
+ there, and commits were verifier-gated. This release adds the human-decision layer ON TOP
9
+ of those mechanisms. It does not change them and does not take ownership of source
10
10
  truth.
11
11
 
12
- The design follows the same base-system discipline as
12
+ The design keeps to the same base-system way as
13
13
  [Security / Trust Hardening](security-trust-hardening.7.md) and the
14
14
  [Verifier-Gated Commit](verifier-gated-commit.7.md):
15
15
 
16
16
  - the per-run `.cw/runs/<id>/state.json` is the SINGLE source of truth
17
- - collaboration records are an APPEND-ONLY log, never mutated in place
17
+ - collaboration records are an APPEND-ONLY log, never changed in place
18
18
  - identity is ATTESTED provenance, never authenticated; CW is not an auth server
19
- - the review gate is POLICY layered on the verifier MECHANISM — never a bypass
20
- - fail closed: missing authority, ambiguous role, or self-approval is a denial
19
+ - the review gate is POLICY put over the verifier MECHANISM — never a bypass
20
+ - fail closed: missing authority, unclear role, or self-approval is a denial
21
21
  - policy (required approvals, authorized roles, self-approval) is data, not kernel
22
- - backward compatible; every collaboration field is additive and optional
22
+ - backward compatible; every collaboration field is added on and optional
23
23
 
24
24
  ## Identity is attested, not authenticated
25
25
 
26
- An `Actor` is host-attested provenance, not an authenticated principal. CW records
27
- WHO acted; it does not verify a password, a token, or a signature — that is a host
28
- trust-boundary concern. `normalizeActor` maps an actor input to one of three
29
- provenances: `host-attested` (the host vouched, `--attested`), `operator-recorded`
30
- (supplied unverified), or `unattributed` (no identity supplied). An absent identity
31
- becomes the explicit `unattributed` actor — `{ kind: "unattributed", id:
32
- "unattributed", attested: false }` — never a fabricated one. Spoofing is recorded
33
- honestly as whatever provenance the host attested, not hidden. This extends the
26
+ An `Actor` is host-attested provenance, not an authenticated principal. CW keeps a
27
+ note of WHO acted; it does not check a password, a token, or a signature — that is a host
28
+ trust-boundary thing. `normalizeActor` maps an actor input to one of three
29
+ provenances: `host-attested` (the host said so, `--attested`), `operator-recorded`
30
+ (given but not checked), or `unattributed` (no identity given). A missing identity
31
+ becomes the plain `unattributed` actor — `{ kind: "unattributed", id:
32
+ "unattributed", attested: false }` — never a made-up one. Spoofing is kept on record
33
+ in a true way as whatever provenance the host attested, not hidden. This builds on the
34
34
  existing trust-audit `actor` string and the v0.1.29/v0.1.31 attestation pattern.
35
35
 
36
36
  ## Approvals and rejections are append-only and provenance-linked
37
37
 
38
38
  `approve` and `reject` append an `ApprovalRecord` to `run.collaboration.approvals`.
39
- Each record carries the actor, the decision, the durable target it attaches to, an
39
+ Each record holds the actor, the decision, the durable target it joins to, an
40
40
  optional rationale, the role the actor claims, and `auditEventIds` linking it to a
41
41
  `collaboration.approval`/`collaboration.rejection` event in the trust-audit log —
42
- exactly as `candidate.selection` records both a `CandidateSelection` and an audit
42
+ just as `candidate.selection` keeps a note of both a `CandidateSelection` and an audit
43
43
  event. The approved artifact (candidate/commit/selection) is NEVER edited in place:
44
- "who approved what" is a provenance link, not a field overwrite. A correction is a
45
- NEW record carrying `supersedes` (git-style); the superseded record stays in the
46
- log, no longer counts, and the original is unchanged.
44
+ "who approved what" is a provenance link, not a field overwrite. A fix is a
45
+ NEW record holding `supersedes` (git-style); the superseded record stays in the
46
+ log, no longer counts, and the original is left as it was.
47
47
 
48
48
  A target is one of `run | task | candidate | selection | commit | node`. "Who
49
49
  approved which candidate/commit" is answered by filtering the append-only records
@@ -54,76 +54,76 @@ by target.
54
54
  The verifier-gated commit is the MECHANISM (see
55
55
  [Verifier-Gated Commit](verifier-gated-commit.7.md)): `resolveCommitGate` accepts a
56
56
  commit only when a verified verifier node, a scored+verified candidate, and a
57
- complete acceptance rationale are present. A review gate is POLICY layered on top.
57
+ full acceptance rationale are present. A review gate is POLICY put on top.
58
58
  `reviewGateErrors` runs INSIDE `resolveCommitGate`, AFTER the verifier checks, and
59
- can only ADD errors — required approvals from authorized roles — never remove the
59
+ can only ADD errors — required approvals from authorized roles — never take away the
60
60
  verifier's. The same call guards candidate selection in `selectCandidate`.
61
61
 
62
62
  Data flow for a gated commit:
63
63
 
64
- 1. `resolveCommitGate` resolves the candidate/selection and runs every verifier
64
+ 1. `resolveCommitGate` works out the candidate/selection and runs every verifier
65
65
  check; if any fail the commit is blocked as before.
66
66
  2. If a `ReviewGatePolicy` applies to `commit` (or `selection`), `reviewGateErrors`
67
- derives the review state over the approvals targeting the commit AND its
67
+ works out the review state over the approvals pointing at the commit AND its
68
68
  underlying selection/candidate (you approve the candidate; the commit honors it).
69
69
  3. If the review state is not `approved`, a single `review-gate-missing-approvals`
70
- StateNodeError is appended, listing exactly which approvals are missing.
71
- `commitState` throws `CommitGateError`, recorded as append-only feedback.
70
+ StateNodeError is appended, listing just which approvals are missing.
71
+ `commitState` throws `CommitGateError`, kept on record as append-only feedback.
72
72
  4. Only when BOTH gates pass is the commit written — and it is stamped with a
73
- `CommitReviewProvenance` recording WHO approved the very artifact that shipped.
73
+ `CommitReviewProvenance` keeping a note of WHO approved the very artifact that shipped.
74
74
 
75
- Because the review errors are appended after the verifier errors and never replace
76
- them, an approval can never turn an unverified result into a committed one: an
75
+ Because the review errors are appended after the verifier errors and never take their
76
+ place, an approval can never turn an unverified result into a committed one: an
77
77
  approved-but-unverified candidate is still blocked by the verifier gate.
78
78
 
79
79
  ## Fail closed on authority and quorum
80
80
 
81
81
  `deriveReviewState` is a pure, deterministic projection of the append-only records
82
- plus a policy. It counts ONLY approvals that are, all at once: from an attested
82
+ plus a policy. It counts ONLY approvals that are, all at the same time: from an attested
83
83
  identity (when `requireAttestedActor`), from a role in `authorizedRoles` (or `*`),
84
84
  and not a self-approval (when `allowSelfApproval` is false; "self" is the
85
- candidate's producing worker and its selector). Distinct counted approvers must
86
- reach `requiredApprovals`. Anything short is not auto-passed; the status is:
85
+ candidate's producing worker and its selector). The number of separate counted approvers must
86
+ reach `requiredApprovals`. Anything less is not let through on its own; the status is:
87
87
 
88
88
  - `approved` — requirement met (or the target is not gated)
89
89
  - `pending` — gated, no blocking reject, fewer than required counted approvals
90
- - `blocked` — recorded approvals exist but none count (authority/self)
90
+ - `blocked` — recorded approvals are there but none count (authority/self)
91
91
  - `unattributed` — the only recorded approvals are from unattributed actors
92
92
  - `rejected` — an authorized, attested reject is a blocking veto
93
93
 
94
- Every disqualified approval is surfaced with its reason (`unattributed`,
94
+ Every approval that does not qualify is shown with its reason (`unattributed`,
95
95
  `unauthorized-role`, `self-approval`, `superseded`), so a reader can audit why an
96
- approval did not count. A target requiring N approvals with fewer recorded is
97
- BLOCKED, and the block records exactly what is missing.
96
+ approval did not count. A target needing N approvals with fewer recorded is
97
+ BLOCKED, and the block keeps a note of just what is missing.
98
98
 
99
99
  ## Comments and handoffs are state, not chat
100
100
 
101
101
  A `comment` appends a `CommentRecord` to a durable target with an actor, a thread
102
- id, and an audit link; threads are ordered by `createdAt` and never edited in
103
- place. A `handoff` appends a `HandoffRecord` — an explicit ownership transfer with
104
- a from-actor, a to-actor, and a reason — and the current owner of a run/task is
105
- DERIVED from the latest handoff, never an overwritten field. There is no side
106
- channel: the collaboration IS the durable, inspectable state, consistent with CW's
102
+ id, and an audit link; threads are put in order by `createdAt` and never edited in
103
+ place. A `handoff` appends a `HandoffRecord` — a clear ownership transfer with
104
+ a from-actor, a to-actor, and a reason — and the present owner of a run/task is
105
+ DERIVED from the newest handoff, never an overwritten field. There is no side
106
+ channel: the collaboration IS the durable, inspectable state, in keeping with CW's
107
107
  no-hidden-dashboard-database rule.
108
108
 
109
109
  ## Policy as data, kept out of the kernel
110
110
 
111
111
  `review policy <run-id>` writes a `ReviewGatePolicy` to `run.collaboration.policy`:
112
112
  `requiredApprovals` (0 = no gate), `authorizedRoles` (`*` = any), `allowSelfApproval`,
113
- `requireAttestedActor`, and `appliesTo` (target kinds). The default — absent policy
114
- or `requiredApprovals: 0` — requires no approvals, so pre-v0.1.32 runs and any run
115
- without a policy behave exactly as before. The policy is data; the kernel only
116
- enforces the mechanism.
113
+ `requireAttestedActor`, and `appliesTo` (target kinds). The default — no policy
114
+ or `requiredApprovals: 0` — needs no approvals, so pre-v0.1.32 runs and any run
115
+ without a policy act just as before. The policy is data; the kernel only
116
+ makes the mechanism hold.
117
117
 
118
118
  ## One source, every surface
119
119
 
120
120
  Each collaboration verb is declared once in `src/capability-registry.ts`, so
121
121
  `cw <cmd> --json` is schema-identical to `cw_<cmd>` and passes the parity gate. The
122
- read-only `review status` and `comment list` are byte-for-byte identical across CLI
123
- and MCP (the payload-identity probe strips only ISO timestamps; the only
122
+ read-only `review status` and `comment list` are byte-for-byte the same across CLI
123
+ and MCP (the payload-identity probe takes out only ISO timestamps; the only
124
124
  now-derived field in a review report is `generatedAt`). The v0.1.30 Workbench
125
- renders the review timeline and per-target approval state read-only as a sixth
126
- panel, embedding the `review status` payload verbatim. The v0.1.31 metrics report
125
+ shows the review timeline and per-target approval state read-only as a sixth
126
+ panel, putting in the `review status` payload word for word. The v0.1.31 metrics report
127
127
  adds derived approval-rate, time-to-approval, handoff-count, and reviewer-count,
128
128
  all from recorded timestamps — deterministic over a fixed snapshot.
129
129
 
@@ -141,7 +141,7 @@ cw review status <run-id> [--json]
141
141
 
142
142
  `<kind>` is one of `run | task | candidate | selection | commit | node`. Approve a
143
143
  candidate (or selection), then commit `--candidate`/`--selection`; the commit gate
144
- honors the candidate's approvals and records who approved the shipped commit.
144
+ honors the candidate's approvals and keeps a note of who approved the shipped commit.
145
145
 
146
146
  CW is the base system. Workflow apps are userland. Collaboration adds the human
147
147
  decision as durable, attested, append-only state — never a hidden dashboard, never
@@ -149,11 +149,11 @@ a bypass of the verifier gate.
149
149
 
150
150
  ## Release Tooling (v0.1.33)
151
151
 
152
- the per-tag mechanical surfaces (version bump across 17 surfaces, feature scaffold, and the forward-reference docs) become deterministic scripts, with a de-duplicated release gate. See release-tooling(7).
152
+ the per-tag mechanical surfaces (version bump across 17 surfaces, feature scaffold, and the forward-reference docs) become deterministic scripts, with a de-duplicated release gate. See release-tooling(7) for more.
153
153
 
154
154
  ## Real Execution Backend Integrations (v0.1.34)
155
155
 
156
- container/remote/ci backends really execute (docker/podman run, remote/CI POST-and-poll) under the sandbox contract, with byte-stable evidence vs node and fail-closed refusal when a runtime/endpoint is unavailable. See real-execution-backends(7).
156
+ container/remote/ci backends really execute (docker/podman run, remote/CI POST-and-poll) under the sandbox contract, with byte-stable evidence vs node and fail-closed refusal when a runtime/endpoint is not there to use. See real-execution-backends(7).
157
157
 
158
158
  ## Node Snapshot / Diff / Replay (v0.1.35)
159
159
 
@@ -193,11 +193,11 @@ Hard gate blocking empty-capture verifier-gated commits, plus quickstart and lau
193
193
 
194
194
  ## Release-Gate Determinism & Agents Vendor (v0.1.44)
195
195
 
196
- Release-readiness checks now validate the committed blob (`git show HEAD:<path>`) instead of the mutable working tree — eliminating false-red/false-green from concurrent working-tree writes (iCloud/Spotlight/editor). Adds the `agents` vendor manifest target: a generated `.agents/plugins/cool-workflow/` adapter giving any non-Claude AI agent one common interface to CW.
196
+ Release-readiness checks now validate the committed blob (`git show HEAD:<path>`) in place of the mutable working tree — doing away with false-red/false-green from concurrent working-tree writes (iCloud/Spotlight/editor). Adds the `agents` vendor manifest target: a generated `.agents/plugins/cool-workflow/` adapter giving any non-Claude AI agent one common interface to CW.
197
197
 
198
198
  ## P1-P2 Fixes & CI Content Surfaces (v0.1.49)
199
199
 
200
- Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.46), vendor-adapter registry (v0.1.47), state auto-compaction and P2 fixes (v0.1.48), plus CI content-surface determinism hardening (v0.1.49).
200
+ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.46), vendor-adapter registry (v0.1.47), state auto-compaction and P2 fixes (v0.1.48), and CI content-surface determinism hardening (v0.1.49).
201
201
  0.1.51
202
202
 
203
203
  0.1.76
@@ -210,7 +210,11 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
210
210
 
211
211
  ## Fast Architecture Review (v0.1.80)
212
212
 
213
- Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, reusable Map and Assess results, measurable wrapper metrics, actionable background full-review handoff, and userland model policy flags for routing fast/strong workers without changing the full review contract.
213
+ Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, reusable Map and Assess results, measurable wrapper metrics, useful background full-review handoff, and userland model policy flags for routing fast/strong workers without changing the full review contract.
214
214
 
215
215
  _No changes to the team-collaboration surface in v0.1.81._
216
216
  _No changes in v0.1.82._
217
+
218
+ ## Hardening and Onboarding (v0.1.83)
219
+
220
+ Loaders fail closed on corrupt state; store writes are made safe under more than one writer; a new cw doctor checks your setup; help lists every command; and the docs are put into Basic English.
@@ -1,57 +1,57 @@
1
1
  # Trust Model & Limitations
2
2
 
3
- > **Read this before you trust a cool-workflow record.** This document states
3
+ > **Read this before you trust a cool-workflow record.** This page says
4
4
  > exactly what CW's cryptographic guarantees prove, and — just as important —
5
- > what they do **not** prove. We would rather lose a skeptical reader here than
6
- > have them over-trust a green checkmark in production. If anything below reads
7
- > as an overclaim, it is a bug; please file it.
5
+ > what they do **not** prove. We would be happier to lose a doubting reader here than
6
+ > to have them put too much trust in a green check mark in production. If anything below
7
+ > says more than is true, it is a bug; please send it in.
8
8
 
9
- CW is an **auditable control-plane**. It plans, dispatches, records, and verifies
10
- agent work — it does **not** run the model itself. That single architectural
11
- choice is what the guarantees below rest on, and it is also the source of their
12
- honest ceiling.
9
+ CW is an **auditable control-plane**. It plans, sends out, records, and checks
10
+ agent work — it does **not** run the model itself. That one design
11
+ choice is what the guarantees below are built on, and it is also the cause of their
12
+ honest limit.
13
13
 
14
14
  ---
15
15
 
16
16
  ## TL;DR
17
17
 
18
18
  - CW's ed25519 signature + hash-chained ledger prove **integrity and
19
- attribution**: a recorded usage figure was signed by the keyholder and has not
20
- been edited since it was recorded. Both re-verify **offline** — the recorded
19
+ attribution**: a recorded usage number was signed by the keyholder and has not
20
+ been changed since it was recorded. Both check again **offline** — the recorded
21
21
  ledger's integrity with **no key at all** (`cw telemetry verify`), and each
22
- `attested` signature with the **public key alone** (`cw telemetry verify
23
- --pubkey <public.pem>`; also reproduced by `cw demo tamper`).
24
- - They do **not** prove the original number was **true**. A dishonest signer can
25
- sign a lie; the lie is then cryptographically bound to its signer, but it is
26
- still a lie.
27
- - **CW holds no private key.** It can verify, but it can neither forge a
28
- signature nor measure usage itself (by design — see the red line below).
22
+ `attested` signature with the **public key by itself** (`cw telemetry verify
23
+ --pubkey <public.pem>`; also done again by `cw demo tamper`).
24
+ - They do **not** prove the first number was **true**. A signer who is not honest can
25
+ sign a false number; the false number is then bound by cryptography to its signer, but it is
26
+ still false.
27
+ - **CW holds no private key.** It can verify, but it can not make a fake
28
+ signature and it can not measure usage itself (by design — see the red line below).
29
29
  - The honest gap is **single-keyholder / no second party**: when the same
30
30
  operator runs CW *and* holds the only signing key, integrity is real but there
31
- is no independent party attesting that the source was honest. **This is exactly
32
- why we are seeking early integration partners** who supply an independent
31
+ is no separate party giving word that the source was honest. **This is exactly
32
+ why we are looking for early integration partners** who give a separate
33
33
  second party / co-signer. See [Closing the gap](#closing-the-gap-the-second-party).
34
34
 
35
35
  ---
36
36
 
37
37
  ## What the cryptography is, precisely
38
38
 
39
- There are two distinct mechanisms. Conflating them is the most common way to
40
- over- or under-state the guarantee, so they are kept separate here.
39
+ There are two separate parts. Mixing them up is the most common way to
40
+ say too much or too little about the guarantee, so they are kept apart here.
41
41
 
42
42
  ### 1. The telemetry signature (ed25519) — attribution of a reported number
43
43
 
44
- The agent (the **executor**) self-reports its token usage. A control-plane that
45
- records that number verbatim is recording a **claim**. To turn the claim into an
44
+ The agent (the **executor**) reports its own token usage. A control-plane that
45
+ records that number word for word is recording a **claim**. To make the claim into an
46
46
  **attestation**, the executor signs a canonical payload with its **private key**:
47
47
 
48
48
  ```
49
49
  sign({ usage, runId, taskId, promptDigest }) // ed25519, executor-side
50
50
  ```
51
51
 
52
- The `runId` / `taskId` / `promptDigest` binding is load-bearing: it ties the
53
- signature to **this** hop, so a valid signature from one task cannot be replayed
54
- onto another. `promptDigest` is the sha256 of the exact worker prompt CW handed
52
+ The `runId` / `taskId` / `promptDigest` binding does important work: it ties the
53
+ signature to **this** hop, so a good signature from one task can not be used again
54
+ on another. `promptDigest` is the sha256 of the exact worker prompt CW gave
55
55
  the agent.
56
56
 
57
57
  CW then **verifies** that signature against an **operator-provisioned public
@@ -61,42 +61,42 @@ key**. CW holds *only* the public half. From `telemetry-attestation.ts`:
61
61
  > ONLY the public key — it can verify, but can neither forge a signature nor (the
62
62
  > red line) call a model to measure usage itself.
63
63
 
64
- The result is one of three honest states, surfaced loudly and never silently
65
- upgraded to "trusted":
64
+ The result is one of three honest states, shown clearly and never quietly
65
+ moved up to "trusted":
66
66
 
67
67
  | State | Meaning |
68
68
  |---|---|
69
- | `attested` | A valid ed25519 signature over the reported usage, bound to this run/task/prompt, verified against the configured public key. |
70
- | `unattested` | Usage was reported but the signature is missing, malformed, made with the wrong key, or does not match the payload (tampered or replayed). Also: no trust key configured. |
69
+ | `attested` | A good ed25519 signature over the reported usage, bound to this run/task/prompt, checked against the set public key. |
70
+ | `unattested` | Usage was reported but the signature is missing, badly formed, made with the wrong key, or does not match the payload (changed or used again). Also: no trust key set. |
71
71
  | `absent` | The agent reported no usage at all. |
72
72
 
73
73
  Defaults are honest: no signature ⇒ `unattested`; no usage ⇒ `absent`. **Usage
74
- is never silently recorded as trusted.** The opt-in `require-attested-telemetry`
74
+ is never quietly recorded as trusted.** The opt-in `require-attested-telemetry`
75
75
  policy fails the run closed on anything other than `attested`.
76
76
 
77
77
  ### 2. The hash-chained ledgers — tamper-evidence of the recorded log
78
78
 
79
- A signature proves the agent *said* a number in flight. It does not, by itself,
80
- prove that **CW recorded exactly that** and that **nobody edited the record
81
- afterward**. That is the job of the append-only, hash-chained ledgers:
79
+ A signature proves the agent *said* a number while running. By itself it does not
80
+ prove that **CW recorded exactly that** and that **nobody changed the record
81
+ after**. That is the job of the append-only, hash-chained ledgers:
82
82
 
83
83
  - **Telemetry ledger** (`telemetry.json`, one entry per agent hop): each entry
84
- chains to the previous via `prevHash`, and `recordHash = sha256(canonical
85
- entry)`. Flip a recorded verdict (`unattested` → `attested`) or edit a recorded
86
- usage digest, and the chain no longer recomputes.
87
- - **Trust-audit event log** (`events.jsonl`): the same discipline applied to
84
+ chains to the one before through `prevHash`, and `recordHash = sha256(canonical
85
+ entry)`. Flip a recorded verdict (`unattested` → `attested`) or change a recorded
86
+ usage digest, and the chain no longer comes out the same.
87
+ - **Trust-audit event log** (`events.jsonl`): the same care put on
88
88
  every recorded decision — sandbox path allow/deny, policy snapshots,
89
89
  verifier-gated commits, collaboration approvals.
90
90
 
91
- Verification **recomputes every hash independently and never trusts the stored
92
- value**, so an edited, reordered, removed, or truncated entry flips
93
- `verified = false`. A ledger that exists but cannot be parsed **fails closed** —
94
- it is treated as corrupt, never silently as the clean empty chain.
91
+ Verification **works out every hash on its own and never trusts the stored
92
+ value**, so a changed, reordered, removed, or cut-short entry flips
93
+ `verified = false`. A ledger that is there but can not be parsed **fails closed** —
94
+ it is taken as broken, never quietly as the clean empty chain.
95
95
 
96
96
  This is all **offline**. The chain re-proof needs **no key at all**; add
97
97
  `--pubkey <public.pem>` to re-run the signature **attribution** check against the
98
98
  stored raw usage for every `attested` record. There is no telemetry service to
99
- trust or breach — the record proves its own integrity, and a third-party auditor
99
+ trust or break into — the record proves its own integrity, and a third-party auditor
100
100
  can re-run both checks on their own machine.
101
101
 
102
102
  ---
@@ -104,79 +104,79 @@ can re-run both checks on their own machine.
104
104
  ## What this DOES prove
105
105
 
106
106
  For telemetry, if `cw telemetry verify <run> --pubkey <public.pem>` reports green,
107
- you can rely on **all** of the following, and only these:
107
+ you can put trust in **all** of the following, and only these:
108
108
 
109
- 1. **Attribution.** Each `attested` usage figure was signed by the holder of the
110
- configured private key, over a payload bound to that specific run, task, and
111
- prompt. It is **non-repudiable**: the signer cannot later disown it, and it
112
- could not have been replayed from a different hop.
109
+ 1. **Attribution.** Each `attested` usage number was signed by the holder of the
110
+ set private key, over a payload bound to that one run, task, and
111
+ prompt. It is **non-repudiable**: the signer can not later say it is not theirs, and it
112
+ could not have been used again from a different hop.
113
113
  2. **Tamper-evidence of the record.** The recorded ledger — verdicts, usage
114
- digests, audit decisions — has not been edited, reordered, truncated, or had
115
- entries removed since it was written, *to the extent a self-recomputable chain
116
- can detect* (see the threat-model caveat below). Casual or partial tampering,
117
- accidental corruption, truncation, and forged unchained lines are all caught.
114
+ digests, audit decisions — has not been changed, reordered, cut short, or had
115
+ entries taken out since it was written, *as far as a self-recomputable chain
116
+ can see* (see the threat-model note below). Light or part tampering,
117
+ damage by chance, cutting short, and faked unchained lines are all caught.
118
118
  3. **Offline, independent re-verification.** Re-proving the recorded ledger needs
119
- no network, no CW service, and no trust in our infrastructure — `cw telemetry
120
- verify` recomputes the chain on your machine (and needs no key to do it). With
121
- `--pubkey`, the ed25519 **attribution** is independently re-checked with the
122
- **public key alone**; `cw demo tamper` reproduces that sign-and-catch
123
- end-to-end, offline. The integrity claim does not depend on trusting us.
124
- 4. **CW never forged or measured anything.** CW holds no private key and never
125
- calls a model. It cannot mint a signature, and it cannot fabricate a usage
126
- number to sign. What it records, it received and verified.
119
+ no network, no CW service, and no trust in our setup — `cw telemetry
120
+ verify` works out the chain again on your machine (and needs no key to do it). With
121
+ `--pubkey`, the ed25519 **attribution** is checked again on its own with the
122
+ **public key by itself**; `cw demo tamper` does that sign-and-catch again
123
+ end-to-end, offline. The integrity claim does not rest on trusting us.
124
+ 4. **CW never faked or measured anything.** CW holds no private key and never
125
+ calls a model. It can not make a signature, and it can not make up a usage
126
+ number to sign. What it records, it took in and checked.
127
127
 
128
128
  ---
129
129
 
130
130
  ## What this DOES NOT prove
131
131
 
132
- Equally load-bearing. None of the following are within the guarantee, and we will
133
- not imply otherwise:
132
+ Just as important. None of the following are inside the guarantee, and we will
133
+ not give any other idea:
134
134
 
135
135
  1. **It does not prove the reported number is true.** A signature proves *who*
136
- said it and that it *wasn't altered* — **not** that it was correct at the
137
- source. Quoting the code's own honest ceiling:
136
+ said it and that it *was not changed* — **not** that it was right at the
137
+ source. To quote the code's own honest limit:
138
138
 
139
139
  > A dishonest keyholder can still sign a lie, but the lie is now
140
140
  > cryptographically bound to its signer.
141
141
 
142
- CW deliberately does **not** independently measure usage (doing so would mean
143
- calling the model — the red line it refuses to cross). So the strongest honest
142
+ CW on purpose does **not** measure usage on its own (to do so would mean
143
+ calling the model — the red line it will not cross). So the strongest honest
144
144
  claim is **attribution, not ground-truth measurement**.
145
145
 
146
- 2. **It does not defend against a single party who holds both roles.** If the
146
+ 2. **It does not guard against a single party who holds both roles.** If the
147
147
  same operator runs CW, holds the signing private key, *and* controls the
148
- machine the ledger lives on, then a green verdict attests that **that party**
149
- signed and that **that party's** record is internally consistent. It does not
150
- bring in any *independent* party. Self-consistency is not third-party
148
+ machine the ledger lives on, then a green verdict gives word that **that party**
149
+ signed and that **that party's** record agrees with itself. It does not
150
+ bring in any *separate* party. Agreeing with itself is not third-party
151
151
  verification.
152
152
 
153
- 3. **A determined local writer can re-chain the whole log.** The hash-chain's
153
+ 3. **A set local writer can re-chain the whole log.** The hash-chain's
154
154
  genesis is `sha256(runId)` — a value the local writer knows. So the chain
155
- detects edits to *part* of a log, but a writer who edits an entry and then
156
- **re-computes every subsequent hash** with CW's own sha256 produces a log that
157
- re-verifies green. From `trust-audit.ts`:
155
+ sees changes to *part* of a log, but a writer who changes an entry and then
156
+ **works out every later hash** with CW's own sha256 makes a log that
157
+ verifies green again. From `trust-audit.ts`:
158
158
 
159
159
  > THREAT MODEL (be honest about the limit): the genesis is sha256(runId), so
160
160
  > this detects casual/partial tampering, accidental corruption, truncation,
161
161
  > removal, and forged-unchained lines — but NOT a determined local writer who
162
162
  > re-chains the WHOLE log with this module's own sha256 after an edit.
163
163
 
164
- This is **inherent** to any local, self-recomputable chain. Closing it needs an
165
- anchor the writer cannot reproduce. CW **cannot mint that anchor itself** —
164
+ This is **built in** to any local, self-recomputable chain. To close it needs an
165
+ anchor the writer can not make again. CW **can not make that anchor itself** —
166
166
  because by design it holds no private key. The one cryptographic anchor that
167
- exists is the **agent's** telemetry signature, which covers agent-reported
167
+ is there is the **agent's** telemetry signature, which covers agent-reported
168
168
  *usage* — it does **not** cover CW-only decisions (sandbox / policy /
169
- commit-gate), which have no external signer.
169
+ commit-gate), which have no outside signer.
170
170
 
171
- For those CW-only decisions, the only stronger guarantee available today is
172
- **operational**, not cryptographic: commit `events.jsonl` to an external
171
+ For those CW-only decisions, the only stronger guarantee we have today is
172
+ **operational**, not cryptographic: commit `events.jsonl` to an outside
173
173
  append-only medium (git history, a remote append-only log) that the local
174
- writer cannot rewrite. The chain is a **strict upgrade** over a bare
175
- append-only log — not a substitute for an external anchor.
174
+ writer can not rewrite. The chain is a **clear step up** over a bare
175
+ append-only log — not a thing to use in place of an outside anchor.
176
176
 
177
177
  4. **It says nothing about the quality, safety, or correctness of the work.**
178
- Attestation is about *provenance and integrity of records*, not about whether
179
- the agent's output is good, secure, or even functional. Other CW mechanisms
178
+ Attestation is about *where records come from and the integrity of records*, not about whether
179
+ the agent's output is good, safe, or even working. Other CW parts
180
180
  (verifier gate, schema validation, evidence grounding) speak to that; the
181
181
  cryptography here does not.
182
182
 
@@ -184,84 +184,84 @@ not imply otherwise:
184
184
 
185
185
  ## The single-keyholder limitation (stated plainly)
186
186
 
187
- > **The core honest gap:** when the same operator runs CW and holds the only
188
- > verification/signing key, tamper-evidence proves that **records were not edited
189
- > after the fact** — it does **not** prove that the **original signer was
190
- > honest**. Integrity, yes. A trustworthy source, not necessarily.
187
+ > **The main honest gap:** when the same operator runs CW and holds the only
188
+ > verification/signing key, tamper-evidence proves that **records were not changed
189
+ > after the fact** — it does **not** prove that the **first signer was
190
+ > honest**. Integrity, yes. A source you can trust, not for certain.
191
191
 
192
- Concretely, in a single-party setup:
192
+ To put it plainly, in a single-party setup:
193
193
 
194
- - The operator provisions the keypair.
194
+ - The operator makes the keypair.
195
195
  - The operator's agent process signs usage with the private key.
196
196
  - CW (run by the same operator) verifies with the public key and writes the
197
197
  ledger to the operator's disk.
198
198
 
199
- Every cryptographic check can pass while a motivated single party fabricates the
200
- source number, or — given the genesis caveat above — rewrites the whole local
201
- chain. **Cryptography cannot manufacture a second party that does not exist.**
202
- Separation of duties is the property auditors require everywhere; with one
203
- operator wearing both hats, it is structurally absent no matter how good the
199
+ Every cryptographic check can pass while a single party who wants to lie makes up the
200
+ source number, or — given the genesis note above — rewrites the whole local
201
+ chain. **Cryptography can not make a second party that is not there.**
202
+ Separation of duties is the property auditors need everywhere; with one
203
+ operator wearing both hats, it is missing by design no matter how good the
204
204
  math is.
205
205
 
206
- We are not going to argue this point away. It is real, it is the most important
207
- limitation in this document, and it is the right critique to raise.
206
+ We are not going to talk this point away. It is real, it is the most important
207
+ limit in this page, and it is the right point to bring up.
208
208
 
209
209
  ---
210
210
 
211
211
  ## Closing the gap: the second party
212
212
 
213
- The fix is **not** more cryptography on one machine — it is an **independent
214
- second party**, which is precisely the thing a single operator cannot self-supply.
215
- This is why CW's near-term priority is **early integration partners**, and what we
216
- mean by that concretely:
213
+ The fix is **not** more cryptography on one machine — it is a **separate
214
+ second party**, which is just the thing a single operator can not give itself.
215
+ This is why CW's near-term aim is **early integration partners**, and what we
216
+ mean by that plainly:
217
217
 
218
- - **An independent co-signer / second keyholder.** A second party (a different
218
+ - **A separate co-signer / second keyholder.** A second party (a different
219
219
  team, a CI identity outside the operator's control, or a partner's signing
220
220
  service) holds a key the operator does not. When that party counter-signs runs —
221
221
  or *is* the executor that signs usage — a green verdict starts to mean
222
222
  "two parties who do not fully trust each other agree," which is the property
223
- single-party attestation structurally cannot provide.
224
- - **An external append-only anchor.** Pushing `events.jsonl` to a medium the local
225
- operator cannot rewrite (a partner-held log, a public transparency log, signed
226
- git history on a remote the operator doesn't control) closes the re-chain gap
227
- for CW-only decisions described above.
223
+ single-party attestation by its nature can not give.
224
+ - **An outside append-only anchor.** Pushing `events.jsonl` to a medium the local
225
+ operator can not rewrite (a partner-held log, a public transparency log, signed
226
+ git history on a remote the operator does not control) closes the re-chain gap
227
+ for CW-only decisions named above.
228
228
  - **Separated execution and verification.** The party that *spends the money*
229
- (runs the model) and the party that *keeps the books* (CW) being genuinely
230
- different entities turns CW's separation-of-duties design from an architectural
231
- intent into an enforced fact.
229
+ (runs the model) and the party that *keeps the books* (CW) being truly
230
+ different bodies turns CW's separation-of-duties design from a plan
231
+ into an enforced fact.
232
232
 
233
- If you are a potential partner who can supply an independent second party — a
234
- co-signer, an external anchor, or separated execution — **that is the
235
- collaboration we are actively looking for.** We would rather ship this honestly
236
- and earn the second party than paper over the gap with a stronger-sounding claim
237
- than the math supports.
233
+ If you are a possible partner who can give a separate second party — a
234
+ co-signer, an outside anchor, or separated execution — **that is the
235
+ work together we are now looking for.** We would rather ship this honestly
236
+ and earn the second party than cover over the gap with a claim that sounds stronger
237
+ than the math will back up.
238
238
 
239
239
  ---
240
240
 
241
241
  ## How to verify for yourself
242
242
 
243
- - `cw telemetry verify <run>` — re-proves the telemetry ledger's **integrity**:
244
- chain linkage + an independent per-record hash recompute, so any edit to a
243
+ - `cw telemetry verify <run>` — proves the telemetry ledger's **integrity** again:
244
+ chain linkage + a per-record hash worked out on its own, so any change to a
245
245
  recorded verdict or usage digest since record time flips it red. It needs **no
246
- key** (it re-proves the *recording*). Add `--pubkey <pem-or-path>` to re-run the
246
+ key** (it proves the *recording* again). Add `--pubkey <pem-or-path>` to re-run the
247
247
  ed25519 **signature** check for every `attested` record against the stored raw
248
- usage; unreadable keys, missing raw usage, digest mismatches, wrong keys, and
248
+ usage; keys that can not be read, missing raw usage, digest mismatches, wrong keys, and
249
249
  signature mismatches fail closed. Mirrored as `cw_telemetry_verify` on the MCP
250
250
  surface.
251
- - `cw demo tamper` — a hermetic, offline, one-command proof: it builds a real
252
- ed25519-signed ledger and then forges it two ways — flips a recorded verdict and
253
- re-computes the *local* record hash (the chain still breaks), and reuses a
254
- signature over inflated tokens (ed25519 rejects it). Everything is verified with
251
+ - `cw demo tamper` — a sealed, offline, one-command proof: it builds a real
252
+ ed25519-signed ledger and then fakes it two ways — flips a recorded verdict and
253
+ works out the *local* record hash again (the chain still breaks), and uses a
254
+ signature again over blown-up tokens (ed25519 turns it down). Everything is checked with
255
255
  the public key only. The `✗ DETECTED` lines are the point.
256
256
  - Re-run either with **only the public key** on a machine we do not control. If it
257
- doesn't reproduce, our integrity claim is false — hold us to it.
257
+ does not come out the same, our integrity claim is false — hold us to it.
258
258
 
259
259
  ---
260
260
 
261
261
  ## One-line summary
262
262
 
263
- CW's cryptography proves **records weren't edited and were signed by the
263
+ CW's cryptography proves **records were not changed and were signed by the
264
264
  keyholder** — strong, offline, public-key-verifiable **integrity and
265
265
  attribution**. It does **not** prove the **source was honest**, and a single
266
- operator holding both roles is the honest limit we are explicitly recruiting
266
+ operator holding both roles is the honest limit we are openly looking for
267
267
  integration partners to close.