cool-workflow 0.1.82 → 0.1.83
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.claude-plugin/plugin.json +2 -2
- package/.codex-plugin/plugin.json +4 -4
- package/README.md +124 -120
- package/apps/architecture-review/app.json +1 -1
- package/apps/architecture-review-fast/app.json +1 -1
- package/apps/end-to-end-golden-path/app.json +1 -1
- package/apps/pr-review-fix-ci/app.json +1 -1
- package/apps/release-cut/app.json +1 -1
- package/apps/research-synthesis/app.json +1 -1
- package/dist/capability-core.js +16 -8
- package/dist/capability-registry.js +8 -0
- package/dist/cli.js +12 -1
- package/dist/commit.js +5 -1
- package/dist/doctor.js +153 -0
- package/dist/mcp-server.js +11 -0
- package/dist/orchestrator.js +13 -0
- package/dist/reclamation/hash.js +72 -0
- package/dist/reclamation.js +25 -78
- package/dist/run-registry/queue.js +6 -7
- package/dist/run-registry.js +35 -24
- package/dist/scheduler.js +78 -53
- package/dist/version.js +1 -1
- package/dist/worker-isolation.js +22 -2
- package/docs/agent-delegation-drive.7.md +90 -86
- package/docs/agent-framework.md +33 -32
- package/docs/candidate-scoring.7.md +26 -24
- package/docs/canonical-workflow-apps.7.md +40 -40
- package/docs/capability-topology-registry.7.md +24 -24
- package/docs/cli-mcp-parity.7.md +226 -154
- package/docs/contract-migration-tooling.7.md +48 -41
- package/docs/control-plane-scheduling.7.md +45 -41
- package/docs/coordinator-blackboard.7.md +30 -30
- package/docs/dogfood-one-real-repo.7.md +44 -44
- package/docs/durable-state-and-locking.7.md +34 -30
- package/docs/end-to-end-golden-path.7.md +29 -29
- package/docs/error-feedback.7.md +27 -27
- package/docs/evidence-adoption-reasoning-chain.7.md +62 -58
- package/docs/execution-backends.7.md +84 -80
- package/docs/getting-started.md +35 -18
- package/docs/index.md +3 -3
- package/docs/mcp-app-surface.7.md +64 -64
- package/docs/multi-agent-cli-mcp-surface.7.md +82 -77
- package/docs/multi-agent-eval-replay-harness.7.md +59 -55
- package/docs/multi-agent-operator-ux.7.md +69 -65
- package/docs/multi-agent-runtime-core.7.md +39 -39
- package/docs/multi-agent-topologies.7.md +24 -24
- package/docs/multi-agent-trust-policy-audit.7.md +38 -38
- package/docs/node-snapshot-diff-replay.7.md +26 -22
- package/docs/observability-cost-accounting.7.md +49 -45
- package/docs/operator-ux.7.md +30 -30
- package/docs/pipeline-runner.7.md +31 -31
- package/docs/project-index.md +10 -5
- package/docs/real-execution-backends.7.md +47 -43
- package/docs/release-and-migration.7.md +42 -38
- package/docs/release-tooling.7.md +53 -49
- package/docs/routines.md +16 -16
- package/docs/run-registry-control-plane.7.md +120 -116
- package/docs/run-retention-reclamation.7.md +45 -41
- package/docs/sandbox-profiles.7.md +32 -32
- package/docs/scheduled-tasks.md +14 -14
- package/docs/security-trust-hardening.7.md +29 -29
- package/docs/source-context-profiles.7.md +28 -28
- package/docs/state-explosion-management.7.md +63 -59
- package/docs/state-node.7.md +8 -8
- package/docs/team-collaboration.7.md +62 -58
- package/docs/trust-model.md +126 -126
- package/docs/unix-principles.md +80 -80
- package/docs/vendor-manifest-loadability.7.md +20 -20
- package/docs/verifier-gated-commit.7.md +16 -16
- package/docs/web-desktop-workbench.7.md +69 -65
- package/docs/worker-isolation.7.md +34 -37
- package/docs/workflow-app-framework.7.md +38 -38
- package/manifest/plugin.manifest.json +4 -4
- package/package.json +3 -2
- package/scripts/canonical-apps.js +4 -4
- package/scripts/dogfood-release.js +1 -1
- package/scripts/gen-parity-doc.js +106 -0
- package/scripts/golden-path.js +4 -4
- package/dist/verifier-registry.js +0 -46
package/docs/unix-principles.md
CHANGED
|
@@ -1,16 +1,16 @@
|
|
|
1
1
|
# Unix-Inspired Workflow Principles
|
|
2
2
|
|
|
3
|
-
CW
|
|
3
|
+
CW takes a small group of long-lasting systems ideas and puts them to work in agent
|
|
4
4
|
workflow engineering. These are design principles, not platform claims — but
|
|
5
|
-
they are not
|
|
6
|
-
|
|
7
|
-
against (
|
|
5
|
+
they are not a free choice: this project keeps closely to the FreeBSD programming
|
|
6
|
+
way of thought, and §7 below gives the binding rules every change is checked
|
|
7
|
+
against (copied as hard limits in the repository's `AGENTS.md`).
|
|
8
8
|
|
|
9
9
|
## 1. Everything Is State
|
|
10
10
|
|
|
11
|
-
Every
|
|
11
|
+
Every workflow event with meaning should be kept as state you can look into.
|
|
12
12
|
|
|
13
|
-
CW
|
|
13
|
+
CW keeps now:
|
|
14
14
|
|
|
15
15
|
- workflow runs in `.cw/runs/<run-id>/state.json`
|
|
16
16
|
- task prompts in `.cw/runs/<run-id>/tasks/`
|
|
@@ -25,22 +25,22 @@ CW already stores:
|
|
|
25
25
|
- workflow app identity and version in `.cw/runs/<run-id>/state.json`
|
|
26
26
|
- canonical app matrix run state in temporary `.cw/runs/<run-id>/` workspaces
|
|
27
27
|
- golden path proof artifacts in temporary `.cw/runs/<run-id>/` workspaces
|
|
28
|
-
- operator summaries
|
|
28
|
+
- operator summaries made from state without changing run files
|
|
29
29
|
- MCP app-surface smoke runs driven through stdio JSON-RPC
|
|
30
30
|
|
|
31
|
-
The
|
|
31
|
+
The working rule is:
|
|
32
32
|
|
|
33
33
|
```text
|
|
34
34
|
prompt, task, dispatch, result, error, verifier decision, schedule, trigger
|
|
35
35
|
= state that can be inspected, replayed, snapshotted, or compared
|
|
36
36
|
```
|
|
37
37
|
|
|
38
|
-
This keeps the runtime
|
|
38
|
+
This keeps the runtime fixed and certain, and keeps agent work open to check.
|
|
39
39
|
|
|
40
40
|
## 2. Small Kernel, Composable Userland
|
|
41
41
|
|
|
42
|
-
CW should keep the kernel small. The kernel
|
|
43
|
-
contracts; workflow apps
|
|
42
|
+
CW should keep the kernel small. The kernel is the owner of state changes and
|
|
43
|
+
fixed contracts; workflow apps are the owners of their field behavior.
|
|
44
44
|
|
|
45
45
|
Core system calls:
|
|
46
46
|
|
|
@@ -56,8 +56,8 @@ schedule()
|
|
|
56
56
|
trigger()
|
|
57
57
|
```
|
|
58
58
|
|
|
59
|
-
The kernel should
|
|
60
|
-
|
|
59
|
+
The kernel should keep away from hard-coded business logic. New behavior should
|
|
60
|
+
for the most part come in as:
|
|
61
61
|
|
|
62
62
|
- a workflow app
|
|
63
63
|
- a workflow app manifest under `apps/<app-id>/app.json`
|
|
@@ -66,20 +66,20 @@ enter as:
|
|
|
66
66
|
- a routine trigger
|
|
67
67
|
- an external worker
|
|
68
68
|
|
|
69
|
-
Workflow App framework v0.1.9 makes this split
|
|
70
|
-
system. Apps are userland: versioned,
|
|
71
|
-
can be listed, shown, validated, initialized, packaged, planned, and reported
|
|
72
|
-
without
|
|
69
|
+
Workflow App framework v0.1.9 makes this split solid and clear. The runner is the
|
|
70
|
+
base system. Apps are userland: versioned, checked definitions you can look into,
|
|
71
|
+
that can be listed, shown, validated, initialized, packaged, planned, and reported
|
|
72
|
+
without leaning on hidden runner internals.
|
|
73
73
|
|
|
74
|
-
The v0.1.12 Operator UX layer is userland over state. It
|
|
75
|
-
`graph`, `report --show`, and resource summaries without
|
|
76
|
-
|
|
74
|
+
The v0.1.12 Operator UX layer is userland over state. It puts out `status`,
|
|
75
|
+
`graph`, `report --show`, and resource summaries without being the owner of core
|
|
76
|
+
changes.
|
|
77
77
|
|
|
78
|
-
The v0.1.13 MCP app surface is the same
|
|
79
|
-
small JSON tool bridge over the base runtime, old names
|
|
80
|
-
|
|
78
|
+
The v0.1.13 MCP app surface is the same way of work put to agent hosts: a
|
|
79
|
+
small JSON tool bridge over the base runtime, old names kept, read-only
|
|
80
|
+
looking-in kept apart from change, and every change put away into the run.
|
|
81
81
|
|
|
82
|
-
The v0.1.13 canonical apps are
|
|
82
|
+
The v0.1.13 canonical apps are kept-up userland:
|
|
83
83
|
|
|
84
84
|
```text
|
|
85
85
|
architecture-review
|
|
@@ -88,18 +88,18 @@ release-cut
|
|
|
88
88
|
research-synthesis
|
|
89
89
|
```
|
|
90
90
|
|
|
91
|
-
They keep
|
|
92
|
-
directories
|
|
91
|
+
They keep field prompts, inputs, evidence gates, and sandbox hints in app
|
|
92
|
+
directories in place of runner internals.
|
|
93
93
|
|
|
94
|
-
The v0.1.10 `end-to-end-golden-path` app is
|
|
95
|
-
has one readonly worker task and
|
|
96
|
-
|
|
94
|
+
The v0.1.10 `end-to-end-golden-path` app is by design dull userland. It
|
|
95
|
+
has one readonly worker task and is here to give proof that the base system pipes are
|
|
96
|
+
joined up.
|
|
97
97
|
|
|
98
98
|
## 3. Pipelines Over Monoliths
|
|
99
99
|
|
|
100
|
-
CW
|
|
100
|
+
CW is for clear data flow in place of hidden control from above.
|
|
101
101
|
|
|
102
|
-
The
|
|
102
|
+
The normal pipeline is:
|
|
103
103
|
|
|
104
104
|
```text
|
|
105
105
|
workflow definition
|
|
@@ -114,12 +114,12 @@ workflow definition
|
|
|
114
114
|
-> report
|
|
115
115
|
```
|
|
116
116
|
|
|
117
|
-
Each stage should have
|
|
118
|
-
should become input for the next
|
|
117
|
+
Each stage should have an artifact you can read. If a stage has a fault, its error
|
|
118
|
+
output should become input for the next fix step in place of going away into a
|
|
119
119
|
black box.
|
|
120
120
|
|
|
121
|
-
Operator views
|
|
122
|
-
while `--json` and `--format json`
|
|
121
|
+
Operator views keep to the same rule: console summaries point to plain files,
|
|
122
|
+
while `--json` and `--format json` keep output a script can use.
|
|
123
123
|
|
|
124
124
|
The release golden path is the regression form of this rule:
|
|
125
125
|
|
|
@@ -127,9 +127,9 @@ The release golden path is the regression form of this rule:
|
|
|
127
127
|
npm run golden-path
|
|
128
128
|
```
|
|
129
129
|
|
|
130
|
-
It
|
|
130
|
+
It puts the public CLI to work and then looks into state files for app metadata,
|
|
131
131
|
dispatch, worker manifest, result node, verifier node, candidate score, ranking,
|
|
132
|
-
selection, verifier-gated commit, report, and
|
|
132
|
+
selection, verifier-gated commit, report, and no ErrorFeedback.
|
|
133
133
|
|
|
134
134
|
The canonical app matrix is the userland regression form:
|
|
135
135
|
|
|
@@ -137,14 +137,14 @@ The canonical app matrix is the userland regression form:
|
|
|
137
137
|
npm run canonical-apps
|
|
138
138
|
```
|
|
139
139
|
|
|
140
|
-
It
|
|
140
|
+
It checks and plans every kept-up app without running full workers for
|
|
141
141
|
each app.
|
|
142
142
|
|
|
143
143
|
## 4. Isolated Workers
|
|
144
144
|
|
|
145
|
-
Workers should be
|
|
145
|
+
Workers should be kept apart by scope, state, and output.
|
|
146
146
|
|
|
147
|
-
|
|
147
|
+
Helpful layers for keeping apart:
|
|
148
148
|
|
|
149
149
|
- separate task prompts
|
|
150
150
|
- separate result files
|
|
@@ -153,35 +153,35 @@ Useful isolation layers:
|
|
|
153
153
|
- separate score/evidence records for competing candidates
|
|
154
154
|
- named sandbox profiles for read/write/execute/network/env policy
|
|
155
155
|
|
|
156
|
-
|
|
157
|
-
state
|
|
156
|
+
A worker fault should not damage the workflow kernel. A worker that has failed is a
|
|
157
|
+
state change, not a fault across the whole process.
|
|
158
158
|
|
|
159
|
-
Sandbox Profiles keep policy
|
|
160
|
-
policy in
|
|
161
|
-
against the write policy. The agent host
|
|
162
|
-
access, command
|
|
159
|
+
Sandbox Profiles keep policy clear. CW keeps the profile id and worked-out
|
|
160
|
+
policy in long-lasting state, checks paths, and takes or turns away worker output
|
|
161
|
+
against the write policy. The agent host is still the one responsible for OS-level file
|
|
162
|
+
access, command running, network access, and environment filtering.
|
|
163
163
|
|
|
164
164
|
## 5. Verifier-Gated Commits
|
|
165
165
|
|
|
166
|
-
CW should not
|
|
167
|
-
|
|
166
|
+
CW should not put every made answer back into the main workflow state.
|
|
167
|
+
Made work should go through evidence and verifier gates first.
|
|
168
168
|
|
|
169
|
-
The
|
|
169
|
+
The rule for merging we are for is:
|
|
170
170
|
|
|
171
171
|
```text
|
|
172
172
|
only verified state becomes committed state
|
|
173
173
|
```
|
|
174
174
|
|
|
175
|
-
For
|
|
175
|
+
For branches against one another, the shape is:
|
|
176
176
|
|
|
177
177
|
```text
|
|
178
178
|
candidate workers -> score records -> verifier-gated selection
|
|
179
179
|
-> verifier-gated commit()
|
|
180
180
|
```
|
|
181
181
|
|
|
182
|
-
|
|
183
|
-
|
|
184
|
-
committed state.
|
|
182
|
+
Snapshots with no gate are checkpoints. They are let through as records for check and
|
|
183
|
+
for taking up again, but reports and commit records must not put them forward as
|
|
184
|
+
verifier-gated committed state.
|
|
185
185
|
|
|
186
186
|
## 6. Practical Operating Rule
|
|
187
187
|
|
|
@@ -192,49 +192,49 @@ Verifiers decide what may be committed.
|
|
|
192
192
|
Hosts enforce runtime sandbox policy.
|
|
193
193
|
```
|
|
194
194
|
|
|
195
|
-
This keeps CW small,
|
|
195
|
+
This keeps CW small, open to looking into, and able to be grown.
|
|
196
196
|
|
|
197
197
|
## 7. FreeBSD Discipline (Binding Rules)
|
|
198
198
|
|
|
199
|
-
The principles above
|
|
200
|
-
systems engineering — and CW
|
|
199
|
+
The principles above come down from one tradition — the FreeBSD school of
|
|
200
|
+
systems engineering — and CW keeps to it strictly. In clear terms:
|
|
201
201
|
|
|
202
|
-
**POLA — Principle of Least Astonishment.** An
|
|
203
|
-
exit code, or flag never changes meaning or bytes
|
|
204
|
-
behavior
|
|
205
|
-
behavior byte-identical by default. (Example: live drive output is
|
|
202
|
+
**POLA — Principle of Least Astonishment.** An output, file layout,
|
|
203
|
+
exit code, or flag that is here now never changes meaning or bytes under an operator. New
|
|
204
|
+
behavior comes out behind a new verb/flag or an env toggle, with the earlier
|
|
205
|
+
behavior byte-identical by default. (Example: live drive output is added on top —
|
|
206
206
|
stderr only, TTY-gated, `CW_NO_STREAM=1` opt-out; the stdout payload and
|
|
207
|
-
evidence digest are
|
|
207
|
+
evidence digest are not changed.)
|
|
208
208
|
|
|
209
|
-
**Mechanism, not policy.** The kernel
|
|
209
|
+
**Mechanism, not policy.** The kernel gives mechanisms; policy is data in
|
|
210
210
|
userland. WHICH agent runs is config (`CW_AGENT_COMMAND` / agent-config), not
|
|
211
|
-
code; vendor-specific rendering
|
|
212
|
-
never in core. Core may
|
|
211
|
+
code; vendor-specific rendering is in wrappers under `scripts/agents/`,
|
|
212
|
+
never in core. Core may send a vendor's stream on; it never reads one apart.
|
|
213
213
|
|
|
214
214
|
**Rule of Silence.** stdout is data, stderr is diagnostics, and a
|
|
215
|
-
non-interactive run
|
|
216
|
-
and can be
|
|
215
|
+
non-interactive run says nothing on success. Anything friendly to a person is TTY-gated
|
|
216
|
+
and can be turned off; `--json` output is fixed and with nothing added so it goes together
|
|
217
217
|
in pipes.
|
|
218
218
|
|
|
219
|
-
**Fail closed, conservative defaults.**
|
|
220
|
-
`unverified`,
|
|
221
|
-
mode),
|
|
222
|
-
falls back
|
|
219
|
+
**Fail closed, conservative defaults.** Backends not yet configured probe as
|
|
220
|
+
`unverified`, telemetry that cannot be verified is made known loudly (or turned away in strict
|
|
221
|
+
mode), results that are not valid park the hop. CW never makes up a success and never
|
|
222
|
+
falls back with no word. Dull right answers beat clever features.
|
|
223
223
|
|
|
224
224
|
**Tools, not frameworks.** Zero runtime dependencies is a red line. Verbs do
|
|
225
|
-
one thing;
|
|
226
|
-
hidden
|
|
225
|
+
one thing; things come together through long-lasting files (`.cw/`) and pipes, not
|
|
226
|
+
hidden joining inside the process.
|
|
227
227
|
|
|
228
|
-
**Man pages are the contract.** Every
|
|
229
|
-
page
|
|
230
|
-
the documented commands
|
|
228
|
+
**Man pages are the contract.** Every capability that ships has a `docs/*.7.md`
|
|
229
|
+
page kept up to date in the same change, and doc-drift guards in the test suite keep
|
|
230
|
+
the documented commands true. Behavior with no docs is behavior not finished.
|
|
231
231
|
|
|
232
|
-
**style(9) spirit.** One
|
|
232
|
+
**style(9) spirit.** One same style for each layer; a diff is in keeping with the file
|
|
233
233
|
it touches and never reformats code it does not change.
|
|
234
234
|
|
|
235
|
-
**Release engineering.** Main is -CURRENT; a tag is -RELEASE: it
|
|
235
|
+
**Release engineering.** Main is -CURRENT; a tag is -RELEASE: it is there only
|
|
236
236
|
after the deterministic gate and an independent review pass, and cadence never
|
|
237
|
-
|
|
237
|
+
goes over the gate.
|
|
238
238
|
|
|
239
|
-
A change that
|
|
240
|
-
the capability it ships is
|
|
239
|
+
A change that goes against any rule in this section is turned down in review even if
|
|
240
|
+
the capability it ships is in other ways wanted.
|
|
@@ -1,43 +1,43 @@
|
|
|
1
1
|
# Vendor Manifest Loadability
|
|
2
2
|
|
|
3
|
-
CW ships one kernel to many AI clients.
|
|
4
|
-
|
|
5
|
-
Gemini, OpenCode) — see `gen-manifests(1)`. Each vendor that
|
|
6
|
-
server gets a
|
|
3
|
+
CW ships one kernel to many AI clients. One `manifest/plugin.manifest.json`
|
|
4
|
+
makes the plugin files for every vendor (Claude, Codex, the `agents` marketplace,
|
|
5
|
+
Gemini, OpenCode) — see `gen-manifests(1)`. Each vendor that opens up the MCP
|
|
6
|
+
server gets a made `mcp.json` that tells that client how to start it.
|
|
7
7
|
|
|
8
8
|
## The gap this closes
|
|
9
9
|
|
|
10
|
-
Two gates
|
|
11
|
-
|
|
10
|
+
Two gates keep watch over the manifests now, but neither one proves a vendor manifest
|
|
11
|
+
truly *boots*:
|
|
12
12
|
|
|
13
13
|
- `npm run gen:manifests -- --check` diffs the generated bytes against the
|
|
14
|
-
manifest source. It
|
|
14
|
+
manifest source. It sees drift, not a wrong-but-consistent command.
|
|
15
15
|
- `parity-check` boots `dist/mcp-server.js` **directly** — it never reads any
|
|
16
16
|
vendor's `mcp.json`, never resolves a `pluginRootVar`.
|
|
17
17
|
|
|
18
|
-
So a manifest could
|
|
18
|
+
So a manifest could give a broken `command`, `args`, or path and every gate
|
|
19
19
|
would stay green while no client could load it. Track C ("multi-vendor manifest
|
|
20
|
-
actually loaded by ≥2 real clients") was
|
|
20
|
+
actually loaded by ≥2 real clients") was claimed, not proven.
|
|
21
21
|
|
|
22
22
|
## The load proof
|
|
23
23
|
|
|
24
|
-
`npm run manifest:load-check` (the `vendor-manifest-load-smoke`, run
|
|
25
|
-
by `npm test`) closes it. For every vendor in `targets` that
|
|
24
|
+
`npm run manifest:load-check` (the `vendor-manifest-load-smoke`, run by itself
|
|
25
|
+
by `npm test`) closes it. For every vendor in `targets` that gives an `mcp`
|
|
26
26
|
output it:
|
|
27
27
|
|
|
28
28
|
1. reads the generated `mcp.json`;
|
|
29
|
-
2. resolves the server `command` + `args`
|
|
30
|
-
|
|
31
|
-
`./` for the rest)
|
|
29
|
+
2. resolves the server `command` + `args` in just the way that client does —
|
|
30
|
+
putting the vendor's `pluginRootVar` (`${CLAUDE_PLUGIN_ROOT}/` for Claude,
|
|
31
|
+
`./` for the rest) in place of the real plugin root;
|
|
32
32
|
3. spawns the server with `shell:false` (argv spawn, no shell);
|
|
33
|
-
4.
|
|
33
|
+
4. finishes a JSON-RPC `initialize` + `tools/list` round-trip.
|
|
34
34
|
|
|
35
|
-
Every vendor
|
|
36
|
-
`serverInfo.name` and
|
|
37
|
-
manifest drifted to
|
|
38
|
-
`pluginRootVar` —
|
|
35
|
+
Every vendor starts the same kernel, so the proof says they **agree**: one
|
|
36
|
+
`serverInfo.name` and the same tool count across all of them. A vendor whose
|
|
37
|
+
manifest drifted to a shape that will not boot — wrong path, wrong command, bad
|
|
38
|
+
`pluginRootVar` — does not pass this check, so it does not ship a dead plugin.
|
|
39
39
|
|
|
40
40
|
## See also
|
|
41
41
|
|
|
42
|
-
- `gen-manifests(1)` — one source
|
|
42
|
+
- `gen-manifests(1)` — one source makes every vendor manifest.
|
|
43
43
|
- `cli-mcp-parity(7)` — the CLI ↔ MCP capability-parity gate.
|
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
|
|
3
3
|
## NAME
|
|
4
4
|
|
|
5
|
-
Verifier-Gated Commit - commit only state that
|
|
5
|
+
Verifier-Gated Commit - commit only state that got past an evidence-backed verifier
|
|
6
6
|
|
|
7
7
|
## SYNOPSIS
|
|
8
8
|
|
|
@@ -25,26 +25,26 @@ commitState(run, {
|
|
|
25
25
|
|
|
26
26
|
## DESCRIPTION
|
|
27
27
|
|
|
28
|
-
Verifier-Gated Commit is the CW rule that
|
|
29
|
-
|
|
28
|
+
Verifier-Gated Commit is the CW rule that keeps committed state apart from
|
|
29
|
+
normal checkpoints:
|
|
30
30
|
|
|
31
31
|
```text
|
|
32
32
|
only verified state becomes committed state
|
|
33
33
|
```
|
|
34
34
|
|
|
35
|
-
A verifier-gated commit
|
|
35
|
+
A verifier-gated commit needs one of these inputs:
|
|
36
36
|
|
|
37
37
|
- a `verifier` state node with `verified` status and evidence
|
|
38
38
|
- a verified candidate selection that references such a verifier node
|
|
39
39
|
- a selected candidate whose selection references such a verifier node
|
|
40
40
|
|
|
41
|
-
The verifier gate
|
|
42
|
-
choice
|
|
41
|
+
The verifier gate has the final say. Candidate scores are evidence to help the
|
|
42
|
+
operator make a choice. They do not give the right to commit state.
|
|
43
43
|
|
|
44
44
|
## CHECKPOINTS
|
|
45
45
|
|
|
46
|
-
CW still writes
|
|
47
|
-
operator checkpoints. These records are checkpoints. They are
|
|
46
|
+
CW still writes inside snapshots for planning, dispatch, result recording, and
|
|
47
|
+
operator checkpoints. These records are checkpoints. They are good for audit,
|
|
48
48
|
resume, and rollback, but they are not verifier-gated committed state.
|
|
49
49
|
|
|
50
50
|
Checkpoint records have:
|
|
@@ -61,7 +61,7 @@ verifier-gated commit state node uses `status: "committed"`.
|
|
|
61
61
|
|
|
62
62
|
## COMMIT RECORDS
|
|
63
63
|
|
|
64
|
-
A verifier-gated commit
|
|
64
|
+
A verifier-gated commit writes gate metadata in the commit JSON and state node:
|
|
65
65
|
|
|
66
66
|
```json
|
|
67
67
|
{
|
|
@@ -74,7 +74,7 @@ A verifier-gated commit records gate metadata in the commit JSON and state node:
|
|
|
74
74
|
}
|
|
75
75
|
```
|
|
76
76
|
|
|
77
|
-
The `candidateId` and `selectionId` fields are
|
|
77
|
+
The `candidateId` and `selectionId` fields are there when the commit promotes
|
|
78
78
|
a candidate or candidate selection. The `evidence` field is copied from the
|
|
79
79
|
verifier node.
|
|
80
80
|
|
|
@@ -88,7 +88,7 @@ verifier node.
|
|
|
88
88
|
.cw/runs/<run-id>/report.md
|
|
89
89
|
```
|
|
90
90
|
|
|
91
|
-
Every blocked commit
|
|
91
|
+
Every blocked commit try writes an `error` state node and an ErrorFeedback
|
|
92
92
|
record before the command exits.
|
|
93
93
|
|
|
94
94
|
## FAILURE MODES
|
|
@@ -114,12 +114,12 @@ commit-selection-not-verified
|
|
|
114
114
|
commit-verifier-linkage-mismatch
|
|
115
115
|
```
|
|
116
116
|
|
|
117
|
-
Use `cw.js feedback list <run-id>` and `cw.js node graph <run-id>` to
|
|
117
|
+
Use `cw.js feedback list <run-id>` and `cw.js node graph <run-id>` to look at
|
|
118
118
|
the failed transition.
|
|
119
119
|
|
|
120
120
|
## CANDIDATES
|
|
121
121
|
|
|
122
|
-
A candidate can become committed state only after selection
|
|
122
|
+
A candidate can become committed state only after selection gets past the verifier
|
|
123
123
|
gate. Rejected, failed, unscored, unselected, or unverified candidates are
|
|
124
124
|
blocked.
|
|
125
125
|
|
|
@@ -131,10 +131,10 @@ candidate record -> score record -> verified selection -> verifier-gated commit
|
|
|
131
131
|
|
|
132
132
|
## COMPATIBILITY
|
|
133
133
|
|
|
134
|
-
Verifier-Gated Commit
|
|
134
|
+
Verifier-Gated Commit comes in with CW v0.1.7. It adds optional fields to
|
|
135
135
|
commit records and keeps older run state readable.
|
|
136
136
|
|
|
137
|
-
Programmatic snapshots that do not
|
|
138
|
-
The CLI `commit` command is
|
|
137
|
+
Programmatic snapshots that do not ask for a verifier gate stay checkpoints.
|
|
138
|
+
The CLI `commit` command is more strict: a plain by-hand commit fails closed unless
|
|
139
139
|
the operator passes `--allow-unverified-checkpoint`.
|
|
140
140
|
0.1.51
|