cool-workflow 0.1.82 → 0.1.83

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (79) hide show
  1. package/.claude-plugin/plugin.json +2 -2
  2. package/.codex-plugin/plugin.json +4 -4
  3. package/README.md +124 -120
  4. package/apps/architecture-review/app.json +1 -1
  5. package/apps/architecture-review-fast/app.json +1 -1
  6. package/apps/end-to-end-golden-path/app.json +1 -1
  7. package/apps/pr-review-fix-ci/app.json +1 -1
  8. package/apps/release-cut/app.json +1 -1
  9. package/apps/research-synthesis/app.json +1 -1
  10. package/dist/capability-core.js +16 -8
  11. package/dist/capability-registry.js +8 -0
  12. package/dist/cli.js +12 -1
  13. package/dist/commit.js +5 -1
  14. package/dist/doctor.js +153 -0
  15. package/dist/mcp-server.js +11 -0
  16. package/dist/orchestrator.js +13 -0
  17. package/dist/reclamation/hash.js +72 -0
  18. package/dist/reclamation.js +25 -78
  19. package/dist/run-registry/queue.js +6 -7
  20. package/dist/run-registry.js +35 -24
  21. package/dist/scheduler.js +78 -53
  22. package/dist/version.js +1 -1
  23. package/dist/worker-isolation.js +22 -2
  24. package/docs/agent-delegation-drive.7.md +90 -86
  25. package/docs/agent-framework.md +33 -32
  26. package/docs/candidate-scoring.7.md +26 -24
  27. package/docs/canonical-workflow-apps.7.md +40 -40
  28. package/docs/capability-topology-registry.7.md +24 -24
  29. package/docs/cli-mcp-parity.7.md +226 -154
  30. package/docs/contract-migration-tooling.7.md +48 -41
  31. package/docs/control-plane-scheduling.7.md +45 -41
  32. package/docs/coordinator-blackboard.7.md +30 -30
  33. package/docs/dogfood-one-real-repo.7.md +44 -44
  34. package/docs/durable-state-and-locking.7.md +34 -30
  35. package/docs/end-to-end-golden-path.7.md +29 -29
  36. package/docs/error-feedback.7.md +27 -27
  37. package/docs/evidence-adoption-reasoning-chain.7.md +62 -58
  38. package/docs/execution-backends.7.md +84 -80
  39. package/docs/getting-started.md +35 -18
  40. package/docs/index.md +3 -3
  41. package/docs/mcp-app-surface.7.md +64 -64
  42. package/docs/multi-agent-cli-mcp-surface.7.md +82 -77
  43. package/docs/multi-agent-eval-replay-harness.7.md +59 -55
  44. package/docs/multi-agent-operator-ux.7.md +69 -65
  45. package/docs/multi-agent-runtime-core.7.md +39 -39
  46. package/docs/multi-agent-topologies.7.md +24 -24
  47. package/docs/multi-agent-trust-policy-audit.7.md +38 -38
  48. package/docs/node-snapshot-diff-replay.7.md +26 -22
  49. package/docs/observability-cost-accounting.7.md +49 -45
  50. package/docs/operator-ux.7.md +30 -30
  51. package/docs/pipeline-runner.7.md +31 -31
  52. package/docs/project-index.md +10 -5
  53. package/docs/real-execution-backends.7.md +47 -43
  54. package/docs/release-and-migration.7.md +42 -38
  55. package/docs/release-tooling.7.md +53 -49
  56. package/docs/routines.md +16 -16
  57. package/docs/run-registry-control-plane.7.md +120 -116
  58. package/docs/run-retention-reclamation.7.md +45 -41
  59. package/docs/sandbox-profiles.7.md +32 -32
  60. package/docs/scheduled-tasks.md +14 -14
  61. package/docs/security-trust-hardening.7.md +29 -29
  62. package/docs/source-context-profiles.7.md +28 -28
  63. package/docs/state-explosion-management.7.md +63 -59
  64. package/docs/state-node.7.md +8 -8
  65. package/docs/team-collaboration.7.md +62 -58
  66. package/docs/trust-model.md +126 -126
  67. package/docs/unix-principles.md +80 -80
  68. package/docs/vendor-manifest-loadability.7.md +20 -20
  69. package/docs/verifier-gated-commit.7.md +16 -16
  70. package/docs/web-desktop-workbench.7.md +69 -65
  71. package/docs/worker-isolation.7.md +34 -37
  72. package/docs/workflow-app-framework.7.md +38 -38
  73. package/manifest/plugin.manifest.json +4 -4
  74. package/package.json +3 -2
  75. package/scripts/canonical-apps.js +4 -4
  76. package/scripts/dogfood-release.js +1 -1
  77. package/scripts/gen-parity-doc.js +106 -0
  78. package/scripts/golden-path.js +4 -4
  79. package/dist/verifier-registry.js +0 -46
@@ -1,23 +1,24 @@
1
1
  # Contract Migration Tooling
2
2
 
3
- CW v0.1.36 makes schema migration a first-class, declared subsystem. Before
4
- v0.1.36 migration was ad-hoc and run-state-only: `RUN_STATE_MIGRATIONS` was an
5
- inline step array walked by `migrateRunState`, with no declared `up`-transform
6
- registry, no recorded compatibility PROOF, no round-trip/non-destruction
7
- guarantee, and NOTHING covering the workflow-app schema (an old app schema was
8
- flatly rejected, never migrated). v0.1.36 adds a declared registry, per-edge
9
- compatibility proofs, fail-closed reachability, and a round-trip prover — reusing
10
- the existing `migrateRunState` transform (no logic forked).
3
+ CW v0.1.36 makes schema migration a named, declared part of the system. Before
4
+ v0.1.36 migration was done one step at a time and only on run-state:
5
+ `RUN_STATE_MIGRATIONS` was an inline step array walked by `migrateRunState`,
6
+ with no declared `up`-transform registry, no kept compatibility PROOF, no
7
+ round-trip/non-destruction guarantee, and NOTHING covering the workflow-app
8
+ schema (an old app schema was turned away flatly, never migrated). v0.1.36 adds
9
+ a declared registry, per-edge compatibility proofs, fail-closed reachability,
10
+ and a round-trip prover — using again the existing `migrateRunState` transform
11
+ (no logic forked).
11
12
 
12
13
  ## The declared registry
13
14
 
14
- `migration list` is the single declared source for "what versions exist and how
15
- to advance them": one `MigrationContract` per schema (`run-state`,
15
+ `migration list` is the one declared source for "what versions exist and how
16
+ to move them forward": one `MigrationContract` per schema (`run-state`,
16
17
  `workflow-app`), each with `currentVersion`, `minVersion`, and an array of
17
18
  `MigrationEdge { from, to, description, proof }`. The run-state edges ARE
18
- `RUN_STATE_MIGRATIONS` (the transform is not duplicated). Each edge carries a
19
- mechanically-checkable `MigrationCompatibilityProof` — the invariant it preserves
20
- (`addsDefaulted`, `dropsNothing`), as data, not prose.
19
+ `RUN_STATE_MIGRATIONS` (the transform is not copied). Each edge carries a
20
+ machine-checkable `MigrationCompatibilityProof` — the invariant it keeps
21
+ (`addsDefaulted`, `dropsNothing`), as data, not as words.
21
22
 
22
23
  ```text
23
24
  migration list [--json]
@@ -25,20 +26,21 @@ migration list [--json]
25
26
 
26
27
  ## Fail closed on reachability
27
28
 
28
- Before transforming, the chain `detected -> current` is resolved. If a contract's
29
- detected version is below `minVersion`, above `currentVersion`, or has no chained
30
- path, the verdict is `unsupported` with a named reason and NO write — never a
31
- best-effort partial migration. (An older workflow-app, for which no edge exists
32
- yet, fails closed with a precise reason instead of being silently accepted.)
29
+ Before transforming, the chain `detected -> current` is worked out. If a
30
+ contract's detected version is below `minVersion`, above `currentVersion`, or
31
+ has no chained path, the verdict is `unsupported` with a named reason and NO
32
+ write — never a part-way migration that does its best. (An older workflow-app,
33
+ for which no edge exists yet, fails closed with an exact reason in place of
34
+ being taken in quietly.)
33
35
 
34
36
  ```text
35
37
  migration check <target> [--contract run-state|workflow-app] [--json]
36
38
  ```
37
39
 
38
40
  `<target>` is a run id (resolves to `.cw/runs/<id>/state.json`) or a path to a
39
- `state.json` / app manifest. The verdict reports `status`
41
+ `state.json` / app manifest. The verdict gives the `status`
40
42
  (`current|migrated|normalized|unsupported`), the detected/current versions, the
41
- resolved `chain`, the change count, and any errors.
43
+ resolved `chain`, the count of changes, and any errors.
42
44
 
43
45
  ## Round-trip / non-destruction proof
44
46
 
@@ -46,33 +48,34 @@ resolved `chain`, the change count, and any errors.
46
48
  migration prove <target> [--contract run-state|workflow-app] [--json]
47
49
  ```
48
50
 
49
- `migration prove` runs the chain and PROVES four properties, emitting a
51
+ `migration prove` runs the chain and PROVES four properties, putting out a
50
52
  deterministic, sha256-fingerprinted `MigrationProof`:
51
53
 
52
54
  - **validatesAtCurrent** — the result validates at `currentVersion`.
53
- - **appendOnly** — every source record/key survives into the output (recursive);
54
- nothing is destroyed.
55
- - **idempotent** — re-running migration on the output yields no further change.
56
- - **sourceImmutable** — `sourceHash == resultHash`-of-source: the original
55
+ - **appendOnly** — every source record/key lives on into the output (recursive);
56
+ nothing is lost.
57
+ - **idempotent** — running migration again on the output gives no further change.
58
+ - **sourceImmutable** — `sourceHash == resultHash`-of-source: the first
57
59
  snapshot is byte-unchanged (`migrateRunState` clones; the source `state.json` is
58
- never mutated).
60
+ never changed).
59
61
 
60
- `pass` is the conjunction. An `unsupported` verdict never transforms and never
61
- claims a positive proof.
62
+ `pass` is true when all of these are true. An `unsupported` verdict never
63
+ transforms and never claims a good proof.
62
64
 
63
65
  ## Append-only proof storage
64
66
 
65
- `migration prove` persists the `MigrationProof` beside the target under
66
- `migration/<fingerprint>.json` — a NEW file, never overwriting `state.json` or the
67
- source manifest. Re-deriving from disk reproduces the same fingerprint.
67
+ `migration prove` keeps the `MigrationProof` next to the target under
68
+ `migration/<fingerprint>.json` — a NEW file, never writing over `state.json` or
69
+ the source manifest. Working it out again from disk gives back the same
70
+ fingerprint.
68
71
 
69
72
  ## Surfaces & Compatibility
70
73
 
71
74
  `migration.list`/`check`/`prove` are declared `surface: "both"`, so
72
- `cw migration <verb> --json` and the `cw_migration_*` MCP tools render one core
73
- (`src/contract-migration.ts`). Additive: the run-state and workflow-app schema
74
- versions and `migrateRunState` are unchanged; the registry declares and proves
75
- over the existing transform. Pre-0.1.36 runs and apps load unchanged.
75
+ `cw migration <verb> --json` and the `cw_migration_*` MCP tools draw from one
76
+ core (`src/contract-migration.ts`). It only adds: the run-state and workflow-app
77
+ schema versions and `migrateRunState` are unchanged; the registry declares and
78
+ proves over the existing transform. Pre-0.1.36 runs and apps load unchanged.
76
79
 
77
80
  ## See Also
78
81
 
@@ -81,7 +84,7 @@ cli-mcp-parity(7)
81
84
 
82
85
  ## Control-Plane Scheduling (v0.1.37)
83
86
 
84
- priority + concurrency limits + lease lifecycle + retry/backoff + fail-closed park over the v0.1.28 Run Registry queue; policy-as-data, deterministic. See control-plane-scheduling(7).
87
+ priority + concurrency limits + lease lifecycle + retry/backoff + fail-closed park over the v0.1.28 Run Registry queue; policy-as-data, deterministic. See control-plane-scheduling(7) for more.
85
88
 
86
89
  ## Agent Delegation Drive (v0.1.38)
87
90
 
@@ -101,19 +104,19 @@ evidence grounding + durable audit append + symlink-hardened containment + deter
101
104
 
102
105
  ## Robust Result Ingest (v0.1.42)
103
106
 
104
- capture findings/evidence from any reasonable agent shape (alt keys + prose), CW derives grounded evidence itself, warn on empty capture — closes the v0.1.41 live-drive 'accepted with 0 captured' failure
107
+ capture findings/evidence from any agent shape that makes sense (alt keys + prose), CW works out grounded evidence itself, give a warning on empty capture — closes the v0.1.41 live-drive 'accepted with 0 captured' failure
105
108
 
106
109
  ## No-False-Green Gate & Launch Prep (v0.1.43)
107
110
 
108
- Hard gate blocking empty-capture verifier-gated commits, plus quickstart and launch-prep docs.
111
+ Hard gate stopping empty-capture verifier-gated commits, plus quickstart and launch-prep docs.
109
112
 
110
113
  ## Release-Gate Determinism & Agents Vendor (v0.1.44)
111
114
 
112
- Release-readiness checks now validate the committed blob (`git show HEAD:<path>`) instead of the mutable working tree — eliminating false-red/false-green from concurrent working-tree writes (iCloud/Spotlight/editor). Adds the `agents` vendor manifest target: a generated `.agents/plugins/cool-workflow/` adapter giving any non-Claude AI agent one common interface to CW.
115
+ Release-readiness checks now validate the committed blob (`git show HEAD:<path>`) in place of the changeable working tree — getting rid of false-red/false-green from working-tree writes at the same time (iCloud/Spotlight/editor). Adds the `agents` vendor manifest target: a generated `.agents/plugins/cool-workflow/` adapter that gives any non-Claude AI agent one common way in to CW.
113
116
 
114
117
  ## P1-P2 Fixes & CI Content Surfaces (v0.1.49)
115
118
 
116
- Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.46), vendor-adapter registry (v0.1.47), state auto-compaction and P2 fixes (v0.1.48), plus CI content-surface determinism hardening (v0.1.49).
119
+ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.46), vendor-adapter registry (v0.1.47), state auto-compaction and P2 fixes (v0.1.48), plus CI content-surface determinism hardening (v0.1.49) on top.
117
120
  0.1.51
118
121
 
119
122
  0.1.76
@@ -126,7 +129,11 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
126
129
 
127
130
  ## Fast Architecture Review (v0.1.80)
128
131
 
129
- Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, reusable Map and Assess results, measurable wrapper metrics, actionable background full-review handoff, and userland model policy flags for routing fast/strong workers without changing the full review contract.
132
+ Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, reusable Map and Assess results, wrapper metrics you can measure, a background full-review handoff you can act on, and userland model policy flags for routing fast/strong workers without changing the full review contract.
130
133
 
131
134
  _No changes to the contract-migration subsystem in v0.1.81._
132
135
  _No changes in v0.1.82._
136
+
137
+ ## Hardening and Onboarding (v0.1.83)
138
+
139
+ Loaders fail closed on corrupt state; store writes are made safe under more than one writer; a new cw doctor checks your setup; help lists every command; and the docs are put into Basic English.
@@ -2,24 +2,24 @@
2
2
 
3
3
  CW v0.1.37 adds Control-Plane Scheduling: a scheduling-policy layer over the
4
4
  v0.1.28 Run Registry queue. Before v0.1.37 the queue had ORDER (priority,
5
- `enqueuedAt`) but no policy — nothing limited how many runs were in flight, nothing
6
- retried a transient failure with backoff, and nothing bounded retries
7
- (`queue drain` would re-hand the same failing entry forever). v0.1.37 layers
8
- policy-as-data over the existing queue (no queue file duplicated): priority +
9
- readiness selection, a hard concurrency ceiling, leases, retry with computed
10
- backoff, and a fail-closed park state. The verbs use a distinct `sched` namespace,
11
- separate from the unrelated wall-clock `schedule` (loop/cron) scheduler.
12
-
13
- The core (`src/scheduling.ts`) is pure and deterministic — every function takes an
14
- injected `now`; "CW records readiness/order/leases, the host still executes the
5
+ `enqueuedAt`) but no policy — nothing kept down how many runs were in flight, nothing
6
+ tried again after a short-lived failure with backoff, and nothing put a limit on retries
7
+ (`queue drain` would hand out the same failing entry again and again, for ever). v0.1.37 puts
8
+ policy-as-data over the queue that is already there (no queue file is copied): priority +
9
+ readiness selection, a hard concurrency ceiling, leases, retry with worked-out
10
+ backoff, and a fail-closed park state. The verbs use their own `sched` namespace,
11
+ apart from the unrelated wall-clock `schedule` (loop/cron) scheduler.
12
+
13
+ The core (`src/scheduling.ts`) is pure and deterministic — every function is given an
14
+ injected `now`; "CW writes down readiness/order/leases, the host still runs the
15
15
  workers."
16
16
 
17
17
  ## Policy as data
18
18
 
19
19
  `SchedulingPolicy` is a plain, diffable file under `$CW_HOME/registry/
20
- scheduling-policy.json`, defaulting to conservative fail-closed values when
21
- absent: `maxConcurrent 1`, `maxAttempts 3`, `leaseTtlMs 300000`, backoff
22
- `baseMs 1000 * factor 2 ^ (attempts-1)` capped at `60000` (no jitter).
20
+ scheduling-policy.json`. When it is not there, it takes safe fail-closed values:
21
+ `maxConcurrent 1`, `maxAttempts 3`, `leaseTtlMs 300000`, backoff
22
+ `baseMs 1000 * factor 2 ^ (attempts-1)` with a top of `60000` (no jitter).
23
23
 
24
24
  ```text
25
25
  sched policy show [--json]
@@ -34,36 +34,36 @@ ready --lease--> leased --complete--> drained
34
34
  |__reset________/
35
35
  ```
36
36
 
37
- - **`sched plan`** — READ-ONLY: the would-be lease plan for the current
38
- queue+policy+now, deterministic and replayable, without mutating. Payload-
37
+ - **`sched plan`** — READ-ONLY: the lease plan that would be used for the current
38
+ queue+policy+now, deterministic and able to be run again, with no changes made. Payload-
39
39
  identical across CLI and MCP.
40
- - **`sched lease`** — claim eligible entries (priority order via `compareQueue`,
41
- skipping anything not yet eligible / parked / leased) as `leased` with a
40
+ - **`sched lease`** — take eligible entries (priority order via `compareQueue`,
41
+ jumping over anything not yet eligible / parked / leased) as `leased` with a
42
42
  `leaseId` and `leaseExpiresAt`. The **concurrency ceiling is a hard limit** —
43
- leasing stops at `maxConcurrent`; over-limit entries stay `ready`.
44
- - **`sched complete <leaseId>`** — terminal success (`drained`).
45
- - **`sched release <leaseId> [--failed]`** — failed releases count an attempt
46
- (retry/backoff or park); a clean release returns the entry to `ready`.
47
- - **`sched reclaim`** — an EXPIRED lease (the host died) is reclaimable and counts
48
- one failed attempt — recorded, not silently reset.
43
+ leasing stops at `maxConcurrent`; entries over the limit stay `ready`.
44
+ - **`sched complete <leaseId>`** — end success (`drained`).
45
+ - **`sched release <leaseId> [--failed]`** — failed releases count as an attempt
46
+ (retry/backoff or park); a clean release sends the entry back to `ready`.
47
+ - **`sched reclaim`** — an EXPIRED lease (the host died) can be reclaimed and counts
48
+ as one failed attempt — written down, not quietly reset.
49
49
  - **`sched reset <id>`** — operator recovery: a parked entry back to `ready`.
50
50
 
51
51
  ## Fail closed
52
52
 
53
- - **Concurrency is a hard ceiling** — never exceeded; `sched plan`/`lease` stop at
53
+ - **Concurrency is a hard ceiling** — never gone past; `sched plan`/`lease` stop at
54
54
  `maxConcurrent` in-flight leases.
55
55
  - **Park past budget** — when `attempts >= maxAttempts` the entry becomes `parked`
56
- with a `parkedReason` and is NEVER re-selected. `sched reset` is the only way
57
- back. The queue can never re-hand a failing entry forever.
58
- - **Backoff is deterministic** — a pure curve, no randomness; a retried entry sets
59
- `nextEligibleAt` and is skipped until then.
56
+ with a `parkedReason` and is NEVER picked again. `sched reset` is the only way
57
+ back. The queue can never hand out a failing entry for ever.
58
+ - **Backoff is deterministic** — a pure curve, nothing random; a retried entry sets
59
+ `nextEligibleAt` and is jumped over until then.
60
60
 
61
61
  ## Compatibility
62
62
 
63
- Additive: `RunQueueEntry` gains optional `attempts`/`leaseId`/`leaseExpiresAt`/
63
+ Additive: `RunQueueEntry` gets the optional `attempts`/`leaseId`/`leaseExpiresAt`/
64
64
  `nextEligibleAt`/`parkedReason` and two statuses (`leased`/`parked`); a pre-0.1.37
65
- `queue.json` loads unchanged (no scheduling fields = a plain ordered queue). The
66
- existing `queue add|list|drain|show` verbs are unchanged. No new database, no
65
+ `queue.json` loads with no change (no scheduling fields = a plain ordered queue). The
66
+ `queue add|list|drain|show` verbs that are already there do not change. No new database, no
67
67
  daemon-owned state.
68
68
 
69
69
  ## See Also
@@ -72,35 +72,35 @@ run-registry-control-plane(7), cli-mcp-parity(7), release-and-migration(7)
72
72
 
73
73
  ## Agent Delegation Drive (v0.1.38)
74
74
 
75
- spawn an external agent process per worker, capture result.md + attestation, auto-drive plan->dispatch->fulfill->accept->commit
75
+ start an outside agent process for each worker, take in result.md + attestation, and drive plan->dispatch->fulfill->accept->commit by itself
76
76
 
77
77
  ## Run Retention & Provable Reclamation (v0.1.39)
78
78
 
79
- tiered, append-only, cryptographically-verifiable run reclamation: seal the audit skeleton, free the reconstructable bulk, prove it
79
+ tiered, append-only, cryptographically-verifiable run reclamation: shut the audit skeleton, free the bulk that can be built again, give proof of it
80
80
 
81
81
  ## Durable State & Locking (v0.1.40)
82
82
 
83
- atomic temp->rename writes + fsync-durability for authoritative stores; portable stale-stealing file lock serializing the cross-process read-modify-write stores
83
+ atomic temp->rename writes + fsync-durability for the authoritative stores; portable stale-stealing file lock that puts the cross-process read-modify-write stores in order, one at a time
84
84
 
85
85
  ## Self-Audit Hardening & Pure-Router Decomposition (v0.1.41)
86
86
 
87
- evidence grounding + durable audit append + symlink-hardened containment + deterministic worker ids + recursive redaction; BackendRegistry self-describing drivers (no per-id switches); orchestrator god-object decomposed into per-domain operation modules (pure loadRun->delegate router)
87
+ evidence grounding + durable audit append + symlink-hardened containment + deterministic worker ids + recursive redaction; BackendRegistry self-describing drivers (no per-id switches); the orchestrator god-object is broken up into per-domain operation modules (pure loadRun->delegate router)
88
88
 
89
89
  ## Robust Result Ingest (v0.1.42)
90
90
 
91
- capture findings/evidence from any reasonable agent shape (alt keys + prose), CW derives grounded evidence itself, warn on empty capture — closes the v0.1.41 live-drive 'accepted with 0 captured' failure
91
+ take in findings/evidence from any reasonable agent shape (alt keys + prose), CW works out grounded evidence by itself, give a warning on empty capture — this shuts the v0.1.41 live-drive 'accepted with 0 captured' failure
92
92
 
93
93
  ## No-False-Green Gate & Launch Prep (v0.1.43)
94
94
 
95
- Hard gate blocking empty-capture verifier-gated commits, plus quickstart and launch-prep docs.
95
+ Hard gate that stops empty-capture verifier-gated commits, plus quickstart and launch-prep docs.
96
96
 
97
97
  ## Release-Gate Determinism & Agents Vendor (v0.1.44)
98
98
 
99
- Release-readiness checks now validate the committed blob (`git show HEAD:<path>`) instead of the mutable working tree — eliminating false-red/false-green from concurrent working-tree writes (iCloud/Spotlight/editor). Adds the `agents` vendor manifest target: a generated `.agents/plugins/cool-workflow/` adapter giving any non-Claude AI agent one common interface to CW.
99
+ Release-readiness checks now check the committed blob (`git show HEAD:<path>`) in place of the mutable working tree — taking away false-red/false-green that came from concurrent working-tree writes (iCloud/Spotlight/editor). Adds the `agents` vendor manifest target: a generated `.agents/plugins/cool-workflow/` adapter that gives any non-Claude AI agent one common interface to CW.
100
100
 
101
101
  ## P1-P2 Fixes & CI Content Surfaces (v0.1.49)
102
102
 
103
- Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.46), vendor-adapter registry (v0.1.47), state auto-compaction and P2 fixes (v0.1.48), plus CI content-surface determinism hardening (v0.1.49).
103
+ Migration DAG with edges that can go both ways (v0.1.45), capability auto-discovery (v0.1.46), vendor-adapter registry (v0.1.47), state auto-compaction and P2 fixes (v0.1.48), plus CI content-surface determinism hardening (v0.1.49).
104
104
  0.1.51
105
105
 
106
106
  0.1.76
@@ -113,7 +113,11 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
113
113
 
114
114
  ## Fast Architecture Review (v0.1.80)
115
115
 
116
- Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, reusable Map and Assess results, measurable wrapper metrics, actionable background full-review handoff, and userland model policy flags for routing fast/strong workers without changing the full review contract.
116
+ Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, Map and Assess results that can be used again, wrapper metrics that can be measured, a background full-review handoff you can act on, and userland model policy flags for routing fast/strong workers without changing the full review contract.
117
117
 
118
118
  _No changes to the control-plane scheduling surface in v0.1.81._
119
- _No behavioral change in v0.1.82 (schedule/run ids are now deterministic-but-unique via a monotonic counter + pid instead of Math.random; ids stay collision-free)._
119
+ _No change in behavior in v0.1.82 (schedule/run ids are now deterministic-but-unique through a monotonic counter + pid in place of Math.random; ids stay collision-free)._
120
+
121
+ ## Hardening and Onboarding (v0.1.83)
122
+
123
+ Loaders fail closed on corrupt state; store writes are made safe under more than one writer; a new cw doctor checks your setup; help lists every command; and the docs are put into Basic English.
@@ -7,15 +7,15 @@ CW v0.1.25 adds `blackboard summarize <run-id>` (MCP: `cw_blackboard_summarize`)
7
7
  a deterministic blackboard digest with topic rollups, thread summaries,
8
8
  unresolved questions, conflicts, decisions, artifacts, adopted and missing
9
9
  evidence, policy violations, judge rationale, recent changes, and high-signal
10
- records. The digest is a derived userland index: it preserves links back to
11
- source messages, contexts, artifacts, snapshots, coordinator decisions, and
12
- audit events, and never deletes raw records. See
10
+ records. The digest is a worked-out index made from other records: it keeps
11
+ links back to source messages, contexts, artifacts, snapshots, coordinator
12
+ decisions, and audit events, and never deletes raw records. See
13
13
  [state-explosion-management.7.md](state-explosion-management.7.md).
14
14
 
15
- This release defines stable primitives for shared context, messages, artifact
16
- indexing, snapshots, and coordinator decisions. It does not implement debate,
17
- judge, map-reduce, swarm, committee, or synthesis topologies yet. Those
18
- topologies should consume this substrate later.
15
+ This release gives fixed building blocks for shared context, messages, artifact
16
+ indexing, snapshots, and coordinator decisions. It does not yet build debate,
17
+ judge, map-reduce, swarm, committee, or synthesis topologies. Those topologies
18
+ are meant to use this base later.
19
19
 
20
20
  ## State Model
21
21
 
@@ -44,14 +44,14 @@ Runtime objects are:
44
44
  - `BlackboardSnapshot`
45
45
  - `CoordinatorDecision`
46
46
 
47
- Every record carries schema version, stable id, timestamps, author/source,
47
+ Every record has schema version, stable id, timestamps, author/source,
48
48
  scope, status, parent references, tags, metadata, and links back to workflow,
49
49
  multi-agent, worker, task, candidate, verifier, commit, audit, and evidence
50
- records where applicable.
50
+ records when they apply.
51
51
 
52
52
  ## Storage Layout
53
53
 
54
- CW mirrors blackboard state to durable local files:
54
+ CW copies blackboard state to local files that last:
55
55
 
56
56
  ```text
57
57
  .cw/runs/<run-id>/blackboard/
@@ -64,13 +64,13 @@ CW mirrors blackboard state to durable local files:
64
64
  decisions/<decision-id>.json
65
65
  ```
66
66
 
67
- `messages.jsonl` is append-friendly. `index.json` is regenerated
68
- deterministically from run state. CW does not store secrets or raw environment
67
+ `messages.jsonl` is good for adding to the end. `index.json` is made again the
68
+ same way from run state each time. CW does not keep secrets or raw environment
69
69
  values in blackboard metadata.
70
70
 
71
71
  ## Context Semantics
72
72
 
73
- Shared context supports:
73
+ Shared context takes these kinds:
74
74
 
75
75
  - `fact`
76
76
  - `constraint`
@@ -78,12 +78,12 @@ Shared context supports:
78
78
  - `question`
79
79
  - `decision`
80
80
 
81
- Context updates do not silently overwrite older records. If a new update has
81
+ Context updates do not quietly write over older records. If a new update has
82
82
  the same topic, kind, and key as an active context record but a different value,
83
83
  CW marks the records `conflicting` and records a `CoordinatorDecision`.
84
84
 
85
- Use `--supersedes <context-id>` to intentionally replace older context. The
86
- older record is marked `superseded`, and the new record links to it.
85
+ Use `--supersedes <context-id>` when you mean to take the place of older context.
86
+ The older record is marked `superseded`, and the new record links to it.
87
87
 
88
88
  ## Artifact Index
89
89
 
@@ -91,15 +91,15 @@ older record is marked `superseded`, and the new record links to it.
91
91
  locators, generated artifacts, reports, commit snapshots, and external paths.
92
92
 
93
93
  Artifact refs include kind, path or locator, owner, source, provenance,
94
- evidence refs, checksum when the path is a readable file, and trust audit links.
95
- Existing `StateArtifact` records remain valid; blackboard refs bridge them into
96
- shared coordination state instead of replacing them.
94
+ evidence refs, checksum when the path is a file that can be read, and trust audit
95
+ links. Existing `StateArtifact` records stay good; blackboard refs join them into
96
+ shared coordination state and do not take their place.
97
97
 
98
98
  ## Multi-Agent Integration
99
99
 
100
100
  `MultiAgentRun`, groups, roles, memberships, fanout, and fanin can link to a
101
101
  blackboard id and topic ids. Worker manifests for blackboard-enabled work
102
- include:
102
+ have:
103
103
 
104
104
  ```json
105
105
  {
@@ -112,8 +112,8 @@ include:
112
112
  }
113
113
  ```
114
114
 
115
- Accepted worker output can publish result summaries and artifacts into the
116
- blackboard. Fanin can require indexed blackboard evidence and fails closed when
115
+ Accepted worker output can put result summaries and artifacts into the
116
+ blackboard. Fanin can ask for indexed blackboard evidence and fails closed when
117
117
  required role memberships have no blackboard message or artifact refs.
118
118
 
119
119
  ## CLI
@@ -133,12 +133,12 @@ node scripts/cw.js coordinator summary <run-id>
133
133
  node scripts/cw.js coordinator decision <run-id> --kind conflict-resolution --outcome accepted --reason "..."
134
134
  ```
135
135
 
136
- The CLI is JSON-friendly by default for focused blackboard and coordinator
136
+ The CLI gives JSON by default for focused blackboard and coordinator
137
137
  commands.
138
138
 
139
139
  ## MCP Parity
140
140
 
141
- MCP exposes matching tools:
141
+ MCP gives the same tools:
142
142
 
143
143
  ```text
144
144
  cw_blackboard_summary
@@ -155,14 +155,14 @@ cw_coordinator_summary
155
155
  cw_coordinator_decision
156
156
  ```
157
157
 
158
- There is no intentional CLI-only behavior for core blackboard operations.
158
+ There is no CLI-only behavior on purpose for core blackboard operations.
159
159
 
160
160
  ## Operator UX
161
161
 
162
- `status`, `report --show`, and graph output include a Blackboard / Coordinator
162
+ `status`, `report --show`, and graph output have a Blackboard / Coordinator
163
163
  panel. It shows topics, message counts, open questions, conflicts, missing
164
- evidence, artifact counts, snapshot paths, ready-for-fanin state, and next
165
- recommended action.
164
+ evidence, artifact counts, snapshot paths, ready-for-fanin state, and the next
165
+ suggested action.
166
166
 
167
167
  Use:
168
168
 
@@ -177,7 +177,7 @@ node scripts/cw.js audit provenance <run-id>
177
177
  ## Migration
178
178
 
179
179
  Older v0.1.17 and earlier runs normalize with empty blackboard state and a
180
- `.cw/runs/<run-id>/blackboard/` path. Unknown user data is preserved.
180
+ `.cw/runs/<run-id>/blackboard/` path. User data that is not known is kept.
181
181
 
182
- Newer unsupported run-state schemas still fail closed.
182
+ Newer run-state schemas that are not supported still fail closed.
183
183
  0.1.51
@@ -1,9 +1,9 @@
1
1
  # Dogfood One Real Repo
2
2
 
3
- CW v0.1.16 proves the release workflow against the real Cool Workflow
4
- repository. The proof uses the canonical `release-cut` app, records isolated
5
- worker outputs, scores a release candidate, selects it only with verifier
6
- evidence, creates a verifier-gated CW state commit, and renders trust audit
3
+ CW v0.1.16 tests the release workflow against the real Cool Workflow
4
+ repository. The test uses the canonical `release-cut` app, keeps a record of
5
+ separate worker outputs, scores a release candidate, picks it only with verifier
6
+ evidence, makes a verifier-gated CW state commit, and shows trust audit
7
7
  provenance.
8
8
 
9
9
  ## Dry-Run Command
@@ -15,7 +15,7 @@ cd plugins/cool-workflow
15
15
  npm run dogfood:release
16
16
  ```
17
17
 
18
- The command targets the repository two directories above the package, uses
18
+ The command points at the repository two directories above the package, uses
19
19
  `release-cut`, sets `version=0.1.18`, `previousVersion=0.1.17`, the current git
20
20
  branch, and `dryRun=true`. It writes a machine-readable summary to:
21
21
 
@@ -23,13 +23,13 @@ branch, and `dryRun=true`. It writes a machine-readable summary to:
23
23
  .cw/runs/<run-id>/dogfood-summary.json
24
24
  ```
25
25
 
26
- The summary includes the run id, report path, audit summary path, provenance
26
+ The summary has the run id, report path, audit summary path, provenance
27
27
  counts, worker ids, candidate id, score id, selection id, commit or checkpoint
28
28
  id, command log paths, and the release verdict.
29
29
 
30
30
  ## Real Evidence
31
31
 
32
- The full dry-run collects real repository evidence from:
32
+ The full dry-run gets real repository evidence from:
33
33
 
34
34
  ```bash
35
35
  git status --short --branch
@@ -44,8 +44,8 @@ npm run release:check
44
44
  npm pack --dry-run --json
45
45
  ```
46
46
 
47
- Each command log is written under the worker `logs/` directory and cited in the
48
- worker `cw:result` evidence array. The release verdict worker carries the full
47
+ Each command log is written under the worker `logs/` directory and named in the
48
+ worker `cw:result` evidence array. The release verdict worker takes the full
49
49
  set of command locators into the release candidate, score, selection, and
50
50
  commit/checkpoint provenance.
51
51
 
@@ -72,14 +72,14 @@ node scripts/cw.js audit provenance <run-id> --candidate dogfood-release-0.1.18
72
72
  node scripts/cw.js audit provenance <run-id> --commit <commit-id>
73
73
  ```
74
74
 
75
- The report answers why the candidate is trusted by showing sandbox profiles,
76
- host attestations, evidence provenance, candidate scoring, acceptance rationale,
75
+ The report tells why the candidate is trusted by showing sandbox profiles,
76
+ host attestations, evidence provenance, candidate scoring, acceptance reasons,
77
77
  and the verifier-gated commit.
78
78
 
79
- The dogfood command remains a local release-engineering script rather than a new
80
- MCP tool because it composes existing first-class CW capabilities: `release-cut`
79
+ The dogfood command stays a local release-engineering script and not a new
80
+ MCP tool because it is built from existing first-class CW capabilities: `release-cut`
81
81
  planning, dispatch, worker manifests/output, candidate scoring/selection,
82
- commits, reports, and audit/provenance. MCP parity is preserved for the
82
+ commits, reports, and audit/provenance. MCP parity is kept for the
83
83
  inspectable state through the existing worker, candidate, commit, operator
84
84
  report, and audit tools.
85
85
 
@@ -91,14 +91,14 @@ report, and audit tools.
91
91
  node test/dogfood-release-smoke.js
92
92
  ```
93
93
 
94
- The smoke test executes `scripts/dogfood-release.js --smoke --json`. It still
94
+ The smoke test runs `scripts/dogfood-release.js --smoke --json`. It still
95
95
  uses the real repository, `release-cut`, worker manifests, trust audit records,
96
96
  candidate scoring, selection, verifier-gated commit, and a report, but keeps the
97
- command set smaller to avoid recursive release checking.
97
+ command set smaller so it does not do recursive release checking.
98
98
 
99
99
  ## Promote To Real Release Actions
100
100
 
101
- Dry-run mode never creates tags, pushes, publishes packages, or mutates a
101
+ Dry-run mode never makes tags, pushes, puts out packages, or changes a
102
102
  marketplace. Real actions are separate maintainer commands after the dogfood
103
103
  run passes:
104
104
 
@@ -110,42 +110,42 @@ git tag v0.1.18
110
110
  git push origin main --tags
111
111
  ```
112
112
 
113
- Package publish and plugin marketplace updates should be separate visible
114
- steps. If future execute flags are used, they must be explicit, for example
115
- `--execute --tag --confirm-release-actions=0.1.18`. The script refuses tag,
116
- push, or publish flags in dry-run mode and refuses execute mode without the
113
+ Package publish and plugin marketplace updates should be separate, clear
114
+ steps. If execute flags are used later, they must be stated openly, for example
115
+ `--execute --tag --confirm-release-actions=0.1.18`. The script says no to tag,
116
+ push, or publish flags in dry-run mode and says no to execute mode without the
117
117
  target-version confirmation.
118
118
 
119
119
  ## Safety Gates
120
120
 
121
- The dogfood command holds the candidate and writes an explicit checkpoint if
122
- any evidence command fails, version sync is incomplete, release docs are
123
- missing, audit records are unavailable, or verifier evidence is absent. A
124
- selected candidate requires score evidence and a verified verifier node; a
125
- verifier-gated commit requires the selected candidate, score, evidence, sandbox
126
- profile, worker, and acceptance rationale.
121
+ The dogfood command holds the candidate and writes a clear checkpoint if
122
+ any evidence command fails, version sync is not complete, release docs are
123
+ missing, audit records are not there, or verifier evidence is not present. A
124
+ selected candidate needs score evidence and a verified verifier node; a
125
+ verifier-gated commit needs the selected candidate, score, evidence, sandbox
126
+ profile, worker, and acceptance reasons.
127
127
 
128
- This is intentionally boring release engineering: local-first, inspectable,
128
+ This is release engineering made dull on purpose: local-first, inspectable,
129
129
  scriptable, and fail-closed.
130
130
 
131
131
  ## Architecture-Review Agent-Delegation Dogfood (v0.1.38)
132
132
 
133
133
  `scripts/dogfood-architecture-review.js` dogfoods the v0.1.38 Agent Delegation
134
- Drive: the `architecture-review` app driven end-to-end by the `agent` backend,
135
- with zero hand-written `result.md`.
134
+ Drive: the `architecture-review` app driven from end to end by the `agent` backend,
135
+ with no hand-written `result.md` at all.
136
136
 
137
- It splits into two halves, exactly like the release dogfood above:
137
+ It is cut into two halves, just like the release dogfood above:
138
138
 
139
139
  - **`--smoke` (CI-verifiable).** A hermetic STUB agent (no live binary, no second
140
140
  repo, no network, no model SDK) drives the real app to a committed audited
141
- report. `node scripts/dogfood-architecture-review.js --smoke --json` emits
141
+ report. `node scripts/dogfood-architecture-review.js --smoke --json` gives back
142
142
  `{ ok: true, mode: "smoke" }` with a `reportPath` and `auditSummaryPath` that
143
- exist, the Verdict node accepted, and `audit.byKind["worker.agent-delegation"]
144
- >= 1`. This is asserted under `npm test` (`test/dogfood-release-smoke.js`).
143
+ are there, the Verdict node accepted, and `audit.byKind["worker.agent-delegation"]
144
+ >= 1`. This is checked under `npm test` (`test/dogfood-release-smoke.js`).
145
145
 
146
- - **Live full-drive (MAINTAINER-RUN, OUT OF CI).** With a REAL configured agent
146
+ - **Live full-drive (MAINTAINER-RUN, OUT OF CI).** With a REAL set-up agent
147
147
  (`CW_AGENT_COMMAND`, e.g. `claude -p {{input}}` / `codex exec`, or
148
- `--agent-command`) against ONE real external repository:
148
+ `--agent-command`) against ONE real outside repository:
149
149
 
150
150
  ```bash
151
151
  CW_AGENT_COMMAND="claude -p {{input}}" \
@@ -154,15 +154,15 @@ It splits into two halves, exactly like the release dogfood above:
154
154
  ```
155
155
 
156
156
  This drives plan → dispatch → agent-fulfill → accept/verify → commit for every
157
- worker the planner emits, produces the committed audited risk report, and writes
158
- a `docs/dogfood/architecture-review-<repo>.md` provenance note recording the repo
159
- name and the agent-REPORTED model id. It depends on a live external agent binary
157
+ worker the planner emits, makes the committed audited risk report, and writes
158
+ a `docs/dogfood/architecture-review-<repo>.md` provenance note that keeps the repo
159
+ name and the agent-REPORTED model id. It needs a live outside agent binary
160
160
  and a second repository, which CI cannot have (CI is node/npm/git-only and
161
- hermetic), so it is **explicitly OUT of CI** — a maintainer bar run out-of-band,
162
- exactly like the "Promote To Real Release Actions" above. The CI/release gate is
163
- strictly the stub `--smoke` path.
161
+ hermetic), so it is **explicitly OUT of CI** — a maintainer step run out-of-band,
162
+ just like the "Promote To Real Release Actions" above. The CI/release gate is
163
+ only the stub `--smoke` path.
164
164
 
165
- The model runs in the external agent's process, never inside CW: this script
166
- spawns the agent and records its attested output; it imports no model SDK and
165
+ The model runs in the outside agent's process, never inside CW: this script
166
+ starts the agent and records its attested output; it brings in no model SDK and
167
167
  holds no API key.
168
168
  0.1.51