cool-workflow 0.1.82 → 0.1.83
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.claude-plugin/plugin.json +2 -2
- package/.codex-plugin/plugin.json +4 -4
- package/README.md +124 -120
- package/apps/architecture-review/app.json +1 -1
- package/apps/architecture-review-fast/app.json +1 -1
- package/apps/end-to-end-golden-path/app.json +1 -1
- package/apps/pr-review-fix-ci/app.json +1 -1
- package/apps/release-cut/app.json +1 -1
- package/apps/research-synthesis/app.json +1 -1
- package/dist/capability-core.js +16 -8
- package/dist/capability-registry.js +8 -0
- package/dist/cli.js +12 -1
- package/dist/commit.js +5 -1
- package/dist/doctor.js +153 -0
- package/dist/mcp-server.js +11 -0
- package/dist/orchestrator.js +13 -0
- package/dist/reclamation/hash.js +72 -0
- package/dist/reclamation.js +25 -78
- package/dist/run-registry/queue.js +6 -7
- package/dist/run-registry.js +35 -24
- package/dist/scheduler.js +78 -53
- package/dist/version.js +1 -1
- package/dist/worker-isolation.js +22 -2
- package/docs/agent-delegation-drive.7.md +90 -86
- package/docs/agent-framework.md +33 -32
- package/docs/candidate-scoring.7.md +26 -24
- package/docs/canonical-workflow-apps.7.md +40 -40
- package/docs/capability-topology-registry.7.md +24 -24
- package/docs/cli-mcp-parity.7.md +226 -154
- package/docs/contract-migration-tooling.7.md +48 -41
- package/docs/control-plane-scheduling.7.md +45 -41
- package/docs/coordinator-blackboard.7.md +30 -30
- package/docs/dogfood-one-real-repo.7.md +44 -44
- package/docs/durable-state-and-locking.7.md +34 -30
- package/docs/end-to-end-golden-path.7.md +29 -29
- package/docs/error-feedback.7.md +27 -27
- package/docs/evidence-adoption-reasoning-chain.7.md +62 -58
- package/docs/execution-backends.7.md +84 -80
- package/docs/getting-started.md +35 -18
- package/docs/index.md +3 -3
- package/docs/mcp-app-surface.7.md +64 -64
- package/docs/multi-agent-cli-mcp-surface.7.md +82 -77
- package/docs/multi-agent-eval-replay-harness.7.md +59 -55
- package/docs/multi-agent-operator-ux.7.md +69 -65
- package/docs/multi-agent-runtime-core.7.md +39 -39
- package/docs/multi-agent-topologies.7.md +24 -24
- package/docs/multi-agent-trust-policy-audit.7.md +38 -38
- package/docs/node-snapshot-diff-replay.7.md +26 -22
- package/docs/observability-cost-accounting.7.md +49 -45
- package/docs/operator-ux.7.md +30 -30
- package/docs/pipeline-runner.7.md +31 -31
- package/docs/project-index.md +10 -5
- package/docs/real-execution-backends.7.md +47 -43
- package/docs/release-and-migration.7.md +42 -38
- package/docs/release-tooling.7.md +53 -49
- package/docs/routines.md +16 -16
- package/docs/run-registry-control-plane.7.md +120 -116
- package/docs/run-retention-reclamation.7.md +45 -41
- package/docs/sandbox-profiles.7.md +32 -32
- package/docs/scheduled-tasks.md +14 -14
- package/docs/security-trust-hardening.7.md +29 -29
- package/docs/source-context-profiles.7.md +28 -28
- package/docs/state-explosion-management.7.md +63 -59
- package/docs/state-node.7.md +8 -8
- package/docs/team-collaboration.7.md +62 -58
- package/docs/trust-model.md +126 -126
- package/docs/unix-principles.md +80 -80
- package/docs/vendor-manifest-loadability.7.md +20 -20
- package/docs/verifier-gated-commit.7.md +16 -16
- package/docs/web-desktop-workbench.7.md +69 -65
- package/docs/worker-isolation.7.md +34 -37
- package/docs/workflow-app-framework.7.md +38 -38
- package/manifest/plugin.manifest.json +4 -4
- package/package.json +3 -2
- package/scripts/canonical-apps.js +4 -4
- package/scripts/dogfood-release.js +1 -1
- package/scripts/gen-parity-doc.js +106 -0
- package/scripts/golden-path.js +4 -4
- package/dist/verifier-registry.js +0 -46
|
@@ -1,26 +1,26 @@
|
|
|
1
1
|
# Evidence Adoption Reasoning Chain
|
|
2
2
|
|
|
3
3
|
CW v0.1.26 adds the Evidence Adoption Reasoning Chain. Earlier releases can
|
|
4
|
-
already
|
|
4
|
+
already say *what* was adopted: `multi-agent evidence <run-id>` reports each
|
|
5
5
|
evidence item as `adopted`, `rejected`, `pending`, `superseded`, `conflicting`,
|
|
6
6
|
or `missing`, and traces the path worker result -> blackboard -> fanin ->
|
|
7
|
-
candidate score -> selection -> verifier-gated commit. This release
|
|
8
|
-
*why* each adoption
|
|
7
|
+
candidate score -> selection -> verifier-gated commit. This release says
|
|
8
|
+
*why* each adoption took place, as a first-class reasoning chain you can look into.
|
|
9
9
|
|
|
10
|
-
The design keeps the base-system observability
|
|
10
|
+
The design keeps the base-system observability way of thinking:
|
|
11
11
|
|
|
12
|
-
- raw state is the source
|
|
13
|
-
- the reasoning chain is a derived userland view
|
|
14
|
-
records and never
|
|
15
|
-
- mechanism is
|
|
12
|
+
- raw state is the true source
|
|
13
|
+
- the reasoning chain is a derived userland view; it never takes the place of source
|
|
14
|
+
records and never has authority over them
|
|
15
|
+
- mechanism is kept apart from policy: the chain takes in, stores, and renders the
|
|
16
16
|
recorded "why"; what counts as a *sufficient* reason stays with the verifier
|
|
17
17
|
and role policy
|
|
18
|
-
- fail closed, never
|
|
19
|
-
renders as `unexplained`, never a
|
|
20
|
-
adoption is never
|
|
18
|
+
- fail closed, never make a guess: a "why" that cannot be traced to a real record
|
|
19
|
+
renders as `unexplained`, never a made-up rationale, and an unexplained
|
|
20
|
+
adoption is never quietly handled as explained
|
|
21
21
|
- plain files, stable JSON, deterministic output
|
|
22
|
-
- backward compatible; pre-v0.1.26 run state loads and renders with derived
|
|
23
|
-
empty
|
|
22
|
+
- backward compatible; pre-v0.1.26 run state loads and renders with derived
|
|
23
|
+
reasoning records that are empty where absent
|
|
24
24
|
|
|
25
25
|
## What the chain records
|
|
26
26
|
|
|
@@ -30,22 +30,22 @@ makes the following traceable and machine-readable, per gate:
|
|
|
30
30
|
- DECISION - what was adopted/rejected and at which gate (`fanin`,
|
|
31
31
|
`candidate-score`, `selection`, `verifier`, or `commit`).
|
|
32
32
|
- BASIS - the concrete evidence refs, provenance source, parent evidence ids,
|
|
33
|
-
and audit event ids that
|
|
34
|
-
`EvidenceProvenance` and trust-audit records; they are not
|
|
33
|
+
and audit event ids that the decision is grounded on. These link to existing
|
|
34
|
+
`EvidenceProvenance` and trust-audit records; they are not copied.
|
|
35
35
|
- AUTHORITY - which role / membership / worker / scorer / verifier made the call,
|
|
36
|
-
and the role `policyRef` under which it was
|
|
36
|
+
and the role `policyRef` under which it was let through. Links to existing
|
|
37
37
|
trust / policy / audit records.
|
|
38
|
-
- RATIONALE - the
|
|
38
|
+
- RATIONALE - the clearly recorded reason. The chain reuses existing rationale
|
|
39
39
|
fields: selection `reason` and `AcceptanceRationale`, candidate score `notes`,
|
|
40
40
|
verifier commit-gate result, commit `reason`, `CoordinatorDecision.reason`, and
|
|
41
|
-
judge-rationale audit metadata. No new rationale source of truth is
|
|
42
|
-
- COUNTERFACTUAL - the rejected/losing
|
|
41
|
+
judge-rationale audit metadata. No new rationale source of truth is made.
|
|
42
|
+
- COUNTERFACTUAL - the rejected/losing other options (rejected candidates, failed
|
|
43
43
|
scores, rejected or superseded coordinator decisions) and the recorded reason
|
|
44
|
-
each lost, with a normalized score delta when
|
|
45
|
-
understood
|
|
44
|
+
each one lost, with a normalized score delta when it can be computed, so an adoption is
|
|
45
|
+
understood next to its other options.
|
|
46
46
|
- INTEGRITY - a `sourceFingerprint` and `valid|stale|absent` freshness so a
|
|
47
|
-
reader knows the
|
|
48
|
-
|
|
47
|
+
reader knows the reason still matches the records under it, plus the
|
|
48
|
+
clear `unexplained` state when a rationale is absent.
|
|
49
49
|
|
|
50
50
|
## Derived record model
|
|
51
51
|
|
|
@@ -61,14 +61,14 @@ rationale types by reference:
|
|
|
61
61
|
- `EvidenceReasoningReport` - the run-level report: `freshness`,
|
|
62
62
|
`sourceFingerprint`, `totals`, `chains`, and a `nextAction`.
|
|
63
63
|
|
|
64
|
-
Status values
|
|
64
|
+
Status values follow the existing evidence words and add the fail-closed
|
|
65
65
|
`unexplained` state. A chain is `explained` only when *every* decision-bearing
|
|
66
66
|
step is explained; if any adopting step has no traceable rationale the chain
|
|
67
67
|
rolls up to `unexplained`.
|
|
68
68
|
|
|
69
69
|
## Durable storage
|
|
70
70
|
|
|
71
|
-
`multi-agent reasoning <run-id> --refresh`
|
|
71
|
+
`multi-agent reasoning <run-id> --refresh` makes a durable, versioned,
|
|
72
72
|
provenance-backed index under `.cw/runs/<run-id>/reasoning/`:
|
|
73
73
|
|
|
74
74
|
- `index.json` - the `EvidenceReasoningIndex` (schema version, run id,
|
|
@@ -78,27 +78,27 @@ provenance-backed index under `.cw/runs/<run-id>/reasoning/`:
|
|
|
78
78
|
- `report.json` - the rendered report at refresh time.
|
|
79
79
|
|
|
80
80
|
Raw results, candidates, scores, selections, commits, blackboard records, and
|
|
81
|
-
audit events are never deleted or
|
|
82
|
-
|
|
81
|
+
audit events are never deleted or written over. The reasoning view is derived and
|
|
82
|
+
can be derived again; the index only keeps a snapshot for freshness comparison.
|
|
83
83
|
|
|
84
84
|
## Freshness
|
|
85
85
|
|
|
86
|
-
`multi-agent reasoning <run-id>`
|
|
87
|
-
and compares its `sourceFingerprint` against the
|
|
86
|
+
`multi-agent reasoning <run-id>` derives the chain again from current source state
|
|
87
|
+
and compares its `sourceFingerprint` against the kept index:
|
|
88
88
|
|
|
89
89
|
- `absent` - no index has been refreshed yet.
|
|
90
|
-
- `valid` - the
|
|
91
|
-
- `stale` - source records changed since the last refresh;
|
|
90
|
+
- `valid` - the kept fingerprint matches current source state.
|
|
91
|
+
- `stale` - source records changed since the last refresh; run again with
|
|
92
92
|
`--refresh`.
|
|
93
93
|
|
|
94
94
|
This follows the v0.1.25 state-explosion summary discipline exactly. Freshness
|
|
95
|
-
is a
|
|
95
|
+
is a state you can see, never a guess.
|
|
96
96
|
|
|
97
97
|
## Commands
|
|
98
98
|
|
|
99
99
|
`multi-agent reasoning <run-id>` (MCP: `cw_evidence_reasoning`) renders the
|
|
100
100
|
report. Add `--evidence <id>` to explain a single adoption, `--refresh` to
|
|
101
|
-
|
|
101
|
+
make the durable index first, and `--json` / `--format json` for the full
|
|
102
102
|
machine-readable report.
|
|
103
103
|
|
|
104
104
|
`multi-agent reasoning <run-id> --refresh` with no `--evidence` returns the
|
|
@@ -109,17 +109,17 @@ additive `rationaleStatus` field (`explained`, `unexplained`, or
|
|
|
109
109
|
`not-applicable`), so the existing evidence surface answers both *what* and
|
|
110
110
|
whether the *why* is recorded.
|
|
111
111
|
|
|
112
|
-
The console report adds
|
|
112
|
+
The console report adds one new panel, `Adoption Rationale`, next to the
|
|
113
113
|
existing operator panels. It is the only panel added by this release.
|
|
114
114
|
|
|
115
115
|
## Composition with graph views and compaction
|
|
116
116
|
|
|
117
|
-
The reasoning chain
|
|
117
|
+
The reasoning chain works together with the existing graph views, above all
|
|
118
118
|
`multi-agent graph <run-id> --view evidence`. A reasoning step is on the critical
|
|
119
119
|
path: every decision-gate node backing an adopted chain (candidate, score,
|
|
120
|
-
selection, commit, and fanin nodes) is
|
|
121
|
-
compaction and is never
|
|
122
|
-
score nodes, which
|
|
120
|
+
selection, commit, and fanin nodes) is kept safe from state-explosion
|
|
121
|
+
compaction and is never folded into a synthetic summary node. In particular
|
|
122
|
+
score nodes, which can be folded otherwise, stay open when they carry a
|
|
123
123
|
reasoning step.
|
|
124
124
|
|
|
125
125
|
## Eval / replay regression gates
|
|
@@ -132,7 +132,7 @@ the `Evidence Adoption Reasoning Chain` section of the replay report:
|
|
|
132
132
|
- `reasoning_chain_parity` - every chain's gates, decisions, rationale statuses,
|
|
133
133
|
and counterfactual counts match the baseline.
|
|
134
134
|
- `reasoning_unexplained_parity` - the set of `unexplained` chains is unchanged,
|
|
135
|
-
so a regression that hides or
|
|
135
|
+
so a regression that hides or makes up a rationale fails the gate.
|
|
136
136
|
|
|
137
137
|
These sections are optional on pre-v0.1.26 snapshots so older fixtures stay
|
|
138
138
|
loadable.
|
|
@@ -151,39 +151,39 @@ worker result / blackboard / coordinator decision
|
|
|
151
151
|
```
|
|
152
152
|
|
|
153
153
|
No daemon, no hidden dashboard, no LLM call. The chain is derived from recorded
|
|
154
|
-
state by `src/evidence-reasoning.ts` and rendered
|
|
154
|
+
state by `src/evidence-reasoning.ts` and rendered when asked for.
|
|
155
155
|
## CLI ↔ MCP Parity (v0.1.27)
|
|
156
156
|
|
|
157
|
-
Every command and tool
|
|
158
|
-
registry (`src/capability-registry.ts`) and
|
|
157
|
+
Every command and tool named above is declared in the v0.1.27 capability
|
|
158
|
+
registry (`src/capability-registry.ts`) and checked by `npm run parity:check`,
|
|
159
159
|
so `cw <cmd> --json` and the matching `cw_<tool>` result render one data source.
|
|
160
160
|
See [cli-mcp-parity.7.md](cli-mcp-parity.7.md).
|
|
161
161
|
|
|
162
162
|
## Run Registry / Control Plane (v0.1.28)
|
|
163
163
|
|
|
164
|
-
The runs
|
|
164
|
+
The runs talked about here are indexed, searchable, resumable, archivable, and
|
|
165
165
|
rerunnable across repos by the v0.1.28 Run Registry / Control Plane, which derives
|
|
166
166
|
a fingerprinted, fail-closed index over the same per-run `.cw/runs/<id>/state.json`
|
|
167
|
-
source
|
|
167
|
+
true source. See [run-registry-control-plane.7.md](run-registry-control-plane.7.md).
|
|
168
168
|
|
|
169
169
|
## Execution Backends (v0.1.29)
|
|
170
170
|
|
|
171
171
|
v0.1.29 lifts execution into a pluggable driver layer: one narrow `ExecutionBackend`
|
|
172
172
|
contract with interchangeable `node`/`bun`/`shell`/`container`/`remote`/`ci`
|
|
173
|
-
drivers,
|
|
173
|
+
drivers, picked by `--backend` (parallel to `--sandbox`) and looked at through
|
|
174
174
|
`backend list|show|probe`. The result/evidence envelope is schema-identical across
|
|
175
175
|
backends; the backend id + sandbox attestation are recorded as provenance, so this
|
|
176
|
-
surface is unchanged
|
|
176
|
+
surface is unchanged no matter which backend ran a run. See
|
|
177
177
|
[execution-backends.7.md](execution-backends.7.md).
|
|
178
178
|
## Web / Desktop Workbench (v0.1.30)
|
|
179
179
|
|
|
180
180
|
v0.1.30 adds the Web / Desktop Workbench: a read-only, localhost-only human
|
|
181
181
|
console that renders this surface (and the other four operator panels — run
|
|
182
182
|
graph, blackboard, worker logs, candidate compare, audit timeline) for any run,
|
|
183
|
-
reading the SAME capability `--json` payloads. It is a THIRD FRONT DOOR
|
|
183
|
+
reading the SAME capability `--json` payloads. It is a THIRD FRONT DOOR next to
|
|
184
184
|
the CLI and MCP that holds no authoritative state and forks no schema: each panel
|
|
185
185
|
equals its `cw <cmd> --json` payload byte-for-byte (parity-gated), and refresh
|
|
186
|
-
|
|
186
|
+
derives everything again from disk. See
|
|
187
187
|
[web-desktop-workbench.7.md](web-desktop-workbench.7.md).
|
|
188
188
|
|
|
189
189
|
## Observability + Cost Accounting (v0.1.31)
|
|
@@ -203,20 +203,20 @@ verbs are parity-gated and render read-only in the v0.1.30 Workbench. See
|
|
|
203
203
|
v0.1.32 adds Team Collaboration: a host-attested actor and append-only
|
|
204
204
|
approvals/rejections/comments/handoffs provenance-linked to a durable target,
|
|
205
205
|
plus a review gate that STACKS ON the verifier gate — required approvals from
|
|
206
|
-
authorized roles,
|
|
207
|
-
and never
|
|
206
|
+
authorized roles, made to hold inside `resolveCommitGate` AFTER the verifier checks
|
|
207
|
+
and never in place of them, failing closed on quorum/authority/self-approval and
|
|
208
208
|
recording who approved the very artifact that shipped. Policy (required approvals,
|
|
209
|
-
authorized roles, self-approval) is data, default
|
|
209
|
+
authorized roles, self-approval) is data, off by default (pre-v0.1.32 behavior
|
|
210
210
|
unchanged). The verbs are parity-gated and render read-only in the v0.1.30
|
|
211
211
|
Workbench. See [Team Collaboration](team-collaboration.7.md).
|
|
212
212
|
|
|
213
213
|
## Release Tooling (v0.1.33)
|
|
214
214
|
|
|
215
|
-
the per-tag mechanical surfaces (version bump across 17 surfaces, feature scaffold, and the forward-reference docs) become deterministic scripts, with a
|
|
215
|
+
the per-tag mechanical surfaces (version bump across 17 surfaces, feature scaffold, and the forward-reference docs) become deterministic scripts, with a release gate that has no repeats. See release-tooling(7).
|
|
216
216
|
|
|
217
217
|
## Real Execution Backend Integrations (v0.1.34)
|
|
218
218
|
|
|
219
|
-
container/remote/ci backends
|
|
219
|
+
container/remote/ci backends truly execute (docker/podman run, remote/CI POST-and-poll) under the sandbox contract, with byte-stable evidence vs node and fail-closed refusal when a runtime/endpoint is not there to use. See real-execution-backends(7).
|
|
220
220
|
|
|
221
221
|
## Node Snapshot / Diff / Replay (v0.1.35)
|
|
222
222
|
|
|
@@ -248,15 +248,15 @@ evidence grounding + durable audit append + symlink-hardened containment + deter
|
|
|
248
248
|
|
|
249
249
|
## Robust Result Ingest (v0.1.42)
|
|
250
250
|
|
|
251
|
-
capture findings/evidence from any
|
|
251
|
+
capture findings/evidence from any agent shape that makes sense (alt keys + prose), CW derives grounded evidence itself, give a warning on empty capture — closes the v0.1.41 live-drive 'accepted with 0 captured' failure
|
|
252
252
|
|
|
253
253
|
## No-False-Green Gate & Launch Prep (v0.1.43)
|
|
254
254
|
|
|
255
|
-
Hard gate
|
|
255
|
+
Hard gate stopping empty-capture verifier-gated commits, plus quickstart and launch-prep docs.
|
|
256
256
|
|
|
257
257
|
## Release-Gate Determinism & Agents Vendor (v0.1.44)
|
|
258
258
|
|
|
259
|
-
Release-readiness checks now
|
|
259
|
+
Release-readiness checks now check the committed blob (`git show HEAD:<path>`) instead of the changeable working tree — taking away false-red/false-green from concurrent working-tree writes (iCloud/Spotlight/editor). Adds the `agents` vendor manifest target: a generated `.agents/plugins/cool-workflow/` adapter giving any non-Claude AI agent one common interface to CW.
|
|
260
260
|
|
|
261
261
|
## P1-P2 Fixes & CI Content Surfaces (v0.1.49)
|
|
262
262
|
|
|
@@ -273,7 +273,11 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
|
|
|
273
273
|
|
|
274
274
|
## Fast Architecture Review (v0.1.80)
|
|
275
275
|
|
|
276
|
-
Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, reusable Map and Assess results,
|
|
276
|
+
Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, reusable Map and Assess results, wrapper metrics you can measure, a background full-review handoff you can act on, and userland model policy flags for routing fast/strong workers without changing the full review contract.
|
|
277
277
|
|
|
278
|
-
_No changes to the Evidence Adoption Reasoning Chain surface in v0.1.81. The v0.1.81 trust-audit `computeEventHash` fix
|
|
278
|
+
_No changes to the Evidence Adoption Reasoning Chain surface in v0.1.81. The v0.1.81 trust-audit `computeEventHash` fix makes the audit records under it that this chain links to by reference stronger, but the derived reasoning view, its commands, and its eval gates are unchanged._
|
|
279
279
|
_No changes in v0.1.82._
|
|
280
|
+
|
|
281
|
+
## Hardening and Onboarding (v0.1.83)
|
|
282
|
+
|
|
283
|
+
Loaders fail closed on corrupt state; store writes are made safe under more than one writer; a new cw doctor checks your setup; help lists every command; and the docs are put into Basic English.
|
|
@@ -17,25 +17,25 @@ node dist/cli.js worker manifest <run-id> <worker-id>
|
|
|
17
17
|
## DESCRIPTION
|
|
18
18
|
|
|
19
19
|
An execution backend is a CW driver: a thin adapter that runs a dispatched
|
|
20
|
-
task/worker somewhere, under the requested sandbox profile, and
|
|
21
|
-
canonical result envelope plus a sandbox attestation. v0.1.29
|
|
22
|
-
out of the kernel into this driver layer.
|
|
20
|
+
task/worker somewhere, under the requested sandbox profile, and keeps a record of
|
|
21
|
+
a canonical result envelope plus a sandbox attestation. v0.1.29 takes execution
|
|
22
|
+
out of the kernel and puts it into this driver layer.
|
|
23
23
|
|
|
24
24
|
The model is a BSD VFS / device-driver layer. There is ONE narrow
|
|
25
|
-
`ExecutionBackend` interface (the mechanism) and many
|
|
25
|
+
`ExecutionBackend` interface (the mechanism) and many drivers you can swap in and out
|
|
26
26
|
(`node`, `bun`, `shell`, `container`, `remote`, `ci`). The kernel —
|
|
27
27
|
orchestrator, dispatch, and pipeline-runner — never learns which backend ran a
|
|
28
|
-
task. WHAT to run and which evidence to
|
|
29
|
-
it runs is the driver's
|
|
28
|
+
task. WHAT to run and which evidence to keep is kernel policy; HOW and WHERE
|
|
29
|
+
it runs is the driver's business.
|
|
30
30
|
|
|
31
31
|
```text
|
|
32
32
|
selected backend -> sandbox attestation -> execution/delegation -> canonical envelope
|
|
33
33
|
```
|
|
34
34
|
|
|
35
|
-
The result envelope, evidence refs, and provenance a task
|
|
35
|
+
The result envelope, evidence refs, and provenance a task makes are
|
|
36
36
|
schema-identical no matter which backend ran it. The backend id and its sandbox
|
|
37
|
-
attestation are
|
|
38
|
-
the v0.1.28 run registry do not care which backend
|
|
37
|
+
attestation are kept AS provenance, so eval/replay, the verifier gates, and
|
|
38
|
+
the v0.1.28 run registry do not care which backend ran a run.
|
|
39
39
|
|
|
40
40
|
## THE CONTRACT
|
|
41
41
|
|
|
@@ -49,69 +49,69 @@ run(request) execute (or delegate) under a sandbox profile and return a
|
|
|
49
49
|
canonical ExecutionResultEnvelope { status, result, evidence, provenance }
|
|
50
50
|
```
|
|
51
51
|
|
|
52
|
-
`run` takes a dispatch/worker manifest plus a
|
|
53
|
-
|
|
54
|
-
(backend id + `SandboxAttestation` + optional delegation handle).
|
|
52
|
+
`run` takes a dispatch/worker manifest plus a fixed sandbox profile and
|
|
53
|
+
gives back `{ result, evidence }` (byte-stable across backends) and `provenance`
|
|
54
|
+
(backend id + `SandboxAttestation` + an optional delegation handle).
|
|
55
55
|
|
|
56
56
|
## THE SANDBOX PROFILE IS THE CONTRACT
|
|
57
57
|
|
|
58
58
|
Every backend MUST honor the five sandbox-profile dimensions: read, write,
|
|
59
|
-
command, network, env. For each dimension a driver
|
|
59
|
+
command, network, env. For each dimension a driver says it does one of:
|
|
60
60
|
|
|
61
61
|
`enforce`
|
|
62
|
-
: the driver
|
|
62
|
+
: the driver itself limits the dimension at execution time.
|
|
63
63
|
|
|
64
64
|
`attest`
|
|
65
|
-
: the driver
|
|
66
|
-
enforce it (
|
|
65
|
+
: the driver keeps a claim you can check, but it is up to the host/runner to
|
|
66
|
+
enforce it (this is the same split as the existing `sandbox.hostRequired`).
|
|
67
67
|
|
|
68
68
|
`unsupported`
|
|
69
|
-
: the driver can
|
|
69
|
+
: the driver can not enforce it or attest it.
|
|
70
70
|
|
|
71
|
-
A profile
|
|
71
|
+
A profile needs a dimension when it limits it (`command` when
|
|
72
72
|
`execute.mode != any`, `network` when `network.mode != any`, `env` when
|
|
73
|
-
`env.inherit` is false; read/write are always bounded). If a
|
|
74
|
-
is `unsupported`, or the backend is not ready, or the
|
|
75
|
-
|
|
76
|
-
attestation whose `status` is `refused`. It never
|
|
73
|
+
`env.inherit` is false; read/write are always bounded). If a needed dimension
|
|
74
|
+
is `unsupported`, or the backend is not ready, or the profile says no to the
|
|
75
|
+
command, the backend FAILS CLOSED: `run` returns `status: "refused"` with an
|
|
76
|
+
attestation whose `status` is `refused`. It never quietly drops down to an
|
|
77
77
|
unsandboxed execution.
|
|
78
78
|
|
|
79
79
|
## DRIVERS
|
|
80
80
|
|
|
81
81
|
`node` (default)
|
|
82
|
-
:
|
|
82
|
+
: Does pre-v0.1.29 behavior exactly. The host runs the worker in-process
|
|
83
83
|
under CW's worker-output acceptance (a delegate-host execution). When it
|
|
84
|
-
|
|
84
|
+
runs a command it enforces command + env through the Node child process and
|
|
85
85
|
attests read/write/network to the host.
|
|
86
86
|
|
|
87
87
|
`bun`
|
|
88
|
-
: Node-compatible by default, Bun-friendly.
|
|
89
|
-
runtime so evidence is byte-stable with `node`, and attests Bun
|
|
88
|
+
: Node-compatible by default, Bun-friendly. Runs through the Node-compatible
|
|
89
|
+
runtime so evidence is byte-stable with `node`, and attests that Bun is there
|
|
90
90
|
in provenance. Enforces command + env; attests read/write/network.
|
|
91
91
|
|
|
92
92
|
`shell`
|
|
93
|
-
: Runs a command/worker
|
|
93
|
+
: Runs a command/worker through the system shell (`/bin/sh -c`) under the sandbox
|
|
94
94
|
contract. Enforces command + env; attests read/write/network.
|
|
95
95
|
|
|
96
96
|
`container`
|
|
97
|
-
: Delegates to a container runtime (docker/podman) and
|
|
97
|
+
: Delegates to a container runtime (docker/podman) and keeps the
|
|
98
98
|
`image@digest` handle + attestation + result. A container can enforce all
|
|
99
|
-
five dimensions. Fails closed when no image
|
|
99
|
+
five dimensions. Fails closed when you give no image.
|
|
100
100
|
|
|
101
101
|
`remote`
|
|
102
|
-
: Delegates to a remote runner and
|
|
103
|
-
attestation + result. Fails closed when no endpoint is
|
|
102
|
+
: Delegates to a remote runner and keeps the endpoint + job handle +
|
|
103
|
+
attestation + result. Fails closed when no endpoint is set
|
|
104
104
|
(`CW_REMOTE_ENDPOINT` or `--endpoint`).
|
|
105
105
|
|
|
106
106
|
`ci`
|
|
107
|
-
: Delegates to a CI runner and
|
|
108
|
-
Fails closed when no CI job target is
|
|
107
|
+
: Delegates to a CI runner and keeps the job handle + attestation + result.
|
|
108
|
+
Fails closed when no CI job target is set (`CW_CI_ENDPOINT` or
|
|
109
109
|
`--job`).
|
|
110
110
|
|
|
111
111
|
CW DELEGATES; IT DOES NOT BECOME THE EXECUTOR. The local drivers run a thin
|
|
112
|
-
child process to
|
|
113
|
-
container/remote/ci drivers delegate and
|
|
114
|
-
result; they never
|
|
112
|
+
child process to take in evidence you can check (exit code + an output digest). The
|
|
113
|
+
container/remote/ci drivers delegate and keep a handle + attestation +
|
|
114
|
+
result; they never build a container runtime or a CI system over again.
|
|
115
115
|
|
|
116
116
|
## SELECTION
|
|
117
117
|
|
|
@@ -121,17 +121,17 @@ Backend selection parallels `--sandbox`:
|
|
|
121
121
|
--backend <id> (flag) > CW_BACKEND (env) > node (default)
|
|
122
122
|
```
|
|
123
123
|
|
|
124
|
-
Selection is
|
|
125
|
-
manifest, the RunDispatch) and
|
|
126
|
-
record's `backends` field. A per-task `backendId`
|
|
127
|
-
`backend list|show|probe` and the `--backend` flag are
|
|
128
|
-
`src/capability-registry.ts`, so `cw <cmd> --json` and `cw_<cmd>`
|
|
129
|
-
data source and
|
|
124
|
+
Selection is kept in run state (dispatch manifest, worker scope, worker
|
|
125
|
+
manifest, the RunDispatch) and shown in the v0.1.28 run registry as the
|
|
126
|
+
record's `backends` field. A per-task `backendId` takes the place of the run default.
|
|
127
|
+
`backend list|show|probe` and the `--backend` flag are set out once in
|
|
128
|
+
`src/capability-registry.ts`, so `cw <cmd> --json` and `cw_<cmd>` use one
|
|
129
|
+
data source and get past the v0.1.27 parity gate.
|
|
130
130
|
|
|
131
131
|
## EVIDENCE PARITY
|
|
132
132
|
|
|
133
|
-
The canonical evidence a local driver
|
|
134
|
-
backend
|
|
133
|
+
The canonical evidence a local driver keeps for a command run does not depend on the
|
|
134
|
+
backend:
|
|
135
135
|
|
|
136
136
|
```text
|
|
137
137
|
command:<command + args>
|
|
@@ -140,10 +140,10 @@ stdoutSha256:sha256:<hex>
|
|
|
140
140
|
```
|
|
141
141
|
|
|
142
142
|
Running CW's own self-verify (`node dist/cli.js list`) through `node`, `shell`,
|
|
143
|
-
and `bun`
|
|
144
|
-
`provenance.backendId` (and the attestation detail)
|
|
143
|
+
and `bun` gives byte-identical `result` and `evidence`; only
|
|
144
|
+
`provenance.backendId` (and the attestation detail) is not the same. The
|
|
145
145
|
`test/execution-backends-smoke.js` gate proves this, proves the fail-closed
|
|
146
|
-
refusals, proves the
|
|
146
|
+
refusals, proves the kept provenance and delegation handles, and proves the
|
|
147
147
|
verifier/registry stay backend-agnostic.
|
|
148
148
|
|
|
149
149
|
## ATTESTATION SHAPE
|
|
@@ -164,7 +164,7 @@ verifier/registry stay backend-agnostic.
|
|
|
164
164
|
}
|
|
165
165
|
```
|
|
166
166
|
|
|
167
|
-
A delegating driver
|
|
167
|
+
A delegating driver also keeps `handle` (for example
|
|
168
168
|
`{ "kind": "container", "ref": "img@sha256:..." }`).
|
|
169
169
|
|
|
170
170
|
## FILES
|
|
@@ -179,23 +179,23 @@ A delegating driver additionally records `handle` (e.g.
|
|
|
179
179
|
|
|
180
180
|
## FAILURE MODES
|
|
181
181
|
|
|
182
|
-
|
|
182
|
+
Backends it does not know fail closed with `backend-not-found` (CLI/dispatch/`CW_BACKEND`).
|
|
183
183
|
|
|
184
184
|
`run` returns `status: "refused"` with `attestation.status: "refused"` when:
|
|
185
185
|
|
|
186
|
-
- the
|
|
187
|
-
- a
|
|
186
|
+
- the sandbox profile says no to the command (`sandbox-command-denied`),
|
|
187
|
+
- a needed sandbox dimension is `unsupported` (`sandbox-unenforceable`),
|
|
188
188
|
- a local backend is not ready (`backend-not-ready`),
|
|
189
189
|
- a delegating backend has no delegation target (`delegation-target-missing`).
|
|
190
190
|
|
|
191
|
-
CW never
|
|
192
|
-
unsandboxed when the
|
|
191
|
+
CW never quietly drops down a backend you asked for, and never runs a task
|
|
192
|
+
unsandboxed when it can not honor the profile you asked for.
|
|
193
193
|
|
|
194
194
|
## COMPATIBILITY
|
|
195
195
|
|
|
196
|
-
Execution Backends
|
|
197
|
-
|
|
198
|
-
working and old run state loads unchanged (the backend fields are
|
|
196
|
+
Execution Backends come in with CW v0.1.29. The default (`node`) backend
|
|
197
|
+
does pre-v0.1.29 behavior exactly; runs with no backend picked keep
|
|
198
|
+
working and old run state loads unchanged (the backend fields are added on and
|
|
199
199
|
optional). The `ResultEnvelope` schema (`summary`, `findings`, `evidence`) is
|
|
200
200
|
unchanged — the backend id and attestation live in provenance and run state,
|
|
201
201
|
never in the result envelope.
|
|
@@ -208,23 +208,23 @@ run-registry-control-plane(7), security-trust-hardening(7)
|
|
|
208
208
|
## Web / Desktop Workbench (v0.1.30)
|
|
209
209
|
|
|
210
210
|
v0.1.30 adds the Web / Desktop Workbench: a read-only, localhost-only human
|
|
211
|
-
console that
|
|
211
|
+
console that shows this surface (and the other four operator panels — run
|
|
212
212
|
graph, blackboard, worker logs, candidate compare, audit timeline) for any run,
|
|
213
|
-
reading the SAME capability `--json` payloads. It is a THIRD FRONT DOOR
|
|
214
|
-
the CLI and MCP that
|
|
215
|
-
|
|
216
|
-
|
|
213
|
+
reading the SAME capability `--json` payloads. It is a THIRD FRONT DOOR next to
|
|
214
|
+
the CLI and MCP that keeps no authoritative state and forks no schema: each panel
|
|
215
|
+
is the same as its `cw <cmd> --json` payload byte-for-byte (parity-gated), and refresh
|
|
216
|
+
works everything out from disk over again. See
|
|
217
217
|
[web-desktop-workbench.7.md](web-desktop-workbench.7.md).
|
|
218
218
|
|
|
219
219
|
## Observability + Cost Accounting (v0.1.31)
|
|
220
220
|
|
|
221
221
|
v0.1.31 adds Observability + Cost Accounting: `metrics show`/`metrics summary`
|
|
222
|
-
|
|
222
|
+
work out durations, failure/verifier/acceptance rates (with sample counts and
|
|
223
223
|
fail-closed `n/a`), and host-attested token/cost from existing durable run state
|
|
224
|
-
— no metrics database, no collector daemon, no hidden counter. Usage is
|
|
225
|
-
and optional (
|
|
226
|
-
× a
|
|
227
|
-
verbs are parity-gated and
|
|
224
|
+
— no metrics database, no collector daemon, no hidden counter. Usage is added on
|
|
225
|
+
and optional (when not there ⇒ `unreported`, never 0); cost is `attested` (attested usage
|
|
226
|
+
× a kept pricing policy) or clearly `estimated`, with pricing as policy. Both
|
|
227
|
+
verbs are parity-gated and show read-only in the v0.1.30 Workbench. See
|
|
228
228
|
[observability-cost-accounting.7.md](observability-cost-accounting.7.md).
|
|
229
229
|
|
|
230
230
|
|
|
@@ -232,25 +232,25 @@ verbs are parity-gated and render read-only in the v0.1.30 Workbench. See
|
|
|
232
232
|
|
|
233
233
|
v0.1.32 adds Team Collaboration: a host-attested actor and append-only
|
|
234
234
|
approvals/rejections/comments/handoffs provenance-linked to a durable target,
|
|
235
|
-
plus a review gate that STACKS ON the verifier gate —
|
|
235
|
+
plus a review gate that STACKS ON the verifier gate — needed approvals from
|
|
236
236
|
authorized roles, enforced inside `resolveCommitGate` AFTER the verifier checks
|
|
237
|
-
and never
|
|
238
|
-
|
|
237
|
+
and never in place of them, failing closed on quorum/authority/self-approval and
|
|
238
|
+
keeping a record of who approved the very artifact that went out. Policy (required approvals,
|
|
239
239
|
authorized roles, self-approval) is data, default off (pre-v0.1.32 behavior
|
|
240
|
-
unchanged). The verbs are parity-gated and
|
|
240
|
+
unchanged). The verbs are parity-gated and show read-only in the v0.1.30
|
|
241
241
|
Workbench. See [Team Collaboration](team-collaboration.7.md).
|
|
242
242
|
|
|
243
243
|
## Release Tooling (v0.1.33)
|
|
244
244
|
|
|
245
|
-
the per-tag mechanical surfaces (version bump across 17 surfaces, feature scaffold, and the forward-reference docs) become deterministic scripts, with a
|
|
245
|
+
the per-tag mechanical surfaces (version bump across 17 surfaces, feature scaffold, and the forward-reference docs) become deterministic scripts, with a release gate that has no copies in it. See release-tooling(7).
|
|
246
246
|
|
|
247
247
|
## Real Execution Backend Integrations (v0.1.34)
|
|
248
248
|
|
|
249
|
-
container/remote/ci backends
|
|
249
|
+
container/remote/ci backends truly run (docker/podman run, remote/CI POST-and-poll) under the sandbox contract, with byte-stable evidence vs node and fail-closed refusal when a runtime/endpoint is not there to use. See real-execution-backends(7).
|
|
250
250
|
|
|
251
251
|
## Node Snapshot / Diff / Replay (v0.1.35)
|
|
252
252
|
|
|
253
|
-
per-node snapshot, structural diff, and isolated deterministic replay over StateNode,
|
|
253
|
+
per-node snapshot, structural diff, and isolated deterministic replay over StateNode, using the v0.1.23 eval harness over again; fail-closed on source drift (valid|stale|absent). See node-snapshot-diff-replay(7).
|
|
254
254
|
|
|
255
255
|
## Contract Migration Tooling (v0.1.36)
|
|
256
256
|
|
|
@@ -262,11 +262,11 @@ priority + concurrency limits + lease lifecycle + retry/backoff + fail-closed pa
|
|
|
262
262
|
|
|
263
263
|
## Agent Delegation Drive (v0.1.38)
|
|
264
264
|
|
|
265
|
-
spawn an
|
|
265
|
+
spawn an outside agent process per worker, take in result.md + attestation, auto-drive plan->dispatch->fulfill->accept->commit
|
|
266
266
|
|
|
267
267
|
## Run Retention & Provable Reclamation (v0.1.39)
|
|
268
268
|
|
|
269
|
-
tiered, append-only, cryptographically-verifiable run reclamation: seal the audit skeleton, free the
|
|
269
|
+
tiered, append-only, cryptographically-verifiable run reclamation: seal the audit skeleton, free the bulk that can be built again, prove it
|
|
270
270
|
|
|
271
271
|
## Durable State & Locking (v0.1.40)
|
|
272
272
|
|
|
@@ -278,15 +278,15 @@ evidence grounding + durable audit append + symlink-hardened containment + deter
|
|
|
278
278
|
|
|
279
279
|
## Robust Result Ingest (v0.1.42)
|
|
280
280
|
|
|
281
|
-
|
|
281
|
+
take in findings/evidence from any sensible agent shape (alt keys + prose), CW works out grounded evidence itself, give a warning on empty capture — closes the v0.1.41 live-drive 'accepted with 0 captured' failure
|
|
282
282
|
|
|
283
283
|
## No-False-Green Gate & Launch Prep (v0.1.43)
|
|
284
284
|
|
|
285
|
-
Hard gate
|
|
285
|
+
Hard gate stopping empty-capture verifier-gated commits, plus quickstart and launch-prep docs.
|
|
286
286
|
|
|
287
287
|
## Release-Gate Determinism & Agents Vendor (v0.1.44)
|
|
288
288
|
|
|
289
|
-
Release-readiness checks now
|
|
289
|
+
Release-readiness checks now check the committed blob (`git show HEAD:<path>`) in place of the mutable working tree — doing away with false-red/false-green from working-tree writes at the same time (iCloud/Spotlight/editor). Adds the `agents` vendor manifest target: a generated `.agents/plugins/cool-workflow/` adapter that gives any non-Claude AI agent one common interface to CW.
|
|
290
290
|
|
|
291
291
|
## P1-P2 Fixes & CI Content Surfaces (v0.1.49)
|
|
292
292
|
|
|
@@ -303,7 +303,11 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
|
|
|
303
303
|
|
|
304
304
|
## Fast Architecture Review (v0.1.80)
|
|
305
305
|
|
|
306
|
-
Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports,
|
|
306
|
+
Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, Map and Assess results you can use again, wrapper metrics you can measure, a background full-review handoff you can act on, and userland model policy flags for routing fast/strong workers without changing the full review contract.
|
|
307
307
|
|
|
308
308
|
_No changes to the execution-backends surface in v0.1.81._
|
|
309
|
-
_No behavioral change in v0.1.82 (the delegated child programs moved from inline `node -e` strings to `scripts/children/`; spawn argv and shell:false behavior are byte
|
|
309
|
+
_No behavioral change in v0.1.82 (the delegated child programs moved from inline `node -e` strings to `scripts/children/`; spawn argv and shell:false behavior are the same byte for byte)._
|
|
310
|
+
|
|
311
|
+
## Hardening and Onboarding (v0.1.83)
|
|
312
|
+
|
|
313
|
+
Loaders fail closed on corrupt state; store writes are made safe under more than one writer; a new cw doctor checks your setup; help lists every command; and the docs are put into Basic English.
|