cool-workflow 0.1.82 → 0.1.84
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.claude-plugin/plugin.json +2 -2
- package/.codex-plugin/plugin.json +4 -4
- package/README.md +128 -120
- package/apps/architecture-review/app.json +1 -1
- package/apps/architecture-review-fast/app.json +1 -1
- package/apps/end-to-end-golden-path/app.json +1 -1
- package/apps/pr-review-fix-ci/app.json +1 -1
- package/apps/release-cut/app.json +1 -1
- package/apps/research-synthesis/app.json +1 -1
- package/dist/capability-core.js +16 -8
- package/dist/capability-registry.js +270 -0
- package/dist/cli/command-surface.js +1320 -0
- package/dist/cli.js +2 -1307
- package/dist/commit.js +5 -1
- package/dist/doctor.js +153 -0
- package/dist/mcp-server.js +15 -1451
- package/dist/mcp-surface.js +1441 -0
- package/dist/orchestrator.js +13 -0
- package/dist/reclamation/hash.js +72 -0
- package/dist/reclamation.js +25 -78
- package/dist/run-registry/queue.js +6 -7
- package/dist/run-registry.js +35 -24
- package/dist/scheduler.js +78 -53
- package/dist/version.js +1 -1
- package/dist/worker-accept/acceptance.js +114 -0
- package/dist/worker-accept/blackboard-fanout.js +80 -0
- package/dist/worker-accept/blackboard-linkage.js +19 -0
- package/dist/worker-accept/context.js +2 -0
- package/dist/worker-accept/telemetry-ledger.js +116 -0
- package/dist/worker-accept/validation.js +77 -0
- package/dist/worker-accept/verifier-completion.js +73 -0
- package/dist/worker-isolation.js +41 -446
- package/docs/agent-delegation-drive.7.md +94 -86
- package/docs/agent-framework.md +33 -32
- package/docs/candidate-scoring.7.md +26 -24
- package/docs/canonical-workflow-apps.7.md +40 -40
- package/docs/capability-topology-registry.7.md +24 -24
- package/docs/cli-mcp-parity.7.md +230 -154
- package/docs/contract-migration-tooling.7.md +52 -41
- package/docs/control-plane-scheduling.7.md +49 -41
- package/docs/coordinator-blackboard.7.md +30 -30
- package/docs/dogfood-one-real-repo.7.md +44 -44
- package/docs/durable-state-and-locking.7.md +38 -30
- package/docs/end-to-end-golden-path.7.md +29 -29
- package/docs/error-feedback.7.md +27 -27
- package/docs/evidence-adoption-reasoning-chain.7.md +66 -58
- package/docs/execution-backends.7.md +88 -80
- package/docs/getting-started.md +35 -18
- package/docs/index.md +3 -3
- package/docs/mcp-app-surface.7.md +64 -64
- package/docs/multi-agent-cli-mcp-surface.7.md +86 -77
- package/docs/multi-agent-eval-replay-harness.7.md +63 -55
- package/docs/multi-agent-operator-ux.7.md +73 -65
- package/docs/multi-agent-runtime-core.7.md +39 -39
- package/docs/multi-agent-topologies.7.md +24 -24
- package/docs/multi-agent-trust-policy-audit.7.md +38 -38
- package/docs/node-snapshot-diff-replay.7.md +30 -22
- package/docs/observability-cost-accounting.7.md +53 -45
- package/docs/operator-ux.7.md +30 -30
- package/docs/pipeline-runner.7.md +31 -31
- package/docs/project-index.md +16 -5
- package/docs/real-execution-backends.7.md +51 -43
- package/docs/release-and-migration.7.md +46 -38
- package/docs/release-tooling.7.md +67 -50
- package/docs/routines.md +16 -16
- package/docs/run-registry-control-plane.7.md +124 -116
- package/docs/run-retention-reclamation.7.md +49 -41
- package/docs/sandbox-profiles.7.md +32 -32
- package/docs/scheduled-tasks.md +14 -14
- package/docs/security-trust-hardening.7.md +29 -29
- package/docs/source-context-profiles.7.md +28 -28
- package/docs/state-explosion-management.7.md +67 -59
- package/docs/state-node.7.md +8 -8
- package/docs/team-collaboration.7.md +66 -58
- package/docs/trust-model.md +126 -126
- package/docs/unix-principles.md +80 -80
- package/docs/vendor-manifest-loadability.7.md +20 -20
- package/docs/verifier-gated-commit.7.md +16 -16
- package/docs/web-desktop-workbench.7.md +73 -65
- package/docs/worker-isolation.7.md +34 -37
- package/docs/workflow-app-framework.7.md +38 -38
- package/manifest/plugin.manifest.json +4 -4
- package/package.json +3 -2
- package/scripts/bump-version.js +9 -1
- package/scripts/canonical-apps.js +4 -4
- package/scripts/dogfood-release.js +1 -1
- package/scripts/gen-parity-doc.js +106 -0
- package/scripts/golden-path.js +4 -4
- package/scripts/parity-check.js +27 -57
- package/scripts/release-flow.js +7 -6
- package/scripts/sync-project-index.js +1 -1
- package/dist/verifier-registry.js +0 -46
|
@@ -1,9 +1,9 @@
|
|
|
1
1
|
# Dogfood One Real Repo
|
|
2
2
|
|
|
3
|
-
CW v0.1.16
|
|
4
|
-
repository. The
|
|
5
|
-
worker outputs, scores a release candidate,
|
|
6
|
-
evidence,
|
|
3
|
+
CW v0.1.16 tests the release workflow against the real Cool Workflow
|
|
4
|
+
repository. The test uses the canonical `release-cut` app, keeps a record of
|
|
5
|
+
separate worker outputs, scores a release candidate, picks it only with verifier
|
|
6
|
+
evidence, makes a verifier-gated CW state commit, and shows trust audit
|
|
7
7
|
provenance.
|
|
8
8
|
|
|
9
9
|
## Dry-Run Command
|
|
@@ -15,7 +15,7 @@ cd plugins/cool-workflow
|
|
|
15
15
|
npm run dogfood:release
|
|
16
16
|
```
|
|
17
17
|
|
|
18
|
-
The command
|
|
18
|
+
The command points at the repository two directories above the package, uses
|
|
19
19
|
`release-cut`, sets `version=0.1.18`, `previousVersion=0.1.17`, the current git
|
|
20
20
|
branch, and `dryRun=true`. It writes a machine-readable summary to:
|
|
21
21
|
|
|
@@ -23,13 +23,13 @@ branch, and `dryRun=true`. It writes a machine-readable summary to:
|
|
|
23
23
|
.cw/runs/<run-id>/dogfood-summary.json
|
|
24
24
|
```
|
|
25
25
|
|
|
26
|
-
The summary
|
|
26
|
+
The summary has the run id, report path, audit summary path, provenance
|
|
27
27
|
counts, worker ids, candidate id, score id, selection id, commit or checkpoint
|
|
28
28
|
id, command log paths, and the release verdict.
|
|
29
29
|
|
|
30
30
|
## Real Evidence
|
|
31
31
|
|
|
32
|
-
The full dry-run
|
|
32
|
+
The full dry-run gets real repository evidence from:
|
|
33
33
|
|
|
34
34
|
```bash
|
|
35
35
|
git status --short --branch
|
|
@@ -44,8 +44,8 @@ npm run release:check
|
|
|
44
44
|
npm pack --dry-run --json
|
|
45
45
|
```
|
|
46
46
|
|
|
47
|
-
Each command log is written under the worker `logs/` directory and
|
|
48
|
-
worker `cw:result` evidence array. The release verdict worker
|
|
47
|
+
Each command log is written under the worker `logs/` directory and named in the
|
|
48
|
+
worker `cw:result` evidence array. The release verdict worker takes the full
|
|
49
49
|
set of command locators into the release candidate, score, selection, and
|
|
50
50
|
commit/checkpoint provenance.
|
|
51
51
|
|
|
@@ -72,14 +72,14 @@ node scripts/cw.js audit provenance <run-id> --candidate dogfood-release-0.1.18
|
|
|
72
72
|
node scripts/cw.js audit provenance <run-id> --commit <commit-id>
|
|
73
73
|
```
|
|
74
74
|
|
|
75
|
-
The report
|
|
76
|
-
host attestations, evidence provenance, candidate scoring, acceptance
|
|
75
|
+
The report tells why the candidate is trusted by showing sandbox profiles,
|
|
76
|
+
host attestations, evidence provenance, candidate scoring, acceptance reasons,
|
|
77
77
|
and the verifier-gated commit.
|
|
78
78
|
|
|
79
|
-
The dogfood command
|
|
80
|
-
MCP tool because it
|
|
79
|
+
The dogfood command stays a local release-engineering script and not a new
|
|
80
|
+
MCP tool because it is built from existing first-class CW capabilities: `release-cut`
|
|
81
81
|
planning, dispatch, worker manifests/output, candidate scoring/selection,
|
|
82
|
-
commits, reports, and audit/provenance. MCP parity is
|
|
82
|
+
commits, reports, and audit/provenance. MCP parity is kept for the
|
|
83
83
|
inspectable state through the existing worker, candidate, commit, operator
|
|
84
84
|
report, and audit tools.
|
|
85
85
|
|
|
@@ -91,14 +91,14 @@ report, and audit tools.
|
|
|
91
91
|
node test/dogfood-release-smoke.js
|
|
92
92
|
```
|
|
93
93
|
|
|
94
|
-
The smoke test
|
|
94
|
+
The smoke test runs `scripts/dogfood-release.js --smoke --json`. It still
|
|
95
95
|
uses the real repository, `release-cut`, worker manifests, trust audit records,
|
|
96
96
|
candidate scoring, selection, verifier-gated commit, and a report, but keeps the
|
|
97
|
-
command set smaller
|
|
97
|
+
command set smaller so it does not do recursive release checking.
|
|
98
98
|
|
|
99
99
|
## Promote To Real Release Actions
|
|
100
100
|
|
|
101
|
-
Dry-run mode never
|
|
101
|
+
Dry-run mode never makes tags, pushes, puts out packages, or changes a
|
|
102
102
|
marketplace. Real actions are separate maintainer commands after the dogfood
|
|
103
103
|
run passes:
|
|
104
104
|
|
|
@@ -110,42 +110,42 @@ git tag v0.1.18
|
|
|
110
110
|
git push origin main --tags
|
|
111
111
|
```
|
|
112
112
|
|
|
113
|
-
Package publish and plugin marketplace updates should be separate
|
|
114
|
-
steps. If
|
|
115
|
-
`--execute --tag --confirm-release-actions=0.1.18`. The script
|
|
116
|
-
push, or publish flags in dry-run mode and
|
|
113
|
+
Package publish and plugin marketplace updates should be separate, clear
|
|
114
|
+
steps. If execute flags are used later, they must be stated openly, for example
|
|
115
|
+
`--execute --tag --confirm-release-actions=0.1.18`. The script says no to tag,
|
|
116
|
+
push, or publish flags in dry-run mode and says no to execute mode without the
|
|
117
117
|
target-version confirmation.
|
|
118
118
|
|
|
119
119
|
## Safety Gates
|
|
120
120
|
|
|
121
|
-
The dogfood command holds the candidate and writes
|
|
122
|
-
any evidence command fails, version sync is
|
|
123
|
-
missing, audit records are
|
|
124
|
-
selected candidate
|
|
125
|
-
verifier-gated commit
|
|
126
|
-
profile, worker, and acceptance
|
|
121
|
+
The dogfood command holds the candidate and writes a clear checkpoint if
|
|
122
|
+
any evidence command fails, version sync is not complete, release docs are
|
|
123
|
+
missing, audit records are not there, or verifier evidence is not present. A
|
|
124
|
+
selected candidate needs score evidence and a verified verifier node; a
|
|
125
|
+
verifier-gated commit needs the selected candidate, score, evidence, sandbox
|
|
126
|
+
profile, worker, and acceptance reasons.
|
|
127
127
|
|
|
128
|
-
This is
|
|
128
|
+
This is release engineering made dull on purpose: local-first, inspectable,
|
|
129
129
|
scriptable, and fail-closed.
|
|
130
130
|
|
|
131
131
|
## Architecture-Review Agent-Delegation Dogfood (v0.1.38)
|
|
132
132
|
|
|
133
133
|
`scripts/dogfood-architecture-review.js` dogfoods the v0.1.38 Agent Delegation
|
|
134
|
-
Drive: the `architecture-review` app driven end
|
|
135
|
-
with
|
|
134
|
+
Drive: the `architecture-review` app driven from end to end by the `agent` backend,
|
|
135
|
+
with no hand-written `result.md` at all.
|
|
136
136
|
|
|
137
|
-
It
|
|
137
|
+
It is cut into two halves, just like the release dogfood above:
|
|
138
138
|
|
|
139
139
|
- **`--smoke` (CI-verifiable).** A hermetic STUB agent (no live binary, no second
|
|
140
140
|
repo, no network, no model SDK) drives the real app to a committed audited
|
|
141
|
-
report. `node scripts/dogfood-architecture-review.js --smoke --json`
|
|
141
|
+
report. `node scripts/dogfood-architecture-review.js --smoke --json` gives back
|
|
142
142
|
`{ ok: true, mode: "smoke" }` with a `reportPath` and `auditSummaryPath` that
|
|
143
|
-
|
|
144
|
-
>= 1`. This is
|
|
143
|
+
are there, the Verdict node accepted, and `audit.byKind["worker.agent-delegation"]
|
|
144
|
+
>= 1`. This is checked under `npm test` (`test/dogfood-release-smoke.js`).
|
|
145
145
|
|
|
146
|
-
- **Live full-drive (MAINTAINER-RUN, OUT OF CI).** With a REAL
|
|
146
|
+
- **Live full-drive (MAINTAINER-RUN, OUT OF CI).** With a REAL set-up agent
|
|
147
147
|
(`CW_AGENT_COMMAND`, e.g. `claude -p {{input}}` / `codex exec`, or
|
|
148
|
-
`--agent-command`) against ONE real
|
|
148
|
+
`--agent-command`) against ONE real outside repository:
|
|
149
149
|
|
|
150
150
|
```bash
|
|
151
151
|
CW_AGENT_COMMAND="claude -p {{input}}" \
|
|
@@ -154,15 +154,15 @@ It splits into two halves, exactly like the release dogfood above:
|
|
|
154
154
|
```
|
|
155
155
|
|
|
156
156
|
This drives plan → dispatch → agent-fulfill → accept/verify → commit for every
|
|
157
|
-
worker the planner emits,
|
|
158
|
-
a `docs/dogfood/architecture-review-<repo>.md` provenance note
|
|
159
|
-
name and the agent-REPORTED model id. It
|
|
157
|
+
worker the planner emits, makes the committed audited risk report, and writes
|
|
158
|
+
a `docs/dogfood/architecture-review-<repo>.md` provenance note that keeps the repo
|
|
159
|
+
name and the agent-REPORTED model id. It needs a live outside agent binary
|
|
160
160
|
and a second repository, which CI cannot have (CI is node/npm/git-only and
|
|
161
|
-
hermetic), so it is **explicitly OUT of CI** — a maintainer
|
|
162
|
-
|
|
163
|
-
|
|
161
|
+
hermetic), so it is **explicitly OUT of CI** — a maintainer step run out-of-band,
|
|
162
|
+
just like the "Promote To Real Release Actions" above. The CI/release gate is
|
|
163
|
+
only the stub `--smoke` path.
|
|
164
164
|
|
|
165
|
-
The model runs in the
|
|
166
|
-
|
|
165
|
+
The model runs in the outside agent's process, never inside CW: this script
|
|
166
|
+
starts the agent and records its attested output; it brings in no model SDK and
|
|
167
167
|
holds no API key.
|
|
168
168
|
0.1.51
|
|
@@ -1,81 +1,81 @@
|
|
|
1
1
|
# Durable State & Locking
|
|
2
2
|
|
|
3
|
-
CW v0.1.40
|
|
3
|
+
CW v0.1.40 fixes the durability gaps its own architecture self-audit found:
|
|
4
4
|
every authoritative write is now **atomic**, the audit-essential ones are
|
|
5
5
|
**fsync-durable**, and the cross-process read-modify-write stores are
|
|
6
6
|
**lock-serialized**. This is the hardening half of Run Retention & Provable
|
|
7
7
|
Reclamation (v0.1.39) — the reclamation transaction was already write-ahead, but
|
|
8
|
-
the kernel persistence primitive
|
|
9
|
-
non-atomic in-place `fs.writeFileSync`, the
|
|
8
|
+
the kernel persistence primitive under it (`state.ts:writeJson`) was a
|
|
9
|
+
non-atomic in-place `fs.writeFileSync`, the #1 P1 from the last verdict. That is now
|
|
10
10
|
fixed for the whole control plane, not just the tombstone.
|
|
11
11
|
|
|
12
12
|
## Atomic writes — order is the safety property
|
|
13
13
|
|
|
14
14
|
`writeJson(file, value, { durable? })` writes to a unique temp file and then
|
|
15
15
|
`rename(2)`s it over the target. Because rename is atomic on POSIX, a crash,
|
|
16
|
-
`SIGKILL`, or `ENOSPC`
|
|
16
|
+
`SIGKILL`, or `ENOSPC` part-way through a write can never leave a cut-short `state.json` that
|
|
17
17
|
throws `Invalid JSON` on reload — a reader always sees **EITHER the old bytes OR
|
|
18
|
-
the new bytes**, never a torn file. A failed rename
|
|
18
|
+
the new bytes**, never a torn file. A failed rename clears away its temp file, so no
|
|
19
19
|
half-written artifact is ever left behind.
|
|
20
20
|
|
|
21
|
-
With `{ durable: true }` the file is
|
|
22
|
-
|
|
23
|
-
|
|
21
|
+
With `{ durable: true }` the file is also `fsync`'d (and its directory
|
|
22
|
+
`fsync`'d as best it can) before the write counts as done, so the bytes
|
|
23
|
+
live through power loss. Durability is kept for **authoritative** state — `state.json`
|
|
24
24
|
(`saveCheckpoint`), the registry overlays (`archive.json`, `provenance.json`, the
|
|
25
25
|
home queue, `repos.json`), the scheduler store, and the reclamation `reclaimed.json`
|
|
26
26
|
— while high-frequency, rebuildable derived writes (node bodies, worker manifests,
|
|
27
|
-
the registry index) stay atomic-but-not-fsync'd so the cheap torn-write fix
|
|
27
|
+
the registry index) stay atomic-but-not-fsync'd so the cheap torn-write fix is used
|
|
28
28
|
everywhere without the fsync cost on the hot path.
|
|
29
29
|
|
|
30
30
|
## Locking — serialize the cross-process read-modify-write
|
|
31
31
|
|
|
32
32
|
The home queue (`queueAdd`/`queueDrain`), the archive overlay, the repos registry,
|
|
33
|
-
and the per-run reclamation chain are read-modify-write stores
|
|
33
|
+
and the per-run reclamation chain are read-modify-write stores changed by more than
|
|
34
34
|
one process (the long-running scheduler daemon and the CLI both touch the queue).
|
|
35
|
-
`withFileLock(targetPath, fn)` runs `fn` while
|
|
35
|
+
`withFileLock(targetPath, fn)` runs `fn` while it holds a portable advisory lock:
|
|
36
36
|
|
|
37
|
-
- **Portable** — an `O_EXCL` (`wx`) lockfile
|
|
38
|
-
so it works
|
|
39
|
-
- **Stale-stealing** — a lock older than the steal window (30 s) is
|
|
40
|
-
crashed holder can never
|
|
37
|
+
- **Portable** — an `O_EXCL` (`wx`) lockfile next to the target; no native `flock(2)`,
|
|
38
|
+
so it works the same way under CI (node/npm/git only).
|
|
39
|
+
- **Stale-stealing** — a lock older than the steal window (30 s) is taken back, so a
|
|
40
|
+
crashed holder can never block a store for good.
|
|
41
41
|
- **Always released** — the lock is removed in a `finally`, even if `fn` throws.
|
|
42
42
|
|
|
43
43
|
This makes the scheduling kernel's concurrency ceiling hold **across processes**,
|
|
44
|
-
not
|
|
44
|
+
not just within one: a newly-added queue task can no longer go missing under a
|
|
45
45
|
concurrent drain, and two reclaimers can no longer lose a tombstone
|
|
46
46
|
(freed-without-proof).
|
|
47
47
|
|
|
48
48
|
## Reclamation durability (the write-ahead seam, v0.1.40)
|
|
49
49
|
|
|
50
50
|
The v0.1.39 reclamation transaction proved the *tombstone* crash-safe, but the
|
|
51
|
-
result-node re-point that scratch reclamation
|
|
52
|
-
boundary. It is now inside it. `runReclamation` runs, in order:
|
|
51
|
+
result-node re-point that scratch reclamation needs lived outside that
|
|
52
|
+
boundary. It is now inside it. `runReclamation` runs, in this order:
|
|
53
53
|
|
|
54
54
|
1. extract + seal skeleton — and **refuse** (`skeleton-incomplete`) not only on a
|
|
55
|
-
missing key but if extraction dropped audit **content** the run
|
|
55
|
+
missing key but if extraction dropped audit **content** the run truly has
|
|
56
56
|
(a run with commits/evidence must seal them);
|
|
57
57
|
2. under the per-run lock: build the tombstone (reads `prevTombstoneHash`) and
|
|
58
58
|
commit it durably — atomic so the chain read-modify-write can never lose a link;
|
|
59
|
-
3. `prepareFree()` — re-point
|
|
60
|
-
`state.json`, and **prove** no
|
|
59
|
+
3. `prepareFree()` — re-point living nodes off the scratch, **durably persist**
|
|
60
|
+
`state.json`, and **prove** no living node points to a freed path (and each
|
|
61
61
|
re-pointed node's `loadNodeSnapshot` stays `valid`), failing closed
|
|
62
|
-
(`repoint-incomplete`)
|
|
62
|
+
(`repoint-incomplete`) if not;
|
|
63
63
|
4. only then free the bulk bytes.
|
|
64
64
|
|
|
65
65
|
A crash at any point now leaves EITHER the full run OR a complete tombstone with a
|
|
66
|
-
re-pointed, durably-persisted `state.json` — never a node
|
|
67
|
-
and never a tombstone whose capability claim
|
|
66
|
+
re-pointed, durably-persisted `state.json` — never a node that points to a freed path,
|
|
67
|
+
and never a tombstone whose capability claim is at odds with reality.
|
|
68
68
|
|
|
69
69
|
## Compatibility
|
|
70
70
|
|
|
71
|
-
|
|
71
|
+
Added on top and unseen by correct single-writer use. No schema change; pre-v0.1.40
|
|
72
72
|
runs and stores load unchanged. Atomicity and locking change only HOW the same
|
|
73
73
|
bytes are written, never WHAT — no audit, commit, or collaboration record is ever
|
|
74
74
|
rewritten.
|
|
75
75
|
|
|
76
76
|
## See Also
|
|
77
77
|
|
|
78
|
-
- `docs/run-retention-reclamation.7.md` — the v0.1.39 reclamation transaction this
|
|
78
|
+
- `docs/run-retention-reclamation.7.md` — the v0.1.39 reclamation transaction this makes harder.
|
|
79
79
|
- `docs/run-registry-control-plane.7.md` — the registry overlays + home queue now locked.
|
|
80
80
|
- `docs/control-plane-scheduling.7.md` — the concurrency ceiling now held across processes.
|
|
81
81
|
|
|
@@ -85,7 +85,7 @@ evidence grounding + durable audit append + symlink-hardened containment + deter
|
|
|
85
85
|
|
|
86
86
|
## Robust Result Ingest (v0.1.42)
|
|
87
87
|
|
|
88
|
-
capture findings/evidence from any
|
|
88
|
+
capture findings/evidence from any sensible agent shape (alt keys + prose), CW works out grounded evidence itself, warn on empty capture — fixes the v0.1.41 live-drive 'accepted with 0 captured' failure
|
|
89
89
|
|
|
90
90
|
## No-False-Green Gate & Launch Prep (v0.1.43)
|
|
91
91
|
|
|
@@ -93,7 +93,7 @@ Hard gate blocking empty-capture verifier-gated commits, plus quickstart and lau
|
|
|
93
93
|
|
|
94
94
|
## Release-Gate Determinism & Agents Vendor (v0.1.44)
|
|
95
95
|
|
|
96
|
-
Release-readiness checks now validate the committed blob (`git show HEAD:<path>`) instead of the
|
|
96
|
+
Release-readiness checks now validate the committed blob (`git show HEAD:<path>`) instead of the changeable working tree — getting rid of false-red/false-green from concurrent working-tree writes (iCloud/Spotlight/editor). Adds the `agents` vendor manifest target: a generated `.agents/plugins/cool-workflow/` adapter that gives any non-Claude AI agent one common interface to CW.
|
|
97
97
|
|
|
98
98
|
## P1-P2 Fixes & CI Content Surfaces (v0.1.49)
|
|
99
99
|
|
|
@@ -110,9 +110,17 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
|
|
|
110
110
|
|
|
111
111
|
## Fast Architecture Review (v0.1.80)
|
|
112
112
|
|
|
113
|
-
Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, reusable Map and Assess results,
|
|
113
|
+
Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, reusable Map and Assess results, wrapper metrics you can measure, a background full-review handoff you can act on, and userland model policy flags for routing fast/strong workers without changing the full review contract.
|
|
114
114
|
|
|
115
115
|
## Deterministic Tombstone Hash (v0.1.81)
|
|
116
116
|
|
|
117
|
-
The reclamation tombstone's freed-manifest is now path-sorted before it feeds `tombstoneHash`, so the same freed set always
|
|
117
|
+
The reclamation tombstone's freed-manifest is now path-sorted before it feeds `tombstoneHash`, so the same freed set always gives the same hash no matter the filesystem enumeration order. This takes a non-determinism out of the write-ahead chain (v0.1.39/v0.1.40), keeping the per-run tombstone hash-chain replayable and steady across hosts. Atomicity, locking, and the durable re-point seam are unchanged. v0.1.81 also adds import-time refusal (`CW_REQUIRE_ARCHIVE_INTEGRITY=1`) and restore-time trust-audit re-proving — see run-registry-control-plane(7).
|
|
118
118
|
_No changes in v0.1.82._
|
|
119
|
+
|
|
120
|
+
## Hardening and Onboarding (v0.1.83)
|
|
121
|
+
|
|
122
|
+
Loaders fail closed on corrupt state; store writes are made safe under more than one writer; a new cw doctor checks your setup; help lists every command; and the docs are put into Basic English.
|
|
123
|
+
|
|
124
|
+
## Privacy Release (v0.1.84)
|
|
125
|
+
|
|
126
|
+
No other change to this page in v0.1.84.
|
|
@@ -1,8 +1,8 @@
|
|
|
1
1
|
# End-to-End Golden Path
|
|
2
2
|
|
|
3
|
-
Cool Workflow v0.1.10 added a deterministic golden path
|
|
4
|
-
system is
|
|
5
|
-
report generation.
|
|
3
|
+
Cool Workflow v0.1.10 added a deterministic golden path. It proves the base
|
|
4
|
+
system is joined up, from workflow app planning, through verifier-gated commit,
|
|
5
|
+
to report generation.
|
|
6
6
|
|
|
7
7
|
Run it from the plugin root:
|
|
8
8
|
|
|
@@ -14,13 +14,13 @@ npm run golden-path
|
|
|
14
14
|
The command uses only Node.js standard library APIs and the public CW CLI. It
|
|
15
15
|
does not use the network, sleeps, hidden daemon state, or real subagents.
|
|
16
16
|
|
|
17
|
-
v0.1.13 adds `test/mcp-app-surface-smoke.js
|
|
17
|
+
v0.1.13 adds `test/mcp-app-surface-smoke.js`. This is a near deterministic proof
|
|
18
18
|
that drives the same app/worker/candidate/commit/operator chain over MCP stdio
|
|
19
|
-
JSON-RPC
|
|
19
|
+
JSON-RPC, in place of direct CLI commands.
|
|
20
20
|
|
|
21
21
|
## What It Proves
|
|
22
22
|
|
|
23
|
-
The runner
|
|
23
|
+
The runner works through this chain:
|
|
24
24
|
|
|
25
25
|
```text
|
|
26
26
|
workflow app -> plan -> dispatch -> isolated worker -> candidate scoring
|
|
@@ -28,12 +28,12 @@ workflow app -> plan -> dispatch -> isolated worker -> candidate scoring
|
|
|
28
28
|
```
|
|
29
29
|
|
|
30
30
|
It uses the first-class `end-to-end-golden-path` app in
|
|
31
|
-
`apps/end-to-end-golden-path/`. The app has one phase and one
|
|
32
|
-
|
|
31
|
+
`apps/end-to-end-golden-path/`. The app has one phase and one worker task that
|
|
32
|
+
needs evidence, with the `readonly` sandbox profile.
|
|
33
33
|
|
|
34
34
|
## CLI Surface
|
|
35
35
|
|
|
36
|
-
The runner
|
|
36
|
+
The runner runs the same public commands that an operator would use:
|
|
37
37
|
|
|
38
38
|
```bash
|
|
39
39
|
node scripts/cw.js app validate end-to-end-golden-path
|
|
@@ -58,13 +58,13 @@ node scripts/cw.js graph <run-id>
|
|
|
58
58
|
node scripts/cw.js report <run-id> --show
|
|
59
59
|
```
|
|
60
60
|
|
|
61
|
-
After dispatch, the script reads the
|
|
62
|
-
|
|
61
|
+
After dispatch, the script reads the worker manifest it made, and writes a
|
|
62
|
+
good Markdown result to the worker's named `result.md`. The result has in it
|
|
63
63
|
a `cw:result` JSON fence with file:line evidence.
|
|
64
64
|
|
|
65
65
|
## Files Written
|
|
66
66
|
|
|
67
|
-
The runner
|
|
67
|
+
The runner makes a temporary workspace under the OS temp directory:
|
|
68
68
|
|
|
69
69
|
```text
|
|
70
70
|
<tmp>/
|
|
@@ -88,30 +88,30 @@ The runner creates a temporary workspace under the OS temp directory:
|
|
|
88
88
|
commits/
|
|
89
89
|
```
|
|
90
90
|
|
|
91
|
-
By default the workspace is
|
|
92
|
-
|
|
91
|
+
By default the workspace is kept on disk, so you can look at the report and
|
|
92
|
+
state. Tests run the same script with `--cleanup`.
|
|
93
93
|
|
|
94
94
|
## Invariants
|
|
95
95
|
|
|
96
|
-
The golden path
|
|
96
|
+
The golden path checks durable state, not just exit codes:
|
|
97
97
|
|
|
98
|
-
- run state
|
|
99
|
-
- MCP hosts can
|
|
98
|
+
- run state has the workflow app id and version metadata in it
|
|
99
|
+
- MCP hosts can do the flow again with `cw_app_run`, `cw_dispatch`,
|
|
100
100
|
`cw_worker_manifest`, `cw_worker_output`, `cw_candidate_score`,
|
|
101
101
|
`cw_candidate_select`, `cw_commit`, and operator summary tools
|
|
102
|
-
- dispatch
|
|
103
|
-
- the worker manifest
|
|
104
|
-
- the worker
|
|
105
|
-
- result and verifier nodes
|
|
106
|
-
- the verifier node
|
|
107
|
-
- `golden-candidate`
|
|
108
|
-
- candidate score and ranking files
|
|
109
|
-
- the
|
|
110
|
-
- the
|
|
102
|
+
- dispatch keeps a record of a worker id and `readonly` sandbox profile
|
|
103
|
+
- the worker manifest has the worked-out sandbox policy data in it
|
|
104
|
+
- the worker gets to `verified`
|
|
105
|
+
- result and verifier nodes are there
|
|
106
|
+
- the verifier node holds evidence
|
|
107
|
+
- `golden-candidate` gets to `verified` after selection
|
|
108
|
+
- candidate score and ranking files are there
|
|
109
|
+
- the last commit has `verifierGated: true` and `checkpoint: false`
|
|
110
|
+
- the last commit points to the selection, candidate, verifier node, and
|
|
111
111
|
evidence
|
|
112
|
-
- the report
|
|
113
|
-
- operator status, graph, report, and summary commands can
|
|
114
|
-
- no ErrorFeedback records are
|
|
112
|
+
- the report names the workflow app, candidates, and verifier-gated commit
|
|
113
|
+
- operator status, graph, report, and summary commands can look at the run
|
|
114
|
+
- no ErrorFeedback records are made
|
|
115
115
|
|
|
116
116
|
If this command fails, one of the base integration contracts is broken.
|
|
117
117
|
0.1.51
|
package/docs/error-feedback.7.md
CHANGED
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
|
|
3
3
|
## NAME
|
|
4
4
|
|
|
5
|
-
Error Feedback Loop -
|
|
5
|
+
Error Feedback Loop - diagnostic and correction state you can look into for Cool Workflow
|
|
6
6
|
|
|
7
7
|
## SYNOPSIS
|
|
8
8
|
|
|
@@ -27,14 +27,14 @@ const resolved = resolveFeedback(run, records[0].id, {
|
|
|
27
27
|
## DESCRIPTION
|
|
28
28
|
|
|
29
29
|
The Error Feedback Loop is the small layer between structured failures and
|
|
30
|
-
operator correction. It
|
|
31
|
-
|
|
32
|
-
|
|
30
|
+
operator correction. It keeps failures as long-lasting JSON, gives them plain
|
|
31
|
+
identifiers, makes optional correction tasks, and clears records only after
|
|
32
|
+
verifier evidence is there.
|
|
33
33
|
|
|
34
|
-
It does not
|
|
35
|
-
apps and operators
|
|
34
|
+
It does not fix code, do stages again, or own domain workflow behavior. Workflow
|
|
35
|
+
apps and operators say how corrections are put to use.
|
|
36
36
|
|
|
37
|
-
The loop
|
|
37
|
+
The loop goes like this:
|
|
38
38
|
|
|
39
39
|
```text
|
|
40
40
|
error -> classify -> feedback record -> correction task -> verify -> checkpoint
|
|
@@ -43,7 +43,7 @@ error -> classify -> feedback record -> correction task -> verify -> checkpoint
|
|
|
43
43
|
## FEEDBACK MODEL
|
|
44
44
|
|
|
45
45
|
Each feedback record is an `ErrorFeedbackRecord` with schema version `1`.
|
|
46
|
-
|
|
46
|
+
The chief fields are:
|
|
47
47
|
|
|
48
48
|
- `id`
|
|
49
49
|
- `runId`
|
|
@@ -65,11 +65,11 @@ Important fields are:
|
|
|
65
65
|
- `resolvedByNodeId`
|
|
66
66
|
- `metadata`
|
|
67
67
|
|
|
68
|
-
The runtime also keeps `run.feedback` in `state.json` for quick
|
|
68
|
+
The runtime also keeps `run.feedback` in `state.json` for a quick look.
|
|
69
69
|
|
|
70
70
|
## FAILURE CLASSIFICATION
|
|
71
71
|
|
|
72
|
-
Classifications are
|
|
72
|
+
Classifications are fixed, plain strings:
|
|
73
73
|
|
|
74
74
|
```text
|
|
75
75
|
contract-violation
|
|
@@ -83,21 +83,21 @@ runtime-error
|
|
|
83
83
|
unknown
|
|
84
84
|
```
|
|
85
85
|
|
|
86
|
-
Classification is
|
|
87
|
-
`PipelineContract` validation logic; it
|
|
88
|
-
|
|
86
|
+
Classification is careful. The feedback loop does not copy the
|
|
87
|
+
`PipelineContract` validation logic; it gives identifiers to structured errors
|
|
88
|
+
already made by StateNode, PipelineRunner, verifier, or CLI surfaces.
|
|
89
89
|
|
|
90
90
|
## CORRECTION TASKS
|
|
91
91
|
|
|
92
92
|
Correction tasks are normal task Markdown files under the run `tasks/`
|
|
93
|
-
directory. They
|
|
94
|
-
evidence,
|
|
93
|
+
directory. They take in the first error, the touched node/stage/contract, the
|
|
94
|
+
evidence, the looked-for verification command, and help on doing it again.
|
|
95
95
|
|
|
96
|
-
|
|
97
|
-
|
|
96
|
+
Making a correction task marks the feedback record as `tasked`. It does not
|
|
97
|
+
make code changes.
|
|
98
98
|
|
|
99
|
-
|
|
100
|
-
|
|
99
|
+
To resolve feedback you need a node id whose status is `verified` or `committed`.
|
|
100
|
+
Turned-down corrections are kept by setting status to `rejected`.
|
|
101
101
|
|
|
102
102
|
## FILES
|
|
103
103
|
|
|
@@ -111,7 +111,7 @@ Rejected corrections are preserved by setting status to `rejected`.
|
|
|
111
111
|
|
|
112
112
|
## EXAMPLES
|
|
113
113
|
|
|
114
|
-
|
|
114
|
+
Get together failed node errors:
|
|
115
115
|
|
|
116
116
|
```text
|
|
117
117
|
node dist/cli.js feedback collect <run-id>
|
|
@@ -123,7 +123,7 @@ List feedback records:
|
|
|
123
123
|
node dist/cli.js feedback list <run-id>
|
|
124
124
|
```
|
|
125
125
|
|
|
126
|
-
|
|
126
|
+
Give one feedback record:
|
|
127
127
|
|
|
128
128
|
```text
|
|
129
129
|
node dist/cli.js feedback show <run-id> <feedback-id>
|
|
@@ -135,19 +135,19 @@ Create a correction task:
|
|
|
135
135
|
node dist/cli.js feedback task <run-id> <feedback-id> --verify "npm test"
|
|
136
136
|
```
|
|
137
137
|
|
|
138
|
-
|
|
138
|
+
Clear it after a verified node:
|
|
139
139
|
|
|
140
140
|
```text
|
|
141
141
|
node dist/cli.js feedback resolve <run-id> <feedback-id> --node <verified-node-id>
|
|
142
142
|
```
|
|
143
143
|
|
|
144
|
-
All commands
|
|
144
|
+
All commands put out fixed JSON.
|
|
145
145
|
|
|
146
146
|
## COMPATIBILITY
|
|
147
147
|
|
|
148
|
-
Error Feedback
|
|
149
|
-
`feedbackDir` path metadata. Older runs
|
|
150
|
-
|
|
148
|
+
Error Feedback comes in with CW v0.1.4. It adds optional `feedback` state and
|
|
149
|
+
`feedbackDir` path metadata. Older runs can still be read; missing fields are
|
|
150
|
+
started up when the run is loaded.
|
|
151
151
|
|
|
152
|
-
|
|
152
|
+
The workflow, node, contract, pipeline, and CLI behavior you have now is kept.
|
|
153
153
|
0.1.51
|