cool-workflow 0.1.82 → 0.1.84

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (92) hide show
  1. package/.claude-plugin/plugin.json +2 -2
  2. package/.codex-plugin/plugin.json +4 -4
  3. package/README.md +128 -120
  4. package/apps/architecture-review/app.json +1 -1
  5. package/apps/architecture-review-fast/app.json +1 -1
  6. package/apps/end-to-end-golden-path/app.json +1 -1
  7. package/apps/pr-review-fix-ci/app.json +1 -1
  8. package/apps/release-cut/app.json +1 -1
  9. package/apps/research-synthesis/app.json +1 -1
  10. package/dist/capability-core.js +16 -8
  11. package/dist/capability-registry.js +270 -0
  12. package/dist/cli/command-surface.js +1320 -0
  13. package/dist/cli.js +2 -1307
  14. package/dist/commit.js +5 -1
  15. package/dist/doctor.js +153 -0
  16. package/dist/mcp-server.js +15 -1451
  17. package/dist/mcp-surface.js +1441 -0
  18. package/dist/orchestrator.js +13 -0
  19. package/dist/reclamation/hash.js +72 -0
  20. package/dist/reclamation.js +25 -78
  21. package/dist/run-registry/queue.js +6 -7
  22. package/dist/run-registry.js +35 -24
  23. package/dist/scheduler.js +78 -53
  24. package/dist/version.js +1 -1
  25. package/dist/worker-accept/acceptance.js +114 -0
  26. package/dist/worker-accept/blackboard-fanout.js +80 -0
  27. package/dist/worker-accept/blackboard-linkage.js +19 -0
  28. package/dist/worker-accept/context.js +2 -0
  29. package/dist/worker-accept/telemetry-ledger.js +116 -0
  30. package/dist/worker-accept/validation.js +77 -0
  31. package/dist/worker-accept/verifier-completion.js +73 -0
  32. package/dist/worker-isolation.js +41 -446
  33. package/docs/agent-delegation-drive.7.md +94 -86
  34. package/docs/agent-framework.md +33 -32
  35. package/docs/candidate-scoring.7.md +26 -24
  36. package/docs/canonical-workflow-apps.7.md +40 -40
  37. package/docs/capability-topology-registry.7.md +24 -24
  38. package/docs/cli-mcp-parity.7.md +230 -154
  39. package/docs/contract-migration-tooling.7.md +52 -41
  40. package/docs/control-plane-scheduling.7.md +49 -41
  41. package/docs/coordinator-blackboard.7.md +30 -30
  42. package/docs/dogfood-one-real-repo.7.md +44 -44
  43. package/docs/durable-state-and-locking.7.md +38 -30
  44. package/docs/end-to-end-golden-path.7.md +29 -29
  45. package/docs/error-feedback.7.md +27 -27
  46. package/docs/evidence-adoption-reasoning-chain.7.md +66 -58
  47. package/docs/execution-backends.7.md +88 -80
  48. package/docs/getting-started.md +35 -18
  49. package/docs/index.md +3 -3
  50. package/docs/mcp-app-surface.7.md +64 -64
  51. package/docs/multi-agent-cli-mcp-surface.7.md +86 -77
  52. package/docs/multi-agent-eval-replay-harness.7.md +63 -55
  53. package/docs/multi-agent-operator-ux.7.md +73 -65
  54. package/docs/multi-agent-runtime-core.7.md +39 -39
  55. package/docs/multi-agent-topologies.7.md +24 -24
  56. package/docs/multi-agent-trust-policy-audit.7.md +38 -38
  57. package/docs/node-snapshot-diff-replay.7.md +30 -22
  58. package/docs/observability-cost-accounting.7.md +53 -45
  59. package/docs/operator-ux.7.md +30 -30
  60. package/docs/pipeline-runner.7.md +31 -31
  61. package/docs/project-index.md +16 -5
  62. package/docs/real-execution-backends.7.md +51 -43
  63. package/docs/release-and-migration.7.md +46 -38
  64. package/docs/release-tooling.7.md +67 -50
  65. package/docs/routines.md +16 -16
  66. package/docs/run-registry-control-plane.7.md +124 -116
  67. package/docs/run-retention-reclamation.7.md +49 -41
  68. package/docs/sandbox-profiles.7.md +32 -32
  69. package/docs/scheduled-tasks.md +14 -14
  70. package/docs/security-trust-hardening.7.md +29 -29
  71. package/docs/source-context-profiles.7.md +28 -28
  72. package/docs/state-explosion-management.7.md +67 -59
  73. package/docs/state-node.7.md +8 -8
  74. package/docs/team-collaboration.7.md +66 -58
  75. package/docs/trust-model.md +126 -126
  76. package/docs/unix-principles.md +80 -80
  77. package/docs/vendor-manifest-loadability.7.md +20 -20
  78. package/docs/verifier-gated-commit.7.md +16 -16
  79. package/docs/web-desktop-workbench.7.md +73 -65
  80. package/docs/worker-isolation.7.md +34 -37
  81. package/docs/workflow-app-framework.7.md +38 -38
  82. package/manifest/plugin.manifest.json +4 -4
  83. package/package.json +3 -2
  84. package/scripts/bump-version.js +9 -1
  85. package/scripts/canonical-apps.js +4 -4
  86. package/scripts/dogfood-release.js +1 -1
  87. package/scripts/gen-parity-doc.js +106 -0
  88. package/scripts/golden-path.js +4 -4
  89. package/scripts/parity-check.js +27 -57
  90. package/scripts/release-flow.js +7 -6
  91. package/scripts/sync-project-index.js +1 -1
  92. package/dist/verifier-registry.js +0 -46
@@ -1,9 +1,9 @@
1
1
  # Dogfood One Real Repo
2
2
 
3
- CW v0.1.16 proves the release workflow against the real Cool Workflow
4
- repository. The proof uses the canonical `release-cut` app, records isolated
5
- worker outputs, scores a release candidate, selects it only with verifier
6
- evidence, creates a verifier-gated CW state commit, and renders trust audit
3
+ CW v0.1.16 tests the release workflow against the real Cool Workflow
4
+ repository. The test uses the canonical `release-cut` app, keeps a record of
5
+ separate worker outputs, scores a release candidate, picks it only with verifier
6
+ evidence, makes a verifier-gated CW state commit, and shows trust audit
7
7
  provenance.
8
8
 
9
9
  ## Dry-Run Command
@@ -15,7 +15,7 @@ cd plugins/cool-workflow
15
15
  npm run dogfood:release
16
16
  ```
17
17
 
18
- The command targets the repository two directories above the package, uses
18
+ The command points at the repository two directories above the package, uses
19
19
  `release-cut`, sets `version=0.1.18`, `previousVersion=0.1.17`, the current git
20
20
  branch, and `dryRun=true`. It writes a machine-readable summary to:
21
21
 
@@ -23,13 +23,13 @@ branch, and `dryRun=true`. It writes a machine-readable summary to:
23
23
  .cw/runs/<run-id>/dogfood-summary.json
24
24
  ```
25
25
 
26
- The summary includes the run id, report path, audit summary path, provenance
26
+ The summary has the run id, report path, audit summary path, provenance
27
27
  counts, worker ids, candidate id, score id, selection id, commit or checkpoint
28
28
  id, command log paths, and the release verdict.
29
29
 
30
30
  ## Real Evidence
31
31
 
32
- The full dry-run collects real repository evidence from:
32
+ The full dry-run gets real repository evidence from:
33
33
 
34
34
  ```bash
35
35
  git status --short --branch
@@ -44,8 +44,8 @@ npm run release:check
44
44
  npm pack --dry-run --json
45
45
  ```
46
46
 
47
- Each command log is written under the worker `logs/` directory and cited in the
48
- worker `cw:result` evidence array. The release verdict worker carries the full
47
+ Each command log is written under the worker `logs/` directory and named in the
48
+ worker `cw:result` evidence array. The release verdict worker takes the full
49
49
  set of command locators into the release candidate, score, selection, and
50
50
  commit/checkpoint provenance.
51
51
 
@@ -72,14 +72,14 @@ node scripts/cw.js audit provenance <run-id> --candidate dogfood-release-0.1.18
72
72
  node scripts/cw.js audit provenance <run-id> --commit <commit-id>
73
73
  ```
74
74
 
75
- The report answers why the candidate is trusted by showing sandbox profiles,
76
- host attestations, evidence provenance, candidate scoring, acceptance rationale,
75
+ The report tells why the candidate is trusted by showing sandbox profiles,
76
+ host attestations, evidence provenance, candidate scoring, acceptance reasons,
77
77
  and the verifier-gated commit.
78
78
 
79
- The dogfood command remains a local release-engineering script rather than a new
80
- MCP tool because it composes existing first-class CW capabilities: `release-cut`
79
+ The dogfood command stays a local release-engineering script and not a new
80
+ MCP tool because it is built from existing first-class CW capabilities: `release-cut`
81
81
  planning, dispatch, worker manifests/output, candidate scoring/selection,
82
- commits, reports, and audit/provenance. MCP parity is preserved for the
82
+ commits, reports, and audit/provenance. MCP parity is kept for the
83
83
  inspectable state through the existing worker, candidate, commit, operator
84
84
  report, and audit tools.
85
85
 
@@ -91,14 +91,14 @@ report, and audit tools.
91
91
  node test/dogfood-release-smoke.js
92
92
  ```
93
93
 
94
- The smoke test executes `scripts/dogfood-release.js --smoke --json`. It still
94
+ The smoke test runs `scripts/dogfood-release.js --smoke --json`. It still
95
95
  uses the real repository, `release-cut`, worker manifests, trust audit records,
96
96
  candidate scoring, selection, verifier-gated commit, and a report, but keeps the
97
- command set smaller to avoid recursive release checking.
97
+ command set smaller so it does not do recursive release checking.
98
98
 
99
99
  ## Promote To Real Release Actions
100
100
 
101
- Dry-run mode never creates tags, pushes, publishes packages, or mutates a
101
+ Dry-run mode never makes tags, pushes, puts out packages, or changes a
102
102
  marketplace. Real actions are separate maintainer commands after the dogfood
103
103
  run passes:
104
104
 
@@ -110,42 +110,42 @@ git tag v0.1.18
110
110
  git push origin main --tags
111
111
  ```
112
112
 
113
- Package publish and plugin marketplace updates should be separate visible
114
- steps. If future execute flags are used, they must be explicit, for example
115
- `--execute --tag --confirm-release-actions=0.1.18`. The script refuses tag,
116
- push, or publish flags in dry-run mode and refuses execute mode without the
113
+ Package publish and plugin marketplace updates should be separate, clear
114
+ steps. If execute flags are used later, they must be stated openly, for example
115
+ `--execute --tag --confirm-release-actions=0.1.18`. The script says no to tag,
116
+ push, or publish flags in dry-run mode and says no to execute mode without the
117
117
  target-version confirmation.
118
118
 
119
119
  ## Safety Gates
120
120
 
121
- The dogfood command holds the candidate and writes an explicit checkpoint if
122
- any evidence command fails, version sync is incomplete, release docs are
123
- missing, audit records are unavailable, or verifier evidence is absent. A
124
- selected candidate requires score evidence and a verified verifier node; a
125
- verifier-gated commit requires the selected candidate, score, evidence, sandbox
126
- profile, worker, and acceptance rationale.
121
+ The dogfood command holds the candidate and writes a clear checkpoint if
122
+ any evidence command fails, version sync is not complete, release docs are
123
+ missing, audit records are not there, or verifier evidence is not present. A
124
+ selected candidate needs score evidence and a verified verifier node; a
125
+ verifier-gated commit needs the selected candidate, score, evidence, sandbox
126
+ profile, worker, and acceptance reasons.
127
127
 
128
- This is intentionally boring release engineering: local-first, inspectable,
128
+ This is release engineering made dull on purpose: local-first, inspectable,
129
129
  scriptable, and fail-closed.
130
130
 
131
131
  ## Architecture-Review Agent-Delegation Dogfood (v0.1.38)
132
132
 
133
133
  `scripts/dogfood-architecture-review.js` dogfoods the v0.1.38 Agent Delegation
134
- Drive: the `architecture-review` app driven end-to-end by the `agent` backend,
135
- with zero hand-written `result.md`.
134
+ Drive: the `architecture-review` app driven from end to end by the `agent` backend,
135
+ with no hand-written `result.md` at all.
136
136
 
137
- It splits into two halves, exactly like the release dogfood above:
137
+ It is cut into two halves, just like the release dogfood above:
138
138
 
139
139
  - **`--smoke` (CI-verifiable).** A hermetic STUB agent (no live binary, no second
140
140
  repo, no network, no model SDK) drives the real app to a committed audited
141
- report. `node scripts/dogfood-architecture-review.js --smoke --json` emits
141
+ report. `node scripts/dogfood-architecture-review.js --smoke --json` gives back
142
142
  `{ ok: true, mode: "smoke" }` with a `reportPath` and `auditSummaryPath` that
143
- exist, the Verdict node accepted, and `audit.byKind["worker.agent-delegation"]
144
- >= 1`. This is asserted under `npm test` (`test/dogfood-release-smoke.js`).
143
+ are there, the Verdict node accepted, and `audit.byKind["worker.agent-delegation"]
144
+ >= 1`. This is checked under `npm test` (`test/dogfood-release-smoke.js`).
145
145
 
146
- - **Live full-drive (MAINTAINER-RUN, OUT OF CI).** With a REAL configured agent
146
+ - **Live full-drive (MAINTAINER-RUN, OUT OF CI).** With a REAL set-up agent
147
147
  (`CW_AGENT_COMMAND`, e.g. `claude -p {{input}}` / `codex exec`, or
148
- `--agent-command`) against ONE real external repository:
148
+ `--agent-command`) against ONE real outside repository:
149
149
 
150
150
  ```bash
151
151
  CW_AGENT_COMMAND="claude -p {{input}}" \
@@ -154,15 +154,15 @@ It splits into two halves, exactly like the release dogfood above:
154
154
  ```
155
155
 
156
156
  This drives plan → dispatch → agent-fulfill → accept/verify → commit for every
157
- worker the planner emits, produces the committed audited risk report, and writes
158
- a `docs/dogfood/architecture-review-<repo>.md` provenance note recording the repo
159
- name and the agent-REPORTED model id. It depends on a live external agent binary
157
+ worker the planner emits, makes the committed audited risk report, and writes
158
+ a `docs/dogfood/architecture-review-<repo>.md` provenance note that keeps the repo
159
+ name and the agent-REPORTED model id. It needs a live outside agent binary
160
160
  and a second repository, which CI cannot have (CI is node/npm/git-only and
161
- hermetic), so it is **explicitly OUT of CI** — a maintainer bar run out-of-band,
162
- exactly like the "Promote To Real Release Actions" above. The CI/release gate is
163
- strictly the stub `--smoke` path.
161
+ hermetic), so it is **explicitly OUT of CI** — a maintainer step run out-of-band,
162
+ just like the "Promote To Real Release Actions" above. The CI/release gate is
163
+ only the stub `--smoke` path.
164
164
 
165
- The model runs in the external agent's process, never inside CW: this script
166
- spawns the agent and records its attested output; it imports no model SDK and
165
+ The model runs in the outside agent's process, never inside CW: this script
166
+ starts the agent and records its attested output; it brings in no model SDK and
167
167
  holds no API key.
168
168
  0.1.51
@@ -1,81 +1,81 @@
1
1
  # Durable State & Locking
2
2
 
3
- CW v0.1.40 closes the durability seams its own architecture self-audit found:
3
+ CW v0.1.40 fixes the durability gaps its own architecture self-audit found:
4
4
  every authoritative write is now **atomic**, the audit-essential ones are
5
5
  **fsync-durable**, and the cross-process read-modify-write stores are
6
6
  **lock-serialized**. This is the hardening half of Run Retention & Provable
7
7
  Reclamation (v0.1.39) — the reclamation transaction was already write-ahead, but
8
- the kernel persistence primitive underneath it (`state.ts:writeJson`) was a
9
- non-atomic in-place `fs.writeFileSync`, the prior verdict's #1 P1. That is now
8
+ the kernel persistence primitive under it (`state.ts:writeJson`) was a
9
+ non-atomic in-place `fs.writeFileSync`, the #1 P1 from the last verdict. That is now
10
10
  fixed for the whole control plane, not just the tombstone.
11
11
 
12
12
  ## Atomic writes — order is the safety property
13
13
 
14
14
  `writeJson(file, value, { durable? })` writes to a unique temp file and then
15
15
  `rename(2)`s it over the target. Because rename is atomic on POSIX, a crash,
16
- `SIGKILL`, or `ENOSPC` mid-write can never leave a truncated `state.json` that
16
+ `SIGKILL`, or `ENOSPC` part-way through a write can never leave a cut-short `state.json` that
17
17
  throws `Invalid JSON` on reload — a reader always sees **EITHER the old bytes OR
18
- the new bytes**, never a torn file. A failed rename cleans up its temp file, so no
18
+ the new bytes**, never a torn file. A failed rename clears away its temp file, so no
19
19
  half-written artifact is ever left behind.
20
20
 
21
- With `{ durable: true }` the file is additionally `fsync`'d (and its directory
22
- best-effort `fsync`'d) before the write is considered complete, so the bytes
23
- survive power loss. Durability is reserved for **authoritative** state — `state.json`
21
+ With `{ durable: true }` the file is also `fsync`'d (and its directory
22
+ `fsync`'d as best it can) before the write counts as done, so the bytes
23
+ live through power loss. Durability is kept for **authoritative** state — `state.json`
24
24
  (`saveCheckpoint`), the registry overlays (`archive.json`, `provenance.json`, the
25
25
  home queue, `repos.json`), the scheduler store, and the reclamation `reclaimed.json`
26
26
  — while high-frequency, rebuildable derived writes (node bodies, worker manifests,
27
- the registry index) stay atomic-but-not-fsync'd so the cheap torn-write fix applies
27
+ the registry index) stay atomic-but-not-fsync'd so the cheap torn-write fix is used
28
28
  everywhere without the fsync cost on the hot path.
29
29
 
30
30
  ## Locking — serialize the cross-process read-modify-write
31
31
 
32
32
  The home queue (`queueAdd`/`queueDrain`), the archive overlay, the repos registry,
33
- and the per-run reclamation chain are read-modify-write stores mutated by more than
33
+ and the per-run reclamation chain are read-modify-write stores changed by more than
34
34
  one process (the long-running scheduler daemon and the CLI both touch the queue).
35
- `withFileLock(targetPath, fn)` runs `fn` while holding a portable advisory lock:
35
+ `withFileLock(targetPath, fn)` runs `fn` while it holds a portable advisory lock:
36
36
 
37
- - **Portable** — an `O_EXCL` (`wx`) lockfile beside the target; no native `flock(2)`,
38
- so it works identically under CI (node/npm/git only).
39
- - **Stale-stealing** — a lock older than the steal window (30 s) is reclaimed, so a
40
- crashed holder can never wedge a store forever.
37
+ - **Portable** — an `O_EXCL` (`wx`) lockfile next to the target; no native `flock(2)`,
38
+ so it works the same way under CI (node/npm/git only).
39
+ - **Stale-stealing** — a lock older than the steal window (30 s) is taken back, so a
40
+ crashed holder can never block a store for good.
41
41
  - **Always released** — the lock is removed in a `finally`, even if `fn` throws.
42
42
 
43
43
  This makes the scheduling kernel's concurrency ceiling hold **across processes**,
44
- not merely within one: a newly-added queue task can no longer vanish under a
44
+ not just within one: a newly-added queue task can no longer go missing under a
45
45
  concurrent drain, and two reclaimers can no longer lose a tombstone
46
46
  (freed-without-proof).
47
47
 
48
48
  ## Reclamation durability (the write-ahead seam, v0.1.40)
49
49
 
50
50
  The v0.1.39 reclamation transaction proved the *tombstone* crash-safe, but the
51
- result-node re-point that scratch reclamation depends on lived outside that
52
- boundary. It is now inside it. `runReclamation` runs, in order:
51
+ result-node re-point that scratch reclamation needs lived outside that
52
+ boundary. It is now inside it. `runReclamation` runs, in this order:
53
53
 
54
54
  1. extract + seal skeleton — and **refuse** (`skeleton-incomplete`) not only on a
55
- missing key but if extraction dropped audit **content** the run actually has
55
+ missing key but if extraction dropped audit **content** the run truly has
56
56
  (a run with commits/evidence must seal them);
57
57
  2. under the per-run lock: build the tombstone (reads `prevTombstoneHash`) and
58
58
  commit it durably — atomic so the chain read-modify-write can never lose a link;
59
- 3. `prepareFree()` — re-point surviving nodes off the scratch, **durably persist**
60
- `state.json`, and **prove** no surviving node references a freed path (and each
59
+ 3. `prepareFree()` — re-point living nodes off the scratch, **durably persist**
60
+ `state.json`, and **prove** no living node points to a freed path (and each
61
61
  re-pointed node's `loadNodeSnapshot` stays `valid`), failing closed
62
- (`repoint-incomplete`) otherwise;
62
+ (`repoint-incomplete`) if not;
63
63
  4. only then free the bulk bytes.
64
64
 
65
65
  A crash at any point now leaves EITHER the full run OR a complete tombstone with a
66
- re-pointed, durably-persisted `state.json` — never a node referencing a freed path,
67
- and never a tombstone whose capability claim diverges from reality.
66
+ re-pointed, durably-persisted `state.json` — never a node that points to a freed path,
67
+ and never a tombstone whose capability claim is at odds with reality.
68
68
 
69
69
  ## Compatibility
70
70
 
71
- Additive and invisible to correct single-writer use. No schema change; pre-v0.1.40
71
+ Added on top and unseen by correct single-writer use. No schema change; pre-v0.1.40
72
72
  runs and stores load unchanged. Atomicity and locking change only HOW the same
73
73
  bytes are written, never WHAT — no audit, commit, or collaboration record is ever
74
74
  rewritten.
75
75
 
76
76
  ## See Also
77
77
 
78
- - `docs/run-retention-reclamation.7.md` — the v0.1.39 reclamation transaction this hardens.
78
+ - `docs/run-retention-reclamation.7.md` — the v0.1.39 reclamation transaction this makes harder.
79
79
  - `docs/run-registry-control-plane.7.md` — the registry overlays + home queue now locked.
80
80
  - `docs/control-plane-scheduling.7.md` — the concurrency ceiling now held across processes.
81
81
 
@@ -85,7 +85,7 @@ evidence grounding + durable audit append + symlink-hardened containment + deter
85
85
 
86
86
  ## Robust Result Ingest (v0.1.42)
87
87
 
88
- capture findings/evidence from any reasonable agent shape (alt keys + prose), CW derives grounded evidence itself, warn on empty capture — closes the v0.1.41 live-drive 'accepted with 0 captured' failure
88
+ capture findings/evidence from any sensible agent shape (alt keys + prose), CW works out grounded evidence itself, warn on empty capture — fixes the v0.1.41 live-drive 'accepted with 0 captured' failure
89
89
 
90
90
  ## No-False-Green Gate & Launch Prep (v0.1.43)
91
91
 
@@ -93,7 +93,7 @@ Hard gate blocking empty-capture verifier-gated commits, plus quickstart and lau
93
93
 
94
94
  ## Release-Gate Determinism & Agents Vendor (v0.1.44)
95
95
 
96
- Release-readiness checks now validate the committed blob (`git show HEAD:<path>`) instead of the mutable working tree — eliminating false-red/false-green from concurrent working-tree writes (iCloud/Spotlight/editor). Adds the `agents` vendor manifest target: a generated `.agents/plugins/cool-workflow/` adapter giving any non-Claude AI agent one common interface to CW.
96
+ Release-readiness checks now validate the committed blob (`git show HEAD:<path>`) instead of the changeable working tree — getting rid of false-red/false-green from concurrent working-tree writes (iCloud/Spotlight/editor). Adds the `agents` vendor manifest target: a generated `.agents/plugins/cool-workflow/` adapter that gives any non-Claude AI agent one common interface to CW.
97
97
 
98
98
  ## P1-P2 Fixes & CI Content Surfaces (v0.1.49)
99
99
 
@@ -110,9 +110,17 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
110
110
 
111
111
  ## Fast Architecture Review (v0.1.80)
112
112
 
113
- Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, reusable Map and Assess results, measurable wrapper metrics, actionable background full-review handoff, and userland model policy flags for routing fast/strong workers without changing the full review contract.
113
+ Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, reusable Map and Assess results, wrapper metrics you can measure, a background full-review handoff you can act on, and userland model policy flags for routing fast/strong workers without changing the full review contract.
114
114
 
115
115
  ## Deterministic Tombstone Hash (v0.1.81)
116
116
 
117
- The reclamation tombstone's freed-manifest is now path-sorted before it feeds `tombstoneHash`, so the same freed set always yields the same hash regardless of filesystem enumeration order. This removes a non-determinism from the write-ahead chain (v0.1.39/v0.1.40), keeping the per-run tombstone hash-chain replayable and stable across hosts. Atomicity, locking, and the durable re-point seam are unchanged. v0.1.81 also adds import-time refusal (`CW_REQUIRE_ARCHIVE_INTEGRITY=1`) and restore-time trust-audit re-proving — see run-registry-control-plane(7).
117
+ The reclamation tombstone's freed-manifest is now path-sorted before it feeds `tombstoneHash`, so the same freed set always gives the same hash no matter the filesystem enumeration order. This takes a non-determinism out of the write-ahead chain (v0.1.39/v0.1.40), keeping the per-run tombstone hash-chain replayable and steady across hosts. Atomicity, locking, and the durable re-point seam are unchanged. v0.1.81 also adds import-time refusal (`CW_REQUIRE_ARCHIVE_INTEGRITY=1`) and restore-time trust-audit re-proving — see run-registry-control-plane(7).
118
118
  _No changes in v0.1.82._
119
+
120
+ ## Hardening and Onboarding (v0.1.83)
121
+
122
+ Loaders fail closed on corrupt state; store writes are made safe under more than one writer; a new cw doctor checks your setup; help lists every command; and the docs are put into Basic English.
123
+
124
+ ## Privacy Release (v0.1.84)
125
+
126
+ No other change to this page in v0.1.84.
@@ -1,8 +1,8 @@
1
1
  # End-to-End Golden Path
2
2
 
3
- Cool Workflow v0.1.10 added a deterministic golden path that proves the base
4
- system is connected from workflow app planning through verifier-gated commit and
5
- report generation.
3
+ Cool Workflow v0.1.10 added a deterministic golden path. It proves the base
4
+ system is joined up, from workflow app planning, through verifier-gated commit,
5
+ to report generation.
6
6
 
7
7
  Run it from the plugin root:
8
8
 
@@ -14,13 +14,13 @@ npm run golden-path
14
14
  The command uses only Node.js standard library APIs and the public CW CLI. It
15
15
  does not use the network, sleeps, hidden daemon state, or real subagents.
16
16
 
17
- v0.1.13 adds `test/mcp-app-surface-smoke.js`, a sibling deterministic proof
17
+ v0.1.13 adds `test/mcp-app-surface-smoke.js`. This is a near deterministic proof
18
18
  that drives the same app/worker/candidate/commit/operator chain over MCP stdio
19
- JSON-RPC instead of direct CLI commands.
19
+ JSON-RPC, in place of direct CLI commands.
20
20
 
21
21
  ## What It Proves
22
22
 
23
- The runner exercises this chain:
23
+ The runner works through this chain:
24
24
 
25
25
  ```text
26
26
  workflow app -> plan -> dispatch -> isolated worker -> candidate scoring
@@ -28,12 +28,12 @@ workflow app -> plan -> dispatch -> isolated worker -> candidate scoring
28
28
  ```
29
29
 
30
30
  It uses the first-class `end-to-end-golden-path` app in
31
- `apps/end-to-end-golden-path/`. The app has one phase and one evidence-required
32
- worker task with the `readonly` sandbox profile.
31
+ `apps/end-to-end-golden-path/`. The app has one phase and one worker task that
32
+ needs evidence, with the `readonly` sandbox profile.
33
33
 
34
34
  ## CLI Surface
35
35
 
36
- The runner performs the same public commands an operator would use:
36
+ The runner runs the same public commands that an operator would use:
37
37
 
38
38
  ```bash
39
39
  node scripts/cw.js app validate end-to-end-golden-path
@@ -58,13 +58,13 @@ node scripts/cw.js graph <run-id>
58
58
  node scripts/cw.js report <run-id> --show
59
59
  ```
60
60
 
61
- After dispatch, the script reads the generated worker manifest and writes a
62
- valid Markdown result to the worker's declared `result.md`. The result contains
61
+ After dispatch, the script reads the worker manifest it made, and writes a
62
+ good Markdown result to the worker's named `result.md`. The result has in it
63
63
  a `cw:result` JSON fence with file:line evidence.
64
64
 
65
65
  ## Files Written
66
66
 
67
- The runner creates a temporary workspace under the OS temp directory:
67
+ The runner makes a temporary workspace under the OS temp directory:
68
68
 
69
69
  ```text
70
70
  <tmp>/
@@ -88,30 +88,30 @@ The runner creates a temporary workspace under the OS temp directory:
88
88
  commits/
89
89
  ```
90
90
 
91
- By default the workspace is left on disk so the report and state can be
92
- inspected. Tests run the same script with `--cleanup`.
91
+ By default the workspace is kept on disk, so you can look at the report and
92
+ state. Tests run the same script with `--cleanup`.
93
93
 
94
94
  ## Invariants
95
95
 
96
- The golden path asserts durable state, not just exit codes:
96
+ The golden path checks durable state, not just exit codes:
97
97
 
98
- - run state includes workflow app id and version metadata
99
- - MCP hosts can reproduce the flow with `cw_app_run`, `cw_dispatch`,
98
+ - run state has the workflow app id and version metadata in it
99
+ - MCP hosts can do the flow again with `cw_app_run`, `cw_dispatch`,
100
100
  `cw_worker_manifest`, `cw_worker_output`, `cw_candidate_score`,
101
101
  `cw_candidate_select`, `cw_commit`, and operator summary tools
102
- - dispatch records a worker id and `readonly` sandbox profile
103
- - the worker manifest includes resolved sandbox policy data
104
- - the worker reaches `verified`
105
- - result and verifier nodes exist
106
- - the verifier node carries evidence
107
- - `golden-candidate` reaches `verified` after selection
108
- - candidate score and ranking files exist
109
- - the final commit has `verifierGated: true` and `checkpoint: false`
110
- - the final commit references the selection, candidate, verifier node, and
102
+ - dispatch keeps a record of a worker id and `readonly` sandbox profile
103
+ - the worker manifest has the worked-out sandbox policy data in it
104
+ - the worker gets to `verified`
105
+ - result and verifier nodes are there
106
+ - the verifier node holds evidence
107
+ - `golden-candidate` gets to `verified` after selection
108
+ - candidate score and ranking files are there
109
+ - the last commit has `verifierGated: true` and `checkpoint: false`
110
+ - the last commit points to the selection, candidate, verifier node, and
111
111
  evidence
112
- - the report mentions the workflow app, candidates, and verifier-gated commit
113
- - operator status, graph, report, and summary commands can inspect the run
114
- - no ErrorFeedback records are produced
112
+ - the report names the workflow app, candidates, and verifier-gated commit
113
+ - operator status, graph, report, and summary commands can look at the run
114
+ - no ErrorFeedback records are made
115
115
 
116
116
  If this command fails, one of the base integration contracts is broken.
117
117
  0.1.51
@@ -2,7 +2,7 @@
2
2
 
3
3
  ## NAME
4
4
 
5
- Error Feedback Loop - inspectable diagnostic and correction state for Cool Workflow
5
+ Error Feedback Loop - diagnostic and correction state you can look into for Cool Workflow
6
6
 
7
7
  ## SYNOPSIS
8
8
 
@@ -27,14 +27,14 @@ const resolved = resolveFeedback(run, records[0].id, {
27
27
  ## DESCRIPTION
28
28
 
29
29
  The Error Feedback Loop is the small layer between structured failures and
30
- operator correction. It records failures as durable JSON, classifies them with
31
- plain identifiers, creates optional correction tasks, and resolves records only
32
- after verifier evidence is present.
30
+ operator correction. It keeps failures as long-lasting JSON, gives them plain
31
+ identifiers, makes optional correction tasks, and clears records only after
32
+ verifier evidence is there.
33
33
 
34
- It does not repair code, retry stages, or own domain workflow behavior. Workflow
35
- apps and operators decide how corrections are applied.
34
+ It does not fix code, do stages again, or own domain workflow behavior. Workflow
35
+ apps and operators say how corrections are put to use.
36
36
 
37
- The loop follows:
37
+ The loop goes like this:
38
38
 
39
39
  ```text
40
40
  error -> classify -> feedback record -> correction task -> verify -> checkpoint
@@ -43,7 +43,7 @@ error -> classify -> feedback record -> correction task -> verify -> checkpoint
43
43
  ## FEEDBACK MODEL
44
44
 
45
45
  Each feedback record is an `ErrorFeedbackRecord` with schema version `1`.
46
- Important fields are:
46
+ The chief fields are:
47
47
 
48
48
  - `id`
49
49
  - `runId`
@@ -65,11 +65,11 @@ Important fields are:
65
65
  - `resolvedByNodeId`
66
66
  - `metadata`
67
67
 
68
- The runtime also keeps `run.feedback` in `state.json` for quick inspection.
68
+ The runtime also keeps `run.feedback` in `state.json` for a quick look.
69
69
 
70
70
  ## FAILURE CLASSIFICATION
71
71
 
72
- Classifications are stable, plain strings:
72
+ Classifications are fixed, plain strings:
73
73
 
74
74
  ```text
75
75
  contract-violation
@@ -83,21 +83,21 @@ runtime-error
83
83
  unknown
84
84
  ```
85
85
 
86
- Classification is conservative. The feedback loop does not duplicate
87
- `PipelineContract` validation logic; it classifies structured errors already
88
- produced by StateNode, PipelineRunner, verifier, or CLI surfaces.
86
+ Classification is careful. The feedback loop does not copy the
87
+ `PipelineContract` validation logic; it gives identifiers to structured errors
88
+ already made by StateNode, PipelineRunner, verifier, or CLI surfaces.
89
89
 
90
90
  ## CORRECTION TASKS
91
91
 
92
92
  Correction tasks are normal task Markdown files under the run `tasks/`
93
- directory. They include the original error, affected node/stage/contract,
94
- evidence, expected verification command, and retry guidance.
93
+ directory. They take in the first error, the touched node/stage/contract, the
94
+ evidence, the looked-for verification command, and help on doing it again.
95
95
 
96
- Creating a correction task marks the feedback record as `tasked`. It does not
97
- apply code changes.
96
+ Making a correction task marks the feedback record as `tasked`. It does not
97
+ make code changes.
98
98
 
99
- Resolving feedback requires a node id whose status is `verified` or `committed`.
100
- Rejected corrections are preserved by setting status to `rejected`.
99
+ To resolve feedback you need a node id whose status is `verified` or `committed`.
100
+ Turned-down corrections are kept by setting status to `rejected`.
101
101
 
102
102
  ## FILES
103
103
 
@@ -111,7 +111,7 @@ Rejected corrections are preserved by setting status to `rejected`.
111
111
 
112
112
  ## EXAMPLES
113
113
 
114
- Collect failed node errors:
114
+ Get together failed node errors:
115
115
 
116
116
  ```text
117
117
  node dist/cli.js feedback collect <run-id>
@@ -123,7 +123,7 @@ List feedback records:
123
123
  node dist/cli.js feedback list <run-id>
124
124
  ```
125
125
 
126
- Show one feedback record:
126
+ Give one feedback record:
127
127
 
128
128
  ```text
129
129
  node dist/cli.js feedback show <run-id> <feedback-id>
@@ -135,19 +135,19 @@ Create a correction task:
135
135
  node dist/cli.js feedback task <run-id> <feedback-id> --verify "npm test"
136
136
  ```
137
137
 
138
- Resolve after a verified node:
138
+ Clear it after a verified node:
139
139
 
140
140
  ```text
141
141
  node dist/cli.js feedback resolve <run-id> <feedback-id> --node <verified-node-id>
142
142
  ```
143
143
 
144
- All commands print stable JSON.
144
+ All commands put out fixed JSON.
145
145
 
146
146
  ## COMPATIBILITY
147
147
 
148
- Error Feedback is introduced in CW v0.1.4. It adds optional `feedback` state and
149
- `feedbackDir` path metadata. Older runs remain readable; missing fields are
150
- initialized when the run is loaded.
148
+ Error Feedback comes in with CW v0.1.4. It adds optional `feedback` state and
149
+ `feedbackDir` path metadata. Older runs can still be read; missing fields are
150
+ started up when the run is loaded.
151
151
 
152
- Existing workflow, node, contract, pipeline, and CLI behavior is preserved.
152
+ The workflow, node, contract, pipeline, and CLI behavior you have now is kept.
153
153
  0.1.51