cool-workflow 0.1.82 → 0.1.84

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (92) hide show
  1. package/.claude-plugin/plugin.json +2 -2
  2. package/.codex-plugin/plugin.json +4 -4
  3. package/README.md +128 -120
  4. package/apps/architecture-review/app.json +1 -1
  5. package/apps/architecture-review-fast/app.json +1 -1
  6. package/apps/end-to-end-golden-path/app.json +1 -1
  7. package/apps/pr-review-fix-ci/app.json +1 -1
  8. package/apps/release-cut/app.json +1 -1
  9. package/apps/research-synthesis/app.json +1 -1
  10. package/dist/capability-core.js +16 -8
  11. package/dist/capability-registry.js +270 -0
  12. package/dist/cli/command-surface.js +1320 -0
  13. package/dist/cli.js +2 -1307
  14. package/dist/commit.js +5 -1
  15. package/dist/doctor.js +153 -0
  16. package/dist/mcp-server.js +15 -1451
  17. package/dist/mcp-surface.js +1441 -0
  18. package/dist/orchestrator.js +13 -0
  19. package/dist/reclamation/hash.js +72 -0
  20. package/dist/reclamation.js +25 -78
  21. package/dist/run-registry/queue.js +6 -7
  22. package/dist/run-registry.js +35 -24
  23. package/dist/scheduler.js +78 -53
  24. package/dist/version.js +1 -1
  25. package/dist/worker-accept/acceptance.js +114 -0
  26. package/dist/worker-accept/blackboard-fanout.js +80 -0
  27. package/dist/worker-accept/blackboard-linkage.js +19 -0
  28. package/dist/worker-accept/context.js +2 -0
  29. package/dist/worker-accept/telemetry-ledger.js +116 -0
  30. package/dist/worker-accept/validation.js +77 -0
  31. package/dist/worker-accept/verifier-completion.js +73 -0
  32. package/dist/worker-isolation.js +41 -446
  33. package/docs/agent-delegation-drive.7.md +94 -86
  34. package/docs/agent-framework.md +33 -32
  35. package/docs/candidate-scoring.7.md +26 -24
  36. package/docs/canonical-workflow-apps.7.md +40 -40
  37. package/docs/capability-topology-registry.7.md +24 -24
  38. package/docs/cli-mcp-parity.7.md +230 -154
  39. package/docs/contract-migration-tooling.7.md +52 -41
  40. package/docs/control-plane-scheduling.7.md +49 -41
  41. package/docs/coordinator-blackboard.7.md +30 -30
  42. package/docs/dogfood-one-real-repo.7.md +44 -44
  43. package/docs/durable-state-and-locking.7.md +38 -30
  44. package/docs/end-to-end-golden-path.7.md +29 -29
  45. package/docs/error-feedback.7.md +27 -27
  46. package/docs/evidence-adoption-reasoning-chain.7.md +66 -58
  47. package/docs/execution-backends.7.md +88 -80
  48. package/docs/getting-started.md +35 -18
  49. package/docs/index.md +3 -3
  50. package/docs/mcp-app-surface.7.md +64 -64
  51. package/docs/multi-agent-cli-mcp-surface.7.md +86 -77
  52. package/docs/multi-agent-eval-replay-harness.7.md +63 -55
  53. package/docs/multi-agent-operator-ux.7.md +73 -65
  54. package/docs/multi-agent-runtime-core.7.md +39 -39
  55. package/docs/multi-agent-topologies.7.md +24 -24
  56. package/docs/multi-agent-trust-policy-audit.7.md +38 -38
  57. package/docs/node-snapshot-diff-replay.7.md +30 -22
  58. package/docs/observability-cost-accounting.7.md +53 -45
  59. package/docs/operator-ux.7.md +30 -30
  60. package/docs/pipeline-runner.7.md +31 -31
  61. package/docs/project-index.md +16 -5
  62. package/docs/real-execution-backends.7.md +51 -43
  63. package/docs/release-and-migration.7.md +46 -38
  64. package/docs/release-tooling.7.md +67 -50
  65. package/docs/routines.md +16 -16
  66. package/docs/run-registry-control-plane.7.md +124 -116
  67. package/docs/run-retention-reclamation.7.md +49 -41
  68. package/docs/sandbox-profiles.7.md +32 -32
  69. package/docs/scheduled-tasks.md +14 -14
  70. package/docs/security-trust-hardening.7.md +29 -29
  71. package/docs/source-context-profiles.7.md +28 -28
  72. package/docs/state-explosion-management.7.md +67 -59
  73. package/docs/state-node.7.md +8 -8
  74. package/docs/team-collaboration.7.md +66 -58
  75. package/docs/trust-model.md +126 -126
  76. package/docs/unix-principles.md +80 -80
  77. package/docs/vendor-manifest-loadability.7.md +20 -20
  78. package/docs/verifier-gated-commit.7.md +16 -16
  79. package/docs/web-desktop-workbench.7.md +73 -65
  80. package/docs/worker-isolation.7.md +34 -37
  81. package/docs/workflow-app-framework.7.md +38 -38
  82. package/manifest/plugin.manifest.json +4 -4
  83. package/package.json +3 -2
  84. package/scripts/bump-version.js +9 -1
  85. package/scripts/canonical-apps.js +4 -4
  86. package/scripts/dogfood-release.js +1 -1
  87. package/scripts/gen-parity-doc.js +106 -0
  88. package/scripts/golden-path.js +4 -4
  89. package/scripts/parity-check.js +27 -57
  90. package/scripts/release-flow.js +7 -6
  91. package/scripts/sync-project-index.js +1 -1
  92. package/dist/verifier-registry.js +0 -46
@@ -1,36 +1,36 @@
1
1
  # Release And Migration Discipline
2
2
 
3
- CW v0.1.14 made release checks and durable run-state compatibility explicit.
3
+ CW v0.1.14 made release checks and durable run-state compatibility clear.
4
4
 
5
5
  ## Who Is Affected
6
6
 
7
7
  Maintainers cutting CW releases should use `npm run release:check` from
8
8
  `plugins/cool-workflow`. Operators loading old `.cw/runs/<run-id>/state.json`
9
- files can inspect compatibility with:
9
+ files can check compatibility with:
10
10
 
11
11
  ```bash
12
12
  node scripts/cw.js state check <run-id>
13
13
  ```
14
14
 
15
15
  Use `--state /path/to/state.json` when checking a state file outside the
16
- current `.cw/runs` tree. Add `--write` only when you deliberately want to write
16
+ current `.cw/runs` tree. Add `--write` only when you truly want to write
17
17
  the normalized/migrated state back to disk.
18
18
 
19
19
  ## State Policy
20
20
 
21
- The current durable run-state schema is `1`, defined by
21
+ The current durable run-state schema is `1`, set by
22
22
  `CURRENT_RUN_STATE_SCHEMA_VERSION` in `src/version.ts`.
23
23
 
24
- Loading state follows this order:
24
+ Loading state goes in this order:
25
25
 
26
26
  ```text
27
27
  read JSON -> detect schema -> migrate -> normalize -> validate -> report
28
28
  ```
29
29
 
30
- CW supports legacy run state with no `schemaVersion` as historical schema `0`
30
+ CW supports old run state with no `schemaVersion` as past schema `0`
31
31
  and migrates it to schema `1`. Schema versions newer than the runtime fail
32
- closed. Invalid state objects fail closed. Unknown user data is preserved by
33
- copying and adding required fields instead of rebuilding state from scratch.
32
+ closed. Bad state objects fail closed. Unknown user data is kept by
33
+ copying and adding required fields, not by building state again from the start.
34
34
 
35
35
  ## Dry Run
36
36
 
@@ -38,7 +38,7 @@ copying and adding required fields instead of rebuilding state from scratch.
38
38
 
39
39
  - detected and current schema versions
40
40
  - compatibility status: `current`, `migrated`, `normalized`, or `unsupported`
41
- - whether writing would be required
41
+ - whether writing would be needed
42
42
  - every field CW would add or normalize
43
43
  - warnings and errors
44
44
 
@@ -53,10 +53,10 @@ Fixture runs live in `test/fixtures/runs/` and cover:
53
53
  - Operator UX
54
54
  - v0.1.13 MCP/App Surface
55
55
 
56
- `npm run fixture-compat` copies each fixture into a temporary `.cw/runs` tree,
57
- runs migration, and proves `status`, `graph`, and `report` still operate. The
58
- fixture files are hashed before and after the test to prove they were not
59
- mutated.
56
+ `npm run fixture-compat` copies each fixture into a short-term `.cw/runs` tree,
57
+ runs migration, and shows `status`, `graph`, and `report` still work. The
58
+ fixture files are hashed before and after the test to show they were not
59
+ changed.
60
60
 
61
61
  ## Release Check
62
62
 
@@ -78,10 +78,10 @@ mutated.
78
78
  - `npm run version:sync`
79
79
 
80
80
  The command is dry-run and non-destructive. Tagging, pushing, and publishing
81
- remain manual release actions after the gate passes.
81
+ stay manual release actions after the gate passes.
82
82
 
83
83
  For v0.1.15, the same gate also includes the Security / Trust Hardening smoke
84
- test so audit/provenance coverage remains part of release discipline.
84
+ test so audit/provenance coverage stays part of release discipline.
85
85
 
86
86
  For v0.1.18, the gate includes Coordinator / Blackboard smoke coverage and
87
87
  fixture normalization for empty blackboard state on older runs.
@@ -111,7 +111,7 @@ summary metrics (`summary_freshness`, `compact_graph_parity`,
111
111
  `blackboard_digest_parity`, `critical_path_parity`, `evidence_digest_parity`,
112
112
  `expansion_ref_integrity`), and CLI/MCP parity. Summaries are derived userland
113
113
  indexes; raw blackboard, graph, audit, and evidence records are never deleted,
114
- and migrations remain backward compatible (pre-0.1.25 eval snapshots load with
114
+ and migrations stay backward compatible (pre-0.1.25 eval snapshots load with
115
115
  empty summary sections).
116
116
 
117
117
  For v0.1.26, the gate includes Evidence Adoption Reasoning Chain smoke coverage
@@ -121,40 +121,40 @@ reasoning steps exempt from compaction, eval/replay reasoning metrics
121
121
  and CLI/MCP parity. The reasoning chain is derived, never authoritative over raw
122
122
  state, and pre-0.1.26 snapshots load with empty reasoning sections.
123
123
 
124
- The host loop must preserve CLI/MCP parity, stable JSON responses,
124
+ The host loop must keep CLI/MCP parity, stable JSON responses,
125
125
  blackboard/audit provenance, evidence-required scoring, fail-closed selection,
126
126
  and compatibility with the lower-level topology, multi-agent, blackboard, and
127
127
  candidate primitives.
128
128
 
129
129
  For v0.1.16, release discipline adds Dogfood One Real Repo. `npm run
130
130
  dogfood:release` runs the canonical `release-cut` app against the real Cool
131
- Workflow repository in dry-run mode and produces a CW report, audit summary,
131
+ Workflow repository in dry-run mode and makes a CW report, audit summary,
132
132
  provenance, release candidate, score, selection, and verifier-gated
133
133
  commit/checkpoint. `npm run release:check` includes the dogfood smoke test so
134
- the wiring stays covered without recursively running the full release gate.
134
+ the wiring stays covered without running the full release gate inside itself.
135
135
 
136
136
  For v0.1.17, release discipline added Multi-Agent Runtime Core coverage.
137
137
  `npm run release:check` runs `test/multi-agent-runtime-core-smoke.js` directly
138
138
  and through `npm test`. Older fixture runs normalize with empty multi-agent
139
139
  state under `multiAgent` and `.cw/runs/<run-id>/multi-agent/`, while unknown
140
- user data remains preserved.
140
+ user data stays kept.
141
141
 
142
142
  ## Unsupported Cases
143
143
 
144
- CW does not silently load:
144
+ CW does not quietly load:
145
145
 
146
146
  - non-object JSON run state
147
147
  - run state with a schema version newer than the runtime
148
148
  - run state with a schema version below the supported minimum
149
149
  - state that cannot be normalized into the required runtime fields
150
150
 
151
- When compatibility is ambiguous, hold the release and add a fixture or migration
152
- step before proceeding.
151
+ When compatibility is not clear, hold the release and add a fixture or migration
152
+ step before going on.
153
153
  ## v0.1.27 — CLI ↔ MCP Parity
154
154
 
155
155
  v0.1.27 adds a declared capability registry and a fail-closed `npm run
156
- parity:check` (wired into `release:check`) guaranteeing the CLI and MCP surfaces
157
- are two renderings of one data source. No run-state schema change: pre-0.1.27
156
+ parity:check` (wired into `release:check`) that makes sure the CLI and MCP surfaces
157
+ are two views of one data source. No run-state schema change: pre-0.1.27
158
158
  runs load unchanged, and every pre-0.1.27 CLI command and MCP tool keeps working.
159
159
  See [cli-mcp-parity.7.md](cli-mcp-parity.7.md).
160
160
 
@@ -172,20 +172,20 @@ deleted and rebuilt from source. See
172
172
 
173
173
  v0.1.29 lifts execution into a pluggable driver layer: one narrow `ExecutionBackend`
174
174
  contract with interchangeable `node`/`bun`/`shell`/`container`/`remote`/`ci`
175
- drivers, selected by `--backend` (parallel to `--sandbox`) and inspected via
175
+ drivers, picked by `--backend` (parallel to `--sandbox`) and inspected via
176
176
  `backend list|show|probe`. The result/evidence envelope is schema-identical across
177
177
  backends; the backend id + sandbox attestation are recorded as provenance, so this
178
- surface is unchanged regardless of which backend executed a run. See
178
+ surface is unchanged no matter which backend executed a run. See
179
179
  [execution-backends.7.md](execution-backends.7.md).
180
180
  ## Web / Desktop Workbench (v0.1.30)
181
181
 
182
182
  v0.1.30 adds the Web / Desktop Workbench: a read-only, localhost-only human
183
183
  console that renders this surface (and the other four operator panels — run
184
184
  graph, blackboard, worker logs, candidate compare, audit timeline) for any run,
185
- reading the SAME capability `--json` payloads. It is a THIRD FRONT DOOR alongside
185
+ reading the SAME capability `--json` payloads. It is a THIRD FRONT DOOR next to
186
186
  the CLI and MCP that holds no authoritative state and forks no schema: each panel
187
187
  equals its `cw <cmd> --json` payload byte-for-byte (parity-gated), and refresh
188
- re-derives everything from disk. See
188
+ derives everything again from disk. See
189
189
  [web-desktop-workbench.7.md](web-desktop-workbench.7.md).
190
190
 
191
191
  ## Observability + Cost Accounting (v0.1.31)
@@ -197,11 +197,11 @@ database, no collector daemon, no hidden counter. The migration is ADDITIVE and
197
197
  backward compatible: an optional, host-attested `UsageRecord` rides on the
198
198
  task/worker record via the EXISTING result/worker intake (absent ⇒ `unreported`,
199
199
  never 0); `ResultEnvelope` and the run-state schema are unchanged (schema version
200
- stays 1), so old runs load and report `unreported` cost while still yielding
200
+ stays 1), so old runs load and report `unreported` cost while still giving
201
201
  correct time and rate metrics from their recorded timestamps and outcomes. Cost
202
- is `attested` only from attested usage × a recorded pricing policy; assumed
203
- pricing is a separate `estimated` figure. Pricing is POLICY supplied as data
204
- (`--pricing <path>|default`), out of the kernel. The per-run report persists a
202
+ is `attested` only from attested usage × a recorded pricing policy; guessed
203
+ pricing is a separate `estimated` figure. Pricing is POLICY given as data
204
+ (`--pricing <path>|default`), out of the kernel. The per-run report keeps a
205
205
  rebuildable, fingerprinted snapshot under `.cw/runs/<id>/metrics/`, and the
206
206
  cross-repo summary reports each snapshot's `valid|stale|absent` freshness against
207
207
  current source. See
@@ -214,7 +214,7 @@ v0.1.32 adds Team Collaboration: a host-attested actor and append-only
214
214
  approvals/rejections/comments/handoffs provenance-linked to a durable target,
215
215
  plus a review gate that STACKS ON the verifier gate — required approvals from
216
216
  authorized roles, enforced inside `resolveCommitGate` AFTER the verifier checks
217
- and never instead of them, failing closed on quorum/authority/self-approval and
217
+ and never in place of them, failing closed on quorum/authority/self-approval and
218
218
  recording who approved the very artifact that shipped. Policy (required approvals,
219
219
  authorized roles, self-approval) is data, default off (pre-v0.1.32 behavior
220
220
  unchanged). The verbs are parity-gated and render read-only in the v0.1.30
@@ -226,7 +226,7 @@ the per-tag mechanical surfaces (version bump across 17 surfaces, feature scaffo
226
226
 
227
227
  ## Real Execution Backend Integrations (v0.1.34)
228
228
 
229
- container/remote/ci backends really execute (docker/podman run, remote/CI POST-and-poll) under the sandbox contract, with byte-stable evidence vs node and fail-closed refusal when a runtime/endpoint is unavailable. See real-execution-backends(7).
229
+ container/remote/ci backends really run (docker/podman run, remote/CI POST-and-poll) under the sandbox contract, with byte-stable evidence vs node and fail-closed refusal when a runtime/endpoint is not there. See real-execution-backends(7).
230
230
 
231
231
  ## Node Snapshot / Diff / Replay (v0.1.35)
232
232
 
@@ -262,11 +262,11 @@ capture findings/evidence from any reasonable agent shape (alt keys + prose), CW
262
262
 
263
263
  ## No-False-Green Gate & Launch Prep (v0.1.43)
264
264
 
265
- Hard gate blocking empty-capture verifier-gated commits, plus quickstart and launch-prep docs.
265
+ Hard gate that blocks empty-capture verifier-gated commits, plus quickstart and launch-prep docs.
266
266
 
267
267
  ## Release-Gate Determinism & Agents Vendor (v0.1.44)
268
268
 
269
- Release-readiness checks now validate the committed blob (`git show HEAD:<path>`) instead of the mutable working tree — eliminating false-red/false-green from concurrent working-tree writes (iCloud/Spotlight/editor). Adds the `agents` vendor manifest target: a generated `.agents/plugins/cool-workflow/` adapter giving any non-Claude AI agent one common interface to CW.
269
+ Release-readiness checks now validate the committed blob (`git show HEAD:<path>`) in place of the mutable working tree — taking away false-red/false-green from concurrent working-tree writes (iCloud/Spotlight/editor). Adds the `agents` vendor manifest target: a generated `.agents/plugins/cool-workflow/` adapter that gives any non-Claude AI agent one common interface to CW.
270
270
 
271
271
  ## P1-P2 Fixes & CI Content Surfaces (v0.1.49)
272
272
 
@@ -287,5 +287,13 @@ Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, dif
287
287
 
288
288
  ## Migration Compatibility (v0.1.81)
289
289
 
290
- v0.1.81 is additive: every change is a new flag/verb/env (`audit verify`, `run inspect-archive`, `verify-import --strict`, `CW_REQUIRE_ARCHIVE_INTEGRITY`, `quickstart --resume`, `run resume --drive`) or an internal behavior-preserving carve. Run-state schema, existing outputs, files, and exit codes are byte-identical, so runs and archives from prior versions load and verify unchanged. No migration action is required.
290
+ v0.1.81 is additive: every change is a new flag/verb/env (`audit verify`, `run inspect-archive`, `verify-import --strict`, `CW_REQUIRE_ARCHIVE_INTEGRITY`, `quickstart --resume`, `run resume --drive`) or an internal behavior-preserving carve. Run-state schema, existing outputs, files, and exit codes are byte-identical, so runs and archives from earlier versions load and verify unchanged. No migration action is needed.
291
291
  _No changes in v0.1.82._
292
+
293
+ ## Hardening and Onboarding (v0.1.83)
294
+
295
+ Loaders fail closed on corrupt state; store writes are made safe under more than one writer; a new cw doctor checks your setup; help lists every command; and the docs are put into Basic English.
296
+
297
+ ## Privacy Release (v0.1.84)
298
+
299
+ No other change to this page in v0.1.84.
@@ -1,13 +1,13 @@
1
1
  # Release Tooling
2
2
 
3
- CW v0.1.33 adds Release Tooling: the mechanical, repetitive part of cutting a tag
3
+ CW v0.1.33 adds Release Tooling: the mechanical, do-it-again part of cutting a tag
4
4
  becomes three deterministic scripts plus a de-duplicated release gate. Before
5
- v0.1.33 a release meant hand-editing the version across ~17 surfaces and recreating
6
- the same doc/test/CHANGELOG shapes by hand — slow, and the source of stale-version
7
- gate failures. This release leaves the kernel runtime untouched and moves the toil
8
- into tooling, so an author spends time on the feature, not the boilerplate.
5
+ v0.1.33 a release meant changing the version by hand across ~17 surfaces and making
6
+ the same doc/test/CHANGELOG shapes by hand — slow, and the cause of stale-version
7
+ gate failures. This release leaves the kernel runtime untouched and moves the hard
8
+ work into tooling, so an author gives time to the feature, not the boilerplate.
9
9
 
10
- The discipline is the same base-system separation used elsewhere: there is one
10
+ The way of working is the same base-system separation used in other places: there is one
11
11
  source of truth, and the mechanical surfaces are DERIVED from it, fail-closed.
12
12
 
13
13
  ## bump:version
@@ -19,16 +19,16 @@ npm run bump:version -- 0.1.33
19
19
 
20
20
  One command rewrites every STRUCTURED version surface from a single source
21
21
  (`package.json`): `package.json`, `package-lock.json`, `src/version.ts`,
22
- `manifest/plugin.manifest.json` (then `gen:manifests` propagates to the vendor
22
+ `manifest/plugin.manifest.json` (then `gen:manifests` sends it on to the vendor
23
23
  manifests), every `apps/*/app.json` (top-level `version` only, never
24
- `compatibility.minVersion`), and the scripts/tests that hard-code the current
25
- version as a current-version reference. The version string is swapped with a
26
- TARGETED `old -> new` replace, so historical references (a prior `minVersion`, a
27
- `pre-vX` note, a fixed demo version) are preserved. It then rebuilds `dist/`, runs
28
- `version:sync`, and reports the remaining prose-doc surfaces.
24
+ `compatibility.minVersion`), and the scripts/tests that fix the current
25
+ version in code as a current-version reference. The version string is changed with a
26
+ TARGETED `old -> new` replace, so older references (a past `minVersion`, a
27
+ `pre-vX` note, a fixed demo version) are kept. It then builds `dist/` again, runs
28
+ `version:sync`, and reports the prose-doc surfaces that are left.
29
29
 
30
- `version-sync-check.js` reads the expected version from `package.json`, so the
31
- checker can never drift from the bump source.
30
+ `version-sync-check.js` reads the looked-for version from `package.json`, so the
31
+ checker can never get out of step with the bump source.
32
32
 
33
33
  ## new:feature
34
34
 
@@ -36,11 +36,11 @@ checker can never drift from the bump source.
36
36
  node scripts/new-feature.js <slug> "<Title>" ["summary"]
37
37
  ```
38
38
 
39
- Scaffolds the per-tag boilerplate: the `docs/<slug>.7.md` skeleton, a runnable
39
+ Builds the per-tag boilerplate frame: the `docs/<slug>.7.md` skeleton, a runnable
40
40
  `test/<slug>-smoke.js` stub, and a `CHANGELOG` entry, then PRINTS the exact
41
41
  gate-file edits (capability registry, `version:sync` assertions, the `docs presence`
42
- list, the `npm test` chain). Gate files are printed, never auto-edited, so a
43
- scaffold can never silently break a release gate.
42
+ list, the `npm test` chain). Gate files are printed, never changed on their own, so a
43
+ new frame can never quietly break a release gate.
44
44
 
45
45
  ## forward-ref
46
46
 
@@ -48,17 +48,17 @@ scaffold can never silently break a release gate.
48
48
  node scripts/forward-ref-docs.js "<Title>" "<summary>"
49
49
  ```
50
50
 
51
- Appends a `## <Title> (vX)` forward-reference section to every doc `version:sync`
52
- requires to carry the current version (the repo's per-release documentation
53
- pattern). APPEND-ONLY and idempotent: it never rewrites a historical version label
54
- and re-running for the same version is a no-op.
51
+ Adds a `## <Title> (vX)` forward-reference section at the end of every doc `version:sync`
52
+ needs to carry the current version (the repo's per-release documentation
53
+ pattern). APPEND-ONLY and idempotent: it never rewrites an older version label
54
+ and running it again for the same version does nothing.
55
55
 
56
56
  ## De-duplicated release:check
57
57
 
58
- `release:check` previously ran `npm test` AND then re-ran ~15 of those same smoke
59
- tests individually (plus redundant `eval:replay`/`fixture-compat` re-runs). Every
60
- individual step is already covered by `npm test`, so they were removed — the gate
61
- keeps full coverage while dropping the duplicate wall time. The steps that remain
58
+ `release:check` before this ran `npm test` AND then ran ~15 of those same smoke
59
+ tests again one by one (plus extra `eval:replay`/`fixture-compat` re-runs). Every
60
+ single step is already covered by `npm test`, so they were taken out — the gate
61
+ keeps full coverage while cutting the doubled wall time. The steps that stay
62
62
  are the ones NOT covered by `npm test`: build, type check, `npm test`,
63
63
  canonical-apps, golden-path, parity, vendor-manifest drift, and `version:sync`.
64
64
 
@@ -66,8 +66,8 @@ canonical-apps, golden-path, parity, vendor-manifest drift, and `version:sync`.
66
66
 
67
67
  Release Tooling touches only the build/release surfaces. It adds no runtime
68
68
  capability, no CLI/MCP verb, and no run-state schema change; the kernel is
69
- unchanged. Older releases cut by hand remain valid — the scripts only standardize
70
- the mechanical surfaces a tag must update.
69
+ unchanged. Older releases cut by hand are still good — the scripts only make
70
+ the mechanical surfaces a tag must update the same each time.
71
71
 
72
72
  ## See Also
73
73
 
@@ -75,7 +75,7 @@ cli-mcp-parity(7), release-and-migration(7), dogfood-one-real-repo(7)
75
75
 
76
76
  ## Real Execution Backend Integrations (v0.1.34)
77
77
 
78
- container/remote/ci backends really execute (docker/podman run, remote/CI POST-and-poll) under the sandbox contract, with byte-stable evidence vs node and fail-closed refusal when a runtime/endpoint is unavailable. See real-execution-backends(7).
78
+ container/remote/ci backends really run (docker/podman run, remote/CI POST-and-poll) under the sandbox contract, with byte-stable evidence next to node and fail-closed refusal when a runtime/endpoint is not there. See real-execution-backends(7).
79
79
 
80
80
  ## Node Snapshot / Diff / Replay (v0.1.35)
81
81
 
@@ -107,7 +107,7 @@ evidence grounding + durable audit append + symlink-hardened containment + deter
107
107
 
108
108
  ## Robust Result Ingest (v0.1.42)
109
109
 
110
- capture findings/evidence from any reasonable agent shape (alt keys + prose), CW derives grounded evidence itself, warn on empty capture — closes the v0.1.41 live-drive 'accepted with 0 captured' failure
110
+ capture findings/evidence from any fair agent shape (alt keys + prose), CW works out grounded evidence itself, warn on empty capture — closes the v0.1.41 live-drive 'accepted with 0 captured' failure
111
111
 
112
112
  ## No-False-Green Gate & Launch Prep (v0.1.43)
113
113
 
@@ -115,7 +115,7 @@ Hard gate blocking empty-capture verifier-gated commits, plus quickstart and lau
115
115
 
116
116
  ## Release-Gate Determinism & Agents Vendor (v0.1.44)
117
117
 
118
- Release-readiness checks now validate the committed blob (`git show HEAD:<path>`) instead of the mutable working tree — eliminating false-red/false-green from concurrent working-tree writes (iCloud/Spotlight/editor). Adds the `agents` vendor manifest target: a generated `.agents/plugins/cool-workflow/` adapter giving any non-Claude AI agent one common interface to CW.
118
+ Release-readiness checks now check the committed blob (`git show HEAD:<path>`) and not the changeable working tree — taking away false-red/false-green from working-tree writes at the same time (iCloud/Spotlight/editor). Adds the `agents` vendor manifest target: a generated `.agents/plugins/cool-workflow/` adapter giving any non-Claude AI agent one shared way in to CW.
119
119
 
120
120
  ## P1-P2 Fixes & CI Content Surfaces (v0.1.49)
121
121
 
@@ -125,10 +125,10 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
125
125
 
126
126
  The gated release ritual — deterministic gate → independent reviewer → verdict →
127
127
  (tag) — is now ONE zero-dependency Node orchestrator that runs the same under any
128
- harness. It does not depend on a host's agent-orchestration primitive; the only
128
+ harness. It does not lean on a host's agent-orchestration primitive; the only
129
129
  LLM step (the reviewer) is **delegated** through CW's agent backend, so whichever
130
- model you configure does the review. CW spawns the agent argv-style (`shell:false`),
131
- inherits the agent's own credentials, and imports no model SDK — the red line.
130
+ model you set up does the review. CW starts the agent argv-style (`shell:false`),
131
+ takes on the agent's own credentials, and pulls in no model SDK — the red line.
132
132
 
133
133
  ```bash
134
134
  # check only (gate + independent review, no mutation):
@@ -139,48 +139,57 @@ node plugins/cool-workflow/scripts/release-flow.js --cut --version 0.1.77 [--pus
139
139
  node plugins/cool-workflow/scripts/release-flow.js --release --version 0.1.77 [--soft]
140
140
  ```
141
141
 
142
- The per-platform difference is config, not code — set the reviewer agent:
142
+ The per-platform difference is config, not code — set the reviewer agent here:
143
143
 
144
144
  | Platform | Reviewer config |
145
145
  |---|---|
146
- | Claude | `CW_AGENT_COMMAND="claude -p {{input}}"` |
146
+ | Claude | `CW_AGENT_COMMAND="claude -p --permission-mode acceptEdits {{input}}"` |
147
147
  | Codex | `CW_AGENT_COMMAND="codex exec {{input}}"` |
148
148
  | Gemini | `CW_AGENT_COMMAND="gemini -p {{input}}"` |
149
149
  | OpenCode | `CW_AGENT_COMMAND="opencode run -m <provider/model> {{input}}"` |
150
150
  | DeepSeek | via OpenCode (`-m deepseek/deepseek-chat`) or `CW_AGENT_ENDPOINT=<deepseek-compatible HTTP agent>` |
151
151
 
152
- `{{input}}` is substituted with the reviewer prompt file path. Gemini and OpenCode
152
+ The reviewer's last act is to **write** the verdict file, so a headless agent
153
+ needs file-write permission. For `claude -p`, recent CLIs default to a mode that
154
+ silently denies `Write` (no prompt in headless mode), so the reviewer reaches a
155
+ verdict but cannot persist it and the flow fails closed at `[3/3] verify` with
156
+ `no verdict written`. The `--permission-mode acceptEdits` flag in the preset above
157
+ fixes this; Read/Bash (which the review itself needs) keep working. The reviewer
158
+ CLI must also be logged in (`claude auth login` / `claude auth status` →
159
+ `loggedIn: true`) — a fresh shell or CI runner is not.
160
+
161
+ `{{input}}` is put in place of the reviewer prompt file path. Gemini and OpenCode
153
162
  also get generated MCP manifests (`.gemini-plugin/`, `.opencode-plugin/`) so the
154
- `cw_*` tools are available as MCP tools in those hosts. The verdict path
163
+ `cw_*` tools are there as MCP tools in those hosts. The verdict path
155
164
  (`.cw-release/review-<sha>.verdict`) and the tag-push CI backstop are unchanged.
156
165
 
157
166
  ### GitHub Release finishing step
158
167
 
159
- A `--cut --push` finishes by creating the **GitHub Release** for the tag, and
168
+ A `--cut --push` ends by creating the **GitHub Release** for the tag, and
160
169
  `--release --version x.y.z` creates-or-skips one for an already-pushed tag
161
- (backfill). The notes body is assembled from the `## x.y.z` CHANGELOG section as
170
+ (backfill). The notes body is put together from the `## x.y.z` CHANGELOG section as
162
171
  shipped at the tag, the independent reviewer's one-line capability, and a
163
172
  "Provenance & audit" footer linking the reviewed commit, the **committed** reviewer
164
173
  verdict, the full diff, and the provenance-attested npm version.
165
174
 
166
175
  This step is **distribution upside, not a correctness gate**: the load-bearing
167
- artifacts (the tag and the provenance-attested npm publish) already exist when it
168
- runs. Therefore `gh` is **not** part of the node/git portability floor — it runs
176
+ artifacts (the tag and the provenance-attested npm publish) are there already when it
177
+ runs. So `gh` is **not** part of the node/git portability floor — it runs
169
178
  ONLY in the human `--cut --push` / `--release` paths (never a gate or CI path) and
170
- is **idempotent** (skips if the Release already exists).
179
+ is **idempotent** (skips if the Release is there already).
171
180
 
172
- Failure semantics differ by mode: in the **`--cut --push` finishing step** an
181
+ Failure behavior is not the same by mode: in the **`--cut --push` finishing step** an
173
182
  absent/unauthenticated/erroring `gh` **skips with a stderr note and never fails the
174
- cut** (the tag and npm publish stand) — opt out entirely with `--no-release`. In the
175
- explicit **`--release` backfill** it **fails closed** (exit 1) with guidance, since
176
- the operator asked for it directly; add `--soft` to downgrade `--release` to the same
183
+ cut** (the tag and npm publish stand) — opt out fully with `--no-release`. In the
184
+ clear **`--release` backfill** it **fails closed** (exit 1) with guidance, since
185
+ the operator asked for it straight; add `--soft` to bring `--release` down to the same
177
186
  best-effort skip-not-fail behavior.
178
187
 
179
188
  Honesty: the notes claim the gated flow ("independent release-reviewer, verdict
180
189
  above") **only when a committed `APPROVED` verdict is found at the tag**; backfilling
181
- an ungated tag emits a neutral caveat instead and warns on stderr — the notes never
182
- assert a review that isn't there. Test seam: `CW_RELEASE_FLOW_GH_CMD` swaps the `gh`
183
- binary for a stub (spawned `shell:false`) so the smoke exercises it offline.
190
+ an ungated tag gives a plain caveat instead and warns on stderr — the notes never
191
+ claim a review that is not there. Test seam: `CW_RELEASE_FLOW_GH_CMD` puts a stub in place of the `gh`
192
+ binary (spawned `shell:false`) so the smoke runs it offline.
184
193
 
185
194
  0.1.51
186
195
 
@@ -192,7 +201,15 @@ binary for a stub (spawned `shell:false`) so the smoke exercises it offline.
192
201
 
193
202
  ## Fast Architecture Review (v0.1.80)
194
203
 
195
- Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, reusable Map and Assess results, measurable wrapper metrics, actionable background full-review handoff, and userland model policy flags for routing fast/strong workers without changing the full review contract.
204
+ Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, reusable Map and Assess results, measurable wrapper metrics, useful background full-review handoff, and userland model policy flags for routing fast/strong workers without changing the full review contract.
196
205
 
197
206
  _No changes to the release-flow tooling in v0.1.81; this release was cut through the existing gate->review->tag flow._
198
207
  _No changes to the release-tooling contract in v0.1.82._
208
+
209
+ ## Hardening and Onboarding (v0.1.83)
210
+
211
+ Loaders fail closed on corrupt state; store writes are made safe under more than one writer; a new cw doctor checks your setup; help lists every command; and the docs are put into Basic English.
212
+
213
+ ## Privacy Release (v0.1.84)
214
+
215
+ `release-flow` now writes reviewer input with repo-local paths, so local user home names do not enter the saved review prompt.
package/docs/routines.md CHANGED
@@ -1,9 +1,9 @@
1
1
  # Routines
2
2
 
3
- CW routines define a trigger, an event payload, match rules, and a generated
4
- prompt that an agent host can execute.
3
+ A CW routine has a trigger, an event payload, match rules, and a prompt it makes
4
+ for an agent host to run.
5
5
 
6
- CW stores routine data in:
6
+ CW keeps routine data in:
7
7
 
8
8
  ```text
9
9
  .cw/routines/triggers.json
@@ -43,9 +43,9 @@ node scripts/cw.js routine events
43
43
 
44
44
  ## Long Architecture Reviews
45
45
 
46
- Use `architecture-review-fast` for the foreground user path, then schedule the
47
- full `architecture-review` app as background work when a deep audit should not
48
- block an interactive session:
46
+ Use `architecture-review-fast` for the foreground user path. Then put the
47
+ full `architecture-review` app in line as background work when a deep look-over
48
+ should not get in the way of a back-and-forth session:
49
49
 
50
50
  ```bash
51
51
  node scripts/architecture-review-fast.js \
@@ -55,17 +55,17 @@ node scripts/architecture-review-fast.js \
55
55
  --schedule-full
56
56
  ```
57
57
 
58
- The wrapper creates a one-shot reminder schedule whose `workflowId` is
59
- `architecture-review`. The schedule prompt is policy. CW stores the schedule and
60
- records due events; the external agent host decides how to run the long review.
61
- The prompt includes the foreground fast run id, fast report path, source-context
62
- digest/profile, and asks the background agent to return the full review report
63
- path and digest.
64
- The `--metrics` flag is optional and reports foreground elapsed time plus
58
+ The wrapper makes a one-shot reminder schedule whose `workflowId` is
59
+ `architecture-review`. The schedule prompt is policy. CW keeps the schedule and
60
+ notes down due events; the outside agent host says how to run the long review.
61
+ The prompt has in it the foreground fast run id, fast report path, source-context
62
+ digest/profile, and it asks the background agent to give back the full review
63
+ report path and digest.
64
+ The `--metrics` flag is not required and it gives back foreground time used plus
65
65
  agent-spawn and result-cache-hit counts for the fast run.
66
66
 
67
67
  ## Boundary
68
68
 
69
- CW v0.1.1 does not provide managed cloud infrastructure. It provides a local
70
- routine bridge that can be connected to GitHub Actions, webhooks, cron, or a
71
- small HTTP adapter in a future release.
69
+ CW v0.1.1 does not give managed cloud infrastructure. It gives a local
70
+ routine bridge that may be joined to GitHub Actions, webhooks, cron, or a
71
+ small HTTP adapter in a later release.