cool-workflow 0.1.82 → 0.1.84

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (92) hide show
  1. package/.claude-plugin/plugin.json +2 -2
  2. package/.codex-plugin/plugin.json +4 -4
  3. package/README.md +128 -120
  4. package/apps/architecture-review/app.json +1 -1
  5. package/apps/architecture-review-fast/app.json +1 -1
  6. package/apps/end-to-end-golden-path/app.json +1 -1
  7. package/apps/pr-review-fix-ci/app.json +1 -1
  8. package/apps/release-cut/app.json +1 -1
  9. package/apps/research-synthesis/app.json +1 -1
  10. package/dist/capability-core.js +16 -8
  11. package/dist/capability-registry.js +270 -0
  12. package/dist/cli/command-surface.js +1320 -0
  13. package/dist/cli.js +2 -1307
  14. package/dist/commit.js +5 -1
  15. package/dist/doctor.js +153 -0
  16. package/dist/mcp-server.js +15 -1451
  17. package/dist/mcp-surface.js +1441 -0
  18. package/dist/orchestrator.js +13 -0
  19. package/dist/reclamation/hash.js +72 -0
  20. package/dist/reclamation.js +25 -78
  21. package/dist/run-registry/queue.js +6 -7
  22. package/dist/run-registry.js +35 -24
  23. package/dist/scheduler.js +78 -53
  24. package/dist/version.js +1 -1
  25. package/dist/worker-accept/acceptance.js +114 -0
  26. package/dist/worker-accept/blackboard-fanout.js +80 -0
  27. package/dist/worker-accept/blackboard-linkage.js +19 -0
  28. package/dist/worker-accept/context.js +2 -0
  29. package/dist/worker-accept/telemetry-ledger.js +116 -0
  30. package/dist/worker-accept/validation.js +77 -0
  31. package/dist/worker-accept/verifier-completion.js +73 -0
  32. package/dist/worker-isolation.js +41 -446
  33. package/docs/agent-delegation-drive.7.md +94 -86
  34. package/docs/agent-framework.md +33 -32
  35. package/docs/candidate-scoring.7.md +26 -24
  36. package/docs/canonical-workflow-apps.7.md +40 -40
  37. package/docs/capability-topology-registry.7.md +24 -24
  38. package/docs/cli-mcp-parity.7.md +230 -154
  39. package/docs/contract-migration-tooling.7.md +52 -41
  40. package/docs/control-plane-scheduling.7.md +49 -41
  41. package/docs/coordinator-blackboard.7.md +30 -30
  42. package/docs/dogfood-one-real-repo.7.md +44 -44
  43. package/docs/durable-state-and-locking.7.md +38 -30
  44. package/docs/end-to-end-golden-path.7.md +29 -29
  45. package/docs/error-feedback.7.md +27 -27
  46. package/docs/evidence-adoption-reasoning-chain.7.md +66 -58
  47. package/docs/execution-backends.7.md +88 -80
  48. package/docs/getting-started.md +35 -18
  49. package/docs/index.md +3 -3
  50. package/docs/mcp-app-surface.7.md +64 -64
  51. package/docs/multi-agent-cli-mcp-surface.7.md +86 -77
  52. package/docs/multi-agent-eval-replay-harness.7.md +63 -55
  53. package/docs/multi-agent-operator-ux.7.md +73 -65
  54. package/docs/multi-agent-runtime-core.7.md +39 -39
  55. package/docs/multi-agent-topologies.7.md +24 -24
  56. package/docs/multi-agent-trust-policy-audit.7.md +38 -38
  57. package/docs/node-snapshot-diff-replay.7.md +30 -22
  58. package/docs/observability-cost-accounting.7.md +53 -45
  59. package/docs/operator-ux.7.md +30 -30
  60. package/docs/pipeline-runner.7.md +31 -31
  61. package/docs/project-index.md +16 -5
  62. package/docs/real-execution-backends.7.md +51 -43
  63. package/docs/release-and-migration.7.md +46 -38
  64. package/docs/release-tooling.7.md +67 -50
  65. package/docs/routines.md +16 -16
  66. package/docs/run-registry-control-plane.7.md +124 -116
  67. package/docs/run-retention-reclamation.7.md +49 -41
  68. package/docs/sandbox-profiles.7.md +32 -32
  69. package/docs/scheduled-tasks.md +14 -14
  70. package/docs/security-trust-hardening.7.md +29 -29
  71. package/docs/source-context-profiles.7.md +28 -28
  72. package/docs/state-explosion-management.7.md +67 -59
  73. package/docs/state-node.7.md +8 -8
  74. package/docs/team-collaboration.7.md +66 -58
  75. package/docs/trust-model.md +126 -126
  76. package/docs/unix-principles.md +80 -80
  77. package/docs/vendor-manifest-loadability.7.md +20 -20
  78. package/docs/verifier-gated-commit.7.md +16 -16
  79. package/docs/web-desktop-workbench.7.md +73 -65
  80. package/docs/worker-isolation.7.md +34 -37
  81. package/docs/workflow-app-framework.7.md +38 -38
  82. package/manifest/plugin.manifest.json +4 -4
  83. package/package.json +3 -2
  84. package/scripts/bump-version.js +9 -1
  85. package/scripts/canonical-apps.js +4 -4
  86. package/scripts/dogfood-release.js +1 -1
  87. package/scripts/gen-parity-doc.js +106 -0
  88. package/scripts/golden-path.js +4 -4
  89. package/scripts/parity-check.js +27 -57
  90. package/scripts/release-flow.js +7 -6
  91. package/scripts/sync-project-index.js +1 -1
  92. package/dist/verifier-registry.js +0 -46
@@ -1,34 +1,34 @@
1
1
  # Run Registry / Control Plane
2
2
 
3
- CW v0.1.28 adds the Run Registry / Control Plane: a layer that manages MANY
3
+ CW v0.1.28 adds the Run Registry / Control Plane: a layer that takes care of MANY
4
4
  workflow runs across repositories. Before v0.1.28 a run lived only under its
5
5
  repo's `.cw/runs/<id>/` and was loaded from the current directory
6
- (`loadRunFromCwd`); there was no cross-repo index and no unified lifecycle
7
- management. This release adds search, resume, archive, a durable queue,
8
- cross-repo history, and failed-run rerun — without changing the run-state schema
6
+ (`loadRunFromCwd`); there was no cross-repo index and no joined-up lifecycle
7
+ control. This release adds search, resume, archive, a durable queue,
8
+ cross-repo history, and failed-run rerun — without any change to the run-state schema
9
9
  and without taking ownership of source truth.
10
10
 
11
- The design follows the same base-system observability philosophy as
11
+ The design keeps to the same base-system observability idea as
12
12
  [State Explosion Management](state-explosion-management.7.md) and the
13
13
  [Evidence Adoption Reasoning Chain](evidence-adoption-reasoning-chain.7.md):
14
14
 
15
15
  - the per-run `.cw/runs/<id>/state.json` is the SINGLE source of truth
16
- - the registry is a DERIVED userland index, never a replacement for source records
16
+ - the registry is a DERIVED userland index, never a stand-in for source records
17
17
  - plain files, stable JSON, deterministic output
18
- - small composable commands and readable console views with full
19
- machine-readable output available
18
+ - small commands that join together and console views easy to read, with full
19
+ machine-readable output on offer
20
20
  - fail closed when the index is stale, a run's source changed, or its source is
21
- missing — never fabricate run status from the cache
22
- - append-only history: resume continues a run, rerun creates a NEW linked run,
21
+ missing — never make up run status from the cache
22
+ - append-only history: resume goes on with a run, rerun makes a NEW linked run,
23
23
  and archive marks rather than deletes
24
- - backward compatible; no hidden database; no daemon required to read state
24
+ - backward compatible; no hidden database; no daemon needed to read state
25
25
 
26
26
  ## Mechanism vs policy
27
27
 
28
28
  The registry is MECHANISM: a rebuildable cache over runs. POLICY — retention
29
- windows, queue ordering, and archive thresholds — is configurable and kept out
29
+ windows, queue ordering, and archive thresholds — can be set and is kept out
30
30
  of the index (`RunRegistryPolicy`, explicit flags). The index can be deleted and
31
- rebuilt from source at any time; it never holds authority a `state.json` does
31
+ built again from source at any time; it never holds power that a `state.json` does
32
32
  not.
33
33
 
34
34
  ## Derived index model
@@ -42,24 +42,24 @@ counts, `commitCount`, `verifierGatedCommitCount`, `openFeedbackCount`, a bounde
42
42
  per-record `freshness` (`valid`, `stale`, or `missing`), and optional
43
43
  `provenance`.
44
44
 
45
- A `RunRegistryIndex` aggregates records for a scope (`repo` or `home`) with its
45
+ A `RunRegistryIndex` brings together records for a scope (`repo` or `home`) with its
46
46
  own `sourceFingerprint`, the covered `repos`, the `queue`, and lifecycle
47
47
  `counts`. A `RunRegistryReport` wraps the index with explicit freshness
48
48
  (`valid`, `stale`, or `absent`) plus the `staleRuns` and `missingRuns` lists and
49
- a `nextAction`. Every read re-derives records from source; the persisted index is
49
+ a `nextAction`. Every read makes records again from source; the persisted index is
50
50
  only compared against, never trusted as the live status.
51
51
 
52
52
  During one index build, repo-level overlays (`archive.json` and
53
53
  `provenance.json`) are read once per repo and passed as an in-memory scan
54
- snapshot to each run record. This is a short-lived mechanism, not a persistent
55
- cache: the next registry command re-reads source state and overlays from disk, so
54
+ snapshot to each run record. This is a short-lived mechanism, not a lasting
55
+ cache: the next registry command reads source state and overlays again from disk, so
56
56
  freshness, fail-closed behavior, and output shape stay unchanged while large
57
- repos avoid repeated identical overlay reads.
57
+ repos keep clear of doing the same overlay reads over and over.
58
58
 
59
59
  ## Lifecycle state machine
60
60
 
61
- Lifecycle is CLASSIFIED from existing state, never invented. `deriveLifecycle`
62
- applies the following rules to a run's source state — first match wins:
61
+ Lifecycle is SORTED from state that is already there, never made up. `deriveLifecycle`
62
+ puts the following rules to a run's source state — first match wins:
63
63
 
64
64
  ```text
65
65
  1. running tasks > 0 -> running
@@ -71,14 +71,14 @@ applies the following rules to a run's source state — first match wins:
71
71
  7. otherwise -> queued
72
72
  ```
73
73
 
74
- `archived` is an OVERLAY disposition applied on top of this. The surfaced
75
- `lifecycle` becomes `archived`, but `derivedLifecycle` preserves the
76
- source-derived state so search and history can still match the underlying run.
74
+ `archived` is an OVERLAY state put on top of this. The shown
75
+ `lifecycle` becomes `archived`, but `derivedLifecycle` keeps the
76
+ source-derived state so search and history can still match the run under it.
77
77
  The classifier never reads the cache; it reads source `state.json`.
78
78
 
79
79
  ## Cross-repo layout
80
80
 
81
- State is plain files, readable and diffable:
81
+ State is plain files, easy to read and to diff:
82
82
 
83
83
  ```text
84
84
  <repo>/.cw/runs/<id>/state.json source of truth (unchanged, never owned here)
@@ -91,131 +91,131 @@ $CW_HOME/registry/index.json cross-repo derived index (rebuildable)
91
91
  $CW_HOME/registry/queue.json durable run queue (plain, ordered)
92
92
  ```
93
93
 
94
- The home registry root resolves from `CW_HOME`, then
94
+ The home registry root is worked out from `CW_HOME`, then
95
95
  `XDG_STATE_HOME/cool-workflow`, then `~/.local/state/cool-workflow`. A repo is
96
- registered into `repos.json` when it is refreshed (or when a queue entry names
97
- it). Reads never write: a search or show computes the repo set as the union of
96
+ put into `repos.json` when it is refreshed (or when a queue entry names
97
+ it). Reads never write: a search or show works out the repo set as the union of
98
98
  the registered repos and the current repo in memory, so reading the index never
99
- mutates discovery state.
99
+ changes discovery state.
100
100
 
101
101
  ## Search
102
102
 
103
103
  `run search` queries runs by `--app`, `--status`, time range (`--since`,
104
104
  `--until`), `--repo`, and free-text (`--text`, matched over runId, app, workflow,
105
105
  title, repo, lifecycle, loop stage, and a bounded digest of run inputs).
106
- Results are deterministic (ordered by `createdAt`, then `runId`) and paginated
106
+ Results are deterministic (ordered by `createdAt`, then `runId`) and in pages
107
107
  (`--limit`, `--offset`). Search is cross-repo by default (`--scope home`); use
108
- `--scope repo` to restrict to the current repo. Archived runs are included by
109
- default and can be excluded with `--include-archived false`.
108
+ `--scope repo` to keep to the current repo. Archived runs are taken in by
109
+ default and can be left out with `--include-archived false`.
110
110
 
111
111
  ## Resume
112
112
 
113
- `run resume <run-id>` resolves a run by id across the registry — not just the
114
- cwd — loads its durable state, and returns the next runnable tasks and next
115
- actions for the host to execute. Resume is read-only over source: it never
116
- mutates `state.json` and never un-archives a run.
113
+ `run resume <run-id>` finds a run by id across the registry — not just the
114
+ cwd — loads its durable state, and gives back the next runnable tasks and next
115
+ actions for the host to run. Resume is read-only over source: it never
116
+ changes `state.json` and never un-archives a run.
117
117
 
118
- `run resume <run-id> --drive` (or `--once` for a single step) hands the resolved
119
- run straight to the existing agent-delegation drive loop — it re-plans nothing and
118
+ `run resume <run-id> --drive` (or `--once` for a single step) hands the found
119
+ run straight to the agent-delegation drive loop that is already there — it plans nothing again and
120
120
  picks up the pending/running tasks deterministically from durable state — and
121
- augments the result with the drive outcome under a `drive` field. The default (no
121
+ adds the drive outcome to the result under a `drive` field. The default (no
122
122
  `--drive`) payload and `nextActions` stay byte-identical. An unconfigured agent
123
- yields `drive.status="blocked"` (fail-closed, never a fabricated completion); CW
124
- delegates worker execution to your agent and never runs a model itself.
123
+ gives `drive.status="blocked"` (fail-closed, never a made-up completion); CW
124
+ hands worker execution to your agent and never runs a model itself.
125
125
 
126
126
  ## Queue
127
127
 
128
- `queue add` appends a durable entry to `$CW_HOME/registry/queue.json` with an
128
+ `queue add` adds a durable entry to the end of `$CW_HOME/registry/queue.json` with an
129
129
  explicit `--priority` (lower drains first; ties break by enqueue time, then id).
130
130
  `queue list` prints the queue in policy order; `queue show <id>` shows one entry.
131
- `queue drain [--limit N]` marks the next ready entries drained and returns them —
132
- CW records order and readiness; the HOST still executes the workers. Nothing in
133
- the queue spawns work on its own.
131
+ `queue drain [--limit N]` marks the next ready entries drained and gives them back
132
+ CW keeps a record of order and readiness; the HOST still runs the workers. Nothing in
133
+ the queue starts work on its own.
134
134
 
135
135
  ## Archive
136
136
 
137
137
  `run archive <run-id>` writes an overlay mark to the owning repo's
138
138
  `registry/archive.json`; the run's `state.json` is never moved or deleted, and
139
- the run stays searchable (its `derivedLifecycle` is preserved). `--unarchive`
139
+ the run stays searchable (its `derivedLifecycle` is kept). `--unarchive`
140
140
  clears the mark. Retention is POLICY: `run archive --older-than-days N
141
- [--state completed --state failed]` archives eligible runs older than the window
141
+ [--state completed --state failed]` archives runs that fit and are older than the window
142
142
  without touching source truth. The default policy archives nothing
143
143
  (`archiveOlderThanDays = 0`) until a window is given.
144
144
 
145
145
  ## Rerun
146
146
 
147
- `run rerun <run-id>` re-runs a failed run as a NEW run: it reuses the original
148
- inputs and app, lands the new run beside the original (same repo), and records a
147
+ `run rerun <run-id>` runs a failed run again as a NEW run: it uses the first
148
+ inputs and app again, puts the new run next to the first one (same repo), and keeps a record of a
149
149
  provenance link (`rerunOf`, `rerunOfRepo`, `originRunId`, `generation`, `reason`)
150
- in the repo's `registry/provenance.json`. The original failed run is PRESERVED
151
- for audit — the past is never overwritten. Rerunning a rerun increments
150
+ in the repo's `registry/provenance.json`. The first failed run is KEPT
151
+ for audit — the past is never written over. Rerunning a rerun adds one to
152
152
  `generation` and keeps `originRunId` pinned to the chain root.
153
153
 
154
154
  ## Portable export, import, and restore verification
155
155
 
156
156
  `run export <run-id> --output PATH` writes a portable JSON archive for a run. The
157
- archive includes the run state plus run-local files, committed artifacts, audit
157
+ archive takes in the run state plus run-local files, committed artifacts, audit
158
158
  overlays, telemetry ledger files, per-file sha256 digests, file sizes, and a
159
- manifest digest. External repo-local artifact paths referenced by the run are
160
- copied into the archive under `external-artifacts/` and recorded with their
161
- original `sourcePath`; the source run is never mutated.
159
+ manifest digest. External repo-local artifact paths named by the run are
160
+ copied into the archive under `external-artifacts/` and kept with their
161
+ first `sourcePath`; the source run is never changed.
162
162
 
163
- `run import PATH --target DIR` restores the archive under
163
+ `run import PATH --target DIR` puts the archive back under
164
164
  `DIR/.cw/runs/<run-id>/`, rebases paths to the target repo, writes an
165
- `import-manifest.json`, refreshes the target repo registry, and immediately runs
166
- the same verification used by `run verify-import`. Restored partial runs can be
167
- resumed from the target repo; restored failed runs remain discoverable from the
168
- home registry and can be rerun as new linked runs. The import does not alter the
165
+ `import-manifest.json`, refreshes the target repo registry, and at once runs
166
+ the same verification used by `run verify-import`. Restored part runs can be
167
+ resumed from the target repo; restored failed runs can still be found from the
168
+ home registry and can be rerun as new linked runs. The import does not change the
169
169
  source repository or the source run.
170
170
 
171
- **Import-time refusal (fail-closed before any write).** Import verifies every
171
+ **Import-time refusal (fail-closed before any write).** Import checks every
172
172
  file digest, every file size, the file count, and the manifest digest *before*
173
- creating the target run directory — so a tampered archive is refused with a
174
- non-zero exit and a single `cw:` stderr line, leaving nothing on disk (no partial
175
- restore). Set `CW_REQUIRE_ARCHIVE_INTEGRITY=1` to additionally refuse an archive
173
+ making the target run directory — so a tampered archive is turned away with a
174
+ non-zero exit and a single `cw:` stderr line, leaving nothing on disk (no part
175
+ restore). Set `CW_REQUIRE_ARCHIVE_INTEGRITY=1` to also turn away an archive
176
176
  whose top-level integrity block is *absent* — closing the legacy fail-open seam
177
177
  where a stripped-integrity archive imported unverified. Unset (the default) keeps
178
178
  legacy integrity-less archives byte-identical; the flag is mechanism, not policy.
179
179
 
180
- `run verify-import <run-id> [--cwd DIR]` re-reads the restore manifest, recomputes
181
- every restored file digest, checks the manifest digest, verifies the telemetry
182
- ledger when one was restored, and re-proves the **trust-audit hash chain** (the
180
+ `run verify-import <run-id> [--cwd DIR]` reads the restore manifest again, works out
181
+ every restored file digest again, checks the manifest digest, checks the telemetry
182
+ ledger when one was restored, and proves the **trust-audit hash chain** again (the
183
183
  decisions / sandbox / commit-gate log, also restored under `audit/`). Missing
184
184
  manifests, digest mismatches, path escapes, unsupported archive schemas, unreadable
185
185
  files, telemetry-chain failures, or a forged audit chain (`trust-audit-invalid`)
186
- return explicit failed checks instead of a fabricated success. An archive with no
187
- audit log yields a passing `trust-audit` check (nothing to prove — no false-red).
186
+ give back explicit failed checks in place of a made-up success. An archive with no
187
+ audit log gives a passing `trust-audit` check (nothing to prove — no false-red).
188
188
 
189
189
  By default `verify-import` prints the result and exits 0 even when a check fails
190
190
  (it is a report). Pass `--strict` to make any failed restore check exit non-zero,
191
191
  so `cw run verify-import <run> --strict && restore` stops on a tampered archive.
192
192
 
193
193
  **Inspect an archive before restoring.** `run inspect-archive PATH [--json]`
194
- re-proves a portable archive's integrity *without writing anything* — contrast
195
- with `run import`, which validates as a side-effect of restoring a full
196
- `.cw/runs/<id>/` tree. It re-computes every embedded file's sha256 and size, the
197
- `integrity.fileCount` and manifest digest, and the whole-archive sha256, returning
198
- a structured `checks[]` — each failure names the offending `relativePath` with a
194
+ proves a portable archive's integrity again *without writing anything* — set it next to
195
+ `run import`, which checks as a side-effect of restoring a full
196
+ `.cw/runs/<id>/` tree. It works out every built-in file's sha256 and size again, the
197
+ `integrity.fileCount` and manifest digest, and the whole-archive sha256, giving back
198
+ a structured `checks[]` — each failure names the bad `relativePath` with a
199
199
  `digest-mismatch` / `size-mismatch` / `manifest-digest-mismatch` /
200
200
  `file-count-mismatch` code. It never throws: an unreadable path, invalid JSON, or an
201
201
  unknown `schemaVersion` (`schemaSupported:false`) is reported as a check, not a
202
202
  stacktrace — stdout is always valid JSON, diagnostics go to stderr. It exits `1`
203
203
  when `ok:false`, so `cw run inspect-archive <path> && cw run import <path>` stops
204
- before importing a bad archive. It is a faithful preview of import: under
204
+ before importing a bad archive. It is a true preview of import: under
205
205
  `CW_REQUIRE_ARCHIVE_INTEGRITY=1` a stripped-integrity archive (which import would
206
- refuse) also inspects as `ok:false`; with the env unset (default) an absent integrity
207
- block is merely reported, not failed.
206
+ turn away) also inspects as `ok:false`; with the env unset (default) an absent integrity
207
+ block is only reported, not failed.
208
208
 
209
- MCP exposes the same mechanisms as `cw_run_export`, `cw_run_import`,
209
+ MCP gives the same mechanisms as `cw_run_export`, `cw_run_import`,
210
210
  `cw_run_verify_import`, and `cw_run_inspect_archive`; the CLI and MCP paths share
211
211
  the same runtime functions.
212
212
 
213
213
  ## Cross-repo history
214
214
 
215
- `history` reads a unified timeline of runs across all registered repos
215
+ `history` reads one joined-up timeline of runs across all registered repos
216
216
  (newest first), each entry carrying its repo, lifecycle, loop stage, timestamps,
217
217
  freshness, and provenance back to its `.cw/runs/<id>/`. Filter with `--app` and
218
- `--status`; paginate with `--limit` and `--offset`.
218
+ `--status`; page with `--limit` and `--offset`.
219
219
 
220
220
  ## CLI
221
221
 
@@ -240,13 +240,13 @@ node scripts/cw.js queue drain [--limit N] [--repo PATH]
240
240
  node scripts/cw.js history [--app ID] [--status STATE] [--limit N] [--offset N] [--scope repo|home] [--json]
241
241
  ```
242
242
 
243
- Read commands print terse human panels by default (lifecycle, freshness, counts,
243
+ Read commands print short human panels by default (lifecycle, freshness, counts,
244
244
  and next action) and full machine output under `--json` or `--format json`.
245
245
 
246
246
  ## MCP parity
247
247
 
248
248
  Every command above is declared once in the v0.1.28 capability registry
249
- (`src/capability-registry.ts`) and rendered on both surfaces, so `cw <cmd>
249
+ (`src/capability-registry.ts`) and shown on both surfaces, so `cw <cmd>
250
250
  --json` is schema-identical to the matching `cw_<tool>` result and the pair
251
251
  passes `npm run parity:check`:
252
252
 
@@ -261,61 +261,61 @@ See [cli-mcp-parity.7.md](cli-mcp-parity.7.md).
261
261
 
262
262
  ## Freshness and fail-closed behavior
263
263
 
264
- `registry show` recomputes the current source fingerprint for every run and
264
+ `registry show` works out the current source fingerprint again for every run and
265
265
  compares it to the persisted index. If a run's source changed, the report status
266
266
  is `stale` and the run is named in `staleRuns`. If a persisted run's source is
267
- gone, the run is named in `missingRuns`, it is NOT fabricated into the current
267
+ gone, the run is named in `missingRuns`, it is NOT made up into the current
268
268
  records, and the next action is `registry refresh`. `run show` of a run whose
269
- source is missing returns `found: false` with `freshness: missing` and only the
270
- last-known persisted record, clearly flagged — never as a live status. An
271
- unreadable or unsupported run state is treated as missing, never as success.
269
+ source is missing gives back `found: false` with `freshness: missing` and only the
270
+ last-known persisted record, marked clearly — never as a live status. An
271
+ unreadable or unsupported run state is taken as missing, never as success.
272
272
 
273
273
  ## Migration
274
274
 
275
- Pre-0.1.28 single-repo runs and existing `.cw/runs/` layouts keep working with
275
+ Pre-0.1.28 single-repo runs and `.cw/runs/` layouts that are already there keep working with
276
276
  an empty, rebuildable registry: `registry show` reports `absent` until the first
277
277
  `registry refresh`, and every pre-0.1.28 CLI command and MCP tool is unchanged.
278
278
  No run-state schema change ships in v0.1.28; newer unsupported run-state schemas
279
279
  still fail closed. The registry, archive overlay, provenance overlay, queue, and
280
- home discovery set are all derived files that can be deleted and rebuilt from
280
+ home discovery set are all derived files that can be deleted and built again from
281
281
  source at any time.
282
282
 
283
283
  ## CLI ↔ MCP Parity (v0.1.28)
284
284
 
285
- Every command and tool referenced above is declared in the capability registry
286
- (`src/capability-registry.ts`) and validated by `npm run parity:check`, so
287
- `cw <cmd> --json` and the matching `cw_<tool>` result render one data source.
285
+ Every command and tool named above is declared in the capability registry
286
+ (`src/capability-registry.ts`) and checked by `npm run parity:check`, so
287
+ `cw <cmd> --json` and the matching `cw_<tool>` result show one data source.
288
288
  See [cli-mcp-parity.7.md](cli-mcp-parity.7.md).
289
289
 
290
290
  ## Execution Backends (v0.1.29)
291
291
 
292
292
  v0.1.29 lifts execution into a pluggable driver layer: one narrow `ExecutionBackend`
293
- contract with interchangeable `node`/`bun`/`shell`/`container`/`remote`/`ci`
294
- drivers, selected by `--backend` (parallel to `--sandbox`) and inspected via
293
+ contract with `node`/`bun`/`shell`/`container`/`remote`/`ci`
294
+ drivers you can swap, picked by `--backend` (parallel to `--sandbox`) and looked at through
295
295
  `backend list|show|probe`. The result/evidence envelope is schema-identical across
296
- backends; the backend id + sandbox attestation are recorded as provenance, so this
297
- surface is unchanged regardless of which backend executed a run. See
296
+ backends; the backend id + sandbox attestation are kept as provenance, so this
297
+ surface is unchanged no matter which backend ran a run. See
298
298
  [execution-backends.7.md](execution-backends.7.md).
299
299
  ## Web / Desktop Workbench (v0.1.30)
300
300
 
301
301
  v0.1.30 adds the Web / Desktop Workbench: a read-only, localhost-only human
302
- console that renders this surface (and the other four operator panels — run
302
+ console that shows this surface (and the other four operator panels — run
303
303
  graph, blackboard, worker logs, candidate compare, audit timeline) for any run,
304
- reading the SAME capability `--json` payloads. It is a THIRD FRONT DOOR alongside
304
+ reading the SAME capability `--json` payloads. It is a THIRD FRONT DOOR beside
305
305
  the CLI and MCP that holds no authoritative state and forks no schema: each panel
306
306
  equals its `cw <cmd> --json` payload byte-for-byte (parity-gated), and refresh
307
- re-derives everything from disk. See
307
+ makes everything again from disk. See
308
308
  [web-desktop-workbench.7.md](web-desktop-workbench.7.md).
309
309
 
310
310
  ## Observability + Cost Accounting (v0.1.31)
311
311
 
312
312
  v0.1.31 adds Observability + Cost Accounting: `metrics show`/`metrics summary`
313
- derive durations, failure/verifier/acceptance rates (with sample counts and
314
- fail-closed `n/a`), and host-attested token/cost from existing durable run state
313
+ work out durations, failure/verifier/acceptance rates (with sample counts and
314
+ fail-closed `n/a`), and host-attested token/cost from durable run state that is already there
315
315
  — no metrics database, no collector daemon, no hidden counter. Usage is additive
316
316
  and optional (absent ⇒ `unreported`, never 0); cost is `attested` (attested usage
317
317
  × a recorded pricing policy) or clearly `estimated`, with pricing as policy. Both
318
- verbs are parity-gated and render read-only in the v0.1.30 Workbench. See
318
+ verbs are parity-gated and show read-only in the v0.1.30 Workbench. See
319
319
  [observability-cost-accounting.7.md](observability-cost-accounting.7.md).
320
320
 
321
321
 
@@ -324,24 +324,24 @@ verbs are parity-gated and render read-only in the v0.1.30 Workbench. See
324
324
  v0.1.32 adds Team Collaboration: a host-attested actor and append-only
325
325
  approvals/rejections/comments/handoffs provenance-linked to a durable target,
326
326
  plus a review gate that STACKS ON the verifier gate — required approvals from
327
- authorized roles, enforced inside `resolveCommitGate` AFTER the verifier checks
328
- and never instead of them, failing closed on quorum/authority/self-approval and
329
- recording who approved the very artifact that shipped. Policy (required approvals,
327
+ authorized roles, made to hold inside `resolveCommitGate` AFTER the verifier checks
328
+ and never in place of them, failing closed on quorum/authority/self-approval and
329
+ keeping a record of who approved the very artifact that shipped. Policy (required approvals,
330
330
  authorized roles, self-approval) is data, default off (pre-v0.1.32 behavior
331
- unchanged). The verbs are parity-gated and render read-only in the v0.1.30
331
+ unchanged). The verbs are parity-gated and show read-only in the v0.1.30
332
332
  Workbench. See [Team Collaboration](team-collaboration.7.md).
333
333
 
334
334
  ## Release Tooling (v0.1.33)
335
335
 
336
- the per-tag mechanical surfaces (version bump across 17 surfaces, feature scaffold, and the forward-reference docs) become deterministic scripts, with a de-duplicated release gate. See release-tooling(7).
336
+ the per-tag mechanical surfaces (version bump across 17 surfaces, feature scaffold, and the forward-reference docs) become deterministic scripts, with a release gate that has no doubles. See release-tooling(7).
337
337
 
338
338
  ## Real Execution Backend Integrations (v0.1.34)
339
339
 
340
- container/remote/ci backends really execute (docker/podman run, remote/CI POST-and-poll) under the sandbox contract, with byte-stable evidence vs node and fail-closed refusal when a runtime/endpoint is unavailable. See real-execution-backends(7).
340
+ container/remote/ci backends really run work (docker/podman run, remote/CI POST-and-poll) under the sandbox contract, with byte-stable evidence vs node and fail-closed refusal when a runtime/endpoint is not on hand. See real-execution-backends(7).
341
341
 
342
342
  ## Node Snapshot / Diff / Replay (v0.1.35)
343
343
 
344
- per-node snapshot, structural diff, and isolated deterministic replay over StateNode, reusing the v0.1.23 eval harness; fail-closed on source drift (valid|stale|absent). See node-snapshot-diff-replay(7).
344
+ per-node snapshot, structural diff, and on-its-own deterministic replay over StateNode, using the v0.1.23 eval harness again; fail-closed on source drift (valid|stale|absent). See node-snapshot-diff-replay(7).
345
345
 
346
346
  ## Contract Migration Tooling (v0.1.36)
347
347
 
@@ -353,11 +353,11 @@ priority + concurrency limits + lease lifecycle + retry/backoff + fail-closed pa
353
353
 
354
354
  ## Agent Delegation Drive (v0.1.38)
355
355
 
356
- spawn an external agent process per worker, capture result.md + attestation, auto-drive plan->dispatch->fulfill->accept->commit
356
+ start an external agent process per worker, take in result.md + attestation, auto-drive plan->dispatch->fulfill->accept->commit
357
357
 
358
358
  ## Run Retention & Provable Reclamation (v0.1.39)
359
359
 
360
- tiered, append-only, cryptographically-verifiable run reclamation: seal the audit skeleton, free the reconstructable bulk, prove it
360
+ tiered, append-only, cryptographically-verifiable run reclamation: seal the audit skeleton, free the bulk that can be built again, prove it
361
361
 
362
362
  ## Durable State & Locking (v0.1.40)
363
363
 
@@ -369,15 +369,15 @@ evidence grounding + durable audit append + symlink-hardened containment + deter
369
369
 
370
370
  ## Robust Result Ingest (v0.1.42)
371
371
 
372
- capture findings/evidence from any reasonable agent shape (alt keys + prose), CW derives grounded evidence itself, warn on empty capture — closes the v0.1.41 live-drive 'accepted with 0 captured' failure
372
+ take in findings/evidence from any sensible agent shape (alt keys + prose), CW makes grounded evidence itself, give a warning on empty capture — closes the v0.1.41 live-drive 'accepted with 0 captured' failure
373
373
 
374
374
  ## No-False-Green Gate & Launch Prep (v0.1.43)
375
375
 
376
- Hard gate blocking empty-capture verifier-gated commits, plus quickstart and launch-prep docs.
376
+ Hard gate stopping empty-capture verifier-gated commits, plus quickstart and launch-prep docs.
377
377
 
378
378
  ## Release-Gate Determinism & Agents Vendor (v0.1.44)
379
379
 
380
- Release-readiness checks now validate the committed blob (`git show HEAD:<path>`) instead of the mutable working tree — eliminating false-red/false-green from concurrent working-tree writes (iCloud/Spotlight/editor). Adds the `agents` vendor manifest target: a generated `.agents/plugins/cool-workflow/` adapter giving any non-Claude AI agent one common interface to CW.
380
+ Release-readiness checks now check the committed blob (`git show HEAD:<path>`) in place of the mutable working tree — doing away with false-red/false-green from working-tree writes at the same time (iCloud/Spotlight/editor). Adds the `agents` vendor manifest target: a generated `.agents/plugins/cool-workflow/` adapter giving any non-Claude AI agent one common interface to CW.
381
381
 
382
382
  ## P1-P2 Fixes & CI Content Surfaces (v0.1.49)
383
383
 
@@ -394,9 +394,17 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
394
394
 
395
395
  ## Fast Architecture Review (v0.1.80)
396
396
 
397
- Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, reusable Map and Assess results, measurable wrapper metrics, actionable background full-review handoff, and userland model policy flags for routing fast/strong workers without changing the full review contract.
397
+ Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, Map and Assess results you can use again, wrapper metrics you can measure, a background full-review handoff you can act on, and userland model policy flags for routing fast/strong workers without any change to the full review contract.
398
398
 
399
399
  ## Resume Drive, Inspect-Archive & Restore Re-Prove (v0.1.81)
400
400
 
401
- v0.1.81 adds `run resume <id> --drive/--once` (continue an interrupted run via the agent-drive loop; default resume stays read-only and byte-identical), `run inspect-archive PATH` (read-only archive integrity check that names any offending file without importing), and restore-time hardening: `verify-import` now re-proves the trust-audit chain on restore and gains `--strict`, and `CW_REQUIRE_ARCHIVE_INTEGRITY=1` refuses a stripped-integrity archive before any write.
402
- _No behavioral change in v0.1.82 (run resolution now threads an explicit base directory via CoolWorkflowRunner.withBaseDir instead of mutating process.cwd; the resolved run is unchanged)._
401
+ v0.1.81 adds `run resume <id> --drive/--once` (go on with a run that was stopped through the agent-drive loop; default resume stays read-only and byte-identical), `run inspect-archive PATH` (read-only archive integrity check that names any bad file without importing), and restore-time hardening: `verify-import` now proves the trust-audit chain again on restore and gains `--strict`, and `CW_REQUIRE_ARCHIVE_INTEGRITY=1` turns away a stripped-integrity archive before any write.
402
+ _No behavioral change in v0.1.82 (run resolution now threads an explicit base directory via CoolWorkflowRunner.withBaseDir in place of changing process.cwd; the resolved run is unchanged)._
403
+
404
+ ## Hardening and Onboarding (v0.1.83)
405
+
406
+ Loaders fail closed on corrupt state; store writes are made safe under more than one writer; a new cw doctor checks your setup; help lists every command; and the docs are put into Basic English.
407
+
408
+ ## Privacy Release (v0.1.84)
409
+
410
+ No other change to this page in v0.1.84.