cool-workflow 0.1.82 → 0.1.84
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.claude-plugin/plugin.json +2 -2
- package/.codex-plugin/plugin.json +4 -4
- package/README.md +128 -120
- package/apps/architecture-review/app.json +1 -1
- package/apps/architecture-review-fast/app.json +1 -1
- package/apps/end-to-end-golden-path/app.json +1 -1
- package/apps/pr-review-fix-ci/app.json +1 -1
- package/apps/release-cut/app.json +1 -1
- package/apps/research-synthesis/app.json +1 -1
- package/dist/capability-core.js +16 -8
- package/dist/capability-registry.js +270 -0
- package/dist/cli/command-surface.js +1320 -0
- package/dist/cli.js +2 -1307
- package/dist/commit.js +5 -1
- package/dist/doctor.js +153 -0
- package/dist/mcp-server.js +15 -1451
- package/dist/mcp-surface.js +1441 -0
- package/dist/orchestrator.js +13 -0
- package/dist/reclamation/hash.js +72 -0
- package/dist/reclamation.js +25 -78
- package/dist/run-registry/queue.js +6 -7
- package/dist/run-registry.js +35 -24
- package/dist/scheduler.js +78 -53
- package/dist/version.js +1 -1
- package/dist/worker-accept/acceptance.js +114 -0
- package/dist/worker-accept/blackboard-fanout.js +80 -0
- package/dist/worker-accept/blackboard-linkage.js +19 -0
- package/dist/worker-accept/context.js +2 -0
- package/dist/worker-accept/telemetry-ledger.js +116 -0
- package/dist/worker-accept/validation.js +77 -0
- package/dist/worker-accept/verifier-completion.js +73 -0
- package/dist/worker-isolation.js +41 -446
- package/docs/agent-delegation-drive.7.md +94 -86
- package/docs/agent-framework.md +33 -32
- package/docs/candidate-scoring.7.md +26 -24
- package/docs/canonical-workflow-apps.7.md +40 -40
- package/docs/capability-topology-registry.7.md +24 -24
- package/docs/cli-mcp-parity.7.md +230 -154
- package/docs/contract-migration-tooling.7.md +52 -41
- package/docs/control-plane-scheduling.7.md +49 -41
- package/docs/coordinator-blackboard.7.md +30 -30
- package/docs/dogfood-one-real-repo.7.md +44 -44
- package/docs/durable-state-and-locking.7.md +38 -30
- package/docs/end-to-end-golden-path.7.md +29 -29
- package/docs/error-feedback.7.md +27 -27
- package/docs/evidence-adoption-reasoning-chain.7.md +66 -58
- package/docs/execution-backends.7.md +88 -80
- package/docs/getting-started.md +35 -18
- package/docs/index.md +3 -3
- package/docs/mcp-app-surface.7.md +64 -64
- package/docs/multi-agent-cli-mcp-surface.7.md +86 -77
- package/docs/multi-agent-eval-replay-harness.7.md +63 -55
- package/docs/multi-agent-operator-ux.7.md +73 -65
- package/docs/multi-agent-runtime-core.7.md +39 -39
- package/docs/multi-agent-topologies.7.md +24 -24
- package/docs/multi-agent-trust-policy-audit.7.md +38 -38
- package/docs/node-snapshot-diff-replay.7.md +30 -22
- package/docs/observability-cost-accounting.7.md +53 -45
- package/docs/operator-ux.7.md +30 -30
- package/docs/pipeline-runner.7.md +31 -31
- package/docs/project-index.md +16 -5
- package/docs/real-execution-backends.7.md +51 -43
- package/docs/release-and-migration.7.md +46 -38
- package/docs/release-tooling.7.md +67 -50
- package/docs/routines.md +16 -16
- package/docs/run-registry-control-plane.7.md +124 -116
- package/docs/run-retention-reclamation.7.md +49 -41
- package/docs/sandbox-profiles.7.md +32 -32
- package/docs/scheduled-tasks.md +14 -14
- package/docs/security-trust-hardening.7.md +29 -29
- package/docs/source-context-profiles.7.md +28 -28
- package/docs/state-explosion-management.7.md +67 -59
- package/docs/state-node.7.md +8 -8
- package/docs/team-collaboration.7.md +66 -58
- package/docs/trust-model.md +126 -126
- package/docs/unix-principles.md +80 -80
- package/docs/vendor-manifest-loadability.7.md +20 -20
- package/docs/verifier-gated-commit.7.md +16 -16
- package/docs/web-desktop-workbench.7.md +73 -65
- package/docs/worker-isolation.7.md +34 -37
- package/docs/workflow-app-framework.7.md +38 -38
- package/manifest/plugin.manifest.json +4 -4
- package/package.json +3 -2
- package/scripts/bump-version.js +9 -1
- package/scripts/canonical-apps.js +4 -4
- package/scripts/dogfood-release.js +1 -1
- package/scripts/gen-parity-doc.js +106 -0
- package/scripts/golden-path.js +4 -4
- package/scripts/parity-check.js +27 -57
- package/scripts/release-flow.js +7 -6
- package/scripts/sync-project-index.js +1 -1
- package/dist/verifier-registry.js +0 -46
|
@@ -2,16 +2,16 @@
|
|
|
2
2
|
|
|
3
3
|
CW v0.1.39 adds Run Retention & Provable Reclamation: a tiered, append-only,
|
|
4
4
|
cryptographically-verifiable way to **free disk WITHOUT violating the audit/replay
|
|
5
|
-
moat**.
|
|
5
|
+
moat**. One day of dogfooding made ~1 GB across 200+ runs under
|
|
6
6
|
`.cw/runs/`, and before v0.1.39 there was **zero disk reclamation** — `run archive`
|
|
7
|
-
only marked an overlay (it never freed bytes), `sched reclaim`
|
|
8
|
-
leases (not disk), and worker scratch dirs were never cleaned.
|
|
9
|
-
|
|
7
|
+
only marked an overlay (it never freed bytes), `sched reclaim` got back expired
|
|
8
|
+
leases (not disk), and worker scratch dirs were never cleaned. Simple GC is
|
|
9
|
+
not allowed: all of CW's value is "don't trust, verify." So reclamation is a
|
|
10
10
|
**verifiable, append-only state transition** — freeing bytes leaves behind
|
|
11
|
-
cryptographic proof that what was freed
|
|
11
|
+
cryptographic proof that what was freed can be made again or has no worth, and that
|
|
12
12
|
the audit-essential subset is sealed.
|
|
13
13
|
|
|
14
|
-
This release
|
|
14
|
+
This release is built straight on a clear line of past work: v0.1.28's archive overlay
|
|
15
15
|
(`run-registry.ts` — "Archive is an overlay mark, not a delete"), v0.1.35's
|
|
16
16
|
per-node snapshot/diff/deterministic replay (`node-snapshot.ts`), v0.1.32's
|
|
17
17
|
append-only collaboration log, and v0.1.37's policy-as-data scheduling. It EXTENDS
|
|
@@ -26,37 +26,37 @@ reclaimed tombstone + skeleton + digests verify-only (or re-runnable-by-reconst
|
|
|
26
26
|
```
|
|
27
27
|
|
|
28
28
|
`archived` keeps its mark-only semantics, untouched. `reclaimed` is the NEW
|
|
29
|
-
disk-freeing tier
|
|
30
|
-
a future `forgotten` compliance tier (
|
|
29
|
+
disk-freeing tier over it. The lifecycle ceiling for this release is `reclaimed`;
|
|
30
|
+
a future `forgotten` compliance tier (dropping even the skeleton, keeping only
|
|
31
31
|
the chained tombstone hash) is out of scope — the `RunLifecycleState` union gains
|
|
32
|
-
ONLY `reclaimed`, and the hash chain is
|
|
32
|
+
ONLY `reclaimed`, and the hash chain is made to extend to it later.
|
|
33
33
|
|
|
34
34
|
## The red line — never delete what is audit-essential AND irreproducible
|
|
35
35
|
|
|
36
|
-
A byte
|
|
36
|
+
A byte can be freed ONLY if it is one of two classes:
|
|
37
37
|
|
|
38
|
-
1. **reconstructable** — deterministically
|
|
38
|
+
1. **reconstructable** — deterministically able to be made again from RETAINED inputs + a
|
|
39
39
|
recorded recipe + an `expectDigest`, or
|
|
40
40
|
2. **pure scratch** — zero audit value,
|
|
41
41
|
|
|
42
42
|
AND it is **referenced by no surviving evidence locator or audit/collaboration
|
|
43
|
-
event.** Any path that is neither class defaults to **RETAINED** (fail closed).
|
|
43
|
+
event.** Any path that is in neither class defaults to **RETAINED** (fail closed).
|
|
44
44
|
The hard ALLOW-LIST — never freed under any policy — is `state.json`, `audit/`,
|
|
45
45
|
`commits/`, the collaboration log, the attestation chain, `report.md`, and the new
|
|
46
46
|
`reclaimed.json` overlay.
|
|
47
47
|
|
|
48
|
-
The **skeleton** is the machine-checkable contract for what must
|
|
48
|
+
The **skeleton** is the machine-checkable contract for what must live through every
|
|
49
49
|
reclamation (`SKELETON_REQUIRED_KEYS` + `validateSkeleton()`): the final verdict,
|
|
50
50
|
every commit record, every evidence locator's content digest, the attestation
|
|
51
51
|
chain, the cost record, and the append-only audit + collaboration logs. If a
|
|
52
|
-
|
|
52
|
+
full skeleton cannot be pulled out, reclamation **refuses with
|
|
53
53
|
`skeleton-incomplete` and frees zero bytes.**
|
|
54
54
|
|
|
55
55
|
## Write-ahead, fail-closed sequencing — order is the safety property
|
|
56
56
|
|
|
57
|
-
The reclamation transaction is four
|
|
57
|
+
The reclamation transaction is four separate steps, each one able to be called on its own:
|
|
58
58
|
|
|
59
|
-
1. `extractSkeleton()` —
|
|
59
|
+
1. `extractSkeleton()` — pull out + seal the audit-essential subset.
|
|
60
60
|
2. `buildTombstone()` — write the full freed-manifest with a **pre-deletion
|
|
61
61
|
sha256 per path**, plus the hash chain.
|
|
62
62
|
3. `commitTombstone()` — **fsync** the tombstone into the append-only
|
|
@@ -64,9 +64,9 @@ The reclamation transaction is four discrete, individually-callable steps:
|
|
|
64
64
|
through the existing append-only trust-audit log.
|
|
65
65
|
4. `freeBulk()` — ONLY THEN free the bulk bytes.
|
|
66
66
|
|
|
67
|
-
A crash between any steps leaves **EITHER the full run OR a
|
|
68
|
-
never a half-deleted run with no proof.** This
|
|
69
|
-
`runReclamation(run, policy, { faultAfter })` throws a
|
|
67
|
+
A crash between any steps leaves **EITHER the full run OR a full tombstone —
|
|
68
|
+
never a half-deleted run with no proof.** This can be tested by design:
|
|
69
|
+
`runReclamation(run, policy, { faultAfter })` throws a made-up `ReclamationAbort`
|
|
70
70
|
after the named step (`skeleton` | `tombstone-write` | `tombstone-commit`) — never
|
|
71
71
|
by killing the process.
|
|
72
72
|
|
|
@@ -75,9 +75,9 @@ by killing the process.
|
|
|
75
75
|
The tombstone is a NEW `reclaimed.json` overlay (a peer of `archive.json`'s role).
|
|
76
76
|
Only the bulk DATA bytes are freed — no existing audit, state, or commit record is
|
|
77
77
|
ever rewritten. It is itself a new audit record, **hash-chained**: `tombstoneHash`
|
|
78
|
-
is
|
|
79
|
-
(genesis = sha256 of the sealed skeleton). `gc verify`
|
|
80
|
-
**
|
|
78
|
+
is worked out again from the freed-manifest + sealed skeleton + `prevTombstoneHash`
|
|
79
|
+
(genesis = sha256 of the sealed skeleton). `gc verify` works out `tombstoneHash`
|
|
80
|
+
again **on its own**, never trusting the stored value, so a changed registry entry
|
|
81
81
|
is caught — flipping a per-path sha256 fails with `tombstone-digest-mismatch`;
|
|
82
82
|
editing a hash link fails with `tombstone-chain-broken`.
|
|
83
83
|
|
|
@@ -90,22 +90,22 @@ enumerable `record.capabilityReason` (a closed set, e.g.
|
|
|
90
90
|
`snapshot-reclaimed-no-reconstruction` | `inputs-and-expectdigest-retained` |
|
|
91
91
|
`scratch-only-reclaimed`) — never free-text prose.
|
|
92
92
|
|
|
93
|
-
**Reconstruction is a
|
|
93
|
+
**Reconstruction is a separate code path, NOT live `verifyNodeReplay`.** A reclaimed
|
|
94
94
|
artifact making `loadNodeSnapshot` return `absent` is the EXPECTED fail-closed
|
|
95
95
|
signal. The reconstruction verifier re-runs the recorded recipe against the
|
|
96
96
|
RETAINED inputs (keyed on the retained-inputs digest) and compares the result's
|
|
97
|
-
sha256 to the tombstoned `expectDigest` — it never
|
|
97
|
+
sha256 to the tombstoned `expectDigest` — it never goes through the freed source
|
|
98
98
|
bytes. Flipping one retained input byte fails with `reconstruction-digest-mismatch`.
|
|
99
99
|
|
|
100
100
|
## The eager-scratch exception
|
|
101
101
|
|
|
102
|
-
Worker scratch is the one class reclaimed
|
|
102
|
+
Worker scratch is the one class reclaimed early. A worker's scratch dir is pure
|
|
103
103
|
scratch with zero audit value, and its `result.md` is already copied to
|
|
104
104
|
`results/<task-id>.md` and evidence-gated. Before the scratch is freed, the result
|
|
105
105
|
node's `worker-result` artifact (set by `recordWorkerOutput` to a path INSIDE the
|
|
106
106
|
scratch dir) is **re-pointed** to the retained `results/<task-id>.md` copy, and the
|
|
107
|
-
result-node snapshot is
|
|
108
|
-
node
|
|
107
|
+
result-node snapshot is shown to stay `valid` (not `absent`) — so no surviving
|
|
108
|
+
node points to a freed path. Opt out with `--keep-scratch`.
|
|
109
109
|
|
|
110
110
|
## CLI
|
|
111
111
|
|
|
@@ -115,14 +115,14 @@ cw gc run [run-id] [--reclaimAfterArchiveDays N] [--keep-scratch] [--keep-sna
|
|
|
115
115
|
cw gc verify <run-id> [--scope repo|home] [--json]
|
|
116
116
|
```
|
|
117
117
|
|
|
118
|
-
- `gc plan` is a pure **dry-run**: it
|
|
118
|
+
- `gc plan` is a pure **dry-run**: it works out eligible runs, the exact bytes that
|
|
119
119
|
WOULD be freed per kind, and the per-run capability downgrade. It frees nothing
|
|
120
120
|
(`plan.bytesToFree` equals the summed per-path sizes it lists).
|
|
121
|
-
- `gc run`
|
|
121
|
+
- `gc run` runs the write-ahead transaction for eligible runs, bounded by
|
|
122
122
|
`maxReclaimRuns` / `maxReclaimBytes`, fail-closed on any incomplete skeleton.
|
|
123
123
|
- `gc verify` re-proves a reclaimed run end-to-end.
|
|
124
124
|
|
|
125
|
-
Eligibility is explicit and fail-closed: a run
|
|
125
|
+
Eligibility is explicit and fail-closed: a run can be reclaimed exactly when its
|
|
126
126
|
**derived lifecycle is `completed` or `failed` AND it is archived AND it has no
|
|
127
127
|
open feedback AND it is past `reclaimAfterArchiveDays`.** `running` / `blocked` /
|
|
128
128
|
`queued` runs are NEVER reclaimable; the check reads live source state and fails
|
|
@@ -134,8 +134,8 @@ action, never a daemon.
|
|
|
134
134
|
## MCP
|
|
135
135
|
|
|
136
136
|
`cw_gc_plan`, `cw_gc_run`, and `cw_gc_verify` are the peers of the CLI verbs,
|
|
137
|
-
registered in the capability registry and
|
|
138
|
-
on drift). The read-only `gc plan` / `gc verify` payloads
|
|
137
|
+
registered in the capability registry and checked by `parity:check` (fail-closed
|
|
138
|
+
on drift). The read-only `gc plan` / `gc verify` payloads follow the now-derived-field
|
|
139
139
|
rule: only ISO timestamps may be now-derived.
|
|
140
140
|
|
|
141
141
|
## Policy-as-data
|
|
@@ -147,16 +147,16 @@ Back-compatible defaults reclaim nothing; pre-v0.1.39 runs load unchanged.
|
|
|
147
147
|
|
|
148
148
|
## Compatibility
|
|
149
149
|
|
|
150
|
-
Additive. The kernel `state.json` schema is unchanged
|
|
150
|
+
Additive. The kernel `state.json` schema is unchanged but for the new per-run
|
|
151
151
|
`reclaimed.json` overlay + policy fields; pre-v0.1.39 runs load unchanged. The
|
|
152
152
|
`RunLifecycleState` union gains only `reclaimed`. `run archive` keeps its mark-only
|
|
153
|
-
semantics. Nothing in the
|
|
153
|
+
semantics. Nothing in the first audit log is ever edited or wiped.
|
|
154
154
|
|
|
155
155
|
## See Also
|
|
156
156
|
|
|
157
157
|
- `docs/run-registry-control-plane.7.md` — the v0.1.28 archive overlay this extends.
|
|
158
|
-
- `docs/node-snapshot-diff-replay.7.md` — the v0.1.35 snapshot engine reconstruction
|
|
159
|
-
- `docs/control-plane-scheduling.7.md` — the v0.1.37 policy-as-data
|
|
158
|
+
- `docs/node-snapshot-diff-replay.7.md` — the v0.1.35 snapshot engine reconstruction sits beside.
|
|
159
|
+
- `docs/control-plane-scheduling.7.md` — the v0.1.37 policy-as-data line of work.
|
|
160
160
|
- `docs/team-collaboration.7.md` — the v0.1.32 append-only log sealed in the skeleton.
|
|
161
161
|
|
|
162
162
|
## Durable State & Locking (v0.1.40)
|
|
@@ -169,15 +169,15 @@ evidence grounding + durable audit append + symlink-hardened containment + deter
|
|
|
169
169
|
|
|
170
170
|
## Robust Result Ingest (v0.1.42)
|
|
171
171
|
|
|
172
|
-
capture findings/evidence from any
|
|
172
|
+
capture findings/evidence from any sensible agent shape (alt keys + prose), CW derives grounded evidence itself, warn on empty capture — shuts the v0.1.41 live-drive 'accepted with 0 captured' failure
|
|
173
173
|
|
|
174
174
|
## No-False-Green Gate & Launch Prep (v0.1.43)
|
|
175
175
|
|
|
176
|
-
Hard gate
|
|
176
|
+
Hard gate stopping empty-capture verifier-gated commits, plus quickstart and launch-prep docs.
|
|
177
177
|
|
|
178
178
|
## Release-Gate Determinism & Agents Vendor (v0.1.44)
|
|
179
179
|
|
|
180
|
-
Release-readiness checks now
|
|
180
|
+
Release-readiness checks now check the committed blob (`git show HEAD:<path>`) in place of the mutable working tree — getting rid of false-red/false-green from concurrent working-tree writes (iCloud/Spotlight/editor). Adds the `agents` vendor manifest target: a generated `.agents/plugins/cool-workflow/` adapter that gives any non-Claude AI agent one common interface to CW.
|
|
181
181
|
|
|
182
182
|
## P1-P2 Fixes & CI Content Surfaces (v0.1.49)
|
|
183
183
|
|
|
@@ -194,9 +194,17 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
|
|
|
194
194
|
|
|
195
195
|
## Fast Architecture Review (v0.1.80)
|
|
196
196
|
|
|
197
|
-
Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, reusable Map and Assess results, measurable wrapper metrics,
|
|
197
|
+
Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, reusable Map and Assess results, measurable wrapper metrics, useful background full-review handoff, and userland model policy flags for routing fast/strong workers without changing the full review contract.
|
|
198
198
|
|
|
199
199
|
## Deterministic Freed Manifest (v0.1.81)
|
|
200
200
|
|
|
201
|
-
The freed manifest is path-sorted before it feeds `tombstoneHash`, so reclamation's write-ahead tombstone hash-chain
|
|
201
|
+
The freed manifest is path-sorted before it feeds `tombstoneHash`, so reclamation's write-ahead tombstone hash-chain can be made again across hosts no matter the filesystem enumeration order. Reclaimed tiers, the re-point seam, and the default (reclaim-nothing) policy are unchanged.
|
|
202
202
|
_No changes in v0.1.82._
|
|
203
|
+
|
|
204
|
+
## Hardening and Onboarding (v0.1.83)
|
|
205
|
+
|
|
206
|
+
Loaders fail closed on corrupt state; store writes are made safe under more than one writer; a new cw doctor checks your setup; help lists every command; and the docs are put into Basic English.
|
|
207
|
+
|
|
208
|
+
## Privacy Release (v0.1.84)
|
|
209
|
+
|
|
210
|
+
No other change to this page in v0.1.84.
|
|
@@ -16,14 +16,14 @@ node dist/cli.js worker manifest <run-id> <worker-id>
|
|
|
16
16
|
|
|
17
17
|
## DESCRIPTION
|
|
18
18
|
|
|
19
|
-
A sandbox profile is a CW policy contract. It
|
|
20
|
-
worker
|
|
19
|
+
A sandbox profile is a CW policy contract. It says what the agent host lets a
|
|
20
|
+
worker read, write, execute, get to over the network, and take in through
|
|
21
21
|
environment variables.
|
|
22
22
|
|
|
23
|
-
|
|
24
|
-
process sandbox
|
|
23
|
+
By itself it is not a container, jail, chroot, seatbelt profile, packet filter,
|
|
24
|
+
or OS process sandbox. CW does profile validation, deterministic path
|
|
25
25
|
normalization, worker result acceptance, and durable feedback for denied worker
|
|
26
|
-
output. The agent host
|
|
26
|
+
output. The agent host has to do OS-level file access, process execution,
|
|
27
27
|
network access, and environment filtering.
|
|
28
28
|
|
|
29
29
|
The design goal is simple:
|
|
@@ -32,28 +32,28 @@ The design goal is simple:
|
|
|
32
32
|
named policy -> resolved worker manifest -> host enforcement -> CW acceptance
|
|
33
33
|
```
|
|
34
34
|
|
|
35
|
-
Profiles are
|
|
35
|
+
Profiles are picked at dispatch time and kept in run state, worker records,
|
|
36
36
|
dispatch manifests, worker manifests, feedback records, and reports.
|
|
37
37
|
|
|
38
38
|
## BUNDLED PROFILES
|
|
39
39
|
|
|
40
40
|
`default`
|
|
41
|
-
:
|
|
42
|
-
and write only accepted worker output paths unless
|
|
43
|
-
|
|
41
|
+
: Keeps the same Worker Isolation behavior. Workers may read the workspace
|
|
42
|
+
and write only accepted worker output paths, unless more `allowedPaths`
|
|
43
|
+
come from older APIs.
|
|
44
44
|
|
|
45
45
|
`readonly`
|
|
46
46
|
: Workers may read the workspace and write only worker-local output paths.
|
|
47
|
-
Network access is denied by profile. CW still
|
|
48
|
-
read-only mounts or
|
|
47
|
+
Network access is denied by profile. CW still needs the host to do
|
|
48
|
+
read-only mounts or an equal OS policy.
|
|
49
49
|
|
|
50
50
|
`workspace-write`
|
|
51
|
-
: Workers may read and write the workspace,
|
|
52
|
-
Use this only for workers
|
|
51
|
+
: Workers may read and write the workspace, and worker-local output paths too.
|
|
52
|
+
Use this only for workers that are meant to change repository files.
|
|
53
53
|
|
|
54
54
|
`locked-down`
|
|
55
55
|
: Workers may read only `input.md` and write only `result.md`. Command,
|
|
56
|
-
network, and inherited environment access are denied by policy.
|
|
56
|
+
network, and inherited environment access are all denied by policy.
|
|
57
57
|
|
|
58
58
|
## PROFILE SHAPE
|
|
59
59
|
|
|
@@ -73,14 +73,14 @@ Profile files use schema version `1`:
|
|
|
73
73
|
}
|
|
74
74
|
```
|
|
75
75
|
|
|
76
|
-
|
|
77
|
-
`$resultPath`, `$artifactsDir`, and `$logsDir`. Relative paths are
|
|
76
|
+
The path tokens you may use are `$cwd`, `$runDir`, `$workerDir`, `$inputPath`,
|
|
77
|
+
`$resultPath`, `$artifactsDir`, and `$logsDir`. Relative paths are worked out
|
|
78
78
|
from the run workspace. Empty paths, control characters, unknown tokens, and
|
|
79
|
-
`..` traversal are
|
|
79
|
+
`..` traversal are turned away.
|
|
80
80
|
|
|
81
81
|
`execute.mode` and `network.mode` are `none`, `allowlist`, or `any`.
|
|
82
82
|
Allowlisted commands or network targets are exact strings. Environment variable
|
|
83
|
-
names
|
|
83
|
+
names have to use normal shell identifier syntax.
|
|
84
84
|
|
|
85
85
|
## ENFORCEMENT
|
|
86
86
|
|
|
@@ -93,15 +93,15 @@ CW-enforced:
|
|
|
93
93
|
|
|
94
94
|
Host-required:
|
|
95
95
|
|
|
96
|
-
-
|
|
97
|
-
-
|
|
96
|
+
- stopping reads outside `readPaths`
|
|
97
|
+
- stopping writes before CW takes a result
|
|
98
98
|
- command execution restrictions
|
|
99
99
|
- network restrictions
|
|
100
100
|
- environment variable filtering
|
|
101
101
|
|
|
102
|
-
Worker manifests
|
|
103
|
-
`sandbox.hostRequired`. Do not
|
|
104
|
-
sandboxing unless the agent host
|
|
102
|
+
Worker manifests have both lists as `sandbox.enforcedByCW` and
|
|
103
|
+
`sandbox.hostRequired`. Do not put forward CW Sandbox Profiles as OS-level
|
|
104
|
+
sandboxing unless the agent host truly puts OS policy to work.
|
|
105
105
|
|
|
106
106
|
## FILES
|
|
107
107
|
|
|
@@ -118,20 +118,20 @@ sandboxing unless the agent host actually applies OS policy.
|
|
|
118
118
|
|
|
119
119
|
Unknown requested profiles fail closed with `sandbox-profile-not-found`.
|
|
120
120
|
|
|
121
|
-
|
|
121
|
+
Bad profile files fail validation with `sandbox-profile-invalid`.
|
|
122
122
|
|
|
123
|
-
Denied worker output writes
|
|
124
|
-
helpers also
|
|
125
|
-
`sandbox-command-denied` for hosts that want to
|
|
123
|
+
Denied worker output writes make `sandbox-write-denied` feedback. Runtime
|
|
124
|
+
helpers also give `sandbox-read-denied`, `sandbox-network-denied`, and
|
|
125
|
+
`sandbox-command-denied` for hosts that want to note down those decisions through
|
|
126
126
|
CW.
|
|
127
127
|
|
|
128
|
-
CW never
|
|
128
|
+
CW never quietly drops a requested profile down to `default`.
|
|
129
129
|
|
|
130
130
|
## COMPATIBILITY
|
|
131
131
|
|
|
132
|
-
Sandbox Profiles
|
|
133
|
-
|
|
132
|
+
Sandbox Profiles come in with CW v0.1.8. The legacy `allowedPaths` field
|
|
133
|
+
stays in worker scopes and manifests as the effective write-path alias for
|
|
134
134
|
older callers. New hosts should read `sandboxPolicy.readPaths` and
|
|
135
|
-
`sandboxPolicy.writePaths`, then
|
|
136
|
-
`sandboxPolicy.workerOutput
|
|
135
|
+
`sandboxPolicy.writePaths`, then put worker output allowances from
|
|
136
|
+
`sandboxPolicy.workerOutput` to work.
|
|
137
137
|
0.1.51
|
package/docs/scheduled-tasks.md
CHANGED
|
@@ -1,9 +1,9 @@
|
|
|
1
1
|
# Scheduled Tasks
|
|
2
2
|
|
|
3
|
-
CW scheduled tasks
|
|
4
|
-
reminders, expiration, jitter, and
|
|
3
|
+
CW scheduled tasks let you make looping prompts, cron-like schedules, one-shot
|
|
4
|
+
reminders, expiration, jitter, and clear completion.
|
|
5
5
|
|
|
6
|
-
CW
|
|
6
|
+
CW keeps schedules in:
|
|
7
7
|
|
|
8
8
|
```text
|
|
9
9
|
.cw/schedules/tasks.json
|
|
@@ -11,7 +11,7 @@ CW stores schedules in:
|
|
|
11
11
|
|
|
12
12
|
## Commands
|
|
13
13
|
|
|
14
|
-
|
|
14
|
+
Make a `/loop`-ready schedule:
|
|
15
15
|
|
|
16
16
|
```bash
|
|
17
17
|
node scripts/cw.js loop \
|
|
@@ -19,7 +19,7 @@ node scripts/cw.js loop \
|
|
|
19
19
|
--prompt "Check this workflow and continue if work is due."
|
|
20
20
|
```
|
|
21
21
|
|
|
22
|
-
|
|
22
|
+
Make a loop:
|
|
23
23
|
|
|
24
24
|
```bash
|
|
25
25
|
node scripts/cw.js schedule create \
|
|
@@ -28,7 +28,7 @@ node scripts/cw.js schedule create \
|
|
|
28
28
|
--prompt "Check this workflow and continue if work is due."
|
|
29
29
|
```
|
|
30
30
|
|
|
31
|
-
|
|
31
|
+
Make a cron schedule:
|
|
32
32
|
|
|
33
33
|
```bash
|
|
34
34
|
node scripts/cw.js schedule create \
|
|
@@ -37,7 +37,7 @@ node scripts/cw.js schedule create \
|
|
|
37
37
|
--prompt "Run the due workflow scan."
|
|
38
38
|
```
|
|
39
39
|
|
|
40
|
-
|
|
40
|
+
Make a reminder:
|
|
41
41
|
|
|
42
42
|
```bash
|
|
43
43
|
node scripts/cw.js schedule create \
|
|
@@ -46,7 +46,7 @@ node scripts/cw.js schedule create \
|
|
|
46
46
|
--prompt "Remind me to inspect the report."
|
|
47
47
|
```
|
|
48
48
|
|
|
49
|
-
List and
|
|
49
|
+
List and look through:
|
|
50
50
|
|
|
51
51
|
```bash
|
|
52
52
|
node scripts/cw.js schedule list
|
|
@@ -59,13 +59,13 @@ node scripts/cw.js schedule history <schedule-id>
|
|
|
59
59
|
node scripts/cw.js schedule delete <schedule-id>
|
|
60
60
|
```
|
|
61
61
|
|
|
62
|
-
Run the local desktop-
|
|
62
|
+
Run the local desktop-like daemon one time:
|
|
63
63
|
|
|
64
64
|
```bash
|
|
65
65
|
node scripts/cw.js schedule daemon --once
|
|
66
66
|
```
|
|
67
67
|
|
|
68
|
-
Run it
|
|
68
|
+
Run it without stopping:
|
|
69
69
|
|
|
70
70
|
```bash
|
|
71
71
|
node scripts/cw.js schedule daemon --intervalSeconds 60
|
|
@@ -73,8 +73,8 @@ node scripts/cw.js schedule daemon --intervalSeconds 60
|
|
|
73
73
|
|
|
74
74
|
## Notes
|
|
75
75
|
|
|
76
|
-
-
|
|
77
|
-
-
|
|
78
|
-
- `jitterSeconds` can
|
|
76
|
+
- Time is measured to the minute.
|
|
77
|
+
- By default, expiration comes after 7 days.
|
|
78
|
+
- `jitterSeconds` can put space between runs.
|
|
79
79
|
- CW does not start the daemon by default. Use `schedule daemon`, cron, or
|
|
80
|
-
|
|
80
|
+
some other overseer to call `schedule due` and run due prompts.
|
|
@@ -2,13 +2,13 @@
|
|
|
2
2
|
|
|
3
3
|
CW v0.1.15 adds a local trust audit layer for worker sandbox decisions,
|
|
4
4
|
evidence provenance, candidate selection, and verifier-gated commits.
|
|
5
|
-
CW v0.1.22
|
|
5
|
+
CW v0.1.22 uses this same layer again for multi-agent role policy, blackboard
|
|
6
6
|
write audit, message provenance, judge rationale, panel decisions, and policy
|
|
7
7
|
violations.
|
|
8
8
|
|
|
9
9
|
## Audit Records
|
|
10
10
|
|
|
11
|
-
Every run has an audit directory:
|
|
11
|
+
Every run has an audit directory of its own:
|
|
12
12
|
|
|
13
13
|
```text
|
|
14
14
|
.cw/runs/<run-id>/audit/
|
|
@@ -17,37 +17,37 @@ Every run has an audit directory:
|
|
|
17
17
|
summary.json
|
|
18
18
|
```
|
|
19
19
|
|
|
20
|
-
`events.jsonl` is
|
|
21
|
-
|
|
20
|
+
`events.jsonl` is made so you can add to the end. `index.json` and `summary.json` are
|
|
21
|
+
fixed, repeatable look files that CW commands make again.
|
|
22
22
|
|
|
23
|
-
Each event
|
|
23
|
+
Each event keeps a record of:
|
|
24
24
|
|
|
25
25
|
- schema version, event id, timestamp, run id, kind, decision, and source
|
|
26
|
-
- actor, worker id, task id, node id, candidate id, score id, selection id, or commit id when
|
|
26
|
+
- actor, worker id, task id, node id, candidate id, score id, selection id, or commit id when it has a part to play
|
|
27
27
|
- sandbox profile id and policy snapshot/reference
|
|
28
|
-
- normalized path, command, network target, or env variable names when
|
|
28
|
+
- normalized path, command, network target, or env variable names when they have a part to play
|
|
29
29
|
- evidence references and parent audit event ids
|
|
30
30
|
- feedback ids for denied or failed decisions
|
|
31
31
|
|
|
32
|
-
Event sources are
|
|
32
|
+
Event sources are clear:
|
|
33
33
|
|
|
34
|
-
- `cw-validated`: CW checked a policy or gate
|
|
35
|
-
- `host-attested`: the agent host or operator
|
|
36
|
-
- `operator-recorded`: a
|
|
37
|
-
- `runtime-derived`: CW
|
|
34
|
+
- `cw-validated`: CW checked a policy or gate on the local machine.
|
|
35
|
+
- `host-attested`: the agent host or operator put down a record of what the host made certain.
|
|
36
|
+
- `operator-recorded`: a person or caller gave the record.
|
|
37
|
+
- `runtime-derived`: CW got the event from run state.
|
|
38
38
|
|
|
39
|
-
CW does not
|
|
40
|
-
|
|
39
|
+
CW does not keep secrets or raw environment values. Environment audit records
|
|
40
|
+
keep names only.
|
|
41
41
|
|
|
42
42
|
## Enforcement Boundary
|
|
43
43
|
|
|
44
|
-
CW
|
|
45
|
-
acceptance,
|
|
46
|
-
|
|
44
|
+
CW checks sandbox profiles, normalizes paths, checks worker output
|
|
45
|
+
acceptance, checks command/network/env decisions when asked, and keeps
|
|
46
|
+
lasting feedback for denied worker decisions.
|
|
47
47
|
|
|
48
|
-
The agent host must still
|
|
49
|
-
process execution
|
|
50
|
-
The audit layer
|
|
48
|
+
The agent host must still make certain of OS-level read isolation, write isolation,
|
|
49
|
+
limits on process execution, limits on network, and environment filtering.
|
|
50
|
+
The audit layer lets you look at that boundary; it is not a kernel.
|
|
51
51
|
|
|
52
52
|
## CLI
|
|
53
53
|
|
|
@@ -67,24 +67,24 @@ node scripts/cw.js audit decision <run-id> <worker-id> --network example.com
|
|
|
67
67
|
node scripts/cw.js audit decision <run-id> <worker-id> --env SECRET_NAME
|
|
68
68
|
```
|
|
69
69
|
|
|
70
|
-
Denied audit decisions are
|
|
71
|
-
records. Environment values are
|
|
70
|
+
Denied audit decisions are put into audit files and joined to feedback/error
|
|
71
|
+
records. Environment values are cut back to names.
|
|
72
72
|
|
|
73
73
|
## Evidence Provenance
|
|
74
74
|
|
|
75
|
-
`StateEvidence`
|
|
75
|
+
`StateEvidence` still works with older versions. v0.1.15 adds optional
|
|
76
76
|
`provenance` metadata that can point from:
|
|
77
77
|
|
|
78
78
|
```text
|
|
79
79
|
worker result -> result node -> verifier node -> candidate -> score -> selection -> commit
|
|
80
80
|
```
|
|
81
81
|
|
|
82
|
-
Candidate scores, selections, and verifier-gated commits
|
|
83
|
-
links
|
|
82
|
+
Candidate scores, selections, and verifier-gated commits keep provenance
|
|
83
|
+
links in place of only copying evidence arrays.
|
|
84
84
|
|
|
85
85
|
## Why Accepted
|
|
86
86
|
|
|
87
|
-
Selected candidates and verifier-gated commits
|
|
87
|
+
Selected candidates and verifier-gated commits come with an acceptance rationale:
|
|
88
88
|
|
|
89
89
|
- selected candidate id
|
|
90
90
|
- score id and score criteria
|
|
@@ -95,12 +95,12 @@ Selected candidates and verifier-gated commits carry an acceptance rationale:
|
|
|
95
95
|
- commit gate result
|
|
96
96
|
- audit event ids
|
|
97
97
|
|
|
98
|
-
Verifier-gated commits fail closed when the acceptance rationale
|
|
98
|
+
Verifier-gated commits fail closed when the acceptance rationale is not able to make clear
|
|
99
99
|
the evidence chain.
|
|
100
100
|
|
|
101
101
|
## MCP
|
|
102
102
|
|
|
103
|
-
The MCP server
|
|
103
|
+
The MCP server gives these like tools:
|
|
104
104
|
|
|
105
105
|
- `cw_audit_summary`
|
|
106
106
|
- `cw_audit_worker`
|
|
@@ -113,5 +113,5 @@ The MCP server exposes matching tools:
|
|
|
113
113
|
- `cw_audit_attest`
|
|
114
114
|
- `cw_audit_decision`
|
|
115
115
|
|
|
116
|
-
|
|
116
|
+
MCP tool names that are already there do not change.
|
|
117
117
|
0.1.51
|