cool-workflow 0.1.82 → 0.1.84

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (92) hide show
  1. package/.claude-plugin/plugin.json +2 -2
  2. package/.codex-plugin/plugin.json +4 -4
  3. package/README.md +128 -120
  4. package/apps/architecture-review/app.json +1 -1
  5. package/apps/architecture-review-fast/app.json +1 -1
  6. package/apps/end-to-end-golden-path/app.json +1 -1
  7. package/apps/pr-review-fix-ci/app.json +1 -1
  8. package/apps/release-cut/app.json +1 -1
  9. package/apps/research-synthesis/app.json +1 -1
  10. package/dist/capability-core.js +16 -8
  11. package/dist/capability-registry.js +270 -0
  12. package/dist/cli/command-surface.js +1320 -0
  13. package/dist/cli.js +2 -1307
  14. package/dist/commit.js +5 -1
  15. package/dist/doctor.js +153 -0
  16. package/dist/mcp-server.js +15 -1451
  17. package/dist/mcp-surface.js +1441 -0
  18. package/dist/orchestrator.js +13 -0
  19. package/dist/reclamation/hash.js +72 -0
  20. package/dist/reclamation.js +25 -78
  21. package/dist/run-registry/queue.js +6 -7
  22. package/dist/run-registry.js +35 -24
  23. package/dist/scheduler.js +78 -53
  24. package/dist/version.js +1 -1
  25. package/dist/worker-accept/acceptance.js +114 -0
  26. package/dist/worker-accept/blackboard-fanout.js +80 -0
  27. package/dist/worker-accept/blackboard-linkage.js +19 -0
  28. package/dist/worker-accept/context.js +2 -0
  29. package/dist/worker-accept/telemetry-ledger.js +116 -0
  30. package/dist/worker-accept/validation.js +77 -0
  31. package/dist/worker-accept/verifier-completion.js +73 -0
  32. package/dist/worker-isolation.js +41 -446
  33. package/docs/agent-delegation-drive.7.md +94 -86
  34. package/docs/agent-framework.md +33 -32
  35. package/docs/candidate-scoring.7.md +26 -24
  36. package/docs/canonical-workflow-apps.7.md +40 -40
  37. package/docs/capability-topology-registry.7.md +24 -24
  38. package/docs/cli-mcp-parity.7.md +230 -154
  39. package/docs/contract-migration-tooling.7.md +52 -41
  40. package/docs/control-plane-scheduling.7.md +49 -41
  41. package/docs/coordinator-blackboard.7.md +30 -30
  42. package/docs/dogfood-one-real-repo.7.md +44 -44
  43. package/docs/durable-state-and-locking.7.md +38 -30
  44. package/docs/end-to-end-golden-path.7.md +29 -29
  45. package/docs/error-feedback.7.md +27 -27
  46. package/docs/evidence-adoption-reasoning-chain.7.md +66 -58
  47. package/docs/execution-backends.7.md +88 -80
  48. package/docs/getting-started.md +35 -18
  49. package/docs/index.md +3 -3
  50. package/docs/mcp-app-surface.7.md +64 -64
  51. package/docs/multi-agent-cli-mcp-surface.7.md +86 -77
  52. package/docs/multi-agent-eval-replay-harness.7.md +63 -55
  53. package/docs/multi-agent-operator-ux.7.md +73 -65
  54. package/docs/multi-agent-runtime-core.7.md +39 -39
  55. package/docs/multi-agent-topologies.7.md +24 -24
  56. package/docs/multi-agent-trust-policy-audit.7.md +38 -38
  57. package/docs/node-snapshot-diff-replay.7.md +30 -22
  58. package/docs/observability-cost-accounting.7.md +53 -45
  59. package/docs/operator-ux.7.md +30 -30
  60. package/docs/pipeline-runner.7.md +31 -31
  61. package/docs/project-index.md +16 -5
  62. package/docs/real-execution-backends.7.md +51 -43
  63. package/docs/release-and-migration.7.md +46 -38
  64. package/docs/release-tooling.7.md +67 -50
  65. package/docs/routines.md +16 -16
  66. package/docs/run-registry-control-plane.7.md +124 -116
  67. package/docs/run-retention-reclamation.7.md +49 -41
  68. package/docs/sandbox-profiles.7.md +32 -32
  69. package/docs/scheduled-tasks.md +14 -14
  70. package/docs/security-trust-hardening.7.md +29 -29
  71. package/docs/source-context-profiles.7.md +28 -28
  72. package/docs/state-explosion-management.7.md +67 -59
  73. package/docs/state-node.7.md +8 -8
  74. package/docs/team-collaboration.7.md +66 -58
  75. package/docs/trust-model.md +126 -126
  76. package/docs/unix-principles.md +80 -80
  77. package/docs/vendor-manifest-loadability.7.md +20 -20
  78. package/docs/verifier-gated-commit.7.md +16 -16
  79. package/docs/web-desktop-workbench.7.md +73 -65
  80. package/docs/worker-isolation.7.md +34 -37
  81. package/docs/workflow-app-framework.7.md +38 -38
  82. package/manifest/plugin.manifest.json +4 -4
  83. package/package.json +3 -2
  84. package/scripts/bump-version.js +9 -1
  85. package/scripts/canonical-apps.js +4 -4
  86. package/scripts/dogfood-release.js +1 -1
  87. package/scripts/gen-parity-doc.js +106 -0
  88. package/scripts/golden-path.js +4 -4
  89. package/scripts/parity-check.js +27 -57
  90. package/scripts/release-flow.js +7 -6
  91. package/scripts/sync-project-index.js +1 -1
  92. package/dist/verifier-registry.js +0 -46
@@ -2,48 +2,48 @@
2
2
 
3
3
  CW v0.1.32 adds Team Collaboration: a host-attested actor, append-only approvals,
4
4
  rejections, comments, and handoffs, and a review gate that STACKS ON the verifier
5
- gate. Before v0.1.32 there was no review/approval/comment/handoff/identity concept
6
- anywhere; the foundations already existed — trust-audit recorded every decision
7
- with an `actor`, candidate selection carried `selectedBy`, role policies existed,
8
- and commits were verifier-gated. This release adds the human-decision layer ON TOP
9
- of those mechanisms, without changing them and without taking ownership of source
5
+ gate. Before v0.1.32 there was no review/approval/comment/handoff/identity idea
6
+ anywhere; the base parts were already there — trust-audit kept a note of every
7
+ decision with an `actor`, candidate selection had `selectedBy`, role policies were
8
+ there, and commits were verifier-gated. This release adds the human-decision layer ON TOP
9
+ of those mechanisms. It does not change them and does not take ownership of source
10
10
  truth.
11
11
 
12
- The design follows the same base-system discipline as
12
+ The design keeps to the same base-system way as
13
13
  [Security / Trust Hardening](security-trust-hardening.7.md) and the
14
14
  [Verifier-Gated Commit](verifier-gated-commit.7.md):
15
15
 
16
16
  - the per-run `.cw/runs/<id>/state.json` is the SINGLE source of truth
17
- - collaboration records are an APPEND-ONLY log, never mutated in place
17
+ - collaboration records are an APPEND-ONLY log, never changed in place
18
18
  - identity is ATTESTED provenance, never authenticated; CW is not an auth server
19
- - the review gate is POLICY layered on the verifier MECHANISM — never a bypass
20
- - fail closed: missing authority, ambiguous role, or self-approval is a denial
19
+ - the review gate is POLICY put over the verifier MECHANISM — never a bypass
20
+ - fail closed: missing authority, unclear role, or self-approval is a denial
21
21
  - policy (required approvals, authorized roles, self-approval) is data, not kernel
22
- - backward compatible; every collaboration field is additive and optional
22
+ - backward compatible; every collaboration field is added on and optional
23
23
 
24
24
  ## Identity is attested, not authenticated
25
25
 
26
- An `Actor` is host-attested provenance, not an authenticated principal. CW records
27
- WHO acted; it does not verify a password, a token, or a signature — that is a host
28
- trust-boundary concern. `normalizeActor` maps an actor input to one of three
29
- provenances: `host-attested` (the host vouched, `--attested`), `operator-recorded`
30
- (supplied unverified), or `unattributed` (no identity supplied). An absent identity
31
- becomes the explicit `unattributed` actor — `{ kind: "unattributed", id:
32
- "unattributed", attested: false }` — never a fabricated one. Spoofing is recorded
33
- honestly as whatever provenance the host attested, not hidden. This extends the
26
+ An `Actor` is host-attested provenance, not an authenticated principal. CW keeps a
27
+ note of WHO acted; it does not check a password, a token, or a signature — that is a host
28
+ trust-boundary thing. `normalizeActor` maps an actor input to one of three
29
+ provenances: `host-attested` (the host said so, `--attested`), `operator-recorded`
30
+ (given but not checked), or `unattributed` (no identity given). A missing identity
31
+ becomes the plain `unattributed` actor — `{ kind: "unattributed", id:
32
+ "unattributed", attested: false }` — never a made-up one. Spoofing is kept on record
33
+ in a true way as whatever provenance the host attested, not hidden. This builds on the
34
34
  existing trust-audit `actor` string and the v0.1.29/v0.1.31 attestation pattern.
35
35
 
36
36
  ## Approvals and rejections are append-only and provenance-linked
37
37
 
38
38
  `approve` and `reject` append an `ApprovalRecord` to `run.collaboration.approvals`.
39
- Each record carries the actor, the decision, the durable target it attaches to, an
39
+ Each record holds the actor, the decision, the durable target it joins to, an
40
40
  optional rationale, the role the actor claims, and `auditEventIds` linking it to a
41
41
  `collaboration.approval`/`collaboration.rejection` event in the trust-audit log —
42
- exactly as `candidate.selection` records both a `CandidateSelection` and an audit
42
+ just as `candidate.selection` keeps a note of both a `CandidateSelection` and an audit
43
43
  event. The approved artifact (candidate/commit/selection) is NEVER edited in place:
44
- "who approved what" is a provenance link, not a field overwrite. A correction is a
45
- NEW record carrying `supersedes` (git-style); the superseded record stays in the
46
- log, no longer counts, and the original is unchanged.
44
+ "who approved what" is a provenance link, not a field overwrite. A fix is a
45
+ NEW record holding `supersedes` (git-style); the superseded record stays in the
46
+ log, no longer counts, and the original is left as it was.
47
47
 
48
48
  A target is one of `run | task | candidate | selection | commit | node`. "Who
49
49
  approved which candidate/commit" is answered by filtering the append-only records
@@ -54,76 +54,76 @@ by target.
54
54
  The verifier-gated commit is the MECHANISM (see
55
55
  [Verifier-Gated Commit](verifier-gated-commit.7.md)): `resolveCommitGate` accepts a
56
56
  commit only when a verified verifier node, a scored+verified candidate, and a
57
- complete acceptance rationale are present. A review gate is POLICY layered on top.
57
+ full acceptance rationale are present. A review gate is POLICY put on top.
58
58
  `reviewGateErrors` runs INSIDE `resolveCommitGate`, AFTER the verifier checks, and
59
- can only ADD errors — required approvals from authorized roles — never remove the
59
+ can only ADD errors — required approvals from authorized roles — never take away the
60
60
  verifier's. The same call guards candidate selection in `selectCandidate`.
61
61
 
62
62
  Data flow for a gated commit:
63
63
 
64
- 1. `resolveCommitGate` resolves the candidate/selection and runs every verifier
64
+ 1. `resolveCommitGate` works out the candidate/selection and runs every verifier
65
65
  check; if any fail the commit is blocked as before.
66
66
  2. If a `ReviewGatePolicy` applies to `commit` (or `selection`), `reviewGateErrors`
67
- derives the review state over the approvals targeting the commit AND its
67
+ works out the review state over the approvals pointing at the commit AND its
68
68
  underlying selection/candidate (you approve the candidate; the commit honors it).
69
69
  3. If the review state is not `approved`, a single `review-gate-missing-approvals`
70
- StateNodeError is appended, listing exactly which approvals are missing.
71
- `commitState` throws `CommitGateError`, recorded as append-only feedback.
70
+ StateNodeError is appended, listing just which approvals are missing.
71
+ `commitState` throws `CommitGateError`, kept on record as append-only feedback.
72
72
  4. Only when BOTH gates pass is the commit written — and it is stamped with a
73
- `CommitReviewProvenance` recording WHO approved the very artifact that shipped.
73
+ `CommitReviewProvenance` keeping a note of WHO approved the very artifact that shipped.
74
74
 
75
- Because the review errors are appended after the verifier errors and never replace
76
- them, an approval can never turn an unverified result into a committed one: an
75
+ Because the review errors are appended after the verifier errors and never take their
76
+ place, an approval can never turn an unverified result into a committed one: an
77
77
  approved-but-unverified candidate is still blocked by the verifier gate.
78
78
 
79
79
  ## Fail closed on authority and quorum
80
80
 
81
81
  `deriveReviewState` is a pure, deterministic projection of the append-only records
82
- plus a policy. It counts ONLY approvals that are, all at once: from an attested
82
+ plus a policy. It counts ONLY approvals that are, all at the same time: from an attested
83
83
  identity (when `requireAttestedActor`), from a role in `authorizedRoles` (or `*`),
84
84
  and not a self-approval (when `allowSelfApproval` is false; "self" is the
85
- candidate's producing worker and its selector). Distinct counted approvers must
86
- reach `requiredApprovals`. Anything short is not auto-passed; the status is:
85
+ candidate's producing worker and its selector). The number of separate counted approvers must
86
+ reach `requiredApprovals`. Anything less is not let through on its own; the status is:
87
87
 
88
88
  - `approved` — requirement met (or the target is not gated)
89
89
  - `pending` — gated, no blocking reject, fewer than required counted approvals
90
- - `blocked` — recorded approvals exist but none count (authority/self)
90
+ - `blocked` — recorded approvals are there but none count (authority/self)
91
91
  - `unattributed` — the only recorded approvals are from unattributed actors
92
92
  - `rejected` — an authorized, attested reject is a blocking veto
93
93
 
94
- Every disqualified approval is surfaced with its reason (`unattributed`,
94
+ Every approval that does not qualify is shown with its reason (`unattributed`,
95
95
  `unauthorized-role`, `self-approval`, `superseded`), so a reader can audit why an
96
- approval did not count. A target requiring N approvals with fewer recorded is
97
- BLOCKED, and the block records exactly what is missing.
96
+ approval did not count. A target needing N approvals with fewer recorded is
97
+ BLOCKED, and the block keeps a note of just what is missing.
98
98
 
99
99
  ## Comments and handoffs are state, not chat
100
100
 
101
101
  A `comment` appends a `CommentRecord` to a durable target with an actor, a thread
102
- id, and an audit link; threads are ordered by `createdAt` and never edited in
103
- place. A `handoff` appends a `HandoffRecord` — an explicit ownership transfer with
104
- a from-actor, a to-actor, and a reason — and the current owner of a run/task is
105
- DERIVED from the latest handoff, never an overwritten field. There is no side
106
- channel: the collaboration IS the durable, inspectable state, consistent with CW's
102
+ id, and an audit link; threads are put in order by `createdAt` and never edited in
103
+ place. A `handoff` appends a `HandoffRecord` — a clear ownership transfer with
104
+ a from-actor, a to-actor, and a reason — and the present owner of a run/task is
105
+ DERIVED from the newest handoff, never an overwritten field. There is no side
106
+ channel: the collaboration IS the durable, inspectable state, in keeping with CW's
107
107
  no-hidden-dashboard-database rule.
108
108
 
109
109
  ## Policy as data, kept out of the kernel
110
110
 
111
111
  `review policy <run-id>` writes a `ReviewGatePolicy` to `run.collaboration.policy`:
112
112
  `requiredApprovals` (0 = no gate), `authorizedRoles` (`*` = any), `allowSelfApproval`,
113
- `requireAttestedActor`, and `appliesTo` (target kinds). The default — absent policy
114
- or `requiredApprovals: 0` — requires no approvals, so pre-v0.1.32 runs and any run
115
- without a policy behave exactly as before. The policy is data; the kernel only
116
- enforces the mechanism.
113
+ `requireAttestedActor`, and `appliesTo` (target kinds). The default — no policy
114
+ or `requiredApprovals: 0` — needs no approvals, so pre-v0.1.32 runs and any run
115
+ without a policy act just as before. The policy is data; the kernel only
116
+ makes the mechanism hold.
117
117
 
118
118
  ## One source, every surface
119
119
 
120
120
  Each collaboration verb is declared once in `src/capability-registry.ts`, so
121
121
  `cw <cmd> --json` is schema-identical to `cw_<cmd>` and passes the parity gate. The
122
- read-only `review status` and `comment list` are byte-for-byte identical across CLI
123
- and MCP (the payload-identity probe strips only ISO timestamps; the only
122
+ read-only `review status` and `comment list` are byte-for-byte the same across CLI
123
+ and MCP (the payload-identity probe takes out only ISO timestamps; the only
124
124
  now-derived field in a review report is `generatedAt`). The v0.1.30 Workbench
125
- renders the review timeline and per-target approval state read-only as a sixth
126
- panel, embedding the `review status` payload verbatim. The v0.1.31 metrics report
125
+ shows the review timeline and per-target approval state read-only as a sixth
126
+ panel, putting in the `review status` payload word for word. The v0.1.31 metrics report
127
127
  adds derived approval-rate, time-to-approval, handoff-count, and reviewer-count,
128
128
  all from recorded timestamps — deterministic over a fixed snapshot.
129
129
 
@@ -141,7 +141,7 @@ cw review status <run-id> [--json]
141
141
 
142
142
  `<kind>` is one of `run | task | candidate | selection | commit | node`. Approve a
143
143
  candidate (or selection), then commit `--candidate`/`--selection`; the commit gate
144
- honors the candidate's approvals and records who approved the shipped commit.
144
+ honors the candidate's approvals and keeps a note of who approved the shipped commit.
145
145
 
146
146
  CW is the base system. Workflow apps are userland. Collaboration adds the human
147
147
  decision as durable, attested, append-only state — never a hidden dashboard, never
@@ -149,11 +149,11 @@ a bypass of the verifier gate.
149
149
 
150
150
  ## Release Tooling (v0.1.33)
151
151
 
152
- the per-tag mechanical surfaces (version bump across 17 surfaces, feature scaffold, and the forward-reference docs) become deterministic scripts, with a de-duplicated release gate. See release-tooling(7).
152
+ the per-tag mechanical surfaces (version bump across 17 surfaces, feature scaffold, and the forward-reference docs) become deterministic scripts, with a de-duplicated release gate. See release-tooling(7) for more.
153
153
 
154
154
  ## Real Execution Backend Integrations (v0.1.34)
155
155
 
156
- container/remote/ci backends really execute (docker/podman run, remote/CI POST-and-poll) under the sandbox contract, with byte-stable evidence vs node and fail-closed refusal when a runtime/endpoint is unavailable. See real-execution-backends(7).
156
+ container/remote/ci backends really execute (docker/podman run, remote/CI POST-and-poll) under the sandbox contract, with byte-stable evidence vs node and fail-closed refusal when a runtime/endpoint is not there to use. See real-execution-backends(7).
157
157
 
158
158
  ## Node Snapshot / Diff / Replay (v0.1.35)
159
159
 
@@ -193,11 +193,11 @@ Hard gate blocking empty-capture verifier-gated commits, plus quickstart and lau
193
193
 
194
194
  ## Release-Gate Determinism & Agents Vendor (v0.1.44)
195
195
 
196
- Release-readiness checks now validate the committed blob (`git show HEAD:<path>`) instead of the mutable working tree — eliminating false-red/false-green from concurrent working-tree writes (iCloud/Spotlight/editor). Adds the `agents` vendor manifest target: a generated `.agents/plugins/cool-workflow/` adapter giving any non-Claude AI agent one common interface to CW.
196
+ Release-readiness checks now validate the committed blob (`git show HEAD:<path>`) in place of the mutable working tree — doing away with false-red/false-green from concurrent working-tree writes (iCloud/Spotlight/editor). Adds the `agents` vendor manifest target: a generated `.agents/plugins/cool-workflow/` adapter giving any non-Claude AI agent one common interface to CW.
197
197
 
198
198
  ## P1-P2 Fixes & CI Content Surfaces (v0.1.49)
199
199
 
200
- Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.46), vendor-adapter registry (v0.1.47), state auto-compaction and P2 fixes (v0.1.48), plus CI content-surface determinism hardening (v0.1.49).
200
+ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.46), vendor-adapter registry (v0.1.47), state auto-compaction and P2 fixes (v0.1.48), and CI content-surface determinism hardening (v0.1.49).
201
201
  0.1.51
202
202
 
203
203
  0.1.76
@@ -210,7 +210,15 @@ Migration DAG with reversible edges (v0.1.45), capability auto-discovery (v0.1.4
210
210
 
211
211
  ## Fast Architecture Review (v0.1.80)
212
212
 
213
- Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, reusable Map and Assess results, measurable wrapper metrics, actionable background full-review handoff, and userland model policy flags for routing fast/strong workers without changing the full review contract.
213
+ Adds the opt-in fast architecture-review lane: scoped JSONL source contexts, diff-aware exports, reusable Map and Assess results, measurable wrapper metrics, useful background full-review handoff, and userland model policy flags for routing fast/strong workers without changing the full review contract.
214
214
 
215
215
  _No changes to the team-collaboration surface in v0.1.81._
216
216
  _No changes in v0.1.82._
217
+
218
+ ## Hardening and Onboarding (v0.1.83)
219
+
220
+ Loaders fail closed on corrupt state; store writes are made safe under more than one writer; a new cw doctor checks your setup; help lists every command; and the docs are put into Basic English.
221
+
222
+ ## Privacy Release (v0.1.84)
223
+
224
+ No other change to this page in v0.1.84.