cool-workflow 0.1.82 → 0.1.84
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.claude-plugin/plugin.json +2 -2
- package/.codex-plugin/plugin.json +4 -4
- package/README.md +128 -120
- package/apps/architecture-review/app.json +1 -1
- package/apps/architecture-review-fast/app.json +1 -1
- package/apps/end-to-end-golden-path/app.json +1 -1
- package/apps/pr-review-fix-ci/app.json +1 -1
- package/apps/release-cut/app.json +1 -1
- package/apps/research-synthesis/app.json +1 -1
- package/dist/capability-core.js +16 -8
- package/dist/capability-registry.js +270 -0
- package/dist/cli/command-surface.js +1320 -0
- package/dist/cli.js +2 -1307
- package/dist/commit.js +5 -1
- package/dist/doctor.js +153 -0
- package/dist/mcp-server.js +15 -1451
- package/dist/mcp-surface.js +1441 -0
- package/dist/orchestrator.js +13 -0
- package/dist/reclamation/hash.js +72 -0
- package/dist/reclamation.js +25 -78
- package/dist/run-registry/queue.js +6 -7
- package/dist/run-registry.js +35 -24
- package/dist/scheduler.js +78 -53
- package/dist/version.js +1 -1
- package/dist/worker-accept/acceptance.js +114 -0
- package/dist/worker-accept/blackboard-fanout.js +80 -0
- package/dist/worker-accept/blackboard-linkage.js +19 -0
- package/dist/worker-accept/context.js +2 -0
- package/dist/worker-accept/telemetry-ledger.js +116 -0
- package/dist/worker-accept/validation.js +77 -0
- package/dist/worker-accept/verifier-completion.js +73 -0
- package/dist/worker-isolation.js +41 -446
- package/docs/agent-delegation-drive.7.md +94 -86
- package/docs/agent-framework.md +33 -32
- package/docs/candidate-scoring.7.md +26 -24
- package/docs/canonical-workflow-apps.7.md +40 -40
- package/docs/capability-topology-registry.7.md +24 -24
- package/docs/cli-mcp-parity.7.md +230 -154
- package/docs/contract-migration-tooling.7.md +52 -41
- package/docs/control-plane-scheduling.7.md +49 -41
- package/docs/coordinator-blackboard.7.md +30 -30
- package/docs/dogfood-one-real-repo.7.md +44 -44
- package/docs/durable-state-and-locking.7.md +38 -30
- package/docs/end-to-end-golden-path.7.md +29 -29
- package/docs/error-feedback.7.md +27 -27
- package/docs/evidence-adoption-reasoning-chain.7.md +66 -58
- package/docs/execution-backends.7.md +88 -80
- package/docs/getting-started.md +35 -18
- package/docs/index.md +3 -3
- package/docs/mcp-app-surface.7.md +64 -64
- package/docs/multi-agent-cli-mcp-surface.7.md +86 -77
- package/docs/multi-agent-eval-replay-harness.7.md +63 -55
- package/docs/multi-agent-operator-ux.7.md +73 -65
- package/docs/multi-agent-runtime-core.7.md +39 -39
- package/docs/multi-agent-topologies.7.md +24 -24
- package/docs/multi-agent-trust-policy-audit.7.md +38 -38
- package/docs/node-snapshot-diff-replay.7.md +30 -22
- package/docs/observability-cost-accounting.7.md +53 -45
- package/docs/operator-ux.7.md +30 -30
- package/docs/pipeline-runner.7.md +31 -31
- package/docs/project-index.md +16 -5
- package/docs/real-execution-backends.7.md +51 -43
- package/docs/release-and-migration.7.md +46 -38
- package/docs/release-tooling.7.md +67 -50
- package/docs/routines.md +16 -16
- package/docs/run-registry-control-plane.7.md +124 -116
- package/docs/run-retention-reclamation.7.md +49 -41
- package/docs/sandbox-profiles.7.md +32 -32
- package/docs/scheduled-tasks.md +14 -14
- package/docs/security-trust-hardening.7.md +29 -29
- package/docs/source-context-profiles.7.md +28 -28
- package/docs/state-explosion-management.7.md +67 -59
- package/docs/state-node.7.md +8 -8
- package/docs/team-collaboration.7.md +66 -58
- package/docs/trust-model.md +126 -126
- package/docs/unix-principles.md +80 -80
- package/docs/vendor-manifest-loadability.7.md +20 -20
- package/docs/verifier-gated-commit.7.md +16 -16
- package/docs/web-desktop-workbench.7.md +73 -65
- package/docs/worker-isolation.7.md +34 -37
- package/docs/workflow-app-framework.7.md +38 -38
- package/manifest/plugin.manifest.json +4 -4
- package/package.json +3 -2
- package/scripts/bump-version.js +9 -1
- package/scripts/canonical-apps.js +4 -4
- package/scripts/dogfood-release.js +1 -1
- package/scripts/gen-parity-doc.js +106 -0
- package/scripts/golden-path.js +4 -4
- package/scripts/parity-check.js +27 -57
- package/scripts/release-flow.js +7 -6
- package/scripts/sync-project-index.js +1 -1
- package/dist/verifier-registry.js +0 -46
package/docs/trust-model.md
CHANGED
|
@@ -1,57 +1,57 @@
|
|
|
1
1
|
# Trust Model & Limitations
|
|
2
2
|
|
|
3
|
-
> **Read this before you trust a cool-workflow record.** This
|
|
3
|
+
> **Read this before you trust a cool-workflow record.** This page says
|
|
4
4
|
> exactly what CW's cryptographic guarantees prove, and — just as important —
|
|
5
|
-
> what they do **not** prove. We would
|
|
6
|
-
> have them
|
|
7
|
-
>
|
|
5
|
+
> what they do **not** prove. We would be happier to lose a doubting reader here than
|
|
6
|
+
> to have them put too much trust in a green check mark in production. If anything below
|
|
7
|
+
> says more than is true, it is a bug; please send it in.
|
|
8
8
|
|
|
9
|
-
CW is an **auditable control-plane**. It plans,
|
|
10
|
-
agent work — it does **not** run the model itself. That
|
|
11
|
-
choice is what the guarantees below
|
|
12
|
-
honest
|
|
9
|
+
CW is an **auditable control-plane**. It plans, sends out, records, and checks
|
|
10
|
+
agent work — it does **not** run the model itself. That one design
|
|
11
|
+
choice is what the guarantees below are built on, and it is also the cause of their
|
|
12
|
+
honest limit.
|
|
13
13
|
|
|
14
14
|
---
|
|
15
15
|
|
|
16
16
|
## TL;DR
|
|
17
17
|
|
|
18
18
|
- CW's ed25519 signature + hash-chained ledger prove **integrity and
|
|
19
|
-
attribution**: a recorded usage
|
|
20
|
-
been
|
|
19
|
+
attribution**: a recorded usage number was signed by the keyholder and has not
|
|
20
|
+
been changed since it was recorded. Both check again **offline** — the recorded
|
|
21
21
|
ledger's integrity with **no key at all** (`cw telemetry verify`), and each
|
|
22
|
-
`attested` signature with the **public key
|
|
23
|
-
--pubkey <public.pem>`; also
|
|
24
|
-
- They do **not** prove the
|
|
25
|
-
sign a
|
|
26
|
-
still
|
|
27
|
-
- **CW holds no private key.** It can verify, but it can
|
|
28
|
-
signature
|
|
22
|
+
`attested` signature with the **public key by itself** (`cw telemetry verify
|
|
23
|
+
--pubkey <public.pem>`; also done again by `cw demo tamper`).
|
|
24
|
+
- They do **not** prove the first number was **true**. A signer who is not honest can
|
|
25
|
+
sign a false number; the false number is then bound by cryptography to its signer, but it is
|
|
26
|
+
still false.
|
|
27
|
+
- **CW holds no private key.** It can verify, but it can not make a fake
|
|
28
|
+
signature and it can not measure usage itself (by design — see the red line below).
|
|
29
29
|
- The honest gap is **single-keyholder / no second party**: when the same
|
|
30
30
|
operator runs CW *and* holds the only signing key, integrity is real but there
|
|
31
|
-
is no
|
|
32
|
-
why we are
|
|
31
|
+
is no separate party giving word that the source was honest. **This is exactly
|
|
32
|
+
why we are looking for early integration partners** who give a separate
|
|
33
33
|
second party / co-signer. See [Closing the gap](#closing-the-gap-the-second-party).
|
|
34
34
|
|
|
35
35
|
---
|
|
36
36
|
|
|
37
37
|
## What the cryptography is, precisely
|
|
38
38
|
|
|
39
|
-
There are two
|
|
40
|
-
|
|
39
|
+
There are two separate parts. Mixing them up is the most common way to
|
|
40
|
+
say too much or too little about the guarantee, so they are kept apart here.
|
|
41
41
|
|
|
42
42
|
### 1. The telemetry signature (ed25519) — attribution of a reported number
|
|
43
43
|
|
|
44
|
-
The agent (the **executor**)
|
|
45
|
-
records that number
|
|
44
|
+
The agent (the **executor**) reports its own token usage. A control-plane that
|
|
45
|
+
records that number word for word is recording a **claim**. To make the claim into an
|
|
46
46
|
**attestation**, the executor signs a canonical payload with its **private key**:
|
|
47
47
|
|
|
48
48
|
```
|
|
49
49
|
sign({ usage, runId, taskId, promptDigest }) // ed25519, executor-side
|
|
50
50
|
```
|
|
51
51
|
|
|
52
|
-
The `runId` / `taskId` / `promptDigest` binding
|
|
53
|
-
signature to **this** hop, so a
|
|
54
|
-
|
|
52
|
+
The `runId` / `taskId` / `promptDigest` binding does important work: it ties the
|
|
53
|
+
signature to **this** hop, so a good signature from one task can not be used again
|
|
54
|
+
on another. `promptDigest` is the sha256 of the exact worker prompt CW gave
|
|
55
55
|
the agent.
|
|
56
56
|
|
|
57
57
|
CW then **verifies** that signature against an **operator-provisioned public
|
|
@@ -61,42 +61,42 @@ key**. CW holds *only* the public half. From `telemetry-attestation.ts`:
|
|
|
61
61
|
> ONLY the public key — it can verify, but can neither forge a signature nor (the
|
|
62
62
|
> red line) call a model to measure usage itself.
|
|
63
63
|
|
|
64
|
-
The result is one of three honest states,
|
|
65
|
-
|
|
64
|
+
The result is one of three honest states, shown clearly and never quietly
|
|
65
|
+
moved up to "trusted":
|
|
66
66
|
|
|
67
67
|
| State | Meaning |
|
|
68
68
|
|---|---|
|
|
69
|
-
| `attested` | A
|
|
70
|
-
| `unattested` | Usage was reported but the signature is missing,
|
|
69
|
+
| `attested` | A good ed25519 signature over the reported usage, bound to this run/task/prompt, checked against the set public key. |
|
|
70
|
+
| `unattested` | Usage was reported but the signature is missing, badly formed, made with the wrong key, or does not match the payload (changed or used again). Also: no trust key set. |
|
|
71
71
|
| `absent` | The agent reported no usage at all. |
|
|
72
72
|
|
|
73
73
|
Defaults are honest: no signature ⇒ `unattested`; no usage ⇒ `absent`. **Usage
|
|
74
|
-
is never
|
|
74
|
+
is never quietly recorded as trusted.** The opt-in `require-attested-telemetry`
|
|
75
75
|
policy fails the run closed on anything other than `attested`.
|
|
76
76
|
|
|
77
77
|
### 2. The hash-chained ledgers — tamper-evidence of the recorded log
|
|
78
78
|
|
|
79
|
-
A signature proves the agent *said* a number
|
|
80
|
-
prove that **CW recorded exactly that** and that **nobody
|
|
81
|
-
|
|
79
|
+
A signature proves the agent *said* a number while running. By itself it does not
|
|
80
|
+
prove that **CW recorded exactly that** and that **nobody changed the record
|
|
81
|
+
after**. That is the job of the append-only, hash-chained ledgers:
|
|
82
82
|
|
|
83
83
|
- **Telemetry ledger** (`telemetry.json`, one entry per agent hop): each entry
|
|
84
|
-
chains to the
|
|
85
|
-
entry)`. Flip a recorded verdict (`unattested` → `attested`) or
|
|
86
|
-
usage digest, and the chain no longer
|
|
87
|
-
- **Trust-audit event log** (`events.jsonl`): the same
|
|
84
|
+
chains to the one before through `prevHash`, and `recordHash = sha256(canonical
|
|
85
|
+
entry)`. Flip a recorded verdict (`unattested` → `attested`) or change a recorded
|
|
86
|
+
usage digest, and the chain no longer comes out the same.
|
|
87
|
+
- **Trust-audit event log** (`events.jsonl`): the same care put on
|
|
88
88
|
every recorded decision — sandbox path allow/deny, policy snapshots,
|
|
89
89
|
verifier-gated commits, collaboration approvals.
|
|
90
90
|
|
|
91
|
-
Verification **
|
|
92
|
-
value**, so
|
|
93
|
-
`verified = false`. A ledger that
|
|
94
|
-
it is
|
|
91
|
+
Verification **works out every hash on its own and never trusts the stored
|
|
92
|
+
value**, so a changed, reordered, removed, or cut-short entry flips
|
|
93
|
+
`verified = false`. A ledger that is there but can not be parsed **fails closed** —
|
|
94
|
+
it is taken as broken, never quietly as the clean empty chain.
|
|
95
95
|
|
|
96
96
|
This is all **offline**. The chain re-proof needs **no key at all**; add
|
|
97
97
|
`--pubkey <public.pem>` to re-run the signature **attribution** check against the
|
|
98
98
|
stored raw usage for every `attested` record. There is no telemetry service to
|
|
99
|
-
trust or
|
|
99
|
+
trust or break into — the record proves its own integrity, and a third-party auditor
|
|
100
100
|
can re-run both checks on their own machine.
|
|
101
101
|
|
|
102
102
|
---
|
|
@@ -104,79 +104,79 @@ can re-run both checks on their own machine.
|
|
|
104
104
|
## What this DOES prove
|
|
105
105
|
|
|
106
106
|
For telemetry, if `cw telemetry verify <run> --pubkey <public.pem>` reports green,
|
|
107
|
-
you can
|
|
107
|
+
you can put trust in **all** of the following, and only these:
|
|
108
108
|
|
|
109
|
-
1. **Attribution.** Each `attested` usage
|
|
110
|
-
|
|
111
|
-
prompt. It is **non-repudiable**: the signer
|
|
112
|
-
could not have been
|
|
109
|
+
1. **Attribution.** Each `attested` usage number was signed by the holder of the
|
|
110
|
+
set private key, over a payload bound to that one run, task, and
|
|
111
|
+
prompt. It is **non-repudiable**: the signer can not later say it is not theirs, and it
|
|
112
|
+
could not have been used again from a different hop.
|
|
113
113
|
2. **Tamper-evidence of the record.** The recorded ledger — verdicts, usage
|
|
114
|
-
digests, audit decisions — has not been
|
|
115
|
-
entries
|
|
116
|
-
can
|
|
117
|
-
|
|
114
|
+
digests, audit decisions — has not been changed, reordered, cut short, or had
|
|
115
|
+
entries taken out since it was written, *as far as a self-recomputable chain
|
|
116
|
+
can see* (see the threat-model note below). Light or part tampering,
|
|
117
|
+
damage by chance, cutting short, and faked unchained lines are all caught.
|
|
118
118
|
3. **Offline, independent re-verification.** Re-proving the recorded ledger needs
|
|
119
|
-
no network, no CW service, and no trust in our
|
|
120
|
-
verify`
|
|
121
|
-
`--pubkey`, the ed25519 **attribution** is
|
|
122
|
-
**public key
|
|
123
|
-
end-to-end, offline. The integrity claim does not
|
|
124
|
-
4. **CW never
|
|
125
|
-
calls a model. It
|
|
126
|
-
number to sign. What it records, it
|
|
119
|
+
no network, no CW service, and no trust in our setup — `cw telemetry
|
|
120
|
+
verify` works out the chain again on your machine (and needs no key to do it). With
|
|
121
|
+
`--pubkey`, the ed25519 **attribution** is checked again on its own with the
|
|
122
|
+
**public key by itself**; `cw demo tamper` does that sign-and-catch again
|
|
123
|
+
end-to-end, offline. The integrity claim does not rest on trusting us.
|
|
124
|
+
4. **CW never faked or measured anything.** CW holds no private key and never
|
|
125
|
+
calls a model. It can not make a signature, and it can not make up a usage
|
|
126
|
+
number to sign. What it records, it took in and checked.
|
|
127
127
|
|
|
128
128
|
---
|
|
129
129
|
|
|
130
130
|
## What this DOES NOT prove
|
|
131
131
|
|
|
132
|
-
|
|
133
|
-
not
|
|
132
|
+
Just as important. None of the following are inside the guarantee, and we will
|
|
133
|
+
not give any other idea:
|
|
134
134
|
|
|
135
135
|
1. **It does not prove the reported number is true.** A signature proves *who*
|
|
136
|
-
said it and that it *
|
|
137
|
-
source.
|
|
136
|
+
said it and that it *was not changed* — **not** that it was right at the
|
|
137
|
+
source. To quote the code's own honest limit:
|
|
138
138
|
|
|
139
139
|
> A dishonest keyholder can still sign a lie, but the lie is now
|
|
140
140
|
> cryptographically bound to its signer.
|
|
141
141
|
|
|
142
|
-
CW
|
|
143
|
-
calling the model — the red line it
|
|
142
|
+
CW on purpose does **not** measure usage on its own (to do so would mean
|
|
143
|
+
calling the model — the red line it will not cross). So the strongest honest
|
|
144
144
|
claim is **attribution, not ground-truth measurement**.
|
|
145
145
|
|
|
146
|
-
2. **It does not
|
|
146
|
+
2. **It does not guard against a single party who holds both roles.** If the
|
|
147
147
|
same operator runs CW, holds the signing private key, *and* controls the
|
|
148
|
-
machine the ledger lives on, then a green verdict
|
|
149
|
-
signed and that **that party's** record
|
|
150
|
-
bring in any *
|
|
148
|
+
machine the ledger lives on, then a green verdict gives word that **that party**
|
|
149
|
+
signed and that **that party's** record agrees with itself. It does not
|
|
150
|
+
bring in any *separate* party. Agreeing with itself is not third-party
|
|
151
151
|
verification.
|
|
152
152
|
|
|
153
|
-
3. **A
|
|
153
|
+
3. **A set local writer can re-chain the whole log.** The hash-chain's
|
|
154
154
|
genesis is `sha256(runId)` — a value the local writer knows. So the chain
|
|
155
|
-
|
|
156
|
-
**
|
|
157
|
-
|
|
155
|
+
sees changes to *part* of a log, but a writer who changes an entry and then
|
|
156
|
+
**works out every later hash** with CW's own sha256 makes a log that
|
|
157
|
+
verifies green again. From `trust-audit.ts`:
|
|
158
158
|
|
|
159
159
|
> THREAT MODEL (be honest about the limit): the genesis is sha256(runId), so
|
|
160
160
|
> this detects casual/partial tampering, accidental corruption, truncation,
|
|
161
161
|
> removal, and forged-unchained lines — but NOT a determined local writer who
|
|
162
162
|
> re-chains the WHOLE log with this module's own sha256 after an edit.
|
|
163
163
|
|
|
164
|
-
This is **
|
|
165
|
-
anchor the writer
|
|
164
|
+
This is **built in** to any local, self-recomputable chain. To close it needs an
|
|
165
|
+
anchor the writer can not make again. CW **can not make that anchor itself** —
|
|
166
166
|
because by design it holds no private key. The one cryptographic anchor that
|
|
167
|
-
|
|
167
|
+
is there is the **agent's** telemetry signature, which covers agent-reported
|
|
168
168
|
*usage* — it does **not** cover CW-only decisions (sandbox / policy /
|
|
169
|
-
commit-gate), which have no
|
|
169
|
+
commit-gate), which have no outside signer.
|
|
170
170
|
|
|
171
|
-
For those CW-only decisions, the only stronger guarantee
|
|
172
|
-
**operational**, not cryptographic: commit `events.jsonl` to an
|
|
171
|
+
For those CW-only decisions, the only stronger guarantee we have today is
|
|
172
|
+
**operational**, not cryptographic: commit `events.jsonl` to an outside
|
|
173
173
|
append-only medium (git history, a remote append-only log) that the local
|
|
174
|
-
writer
|
|
175
|
-
append-only log — not a
|
|
174
|
+
writer can not rewrite. The chain is a **clear step up** over a bare
|
|
175
|
+
append-only log — not a thing to use in place of an outside anchor.
|
|
176
176
|
|
|
177
177
|
4. **It says nothing about the quality, safety, or correctness of the work.**
|
|
178
|
-
Attestation is about *
|
|
179
|
-
the agent's output is good,
|
|
178
|
+
Attestation is about *where records come from and the integrity of records*, not about whether
|
|
179
|
+
the agent's output is good, safe, or even working. Other CW parts
|
|
180
180
|
(verifier gate, schema validation, evidence grounding) speak to that; the
|
|
181
181
|
cryptography here does not.
|
|
182
182
|
|
|
@@ -184,84 +184,84 @@ not imply otherwise:
|
|
|
184
184
|
|
|
185
185
|
## The single-keyholder limitation (stated plainly)
|
|
186
186
|
|
|
187
|
-
> **The
|
|
188
|
-
> verification/signing key, tamper-evidence proves that **records were not
|
|
189
|
-
> after the fact** — it does **not** prove that the **
|
|
190
|
-
> honest**. Integrity, yes. A
|
|
187
|
+
> **The main honest gap:** when the same operator runs CW and holds the only
|
|
188
|
+
> verification/signing key, tamper-evidence proves that **records were not changed
|
|
189
|
+
> after the fact** — it does **not** prove that the **first signer was
|
|
190
|
+
> honest**. Integrity, yes. A source you can trust, not for certain.
|
|
191
191
|
|
|
192
|
-
|
|
192
|
+
To put it plainly, in a single-party setup:
|
|
193
193
|
|
|
194
|
-
- The operator
|
|
194
|
+
- The operator makes the keypair.
|
|
195
195
|
- The operator's agent process signs usage with the private key.
|
|
196
196
|
- CW (run by the same operator) verifies with the public key and writes the
|
|
197
197
|
ledger to the operator's disk.
|
|
198
198
|
|
|
199
|
-
Every cryptographic check can pass while a
|
|
200
|
-
source number, or — given the genesis
|
|
201
|
-
chain. **Cryptography
|
|
202
|
-
Separation of duties is the property auditors
|
|
203
|
-
operator wearing both hats, it is
|
|
199
|
+
Every cryptographic check can pass while a single party who wants to lie makes up the
|
|
200
|
+
source number, or — given the genesis note above — rewrites the whole local
|
|
201
|
+
chain. **Cryptography can not make a second party that is not there.**
|
|
202
|
+
Separation of duties is the property auditors need everywhere; with one
|
|
203
|
+
operator wearing both hats, it is missing by design no matter how good the
|
|
204
204
|
math is.
|
|
205
205
|
|
|
206
|
-
We are not going to
|
|
207
|
-
|
|
206
|
+
We are not going to talk this point away. It is real, it is the most important
|
|
207
|
+
limit in this page, and it is the right point to bring up.
|
|
208
208
|
|
|
209
209
|
---
|
|
210
210
|
|
|
211
211
|
## Closing the gap: the second party
|
|
212
212
|
|
|
213
|
-
The fix is **not** more cryptography on one machine — it is
|
|
214
|
-
second party**, which is
|
|
215
|
-
This is why CW's near-term
|
|
216
|
-
mean by that
|
|
213
|
+
The fix is **not** more cryptography on one machine — it is a **separate
|
|
214
|
+
second party**, which is just the thing a single operator can not give itself.
|
|
215
|
+
This is why CW's near-term aim is **early integration partners**, and what we
|
|
216
|
+
mean by that plainly:
|
|
217
217
|
|
|
218
|
-
- **
|
|
218
|
+
- **A separate co-signer / second keyholder.** A second party (a different
|
|
219
219
|
team, a CI identity outside the operator's control, or a partner's signing
|
|
220
220
|
service) holds a key the operator does not. When that party counter-signs runs —
|
|
221
221
|
or *is* the executor that signs usage — a green verdict starts to mean
|
|
222
222
|
"two parties who do not fully trust each other agree," which is the property
|
|
223
|
-
single-party attestation
|
|
224
|
-
- **An
|
|
225
|
-
operator
|
|
226
|
-
git history on a remote the operator
|
|
227
|
-
for CW-only decisions
|
|
223
|
+
single-party attestation by its nature can not give.
|
|
224
|
+
- **An outside append-only anchor.** Pushing `events.jsonl` to a medium the local
|
|
225
|
+
operator can not rewrite (a partner-held log, a public transparency log, signed
|
|
226
|
+
git history on a remote the operator does not control) closes the re-chain gap
|
|
227
|
+
for CW-only decisions named above.
|
|
228
228
|
- **Separated execution and verification.** The party that *spends the money*
|
|
229
|
-
(runs the model) and the party that *keeps the books* (CW) being
|
|
230
|
-
different
|
|
231
|
-
|
|
229
|
+
(runs the model) and the party that *keeps the books* (CW) being truly
|
|
230
|
+
different bodies turns CW's separation-of-duties design from a plan
|
|
231
|
+
into an enforced fact.
|
|
232
232
|
|
|
233
|
-
If you are a
|
|
234
|
-
co-signer, an
|
|
235
|
-
|
|
236
|
-
and earn the second party than
|
|
237
|
-
than the math
|
|
233
|
+
If you are a possible partner who can give a separate second party — a
|
|
234
|
+
co-signer, an outside anchor, or separated execution — **that is the
|
|
235
|
+
work together we are now looking for.** We would rather ship this honestly
|
|
236
|
+
and earn the second party than cover over the gap with a claim that sounds stronger
|
|
237
|
+
than the math will back up.
|
|
238
238
|
|
|
239
239
|
---
|
|
240
240
|
|
|
241
241
|
## How to verify for yourself
|
|
242
242
|
|
|
243
|
-
- `cw telemetry verify <run>` —
|
|
244
|
-
chain linkage +
|
|
243
|
+
- `cw telemetry verify <run>` — proves the telemetry ledger's **integrity** again:
|
|
244
|
+
chain linkage + a per-record hash worked out on its own, so any change to a
|
|
245
245
|
recorded verdict or usage digest since record time flips it red. It needs **no
|
|
246
|
-
key** (it
|
|
246
|
+
key** (it proves the *recording* again). Add `--pubkey <pem-or-path>` to re-run the
|
|
247
247
|
ed25519 **signature** check for every `attested` record against the stored raw
|
|
248
|
-
usage;
|
|
248
|
+
usage; keys that can not be read, missing raw usage, digest mismatches, wrong keys, and
|
|
249
249
|
signature mismatches fail closed. Mirrored as `cw_telemetry_verify` on the MCP
|
|
250
250
|
surface.
|
|
251
|
-
- `cw demo tamper` — a
|
|
252
|
-
ed25519-signed ledger and then
|
|
253
|
-
|
|
254
|
-
signature over
|
|
251
|
+
- `cw demo tamper` — a sealed, offline, one-command proof: it builds a real
|
|
252
|
+
ed25519-signed ledger and then fakes it two ways — flips a recorded verdict and
|
|
253
|
+
works out the *local* record hash again (the chain still breaks), and uses a
|
|
254
|
+
signature again over blown-up tokens (ed25519 turns it down). Everything is checked with
|
|
255
255
|
the public key only. The `✗ DETECTED` lines are the point.
|
|
256
256
|
- Re-run either with **only the public key** on a machine we do not control. If it
|
|
257
|
-
|
|
257
|
+
does not come out the same, our integrity claim is false — hold us to it.
|
|
258
258
|
|
|
259
259
|
---
|
|
260
260
|
|
|
261
261
|
## One-line summary
|
|
262
262
|
|
|
263
|
-
CW's cryptography proves **records
|
|
263
|
+
CW's cryptography proves **records were not changed and were signed by the
|
|
264
264
|
keyholder** — strong, offline, public-key-verifiable **integrity and
|
|
265
265
|
attribution**. It does **not** prove the **source was honest**, and a single
|
|
266
|
-
operator holding both roles is the honest limit we are
|
|
266
|
+
operator holding both roles is the honest limit we are openly looking for
|
|
267
267
|
integration partners to close.
|