cool-workflow 0.1.82 → 0.1.84

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (92) hide show
  1. package/.claude-plugin/plugin.json +2 -2
  2. package/.codex-plugin/plugin.json +4 -4
  3. package/README.md +128 -120
  4. package/apps/architecture-review/app.json +1 -1
  5. package/apps/architecture-review-fast/app.json +1 -1
  6. package/apps/end-to-end-golden-path/app.json +1 -1
  7. package/apps/pr-review-fix-ci/app.json +1 -1
  8. package/apps/release-cut/app.json +1 -1
  9. package/apps/research-synthesis/app.json +1 -1
  10. package/dist/capability-core.js +16 -8
  11. package/dist/capability-registry.js +270 -0
  12. package/dist/cli/command-surface.js +1320 -0
  13. package/dist/cli.js +2 -1307
  14. package/dist/commit.js +5 -1
  15. package/dist/doctor.js +153 -0
  16. package/dist/mcp-server.js +15 -1451
  17. package/dist/mcp-surface.js +1441 -0
  18. package/dist/orchestrator.js +13 -0
  19. package/dist/reclamation/hash.js +72 -0
  20. package/dist/reclamation.js +25 -78
  21. package/dist/run-registry/queue.js +6 -7
  22. package/dist/run-registry.js +35 -24
  23. package/dist/scheduler.js +78 -53
  24. package/dist/version.js +1 -1
  25. package/dist/worker-accept/acceptance.js +114 -0
  26. package/dist/worker-accept/blackboard-fanout.js +80 -0
  27. package/dist/worker-accept/blackboard-linkage.js +19 -0
  28. package/dist/worker-accept/context.js +2 -0
  29. package/dist/worker-accept/telemetry-ledger.js +116 -0
  30. package/dist/worker-accept/validation.js +77 -0
  31. package/dist/worker-accept/verifier-completion.js +73 -0
  32. package/dist/worker-isolation.js +41 -446
  33. package/docs/agent-delegation-drive.7.md +94 -86
  34. package/docs/agent-framework.md +33 -32
  35. package/docs/candidate-scoring.7.md +26 -24
  36. package/docs/canonical-workflow-apps.7.md +40 -40
  37. package/docs/capability-topology-registry.7.md +24 -24
  38. package/docs/cli-mcp-parity.7.md +230 -154
  39. package/docs/contract-migration-tooling.7.md +52 -41
  40. package/docs/control-plane-scheduling.7.md +49 -41
  41. package/docs/coordinator-blackboard.7.md +30 -30
  42. package/docs/dogfood-one-real-repo.7.md +44 -44
  43. package/docs/durable-state-and-locking.7.md +38 -30
  44. package/docs/end-to-end-golden-path.7.md +29 -29
  45. package/docs/error-feedback.7.md +27 -27
  46. package/docs/evidence-adoption-reasoning-chain.7.md +66 -58
  47. package/docs/execution-backends.7.md +88 -80
  48. package/docs/getting-started.md +35 -18
  49. package/docs/index.md +3 -3
  50. package/docs/mcp-app-surface.7.md +64 -64
  51. package/docs/multi-agent-cli-mcp-surface.7.md +86 -77
  52. package/docs/multi-agent-eval-replay-harness.7.md +63 -55
  53. package/docs/multi-agent-operator-ux.7.md +73 -65
  54. package/docs/multi-agent-runtime-core.7.md +39 -39
  55. package/docs/multi-agent-topologies.7.md +24 -24
  56. package/docs/multi-agent-trust-policy-audit.7.md +38 -38
  57. package/docs/node-snapshot-diff-replay.7.md +30 -22
  58. package/docs/observability-cost-accounting.7.md +53 -45
  59. package/docs/operator-ux.7.md +30 -30
  60. package/docs/pipeline-runner.7.md +31 -31
  61. package/docs/project-index.md +16 -5
  62. package/docs/real-execution-backends.7.md +51 -43
  63. package/docs/release-and-migration.7.md +46 -38
  64. package/docs/release-tooling.7.md +67 -50
  65. package/docs/routines.md +16 -16
  66. package/docs/run-registry-control-plane.7.md +124 -116
  67. package/docs/run-retention-reclamation.7.md +49 -41
  68. package/docs/sandbox-profiles.7.md +32 -32
  69. package/docs/scheduled-tasks.md +14 -14
  70. package/docs/security-trust-hardening.7.md +29 -29
  71. package/docs/source-context-profiles.7.md +28 -28
  72. package/docs/state-explosion-management.7.md +67 -59
  73. package/docs/state-node.7.md +8 -8
  74. package/docs/team-collaboration.7.md +66 -58
  75. package/docs/trust-model.md +126 -126
  76. package/docs/unix-principles.md +80 -80
  77. package/docs/vendor-manifest-loadability.7.md +20 -20
  78. package/docs/verifier-gated-commit.7.md +16 -16
  79. package/docs/web-desktop-workbench.7.md +73 -65
  80. package/docs/worker-isolation.7.md +34 -37
  81. package/docs/workflow-app-framework.7.md +38 -38
  82. package/manifest/plugin.manifest.json +4 -4
  83. package/package.json +3 -2
  84. package/scripts/bump-version.js +9 -1
  85. package/scripts/canonical-apps.js +4 -4
  86. package/scripts/dogfood-release.js +1 -1
  87. package/scripts/gen-parity-doc.js +106 -0
  88. package/scripts/golden-path.js +4 -4
  89. package/scripts/parity-check.js +27 -57
  90. package/scripts/release-flow.js +7 -6
  91. package/scripts/sync-project-index.js +1 -1
  92. package/dist/verifier-registry.js +0 -46
@@ -1,16 +1,16 @@
1
1
  # Unix-Inspired Workflow Principles
2
2
 
3
- CW borrows a small set of durable systems ideas and applies them to agent
3
+ CW takes a small group of long-lasting systems ideas and puts them to work in agent
4
4
  workflow engineering. These are design principles, not platform claims — but
5
- they are not optional: this project strictly follows the FreeBSD programming
6
- philosophy, and §7 below states the binding rules every change is reviewed
7
- against (mirrored as hard constraints in the repository's `AGENTS.md`).
5
+ they are not a free choice: this project keeps closely to the FreeBSD programming
6
+ way of thought, and §7 below gives the binding rules every change is checked
7
+ against (copied as hard limits in the repository's `AGENTS.md`).
8
8
 
9
9
  ## 1. Everything Is State
10
10
 
11
- Every meaningful workflow event should be represented as inspectable state.
11
+ Every workflow event with meaning should be kept as state you can look into.
12
12
 
13
- CW already stores:
13
+ CW keeps now:
14
14
 
15
15
  - workflow runs in `.cw/runs/<run-id>/state.json`
16
16
  - task prompts in `.cw/runs/<run-id>/tasks/`
@@ -25,22 +25,22 @@ CW already stores:
25
25
  - workflow app identity and version in `.cw/runs/<run-id>/state.json`
26
26
  - canonical app matrix run state in temporary `.cw/runs/<run-id>/` workspaces
27
27
  - golden path proof artifacts in temporary `.cw/runs/<run-id>/` workspaces
28
- - operator summaries derived from state without mutating run files
28
+ - operator summaries made from state without changing run files
29
29
  - MCP app-surface smoke runs driven through stdio JSON-RPC
30
30
 
31
- The practical rule is:
31
+ The working rule is:
32
32
 
33
33
  ```text
34
34
  prompt, task, dispatch, result, error, verifier decision, schedule, trigger
35
35
  = state that can be inspected, replayed, snapshotted, or compared
36
36
  ```
37
37
 
38
- This keeps the runtime deterministic and keeps agent work auditable.
38
+ This keeps the runtime fixed and certain, and keeps agent work open to check.
39
39
 
40
40
  ## 2. Small Kernel, Composable Userland
41
41
 
42
- CW should keep the kernel small. The kernel owns state transitions and stable
43
- contracts; workflow apps own domain behavior.
42
+ CW should keep the kernel small. The kernel is the owner of state changes and
43
+ fixed contracts; workflow apps are the owners of their field behavior.
44
44
 
45
45
  Core system calls:
46
46
 
@@ -56,8 +56,8 @@ schedule()
56
56
  trigger()
57
57
  ```
58
58
 
59
- The kernel should avoid hard-coded business logic. New behavior should usually
60
- enter as:
59
+ The kernel should keep away from hard-coded business logic. New behavior should
60
+ for the most part come in as:
61
61
 
62
62
  - a workflow app
63
63
  - a workflow app manifest under `apps/<app-id>/app.json`
@@ -66,20 +66,20 @@ enter as:
66
66
  - a routine trigger
67
67
  - an external worker
68
68
 
69
- Workflow App framework v0.1.9 makes this split concrete. The runner is the base
70
- system. Apps are userland: versioned, validated, inspectable definitions that
71
- can be listed, shown, validated, initialized, packaged, planned, and reported
72
- without depending on hidden runner internals.
69
+ Workflow App framework v0.1.9 makes this split solid and clear. The runner is the
70
+ base system. Apps are userland: versioned, checked definitions you can look into,
71
+ that can be listed, shown, validated, initialized, packaged, planned, and reported
72
+ without leaning on hidden runner internals.
73
73
 
74
- The v0.1.12 Operator UX layer is userland over state. It renders `status`,
75
- `graph`, `report --show`, and resource summaries without owning core
76
- transitions.
74
+ The v0.1.12 Operator UX layer is userland over state. It puts out `status`,
75
+ `graph`, `report --show`, and resource summaries without being the owner of core
76
+ changes.
77
77
 
78
- The v0.1.13 MCP app surface is the same discipline applied to agent hosts: a
79
- small JSON tool bridge over the base runtime, old names preserved, read-only
80
- inspection separated from mutation, and every mutation persisted to the run.
78
+ The v0.1.13 MCP app surface is the same way of work put to agent hosts: a
79
+ small JSON tool bridge over the base runtime, old names kept, read-only
80
+ looking-in kept apart from change, and every change put away into the run.
81
81
 
82
- The v0.1.13 canonical apps are maintained userland:
82
+ The v0.1.13 canonical apps are kept-up userland:
83
83
 
84
84
  ```text
85
85
  architecture-review
@@ -88,18 +88,18 @@ release-cut
88
88
  research-synthesis
89
89
  ```
90
90
 
91
- They keep domain prompts, inputs, evidence gates, and sandbox hints in app
92
- directories instead of in runner internals.
91
+ They keep field prompts, inputs, evidence gates, and sandbox hints in app
92
+ directories in place of runner internals.
93
93
 
94
- The v0.1.10 `end-to-end-golden-path` app is intentionally boring userland. It
95
- has one readonly worker task and exists to prove that the base system pipes are
96
- connected.
94
+ The v0.1.10 `end-to-end-golden-path` app is by design dull userland. It
95
+ has one readonly worker task and is here to give proof that the base system pipes are
96
+ joined up.
97
97
 
98
98
  ## 3. Pipelines Over Monoliths
99
99
 
100
- CW favors explicit data flow over hidden orchestration.
100
+ CW is for clear data flow in place of hidden control from above.
101
101
 
102
- The standard pipeline is:
102
+ The normal pipeline is:
103
103
 
104
104
  ```text
105
105
  workflow definition
@@ -114,12 +114,12 @@ workflow definition
114
114
  -> report
115
115
  ```
116
116
 
117
- Each stage should have a readable artifact. If a stage fails, its error output
118
- should become input for the next correction step instead of disappearing into a
117
+ Each stage should have an artifact you can read. If a stage has a fault, its error
118
+ output should become input for the next fix step in place of going away into a
119
119
  black box.
120
120
 
121
- Operator views follow the same rule: console summaries point to plain files,
122
- while `--json` and `--format json` preserve scriptable output.
121
+ Operator views keep to the same rule: console summaries point to plain files,
122
+ while `--json` and `--format json` keep output a script can use.
123
123
 
124
124
  The release golden path is the regression form of this rule:
125
125
 
@@ -127,9 +127,9 @@ The release golden path is the regression form of this rule:
127
127
  npm run golden-path
128
128
  ```
129
129
 
130
- It exercises the public CLI and then inspects state files for app metadata,
130
+ It puts the public CLI to work and then looks into state files for app metadata,
131
131
  dispatch, worker manifest, result node, verifier node, candidate score, ranking,
132
- selection, verifier-gated commit, report, and absence of ErrorFeedback.
132
+ selection, verifier-gated commit, report, and no ErrorFeedback.
133
133
 
134
134
  The canonical app matrix is the userland regression form:
135
135
 
@@ -137,14 +137,14 @@ The canonical app matrix is the userland regression form:
137
137
  npm run canonical-apps
138
138
  ```
139
139
 
140
- It validates and plans every maintained app without running full workers for
140
+ It checks and plans every kept-up app without running full workers for
141
141
  each app.
142
142
 
143
143
  ## 4. Isolated Workers
144
144
 
145
- Workers should be isolated by scope, state, and output.
145
+ Workers should be kept apart by scope, state, and output.
146
146
 
147
- Useful isolation layers:
147
+ Helpful layers for keeping apart:
148
148
 
149
149
  - separate task prompts
150
150
  - separate result files
@@ -153,35 +153,35 @@ Useful isolation layers:
153
153
  - separate score/evidence records for competing candidates
154
154
  - named sandbox profiles for read/write/execute/network/env policy
155
155
 
156
- Worker failure should not corrupt the workflow kernel. A failed worker is a
157
- state transition, not a process-wide failure.
156
+ A worker fault should not damage the workflow kernel. A worker that has failed is a
157
+ state change, not a fault across the whole process.
158
158
 
159
- Sandbox Profiles keep policy explicit. CW stores the profile id and resolved
160
- policy in durable state, validates paths, and accepts or rejects worker output
161
- against the write policy. The agent host remains responsible for OS-level file
162
- access, command execution, network access, and environment filtering.
159
+ Sandbox Profiles keep policy clear. CW keeps the profile id and worked-out
160
+ policy in long-lasting state, checks paths, and takes or turns away worker output
161
+ against the write policy. The agent host is still the one responsible for OS-level file
162
+ access, command running, network access, and environment filtering.
163
163
 
164
164
  ## 5. Verifier-Gated Commits
165
165
 
166
- CW should not merge every generated answer back into the main workflow state.
167
- Generated work should pass through evidence and verifier gates first.
166
+ CW should not put every made answer back into the main workflow state.
167
+ Made work should go through evidence and verifier gates first.
168
168
 
169
- The preferred merge rule is:
169
+ The rule for merging we are for is:
170
170
 
171
171
  ```text
172
172
  only verified state becomes committed state
173
173
  ```
174
174
 
175
- For competing branches, the shape is:
175
+ For branches against one another, the shape is:
176
176
 
177
177
  ```text
178
178
  candidate workers -> score records -> verifier-gated selection
179
179
  -> verifier-gated commit()
180
180
  ```
181
181
 
182
- Non-gated snapshots are checkpoints. They are allowed as audit and resume
183
- records, but reports and commit records must not present them as verifier-gated
184
- committed state.
182
+ Snapshots with no gate are checkpoints. They are let through as records for check and
183
+ for taking up again, but reports and commit records must not put them forward as
184
+ verifier-gated committed state.
185
185
 
186
186
  ## 6. Practical Operating Rule
187
187
 
@@ -192,49 +192,49 @@ Verifiers decide what may be committed.
192
192
  Hosts enforce runtime sandbox policy.
193
193
  ```
194
194
 
195
- This keeps CW small, inspectable, and extensible.
195
+ This keeps CW small, open to looking into, and able to be grown.
196
196
 
197
197
  ## 7. FreeBSD Discipline (Binding Rules)
198
198
 
199
- The principles above descend from one tradition — the FreeBSD school of
200
- systems engineering — and CW adheres to it strictly. Concretely:
199
+ The principles above come down from one tradition — the FreeBSD school of
200
+ systems engineering — and CW keeps to it strictly. In clear terms:
201
201
 
202
- **POLA — Principle of Least Astonishment.** An existing output, file layout,
203
- exit code, or flag never changes meaning or bytes underneath an operator. New
204
- behavior ships behind a new verb/flag or an env toggle, with the prior
205
- behavior byte-identical by default. (Example: live drive output is additive
202
+ **POLA — Principle of Least Astonishment.** An output, file layout,
203
+ exit code, or flag that is here now never changes meaning or bytes under an operator. New
204
+ behavior comes out behind a new verb/flag or an env toggle, with the earlier
205
+ behavior byte-identical by default. (Example: live drive output is added on top
206
206
  stderr only, TTY-gated, `CW_NO_STREAM=1` opt-out; the stdout payload and
207
- evidence digest are unchanged.)
207
+ evidence digest are not changed.)
208
208
 
209
- **Mechanism, not policy.** The kernel provides mechanisms; policy is data in
209
+ **Mechanism, not policy.** The kernel gives mechanisms; policy is data in
210
210
  userland. WHICH agent runs is config (`CW_AGENT_COMMAND` / agent-config), not
211
- code; vendor-specific rendering lives in wrappers under `scripts/agents/`,
212
- never in core. Core may forward a vendor's stream; it never parses one.
211
+ code; vendor-specific rendering is in wrappers under `scripts/agents/`,
212
+ never in core. Core may send a vendor's stream on; it never reads one apart.
213
213
 
214
214
  **Rule of Silence.** stdout is data, stderr is diagnostics, and a
215
- non-interactive run is silent on success. Anything human-friendly is TTY-gated
216
- and can be disabled; `--json` output is stable and undecorated so it composes
215
+ non-interactive run says nothing on success. Anything friendly to a person is TTY-gated
216
+ and can be turned off; `--json` output is fixed and with nothing added so it goes together
217
217
  in pipes.
218
218
 
219
- **Fail closed, conservative defaults.** Unconfigured backends probe as
220
- `unverified`, unverifiable telemetry is surfaced loudly (or refused in strict
221
- mode), invalid results park the hop. CW never fabricates a success and never
222
- falls back silently. Boring correctness beats clever features.
219
+ **Fail closed, conservative defaults.** Backends not yet configured probe as
220
+ `unverified`, telemetry that cannot be verified is made known loudly (or turned away in strict
221
+ mode), results that are not valid park the hop. CW never makes up a success and never
222
+ falls back with no word. Dull right answers beat clever features.
223
223
 
224
224
  **Tools, not frameworks.** Zero runtime dependencies is a red line. Verbs do
225
- one thing; composition happens through durable files (`.cw/`) and pipes, not
226
- hidden in-process coupling.
225
+ one thing; things come together through long-lasting files (`.cw/`) and pipes, not
226
+ hidden joining inside the process.
227
227
 
228
- **Man pages are the contract.** Every shipped capability has a `docs/*.7.md`
229
- page updated in the same change, and doc-drift guards in the test suite keep
230
- the documented commands honest. Undocumented behavior is unfinished behavior.
228
+ **Man pages are the contract.** Every capability that ships has a `docs/*.7.md`
229
+ page kept up to date in the same change, and doc-drift guards in the test suite keep
230
+ the documented commands true. Behavior with no docs is behavior not finished.
231
231
 
232
- **style(9) spirit.** One consistent style per layer; a diff matches the file
232
+ **style(9) spirit.** One same style for each layer; a diff is in keeping with the file
233
233
  it touches and never reformats code it does not change.
234
234
 
235
- **Release engineering.** Main is -CURRENT; a tag is -RELEASE: it exists only
235
+ **Release engineering.** Main is -CURRENT; a tag is -RELEASE: it is there only
236
236
  after the deterministic gate and an independent review pass, and cadence never
237
- overrides the gate.
237
+ goes over the gate.
238
238
 
239
- A change that violates any rule in this section is rejected in review even if
240
- the capability it ships is otherwise desirable.
239
+ A change that goes against any rule in this section is turned down in review even if
240
+ the capability it ships is in other ways wanted.
@@ -1,43 +1,43 @@
1
1
  # Vendor Manifest Loadability
2
2
 
3
- CW ships one kernel to many AI clients. A single `manifest/plugin.manifest.json`
4
- generates every vendor's plugin files (Claude, Codex, the `agents` marketplace,
5
- Gemini, OpenCode) — see `gen-manifests(1)`. Each vendor that exposes the MCP
6
- server gets a generated `mcp.json` telling that client how to launch it.
3
+ CW ships one kernel to many AI clients. One `manifest/plugin.manifest.json`
4
+ makes the plugin files for every vendor (Claude, Codex, the `agents` marketplace,
5
+ Gemini, OpenCode) — see `gen-manifests(1)`. Each vendor that opens up the MCP
6
+ server gets a made `mcp.json` that tells that client how to start it.
7
7
 
8
8
  ## The gap this closes
9
9
 
10
- Two gates already guard the manifests, but neither proves a vendor manifest
11
- actually *boots*:
10
+ Two gates keep watch over the manifests now, but neither one proves a vendor manifest
11
+ truly *boots*:
12
12
 
13
13
  - `npm run gen:manifests -- --check` diffs the generated bytes against the
14
- manifest source. It catches drift, not a wrong-but-consistent command.
14
+ manifest source. It sees drift, not a wrong-but-consistent command.
15
15
  - `parity-check` boots `dist/mcp-server.js` **directly** — it never reads any
16
16
  vendor's `mcp.json`, never resolves a `pluginRootVar`.
17
17
 
18
- So a manifest could declare a broken `command`, `args`, or path and every gate
18
+ So a manifest could give a broken `command`, `args`, or path and every gate
19
19
  would stay green while no client could load it. Track C ("multi-vendor manifest
20
- actually loaded by ≥2 real clients") was asserted, not proven.
20
+ actually loaded by ≥2 real clients") was claimed, not proven.
21
21
 
22
22
  ## The load proof
23
23
 
24
- `npm run manifest:load-check` (the `vendor-manifest-load-smoke`, run automatically
25
- by `npm test`) closes it. For every vendor in `targets` that declares an `mcp`
24
+ `npm run manifest:load-check` (the `vendor-manifest-load-smoke`, run by itself
25
+ by `npm test`) closes it. For every vendor in `targets` that gives an `mcp`
26
26
  output it:
27
27
 
28
28
  1. reads the generated `mcp.json`;
29
- 2. resolves the server `command` + `args` exactly as that client does —
30
- substituting the vendor's `pluginRootVar` (`${CLAUDE_PLUGIN_ROOT}/` for Claude,
31
- `./` for the rest) to the real plugin root;
29
+ 2. resolves the server `command` + `args` in just the way that client does —
30
+ putting the vendor's `pluginRootVar` (`${CLAUDE_PLUGIN_ROOT}/` for Claude,
31
+ `./` for the rest) in place of the real plugin root;
32
32
  3. spawns the server with `shell:false` (argv spawn, no shell);
33
- 4. completes a JSON-RPC `initialize` + `tools/list` round-trip.
33
+ 4. finishes a JSON-RPC `initialize` + `tools/list` round-trip.
34
34
 
35
- Every vendor launches the same kernel, so the proof asserts they **agree**: one
36
- `serverInfo.name` and an identical tool count across all of them. A vendor whose
37
- manifest drifted to an unbootable shape — wrong path, wrong command, bad
38
- `pluginRootVar` — fails this check instead of shipping a dead plugin.
35
+ Every vendor starts the same kernel, so the proof says they **agree**: one
36
+ `serverInfo.name` and the same tool count across all of them. A vendor whose
37
+ manifest drifted to a shape that will not boot — wrong path, wrong command, bad
38
+ `pluginRootVar` — does not pass this check, so it does not ship a dead plugin.
39
39
 
40
40
  ## See also
41
41
 
42
- - `gen-manifests(1)` — one source generates every vendor manifest.
42
+ - `gen-manifests(1)` — one source makes every vendor manifest.
43
43
  - `cli-mcp-parity(7)` — the CLI ↔ MCP capability-parity gate.
@@ -2,7 +2,7 @@
2
2
 
3
3
  ## NAME
4
4
 
5
- Verifier-Gated Commit - commit only state that passed an evidence-backed verifier
5
+ Verifier-Gated Commit - commit only state that got past an evidence-backed verifier
6
6
 
7
7
  ## SYNOPSIS
8
8
 
@@ -25,26 +25,26 @@ commitState(run, {
25
25
 
26
26
  ## DESCRIPTION
27
27
 
28
- Verifier-Gated Commit is the CW rule that separates committed state from
29
- ordinary checkpoints:
28
+ Verifier-Gated Commit is the CW rule that keeps committed state apart from
29
+ normal checkpoints:
30
30
 
31
31
  ```text
32
32
  only verified state becomes committed state
33
33
  ```
34
34
 
35
- A verifier-gated commit requires one of these inputs:
35
+ A verifier-gated commit needs one of these inputs:
36
36
 
37
37
  - a `verifier` state node with `verified` status and evidence
38
38
  - a verified candidate selection that references such a verifier node
39
39
  - a selected candidate whose selection references such a verifier node
40
40
 
41
- The verifier gate is authoritative. Candidate scores are evidence for operator
42
- choice, not authority to commit state.
41
+ The verifier gate has the final say. Candidate scores are evidence to help the
42
+ operator make a choice. They do not give the right to commit state.
43
43
 
44
44
  ## CHECKPOINTS
45
45
 
46
- CW still writes internal snapshots for planning, dispatch, result recording, and
47
- operator checkpoints. These records are checkpoints. They are useful for audit,
46
+ CW still writes inside snapshots for planning, dispatch, result recording, and
47
+ operator checkpoints. These records are checkpoints. They are good for audit,
48
48
  resume, and rollback, but they are not verifier-gated committed state.
49
49
 
50
50
  Checkpoint records have:
@@ -61,7 +61,7 @@ verifier-gated commit state node uses `status: "committed"`.
61
61
 
62
62
  ## COMMIT RECORDS
63
63
 
64
- A verifier-gated commit records gate metadata in the commit JSON and state node:
64
+ A verifier-gated commit writes gate metadata in the commit JSON and state node:
65
65
 
66
66
  ```json
67
67
  {
@@ -74,7 +74,7 @@ A verifier-gated commit records gate metadata in the commit JSON and state node:
74
74
  }
75
75
  ```
76
76
 
77
- The `candidateId` and `selectionId` fields are present when the commit promotes
77
+ The `candidateId` and `selectionId` fields are there when the commit promotes
78
78
  a candidate or candidate selection. The `evidence` field is copied from the
79
79
  verifier node.
80
80
 
@@ -88,7 +88,7 @@ verifier node.
88
88
  .cw/runs/<run-id>/report.md
89
89
  ```
90
90
 
91
- Every blocked commit attempt records an `error` state node and an ErrorFeedback
91
+ Every blocked commit try writes an `error` state node and an ErrorFeedback
92
92
  record before the command exits.
93
93
 
94
94
  ## FAILURE MODES
@@ -114,12 +114,12 @@ commit-selection-not-verified
114
114
  commit-verifier-linkage-mismatch
115
115
  ```
116
116
 
117
- Use `cw.js feedback list <run-id>` and `cw.js node graph <run-id>` to inspect
117
+ Use `cw.js feedback list <run-id>` and `cw.js node graph <run-id>` to look at
118
118
  the failed transition.
119
119
 
120
120
  ## CANDIDATES
121
121
 
122
- A candidate can become committed state only after selection passes the verifier
122
+ A candidate can become committed state only after selection gets past the verifier
123
123
  gate. Rejected, failed, unscored, unselected, or unverified candidates are
124
124
  blocked.
125
125
 
@@ -131,10 +131,10 @@ candidate record -> score record -> verified selection -> verifier-gated commit
131
131
 
132
132
  ## COMPATIBILITY
133
133
 
134
- Verifier-Gated Commit is introduced in CW v0.1.7. It adds optional fields to
134
+ Verifier-Gated Commit comes in with CW v0.1.7. It adds optional fields to
135
135
  commit records and keeps older run state readable.
136
136
 
137
- Programmatic snapshots that do not request a verifier gate remain checkpoints.
138
- The CLI `commit` command is stricter: a plain manual commit fails closed unless
137
+ Programmatic snapshots that do not ask for a verifier gate stay checkpoints.
138
+ The CLI `commit` command is more strict: a plain by-hand commit fails closed unless
139
139
  the operator passes `--allow-unverified-checkpoint`.
140
140
  0.1.51