cool-workflow 0.1.89 → 0.1.90
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.claude-plugin/plugin.json +1 -1
- package/.codex-plugin/plugin.json +1 -1
- package/README.md +40 -1
- package/apps/architecture-review/app.json +1 -1
- package/apps/architecture-review-fast/app.json +1 -1
- package/apps/end-to-end-golden-path/app.json +1 -1
- package/apps/pr-review-fix-ci/app.json +1 -1
- package/apps/release-cut/app.json +1 -1
- package/apps/research-synthesis/app.json +1 -1
- package/dist/capability-core.js +120 -9
- package/dist/capability-registry.js +6 -0
- package/dist/cli/command-surface.js +94 -4
- package/dist/cli.js +26 -1
- package/dist/clones.js +162 -0
- package/dist/drive.js +35 -1
- package/dist/mcp/tool-call.js +4 -0
- package/dist/mcp/tool-definitions.js +5 -0
- package/dist/orchestrator/report.js +6 -0
- package/dist/orchestrator.js +12 -4
- package/dist/remote-source.js +444 -0
- package/dist/term.js +54 -8
- package/dist/version.js +1 -1
- package/docs/agent-delegation-drive.7.md +2 -0
- package/docs/cli-mcp-parity.7.md +7 -2
- package/docs/contract-migration-tooling.7.md +2 -0
- package/docs/control-plane-scheduling.7.md +2 -0
- package/docs/durable-state-and-locking.7.md +2 -0
- package/docs/evidence-adoption-reasoning-chain.7.md +2 -0
- package/docs/execution-backends.7.md +2 -0
- package/docs/multi-agent-cli-mcp-surface.7.md +2 -0
- package/docs/multi-agent-eval-replay-harness.7.md +2 -0
- package/docs/multi-agent-operator-ux.7.md +2 -0
- package/docs/node-snapshot-diff-replay.7.md +2 -0
- package/docs/observability-cost-accounting.7.md +2 -0
- package/docs/project-index.md +13 -4
- package/docs/real-execution-backends.7.md +2 -0
- package/docs/release-and-migration.7.md +2 -0
- package/docs/release-tooling.7.md +2 -0
- package/docs/remote-source-review.7.md +88 -0
- package/docs/run-registry-control-plane.7.md +2 -0
- package/docs/run-retention-reclamation.7.md +2 -0
- package/docs/state-explosion-management.7.md +2 -0
- package/docs/team-collaboration.7.md +2 -0
- package/docs/web-desktop-workbench.7.md +2 -0
- package/manifest/plugin.manifest.json +1 -1
- package/manifest/source-context-profiles.json +1 -1
- package/package.json +1 -1
- package/scripts/canonical-apps.js +4 -4
- package/scripts/dogfood-release.js +1 -1
- package/scripts/golden-path.js +4 -4
package/docs/project-index.md
CHANGED
|
@@ -5,11 +5,11 @@ Generated from the current repository code on 2026-06-21 by `npm run sync:projec
|
|
|
5
5
|
## Snapshot
|
|
6
6
|
|
|
7
7
|
- Package: `cool-workflow`
|
|
8
|
-
- Version: `0.1.
|
|
9
|
-
- Source modules: `
|
|
8
|
+
- Version: `0.1.90`
|
|
9
|
+
- Source modules: `67`
|
|
10
10
|
- Workflow apps: `7`
|
|
11
|
-
- Docs: `
|
|
12
|
-
- Smoke tests: `
|
|
11
|
+
- Docs: `53`
|
|
12
|
+
- Smoke tests: `136`
|
|
13
13
|
- Repository: https://github.com/coo1white/cool-workflow
|
|
14
14
|
|
|
15
15
|
## Architecture
|
|
@@ -83,6 +83,7 @@ multi-agent host -> topology -> blackboard/coordinator
|
|
|
83
83
|
- [agent-config.ts](../src/agent-config.ts)
|
|
84
84
|
- [capability-core.ts](../src/capability-core.ts)
|
|
85
85
|
- [capability-registry.ts](../src/capability-registry.ts)
|
|
86
|
+
- [clones.ts](../src/clones.ts)
|
|
86
87
|
- [collaboration.ts](../src/collaboration.ts)
|
|
87
88
|
- [compare.ts](../src/compare.ts)
|
|
88
89
|
- [contract-migration.ts](../src/contract-migration.ts)
|
|
@@ -102,6 +103,7 @@ multi-agent host -> topology -> blackboard/coordinator
|
|
|
102
103
|
- [observability.ts](../src/observability.ts)
|
|
103
104
|
- [onramp.ts](../src/onramp.ts)
|
|
104
105
|
- [reclamation.ts](../src/reclamation.ts)
|
|
106
|
+
- [remote-source.ts](../src/remote-source.ts)
|
|
105
107
|
- [result-normalize.ts](../src/result-normalize.ts)
|
|
106
108
|
- [run-export.ts](../src/run-export.ts)
|
|
107
109
|
- [run-registry.ts](../src/run-registry.ts)
|
|
@@ -166,6 +168,7 @@ multi-agent host -> topology -> blackboard/coordinator
|
|
|
166
168
|
- [Release And Migration Discipline](release-and-migration.7.md)
|
|
167
169
|
- [Cool Workflow Release History](release-history.md)
|
|
168
170
|
- [Release Tooling](release-tooling.7.md)
|
|
171
|
+
- [Remote-Source Review (`--link`)](remote-source-review.7.md)
|
|
169
172
|
- [Verifiable Report Bundle](report-verifiable-bundle.7.md)
|
|
170
173
|
- [Routines](routines.md)
|
|
171
174
|
- [Run Registry / Control Plane](run-registry-control-plane.7.md)
|
|
@@ -203,9 +206,13 @@ Smoke tests mirror the public contracts. The high-signal suites are:
|
|
|
203
206
|
- [candidate-scoring-smoke.js](../test/candidate-scoring-smoke.js)
|
|
204
207
|
- [canonical-workflow-apps-smoke.js](../test/canonical-workflow-apps-smoke.js)
|
|
205
208
|
- [claude-p-agent-wrapper-smoke.js](../test/claude-p-agent-wrapper-smoke.js)
|
|
209
|
+
- [cli-arg-parsing-smoke.js](../test/cli-arg-parsing-smoke.js)
|
|
206
210
|
- [cli-command-surface-smoke.js](../test/cli-command-surface-smoke.js)
|
|
207
211
|
- [cli-jsonmode-parity-smoke.js](../test/cli-jsonmode-parity-smoke.js)
|
|
208
212
|
- [cli-mcp-parity-smoke.js](../test/cli-mcp-parity-smoke.js)
|
|
213
|
+
- [cli-progress-summary-smoke.js](../test/cli-progress-summary-smoke.js)
|
|
214
|
+
- [cli-recoverable-errors-smoke.js](../test/cli-recoverable-errors-smoke.js)
|
|
215
|
+
- [clones-gc-smoke.js](../test/clones-gc-smoke.js)
|
|
209
216
|
- [codex-agent-wrapper-smoke.js](../test/codex-agent-wrapper-smoke.js)
|
|
210
217
|
- [concurrency-default-smoke.js](../test/concurrency-default-smoke.js)
|
|
211
218
|
- [concurrent-failure-semantics-smoke.js](../test/concurrent-failure-semantics-smoke.js)
|
|
@@ -272,6 +279,8 @@ Smoke tests mirror the public contracts. The high-signal suites are:
|
|
|
272
279
|
- [release-flow-smoke.js](../test/release-flow-smoke.js)
|
|
273
280
|
- [release-gate-smoke.js](../test/release-gate-smoke.js)
|
|
274
281
|
- [release-tooling-smoke.js](../test/release-tooling-smoke.js)
|
|
282
|
+
- [remote-link-archive-smoke.js](../test/remote-link-archive-smoke.js)
|
|
283
|
+
- [remote-link-git-smoke.js](../test/remote-link-git-smoke.js)
|
|
275
284
|
- [report-bundle-smoke.js](../test/report-bundle-smoke.js)
|
|
276
285
|
- [report-verify-bundle-smoke.js](../test/report-verify-bundle-smoke.js)
|
|
277
286
|
- [result-normalize-smoke.js](../test/result-normalize-smoke.js)
|
|
@@ -0,0 +1,88 @@
|
|
|
1
|
+
# Remote-Source Review (`--link`)
|
|
2
|
+
|
|
3
|
+
CW v0.1.91 lets you point a review at **any repository on the internet** instead
|
|
4
|
+
of only a local path: `cw -q "what are the risks?" --link <url>`. CW materializes
|
|
5
|
+
the remote into a local checkout and runs the **existing** review pipeline against
|
|
6
|
+
it — identical downstream to reviewing a folder. A URL passed to `-dir`/`--repo`
|
|
7
|
+
is auto-detected, so `--link <url>` and `-dir <url>` are equivalent.
|
|
8
|
+
|
|
9
|
+
```bash
|
|
10
|
+
cw -q "What are the risks?" --link https://github.com/owner/repo
|
|
11
|
+
cw -q "What are the risks?" --link git@gitlab.com:owner/repo.git --ref v1.2.0
|
|
12
|
+
cw -q "What are the risks?" --link https://github.com/owner/repo/archive/refs/heads/main.tar.gz
|
|
13
|
+
cw -q "..." --link <url> --check # validate the URL + tooling WITHOUT fetching
|
|
14
|
+
```
|
|
15
|
+
|
|
16
|
+
## Sources
|
|
17
|
+
|
|
18
|
+
- **Git repositories**, any host: `https://`, `http://`, `ssh://`, `git://`, the
|
|
19
|
+
scp-style `git@host:owner/repo`, and `file://`. Cloned shallow (`--depth 1
|
|
20
|
+
--single-branch`); `--ref <branch|tag>` selects a ref. `commit` is the resolved
|
|
21
|
+
`HEAD` SHA.
|
|
22
|
+
- **Downloadable archives**: `.tar.gz` / `.tgz` / `.tar` / `.zip` (e.g. a GitHub
|
|
23
|
+
"Download ZIP" / codeload tarball). Fetched, extracted, and `git init`-snapshotted
|
|
24
|
+
into a local repo so the git-tracked source-context reader works unchanged.
|
|
25
|
+
`commit` is the **sha256 of the downloaded bytes** (a content address — there is
|
|
26
|
+
no git SHA).
|
|
27
|
+
|
|
28
|
+
## The red line — materialize source, do not internalize execution
|
|
29
|
+
|
|
30
|
+
`--link` only materializes the **source** to review. CW still **DELEGATES** worker
|
|
31
|
+
execution to the operator's configured agent backend (`claude -p`, `codex exec`, an
|
|
32
|
+
HTTP endpoint) exactly as a local review does; it never executes a model itself.
|
|
33
|
+
Cloning is non-deterministic network I/O, so it happens in the **capability layer**
|
|
34
|
+
(before `plan`), never in the replay-deterministic orchestrator core — which only
|
|
35
|
+
ever sees the resulting local path.
|
|
36
|
+
|
|
37
|
+
## Provenance — where the code came from, tamper-evidently
|
|
38
|
+
|
|
39
|
+
The sanitized origin rides through three surfaces:
|
|
40
|
+
|
|
41
|
+
- `run.inputs` → a `- Source: <url>@<commit>` line in `report.md`.
|
|
42
|
+
- the `--json` result's `remote { url, commit, kind, ref, cached }`.
|
|
43
|
+
- a hash-chained `source.clone` / `source.download` **trust-audit event** that
|
|
44
|
+
`cw audit verify <run-id>` re-proves — editing the recorded origin is detectable.
|
|
45
|
+
|
|
46
|
+
Credentials in a URL (`https://user:token@host/…`) are stripped before the URL is
|
|
47
|
+
used as a cache key, printed, persisted, or recorded; the raw URL reaches only a
|
|
48
|
+
single `git` argv element. Git/download diagnostics are credential-redacted before
|
|
49
|
+
they are ever surfaced.
|
|
50
|
+
|
|
51
|
+
## Fail closed
|
|
52
|
+
|
|
53
|
+
A bad URL, a blocked scheme, a network failure, or a credential-less private repo
|
|
54
|
+
produces an **explicit error and a non-zero exit** — never a fabricated review,
|
|
55
|
+
never a hang on an auth prompt (`GIT_TERMINAL_PROMPT=0`). Hardening:
|
|
56
|
+
|
|
57
|
+
- **Scheme allowlist** (https/http/ssh/git/file); `ext::`/`fd::` transport helpers
|
|
58
|
+
and `-`-leading option-injection are rejected; the URL is always a separate argv
|
|
59
|
+
element (never a shell string); repo hooks are disabled (`-c core.hooksPath=`).
|
|
60
|
+
- **Archive extraction** validates the entry listing for `..`/absolute traversal
|
|
61
|
+
BEFORE extracting, **rejects symlink/non-regular entries** (walked with `lstat`),
|
|
62
|
+
and bounds the decompression bomb by **declared** uncompressed size (gzip ISIZE /
|
|
63
|
+
`unzip -l`) before extracting and **actual** size (1 GiB) after.
|
|
64
|
+
- **SSRF**: http(s) redirects are followed manually and each hop is re-validated
|
|
65
|
+
(http(s) scheme + no private/loopback/link-local host) before connecting — a
|
|
66
|
+
public URL cannot redirect CW into an internal service.
|
|
67
|
+
|
|
68
|
+
## Cache — `cw clones`
|
|
69
|
+
|
|
70
|
+
Checkouts are cached, content-addressed, under
|
|
71
|
+
`~/.local/state/cool-workflow/clones/<hash>/` (honoring `CW_HOME`/`XDG_STATE_HOME`)
|
|
72
|
+
and reused on the next question; `--refresh` re-fetches. Manage the cache:
|
|
73
|
+
|
|
74
|
+
```bash
|
|
75
|
+
cw clones list # origin url, kind, commit, age, bytes
|
|
76
|
+
cw clones gc --older-than-days 30 # reclaim checkouts older than N days
|
|
77
|
+
cw clones gc --all # reclaim everything
|
|
78
|
+
```
|
|
79
|
+
|
|
80
|
+
`cw clones gc` deletes only paths it has proven are inside the clones cache (fail
|
|
81
|
+
closed). Both verbs have MCP peers (`cw_clones_list`, `cw_clones_gc`) with
|
|
82
|
+
byte-identical payloads.
|
|
83
|
+
|
|
84
|
+
## Determinism note
|
|
85
|
+
|
|
86
|
+
The cache is keyed on the URL (+ref), not on content: if a URL's content changes
|
|
87
|
+
upstream, the cached checkout is reused until `--refresh` (mirroring how a git
|
|
88
|
+
clone pins its resolved `HEAD`). Use `--refresh` to re-fetch the latest.
|
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
"_comment": "SINGLE SOURCE OF TRUTH for every vendor manifest. Edit THIS file, then run `npm run gen:manifests`. Do NOT hand-edit the generated vendor manifests (.claude-plugin/, .codex-plugin/, .agents/, .mcp.json) — `npm run gen:manifests -- --check` (run by release:check) will fail if they drift from this source.",
|
|
3
3
|
"identity": {
|
|
4
4
|
"name": "cool-workflow",
|
|
5
|
-
"version": "0.1.
|
|
5
|
+
"version": "0.1.90",
|
|
6
6
|
"license": "BSD-2-Clause",
|
|
7
7
|
"homepage": "https://github.com/coo1white/cool-workflow",
|
|
8
8
|
"author": {
|
|
@@ -25,7 +25,7 @@
|
|
|
25
25
|
},
|
|
26
26
|
"runtime": {
|
|
27
27
|
"description": "Runtime-kernel source context for state, orchestration, scheduling, execution, and shared types.",
|
|
28
|
-
"maxLines":
|
|
28
|
+
"maxLines": 48000,
|
|
29
29
|
"include": [
|
|
30
30
|
"plugins/cool-workflow/src/**",
|
|
31
31
|
"plugins/cool-workflow/package.json",
|
package/package.json
CHANGED
|
@@ -83,7 +83,7 @@ const canonicalApps = [
|
|
|
83
83
|
"--source",
|
|
84
84
|
"plugins/cool-workflow/docs/workflow-app-framework.7.md",
|
|
85
85
|
"--scope",
|
|
86
|
-
"Cool Workflow v0.1.
|
|
86
|
+
"Cool Workflow v0.1.90",
|
|
87
87
|
"--freshness",
|
|
88
88
|
"as of release preparation"
|
|
89
89
|
]
|
|
@@ -117,14 +117,14 @@ function main() {
|
|
|
117
117
|
assert.ok(summary, `${app.id} must appear in app list`);
|
|
118
118
|
assert.equal(summary.sourceKind, "app-directory");
|
|
119
119
|
assert.equal(summary.legacy, false);
|
|
120
|
-
assert.equal(summary.version, "0.1.
|
|
120
|
+
assert.equal(summary.version, "0.1.90");
|
|
121
121
|
|
|
122
122
|
const validation = runJson(["app", "validate", manifestPath]);
|
|
123
123
|
assert.equal(validation.valid, true, `${app.id} manifest must validate`);
|
|
124
124
|
|
|
125
125
|
const shown = runJson(["app", "show", app.id]);
|
|
126
126
|
assert.equal(shown.app.id, app.id);
|
|
127
|
-
assert.equal(shown.app.version, "0.1.
|
|
127
|
+
assert.equal(shown.app.version, "0.1.90");
|
|
128
128
|
assert.ok(shown.app.metadata.canonical, `${app.id} must be marked canonical`);
|
|
129
129
|
assert.ok(shown.app.sandboxProfiles.length > 0, `${app.id} must declare sandbox profiles`);
|
|
130
130
|
assertTaskIdsUnique(shown);
|
|
@@ -135,7 +135,7 @@ function main() {
|
|
|
135
135
|
const plan = runJson(["plan", app.id, ...app.args(workspace)]);
|
|
136
136
|
const state = JSON.parse(fs.readFileSync(plan.statePath, "utf8"));
|
|
137
137
|
assert.equal(state.workflow.app.id, app.id);
|
|
138
|
-
assert.equal(state.workflow.app.version, "0.1.
|
|
138
|
+
assert.equal(state.workflow.app.version, "0.1.90");
|
|
139
139
|
assert.equal(state.workflow.app.metadata.canonical, true);
|
|
140
140
|
assert.ok(state.tasks.some((task) => task.requiresEvidence), `${app.id} plan must include evidence gates`);
|
|
141
141
|
assert.ok(state.tasks.every((task) => task.sandboxProfileId), `${app.id} plan must include sandbox hints`);
|
|
@@ -6,7 +6,7 @@ const fs = require("node:fs");
|
|
|
6
6
|
const path = require("node:path");
|
|
7
7
|
const { CoolWorkflowRunner } = require("../dist/orchestrator.js");
|
|
8
8
|
|
|
9
|
-
const TARGET_VERSION = "0.1.
|
|
9
|
+
const TARGET_VERSION = "0.1.90";
|
|
10
10
|
const PREVIOUS_VERSION = "0.1.31";
|
|
11
11
|
const pluginRoot = path.resolve(__dirname, "..");
|
|
12
12
|
const repoRoot = path.resolve(pluginRoot, "..", "..");
|
package/scripts/golden-path.js
CHANGED
|
@@ -33,7 +33,7 @@ function main() {
|
|
|
33
33
|
const appValidation = runJson(["app", "validate", "end-to-end-golden-path"], pluginRoot);
|
|
34
34
|
assert.equal(appValidation.valid, true);
|
|
35
35
|
assert.equal(appValidation.summary.id, "end-to-end-golden-path");
|
|
36
|
-
assert.equal(appValidation.summary.version, "0.1.
|
|
36
|
+
assert.equal(appValidation.summary.version, "0.1.90");
|
|
37
37
|
|
|
38
38
|
const plan = runJson(
|
|
39
39
|
[
|
|
@@ -42,7 +42,7 @@ function main() {
|
|
|
42
42
|
"--repo",
|
|
43
43
|
tmp,
|
|
44
44
|
"--question",
|
|
45
|
-
"Prove the deterministic v0.1.
|
|
45
|
+
"Prove the deterministic v0.1.90 end-to-end golden path."
|
|
46
46
|
],
|
|
47
47
|
pluginRoot
|
|
48
48
|
);
|
|
@@ -52,7 +52,7 @@ function main() {
|
|
|
52
52
|
|
|
53
53
|
let state = readJson(plan.statePath);
|
|
54
54
|
assert.equal(state.workflow.app.id, "end-to-end-golden-path");
|
|
55
|
-
assert.equal(state.workflow.app.version, "0.1.
|
|
55
|
+
assert.equal(state.workflow.app.version, "0.1.90");
|
|
56
56
|
assert.equal(state.loopStage, "interpret");
|
|
57
57
|
|
|
58
58
|
const dispatch = runJson(["dispatch", plan.runId, "--limit", "1", "--sandbox", "readonly"], tmp);
|
|
@@ -195,7 +195,7 @@ function main() {
|
|
|
195
195
|
assert.equal(reportPath, plan.reportPath);
|
|
196
196
|
assert.ok(fs.existsSync(reportPath));
|
|
197
197
|
const report = fs.readFileSync(reportPath, "utf8");
|
|
198
|
-
assert.match(report, /Workflow App: end-to-end-golden-path@0\.1\.
|
|
198
|
+
assert.match(report, /Workflow App: end-to-end-golden-path@0\.1\.90/);
|
|
199
199
|
assert.match(report, /## Candidates/);
|
|
200
200
|
assert.match(report, /## Trust Audit/);
|
|
201
201
|
assert.match(report, /## Acceptance Rationale/);
|