cool-workflow 0.1.91 → 0.1.93

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (84) hide show
  1. package/.claude-plugin/plugin.json +1 -1
  2. package/.codex-plugin/plugin.json +1 -1
  3. package/README.md +111 -434
  4. package/apps/architecture-review/app.json +1 -1
  5. package/apps/architecture-review-fast/app.json +1 -1
  6. package/apps/architecture-review-fast/workflow.js +15 -2
  7. package/apps/end-to-end-golden-path/app.json +1 -1
  8. package/apps/pr-review-fix-ci/app.json +1 -1
  9. package/apps/release-cut/app.json +1 -1
  10. package/apps/research-synthesis/app.json +1 -1
  11. package/apps/research-synthesis/workflow.js +1 -1
  12. package/dist/capability-core.js +47 -0
  13. package/dist/capability-registry.js +2 -0
  14. package/dist/cli/command-surface.js +165 -1352
  15. package/dist/cli/format.js +56 -0
  16. package/dist/cli/handlers/audit.js +82 -0
  17. package/dist/cli/handlers/blackboard.js +81 -0
  18. package/dist/cli/handlers/candidate.js +40 -0
  19. package/dist/cli/handlers/clones.js +34 -0
  20. package/dist/cli/handlers/collaboration.js +61 -0
  21. package/dist/cli/handlers/eval.js +40 -0
  22. package/dist/cli/handlers/maintenance.js +107 -0
  23. package/dist/cli/handlers/multi-agent.js +165 -0
  24. package/dist/cli/handlers/node.js +41 -0
  25. package/dist/cli/handlers/operational.js +155 -0
  26. package/dist/cli/handlers/operator.js +146 -0
  27. package/dist/cli/handlers/registry.js +68 -0
  28. package/dist/cli/handlers/run.js +153 -0
  29. package/dist/cli/handlers/scheduling.js +126 -0
  30. package/dist/cli/handlers/workbench.js +41 -0
  31. package/dist/cli/handlers/worker.js +45 -0
  32. package/dist/cli/io.js +27 -0
  33. package/dist/cli/run-summary.js +45 -0
  34. package/dist/commit.js +0 -5
  35. package/dist/doctor.js +1 -0
  36. package/dist/execution-backend.js +0 -11
  37. package/dist/mcp/tool-call.js +2 -0
  38. package/dist/mcp/tool-definitions.js +8 -0
  39. package/dist/orchestrator/app-operations.js +205 -0
  40. package/dist/orchestrator/report.js +6 -1
  41. package/dist/orchestrator.js +41 -153
  42. package/dist/state-explosion.js +0 -7
  43. package/dist/term.js +0 -18
  44. package/dist/validation.js +0 -21
  45. package/dist/version.js +1 -1
  46. package/docs/agent-delegation-drive.7.md +2 -0
  47. package/docs/canonical-workflow-apps.7.md +12 -0
  48. package/docs/cli-mcp-parity.7.md +18 -1
  49. package/docs/contract-migration-tooling.7.md +2 -0
  50. package/docs/control-plane-scheduling.7.md +2 -0
  51. package/docs/durable-state-and-locking.7.md +2 -0
  52. package/docs/evidence-adoption-reasoning-chain.7.md +2 -0
  53. package/docs/execution-backends.7.md +2 -0
  54. package/docs/mcp-app-surface.7.md +12 -0
  55. package/docs/multi-agent-cli-mcp-surface.7.md +2 -0
  56. package/docs/multi-agent-eval-replay-harness.7.md +2 -0
  57. package/docs/multi-agent-operator-ux.7.md +2 -0
  58. package/docs/node-snapshot-diff-replay.7.md +2 -0
  59. package/docs/observability-cost-accounting.7.md +2 -0
  60. package/docs/project-index.md +15 -3
  61. package/docs/real-execution-backends.7.md +2 -0
  62. package/docs/release-and-migration.7.md +2 -0
  63. package/docs/release-tooling.7.md +11 -0
  64. package/docs/run-registry-control-plane.7.md +26 -2
  65. package/docs/run-retention-reclamation.7.md +2 -0
  66. package/docs/state-explosion-management.7.md +2 -0
  67. package/docs/team-collaboration.7.md +2 -0
  68. package/docs/web-desktop-workbench.7.md +2 -0
  69. package/manifest/plugin.manifest.json +1 -1
  70. package/package.json +3 -1
  71. package/scripts/agents/agent-adapter-core.js +179 -28
  72. package/scripts/agents/claude-p-agent.js +24 -7
  73. package/scripts/agents/codex-agent.js +1 -1
  74. package/scripts/agents/gemini-agent.js +1 -1
  75. package/scripts/agents/opencode-agent.js +1 -1
  76. package/scripts/architecture-review-fast.js +19 -5
  77. package/scripts/bump-version.js +20 -1
  78. package/scripts/canonical-apps.js +4 -4
  79. package/scripts/dogfood-release.js +1 -1
  80. package/scripts/golden-path.js +4 -4
  81. package/scripts/parity-check.js +9 -1
  82. package/scripts/release-check.js +5 -1
  83. package/scripts/sync-readme.js +123 -0
  84. package/scripts/version-sync-check.js +10 -1
@@ -3,7 +3,7 @@
3
3
  "id": "architecture-review",
4
4
  "title": "Architecture Review",
5
5
  "summary": "Map a repository architecture, assess risks, verify important findings, and synthesize an evidence-backed verdict.",
6
- "version": "0.1.91",
6
+ "version": "0.1.93",
7
7
  "author": "COOLWHITE LLC",
8
8
  "inputs": [
9
9
  {
@@ -3,7 +3,7 @@
3
3
  "id": "architecture-review-fast",
4
4
  "title": "Architecture Review Fast",
5
5
  "summary": "Run a shorter architecture review with parallel map and assess phases for faster first results.",
6
- "version": "0.1.91",
6
+ "version": "0.1.93",
7
7
  "author": "COOLWHITE LLC",
8
8
  "inputs": [
9
9
  {
@@ -100,7 +100,14 @@ module.exports = ({ workflow, phase, parallel, agent, artifact, input }) => {
100
100
  "Confirm real risks, downgrade unsupported claims, and list exact file paths, commands, logs, or unknowns.",
101
101
  "The cw:result evidence array must cite durable locators."
102
102
  ].join(" "),
103
- strongOptions("Evidence verifier", { requiresEvidence: true })
103
+ strongOptions("Evidence verifier", {
104
+ requiresEvidence: true,
105
+ // Cache the (expensive, ~146s live) verification by source digest +
106
+ // ALL upstream phase result digests. A hit only when source AND every
107
+ // Map/Assess output are byte-identical; the cached result still passes
108
+ // worker-output validation (requiresEvidence stays enforced).
109
+ resultCache: sourceContextResultCache({ includeCompletedResults: "previous-phases" })
110
+ })
104
111
  )
105
112
  ]),
106
113
  phase("Verdict", [
@@ -113,7 +120,13 @@ module.exports = ({ workflow, phase, parallel, agent, artifact, input }) => {
113
120
  "State when the full architecture-review app should be scheduled as a background routine.",
114
121
  "The cw:result evidence array must support the final verdict."
115
122
  ].join(" "),
116
- strongOptions("Fast verdict synthesizer", { requiresEvidence: true })
123
+ strongOptions("Fast verdict synthesizer", {
124
+ requiresEvidence: true,
125
+ // Cache the (~294s live, largest phase) synthesis by source digest +
126
+ // all upstream (Map/Assess/Verify) result digests. Busts on any
127
+ // upstream change; cached verdict re-passes evidence validation.
128
+ resultCache: sourceContextResultCache({ includeCompletedResults: "previous-phases" })
129
+ })
117
130
  )
118
131
  ])
119
132
  ]
@@ -3,7 +3,7 @@
3
3
  "id": "end-to-end-golden-path",
4
4
  "title": "End-to-End Golden Path",
5
5
  "summary": "Deterministic one-worker workflow app for proving the CW integration chain.",
6
- "version": "0.1.91",
6
+ "version": "0.1.93",
7
7
  "author": "COOLWHITE LLC",
8
8
  "inputs": [
9
9
  {
@@ -3,7 +3,7 @@
3
3
  "id": "pr-review-fix-ci",
4
4
  "title": "PR Review Fix CI",
5
5
  "summary": "Review a pull request or branch, inspect CI failures, diagnose actionable issues, optionally patch, verify, and summarize with evidence.",
6
- "version": "0.1.91",
6
+ "version": "0.1.93",
7
7
  "author": "COOLWHITE LLC",
8
8
  "inputs": [
9
9
  {
@@ -3,7 +3,7 @@
3
3
  "id": "release-cut",
4
4
  "title": "Release Cut",
5
5
  "summary": "Prepare a release with checklist discipline: version checks, changelog, tests, packaging, release notes, and final verification.",
6
- "version": "0.1.91",
6
+ "version": "0.1.93",
7
7
  "author": "COOLWHITE LLC",
8
8
  "inputs": [
9
9
  {
@@ -3,7 +3,7 @@
3
3
  "id": "research-synthesis",
4
4
  "title": "Research Synthesis",
5
5
  "summary": "Split a research question into claims, investigate sources, cross-check evidence, verify claims, and synthesize a concise answer.",
6
- "version": "0.1.91",
6
+ "version": "0.1.93",
7
7
  "author": "COOLWHITE LLC",
8
8
  "inputs": [
9
9
  {
@@ -41,7 +41,7 @@ module.exports = ({ workflow, phase, agent, artifact, input }) => {
41
41
  phase("Investigate", [
42
42
  agent(
43
43
  "investigate:primary-sources",
44
- "Investigate primary or official sources first from {{source}} for {{question}}. Return source titles, dates, authors or publishers, durable locators, key claims, and uncertainty. Mark missing retrieval needs explicitly.",
44
+ "Investigate primary or official sources first from {{source}} for {{question}}. The local files in your working directory are also possible primary sources: list them first, then read the ones that help and cite their paths. Return source titles, dates, authors or publishers, durable locators (a local file path with optional :line, or a URL), key claims, and uncertainty. Mark missing retrieval needs explicitly.",
45
45
  { sandboxProfileId: "readonly" }
46
46
  ),
47
47
  agent(
@@ -40,6 +40,7 @@ exports.runExportArchive = runExportArchive;
40
40
  exports.runImportArchive = runImportArchive;
41
41
  exports.runInspectArchive = runInspectArchive;
42
42
  exports.runVerifyImport = runVerifyImport;
43
+ exports.runRestoreArchive = runRestoreArchive;
43
44
  exports.reportBundle = reportBundle;
44
45
  exports.runVerifyReportBundle = runVerifyReportBundle;
45
46
  exports.queueAdd = queueAdd;
@@ -313,6 +314,52 @@ function runInspectArchive(_runner, args) {
313
314
  function runVerifyImport(runner, runId, args) {
314
315
  return (0, run_export_1.verifyImportedRun)(runner.withBaseDir(optionalString(args.cwd)).loadRun(runId));
315
316
  }
317
+ // Fail-closed atomic restore of a portable run archive. `run import` runs a
318
+ // verification (importRun returns it as ImportResult.verification) but does NOT
319
+ // fail on it — it exits 0 even when the telemetry-ledger or trust-audit hash chain
320
+ // does not verify, so a chain-tampered run imports with a fabricated success.
321
+ // `run restore` closes that gap in ONE step: it integrity-INSPECTS the archive
322
+ // FIRST (writing nothing), refuses a bad bundle before any import, then IMPORTS
323
+ // and REUSES importRun's verification verdict — reporting ok:true ONLY when verify
324
+ // passes. Pure composition of the existing functions (inspectArchive + importRun,
325
+ // whose own verification we reuse); no new crypto or IO logic, and no second
326
+ // re-hash. The CLI/MCP surfaces map ok:false to exit 1.
327
+ function runRestoreArchive(runner, args) {
328
+ const base = invocationCwd(args);
329
+ const archive = optionalString(args.archive || args.path || args.file);
330
+ if (!archive)
331
+ throw new Error("run restore requires an archive path (positional, --archive, --path, or --file)");
332
+ const resolvedArchive = node_path_1.default.resolve(base, archive);
333
+ const target = node_path_1.default.resolve(base, optionalString(args.target || args.repo || args.cwd) || base);
334
+ // (1) Integrity-inspect FIRST — read-only, writes nothing. A bad bundle is
335
+ // refused here, before any import touches the target tree (no partial restore).
336
+ const inspect = (0, run_export_1.inspectArchive)(resolvedArchive);
337
+ if (!inspect.ok) {
338
+ return { schemaVersion: 1, ok: false, target, inspect, imported: null, verify: null, registry: null };
339
+ }
340
+ // (2) Intact: import + refresh the target registry (mirrors runImportArchive).
341
+ const imported = (0, run_export_1.importRun)(resolvedArchive, target);
342
+ const registry = new run_registry_1.RunRegistry(target, runner.withBaseDir(target));
343
+ const registryReport = registry.refresh({ scope: "repo" });
344
+ // (3) REUSE the verification importRun already ran — it re-proves the same
345
+ // restored files PLUS the telemetry-ledger and trust-audit hash chains, but
346
+ // returns the verdict WITHOUT throwing. We do NOT re-run verifyImportedRun (that
347
+ // would re-hash every file a second time for no new information). The gap restore
348
+ // closes is exactly that `run import` ships this verdict and exits 0 even when it
349
+ // is false — restore fails-closed on it below (CLI maps ok:false → exit 1).
350
+ const verify = imported.verification;
351
+ return {
352
+ schemaVersion: 1,
353
+ // inspect.ok is guaranteed true here — the corrupt-archive case early-returned
354
+ // above — so the verdict is purely verify.ok (the telemetry/trust-audit chain).
355
+ ok: verify.ok,
356
+ target,
357
+ inspect,
358
+ imported: { ...imported, registry: registryReport },
359
+ verify,
360
+ registry: registryReport
361
+ };
362
+ }
316
363
  // Produce-and-prove: export a run to a portable bundle sealed with the operator's
317
364
  // trust key (defaulting to CW_AGENT_ATTEST_PUBKEY, same as `run export`), then
318
365
  // IMMEDIATELY verify the artifact offline the way a recipient will. The producer
@@ -395,6 +395,7 @@ const BUILTIN_CAPABILITIES = [
395
395
  { capability: "run.import", summary: "Restore a portable run archive into a target repo and verify restored file digests.", entry: "runImportArchive", surface: "both", cli: { path: ["run", "import"], jsonMode: "default" }, mcp: { tool: "cw_run_import", requiredArgs: ["archive|path|file"] } },
396
396
  { capability: "run.verify-import", summary: "Verify an imported run against its restore manifest and telemetry chain.", entry: "runVerifyImport", surface: "both", cli: { path: ["run", "verify-import"], jsonMode: "default" }, mcp: { tool: "cw_run_verify_import", requiredArgs: ["runId"] } },
397
397
  { capability: "run.inspect-archive", summary: "Read-only integrity inspection of a portable run archive without importing it.", entry: "runInspectArchive", surface: "both", cli: { path: ["run", "inspect-archive"], jsonMode: "default" }, mcp: { tool: "cw_run_inspect_archive", requiredArgs: ["archive|path|file"] } },
398
+ { capability: "run.restore", summary: "Fail-closed restore of a portable run archive: integrity-inspect, import, and verify in one step; refuses anything that does not verify.", entry: "runRestoreArchive", surface: "both", cli: { path: ["run", "restore"], jsonMode: "default" }, mcp: { tool: "cw_run_restore", requiredArgs: ["archive|path|file"] } },
398
399
  { capability: "report.verify-bundle", summary: "Offline self-contained verify of a portable run bundle: archive bytes + telemetry chain + trust-audit chain + embedded-key signatures.", entry: "runVerifyReportBundle", surface: "both", cli: { path: ["report", "verify-bundle"], caseTokens: ["report"], jsonMode: "default" }, mcp: { tool: "cw_report_verify_bundle", requiredArgs: ["archive|path|file|bundle"] } },
399
400
  { capability: "report.bundle", summary: "Produce-and-prove: export a run to a portable bundle sealed with the trust key, then self-verify it offline (fail-closed) so the producer knows it is verifiable before shipping.", entry: "reportBundle", surface: "both", cli: { path: ["report", "bundle"], caseTokens: ["report"], jsonMode: "default" }, mcp: { tool: "cw_report_bundle", requiredArgs: ["runId"] } },
400
401
  { capability: "run.drive", summary: "Preview the next agent-delegation drive step for a run (read-only, deterministic).", entry: "runDrivePreview", surface: "both", cli: { path: ["run", "drive"], caseTokens: ["run", "drive"], jsonMode: "default" }, mcp: { tool: "cw_run_drive" } },
@@ -655,6 +656,7 @@ const PAYLOAD_PROBE_DEFERRED_GROUPS = [
655
656
  "run.import",
656
657
  "run.verify-import",
657
658
  "run.inspect-archive",
659
+ "run.restore",
658
660
  "report.verify-bundle",
659
661
  "report.bundle",
660
662
  "queue.add",