cool-workflow 0.1.92 → 0.1.94
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.claude-plugin/plugin.json +1 -1
- package/.codex-plugin/plugin.json +1 -1
- package/README.md +104 -129
- package/apps/architecture-review/app.json +1 -1
- package/apps/architecture-review-fast/app.json +1 -1
- package/apps/architecture-review-fast/workflow.js +15 -2
- package/apps/end-to-end-golden-path/app.json +1 -1
- package/apps/pr-review-fix-ci/app.json +1 -1
- package/apps/release-cut/app.json +1 -1
- package/apps/research-synthesis/app.json +1 -1
- package/dist/capability-core.js +47 -0
- package/dist/capability-registry.js +2 -0
- package/dist/cli/command-surface.js +165 -1352
- package/dist/cli/format.js +56 -0
- package/dist/cli/handlers/audit.js +82 -0
- package/dist/cli/handlers/blackboard.js +81 -0
- package/dist/cli/handlers/candidate.js +40 -0
- package/dist/cli/handlers/clones.js +34 -0
- package/dist/cli/handlers/collaboration.js +61 -0
- package/dist/cli/handlers/eval.js +40 -0
- package/dist/cli/handlers/maintenance.js +107 -0
- package/dist/cli/handlers/multi-agent.js +165 -0
- package/dist/cli/handlers/node.js +41 -0
- package/dist/cli/handlers/operational.js +155 -0
- package/dist/cli/handlers/operator.js +146 -0
- package/dist/cli/handlers/registry.js +68 -0
- package/dist/cli/handlers/run.js +153 -0
- package/dist/cli/handlers/scheduling.js +126 -0
- package/dist/cli/handlers/workbench.js +41 -0
- package/dist/cli/handlers/worker.js +45 -0
- package/dist/cli/io.js +27 -0
- package/dist/cli/run-summary.js +45 -0
- package/dist/commit.js +0 -5
- package/dist/execution-backend.js +0 -11
- package/dist/mcp/tool-call.js +2 -0
- package/dist/mcp/tool-definitions.js +8 -0
- package/dist/orchestrator/app-operations.js +205 -0
- package/dist/orchestrator.js +41 -153
- package/dist/state-explosion.js +0 -7
- package/dist/term.js +0 -18
- package/dist/validation.js +0 -21
- package/dist/version.js +1 -1
- package/docs/agent-delegation-drive.7.md +13 -7
- package/docs/cli-mcp-parity.7.md +19 -2
- package/docs/contract-migration-tooling.7.md +3 -1
- package/docs/control-plane-scheduling.7.md +3 -1
- package/docs/durable-state-and-locking.7.md +3 -1
- package/docs/evidence-adoption-reasoning-chain.7.md +3 -1
- package/docs/execution-backends.7.md +3 -1
- package/docs/mcp-app-surface.7.md +12 -0
- package/docs/multi-agent-cli-mcp-surface.7.md +3 -1
- package/docs/multi-agent-eval-replay-harness.7.md +3 -1
- package/docs/multi-agent-operator-ux.7.md +3 -1
- package/docs/node-snapshot-diff-replay.7.md +3 -1
- package/docs/observability-cost-accounting.7.md +3 -1
- package/docs/project-index.md +16 -3
- package/docs/real-execution-backends.7.md +3 -1
- package/docs/release-and-migration.7.md +3 -1
- package/docs/release-tooling.7.md +3 -1
- package/docs/run-registry-control-plane.7.md +27 -3
- package/docs/run-retention-reclamation.7.md +3 -1
- package/docs/state-explosion-management.7.md +3 -1
- package/docs/team-collaboration.7.md +3 -1
- package/docs/web-desktop-workbench.7.md +3 -1
- package/manifest/plugin.manifest.json +1 -1
- package/package.json +1 -1
- package/scripts/agents/builtin-templates.json +3 -2
- package/scripts/agents/claude-p-agent.js +6 -6
- package/scripts/agents/codex-agent.js +17 -3
- package/scripts/agents/deepseek-agent.js +23 -0
- package/scripts/agents/gemini-opencode-agent.js +25 -0
- package/scripts/agents/opencode-agent.js +57 -8
- package/scripts/architecture-review-fast.js +19 -5
- package/scripts/bump-version.js +16 -0
- package/scripts/canonical-apps.js +4 -4
- package/scripts/dogfood-release.js +1 -1
- package/scripts/golden-path.js +4 -4
- package/scripts/parity-check.js +9 -1
- package/scripts/release-flow.js +35 -0
- package/scripts/vendor-preflight.js +127 -0
- package/scripts/version-sync-check.js +5 -0
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "cool-workflow",
|
|
3
3
|
"description": "A workflow control plane and run-time you are able to check: it sends out jobs in TypeScript, makes certain of work against facts before it goes through, puts state into fixed records, orders jobs by time, runs jobs again and again, gets a group of agents to do their parts together, and talks MCP. It gives the doing of the work to outside agents — it never runs the models itself.",
|
|
4
|
-
"version": "0.1.
|
|
4
|
+
"version": "0.1.94",
|
|
5
5
|
"author": {
|
|
6
6
|
"name": "COOLWHITE LLC"
|
|
7
7
|
},
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "cool-workflow",
|
|
3
|
-
"version": "0.1.
|
|
3
|
+
"version": "0.1.94",
|
|
4
4
|
"description": "A workflow control plane and run-time you are able to check: it sends out jobs in TypeScript, makes certain of work against facts before it goes through, puts state into fixed records, orders jobs by time, runs jobs again and again, gets a group of agents to do their parts together, and talks MCP. It gives the doing of the work to outside agents — it never runs the models itself.",
|
|
5
5
|
"author": {
|
|
6
6
|
"name": "COOLWHITE LLC"
|
package/README.md
CHANGED
|
@@ -1,217 +1,192 @@
|
|
|
1
1
|
<!-- AUTO-GENERATED from /README.md by scripts/sync-readme.js — edit the root README, then run `npm run sync:readme`. DO NOT edit this file directly. -->
|
|
2
2
|
<div align="center">
|
|
3
3
|
|
|
4
|
-
|
|
4
|
+
<img src="https://raw.githubusercontent.com/coo1white/cool-workflow/main/docs/assets/cw-hero.png" alt="Cool Workflow — your AI report, already proven. Point your agent at any repo or folder and get a saved, cited report you can re-verify offline." width="100%">
|
|
5
5
|
|
|
6
|
-
|
|
6
|
+
<br><br>
|
|
7
7
|
|
|
8
|
-
[](https://github.com/coo1white/cool-workflow/actions/workflows/ci.yml)
|
|
8
|
+
[](https://github.com/coo1white/cool-workflow/actions/workflows/ci.yml)
|
|
9
9
|
[](https://www.npmjs.com/package/cool-workflow)
|
|
10
|
-
[](https://www.npmjs.com/package/cool-workflow)
|
|
10
|
+
[](https://www.npmjs.com/package/cool-workflow)
|
|
11
11
|
[](https://www.npmjs.com/package/cool-workflow)
|
|
12
12
|
[](https://github.com/coo1white/cool-workflow/tags)
|
|
13
13
|
[](https://github.com/coo1white/cool-workflow/blob/main/LICENSE)
|
|
14
14
|
|
|
15
|
-
|
|
15
|
+
### Get a saved, cited report from your AI agent — not a chat message you lose.
|
|
16
16
|
|
|
17
17
|
</div>
|
|
18
18
|
|
|
19
|
+
Point an AI coding agent at a repo (or any folder of docs) and Cool Workflow turns the run into a
|
|
20
|
+
**durable, inspectable workflow**: it plans the work, delegates each task to *your* agent, records and
|
|
21
|
+
verifies every result, then writes a report where every claim is cited to a `file.ts:42`.
|
|
22
|
+
|
|
23
|
+
> **The model is fuel. CW is the black-box recorder, the dashboard, and the gearbox — never the engine.**
|
|
24
|
+
> It never calls a model API, never holds your keys, and never uploads your code. Your agent spends the
|
|
25
|
+
> tokens; CW keeps the books — as plain JSON on your own disk.
|
|
26
|
+
|
|
27
|
+
---
|
|
28
|
+
|
|
19
29
|
## Install
|
|
20
30
|
|
|
21
31
|
```bash
|
|
22
32
|
npm install -g cool-workflow
|
|
23
33
|
```
|
|
24
34
|
|
|
25
|
-
|
|
26
|
-
|
|
35
|
+
<details>
|
|
36
|
+
<summary>Or install with <b>Homebrew</b></summary>
|
|
37
|
+
|
|
38
|
+
```bash
|
|
39
|
+
brew tap coo1white/cool-workflow https://github.com/coo1white/cool-workflow
|
|
40
|
+
brew install coo1white/cool-workflow/cool-workflow
|
|
41
|
+
cw version
|
|
42
|
+
```
|
|
27
43
|
|
|
28
|
-
|
|
44
|
+
Upgrade later with `brew update && brew upgrade cool-workflow`.
|
|
45
|
+
</details>
|
|
29
46
|
|
|
30
|
-
|
|
47
|
+
**You need:** Node.js v18+ and one agent CLI on your machine — `claude`, `codex`, `gemini`, or
|
|
48
|
+
`opencode` (all auto-detected). No agent yet? `cw demo` still works — **CW never runs a model itself.**
|
|
49
|
+
|
|
50
|
+
## Quick Start
|
|
51
|
+
|
|
52
|
+
### 1 · Prove it works — 30 seconds, no agent needed
|
|
31
53
|
|
|
32
54
|
```bash
|
|
33
55
|
cw demo tamper
|
|
56
|
+
# → builds a real signed ledger, forges it three ways, catches all three offline
|
|
34
57
|
# → VERDICT: tamper-evidence holds ✓
|
|
35
58
|
```
|
|
36
59
|
|
|
37
|
-
### 2
|
|
60
|
+
### 2 · Ask a question about your code — one command
|
|
38
61
|
|
|
39
62
|
```bash
|
|
40
63
|
cw -q "What are the main risks here?"
|
|
41
64
|
```
|
|
42
65
|
|
|
43
|
-
CW auto-detects the
|
|
44
|
-
|
|
66
|
+
CW auto-detects the current repo and the first agent on your `PATH`. Pin a specific one with a flag
|
|
67
|
+
(`-claude`, `-codex`, `-gemini`, `-deepseek`). Point it anywhere — no `cd` required — or review a
|
|
68
|
+
**remote repo by URL** and CW clones, snapshots, and reviews the checkout:
|
|
45
69
|
|
|
46
70
|
```bash
|
|
47
|
-
cw -q "What are the security risks?" -
|
|
48
|
-
cw -q "What are the
|
|
49
|
-
cw -q "What are the security risks?" -deepseek
|
|
71
|
+
cw -q "What are the security risks?" -dir /path/to/project
|
|
72
|
+
cw -q "What are the risks?" --link https://github.com/owner/repo
|
|
50
73
|
```
|
|
51
74
|
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
**Not just code.** Point CW at a folder of docs, notes, or papers and it reads the files
|
|
56
|
-
there as sources, then gives you the same saved, cited report:
|
|
75
|
+
**Not just code.** Aim CW at a folder of docs, notes, or papers and it reads them as sources for the
|
|
76
|
+
same saved, cited report:
|
|
57
77
|
|
|
58
78
|
```bash
|
|
59
79
|
cw quickstart research-synthesis --repo /path/to/papers \
|
|
60
80
|
--question "What do these papers conclude?"
|
|
61
81
|
```
|
|
62
82
|
|
|
63
|
-
|
|
64
|
-
updates in place instead of an endless wall:
|
|
83
|
+
### 3 · Open the report
|
|
65
84
|
|
|
66
|
-
|
|
67
|
-
● Read(execution-backend.ts)
|
|
68
|
-
⎿ 910 lines
|
|
69
|
-
● Grep(spawnSync)
|
|
70
|
-
⎿ 17 matches
|
|
71
|
-
✶ Searching worker-isolation.ts… (3s)
|
|
72
|
-
```
|
|
73
|
-
|
|
74
|
-
Each tool folds to a `● ToolName(arg)` line with a dim `⎿` result summary; older steps fold away (the
|
|
75
|
-
window stays a few rows) and the worker collapses to one line when done. It's compact by default
|
|
76
|
-
(reasoning hidden) — add `--verbose` for the full narration, `--full` to also print the report inline,
|
|
77
|
-
or `--no-color` to drop ANSI (`NO_COLOR` / `FORCE_COLOR` are honored too). The complete narration +
|
|
78
|
-
tool I/O is always saved to a per-worker `transcript.md` next to the result, and the cursor is
|
|
79
|
-
restored cleanly on Ctrl-C.
|
|
80
|
-
|
|
81
|
-
Review a project **from any directory** — no `cd` needed — by pointing at its folder
|
|
82
|
-
(`-d` / `--dir` / `--repo` are equivalent):
|
|
83
|
-
|
|
84
|
-
```bash
|
|
85
|
-
cw -q "What are the risks?" -dir /path/to/project
|
|
86
|
-
```
|
|
87
|
-
|
|
88
|
-
Or review a **remote repo by URL** — CW clones it, then reviews the checkout (`-l` / `--link`,
|
|
89
|
-
or pass the URL straight to `-dir`/`--repo`):
|
|
85
|
+
The command prints the path. Every finding carries a clickable `file.ts:42` pointer:
|
|
90
86
|
|
|
91
87
|
```bash
|
|
92
|
-
cw
|
|
93
|
-
cw -q "What are the risks?" --link git@gitlab.com:owner/repo.git --ref v1.2.0
|
|
88
|
+
cat .cw/runs/<run-id>/report.md
|
|
94
89
|
```
|
|
95
90
|
|
|
96
|
-
|
|
97
|
-
|
|
98
|
-
under `~/.local/state/cool-workflow/clones/` and reused next time (`--refresh` re-fetches; `cw clones
|
|
99
|
-
list`/`gc` manage it). The report records `Source: <url>@<commit>` plus a tamper-evident
|
|
100
|
-
`source.clone` event (`cw audit verify`). A credential-less private repo **fails closed** — it never
|
|
101
|
-
hangs on a prompt. Preview without fetching: `cw -q "…" --link <url> --check`.
|
|
91
|
+
While it runs you get a calm, Claude-Code-style live view — a compact rolling window of tool calls
|
|
92
|
+
that updates in place instead of an endless wall — and a clean findings table when it's done.
|
|
102
93
|
|
|
103
|
-
|
|
104
|
-
(id / severity / classification, not the full prose), the report path, and where the per-worker
|
|
105
|
-
transcripts live:
|
|
94
|
+
---
|
|
106
95
|
|
|
107
|
-
|
|
108
|
-
==> Map ✓ (6/6)
|
|
109
|
-
==> Verdict ✓
|
|
96
|
+
## Why Cool Workflow
|
|
110
97
|
|
|
111
|
-
|
|
98
|
+
Most agent tooling runs a whole task as one long prompt, then hands you a chat message. When the work
|
|
99
|
+
is long, parallel, or high-stakes, you can't tell what happened or trust the result. CW treats it as a
|
|
100
|
+
**runtime problem** — and rests on four commitments:
|
|
112
101
|
|
|
113
|
-
|
|
114
|
-
|
|
115
|
-
|
|
116
|
-
|
|
117
|
-
|
|
102
|
+
| Commitment | What it means for you |
|
|
103
|
+
|---|---|
|
|
104
|
+
| **Model as fuel, not engine** | CW never calls a model API. Execution is always delegated to your agent, so the backend is swappable and your credentials and code never leave your machine. |
|
|
105
|
+
| **Evidence-gated decisions** | Every adopted result records its **basis, authority, rationale, and the alternative it beat.** Missing evidence doesn't slip through — it fails closed to a visible `unexplained` state. |
|
|
106
|
+
| **Deterministic, local replay** | Every step is plain JSON under `.cw/runs/<id>/` — read it, diff it, resume it, replay it. No hidden database; the runtime never *guesses* success. |
|
|
107
|
+
| **Vendor-neutral by design** | One source-of-truth manifest generates every vendor adapter (Claude, Codex, …) over a shared CLI + MCP runtime, with a fail-closed drift check. No lock-in, no forked logic. |
|
|
118
108
|
|
|
119
|
-
|
|
120
|
-
stdout is pure data — all of this chrome goes to stderr (TTY only).
|
|
109
|
+
## How It Works
|
|
121
110
|
|
|
122
|
-
|
|
111
|
+
CW is a small TypeScript tool with **zero runtime dependencies**. It drives your agent over a repo — or
|
|
112
|
+
any folder — in saved, replayable stages, writing everything to disk as inspectable files. It never
|
|
113
|
+
imports a model SDK or stores an API key.
|
|
123
114
|
|
|
124
|
-
|
|
115
|
+
<div align="center">
|
|
116
|
+
<img src="https://raw.githubusercontent.com/coo1white/cool-workflow/main/docs/assets/cw-pipeline.png" alt="The CW pipeline: ask, plan, dispatch (delegated to your agent), verify (evidence gate, fails closed), commit verified state, and a saved, cited, signed report — every step recorded as durable .cw/ JSON." width="100%">
|
|
117
|
+
</div>
|
|
125
118
|
|
|
126
|
-
```
|
|
127
|
-
|
|
128
|
-
# → findings with clickable file.ts:42 pointers for every claim
|
|
119
|
+
```text
|
|
120
|
+
ask simple → run simple → verify simple → resume simple
|
|
129
121
|
```
|
|
130
122
|
|
|
131
|
-
## What
|
|
123
|
+
## What You Can Run
|
|
124
|
+
|
|
125
|
+
| Workflow | What it produces |
|
|
126
|
+
|---|---|
|
|
127
|
+
| `architecture-review` | Map a repo, rank risks, and back every claim with `file:line` evidence |
|
|
128
|
+
| `pr-review-fix-ci` | Review a PR or branch, diagnose CI, and propose + verify fixes |
|
|
129
|
+
| `research-synthesis` | Answer a question over a local folder of files — your docs, notes, or papers |
|
|
130
|
+
| `release-cut` | Run a gated, reviewed release with dry-run evidence |
|
|
132
131
|
|
|
133
132
|
```bash
|
|
134
|
-
cw
|
|
135
|
-
cw
|
|
136
|
-
cw doctor # check your setup
|
|
137
|
-
cw fix # show fix commands for setup issues
|
|
133
|
+
cw app list # see everything installed
|
|
134
|
+
cw doctor # check your setup → cw fix shows the fix commands
|
|
138
135
|
```
|
|
139
136
|
|
|
140
|
-
|
|
141
|
-
|
|
142
|
-
|
|
143
|
-
|
|
144
|
-
| `research-synthesis` | Answer a question over a local folder of files — your own docs, notes, or papers, not only code |
|
|
145
|
-
| `release-cut` | Run a gated, reviewed release |
|
|
146
|
-
|
|
147
|
-
**Multi-agent, when you need it.** Fan work out across agents with built-in topologies,
|
|
148
|
-
compose flows (a task can run a whole child workflow with `subWorkflow`, or a `loop()` phase
|
|
149
|
-
can keep iterating until a predicate or a token budget says stop) — and re-run fast:
|
|
150
|
-
`cw run <app> --drive --incremental` reuses every step whose inputs didn't change.
|
|
137
|
+
**Multi-agent, when you need it.** Fan work out across agents with built-in topologies, compose flows
|
|
138
|
+
(a task can run a whole child workflow with `subWorkflow`, or a `loop()` phase can iterate until a
|
|
139
|
+
predicate or token budget says stop), and re-run fast — `cw run <app> --drive --incremental` reuses
|
|
140
|
+
every step whose inputs didn't change.
|
|
151
141
|
|
|
152
142
|
<div align="center">
|
|
153
143
|
<img src="https://raw.githubusercontent.com/coo1white/cool-workflow/main/docs/assets/topologies.svg" alt="Built-in multi-agent topologies: map-reduce (fan out, fold in), debate (argue then draw a verdict), and judge-panel (N independent judges score one candidate)." width="92%">
|
|
154
144
|
</div>
|
|
155
145
|
|
|
156
|
-
|
|
157
|
-
your agent can plan a run, drive it, and verify a report without leaving the editor.
|
|
158
|
-
See the [wiki](https://github.com/coo1white/cool-workflow/wiki).
|
|
159
|
-
|
|
160
|
-
## Can I Trust the Report?
|
|
146
|
+
## Can You Trust the Report?
|
|
161
147
|
|
|
162
|
-
CW
|
|
163
|
-
`cw report verify-bundle` checks — offline, with nothing but the public key — that every signed
|
|
164
|
-
finding is in the report
|
|
165
|
-
|
|
148
|
+
CW doesn't run the model — it keeps the books. Your agent signs its findings (**ed25519**), and
|
|
149
|
+
`cw report verify-bundle` checks — **offline, with nothing but the public key** — that every signed
|
|
150
|
+
finding is in the report unaltered. Edit a finding, in the report or in the agent's own result, and the
|
|
151
|
+
check fails. CW holds no private key: the agent signs, CW only verifies.
|
|
166
152
|
|
|
167
153
|
```bash
|
|
168
|
-
cw demo tamper
|
|
169
|
-
cw
|
|
154
|
+
cw demo tamper # proves it in 30s — edits a signed result, watch it fail
|
|
155
|
+
cw -q "…" --bundle # seal a run into one portable file
|
|
156
|
+
cw report verify-bundle report.cwrun.json # anyone can re-check it offline, with just the file
|
|
170
157
|
```
|
|
171
158
|
|
|
172
|
-
|
|
159
|
+
This attests the agent's **signed findings** — not that nothing else was added or that nothing was left
|
|
160
|
+
out. For exactly what is and isn't proven, see the **[Trust Model](https://github.com/coo1white/cool-workflow/blob/main/plugins/cool-workflow/docs/trust-model.md)**.
|
|
173
161
|
|
|
174
|
-
|
|
175
|
-
cw -q "…" --bundle # seal into one portable file
|
|
176
|
-
cw report verify-bundle report.cwrun.json # they check it offline
|
|
177
|
-
cw report verify-bundle report.cwrun.json \
|
|
178
|
-
--require-signatures # …and insist the findings are signed
|
|
179
|
-
```
|
|
162
|
+
## Use It From Your Editor
|
|
180
163
|
|
|
181
|
-
|
|
182
|
-
|
|
183
|
-
|
|
184
|
-
what is and is not proven, see the [Trust Model](https://github.com/coo1white/cool-workflow/blob/main/plugins/cool-workflow/docs/trust-model.md).
|
|
164
|
+
CW exposes the same runtime over **MCP** — **Claude Desktop, Cursor, and VS Code call CW as a tool**, so
|
|
165
|
+
your agent can plan a run, drive it, and verify a report without leaving the editor. CLI and MCP share
|
|
166
|
+
one registry and are parity-checked. See the **[Wiki](https://github.com/coo1white/cool-workflow/wiki)**.
|
|
185
167
|
|
|
186
168
|
## Troubleshooting
|
|
187
169
|
|
|
188
170
|
| Problem | Fix |
|
|
189
171
|
|---|---|
|
|
190
|
-
| No agent found |
|
|
172
|
+
| No agent found | `cw doctor` — shows which agents are on your machine |
|
|
191
173
|
| `status: blocked` | Set `CW_AGENT_COMMAND=builtin:claude` or pass `-claude` |
|
|
192
174
|
| `claude: command not found` | Install Claude Code and run again |
|
|
193
175
|
| Where is my report? | `<repo>/.cw/runs/<id>/report.md` |
|
|
194
|
-
| Need the old README? | See [docs/readme-v0.1.87-full.md](https://github.com/coo1white/cool-workflow/blob/main/plugins/cool-workflow/docs/readme-v0.1.87-full.md) |
|
|
195
176
|
|
|
196
|
-
##
|
|
197
|
-
|
|
198
|
-
CW is a small TypeScript tool with zero runtime deps. It drives your agent over a repo, or any
|
|
199
|
-
folder of files, in saved, replayable stages — it plans the work, dispatches each task to your agent, records and
|
|
200
|
-
verifies every result, then commits and renders the report — writing everything to disk as
|
|
201
|
-
inspectable files. It never imports a model SDK or stores an API key.
|
|
202
|
-
|
|
203
|
-
<div align="center">
|
|
204
|
-
<img src="https://raw.githubusercontent.com/coo1white/cool-workflow/main/docs/assets/pipeline.svg" alt="The CW pipeline: ask, plan, dispatch (fanning out to parallel agents), verify, commit, ending in a saved report.md with a clickable file.ts:42 citation. CW keeps the books; it never runs the model itself." width="100%">
|
|
205
|
-
</div>
|
|
177
|
+
## Docs & Wiki
|
|
206
178
|
|
|
207
|
-
|
|
179
|
+
New here? Start with the **[Wiki](https://github.com/coo1white/cool-workflow/wiki)** →
|
|
180
|
+
[Getting Started](https://github.com/coo1white/cool-workflow/wiki/Getting-Started) ·
|
|
181
|
+
[Mental Model](https://github.com/coo1white/cool-workflow/wiki/Mental-Model) ·
|
|
182
|
+
[Glossary](https://github.com/coo1white/cool-workflow/wiki/Glossary) ·
|
|
183
|
+
[Trust & Audit](https://github.com/coo1white/cool-workflow/wiki/Trust-And-Audit)
|
|
208
184
|
|
|
209
|
-
|
|
210
|
-
|
|
185
|
+
Building on CW? See the [Getting Started doc](https://github.com/coo1white/cool-workflow/blob/main/plugins/cool-workflow/docs/getting-started.md),
|
|
186
|
+
[Project Index](https://github.com/coo1white/cool-workflow/blob/main/plugins/cool-workflow/docs/project-index.md), and
|
|
187
|
+
[CLI ↔ MCP Parity](https://github.com/coo1white/cool-workflow/blob/main/plugins/cool-workflow/docs/cli-mcp-parity.7.md).
|
|
211
188
|
|
|
212
|
-
CW dogfoods its own release process — every cut runs the `release-cut` workflow against this
|
|
213
|
-
repo. See the [full README](https://github.com/coo1white/cool-workflow/blob/main/plugins/cool-workflow/docs/readme-v0.1.87-full.md) for the
|
|
214
|
-
pre-v0.1.87 reference.
|
|
189
|
+
CW dogfoods its own release process — every cut runs the `release-cut` workflow against this repo.
|
|
215
190
|
|
|
216
191
|
## License
|
|
217
192
|
|
|
@@ -3,7 +3,7 @@
|
|
|
3
3
|
"id": "architecture-review",
|
|
4
4
|
"title": "Architecture Review",
|
|
5
5
|
"summary": "Map a repository architecture, assess risks, verify important findings, and synthesize an evidence-backed verdict.",
|
|
6
|
-
"version": "0.1.
|
|
6
|
+
"version": "0.1.94",
|
|
7
7
|
"author": "COOLWHITE LLC",
|
|
8
8
|
"inputs": [
|
|
9
9
|
{
|
|
@@ -3,7 +3,7 @@
|
|
|
3
3
|
"id": "architecture-review-fast",
|
|
4
4
|
"title": "Architecture Review Fast",
|
|
5
5
|
"summary": "Run a shorter architecture review with parallel map and assess phases for faster first results.",
|
|
6
|
-
"version": "0.1.
|
|
6
|
+
"version": "0.1.94",
|
|
7
7
|
"author": "COOLWHITE LLC",
|
|
8
8
|
"inputs": [
|
|
9
9
|
{
|
|
@@ -100,7 +100,14 @@ module.exports = ({ workflow, phase, parallel, agent, artifact, input }) => {
|
|
|
100
100
|
"Confirm real risks, downgrade unsupported claims, and list exact file paths, commands, logs, or unknowns.",
|
|
101
101
|
"The cw:result evidence array must cite durable locators."
|
|
102
102
|
].join(" "),
|
|
103
|
-
strongOptions("Evidence verifier", {
|
|
103
|
+
strongOptions("Evidence verifier", {
|
|
104
|
+
requiresEvidence: true,
|
|
105
|
+
// Cache the (expensive, ~146s live) verification by source digest +
|
|
106
|
+
// ALL upstream phase result digests. A hit only when source AND every
|
|
107
|
+
// Map/Assess output are byte-identical; the cached result still passes
|
|
108
|
+
// worker-output validation (requiresEvidence stays enforced).
|
|
109
|
+
resultCache: sourceContextResultCache({ includeCompletedResults: "previous-phases" })
|
|
110
|
+
})
|
|
104
111
|
)
|
|
105
112
|
]),
|
|
106
113
|
phase("Verdict", [
|
|
@@ -113,7 +120,13 @@ module.exports = ({ workflow, phase, parallel, agent, artifact, input }) => {
|
|
|
113
120
|
"State when the full architecture-review app should be scheduled as a background routine.",
|
|
114
121
|
"The cw:result evidence array must support the final verdict."
|
|
115
122
|
].join(" "),
|
|
116
|
-
strongOptions("Fast verdict synthesizer", {
|
|
123
|
+
strongOptions("Fast verdict synthesizer", {
|
|
124
|
+
requiresEvidence: true,
|
|
125
|
+
// Cache the (~294s live, largest phase) synthesis by source digest +
|
|
126
|
+
// all upstream (Map/Assess/Verify) result digests. Busts on any
|
|
127
|
+
// upstream change; cached verdict re-passes evidence validation.
|
|
128
|
+
resultCache: sourceContextResultCache({ includeCompletedResults: "previous-phases" })
|
|
129
|
+
})
|
|
117
130
|
)
|
|
118
131
|
])
|
|
119
132
|
]
|
|
@@ -3,7 +3,7 @@
|
|
|
3
3
|
"id": "pr-review-fix-ci",
|
|
4
4
|
"title": "PR Review Fix CI",
|
|
5
5
|
"summary": "Review a pull request or branch, inspect CI failures, diagnose actionable issues, optionally patch, verify, and summarize with evidence.",
|
|
6
|
-
"version": "0.1.
|
|
6
|
+
"version": "0.1.94",
|
|
7
7
|
"author": "COOLWHITE LLC",
|
|
8
8
|
"inputs": [
|
|
9
9
|
{
|
|
@@ -3,7 +3,7 @@
|
|
|
3
3
|
"id": "release-cut",
|
|
4
4
|
"title": "Release Cut",
|
|
5
5
|
"summary": "Prepare a release with checklist discipline: version checks, changelog, tests, packaging, release notes, and final verification.",
|
|
6
|
-
"version": "0.1.
|
|
6
|
+
"version": "0.1.94",
|
|
7
7
|
"author": "COOLWHITE LLC",
|
|
8
8
|
"inputs": [
|
|
9
9
|
{
|
|
@@ -3,7 +3,7 @@
|
|
|
3
3
|
"id": "research-synthesis",
|
|
4
4
|
"title": "Research Synthesis",
|
|
5
5
|
"summary": "Split a research question into claims, investigate sources, cross-check evidence, verify claims, and synthesize a concise answer.",
|
|
6
|
-
"version": "0.1.
|
|
6
|
+
"version": "0.1.94",
|
|
7
7
|
"author": "COOLWHITE LLC",
|
|
8
8
|
"inputs": [
|
|
9
9
|
{
|
package/dist/capability-core.js
CHANGED
|
@@ -40,6 +40,7 @@ exports.runExportArchive = runExportArchive;
|
|
|
40
40
|
exports.runImportArchive = runImportArchive;
|
|
41
41
|
exports.runInspectArchive = runInspectArchive;
|
|
42
42
|
exports.runVerifyImport = runVerifyImport;
|
|
43
|
+
exports.runRestoreArchive = runRestoreArchive;
|
|
43
44
|
exports.reportBundle = reportBundle;
|
|
44
45
|
exports.runVerifyReportBundle = runVerifyReportBundle;
|
|
45
46
|
exports.queueAdd = queueAdd;
|
|
@@ -313,6 +314,52 @@ function runInspectArchive(_runner, args) {
|
|
|
313
314
|
function runVerifyImport(runner, runId, args) {
|
|
314
315
|
return (0, run_export_1.verifyImportedRun)(runner.withBaseDir(optionalString(args.cwd)).loadRun(runId));
|
|
315
316
|
}
|
|
317
|
+
// Fail-closed atomic restore of a portable run archive. `run import` runs a
|
|
318
|
+
// verification (importRun returns it as ImportResult.verification) but does NOT
|
|
319
|
+
// fail on it — it exits 0 even when the telemetry-ledger or trust-audit hash chain
|
|
320
|
+
// does not verify, so a chain-tampered run imports with a fabricated success.
|
|
321
|
+
// `run restore` closes that gap in ONE step: it integrity-INSPECTS the archive
|
|
322
|
+
// FIRST (writing nothing), refuses a bad bundle before any import, then IMPORTS
|
|
323
|
+
// and REUSES importRun's verification verdict — reporting ok:true ONLY when verify
|
|
324
|
+
// passes. Pure composition of the existing functions (inspectArchive + importRun,
|
|
325
|
+
// whose own verification we reuse); no new crypto or IO logic, and no second
|
|
326
|
+
// re-hash. The CLI/MCP surfaces map ok:false to exit 1.
|
|
327
|
+
function runRestoreArchive(runner, args) {
|
|
328
|
+
const base = invocationCwd(args);
|
|
329
|
+
const archive = optionalString(args.archive || args.path || args.file);
|
|
330
|
+
if (!archive)
|
|
331
|
+
throw new Error("run restore requires an archive path (positional, --archive, --path, or --file)");
|
|
332
|
+
const resolvedArchive = node_path_1.default.resolve(base, archive);
|
|
333
|
+
const target = node_path_1.default.resolve(base, optionalString(args.target || args.repo || args.cwd) || base);
|
|
334
|
+
// (1) Integrity-inspect FIRST — read-only, writes nothing. A bad bundle is
|
|
335
|
+
// refused here, before any import touches the target tree (no partial restore).
|
|
336
|
+
const inspect = (0, run_export_1.inspectArchive)(resolvedArchive);
|
|
337
|
+
if (!inspect.ok) {
|
|
338
|
+
return { schemaVersion: 1, ok: false, target, inspect, imported: null, verify: null, registry: null };
|
|
339
|
+
}
|
|
340
|
+
// (2) Intact: import + refresh the target registry (mirrors runImportArchive).
|
|
341
|
+
const imported = (0, run_export_1.importRun)(resolvedArchive, target);
|
|
342
|
+
const registry = new run_registry_1.RunRegistry(target, runner.withBaseDir(target));
|
|
343
|
+
const registryReport = registry.refresh({ scope: "repo" });
|
|
344
|
+
// (3) REUSE the verification importRun already ran — it re-proves the same
|
|
345
|
+
// restored files PLUS the telemetry-ledger and trust-audit hash chains, but
|
|
346
|
+
// returns the verdict WITHOUT throwing. We do NOT re-run verifyImportedRun (that
|
|
347
|
+
// would re-hash every file a second time for no new information). The gap restore
|
|
348
|
+
// closes is exactly that `run import` ships this verdict and exits 0 even when it
|
|
349
|
+
// is false — restore fails-closed on it below (CLI maps ok:false → exit 1).
|
|
350
|
+
const verify = imported.verification;
|
|
351
|
+
return {
|
|
352
|
+
schemaVersion: 1,
|
|
353
|
+
// inspect.ok is guaranteed true here — the corrupt-archive case early-returned
|
|
354
|
+
// above — so the verdict is purely verify.ok (the telemetry/trust-audit chain).
|
|
355
|
+
ok: verify.ok,
|
|
356
|
+
target,
|
|
357
|
+
inspect,
|
|
358
|
+
imported: { ...imported, registry: registryReport },
|
|
359
|
+
verify,
|
|
360
|
+
registry: registryReport
|
|
361
|
+
};
|
|
362
|
+
}
|
|
316
363
|
// Produce-and-prove: export a run to a portable bundle sealed with the operator's
|
|
317
364
|
// trust key (defaulting to CW_AGENT_ATTEST_PUBKEY, same as `run export`), then
|
|
318
365
|
// IMMEDIATELY verify the artifact offline the way a recipient will. The producer
|
|
@@ -395,6 +395,7 @@ const BUILTIN_CAPABILITIES = [
|
|
|
395
395
|
{ capability: "run.import", summary: "Restore a portable run archive into a target repo and verify restored file digests.", entry: "runImportArchive", surface: "both", cli: { path: ["run", "import"], jsonMode: "default" }, mcp: { tool: "cw_run_import", requiredArgs: ["archive|path|file"] } },
|
|
396
396
|
{ capability: "run.verify-import", summary: "Verify an imported run against its restore manifest and telemetry chain.", entry: "runVerifyImport", surface: "both", cli: { path: ["run", "verify-import"], jsonMode: "default" }, mcp: { tool: "cw_run_verify_import", requiredArgs: ["runId"] } },
|
|
397
397
|
{ capability: "run.inspect-archive", summary: "Read-only integrity inspection of a portable run archive without importing it.", entry: "runInspectArchive", surface: "both", cli: { path: ["run", "inspect-archive"], jsonMode: "default" }, mcp: { tool: "cw_run_inspect_archive", requiredArgs: ["archive|path|file"] } },
|
|
398
|
+
{ capability: "run.restore", summary: "Fail-closed restore of a portable run archive: integrity-inspect, import, and verify in one step; refuses anything that does not verify.", entry: "runRestoreArchive", surface: "both", cli: { path: ["run", "restore"], jsonMode: "default" }, mcp: { tool: "cw_run_restore", requiredArgs: ["archive|path|file"] } },
|
|
398
399
|
{ capability: "report.verify-bundle", summary: "Offline self-contained verify of a portable run bundle: archive bytes + telemetry chain + trust-audit chain + embedded-key signatures.", entry: "runVerifyReportBundle", surface: "both", cli: { path: ["report", "verify-bundle"], caseTokens: ["report"], jsonMode: "default" }, mcp: { tool: "cw_report_verify_bundle", requiredArgs: ["archive|path|file|bundle"] } },
|
|
399
400
|
{ capability: "report.bundle", summary: "Produce-and-prove: export a run to a portable bundle sealed with the trust key, then self-verify it offline (fail-closed) so the producer knows it is verifiable before shipping.", entry: "reportBundle", surface: "both", cli: { path: ["report", "bundle"], caseTokens: ["report"], jsonMode: "default" }, mcp: { tool: "cw_report_bundle", requiredArgs: ["runId"] } },
|
|
400
401
|
{ capability: "run.drive", summary: "Preview the next agent-delegation drive step for a run (read-only, deterministic).", entry: "runDrivePreview", surface: "both", cli: { path: ["run", "drive"], caseTokens: ["run", "drive"], jsonMode: "default" }, mcp: { tool: "cw_run_drive" } },
|
|
@@ -655,6 +656,7 @@ const PAYLOAD_PROBE_DEFERRED_GROUPS = [
|
|
|
655
656
|
"run.import",
|
|
656
657
|
"run.verify-import",
|
|
657
658
|
"run.inspect-archive",
|
|
659
|
+
"run.restore",
|
|
658
660
|
"report.verify-bundle",
|
|
659
661
|
"report.bundle",
|
|
660
662
|
"queue.add",
|