cool-workflow 0.1.98 → 0.2.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.claude-plugin/plugin.json +1 -1
- package/.codex-plugin/plugin.json +1 -1
- package/README.md +18 -7
- package/apps/architecture-review/app.json +2 -2
- package/apps/architecture-review/workflow.js +12 -12
- package/apps/architecture-review-fast/app.json +1 -1
- package/apps/end-to-end-golden-path/app.json +1 -1
- package/apps/pr-review-fix-ci/app.json +1 -1
- package/apps/release-cut/app.json +1 -1
- package/apps/research-synthesis/app.json +1 -1
- package/dist/cli/dispatch.js +236 -0
- package/dist/cli/entry.js +120 -0
- package/dist/cli/io.js +21 -4
- package/dist/cli/parseargv.js +157 -0
- package/dist/cli.js +6 -33
- package/dist/core/capability-table.js +3518 -0
- package/dist/core/format/help.js +314 -0
- package/dist/{state-explosion/format.js → core/format/state-explosion-text.js} +10 -1
- package/dist/core/hash.js +137 -0
- package/dist/core/multi-agent/candidate-scoring.js +219 -0
- package/dist/core/multi-agent/collaboration.js +481 -0
- package/dist/core/multi-agent/coordinator.js +515 -0
- package/dist/core/multi-agent/eval-replay.js +306 -0
- package/dist/core/multi-agent/runtime.js +929 -0
- package/dist/core/multi-agent/topology.js +298 -0
- package/dist/core/multi-agent/trust-policy.js +197 -0
- package/dist/core/pipeline/commit-gate.js +320 -0
- package/dist/{pipeline-contract.js → core/pipeline/contract.js} +24 -37
- package/dist/core/pipeline/dispatch.js +103 -0
- package/dist/core/pipeline/drive-decide.js +227 -0
- package/dist/core/pipeline/error-feedback.js +161 -0
- package/dist/core/pipeline/loop-expansion.js +124 -0
- package/dist/{result-normalize.js → core/pipeline/result-normalize.js} +14 -37
- package/dist/core/pipeline/runner.js +230 -0
- package/dist/{contract-migration.js → core/state/contract-migration.js} +68 -92
- package/dist/{state-migrations.js → core/state/migrations.js} +103 -96
- package/dist/core/state/node-projection.js +95 -0
- package/dist/core/state/node-snapshot.js +230 -0
- package/dist/core/state/run-paths.js +93 -0
- package/dist/{schema-validate.js → core/state/schema-validate.js} +35 -28
- package/dist/core/state/schema.js +50 -0
- package/dist/core/state/state-explosion/digest.js +243 -0
- package/dist/core/state/state-explosion/graph.js +527 -0
- package/dist/{state-explosion → core/state/state-explosion}/helpers.js +34 -3
- package/dist/core/state/state-explosion/report.js +187 -0
- package/dist/{state-explosion → core/state/state-explosion}/size.js +25 -7
- package/dist/{state-node.js → core/state/state-node.js} +90 -113
- package/dist/core/state/types.js +19 -0
- package/dist/{validation.js → core/state/validation.js} +64 -131
- package/dist/core/trust/evidence-grounding.js +134 -0
- package/dist/core/trust/ledger.js +199 -0
- package/dist/{telemetry-attestation.js → core/trust/telemetry-attestation.js} +94 -68
- package/dist/core/trust/telemetry-ledger.js +127 -0
- package/dist/core/types.js +20 -0
- package/dist/core/version.js +16 -0
- package/dist/{workflow-app-framework.js → core/workflow-apps/app-schema.js} +337 -426
- package/dist/mcp/dispatch.js +104 -0
- package/dist/mcp/server.js +144 -0
- package/dist/mcp-server.js +6 -84
- package/dist/{agent-config.js → shell/agent-config.js} +118 -71
- package/dist/shell/app-run-cli.js +88 -0
- package/dist/shell/audit-cli.js +259 -0
- package/dist/shell/audit-provenance.js +83 -0
- package/dist/shell/candidate-scoring-io.js +459 -0
- package/dist/shell/collaboration-io.js +264 -0
- package/dist/shell/commit-summary.js +104 -0
- package/dist/shell/commit.js +290 -0
- package/dist/shell/coordinator-io.js +476 -0
- package/dist/shell/demo-cli.js +19 -0
- package/dist/shell/dispatch.js +162 -0
- package/dist/shell/doctor.js +292 -0
- package/dist/shell/drive.js +885 -0
- package/dist/shell/error-feedback-io.js +305 -0
- package/dist/shell/eval-io.js +473 -0
- package/dist/{multi-agent-eval/format.js → shell/eval-text.js} +78 -49
- package/dist/{evidence-reasoning.js → shell/evidence-reasoning.js} +124 -255
- package/dist/shell/exec-backend-cli.js +88 -0
- package/dist/shell/execution-backend/agent.js +507 -0
- package/dist/shell/execution-backend/ci.js +15 -0
- package/dist/shell/execution-backend/container.js +69 -0
- package/dist/shell/execution-backend/envelopes.js +55 -0
- package/dist/shell/execution-backend/local.js +113 -0
- package/dist/shell/execution-backend/probes.js +175 -0
- package/dist/shell/execution-backend/registry.js +402 -0
- package/dist/shell/execution-backend/remote.js +128 -0
- package/dist/shell/execution-backend/types.js +11 -0
- package/dist/shell/feedback-cli.js +81 -0
- package/dist/shell/feedback-operations.js +48 -0
- package/dist/shell/fs-atomic.js +276 -0
- package/dist/shell/harness.js +98 -0
- package/dist/shell/ledger-cli.js +212 -0
- package/dist/shell/ledger-io.js +169 -0
- package/dist/shell/man-cli.js +89 -0
- package/dist/shell/metrics-cli.js +100 -0
- package/dist/shell/multi-agent-cli.js +1002 -0
- package/dist/shell/multi-agent-host.js +563 -0
- package/dist/shell/multi-agent-io.js +387 -0
- package/dist/{multi-agent-operator-ux.js → shell/multi-agent-operator-ux.js} +234 -191
- package/dist/shell/node-store.js +124 -0
- package/dist/{observability/format.js → shell/observability-format.js} +7 -1
- package/dist/{observability/intake.js → shell/observability-intake.js} +79 -56
- package/dist/{observability.js → shell/observability.js} +159 -332
- package/dist/{onramp.js → shell/onramp.js} +11 -0
- package/dist/{operator-ux/format.js → shell/operator-ux-text.js} +250 -239
- package/dist/shell/operator-ux.js +431 -0
- package/dist/shell/orchestrator.js +231 -0
- package/dist/shell/pipeline-cli.js +667 -0
- package/dist/shell/pipeline.js +217 -0
- package/dist/shell/reclamation-io.js +1366 -0
- package/dist/shell/registry-cli.js +344 -0
- package/dist/{remote-source.js → shell/remote-source.js} +2 -2
- package/dist/shell/report-cli.js +101 -0
- package/dist/shell/report-view-cli.js +117 -0
- package/dist/{orchestrator → shell}/report.js +289 -282
- package/dist/shell/reporter.js +62 -0
- package/dist/shell/run-export-cli.js +106 -0
- package/dist/shell/run-export.js +680 -0
- package/dist/shell/run-registry-io.js +1014 -0
- package/dist/shell/run-store.js +164 -0
- package/dist/{sandbox-profile.js → shell/sandbox-profile.js} +134 -95
- package/dist/{scheduler.js → shell/scheduler-io.js} +257 -48
- package/dist/shell/scheduling-io.js +321 -0
- package/dist/shell/state-cli.js +181 -0
- package/dist/shell/state-explosion-cli.js +197 -0
- package/dist/shell/telemetry-cli.js +85 -0
- package/dist/{telemetry-demo.js → shell/telemetry-demo.js} +149 -119
- package/dist/shell/telemetry-ledger-io.js +132 -0
- package/dist/{term.js → shell/term.js} +36 -46
- package/dist/shell/topology-io.js +361 -0
- package/dist/shell/trust-audit.js +472 -0
- package/dist/{multi-agent-trust.js → shell/trust-policy-io.js} +67 -205
- package/dist/shell/verifier.js +48 -0
- package/dist/shell/workbench-host.js +258 -0
- package/dist/shell/workbench-text.js +18 -0
- package/dist/shell/workbench.js +170 -0
- package/dist/shell/worker-cli.js +124 -0
- package/dist/shell/worker-isolation.js +852 -0
- package/dist/shell/workflow-app-loader.js +650 -0
- package/docs/agent-delegation-drive.7.md +4 -0
- package/docs/cli-mcp-parity.7.md +282 -219
- package/docs/contract-migration-tooling.7.md +4 -0
- package/docs/control-plane-scheduling.7.md +4 -0
- package/docs/durable-state-and-locking.7.md +4 -0
- package/docs/evidence-adoption-reasoning-chain.7.md +4 -0
- package/docs/execution-backends.7.md +4 -0
- package/docs/multi-agent-cli-mcp-surface.7.md +4 -0
- package/docs/multi-agent-eval-replay-harness.7.md +4 -0
- package/docs/multi-agent-operator-ux.7.md +4 -0
- package/docs/node-snapshot-diff-replay.7.md +4 -0
- package/docs/observability-cost-accounting.7.md +6 -1
- package/docs/project-index.md +137 -71
- package/docs/real-execution-backends.7.md +4 -0
- package/docs/release-and-migration.7.md +4 -0
- package/docs/release-tooling.7.md +4 -0
- package/docs/remote-source-review.7.md +4 -4
- package/docs/report-verifiable-bundle.7.md +1 -1
- package/docs/run-registry-control-plane.7.md +4 -0
- package/docs/run-retention-reclamation.7.md +25 -0
- package/docs/security-trust-hardening.7.md +3 -1
- package/docs/state-explosion-management.7.md +4 -0
- package/docs/team-collaboration.7.md +4 -0
- package/docs/web-desktop-workbench.7.md +15 -1
- package/manifest/plugin.manifest.json +1 -1
- package/manifest/source-context-profiles.json +9 -13
- package/package.json +1 -1
- package/scripts/agents/agent-adapter-core.js +22 -2
- package/scripts/agents/claude-p-agent.js +8 -3
- package/scripts/agents/cw-attest-wrap.js +2 -2
- package/scripts/agents/gemini-agent.js +5 -1
- package/scripts/agents/opencode-agent.js +5 -1
- package/scripts/bump-version.js +4 -3
- package/scripts/canonical-apps.js +4 -4
- package/scripts/dogfood-architecture-review.js +2 -3
- package/scripts/dogfood-release.js +3 -3
- package/scripts/gen-parity-doc.js +15 -2
- package/scripts/golden-path.js +4 -4
- package/scripts/onramp-check.js +1 -1
- package/scripts/parity-check.js +38 -21
- package/scripts/release-flow.js +2 -2
- package/scripts/sync-project-index.js +51 -27
- package/scripts/validate-run-state-schema.js +2 -2
- package/scripts/version-sync-check.js +30 -30
- package/dist/candidate-scoring.js +0 -729
- package/dist/capability-core.js +0 -1189
- package/dist/capability-registry.js +0 -885
- package/dist/cli/command-surface.js +0 -494
- package/dist/cli/format.js +0 -56
- package/dist/cli/handlers/audit.js +0 -82
- package/dist/cli/handlers/blackboard.js +0 -81
- package/dist/cli/handlers/candidate.js +0 -40
- package/dist/cli/handlers/clones.js +0 -34
- package/dist/cli/handlers/collaboration.js +0 -61
- package/dist/cli/handlers/eval.js +0 -40
- package/dist/cli/handlers/ledger.js +0 -169
- package/dist/cli/handlers/maintenance.js +0 -107
- package/dist/cli/handlers/multi-agent.js +0 -165
- package/dist/cli/handlers/node.js +0 -41
- package/dist/cli/handlers/operational.js +0 -155
- package/dist/cli/handlers/operator.js +0 -146
- package/dist/cli/handlers/registry.js +0 -68
- package/dist/cli/handlers/run.js +0 -153
- package/dist/cli/handlers/scheduling.js +0 -132
- package/dist/cli/handlers/workbench.js +0 -41
- package/dist/cli/handlers/worker.js +0 -45
- package/dist/cli/run-summary.js +0 -45
- package/dist/clones.js +0 -162
- package/dist/collaboration.js +0 -726
- package/dist/commit.js +0 -592
- package/dist/compare.js +0 -18
- package/dist/coordinator/classify.js +0 -45
- package/dist/coordinator/paths.js +0 -42
- package/dist/coordinator/util.js +0 -126
- package/dist/coordinator.js +0 -990
- package/dist/daemon.js +0 -44
- package/dist/dispatch.js +0 -250
- package/dist/doctor.js +0 -212
- package/dist/drive.js +0 -864
- package/dist/error-feedback.js +0 -419
- package/dist/evidence-grounding.js +0 -184
- package/dist/execution-backend/agent.js +0 -354
- package/dist/execution-backend/probes.js +0 -112
- package/dist/execution-backend/util.js +0 -47
- package/dist/execution-backend.js +0 -961
- package/dist/gates.js +0 -48
- package/dist/harness.js +0 -61
- package/dist/ledger.js +0 -313
- package/dist/loop-expansion.js +0 -60
- package/dist/mcp/tool-call.js +0 -470
- package/dist/mcp/tool-definitions.js +0 -1066
- package/dist/mcp-surface.js +0 -30
- package/dist/multi-agent/graph.js +0 -84
- package/dist/multi-agent/helpers.js +0 -141
- package/dist/multi-agent/ids.js +0 -20
- package/dist/multi-agent/paths.js +0 -22
- package/dist/multi-agent-eval/normalize.js +0 -51
- package/dist/multi-agent-eval.js +0 -678
- package/dist/multi-agent-host.js +0 -777
- package/dist/multi-agent.js +0 -984
- package/dist/node-projection.js +0 -59
- package/dist/node-snapshot.js +0 -260
- package/dist/operator-ux.js +0 -631
- package/dist/orchestrator/app-operations.js +0 -211
- package/dist/orchestrator/audit-operations.js +0 -182
- package/dist/orchestrator/candidate-operations.js +0 -117
- package/dist/orchestrator/cli-options.js +0 -294
- package/dist/orchestrator/collaboration-operations.js +0 -86
- package/dist/orchestrator/feedback-operations.js +0 -81
- package/dist/orchestrator/host-operations.js +0 -78
- package/dist/orchestrator/lifecycle-operations.js +0 -650
- package/dist/orchestrator/migration-operations.js +0 -44
- package/dist/orchestrator/multi-agent-operations.js +0 -362
- package/dist/orchestrator/topology-operations.js +0 -84
- package/dist/orchestrator.js +0 -925
- package/dist/pipeline-runner.js +0 -285
- package/dist/reclamation/hash.js +0 -72
- package/dist/reclamation.js +0 -812
- package/dist/reporter.js +0 -67
- package/dist/run-export.js +0 -815
- package/dist/run-registry/derive.js +0 -175
- package/dist/run-registry/format.js +0 -124
- package/dist/run-registry/gc.js +0 -251
- package/dist/run-registry/policy.js +0 -16
- package/dist/run-registry/queue.js +0 -115
- package/dist/run-registry.js +0 -850
- package/dist/run-state-schema.js +0 -68
- package/dist/scheduling.js +0 -184
- package/dist/state-explosion.js +0 -1014
- package/dist/state.js +0 -367
- package/dist/telemetry-ledger.js +0 -196
- package/dist/topology.js +0 -565
- package/dist/triggers.js +0 -184
- package/dist/trust-audit.js +0 -644
- package/dist/types/blackboard.js +0 -2
- package/dist/types/candidate.js +0 -2
- package/dist/types/collaboration.js +0 -2
- package/dist/types/core.js +0 -2
- package/dist/types/drive.js +0 -10
- package/dist/types/error-feedback.js +0 -2
- package/dist/types/evidence-reasoning.js +0 -2
- package/dist/types/execution-backend.js +0 -2
- package/dist/types/multi-agent.js +0 -2
- package/dist/types/observability.js +0 -2
- package/dist/types/pipeline.js +0 -2
- package/dist/types/reclamation.js +0 -8
- package/dist/types/report-bundle.js +0 -6
- package/dist/types/result.js +0 -2
- package/dist/types/run-registry.js +0 -2
- package/dist/types/run.js +0 -2
- package/dist/types/sandbox.js +0 -2
- package/dist/types/schedule.js +0 -2
- package/dist/types/state-node.js +0 -2
- package/dist/types/topology.js +0 -2
- package/dist/types/trust.js +0 -2
- package/dist/types/workbench.js +0 -2
- package/dist/types/worker.js +0 -2
- package/dist/types/workflow-app.js +0 -2
- package/dist/types.js +0 -44
- package/dist/util/fingerprint.js +0 -19
- package/dist/util/fingerprint.test.js +0 -27
- package/dist/verifier.js +0 -78
- package/dist/version.js +0 -8
- package/dist/workbench-host.js +0 -192
- package/dist/workbench.js +0 -192
- package/dist/worker-accept/acceptance.js +0 -114
- package/dist/worker-accept/blackboard-fanout.js +0 -80
- package/dist/worker-accept/blackboard-linkage.js +0 -19
- package/dist/worker-accept/context.js +0 -2
- package/dist/worker-accept/telemetry-ledger.js +0 -126
- package/dist/worker-accept/validation.js +0 -77
- package/dist/worker-accept/verifier-completion.js +0 -73
- package/dist/worker-isolation/helpers.js +0 -51
- package/dist/worker-isolation/paths.js +0 -46
- package/dist/worker-isolation.js +0 -656
- package/dist/workflow-api.js +0 -131
- /package/dist/{types → core/types}/boundary.js +0 -0
|
@@ -0,0 +1,88 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
// shell/app-run-cli.ts — `cw_app_run` and `cw_sandbox_choose`/`cw_sandbox_resolve`.
|
|
3
|
+
//
|
|
4
|
+
// GAP #24 port: v2 declared the cw_app_run + cw_sandbox_choose/resolve MCP
|
|
5
|
+
// tool rows but left their handlers as notYetImplemented. This restores the
|
|
6
|
+
// old build's `appRun` + `sandboxChoose` (src/capability-core.ts) as thin
|
|
7
|
+
// shell bodies over the same v2 `plan` + `showSandboxProfileCli` the CLI
|
|
8
|
+
// front door already uses, so the MCP surface no longer throws.
|
|
9
|
+
//
|
|
10
|
+
// Both are MCP-only in the old build (no CLI path row), so only an
|
|
11
|
+
// mcp.handler is wired for them in capability-table.ts.
|
|
12
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
13
|
+
exports.sandboxChooseCli = sandboxChooseCli;
|
|
14
|
+
exports.appRunCli = appRunCli;
|
|
15
|
+
const pipeline_1 = require("./pipeline");
|
|
16
|
+
const workflow_app_loader_1 = require("./workflow-app-loader");
|
|
17
|
+
const exec_backend_cli_1 = require("./exec-backend-cli");
|
|
18
|
+
const operator_ux_1 = require("./operator-ux");
|
|
19
|
+
const run_store_1 = require("./run-store");
|
|
20
|
+
/** Keys that steer the run/tool call itself, never workflow inputs — the
|
|
21
|
+
* old build's `withoutRuntimeKeys` (src/capability-core.ts). */
|
|
22
|
+
const RUNTIME_KEYS = new Set(["cwd", "sandbox", "sandboxProfile", "sandboxProfileId", "appId", "workflowId", "inputs"]);
|
|
23
|
+
function withoutRuntimeKeys(args) {
|
|
24
|
+
const out = {};
|
|
25
|
+
for (const [key, value] of Object.entries(args)) {
|
|
26
|
+
if (RUNTIME_KEYS.has(key))
|
|
27
|
+
continue;
|
|
28
|
+
out[key] = value;
|
|
29
|
+
}
|
|
30
|
+
return out;
|
|
31
|
+
}
|
|
32
|
+
function optionalString(value) {
|
|
33
|
+
return typeof value === "string" && value.trim() ? value.trim() : undefined;
|
|
34
|
+
}
|
|
35
|
+
function sandboxProfileIdFrom(args) {
|
|
36
|
+
return optionalString(args.sandbox || args.sandboxProfile || args.sandboxProfileId || args.profileId);
|
|
37
|
+
}
|
|
38
|
+
function isRecord(value) {
|
|
39
|
+
return typeof value === "object" && value !== null && !Array.isArray(value);
|
|
40
|
+
}
|
|
41
|
+
/** `cw_sandbox_choose` / `cw_sandbox_resolve` — resolve + validate a profile
|
|
42
|
+
* choice. Byte-exact port of the old build's `sandboxChoose`
|
|
43
|
+
* (src/capability-core.ts): defaults to "readonly", returns the resolved
|
|
44
|
+
* profile object under `profile`. */
|
|
45
|
+
function sandboxChooseCli(args) {
|
|
46
|
+
const profileId = sandboxProfileIdFrom(args) || "readonly";
|
|
47
|
+
const profile = (0, exec_backend_cli_1.showSandboxProfileCli)(profileId, args);
|
|
48
|
+
return {
|
|
49
|
+
profileId,
|
|
50
|
+
sandboxProfileId: profile.id,
|
|
51
|
+
valid: true,
|
|
52
|
+
profile,
|
|
53
|
+
};
|
|
54
|
+
}
|
|
55
|
+
/** `cw_app_run` — create a run from an app id + structured inputs. Byte-exact
|
|
56
|
+
* port of the old build's `appRun` (src/capability-core.ts): merges
|
|
57
|
+
* `inputs` with the non-runtime args, plans a fresh run, and returns the
|
|
58
|
+
* run descriptor + a compact operator status. */
|
|
59
|
+
function appRunCli(args) {
|
|
60
|
+
const appId = String(args.appId || args.workflowId || "");
|
|
61
|
+
if (!appId)
|
|
62
|
+
throw new Error("cw_app_run requires an app id (appId)");
|
|
63
|
+
const inputs = isRecord(args.inputs) ? args.inputs : {};
|
|
64
|
+
const planOptions = { ...inputs, ...withoutRuntimeKeys(args) };
|
|
65
|
+
if (typeof args.cwd === "string" && args.cwd.trim())
|
|
66
|
+
planOptions.cwd = args.cwd;
|
|
67
|
+
if (planOptions.repo && !planOptions.cwd)
|
|
68
|
+
planOptions.cwd = planOptions.repo;
|
|
69
|
+
const sandboxProfileId = sandboxProfileIdFrom(args);
|
|
70
|
+
const resolvedSandbox = sandboxProfileId ? (0, exec_backend_cli_1.showSandboxProfileCli)(sandboxProfileId, args) : undefined;
|
|
71
|
+
const app = (0, workflow_app_loader_1.loadWorkflowApp)(appId);
|
|
72
|
+
const run = (0, pipeline_1.plan)(app, planOptions);
|
|
73
|
+
const status = (0, operator_ux_1.summarizeOperatorRun)((0, run_store_1.loadRunFromCwd)(run.id, run.cwd));
|
|
74
|
+
const appMeta = (run.workflow.app || {});
|
|
75
|
+
return {
|
|
76
|
+
runId: run.id,
|
|
77
|
+
workflowId: run.workflow.id,
|
|
78
|
+
appId: appMeta.id || appId,
|
|
79
|
+
appVersion: appMeta.version,
|
|
80
|
+
statePath: run.paths.state,
|
|
81
|
+
reportPath: run.paths.report,
|
|
82
|
+
pendingTasks: run.tasks.filter((task) => task.status === "pending").length,
|
|
83
|
+
operatorStatus: status,
|
|
84
|
+
nextActions: status.nextActions,
|
|
85
|
+
sandboxProfileId,
|
|
86
|
+
sandboxProfile: resolvedSandbox,
|
|
87
|
+
};
|
|
88
|
+
}
|
|
@@ -0,0 +1,259 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
// shell/audit-cli.ts — CLI/MCP-reachable body for `cw audit verify`.
|
|
3
|
+
//
|
|
4
|
+
// MILESTONE 8. Byte-exact port of the old build's capability-core.ts's
|
|
5
|
+
// `auditVerify`. A run id with no run directory at all is a hard load
|
|
6
|
+
// failure (loadRunFromCwd throws) — absence-is-ok only applies once a
|
|
7
|
+
// run exists but never wrote a trust-audit chain file, not to a missing
|
|
8
|
+
// run entirely.
|
|
9
|
+
//
|
|
10
|
+
// Evidence: SPEC/ledger-trust.md "CLI: `cw audit verify`";
|
|
11
|
+
// plugins/cool-workflow/src/capability-core.ts:1223-1249.
|
|
12
|
+
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
|
|
13
|
+
if (k2 === undefined) k2 = k;
|
|
14
|
+
var desc = Object.getOwnPropertyDescriptor(m, k);
|
|
15
|
+
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
|
|
16
|
+
desc = { enumerable: true, get: function() { return m[k]; } };
|
|
17
|
+
}
|
|
18
|
+
Object.defineProperty(o, k2, desc);
|
|
19
|
+
}) : (function(o, m, k, k2) {
|
|
20
|
+
if (k2 === undefined) k2 = k;
|
|
21
|
+
o[k2] = m[k];
|
|
22
|
+
}));
|
|
23
|
+
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
|
|
24
|
+
Object.defineProperty(o, "default", { enumerable: true, value: v });
|
|
25
|
+
}) : function(o, v) {
|
|
26
|
+
o["default"] = v;
|
|
27
|
+
});
|
|
28
|
+
var __importStar = (this && this.__importStar) || (function () {
|
|
29
|
+
var ownKeys = function(o) {
|
|
30
|
+
ownKeys = Object.getOwnPropertyNames || function (o) {
|
|
31
|
+
var ar = [];
|
|
32
|
+
for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
|
|
33
|
+
return ar;
|
|
34
|
+
};
|
|
35
|
+
return ownKeys(o);
|
|
36
|
+
};
|
|
37
|
+
return function (mod) {
|
|
38
|
+
if (mod && mod.__esModule) return mod;
|
|
39
|
+
var result = {};
|
|
40
|
+
if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
|
|
41
|
+
__setModuleDefault(result, mod);
|
|
42
|
+
return result;
|
|
43
|
+
};
|
|
44
|
+
})();
|
|
45
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
46
|
+
exports.auditVerifyCli = auditVerifyCli;
|
|
47
|
+
exports.auditSummaryCli = auditSummaryCli;
|
|
48
|
+
exports.auditMultiAgentCli = auditMultiAgentCli;
|
|
49
|
+
exports.auditPolicyCli = auditPolicyCli;
|
|
50
|
+
exports.auditJudgeCli = auditJudgeCli;
|
|
51
|
+
exports.auditWorkerCli = auditWorkerCli;
|
|
52
|
+
exports.auditProvenanceCli = auditProvenanceCli;
|
|
53
|
+
exports.auditRoleCli = auditRoleCli;
|
|
54
|
+
exports.auditBlackboardCli = auditBlackboardCli;
|
|
55
|
+
exports.auditAttestCli = auditAttestCli;
|
|
56
|
+
exports.auditDecisionCli = auditDecisionCli;
|
|
57
|
+
const path = __importStar(require("node:path"));
|
|
58
|
+
const trust_audit_1 = require("./trust-audit");
|
|
59
|
+
const run_store_1 = require("./run-store");
|
|
60
|
+
const trust_policy_io_1 = require("./trust-policy-io");
|
|
61
|
+
const report_1 = require("./report");
|
|
62
|
+
const audit_provenance_1 = require("./audit-provenance");
|
|
63
|
+
const worker_isolation_1 = require("./worker-isolation");
|
|
64
|
+
const sandbox_profile_1 = require("./sandbox-profile");
|
|
65
|
+
function invocationCwd(args) {
|
|
66
|
+
return typeof args.cwd === "string" && args.cwd.trim() ? path.resolve(args.cwd) : process.cwd();
|
|
67
|
+
}
|
|
68
|
+
function auditVerifyCli(runId, args) {
|
|
69
|
+
if (!runId)
|
|
70
|
+
throw new Error("audit verify requires a run id (cw audit verify <run-id>)");
|
|
71
|
+
const run = (0, run_store_1.loadRunFromCwd)(runId, invocationCwd(args));
|
|
72
|
+
const v = (0, trust_audit_1.verifyTrustAudit)(run);
|
|
73
|
+
return {
|
|
74
|
+
schemaVersion: 1,
|
|
75
|
+
runId: run.id,
|
|
76
|
+
present: v.present,
|
|
77
|
+
verified: v.verified,
|
|
78
|
+
eventCount: v.eventCount,
|
|
79
|
+
chained: v.chained,
|
|
80
|
+
unchained: v.unchained,
|
|
81
|
+
corruptLines: v.corruptLines,
|
|
82
|
+
failedChecks: v.checks.filter((c) => !c.pass).map((c) => ({ name: c.name, code: c.code })),
|
|
83
|
+
};
|
|
84
|
+
}
|
|
85
|
+
/** MILESTONE 11 (reporting/observability, workbench audit panels) —
|
|
86
|
+
* `cw audit summary`/`audit multi-agent`/`audit policy`/`audit judge`.
|
|
87
|
+
* These read the same trust-audit summary functions the report.md
|
|
88
|
+
* writer and multi-agent trust-policy layer already build, so panel
|
|
89
|
+
* data can never drift from the standalone commands' output. */
|
|
90
|
+
function auditSummaryCli(runId, args) {
|
|
91
|
+
const run = (0, run_store_1.loadRunFromCwd)(runId, invocationCwd(args));
|
|
92
|
+
return (0, trust_audit_1.summarizeTrustAudit)(run);
|
|
93
|
+
}
|
|
94
|
+
function auditMultiAgentCli(runId, args) {
|
|
95
|
+
const run = (0, run_store_1.loadRunFromCwd)(runId, invocationCwd(args));
|
|
96
|
+
return (0, trust_policy_io_1.summarizeMultiAgentTrust)(run);
|
|
97
|
+
}
|
|
98
|
+
function auditPolicyCli(runId, args) {
|
|
99
|
+
const run = (0, run_store_1.loadRunFromCwd)(runId, invocationCwd(args));
|
|
100
|
+
const summary = (0, trust_policy_io_1.summarizeMultiAgentTrust)(run);
|
|
101
|
+
return { schemaVersion: 1, runId: run.id, rolePolicies: summary.rolePolicies, permissionDecisions: summary.permissionDecisions, policyViolations: summary.policyViolations };
|
|
102
|
+
}
|
|
103
|
+
function auditJudgeCli(runId, args) {
|
|
104
|
+
const run = (0, run_store_1.loadRunFromCwd)(runId, invocationCwd(args));
|
|
105
|
+
const summary = (0, trust_policy_io_1.summarizeMultiAgentTrust)(run);
|
|
106
|
+
return { schemaVersion: 1, runId: run.id, judgeRationales: summary.judgeRationales, panelDecisions: summary.panelDecisions };
|
|
107
|
+
}
|
|
108
|
+
// ---------------------------------------------------------------------------
|
|
109
|
+
// Phase B: the audit worker/provenance/role/blackboard/attest/decision verbs
|
|
110
|
+
// the old flat build had (cli/handlers/audit.ts + orchestrator/
|
|
111
|
+
// audit-operations.ts). Ported here as thin loadRun -> delegate wrappers over
|
|
112
|
+
// audit-provenance.ts + trust-audit.ts primitives.
|
|
113
|
+
// ---------------------------------------------------------------------------
|
|
114
|
+
function optionalString(value) {
|
|
115
|
+
return typeof value === "string" && value.trim() ? value.trim() : Array.isArray(value) && typeof value[0] === "string" ? value[0] : undefined;
|
|
116
|
+
}
|
|
117
|
+
/** Sanitized env-var NAMES only (`FOO=bar` -> `FOO`); the value is dropped. */
|
|
118
|
+
function valuesOption(value) {
|
|
119
|
+
const raw = value === undefined || value === null || value === true ? [] : Array.isArray(value) ? value : [value];
|
|
120
|
+
return raw.map((entry) => String(entry).split("=")[0]).filter(Boolean);
|
|
121
|
+
}
|
|
122
|
+
/** Byte-exact port of the old build's inferAuditDecisionKind. */
|
|
123
|
+
function inferAuditDecisionKind(options) {
|
|
124
|
+
if (options.command)
|
|
125
|
+
return "sandbox.command";
|
|
126
|
+
if (options.network || options.networkTarget)
|
|
127
|
+
return "sandbox.network";
|
|
128
|
+
if (options.env || options.envVar)
|
|
129
|
+
return "sandbox.env";
|
|
130
|
+
return "sandbox.path";
|
|
131
|
+
}
|
|
132
|
+
/** `cw audit worker <run> <worker>` — every audited event for one worker. */
|
|
133
|
+
function auditWorkerCli(runId, workerId, args) {
|
|
134
|
+
const run = (0, run_store_1.loadRunFromCwd)(runId, invocationCwd(args));
|
|
135
|
+
return (0, audit_provenance_1.workerTrustAudit)(run, workerId);
|
|
136
|
+
}
|
|
137
|
+
/** `cw audit provenance <run> [--worker|--candidate|--commit <id>]`. */
|
|
138
|
+
function auditProvenanceCli(runId, args) {
|
|
139
|
+
const run = (0, run_store_1.loadRunFromCwd)(runId, invocationCwd(args));
|
|
140
|
+
return (0, audit_provenance_1.evidenceProvenance)(run, {
|
|
141
|
+
workerId: optionalString(args.worker ?? args.workerId),
|
|
142
|
+
candidateId: optionalString(args.candidate ?? args.candidateId),
|
|
143
|
+
commitId: optionalString(args.commit ?? args.commitId),
|
|
144
|
+
});
|
|
145
|
+
}
|
|
146
|
+
/** `cw audit role <run> <role>` — per-role policy + audit slice. */
|
|
147
|
+
function auditRoleCli(runId, roleId, args) {
|
|
148
|
+
const run = (0, run_store_1.loadRunFromCwd)(runId, invocationCwd(args));
|
|
149
|
+
const summary = (0, trust_policy_io_1.summarizeMultiAgentTrust)(run);
|
|
150
|
+
const events = (0, trust_audit_1.listTrustAuditEvents)(run).filter((event) => event.agentRoleId === roleId);
|
|
151
|
+
return {
|
|
152
|
+
schemaVersion: 1,
|
|
153
|
+
runId: run.id,
|
|
154
|
+
roleId,
|
|
155
|
+
role: run.multiAgent?.roles?.find((entry) => entry.id === roleId),
|
|
156
|
+
rolePolicies: summary.rolePolicies.filter((entry) => entry.subjectId === roleId),
|
|
157
|
+
permissionDecisions: events.filter((event) => event.kind === "multi-agent.permission"),
|
|
158
|
+
blackboardWrites: events.filter((event) => event.kind === "blackboard.write"),
|
|
159
|
+
messageProvenance: events.filter((event) => event.kind === "blackboard.message-provenance"),
|
|
160
|
+
judgeRationales: events.filter((event) => event.kind === "judge.rationale"),
|
|
161
|
+
panelDecisions: events.filter((event) => event.kind === "judge.panel-decision"),
|
|
162
|
+
policyViolations: events.filter((event) => event.kind === "policy.violation"),
|
|
163
|
+
events,
|
|
164
|
+
nextAction: `node scripts/cw.js audit multi-agent ${run.id} --json`,
|
|
165
|
+
};
|
|
166
|
+
}
|
|
167
|
+
/** `cw audit blackboard <run>` — blackboard write/provenance audit. */
|
|
168
|
+
function auditBlackboardCli(runId, args) {
|
|
169
|
+
const run = (0, run_store_1.loadRunFromCwd)(runId, invocationCwd(args));
|
|
170
|
+
const summary = (0, trust_policy_io_1.summarizeMultiAgentTrust)(run);
|
|
171
|
+
return {
|
|
172
|
+
schemaVersion: 1,
|
|
173
|
+
runId: run.id,
|
|
174
|
+
blackboardWrites: summary.blackboardWrites,
|
|
175
|
+
messageProvenance: summary.messageProvenance,
|
|
176
|
+
policyViolations: summary.policyViolations.filter((event) => event.blackboardId),
|
|
177
|
+
nextAction: summary.nextAction,
|
|
178
|
+
};
|
|
179
|
+
}
|
|
180
|
+
/** `cw audit attest <run> [--worker …] [--command|--network|--env|--note …]`
|
|
181
|
+
* — record a host/operator sandbox attestation. */
|
|
182
|
+
function auditAttestCli(runId, args) {
|
|
183
|
+
const run = (0, run_store_1.loadRunFromCwd)(runId, invocationCwd(args));
|
|
184
|
+
const workerId = optionalString(args.worker ?? args.workerId);
|
|
185
|
+
const worker = workerId ? (0, worker_isolation_1.getWorkerScope)(run, workerId) : undefined;
|
|
186
|
+
const event = (0, audit_provenance_1.recordHostAttestation)(run, {
|
|
187
|
+
actor: optionalString(args.actor) || "host",
|
|
188
|
+
workerId,
|
|
189
|
+
taskId: worker?.taskId || optionalString(args.task ?? args.taskId),
|
|
190
|
+
sandboxProfileId: worker?.sandboxProfileId || optionalString(args.sandboxProfileId),
|
|
191
|
+
policySnapshot: worker?.sandboxPolicy,
|
|
192
|
+
command: optionalString(args.command),
|
|
193
|
+
networkTarget: optionalString(args.network ?? args.networkTarget),
|
|
194
|
+
metadata: {
|
|
195
|
+
note: optionalString(args.note ?? args.message),
|
|
196
|
+
hostEnforced: args.hostEnforced === undefined ? undefined : Boolean(args.hostEnforced),
|
|
197
|
+
envVars: valuesOption(args.env ?? args.envVar ?? args.envVars),
|
|
198
|
+
},
|
|
199
|
+
});
|
|
200
|
+
(0, run_store_1.saveCheckpoint)(run);
|
|
201
|
+
return event;
|
|
202
|
+
}
|
|
203
|
+
/** `cw audit decision <run> <worker> --path|--command|--network|--env <t>`
|
|
204
|
+
* — validate a sandbox decision against the worker's policy, record it
|
|
205
|
+
* (fail-closed: a denied decision records a structured worker failure), and
|
|
206
|
+
* return the audit event. Byte-behavior port of the old recordAuditDecision. */
|
|
207
|
+
function auditDecisionCli(runId, workerId, args) {
|
|
208
|
+
const run = (0, run_store_1.loadRunFromCwd)(runId, invocationCwd(args));
|
|
209
|
+
return recordAuditDecision(run, workerId, args);
|
|
210
|
+
}
|
|
211
|
+
function recordAuditDecision(run, workerId, options) {
|
|
212
|
+
const worker = (0, worker_isolation_1.getWorkerScope)(run, workerId);
|
|
213
|
+
if (!worker)
|
|
214
|
+
throw new Error(`Unknown worker id for run ${run.id}: ${workerId}`);
|
|
215
|
+
const kind = optionalString(options.kind) || inferAuditDecisionKind(options);
|
|
216
|
+
const target = optionalString(options.path ?? options.command ?? options.network ?? options.networkTarget ?? options.env ?? options.envVar);
|
|
217
|
+
if (!target)
|
|
218
|
+
throw new Error("Missing audit decision target: provide --path, --command, --network, or --env");
|
|
219
|
+
const policy = worker.sandboxPolicy;
|
|
220
|
+
let denied = null;
|
|
221
|
+
if (kind === "sandbox.command") {
|
|
222
|
+
denied = policy ? (0, sandbox_profile_1.validateSandboxCommand)(policy, target, workerId) : null;
|
|
223
|
+
}
|
|
224
|
+
else if (kind === "sandbox.network") {
|
|
225
|
+
denied = policy ? (0, sandbox_profile_1.validateSandboxNetwork)(policy, target, workerId) : null;
|
|
226
|
+
}
|
|
227
|
+
else if (kind === "sandbox.env") {
|
|
228
|
+
const name = target.includes("=") ? target.split("=")[0] : target;
|
|
229
|
+
const allowed = Boolean(policy?.env.inherit || policy?.env.expose.includes(name));
|
|
230
|
+
denied = allowed ? null : { code: "sandbox-env-denied", message: `Worker ${workerId} env var is outside sandbox profile ${policy?.id || "unknown"}: ${name}` };
|
|
231
|
+
}
|
|
232
|
+
else {
|
|
233
|
+
denied = (0, worker_isolation_1.validateWorkerBoundary)(run, workerId, { path: target });
|
|
234
|
+
}
|
|
235
|
+
const feedbackIds = [];
|
|
236
|
+
if (denied) {
|
|
237
|
+
const failurePath = denied.path || (kind === "sandbox.path" ? path.resolve(target) : undefined);
|
|
238
|
+
const failure = (0, worker_isolation_1.recordWorkerFailure)(run, workerId, { code: denied.code, message: denied.message, at: new Date().toISOString(), path: failurePath, retryable: false }, { code: denied.code, path: failurePath, retryable: false, persist: false });
|
|
239
|
+
feedbackIds.push(...(failure.feedbackIds || []));
|
|
240
|
+
}
|
|
241
|
+
const envVars = kind === "sandbox.env" ? [target.includes("=") ? target.split("=")[0] : target] : undefined;
|
|
242
|
+
const event = (0, audit_provenance_1.recordSandboxPolicyDecision)(run, {
|
|
243
|
+
kind,
|
|
244
|
+
decision: denied ? "denied" : "allowed",
|
|
245
|
+
workerId,
|
|
246
|
+
taskId: worker.taskId,
|
|
247
|
+
sandboxProfileId: worker.sandboxProfileId,
|
|
248
|
+
policySnapshot: policy,
|
|
249
|
+
command: kind === "sandbox.command" ? target : undefined,
|
|
250
|
+
networkTarget: kind === "sandbox.network" ? target : undefined,
|
|
251
|
+
normalizedPath: kind === "sandbox.path" ? target : undefined,
|
|
252
|
+
envVars,
|
|
253
|
+
feedbackIds,
|
|
254
|
+
metadata: { code: denied?.code },
|
|
255
|
+
});
|
|
256
|
+
(0, report_1.writeReport)(run);
|
|
257
|
+
(0, run_store_1.saveCheckpoint)(run);
|
|
258
|
+
return event;
|
|
259
|
+
}
|
|
@@ -0,0 +1,83 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
// shell/audit-provenance.ts — the trust-audit READ + record helpers the
|
|
3
|
+
// old flat build shipped inside src/trust-audit.ts but v2's
|
|
4
|
+
// shell/trust-audit.ts dropped: workerTrustAudit, evidenceProvenance, and
|
|
5
|
+
// the two thin record wrappers (recordHostAttestation,
|
|
6
|
+
// recordSandboxPolicyDecision). These are pure wrappers over the primitives
|
|
7
|
+
// shell/trust-audit.ts DOES export (listTrustAuditEvents,
|
|
8
|
+
// recordTrustAuditEvent), so they live in their own module rather than
|
|
9
|
+
// re-open the audited trust-audit.ts chain writer.
|
|
10
|
+
//
|
|
11
|
+
// Byte-behavior port of the old build's src/trust-audit.ts:354-620.
|
|
12
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
13
|
+
exports.workerTrustAudit = workerTrustAudit;
|
|
14
|
+
exports.evidenceProvenance = evidenceProvenance;
|
|
15
|
+
exports.recordHostAttestation = recordHostAttestation;
|
|
16
|
+
exports.recordSandboxPolicyDecision = recordSandboxPolicyDecision;
|
|
17
|
+
const trust_audit_1 = require("./trust-audit");
|
|
18
|
+
/** `cw audit worker <run> <worker>` body — every audited event that
|
|
19
|
+
* touched one worker. Port of old workerTrustAudit. */
|
|
20
|
+
function workerTrustAudit(run, workerId) {
|
|
21
|
+
return { workerId, events: (0, trust_audit_1.listTrustAuditEvents)(run).filter((event) => event.workerId === workerId) };
|
|
22
|
+
}
|
|
23
|
+
/** `cw audit provenance <run>` body — the evidence chain (worker output ->
|
|
24
|
+
* candidate -> selection -> commit) and the audit events that produced it,
|
|
25
|
+
* filtered by candidate/commit/worker. Port of old evidenceProvenance. */
|
|
26
|
+
function evidenceProvenance(run, options = {}) {
|
|
27
|
+
const events = (0, trust_audit_1.listTrustAuditEvents)(run).filter((event) => {
|
|
28
|
+
if (options.candidateId && event.candidateId !== options.candidateId)
|
|
29
|
+
return false;
|
|
30
|
+
if (options.commitId && event.commitId !== options.commitId)
|
|
31
|
+
return false;
|
|
32
|
+
if (options.workerId && event.workerId !== options.workerId)
|
|
33
|
+
return false;
|
|
34
|
+
return true;
|
|
35
|
+
});
|
|
36
|
+
const evidence = [];
|
|
37
|
+
for (const node of run.nodes || [])
|
|
38
|
+
evidence.push(...(node.evidence || []));
|
|
39
|
+
for (const candidate of run.candidates || [])
|
|
40
|
+
evidence.push(...(candidate.evidence || []));
|
|
41
|
+
for (const selection of run.candidateSelections || [])
|
|
42
|
+
evidence.push(...(selection.evidence || []));
|
|
43
|
+
for (const commit of run.commits || [])
|
|
44
|
+
evidence.push(...(commit.evidence || []));
|
|
45
|
+
const filtered = evidence.filter((entry) => {
|
|
46
|
+
const provenance = entry.provenance;
|
|
47
|
+
if (options.candidateId && provenance?.candidateId !== options.candidateId)
|
|
48
|
+
return false;
|
|
49
|
+
if (options.commitId && provenance?.commitId !== options.commitId)
|
|
50
|
+
return false;
|
|
51
|
+
if (options.workerId && provenance?.workerId !== options.workerId)
|
|
52
|
+
return false;
|
|
53
|
+
return true;
|
|
54
|
+
});
|
|
55
|
+
return { runId: run.id, evidence: filtered, events };
|
|
56
|
+
}
|
|
57
|
+
/** Record a host/operator sandbox attestation event. Port of old
|
|
58
|
+
* recordHostAttestation. */
|
|
59
|
+
function recordHostAttestation(run, input) {
|
|
60
|
+
return (0, trust_audit_1.recordTrustAuditEvent)(run, {
|
|
61
|
+
...input,
|
|
62
|
+
kind: input.kind || "sandbox.host-attestation",
|
|
63
|
+
decision: "recorded",
|
|
64
|
+
source: "host-attested",
|
|
65
|
+
});
|
|
66
|
+
}
|
|
67
|
+
/** Record a cw-validated sandbox policy decision event. Port of old
|
|
68
|
+
* recordSandboxPolicyDecision. */
|
|
69
|
+
function recordSandboxPolicyDecision(run, input) {
|
|
70
|
+
const { envVars, ...rest } = input;
|
|
71
|
+
const event = (0, trust_audit_1.recordTrustAuditEvent)(run, {
|
|
72
|
+
...rest,
|
|
73
|
+
source: input.source || "cw-validated",
|
|
74
|
+
metadata: { ...(input.metadata || {}), ...(envVars && envVars.length ? { envVars } : {}) },
|
|
75
|
+
});
|
|
76
|
+
// The old event shape carried the sanitized env-var NAMES on the event
|
|
77
|
+
// itself; the record wrapper stamps them so `audit decision --env` can echo
|
|
78
|
+
// them back (the value is never stored — only the name, already stripped
|
|
79
|
+
// upstream).
|
|
80
|
+
if (envVars && envVars.length)
|
|
81
|
+
event.envVars = envVars;
|
|
82
|
+
return event;
|
|
83
|
+
}
|