cool-workflow 0.2.2 → 0.2.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.claude-plugin/plugin.json +1 -1
- package/.codex-plugin/plugin.json +1 -1
- package/apps/architecture-review/app.json +1 -1
- package/apps/architecture-review-fast/app.json +1 -1
- package/apps/end-to-end-golden-path/app.json +1 -1
- package/apps/pr-review-fix-ci/app.json +1 -1
- package/apps/release-cut/app.json +1 -1
- package/apps/research-synthesis/app.json +1 -1
- package/dist/cli/dispatch.js +11 -5
- package/dist/cli/entry.js +41 -1
- package/dist/cli/io.js +6 -2
- package/dist/cli/parseargv.js +1 -0
- package/dist/core/capability-data.js +1 -0
- package/dist/core/format/completion.js +68 -0
- package/dist/core/format/help.js +25 -6
- package/dist/core/format/safe-json.js +73 -0
- package/dist/core/format/state-explosion-text.js +1 -1
- package/dist/core/multi-agent/candidate-scoring.js +5 -1
- package/dist/core/multi-agent/collaboration.js +3 -3
- package/dist/core/multi-agent/coordinator.js +5 -5
- package/dist/core/multi-agent/runtime.js +4 -4
- package/dist/core/multi-agent/topology.js +3 -3
- package/dist/core/pipeline/dispatch.js +18 -4
- package/dist/core/pipeline/drive-decide.js +2 -1
- package/dist/core/state/migrations.js +16 -1
- package/dist/core/state/state-explosion/digest.js +13 -13
- package/dist/core/state/state-explosion/graph.js +17 -11
- package/dist/core/state/state-explosion/report.js +6 -6
- package/dist/core/util/numeric-flag.js +40 -0
- package/dist/core/version.js +1 -1
- package/dist/mcp/server.js +99 -11
- package/dist/shell/audit-cli.js +57 -25
- package/dist/shell/coordinator-io.js +73 -13
- package/dist/shell/dispatch.js +1 -1
- package/dist/shell/doctor.js +80 -1
- package/dist/shell/drive.js +243 -49
- package/dist/shell/eval-text.js +2 -2
- package/dist/shell/evidence-reasoning.js +4 -4
- package/dist/shell/execution-backend/agent.js +20 -1
- package/dist/shell/execution-backend/container.js +4 -1
- package/dist/shell/execution-backend/local.js +4 -1
- package/dist/shell/feedback-cli.js +6 -6
- package/dist/shell/fs-atomic.js +218 -29
- package/dist/shell/man-cli.js +6 -0
- package/dist/shell/metrics-cli.js +2 -1
- package/dist/shell/multi-agent-cli.js +367 -323
- package/dist/shell/multi-agent-host.js +9 -9
- package/dist/shell/multi-agent-operator-ux.js +80 -38
- package/dist/shell/node-store.js +10 -4
- package/dist/shell/observability.js +1 -1
- package/dist/shell/operator-ux-text.js +22 -22
- package/dist/shell/operator-ux.js +15 -14
- package/dist/shell/orchestrator.js +49 -38
- package/dist/shell/pipeline-cli.js +87 -40
- package/dist/shell/reclamation-io.js +14 -4
- package/dist/shell/registry-cli.js +19 -17
- package/dist/shell/remote-source.js +13 -8
- package/dist/shell/report-cli.js +45 -0
- package/dist/shell/report.js +2 -1
- package/dist/shell/run-registry-io.js +77 -19
- package/dist/shell/run-store.js +74 -2
- package/dist/shell/scheduling-io.js +12 -13
- package/dist/shell/state-cli.js +2 -7
- package/dist/shell/state-explosion-cli.js +17 -9
- package/dist/shell/topology-io.js +36 -5
- package/dist/shell/trust-audit.js +224 -22
- package/dist/shell/trust-policy-io.js +1 -1
- package/dist/shell/worker-cli.js +35 -31
- package/dist/wiring/capability-table/basics.js +33 -8
- package/dist/wiring/capability-table/exec-backend.js +20 -11
- package/dist/wiring/capability-table/multi-agent.js +172 -165
- package/dist/wiring/capability-table/parity.js +1 -0
- package/dist/wiring/capability-table/pipeline.js +54 -42
- package/dist/wiring/capability-table/registry-core.js +29 -10
- package/dist/wiring/capability-table/reporting.js +137 -96
- package/dist/wiring/capability-table/scheduling-registry.js +195 -161
- package/dist/wiring/capability-table/state.js +36 -28
- package/dist/wiring/capability-table/trust-ledger.js +46 -22
- package/dist/wiring/capability-table/workflow-apps.js +83 -68
- package/docs/agent-delegation-drive.7.md +2 -0
- package/docs/candidate-scoring.7.md +1 -1
- package/docs/canonical-workflow-apps.7.md +7 -7
- package/docs/cli-mcp-parity.7.md +8 -3
- package/docs/contract-migration-tooling.7.md +2 -0
- package/docs/control-plane-scheduling.7.md +2 -0
- package/docs/coordinator-blackboard.7.md +17 -17
- package/docs/dogfood-one-real-repo.7.md +11 -11
- package/docs/durable-state-and-locking.7.md +2 -0
- package/docs/end-to-end-golden-path.7.md +14 -14
- package/docs/evidence-adoption-reasoning-chain.7.md +2 -0
- package/docs/execution-backends.7.md +2 -0
- package/docs/getting-started.md +37 -37
- package/docs/multi-agent-cli-mcp-surface.7.md +19 -17
- package/docs/multi-agent-eval-replay-harness.7.md +15 -13
- package/docs/multi-agent-operator-ux.7.md +21 -19
- package/docs/multi-agent-runtime-core.7.md +22 -22
- package/docs/multi-agent-topologies.7.md +6 -6
- package/docs/multi-agent-trust-policy-audit.7.md +11 -11
- package/docs/node-snapshot-diff-replay.7.md +2 -0
- package/docs/observability-cost-accounting.7.md +2 -0
- package/docs/operator-ux.7.md +34 -34
- package/docs/pipeline-runner.7.md +4 -4
- package/docs/project-index.md +27 -4
- package/docs/real-execution-backends.7.md +2 -0
- package/docs/release-and-migration.7.md +3 -1
- package/docs/release-tooling.7.md +2 -0
- package/docs/routines.md +4 -4
- package/docs/run-registry-control-plane.7.md +21 -19
- package/docs/run-retention-reclamation.7.md +2 -0
- package/docs/scheduled-tasks.md +14 -14
- package/docs/security-trust-hardening.7.md +15 -15
- package/docs/state-explosion-management.7.md +12 -10
- package/docs/team-collaboration.7.md +2 -0
- package/docs/trust-audit-anchor.7.md +2 -0
- package/docs/unix-principles.md +3 -1
- package/docs/verifier-gated-commit.7.md +1 -1
- package/docs/web-desktop-workbench.7.md +2 -0
- package/docs/workflow-app-framework.7.md +13 -13
- package/manifest/plugin.manifest.json +1 -1
- package/package.json +2 -2
- package/scripts/agents/claude-p-agent.js +2 -2
- package/scripts/block-unapproved-tag.sh +23 -2
- package/scripts/canonical-apps.js +4 -4
- package/scripts/children/batch-delegate-child.js +52 -2
- package/scripts/dogfood-release.js +1 -1
- package/scripts/fake-date-for-reproduction.js +44 -0
- package/scripts/golden-path.js +4 -4
- package/scripts/purity-baseline.json +3 -0
- package/scripts/release-flow.js +57 -1
- package/scripts/verdict-keygen.js +83 -0
- package/scripts/verify-bump-reproduction.sh +148 -0
- package/scripts/verify-verdict-signature.js +61 -0
- package/skills/cool-workflow/SKILL.md +9 -9
- package/skills/cool-workflow/references/commands.md +89 -88
- package/ui/workbench/app.css +37 -1
- package/ui/workbench/app.js +124 -6
|
@@ -0,0 +1,148 @@
|
|
|
1
|
+
#!/usr/bin/env bash
|
|
2
|
+
# verify-bump-reproduction.sh — closes the HEAD~1 verdict-replay bypass.
|
|
3
|
+
#
|
|
4
|
+
# release-gate.yml / npm-publish.yml tolerate a verdict written for the tag
|
|
5
|
+
# commit's PARENT (release-flow.js's cut() reviews content, then adds a
|
|
6
|
+
# mechanical version-bump + the verdict as a NEW child commit that actually
|
|
7
|
+
# gets tagged). A validly-signed verdict at the parent proves someone once
|
|
8
|
+
# approved THAT commit — it does NOT prove the child (the thing actually being
|
|
9
|
+
# tagged) is the deterministic bump cut() would have produced, rather than an
|
|
10
|
+
# attacker's own commit smuggling in arbitrary changes on top of an old,
|
|
11
|
+
# genuinely-approved parent (a real signature on a REPLAYED verdict).
|
|
12
|
+
#
|
|
13
|
+
# This script independently reproduces the bump: checks out the approved
|
|
14
|
+
# parent into a scratch worktree, runs the SAME bump:version/sync:project-index
|
|
15
|
+
# steps cut() runs, stages the SAME way cut() stages (git add -u + the
|
|
16
|
+
# explicit verdict/.sig paths, never -A), and requires the resulting tree to
|
|
17
|
+
# match the ACTUAL tagged commit's tree byte-for-byte. Any difference —
|
|
18
|
+
# anywhere, including a single added file — fails closed.
|
|
19
|
+
#
|
|
20
|
+
# Usage: verify-bump-reproduction.sh <approved-parent-sha> <tagged-sha> <verdict-repo-relative-path> [sig-repo-relative-path]
|
|
21
|
+
#
|
|
22
|
+
# Exit 0: the tagged commit's tree matches the reproduced bump exactly.
|
|
23
|
+
# Exit 1: mismatch, or any step failed (install, bump, sync, worktree, etc).
|
|
24
|
+
set -uo pipefail
|
|
25
|
+
|
|
26
|
+
# Where THIS SCRIPT ITSELF lives — distinct from REPO_ROOT (the git repo being
|
|
27
|
+
# operated ON, resolved below from the invocation cwd). These coincide in
|
|
28
|
+
# ordinary production use (the script runs from within the same checkout it
|
|
29
|
+
# verifies), but conflating them is wrong: REPO_ROOT could be an ARBITRARY git
|
|
30
|
+
# context (e.g. a test harness's throwaway clone of old history, which never
|
|
31
|
+
# has this script's own sibling files, since they postdate whatever was
|
|
32
|
+
# cloned). Sibling files this script depends on must be found relative to
|
|
33
|
+
# where it is installed, never relative to the repo it happens to be pointed at.
|
|
34
|
+
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
|
35
|
+
|
|
36
|
+
PARENT="${1:-}"
|
|
37
|
+
TAGGED="${2:-}"
|
|
38
|
+
VERDICT_REL="${3:-}"
|
|
39
|
+
SIG_REL="${4:-}"
|
|
40
|
+
if [[ -z "$PARENT" || -z "$TAGGED" || -z "$VERDICT_REL" ]]; then
|
|
41
|
+
echo "usage: verify-bump-reproduction.sh <parent-sha> <tagged-sha> <verdict-rel-path> [sig-rel-path]" >&2
|
|
42
|
+
exit 1
|
|
43
|
+
fi
|
|
44
|
+
|
|
45
|
+
REPO_ROOT="$(git rev-parse --show-toplevel)" || exit 1
|
|
46
|
+
SCRATCH_PARENT="$(mktemp -d)"
|
|
47
|
+
SCRATCH="$SCRATCH_PARENT/wt"
|
|
48
|
+
cleanup() {
|
|
49
|
+
git -C "$REPO_ROOT" worktree remove --force "$SCRATCH" >/dev/null 2>&1
|
|
50
|
+
rm -rf "$SCRATCH_PARENT"
|
|
51
|
+
}
|
|
52
|
+
trap cleanup EXIT
|
|
53
|
+
|
|
54
|
+
if ! git -C "$REPO_ROOT" worktree add --quiet --detach "$SCRATCH" "$PARENT" 2>/dev/null; then
|
|
55
|
+
echo "verify-bump-reproduction: could not create a scratch worktree at $PARENT" >&2
|
|
56
|
+
exit 1
|
|
57
|
+
fi
|
|
58
|
+
|
|
59
|
+
# The target version comes from the TAGGED commit (not the parent, which may
|
|
60
|
+
# still be pre-bump) — read via git plumbing, no separate checkout needed.
|
|
61
|
+
VERSION="$(git -C "$REPO_ROOT" show "$TAGGED:plugins/cool-workflow/package.json" 2>/dev/null | node -e '
|
|
62
|
+
let s=""; process.stdin.on("data",d=>s+=d).on("end",()=>{ try { process.stdout.write(JSON.parse(s).version||""); } catch { process.stdout.write(""); } });
|
|
63
|
+
')"
|
|
64
|
+
if [[ -z "$VERSION" ]]; then
|
|
65
|
+
echo "verify-bump-reproduction: could not read package.json version from tagged commit $TAGGED" >&2
|
|
66
|
+
exit 1
|
|
67
|
+
fi
|
|
68
|
+
|
|
69
|
+
# sync-project-index.js embeds a wall-clock "Generated on <date>" line. Pin it
|
|
70
|
+
# to the TAGGED commit's own committer date (UTC) via a Node --require preload
|
|
71
|
+
# that overrides the global Date constructor (fake-date-for-reproduction.js),
|
|
72
|
+
# NOT an application-level env var: the scratch worktree runs the APPROVED
|
|
73
|
+
# PARENT's OWN checked-out copy of sync-project-index.js, which for every
|
|
74
|
+
# release cut before this mechanism existed has no idea any such env var is
|
|
75
|
+
# meant to be read — an app-level opt-in is a no-op against code that doesn't
|
|
76
|
+
# know to opt in, so it can only ever "work" for releases cut after the
|
|
77
|
+
# mechanism landed (confirmed empirically: re-running an already-shipped
|
|
78
|
+
# release's real approved-parent/tagged pair on a later calendar day produced
|
|
79
|
+
# a tree mismatch whose ONLY diff was that one date line). A global override
|
|
80
|
+
# of the Date constructor, injected before any application code runs, is
|
|
81
|
+
# transparent to the code being executed regardless of which version it is.
|
|
82
|
+
CUT_DATE="$(TZ=UTC git -C "$REPO_ROOT" show -s --format=%cd --date=format-local:%Y-%m-%d "$TAGGED" 2>/dev/null)"
|
|
83
|
+
if [[ -z "$CUT_DATE" ]]; then
|
|
84
|
+
echo "verify-bump-reproduction: could not read the tagged commit's committer date" >&2
|
|
85
|
+
exit 1
|
|
86
|
+
fi
|
|
87
|
+
FAKE_DATE_PRELOAD="$SCRIPT_DIR/fake-date-for-reproduction.js"
|
|
88
|
+
|
|
89
|
+
# Each step's exit code is checked EXPLICITLY and immediately (not via a
|
|
90
|
+
# `cmd1 && cmd2 && cmd3` chain) — a chain's overall success can silently
|
|
91
|
+
# survive an earlier step's failure if a future edit ever loosens it (e.g.
|
|
92
|
+
# `&&` accidentally becoming `;`), which would flip this fail-closed gate to
|
|
93
|
+
# fail-open without changing its outward shape. stdout/stderr from each step
|
|
94
|
+
# are captured (not discarded to /dev/null) so a real failure — a transient
|
|
95
|
+
# npm registry hiccup vs. an actual reproduction mismatch — is distinguishable
|
|
96
|
+
# in the workflow log instead of both collapsing into the same generic message.
|
|
97
|
+
run_step() {
|
|
98
|
+
local label="$1"
|
|
99
|
+
shift
|
|
100
|
+
local out
|
|
101
|
+
out="$("$@" 2>&1)"
|
|
102
|
+
local code=$?
|
|
103
|
+
if [[ $code -ne 0 ]]; then
|
|
104
|
+
echo "verify-bump-reproduction: $label failed (exit $code):" >&2
|
|
105
|
+
echo "$out" >&2
|
|
106
|
+
return 1
|
|
107
|
+
fi
|
|
108
|
+
return 0
|
|
109
|
+
}
|
|
110
|
+
|
|
111
|
+
(
|
|
112
|
+
cd "$SCRATCH/plugins/cool-workflow" || exit 1
|
|
113
|
+
export NODE_OPTIONS="--require $FAKE_DATE_PRELOAD"
|
|
114
|
+
export CW_FAKE_DATE="$CUT_DATE"
|
|
115
|
+
run_step "npm install" npm install --no-package-lock --ignore-scripts || exit 1
|
|
116
|
+
run_step "bump:version" npm run bump:version -- "$VERSION" || exit 1
|
|
117
|
+
run_step "sync:project-index" npm run sync:project-index -- --repo-only || exit 1
|
|
118
|
+
)
|
|
119
|
+
BUMP_STATUS=$?
|
|
120
|
+
if [[ $BUMP_STATUS -ne 0 ]]; then
|
|
121
|
+
echo "verify-bump-reproduction: reproducing the bump for $PARENT -> v$VERSION failed" >&2
|
|
122
|
+
exit 1
|
|
123
|
+
fi
|
|
124
|
+
|
|
125
|
+
mkdir -p "$SCRATCH/.cw-release"
|
|
126
|
+
cp "$REPO_ROOT/$VERDICT_REL" "$SCRATCH/$VERDICT_REL" || exit 1
|
|
127
|
+
if [[ -n "$SIG_REL" && -f "$REPO_ROOT/$SIG_REL" ]]; then
|
|
128
|
+
cp "$REPO_ROOT/$SIG_REL" "$SCRATCH/$SIG_REL" || exit 1
|
|
129
|
+
fi
|
|
130
|
+
|
|
131
|
+
# Mirror cut()'s OWN staging exactly (git-add -u + the explicit verdict/.sig
|
|
132
|
+
# paths) — never -A, so an untracked stray left by npm/tooling in the scratch
|
|
133
|
+
# worktree can never silently ride into what we compare.
|
|
134
|
+
git -C "$SCRATCH" add -u
|
|
135
|
+
git -C "$SCRATCH" add -- "$VERDICT_REL"
|
|
136
|
+
if [[ -n "$SIG_REL" && -f "$SCRATCH/$SIG_REL" ]]; then
|
|
137
|
+
git -C "$SCRATCH" add -- "$SIG_REL"
|
|
138
|
+
fi
|
|
139
|
+
|
|
140
|
+
EXPECTED_TREE="$(git -C "$SCRATCH" write-tree)"
|
|
141
|
+
ACTUAL_TREE="$(git -C "$REPO_ROOT" rev-parse "$TAGGED^{tree}")"
|
|
142
|
+
|
|
143
|
+
if [[ "$EXPECTED_TREE" != "$ACTUAL_TREE" ]]; then
|
|
144
|
+
echo "verify-bump-reproduction: $TAGGED's tree ($ACTUAL_TREE) does not match the deterministic bump reproduced from approved parent $PARENT ($EXPECTED_TREE) — refusing" >&2
|
|
145
|
+
exit 1
|
|
146
|
+
fi
|
|
147
|
+
|
|
148
|
+
exit 0
|
|
@@ -0,0 +1,61 @@
|
|
|
1
|
+
#!/usr/bin/env node
|
|
2
|
+
"use strict";
|
|
3
|
+
|
|
4
|
+
// verify-verdict-signature.js — verify an ed25519 signature over a committed
|
|
5
|
+
// release verdict file, against the committed public key
|
|
6
|
+
// (.cw-release/verdict-signing.pub). Portable (node + node:crypto only) so
|
|
7
|
+
// CI (release-gate.yml, npm-publish.yml) and the local block-unapproved-tag.sh
|
|
8
|
+
// hook can all shell out to the SAME check instead of three drifting copies.
|
|
9
|
+
//
|
|
10
|
+
// Exit 0: signature verifies. Exit 1: missing file, unreadable key, or a
|
|
11
|
+
// signature that does not match (tampered verdict, wrong key, hand-written
|
|
12
|
+
// verdict with no real signature). Never throws uncaught — callers rely on
|
|
13
|
+
// the exit code alone, not stderr text.
|
|
14
|
+
//
|
|
15
|
+
// Usage: node verify-verdict-signature.js <verdict-file> <sig-file> <pubkey-file>
|
|
16
|
+
|
|
17
|
+
const fs = require("node:fs");
|
|
18
|
+
const crypto = require("node:crypto");
|
|
19
|
+
|
|
20
|
+
function fail(message) {
|
|
21
|
+
process.stderr.write(`verify-verdict-signature: ${message}\n`);
|
|
22
|
+
process.exit(1);
|
|
23
|
+
}
|
|
24
|
+
|
|
25
|
+
const [, , verdictPath, sigPath, pubkeyPath] = process.argv;
|
|
26
|
+
if (!verdictPath || !sigPath || !pubkeyPath) {
|
|
27
|
+
process.stderr.write("usage: verify-verdict-signature.js <verdict-file> <sig-file> <pubkey-file>\n");
|
|
28
|
+
process.exit(2);
|
|
29
|
+
}
|
|
30
|
+
|
|
31
|
+
let message;
|
|
32
|
+
try {
|
|
33
|
+
message = fs.readFileSync(verdictPath);
|
|
34
|
+
} catch (error) {
|
|
35
|
+
fail(`cannot read verdict file ${verdictPath}: ${error.message}`);
|
|
36
|
+
}
|
|
37
|
+
|
|
38
|
+
let signature;
|
|
39
|
+
try {
|
|
40
|
+
signature = Buffer.from(fs.readFileSync(sigPath, "utf8").trim(), "base64");
|
|
41
|
+
if (signature.length === 0) fail(`signature file ${sigPath} is empty`);
|
|
42
|
+
} catch (error) {
|
|
43
|
+
fail(`cannot read signature file ${sigPath}: ${error.message}`);
|
|
44
|
+
}
|
|
45
|
+
|
|
46
|
+
let publicKey;
|
|
47
|
+
try {
|
|
48
|
+
publicKey = crypto.createPublicKey(fs.readFileSync(pubkeyPath, "utf8"));
|
|
49
|
+
} catch (error) {
|
|
50
|
+
fail(`cannot read public key ${pubkeyPath}: ${error.message}`);
|
|
51
|
+
}
|
|
52
|
+
|
|
53
|
+
let ok = false;
|
|
54
|
+
try {
|
|
55
|
+
ok = crypto.verify(null, message, publicKey, signature);
|
|
56
|
+
} catch (error) {
|
|
57
|
+
fail(`verification error: ${error.message}`);
|
|
58
|
+
}
|
|
59
|
+
|
|
60
|
+
if (!ok) fail(`signature does not match ${verdictPath} (tampered, wrong key, or not a real signature)`);
|
|
61
|
+
process.exit(0);
|
|
@@ -62,16 +62,16 @@ Use this loop to explain workflow progress when reporting status.
|
|
|
62
62
|
## Operating Loop
|
|
63
63
|
|
|
64
64
|
1. Pick or create a workflow.
|
|
65
|
-
2. `
|
|
65
|
+
2. `cw plan <workflow-id> ...` from the plugin root (or the
|
|
66
66
|
absolute plugin script path).
|
|
67
|
-
3. `
|
|
67
|
+
3. `cw dispatch <run-id> --limit N` to create a dispatch
|
|
68
68
|
manifest for the current phase. Add `--sandbox <profile-id>` when an explicit
|
|
69
69
|
worker policy profile is needed.
|
|
70
70
|
4. If — and only if — the user explicitly asked for agents, spawn one subagent
|
|
71
71
|
per dispatched task with disjoint scopes.
|
|
72
72
|
5. Save each subagent summary to `.cw/runs/<run-id>/results/<task-id>.md`.
|
|
73
|
-
6. `
|
|
74
|
-
7. When all required work is complete, `
|
|
73
|
+
6. `cw result <run-id> <task-id> <result-file>`.
|
|
74
|
+
7. When all required work is complete, `cw report <run-id>`.
|
|
75
75
|
8. Synthesize the final user-facing answer from the report and verified
|
|
76
76
|
evidence.
|
|
77
77
|
|
|
@@ -114,11 +114,11 @@ report chain. See `references/commands.md` for the exact invocations.
|
|
|
114
114
|
## Essential Commands
|
|
115
115
|
|
|
116
116
|
```bash
|
|
117
|
-
|
|
118
|
-
|
|
119
|
-
|
|
120
|
-
|
|
121
|
-
|
|
117
|
+
cw list
|
|
118
|
+
cw plan architecture-review --repo /path/to/repo --question "Is this architecture sound?"
|
|
119
|
+
cw dispatch <run-id> --limit 6
|
|
120
|
+
cw result <run-id> <task-id> /path/to/result.md
|
|
121
|
+
cw report <run-id> --show
|
|
122
122
|
```
|
|
123
123
|
|
|
124
124
|
When working in this repository, the plugin root is `plugins/cool-workflow`.
|
|
@@ -26,19 +26,20 @@ absolute plugin script path. Run data is written to `.cw/runs/<run-id>/` under
|
|
|
26
26
|
## Discovery & apps
|
|
27
27
|
|
|
28
28
|
```bash
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
29
|
+
cw list
|
|
30
|
+
cw search architecture
|
|
31
|
+
cw app list
|
|
32
|
+
cw app show architecture-review
|
|
33
|
+
cw app show pr-review-fix-ci
|
|
34
|
+
cw app show release-cut
|
|
35
|
+
cw app show research-synthesis
|
|
36
|
+
cw app validate apps/architecture-review/app.json
|
|
37
|
+
cw app show workflow-app-framework-demo
|
|
38
|
+
cw app validate apps/workflow-app-framework-demo/app.json
|
|
39
|
+
cw app validate end-to-end-golden-path
|
|
40
|
+
cw app package workflow-app-framework-demo
|
|
41
|
+
cw app init my-app --title "My App"
|
|
42
|
+
cw init my-workflow --title "My Workflow"
|
|
42
43
|
```
|
|
43
44
|
|
|
44
45
|
The canonical app ids are `architecture-review`, `pr-review-fix-ci`,
|
|
@@ -62,16 +63,16 @@ harness; the reviewer is delegated via `CW_AGENT_COMMAND`/`CW_AGENT_ENDPOINT`
|
|
|
62
63
|
## Plan / dispatch / result / report
|
|
63
64
|
|
|
64
65
|
```bash
|
|
65
|
-
|
|
66
|
-
|
|
67
|
-
|
|
68
|
-
|
|
69
|
-
|
|
70
|
-
|
|
71
|
-
|
|
72
|
-
|
|
73
|
-
|
|
74
|
-
|
|
66
|
+
cw plan architecture-review --repo /path/to/repo --question "Is this architecture sound?"
|
|
67
|
+
cw status <run-id>
|
|
68
|
+
cw status <run-id> --json
|
|
69
|
+
cw graph <run-id>
|
|
70
|
+
cw graph <run-id> --json
|
|
71
|
+
cw dispatch <run-id> --limit 6
|
|
72
|
+
cw dispatch <run-id> --sandbox readonly
|
|
73
|
+
cw result <run-id> <task-id> /path/to/result.md
|
|
74
|
+
cw report <run-id>
|
|
75
|
+
cw report <run-id> --show
|
|
75
76
|
```
|
|
76
77
|
|
|
77
78
|
Operator UX is human-readable by default for `status`, `graph`, report
|
|
@@ -87,12 +88,12 @@ role, group, fanout/fanin, blackboard, coordinator, candidate, commit, and audit
|
|
|
87
88
|
records — deterministic recipes, not hidden autonomous coordination.
|
|
88
89
|
|
|
89
90
|
```bash
|
|
90
|
-
|
|
91
|
-
|
|
92
|
-
|
|
93
|
-
|
|
94
|
-
|
|
95
|
-
|
|
91
|
+
cw topology list
|
|
92
|
+
cw topology show map-reduce
|
|
93
|
+
cw topology validate map-reduce
|
|
94
|
+
cw topology apply <run-id> map-reduce --task task-id --mapper-count 2
|
|
95
|
+
cw topology summary <run-id>
|
|
96
|
+
cw topology graph <run-id>
|
|
96
97
|
```
|
|
97
98
|
|
|
98
99
|
## Multi-agent host surface
|
|
@@ -103,22 +104,22 @@ plumbing. It wraps the topology, multi-agent, blackboard, candidate, commit, and
|
|
|
103
104
|
audit primitives; it does not replace them.
|
|
104
105
|
|
|
105
106
|
```bash
|
|
106
|
-
|
|
107
|
-
|
|
108
|
-
|
|
109
|
-
|
|
110
|
-
|
|
111
|
-
|
|
107
|
+
cw multi-agent run <run-id> --topology judge-panel --task task-id
|
|
108
|
+
cw multi-agent status <run-id>
|
|
109
|
+
cw multi-agent step <run-id> --sandbox readonly
|
|
110
|
+
cw multi-agent blackboard <run-id> summary
|
|
111
|
+
cw multi-agent score <run-id> candidate-id --criterion correctness=1 --evidence ref
|
|
112
|
+
cw multi-agent select <run-id> candidate-id --reason "verified winner"
|
|
112
113
|
```
|
|
113
114
|
|
|
114
115
|
Operator views (who depends on whom, who is blocked, which evidence was adopted):
|
|
115
116
|
|
|
116
117
|
```bash
|
|
117
|
-
|
|
118
|
-
|
|
119
|
-
|
|
120
|
-
|
|
121
|
-
|
|
118
|
+
cw multi-agent summary <run-id>
|
|
119
|
+
cw multi-agent graph <run-id>
|
|
120
|
+
cw multi-agent dependencies <run-id>
|
|
121
|
+
cw multi-agent failures <run-id>
|
|
122
|
+
cw multi-agent evidence <run-id>
|
|
122
123
|
```
|
|
123
124
|
|
|
124
125
|
State Explosion Management — when a run grows too large to read, use derived,
|
|
@@ -126,11 +127,11 @@ provenance-backed digests (they never delete raw records and fail closed when
|
|
|
126
127
|
stale; every synthetic node carries source ids and an expansion command):
|
|
127
128
|
|
|
128
129
|
```bash
|
|
129
|
-
|
|
130
|
-
|
|
131
|
-
|
|
132
|
-
|
|
133
|
-
|
|
130
|
+
cw summary refresh <run-id>
|
|
131
|
+
cw summary show <run-id>
|
|
132
|
+
cw blackboard summarize <run-id>
|
|
133
|
+
cw multi-agent summarize <run-id>
|
|
134
|
+
cw multi-agent graph <run-id> --view compact|critical-path|failures|... [--focus <id>] [--depth <n>]
|
|
134
135
|
```
|
|
135
136
|
|
|
136
137
|
Trust / Policy / Audit — inspect role authority, message provenance, blackboard
|
|
@@ -138,11 +139,11 @@ write decisions, judge rationale, panel decisions, and why a result is trusted
|
|
|
138
139
|
(missing policy/evidence/provenance/rationale fail closed):
|
|
139
140
|
|
|
140
141
|
```bash
|
|
141
|
-
|
|
142
|
-
|
|
143
|
-
|
|
144
|
-
|
|
145
|
-
|
|
142
|
+
cw audit multi-agent <run-id>
|
|
143
|
+
cw audit policy <run-id>
|
|
144
|
+
cw audit role <run-id>
|
|
145
|
+
cw audit blackboard <run-id>
|
|
146
|
+
cw audit judge <run-id>
|
|
146
147
|
```
|
|
147
148
|
|
|
148
149
|
## Multi-agent low-level state
|
|
@@ -154,12 +155,12 @@ transitions, duplicate memberships, ambiguous dispatch attachment, and missing
|
|
|
154
155
|
fanin evidence fail closed.
|
|
155
156
|
|
|
156
157
|
```bash
|
|
157
|
-
|
|
158
|
-
|
|
159
|
-
|
|
160
|
-
|
|
161
|
-
|
|
162
|
-
|
|
158
|
+
cw multi-agent run <run-id> --id ma --objective "coordinated work"
|
|
159
|
+
cw multi-agent role <run-id> role --multi-agent-run ma --responsibility "do work" --required-evidence "result evidence"
|
|
160
|
+
cw multi-agent group <run-id> group --multi-agent-run ma --task task-id
|
|
161
|
+
cw multi-agent fanout <run-id> fanout --group group --reason "split work" --role role --task task-id
|
|
162
|
+
cw dispatch <run-id> --multi-agent-run ma --multi-agent-group group --multi-agent-role role --multi-agent-fanout fanout
|
|
163
|
+
cw multi-agent fanin <run-id> fanin --group group --fanout fanout --required-role role
|
|
163
164
|
```
|
|
164
165
|
|
|
165
166
|
## Eval & replay
|
|
@@ -168,12 +169,12 @@ Use when a topology-backed multi-agent run needs release-gate evidence.
|
|
|
168
169
|
Artifacts live under `.cw/evals/<suite-id>/` as plain JSON plus `report.md`.
|
|
169
170
|
|
|
170
171
|
```bash
|
|
171
|
-
|
|
172
|
-
|
|
173
|
-
|
|
174
|
-
|
|
175
|
-
|
|
176
|
-
|
|
172
|
+
cw eval snapshot <run-id> --id suite-id
|
|
173
|
+
cw eval replay .cw/evals/suite-id/snapshot.json
|
|
174
|
+
cw eval compare .cw/evals/suite-id/snapshot.json .cw/evals/suite-id/replay-run.json
|
|
175
|
+
cw eval score .cw/evals/suite-id/replay-run.json
|
|
176
|
+
cw eval gate .cw/evals/suite-id
|
|
177
|
+
cw eval report .cw/evals/suite-id/replay-run.json
|
|
177
178
|
```
|
|
178
179
|
|
|
179
180
|
## Blackboard & coordinator
|
|
@@ -183,14 +184,14 @@ context frames, artifact refs, snapshots, and coordinator decisions under
|
|
|
183
184
|
`.cw/runs/<run-id>/blackboard/`.
|
|
184
185
|
|
|
185
186
|
```bash
|
|
186
|
-
|
|
187
|
-
|
|
188
|
-
|
|
189
|
-
|
|
190
|
-
|
|
191
|
-
|
|
192
|
-
|
|
193
|
-
|
|
187
|
+
cw blackboard summary <run-id>
|
|
188
|
+
cw blackboard topic create <run-id> --id topic --title "Shared context"
|
|
189
|
+
cw blackboard message post <run-id> --topic topic --body "message"
|
|
190
|
+
cw blackboard context put <run-id> --topic topic --kind fact --key finding --value "evidence-backed fact"
|
|
191
|
+
cw blackboard artifact add <run-id> --topic topic --path /path/to/result.md --kind worker-result
|
|
192
|
+
cw blackboard snapshot <run-id>
|
|
193
|
+
cw coordinator summary <run-id>
|
|
194
|
+
cw coordinator decision <run-id> --kind conflict-resolution --outcome accepted --reason "evidence supports this"
|
|
194
195
|
```
|
|
195
196
|
|
|
196
197
|
## Sandbox profiles
|
|
@@ -201,10 +202,10 @@ CW enforces profile validation and worker result acceptance; the agent host
|
|
|
201
202
|
enforces OS/process/network/environment controls.
|
|
202
203
|
|
|
203
204
|
```bash
|
|
204
|
-
|
|
205
|
-
|
|
206
|
-
|
|
207
|
-
|
|
205
|
+
cw sandbox list
|
|
206
|
+
cw sandbox show readonly
|
|
207
|
+
cw sandbox validate ./site-sandbox.json
|
|
208
|
+
cw worker manifest <run-id> <worker-id>
|
|
208
209
|
```
|
|
209
210
|
|
|
210
211
|
## Commit, state & summaries
|
|
@@ -214,14 +215,14 @@ dry-runs migration and normalization; newer unsupported schemas fail closed and
|
|
|
214
215
|
unknown user data is preserved.
|
|
215
216
|
|
|
216
217
|
```bash
|
|
217
|
-
|
|
218
|
-
|
|
219
|
-
|
|
220
|
-
|
|
221
|
-
|
|
222
|
-
|
|
223
|
-
|
|
224
|
-
|
|
218
|
+
cw commit <run-id> --verifier <node-id> --reason "verified result"
|
|
219
|
+
cw commit <run-id> --selection <selection-id> --reason "verified winner"
|
|
220
|
+
cw commit <run-id> --allow-unverified-checkpoint --reason "manual checkpoint"
|
|
221
|
+
cw worker summary <run-id>
|
|
222
|
+
cw candidate summary <run-id>
|
|
223
|
+
cw feedback summary <run-id>
|
|
224
|
+
cw commit summary <run-id>
|
|
225
|
+
cw state check <run-id>
|
|
225
226
|
```
|
|
226
227
|
|
|
227
228
|
## Scheduling & routines
|
|
@@ -232,12 +233,12 @@ prompt is handled. `routine create`/`routine fire` handle API/GitHub trigger
|
|
|
232
233
|
events.
|
|
233
234
|
|
|
234
235
|
```bash
|
|
235
|
-
|
|
236
|
-
|
|
237
|
-
|
|
238
|
-
|
|
239
|
-
|
|
240
|
-
|
|
236
|
+
cw loop --intervalMinutes 30 --prompt "Continue this workflow."
|
|
237
|
+
cw schedule create --kind loop --intervalMinutes 30 --prompt "Continue this workflow."
|
|
238
|
+
cw schedule due
|
|
239
|
+
cw schedule daemon --once
|
|
240
|
+
cw routine create --kind github --prompt "Handle this GitHub event."
|
|
241
|
+
cw routine fire github payload.json
|
|
241
242
|
```
|
|
242
243
|
|
|
243
244
|
## Release & maintenance npm scripts
|
package/ui/workbench/app.css
CHANGED
|
@@ -12,6 +12,20 @@
|
|
|
12
12
|
--absent: #d29922;
|
|
13
13
|
--bad: #f85149;
|
|
14
14
|
}
|
|
15
|
+
@media (prefers-color-scheme: light) {
|
|
16
|
+
:root {
|
|
17
|
+
--bg: #f6f7f9;
|
|
18
|
+
--panel: #ffffff;
|
|
19
|
+
--panel-2: #eef0f4;
|
|
20
|
+
--ink: #1b1f27;
|
|
21
|
+
--muted: #5b6472;
|
|
22
|
+
--line: #d7dce4;
|
|
23
|
+
--accent: #1a6fd6;
|
|
24
|
+
--present: #1a7f37;
|
|
25
|
+
--absent: #9a6700;
|
|
26
|
+
--bad: #cf222e;
|
|
27
|
+
}
|
|
28
|
+
}
|
|
15
29
|
* { box-sizing: border-box; }
|
|
16
30
|
body {
|
|
17
31
|
margin: 0;
|
|
@@ -45,8 +59,17 @@ input[type="search"] {
|
|
|
45
59
|
}
|
|
46
60
|
.run-list li:hover { border-color: var(--accent); }
|
|
47
61
|
.run-list li.active { border-color: var(--accent); background: var(--panel-2); }
|
|
48
|
-
.run-list .rid { font-family: ui-monospace, monospace; font-size: 12px; }
|
|
62
|
+
.run-list .rid { font-family: ui-monospace, monospace; font-size: 12px; display: flex; align-items: center; gap: 6px; }
|
|
49
63
|
.run-list .meta { color: var(--muted); font-size: 11px; margin-top: 2px; }
|
|
64
|
+
.status-dot {
|
|
65
|
+
display: inline-block; width: 8px; height: 8px; border-radius: 50%; flex: none;
|
|
66
|
+
background: var(--muted);
|
|
67
|
+
}
|
|
68
|
+
.status-dot.running { background: var(--accent); }
|
|
69
|
+
.status-dot.completed { background: var(--present); }
|
|
70
|
+
.status-dot.queued, .status-dot.archived, .status-dot.reclaimed { background: var(--muted); }
|
|
71
|
+
.status-dot.blocked { background: var(--absent); }
|
|
72
|
+
.status-dot.failed { background: var(--bad); }
|
|
50
73
|
.detail { overflow-y: auto; padding: 16px 20px; }
|
|
51
74
|
.detail .empty { color: var(--muted); }
|
|
52
75
|
.tabs { display: flex; gap: 6px; flex-wrap: wrap; border-bottom: 1px solid var(--line); padding-bottom: 8px; margin-bottom: 12px; }
|
|
@@ -74,3 +97,16 @@ pre.json {
|
|
|
74
97
|
.kv { display: flex; gap: 16px; flex-wrap: wrap; padding: 8px 12px; font-size: 12px; color: var(--muted); }
|
|
75
98
|
.kv b { color: var(--ink); font-weight: 600; }
|
|
76
99
|
.err { color: var(--bad); }
|
|
100
|
+
.struct-block { padding: 10px 12px; border-top: 1px solid var(--line); }
|
|
101
|
+
.struct-block:first-child { border-top: none; }
|
|
102
|
+
.struct-block .struct-title { font-size: 11px; text-transform: uppercase; letter-spacing: 0.04em; color: var(--muted); margin-bottom: 6px; }
|
|
103
|
+
.struct-table { width: 100%; border-collapse: collapse; font-size: 12px; }
|
|
104
|
+
.struct-table th, .struct-table td {
|
|
105
|
+
text-align: left; padding: 4px 8px; border-bottom: 1px solid var(--line);
|
|
106
|
+
font-family: ui-monospace, SFMono-Regular, Menlo, monospace; vertical-align: top;
|
|
107
|
+
}
|
|
108
|
+
.struct-table th { color: var(--muted); font-weight: 400; }
|
|
109
|
+
.struct-edges { list-style: none; margin: 0; padding: 0; font-size: 12px; font-family: ui-monospace, SFMono-Regular, Menlo, monospace; }
|
|
110
|
+
.struct-edges li { padding: 3px 0; }
|
|
111
|
+
.struct-edges .arrow { color: var(--muted); padding: 0 6px; }
|
|
112
|
+
.struct-empty { color: var(--muted); font-size: 12px; }
|