cool-workflow 0.2.4 → 0.2.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (155) hide show
  1. package/.claude-plugin/plugin.json +1 -1
  2. package/.codex-plugin/plugin.json +1 -1
  3. package/.gemini-plugin/mcp.json +10 -0
  4. package/.gemini-plugin/plugin.json +40 -0
  5. package/.opencode-plugin/mcp.json +10 -0
  6. package/.opencode-plugin/plugin.json +40 -0
  7. package/README.md +204 -48
  8. package/apps/architecture-review/app.json +1 -1
  9. package/apps/architecture-review-fast/app.json +1 -1
  10. package/apps/end-to-end-golden-path/app.json +1 -1
  11. package/apps/pr-review-fix-ci/app.json +1 -1
  12. package/apps/release-cut/app.json +1 -1
  13. package/apps/research-synthesis/app.json +1 -1
  14. package/dist/cli/dispatch.js +32 -4
  15. package/dist/cli/entry.js +11 -19
  16. package/dist/cli/global-flags.js +113 -0
  17. package/dist/cli/parseargv.js +7 -1
  18. package/dist/core/capability-data.js +337 -8
  19. package/dist/core/format/help.js +73 -3
  20. package/dist/core/format/recovery-hint.js +32 -0
  21. package/dist/core/multi-agent/collaboration.js +35 -6
  22. package/dist/core/multi-agent/runtime.js +7 -0
  23. package/dist/core/multi-agent/trust-policy.js +7 -1
  24. package/dist/core/pipeline/contract.js +7 -0
  25. package/dist/core/pipeline/error-feedback.js +2 -2
  26. package/dist/core/state/run-paths.js +3 -30
  27. package/dist/core/trust/evidence-grounding.js +13 -1
  28. package/dist/core/util/cli-args.js +22 -0
  29. package/dist/core/version.js +1 -1
  30. package/dist/mcp/dispatch.js +22 -2
  31. package/dist/mcp/server.js +215 -36
  32. package/dist/mcp/tool-process.js +181 -0
  33. package/dist/mcp-server.js +28 -1
  34. package/dist/shell/agent-config.js +11 -2
  35. package/dist/shell/audit-cli.js +1 -1
  36. package/dist/shell/commit.js +8 -2
  37. package/dist/shell/coordinator-io.js +73 -1
  38. package/dist/shell/drive.js +195 -128
  39. package/dist/shell/error-feedback-io.js +6 -0
  40. package/dist/shell/execution-backend/agent.js +201 -26
  41. package/dist/shell/execution-backend/container.js +44 -10
  42. package/dist/shell/execution-backend/local.js +33 -0
  43. package/dist/shell/fs-atomic.js +96 -12
  44. package/dist/shell/ledger-cli.js +9 -2
  45. package/dist/shell/metrics-cli.js +1 -1
  46. package/dist/shell/multi-agent-cli.js +9 -2
  47. package/dist/shell/multi-agent-operator-ux.js +1 -1
  48. package/dist/shell/observability.js +7 -4
  49. package/dist/shell/onramp.js +48 -5
  50. package/dist/shell/operator-ux.js +1 -1
  51. package/dist/shell/perf-trace.js +136 -0
  52. package/dist/shell/pipeline.js +3 -2
  53. package/dist/shell/reclamation-io.js +10 -9
  54. package/dist/shell/report-view-cli.js +2 -0
  55. package/dist/shell/run-export-cli.js +5 -2
  56. package/dist/shell/run-export.js +293 -31
  57. package/dist/shell/run-registry-io.js +8 -0
  58. package/dist/shell/run-store.js +183 -3
  59. package/dist/shell/scheduler-io.js +101 -10
  60. package/dist/shell/state-explosion-cli.js +4 -1
  61. package/dist/shell/telemetry-demo.js +1 -1
  62. package/dist/shell/telemetry-ledger-io.js +36 -24
  63. package/dist/shell/trust-audit.js +178 -36
  64. package/dist/shell/workbench-host.js +121 -10
  65. package/dist/shell/workbench.js +83 -6
  66. package/dist/shell/worker-isolation.js +1 -1
  67. package/dist/wiring/capability-table/basics.js +5 -0
  68. package/dist/wiring/capability-table/exec-backend.js +40 -22
  69. package/dist/wiring/capability-table/parity.js +10 -5
  70. package/dist/wiring/capability-table/pipeline.js +32 -0
  71. package/dist/wiring/capability-table/registry-core.js +26 -3
  72. package/dist/wiring/capability-table/reporting.js +7 -1
  73. package/dist/wiring/capability-table/scheduling-registry.js +8 -2
  74. package/dist/wiring/capability-table/trust-ledger.js +54 -12
  75. package/docs/agent-delegation-drive.7.md +17 -0
  76. package/docs/cli-mcp-parity.7.md +46 -5
  77. package/docs/contract-migration-tooling.7.md +4 -0
  78. package/docs/control-plane-scheduling.7.md +38 -0
  79. package/docs/cross-agent-ledger.7.md +20 -8
  80. package/docs/durable-state-and-locking.7.md +4 -0
  81. package/docs/evidence-adoption-reasoning-chain.7.md +4 -0
  82. package/docs/execution-backends.7.md +4 -0
  83. package/docs/fix.7.md +4 -4
  84. package/docs/getting-started.md +40 -32
  85. package/docs/index.md +17 -0
  86. package/docs/launch/demo.tape +4 -3
  87. package/docs/mcp-app-surface.7.md +27 -0
  88. package/docs/multi-agent-cli-mcp-surface.7.md +4 -0
  89. package/docs/multi-agent-eval-replay-harness.7.md +4 -0
  90. package/docs/multi-agent-operator-ux.7.md +4 -0
  91. package/docs/node-snapshot-diff-replay.7.md +4 -0
  92. package/docs/observability-cost-accounting.7.md +4 -0
  93. package/docs/project-index.md +53 -9
  94. package/docs/real-execution-backends.7.md +4 -0
  95. package/docs/release-and-migration.7.md +4 -0
  96. package/docs/release-tooling.7.md +12 -0
  97. package/docs/routine.7.md +22 -0
  98. package/docs/run-registry-control-plane.7.md +37 -9
  99. package/docs/run-retention-reclamation.7.md +12 -4
  100. package/docs/state-explosion-management.7.md +4 -0
  101. package/docs/team-collaboration.7.md +4 -0
  102. package/docs/trust-audit-anchor.7.md +4 -0
  103. package/docs/web-desktop-workbench.7.md +72 -2
  104. package/docs/workflow-app-framework.7.md +31 -0
  105. package/manifest/plugin.manifest.json +1 -1
  106. package/manifest/source-context-profiles.json +4 -3
  107. package/package.json +6 -3
  108. package/scripts/agents/agent-adapter-core.js +26 -0
  109. package/scripts/agents/claude-p-agent.js +4 -1
  110. package/scripts/agents/codex-agent.js +4 -0
  111. package/scripts/agents/cw-attest-wrap.js +1 -1
  112. package/scripts/agents/gemini-agent.js +4 -0
  113. package/scripts/agents/opencode-agent.js +5 -0
  114. package/scripts/block-unapproved-tag.js +160 -0
  115. package/scripts/canonical-apps.js +4 -4
  116. package/scripts/children/batch-delegate-child.js +72 -4
  117. package/scripts/children/http-batch-delegate-child.js +132 -0
  118. package/scripts/children/http-delegate-child.js +8 -0
  119. package/scripts/dogfood-release.js +2 -2
  120. package/scripts/fake-date-for-reproduction.js +1 -1
  121. package/scripts/gen-manifests.js +32 -61
  122. package/scripts/golden-path.js +4 -4
  123. package/scripts/lang-policy-check.js +82 -0
  124. package/scripts/parity-check.js +42 -23
  125. package/scripts/purity-baseline.json +0 -3
  126. package/scripts/purity-gate.js +16 -3
  127. package/scripts/release-check.js +2 -1
  128. package/scripts/release-flow.js +169 -41
  129. package/scripts/release-gate.js +208 -0
  130. package/scripts/release-oneclick.js +38 -7
  131. package/scripts/release-tags.js +47 -0
  132. package/scripts/schema-version-inventory.json +31 -0
  133. package/scripts/validate-run-state-schema.js +95 -4
  134. package/scripts/verdict-keygen.js +2 -2
  135. package/scripts/verify-bump-reproduction.js +193 -0
  136. package/scripts/verify-release-verdict.js +139 -0
  137. package/scripts/verify-verdict-signature.js +1 -1
  138. package/ui/workbench/app.css +50 -10
  139. package/ui/workbench/app.js +269 -34
  140. package/ui/workbench/index.html +4 -2
  141. package/ui/workbench/inspection.js +51 -0
  142. package/ui/workbench/navigation.js +44 -0
  143. package/docs/agent-framework.md +0 -177
  144. package/docs/designs/handoff-ledger.md +0 -145
  145. package/docs/dogfood/resume-drive-real-agent-2026-06-14.md +0 -40
  146. package/docs/launch/launch-kit.md +0 -195
  147. package/docs/launch/pre-launch-checklist.md +0 -53
  148. package/docs/readme-v0.1.87-full.md +0 -301
  149. package/docs/routines.md +0 -101
  150. package/docs/scheduled-tasks.md +0 -80
  151. package/scripts/agents/claude-p-agent.sh +0 -9
  152. package/scripts/block-unapproved-tag.sh +0 -75
  153. package/scripts/release-gate.sh +0 -94
  154. package/scripts/verify-bump-reproduction.sh +0 -148
  155. package/scripts/verify-container-selfref.js +0 -64
@@ -1,301 +0,0 @@
1
- <div align="center">
2
-
3
- # Cool Workflow
4
-
5
- **Point an AI coding agent at a repo, get a saved report with real citations — not a chat message you lose.**
6
-
7
- [![CI](https://img.shields.io/github/actions/workflow/status/coo1white/cool-workflow/ci.yml?branch=main&style=flat-square&label=CI)](https://github.com/coo1white/cool-workflow/actions/workflows/ci.yml)
8
- [![npm](https://img.shields.io/npm/v/cool-workflow?style=flat-square&label=npm&color=cb3837)](https://www.npmjs.com/package/cool-workflow)
9
- [![downloads](https://img.shields.io/npm/dm/cool-workflow?style=flat-square&label=downloads)](https://www.npmjs.com/package/cool-workflow)
10
- [![provenance](https://img.shields.io/badge/npm-provenance-3178C6?style=flat-square)](https://www.npmjs.com/package/cool-workflow)
11
- [![release](https://img.shields.io/github/v/tag/coo1white/cool-workflow?style=flat-square&label=release&color=brightgreen&sort=semver)](https://github.com/coo1white/cool-workflow/tags)
12
- [![license](https://img.shields.io/badge/license-BSD--2--Clause-blue?style=flat-square)](LICENSE)
13
-
14
- <img src="docs/assets/cool-workflow-readme-promo.png" alt="Cool Workflow turns AI agent repo questions into saved, cited, tamper-evident reports." width="100%">
15
-
16
- </div>
17
-
18
- ## What is this, really?
19
-
20
- You put a question to an AI coding agent, it gives an answer in the chat, and
21
- then the answer is gone. Next week you put the same question and have to start
22
- all over again.
23
-
24
- **Cool Workflow (CW) makes that lost question into a kept job.** You point it at
25
- a code store with a question like *"what are the security risks here?"* It runs
26
- your AI agent over all the code in ordered steps and puts a **report file** on
27
- disk — every point backed by an exact `file.js:42` pointer to the line. You are
28
- able to run it again, give it to others, and even give proof that the report was
29
- not changed by anyone.
30
-
31
- ```
32
- you ask once CW gives you
33
- "what are the risks in my repo?" → a saved report.md with
34
- cited findings, repeatable
35
- ```
36
-
37
- It does **not** run the AI model itself. You give your own agent (for one, the
38
- `claude` command line) and CW keeps it working, makes a record of what took
39
- place, and checks the answer. Take CW as the *project manager*, and your agent
40
- as the *worker*.
41
-
42
- > New to this? You're in the right place — this README is a step-by-step start.
43
- > Deeper/advanced docs live in the [wiki](https://github.com/coo1white/cool-workflow/wiki).
44
-
45
- ---
46
-
47
- ## Project rule
48
-
49
- CW should stay a small, trusted tool, not a platform.
50
-
51
- ```text
52
- ask simple -> run simple -> verify simple -> resume simple
53
- ```
54
-
55
- The engineering base is FreeBSD-like: POLA first, fail closed, no silent
56
- fallback, stdout as data, stderr as diagnostics, and documented stable
57
- surfaces. The user-facing spirit is close to Homebrew: a small command
58
- surface, a strong `doctor` check, and clear next steps when a run is
59
- blocked or a report does not verify.
60
-
61
- That means CW should hide orchestration detail behind clear commands,
62
- keep `.cw/` state open to check, make recovery boring, and prefer a
63
- small tool that can be trusted over a broad agent platform.
64
-
65
- ---
66
-
67
- ## What you need
68
-
69
- 1. **Node.js** (v18+). Make a check with `node --version`.
70
- 2. **An AI agent on the command line.** The most simple is **Claude Code** —
71
- after you put it in you will have a `claude` command. Make a check with
72
- `claude --version`. (CW also works with `codex`, or any command/HTTP agent —
73
- but make your start with `claude`.)
74
-
75
- > No agent yet? You are still able to **see CW work** (next part, step 1)
76
- > without one. The full report needs an agent, because CW never makes a call to
77
- > a model itself.
78
-
79
- ---
80
-
81
- ## Quick start (3 steps)
82
-
83
- ### 1. See it run — no install, no agent, no API key
84
-
85
- ```bash
86
- npx cool-workflow demo tamper
87
- ```
88
-
89
- This gives proof of CW's chief trick in 30 seconds (more on that
90
- [below](#can-i-trust-the-report)). If you see `VERDICT: tamper-evidence holds ✓`,
91
- all is working.
92
-
93
- Not sure what to run next?
94
-
95
- ```bash
96
- npx cool-workflow doctor --onramp
97
- ```
98
-
99
- This prints the short path for a first run, the fast checks for source work, and
100
- the full gate to use before a release.
101
-
102
- From a source checkout, use:
103
-
104
- ```bash
105
- cd plugins/cool-workflow
106
- node scripts/cw.js doctor --onramp --changed-from origin/main
107
- ```
108
-
109
- ### 2. Check, then run a real review on your own repo
110
-
111
- First make a zero-write check. It does not make a run, write `.cw/`, or call
112
- your agent:
113
-
114
- ```bash
115
- npx cool-workflow quickstart architecture-review --check \
116
- --repo /path/to/your/project \
117
- --question "What are the main risks in this codebase?" \
118
- --agent-command builtin:claude
119
- ```
120
-
121
- If the check is good, run the review:
122
-
123
- ```bash
124
- npx cool-workflow quickstart architecture-review \
125
- --repo /path/to/your/project \
126
- --question "What are the main risks in this codebase?" \
127
- --agent-command builtin:claude
128
- ```
129
-
130
- If the report has to go to someone else, make the checked bundle in the same
131
- run:
132
-
133
- ```bash
134
- npx cool-workflow quickstart architecture-review \
135
- --repo /path/to/your/project \
136
- --question "What are the main risks in this codebase?" \
137
- --agent-command builtin:claude \
138
- --bundle
139
- ```
140
-
141
- - `--repo` — the folder you have a wish to get looked at.
142
- - `--question` — what you have a wish to be certain of.
143
- - `--agent-command builtin:claude` — make use of the Claude wrapper that comes
144
- with it (read-only; it never makes changes to your code).
145
- - `--agent-command builtin:codex` — make use of the Codex wrapper that comes
146
- with it (read-only; it never makes changes to your code).
147
-
148
- CW makes a plan of the work, keeps your agent working over your repo in steps,
149
- and gives out where it kept the report. For a living view in the window while
150
- every worker is at work, take it up with `CW_AGENT_STREAM=1`; the view goes to
151
- stderr only and the kept answer is not changed.
152
-
153
- > **No agent put in place?** CW comes to a safe stop and says so
154
- > (`status: blocked`) — it never makes up an answer. Put in `claude` and run it
155
- > again.
156
-
157
- ### 3. Read the report
158
-
159
- ```bash
160
- cat /path/to/your/project/.cw/runs/<run-id>/report.md
161
- ```
162
-
163
- You get a short account, ordered points, and **clickable pointers** like
164
- `src/server.js:18` for every point made — so you are able to make a check of
165
- each one yourself.
166
-
167
- ---
168
-
169
- ## Install it (optional)
170
-
171
- `npx` is ever working with no need to put it in. To get the short `cw` command
172
- everywhere:
173
-
174
- ```bash
175
- npm install -g cool-workflow # then use: cw … instead of npx cool-workflow …
176
- ```
177
-
178
- ---
179
-
180
- ## What else can it do?
181
-
182
- CW comes with a number of ready-made "jobs" (run `cw list` to see them all):
183
-
184
- | Command | What it does |
185
- |---|---|
186
- | `architecture-review` | Make a map of a repo's structure and put its true risks in order, with facts. |
187
- | `pr-review-fix-ci` | Go over a pull request, put forward fixes, make a check of CI. |
188
- | `research-synthesis` | Get together and make into one a fact-backed answer to a question. |
189
- | `release-cut` | Keep a gated, gone-over release moving. |
190
-
191
- It also puts the same acts out over **MCP**, so editors like Claude Desktop /
192
- Cursor / VS Code are able to make a call to CW as a tool. See the
193
- [wiki](https://github.com/coo1white/cool-workflow/wiki) for that and for
194
- multi-agent runs.
195
-
196
- ---
197
-
198
- ## Can I trust the report?
199
-
200
- This is what makes CW not the same as the rest. Because CW only *gives the work
201
- over* to your agent, it keeps a record of every step that makes any false change
202
- come to light: every agent's given token use is signed by secret-key science and
203
- chained by hash, so **changing the record after the fact has the chain broken** —
204
- and anyone is able to make the check again offline with only a public key.
205
-
206
- See it for yourself — the `demo tamper` from step 1 makes a false record in two
207
- ways and gets both:
208
-
209
- ```text
210
- ▶ LEDGER tamper
211
- after: ✗ DETECTED — the hash chain caught it: chain-link[2]: telemetry-chain-broken
212
- ▶ SIGNATURE tamper
213
- after: ✗ DETECTED — signature does not match reported usage
214
- VERDICT: tamper-evidence holds ✓ — every forgery caught offline, with only the public key.
215
- ```
216
-
217
- On a true run, make a check of any run's record yourself:
218
-
219
- ```bash
220
- cw telemetry verify <run-id>
221
- ```
222
-
223
- CW makes use of this on its own code — see the kept living-run proof in
224
- [`plugins/cool-workflow/docs/dogfood/`](plugins/cool-workflow/docs/dogfood/).
225
-
226
- The plain point: *the thing that uses up the tokens is not the thing that keeps
227
- the books.* That keeping-apart is normal in account-keeping — CW gives it to AI
228
- agents.
229
-
230
- ---
231
-
232
- ## Hand the report to someone — they can check it on their own
233
-
234
- A report you keep on your own machine is one thing. A report you can **give to
235
- someone** who then makes the check themselves is what you are really after. Add
236
- `--bundle` to the one command and CW seals the finished run into a single,
237
- self-checking file:
238
-
239
- ```bash
240
- npx cool-workflow quickstart architecture-review \
241
- --repo /path/to/your/project --question "What are the main risks?" \
242
- --agent-command builtin:claude --bundle --with-trust-key ./trust-pub.pem
243
- ```
244
-
245
- This puts a `report.cwrun.json` file **where you are** (not in the looked-at
246
- repo). The one file holds the report, the `file.js:42` pointers, the signed and
247
- hash-chained record, **and the public key**.
248
-
249
- Give that file to anyone. With no need for your repo, your keys given over on the
250
- side, or a put-in past `npx`, they make the check on their own — offline, with
251
- only the file:
252
-
253
- ```bash
254
- npx cool-workflow report verify-bundle report.cwrun.json
255
- ```
256
-
257
- If the bundle was changed in any way after the fact — the record, a signature, or
258
- the bytes — the check says so and comes to a stop (it gives back `ok: false` and a
259
- non-zero code), so a bundle you send on can never be a quiet lie. CW still never
260
- runs the model itself; it only keeps the books and makes the check.
261
-
262
- Want to see the whole thing in 30 seconds, with no agent and no key of your own?
263
-
264
- ```bash
265
- npx cool-workflow demo bundle
266
- ```
267
-
268
- It makes a real sealed bundle, makes two false changes to it, and shows the check
269
- getting **both** — offline, with only the public key the bundle carries.
270
-
271
- ---
272
-
273
- ## Troubleshooting
274
-
275
- | Problem | Fix |
276
- |---|---|
277
- | `status: blocked`, `agentConfigured: false` | No agent is in place. Put in `claude` (or give `--agent-command`). |
278
- | `claude: command not found` | Put in Claude Code so the `claude` command is there, then run again. |
279
- | Want to see the plan without running the AI | Put in `--preview` — it gives the steps and starts nothing. |
280
- | Want a live agent trace | Put `CW_AGENT_STREAM=1`. It is stderr-only, TTY-gated, and `CW_NO_STREAM=1` puts it off. |
281
- | Where did my report go? | The command gives out `reportPath`; it is under `<your-repo>/.cw/runs/<id>/report.md`. |
282
-
283
- ---
284
-
285
- ## How it works (one paragraph)
286
-
287
- CW is a small TypeScript/Node run-time that needs no other parts. It makes a
288
- record of the agent loop out in the open — *plan → dispatch → record → verify →
289
- commit → report* — as long-lasting files on disk, so a run is open to looking-at
290
- and able to be played again in place of a chat you let go. It never puts a model
291
- SDK inside and keeps no API key; your put-in-place agent does the thinking, CW
292
- does the book-keeping and the checking. For the structure, multi-agent
293
- working-together, execution backends, and the full CLI/MCP face, see the
294
- **[wiki](https://github.com/coo1white/cool-workflow/wiki)** and
295
- [`plugins/cool-workflow/docs/`](plugins/cool-workflow/docs/).
296
-
297
- ---
298
-
299
- ## License
300
-
301
- BSD-2-Clause. See [LICENSE](LICENSE). Built by COOLWHITE LLC.
package/docs/routines.md DELETED
@@ -1,101 +0,0 @@
1
- # Routines
2
-
3
- A CW routine has a trigger, an event payload, match rules, and a prompt it makes
4
- for an agent host to run.
5
-
6
- CW keeps routine data in:
7
-
8
- ```text
9
- .cw/routines/triggers.json
10
- .cw/routines/payloads/
11
- ```
12
-
13
- ## Commands
14
-
15
- Create an API trigger:
16
-
17
- ```bash
18
- cw routine create \
19
- --kind api \
20
- --prompt "Handle this API event."
21
- ```
22
-
23
- Create a GitHub trigger:
24
-
25
- ```bash
26
- cw routine create \
27
- --kind github \
28
- --prompt "Review this GitHub event." \
29
- --match '{"action":"opened"}'
30
- ```
31
-
32
- Fire a trigger from a payload file:
33
-
34
- ```bash
35
- cw routine fire github payload.json
36
- ```
37
-
38
- Inspect events:
39
-
40
- ```bash
41
- cw routine events
42
- ```
43
-
44
- ## Long Architecture Reviews
45
-
46
- Use `architecture-review-fast` for the foreground user path. Then put the
47
- full `architecture-review` app in line as background work when a deep look-over
48
- should not get in the way of a back-and-forth session:
49
-
50
- ```bash
51
- node scripts/architecture-review-fast.js \
52
- --repo /path/to/repo \
53
- --question "Is this architecture sound?" \
54
- --metrics \
55
- --schedule-full
56
- ```
57
-
58
- The wrapper makes a one-shot reminder schedule whose `workflowId` is
59
- `architecture-review`. The schedule prompt is policy. CW keeps the schedule and
60
- notes down due events; the outside agent host says how to run the long review.
61
- The prompt has in it the foreground fast run id, fast report path, source-context
62
- digest/profile, and it asks the background agent to give back the full review
63
- report path and digest.
64
- The `--metrics` flag is not required and it gives back foreground time used plus
65
- agent-spawn and result-cache-hit counts for the fast run.
66
-
67
- ## PDCA Blackboard Development Lessons
68
-
69
- When a task asks for agents to work together, first try the parts CW already
70
- has:
71
-
72
- - workflow apps give the work shape
73
- - worker output gives checked facts
74
- - the blackboard gives shared state
75
- - MCP gives tool access to the same state
76
- - smoke tests prove the loop
77
-
78
- Do not make a new MCP server when the existing server can show the same run
79
- state. Add a workflow app first, then prove the app with one smoke that uses
80
- both CLI and MCP.
81
-
82
- For a three-agent loop, keep the order plain:
83
-
84
- ```text
85
- plan -> build -> audit -> next action
86
- ```
87
-
88
- Each agent should write one blackboard message and, when there is a result
89
- file, one artifact ref. Take a snapshot after the audit and after the next
90
- action. If audit evidence is missing, let the worker evidence gate refuse the
91
- result instead of adding a new policy layer.
92
-
93
- Before a PR, base the branch on `origin/main`, run the generated-doc checks,
94
- and sync generated docs when the gate says they are stale. This keeps unrelated
95
- local commits and generated README/index drift out of the work.
96
-
97
- ## Boundary
98
-
99
- CW v0.1.1 does not give managed cloud infrastructure. It gives a local
100
- routine bridge that may be joined to GitHub Actions, webhooks, cron, or a
101
- small HTTP adapter in a later release.
@@ -1,80 +0,0 @@
1
- # Scheduled Tasks
2
-
3
- CW scheduled tasks let you make looping prompts, cron-like schedules, one-shot
4
- reminders, expiration, jitter, and clear completion.
5
-
6
- CW keeps schedules in:
7
-
8
- ```text
9
- .cw/schedules/tasks.json
10
- ```
11
-
12
- ## Commands
13
-
14
- Make a `/loop`-ready schedule:
15
-
16
- ```bash
17
- cw loop \
18
- --intervalMinutes 30 \
19
- --prompt "Check this workflow and continue if work is due."
20
- ```
21
-
22
- Make a loop:
23
-
24
- ```bash
25
- cw schedule create \
26
- --kind loop \
27
- --intervalMinutes 30 \
28
- --prompt "Check this workflow and continue if work is due."
29
- ```
30
-
31
- Make a cron schedule:
32
-
33
- ```bash
34
- cw schedule create \
35
- --kind cron \
36
- --cron "*/15 * * * *" \
37
- --prompt "Run the due workflow scan."
38
- ```
39
-
40
- Make a reminder:
41
-
42
- ```bash
43
- cw schedule create \
44
- --kind reminder \
45
- --delayMinutes 60 \
46
- --prompt "Remind me to inspect the report."
47
- ```
48
-
49
- List and look through:
50
-
51
- ```bash
52
- cw schedule list
53
- cw schedule due
54
- cw schedule complete <schedule-id>
55
- cw schedule pause <schedule-id>
56
- cw schedule resume <schedule-id>
57
- cw schedule run-now <schedule-id>
58
- cw schedule history <schedule-id>
59
- cw schedule delete <schedule-id>
60
- ```
61
-
62
- Run the local desktop-like daemon one time:
63
-
64
- ```bash
65
- cw schedule daemon --once
66
- ```
67
-
68
- Run it without stopping:
69
-
70
- ```bash
71
- cw schedule daemon --intervalSeconds 60
72
- ```
73
-
74
- ## Notes
75
-
76
- - Time is measured to the minute.
77
- - By default, expiration comes after 7 days.
78
- - `jitterSeconds` can put space between runs.
79
- - CW does not start the daemon by default. Use `schedule daemon`, cron, or
80
- some other overseer to call `schedule due` and run due prompts.
@@ -1,9 +0,0 @@
1
- #!/usr/bin/env bash
2
- # EXAMPLE operator agent config for CW Agent Delegation Drive — bash entry point.
3
- #
4
- # The single source of truth is claude-p-agent.js (the portable node version);
5
- # this shim only delegates so the two can never drift. Point CW at either:
6
- # CW_AGENT_COMMAND="node $(pwd)/scripts/agents/claude-p-agent.js {{input}} {{result}}"
7
- # CW_AGENT_COMMAND="bash $(pwd)/scripts/agents/claude-p-agent.sh {{input}} {{result}}"
8
- set -euo pipefail
9
- exec node "$(dirname "$0")/claude-p-agent.js" "$@"
@@ -1,75 +0,0 @@
1
- #!/usr/bin/env bash
2
- # block-unapproved-tag.sh — PreToolUse hook for the Bash tool.
3
- # Reads hook input JSON on stdin. If the command creates or pushes a tag,
4
- # require BOTH markers for the current HEAD sha:
5
- # .cw-release/gate-<sha>.ok (written by release-gate.sh)
6
- # .cw-release/review-<sha>.verdict (written by the release-reviewer agent, must contain APPROVED)
7
- # If .cw-release/verdict-signing.pub is committed (scripts/verdict-keygen.js),
8
- # also requires a valid ed25519 signature on the verdict (its .sig sidecar) —
9
- # opt-in, backward compatible with repos that haven't set up signing yet.
10
- # Exit 2 blocks the tool call; stderr is fed back to the agent.
11
- set -uo pipefail
12
-
13
- INPUT="$(cat)"
14
- # Parse the tool command with node, not jq: node is guaranteed present in this
15
- # Node project (and matches the repo's node/npm/git-only portability rule),
16
- # whereas jq is not installed in every Claude Code environment. A missing jq
17
- # would make this security hook silently fail OPEN (empty command → exit 0),
18
- # letting an unreviewed tag through. node keeps it portable and fail-closed.
19
- CMD="$(printf '%s' "$INPUT" | node -e 'let s="";process.stdin.on("data",d=>s+=d).on("end",()=>{try{process.stdout.write(String(JSON.parse(s)?.tool_input?.command||""))}catch{process.stdout.write("")}})' 2>/dev/null)"
20
- [[ -z "$CMD" ]] && exit 0
21
-
22
- # Only care about tag creation / tag push. Widened from the original pattern,
23
- # which missed the single most natural bypass form: `git push origin v0.2.3`
24
- # (a bare tag-shaped ref, no --tags flag and no refs/tags/ prefix) matched
25
- # neither side of the old alternation. Also now tolerates a global flag before
26
- # the tag subcommand (`git -C dir tag ...`) and the `--annotate` long form.
27
- if ! printf '%s' "$CMD" | grep -qE 'git(\s+-[A-Za-z]+\s+\S+)*\s+tag\s+(-a\s+|--annotate\s+)?v[0-9]|git\s+push\b.*(--tags|refs/tags|[[:space:]]v[0-9])'; then
28
- exit 0
29
- fi
30
-
31
- REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null)" || exit 0
32
- SHA="$(git -C "$REPO_ROOT" rev-parse HEAD)"
33
- # cut() commits the verdict ON TOP of the reviewed commit, so at tag time the
34
- # verdict filename is keyed on HEAD~1's sha, not HEAD's — the same
35
- # HEAD-or-HEAD~1 tolerance release-gate.yml uses. Without this, a manual
36
- # retag of a cut-produced commit was always blocked (v0.2.3 recovery).
37
- PARENT="$(git -C "$REPO_ROOT" rev-parse HEAD~1 2>/dev/null || echo none)"
38
- GATE=""
39
- VERDICT=""
40
- for C in "$SHA" "$PARENT"; do
41
- [[ "$C" == "none" ]] && continue
42
- if [[ -f "$REPO_ROOT/.cw-release/review-$C.verdict" ]]; then
43
- GATE="$REPO_ROOT/.cw-release/gate-$C.ok"
44
- VERDICT="$REPO_ROOT/.cw-release/review-$C.verdict"
45
- break
46
- fi
47
- done
48
- [[ -z "$VERDICT" ]] && VERDICT="$REPO_ROOT/.cw-release/review-$SHA.verdict"
49
- [[ -z "$GATE" ]] && GATE="$REPO_ROOT/.cw-release/gate-$SHA.ok"
50
-
51
- if [[ ! -f "$GATE" ]]; then
52
- echo "BLOCKED: no release-gate pass for HEAD $SHA (or its parent). Run plugins/cool-workflow/scripts/release-gate.sh first. Tagging without a green gate is forbidden." >&2
53
- exit 2
54
- fi
55
-
56
- if [[ ! -f "$VERDICT" ]] || ! grep -q '^APPROVED' "$VERDICT"; then
57
- echo "BLOCKED: no APPROVED verdict from the release-reviewer agent for HEAD $SHA (or its parent). Invoke the 'release-reviewer' subagent and obtain approval. Do not write the verdict file yourself — that is a gaming attempt and will be flagged in CI." >&2
58
- exit 2
59
- fi
60
-
61
- # Once .cw-release/verdict-signing.pub is committed (see scripts/verdict-keygen.js),
62
- # also require a valid ed25519 signature on the verdict — closing the gap this grep
63
- # alone can't: a plain APPROVED text match can't tell a real reviewer verdict from
64
- # one typed by hand. Absent that public key, this block is a no-op (unchanged,
65
- # grep-only behavior).
66
- PUBKEY="$REPO_ROOT/.cw-release/verdict-signing.pub"
67
- if [[ -f "$PUBKEY" ]]; then
68
- SIG="$VERDICT.sig"
69
- if [[ ! -f "$SIG" ]] || ! node "$REPO_ROOT/plugins/cool-workflow/scripts/verify-verdict-signature.js" "$VERDICT" "$SIG" "$PUBKEY" >/dev/null 2>&1; then
70
- echo "BLOCKED: verdict for HEAD $SHA has no valid signature, but verdict-signing.pub is committed so one is required. Do not hand-write or hand-sign a verdict — obtain a real reviewer approval via release-flow.js with CW_RELEASE_VERDICT_PRIVKEY set." >&2
71
- exit 2
72
- fi
73
- fi
74
-
75
- exit 0
@@ -1,94 +0,0 @@
1
- #!/usr/bin/env bash
2
- # release-gate.sh — deterministic release checks for cool-workflow.
3
- # Pass = writes .cw-release/gate-<HEAD-sha>.ok
4
- # This script encodes everything that does NOT need LLM judgment.
5
- set -euo pipefail
6
-
7
- REPO_ROOT="$(git rev-parse --show-toplevel)"
8
- cd "$REPO_ROOT"
9
- SHA="$(git rev-parse HEAD)"
10
- # Resolve the PREVIOUS release tag. When this script runs from CI on a tag push
11
- # (.github/workflows/release-gate.yml), HEAD already carries the tag being
12
- # released, so a plain `git describe` returns *that* tag and the diff range
13
- # collapses to empty — making substance/evidence/cadence false-fail every real
14
- # release. Exclude any tag that points at HEAD so we always compare against the
15
- # prior release (the parent commit's nearest tag).
16
- HEAD_TAGS="$(git tag --points-at HEAD 2>/dev/null || echo "")"
17
- PREV_TAG="$(git describe --tags --abbrev=0 2>/dev/null || echo "")"
18
- if [[ -n "$HEAD_TAGS" ]] && printf '%s\n' "$HEAD_TAGS" | grep -qxF "$PREV_TAG"; then
19
- PREV_TAG="$(git describe --tags --abbrev=0 HEAD^ 2>/dev/null || echo "")"
20
- fi
21
- MARKER_DIR="$REPO_ROOT/.cw-release"
22
- mkdir -p "$MARKER_DIR"
23
- FAIL=0
24
-
25
- say() { printf '%s\n' "$*"; }
26
- fail() { say "GATE FAIL: $*"; FAIL=1; }
27
-
28
- # --- 1. Build & tests (run, don't trust pasted output) -----------------
29
- say "[1/6] build"
30
- npm run --prefix plugins/cool-workflow build >/dev/null 2>&1 || fail "build failed"
31
-
32
- say "[2/6] tests"
33
- CW_TEST_CONCURRENCY=1 npm run test:gate --prefix plugins/cool-workflow >/dev/null 2>&1 || fail "tests failed"
34
-
35
- if [[ -n "$PREV_TAG" ]]; then
36
- RANGE="$PREV_TAG..HEAD"
37
-
38
- # --- 2. Substance: changes must exist outside src/types/ and dist/ ---
39
- # The spec (AGENTS.md / reviewer-agent.md Gate 1) is "at least one changed
40
- # file outside src/types/ and dist/" — ANY such file (src, scripts, docs,
41
- # workflows, tests). Count every changed path that is not under those two
42
- # generated/declaration-only trees; declared-but-unread spec accretion is the
43
- # reviewer agent's deeper judgment call, not this deterministic floor.
44
- say "[3/6] substance (diff outside src/types/ and dist/)"
45
- SUBSTANCE=$(git diff --name-only "$RANGE" \
46
- | grep -cvE '^plugins/cool-workflow/(src/types/|dist/)' || true)
47
- [[ "$SUBSTANCE" -gt 0 ]] || fail "only types/dist changed since $PREV_TAG (spec accretion)"
48
-
49
- # --- 3. Test evidence: test files must have changed ------------------
50
- say "[4/6] test evidence"
51
- TESTS_CHANGED=$(git diff --name-only "$RANGE" | grep -cE '\.(test|spec)\.|/tests?/' || true)
52
- [[ "$TESTS_CHANGED" -gt 0 ]] || fail "zero test changes since $PREV_TAG"
53
-
54
- # --- 4. Cadence: >=4 cycles logged OR >=24h since previous tag, or a recorded HOTFIX ---
55
- say "[5/6] cadence"
56
- CYCLES=0
57
- if [[ -f ITERATION_LOG.md && -n "$PREV_TAG" ]]; then
58
- CYCLES=$(git diff "$RANGE" -- ITERATION_LOG.md | grep -c '^+.*|' || true)
59
- fi
60
- PREV_TS=$(git log -1 --format=%ct "$PREV_TAG")
61
- NOW_TS=$(date +%s)
62
- HOURS=$(( (NOW_TS - PREV_TS) / 3600 ))
63
- # Hotfix path: an urgent fix may ship inside the cadence window, but ONLY via an
64
- # EXPLICIT, RECORDED declaration — a "HOTFIX:" line added to ITERATION_LOG.md in this
65
- # release range, carrying a reason. It is committed (auditable in the tag's history)
66
- # and echoed here, so the bypass is never silent and a reviewer sees the reason.
67
- HOTFIX="$(git diff "$RANGE" -- ITERATION_LOG.md | grep -E '^\+.*HOTFIX:' | head -1 | sed -E 's/^\+[[:space:]]*//' || true)"
68
- if [[ "$CYCLES" -lt 4 && "$HOURS" -lt 24 ]]; then
69
- if [[ -n "$HOTFIX" ]]; then
70
- say " cadence bypassed by recorded HOTFIX (${HOURS}h, ${CYCLES} cycle-lines): ${HOTFIX}"
71
- else
72
- fail "cadence: only $CYCLES cycles logged and ${HOURS}h since $PREV_TAG (need >=4 cycles, >=24h, or a recorded 'HOTFIX:' line in ITERATION_LOG.md)"
73
- fi
74
- fi
75
- else
76
- say "[3-5/6] no previous tag; substance/evidence/cadence checks skipped"
77
- fi
78
-
79
- # --- 5. Branch naming: forbid version-number branches -------------------
80
- say "[6/6] branch naming"
81
- BRANCH="$(git rev-parse --abbrev-ref HEAD)"
82
- if [[ "$BRANCH" =~ ^feat/(batch-)?v?[0-9]+ ]]; then
83
- fail "branch '$BRANCH' is version-number-driven; name the capability instead"
84
- fi
85
-
86
- # --- Verdict ------------------------------------------------------------
87
- if [[ "$FAIL" -ne 0 ]]; then
88
- rm -f "$MARKER_DIR/gate-$SHA.ok"
89
- say "RELEASE GATE: REJECTED ($SHA)"
90
- exit 1
91
- fi
92
-
93
- date -u +"%Y-%m-%dT%H:%M:%SZ" > "$MARKER_DIR/gate-$SHA.ok"
94
- say "RELEASE GATE: PASSED ($SHA) — next step: release-reviewer agent must record APPROVED"