cowork-harness 0.4.0 → 0.4.2

package/CHANGELOG.md

@@ -6,6 +6,28 @@ All notable changes to this project are documented here. The format is based on
 
 ## [Unreleased]
 
+## [0.4.2] — 2026-06-18
+
+### Added
+
+- **Platform baseline `desktop-1.13576.1`** — synced from the updated Claude Desktop (the app moved
+  `1.12603.1` → `1.13576.1`). `loadBaseline("latest")` now resolves to it. The embedded agent binary is
+  unchanged at `2.1.177` (the update changed the app shell + gate states, not the agent ELF); this baseline
+  also corrects the prior baselines' stale `2.1.170` agent pin to the actually-staged `2.1.177`. Egress
+  allowlist unchanged.
+
+## [0.4.1] — 2026-06-18
+
+### Fixed
+
+- **Agent-binary newest-staged fallback now applies on the real runtime paths** (container / hostloop, and
+  thus `skill` / `run` / `chat`), not just `sync`/tests. `resolveAgentBinary` had two private duplicates
+  (`container.ts`, `hostloop.ts`) **without** the 0.4.0 fallback, so a host with a newer staged
+  `claude-code-vm/<ver>` than the baseline expects still hard-failed with "Staged agent binary not found".
+  The duplicates were consolidated into the single exported resolver; a host that has staged a newer build
+  now falls back to it (with a warning) instead of failing. A structural test + CI guard prevent the
+  resolver from being re-duplicated.
+
 ## [0.4.0] — 2026-06-18
 
 The parsing/validation hardening + safety release: a current-tree code-review sweep plus fidelity and

package/baselines/desktop-1.13576.1.json

@@ -0,0 +1,220 @@
+{
+  "baselineVersion": 1,
+  "appVersion": "1.13576.1",
+  "agentVersion": "2.1.177",
+  "agentBinary": {
+    "stagedPath": "~/Library/Application Support/Claude/claude-code-vm/2.1.177/claude",
+    "format": "elf-aarch64"
+  },
+  "guest": {
+    "os": "linux",
+    "arch": "arm64",
+    "baseImage": "ubuntu:22.04"
+  },
+  "spawn": {
+    "configDirInGuest": "mnt/.claude",
+    "settingSources": [
+      "user"
+    ],
+    "permissionMode": "default",
+    "maxThinkingTokens": 31999,
+    "effortDefault": "medium",
+    "tools": [
+      "Task",
+      "Bash",
+      "Glob",
+      "Grep",
+      "Read",
+      "Edit",
+      "Write",
+      "NotebookEdit",
+      "WebFetch",
+      "TaskCreate",
+      "TaskUpdate",
+      "TaskGet",
+      "TaskList",
+      "TaskStop",
+      "WebSearch",
+      "Skill",
+      "REPL",
+      "JavaScript",
+      "AskUserQuestion",
+      "ToolSearch"
+    ],
+    "allowedTools": [
+      "Task",
+      "Bash",
+      "Glob",
+      "Grep",
+      "Read",
+      "Edit",
+      "Write",
+      "NotebookEdit",
+      "WebFetch",
+      "TaskCreate",
+      "TaskUpdate",
+      "TaskGet",
+      "TaskList",
+      "TaskStop",
+      "WebSearch",
+      "Skill",
+      "REPL",
+      "JavaScript",
+      "ToolSearch"
+    ],
+    "env": {
+      "CLAUDE_CODE_IS_COWORK": "1",
+      "CLAUDE_CODE_ENTRYPOINT": "local-agent",
+      "CLAUDE_CODE_TAGS": "lam_session_type:chat",
+      "CLAUDE_CODE_PROVIDER_MANAGED_BY_HOST": "1",
+      "CLAUDE_CODE_ENABLE_ASK_USER_QUESTION_TOOL": "true",
+      "CLAUDE_CODE_DISABLE_CRON": "1",
+      "CLAUDE_CODE_DISABLE_BACKGROUND_TASKS": "1",
+      "CLAUDE_CODE_DISABLE_AGENTS_FLEET": "1",
+      "CLAUDE_CODE_ENABLE_APPEND_SUBAGENT_PROMPT": "1",
+      "CLAUDE_CODE_ENABLE_TASKS": "true",
+      "CLAUDE_CODE_DISABLE_TERMINAL_TITLE": "1",
+      "ENABLE_PROMPT_CACHING_1H": "1",
+      "DISABLE_MICROCOMPACT": "1",
+      "MCP_CONNECTION_NONBLOCKING": "true"
+    },
+    "promptTemplate": "prompts/desktop-1.12603.1/system-prompt-append.md",
+    "subagentAppend": "prompts/desktop-1.12603.1/subagent-append-vm.md",
+    "$comment": "Binary-verified Desktop->agent spawn contract (asar 1.12603.1). See docs/cowork-spawn-contract-1.12603.1.md.",
+    "$comment_notSet": "Deliberately NOT set: CLAUDE_CODE_USE_COWORK_PLUGINS (Desktop never sets it; would flip the agent to cowork_settings.json/cowork_plugins). Host-derived (TZ, account UUIDs, WORKSPACE_HOST_PATHS, OTEL) injected at runtime, not pinned.",
+    "$comment_prompts": "Reconstructed cowork-specific sections (not the full base prompt — not cleanly extractable). The main append is delivered via the --append-system-prompt CLI flag (layered on the agent's built-in base prompt), NOT the initialize handshake; only the subagent append goes over initialize (appendSubagentSystemPrompt), gated on CLAUDE_CODE_ENABLE_APPEND_SUBAGENT_PROMPT."
+  },
+  "mountLayout": {
+    "sessionRoot": "/sessions/{sessionId}",
+    "cwd": "/sessions/{sessionId}",
+    "mntRoot": "/sessions/{sessionId}/mnt",
+    "mounts": [
+      {
+        "name": "uploads",
+        "mountPath": "uploads",
+        "mode": "r",
+        "purpose": "user-uploaded files (read-only — asar 'ro')"
+      },
+      {
+        "name": "projects",
+        "mountPath": ".projects/{projectId}",
+        "mode": "rw",
+        "purpose": "selected work folders (a Space) — delete denied by default (asar IX)"
+      },
+      {
+        "name": "local-plugins",
+        "mountPath": ".local-plugins/cache",
+        "mode": "r",
+        "purpose": "marketplace skills/plugins, runtime-discovered"
+      },
+      {
+        "name": "remote-plugins",
+        "mountPath": ".remote-plugins",
+        "mode": "r",
+        "purpose": "org-remote plugins, runtime-discovered"
+      },
+      {
+        "name": "outputs",
+        "mountPath": "outputs",
+        "mode": "rw",
+        "purpose": "session outputs/artifacts — delete denied by default (asar IX); rwd only when approved"
+      }
+    ]
+  },
+  "network": {
+    "mode": "gvisor",
+    "allowKind": "allowlist",
+    "allowDomains": [
+      "sentry.io",
+      "preview.claude.ai",
+      "downloads.claude.ai",
+      "api.anthropic.com",
+      "a-cdn.anthropic.com",
+      "a-api.anthropic.com",
+      "console.anthropic.com",
+      "api-staging.anthropic.com",
+      "www.anthropic.com",
+      "docs.anthropic.com",
+      "mcp-proxy.anthropic.com",
+      "pivot.claude.ai",
+      "support.anthropic.com",
+      "assets.claude.ai"
+    ]
+  },
+  "bgEnvStrip": {
+    "knownVars": [
+      "CLAUDE_CODE_OAUTH_TOKEN",
+      "CLAUDE_CODE_SESSION_KIND",
+      "CLAUDE_CODE_SESSION_ID",
+      "CLAUDE_CODE_SESSION_NAME",
+      "CLAUDE_CODE_SESSION_LOG"
+    ]
+  },
+  "$comment": "Platform baseline auto-derived by `cowork-harness sync` from a live Claude Desktop install + app.asar. VOLATILE per-release facts only. Regenerate per release; review the diff. Captured 2026-06-12 on macOS arm64.",
+  "capturedAt": "2026-06-17",
+  "platform": "darwin-arm64",
+  "settings": {
+    "autoMountFolders": {
+      "key": "autoMountFolders",
+      "default": false
+    },
+    "localAgentModeTrustedFolders": {
+      "key": "localAgentModeTrustedFolders",
+      "default": []
+    }
+  },
+  "provenance": {
+    "asarPath": "/Applications/Claude.app/Contents/Resources/app.asar",
+    "asarFingerprint": "88b6968a8a249dbf",
+    "gates": {
+      "$comment": "Production GrowthBook gate states decoded from ~/Library/Application Support/Claude/fcache (standard interactive Anthropic account, 2026-06-13; binary-verified app.asar 1.12603.1). Pin per release. Behavior-affecting gates the harness models: 1143815894 (loop), 1648655587 (dispatch cap), 1978029737 (web_fetch routing). Telemetry/auth-internal gates omitted.",
+      "bridgeSdkTransport:583857784": {
+        "on": true,
+        "source": "force",
+        "value": true,
+        "note": "— Cowork uses the SDK-based transport (control protocol), confirming the harness's sdkMcpServers/mcp_message path is the production transport."
+      },
+      "hostLoop:1143815894": {
+        "on": true,
+        "source": "force",
+        "value": true
+      },
+      "taskDispatchLimiter:1648655587": {
+        "on": true,
+        "source": "force",
+        "value": {
+          "perTask": 1,
+          "global": 3
+        },
+        "note": "perTask=1 global=3 (host-side SKIP: recordSkipAndEmit/GCA.PerTaskLimit — NOT queue/deny). A dispatch session launches <=1 sub-task; <=3 concurrent globally."
+      },
+      "coworkRuntimeConfig:1978029737": {
+        "on": true,
+        "source": "force",
+        "value": {
+          "sessionsBridgePollBlockMs": 30,
+          "coworkNativeFilePreview": true,
+          "coworkWebFetchViaApi": true,
+          "coworkWebFetchPrompt": true,
+          "workspaceBashWaitLonger": true
+        },
+        "note": "coworkWebFetchViaApi=true coworkWebFetchPrompt=true workspaceBashWaitLonger=true sessionsBridgePollBlockMs=30 — web_fetch is host/API-routed (POST /api/organizations/<org>/cowork/web_fetch), NOT container egress; gated by a separate web-fetch hostname allowlist + URL provenance."
+      },
+      "cliPlugin:2307090146": {
+        "on": false,
+        "source": "defaultValue",
+        "value": false,
+        "note": "— the CLI-plugin credential broker is dark-launched off for standard interactive accounts (Ch23/L106)."
+      },
+      "pluginSyncSparkplug:2340532315": {
+        "on": true,
+        "source": "force",
+        "value": true,
+        "note": "— startup syncPlugins(); plugins load via --plugin-dir (registry inert in-VM)."
+      }
+    },
+    "eipcChannelUuid": "4f426349-8d6f-45f3-ae22-280fef323564",
+    "$comment": "eipcChannelUuid is per-build; recorded for provenance only — the harness does not use Desktop IPC."
+  },
+  "requireFullVmSandbox": null
+}

package/dist/runtime/container.js

@@ -1,9 +1,7 @@
 import { spawn } from "node:child_process";
-import { existsSync } from "node:fs";
 import { resolve, join } from "node:path";
-import { homedir } from "node:os";
 import { DEFAULT_MAX_THINKING_TOKENS } from "../types.js";
-import { resolveMounts } from "../baseline.js";
+import { resolveMounts, resolveAgentBinary } from "../baseline.js";
 import { agentArgs, spawnEnv, dockerRunArgv, resolveMaxThinkingTokens } from "./argv.js";
 import { runtimeAuthEnv } from "./host-env.js";
 import { stageWorkspace } from "./stage.js";
@@ -60,18 +58,3 @@ export function spawnContainer(scenario, baseline, plan, outDir, sessionId, opts
     });
     return spawn(runner, dockerArgs, { stdio: ["pipe", "pipe", "pipe"] });
 }
-/** Resolve the staged Linux agent binary on the host (override: COWORK_AGENT_BINARY). */
-function resolveAgentBinary(baseline) {
-    const override = process.env.COWORK_AGENT_BINARY;
-    if (override) {
-        if (!existsSync(override))
-            throw new Error(`COWORK_AGENT_BINARY not found: ${override}`);
-        return resolve(override);
-    }
-    const staged = (baseline.agentBinary?.stagedPath ?? "").replace(/^~(?=$|\/)/, homedir());
-    if (!staged || !existsSync(staged)) {
-        throw new Error(`Staged agent binary not found at "${staged}". It is extracted from your Claude Desktop install ` +
-            `(claude-code-vm/<ver>/claude). Open Cowork once to stage it, or set COWORK_AGENT_BINARY to its path.`);
-    }
-    return resolve(staged);
-}

package/dist/runtime/hostloop.js

@@ -1,11 +1,10 @@
 import { warn } from "../io.js";
 import { spawn } from "node:child_process";
-import { existsSync, readFileSync } from "node:fs";
+import { readFileSync } from "node:fs";
 import { resolve, join } from "node:path";
-import { homedir } from "node:os";
 import { fileURLToPath } from "node:url";
 import { DEFAULT_MAX_THINKING_TOKENS } from "../types.js";
-import { resolveMounts } from "../baseline.js";
+import { resolveMounts, resolveAgentBinary } from "../baseline.js";
 import { makeWorkspaceHandler } from "../hostloop/workspace-handler.js";
 import { agentArgs, spawnEnv, dockerRunArgv, resolveMaxThinkingTokens } from "./argv.js";
 import { runtimeAuthEnv } from "./host-env.js";
@@ -116,16 +115,3 @@ function hostLoopShellSection(vmMnt, appVersion) {
         .join(vmMnt)
         .trim();
 }
-function resolveAgentBinary(baseline) {
-    const override = process.env.COWORK_AGENT_BINARY;
-    if (override) {
-        if (!existsSync(override))
-            throw new Error(`COWORK_AGENT_BINARY not found: ${override}`);
-        return resolve(override);
-    }
-    const staged = (baseline.agentBinary?.stagedPath ?? "").replace(/^~(?=$|\/)/, homedir());
-    if (!staged || !existsSync(staged)) {
-        throw new Error(`Staged agent binary not found at "${staged}". Open Cowork once to stage it, or set COWORK_AGENT_BINARY.`);
-    }
-    return resolve(staged);
-}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cowork-harness",
-  "version": "0.4.0",
+  "version": "0.4.2",
   "description": "Scriptable, CI-friendly harness for Claude Cowork's runtime contract for testing skills across scenarios — same agent, mounts, egress allowlist, permission protocol, and sandbox limitations.",
   "license": "MIT",
   "type": "module",