Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 7 additions & 1 deletion GOAL_PROMPT.md
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ This file is the current goal-mode entrypoint. Historical phase prompts live in

Current phase:

- v1.11 JS Dynamic Runtime MVP is planned as the next implementation contract.
- v1.11 JS Dynamic Runtime MVP is implemented in the current working tree; next phase is not selected yet.

Latest decisions:

Expand All @@ -31,6 +31,12 @@ Latest decisions:
SHA-256 in v1.11. CWF must never grant more authority than the parent Codex
session already has. Generated scripts must be previewed and approved before
execution.
- v1.11 implementation closeout: `dynamic-js` now supports local preview-first
`workflow.js` harnesses, AST policy validation with Acorn, Node Permission
Model child execution, parent CWF JSON-RPC APIs, read-only agent mutation
detection, strict `inherit-session` gating, dynamic artifacts, CLI preview
smoke, and documentation updates. Controlled live Codex-worker smoke still
requires Ender approval.

Archived phase prompts:

Expand Down
40 changes: 38 additions & 2 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ A lightweight, Codex-native workflow layer for multi-agent engineering review.

中文文档: [README.zh-CN.md](README.zh-CN.md)

Codex Flow lets you run repeatable multi-worker workflows using only Codex-native surfaces: no external LLM routers, no private adapters, no separate agent platform. The public pack is read-only by default: review workflows start Codex workers in parallel and aggregate their findings into a stable reduced JSON envelope plus a readable Markdown report. v1.4 ships one narrow gated write workflow, `doc-refresh`, for documentation-only edits after preview and explicit approval. v1.10 adds a safer general write-worker path for bounded patch-mode workflows: a writer works in an isolated target, Codex Flow extracts `artifacts/proposed.patch`, checks `write_policy` paths, runs `git apply --check --3way`, then applies only after the existing approval gate and drift check.
Codex Flow lets you run repeatable multi-worker workflows using only Codex-native surfaces: no external LLM routers, no private adapters, no separate agent platform. The public pack is read-only by default: review workflows start Codex workers in parallel and aggregate their findings into a stable reduced JSON envelope plus a readable Markdown report. v1.4 ships one narrow gated write workflow, `doc-refresh`, for documentation-only edits after preview and explicit approval. v1.10 adds a safer general write-worker path for bounded patch-mode workflows: a writer works in an isolated target, Codex Flow extracts `artifacts/proposed.patch`, checks `write_policy` paths, runs `git apply --check --3way`, then applies only after the existing approval gate and drift check. v1.11 adds the first JavaScript dynamic workflow runtime: local `workflow.js` harnesses are parsed with an AST policy, copied into run artifacts, previewed, approved, then executed in a Node Permission Model child process that can only talk to parent CWF through JSON-RPC. The implemented preview also includes intent-to-preview generation, built-in local dynamic templates, local save/reuse with SHA-bound trust metadata, and guarded dynamic `safePatch`.

The long-term shape (post-v1) is a thin layer over Codex itself: Codex owns threads, subagents, sandbox, approvals, permissions, skills, plugins, and worktrees; Codex Flow owns workflow specs, run-state evidence, gates, reducer output, and artifact manifests.

Expand All @@ -22,6 +22,7 @@ The default catalog includes:
- `research-crosscheck`: source fidelity and unsupported-claim review for research or documentation diffs
- `release-review`: ship readiness, rollout, rollback, and regression review
- `doc-refresh`: gated documentation-only write workflow with dry-run preview, approval, diff summary, rollback, and verification artifacts
- `dynamic-js`: preview-first JavaScript harness execution through `cwf.git`, `cwf.agent.run`, `cwf.safePatch`, `cwf.map`, `cwf.artifacts`, and `cwf.report`

The reducer merges duplicate findings, drops weak unsupported claims, ranks severity, preserves worker provenance, and writes a final report. If a worker fails or falls back from malformed structured output, the final verdict can be `DEGRADED` and the report says which evidence is partial.

Expand Down Expand Up @@ -68,6 +69,19 @@ cwf run doc-refresh --target <repo>
cwf run workflows/diff-review.yaml --target <repo>
```

Preview a local dynamic JavaScript workflow:

```bash
cwf dynamic list
cwf dynamic show change-summary
cwf dynamic generate --goal "Summarize this repo diff" --target <repo>
cwf dynamic run fixtures/dynamic/read-only.workflow.js --target <repo>
cwf dynamic run change-summary --target <repo>
cwf dynamic save ./workflow.js --id local-review
cwf approve <run-id> approve-dynamic
cwf resume <run-id>
```

Run in the background:

```bash
Expand Down Expand Up @@ -117,6 +131,18 @@ Duplicate workflow ids fail clearly instead of picking one silently.

Gated workflows can pause before a risky or write-capable phase. `cwf status` and `cwf show` explain the waiting gate and print the exact approve/reject commands. `cwf approve <run-id> <gate-id>` records the approval, and `cwf resume <run-id>` continues only pending phases. `cwf reject <run-id> <gate-id> --reason <text>` stops the run cleanly. Write workflows write `artifacts/write-plan.md`, `artifacts/dry-run-preview.md`, `artifacts/verification-plan.md`, and `artifacts/rollback.md` before approval. After approval the writer runs in an isolated target, CWF stores `artifacts/proposed.patch`, checks `write_policy` paths and `git apply --check --3way`, applies the patch, and records diff, verification, and rollback artifacts. The bundled `doc-refresh` workflow uses `direct-docs` only as a docs/readme/release-note policy preset; it still goes through the same isolated patch apply path.

Dynamic JavaScript workflows are also gated. `cwf dynamic run <workflow.js-or-id> --target <repo>` writes `artifacts/workflow.js`, `workflow.sha256`, `dynamic-preview.md`, `dynamic-capabilities.json`, and `dynamic-budget.json`, then pauses at `approve-dynamic`. The script must export one async default function. The AST gate rejects imports, dynamic import, `require`, `eval`, `Function`, `globalThis`, `process`, `fetch`, constructor/prototype escape paths, direct shell strings, and call expressions outside `cwf` or approved builtins. Execution fails closed unless the child process can run with Node Permission Model active and without target repo filesystem, network, child-process, worker, native-addon, WASI, FFI, or inspector permissions. `cwf.agent.run` defaults to `read-only`; read-only agents fail the run if the target diff changes. `cwf.safePatch.apply` is the only dynamic write path that applies patches directly: the script must declare `metadata.safe_patch_policy` so the policy is visible in preview, and the runtime `write_policy` must exactly match that metadata. CWF stores `dynamic-proposed.patch`, checks policy and `git apply --check --3way`, applies through the parent process, runs verification, records rollback evidence, and reverse-applies the patch if verification fails. `inherit-session` is allowed only for `generated-current-session` scripts with matching SHA-256 and a known write-capable parent permission cap; copied, remote, unknown, and hash-mismatched workflows fail closed. Remote dynamic workflow URLs cannot run directly; inspect and save a local trusted copy first.

Dynamic template discovery is local-only:

```text
./workflows/dynamic/
./.codex-flow/dynamic-workflows/
~/.codex-workflows/dynamic/
```

`cwf dynamic save <workflow.js> --id <trusted-id>` copies a validated script into `~/.codex-workflows/dynamic/` and writes a `.trust.json` sidecar bound to the source SHA-256. If the saved script changes without a matching trust record, discovery fails instead of running the tampered copy.

`cwf desktop result` bridges completed filesystem runs back into Codex. When CWF is launched by a Codex skill from an active conversation, the primary UX is for the skill to read the completed run and answer in that same conversation. `--print` prints a concise handoff prompt for that path. Without app-server, the command still writes `artifacts/handoff-prompt.md`. `--new-thread` and `--thread <thread-id>` require a Codex CLI with app-server support, a running app-server daemon, and remote control enabled:

```bash
Expand Down Expand Up @@ -145,6 +171,15 @@ Run artifacts are stored under:
tests.json
safety.json
artifacts/
workflow.js
workflow.sha256
dynamic-preview.md
dynamic-capabilities.json
dynamic-budget.json
dynamic-events.jsonl
dynamic-final.json
dynamic-proposed.patch
dynamic-safe-patch.json
write-plan.md
dry-run-preview.md
verification-plan.md
Expand Down Expand Up @@ -219,7 +254,7 @@ It does not attempt exact product parity with Claude Code Dynamic Workflows:

- no native `/workflows` UI
- no automatic `workflow` keyword trigger
- no generated JavaScript workflow scripts
- no unrestricted `node workflow.js`; JavaScript dynamic workflows must pass preview, AST policy, approval, and permissioned child-process execution
- no non-Codex model routing
- no web UI

Expand All @@ -231,6 +266,7 @@ See [docs/claude-vs-codex-workflows.md](docs/claude-vs-codex-workflows.md).
- `doc-refresh` remains the only bundled user-facing write workflow. It is documentation-only, gated, reversible, and applies through the isolated patch path after explicit approval.
- General non-doc write-capable workflows must declare `write_policy` and use patch mode. CWF refuses paths outside `allowed_paths`, forbidden paths, target drift after preview, `git apply --check --3way` conflicts, and failed workflow verification commands. If patch-mode verification fails after apply, CWF attempts to reverse-apply the same proposed patch before returning a failed run.
- `direct-docs` is a compatibility policy for `doc-refresh`; source/config write workflows must use explicit patch-mode policy with their own allowed paths and verification commands.
- Dynamic JavaScript workflows do not receive `fs`, `process`, network, shell, or target repo access. All git, agent, artifact, and report actions go through parent CWF APIs.
- GitHub PR output is local by default. Nothing is posted unless `cwf github-pr` is run with explicit `--post --repo <owner/repo> --pr <number>`.
- Workflow suggestions are YAML specs only. They are validated after generation, but they are not installed or run automatically.
- Reviews tracked git diffs; untracked file contents are not included.
Expand Down
36 changes: 35 additions & 1 deletion README.zh-CN.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@

一个轻量的 Codex 原生工作流层,用来把一次工程审查拆成多个 Codex worker(工作者)并行做,再合成一份可追踪的 reduced JSON 和 Markdown 报告。

它只依赖 Codex 原生能力:不接第三方模型路由,不接私有 adapter,不再造一个单独的 agent 平台。公开版默认还是只读 workflow;v1.4 额外带一个很窄的 `doc-refresh`,只允许文档写入,并且必须先生成 preview、过 gate、显式 approve 后才进入写入阶段。v1.10 增加了更安全的通用写 worker 路径:writer 先在 isolated target 里产出 `artifacts/proposed.patch`,CWF 检查 allowed/forbidden path,跑 `git apply --check --3way`,再 apply 到真实 target;非文档写必须声明显式 `write_policy`。
它只依赖 Codex 原生能力:不接第三方模型路由,不接私有 adapter,不再造一个单独的 agent 平台。公开版默认还是只读 workflow;v1.4 额外带一个很窄的 `doc-refresh`,只允许文档写入,并且必须先生成 preview、过 gate、显式 approve 后才进入写入阶段。v1.10 增加了更安全的通用写 worker 路径:writer 先在 isolated target 里产出 `artifacts/proposed.patch`,CWF 检查 allowed/forbidden path,跑 `git apply --check --3way`,再 apply 到真实 target;非文档写必须声明显式 `write_policy`。v1.11 增加第一版 JavaScript dynamic workflow runtime:本地 `workflow.js` 先过 AST policy、复制到 run artifacts、生成 preview、显式 approve,再放进 Node Permission Model child process 执行;child 只能通过 JSON-RPC 调 parent CWF API。这个 preview 面现在还包括 intent-to-preview 生成、内置本地 dynamic template、本地 save/reuse + SHA trust metadata,以及受控 dynamic `safePatch`。

Codex 负责线程、子 agent、权限和写文件边界;Codex Flow 负责 workflow spec、run store、events、gate、reducer 和 artifact manifest。

Expand Down Expand Up @@ -60,6 +60,19 @@ cwf run doc-refresh --target <repo>
cwf run workflows/diff-review.yaml --target <repo>
```

本地 dynamic JavaScript workflow 先 preview,不会直接启动 worker:

```bash
cwf dynamic list
cwf dynamic show change-summary
cwf dynamic generate --goal "Summarize this repo diff" --target <repo>
cwf dynamic run fixtures/dynamic/read-only.workflow.js --target <repo>
cwf dynamic run change-summary --target <repo>
cwf dynamic save ./workflow.js --id local-review
cwf approve <run-id> approve-dynamic
cwf resume <run-id>
```

大 diff 推荐后台跑:

```bash
Expand Down Expand Up @@ -139,6 +152,18 @@ worker 执行现在走 adapter 层,但仍然只使用 Codex。默认是 `codex

带 gate 的 workflow 会在风险步骤前暂停。`cwf status` / `cwf show` 会直接说明卡在哪个 gate,并给出 approve / reject 命令。`cwf approve <run-id> <gate-id>` 记录批准,`cwf resume <run-id>` 只继续还没完成的后续 phase;`cwf reject <run-id> <gate-id> --reason <text>` 会干净地停止 run。写 workflow 在 approval 前只写 run artifact(`write-plan.md`、`dry-run-preview.md`、`verification-plan.md`、`rollback.md`)。approval 后 writer 只在 isolated target 里写,CWF 保存 `proposed.patch`,检查 `write_policy` 路径和 `git apply --check --3way` 后才 apply 到真实 target,并记录 diff、verification 和 rollback artifact。如果 verification 在 apply 后失败,CWF 会尝试用同一个 patch 做 reverse apply,然后返回 failed run。内置 `doc-refresh` 的 `direct-docs` 只是 docs/readme/release-note policy preset,也走同一条 isolated patch apply 路径;源码/配置写入要用显式 patch policy。

Dynamic JavaScript workflow 也是 gated。`cwf dynamic run <workflow.js-or-id> --target <repo>` 会写 `artifacts/workflow.js`、`workflow.sha256`、`dynamic-preview.md`、`dynamic-capabilities.json`、`dynamic-budget.json`,然后停在 `approve-dynamic`。脚本只能导出一个 async default function。AST gate 会拒绝 import、dynamic import、`require`、`eval`、`Function`、`globalThis`、`process`、`fetch`、constructor/prototype escape、直接 shell 字符串,以及不从 `cwf` 或允许 builtin 发起的 call expression。执行时 child process 必须启用 Node Permission Model,且不给 target repo filesystem、network、child-process、worker、native-addon、WASI、FFI、inspector 权限。`cwf.agent.run` 默认 `read-only`;read-only worker 如果改动 target diff,会让 run failed。`cwf.safePatch.apply` 是 dynamic runtime 里唯一会直接 apply patch 的写路径:脚本必须先声明 `metadata.safe_patch_policy`,让 policy 出现在 preview 里;runtime 传入的 `write_policy` 必须和 metadata 完全一致。CWF 会保存 `dynamic-proposed.patch`,检查 policy 和 `git apply --check --3way`,由 parent process apply,跑 verification,记录 rollback evidence;如果 verification 失败,会尝试 reverse apply,然后返回 failed run。`inherit-session` 只允许 `generated-current-session`、SHA-256 匹配、parent permission cap 已知且可写的脚本,copied/remote/unknown/hash mismatch 都 fail closed。远程 dynamic workflow URL 不能直接运行,必须先 inspect 并保存本地 trusted copy。

Dynamic template discovery 只扫本地:

```text
./workflows/dynamic/
./.codex-flow/dynamic-workflows/
~/.codex-workflows/dynamic/
```

`cwf dynamic save <workflow.js> --id <trusted-id>` 会把通过校验的脚本复制到 `~/.codex-workflows/dynamic/`,并写一个绑定 SHA-256 的 `.trust.json` sidecar。保存后的脚本如果被改但 trust record 没同步,discovery 会失败,不会继续运行。

`cwf desktop result` 用来把已完成的文件系统 run 带回 Codex。如果 CWF 是由当前 Codex 会话里的 skill 发起,主路径应该是 skill 读取 run 结果,然后直接在这个发起会话里回复。`--print` 会打印一段适合这条路径的简洁 handoff prompt;不依赖 app-server 时也会写 `artifacts/handoff-prompt.md`。`--new-thread` 和 `--thread <thread-id>` 需要支持 app-server 的 Codex CLI、运行中的 app-server daemon,以及已开启 remote control:

```bash
Expand Down Expand Up @@ -196,6 +221,15 @@ Artifacts:
tests.json
safety.json
artifacts/
workflow.js
workflow.sha256
dynamic-preview.md
dynamic-capabilities.json
dynamic-budget.json
dynamic-events.jsonl
dynamic-final.json
dynamic-proposed.patch
dynamic-safe-patch.json
write-plan.md
dry-run-preview.md
verification-plan.md
Expand Down
16 changes: 15 additions & 1 deletion RELEASE_NOTES.md
Original file line number Diff line number Diff line change
Expand Up @@ -37,14 +37,28 @@ Codex Flow 1.0.0 is the first stable public release of the Codex-native workflow
- `research-crosscheck`
- `release-review`

## Implemented Preview

- Dynamic JavaScript workflow runtime:
- `cwf dynamic generate`
- `cwf dynamic list`
- `cwf dynamic show`
- `cwf dynamic save`
- `cwf dynamic run`
- Built-in local dynamic templates:
- `change-summary`
- `docs-change-check`
- SHA-bound local trust metadata for saved dynamic workflows
- Guarded dynamic `cwf.safePatch.apply` with preview-visible `metadata.safe_patch_policy`, runtime policy match checks, `git apply --check --3way`, verification, and rollback-on-verification-failure evidence

## Public Boundary

Codex Flow 1.0.0 intentionally does not include:

- non-Codex model routing
- private adapters
- remote workflow marketplace
- generated JavaScript workflow execution
- remote dynamic workflow execution by URL
- broad production write-capable workflows beyond gated documentation refresh
- automatic GitHub posting
- automatic installation or execution of generated workflow suggestions
Expand Down
Loading