@openwop/openwop-conformance 1.1.0 → 1.2.0

package/fixtures/conformance-subworkflow-input-mapping-child.json

@@ -0,0 +1,27 @@
+{
+  "id": "conformance-subworkflow-input-mapping-child",
+  "name": "Conformance: subWorkflow Input Mapping (RFC 0022 §B) — child",
+  "version": "1.0",
+  "description": "Child fixture for `conformance-subworkflow-input-mapping`. Declares a single `receivedPrdId` variable with `defaultValue: 'baked-in'` — the parent's `inputMapping: { receivedPrdId: 'currentPrdId' }` MUST override this default at child-run-create time per RFC 0022 §B. The body is a noop identity node; the assertion (the child's final `receivedPrdId` variable) is read from the child run's variables_json via `GET /v1/runs/{runId}`.",
+  "nodes": [
+    {
+      "id": "noop",
+      "typeId": "core.identity",
+      "name": "Noop (asserts via final variables)",
+      "position": { "x": 0, "y": 0 },
+      "config": {},
+      "inputs": {}
+    }
+  ],
+  "edges": [],
+  "triggers": [
+    { "id": "manual", "type": "manual", "enabled": true }
+  ],
+  "variables": [
+    { "name": "receivedPrdId", "type": "string", "defaultValue": "baked-in" }
+  ],
+  "metadata": {
+    "tags": ["conformance", "rfc-0022", "subworkflow", "input-mapping", "child"]
+  },
+  "settings": { "timeout": 5000 }
+}

package/fixtures/conformance-subworkflow-input-mapping.json

@@ -0,0 +1,33 @@
+{
+  "id": "conformance-subworkflow-input-mapping",
+  "name": "Conformance: subWorkflow Input Mapping (RFC 0022 §B)",
+  "version": "1.0",
+  "description": "RFC 0022 §B — host honors `inputMapping` on `core.subWorkflow` and seeds child variables from parent-variable projections. The parent fixture sets its `currentPrdId='prd-1'`, then invokes the child fixture (`conformance-subworkflow-input-mapping-child`) via `core.subWorkflow` with `inputMapping: { receivedPrdId: 'currentPrdId' }`. The child workflow declares `receivedPrdId.defaultValue='baked-in'` — the RFC normates that `inputMapping` MUST override matching `defaultValue` declarations. The scenario inspects the child run's final variables and asserts `receivedPrdId === 'prd-1'`. See subworkflow-input-mapping.test.ts.",
+  "nodes": [
+    {
+      "id": "subwf-call",
+      "typeId": "core.subWorkflow",
+      "name": "Invoke child with inputMapping",
+      "position": { "x": 0, "y": 0 },
+      "config": {
+        "workflowId": "conformance-subworkflow-input-mapping-child",
+        "waitForCompletion": true,
+        "onChildFailure": "fail-parent",
+        "inputMapping": { "receivedPrdId": "currentPrdId" }
+      },
+      "inputs": {}
+    }
+  ],
+  "edges": [],
+  "triggers": [
+    { "id": "manual", "type": "manual", "enabled": true }
+  ],
+  "variables": [
+    { "name": "currentPrdId", "type": "string", "defaultValue": "prd-1" }
+  ],
+  "metadata": {
+    "tags": ["conformance", "rfc-0022", "subworkflow", "input-mapping"],
+    "requiresCapability": "capabilities.subWorkflow.inputMapping"
+  },
+  "settings": { "timeout": 10000 }
+}

package/fixtures.md

@@ -58,12 +58,22 @@ All fixtures MUST advertise:
 | Interrupt — Auth Required | `conformance-interrupt-auth-required` | Verifies `openwop-interrupt-auth-required` profile (bearer-token resume only) | `completed` after bearer resolve | unbounded (suspends) |
 | Interrupt — Parent/Child Cancel | `conformance-interrupt-parent-child-cancel` + `conformance-interrupt-parent-child-cancel-child` | Verifies `openwop-interrupt-parent-child` cancel cascade | `cancelled` (both runs) | ≤ 30s |
 | Agent Identity | `conformance-agent-identity` | Phase 1 — `RunSnapshot.agent` / `runOrchestrator` AgentRef wire-shape | `completed` | ≤ 10s |
-| Agent Reasoning | `conformance-agent-reasoning` | Phase 1 — `agent.*` event family emission + `callId` pairing | `completed` | ≤ 15s |
-| Agent Low-Confidence | `conformance-agent-low-confidence` | Phase 1 / CP-1 — confidence < threshold suspends with `node.suspended { reason: 'low-confidence' }` | `waiting-approval` (suspends) | unbounded (suspends) |
+| Agent Reasoning | `conformance-agent-reasoning` | Phase 1 / RFC 0023 — `agent.*` event family emission + `callId` pairing on `core.conformance.mock-agent` | `completed` | ≤ 15s |
+| Agent Low-Confidence | `conformance-agent-low-confidence` | Phase 1 / CP-1 / RFC 0023 — `core.conformance.mock-agent` emits `agent.decided` with confidence < threshold; host MUST follow with `node.suspended { reason: 'low-confidence' }` | `waiting-approval` (suspends) | unbounded (suspends) |
 | Message Reducer | `conformance-message-reducer` | Phase 1 — `message` reducer idempotency on duplicate `messageId` | `completed` | ≤ 10s |
 | Agent Pack Install | `conformance-agent-pack-install` | Phase 2 — pack `agents[]` surface as AgentManifest at `GET /v1/packs` | `completed` | ≤ 5s |
 | Agent Pack Export | `conformance-agent-pack-export` | Phase 2 — workspace agents project to AgentManifest at `GET /v1/packs/export` | `completed` | ≤ 5s |
 | Agent Pack Provenance | `conformance-agent-pack-provenance` | Phase 2 — `sourceManifestId` provenance round-trip | `completed` | ≤ 10s |
+| Agent Pack Handoff Schema Validation | `conformance-agent-pack-handoff-schema-validation` | Phase 2 / HV-1 — host validates dispatch payloads against `handoff.taskSchemaRef` AND return payloads against `handoff.returnSchemaRef` per RFC 0003 §D. Three branches: valid-task → `completed`; invalid-task → `failed` with structured violation; mock-return-violation → violation surfaced before persistence. | varies by scenario | ≤ 5s |
+| Dispatch Input Mapping | `conformance-dispatch-input-mapping` | RFC 0022 §A / HVMAP-1a — host honors `inputMapping` on `core.dispatch`. Capability-gated on `capabilities.agents.dispatchMapping`. | `completed` | ≤ 5s |
+| Dispatch Output Mapping | `conformance-dispatch-output-mapping` | RFC 0022 §A / HVMAP-1b — host harvests child variables via `outputMapping` on `core.dispatch`. Capability-gated on `capabilities.agents.dispatchMapping`. | `completed` | ≤ 5s |
+| Dispatch Cross-Worker Handoff | `conformance-dispatch-cross-worker-handoff` | RFC 0022 §A / HVMAP-1c — sequential fan-out: child-a writes via `perWorkerOutputMappings`, child-b reads via `perWorkerInputMappings`. Capability-gated on `capabilities.agents.dispatchMapping`. | `completed` | ≤ 10s |
+| subWorkflow Input Mapping | `conformance-subworkflow-input-mapping` | RFC 0022 §B / HVMAP-2 — host honors `inputMapping` on `core.subWorkflow`; overrides matching `defaultValue` declarations on the child. Capability-gated on `capabilities.subWorkflow.inputMapping`. | `completed` | ≤ 10s |
+| subWorkflow Input Mapping (child) | `conformance-subworkflow-input-mapping-child` | RFC 0022 §B / HVMAP-2 — child workflow for the input-mapping scenario. Declares `receivedPrdId.defaultValue='baked-in'`; parent's `inputMapping` MUST override that default. Single noop node; final variables read via `GET /v1/runs/{runId}` for the assertion. | `completed` | ≤ 5s |
+| Dispatch Input Mapping (child) | `conformance-dispatch-input-mapping-child` | RFC 0022 §A / HVMAP-1a — child workflow for the dispatch input-mapping scenario. Single noop node; the scenario reads this child's `inputs_json` via `GET /v1/runs/{childRunId}` and asserts `inputs.childGreeting === 'Alice'`. | `completed` | ≤ 5s |
+| Dispatch Output Mapping (child) | `conformance-dispatch-output-mapping-child` | RFC 0022 §A / HVMAP-1b — child workflow for the dispatch output-mapping scenario. Declares `childOutcome.defaultValue='done'`; on terminal, parent's `outputMapping` harvests `childOutcome → parentResult`. | `completed` | ≤ 5s |
+| Dispatch Cross-Worker Handoff (child-a) | `conformance-dispatch-cross-worker-handoff-child-a` | RFC 0022 §A / HVMAP-1c — first child of the cross-worker-handoff scenario. Declares `output.defaultValue='hello'`; on terminal, parent's `perWorkerOutputMappings.child-a` harvests `output → sharedVar`. | `completed` | ≤ 5s |
+| Dispatch Cross-Worker Handoff (child-b) | `conformance-dispatch-cross-worker-handoff-child-b` | RFC 0022 §A + §D / HVMAP-1c — second child of the cross-worker-handoff scenario. Sequential fan-out — runs after child-a; receives parent's `sharedVar` via `perWorkerInputMappings.child-b` onto its `input` input. Scenario reads child-b's `inputs_json` to assert `inputs.input === 'hello'`. | `completed` | ≤ 5s |
 | Agent Memory Round-Trip | `conformance-agent-memory-roundtrip` | Phase 3 — `MemoryAdapter.list/get` write → read | `completed` | ≤ 15s |
 | Agent Memory Cross-Tenant | `conformance-agent-memory-cross-tenant` | Phase 3 / CTI-1 — cross-tenant probe MUST return `[]` / `null` | `completed` | ≤ 10s |
 | Agent Memory Redaction | `conformance-agent-memory-redaction` | Phase 3 / SR-1 — BYOK plaintext surfaces as `[REDACTED:<id>]` on read | `completed` | ≤ 15s |

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openwop/openwop-conformance",
-  "version": "1.1.0",
+  "version": "1.2.0",
   "description": "Production-ready black-box conformance suite for OpenWOP v1.0 compliant servers.",
   "repository": {
     "type": "git",

package/schemas/README.md

@@ -6,11 +6,17 @@
 |---|---|---|
 | `agent-manifest.schema.json` | `node-packs.md` + agent-pack RFCs | Agent manifest entries distributed alongside node-pack manifests |
 | `agent-ref.schema.json` | `agent-memory.md` + agent-identity RFC | Multi-Agent Shift Phase 1 — slim runtime AgentRef projection carried on `RunSnapshot.agent` / `runOrchestrator`, `WorkflowNode.agent?`, and `agent.*` event payloads |
+| `ai-envelope.schema.json` | `ai-envelope.md` | FINAL v1.1 — inbound LLM-emission envelope. Top-level shape (`type` / `schemaVersion` / `envelopeId` / `correlationId` / `payload` / `meta` / `partial`). Per-kind payload schemas under `envelopes/`. Distinct from `RunEventDoc` (outbound) and `error-envelope.schema.json` (host HTTP errors). |
+| `envelopes/clarification.request.schema.json` | `ai-envelope.md` §"Universal kinds" | FINAL v1.1 — payload for the universal `clarification.request` kind; engine lifts to `kind: "clarification"` `InterruptPayload`. |
+| `envelopes/schema.request.schema.json` | `ai-envelope.md` §"Universal kinds" | FINAL v1.1 — LLM asks the engine for a kind's JSON Schema. Counts against `Capabilities.limits.schemaRounds`. |
+| `envelopes/schema.response.schema.json` | `ai-envelope.md` §"Universal kinds" | FINAL v1.1 — side-channel ack for `schema.request`. Never surfaces to users. |
+| `envelopes/error.schema.json` | `ai-envelope.md` §"Universal kinds" | FINAL v1.1 — LLM's deliberate error report. Distinct from `error-envelope.schema.json` (host HTTP errors). |
 | `audit-verify-result.schema.json` | `auth-profiles.md` §`openwop-audit-log-integrity` | Response payload from `GET /v1/audit/verify` — chain-validity verdict + checkpoints + anomalies |
 | `capabilities.schema.json` | `capabilities.md` | `/.well-known/openwop` response — protocolVersion + supportedEnvelopes + schemaVersions + limits + optional v1 discovery surface |
 | `channel-written-payload.schema.json` | `channels-and-reducers.md` §Channel write event | Payload of the `channel.written` RunEvent — write input + reducer name |
 | `conversation-event.schema.json` | `channels-and-reducers.md` + conversation RFC | Multi-turn conversation event shape for orchestrator-driven HITL flows |
 | `conversation-turn.schema.json` | `channels-and-reducers.md` + conversation RFC | Conversation turn shape for user/agent/system messages |
+| `core-conformance-mock-agent-config.schema.json` | `node-packs.md` + RFC 0023 | Config shape for the conformance-only `core.conformance.mock-agent` typeId — drives `agent.*` event emission on cue (`mockReasoning` / `mockToolCalls` / `mockHandoff` / `mockDecision` / `mockConfidence`). Hosts MUST refuse this typeId for production tenants unless `capabilities.conformance.mockAgent` is advertised. |
 | `debug-bundle.schema.json` | `debug-bundle.md` | Portable run diagnostic export from `GET /v1/runs/{runId}/debug-bundle` |
 | `dispatch-config.schema.json` | `node-packs.md` + dispatch RFC | Configuration shape for `core.dispatch` / sub-workflow routing |
 | `error-envelope.schema.json` | `rest-endpoints.md` + `auth.md` | Canonical `{error, message, details?}` shape returned on every non-2xx |
@@ -27,6 +33,7 @@
 | `run-snapshot.schema.json` | `rest-endpoints.md` §RunSnapshot | Projected run state from `GET /v1/runs/{runId}` |
 | `security-advisory.schema.json` | `registry-operations.md` + INCIDENT-RESPONSE runbook | Registry-owned CVE advisory record at `registry/security/advisories.json`. One entry per disclosed vulnerability — id, severity, affected pack-name + SemVer range, optional fixedIn/advisoryUrl/credits. Enforced by `check-advisories.mjs` in `.github/workflows/registry-publish.yml`. |
 | `suspend-request.schema.json` | `interrupt.md` | `InterruptPayload` with 8 `kind` discriminators (approval, clarification, external-event, custom, conversation.start, conversation.exchange, conversation.close, low-confidence) |
+| `workflow-chain-pack-manifest.schema.json` | `workflow-chain-packs.md` + RFC 0013 | Manifest for workflow-chain packs (`kind: "workflow-chain"`) — pre-configured DAG fragments expanded inline at workflow-author time. Peer to `node-pack-manifest.schema.json`; disjoint via the `kind` discriminator. |
 | `workflow-definition.schema.json` | `channels-and-reducers.md` + `node-packs.md` | DAG of nodes + edges + triggers + variables + channels |
 
 ## Validating against the schemas

package/schemas/agent-ref.schema.json

@@ -10,7 +10,7 @@
       "type": "string",
       "minLength": 3,
       "maxLength": 256,
-      "description": "Globally-unique agent identifier. Naming convention mirrors `node-packs.md` §Naming — `<tier>.<org>.<pack>.<agent>` for vendor/community packs (`vendor.acme.support.tier1`); `core.<name>` for spec-canonical agents (`core.chat`, `core.research`); `host:<id>` slim-runtime form for host-internal AgentRefs that don't ship as packs. Host-internal `host:<id>` agents are valid AgentRefs at the wire level but MUST NOT be published as manifests (the `host:` namespace is reserved for runtime synthesis)."
+      "description": "Globally-unique agent identifier. Naming convention mirrors `node-packs.md` §Naming — `<tier>.<org>.<pack>.<agent>` for vendor/community packs (`vendor.acme.support.tier1`); `core.<name>` for spec-canonical agents (`core.chat`, `core.research`); `host:<id>` slim-runtime form for host-internal AgentRefs that don't ship as packs. Host-internal `host:<id>` agents are valid AgentRefs at the wire level but MUST NOT be published as manifests (the `host:` namespace is reserved for runtime synthesis). External-identity-system compatibility (STD-4): hosts MAY map an `agentId` to a W3C DID, an A2A AgentCard URL, an AGNTCY gateway identifier, or other external identity primitive via host-internal mapping tables. The external identifier MUST NOT be embedded as the wire-level `agentId` (doing so would force resolver dependencies on every consumer); carry it under vendor metadata or as the `host:<scheme>:<id>` form. See `spec/v1/agent-ref-positioning.md` §\"Composition rules\" for the recommended mapping conventions."
     },
     "name": {
       "type": "string",

package/schemas/ai-envelope.schema.json

@@ -0,0 +1,106 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://openwop.dev/spec/v1/ai-envelope.schema.json",
+  "title": "AIEnvelope",
+  "description": "Canonical inbound wire format for a typed, structured emission produced by an LLM during workflow execution. Distinct from `RunEventDoc` (which is the outbound run event log envelope). Per `spec/v1/ai-envelope.md`. The top-level shape is closed (`additionalProperties: false`); the `payload` shape is selected by the `type` discriminator and validated against a per-kind schema at `schemas/envelopes/{type}.schema.json` (universals) or a host-published vendor location. Hosts advertise the kind catalog via `Capabilities.supportedEnvelopes` and the per-kind active version via `Capabilities.schemaVersions`. Status: FINAL v1.1 (promoted 2026-05-18 via RFC 0021).",
+  "type": "object",
+  "required": ["type", "envelopeId", "correlationId", "payload", "meta"],
+  "properties": {
+    "type": {
+      "type": "string",
+      "minLength": 1,
+      "maxLength": 256,
+      "description": "Discriminator for payload shape, kind routing, and Envelope Contract gate. Universal kinds (always allowed): `clarification.request`, `schema.request`, `schema.response`, `error`. Vendor kinds MUST be namespaced per `spec/v1/host-extensions.md` (e.g., `vendor.myndhyve.prd.create`). Pre-v1.x unnamespaced kinds (`prd.create`, `theme.create`, `tasks.create`) MAY appear in `Capabilities.supportedEnvelopes` for backward compatibility; v1.x hosts SHOULD prefer the namespaced form."
+    },
+    "schemaVersion": {
+      "type": "integer",
+      "minimum": 0,
+      "description": "Per-kind schema version. Absent → treat as 0. Matched against `Capabilities.schemaVersions[type]`. When the emitted version is lower than the advertised floor, engines under `envelopeStrictness: 'warn'` (default) MUST attempt validation against the advertised version and log `envelope_schema_version_drift`; engines under `envelopeStrictness: 'strict'` MUST refuse with `unknown_schema_version`. When higher than advertised, engines MUST refuse regardless of strictness."
+    },
+    "envelopeId": {
+      "type": "string",
+      "minLength": 1,
+      "maxLength": 128,
+      "description": "Globally unique envelope id. Generated by the engine if absent on receipt; consumers MUST treat as opaque. Distinct from `correlationId` (which is the dedup/replay key)."
+    },
+    "correlationId": {
+      "type": "string",
+      "minLength": 1,
+      "maxLength": 128,
+      "description": "Caller-stable identifier for dedup, replay short-circuit, and causal chaining. Two envelopes in the same run with the same `correlationId` MUST be treated as a re-emission (engine returns the cached outcome). Same-`correlationId` envelopes with different `type` values MUST be refused with `envelope_correlation_conflict`. The engine propagates `correlationId` onto resulting `RunEventDoc.causationId`. Recommended construction: `${runId}:${nodeId}:${turnIndex}:${kindHash}`."
+    },
+    "nodeId": {
+      "type": "string",
+      "minLength": 1,
+      "maxLength": 128,
+      "description": "Set when the emitting node is identifiable. Lifted to top-level for per-node projection without payload coercion (mirrors `RunEventDoc.nodeId`). Engines MAY populate from execution context when absent."
+    },
+    "payload": {
+      "description": "Discriminated payload. Shape selected by `type`. Validated against the per-kind schema at `schemas/envelopes/{type}.schema.json` (universals) or a host-published vendor schema. Top-level accepts any JSON value because per-kind schemas vary; strict validation is per-kind, not at this layer.",
+      "type": ["object", "array", "string", "number", "boolean", "null"]
+    },
+    "meta": {
+      "$ref": "#/$defs/EnvelopeMeta"
+    },
+    "partial": {
+      "$ref": "#/$defs/PartialInfo"
+    }
+  },
+  "additionalProperties": false,
+  "$defs": {
+    "EnvelopeMeta": {
+      "type": "object",
+      "required": ["source", "ts"],
+      "properties": {
+        "source": {
+          "type": "string",
+          "enum": ["ai-generation", "user", "system"],
+          "description": "Provenance of this emission. `ai-generation` — LLM emitted this in a node turn. `user` — relayed from a user action (form fill, approval gate). `system` — engine-synthesized (e.g., resume value normalization). Gates approval-flow re-routing per `ai-envelope.md` §\"Source attribution\" (LLM-generated mutations route through approval gates; user-supplied mutations bypass them when the user is already authenticated)."
+        },
+        "contentTrust": {
+          "type": "string",
+          "enum": ["trusted", "untrusted"],
+          "description": "Trust tag mirroring `RunEventDoc.contentTrust`. Hosts MUST set `untrusted` when the payload origin is an MCP tool result per `mcp-integration.md` or an A2A inbound message per `a2a-integration.md`. The engine MUST propagate this onto any `RunEventDoc` emitted as a consequence of the envelope. Approval gates MUST refuse to advance on `untrusted` envelopes (refusal code `untrusted_content_blocks_approval`)."
+        },
+        "ts": {
+          "type": "string",
+          "format": "date-time",
+          "description": "ISO 8601 UTC timestamp of emission."
+        },
+        "traceparent": {
+          "type": "string",
+          "description": "Optional W3C trace-context value (`traceparent` header format) for distributed tracing propagation. Engines that export OTel spans for envelope acceptance SHOULD honor this value as the parent span when present."
+        },
+        "label": {
+          "type": "string",
+          "maxLength": 256,
+          "description": "Optional human-readable label for ops dashboards (e.g., `\"Draft PRD #2\"`). Never used for routing; never persisted into event payloads in a security-relevant way. (in-flight)"
+        }
+      },
+      "additionalProperties": false,
+      "description": "Wire metadata. See `spec/v1/ai-envelope.md` §EnvelopeMeta."
+    },
+    "PartialInfo": {
+      "type": "object",
+      "required": ["isPartial", "index", "total"],
+      "properties": {
+        "isPartial": {
+          "type": "boolean",
+          "description": "True for all chunks of a partial emission EXCEPT the final one. The final chunk carries `isPartial: false` and signals reassembly completion. (in-flight)"
+        },
+        "index": {
+          "type": "integer",
+          "minimum": 0,
+          "description": "0-indexed chunk position. (in-flight)"
+        },
+        "total": {
+          "type": "integer",
+          "minimum": -1,
+          "description": "Total expected chunks. -1 when unknown (streaming without precount). (in-flight)"
+        }
+      },
+      "additionalProperties": false,
+      "description": "Present when the envelope is one fragment of a streamed emission. Cross-transport reassembly is open (see gap E1 in `ai-envelope.md`)."
+    }
+  }
+}

package/schemas/capabilities.schema.json

@@ -49,6 +49,23 @@
       "additionalProperties": false,
       "description": "Hard limits enforced by the engine. See capabilities.md §3."
     },
+    "envelopeStrictness": {
+      "type": "string",
+      "enum": ["warn", "strict"],
+      "description": "AI Envelope schema-version drift handling per `spec/v1/ai-envelope.md` §\"Capability handshake integration\" (DRAFT v1.x). Optional in v1.x; default when absent is `warn`. Under `warn`, the engine MUST attempt validation against the advertised version of a kind and log `envelope_schema_version_drift` when the emitted `schemaVersion` is lower than advertised. Under `strict`, the same condition MUST cause refusal with `unknown_schema_version`. Emitted `schemaVersion` higher than advertised MUST refuse regardless of strictness."
+    },
+    "envelopeContracts": {
+      "type": "object",
+      "description": "AI Envelope contract-gating advertisement per `spec/v1/ai-envelope.md` §\"Capability handshake integration\" (DRAFT v1.x). Optional in v1.x. When `advertised: true`, the host's node-pack manifests carry `EnvelopeContract` blocks per `ai-envelope.md` §\"Envelope Contract\"; tooling and conformance scenarios gate on this flag. When `advertised: false` or the block is absent, hosts MAY accept envelopes without per-typeId `accepts[]` enforcement.",
+      "required": ["advertised"],
+      "properties": {
+        "advertised": {
+          "type": "boolean",
+          "description": "Host's node-pack manifests carry `EnvelopeContract` blocks."
+        }
+      },
+      "additionalProperties": false
+    },
     "extensions": {
       "type": "object",
       "description": "Optional per-canvas-type or per-workflow extensions (additional envelope types, override limits)."
@@ -84,11 +101,11 @@
     },
     "nodePackRuntimes": {
       "type": "object",
-      "description": "Optional v1 advertisement of node-pack runtimes the host loads. See `node-packs.md` §runtime formats and RFC 0008 (WASM ABI). Hosts that don't load packs MAY omit this block entirely.",
+      "description": "Optional v1 advertisement of node-pack runtimes the host loads. See `node-packs.md` §runtime formats and RFC 0008 (WASM ABI). Hosts that don't load packs MAY omit this block entirely. NOTE: this block intentionally uses `additionalProperties: true` (here and on the nested runtime objects) so a future RFC may add a runtime type (e.g., `python-wasm`, `js-wasm`) without a breaking-change rev of this schema; the trade is that a strict-mode validator will accept arbitrary extra keys under these objects. A future RFC that promotes the open-set fields to first-class SHOULD tighten them to `additionalProperties: false` in the same RFC.",
       "properties": {
         "wasm": {
           "type": "object",
-          "description": "WASM core-module runtime per RFC 0008. Hosts that load `runtime.language: \"wasm\"` packs MUST advertise `supported: true` and at least one entry in `abiVersions[]`.",
+          "description": "WASM core-module runtime per RFC 0008. Hosts that load `runtime.language: \"wasm\"` packs MUST advertise `supported: true` and at least one entry in `abiVersions[]`. `additionalProperties: true` preserved for future RFC 0008 amendments (e.g., per-pack memory accounting fields).",
           "required": ["supported"],
           "properties": {
             "supported": {
@@ -125,7 +142,7 @@
         },
         "wasmComponent": {
           "type": "object",
-          "description": "WASM Component Model variant (WIT-defined interfaces). Reserved for hosts that load `runtime.language: \"wasm-component\"` packs.",
+          "description": "WASM Component Model variant (WIT-defined interfaces). Reserved for hosts that load `runtime.language: \"wasm-component\"` packs. `additionalProperties: true` preserved until the Component Model spec stabilises in the v1.x line; tighten in the RFC that promotes wasm-component to a first-class runtime alongside `wasm`.",
           "properties": {
             "supported": { "type": "boolean" }
           },
@@ -266,6 +283,17 @@
       },
       "additionalProperties": true
     },
+    "conformance": {
+      "type": "object",
+      "description": "Conformance-only capability block (RFC 0023). Advertises which conformance-only typeIds (`core.conformance.*`) the host has registered. Hosts that don't ship conformance-only typeIds omit this block entirely. Production deployments SHOULD omit this block; conformance-only typeIds carry test hooks (e.g., `mockReasoning`, `mockConfidence`) that MUST NOT be reachable from production tenants.",
+      "properties": {
+        "mockAgent": {
+          "type": "boolean",
+          "description": "RFC 0023 §B.2. When `true`, the host has registered the `core.conformance.mock-agent` typeId. The scenarios `agentReasoningEvents.test.ts` and `agentConfidenceEscalation.test.ts` rely on the typeId being reachable. Hosts that register the typeId only for workflow ids matching the conformance fixture prefix (`conformance-*`) and refuse it for other tenants MAY still advertise `true` — the advertisement says only that the typeId is reachable from the conformance suite, not that it is reachable from arbitrary workflows."
+        }
+      },
+      "additionalProperties": false
+    },
     "fixtures": {
       "type": "array",
       "items": { "type": "string", "minLength": 1 },
@@ -311,6 +339,11 @@
           "type": "boolean",
           "description": "Phase 6. When `true`, host advertises that it implements the `core.dispatch` Core typeId AND honors the conservative-path commitment CP-2 (`core.dispatch` MUST NOT mutate the run's DAG mid-run). Implies (but does NOT require) `agents.orchestrator: true`."
         },
+        "dispatchMapping": {
+          "type": "boolean",
+          "default": false,
+          "description": "Phase 6.1 (RFC 0022 §A). When `true`, host honors `inputMapping` / `outputMapping` / `perWorkerInputMappings` / `perWorkerOutputMappings` on `DispatchConfig` — building child inputs from parent variables before dispatch and harvesting child variables into parent variables on completion. Implies (but does NOT require) `agents.dispatch: true`. Hosts that set `agents.dispatch: true` but omit / `false` this flag MUST refuse workflows that carry non-empty mapping fields at registration with `validation_error` + `details.requiredCapability: 'agents.dispatchMapping'`."
+        },
         "reasoning": {
           "type": "object",
           "description": "Phase 1 reasoning-event verbosity configuration.",
@@ -331,10 +364,274 @@
       },
       "additionalProperties": true
     },
+    "memory": {
+      "type": "object",
+      "description": "MemoryAdapter capability block per RFC 0004 + the optional compaction profile per RFC 0012. Hosts that don't wire any memory surface omit the entire block.",
+      "properties": {
+        "supported": {
+          "type": "boolean",
+          "description": "When `true`, host implements the four-operation MemoryAdapter contract (`list`, `get`, `put`, `delete`) per RFC 0004 §A."
+        },
+        "maxEntrySizeBytes": {
+          "type": "integer",
+          "minimum": 1,
+          "description": "Upper bound on `MemoryEntry.content` size. Hosts SHOULD reject `put` exceeding this with `validation_error`."
+        },
+        "ttlSupported": {
+          "type": "boolean",
+          "description": "When `true`, host honors `expiresAt` per RFC 0004 §E."
+        },
+        "compaction": {
+          "type": "object",
+          "description": "RFC 0012 Memory Compaction Profile (Accepted 2026-05-15). Hosts that distill many short-lived MemoryEntry rows into fewer long-lived ones MAY advertise here; advertising implies the SR-1 carry-forward invariant (`SECURITY/invariants.yaml` row `memory-compaction-sr-1-carry-forward`).",
+          "required": ["supported"],
+          "properties": {
+            "supported": {
+              "type": "boolean",
+              "description": "REQUIRED when the sub-block is present. When `true`, host performs compaction over `longTerm` memory and emits the `memory.compacted` event per `observability.md` §Canonical event vocabulary."
+            },
+            "trigger": {
+              "type": "string",
+              "enum": ["host-managed", "client-requested", "both"],
+              "description": "REQUIRED when `supported: true` per RFC 0012 §A (enforced via the `if/then` clause). `host-managed` runs on a host-internal schedule clients do not control. `client-requested` and `both` are reserved enum values; v1.x normates only `host-managed`."
+            },
+            "maxInputEntries": {
+              "type": "integer",
+              "minimum": 1,
+              "description": "Informational ceiling on how many source entries one compaction call collapses. Not wire-enforced."
+            },
+            "maxOutputBytes": {
+              "type": "integer",
+              "minimum": 0,
+              "description": "Informational ceiling on the distilled entry size. SHOULD be ≤ `memory.maxEntrySizeBytes`."
+            }
+          },
+          "additionalProperties": false,
+          "if": { "properties": { "supported": { "const": true } }, "required": ["supported"] },
+          "then": { "required": ["supported", "trigger"] }
+        }
+      },
+      "additionalProperties": true
+    },
     "conversationPrimitive": {
       "type": "boolean",
       "description": "Multi-Agent Shift Phase 4. When `true`, host advertises that it implements the `core.conversationGate` typeId AND honors the `conversation.start` / `conversation.exchange` / `conversation.close` suspend variants. Hosts that don't claim this fall back to `clarification.requested` interrupts for multi-turn user interjections."
     },
+    "subWorkflow": {
+      "type": "object",
+      "description": "Capability surface for `core.subWorkflow` extensions. The baseline `core.subWorkflow` contract (RFC 0007 + `node-packs.md` §contract) is unconditional and does NOT require a capability flag; this object carries the additive extensions a host MAY support. Added by RFC 0022 §B + §C.",
+      "properties": {
+        "inputMapping": {
+          "type": "boolean",
+          "default": false,
+          "description": "RFC 0022 §B. When `true`, host honors the `inputMapping` field on `core.subWorkflow` configs — seeding the child workflow's initial variable bag from `parentVariables[parentKey]` projections, overriding any matching `variables[].defaultValue` declaration on the child. When `false` or absent, hosts MUST refuse workflows that carry a non-empty `inputMapping` at registration with `validation_error` + `details.requiredCapability: 'subWorkflow.inputMapping'`. Silent ignore is NOT conformant."
+        }
+      },
+      "additionalProperties": false
+    },
+    "fs": {
+      "type": "object",
+      "description": "RFC 0014 (`Active`). Filesystem capability — read/write/list/stat/delete inside a sandbox root. Required by the `core.openwop.files` pack. Hosts MUST resolve every input path relative to `sandboxRoot`, reject any path that escapes via `..` segments or symlinks, and enforce `maxFileSizeBytes` on write. Path-traversal rejection is normative — see `SECURITY/invariants.yaml` row `fs-path-traversal`.",
+      "properties": {
+        "supported": {
+          "type": "boolean",
+          "description": "Host advertises `ctx.fs.{read,write,delete,stat,list}`. `false` (or omission) signals the host does NOT expose a filesystem surface; `core.openwop.files` registration MUST refuse on such hosts."
+        },
+        "sandboxRoot": {
+          "type": "string",
+          "description": "Absolute path. Every fs operation is resolved relative to this root. MUST be set when `supported: true`."
+        },
+        "maxFileSizeBytes": {
+          "type": "integer",
+          "minimum": 0,
+          "description": "Per-file size cap enforced on write. 0 = unlimited (NOT recommended). Reads of files larger than this MAY return `file_too_large`."
+        },
+        "image": {
+          "type": "object",
+          "description": "Image-processing sub-capability. Optional.",
+          "properties": {
+            "supported": { "type": "boolean" },
+            "formats": {
+              "type": "array",
+              "items": { "type": "string", "enum": ["jpeg", "png", "webp", "avif", "gif"] }
+            }
+          },
+          "additionalProperties": false
+        },
+        "pdf": {
+          "type": "object",
+          "description": "PDF-processing sub-capability. Optional.",
+          "properties": {
+            "supported": { "type": "boolean" }
+          },
+          "additionalProperties": false
+        },
+        "transport": {
+          "type": "object",
+          "description": "Network file-transport sub-capabilities. Optional.",
+          "properties": {
+            "ftp": { "type": "boolean" },
+            "sftp": { "type": "boolean" },
+            "ssh": { "type": "boolean" }
+          },
+          "additionalProperties": false
+        }
+      },
+      "if": { "properties": { "supported": { "const": true } }, "required": ["supported"] },
+      "then": { "required": ["supported", "sandboxRoot"] },
+      "additionalProperties": false
+    },
+    "kvStorage": {
+      "type": "object",
+      "description": "RFC 0015 (`Active`). TTL-aware key-value store with atomic increment + compare-and-swap. Required by `core.openwop.storage` kv-* nodes. Hosts MUST partition values by tenant (`kv-cross-tenant-isolation` invariant) and atomically apply increments + CAS when those flags are advertised.",
+      "properties": {
+        "supported": { "type": "boolean" },
+        "maxKeyBytes": { "type": "integer", "minimum": 0 },
+        "maxValueBytes": { "type": "integer", "minimum": 0 },
+        "maxTtlSeconds": { "type": "integer", "minimum": 0 },
+        "atomicIncrement": { "type": "boolean" },
+        "compareAndSwap": { "type": "boolean" }
+      },
+      "additionalProperties": false
+    },
+    "tableStorage": {
+      "type": "object",
+      "description": "RFC 0016 (`Active`). Structured-record store with user-defined schemas. Sibling to kvStorage. Cross-tenant isolation enforced (mirrors RFC 0015 invariant).",
+      "properties": {
+        "supported": { "type": "boolean" },
+        "maxRowsPerTable": { "type": "integer", "minimum": 0 },
+        "maxColumnsPerRow": { "type": "integer", "minimum": 0 },
+        "indexable": { "type": "boolean" },
+        "fullTextSearch": { "type": "boolean" }
+      },
+      "additionalProperties": false
+    },
+    "queueBus": {
+      "type": "object",
+      "description": "RFC 0017 (`Active`). Inbound queue + stream capability — publish, consume (trigger), ack/nack/dead-letter. Cross-tenant message isolation invariant (`queue-cross-tenant-isolation`). Sibling to host.messaging (which is outbound-egress-only).",
+      "properties": {
+        "supported": { "type": "boolean" },
+        "backends": {
+          "type": "array",
+          "items": { "type": "string", "enum": ["rabbitmq", "kafka", "sqs", "sns", "pubsub", "mqtt", "nats", "redis-streams", "in-memory"] }
+        },
+        "deadLetterSupported": { "type": "boolean" },
+        "stream": {
+          "type": "object",
+          "properties": {
+            "supported": { "type": "boolean" },
+            "fromBeginning": { "type": "boolean" }
+          },
+          "additionalProperties": false
+        }
+      },
+      "additionalProperties": false
+    },
+    "sql": {
+      "type": "object",
+      "description": "RFC 0018 (`Active`). SQL database adapter with parametric-only enforcement. Hosts MUST reject non-parametric queries that inline user input (`sql-parametric-only` invariant — guards against SQL injection across every workflow).",
+      "properties": {
+        "supported": { "type": "boolean" },
+        "datasources": { "type": "array", "items": { "type": "object", "additionalProperties": true } },
+        "transactions": { "type": "boolean" },
+        "drivers": {
+          "type": "array",
+          "items": { "type": "string", "enum": ["postgres", "mysql", "mariadb", "sqlite", "mssql", "clickhouse", "snowflake", "bigquery", "duckdb"] }
+        }
+      },
+      "additionalProperties": false
+    },
+    "nosql": {
+      "type": "object",
+      "description": "RFC 0018 (`Active`). MongoDB-shape document store adapter.",
+      "properties": {
+        "supported": { "type": "boolean" },
+        "datasources": { "type": "array" },
+        "drivers": { "type": "array", "items": { "type": "string", "enum": ["mongodb", "dynamodb", "cosmosdb", "firestore"] } }
+      },
+      "additionalProperties": false
+    },
+    "vectorStore": {
+      "type": "object",
+      "description": "RFC 0018 (`Active`). Vector-DB capability for k-NN search.",
+      "properties": {
+        "supported": { "type": "boolean" },
+        "collections": { "type": "array" },
+        "backends": {
+          "type": "array",
+          "items": { "type": "string", "enum": ["pinecone", "qdrant", "weaviate", "milvus", "pgvector", "redis", "mongodb-atlas", "chroma", "azure-ai-search", "in-memory"] }
+        }
+      },
+      "additionalProperties": false
+    },
+    "searchIndex": {
+      "type": "object",
+      "description": "RFC 0018 (`Active`). Full-text search index adapter.",
+      "properties": {
+        "supported": { "type": "boolean" },
+        "indexes": { "type": "array" },
+        "backends": {
+          "type": "array",
+          "items": { "type": "string", "enum": ["elasticsearch", "opensearch", "meilisearch", "typesense", "algolia"] }
+        }
+      },
+      "additionalProperties": false
+    },
+    "blobStorage": {
+      "type": "object",
+      "description": "RFC 0019 (`Active`). Binary artifact store with presigned URLs. Per-bucket tenant isolation. Presigned URLs MUST expire at the advertised TTL.",
+      "properties": {
+        "supported": { "type": "boolean" },
+        "buckets": { "type": "array" },
+        "presignSupported": { "type": "boolean" },
+        "maxObjectBytes": { "type": "integer", "minimum": 0 }
+      },
+      "additionalProperties": false
+    },
+    "cache": {
+      "type": "object",
+      "description": "RFC 0019 (`Active`). TTL cache for HTTP / AI response memoization. Per-tenant scoping; TTL drift ≤ 1s.",
+      "properties": {
+        "supported": { "type": "boolean" },
+        "maxValueBytes": { "type": "integer", "minimum": 0 },
+        "maxTtlSeconds": { "type": "integer", "minimum": 0 }
+      },
+      "additionalProperties": false
+    },
+    "workflowChainPacks": {
+      "type": "object",
+      "description": "RFC 0013 (Phase 1, `Draft`). When `supported: true`, the host's workflow editor implements workflow-chain pack expansion per `workflow-chain-packs.md` — author drops a chain tile, host resolves the pack, prompts for `parameters`, substitutes `{{params.<name>}}` placeholders, rewrites node ids, splices the resulting DAG into the parent workflow. Hosts that don't implement expansion omit this block (or set `supported: false`); conformance scenarios under `conformance/src/scenarios/workflow-chain-*.test.ts` skip cleanly against those hosts.",
+      "properties": {
+        "supported": {
+          "type": "boolean",
+          "description": "Whether the host's workflow editor implements chain expansion at author time. `false` (or omission) signals the host does NOT consume workflow-chain packs."
+        }
+      },
+      "required": ["supported"],
+      "additionalProperties": false
+    },
+    "mcp": {
+      "type": "object",
+      "description": "RFC 0020 (`Active`). MCP (Model Context Protocol) composition surface. The client half is consumed implicitly via `host.mcp` host-surface; this block adds the optional server half — workflow exposed AS an MCP server with bidirectional sampling/elicitation bridges.",
+      "properties": {
+        "supported": { "type": "boolean", "description": "Host advertises a client-side MCP surface (ctx.mcp.*). See spec/v1/mcp-integration.md." },
+        "serverMount": {
+          "type": "object",
+          "description": "Server-side MCP composition (workflow IS an MCP server). When supported, the host mounts an MCP endpoint and routes inbound tools/call, resources/read, prompts/get into workflows. Inbound MUST be treated as `trustBoundary: 'untrusted'`.",
+          "properties": {
+            "supported": { "type": "boolean" },
+            "transports": {
+              "type": "array",
+              "items": { "type": "string", "enum": ["stdio", "streamable-http"] }
+            },
+            "samplingBridge": { "type": "boolean", "description": "Inbound sampling/createMessage bridges to the workflow's ctx.callAI." },
+            "elicitationBridge": { "type": "boolean", "description": "Inbound elicitation/create bridges to ctx.suspend." }
+          },
+          "additionalProperties": false
+        }
+      },
+      "additionalProperties": false
+    },
     "compliance": {
       "type": "object",
       "description": "Privacy / compliance behavior advertised to clients (closes O5). Lets consumers know what masking mode is in effect so a `\"[REDACTED]\"` value in event log payloads is recognizable as a server-side mask vs an upstream null.",