@openwop/openwop-conformance 1.10.0 → 1.11.0

package/schemas/eval-summary.schema.json

@@ -0,0 +1,92 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://openwop.dev/spec/v1/eval-summary.schema.json",
+  "title": "EvalSummary",
+  "description": "RFC 0081 §C. The terminal scorecard of an eval run (the `mode: \"eval\"` projection over `POST /v1/runs`, RFC 0081 §B): the aggregate + per-task scores, cost, latency, schema-validity, and safety findings, plus the suite provenance and (for `regression` mode) the score delta vs a baseline. Set as the eval run's output and served by `GET /v1/runs/{runId}/eval-summary`. SECURITY invariant `eval-summary-no-content-leak`: the summary carries scores, ids, counts, and redaction-safe safety descriptors only — NEVER task output bodies, rubric prose, model completions, prompts, or credential material (SR-1). A consumer reads the run's normal projection for any body.",
+  "type": "object",
+  "additionalProperties": false,
+  "required": ["suiteId", "suiteVersion", "aggregateScore", "passed", "taskCount", "passedCount", "tasks"],
+  "properties": {
+    "suiteId": {
+      "type": "string",
+      "pattern": "^[a-z0-9.-]+\\.evals\\.[a-z0-9-]+$",
+      "description": "The `agent-eval-suite.schema.json#suiteId` this summary scores."
+    },
+    "suiteVersion": {
+      "type": "string",
+      "pattern": "^[0-9]+\\.[0-9]+\\.[0-9]+$",
+      "description": "The pinned suite version the run executed (mirrors `eval.started.suiteVersion`)."
+    },
+    "evaluatedModelClass": {
+      "type": "string",
+      "enum": ["reasoning", "writing", "coding", "research", "classification", "general"],
+      "description": "MAY. The `AgentManifest.modelClass` (RFC 0002) the run was evaluated against, so a score is read against its model. Present when the host resolves a concrete class."
+    },
+    "aggregateScore": {
+      "type": "number",
+      "minimum": 0,
+      "maximum": 1,
+      "description": "The suite-level score (0.0–1.0): the aggregation (host-defined, typically the mean) of per-task scores."
+    },
+    "passed": {
+      "type": "boolean",
+      "description": "Whether the run cleared the suite's `thresholds` (RFC 0081 §A) — `aggregateScore >= passScore` AND, when declared, `totalCostUsd <= maxCostUsd` AND the p95 latency bar. The load-bearing flag an RFC 0082 deployment gate may require (`requiredEval`)."
+    },
+    "taskCount": {
+      "type": "integer",
+      "minimum": 0,
+      "description": "Number of tasks executed."
+    },
+    "passedCount": {
+      "type": "integer",
+      "minimum": 0,
+      "description": "Number of tasks that individually passed."
+    },
+    "totalCostUsd": {
+      "type": "number",
+      "minimum": 0,
+      "description": "MAY. Total cost of the run, summed from the per-task RFC 0026 `provider.usage` events (the scalar only — never a pricing breakdown or rate card; `eval-summary-no-content-leak`)."
+    },
+    "tasks": {
+      "type": "array",
+      "description": "Per-task results, in suite order. Each entry is content-free: scores, scalars, ids, and redaction-safe safety descriptors only.",
+      "items": {
+        "type": "object",
+        "additionalProperties": false,
+        "required": ["taskId", "score", "passed"],
+        "properties": {
+          "taskId": { "type": "string", "pattern": "^[a-z0-9][a-z0-9-]*$", "description": "The `agent-eval-suite` task id." },
+          "score": { "type": "number", "minimum": 0, "maximum": 1, "description": "Task score (0.0–1.0)." },
+          "passed": { "type": "boolean", "description": "Whether this task individually met its bar." },
+          "costUsd": { "type": "number", "minimum": 0, "description": "MAY. Task cost (scalar)." },
+          "latencyMs": { "type": "integer", "minimum": 0, "description": "MAY. Task wall-clock latency." },
+          "schemaValid": { "type": "boolean", "description": "MAY. Whether the task output validated against the agent's `handoff.returnSchemaRef` (when structured-output enforcement is in effect)." },
+          "safetyFindings": {
+            "type": "array",
+            "description": "MAY. Redaction-safe safety findings (primarily `adversarial` mode). Each is a `{kind, severity}` descriptor — NO excerpted content, prompt, or completion text (`eval-summary-no-content-leak`).",
+            "items": {
+              "type": "object",
+              "additionalProperties": false,
+              "required": ["kind", "severity"],
+              "properties": {
+                "kind": { "type": "string", "minLength": 1, "description": "Finding category (e.g. `jailbreak`, `pii-leak`, `unsafe-tool-call`) — a category label, not excerpted content." },
+                "severity": { "type": "string", "enum": ["low", "medium", "high", "critical"], "description": "Finding severity." }
+              }
+            }
+          }
+        }
+      }
+    },
+    "regression": {
+      "type": "object",
+      "additionalProperties": false,
+      "description": "MAY. Present for `regression` mode. The score delta vs a baseline eval run, plus a pointer to the RFC 0054 `:diff` for the structural divergence. Content-free.",
+      "required": ["baselineRunId", "scoreDelta"],
+      "properties": {
+        "baselineRunId": { "type": "string", "minLength": 1, "description": "The prior eval run this run is compared against." },
+        "scoreDelta": { "type": "number", "minimum": -1, "maximum": 1, "description": "`aggregateScore` minus the baseline's (negative ⇒ regression)." },
+        "diffRef": { "type": "string", "description": "MAY. A pointer to `GET /v1/runs/{runId}:diff?against={baselineRunId}` (RFC 0054) for the structural delta." }
+      }
+    }
+  }
+}

package/schemas/node-pack-manifest.schema.json

@@ -366,6 +366,23 @@
         "minRuntimeVersion": {
           "type": "string",
           "description": "Minimum host runtime version (e.g., `node>=20`, `python>=3.10`, `go>=1.22`)."
+        },
+        "requires": {
+          "type": "array",
+          "uniqueItems": true,
+          "description": "RFC 0076. Abstract platform primitives the pack's runtime code exercises, for install-time sandbox gating. Runtime-agnostic (not language builtin names). Absent or [] ⇒ no elevated platform needs. A sandbox host MUST evaluate this at install time and refuse (`pack_runtime_requirement_unmet`) any primitive it will not grant; see node-packs.md §\"Runtime platform requirements\".",
+          "items": {
+            "oneOf": [
+              { "const": "net.dns", "description": "Resolves hostnames (e.g., SSRF pre-flight)." },
+              { "const": "net.outbound", "description": "Opens outbound network connections / fetch." },
+              { "const": "crypto", "description": "Primitives beyond the standard hashing the host already provides." },
+              { "const": "subprocess", "description": "Spawns a child process (composes with the RFC 0069 exec-class contract when the host advertises it)." },
+              { "const": "fs.read", "description": "Reads the local filesystem." },
+              { "const": "fs.write", "description": "Writes the local filesystem." },
+              { "const": "env.read", "description": "Reads the process environment (may expose deployment secrets if the host does not scrub it)." },
+              { "const": "clock", "description": "Reads wall-clock time as a behavioral input — gated for REPLAY determinism, not access control. A pack that branches on the clock is non-deterministic on replay (replay.md)." }
+            ]
+          }
         }
       },
       "additionalProperties": false

package/schemas/org-chart-responsibility-view.schema.json

@@ -0,0 +1,26 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://openwop.dev/spec/v1/org-chart-responsibility-view.schema.json",
+  "title": "OrgChartResponsibilityView",
+  "description": "RFC 0087 §D. Response body for `GET /v1/agents/org-chart/{departmentId}` — one department's subtree + the derived responsibility roll-up (the union of its members' RFC 0086 workflow portfolios, recursively through sub-departments unless `?recursive=false`). A read-only VIEW computed from live roster entries: it grants nothing (§B `org-position-no-authority-escalation`) and stores nothing. Tenant-scoped per RFC 0074.",
+  "type": "object",
+  "additionalProperties": false,
+  "required": ["department", "members", "responsibilities"],
+  "properties": {
+    "department": {
+      "$ref": "./agent-org-chart.schema.json#/$defs/Department",
+      "description": "The department this view is rooted at."
+    },
+    "members": {
+      "type": "array",
+      "items": { "$ref": "./agent-org-chart.schema.json#/$defs/Member" },
+      "description": "The department's members (and, by default, its sub-departments' members)."
+    },
+    "responsibilities": {
+      "type": "array",
+      "items": { "type": "string", "minLength": 1 },
+      "uniqueItems": true,
+      "description": "The union of the members' RFC 0086 `workflows[]` portfolios — 'what this department is collectively responsible for'. Deduped; descriptive only."
+    }
+  }
+}

package/schemas/run-event-payloads.schema.json

@@ -2,7 +2,7 @@
   "$schema": "https://json-schema.org/draft/2020-12/schema",
   "$id": "https://openwop.dev/spec/v1/run-event-payloads.schema.json",
   "title": "RunEventPayloads",
-  "description": "Per-RunEventType payload schemas. The base RunEventDoc shape (run-event.schema.json) leaves `payload` permissive for forward-compat. This schema defines the canonical payload contract for each known RunEventType. Consumers MAY pin strict payload validation via `$defs.<typeId>` and `ajv.validate(schema.$defs[event.type], event.payload)`. Unknown event types MUST be tolerated (no $defs match → fold best-effort).\n\n75 variants from `run-event.schema.json#$defs.RunEventType` are covered, grouped into ~20 shape families with shared $defs. Naming convention: camelCase keys mirror dotted RunEventType names (e.g., `run.started` → `runStarted`).",
+  "description": "Per-RunEventType payload schemas. The base RunEventDoc shape (run-event.schema.json) leaves `payload` permissive for forward-compat. This schema defines the canonical payload contract for each known RunEventType. Consumers MAY pin strict payload validation via `$defs.<typeId>` and `ajv.validate(schema.$defs[event.type], event.payload)`. Unknown event types MUST be tolerated (no $defs match → fold best-effort).\n\n94 variants from `run-event.schema.json#$defs.RunEventType` are covered, grouped into ~20 shape families with shared $defs. Naming convention: camelCase keys mirror dotted RunEventType names (e.g., `run.started` → `runStarted`).",
   "type": "object",
   "$defs": {
     "_typeIndex": {
@@ -79,12 +79,31 @@
         "memory.written":            { "$ref": "#/$defs/memoryWritten" },
         "agent.memory.consolidated": { "$ref": "#/$defs/agentMemoryConsolidated" },
         "commitment.fired":          { "$ref": "#/$defs/commitmentFired" },
+        "agent.invocation.started":  { "$ref": "#/$defs/agentInvocationStarted" },
+        "agent.invocation.completed":{ "$ref": "#/$defs/agentInvocationCompleted" },
         "workspace.updated":         { "$ref": "#/$defs/workspaceUpdated" },
         "core.workflowChain.event":  { "$ref": "#/$defs/coreWorkflowChainEvent" },
         "core.workflowChain.confidence-escalated": { "$ref": "#/$defs/coreWorkflowChainConfidenceEscalated" },
         "connector.authorized":      { "$ref": "#/$defs/connectorAuthorized" },
         "connector.auth_expired":    { "$ref": "#/$defs/connectorAuthExpired" },
-        "authorization.decided":     { "$ref": "#/$defs/authorizationDecided" }
+        "authorization.decided":     { "$ref": "#/$defs/authorizationDecided" },
+        "eval.started":              { "$ref": "#/$defs/evalStarted" },
+        "eval.scored":               { "$ref": "#/$defs/evalScored" },
+        "eval.completed":            { "$ref": "#/$defs/evalCompleted" },
+        "deployment.promoted":       { "$ref": "#/$defs/deploymentPromoted" },
+        "deployment.rolled-back":    { "$ref": "#/$defs/deploymentRolledBack" },
+        "deployment.canary.adjusted":{ "$ref": "#/$defs/deploymentCanaryAdjusted" },
+        "deployment.state.changed":  { "$ref": "#/$defs/deploymentStateChanged" },
+        "roster.run.initiated":      { "$ref": "#/$defs/rosterRunInitiated" },
+        "tool.session.opened":       { "$ref": "#/$defs/toolSessionOpened" },
+        "tool.session.closed":       { "$ref": "#/$defs/toolSessionClosed" },
+        "egress.decided":            { "$ref": "#/$defs/egressDecided" },
+        "trigger.subscription.state.changed": { "$ref": "#/$defs/triggerSubscriptionStateChanged" },
+        "trigger.delivery.attempted":         { "$ref": "#/$defs/triggerDeliveryAttempted" },
+        "budget.reserved":           { "$ref": "#/$defs/budgetReserved" },
+        "budget.consumed":           { "$ref": "#/$defs/budgetConsumed" },
+        "budget.threshold.crossed":  { "$ref": "#/$defs/budgetThresholdCrossed" },
+        "budget.exhausted":          { "$ref": "#/$defs/budgetExhausted" }
       }
     },
 
@@ -744,7 +763,7 @@
       "description": "Emitted when a CapabilityLimit is exceeded. Protocol-level limits use the engine kinds (clarificationRounds / schemaRounds / envelopesPerTurn / maxNodeExecutions). RFC 0008 §K WASM-runtime caps use the wasm-* kinds (memory ceiling, fuel exhaustion, execution-time wall-clock). RFC 0058 run-execution bounds use the run-scoped run-duration (wall-clock timeout; limit=resolvedMs, observed=elapsedMs) and loop-iterations (agent-loop ceiling; limit=resolvedMax, observed=iterationCount) kinds.",
       "required": ["kind", "limit", "observed"],
       "properties": {
-        "kind":     { "type": "string", "enum": ["clarification", "schema", "envelopes", "node-executions", "wasm-memory", "wasm-fuel", "wasm-execution-time", "run-duration", "loop-iterations"] },
+        "kind":     { "type": "string", "enum": ["clarification", "schema", "envelopes", "node-executions", "wasm-memory", "wasm-fuel", "wasm-execution-time", "run-duration", "loop-iterations", "budget-tokens", "budget-cost", "budget-tool-calls", "budget-retries"] },
         "limit":    { "type": "integer", "minimum": 0 },
         "observed": { "type": "integer", "minimum": 0 },
         "nodeId":   { "type": "string" }
@@ -1360,6 +1379,40 @@
       "additionalProperties": true
     },
 
+    "agentInvocationStarted": {
+      "type": "object",
+      "description": "RFC 0077. Emitted by a host advertising `capabilities.agents.liveRuntime.supported: true` as the FIRST agent-scoped event of a live manifest invocation, bracketing the existing `agent.*` family with `agent.invocation.completed`. Content-free: identifiers + selection metadata only — prompt/task content is served by the run's normal projection, never on this event. A recorded-fact event per `replay.md` §\"Recorded-fact events\": on replay it is re-emitted from the log and the host MUST NOT regenerate its `invocationId` (or any identifier). Distinct from the deterministic RFC 0070 sample floor.",
+      "required": ["invocationId", "agentId", "source"],
+      "properties": {
+        "invocationId":     { "type": "string", "minLength": 1, "description": "Host-defined id correlating this agent invocation within its run, UNIQUE-WITHIN-RUN (not a mandated global id-space). Distinct from `runId` — one run MAY dispatch several invocations (multiple agent nodes, or a handoff chain) — but a host MAY derive it from an existing per-node-execution receipt id (e.g. `runId:nodeId:seq`) or mint a UUID; a single-invocation run MAY reuse `runId`. Recorded-fact: re-read from the log on replay, never regenerated (`replay.md` §\"Recorded-fact events\"). Correlates to the matching `agent.invocation.completed`." },
+        "agentId":          { "type": "string", "minLength": 1, "description": "The manifest agentId being invoked (matches `AgentManifest.agentId`)." },
+        "source":           { "type": "string", "enum": ["workflow-node", "run-api", "chat-mention"], "description": "Which entry point launched the invocation. All sources emit this identical family." },
+        "modelClass":       { "type": "string", "description": "MAY — the manifest's abstract `modelClass`. Always populatable at start." },
+        "resolvedModel":    { "type": "string", "description": "MAY — the concrete model the host selected. OPTIONAL: modelClass→concrete resolution MAY happen downstream (with capability-gated fallback substitution), so a dispatch-time start event genuinely may not know it; a host MAY also omit for deployment-privacy." },
+        "resolvedProvider": { "type": "string", "description": "MAY — the concrete provider the host routed to (aligns with `capabilities.aiProviders.supported` / RFC 0067 `authModes`). OPTIONAL, same rationale as `resolvedModel`." },
+        "resolvedAgentVersion": { "type": "string", "description": "MAY — RFC 0082 §B. When this invocation's `AgentRef` bound a `channel` (rather than an exact `version`), the concrete agent-definition version the host pinned per-(run, agentId, channel) at first resolution. A RECORDED FACT: re-read from the log on replay and NEVER re-resolved against a moved channel (the whole event is recorded-fact). Absent when the ref used an exact `version` or host-default resolution." },
+        "resolvedChannel":  { "type": "string", "description": "MAY — RFC 0082 §B. The named `channel` the `AgentRef` bound (mirrors `AgentRef.channel`), for which `resolvedAgentVersion` is the pinned resolution. Content-free label; present only when the ref bound a channel." },
+        "toolSurfaceCount": { "type": "integer", "minimum": 0, "description": "MAY — number of tools in the constructed surface after `toolAllowlist` filtering. Content-free count, not the tool ids." },
+        "memoryBound":      { "type": "boolean", "description": "MAY — whether a long-term memory backend was bound for the invocation." }
+      },
+      "additionalProperties": true
+    },
+
+    "agentInvocationCompleted": {
+      "type": "object",
+      "description": "RFC 0077. Emitted by a host advertising `capabilities.agents.liveRuntime.supported: true` as the LAST agent-scoped event of a live manifest invocation (after the terminal `agent.decided`). Content-free: identifiers + outcome metadata only — the result body is served by the run's normal projection. A recorded-fact event per `replay.md` §\"Recorded-fact events\": re-read from the log on replay, never regenerated.",
+      "required": ["invocationId", "agentId", "outcome"],
+      "properties": {
+        "invocationId":    { "type": "string", "minLength": 1, "description": "Correlates to the `agent.invocation.started` `invocationId`. Recorded-fact: never regenerated on replay." },
+        "agentId":         { "type": "string", "minLength": 1, "description": "The manifest agentId." },
+        "outcome":         { "type": "string", "enum": ["completed", "handed-off", "escalated", "refused", "failed"], "description": "Terminal disposition. `completed`: produced a (schema-valid, if enforced) terminal result. `handed-off`: control passed to another agent (`agent.handoff`). `escalated`: confidence escalation fired (RFC 0002 §F). `refused`: the model refused (RFC 0032 refusal envelope) — never a silent substitution. `failed`: an error terminated the invocation." },
+        "schemaValidated": { "type": "boolean", "description": "MAY — whether the terminal result was validated against `handoff.returnSchemaRef` (true only when `liveRuntime.structuredOutput` is advertised and a `returnSchemaRef` exists)." },
+        "confidence":      { "type": "number", "minimum": 0, "maximum": 1, "description": "MAY — the terminal `agent.decided` confidence, mirrored for convenience. Content-free scalar." },
+        "enqueuedRunId":   { "type": "string", "minLength": 1, "description": "MAY — id of a follow-on run the invocation enqueued (e.g. a sub-run), when applicable." }
+      },
+      "additionalProperties": true
+    },
+
     "workspaceUpdated": {
       "description": "RFC 0059. Emitted by a host advertising `capabilities.workspace.supported: true` on each successful `PUT`/`DELETE` of a workspace file, attributing the change to the file `path` + resulting `version`. Content-free: carries the path + version only — the file body is served by the read-side (`GET /v1/host/workspace/files/{path}`), already SR-1-redacted (RFC 0059 §E WSR-1). On replay the event is re-read from the log, never regenerated. MUST NOT be emitted unless `capabilities.workspace.supported: true`. The proposed SECURITY invariant `workspace-cross-tenant-isolation` (WCT-1) applies to the read-side that resolves these paths.",
       "type": "object",
@@ -1369,6 +1422,236 @@
         "path":    { "type": "string", "minLength": 1, "description": "Workspace-relative path of the file that changed (matches `workspace-file.schema.json#path`)." },
         "version": { "type": "integer", "minimum": 1, "description": "The file's resulting monotonic version after the write. On delete, the tombstone version when `versioned: true`." }
       }
+    },
+
+    "evalStarted": {
+      "type": "object",
+      "description": "RFC 0081 §C. Emitted ONCE at the start of an eval run (a `mode: \"eval\"` run, RFC 0081 §B) by a host advertising `capabilities.agents.evalSuite.supported: true`. Content-free: suite provenance + counts only. A recorded-fact event per `replay.md` §\"Recorded-fact events\".",
+      "required": ["suiteId", "suiteVersion", "taskCount", "modes"],
+      "properties": {
+        "suiteId":      { "type": "string", "minLength": 1, "description": "The `agent-eval-suite.schema.json#suiteId` being run." },
+        "suiteVersion": { "type": "string", "minLength": 1, "description": "The pinned suite SemVer." },
+        "taskCount":    { "type": "integer", "minimum": 0, "description": "Number of tasks the run will execute." },
+        "modes":        { "type": "array", "uniqueItems": true, "items": { "type": "string", "enum": ["golden", "rubric", "adversarial", "regression", "live-shadow"] }, "description": "The eval modes this run exercises (RFC 0081 §D)." },
+        "baselineRunId": { "type": "string", "minLength": 1, "description": "MAY — for `regression` mode, the prior eval run this run is scored against." }
+      },
+      "additionalProperties": true
+    },
+
+    "evalScored": {
+      "type": "object",
+      "description": "RFC 0081 §C. Emitted ONCE PER TASK, after that task's terminal `agent.decided`, so a streaming consumer sees results land incrementally. Content-free: the task id + scalars + counts ONLY — NEVER the task output, rubric prose, or model completion (SECURITY invariant `eval-summary-no-content-leak`). A recorded-fact event.",
+      "required": ["taskId", "score", "passed"],
+      "properties": {
+        "taskId":            { "type": "string", "minLength": 1, "description": "The `agent-eval-suite` task id." },
+        "score":             { "type": "number", "minimum": 0, "maximum": 1, "description": "Task score (0.0–1.0)." },
+        "passed":            { "type": "boolean", "description": "Whether the task met its bar." },
+        "costUsd":           { "type": "number", "minimum": 0, "description": "MAY — task cost (scalar; summed from RFC 0026 `provider.usage`). NEVER a pricing breakdown." },
+        "latencyMs":         { "type": "integer", "minimum": 0, "description": "MAY — task wall-clock latency." },
+        "schemaValid":       { "type": "boolean", "description": "MAY — whether the output validated against `handoff.returnSchemaRef`." },
+        "safetyFindingCount": { "type": "integer", "minimum": 0, "description": "MAY — count of safety findings for the task (the redaction-safe descriptors live on `EvalSummary`; the event carries the count only)." }
+      },
+      "additionalProperties": true
+    },
+
+    "evalCompleted": {
+      "type": "object",
+      "description": "RFC 0081 §C. Emitted ONCE, after all tasks and before `run.completed`. Content-free: aggregate scalars only. A recorded-fact event. The full scorecard is the run's output (`eval-summary.schema.json`), served by `GET /v1/runs/{runId}/eval-summary`.",
+      "required": ["aggregateScore", "passed", "taskCount", "passedCount"],
+      "properties": {
+        "aggregateScore":        { "type": "number", "minimum": 0, "maximum": 1, "description": "The suite-level score (0.0–1.0)." },
+        "passed":                { "type": "boolean", "description": "Whether the run cleared the suite thresholds — the flag an RFC 0082 deployment gate MAY require." },
+        "taskCount":             { "type": "integer", "minimum": 0, "description": "Tasks executed." },
+        "passedCount":           { "type": "integer", "minimum": 0, "description": "Tasks that individually passed." },
+        "regressionVsBaseline":  { "type": "number", "minimum": -1, "maximum": 1, "description": "MAY — for `regression` mode, `aggregateScore` minus the baseline's (negative ⇒ regression)." }
+      },
+      "additionalProperties": true
+    },
+    "toolSessionOpened": {
+      "type": "object",
+      "description": "RFC 0078 §D. Emitted when the host opens a multi-step tool session, bracketing one or more RFC 0064 `agent.toolCalled`/`agent.toolReturned` call events. Content-free: identifiers only — never tool arguments, results, or credential material (SR-1). Emitted only when `capabilities.toolCatalog.sessionLifecycle: true`.",
+      "required": ["sessionId", "toolId"],
+      "properties": {
+        "sessionId": { "type": "string", "minLength": 1, "description": "Host-unique id correlating the opened/closed pair + the bracketed call events." },
+        "toolId":    { "type": "string", "minLength": 1, "description": "The `ToolDescriptor.toolId` the session is for (`<scope>:<tool-id>`)." }
+      },
+      "additionalProperties": true
+    },
+    "toolSessionClosed": {
+      "type": "object",
+      "description": "RFC 0078 §D. Emitted when the host closes a multi-step tool session opened by `tool.session.opened`. Content-free: identifiers + a closed-enum outcome only — never tool arguments, results, or credential material (SR-1).",
+      "required": ["sessionId", "toolId", "outcome"],
+      "properties": {
+        "sessionId": { "type": "string", "minLength": 1, "description": "Matches the `tool.session.opened` `sessionId`." },
+        "toolId":    { "type": "string", "minLength": 1, "description": "The `ToolDescriptor.toolId` the session was for." },
+        "outcome":   { "type": "string", "enum": ["completed", "failed", "cancelled"], "description": "Terminal disposition of the session. Content-free — no failure detail/result on the payload." }
+      },
+      "additionalProperties": true
+    },
+    "egressDecided": {
+      "type": "object",
+      "description": "RFC 0079 §B. Emitted when a host evaluates a credentialed egress (via `ctx.http.safeFetch` / a tool) against credential provenance + the SSRF guard. Content-free: identifiers + decision only — no credential value, no request/response body (SR-1). On replay re-read from the log, never regenerated (the decision is a recorded fact). Emitted only when `capabilities.httpClient.egressPolicy.supported: true`.",
+      "required": ["decision", "destination"],
+      "properties": {
+        "decision":     { "type": "string", "enum": ["allowed", "denied", "downgraded", "approval-required"], "description": "`allowed`: egress proceeds with the credential; `denied`: blocked (out-of-audience / expired / SSRF / unevaluable provenance — fail-closed); `downgraded`: proceeds WITHOUT the credential (anonymous egress, when host policy permits); `approval-required`: suspended pending an RFC 0051 approval interrupt." },
+        "destination":  { "type": "string", "minLength": 1, "description": "The egress destination **host/authority ONLY** (`api.stripe.com`) — NOT a path, query, or full URL (SR-1: a path/query can carry secrets; the host MUST strip them for this canonical content-free event). A host whose internal audit retains the path keeps that on its vendor `x-host-*` variant, never here." },
+        "credentialId": { "type": "string", "minLength": 1, "description": "MAY — the provenance `credentialId` considered (absent for an anonymous / denied-pre-credential egress)." },
+        "reason":       { "type": "string", "enum": ["ok", "out-of-audience", "expired", "ssrf-blocked", "provenance-unevaluable", "scope-denied", "policy-denied"], "description": "MAY — a machine-stable reason code (a CLOSED enum — a free-form reason is a leak vector that would let a host spill the blocked URL/host/header into it, defeating `egress-decision-no-secret-leak`). The load-bearing field is `decision`." },
+        "auditCorrelationId": { "type": "string", "minLength": 1, "description": "MAY — correlates to the provenance descriptor + host audit log." }
+      },
+      "additionalProperties": true
+    },
+    "triggerSubscriptionStateChanged": {
+      "type": "object",
+      "description": "RFC 0083 §C. Emitted when a trigger subscription changes state (the §B four-state machine). Content-free: identifiers + states only — no inbound payload, headers, or credential material (SR-1). Emitted only when `capabilities.triggerBridge.supported: true`.",
+      "required": ["subscriptionId", "source", "fromState", "toState"],
+      "properties": {
+        "subscriptionId": { "type": "string", "minLength": 1, "description": "The TriggerSubscription this state change is for." },
+        "source":         { "type": "string", "enum": ["webhook", "schedule", "queue", "email", "form"], "description": "The subscription source." },
+        "fromState":      { "type": "string", "enum": ["active", "paused", "failed", "dead-lettered"], "description": "Prior state." },
+        "toState":        { "type": "string", "enum": ["active", "paused", "failed", "dead-lettered"], "description": "New state." },
+        "reason":         { "type": "string", "enum": ["retry-exhausted", "operator-paused", "signature-invalid", "backpressure", "source-removed", "provenance-unevaluable"], "description": "MAY — a machine-stable reason code (a CLOSED enum — a free-form reason is a leak vector that would let a host spill an inbound URL/host/header into it). The load-bearing field is `toState`." }
+      },
+      "additionalProperties": true
+    },
+    "triggerDeliveryAttempted": {
+      "type": "object",
+      "description": "RFC 0083 §C. Emitted on each inbound-delivery attempt against an active subscription. Content-free: the subscription id, the dedup key, the attempt counter, the outcome, and the resulting runId only — NEVER the inbound body, headers, or credential material (SR-1).",
+      "required": ["subscriptionId", "dedupKey", "attempt", "outcome"],
+      "properties": {
+        "subscriptionId": { "type": "string", "minLength": 1, "description": "The TriggerSubscription the delivery is for." },
+        "dedupKey":       { "type": "string", "minLength": 1, "description": "The de-duplication key (§C-1). MUST be a **host-opaque** stable key (e.g. `hash(subscriptionId + inbound-event-id)`); it MUST NOT embed inbound body / path / header content in cleartext (SR-1 — a key like `POST /webhook/orders/12345?token=…` would leak). A repeat within retention is a no-op returning the prior runId." },
+        "attempt":        { "type": "integer", "minimum": 1, "description": "1-based attempt counter." },
+        "outcome":        { "type": "string", "enum": ["delivered", "retrying", "dead-lettered"], "description": "`delivered`: the run started; `retrying`: failed, will retry per policy; `dead-lettered`: retries exhausted, routed to the RFC 0053 sink (no run)." },
+        "runId":          { "type": "string", "minLength": 1, "description": "MAY — the run started by a `delivered` outcome (the run's `run.started` carries this delivery's id as `causationId`, RFC 0040). Absent for `retrying` / `dead-lettered`." }
+      },
+      "additionalProperties": true
+    },
+    "budgetReserved": {
+      "type": "object",
+      "description": "RFC 0084 §C. Emitted once at run start with the resolved effective budget (`min` across run/workflow/agent/project scopes, clamped to the host ceiling). A recorded fact — replay re-reads it, never re-resolves (§B). Content-free: dimension ceilings + scope only, no pricing breakdown (SR-1, `budget-no-pricing-leak`).",
+      "required": ["effectiveBudget", "scope"],
+      "properties": {
+        "effectiveBudget": {
+          "type": "object",
+          "additionalProperties": false,
+          "description": "The resolved per-dimension ceilings (a subset of the BudgetPolicy dimensions).",
+          "properties": {
+            "maxTokens": { "type": "integer", "minimum": 0 },
+            "maxCostUsd": { "type": "number", "minimum": 0 },
+            "maxToolCalls": { "type": "integer", "minimum": 0 },
+            "maxRetries": { "type": "integer", "minimum": 0 }
+          }
+        },
+        "scope": { "type": "string", "enum": ["run", "workflow", "agent", "project"], "description": "The binding scope the effective budget resolved from (§B)." }
+      },
+      "additionalProperties": false
+    },
+    "budgetConsumed": {
+      "type": "object",
+      "description": "RFC 0084 §C. A running projection of spend, derived from the existing events (`provider.usage` tokens/cost, `agent.toolCalled`, `node.retried`) — NOT a new measurement (no double-counting). The host MAY coalesce. Content-free: dimension name + integers only, no pricing breakdown / rate card (SR-1).",
+      "required": ["dimension", "consumed", "limit"],
+      "properties": {
+        "dimension": { "type": "string", "enum": ["tokens", "cost", "toolCalls", "retries"], "description": "Which budget dimension this projection is for." },
+        "consumed":  { "type": "number", "minimum": 0, "description": "Amount consumed so far (tokens/calls/retries are integers; cost is a number in the host's `costEstimateUsd` units)." },
+        "limit":     { "type": "number", "minimum": 0, "description": "The effective ceiling for the dimension." },
+        "remaining": { "type": "number", "description": "MAY — `limit - consumed`." }
+      },
+      "additionalProperties": false
+    },
+    "budgetThresholdCrossed": {
+      "type": "object",
+      "description": "RFC 0084 §C. Emitted once per dimension when consumption crosses `thresholdPercent`. Content-free.",
+      "required": ["dimension", "consumed", "limit", "percent"],
+      "properties": {
+        "dimension": { "type": "string", "enum": ["tokens", "cost", "toolCalls", "retries"] },
+        "consumed":  { "type": "number", "minimum": 0 },
+        "limit":     { "type": "number", "minimum": 0 },
+        "percent":   { "type": "number", "minimum": 0, "maximum": 100, "description": "The percent-of-limit threshold crossed." }
+      },
+      "additionalProperties": false
+    },
+    "budgetExhausted": {
+      "type": "object",
+      "description": "RFC 0084 §C. Emitted when a dimension hits its limit. For a hard dimension this is followed by `cap.breached{kind:\"budget-*\"}` → `run.failed{budget_exhausted}` (or, with `onExhaustion:\"interrupt\"`, an approval interrupt). Content-free.",
+      "required": ["dimension", "consumed", "limit"],
+      "properties": {
+        "dimension": { "type": "string", "enum": ["tokens", "cost", "toolCalls", "retries"] },
+        "consumed":  { "type": "number", "minimum": 0 },
+        "limit":     { "type": "number", "minimum": 0 }
+      },
+      "additionalProperties": false
+    },
+
+    "deploymentPromoted": {
+      "type": "object",
+      "description": "RFC 0082 §D. Emitted on the deployment-management run when a version is promoted into a new lifecycle state (the §E contract: authorized via RFC 0049 `deploy:*`, gated via RFC 0051 `approvalGate`, eval-verified via RFC 0081 when `requiredEval` is configured). Content-free: ids / state / scalars / content-free references only — NEVER a manifest body, prompt, or credential (SECURITY invariant `deployment-event-no-content-leak`; `additionalProperties:false` enforces it). A recorded-fact event per `replay.md` §\"Recorded-fact events\". Audit-logged with the acting principal (`auth.md`).",
+      "additionalProperties": false,
+      "required": ["agentId", "toVersion", "toState"],
+      "properties": {
+        "agentId":        { "type": "string", "minLength": 1, "description": "The promoted agent's id." },
+        "fromVersion":    { "type": "string", "minLength": 1, "description": "MAY — the version previously occupying the target channel/state (absent on a first promotion)." },
+        "toVersion":      { "type": "string", "minLength": 1, "description": "The version promoted." },
+        "toState":        { "type": "string", "enum": ["draft", "test", "staged", "active", "paused", "deprecated", "rolled-back"], "description": "The lifecycle state entered." },
+        "channel":        { "type": "string", "minLength": 1, "description": "MAY — the named channel this promotion targets (when promoting to a channel)." },
+        "canaryPercent":  { "type": "integer", "minimum": 0, "maximum": 100, "description": "MAY — the canary traffic share assigned (when promoting `active` at < 100)." },
+        "evalRunId":      { "type": "string", "minLength": 1, "description": "MAY — the RFC 0081 eval run whose `EvalSummary.passed` gated this promotion (the §E evidence)." },
+        "approvalGateId": { "type": "string", "minLength": 1, "description": "MAY — the RFC 0051 approvalGate that authorized this promotion." }
+      }
+    },
+
+    "deploymentRolledBack": {
+      "type": "object",
+      "description": "RFC 0082 §D. Emitted when an `active` version is rolled back and a prior version restored to `active`. Content-free (`deployment-event-no-content-leak`). Recorded-fact; audit-logged.",
+      "additionalProperties": false,
+      "required": ["agentId", "fromVersion", "toVersion", "rollbackPointer"],
+      "properties": {
+        "agentId":         { "type": "string", "minLength": 1, "description": "The agent's id." },
+        "fromVersion":     { "type": "string", "minLength": 1, "description": "The version that was rolled back (left `active`)." },
+        "toVersion":       { "type": "string", "minLength": 1, "description": "The version restored to `active`." },
+        "rollbackPointer": { "type": "string", "minLength": 1, "description": "The recovery target the rolled-back record points to (= `toVersion`)." },
+        "reason":          { "type": "string", "minLength": 1, "description": "MAY — a short redaction-safe rollback reason label (NOT free-text content; same posture as `run.dead_lettered.reason`)." }
+      }
+    },
+
+    "deploymentCanaryAdjusted": {
+      "type": "object",
+      "description": "RFC 0082 §D. Emitted when an `active` version's canary traffic share changes. Content-free (`deployment-event-no-content-leak`). Recorded-fact; audit-logged.",
+      "additionalProperties": false,
+      "required": ["agentId", "version", "fromPercent", "toPercent"],
+      "properties": {
+        "agentId":     { "type": "string", "minLength": 1, "description": "The agent's id." },
+        "version":     { "type": "string", "minLength": 1, "description": "The version whose canary share changed." },
+        "fromPercent": { "type": "integer", "minimum": 0, "maximum": 100, "description": "The prior canary percent." },
+        "toPercent":   { "type": "integer", "minimum": 0, "maximum": 100, "description": "The new canary percent." }
+      }
+    },
+
+    "deploymentStateChanged": {
+      "type": "object",
+      "description": "RFC 0082 §D. Emitted on any non-promotion lifecycle transition (pause / resume / deprecate). Content-free (`deployment-event-no-content-leak`). Recorded-fact; audit-logged.",
+      "additionalProperties": false,
+      "required": ["agentId", "version", "fromState", "toState"],
+      "properties": {
+        "agentId":   { "type": "string", "minLength": 1, "description": "The agent's id." },
+        "version":   { "type": "string", "minLength": 1, "description": "The version whose state changed." },
+        "fromState": { "type": "string", "enum": ["draft", "test", "staged", "active", "paused", "deprecated", "rolled-back"], "description": "The prior state." },
+        "toState":   { "type": "string", "enum": ["draft", "test", "staged", "active", "paused", "deprecated", "rolled-back"], "description": "The new state." }
+      }
+    },
+    "rosterRunInitiated": {
+      "type": "object",
+      "description": "RFC 0086 §C. Emitted once, immediately after `run.started` and before any agent invocation, when a trigger (RFC 0052 schedule / RFC 0083 durable work item) fires a workflow in a roster member's portfolio — attributing the run to the standing agent. Content-free (`roster-attribution-no-content`): ids + persona + trigger source ONLY — never the work-item body, prompt, or credential material (SR-1). A recorded-fact event (replay.md §'Recorded-fact events'): re-emitted from the log on replay, identifiers never regenerated, so the run stays attributed to the same member even if the entry was since renamed or deleted.",
+      "additionalProperties": false,
+      "required": ["rosterId", "persona", "agentId", "workflowId", "triggerSource"],
+      "properties": {
+        "rosterId":   { "type": "string", "minLength": 1, "description": "The standing agent instance the run is attributed to (a `host:<id>` AgentRef agentId)." },
+        "persona":    { "type": "string", "minLength": 1, "description": "The member's human display name (e.g. \"Sally\")." },
+        "agentId":    { "type": "string", "minLength": 1, "description": "The manifest agentId the member instantiates (`agentRef.agentId`)." },
+        "workflowId": { "type": "string", "minLength": 1, "description": "The portfolio workflow this run executes." },
+        "triggerSource": { "type": "string", "minLength": 1, "description": "What fired the run: an RFC 0083 source (`schedule`/`webhook`/`queue`/`email`/`form`) or a host-extension source name (e.g. a vendor Kanban bridge)." },
+        "triggerSubscriptionId": { "type": "string", "minLength": 1, "description": "MAY. The RFC 0083 trigger-subscription id when the fire came through the durable trigger bridge, so trigger → run → roster is traceable via /ancestry (RFC 0040)." }
+      }
     }
   }
 }

package/schemas/run-event.schema.json

@@ -123,6 +123,25 @@
         "agent.toolReturned",
         "agent.handoff",
         "agent.decided",
+        "agent.invocation.started",
+        "agent.invocation.completed",
+        "eval.started",
+        "eval.scored",
+        "eval.completed",
+        "deployment.promoted",
+        "deployment.rolled-back",
+        "deployment.canary.adjusted",
+        "deployment.state.changed",
+        "roster.run.initiated",
+        "tool.session.opened",
+        "tool.session.closed",
+        "egress.decided",
+        "trigger.subscription.state.changed",
+        "trigger.delivery.attempted",
+        "budget.reserved",
+        "budget.consumed",
+        "budget.threshold.crossed",
+        "budget.exhausted",
         "runOrchestrator.decided",
         "node.dispatched",
         "conversation.opened",

package/schemas/tool-descriptor.schema.json

@@ -0,0 +1,63 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://openwop.dev/spec/v1/tool-descriptor.schema.json",
+  "title": "ToolDescriptor",
+  "description": "RFC 0078. A portable, read-only description of one tool, unifying the five openwop tool surfaces (node-pack / workflow / MCP / connector / host-extension) behind one stable shape. Returned by `GET /v1/tools` + `GET /v1/tools/{toolId}` when the host advertises `capabilities.toolCatalog.supported: true`. The descriptor DESCRIBES a tool; it never carries credential material (SR-1) and is not an invocation path (tools are invoked on their existing surfaces).",
+  "type": "object",
+  "additionalProperties": false,
+  "required": ["toolId", "source", "safetyTier"],
+  "properties": {
+    "toolId": {
+      "type": "string",
+      "minLength": 1,
+      "description": "Stable, host-unique tool identifier in the `<scope>:<tool-id>` form RFC 0077 `toolAllowlist` references (`openwop:` core, `mcp:` MCP-namespaced, `connector:` connector, `<vendor>.<host>` / `x-host-<vendor>-*` host-extension). The keyspace SPANS sources so a single allowlist entry resolves to exactly one descriptor; the `<scope>` prefix disambiguates by construction (RFC 0078 §UQ1). MUST be stable across catalog reads for a given host version so an agent's `toolAllowlist` keeps resolving."
+    },
+    "source": {
+      "type": "string",
+      "enum": ["node-pack", "workflow", "mcp", "connector", "host-extension"],
+      "description": "Which surface backs the tool. `node-pack`: a pack typeId (RFC 0003); `workflow`: a workflow-as-tool (`core.subWorkflow` / RFC 0013); `mcp`: an MCP server tool (`host.mcp`); `connector`: an RFC 0045 connector action; `host-extension`: an `x-host-<vendor>-*` scope (RFC 0069)."
+    },
+    "title": { "type": "string", "description": "MAY — human-readable name for UI." },
+    "description": { "type": "string", "description": "MAY — one-line summary for a tool picker." },
+    "inputSchema": { "type": "object", "description": "MAY — JSON Schema (2020-12) for the tool's arguments. Absent ⇒ opaque/host-interpreted args. RECOMMENDED (not required) to be the RFC 0030 Tier-1 universal subset for tools that feed an LLM tool-call (RFC 0078 §UQ2)." },
+    "outputSchema": { "type": "object", "description": "MAY — JSON Schema for the tool's result." },
+    "auth": {
+      "type": "object",
+      "additionalProperties": false,
+      "description": "MAY — what the caller must supply/hold to invoke. Composes RFC 0049 (scopes) + RFC 0046 (credentials).",
+      "properties": {
+        "scopes": { "type": "array", "items": { "type": "string" }, "uniqueItems": true, "description": "RFC 0049 scopes the principal MUST hold; per-tool authorization fails closed (RFC 0064 §C)." },
+        "credentialRef": { "type": "boolean", "description": "true ⇒ the tool needs a host-stored credential reference (RFC 0046); the catalog NEVER carries credential material (SR-1)." }
+      }
+    },
+    "egress": {
+      "type": "string",
+      "enum": ["none", "safe-fetch", "host-mediated", "host-owned"],
+      "description": "MAY — outbound-network posture. `none`: no egress; `safe-fetch`: via the host's RFC 0076 §B `ctx.http.safeFetch` (SSRF-guarded); `host-mediated`: host-proxied non-safeFetch; `host-owned`: the host owns the egress story (e.g. a host-extension)."
+    },
+    "approval": {
+      "type": "string",
+      "enum": ["never", "conditional", "always"],
+      "description": "MAY — whether invocation requires an RFC 0051 approval interrupt. `conditional` ⇒ host-policy (e.g. over a cost/scope threshold)."
+    },
+    "replayPolicy": {
+      "type": "string",
+      "enum": ["deterministic", "idempotent", "non-deterministic"],
+      "description": "MAY — replay posture (`replay.md`). `deterministic`: pure/replay-safe; `idempotent`: safe under the Layer-2 idempotency key (`idempotency.md`); `non-deterministic`: the host MUST cache the observable result (RFC 0041 §C) so replay reproduces the sequence."
+    },
+    "safetyTier": {
+      "type": "string",
+      "enum": ["pure", "read", "write", "exec"],
+      "description": "REQUIRED. The tool's DATA-EFFECT classification: `pure`: no external side effects; `read`: reads external state; `write`: mutates external state; `exec`: arbitrary-command/`exec`-class — per RFC 0069 this MUST have `source: \"host-extension\"` (exec is never protocol-tier). A consumer uses this to gate/warn. The host MUST ASSIGN `safetyTier` explicitly as per-tool metadata; it is NOT derivable from a permission / approval / risk tier — those are an ORTHOGONAL authorization axis (a read-only tool can be high-approval/restricted while being `safetyTier:\"read\"`). A host that mechanically maps its risk tier onto `safetyTier` mis-advertises."
+    },
+    "costHint": { "type": "string", "enum": ["low", "medium", "high"], "description": "MAY — advisory cost magnitude for planning UX. Non-normative." },
+    "latencyHint": { "type": "string", "enum": ["low", "medium", "high"], "description": "MAY — advisory latency magnitude. Non-normative." }
+  },
+  "allOf": [
+    {
+      "$comment": "RFC 0078 §C-1 / §F-4: an exec-tier tool MUST be host-extension-sourced (RFC 0069 — exec is never protocol-tier).",
+      "if": { "properties": { "safetyTier": { "const": "exec" } }, "required": ["safetyTier"] },
+      "then": { "properties": { "source": { "const": "host-extension" } }, "required": ["source"] }
+    }
+  ]
+}