@openwop/openwop-conformance 1.20.0 → 1.23.0

package/schemas/agent-manifest.schema.json

@@ -51,6 +51,12 @@
       "items": { "type": "string", "minLength": 1 },
       "description": "Tool identifiers the agent MAY invoke. Format: `<scope>:<tool-id>` where scope is `openwop:` (Core/protocol tools), `mcp:` (MCP-namespaced tools), or `<vendor>.<host>` for host-extension tools. Hosts MUST enforce this allowlist when dispatching the agent (see RFC 0002 §A14 mapping for the reference-impl `ToolPermissionService.filterTools(harnessRole)` derivation pattern). Hosts MAY treat absence as `[]` (no tools) or as `*` (host-default tool surface) — that policy is host-configured."
     },
+    "requiresCapabilities": {
+      "type": "array",
+      "uniqueItems": true,
+      "items": { "type": "string", "minLength": 1 },
+      "description": "RFC 0092. Host-capability keys this agent needs to run fully — the agent-layer analogue of a node-pack's `peerDependencies`. Dotted identifiers from the discovery vocabulary (`capabilities.md` / `host-capabilities.md`), e.g. `host.workspace`, `aiProviders.toolCalling`, `multiAgent.executionModel.verifier`. A host that does NOT advertise a listed key MUST surface this agent as degraded on `GET /v1/agents` via the existing `degraded[]` inventory field (RFC 0072 §C); it MAY still dispatch at the RFC 0070 floor, but a silent satisfied-looking entry is non-conformant. Advisory about NEED only — never widens the agent's authority. Absent ⇒ no declared requirements."
+    },
     "memoryShape": {
       "type": "object",
       "description": "Declares which memory backends the agent reads/writes. Hosts that advertise `capabilities.agents.memoryBackends` MAY filter manifests during install based on these flags. The full memory-shape contract lands in RFC 0004 (Phase 3); RFC 0003 only declares the descriptor field and reserves `longTerm: true` as the redaction-harness trigger.",

package/schemas/capabilities.schema.json

@@ -64,6 +64,11 @@
           "type": "number",
           "minimum": 0,
           "description": "RFC 0084. Engine-side cost ceiling clamping `RunOptions.configurable.budget.maxCostUsd`. Optional; only meaningful with `capabilities.budget`."
+        },
+        "maxRequestBodyBytes": {
+          "type": "integer",
+          "minimum": 1,
+          "description": "RFC 0094 §H. Maximum REST request body size (bytes) the host accepts. Optional v1 field per `capabilities.md` §3 (previously documented as reserved — the closed `limits` object made advertising it a schema-validation failure). Hosts that advertise it MUST enforce it."
         }
       },
       "additionalProperties": false,
@@ -279,6 +284,34 @@
       "items": { "type": "string", "enum": ["rest", "mcp", "a2a", "grpc"] },
       "description": "Optional v1 transport advertisement. REST is required whether or not this field is present."
     },
+    "grpc": {
+      "type": "object",
+      "description": "RFC 0094 §H. gRPC transport advertisement per `grpc-transport.md` §\"Capability advertisement\". Optional — absent ⇒ the host exposes no gRPC transport. A host that exposes the gRPC surface advertises this block AND includes `\"grpc\"` in `supportedTransports`. REST + SSE remain exposed regardless.",
+      "required": ["supported", "service", "tls"],
+      "properties": {
+        "supported": {
+          "type": "boolean",
+          "description": "Toggle — `true` when the gRPC surface is live."
+        },
+        "endpoint": {
+          "type": "string",
+          "minLength": 1,
+          "pattern": "^grpcs?://",
+          "description": "Full URI: `grpc://` (cleartext, intra-trusted-network only) OR `grpcs://` (TLS). Hosts SHOULD require TLS in production."
+        },
+        "service": {
+          "type": "string",
+          "const": "openwop.v1.Engine",
+          "description": "Canonical service name. v1 hosts MUST use `openwop.v1.Engine` per `grpc-transport.md` §\"Field semantics\"."
+        },
+        "tls": {
+          "type": "string",
+          "enum": ["required", "optional", "disabled"],
+          "description": "TLS posture. Production hosts MUST set `\"required\"`."
+        }
+      },
+      "additionalProperties": false
+    },
     "configurable": {
       "type": "object",
       "description": "Optional v1 per-run overlay schema — what `RunOptions.configurable` keys this server honors."
@@ -403,6 +436,22 @@
       },
       "additionalProperties": false
     },
+    "connections": {
+      "type": "object",
+      "description": "RFC 0095 (`Draft`). Connection packs — portable, registry-distributable provider definitions (`kind: \"connection\"`, `connection-pack-manifest.schema.json`) that the RFC 0045/0047 `provider` string resolves against. Only useful alongside `oauth.supported` (RFC 0047) or `credentials.supported` (RFC 0046); a host SHOULD NOT advertise this block without at least one of those.",
+      "required": ["packsSupported"],
+      "properties": {
+        "supported": {
+          "type": "boolean",
+          "description": "OPTIONAL convenience flag mirroring the other capability families. RFC 0095 keys behavior on `packsSupported`; hosts MAY also advertise `supported` for family-shape uniformity."
+        },
+        "packsSupported": {
+          "type": "boolean",
+          "description": "RFC 0095 §C. When `true`, the host installs `kind: \"connection\"` registry packs and MUST implement the §B.6 resolution contract: an RFC 0045 connector's `auth.provider` (or an RFC 0047 `host.oauth` provider string) resolves against the installed connection pack whose `provider.id` matches, with installed-vs-built-in precedence per SemVer §11 and `connection_provider_unresolved` / `connection_provider_conflict` diagnostics. When `false` or absent, connection packs are not loaded and provider resolution stays implementation-defined."
+        }
+      },
+      "additionalProperties": false
+    },
     "credentials": {
       "type": "object",
       "description": "RFC 0046 (`Draft`). Portable credential resolution + lifecycle contract — sibling to `secrets`, first-class store-at-rest + workspace sharing + two-key-overlap rotation. A pack references a credential by `{ ref, scope }` (see `credential-reference.schema.json`); the host resolves it into the node sandbox ONLY — never into inputs, persisted variables, channels, any run.* event payload, the debug bundle, or replay state (SECURITY invariant `credential-payload-redaction`). Supersedes the informal BYOK annex; the `secrets` advertisement stays valid.",
@@ -553,8 +602,18 @@
             "version": {
               "type": "integer",
               "minimum": 1,
-              "maximum": 5,
-              "description": "Profile version. 1 = Phase 1 (execution-loop framework + planner→worker handoff). 2 = Phase 2 (confidence-floor escalation + agent-memory lifecycle, RFC 0039). 3 = Phase 3 (cross-host causation, RFC 0040). 4 = Phase 4 (replay determinism under nondeterministic models, RFC 0041). 5 = Phase 5 (stateful agent-loop lifecycle — per-iteration workspace+memory snapshot inputs, the observable `iteration` counter on `runOrchestrator.decided`, and stateful HITL resume, RFC 0061). A host advertising `version: N` MUST implement all phases 1..N additively."
+              "maximum": 6,
+              "description": "Profile version. 1 = Phase 1 (execution-loop framework + planner→worker handoff). 2 = Phase 2 (confidence-floor escalation + agent-memory lifecycle, RFC 0039). 3 = Phase 3 (cross-host causation, RFC 0040). 4 = Phase 4 (replay determinism under nondeterministic models, RFC 0041). 5 = Phase 5 (stateful agent-loop lifecycle — per-iteration workspace+memory snapshot inputs, the observable `iteration` counter on `runOrchestrator.decided`, and stateful HITL resume, RFC 0061). 6 = Phase 6 (verifier/critic turn — the `agent.verified` event + `successCriteria` on the `terminate` decision, RFC 0090). A host advertising `version: N` MUST implement all phases 1..N additively."
+            },
+            "verifier": {
+              "type": "object",
+              "additionalProperties": false,
+              "required": ["supported"],
+              "description": "RFC 0090 (`version >= 6`). The verifier/critic turn: the host emits `agent.verified` over a prior result and (optionally) gates commit on the verdict. Absent ⇒ no verifier turn; conformance scenarios soft-skip.",
+              "properties": {
+                "supported": { "type": "boolean", "description": "Host emits `agent.verified` and honors RFC 0090 §A. Applies only when `version >= 6`." },
+                "gating": { "type": "boolean", "description": "Host enforces the RFC 0090 §B commit-gating contract: a `fail` verdict blocks merge/terminate (fail-closed, composing RFC 0063); `revise` routes back to an actor turn. Absent/false ⇒ the verdict is observability-only." }
+              }
             },
             "confidenceEscalationFloor": {
               "type": "number",
@@ -686,6 +745,20 @@
           "uniqueItems": true,
           "description": "Subset of `supported` for which BYOK is permitted. Empty array → all calls use platform-managed keys; non-empty → clients MAY pass `ai.credentialRef` in `RunOptions.configurable` for matching providers."
         },
+        "input": {
+          "type": "object",
+          "additionalProperties": false,
+          "description": "RFC 0091. Multimodal PERCEPTION input on `ctx.callAI` — the modalities a `callAI` message ContentPart may carry as model INPUT. Absent ⇒ text-only (today's behavior); a `string` message content is always valid. Distinct from `imageGeneration` (output) and the `ai-envelope.md` media emission types (output).",
+          "properties": {
+            "modalities": {
+              "type": "array",
+              "uniqueItems": true,
+              "items": { "type": "string", "enum": ["text", "image", "audio", "document"] },
+              "description": "Input modalities the host's `callAI` accepts as ContentParts. `text` is implicit even when omitted. A ContentPart whose `type` is not advertised here MUST be rejected with `unsupported_modality` (never silently dropped)."
+            },
+            "maxBytesPerPart": { "type": "integer", "minimum": 1, "description": "Optional host cap on a single inline (`data`) or `mediaRef` part." }
+          }
+        },
         "authModes": {
           "type": "object",
           "description": "RFC 0067 (`Draft`). Optional per-provider advertisement of HOW the host expects a provider's credential to be supplied. Keys are provider ids appearing in `supported`; values are the auth modes the host honors for that provider. Absent ⇒ no advertisement: a provider in `byok` defaults to `apiKey` semantics (client passes `ai.credentialRef`); a provider in `supported` but not in `byok` defaults to `none` (platform-managed). This map only DESCRIBES the supply mechanism — `oauth-pkce`/`oauth-device` flow mechanics compose RFC 0047 `host.oauth` and resolve credentials by `ref` (RFC 0046), never on `ai.credentialRef`. A provider with `apiKey` MUST appear in `byok`; a provider whose modes are exactly `[\"none\"]` MUST NOT appear in `byok`. Consumers MUST ignore an auth mode they don't recognize rather than reject the discovery doc.",

package/schemas/connection-pack-manifest.schema.json

@@ -0,0 +1,161 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://openwop.dev/spec/v1/connection-pack-manifest.schema.json",
+  "title": "ConnectionPackManifest",
+  "description": "RFC 0095. Manifest for a published OpenWOP connection pack — `pack.json` at the pack root with `kind: \"connection\"`. Peer to and disjoint from `node-pack-manifest.schema.json` (RFC 0003), `prompt-pack-manifest.schema.json` (RFC 0028), and `workflow-chain-pack-manifest.schema.json` (RFC 0013) via the `kind` discriminator. A connection pack is a portable PROVIDER definition — the authorize/token/revoke endpoints, the read/write OAuth scope catalog, and how the integration is reached (an MCP server, an OpenAPI surface, or a core integration node). It carries NO secret: the OAuth client credential is a host concern (RFC 0047), supplied out of band. When installed, it makes an RFC 0045 connector's `auth.provider` / an RFC 0047 `host.oauth` provider string resolve against `provider.id` instead of host-locked code. See `spec/v1/connection-packs.md`.",
+  "type": "object",
+  "required": ["name", "version", "kind", "engines", "provider"],
+  "additionalProperties": false,
+  "properties": {
+    "name": {
+      "type": "string",
+      "description": "Reverse-DNS pack name per `node-packs.md` §Naming. Reserved scopes are identical (`core.*` / `vendor.<org>.*` / `community.<author>.*` / `private.<host>.*`). Mirror of `prompt-pack-manifest.schema.json#/properties/name`.",
+      "pattern": "^(core|vendor|community|private)\\.[a-z][a-z0-9_-]*(\\.[a-z][a-zA-Z0-9_-]*)+$",
+      "minLength": 1,
+      "maxLength": 256
+    },
+    "version": {
+      "type": "string",
+      "description": "Pack-level SemVer 2.0.0.",
+      "pattern": "^\\d+\\.\\d+\\.\\d+(?:-[0-9A-Za-z.-]+)?(?:\\+[0-9A-Za-z.-]+)?$"
+    },
+    "kind": {
+      "type": "string",
+      "const": "connection",
+      "description": "Pack kind discriminator. MUST be the literal string `\"connection\"` for this schema."
+    },
+    "description": { "type": "string", "maxLength": 1024 },
+    "author": { "type": "string" },
+    "license": { "type": "string", "description": "SPDX license identifier (e.g., `Apache-2.0`)." },
+    "homepage": { "type": "string", "format": "uri" },
+    "repository": { "type": "string", "format": "uri" },
+    "keywords": {
+      "type": "array",
+      "items": { "type": "string", "maxLength": 64 },
+      "maxItems": 50
+    },
+    "engines": {
+      "type": "object",
+      "required": ["openwop"],
+      "additionalProperties": false,
+      "properties": {
+        "openwop": { "type": "string", "description": "SemVer range of the openwop spec version this pack targets." }
+      }
+    },
+    "provider": {
+      "type": "object",
+      "description": "The portable provider definition. Exactly one per connection pack.",
+      "required": ["id", "displayName", "category", "auth", "reach"],
+      "additionalProperties": false,
+      "properties": {
+        "id": {
+          "type": "string",
+          "pattern": "^[a-z][a-z0-9-]*$",
+          "description": "Stable provider id an RFC 0045/0047 `provider` string resolves to, e.g. `github`."
+        },
+        "displayName": { "type": "string", "minLength": 1 },
+        "category": {
+          "type": "string",
+          "enum": ["communication", "docs", "crm", "dev", "storage", "email-calendar", "ticketing", "data-warehouse", "marketing", "finance", "hr", "esignature", "support", "project-management", "payments", "other"]
+        },
+        "auth": {
+          "type": "object",
+          "required": ["kind"],
+          "additionalProperties": false,
+          "properties": {
+            "kind": { "type": "string", "enum": ["oauth2", "api_key", "bearer", "basic"] },
+            "authFlow": { "type": "string", "enum": ["pkce", "client_credentials", "manual", "none"] },
+            "scopeModel": {
+              "type": "string",
+              "enum": ["groups", "coarse", "capabilities"],
+              "default": "groups",
+              "description": "`groups` = read/write scope groups (Google/Jira/Graph). `coarse` = a single read-vs-write toggle (Stripe Connect read_only/read_write). `capabilities` = consent is a static developer-portal capability set, not per-request scopes (Notion)."
+            },
+            "endpoints": {
+              "type": "object",
+              "additionalProperties": false,
+              "description": "Fixed, manifest-declared https endpoints (RFC 0095 §B.3). Never derived from runtime user input — not an SSRF surface.",
+              "properties": {
+                "authorize": { "type": "string", "format": "uri", "pattern": "^https://" },
+                "token": { "type": "string", "format": "uri", "pattern": "^https://" },
+                "revoke": { "type": "string", "format": "uri", "pattern": "^https://" }
+              }
+            },
+            "scopes": {
+              "type": "object",
+              "additionalProperties": false,
+              "description": "Read/write scope groups. `write` is requested as a SEPARATE re-consent step (RFC 0095 §B.4).",
+              "properties": {
+                "read": { "type": "array", "items": { "$ref": "#/$defs/ScopeGroup" } },
+                "write": { "type": "array", "items": { "$ref": "#/$defs/ScopeGroup" } }
+              }
+            },
+            "instanceUrlTemplate": {
+              "type": "string",
+              "description": "For per-account-host providers (Snowflake/NetSuite/ServiceNow): a template the host fills per connection, e.g. `https://{account}.snowflakecomputing.com`. Its presence signals the provider cannot use a single global OAuth app."
+            }
+          }
+        },
+        "reach": {
+          "type": "object",
+          "minProperties": 1,
+          "maxProperties": 1,
+          "additionalProperties": false,
+          "description": "Exactly ONE of mcp | openapi | integration — which core node injects the resolved credential (RFC 0095 §B.5).",
+          "properties": {
+            "mcp": {
+              "type": "object",
+              "required": ["server"],
+              "additionalProperties": false,
+              "properties": {
+                "server": {
+                  "type": "object",
+                  "required": ["url", "transport"],
+                  "additionalProperties": false,
+                  "properties": {
+                    "url": { "type": "string", "format": "uri", "pattern": "^https://" },
+                    "transport": { "type": "string", "enum": ["http", "sse"] }
+                  }
+                }
+              }
+            },
+            "openapi": {
+              "type": "object",
+              "required": ["ref"],
+              "additionalProperties": false,
+              "properties": {
+                "ref": { "type": "string", "description": "URL or in-pack path of the OpenAPI document for core.openwop.http.openapi-call." }
+              }
+            },
+            "integration": {
+              "type": "object",
+              "required": ["node"],
+              "additionalProperties": false,
+              "properties": {
+                "node": { "type": "string", "description": "A core.openwop.integration.* node typeId." }
+              }
+            }
+          }
+        },
+        "consumerNodes": {
+          "type": "array",
+          "items": { "type": "string" },
+          "description": "The core node typeIds that consume this provider's credential (e.g. core.openwop.mcp.invoke-tool)."
+        },
+        "docsUrl": { "type": "string", "format": "uri" }
+      }
+    }
+  },
+  "$defs": {
+    "ScopeGroup": {
+      "type": "object",
+      "required": ["key", "label", "scopes"],
+      "additionalProperties": false,
+      "properties": {
+        "key": { "type": "string", "pattern": "^[a-z][a-z0-9._-]*$" },
+        "label": { "type": "string", "minLength": 1 },
+        "scopes": { "type": "array", "items": { "type": "string" }, "description": "The provider's raw scope strings, e.g. `https://www.googleapis.com/auth/drive.readonly`." }
+      }
+    }
+  }
+}

package/schemas/orchestrator-decision.schema.json

@@ -64,6 +64,19 @@
           "minimum": 0,
           "maximum": 1,
           "description": "RFC 0039 §A — supervisor's stated confidence in this termination decision, in [0, 1]. Optional; absent means 'no opinion stated' (NOT low confidence). Hosts advertising `capabilities.multiAgent.executionModel.version >= 2` MUST honor a confidence floor as documented on NextWorkerDecision.confidence above; the same MUST applies to TerminateDecision because a confidently-wrong terminate is the same class of failure as a confidently-wrong dispatch."
+        },
+        "successCriteria": {
+          "type": "array",
+          "description": "RFC 0090 (`multiAgent.executionModel.version >= 6`). Optional structured convergence record — the conditions the supervisor judged when terminating. Content-free: criterion keys + booleans only, never result content. When present, a terminate with any `met: false` entry signals a give-up (NOT goal-satisfied); consumers MUST NOT treat such a run as a success. Absent ⇒ today's free-text `reason` semantics, unchanged.",
+          "items": {
+            "type": "object",
+            "additionalProperties": false,
+            "required": ["key", "met"],
+            "properties": {
+              "key": { "type": "string", "minLength": 1, "description": "Criterion identifier (e.g. `goal-answered`)." },
+              "met": { "type": "boolean", "description": "Whether the supervisor judged this criterion satisfied." }
+            }
+          }
         }
       },
       "additionalProperties": false

package/schemas/run-event-payloads.schema.json

@@ -2,7 +2,7 @@
   "$schema": "https://json-schema.org/draft/2020-12/schema",
   "$id": "https://openwop.dev/spec/v1/run-event-payloads.schema.json",
   "title": "RunEventPayloads",
-  "description": "Per-RunEventType payload schemas. The base RunEventDoc shape (run-event.schema.json) leaves `payload` permissive for forward-compat. This schema defines the canonical payload contract for each known RunEventType. Consumers MAY pin strict payload validation via `$defs.<typeId>` and `ajv.validate(schema.$defs[event.type], event.payload)`. Unknown event types MUST be tolerated (no $defs match → fold best-effort).\n\n94 variants from `run-event.schema.json#$defs.RunEventType` are covered, grouped into ~20 shape families with shared $defs. Naming convention: camelCase keys mirror dotted RunEventType names (e.g., `run.started` → `runStarted`).",
+  "description": "Per-RunEventType payload schemas. The base RunEventDoc shape (run-event.schema.json) leaves `payload` permissive for forward-compat. This schema defines the canonical payload contract for each known RunEventType. Consumers MAY pin strict payload validation via `$defs.<typeId>` and `ajv.validate(schema.$defs[event.type], event.payload)`. Unknown event types MUST be tolerated (no $defs match → fold best-effort).\n\n95 variants from `run-event.schema.json#$defs.RunEventType` are covered, grouped into ~20 shape families with shared $defs. Naming convention: camelCase keys mirror dotted RunEventType names (e.g., `run.started` → `runStarted`).",
   "type": "object",
   "$defs": {
     "_typeIndex": {
@@ -70,6 +70,7 @@
         "agent.toolReturned":        { "$ref": "#/$defs/agentToolReturned" },
         "agent.handoff":             { "$ref": "#/$defs/agentHandoff" },
         "agent.decided":             { "$ref": "#/$defs/agentDecided" },
+        "agent.verified":            { "$ref": "#/$defs/agentVerified" },
         "runOrchestrator.decided":   { "$ref": "#/$defs/runOrchestratorDecided" },
         "node.dispatched":           { "$ref": "#/$defs/nodeDispatched" },
         "conversation.opened":       { "$ref": "#/$defs/conversationOpened" },
@@ -422,7 +423,7 @@
       "properties": {
         "nodeId":      { "type": "string", "minLength": 1 },
         "interruptId": { "type": "string", "minLength": 1 },
-        "kind":        { "type": "string", "enum": ["approval", "clarification", "external-event", "custom"] },
+        "kind":        { "type": "string", "enum": ["approval", "clarification", "external-event", "custom", "conversation.start", "conversation.exchange", "conversation.close", "low-confidence"], "description": "RFC 0094 §E — the full kind union `interrupt.md` defines (mirrors suspend-request.schema.json). Conversation kinds are gated on the conversation capability per capabilities.md." },
         "key":         { "type": "string", "minLength": 1 }
       },
       "additionalProperties": true
@@ -607,7 +608,7 @@
       "properties": {
         "nodeId":      { "type": "string" },
         "interruptId": { "type": "string" },
-        "kind":        { "type": "string", "enum": ["approval", "clarification", "external-event", "custom"] },
+        "kind":        { "type": "string", "enum": ["approval", "clarification", "external-event", "custom", "conversation.start", "conversation.exchange", "conversation.close", "low-confidence"], "description": "RFC 0094 §E — the full kind union `interrupt.md` defines (mirrors suspend-request.schema.json). Conversation kinds are gated on the conversation capability per capabilities.md." },
         "resumeValue": {}
       },
       "additionalProperties": true
@@ -635,12 +636,13 @@
 
     "outputChunk": {
       "type": "object",
-      "description": "Emitted for streaming output (e.g., LLM token chunks). Stream-mode `messages` consumers see these. Tiered metadata per stream-modes.md §messages (S2 closure): bare {nodeId, chunk} is the minimum compliant payload; `meta` adds Tier 1 typed slots and a Tier 2 provider-pass-through escape hatch.",
-      "required": ["nodeId", "chunk"],
+      "description": "Emitted for streaming output (e.g., LLM token chunks). Stream-mode `messages` consumers see these. RFC 0094 §D single-sources the `ai.message.chunk` payload here: bare {nodeId, runId, chunk, isLast} is the minimum compliant payload per stream-modes.md §messages (the prior {nodeId, chunk}-only required set was the defective restatement). Tiered metadata per stream-modes.md §messages (S2 closure): `meta` adds Tier 1 typed slots and a Tier 2 provider-pass-through escape hatch.",
+      "required": ["nodeId", "runId", "chunk", "isLast"],
       "properties": {
         "nodeId":  { "type": "string", "minLength": 1 },
+        "runId":   { "type": "string", "minLength": 1, "description": "Run this chunk belongs to. Required so multiplexed consumers (mixed-mode streams, fan-in UIs) can route chunks without out-of-band context." },
         "chunk":   { "type": "string" },
-        "isLast":  { "type": "boolean" },
+        "isLast":  { "type": "boolean", "description": "True for the final chunk of a given AI node call. Required — both reference consumers rely on it for fold termination." },
         "channel": { "type": "string", "description": "Optional sub-stream identifier when a node emits multiple parallel streams." },
         "meta":    { "$ref": "#/$defs/_chunkMeta" }
       },
@@ -1254,6 +1256,21 @@
       "additionalProperties": true
     },
 
+    "agentVerified": {
+      "type": "object",
+      "description": "RFC 0090 (`multiAgent.executionModel.version >= 6`). A critic agent's independent verdict over a prior result, emitted before the result is committed/merged. Content-free: names the target + verdict + (optional) criteria KEYS, never the verified content (SECURITY invariant `verifier-no-content-leak`). A `fail` verdict on a `verifier.gating: true` host MUST block the merge/terminate; `revise` SHOULD route back to another actor turn (bounded by `maxLoopIterations`, RFC 0058).",
+      "required": ["agentId", "target", "verdict"],
+      "properties": {
+        "agentId":  { "type": "string", "minLength": 3, "maxLength": 256, "description": "AgentRef.agentId of the verifying (critic) agent. SHOULD differ from the agent whose work is checked; a host MAY allow self-verification but MUST keep verifier identity inspectable." },
+        "target":   { "type": "string", "minLength": 1, "description": "Opaque reference to what was checked — the eventId of the verified `agent.decided`, a child runId, or a tool callId. Chains the verdict to its subject." },
+        "verdict":  { "type": "string", "enum": ["pass", "fail", "revise"], "description": "`pass`: acceptable, MAY commit/terminate. `fail`: rejected; a `verifier.gating` host MUST NOT commit it. `revise`: needs another actor turn; SHOULD route back, not terminate." },
+        "criteria": { "type": "array", "items": { "type": "string", "minLength": 1 }, "uniqueItems": true, "description": "Optional closed list of the criteria KEYS evaluated (e.g. `[\"schema-valid\",\"grounded\"]`). Keys only — never per-criterion verdict text — for SIEM safety." },
+        "confidence": { "type": "number", "minimum": 0, "maximum": 1, "description": "Optional verifier confidence in `[0,1]` — the critic's confidence in its OWN verdict, distinct from the actor's `agent.decided.confidence`. MAY drive the RFC 0039 escalation contract." },
+        "causationHostId": { "type": "string", "minLength": 1, "description": "RFC 0040 §A — cross-host causation pointer when the verified target lives on a different host." }
+      },
+      "additionalProperties": false
+    },
+
     "runOrchestratorDecided": {
       "type": "object",
       "description": "Multi-Agent Shift Phase 5. Emitted exactly once per orchestrator decision by a `core.orchestrator.supervisor` node (or host-extension equivalent). Carries the deciding agent's identity and the typed `OrchestratorDecision` (see `orchestrator-decision.schema.json`). The envelope's top-level `nodeId` carries the supervisor node-id; the payload does NOT duplicate it.",

package/schemas/run-event.schema.json

@@ -25,7 +25,15 @@
       "maxLength": 128
     },
     "type": {
-      "$ref": "#/$defs/RunEventType"
+      "description": "Event-type discriminator. RFC 0094 §C: either a protocol-owned type from the authoritative `RunEventType` catalog, or a correctly-prefixed vendor-extension event per `host-extensions.md` §\"Vendor-prefixed namespaces\" (dotted name whose first segment is the vendor's short identifier or reverse-DNS label — e.g. `acme.canvas.published` — and is NOT a protocol-owned/registry-reserved prefix). Aligns the schema with `COMPATIBILITY.md` (\"Clients MUST ignore unknown event types\") and `version-negotiation.md` (readers ignore unknown).",
+      "anyOf": [
+        { "$ref": "#/$defs/RunEventType" },
+        {
+          "type": "string",
+          "pattern": "^(?!(?:openwop|core|community|vendor|private|local)\\.)[a-z][a-zA-Z0-9_-]*(\\.[a-zA-Z0-9_-]+)+$",
+          "description": "Vendor-extension event type: two or more dot-separated segments; the leading segment is the vendor prefix and MUST NOT be one of the protocol-owned / registry-reserved prefixes (`openwop.*`, `core.*`, `community.*`, `vendor.*`, `private.*`, `local.*`) per `host-extensions.md` §\"Canonical prefixes\"."
+        }
+      ]
     },
     "payload": {
       "description": "Event-type-specific payload. Servers MAY validate against per-type schemas; this top-level schema accepts any JSON value.",
@@ -57,7 +65,8 @@
       "maxLength": 128
     }
   },
-  "additionalProperties": false,
+  "$comment": "RFC 0094 §G + COMPATIBILITY.md §\"Schema closure\": RunEventDoc is a SERVER-EMITTED shape, so it is open (`additionalProperties: true`) — v1.x hosts may add optional fields additively without breaking schema-validating clients. Client-submitted shapes stay closed at their outermost composition.",
+  "additionalProperties": true,
   "$defs": {
     "RunEventType": {
       "type": "string",
@@ -123,6 +132,7 @@
         "agent.toolReturned",
         "agent.handoff",
         "agent.decided",
+        "agent.verified",
         "agent.invocation.started",
         "agent.invocation.completed",
         "eval.started",

package/schemas/run-options.schema.json

@@ -2,7 +2,7 @@
   "$schema": "https://json-schema.org/draft/2020-12/schema",
   "$id": "https://openwop.dev/spec/v1/run-options.schema.json",
   "title": "RunOptions",
-  "description": "Per-run parameter overlay supplied by the caller in `POST /v1/runs`. See `run-options.md` for full semantics. Reserved keys are typed; unknown keys in `configurable` pass through to the engine.",
+  "description": "Per-run parameter overlay supplied by the caller in `POST /v1/runs`. See `run-options.md` for full semantics. Reserved keys are typed; unknown keys in `configurable` pass through to the engine. RFC 0094 §A: this schema is OPEN at its own root (no `additionalProperties: false`) because it participates in the composed `createRun` request body in `api/openapi.yaml`; the closure (`unevaluatedProperties: false`) lives at that composition site, the only place JSON Schema 2020-12 can express closure over an `allOf`.",
   "type": "object",
   "properties": {
     "configurable": {
@@ -21,7 +21,6 @@
       "description": "Free-form caller metadata. Persisted on the run doc; surfaces back via `RunSnapshot.metadata`. Server MAY enforce a serialized-size limit (recommended: 50KB)."
     }
   },
-  "additionalProperties": false,
   "$defs": {
     "Configurable": {
       "type": "object",

package/schemas/run-snapshot.schema.json

@@ -28,9 +28,10 @@
         "waiting-external",
         "completed",
         "failed",
+        "cancelling",
         "cancelled"
       ],
-      "description": "Current run state. `waiting-external` MUST be used when the suspended interrupt's `kind` is `external-event` per `interrupt-profiles.md §openwop-interrupt-external-event` — distinguishes external-event waits from HITL waits at the wire level. Forward-compat: future statuses MAY be added; readers SHOULD treat unknown values as terminal-unknown rather than throw."
+      "description": "Current run state. `waiting-external` MUST be used when the suspended interrupt's `kind` is `external-event` per `interrupt-profiles.md §openwop-interrupt-external-event` — distinguishes external-event waits from HITL waits at the wire level. `cancelling` (RFC 0094 §B) is the transitional state between a cancel request being accepted and the terminal `cancelled` — `rest-endpoints.md` and the OpenAPI cancel responses already document the transition; a snapshot read during the cancel cascade carries it. Forward-compat: future statuses MAY be added; readers SHOULD treat unknown values as terminal-unknown rather than throw."
     },
     "owner": {
       "type": "object",

package/schemas/suspend-request.schema.json

@@ -76,6 +76,11 @@
           "type": "string",
           "enum": ["single-veto", "majority"],
           "default": "single-veto"
+        },
+        "overrideBypassesQuorum": {
+          "type": "boolean",
+          "default": false,
+          "description": "RFC 0093 §D2 (pins RFC 0051 UQ 2). When `true`, a configured override principal (per `interrupt-profiles.md` §approval-gate `override.requiredRole`) MAY bypass the quorum (`requiredApprovals`) and release the gate alone. Default `false`: an override principal's approval counts as ONE quorum vote; quorum still applies. Optional, additive."
         }
       }
     },

package/src/scenarios/agent-capability-degraded-projection.test.ts

@@ -0,0 +1,108 @@
+/**
+ * Agent capability-requirement degraded projection (RFC 0092 §B) — behavioral.
+ *
+ * Gated on `capabilities.agents.manifestRuntime` (root-first per RFC 0073).
+ * Soft-skips when unadvertised (default) / hard-fails under
+ * `OPENWOP_REQUIRE_BEHAVIOR=true`. The always-on wire-shape coverage lives in
+ * `agent-requires-capabilities-shape.test.ts` (the `requiresCapabilities[]`
+ * field); this asserts host BEHAVIOR on the NORMATIVE `GET /v1/agents` inventory:
+ *
+ *   §B iff-contract — when an agent's `requiresCapabilities[]` names a key the
+ *   host does NOT advertise, that key MUST appear in the inventory entry's
+ *   `degraded[]` (the canonical RFC 0072 §C field — NOT a `degradedCapabilities`
+ *   field). An agent whose requirements are all satisfied MUST omit `degraded`
+ *   (or carry it empty). `degraded[]` members are unique, non-empty strings.
+ *
+ *   Non-vacuity — the inventory MUST be non-empty. When
+ *   `OPENWOP_DEGRADED_CAPABILITY_AGENT_ID` names an agent the host knows is
+ *   capability-degraded (its `requiresCapabilities` names an unadvertised key),
+ *   the degraded branch is asserted NON-VACUOUSLY against that agent.
+ *
+ * Black-box on the normative path — no POST seam.
+ *
+ * Spec references:
+ *   - https://github.com/openwop/openwop/blob/main/RFCS/0092-agent-capability-requirements.md
+ *   - https://github.com/openwop/openwop/blob/main/RFCS/0072-agent-inventory-and-dispatch.md (§C degraded[])
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+import { behaviorGate } from '../lib/behavior-gate.js';
+import { readManifestRuntimeCap, listManifestAgents } from '../lib/agentRuntime.js';
+
+interface InventoryEntry {
+  agentId?: string;
+  requiresCapabilities?: unknown;
+  degraded?: unknown;
+  [k: string]: unknown;
+}
+
+describe('agent-capability-degraded-projection (RFC 0092 §B)', () => {
+  it('surfaces unmet requiresCapabilities in degraded[] and nothing on the rest', async () => {
+    const mr = await readManifestRuntimeCap();
+    if (!behaviorGate('openwop-agent-capability-degraded', mr?.supported === true)) return;
+
+    const inv = await listManifestAgents();
+    if (inv === null) return; // cap advertised but /v1/agents unserved — soft-skip
+    const agents = (inv.agents ?? []) as InventoryEntry[];
+
+    // Non-vacuity: an advertising + serving host MUST expose its inventory.
+    expect(
+      agents.length >= 1,
+      driver.describe('RFC 0072 §A', 'GET /v1/agents MUST return the installed manifest agents'),
+    ).toBe(true);
+
+    // §B well-formedness on EVERY entry: degraded[], when present, is a unique
+    // list of non-empty strings.
+    for (const a of agents) {
+      const d = a.degraded;
+      if (d !== undefined) {
+        expect(
+          Array.isArray(d),
+          driver.describe('agent-inventory-response.schema.json', `degraded MUST be an array when present (agent ${a.agentId})`),
+        ).toBe(true);
+        if (Array.isArray(d)) {
+          for (const k of d) {
+            expect(
+              typeof k === 'string' && k.length > 0,
+              driver.describe('RFC 0072 §C', `degraded[] members MUST be non-empty strings (agent ${a.agentId}, got ${String(k)})`),
+            ).toBe(true);
+          }
+          expect(
+            new Set(d as string[]).size === d.length,
+            driver.describe('RFC 0092 §B', `degraded[] MUST be unique (agent ${a.agentId})`),
+          ).toBe(true);
+        }
+      }
+    }
+
+    // Non-vacuous degraded branch when the host names a known capability-degraded agent.
+    const degradedId = process.env.OPENWOP_DEGRADED_CAPABILITY_AGENT_ID;
+    if (degradedId) {
+      const target = agents.find((a) => a.agentId === degradedId);
+      expect(
+        target !== undefined,
+        driver.describe('RFC 0092 §B', `OPENWOP_DEGRADED_CAPABILITY_AGENT_ID=${degradedId} MUST appear in the inventory`),
+      ).toBe(true);
+      if (target) {
+        const d = target.degraded;
+        expect(
+          Array.isArray(d) && d.length >= 1,
+          driver.describe('RFC 0092 §B', 'the named capability-degraded agent MUST carry a non-empty degraded[]'),
+        ).toBe(true);
+        // When the entry also exposes requiresCapabilities, every degraded key
+        // MUST be one the agent actually requires (the projection is a subset of
+        // requirements, never invented).
+        if (Array.isArray(d) && Array.isArray(target.requiresCapabilities)) {
+          const req = new Set(target.requiresCapabilities as unknown[]);
+          for (const k of d) {
+            expect(
+              req.has(k),
+              driver.describe('RFC 0092 §B', `a degraded[] key MUST be one the agent requires (got ${String(k)})`),
+            ).toBe(true);
+          }
+        }
+      }
+    }
+  });
+});