@openwop/openwop-conformance 1.23.0 → 1.25.0

package/schemas/README.md

@@ -10,6 +10,9 @@
 | `agent-eval-suite.schema.json` | `agent-evaluation.md` (RFC 0081) | Portable agent evaluation suite — tasks + golden/rubric `expected` + deterministic fixtures + allowed model classes + pass/fail thresholds, pack-distributed via `evalSuiteRef` |
 | `agent-manifest.schema.json` | `node-packs.md` + agent-pack RFCs | Agent manifest entries distributed alongside node-pack manifests |
 | `eval-summary.schema.json` | `agent-evaluation.md` (RFC 0081) | The content-free eval-run scorecard — aggregate + per-task scores/cost/latency/safety-findings + regression delta; served by `GET /v1/runs/{runId}/eval-summary` (SECURITY invariant `eval-summary-no-content-leak`) |
+| `proposal.schema.json` | `agent-memory.md` §"Reviewable learning" (RFC 0096) | Reviewable-learning proposal — an INERT, draft-state reusable artifact (agent-pack/workflow-chain-pack/prompt-template/automation) synthesized from run traces; MUST NOT influence any run until `applied`; activation delegated to RFC 0051/0049 (SECURITY invariants `proposal-inert-until-applied`, `proposal-no-resynthesis`) |
+| `goal.schema.json` | `agent-runtime.md` §"Standing goals" (RFC 0097) | Standing goal — a durable objective with judge-based (RFC 0090) completion + bounded (RFC 0058) continuation; completion is the judge's verdict, never client-set (SECURITY invariants `goal-continuation-bounded`, `goal-completion-judge-only`) |
+| `export-bundle.schema.json` | `portability.md` (RFC 0098) | Portable agent-platform export bundle — a tenant's reusable estate (agents/packs/templates/connection-refs/schedules/roster/org-chart) for cross-host migration; carries NO credential values, only refs (SECURITY invariant `export-bundle-no-credential-material`) |
 | `agent-ref.schema.json` | `agent-memory.md` + agent-identity RFC | Multi-Agent Shift Phase 1 — slim runtime AgentRef projection carried on `RunSnapshot.agent` / `runOrchestrator`, `WorkflowNode.agent?`, and `agent.*` event payloads |
 | `agent-roster-entry.schema.json` | `agent-roster.md` (RFC 0086) | Standing agent INSTANCE — a named, tenant-scoped `host:<id>` agent (the "digital-twin employee") that references a manifest/deployment (`agentRef`) and owns a `workflows[]` portfolio; the discovery shape behind `GET /v1/agents/roster` + the `roster` inventory projection |
 | `agent-org-chart.schema.json` | `agent-org-chart.md` (RFC 0087) | Tenant-scoped, DESCRIPTIVE grouping of roster members into departments + roles with acyclic `reportsTo` edges; carries NO authority field (every object `additionalProperties:false`) per the `org-position-no-authority-escalation` invariant; the discovery shape behind `GET /v1/agents/org-chart` |
@@ -61,6 +64,9 @@
 | `credential-provenance.schema.json` | `host-capabilities.md` §"Credential provenance + egress policy" (RFC 0079) | Metadata about a host-issued credential at the tool/egress boundary — `credentialId`/`issuer`/`audiences`(+scopes/expiry/redaction/audit-correlation). Secret-free (SR-1); the §C audience-binding MUST is evaluated against `audiences`. |
 | `security-advisory.schema.json` | `registry-operations.md` + INCIDENT-RESPONSE runbook | Registry-owned CVE advisory record at `registry/security/advisories.json`. One entry per disclosed vulnerability — id, severity, affected pack-name + SemVer range, optional fixedIn/advisoryUrl/credits. Enforced by `check-advisories.mjs` in `.github/workflows/registry-publish.yml`. |
 | `trigger-subscription.schema.json` | `trigger-bridge.md` (RFC 0083) | Durable inbound-trigger subscription record — `subscriptionId`/`source`/`state` (active/paused/failed/dead-lettered) + `dedupEnabled`/`retryPolicy` + the webhooks.md register keys. Backs the `openwop-trigger-bridge` profile; content-free of inbound payloads (SR-1). |
+| `trigger-event.schema.json` | `trigger-bridge.md` §F (RFC 0099) | The normalized external-event envelope handed to a started run as `ctx.triggerData` (webhook/email/form). In-run only — never event-logged; `trigger.delivery.attempted` stays content-free. Per-source one-of; `contentTrust: "untrusted"`; `AttachmentRef.ref` is a host-internal handle, never a fetchable URL (`trigger-ingestion-ssrf` / `trigger-ingestion-content-redaction`). |
+| `trigger-subscription-registration.schema.json` | `trigger-bridge.md` §F (RFC 0099) | The `POST /v1/trigger-subscriptions` create request — binds an external `source` to a `workflowId` with a dedup config + a source-authenticity `verification` policy. The portable create surface RFC 0083 UQ1 left per-source. |
+| `a2a-task-state.schema.json` | `a2a-integration.md` §"Async / durable Tasks" (RFC 0100) | The durable, persisted projection of an A2A `Task` an OpenWOP host keeps per backing run when `a2a.durableTasks: true` — `taskId == runId`, lowercase-hyphen `state`, `interruptKind`, optional SSRF-guarded `PushConfig`. Content-free of run inputs/outputs/artifacts (SR-1 / `a2a-push-egress-ssrf`). |
 | `budget-policy.schema.json` | `budget-policy.md` (RFC 0084) | The reserved `budget` run-options shape — `maxTokens`/`maxCostUsd`/`maxToolCalls`/`maxRetries`/`modelAllow[]`/`modelDeny[]`/`thresholdPercent`/`onExhaustion`. Enforceable per-run spend governance; wall-time/iterations delegated to RFC 0058 (`additionalProperties:false`). Content-free events; no pricing on the wire (`budget-no-pricing-leak`). |
 | `tool-descriptor.schema.json` | `tool-catalog.md` (RFC 0078) | Portable read-only description of one tool unifying the five tool surfaces (node-pack/workflow/mcp/connector/host-extension) — stable `toolId`, source, I/O schemas, auth/egress/approval requirements, replay policy, and `safetyTier` (`exec` ⇒ `host-extension`, RFC 0069). Returned by `GET /v1/tools`; secret-free (SR-1). |
 | `suspend-request.schema.json` | `interrupt.md` | `InterruptPayload` with 8 `kind` discriminators (approval, clarification, external-event, custom, conversation.start, conversation.exchange, conversation.close, low-confidence) |

package/schemas/a2a-task-state.schema.json

@@ -0,0 +1,78 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://openwop.dev/spec/v1/a2a-task-state.schema.json",
+  "title": "A2ATaskState",
+  "description": "RFC 0100 §2. The durable, persisted projection of an A2A `Task` an OpenWOP host keeps per backing run when it advertises `capabilities.a2a.durableTasks: true` — durable for the run's whole lifecycle (surviving caller disconnect, host restart within retention, and HITL pauses) so `tasks/get` returns live state after a disconnect. It is the persisted form of the `a2a-integration.md` §\"State projection (forward)\" mapping, NOT a new mapping. Content-free of run inputs/outputs/artifacts/credential material (SR-1 / `a2a-integration.md` trust boundary) — artifacts project to A2A `Artifact`s over the A2A transport, not into this record.",
+  "type": "object",
+  "additionalProperties": false,
+  "required": ["taskId", "runId", "state", "updatedAt"],
+  "properties": {
+    "taskId": {
+      "type": "string",
+      "minLength": 1,
+      "description": "The A2A Task.id. MUST equal the backing OpenWOP `runId` (a2a-integration.md §2 — 'the returned runId becomes the A2A Task.id')."
+    },
+    "runId": {
+      "type": "string",
+      "minLength": 1,
+      "description": "The backing OpenWOP run. Bound 1:1 to `taskId`."
+    },
+    "contextId": {
+      "type": "string",
+      "description": "The A2A context_id (carried as the run tag `a2a:ctx_*` per a2a-integration.md §2)."
+    },
+    "state": {
+      "type": "string",
+      "enum": ["submitted", "working", "input-required", "auth-required", "completed", "failed", "canceled", "rejected"],
+      "description": "The A2A 0.3 JSON-RPC wire form (lowercase-hyphen — a2a-integration.md §'Wire-shape spelling drift'). Projected from `run.status` per a2a-integration.md §'State projection (forward)': pending→submitted, running→working, paused→working, waiting-approval/waiting-input→input-required, completed→completed, failed→failed, cancelled→canceled. `auth-required` is carried for reverse-direction fidelity only; the forward projection never sets it (openwop has no native auth interrupt — a2a-integration.md drift point #3)."
+    },
+    "interruptKind": {
+      "type": "string",
+      "enum": ["approval", "clarification"],
+      "description": "Present iff `state == 'input-required'`. Disambiguates a2a-integration.md drift point #2 (both approval + clarification project to INPUT_REQUIRED) — carried in `Task.metadata.openwop.interrupt.kind`, the `metadata.openwop.*` shape the doc's Future-work asks to codify."
+    },
+    "updatedAt": {
+      "type": "string",
+      "format": "date-time",
+      "description": "When the projected state last changed."
+    },
+    "pushConfig": { "$ref": "#/$defs/PushConfig" }
+  },
+  "$defs": {
+    "PushConfig": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": ["url"],
+      "description": "RFC 0100 §4. A caller-registered A2A push-notification config for this Task.",
+      "properties": {
+        "url": {
+          "type": "string",
+          "format": "uri",
+          "description": "Caller-registered push target. The host MUST validate it through the RFC 0093 webhook-egress SSRF guard before any push (no private/loopback/link-local target) — SECURITY invariant `a2a-push-egress-ssrf`."
+        },
+        "tokenFingerprint": {
+          "type": "string",
+          "maxLength": 32,
+          "description": "MAY — a truncated/salted digest of the caller's push-auth token (NEVER the raw token; same SR-1 rule as RFC 0083's `secretFingerprint`). The A2A push HMAC details (A2A §4.3.3) stay inside the A2A layer per a2a-integration.md."
+        }
+      }
+    }
+  },
+  "examples": [
+    {
+      "taskId": "run_x",
+      "runId": "run_x",
+      "contextId": "ctx_42",
+      "state": "input-required",
+      "interruptKind": "approval",
+      "updatedAt": "2026-06-13T19:00:00Z",
+      "pushConfig": { "url": "https://caller.example.com/a2a/push", "tokenFingerprint": "a1b2c3d4e5f6" }
+    },
+    {
+      "taskId": "run_y",
+      "runId": "run_y",
+      "state": "completed",
+      "updatedAt": "2026-06-13T19:05:00Z"
+    }
+  ]
+}

package/schemas/capabilities.schema.json

@@ -1119,6 +1119,54 @@
           "type": "boolean",
           "default": false,
           "description": "RFC 0063 (`Active`). When `true`, host honors the optional `outputAttestation` block on `core.subWorkflow`: computes a content checksum (RFC 8785 JCS + SHA-256, the `replay.md` recipe) over a child's harvested outputs and surfaces it as the additive optional `attestation` object on the existing `core.workflowChain.event { phase: 'output.harvested' }` (RFC 0037) BEFORE applying `outputMapping`; when the config sets `requireApproval: true`, suspends the parent via an `approval` interrupt (RFC 0051) before merge and fails closed (no `accept`/`edit-accept` ⇒ no merge). Reuses RFC 0051's `approval` kind + RFC 0049 scopes for `principalScope` — no new interrupt kind, event type, or error code. Hosts that omit / `false` this flag treat `outputAttestation` as inert (blind merge, today's behavior)."
+        },
+        "proposals": {
+          "type": "object",
+          "description": "RFC 0096 (`Active`). Reviewable learning — the host synthesizes reusable artifacts (skills/packs/templates/automations) from run/tool traces as INERT, reviewable drafts that MUST NOT influence the resolution, planning, or execution of any run until an authorized principal activates them. A host advertising this serves the `/v1/host/sample/proposals` surface (promotable to `/v1/proposals`) and emits the content-free `proposal.created` / `proposal.activated` events. Activation is delegated to RFC 0051 approval-gate or RFC 0049 RBAC — no new authorization path. On `apply` the installed artifact MUST byte-match the last-persisted `artifact` (no silent re-synthesis). Hosts that omit this block do not synthesize proposals; the conformance scenarios skip cleanly.",
+          "additionalProperties": false,
+          "required": ["artifactKinds", "activation"],
+          "properties": {
+            "artifactKinds": {
+              "type": "array",
+              "items": { "type": "string", "enum": ["agent-pack", "workflow-chain-pack", "prompt-template", "automation"] },
+              "uniqueItems": true,
+              "description": "Which reusable artifact kinds the host can propose. `agent-pack` (RFC 0003), `workflow-chain-pack` (RFC 0013), `prompt-template` (RFC 0027), `automation` (RFC 0052 scheduled job)."
+            },
+            "duplicationDetection": {
+              "type": "boolean",
+              "default": false,
+              "description": "When `true`, the host populates `Proposal.duplicateOf` with an existing artifact ref the proposal restates/overlaps (the 'Curator' duplication signal)."
+            },
+            "activation": {
+              "type": "string",
+              "enum": ["approval-gate", "direct-rbac"],
+              "description": "`approval-gate`: `apply` MUST drive an RFC 0051 gate (role/scope/quorum, audited override) and MUST NOT install unless granted/overridden. `direct-rbac`: `apply` requires only the RFC 0049 scope the host advertises for activation."
+            }
+          }
+        },
+        "goals": {
+          "type": "object",
+          "description": "RFC 0097 (`Active`). Standing goals — a durable objective with explicit completion criteria, evaluated by a host-side judge (RFC 0090 verifier or host evaluator), that keeps an agent working across turns/runs until the judge is satisfied, a declared RFC 0058 bound is crossed, or the agent escalates (RFC 0044). A host advertising this serves `/v1/host/sample/goals` (promotable to `/v1/goals`) and emits the content-free `goal.evaluated` / `goal.closed` events. Completion MUST be the judge's verdict — a client MUST NOT set `state: satisfied` directly. Continuation MUST be bounded. Hosts that omit this block do not run standing goals; the conformance scenarios skip cleanly.",
+          "additionalProperties": false,
+          "required": ["judge", "continuation"],
+          "properties": {
+            "judge": {
+              "type": "string",
+              "enum": ["verifier", "host"],
+              "description": "`verifier`: completion is an RFC 0090 verifier verdict. `host`: an opaque host evaluator."
+            },
+            "continuation": {
+              "type": "array",
+              "items": { "type": "string", "enum": ["schedule", "commitment", "heartbeat", "manual"] },
+              "uniqueItems": true,
+              "description": "How a goal re-engages work between judge checks. `schedule` (RFC 0052), `commitment` (RFC 0068), `heartbeat` (RFC 0060), `manual`."
+            },
+            "requiresBounds": {
+              "type": "boolean",
+              "default": true,
+              "description": "When `true` (default), a goal MUST declare valid RFC 0058 `bounds` before it may activate; a `POST /goals` without bounds returns 422. The host MUST stop continuation and set `state: bound-exceeded` when any declared bound (iteration count / accumulated cost / wall-clock deadline) is crossed."
+            }
+          }
         }
       },
       "additionalProperties": true
@@ -1466,7 +1514,31 @@
             "backoff": { "type": "string", "enum": ["none", "fixed", "exponential"], "description": "Backoff strategy between attempts." }
           }
         },
-        "sources": { "type": "array", "uniqueItems": true, "items": { "type": "string", "enum": ["webhook", "schedule", "queue", "email", "form"] }, "description": "Which trigger sources bridge uniformly. A source listed here MUST have a registerable `TriggerSubscription` driven through the four-state machine AND emit the two `trigger.*` events for that source — the list MUST NOT over-claim a source the host has as a feature but does not wire as a durable trigger subscription. A consumer MUST tolerate any subset." }
+        "sources": { "type": "array", "uniqueItems": true, "items": { "type": "string", "enum": ["webhook", "schedule", "queue", "email", "form"] }, "description": "Which trigger sources bridge uniformly. A source listed here MUST have a registerable `TriggerSubscription` driven through the four-state machine AND emit the two `trigger.*` events for that source — the list MUST NOT over-claim a source the host has as a feature but does not wire as a durable trigger subscription. A consumer MUST tolerate any subset." },
+        "ingestion": {
+          "type": "object",
+          "additionalProperties": false,
+          "description": "RFC 0099 §F.3 (additive). External-event ingestion advertisement — which of `sources[]` the host actually ingests from EXTERNALLY-originated events (`webhook`/`email`/`form`), normalizing each to a `TriggerEvent` (`trigger-event.schema.json`) and starting a run. Absent ⇒ the host does NOT externally-ingest (today's behavior — schedule/queue only). A source in `externalSources[]` MUST actually accept an external event, normalize it, and start a run — over-claiming is a dishonest advertisement. A consumer MUST tolerate any subset.",
+          "properties": {
+            "externalSources": { "type": "array", "uniqueItems": true, "items": { "type": "string", "enum": ["webhook", "email", "form"] }, "description": "Which of `sources[]` are EXTERNALLY ingested per RFC 0099. The honesty gate — each MUST normalize to a `TriggerEvent` and start a run." },
+            "maxBodyBytes": { "type": "integer", "minimum": 1, "description": "Inbound body cap (webhook body / email / form), reusing the RFC 0076 §B response-cap discipline." },
+            "verification": { "type": "array", "uniqueItems": true, "items": { "type": "string", "enum": ["webhook-signature", "email-dmarc", "form-origin"] }, "description": "Which source-authenticity checks the host performs. An advertised check MUST actually be performed (RFC 0099 §F.3 / UQ1)." },
+            "registrationEndpoint": { "type": "boolean", "description": "`true` ⇒ the host serves `POST /v1/trigger-subscriptions` (RFC 0099 §F.2) for portable external-event subscription creation." }
+          }
+        }
+      }
+    },
+    "a2a": {
+      "type": "object",
+      "additionalProperties": false,
+      "description": "RFC 0100 (`Active`). The host exposes itself as an A2A (Agent2Agent) agent. `supported: true` alone ⇒ the SYNCHRONOUS `message/send` → poll `tasks/get` round-trip already specified by `a2a-integration.md` (today's behavior — no regression). The optional `streaming`/`pushNotifications`/`durableTasks` flags gate the RFC 0100 async/durable additions (resubscribe re-attach, push config, persisted `A2ATaskState` so `tasks/get` returns live state after disconnect). Absent block ⇒ no A2A advertisement.",
+      "required": ["supported", "agentCardUrl"],
+      "properties": {
+        "supported": { "type": "boolean", "description": "Host exposes itself as an A2A agent." },
+        "agentCardUrl": { "type": "string", "format": "uri", "description": "The A2A 0.3 well-known agent card URL (`/.well-known/agent-card.json`)." },
+        "streaming": { "type": "boolean", "description": "Host supports `message/stream` + `tasks/resubscribe` (A2A `capabilities.streaming`). Gates the RFC 0100 §3 resubscribe re-attach." },
+        "pushNotifications": { "type": "boolean", "description": "Host supports A2A push-notification config (A2A `capabilities.push_notifications`). Gates the RFC 0100 §4 push contract; a caller-supplied `pushConfig.url` is SSRF-validated (`a2a-push-egress-ssrf`)." },
+        "durableTasks": { "type": "boolean", "description": "RFC 0100 §2. Host PERSISTS the projected Task (`A2ATaskState`) per backing run; `tasks/get` returns live state after disconnect. Absent/false ⇒ synchronous round-trip only." }
       }
     },
     "budget": {
@@ -1979,6 +2051,36 @@
         }
       },
       "additionalProperties": false
+    },
+    "portability": {
+      "type": "object",
+      "description": "RFC 0098 (`Active`). Export/import of a tenant's reusable estate (agents 0070, packs 0003/0013, prompt templates 0027, connection *refs* 0045/0095, schedules 0052, roster/org-chart 0086/0087). An export bundle carries NO credential values — only refs to be re-bound at the destination (RFC 0046/0079). Import maps the estate onto the destination's RFC 0048 identity, MUST offer a no-write dry-run plan, MUST be idempotent, and is gated by an RFC 0049 scope. A host advertising this serves `/v1/host/sample/{export,import}` (promotable to `/v1/{export,import}`) and emits the content-free `import.applied` event. Hosts that omit this block neither export nor import; the conformance scenarios skip cleanly.",
+      "additionalProperties": false,
+      "properties": {
+        "export": {
+          "type": "boolean",
+          "default": false,
+          "description": "Host can emit an export bundle for the caller's tenant/workspace via `GET /export`."
+        },
+        "import": {
+          "type": "boolean",
+          "default": false,
+          "description": "Host can import an export bundle via `POST /import`. When `true`, `dryRun` MUST also be `true` (a no-write plan preview is mandatory)."
+        },
+        "kinds": {
+          "type": "array",
+          "items": { "type": "string", "enum": ["agent", "pack", "prompt-template", "connection-ref", "schedule", "roster", "org-chart"] },
+          "uniqueItems": true,
+          "description": "Estate kinds this host can export/import."
+        },
+        "dryRun": {
+          "type": "boolean",
+          "default": true,
+          "description": "Import supports a no-write plan preview (`POST /import?dryRun=true`). MUST be true if `import` is true."
+        }
+      },
+      "if": { "properties": { "import": { "const": true } }, "required": ["import"] },
+      "then": { "properties": { "dryRun": { "const": true } }, "required": ["dryRun"] }
     }
   },
   "additionalProperties": true

package/schemas/export-bundle.schema.json

@@ -0,0 +1,66 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://openwop.dev/spec/v1/export-bundle.schema.json",
+  "title": "ExportBundle",
+  "description": "RFC 0098 §B. A portable agent-platform export bundle — a tenant's reusable estate (agents, packs, prompt templates, connection refs, schedules, roster/org-chart) composed for migration between openwop hosts (or import from an external platform via an adapter). The bundle MUST NOT contain credential VALUES: `connection-ref` items carry only refs/provider ids per RFC 0046/0079; the importer reports unbound refs in `secretsToRebind` and re-binds secrets at the destination. All imported entities are re-owned to the caller's RFC 0048 identity; `source.originPrincipal` is informational only and grants no access. Gated on the `portability` capability.",
+  "type": "object",
+  "additionalProperties": false,
+  "required": ["bundleVersion", "source", "items"],
+  "properties": {
+    "bundleVersion": {
+      "const": "1",
+      "description": "Bundle schema version. Importers MUST reject a bundleVersion they do not understand."
+    },
+    "source": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": ["origin"],
+      "description": "Provenance of the bundle. Informational only — never a source of authority at the destination.",
+      "properties": {
+        "origin": {
+          "type": "string",
+          "minLength": 1,
+          "description": "Origin host base URL or adapter id (e.g. 'adapter:openclaw')."
+        },
+        "exportedAt": { "type": "string", "format": "date-time" },
+        "originPrincipal": {
+          "type": ["string", "null"],
+          "default": null,
+          "description": "Opaque source identity, informational only. MUST NOT grant any access at the destination."
+        }
+      }
+    },
+    "items": {
+      "type": "array",
+      "description": "The estate, in arbitrary order; `dependsOn` edges define apply order (topological; a cycle is a 422).",
+      "items": {
+        "type": "object",
+        "additionalProperties": false,
+        "required": ["kind", "ref", "payload"],
+        "properties": {
+          "kind": {
+            "type": "string",
+            "enum": ["agent", "pack", "prompt-template", "connection-ref", "schedule", "roster", "org-chart"],
+            "description": "Estate kind. `agent` (RFC 0070), `pack` (RFC 0003/0013), `prompt-template` (RFC 0027), `connection-ref` (RFC 0045/0095 — refs only), `schedule` (RFC 0052), `roster` (RFC 0086), `org-chart` (RFC 0087)."
+          },
+          "ref": {
+            "type": "string",
+            "minLength": 1,
+            "description": "Stable id within the bundle, used as the target of `dependsOn` edges."
+          },
+          "dependsOn": {
+            "type": "array",
+            "items": { "type": "string" },
+            "default": [],
+            "description": "Refs of other items that MUST be applied before this one (topological order)."
+          },
+          "payload": {
+            "type": "object",
+            "description": "The kind's existing schema (RFC 0070 manifest, 0003/0013 pack, 0027 template, 0045/0095 connection *ref*, 0052 job, 0086 roster, 0087 org-chart). Deliberately open here because each kind validates against its own schema. For `connection-ref`, the payload MUST carry only refs/provider ids — a literal credential value is rejected (422).",
+            "$comment": "Intentionally open object — validated against the kind's own schema; connection-ref payloads MUST NOT contain credential values (export-bundle-no-credential-material)."
+          }
+        }
+      }
+    }
+  }
+}

package/schemas/goal.schema.json

@@ -0,0 +1,104 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://openwop.dev/spec/v1/goal.schema.json",
+  "title": "Goal",
+  "description": "RFC 0097 §B. A standing goal — a durable objective with explicit completion criteria, evaluated by a host-side judge (RFC 0090 verifier verdict or an opaque host evaluator), that keeps an agent working across turns and runs until the judge is satisfied, a declared RFC 0058 bound is crossed, or the agent escalates (RFC 0044). Completion MUST be the judge's verdict — a client MUST NOT set `state: satisfied` directly. Continuation MUST be bounded. `objective` and any verdict payload are SR-1 redaction-safe. Gated on the `agents.goals` capability.",
+  "type": "object",
+  "additionalProperties": false,
+  "required": ["id", "objective", "state", "completion", "continuation", "bounds", "owner", "createdAt"],
+  "properties": {
+    "id": {
+      "type": "string",
+      "minLength": 1,
+      "description": "Host-assigned identifier."
+    },
+    "objective": {
+      "type": "string",
+      "description": "The standing objective. SR-1 redaction-safe — no secrets/PII."
+    },
+    "state": {
+      "type": "string",
+      "enum": ["active", "satisfied", "escalated", "abandoned", "bound-exceeded"],
+      "description": "Lifecycle state. `satisfied` is set ONLY by the host on a judge verdict, never by a client. `bound-exceeded` is set when a declared bound is crossed; `escalated` when an RFC 0044 confidence-escalation interrupt fires against the goal; `abandoned` on explicit abandon."
+    },
+    "completion": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": ["check"],
+      "description": "How the goal's completion is judged.",
+      "properties": {
+        "check": {
+          "type": "string",
+          "enum": ["verifier", "host"],
+          "description": "`verifier`: completion is an RFC 0090 verifier verdict. `host`: an opaque host evaluator."
+        },
+        "verifierRef": {
+          "type": ["string", "null"],
+          "default": null,
+          "description": "RFC 0090 verifier id when `check = verifier`."
+        },
+        "lastVerdict": {
+          "type": ["object", "null"],
+          "default": null,
+          "additionalProperties": false,
+          "description": "Most recent judge verdict. Content-free re: objective text. Non-deterministic judge output — MUST be persisted (carried in the `goal.evaluated` event / checkpoint) and never recomputed on replay/fork.",
+          "properties": {
+            "satisfied": { "type": "boolean" },
+            "confidence": { "type": "number", "minimum": 0, "maximum": 1 },
+            "runId": { "type": "string", "description": "The run this verdict evaluated (RFC 0040 causation-compatible)." }
+          }
+        }
+      }
+    },
+    "continuation": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": ["mode"],
+      "description": "How the goal re-engages work between judge checks.",
+      "properties": {
+        "mode": {
+          "type": "string",
+          "enum": ["schedule", "commitment", "heartbeat", "manual"],
+          "description": "`schedule` (RFC 0052), `commitment` (RFC 0068), `heartbeat` (RFC 0060), `manual`."
+        },
+        "armRef": {
+          "type": ["string", "null"],
+          "default": null,
+          "description": "The RFC 0052 job / RFC 0068 commitment / RFC 0060 heartbeat that re-engages work for this goal."
+        }
+      }
+    },
+    "bounds": {
+      "type": "object",
+      "additionalProperties": false,
+      "description": "RFC 0058 execution bounds. The host MUST stop continuation and set `state: bound-exceeded` when any declared bound is crossed. When `agents.goals.requiresBounds` is true, at least one bound MUST be present before the goal may activate.",
+      "properties": {
+        "maxLoopIterations": { "type": "integer", "minimum": 1, "description": "RFC 0058. Max contributing iterations before the goal is bound-exceeded." },
+        "runTimeoutMs": { "type": "integer", "minimum": 0, "description": "RFC 0058. Wall-clock deadline (ms) for the standing goal." },
+        "maxCostUsd": { "type": "number", "minimum": 0, "description": "RFC 0084. Accumulated cost ceiling across contributing runs." }
+      }
+    },
+    "progress": {
+      "type": "object",
+      "additionalProperties": false,
+      "description": "Continuation progress so far.",
+      "properties": {
+        "iterations": { "type": "integer", "minimum": 0 },
+        "contributingRunIds": { "type": "array", "items": { "type": "string" }, "description": "RFC 0040 causation-compatible." }
+      }
+    },
+    "owner": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": ["tenant"],
+      "description": "RFC 0048 identity triple. Redaction-safe — `principal` is an opaque id, never PII or credential material.",
+      "properties": {
+        "tenant": { "type": "string", "minLength": 1 },
+        "workspace": { "type": "string", "minLength": 1 },
+        "principal": { "type": "string", "minLength": 1 }
+      }
+    },
+    "createdAt": { "type": "string", "format": "date-time" },
+    "updatedAt": { "type": "string", "format": "date-time" }
+  }
+}

package/schemas/proposal.schema.json

@@ -0,0 +1,84 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://openwop.dev/spec/v1/proposal.schema.json",
+  "title": "Proposal",
+  "description": "RFC 0096 §B. A reviewable-learning proposal — an INERT, draft-state reusable artifact (skill/pack/template/automation) the host synthesized from run/tool traces, that MUST NOT influence the resolution, planning, or execution of any run while in any state other than `applied`. Activation is delegated to RFC 0051 approval-gate or RFC 0049 RBAC (no new authorization path). On `apply` the installed artifact MUST byte-match the last-persisted `artifact` (no silent re-synthesis). `rationale` and `provenance.sourceRunIds` are SR-1 redaction-safe (no secrets/PII). Gated on the `agents.proposals` capability.",
+  "type": "object",
+  "additionalProperties": false,
+  "required": ["id", "kind", "state", "artifact", "provenance", "owner", "createdAt"],
+  "properties": {
+    "id": {
+      "type": "string",
+      "minLength": 1,
+      "description": "Host-assigned identifier, stable across revisions."
+    },
+    "kind": {
+      "type": "string",
+      "enum": ["agent-pack", "workflow-chain-pack", "prompt-template", "automation"],
+      "description": "The reusable artifact kind. `agent-pack` (RFC 0003), `workflow-chain-pack` (RFC 0013), `prompt-template` (RFC 0027), `automation` (RFC 0052 scheduled job)."
+    },
+    "state": {
+      "type": "string",
+      "enum": ["draft", "revised", "applied", "rejected", "archived"],
+      "description": "Lifecycle state. Only `applied` may influence a run. `draft`/`revised` are inert; `rejected`/`archived` are terminal-inert."
+    },
+    "title": {
+      "type": "string",
+      "description": "Human-facing label. SR-1 redaction-safe."
+    },
+    "rationale": {
+      "type": "string",
+      "description": "Plain-language justification. SR-1 redaction-safe — no secrets/PII."
+    },
+    "artifact": {
+      "type": "object",
+      "description": "The proposed artifact, shaped by `kind` (an RFC 0003 pack manifest, an RFC 0013 chain pack, an RFC 0027 template, an RFC 0052 job spec). Inert until applied. Deliberately open (`additionalProperties` not constrained here) because the payload conforms to the kind's own existing schema, validated by the host at `apply` (malformed-for-kind ⇒ 422).",
+      "$comment": "Intentionally open object — the artifact body is validated against the kind's own schema, not this envelope."
+    },
+    "provenance": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": ["sourceRunIds"],
+      "description": "Where the proposal came from.",
+      "properties": {
+        "sourceRunIds": {
+          "type": "array",
+          "items": { "type": "string", "minLength": 1 },
+          "description": "Runs whose traces produced this proposal (RFC 0040 causation-compatible). SR-1 redaction-safe."
+        },
+        "synthesizerModel": {
+          "type": "string",
+          "description": "Opaque identifier of the model/process that synthesized the draft."
+        }
+      }
+    },
+    "duplicateOf": {
+      "type": ["string", "null"],
+      "default": null,
+      "description": "Existing artifact ref this proposal restates/overlaps, when `agents.proposals.duplicationDetection` is on. `null` when unknown or detection is off."
+    },
+    "owner": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": ["tenant"],
+      "description": "RFC 0048 identity triple that owns this proposal. Redaction-safe — `principal` is an opaque id, never PII or credential material. Single-tenant hosts populate at least `tenant`.",
+      "properties": {
+        "tenant": { "type": "string", "minLength": 1, "description": "Top-level isolation boundary." },
+        "workspace": { "type": "string", "minLength": 1, "description": "Optional sub-tenant within the tenant (RFC 0048 workspace)." },
+        "principal": { "type": "string", "minLength": 1, "description": "Acting identity (user or agent) — opaque id, never PII." }
+      }
+    },
+    "activation": {
+      "type": ["object", "null"],
+      "default": null,
+      "description": "Populated only when `state: applied`: the RFC 0051 approval reference (if `activation = approval-gate`) and the resulting installed artifact ref.",
+      "additionalProperties": false,
+      "properties": {
+        "approvalId": { "type": ["string", "null"], "description": "RFC 0051 approval/gate id when activation routed through an approval gate." },
+        "installedArtifactRef": { "type": "string", "description": "Ref of the artifact installed on `apply` (RFC 0043 install path)." }
+      }
+    },
+    "createdAt": { "type": "string", "format": "date-time" },
+    "updatedAt": { "type": "string", "format": "date-time" }
+  }
+}

package/schemas/run-event-payloads.schema.json

@@ -2,7 +2,7 @@
   "$schema": "https://json-schema.org/draft/2020-12/schema",
   "$id": "https://openwop.dev/spec/v1/run-event-payloads.schema.json",
   "title": "RunEventPayloads",
-  "description": "Per-RunEventType payload schemas. The base RunEventDoc shape (run-event.schema.json) leaves `payload` permissive for forward-compat. This schema defines the canonical payload contract for each known RunEventType. Consumers MAY pin strict payload validation via `$defs.<typeId>` and `ajv.validate(schema.$defs[event.type], event.payload)`. Unknown event types MUST be tolerated (no $defs match → fold best-effort).\n\n95 variants from `run-event.schema.json#$defs.RunEventType` are covered, grouped into ~20 shape families with shared $defs. Naming convention: camelCase keys mirror dotted RunEventType names (e.g., `run.started` → `runStarted`).",
+  "description": "Per-RunEventType payload schemas. The base RunEventDoc shape (run-event.schema.json) leaves `payload` permissive for forward-compat. This schema defines the canonical payload contract for each known RunEventType. Consumers MAY pin strict payload validation via `$defs.<typeId>` and `ajv.validate(schema.$defs[event.type], event.payload)`. Unknown event types MUST be tolerated (no $defs match → fold best-effort).\n\n100 variants from `run-event.schema.json#$defs.RunEventType` are covered, grouped into ~20 shape families with shared $defs. Naming convention: camelCase keys mirror dotted RunEventType names (e.g., `run.started` → `runStarted`).",
   "type": "object",
   "$defs": {
     "_typeIndex": {
@@ -104,7 +104,12 @@
         "budget.reserved":           { "$ref": "#/$defs/budgetReserved" },
         "budget.consumed":           { "$ref": "#/$defs/budgetConsumed" },
         "budget.threshold.crossed":  { "$ref": "#/$defs/budgetThresholdCrossed" },
-        "budget.exhausted":          { "$ref": "#/$defs/budgetExhausted" }
+        "budget.exhausted":          { "$ref": "#/$defs/budgetExhausted" },
+        "proposal.created":          { "$ref": "#/$defs/proposalCreated" },
+        "proposal.activated":        { "$ref": "#/$defs/proposalActivated" },
+        "goal.evaluated":            { "$ref": "#/$defs/goalEvaluated" },
+        "goal.closed":               { "$ref": "#/$defs/goalClosed" },
+        "import.applied":            { "$ref": "#/$defs/importApplied" }
       }
     },
 
@@ -122,6 +127,79 @@
       }
     },
 
+    "proposalCreated": {
+      "description": "RFC 0096 §D. Emitted when the host synthesizes a reviewable-learning draft. Content-free: ids / kind / content-free references only — NEVER the artifact body or the rationale text (those live behind the authed read). Redaction-safe (SECURITY invariant `proposal-inert-until-applied` covers the behavior; SR-1 covers the payload). MUST NOT be emitted unless `capabilities.agents.proposals` is advertised.",
+      "type": "object",
+      "additionalProperties": false,
+      "required": ["proposalId", "kind"],
+      "properties": {
+        "proposalId": { "type": "string", "minLength": 1, "description": "The created proposal's stable id." },
+        "kind": { "type": "string", "enum": ["agent-pack", "workflow-chain-pack", "prompt-template", "automation"], "description": "The proposed artifact kind." },
+        "sourceRunIds": { "type": "array", "items": { "type": "string" }, "description": "Runs whose traces produced the draft (RFC 0040 causation-compatible). Ids only — no trace content." },
+        "duplicateOf": { "type": ["string", "null"], "description": "Existing artifact ref the proposal restates/overlaps, when duplication detection is on; else null." }
+      }
+    },
+
+    "proposalActivated": {
+      "description": "RFC 0096 §D. Emitted on a successful `apply`. Content-free: ids / content-free references only — NEVER the installed artifact body. MUST NOT be emitted unless `capabilities.agents.proposals` is advertised.",
+      "type": "object",
+      "additionalProperties": false,
+      "required": ["proposalId", "kind", "installedArtifactRef"],
+      "properties": {
+        "proposalId": { "type": "string", "minLength": 1 },
+        "kind": { "type": "string", "enum": ["agent-pack", "workflow-chain-pack", "prompt-template", "automation"] },
+        "approvalId": { "type": ["string", "null"], "description": "RFC 0051 approval id when activation routed through an approval gate; null for direct-rbac." },
+        "installedArtifactRef": { "type": "string", "minLength": 1, "description": "Ref of the artifact installed on apply (RFC 0043)." }
+      }
+    },
+
+    "goalEvaluated": {
+      "description": "RFC 0097 §D. Emitted after each judge check on a standing goal. Content-free: NO objective text. The verdict (`satisfied`/`confidence`) is non-deterministic judge output — it is RECORDED here and MUST NOT be recomputed on replay/fork (`replay.md`). MUST NOT be emitted unless `capabilities.agents.goals` is advertised.",
+      "type": "object",
+      "additionalProperties": false,
+      "required": ["goalId", "satisfied", "runId", "iterations"],
+      "properties": {
+        "goalId": { "type": "string", "minLength": 1 },
+        "satisfied": { "type": "boolean", "description": "The judge's verdict for this check." },
+        "confidence": { "type": "number", "minimum": 0, "maximum": 1, "description": "Judge confidence in [0,1]." },
+        "runId": { "type": "string", "minLength": 1, "description": "The run this verdict evaluated (RFC 0040 causation-compatible)." },
+        "iterations": { "type": "integer", "minimum": 0, "description": "Contributing iterations so far." }
+      }
+    },
+
+    "goalClosed": {
+      "description": "RFC 0097 §D. Emitted when a standing goal stops continuation. Content-free. MUST NOT be emitted unless `capabilities.agents.goals` is advertised.",
+      "type": "object",
+      "additionalProperties": false,
+      "required": ["goalId", "finalState"],
+      "properties": {
+        "goalId": { "type": "string", "minLength": 1 },
+        "finalState": { "type": "string", "enum": ["satisfied", "escalated", "abandoned", "bound-exceeded"], "description": "Terminal state the goal closed in." }
+      }
+    },
+
+    "importApplied": {
+      "description": "RFC 0098 §D. Emitted when an estate import is applied. Content-free: counts + ref-only — NO item payloads, NO secret values (SECURITY invariant `export-bundle-no-credential-material`). MUST NOT be emitted unless `capabilities.portability` is advertised.",
+      "type": "object",
+      "additionalProperties": false,
+      "required": ["bundleOrigin", "counts"],
+      "properties": {
+        "bundleOrigin": { "type": "string", "minLength": 1, "description": "The bundle's `source.origin` — informational only." },
+        "counts": {
+          "type": "object",
+          "additionalProperties": false,
+          "description": "Per-action item tallies.",
+          "properties": {
+            "created": { "type": "integer", "minimum": 0 },
+            "updated": { "type": "integer", "minimum": 0 },
+            "skipped": { "type": "integer", "minimum": 0 },
+            "failed": { "type": "integer", "minimum": 0 }
+          }
+        },
+        "secretsToRebind": { "type": "array", "items": { "type": "string" }, "description": "Provider/ref ids whose secrets must be re-bound at the destination. Refs only — never secret values." }
+      }
+    },
+
     "connectorAuthorized": {
       "description": "RFC 0047 — emitted when the host acquires (or re-authorizes) a third-party OAuth token on a user's behalf via the `host.oauth` flow. Redaction-safe: carries the credential REFERENCE (RFC 0046), never token material. MUST NOT be emitted unless `capabilities.oauth.supported: true`.",
       "type": "object",

package/schemas/run-event.schema.json

@@ -166,7 +166,12 @@
         "core.workflowChain.confidence-escalated",
         "connector.authorized",
         "connector.auth_expired",
-        "authorization.decided"
+        "authorization.decided",
+        "proposal.created",
+        "proposal.activated",
+        "goal.evaluated",
+        "goal.closed",
+        "import.applied"
       ]
     }
   }