@openwop/openwop-conformance 1.24.0 → 1.26.0

package/schemas/a2a-task-state.schema.json

@@ -0,0 +1,78 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://openwop.dev/spec/v1/a2a-task-state.schema.json",
+  "title": "A2ATaskState",
+  "description": "RFC 0100 §2. The durable, persisted projection of an A2A `Task` an OpenWOP host keeps per backing run when it advertises `capabilities.a2a.durableTasks: true` — durable for the run's whole lifecycle (surviving caller disconnect, host restart within retention, and HITL pauses) so `tasks/get` returns live state after a disconnect. It is the persisted form of the `a2a-integration.md` §\"State projection (forward)\" mapping, NOT a new mapping. Content-free of run inputs/outputs/artifacts/credential material (SR-1 / `a2a-integration.md` trust boundary) — artifacts project to A2A `Artifact`s over the A2A transport, not into this record.",
+  "type": "object",
+  "additionalProperties": false,
+  "required": ["taskId", "runId", "state", "updatedAt"],
+  "properties": {
+    "taskId": {
+      "type": "string",
+      "minLength": 1,
+      "description": "The A2A Task.id. MUST equal the backing OpenWOP `runId` (a2a-integration.md §2 — 'the returned runId becomes the A2A Task.id')."
+    },
+    "runId": {
+      "type": "string",
+      "minLength": 1,
+      "description": "The backing OpenWOP run. Bound 1:1 to `taskId`."
+    },
+    "contextId": {
+      "type": "string",
+      "description": "The A2A context_id (carried as the run tag `a2a:ctx_*` per a2a-integration.md §2)."
+    },
+    "state": {
+      "type": "string",
+      "enum": ["submitted", "working", "input-required", "auth-required", "completed", "failed", "canceled", "rejected"],
+      "description": "The A2A 0.3 JSON-RPC wire form (lowercase-hyphen — a2a-integration.md §'Wire-shape spelling drift'). Projected from `run.status` per a2a-integration.md §'State projection (forward)': pending→submitted, running→working, paused→working, waiting-approval/waiting-input→input-required, completed→completed, failed→failed, cancelled→canceled. `auth-required` is carried for reverse-direction fidelity only; the forward projection never sets it (openwop has no native auth interrupt — a2a-integration.md drift point #3)."
+    },
+    "interruptKind": {
+      "type": "string",
+      "enum": ["approval", "clarification"],
+      "description": "Present iff `state == 'input-required'`. Disambiguates a2a-integration.md drift point #2 (both approval + clarification project to INPUT_REQUIRED) — carried in `Task.metadata.openwop.interrupt.kind`, the `metadata.openwop.*` shape the doc's Future-work asks to codify."
+    },
+    "updatedAt": {
+      "type": "string",
+      "format": "date-time",
+      "description": "When the projected state last changed."
+    },
+    "pushConfig": { "$ref": "#/$defs/PushConfig" }
+  },
+  "$defs": {
+    "PushConfig": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": ["url"],
+      "description": "RFC 0100 §4. A caller-registered A2A push-notification config for this Task.",
+      "properties": {
+        "url": {
+          "type": "string",
+          "format": "uri",
+          "description": "Caller-registered push target. The host MUST validate it through the RFC 0093 webhook-egress SSRF guard before any push (no private/loopback/link-local target) — SECURITY invariant `a2a-push-egress-ssrf`."
+        },
+        "tokenFingerprint": {
+          "type": "string",
+          "maxLength": 32,
+          "description": "MAY — a truncated/salted digest of the caller's push-auth token (NEVER the raw token; same SR-1 rule as RFC 0083's `secretFingerprint`). The A2A push HMAC details (A2A §4.3.3) stay inside the A2A layer per a2a-integration.md."
+        }
+      }
+    }
+  },
+  "examples": [
+    {
+      "taskId": "run_x",
+      "runId": "run_x",
+      "contextId": "ctx_42",
+      "state": "input-required",
+      "interruptKind": "approval",
+      "updatedAt": "2026-06-13T19:00:00Z",
+      "pushConfig": { "url": "https://caller.example.com/a2a/push", "tokenFingerprint": "a1b2c3d4e5f6" }
+    },
+    {
+      "taskId": "run_y",
+      "runId": "run_y",
+      "state": "completed",
+      "updatedAt": "2026-06-13T19:05:00Z"
+    }
+  ]
+}

package/schemas/capabilities.schema.json

@@ -1514,7 +1514,31 @@
             "backoff": { "type": "string", "enum": ["none", "fixed", "exponential"], "description": "Backoff strategy between attempts." }
           }
         },
-        "sources": { "type": "array", "uniqueItems": true, "items": { "type": "string", "enum": ["webhook", "schedule", "queue", "email", "form"] }, "description": "Which trigger sources bridge uniformly. A source listed here MUST have a registerable `TriggerSubscription` driven through the four-state machine AND emit the two `trigger.*` events for that source — the list MUST NOT over-claim a source the host has as a feature but does not wire as a durable trigger subscription. A consumer MUST tolerate any subset." }
+        "sources": { "type": "array", "uniqueItems": true, "items": { "type": "string", "enum": ["webhook", "schedule", "queue", "email", "form"] }, "description": "Which trigger sources bridge uniformly. A source listed here MUST have a registerable `TriggerSubscription` driven through the four-state machine AND emit the two `trigger.*` events for that source — the list MUST NOT over-claim a source the host has as a feature but does not wire as a durable trigger subscription. A consumer MUST tolerate any subset." },
+        "ingestion": {
+          "type": "object",
+          "additionalProperties": false,
+          "description": "RFC 0099 §F.3 (additive). External-event ingestion advertisement — which of `sources[]` the host actually ingests from EXTERNALLY-originated events (`webhook`/`email`/`form`), normalizing each to a `TriggerEvent` (`trigger-event.schema.json`) and starting a run. Absent ⇒ the host does NOT externally-ingest (today's behavior — schedule/queue only). A source in `externalSources[]` MUST actually accept an external event, normalize it, and start a run — over-claiming is a dishonest advertisement. A consumer MUST tolerate any subset.",
+          "properties": {
+            "externalSources": { "type": "array", "uniqueItems": true, "items": { "type": "string", "enum": ["webhook", "email", "form"] }, "description": "Which of `sources[]` are EXTERNALLY ingested per RFC 0099. The honesty gate — each MUST normalize to a `TriggerEvent` and start a run." },
+            "maxBodyBytes": { "type": "integer", "minimum": 1, "description": "Inbound body cap (webhook body / email / form), reusing the RFC 0076 §B response-cap discipline." },
+            "verification": { "type": "array", "uniqueItems": true, "items": { "type": "string", "enum": ["webhook-signature", "email-dmarc", "form-origin"] }, "description": "Which source-authenticity checks the host performs. An advertised check MUST actually be performed (RFC 0099 §F.3 / UQ1)." },
+            "registrationEndpoint": { "type": "boolean", "description": "`true` ⇒ the host serves `POST /v1/trigger-subscriptions` (RFC 0099 §F.2) for portable external-event subscription creation." }
+          }
+        }
+      }
+    },
+    "a2a": {
+      "type": "object",
+      "additionalProperties": false,
+      "description": "RFC 0100 (`Active`). The host exposes itself as an A2A (Agent2Agent) agent. `supported: true` alone ⇒ the SYNCHRONOUS `message/send` → poll `tasks/get` round-trip already specified by `a2a-integration.md` (today's behavior — no regression). The optional `streaming`/`pushNotifications`/`durableTasks` flags gate the RFC 0100 async/durable additions (resubscribe re-attach, push config, persisted `A2ATaskState` so `tasks/get` returns live state after disconnect). Absent block ⇒ no A2A advertisement.",
+      "required": ["supported", "agentCardUrl"],
+      "properties": {
+        "supported": { "type": "boolean", "description": "Host exposes itself as an A2A agent." },
+        "agentCardUrl": { "type": "string", "format": "uri", "description": "The A2A 0.3 well-known agent card URL (`/.well-known/agent-card.json`)." },
+        "streaming": { "type": "boolean", "description": "Host supports `message/stream` + `tasks/resubscribe` (A2A `capabilities.streaming`). Gates the RFC 0100 §3 resubscribe re-attach." },
+        "pushNotifications": { "type": "boolean", "description": "Host supports A2A push-notification config (A2A `capabilities.push_notifications`). Gates the RFC 0100 §4 push contract; a caller-supplied `pushConfig.url` is SSRF-validated (`a2a-push-egress-ssrf`)." },
+        "durableTasks": { "type": "boolean", "description": "RFC 0100 §2. Host PERSISTS the projected Task (`A2ATaskState`) per backing run; `tasks/get` returns live state after disconnect. Absent/false ⇒ synchronous round-trip only." }
       }
     },
     "budget": {

package/schemas/envelopes/ui.a2ui-surface.schema.json

@@ -0,0 +1,154 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://openwop.dev/spec/v1/envelopes/ui.a2ui-surface.schema.json",
+  "title": "UiA2uiSurfacePayload",
+  "description": "Payload for the OPTIONAL, advertised `ui.a2ui-surface` AI Envelope kind (RFC 0102). Carries a declarative A2UI interface surface — a closed component tree the consumer renders with native widgets, routing user actions back to the producing agent WITHOUT executing any agent-supplied code. `ui.*` is a core, un-namespaced content-primitive family beside `media.*` (ai-envelope.md §\"A2UI surfaces\" / §\"Vendor-namespaced kinds\"). Not one of the four MUST-recognize universal kinds; an unrecognizing consumer falls back to store-without-render.",
+  "type": "object",
+  "required": ["catalogVersion", "surface"],
+  "additionalProperties": false,
+  "properties": {
+    "reasoning": {
+      "type": "string",
+      "description": "OPTIONAL per RFC 0030 §A — the model's reasoning, conventionally the first property of a kind whose payload benefits from multi-step composition."
+    },
+    "catalogVersion": {
+      "type": "string",
+      "enum": ["0.9.1"],
+      "description": "REQUIRED — the A2UI catalog version the surface targets. This enum IS the host's supported-version set (ai-envelope.md §\"A2UI surfaces\"); it is never a free string the producer invents. A consumer MUST refuse an unknown/higher version with `unknown_schema_version`. Pinning the version in the payload keeps `:fork`/replay deterministic after the external A2UI standard ships a breaking version."
+    },
+    "surface": {
+      "$ref": "#/$defs/surface",
+      "description": "REQUIRED — the A2UI surface document: a closed component tree (ai-envelope.md §\"A2UI surfaces\"). Self-contained: renderable from the payload alone, never a live reference into an external catalog."
+    }
+  },
+  "$defs": {
+    "surface": {
+      "type": "object",
+      "required": ["components"],
+      "additionalProperties": false,
+      "properties": {
+        "title": {
+          "type": "string",
+          "description": "OPTIONAL display title for the surface."
+        },
+        "components": {
+          "type": "array",
+          "description": "The flat, ordered component list. Each element is one of the host's day-1 catalog components, discriminated by the single-string-enum `component` field. `anyOf` (not `oneOf`) per ai-envelope.md §\"Schema discipline\".",
+          "items": { "$ref": "#/$defs/component" }
+        }
+      }
+    },
+    "component": {
+      "description": "A single A2UI component. Closed set (day-1 catalog 0.9.1); the `component` discriminator is a single-string-enum per branch.",
+      "anyOf": [
+        { "$ref": "#/$defs/heading" },
+        { "$ref": "#/$defs/text" },
+        { "$ref": "#/$defs/fieldText" },
+        { "$ref": "#/$defs/fieldDate" },
+        { "$ref": "#/$defs/fieldSelect" },
+        { "$ref": "#/$defs/fieldCheckbox" },
+        { "$ref": "#/$defs/actionButton" }
+      ]
+    },
+    "heading": {
+      "type": "object",
+      "required": ["component", "text"],
+      "additionalProperties": false,
+      "properties": {
+        "component": { "type": "string", "enum": ["heading"] },
+        "text": { "type": "string" },
+        "level": { "type": "integer", "minimum": 1, "maximum": 6 }
+      }
+    },
+    "text": {
+      "type": "object",
+      "required": ["component", "text"],
+      "additionalProperties": false,
+      "properties": {
+        "component": { "type": "string", "enum": ["text"] },
+        "text": { "type": "string" }
+      }
+    },
+    "fieldText": {
+      "type": "object",
+      "required": ["component", "id", "label"],
+      "additionalProperties": false,
+      "properties": {
+        "component": { "type": "string", "enum": ["field.text"] },
+        "id": { "type": "string", "description": "Binding key; the collected value is keyed by `id` in the resume value." },
+        "label": { "type": "string" },
+        "placeholder": { "type": "string" },
+        "required": { "type": "boolean" }
+      }
+    },
+    "fieldDate": {
+      "type": "object",
+      "required": ["component", "id", "label"],
+      "additionalProperties": false,
+      "properties": {
+        "component": { "type": "string", "enum": ["field.date"] },
+        "id": { "type": "string" },
+        "label": { "type": "string" },
+        "required": { "type": "boolean" }
+      }
+    },
+    "fieldSelect": {
+      "type": "object",
+      "required": ["component", "id", "label", "options"],
+      "additionalProperties": false,
+      "properties": {
+        "component": { "type": "string", "enum": ["field.select"] },
+        "id": { "type": "string" },
+        "label": { "type": "string" },
+        "required": { "type": "boolean" },
+        "options": {
+          "type": "array",
+          "minItems": 1,
+          "items": {
+            "type": "object",
+            "required": ["value", "label"],
+            "additionalProperties": false,
+            "properties": {
+              "value": { "type": "string" },
+              "label": { "type": "string" }
+            }
+          }
+        }
+      }
+    },
+    "fieldCheckbox": {
+      "type": "object",
+      "required": ["component", "id", "label"],
+      "additionalProperties": false,
+      "properties": {
+        "component": { "type": "string", "enum": ["field.checkbox"] },
+        "id": { "type": "string" },
+        "label": { "type": "string" },
+        "default": { "type": "boolean" }
+      }
+    },
+    "actionButton": {
+      "type": "object",
+      "required": ["component", "id", "label", "action"],
+      "additionalProperties": false,
+      "properties": {
+        "component": { "type": "string", "enum": ["action.button"] },
+        "id": { "type": "string" },
+        "label": { "type": "string" },
+        "action": {
+          "type": "object",
+          "required": ["target"],
+          "additionalProperties": false,
+          "description": "Confined action (ai-envelope.md §\"A2UI surfaces\" rule 2). `target` resolves to exactly one host-allowlisted destination — a run interrupt resume or a conversation exchange — never an arbitrary URL, endpoint, or network egress. Enforced by the `a2ui-action-confinement` + `a2ui-surface-no-network-egress` SECURITY invariants.",
+          "properties": {
+            "target": {
+              "type": "string",
+              "enum": ["resume", "exchange"],
+              "description": "`resume` → the collected field values become the interrupt `resumeValue` (interrupt.md). `exchange` → the values become a conversation exchange message (RFC 0005)."
+            }
+          }
+        }
+      }
+    }
+  }
+}

package/schemas/trigger-event.schema.json

@@ -0,0 +1,149 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://openwop.dev/spec/v1/trigger-event.schema.json",
+  "title": "TriggerEvent",
+  "description": "RFC 0099 §F.1. The normalized external-event envelope a host hands a started run as `ctx.triggerData` when an externally-originated event (`webhook`/`email`/`form`) is delivered to an `active` TriggerSubscription (RFC 0083). This is an IN-RUN payload only — it never appears on the durable event log; the `trigger.delivery.attempted` event stays content-free (RFC 0083 §C / SECURITY `trigger-ingestion-content-redaction`). A TriggerEvent carries exactly the per-source sub-object matching its `source`. All content is `untrusted` (SECURITY `threat-model-prompt-injection.md`).",
+  "type": "object",
+  "additionalProperties": false,
+  "required": ["source", "subscriptionId", "deliveryId", "receivedAt"],
+  "properties": {
+    "source": {
+      "type": "string",
+      "enum": ["webhook", "email", "form"],
+      "description": "Which external source originated the event. A TriggerEvent MUST carry exactly the per-source sub-object matching this value and MUST NOT carry the others (RFC 0099 §F.1)."
+    },
+    "subscriptionId": {
+      "type": "string",
+      "minLength": 1,
+      "description": "The RFC 0083 §B subscription this event was delivered to."
+    },
+    "deliveryId": {
+      "type": "string",
+      "minLength": 1,
+      "description": "Stable per-delivery id; equals the `causationId` stamped on `run.started` (RFC 0083 §C-3 / RFC 0040)."
+    },
+    "dedupKey": {
+      "type": "string",
+      "description": "The host-opaque dedup key (RFC 0083 §C-1). Present iff the subscription's `dedupEnabled`. MUST NOT embed inbound body/header content in cleartext (SECURITY `trigger-ingestion-content-redaction`)."
+    },
+    "receivedAt": {
+      "type": "string",
+      "format": "date-time",
+      "description": "When the host received the external event."
+    },
+    "verified": {
+      "type": "boolean",
+      "description": "Whether the host verified the source's authenticity (webhook signature / email DMARC / form CSRF+origin) before delivery per the subscription's `verification` policy (RFC 0099 §F.2). A run MUST be able to gate on this."
+    },
+    "contentTrust": {
+      "type": "string",
+      "enum": ["untrusted"],
+      "description": "Always `untrusted`. Inbound external content reaching an LLM node MUST be wrapped per `threat-model-prompt-injection.md` §UNTRUSTED; a TriggerEvent MUST NOT directly advance a HITL approval gate (the `prompt-injection-mcp-no-approval` invariant generalizes)."
+    },
+    "webhook": { "$ref": "#/$defs/WebhookEvent" },
+    "email": { "$ref": "#/$defs/EmailEvent" },
+    "form": { "$ref": "#/$defs/FormEvent" }
+  },
+  "allOf": [
+    {
+      "description": "RFC 0099 §F.1 — a TriggerEvent MUST carry exactly the per-source sub-object matching its `source` and MUST NOT carry the others.",
+      "if": { "properties": { "source": { "const": "webhook" } } },
+      "then": { "not": { "anyOf": [{ "required": ["email"] }, { "required": ["form"] }] } }
+    },
+    {
+      "if": { "properties": { "source": { "const": "email" } } },
+      "then": { "not": { "anyOf": [{ "required": ["webhook"] }, { "required": ["form"] }] } }
+    },
+    {
+      "if": { "properties": { "source": { "const": "form" } } },
+      "then": { "not": { "anyOf": [{ "required": ["webhook"] }, { "required": ["email"] }] } }
+    }
+  ],
+  "$defs": {
+    "WebhookEvent": {
+      "type": "object",
+      "additionalProperties": false,
+      "description": "Present iff `source == \"webhook\"`.",
+      "properties": {
+        "method": { "type": "string", "enum": ["POST", "PUT", "PATCH"] },
+        "headers": {
+          "type": "object",
+          "additionalProperties": { "type": "string" },
+          "description": "Host-allowlisted headers only — a host MUST NOT pass through `Authorization`, `Cookie`, `Proxy-Authorization`, or any header carrying credential material (RFC 0099 §F.1 / SECURITY `trigger-ingestion-content-redaction`)."
+        },
+        "body": {
+          "description": "The parsed JSON body, or a string for non-JSON. Bounded by `triggerBridge.ingestion.maxBodyBytes`."
+        }
+      }
+    },
+    "EmailEvent": {
+      "type": "object",
+      "additionalProperties": false,
+      "description": "Present iff `source == \"email\"`.",
+      "properties": {
+        "from": { "type": "string" },
+        "to": { "type": "array", "items": { "type": "string" } },
+        "subject": { "type": "string" },
+        "text": { "type": "string" },
+        "html": { "type": "string" },
+        "attachments": { "type": "array", "items": { "$ref": "#/$defs/AttachmentRef" } }
+      }
+    },
+    "FormEvent": {
+      "type": "object",
+      "additionalProperties": false,
+      "description": "Present iff `source == \"form\"`.",
+      "properties": {
+        "fields": { "type": "object", "additionalProperties": true, "description": "The submitted field map." },
+        "files": { "type": "array", "items": { "$ref": "#/$defs/AttachmentRef" } }
+      }
+    },
+    "AttachmentRef": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": ["ref"],
+      "description": "A host-internal opaque handle to a resolved attachment/upload — NEVER a raw external URL the run is expected to fetch itself (RFC 0099 §F.1/§F.4). The host resolves and ingests attachments through its SSRF guard (SECURITY `trigger-ingestion-ssrf`), then hands the run an internal ref.",
+      "properties": {
+        "ref": {
+          "type": "string",
+          "minLength": 1,
+          "description": "A host-internal opaque handle (e.g. a `host.blobStorage` key)."
+        },
+        "filename": { "type": "string" },
+        "mediaType": { "type": "string" },
+        "bytes": { "type": "integer", "minimum": 0 }
+      }
+    }
+  },
+  "examples": [
+    {
+      "source": "email",
+      "subscriptionId": "sub_7",
+      "deliveryId": "dlv_a1b2",
+      "dedupKey": "msgid:abc@in.example.com",
+      "receivedAt": "2026-06-13T18:04:11Z",
+      "verified": true,
+      "contentTrust": "untrusted",
+      "email": {
+        "from": "customer@example.org",
+        "to": ["triage-support+sub_7@in.example.com"],
+        "subject": "Cannot log in",
+        "text": "I keep getting a 403.",
+        "attachments": [{ "ref": "blob_a1", "filename": "screenshot.png", "mediaType": "image/png", "bytes": 20481 }]
+      }
+    },
+    {
+      "source": "webhook",
+      "subscriptionId": "sub_9",
+      "deliveryId": "dlv_c3d4",
+      "receivedAt": "2026-06-13T18:10:00Z",
+      "verified": true,
+      "contentTrust": "untrusted",
+      "webhook": {
+        "method": "POST",
+        "headers": { "X-Event-Type": "issue.created" },
+        "body": { "issue": { "id": 42, "title": "Bug" } }
+      }
+    }
+  ]
+}

package/schemas/trigger-subscription-registration.schema.json

@@ -0,0 +1,67 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://openwop.dev/spec/v1/trigger-subscription-registration.schema.json",
+  "title": "TriggerSubscriptionRegistration",
+  "description": "RFC 0099 §F.2. The portable create request for an external-event trigger subscription, served by `POST /v1/trigger-subscriptions`. Binds an external source (`webhook`/`email`/`form`) to a Workflow to start, with a dedup config and a source-authenticity verification policy. This is the unified create surface RFC 0083 UQ1 left per-source. The response returns the created `TriggerSubscription` (RFC 0083 §B) plus a source-specific `binding`; the binding secret/URL is returned ONCE at creation and is not re-fetchable in cleartext (SR-1).",
+  "type": "object",
+  "additionalProperties": false,
+  "required": ["source", "workflowId"],
+  "properties": {
+    "source": {
+      "type": "string",
+      "enum": ["webhook", "email", "form"],
+      "description": "The external source this subscription ingests. MUST appear in the host's `capabilities.triggerBridge.ingestion.externalSources[]`."
+    },
+    "workflowId": {
+      "type": "string",
+      "minLength": 1,
+      "description": "The Workflow a delivered event starts (the run's `workflowId`). MUST resolve under the caller's RFC 0048 owner triple — a registration MUST NOT bind a workflow the caller cannot start (RFC 0049 scope check)."
+    },
+    "dedupEnabled": {
+      "type": "boolean",
+      "default": true,
+      "description": "Per RFC 0083 §C-1. Defaults true for external sources — at-least-once inbound delivery without dedup is a footgun."
+    },
+    "retryPolicy": {
+      "type": "object",
+      "additionalProperties": false,
+      "description": "Delivery retry policy (RFC 0083 §C-2). Same shape as `trigger-subscription.schema.json#/properties/retryPolicy`. On exhaustion the delivery transitions to `dead-lettered` (RFC 0053).",
+      "properties": {
+        "maxAttempts": { "type": "integer", "minimum": 1, "description": "Maximum delivery attempts before dead-lettering." },
+        "backoff": { "type": "string", "enum": ["none", "fixed", "exponential"], "description": "Backoff strategy between attempts." }
+      }
+    },
+    "verification": {
+      "type": "object",
+      "additionalProperties": false,
+      "description": "Source-authenticity policy. The host MUST verify per this policy BEFORE delivery and stamp `TriggerEvent.verified`; an event failing a `required` verification MUST NOT start a run (it transitions `trigger.delivery.attempted{outcome:'dead-lettered'}` with `trigger.subscription.state.changed.reason:'signature-invalid'`).",
+      "properties": {
+        "mode": {
+          "type": "string",
+          "enum": ["required", "best-effort", "none"],
+          "default": "required",
+          "description": "`required`: an unverified event is dead-lettered, no run. `best-effort`: the host verifies when it can and stamps `verified` accordingly but still delivers. `none`: no verification."
+        }
+      }
+    },
+    "inputMapping": {
+      "type": "object",
+      "additionalProperties": true,
+      "description": "OPTIONAL host-extension hint mapping `TriggerEvent` fields onto the workflow's `inputs`. Non-normative shape (host-specific); absent ⇒ the run receives the whole `TriggerEvent` as `ctx.triggerData`."
+    }
+  },
+  "examples": [
+    {
+      "source": "email",
+      "workflowId": "triage-support",
+      "dedupEnabled": true,
+      "verification": { "mode": "required" }
+    },
+    {
+      "source": "webhook",
+      "workflowId": "ingest-jira-issue",
+      "verification": { "mode": "required" },
+      "retryPolicy": { "maxAttempts": 5, "backoff": "exponential" }
+    }
+  ]
+}

package/src/lib/profiles.ts

@@ -236,15 +236,18 @@ export function isMemory(c: DiscoveryPayload): boolean {
 }
 
 /**
- * `openwop-trigger-bridge` predicate (RFC 0083). Host composes the durable
- * inbound-work contract: advertises the `triggerBridge`, has a `deadLetter`
- * sink for exhausted deliveries, and has at least one durable inbound source
- * (queue bus, durable webhooks, or scheduling). Capability families are
+ * `openwop-trigger-bridge` predicate (RFC 0083, widened by RFC 0099). Host
+ * composes the durable inbound-work contract: advertises the `triggerBridge`,
+ * has a `deadLetter` sink for exhausted deliveries, and has at least one
+ * durable inbound source (queue bus, durable webhooks, scheduling, OR — per
+ * RFC 0099 — externally-ingested `email`/`form` via
+ * `triggerBridge.ingestion.externalSources[]`). Capability families are
  * document-root properties (RFC 0073), so this reads `c.triggerBridge` /
- * `c.deadLetter` / `c.queueBus` / `c.webhooks` / `c.scheduling`.
+ * `c.deadLetter` / `c.queueBus` / `c.webhooks` / `c.scheduling`. The RFC 0099
+ * widening only ADDS disjuncts — a host already in the profile stays in it.
  *
  * @see spec/v1/profiles.md §`openwop-trigger-bridge`
- * @see spec/v1/trigger-bridge.md
+ * @see spec/v1/trigger-bridge.md §D / §F
  */
 export function isTriggerBridge(c: DiscoveryPayload): boolean {
   if (!isCore(c)) return false;
@@ -253,10 +256,16 @@ export function isTriggerBridge(c: DiscoveryPayload): boolean {
   if (!supported(c.triggerBridge)) return false;
   if (!supported(c.deadLetter)) return false;
   const webhooks = c.webhooks as { durable?: unknown } | undefined;
+  // RFC 0099: an externally-ingested email/form source is a durable inbound
+  // source for the profile (it rides the same four-state machine + dead-letter).
+  const ingestion = (c.triggerBridge as { ingestion?: { externalSources?: unknown } } | undefined)?.ingestion;
+  const externalSources = Array.isArray(ingestion?.externalSources) ? (ingestion!.externalSources as unknown[]) : [];
+  const externalEmailOrForm = externalSources.includes('email') || externalSources.includes('form');
   const durableSource =
     supported(c.queueBus) ||
     supported(c.scheduling) ||
-    (webhooks != null && typeof webhooks === 'object' && webhooks.durable === true);
+    (webhooks != null && typeof webhooks === 'object' && webhooks.durable === true) ||
+    externalEmailOrForm;
   return durableSource;
 }