@openwop/openwop-conformance 1.6.1 → 1.11.0

package/schemas/run-event-payloads.schema.json

@@ -2,7 +2,7 @@
   "$schema": "https://json-schema.org/draft/2020-12/schema",
   "$id": "https://openwop.dev/spec/v1/run-event-payloads.schema.json",
   "title": "RunEventPayloads",
-  "description": "Per-RunEventType payload schemas. The base RunEventDoc shape (run-event.schema.json) leaves `payload` permissive for forward-compat. This schema defines the canonical payload contract for each known RunEventType. Consumers MAY pin strict payload validation via `$defs.<typeId>` and `ajv.validate(schema.$defs[event.type], event.payload)`. Unknown event types MUST be tolerated (no $defs match → fold best-effort).\n\n71 variants from `run-event.schema.json#$defs.RunEventType` are covered, grouped into ~20 shape families with shared $defs. Naming convention: camelCase keys mirror dotted RunEventType names (e.g., `run.started` → `runStarted`).",
+  "description": "Per-RunEventType payload schemas. The base RunEventDoc shape (run-event.schema.json) leaves `payload` permissive for forward-compat. This schema defines the canonical payload contract for each known RunEventType. Consumers MAY pin strict payload validation via `$defs.<typeId>` and `ajv.validate(schema.$defs[event.type], event.payload)`. Unknown event types MUST be tolerated (no $defs match → fold best-effort).\n\n94 variants from `run-event.schema.json#$defs.RunEventType` are covered, grouped into ~20 shape families with shared $defs. Naming convention: camelCase keys mirror dotted RunEventType names (e.g., `run.started` → `runStarted`).",
   "type": "object",
   "$defs": {
     "_typeIndex": {
@@ -76,11 +76,34 @@
         "conversation.exchanged":    { "$ref": "#/$defs/conversationExchanged" },
         "conversation.closed":       { "$ref": "#/$defs/conversationClosed" },
         "memory.compacted":          { "$ref": "#/$defs/memoryCompacted" },
+        "memory.written":            { "$ref": "#/$defs/memoryWritten" },
+        "agent.memory.consolidated": { "$ref": "#/$defs/agentMemoryConsolidated" },
+        "commitment.fired":          { "$ref": "#/$defs/commitmentFired" },
+        "agent.invocation.started":  { "$ref": "#/$defs/agentInvocationStarted" },
+        "agent.invocation.completed":{ "$ref": "#/$defs/agentInvocationCompleted" },
+        "workspace.updated":         { "$ref": "#/$defs/workspaceUpdated" },
         "core.workflowChain.event":  { "$ref": "#/$defs/coreWorkflowChainEvent" },
         "core.workflowChain.confidence-escalated": { "$ref": "#/$defs/coreWorkflowChainConfidenceEscalated" },
         "connector.authorized":      { "$ref": "#/$defs/connectorAuthorized" },
         "connector.auth_expired":    { "$ref": "#/$defs/connectorAuthExpired" },
-        "authorization.decided":     { "$ref": "#/$defs/authorizationDecided" }
+        "authorization.decided":     { "$ref": "#/$defs/authorizationDecided" },
+        "eval.started":              { "$ref": "#/$defs/evalStarted" },
+        "eval.scored":               { "$ref": "#/$defs/evalScored" },
+        "eval.completed":            { "$ref": "#/$defs/evalCompleted" },
+        "deployment.promoted":       { "$ref": "#/$defs/deploymentPromoted" },
+        "deployment.rolled-back":    { "$ref": "#/$defs/deploymentRolledBack" },
+        "deployment.canary.adjusted":{ "$ref": "#/$defs/deploymentCanaryAdjusted" },
+        "deployment.state.changed":  { "$ref": "#/$defs/deploymentStateChanged" },
+        "roster.run.initiated":      { "$ref": "#/$defs/rosterRunInitiated" },
+        "tool.session.opened":       { "$ref": "#/$defs/toolSessionOpened" },
+        "tool.session.closed":       { "$ref": "#/$defs/toolSessionClosed" },
+        "egress.decided":            { "$ref": "#/$defs/egressDecided" },
+        "trigger.subscription.state.changed": { "$ref": "#/$defs/triggerSubscriptionStateChanged" },
+        "trigger.delivery.attempted":         { "$ref": "#/$defs/triggerDeliveryAttempted" },
+        "budget.reserved":           { "$ref": "#/$defs/budgetReserved" },
+        "budget.consumed":           { "$ref": "#/$defs/budgetConsumed" },
+        "budget.threshold.crossed":  { "$ref": "#/$defs/budgetThresholdCrossed" },
+        "budget.exhausted":          { "$ref": "#/$defs/budgetExhausted" }
       }
     },
 
@@ -161,6 +184,24 @@
           "items": { "type": "string" },
           "description": "On phase `output.harvested`: which parent-variable keys were populated by the dispatch config's outputMapping per RFC 0022 §A. SHOULD be present; conformance asserts presence when outputMapping is non-empty."
         },
+        "attestation": {
+          "type": "object",
+          "description": "RFC 0063 (when `capabilities.agents.subRunAttestation: true` AND the `core.subWorkflow` node sets `outputAttestation.checksum: true`). A content checksum over the child's harvested output object, computed BEFORE `outputMapping` is applied so the parent (or a downstream node) can verify integrity — host-independent because the recipe is RFC 8785 JCS canonicalization + SHA-256 (the `replay.md` recipe, RFC 0041), enabling verification of a child that ran on a different host (RFC 0040). Advisory: the host does NOT itself reject on checksum mismatch; that is parent policy.",
+          "additionalProperties": false,
+          "required": ["checksum", "algorithm"],
+          "properties": {
+            "checksum": {
+              "type": "string",
+              "minLength": 1,
+              "description": "Lowercase hex digest of the canonicalized harvested-output object. Content-free: a hash, never the outputs themselves."
+            },
+            "algorithm": {
+              "type": "string",
+              "enum": ["sha256"],
+              "description": "Hash algorithm. `sha256` is the only v1 value; the enum reserves the axis for a future agility migration without a wire-shape break."
+            }
+          }
+        },
         "error": {
           "$ref": "#/$defs/_errorObject",
           "description": "On phases `dispatch.failed` / `child.failed` / `child.cancelled`: the canonical error envelope."
@@ -585,7 +626,9 @@
         "artifactType": { "type": "string", "minLength": 1 },
         "nodeId":       { "type": "string" },
         "version":      { "type": "string" },
-        "summary":      { "type": "string" }
+        "summary":      { "type": "string" },
+        "registered":   { "type": "boolean", "description": "RFC 0071. True when `artifactType` resolves to a registered artifact type (pack- or host-registered) and the payload was validated against its schema; false for unregistered/host-local types accepted without schema validation. Optional; absent ⇒ treat as true, preserving pre-RFC-0071 semantics. See artifact-type-packs.md §\"Binding the existing artifact surfaces\"." },
+        "registrationSource": { "type": "string", "enum": ["pack", "host"], "description": "RFC 0075. Provenance of a registered type: `pack` (matches an installed artifact-type pack) or `host` (a host-native type the host validates against a host-known schema, independent of any pack — e.g. an AI host's built-in artifact types). Optional; meaningful only when `registered: true`. Absent ⇒ unspecified provenance (existing semantics)." }
       },
       "additionalProperties": true
     },
@@ -717,10 +760,10 @@
 
     "capBreached": {
       "type": "object",
-      "description": "Emitted when a CapabilityLimit is exceeded. Protocol-level limits use the four engine kinds (clarificationRounds / schemaRounds / envelopesPerTurn / maxNodeExecutions). RFC 0008 §K WASM-runtime caps use the wasm-* kinds (memory ceiling, fuel exhaustion, execution-time wall-clock).",
+      "description": "Emitted when a CapabilityLimit is exceeded. Protocol-level limits use the engine kinds (clarificationRounds / schemaRounds / envelopesPerTurn / maxNodeExecutions). RFC 0008 §K WASM-runtime caps use the wasm-* kinds (memory ceiling, fuel exhaustion, execution-time wall-clock). RFC 0058 run-execution bounds use the run-scoped run-duration (wall-clock timeout; limit=resolvedMs, observed=elapsedMs) and loop-iterations (agent-loop ceiling; limit=resolvedMax, observed=iterationCount) kinds.",
       "required": ["kind", "limit", "observed"],
       "properties": {
-        "kind":     { "type": "string", "enum": ["clarification", "schema", "envelopes", "node-executions", "wasm-memory", "wasm-fuel", "wasm-execution-time"] },
+        "kind":     { "type": "string", "enum": ["clarification", "schema", "envelopes", "node-executions", "wasm-memory", "wasm-fuel", "wasm-execution-time", "run-duration", "loop-iterations", "budget-tokens", "budget-cost", "budget-tool-calls", "budget-retries"] },
         "limit":    { "type": "integer", "minimum": 0 },
         "observed": { "type": "integer", "minimum": 0 },
         "nodeId":   { "type": "string" }
@@ -1160,6 +1203,9 @@
         "toolName":  { "type": "string", "minLength": 1, "description": "Tool identifier (typically a node-pack typeId or function name)." },
         "callId":    { "type": "string", "minLength": 1, "description": "Unique correlation id linking this call to the subsequent `agent.toolReturned`. Hosts SHOULD use UUIDs or content-addressable hashes." },
         "inputs":    { "description": "Tool inputs. Shape is tool-specific; consumers MUST NOT assume an object." },
+        "argsHash":  { "type": "string", "description": "RFC 0064 (when `capabilities.toolHooks.prePostEvents`). SHA-256 over RFC 8785 JCS-canonicalized args with resolved secrets already redacted (SR-1) — the SIEM-safe, content-free alternative to `inputs`. Raw key material MUST NOT enter the hash input." },
+        "principal": { "type": "string", "description": "RFC 0064. RFC 0048 principal id the call is attributed to (`core.system` for non-agent host egress)." },
+        "transport": { "type": "string", "enum": ["mcp", "http", "native"], "description": "RFC 0064. How the tool was reached." },
         "causationHostId": { "type": "string", "minLength": 1, "description": "RFC 0040 §A — optional cross-host causation pointer. Present + non-empty when this event's `causationId` points at an event on a DIFFERENT host; absent when same-host. MUST equal the originating host's `crossHostCausation.hostId`." }
       },
       "additionalProperties": true
@@ -1175,6 +1221,8 @@
         "callId":    { "type": "string", "minLength": 1 },
         "outcome":   { "description": "Tool result. Discriminated by host on success vs error; payload shape is tool-specific." },
         "error":     { "$ref": "#/$defs/_errorObject", "description": "Set on tool-execution failure. Mutually exclusive with `outcome`." },
+        "status":     { "type": "string", "enum": ["ok", "error", "forbidden", "rate_limited"], "description": "RFC 0064 (when `capabilities.toolHooks.prePostEvents`). Tool-hooks outcome. `forbidden`/`rate_limited` mean the tool was never invoked (per-tool authz / rate-limit gate)." },
+        "durationMs": { "type": "integer", "minimum": 0, "description": "RFC 0064. Wall-clock tool duration; recorded in the event and re-emitted verbatim on replay/`:fork` (MUST NOT be recomputed from a clock, per `replay.md`). Absent when the call never started (`forbidden`/`rate_limited`)." },
         "causationHostId": { "type": "string", "minLength": 1, "description": "RFC 0040 §A — optional cross-host causation pointer. Present + non-empty when this event's `causationId` points at an event on a DIFFERENT host; absent when same-host. MUST equal the originating host's `crossHostCausation.hostId`." }
       },
       "additionalProperties": true
@@ -1213,6 +1261,7 @@
       "properties": {
         "agentId":  { "type": "string", "minLength": 3, "maxLength": 256, "description": "AgentRef.agentId of the orchestrator. MUST equal `RunSnapshot.runOrchestrator.agentId` for the run's lifetime — orchestrator identity is set at first decision and does not change." },
         "decision": { "$ref": "orchestrator-decision.schema.json" },
+        "iteration": { "type": "integer", "minimum": 1, "description": "RFC 0061 (`multiAgent.executionModel.version >= 5`). 1-based, monotonic count of orchestrator turns in this run — the observable loop-iteration counter that `maxLoopIterations` (RFC 0058) bounds; a breach emits `cap.breached { kind: 'loop-iterations', observed: <this+1> }`. A `version >= 5` host MUST set it on every `runOrchestrator.decided`, incrementing by exactly 1 per turn and surviving a stateful HITL resume unchanged. Recorded in the event and re-emitted verbatim on replay/`:fork`, never recomputed (`replay.md`). Omitted by hosts on `version < 5`." },
         "causationHostId": { "type": "string", "minLength": 1, "description": "RFC 0040 §A — optional cross-host causation pointer. Present + non-empty when this event's `causationId` points at an event on a DIFFERENT host; absent when same-host. MUST equal the originating host's `crossHostCausation.hostId`." }
       },
       "additionalProperties": false
@@ -1275,9 +1324,334 @@
         "sourceIds":   { "type": "array", "items": { "type": "string", "minLength": 1 }, "description": "Ids of entries collapsed into outputId. Hosts MAY omit when sourceCount > 100; the `compacted-from:<runId>` tag convention (RFC 0012 §C) becomes the authoritative provenance signal. When present, MUST be exhaustive within the array (no 'and N more' semantics)." },
         "sourceCount": { "type": "integer", "minimum": 1, "description": "Total source entries collapsed, including any not enumerated in `sourceIds`." },
         "trigger":     { "type": "string", "enum": ["host-managed", "client-requested", "both"], "description": "Matches `capabilities.memory.compaction.trigger`; indicates which trigger path drove this run. v1.x normates only `host-managed`." },
-        "byteSize":    { "type": "integer", "minimum": 0, "description": "Byte size of the resulting MemoryEntry.content." }
+        "byteSize":    { "type": "integer", "minimum": 0, "description": "Byte size of the resulting MemoryEntry.content." },
+        "distillation": {
+          "type": "object",
+          "description": "RFC 0062 (when `capabilities.memory.distillation.supported: true`). Present when this compaction is part of a budgeted distillation run (a scheduled or on-demand 'dream'). Absent for a plain RFC 0012 compaction. Carries the token-budget accounting + whether the memory index was refreshed — not a parallel `memory.distilled` event.",
+          "additionalProperties": false,
+          "required": ["tokenBudget", "tokensUsed"],
+          "properties": {
+            "tokenBudget":  { "type": "integer", "minimum": 1, "description": "Effective per-run budget honored (≤ advertised `maxTokenBudget`), counted against the advertised `tokenizerName`." },
+            "tokensUsed":   { "type": "integer", "minimum": 0, "description": "Total input+output tokens the distillation consumed, best-effort-honest per the advertised tokenizer (±10% tolerance). MUST be ≤ `tokenBudget` on a successful run." },
+            "indexUpdated": { "type": "boolean", "description": "Whether this run refreshed the memory-index workspace file (`MEMORY-INDEX.json`, RFC 0059). When `true`, a `workspace.updated` event was also emitted for that path." }
+          }
+        }
+      },
+      "additionalProperties": true
+    },
+    "memoryWritten": {
+      "type": "object",
+      "description": "RFC 0057. Emitted by a host advertising `capabilities.memory.attribution.emitsWriteEvents: true` for each memory write a run makes, attributing it to the node (and agent, when known) that caused it. Content-free: identifiers + non-secret tags only — the entry content is served by the read-side (`MemoryAdapter.get`), already SR-1-redacted. On replay the event is re-read from the log, never regenerated (the host MUST NOT mint a new `memoryId` or timestamp at replay time). SECURITY invariants `memory-attribution-no-content` + `memory-attribution-tenant-scoped` apply.",
+      "required": ["memoryRef", "memoryId"],
+      "properties": {
+        "memoryRef": { "type": "string", "minLength": 1, "description": "Opaque MemoryAdapter handle (RFC 0004 §C) the entry was written under; resolvable via the read-side." },
+        "memoryId":  { "type": "string", "minLength": 1, "description": "Host-issued, stable entry id; correlates to `MemoryAdapter.get(memoryRef, memoryId)`." },
+        "nodeId":    { "type": "string", "minLength": 1, "description": "SHOULD — the node whose execution caused the write. Omitted only for writes with no node attribution (e.g. host session-end auto-memory)." },
+        "agentId":   { "type": "string", "minLength": 1, "description": "MAY — the agent identity (AgentRef per RFC 0002) behind the write, when known." },
+        "tags":      { "type": "array", "items": { "type": "string" }, "description": "MAY — the entry's non-secret labels. MUST NOT carry secret material (the no-content invariant covers payload bodies)." }
+      },
+      "additionalProperties": true
+    },
+    "agentMemoryConsolidated": {
+      "type": "object",
+      "description": "RFC 0068 (`Draft`). Emitted by a host advertising `capabilities.agents.memoryConsolidation.supported: true` after a background consolidation pass over LONG-TERM memory (merge/dedup/supersede/strengthen). Content-free: identifiers + counts only — entry content is served by the SR-1-redacted read-side (`MemoryAdapter.get`). On replay the event is re-read from the log, never regenerated. Distinct from RFC 0062 `memory.compacted` (token-budgeted distillation of transactional memory). SR-1 carry-forward (RFC 0004) + CTI-1 apply to the consolidated entries.",
+      "required": ["memoryRef", "inputCount", "outputCount"],
+      "properties": {
+        "memoryRef":   { "type": "string", "minLength": 1, "description": "Opaque MemoryAdapter handle (RFC 0004 §C) the consolidation pass operated over. Bounds the pass to a single memory scope (CTI-1)." },
+        "inputCount":  { "type": "integer", "minimum": 0, "description": "Long-term entries considered by the pass." },
+        "outputCount": { "type": "integer", "minimum": 0, "description": "Long-term entries remaining after the pass. MUST be <= inputCount for a pass that only merges/dedups; a strengthen-only pass MAY leave outputCount == inputCount." },
+        "mergedIds":   { "type": "array", "items": { "type": "string", "minLength": 1 }, "description": "MAY — ids of entries collapsed/superseded by the pass. Hosts MAY omit when inputCount is large; consumers MUST tolerate absence." },
+        "trigger":     { "type": "string", "enum": ["host-managed", "scheduled", "on-demand"], "description": "MAY — which initiation path drove this pass (mirrors `agents.memoryConsolidation.schedule`)." }
+      },
+      "additionalProperties": true
+    },
+    "commitmentFired": {
+      "type": "object",
+      "description": "RFC 0068 (`Draft`). Emitted by a host advertising `capabilities.agents.commitments.supported: true` when an inferred standing commitment fires. Content-free: identifiers + condition kind only — the intention text lives in SR-1-redacted memory (`MemoryAdapter.get(memoryRef, memoryId)`). The fired arm composes RFC 0052 (time) or RFC 0060 (predicate). On replay the event is re-read from the log, never regenerated (the host MUST NOT re-infer or re-fire a commitment at replay time). CTI-1: the commitment, its memory provenance, and any run it enqueues MUST share the source memory's tenant.",
+      "required": ["commitmentId", "memoryRef", "condition"],
+      "properties": {
+        "commitmentId":  { "type": "string", "minLength": 1, "description": "Host-issued, stable id for the inferred commitment. Correlates repeated observability across re-evaluations of the same commitment." },
+        "memoryRef":     { "type": "string", "minLength": 1, "description": "Opaque MemoryAdapter handle of the memory scope the commitment was inferred from (provenance + CTI-1 tenant binding)." },
+        "memoryId":      { "type": "string", "minLength": 1, "description": "MAY — id of the source `MemoryEntry` the commitment was inferred from, when a single entry is attributable. Resolvable via `MemoryAdapter.get`; content is read SR-1-redacted from the read-side." },
+        "condition":     { "type": "string", "enum": ["time", "predicate"], "description": "Which fire-condition kind triggered. `time` composes RFC 0052; `predicate` composes RFC 0060." },
+        "enqueuedRunId": { "type": "string", "minLength": 1, "description": "MAY — id of the run the fired commitment enqueued, when the host initiates one. Absent when the commitment fires as a notification without a run." }
+      },
+      "additionalProperties": true
+    },
+
+    "agentInvocationStarted": {
+      "type": "object",
+      "description": "RFC 0077. Emitted by a host advertising `capabilities.agents.liveRuntime.supported: true` as the FIRST agent-scoped event of a live manifest invocation, bracketing the existing `agent.*` family with `agent.invocation.completed`. Content-free: identifiers + selection metadata only — prompt/task content is served by the run's normal projection, never on this event. A recorded-fact event per `replay.md` §\"Recorded-fact events\": on replay it is re-emitted from the log and the host MUST NOT regenerate its `invocationId` (or any identifier). Distinct from the deterministic RFC 0070 sample floor.",
+      "required": ["invocationId", "agentId", "source"],
+      "properties": {
+        "invocationId":     { "type": "string", "minLength": 1, "description": "Host-defined id correlating this agent invocation within its run, UNIQUE-WITHIN-RUN (not a mandated global id-space). Distinct from `runId` — one run MAY dispatch several invocations (multiple agent nodes, or a handoff chain) — but a host MAY derive it from an existing per-node-execution receipt id (e.g. `runId:nodeId:seq`) or mint a UUID; a single-invocation run MAY reuse `runId`. Recorded-fact: re-read from the log on replay, never regenerated (`replay.md` §\"Recorded-fact events\"). Correlates to the matching `agent.invocation.completed`." },
+        "agentId":          { "type": "string", "minLength": 1, "description": "The manifest agentId being invoked (matches `AgentManifest.agentId`)." },
+        "source":           { "type": "string", "enum": ["workflow-node", "run-api", "chat-mention"], "description": "Which entry point launched the invocation. All sources emit this identical family." },
+        "modelClass":       { "type": "string", "description": "MAY — the manifest's abstract `modelClass`. Always populatable at start." },
+        "resolvedModel":    { "type": "string", "description": "MAY — the concrete model the host selected. OPTIONAL: modelClass→concrete resolution MAY happen downstream (with capability-gated fallback substitution), so a dispatch-time start event genuinely may not know it; a host MAY also omit for deployment-privacy." },
+        "resolvedProvider": { "type": "string", "description": "MAY — the concrete provider the host routed to (aligns with `capabilities.aiProviders.supported` / RFC 0067 `authModes`). OPTIONAL, same rationale as `resolvedModel`." },
+        "resolvedAgentVersion": { "type": "string", "description": "MAY — RFC 0082 §B. When this invocation's `AgentRef` bound a `channel` (rather than an exact `version`), the concrete agent-definition version the host pinned per-(run, agentId, channel) at first resolution. A RECORDED FACT: re-read from the log on replay and NEVER re-resolved against a moved channel (the whole event is recorded-fact). Absent when the ref used an exact `version` or host-default resolution." },
+        "resolvedChannel":  { "type": "string", "description": "MAY — RFC 0082 §B. The named `channel` the `AgentRef` bound (mirrors `AgentRef.channel`), for which `resolvedAgentVersion` is the pinned resolution. Content-free label; present only when the ref bound a channel." },
+        "toolSurfaceCount": { "type": "integer", "minimum": 0, "description": "MAY — number of tools in the constructed surface after `toolAllowlist` filtering. Content-free count, not the tool ids." },
+        "memoryBound":      { "type": "boolean", "description": "MAY — whether a long-term memory backend was bound for the invocation." }
+      },
+      "additionalProperties": true
+    },
+
+    "agentInvocationCompleted": {
+      "type": "object",
+      "description": "RFC 0077. Emitted by a host advertising `capabilities.agents.liveRuntime.supported: true` as the LAST agent-scoped event of a live manifest invocation (after the terminal `agent.decided`). Content-free: identifiers + outcome metadata only — the result body is served by the run's normal projection. A recorded-fact event per `replay.md` §\"Recorded-fact events\": re-read from the log on replay, never regenerated.",
+      "required": ["invocationId", "agentId", "outcome"],
+      "properties": {
+        "invocationId":    { "type": "string", "minLength": 1, "description": "Correlates to the `agent.invocation.started` `invocationId`. Recorded-fact: never regenerated on replay." },
+        "agentId":         { "type": "string", "minLength": 1, "description": "The manifest agentId." },
+        "outcome":         { "type": "string", "enum": ["completed", "handed-off", "escalated", "refused", "failed"], "description": "Terminal disposition. `completed`: produced a (schema-valid, if enforced) terminal result. `handed-off`: control passed to another agent (`agent.handoff`). `escalated`: confidence escalation fired (RFC 0002 §F). `refused`: the model refused (RFC 0032 refusal envelope) — never a silent substitution. `failed`: an error terminated the invocation." },
+        "schemaValidated": { "type": "boolean", "description": "MAY — whether the terminal result was validated against `handoff.returnSchemaRef` (true only when `liveRuntime.structuredOutput` is advertised and a `returnSchemaRef` exists)." },
+        "confidence":      { "type": "number", "minimum": 0, "maximum": 1, "description": "MAY — the terminal `agent.decided` confidence, mirrored for convenience. Content-free scalar." },
+        "enqueuedRunId":   { "type": "string", "minLength": 1, "description": "MAY — id of a follow-on run the invocation enqueued (e.g. a sub-run), when applicable." }
+      },
+      "additionalProperties": true
+    },
+
+    "workspaceUpdated": {
+      "description": "RFC 0059. Emitted by a host advertising `capabilities.workspace.supported: true` on each successful `PUT`/`DELETE` of a workspace file, attributing the change to the file `path` + resulting `version`. Content-free: carries the path + version only — the file body is served by the read-side (`GET /v1/host/workspace/files/{path}`), already SR-1-redacted (RFC 0059 §E WSR-1). On replay the event is re-read from the log, never regenerated. MUST NOT be emitted unless `capabilities.workspace.supported: true`. The proposed SECURITY invariant `workspace-cross-tenant-isolation` (WCT-1) applies to the read-side that resolves these paths.",
+      "type": "object",
+      "additionalProperties": false,
+      "required": ["path", "version"],
+      "properties": {
+        "path":    { "type": "string", "minLength": 1, "description": "Workspace-relative path of the file that changed (matches `workspace-file.schema.json#path`)." },
+        "version": { "type": "integer", "minimum": 1, "description": "The file's resulting monotonic version after the write. On delete, the tombstone version when `versioned: true`." }
+      }
+    },
+
+    "evalStarted": {
+      "type": "object",
+      "description": "RFC 0081 §C. Emitted ONCE at the start of an eval run (a `mode: \"eval\"` run, RFC 0081 §B) by a host advertising `capabilities.agents.evalSuite.supported: true`. Content-free: suite provenance + counts only. A recorded-fact event per `replay.md` §\"Recorded-fact events\".",
+      "required": ["suiteId", "suiteVersion", "taskCount", "modes"],
+      "properties": {
+        "suiteId":      { "type": "string", "minLength": 1, "description": "The `agent-eval-suite.schema.json#suiteId` being run." },
+        "suiteVersion": { "type": "string", "minLength": 1, "description": "The pinned suite SemVer." },
+        "taskCount":    { "type": "integer", "minimum": 0, "description": "Number of tasks the run will execute." },
+        "modes":        { "type": "array", "uniqueItems": true, "items": { "type": "string", "enum": ["golden", "rubric", "adversarial", "regression", "live-shadow"] }, "description": "The eval modes this run exercises (RFC 0081 §D)." },
+        "baselineRunId": { "type": "string", "minLength": 1, "description": "MAY — for `regression` mode, the prior eval run this run is scored against." }
+      },
+      "additionalProperties": true
+    },
+
+    "evalScored": {
+      "type": "object",
+      "description": "RFC 0081 §C. Emitted ONCE PER TASK, after that task's terminal `agent.decided`, so a streaming consumer sees results land incrementally. Content-free: the task id + scalars + counts ONLY — NEVER the task output, rubric prose, or model completion (SECURITY invariant `eval-summary-no-content-leak`). A recorded-fact event.",
+      "required": ["taskId", "score", "passed"],
+      "properties": {
+        "taskId":            { "type": "string", "minLength": 1, "description": "The `agent-eval-suite` task id." },
+        "score":             { "type": "number", "minimum": 0, "maximum": 1, "description": "Task score (0.0–1.0)." },
+        "passed":            { "type": "boolean", "description": "Whether the task met its bar." },
+        "costUsd":           { "type": "number", "minimum": 0, "description": "MAY — task cost (scalar; summed from RFC 0026 `provider.usage`). NEVER a pricing breakdown." },
+        "latencyMs":         { "type": "integer", "minimum": 0, "description": "MAY — task wall-clock latency." },
+        "schemaValid":       { "type": "boolean", "description": "MAY — whether the output validated against `handoff.returnSchemaRef`." },
+        "safetyFindingCount": { "type": "integer", "minimum": 0, "description": "MAY — count of safety findings for the task (the redaction-safe descriptors live on `EvalSummary`; the event carries the count only)." }
+      },
+      "additionalProperties": true
+    },
+
+    "evalCompleted": {
+      "type": "object",
+      "description": "RFC 0081 §C. Emitted ONCE, after all tasks and before `run.completed`. Content-free: aggregate scalars only. A recorded-fact event. The full scorecard is the run's output (`eval-summary.schema.json`), served by `GET /v1/runs/{runId}/eval-summary`.",
+      "required": ["aggregateScore", "passed", "taskCount", "passedCount"],
+      "properties": {
+        "aggregateScore":        { "type": "number", "minimum": 0, "maximum": 1, "description": "The suite-level score (0.0–1.0)." },
+        "passed":                { "type": "boolean", "description": "Whether the run cleared the suite thresholds — the flag an RFC 0082 deployment gate MAY require." },
+        "taskCount":             { "type": "integer", "minimum": 0, "description": "Tasks executed." },
+        "passedCount":           { "type": "integer", "minimum": 0, "description": "Tasks that individually passed." },
+        "regressionVsBaseline":  { "type": "number", "minimum": -1, "maximum": 1, "description": "MAY — for `regression` mode, `aggregateScore` minus the baseline's (negative ⇒ regression)." }
+      },
+      "additionalProperties": true
+    },
+    "toolSessionOpened": {
+      "type": "object",
+      "description": "RFC 0078 §D. Emitted when the host opens a multi-step tool session, bracketing one or more RFC 0064 `agent.toolCalled`/`agent.toolReturned` call events. Content-free: identifiers only — never tool arguments, results, or credential material (SR-1). Emitted only when `capabilities.toolCatalog.sessionLifecycle: true`.",
+      "required": ["sessionId", "toolId"],
+      "properties": {
+        "sessionId": { "type": "string", "minLength": 1, "description": "Host-unique id correlating the opened/closed pair + the bracketed call events." },
+        "toolId":    { "type": "string", "minLength": 1, "description": "The `ToolDescriptor.toolId` the session is for (`<scope>:<tool-id>`)." }
+      },
+      "additionalProperties": true
+    },
+    "toolSessionClosed": {
+      "type": "object",
+      "description": "RFC 0078 §D. Emitted when the host closes a multi-step tool session opened by `tool.session.opened`. Content-free: identifiers + a closed-enum outcome only — never tool arguments, results, or credential material (SR-1).",
+      "required": ["sessionId", "toolId", "outcome"],
+      "properties": {
+        "sessionId": { "type": "string", "minLength": 1, "description": "Matches the `tool.session.opened` `sessionId`." },
+        "toolId":    { "type": "string", "minLength": 1, "description": "The `ToolDescriptor.toolId` the session was for." },
+        "outcome":   { "type": "string", "enum": ["completed", "failed", "cancelled"], "description": "Terminal disposition of the session. Content-free — no failure detail/result on the payload." }
       },
       "additionalProperties": true
+    },
+    "egressDecided": {
+      "type": "object",
+      "description": "RFC 0079 §B. Emitted when a host evaluates a credentialed egress (via `ctx.http.safeFetch` / a tool) against credential provenance + the SSRF guard. Content-free: identifiers + decision only — no credential value, no request/response body (SR-1). On replay re-read from the log, never regenerated (the decision is a recorded fact). Emitted only when `capabilities.httpClient.egressPolicy.supported: true`.",
+      "required": ["decision", "destination"],
+      "properties": {
+        "decision":     { "type": "string", "enum": ["allowed", "denied", "downgraded", "approval-required"], "description": "`allowed`: egress proceeds with the credential; `denied`: blocked (out-of-audience / expired / SSRF / unevaluable provenance — fail-closed); `downgraded`: proceeds WITHOUT the credential (anonymous egress, when host policy permits); `approval-required`: suspended pending an RFC 0051 approval interrupt." },
+        "destination":  { "type": "string", "minLength": 1, "description": "The egress destination **host/authority ONLY** (`api.stripe.com`) — NOT a path, query, or full URL (SR-1: a path/query can carry secrets; the host MUST strip them for this canonical content-free event). A host whose internal audit retains the path keeps that on its vendor `x-host-*` variant, never here." },
+        "credentialId": { "type": "string", "minLength": 1, "description": "MAY — the provenance `credentialId` considered (absent for an anonymous / denied-pre-credential egress)." },
+        "reason":       { "type": "string", "enum": ["ok", "out-of-audience", "expired", "ssrf-blocked", "provenance-unevaluable", "scope-denied", "policy-denied"], "description": "MAY — a machine-stable reason code (a CLOSED enum — a free-form reason is a leak vector that would let a host spill the blocked URL/host/header into it, defeating `egress-decision-no-secret-leak`). The load-bearing field is `decision`." },
+        "auditCorrelationId": { "type": "string", "minLength": 1, "description": "MAY — correlates to the provenance descriptor + host audit log." }
+      },
+      "additionalProperties": true
+    },
+    "triggerSubscriptionStateChanged": {
+      "type": "object",
+      "description": "RFC 0083 §C. Emitted when a trigger subscription changes state (the §B four-state machine). Content-free: identifiers + states only — no inbound payload, headers, or credential material (SR-1). Emitted only when `capabilities.triggerBridge.supported: true`.",
+      "required": ["subscriptionId", "source", "fromState", "toState"],
+      "properties": {
+        "subscriptionId": { "type": "string", "minLength": 1, "description": "The TriggerSubscription this state change is for." },
+        "source":         { "type": "string", "enum": ["webhook", "schedule", "queue", "email", "form"], "description": "The subscription source." },
+        "fromState":      { "type": "string", "enum": ["active", "paused", "failed", "dead-lettered"], "description": "Prior state." },
+        "toState":        { "type": "string", "enum": ["active", "paused", "failed", "dead-lettered"], "description": "New state." },
+        "reason":         { "type": "string", "enum": ["retry-exhausted", "operator-paused", "signature-invalid", "backpressure", "source-removed", "provenance-unevaluable"], "description": "MAY — a machine-stable reason code (a CLOSED enum — a free-form reason is a leak vector that would let a host spill an inbound URL/host/header into it). The load-bearing field is `toState`." }
+      },
+      "additionalProperties": true
+    },
+    "triggerDeliveryAttempted": {
+      "type": "object",
+      "description": "RFC 0083 §C. Emitted on each inbound-delivery attempt against an active subscription. Content-free: the subscription id, the dedup key, the attempt counter, the outcome, and the resulting runId only — NEVER the inbound body, headers, or credential material (SR-1).",
+      "required": ["subscriptionId", "dedupKey", "attempt", "outcome"],
+      "properties": {
+        "subscriptionId": { "type": "string", "minLength": 1, "description": "The TriggerSubscription the delivery is for." },
+        "dedupKey":       { "type": "string", "minLength": 1, "description": "The de-duplication key (§C-1). MUST be a **host-opaque** stable key (e.g. `hash(subscriptionId + inbound-event-id)`); it MUST NOT embed inbound body / path / header content in cleartext (SR-1 — a key like `POST /webhook/orders/12345?token=…` would leak). A repeat within retention is a no-op returning the prior runId." },
+        "attempt":        { "type": "integer", "minimum": 1, "description": "1-based attempt counter." },
+        "outcome":        { "type": "string", "enum": ["delivered", "retrying", "dead-lettered"], "description": "`delivered`: the run started; `retrying`: failed, will retry per policy; `dead-lettered`: retries exhausted, routed to the RFC 0053 sink (no run)." },
+        "runId":          { "type": "string", "minLength": 1, "description": "MAY — the run started by a `delivered` outcome (the run's `run.started` carries this delivery's id as `causationId`, RFC 0040). Absent for `retrying` / `dead-lettered`." }
+      },
+      "additionalProperties": true
+    },
+    "budgetReserved": {
+      "type": "object",
+      "description": "RFC 0084 §C. Emitted once at run start with the resolved effective budget (`min` across run/workflow/agent/project scopes, clamped to the host ceiling). A recorded fact — replay re-reads it, never re-resolves (§B). Content-free: dimension ceilings + scope only, no pricing breakdown (SR-1, `budget-no-pricing-leak`).",
+      "required": ["effectiveBudget", "scope"],
+      "properties": {
+        "effectiveBudget": {
+          "type": "object",
+          "additionalProperties": false,
+          "description": "The resolved per-dimension ceilings (a subset of the BudgetPolicy dimensions).",
+          "properties": {
+            "maxTokens": { "type": "integer", "minimum": 0 },
+            "maxCostUsd": { "type": "number", "minimum": 0 },
+            "maxToolCalls": { "type": "integer", "minimum": 0 },
+            "maxRetries": { "type": "integer", "minimum": 0 }
+          }
+        },
+        "scope": { "type": "string", "enum": ["run", "workflow", "agent", "project"], "description": "The binding scope the effective budget resolved from (§B)." }
+      },
+      "additionalProperties": false
+    },
+    "budgetConsumed": {
+      "type": "object",
+      "description": "RFC 0084 §C. A running projection of spend, derived from the existing events (`provider.usage` tokens/cost, `agent.toolCalled`, `node.retried`) — NOT a new measurement (no double-counting). The host MAY coalesce. Content-free: dimension name + integers only, no pricing breakdown / rate card (SR-1).",
+      "required": ["dimension", "consumed", "limit"],
+      "properties": {
+        "dimension": { "type": "string", "enum": ["tokens", "cost", "toolCalls", "retries"], "description": "Which budget dimension this projection is for." },
+        "consumed":  { "type": "number", "minimum": 0, "description": "Amount consumed so far (tokens/calls/retries are integers; cost is a number in the host's `costEstimateUsd` units)." },
+        "limit":     { "type": "number", "minimum": 0, "description": "The effective ceiling for the dimension." },
+        "remaining": { "type": "number", "description": "MAY — `limit - consumed`." }
+      },
+      "additionalProperties": false
+    },
+    "budgetThresholdCrossed": {
+      "type": "object",
+      "description": "RFC 0084 §C. Emitted once per dimension when consumption crosses `thresholdPercent`. Content-free.",
+      "required": ["dimension", "consumed", "limit", "percent"],
+      "properties": {
+        "dimension": { "type": "string", "enum": ["tokens", "cost", "toolCalls", "retries"] },
+        "consumed":  { "type": "number", "minimum": 0 },
+        "limit":     { "type": "number", "minimum": 0 },
+        "percent":   { "type": "number", "minimum": 0, "maximum": 100, "description": "The percent-of-limit threshold crossed." }
+      },
+      "additionalProperties": false
+    },
+    "budgetExhausted": {
+      "type": "object",
+      "description": "RFC 0084 §C. Emitted when a dimension hits its limit. For a hard dimension this is followed by `cap.breached{kind:\"budget-*\"}` → `run.failed{budget_exhausted}` (or, with `onExhaustion:\"interrupt\"`, an approval interrupt). Content-free.",
+      "required": ["dimension", "consumed", "limit"],
+      "properties": {
+        "dimension": { "type": "string", "enum": ["tokens", "cost", "toolCalls", "retries"] },
+        "consumed":  { "type": "number", "minimum": 0 },
+        "limit":     { "type": "number", "minimum": 0 }
+      },
+      "additionalProperties": false
+    },
+
+    "deploymentPromoted": {
+      "type": "object",
+      "description": "RFC 0082 §D. Emitted on the deployment-management run when a version is promoted into a new lifecycle state (the §E contract: authorized via RFC 0049 `deploy:*`, gated via RFC 0051 `approvalGate`, eval-verified via RFC 0081 when `requiredEval` is configured). Content-free: ids / state / scalars / content-free references only — NEVER a manifest body, prompt, or credential (SECURITY invariant `deployment-event-no-content-leak`; `additionalProperties:false` enforces it). A recorded-fact event per `replay.md` §\"Recorded-fact events\". Audit-logged with the acting principal (`auth.md`).",
+      "additionalProperties": false,
+      "required": ["agentId", "toVersion", "toState"],
+      "properties": {
+        "agentId":        { "type": "string", "minLength": 1, "description": "The promoted agent's id." },
+        "fromVersion":    { "type": "string", "minLength": 1, "description": "MAY — the version previously occupying the target channel/state (absent on a first promotion)." },
+        "toVersion":      { "type": "string", "minLength": 1, "description": "The version promoted." },
+        "toState":        { "type": "string", "enum": ["draft", "test", "staged", "active", "paused", "deprecated", "rolled-back"], "description": "The lifecycle state entered." },
+        "channel":        { "type": "string", "minLength": 1, "description": "MAY — the named channel this promotion targets (when promoting to a channel)." },
+        "canaryPercent":  { "type": "integer", "minimum": 0, "maximum": 100, "description": "MAY — the canary traffic share assigned (when promoting `active` at < 100)." },
+        "evalRunId":      { "type": "string", "minLength": 1, "description": "MAY — the RFC 0081 eval run whose `EvalSummary.passed` gated this promotion (the §E evidence)." },
+        "approvalGateId": { "type": "string", "minLength": 1, "description": "MAY — the RFC 0051 approvalGate that authorized this promotion." }
+      }
+    },
+
+    "deploymentRolledBack": {
+      "type": "object",
+      "description": "RFC 0082 §D. Emitted when an `active` version is rolled back and a prior version restored to `active`. Content-free (`deployment-event-no-content-leak`). Recorded-fact; audit-logged.",
+      "additionalProperties": false,
+      "required": ["agentId", "fromVersion", "toVersion", "rollbackPointer"],
+      "properties": {
+        "agentId":         { "type": "string", "minLength": 1, "description": "The agent's id." },
+        "fromVersion":     { "type": "string", "minLength": 1, "description": "The version that was rolled back (left `active`)." },
+        "toVersion":       { "type": "string", "minLength": 1, "description": "The version restored to `active`." },
+        "rollbackPointer": { "type": "string", "minLength": 1, "description": "The recovery target the rolled-back record points to (= `toVersion`)." },
+        "reason":          { "type": "string", "minLength": 1, "description": "MAY — a short redaction-safe rollback reason label (NOT free-text content; same posture as `run.dead_lettered.reason`)." }
+      }
+    },
+
+    "deploymentCanaryAdjusted": {
+      "type": "object",
+      "description": "RFC 0082 §D. Emitted when an `active` version's canary traffic share changes. Content-free (`deployment-event-no-content-leak`). Recorded-fact; audit-logged.",
+      "additionalProperties": false,
+      "required": ["agentId", "version", "fromPercent", "toPercent"],
+      "properties": {
+        "agentId":     { "type": "string", "minLength": 1, "description": "The agent's id." },
+        "version":     { "type": "string", "minLength": 1, "description": "The version whose canary share changed." },
+        "fromPercent": { "type": "integer", "minimum": 0, "maximum": 100, "description": "The prior canary percent." },
+        "toPercent":   { "type": "integer", "minimum": 0, "maximum": 100, "description": "The new canary percent." }
+      }
+    },
+
+    "deploymentStateChanged": {
+      "type": "object",
+      "description": "RFC 0082 §D. Emitted on any non-promotion lifecycle transition (pause / resume / deprecate). Content-free (`deployment-event-no-content-leak`). Recorded-fact; audit-logged.",
+      "additionalProperties": false,
+      "required": ["agentId", "version", "fromState", "toState"],
+      "properties": {
+        "agentId":   { "type": "string", "minLength": 1, "description": "The agent's id." },
+        "version":   { "type": "string", "minLength": 1, "description": "The version whose state changed." },
+        "fromState": { "type": "string", "enum": ["draft", "test", "staged", "active", "paused", "deprecated", "rolled-back"], "description": "The prior state." },
+        "toState":   { "type": "string", "enum": ["draft", "test", "staged", "active", "paused", "deprecated", "rolled-back"], "description": "The new state." }
+      }
+    },
+    "rosterRunInitiated": {
+      "type": "object",
+      "description": "RFC 0086 §C. Emitted once, immediately after `run.started` and before any agent invocation, when a trigger (RFC 0052 schedule / RFC 0083 durable work item) fires a workflow in a roster member's portfolio — attributing the run to the standing agent. Content-free (`roster-attribution-no-content`): ids + persona + trigger source ONLY — never the work-item body, prompt, or credential material (SR-1). A recorded-fact event (replay.md §'Recorded-fact events'): re-emitted from the log on replay, identifiers never regenerated, so the run stays attributed to the same member even if the entry was since renamed or deleted.",
+      "additionalProperties": false,
+      "required": ["rosterId", "persona", "agentId", "workflowId", "triggerSource"],
+      "properties": {
+        "rosterId":   { "type": "string", "minLength": 1, "description": "The standing agent instance the run is attributed to (a `host:<id>` AgentRef agentId)." },
+        "persona":    { "type": "string", "minLength": 1, "description": "The member's human display name (e.g. \"Sally\")." },
+        "agentId":    { "type": "string", "minLength": 1, "description": "The manifest agentId the member instantiates (`agentRef.agentId`)." },
+        "workflowId": { "type": "string", "minLength": 1, "description": "The portfolio workflow this run executes." },
+        "triggerSource": { "type": "string", "minLength": 1, "description": "What fired the run: an RFC 0083 source (`schedule`/`webhook`/`queue`/`email`/`form`) or a host-extension source name (e.g. a vendor Kanban bridge)." },
+        "triggerSubscriptionId": { "type": "string", "minLength": 1, "description": "MAY. The RFC 0083 trigger-subscription id when the fire came through the durable trigger bridge, so trigger → run → roster is traceable via /ancestry (RFC 0040)." }
+      }
     }
   }
 }

package/schemas/run-event.schema.json

@@ -123,12 +123,35 @@
         "agent.toolReturned",
         "agent.handoff",
         "agent.decided",
+        "agent.invocation.started",
+        "agent.invocation.completed",
+        "eval.started",
+        "eval.scored",
+        "eval.completed",
+        "deployment.promoted",
+        "deployment.rolled-back",
+        "deployment.canary.adjusted",
+        "deployment.state.changed",
+        "roster.run.initiated",
+        "tool.session.opened",
+        "tool.session.closed",
+        "egress.decided",
+        "trigger.subscription.state.changed",
+        "trigger.delivery.attempted",
+        "budget.reserved",
+        "budget.consumed",
+        "budget.threshold.crossed",
+        "budget.exhausted",
         "runOrchestrator.decided",
         "node.dispatched",
         "conversation.opened",
         "conversation.exchanged",
         "conversation.closed",
         "memory.compacted",
+        "memory.written",
+        "agent.memory.consolidated",
+        "commitment.fired",
+        "workspace.updated",
         "core.workflowChain.event",
         "core.workflowChain.confidence-escalated",
         "connector.authorized",

package/schemas/tool-descriptor.schema.json

@@ -0,0 +1,63 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://openwop.dev/spec/v1/tool-descriptor.schema.json",
+  "title": "ToolDescriptor",
+  "description": "RFC 0078. A portable, read-only description of one tool, unifying the five openwop tool surfaces (node-pack / workflow / MCP / connector / host-extension) behind one stable shape. Returned by `GET /v1/tools` + `GET /v1/tools/{toolId}` when the host advertises `capabilities.toolCatalog.supported: true`. The descriptor DESCRIBES a tool; it never carries credential material (SR-1) and is not an invocation path (tools are invoked on their existing surfaces).",
+  "type": "object",
+  "additionalProperties": false,
+  "required": ["toolId", "source", "safetyTier"],
+  "properties": {
+    "toolId": {
+      "type": "string",
+      "minLength": 1,
+      "description": "Stable, host-unique tool identifier in the `<scope>:<tool-id>` form RFC 0077 `toolAllowlist` references (`openwop:` core, `mcp:` MCP-namespaced, `connector:` connector, `<vendor>.<host>` / `x-host-<vendor>-*` host-extension). The keyspace SPANS sources so a single allowlist entry resolves to exactly one descriptor; the `<scope>` prefix disambiguates by construction (RFC 0078 §UQ1). MUST be stable across catalog reads for a given host version so an agent's `toolAllowlist` keeps resolving."
+    },
+    "source": {
+      "type": "string",
+      "enum": ["node-pack", "workflow", "mcp", "connector", "host-extension"],
+      "description": "Which surface backs the tool. `node-pack`: a pack typeId (RFC 0003); `workflow`: a workflow-as-tool (`core.subWorkflow` / RFC 0013); `mcp`: an MCP server tool (`host.mcp`); `connector`: an RFC 0045 connector action; `host-extension`: an `x-host-<vendor>-*` scope (RFC 0069)."
+    },
+    "title": { "type": "string", "description": "MAY — human-readable name for UI." },
+    "description": { "type": "string", "description": "MAY — one-line summary for a tool picker." },
+    "inputSchema": { "type": "object", "description": "MAY — JSON Schema (2020-12) for the tool's arguments. Absent ⇒ opaque/host-interpreted args. RECOMMENDED (not required) to be the RFC 0030 Tier-1 universal subset for tools that feed an LLM tool-call (RFC 0078 §UQ2)." },
+    "outputSchema": { "type": "object", "description": "MAY — JSON Schema for the tool's result." },
+    "auth": {
+      "type": "object",
+      "additionalProperties": false,
+      "description": "MAY — what the caller must supply/hold to invoke. Composes RFC 0049 (scopes) + RFC 0046 (credentials).",
+      "properties": {
+        "scopes": { "type": "array", "items": { "type": "string" }, "uniqueItems": true, "description": "RFC 0049 scopes the principal MUST hold; per-tool authorization fails closed (RFC 0064 §C)." },
+        "credentialRef": { "type": "boolean", "description": "true ⇒ the tool needs a host-stored credential reference (RFC 0046); the catalog NEVER carries credential material (SR-1)." }
+      }
+    },
+    "egress": {
+      "type": "string",
+      "enum": ["none", "safe-fetch", "host-mediated", "host-owned"],
+      "description": "MAY — outbound-network posture. `none`: no egress; `safe-fetch`: via the host's RFC 0076 §B `ctx.http.safeFetch` (SSRF-guarded); `host-mediated`: host-proxied non-safeFetch; `host-owned`: the host owns the egress story (e.g. a host-extension)."
+    },
+    "approval": {
+      "type": "string",
+      "enum": ["never", "conditional", "always"],
+      "description": "MAY — whether invocation requires an RFC 0051 approval interrupt. `conditional` ⇒ host-policy (e.g. over a cost/scope threshold)."
+    },
+    "replayPolicy": {
+      "type": "string",
+      "enum": ["deterministic", "idempotent", "non-deterministic"],
+      "description": "MAY — replay posture (`replay.md`). `deterministic`: pure/replay-safe; `idempotent`: safe under the Layer-2 idempotency key (`idempotency.md`); `non-deterministic`: the host MUST cache the observable result (RFC 0041 §C) so replay reproduces the sequence."
+    },
+    "safetyTier": {
+      "type": "string",
+      "enum": ["pure", "read", "write", "exec"],
+      "description": "REQUIRED. The tool's DATA-EFFECT classification: `pure`: no external side effects; `read`: reads external state; `write`: mutates external state; `exec`: arbitrary-command/`exec`-class — per RFC 0069 this MUST have `source: \"host-extension\"` (exec is never protocol-tier). A consumer uses this to gate/warn. The host MUST ASSIGN `safetyTier` explicitly as per-tool metadata; it is NOT derivable from a permission / approval / risk tier — those are an ORTHOGONAL authorization axis (a read-only tool can be high-approval/restricted while being `safetyTier:\"read\"`). A host that mechanically maps its risk tier onto `safetyTier` mis-advertises."
+    },
+    "costHint": { "type": "string", "enum": ["low", "medium", "high"], "description": "MAY — advisory cost magnitude for planning UX. Non-normative." },
+    "latencyHint": { "type": "string", "enum": ["low", "medium", "high"], "description": "MAY — advisory latency magnitude. Non-normative." }
+  },
+  "allOf": [
+    {
+      "$comment": "RFC 0078 §C-1 / §F-4: an exec-tier tool MUST be host-extension-sourced (RFC 0069 — exec is never protocol-tier).",
+      "if": { "properties": { "safetyTier": { "const": "exec" } }, "required": ["safetyTier"] },
+      "then": { "properties": { "source": { "const": "host-extension" } }, "required": ["source"] }
+    }
+  ]
+}