open-classify 0.2.0 → 0.5.0

package/dist/src/stock.d.ts

@@ -1,32 +1,27 @@
-import type { DownstreamModelTier, ModelSpecialization } from "./enums.js";
-export interface StockClassifierMessageInput {
+import type { DownstreamModelTier, ModelSpecialization, PromptInjectionRiskLevel } from "./enums.js";
+import type { ReservedFieldName } from "./reserved-fields.js";
+export interface ClassifierMessageInput {
     readonly role: "user" | "assistant";
     readonly text: string;
 }
-export interface StockClassifierInput {
-    readonly messages: ReadonlyArray<StockClassifierMessageInput>;
+export interface ClassifierMessageWindowInput {
+    readonly messages: ReadonlyArray<ClassifierMessageInput>;
 }
 export interface FinalReplySignal {
-    readonly reply: string;
+    readonly text: string;
 }
 export interface AckReplySignal {
-    readonly reply: string;
+    readonly text: string;
 }
 export interface RoutingSignal {
     readonly model_tier?: DownstreamModelTier;
-    readonly specialization?: ModelSpecialization;
-}
-export interface TierSignal {
-    readonly model_tier?: DownstreamModelTier;
-}
-export interface SpecializationSignal {
-    readonly specialization?: ModelSpecialization;
+    readonly model_specialization?: ModelSpecialization;
 }
 export interface ToolsSignal {
     readonly tools: ReadonlyArray<string>;
 }
 export interface PromptInjectionSignal {
-    readonly risk_level: "normal" | "suspicious" | "high_risk" | "unknown";
+    readonly risk_level: PromptInjectionRiskLevel;
 }
 export type Certainty = "no_signal" | "very_weak" | "weak" | "tentative" | "reasonable" | "strong" | "very_strong" | "near_certain";
 export declare const CERTAINTY_VALUES: readonly ["no_signal", "very_weak", "weak", "tentative", "reasonable", "strong", "very_strong", "near_certain"];
@@ -35,68 +30,37 @@ export interface ClassifierOutputMetadata {
     readonly reason: string;
     readonly certainty: Certainty;
 }
-export interface PreflightClassifierOutput extends ClassifierOutputMetadata {
-    readonly final_reply?: FinalReplySignal;
-    readonly ack_reply?: AckReplySignal;
-}
-export type RoutingClassifierOutput = TierSignal & ClassifierOutputMetadata;
-export type ModelSpecializationClassifierOutput = SpecializationSignal & ClassifierOutputMetadata;
-export type ToolsClassifierOutput = ToolsSignal & ClassifierOutputMetadata;
-export type PromptInjectionClassifierOutput = PromptInjectionSignal & ClassifierOutputMetadata;
-export interface CustomClassifierOutputValue extends ClassifierOutputMetadata {
-    readonly output: unknown;
+export interface ClassifierOutput extends ClassifierOutputMetadata {
+    readonly [key: string]: unknown;
 }
-export interface StockClassifierOutputs {
-    readonly preflight: PreflightClassifierOutput;
-    readonly routing: RoutingClassifierOutput;
-    readonly model_specialization: ModelSpecializationClassifierOutput;
-    readonly tools: ToolsClassifierOutput;
-    readonly prompt_injection: PromptInjectionClassifierOutput;
-}
-export declare const STOCK_CLASSIFIER_NAMES: readonly ["preflight", "routing", "model_specialization", "tools", "prompt_injection"];
-export type StockClassifierName = (typeof STOCK_CLASSIFIER_NAMES)[number];
-export type StockClassifierOutput = StockClassifierOutputs[StockClassifierName];
-export type ClassifierOutput = StockClassifierOutput | CustomClassifierOutputValue;
 export interface ToolDefinition {
     readonly id: string;
     readonly description: string;
 }
-interface ManifestCommon {
+export type AppliesTo = "user" | "assistant" | "both";
+export declare const APPLIES_TO_VALUES: readonly ["user", "assistant", "both"];
+export interface JsonClassifierManifest {
+    readonly name: string;
     readonly version: string;
     readonly purpose: string;
-    readonly order: number;
+    readonly dispatch_order?: number;
+    readonly applies_to?: AppliesTo;
+    readonly reserved_fields?: ReadonlyArray<ReservedFieldName>;
+    readonly allowed_tools?: ReadonlyArray<ToolDefinition>;
+    readonly output_schema?: unknown;
+    readonly fallback: ClassifierOutput;
     readonly backend?: {
         readonly ollama?: {
             readonly base_model?: string;
         };
     };
 }
-export interface StockJsonManifest<Name extends StockClassifierName = StockClassifierName> extends ManifestCommon {
-    readonly kind: "stock";
-    readonly name: Name;
-    readonly fallback: StockClassifierOutputs[Name];
-    readonly tools?: ReadonlyArray<ToolDefinition>;
-}
-export interface CustomJsonManifest extends ManifestCommon {
-    readonly kind: "custom";
-    readonly name: string;
-    readonly fallback: CustomClassifierOutputValue;
-    readonly output_schema: unknown;
-}
-export type JsonClassifierManifest = StockJsonManifest | CustomJsonManifest;
-export interface RuntimeStockManifest<Name extends StockClassifierName = StockClassifierName> extends StockJsonManifest<Name> {
+export interface RuntimeClassifierManifest extends JsonClassifierManifest {
     readonly systemPrompt: string;
+    readonly composedOutputSchema: unknown;
+    readonly reservedFields: ReadonlyArray<ReservedFieldName>;
+    readonly appliesTo: AppliesTo;
 }
-export interface RuntimeCustomManifest extends CustomJsonManifest {
-    readonly systemPrompt: string;
-}
-export type RuntimeClassifierManifest = RuntimeStockManifest | RuntimeCustomManifest;
-export declare function isStockManifest(manifest: RuntimeClassifierManifest): manifest is RuntimeStockManifest;
-export declare function isCustomManifest(manifest: RuntimeClassifierManifest): manifest is RuntimeCustomManifest;
-export interface CustomClassifierOutput {
+export interface ClassifierAuditOutput extends ClassifierOutput {
     readonly classifier: string;
-    readonly reason: string;
-    readonly certainty: Certainty;
-    readonly output: unknown;
 }
-export {};

package/dist/src/stock.js

@@ -1,3 +1,9 @@
+// Classifier type contracts.
+//
+// Every classifier — reserved-field-bearing or not — uses the same manifest
+// shape and emits the same output envelope: `{ reason, certainty, ...payload }`
+// where `payload` may include any subset of the classifier's declared
+// reserved fields plus its custom (schema-validated) properties.
 export const CERTAINTY_VALUES = [
     "no_signal",
     "very_weak",
@@ -18,17 +24,4 @@ export const certaintyScore = {
     very_strong: 0.88,
     near_certain: 0.97,
 };
-export const STOCK_CLASSIFIER_NAMES = [
-    "preflight",
-    "routing",
-    "model_specialization",
-    "tools",
-    "prompt_injection",
-];
-// Helper: narrow a manifest to its stock kind for callers that know the name.
-export function isStockManifest(manifest) {
-    return manifest.kind === "stock";
-}
-export function isCustomManifest(manifest) {
-    return manifest.kind === "custom";
-}
+export const APPLIES_TO_VALUES = ["user", "assistant", "both"];

package/docs/adding-a-classifier.md

@@ -1,36 +1,28 @@
 # Adding a classifier
 
-Most additions are custom classifiers. You drop two files in a directory; the runtime picks them up. No TypeScript registry edits required.
+Every classifier — reserved-field-bearing or pure custom — uses the same two-file layout. There is no separate "stock" vs "custom" distinction; the runtime only cares about which reserved fields a classifier opts into.
 
-## 1. Pick a directory
-
-Custom classifier:
+## 1. Create the directory
 
 ```
-src/classifiers/custom/<name>/
+src/classifiers/<name>/
 ├── manifest.json
 └── prompt.md
 ```
 
-Stock classifier names are closed (`preflight`, `routing`, `model_specialization`, `tools`, `prompt_injection`). You generally don't add new stock classifiers — extend behavior with a custom one instead.
+The directory name must match `manifest.json`'s `name` field. Top-level directories starting with `_` (like `_prompts/`) are reserved for shared assets and skipped by the loader.
 
 ## 2. Write the manifest
 
+Minimal example — a pure-custom classifier that emits tags. You don't need to provide JSON examples; the runtime synthesizes one from your schema and shows it to the model.
+
 ```json
 {
-  "kind": "custom",
   "name": "topic_tags",
   "version": "1.0.0",
   "purpose": "Tag the message with a small set of topic labels for analytics.",
-  "order": 70,
-  "fallback": {
-    "reason": "Classifier failed; no tags generated.",
-    "certainty": "no_signal",
-    "output": { "tags": [] }
-  },
+  "dispatch_order": 70,
   "output_schema": {
-    "type": "object",
-    "additionalProperties": false,
     "required": ["tags"],
     "properties": {
       "tags": {
@@ -38,37 +30,70 @@ Stock classifier names are closed (`preflight`, `routing`, `model_specialization
         "items": { "type": "string", "minLength": 1, "maxLength": 40 }
       }
     }
+  },
+  "fallback": {
+    "reason": "Classifier failed; no tags generated.",
+    "certainty": "no_signal",
+    "tags": []
   }
 }
 ```
 
+If your classifier's behavior is nuanced enough that hand-picked examples would help the model (preflight is one), add an `output_schema.examples` array. The runtime validates each example against the composed schema at load time, so a broken example fails the build.
+
+To also influence routing, opt into a reserved field:
+
+```json
+{
+  "name": "topic_tags",
+  "version": "1.0.0",
+  "purpose": "Tag the message and pick a specialization for the downstream model.",
+  "dispatch_order": 70,
+  "reserved_fields": ["model_specialization"],
+  "output_schema": {
+    "required": ["tags"],
+    "properties": {
+      "tags": { "type": "array", "items": { "type": "string" } }
+    }
+  },
+  "fallback": {
+    "reason": "Classifier failed.",
+    "certainty": "no_signal",
+    "tags": []
+  }
+}
+```
+
+The runtime knows `model_specialization` is a reserved field and injects its canonical enum values into the prompt automatically. You don't paste enum values in your `prompt.md`.
+
 Rules:
 
 - `name` must match the directory name.
-- `name` must not collide with a stock classifier name.
-- `order` must not collide with any other classifier.
-- `fallback` must validate against your `output_schema`.
+- Reserved field names cannot appear in `output_schema.properties`; declare them in `reserved_fields` instead.
+- `reason` and `certainty` are added to the composed schema by the runtime — don't declare them.
+- `fallback` must validate against the composed schema. Reserved fields are optional in fallback (a "no signal" fallback usually omits them).
+- `output_schema.examples` (JSON Schema standard) must validate against the composed schema at load time, so a broken example fails the build, not the model call.
 
 See [manifests.md](manifests.md) for the full field list.
 
 ## 3. Write the prompt
 
-`prompt.md` is the classifier-specific instruction text. The runtime composes it with an auto-generated preamble that describes the JSON output envelope, so your prompt can focus on the classification rule:
+`prompt.md` is the classifier-specific instruction text. The runtime composes it with auto-generated sections describing the JSON contract and the reserved fields you opted into, so your prompt can focus on the classification rule:
 
 ```markdown
 You are the topic_tags classifier.
 
-Tags are short single-word topic labels (lowercase, no spaces). Use at most five.
+`tags` are short single-word topic labels (lowercase, no spaces). Use at most five.
 Return an empty array when no clear topic applies.
 Do not invent tags for vague or ambiguous messages.
 ```
 
-Keep it focused. Don't put aggregation or routing rules in prompts — those live in the runtime and catalog.
+Don't paste enum values for reserved fields — the runtime injects them with canonical wording so they never drift from `src/enums.ts`.
 
 ## 4. Build and test
 
 ```sh
-npm run build   # validates the manifest, sorts the registry, copies assets
+npm run build   # validates the manifest, composes the schema, copies assets
 npm test
 ```
 
@@ -77,14 +102,33 @@ If the manifest is malformed, the loader throws `ClassifierManifestError` with t
 ## 5. Consume the output
 
 ```ts
-const classify = createClassifier({ catalog });
+const { classify } = createClassifier({ catalog });
 const result = await classify(input);
-if (result.action === "route") {
-  const tags = result.classifier_outputs.topic_tags?.tags ?? [];
-}
+const tags = result.classifier_outputs.topic_tags?.tags ?? [];
 ```
 
-`result.audit.custom_outputs[]` carries the same data with required `reason` and `certainty` metadata if you need to inspect them.
+`result.audit.classifier_outputs[]` carries the same data with `reason` and `certainty` attached if you need to inspect them.
+
+## Targeting the assistant response
+
+Classifiers run against the user message by default. To run a classifier against the assistant's reply instead (or in addition), set `applies_to` in the manifest:
+
+- `"user"` (default) — only `classify()` runs it.
+- `"assistant"` — only `inspect()` runs it.
+- `"both"` — both passes run it.
+
+Use `inspect()` from `createClassifier()` for the assistant-side pass. It returns a lean shape (`target_message_hash` + `classifier_outputs`) — no routing, no audit envelope. The built-in `prompt_injection` ships tagged `"both"` so it runs on both sides.
+
+```ts
+const { inspect } = createClassifier({ catalog });
+const post = await inspect({
+  messages: [
+    { role: "user", text: "Summarize the contract." },
+    { role: "assistant", text: "The contract has three notable risks…" },
+  ],
+});
+const risk = post.classifier_outputs.prompt_injection?.risk_level;
+```
 
 ## Choosing the classifier model
 
@@ -96,15 +140,13 @@ For apps and OSS installs, prefer `open-classify.config.json`:
     "provider": "ollama",
     "defaultModel": "gemma4:e4b-it-q4_K_M",
     "models": {
-      "custom": {
-        "topic_tags": "qwen2.5:7b-instruct-q4_K_M"
-      }
+      "topic_tags": "qwen2.5:7b-instruct-q4_K_M"
     }
   }
 }
 ```
 
-`runner.defaultModel` applies to every classifier without an override. `runner.models.stock` contains built-in classifier ids; `runner.models.custom` contains custom classifier ids.
+`runner.defaultModel` applies to every classifier without an override. `runner.models` is a flat map keyed by classifier name — there is no separate stock/custom split.
 
 Classifier manifests may also carry an Ollama hint for packaged classifiers:
 
@@ -125,7 +167,7 @@ import { classifyOpenClassifyInput, loadCatalog } from "open-classify";
 
 const runClassifier: RunClassifier = async (name, input, signal) => {
   // call OpenAI, Anthropic, a remote service, etc.
-  // return a ClassifierOutput matching the classifier's contract.
+  // return a ClassifierOutput matching the classifier's composed schema.
 };
 
 await classifyOpenClassifyInput(input, { runClassifier, catalog: loadCatalog(...) });

package/docs/manifests.md

@@ -1,127 +1,168 @@
 # Manifest reference
 
-Every classifier directory contains a `manifest.json`. Custom classifiers also contain a `prompt.md`. Stock prompt markdown lives in `src/classifiers/stock/prompts/` and is assembled at runtime.
-
-## Layout
+Every classifier lives in `src/classifiers/<name>/` and contains exactly two files:
 
 ```
 src/classifiers/
-  stock/prompts/              # built-in prompt markdown
-    base.md
-    confidence.md
-    reason.md
-    tier.md
-    specialty.md
-    tools-output.md
-    tools.md
-  stock/<name>/                # built-in classifier
-    manifest.json
-  custom/<name>/               # caller-defined classifier
+  _prompts/                   # shared base markdown (base.md, reason.md, confidence.md)
+  <classifier_name>/
     manifest.json
     prompt.md
 ```
 
-The `kind` field in the manifest must match the parent directory (`stock` or `custom`). Mismatches are rejected at load time.
+The loader skips any top-level directory whose name starts with `_` (those are shared assets, not classifiers).
 
-## Common fields
+## Fields
 
 | Field | Required | Description |
 |---|---|---|
-| `kind` | yes | `"stock"` or `"custom"` |
 | `name` | yes | Classifier id. Must match the directory name. |
 | `version` | yes | Contract version surfaced in `meta.classifiers[name].version`. |
-| `purpose` | yes | Human-readable description. |
-| `order` | yes | Integer sort key. Duplicate orders are rejected. |
-| `fallback` | yes | Output emitted when the classifier errors or times out. Must validate against the kind's output contract. |
+| `purpose` | yes | Human-readable description of the classifier's job. Treated as a hard scope boundary in the prompt. |
+| `dispatch_order` | no | Non-negative integer scheduling priority. Lower runs first. Omit to schedule this classifier last (treated as +Infinity). Duplicate names are rejected; duplicate dispatch_orders are allowed and schedule adjacent. |
+| `applies_to` | no | One of `"user"`, `"assistant"`, `"both"`. Controls which pipeline pass the classifier participates in: `classify()` runs `"user"` + `"both"`; `inspect()` runs `"assistant"` + `"both"`. Defaults to `"user"`. |
+| `reserved_fields` | no | Array of reserved field names this classifier may emit at the top level of its output. |
+| `allowed_tools` | conditional | Required if `reserved_fields` includes `"tools"`; rejected otherwise. Array of `{ id, description }` listing the tool ids the classifier may pick from. |
+| `output_schema` | no | JSON Schema (Ajv-validated). Describes only the custom (non-reserved) properties. The runtime composes this with canonical sub-schemas for any declared reserved fields plus `reason` and `certainty`. |
+| `output_schema.examples` | no | Array of full example outputs (reserved + custom + `reason` + `certainty`). Validated against the composed schema at load time. Omit it and the runtime synthesizes a JSON skeleton example from the schema. |
+| `fallback` | yes | Output emitted when the classifier errors or times out. Must validate against the composed schema; reserved fields are optional in fallback. |
 | `backend.ollama.base_model` | no | Packaged Ollama model hint for this classifier. User config and function options take precedence. |
 
-## Stock manifests
-
-Stock manifests use a closed set of names (`preflight`, `routing`, `model_specialization`, `tools`, `prompt_injection`). The runtime knows each name's signal type, so there's no `emits` field. Fallbacks must satisfy the signal contract for that name (see [signals.md](signals.md)).
+## Reserved fields
 
-The `tools` classifier additionally takes:
+Reserved fields are well-known output keys the aggregator knows how to consume. The runtime owns their JSON Schema sub-schemas and prompt fragments — your manifest just opts in.
 
-| Field | Required | Description |
+| Reserved field | Shape | What the aggregator does with it |
 |---|---|---|
-| `tools` | no | Array of `{ id, description }`. Restricts which tool ids the classifier may emit. |
+| `final_reply` | `{ text: string ≤200 chars }` | Surfaced in `audit.final_reply`; caller can return as the terminal reply |
+| `ack_reply` | `{ text: string ≤200 chars }` | Surfaced in `audit.ack_reply`; caller can show as an acknowledgement |
+| `model_tier` | one of `DOWNSTREAM_MODEL_TIER_VALUES` | Soft constraint for catalog resolver |
+| `model_specialization` | one of `MODEL_SPECIALIZATION_VALUES` | Soft constraint for catalog resolver |
+| `tools` | array of allowed tool ids | Sets `downstream.tools` |
+| `risk_level` | one of `PROMPT_INJECTION_RISK_LEVEL_VALUES` | Surfaced in `audit.prompt_injection` |
+
+`final_reply` and `ack_reply` are mutually exclusive — a single output may contain at most one.
 
-Example (`src/classifiers/stock/prompt_injection/manifest.json`):
+When multiple classifiers emit the same reserved field, the highest-certainty contributor wins. Ties are broken by manifest `dispatch_order` ascending (the first encountered in registry order keeps the slot). Classifiers without `dispatch_order` sort last for tie-break purposes too.
+
+## Example: reserved-only manifest
 
 ```json
 {
-  "kind": "stock",
-  "name": "prompt_injection",
+  "name": "routing",
   "version": "1.0.0",
-  "purpose": "Assess whether the target message contains prompt-injection attempts.",
-  "order": 50,
+  "purpose": "Recommend the downstream model tier.",
+  "dispatch_order": 20,
+  "reserved_fields": ["model_tier"],
+  "output_schema": {
+    "examples": [
+      { "reason": "Simple factual question.", "certainty": "near_certain", "model_tier": "local_fast" },
+      { "reason": "Multi-step refactor.", "certainty": "very_strong", "model_tier": "frontier_coding" }
+    ]
+  },
   "fallback": {
-    "reason": "Classifier failed; prompt-injection risk is unknown.",
-    "certainty": "no_signal",
-    "risk_level": "unknown"
+    "reason": "Classifier failed; no routing signal.",
+    "certainty": "no_signal"
   }
 }
 ```
 
-## Custom manifests
+The runtime injects the `model_tier` enum and the canonical prompt fragment automatically. Your `prompt.md` only needs to explain the classification rule.
 
-| Field | Required | Description |
-|---|---|---|
-| `output_schema` | yes | JSON Schema (Ajv-validated) for the `output` payload. |
-
-Custom classifier names must not collide with any stock classifier name.
-
-Example:
+## Example: custom-only manifest
 
 ```json
 {
-  "kind": "custom",
   "name": "memory_retrieval_queries",
   "version": "1.0.0",
-  "purpose": "Generate saved-memory query hints for caller-owned memory retrieval.",
-  "order": 60,
-  "fallback": {
-    "reason": "Classifier failed; no memory queries generated.",
-    "certainty": "no_signal",
-    "output": { "queries": [] }
-  },
+  "purpose": "Generate retrieval queries likely to surface helpful user-specific context for the downstream model.",
+  "dispatch_order": 60,
   "output_schema": {
-    "type": "object",
-    "additionalProperties": false,
     "required": ["queries"],
     "properties": {
       "queries": {
         "type": "array", "maxItems": 5,
-        "items": { "type": "string", "minLength": 1, "maxLength": 120 }
+        "items": { "type": "string", "minLength": 1, "maxLength": 120 },
+        "uniqueItems": true
       }
-    }
+    },
+    "examples": [
+      {
+        "reason": "Saved code-review preferences could improve the response.",
+        "certainty": "strong",
+        "queries": ["user code review preferences"]
+      },
+      {
+        "reason": "No saved memories likely to help.",
+        "certainty": "very_strong",
+        "queries": []
+      }
+    ]
+  },
+  "fallback": {
+    "reason": "Classifier failed; no memory queries generated.",
+    "certainty": "no_signal",
+    "queries": []
   }
 }
 ```
 
-## Prompt files
+## Example: hybrid manifest
+
+A manifest may declare both reserved fields and custom properties; they sit alongside each other at the top level of every output.
 
-Stock prompt files live together in `src/classifiers/stock/prompts/`. The runtime assembles shared markdown (`base.md`, `reason.md`, `confidence.md`, `classifier-header.md`) with focused stock sections such as `tier.md`, `specialty.md`, `tools-output.md`, and the stock classifier file (`preflight.md`, `routing.md`, `model_specialization.md`, `tools.md`, or `prompt_injection.md`).
+```json
+{
+  "name": "task_router",
+  "version": "1.0.0",
+  "purpose": "Pick the downstream tier and estimate token usage.",
+  "dispatch_order": 25,
+  "reserved_fields": ["model_tier", "model_specialization"],
+  "output_schema": {
+    "required": ["estimated_tokens"],
+    "properties": {
+      "estimated_tokens": { "type": "integer", "minimum": 0 }
+    },
+    "examples": [
+      {
+        "reason": "Code refactor needs reasoning.",
+        "certainty": "very_strong",
+        "model_tier": "frontier_strong",
+        "model_specialization": "coding",
+        "estimated_tokens": 12000
+      }
+    ]
+  },
+  "fallback": {
+    "reason": "Classifier failed.",
+    "certainty": "no_signal",
+    "estimated_tokens": 0
+  }
+}
+```
 
-Dynamic prompt sections use small markdown slots. For example, `tools.md` contains `{{allowed_tools}}`, and the runtime renders the allowed tool list from the tools manifest.
+## Prompt files
 
-Custom `prompt.md` is the classifier-specific instruction text. The runtime composes it with the shared JSON output envelope, so prompts can stay focused on classifier behavior:
+`prompt.md` is the classifier-specific instruction text. The runtime composes the system prompt at load time from:
 
-- what the classifier decides
-- when to emit each declared field
-- when to omit optional fields
-- short examples only when they clarify a boundary
+1. Shared base sections (JSON-only contract, `reason` + `certainty` rules) from `src/classifiers/_prompts/`
+2. The classifier header (name and purpose, with the purpose stated as a hard scope boundary)
+3. Auto-injected fragments for each declared reserved field (canonical enum values included, so you can't drift)
+4. Your `prompt.md`
+5. A JSON example of a complete output: the `output_schema.examples` if you provided any, otherwise a synthesized skeleton derived from the schema
 
-Do not put aggregation or model-id rules in prompts — those live in the runtime and catalog.
+Keep `prompt.md` focused on classification behavior — when to emit each field, when to omit, when to abstain. Don't paste enum values for reserved fields; the runtime does that for you.
 
 ## Validation rejections
 
 The loader rejects manifests that:
 
-- declare unsupported fields
-- collide on `name` or `order`
-- have an empty custom `prompt.md`
-- declare a custom name that matches a stock classifier
-- declare `kind` that doesn't match the parent directory
-- have a `fallback` that doesn't satisfy the signal or `output_schema`
-- are missing `output_schema` on a custom classifier
-- declare `tools` on any classifier other than the `tools` stock classifier
+- declare unsupported fields at the manifest root
+- collide with another classifier on `name`
+- include a reserved field name in `output_schema.properties`
+- include `reason` or `certainty` in `output_schema.properties`
+- list `allowed_tools` without `tools` in `reserved_fields` (or vice versa)
+- have a `fallback` that doesn't validate against the composed schema
+- have an `output_schema.examples[]` entry that doesn't validate against the composed schema
+- have an empty `prompt.md`
+- have a `name` that doesn't match the parent directory