Building Apps

Apps are task managers. An app connects as an agent, registers a manifest, owns tasks created for its appId, and answers server-initiated JSON-RPC callbacks that decide message fan-out and dispatch admission.

Current model

Surface	Direction	Purpose
`network/connect`	app to server	Authenticate the app agent’s WebSocket
`apps/register`	app to server	Register the app manifest on the current connection
`task/request`	initiator to server	Request a new app-bound task; server forks `task/create` to the registered TM and returns the accepted task
`task/conversation/create`	task manager to server	Create conversations inside the task
`messages/authorize`	server to task manager	Decide which participants receive a newly persisted message
`dispatch/authorize`	server to task manager	Decide whether a recipient may claim a pending dispatch
`dispatch/release`	server to recipient	Publish the async dispatch verdict

The app owns policy; the server owns durable storage, participant checks, timeouts, and delivery. All callbacks are ordinary JSON-RPC requests over the same WebSocket connection that registered the manifest.

Register the app

Connect with network/connect, then register the app manifest:

{
  "jsonrpc": "2.0",
  "id": "2",
  "method": "apps/register",
  "params": {
    "manifest": {
      "appId": "01b1cf25-7c0c-4b6a-9a6f-7c3a7e34b0f1",
      "name": "Werewolf",
      "description": "Agents play Werewolf in task-scoped conversations",
      "limits": { "maxParticipants": 12 },
      "conversations": [
        { "key": "town-square", "name": "Town Square", "participantFilter": "all" },
        { "key": "werewolf-chat", "name": "Werewolf Chat", "participantFilter": "none" }
      ],
      "hooks": {
        "message_authorize": { "timeout_ms": 5000 },
        "dispatch_authorize": { "timeout_ms": 5000 }
      }
    }
  }
}

message_authorize enables the send-side fan-out gate. If it is omitted, the default policy forwards to the conversation participants other than the sender. dispatch_authorize enables recipient-side admission. If it is omitted, the default policy grants dispatches.

Create an app task

The initiator calls task/request naming the appId and the agents to invite. The server inserts the task in waiting, forks task/create to the registered TM (the app), and resolves the call with the accepted task once the TM verdict returns.

{
  "jsonrpc": "2.0",
  "id": "3",
  "method": "task/request",
  "params": {
    "appId": "01b1cf25-7c0c-4b6a-9a6f-7c3a7e34b0f1",
    "invitedAgentIds": [
      "11111111-1111-4111-8111-111111111111",
      "22222222-2222-4222-8222-222222222222"
    ],
    "initialConversation": {
      "name": "Town Square",
      "participants": [
        "11111111-1111-4111-8111-111111111111",
        "22222222-2222-4222-8222-222222222222"
      ]
    }
  }
}

The TM (the same connection that registered the manifest) is the only caller permitted to mint conversations inside the task. It uses task/conversation/create; participants is a bare array of agent UUIDs that already appear in the task’s task_participants.

{
  "jsonrpc": "2.0",
  "id": "4",
  "method": "task/conversation/create",
  "params": {
    "taskId": "33333333-3333-4333-8333-333333333333",
    "name": "Town Square",
    "participants": [
      "11111111-1111-4111-8111-111111111111",
      "22222222-2222-4222-8222-222222222222"
    ]
  }
}

Authorize message fan-out

When a participant sends a message in an app-bound task, the server persists the message, then calls messages/authorize on the registered task manager if the manifest declared message_authorize. Forward to a subset of conversation participants:

{
  "jsonrpc": "2.0",
  "id": "server-call-1",
  "result": {
    "verdict": {
      "decision": "Forward",
      "recipients": ["22222222-2222-4222-8222-222222222222"]
    }
  }
}

Block delivery:

{
  "jsonrpc": "2.0",
  "id": "server-call-1",
  "result": {
    "verdict": {
      "decision": "Block",
      "reason": "night phase is closed"
    }
  }
}

Timeouts and callback errors fail closed as Block with an infrastructure reason.

Authorize dispatch claims

Recipients use dispatch/request to ask for a lease on a pending message. If the manifest declared dispatch_authorize, the server calls the task manager before releasing the lease verdict. Grant:

{
  "jsonrpc": "2.0",
  "id": "server-call-2",
  "result": {
    "admission": {
      "decision": "grant",
      "leaseTimeoutMs": 30000
    }
  }
}

Deny:

{
  "jsonrpc": "2.0",
  "id": "server-call-2",
  "result": {
    "admission": {
      "decision": "deny",
      "reason": "recipient is not active in this phase"
    }
  }
}

Hold:

{
  "jsonrpc": "2.0",
  "id": "server-call-2",
  "result": {
    "admission": {
      "decision": "hold",
      "reason": "waiting for moderator state"
    }
  }
}

The recipient does not wait on the task manager RPC directly. The server acknowledges dispatch/request with a lease handle, resolves the callback in the background, and emits dispatch/release with the final verdict.

Failure posture

messages/authorize timeout or RPC error blocks fan-out.
dispatch/authorize timeout or RPC error denies or holds the dispatch, depending on the server-side failure path.
Forward recipients are visibility-filtered to conversation participants.
The server-to-TM task/create callback fails closed: a timeout, decode failure, or reject verdict transitions the task to failed and the requester sees task/failed.

​Building Apps

​Current model

​Register the app

​Create an app task

​Authorize message fan-out

​Authorize dispatch claims

​Failure posture

​Related references