@alexkroman1/aai 1.0.6 → 1.2.0

package/sdk/allowed-hosts.test.ts

@@ -0,0 +1,236 @@
+// Copyright 2025 the AAI authors. MIT license.
+import { describe, expect, test } from "vitest";
+import { matchesAllowedHost, validateAllowedHostPattern } from "./allowed-hosts.ts";
+
+describe("validateAllowedHostPattern", () => {
+  describe("valid patterns", () => {
+    test("accepts exact hostname", () => {
+      expect(validateAllowedHostPattern("api.weather.com")).toEqual({
+        valid: true,
+      });
+    });
+
+    test("accepts exact hostname without subdomain", () => {
+      expect(validateAllowedHostPattern("example.com")).toEqual({ valid: true });
+    });
+
+    test("accepts wildcard subdomain", () => {
+      expect(validateAllowedHostPattern("*.mycompany.com")).toEqual({
+        valid: true,
+      });
+    });
+
+    test("accepts wildcard with multiple domain levels", () => {
+      expect(validateAllowedHostPattern("*.api.mycompany.com")).toEqual({
+        valid: true,
+      });
+    });
+  });
+
+  describe("rejects bare wildcards", () => {
+    test("rejects bare *", () => {
+      const result = validateAllowedHostPattern("*");
+      expect(result.valid).toBe(false);
+      expect((result as { valid: false; reason: string }).reason).toMatch(/bare/i);
+    });
+
+    test("rejects bare **", () => {
+      const result = validateAllowedHostPattern("**");
+      expect(result.valid).toBe(false);
+    });
+  });
+
+  describe("rejects wildcard in non-leading position", () => {
+    test("rejects wildcard in middle position", () => {
+      const result = validateAllowedHostPattern("api.*.com");
+      expect(result.valid).toBe(false);
+    });
+
+    test("rejects wildcard at end", () => {
+      const result = validateAllowedHostPattern("api.com.*");
+      expect(result.valid).toBe(false);
+    });
+  });
+
+  describe("rejects IP addresses", () => {
+    test("rejects IPv4 address", () => {
+      const result = validateAllowedHostPattern("192.168.1.1");
+      expect(result.valid).toBe(false);
+      expect((result as { valid: false; reason: string }).reason).toMatch(/ip/i);
+    });
+
+    test("rejects IPv4 loopback", () => {
+      const result = validateAllowedHostPattern("127.0.0.1");
+      expect(result.valid).toBe(false);
+    });
+
+    test("rejects IPv6 address", () => {
+      const result = validateAllowedHostPattern("::1");
+      expect(result.valid).toBe(false);
+      expect((result as { valid: false; reason: string }).reason).toMatch(/ip/i);
+    });
+
+    test("rejects full IPv6 address", () => {
+      const result = validateAllowedHostPattern("2001:db8::1");
+      expect(result.valid).toBe(false);
+      expect((result as { valid: false; reason: string }).reason).toMatch(/ip/i);
+    });
+  });
+
+  describe("rejects private TLDs", () => {
+    test("rejects *.local", () => {
+      const result = validateAllowedHostPattern("*.local");
+      expect(result.valid).toBe(false);
+    });
+
+    test("rejects *.internal", () => {
+      const result = validateAllowedHostPattern("*.internal");
+      expect(result.valid).toBe(false);
+    });
+
+    test("rejects *.localhost", () => {
+      const result = validateAllowedHostPattern("*.localhost");
+      expect(result.valid).toBe(false);
+    });
+
+    test("rejects exact match foo.local", () => {
+      const result = validateAllowedHostPattern("foo.local");
+      expect(result.valid).toBe(false);
+    });
+
+    test("rejects exact match foo.internal", () => {
+      const result = validateAllowedHostPattern("foo.internal");
+      expect(result.valid).toBe(false);
+    });
+
+    test("rejects exact match foo.localhost", () => {
+      const result = validateAllowedHostPattern("foo.localhost");
+      expect(result.valid).toBe(false);
+    });
+  });
+
+  describe("rejects cloud metadata hostnames", () => {
+    test("rejects metadata.google.internal", () => {
+      const result = validateAllowedHostPattern("metadata.google.internal");
+      expect(result.valid).toBe(false);
+    });
+
+    test("rejects instance-data.ec2.internal", () => {
+      const result = validateAllowedHostPattern("instance-data.ec2.internal");
+      expect(result.valid).toBe(false);
+    });
+  });
+
+  describe("rejects empty and malformed patterns", () => {
+    test("rejects empty string", () => {
+      const result = validateAllowedHostPattern("");
+      expect(result.valid).toBe(false);
+    });
+
+    test("rejects pattern with protocol", () => {
+      const result = validateAllowedHostPattern("https://api.example.com");
+      expect(result.valid).toBe(false);
+      expect((result as { valid: false; reason: string }).reason).toMatch(/protocol/i);
+    });
+
+    test("rejects pattern with path", () => {
+      const result = validateAllowedHostPattern("api.example.com/path");
+      expect(result.valid).toBe(false);
+      expect((result as { valid: false; reason: string }).reason).toMatch(/path/i);
+    });
+
+    test("rejects pattern with query", () => {
+      const result = validateAllowedHostPattern("api.example.com?query=1");
+      expect(result.valid).toBe(false);
+      expect((result as { valid: false; reason: string }).reason).toMatch(/query/i);
+    });
+
+    test("rejects pattern with port", () => {
+      const result = validateAllowedHostPattern("api.example.com:8080");
+      expect(result.valid).toBe(false);
+      expect((result as { valid: false; reason: string }).reason).toMatch(/port/i);
+    });
+  });
+});
+
+describe("matchesAllowedHost", () => {
+  describe("exact matching", () => {
+    test("exact match", () => {
+      expect(matchesAllowedHost("api.example.com", ["api.example.com"])).toBe(true);
+    });
+
+    test("case-insensitive exact match", () => {
+      expect(matchesAllowedHost("API.Example.COM", ["api.example.com"])).toBe(true);
+    });
+
+    test("strips trailing dot from hostname", () => {
+      expect(matchesAllowedHost("api.example.com.", ["api.example.com"])).toBe(true);
+    });
+
+    test("exact match doesn't match subdomain", () => {
+      expect(matchesAllowedHost("sub.api.example.com", ["api.example.com"])).toBe(false);
+    });
+
+    test("exact match doesn't match parent domain", () => {
+      expect(matchesAllowedHost("example.com", ["api.example.com"])).toBe(false);
+    });
+  });
+
+  describe("wildcard matching", () => {
+    test("wildcard matches one subdomain level", () => {
+      expect(matchesAllowedHost("foo.example.com", ["*.example.com"])).toBe(true);
+    });
+
+    test("wildcard matches multiple subdomain levels", () => {
+      expect(matchesAllowedHost("a.b.example.com", ["*.example.com"])).toBe(true);
+    });
+
+    test("wildcard does not match bare domain", () => {
+      expect(matchesAllowedHost("example.com", ["*.example.com"])).toBe(false);
+    });
+
+    test("wildcard is case-insensitive", () => {
+      expect(matchesAllowedHost("FOO.Example.COM", ["*.example.com"])).toBe(true);
+    });
+  });
+
+  describe("no match", () => {
+    test("no match returns false", () => {
+      expect(matchesAllowedHost("other.com", ["api.example.com"])).toBe(false);
+    });
+
+    test("empty patterns returns false", () => {
+      expect(matchesAllowedHost("api.example.com", [])).toBe(false);
+    });
+  });
+
+  describe("multiple patterns", () => {
+    test("matches against multiple patterns — first matches", () => {
+      expect(matchesAllowedHost("api.example.com", ["api.example.com", "other.com"])).toBe(true);
+    });
+
+    test("matches against multiple patterns — second matches", () => {
+      expect(matchesAllowedHost("other.com", ["api.example.com", "other.com"])).toBe(true);
+    });
+
+    test("matches against multiple patterns — none match", () => {
+      expect(matchesAllowedHost("nope.com", ["api.example.com", "other.com"])).toBe(false);
+    });
+  });
+
+  describe("port handling", () => {
+    test("port in hostname is stripped before matching exact", () => {
+      expect(matchesAllowedHost("api.weather.com:8080", ["api.weather.com"])).toBe(true);
+    });
+
+    test("port with wildcard pattern", () => {
+      expect(matchesAllowedHost("sub.example.com:443", ["*.example.com"])).toBe(true);
+    });
+  });
+
+  describe("IDN/punycode", () => {
+    test("ASCII hostnames compared normally", () => {
+      expect(matchesAllowedHost("xn--nxasmq6b.com", ["xn--nxasmq6b.com"])).toBe(true);
+    });
+  });
+});

package/sdk/allowed-hosts.ts

@@ -0,0 +1,113 @@
+// Copyright 2025 the AAI authors. MIT license.
+/**
+ * Allowlist matching for outbound host validation.
+ *
+ * Used at deploy time (manifest validation) and at runtime (SSRF enforcement)
+ * to restrict which external hosts an agent is permitted to contact.
+ *
+ * Lives in sdk/ because it has zero Node.js dependencies and can run in any
+ * environment (browser, Deno, Node.js sandboxes).
+ */
+
+/** Private/special-use TLDs that must never appear in allowedHosts patterns. */
+const BLOCKED_TLDS = ["local", "internal", "localhost"];
+
+/**
+ * Regex that matches an IPv4 address (four decimal octets separated by dots).
+ * Anchored so partial matches like "192.168.1.1.example.com" don't trigger it.
+ */
+const IPV4_RE = /^(\d{1,3}\.){3}\d{1,3}$/;
+
+type ValidationResult = { valid: true } | { valid: false; reason: string };
+
+function fail(reason: string): { valid: false; reason: string } {
+  return { valid: false, reason };
+}
+
+function checkStructural(pattern: string): ValidationResult | null {
+  if (pattern === "") return fail("Pattern must not be empty.");
+  if (pattern.includes("://"))
+    return fail("Pattern must not include a protocol (e.g. remove 'https://').");
+  if (pattern.includes("/")) return fail("Pattern must not include a path component (remove '/').");
+  if (pattern.includes("?")) return fail("Pattern must not include a query string (remove '?').");
+  if (pattern.startsWith("[") || pattern.includes("::"))
+    return fail("IP address literals are not allowed in allowedHosts patterns.");
+  if (pattern.includes(":"))
+    return fail("Pattern must not include a port number (e.g. remove ':8080').");
+  return null;
+}
+
+function checkWildcard(pattern: string): ValidationResult | null {
+  if (!pattern.includes("*")) return null;
+  if (pattern === "*" || pattern === "**")
+    return fail("Bare wildcard '*' is not allowed. Use '*.example.com' to allow all subdomains.");
+  const wildcardIndex = pattern.indexOf("*");
+  if (wildcardIndex !== 0 || pattern[1] !== ".")
+    return fail("Wildcard '*' may only appear as the leading segment (e.g. '*.example.com').");
+  if (pattern.lastIndexOf("*") !== 0)
+    return fail("Only a single leading wildcard segment is supported.");
+  return null;
+}
+
+function checkHostPart(hostPart: string): ValidationResult | null {
+  if (IPV4_RE.test(hostPart))
+    return fail("IP address literals are not allowed in allowedHosts patterns.");
+  const tld = hostPart.split(".").at(-1)?.toLowerCase() ?? "";
+  if (BLOCKED_TLDS.includes(tld))
+    return fail(`Patterns ending in '.${tld}' are not allowed (private/special-use TLD).`);
+  return null;
+}
+
+/**
+ * Validate a single `allowedHosts` pattern at deploy time.
+ *
+ * Returns `{ valid: true }` for acceptable patterns or
+ * `{ valid: false; reason: string }` with a human-readable rejection reason.
+ */
+export function validateAllowedHostPattern(pattern: string): ValidationResult {
+  const structural = checkStructural(pattern);
+  if (structural !== null) return structural;
+
+  const wildcard = checkWildcard(pattern);
+  if (wildcard !== null) return wildcard;
+
+  const hostPart = pattern.startsWith("*.") ? pattern.slice(2) : pattern;
+  const hostCheck = checkHostPart(hostPart);
+  if (hostCheck !== null) return hostCheck;
+
+  return { valid: true };
+}
+
+/**
+ * Test whether `hostname` matches any pattern in `patterns`.
+ *
+ * - Exact match is case-insensitive; trailing dots on the hostname are stripped.
+ * - Wildcard pattern `*.example.com` matches any hostname ending with
+ *   `.example.com` (one or more labels), but does NOT match `example.com` itself.
+ * - A port suffix on `hostname` (e.g. `api.example.com:8080`) is stripped before
+ *   matching.
+ * - Returns `false` when `patterns` is empty.
+ */
+export function matchesAllowedHost(hostname: string, patterns: string[]): boolean {
+  if (patterns.length === 0) return false;
+
+  // Strip port — only when there are no brackets (IPv6 bracket notation).
+  const portIndex = hostname.lastIndexOf(":");
+  let host = portIndex !== -1 && !hostname.includes("[") ? hostname.slice(0, portIndex) : hostname;
+
+  // Normalise: lowercase + strip trailing dot
+  host = host.toLowerCase().replace(/\.$/, "");
+
+  for (const pattern of patterns) {
+    const p = pattern.toLowerCase();
+    if (p.startsWith("*.")) {
+      // Wildcard: hostname must end with the suffix (e.g. ".example.com")
+      const suffix = p.slice(1); // ".example.com"
+      if (host.endsWith(suffix) && host.length > suffix.length) return true;
+    } else if (host === p) {
+      return true;
+    }
+  }
+
+  return false;
+}

package/sdk/exports.test.ts

@@ -0,0 +1,31 @@
+// Copyright 2025 the AAI authors. MIT license.
+/**
+ * Export surface snapshot tests for all four aai subpath exports.
+ *
+ * These tests catch accidental export additions or removals. If a snapshot
+ * breaks, it signals a potentially breaking API change that should be
+ * reviewed and documented with a changeset.
+ */
+import { describe, expect, test } from "vitest";
+
+describe("export surface stability", () => {
+  test("@alexkroman1/aai main export", async () => {
+    const mod = await import("@alexkroman1/aai");
+    expect(Object.keys(mod).sort()).toMatchSnapshot();
+  });
+
+  test("@alexkroman1/aai/protocol export", async () => {
+    const mod = await import("@alexkroman1/aai/protocol");
+    expect(Object.keys(mod).sort()).toMatchSnapshot();
+  });
+
+  test("@alexkroman1/aai/manifest export", async () => {
+    const mod = await import("@alexkroman1/aai/manifest");
+    expect(Object.keys(mod).sort()).toMatchSnapshot();
+  });
+
+  test("@alexkroman1/aai/runtime export", async () => {
+    const mod = await import("@alexkroman1/aai/runtime");
+    expect(Object.keys(mod).sort()).toMatchSnapshot();
+  });
+});

package/sdk/manifest-barrel.ts

@@ -1,12 +1,18 @@
 // Copyright 2025 the AAI authors. MIT license.
 /**
- * Manifest barrel — agent manifest parsing and tool schema conversion.
+ * Manifest barrel — agent config conversion and tool schema handling.
  *
- * Used by aai-cli (scanner, bundler) and aai-server (tests).
+ * Used by aai-cli (bundler) and aai-server (rpc-schemas).
  */
 
-// biome-ignore-all lint/performance/noReExportAll: barrel file by design
-
-export * from "./_internal-types.ts";
-export * from "./manifest.ts";
-export * from "./system-prompt.ts";
+export {
+  type AgentConfig,
+  AgentConfigSchema,
+  type AgentConfigSource,
+  agentToolsToSchemas,
+  EMPTY_PARAMS,
+  type ExecuteTool,
+  type ToolSchema,
+  ToolSchemaSchema,
+  toAgentConfig,
+} from "./_internal-types.ts";

package/sdk/manifest.test.ts

@@ -1,6 +1,9 @@
 // Copyright 2025 the AAI authors. MIT license.
-import { describe, expect, test } from "vitest";
-import { parseManifest } from "./manifest.ts";
+import fc from "fast-check";
+import { describe, expect, expectTypeOf, test } from "vitest";
+import { type Manifest, parseManifest } from "./manifest.ts";
+import type { AgentConfig, ToolSchema } from "./manifest-barrel.ts";
+import { agentToolsToSchemas, toAgentConfig } from "./manifest-barrel.ts";
 
 describe("parseManifest", () => {
   test("minimal manifest requires only name", () => {
@@ -12,6 +15,7 @@ describe("parseManifest", () => {
       maxSteps: 5,
       toolChoice: "auto",
       builtinTools: [],
+      allowedHosts: [],
       tools: {},
     });
   });
@@ -53,4 +57,101 @@ describe("parseManifest", () => {
   test("rejects unknown builtinTools", () => {
     expect(() => parseManifest({ name: "X", builtinTools: ["not_a_tool"] })).toThrow();
   });
+
+  test("allowedHosts defaults to empty array when omitted", () => {
+    const result = parseManifest({ name: "test" });
+    expect(result.allowedHosts).toEqual([]);
+  });
+
+  test("allowedHosts passes through valid patterns", () => {
+    const result = parseManifest({
+      name: "test",
+      allowedHosts: ["api.weather.com", "*.mycompany.com"],
+    });
+    expect(result.allowedHosts).toEqual(["api.weather.com", "*.mycompany.com"]);
+  });
+
+  test("rejects invalid allowedHosts pattern", () => {
+    expect(() => parseManifest({ name: "test", allowedHosts: ["*"] })).toThrow();
+  });
+
+  test("rejects allowedHosts with IP address", () => {
+    expect(() => parseManifest({ name: "test", allowedHosts: ["192.168.1.1"] })).toThrow();
+  });
+
+  test("rejects allowedHosts with private TLD", () => {
+    expect(() => parseManifest({ name: "test", allowedHosts: ["*.internal"] })).toThrow();
+  });
+
+  test("rejects allowedHosts with protocol", () => {
+    expect(() =>
+      parseManifest({ name: "test", allowedHosts: ["https://api.example.com"] }),
+    ).toThrow();
+  });
+});
+
+// ── Property-based tests ─────────────────────────────────────────────────
+
+describe("property: parseManifest", () => {
+  test("valid manifests always parse", () => {
+    const validManifestArb = fc.record({
+      name: fc.string({ minLength: 1 }),
+      systemPrompt: fc.option(fc.string(), { nil: undefined }),
+      greeting: fc.option(fc.string(), { nil: undefined }),
+      maxSteps: fc.option(fc.integer({ min: 1, max: 100 }), { nil: undefined }),
+      toolChoice: fc.option(fc.constantFrom("auto" as const, "required" as const), {
+        nil: undefined,
+      }),
+    });
+
+    fc.assert(
+      fc.property(validManifestArb, (manifest) => {
+        const result = parseManifest(manifest);
+        expect(result.name).toBe(manifest.name);
+        expect(result.maxSteps).toBeGreaterThan(0);
+        expect(["auto", "required"]).toContain(result.toolChoice);
+      }),
+    );
+  });
+
+  test("missing name throws", () => {
+    // Generate objects that never have a `name` field
+    const noNameArb = fc.record({
+      systemPrompt: fc.option(fc.string(), { nil: undefined }),
+      greeting: fc.option(fc.string(), { nil: undefined }),
+      maxSteps: fc.option(fc.integer({ min: 1, max: 100 }), { nil: undefined }),
+    });
+
+    fc.assert(
+      fc.property(noNameArb, (obj) => {
+        expect(() => parseManifest(obj)).toThrow();
+      }),
+    );
+  });
+});
+
+describe("manifest type contracts", () => {
+  test("parseManifest returns Manifest", () => {
+    const result = parseManifest({ name: "test" });
+    expectTypeOf(result).toEqualTypeOf<Manifest>();
+  });
+
+  test("parseManifest accepts unknown input", () => {
+    expectTypeOf(parseManifest).parameter(0).toBeUnknown();
+  });
+
+  test("toAgentConfig returns AgentConfig", () => {
+    const config = toAgentConfig({ name: "test", systemPrompt: "p", greeting: "g" });
+    expectTypeOf(config).toEqualTypeOf<AgentConfig>();
+  });
+
+  test("agentToolsToSchemas returns ToolSchema[]", () => {
+    const schemas = agentToolsToSchemas({});
+    expectTypeOf(schemas).toEqualTypeOf<ToolSchema[]>();
+  });
+
+  test("Manifest has allowedHosts as string[]", () => {
+    const result = parseManifest({ name: "test" });
+    expectTypeOf(result.allowedHosts).toEqualTypeOf<string[]>();
+  });
 });

package/sdk/manifest.ts

@@ -7,6 +7,7 @@
  */
 
 import { z } from "zod";
+import { validateAllowedHostPattern } from "./allowed-hosts.ts";
 import { BuiltinToolSchema, DEFAULT_GREETING, DEFAULT_SYSTEM_PROMPT } from "./types.ts";
 
 /**
@@ -43,6 +44,8 @@ export type Manifest = {
   theme?: Record<string, string> | undefined;
   /** Custom tool definitions keyed by tool name. */
   tools: Record<string, ToolManifest>;
+  /** Hostnames the agent is allowed to fetch. Empty = no fetch access. */
+  allowedHosts: string[];
 };
 
 const ToolManifestSchema = z.object({
@@ -61,6 +64,21 @@ const ManifestSchema = z.object({
   idleTimeoutMs: z.number().int().positive().optional(),
   theme: z.record(z.string(), z.string()).optional(),
   tools: z.record(z.string(), ToolManifestSchema).optional(),
+  allowedHosts: z
+    .array(z.string())
+    .optional()
+    .superRefine((hosts, ctx) => {
+      if (!hosts) return;
+      for (const h of hosts) {
+        const result = validateAllowedHostPattern(h);
+        if (!result.valid) {
+          ctx.addIssue({
+            code: z.ZodIssueCode.custom,
+            message: `Invalid allowedHosts pattern "${h}": ${result.reason}`,
+          });
+        }
+      }
+    }),
 });
 
 /**
@@ -85,5 +103,6 @@ export function parseManifest(input: unknown): Manifest {
     idleTimeoutMs: parsed.idleTimeoutMs,
     theme: parsed.theme,
     tools: parsed.tools ?? {},
+    allowedHosts: parsed.allowedHosts ?? [],
   };
 }

package/sdk/protocol-compat.test.ts

@@ -15,7 +15,6 @@ import {
   MAX_TOOL_RESULT_CHARS,
 } from "./constants.ts";
 import {
-  AUDIO_FORMAT,
   ClientMessageSchema,
   KvRequestSchema,
   ServerMessageSchema,
@@ -35,7 +34,6 @@ type Fixture = {
   ClientMessage: Record<string, unknown>[];
   KvRequest: Record<string, unknown>[];
   constants: {
-    AUDIO_FORMAT: string;
     DEFAULT_STT_SAMPLE_RATE: number;
     DEFAULT_TTS_SAMPLE_RATE: number;
     MAX_TOOL_RESULT_CHARS: number;
@@ -161,10 +159,6 @@ describe.each(fixtureFiles)("compat fixture: %s", (filename) => {
   // ── Constants stability ─────────────────────────────────────────
 
   describe("constants stability", () => {
-    test("AUDIO_FORMAT unchanged", () => {
-      expect(AUDIO_FORMAT).toBe(fixture.constants.AUDIO_FORMAT);
-    });
-
     test("DEFAULT_STT_SAMPLE_RATE unchanged", () => {
       expect(DEFAULT_STT_SAMPLE_RATE).toBe(fixture.constants.DEFAULT_STT_SAMPLE_RATE);
     });

package/sdk/protocol-snapshot.test.ts

@@ -14,7 +14,6 @@ import {
 } from "./constants.ts";
 import type { ClientEvent, ClientMessage, ServerMessage } from "./protocol.ts";
 import {
-  AUDIO_FORMAT,
   ClientEventSchema,
   ClientMessageSchema,
   KvRequestSchema,
@@ -24,10 +23,6 @@ import {
 // ── Constants ────────────────────────────────────────────────────────────
 
 describe("protocol constants", () => {
-  test("audio format", () => {
-    expect(AUDIO_FORMAT).toMatchInlineSnapshot(`"pcm16"`);
-  });
-
   test("sample rates", () => {
     expect(DEFAULT_STT_SAMPLE_RATE).toMatchInlineSnapshot("16000");
     expect(DEFAULT_TTS_SAMPLE_RATE).toMatchInlineSnapshot("24000");
@@ -77,6 +72,7 @@ describe("server→client event wire format", () => {
     ["reset", { type: "reset" }],
     ["idle_timeout", { type: "idle_timeout" }],
     ["error", { type: "error", code: "stt", message: "Speech recognition failed" }],
+    ["custom_event", { type: "custom_event", event: "game_state", data: { hp: 10 } }],
   ];
 
   test.each(valid)("%s parses successfully", (_label, event) => {
@@ -94,6 +90,12 @@ describe("server→client event wire format", () => {
     ).toBe(false);
   });
 
+  test("rejects custom_event with empty event name", () => {
+    expect(
+      ClientEventSchema.safeParse({ type: "custom_event", event: "", data: null }).success,
+    ).toBe(false);
+  });
+
   test("rejects tool_call_done with oversized result", () => {
     expect(
       ClientEventSchema.safeParse({