@eddacraft/anvil-kindling-integration 0.1.0

package/src/malicious-ai.test.ts

@@ -0,0 +1,949 @@
+/**
+ * Malicious AI Test Suite (KINDLING-011)
+ *
+ * Proves read-only enforcement by testing that:
+ * 1. No write/update/delete operations exist on query interfaces
+ * 2. Global queries (no scope/ID) are rejected
+ * 3. Queries exceeding limits are truncated
+ * 4. Observations with sensitive data are caught
+ * 5. Invalid scopes and free-text search are rejected
+ *
+ * These tests prove Kindling is LLM-safe by construction.
+ * If user AI wants memory, it must bring its own store.
+ */
+
+import { describe, it, expect } from 'vitest';
+import {
+  // Observation contract
+  validateObservation,
+  containsSensitiveData,
+  ObservationSchema,
+  type Observation,
+
+  // Query contract
+  validateQueryRequest,
+  validateQueryResponse,
+  QueryRequestSchema,
+  SessionQuerySchema,
+  PlanQuerySchema,
+  GateQuerySchema,
+  ActionQuerySchema,
+  type QueryRequest,
+  type QueryResponse,
+} from './index.js';
+
+// =============================================================================
+// Test Helpers
+// =============================================================================
+
+const VALID_UUID = '550e8400-e29b-41d4-a716-446655440000';
+const VALID_TIMESTAMP = '2026-02-15T10:00:00.000Z';
+
+function makeValidSessionQuery(): QueryRequest {
+  return {
+    scope: 'session',
+    session_id: VALID_UUID,
+    shape: 'timeline',
+    format: 'json',
+    max_results: 100,
+    max_payload_bytes: 1024 * 1024,
+  };
+}
+
+function makeValidQueryResponse(
+  overrides: Partial<{
+    result_count: number;
+    truncated: boolean;
+    truncation_reason: 'max_results' | 'max_payload_bytes' | 'none';
+    observations: unknown[];
+  }> = {}
+): QueryResponse {
+  return {
+    metadata: {
+      query_id: VALID_UUID,
+      executed_at: VALID_TIMESTAMP,
+      contract_version: '1.0.0',
+      result_count: overrides.result_count ?? 0,
+      truncated: overrides.truncated ?? false,
+      truncation_reason: overrides.truncation_reason ?? 'none',
+    },
+    observations: (overrides.observations ?? []) as QueryResponse['observations'],
+  };
+}
+
+function makeValidSessionStartObservation(): Observation {
+  return {
+    kind: 'session_start',
+    session_id: VALID_UUID,
+    timestamp: VALID_TIMESTAMP,
+    context: {
+      working_directory: '/home/user/project',
+      anvil_version: '1.0.0',
+      command: 'anvil check',
+      args: ['--watch'],
+      environment: 'development',
+    },
+  } as Observation;
+}
+
+// =============================================================================
+// 1. Read-Only Enforcement: No Write/Update/Delete Operations
+// =============================================================================
+
+describe('Read-only enforcement (anti-mutation)', () => {
+  it('QueryRequest schema has no write operation field', () => {
+    const queryWithWrite = {
+      ...makeValidSessionQuery(),
+      operation: 'write',
+    };
+    // The extra field should be stripped or ignored by Zod,
+    // but the query should still only allow read semantics
+    const result = QueryRequestSchema.safeParse(queryWithWrite);
+    if (result.success) {
+      // Even if parsing succeeds, the result should not have 'operation'
+      expect((result.data as Record<string, unknown>)['operation']).toBeUndefined();
+    }
+  });
+
+  it('QueryRequest does not accept write() method signature', () => {
+    // Attempt to disguise a write as a query
+    const maliciousQuery = {
+      scope: 'session',
+      session_id: VALID_UUID,
+      shape: 'timeline',
+      write: { kind: 'session_start', data: 'injected' },
+    };
+    const result = QueryRequestSchema.safeParse(maliciousQuery);
+    if (result.success) {
+      expect((result.data as Record<string, unknown>)['write']).toBeUndefined();
+    }
+  });
+
+  it('QueryRequest does not accept update() method signature', () => {
+    const maliciousQuery = {
+      scope: 'session',
+      session_id: VALID_UUID,
+      shape: 'timeline',
+      update: { observation_id: VALID_UUID, payload: { modified: true } },
+    };
+    const result = QueryRequestSchema.safeParse(maliciousQuery);
+    if (result.success) {
+      expect((result.data as Record<string, unknown>)['update']).toBeUndefined();
+    }
+  });
+
+  it('QueryRequest does not accept delete() method signature', () => {
+    const maliciousQuery = {
+      scope: 'session',
+      session_id: VALID_UUID,
+      shape: 'timeline',
+      delete: { observation_id: VALID_UUID },
+    };
+    const result = QueryRequestSchema.safeParse(maliciousQuery);
+    if (result.success) {
+      expect((result.data as Record<string, unknown>)['delete']).toBeUndefined();
+    }
+  });
+
+  it('QueryRequest does not accept annotate()', () => {
+    const maliciousQuery = {
+      scope: 'gate',
+      gate_eval_id: 'gate-001',
+      shape: 'entity',
+      annotate: { note: 'AI thinks this gate should have passed' },
+    };
+    const result = QueryRequestSchema.safeParse(maliciousQuery);
+    if (result.success) {
+      expect((result.data as Record<string, unknown>)['annotate']).toBeUndefined();
+    }
+  });
+
+  it('QueryRequest does not accept tag()', () => {
+    const maliciousQuery = {
+      scope: 'action',
+      action_id: 'action-001',
+      shape: 'entity',
+      tag: ['important', 'review-needed'],
+    };
+    const result = QueryRequestSchema.safeParse(maliciousQuery);
+    if (result.success) {
+      expect((result.data as Record<string, unknown>)['tag']).toBeUndefined();
+    }
+  });
+
+  it('QueryRequest does not accept learn()', () => {
+    const maliciousQuery = {
+      scope: 'session',
+      session_id: VALID_UUID,
+      shape: 'timeline',
+      learn: { pattern: 'gate failures on Mondays', confidence: 0.8 },
+    };
+    const result = QueryRequestSchema.safeParse(maliciousQuery);
+    if (result.success) {
+      expect((result.data as Record<string, unknown>)['learn']).toBeUndefined();
+    }
+  });
+
+  it('QueryRequest does not accept embed()', () => {
+    const maliciousQuery = {
+      scope: 'session',
+      session_id: VALID_UUID,
+      shape: 'timeline',
+      embed: { model: 'text-embedding-3-large', store_embeddings: true },
+    };
+    const result = QueryRequestSchema.safeParse(maliciousQuery);
+    if (result.success) {
+      expect((result.data as Record<string, unknown>)['embed']).toBeUndefined();
+    }
+  });
+
+  it('QueryRequest does not accept infer()', () => {
+    const maliciousQuery = {
+      scope: 'session',
+      session_id: VALID_UUID,
+      shape: 'timeline',
+      infer: { prompt: 'What patterns do you see?', store_result: true },
+    };
+    const result = QueryRequestSchema.safeParse(maliciousQuery);
+    if (result.success) {
+      expect((result.data as Record<string, unknown>)['infer']).toBeUndefined();
+    }
+  });
+
+  it('Observation contract exports only validate + containsSensitiveData (no mutators)', () => {
+    // Verify the exported validation functions exist and work
+    expect(typeof validateObservation).toBe('function');
+    expect(typeof containsSensitiveData).toBe('function');
+
+    // Verify no write/update/delete functions are exported from the module
+    // We check by ensuring the contract is purely declarative
+    const obs = makeValidSessionStartObservation();
+    const validation = validateObservation(obs);
+    expect(validation.success).toBe(true);
+  });
+});
+
+// =============================================================================
+// 2. Global Query Rejection (Mandatory Scoping)
+// =============================================================================
+
+describe('Global query rejection (mandatory scoping)', () => {
+  it('rejects query with no scope', () => {
+    const globalQuery = {
+      shape: 'list',
+      format: 'json',
+      max_results: 100,
+    };
+    const result = validateQueryRequest(globalQuery);
+    expect(result.success).toBe(false);
+  });
+
+  it('rejects query with invalid scope "global"', () => {
+    const globalQuery = {
+      scope: 'global',
+      shape: 'list',
+      format: 'json',
+      max_results: 100,
+    };
+    const result = validateQueryRequest(globalQuery);
+    expect(result.success).toBe(false);
+  });
+
+  it('rejects query with invalid scope "all"', () => {
+    const allQuery = {
+      scope: 'all',
+      shape: 'list',
+      format: 'json',
+      max_results: 100,
+    };
+    const result = validateQueryRequest(allQuery);
+    expect(result.success).toBe(false);
+  });
+
+  it('rejects query with invalid scope "search"', () => {
+    const searchQuery = {
+      scope: 'search',
+      query: 'find all gate failures',
+      shape: 'list',
+    };
+    const result = validateQueryRequest(searchQuery);
+    expect(result.success).toBe(false);
+  });
+
+  it('rejects session query without session_id', () => {
+    const noIdQuery = {
+      scope: 'session',
+      shape: 'timeline',
+      format: 'json',
+    };
+    const result = SessionQuerySchema.safeParse(noIdQuery);
+    expect(result.success).toBe(false);
+  });
+
+  it('rejects plan query without plan_id', () => {
+    const noIdQuery = {
+      scope: 'plan',
+      shape: 'entity',
+      format: 'json',
+    };
+    const result = PlanQuerySchema.safeParse(noIdQuery);
+    expect(result.success).toBe(false);
+  });
+
+  it('rejects gate query without gate_eval_id', () => {
+    const noIdQuery = {
+      scope: 'gate',
+      shape: 'entity',
+      format: 'json',
+    };
+    const result = GateQuerySchema.safeParse(noIdQuery);
+    expect(result.success).toBe(false);
+  });
+
+  it('rejects action query without action_id', () => {
+    const noIdQuery = {
+      scope: 'action',
+      shape: 'entity',
+      format: 'json',
+    };
+    const result = ActionQuerySchema.safeParse(noIdQuery);
+    expect(result.success).toBe(false);
+  });
+
+  it('rejects free-text search query', () => {
+    const freeTextQuery = {
+      scope: 'session',
+      session_id: VALID_UUID,
+      shape: 'timeline',
+      free_text: 'gate failures last week',
+    };
+    const result = QueryRequestSchema.safeParse(freeTextQuery);
+    if (result.success) {
+      // Even if it parses, the free_text field must not be in the result
+      expect((result.data as Record<string, unknown>)['free_text']).toBeUndefined();
+    }
+  });
+
+  it('rejects semantic search query', () => {
+    const semanticQuery = {
+      scope: 'session',
+      session_id: VALID_UUID,
+      shape: 'list',
+      semantic_search: 'similar gate failures',
+      embedding_model: 'text-embedding-3-large',
+    };
+    const result = QueryRequestSchema.safeParse(semanticQuery);
+    if (result.success) {
+      expect((result.data as Record<string, unknown>)['semantic_search']).toBeUndefined();
+      expect((result.data as Record<string, unknown>)['embedding_model']).toBeUndefined();
+    }
+  });
+
+  it('rejects cross-project query scope', () => {
+    const crossProjectQuery = {
+      scope: 'cross_project',
+      project_ids: ['project-1', 'project-2'],
+      shape: 'list',
+    };
+    const result = validateQueryRequest(crossProjectQuery);
+    expect(result.success).toBe(false);
+  });
+
+  it('only allows 4 valid scopes: session, plan, gate, action', () => {
+    const validScopes = ['session', 'plan', 'gate', 'action'];
+    const invalidScopes = [
+      'global',
+      'all',
+      'search',
+      'cross_project',
+      'similarity',
+      'embedding',
+      'pattern',
+      'trend',
+      'anomaly',
+    ];
+
+    for (const scope of invalidScopes) {
+      const query = { scope, shape: 'list', format: 'json' };
+      const result = validateQueryRequest(query);
+      expect(result.success).toBe(false);
+    }
+
+    // Valid scopes need their required IDs
+    for (const scope of validScopes) {
+      const query = { scope, shape: 'list', format: 'json' };
+      // These will fail due to missing IDs, which is correct -- scope alone is not enough
+      const result = validateQueryRequest(query);
+      // session/gate/action should fail (missing required ID)
+      // plan might also fail (missing plan_id)
+      if (scope !== 'plan') {
+        expect(result.success).toBe(false);
+      }
+    }
+  });
+});
+
+// =============================================================================
+// 3. Query Limits Enforcement (Anti-Vacuum-Cleaner)
+// =============================================================================
+
+describe('Query limits enforcement (anti-vacuum-cleaner)', () => {
+  it('max_results cannot exceed 1000', () => {
+    const query = {
+      scope: 'session',
+      session_id: VALID_UUID,
+      shape: 'timeline',
+      max_results: 10000,
+    };
+    const result = SessionQuerySchema.safeParse(query);
+    expect(result.success).toBe(false);
+  });
+
+  it('max_results must be positive', () => {
+    const query = {
+      scope: 'session',
+      session_id: VALID_UUID,
+      shape: 'timeline',
+      max_results: 0,
+    };
+    const result = SessionQuerySchema.safeParse(query);
+    expect(result.success).toBe(false);
+  });
+
+  it('max_results must be an integer', () => {
+    const query = {
+      scope: 'session',
+      session_id: VALID_UUID,
+      shape: 'timeline',
+      max_results: 50.5,
+    };
+    const result = SessionQuerySchema.safeParse(query);
+    expect(result.success).toBe(false);
+  });
+
+  it('max_payload_bytes cannot exceed 10MB', () => {
+    const query = {
+      scope: 'session',
+      session_id: VALID_UUID,
+      shape: 'timeline',
+      max_payload_bytes: 100 * 1024 * 1024, // 100MB
+    };
+    const result = SessionQuerySchema.safeParse(query);
+    expect(result.success).toBe(false);
+  });
+
+  it('max_payload_bytes must be positive', () => {
+    const query = {
+      scope: 'session',
+      session_id: VALID_UUID,
+      shape: 'timeline',
+      max_payload_bytes: 0,
+    };
+    const result = SessionQuerySchema.safeParse(query);
+    expect(result.success).toBe(false);
+  });
+
+  it('defaults max_results to 100 when not specified', () => {
+    const query = {
+      scope: 'session',
+      session_id: VALID_UUID,
+      shape: 'timeline',
+    };
+    const result = SessionQuerySchema.safeParse(query);
+    expect(result.success).toBe(true);
+    if (result.success) {
+      expect(result.data.max_results).toBe(100);
+    }
+  });
+
+  it('defaults max_payload_bytes to 1MB when not specified', () => {
+    const query = {
+      scope: 'session',
+      session_id: VALID_UUID,
+      shape: 'timeline',
+    };
+    const result = SessionQuerySchema.safeParse(query);
+    expect(result.success).toBe(true);
+    if (result.success) {
+      expect(result.data.max_payload_bytes).toBe(1024 * 1024);
+    }
+  });
+
+  it('QueryResponse tracks truncation status', () => {
+    const truncatedResponse = makeValidQueryResponse({
+      result_count: 1000,
+      truncated: true,
+      truncation_reason: 'max_results',
+    });
+    const result = validateQueryResponse(truncatedResponse);
+    expect(result.success).toBe(true);
+    if (result.success && result.data) {
+      expect(result.data.metadata.truncated).toBe(true);
+      expect(result.data.metadata.truncation_reason).toBe('max_results');
+    }
+  });
+
+  it('QueryResponse tracks payload bytes truncation', () => {
+    const truncatedResponse = makeValidQueryResponse({
+      result_count: 50,
+      truncated: true,
+      truncation_reason: 'max_payload_bytes',
+    });
+    const result = validateQueryResponse(truncatedResponse);
+    expect(result.success).toBe(true);
+    if (result.success && result.data) {
+      expect(result.data.metadata.truncated).toBe(true);
+      expect(result.data.metadata.truncation_reason).toBe('max_payload_bytes');
+    }
+  });
+
+  it('accepts queries at exactly the max_results limit (1000)', () => {
+    const query = {
+      scope: 'session',
+      session_id: VALID_UUID,
+      shape: 'timeline',
+      max_results: 1000,
+    };
+    const result = SessionQuerySchema.safeParse(query);
+    expect(result.success).toBe(true);
+  });
+
+  it('accepts queries at exactly the max_payload_bytes limit (10MB)', () => {
+    const query = {
+      scope: 'session',
+      session_id: VALID_UUID,
+      shape: 'timeline',
+      max_payload_bytes: 10 * 1024 * 1024,
+    };
+    const result = SessionQuerySchema.safeParse(query);
+    expect(result.success).toBe(true);
+  });
+});
+
+// =============================================================================
+// 4. Sensitive Data Detection
+// =============================================================================
+
+describe('Sensitive data detection in observations', () => {
+  it('detects passwords in observation payload', () => {
+    const obs: Observation = {
+      kind: 'action_executed',
+      session_id: VALID_UUID,
+      timestamp: VALID_TIMESTAMP,
+      action_id: 'action-001',
+      action_type: 'command',
+      details: {
+        command: 'mysql -u root --password=secret123',
+        working_directory: '/home/user',
+      },
+      outcome: 'success',
+      duration_ms: 100,
+    } as Observation;
+
+    const result = containsSensitiveData(obs);
+    expect(result.hasSensitiveData).toBe(true);
+    expect(result.issues.length).toBeGreaterThan(0);
+    expect(result.issues.some((i) => /password|token|key/i.test(i))).toBe(true);
+  });
+
+  it('detects API keys in observation payload', () => {
+    const obs: Observation = {
+      kind: 'action_executed',
+      session_id: VALID_UUID,
+      timestamp: VALID_TIMESTAMP,
+      action_id: 'action-002',
+      action_type: 'command',
+      details: {
+        command: 'curl -H "Authorization: Bearer sk-abc123api_key_here"',
+        working_directory: '/home/user',
+      },
+      outcome: 'success',
+      duration_ms: 50,
+    } as Observation;
+
+    const result = containsSensitiveData(obs);
+    expect(result.hasSensitiveData).toBe(true);
+    expect(result.issues.some((i) => /password|token|key/i.test(i))).toBe(true);
+  });
+
+  it('detects AWS credentials in observation payload', () => {
+    const obs: Observation = {
+      kind: 'action_executed',
+      session_id: VALID_UUID,
+      timestamp: VALID_TIMESTAMP,
+      action_id: 'action-003',
+      action_type: 'command',
+      details: {
+        command: 'export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE',
+        working_directory: '/home/user',
+      },
+      outcome: 'success',
+      duration_ms: 10,
+    } as Observation;
+
+    const result = containsSensitiveData(obs);
+    expect(result.hasSensitiveData).toBe(true);
+    expect(result.issues.some((i) => /AWS/i.test(i))).toBe(true);
+  });
+
+  it('detects email addresses in observation payload', () => {
+    const obs: Observation = {
+      kind: 'human_input',
+      session_id: VALID_UUID,
+      timestamp: VALID_TIMESTAMP,
+      input_type: 'approval',
+      context: {
+        prompt: 'Approve deployment?',
+      },
+      decision: 'approved',
+      user_identifier: 'admin@company.com',
+    } as Observation;
+
+    const result = containsSensitiveData(obs);
+    expect(result.hasSensitiveData).toBe(true);
+    expect(result.issues.some((i) => /email/i.test(i))).toBe(true);
+  });
+
+  it('detects private keys in observation payload', () => {
+    const obs: Observation = {
+      kind: 'action_executed',
+      session_id: VALID_UUID,
+      timestamp: VALID_TIMESTAMP,
+      action_id: 'action-004',
+      action_type: 'command',
+      details: {
+        command: 'ssh -i ~/.ssh/private_key user@host',
+        working_directory: '/home/user',
+      },
+      outcome: 'success',
+      duration_ms: 5000,
+    } as Observation;
+
+    const result = containsSensitiveData(obs);
+    expect(result.hasSensitiveData).toBe(true);
+  });
+
+  it('passes clean observations without sensitive data', () => {
+    const obs: Observation = {
+      kind: 'gate_evaluated',
+      session_id: VALID_UUID,
+      timestamp: VALID_TIMESTAMP,
+      gate_eval_id: 'gate-001',
+      gate_id: 'architecture',
+      inputs: {
+        file_count: 5,
+        changed_files: ['src/index.ts', 'src/config.ts'],
+      },
+      outcome: 'pass',
+      rules_evaluated: ['no-circular-deps', 'layer-boundaries'],
+      enforcement: 'blocking',
+      duration_ms: 250,
+    } as Observation;
+
+    const result = containsSensitiveData(obs);
+    expect(result.hasSensitiveData).toBe(false);
+    expect(result.issues).toHaveLength(0);
+  });
+
+  it('detects secrets embedded in error messages', () => {
+    const obs: Observation = {
+      kind: 'error',
+      session_id: VALID_UUID,
+      timestamp: VALID_TIMESTAMP,
+      error_id: 'err-001',
+      error_type: 'command_failure',
+      context: {
+        component: 'deployment',
+      },
+      error_message: 'Failed to authenticate with token sk-live-abc123def456',
+      recoverable: false,
+    } as Observation;
+
+    const result = containsSensitiveData(obs);
+    expect(result.hasSensitiveData).toBe(true);
+  });
+});
+
+// =============================================================================
+// 5. Observation Schema Validation (Correctness Boundary)
+// =============================================================================
+
+describe('Observation schema validation (correctness boundary)', () => {
+  it('validates a correct session_start observation', () => {
+    const obs = {
+      kind: 'session_start',
+      session_id: VALID_UUID,
+      timestamp: VALID_TIMESTAMP,
+      context: {
+        working_directory: '/home/user/project',
+        anvil_version: '1.0.0',
+        command: 'anvil check',
+        args: [],
+        environment: 'development',
+      },
+    };
+    const result = validateObservation(obs);
+    expect(result.success).toBe(true);
+  });
+
+  it('rejects observation with unknown kind', () => {
+    const obs = {
+      kind: 'ai_inference',
+      session_id: VALID_UUID,
+      timestamp: VALID_TIMESTAMP,
+      inference: 'I think the build will fail next time',
+    };
+    const result = validateObservation(obs);
+    expect(result.success).toBe(false);
+  });
+
+  it('rejects observation without session_id', () => {
+    const obs = {
+      kind: 'session_start',
+      timestamp: VALID_TIMESTAMP,
+      context: {
+        working_directory: '/home/user/project',
+        anvil_version: '1.0.0',
+        command: 'anvil check',
+        args: [],
+        environment: 'development',
+      },
+    };
+    const result = validateObservation(obs);
+    expect(result.success).toBe(false);
+  });
+
+  it('rejects observation with invalid timestamp format', () => {
+    const obs = {
+      kind: 'session_start',
+      session_id: VALID_UUID,
+      timestamp: 'yesterday',
+      context: {
+        working_directory: '/home/user/project',
+        anvil_version: '1.0.0',
+        command: 'anvil check',
+        args: [],
+        environment: 'development',
+      },
+    };
+    const result = validateObservation(obs);
+    expect(result.success).toBe(false);
+  });
+
+  it('validates all 11 observation kinds are accepted', () => {
+    const kinds = [
+      'session_start',
+      'session_end',
+      'plan_created',
+      'plan_edited',
+      'plan_approved',
+      'plan_rejected',
+      'action_executed',
+      'gate_evaluated',
+      'constraint_applied',
+      'human_input',
+      'error',
+    ];
+    // Just verify the schema discriminator recognises all kinds
+    for (const kind of kinds) {
+      const obs = { kind };
+      const result = ObservationSchema.safeParse(obs);
+      // Will fail for missing fields, but should NOT fail for unknown kind
+      if (!result.success) {
+        const errorStr = JSON.stringify(result.error.format());
+        // The error should be about missing fields, not about the kind being invalid
+        expect(errorStr).not.toContain('Invalid discriminator value');
+      }
+    }
+  });
+});
+
+// =============================================================================
+// 6. Query Shape and Format Validation
+// =============================================================================
+
+describe('Query shape and format validation', () => {
+  it('only allows valid shapes: timeline, list, entity', () => {
+    const invalidShapes = ['graph', 'tree', 'embedding_space', 'similarity_matrix'];
+    for (const shape of invalidShapes) {
+      const query = {
+        scope: 'session',
+        session_id: VALID_UUID,
+        shape,
+      };
+      const result = SessionQuerySchema.safeParse(query);
+      expect(result.success).toBe(false);
+    }
+  });
+
+  it('only allows valid formats: json, text', () => {
+    const invalidFormats = ['xml', 'csv', 'embedding', 'binary'];
+    for (const format of invalidFormats) {
+      const query = {
+        scope: 'session',
+        session_id: VALID_UUID,
+        shape: 'timeline',
+        format,
+      };
+      const result = SessionQuerySchema.safeParse(query);
+      expect(result.success).toBe(false);
+    }
+  });
+
+  it('defaults format to json when not specified', () => {
+    const query = {
+      scope: 'session',
+      session_id: VALID_UUID,
+      shape: 'timeline',
+    };
+    const result = SessionQuerySchema.safeParse(query);
+    expect(result.success).toBe(true);
+    if (result.success) {
+      expect(result.data.format).toBe('json');
+    }
+  });
+});
+
+// =============================================================================
+// 7. Query Response Output Guarantees
+// =============================================================================
+
+describe('Query response output guarantees', () => {
+  it('response must include metadata with query_id and executed_at', () => {
+    const responseWithoutMeta = {
+      observations: [],
+    };
+    const result = validateQueryResponse(responseWithoutMeta);
+    expect(result.success).toBe(false);
+  });
+
+  it('response metadata must include contract_version', () => {
+    const responseNoVersion = {
+      metadata: {
+        query_id: VALID_UUID,
+        executed_at: VALID_TIMESTAMP,
+        result_count: 0,
+        truncated: false,
+      },
+      observations: [],
+    };
+    const result = validateQueryResponse(responseNoVersion);
+    expect(result.success).toBe(false);
+  });
+
+  it('response must include truncation status', () => {
+    const responseNoTruncation = {
+      metadata: {
+        query_id: VALID_UUID,
+        executed_at: VALID_TIMESTAMP,
+        contract_version: '1.0.0',
+        result_count: 0,
+      },
+      observations: [],
+    };
+    const result = validateQueryResponse(responseNoTruncation);
+    expect(result.success).toBe(false);
+  });
+
+  it('valid response passes validation', () => {
+    const response = makeValidQueryResponse();
+    const result = validateQueryResponse(response);
+    expect(result.success).toBe(true);
+  });
+});
+
+// =============================================================================
+// 8. Time Bounds Validation
+// =============================================================================
+
+describe('Time bounds validation', () => {
+  it('accepts valid ISO8601 time_after', () => {
+    const query = {
+      scope: 'session',
+      session_id: VALID_UUID,
+      shape: 'timeline',
+      time_after: '2026-01-01T00:00:00.000Z',
+    };
+    const result = SessionQuerySchema.safeParse(query);
+    expect(result.success).toBe(true);
+  });
+
+  it('accepts valid ISO8601 time_before', () => {
+    const query = {
+      scope: 'session',
+      session_id: VALID_UUID,
+      shape: 'timeline',
+      time_before: '2026-12-31T23:59:59.999Z',
+    };
+    const result = SessionQuerySchema.safeParse(query);
+    expect(result.success).toBe(true);
+  });
+
+  it('rejects invalid time_after format', () => {
+    const query = {
+      scope: 'session',
+      session_id: VALID_UUID,
+      shape: 'timeline',
+      time_after: 'last week',
+    };
+    const result = SessionQuerySchema.safeParse(query);
+    expect(result.success).toBe(false);
+  });
+
+  it('rejects natural language time expressions', () => {
+    const query = {
+      scope: 'session',
+      session_id: VALID_UUID,
+      shape: 'timeline',
+      time_after: '3 days ago',
+    };
+    const result = SessionQuerySchema.safeParse(query);
+    expect(result.success).toBe(false);
+  });
+});
+
+// =============================================================================
+// 9. Session ID Format Validation
+// =============================================================================
+
+describe('Session ID format validation', () => {
+  it('accepts valid UUID session_id', () => {
+    const query = {
+      scope: 'session',
+      session_id: VALID_UUID,
+      shape: 'timeline',
+    };
+    const result = SessionQuerySchema.safeParse(query);
+    expect(result.success).toBe(true);
+  });
+
+  it('rejects non-UUID session_id', () => {
+    const query = {
+      scope: 'session',
+      session_id: 'not-a-uuid',
+      shape: 'timeline',
+    };
+    const result = SessionQuerySchema.safeParse(query);
+    expect(result.success).toBe(false);
+  });
+
+  it('rejects wildcard session_id', () => {
+    const query = {
+      scope: 'session',
+      session_id: '*',
+      shape: 'timeline',
+    };
+    const result = SessionQuerySchema.safeParse(query);
+    expect(result.success).toBe(false);
+  });
+
+  it('rejects SQL injection in session_id', () => {
+    const query = {
+      scope: 'session',
+      session_id: "'; DROP TABLE observations; --",
+      shape: 'timeline',
+    };
+    const result = SessionQuerySchema.safeParse(query);
+    expect(result.success).toBe(false);
+  });
+});