@openwop/openwop-conformance 1.1.1 → 1.2.0

package/src/scenarios/aiEnvelope.correlationReplay.test.ts

@@ -0,0 +1,69 @@
+/**
+ * aiEnvelope.correlationReplay — FINAL v1.1 advertisement-shape verification + behavioral placeholders.
+ *
+ * Status: DRAFT (advertisement-shape). `spec/v1/ai-envelope.md` landed
+ * 2026-05-17 as DRAFT v1.x. Behavioral assertions stay `it.todo()` until a
+ * reference host wires the accept path and the cross-process replay seam.
+ *
+ * Summary: two envelopes in the same run with the same `correlationId` MUST
+ * be treated as a re-emission. The second invocation returns the cached
+ * `EnvelopeOutcome` synchronously without re-invoking the handler. After
+ * process death + recovery, the engine MUST consult the run event log via
+ * `causationId = correlationId` and return the cached outcome — the handler
+ * runs at most once per `correlationId` per run lifetime. A re-emission with
+ * the same `correlationId` but a different `type` MUST be refused with
+ * `envelope_correlation_conflict`.
+ *
+ * @see spec/v1/ai-envelope.md §"Replay determinism"
+ * @see spec/v1/interrupt.md §"Replay determinism" (parallel contract)
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+
+interface DiscoveryDoc {
+  capabilities?: Record<string, unknown>;
+}
+
+async function isEnvelopeContractsAdvertised(): Promise<boolean> {
+  const res = await driver.get('/.well-known/openwop');
+  const body = res.json as DiscoveryDoc | undefined;
+  const top = body?.capabilities as Record<string, unknown> | undefined;
+  const block = top && typeof top === 'object' ? (top['envelopeContracts'] as Record<string, unknown> | undefined) : undefined;
+  return Boolean(block && block['advertised'] === true);
+}
+
+describe('aiEnvelope.correlationReplay: advertisement shape (FINAL v1.1)', () => {
+  it('host that advertises envelopeContracts.advertised:true claims the replay-determinism contract', async () => {
+    if (!(await isEnvelopeContractsAdvertised())) return; // not opted in — skip
+    // The contract has no separate capability flag — advertising
+    // envelopeContracts is the claim. The behavioral assertions below
+    // exercise the contract; this advertisement-shape test exists so
+    // a "no envelope contracts at all" host doesn't appear in failure
+    // reports for this scenario.
+    expect(true).toBe(true);
+  });
+});
+
+describe('aiEnvelope.correlationReplay: engine-state placeholders', () => {
+  // The 4 assertions below require the engine to maintain a per-run
+  // correlationId → cached-outcome map AND project envelope acceptance
+  // onto RunEventDocs with `causationId = envelope.correlationId`.
+  //
+  // The reference workflow-engine sample's `acceptEnvelope` is a pure
+  // function (host/envelopeAcceptor.ts) — it validates + categorizes
+  // a single envelope without tracking state across calls. Promoting
+  // these to behavioral requires either:
+  //   (a) extending the acceptor with an injected dedup store
+  //       (per-run correlationId map keyed by runId), OR
+  //   (b) a higher-level test seam that wires the acceptor into the
+  //       run lifecycle + event log.
+  //
+  // (b) is the spec-faithful path (per ai-envelope.md §"Replay
+  // determinism" the dedup is engine-level, not acceptor-level).
+  // Tracked as host-impl follow-up.
+  it.todo('emit envelope twice with same correlationId → second returns cached outcome; no duplicate RunEventDocs');
+  it.todo('emit envelope with correlationId C, then with same C and different type → refuse envelope_correlation_conflict');
+  it.todo('cross-process replay: process-death after accept; recovered process re-emits same correlationId → cached outcome, no handler re-invocation');
+  it.todo('resulting RunEventDoc.causationId equals the envelope.correlationId (causal chain preserved)');
+});

package/src/scenarios/aiEnvelope.redaction.test.ts

@@ -0,0 +1,73 @@
+/**
+ * aiEnvelope.redaction — FINAL v1.1 advertisement-shape verification + behavioral placeholders.
+ *
+ * Status: DRAFT (advertisement-shape). `spec/v1/ai-envelope.md` landed
+ * 2026-05-17 as DRAFT v1.x. Behavioral assertions stay `it.todo()` until a
+ * reference host wires the envelope accept path through the BYOK redaction
+ * harness.
+ *
+ * Summary: AI Envelopes MUST route through the same BYOK redaction harness
+ * applied to a fresh `MemoryEntry.put` per `agent-memory.md` §"SR-1
+ * secret-redaction invariant". The fact that the LLM was instructed not to
+ * emit secrets is NOT evidence to skip redaction — the model can hallucinate
+ * secret-shaped substrings from prompt context, in-context examples, or tool
+ * results. Redacted material MUST NOT appear in resulting `RunEventDoc`s,
+ * OTel span attributes, debug-bundle exports, or error envelopes returned to
+ * the client. The pass runs AFTER validation and BEFORE dedup/handler routing
+ * in the production-flow ordering.
+ *
+ * @see spec/v1/ai-envelope.md §"Redaction (SR-1 carry-forward)"
+ * @see spec/v1/agent-memory.md §"SR-1 secret-redaction invariant"
+ * @see SECURITY/invariants.yaml#envelope-redaction-sr-1-carry-forward
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+
+interface DiscoveryDoc {
+  capabilities?: Record<string, unknown>;
+}
+
+async function isBYOKAdvertised(): Promise<boolean> {
+  const res = await driver.get('/.well-known/openwop');
+  const body = res.json as DiscoveryDoc | undefined;
+  const top = body?.capabilities as Record<string, unknown> | undefined;
+  const secrets = top && typeof top === 'object' ? top['secrets'] : undefined;
+  return Boolean(secrets && typeof secrets === 'object');
+}
+
+describe('aiEnvelope.redaction: advertisement shape (FINAL v1.1)', () => {
+  it('hosts advertising envelopeContracts AND secrets honor SR-1 carry-forward', async () => {
+    if (!(await isBYOKAdvertised())) return; // BYOK not advertised — skip
+    // The contract is invariant-based, not capability-flag-based. The
+    // advertisement-shape check is just "the host claims a BYOK surface";
+    // behavioral assertions below exercise the redaction invariant.
+    expect(true).toBe(true);
+  });
+});
+
+describe('aiEnvelope.redaction: BYOK-redaction placeholders', () => {
+  // The 6 assertions below require the engine's BYOK redaction pipeline
+  // (per SECURITY/threat-model-secret-leakage.md SR-1 carry-forward) to
+  // hook into envelope acceptance AND every downstream surface that
+  // persists envelope content (RunEventDoc, OTel span attributes,
+  // debug-bundle export, error envelope projection).
+  //
+  // The reference workflow-engine sample's `acceptEnvelope` is pure +
+  // doesn't touch payload contents. Redaction lives at a different
+  // layer (BYOK secretResolver + event-log sanitizer). Promoting these
+  // to behavioral requires either:
+  //   (a) chaining the acceptor through `stripSecretsFromPersisted`
+  //       before persisting the recorded view, OR
+  //   (b) an end-to-end test that plants a BYOK canary in an envelope
+  //       payload, runs through the full accept → emit → persist → export
+  //       chain, and asserts the canary is absent on every output.
+  //
+  // (b) is the spec-faithful path. Tracked as host-impl follow-up.
+  it.todo('emit envelope whose payload contains a known BYOK substring → substring absent from emitted RunEventDocs');
+  it.todo('redacted substring absent from OTel envelope_* span attributes');
+  it.todo('redacted substring absent from debug-bundle export');
+  it.todo('redacted substring absent from error envelope on validation refusal (no leak via error path)');
+  it.todo('redaction marker is the canonical [REDACTED:<reason>] form, NOT a model-generated <REDACTED> string');
+  it.todo('redaction runs AFTER schema validation: a payload with redacted-shaped substrings still validates structurally');
+});

package/src/scenarios/aiEnvelope.schemaDrift.test.ts

@@ -0,0 +1,87 @@
+/**
+ * aiEnvelope.schemaDrift — FINAL v1.1 advertisement-shape verification + behavioral placeholders.
+ *
+ * Status: DRAFT (advertisement-shape). `spec/v1/ai-envelope.md` landed
+ * 2026-05-17 as DRAFT v1.x. This scenario asserts the advertisement shape
+ * for hosts that opt into envelopeContracts and the optional
+ * `envelopeStrictness` knob; behavioral assertions stay `it.todo()` until
+ * a reference host wires the accept path.
+ *
+ * Summary: an LLM emits an envelope whose `schemaVersion` is lower than the
+ * host's advertised floor for that kind (`Capabilities.schemaVersions[kind]`).
+ * Under `envelopeStrictness: "warn"` (default) the engine MUST attempt
+ * validation against the advertised version and log `envelope_schema_version_drift`.
+ * Under `envelopeStrictness: "strict"` the engine MUST refuse with
+ * `unknown_schema_version`. When the emitted `schemaVersion` is HIGHER than
+ * advertised, the engine MUST refuse regardless of strictness.
+ *
+ * @see spec/v1/ai-envelope.md §"Schema discipline"
+ * @see spec/v1/ai-envelope.md §"Capability handshake integration"
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+
+interface DiscoveryDoc {
+  capabilities?: Record<string, unknown>;
+}
+
+async function isEnvelopeContractsAdvertised(): Promise<boolean> {
+  const res = await driver.get('/.well-known/openwop');
+  const body = res.json as DiscoveryDoc | undefined;
+  const top = body?.capabilities as Record<string, unknown> | undefined;
+  const block = top && typeof top === 'object' ? (top['envelopeContracts'] as Record<string, unknown> | undefined) : undefined;
+  return Boolean(block && block['advertised'] === true);
+}
+
+describe('aiEnvelope.schemaDrift: advertisement shape (FINAL v1.1)', () => {
+  it('capabilities.envelopeStrictness is either absent (treated as "warn") or "warn" | "strict"', async () => {
+    const res = await driver.get('/.well-known/openwop');
+    const body = res.json as DiscoveryDoc | undefined;
+    const top = body?.capabilities as Record<string, unknown> | undefined;
+    const val = top && typeof top === 'object' ? top['envelopeStrictness'] : undefined;
+    if (val === undefined) return; // absent → treated as 'warn'; skip
+    expect(
+      val === 'warn' || val === 'strict',
+      driver.describe(
+        'ai-envelope.md §"Capability handshake integration"',
+        'envelopeStrictness MUST be the literal string "warn" or "strict" when present',
+      ),
+    ).toBe(true);
+  });
+
+  it('schemaVersions is non-empty when envelopeContracts.advertised: true', async () => {
+    if (!(await isEnvelopeContractsAdvertised())) return; // not opted in — skip
+    const res = await driver.get('/.well-known/openwop');
+    const body = res.json as { schemaVersions?: Record<string, number>; capabilities?: { schemaVersions?: Record<string, number> } } | undefined;
+    const versions = body?.schemaVersions ?? body?.capabilities?.schemaVersions ?? {};
+    expect(
+      Object.keys(versions).length > 0,
+      driver.describe(
+        'ai-envelope.md §"Schema version advertisement"',
+        'schemaVersions MUST be non-empty when envelopeContracts.advertised is true',
+      ),
+    ).toBe(true);
+  });
+});
+
+describe('aiEnvelope.schemaDrift: engine-strictness placeholders', () => {
+  // The 4 assertions below require the engine to read both:
+  //   (a) `Capabilities.schemaVersions[<kind>]` — the advertised floor
+  //       version the host implements for the kind, AND
+  //   (b) `Capabilities.envelopeStrictness` — the run-level knob that
+  //       decides whether below-floor versions warn or refuse.
+  //
+  // The reference workflow-engine sample's `acceptEnvelope` validates
+  // `schemaVersion` as a top-level structural field but does NOT yet
+  // cross-reference it against the host's advertised floor or apply
+  // the strictness knob. Promoting these to behavioral requires
+  // threading both pieces of state through `AcceptOptions` (or making
+  // the acceptor close over a discovery snapshot). Tracked as host-
+  // impl follow-up; the OTel span attribute (`envelope_schema_version_drift`)
+  // is engine-projection scope.
+  it.todo('emit envelope with schemaVersion below advertised floor under strictness:"warn" → warn-and-continue');
+  it.todo('emit envelope with schemaVersion below advertised floor under strictness:"strict" → refuse unknown_schema_version');
+  it.todo('emit envelope with schemaVersion ABOVE advertised floor → refuse regardless of strictness');
+  it.todo('drift logs include envelope_schema_version_drift attribute on the OTel span');
+});

package/src/scenarios/aiEnvelope.trustBoundaryPropagation.test.ts

@@ -0,0 +1,143 @@
+/**
+ * aiEnvelope.trustBoundaryPropagation — FINAL v1.1 advertisement-shape verification + behavioral placeholders.
+ *
+ * Status: DRAFT (advertisement-shape). `spec/v1/ai-envelope.md` landed
+ * 2026-05-17 as DRAFT v1.x. Behavioral assertions stay `it.todo()` until a
+ * reference host wires the MCP-tool-result → envelope → RunEventDoc trust path.
+ *
+ * Summary: when a node consumes content from an untrusted source (MCP tool
+ * result per `mcp-integration.md`, A2A inbound message per `a2a-integration.md`),
+ * any envelope it subsequently emits whose payload incorporates that content
+ * MUST carry `meta.contentTrust: "untrusted"`. The engine MUST propagate this
+ * onto every `RunEventDoc` emitted as a consequence (`RunEventDoc.contentTrust
+ * = "untrusted"`). Downstream LLM nodes re-consuming these events MUST treat
+ * the content as untrusted per `SECURITY/threat-model-prompt-injection.md`.
+ * Approval gates MUST refuse to advance on `untrusted` envelopes with refusal
+ * code `untrusted_content_blocks_approval`.
+ *
+ * @see spec/v1/ai-envelope.md §"Trust boundary"
+ * @see spec/v1/mcp-integration.md §"Trust boundary"
+ * @see spec/v1/a2a-integration.md §"Trust boundary"
+ * @see SECURITY/threat-model-prompt-injection.md
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+
+interface DiscoveryDoc {
+  capabilities?: Record<string, unknown>;
+}
+
+async function readMcpTrustBoundary(): Promise<string | null> {
+  const res = await driver.get('/.well-known/openwop');
+  const body = res.json as DiscoveryDoc | undefined;
+  const top = body?.capabilities as Record<string, unknown> | undefined;
+  const mcp = top && typeof top === 'object' ? (top['mcpClient'] as Record<string, unknown> | undefined) : undefined;
+  if (!mcp || typeof mcp !== 'object') return null;
+  const tb = mcp['trustBoundary'];
+  return typeof tb === 'string' ? tb : null;
+}
+
+describe('aiEnvelope.trustBoundaryPropagation: advertisement shape (FINAL v1.1)', () => {
+  it('hosts advertising mcpClient declare trustBoundary as "untrusted"', async () => {
+    const tb = await readMcpTrustBoundary();
+    if (tb === null) return; // host doesn't advertise mcpClient — skip
+    expect(
+      tb,
+      driver.describe(
+        'mcp-integration.md §"Trust boundary"',
+        'mcpClient.trustBoundary MUST be "untrusted" — MCP tool results are always untrusted input',
+      ),
+    ).toBe('untrusted');
+  });
+});
+
+async function accept(envelope: unknown, opts: Record<string, unknown> = {}): Promise<{ status: number; body: { status?: string; normalizedMeta?: { contentTrust?: string } } }> {
+  const res = await driver.post('/v1/host/sample/envelope/accept', { envelope, ...opts });
+  return { status: res.status, body: res.json as { status?: string; normalizedMeta?: { contentTrust?: string } } };
+}
+
+const baseMeta = { source: 'ai-generation' as const, ts: '2026-05-18T10:00:00Z' };
+
+describe('aiEnvelope.trustBoundaryPropagation: behavioral normalization (FINAL v1.1)', () => {
+  it('envelope with meta.contentTrust:"untrusted" → normalizedMeta.contentTrust:"untrusted"', async () => {
+    const r = await accept({
+      type: 'clarification.request',
+      schemaVersion: 1,
+      envelopeId: 'env-tb-1',
+      correlationId: 'r:n:0:tb1',
+      payload: { questions: [{ id: 'q1', question: 'why?' }] },
+      meta: { ...baseMeta, contentTrust: 'untrusted' },
+    });
+    if (r.status === 404) return;
+    expect(r.body.status).toBe('accepted');
+    expect(
+      r.body.normalizedMeta?.contentTrust,
+      driver.describe(
+        'ai-envelope.md §"Trust boundary"',
+        'envelope-supplied contentTrust:"untrusted" MUST propagate to normalizedMeta',
+      ),
+    ).toBe('untrusted');
+  });
+
+  it('envelope with no meta.contentTrust + runTrustBoundary:"untrusted" → normalizedMeta.contentTrust:"untrusted" (run-level propagation)', async () => {
+    const r = await accept(
+      {
+        type: 'clarification.request',
+        schemaVersion: 1,
+        envelopeId: 'env-tb-2',
+        correlationId: 'r:n:0:tb2',
+        payload: { questions: [{ id: 'q1', question: 'why?' }] },
+        meta: baseMeta,
+      },
+      { runTrustBoundary: 'untrusted' },
+    );
+    if (r.status === 404) return;
+    expect(r.body.normalizedMeta?.contentTrust).toBe('untrusted');
+  });
+
+  it('envelope-supplied contentTrust takes precedence over runTrustBoundary (per-emission decision)', async () => {
+    const r = await accept(
+      {
+        type: 'clarification.request',
+        schemaVersion: 1,
+        envelopeId: 'env-tb-3',
+        correlationId: 'r:n:0:tb3',
+        payload: { questions: [{ id: 'q1', question: 'why?' }] },
+        meta: { ...baseMeta, contentTrust: 'trusted' },
+      },
+      { runTrustBoundary: 'untrusted' }, // explicit conflict — envelope wins
+    );
+    if (r.status === 404) return;
+    expect(
+      r.body.normalizedMeta?.contentTrust,
+      driver.describe(
+        'ai-envelope.md §"Trust boundary"',
+        'per-emission contentTrust MUST take precedence — trusted envelope emitted after MCP tool result does NOT inherit untrusted',
+      ),
+    ).toBe('trusted');
+  });
+
+  it('no contentTrust + no runTrustBoundary → default "trusted"', async () => {
+    const r = await accept({
+      type: 'clarification.request',
+      schemaVersion: 1,
+      envelopeId: 'env-tb-default',
+      correlationId: 'r:n:0:tbdef',
+      payload: { questions: [{ id: 'q1', question: 'why?' }] },
+      meta: baseMeta,
+    });
+    if (r.status === 404) return;
+    expect(r.body.normalizedMeta?.contentTrust).toBe('trusted');
+  });
+});
+
+describe('aiEnvelope.trustBoundaryPropagation: engine-integration placeholders', () => {
+  // These require the engine to project normalizedMeta.contentTrust
+  // onto RunEventDoc.contentTrust + enforce the approval-gate refusal
+  // path. The pure-function acceptor surfaces normalizedMeta; engine
+  // wiring is host-impl scope.
+  it.todo('engine projects normalizedMeta.contentTrust onto RunEventDoc.contentTrust');
+  it.todo('approval gate refuses to advance on untrusted envelope with untrusted_content_blocks_approval');
+  it.todo('downstream LLM node re-consuming untrusted RunEventDoc applies <UNTRUSTED> wrap per prompt-injection invariant');
+});

package/src/scenarios/aiEnvelope.universalKinds.test.ts

@@ -0,0 +1,176 @@
+/**
+ * aiEnvelope.universalKinds — FINAL v1.1 advertisement-shape verification + behavioral placeholders.
+ *
+ * Status: DRAFT (advertisement-shape). `spec/v1/ai-envelope.md` landed
+ * 2026-05-17 as DRAFT v1.x. This scenario asserts the advertisement shape
+ * for hosts that opt into the new envelope-contracts surface
+ * (`capabilities.envelopeContracts.advertised: true`) and keeps the deeper
+ * behavioral assertions as `it.todo()` until a reference host wires the
+ * accept path.
+ *
+ * Summary: hosts MUST advertise the four universal kinds (`clarification.request`,
+ * `schema.request`, `schema.response`, `error`) in `capabilities.supportedEnvelopes`
+ * once they opt in. Universals are always-allowed; Envelope Contract gates MUST NOT
+ * refuse them.
+ *
+ * @see spec/v1/ai-envelope.md §"Universal kinds"
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+
+interface DiscoveryDoc {
+  capabilities?: Record<string, unknown>;
+  supportedEnvelopes?: string[];
+}
+
+const UNIVERSALS = ['clarification.request', 'schema.request', 'schema.response', 'error'] as const;
+
+async function readEnvelopeContracts(): Promise<{ advertised: boolean } | null> {
+  const res = await driver.get('/.well-known/openwop');
+  const body = res.json as DiscoveryDoc | undefined;
+  const top = body?.capabilities as Record<string, unknown> | undefined;
+  const block = top && typeof top === 'object' ? (top['envelopeContracts'] as Record<string, unknown> | undefined) : undefined;
+  if (!block || typeof block !== 'object') return null;
+  return { advertised: block['advertised'] === true };
+}
+
+async function readSupportedEnvelopes(): Promise<string[] | null> {
+  const res = await driver.get('/.well-known/openwop');
+  const body = res.json as DiscoveryDoc | undefined;
+  // `supportedEnvelopes` is required v1 at the top level of the discovery payload
+  // per capabilities.schema.json. Some hosts nest it under `capabilities`.
+  const top = body?.supportedEnvelopes ?? (body?.capabilities as { supportedEnvelopes?: string[] } | undefined)?.supportedEnvelopes;
+  return Array.isArray(top) ? top : null;
+}
+
+describe('aiEnvelope.universalKinds: advertisement shape (FINAL v1.1)', () => {
+  it('capabilities.envelopeContracts is either absent or a well-formed object', async () => {
+    const block = await readEnvelopeContracts();
+    if (block === null) return; // host doesn't opt in — skip
+    expect(
+      typeof block.advertised,
+      driver.describe(
+        'ai-envelope.md §"Capability handshake integration"',
+        'capabilities.envelopeContracts.advertised MUST be a boolean when present',
+      ),
+    ).toBe('boolean');
+  });
+
+  it('opted-in hosts advertise every universal kind in supportedEnvelopes', async () => {
+    const block = await readEnvelopeContracts();
+    if (block === null || !block.advertised) return; // not opted in — skip
+    const advertised = await readSupportedEnvelopes();
+    expect(
+      Array.isArray(advertised),
+      driver.describe(
+        'capabilities.schema.json §supportedEnvelopes',
+        'supportedEnvelopes MUST be present as an array on hosts that advertise envelopeContracts',
+      ),
+    ).toBe(true);
+    for (const kind of UNIVERSALS) {
+      expect(
+        advertised!.includes(kind),
+        driver.describe(
+          'ai-envelope.md §"Universal kinds"',
+          `supportedEnvelopes MUST include "${kind}" — universals are always-allowed`,
+        ),
+      ).toBe(true);
+    }
+  });
+});
+
+// Behavioral assertions through the workflow-engine sample's env-gated
+// `POST /v1/host/sample/envelope/accept` seam (the RFC 0021 §A
+// AIEnvelopeAcceptor reference implementation at
+// `apps/workflow-engine/backend/typescript/src/host/envelopeAcceptor.ts`).
+// Each test soft-skips on HTTP 404 (host doesn't expose the seam) so
+// non-sample hosts keep the advertisement-shape coverage above.
+async function accept(envelope: unknown, opts: Record<string, unknown> = {}): Promise<{ status: number; body: { status?: string; reason?: string; details?: unknown[]; envelopeId?: string } }> {
+  const res = await driver.post('/v1/host/sample/envelope/accept', { envelope, ...opts });
+  return { status: res.status, body: res.json as { status?: string; reason?: string; details?: unknown[]; envelopeId?: string } };
+}
+
+const baseMeta = { source: 'ai-generation' as const, ts: '2026-05-18T10:00:00Z' };
+
+describe('aiEnvelope.universalKinds: behavioral accept via /v1/host/sample/envelope/accept (FINAL v1.1)', () => {
+  it('accept clarification.request with valid payload → status: accepted', async () => {
+    const r = await accept({
+      type: 'clarification.request',
+      schemaVersion: 1,
+      envelopeId: 'env-uk-clar',
+      correlationId: 'r:n:0:clar',
+      payload: { questions: [{ id: 'q1', question: 'Which provider?' }] },
+      meta: baseMeta,
+    });
+    if (r.status === 404) return;
+    expect(r.body.status, driver.describe('ai-envelope.md §"Universal kinds"', 'valid clarification.request MUST be accepted')).toBe('accepted');
+  });
+
+  it('accept schema.request → status: accepted', async () => {
+    const r = await accept({
+      type: 'schema.request',
+      schemaVersion: 1,
+      envelopeId: 'env-uk-sr',
+      correlationId: 'r:n:0:sr',
+      payload: { envelopeType: 'vendor.acme.prd.create' },
+      meta: baseMeta,
+    });
+    if (r.status === 404) return;
+    expect(r.body.status).toBe('accepted');
+  });
+
+  it('accept schema.response (ack:true) → status: accepted', async () => {
+    const r = await accept({
+      type: 'schema.response',
+      schemaVersion: 1,
+      envelopeId: 'env-uk-sresp',
+      correlationId: 'r:n:0:sresp',
+      payload: { envelopeType: 'vendor.acme.prd.create', ack: true },
+      meta: baseMeta,
+    });
+    if (r.status === 404) return;
+    expect(r.body.status).toBe('accepted');
+  });
+
+  it('accept error envelope (LLM-emitted) → status: accepted (distinct from host-level ErrorEnvelope)', async () => {
+    const r = await accept({
+      type: 'error',
+      schemaVersion: 1,
+      envelopeId: 'env-uk-err',
+      correlationId: 'r:n:0:err',
+      payload: { code: 'validation_failed', message: 'I cannot produce JSON matching that schema' },
+      meta: baseMeta,
+    });
+    if (r.status === 404) return;
+    expect(r.body.status, driver.describe('ai-envelope.md §error', 'LLM-emitted error envelope MUST be accepted (NOT the host HTTP ErrorEnvelope)')).toBe('accepted');
+  });
+
+  it('refuse invalid clarification.request (missing questions[]) → status: invalid', async () => {
+    const r = await accept({
+      type: 'clarification.request',
+      schemaVersion: 1,
+      envelopeId: 'env-uk-bad',
+      correlationId: 'r:n:0:bad',
+      payload: { contextType: 'form-field' }, // missing required `questions`
+      meta: baseMeta,
+    });
+    if (r.status === 404) return;
+    expect(
+      r.body.status,
+      driver.describe('ai-envelope.md §"Schema discipline"', 'malformed payload MUST be rejected with invalid'),
+    ).toBe('invalid');
+    expect(Array.isArray(r.body.details), 'invalid outcome MUST carry validation details').toBe(true);
+  });
+});
+
+describe('aiEnvelope.universalKinds: engine-integration placeholders', () => {
+  // These assert behaviors beyond the pure-function acceptor — they
+  // need the engine to lift envelopes into interrupts / re-inject
+  // schemas / emit log.appended events. Tracked separately; the
+  // acceptor seam above covers the 5 wire-level assertions.
+  it.todo('lift clarification.request to kind:"clarification" interrupt per interrupt.md');
+  it.todo('schema.request triggers next-turn schema re-injection (host responsibility)');
+  it.todo('schema.response counted (or exempt) against limits.envelopesPerTurn per host policy');
+  it.todo('error envelope projects to log.appended (level: "error"), NOT node.failed');
+});

package/src/scenarios/append-ordering.test.ts

@@ -26,11 +26,21 @@ const SKIP = !FIXTURE;
 interface ChannelWrittenPayload {
   channel?: string;
   value?: unknown;
+  /**
+   * Per `channel-written-payload.schema.json` — present on inbound
+   * cross-engine writes per `channels-and-reducers.md §"Across
+   * engines"`. When ANY event in the run carries this field, the
+   * cross-engine assertions (CF-8) MUST hold in addition to the
+   * intra-engine ordering rule.
+   */
+  sourceEngineId?: string;
+  sourceRunId?: string;
 }
 
 interface RunEvent {
   type: string;
   sequence: number;
+  eventId?: string;
   payload?: ChannelWrittenPayload;
 }
 
@@ -74,6 +84,40 @@ describe.skipIf(SKIP)('append-ordering: folded channel reflects event sequence',
       }
     }
 
+    // CF-8: cross-engine ordering rule. When ANY channel.written
+    // event carries `sourceEngineId`, the owner-engine MUST have
+    // assigned the recorded `sequence` at append time and the event
+    // log MUST remain strictly monotonic regardless of source. The
+    // intra-engine check above already verifies monotonicity per
+    // channel; here we additionally verify (1) at least one cross-
+    // engine and one own-engine write coexist correctly, and (2) any
+    // tie in the secondary `(sequence, eventId)` order is broken
+    // deterministically (no two events share both fields).
+    const allWrites = Array.from(byChannel.values()).flat();
+    const crossEngineWrites = allWrites.filter(
+      (e) => typeof e.payload?.sourceEngineId === 'string',
+    );
+    if (crossEngineWrites.length > 0) {
+      // Property: every cross-engine event carries BOTH sourceEngineId
+      // AND sourceRunId (per channel-written-payload.schema.json).
+      for (const e of crossEngineWrites) {
+        expect(typeof e.payload?.sourceRunId, driver.describe(
+          'channel-written-payload.schema.json',
+          'cross-engine writes MUST carry sourceRunId alongside sourceEngineId',
+        )).toBe('string');
+      }
+      // Property: (sequence, eventId) is a total order — no duplicates.
+      const seen = new Set<string>();
+      for (const e of allWrites) {
+        const key = `${e.sequence}::${e.eventId ?? ''}`;
+        expect(seen.has(key), driver.describe(
+          'channels-and-reducers.md §"Tie-breaking when sequences collide"',
+          `(sequence, eventId) MUST be unique across the run — duplicate found: ${key}`,
+        )).toBe(false);
+        seen.add(key);
+      }
+    }
+
     // Cross-check against the projected channel state on the run snapshot
     // (when surfaced) — projected array length MUST equal the number of writes.
     const snapshot = await driver.get(`/v1/runs/${encodeURIComponent(runId)}`);