@openwop/openwop-conformance 1.1.1 → 1.3.0

package/src/scenarios/aiEnvelope.redaction.test.ts

@@ -0,0 +1,253 @@
+/**
+ * aiEnvelope.redaction — FINAL v1.1 advertisement-shape verification + behavioral placeholders.
+ *
+ * Status: DRAFT (advertisement-shape). `spec/v1/ai-envelope.md` landed
+ * 2026-05-17 as DRAFT v1.x. Behavioral assertions stay `it.todo()` until a
+ * reference host wires the envelope accept path through the BYOK redaction
+ * harness.
+ *
+ * Summary: AI Envelopes MUST route through the same BYOK redaction harness
+ * applied to a fresh `MemoryEntry.put` per `agent-memory.md` §"SR-1
+ * secret-redaction invariant". The fact that the LLM was instructed not to
+ * emit secrets is NOT evidence to skip redaction — the model can hallucinate
+ * secret-shaped substrings from prompt context, in-context examples, or tool
+ * results. Redacted material MUST NOT appear in resulting `RunEventDoc`s,
+ * OTel span attributes, debug-bundle exports, or error envelopes returned to
+ * the client. The pass runs AFTER validation and BEFORE dedup/handler routing
+ * in the production-flow ordering.
+ *
+ * @see spec/v1/ai-envelope.md §"Redaction (SR-1 carry-forward)"
+ * @see spec/v1/agent-memory.md §"SR-1 secret-redaction invariant"
+ * @see SECURITY/invariants.yaml#envelope-redaction-sr-1-carry-forward
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+
+interface DiscoveryDoc {
+  capabilities?: Record<string, unknown>;
+}
+
+async function isBYOKAdvertised(): Promise<boolean> {
+  const res = await driver.get('/.well-known/openwop');
+  const body = res.json as DiscoveryDoc | undefined;
+  const top = body?.capabilities as Record<string, unknown> | undefined;
+  const secrets = top && typeof top === 'object' ? top['secrets'] : undefined;
+  return Boolean(secrets && typeof secrets === 'object');
+}
+
+describe('aiEnvelope.redaction: advertisement shape (FINAL v1.1)', () => {
+  it('hosts advertising envelopeContracts AND secrets honor SR-1 carry-forward', async () => {
+    if (!(await isBYOKAdvertised())) return; // BYOK not advertised — skip
+    // The contract is invariant-based, not capability-flag-based. The
+    // advertisement-shape check is just "the host claims a BYOK surface";
+    // behavioral assertions below exercise the redaction invariant.
+    expect(true).toBe(true);
+  });
+});
+
+// Behavioral assertions through the workflow-engine sample's env-gated
+// `POST /v1/host/sample/envelope/accept` seam. The seam threads a
+// `byokCanaries: string[]` option into AcceptOptions so the acceptor
+// can apply the §"Redaction (SR-1 carry-forward)" pass on accepted
+// envelopes, returning `redactedPayload` in the outcome. Each test
+// soft-skips on HTTP 404 (host doesn't expose the seam).
+async function accept(envelope: unknown, opts: Record<string, unknown> = {}): Promise<{ status: number; body: { status?: string; reason?: string; redactedPayload?: unknown; redactionCount?: number; details?: unknown[] } }> {
+  const res = await driver.post('/v1/host/sample/envelope/accept', { envelope, ...opts });
+  return { status: res.status, body: res.json as { status?: string; reason?: string; redactedPayload?: unknown; redactionCount?: number; details?: unknown[] } };
+}
+
+const baseMeta = { source: 'ai-generation' as const, ts: '2026-05-18T10:00:00Z' };
+const CANARY_VALUE = 'sk-canary-DO-NOT-LEAK-9d7f3a2b';
+const CANARY_SECRET_ID = 'byok-secret-test-fixture-001';
+const CANARIES = [{ value: CANARY_VALUE, secretId: CANARY_SECRET_ID }];
+const CANONICAL_MARKER = `[REDACTED:${CANARY_SECRET_ID}]`;
+
+describe('aiEnvelope.redaction: behavioral acceptor-level scrub (FINAL v1.1)', () => {
+  it('canary in payload → substituted with canonical SR-1 [REDACTED:<secretId>] marker per agent-memory.md:66', async () => {
+    const r = await accept(
+      {
+        type: 'error',
+        schemaVersion: 1,
+        envelopeId: 'env-red-1',
+        correlationId: 'r:n:0:red1',
+        payload: { code: 'leak_demo', message: `tool result included ${CANARY_VALUE} verbatim` },
+        meta: baseMeta,
+      },
+      { byokCanaries: CANARIES },
+    );
+    if (r.status === 404) return;
+    expect(r.body.status).toBe('accepted');
+    expect(r.body.redactionCount, 'redactionCount MUST be > 0 when canary appears').toBeGreaterThan(0);
+    expect(
+      JSON.stringify(r.body.redactedPayload).includes(CANARY_VALUE),
+      driver.describe('ai-envelope.md §"Redaction (SR-1 carry-forward)"', 'canary plaintext MUST be absent from the redacted view'),
+    ).toBe(false);
+    expect(
+      JSON.stringify(r.body.redactedPayload),
+      driver.describe('agent-memory.md §SR-1 line 66', 'persisted entry MUST carry [REDACTED:<secretId>] in place of the plaintext'),
+    ).toContain(CANONICAL_MARKER);
+  });
+
+  it('canary across nested object fields → all occurrences scrubbed with canonical marker', async () => {
+    const r = await accept(
+      {
+        type: 'clarification.request',
+        schemaVersion: 1,
+        envelopeId: 'env-red-nested',
+        correlationId: 'r:n:0:rednested',
+        payload: {
+          questions: [
+            { id: 'q1', question: `What is ${CANARY_VALUE}?` },
+            { id: 'q2', question: 'unrelated', context: { trace: `${CANARY_VALUE}/${CANARY_VALUE}` } },
+          ],
+        },
+        meta: baseMeta,
+      },
+      { byokCanaries: CANARIES },
+    );
+    if (r.status === 404) return;
+    expect(r.body.status).toBe('accepted');
+    expect(
+      JSON.stringify(r.body.redactedPayload).includes(CANARY_VALUE),
+      'no canary plaintext remnant anywhere in the redacted view (recursive scrub)',
+    ).toBe(false);
+    // q1's question (1 occurrence), q2's context.trace (2 occurrences) = total 3
+    expect(r.body.redactionCount).toBe(3);
+  });
+
+  it('multiple canaries → each substituted with its own secretId marker', async () => {
+    const C1 = { value: 'sk-canary-alpha-xxxx', secretId: 'secret-alpha' };
+    const C2 = { value: 'sk-canary-beta-yyyy', secretId: 'secret-beta' };
+    const r = await accept(
+      {
+        type: 'error',
+        schemaVersion: 1,
+        envelopeId: 'env-red-multi',
+        correlationId: 'r:n:0:redmulti',
+        payload: { code: 'multi_leak', message: `first=${C1.value}, second=${C2.value}` },
+        meta: baseMeta,
+      },
+      { byokCanaries: [C1, C2] },
+    );
+    if (r.status === 404) return;
+    expect(r.body.status).toBe('accepted');
+    const view = JSON.stringify(r.body.redactedPayload);
+    expect(view.includes(C1.value)).toBe(false);
+    expect(view.includes(C2.value)).toBe(false);
+    expect(
+      view.includes(`[REDACTED:${C1.secretId}]`) && view.includes(`[REDACTED:${C2.secretId}]`),
+      driver.describe('agent-memory.md §SR-1', 'each canary MUST be substituted with its OWN [REDACTED:<secretId>] marker'),
+    ).toBe(true);
+  });
+
+  it('redaction runs AFTER schema validation: payload with [REDACTED:...]-shaped substrings still validates', async () => {
+    // The error-kind payload schema requires { code, message }. A pre-redacted
+    // marker in the message MUST NOT trip validation.
+    const r = await accept(
+      {
+        type: 'error',
+        schemaVersion: 1,
+        envelopeId: 'env-red-shape',
+        correlationId: 'r:n:0:redshape',
+        payload: { code: 'demo', message: 'already had [REDACTED:secret-prior] before we saw it' },
+        meta: baseMeta,
+      },
+      { byokCanaries: CANARIES }, // canary NOT in payload; substitution count expected 0
+    );
+    if (r.status === 404) return;
+    expect(
+      r.body.status,
+      driver.describe('ai-envelope.md §"Redaction (SR-1 carry-forward)"', 'redaction MUST run AFTER schema validation; pre-existing markers do not affect validation'),
+    ).toBe('accepted');
+    // No canary present → redactionCount absent or 0
+    expect(r.body.redactionCount ?? 0).toBe(0);
+  });
+
+  it('canary in invalid envelope (validation refusal) → error response MUST NOT echo the canary plaintext', async () => {
+    // ISO 8601 violation triggers an `invalid` outcome BEFORE the redaction
+    // pass runs. The acceptor's validation-detail extractor MUST NOT echo
+    // the payload contents into the error response.
+    const r = await accept(
+      {
+        type: 'error',
+        schemaVersion: 1,
+        envelopeId: 'env-red-leak',
+        correlationId: 'r:n:0:redleak',
+        payload: { code: 'demo', message: `secret value is ${CANARY_VALUE}` },
+        meta: { ...baseMeta, ts: 'tomorrow' }, // bad ts → invalid
+      },
+      { byokCanaries: CANARIES },
+    );
+    if (r.status === 404) return;
+    expect(r.body.status).toBe('invalid');
+    const bodyString = JSON.stringify(r.body);
+    expect(
+      bodyString.includes(CANARY_VALUE),
+      driver.describe(
+        'SECURITY/threat-model-secret-leakage.md §SR-1',
+        'error response on validation refusal MUST NOT echo BYOK canary plaintext',
+      ),
+    ).toBe(false);
+  });
+});
+
+// E.2 OTel scrape + E.3 debug-bundle seams.
+import { queryTestSpans, exportDebugBundle, isOtelSeamAvailable } from '../lib/otel-scrape.js';
+import { resetTestSeam } from '../lib/event-log-query.js';
+
+describe('aiEnvelope.redaction: OTel + debug-bundle scrape (E.2 + E.3)', () => {
+  it('redacted canary plaintext MUST be absent from OTel envelope_* span attributes', async () => {
+    if (!(await isOtelSeamAvailable())) return;
+    const runId = `r-red-otel-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
+    await accept(
+      {
+        type: 'error',
+        schemaVersion: 1,
+        envelopeId: 'env-red-otel-1',
+        correlationId: `${runId}:n:0:red-otel`,
+        payload: { code: 'leak_demo', message: `tool result included ${CANARY_VALUE} verbatim` },
+        meta: baseMeta,
+      },
+      { byokCanaries: CANARIES, projectTo: { runId, nodeId: 'n' } },
+    );
+    const spans = await queryTestSpans({ runId });
+    if (!spans.ok) return;
+    const allAttrs = spans.data.flatMap((s) => Object.values(s.attributes).map((v) => String(v)));
+    expect(
+      allAttrs.some((v) => v.includes(CANARY_VALUE)),
+      driver.describe(
+        'SECURITY/threat-model-secret-leakage.md §SR-1',
+        'BYOK canary plaintext MUST NOT appear in any OTel envelope_* span attribute',
+      ),
+    ).toBe(false);
+    await resetTestSeam();
+  });
+
+  it('redacted canary plaintext MUST be absent from debug-bundle export', async () => {
+    if (!(await isOtelSeamAvailable())) return;
+    const runId = `r-red-bundle-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
+    await accept(
+      {
+        type: 'clarification.request',
+        schemaVersion: 1,
+        envelopeId: 'env-red-bundle-1',
+        correlationId: `${runId}:n:0:red-bundle`,
+        payload: { questions: [{ id: 'q1', question: `embed ${CANARY_VALUE} here` }] },
+        meta: baseMeta,
+      },
+      { byokCanaries: CANARIES, projectTo: { runId, nodeId: 'n' } },
+    );
+    const bundle = await exportDebugBundle(runId);
+    if (!bundle.ok) return;
+    const serialized = JSON.stringify(bundle.data);
+    expect(
+      serialized.includes(CANARY_VALUE),
+      driver.describe(
+        'SECURITY/threat-model-secret-leakage.md §SR-1',
+        'BYOK canary plaintext MUST NOT appear in the debug-bundle export (events + spans)',
+      ),
+    ).toBe(false);
+    await resetTestSeam();
+  });
+});

package/src/scenarios/aiEnvelope.schemaDrift.test.ts

@@ -0,0 +1,226 @@
+/**
+ * aiEnvelope.schemaDrift — FINAL v1.1 advertisement-shape verification + behavioral placeholders.
+ *
+ * Status: DRAFT (advertisement-shape). `spec/v1/ai-envelope.md` landed
+ * 2026-05-17 as DRAFT v1.x. This scenario asserts the advertisement shape
+ * for hosts that opt into envelopeContracts and the optional
+ * `envelopeStrictness` knob; behavioral assertions stay `it.todo()` until
+ * a reference host wires the accept path.
+ *
+ * Summary: an LLM emits an envelope whose `schemaVersion` is lower than the
+ * host's advertised floor for that kind (`Capabilities.schemaVersions[kind]`).
+ * Under `envelopeStrictness: "warn"` (default) the engine MUST attempt
+ * validation against the advertised version and log `envelope_schema_version_drift`.
+ * Under `envelopeStrictness: "strict"` the engine MUST refuse with
+ * `unknown_schema_version`. When the emitted `schemaVersion` is HIGHER than
+ * advertised, the engine MUST refuse regardless of strictness.
+ *
+ * @see spec/v1/ai-envelope.md §"Schema discipline"
+ * @see spec/v1/ai-envelope.md §"Capability handshake integration"
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+
+interface DiscoveryDoc {
+  capabilities?: Record<string, unknown>;
+}
+
+async function isEnvelopeContractsAdvertised(): Promise<boolean> {
+  const res = await driver.get('/.well-known/openwop');
+  const body = res.json as DiscoveryDoc | undefined;
+  const top = body?.capabilities as Record<string, unknown> | undefined;
+  const block = top && typeof top === 'object' ? (top['envelopeContracts'] as Record<string, unknown> | undefined) : undefined;
+  return Boolean(block && block['advertised'] === true);
+}
+
+describe('aiEnvelope.schemaDrift: advertisement shape (FINAL v1.1)', () => {
+  it('capabilities.envelopeStrictness is either absent (treated as "warn") or "warn" | "strict"', async () => {
+    const res = await driver.get('/.well-known/openwop');
+    const body = res.json as DiscoveryDoc | undefined;
+    const top = body?.capabilities as Record<string, unknown> | undefined;
+    const val = top && typeof top === 'object' ? top['envelopeStrictness'] : undefined;
+    if (val === undefined) return; // absent → treated as 'warn'; skip
+    expect(
+      val === 'warn' || val === 'strict',
+      driver.describe(
+        'ai-envelope.md §"Capability handshake integration"',
+        'envelopeStrictness MUST be the literal string "warn" or "strict" when present',
+      ),
+    ).toBe(true);
+  });
+
+  it('schemaVersions is non-empty when envelopeContracts.advertised: true', async () => {
+    if (!(await isEnvelopeContractsAdvertised())) return; // not opted in — skip
+    const res = await driver.get('/.well-known/openwop');
+    const body = res.json as { schemaVersions?: Record<string, number>; capabilities?: { schemaVersions?: Record<string, number> } } | undefined;
+    const versions = body?.schemaVersions ?? body?.capabilities?.schemaVersions ?? {};
+    expect(
+      Object.keys(versions).length > 0,
+      driver.describe(
+        'ai-envelope.md §"Schema version advertisement"',
+        'schemaVersions MUST be non-empty when envelopeContracts.advertised is true',
+      ),
+    ).toBe(true);
+  });
+});
+
+// Behavioral assertions through the workflow-engine sample's env-gated
+// `POST /v1/host/sample/envelope/accept` seam. The seam threads
+// `schemaVersionFloor` + `envelopeStrictness` into AcceptOptions so the
+// pure-function acceptor can apply the §"Schema discipline" gate.
+// Each test soft-skips on HTTP 404 (host doesn't expose the seam).
+async function accept(envelope: unknown, opts: Record<string, unknown> = {}): Promise<{ status: number; body: { status?: string; reason?: string; details?: unknown[] } }> {
+  const res = await driver.post('/v1/host/sample/envelope/accept', { envelope, ...opts });
+  return { status: res.status, body: res.json as { status?: string; reason?: string; details?: unknown[] } };
+}
+
+const baseMeta = { source: 'ai-generation' as const, ts: '2026-05-18T10:00:00Z' };
+
+describe('aiEnvelope.schemaDrift: behavioral strictness gate (FINAL v1.1)', () => {
+  it('schemaVersion below advertised floor under strictness:"warn" → accepted (warn-and-continue)', async () => {
+    const r = await accept(
+      {
+        type: 'clarification.request',
+        schemaVersion: 0, // below the v1 floor
+        envelopeId: 'env-drift-warn',
+        correlationId: 'r:n:0:driftwarn',
+        payload: { questions: [{ id: 'q1', question: 'why?' }] },
+        meta: baseMeta,
+      },
+      {
+        schemaVersionFloor: { 'clarification.request': 1 },
+        envelopeStrictness: 'warn',
+      },
+    );
+    if (r.status === 404) return;
+    expect(
+      r.body.status,
+      driver.describe(
+        'ai-envelope.md §"Schema discipline"',
+        'below-floor schemaVersion under strictness:warn MUST be accepted (drift projected at engine level)',
+      ),
+    ).toBe('accepted');
+  });
+
+  it('schemaVersion below advertised floor under strictness:"strict" → invalid unknown_schema_version', async () => {
+    const r = await accept(
+      {
+        type: 'clarification.request',
+        schemaVersion: 0,
+        envelopeId: 'env-drift-strict',
+        correlationId: 'r:n:0:driftstrict',
+        payload: { questions: [{ id: 'q1', question: 'why?' }] },
+        meta: baseMeta,
+      },
+      {
+        schemaVersionFloor: { 'clarification.request': 1 },
+        envelopeStrictness: 'strict',
+      },
+    );
+    if (r.status === 404) return;
+    expect(
+      r.body.status,
+      driver.describe(
+        'ai-envelope.md §"Schema discipline"',
+        'below-floor schemaVersion under strictness:strict MUST refuse with unknown_schema_version',
+      ),
+    ).toBe('invalid');
+    expect(r.body.reason).toContain('unknown_schema_version');
+  });
+
+  it('schemaVersion ABOVE advertised floor → invalid regardless of strictness (host doesn\'t know future version)', async () => {
+    for (const strictness of ['warn', 'strict'] as const) {
+      const r = await accept(
+        {
+          type: 'clarification.request',
+          schemaVersion: 99,
+          envelopeId: `env-drift-above-${strictness}`,
+          correlationId: `r:n:0:driftabove-${strictness}`,
+          payload: { questions: [{ id: 'q1', question: 'why?' }] },
+          meta: baseMeta,
+        },
+        {
+          schemaVersionFloor: { 'clarification.request': 1 },
+          envelopeStrictness: strictness,
+        },
+      );
+      if (r.status === 404) return;
+      expect(
+        r.body.status,
+        driver.describe(
+          'ai-envelope.md §"Schema discipline"',
+          `above-floor schemaVersion MUST refuse regardless of strictness (got ${strictness})`,
+        ),
+      ).toBe('invalid');
+      expect(r.body.reason).toContain('unknown_schema_version');
+    }
+  });
+
+  it('refused above-floor envelope carries instancePath /schemaVersion in details', async () => {
+    const r = await accept(
+      {
+        type: 'error',
+        schemaVersion: 5,
+        envelopeId: 'env-drift-details',
+        correlationId: 'r:n:0:driftdetails',
+        payload: { code: 'x', message: 'y' },
+        meta: baseMeta,
+      },
+      {
+        schemaVersionFloor: { error: 1 },
+        envelopeStrictness: 'warn', // above-floor → invalid regardless
+      },
+    );
+    if (r.status === 404) return;
+    expect(r.body.status).toBe('invalid');
+    expect(Array.isArray(r.body.details)).toBe(true);
+    const paths = (r.body.details ?? []).map((d: unknown) => (d as { instancePath?: string }).instancePath);
+    expect(
+      paths.includes('/schemaVersion'),
+      driver.describe(
+        'ai-envelope.md §"Schema discipline"',
+        'schema-drift refusal MUST cite /schemaVersion as the violating field',
+      ),
+    ).toBe(true);
+  });
+});
+
+// E.2 OTel scrape seam.
+import { queryTestSpans, isOtelSeamAvailable } from '../lib/otel-scrape.js';
+import { resetTestSeam } from '../lib/event-log-query.js';
+
+describe('aiEnvelope.schemaDrift: OTel drift attribute projection (E.2)', () => {
+  it('below-floor + strictness:warn → OTel span MUST carry envelope_schema_version_drift attribute', async () => {
+    if (!(await isOtelSeamAvailable())) return;
+    const runId = `r-drift-otel-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
+    const r = await accept(
+      {
+        type: 'clarification.request',
+        schemaVersion: 0, // below the v1 floor
+        envelopeId: 'env-drift-otel-1',
+        correlationId: `${runId}:n:0:drift-otel`,
+        payload: { questions: [{ id: 'q1', question: 'why?' }] },
+        meta: baseMeta,
+      },
+      {
+        schemaVersionFloor: { 'clarification.request': 1 },
+        envelopeStrictness: 'warn',
+        projectTo: { runId, nodeId: 'n' },
+      },
+    );
+    if (r.status === 404) return;
+    expect(r.body.status).toBe('accepted');
+
+    const spans = await queryTestSpans({ runId });
+    if (!spans.ok) return;
+    expect(
+      spans.data.some((s) => s.attributes.envelope_schema_version_drift === true),
+      driver.describe(
+        'ai-envelope.md §"Schema discipline"',
+        'below-floor accept under strictness:warn MUST project envelope_schema_version_drift attribute on the OTel span',
+      ),
+    ).toBe(true);
+    await resetTestSeam();
+  });
+});

package/src/scenarios/aiEnvelope.trustBoundaryPropagation.test.ts

@@ -0,0 +1,194 @@
+/**
+ * aiEnvelope.trustBoundaryPropagation — FINAL v1.1 advertisement-shape verification + behavioral placeholders.
+ *
+ * Status: DRAFT (advertisement-shape). `spec/v1/ai-envelope.md` landed
+ * 2026-05-17 as DRAFT v1.x. Behavioral assertions stay `it.todo()` until a
+ * reference host wires the MCP-tool-result → envelope → RunEventDoc trust path.
+ *
+ * Summary: when a node consumes content from an untrusted source (MCP tool
+ * result per `mcp-integration.md`, A2A inbound message per `a2a-integration.md`),
+ * any envelope it subsequently emits whose payload incorporates that content
+ * MUST carry `meta.contentTrust: "untrusted"`. The engine MUST propagate this
+ * onto every `RunEventDoc` emitted as a consequence (`RunEventDoc.contentTrust
+ * = "untrusted"`). Downstream LLM nodes re-consuming these events MUST treat
+ * the content as untrusted per `SECURITY/threat-model-prompt-injection.md`.
+ * Approval gates MUST refuse to advance on `untrusted` envelopes with refusal
+ * code `untrusted_content_blocks_approval`.
+ *
+ * @see spec/v1/ai-envelope.md §"Trust boundary"
+ * @see spec/v1/mcp-integration.md §"Trust boundary"
+ * @see spec/v1/a2a-integration.md §"Trust boundary"
+ * @see SECURITY/threat-model-prompt-injection.md
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+
+interface DiscoveryDoc {
+  capabilities?: Record<string, unknown>;
+}
+
+async function readMcpTrustBoundary(): Promise<string | null> {
+  const res = await driver.get('/.well-known/openwop');
+  const body = res.json as DiscoveryDoc | undefined;
+  const top = body?.capabilities as Record<string, unknown> | undefined;
+  const mcp = top && typeof top === 'object' ? (top['mcpClient'] as Record<string, unknown> | undefined) : undefined;
+  if (!mcp || typeof mcp !== 'object') return null;
+  const tb = mcp['trustBoundary'];
+  return typeof tb === 'string' ? tb : null;
+}
+
+describe('aiEnvelope.trustBoundaryPropagation: advertisement shape (FINAL v1.1)', () => {
+  it('hosts advertising mcpClient declare trustBoundary as "untrusted"', async () => {
+    const tb = await readMcpTrustBoundary();
+    if (tb === null) return; // host doesn't advertise mcpClient — skip
+    expect(
+      tb,
+      driver.describe(
+        'mcp-integration.md §"Trust boundary"',
+        'mcpClient.trustBoundary MUST be "untrusted" — MCP tool results are always untrusted input',
+      ),
+    ).toBe('untrusted');
+  });
+});
+
+async function accept(envelope: unknown, opts: Record<string, unknown> = {}): Promise<{ status: number; body: { status?: string; normalizedMeta?: { contentTrust?: string } } }> {
+  const res = await driver.post('/v1/host/sample/envelope/accept', { envelope, ...opts });
+  return { status: res.status, body: res.json as { status?: string; normalizedMeta?: { contentTrust?: string } } };
+}
+
+const baseMeta = { source: 'ai-generation' as const, ts: '2026-05-18T10:00:00Z' };
+
+describe('aiEnvelope.trustBoundaryPropagation: behavioral normalization (FINAL v1.1)', () => {
+  it('envelope with meta.contentTrust:"untrusted" → normalizedMeta.contentTrust:"untrusted"', async () => {
+    const r = await accept({
+      type: 'clarification.request',
+      schemaVersion: 1,
+      envelopeId: 'env-tb-1',
+      correlationId: 'r:n:0:tb1',
+      payload: { questions: [{ id: 'q1', question: 'why?' }] },
+      meta: { ...baseMeta, contentTrust: 'untrusted' },
+    });
+    if (r.status === 404) return;
+    expect(r.body.status).toBe('accepted');
+    expect(
+      r.body.normalizedMeta?.contentTrust,
+      driver.describe(
+        'ai-envelope.md §"Trust boundary"',
+        'envelope-supplied contentTrust:"untrusted" MUST propagate to normalizedMeta',
+      ),
+    ).toBe('untrusted');
+  });
+
+  it('envelope with no meta.contentTrust + runTrustBoundary:"untrusted" → normalizedMeta.contentTrust:"untrusted" (run-level propagation)', async () => {
+    const r = await accept(
+      {
+        type: 'clarification.request',
+        schemaVersion: 1,
+        envelopeId: 'env-tb-2',
+        correlationId: 'r:n:0:tb2',
+        payload: { questions: [{ id: 'q1', question: 'why?' }] },
+        meta: baseMeta,
+      },
+      { runTrustBoundary: 'untrusted' },
+    );
+    if (r.status === 404) return;
+    expect(r.body.normalizedMeta?.contentTrust).toBe('untrusted');
+  });
+
+  it('envelope-supplied contentTrust takes precedence over runTrustBoundary (per-emission decision)', async () => {
+    const r = await accept(
+      {
+        type: 'clarification.request',
+        schemaVersion: 1,
+        envelopeId: 'env-tb-3',
+        correlationId: 'r:n:0:tb3',
+        payload: { questions: [{ id: 'q1', question: 'why?' }] },
+        meta: { ...baseMeta, contentTrust: 'trusted' },
+      },
+      { runTrustBoundary: 'untrusted' }, // explicit conflict — envelope wins
+    );
+    if (r.status === 404) return;
+    expect(
+      r.body.normalizedMeta?.contentTrust,
+      driver.describe(
+        'ai-envelope.md §"Trust boundary"',
+        'per-emission contentTrust MUST take precedence — trusted envelope emitted after MCP tool result does NOT inherit untrusted',
+      ),
+    ).toBe('trusted');
+  });
+
+  it('no contentTrust + no runTrustBoundary → default "trusted"', async () => {
+    const r = await accept({
+      type: 'clarification.request',
+      schemaVersion: 1,
+      envelopeId: 'env-tb-default',
+      correlationId: 'r:n:0:tbdef',
+      payload: { questions: [{ id: 'q1', question: 'why?' }] },
+      meta: baseMeta,
+    });
+    if (r.status === 404) return;
+    expect(r.body.normalizedMeta?.contentTrust).toBe('trusted');
+  });
+});
+
+// E.1 engine-projection via the test-only event-log seam.
+import { queryTestEvents, isEventLogSeamAvailable, resetTestSeam } from '../lib/event-log-query.js';
+
+describe('aiEnvelope.trustBoundaryPropagation: engine projection via event-log seam', () => {
+  it('normalizedMeta.contentTrust:"untrusted" MUST project onto RunEventDoc.contentTrust', async () => {
+    if (!(await isEventLogSeamAvailable())) return;
+    const runId = `r-tb-proj-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
+    await accept(
+      {
+        type: 'clarification.request',
+        schemaVersion: 1,
+        envelopeId: 'env-tb-proj-1',
+        correlationId: `${runId}:n:0:tb-proj`,
+        payload: { questions: [{ id: 'q1', question: 'why?' }] },
+        meta: { ...baseMeta, contentTrust: 'untrusted' },
+      },
+      { projectTo: { runId, nodeId: 'n' } },
+    );
+    const events = await queryTestEvents(runId, { type: 'interrupt.requested' });
+    if (!events.ok || events.events.length === 0) return;
+    expect(
+      events.events[0]!.contentTrust,
+      driver.describe(
+        'ai-envelope.md §"Trust boundary"',
+        'engine MUST project normalizedMeta.contentTrust:"untrusted" onto every consequent RunEventDoc.contentTrust',
+      ),
+    ).toBe('untrusted');
+    await resetTestSeam();
+  });
+
+  it('trusted envelope projects RunEventDoc.contentTrust:"trusted" (default + explicit both verified)', async () => {
+    if (!(await isEventLogSeamAvailable())) return;
+    const runId = `r-tb-trusted-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
+    await accept(
+      {
+        type: 'clarification.request',
+        schemaVersion: 1,
+        envelopeId: 'env-tb-proj-trusted',
+        correlationId: `${runId}:n:0:tb-trusted`,
+        payload: { questions: [{ id: 'q1', question: 'why?' }] },
+        meta: baseMeta, // no contentTrust → default 'trusted'
+      },
+      { projectTo: { runId, nodeId: 'n' } },
+    );
+    const events = await queryTestEvents(runId, { type: 'interrupt.requested' });
+    if (!events.ok || events.events.length === 0) return;
+    expect(events.events[0]!.contentTrust).toBe('trusted');
+    await resetTestSeam();
+  });
+});
+
+describe('aiEnvelope.trustBoundaryPropagation: approval-gate refusal placeholder', () => {
+  // Approval-gate refusal (`untrusted_content_blocks_approval`) requires
+  // wiring the acceptor's normalizedMeta onto the engine's approval-gate
+  // resume handler. Tracked under Thread E.4 of the test-coverage plan
+  // (approval-gate refusal seam); the projection seam alone can't drive
+  // a resume-with-untrusted assertion.
+  it.todo('approval gate refuses to advance on untrusted envelope with untrusted_content_blocks_approval (needs approval-gate resume seam)');
+  it.todo('downstream LLM node re-consuming untrusted RunEventDoc applies <UNTRUSTED> wrap per prompt-injection invariant (needs node-execution seam)');
+});