@openwop/openwop-conformance 1.20.0 → 1.23.0

package/src/scenarios/agent-channel-dispatch.test.ts

@@ -129,12 +129,12 @@ describe.skipIf(HTTP_SKIP)('agent-channel-dispatch (RFC 0082 §B): production ru
       ),
     ).toBe(true);
     expect(
-      started!.payload.resolvedChannel === BOUND_CHANNEL,
+      started!.payload.resolvedChannel,
       driver.describe(
         'agent-deployment.md §B',
         `agent.invocation.started MUST carry the bound channel as resolvedChannel ("${BOUND_CHANNEL}")`,
       ),
-    ).toBe(true);
+    ).toBe(BOUND_CHANNEL);
     const pinnedVersion = started!.payload.resolvedAgentVersion;
     expect(
       typeof pinnedVersion === 'string' && (pinnedVersion as string).length > 0,
@@ -166,18 +166,26 @@ describe.skipIf(HTTP_SKIP)('agent-channel-dispatch (RFC 0082 §B): production ru
       driver.describe('agent-deployment.md §B', 'a replay fork MUST re-emit agent.invocation.started'),
     ).toBe(true);
     expect(
-      fork1Started!.payload.resolvedAgentVersion === pinnedVersion,
+      fork1Started!.payload.resolvedAgentVersion,
       driver.describe(
         'agent-deployment.md §B',
         'a replay MUST re-read the recorded resolvedAgentVersion (NOT re-resolve the channel)',
       ),
-    ).toBe(true);
+    ).toBe(pinnedVersion);
 
     // ---- Leg 3 (seam-guarded): move the channel, prove non-re-resolution -
     // The strongest form of §B: after the original pin, MOVE `stable` to a new
     // active version via the optional deployment seam. A replay fork of the
     // ORIGINAL run MUST still carry the ORIGINAL pin — proving the host re-reads
     // the recorded fact rather than re-resolving the (now-moved) channel.
+    //
+    // TEST ISOLATION: this promotes the bound agent's `stable` head via the
+    // conformance-only seam and does NOT roll it back — the seam exposes no
+    // rollback primitive (see agentDeployment.ts: scenarios are promote /
+    // unauthorized / eval-gate-unmet / channel-pin, no `rollback`). Scenarios are
+    // independent and the seam is conformance-only (404/403 in production), so the
+    // un-restored head is benign; hosts SHOULD nonetheless run the suite against an
+    // isolated/ephemeral deployment store rather than shared production state.
     const moved = await driveDeploymentTransition({
       scenario: 'promote',
       agentId: BOUND_AGENT_ID,
@@ -217,18 +225,18 @@ describe.skipIf(HTTP_SKIP)('agent-channel-dispatch (RFC 0082 §B): production ru
     await pollUntilTerminal(fork2RunId, { timeoutMs: 15_000 });
     const fork2Started = await firstInvocationStarted(fork2RunId);
     expect(
-      fork2Started?.payload.resolvedAgentVersion === pinnedVersion,
+      fork2Started?.payload.resolvedAgentVersion,
       driver.describe(
         'agent-deployment.md §B',
         'after the channel moves, a replay of the original run MUST still carry the ORIGINAL pin — never re-resolving the moved channel',
       ),
-    ).toBe(true);
+    ).toBe(pinnedVersion);
     expect(
-      fork2Started?.payload.resolvedAgentVersion !== movedVersion,
+      fork2Started?.payload.resolvedAgentVersion,
       driver.describe(
         'agent-deployment.md §B',
         'a replay MUST NOT resolve to the post-move version (proves the recorded fact is re-read, not re-resolved)',
       ),
-    ).toBe(true);
+    ).not.toBe(movedVersion);
   });
 });

package/src/scenarios/agent-requires-capabilities-shape.test.ts

@@ -0,0 +1,64 @@
+/**
+ * Agent-level capability requirements (RFC 0092).
+ *
+ * Always-on, server-free schema-shape probe of the additive
+ * `AgentManifest.requiresCapabilities[]`: a manifest WITH it validates, a
+ * manifest WITHOUT it still validates (absent ⇒ no requirements), and a
+ * non-string-array value is rejected.
+ *
+ * The degraded-projection behavior (an unmet key surfaced in the inventory
+ * `degraded[]`) is gated on `agents.manifestRuntime` and lands with a reference
+ * host (RFC 0092 §Conformance — deferred to Active → Accepted).
+ *
+ * Spec references:
+ *   - https://github.com/openwop/openwop/blob/main/RFCS/0092-agent-capability-requirements.md
+ *   - https://github.com/openwop/openwop/blob/main/RFCS/0072-agent-inventory-and-dispatch.md (the degraded[] marker)
+ */
+
+import { describe, it, expect } from 'vitest';
+import { readFileSync, readdirSync } from 'node:fs';
+import { join } from 'node:path';
+import Ajv2020 from 'ajv/dist/2020.js';
+import addFormats from 'ajv-formats';
+import { SCHEMAS_DIR } from '../lib/paths.js';
+
+const BASE = 'https://openwop.dev/spec/v1/';
+const why = (specRef: string, requirement: string): string => `${specRef} — ${requirement}`;
+function loadSchema(name: string): Record<string, unknown> {
+  return JSON.parse(readFileSync(join(SCHEMAS_DIR, name), 'utf8')) as Record<string, unknown>;
+}
+
+describe('agent-requires-capabilities-shape: AgentManifest.requiresCapabilities (RFC 0092 §A, server-free)', () => {
+  const ajv = new Ajv2020({ strict: false, allErrors: true });
+  addFormats(ajv);
+  for (const f of readdirSync(SCHEMAS_DIR)) {
+    if (f.endsWith('.schema.json')) {
+      try {
+        ajv.addSchema(loadSchema(f));
+      } catch {
+        /* duplicate/ignore */
+      }
+    }
+  }
+  const manifest = ajv.getSchema(`${BASE}agent-manifest.schema.json`)!;
+
+  const base = { agentId: 'core.openwop.agents.demo', persona: 'Demo', modelClass: 'general', systemPrompt: 'do it' };
+
+  it('a manifest WITH requiresCapabilities validates', () => {
+    expect(
+      manifest({ ...base, requiresCapabilities: ['host.workspace', 'aiProviders.toolCalling'] }),
+      why('RFC 0092 §A', 'a manifest declaring requiresCapabilities MUST validate'),
+    ).toBe(true);
+  });
+
+  it('a manifest WITHOUT it still validates (absent ⇒ no requirements)', () => {
+    expect(manifest(base), why('RFC 0092 §A', 'requiresCapabilities is optional')).toBe(true);
+  });
+
+  it('rejects a non-string-array value', () => {
+    expect(
+      manifest({ ...base, requiresCapabilities: [123] }),
+      why('RFC 0092 §A', 'requiresCapabilities items MUST be non-empty strings'),
+    ).toBe(false);
+  });
+});

package/src/scenarios/agent-verifier-shape.test.ts

@@ -0,0 +1,106 @@
+/**
+ * Agent verifier turn + convergence criteria (RFC 0090).
+ *
+ * Always-on, server-free schema-shape probe. Verifies:
+ *   - the `agentVerified` payload $def validates a content-free verdict and
+ *     rejects an out-of-enum `verdict` and a content-carrying payload
+ *     (additionalProperties:false — `verifier-no-content-leak`);
+ *   - `agent.verified` appears in the RunEventType enum;
+ *   - the `terminate` OrchestratorDecision accepts the additive `successCriteria`;
+ *   - `capabilities.multiAgent.executionModel` accepts `version: 6` + the
+ *     `verifier { supported, gating }` sub-block (and rejects version 7).
+ *
+ * Behavioral assertions (a `verifier.gating` host blocking a merge on `fail`)
+ * are gated on `capabilities.multiAgent.executionModel.verifier.gating` and land
+ * with a reference host (RFC 0090 §Conformance — deferred to Active → Accepted).
+ *
+ * Spec references:
+ *   - https://github.com/openwop/openwop/blob/main/RFCS/0090-agent-verifier-and-convergence.md
+ *   - https://github.com/openwop/openwop/blob/main/spec/v1/multi-agent-execution.md
+ */
+
+import { describe, it, expect } from 'vitest';
+import { readFileSync, readdirSync } from 'node:fs';
+import { join } from 'node:path';
+import Ajv2020 from 'ajv/dist/2020.js';
+import addFormats from 'ajv-formats';
+import { SCHEMAS_DIR } from '../lib/paths.js';
+
+const BASE = 'https://openwop.dev/spec/v1/';
+const why = (specRef: string, requirement: string): string => `${specRef} — ${requirement}`;
+function loadSchema(name: string): Record<string, unknown> {
+  return JSON.parse(readFileSync(join(SCHEMAS_DIR, name), 'utf8')) as Record<string, unknown>;
+}
+/** Register every corpus schema so relative cross-file $refs resolve. */
+function newAjvWithCorpus(): Ajv2020 {
+  const ajv = new Ajv2020({ strict: false, allErrors: true });
+  addFormats(ajv);
+  for (const f of readdirSync(SCHEMAS_DIR)) {
+    if (f.endsWith('.schema.json')) {
+      try {
+        ajv.addSchema(loadSchema(f));
+      } catch {
+        /* duplicate/ignore */
+      }
+    }
+  }
+  return ajv;
+}
+
+describe('agent-verifier-shape: agent.verified payload (RFC 0090 §A, server-free)', () => {
+  const ajv = newAjvWithCorpus();
+  const verified = ajv.getSchema(`${BASE}run-event-payloads.schema.json#/$defs/agentVerified`);
+
+  it('a conforming content-free verdict validates', () => {
+    expect(verified, 'the agentVerified $def MUST exist').toBeTruthy();
+    expect(
+      verified!({ agentId: 'core.openwop.verifier', target: 'evt-42', verdict: 'pass', criteria: ['grounded'], confidence: 0.9 }),
+      why('RFC 0090 §A', 'a conforming agent.verified payload MUST validate'),
+    ).toBe(true);
+  });
+
+  it('rejects an out-of-enum verdict', () => {
+    expect(verified!({ agentId: 'c', target: 'e', verdict: 'ok' }), why('RFC 0090 §A', 'verdict MUST be pass|fail|revise')).toBe(false);
+  });
+
+  it('rejects a content-carrying payload (verifier-no-content-leak)', () => {
+    expect(
+      verified!({ agentId: 'c', target: 'e', verdict: 'fail', result: 'the secret answer' }),
+      why('RFC 0090 §SECURITY', 'agent.verified MUST be content-free (additionalProperties:false)'),
+    ).toBe(false);
+  });
+});
+
+describe('agent-verifier-shape: RunEventType + terminate + capability (RFC 0090)', () => {
+  const ajv = newAjvWithCorpus();
+
+  it('agent.verified is registered in the RunEventType enum', () => {
+    const runEvent = loadSchema('run-event.schema.json') as { $defs?: { RunEventType?: { enum?: string[] } } };
+    expect(
+      runEvent.$defs?.RunEventType?.enum?.includes('agent.verified'),
+      why('RFC 0090 §A', 'agent.verified MUST appear in the RunEventType enum'),
+    ).toBe(true);
+  });
+
+  it('the terminate decision accepts the additive successCriteria', () => {
+    const decision = ajv.getSchema(`${BASE}orchestrator-decision.schema.json`)!;
+    expect(
+      decision({ kind: 'terminate', reason: 'goal-reached', successCriteria: [{ key: 'goal-answered', met: true }] }),
+      why('RFC 0090 §C', 'terminate MUST accept successCriteria[{key,met}]'),
+    ).toBe(true);
+    expect(
+      decision({ kind: 'terminate', successCriteria: [{ key: 'x' }] }),
+      why('RFC 0090 §C', 'a successCriteria entry MUST require both key and met'),
+    ).toBe(false);
+  });
+
+  it('capabilities accepts executionModel.version 6 + verifier sub-block', () => {
+    const execModel = ajv.getSchema(`${BASE}capabilities.schema.json#/properties/multiAgent/properties/executionModel`);
+    expect(execModel, 'the executionModel sub-schema MUST exist').toBeTruthy();
+    expect(
+      execModel!({ supported: true, version: 6, verifier: { supported: true, gating: true } }),
+      why('RFC 0090 §D', 'version:6 + verifier{supported,gating} MUST validate'),
+    ).toBe(true);
+    expect(execModel!({ supported: true, version: 7 }), why('RFC 0090 §D', 'version above the ceiling MUST be rejected')).toBe(false);
+  });
+});

package/src/scenarios/aiproviders-input-shape.test.ts

@@ -0,0 +1,69 @@
+/**
+ * Multimodal perception input (RFC 0091).
+ *
+ * Always-on, server-free schema-shape probe of the additive
+ * `capabilities.aiProviders.input` block: the `modalities` enum is closed
+ * (text/image/audio/document) and `maxBytesPerPart` is a positive integer.
+ *
+ * Behavioral assertions (a host accepting an image ContentPart on callAI and
+ * rejecting an unadvertised modality with `unsupported_modality`) are gated on
+ * `aiProviders.input.modalities` and land with a reference host
+ * (RFC 0091 §Conformance — deferred to Active → Accepted).
+ *
+ * Spec references:
+ *   - https://github.com/openwop/openwop/blob/main/RFCS/0091-multimodal-perception-input.md
+ *   - https://github.com/openwop/openwop/blob/main/spec/v1/host-capabilities.md
+ */
+
+import { describe, it, expect } from 'vitest';
+import { readFileSync, readdirSync } from 'node:fs';
+import { join } from 'node:path';
+import Ajv2020 from 'ajv/dist/2020.js';
+import addFormats from 'ajv-formats';
+import { SCHEMAS_DIR } from '../lib/paths.js';
+
+const BASE = 'https://openwop.dev/spec/v1/';
+const why = (specRef: string, requirement: string): string => `${specRef} — ${requirement}`;
+function loadSchema(name: string): Record<string, unknown> {
+  return JSON.parse(readFileSync(join(SCHEMAS_DIR, name), 'utf8')) as Record<string, unknown>;
+}
+
+describe('aiproviders-input-shape: callAI perception input (RFC 0091 §B, server-free)', () => {
+  const ajv = new Ajv2020({ strict: false, allErrors: true });
+  addFormats(ajv);
+  for (const f of readdirSync(SCHEMAS_DIR)) {
+    if (f.endsWith('.schema.json')) {
+      try {
+        ajv.addSchema(loadSchema(f));
+      } catch {
+        /* duplicate/ignore */
+      }
+    }
+  }
+  const input = ajv.getSchema(`${BASE}capabilities.schema.json#/properties/aiProviders/properties/input`);
+
+  it('the aiProviders.input sub-schema exists', () => {
+    expect(input, 'capabilities.aiProviders.input MUST be declared').toBeTruthy();
+  });
+
+  it('accepts a conforming modalities advertisement', () => {
+    expect(
+      input!({ modalities: ['text', 'image', 'document'], maxBytesPerPart: 1048576 }),
+      why('RFC 0091 §B', 'a conforming input advertisement MUST validate'),
+    ).toBe(true);
+  });
+
+  it('rejects an out-of-enum modality', () => {
+    expect(
+      input!({ modalities: ['text', 'video'] }),
+      why('RFC 0091 §B', 'modalities is a closed enum (text/image/audio/document)'),
+    ).toBe(false);
+  });
+
+  it('rejects a non-positive maxBytesPerPart', () => {
+    expect(
+      input!({ modalities: ['text'], maxBytesPerPart: 0 }),
+      why('RFC 0091 §B', 'maxBytesPerPart MUST be a positive integer'),
+    ).toBe(false);
+  });
+});

package/src/scenarios/callai-multimodal.test.ts

@@ -0,0 +1,86 @@
+/**
+ * Multimodal perception input on callAI (RFC 0091 §A/§B) — behavioral.
+ *
+ * Gated on `capabilities.aiProviders.input.modalities` including a non-text
+ * modality (root-first per RFC 0073). Soft-skips when unadvertised (default) /
+ * hard-fails under `OPENWOP_REQUIRE_BEHAVIOR=true`. The always-on wire-shape
+ * coverage lives in `aiproviders-input-shape.test.ts`; this asserts host
+ * BEHAVIOR via the documented host-sample callAI seam
+ * `POST /v1/host/sample/ai/call` (soft-skips on 404 until a host wires it):
+ *
+ *   - an ADVERTISED non-text modality (e.g. an `image` ContentPart) is ACCEPTED
+ *     (not rejected as unsupported);
+ *   - an UNADVERTISED modality MUST be rejected with the canonical
+ *     `unsupported_modality` error — never silently dropped (RFC 0091 §A).
+ *
+ * Spec references:
+ *   - https://github.com/openwop/openwop/blob/main/RFCS/0091-multimodal-perception-input.md
+ *   - https://github.com/openwop/openwop/blob/main/spec/v1/host-capabilities.md (§host.aiProviders)
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+import { behaviorGate } from '../lib/behavior-gate.js';
+import { readCapabilityFamily } from '../lib/discovery-capabilities.js';
+
+const ALL_MODALITIES = ['text', 'image', 'audio', 'document'];
+
+/** Read the canonical error code from a seam response body (tolerant of
+ *  `{error}` / `{code}` / `{error:{code}}` shapes). */
+function errCode(json: unknown): string | undefined {
+  const j = json as { error?: unknown; code?: unknown };
+  if (typeof j?.code === 'string') return j.code;
+  if (typeof j?.error === 'string') return j.error;
+  const e = j?.error as { code?: unknown } | undefined;
+  if (e && typeof e.code === 'string') return e.code;
+  return undefined;
+}
+
+const SEAM = '/v1/host/sample/ai/call';
+
+describe('callai-multimodal (RFC 0091 §A/§B)', () => {
+  it('accepts an advertised non-text modality and rejects an unadvertised one with unsupported_modality', async () => {
+    const ai = await readCapabilityFamily<Record<string, unknown>>('aiProviders');
+    const input = ai?.input as { modalities?: unknown } | undefined;
+    const modalities = Array.isArray(input?.modalities) ? (input!.modalities as string[]) : [];
+    const advertisedNonText = modalities.filter((m) => m !== 'text');
+    // Gate on advertising at least one non-text input modality.
+    if (!behaviorGate('openwop-callai-multimodal', advertisedNonText.length > 0)) return;
+
+    const accepted = advertisedNonText[0]!; // an advertised non-text modality
+    const unadvertised = ALL_MODALITIES.find((m) => m !== 'text' && !modalities.includes(m));
+
+    // 1) An advertised modality part is ACCEPTED (not an unsupported_modality refusal).
+    const okPart =
+      accepted === 'image'
+        ? { type: 'image', mimeType: 'image/png', dataBase64: 'iVBORw0KGgo=' }
+        : accepted === 'audio'
+          ? { type: 'audio', mimeType: 'audio/mp3', dataBase64: 'AAAA' }
+          : { type: 'file', mimeType: 'application/pdf', dataBase64: 'JVBERi0=' };
+    const okRes = await driver.post(SEAM, {
+      messages: [{ role: 'user', content: [{ type: 'text', text: 'describe this' }, okPart] }],
+    });
+    if (okRes.status === 404) return; // seam unwired — soft-skip the whole behavioral suite
+    expect(
+      errCode(okRes.json) !== 'unsupported_modality',
+      driver.describe('RFC 0091 §B', `an advertised modality (${accepted}) MUST NOT be rejected as unsupported_modality`),
+    ).toBe(true);
+
+    // 2) An unadvertised modality MUST be rejected with unsupported_modality.
+    if (unadvertised) {
+      const badPart =
+        unadvertised === 'audio'
+          ? { type: 'audio', mimeType: 'audio/mp3', dataBase64: 'AAAA' }
+          : unadvertised === 'document'
+            ? { type: 'file', mimeType: 'application/pdf', dataBase64: 'JVBERi0=' }
+            : { type: 'image', mimeType: 'image/png', dataBase64: 'iVBORw0KGgo=' };
+      const badRes = await driver.post(SEAM, {
+        messages: [{ role: 'user', content: [badPart] }],
+      });
+      expect(
+        errCode(badRes.json) === 'unsupported_modality',
+        driver.describe('RFC 0091 §A', `an unadvertised modality (${unadvertised}) MUST be rejected with unsupported_modality (never silently dropped)`),
+      ).toBe(true);
+    }
+  });
+});

package/src/scenarios/connection-pack-manifest-valid.test.ts

@@ -0,0 +1,122 @@
+/**
+ * Connection-pack manifest validity — `connection-packs.md` §Manifest clauses 1/3
+ * + `schemas/connection-pack-manifest.schema.json` (RFC 0095 §A).
+ *
+ * Always-on, server-free schema probe. Exercises the new
+ * `connection-pack-manifest.schema.json` with the canonical positive fixture
+ * and the kind-discriminator negatives:
+ *
+ *   1. Positive: the `connection-pack-github` fixture (a complete `kind:
+ *      "connection"` manifest, MCP reach) validates cleanly.
+ *   2. Capability shape: `capabilities.schema.json` declares
+ *      `connections.packsSupported` (RFC 0095 §C).
+ *   3. Negative — kind discriminator: the same manifest with `kind: "node"`
+ *      is rejected (`const` violation) — the discriminator routes a
+ *      connection manifest away from the other pack schemas.
+ *   4. Negative — kind/contents mixing: a manifest carrying BOTH `provider`
+ *      AND `nodes[]` is rejected. Surface-level outcome at the registry is
+ *      `pack_kind_invalid` per `node-packs.md` §"Pack kinds"; schema-level
+ *      outcome is an `additionalProperties` violation on `nodes`.
+ *   5. Negative — non-https token endpoint: `http://` is rejected with a
+ *      `pattern` violation (clause 3).
+ *   6. Positive — a SemVer prerelease `version` (`1.0.0-alpha.1`) is
+ *      schema-VALID: prerelease *precedence* (clause 6, SemVer §11) is a
+ *      host resolution concern, not a manifest-shape constraint.
+ *
+ * Behavioral resolution legs live in `connection-provider-resolution.test.ts`
+ * (capability-gated on `capabilities.connections.packsSupported`).
+ *
+ * @see spec/v1/connection-packs.md
+ * @see schemas/connection-pack-manifest.schema.json
+ * @see RFCS/0095-connection-packs-portable-provider-definitions.md
+ */
+
+import { describe, it, expect } from 'vitest';
+import { readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import Ajv2020 from 'ajv/dist/2020.js';
+import addFormats from 'ajv-formats';
+import type { ErrorObject } from 'ajv';
+import { SCHEMAS_DIR, FIXTURES_DIR } from '../lib/paths.js';
+
+const SCHEMA_PATH = join(SCHEMAS_DIR, 'connection-pack-manifest.schema.json');
+const FIXTURE_PATH = join(FIXTURES_DIR, 'connection-packs', 'connection-pack-github.json');
+
+type Manifest = Record<string, unknown> & {
+  provider: Record<string, unknown> & { auth: Record<string, unknown> };
+};
+
+function fixture(): Manifest {
+  return JSON.parse(readFileSync(FIXTURE_PATH, 'utf8')) as Manifest;
+}
+
+describe('category: connection-pack manifest validation (RFC 0095 §A)', () => {
+  const ajv = new Ajv2020({ allErrors: true, strict: false });
+  addFormats(ajv);
+  const schema = JSON.parse(readFileSync(SCHEMA_PATH, 'utf8'));
+  const validate = ajv.compile(schema);
+
+  const failsWith = (manifest: unknown, keyword: string): ErrorObject[] => {
+    const ok = validate(manifest);
+    expect(ok).toBe(false);
+    return (validate.errors ?? []).filter((e) => e.keyword === keyword);
+  };
+
+  it('positive: the connection-pack-github fixture validates cleanly', () => {
+    expect(
+      validate(fixture()),
+      `connection-packs.md §Manifest clause 1: a well-formed kind:"connection" manifest MUST validate. Errors: ${JSON.stringify(validate.errors)}`,
+    ).toBe(true);
+  });
+
+  it('capabilities.schema.json declares connections.packsSupported (RFC 0095 §C)', () => {
+    const caps = JSON.parse(readFileSync(join(SCHEMAS_DIR, 'capabilities.schema.json'), 'utf8')) as {
+      properties?: Record<string, { properties?: Record<string, unknown>; required?: string[] }>;
+    };
+    const connections = caps.properties?.connections;
+    expect(connections, 'capabilities.md §connections — the connections block MUST be declared').toBeDefined();
+    expect(
+      connections?.properties?.packsSupported,
+      'RFC 0095 §C — connections.packsSupported MUST be declared',
+    ).toBeDefined();
+  });
+
+  it('negative: the kind discriminator routes other kinds away (kind: "node" rejected)', () => {
+    const m = { ...fixture(), kind: 'node' };
+    const errs = failsWith(m, 'const');
+    expect(
+      errs.length,
+      'connection-packs.md §Manifest clause 1: kind MUST be the const "connection"',
+    ).toBeGreaterThan(0);
+  });
+
+  it('negative: a manifest mixing provider and nodes[] is rejected (pack_kind_invalid at the registry)', () => {
+    const m = {
+      ...fixture(),
+      nodes: [{ typeId: 'vendor.acme.x', version: '1.0.0', category: 'data', role: 'pure' }],
+    };
+    const errs = failsWith(m, 'additionalProperties');
+    expect(
+      errs.some((e) => (e.params as { additionalProperty?: string }).additionalProperty === 'nodes'),
+      'node-packs.md §"Pack kinds": one kind per pack — a foreign `nodes[]` field MUST be rejected (additionalProperties:false)',
+    ).toBe(true);
+  });
+
+  it('negative: a non-https token endpoint is rejected (clause 3)', () => {
+    const m = fixture();
+    (m.provider.auth.endpoints as Record<string, string>).token = 'http://example.com/token';
+    const errs = failsWith(m, 'pattern');
+    expect(
+      errs.length,
+      'connection-packs.md §Manifest clause 3: auth endpoints MUST be absolute https:// URLs',
+    ).toBeGreaterThan(0);
+  });
+
+  it('positive: a SemVer prerelease version is schema-valid (precedence is a host concern, clause 6)', () => {
+    const m = { ...fixture(), version: '1.0.0-alpha.1' };
+    expect(
+      validate(m),
+      `connection-packs.md §Manifest clause 6: prerelease ordering is resolution-time SemVer §11, not manifest shape. Errors: ${JSON.stringify(validate.errors)}`,
+    ).toBe(true);
+  });
+});

package/src/scenarios/connection-pack-no-credential-material.test.ts

@@ -0,0 +1,125 @@
+/**
+ * Connection packs carry NO credential material — `connection-packs.md`
+ * §Manifest clause 2 (RFC 0095 §B.2). Public test for the protocol-tier
+ * SECURITY invariant `connection-pack-no-credential-material`.
+ *
+ * Two layers:
+ *
+ *   A. Always-on, server-free schema probe — every name on the normative
+ *      minimum blocklist (`clientSecret`, `client_secret`, `apiKey`,
+ *      `api_key`, `token`, `accessToken`, `refreshToken`, `password`,
+ *      `privateKey`, `secret`), injected at the manifest root, under
+ *      `provider`, and under `provider.auth`, is rejected by
+ *      `connection-pack-manifest.schema.json` (`additionalProperties:false`
+ *      everywhere — the schema layer never admits a secret-named field).
+ *      The single normative EXEMPTION — the property named `token` at
+ *      exactly `provider.auth.endpoints.token` (the OAuth token-endpoint
+ *      URL) — IS schema-valid.
+ *
+ *   B. Capability-gated behavioral leg — on a host advertising
+ *      `capabilities.connections.packsSupported: true` that exposes the
+ *      `POST /v1/host/sample/connection-packs/install` test seam
+ *      (`host-sample-test-seams.md`), installing a manifest that carries
+ *      `clientSecret` MUST be rejected with the SPECIFIC error code
+ *      `connection_pack_credential_material` — not a generic schema-shape
+ *      error — because clause 2 requires the credential-material scan to
+ *      run BEFORE generic schema validation. Hosts without the seam
+ *      soft-skip (404); unadvertised hosts skip via the behavior gate.
+ *
+ * @see spec/v1/connection-packs.md
+ * @see SECURITY/invariants.yaml id: connection-pack-no-credential-material
+ * @see RFCS/0095-connection-packs-portable-provider-definitions.md
+ */
+
+import { describe, it, expect } from 'vitest';
+import { readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import Ajv2020 from 'ajv/dist/2020.js';
+import addFormats from 'ajv-formats';
+import { SCHEMAS_DIR, FIXTURES_DIR } from '../lib/paths.js';
+import { driver } from '../lib/driver.js';
+import { behaviorGate } from '../lib/behavior-gate.js';
+import { readCapabilityFamily } from '../lib/discovery-capabilities.js';
+
+const SCHEMA_PATH = join(SCHEMAS_DIR, 'connection-pack-manifest.schema.json');
+const FIXTURE_PATH = join(FIXTURES_DIR, 'connection-packs', 'connection-pack-github.json');
+
+const BLOCKLIST = [
+  'clientSecret',
+  'client_secret',
+  'apiKey',
+  'api_key',
+  'token',
+  'accessToken',
+  'refreshToken',
+  'password',
+  'privateKey',
+  'secret',
+] as const;
+
+type Manifest = Record<string, unknown> & {
+  provider: Record<string, unknown> & { auth: Record<string, unknown> };
+};
+
+function fixture(): Manifest {
+  return JSON.parse(readFileSync(FIXTURE_PATH, 'utf8')) as Manifest;
+}
+
+describe('connection-pack-no-credential-material: schema layer (always-on, server-free)', () => {
+  const ajv = new Ajv2020({ allErrors: true, strict: false });
+  addFormats(ajv);
+  const validate = ajv.compile(JSON.parse(readFileSync(SCHEMA_PATH, 'utf8')));
+
+  it('every blocklisted property name is schema-rejected at the root, provider, and auth levels', () => {
+    for (const name of BLOCKLIST) {
+      const atRoot = { ...fixture(), [name]: 'xxx' };
+      const atProvider = fixture();
+      (atProvider.provider as Record<string, unknown>)[name] = 'xxx';
+      const atAuth = fixture();
+      (atAuth.provider.auth as Record<string, unknown>)[name] = 'xxx';
+      for (const [where, m] of [['root', atRoot], ['provider', atProvider], ['provider.auth', atAuth]] as const) {
+        expect(
+          validate(m),
+          `SECURITY invariant connection-pack-no-credential-material — a property named "${name}" at ${where} MUST NOT validate (additionalProperties:false)`,
+        ).toBe(false);
+      }
+    }
+  });
+
+  it('the exemption: provider.auth.endpoints.token (the token-endpoint URL) IS valid', () => {
+    const m = fixture();
+    expect(
+      typeof (m.provider.auth.endpoints as Record<string, string>).token,
+      'fixture sanity — the github fixture declares the token endpoint',
+    ).toBe('string');
+    expect(
+      validate(m),
+      `connection-packs.md §Manifest clause 2 — the property named "token" at exactly provider.auth.endpoints.token is the OAuth token-endpoint URL and MUST validate. Errors: ${JSON.stringify(validate.errors)}`,
+    ).toBe(true);
+  });
+});
+
+describe('connection-pack-no-credential-material: specific rejection code (capability-gated, RFC 0095 §B.2)', () => {
+  it('installing a manifest carrying clientSecret is rejected with connection_pack_credential_material', async () => {
+    const connections = await readCapabilityFamily<{ packsSupported?: boolean }>('connections');
+    if (!behaviorGate('connections.packsSupported', connections?.packsSupported === true)) return;
+
+    const leaky = fixture();
+    (leaky.provider.auth as Record<string, unknown>).clientSecret = 'ghs_conformance_canary';
+    const res = await driver.post('/v1/host/sample/connection-packs/install', { manifest: leaky });
+    if (res.status === 404 || res.status === 403) return; // seam unwired — soft-skip
+
+    const body = res.json as { installed?: boolean; errors?: Array<{ code?: string }> } | undefined;
+    expect(
+      body?.installed,
+      driver.describe('connection-packs.md §Manifest clause 2', 'a manifest carrying credential material MUST NOT install'),
+    ).toBe(false);
+    expect(
+      (body?.errors ?? []).some((e) => e.code === 'connection_pack_credential_material'),
+      driver.describe(
+        'connection-packs.md §Manifest clause 2',
+        'the credential-material scan runs BEFORE generic schema validation — the SPECIFIC code connection_pack_credential_material MUST surface, not a generic shape error',
+      ),
+    ).toBe(true);
+  });
+});