@openwop/openwop-conformance 1.21.0 → 1.23.0

package/schemas/capabilities.schema.json

@@ -64,6 +64,11 @@
           "type": "number",
           "minimum": 0,
           "description": "RFC 0084. Engine-side cost ceiling clamping `RunOptions.configurable.budget.maxCostUsd`. Optional; only meaningful with `capabilities.budget`."
+        },
+        "maxRequestBodyBytes": {
+          "type": "integer",
+          "minimum": 1,
+          "description": "RFC 0094 §H. Maximum REST request body size (bytes) the host accepts. Optional v1 field per `capabilities.md` §3 (previously documented as reserved — the closed `limits` object made advertising it a schema-validation failure). Hosts that advertise it MUST enforce it."
         }
       },
       "additionalProperties": false,
@@ -279,6 +284,34 @@
       "items": { "type": "string", "enum": ["rest", "mcp", "a2a", "grpc"] },
       "description": "Optional v1 transport advertisement. REST is required whether or not this field is present."
     },
+    "grpc": {
+      "type": "object",
+      "description": "RFC 0094 §H. gRPC transport advertisement per `grpc-transport.md` §\"Capability advertisement\". Optional — absent ⇒ the host exposes no gRPC transport. A host that exposes the gRPC surface advertises this block AND includes `\"grpc\"` in `supportedTransports`. REST + SSE remain exposed regardless.",
+      "required": ["supported", "service", "tls"],
+      "properties": {
+        "supported": {
+          "type": "boolean",
+          "description": "Toggle — `true` when the gRPC surface is live."
+        },
+        "endpoint": {
+          "type": "string",
+          "minLength": 1,
+          "pattern": "^grpcs?://",
+          "description": "Full URI: `grpc://` (cleartext, intra-trusted-network only) OR `grpcs://` (TLS). Hosts SHOULD require TLS in production."
+        },
+        "service": {
+          "type": "string",
+          "const": "openwop.v1.Engine",
+          "description": "Canonical service name. v1 hosts MUST use `openwop.v1.Engine` per `grpc-transport.md` §\"Field semantics\"."
+        },
+        "tls": {
+          "type": "string",
+          "enum": ["required", "optional", "disabled"],
+          "description": "TLS posture. Production hosts MUST set `\"required\"`."
+        }
+      },
+      "additionalProperties": false
+    },
     "configurable": {
       "type": "object",
       "description": "Optional v1 per-run overlay schema — what `RunOptions.configurable` keys this server honors."
@@ -403,6 +436,22 @@
       },
       "additionalProperties": false
     },
+    "connections": {
+      "type": "object",
+      "description": "RFC 0095 (`Draft`). Connection packs — portable, registry-distributable provider definitions (`kind: \"connection\"`, `connection-pack-manifest.schema.json`) that the RFC 0045/0047 `provider` string resolves against. Only useful alongside `oauth.supported` (RFC 0047) or `credentials.supported` (RFC 0046); a host SHOULD NOT advertise this block without at least one of those.",
+      "required": ["packsSupported"],
+      "properties": {
+        "supported": {
+          "type": "boolean",
+          "description": "OPTIONAL convenience flag mirroring the other capability families. RFC 0095 keys behavior on `packsSupported`; hosts MAY also advertise `supported` for family-shape uniformity."
+        },
+        "packsSupported": {
+          "type": "boolean",
+          "description": "RFC 0095 §C. When `true`, the host installs `kind: \"connection\"` registry packs and MUST implement the §B.6 resolution contract: an RFC 0045 connector's `auth.provider` (or an RFC 0047 `host.oauth` provider string) resolves against the installed connection pack whose `provider.id` matches, with installed-vs-built-in precedence per SemVer §11 and `connection_provider_unresolved` / `connection_provider_conflict` diagnostics. When `false` or absent, connection packs are not loaded and provider resolution stays implementation-defined."
+        }
+      },
+      "additionalProperties": false
+    },
     "credentials": {
       "type": "object",
       "description": "RFC 0046 (`Draft`). Portable credential resolution + lifecycle contract — sibling to `secrets`, first-class store-at-rest + workspace sharing + two-key-overlap rotation. A pack references a credential by `{ ref, scope }` (see `credential-reference.schema.json`); the host resolves it into the node sandbox ONLY — never into inputs, persisted variables, channels, any run.* event payload, the debug bundle, or replay state (SECURITY invariant `credential-payload-redaction`). Supersedes the informal BYOK annex; the `secrets` advertisement stays valid.",

package/schemas/connection-pack-manifest.schema.json

@@ -0,0 +1,161 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://openwop.dev/spec/v1/connection-pack-manifest.schema.json",
+  "title": "ConnectionPackManifest",
+  "description": "RFC 0095. Manifest for a published OpenWOP connection pack — `pack.json` at the pack root with `kind: \"connection\"`. Peer to and disjoint from `node-pack-manifest.schema.json` (RFC 0003), `prompt-pack-manifest.schema.json` (RFC 0028), and `workflow-chain-pack-manifest.schema.json` (RFC 0013) via the `kind` discriminator. A connection pack is a portable PROVIDER definition — the authorize/token/revoke endpoints, the read/write OAuth scope catalog, and how the integration is reached (an MCP server, an OpenAPI surface, or a core integration node). It carries NO secret: the OAuth client credential is a host concern (RFC 0047), supplied out of band. When installed, it makes an RFC 0045 connector's `auth.provider` / an RFC 0047 `host.oauth` provider string resolve against `provider.id` instead of host-locked code. See `spec/v1/connection-packs.md`.",
+  "type": "object",
+  "required": ["name", "version", "kind", "engines", "provider"],
+  "additionalProperties": false,
+  "properties": {
+    "name": {
+      "type": "string",
+      "description": "Reverse-DNS pack name per `node-packs.md` §Naming. Reserved scopes are identical (`core.*` / `vendor.<org>.*` / `community.<author>.*` / `private.<host>.*`). Mirror of `prompt-pack-manifest.schema.json#/properties/name`.",
+      "pattern": "^(core|vendor|community|private)\\.[a-z][a-z0-9_-]*(\\.[a-z][a-zA-Z0-9_-]*)+$",
+      "minLength": 1,
+      "maxLength": 256
+    },
+    "version": {
+      "type": "string",
+      "description": "Pack-level SemVer 2.0.0.",
+      "pattern": "^\\d+\\.\\d+\\.\\d+(?:-[0-9A-Za-z.-]+)?(?:\\+[0-9A-Za-z.-]+)?$"
+    },
+    "kind": {
+      "type": "string",
+      "const": "connection",
+      "description": "Pack kind discriminator. MUST be the literal string `\"connection\"` for this schema."
+    },
+    "description": { "type": "string", "maxLength": 1024 },
+    "author": { "type": "string" },
+    "license": { "type": "string", "description": "SPDX license identifier (e.g., `Apache-2.0`)." },
+    "homepage": { "type": "string", "format": "uri" },
+    "repository": { "type": "string", "format": "uri" },
+    "keywords": {
+      "type": "array",
+      "items": { "type": "string", "maxLength": 64 },
+      "maxItems": 50
+    },
+    "engines": {
+      "type": "object",
+      "required": ["openwop"],
+      "additionalProperties": false,
+      "properties": {
+        "openwop": { "type": "string", "description": "SemVer range of the openwop spec version this pack targets." }
+      }
+    },
+    "provider": {
+      "type": "object",
+      "description": "The portable provider definition. Exactly one per connection pack.",
+      "required": ["id", "displayName", "category", "auth", "reach"],
+      "additionalProperties": false,
+      "properties": {
+        "id": {
+          "type": "string",
+          "pattern": "^[a-z][a-z0-9-]*$",
+          "description": "Stable provider id an RFC 0045/0047 `provider` string resolves to, e.g. `github`."
+        },
+        "displayName": { "type": "string", "minLength": 1 },
+        "category": {
+          "type": "string",
+          "enum": ["communication", "docs", "crm", "dev", "storage", "email-calendar", "ticketing", "data-warehouse", "marketing", "finance", "hr", "esignature", "support", "project-management", "payments", "other"]
+        },
+        "auth": {
+          "type": "object",
+          "required": ["kind"],
+          "additionalProperties": false,
+          "properties": {
+            "kind": { "type": "string", "enum": ["oauth2", "api_key", "bearer", "basic"] },
+            "authFlow": { "type": "string", "enum": ["pkce", "client_credentials", "manual", "none"] },
+            "scopeModel": {
+              "type": "string",
+              "enum": ["groups", "coarse", "capabilities"],
+              "default": "groups",
+              "description": "`groups` = read/write scope groups (Google/Jira/Graph). `coarse` = a single read-vs-write toggle (Stripe Connect read_only/read_write). `capabilities` = consent is a static developer-portal capability set, not per-request scopes (Notion)."
+            },
+            "endpoints": {
+              "type": "object",
+              "additionalProperties": false,
+              "description": "Fixed, manifest-declared https endpoints (RFC 0095 §B.3). Never derived from runtime user input — not an SSRF surface.",
+              "properties": {
+                "authorize": { "type": "string", "format": "uri", "pattern": "^https://" },
+                "token": { "type": "string", "format": "uri", "pattern": "^https://" },
+                "revoke": { "type": "string", "format": "uri", "pattern": "^https://" }
+              }
+            },
+            "scopes": {
+              "type": "object",
+              "additionalProperties": false,
+              "description": "Read/write scope groups. `write` is requested as a SEPARATE re-consent step (RFC 0095 §B.4).",
+              "properties": {
+                "read": { "type": "array", "items": { "$ref": "#/$defs/ScopeGroup" } },
+                "write": { "type": "array", "items": { "$ref": "#/$defs/ScopeGroup" } }
+              }
+            },
+            "instanceUrlTemplate": {
+              "type": "string",
+              "description": "For per-account-host providers (Snowflake/NetSuite/ServiceNow): a template the host fills per connection, e.g. `https://{account}.snowflakecomputing.com`. Its presence signals the provider cannot use a single global OAuth app."
+            }
+          }
+        },
+        "reach": {
+          "type": "object",
+          "minProperties": 1,
+          "maxProperties": 1,
+          "additionalProperties": false,
+          "description": "Exactly ONE of mcp | openapi | integration — which core node injects the resolved credential (RFC 0095 §B.5).",
+          "properties": {
+            "mcp": {
+              "type": "object",
+              "required": ["server"],
+              "additionalProperties": false,
+              "properties": {
+                "server": {
+                  "type": "object",
+                  "required": ["url", "transport"],
+                  "additionalProperties": false,
+                  "properties": {
+                    "url": { "type": "string", "format": "uri", "pattern": "^https://" },
+                    "transport": { "type": "string", "enum": ["http", "sse"] }
+                  }
+                }
+              }
+            },
+            "openapi": {
+              "type": "object",
+              "required": ["ref"],
+              "additionalProperties": false,
+              "properties": {
+                "ref": { "type": "string", "description": "URL or in-pack path of the OpenAPI document for core.openwop.http.openapi-call." }
+              }
+            },
+            "integration": {
+              "type": "object",
+              "required": ["node"],
+              "additionalProperties": false,
+              "properties": {
+                "node": { "type": "string", "description": "A core.openwop.integration.* node typeId." }
+              }
+            }
+          }
+        },
+        "consumerNodes": {
+          "type": "array",
+          "items": { "type": "string" },
+          "description": "The core node typeIds that consume this provider's credential (e.g. core.openwop.mcp.invoke-tool)."
+        },
+        "docsUrl": { "type": "string", "format": "uri" }
+      }
+    }
+  },
+  "$defs": {
+    "ScopeGroup": {
+      "type": "object",
+      "required": ["key", "label", "scopes"],
+      "additionalProperties": false,
+      "properties": {
+        "key": { "type": "string", "pattern": "^[a-z][a-z0-9._-]*$" },
+        "label": { "type": "string", "minLength": 1 },
+        "scopes": { "type": "array", "items": { "type": "string" }, "description": "The provider's raw scope strings, e.g. `https://www.googleapis.com/auth/drive.readonly`." }
+      }
+    }
+  }
+}

package/schemas/run-event-payloads.schema.json

@@ -423,7 +423,7 @@
       "properties": {
         "nodeId":      { "type": "string", "minLength": 1 },
         "interruptId": { "type": "string", "minLength": 1 },
-        "kind":        { "type": "string", "enum": ["approval", "clarification", "external-event", "custom"] },
+        "kind":        { "type": "string", "enum": ["approval", "clarification", "external-event", "custom", "conversation.start", "conversation.exchange", "conversation.close", "low-confidence"], "description": "RFC 0094 §E — the full kind union `interrupt.md` defines (mirrors suspend-request.schema.json). Conversation kinds are gated on the conversation capability per capabilities.md." },
         "key":         { "type": "string", "minLength": 1 }
       },
       "additionalProperties": true
@@ -608,7 +608,7 @@
       "properties": {
         "nodeId":      { "type": "string" },
         "interruptId": { "type": "string" },
-        "kind":        { "type": "string", "enum": ["approval", "clarification", "external-event", "custom"] },
+        "kind":        { "type": "string", "enum": ["approval", "clarification", "external-event", "custom", "conversation.start", "conversation.exchange", "conversation.close", "low-confidence"], "description": "RFC 0094 §E — the full kind union `interrupt.md` defines (mirrors suspend-request.schema.json). Conversation kinds are gated on the conversation capability per capabilities.md." },
         "resumeValue": {}
       },
       "additionalProperties": true
@@ -636,12 +636,13 @@
 
     "outputChunk": {
       "type": "object",
-      "description": "Emitted for streaming output (e.g., LLM token chunks). Stream-mode `messages` consumers see these. Tiered metadata per stream-modes.md §messages (S2 closure): bare {nodeId, chunk} is the minimum compliant payload; `meta` adds Tier 1 typed slots and a Tier 2 provider-pass-through escape hatch.",
-      "required": ["nodeId", "chunk"],
+      "description": "Emitted for streaming output (e.g., LLM token chunks). Stream-mode `messages` consumers see these. RFC 0094 §D single-sources the `ai.message.chunk` payload here: bare {nodeId, runId, chunk, isLast} is the minimum compliant payload per stream-modes.md §messages (the prior {nodeId, chunk}-only required set was the defective restatement). Tiered metadata per stream-modes.md §messages (S2 closure): `meta` adds Tier 1 typed slots and a Tier 2 provider-pass-through escape hatch.",
+      "required": ["nodeId", "runId", "chunk", "isLast"],
       "properties": {
         "nodeId":  { "type": "string", "minLength": 1 },
+        "runId":   { "type": "string", "minLength": 1, "description": "Run this chunk belongs to. Required so multiplexed consumers (mixed-mode streams, fan-in UIs) can route chunks without out-of-band context." },
         "chunk":   { "type": "string" },
-        "isLast":  { "type": "boolean" },
+        "isLast":  { "type": "boolean", "description": "True for the final chunk of a given AI node call. Required — both reference consumers rely on it for fold termination." },
         "channel": { "type": "string", "description": "Optional sub-stream identifier when a node emits multiple parallel streams." },
         "meta":    { "$ref": "#/$defs/_chunkMeta" }
       },

package/schemas/run-event.schema.json

@@ -25,7 +25,15 @@
       "maxLength": 128
     },
     "type": {
-      "$ref": "#/$defs/RunEventType"
+      "description": "Event-type discriminator. RFC 0094 §C: either a protocol-owned type from the authoritative `RunEventType` catalog, or a correctly-prefixed vendor-extension event per `host-extensions.md` §\"Vendor-prefixed namespaces\" (dotted name whose first segment is the vendor's short identifier or reverse-DNS label — e.g. `acme.canvas.published` — and is NOT a protocol-owned/registry-reserved prefix). Aligns the schema with `COMPATIBILITY.md` (\"Clients MUST ignore unknown event types\") and `version-negotiation.md` (readers ignore unknown).",
+      "anyOf": [
+        { "$ref": "#/$defs/RunEventType" },
+        {
+          "type": "string",
+          "pattern": "^(?!(?:openwop|core|community|vendor|private|local)\\.)[a-z][a-zA-Z0-9_-]*(\\.[a-zA-Z0-9_-]+)+$",
+          "description": "Vendor-extension event type: two or more dot-separated segments; the leading segment is the vendor prefix and MUST NOT be one of the protocol-owned / registry-reserved prefixes (`openwop.*`, `core.*`, `community.*`, `vendor.*`, `private.*`, `local.*`) per `host-extensions.md` §\"Canonical prefixes\"."
+        }
+      ]
     },
     "payload": {
       "description": "Event-type-specific payload. Servers MAY validate against per-type schemas; this top-level schema accepts any JSON value.",
@@ -57,7 +65,8 @@
       "maxLength": 128
     }
   },
-  "additionalProperties": false,
+  "$comment": "RFC 0094 §G + COMPATIBILITY.md §\"Schema closure\": RunEventDoc is a SERVER-EMITTED shape, so it is open (`additionalProperties: true`) — v1.x hosts may add optional fields additively without breaking schema-validating clients. Client-submitted shapes stay closed at their outermost composition.",
+  "additionalProperties": true,
   "$defs": {
     "RunEventType": {
       "type": "string",

package/schemas/run-options.schema.json

@@ -2,7 +2,7 @@
   "$schema": "https://json-schema.org/draft/2020-12/schema",
   "$id": "https://openwop.dev/spec/v1/run-options.schema.json",
   "title": "RunOptions",
-  "description": "Per-run parameter overlay supplied by the caller in `POST /v1/runs`. See `run-options.md` for full semantics. Reserved keys are typed; unknown keys in `configurable` pass through to the engine.",
+  "description": "Per-run parameter overlay supplied by the caller in `POST /v1/runs`. See `run-options.md` for full semantics. Reserved keys are typed; unknown keys in `configurable` pass through to the engine. RFC 0094 §A: this schema is OPEN at its own root (no `additionalProperties: false`) because it participates in the composed `createRun` request body in `api/openapi.yaml`; the closure (`unevaluatedProperties: false`) lives at that composition site, the only place JSON Schema 2020-12 can express closure over an `allOf`.",
   "type": "object",
   "properties": {
     "configurable": {
@@ -21,7 +21,6 @@
       "description": "Free-form caller metadata. Persisted on the run doc; surfaces back via `RunSnapshot.metadata`. Server MAY enforce a serialized-size limit (recommended: 50KB)."
     }
   },
-  "additionalProperties": false,
   "$defs": {
     "Configurable": {
       "type": "object",

package/schemas/run-snapshot.schema.json

@@ -28,9 +28,10 @@
         "waiting-external",
         "completed",
         "failed",
+        "cancelling",
         "cancelled"
       ],
-      "description": "Current run state. `waiting-external` MUST be used when the suspended interrupt's `kind` is `external-event` per `interrupt-profiles.md §openwop-interrupt-external-event` — distinguishes external-event waits from HITL waits at the wire level. Forward-compat: future statuses MAY be added; readers SHOULD treat unknown values as terminal-unknown rather than throw."
+      "description": "Current run state. `waiting-external` MUST be used when the suspended interrupt's `kind` is `external-event` per `interrupt-profiles.md §openwop-interrupt-external-event` — distinguishes external-event waits from HITL waits at the wire level. `cancelling` (RFC 0094 §B) is the transitional state between a cancel request being accepted and the terminal `cancelled` — `rest-endpoints.md` and the OpenAPI cancel responses already document the transition; a snapshot read during the cancel cascade carries it. Forward-compat: future statuses MAY be added; readers SHOULD treat unknown values as terminal-unknown rather than throw."
     },
     "owner": {
       "type": "object",

package/schemas/suspend-request.schema.json

@@ -76,6 +76,11 @@
           "type": "string",
           "enum": ["single-veto", "majority"],
           "default": "single-veto"
+        },
+        "overrideBypassesQuorum": {
+          "type": "boolean",
+          "default": false,
+          "description": "RFC 0093 §D2 (pins RFC 0051 UQ 2). When `true`, a configured override principal (per `interrupt-profiles.md` §approval-gate `override.requiredRole`) MAY bypass the quorum (`requiredApprovals`) and release the gate alone. Default `false`: an override principal's approval counts as ONE quorum vote; quorum still applies. Optional, additive."
         }
       }
     },

package/src/scenarios/connection-pack-manifest-valid.test.ts

@@ -0,0 +1,122 @@
+/**
+ * Connection-pack manifest validity — `connection-packs.md` §Manifest clauses 1/3
+ * + `schemas/connection-pack-manifest.schema.json` (RFC 0095 §A).
+ *
+ * Always-on, server-free schema probe. Exercises the new
+ * `connection-pack-manifest.schema.json` with the canonical positive fixture
+ * and the kind-discriminator negatives:
+ *
+ *   1. Positive: the `connection-pack-github` fixture (a complete `kind:
+ *      "connection"` manifest, MCP reach) validates cleanly.
+ *   2. Capability shape: `capabilities.schema.json` declares
+ *      `connections.packsSupported` (RFC 0095 §C).
+ *   3. Negative — kind discriminator: the same manifest with `kind: "node"`
+ *      is rejected (`const` violation) — the discriminator routes a
+ *      connection manifest away from the other pack schemas.
+ *   4. Negative — kind/contents mixing: a manifest carrying BOTH `provider`
+ *      AND `nodes[]` is rejected. Surface-level outcome at the registry is
+ *      `pack_kind_invalid` per `node-packs.md` §"Pack kinds"; schema-level
+ *      outcome is an `additionalProperties` violation on `nodes`.
+ *   5. Negative — non-https token endpoint: `http://` is rejected with a
+ *      `pattern` violation (clause 3).
+ *   6. Positive — a SemVer prerelease `version` (`1.0.0-alpha.1`) is
+ *      schema-VALID: prerelease *precedence* (clause 6, SemVer §11) is a
+ *      host resolution concern, not a manifest-shape constraint.
+ *
+ * Behavioral resolution legs live in `connection-provider-resolution.test.ts`
+ * (capability-gated on `capabilities.connections.packsSupported`).
+ *
+ * @see spec/v1/connection-packs.md
+ * @see schemas/connection-pack-manifest.schema.json
+ * @see RFCS/0095-connection-packs-portable-provider-definitions.md
+ */
+
+import { describe, it, expect } from 'vitest';
+import { readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import Ajv2020 from 'ajv/dist/2020.js';
+import addFormats from 'ajv-formats';
+import type { ErrorObject } from 'ajv';
+import { SCHEMAS_DIR, FIXTURES_DIR } from '../lib/paths.js';
+
+const SCHEMA_PATH = join(SCHEMAS_DIR, 'connection-pack-manifest.schema.json');
+const FIXTURE_PATH = join(FIXTURES_DIR, 'connection-packs', 'connection-pack-github.json');
+
+type Manifest = Record<string, unknown> & {
+  provider: Record<string, unknown> & { auth: Record<string, unknown> };
+};
+
+function fixture(): Manifest {
+  return JSON.parse(readFileSync(FIXTURE_PATH, 'utf8')) as Manifest;
+}
+
+describe('category: connection-pack manifest validation (RFC 0095 §A)', () => {
+  const ajv = new Ajv2020({ allErrors: true, strict: false });
+  addFormats(ajv);
+  const schema = JSON.parse(readFileSync(SCHEMA_PATH, 'utf8'));
+  const validate = ajv.compile(schema);
+
+  const failsWith = (manifest: unknown, keyword: string): ErrorObject[] => {
+    const ok = validate(manifest);
+    expect(ok).toBe(false);
+    return (validate.errors ?? []).filter((e) => e.keyword === keyword);
+  };
+
+  it('positive: the connection-pack-github fixture validates cleanly', () => {
+    expect(
+      validate(fixture()),
+      `connection-packs.md §Manifest clause 1: a well-formed kind:"connection" manifest MUST validate. Errors: ${JSON.stringify(validate.errors)}`,
+    ).toBe(true);
+  });
+
+  it('capabilities.schema.json declares connections.packsSupported (RFC 0095 §C)', () => {
+    const caps = JSON.parse(readFileSync(join(SCHEMAS_DIR, 'capabilities.schema.json'), 'utf8')) as {
+      properties?: Record<string, { properties?: Record<string, unknown>; required?: string[] }>;
+    };
+    const connections = caps.properties?.connections;
+    expect(connections, 'capabilities.md §connections — the connections block MUST be declared').toBeDefined();
+    expect(
+      connections?.properties?.packsSupported,
+      'RFC 0095 §C — connections.packsSupported MUST be declared',
+    ).toBeDefined();
+  });
+
+  it('negative: the kind discriminator routes other kinds away (kind: "node" rejected)', () => {
+    const m = { ...fixture(), kind: 'node' };
+    const errs = failsWith(m, 'const');
+    expect(
+      errs.length,
+      'connection-packs.md §Manifest clause 1: kind MUST be the const "connection"',
+    ).toBeGreaterThan(0);
+  });
+
+  it('negative: a manifest mixing provider and nodes[] is rejected (pack_kind_invalid at the registry)', () => {
+    const m = {
+      ...fixture(),
+      nodes: [{ typeId: 'vendor.acme.x', version: '1.0.0', category: 'data', role: 'pure' }],
+    };
+    const errs = failsWith(m, 'additionalProperties');
+    expect(
+      errs.some((e) => (e.params as { additionalProperty?: string }).additionalProperty === 'nodes'),
+      'node-packs.md §"Pack kinds": one kind per pack — a foreign `nodes[]` field MUST be rejected (additionalProperties:false)',
+    ).toBe(true);
+  });
+
+  it('negative: a non-https token endpoint is rejected (clause 3)', () => {
+    const m = fixture();
+    (m.provider.auth.endpoints as Record<string, string>).token = 'http://example.com/token';
+    const errs = failsWith(m, 'pattern');
+    expect(
+      errs.length,
+      'connection-packs.md §Manifest clause 3: auth endpoints MUST be absolute https:// URLs',
+    ).toBeGreaterThan(0);
+  });
+
+  it('positive: a SemVer prerelease version is schema-valid (precedence is a host concern, clause 6)', () => {
+    const m = { ...fixture(), version: '1.0.0-alpha.1' };
+    expect(
+      validate(m),
+      `connection-packs.md §Manifest clause 6: prerelease ordering is resolution-time SemVer §11, not manifest shape. Errors: ${JSON.stringify(validate.errors)}`,
+    ).toBe(true);
+  });
+});

package/src/scenarios/connection-pack-no-credential-material.test.ts

@@ -0,0 +1,125 @@
+/**
+ * Connection packs carry NO credential material — `connection-packs.md`
+ * §Manifest clause 2 (RFC 0095 §B.2). Public test for the protocol-tier
+ * SECURITY invariant `connection-pack-no-credential-material`.
+ *
+ * Two layers:
+ *
+ *   A. Always-on, server-free schema probe — every name on the normative
+ *      minimum blocklist (`clientSecret`, `client_secret`, `apiKey`,
+ *      `api_key`, `token`, `accessToken`, `refreshToken`, `password`,
+ *      `privateKey`, `secret`), injected at the manifest root, under
+ *      `provider`, and under `provider.auth`, is rejected by
+ *      `connection-pack-manifest.schema.json` (`additionalProperties:false`
+ *      everywhere — the schema layer never admits a secret-named field).
+ *      The single normative EXEMPTION — the property named `token` at
+ *      exactly `provider.auth.endpoints.token` (the OAuth token-endpoint
+ *      URL) — IS schema-valid.
+ *
+ *   B. Capability-gated behavioral leg — on a host advertising
+ *      `capabilities.connections.packsSupported: true` that exposes the
+ *      `POST /v1/host/sample/connection-packs/install` test seam
+ *      (`host-sample-test-seams.md`), installing a manifest that carries
+ *      `clientSecret` MUST be rejected with the SPECIFIC error code
+ *      `connection_pack_credential_material` — not a generic schema-shape
+ *      error — because clause 2 requires the credential-material scan to
+ *      run BEFORE generic schema validation. Hosts without the seam
+ *      soft-skip (404); unadvertised hosts skip via the behavior gate.
+ *
+ * @see spec/v1/connection-packs.md
+ * @see SECURITY/invariants.yaml id: connection-pack-no-credential-material
+ * @see RFCS/0095-connection-packs-portable-provider-definitions.md
+ */
+
+import { describe, it, expect } from 'vitest';
+import { readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import Ajv2020 from 'ajv/dist/2020.js';
+import addFormats from 'ajv-formats';
+import { SCHEMAS_DIR, FIXTURES_DIR } from '../lib/paths.js';
+import { driver } from '../lib/driver.js';
+import { behaviorGate } from '../lib/behavior-gate.js';
+import { readCapabilityFamily } from '../lib/discovery-capabilities.js';
+
+const SCHEMA_PATH = join(SCHEMAS_DIR, 'connection-pack-manifest.schema.json');
+const FIXTURE_PATH = join(FIXTURES_DIR, 'connection-packs', 'connection-pack-github.json');
+
+const BLOCKLIST = [
+  'clientSecret',
+  'client_secret',
+  'apiKey',
+  'api_key',
+  'token',
+  'accessToken',
+  'refreshToken',
+  'password',
+  'privateKey',
+  'secret',
+] as const;
+
+type Manifest = Record<string, unknown> & {
+  provider: Record<string, unknown> & { auth: Record<string, unknown> };
+};
+
+function fixture(): Manifest {
+  return JSON.parse(readFileSync(FIXTURE_PATH, 'utf8')) as Manifest;
+}
+
+describe('connection-pack-no-credential-material: schema layer (always-on, server-free)', () => {
+  const ajv = new Ajv2020({ allErrors: true, strict: false });
+  addFormats(ajv);
+  const validate = ajv.compile(JSON.parse(readFileSync(SCHEMA_PATH, 'utf8')));
+
+  it('every blocklisted property name is schema-rejected at the root, provider, and auth levels', () => {
+    for (const name of BLOCKLIST) {
+      const atRoot = { ...fixture(), [name]: 'xxx' };
+      const atProvider = fixture();
+      (atProvider.provider as Record<string, unknown>)[name] = 'xxx';
+      const atAuth = fixture();
+      (atAuth.provider.auth as Record<string, unknown>)[name] = 'xxx';
+      for (const [where, m] of [['root', atRoot], ['provider', atProvider], ['provider.auth', atAuth]] as const) {
+        expect(
+          validate(m),
+          `SECURITY invariant connection-pack-no-credential-material — a property named "${name}" at ${where} MUST NOT validate (additionalProperties:false)`,
+        ).toBe(false);
+      }
+    }
+  });
+
+  it('the exemption: provider.auth.endpoints.token (the token-endpoint URL) IS valid', () => {
+    const m = fixture();
+    expect(
+      typeof (m.provider.auth.endpoints as Record<string, string>).token,
+      'fixture sanity — the github fixture declares the token endpoint',
+    ).toBe('string');
+    expect(
+      validate(m),
+      `connection-packs.md §Manifest clause 2 — the property named "token" at exactly provider.auth.endpoints.token is the OAuth token-endpoint URL and MUST validate. Errors: ${JSON.stringify(validate.errors)}`,
+    ).toBe(true);
+  });
+});
+
+describe('connection-pack-no-credential-material: specific rejection code (capability-gated, RFC 0095 §B.2)', () => {
+  it('installing a manifest carrying clientSecret is rejected with connection_pack_credential_material', async () => {
+    const connections = await readCapabilityFamily<{ packsSupported?: boolean }>('connections');
+    if (!behaviorGate('connections.packsSupported', connections?.packsSupported === true)) return;
+
+    const leaky = fixture();
+    (leaky.provider.auth as Record<string, unknown>).clientSecret = 'ghs_conformance_canary';
+    const res = await driver.post('/v1/host/sample/connection-packs/install', { manifest: leaky });
+    if (res.status === 404 || res.status === 403) return; // seam unwired — soft-skip
+
+    const body = res.json as { installed?: boolean; errors?: Array<{ code?: string }> } | undefined;
+    expect(
+      body?.installed,
+      driver.describe('connection-packs.md §Manifest clause 2', 'a manifest carrying credential material MUST NOT install'),
+    ).toBe(false);
+    expect(
+      (body?.errors ?? []).some((e) => e.code === 'connection_pack_credential_material'),
+      driver.describe(
+        'connection-packs.md §Manifest clause 2',
+        'the credential-material scan runs BEFORE generic schema validation — the SPECIFIC code connection_pack_credential_material MUST surface, not a generic shape error',
+      ),
+    ).toBe(true);
+  });
+});