@openwop/openwop-conformance 1.21.0 → 1.24.0

package/schemas/run-event-payloads.schema.json

@@ -2,7 +2,7 @@
   "$schema": "https://json-schema.org/draft/2020-12/schema",
   "$id": "https://openwop.dev/spec/v1/run-event-payloads.schema.json",
   "title": "RunEventPayloads",
-  "description": "Per-RunEventType payload schemas. The base RunEventDoc shape (run-event.schema.json) leaves `payload` permissive for forward-compat. This schema defines the canonical payload contract for each known RunEventType. Consumers MAY pin strict payload validation via `$defs.<typeId>` and `ajv.validate(schema.$defs[event.type], event.payload)`. Unknown event types MUST be tolerated (no $defs match → fold best-effort).\n\n95 variants from `run-event.schema.json#$defs.RunEventType` are covered, grouped into ~20 shape families with shared $defs. Naming convention: camelCase keys mirror dotted RunEventType names (e.g., `run.started` → `runStarted`).",
+  "description": "Per-RunEventType payload schemas. The base RunEventDoc shape (run-event.schema.json) leaves `payload` permissive for forward-compat. This schema defines the canonical payload contract for each known RunEventType. Consumers MAY pin strict payload validation via `$defs.<typeId>` and `ajv.validate(schema.$defs[event.type], event.payload)`. Unknown event types MUST be tolerated (no $defs match → fold best-effort).\n\n100 variants from `run-event.schema.json#$defs.RunEventType` are covered, grouped into ~20 shape families with shared $defs. Naming convention: camelCase keys mirror dotted RunEventType names (e.g., `run.started` → `runStarted`).",
   "type": "object",
   "$defs": {
     "_typeIndex": {
@@ -104,7 +104,12 @@
         "budget.reserved":           { "$ref": "#/$defs/budgetReserved" },
         "budget.consumed":           { "$ref": "#/$defs/budgetConsumed" },
         "budget.threshold.crossed":  { "$ref": "#/$defs/budgetThresholdCrossed" },
-        "budget.exhausted":          { "$ref": "#/$defs/budgetExhausted" }
+        "budget.exhausted":          { "$ref": "#/$defs/budgetExhausted" },
+        "proposal.created":          { "$ref": "#/$defs/proposalCreated" },
+        "proposal.activated":        { "$ref": "#/$defs/proposalActivated" },
+        "goal.evaluated":            { "$ref": "#/$defs/goalEvaluated" },
+        "goal.closed":               { "$ref": "#/$defs/goalClosed" },
+        "import.applied":            { "$ref": "#/$defs/importApplied" }
       }
     },
 
@@ -122,6 +127,79 @@
       }
     },
 
+    "proposalCreated": {
+      "description": "RFC 0096 §D. Emitted when the host synthesizes a reviewable-learning draft. Content-free: ids / kind / content-free references only — NEVER the artifact body or the rationale text (those live behind the authed read). Redaction-safe (SECURITY invariant `proposal-inert-until-applied` covers the behavior; SR-1 covers the payload). MUST NOT be emitted unless `capabilities.agents.proposals` is advertised.",
+      "type": "object",
+      "additionalProperties": false,
+      "required": ["proposalId", "kind"],
+      "properties": {
+        "proposalId": { "type": "string", "minLength": 1, "description": "The created proposal's stable id." },
+        "kind": { "type": "string", "enum": ["agent-pack", "workflow-chain-pack", "prompt-template", "automation"], "description": "The proposed artifact kind." },
+        "sourceRunIds": { "type": "array", "items": { "type": "string" }, "description": "Runs whose traces produced the draft (RFC 0040 causation-compatible). Ids only — no trace content." },
+        "duplicateOf": { "type": ["string", "null"], "description": "Existing artifact ref the proposal restates/overlaps, when duplication detection is on; else null." }
+      }
+    },
+
+    "proposalActivated": {
+      "description": "RFC 0096 §D. Emitted on a successful `apply`. Content-free: ids / content-free references only — NEVER the installed artifact body. MUST NOT be emitted unless `capabilities.agents.proposals` is advertised.",
+      "type": "object",
+      "additionalProperties": false,
+      "required": ["proposalId", "kind", "installedArtifactRef"],
+      "properties": {
+        "proposalId": { "type": "string", "minLength": 1 },
+        "kind": { "type": "string", "enum": ["agent-pack", "workflow-chain-pack", "prompt-template", "automation"] },
+        "approvalId": { "type": ["string", "null"], "description": "RFC 0051 approval id when activation routed through an approval gate; null for direct-rbac." },
+        "installedArtifactRef": { "type": "string", "minLength": 1, "description": "Ref of the artifact installed on apply (RFC 0043)." }
+      }
+    },
+
+    "goalEvaluated": {
+      "description": "RFC 0097 §D. Emitted after each judge check on a standing goal. Content-free: NO objective text. The verdict (`satisfied`/`confidence`) is non-deterministic judge output — it is RECORDED here and MUST NOT be recomputed on replay/fork (`replay.md`). MUST NOT be emitted unless `capabilities.agents.goals` is advertised.",
+      "type": "object",
+      "additionalProperties": false,
+      "required": ["goalId", "satisfied", "runId", "iterations"],
+      "properties": {
+        "goalId": { "type": "string", "minLength": 1 },
+        "satisfied": { "type": "boolean", "description": "The judge's verdict for this check." },
+        "confidence": { "type": "number", "minimum": 0, "maximum": 1, "description": "Judge confidence in [0,1]." },
+        "runId": { "type": "string", "minLength": 1, "description": "The run this verdict evaluated (RFC 0040 causation-compatible)." },
+        "iterations": { "type": "integer", "minimum": 0, "description": "Contributing iterations so far." }
+      }
+    },
+
+    "goalClosed": {
+      "description": "RFC 0097 §D. Emitted when a standing goal stops continuation. Content-free. MUST NOT be emitted unless `capabilities.agents.goals` is advertised.",
+      "type": "object",
+      "additionalProperties": false,
+      "required": ["goalId", "finalState"],
+      "properties": {
+        "goalId": { "type": "string", "minLength": 1 },
+        "finalState": { "type": "string", "enum": ["satisfied", "escalated", "abandoned", "bound-exceeded"], "description": "Terminal state the goal closed in." }
+      }
+    },
+
+    "importApplied": {
+      "description": "RFC 0098 §D. Emitted when an estate import is applied. Content-free: counts + ref-only — NO item payloads, NO secret values (SECURITY invariant `export-bundle-no-credential-material`). MUST NOT be emitted unless `capabilities.portability` is advertised.",
+      "type": "object",
+      "additionalProperties": false,
+      "required": ["bundleOrigin", "counts"],
+      "properties": {
+        "bundleOrigin": { "type": "string", "minLength": 1, "description": "The bundle's `source.origin` — informational only." },
+        "counts": {
+          "type": "object",
+          "additionalProperties": false,
+          "description": "Per-action item tallies.",
+          "properties": {
+            "created": { "type": "integer", "minimum": 0 },
+            "updated": { "type": "integer", "minimum": 0 },
+            "skipped": { "type": "integer", "minimum": 0 },
+            "failed": { "type": "integer", "minimum": 0 }
+          }
+        },
+        "secretsToRebind": { "type": "array", "items": { "type": "string" }, "description": "Provider/ref ids whose secrets must be re-bound at the destination. Refs only — never secret values." }
+      }
+    },
+
     "connectorAuthorized": {
       "description": "RFC 0047 — emitted when the host acquires (or re-authorizes) a third-party OAuth token on a user's behalf via the `host.oauth` flow. Redaction-safe: carries the credential REFERENCE (RFC 0046), never token material. MUST NOT be emitted unless `capabilities.oauth.supported: true`.",
       "type": "object",
@@ -423,7 +501,7 @@
       "properties": {
         "nodeId":      { "type": "string", "minLength": 1 },
         "interruptId": { "type": "string", "minLength": 1 },
-        "kind":        { "type": "string", "enum": ["approval", "clarification", "external-event", "custom"] },
+        "kind":        { "type": "string", "enum": ["approval", "clarification", "external-event", "custom", "conversation.start", "conversation.exchange", "conversation.close", "low-confidence"], "description": "RFC 0094 §E — the full kind union `interrupt.md` defines (mirrors suspend-request.schema.json). Conversation kinds are gated on the conversation capability per capabilities.md." },
         "key":         { "type": "string", "minLength": 1 }
       },
       "additionalProperties": true
@@ -608,7 +686,7 @@
       "properties": {
         "nodeId":      { "type": "string" },
         "interruptId": { "type": "string" },
-        "kind":        { "type": "string", "enum": ["approval", "clarification", "external-event", "custom"] },
+        "kind":        { "type": "string", "enum": ["approval", "clarification", "external-event", "custom", "conversation.start", "conversation.exchange", "conversation.close", "low-confidence"], "description": "RFC 0094 §E — the full kind union `interrupt.md` defines (mirrors suspend-request.schema.json). Conversation kinds are gated on the conversation capability per capabilities.md." },
         "resumeValue": {}
       },
       "additionalProperties": true
@@ -636,12 +714,13 @@
 
     "outputChunk": {
       "type": "object",
-      "description": "Emitted for streaming output (e.g., LLM token chunks). Stream-mode `messages` consumers see these. Tiered metadata per stream-modes.md §messages (S2 closure): bare {nodeId, chunk} is the minimum compliant payload; `meta` adds Tier 1 typed slots and a Tier 2 provider-pass-through escape hatch.",
-      "required": ["nodeId", "chunk"],
+      "description": "Emitted for streaming output (e.g., LLM token chunks). Stream-mode `messages` consumers see these. RFC 0094 §D single-sources the `ai.message.chunk` payload here: bare {nodeId, runId, chunk, isLast} is the minimum compliant payload per stream-modes.md §messages (the prior {nodeId, chunk}-only required set was the defective restatement). Tiered metadata per stream-modes.md §messages (S2 closure): `meta` adds Tier 1 typed slots and a Tier 2 provider-pass-through escape hatch.",
+      "required": ["nodeId", "runId", "chunk", "isLast"],
       "properties": {
         "nodeId":  { "type": "string", "minLength": 1 },
+        "runId":   { "type": "string", "minLength": 1, "description": "Run this chunk belongs to. Required so multiplexed consumers (mixed-mode streams, fan-in UIs) can route chunks without out-of-band context." },
         "chunk":   { "type": "string" },
-        "isLast":  { "type": "boolean" },
+        "isLast":  { "type": "boolean", "description": "True for the final chunk of a given AI node call. Required — both reference consumers rely on it for fold termination." },
         "channel": { "type": "string", "description": "Optional sub-stream identifier when a node emits multiple parallel streams." },
         "meta":    { "$ref": "#/$defs/_chunkMeta" }
       },

package/schemas/run-event.schema.json

@@ -25,7 +25,15 @@
       "maxLength": 128
     },
     "type": {
-      "$ref": "#/$defs/RunEventType"
+      "description": "Event-type discriminator. RFC 0094 §C: either a protocol-owned type from the authoritative `RunEventType` catalog, or a correctly-prefixed vendor-extension event per `host-extensions.md` §\"Vendor-prefixed namespaces\" (dotted name whose first segment is the vendor's short identifier or reverse-DNS label — e.g. `acme.canvas.published` — and is NOT a protocol-owned/registry-reserved prefix). Aligns the schema with `COMPATIBILITY.md` (\"Clients MUST ignore unknown event types\") and `version-negotiation.md` (readers ignore unknown).",
+      "anyOf": [
+        { "$ref": "#/$defs/RunEventType" },
+        {
+          "type": "string",
+          "pattern": "^(?!(?:openwop|core|community|vendor|private|local)\\.)[a-z][a-zA-Z0-9_-]*(\\.[a-zA-Z0-9_-]+)+$",
+          "description": "Vendor-extension event type: two or more dot-separated segments; the leading segment is the vendor prefix and MUST NOT be one of the protocol-owned / registry-reserved prefixes (`openwop.*`, `core.*`, `community.*`, `vendor.*`, `private.*`, `local.*`) per `host-extensions.md` §\"Canonical prefixes\"."
+        }
+      ]
     },
     "payload": {
       "description": "Event-type-specific payload. Servers MAY validate against per-type schemas; this top-level schema accepts any JSON value.",
@@ -57,7 +65,8 @@
       "maxLength": 128
     }
   },
-  "additionalProperties": false,
+  "$comment": "RFC 0094 §G + COMPATIBILITY.md §\"Schema closure\": RunEventDoc is a SERVER-EMITTED shape, so it is open (`additionalProperties: true`) — v1.x hosts may add optional fields additively without breaking schema-validating clients. Client-submitted shapes stay closed at their outermost composition.",
+  "additionalProperties": true,
   "$defs": {
     "RunEventType": {
       "type": "string",
@@ -157,7 +166,12 @@
         "core.workflowChain.confidence-escalated",
         "connector.authorized",
         "connector.auth_expired",
-        "authorization.decided"
+        "authorization.decided",
+        "proposal.created",
+        "proposal.activated",
+        "goal.evaluated",
+        "goal.closed",
+        "import.applied"
       ]
     }
   }

package/schemas/run-options.schema.json

@@ -2,7 +2,7 @@
   "$schema": "https://json-schema.org/draft/2020-12/schema",
   "$id": "https://openwop.dev/spec/v1/run-options.schema.json",
   "title": "RunOptions",
-  "description": "Per-run parameter overlay supplied by the caller in `POST /v1/runs`. See `run-options.md` for full semantics. Reserved keys are typed; unknown keys in `configurable` pass through to the engine.",
+  "description": "Per-run parameter overlay supplied by the caller in `POST /v1/runs`. See `run-options.md` for full semantics. Reserved keys are typed; unknown keys in `configurable` pass through to the engine. RFC 0094 §A: this schema is OPEN at its own root (no `additionalProperties: false`) because it participates in the composed `createRun` request body in `api/openapi.yaml`; the closure (`unevaluatedProperties: false`) lives at that composition site, the only place JSON Schema 2020-12 can express closure over an `allOf`.",
   "type": "object",
   "properties": {
     "configurable": {
@@ -21,7 +21,6 @@
       "description": "Free-form caller metadata. Persisted on the run doc; surfaces back via `RunSnapshot.metadata`. Server MAY enforce a serialized-size limit (recommended: 50KB)."
     }
   },
-  "additionalProperties": false,
   "$defs": {
     "Configurable": {
       "type": "object",

package/schemas/run-snapshot.schema.json

@@ -28,9 +28,10 @@
         "waiting-external",
         "completed",
         "failed",
+        "cancelling",
         "cancelled"
       ],
-      "description": "Current run state. `waiting-external` MUST be used when the suspended interrupt's `kind` is `external-event` per `interrupt-profiles.md §openwop-interrupt-external-event` — distinguishes external-event waits from HITL waits at the wire level. Forward-compat: future statuses MAY be added; readers SHOULD treat unknown values as terminal-unknown rather than throw."
+      "description": "Current run state. `waiting-external` MUST be used when the suspended interrupt's `kind` is `external-event` per `interrupt-profiles.md §openwop-interrupt-external-event` — distinguishes external-event waits from HITL waits at the wire level. `cancelling` (RFC 0094 §B) is the transitional state between a cancel request being accepted and the terminal `cancelled` — `rest-endpoints.md` and the OpenAPI cancel responses already document the transition; a snapshot read during the cancel cascade carries it. Forward-compat: future statuses MAY be added; readers SHOULD treat unknown values as terminal-unknown rather than throw."
     },
     "owner": {
       "type": "object",

package/schemas/suspend-request.schema.json

@@ -76,6 +76,11 @@
           "type": "string",
           "enum": ["single-veto", "majority"],
           "default": "single-veto"
+        },
+        "overrideBypassesQuorum": {
+          "type": "boolean",
+          "default": false,
+          "description": "RFC 0093 §D2 (pins RFC 0051 UQ 2). When `true`, a configured override principal (per `interrupt-profiles.md` §approval-gate `override.requiredRole`) MAY bypass the quorum (`requiredApprovals`) and release the gate alone. Default `false`: an override principal's approval counts as ONE quorum vote; quorum still applies. Optional, additive."
         }
       }
     },

package/src/scenarios/connection-pack-manifest-valid.test.ts

@@ -0,0 +1,122 @@
+/**
+ * Connection-pack manifest validity — `connection-packs.md` §Manifest clauses 1/3
+ * + `schemas/connection-pack-manifest.schema.json` (RFC 0095 §A).
+ *
+ * Always-on, server-free schema probe. Exercises the new
+ * `connection-pack-manifest.schema.json` with the canonical positive fixture
+ * and the kind-discriminator negatives:
+ *
+ *   1. Positive: the `connection-pack-github` fixture (a complete `kind:
+ *      "connection"` manifest, MCP reach) validates cleanly.
+ *   2. Capability shape: `capabilities.schema.json` declares
+ *      `connections.packsSupported` (RFC 0095 §C).
+ *   3. Negative — kind discriminator: the same manifest with `kind: "node"`
+ *      is rejected (`const` violation) — the discriminator routes a
+ *      connection manifest away from the other pack schemas.
+ *   4. Negative — kind/contents mixing: a manifest carrying BOTH `provider`
+ *      AND `nodes[]` is rejected. Surface-level outcome at the registry is
+ *      `pack_kind_invalid` per `node-packs.md` §"Pack kinds"; schema-level
+ *      outcome is an `additionalProperties` violation on `nodes`.
+ *   5. Negative — non-https token endpoint: `http://` is rejected with a
+ *      `pattern` violation (clause 3).
+ *   6. Positive — a SemVer prerelease `version` (`1.0.0-alpha.1`) is
+ *      schema-VALID: prerelease *precedence* (clause 6, SemVer §11) is a
+ *      host resolution concern, not a manifest-shape constraint.
+ *
+ * Behavioral resolution legs live in `connection-provider-resolution.test.ts`
+ * (capability-gated on `capabilities.connections.packsSupported`).
+ *
+ * @see spec/v1/connection-packs.md
+ * @see schemas/connection-pack-manifest.schema.json
+ * @see RFCS/0095-connection-packs-portable-provider-definitions.md
+ */
+
+import { describe, it, expect } from 'vitest';
+import { readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import Ajv2020 from 'ajv/dist/2020.js';
+import addFormats from 'ajv-formats';
+import type { ErrorObject } from 'ajv';
+import { SCHEMAS_DIR, FIXTURES_DIR } from '../lib/paths.js';
+
+const SCHEMA_PATH = join(SCHEMAS_DIR, 'connection-pack-manifest.schema.json');
+const FIXTURE_PATH = join(FIXTURES_DIR, 'connection-packs', 'connection-pack-github.json');
+
+type Manifest = Record<string, unknown> & {
+  provider: Record<string, unknown> & { auth: Record<string, unknown> };
+};
+
+function fixture(): Manifest {
+  return JSON.parse(readFileSync(FIXTURE_PATH, 'utf8')) as Manifest;
+}
+
+describe('category: connection-pack manifest validation (RFC 0095 §A)', () => {
+  const ajv = new Ajv2020({ allErrors: true, strict: false });
+  addFormats(ajv);
+  const schema = JSON.parse(readFileSync(SCHEMA_PATH, 'utf8'));
+  const validate = ajv.compile(schema);
+
+  const failsWith = (manifest: unknown, keyword: string): ErrorObject[] => {
+    const ok = validate(manifest);
+    expect(ok).toBe(false);
+    return (validate.errors ?? []).filter((e) => e.keyword === keyword);
+  };
+
+  it('positive: the connection-pack-github fixture validates cleanly', () => {
+    expect(
+      validate(fixture()),
+      `connection-packs.md §Manifest clause 1: a well-formed kind:"connection" manifest MUST validate. Errors: ${JSON.stringify(validate.errors)}`,
+    ).toBe(true);
+  });
+
+  it('capabilities.schema.json declares connections.packsSupported (RFC 0095 §C)', () => {
+    const caps = JSON.parse(readFileSync(join(SCHEMAS_DIR, 'capabilities.schema.json'), 'utf8')) as {
+      properties?: Record<string, { properties?: Record<string, unknown>; required?: string[] }>;
+    };
+    const connections = caps.properties?.connections;
+    expect(connections, 'capabilities.md §connections — the connections block MUST be declared').toBeDefined();
+    expect(
+      connections?.properties?.packsSupported,
+      'RFC 0095 §C — connections.packsSupported MUST be declared',
+    ).toBeDefined();
+  });
+
+  it('negative: the kind discriminator routes other kinds away (kind: "node" rejected)', () => {
+    const m = { ...fixture(), kind: 'node' };
+    const errs = failsWith(m, 'const');
+    expect(
+      errs.length,
+      'connection-packs.md §Manifest clause 1: kind MUST be the const "connection"',
+    ).toBeGreaterThan(0);
+  });
+
+  it('negative: a manifest mixing provider and nodes[] is rejected (pack_kind_invalid at the registry)', () => {
+    const m = {
+      ...fixture(),
+      nodes: [{ typeId: 'vendor.acme.x', version: '1.0.0', category: 'data', role: 'pure' }],
+    };
+    const errs = failsWith(m, 'additionalProperties');
+    expect(
+      errs.some((e) => (e.params as { additionalProperty?: string }).additionalProperty === 'nodes'),
+      'node-packs.md §"Pack kinds": one kind per pack — a foreign `nodes[]` field MUST be rejected (additionalProperties:false)',
+    ).toBe(true);
+  });
+
+  it('negative: a non-https token endpoint is rejected (clause 3)', () => {
+    const m = fixture();
+    (m.provider.auth.endpoints as Record<string, string>).token = 'http://example.com/token';
+    const errs = failsWith(m, 'pattern');
+    expect(
+      errs.length,
+      'connection-packs.md §Manifest clause 3: auth endpoints MUST be absolute https:// URLs',
+    ).toBeGreaterThan(0);
+  });
+
+  it('positive: a SemVer prerelease version is schema-valid (precedence is a host concern, clause 6)', () => {
+    const m = { ...fixture(), version: '1.0.0-alpha.1' };
+    expect(
+      validate(m),
+      `connection-packs.md §Manifest clause 6: prerelease ordering is resolution-time SemVer §11, not manifest shape. Errors: ${JSON.stringify(validate.errors)}`,
+    ).toBe(true);
+  });
+});

package/src/scenarios/connection-pack-no-credential-material.test.ts

@@ -0,0 +1,125 @@
+/**
+ * Connection packs carry NO credential material — `connection-packs.md`
+ * §Manifest clause 2 (RFC 0095 §B.2). Public test for the protocol-tier
+ * SECURITY invariant `connection-pack-no-credential-material`.
+ *
+ * Two layers:
+ *
+ *   A. Always-on, server-free schema probe — every name on the normative
+ *      minimum blocklist (`clientSecret`, `client_secret`, `apiKey`,
+ *      `api_key`, `token`, `accessToken`, `refreshToken`, `password`,
+ *      `privateKey`, `secret`), injected at the manifest root, under
+ *      `provider`, and under `provider.auth`, is rejected by
+ *      `connection-pack-manifest.schema.json` (`additionalProperties:false`
+ *      everywhere — the schema layer never admits a secret-named field).
+ *      The single normative EXEMPTION — the property named `token` at
+ *      exactly `provider.auth.endpoints.token` (the OAuth token-endpoint
+ *      URL) — IS schema-valid.
+ *
+ *   B. Capability-gated behavioral leg — on a host advertising
+ *      `capabilities.connections.packsSupported: true` that exposes the
+ *      `POST /v1/host/sample/connection-packs/install` test seam
+ *      (`host-sample-test-seams.md`), installing a manifest that carries
+ *      `clientSecret` MUST be rejected with the SPECIFIC error code
+ *      `connection_pack_credential_material` — not a generic schema-shape
+ *      error — because clause 2 requires the credential-material scan to
+ *      run BEFORE generic schema validation. Hosts without the seam
+ *      soft-skip (404); unadvertised hosts skip via the behavior gate.
+ *
+ * @see spec/v1/connection-packs.md
+ * @see SECURITY/invariants.yaml id: connection-pack-no-credential-material
+ * @see RFCS/0095-connection-packs-portable-provider-definitions.md
+ */
+
+import { describe, it, expect } from 'vitest';
+import { readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import Ajv2020 from 'ajv/dist/2020.js';
+import addFormats from 'ajv-formats';
+import { SCHEMAS_DIR, FIXTURES_DIR } from '../lib/paths.js';
+import { driver } from '../lib/driver.js';
+import { behaviorGate } from '../lib/behavior-gate.js';
+import { readCapabilityFamily } from '../lib/discovery-capabilities.js';
+
+const SCHEMA_PATH = join(SCHEMAS_DIR, 'connection-pack-manifest.schema.json');
+const FIXTURE_PATH = join(FIXTURES_DIR, 'connection-packs', 'connection-pack-github.json');
+
+const BLOCKLIST = [
+  'clientSecret',
+  'client_secret',
+  'apiKey',
+  'api_key',
+  'token',
+  'accessToken',
+  'refreshToken',
+  'password',
+  'privateKey',
+  'secret',
+] as const;
+
+type Manifest = Record<string, unknown> & {
+  provider: Record<string, unknown> & { auth: Record<string, unknown> };
+};
+
+function fixture(): Manifest {
+  return JSON.parse(readFileSync(FIXTURE_PATH, 'utf8')) as Manifest;
+}
+
+describe('connection-pack-no-credential-material: schema layer (always-on, server-free)', () => {
+  const ajv = new Ajv2020({ allErrors: true, strict: false });
+  addFormats(ajv);
+  const validate = ajv.compile(JSON.parse(readFileSync(SCHEMA_PATH, 'utf8')));
+
+  it('every blocklisted property name is schema-rejected at the root, provider, and auth levels', () => {
+    for (const name of BLOCKLIST) {
+      const atRoot = { ...fixture(), [name]: 'xxx' };
+      const atProvider = fixture();
+      (atProvider.provider as Record<string, unknown>)[name] = 'xxx';
+      const atAuth = fixture();
+      (atAuth.provider.auth as Record<string, unknown>)[name] = 'xxx';
+      for (const [where, m] of [['root', atRoot], ['provider', atProvider], ['provider.auth', atAuth]] as const) {
+        expect(
+          validate(m),
+          `SECURITY invariant connection-pack-no-credential-material — a property named "${name}" at ${where} MUST NOT validate (additionalProperties:false)`,
+        ).toBe(false);
+      }
+    }
+  });
+
+  it('the exemption: provider.auth.endpoints.token (the token-endpoint URL) IS valid', () => {
+    const m = fixture();
+    expect(
+      typeof (m.provider.auth.endpoints as Record<string, string>).token,
+      'fixture sanity — the github fixture declares the token endpoint',
+    ).toBe('string');
+    expect(
+      validate(m),
+      `connection-packs.md §Manifest clause 2 — the property named "token" at exactly provider.auth.endpoints.token is the OAuth token-endpoint URL and MUST validate. Errors: ${JSON.stringify(validate.errors)}`,
+    ).toBe(true);
+  });
+});
+
+describe('connection-pack-no-credential-material: specific rejection code (capability-gated, RFC 0095 §B.2)', () => {
+  it('installing a manifest carrying clientSecret is rejected with connection_pack_credential_material', async () => {
+    const connections = await readCapabilityFamily<{ packsSupported?: boolean }>('connections');
+    if (!behaviorGate('connections.packsSupported', connections?.packsSupported === true)) return;
+
+    const leaky = fixture();
+    (leaky.provider.auth as Record<string, unknown>).clientSecret = 'ghs_conformance_canary';
+    const res = await driver.post('/v1/host/sample/connection-packs/install', { manifest: leaky });
+    if (res.status === 404 || res.status === 403) return; // seam unwired — soft-skip
+
+    const body = res.json as { installed?: boolean; errors?: Array<{ code?: string }> } | undefined;
+    expect(
+      body?.installed,
+      driver.describe('connection-packs.md §Manifest clause 2', 'a manifest carrying credential material MUST NOT install'),
+    ).toBe(false);
+    expect(
+      (body?.errors ?? []).some((e) => e.code === 'connection_pack_credential_material'),
+      driver.describe(
+        'connection-packs.md §Manifest clause 2',
+        'the credential-material scan runs BEFORE generic schema validation — the SPECIFIC code connection_pack_credential_material MUST surface, not a generic shape error',
+      ),
+    ).toBe(true);
+  });
+});

package/src/scenarios/connection-pack-reach-exclusive.test.ts

@@ -0,0 +1,85 @@
+/**
+ * Connection-pack reach exclusivity — `connection-packs.md` §Manifest clause 5
+ * (RFC 0095 §B.5).
+ *
+ * Always-on, server-free schema probe. `provider.reach` MUST specify exactly
+ * ONE of `mcp` / `openapi` / `integration` — the schema pins this with
+ * `minProperties: 1` + `maxProperties: 1` + `additionalProperties: false`:
+ *
+ *   1. Positive: each of the three reach modes validates alone.
+ *   2. Negative — two modes (`mcp` + `openapi`) → `maxProperties` violation.
+ *   3. Negative — zero modes (`reach: {}`) → `minProperties` violation.
+ *   4. Negative — an unknown mode (`grpc`) → `additionalProperties` violation.
+ *
+ * @see spec/v1/connection-packs.md
+ * @see schemas/connection-pack-manifest.schema.json
+ * @see RFCS/0095-connection-packs-portable-provider-definitions.md
+ */
+
+import { describe, it, expect } from 'vitest';
+import { readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import Ajv2020 from 'ajv/dist/2020.js';
+import addFormats from 'ajv-formats';
+import type { ErrorObject } from 'ajv';
+import { SCHEMAS_DIR, FIXTURES_DIR } from '../lib/paths.js';
+
+const SCHEMA_PATH = join(SCHEMAS_DIR, 'connection-pack-manifest.schema.json');
+const FIXTURE_PATH = join(FIXTURES_DIR, 'connection-packs', 'connection-pack-github.json');
+
+const MCP = { mcp: { server: { url: 'https://api.githubcopilot.com/mcp/', transport: 'http' } } };
+const OPENAPI = { openapi: { ref: 'https://api.github.com/openapi.json' } };
+const INTEGRATION = { integration: { node: 'core.openwop.integration.github' } };
+
+type Manifest = Record<string, unknown> & { provider: Record<string, unknown> };
+
+function withReach(reach: Record<string, unknown>): Manifest {
+  const m = JSON.parse(readFileSync(FIXTURE_PATH, 'utf8')) as Manifest;
+  m.provider.reach = reach;
+  return m;
+}
+
+describe('connection-pack-reach-exclusive (RFC 0095 §B.5)', () => {
+  const ajv = new Ajv2020({ allErrors: true, strict: false });
+  addFormats(ajv);
+  const validate = ajv.compile(JSON.parse(readFileSync(SCHEMA_PATH, 'utf8')));
+
+  const failsWith = (manifest: unknown, keyword: string): ErrorObject[] => {
+    const ok = validate(manifest);
+    expect(ok).toBe(false);
+    return (validate.errors ?? []).filter((e) => e.keyword === keyword);
+  };
+
+  it('positive: each reach mode validates alone', () => {
+    for (const reach of [MCP, OPENAPI, INTEGRATION]) {
+      expect(
+        validate(withReach(reach)),
+        `connection-packs.md §Manifest clause 5: a single reach mode (${Object.keys(reach)[0]}) MUST validate. Errors: ${JSON.stringify(validate.errors)}`,
+      ).toBe(true);
+    }
+  });
+
+  it('negative: two reach modes are rejected (maxProperties:1)', () => {
+    const errs = failsWith(withReach({ ...MCP, ...OPENAPI }), 'maxProperties');
+    expect(
+      errs.length,
+      'connection-packs.md §Manifest clause 5: reach MUST specify exactly one of mcp/openapi/integration',
+    ).toBeGreaterThan(0);
+  });
+
+  it('negative: an empty reach is rejected (minProperties:1)', () => {
+    const errs = failsWith(withReach({}), 'minProperties');
+    expect(
+      errs.length,
+      'connection-packs.md §Manifest clause 5: reach MUST declare a mode — an empty object is invalid',
+    ).toBeGreaterThan(0);
+  });
+
+  it('negative: an unknown reach mode is rejected (additionalProperties:false)', () => {
+    const errs = failsWith(withReach({ grpc: { url: 'https://example.com' } }), 'additionalProperties');
+    expect(
+      errs.some((e) => (e.params as { additionalProperty?: string }).additionalProperty === 'grpc'),
+      'connection-packs.md §Manifest clause 5: the reach vocabulary is closed (mcp | openapi | integration)',
+    ).toBe(true);
+  });
+});

package/src/scenarios/connection-pack-write-reconsent.test.ts

@@ -0,0 +1,91 @@
+/**
+ * Connection-pack write re-consent — `connection-packs.md` §Manifest clause 4
+ * (RFC 0095 §B.4) — behavioral.
+ *
+ * Capability-gated on `capabilities.connections.packsSupported: true`
+ * (soft-skips when unadvertised; hard-fails under
+ * `OPENWOP_REQUIRE_BEHAVIOR=true`). Drives the
+ * `POST /v1/host/sample/connection-packs/consent-plan` test seam
+ * (`host-sample-test-seams.md`); hosts that haven't wired the seam
+ * soft-skip (404).
+ *
+ * For a `scopeModel: "groups"` oauth2 provider, requesting read AND write
+ * scope groups MUST plan write as a SEPARATE consent step — a host MUST NOT
+ * bundle write scopes into the initial read authorization (composes with the
+ * RFC 0047 write-re-consent pattern):
+ *
+ *   1. The plan has ≥ 2 steps when both read and write groups are requested.
+ *   2. The FIRST (initial) authorization step carries no write scope group.
+ *   3. A read-only request plans a single step (no spurious re-consent).
+ *
+ * @see spec/v1/connection-packs.md
+ * @see spec/v1/host-sample-test-seams.md
+ * @see RFCS/0095-connection-packs-portable-provider-definitions.md
+ */
+
+import { describe, it, expect } from 'vitest';
+import { readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import { FIXTURES_DIR } from '../lib/paths.js';
+import { driver } from '../lib/driver.js';
+import { behaviorGate } from '../lib/behavior-gate.js';
+import { readCapabilityFamily } from '../lib/discovery-capabilities.js';
+
+const FIXTURE_PATH = join(FIXTURES_DIR, 'connection-packs', 'connection-pack-github.json');
+
+interface ConsentStep {
+  groups?: Array<{ key?: string; access?: 'read' | 'write' }>;
+  includesWrite?: boolean;
+}
+
+interface ConsentPlan {
+  steps?: ConsentStep[];
+}
+
+describe('connection-pack-write-reconsent (RFC 0095 §B.4)', () => {
+  it('write scope groups are a separate consent step, never bundled into the initial read authorization', async () => {
+    const connections = await readCapabilityFamily<{ packsSupported?: boolean }>('connections');
+    if (!behaviorGate('connections.packsSupported', connections?.packsSupported === true)) return;
+
+    const manifest = JSON.parse(readFileSync(FIXTURE_PATH, 'utf8')) as Record<string, unknown>;
+    await driver.post('/v1/host/sample/connection-packs/install', { manifest });
+
+    const res = await driver.post('/v1/host/sample/connection-packs/consent-plan', {
+      provider: 'github',
+      requested: ['read', 'write'],
+    });
+    if (res.status === 404 || res.status === 403) return; // seam unwired — soft-skip
+
+    const plan = res.json as ConsentPlan | undefined;
+    const steps = plan?.steps ?? [];
+    expect(
+      steps.length >= 2,
+      driver.describe(
+        'connection-packs.md §Manifest clause 4',
+        'requesting read + write scope groups MUST plan write as a SEPARATE consent step (≥ 2 steps)',
+      ),
+    ).toBe(true);
+    const first = steps[0] ?? {};
+    const firstHasWrite =
+      first.includesWrite === true || (first.groups ?? []).some((g) => g.access === 'write');
+    expect(
+      firstHasWrite,
+      driver.describe(
+        'connection-packs.md §Manifest clause 4',
+        'the INITIAL authorization step MUST NOT bundle write scopes',
+      ),
+    ).toBe(false);
+
+    const readOnly = await driver.post('/v1/host/sample/connection-packs/consent-plan', {
+      provider: 'github',
+      requested: ['read'],
+    });
+    if (readOnly.status !== 404 && readOnly.status !== 403) {
+      const roSteps = (readOnly.json as ConsentPlan | undefined)?.steps ?? [];
+      expect(
+        roSteps.length,
+        driver.describe('connection-packs.md §Manifest clause 4', 'a read-only request plans a single consent step'),
+      ).toBe(1);
+    }
+  });
+});