@openwop/openwop-conformance 1.24.0 → 1.25.0

package/schemas/capabilities.schema.json

@@ -1514,7 +1514,31 @@
             "backoff": { "type": "string", "enum": ["none", "fixed", "exponential"], "description": "Backoff strategy between attempts." }
           }
         },
-        "sources": { "type": "array", "uniqueItems": true, "items": { "type": "string", "enum": ["webhook", "schedule", "queue", "email", "form"] }, "description": "Which trigger sources bridge uniformly. A source listed here MUST have a registerable `TriggerSubscription` driven through the four-state machine AND emit the two `trigger.*` events for that source — the list MUST NOT over-claim a source the host has as a feature but does not wire as a durable trigger subscription. A consumer MUST tolerate any subset." }
+        "sources": { "type": "array", "uniqueItems": true, "items": { "type": "string", "enum": ["webhook", "schedule", "queue", "email", "form"] }, "description": "Which trigger sources bridge uniformly. A source listed here MUST have a registerable `TriggerSubscription` driven through the four-state machine AND emit the two `trigger.*` events for that source — the list MUST NOT over-claim a source the host has as a feature but does not wire as a durable trigger subscription. A consumer MUST tolerate any subset." },
+        "ingestion": {
+          "type": "object",
+          "additionalProperties": false,
+          "description": "RFC 0099 §F.3 (additive). External-event ingestion advertisement — which of `sources[]` the host actually ingests from EXTERNALLY-originated events (`webhook`/`email`/`form`), normalizing each to a `TriggerEvent` (`trigger-event.schema.json`) and starting a run. Absent ⇒ the host does NOT externally-ingest (today's behavior — schedule/queue only). A source in `externalSources[]` MUST actually accept an external event, normalize it, and start a run — over-claiming is a dishonest advertisement. A consumer MUST tolerate any subset.",
+          "properties": {
+            "externalSources": { "type": "array", "uniqueItems": true, "items": { "type": "string", "enum": ["webhook", "email", "form"] }, "description": "Which of `sources[]` are EXTERNALLY ingested per RFC 0099. The honesty gate — each MUST normalize to a `TriggerEvent` and start a run." },
+            "maxBodyBytes": { "type": "integer", "minimum": 1, "description": "Inbound body cap (webhook body / email / form), reusing the RFC 0076 §B response-cap discipline." },
+            "verification": { "type": "array", "uniqueItems": true, "items": { "type": "string", "enum": ["webhook-signature", "email-dmarc", "form-origin"] }, "description": "Which source-authenticity checks the host performs. An advertised check MUST actually be performed (RFC 0099 §F.3 / UQ1)." },
+            "registrationEndpoint": { "type": "boolean", "description": "`true` ⇒ the host serves `POST /v1/trigger-subscriptions` (RFC 0099 §F.2) for portable external-event subscription creation." }
+          }
+        }
+      }
+    },
+    "a2a": {
+      "type": "object",
+      "additionalProperties": false,
+      "description": "RFC 0100 (`Active`). The host exposes itself as an A2A (Agent2Agent) agent. `supported: true` alone ⇒ the SYNCHRONOUS `message/send` → poll `tasks/get` round-trip already specified by `a2a-integration.md` (today's behavior — no regression). The optional `streaming`/`pushNotifications`/`durableTasks` flags gate the RFC 0100 async/durable additions (resubscribe re-attach, push config, persisted `A2ATaskState` so `tasks/get` returns live state after disconnect). Absent block ⇒ no A2A advertisement.",
+      "required": ["supported", "agentCardUrl"],
+      "properties": {
+        "supported": { "type": "boolean", "description": "Host exposes itself as an A2A agent." },
+        "agentCardUrl": { "type": "string", "format": "uri", "description": "The A2A 0.3 well-known agent card URL (`/.well-known/agent-card.json`)." },
+        "streaming": { "type": "boolean", "description": "Host supports `message/stream` + `tasks/resubscribe` (A2A `capabilities.streaming`). Gates the RFC 0100 §3 resubscribe re-attach." },
+        "pushNotifications": { "type": "boolean", "description": "Host supports A2A push-notification config (A2A `capabilities.push_notifications`). Gates the RFC 0100 §4 push contract; a caller-supplied `pushConfig.url` is SSRF-validated (`a2a-push-egress-ssrf`)." },
+        "durableTasks": { "type": "boolean", "description": "RFC 0100 §2. Host PERSISTS the projected Task (`A2ATaskState`) per backing run; `tasks/get` returns live state after disconnect. Absent/false ⇒ synchronous round-trip only." }
       }
     },
     "budget": {

package/schemas/trigger-event.schema.json

@@ -0,0 +1,149 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://openwop.dev/spec/v1/trigger-event.schema.json",
+  "title": "TriggerEvent",
+  "description": "RFC 0099 §F.1. The normalized external-event envelope a host hands a started run as `ctx.triggerData` when an externally-originated event (`webhook`/`email`/`form`) is delivered to an `active` TriggerSubscription (RFC 0083). This is an IN-RUN payload only — it never appears on the durable event log; the `trigger.delivery.attempted` event stays content-free (RFC 0083 §C / SECURITY `trigger-ingestion-content-redaction`). A TriggerEvent carries exactly the per-source sub-object matching its `source`. All content is `untrusted` (SECURITY `threat-model-prompt-injection.md`).",
+  "type": "object",
+  "additionalProperties": false,
+  "required": ["source", "subscriptionId", "deliveryId", "receivedAt"],
+  "properties": {
+    "source": {
+      "type": "string",
+      "enum": ["webhook", "email", "form"],
+      "description": "Which external source originated the event. A TriggerEvent MUST carry exactly the per-source sub-object matching this value and MUST NOT carry the others (RFC 0099 §F.1)."
+    },
+    "subscriptionId": {
+      "type": "string",
+      "minLength": 1,
+      "description": "The RFC 0083 §B subscription this event was delivered to."
+    },
+    "deliveryId": {
+      "type": "string",
+      "minLength": 1,
+      "description": "Stable per-delivery id; equals the `causationId` stamped on `run.started` (RFC 0083 §C-3 / RFC 0040)."
+    },
+    "dedupKey": {
+      "type": "string",
+      "description": "The host-opaque dedup key (RFC 0083 §C-1). Present iff the subscription's `dedupEnabled`. MUST NOT embed inbound body/header content in cleartext (SECURITY `trigger-ingestion-content-redaction`)."
+    },
+    "receivedAt": {
+      "type": "string",
+      "format": "date-time",
+      "description": "When the host received the external event."
+    },
+    "verified": {
+      "type": "boolean",
+      "description": "Whether the host verified the source's authenticity (webhook signature / email DMARC / form CSRF+origin) before delivery per the subscription's `verification` policy (RFC 0099 §F.2). A run MUST be able to gate on this."
+    },
+    "contentTrust": {
+      "type": "string",
+      "enum": ["untrusted"],
+      "description": "Always `untrusted`. Inbound external content reaching an LLM node MUST be wrapped per `threat-model-prompt-injection.md` §UNTRUSTED; a TriggerEvent MUST NOT directly advance a HITL approval gate (the `prompt-injection-mcp-no-approval` invariant generalizes)."
+    },
+    "webhook": { "$ref": "#/$defs/WebhookEvent" },
+    "email": { "$ref": "#/$defs/EmailEvent" },
+    "form": { "$ref": "#/$defs/FormEvent" }
+  },
+  "allOf": [
+    {
+      "description": "RFC 0099 §F.1 — a TriggerEvent MUST carry exactly the per-source sub-object matching its `source` and MUST NOT carry the others.",
+      "if": { "properties": { "source": { "const": "webhook" } } },
+      "then": { "not": { "anyOf": [{ "required": ["email"] }, { "required": ["form"] }] } }
+    },
+    {
+      "if": { "properties": { "source": { "const": "email" } } },
+      "then": { "not": { "anyOf": [{ "required": ["webhook"] }, { "required": ["form"] }] } }
+    },
+    {
+      "if": { "properties": { "source": { "const": "form" } } },
+      "then": { "not": { "anyOf": [{ "required": ["webhook"] }, { "required": ["email"] }] } }
+    }
+  ],
+  "$defs": {
+    "WebhookEvent": {
+      "type": "object",
+      "additionalProperties": false,
+      "description": "Present iff `source == \"webhook\"`.",
+      "properties": {
+        "method": { "type": "string", "enum": ["POST", "PUT", "PATCH"] },
+        "headers": {
+          "type": "object",
+          "additionalProperties": { "type": "string" },
+          "description": "Host-allowlisted headers only — a host MUST NOT pass through `Authorization`, `Cookie`, `Proxy-Authorization`, or any header carrying credential material (RFC 0099 §F.1 / SECURITY `trigger-ingestion-content-redaction`)."
+        },
+        "body": {
+          "description": "The parsed JSON body, or a string for non-JSON. Bounded by `triggerBridge.ingestion.maxBodyBytes`."
+        }
+      }
+    },
+    "EmailEvent": {
+      "type": "object",
+      "additionalProperties": false,
+      "description": "Present iff `source == \"email\"`.",
+      "properties": {
+        "from": { "type": "string" },
+        "to": { "type": "array", "items": { "type": "string" } },
+        "subject": { "type": "string" },
+        "text": { "type": "string" },
+        "html": { "type": "string" },
+        "attachments": { "type": "array", "items": { "$ref": "#/$defs/AttachmentRef" } }
+      }
+    },
+    "FormEvent": {
+      "type": "object",
+      "additionalProperties": false,
+      "description": "Present iff `source == \"form\"`.",
+      "properties": {
+        "fields": { "type": "object", "additionalProperties": true, "description": "The submitted field map." },
+        "files": { "type": "array", "items": { "$ref": "#/$defs/AttachmentRef" } }
+      }
+    },
+    "AttachmentRef": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": ["ref"],
+      "description": "A host-internal opaque handle to a resolved attachment/upload — NEVER a raw external URL the run is expected to fetch itself (RFC 0099 §F.1/§F.4). The host resolves and ingests attachments through its SSRF guard (SECURITY `trigger-ingestion-ssrf`), then hands the run an internal ref.",
+      "properties": {
+        "ref": {
+          "type": "string",
+          "minLength": 1,
+          "description": "A host-internal opaque handle (e.g. a `host.blobStorage` key)."
+        },
+        "filename": { "type": "string" },
+        "mediaType": { "type": "string" },
+        "bytes": { "type": "integer", "minimum": 0 }
+      }
+    }
+  },
+  "examples": [
+    {
+      "source": "email",
+      "subscriptionId": "sub_7",
+      "deliveryId": "dlv_a1b2",
+      "dedupKey": "msgid:abc@in.example.com",
+      "receivedAt": "2026-06-13T18:04:11Z",
+      "verified": true,
+      "contentTrust": "untrusted",
+      "email": {
+        "from": "customer@example.org",
+        "to": ["triage-support+sub_7@in.example.com"],
+        "subject": "Cannot log in",
+        "text": "I keep getting a 403.",
+        "attachments": [{ "ref": "blob_a1", "filename": "screenshot.png", "mediaType": "image/png", "bytes": 20481 }]
+      }
+    },
+    {
+      "source": "webhook",
+      "subscriptionId": "sub_9",
+      "deliveryId": "dlv_c3d4",
+      "receivedAt": "2026-06-13T18:10:00Z",
+      "verified": true,
+      "contentTrust": "untrusted",
+      "webhook": {
+        "method": "POST",
+        "headers": { "X-Event-Type": "issue.created" },
+        "body": { "issue": { "id": 42, "title": "Bug" } }
+      }
+    }
+  ]
+}

package/schemas/trigger-subscription-registration.schema.json

@@ -0,0 +1,67 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://openwop.dev/spec/v1/trigger-subscription-registration.schema.json",
+  "title": "TriggerSubscriptionRegistration",
+  "description": "RFC 0099 §F.2. The portable create request for an external-event trigger subscription, served by `POST /v1/trigger-subscriptions`. Binds an external source (`webhook`/`email`/`form`) to a Workflow to start, with a dedup config and a source-authenticity verification policy. This is the unified create surface RFC 0083 UQ1 left per-source. The response returns the created `TriggerSubscription` (RFC 0083 §B) plus a source-specific `binding`; the binding secret/URL is returned ONCE at creation and is not re-fetchable in cleartext (SR-1).",
+  "type": "object",
+  "additionalProperties": false,
+  "required": ["source", "workflowId"],
+  "properties": {
+    "source": {
+      "type": "string",
+      "enum": ["webhook", "email", "form"],
+      "description": "The external source this subscription ingests. MUST appear in the host's `capabilities.triggerBridge.ingestion.externalSources[]`."
+    },
+    "workflowId": {
+      "type": "string",
+      "minLength": 1,
+      "description": "The Workflow a delivered event starts (the run's `workflowId`). MUST resolve under the caller's RFC 0048 owner triple — a registration MUST NOT bind a workflow the caller cannot start (RFC 0049 scope check)."
+    },
+    "dedupEnabled": {
+      "type": "boolean",
+      "default": true,
+      "description": "Per RFC 0083 §C-1. Defaults true for external sources — at-least-once inbound delivery without dedup is a footgun."
+    },
+    "retryPolicy": {
+      "type": "object",
+      "additionalProperties": false,
+      "description": "Delivery retry policy (RFC 0083 §C-2). Same shape as `trigger-subscription.schema.json#/properties/retryPolicy`. On exhaustion the delivery transitions to `dead-lettered` (RFC 0053).",
+      "properties": {
+        "maxAttempts": { "type": "integer", "minimum": 1, "description": "Maximum delivery attempts before dead-lettering." },
+        "backoff": { "type": "string", "enum": ["none", "fixed", "exponential"], "description": "Backoff strategy between attempts." }
+      }
+    },
+    "verification": {
+      "type": "object",
+      "additionalProperties": false,
+      "description": "Source-authenticity policy. The host MUST verify per this policy BEFORE delivery and stamp `TriggerEvent.verified`; an event failing a `required` verification MUST NOT start a run (it transitions `trigger.delivery.attempted{outcome:'dead-lettered'}` with `trigger.subscription.state.changed.reason:'signature-invalid'`).",
+      "properties": {
+        "mode": {
+          "type": "string",
+          "enum": ["required", "best-effort", "none"],
+          "default": "required",
+          "description": "`required`: an unverified event is dead-lettered, no run. `best-effort`: the host verifies when it can and stamps `verified` accordingly but still delivers. `none`: no verification."
+        }
+      }
+    },
+    "inputMapping": {
+      "type": "object",
+      "additionalProperties": true,
+      "description": "OPTIONAL host-extension hint mapping `TriggerEvent` fields onto the workflow's `inputs`. Non-normative shape (host-specific); absent ⇒ the run receives the whole `TriggerEvent` as `ctx.triggerData`."
+    }
+  },
+  "examples": [
+    {
+      "source": "email",
+      "workflowId": "triage-support",
+      "dedupEnabled": true,
+      "verification": { "mode": "required" }
+    },
+    {
+      "source": "webhook",
+      "workflowId": "ingest-jira-issue",
+      "verification": { "mode": "required" },
+      "retryPolicy": { "maxAttempts": 5, "backoff": "exponential" }
+    }
+  ]
+}

package/src/lib/profiles.ts

@@ -236,15 +236,18 @@ export function isMemory(c: DiscoveryPayload): boolean {
 }
 
 /**
- * `openwop-trigger-bridge` predicate (RFC 0083). Host composes the durable
- * inbound-work contract: advertises the `triggerBridge`, has a `deadLetter`
- * sink for exhausted deliveries, and has at least one durable inbound source
- * (queue bus, durable webhooks, or scheduling). Capability families are
+ * `openwop-trigger-bridge` predicate (RFC 0083, widened by RFC 0099). Host
+ * composes the durable inbound-work contract: advertises the `triggerBridge`,
+ * has a `deadLetter` sink for exhausted deliveries, and has at least one
+ * durable inbound source (queue bus, durable webhooks, scheduling, OR — per
+ * RFC 0099 — externally-ingested `email`/`form` via
+ * `triggerBridge.ingestion.externalSources[]`). Capability families are
  * document-root properties (RFC 0073), so this reads `c.triggerBridge` /
- * `c.deadLetter` / `c.queueBus` / `c.webhooks` / `c.scheduling`.
+ * `c.deadLetter` / `c.queueBus` / `c.webhooks` / `c.scheduling`. The RFC 0099
+ * widening only ADDS disjuncts — a host already in the profile stays in it.
  *
  * @see spec/v1/profiles.md §`openwop-trigger-bridge`
- * @see spec/v1/trigger-bridge.md
+ * @see spec/v1/trigger-bridge.md §D / §F
  */
 export function isTriggerBridge(c: DiscoveryPayload): boolean {
   if (!isCore(c)) return false;
@@ -253,10 +256,16 @@ export function isTriggerBridge(c: DiscoveryPayload): boolean {
   if (!supported(c.triggerBridge)) return false;
   if (!supported(c.deadLetter)) return false;
   const webhooks = c.webhooks as { durable?: unknown } | undefined;
+  // RFC 0099: an externally-ingested email/form source is a durable inbound
+  // source for the profile (it rides the same four-state machine + dead-letter).
+  const ingestion = (c.triggerBridge as { ingestion?: { externalSources?: unknown } } | undefined)?.ingestion;
+  const externalSources = Array.isArray(ingestion?.externalSources) ? (ingestion!.externalSources as unknown[]) : [];
+  const externalEmailOrForm = externalSources.includes('email') || externalSources.includes('form');
   const durableSource =
     supported(c.queueBus) ||
     supported(c.scheduling) ||
-    (webhooks != null && typeof webhooks === 'object' && webhooks.durable === true);
+    (webhooks != null && typeof webhooks === 'object' && webhooks.durable === true) ||
+    externalEmailOrForm;
   return durableSource;
 }
 

package/src/scenarios/a2a-task-roundtrip.test.ts

@@ -36,12 +36,20 @@
  */
 
 import { describe, it, expect } from 'vitest';
+import { readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import Ajv2020 from 'ajv/dist/2020.js';
+import addFormats from 'ajv-formats';
 import { driver } from '../lib/driver.js';
 import { getA2AFakePeer } from '../lib/a2a-fake-peer.js';
 import { isFixtureAdvertised } from '../lib/fixtures.js';
 import { pollUntilTerminal, pollUntilStatus } from '../lib/polling.js';
+import { SCHEMAS_DIR } from '../lib/paths.js';
+import { behaviorGate } from '../lib/behavior-gate.js';
+import { readCapabilityFamily } from '../lib/discovery-capabilities.js';
 
 const ROUNDTRIP_FIXTURE = 'conformance-a2a-task-roundtrip';
+const HTTP_SKIP = !process.env.OPENWOP_BASE_URL;
 
 /** Resolve the A2A endpoint to probe: real-peer env wins; otherwise the in-process fake. */
 function probePeer(): { url: string; isReal: boolean } | null {
@@ -266,3 +274,131 @@ describe('a2a-task-roundtrip: drift point #4 — REJECTED projects to failed', (
     )).toBe(true);
   });
 });
+
+// ─── RFC 0100: async / durable A2A tasks ──────────────────────────────
+// Capability-shape always-on + durable-get / resubscribe / push-SSRF gated.
+
+describe('a2a-task-roundtrip: A2ATaskState + a2a capability shape (always-on, server-free; RFC 0100)', () => {
+  const ajv = new Ajv2020({ allErrors: true, strict: false });
+  addFormats(ajv);
+  const taskStateSchema = JSON.parse(
+    readFileSync(join(SCHEMAS_DIR, 'a2a-task-state.schema.json'), 'utf8'),
+  );
+  const capabilitiesSchema = JSON.parse(
+    readFileSync(join(SCHEMAS_DIR, 'capabilities.schema.json'), 'utf8'),
+  );
+  const validateTaskState = ajv.compile(taskStateSchema);
+  const a2aBlockSchema = capabilitiesSchema.properties?.a2a;
+
+  it('a conforming A2ATaskState validates with the lowercase-hyphen state enum and taskId == runId', () => {
+    const ok = {
+      taskId: 'run_x',
+      runId: 'run_x',
+      contextId: 'ctx_42',
+      state: 'input-required',
+      interruptKind: 'approval',
+      updatedAt: '2026-06-13T19:00:00Z',
+    };
+    expect(
+      validateTaskState(ok),
+      `a2a-task-state.schema.json MUST accept a conforming record. Errors: ${JSON.stringify(validateTaskState.errors)}`,
+    ).toBe(true);
+  });
+
+  it('an UPPERCASE state fails (the persisted/wire form is the A2A v0.3 lowercase-hyphen variant)', () => {
+    expect(
+      validateTaskState({ taskId: 'r', runId: 'r', state: 'WORKING', updatedAt: '2026-06-13T19:00:00Z' }),
+      'a2a-integration.md spelling-drift note — the persisted A2ATaskState.state MUST be the lowercase-hyphen form',
+    ).toBe(false);
+  });
+
+  it('an A2ATaskState carrying run inputs/artifacts inline fails (additionalProperties:false; SR-1)', () => {
+    expect(
+      validateTaskState({
+        taskId: 'r',
+        runId: 'r',
+        state: 'completed',
+        updatedAt: '2026-06-13T19:00:00Z',
+        inputs: { secret: 'x' },
+      }),
+      'SECURITY a2a-push-egress-ssrf / SR-1 — the persisted record MUST NOT carry run inputs/outputs/artifacts inline',
+    ).toBe(false);
+  });
+
+  it('a PushConfig requires `url` and structurally rejects a raw (non-truncated) push token', () => {
+    const validatePush = ajv.compile({
+      $ref: 'https://openwop.dev/spec/v1/a2a-task-state.schema.json#/$defs/PushConfig',
+      $defs: taskStateSchema.$defs,
+    });
+    expect(validatePush({ tokenFingerprint: 'a1b2' }), 'PushConfig MUST require `url`').toBe(false);
+    expect(
+      validatePush({ url: 'https://caller.example.com/push', tokenFingerprint: 'a'.repeat(33) }),
+      'SECURITY a2a-push-egress-ssrf — tokenFingerprint maxLength:32 structurally rejects a full-length raw token (SR-1)',
+    ).toBe(false);
+    expect(
+      validatePush({ url: 'https://caller.example.com/push', tokenFingerprint: 'a1b2c3d4' }),
+      'a truncated fingerprint + uri url MUST validate',
+    ).toBe(true);
+  });
+
+  it('the capabilities.a2a block shape is declared (supported + agentCardUrl required; three optional booleans)', () => {
+    expect(a2aBlockSchema, 'capabilities.schema.json MUST declare the a2a block').toBeDefined();
+    expect(a2aBlockSchema.required).toEqual(expect.arrayContaining(['supported', 'agentCardUrl']));
+    expect(a2aBlockSchema.additionalProperties).toBe(false);
+    const validateA2A = ajv.compile({ ...a2aBlockSchema, $id: 'urn:test:a2a-block' });
+    expect(
+      validateA2A({ supported: true, agentCardUrl: 'https://example.com/.well-known/agent-card.json', durableTasks: true }),
+      `a conforming a2a block MUST validate. Errors: ${JSON.stringify(validateA2A.errors)}`,
+    ).toBe(true);
+    expect(validateA2A({ supported: true }), 'agentCardUrl is required').toBe(false);
+  });
+});
+
+describe.skipIf(HTTP_SKIP)('a2a-task-roundtrip: durable tasks/get after disconnect (gated on a2a.durableTasks; RFC 0100)', () => {
+  it('a paused-at-HITL run projects a live input-required task on a later tasks/get read', async () => {
+    const a2a = await readCapabilityFamily<{ durableTasks?: boolean }>('a2a');
+    if (!behaviorGate('a2a.durableTasks', a2a?.durableTasks === true)) return;
+
+    // Host-extension durable-task read seam (RFC 0100 §2). The host drives a
+    // backing run to a paused HITL state; we read the persisted projection
+    // WITHOUT holding the original connection.
+    const start = await driver.post('/v1/host/sample/a2a/tasks/start', {
+      scenario: 'paused-at-approval',
+    });
+    if (start.status === 404 || start.status === 403) return; // seam unwired — soft-skip
+    const taskId = (start.json as { taskId?: string })?.taskId;
+    if (!taskId) return;
+
+    const read = await driver.get(`/v1/host/sample/a2a/tasks/${encodeURIComponent(taskId)}`);
+    if (read.status === 404 || read.status === 403) return;
+    const state = read.json as { state?: string; runId?: string; metadata?: { openwop?: { interrupt?: { kind?: string } } } };
+    expect(
+      state.state,
+      driver.describe('a2a-integration.md §"Async / durable Tasks"', 'tasks/get after disconnect MUST return the live input-required projection (not a stale working)'),
+    ).toBe('input-required');
+    expect(
+      state.runId,
+      driver.describe('a2a-task-state.schema.json', 'taskId MUST equal the backing runId'),
+    ).toBe(taskId);
+  });
+});
+
+describe.skipIf(HTTP_SKIP)('a2a-task-roundtrip: push-config SSRF (gated on a2a.pushNotifications; RFC 0100)', () => {
+  it('registering a pushConfig.url at a private address is refused (a2a-push-egress-ssrf)', async () => {
+    const a2a = await readCapabilityFamily<{ pushNotifications?: boolean }>('a2a');
+    if (!behaviorGate('a2a.pushNotifications', a2a?.pushNotifications === true)) return;
+
+    const res = await driver.post('/v1/host/sample/a2a/tasks/push-config', {
+      taskId: 'run_x',
+      url: 'http://10.0.0.5/push',
+    });
+    if (res.status === 404 || res.status === 403) return; // seam unwired — soft-skip
+    expect(
+      res.status >= 400,
+      driver.describe(
+        'a2a-integration.md §"Async / durable Tasks"',
+        'a2a-push-egress-ssrf — a caller-supplied pushConfig.url at a private/loopback address MUST be refused before any push',
+      ),
+    ).toBe(true);
+  });
+});

package/src/scenarios/fixtures-valid.test.ts

@@ -188,6 +188,44 @@ describe('fixtures: connection-pack-manifest schema validity', () => {
   }
 });
 
+describe('fixtures: trigger-event + registration schema validity', () => {
+  // External-event ingestion fixtures live in `fixtures/trigger-events/`
+  // (RFC 0099). They are schema-level proof points validated against the
+  // `TriggerEvent` / `TriggerSubscriptionRegistration` schemas — NOT seeded
+  // into a workflow store. A fixture is dispatched to the right schema by a
+  // filename convention: `trigger-event-*` → trigger-event.schema.json;
+  // `trigger-subscription-registration-*` → the registration schema.
+  const ajv = new Ajv2020({ allErrors: true, strict: false });
+  addFormats(ajv);
+  // The registration schema $refs the subscription schema; register it.
+  ajv.addSchema(JSON.parse(readFileSync(join(SCHEMAS_DIR, 'trigger-subscription.schema.json'), 'utf8')));
+  const validateEvent = ajv.compile(JSON.parse(readFileSync(join(SCHEMAS_DIR, 'trigger-event.schema.json'), 'utf8')));
+  const validateReg = ajv.compile(
+    JSON.parse(readFileSync(join(SCHEMAS_DIR, 'trigger-subscription-registration.schema.json'), 'utf8')),
+  );
+
+  const dir = join(FIXTURES_DIR, 'trigger-events');
+  const files = readdirSync(dir)
+    .filter((f) => f.endsWith('.json'))
+    .sort();
+
+  it('finds at least one trigger-event fixture (RFC 0099 coverage)', () => {
+    expect(files.length).toBeGreaterThan(0);
+  });
+
+  for (const file of files) {
+    it(`trigger-events/${file} validates against its schema`, () => {
+      const data = JSON.parse(readFileSync(join(dir, file), 'utf8'));
+      const validate = file.startsWith('trigger-subscription-registration') ? validateReg : validateEvent;
+      const ok = validate(data);
+      const errors = (validate.errors ?? [])
+        .map((e: ErrorObject) => `${e.instancePath || '/'}: ${e.message}`)
+        .join('\n');
+      expect(ok, `Fixture trigger-events/${file} fails its schema:\n${errors}`).toBe(true);
+    });
+  }
+});
+
 describe('fixtures: prompt-template schema validity', () => {
   // PromptTemplate fixtures live in `fixtures/prompt-templates/` per
   // RFC 0027 §A. Like pack manifests, they're schema-level proof points,