@openwop/openwop-conformance 1.24.0 → 1.26.0

package/src/scenarios/a2a-task-roundtrip.test.ts

@@ -36,12 +36,20 @@
  */
 
 import { describe, it, expect } from 'vitest';
+import { readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import Ajv2020 from 'ajv/dist/2020.js';
+import addFormats from 'ajv-formats';
 import { driver } from '../lib/driver.js';
 import { getA2AFakePeer } from '../lib/a2a-fake-peer.js';
 import { isFixtureAdvertised } from '../lib/fixtures.js';
 import { pollUntilTerminal, pollUntilStatus } from '../lib/polling.js';
+import { SCHEMAS_DIR } from '../lib/paths.js';
+import { behaviorGate } from '../lib/behavior-gate.js';
+import { readCapabilityFamily } from '../lib/discovery-capabilities.js';
 
 const ROUNDTRIP_FIXTURE = 'conformance-a2a-task-roundtrip';
+const HTTP_SKIP = !process.env.OPENWOP_BASE_URL;
 
 /** Resolve the A2A endpoint to probe: real-peer env wins; otherwise the in-process fake. */
 function probePeer(): { url: string; isReal: boolean } | null {
@@ -266,3 +274,131 @@ describe('a2a-task-roundtrip: drift point #4 — REJECTED projects to failed', (
     )).toBe(true);
   });
 });
+
+// ─── RFC 0100: async / durable A2A tasks ──────────────────────────────
+// Capability-shape always-on + durable-get / resubscribe / push-SSRF gated.
+
+describe('a2a-task-roundtrip: A2ATaskState + a2a capability shape (always-on, server-free; RFC 0100)', () => {
+  const ajv = new Ajv2020({ allErrors: true, strict: false });
+  addFormats(ajv);
+  const taskStateSchema = JSON.parse(
+    readFileSync(join(SCHEMAS_DIR, 'a2a-task-state.schema.json'), 'utf8'),
+  );
+  const capabilitiesSchema = JSON.parse(
+    readFileSync(join(SCHEMAS_DIR, 'capabilities.schema.json'), 'utf8'),
+  );
+  const validateTaskState = ajv.compile(taskStateSchema);
+  const a2aBlockSchema = capabilitiesSchema.properties?.a2a;
+
+  it('a conforming A2ATaskState validates with the lowercase-hyphen state enum and taskId == runId', () => {
+    const ok = {
+      taskId: 'run_x',
+      runId: 'run_x',
+      contextId: 'ctx_42',
+      state: 'input-required',
+      interruptKind: 'approval',
+      updatedAt: '2026-06-13T19:00:00Z',
+    };
+    expect(
+      validateTaskState(ok),
+      `a2a-task-state.schema.json MUST accept a conforming record. Errors: ${JSON.stringify(validateTaskState.errors)}`,
+    ).toBe(true);
+  });
+
+  it('an UPPERCASE state fails (the persisted/wire form is the A2A v0.3 lowercase-hyphen variant)', () => {
+    expect(
+      validateTaskState({ taskId: 'r', runId: 'r', state: 'WORKING', updatedAt: '2026-06-13T19:00:00Z' }),
+      'a2a-integration.md spelling-drift note — the persisted A2ATaskState.state MUST be the lowercase-hyphen form',
+    ).toBe(false);
+  });
+
+  it('an A2ATaskState carrying run inputs/artifacts inline fails (additionalProperties:false; SR-1)', () => {
+    expect(
+      validateTaskState({
+        taskId: 'r',
+        runId: 'r',
+        state: 'completed',
+        updatedAt: '2026-06-13T19:00:00Z',
+        inputs: { secret: 'x' },
+      }),
+      'SECURITY a2a-push-egress-ssrf / SR-1 — the persisted record MUST NOT carry run inputs/outputs/artifacts inline',
+    ).toBe(false);
+  });
+
+  it('a PushConfig requires `url` and structurally rejects a raw (non-truncated) push token', () => {
+    const validatePush = ajv.compile({
+      $ref: 'https://openwop.dev/spec/v1/a2a-task-state.schema.json#/$defs/PushConfig',
+      $defs: taskStateSchema.$defs,
+    });
+    expect(validatePush({ tokenFingerprint: 'a1b2' }), 'PushConfig MUST require `url`').toBe(false);
+    expect(
+      validatePush({ url: 'https://caller.example.com/push', tokenFingerprint: 'a'.repeat(33) }),
+      'SECURITY a2a-push-egress-ssrf — tokenFingerprint maxLength:32 structurally rejects a full-length raw token (SR-1)',
+    ).toBe(false);
+    expect(
+      validatePush({ url: 'https://caller.example.com/push', tokenFingerprint: 'a1b2c3d4' }),
+      'a truncated fingerprint + uri url MUST validate',
+    ).toBe(true);
+  });
+
+  it('the capabilities.a2a block shape is declared (supported + agentCardUrl required; three optional booleans)', () => {
+    expect(a2aBlockSchema, 'capabilities.schema.json MUST declare the a2a block').toBeDefined();
+    expect(a2aBlockSchema.required).toEqual(expect.arrayContaining(['supported', 'agentCardUrl']));
+    expect(a2aBlockSchema.additionalProperties).toBe(false);
+    const validateA2A = ajv.compile({ ...a2aBlockSchema, $id: 'urn:test:a2a-block' });
+    expect(
+      validateA2A({ supported: true, agentCardUrl: 'https://example.com/.well-known/agent-card.json', durableTasks: true }),
+      `a conforming a2a block MUST validate. Errors: ${JSON.stringify(validateA2A.errors)}`,
+    ).toBe(true);
+    expect(validateA2A({ supported: true }), 'agentCardUrl is required').toBe(false);
+  });
+});
+
+describe.skipIf(HTTP_SKIP)('a2a-task-roundtrip: durable tasks/get after disconnect (gated on a2a.durableTasks; RFC 0100)', () => {
+  it('a paused-at-HITL run projects a live input-required task on a later tasks/get read', async () => {
+    const a2a = await readCapabilityFamily<{ durableTasks?: boolean }>('a2a');
+    if (!behaviorGate('a2a.durableTasks', a2a?.durableTasks === true)) return;
+
+    // Host-extension durable-task read seam (RFC 0100 §2). The host drives a
+    // backing run to a paused HITL state; we read the persisted projection
+    // WITHOUT holding the original connection.
+    const start = await driver.post('/v1/host/sample/a2a/tasks/start', {
+      scenario: 'paused-at-approval',
+    });
+    if (start.status === 404 || start.status === 403) return; // seam unwired — soft-skip
+    const taskId = (start.json as { taskId?: string })?.taskId;
+    if (!taskId) return;
+
+    const read = await driver.get(`/v1/host/sample/a2a/tasks/${encodeURIComponent(taskId)}`);
+    if (read.status === 404 || read.status === 403) return;
+    const state = read.json as { state?: string; runId?: string; metadata?: { openwop?: { interrupt?: { kind?: string } } } };
+    expect(
+      state.state,
+      driver.describe('a2a-integration.md §"Async / durable Tasks"', 'tasks/get after disconnect MUST return the live input-required projection (not a stale working)'),
+    ).toBe('input-required');
+    expect(
+      state.runId,
+      driver.describe('a2a-task-state.schema.json', 'taskId MUST equal the backing runId'),
+    ).toBe(taskId);
+  });
+});
+
+describe.skipIf(HTTP_SKIP)('a2a-task-roundtrip: push-config SSRF (gated on a2a.pushNotifications; RFC 0100)', () => {
+  it('registering a pushConfig.url at a private address is refused (a2a-push-egress-ssrf)', async () => {
+    const a2a = await readCapabilityFamily<{ pushNotifications?: boolean }>('a2a');
+    if (!behaviorGate('a2a.pushNotifications', a2a?.pushNotifications === true)) return;
+
+    const res = await driver.post('/v1/host/sample/a2a/tasks/push-config', {
+      taskId: 'run_x',
+      url: 'http://10.0.0.5/push',
+    });
+    if (res.status === 404 || res.status === 403) return; // seam unwired — soft-skip
+    expect(
+      res.status >= 400,
+      driver.describe(
+        'a2a-integration.md §"Async / durable Tasks"',
+        'a2a-push-egress-ssrf — a caller-supplied pushConfig.url at a private/loopback address MUST be refused before any push',
+      ),
+    ).toBe(true);
+  });
+});

package/src/scenarios/a2ui-surface-degrades.test.ts

@@ -0,0 +1,54 @@
+/**
+ * a2ui-surface-degrades — RFC 0102 §A point: graceful degradation.
+ *
+ * A consumer that does NOT advertise `ui.a2ui-surface` and receives one
+ * MUST fall back to store-without-render and MUST NOT fail the run (N6;
+ * `ui.a2ui-surface` is an OPTIONAL advertised kind, not a MUST-recognize
+ * universal kind — precedent `artifact-type-store-without-render`).
+ *
+ * Always-on (server-free): `ui.a2ui-surface` is NOT one of the four
+ * universal kinds, so a non-advertising consumer is entitled to degrade.
+ * Capability-gated (HTTP): posting the kind to a host that does not list it
+ * in `supportedEnvelopes` is gated (run not failed), not accepted.
+ *
+ * @see RFCS/0102-a2ui-agent-authored-interface-surfaces.md §A
+ * @see spec/v1/ai-envelope.md §"A2UI surfaces"
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+
+const HTTP_SKIP = !process.env.OPENWOP_BASE_URL;
+const UNIVERSAL_KINDS = ['clarification.request', 'schema.request', 'schema.response', 'error'];
+
+describe('a2ui-surface-degrades: optional-advertised, not universal (RFC 0102 §A)', () => {
+  it('ui.a2ui-surface is NOT a MUST-recognize universal kind', () => {
+    expect(
+      UNIVERSAL_KINDS.includes('ui.a2ui-surface'),
+      'ai-envelope.md §"A2UI surfaces": ui.a2ui-surface MUST be optional/advertised so an unrecognizing consumer may store-without-render',
+    ).toBe(false);
+  });
+});
+
+describe.skipIf(HTTP_SKIP)('a2ui-surface-degrades: unadvertised kind is gated, run survives (RFC 0102 §A)', () => {
+  it('posting ui.a2ui-surface to a host that does not advertise it → gated (not failed)', async () => {
+    const res = await driver.post('/v1/host/sample/envelope/accept', {
+      envelope: {
+        type: 'ui.a2ui-surface',
+        schemaVersion: 1,
+        envelopeId: 'env-a2ui-degrade-1',
+        correlationId: 'run-a2ui:node-1:turn-0:deg',
+        payload: { catalogVersion: '0.9.1', surface: { components: [] } },
+        meta: { source: 'ai-generation', ts: '2026-06-15T10:00:00Z' },
+      },
+      hostSupportedEnvelopes: ['clarification.request'], // does not advertise ui.a2ui-surface
+    });
+    if (res.status === 404) return; // seam absent — soft-skip
+    expect(res.status).toBe(200);
+    const body = res.json as { status?: string };
+    expect(
+      body.status,
+      driver.describe('RFC 0102 §A (N6)', 'an unadvertised ui.a2ui-surface MUST be gated, never crash the run'),
+    ).toBe('gated');
+  });
+});

package/src/scenarios/a2ui-surface-replay.test.ts

@@ -0,0 +1,84 @@
+/**
+ * a2ui-surface-replay — RFC 0102 §A.6: replay determinism by correlationId.
+ *
+ * The surface envelope replays by `correlationId` (ai-envelope.md §"Replay
+ * determinism"); on recovery/`:fork` the cached outcome is returned and the
+ * surface is NEVER regenerated. Re-emission with the same correlationId but a
+ * divergent `type` refuses with `envelope_correlation_conflict`. Durable
+ * state is exactly `(surface envelope, submitted resume value)`.
+ *
+ * Always-on (server-free): the surface payload is self-contained (no external
+ * `$ref`), the precondition that makes a stored surface replay deterministically
+ * after the external A2UI catalog ships a breaking version.
+ * Capability-gated (HTTP): same correlationId + different type → conflict.
+ *
+ * @see RFCS/0102-a2ui-agent-authored-interface-surfaces.md §A.6
+ * @see spec/v1/ai-envelope.md §"Replay determinism"
+ */
+
+import { describe, it, expect } from 'vitest';
+import { readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import { driver } from '../lib/driver.js';
+import { SCHEMAS_DIR } from '../lib/paths.js';
+
+const HTTP_SKIP = !process.env.OPENWOP_BASE_URL;
+const schema = JSON.parse(
+  readFileSync(join(SCHEMAS_DIR, 'envelopes/ui.a2ui-surface.schema.json'), 'utf8'),
+) as Record<string, unknown>;
+
+function refStrings(node: unknown, out: string[]): void {
+  if (!node || typeof node !== 'object') return;
+  if (Array.isArray(node)) {
+    node.forEach((n) => refStrings(n, out));
+    return;
+  }
+  const obj = node as Record<string, unknown>;
+  if (typeof obj['$ref'] === 'string') out.push(obj['$ref'] as string);
+  Object.values(obj).forEach((v) => refStrings(v, out));
+}
+
+describe('a2ui-surface-replay: self-contained surface (RFC 0102 §A.6)', () => {
+  it('all $refs are internal (#/...) — surface renders from the payload alone on replay', () => {
+    const refs: string[] = [];
+    refStrings(schema, refs);
+    const external = refs.filter((r) => !r.startsWith('#'));
+    expect(
+      external,
+      'RFC 0102 §A.6: a stored surface MUST be self-contained for deterministic :fork/replay (no live external-catalog ref)',
+    ).toEqual([]);
+  });
+});
+
+describe.skipIf(HTTP_SKIP)('a2ui-surface-replay: correlationId conflict on type divergence (RFC 0102 §A.6)', () => {
+  const base = {
+    schemaVersion: 1,
+    correlationId: 'run-a2ui:node-1:turn-0:rep',
+    payload: { catalogVersion: '0.9.1', surface: { components: [] } },
+    meta: { source: 'ai-generation', ts: '2026-06-15T10:00:00Z' },
+  };
+
+  it('re-emission with same correlationId + different type → envelope_correlation_conflict', async () => {
+    const first = await driver.post('/v1/host/sample/envelope/accept', {
+      envelope: { ...base, type: 'ui.a2ui-surface', envelopeId: 'env-a2ui-rep-1' },
+      hostSupportedEnvelopes: ['ui.a2ui-surface', 'clarification.request'],
+    });
+    if (first.status === 404) return; // seam absent — soft-skip
+
+    const conflict = await driver.post('/v1/host/sample/envelope/accept', {
+      envelope: {
+        ...base,
+        type: 'clarification.request',
+        envelopeId: 'env-a2ui-rep-2',
+        payload: { questions: [{ id: 'q', question: 'x' }] },
+      },
+      hostSupportedEnvelopes: ['ui.a2ui-surface', 'clarification.request'],
+    });
+    if (conflict.status === 404) return;
+    const body = conflict.json as { status?: string; reason?: string };
+    expect(
+      body.reason ?? '',
+      driver.describe('ai-envelope.md §"Replay determinism"', 'same correlationId + divergent type MUST conflict'),
+    ).toContain('envelope_correlation_conflict');
+  });
+});

package/src/scenarios/a2ui-surface-shape.test.ts

@@ -0,0 +1,162 @@
+/**
+ * a2ui-surface-shape — RFC 0102 §A wire-shape conformance (server-free).
+ *
+ * Asserts (always-on, Ajv2020, no host required):
+ *   1. `schemas/envelopes/ui.a2ui-surface.schema.json` compiles under Ajv2020.
+ *   2. A positive surface payload (closed catalog components, advertised
+ *      `catalogVersion`, a confined resume/exchange action) validates.
+ *   3. Negatives fail per the closed schema:
+ *        - missing required `catalogVersion` / `surface`
+ *        - an out-of-catalog component object (additionalProperties:false)
+ *        - a component carrying an extra/script-bearing property
+ *        - a `catalogVersion` the schema does not enumerate
+ *        - an `action.button` whose `action.target` is outside
+ *          `enum["resume","exchange"]` (the structural half of
+ *          `a2ui-action-confinement`), or carries an arbitrary URL field.
+ *
+ * The closed `anyOf` `surface` shape is the enabling precondition for the
+ * render-side invariants `a2ui-surface-no-code-exec` /
+ * `a2ui-surface-no-network-egress` (reference-app probes): a surface that
+ * smuggles a script-bearing field or an unconfined action target fails
+ * validation before it can reach a renderer.
+ *
+ * @see RFCS/0102-a2ui-agent-authored-interface-surfaces.md §A
+ * @see spec/v1/ai-envelope.md §"A2UI surfaces"
+ * @see schemas/envelopes/ui.a2ui-surface.schema.json
+ * @see SECURITY/invariants.yaml (a2ui-action-confinement)
+ */
+
+import { describe, it, expect } from 'vitest';
+import Ajv2020 from 'ajv/dist/2020.js';
+import { readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import { SCHEMAS_DIR } from '../lib/paths.js';
+
+const ajv = new Ajv2020({ strict: false, allErrors: true });
+const schema = JSON.parse(
+  readFileSync(join(SCHEMAS_DIR, 'envelopes/ui.a2ui-surface.schema.json'), 'utf8'),
+) as Record<string, unknown>;
+
+function positivePayload(): Record<string, unknown> {
+  return {
+    catalogVersion: '0.9.1',
+    surface: {
+      title: 'Schedule the kickoff',
+      components: [
+        { component: 'heading', text: 'Kickoff', level: 2 },
+        { component: 'text', text: 'Pick a date and confirm.' },
+        { component: 'field.text', id: 'name', label: 'Your name', required: true },
+        { component: 'field.date', id: 'when', label: 'Date' },
+        {
+          component: 'field.select',
+          id: 'room',
+          label: 'Room',
+          options: [
+            { value: 'a', label: 'Room A' },
+            { value: 'b', label: 'Room B' },
+          ],
+        },
+        { component: 'field.checkbox', id: 'remind', label: 'Remind me', default: true },
+        { component: 'action.button', id: 'go', label: 'Confirm', action: { target: 'resume' } },
+      ],
+    },
+    reasoning: 'Collect the kickoff details.',
+  };
+}
+
+describe('a2ui-surface-shape: schema compile + round-trip (RFC 0102 §A)', () => {
+  const validate = ajv.compile(schema);
+
+  it('ui.a2ui-surface.schema.json compiles under Ajv2020', () => {
+    expect(
+      validate,
+      'RFC 0102 §A: the core ui.a2ui-surface payload schema MUST compile',
+    ).toBeTypeOf('function');
+  });
+
+  it('accepts a positive surface payload (closed catalog + confined action)', () => {
+    const ok = validate(positivePayload());
+    expect(
+      ok,
+      `RFC 0102 §A: positive surface MUST validate; errors: ${JSON.stringify(validate.errors)}`,
+    ).toBe(true);
+  });
+
+  it('accepts an exchange-targeted action (the other confined target)', () => {
+    const p = positivePayload();
+    (p.surface as { components: Array<Record<string, unknown>> }).components = [
+      { component: 'action.button', id: 'send', label: 'Send', action: { target: 'exchange' } },
+    ];
+    expect(validate(p)).toBe(true);
+  });
+
+  it('rejects a payload missing required `catalogVersion`', () => {
+    const p = positivePayload();
+    delete p.catalogVersion;
+    expect(validate(p), 'RFC 0102 §A: `catalogVersion` is REQUIRED').toBe(false);
+  });
+
+  it('rejects a payload missing required `surface`', () => {
+    const p = positivePayload();
+    delete p.surface;
+    expect(validate(p), 'RFC 0102 §A: `surface` is REQUIRED').toBe(false);
+  });
+
+  it('rejects a `catalogVersion` the schema does not enumerate (unknown version)', () => {
+    const p = positivePayload();
+    p.catalogVersion = '9.9.9';
+    expect(
+      validate(p),
+      'RFC 0102 §A.3: an unadvertised catalogVersion MUST fail the enumerated set',
+    ).toBe(false);
+  });
+
+  it('rejects an out-of-catalog component object (additionalProperties:false)', () => {
+    const p = positivePayload();
+    (p.surface as { components: Array<Record<string, unknown>> }).components = [
+      { component: 'iframe', src: 'https://evil.example/x' } as Record<string, unknown>,
+    ];
+    expect(
+      validate(p),
+      'RFC 0102 §A.1: an out-of-catalog component MUST fail the closed anyOf',
+    ).toBe(false);
+  });
+
+  it('rejects a known component carrying an extra (script-bearing) property', () => {
+    const p = positivePayload();
+    (p.surface as { components: Array<Record<string, unknown>> }).components = [
+      { component: 'heading', text: 'Hi', onClick: "fetch('https://evil')" } as Record<string, unknown>,
+    ];
+    expect(
+      validate(p),
+      'RFC 0102 §A.1: additionalProperties:false MUST reject a smuggled code field',
+    ).toBe(false);
+  });
+
+  it('rejects an action whose target is outside enum["resume","exchange"] (action confinement)', () => {
+    const p = positivePayload();
+    (p.surface as { components: Array<Record<string, unknown>> }).components = [
+      { component: 'action.button', id: 'x', label: 'X', action: { target: 'http://evil.example' } },
+    ];
+    expect(
+      validate(p),
+      'RFC 0102 §A.4 / SECURITY a2ui-action-confinement: an action target outside resume/exchange MUST be rejected',
+    ).toBe(false);
+  });
+
+  it('rejects an action carrying an arbitrary URL field (no unconfined egress target)', () => {
+    const p = positivePayload();
+    (p.surface as { components: Array<Record<string, unknown>> }).components = [
+      {
+        component: 'action.button',
+        id: 'x',
+        label: 'X',
+        action: { target: 'resume', url: 'https://evil.example/exfil' } as Record<string, unknown>,
+      },
+    ];
+    expect(
+      validate(p),
+      'RFC 0102 §A.4: action additionalProperties:false MUST reject an arbitrary URL target',
+    ).toBe(false);
+  });
+});

package/src/scenarios/a2ui-surface-version-refusal.test.ts

@@ -0,0 +1,77 @@
+/**
+ * a2ui-surface-version-refusal — RFC 0102 §A.3 (C3): catalog version is a
+ * host-enumerated set, not a free string. A `catalogVersion` the host does
+ * not advertise MUST be refused with `unknown_schema_version`
+ * (ai-envelope.md §"Schema version advertisement"), and the stored surface
+ * MUST be self-contained for deterministic `:fork`/replay.
+ *
+ * Always-on (server-free): the core schema enumerates `catalogVersion`
+ * (closed set), so a non-advertised version fails validation; the schema
+ * carries no external `$ref` (surface is self-contained).
+ * Capability-gated (HTTP): a live host refuses an unadvertised version.
+ *
+ * @see RFCS/0102-a2ui-agent-authored-interface-surfaces.md §A.3
+ * @see spec/v1/ai-envelope.md §"A2UI surfaces", §"Schema version advertisement"
+ */
+
+import { describe, it, expect } from 'vitest';
+import Ajv2020 from 'ajv/dist/2020.js';
+import { readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import { driver } from '../lib/driver.js';
+import { SCHEMAS_DIR } from '../lib/paths.js';
+
+const HTTP_SKIP = !process.env.OPENWOP_BASE_URL;
+const schema = JSON.parse(
+  readFileSync(join(SCHEMAS_DIR, 'envelopes/ui.a2ui-surface.schema.json'), 'utf8'),
+) as Record<string, unknown>;
+
+function hasAbsoluteRef(node: unknown): boolean {
+  if (!node || typeof node !== 'object') return false;
+  if (Array.isArray(node)) return node.some(hasAbsoluteRef);
+  const obj = node as Record<string, unknown>;
+  if (typeof obj['$ref'] === 'string' && !(obj['$ref'] as string).startsWith('#')) return true;
+  return Object.values(obj).some(hasAbsoluteRef);
+}
+
+describe('a2ui-surface-version-refusal: enumerated catalogVersion (RFC 0102 §A.3)', () => {
+  const ajv = new Ajv2020({ strict: false, allErrors: true });
+  const validate = ajv.compile(schema);
+
+  it('catalogVersion is a closed enum — an unadvertised version fails validation', () => {
+    const ok = validate({ catalogVersion: '9.9.9', surface: { components: [] } });
+    expect(
+      ok,
+      'RFC 0102 §A.3: a catalogVersion outside the host-enumerated set MUST fail (→ unknown_schema_version at runtime)',
+    ).toBe(false);
+  });
+
+  it('surface payload is self-contained — no external $ref (replay determinism)', () => {
+    expect(
+      hasAbsoluteRef(schema),
+      'RFC 0102 §A.3: the surface MUST be self-contained, never a live external-catalog reference',
+    ).toBe(false);
+  });
+});
+
+describe.skipIf(HTTP_SKIP)('a2ui-surface-version-refusal: live host refuses unadvertised version (RFC 0102 §A.3)', () => {
+  it('ui.a2ui-surface with an unadvertised catalogVersion → refused', async () => {
+    const res = await driver.post('/v1/host/sample/envelope/accept', {
+      envelope: {
+        type: 'ui.a2ui-surface',
+        schemaVersion: 1,
+        envelopeId: 'env-a2ui-ver-1',
+        correlationId: 'run-a2ui:node-1:turn-0:ver',
+        payload: { catalogVersion: '9.9.9', surface: { components: [] } },
+        meta: { source: 'ai-generation', ts: '2026-06-15T10:00:00Z' },
+      },
+      hostSupportedEnvelopes: ['ui.a2ui-surface'],
+    });
+    if (res.status === 404) return; // seam absent — soft-skip
+    const body = res.json as { status?: string; reason?: string };
+    expect(
+      body.status === 'invalid' || body.status === 'refused',
+      driver.describe('RFC 0102 §A.3', 'an unadvertised catalogVersion MUST be refused'),
+    ).toBe(true);
+  });
+});

package/src/scenarios/a2ui-untrusted-blocks-approval.test.ts

@@ -0,0 +1,68 @@
+/**
+ * a2ui-untrusted-blocks-approval — RFC 0102 §A.5: an untrusted-authored
+ * surface MUST NOT advance an approval gate.
+ *
+ * A `ui.a2ui-surface` emitted by a node that consumed untrusted MCP/A2A
+ * content carries `meta.contentTrust: 'untrusted'`; the existing
+ * `untrusted_content_blocks_approval` rule then blocks that surface from
+ * advancing an `approval` interrupt. This is a composition of the existing
+ * untrusted-content rule for the new kind, not a new taint primitive.
+ *
+ * Always-on (server-free): `ui.a2ui-surface` is an advertised (non-universal)
+ * kind, so the envelope trust-boundary machinery (`meta.contentTrust`) applies
+ * to it exactly as to any other envelope — the precondition for the block.
+ * Capability-gated (HTTP): an untrusted surface bound to an approval interrupt
+ * is refused.
+ *
+ * @see RFCS/0102-a2ui-agent-authored-interface-surfaces.md §A.5
+ * @see spec/v1/ai-envelope.md §"A2UI surfaces", §"Trust boundary"
+ * @see SECURITY/invariants.yaml (a2ui-untrusted-blocks-approval, untrusted_content_blocks_approval)
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+
+const HTTP_SKIP = !process.env.OPENWOP_BASE_URL;
+const UNIVERSAL_KINDS = ['clarification.request', 'schema.request', 'schema.response', 'error'];
+
+describe('a2ui-untrusted-blocks-approval: trust machinery applies (RFC 0102 §A.5)', () => {
+  it('ui.a2ui-surface is an advertised kind subject to meta.contentTrust gating (not universal/always-allowed)', () => {
+    expect(
+      UNIVERSAL_KINDS.includes('ui.a2ui-surface'),
+      'ai-envelope.md §"A2UI surfaces" / §"Trust boundary": a ui.a2ui-surface is trust-gated like any advertised envelope, so an untrusted surface is subject to untrusted_content_blocks_approval',
+    ).toBe(false);
+  });
+});
+
+describe.skipIf(HTTP_SKIP)('a2ui-untrusted-blocks-approval: untrusted surface cannot drive an approval (RFC 0102 §A.5)', () => {
+  it('an untrusted-marked ui.a2ui-surface bound to an approval interrupt is refused', async () => {
+    const res = await driver.post('/v1/host/sample/envelope/accept', {
+      envelope: {
+        type: 'ui.a2ui-surface',
+        schemaVersion: 1,
+        envelopeId: 'env-a2ui-untrusted-1',
+        correlationId: 'run-a2ui:node-1:turn-0:unt',
+        payload: {
+          catalogVersion: '0.9.1',
+          surface: {
+            components: [
+              { component: 'action.button', id: 'approve', label: 'Approve', action: { target: 'resume' } },
+            ],
+          },
+        },
+        meta: { source: 'ai-generation', ts: '2026-06-15T10:00:00Z', contentTrust: 'untrusted' },
+      },
+      hostSupportedEnvelopes: ['ui.a2ui-surface'],
+      boundInterruptKind: 'approval',
+    });
+    if (res.status === 404) return; // seam absent — soft-skip
+    const body = res.json as { status?: string; reason?: string };
+    expect(
+      body.status === 'blocked' || (body.reason ?? '').includes('untrusted'),
+      driver.describe(
+        'RFC 0102 §A.5',
+        'an untrusted ui.a2ui-surface MUST NOT advance an approval interrupt (untrusted_content_blocks_approval)',
+      ),
+    ).toBe(true);
+  });
+});

package/src/scenarios/fixtures-valid.test.ts

@@ -188,6 +188,44 @@ describe('fixtures: connection-pack-manifest schema validity', () => {
   }
 });
 
+describe('fixtures: trigger-event + registration schema validity', () => {
+  // External-event ingestion fixtures live in `fixtures/trigger-events/`
+  // (RFC 0099). They are schema-level proof points validated against the
+  // `TriggerEvent` / `TriggerSubscriptionRegistration` schemas — NOT seeded
+  // into a workflow store. A fixture is dispatched to the right schema by a
+  // filename convention: `trigger-event-*` → trigger-event.schema.json;
+  // `trigger-subscription-registration-*` → the registration schema.
+  const ajv = new Ajv2020({ allErrors: true, strict: false });
+  addFormats(ajv);
+  // The registration schema $refs the subscription schema; register it.
+  ajv.addSchema(JSON.parse(readFileSync(join(SCHEMAS_DIR, 'trigger-subscription.schema.json'), 'utf8')));
+  const validateEvent = ajv.compile(JSON.parse(readFileSync(join(SCHEMAS_DIR, 'trigger-event.schema.json'), 'utf8')));
+  const validateReg = ajv.compile(
+    JSON.parse(readFileSync(join(SCHEMAS_DIR, 'trigger-subscription-registration.schema.json'), 'utf8')),
+  );
+
+  const dir = join(FIXTURES_DIR, 'trigger-events');
+  const files = readdirSync(dir)
+    .filter((f) => f.endsWith('.json'))
+    .sort();
+
+  it('finds at least one trigger-event fixture (RFC 0099 coverage)', () => {
+    expect(files.length).toBeGreaterThan(0);
+  });
+
+  for (const file of files) {
+    it(`trigger-events/${file} validates against its schema`, () => {
+      const data = JSON.parse(readFileSync(join(dir, file), 'utf8'));
+      const validate = file.startsWith('trigger-subscription-registration') ? validateReg : validateEvent;
+      const ok = validate(data);
+      const errors = (validate.errors ?? [])
+        .map((e: ErrorObject) => `${e.instancePath || '/'}: ${e.message}`)
+        .join('\n');
+      expect(ok, `Fixture trigger-events/${file} fails its schema:\n${errors}`).toBe(true);
+    });
+  }
+});
+
 describe('fixtures: prompt-template schema validity', () => {
   // PromptTemplate fixtures live in `fixtures/prompt-templates/` per
   // RFC 0027 §A. Like pack manifests, they're schema-level proof points,