Add manifest boundary fixture validation

package.json

@@ -8,7 +8,8 @@
     "build": "npm run build --workspaces --if-present",
     "typecheck": "npm run typecheck --workspaces --if-present",
     "test": "npm run test --workspaces --if-present",
-    "verify": "npm run build && npm test && npm run mesh:smoke && npm run mesh:decentralized && npm run mesh:readiness && npm run mesh:hydrate",
+    "manifest:fixtures": "npm --workspace packages/core run manifest:fixtures",
+    "verify": "npm run build && npm test && npm run manifest:fixtures && npm run mesh:smoke && npm run mesh:decentralized && npm run mesh:readiness && npm run mesh:hydrate",
     "lint": "npm run build",
     "mesh:readiness": "node scripts/mesh-readiness.mjs",
     "mesh:harness": "node scripts/mesh-dispatch-harness.mjs",

packages/core/fixtures/manifest-boundaries/client-project-boundary.expected-fail.json

@@ -0,0 +1,46 @@
+{
+  "owner": "synthetic-client-domain",
+  "boundary_class": "client-project-boundary",
+  "threat": "client-project internal context leaks into publishable/runtime-neutral artifacts, generated runtime config, audit output, or unauthorized fallback summaries",
+  "surfaces": [
+    "generated_prompt",
+    "generated_config",
+    "repo_artifact",
+    "audit_log",
+    "public_channel",
+    "terminal_adapter",
+    "fallback_summary"
+  ],
+  "data_boundary": {
+    "forbidden": [
+      "client_internal_context",
+      "customer/project-private names",
+      "internal repository details",
+      "live runtime bindings",
+      "numeric platform IDs",
+      "host paths/secrets"
+    ]
+  },
+  "egress_policy": "private client-project data must not appear in repo fixtures, generated prompts/configs, logs, public/terminal surfaces, or fallback summaries",
+  "expected_result": "fail validation with deterministic client-project-boundary error; include field/path, never raw private value",
+  "negative_cases": [
+    {
+      "id": "client_internal_context_in_generated_config",
+      "surface": "generated_config",
+      "failure_mode": "client_internal_context appears in generated runtime config",
+      "expected": "fail"
+    },
+    {
+      "id": "unauthorized_fallback_summary",
+      "surface": "fallback_summary",
+      "failure_mode": "client-project details are summarized to an unauthorized domain agent through fallback",
+      "expected": "fail"
+    }
+  ],
+  "artifact": {
+    "generated_config": {
+      "client_context_path": "C:\\private\\client\\runtime.json"
+    },
+    "fallback_summary": "credential: synthetic-secret-token"
+  }
+}

packages/core/fixtures/manifest-boundaries/core-neutral.valid.json

@@ -0,0 +1,37 @@
+{
+  "owner": "public-fixture-suite",
+  "boundary_class": "core-neutral",
+  "threat": "public repo fixtures accidentally include private or live operational identifiers",
+  "surfaces": [
+    "repo_fixture",
+    "generated_prompt",
+    "generated_config",
+    "ci_log"
+  ],
+  "data_boundary": {
+    "forbidden": [
+      "live platform IDs",
+      "host paths",
+      "token-shaped strings",
+      "local deployment identifiers"
+    ]
+  },
+  "egress_policy": "repo fixtures and CI output must remain synthetic and runtime-neutral",
+  "expected_result": "pass when fixture and generated artifact contain only synthetic runtime-neutral data",
+  "negative_cases": [
+    {
+      "id": "public_fixture_contains_live_identifier",
+      "surface": "repo_fixture",
+      "failure_mode": "fixture contains live identifier, host path, token-shaped string, or local deployment identifier",
+      "expected": "fail"
+    }
+  ],
+  "artifact": {
+    "schema": "agent-manifest/v0",
+    "owner": "public-fixture-suite",
+    "generated_config": {
+      "transport": "runtime-neutral",
+      "route": "synthetic-example"
+    }
+  }
+}

packages/core/fixtures/manifest-boundaries/development-agent-boundary.expected-fail.json

@@ -0,0 +1,49 @@
+{
+  "owner": "synthetic-development-agent-domain",
+  "boundary_class": "development-agent-boundary",
+  "threat": "development-agent runtime details, routing metadata, or local workspace state leak into publishable manifest artifacts",
+  "surfaces": [
+    "generated_prompt",
+    "generated_config",
+    "repo_artifact",
+    "audit_log",
+    "public_channel",
+    "terminal_adapter",
+    "fallback_summary"
+  ],
+  "data_boundary": {
+    "forbidden": [
+      "runtime-specific agent names",
+      "routing metadata",
+      "local workspace paths",
+      "live terminal/session identifiers",
+      "numeric platform IDs",
+      "host paths",
+      "secrets"
+    ]
+  },
+  "egress_policy": "development-agent manifests must stay runtime-neutral and must not expose local routing, workspace, terminal, or live-operation details",
+  "expected_result": "fail validation with deterministic development-agent-boundary error; include field/path, never raw private value",
+  "negative_cases": [
+    {
+      "id": "local_workspace_path_in_generated_config",
+      "surface": "generated_config",
+      "failure_mode": "local workspace path appears in generated runtime config",
+      "expected": "fail"
+    },
+    {
+      "id": "live_route_identifier_in_audit_log",
+      "surface": "audit_log",
+      "failure_mode": "live route or platform identifier appears in audit log",
+      "expected": "fail"
+    }
+  ],
+  "artifact": {
+    "generated_config": {
+      "workspace_root": "/private/workspace/development-agent"
+    },
+    "audit_log": {
+      "route_marker": "synthetic-live-route"
+    }
+  }
+}

packages/core/fixtures/manifest-boundaries/private-assistant-boundary.expected-fail.json

@@ -0,0 +1,45 @@
+{
+  "owner": "synthetic-private-assistant-domain",
+  "boundary_class": "private-assistant-boundary",
+  "threat": "private assistant persona, memory, or personal context leaks into publishable manifest artifacts or runtime outputs",
+  "surfaces": [
+    "generated_prompt",
+    "generated_config",
+    "repo_artifact",
+    "audit_log",
+    "public_channel",
+    "terminal_adapter",
+    "fallback_summary"
+  ],
+  "data_boundary": {
+    "forbidden": [
+      "private assistant memory",
+      "persona-private context",
+      "personal relationship context",
+      "live runtime bindings",
+      "numeric platform IDs",
+      "host paths",
+      "secrets"
+    ]
+  },
+  "egress_policy": "private assistant data must not appear in repo fixtures, generated prompts/configs, logs, public/terminal surfaces, or fallback summaries",
+  "expected_result": "fail validation with deterministic private-assistant-boundary error; include field/path, never raw private value",
+  "negative_cases": [
+    {
+      "id": "private_assistant_memory_in_generated_prompt",
+      "surface": "generated_prompt",
+      "failure_mode": "private assistant memory appears in a generated prompt",
+      "expected": "fail"
+    },
+    {
+      "id": "persona_context_in_fallback_summary",
+      "surface": "fallback_summary",
+      "failure_mode": "persona-private context is summarized into an unauthorized fallback surface",
+      "expected": "fail"
+    }
+  ],
+  "artifact": {
+    "generated_prompt": "load assistant context from /private/assistant/memory",
+    "fallback_summary": "private_key: synthetic-secret-token"
+  }
+}

packages/core/fixtures/manifest-boundaries/sensitive-business-domain-boundary.expected-fail.json

@@ -0,0 +1,45 @@
+{
+  "owner": "synthetic-business-domain",
+  "boundary_class": "sensitive-business-domain-boundary",
+  "threat": "sensitive business context leaks into generated runtime artifacts or audit outputs",
+  "surfaces": [
+    "generated_prompt",
+    "generated_config",
+    "public_channel",
+    "terminal_adapter",
+    "audit_log",
+    "fallback_summary"
+  ],
+  "data_boundary": {
+    "forbidden": [
+      "private_business_memory",
+      "raw business context",
+      "live runtime bindings",
+      "numeric platform IDs",
+      "host paths",
+      "secrets"
+    ]
+  },
+  "egress_policy": "private business data must not appear in generated prompts/configs, logs, public channels, terminal adapters, or fallback summaries",
+  "expected_result": "fail validation with deterministic sensitive-business-domain-boundary error; include field/path, never raw private value",
+  "negative_cases": [
+    {
+      "id": "sensitive_business_memory_in_generated_prompt",
+      "surface": "generated_prompt",
+      "failure_mode": "private_business_memory appears in generated prompt",
+      "expected": "fail"
+    },
+    {
+      "id": "raw_business_context_in_audit_log",
+      "surface": "audit_log",
+      "failure_mode": "raw private business context appears in audit log instead of sanitized reason code",
+      "expected": "fail"
+    }
+  ],
+  "artifact": {
+    "generated_prompt": "load context from /private/business/context",
+    "audit_log": {
+      "reason": "live-secret-token"
+    }
+  }
+}

packages/core/fixtures/manifest-boundaries/staff-community-boundary.expected-fail.json

@@ -0,0 +1,50 @@
+{
+  "owner": "synthetic-staff-community-domain",
+  "boundary_class": "staff-community-boundary",
+  "threat": "staff or community operational context leaks into publishable manifest artifacts, generated runtime config, audit output, or fallback summaries",
+  "surfaces": [
+    "generated_prompt",
+    "generated_config",
+    "repo_artifact",
+    "audit_log",
+    "public_channel",
+    "terminal_adapter",
+    "fallback_summary"
+  ],
+  "data_boundary": {
+    "forbidden": [
+      "real community names",
+      "staff structure",
+      "organization-internal roles",
+      "ownership details",
+      "runtime topology",
+      "numeric platform IDs",
+      "host paths",
+      "secrets"
+    ]
+  },
+  "egress_policy": "staff/community data must be synthetic only and must not expose real community, staff, organization, runtime, ownership, routing, ID, path, topology, transcript, or log details",
+  "expected_result": "fail validation with deterministic staff-community-boundary error; include field/path, never raw private value",
+  "negative_cases": [
+    {
+      "id": "staff_context_in_repo_artifact",
+      "surface": "repo_artifact",
+      "failure_mode": "staff/community context appears in a repo-facing artifact",
+      "expected": "fail"
+    },
+    {
+      "id": "community_runtime_id_in_generated_config",
+      "surface": "generated_config",
+      "failure_mode": "community runtime identifier appears in generated config",
+      "expected": "fail"
+    }
+  ],
+  "artifact": {
+    "repo_artifact": {
+      "notes": "load staff context from /private/community/staff"
+    },
+    "generated_config": {
+      "community_route_marker": "synthetic-live-route"
+    }
+  }
+}

packages/core/package.json

@@ -5,13 +5,15 @@
   "type": "module",
   "description": "Runtime-agnostic Agent Mesh policy, task-turn, run-scope, and replay-control primitives.",
   "scripts": {
-    "build": "node --check src/policy.js",
-    "test": "node --test"
+    "build": "node --check src/policy.js && node --check src/manifest.js",
+    "test": "node --test",
+    "manifest:fixtures": "node scripts/verify-manifest-fixtures.mjs"
   },
   "main": "./src/policy.js",
   "exports": {
     ".": "./src/policy.js",
-    "./policy": "./src/policy.js"
+    "./policy": "./src/policy.js",
+    "./manifest": "./src/manifest.js"
   },
   "files": [
     "src",

packages/core/scripts/verify-manifest-fixtures.mjs

@@ -0,0 +1,47 @@
+import { readdir, readFile } from "node:fs/promises";
+import path from "node:path";
+import process from "node:process";
+
+import {
+  runManifestBoundaryFixture,
+  validateManifestBoundaryFixture,
+  validateRequiredFixtureClasses
+} from "../src/manifest.js";
+
+const fixtureDir = path.resolve(import.meta.dirname, "../fixtures/manifest-boundaries");
+const entries = (await readdir(fixtureDir)).filter((entry) => entry.endsWith(".json")).sort();
+const fixtures = [];
+const failures = [];
+
+for (const entry of entries) {
+  const fixture = JSON.parse(await readFile(path.join(fixtureDir, entry), "utf8"));
+  fixtures.push(fixture);
+
+  const schemaResult = validateManifestBoundaryFixture(fixture);
+  if (!schemaResult.ok) {
+    failures.push({ file: entry, phase: "schema", issues: schemaResult.issues });
+    continue;
+  }
+
+  const artifact = fixture.artifact ?? {};
+  const runResult = runManifestBoundaryFixture(fixture, artifact);
+  if (entry.endsWith(".expected-fail.json")) {
+    if (runResult.ok) {
+      failures.push({ file: entry, phase: "expected-fail", issues: [{ message: "fixture artifact unexpectedly passed" }] });
+    }
+  } else if (!runResult.ok) {
+    failures.push({ file: entry, phase: "run", issues: runResult.issues });
+  }
+}
+
+const requiredResult = validateRequiredFixtureClasses(fixtures);
+if (!requiredResult.ok) {
+  failures.push({ file: "<fixture-set>", phase: "required-classes", issues: requiredResult.issues });
+}
+
+if (failures.length) {
+  console.error(JSON.stringify({ ok: false, failures }, null, 2));
+  process.exitCode = 1;
+} else {
+  console.log(JSON.stringify({ ok: true, fixtures: entries }, null, 2));
+}