Context
Secure Host Interfaces need conformance tests at the workstation boundary.
The host interface layer connects local terminal, browser, editor, and agent tool surfaces to an internal Podman-backed Agent Machine. This needs deterministic contracts and receipts, not just implementation code.
workstation-contracts already defines workstation/CI contracts, IPC v0 reference harnesses, deterministic transcripts, and run receipts. It is the right conformance home for host-interface adapter behavior.
Scope
Add workstation contract fixtures for:
- terminal PTY attach envelope
- browser broker request/response envelope
- editor broker request/response envelope
- agent tool broker envelope for OpenCLAW/OpenClaw and Hermes
- deny-by-default cases
- grant expiration and revocation cases
- evidence receipt shape
Acceptance criteria
- Schemas or fixtures validate with existing repo validation flow.
- IPC transcript examples show broker handshake and capability negotiation.
- Receipts include workspace id, interface kind, policy hash, grant id, denial/allow result, and redaction summary.
- No production runner implementation added here.
- No secrets or local machine paths committed.
Non-goals
- Do not implement the production broker.
- Do not vendor VS Code, browser-use, OpenCLAW, or Hermes code.
- Do not define SourceOS canonical schemas here if they belong in
sourceos-spec.
Context
Secure Host Interfaces need conformance tests at the workstation boundary.
The host interface layer connects local terminal, browser, editor, and agent tool surfaces to an internal Podman-backed Agent Machine. This needs deterministic contracts and receipts, not just implementation code.
workstation-contractsalready defines workstation/CI contracts, IPC v0 reference harnesses, deterministic transcripts, and run receipts. It is the right conformance home for host-interface adapter behavior.Scope
Add workstation contract fixtures for:
Acceptance criteria
Non-goals
sourceos-spec.