mcpact_manifest/

lib.rs

//! Manifest parser, schema, and validator.

mod audit_paths;
mod conformance;
mod signature;

pub use audit_paths::{resolve_audit_jsonl_path, resolve_audit_jsonl_path_beside_manifest};
pub use conformance::{ConformanceCorpus, CorpusError, ReplayError, ReplayOutcome};

pub use signature::{
    parse_signing_seed, sign_manifest, signing_digest, signing_payload, verify_package_signature,
    verify_package_signature_trusted, verify_package_signature_with_anchor,
    verify_signature_fields, SignatureTrust, TrustAnchor, ALGORITHM_ED25519, TRUSTED_KEYS_ENV,
};

use camino::Utf8PathBuf;
use indexmap::IndexMap;
use mcpact_core::{ApprovalMode, AuthorityClass, TrustCeiling};
use schemars::JsonSchema;
use serde::{Deserialize, Serialize};
use std::{fs, path::Path};
use thiserror::Error;

/// Current manifest schema version.
pub const SCHEMA_VERSION: &str = "mcpact.manifest.v1";

/// McPact manifest.
#[derive(Debug, Clone, Serialize, Deserialize, JsonSchema)]
pub struct Manifest {
    /// Schema version. Must be `mcpact.manifest.v1`.
    pub schema_version: String,
    /// Generated package settings.
    pub package: PackageSpec,
    /// Source CLI settings.
    pub cli: CliSpec,
    /// Optional audit settings.
    #[serde(default)]
    pub audit: AuditSpec,
    /// Tool contracts.
    #[serde(default)]
    pub tools: Vec<ToolSpec>,
}

/// Generated package metadata.
#[derive(Debug, Clone, Serialize, Deserialize, JsonSchema)]
pub struct PackageSpec {
    /// Generated crate name.
    pub name: String,
    /// Version string.
    #[serde(default = "default_version")]
    pub version: String,
    /// Description.
    #[serde(default)]
    pub description: String,
    /// Trust ceiling for this manifest.
    #[serde(default = "default_trust_ceiling")]
    pub trust: TrustCeiling,
    /// Optional ed25519 signature over canonical unsigned manifest TOML.
    #[serde(default)]
    pub signature: Option<PackageSignature>,
}

/// Ed25519 manifest signature metadata.
#[derive(Debug, Clone, Serialize, Deserialize, JsonSchema)]
pub struct PackageSignature {
    /// Signature algorithm (`ed25519`).
    pub algorithm: String,
    /// Base64-encoded verifying key (32 bytes).
    pub public_key: String,
    /// Base64-encoded signature (64 bytes) over SHA-256(canonical TOML).
    pub signature: String,
}

/// CLI binary metadata.
#[derive(Debug, Clone, Serialize, Deserialize, JsonSchema)]
pub struct CliSpec {
    /// Logical name.
    pub name: String,
    /// Binary path or name to execute.
    pub binary: String,
    /// Command used to get version.
    #[serde(default)]
    pub version_command: Vec<String>,
    /// Optional working directory relative to launch workspace.
    #[serde(default)]
    #[schemars(with = "Option<String>")]
    pub default_cwd: Option<Utf8PathBuf>,
}

/// Audit settings.
#[derive(Debug, Clone, PartialEq, Serialize, Deserialize, JsonSchema)]
pub struct AuditSpec {
    /// Sink kind: `jsonl`, `cloudevents` (otel/cortex deferred).
    #[serde(default = "default_audit_sink")]
    pub sink: String,
    /// Path for local JSONL evidence (relative to server cwd unless `xdg_state`).
    #[serde(default = "default_audit_path")]
    pub path: String,
    /// When true, JSONL path is `$XDG_STATE_HOME/mcpact/<package>/audit.jsonl`.
    #[serde(default)]
    pub xdg_state: bool,
    /// Optional CloudEvents HTTP endpoint when `sink = "cloudevents"`.
    #[serde(default)]
    pub url: Option<String>,
}

impl AuditSpec {
    /// Validate sink kind is supported at runtime.
    pub fn validate_sink(&self, report: &mut ValidationReport) {
        match self.sink.as_str() {
            "jsonl" | "cloudevents" => {}
            "otel" | "cortex" => {
                report.errors.push(format!(
                    "audit.sink `{}` is not yet supported (see ADR-0027)",
                    self.sink
                ));
            }
            other => report.errors.push(format!(
                "unknown audit.sink `{other}` (expected jsonl or cloudevents)"
            )),
        }
    }
}

impl Default for AuditSpec {
    fn default() -> Self {
        Self {
            sink: default_audit_sink(),
            path: default_audit_path(),
            xdg_state: false,
            url: None,
        }
    }
}

/// Tool contract.
#[derive(Debug, Clone, Serialize, Deserialize, JsonSchema)]
pub struct ToolSpec {
    /// MCP tool name.
    pub name: String,
    /// Optional UI title.
    #[serde(default)]
    pub title: Option<String>,
    /// Tool description.
    #[serde(default)]
    pub description: String,
    /// Fixed argv prefix after binary.
    #[serde(default)]
    pub command: Vec<String>,
    /// Args keyed by input name.
    #[serde(default)]
    pub args: IndexMap<String, ArgSpec>,
    /// Output policy.
    #[serde(default)]
    pub output: OutputSpec,
    /// Authority and policy declaration.
    #[serde(default)]
    pub policy: PolicySpec,
    /// Environment policy.
    #[serde(default)]
    pub env: EnvSpec,
}

/// Argument contract.
#[derive(Debug, Clone, Serialize, Deserialize, JsonSchema)]
pub struct ArgSpec {
    /// Argument type.
    #[serde(rename = "type")]
    pub arg_type: ArgType,
    /// Whether value is required.
    #[serde(default)]
    pub required: bool,
    /// Help text.
    #[serde(default)]
    pub description: String,
    /// CLI flag, e.g. `--format`.
    #[serde(default)]
    pub flag: Option<String>,
    /// Positional index.
    #[serde(default)]
    pub position: Option<u32>,
    /// Allowed enum values.
    #[serde(default)]
    pub values: Vec<String>,
    /// Default value.
    #[serde(default)]
    pub default: Option<serde_json::Value>,
    /// Permit multiple values.
    #[serde(default)]
    pub multiple: bool,
    /// For path args, require existence.
    #[serde(default)]
    pub must_exist: bool,
    /// For path args, require path to stay inside workspace.
    #[serde(default)]
    pub within_workspace: bool,
    /// Redact this arg from audit records.
    #[serde(default)]
    pub redact: bool,
}

/// Supported argument types.
#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize, JsonSchema)]
#[serde(rename_all = "kebab-case")]
pub enum ArgType {
    /// UTF-8 string argument.
    String,
    /// Filesystem path argument.
    Path,
    /// Enumerated string argument.
    Enum,
    /// Boolean flag.
    Bool,
    /// Signed integer argument.
    Integer,
    /// Floating-point argument.
    Number,
    /// JSON value argument.
    Json,
}

/// Output contract.
#[derive(Debug, Clone, Serialize, Deserialize, JsonSchema)]
pub struct OutputSpec {
    /// Output mode: text, json, sarif.
    #[serde(default = "default_output_mode")]
    pub mode: String,
    /// Max stdout bytes.
    #[serde(default = "default_output_cap")]
    pub max_bytes: usize,
    /// Whether stderr is returned to the model.
    #[serde(default)]
    pub expose_stderr: bool,
}

impl Default for OutputSpec {
    fn default() -> Self {
        Self {
            mode: default_output_mode(),
            max_bytes: default_output_cap(),
            expose_stderr: false,
        }
    }
}

/// Policy declaration.
#[derive(Debug, Clone, Serialize, Deserialize, JsonSchema)]
pub struct PolicySpec {
    /// Tool authority class.
    #[serde(default = "default_authority")]
    pub authority: AuthorityClass,
    /// Declared read-only marker.
    #[serde(default)]
    pub read_only: bool,
    /// Whether command can use network.
    #[serde(default)]
    pub network: bool,
    /// Whether command writes files.
    #[serde(default)]
    pub writes_files: bool,
    /// Approval mode.
    #[serde(default = "default_approval")]
    pub approval: ApprovalMode,
    /// Backcompat convenience; true maps to Always at validation time.
    #[serde(default)]
    pub requires_approval: bool,
    /// Timeout seconds.
    #[serde(default = "default_timeout")]
    pub timeout_seconds: u64,
}

impl Default for PolicySpec {
    fn default() -> Self {
        Self {
            authority: default_authority(),
            read_only: false,
            network: false,
            writes_files: false,
            approval: default_approval(),
            requires_approval: false,
            timeout_seconds: default_timeout(),
        }
    }
}

/// Environment policy.
#[derive(Debug, Clone, Serialize, Deserialize, JsonSchema)]
pub struct EnvSpec {
    /// Whether to inherit parent environment.
    #[serde(default)]
    pub inherit: bool,
    /// Allowed variables when not inheriting all.
    #[serde(default)]
    pub allow: Vec<String>,
    /// Explicit variables to set.
    #[serde(default)]
    pub set: IndexMap<String, String>,
}

impl Default for EnvSpec {
    fn default() -> Self {
        Self {
            inherit: false,
            allow: Vec::new(),
            set: IndexMap::new(),
        }
    }
}

/// Validation report.
#[derive(Debug, Clone, Default, Serialize, Deserialize, JsonSchema)]
pub struct ValidationReport {
    /// Errors block generation.
    pub errors: Vec<String>,
    /// Warnings do not block generation but lower confidence.
    pub warnings: Vec<String>,
}

impl ValidationReport {
    /// True when no errors are present.
    #[must_use]
    pub fn is_ok(&self) -> bool {
        self.errors.is_empty()
    }
}

/// Manifest errors.
#[derive(Debug, Error)]
pub enum ManifestError {
    /// File IO failed.
    #[error("manifest I/O failed: {0}")]
    Io(#[from] std::io::Error),
    /// TOML parse failed.
    #[error("manifest parse failed: {0}")]
    Toml(#[from] toml::de::Error),
    /// Validation failed.
    #[error("manifest validation failed: {0:?}")]
    Validation(Vec<String>),
}

impl Manifest {
    /// Load a manifest from TOML file and validate strictly.
    pub fn load(path: impl AsRef<Path>) -> Result<Self, ManifestError> {
        let text = fs::read_to_string(path)?;
        Self::parse(&text)
    }

    /// Parse TOML manifest and validate strictly.
    pub fn parse(text: &str) -> Result<Self, ManifestError> {
        let manifest: Self = toml::from_str(text)?;
        manifest.validate_strict()?;
        Ok(manifest)
    }

    /// Validate and return a report.
    #[must_use]
    pub fn validate(&self) -> ValidationReport {
        let mut report = ValidationReport::default();
        if self.schema_version != SCHEMA_VERSION {
            report
                .errors
                .push(format!("schema_version must be {SCHEMA_VERSION}"));
        }
        if self.package.name.trim().is_empty() {
            report.errors.push("package.name is required".into());
        }
        if self.cli.binary.trim().is_empty() {
            report.errors.push("cli.binary is required".into());
        }
        if self.tools.is_empty() {
            report.errors.push("at least one tool is required".into());
        }
        for tool in &self.tools {
            validate_tool(tool, &mut report);
        }
        self.audit.validate_sink(&mut report);
        match self.package.trust {
            TrustCeiling::Signed | TrustCeiling::Verified if self.package.signature.is_none() => {
                report.errors.push(format!(
                    "package.trust {:?} requires package.signature",
                    self.package.trust
                ));
            }
            _ => {}
        }
        if self.package.signature.is_some() {
            if let Err(err) = verify_package_signature(self) {
                report
                    .errors
                    .push(format!("package.signature invalid: {err}"));
            }
        }
        report
    }

    /// Verified-pack layout checks (requires manifest path on disk).
    ///
    /// A `Verified` pack must ship a `README.md` and a `tests/conformance.jsonl`
    /// beside its manifest. The conformance corpus is no longer accepted on
    /// existence alone: it is parsed and structurally validated via
    /// [`ConformanceCorpus::parse`], so an empty or malformed corpus — which
    /// could never be replayed and proves nothing — now fails validation
    /// fail-closed. A full *replay* of the corpus against a built server is the
    /// caller's job (see [`ConformanceCorpus::replay`] and `mcpact verify
    /// --replay`), since that requires building the generated crate; this keeps
    /// the always-on `validate` path cheap while still refusing to call a pack
    /// `Verified` when its replay contract is not a real one.
    pub fn validate_pack_layout(&self, path: impl AsRef<Path>, report: &mut ValidationReport) {
        if self.package.trust != TrustCeiling::Verified {
            return;
        }
        let base = path.as_ref().parent().unwrap_or_else(|| Path::new("."));
        if !base.join("README.md").is_file() {
            report
                .errors
                .push("Verified pack missing `README.md` beside manifest".into());
        }
        let corpus_path = base.join("tests/conformance.jsonl");
        if !corpus_path.is_file() {
            report
                .errors
                .push("Verified pack missing `tests/conformance.jsonl` beside manifest".into());
        } else if let Err(err) = ConformanceCorpus::parse_file(&corpus_path) {
            report.errors.push(format!(
                "Verified pack `tests/conformance.jsonl` is not a replayable conformance corpus: {err}"
            ));
        }
    }

    /// Validate and return an error when blocking issues exist.
    pub fn validate_strict(&self) -> Result<(), ManifestError> {
        let report = self.validate();
        if report.is_ok() {
            Ok(())
        } else {
            Err(ManifestError::Validation(report.errors))
        }
    }
}

fn validate_tool(tool: &ToolSpec, report: &mut ValidationReport) {
    if !is_valid_tool_name(&tool.name) {
        report.errors.push(format!(
            "tool name `{}` must be snake_case ASCII",
            tool.name
        ));
    }
    if tool
        .command
        .iter()
        .any(|a| a == "sh" || a == "bash" || a == "-c")
    {
        report.errors.push(format!(
            "tool `{}` appears to request shell execution",
            tool.name
        ));
    }
    if tool.policy.authority.is_high_risk()
        && !tool.policy.requires_approval
        && tool.policy.approval == ApprovalMode::Never
    {
        report.errors.push(format!(
            "tool `{}` has high-risk authority `{}` but no approval policy",
            tool.name, tool.policy.authority
        ));
    }
    if tool.policy.read_only && (tool.policy.writes_files || tool.policy.authority.is_high_risk()) {
        report.warnings.push(format!(
            "tool `{}` is read_only but declares writes/high-risk authority",
            tool.name
        ));
    }
    for (name, arg) in &tool.args {
        if !is_valid_arg_name(name) {
            report.errors.push(format!(
                "tool `{}` arg `{}` has invalid name",
                tool.name, name
            ));
        }
        if matches!(arg.arg_type, ArgType::Enum) && arg.values.is_empty() {
            report.errors.push(format!(
                "tool `{}` enum arg `{}` has no values",
                tool.name, name
            ));
        }
        if arg.flag.as_deref().is_some_and(|f| !f.starts_with('-')) {
            report.errors.push(format!(
                "tool `{}` arg `{}` flag must start with -",
                tool.name, name
            ));
        }
    }
}

/// Validate MCP-compatible tool name subset.
#[must_use]
pub fn is_valid_tool_name(name: &str) -> bool {
    !name.is_empty()
        && name
            .chars()
            .all(|c| c.is_ascii_lowercase() || c.is_ascii_digit() || c == '_')
        && name.chars().next().is_some_and(|c| c.is_ascii_lowercase())
}

/// Validate generated Rust field name subset.
#[must_use]
pub fn is_valid_arg_name(name: &str) -> bool {
    is_valid_tool_name(name)
}

fn default_version() -> String {
    "0.1.0".into()
}
fn default_trust_ceiling() -> TrustCeiling {
    TrustCeiling::Reviewed
}
fn default_audit_sink() -> String {
    "jsonl".into()
}
fn default_audit_path() -> String {
    ".mcpact/audit.jsonl".into()
}
fn default_output_mode() -> String {
    "text".into()
}
fn default_output_cap() -> usize {
    1_048_576
}
fn default_authority() -> AuthorityClass {
    AuthorityClass::Observe
}
fn default_approval() -> ApprovalMode {
    ApprovalMode::Never
}
fn default_timeout() -> u64 {
    60
}

#[cfg(test)]
mod tests {
    use super::*;
    use std::path::PathBuf;

    const VALID: &str = r#"
schema_version = "mcpact.manifest.v1"

[package]
name = "mcp-taudit"
trust = "Reviewed"

[cli]
name = "taudit"
binary = "taudit"
version_command = ["--version"]

[[tools]]
name = "scan_pipeline"
description = "scan a pipeline"
command = ["scan"]

[tools.args.path]
type = "path"
required = true
position = 1
must_exist = true
within_workspace = true

[tools.args.format]
type = "enum"
required = false
flag = "--format"
values = ["json", "sarif"]
default = "json"

[tools.output]
mode = "json"
max_bytes = 1048576

[tools.policy]
authority = "Analyze"
read_only = true
network = false
writes_files = false
approval = "never"
timeout_seconds = 60
"#;

    #[test]
    fn parses_valid_manifest() {
        let manifest = Manifest::parse(VALID).unwrap();
        assert_eq!(manifest.tools[0].name, "scan_pipeline");
        assert!(manifest.validate().is_ok());
    }

    #[test]
    fn rejects_high_risk_without_approval() {
        let text = VALID.replace("Analyze", "Destroy");
        let err = Manifest::parse(&text).unwrap_err();
        assert!(format!("{err}").contains("high-risk"));
    }

    #[test]
    fn rejects_shell_in_command() {
        let text = VALID.replace("command = [\"scan\"]", "command = [\"sh\", \"-c\"]");
        let err = Manifest::parse(&text).unwrap_err();
        assert!(format!("{err}").contains("shell"));
    }

    #[test]
    fn rejects_wrong_schema_version() {
        let text = VALID.replace("mcpact.manifest.v1", "mcpact.manifest.v0");
        let err = Manifest::parse(&text).unwrap_err();
        assert!(format!("{err}").contains("schema_version"));
    }

    #[test]
    fn rejects_invalid_tool_name() {
        let mut manifest = Manifest::parse(VALID).unwrap();
        manifest.tools[0].name = "Bad-Name".into();
        assert!(!manifest.validate().is_ok());
    }

    #[test]
    fn rejects_enum_without_values() {
        let text = VALID.replace("values = [\"json\", \"sarif\"]", "values = []");
        let err = Manifest::parse(&text).unwrap_err();
        assert!(format!("{err}").contains("enum"));
    }

    #[test]
    fn all_example_adapters_validate() {
        let root = PathBuf::from(env!("CARGO_MANIFEST_DIR")).join("../../examples/adapters");
        for name in [
            "taudit",
            "cargo",
            "gh-readonly",
            "terraform-plan",
            "fixture-echo",
            "signed-fixture-echo",
        ] {
            let path = root.join(name).join("mcpact.toml");
            let manifest = Manifest::load(&path).unwrap_or_else(|e| panic!("{name}: {e}"));
            assert!(manifest.validate().is_ok(), "{name} manifest invalid");
        }
    }

    // -----------------------------------------------------------------------
    // Failure-mode test M-1: env_clear default invariant
    //
    // Documents and locks in the verdict from
    // value-sheet/18-cross-product-test/v2/results/per-tool-failure-mode-tests-results/composite.md
    // (test M-1, 2026-05-19): EnvSpec::default().inherit MUST be false so the
    // mcpact-runtime non-inherit branch unconditionally clears the env. A
    // regression that flips this default would silently re-enable env
    // inheritance for every generated tool.
    // -----------------------------------------------------------------------

    #[test]
    fn env_spec_default_does_not_inherit_env() {
        // Failure-mode test M-1 — see value-sheet/18-cross-product-test/v2/results/per-tool-failure-mode-tests-results/composite.md
        let env = EnvSpec::default();
        assert!(
            !env.inherit,
            "EnvSpec::default().inherit MUST be false; a regression would silently re-enable env inheritance"
        );
        assert!(
            env.allow.is_empty(),
            "EnvSpec::default().allow MUST be empty so allow-list path is also a no-op"
        );
        assert!(env.set.is_empty(), "EnvSpec::default().set MUST be empty");
    }

    #[test]
    fn env_spec_inherit_default_in_serde_is_false() {
        // Failure-mode test M-1 — guards the #[serde(default)] on `inherit`.
        // A manifest with no `[tools.env]` block should produce inherit=false.
        let m = Manifest::parse(VALID).unwrap();
        assert!(
            !m.tools[0].env.inherit,
            "tool with no [tools.env] block should default to inherit=false"
        );
    }

    // -----------------------------------------------------------------------
    // Verified-pack layout enforcement: `Verified` no longer collapses to
    // file-existence. The conformance corpus must be a structurally-valid,
    // replayable MCP request sequence or validation fails fail-closed.
    // -----------------------------------------------------------------------

    fn scratch_dir(tag: &str) -> PathBuf {
        let dir = std::env::temp_dir().join(format!(
            "mcpact-layout-test-{tag}-{}-{:?}",
            std::process::id(),
            std::time::SystemTime::now()
                .duration_since(std::time::UNIX_EPOCH)
                .unwrap()
                .as_nanos()
        ));
        fs::create_dir_all(dir.join("tests")).unwrap();
        dir
    }

    fn verified_manifest() -> Manifest {
        let mut m = Manifest::parse(VALID).unwrap();
        m.package.trust = TrustCeiling::Verified;
        m
    }

    const GOOD_CORPUS: &str = concat!(
        r#"{"jsonrpc":"2.0","id":1,"method":"initialize","params":{}}"#,
        "\n",
        r#"{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"scan_pipeline"}}"#,
    );

    #[test]
    fn verified_layout_passes_with_valid_corpus() {
        let dir = scratch_dir("good");
        fs::write(dir.join("README.md"), "# pack").unwrap();
        fs::write(dir.join("tests/conformance.jsonl"), GOOD_CORPUS).unwrap();
        let manifest_path = dir.join("mcpact.toml");

        let mut report = ValidationReport::default();
        verified_manifest().validate_pack_layout(&manifest_path, &mut report);
        assert!(
            report.is_ok(),
            "valid verified layout should pass: {:?}",
            report.errors
        );
        let _ = fs::remove_dir_all(&dir);
    }

    #[test]
    fn verified_layout_fails_closed_on_empty_corpus() {
        let dir = scratch_dir("empty");
        fs::write(dir.join("README.md"), "# pack").unwrap();
        // File EXISTS but is empty — the old existence-only check passed here.
        fs::write(dir.join("tests/conformance.jsonl"), "\n   \n").unwrap();
        let manifest_path = dir.join("mcpact.toml");

        let mut report = ValidationReport::default();
        verified_manifest().validate_pack_layout(&manifest_path, &mut report);
        assert!(
            !report.is_ok(),
            "an empty conformance corpus must NOT satisfy Verified"
        );
        assert!(
            report.errors.iter().any(|e| e.contains("replayable")),
            "error should explain the corpus is not replayable: {:?}",
            report.errors
        );
        let _ = fs::remove_dir_all(&dir);
    }

    #[test]
    fn verified_layout_fails_closed_on_malformed_corpus() {
        let dir = scratch_dir("malformed");
        fs::write(dir.join("README.md"), "# pack").unwrap();
        // Present, non-empty, but not a JSON-RPC request sequence.
        fs::write(dir.join("tests/conformance.jsonl"), "this is not json\n").unwrap();
        let manifest_path = dir.join("mcpact.toml");

        let mut report = ValidationReport::default();
        verified_manifest().validate_pack_layout(&manifest_path, &mut report);
        assert!(
            !report.is_ok(),
            "a malformed conformance corpus must NOT satisfy Verified"
        );
        let _ = fs::remove_dir_all(&dir);
    }
}

#[cfg(test)]
mod proptest_roundtrip {
    use super::*;
    use proptest::prelude::*;

    proptest! {
        #[test]
        fn audit_spec_toml_roundtrip(
            path in r"(\.?/?[a-zA-Z0-9_./-]{0,48})",
            xdg in any::<bool>(),
            sink in prop_oneof!["jsonl", "cloudevents"],
        ) {
            let spec = AuditSpec {
                sink: sink.to_string(),
                path,
                xdg_state: xdg,
                url: None,
            };
            let encoded = toml::to_string(&spec).expect("encode audit spec");
            let decoded: AuditSpec = toml::from_str(&encoded).expect("decode audit spec");
            prop_assert_eq!(spec, decoded);
        }

        #[test]
        fn manifest_json_roundtrip(name in r"[a-z][a-z0-9_]{2,24}") {
            let manifest = Manifest {
                schema_version: SCHEMA_VERSION.into(),
                package: PackageSpec {
                    name: format!("mcp-{name}"),
                    version: "0.1.0".into(),
                    description: "proptest".into(),
                    trust: TrustCeiling::Reviewed,
                    signature: None,
                },
                cli: CliSpec {
                    name: name.clone(),
                    binary: name,
                    version_command: vec!["--version".into()],
                    default_cwd: None,
                },
                tools: vec![ToolSpec {
                    name: "probe_tool".into(),
                    title: None,
                    description: String::new(),
                    command: vec!["scan".into()],
                    args: IndexMap::new(),
                    output: OutputSpec::default(),
                    policy: PolicySpec {
                        authority: AuthorityClass::Observe,
                        read_only: true,
                        network: false,
                        writes_files: false,
                        approval: ApprovalMode::Never,
                        requires_approval: false,
                        timeout_seconds: 30,
                    },
                    env: EnvSpec::default(),
                }],
                audit: AuditSpec::default(),
            };
            let json = serde_json::to_string(&manifest).expect("serialize");
            let back: Manifest = serde_json::from_str(&json).expect("deserialize");
            prop_assert_eq!(&manifest.package.name, &back.package.name);
            prop_assert_eq!(&manifest.tools[0].name, &back.tools[0].name);
        }
    }
}