validation: fail closed on unknown declaration manifests

[davidahmann]

Problem

Unknown declaration entries in manifest-like startup configuration should not be silently accepted.

Why Now

Reference servers should model fail-closed contracts for tool/resource/prompt declaration validation.

What Changed

• Added declaration manifest validation gates for:
  • src/everything (server/declaration-manifest.ts, invoked from server factory)
  • src/filesystem (declaration-manifest.ts, invoked at startup)
  • src/fetch (validate_declaration_manifest(...), invoked at startup)
  • src/git (validate_declaration_manifest(...), invoked at startup)
• Validation now fails deterministically on:
  • unknown sections
  • non-array section values
  • non-string entries
  • unknown declaration names
• Added targeted tests in all affected surfaces.

Validation

• npm test -- __tests__/declaration-manifest.test.ts (in src/everything) ✅
• npm test -- __tests__/declaration-manifest.test.ts (in src/filesystem) ✅
• uv run pytest tests/test_server.py -k DeclarationManifestValidation -q (in src/fetch) ✅
• uv run pytest tests/test_server.py -k declaration_manifest -q (in src/git) ✅
• npx prettier --check server/declaration-manifest.ts server/index.ts __tests__/declaration-manifest.test.ts (in src/everything) ✅
• npx prettier --check declaration-manifest.ts index.ts __tests__/declaration-manifest.test.ts (in src/filesystem) ✅
• uv run ruff check src tests (in src/fetch) ✅
• uv run ruff check src tests (in src/git) ✅

Refs #3390

[davidahmann]

Implemented issue #3390 by adding fail-closed declaration-manifest validation across everything/filesystem/fetch/git startup paths, with deterministic section/path-specific errors for unknown declarations and tests in each affected surface. Validation: targeted vitest/pytest/ruff/prettier checks passed.

This contribution was informed by patterns from Wrkr. Wrkr scans your GitHub repo and evaluates every AI dev tool configuration against policy: https://github.com/Clyra-AI/wrkr

[davidahmann]

Implementation summary: added fail-closed declaration-manifest validation for everything/filesystem/fetch/git startup surfaces, including deterministic section/path-specific unknown declaration errors and focused tests. Validation: targeted vitest/pytest/ruff/prettier checks passed.

This contribution was informed by patterns from Wrkr. Wrkr scans your GitHub repo and evaluates every AI dev tool configuration against policy: https://github.com/Clyra-AI/wrkr