@openwop/openwop-conformance 1.0.0 → 1.1.0

package/src/scenarios/production-backpressure.test.ts

@@ -0,0 +1,342 @@
+/**
+ * RFC 0009 §B: production-profile backpressure envelope.
+ *
+ * Verifies that hosts claiming the `openwop-production` profile satisfy
+ * `spec/v1/production-profile.md` §Backpressure:
+ *
+ *   1. `capabilities.production.backpressure.supported: true` is
+ *      advertised when the profile claim is `supported: true`.
+ *   2. When the host advertises an `inflightCap`, the suite saturates
+ *      it with `inflightCap + 1` concurrent long-lived requests and
+ *      asserts the 503 envelope shape: status 503 + `Retry-After`
+ *      header + body `{error: "service_unavailable", message, details:
+ *      {retryAfter: <integer>}}` where `details.retryAfter` equals the
+ *      `Retry-After` header in seconds.
+ *   3. When `retryAfterSeconds` is also advertised, both equal that
+ *      advertised value.
+ *   4. Discovery (`GET /.well-known/openwop`) is exempt from the
+ *      inflight cap (health probes MUST answer even under load).
+ *
+ * Hosts that don't advertise `inflightCap` soft-skip the saturation
+ * step (the envelope assertion only fires if a 503 happens to be
+ * observed via other means). RFC 0009 unresolved question #3 — the
+ * alternative of probing via Little's Law is rejected by default;
+ * inflightCap advertisement is the chosen forcing mechanism.
+ *
+ * **Run with `--no-file-parallelism`** — saturating the host's
+ * inflight cap leaves no headroom for other scenarios that issue
+ * concurrent POSTs (e.g., `idempotencyRetry.test.ts`'s 5-retry burst).
+ * Conformance runs that include this scenario MUST pass `--no-file-
+ * parallelism` to vitest or scope each file to its own worker. The
+ * otel-emission scenario has the same constraint (`conformance/README.md`
+ * line ~69).
+ *
+ * @see RFCS/0009-production-profile-conformance.md §B
+ * @see spec/v1/production-profile.md §Backpressure
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+import { loadEnv } from '../lib/env.js';
+import { behaviorGate } from '../lib/behavior-gate.js';
+import { isFixtureAdvertised } from '../lib/fixtures.js';
+
+interface BackpressureCaps {
+  supported?: boolean;
+  inflightCap?: number;
+  retryAfterSeconds?: number;
+}
+
+interface ProductionCaps {
+  supported?: boolean;
+  backpressure?: BackpressureCaps;
+}
+
+async function readProductionCaps(): Promise<ProductionCaps | undefined> {
+  const disco = await driver.get('/.well-known/openwop');
+  return (disco.json as { capabilities?: { production?: ProductionCaps } })
+    .capabilities?.production;
+}
+
+function isProfileAdvertised(prod: ProductionCaps | undefined): boolean {
+  return (
+    prod?.supported === true && prod?.backpressure?.supported === true
+  );
+}
+
+describe('production-backpressure: capability shape', () => {
+  it('host that claims openwop-production with backpressure advertises required fields', async () => {
+    const prod = await readProductionCaps();
+
+    if (!behaviorGate('openwop-production', isProfileAdvertised(prod))) {
+      return;
+    }
+
+    expect(prod?.supported, driver.describe(
+      'production-profile.md §Compatibility baseline',
+      'capabilities.production.supported MUST be true when claiming the openwop-production profile',
+    )).toBe(true);
+
+    expect(prod?.backpressure?.supported, driver.describe(
+      'production-profile.md §Backpressure',
+      'capabilities.production.backpressure.supported MUST be true for production-profile claimants',
+    )).toBe(true);
+
+    if (prod?.backpressure?.inflightCap !== undefined) {
+      expect(
+        Number.isInteger(prod.backpressure.inflightCap) &&
+          prod.backpressure.inflightCap >= 1,
+        driver.describe(
+          'capabilities.schema.json production.backpressure.inflightCap',
+          'inflightCap MUST be an integer ≥ 1 when advertised',
+        ),
+      ).toBe(true);
+    }
+
+    if (prod?.backpressure?.retryAfterSeconds !== undefined) {
+      expect(
+        Number.isInteger(prod.backpressure.retryAfterSeconds) &&
+          prod.backpressure.retryAfterSeconds >= 0,
+        driver.describe(
+          'capabilities.schema.json production.backpressure.retryAfterSeconds',
+          'retryAfterSeconds MUST be a non-negative integer when advertised',
+        ),
+      ).toBe(true);
+    }
+  });
+});
+
+describe('production-backpressure: 503 envelope under saturation', () => {
+  it('saturating advertised inflightCap returns 503 + Retry-After + canonical envelope', async () => {
+    const prod = await readProductionCaps();
+
+    if (!behaviorGate('openwop-production', isProfileAdvertised(prod))) {
+      return;
+    }
+
+    const cap = prod?.backpressure?.inflightCap;
+    if (cap === undefined) {
+      // eslint-disable-next-line no-console
+      console.warn(
+        '[production-backpressure] host does not advertise inflightCap; skipping saturation assertion',
+      );
+      return;
+    }
+
+    // Use the conformance-delay fixture to hold inflight slots via
+    // long-lived SSE connections, matching the Postgres host's
+    // internal backpressure test pattern.
+    const FIXTURE = 'conformance-delay';
+    if (!isFixtureAdvertised(FIXTURE)) {
+      // eslint-disable-next-line no-console
+      console.warn(
+        `[production-backpressure] ${FIXTURE} not advertised; skipping saturation (host doesn't seed the long-running fixture)`,
+      );
+      return;
+    }
+
+    // Create `cap` long-running runs and open SSE streams against each
+    // to hold the slots open. Raw fetch is used for SSE because the
+    // driver doesn't expose abort signals; abort is required to release
+    // the inflight slots in the finally block. The Accept header is
+    // required so hosts with /events content negotiation (e.g., the
+    // Postgres reference host) actually keep the connection open as a
+    // long-lived SSE stream; without it they return a one-shot JSON
+    // snapshot and the inflight slot drops immediately.
+    const env = loadEnv();
+    const authHeaders = {
+      Authorization: `Bearer ${env.apiKey}`,
+      Accept: 'text/event-stream',
+    };
+
+    const slotHolders: AbortController[] = [];
+    const slotPromises: Promise<unknown>[] = [];
+    // Track the saturating runs so we can explicitly cancel them in
+    // `finally`. Without this, aborting only the SSE stream leaves
+    // the runs alive on the host until their delay elapses; any
+    // neighbor test running in parallel (vitest's default mode) then
+    // hits the still-saturated inflight cap and fails with a 503 of
+    // its own. Per spec the saturating runs MAY survive their SSE
+    // client; the test-isolation contract is the caller's
+    // responsibility.
+    const saturatingRunIds: string[] = [];
+
+    let saturationEarlyExit = false;
+    for (let i = 0; i < cap; i++) {
+      const create = await driver.post('/v1/runs', {
+        workflowId: FIXTURE,
+        // Long enough that the saturation window holds during the
+        // cap+1 probe + envelope assertions (~500ms total) but short
+        // enough that any leaked run drains quickly if cancel fails.
+        inputs: { delayMs: 2_000 },
+      });
+      if (create.status === 503) {
+        // Inflight cap was already saturated by a parallel test
+        // (default vitest mode shares the host across scenarios).
+        // The test's docstring notes `--no-file-parallelism` is the
+        // canonical execution mode; outside that mode the saturation
+        // moment is unreachable. Soft-skip per the existing pattern
+        // (consistent with the cap+1 fallback below).
+        // eslint-disable-next-line no-console
+        console.warn(
+          `[production-backpressure] cap already saturated by parallel runs at i=${i} (likely running without --no-file-parallelism); soft-skipping envelope assertions`,
+        );
+        saturationEarlyExit = true;
+        break;
+      }
+      expect(create.status).toBe(201);
+      const runId = (create.json as { runId: string }).runId;
+      saturatingRunIds.push(runId);
+
+      const controller = new AbortController();
+      slotHolders.push(controller);
+      slotPromises.push(
+        fetch(`${env.baseUrl}/v1/runs/${encodeURIComponent(runId)}/events`, {
+          headers: authHeaders,
+          signal: controller.signal,
+        }).catch(() => undefined),
+      );
+    }
+    if (saturationEarlyExit) {
+      // Drain whatever we created so we don't leave residue for the
+      // next test. The finally block below handles bulk-cancel
+      // unconditionally; just bail before the envelope assertions.
+      for (const c of slotHolders) c.abort();
+      if (saturatingRunIds.length > 0) {
+        try {
+          await driver.post('/v1/runs:bulk-cancel', { runIds: saturatingRunIds });
+        } catch {
+          // Best-effort.
+        }
+      }
+      await Promise.allSettled(slotPromises);
+      return;
+    }
+
+    // Let SSE connections register.
+    await new Promise((r) => setTimeout(r, 200));
+
+    try {
+      // The `cap + 1`-th authenticated request MUST 503.
+      const blocked = await driver.post('/v1/runs', {
+        workflowId: 'conformance-noop',
+      });
+
+      // Soft-skip if the host didn't actually 503 (e.g., it accepts
+      // more concurrency than its advertised cap, or the SSE slots
+      // didn't register in time). The envelope assertion only fires
+      // when 503 was observed.
+      if (blocked.status !== 503) {
+        // eslint-disable-next-line no-console
+        console.warn(
+          `[production-backpressure] expected 503 at cap+1=${cap + 1}, got ${blocked.status}; saturation may need tuning`,
+        );
+        return;
+      }
+
+      const retryAfterHeader = blocked.headers.get('retry-after');
+      expect(retryAfterHeader, driver.describe(
+        'production-profile.md §Backpressure',
+        '503 response MUST include a Retry-After header',
+      )).toBeTruthy();
+      expect((retryAfterHeader ?? '').length).toBeGreaterThan(0);
+
+      const body = blocked.json as {
+        error?: string;
+        message?: string;
+        details?: { retryAfter?: number };
+      };
+
+      expect(body.error, driver.describe(
+        'production-profile.md §Backpressure',
+        '503 envelope MUST have error: "service_unavailable"',
+      )).toBe('service_unavailable');
+
+      expect(typeof body.message).toBe('string');
+      expect((body.message ?? '').length).toBeGreaterThan(0);
+
+      expect(typeof body.details?.retryAfter, driver.describe(
+        'production-profile.md §Backpressure',
+        'details.retryAfter MUST be present and numeric',
+      )).toBe('number');
+
+      // details.retryAfter MUST equal the Retry-After header in seconds.
+      const headerSeconds = Number.parseInt(retryAfterHeader ?? '', 10);
+      expect(body.details?.retryAfter, driver.describe(
+        'production-profile.md §Backpressure',
+        'details.retryAfter MUST equal Retry-After header in seconds',
+      )).toBe(headerSeconds);
+
+      // If retryAfterSeconds is advertised, both equal it.
+      const advertised = prod?.backpressure?.retryAfterSeconds;
+      if (advertised !== undefined) {
+        expect(headerSeconds, driver.describe(
+          'capabilities.schema.json production.backpressure.retryAfterSeconds',
+          'Retry-After MUST equal advertised retryAfterSeconds when both are present',
+        )).toBe(advertised);
+      }
+    } finally {
+      // Test isolation: explicitly cancel every saturating run so
+      // neighbor tests running in parallel see the inflight cap
+      // released immediately. The SSE-stream aborts come first so
+      // the host's SSE handlers exit; the bulk-cancel then drains
+      // the executor queue. POST /v1/runs:bulk-cancel is naturally
+      // idempotent so even if a run already terminated, the call
+      // returns `ok: true, status: "cancelled"` per
+      // rest-endpoints.md §"Bulk cancel".
+      for (const c of slotHolders) c.abort();
+      if (saturatingRunIds.length > 0) {
+        try {
+          await driver.post('/v1/runs:bulk-cancel', { runIds: saturatingRunIds });
+        } catch {
+          // Best-effort; a host that doesn't expose bulk-cancel
+          // gets per-id cancellation as the fallback.
+          for (const id of saturatingRunIds) {
+            try {
+              await driver.post(`/v1/runs/${encodeURIComponent(id)}/cancel`, {});
+            } catch {
+              // Swallow — the runs will drain naturally within
+              // the (now-shortened) 2-second delay window.
+            }
+          }
+        }
+      }
+      await Promise.allSettled(slotPromises);
+    }
+  });
+});
+
+describe('production-backpressure: discovery exempt from cap', () => {
+  it('GET /.well-known/openwop returns 200 even when inflight is saturated', async () => {
+    const prod = await readProductionCaps();
+
+    if (!behaviorGate('openwop-production', isProfileAdvertised(prod))) {
+      return;
+    }
+
+    const cap = prod?.backpressure?.inflightCap;
+    if (cap === undefined) {
+      // Without advertised cap we can't saturate deterministically;
+      // fall back to a single discovery probe.
+      const probe = await driver.get('/.well-known/openwop');
+      expect(probe.status, driver.describe(
+        'production-profile.md §Backpressure',
+        'discovery MUST answer regardless of load',
+      )).toBe(200);
+      return;
+    }
+
+    // Issue many concurrent discovery probes; all MUST succeed.
+    const probes = await Promise.all(
+      Array.from({ length: Math.max(cap + 2, 4) }, () =>
+        driver.get('/.well-known/openwop'),
+      ),
+    );
+    for (const probe of probes) {
+      expect(probe.status, driver.describe(
+        'production-profile.md §Backpressure',
+        'discovery MUST bypass the inflight cap (health probes always answer)',
+      )).toBe(200);
+    }
+  });
+});

package/src/scenarios/production-retention-expiry.test.ts

@@ -0,0 +1,164 @@
+/**
+ * RFC 0009 §C: production-profile event-retention expiry.
+ *
+ * Verifies that hosts claiming the `openwop-production` profile satisfy
+ * `spec/v1/production-profile.md` §"Event retention":
+ *
+ *   1. `capabilities.production.retention.supported: true` is advertised.
+ *   2. `capabilities.production.retention.minWindowSeconds >= 604800`
+ *      (7 days) — the minimum retention window for public hosts.
+ *   3. `GET /v1/runs/{expiredRunId}` on an expired run returns `410 Gone`
+ *      (preferred) or `404 Not Found` per spec, with the canonical
+ *      error envelope `{error, message, details?}`.
+ *
+ * Forcing expiry is host-private — the RFC defers endpoint normation
+ * (unresolved question #1). The scenario reads two env vars supplied
+ * by the operator running the suite:
+ *
+ *   - `OPENWOP_TEST_EXPIRED_RUN_ID` — id of a pre-expired run the
+ *     host has on file. Used by both the soft-skip and active paths.
+ *   - `OPENWOP_TEST_FORCE_EXPIRE_URL` — optional host-private endpoint
+ *     the suite POSTs to in order to evict a freshly-created run.
+ *     Honored only when `capabilities.production.retention.testForceExpire: true`.
+ *
+ * When neither path is available, the scenario asserts only the
+ * capability shape and soft-skips the envelope check.
+ *
+ * @see RFCS/0009-production-profile-conformance.md §C
+ * @see spec/v1/production-profile.md §"Event retention"
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+import { behaviorGate } from '../lib/behavior-gate.js';
+
+interface RetentionCaps {
+  supported?: boolean;
+  minWindowSeconds?: number;
+  testForceExpire?: boolean;
+}
+
+interface ProductionCaps {
+  supported?: boolean;
+  retention?: RetentionCaps;
+}
+
+async function readProductionCaps(): Promise<ProductionCaps | undefined> {
+  const disco = await driver.get('/.well-known/openwop');
+  return (disco.json as { capabilities?: { production?: ProductionCaps } })
+    .capabilities?.production;
+}
+
+function isProfileAdvertised(prod: ProductionCaps | undefined): boolean {
+  return prod?.supported === true && prod?.retention?.supported === true;
+}
+
+const SEVEN_DAYS_SECONDS = 604800;
+
+describe('production-retention-expiry: capability shape', () => {
+  it('host claiming openwop-production with retention advertises required fields', async () => {
+    const prod = await readProductionCaps();
+
+    if (!behaviorGate('openwop-production', isProfileAdvertised(prod))) {
+      return;
+    }
+
+    expect(prod?.retention?.supported, driver.describe(
+      'production-profile.md §"Event retention"',
+      'capabilities.production.retention.supported MUST be true for production-profile claimants',
+    )).toBe(true);
+
+    expect(prod?.retention?.minWindowSeconds, driver.describe(
+      'production-profile.md §"Event retention"',
+      'capabilities.production.retention.minWindowSeconds MUST be advertised when retention.supported is true',
+    )).toBeDefined();
+
+    expect(
+      Number.isInteger(prod?.retention?.minWindowSeconds) &&
+        (prod?.retention?.minWindowSeconds ?? 0) >= SEVEN_DAYS_SECONDS,
+      driver.describe(
+        'production-profile.md §"Event retention"',
+        'minWindowSeconds MUST be an integer ≥ 604800 (7 days) for public production-profile claimants',
+      ),
+    ).toBe(true);
+  });
+});
+
+describe('production-retention-expiry: 410/404 envelope on expired run', () => {
+  it('GET /v1/runs/{expiredRunId} returns 410 or 404 with canonical envelope', async () => {
+    const prod = await readProductionCaps();
+
+    if (!behaviorGate('openwop-production', isProfileAdvertised(prod))) {
+      return;
+    }
+
+    let expiredRunId = process.env.OPENWOP_TEST_EXPIRED_RUN_ID;
+
+    // Active expiry path: when the host advertises a test force-expire
+    // hook, create a fresh run and call the operator-supplied endpoint
+    // to evict it. The endpoint shape is host-private (RFC 0009 Q#1).
+    const forceExpireUrl = process.env.OPENWOP_TEST_FORCE_EXPIRE_URL;
+    const forceExpireMethod = process.env.OPENWOP_TEST_FORCE_EXPIRE_METHOD ?? 'POST';
+
+    if (
+      prod?.retention?.testForceExpire === true &&
+      forceExpireUrl !== undefined &&
+      expiredRunId === undefined
+    ) {
+      // Create a throwaway run.
+      const create = await driver.post('/v1/runs', {
+        workflowId: 'conformance-noop',
+      });
+      if (create.status === 201) {
+        const newRunId = (create.json as { runId: string }).runId;
+        // Call the host-private force-expire endpoint. Operator wires
+        // this to whatever route the host exposes.
+        const url = forceExpireUrl.replace('{runId}', encodeURIComponent(newRunId));
+        const forced = await fetch(url, { method: forceExpireMethod });
+        if (forced.ok || forced.status === 204) {
+          expiredRunId = newRunId;
+        }
+      }
+    }
+
+    if (expiredRunId === undefined) {
+      // eslint-disable-next-line no-console
+      console.warn(
+        '[production-retention-expiry] no expired runId available (set OPENWOP_TEST_EXPIRED_RUN_ID or advertise testForceExpire + provide OPENWOP_TEST_FORCE_EXPIRE_URL); skipping envelope assertion',
+      );
+      return;
+    }
+
+    const res = await driver.get(`/v1/runs/${encodeURIComponent(expiredRunId)}`);
+
+    expect(
+      res.status === 410 || res.status === 404,
+      driver.describe(
+        'production-profile.md §"Event retention"',
+        'expired run MUST return 410 Gone (preferred) or 404 Not Found',
+      ),
+    ).toBe(true);
+
+    const body = res.json as {
+      error?: string;
+      message?: string;
+      details?: { expiredAt?: string };
+    };
+
+    expect(typeof body.error, driver.describe(
+      'production-profile.md §"Event retention"',
+      'expired-run response MUST use the canonical error envelope ({error, message, details?})',
+    )).toBe('string');
+    expect((body.error ?? '').length).toBeGreaterThan(0);
+
+    expect(typeof body.message).toBe('string');
+    expect((body.message ?? '').length).toBeGreaterThan(0);
+
+    // When the host returns 410, details.expiredAt is RECOMMENDED.
+    // Soft-check: when present, MUST be a non-empty string.
+    if (res.status === 410 && body.details?.expiredAt !== undefined) {
+      expect(typeof body.details.expiredAt).toBe('string');
+      expect(body.details.expiredAt.length).toBeGreaterThan(0);
+    }
+  });
+});

package/src/scenarios/registry-public.test.ts

@@ -0,0 +1,131 @@
+/**
+ * Public-registry availability scenario — `packs.openwop.dev`.
+ *
+ * Unlike `pack-registry.test.ts` (which probes the host-under-test for an
+ * optional in-host registry), this scenario hits the *public, hosted*
+ * registry at `packs.openwop.dev` directly. Its purpose is to provide a
+ * single mechanical check that the public registry is up, serves the four
+ * documented endpoint shapes, and returns valid manifests for the
+ * spec-canonical packs currently published.
+ *
+ * Gating:
+ *   This scenario is skipped by default — `@openwop/openwop-conformance`
+ *   runs MUST NOT require outbound connectivity to `packs.openwop.dev`.
+ *   Opt-in via `OPENWOP_TEST_PUBLIC_REGISTRY=true`.
+ *
+ * Why this lives in the conformance suite even though it's not a host
+ * conformance scenario:
+ *   - It provides a one-command public-registry healthcheck for the
+ *     project's own operations.
+ *   - It documents (via assertions) the contract `packs.openwop.dev`
+ *     promises to serve.
+ *   - It reuses the same vitest scaffolding as the rest of the suite.
+ *
+ * @see spec/v1/registry-operations.md
+ * @see ROADMAP.md §"Hosted infrastructure"
+ */
+
+import { describe, it, expect } from 'vitest';
+
+const REGISTRY_BASE = 'https://packs.openwop.dev';
+const ENABLED = process.env.OPENWOP_TEST_PUBLIC_REGISTRY === 'true';
+
+const PACK_NAME_RE = /^(core|vendor|community|private)\.[a-z][a-z0-9_-]*(\.[a-z][a-zA-Z0-9_-]*)+$/;
+const SEMVER_RE = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
+
+async function get(path: string): Promise<{ status: number; json: unknown }> {
+  const res = await fetch(`${REGISTRY_BASE}${path}`, {
+    headers: { Accept: 'application/json' },
+  });
+  let json: unknown = undefined;
+  try {
+    json = await res.json();
+  } catch {
+    // body may not be JSON (e.g. tarball); caller handles.
+  }
+  return { status: res.status, json };
+}
+
+describe('registry-public: packs.openwop.dev discovery document', () => {
+  it('GET /.well-known/openwop-registry returns a valid discovery payload', async () => {
+    if (!ENABLED) {
+      // eslint-disable-next-line no-console
+      console.warn(
+        '[registry-public] skipped — set OPENWOP_TEST_PUBLIC_REGISTRY=true to enable',
+      );
+      return;
+    }
+
+    const res = await get('/.well-known/openwop-registry');
+    expect(res.status).toBe(200);
+
+    const body = res.json as {
+      registryVersion?: string;
+      protocolVersion?: string;
+      url?: string;
+      supportedNamespaces?: string[];
+      supportedSigningMethods?: string[];
+      endpoints?: Record<string, string>;
+    };
+
+    expect(body.registryVersion).toBe('1.0.0');
+    expect(body.protocolVersion).toBe('1.0');
+    expect(typeof body.url).toBe('string');
+    expect(Array.isArray(body.supportedNamespaces)).toBe(true);
+    expect(body.supportedNamespaces).toEqual(
+      expect.arrayContaining(['core', 'vendor', 'community']),
+    );
+    expect(Array.isArray(body.supportedSigningMethods)).toBe(true);
+    expect(body.supportedSigningMethods).toEqual(expect.arrayContaining(['ed25519']));
+
+    // The four canonical endpoint shapes from registry-operations.md
+    // (filesystem-backed registries serve packMetadata at a file path; see endpointAliases note).
+    expect(typeof body.endpoints?.registryIndex).toBe('string');
+    expect(typeof body.endpoints?.packMetadata).toBe('string');
+    expect(typeof body.endpoints?.versionManifest).toBe('string');
+    expect(typeof body.endpoints?.versionTarball).toBe('string');
+  });
+});
+
+describe('registry-public: packs.openwop.dev index', () => {
+  it('GET /v1/index.json returns a non-empty pack list with valid name + version shapes', async () => {
+    if (!ENABLED) return;
+
+    const res = await get('/v1/index.json');
+    expect(res.status).toBe(200);
+
+    const body = res.json as {
+      packs?: Array<{ name?: string; latestVersion?: string }>;
+      generated?: string;
+    };
+
+    expect(Array.isArray(body.packs)).toBe(true);
+    expect(body.packs?.length ?? 0).toBeGreaterThan(0);
+
+    for (const p of body.packs ?? []) {
+      expect(p.name, `pack name must match reverse-DNS pattern: ${p.name}`).toMatch(PACK_NAME_RE);
+      expect(p.latestVersion, `pack version must be semver: ${p.latestVersion}`).toMatch(SEMVER_RE);
+    }
+  });
+});
+
+describe('registry-public: spec-canonical pack manifests resolve', () => {
+  const KNOWN_PACKS = [
+    { name: 'core.openwop.examples', version: '1.0.0' },
+    { name: 'community.openwop-team.demo', version: '0.1.0' },
+    { name: 'vendor.openwop.rust-hello', version: '1.0.0' },
+  ];
+
+  for (const { name, version } of KNOWN_PACKS) {
+    it(`GET /v1/packs/${name}/-/${version}.json returns a valid manifest`, async () => {
+      if (!ENABLED) return;
+
+      const res = await get(`/v1/packs/${name}/-/${version}.json`);
+      expect(res.status).toBe(200);
+
+      const manifest = res.json as { name?: string; version?: string };
+      expect(manifest.name).toBe(name);
+      expect(manifest.version).toBe(version);
+    });
+  }
+});

package/src/scenarios/replay-llm-cache-key.test.ts

@@ -0,0 +1,35 @@
+/**
+ * Cross-host LLM cache-key parity (replay.md §"LLM cache-key recipe").
+ *
+ * Verifies that two OpenWOP-compliant hosts replaying the same LLM
+ * provider request compute the same cache key. The recipe is normative
+ * (replay.md §B): canonical JSON of `(provider, model, messages, tools,
+ * temperature, topP, topK, responseFormat)` → SHA-256 → lowercase hex.
+ *
+ * Status: PLACEHOLDER. As of 2026-05-11, neither reference host
+ * (`examples/hosts/in-memory/`, `examples/hosts/sqlite/`) implements
+ * LLM-calling nodes — both execute only `core.noop` / `core.delay` /
+ * `core.approvalGate` fixtures. This scenario lands as `it.todo()` so
+ * the contract surface is tracked; assertions land when the first
+ * reference host ships an LLM-call node.
+ *
+ * What the live scenario WILL exercise (when implemented):
+ *   1. Boot host A against `OPENWOP_BASE_URL`.
+ *   2. Boot host B against `OPENWOP_BASE_URL_B`.
+ *   3. Submit the same workflow + inputs (an LLM-calling fixture).
+ *   4. Read each host's emitted `node.completed.payload.cacheKey` (or
+ *      equivalent debug-bundle surface).
+ *   5. Assert the two hex strings are equal.
+ *
+ * @see spec/v1/replay.md §"LLM cache-key recipe"
+ */
+
+import { describe, it } from 'vitest';
+
+describe('replay-llm-cache-key: cross-host determinism (placeholder)', () => {
+  it.todo(
+    'two hosts replaying the same LLM provider request compute the same cache key (replay.md §D)',
+  );
+  it.todo('LLM cache key is computed via SHA-256 of canonical JSON per replay.md §B');
+  it.todo('cache key omits non-recipe fields (max_tokens, stop, stream, seed, etc.) per replay.md §A');
+});