@openwop/openwop-conformance 1.0.0 → 1.1.1

package/src/scenarios/otel-trace-propagation-subworkflow.test.ts

@@ -0,0 +1,139 @@
+/**
+ * Track 11 close-out: cross-run trace-context propagation across
+ * `core.subWorkflow` invocation.
+ *
+ * `otel-trace-propagation.test.ts` verifies that a single run's spans
+ * inherit an inbound `traceparent`'s traceId. This scenario closes the
+ * remaining gap (`conformance/coverage.md` row 52: "Cross-host
+ * propagation across `core.subWorkflow` invocation"): when a parent
+ * run with a known inbound traceparent dispatches a child run via
+ * `core.subWorkflow`, the CHILD run's emitted spans MUST also share
+ * the parent's traceId — distributed traces stitch across the
+ * sub-workflow boundary without operator-side correlation hacks.
+ *
+ * Operator-tier value: in production deployments, a sub-workflow may
+ * execute on a different host instance (`core.subWorkflow` is a
+ * dispatch boundary, not necessarily an in-process call). The
+ * traceparent-propagation contract guarantees the operator's OTel
+ * backend can render parent + child as one trace tree even when
+ * they're on separate hosts.
+ *
+ * Skip conditions:
+ *   - Collector disabled.
+ *   - Host doesn't advertise `capabilities.observability`.
+ *   - `conformance-subworkflow-parent` fixture not advertised (host
+ *     doesn't implement `core.subWorkflow`).
+ *
+ * @see spec/v1/observability.md §"Trace context propagation"
+ * @see spec/v1/node-packs.md §`core.subWorkflow`
+ * @see conformance/coverage.md row 52
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+import { pollUntilTerminal } from '../lib/polling.js';
+import { isFixtureAdvertised } from '../lib/fixtures.js';
+import { getCollector, waitForRunSpans } from '../lib/otel-collector.js';
+
+const PARENT_FIXTURE = 'conformance-subworkflow-parent';
+
+interface RunEvent {
+  type: string;
+  nodeId?: string;
+  payload?: { outputs?: { childRunId?: string } };
+}
+
+function makeTraceparent(): { header: string; traceId: string } {
+  // W3C format: 00-<32 hex traceId>-<16 hex spanId>-01.
+  // Use a distinct id from the parent-only scenario so collector
+  // matching is unambiguous when both scenarios run back-to-back.
+  const traceId = '7c3e51b9d2a04e6f8b1c0d2e3f4a5b6c';
+  const spanId = '00f067aa0ba902b7';
+  return { header: `00-${traceId}-${spanId}-01`, traceId };
+}
+
+async function isObservabilityAdvertised(): Promise<boolean> {
+  try {
+    const disco = await driver.get('/.well-known/openwop');
+    const caps = (disco.json as { capabilities?: { observability?: unknown } }).capabilities ?? {};
+    return caps.observability !== undefined;
+  } catch {
+    return false;
+  }
+}
+
+describe('otel-trace-propagation-subworkflow: traceparent threads parent → child via core.subWorkflow', () => {
+  it('child run spans inherit the parent run\'s inbound traceId', async () => {
+    if (!getCollector()) {
+      // eslint-disable-next-line no-console
+      console.warn('[otel-trace-propagation-subworkflow] collector not started; skipping');
+      return;
+    }
+    if (!isFixtureAdvertised(PARENT_FIXTURE)) {
+      // eslint-disable-next-line no-console
+      console.warn(`[otel-trace-propagation-subworkflow] ${PARENT_FIXTURE} not advertised; skipping`);
+      return;
+    }
+    if (!(await isObservabilityAdvertised())) {
+      // eslint-disable-next-line no-console
+      console.warn('[otel-trace-propagation-subworkflow] capabilities.observability not advertised; skipping');
+      return;
+    }
+
+    const collector = getCollector()!;
+    collector.reset();
+
+    const { header, traceId } = makeTraceparent();
+    const create = await driver.post(
+      '/v1/runs',
+      { workflowId: PARENT_FIXTURE },
+      { headers: { traceparent: header } },
+    );
+    expect(create.status).toBe(201);
+    const parentRunId = (create.json as { runId: string }).runId;
+
+    await pollUntilTerminal(parentRunId, { timeoutMs: 30_000 });
+
+    // Walk the parent's event log to discover the child run id.
+    const eventsRes = await driver.get(
+      `/v1/runs/${encodeURIComponent(parentRunId)}/events/poll?lastSequence=0&timeout=1`,
+    );
+    expect(eventsRes.status).toBe(200);
+    const events = (eventsRes.json as { events?: RunEvent[] } | undefined)?.events ?? [];
+
+    const subwfCompleted = events.find(
+      (e) => e.type === 'node.completed' && e.nodeId === 'subwf-call',
+    );
+    expect(subwfCompleted, driver.describe(
+      'node-packs.md §core.subWorkflow',
+      'parent event log MUST include node.completed for the subwf-call node',
+    )).toBeDefined();
+
+    const childRunId = subwfCompleted?.payload?.outputs?.childRunId;
+    expect(typeof childRunId, driver.describe(
+      'node-packs.md §core.subWorkflow outputSchema',
+      'subwf-call node.completed payload MUST carry outputs.childRunId',
+    )).toBe('string');
+
+    // Both parent + child spans MUST share the inbound traceId.
+    const parentSpans = await waitForRunSpans(parentRunId, { timeoutMs: 10_000, minCount: 1 });
+    const childSpans = await waitForRunSpans(childRunId!, { timeoutMs: 10_000, minCount: 1 });
+
+    expect(parentSpans.length, 'collector MUST receive ≥1 span for the parent run').toBeGreaterThan(0);
+    expect(childSpans.length, 'collector MUST receive ≥1 span for the child run').toBeGreaterThan(0);
+
+    const wantTrace = traceId.toLowerCase();
+
+    const parentMatching = parentSpans.filter((s) => s.traceId.toLowerCase() === wantTrace);
+    expect(parentMatching.length, driver.describe(
+      'observability.md §"Trace context propagation"',
+      'parent-run spans MUST share the inbound traceparent traceId',
+    )).toBeGreaterThan(0);
+
+    const childMatching = childSpans.filter((s) => s.traceId.toLowerCase() === wantTrace);
+    expect(childMatching.length, driver.describe(
+      'observability.md §"Trace context propagation" + node-packs.md §core.subWorkflow',
+      'child-run spans dispatched via core.subWorkflow MUST inherit the parent run\'s traceId so distributed traces stitch across the dispatch boundary',
+    )).toBeGreaterThan(0);
+  });
+});

package/src/scenarios/pause-resume.test.ts

@@ -107,3 +107,122 @@ describe.skipIf(SKIP)('pause/resume: :resume on a non-paused run returns 409', (
     });
   });
 });
+
+describe.skipIf(SKIP)('pause/resume: pause is idempotent when already paused', () => {
+  it(':pause on an already-paused run is a no-op (200/202) — idempotent', async () => {
+    const create = await driver.post('/v1/runs', {
+      workflowId: FIXTURE!,
+      inputs: { delaySeconds: 30 },
+    });
+    expect(create.status).toBe(201);
+    const runId = (create.json as { runId: string }).runId;
+    await pollUntilStatus(runId, 'running', { timeoutMs: 10_000 });
+
+    const first = await driver.post(`/v1/runs/${encodeURIComponent(runId)}:pause`, {});
+    if (first.status === 404) {
+      await driver.post(`/v1/runs/${encodeURIComponent(runId)}/cancel`, {
+        reason: 'conformance-cleanup',
+      });
+      return;
+    }
+    expect([200, 202]).toContain(first.status);
+    await pollUntilStatus(runId, 'paused', { timeoutMs: 10_000 });
+
+    // Idempotent second :pause — MUST NOT 409 just because the run is
+    // already paused. 200/202 are both acceptable per the additive
+    // contract; 409 would force callers to read state before calling.
+    const second = await driver.post(`/v1/runs/${encodeURIComponent(runId)}:pause`, {});
+    expect(
+      [200, 202].includes(second.status),
+      driver.describe(
+        'rest-endpoints.md POST /v1/runs/{runId}:pause',
+        ':pause on an already-paused run MUST be idempotent (200/202), not 409',
+      ),
+    ).toBe(true);
+
+    await driver.post(`/v1/runs/${encodeURIComponent(runId)}/cancel`, {
+      reason: 'conformance-cleanup',
+    });
+  });
+});
+
+describe.skipIf(SKIP)('pause/resume: :pause on a terminal run returns 409', () => {
+  it(':pause on a completed/cancelled/failed run MUST return 409', async () => {
+    const create = await driver.post('/v1/runs', {
+      workflowId: 'conformance-noop',
+    });
+    if (create.status !== 201) return; // conformance-noop not seeded; skip cleanly
+    const runId = (create.json as { runId: string }).runId;
+    await pollUntilTerminal(runId, { timeoutMs: 10_000 });
+
+    const pause = await driver.post(`/v1/runs/${encodeURIComponent(runId)}:pause`, {});
+    if (pause.status === 404) return;
+    expect(pause.status, driver.describe(
+      'rest-endpoints.md POST /v1/runs/{runId}:pause',
+      ':pause on a terminal run MUST return 409',
+    )).toBe(409);
+
+    const body = pause.json as { error?: string; details?: { runStatus?: string } };
+    expect(body.error).toBe('conflict');
+    // Spec requires `details.runStatus` to disclose the terminal state so
+    // the caller can decide whether to retry or surface the conflict.
+    expect(['completed', 'failed', 'cancelled']).toContain(body.details?.runStatus);
+  });
+});
+
+describe.skipIf(SKIP)('pause/resume: :pause-during-suspend race', () => {
+  it(':pause MUST NOT silently override an active interrupt suspend', async () => {
+    // If the host seeds an approval fixture, drive a suspend then attempt
+    // :pause. The expected behavior is that :pause either (a) noops with
+    // 409 because the run is already waiting-approval (not in a pausable
+    // state), or (b) accepts and stacks pause atop the suspend with the
+    // run's terminal state still being waiting-approval. Either is
+    // acceptable; what's NOT acceptable is the host quietly flipping
+    // status to `paused` and discarding the suspended interrupt.
+    if (!isFixtureAdvertised('conformance-approval')) {
+      // eslint-disable-next-line no-console
+      console.warn(
+        '[pause-resume] conformance-approval not advertised; skipping :pause-during-suspend race subtest',
+      );
+      return;
+    }
+    const create = await driver.post('/v1/runs', { workflowId: 'conformance-approval' });
+    expect(create.status).toBe(201);
+    const runId = (create.json as { runId: string }).runId;
+    await pollUntilStatus(runId, 'waiting-approval', { timeoutMs: 10_000 });
+
+    const pause = await driver.post(`/v1/runs/${encodeURIComponent(runId)}:pause`, {
+      reason: 'race-test',
+    });
+    if (pause.status === 404) {
+      // Cleanup.
+      await driver.post(`/v1/runs/${encodeURIComponent(runId)}/cancel`, {
+        reason: 'conformance-cleanup',
+      });
+      return;
+    }
+
+    // Either rejection (preferred) or stacked-pause is OK; silent override is not.
+    if (pause.status === 409) {
+      const body = pause.json as { details?: { runStatus?: string } };
+      expect(body.details?.runStatus, driver.describe(
+        'rest-endpoints.md POST /v1/runs/{runId}:pause',
+        ':pause-during-suspend MUST surface the active waiting-* status in the conflict envelope',
+      )).toMatch(/^waiting-/);
+    } else {
+      // Stacked-pause accepted: verify the run's reported status still
+      // surfaces the underlying suspend — the host MUST NOT lose track
+      // of the interrupt waiting for resolution.
+      const snap = await driver.get(`/v1/runs/${encodeURIComponent(runId)}`);
+      const status = (snap.json as { status: string }).status;
+      expect(
+        status === 'paused' || status.startsWith('waiting-'),
+        ':pause-during-suspend MUST NOT silently discard the active interrupt',
+      ).toBe(true);
+    }
+
+    await driver.post(`/v1/runs/${encodeURIComponent(runId)}/cancel`, {
+      reason: 'conformance-cleanup',
+    });
+  });
+});

package/src/scenarios/production-backpressure.test.ts

@@ -0,0 +1,342 @@
+/**
+ * RFC 0009 §B: production-profile backpressure envelope.
+ *
+ * Verifies that hosts claiming the `openwop-production` profile satisfy
+ * `spec/v1/production-profile.md` §Backpressure:
+ *
+ *   1. `capabilities.production.backpressure.supported: true` is
+ *      advertised when the profile claim is `supported: true`.
+ *   2. When the host advertises an `inflightCap`, the suite saturates
+ *      it with `inflightCap + 1` concurrent long-lived requests and
+ *      asserts the 503 envelope shape: status 503 + `Retry-After`
+ *      header + body `{error: "service_unavailable", message, details:
+ *      {retryAfter: <integer>}}` where `details.retryAfter` equals the
+ *      `Retry-After` header in seconds.
+ *   3. When `retryAfterSeconds` is also advertised, both equal that
+ *      advertised value.
+ *   4. Discovery (`GET /.well-known/openwop`) is exempt from the
+ *      inflight cap (health probes MUST answer even under load).
+ *
+ * Hosts that don't advertise `inflightCap` soft-skip the saturation
+ * step (the envelope assertion only fires if a 503 happens to be
+ * observed via other means). RFC 0009 unresolved question #3 — the
+ * alternative of probing via Little's Law is rejected by default;
+ * inflightCap advertisement is the chosen forcing mechanism.
+ *
+ * **Run with `--no-file-parallelism`** — saturating the host's
+ * inflight cap leaves no headroom for other scenarios that issue
+ * concurrent POSTs (e.g., `idempotencyRetry.test.ts`'s 5-retry burst).
+ * Conformance runs that include this scenario MUST pass `--no-file-
+ * parallelism` to vitest or scope each file to its own worker. The
+ * otel-emission scenario has the same constraint (`conformance/README.md`
+ * line ~69).
+ *
+ * @see RFCS/0009-production-profile-conformance.md §B
+ * @see spec/v1/production-profile.md §Backpressure
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+import { loadEnv } from '../lib/env.js';
+import { behaviorGate } from '../lib/behavior-gate.js';
+import { isFixtureAdvertised } from '../lib/fixtures.js';
+
+interface BackpressureCaps {
+  supported?: boolean;
+  inflightCap?: number;
+  retryAfterSeconds?: number;
+}
+
+interface ProductionCaps {
+  supported?: boolean;
+  backpressure?: BackpressureCaps;
+}
+
+async function readProductionCaps(): Promise<ProductionCaps | undefined> {
+  const disco = await driver.get('/.well-known/openwop');
+  return (disco.json as { capabilities?: { production?: ProductionCaps } })
+    .capabilities?.production;
+}
+
+function isProfileAdvertised(prod: ProductionCaps | undefined): boolean {
+  return (
+    prod?.supported === true && prod?.backpressure?.supported === true
+  );
+}
+
+describe('production-backpressure: capability shape', () => {
+  it('host that claims openwop-production with backpressure advertises required fields', async () => {
+    const prod = await readProductionCaps();
+
+    if (!behaviorGate('openwop-production', isProfileAdvertised(prod))) {
+      return;
+    }
+
+    expect(prod?.supported, driver.describe(
+      'production-profile.md §Compatibility baseline',
+      'capabilities.production.supported MUST be true when claiming the openwop-production profile',
+    )).toBe(true);
+
+    expect(prod?.backpressure?.supported, driver.describe(
+      'production-profile.md §Backpressure',
+      'capabilities.production.backpressure.supported MUST be true for production-profile claimants',
+    )).toBe(true);
+
+    if (prod?.backpressure?.inflightCap !== undefined) {
+      expect(
+        Number.isInteger(prod.backpressure.inflightCap) &&
+          prod.backpressure.inflightCap >= 1,
+        driver.describe(
+          'capabilities.schema.json production.backpressure.inflightCap',
+          'inflightCap MUST be an integer ≥ 1 when advertised',
+        ),
+      ).toBe(true);
+    }
+
+    if (prod?.backpressure?.retryAfterSeconds !== undefined) {
+      expect(
+        Number.isInteger(prod.backpressure.retryAfterSeconds) &&
+          prod.backpressure.retryAfterSeconds >= 0,
+        driver.describe(
+          'capabilities.schema.json production.backpressure.retryAfterSeconds',
+          'retryAfterSeconds MUST be a non-negative integer when advertised',
+        ),
+      ).toBe(true);
+    }
+  });
+});
+
+describe('production-backpressure: 503 envelope under saturation', () => {
+  it('saturating advertised inflightCap returns 503 + Retry-After + canonical envelope', async () => {
+    const prod = await readProductionCaps();
+
+    if (!behaviorGate('openwop-production', isProfileAdvertised(prod))) {
+      return;
+    }
+
+    const cap = prod?.backpressure?.inflightCap;
+    if (cap === undefined) {
+      // eslint-disable-next-line no-console
+      console.warn(
+        '[production-backpressure] host does not advertise inflightCap; skipping saturation assertion',
+      );
+      return;
+    }
+
+    // Use the conformance-delay fixture to hold inflight slots via
+    // long-lived SSE connections, matching the Postgres host's
+    // internal backpressure test pattern.
+    const FIXTURE = 'conformance-delay';
+    if (!isFixtureAdvertised(FIXTURE)) {
+      // eslint-disable-next-line no-console
+      console.warn(
+        `[production-backpressure] ${FIXTURE} not advertised; skipping saturation (host doesn't seed the long-running fixture)`,
+      );
+      return;
+    }
+
+    // Create `cap` long-running runs and open SSE streams against each
+    // to hold the slots open. Raw fetch is used for SSE because the
+    // driver doesn't expose abort signals; abort is required to release
+    // the inflight slots in the finally block. The Accept header is
+    // required so hosts with /events content negotiation (e.g., the
+    // Postgres reference host) actually keep the connection open as a
+    // long-lived SSE stream; without it they return a one-shot JSON
+    // snapshot and the inflight slot drops immediately.
+    const env = loadEnv();
+    const authHeaders = {
+      Authorization: `Bearer ${env.apiKey}`,
+      Accept: 'text/event-stream',
+    };
+
+    const slotHolders: AbortController[] = [];
+    const slotPromises: Promise<unknown>[] = [];
+    // Track the saturating runs so we can explicitly cancel them in
+    // `finally`. Without this, aborting only the SSE stream leaves
+    // the runs alive on the host until their delay elapses; any
+    // neighbor test running in parallel (vitest's default mode) then
+    // hits the still-saturated inflight cap and fails with a 503 of
+    // its own. Per spec the saturating runs MAY survive their SSE
+    // client; the test-isolation contract is the caller's
+    // responsibility.
+    const saturatingRunIds: string[] = [];
+
+    let saturationEarlyExit = false;
+    for (let i = 0; i < cap; i++) {
+      const create = await driver.post('/v1/runs', {
+        workflowId: FIXTURE,
+        // Long enough that the saturation window holds during the
+        // cap+1 probe + envelope assertions (~500ms total) but short
+        // enough that any leaked run drains quickly if cancel fails.
+        inputs: { delayMs: 2_000 },
+      });
+      if (create.status === 503) {
+        // Inflight cap was already saturated by a parallel test
+        // (default vitest mode shares the host across scenarios).
+        // The test's docstring notes `--no-file-parallelism` is the
+        // canonical execution mode; outside that mode the saturation
+        // moment is unreachable. Soft-skip per the existing pattern
+        // (consistent with the cap+1 fallback below).
+        // eslint-disable-next-line no-console
+        console.warn(
+          `[production-backpressure] cap already saturated by parallel runs at i=${i} (likely running without --no-file-parallelism); soft-skipping envelope assertions`,
+        );
+        saturationEarlyExit = true;
+        break;
+      }
+      expect(create.status).toBe(201);
+      const runId = (create.json as { runId: string }).runId;
+      saturatingRunIds.push(runId);
+
+      const controller = new AbortController();
+      slotHolders.push(controller);
+      slotPromises.push(
+        fetch(`${env.baseUrl}/v1/runs/${encodeURIComponent(runId)}/events`, {
+          headers: authHeaders,
+          signal: controller.signal,
+        }).catch(() => undefined),
+      );
+    }
+    if (saturationEarlyExit) {
+      // Drain whatever we created so we don't leave residue for the
+      // next test. The finally block below handles bulk-cancel
+      // unconditionally; just bail before the envelope assertions.
+      for (const c of slotHolders) c.abort();
+      if (saturatingRunIds.length > 0) {
+        try {
+          await driver.post('/v1/runs:bulk-cancel', { runIds: saturatingRunIds });
+        } catch {
+          // Best-effort.
+        }
+      }
+      await Promise.allSettled(slotPromises);
+      return;
+    }
+
+    // Let SSE connections register.
+    await new Promise((r) => setTimeout(r, 200));
+
+    try {
+      // The `cap + 1`-th authenticated request MUST 503.
+      const blocked = await driver.post('/v1/runs', {
+        workflowId: 'conformance-noop',
+      });
+
+      // Soft-skip if the host didn't actually 503 (e.g., it accepts
+      // more concurrency than its advertised cap, or the SSE slots
+      // didn't register in time). The envelope assertion only fires
+      // when 503 was observed.
+      if (blocked.status !== 503) {
+        // eslint-disable-next-line no-console
+        console.warn(
+          `[production-backpressure] expected 503 at cap+1=${cap + 1}, got ${blocked.status}; saturation may need tuning`,
+        );
+        return;
+      }
+
+      const retryAfterHeader = blocked.headers.get('retry-after');
+      expect(retryAfterHeader, driver.describe(
+        'production-profile.md §Backpressure',
+        '503 response MUST include a Retry-After header',
+      )).toBeTruthy();
+      expect((retryAfterHeader ?? '').length).toBeGreaterThan(0);
+
+      const body = blocked.json as {
+        error?: string;
+        message?: string;
+        details?: { retryAfter?: number };
+      };
+
+      expect(body.error, driver.describe(
+        'production-profile.md §Backpressure',
+        '503 envelope MUST have error: "service_unavailable"',
+      )).toBe('service_unavailable');
+
+      expect(typeof body.message).toBe('string');
+      expect((body.message ?? '').length).toBeGreaterThan(0);
+
+      expect(typeof body.details?.retryAfter, driver.describe(
+        'production-profile.md §Backpressure',
+        'details.retryAfter MUST be present and numeric',
+      )).toBe('number');
+
+      // details.retryAfter MUST equal the Retry-After header in seconds.
+      const headerSeconds = Number.parseInt(retryAfterHeader ?? '', 10);
+      expect(body.details?.retryAfter, driver.describe(
+        'production-profile.md §Backpressure',
+        'details.retryAfter MUST equal Retry-After header in seconds',
+      )).toBe(headerSeconds);
+
+      // If retryAfterSeconds is advertised, both equal it.
+      const advertised = prod?.backpressure?.retryAfterSeconds;
+      if (advertised !== undefined) {
+        expect(headerSeconds, driver.describe(
+          'capabilities.schema.json production.backpressure.retryAfterSeconds',
+          'Retry-After MUST equal advertised retryAfterSeconds when both are present',
+        )).toBe(advertised);
+      }
+    } finally {
+      // Test isolation: explicitly cancel every saturating run so
+      // neighbor tests running in parallel see the inflight cap
+      // released immediately. The SSE-stream aborts come first so
+      // the host's SSE handlers exit; the bulk-cancel then drains
+      // the executor queue. POST /v1/runs:bulk-cancel is naturally
+      // idempotent so even if a run already terminated, the call
+      // returns `ok: true, status: "cancelled"` per
+      // rest-endpoints.md §"Bulk cancel".
+      for (const c of slotHolders) c.abort();
+      if (saturatingRunIds.length > 0) {
+        try {
+          await driver.post('/v1/runs:bulk-cancel', { runIds: saturatingRunIds });
+        } catch {
+          // Best-effort; a host that doesn't expose bulk-cancel
+          // gets per-id cancellation as the fallback.
+          for (const id of saturatingRunIds) {
+            try {
+              await driver.post(`/v1/runs/${encodeURIComponent(id)}/cancel`, {});
+            } catch {
+              // Swallow — the runs will drain naturally within
+              // the (now-shortened) 2-second delay window.
+            }
+          }
+        }
+      }
+      await Promise.allSettled(slotPromises);
+    }
+  });
+});
+
+describe('production-backpressure: discovery exempt from cap', () => {
+  it('GET /.well-known/openwop returns 200 even when inflight is saturated', async () => {
+    const prod = await readProductionCaps();
+
+    if (!behaviorGate('openwop-production', isProfileAdvertised(prod))) {
+      return;
+    }
+
+    const cap = prod?.backpressure?.inflightCap;
+    if (cap === undefined) {
+      // Without advertised cap we can't saturate deterministically;
+      // fall back to a single discovery probe.
+      const probe = await driver.get('/.well-known/openwop');
+      expect(probe.status, driver.describe(
+        'production-profile.md §Backpressure',
+        'discovery MUST answer regardless of load',
+      )).toBe(200);
+      return;
+    }
+
+    // Issue many concurrent discovery probes; all MUST succeed.
+    const probes = await Promise.all(
+      Array.from({ length: Math.max(cap + 2, 4) }, () =>
+        driver.get('/.well-known/openwop'),
+      ),
+    );
+    for (const probe of probes) {
+      expect(probe.status, driver.describe(
+        'production-profile.md §Backpressure',
+        'discovery MUST bypass the inflight cap (health probes always answer)',
+      )).toBe(200);
+    }
+  });
+});