@openwop/openwop-conformance 1.0.0 → 1.1.1

package/fixtures/conformance-subworkflow-parent.json

@@ -14,7 +14,7 @@
     },
     {
       "id": "subwf-call",
-      "typeId": "core.control.subWorkflow",
+      "typeId": "core.subWorkflow",
       "name": "Invoke Child",
       "position": { "x": 200, "y": 0 },
       "config": {

package/fixtures/conformance-wasm-pack-memory-cap-breach.json

@@ -0,0 +1,23 @@
+{
+  "id": "conformance-wasm-pack-memory-cap-breach",
+  "name": "Conformance: WASM Pack Memory-Cap Breach (Positive Path)",
+  "version": "1.0",
+  "description": "RFC 0008 §K fixture. Invokes the deliberately-misbehaving Rust pack (`vendor.openwop.misbehaving.memory-bomb`) which attempts a 1 GiB allocation beyond the host's `memoryPagesMax` ceiling. Hosts MUST trap or terminate the instance and emit `cap.breached` with `kind: 'wasm-memory'`, then terminate the run as `failed`. The misbehaving pack lives at `examples/packs/rust-misbehaving-memory/`; build it with `cargo build --target wasm32-unknown-unknown --release` before running the scenario end-to-end. Fixture-only — the pack is NOT signed for the registry.",
+  "nodes": [
+    {
+      "id": "bomb",
+      "typeId": "vendor.openwop.misbehaving.memory-bomb",
+      "name": "Memory bomb",
+      "position": { "x": 0, "y": 0 },
+      "config": {},
+      "inputs": {}
+    }
+  ],
+  "edges": [],
+  "triggers": [
+    { "id": "manual", "type": "manual", "enabled": true }
+  ],
+  "variables": [],
+  "metadata": { "tags": ["conformance", "wasm", "node-pack", "rfc-0008", "cap-breach", "misbehaving"] },
+  "settings": { "timeout": 0 }
+}

package/fixtures/openwop-smoke-byok-roundtrip.json

@@ -0,0 +1,25 @@
+{
+  "id": "openwop-smoke-byok-roundtrip",
+  "name": "Conformance: BYOK Roundtrip",
+  "version": "1.0",
+  "description": "End-to-end BYOK secret-resolution smoke fixture. Single node 'resolve-secret' (typeId conformance.secret.echo) fetches the host-provisioned canary secret 'openwop-conformance-canary-secret' via the host's SecretResolver, then emits the SHA-256 hex + byte length to the run's variables — never the raw value. Spec: run-options.md §'Credential references' + auth.md §'Secret resolution' + observability.md §'Redaction'.",
+  "nodes": [
+    {
+      "id": "resolve-secret",
+      "typeId": "conformance.secret.echo",
+      "name": "Resolve Canary Secret",
+      "position": { "x": 0, "y": 0 },
+      "config": {
+        "secretId": "openwop-conformance-canary-secret"
+      },
+      "inputs": {}
+    }
+  ],
+  "edges": [],
+  "triggers": [
+    { "id": "manual", "type": "manual", "enabled": true }
+  ],
+  "variables": [],
+  "metadata": { "tags": ["conformance", "byok", "secrets", "smoke"] },
+  "settings": { "timeout": 10000, "maxRetries": 0 }
+}

package/fixtures.md

@@ -78,6 +78,9 @@ All fixtures MUST advertise:
 | MCP Tool Roundtrip | `conformance-mcp-tool-roundtrip` | Track 6 — host invokes a tool on the conformance suite's synthetic MCP server; trust-boundary visibility in the event log | `completed` | ≤ 30s |
 | A2A Task Roundtrip | `conformance-a2a-task-roundtrip` | Track 6 — host consumes the conformance suite's synthetic A2A peer; covers drift points #3 (`AUTH_REQUIRED`) and #4 (`REJECTED`) | `failed` or `waiting-input` (per `driftScenario` input) | ≤ 30s |
 | WASM Pack Roundtrip | `conformance-wasm-pack-roundtrip` | RFC 0008 — invokes `vendor.openwop.rust-hello.greet` (loaded WASM pack); exercises required exports + at least one import | `completed` | ≤ 10s |
+| WASM Pack Memory-Cap Breach | `conformance-wasm-pack-memory-cap-breach` | RFC 0008 §K — invokes the deliberately-misbehaving `vendor.openwop.misbehaving.memory-bomb` pack (allocates 1 GiB beyond the host's `memoryPagesMax`). Host MUST emit `cap.breached` with `kind: "wasm-memory"` and drive the run to terminal `failed`. Misbehaving pack lives at `examples/packs/rust-misbehaving-memory/` and is fixture-only (NOT signed for registry publication). | `failed` (with `cap.breached`) | ≤ 10s |
+| Configurable Schema | `conformance-configurable-schema` | Track 13 — workflow declares `configurableSchema` (`additionalProperties: false`, `recursionLimit: integer ≥ 1`). Suite verifies `GET /v1/workflows/{id}` surfaces the schema AND `POST /v1/runs` with a mismatched `configurable` returns `validation_error`. | `completed` (with accepted overlay) | ≤ 5s |
+| Smoke — BYOK Roundtrip | `openwop-smoke-byok-roundtrip` | End-to-end BYOK secret-resolution smoke. Single `conformance.secret.echo` node fetches the host-provisioned canary secret `openwop-conformance-canary-secret`, emits SHA-256 hex + byte length to variables — never the raw value. Spec: `run-options.md` §"Credential references" + `auth.md` §"Secret resolution" + `observability.md` §"Redaction". | `completed` | ≤ 10s |
 
 The `messages`-mode stream fixture (AI token streaming) is covered by the deterministic mock-provider surface in `spec/v1/run-options.md`. Hosts that do not advertise `Capabilities.testing.mockProviders` skip-equivalent on those scenarios.
 
@@ -321,6 +324,24 @@ Both items are tracked as v1.x conformance expansion work.
 
 ---
 
+## `openwop-smoke-byok-roundtrip` (BYOK end-to-end smoke fixture)
+
+> **Status: included in the v1.0 conformance baseline.** Server-side `conformance.secret.echo` support is exercised by `src/scenarios/byok-roundtrip.test.ts`.
+
+- **Purpose**: verify the BYOK secret-resolution roundtrip end-to-end. A host that advertises `capabilities.secrets.supported: true` MUST resolve the canary `openwop-conformance-canary-secret` via its `SecretResolver` and surface only the SHA-256 hex + byte length on every observable channel (variables, events, debug bundle, logs). The raw value MUST NOT leak per `observability.md` §"Redaction" + `threat-model-secret-leakage.md` §SR-1.
+- **Topology**: single node `resolve-secret` with `typeId: conformance.secret.echo`, `config.secretId: "openwop-conformance-canary-secret"`. Resolves the canary, hashes it, and writes `{secretSha256, secretLength}` to the run's `variables.resolve-secret`.
+- **Conformance test driver**:
+  1. POST `/v1/runs` with `{workflowId: "openwop-smoke-byok-roundtrip"}`.
+  2. Poll until terminal.
+  3. **Assert** terminal status is `completed`.
+  4. **Assert** `variables['resolve-secret'].secretSha256` matches `^[0-9a-f]{64}$`.
+  5. **Assert** `variables['resolve-secret'].secretLength > 0`.
+  6. **Assert** event log does NOT contain a suspicious payload echoing the raw secret (regex check across `value`/`password`/`plaintext`/`raw_secret` adjacent to `secretSha256`).
+
+Hosts that don't ship a BYOK SecretResolver MAY return `404` / `422` on the start-run call; the scenario soft-skips in that case.
+
+---
+
 ## `conformance-channel-ttl` (closes C3 — channel TTL reducer fold)
 
 > **Status: included in the v1.0 conformance baseline.** Server-side `core.channelWrite` support is exercised by `src/scenarios/channel-ttl.test.ts`.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openwop/openwop-conformance",
-  "version": "1.0.0",
+  "version": "1.1.1",
   "description": "Production-ready black-box conformance suite for OpenWOP v1.0 compliant servers.",
   "repository": {
     "type": "git",
@@ -22,10 +22,12 @@
     "schemas",
     "vitest.config.ts",
     "README.md",
+    "CHANGELOG.md",
     "LICENSE"
   ],
   "scripts": {
     "test": "vitest run",
+    "test:strict": "vitest run --no-file-parallelism",
     "test:watch": "vitest",
     "typecheck": "tsc --noEmit",
     "build:cli": "tsc -p tsconfig.build.json && chmod +x dist/cli.js",

package/schemas/README.md

@@ -6,6 +6,7 @@
 |---|---|---|
 | `agent-manifest.schema.json` | `node-packs.md` + agent-pack RFCs | Agent manifest entries distributed alongside node-pack manifests |
 | `agent-ref.schema.json` | `agent-memory.md` + agent-identity RFC | Multi-Agent Shift Phase 1 — slim runtime AgentRef projection carried on `RunSnapshot.agent` / `runOrchestrator`, `WorkflowNode.agent?`, and `agent.*` event payloads |
+| `audit-verify-result.schema.json` | `auth-profiles.md` §`openwop-audit-log-integrity` | Response payload from `GET /v1/audit/verify` — chain-validity verdict + checkpoints + anomalies |
 | `capabilities.schema.json` | `capabilities.md` | `/.well-known/openwop` response — protocolVersion + supportedEnvelopes + schemaVersions + limits + optional v1 discovery surface |
 | `channel-written-payload.schema.json` | `channels-and-reducers.md` §Channel write event | Payload of the `channel.written` RunEvent — write input + reducer name |
 | `conversation-event.schema.json` | `channels-and-reducers.md` + conversation RFC | Multi-turn conversation event shape for orchestrator-driven HITL flows |
@@ -16,12 +17,15 @@
 | `memory-entry.schema.json` | memory-layer RFC | Persisted agent memory entry shape |
 | `memory-list-options.schema.json` | memory-layer RFC | Query options for listing agent memory entries |
 | `node-pack-manifest.schema.json` | `node-packs.md` | Pack manifest (`pack.json`) — name, version, engines, nodes[], runtime, signing |
+| `pack-lockfile.schema.json` | `node-packs.md` §"Dependency resolution + lockfile" | Reproducible-build lockfile pinning resolved pack versions + SHA-256 integrity + Ed25519 signature for the entire workspace dependency graph |
+| `registry-version-manifest.schema.json` | `registry-operations.md` | Registry-augmented version manifest served at `GET /v1/packs/{name}/-/{version}.json`. Extends the bare pack-manifest contract with registry-side metadata (integrity hash, signing-block polymorphism, lifecycle flags). Enforced by the `Validate version manifests against registry-version-manifest schema` step in `.github/workflows/registry-publish.yml`. |
 | `orchestrator-decision.schema.json` | `node-packs.md` + orchestrator RFC | Decision output shape for orchestrator routing nodes |
 | `run-event-payloads.schema.json` | `run-event.schema.json` §RunEventType | Per-RunEventType payload contracts, indexed by `$defs.<typeId>` for opt-in strict validation |
 | `run-event.schema.json` | `version-negotiation.md` + `RunEventDoc` | Event log envelope + event type enum |
 | `run-options.schema.json` | `run-options.md` | Per-run input overlay (configurable + tags + metadata) on `POST /v1/runs` |
 | `run-orchestrator-decided-event.schema.json` | orchestrator RFC + `observability.md` | Event payload for orchestrator decisions |
 | `run-snapshot.schema.json` | `rest-endpoints.md` §RunSnapshot | Projected run state from `GET /v1/runs/{runId}` |
+| `security-advisory.schema.json` | `registry-operations.md` + INCIDENT-RESPONSE runbook | Registry-owned CVE advisory record at `registry/security/advisories.json`. One entry per disclosed vulnerability — id, severity, affected pack-name + SemVer range, optional fixedIn/advisoryUrl/credits. Enforced by `check-advisories.mjs` in `.github/workflows/registry-publish.yml`. |
 | `suspend-request.schema.json` | `interrupt.md` | `InterruptPayload` with 8 `kind` discriminators (approval, clarification, external-event, custom, conversation.start, conversation.exchange, conversation.close, low-confidence) |
 | `workflow-definition.schema.json` | `channels-and-reducers.md` + `node-packs.md` | DAG of nodes + edges + triggers + variables + channels |
 

package/schemas/audit-verify-result.schema.json

@@ -0,0 +1,90 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://openwop.dev/spec/v1/audit-verify-result.schema.json",
+  "title": "AuditVerifyResult",
+  "description": "Response payload from `GET /v1/audit/verify` per spec/v1/auth-profiles.md §`openwop-audit-log-integrity` §4 'Verification endpoint'. Hosts advertising the audit-log-integrity profile MUST return this shape on the verify endpoint when called with a valid `audit:read`-scoped credential. The shape carries the verifier's chain-validity verdict, the in-range signed checkpoints, and any anomaly records the verifier detected while re-walking the hash chain.",
+  "type": "object",
+  "required": ["fromSeq", "toSeq", "chainValid", "checkpoints", "anomalies"],
+  "properties": {
+    "fromSeq": {
+      "type": "integer",
+      "minimum": 0,
+      "description": "Echo of the caller's `fromSeq` query parameter. The verifier MUST re-walk entries [fromSeq, toSeq] inclusive."
+    },
+    "toSeq": {
+      "type": "integer",
+      "minimum": 0,
+      "description": "Echo of the caller's `toSeq` query parameter. MUST be >= fromSeq."
+    },
+    "chainValid": {
+      "type": "boolean",
+      "description": "True when every entry's `prevHash` matches the SHA-256 of the prior entry's RFC 8785 JCS canonicalization AND every signed checkpoint in `checkpoints[]` verifies against the host's advertised `auditLogIntegrity.checkpointPublicKey`. False when ANY break or invalid signature is detected; `anomalies[]` enumerates the breaks."
+    },
+    "checkpointsValid": {
+      "type": "boolean",
+      "description": "OPTIONAL companion bit: true when every checkpoint signature in `checkpoints[]` verifies. Distinguishes 'chain broken but checkpoints OK' from 'checkpoints forged but chain intact'. Hosts MAY omit when `chainValid` already conveys the verdict; clients that distinguish the two failure modes SHOULD prefer hosts that surface this bit explicitly."
+    },
+    "checkpoints": {
+      "type": "array",
+      "description": "Signed checkpoints emitted within [fromSeq, toSeq]. Order: ascending by `atSequence`. Empty array MUST appear when no checkpoint was emitted in the window (not omitted).",
+      "items": { "$ref": "#/$defs/Checkpoint" }
+    },
+    "anomalies": {
+      "type": "array",
+      "description": "One entry per detected hash-chain break in [fromSeq, toSeq]. Empty array MUST appear when chainValid is true (not omitted).",
+      "items": { "$ref": "#/$defs/Anomaly" }
+    }
+  },
+  "additionalProperties": false,
+  "$defs": {
+    "Checkpoint": {
+      "type": "object",
+      "required": ["checkpoint", "atSequence", "merkleRoot", "signature"],
+      "properties": {
+        "checkpoint": {
+          "type": "string",
+          "minLength": 1,
+          "maxLength": 256,
+          "description": "Host-issued checkpoint id. Globally unique within the host's audit log."
+        },
+        "atSequence": {
+          "type": "integer",
+          "minimum": 0,
+          "description": "Audit-log sequence number at which the checkpoint was minted. Inclusive — the entry at this sequence is covered by the checkpoint's merkleRoot."
+        },
+        "merkleRoot": {
+          "type": "string",
+          "minLength": 1,
+          "description": "Hex-encoded SHA-256 Merkle root over the canonicalized entries 0..atSequence inclusive. Verifiers re-compute and compare; mismatch implies chain mutation between two checkpoints."
+        },
+        "signature": {
+          "type": "string",
+          "minLength": 1,
+          "description": "Base64-encoded Ed25519 signature over the checkpoint's canonical JSON (excluding the `signature` field itself), produced with the host's advertised `auditLogIntegrity.checkpointPublicKey`."
+        }
+      },
+      "additionalProperties": false
+    },
+    "Anomaly": {
+      "type": "object",
+      "required": ["atSeq", "expectedPrevHash", "actualPrevHash"],
+      "properties": {
+        "atSeq": {
+          "type": "integer",
+          "minimum": 0,
+          "description": "Sequence number of the entry whose `prevHash` failed verification."
+        },
+        "expectedPrevHash": {
+          "type": "string",
+          "minLength": 1,
+          "description": "Hex-encoded SHA-256 the verifier computed from the prior entry's RFC 8785 JCS canonicalization."
+        },
+        "actualPrevHash": {
+          "type": "string",
+          "description": "The `prevHash` value the audit-log entry actually carries. Empty string when the field is missing (a structural anomaly distinct from a hash mismatch)."
+        }
+      },
+      "additionalProperties": false
+    }
+  }
+}

package/schemas/capabilities.schema.json

@@ -82,9 +82,80 @@
       "type": "object",
       "description": "Optional v1 per-run overlay schema — what `RunOptions.configurable` keys this server honors."
     },
+    "nodePackRuntimes": {
+      "type": "object",
+      "description": "Optional v1 advertisement of node-pack runtimes the host loads. See `node-packs.md` §runtime formats and RFC 0008 (WASM ABI). Hosts that don't load packs MAY omit this block entirely. NOTE: this block intentionally uses `additionalProperties: true` (here and on the nested runtime objects) so a future RFC may add a runtime type (e.g., `python-wasm`, `js-wasm`) without a breaking-change rev of this schema; the trade is that a strict-mode validator will accept arbitrary extra keys under these objects. A future RFC that promotes the open-set fields to first-class SHOULD tighten them to `additionalProperties: false` in the same RFC.",
+      "properties": {
+        "wasm": {
+          "type": "object",
+          "description": "WASM core-module runtime per RFC 0008. Hosts that load `runtime.language: \"wasm\"` packs MUST advertise `supported: true` and at least one entry in `abiVersions[]`. `additionalProperties: true` preserved for future RFC 0008 amendments (e.g., per-pack memory accounting fields).",
+          "required": ["supported"],
+          "properties": {
+            "supported": {
+              "type": "boolean",
+              "description": "Host loads RFC 0008 WASM packs."
+            },
+            "abiVersions": {
+              "type": "array",
+              "items": {
+                "type": "integer",
+                "minimum": 1
+              },
+              "uniqueItems": true,
+              "minItems": 1,
+              "description": "ABI versions the loader accepts. v1.1 hosts MUST include `1`. Packs declaring `openwop_abi_version()` outside this list MUST be rejected at load time per RFC 0008 §H."
+            },
+            "maxMemoryBytes": {
+              "type": "integer",
+              "minimum": 1048576,
+              "maximum": 8589934592,
+              "description": "Per-pack memory ceiling enforced by the host loader. Range: 1 MiB ≤ value ≤ 8 GiB. RFC 0008 §K — when a pack exceeds this, the host MUST emit `cap.breached` with `kind: \"wasm-memory\"`."
+            },
+            "loadedPacks": {
+              "type": "array",
+              "items": {
+                "type": "string",
+                "minLength": 1
+              },
+              "uniqueItems": true,
+              "description": "Pack names that passed instantiation (ABI check + load). Packs rejected per RFC 0008 §H MUST NOT appear here. Hosts MAY advertise this for observability; conformance asserts rejection by absence (Track 7)."
+            }
+          },
+          "additionalProperties": true
+        },
+        "wasmComponent": {
+          "type": "object",
+          "description": "WASM Component Model variant (WIT-defined interfaces). Reserved for hosts that load `runtime.language: \"wasm-component\"` packs. `additionalProperties: true` preserved until the Component Model spec stabilises in the v1.x line; tighten in the RFC that promotes wasm-component to a first-class runtime alongside `wasm`.",
+          "properties": {
+            "supported": { "type": "boolean" }
+          },
+          "additionalProperties": true
+        }
+      },
+      "additionalProperties": true
+    },
     "observability": {
       "type": "object",
-      "description": "Optional v1 hints about emitted spans/metrics/logs. See observability.md."
+      "description": "Optional v1 hints about emitted spans/metrics/logs. See observability.md.",
+      "properties": {
+        "otel": {
+          "type": "object",
+          "description": "OTel-specific advertisement. Hosts that emit OTLP traces/metrics MAY advertise the transport protocols they support so collectors can configure exporters accordingly. Track 11 follow-up.",
+          "properties": {
+            "exportProtocols": {
+              "type": "array",
+              "items": {
+                "type": "string",
+                "enum": ["http/json", "http/protobuf", "grpc"]
+              },
+              "uniqueItems": true,
+              "description": "OTLP export protocols the host supports emitting. `http/json` and `http/protobuf` are mandatory for hosts advertising OTel emission; `grpc` is opt-in per Track 11."
+            }
+          },
+          "additionalProperties": true
+        }
+      },
+      "additionalProperties": true
     },
     "minClientVersion": {
       "type": "string",
@@ -260,6 +331,55 @@
       },
       "additionalProperties": true
     },
+    "memory": {
+      "type": "object",
+      "description": "MemoryAdapter capability block per RFC 0004 + the optional compaction profile per RFC 0012. Hosts that don't wire any memory surface omit the entire block.",
+      "properties": {
+        "supported": {
+          "type": "boolean",
+          "description": "When `true`, host implements the four-operation MemoryAdapter contract (`list`, `get`, `put`, `delete`) per RFC 0004 §A."
+        },
+        "maxEntrySizeBytes": {
+          "type": "integer",
+          "minimum": 1,
+          "description": "Upper bound on `MemoryEntry.content` size. Hosts SHOULD reject `put` exceeding this with `validation_error`."
+        },
+        "ttlSupported": {
+          "type": "boolean",
+          "description": "When `true`, host honors `expiresAt` per RFC 0004 §E."
+        },
+        "compaction": {
+          "type": "object",
+          "description": "RFC 0012 Memory Compaction Profile (Accepted 2026-05-15). Hosts that distill many short-lived MemoryEntry rows into fewer long-lived ones MAY advertise here; advertising implies the SR-1 carry-forward invariant (`SECURITY/invariants.yaml` row `memory-compaction-sr-1-carry-forward`).",
+          "required": ["supported"],
+          "properties": {
+            "supported": {
+              "type": "boolean",
+              "description": "REQUIRED when the sub-block is present. When `true`, host performs compaction over `longTerm` memory and emits the `memory.compacted` event per `observability.md` §Canonical event vocabulary."
+            },
+            "trigger": {
+              "type": "string",
+              "enum": ["host-managed", "client-requested", "both"],
+              "description": "REQUIRED when `supported: true` per RFC 0012 §A (enforced via the `if/then` clause). `host-managed` runs on a host-internal schedule clients do not control. `client-requested` and `both` are reserved enum values; v1.x normates only `host-managed`."
+            },
+            "maxInputEntries": {
+              "type": "integer",
+              "minimum": 1,
+              "description": "Informational ceiling on how many source entries one compaction call collapses. Not wire-enforced."
+            },
+            "maxOutputBytes": {
+              "type": "integer",
+              "minimum": 0,
+              "description": "Informational ceiling on the distilled entry size. SHOULD be ≤ `memory.maxEntrySizeBytes`."
+            }
+          },
+          "additionalProperties": false,
+          "if": { "properties": { "supported": { "const": true } }, "required": ["supported"] },
+          "then": { "required": ["supported", "trigger"] }
+        }
+      },
+      "additionalProperties": true
+    },
     "conversationPrimitive": {
       "type": "boolean",
       "description": "Multi-Agent Shift Phase 4. When `true`, host advertises that it implements the `core.conversationGate` typeId AND honors the `conversation.start` / `conversation.exchange` / `conversation.close` suspend variants. Hosts that don't claim this fall back to `clarification.requested` interrupts for multi-turn user interjections."
@@ -281,6 +401,227 @@
         }
       },
       "additionalProperties": true
+    },
+    "production": {
+      "type": "object",
+      "description": "Production-profile advertisement (see production-profile.md). Optional in v1; absence means the host does not claim the openwop-production profile. When `supported: true`, the host claims every MUST in production-profile.md and conformance scenarios gated on this block MUST run. Landed by RFC 0009.",
+      "required": ["supported"],
+      "properties": {
+        "supported": {
+          "type": "boolean",
+          "description": "Host claims the openwop-production profile end-to-end (production-profile.md)."
+        },
+        "backpressure": {
+          "type": "object",
+          "description": "Backpressure envelope advertisement (production-profile.md §Backpressure).",
+          "properties": {
+            "supported": {
+              "type": "boolean",
+              "description": "Host returns 503 + Retry-After + canonical envelope under load per production-profile.md §Backpressure."
+            },
+            "inflightCap": {
+              "type": "integer",
+              "minimum": 1,
+              "description": "Optional host-side concurrent-inflight cap the conformance suite can saturate. When advertised, the production-backpressure scenario issues `inflightCap + 1` concurrent long-lived requests to deterministically force a 503. When absent, the scenario soft-skips the saturation step (envelope assertion still runs if a 503 happens to fire)."
+            },
+            "retryAfterSeconds": {
+              "type": "integer",
+              "minimum": 0,
+              "maximum": 86400,
+              "description": "Optional advertised Retry-After value in seconds the host returns on 503. When present, MUST equal both the `Retry-After` header and the `details.retryAfter` body field per production-profile.md. Upper bound 86400 (24h) — values beyond that are operationally indistinguishable from 'permanently denied'. Hosts needing longer holds SHOULD omit `Retry-After` entirely (RFC 0009 Q#2)."
+            }
+          },
+          "additionalProperties": false
+        },
+        "retention": {
+          "type": "object",
+          "description": "Event-retention advertisement (production-profile.md §\"Event retention\").",
+          "properties": {
+            "supported": {
+              "type": "boolean",
+              "description": "Host enforces event-log retention with a documented minimum window."
+            },
+            "minWindowSeconds": {
+              "type": "integer",
+              "minimum": 604800,
+              "description": "Documented minimum retention window in seconds. Per production-profile.md §\"Event retention\", MUST be ≥ 604800 (7 days) for public hosts; development-only hosts MAY advertise a smaller window but MUST NOT claim `supported: true` while doing so."
+            },
+            "testForceExpire": {
+              "type": "boolean",
+              "description": "Host exposes a test-only force-expire hook the conformance suite can call (URL/method supplied via `OPENWOP_TEST_FORCE_EXPIRE_URL` / `OPENWOP_TEST_FORCE_EXPIRE_METHOD` env vars). When `false`, the production-retention-expiry scenario asserts only the 410/404 envelope shape on an operator-supplied already-expired run id (via `OPENWOP_TEST_EXPIRED_RUN_ID`); otherwise it soft-skips. RFC 0009 unresolved question #1 — endpoint normation is deferred."
+            }
+          },
+          "additionalProperties": false
+        },
+        "debugBundle": {
+          "type": "object",
+          "description": "Debug-bundle truncation advertisement (production-profile.md §\"Debug bundle behavior\"). Stricter than the existing `capabilities.debugBundle.supported` advertised per debug-bundle.md — this block adds the production-profile MUSTs (truncation metadata, redaction).",
+          "properties": {
+            "supported": {
+              "type": "boolean",
+              "description": "Host claims production-profile debug-bundle behavior end-to-end."
+            },
+            "truncationMetadata": {
+              "type": "boolean",
+              "description": "When `true`, host surfaces `truncated: true` + non-empty `truncatedReason` per debug-bundle.md §\"Bundle size limits\" when caps are reached."
+            }
+          },
+          "additionalProperties": false
+        }
+      },
+      "additionalProperties": false
+    },
+    "auth": {
+      "type": "object",
+      "description": "Auth-profile advertisement (auth-profiles.md). Optional in v1; absence preserves the baseline bearer-token contract from auth.md. RFC 0010 formalized this block; `additionalProperties: true` permits existing informal usages (`auth.auditLogIntegrity` from the audit-log-integrity profile) to continue alongside the formal sub-blocks defined here.",
+      "properties": {
+        "profiles": {
+          "type": "array",
+          "items": { "type": "string", "minLength": 1 },
+          "uniqueItems": true,
+          "description": "Auth profiles the host claims. Canonical ids: `openwop-audit-log-integrity` (auth-profiles.md §Audit-log integrity), `openwop-auth-api-key-rotation`, `openwop-auth-oauth2-client-credentials`, `openwop-auth-oidc-user-bearer`, `openwop-auth-mtls`. Clients SHOULD tolerate unknown profile ids."
+        },
+        "rotation": {
+          "type": "object",
+          "description": "API-key rotation advertisement (auth-profiles.md §`openwop-auth-api-key-rotation`).",
+          "properties": {
+            "supported": {
+              "type": "boolean",
+              "description": "Host claims the openwop-auth-api-key-rotation profile (old+new key overlap during a documented grace window)."
+            },
+            "minGraceSeconds": {
+              "type": "integer",
+              "minimum": 0,
+              "description": "Minimum rotation grace window in seconds. auth-profiles.md SHOULDs production-profile hosts to ≥ 86400 (24h). The conformance scenario tolerates any non-negative value but warns in behavior mode when < 86400."
+            }
+          },
+          "additionalProperties": false
+        },
+        "oauth2": {
+          "type": "object",
+          "description": "OAuth2 client-credentials advertisement (auth-profiles.md §`openwop-auth-oauth2-client-credentials`).",
+          "properties": {
+            "supported": { "type": "boolean" },
+            "issuer": {
+              "type": "string",
+              "format": "uri",
+              "description": "Token issuer URL the host trusts. Tokens MUST carry a matching `iss` claim."
+            },
+            "audience": {
+              "type": "string",
+              "description": "Audience the host requires. Tokens MUST carry a matching `aud` claim."
+            },
+            "supportedAlgorithms": {
+              "type": "array",
+              "items": { "type": "string", "minLength": 1 },
+              "uniqueItems": true,
+              "description": "JWS signing algorithms the host accepts (canonical: RS256, ES256). Hosts MUST reject tokens signed with algorithms outside this list."
+            }
+          },
+          "additionalProperties": false
+        },
+        "oidc": {
+          "type": "object",
+          "description": "OIDC user-bearer advertisement (auth-profiles.md §`openwop-auth-oidc-user-bearer`).",
+          "properties": {
+            "supported": { "type": "boolean" },
+            "issuers": {
+              "type": "array",
+              "items": { "type": "string", "format": "uri" },
+              "minItems": 1,
+              "uniqueItems": true,
+              "description": "Trusted OIDC issuer URLs. The host accepts tokens whose `iss` claim matches any entry."
+            },
+            "audience": {
+              "type": "string",
+              "description": "Audience identifier the host requires in OIDC tokens."
+            },
+            "supportedScopeMapping": {
+              "type": "string",
+              "enum": ["group-claim", "scope-claim", "host-acl"],
+              "description": "How the host derives openwop scopes from the OIDC token. `group-claim`: from `groups` claim via host config. `scope-claim`: from `scope` claim directly. `host-acl`: from a host-side mapping table (sub → scope)."
+            },
+            "introspectionIntervalSeconds": {
+              "type": "integer",
+              "minimum": 0,
+              "description": "Maximum interval at which the host SHOULD re-introspect a cached token to detect IdP revocation. auth-profiles.md recommends `min(exp - now, 300)`."
+            }
+          },
+          "additionalProperties": false
+        },
+        "mtls": {
+          "type": "object",
+          "description": "mTLS advertisement (auth-profiles.md §`openwop-auth-mtls`).",
+          "properties": {
+            "supported": { "type": "boolean" },
+            "required": {
+              "type": "boolean",
+              "description": "When `true`, the host rejects bearer-only requests (mTLS required for all authenticated calls). When `false`, mTLS is optional and complements bearer auth."
+            },
+            "subjectMapping": {
+              "type": "string",
+              "enum": ["cn", "san-dns", "san-uri"],
+              "description": "How the host derives the transport principal from the client certificate. `cn`: subject CN. `san-dns`: subjectAltName DNS entry. `san-uri`: subjectAltName URI entry."
+            }
+          },
+          "additionalProperties": false
+        }
+      },
+      "additionalProperties": true
+    },
+    "discovery": {
+      "type": "object",
+      "description": "Discovery advertisement (capabilities-change-detection.md). Optional in v1; absence means the host serves only the public unauthenticated payload at /.well-known/openwop. Landed by RFC 0011.",
+      "properties": {
+        "authScoped": {
+          "type": "object",
+          "description": "Auth-scoped discovery advertisement (capabilities-change-detection.md §\"Scoped capability views\"). Hosts that return a different payload when called with Authorization than when called anonymously declare it here. The authenticated view MUST still satisfy the base capabilities.schema.json shape per the spec annex.",
+          "properties": {
+            "supported": {
+              "type": "boolean",
+              "description": "Host returns an authenticated/tenant-scoped capability view when the discovery endpoint is called with valid bearer credentials."
+            },
+            "mode": {
+              "type": "string",
+              "enum": ["same-endpoint", "extension-endpoint"],
+              "description": "How the host exposes the auth-scoped view. `same-endpoint`: the canonical /.well-known/openwop returns a narrowed/enriched view when authenticated. `extension-endpoint`: a separate host route carries the scoped view (path advertised via `endpointPath`). Hosts using the third pattern from the spec annex (documentation pointer in the public payload) MAY omit this field."
+            },
+            "endpointPath": {
+              "type": "string",
+              "pattern": "^/",
+              "description": "When `mode: \"extension-endpoint\"` is advertised, the leading-slash relative path the host serves the scoped view from. The conformance scenario hits this path with bearer credentials. Absolute URLs are rejected at the schema level."
+            }
+          },
+          "additionalProperties": false
+        }
+      },
+      "additionalProperties": false
+    },
+    "i18n": {
+      "type": "object",
+      "description": "Locale-negotiation advertisement per spec/v1/i18n.md. Optional in v1; absence means the host serves a single locale always (typically `en`). When `supported: true`, the host honors `Accept-Language` on every protected route and emits `Content-Language` on responses carrying localized text.",
+      "properties": {
+        "supported": {
+          "type": "boolean",
+          "description": "Host honors `Accept-Language` and returns localized human-facing text when negotiable."
+        },
+        "defaultLocale": {
+          "type": "string",
+          "pattern": "^[a-zA-Z]{2,3}(-[a-zA-Z0-9]{2,8}){0,3}$",
+          "description": "BCP 47 language tag the host falls back to when no `Accept-Language` matches `supportedLocales`. Default: `\"en\"` when omitted."
+        },
+        "supportedLocales": {
+          "type": "array",
+          "minItems": 1,
+          "uniqueItems": true,
+          "items": {
+            "type": "string",
+            "pattern": "^[a-zA-Z]{2,3}(-[a-zA-Z0-9]{2,8}){0,3}$"
+          },
+          "description": "BCP 47 tags of locales the host has validated end-to-end for human-facing text. MUST contain `defaultLocale` when both are present."
+        }
+      },
+      "additionalProperties": false
     }
   },
   "additionalProperties": true

package/schemas/node-pack-manifest.schema.json

@@ -192,8 +192,8 @@
       "properties": {
         "language": {
           "type": "string",
-          "enum": ["javascript", "python", "go", "wasm", "remote"],
-          "description": "How the engine loads the pack. See node-packs.md §runtime formats."
+          "enum": ["javascript", "python", "go", "wasm", "wasm-component", "remote"],
+          "description": "How the engine loads the pack. See node-packs.md §runtime formats. `wasm` is the core-module WASM ABI (RFC 0008). `wasm-component` is the WASM Component Model variant (WIT-defined interfaces); hosts that advertise `capabilities.nodePackRuntimes.wasmComponent.supported: true` load it via wasmtime / wasmer Component Model runtimes. Both share the openwop ABI envelope; the wasm-component variant uses WIT interfaces instead of hand-rolled imports/exports."
         },
         "entry": {
           "type": "string",
@@ -201,8 +201,8 @@
         },
         "format": {
           "type": "string",
-          "enum": ["esm", "cjs", "wheel", "binary", "shared-library", "wasm"],
-          "description": "Runtime-specific format hint. `esm`/`cjs` for JS, `wheel` for Python, `binary`/`shared-library` for Go, `wasm` for wasm."
+          "enum": ["esm", "cjs", "wheel", "binary", "shared-library", "wasm", "wasm-component"],
+          "description": "Runtime-specific format hint. `esm`/`cjs` for JS, `wheel` for Python, `binary`/`shared-library` for Go, `wasm` for core-module WASM (RFC 0008), `wasm-component` for WASM Component Model preview 3+ (WIT-defined interfaces, additive RFC 0008.1)."
         },
         "minRuntimeVersion": {
           "type": "string",