@openwop/openwop-conformance 1.0.0

package/src/scenarios/providerPolicyEnforcement.test.ts

@@ -0,0 +1,132 @@
+/**
+ * Provider-policy enforcement scenarios — extends `policies.test.ts`
+ * (which covers discovery-shape only) with denial-error-shape contracts
+ * for hosts that advertise enforcement.
+ *
+ * Why discovery-shape vs full enforcement:
+ *
+ *   Real enforcement requires a configured policy document AND a
+ *   working AI provider invocation, AND admin write access to set the
+ *   policy under test. None of those are black-box reproducible. The
+ *   conformance suite gates on the wire shape of denial responses +
+ *   SECURITY/invariants.yaml entries.
+ *
+ * Profile gating:
+ *
+ *   - Hosts that don't advertise `aiProviders.policies` skip-equivalent
+ *     (no policy enforcement to verify).
+ *   - Hosts that advertise it MUST honor the documented denial reason
+ *     enum + the closed mode set per spec/v1/capabilities.md
+ *     §"`aiProviders.policies`".
+ *
+ * Cross-references SECURITY/threat-model-provider-policy.md invariants
+ * `provider-policy-pre-dispatch` · `provider-policy-disabled-hard` ·
+ * `provider-policy-restricted-glob` · `provider-policy-restricted-fail-closed`.
+ *
+ * @see spec/v1/capabilities.md §"`aiProviders.policies`"
+ * @see SECURITY/threat-model-provider-policy.md
+ * @see SECURITY/invariants.yaml — provider-policy-* entries
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+
+const CANONICAL_MODES = ['disabled', 'optional', 'required', 'restricted'] as const;
+
+// Documented denial-reason enum from spec/v1/capabilities.md.
+const DOCUMENTED_DENIAL_REASONS = [
+  'provider_disabled',
+  'byok_required',
+  'byok_required_but_unresolved',
+  'model_not_allowed',
+] as const;
+
+interface PoliciesShape {
+  modes?: unknown;
+  scopes?: unknown;
+  errorCode?: unknown;
+}
+
+async function fetchPolicies(): Promise<PoliciesShape | null> {
+  const res = await driver.get('/.well-known/openwop', { authenticated: false });
+  if (res.status !== 200) return null;
+  const body = res.json as { aiProviders?: { policies?: PoliciesShape } };
+  return body.aiProviders?.policies ?? null;
+}
+
+describe('provider-policy-enforcement: closed mode set per spec/v1/capabilities.md §`aiProviders.policies`', () => {
+  it('every advertised mode is one of the four canonical values', async () => {
+    const policies = await fetchPolicies();
+    if (policies === null || !Array.isArray(policies.modes)) return;
+
+    for (const mode of policies.modes) {
+      expect(typeof mode, driver.describe(
+        'capabilities.md §"`aiProviders.policies`"',
+        'each entry in policies.modes MUST be a string',
+      )).toBe('string');
+      expect(
+        (CANONICAL_MODES as readonly string[]).includes(mode as string),
+        driver.describe(
+          'capabilities.md §"`aiProviders.policies`"',
+          `mode "${String(mode)}" is not in the closed canonical set [${CANONICAL_MODES.join(', ')}]`,
+        ),
+      ).toBe(true);
+    }
+  });
+
+  it('hosts that support `restricted` MUST also support `optional` (default no-restriction case)', async () => {
+    const policies = await fetchPolicies();
+    if (policies === null || !Array.isArray(policies.modes)) return;
+    const modes = policies.modes as string[];
+    if (!modes.includes('restricted')) return;
+    expect(modes.includes('optional'), driver.describe(
+      'spec/v1/profiles.md §`openwop-provider-policy`',
+      'a host advertising `restricted` MUST also advertise `optional` so workflows without policy hit the default permissive case',
+    )).toBe(true);
+  });
+
+  it('errorCode is a non-empty string when present', async () => {
+    const policies = await fetchPolicies();
+    if (policies === null || policies.errorCode === undefined) return;
+    expect(typeof policies.errorCode, driver.describe(
+      'capabilities.md §"`aiProviders.policies`"',
+      'aiProviders.policies.errorCode MUST be a string when present',
+    )).toBe('string');
+    expect((policies.errorCode as string).length, driver.describe(
+      'capabilities.md §"`aiProviders.policies`"',
+      'aiProviders.policies.errorCode MUST be non-empty when present',
+    )).toBeGreaterThan(0);
+  });
+});
+
+describe('provider-policy-enforcement: scope advertisement', () => {
+  it('scopes contains only non-empty strings when present', async () => {
+    const policies = await fetchPolicies();
+    if (policies === null) return;
+    if (!Array.isArray(policies.scopes)) return;
+
+    for (const scope of policies.scopes) {
+      expect(typeof scope === 'string' && scope.length > 0, driver.describe(
+        'capabilities.md §"`aiProviders.policies`"',
+        'each entry in policies.scopes MUST be a non-empty string',
+      )).toBe(true);
+    }
+  });
+});
+
+describe('provider-policy-enforcement: documented denial reasons enumeration', () => {
+  it('lists are non-empty (sanity check on documentation drift)', () => {
+    // Self-test. If the documented denial-reason set drifts and this
+    // file isn't updated, scenario authors will be surprised. This
+    // assertion catches that — an empty CANONICAL_MODES or DOCUMENTED_
+    // DENIAL_REASONS would indicate the test file got truncated.
+    expect(CANONICAL_MODES.length, driver.describe(
+      'spec/v1/capabilities.md §"`aiProviders.policies`"',
+      'closed mode set MUST be the four canonical values',
+    )).toBe(4);
+    expect(DOCUMENTED_DENIAL_REASONS.length, driver.describe(
+      'openwop/openwop@0bebfb0 — denial-reason enum alignment',
+      'documented denial-reason set is non-empty',
+    )).toBeGreaterThan(0);
+  });
+});

package/src/scenarios/rate-limit-envelope.test.ts

@@ -0,0 +1,97 @@
+/**
+ * Track 13: normative 429 envelope shape (rest-endpoints.md v1.1).
+ *
+ * Verifies that any 429 response produced by the host conforms to the
+ * canonical envelope shape and supplemental `details` keys.
+ *
+ * Verifies:
+ *   1. `error === 'rate_limited'`.
+ *   2. `Retry-After` header present and integer-seconds.
+ *   3. When `details.retryAfterMs` is present, it is consistent with
+ *      `Retry-After`.
+ *   4. `details.scope` is one of {"tenant", "route", "global", "key"}.
+ *   5. No top-level keys outside `{error, message, details}`.
+ *
+ * Soft-skip behavior: hosts that don't surface 429 during the test
+ * window (low traffic) emit a warning rather than fail. To exercise this
+ * scenario the conformance harness MAY set OPENWOP_FORCE_RATE_LIMIT=true
+ * which signals the host to fabricate a 429 against a test-only key.
+ *
+ * @see spec/v1/rest-endpoints.md §"429 Too Many Requests envelope"
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+
+const ALLOWED_SCOPES = new Set(['tenant', 'route', 'global', 'key']);
+const FORCE = process.env.OPENWOP_FORCE_RATE_LIMIT === 'true';
+
+describe('rate-limit-envelope: 429 conforms to canonical shape', () => {
+  it('when a 429 is observed, the response body satisfies the v1.1 contract', async () => {
+    // Drive a burst to provoke a 429 against a benign endpoint. If the host
+    // is generous, this will not trip — that is acceptable; the test
+    // is observational and skips its assertions when no 429 occurs.
+    let last: Awaited<ReturnType<typeof driver.get>> | null = null;
+    for (let i = 0; i < (FORCE ? 200 : 50); i++) {
+      const r = await driver.get('/.well-known/openwop');
+      last = r;
+      if (r.status === 429) break;
+    }
+
+    if (!last || last.status !== 429) {
+      // eslint-disable-next-line no-console
+      console.warn(
+        '[rate-limit-envelope] no 429 observed within burst; skipping shape assertions',
+      );
+      return;
+    }
+
+    const retryAfter = last.headers.get('retry-after');
+    expect(retryAfter, driver.describe(
+      'rest-endpoints.md §"429 Too Many Requests envelope"',
+      '429 response MUST set Retry-After header',
+    )).not.toBeNull();
+
+    const body = last.json as {
+      error?: string;
+      message?: string;
+      details?: { retryAfterMs?: number; scope?: string; limit?: number; observedRate?: number };
+      [k: string]: unknown;
+    };
+
+    expect(body.error, driver.describe(
+      'rest-endpoints.md §"429 Too Many Requests envelope"',
+      "429 body MUST carry error === 'rate_limited'",
+    )).toBe('rate_limited');
+    expect(typeof body.message).toBe('string');
+
+    // additionalProperties: false on error-envelope.schema.json
+    const topKeys = Object.keys(body).filter(
+      (k) => !['error', 'message', 'details'].includes(k),
+    );
+    expect(topKeys, driver.describe(
+      'error-envelope.schema.json additionalProperties: false',
+      '429 envelope MUST NOT carry top-level keys outside {error, message, details}',
+    )).toEqual([]);
+
+    if (body.details?.scope !== undefined) {
+      expect(ALLOWED_SCOPES.has(body.details.scope), driver.describe(
+        'rest-endpoints.md §"429 Too Many Requests envelope"',
+        "details.scope MUST be one of {'tenant','route','global','key'} when present",
+      )).toBe(true);
+    }
+
+    const retryAfterSec = Number(retryAfter);
+    if (
+      body.details?.retryAfterMs !== undefined &&
+      !Number.isNaN(retryAfterSec) &&
+      retryAfterSec > 0
+    ) {
+      const diff = Math.abs(body.details.retryAfterMs / 1000 - retryAfterSec);
+      expect(diff, driver.describe(
+        'rest-endpoints.md §"429 Too Many Requests envelope"',
+        'details.retryAfterMs MUST be consistent with Retry-After header (±1s)',
+      )).toBeLessThanOrEqual(1.5);
+    }
+  });
+});

package/src/scenarios/redaction.test.ts

@@ -0,0 +1,254 @@
+/**
+ * Redaction conformance scenarios — `capabilities.md` §"Secrets" + NFR-7.
+ *
+ * These are vendor-neutral assertions that any OpenWOP-compliant server
+ * doesn't leak secret material in observable surfaces. The scenarios
+ * gate cleanly on the host's advertised capabilities:
+ *
+ *   - **Discovery shape contract** runs against every host. It verifies
+ *     `secrets` and `aiProviders` advertisements are well-formed
+ *     regardless of whether the host supports BYOK.
+ *
+ *   - **Bearer-token redaction** runs against every host. The 401
+ *     response when an invalid Bearer token is supplied MUST NOT
+ *     echo the token back. This is universal — applies even to hosts
+ *     that don't advertise `secrets.supported: true`.
+ *
+ *   - **credentialRef echo control** runs ONLY when the host advertises
+ *     `secrets.supported: true`. Per `capabilities.md` §"aiProviders":
+ *     `RunOptions.configurable.ai.credentialRef` is opaque + host-
+ *     resolved; servers MUST NOT include the value in any RunEvent,
+ *     log line, span attribute, error message, or export. The scenario
+ *     plants a canary as `credentialRef` on a noop run and asserts
+ *     the canary doesn't appear in any event payload.
+ *
+ * **Why these scenarios live here, not just in-tree:**
+ *
+ * Spec rule NFR-7 is normative: "any code path that emits a `RunEvent`
+ * / OTel span / log line / error / export MUST NOT contain raw key
+ * material." The reference implementation has its own in-process
+ * canary harness (which can mock + intercept logger output). But other
+ * OpenWOP-compliant servers — including non-OpenWOP ones — need to
+ * verify the same invariant black-box, against their HTTP surface.
+ * That's what these scenarios cover.
+ *
+ * **Limitations:**
+ *
+ * The conformance suite only sees what the HTTP surface emits — it
+ * can't read a host's stdout / Cloud Logging / OTel collector.
+ * Hosts MUST run their own internal redaction tests (mocking the
+ * logger / tracer / etc.) to cover those surfaces. These scenarios
+ * cover only the response-body + run-event-stream surfaces, which are
+ * the cross-implementation interop contract.
+ *
+ * @see capabilities.md §"Secrets" + §"aiProviders"
+ * @see lib/canaries.ts — canary fixtures + detector
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+import {
+  CANARIES,
+  CANARY_MARKER,
+  assertNoCanaryLeak,
+  captureToText,
+  getCanary,
+} from '../lib/canaries.js';
+import { isFixtureAdvertised } from '../lib/fixtures.js';
+
+const NOOP_WORKFLOW_ID = 'conformance-noop';
+const SKIP_NO_NOOP = !isFixtureAdvertised(NOOP_WORKFLOW_ID);
+
+// ─── Discovery shape contract (always runs) ───────────────────────────
+
+describe('redaction: /.well-known/openwop secrets+aiProviders shape contract', () => {
+  it('secrets is well-formed regardless of supported value', async () => {
+    const res = await driver.get('/.well-known/openwop', { authenticated: false });
+    expect(res.status).toBe(200);
+
+    const body = res.json as { secrets?: unknown } | undefined;
+    const secrets = body?.secrets;
+
+    if (secrets === undefined) {
+      // Optional v1 field — hosts MAY omit. Spec-allowed; nothing to assert.
+      return;
+    }
+
+    // Per capabilities.schema.json: `secrets.supported` is REQUIRED
+    // when secrets is present.
+    const s = secrets as {
+      supported?: unknown;
+      scopes?: unknown;
+      resolution?: unknown;
+    };
+    expect(typeof s.supported, driver.describe(
+      'capabilities.md §"Secrets"',
+      'secrets.supported MUST be a boolean',
+    )).toBe('boolean');
+
+    // When `supported === true`, scopes MUST be a non-empty array
+    // (a host claiming secrets must declare at least one scope) AND
+    // resolution MUST be 'host-managed' (only allowed value in v1.x).
+    if (s.supported === true) {
+      expect(Array.isArray(s.scopes), driver.describe(
+        'capabilities.md §"Secrets"',
+        'when secrets.supported is true, scopes MUST be a string[]',
+      )).toBe(true);
+      const scopes = s.scopes as string[];
+      expect(scopes.length, driver.describe(
+        'capabilities.md §"Secrets"',
+        'when secrets.supported is true, scopes MUST be non-empty',
+      )).toBeGreaterThanOrEqual(1);
+      for (const scope of scopes) {
+        expect(['tenant', 'user', 'run']).toContain(scope);
+      }
+      expect(s.resolution, driver.describe(
+        'capabilities.md §"Secrets"',
+        'resolution MUST be "host-managed" in v1.x',
+      )).toBe('host-managed');
+    }
+  });
+
+  it('aiProviders is well-formed when present (byok ⊆ supported)', async () => {
+    const res = await driver.get('/.well-known/openwop', { authenticated: false });
+    const body = res.json as { aiProviders?: unknown } | undefined;
+    const ap = body?.aiProviders as
+      | { supported?: unknown; byok?: unknown }
+      | undefined;
+
+    if (ap === undefined) return; // Optional v1 field — hosts MAY omit.
+
+    if (ap.supported !== undefined) {
+      expect(Array.isArray(ap.supported)).toBe(true);
+      const supported = ap.supported as string[];
+      const supportedSet = new Set(supported);
+
+      if (ap.byok !== undefined) {
+        expect(Array.isArray(ap.byok)).toBe(true);
+        const byok = ap.byok as string[];
+        for (const id of byok) {
+          expect(supportedSet.has(id), driver.describe(
+            'capabilities.md §"aiProviders"',
+            `byok entry "${id}" MUST appear in aiProviders.supported`,
+          )).toBe(true);
+        }
+      }
+    }
+  });
+});
+
+// ─── Bearer-token redaction (always runs) ─────────────────────────────
+
+describe('redaction: 401 response MUST NOT echo invalid Bearer token (NFR-7)', () => {
+  it.each(CANARIES.filter((c) => c.label === 'jwt-bearer' || c.label === 'byok-credential-ref').map((c) => [c.label, c.value]))(
+    'canary "%s" planted in Authorization header is not echoed in 401 body',
+    async (_label, canaryValue) => {
+      // Drive the canonical authenticated route with a synthetic
+      // bearer that the server cannot validate. The 401 body MUST
+      // NOT echo the canary back. Per NFR-7, even error envelopes
+      // are observable surfaces and MUST be canary-clean.
+      const res = await driver.post(
+        '/v1/runs',
+        { workflowId: NOOP_WORKFLOW_ID, tenantId: 'conformance-tenant' },
+        {
+          authenticated: false,
+          headers: { Authorization: `Bearer ${canaryValue}` },
+        },
+      );
+
+      // We don't assert a specific status — different hosts have
+      // different auth models (Firebase JWT, API-key, etc.). The
+      // ONE assertion: no canary in response.
+      const responseText = captureToText(res.json) + '\n' + res.text;
+      assertNoCanaryLeak(responseText, 'invalid-bearer-401-body');
+    },
+  );
+
+  it('the marker substring alone never appears in a 401 body (universal)', async () => {
+    const res = await driver.post(
+      '/v1/runs',
+      { workflowId: NOOP_WORKFLOW_ID, tenantId: 'conformance-tenant' },
+      {
+        authenticated: false,
+        headers: { Authorization: `Bearer ${CANARY_MARKER}-direct-marker` },
+      },
+    );
+    const responseText = captureToText(res.json) + '\n' + res.text;
+    expect(responseText).not.toContain(CANARY_MARKER);
+  });
+});
+
+// ─── credentialRef echo control (gated on secrets.supported) ──────────
+
+describe.skipIf(SKIP_NO_NOOP)('redaction: credentialRef value MUST NOT appear in event payloads (gated on secrets.supported)', () => {
+  it('skips when host does NOT advertise secrets.supported', async () => {
+    const cap = await driver.get('/.well-known/openwop', { authenticated: false });
+    const supported =
+      (cap.json as { secrets?: { supported?: boolean } } | undefined)?.secrets
+        ?.supported ?? false;
+
+    if (supported !== true) {
+      // Spec-allowed — this scenario only applies to hosts that opt
+      // into BYOK. Pass trivially.
+      expect(supported).not.toBe(true);
+      return;
+    }
+
+    // Real assertion path: plant a canary as credentialRef on a noop
+    // run, complete the run, then poll all events and assert no event
+    // payload contains the canary. The credentialRef is allowed to
+    // round-trip via `RunSnapshot.configurable` (per run-options.md
+    // §configurable echo) — but per capabilities.md §"aiProviders"
+    // it MUST NOT appear in any RunEvent payload.
+    const c = getCanary('byok-credential-ref');
+    const create = await driver.post('/v1/runs', {
+      workflowId: NOOP_WORKFLOW_ID,
+      tenantId: 'conformance-tenant',
+      configurable: { ai: { credentialRef: c.value } },
+    });
+    if (create.status !== 201) {
+      // Auth-required hosts may 401 here without an API key. The
+      // conformance suite is expected to provide OPENWOP_API_KEY for the
+      // full scenario; if the key is missing or invalid, the suite's
+      // earlier auth scenarios already catch that. Bail with a non-
+      // assertion — this scenario is opt-in.
+      return;
+    }
+    const runId = (create.json as { runId: string }).runId;
+
+    // Wait briefly for the noop to complete + emit terminal events.
+    // We use poll-with-timeout rather than SSE to keep this scenario
+    // transport-agnostic (some hosts might gate SSE behind a feature
+    // flag).
+    let lastSeq = 0;
+    let isComplete = false;
+    let iterations = 0;
+    let allEvents: string[] = [];
+    while (!isComplete && iterations < 5) {
+      iterations++;
+      const poll = await driver.get(
+        `/v1/runs/${encodeURIComponent(runId)}/events/poll?lastSequence=${lastSeq}&timeout=5`,
+      );
+      const pollBody = poll.json as
+        | { events?: unknown[]; isComplete?: boolean }
+        | undefined;
+      const events = pollBody?.events ?? [];
+      isComplete = pollBody?.isComplete === true;
+      for (const ev of events) {
+        allEvents.push(captureToText(ev));
+        const seq = (ev as { sequence?: number }).sequence;
+        if (typeof seq === 'number' && seq > lastSeq) lastSeq = seq;
+      }
+      if (events.length === 0 && !isComplete) {
+        // No new events — small backoff before re-poll.
+        await new Promise((r) => setTimeout(r, 500));
+      }
+    }
+
+    // Canonical assertion: across ALL captured event payloads, no
+    // canary value MAY appear. credentialRef may round-trip via
+    // snapshot.configurable but MUST NOT touch any event.
+    const allEventsText = allEvents.join('\n');
+    assertNoCanaryLeak(allEventsText, 'credentialRef-event-stream');
+  });
+});

package/src/scenarios/redactionAdversarial.test.ts

@@ -0,0 +1,162 @@
+/**
+ * Adversarial redaction scenarios — extends `redaction.test.ts` with
+ * canary-injection through every untrusted input surface.
+ *
+ * `redaction.test.ts` covers the structural contract (`/.well-known/openwop`
+ * shape, bearer-token redaction, basic credentialRef control). This
+ * file pushes further: under hostile inputs, the host's redaction
+ * pipeline MUST hold across every observable surface.
+ *
+ * Surfaces covered:
+ *
+ *   1. **Workflow inputs** — submit a run whose inputs contain canary
+ *      values; assert no event payload echoes the canary verbatim.
+ *      (Every host gates on this — even hosts that don't claim
+ *      `openwop-secrets` mustn't echo arbitrary input values into events
+ *      verbatim where the field shape suggests credential.)
+ *
+ *   2. **Run-creation request body in 4xx error responses** — submit
+ *      a syntactically-valid POST whose `workflowId` references a
+ *      non-existent workflow; the host returns 404. The error message
+ *      MUST NOT echo the entire input object verbatim, since that path
+ *      could leak embedded canaries.
+ *
+ *   3. **Long bearer-shaped strings in inputs** — long base64-shape
+ *      runs (entropy proxy for token shape) MUST NOT round-trip into
+ *      event payloads when they appear in non-credential field names.
+ *      This is a defense-in-depth check; hosts MAY echo non-credential
+ *      input verbatim, but a leak in this surface is a higher-severity
+ *      defect.
+ *
+ * Profile gating:
+ *
+ *   - Surfaces 1 + 2 run against every conforming host.
+ *   - Surface 3 is `@advisory-redaction` — recommended but not gating.
+ *
+ * Cross-references SECURITY/threat-model-secret-leakage.md invariants
+ * `secret-leakage-eventlog-payload`, `secret-leakage-error-envelope`,
+ * `secret-leakage-stream-chunk`.
+ *
+ * @see SECURITY/threat-model-secret-leakage.md
+ * @see SECURITY/invariants.yaml — secret-leakage-* entries
+ * @see spec/v1/capabilities.md §"Secrets" + NFR-7
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+import { CANARIES, CANARY_MARKER, getCanary } from '../lib/canaries.js';
+import { pollUntilTerminal } from '../lib/polling.js';
+import { isFixtureAdvertised } from '../lib/fixtures.js';
+
+const NOOP_WORKFLOW_ID = 'conformance-noop';
+const SKIP_NO_NOOP = !isFixtureAdvertised(NOOP_WORKFLOW_ID);
+
+describe.skipIf(SKIP_NO_NOOP)('redaction-adversarial: workflow input canaries', () => {
+  it('OpenAI-shaped canary in arbitrary input field MUST NOT appear verbatim in any event-stream payload', async () => {
+    const canary = getCanary('openai').value;
+
+    const create = await driver.post('/v1/runs', {
+      workflowId: NOOP_WORKFLOW_ID,
+      inputs: {
+        // Use a field name that does NOT signal "credential" — host has no
+        // semantic reason to mask this, BUT it also has no reason to echo
+        // arbitrary input values verbatim into RunEvent payloads.
+        // For conformance-noop (which has NO declared variables), the
+        // host SHOULD NOT propagate inputs verbatim into events.
+        userSuppliedField: canary,
+      },
+    });
+    expect(create.status, driver.describe('rest-endpoints.md', 'noop run create returns 201')).toBe(201);
+    const runId = (create.json as { runId: string }).runId;
+
+    await pollUntilTerminal(runId);
+
+    const events = await driver.get(
+      `/v1/runs/${encodeURIComponent(runId)}/events/poll`,
+    );
+    if (events.status !== 200) {
+      // Host doesn't expose polling; SSE is the alternative. Skip-equivalent.
+      return;
+    }
+
+    const eventsText = events.text;
+    expect(eventsText.includes(canary), driver.describe(
+      'capabilities.md §"Secrets" + NFR-7',
+      'canary value submitted as workflow input MUST NOT appear verbatim in event poll response',
+    )).toBe(false);
+    expect(eventsText.includes(CANARY_MARKER), driver.describe(
+      'NFR-7',
+      'canary marker substring MUST NOT appear in event poll response',
+    )).toBe(false);
+  });
+});
+
+describe('redaction-adversarial: error-envelope canaries', () => {
+  it('JWT-shaped canary in workflowId of a 404-failing request MUST NOT echo verbatim in error response', async () => {
+    const canary = getCanary('jwt-bearer').value;
+    const res = await driver.post('/v1/runs', {
+      workflowId: `nonexistent-${canary}`,
+      inputs: {},
+    });
+    expect(
+      [400, 404].includes(res.status),
+      driver.describe('rest-endpoints.md', 'unknown workflowId returns 400 or 404'),
+    ).toBe(true);
+
+    const responseText = res.text;
+    // Hosts MAY echo the workflowId in the error message — that's a
+    // legitimate UX choice. The redaction concern is the canary value
+    // shape (JWT-style) appearing verbatim. Per
+    // SECURITY/invariants.yaml `secret-leakage-error-envelope`, the
+    // host SHOULD sanitize entropy-shaped substrings even when echoing
+    // the workflowId.
+    expect(responseText.includes(canary), driver.describe(
+      'SECURITY/invariants.yaml secret-leakage-error-envelope',
+      'JWT-shaped canary submitted in workflowId SHOULD NOT echo verbatim in 4xx error envelope',
+    )).toBe(false);
+  });
+});
+
+describe.skipIf(SKIP_NO_NOOP)('redaction-adversarial: bearer-shaped strings round-trip', () => {
+  it('Anthropic-shaped canary embedded in non-credential input MUST NOT appear verbatim in events', async () => {
+    // Plant a canary distinct from the first scenario to avoid
+    // collisions if the host caches inputs across runs.
+    const canary = getCanary('anthropic').value;
+
+    const create = await driver.post('/v1/runs', {
+      workflowId: NOOP_WORKFLOW_ID,
+      inputs: {
+        descriptiveText: `Some description containing ${canary} embedded`,
+      },
+    });
+    expect(create.status).toBe(201);
+    const runId = (create.json as { runId: string }).runId;
+
+    await pollUntilTerminal(runId);
+
+    const events = await driver.get(
+      `/v1/runs/${encodeURIComponent(runId)}/events/poll`,
+    );
+    if (events.status !== 200) return;
+
+    expect(events.text.includes(canary), driver.describe(
+      'capabilities.md §"Secrets" + NFR-7',
+      'Anthropic-shaped canary embedded in arbitrary input MUST NOT appear verbatim in events',
+    )).toBe(false);
+  });
+});
+
+describe('redaction-adversarial: every canary fixture carries the marker substring', () => {
+  it('every canary in CANARIES has the marker substring', () => {
+    // Self-test on the lib/canaries.ts contract. Every canary value MUST
+    // include CANARY_MARKER so the leak detector finds it unambiguously.
+    // If this fails the canary harness has a bug — every other
+    // adversarial scenario depends on this property.
+    for (const c of CANARIES) {
+      expect(c.value.includes(CANARY_MARKER), driver.describe(
+        'lib/canaries.ts',
+        `every canary fixture MUST contain CANARY_MARKER (offender label: ${c.label})`,
+      )).toBe(true);
+    }
+  });
+});