@openwop/openwop-conformance 1.1.0 → 1.1.1

package/README.md

@@ -92,7 +92,7 @@ Exit code is non-zero on any failed assertion.
 
 ## What's Covered
 
-The current suite has 103 scenario files under `src/scenarios/`. This includes 18 Multi-Agent Shift scenarios (Phases 1-5) added 2026-05-10, the `registry-public.test.ts` public-registry healthcheck added 2026-05-11 (opt-in via `OPENWOP_TEST_PUBLIC_REGISTRY=true`), the `replay-llm-cache-key.test.ts` placeholder added 2026-05-11 (three `it.todo()` cases for the cross-host LLM cache-key recipe per `replay.md` §"LLM cache-key recipe"), the two `production-*.test.ts` scenarios added 2026-05-11 for the `openwop-production` profile per RFC 0009 (`production-backpressure.test.ts`, `production-retention-expiry.test.ts`), the four `auth-*.test.ts` scenarios added 2026-05-11/12 for the production-auth profiles per RFC 0010 (`auth-api-key-rotation.test.ts`, `auth-oauth2-client-credentials.test.ts`, `auth-oidc-user-bearer.test.ts`, `auth-mtls.test.ts` (opt-in via `OPENWOP_TEST_MTLS=1`)), `replay-retention-expiry.test.ts` added 2026-05-12 (capability shape + 410/422 envelope per `replay.md` §"Retention and garbage collection"), `bulk-cancel.test.ts` added 2026-05-12 (Phase B close-out of R1 — `POST /v1/runs:bulk-cancel`), the two Phase H launch-blocker advertisement-contract scenarios added 2026-05-12 (`mcp-toolcall-redaction.test.ts` for the MCP-1 invariant per `host-capabilities.md §host.mcp` + `threat-model-prompt-injection.md §UNTRUSTED`, and `http-client-ssrf.test.ts` for the SSRF + body-size cap advertisement contract on `capabilities.httpClient`), and the `wasm-pack-abi-version-rejection.test.ts` Track 7 scenario added 2026-05-12 for the ABI-mismatch positive path via the `vendor.openwop.misbehaving-abi` pack per RFC 0008 §H. The maintained scenario-to-spec map lives in [`coverage.md`](./coverage.md); this README keeps the operator quickstart and the historical scenario notes below.
+The current suite has 107 scenario files under `src/scenarios/`. This includes 18 Multi-Agent Shift scenarios (Phases 1-5) added 2026-05-10, the `registry-public.test.ts` public-registry healthcheck added 2026-05-11 (opt-in via `OPENWOP_TEST_PUBLIC_REGISTRY=true`), the `replay-llm-cache-key.test.ts` placeholder added 2026-05-11 (three `it.todo()` cases for the cross-host LLM cache-key recipe per `replay.md` §"LLM cache-key recipe"), the two `production-*.test.ts` scenarios added 2026-05-11 for the `openwop-production` profile per RFC 0009 (`production-backpressure.test.ts`, `production-retention-expiry.test.ts`), the four `auth-*.test.ts` scenarios added 2026-05-11/12 for the production-auth profiles per RFC 0010 (`auth-api-key-rotation.test.ts`, `auth-oauth2-client-credentials.test.ts`, `auth-oidc-user-bearer.test.ts`, `auth-mtls.test.ts` (opt-in via `OPENWOP_TEST_MTLS=1`)), `replay-retention-expiry.test.ts` added 2026-05-12 (capability shape + 410/422 envelope per `replay.md` §"Retention and garbage collection"), `bulk-cancel.test.ts` added 2026-05-12 (Phase B close-out of R1 — `POST /v1/runs:bulk-cancel`), the two Phase H launch-blocker advertisement-contract scenarios added 2026-05-12 (`mcp-toolcall-redaction.test.ts` for the MCP-1 invariant per `host-capabilities.md §host.mcp` + `threat-model-prompt-injection.md §UNTRUSTED`, and `http-client-ssrf.test.ts` for the SSRF + body-size cap advertisement contract on `capabilities.httpClient`), the `wasm-pack-abi-version-rejection.test.ts` Track 7 scenario added 2026-05-12 for the ABI-mismatch positive path via the `vendor.openwop.misbehaving-abi` pack per RFC 0008 §H, the `otel-trace-propagation-subworkflow.test.ts` Track 11 close-out added 2026-05-13 (parent + child run spans share the inbound traceparent's traceId across the `core.subWorkflow` dispatch boundary), and the three RFC 0012 (Memory Compaction Profile, `Active`) scenarios added 2026-05-13/14: `memory-compaction-sr1-carry-forward.test.ts` (load-bearing SR-1 §D), `memory-compaction-event-emitted.test.ts` (canonical §B payload shape), and `memory-compaction-provenance-tag.test.ts` (soft assertion on §C `compacted-from:<id>` convention). All three gate on `capabilities.memory.compaction.supported` + the host's test seam at `/v1/test/memory/{seed,compact}` (Postgres reference host enables both via `OPENWOP_MEMORY_COMPACTION=true OPENWOP_TEST_TRIGGER_COMPACTION=true`). The maintained scenario-to-spec map lives in [`coverage.md`](./coverage.md); this README keeps the operator quickstart and the historical scenario notes below.
 
 High-level coverage includes:
 
@@ -171,7 +171,7 @@ Server-required (added in 1.7.0):
 |---|---|---|
 | **Redaction** | [`capabilities.md`](../spec/v1/capabilities.md) §"Secrets" + NFR-7 + §"aiProviders" | Vendor-neutral assertions that the server doesn't leak secret material. Three scenario groups: (a) discovery shape contract — `secrets` + `aiProviders` advertisements are well-formed regardless of `secrets.supported`; when `supported === true`, scopes MUST be non-empty + `resolution === 'host-managed'`; `byok ⊆ supported`. (b) bearer-token redaction — invalid Bearer canary in `Authorization` header is not echoed in the 401 response body. (c) credentialRef echo control — gated on `secrets.supported === true`; canary planted in `configurable.ai.credentialRef` MUST NOT appear in any RunEvent payload (poll-based capture; transport-agnostic). Uses runtime-built canary fixtures (`lib/canaries.ts`) that defeat static secret scanners. 6 scenarios. |
 
-Current source tree: 103 scenario files. Use [`coverage.md`](./coverage.md) for current grade/gap tracking.
+Current source tree: 107 scenario files. Use [`coverage.md`](./coverage.md) for current grade/gap tracking.
 
 ## Remaining Gaps
 

package/coverage.md

@@ -22,7 +22,7 @@
 | Sub-workflows and dispatch | `subworkflow.test.ts`, `multi-node-ordering.test.ts` | B+ | Parallel fan-out floors by scale tier, parent/child cancellation. |
 | Node packs and registry | `pack-registry.test.ts`, `pack-registry-publish.test.ts`, `maliciousManifest.test.ts`, `wasm-pack-load.test.ts`, `wasm-pack-invoke-completed.test.ts`, `wasm-pack-invoke-suspended.test.ts`, `wasm-pack-replay-determinism.test.ts`, `wasm-pack-memory-cap.test.ts`, `wasm-pack-abi-version-rejection.test.ts` | A | RFC 0008 WASM ABI scenarios landed 2026-05-10; gated on `capabilities.nodePackRuntimes.wasm.supported`. Memory-cap positive path closed 2026-05-12 via `examples/packs/rust-misbehaving-memory/` + in-memory loader's `memory.grow` probe + `capBreached.kind` schema extension. ABI-mismatch positive path closed 2026-05-12 via `examples/packs/rust-misbehaving-abi/` (declares ABI 999) + new `capabilities.nodePackRuntimes.wasm.loadedPacks[]` discovery field (rejected packs omitted). Remaining: hosted registry interoperability once `packs.openwop.dev` exists. |
 | Secrets and redaction | `redaction.test.ts`, `redactionAdversarial.test.ts`, `byok-roundtrip.test.ts` | A- | Cross-provider BYOK matrix and debug-bundle redaction under high volume. |
-| Observability and diagnostics | `cost-attribution.test.ts`, `debugBundle.test.ts`, `otel-emission.test.ts`, `otel-trace-propagation.test.ts`, `metric-emission.test.ts`, `otel-emission-grpc.test.ts` | A | OTLP collector accepts all three OTLP transports: HTTP-JSON (2026-05-11), HTTP-protobuf (2026-05-12), gRPC over h2c HTTP/2 (2026-05-12 — hand-rolled framing at `conformance/src/lib/grpc-framing.ts`). Zero new npm deps for any of them. Opt-in via `OPENWOP_OTEL_COLLECTOR=true` (+ `OPENWOP_OTEL_COLLECTOR_GRPC=true` for the gRPC variant). Hosts advertise supported transports via `capabilities.observability.otel.exportProtocols ⊆ {http/json, http/protobuf, grpc}`; conformance scenario gates on the array. |
+| Observability and diagnostics | `cost-attribution.test.ts`, `debugBundle.test.ts`, `otel-emission.test.ts`, `otel-trace-propagation.test.ts`, `otel-trace-propagation-subworkflow.test.ts`, `metric-emission.test.ts`, `otel-emission-grpc.test.ts` | A | OTLP collector accepts all three OTLP transports: HTTP-JSON (2026-05-11), HTTP-protobuf (2026-05-12), gRPC over h2c HTTP/2 (2026-05-12 — hand-rolled framing at `conformance/src/lib/grpc-framing.ts`). Zero new npm deps for any of them. Opt-in via `OPENWOP_OTEL_COLLECTOR=true` (+ `OPENWOP_OTEL_COLLECTOR_GRPC=true` for the gRPC variant). Hosts advertise supported transports via `capabilities.observability.otel.exportProtocols ⊆ {http/json, http/protobuf, grpc}`; conformance scenario gates on the array. Trace-context propagation closed 2026-05-13 with `otel-trace-propagation-subworkflow.test.ts` asserting parent + child spans share the inbound traceparent across the `core.subWorkflow` dispatch boundary. |
 | Fixtures and corpus validity | `fixtures-valid.test.ts`, `fixtures-gating.test.ts`, `spec-corpus-validity.test.ts` | A | Keep fixture manifest synchronized as new optional profiles land. |
 | Run control — pause/resume | `pause-resume.test.ts` | B | Lifecycle + 409-on-non-paused covered; remaining: pause-during-suspend race, immediate-vs-drain-current-node policy assertion. |
 | Rate-limit envelope | `rate-limit-envelope.test.ts` | B− | Shape validation when 429 observed; remaining: deterministic 429-induction harness so the scenario reliably triggers under CI. |
@@ -48,8 +48,8 @@ Seventeen scenarios (or scenario groups) validate optional profiles where the ho
 | `webhook-sig-algorithm.test.ts` | `X-openwop-Signature-Algorithm: v1` (`webhooks.md`) | C+ (discovery shape) | `host-pending` | End-to-end signed delivery against a test receiver |
 | `pause-resume.test.ts` | `pauseRun` / `resumeRun` lifecycle (`rest-endpoints.md`) | B (lifecycle + 409-on-non-paused) | partial | Pause-during-suspend race; immediate-vs-drain policy assertion |
 | `append-ordering.test.ts` | `append` reducer ordering (`channels-and-reducers.md`) | B (intra-engine) | partial | Cross-engine multi-engine fixture |
-| `otel-emission.test.ts`, `otel-emission-grpc.test.ts` | `openwop.*` OTel spans (`observability.md`) | A (OTLP/HTTP-JSON + OTLP/HTTP-protobuf + OTLP/gRPC all accepted; collector content-type-routes JSON/protobuf and the gRPC HTTP/2 path frame-decodes via `grpc-framing.ts`) | full | Cross-host trace-context propagation across `core.subWorkflow` (filed under `otel-trace-propagation.test.ts` Remaining) |
-| `otel-trace-propagation.test.ts` | W3C trace-context propagation (`observability.md`) | B (trace continuity across `runs:fork` + interrupt resolve) | partial | Cross-host propagation across `core.subWorkflow` invocation |
+| `otel-emission.test.ts`, `otel-emission-grpc.test.ts` | `openwop.*` OTel spans (`observability.md`) | A (OTLP/HTTP-JSON + OTLP/HTTP-protobuf + OTLP/gRPC all accepted; collector content-type-routes JSON/protobuf and the gRPC HTTP/2 path frame-decodes via `grpc-framing.ts`) | full | — |
+| `otel-trace-propagation.test.ts`, `otel-trace-propagation-subworkflow.test.ts` | W3C trace-context propagation (`observability.md`) | A (trace continuity across `runs:fork` + interrupt resolve + `core.subWorkflow` parent→child boundary; closed 2026-05-13 — subWorkflow scenario asserts both parent + child spans share the inbound traceparent's traceId) | full | — |
 | `wasm-pack-*.test.ts` (six scenarios) | `capabilities.nodePackRuntimes.wasm` (`RFCS/0008`) | A (load + invoke + replay + memory-cap positive-path + ABI-mismatch positive-path) | full | Memory-cap positive path closed 2026-05-12 via misbehaving-memory pack + `memory.grow` probe in loader. ABI-mismatch positive path closed 2026-05-12 via misbehaving-abi pack + `loadedPacks[]` discovery field. |
 | `production-backpressure.test.ts`, `production-retention-expiry.test.ts`, `restart-during-run.test.ts`, `staleClaim.test.ts`, `debug-bundle-truncation.test.ts`, `idempotency.test.ts`, `idempotencyRetry.test.ts` (seven scenarios) | `openwop-production` (`production-profile.md`, RFC 0009) | A− (capability shape + 503 envelope under saturation + discovery-exemption; durable-restart + debug-bundle-truncation predicates exercised end-to-end; retention-expiry envelope soft-skipped pending RFC 0009 Q#1) | host-pass | Postgres reference host advertises `capabilities.production.supported: true` since 2026-05-11 and passes all 11 assertions across the 5 non-opt-in scenarios under `OPENWOP_REQUIRE_BEHAVIOR=true` with `--no-file-parallelism` (the backpressure scenario saturates the inflight cap; parallel file execution collides with `idempotencyRetry.test.ts`'s burst). RFC 0009 unresolved questions #1 (force-expire endpoint normation) + #3 (inflightCap vs probing) gate the path to A. |
 | `auth-api-key-rotation.test.ts` | `openwop-auth-api-key-rotation` (`auth-profiles.md`, RFC 0010) | B (capability shape + secondary-key overlap when env-supplied + canary-redaction) | `host-pending` | Reference host advertises the profile + supplies `OPENWOP_TEST_SECONDARY_API_KEY` for the overlap check. |

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openwop/openwop-conformance",
-  "version": "1.1.0",
+  "version": "1.1.1",
   "description": "Production-ready black-box conformance suite for OpenWOP v1.0 compliant servers.",
   "repository": {
     "type": "git",

package/schemas/capabilities.schema.json

@@ -84,11 +84,11 @@
     },
     "nodePackRuntimes": {
       "type": "object",
-      "description": "Optional v1 advertisement of node-pack runtimes the host loads. See `node-packs.md` §runtime formats and RFC 0008 (WASM ABI). Hosts that don't load packs MAY omit this block entirely.",
+      "description": "Optional v1 advertisement of node-pack runtimes the host loads. See `node-packs.md` §runtime formats and RFC 0008 (WASM ABI). Hosts that don't load packs MAY omit this block entirely. NOTE: this block intentionally uses `additionalProperties: true` (here and on the nested runtime objects) so a future RFC may add a runtime type (e.g., `python-wasm`, `js-wasm`) without a breaking-change rev of this schema; the trade is that a strict-mode validator will accept arbitrary extra keys under these objects. A future RFC that promotes the open-set fields to first-class SHOULD tighten them to `additionalProperties: false` in the same RFC.",
       "properties": {
         "wasm": {
           "type": "object",
-          "description": "WASM core-module runtime per RFC 0008. Hosts that load `runtime.language: \"wasm\"` packs MUST advertise `supported: true` and at least one entry in `abiVersions[]`.",
+          "description": "WASM core-module runtime per RFC 0008. Hosts that load `runtime.language: \"wasm\"` packs MUST advertise `supported: true` and at least one entry in `abiVersions[]`. `additionalProperties: true` preserved for future RFC 0008 amendments (e.g., per-pack memory accounting fields).",
           "required": ["supported"],
           "properties": {
             "supported": {
@@ -125,7 +125,7 @@
         },
         "wasmComponent": {
           "type": "object",
-          "description": "WASM Component Model variant (WIT-defined interfaces). Reserved for hosts that load `runtime.language: \"wasm-component\"` packs.",
+          "description": "WASM Component Model variant (WIT-defined interfaces). Reserved for hosts that load `runtime.language: \"wasm-component\"` packs. `additionalProperties: true` preserved until the Component Model spec stabilises in the v1.x line; tighten in the RFC that promotes wasm-component to a first-class runtime alongside `wasm`.",
           "properties": {
             "supported": { "type": "boolean" }
           },
@@ -331,6 +331,55 @@
       },
       "additionalProperties": true
     },
+    "memory": {
+      "type": "object",
+      "description": "MemoryAdapter capability block per RFC 0004 + the optional compaction profile per RFC 0012. Hosts that don't wire any memory surface omit the entire block.",
+      "properties": {
+        "supported": {
+          "type": "boolean",
+          "description": "When `true`, host implements the four-operation MemoryAdapter contract (`list`, `get`, `put`, `delete`) per RFC 0004 §A."
+        },
+        "maxEntrySizeBytes": {
+          "type": "integer",
+          "minimum": 1,
+          "description": "Upper bound on `MemoryEntry.content` size. Hosts SHOULD reject `put` exceeding this with `validation_error`."
+        },
+        "ttlSupported": {
+          "type": "boolean",
+          "description": "When `true`, host honors `expiresAt` per RFC 0004 §E."
+        },
+        "compaction": {
+          "type": "object",
+          "description": "RFC 0012 Memory Compaction Profile (Accepted 2026-05-15). Hosts that distill many short-lived MemoryEntry rows into fewer long-lived ones MAY advertise here; advertising implies the SR-1 carry-forward invariant (`SECURITY/invariants.yaml` row `memory-compaction-sr-1-carry-forward`).",
+          "required": ["supported"],
+          "properties": {
+            "supported": {
+              "type": "boolean",
+              "description": "REQUIRED when the sub-block is present. When `true`, host performs compaction over `longTerm` memory and emits the `memory.compacted` event per `observability.md` §Canonical event vocabulary."
+            },
+            "trigger": {
+              "type": "string",
+              "enum": ["host-managed", "client-requested", "both"],
+              "description": "REQUIRED when `supported: true` per RFC 0012 §A (enforced via the `if/then` clause). `host-managed` runs on a host-internal schedule clients do not control. `client-requested` and `both` are reserved enum values; v1.x normates only `host-managed`."
+            },
+            "maxInputEntries": {
+              "type": "integer",
+              "minimum": 1,
+              "description": "Informational ceiling on how many source entries one compaction call collapses. Not wire-enforced."
+            },
+            "maxOutputBytes": {
+              "type": "integer",
+              "minimum": 0,
+              "description": "Informational ceiling on the distilled entry size. SHOULD be ≤ `memory.maxEntrySizeBytes`."
+            }
+          },
+          "additionalProperties": false,
+          "if": { "properties": { "supported": { "const": true } }, "required": ["supported"] },
+          "then": { "required": ["supported", "trigger"] }
+        }
+      },
+      "additionalProperties": true
+    },
     "conversationPrimitive": {
       "type": "boolean",
       "description": "Multi-Agent Shift Phase 4. When `true`, host advertises that it implements the `core.conversationGate` typeId AND honors the `conversation.start` / `conversation.exchange` / `conversation.close` suspend variants. Hosts that don't claim this fall back to `clarification.requested` interrupts for multi-turn user interjections."

package/schemas/run-event-payloads.schema.json

@@ -2,7 +2,7 @@
   "$schema": "https://json-schema.org/draft/2020-12/schema",
   "$id": "https://openwop.dev/spec/v1/run-event-payloads.schema.json",
   "title": "RunEventPayloads",
-  "description": "Per-RunEventType payload schemas. The base RunEventDoc shape (run-event.schema.json) leaves `payload` permissive for forward-compat. This schema defines the canonical payload contract for each known RunEventType. Consumers MAY pin strict payload validation via `$defs.<typeId>` and `ajv.validate(schema.$defs[event.type], event.payload)`. Unknown event types MUST be tolerated (no $defs match → fold best-effort).\n\n47 variants from `run-event.schema.json#$defs.RunEventType` are covered, grouped into ~20 shape families with shared $defs. Naming convention: camelCase keys mirror dotted RunEventType names (e.g., `run.started` → `runStarted`).",
+  "description": "Per-RunEventType payload schemas. The base RunEventDoc shape (run-event.schema.json) leaves `payload` permissive for forward-compat. This schema defines the canonical payload contract for each known RunEventType. Consumers MAY pin strict payload validation via `$defs.<typeId>` and `ajv.validate(schema.$defs[event.type], event.payload)`. Unknown event types MUST be tolerated (no $defs match → fold best-effort).\n\n48 variants from `run-event.schema.json#$defs.RunEventType` are covered, grouped into ~20 shape families with shared $defs. Naming convention: camelCase keys mirror dotted RunEventType names (e.g., `run.started` → `runStarted`).",
   "type": "object",
   "$defs": {
     "_typeIndex": {
@@ -56,7 +56,8 @@
         "runOrchestrator.decided":   { "$ref": "#/$defs/runOrchestratorDecided" },
         "conversation.opened":       { "$ref": "#/$defs/conversationOpened" },
         "conversation.exchanged":    { "$ref": "#/$defs/conversationExchanged" },
-        "conversation.closed":       { "$ref": "#/$defs/conversationClosed" }
+        "conversation.closed":       { "$ref": "#/$defs/conversationClosed" },
+        "memory.compacted":          { "$ref": "#/$defs/memoryCompacted" }
       }
     },
 
@@ -658,6 +659,21 @@
         "turnCount":      { "type": "integer", "minimum": 0, "description": "Total turns completed in this conversation (number of `conversation.exchanged` events emitted)." }
       },
       "additionalProperties": true
+    },
+
+    "memoryCompacted": {
+      "type": "object",
+      "description": "RFC 0012 (Memory Compaction Profile). Emitted by a host advertising `capabilities.memory.compaction.supported: true` each time a compaction run completes, regardless of trigger. `outputId` MUST be readable via `MemoryAdapter.get(memoryRef, outputId)` until normal TTL eviction. SR-1 carry-forward (RFC 0012 §D) applies: the host MUST route compacted entry content through the same BYOK redaction harness applied to a fresh `put`.",
+      "required": ["memoryRef", "outputId", "sourceCount", "trigger", "byteSize"],
+      "properties": {
+        "memoryRef":   { "type": "string", "minLength": 1, "description": "Opaque MemoryAdapter handle per RFC 0004 §C. Bounds compaction to a single memory scope." },
+        "outputId":    { "type": "string", "minLength": 1, "description": "Id of the new MemoryEntry created by compaction." },
+        "sourceIds":   { "type": "array", "items": { "type": "string", "minLength": 1 }, "description": "Ids of entries collapsed into outputId. Hosts MAY omit when sourceCount > 100; the `compacted-from:<runId>` tag convention (RFC 0012 §C) becomes the authoritative provenance signal. When present, MUST be exhaustive within the array (no 'and N more' semantics)." },
+        "sourceCount": { "type": "integer", "minimum": 1, "description": "Total source entries collapsed, including any not enumerated in `sourceIds`." },
+        "trigger":     { "type": "string", "enum": ["host-managed", "client-requested", "both"], "description": "Matches `capabilities.memory.compaction.trigger`; indicates which trigger path drove this run. v1.x normates only `host-managed`." },
+        "byteSize":    { "type": "integer", "minimum": 0, "description": "Byte size of the resulting MemoryEntry.content." }
+      },
+      "additionalProperties": true
     }
   }
 }

package/schemas/run-event.schema.json

@@ -109,7 +109,8 @@
         "runOrchestrator.decided",
         "conversation.opened",
         "conversation.exchanged",
-        "conversation.closed"
+        "conversation.closed",
+        "memory.compacted"
       ]
     }
   }

package/src/lib/behavior-gate.ts

@@ -18,6 +18,18 @@
  *     scenario exercises real behavior — useful for hosts that want to
  *     claim full coverage in `INTEROP-MATRIX.md`.
  *
+ *   - **Strict-mode opt-out (skip in strict mode too):** set
+ *     `OPENWOP_OPTED_OUT_PROFILES=name1,name2,...` to declare that the
+ *     host operator has deliberately chosen NOT to implement those
+ *     profiles. In strict mode the gate skips them with a "honest
+ *     opt-out" log line instead of failing — minimal hosts that
+ *     advertise only what they implement can still go strict-mode
+ *     green without falsifying capability claims. Conflict check:
+ *     if a profile appears in BOTH `OPENWOP_OPTED_OUT_PROFILES` AND
+ *     the host's discovery `capabilities.auth.profiles[]` (or
+ *     equivalent), the gate logs a loud warning — opt-outs and
+ *     advertisements are mutually exclusive.
+ *
  * Usage:
  *
  *   ```ts
@@ -42,18 +54,45 @@ import { loadEnv } from './env.js';
 
 /**
  * Returns true if the scenario should proceed with assertions (advertised),
- * false if the scenario should `return` early (default-mode skip). In strict
- * mode (`OPENWOP_REQUIRE_BEHAVIOR=true`), throws if not advertised — so the
- * caller never actually receives `false` in that mode.
+ * false if the scenario should `return` early (default-mode skip OR
+ * strict-mode honest opt-out). In strict mode (`OPENWOP_REQUIRE_BEHAVIOR=true`)
+ * with `profileName` NOT in `OPENWOP_OPTED_OUT_PROFILES`, throws — so the
+ * caller never receives `false` in that combination.
+ *
+ * If the host BOTH advertises the profile AND the operator listed it in
+ * the opt-out env var, surface a warning (likely typo) and treat as
+ * advertised (proceed). Advertisement always wins over opt-out: opting
+ * out of a profile you actually implement is meaningless.
  */
 export function behaviorGate(profileName: string, advertised: boolean): boolean {
+  const env = loadEnv();
+  const optedOut = env.optedOutProfiles.has(profileName);
+
+  if (advertised && optedOut) {
+    // eslint-disable-next-line no-console
+    console.warn(
+      `[${profileName}] both ADVERTISED by the host AND listed in OPENWOP_OPTED_OUT_PROFILES — ` +
+        `opt-out is ignored. Remove from the env var to clear this warning.`,
+    );
+  }
+
   if (advertised) return true;
 
-  const env = loadEnv();
+  if (optedOut) {
+    // Honest opt-out: the operator declared the host does not implement
+    // this profile. Skip in BOTH default and strict mode.
+    // eslint-disable-next-line no-console
+    console.warn(
+      `[${profileName}] honest opt-out (OPENWOP_OPTED_OUT_PROFILES); skipping`,
+    );
+    return false;
+  }
+
   if (env.requireBehavior) {
     expect(
       advertised,
-      `OPENWOP_REQUIRE_BEHAVIOR=true: host MUST advertise the ${profileName} profile for this scenario to run. ` +
+      `OPENWOP_REQUIRE_BEHAVIOR=true: host MUST advertise the ${profileName} profile for this scenario to run, ` +
+        `or declare opt-out via OPENWOP_OPTED_OUT_PROFILES=${profileName}. ` +
         `See conformance/coverage.md §"Capability-gated scenarios".`,
     ).toBe(true);
     // expect.toBe(true) throws; we won't reach here.

package/src/lib/env.ts

@@ -16,6 +16,15 @@
  *     Default is false — scenarios skip with a warning so default conformance
  *     runs cover what the host has implemented. See `lib/behavior-gate.ts`
  *     and `conformance/coverage.md` §"Capability-gated scenarios".
+ *
+ *   OPENWOP_OPTED_OUT_PROFILES — comma-separated profile names the host
+ *     operator has DELIBERATELY chosen not to implement. In strict mode
+ *     these scenarios skip (logged as "honest opt-out") rather than
+ *     failing — distinguishes "host doesn't claim this surface" (good)
+ *     from "host claims but doesn't deliver" (bug). Lets honest minimal
+ *     hosts go strict-mode green without falsifying capability claims.
+ *     Example for SQLite:
+ *       OPENWOP_OPTED_OUT_PROFILES=openwop-production,openwop-auth-mtls
  */
 
 export interface ConformanceEnv {
@@ -24,6 +33,15 @@ export interface ConformanceEnv {
   readonly implementationName: string;
   readonly implementationVersion: string;
   readonly requireBehavior: boolean;
+  /**
+   * Profiles the host operator has declared the host does NOT claim. Set
+   * via `OPENWOP_OPTED_OUT_PROFILES=name1,name2`. In strict mode, the
+   * behavior-gate honors this set as PASS-by-opt-out rather than failing
+   * the scenario. Never include a profile the host actually advertises —
+   * that's a typo, not an opt-out, and `behaviorGate` will surface a
+   * warning if it detects the conflict.
+   */
+  readonly optedOutProfiles: ReadonlySet<string>;
 }
 
 let cached: ConformanceEnv | null = null;
@@ -48,12 +66,21 @@ export function loadEnv(): ConformanceEnv {
   // Strip trailing slash so URL composition is consistent.
   const normalizedBase = baseUrl.replace(/\/$/, '');
 
+  const optedOutRaw = process.env.OPENWOP_OPTED_OUT_PROFILES?.trim() ?? '';
+  const optedOutProfiles = new Set(
+    optedOutRaw
+      .split(',')
+      .map((s) => s.trim())
+      .filter((s) => s.length > 0),
+  );
+
   cached = {
     baseUrl: normalizedBase,
     apiKey,
     implementationName: process.env.OPENWOP_IMPLEMENTATION_NAME?.trim() ?? 'unknown',
     implementationVersion: process.env.OPENWOP_IMPLEMENTATION_VERSION?.trim() ?? 'unknown',
     requireBehavior: process.env.OPENWOP_REQUIRE_BEHAVIOR === 'true',
+    optedOutProfiles,
   };
   return cached;
 }

package/src/scenarios/mcp-tool-roundtrip.test.ts

@@ -32,15 +32,22 @@
  *     probe at a real MCP server. Auto-detects the transport from the
  *     server's `Content-Type` response header:
  *       - `application/json` → single-JSON response, parsed as one
- *         JSON-RPC frame.
+ *         JSON-RPC frame. Verified end-to-end against
+ *         `@modelcontextprotocol/sdk@1.29.0` `enableJsonResponse: true`
+ *         streamable-http servers (2026-05-12).
  *       - `text/event-stream` → streamable-http+SSE; the probe reads
  *         SSE frames until it finds one whose `data:` payload matches
- *         the JSON-RPC `id` we sent, then returns that frame.
+ *         the JSON-RPC `id` we sent, then returns that frame. Verified
+ *         end-to-end against `@modelcontextprotocol/sdk@1.29.0`
+ *         streamable-http servers WITHOUT `enableJsonResponse`
+ *         (2026-05-13).
  *     The stdio transport (default for `modelcontextprotocol/servers`
- *     reference servers) is still out of scope — those run as a child
- *     process speaking JSON-RPC over stdin/stdout, no HTTP endpoint to
- *     point env vars at. Operators wanting interop evidence against
- *     stdio servers run them under a `mcp-bridge` HTTP adapter.
+ *     reference servers) is HTTP-incompatible by design — those run
+ *     as a child process speaking JSON-RPC over stdin/stdout, no HTTP
+ *     endpoint. Operators collecting interop evidence against stdio
+ *     servers run them under the documented HTTP-to-stdio bridge at
+ *     `examples/mcp-stdio-bridge/` (verified end-to-end 2026-05-13;
+ *     probe + bridge + `echo-stdio-server.mjs` round-trip passes 2/2).
  *     Assertions stay shape-only: tools/list returns ≥1 tool, a
  *     tools/call returns valid MCP content (a `result.content` array,
  *     possibly `isError: true` — both are spec-conformant).

package/src/scenarios/memory-compaction-event-emitted.test.ts

@@ -0,0 +1,121 @@
+/**
+ * RFC 0012 §B — `memory.compacted` event emission shape.
+ *
+ * Verifies that hosts advertising
+ * `capabilities.memory.compaction.supported: true` emit a canonical
+ * `memory.compacted` event payload per `run-event-payloads.schema.json`
+ * §`memoryCompacted` whenever a compaction run completes.
+ *
+ * Required fields per the schema:
+ *   - `memoryRef` (string, non-empty)
+ *   - `outputId` (string, non-empty)
+ *   - `sourceCount` (integer ≥ 1)
+ *   - `trigger` (closed enum: `host-managed | client-requested | both`)
+ *   - `byteSize` (integer ≥ 0)
+ *
+ * Optional:
+ *   - `sourceIds` (array of non-empty strings; exhaustive within the
+ *     array — no "and N more" semantics — when present)
+ *
+ * Gating identical to `memory-compaction-sr1-carry-forward.test.ts`:
+ * capability advertisement + test seam reachable.
+ *
+ * @see RFCS/0012-memory-compaction-profile.md §B
+ * @see schemas/run-event-payloads.schema.json §memoryCompacted
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+
+const MEMORY_REF = 'mem_tenant:default_agent:conformance-rfc0012-event_longTerm';
+
+interface MemoryCaps {
+  compaction?: { supported?: boolean };
+}
+
+async function isCompactionAdvertised(): Promise<boolean> {
+  const disco = await driver.get('/.well-known/openwop');
+  const memory = (disco.json as { capabilities?: { memory?: MemoryCaps } }).capabilities?.memory;
+  return memory?.compaction?.supported === true;
+}
+
+async function isTestSeamReachable(): Promise<boolean> {
+  const r = await driver.post('/v1/test/memory/compact', {});
+  return r.status !== 404;
+}
+
+describe('memory-compaction-event-emitted: canonical memory.compacted payload shape', () => {
+  it('compaction run returns a canonical memoryCompacted payload', async () => {
+    if (!(await isCompactionAdvertised())) {
+      // eslint-disable-next-line no-console
+      console.warn('[rfc0012-event] capabilities.memory.compaction.supported not advertised; skipping');
+      return;
+    }
+    if (!(await isTestSeamReachable())) {
+      // eslint-disable-next-line no-console
+      console.warn('[rfc0012-event] test seam unreachable; skipping');
+      return;
+    }
+
+    const seed = await driver.post('/v1/test/memory/seed', {
+      memoryRef: MEMORY_REF,
+      entries: [
+        { id: `event-src-${Date.now()}-a`, content: 'First memory entry.' },
+        { id: `event-src-${Date.now()}-b`, content: 'Second memory entry.' },
+        { id: `event-src-${Date.now()}-c`, content: 'Third memory entry.' },
+      ],
+    });
+    expect(seed.status).toBe(201);
+
+    const compactRes = await driver.post('/v1/test/memory/compact', {
+      memoryRef: MEMORY_REF,
+    });
+    expect(compactRes.status).toBe(200);
+
+    const event = compactRes.json as {
+      type?: string;
+      payload?: Record<string, unknown>;
+    };
+
+    expect(event.type, driver.describe(
+      'observability.md §"Canonical run lifecycle event names"',
+      'event MUST be type=memory.compacted',
+    )).toBe('memory.compacted');
+
+    const payload = event.payload ?? {};
+
+    expect(typeof payload.memoryRef, driver.describe(
+      'RFC 0012 §B / run-event-payloads.schema.json §memoryCompacted',
+      'memoryRef MUST be a non-empty string',
+    )).toBe('string');
+    expect((payload.memoryRef as string).length).toBeGreaterThan(0);
+
+    expect(typeof payload.outputId, driver.describe(
+      'RFC 0012 §B',
+      'outputId MUST be a string identifying the distilled entry',
+    )).toBe('string');
+    expect((payload.outputId as string).length).toBeGreaterThan(0);
+
+    expect(Number.isInteger(payload.sourceCount), driver.describe(
+      'RFC 0012 §B',
+      'sourceCount MUST be an integer',
+    )).toBe(true);
+    expect(payload.sourceCount as number).toBeGreaterThanOrEqual(1);
+
+    expect(['host-managed', 'client-requested', 'both']).toContain(payload.trigger);
+
+    expect(Number.isInteger(payload.byteSize), driver.describe(
+      'RFC 0012 §B',
+      'byteSize MUST be an integer',
+    )).toBe(true);
+    expect(payload.byteSize as number).toBeGreaterThanOrEqual(0);
+
+    if (payload.sourceIds !== undefined) {
+      expect(Array.isArray(payload.sourceIds)).toBe(true);
+      for (const id of payload.sourceIds as unknown[]) {
+        expect(typeof id, 'sourceIds entries MUST be strings').toBe('string');
+        expect((id as string).length).toBeGreaterThan(0);
+      }
+    }
+  });
+});

package/src/scenarios/memory-compaction-provenance-tag.test.ts

@@ -0,0 +1,116 @@
+/**
+ * RFC 0012 §C — `compacted-from:<id>` provenance tag convention.
+ *
+ * The distilled entry SHOULD (not MUST) carry a tag of the form
+ * `compacted-from:<compactionRunId>` where `<compactionRunId>` is a
+ * host-issued opaque identifier. This lets `MemoryAdapter.list`
+ * consumers detect compacted entries without needing access to the
+ * `memory.compacted` event stream.
+ *
+ * SOFT ASSERTION: log-and-warn if absent, fail only if a present tag
+ * is malformed. Hosts with structurally-constrained tag-spaces (legacy
+ * tag-prefix discipline, fixed-vocabulary tagging) MAY omit this —
+ * the `memory.compacted` event itself remains the canonical provenance
+ * signal.
+ *
+ * Gating identical to the other RFC 0012 scenarios.
+ *
+ * @see RFCS/0012-memory-compaction-profile.md §C
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+
+const MEMORY_REF = 'mem_tenant:default_agent:conformance-rfc0012-tag_longTerm';
+const COMPACTED_FROM_RE = /^compacted-from:[^\s:][^\s]*$/;
+
+interface MemoryCaps {
+  compaction?: { supported?: boolean };
+}
+
+interface MemoryListResponse {
+  entries?: Array<{ id?: string; tags?: string[] }>;
+}
+
+async function isCompactionAdvertised(): Promise<boolean> {
+  const disco = await driver.get('/.well-known/openwop');
+  const memory = (disco.json as { capabilities?: { memory?: MemoryCaps } }).capabilities?.memory;
+  return memory?.compaction?.supported === true;
+}
+
+async function isTestSeamReachable(): Promise<boolean> {
+  const r = await driver.post('/v1/test/memory/compact', {});
+  return r.status !== 404;
+}
+
+describe('memory-compaction-provenance-tag: compacted-from:<id> tag follows §C convention', () => {
+  it('compacted entry carries a well-formed compacted-from tag, OR omits it cleanly (no malformed tags)', async () => {
+    if (!(await isCompactionAdvertised())) {
+      // eslint-disable-next-line no-console
+      console.warn('[rfc0012-tag] capabilities.memory.compaction.supported not advertised; skipping');
+      return;
+    }
+    if (!(await isTestSeamReachable())) {
+      // eslint-disable-next-line no-console
+      console.warn('[rfc0012-tag] test seam unreachable; skipping');
+      return;
+    }
+
+    // Seed + compact.
+    const seedStamp = Date.now();
+    const seed = await driver.post('/v1/test/memory/seed', {
+      memoryRef: MEMORY_REF,
+      entries: [
+        { id: `tag-src-${seedStamp}-1`, content: 'Source content alpha.' },
+        { id: `tag-src-${seedStamp}-2`, content: 'Source content beta.' },
+      ],
+    });
+    expect(seed.status).toBe(201);
+
+    const compactRes = await driver.post('/v1/test/memory/compact', {
+      memoryRef: MEMORY_REF,
+    });
+    expect(compactRes.status).toBe(200);
+
+    const event = compactRes.json as { payload?: { outputId?: string } };
+    const outputId = event.payload?.outputId;
+    expect(typeof outputId).toBe('string');
+
+    // Resolve the entry via the wire MemoryAdapter list surface (no
+    // direct get-by-id wire endpoint; we filter list results).
+    // Hosts that don't expose memory:list on the wire skip — this is
+    // a `MemoryAdapter.list` surface check, which the canonical
+    // capabilities.memory.supported claim already covers.
+    const listRes = await driver.get(
+      `/v1/memory/${encodeURIComponent(MEMORY_REF)}?limit=50`,
+    );
+    if (listRes.status === 404) {
+      // eslint-disable-next-line no-console
+      console.warn('[rfc0012-tag] host does not expose memory:list at /v1/memory/{ref}; skipping tag inspection (canonical provenance signal remains the memory.compacted event itself)');
+      return;
+    }
+    expect(listRes.status, 'memory:list MUST return 200 when reachable').toBe(200);
+
+    const body = (listRes.json as MemoryListResponse) ?? {};
+    const entries = body.entries ?? [];
+    const output = entries.find((e) => e.id === outputId);
+    if (!output) {
+      // eslint-disable-next-line no-console
+      console.warn(`[rfc0012-tag] outputId ${outputId} not visible via memory:list; cannot inspect tags`);
+      return;
+    }
+    const tags = output.tags ?? [];
+
+    // RFC 0012 §C: SHOULD-tag, soft assertion.
+    const provenance = tags.find((t) => t.startsWith('compacted-from:'));
+    if (provenance === undefined) {
+      // eslint-disable-next-line no-console
+      console.warn('[rfc0012-tag] output entry has no compacted-from:<id> tag — RFC 0012 §C is SHOULD, not MUST; pass with warning');
+      return;
+    }
+    expect(provenance, driver.describe(
+      'RFC 0012 §C',
+      'compacted-from tag MUST match `compacted-from:<id>` shape (non-empty id, no whitespace) when present',
+    )).toMatch(COMPACTED_FROM_RE);
+  });
+});

package/src/scenarios/memory-compaction-sr1-carry-forward.test.ts

@@ -0,0 +1,127 @@
+/**
+ * RFC 0012 §D — SR-1 carry-forward through memory compaction.
+ *
+ * Verifies the load-bearing security claim of RFC 0012 (Memory
+ * Compaction Profile, `Active` 2026-05-13 — comment window closes
+ * 2026-05-20): when a host advertising
+ * `capabilities.memory.compaction.supported: true` produces a
+ * compacted `MemoryEntry`, the derived content MUST pass the
+ * same BYOK redaction harness as a fresh `put`. The fact that
+ * source entries were SR-1-compliant at original `put` time is
+ * NOT evidence to skip redaction on derived content — summarization
+ * models can introduce secret-shaped substrings (hallucinated
+ * tokens, format-leaks from in-context examples) not present in
+ * any source.
+ *
+ * Gating:
+ *   - `capabilities.memory.compaction.supported` MUST be `true`.
+ *   - Host MUST expose the test seam at `POST /v1/test/memory/{seed,
+ *     compact}` — gated on the host's `OPENWOP_TEST_TRIGGER_COMPACTION`
+ *     env var. Without it the scenario can't synchronously drive
+ *     compaction (RFC 0012 normates only `trigger: 'host-managed'`).
+ *     The seam itself is host-implementation-specific; the conformance
+ *     suite skips when the seam isn't reachable.
+ *
+ * @see RFCS/0012-memory-compaction-profile.md §D
+ * @see SECURITY/invariants.yaml `memory-compaction-sr-1-carry-forward`
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+
+const MEMORY_REF = 'mem_tenant:default_agent:conformance-rfc0012-sr1_longTerm';
+
+interface MemoryCaps {
+  compaction?: { supported?: boolean };
+}
+
+async function isCompactionAdvertised(): Promise<boolean> {
+  const disco = await driver.get('/.well-known/openwop');
+  const memory = (disco.json as { capabilities?: { memory?: MemoryCaps } }).capabilities?.memory;
+  return memory?.compaction?.supported === true;
+}
+
+async function isTestSeamReachable(): Promise<boolean> {
+  // Probe the seam with an empty body — expects 400 if reachable
+  // (validation_error on missing memoryRef), 404 when disabled.
+  const r = await driver.post('/v1/test/memory/compact', {});
+  return r.status !== 404;
+}
+
+describe('memory-compaction-sr1-carry-forward: derived content passes the BYOK redaction harness', () => {
+  it('compacted MemoryEntry content MUST NOT carry source-side form-leak signatures', async () => {
+    if (!(await isCompactionAdvertised())) {
+      // eslint-disable-next-line no-console
+      console.warn('[rfc0012-sr1] capabilities.memory.compaction.supported not advertised; skipping');
+      return;
+    }
+    if (!(await isTestSeamReachable())) {
+      // eslint-disable-next-line no-console
+      console.warn('[rfc0012-sr1] test seam /v1/test/memory/compact unreachable; skipping (set host\'s OPENWOP_TEST_TRIGGER_COMPACTION=true)');
+      return;
+    }
+
+    // 1. Seed source entries containing:
+    //    - The canonical `[BYOK:...]` form-leak signature (placeholder
+    //      surfaces verbatim — should be caught by SR-1 carry-forward).
+    //    - A non-canonical `<REDACTED:...>` marker that the host's
+    //      redaction harness should re-canonicalize.
+    //    - Plain, non-sensitive prose.
+    const seed = await driver.post('/v1/test/memory/seed', {
+      memoryRef: MEMORY_REF,
+      entries: [
+        { id: `sr1-src-${Date.now()}-1`, content: 'User confirmed: [BYOK:hk_live_canary_42]' },
+        { id: `sr1-src-${Date.now()}-2`, content: 'Resolved <REDACTED:db-prod-creds> outage.' },
+        { id: `sr1-src-${Date.now()}-3`, content: 'Customer asked about pricing tiers.' },
+      ],
+    });
+    expect(seed.status, 'seed endpoint MUST return 201 when reachable').toBe(201);
+
+    // 2. Drive compaction synchronously.
+    const compactRes = await driver.post('/v1/test/memory/compact', {
+      memoryRef: MEMORY_REF,
+    });
+    expect(compactRes.status, 'compact MUST return 200 with ≥2 source entries').toBe(200);
+
+    const event = compactRes.json as {
+      type?: string;
+      payload?: { outputId?: string; memoryRef?: string };
+      // Out-of-band field from the test seam carrying the persisted
+      // entry bytes; the wire-level `memory.compacted` event does NOT
+      // carry content. Required for SR-1 verification — the canonical
+      // event payload is shape-only and would pass this scenario
+      // trivially without it.
+      outputContent?: string;
+    };
+    expect(event.type, 'event payload MUST be type=memory.compacted').toBe('memory.compacted');
+
+    if (typeof event.outputContent !== 'string') {
+      // eslint-disable-next-line no-console
+      console.warn('[rfc0012-sr1] test seam did not return outputContent; the wire-level memory.compacted shape does not surface content so without a host-side seam we cannot verify §D end-to-end. Skipping.');
+      return;
+    }
+
+    // The load-bearing assertion: the PERSISTED entry content (what
+    // future MemoryAdapter.get / list consumers would see) MUST NOT
+    // carry source-side form-leak signatures. A host that skips its
+    // BYOK redaction pass on derived content fails here.
+    expect(event.outputContent.includes('[BYOK:hk_live_canary_42]'), driver.describe(
+      'RFC 0012 §D',
+      'derived MemoryEntry.content MUST NOT carry source-side [BYOK:...] form-leak signatures (SR-1 carry-forward)',
+    )).toBe(false);
+    expect(event.outputContent.includes('<REDACTED:db-prod-creds>'), driver.describe(
+      'RFC 0012 §D',
+      'derived MemoryEntry.content MUST NOT echo non-canonical <REDACTED:...> markers from sources',
+    )).toBe(false);
+
+    // Positive: the canonical `[REDACTED:...]` placeholder MUST be
+    // present where SR-1 carry-forward re-substituted a source-side
+    // leak. Pinning this prevents a host from "passing" by simply
+    // stripping source content rather than redacting it (which would
+    // also lose audit signal).
+    expect(event.outputContent, driver.describe(
+      'RFC 0012 §D',
+      'derived MemoryEntry.content MUST carry canonical [REDACTED:...] placeholders where source-side leaks were re-substituted',
+    )).toMatch(/\[REDACTED:[^\]]+\]/);
+  });
+});

package/src/scenarios/multi-region-idempotency.test.ts

@@ -2,18 +2,29 @@
  * Track 13: multi-region idempotency capability shape (idempotency.md v1.1).
  *
  * Verifies that hosts advertising the multi-region idempotency annex
- * surface a valid `capabilities.idempotency.crossRegion` value. The
- * end-to-end partition behavior cannot be exercised black-box; this
- * scenario validates the discovery-document shape so clients can rely
- * on the capability for routing decisions.
+ * surface a valid `capabilities.idempotency.crossRegion` value AND, when
+ * claiming `'best-effort'` or `'strict'`, expose the operator-tier
+ * metric names per `idempotency.md` §"Operator surface".
+ *
+ * The annex's partition-replay convergence rule cannot be exercised
+ * black-box (it requires multi-region host deployment under a real
+ * partition); the algorithm itself is verified in-process via the
+ * Postgres host's `multi-region-idempotency.test.ts` smoke against
+ * the canonical resolver. This scenario validates the discovery-
+ * document shape so clients can rely on the capability for routing
+ * decisions.
  *
  * @see spec/v1/idempotency.md §"Multi-region idempotency"
+ * @see examples/hosts/postgres/src/multi-region.ts (canonical resolver)
  */
 
 import { describe, it, expect } from 'vitest';
 import { driver } from '../lib/driver.js';
 
 const ALLOWED = new Set(['single-region', 'best-effort', 'strict']);
+const REQUIRED_METRICS_WHEN_MULTI_REGION = [
+  'openwop.idempotency.cross_region_conflicts_total',
+];
 
 interface IdempotencyCaps {
   supported?: boolean;
@@ -22,6 +33,10 @@ interface IdempotencyCaps {
   crossRegion?: string;
 }
 
+interface ObservabilityCaps {
+  metrics?: { names?: string[] };
+}
+
 describe('multi-region-idempotency: capability shape', () => {
   it('idempotency.crossRegion (when advertised) MUST be one of the closed enum', async () => {
     const disco = await driver.get('/.well-known/openwop');
@@ -49,4 +64,24 @@ describe('multi-region-idempotency: capability shape', () => {
       expect(idem.layer2RetentionSeconds).toBeGreaterThan(0);
     }
   });
+
+  it('multi-region hosts SHOULD expose the cross-region conflict counter per §"Operator surface"', async () => {
+    const disco = await driver.get('/.well-known/openwop');
+    const caps = (disco.json as { capabilities?: { idempotency?: IdempotencyCaps; observability?: ObservabilityCaps } })
+      .capabilities;
+    const crossRegion = caps?.idempotency?.crossRegion;
+
+    if (crossRegion !== 'best-effort' && crossRegion !== 'strict') {
+      // Single-region hosts have no conflicts to count — skip.
+      return;
+    }
+
+    const advertised = new Set(caps?.observability?.metrics?.names ?? []);
+    for (const name of REQUIRED_METRICS_WHEN_MULTI_REGION) {
+      expect(advertised.has(name), driver.describe(
+        'idempotency.md §"Operator surface"',
+        `multi-region hosts SHOULD advertise metric "${name}" so operators can monitor conflict frequency`,
+      )).toBe(true);
+    }
+  });
 });

package/src/scenarios/otel-trace-propagation-subworkflow.test.ts

@@ -0,0 +1,139 @@
+/**
+ * Track 11 close-out: cross-run trace-context propagation across
+ * `core.subWorkflow` invocation.
+ *
+ * `otel-trace-propagation.test.ts` verifies that a single run's spans
+ * inherit an inbound `traceparent`'s traceId. This scenario closes the
+ * remaining gap (`conformance/coverage.md` row 52: "Cross-host
+ * propagation across `core.subWorkflow` invocation"): when a parent
+ * run with a known inbound traceparent dispatches a child run via
+ * `core.subWorkflow`, the CHILD run's emitted spans MUST also share
+ * the parent's traceId — distributed traces stitch across the
+ * sub-workflow boundary without operator-side correlation hacks.
+ *
+ * Operator-tier value: in production deployments, a sub-workflow may
+ * execute on a different host instance (`core.subWorkflow` is a
+ * dispatch boundary, not necessarily an in-process call). The
+ * traceparent-propagation contract guarantees the operator's OTel
+ * backend can render parent + child as one trace tree even when
+ * they're on separate hosts.
+ *
+ * Skip conditions:
+ *   - Collector disabled.
+ *   - Host doesn't advertise `capabilities.observability`.
+ *   - `conformance-subworkflow-parent` fixture not advertised (host
+ *     doesn't implement `core.subWorkflow`).
+ *
+ * @see spec/v1/observability.md §"Trace context propagation"
+ * @see spec/v1/node-packs.md §`core.subWorkflow`
+ * @see conformance/coverage.md row 52
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+import { pollUntilTerminal } from '../lib/polling.js';
+import { isFixtureAdvertised } from '../lib/fixtures.js';
+import { getCollector, waitForRunSpans } from '../lib/otel-collector.js';
+
+const PARENT_FIXTURE = 'conformance-subworkflow-parent';
+
+interface RunEvent {
+  type: string;
+  nodeId?: string;
+  payload?: { outputs?: { childRunId?: string } };
+}
+
+function makeTraceparent(): { header: string; traceId: string } {
+  // W3C format: 00-<32 hex traceId>-<16 hex spanId>-01.
+  // Use a distinct id from the parent-only scenario so collector
+  // matching is unambiguous when both scenarios run back-to-back.
+  const traceId = '7c3e51b9d2a04e6f8b1c0d2e3f4a5b6c';
+  const spanId = '00f067aa0ba902b7';
+  return { header: `00-${traceId}-${spanId}-01`, traceId };
+}
+
+async function isObservabilityAdvertised(): Promise<boolean> {
+  try {
+    const disco = await driver.get('/.well-known/openwop');
+    const caps = (disco.json as { capabilities?: { observability?: unknown } }).capabilities ?? {};
+    return caps.observability !== undefined;
+  } catch {
+    return false;
+  }
+}
+
+describe('otel-trace-propagation-subworkflow: traceparent threads parent → child via core.subWorkflow', () => {
+  it('child run spans inherit the parent run\'s inbound traceId', async () => {
+    if (!getCollector()) {
+      // eslint-disable-next-line no-console
+      console.warn('[otel-trace-propagation-subworkflow] collector not started; skipping');
+      return;
+    }
+    if (!isFixtureAdvertised(PARENT_FIXTURE)) {
+      // eslint-disable-next-line no-console
+      console.warn(`[otel-trace-propagation-subworkflow] ${PARENT_FIXTURE} not advertised; skipping`);
+      return;
+    }
+    if (!(await isObservabilityAdvertised())) {
+      // eslint-disable-next-line no-console
+      console.warn('[otel-trace-propagation-subworkflow] capabilities.observability not advertised; skipping');
+      return;
+    }
+
+    const collector = getCollector()!;
+    collector.reset();
+
+    const { header, traceId } = makeTraceparent();
+    const create = await driver.post(
+      '/v1/runs',
+      { workflowId: PARENT_FIXTURE },
+      { headers: { traceparent: header } },
+    );
+    expect(create.status).toBe(201);
+    const parentRunId = (create.json as { runId: string }).runId;
+
+    await pollUntilTerminal(parentRunId, { timeoutMs: 30_000 });
+
+    // Walk the parent's event log to discover the child run id.
+    const eventsRes = await driver.get(
+      `/v1/runs/${encodeURIComponent(parentRunId)}/events/poll?lastSequence=0&timeout=1`,
+    );
+    expect(eventsRes.status).toBe(200);
+    const events = (eventsRes.json as { events?: RunEvent[] } | undefined)?.events ?? [];
+
+    const subwfCompleted = events.find(
+      (e) => e.type === 'node.completed' && e.nodeId === 'subwf-call',
+    );
+    expect(subwfCompleted, driver.describe(
+      'node-packs.md §core.subWorkflow',
+      'parent event log MUST include node.completed for the subwf-call node',
+    )).toBeDefined();
+
+    const childRunId = subwfCompleted?.payload?.outputs?.childRunId;
+    expect(typeof childRunId, driver.describe(
+      'node-packs.md §core.subWorkflow outputSchema',
+      'subwf-call node.completed payload MUST carry outputs.childRunId',
+    )).toBe('string');
+
+    // Both parent + child spans MUST share the inbound traceId.
+    const parentSpans = await waitForRunSpans(parentRunId, { timeoutMs: 10_000, minCount: 1 });
+    const childSpans = await waitForRunSpans(childRunId!, { timeoutMs: 10_000, minCount: 1 });
+
+    expect(parentSpans.length, 'collector MUST receive ≥1 span for the parent run').toBeGreaterThan(0);
+    expect(childSpans.length, 'collector MUST receive ≥1 span for the child run').toBeGreaterThan(0);
+
+    const wantTrace = traceId.toLowerCase();
+
+    const parentMatching = parentSpans.filter((s) => s.traceId.toLowerCase() === wantTrace);
+    expect(parentMatching.length, driver.describe(
+      'observability.md §"Trace context propagation"',
+      'parent-run spans MUST share the inbound traceparent traceId',
+    )).toBeGreaterThan(0);
+
+    const childMatching = childSpans.filter((s) => s.traceId.toLowerCase() === wantTrace);
+    expect(childMatching.length, driver.describe(
+      'observability.md §"Trace context propagation" + node-packs.md §core.subWorkflow',
+      'child-run spans dispatched via core.subWorkflow MUST inherit the parent run\'s traceId so distributed traces stitch across the dispatch boundary',
+    )).toBeGreaterThan(0);
+  });
+});

package/src/scenarios/registry-public.test.ts

@@ -26,6 +26,7 @@
  */
 
 import { describe, it, expect } from 'vitest';
+import { createHash, createPublicKey, verify as cryptoVerify } from 'node:crypto';
 
 const REGISTRY_BASE = 'https://packs.openwop.dev';
 const ENABLED = process.env.OPENWOP_TEST_PUBLIC_REGISTRY === 'true';
@@ -129,3 +130,93 @@ describe('registry-public: spec-canonical pack manifests resolve', () => {
     });
   }
 });
+
+describe('registry-public: tarball + signature + Ed25519 verify roundtrip', () => {
+  // core.openwop.examples@1.0.0 is the canonical reference pack for this
+  // check: published since the registry MVP, signed with the
+  // `openwop-registry-root` key over the whole tarball (method='ed25519').
+  // The same recipe applies to any pack at the registry; this scenario
+  // exercises the worst-case full roundtrip so clients have a wire-level
+  // contract for verifying packs before installing them.
+  //
+  // What gets asserted, in order:
+  //   1. Version manifest, tarball, signature, and public key all 200.
+  //   2. SRI integrity in the manifest matches a fresh sha256 of the
+  //      tarball bytes — protects against tarball tampering between
+  //      publish + retrieval.
+  //   3. Detached Ed25519 signature verifies against the public key over
+  //      the bytes the publisher signed (per signing.method).
+  const PACK_NAME = 'core.openwop.examples';
+  const PACK_VERSION = '1.0.0';
+
+  async function getBinary(path: string): Promise<{ status: number; bytes: Buffer }> {
+    const res = await fetch(`${REGISTRY_BASE}${path}`);
+    const ab = await res.arrayBuffer();
+    return { status: res.status, bytes: Buffer.from(ab) };
+  }
+
+  async function getText(path: string): Promise<{ status: number; body: string }> {
+    const res = await fetch(`${REGISTRY_BASE}${path}`);
+    const body = await res.text();
+    return { status: res.status, body };
+  }
+
+  it(`tarball + sig + public key all retrievable, SRI matches, Ed25519 verifies for ${PACK_NAME}@${PACK_VERSION}`, async () => {
+    if (!ENABLED) return;
+
+    // 1. Manifest (JSON).
+    const manifestRes = await get(`/v1/packs/${PACK_NAME}/-/${PACK_VERSION}.json`);
+    expect(manifestRes.status).toBe(200);
+    const manifest = manifestRes.json as {
+      signing?: { method?: string; keyId?: string; publicKeyUrl?: string };
+      integrity?: string;
+    };
+    expect(typeof manifest.signing?.method).toBe('string');
+    expect(typeof manifest.signing?.keyId).toBe('string');
+    expect(typeof manifest.integrity).toBe('string');
+
+    // 2. Tarball.
+    const tarball = await getBinary(`/v1/packs/${PACK_NAME}/-/${PACK_VERSION}.tgz`);
+    expect(tarball.status, 'tarball MUST be retrievable').toBe(200);
+    expect(tarball.bytes.byteLength, 'tarball MUST be non-empty').toBeGreaterThan(0);
+
+    // 3. Detached signature (64-byte raw Ed25519).
+    const sig = await getBinary(`/v1/packs/${PACK_NAME}/-/${PACK_VERSION}.sig`);
+    expect(sig.status, 'signature MUST be retrievable').toBe(200);
+    expect(sig.bytes.byteLength, 'Ed25519 detached signature MUST be 64 bytes').toBe(64);
+
+    // 4. Public key — fetch from the publisher-declared URL when present,
+    //    else fall back to the canonical `/keys/<keyId>.pub` shape.
+    const keyUrl = manifest.signing!.publicKeyUrl ?? `/keys/${manifest.signing!.keyId}.pub`;
+    const keyRes = await getText(keyUrl);
+    expect(keyRes.status, `public key MUST be retrievable at ${keyUrl}`).toBe(200);
+    const publicKey = createPublicKey(keyRes.body);
+
+    // 5. SRI integrity check: `sha256-<base64>=` MUST match a fresh
+    //    sha256 of the tarball bytes per registry-operations.md.
+    expect(manifest.integrity).toMatch(/^sha256-[A-Za-z0-9+/]+=*$/);
+    const expectedSri = `sha256-${createHash('sha256').update(tarball.bytes).digest('base64')}`;
+    expect(expectedSri, 'SRI integrity in manifest MUST match a fresh sha256 of the tarball').toBe(
+      manifest.integrity,
+    );
+
+    // 6. Ed25519 verification. Two canonical signing conventions per
+    //    `node-packs.md` §"Signing recipe": `method=ed25519` signs the
+    //    whole tarball; `method=manual` signs the pack.json bytes inside
+    //    the tarball. core.openwop.examples uses `ed25519`.
+    const method = manifest.signing!.method;
+    expect(['ed25519', 'manual']).toContain(method);
+
+    // For `ed25519` the signed bytes are the tarball; for `manual` the
+    // signed bytes are pack.json extracted from the tarball. This
+    // scenario picks `core.openwop.examples` specifically because it's
+    // `method=ed25519` — the simpler path. Extending to `manual` would
+    // require the tarball extractor from registry/scripts/verify-
+    // signatures.mjs which is intentionally out of scope here.
+    if (method !== 'ed25519') return;
+
+    const verified = cryptoVerify(null, tarball.bytes, publicKey, sig.bytes);
+    expect(verified, `Ed25519 signature over ${PACK_NAME}@${PACK_VERSION}.tgz MUST verify against ${manifest.signing!.keyId}`)
+      .toBe(true);
+  });
+});

package/src/scenarios/spec-corpus-validity.test.ts

@@ -789,11 +789,14 @@ describe.skipIf(
   () => {
     // describe.skipIf still evaluates the body for test registration; defaults guard against null
     // dirname() when sources are missing under the published-tarball layout. it() blocks below are
-    // skipped at run time, so the path values are never actually read.
+    // skipped at run time, so the path values are never actually read. The sentinel is
+    // intentionally an obviously-invalid path so a stack trace from any future code that DOES
+    // dereference it points the reader at this comment.
+    const UNUSED_IN_PUBLISHED_LAYOUT = '/__sdk_paths_unused_in_published_layout__';
     const sdkSources = {
-      typescript: TYPESCRIPT_RUN_HELPERS_PATH ?? '.',
-      python: PYTHON_TYPES_PATH ?? '.',
-      go: GO_TYPES_PATH ?? '.',
+      typescript: TYPESCRIPT_RUN_HELPERS_PATH ?? UNUSED_IN_PUBLISHED_LAYOUT,
+      python: PYTHON_TYPES_PATH ?? UNUSED_IN_PUBLISHED_LAYOUT,
+      go: GO_TYPES_PATH ?? UNUSED_IN_PUBLISHED_LAYOUT,
     };
     const sdkReadmes = {
       typescript: pathResolve(dirname(sdkSources.typescript), '..', 'README.md'),
@@ -1145,8 +1148,10 @@ describe.skipIf(README_PATH === null)('spec-corpus: local Markdown links resolve
 
         const target = pathResolve(dirname(file), decoded);
         // Published-tarball layout: the conformance README references ../spec/v1/... and other paths
-        // that resolve OUTSIDE the package boundary. Repo layout has the full tree available.
-        if (LAYOUT === 'published' && !target.startsWith(repoRoot)) continue;
+        // that resolve OUTSIDE the package boundary. Repo layout has the full tree available. The
+        // `target === repoRoot || target.startsWith(repoRoot + sep)` form avoids a sibling-path
+        // false-negative when repoRoot=/foo/bar and target=/foo/barbaz.
+        if (LAYOUT === 'published' && target !== repoRoot && !target.startsWith(repoRoot + '/')) continue;
         expect(
           existsSync(target),
           `${relFile} links to missing local target: ${link}`,