@openwop/openwop-conformance 1.1.0 → 1.2.0

package/src/scenarios/otel-trace-propagation-subworkflow.test.ts

@@ -0,0 +1,139 @@
+/**
+ * Track 11 close-out: cross-run trace-context propagation across
+ * `core.subWorkflow` invocation.
+ *
+ * `otel-trace-propagation.test.ts` verifies that a single run's spans
+ * inherit an inbound `traceparent`'s traceId. This scenario closes the
+ * remaining gap (`conformance/coverage.md` row 52: "Cross-host
+ * propagation across `core.subWorkflow` invocation"): when a parent
+ * run with a known inbound traceparent dispatches a child run via
+ * `core.subWorkflow`, the CHILD run's emitted spans MUST also share
+ * the parent's traceId — distributed traces stitch across the
+ * sub-workflow boundary without operator-side correlation hacks.
+ *
+ * Operator-tier value: in production deployments, a sub-workflow may
+ * execute on a different host instance (`core.subWorkflow` is a
+ * dispatch boundary, not necessarily an in-process call). The
+ * traceparent-propagation contract guarantees the operator's OTel
+ * backend can render parent + child as one trace tree even when
+ * they're on separate hosts.
+ *
+ * Skip conditions:
+ *   - Collector disabled.
+ *   - Host doesn't advertise `capabilities.observability`.
+ *   - `conformance-subworkflow-parent` fixture not advertised (host
+ *     doesn't implement `core.subWorkflow`).
+ *
+ * @see spec/v1/observability.md §"Trace context propagation"
+ * @see spec/v1/node-packs.md §`core.subWorkflow`
+ * @see conformance/coverage.md row 52
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+import { pollUntilTerminal } from '../lib/polling.js';
+import { isFixtureAdvertised } from '../lib/fixtures.js';
+import { getCollector, waitForRunSpans } from '../lib/otel-collector.js';
+
+const PARENT_FIXTURE = 'conformance-subworkflow-parent';
+
+interface RunEvent {
+  type: string;
+  nodeId?: string;
+  payload?: { outputs?: { childRunId?: string } };
+}
+
+function makeTraceparent(): { header: string; traceId: string } {
+  // W3C format: 00-<32 hex traceId>-<16 hex spanId>-01.
+  // Use a distinct id from the parent-only scenario so collector
+  // matching is unambiguous when both scenarios run back-to-back.
+  const traceId = '7c3e51b9d2a04e6f8b1c0d2e3f4a5b6c';
+  const spanId = '00f067aa0ba902b7';
+  return { header: `00-${traceId}-${spanId}-01`, traceId };
+}
+
+async function isObservabilityAdvertised(): Promise<boolean> {
+  try {
+    const disco = await driver.get('/.well-known/openwop');
+    const caps = (disco.json as { capabilities?: { observability?: unknown } }).capabilities ?? {};
+    return caps.observability !== undefined;
+  } catch {
+    return false;
+  }
+}
+
+describe('otel-trace-propagation-subworkflow: traceparent threads parent → child via core.subWorkflow', () => {
+  it('child run spans inherit the parent run\'s inbound traceId', async () => {
+    if (!getCollector()) {
+      // eslint-disable-next-line no-console
+      console.warn('[otel-trace-propagation-subworkflow] collector not started; skipping');
+      return;
+    }
+    if (!isFixtureAdvertised(PARENT_FIXTURE)) {
+      // eslint-disable-next-line no-console
+      console.warn(`[otel-trace-propagation-subworkflow] ${PARENT_FIXTURE} not advertised; skipping`);
+      return;
+    }
+    if (!(await isObservabilityAdvertised())) {
+      // eslint-disable-next-line no-console
+      console.warn('[otel-trace-propagation-subworkflow] capabilities.observability not advertised; skipping');
+      return;
+    }
+
+    const collector = getCollector()!;
+    collector.reset();
+
+    const { header, traceId } = makeTraceparent();
+    const create = await driver.post(
+      '/v1/runs',
+      { workflowId: PARENT_FIXTURE },
+      { headers: { traceparent: header } },
+    );
+    expect(create.status).toBe(201);
+    const parentRunId = (create.json as { runId: string }).runId;
+
+    await pollUntilTerminal(parentRunId, { timeoutMs: 30_000 });
+
+    // Walk the parent's event log to discover the child run id.
+    const eventsRes = await driver.get(
+      `/v1/runs/${encodeURIComponent(parentRunId)}/events/poll?lastSequence=0&timeout=1`,
+    );
+    expect(eventsRes.status).toBe(200);
+    const events = (eventsRes.json as { events?: RunEvent[] } | undefined)?.events ?? [];
+
+    const subwfCompleted = events.find(
+      (e) => e.type === 'node.completed' && e.nodeId === 'subwf-call',
+    );
+    expect(subwfCompleted, driver.describe(
+      'node-packs.md §core.subWorkflow',
+      'parent event log MUST include node.completed for the subwf-call node',
+    )).toBeDefined();
+
+    const childRunId = subwfCompleted?.payload?.outputs?.childRunId;
+    expect(typeof childRunId, driver.describe(
+      'node-packs.md §core.subWorkflow outputSchema',
+      'subwf-call node.completed payload MUST carry outputs.childRunId',
+    )).toBe('string');
+
+    // Both parent + child spans MUST share the inbound traceId.
+    const parentSpans = await waitForRunSpans(parentRunId, { timeoutMs: 10_000, minCount: 1 });
+    const childSpans = await waitForRunSpans(childRunId!, { timeoutMs: 10_000, minCount: 1 });
+
+    expect(parentSpans.length, 'collector MUST receive ≥1 span for the parent run').toBeGreaterThan(0);
+    expect(childSpans.length, 'collector MUST receive ≥1 span for the child run').toBeGreaterThan(0);
+
+    const wantTrace = traceId.toLowerCase();
+
+    const parentMatching = parentSpans.filter((s) => s.traceId.toLowerCase() === wantTrace);
+    expect(parentMatching.length, driver.describe(
+      'observability.md §"Trace context propagation"',
+      'parent-run spans MUST share the inbound traceparent traceId',
+    )).toBeGreaterThan(0);
+
+    const childMatching = childSpans.filter((s) => s.traceId.toLowerCase() === wantTrace);
+    expect(childMatching.length, driver.describe(
+      'observability.md §"Trace context propagation" + node-packs.md §core.subWorkflow',
+      'child-run spans dispatched via core.subWorkflow MUST inherit the parent run\'s traceId so distributed traces stitch across the dispatch boundary',
+    )).toBeGreaterThan(0);
+  });
+});

package/src/scenarios/pause-resume.test.ts

@@ -226,3 +226,46 @@ describe.skipIf(SKIP)('pause/resume: :pause-during-suspend race', () => {
     });
   });
 });
+
+// CF-2 close-out — drain-policy discrimination per
+// `capabilities.md` §`runs.pauseResume`. When a host advertises
+// `drainPolicies[]`, each advertised value MUST be accepted with 202.
+// Skips entirely when no advertisement is present.
+describe.skipIf(SKIP)('pause/resume: drainPolicy discrimination per capabilities advertisement', () => {
+  it('every drainPolicy advertised by the host is accepted on :pause', async () => {
+    const disco = await driver.get('/.well-known/openwop');
+    const drainPolicies =
+      (disco.json as {
+        capabilities?: { runs?: { pauseResume?: { drainPolicies?: string[] } } };
+      }).capabilities?.runs?.pauseResume?.drainPolicies ?? [];
+    if (drainPolicies.length === 0) {
+      // eslint-disable-next-line no-console
+      console.warn('[pause-resume] host advertises no drainPolicies; skipping policy-discrimination subtest');
+      return;
+    }
+
+    for (const policy of drainPolicies) {
+      const create = await driver.post('/v1/runs', {
+        workflowId: FIXTURE!,
+        inputs: { delaySeconds: 30 },
+      });
+      expect(create.status).toBe(201);
+      const runId = (create.json as { runId: string }).runId;
+
+      await pollUntilStatus(runId, 'running', { timeoutMs: 10_000 });
+
+      const pause = await driver.post(`/v1/runs/${encodeURIComponent(runId)}:pause`, {
+        reason: `conformance-drainpolicy-${policy}`,
+        drainPolicy: policy,
+      });
+      expect(pause.status, driver.describe(
+        'capabilities.md §`runs.pauseResume.drainPolicies` + rest-endpoints.md POST /v1/runs/{runId}:pause',
+        `host-advertised drainPolicy='${policy}' MUST be accepted on :pause`,
+      )).toBe(202);
+
+      await driver.post(`/v1/runs/${encodeURIComponent(runId)}/cancel`, {
+        reason: 'conformance-cleanup',
+      });
+    }
+  });
+});

package/src/scenarios/queue-ack-nack-dlq.test.ts

@@ -0,0 +1,67 @@
+/**
+ * queue-ack-nack-dlq — RFC 0017 advertisement-shape verification + behavioral placeholders.
+ *
+ * Status: ACTIVE (advertisement-shape). RFC 0017 promoted to `Active`
+ * 2026-05-17. The matching `capabilities.queueBus` block has landed in
+ * `schemas/capabilities.schema.json`. This scenario asserts the advertisement
+ * shape against any host that boots the conformance suite, and keeps the
+ * deeper behavioral assertions as `it.todo()` until a reference host wires
+ * a test seam.
+ *
+ * Summary: nack returns for redelivery; deadLetter routes to the configured DLQ.
+ *
+ * @see RFCS/0017-*.md
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+
+interface DiscoveryDoc {
+  capabilities?: Record<string, unknown>;
+}
+
+async function readCap(): Promise<Record<string, unknown> | null> {
+  const res = await driver.get('/.well-known/openwop');
+  const body = res.json as DiscoveryDoc | undefined;
+  const top = body?.capabilities as Record<string, unknown> | undefined;
+  const final = (top && typeof top === 'object') ? (top as Record<string, unknown>)["queueBus"] : undefined;
+  return (final && typeof final === 'object' ? (final as Record<string, unknown>) : null);
+}
+
+describe('queue-ack-nack-dlq: advertisement shape (RFC 0017)', () => {
+  it('capabilities.queueBus is either absent or a well-formed object', async () => {
+    const cap = await readCap();
+    if (cap === null) return; // host doesn't advertise — skip
+    expect(
+      typeof cap.supported,
+      driver.describe(
+        'capabilities.schema.json §queueBus',
+        'capabilities.queueBus.supported MUST be a boolean when present',
+      ),
+    ).toBe('boolean');
+  });
+
+  it('deadLetterSupported is a boolean when set', async () => {
+    const cap = await readCap();
+    if (!cap || cap.supported !== true) return;
+    const subParts = ["deadLetterSupported"];
+    let sub: unknown = cap;
+    for (const p of subParts) {
+      if (sub && typeof sub === 'object') sub = (sub as Record<string, unknown>)[p];
+      else { sub = undefined; break; }
+    }
+    if (sub === undefined) return; // optional sub-field
+    expect(
+      typeof sub,
+      driver.describe(
+        'RFC 0017 §A',
+        'queueBus.deadLetterSupported MUST be boolean when present',
+      ),
+    ).toBe('boolean');
+  });
+});
+
+describe('queue-ack-nack-dlq: behavioral assertions (placeholders — need host test seam)', () => {
+  it.todo("nack(requeue=true) → message is redelivered on next consume");
+  it.todo("deadLetter → message appears on the configured DLQ");
+});

package/src/scenarios/queue-cross-tenant-isolation.test.ts

@@ -0,0 +1,66 @@
+/**
+ * queue-cross-tenant-isolation — RFC 0017 §C + SECURITY/invariants.yaml
+ * `queue-cross-tenant-isolation`.
+ *
+ * Status: ACTIVE (advertisement + behavioral). Asserts that messages
+ * published under tenant A on topic T MUST NOT be consumed under tenant B
+ * on the same topic.
+ *
+ * @see RFCS/0017-host-queue-bus-capability.md
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+
+interface DiscoveryDoc {
+  capabilities?: Record<string, unknown>;
+}
+
+async function readCap(): Promise<Record<string, unknown> | null> {
+  const res = await driver.get('/.well-known/openwop');
+  const body = res.json as DiscoveryDoc | undefined;
+  const top = body?.capabilities as Record<string, unknown> | undefined;
+  const final = (top && typeof top === 'object') ? (top as Record<string, unknown>)["queueBus"] : undefined;
+  return (final && typeof final === 'object' ? (final as Record<string, unknown>) : null);
+}
+
+async function call(tenantId: string, op: string, args: Record<string, unknown>) {
+  return driver.post('/v1/host/sample/test/surface', { tenantId, surface: 'queueBus', op, args });
+}
+
+describe('queue-cross-tenant-isolation: advertisement shape (RFC 0017)', () => {
+  it('capabilities.queueBus is either absent or a well-formed object', async () => {
+    const cap = await readCap();
+    if (cap === null) return;
+    expect(
+      typeof cap.supported,
+      driver.describe(
+        'capabilities.schema.json §queueBus',
+        'capabilities.queueBus.supported MUST be a boolean when present',
+      ),
+    ).toBe('boolean');
+  });
+});
+
+describe('queue-cross-tenant-isolation: behavioral (RFC 0017 §C)', () => {
+  it('publish under tenant A → consume under tenant B returns not-found', async () => {
+    const cap = await readCap();
+    if (!cap || cap.supported !== true) return;
+    const topic = `xtenant.${Date.now()}.${Math.random().toString(36).slice(2, 6)}`;
+
+    const pubRes = await call('tenant-a', 'publish', { topic, payload: { hello: 'A' } });
+    if (pubRes.status === 404) return;
+    expect(pubRes.status, 'publish MUST succeed').toBe(200);
+
+    const consRes = await call('tenant-b', 'consume', { topic, timeoutMs: 100 });
+    expect(consRes.status).toBe(200);
+    const body = consRes.json as { found?: boolean };
+    expect(
+      body.found,
+      driver.describe(
+        'SECURITY/invariants.yaml queue-cross-tenant-isolation',
+        'tenant B MUST NOT consume tenant A messages on the same topic',
+      ),
+    ).toBe(false);
+  });
+});

package/src/scenarios/queue-publish-consume-roundtrip.test.ts

@@ -0,0 +1,48 @@
+/**
+ * queue-publish-consume-roundtrip — RFC 0017 advertisement-shape verification + behavioral placeholders.
+ *
+ * Status: ACTIVE (advertisement-shape). RFC 0017 promoted to `Active`
+ * 2026-05-17. The matching `capabilities.queueBus` block has landed in
+ * `schemas/capabilities.schema.json`. This scenario asserts the advertisement
+ * shape against any host that boots the conformance suite, and keeps the
+ * deeper behavioral assertions as `it.todo()` until a reference host wires
+ * a test seam.
+ *
+ * Summary: publish + consume + ack roundtrip.
+ *
+ * @see RFCS/0017-*.md
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+
+interface DiscoveryDoc {
+  capabilities?: Record<string, unknown>;
+}
+
+async function readCap(): Promise<Record<string, unknown> | null> {
+  const res = await driver.get('/.well-known/openwop');
+  const body = res.json as DiscoveryDoc | undefined;
+  const top = body?.capabilities as Record<string, unknown> | undefined;
+  const final = (top && typeof top === 'object') ? (top as Record<string, unknown>)["queueBus"] : undefined;
+  return (final && typeof final === 'object' ? (final as Record<string, unknown>) : null);
+}
+
+describe('queue-publish-consume-roundtrip: advertisement shape (RFC 0017)', () => {
+  it('capabilities.queueBus is either absent or a well-formed object', async () => {
+    const cap = await readCap();
+    if (cap === null) return; // host doesn't advertise — skip
+    expect(
+      typeof cap.supported,
+      driver.describe(
+        'capabilities.schema.json §queueBus',
+        'capabilities.queueBus.supported MUST be a boolean when present',
+      ),
+    ).toBe('boolean');
+  });
+});
+
+describe('queue-publish-consume-roundtrip: behavioral assertions (placeholders — need host test seam)', () => {
+  it.todo("publish → consume returns the message with the right payload + headers");
+  it.todo("ack removes the message; subsequent consume returns not-found within timeout");
+});

package/src/scenarios/registry-public.test.ts

@@ -26,6 +26,7 @@
  */
 
 import { describe, it, expect } from 'vitest';
+import { createHash, createPublicKey, verify as cryptoVerify } from 'node:crypto';
 
 const REGISTRY_BASE = 'https://packs.openwop.dev';
 const ENABLED = process.env.OPENWOP_TEST_PUBLIC_REGISTRY === 'true';
@@ -129,3 +130,93 @@ describe('registry-public: spec-canonical pack manifests resolve', () => {
     });
   }
 });
+
+describe('registry-public: tarball + signature + Ed25519 verify roundtrip', () => {
+  // core.openwop.examples@1.0.0 is the canonical reference pack for this
+  // check: published since the registry MVP, signed with the
+  // `openwop-registry-root` key over the whole tarball (method='ed25519').
+  // The same recipe applies to any pack at the registry; this scenario
+  // exercises the worst-case full roundtrip so clients have a wire-level
+  // contract for verifying packs before installing them.
+  //
+  // What gets asserted, in order:
+  //   1. Version manifest, tarball, signature, and public key all 200.
+  //   2. SRI integrity in the manifest matches a fresh sha256 of the
+  //      tarball bytes — protects against tarball tampering between
+  //      publish + retrieval.
+  //   3. Detached Ed25519 signature verifies against the public key over
+  //      the bytes the publisher signed (per signing.method).
+  const PACK_NAME = 'core.openwop.examples';
+  const PACK_VERSION = '1.0.0';
+
+  async function getBinary(path: string): Promise<{ status: number; bytes: Buffer }> {
+    const res = await fetch(`${REGISTRY_BASE}${path}`);
+    const ab = await res.arrayBuffer();
+    return { status: res.status, bytes: Buffer.from(ab) };
+  }
+
+  async function getText(path: string): Promise<{ status: number; body: string }> {
+    const res = await fetch(`${REGISTRY_BASE}${path}`);
+    const body = await res.text();
+    return { status: res.status, body };
+  }
+
+  it(`tarball + sig + public key all retrievable, SRI matches, Ed25519 verifies for ${PACK_NAME}@${PACK_VERSION}`, async () => {
+    if (!ENABLED) return;
+
+    // 1. Manifest (JSON).
+    const manifestRes = await get(`/v1/packs/${PACK_NAME}/-/${PACK_VERSION}.json`);
+    expect(manifestRes.status).toBe(200);
+    const manifest = manifestRes.json as {
+      signing?: { method?: string; keyId?: string; publicKeyUrl?: string };
+      integrity?: string;
+    };
+    expect(typeof manifest.signing?.method).toBe('string');
+    expect(typeof manifest.signing?.keyId).toBe('string');
+    expect(typeof manifest.integrity).toBe('string');
+
+    // 2. Tarball.
+    const tarball = await getBinary(`/v1/packs/${PACK_NAME}/-/${PACK_VERSION}.tgz`);
+    expect(tarball.status, 'tarball MUST be retrievable').toBe(200);
+    expect(tarball.bytes.byteLength, 'tarball MUST be non-empty').toBeGreaterThan(0);
+
+    // 3. Detached signature (64-byte raw Ed25519).
+    const sig = await getBinary(`/v1/packs/${PACK_NAME}/-/${PACK_VERSION}.sig`);
+    expect(sig.status, 'signature MUST be retrievable').toBe(200);
+    expect(sig.bytes.byteLength, 'Ed25519 detached signature MUST be 64 bytes').toBe(64);
+
+    // 4. Public key — fetch from the publisher-declared URL when present,
+    //    else fall back to the canonical `/keys/<keyId>.pub` shape.
+    const keyUrl = manifest.signing!.publicKeyUrl ?? `/keys/${manifest.signing!.keyId}.pub`;
+    const keyRes = await getText(keyUrl);
+    expect(keyRes.status, `public key MUST be retrievable at ${keyUrl}`).toBe(200);
+    const publicKey = createPublicKey(keyRes.body);
+
+    // 5. SRI integrity check: `sha256-<base64>=` MUST match a fresh
+    //    sha256 of the tarball bytes per registry-operations.md.
+    expect(manifest.integrity).toMatch(/^sha256-[A-Za-z0-9+/]+=*$/);
+    const expectedSri = `sha256-${createHash('sha256').update(tarball.bytes).digest('base64')}`;
+    expect(expectedSri, 'SRI integrity in manifest MUST match a fresh sha256 of the tarball').toBe(
+      manifest.integrity,
+    );
+
+    // 6. Ed25519 verification. Two canonical signing conventions per
+    //    `node-packs.md` §"Signing recipe": `method=ed25519` signs the
+    //    whole tarball; `method=manual` signs the pack.json bytes inside
+    //    the tarball. core.openwop.examples uses `ed25519`.
+    const method = manifest.signing!.method;
+    expect(['ed25519', 'manual']).toContain(method);
+
+    // For `ed25519` the signed bytes are the tarball; for `manual` the
+    // signed bytes are pack.json extracted from the tarball. This
+    // scenario picks `core.openwop.examples` specifically because it's
+    // `method=ed25519` — the simpler path. Extending to `manual` would
+    // require the tarball extractor from registry/scripts/verify-
+    // signatures.mjs which is intentionally out of scope here.
+    if (method !== 'ed25519') return;
+
+    const verified = cryptoVerify(null, tarball.bytes, publicKey, sig.bytes);
+    expect(verified, `Ed25519 signature over ${PACK_NAME}@${PACK_VERSION}.tgz MUST verify against ${manifest.signing!.keyId}`)
+      .toBe(true);
+  });
+});

package/src/scenarios/search-bm25-roundtrip.test.ts

@@ -0,0 +1,47 @@
+/**
+ * search-bm25-roundtrip — RFC 0018 advertisement-shape verification + behavioral placeholders.
+ *
+ * Status: ACTIVE (advertisement-shape). RFC 0018 promoted to `Active`
+ * 2026-05-17. The matching `capabilities.searchIndex` block has landed in
+ * `schemas/capabilities.schema.json`. This scenario asserts the advertisement
+ * shape against any host that boots the conformance suite, and keeps the
+ * deeper behavioral assertions as `it.todo()` until a reference host wires
+ * a test seam.
+ *
+ * Summary: index then query returns relevant documents.
+ *
+ * @see RFCS/0018-*.md
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+
+interface DiscoveryDoc {
+  capabilities?: Record<string, unknown>;
+}
+
+async function readCap(): Promise<Record<string, unknown> | null> {
+  const res = await driver.get('/.well-known/openwop');
+  const body = res.json as DiscoveryDoc | undefined;
+  const top = body?.capabilities as Record<string, unknown> | undefined;
+  const final = (top && typeof top === 'object') ? (top as Record<string, unknown>)["searchIndex"] : undefined;
+  return (final && typeof final === 'object' ? (final as Record<string, unknown>) : null);
+}
+
+describe('search-bm25-roundtrip: advertisement shape (RFC 0018)', () => {
+  it('capabilities.searchIndex is either absent or a well-formed object', async () => {
+    const cap = await readCap();
+    if (cap === null) return; // host doesn't advertise — skip
+    expect(
+      typeof cap.supported,
+      driver.describe(
+        'capabilities.schema.json §searchIndex',
+        'capabilities.searchIndex.supported MUST be a boolean when present',
+      ),
+    ).toBe('boolean');
+  });
+});
+
+describe('search-bm25-roundtrip: behavioral assertions (placeholders — need host test seam)', () => {
+  it.todo("index 3 docs → query returns relevance-ranked hits");
+});

package/src/scenarios/spec-corpus-validity.test.ts

@@ -69,7 +69,23 @@ import {
 // ── Helpers ─────────────────────────────────────────────────────────────
 
 function listJsonFiles(dir: string): string[] {
-  return readdirSync(dir).filter((f) => f.endsWith('.json'));
+  // Recurse into subdirectories so e.g. `schemas/envelopes/*.schema.json`
+  // appears as `envelopes/<file>` to match the README's path-prefixed
+  // table entries. Preserves the non-recursive-relative-output contract
+  // for files directly under `dir`.
+  const out: string[] = [];
+  const walk = (subPath: string): void => {
+    const fullPath = subPath === '' ? dir : `${dir}/${subPath}`;
+    for (const entry of readdirSync(fullPath, { withFileTypes: true })) {
+      if (entry.isDirectory()) {
+        walk(subPath === '' ? entry.name : `${subPath}/${entry.name}`);
+      } else if (entry.isFile() && entry.name.endsWith('.json')) {
+        out.push(subPath === '' ? entry.name : `${subPath}/${entry.name}`);
+      }
+    }
+  };
+  walk('');
+  return out;
 }
 
 function listScenarioTestFiles(dir: string): string[] {
@@ -789,11 +805,14 @@ describe.skipIf(
   () => {
     // describe.skipIf still evaluates the body for test registration; defaults guard against null
     // dirname() when sources are missing under the published-tarball layout. it() blocks below are
-    // skipped at run time, so the path values are never actually read.
+    // skipped at run time, so the path values are never actually read. The sentinel is
+    // intentionally an obviously-invalid path so a stack trace from any future code that DOES
+    // dereference it points the reader at this comment.
+    const UNUSED_IN_PUBLISHED_LAYOUT = '/__sdk_paths_unused_in_published_layout__';
     const sdkSources = {
-      typescript: TYPESCRIPT_RUN_HELPERS_PATH ?? '.',
-      python: PYTHON_TYPES_PATH ?? '.',
-      go: GO_TYPES_PATH ?? '.',
+      typescript: TYPESCRIPT_RUN_HELPERS_PATH ?? UNUSED_IN_PUBLISHED_LAYOUT,
+      python: PYTHON_TYPES_PATH ?? UNUSED_IN_PUBLISHED_LAYOUT,
+      go: GO_TYPES_PATH ?? UNUSED_IN_PUBLISHED_LAYOUT,
     };
     const sdkReadmes = {
       typescript: pathResolve(dirname(sdkSources.typescript), '..', 'README.md'),
@@ -1145,8 +1164,10 @@ describe.skipIf(README_PATH === null)('spec-corpus: local Markdown links resolve
 
         const target = pathResolve(dirname(file), decoded);
         // Published-tarball layout: the conformance README references ../spec/v1/... and other paths
-        // that resolve OUTSIDE the package boundary. Repo layout has the full tree available.
-        if (LAYOUT === 'published' && !target.startsWith(repoRoot)) continue;
+        // that resolve OUTSIDE the package boundary. Repo layout has the full tree available. The
+        // `target === repoRoot || target.startsWith(repoRoot + sep)` form avoids a sibling-path
+        // false-negative when repoRoot=/foo/bar and target=/foo/barbaz.
+        if (LAYOUT === 'published' && target !== repoRoot && !target.startsWith(repoRoot + '/')) continue;
         expect(
           existsSync(target),
           `${relFile} links to missing local target: ${link}`,

package/src/scenarios/sql-injection-rejection.test.ts

@@ -0,0 +1,84 @@
+/**
+ * sql-injection-rejection — RFC 0018 §C + SECURITY/invariants.yaml
+ * `sql-parametric-only`.
+ *
+ * Status: ACTIVE (advertisement + behavioral). The host's SQL surface
+ * MUST treat parameter values as literal data, not SQL fragments. We
+ * verify by binding an injection-shape string as a parameter and
+ * confirming it returns no rows (parametric binding turns it into a
+ * literal value comparison rather than an OR-true).
+ *
+ * @see RFCS/0018-host-sql-vector-search-capability.md
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+
+interface DiscoveryDoc {
+  capabilities?: Record<string, unknown>;
+}
+
+async function readCap(): Promise<Record<string, unknown> | null> {
+  const res = await driver.get('/.well-known/openwop');
+  const body = res.json as DiscoveryDoc | undefined;
+  const top = body?.capabilities as Record<string, unknown> | undefined;
+  const final = (top && typeof top === 'object') ? (top as Record<string, unknown>)["sql"] : undefined;
+  return (final && typeof final === 'object' ? (final as Record<string, unknown>) : null);
+}
+
+async function call(op: string, args: Record<string, unknown>) {
+  return driver.post('/v1/host/sample/test/surface', { tenantId: 'tenant-a', surface: 'sql', op, args });
+}
+
+describe('sql-injection-rejection: advertisement shape (RFC 0018)', () => {
+  it('capabilities.sql is either absent or a well-formed object', async () => {
+    const cap = await readCap();
+    if (cap === null) return;
+    expect(
+      typeof cap.supported,
+      driver.describe(
+        'capabilities.schema.json §sql',
+        'capabilities.sql.supported MUST be a boolean when present',
+      ),
+    ).toBe('boolean');
+  });
+});
+
+describe('sql-injection-rejection: behavioral (RFC 0018 §C)', () => {
+  it('parametric SELECT with bound user input rejects injection-shape strings as data', async () => {
+    const cap = await readCap();
+    if (!cap || cap.supported !== true) return;
+
+    const create = await call('execute', {
+      sql: `CREATE TABLE IF NOT EXISTS sql_inj_t (id TEXT PRIMARY KEY, body TEXT)`,
+      params: [],
+    });
+    if (create.status === 404) return;
+    await call('execute', { sql: `INSERT OR REPLACE INTO sql_inj_t VALUES (?, ?)`, params: ['k1', 'ok'] });
+
+    // Parametric round-trip MUST succeed.
+    const okRes = await call('query', {
+      sql: `SELECT body FROM sql_inj_t WHERE id = ?`,
+      params: ['k1'],
+    });
+    expect(okRes.status).toBe(200);
+    const okBody = okRes.json as { rows?: Array<Record<string, unknown>> };
+    expect(okBody.rows?.[0]?.body, 'parametric round-trip MUST return stored value').toBe('ok');
+
+    // Injection-shape input MUST be bound as a literal value, not SQL.
+    const attack = `' OR '1'='1`;
+    const attackRes = await call('query', {
+      sql: `SELECT body FROM sql_inj_t WHERE id = ?`,
+      params: [attack],
+    });
+    expect(attackRes.status).toBe(200);
+    const attackBody = attackRes.json as { rows?: Array<Record<string, unknown>> };
+    expect(
+      Array.isArray(attackBody.rows) ? attackBody.rows.length : -1,
+      driver.describe(
+        'SECURITY/invariants.yaml sql-parametric-only',
+        'parametric binding MUST treat injection-shape input as a literal value, not SQL',
+      ),
+    ).toBe(0);
+  });
+});