@openwop/openwop-conformance 1.1.1 → 1.2.0

package/src/scenarios/mcp-server-untrusted-args.test.ts

@@ -0,0 +1,105 @@
+/**
+ * mcp-server-untrusted-args — RFC 0020 §D + SECURITY/invariants.yaml
+ * `mcp-server-untrusted-args`.
+ *
+ * Status: ACTIVE (advertisement + behavioral). Asserts that tools/call
+ * with arguments violating the registered inputSchema is rejected with
+ * JSON-RPC `-32602 invalid params` BEFORE any workflow side-effects.
+ *
+ * @see RFCS/0020-host-mcp-server-composition.md
+ * @see SECURITY/invariants.yaml — mcp-server-untrusted-args
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+
+interface DiscoveryDoc {
+  capabilities?: Record<string, unknown>;
+}
+
+async function readCap(): Promise<Record<string, unknown> | null> {
+  const res = await driver.get('/.well-known/openwop');
+  const body = res.json as DiscoveryDoc | undefined;
+  const top = body?.capabilities as Record<string, unknown> | undefined;
+  const cur = (top && typeof top === 'object') ? (top as Record<string, unknown>)["mcp"] : undefined;
+  const final = (cur && typeof cur === 'object') ? (cur as Record<string, unknown>)["serverMount"] : undefined;
+  return (final && typeof final === 'object' ? (final as Record<string, unknown>) : null);
+}
+
+async function rpc(method: string, params?: Record<string, unknown>) {
+  const id = Math.floor(Math.random() * 1e6);
+  const req: Record<string, unknown> = { jsonrpc: '2.0', id, method };
+  if (params !== undefined) req.params = params;
+  const res = await driver.post('/v1/host/sample/mcp', req);
+  return { status: res.status, body: res.json as { result?: unknown; error?: { code: number; message: string; data?: unknown } } };
+}
+
+const TEST_TOOL_NAME = `inj_${Date.now()}_${Math.random().toString(36).slice(2, 6)}`;
+
+async function registerStrictWorkflow(): Promise<boolean> {
+  const res = await driver.post('/v1/host/sample/workflows', {
+    workflowId: `mcp.untrusted.${Date.now()}`,
+    nodes: [
+      {
+        nodeId: 'expose',
+        typeId: 'core.openwop.mcp.expose-tool',
+        config: {
+          name: TEST_TOOL_NAME,
+          description: 'Strict-schema tool',
+          inputSchema: {
+            type: 'object',
+            properties: { text: { type: 'string' } },
+            required: ['text'],
+            additionalProperties: false,
+          },
+        },
+      },
+    ],
+  });
+  return res.status === 200 || res.status === 201;
+}
+
+describe('mcp-server-untrusted-args: advertisement shape (RFC 0020)', () => {
+  it('capabilities.mcp.serverMount is well-formed when present', async () => {
+    const cap = await readCap();
+    if (cap === null) return;
+    expect(typeof cap.supported).toBe('boolean');
+  });
+});
+
+describe('mcp-server-untrusted-args: behavioral (RFC 0020 §D)', () => {
+  it('tools/call with malformed arguments is rejected with JSON-RPC -32602 BEFORE workflow start', async () => {
+    const cap = await readCap();
+    if (!cap || cap.supported !== true) return;
+    if (!(await registerStrictWorkflow())) return;
+
+    const r = await rpc('tools/call', {
+      name: TEST_TOOL_NAME,
+      arguments: { wrongField: 'no' },
+    });
+    if (r.status === 404) return;
+    expect(r.status, 'JSON-RPC envelope MUST 200').toBe(200);
+    expect(
+      r.body.error?.code,
+      driver.describe(
+        'SECURITY/invariants.yaml mcp-server-untrusted-args',
+        'malformed arguments MUST be rejected with -32602 invalid params before workflow start',
+      ),
+    ).toBe(-32602);
+    expect(r.body.error?.data, 'error.data MUST carry validation violations').toBeDefined();
+  });
+
+  it('tools/call with valid arguments is accepted', async () => {
+    const cap = await readCap();
+    if (!cap || cap.supported !== true) return;
+    const r = await rpc('tools/call', {
+      name: TEST_TOOL_NAME,
+      arguments: { text: 'hello' },
+    });
+    if (r.status === 404) return;
+    expect(r.status).toBe(200);
+    if (r.body.error) {
+      expect(r.body.error.code, 'valid args MUST NOT trigger -32602').not.toBe(-32602);
+    }
+  });
+});

package/src/scenarios/pause-resume.test.ts

@@ -226,3 +226,46 @@ describe.skipIf(SKIP)('pause/resume: :pause-during-suspend race', () => {
     });
   });
 });
+
+// CF-2 close-out — drain-policy discrimination per
+// `capabilities.md` §`runs.pauseResume`. When a host advertises
+// `drainPolicies[]`, each advertised value MUST be accepted with 202.
+// Skips entirely when no advertisement is present.
+describe.skipIf(SKIP)('pause/resume: drainPolicy discrimination per capabilities advertisement', () => {
+  it('every drainPolicy advertised by the host is accepted on :pause', async () => {
+    const disco = await driver.get('/.well-known/openwop');
+    const drainPolicies =
+      (disco.json as {
+        capabilities?: { runs?: { pauseResume?: { drainPolicies?: string[] } } };
+      }).capabilities?.runs?.pauseResume?.drainPolicies ?? [];
+    if (drainPolicies.length === 0) {
+      // eslint-disable-next-line no-console
+      console.warn('[pause-resume] host advertises no drainPolicies; skipping policy-discrimination subtest');
+      return;
+    }
+
+    for (const policy of drainPolicies) {
+      const create = await driver.post('/v1/runs', {
+        workflowId: FIXTURE!,
+        inputs: { delaySeconds: 30 },
+      });
+      expect(create.status).toBe(201);
+      const runId = (create.json as { runId: string }).runId;
+
+      await pollUntilStatus(runId, 'running', { timeoutMs: 10_000 });
+
+      const pause = await driver.post(`/v1/runs/${encodeURIComponent(runId)}:pause`, {
+        reason: `conformance-drainpolicy-${policy}`,
+        drainPolicy: policy,
+      });
+      expect(pause.status, driver.describe(
+        'capabilities.md §`runs.pauseResume.drainPolicies` + rest-endpoints.md POST /v1/runs/{runId}:pause',
+        `host-advertised drainPolicy='${policy}' MUST be accepted on :pause`,
+      )).toBe(202);
+
+      await driver.post(`/v1/runs/${encodeURIComponent(runId)}/cancel`, {
+        reason: 'conformance-cleanup',
+      });
+    }
+  });
+});

package/src/scenarios/queue-ack-nack-dlq.test.ts

@@ -0,0 +1,67 @@
+/**
+ * queue-ack-nack-dlq — RFC 0017 advertisement-shape verification + behavioral placeholders.
+ *
+ * Status: ACTIVE (advertisement-shape). RFC 0017 promoted to `Active`
+ * 2026-05-17. The matching `capabilities.queueBus` block has landed in
+ * `schemas/capabilities.schema.json`. This scenario asserts the advertisement
+ * shape against any host that boots the conformance suite, and keeps the
+ * deeper behavioral assertions as `it.todo()` until a reference host wires
+ * a test seam.
+ *
+ * Summary: nack returns for redelivery; deadLetter routes to the configured DLQ.
+ *
+ * @see RFCS/0017-*.md
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+
+interface DiscoveryDoc {
+  capabilities?: Record<string, unknown>;
+}
+
+async function readCap(): Promise<Record<string, unknown> | null> {
+  const res = await driver.get('/.well-known/openwop');
+  const body = res.json as DiscoveryDoc | undefined;
+  const top = body?.capabilities as Record<string, unknown> | undefined;
+  const final = (top && typeof top === 'object') ? (top as Record<string, unknown>)["queueBus"] : undefined;
+  return (final && typeof final === 'object' ? (final as Record<string, unknown>) : null);
+}
+
+describe('queue-ack-nack-dlq: advertisement shape (RFC 0017)', () => {
+  it('capabilities.queueBus is either absent or a well-formed object', async () => {
+    const cap = await readCap();
+    if (cap === null) return; // host doesn't advertise — skip
+    expect(
+      typeof cap.supported,
+      driver.describe(
+        'capabilities.schema.json §queueBus',
+        'capabilities.queueBus.supported MUST be a boolean when present',
+      ),
+    ).toBe('boolean');
+  });
+
+  it('deadLetterSupported is a boolean when set', async () => {
+    const cap = await readCap();
+    if (!cap || cap.supported !== true) return;
+    const subParts = ["deadLetterSupported"];
+    let sub: unknown = cap;
+    for (const p of subParts) {
+      if (sub && typeof sub === 'object') sub = (sub as Record<string, unknown>)[p];
+      else { sub = undefined; break; }
+    }
+    if (sub === undefined) return; // optional sub-field
+    expect(
+      typeof sub,
+      driver.describe(
+        'RFC 0017 §A',
+        'queueBus.deadLetterSupported MUST be boolean when present',
+      ),
+    ).toBe('boolean');
+  });
+});
+
+describe('queue-ack-nack-dlq: behavioral assertions (placeholders — need host test seam)', () => {
+  it.todo("nack(requeue=true) → message is redelivered on next consume");
+  it.todo("deadLetter → message appears on the configured DLQ");
+});

package/src/scenarios/queue-cross-tenant-isolation.test.ts

@@ -0,0 +1,66 @@
+/**
+ * queue-cross-tenant-isolation — RFC 0017 §C + SECURITY/invariants.yaml
+ * `queue-cross-tenant-isolation`.
+ *
+ * Status: ACTIVE (advertisement + behavioral). Asserts that messages
+ * published under tenant A on topic T MUST NOT be consumed under tenant B
+ * on the same topic.
+ *
+ * @see RFCS/0017-host-queue-bus-capability.md
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+
+interface DiscoveryDoc {
+  capabilities?: Record<string, unknown>;
+}
+
+async function readCap(): Promise<Record<string, unknown> | null> {
+  const res = await driver.get('/.well-known/openwop');
+  const body = res.json as DiscoveryDoc | undefined;
+  const top = body?.capabilities as Record<string, unknown> | undefined;
+  const final = (top && typeof top === 'object') ? (top as Record<string, unknown>)["queueBus"] : undefined;
+  return (final && typeof final === 'object' ? (final as Record<string, unknown>) : null);
+}
+
+async function call(tenantId: string, op: string, args: Record<string, unknown>) {
+  return driver.post('/v1/host/sample/test/surface', { tenantId, surface: 'queueBus', op, args });
+}
+
+describe('queue-cross-tenant-isolation: advertisement shape (RFC 0017)', () => {
+  it('capabilities.queueBus is either absent or a well-formed object', async () => {
+    const cap = await readCap();
+    if (cap === null) return;
+    expect(
+      typeof cap.supported,
+      driver.describe(
+        'capabilities.schema.json §queueBus',
+        'capabilities.queueBus.supported MUST be a boolean when present',
+      ),
+    ).toBe('boolean');
+  });
+});
+
+describe('queue-cross-tenant-isolation: behavioral (RFC 0017 §C)', () => {
+  it('publish under tenant A → consume under tenant B returns not-found', async () => {
+    const cap = await readCap();
+    if (!cap || cap.supported !== true) return;
+    const topic = `xtenant.${Date.now()}.${Math.random().toString(36).slice(2, 6)}`;
+
+    const pubRes = await call('tenant-a', 'publish', { topic, payload: { hello: 'A' } });
+    if (pubRes.status === 404) return;
+    expect(pubRes.status, 'publish MUST succeed').toBe(200);
+
+    const consRes = await call('tenant-b', 'consume', { topic, timeoutMs: 100 });
+    expect(consRes.status).toBe(200);
+    const body = consRes.json as { found?: boolean };
+    expect(
+      body.found,
+      driver.describe(
+        'SECURITY/invariants.yaml queue-cross-tenant-isolation',
+        'tenant B MUST NOT consume tenant A messages on the same topic',
+      ),
+    ).toBe(false);
+  });
+});

package/src/scenarios/queue-publish-consume-roundtrip.test.ts

@@ -0,0 +1,48 @@
+/**
+ * queue-publish-consume-roundtrip — RFC 0017 advertisement-shape verification + behavioral placeholders.
+ *
+ * Status: ACTIVE (advertisement-shape). RFC 0017 promoted to `Active`
+ * 2026-05-17. The matching `capabilities.queueBus` block has landed in
+ * `schemas/capabilities.schema.json`. This scenario asserts the advertisement
+ * shape against any host that boots the conformance suite, and keeps the
+ * deeper behavioral assertions as `it.todo()` until a reference host wires
+ * a test seam.
+ *
+ * Summary: publish + consume + ack roundtrip.
+ *
+ * @see RFCS/0017-*.md
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+
+interface DiscoveryDoc {
+  capabilities?: Record<string, unknown>;
+}
+
+async function readCap(): Promise<Record<string, unknown> | null> {
+  const res = await driver.get('/.well-known/openwop');
+  const body = res.json as DiscoveryDoc | undefined;
+  const top = body?.capabilities as Record<string, unknown> | undefined;
+  const final = (top && typeof top === 'object') ? (top as Record<string, unknown>)["queueBus"] : undefined;
+  return (final && typeof final === 'object' ? (final as Record<string, unknown>) : null);
+}
+
+describe('queue-publish-consume-roundtrip: advertisement shape (RFC 0017)', () => {
+  it('capabilities.queueBus is either absent or a well-formed object', async () => {
+    const cap = await readCap();
+    if (cap === null) return; // host doesn't advertise — skip
+    expect(
+      typeof cap.supported,
+      driver.describe(
+        'capabilities.schema.json §queueBus',
+        'capabilities.queueBus.supported MUST be a boolean when present',
+      ),
+    ).toBe('boolean');
+  });
+});
+
+describe('queue-publish-consume-roundtrip: behavioral assertions (placeholders — need host test seam)', () => {
+  it.todo("publish → consume returns the message with the right payload + headers");
+  it.todo("ack removes the message; subsequent consume returns not-found within timeout");
+});

package/src/scenarios/search-bm25-roundtrip.test.ts

@@ -0,0 +1,47 @@
+/**
+ * search-bm25-roundtrip — RFC 0018 advertisement-shape verification + behavioral placeholders.
+ *
+ * Status: ACTIVE (advertisement-shape). RFC 0018 promoted to `Active`
+ * 2026-05-17. The matching `capabilities.searchIndex` block has landed in
+ * `schemas/capabilities.schema.json`. This scenario asserts the advertisement
+ * shape against any host that boots the conformance suite, and keeps the
+ * deeper behavioral assertions as `it.todo()` until a reference host wires
+ * a test seam.
+ *
+ * Summary: index then query returns relevant documents.
+ *
+ * @see RFCS/0018-*.md
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+
+interface DiscoveryDoc {
+  capabilities?: Record<string, unknown>;
+}
+
+async function readCap(): Promise<Record<string, unknown> | null> {
+  const res = await driver.get('/.well-known/openwop');
+  const body = res.json as DiscoveryDoc | undefined;
+  const top = body?.capabilities as Record<string, unknown> | undefined;
+  const final = (top && typeof top === 'object') ? (top as Record<string, unknown>)["searchIndex"] : undefined;
+  return (final && typeof final === 'object' ? (final as Record<string, unknown>) : null);
+}
+
+describe('search-bm25-roundtrip: advertisement shape (RFC 0018)', () => {
+  it('capabilities.searchIndex is either absent or a well-formed object', async () => {
+    const cap = await readCap();
+    if (cap === null) return; // host doesn't advertise — skip
+    expect(
+      typeof cap.supported,
+      driver.describe(
+        'capabilities.schema.json §searchIndex',
+        'capabilities.searchIndex.supported MUST be a boolean when present',
+      ),
+    ).toBe('boolean');
+  });
+});
+
+describe('search-bm25-roundtrip: behavioral assertions (placeholders — need host test seam)', () => {
+  it.todo("index 3 docs → query returns relevance-ranked hits");
+});

package/src/scenarios/spec-corpus-validity.test.ts

@@ -69,7 +69,23 @@ import {
 // ── Helpers ─────────────────────────────────────────────────────────────
 
 function listJsonFiles(dir: string): string[] {
-  return readdirSync(dir).filter((f) => f.endsWith('.json'));
+  // Recurse into subdirectories so e.g. `schemas/envelopes/*.schema.json`
+  // appears as `envelopes/<file>` to match the README's path-prefixed
+  // table entries. Preserves the non-recursive-relative-output contract
+  // for files directly under `dir`.
+  const out: string[] = [];
+  const walk = (subPath: string): void => {
+    const fullPath = subPath === '' ? dir : `${dir}/${subPath}`;
+    for (const entry of readdirSync(fullPath, { withFileTypes: true })) {
+      if (entry.isDirectory()) {
+        walk(subPath === '' ? entry.name : `${subPath}/${entry.name}`);
+      } else if (entry.isFile() && entry.name.endsWith('.json')) {
+        out.push(subPath === '' ? entry.name : `${subPath}/${entry.name}`);
+      }
+    }
+  };
+  walk('');
+  return out;
 }
 
 function listScenarioTestFiles(dir: string): string[] {

package/src/scenarios/sql-injection-rejection.test.ts

@@ -0,0 +1,84 @@
+/**
+ * sql-injection-rejection — RFC 0018 §C + SECURITY/invariants.yaml
+ * `sql-parametric-only`.
+ *
+ * Status: ACTIVE (advertisement + behavioral). The host's SQL surface
+ * MUST treat parameter values as literal data, not SQL fragments. We
+ * verify by binding an injection-shape string as a parameter and
+ * confirming it returns no rows (parametric binding turns it into a
+ * literal value comparison rather than an OR-true).
+ *
+ * @see RFCS/0018-host-sql-vector-search-capability.md
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+
+interface DiscoveryDoc {
+  capabilities?: Record<string, unknown>;
+}
+
+async function readCap(): Promise<Record<string, unknown> | null> {
+  const res = await driver.get('/.well-known/openwop');
+  const body = res.json as DiscoveryDoc | undefined;
+  const top = body?.capabilities as Record<string, unknown> | undefined;
+  const final = (top && typeof top === 'object') ? (top as Record<string, unknown>)["sql"] : undefined;
+  return (final && typeof final === 'object' ? (final as Record<string, unknown>) : null);
+}
+
+async function call(op: string, args: Record<string, unknown>) {
+  return driver.post('/v1/host/sample/test/surface', { tenantId: 'tenant-a', surface: 'sql', op, args });
+}
+
+describe('sql-injection-rejection: advertisement shape (RFC 0018)', () => {
+  it('capabilities.sql is either absent or a well-formed object', async () => {
+    const cap = await readCap();
+    if (cap === null) return;
+    expect(
+      typeof cap.supported,
+      driver.describe(
+        'capabilities.schema.json §sql',
+        'capabilities.sql.supported MUST be a boolean when present',
+      ),
+    ).toBe('boolean');
+  });
+});
+
+describe('sql-injection-rejection: behavioral (RFC 0018 §C)', () => {
+  it('parametric SELECT with bound user input rejects injection-shape strings as data', async () => {
+    const cap = await readCap();
+    if (!cap || cap.supported !== true) return;
+
+    const create = await call('execute', {
+      sql: `CREATE TABLE IF NOT EXISTS sql_inj_t (id TEXT PRIMARY KEY, body TEXT)`,
+      params: [],
+    });
+    if (create.status === 404) return;
+    await call('execute', { sql: `INSERT OR REPLACE INTO sql_inj_t VALUES (?, ?)`, params: ['k1', 'ok'] });
+
+    // Parametric round-trip MUST succeed.
+    const okRes = await call('query', {
+      sql: `SELECT body FROM sql_inj_t WHERE id = ?`,
+      params: ['k1'],
+    });
+    expect(okRes.status).toBe(200);
+    const okBody = okRes.json as { rows?: Array<Record<string, unknown>> };
+    expect(okBody.rows?.[0]?.body, 'parametric round-trip MUST return stored value').toBe('ok');
+
+    // Injection-shape input MUST be bound as a literal value, not SQL.
+    const attack = `' OR '1'='1`;
+    const attackRes = await call('query', {
+      sql: `SELECT body FROM sql_inj_t WHERE id = ?`,
+      params: [attack],
+    });
+    expect(attackRes.status).toBe(200);
+    const attackBody = attackRes.json as { rows?: Array<Record<string, unknown>> };
+    expect(
+      Array.isArray(attackBody.rows) ? attackBody.rows.length : -1,
+      driver.describe(
+        'SECURITY/invariants.yaml sql-parametric-only',
+        'parametric binding MUST treat injection-shape input as a literal value, not SQL',
+      ),
+    ).toBe(0);
+  });
+});

package/src/scenarios/sql-transaction-atomicity.test.ts

@@ -0,0 +1,66 @@
+/**
+ * sql-transaction-atomicity — RFC 0018 advertisement-shape verification + behavioral placeholders.
+ *
+ * Status: ACTIVE (advertisement-shape). RFC 0018 promoted to `Active`
+ * 2026-05-17. The matching `capabilities.sql` block has landed in
+ * `schemas/capabilities.schema.json`. This scenario asserts the advertisement
+ * shape against any host that boots the conformance suite, and keeps the
+ * deeper behavioral assertions as `it.todo()` until a reference host wires
+ * a test seam.
+ *
+ * Summary: transactions MUST be atomic; partial failure rolls back.
+ *
+ * @see RFCS/0018-*.md
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+
+interface DiscoveryDoc {
+  capabilities?: Record<string, unknown>;
+}
+
+async function readCap(): Promise<Record<string, unknown> | null> {
+  const res = await driver.get('/.well-known/openwop');
+  const body = res.json as DiscoveryDoc | undefined;
+  const top = body?.capabilities as Record<string, unknown> | undefined;
+  const final = (top && typeof top === 'object') ? (top as Record<string, unknown>)["sql"] : undefined;
+  return (final && typeof final === 'object' ? (final as Record<string, unknown>) : null);
+}
+
+describe('sql-transaction-atomicity: advertisement shape (RFC 0018)', () => {
+  it('capabilities.sql is either absent or a well-formed object', async () => {
+    const cap = await readCap();
+    if (cap === null) return; // host doesn't advertise — skip
+    expect(
+      typeof cap.supported,
+      driver.describe(
+        'capabilities.schema.json §sql',
+        'capabilities.sql.supported MUST be a boolean when present',
+      ),
+    ).toBe('boolean');
+  });
+
+  it('transactions is a boolean when set', async () => {
+    const cap = await readCap();
+    if (!cap || cap.supported !== true) return;
+    const subParts = ["transactions"];
+    let sub: unknown = cap;
+    for (const p of subParts) {
+      if (sub && typeof sub === 'object') sub = (sub as Record<string, unknown>)[p];
+      else { sub = undefined; break; }
+    }
+    if (sub === undefined) return; // optional sub-field
+    expect(
+      typeof sub,
+      driver.describe(
+        'RFC 0018 §A',
+        'sql.transactions MUST be boolean when present',
+      ),
+    ).toBe('boolean');
+  });
+});
+
+describe('sql-transaction-atomicity: behavioral assertions (placeholders — need host test seam)', () => {
+  it.todo("transaction with N statements where N-th fails → no rows from earlier statements visible");
+});

package/src/scenarios/stream-subscribe-from-beginning.test.ts

@@ -0,0 +1,66 @@
+/**
+ * stream-subscribe-from-beginning — RFC 0017 advertisement-shape verification + behavioral placeholders.
+ *
+ * Status: ACTIVE (advertisement-shape). RFC 0017 promoted to `Active`
+ * 2026-05-17. The matching `capabilities.queueBus` block has landed in
+ * `schemas/capabilities.schema.json`. This scenario asserts the advertisement
+ * shape against any host that boots the conformance suite, and keeps the
+ * deeper behavioral assertions as `it.todo()` until a reference host wires
+ * a test seam.
+ *
+ * Summary: Stream subscribers with fromBeginning=true receive records published before subscription.
+ *
+ * @see RFCS/0017-*.md
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+
+interface DiscoveryDoc {
+  capabilities?: Record<string, unknown>;
+}
+
+async function readCap(): Promise<Record<string, unknown> | null> {
+  const res = await driver.get('/.well-known/openwop');
+  const body = res.json as DiscoveryDoc | undefined;
+  const top = body?.capabilities as Record<string, unknown> | undefined;
+  const final = (top && typeof top === 'object') ? (top as Record<string, unknown>)["queueBus"] : undefined;
+  return (final && typeof final === 'object' ? (final as Record<string, unknown>) : null);
+}
+
+describe('stream-subscribe-from-beginning: advertisement shape (RFC 0017)', () => {
+  it('capabilities.queueBus is either absent or a well-formed object', async () => {
+    const cap = await readCap();
+    if (cap === null) return; // host doesn't advertise — skip
+    expect(
+      typeof cap.supported,
+      driver.describe(
+        'capabilities.schema.json §queueBus',
+        'capabilities.queueBus.supported MUST be a boolean when present',
+      ),
+    ).toBe('boolean');
+  });
+
+  it('stream.supported is a boolean when set', async () => {
+    const cap = await readCap();
+    if (!cap || cap.supported !== true) return;
+    const subParts = ["stream","supported"];
+    let sub: unknown = cap;
+    for (const p of subParts) {
+      if (sub && typeof sub === 'object') sub = (sub as Record<string, unknown>)[p];
+      else { sub = undefined; break; }
+    }
+    if (sub === undefined) return; // optional sub-field
+    expect(
+      typeof sub,
+      driver.describe(
+        'RFC 0017 §A',
+        'queueBus.stream.supported MUST be boolean when present',
+      ),
+    ).toBe('boolean');
+  });
+});
+
+describe('stream-subscribe-from-beginning: behavioral assertions (placeholders — need host test seam)', () => {
+  it.todo("publish 5 records then subscribe(fromBeginning=true) → consumer receives all 5");
+});