@openwop/openwop-conformance 1.10.0 → 1.11.0

package/src/scenarios/egress-provenance-shape.test.ts

@@ -0,0 +1,137 @@
+/**
+ * Credential provenance + egress policy — descriptor + event + capability shapes (RFC 0079).
+ *
+ * Always-on, server-free schema-shape probe. Verifies that:
+ *   - `credential-provenance.schema.json` compiles and round-trips a conforming
+ *     `CredentialProvenance`, and rejects the malformed (`audiences: []` —
+ *     `minItems:1`, a credential with no audience can't be bound to anything;
+ *     a missing REQUIRED `credentialId`; an unknown property under
+ *     `additionalProperties:false`).
+ *   - the descriptor + the `egress.decided` payload are CONTENT-FREE OF THE
+ *     SECRET: neither schema declares a secret-value property (the public test
+ *     for the protocol-tier SECURITY invariant `egress-decision-no-secret-leak`).
+ *   - the `egress.decided` payload $def validates a conforming content-free
+ *     record and rejects an out-of-enum `decision` (`ok` is a `reason`, not a
+ *     `decision` — the canonical allow value is `allowed`), and requires
+ *     `decision` + `destination`.
+ *   - `egress.decided` appears in the RunEventType enum.
+ *   - `capabilities.httpClient.egressPolicy` is declared with `supported` /
+ *     `decisions`.
+ *
+ * Behavioral assertions (the §C audience-binding MUST — a credential bound to
+ * audience A on an egress to B → denied/downgraded, never allowed-with-credential;
+ * fail-closed on unevaluable provenance) are gated on
+ * `capabilities.httpClient.egressPolicy.supported` and land in
+ * `egress-audience-binding.test.ts` + `egress-decision-content-free.test.ts`
+ * (deferred per RFC 0079 §Conformance — reference host deferred). That binding is
+ * tracked as the reference-impl-tier `egress-credential-audience-bound` invariant
+ * until a host wires it (RFC 0035 precedent). This scenario asserts the wire
+ * contract, not host behavior.
+ *
+ * Spec references:
+ *   - https://github.com/openwop/openwop/blob/main/spec/v1/host-capabilities.md (§"Credential provenance + egress policy")
+ *   - https://github.com/openwop/openwop/blob/main/RFCS/0079-credential-provenance-and-egress-policy.md
+ *   - https://github.com/openwop/openwop/blob/main/SECURITY/invariants.yaml (egress-decision-no-secret-leak)
+ */
+
+import { describe, it, expect } from 'vitest';
+import { readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import Ajv2020 from 'ajv/dist/2020.js';
+import addFormats from 'ajv-formats';
+import { SCHEMAS_DIR } from '../lib/paths.js';
+
+const why = (specRef: string, requirement: string): string => `${specRef} — ${requirement}`;
+
+function loadSchema(name: string): Record<string, unknown> {
+  return JSON.parse(readFileSync(join(SCHEMAS_DIR, name), 'utf8')) as Record<string, unknown>;
+}
+
+/** Property names that would betray a secret value leaking onto the wire. */
+const SECRET_PROP_NAMES = ['secret', 'value', 'token', 'apiKey', 'authorization', 'password', 'credential'];
+
+describe('egress-provenance-shape: CredentialProvenance (RFC 0079 §A, server-free)', () => {
+  const ajv = addFormats(new Ajv2020({ strict: false }));
+  const provenance = loadSchema('credential-provenance.schema.json');
+  const validate = ajv.compile(provenance);
+
+  it('a conforming descriptor validates', () => {
+    expect(
+      validate({ credentialId: 'cred-stripe-1', issuer: 'host', audiences: ['api.stripe.com'], expiresAt: '2026-12-01T00:00:00Z', scopes: ['egress:stripe:charge'], redactionPolicy: 'always' }),
+      why('host-capabilities.md §"Credential provenance + egress policy"', 'a conforming CredentialProvenance MUST validate'),
+    ).toBe(true);
+  });
+
+  it('audiences: [] is rejected (minItems:1 — a credential needs ≥1 audience to bind)', () => {
+    expect(validate({ credentialId: 'c', issuer: 'host', audiences: [] }), why('RFC 0079 §A', 'audiences MUST have ≥1 entry')).toBe(false);
+  });
+
+  it('a missing REQUIRED credentialId is rejected', () => {
+    expect(validate({ issuer: 'host', audiences: ['a'] }), why('RFC 0079 §A', 'credentialId is REQUIRED')).toBe(false);
+  });
+
+  it('an unknown property is rejected (additionalProperties:false)', () => {
+    expect(validate({ credentialId: 'c', issuer: 'host', audiences: ['a'], secretValue: 'sk-live-xxx' }), why('RFC 0079 §A', 'CredentialProvenance MUST be additionalProperties:false')).toBe(false);
+  });
+
+  it('declares no secret-value property (egress-decision-no-secret-leak)', () => {
+    const props = Object.keys((provenance.properties ?? {}) as Record<string, unknown>);
+    for (const p of props) {
+      expect(
+        SECRET_PROP_NAMES.includes(p.toLowerCase()),
+        why('SECURITY invariant egress-decision-no-secret-leak', `CredentialProvenance MUST NOT declare a secret-bearing property (${p})`),
+      ).toBe(false);
+    }
+  });
+});
+
+describe('egress-provenance-shape: egress.decided event (RFC 0079 §B, server-free)', () => {
+  const payloads = loadSchema('run-event-payloads.schema.json');
+  const ajv = addFormats(new Ajv2020({ strict: false }));
+  const validate = ajv.compile({
+    $schema: 'https://json-schema.org/draft/2020-12/schema',
+    $defs: (payloads as { $defs: Record<string, unknown> }).$defs,
+    $ref: '#/$defs/egressDecided',
+  } as Record<string, unknown>);
+
+  it('validates a content-free decision and enforces the decision enum + required fields', () => {
+    expect(validate({ decision: 'allowed', destination: 'api.stripe.com', credentialId: 'cred-stripe-1', reason: 'ok' }), why('RFC 0079 §B', 'a conforming egress.decided MUST validate')).toBe(true);
+    expect(validate({ decision: 'denied', destination: 'attacker.example', credentialId: 'cred-stripe-1', reason: 'out-of-audience' }), why('RFC 0079 §B', 'a denied decision MUST validate')).toBe(true);
+    expect(validate({ decision: 'ok', destination: 'a' }), why('RFC 0079 §B', 'the canonical allow value is "allowed", not "ok"')).toBe(false);
+    expect(validate({ destination: 'a' }), why('RFC 0079 §B', 'decision is REQUIRED')).toBe(false);
+    expect(validate({ decision: 'allowed' }), why('RFC 0079 §B', 'destination is REQUIRED')).toBe(false);
+  });
+
+  it('reason is a CLOSED enum — a free-form / URL-bearing reason is rejected (egress-decision-no-secret-leak)', () => {
+    expect(validate({ decision: 'denied', destination: 'attacker.example', reason: 'out-of-audience' }), why('egress-decision-no-secret-leak', 'a conventional reason code MUST validate')).toBe(true);
+    expect(
+      validate({ decision: 'denied', destination: 'attacker.example', reason: 'https://attacker.example/leak?token=sk-live-xxx' }),
+      why('egress-decision-no-secret-leak', 'a free-form / URL-bearing reason MUST be rejected (it would defeat the content-free guarantee)'),
+    ).toBe(false);
+  });
+
+  it('the egressDecided $def declares no secret-value property', () => {
+    const def = ((payloads.$defs as Record<string, { properties?: Record<string, unknown> }>).egressDecided.properties) ?? {};
+    for (const p of Object.keys(def)) {
+      expect(SECRET_PROP_NAMES.includes(p.toLowerCase()), why('egress-decision-no-secret-leak', `egress.decided MUST NOT declare a secret-bearing property (${p})`)).toBe(false);
+    }
+  });
+
+  it('egress.decided is in the RunEventType enum', () => {
+    const runEvent = loadSchema('run-event.schema.json');
+    const enumVals = ((runEvent.$defs as Record<string, { enum?: string[] }>).RunEventType?.enum) ?? [];
+    expect(enumVals.includes('egress.decided'), why('run-event.schema.json', 'egress.decided MUST be in the RunEventType enum')).toBe(true);
+  });
+});
+
+describe('egress-provenance-shape: capability advertisement (RFC 0079 §D, server-free)', () => {
+  it('capabilities.httpClient.egressPolicy is declared with its sub-flags', () => {
+    const caps = loadSchema('capabilities.schema.json');
+    const httpClient = (caps.properties as Record<string, { properties?: Record<string, { properties?: Record<string, unknown> }> }>).httpClient;
+    const egressPolicy = httpClient?.properties?.egressPolicy;
+    expect(egressPolicy, why('capabilities.md §httpClient', 'httpClient.egressPolicy MUST be declared')).toBeDefined();
+    for (const flag of ['supported', 'decisions']) {
+      expect(egressPolicy?.properties?.[flag], why('host-capabilities.md §"Credential provenance + egress policy"', `egressPolicy.${flag} MUST be declared`)).toBeDefined();
+    }
+  });
+});

package/src/scenarios/memory-capability-model-shape.test.ts

@@ -0,0 +1,186 @@
+/**
+ * Memory capability model — reconciled dimensions + degraded-projection shapes (RFC 0080).
+ *
+ * Always-on, server-free schema-shape probe. Verifies that:
+ *   - `capabilities.memory` declares the additive `writable` / `search` / `retention`
+ *     dimensions (RFC 0080 §A), without disturbing the existing
+ *     `supported` / `compaction` / `distillation` / `attribution` fields.
+ *   - the `memory.search` / `memory.retention` sub-blocks validate conforming
+ *     instances and reject malformed ones (`retention.ttl` non-boolean; an
+ *     unknown `search.modes` enum value; an unknown property under
+ *     `additionalProperties:false`).
+ *   - `agent-inventory-response` declares the `memoryDegraded` (bool) +
+ *     `degradedMemoryDimensions` (closed enum of the eight §A dimension names)
+ *     inventory fields (RFC 0080 §C), and rejects an out-of-enum dimension.
+ *   - the eight §A dimension names are stable (the `degradedMemoryDimensions` enum).
+ *   - `deriveProfiles` surfaces `openwop-memory` for a read/write + long-term
+ *     payload and withholds it for a `writable:false` payload (the §D predicate).
+ *
+ * Behavioral assertions (a live `GET /v1/agents` stamping `memoryDegraded` when an
+ * agent's `memoryShape` exceeds the host's reconciled model) are gated on
+ * `capabilities.agents.manifestRuntime` + `memory` and land in
+ * `memory-degraded-projection.test.ts` (deferred per RFC 0080 §Conformance — the
+ * degraded projection soft-skips until a reference host computes it). This scenario
+ * asserts the wire contract, not host behavior.
+ *
+ * Spec references:
+ *   - https://github.com/openwop/openwop/blob/main/spec/v1/agent-memory.md (§"Memory capability model")
+ *   - https://github.com/openwop/openwop/blob/main/spec/v1/profiles.md (§`openwop-memory`)
+ *   - https://github.com/openwop/openwop/blob/main/RFCS/0080-agent-memory-capability-reconciliation.md
+ */
+
+import { describe, it, expect } from 'vitest';
+import { readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import Ajv2020 from 'ajv/dist/2020.js';
+import addFormats from 'ajv-formats';
+import { SCHEMAS_DIR } from '../lib/paths.js';
+import { deriveProfiles } from '../lib/profiles.js';
+
+const why = (specRef: string, requirement: string): string => `${specRef} — ${requirement}`;
+
+function loadSchema(name: string): Record<string, unknown> {
+  return JSON.parse(readFileSync(join(SCHEMAS_DIR, name), 'utf8')) as Record<string, unknown>;
+}
+
+/** The canonical eight RFC 0080 §A dimension names, in table order. */
+const DIMENSIONS = [
+  'read',
+  'write',
+  'search',
+  'long-term-durability',
+  'compaction',
+  'attribution',
+  'replay-snapshot',
+  'retention',
+] as const;
+
+describe('memory-capability-model-shape: reconciled dimensions (RFC 0080 §A, server-free)', () => {
+  const caps = loadSchema('capabilities.schema.json');
+  const memory = (caps.properties as Record<string, { properties?: Record<string, unknown> }>).memory;
+
+  it('capabilities.memory declares the additive writable / search / retention dimensions', () => {
+    for (const dim of ['writable', 'search', 'retention']) {
+      expect(
+        memory?.properties?.[dim],
+        why('agent-memory.md §"Memory capability model"', `capabilities.memory.${dim} MUST be declared (RFC 0080 §A)`),
+      ).toBeDefined();
+    }
+  });
+
+  it('the pre-existing memory fields are untouched (additive, no relocation)', () => {
+    for (const dim of ['supported', 'compaction', 'distillation', 'attribution']) {
+      expect(
+        memory?.properties?.[dim],
+        why('COMPATIBILITY.md §2.1', `capabilities.memory.${dim} MUST remain (RFC 0080 is additive)`),
+      ).toBeDefined();
+    }
+  });
+
+  it('memory.search / memory.retention validate conforming instances and reject malformed ones', () => {
+    const ajv = addFormats(new Ajv2020({ strict: false }));
+    // Wrap the extracted sub-block in a standalone schema (no external $refs in the block).
+    const validate = ajv.compile({
+      $schema: 'https://json-schema.org/draft/2020-12/schema',
+      type: 'object',
+      additionalProperties: false,
+      properties: { memory },
+    } as Record<string, unknown>);
+
+    expect(
+      validate({ memory: { supported: true, writable: false, search: { supported: true, modes: ['semantic', 'filter'] }, retention: { ttl: true, forget: true } } }),
+      why('capabilities.md §memory', 'a full reconciled-memory advertisement MUST validate'),
+    ).toBe(true);
+
+    expect(
+      validate({ memory: { retention: { ttl: 'yes' } } }),
+      why('RFC 0080 §A', 'retention.ttl MUST be boolean'),
+    ).toBe(false);
+
+    expect(
+      validate({ memory: { search: { supported: true, modes: ['fuzzy'] } } }),
+      why('RFC 0080 §A', 'search.modes MUST be the closed enum [semantic, filter]'),
+    ).toBe(false);
+
+    expect(
+      validate({ memory: { search: { supported: true, unknownField: 1 } } }),
+      why('RFC 0080 §A', 'memory.search MUST be additionalProperties:false'),
+    ).toBe(false);
+  });
+});
+
+describe('memory-capability-model-shape: degraded projection (RFC 0080 §C, server-free)', () => {
+  const inventory = loadSchema('agent-inventory-response.schema.json');
+
+  it('agent-inventory-response declares memoryDegraded + degradedMemoryDimensions', () => {
+    const entry = ((inventory.$defs as Record<string, { properties?: Record<string, unknown> }>)
+      .AgentInventoryEntry).properties;
+    expect(
+      entry?.memoryDegraded,
+      why('agent-memory.md §C-1', 'memoryDegraded MUST be declared on the inventory entry'),
+    ).toBeDefined();
+    expect(
+      entry?.degradedMemoryDimensions,
+      why('agent-memory.md §C-1', 'degradedMemoryDimensions MUST be declared on the inventory entry'),
+    ).toBeDefined();
+  });
+
+  it('degradedMemoryDimensions enumerates exactly the eight §A dimension names', () => {
+    const entry = ((inventory.$defs as Record<string, { properties?: Record<string, { items?: { enum?: string[] } }> }>)
+      .AgentInventoryEntry).properties;
+    const enumVals = entry?.degradedMemoryDimensions?.items?.enum ?? [];
+    expect(
+      [...enumVals].sort(),
+      why('agent-memory.md §A', 'the degraded-dimension enum MUST be the eight reconciled dimensions'),
+    ).toEqual([...DIMENSIONS].sort());
+  });
+
+  it('the inventory schema round-trips a degraded entry and rejects an out-of-enum dimension', () => {
+    const ajv = addFormats(new Ajv2020({ strict: false }));
+    const validate = ajv.compile(inventory);
+    const base = {
+      agentId: 'a', persona: 'A', label: 'A', modelClass: 'standard',
+      packName: 'p', packVersion: '1.0.0', toolAllowlist: [], hasHandoffSchemas: false,
+    };
+    expect(
+      validate({ total: 1, agents: [{ ...base, memoryDegraded: true, degradedMemoryDimensions: ['write', 'long-term-durability'] }] }),
+      why('agent-memory.md §C-1', 'a degraded inventory entry MUST validate'),
+    ).toBe(true);
+    expect(
+      validate({ total: 1, agents: [{ ...base, memoryDegraded: true, degradedMemoryDimensions: ['telepathy'] }] }),
+      why('agent-memory.md §C-1', 'an out-of-enum degraded dimension MUST be rejected'),
+    ).toBe(false);
+  });
+});
+
+describe('memory-capability-model-shape: openwop-memory derivation (RFC 0080 §D, server-free)', () => {
+  it('deriveProfiles surfaces openwop-memory for a read/write + long-term host', () => {
+    const c = {
+      protocolVersion: '1.0',
+      supportedEnvelopes: ['clarification.request'],
+      schemaVersions: {},
+      limits: { clarificationRounds: 1, schemaRounds: 1, envelopesPerTurn: 1 },
+      memory: { supported: true },
+      agents: { memoryBackends: ['long-term'] },
+    } as Record<string, unknown>;
+    expect(
+      deriveProfiles(c).includes('openwop-memory'),
+      why('profiles.md §openwop-memory', 'a read/write + long-term host MUST derive openwop-memory'),
+    ).toBe(true);
+  });
+
+  it('deriveProfiles withholds openwop-memory from a read-only (writable:false) host', () => {
+    const c = {
+      protocolVersion: '1.0',
+      supportedEnvelopes: ['clarification.request'],
+      schemaVersions: {},
+      limits: { clarificationRounds: 1, schemaRounds: 1, envelopesPerTurn: 1 },
+      memory: { supported: true, writable: false },
+      agents: { memoryBackends: ['long-term'] },
+    } as Record<string, unknown>;
+    expect(
+      deriveProfiles(c).includes('openwop-memory'),
+      why('profiles.md §openwop-memory', 'a read-only host MUST NOT derive openwop-memory'),
+    ).toBe(false);
+  });
+});

package/src/scenarios/oauth-authorization-code-roundtrip.test.ts

@@ -0,0 +1,145 @@
+/**
+ * oauth-authorization-code-roundtrip — RFC 0047 §C (the authorization-code grant
+ * end-to-end) + §C.2 / `credential-payload-redaction`.
+ *
+ * Closes the RFC 0047 Tier-2 gap: `oauth-capability-shape` proves the discovery
+ * block is well-formed and `oauth-connector-redaction` proves an already-acquired
+ * token doesn't leak — but nothing exercised the actual authorization-code DANCE
+ * (redirect → callback → token exchange) against a known provider. This scenario
+ * drives that roundtrip against ONE canonical synthetic provider whose endpoints a
+ * conformance test double serves, so a host can prove the grant without a live IdP.
+ *
+ * The synthetic provider + its canned exchange are defined in
+ * `fixtures/oauth-providers/synthetic.json`; the constants below mirror it (kept
+ * inline so the scenario runs from the published tarball without fixture-path
+ * resolution, exactly like `oauth-connector-redaction`'s TOKEN_CANARY).
+ *
+ * Capability-gated: skips unless the host advertises
+ * `capabilities.oauth.supported = true` AND lists `authorization_code` in
+ * `capabilities.oauth.grants`. Behavioral probe drives the optional host seam
+ * `POST /v1/host/sample/oauth/authorize-code-roundtrip`; a 404 (seam not wired)
+ * is a soft-skip — this is a Tier-2 host-pending scenario.
+ *
+ * Asserts, when the seam is present:
+ *   1. The roundtrip succeeds and returns a credential REFERENCE (the token was
+ *      acquired + persisted as a host.credentials entry), never the token itself.
+ *   2. `connector.authorized` carries `{ provider, credentialRef, scopes }` and
+ *      none of the token / refresh / code / state / redirectUri / codeVerifier.
+ *   3. RFC 0047 §C — the authorization code, redirect URI, state, and PKCE
+ *      verifier MUST NOT appear on ANY run-visible surface; §C.2 — neither MUST
+ *      the access/refresh token (the canaries are absent from the whole response).
+ *
+ * @see RFCS/0047-host-oauth-connector-flows.md §C
+ * @see conformance/fixtures/oauth-providers/synthetic.json
+ * @see SECURITY/invariants.yaml id: credential-payload-redaction
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+import { capabilityFamily } from '../lib/discovery-capabilities.js';
+
+interface DiscoveryOAuth {
+  supported?: boolean;
+  grants?: string[];
+}
+
+// Mirrors fixtures/oauth-providers/synthetic.json — keep in sync.
+const SYNTHETIC = {
+  provider: 'synthetic',
+  authUrl: 'https://oauth.synthetic.openwop.test/authorize',
+  tokenUrl: 'https://oauth.synthetic.openwop.test/token',
+  scopes: ['openwop.read', 'openwop.write'],
+  authorizationCode: 'openwop-synthetic-auth-code-1f4b9e',
+  state: 'openwop-synthetic-state-7c2a8d',
+  redirectUri: 'https://host.example/openwop/oauth/callback',
+  codeVerifier: 'openwop-synthetic-pkce-verifier-3e9f1b2c5a7d4e8f0a1b2c3d4e5f6a7b',
+  accessTokenCanary: 'OPENWOP_OAUTH_TOKEN_CANARY_9d4c1f7a',
+  refreshTokenCanary: 'OPENWOP_OAUTH_REFRESH_CANARY_2b8e6a3f',
+} as const;
+
+// Values that MUST NOT appear on any run-visible surface (RFC 0047 §C + §C.2).
+const SECRET_VALUES: readonly string[] = [
+  SYNTHETIC.accessTokenCanary,
+  SYNTHETIC.refreshTokenCanary,
+  SYNTHETIC.authorizationCode,
+  SYNTHETIC.state,
+  SYNTHETIC.codeVerifier,
+];
+
+async function readOAuth(): Promise<DiscoveryOAuth | null> {
+  const res = await driver.get('/.well-known/openwop');
+  return capabilityFamily<DiscoveryOAuth>(res.json, 'oauth') ?? null;
+}
+
+describe('oauth-authorization-code-roundtrip: the grant dance (RFC 0047 §C)', () => {
+  it('acquires a token via authorization_code and returns a reference, never the token', async () => {
+    const oauth = await readOAuth();
+    if (!oauth?.supported) return; // capability-gated
+    if (!Array.isArray(oauth.grants) || !oauth.grants.includes('authorization_code')) return; // grant-gated
+
+    // Seam contract: the host performs the full authorization-code roundtrip
+    // against the synthetic provider's authUrl/tokenUrl, persists the acquired
+    // token as a host.credentials entry, and returns the run-observable surfaces
+    // (events incl. connector.authorized + snapshot + any debug bundle) plus the
+    // resulting credentialRef.
+    const res = await driver.post('/v1/host/sample/oauth/authorize-code-roundtrip', {
+      provider: SYNTHETIC.provider,
+      authUrl: SYNTHETIC.authUrl,
+      tokenUrl: SYNTHETIC.tokenUrl,
+      scopes: SYNTHETIC.scopes,
+      authorizationCode: SYNTHETIC.authorizationCode,
+      state: SYNTHETIC.state,
+      redirectUri: SYNTHETIC.redirectUri,
+      codeVerifier: SYNTHETIC.codeVerifier,
+      accessTokenCanary: SYNTHETIC.accessTokenCanary,
+      refreshTokenCanary: SYNTHETIC.refreshTokenCanary,
+    });
+    // A host that hasn't wired the seam soft-skips (Tier-2, host-pending).
+    if (res.status === 404) return;
+
+    expect(
+      res.status,
+      driver.describe(
+        'RFC 0047 §C',
+        'the authorize-code-roundtrip seam MUST perform the authorization_code grant against the synthetic provider and return the run observable surfaces',
+      ),
+    ).toBeLessThan(400);
+
+    const body = (res.json ?? {}) as { credentialRef?: unknown };
+    expect(
+      typeof body.credentialRef === 'string' && body.credentialRef.length > 0,
+      driver.describe(
+        'RFC 0047 §C',
+        'a successful roundtrip MUST resolve to a credential REFERENCE (token persisted as a host.credentials entry), not the raw token',
+      ),
+    ).toBe(true);
+
+    // §C + §C.2 — no secret material anywhere in the observable response.
+    const serialized = JSON.stringify(res.json ?? {});
+    for (const secret of SECRET_VALUES) {
+      expect(
+        serialized.includes(secret),
+        driver.describe(
+          'RFC 0047 §C / SECURITY/invariants.yaml credential-payload-redaction',
+          `the authorization code, state, PKCE verifier, and acquired token material MUST NOT appear on any run-visible surface — leaked: ${secret.slice(0, 16)}…`,
+        ),
+      ).toBe(false);
+    }
+
+    // §C — connector.authorized carries the reference + scopes, never the token.
+    const events = (res.json as { events?: Array<{ type?: string; payload?: Record<string, unknown> }> })?.events;
+    if (Array.isArray(events)) {
+      const authorized = events.find((e) => e?.type === 'connector.authorized');
+      if (authorized?.payload) {
+        const keys = Object.keys(authorized.payload);
+        expect(
+          keys.includes('credentialRef') && !keys.includes('access_token') && !keys.includes('refresh_token'),
+          driver.describe(
+            'RFC 0047 §C',
+            'connector.authorized MUST carry { provider, credentialRef, scopes } and MUST NOT carry token material',
+          ),
+        ).toBe(true);
+      }
+    }
+  });
+});

package/src/scenarios/runtime-requires-install-gate.test.ts

@@ -0,0 +1,92 @@
+/**
+ * Pack runtime-requirements install gate — `registry-operations.md`
+ * §"Runtime-requirement install gate" + `node-packs.md` §"Runtime platform
+ * requirements" (RFC 0076 §A).
+ *
+ * Seam-gated behavioral scenarios for the install-time gate. A sandbox host MUST
+ * evaluate a pack's `runtime.requires[]` against the primitives it will grant
+ * and refuse install (`pack_runtime_requirement_unmet`) for any it won't grant —
+ * rather than silently installing and failing at first invocation (the
+ * `node:dns/promises` trial-load failure that motivated RFC 0076). A non-gating
+ * host SHOULD instead project `runtime.requires[]` onto the pack's inventory
+ * entry for operator visibility.
+ *
+ *   1. install-grant — requires ⊆ grant-set ⇒ install succeeds.
+ *   2. install-refuse — a required primitive the host won't grant ⇒
+ *      `pack_runtime_requirement_unmet { unmet, manifest, advice? }`, reusing the
+ *      `capability_not_provided` envelope shape.
+ *   3. non-sandbox projection — a host that does NOT gate platform access
+ *      installs and projects the declared requires[] for visibility (the §A SHOULD).
+ *
+ * All three drive `POST /v1/host/sample/packs/install-gate` and soft-skip when
+ * the host doesn't wire the seam (404). Behavior grade is `host-pending` until a
+ * runtime-requires-gating host (MyndHyve is the first adopter) lights it up.
+ *
+ * @see spec/v1/registry-operations.md §"Runtime-requirement install gate"
+ * @see spec/v1/host-sample-test-seams.md §"Open seams"
+ * @see RFCS/0076-pack-runtime-requirements-and-host-safe-fetch.md §A
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+import { installGate } from '../lib/runtimeRequires.js';
+
+function manifest(requires: string[]) {
+  return {
+    name: 'vendor.example.http',
+    version: '1.0.0',
+    engines: { openwop: '>=1.1 <2.0.0' },
+    runtime: { language: 'javascript', entry: 'index.mjs', requires },
+    nodes: [{ typeId: 'vendor.example.http.fetch', version: '1.0.0', category: 'integration', role: 'side-effect' }],
+  };
+}
+
+describe('runtime-requires install gate (RFC 0076 §A)', () => {
+  it('install-grant: requires ⊆ grant-set ⇒ install succeeds', async () => {
+    const res = await installGate({ manifest: manifest(['net.dns']), grantSet: ['net.dns', 'net.outbound'] });
+    if (res === null) return; // seam absent — soft-skip
+    expect(
+      res.status,
+      driver.describe('registry-operations.md §"Runtime-requirement install gate"', 'a pack whose runtime.requires are all grantable MUST install (no refusal)'),
+    ).toBe(200);
+    expect(
+      res.body.outcome,
+      driver.describe('registry-operations.md §"Runtime-requirement install gate"', 'a granted install reports outcome:"installed"'),
+    ).toBe('installed');
+  });
+
+  it('install-refuse: an ungrantable primitive ⇒ pack_runtime_requirement_unmet', async () => {
+    const res = await installGate({ manifest: manifest(['net.dns']), grantSet: [] });
+    if (res === null) return; // seam absent — soft-skip
+    expect(
+      res.status,
+      driver.describe('registry-operations.md §"Runtime-requirement install gate"', 'a pack requiring an ungranted primitive MUST be refused at install (not at first invocation)'),
+    ).toBe(400);
+    expect(
+      res.body.error,
+      driver.describe('registry-operations.md §"Runtime-requirement install gate"', 'the refusal MUST carry error code pack_runtime_requirement_unmet'),
+    ).toBe('pack_runtime_requirement_unmet');
+    expect(
+      Array.isArray(res.body.unmet) && (res.body.unmet as unknown[]).includes('net.dns'),
+      driver.describe('registry-operations.md §"Runtime-requirement install gate"', 'unmet[] MUST list the ungranted primitive(s) (capability_not_provided envelope)'),
+    ).toBe(true);
+    expect(
+      typeof res.body.manifest === 'string' && (res.body.manifest as string).includes('vendor.example.http'),
+      driver.describe('registry-operations.md §"Runtime-requirement install gate"', 'the refusal MUST name the offending manifest (name@version)'),
+    ).toBe(true);
+  });
+
+  it('non-sandbox projection: a non-gating host installs and projects requires[] (§A SHOULD)', async () => {
+    const res = await installGate({ manifest: manifest(['net.dns', 'net.outbound']), gating: false });
+    if (res === null) return; // seam absent — soft-skip
+    // A non-gating host installs unconditionally; the SHOULD is the projection.
+    // If the host gates anyway (returns 400) the projection SHOULD does not apply — tolerate either install shape.
+    if (res.status !== 200) return;
+    if (res.body.requiresProjected === undefined) return; // SHOULD, not MUST — a non-projecting host is conformant
+    const projected = res.body.requiresProjected as unknown;
+    expect(
+      Array.isArray(projected) && ['net.dns', 'net.outbound'].every((t) => (projected as unknown[]).includes(t)),
+      driver.describe('node-packs.md §"Runtime platform requirements"', 'a non-gating host that projects SHOULD surface the declared runtime.requires[] on the inventory entry verbatim'),
+    ).toBe(true);
+  });
+});