@openwop/openwop-conformance 1.10.0 → 1.12.0

package/src/scenarios/agent-roster-shape.test.ts

@@ -0,0 +1,146 @@
+/**
+ * Standing agent roster — entry + capability + attribution-event shapes (RFC 0086).
+ *
+ * Always-on, server-free schema-shape probe. Verifies that:
+ *   - `capabilities.agents.roster` is declared with its `supported` /
+ *     `installScope` / `portfolioTriggerSources` sub-flags.
+ *   - `agent-roster-entry.schema.json` compiles and round-trips a conforming
+ *     entry, and rejects malformed ones (a non-`host:` rosterId; an `agentRef`
+ *     carrying BOTH `version` and `channel` — the RFC 0082 §A XOR rule).
+ *   - the `roster.run.initiated` payload $def validates a conforming
+ *     content-free attribution record and requires its ids + persona.
+ *   - `roster.run.initiated` is CONTENT-FREE: a payload carrying a work-item
+ *     `body` or a `prompt` is rejected (`additionalProperties:false`). This is
+ *     the public test for the protocol-tier SECURITY invariant
+ *     `roster-attribution-no-content`.
+ *   - the `AgentInventoryEntry` carries the additive optional `roster`
+ *     portfolio projection (RFC 0086 §B).
+ *   - `roster.run.initiated` appears in the RunEventType enum.
+ *
+ * Behavioral assertions (a scheduled portfolio fire emitting roster.run.initiated
+ * before agent.invocation.started; the work-item causation chain; the replay
+ * re-read; cross-tenant 404) are gated on `capabilities.agents.roster.supported`
+ * and land at Active → Accepted (reference-host roster store deferred per RFC 0086
+ * §Conformance). This scenario asserts the wire contract, not host behavior.
+ *
+ * Spec references:
+ *   - https://github.com/openwop/openwop/blob/main/spec/v1/agent-roster.md
+ *   - https://github.com/openwop/openwop/blob/main/RFCS/0086-standing-agent-roster-and-workflow-portfolio.md
+ *   - https://github.com/openwop/openwop/blob/main/SECURITY/invariants.yaml (roster-attribution-no-content)
+ */
+
+import { describe, it, expect } from 'vitest';
+import { readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import Ajv2020 from 'ajv/dist/2020.js';
+import addFormats from 'ajv-formats';
+import { SCHEMAS_DIR } from '../lib/paths.js';
+
+/** Server-free assertion-message helper. */
+const why = (specRef: string, requirement: string): string => `${specRef} — ${requirement}`;
+
+function loadSchema(name: string): Record<string, unknown> {
+  return JSON.parse(readFileSync(join(SCHEMAS_DIR, name), 'utf8')) as Record<string, unknown>;
+}
+
+describe('agent-roster-shape: capability advertisement (RFC 0086, server-free)', () => {
+  it('the capabilities schema declares agents.roster with its sub-flags', () => {
+    const caps = loadSchema('capabilities.schema.json');
+    const agents = (caps.properties as Record<string, { properties?: Record<string, { properties?: Record<string, unknown> }> }>).agents;
+    const roster = agents?.properties?.roster;
+    expect(roster, why('capabilities.md §agents', 'agents.roster MUST be declared')).toBeDefined();
+    for (const flag of ['supported', 'installScope', 'portfolioTriggerSources']) {
+      expect(roster?.properties?.[flag], why('agent-roster.md §F', `agents.roster.${flag} MUST be declared`)).toBeDefined();
+    }
+  });
+});
+
+describe('agent-roster-shape: roster entry (RFC 0086 §A, server-free)', () => {
+  const ajv = new Ajv2020({ strict: false, allErrors: true });
+  addFormats(ajv);
+  const entry = ajv.compile(loadSchema('agent-roster-entry.schema.json'));
+
+  it('AgentRosterEntry validates a conforming entry', () => {
+    const good = {
+      rosterId: 'host:sally-marketing',
+      persona: 'Sally',
+      agentRef: { agentId: 'core.openwop.agents.brief-writer', channel: 'stable' },
+      workflows: ['marketing-email-campaign'],
+      owner: { tenantId: 'acme', workspaceId: 'growth' },
+      enabled: true,
+    };
+    expect(entry(good), why('RFC 0086 §A', 'a conforming roster entry MUST validate')).toBe(true);
+  });
+
+  it('rejects a non-host: rosterId and an agentRef carrying both version and channel', () => {
+    const base = {
+      rosterId: 'host:sally-marketing',
+      persona: 'Sally',
+      agentRef: { agentId: 'core.openwop.agents.brief-writer' },
+      owner: { tenantId: 'acme' },
+    };
+    expect(entry({ ...base, rosterId: 'core.openwop.agents.sally' }), why('RFC 0086 §A', 'a non-`host:` rosterId MUST be rejected')).toBe(false);
+    expect(
+      entry({ ...base, agentRef: { agentId: 'core.x.y.z', version: '1.0.0', channel: 'stable' } }),
+      why('RFC 0082 §A', 'an agentRef with BOTH version and channel MUST be rejected'),
+    ).toBe(false);
+    expect(entry({ persona: 'x', agentRef: { agentId: 'core.x.y.z' }, owner: { tenantId: 'acme' } }), why('RFC 0086 §A', 'a roster entry without rosterId MUST be rejected')).toBe(false);
+  });
+});
+
+describe('agent-roster-shape: roster.run.initiated event (RFC 0086 §C, server-free)', () => {
+  const payloads = loadSchema('run-event-payloads.schema.json');
+  const ajv = new Ajv2020({ strict: false, allErrors: true });
+  addFormats(ajv);
+  ajv.addSchema(payloads, 'payloads');
+  const initiated = ajv.getSchema('payloads#/$defs/rosterRunInitiated');
+
+  it('roster.run.initiated validates a content-free attribution record and requires its ids', () => {
+    expect(initiated, 'the rosterRunInitiated $def MUST exist').toBeTruthy();
+    expect(
+      initiated!({ rosterId: 'host:sally-marketing', persona: 'Sally', agentId: 'core.openwop.agents.brief-writer', workflowId: 'marketing-email-campaign', triggerSource: 'schedule' }),
+      why('RFC 0086 §C', 'a conforming roster.run.initiated payload MUST validate'),
+    ).toBe(true);
+    expect(initiated!({ rosterId: 'host:s', persona: 'S' }), why('RFC 0086 §C', 'roster.run.initiated without agentId/workflowId/triggerSource MUST be rejected')).toBe(false);
+  });
+
+  it('roster.run.initiated is content-free — a work-item body and a prompt are rejected (roster-attribution-no-content)', () => {
+    const base = { rosterId: 'host:s', persona: 'S', agentId: 'a.b.c.d', workflowId: 'wf', triggerSource: 'queue' };
+    expect(
+      initiated!({ ...base, body: 'the card description' }),
+      why('SECURITY invariant roster-attribution-no-content', 'roster.run.initiated MUST NOT carry the work-item body'),
+    ).toBe(false);
+    expect(
+      initiated!({ ...base, prompt: 'system: …' }),
+      why('SECURITY invariant roster-attribution-no-content', 'roster.run.initiated MUST NOT carry prompt content'),
+    ).toBe(false);
+  });
+});
+
+describe('agent-roster-shape: inventory projection + enum (RFC 0086 §B, server-free)', () => {
+  it('AgentInventoryEntry carries the additive optional roster portfolio projection', () => {
+    const inv = loadSchema('agent-inventory-response.schema.json');
+    const entry = (inv.$defs as Record<string, { properties?: Record<string, unknown> }>).AgentInventoryEntry?.properties ?? {};
+    expect(entry.roster, why('RFC 0086 §B', 'AgentInventoryEntry.roster (the portfolio projection) MUST be declared')).toBeDefined();
+  });
+
+  it('roster.run.initiated appears in the RunEventType enum', () => {
+    const runEvent = loadSchema('run-event.schema.json');
+    const enumVals = (runEvent.$defs as Record<string, { enum?: string[] }>).RunEventType?.enum ?? [];
+    expect(enumVals).toContain('roster.run.initiated');
+  });
+
+  it('the GET /v1/agents/roster response schema validates + rejects extras (RFC 0086 §B)', () => {
+    const ajv = new Ajv2020({ strict: false, allErrors: true });
+    addFormats(ajv);
+    ajv.addSchema(loadSchema('agent-roster-entry.schema.json'), 'https://openwop.dev/spec/v1/agent-roster-entry.schema.json');
+    const resp = ajv.compile(loadSchema('agent-roster-response.schema.json'));
+    const good = {
+      roster: [{ rosterId: 'host:sally', persona: 'Sally', agentRef: { agentId: 'core.x.y.z' }, owner: { tenantId: 'acme' } }],
+      total: 1,
+    };
+    expect(resp(good), why('RFC 0086 §B', 'a conforming GET /v1/agents/roster response MUST validate')).toBe(true);
+    expect(resp({ ...good, unexpected: true }), why('RFC 0086 §B', 'an extra top-level property MUST be rejected')).toBe(false);
+    expect(resp({ roster: [] }), why('RFC 0086 §B', 'the response MUST require `total`')).toBe(false);
+  });
+});

package/src/scenarios/budget-policy-shape.test.ts

@@ -0,0 +1,136 @@
+/**
+ * Budget, quota, and cost policy — policy + events + cap.breached kinds (RFC 0084).
+ *
+ * Always-on, server-free schema-shape probe. Verifies that:
+ *   - `budget-policy.schema.json` round-trips a conforming `BudgetPolicy` and
+ *     rejects the malformed (the §A orthogonality guard — a wall-time field is
+ *     rejected by `additionalProperties:false`, because wall-time is RFC 0058's
+ *     `runTimeoutMs`; a `thresholdPercent` out of 0..100; an out-of-enum
+ *     `onExhaustion`).
+ *   - the four `budget.{reserved,consumed,threshold.crossed,exhausted}` payload
+ *     $defs validate conforming content-free records and reject malformed ones.
+ *   - the four new `cap.breached.kind` values (`budget-tokens`/`budget-cost`/
+ *     `budget-tool-calls`/`budget-retries`) are present in the enum.
+ *   - the four `budget.*` event names appear in the RunEventType enum.
+ *   - the `budget.*` payloads are CONTENT-FREE OF PRICING: none declares a
+ *     rate-card / per-token-price / model-prose property (the public test for the
+ *     protocol-tier SECURITY invariant `budget-no-pricing-leak`).
+ *   - `capabilities.budget` + `limits.maxBudget{Tokens,CostUsd}` are declared.
+ *
+ * Behavioral assertions (accrue → threshold → exhaust → `cap.breached{budget-cost}`
+ * → `run.failed{budget_exhausted}`; `budget_model_denied`; the advisory no-stop
+ * path) are gated on `capabilities.budget.supported` + `enforce` and land in
+ * `budget-enforcement.test.ts` (deferred per RFC 0084 §Conformance — reference host
+ * deferred). This scenario asserts the wire contract, not host behavior.
+ *
+ * Spec references:
+ *   - https://github.com/openwop/openwop/blob/main/spec/v1/budget-policy.md
+ *   - https://github.com/openwop/openwop/blob/main/RFCS/0084-budget-quota-and-cost-policy.md
+ *   - https://github.com/openwop/openwop/blob/main/SECURITY/invariants.yaml (budget-no-pricing-leak)
+ */
+
+import { describe, it, expect } from 'vitest';
+import { readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import Ajv2020 from 'ajv/dist/2020.js';
+import addFormats from 'ajv-formats';
+import { SCHEMAS_DIR } from '../lib/paths.js';
+
+const why = (specRef: string, requirement: string): string => `${specRef} — ${requirement}`;
+
+function loadSchema(name: string): Record<string, unknown> {
+  return JSON.parse(readFileSync(join(SCHEMAS_DIR, name), 'utf8')) as Record<string, unknown>;
+}
+
+/** Property names that would betray pricing / credential prose leaking onto a budget event. */
+const PRICING_PROP_NAMES = ['ratecard', 'pricepertoken', 'unitprice', 'pricing', 'rate', 'credential', 'apikey', 'model'];
+
+describe('budget-policy-shape: BudgetPolicy (RFC 0084 §A, server-free)', () => {
+  const ajv = addFormats(new Ajv2020({ strict: false }));
+  const validate = ajv.compile(loadSchema('budget-policy.schema.json'));
+
+  it('a conforming budget policy validates', () => {
+    expect(
+      validate({ maxTokens: 200000, maxCostUsd: 1.0, maxToolCalls: 50, maxRetries: 10, modelAllow: ['claude-*'], modelDeny: ['gpt-4-32k'], thresholdPercent: 80, onExhaustion: 'fail' }),
+      why('budget-policy.md §A', 'a conforming BudgetPolicy MUST validate'),
+    ).toBe(true);
+  });
+
+  it('the orthogonality guard: a wall-time field is rejected (it is RFC 0058 runTimeoutMs)', () => {
+    expect(validate({ maxCostUsd: 1.0, maxWallTimeMs: 60000 }), why('budget-policy.md §A/§E', 'wall-time is NOT a budget dimension')).toBe(false);
+  });
+
+  it('rejects an out-of-range thresholdPercent and an out-of-enum onExhaustion', () => {
+    expect(validate({ thresholdPercent: 120 }), why('budget-policy.md §A', 'thresholdPercent MUST be 0..100')).toBe(false);
+    expect(validate({ onExhaustion: 'explode' }), why('budget-policy.md §A', 'onExhaustion is a closed enum')).toBe(false);
+  });
+});
+
+describe('budget-policy-shape: budget.* events + cap.breached kinds (RFC 0084 §C/§D, server-free)', () => {
+  const payloads = loadSchema('run-event-payloads.schema.json');
+  const ajv = addFormats(new Ajv2020({ strict: false }));
+  const compile = (defName: string) => ajv.compile({
+    $schema: 'https://json-schema.org/draft/2020-12/schema',
+    $defs: (payloads as { $defs: Record<string, unknown> }).$defs,
+    $ref: `#/$defs/${defName}`,
+  } as Record<string, unknown>);
+
+  it('the four budget.* payloads validate conforming content-free records', () => {
+    expect(compile('budgetReserved')({ effectiveBudget: { maxCostUsd: 1.0 }, scope: 'run' }), why('budget-policy.md §C', 'budget.reserved MUST validate')).toBe(true);
+    expect(compile('budgetConsumed')({ dimension: 'cost', consumed: 0.7, limit: 1.0, remaining: 0.3 }), why('budget-policy.md §C', 'budget.consumed MUST validate')).toBe(true);
+    expect(compile('budgetThresholdCrossed')({ dimension: 'cost', consumed: 0.8, limit: 1.0, percent: 80 }), why('budget-policy.md §C', 'budget.threshold.crossed MUST validate')).toBe(true);
+    expect(compile('budgetExhausted')({ dimension: 'cost', consumed: 1.02, limit: 1.0 }), why('budget-policy.md §C', 'budget.exhausted MUST validate')).toBe(true);
+  });
+
+  it('rejects an out-of-enum dimension and a missing required field', () => {
+    expect(compile('budgetConsumed')({ dimension: 'vibes', consumed: 1, limit: 2 }), why('budget-policy.md §C', 'dimension is a closed enum')).toBe(false);
+    expect(compile('budgetExhausted')({ dimension: 'cost', consumed: 1.0 }), why('budget-policy.md §C', 'limit is REQUIRED')).toBe(false);
+  });
+
+  it('the cap.breached kind enum carries the four budget-* values', () => {
+    const kinds = ((payloads.$defs as Record<string, { properties?: Record<string, { enum?: string[] }> }>).capBreached.properties?.kind?.enum) ?? [];
+    for (const k of ['budget-tokens', 'budget-cost', 'budget-tool-calls', 'budget-retries']) {
+      expect(kinds.includes(k), why('budget-policy.md §D', `cap.breached.kind MUST include ${k}`)).toBe(true);
+    }
+  });
+
+  it('all four budget.* event names appear in the RunEventType enum', () => {
+    const runEvent = loadSchema('run-event.schema.json');
+    const enumVals = ((runEvent.$defs as Record<string, { enum?: string[] }>).RunEventType?.enum) ?? [];
+    for (const name of ['budget.reserved', 'budget.consumed', 'budget.threshold.crossed', 'budget.exhausted']) {
+      expect(enumVals.includes(name), why('run-event.schema.json', `${name} MUST be in the RunEventType enum`)).toBe(true);
+    }
+  });
+
+  it('the budget.* payloads declare no pricing/credential property (budget-no-pricing-leak)', () => {
+    const defs = payloads.$defs as Record<string, { properties?: Record<string, unknown> }>;
+    for (const def of ['budgetReserved', 'budgetConsumed', 'budgetThresholdCrossed', 'budgetExhausted']) {
+      for (const p of Object.keys(defs[def].properties ?? {})) {
+        expect(PRICING_PROP_NAMES.includes(p.toLowerCase()), why('budget-no-pricing-leak', `${def} MUST NOT declare a pricing-bearing property (${p})`)).toBe(false);
+      }
+    }
+  });
+
+  it('the budget.* payloads are additionalProperties:false — a rate-card field on an INSTANCE is rejected', () => {
+    // The aggregate cost total (the user's own budget) is permitted; the host's per-unit rate card is not.
+    // additionalProperties:false makes the rejection structural, not just a declared-property check.
+    expect(compile('budgetConsumed')({ dimension: 'cost', consumed: 0.8, limit: 1.0 }), why('budget-policy.md §F', 'an aggregate cost total (the user budget) MUST validate')).toBe(true);
+    expect(
+      compile('budgetConsumed')({ dimension: 'cost', consumed: 0.8, limit: 1.0, ratePerToken: 0.000003 }),
+      why('budget-no-pricing-leak', 'a rate-card / per-token-price field MUST be rejected (additionalProperties:false)'),
+    ).toBe(false);
+  });
+});
+
+describe('budget-policy-shape: capability advertisement (RFC 0084 §E, server-free)', () => {
+  it('capabilities.budget + limits.maxBudget{Tokens,CostUsd} are declared', () => {
+    const caps = loadSchema('capabilities.schema.json');
+    const props = caps.properties as Record<string, { properties?: Record<string, unknown> }>;
+    for (const flag of ['supported', 'dimensions', 'enforce', 'scopes']) {
+      expect(props.budget?.properties?.[flag], why('budget-policy.md §E', `capabilities.budget.${flag} MUST be declared`)).toBeDefined();
+    }
+    for (const ceiling of ['maxBudgetTokens', 'maxBudgetCostUsd']) {
+      expect(props.limits?.properties?.[ceiling], why('budget-policy.md §E', `limits.${ceiling} MUST be declared`)).toBeDefined();
+    }
+  });
+});

package/src/scenarios/egress-provenance-shape.test.ts

@@ -0,0 +1,137 @@
+/**
+ * Credential provenance + egress policy — descriptor + event + capability shapes (RFC 0079).
+ *
+ * Always-on, server-free schema-shape probe. Verifies that:
+ *   - `credential-provenance.schema.json` compiles and round-trips a conforming
+ *     `CredentialProvenance`, and rejects the malformed (`audiences: []` —
+ *     `minItems:1`, a credential with no audience can't be bound to anything;
+ *     a missing REQUIRED `credentialId`; an unknown property under
+ *     `additionalProperties:false`).
+ *   - the descriptor + the `egress.decided` payload are CONTENT-FREE OF THE
+ *     SECRET: neither schema declares a secret-value property (the public test
+ *     for the protocol-tier SECURITY invariant `egress-decision-no-secret-leak`).
+ *   - the `egress.decided` payload $def validates a conforming content-free
+ *     record and rejects an out-of-enum `decision` (`ok` is a `reason`, not a
+ *     `decision` — the canonical allow value is `allowed`), and requires
+ *     `decision` + `destination`.
+ *   - `egress.decided` appears in the RunEventType enum.
+ *   - `capabilities.httpClient.egressPolicy` is declared with `supported` /
+ *     `decisions`.
+ *
+ * Behavioral assertions (the §C audience-binding MUST — a credential bound to
+ * audience A on an egress to B → denied/downgraded, never allowed-with-credential;
+ * fail-closed on unevaluable provenance) are gated on
+ * `capabilities.httpClient.egressPolicy.supported` and land in
+ * `egress-audience-binding.test.ts` + `egress-decision-content-free.test.ts`
+ * (deferred per RFC 0079 §Conformance — reference host deferred). That binding is
+ * tracked as the reference-impl-tier `egress-credential-audience-bound` invariant
+ * until a host wires it (RFC 0035 precedent). This scenario asserts the wire
+ * contract, not host behavior.
+ *
+ * Spec references:
+ *   - https://github.com/openwop/openwop/blob/main/spec/v1/host-capabilities.md (§"Credential provenance + egress policy")
+ *   - https://github.com/openwop/openwop/blob/main/RFCS/0079-credential-provenance-and-egress-policy.md
+ *   - https://github.com/openwop/openwop/blob/main/SECURITY/invariants.yaml (egress-decision-no-secret-leak)
+ */
+
+import { describe, it, expect } from 'vitest';
+import { readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import Ajv2020 from 'ajv/dist/2020.js';
+import addFormats from 'ajv-formats';
+import { SCHEMAS_DIR } from '../lib/paths.js';
+
+const why = (specRef: string, requirement: string): string => `${specRef} — ${requirement}`;
+
+function loadSchema(name: string): Record<string, unknown> {
+  return JSON.parse(readFileSync(join(SCHEMAS_DIR, name), 'utf8')) as Record<string, unknown>;
+}
+
+/** Property names that would betray a secret value leaking onto the wire. */
+const SECRET_PROP_NAMES = ['secret', 'value', 'token', 'apiKey', 'authorization', 'password', 'credential'];
+
+describe('egress-provenance-shape: CredentialProvenance (RFC 0079 §A, server-free)', () => {
+  const ajv = addFormats(new Ajv2020({ strict: false }));
+  const provenance = loadSchema('credential-provenance.schema.json');
+  const validate = ajv.compile(provenance);
+
+  it('a conforming descriptor validates', () => {
+    expect(
+      validate({ credentialId: 'cred-stripe-1', issuer: 'host', audiences: ['api.stripe.com'], expiresAt: '2026-12-01T00:00:00Z', scopes: ['egress:stripe:charge'], redactionPolicy: 'always' }),
+      why('host-capabilities.md §"Credential provenance + egress policy"', 'a conforming CredentialProvenance MUST validate'),
+    ).toBe(true);
+  });
+
+  it('audiences: [] is rejected (minItems:1 — a credential needs ≥1 audience to bind)', () => {
+    expect(validate({ credentialId: 'c', issuer: 'host', audiences: [] }), why('RFC 0079 §A', 'audiences MUST have ≥1 entry')).toBe(false);
+  });
+
+  it('a missing REQUIRED credentialId is rejected', () => {
+    expect(validate({ issuer: 'host', audiences: ['a'] }), why('RFC 0079 §A', 'credentialId is REQUIRED')).toBe(false);
+  });
+
+  it('an unknown property is rejected (additionalProperties:false)', () => {
+    expect(validate({ credentialId: 'c', issuer: 'host', audiences: ['a'], secretValue: 'sk-live-xxx' }), why('RFC 0079 §A', 'CredentialProvenance MUST be additionalProperties:false')).toBe(false);
+  });
+
+  it('declares no secret-value property (egress-decision-no-secret-leak)', () => {
+    const props = Object.keys((provenance.properties ?? {}) as Record<string, unknown>);
+    for (const p of props) {
+      expect(
+        SECRET_PROP_NAMES.includes(p.toLowerCase()),
+        why('SECURITY invariant egress-decision-no-secret-leak', `CredentialProvenance MUST NOT declare a secret-bearing property (${p})`),
+      ).toBe(false);
+    }
+  });
+});
+
+describe('egress-provenance-shape: egress.decided event (RFC 0079 §B, server-free)', () => {
+  const payloads = loadSchema('run-event-payloads.schema.json');
+  const ajv = addFormats(new Ajv2020({ strict: false }));
+  const validate = ajv.compile({
+    $schema: 'https://json-schema.org/draft/2020-12/schema',
+    $defs: (payloads as { $defs: Record<string, unknown> }).$defs,
+    $ref: '#/$defs/egressDecided',
+  } as Record<string, unknown>);
+
+  it('validates a content-free decision and enforces the decision enum + required fields', () => {
+    expect(validate({ decision: 'allowed', destination: 'api.stripe.com', credentialId: 'cred-stripe-1', reason: 'ok' }), why('RFC 0079 §B', 'a conforming egress.decided MUST validate')).toBe(true);
+    expect(validate({ decision: 'denied', destination: 'attacker.example', credentialId: 'cred-stripe-1', reason: 'out-of-audience' }), why('RFC 0079 §B', 'a denied decision MUST validate')).toBe(true);
+    expect(validate({ decision: 'ok', destination: 'a' }), why('RFC 0079 §B', 'the canonical allow value is "allowed", not "ok"')).toBe(false);
+    expect(validate({ destination: 'a' }), why('RFC 0079 §B', 'decision is REQUIRED')).toBe(false);
+    expect(validate({ decision: 'allowed' }), why('RFC 0079 §B', 'destination is REQUIRED')).toBe(false);
+  });
+
+  it('reason is a CLOSED enum — a free-form / URL-bearing reason is rejected (egress-decision-no-secret-leak)', () => {
+    expect(validate({ decision: 'denied', destination: 'attacker.example', reason: 'out-of-audience' }), why('egress-decision-no-secret-leak', 'a conventional reason code MUST validate')).toBe(true);
+    expect(
+      validate({ decision: 'denied', destination: 'attacker.example', reason: 'https://attacker.example/leak?token=sk-live-xxx' }),
+      why('egress-decision-no-secret-leak', 'a free-form / URL-bearing reason MUST be rejected (it would defeat the content-free guarantee)'),
+    ).toBe(false);
+  });
+
+  it('the egressDecided $def declares no secret-value property', () => {
+    const def = ((payloads.$defs as Record<string, { properties?: Record<string, unknown> }>).egressDecided.properties) ?? {};
+    for (const p of Object.keys(def)) {
+      expect(SECRET_PROP_NAMES.includes(p.toLowerCase()), why('egress-decision-no-secret-leak', `egress.decided MUST NOT declare a secret-bearing property (${p})`)).toBe(false);
+    }
+  });
+
+  it('egress.decided is in the RunEventType enum', () => {
+    const runEvent = loadSchema('run-event.schema.json');
+    const enumVals = ((runEvent.$defs as Record<string, { enum?: string[] }>).RunEventType?.enum) ?? [];
+    expect(enumVals.includes('egress.decided'), why('run-event.schema.json', 'egress.decided MUST be in the RunEventType enum')).toBe(true);
+  });
+});
+
+describe('egress-provenance-shape: capability advertisement (RFC 0079 §D, server-free)', () => {
+  it('capabilities.httpClient.egressPolicy is declared with its sub-flags', () => {
+    const caps = loadSchema('capabilities.schema.json');
+    const httpClient = (caps.properties as Record<string, { properties?: Record<string, { properties?: Record<string, unknown> }> }>).httpClient;
+    const egressPolicy = httpClient?.properties?.egressPolicy;
+    expect(egressPolicy, why('capabilities.md §httpClient', 'httpClient.egressPolicy MUST be declared')).toBeDefined();
+    for (const flag of ['supported', 'decisions']) {
+      expect(egressPolicy?.properties?.[flag], why('host-capabilities.md §"Credential provenance + egress policy"', `egressPolicy.${flag} MUST be declared`)).toBeDefined();
+    }
+  });
+});

package/src/scenarios/memory-capability-model-shape.test.ts

@@ -0,0 +1,186 @@
+/**
+ * Memory capability model — reconciled dimensions + degraded-projection shapes (RFC 0080).
+ *
+ * Always-on, server-free schema-shape probe. Verifies that:
+ *   - `capabilities.memory` declares the additive `writable` / `search` / `retention`
+ *     dimensions (RFC 0080 §A), without disturbing the existing
+ *     `supported` / `compaction` / `distillation` / `attribution` fields.
+ *   - the `memory.search` / `memory.retention` sub-blocks validate conforming
+ *     instances and reject malformed ones (`retention.ttl` non-boolean; an
+ *     unknown `search.modes` enum value; an unknown property under
+ *     `additionalProperties:false`).
+ *   - `agent-inventory-response` declares the `memoryDegraded` (bool) +
+ *     `degradedMemoryDimensions` (closed enum of the eight §A dimension names)
+ *     inventory fields (RFC 0080 §C), and rejects an out-of-enum dimension.
+ *   - the eight §A dimension names are stable (the `degradedMemoryDimensions` enum).
+ *   - `deriveProfiles` surfaces `openwop-memory` for a read/write + long-term
+ *     payload and withholds it for a `writable:false` payload (the §D predicate).
+ *
+ * Behavioral assertions (a live `GET /v1/agents` stamping `memoryDegraded` when an
+ * agent's `memoryShape` exceeds the host's reconciled model) are gated on
+ * `capabilities.agents.manifestRuntime` + `memory` and land in
+ * `memory-degraded-projection.test.ts` (deferred per RFC 0080 §Conformance — the
+ * degraded projection soft-skips until a reference host computes it). This scenario
+ * asserts the wire contract, not host behavior.
+ *
+ * Spec references:
+ *   - https://github.com/openwop/openwop/blob/main/spec/v1/agent-memory.md (§"Memory capability model")
+ *   - https://github.com/openwop/openwop/blob/main/spec/v1/profiles.md (§`openwop-memory`)
+ *   - https://github.com/openwop/openwop/blob/main/RFCS/0080-agent-memory-capability-reconciliation.md
+ */
+
+import { describe, it, expect } from 'vitest';
+import { readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import Ajv2020 from 'ajv/dist/2020.js';
+import addFormats from 'ajv-formats';
+import { SCHEMAS_DIR } from '../lib/paths.js';
+import { deriveProfiles } from '../lib/profiles.js';
+
+const why = (specRef: string, requirement: string): string => `${specRef} — ${requirement}`;
+
+function loadSchema(name: string): Record<string, unknown> {
+  return JSON.parse(readFileSync(join(SCHEMAS_DIR, name), 'utf8')) as Record<string, unknown>;
+}
+
+/** The canonical eight RFC 0080 §A dimension names, in table order. */
+const DIMENSIONS = [
+  'read',
+  'write',
+  'search',
+  'long-term-durability',
+  'compaction',
+  'attribution',
+  'replay-snapshot',
+  'retention',
+] as const;
+
+describe('memory-capability-model-shape: reconciled dimensions (RFC 0080 §A, server-free)', () => {
+  const caps = loadSchema('capabilities.schema.json');
+  const memory = (caps.properties as Record<string, { properties?: Record<string, unknown> }>).memory;
+
+  it('capabilities.memory declares the additive writable / search / retention dimensions', () => {
+    for (const dim of ['writable', 'search', 'retention']) {
+      expect(
+        memory?.properties?.[dim],
+        why('agent-memory.md §"Memory capability model"', `capabilities.memory.${dim} MUST be declared (RFC 0080 §A)`),
+      ).toBeDefined();
+    }
+  });
+
+  it('the pre-existing memory fields are untouched (additive, no relocation)', () => {
+    for (const dim of ['supported', 'compaction', 'distillation', 'attribution']) {
+      expect(
+        memory?.properties?.[dim],
+        why('COMPATIBILITY.md §2.1', `capabilities.memory.${dim} MUST remain (RFC 0080 is additive)`),
+      ).toBeDefined();
+    }
+  });
+
+  it('memory.search / memory.retention validate conforming instances and reject malformed ones', () => {
+    const ajv = addFormats(new Ajv2020({ strict: false }));
+    // Wrap the extracted sub-block in a standalone schema (no external $refs in the block).
+    const validate = ajv.compile({
+      $schema: 'https://json-schema.org/draft/2020-12/schema',
+      type: 'object',
+      additionalProperties: false,
+      properties: { memory },
+    } as Record<string, unknown>);
+
+    expect(
+      validate({ memory: { supported: true, writable: false, search: { supported: true, modes: ['semantic', 'filter'] }, retention: { ttl: true, forget: true } } }),
+      why('capabilities.md §memory', 'a full reconciled-memory advertisement MUST validate'),
+    ).toBe(true);
+
+    expect(
+      validate({ memory: { retention: { ttl: 'yes' } } }),
+      why('RFC 0080 §A', 'retention.ttl MUST be boolean'),
+    ).toBe(false);
+
+    expect(
+      validate({ memory: { search: { supported: true, modes: ['fuzzy'] } } }),
+      why('RFC 0080 §A', 'search.modes MUST be the closed enum [semantic, filter]'),
+    ).toBe(false);
+
+    expect(
+      validate({ memory: { search: { supported: true, unknownField: 1 } } }),
+      why('RFC 0080 §A', 'memory.search MUST be additionalProperties:false'),
+    ).toBe(false);
+  });
+});
+
+describe('memory-capability-model-shape: degraded projection (RFC 0080 §C, server-free)', () => {
+  const inventory = loadSchema('agent-inventory-response.schema.json');
+
+  it('agent-inventory-response declares memoryDegraded + degradedMemoryDimensions', () => {
+    const entry = ((inventory.$defs as Record<string, { properties?: Record<string, unknown> }>)
+      .AgentInventoryEntry).properties;
+    expect(
+      entry?.memoryDegraded,
+      why('agent-memory.md §C-1', 'memoryDegraded MUST be declared on the inventory entry'),
+    ).toBeDefined();
+    expect(
+      entry?.degradedMemoryDimensions,
+      why('agent-memory.md §C-1', 'degradedMemoryDimensions MUST be declared on the inventory entry'),
+    ).toBeDefined();
+  });
+
+  it('degradedMemoryDimensions enumerates exactly the eight §A dimension names', () => {
+    const entry = ((inventory.$defs as Record<string, { properties?: Record<string, { items?: { enum?: string[] } }> }>)
+      .AgentInventoryEntry).properties;
+    const enumVals = entry?.degradedMemoryDimensions?.items?.enum ?? [];
+    expect(
+      [...enumVals].sort(),
+      why('agent-memory.md §A', 'the degraded-dimension enum MUST be the eight reconciled dimensions'),
+    ).toEqual([...DIMENSIONS].sort());
+  });
+
+  it('the inventory schema round-trips a degraded entry and rejects an out-of-enum dimension', () => {
+    const ajv = addFormats(new Ajv2020({ strict: false }));
+    const validate = ajv.compile(inventory);
+    const base = {
+      agentId: 'a', persona: 'A', label: 'A', modelClass: 'standard',
+      packName: 'p', packVersion: '1.0.0', toolAllowlist: [], hasHandoffSchemas: false,
+    };
+    expect(
+      validate({ total: 1, agents: [{ ...base, memoryDegraded: true, degradedMemoryDimensions: ['write', 'long-term-durability'] }] }),
+      why('agent-memory.md §C-1', 'a degraded inventory entry MUST validate'),
+    ).toBe(true);
+    expect(
+      validate({ total: 1, agents: [{ ...base, memoryDegraded: true, degradedMemoryDimensions: ['telepathy'] }] }),
+      why('agent-memory.md §C-1', 'an out-of-enum degraded dimension MUST be rejected'),
+    ).toBe(false);
+  });
+});
+
+describe('memory-capability-model-shape: openwop-memory derivation (RFC 0080 §D, server-free)', () => {
+  it('deriveProfiles surfaces openwop-memory for a read/write + long-term host', () => {
+    const c = {
+      protocolVersion: '1.0',
+      supportedEnvelopes: ['clarification.request'],
+      schemaVersions: {},
+      limits: { clarificationRounds: 1, schemaRounds: 1, envelopesPerTurn: 1 },
+      memory: { supported: true },
+      agents: { memoryBackends: ['long-term'] },
+    } as Record<string, unknown>;
+    expect(
+      deriveProfiles(c).includes('openwop-memory'),
+      why('profiles.md §openwop-memory', 'a read/write + long-term host MUST derive openwop-memory'),
+    ).toBe(true);
+  });
+
+  it('deriveProfiles withholds openwop-memory from a read-only (writable:false) host', () => {
+    const c = {
+      protocolVersion: '1.0',
+      supportedEnvelopes: ['clarification.request'],
+      schemaVersions: {},
+      limits: { clarificationRounds: 1, schemaRounds: 1, envelopesPerTurn: 1 },
+      memory: { supported: true, writable: false },
+      agents: { memoryBackends: ['long-term'] },
+    } as Record<string, unknown>;
+    expect(
+      deriveProfiles(c).includes('openwop-memory'),
+      why('profiles.md §openwop-memory', 'a read-only host MUST NOT derive openwop-memory'),
+    ).toBe(false);
+  });
+});