@openwop/openwop-conformance 1.13.0 → 1.14.0

package/src/lib/egressPolicy.ts

@@ -0,0 +1,76 @@
+/**
+ * Shared helpers for the RFC 0079 `httpClient.egressPolicy` conformance
+ * scenarios. Lives in lib/ (not a `*.test.ts`) so scenarios import it via
+ * `../lib/egressPolicy.js`.
+ *
+ * Egress policy is a BEHAVIOR layered over the RFC 0076 `safeFetch` — there is
+ * no new normative read endpoint. The behavior is driven through the
+ * host-sample egress-decision seam (`POST /v1/host/sample/egress/decide`): a
+ * host-issued credential carries `audiences[]` (RFC 0079 §A provenance), and an
+ * egress whose destination is OUTSIDE those audiences MUST emit
+ * `egress.decided { decision: "denied"|"downgraded", reason: "out-of-audience" }`
+ * and MUST NOT attach the credential (the §C confused-deputy MUST, backing the
+ * `egress-credential-audience-bound` invariant). A provenance-unevaluable egress
+ * MUST be `denied { reason: "provenance-unevaluable" }` — fail-closed. The seam
+ * is OPTIONAL — scenarios soft-skip on 404/405.
+ *
+ * Gating uses the `httpClient.egressPolicy.supported` capability flag from the
+ * live discovery doc (root-first per RFC 0073).
+ *
+ * @see RFCS/0079-credential-provenance-and-egress-policy.md
+ * @see spec/v1/host-capabilities.md (§"Credential provenance + egress policy")
+ */
+import { driver } from './driver.js';
+import { readCapabilityFamily } from './discovery-capabilities.js';
+
+/** Reads `httpClient.egressPolicy` from discovery (root-first per RFC 0073);
+ *  null when unadvertised. */
+export async function readEgressPolicyCap(): Promise<Record<string, unknown> | null> {
+  const http = await readCapabilityFamily<{ egressPolicy?: unknown }>('httpClient');
+  const ep = http?.egressPolicy;
+  return ep && typeof ep === 'object' ? (ep as Record<string, unknown>) : null;
+}
+
+export interface EgressDecision {
+  decision?: string;
+  reason?: string;
+  destination?: string;
+  /** Whether the host-issued credential was attached to the egress (§C — MUST
+   *  be false for an out-of-audience / unevaluable decision). */
+  credentialAttached?: boolean;
+  /** Set when the seam ran a canary credential and the canary leaked into any
+   *  observable surface (the SR-1 negative — MUST stay false/absent). */
+  canaryLeaked?: boolean;
+  runId?: string;
+  [k: string]: unknown;
+}
+
+/**
+ * Drive one egress decision through the host-sample seam (RFC 0079 §C).
+ * `scenario`:
+ *   - `out-of-audience`        — credential bound to audience A, egress to B;
+ *                                MUST deny/downgrade + NOT attach the credential.
+ *   - `provenance-unevaluable` — egress whose provenance can't be evaluated;
+ *                                MUST deny fail-closed.
+ *   - `in-audience`            — control: egress within audience; MAY allow.
+ *   - `canary`                 — seed a credential whose value is a known canary
+ *                                and assert it never appears on the wire (SR-1).
+ * Returns null when the seam is unwired (404/405).
+ */
+export async function driveEgress(
+  body: { scenario: 'out-of-audience' | 'provenance-unevaluable' | 'in-audience' | 'canary' },
+): Promise<EgressDecision | null> {
+  const res = await driver.post('/v1/host/sample/egress/decide', body);
+  if (res.status === 404 || res.status === 405) return null;
+  return (res.json as EgressDecision | undefined) ?? {};
+}
+
+/** The closed egress-decision vocabulary (RFC 0079 §B). */
+export const EGRESS_DECISIONS = ['allowed', 'denied', 'downgraded', 'approval-required'];
+/** The closed egress-reason vocabulary (RFC 0079 §B — a CLOSED enum so a host
+ *  cannot spill a blocked URL/host/header into a free-form reason). */
+export const EGRESS_REASONS = ['ok', 'out-of-audience', 'expired', 'ssrf-blocked', 'provenance-unevaluable', 'scope-denied', 'policy-denied'];
+/** Content keys an `egress.decided` payload / provenance descriptor MUST NEVER
+ *  carry (SR-1 / `egress-decision-no-secret-leak`): no secret value, no blocked
+ *  URL/header spill. */
+export const EGRESS_CONTENT_FORBIDDEN = ['secret', 'credential', 'credentials', 'token', 'apiKey', 'password', 'url', 'header', 'headers', 'body'];

package/src/lib/profiles.ts

@@ -362,6 +362,21 @@ export function agentPlatformSatisfiedTerms(c: DiscoveryPayload): readonly strin
   return checks.filter(([, ok]) => ok).map(([id]) => id);
 }
 
+// ─────────────────────────────────────────────────────────────────────────────
+// `openwop-core-standard` operational-annex predicate (RFC 0088). Like the
+// agent-platform annex above, this is NOT a closed-catalog profile (so it is
+// absent from deriveProfiles) — it is an operational ANNEX whose claim is backed
+// by the §C floor scenarios passing black-box. This helper computes only the §B
+// discovery predicate (the floor of MUSTs with black-box production-path proof).
+//
+// @see spec/v1/core-standard-profile.md
+// ─────────────────────────────────────────────────────────────────────────────
+
+/** The `openwop-core-standard` floor discovery predicate — RFC 0088 §B. */
+export function isCoreStandard(c: DiscoveryPayload): boolean {
+  return isCore(c) && isInterrupts(c) && (isStreamSse(c) || isStreamPoll(c));
+}
+
 /**
  * Derive the full profile set from a discovery payload.
  *

package/src/lib/sandbox-timeout-worker.mjs

@@ -0,0 +1,31 @@
+// Suite-local worker for the RFC 0035 §B wall-clock-timeout conformance probe.
+//
+// Instantiates ONE WASM module on a dedicated worker thread and runs its entry.
+// The main thread (see `probeTimeout` in wasm-sandbox-probe.ts) races a
+// kill-timer against this worker: a non-terminating module (the
+// `misbehaving-timeout` fixture) never posts and is terminated at the wall-clock
+// cap → `sandbox_timeout`; a well-behaved module posts its result first. Mirrors
+// the reference host's `examples/hosts/wasm-sandbox/src/sandbox-worker.mjs`; the
+// suite carries its own copy so the published conformance package is
+// self-contained (no dependency on the reference host).
+import { workerData, parentPort } from 'node:worker_threads';
+
+const { wasmBytes, entry, arg, memoryMaxPages } = workerData;
+
+try {
+  const memory = new WebAssembly.Memory({ initial: 1, maximum: memoryMaxPages });
+  const instance = new WebAssembly.Instance(new WebAssembly.Module(wasmBytes), { env: { memory } });
+  const fn = instance.exports[entry];
+  if (typeof fn !== 'function') {
+    parentPort.postMessage({ ok: false, code: 'sandbox_invocation_error' });
+  } else {
+    const result = fn(arg); // a non-terminating module never returns — the host kill-timer fires
+    parentPort.postMessage({ ok: true, result: Number(result) });
+  }
+} catch (err) {
+  const message = err instanceof Error ? err.message : String(err);
+  const code = /out of bounds memory access|memory access out of bounds/i.test(message)
+    ? 'sandbox_memory_exceeded'
+    : 'sandbox_invocation_error';
+  parentPort.postMessage({ ok: false, code });
+}

package/src/lib/toolCatalog.ts

@@ -0,0 +1,81 @@
+/**
+ * Shared helpers for the RFC 0078 `toolCatalog` conformance scenarios.
+ * Lives in lib/ (not a `*.test.ts`) so scenarios import it via
+ * `../lib/toolCatalog.js`.
+ *
+ * Two surfaces:
+ *   - the NORMATIVE reads (`GET /v1/tools` + `GET /v1/tools/{toolId}`, RFC 0078
+ *     §B), exercised black-box; and
+ *   - the host-sample tool-session seam (`POST /v1/host/sample/tools/session-run`),
+ *     used to drive the §D `tool.session.{opened,closed}` bracket over the RFC
+ *     0064 call events so the ordering + content-free guarantees can be asserted
+ *     against the test event-log seam. The seam is OPTIONAL — scenarios soft-skip
+ *     on 404/405 (the reference session lifecycle is deferred per RFC 0078
+ *     §Conformance).
+ *
+ * Gating uses the `toolCatalog.supported` (and `toolCatalog.sessionLifecycle`)
+ * capability flags from the live discovery doc (root-first per RFC 0073).
+ *
+ * @see RFCS/0078-portable-tool-catalog-and-tool-session-contract.md
+ * @see spec/v1/tool-catalog.md
+ */
+import { driver } from './driver.js';
+import { readCapabilityFamily } from './discovery-capabilities.js';
+
+/** Reads `toolCatalog` from discovery (root-first per RFC 0073); null when
+ *  unadvertised. */
+export async function readToolCatalogCap(): Promise<Record<string, unknown> | null> {
+  const tc = await readCapabilityFamily<Record<string, unknown>>('toolCatalog');
+  return tc && typeof tc === 'object' ? tc : null;
+}
+
+export interface ToolDescriptor {
+  toolId?: string;
+  source?: string;
+  safetyTier?: string;
+  [k: string]: unknown;
+}
+
+/** GET the NORMATIVE tool catalog (RFC 0078 §B `GET /v1/tools`); null when the
+ *  host doesn't serve it (404/405/501). */
+export async function listTools(): Promise<ToolDescriptor[] | null> {
+  const res = await driver.get('/v1/tools');
+  if (res.status === 404 || res.status === 405 || res.status === 501) return null;
+  return (res.json as ToolDescriptor[] | undefined) ?? [];
+}
+
+/** GET one tool by id (RFC 0078 §B `GET /v1/tools/{toolId}`); returns
+ *  `{ status, descriptor }` so a caller can distinguish a 404 (absent /
+ *  unauthorized / unadvertised) from a served descriptor. */
+export async function getTool(
+  toolId: string,
+): Promise<{ status: number; descriptor: ToolDescriptor | undefined }> {
+  const res = await driver.get(`/v1/tools/${encodeURIComponent(toolId)}`);
+  return { status: res.status, descriptor: res.json as ToolDescriptor | undefined };
+}
+
+export interface ToolSessionResult {
+  runId?: string;
+  sessionId?: string;
+  toolId?: string;
+}
+
+/** Drive one tool-session interaction through the host-sample seam (RFC 0078
+ *  §D). Persists `tool.session.opened` → RFC 0064 call events → `tool.session.closed`
+ *  to the durable run-event log (read back via the run event-log read seam).
+ *  Returns null when the seam is unwired (404/405). */
+export async function driveToolSession(
+  body: { toolId?: string } = {},
+): Promise<ToolSessionResult | null> {
+  const res = await driver.post('/v1/host/sample/tools/session-run', body);
+  if (res.status === 404 || res.status === 405) return null;
+  return (res.json as ToolSessionResult | undefined) ?? {};
+}
+
+/** The closed tool-source vocabulary (RFC 0078 §C). */
+export const TOOL_SOURCES = ['node-pack', 'workflow', 'mcp', 'connector', 'host-extension'];
+/** The closed safety-tier vocabulary (RFC 0078 §C). */
+export const SAFETY_TIERS = ['pure', 'read', 'write', 'exec'];
+/** Content keys a `ToolDescriptor` / `tool.session.*` MUST NEVER carry (SR-1):
+ *  no credential/secret material. */
+export const TOOL_CONTENT_FORBIDDEN = ['secret', 'credential', 'credentials', 'token', 'apiKey', 'password'];

package/src/lib/wasm-sandbox-probe.ts

@@ -0,0 +1,168 @@
+/**
+ * Portable WASM-sandbox probe — the suite-local reference for the RFC 0035 §B
+ * isolation invariants.
+ *
+ * The conformance suite is a standalone package, so it carries its own compact,
+ * server-free probe (no host, no worker) rather than importing a reference
+ * host's executor. It proves the invariants that hold *by construction* in any
+ * WebAssembly sandbox:
+ *
+ *   - escape attempts (fs / env / network / process) and the capability gate are
+ *     proven by STATIC inspection of `WebAssembly.Module.imports()` — a WASM
+ *     module has no ambient host access, so a forbidden operation can only be a
+ *     declared import; a sandbox refuses any import it did not grant, failing
+ *     closed BEFORE instantiation.
+ *   - the memory bound is proven by instantiating with a capped host memory and
+ *     observing the engine trap on an access past the bound.
+ *   - isolated-context is proven by instantiating the same module twice and
+ *     observing no shared mutable state.
+ *
+ * The `timeout` invariant requires thread preemption (a worker kill-timer) and is
+ * proven at reference-impl tier by the WASM host's `test/sandbox.test.ts`; it is
+ * intentionally NOT exercised here (an in-process infinite loop cannot be
+ * interrupted server-free).
+ *
+ * @see RFCS/0035-sandbox-execution-contract.md §B
+ * @see examples/hosts/wasm-sandbox/ (the reference host this mirrors)
+ */
+import { Worker } from 'node:worker_threads';
+import { fileURLToPath } from 'node:url';
+
+export type SandboxErrorCode =
+  | 'sandbox_memory_exceeded'
+  | 'sandbox_timeout'
+  | 'sandbox_capability_denied'
+  | 'sandbox_escape_attempt'
+  | 'sandbox_invocation_error';
+
+export type EscapeKind = 'host-fs-escape' | 'host-env-leak' | 'network-escape' | 'host-process-escape';
+
+export interface ProbeResult {
+  readonly ok: boolean;
+  readonly result?: number;
+  readonly code?: SandboxErrorCode;
+  readonly escapeKind?: EscapeKind;
+  readonly requestedCapability?: string;
+}
+
+const WASM_PAGE_BYTES = 65536;
+
+// Minimal local types for the Node-global `WebAssembly` value. The full
+// `WebAssembly.*` namespace types live in lib.dom (not @types/node); rather than
+// widen the suite's global lib (which would pull in conflicting DOM `fetch`/
+// `BodyInit` types), we declare exactly what this probe uses and read the global.
+interface WAModule {
+  readonly __wasmModule?: never;
+}
+interface WAInstance {
+  readonly exports: Record<string, unknown>;
+}
+interface WAImportDescriptor {
+  readonly module: string;
+  readonly name: string;
+}
+const WA = (globalThis as unknown as {
+  WebAssembly: {
+    Module: { new (bytes: Uint8Array): WAModule; imports(m: WAModule): readonly WAImportDescriptor[] };
+    Instance: { new (m: WAModule, imports: Record<string, Record<string, unknown>>): WAInstance };
+    Memory: { new (descriptor: { initial: number; maximum: number }): unknown };
+  };
+}).WebAssembly;
+
+function escapeKindFor(name: string): EscapeKind {
+  if (/^fd_|^path_/.test(name)) return 'host-fs-escape';
+  if (/^environ_/.test(name)) return 'host-env-leak';
+  if (/^sock_/.test(name)) return 'network-escape';
+  return 'host-process-escape';
+}
+
+/** Static capability gate — the first un-granted import, or `null` if all are host-provided. */
+function gateImports(module: WAModule, allowedHostCalls: readonly string[]): ProbeResult | null {
+  const allowed = new Set(allowedHostCalls);
+  for (const imp of WA.Module.imports(module)) {
+    if (imp.module === 'env' && imp.name === 'memory') continue;
+    if (imp.module === 'openwop') {
+      if (allowed.has(imp.name)) continue;
+      return { ok: false, code: 'sandbox_capability_denied', requestedCapability: imp.name };
+    }
+    return { ok: false, code: 'sandbox_escape_attempt', escapeKind: escapeKindFor(imp.name) };
+  }
+  return null;
+}
+
+/**
+ * Probe one WASM-compiled typeId under the RFC 0035 sandbox contract, server-free.
+ * Statically gates imports; for a fully-granted module, instantiates with a
+ * capped host memory and runs the entry, classifying any trap. Does NOT spawn a
+ * worker — callers MUST NOT pass a non-terminating module (see `timeout` note).
+ */
+export function probeSandboxed(
+  wasmBytes: Uint8Array,
+  config: { readonly allowedHostCalls: readonly string[]; readonly memoryLimitBytes: number },
+  entry = 'invoke',
+  arg = 0,
+): ProbeResult {
+  let module: WAModule;
+  try {
+    module = new WA.Module(wasmBytes);
+  } catch {
+    return { ok: false, code: 'sandbox_invocation_error' };
+  }
+  const gate = gateImports(module, config.allowedHostCalls);
+  if (gate) return gate;
+
+  const memoryMaxPages = Math.max(1, Math.ceil(config.memoryLimitBytes / WASM_PAGE_BYTES));
+  try {
+    const memory = new WA.Memory({ initial: 1, maximum: memoryMaxPages });
+    const openwop: Record<string, (x: number) => number> = {};
+    for (const name of config.allowedHostCalls) openwop[name] = (x: number): number => x;
+    const instance = new WA.Instance(module, { env: { memory }, openwop });
+    const fn = instance.exports[entry];
+    if (typeof fn !== 'function') return { ok: false, code: 'sandbox_invocation_error' };
+    return { ok: true, result: Number((fn as (a: number) => number)(arg)) };
+  } catch (e) {
+    const message = e instanceof Error ? e.message : String(e);
+    if (/out of bounds memory access|memory access out of bounds/i.test(message)) {
+      return { ok: false, code: 'sandbox_memory_exceeded' };
+    }
+    return { ok: false, code: 'sandbox_invocation_error' };
+  }
+}
+
+const timeoutWorkerPath = fileURLToPath(new URL('./sandbox-timeout-worker.mjs', import.meta.url));
+
+/**
+ * Worker-based timeout probe — RFC 0035 §B invariant 6 (`node-pack-sandbox-timeout`).
+ * A wall-clock cap can only be enforced by THREAD PREEMPTION: a same-thread timer
+ * cannot interrupt a synchronous WASM loop. So this spawns a worker thread running
+ * the module and races a main-thread kill-timer. A non-terminating module →
+ * `sandbox_timeout` (the worker is terminated at `wallClockLimitMs`); a module that
+ * completes within the budget posts its result first. This is the worker-driven
+ * counterpart to the server-free `probeSandboxed` (which deliberately cannot run a
+ * non-terminating module).
+ */
+export function probeTimeout(
+  wasmBytes: Uint8Array,
+  config: { readonly memoryLimitBytes: number; readonly wallClockLimitMs: number },
+  entry = 'invoke',
+  arg = 0,
+): Promise<ProbeResult> {
+  const memoryMaxPages = Math.max(1, Math.ceil(config.memoryLimitBytes / WASM_PAGE_BYTES));
+  return new Promise((resolve) => {
+    const worker = new Worker(timeoutWorkerPath, { workerData: { wasmBytes, entry, arg, memoryMaxPages } });
+    let settled = false;
+    const finish = (r: ProbeResult): void => {
+      if (settled) return;
+      settled = true;
+      clearTimeout(timer);
+      void worker.terminate();
+      resolve(r);
+    };
+    const timer = setTimeout(() => finish({ ok: false, code: 'sandbox_timeout' }), config.wallClockLimitMs);
+    worker.on('message', (m: { ok: boolean; result?: number; code?: SandboxErrorCode }) => {
+      if (m.ok) finish(m.result === undefined ? { ok: true } : { ok: true, result: m.result });
+      else finish({ ok: false, code: m.code ?? 'sandbox_invocation_error' });
+    });
+    worker.on('error', () => finish({ ok: false, code: 'sandbox_invocation_error' }));
+  });
+}

package/src/scenarios/core-standard-profile.test.ts

@@ -0,0 +1,75 @@
+/**
+ * openwop-core-standard — operational-annex predicate derivation (RFC 0088).
+ *
+ * Always-on, server-free derivation probe. Verifies that `isCoreStandard`
+ * derives the Core Standard Profile floor correctly from representative
+ * discovery payloads (RFC 0088 §B / core-standard-profile.md §B):
+ *   - a host meeting openwop-core + openwop-interrupts + a transport is core-standard;
+ *   - a bare openwop-core host (no interrupts) is NOT core-standard — the floor is
+ *     deliberately stricter than the v1 minimum;
+ *   - a host with no event transport (supportedTransports: []) fails the floor;
+ *   - the floor is the AND of three existing closed-catalog predicates (it composes,
+ *     it does not redefine — so it is absent from deriveProfiles()).
+ *
+ * The LIVE aggregate-evidence assertion (does every §C floor scenario actually
+ * pass against a host claiming the profile?) is the `Active → Accepted` step per
+ * RFC 0088 §C — already satisfied by MyndHyve + all reference hosts, asserted via
+ * each constituent scenario, and deferred here. This scenario asserts the
+ * discovery-predicate derivation only.
+ *
+ * Spec references:
+ *   - https://github.com/openwop/openwop/blob/main/spec/v1/core-standard-profile.md
+ *   - https://github.com/openwop/openwop/blob/main/RFCS/0088-core-standard-profile.md
+ */
+
+import { describe, it, expect } from 'vitest';
+import { isCoreStandard, isCore, deriveProfiles } from '../lib/profiles.js';
+
+const why = (specRef: string, requirement: string): string => `${specRef} — ${requirement}`;
+
+const CORE = {
+  protocolVersion: '1.0',
+  supportedEnvelopes: ['clarification.request'],
+  schemaVersions: {},
+  limits: { clarificationRounds: 1, schemaRounds: 1, envelopesPerTurn: 1 },
+};
+
+describe('core-standard-profile: floor predicate (RFC 0088 §B, server-free)', () => {
+  it('a host meeting core + interrupts + a default transport is core-standard', () => {
+    // No supportedTransports ⇒ both stream predicates default-true (profiles.md).
+    const c = { ...CORE };
+    expect(isCoreStandard(c), why('core-standard-profile.md §B', 'core + interrupts + transport ⇒ core-standard')).toBe(true);
+  });
+
+  it('a bare openwop-core host without interrupts is NOT core-standard', () => {
+    // openwop-core minimum, but no clarification.request ⇒ fails openwop-interrupts.
+    const c = { ...CORE, supportedEnvelopes: ['schema.request'] };
+    expect(isCore(c), why('profiles.md §openwop-core', 'still a valid openwop-core host')).toBe(true);
+    expect(isCoreStandard(c), why('core-standard-profile.md §B', 'the floor is stricter than the v1 minimum')).toBe(false);
+  });
+
+  it('a host advertising no event transport fails the floor', () => {
+    const c = { ...CORE, supportedTransports: [] as string[] };
+    expect(isCoreStandard(c), why('core-standard-profile.md §B', 'at least one event transport is required')).toBe(false);
+  });
+
+  it('a host advertising the rest transport satisfies the transport term', () => {
+    const c = { ...CORE, supportedTransports: ['rest'] };
+    expect(isCoreStandard(c), why('core-standard-profile.md §B', 'rest transport ⇒ stream term satisfied')).toBe(true);
+  });
+
+  it('a non-1.x host is not core-standard', () => {
+    const c = { ...CORE, protocolVersion: '2.0' };
+    expect(isCoreStandard(c), why('profiles.md §openwop-core', 'core-standard implies openwop-core (1.x)')).toBe(false);
+  });
+});
+
+describe('core-standard-profile: composes, does not redefine (RFC 0088 §A, server-free)', () => {
+  it('openwop-core-standard is an annex, NOT a closed-catalog profile (absent from deriveProfiles)', () => {
+    const c = { ...CORE };
+    expect(
+      (deriveProfiles(c) as readonly string[]).includes('openwop-core-standard'),
+      why('core-standard-profile.md §A', 'the annex is not a closed-catalog predicate'),
+    ).toBe(false);
+  });
+});

package/src/scenarios/egress-audience-binding.test.ts

@@ -0,0 +1,81 @@
+/**
+ * Credential-audience-bound egress (RFC 0079 §C) — behavioral KEYSTONE.
+ *
+ * Gated on `httpClient.egressPolicy.supported` (root-first per RFC 0073).
+ * Soft-skips when unadvertised (default) / hard-fails under
+ * `OPENWOP_REQUIRE_BEHAVIOR=true`. The always-on wire-shape coverage lives in
+ * `egress-provenance-shape.test.ts`; this asserts host BEHAVIOR — the §C
+ * confused-deputy MUST that backs the `egress-credential-audience-bound`
+ * SECURITY invariant:
+ *
+ *   1. OUT-OF-AUDIENCE — a host-issued credential bound to audience A, used for
+ *      an egress to destination B (B ∉ A), MUST be `denied` or `downgraded`
+ *      with `reason: "out-of-audience"`, and the credential MUST NOT be attached
+ *      to the egress (`credentialAttached !== true`).
+ *   2. PROVENANCE-UNEVALUABLE — an egress whose credential provenance cannot be
+ *      evaluated MUST be `denied` with `reason: "provenance-unevaluable"`
+ *      (fail-closed, not fail-open).
+ *
+ * The decision is driven through the OPTIONAL host-sample egress seam
+ * (`POST /v1/host/sample/egress/decide`) — soft-skip on 404/405. The decision
+ * reason is a CLOSED enum so a host cannot spill a blocked URL/host into a
+ * free-form string (SR-1, asserted in `egress-decision-content-free.test.ts`).
+ *
+ * Spec references:
+ *   - https://github.com/openwop/openwop/blob/main/spec/v1/host-capabilities.md (§"Credential provenance + egress policy")
+ *   - https://github.com/openwop/openwop/blob/main/RFCS/0079-credential-provenance-and-egress-policy.md
+ *   - https://github.com/openwop/openwop/blob/main/SECURITY/invariants.yaml (egress-credential-audience-bound)
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+import { behaviorGate } from '../lib/behavior-gate.js';
+import { readEgressPolicyCap, driveEgress, EGRESS_DECISIONS, EGRESS_REASONS } from '../lib/egressPolicy.js';
+
+describe('egress-audience-binding (RFC 0079 §C)', () => {
+  it('denies/downgrades an out-of-audience egress without attaching the credential, and fails closed on unevaluable provenance', async () => {
+    const cap = await readEgressPolicyCap();
+    if (!behaviorGate('openwop-egress-audience-binding', cap?.supported === true)) return;
+
+    // ---- Leg 1: out-of-audience — deny|downgrade + credential NOT attached --
+    const oob = await driveEgress({ scenario: 'out-of-audience' });
+    if (oob === null) return; // egress seam absent — soft-skip the whole behavior
+    expect(
+      oob.decision === 'denied' || oob.decision === 'downgraded',
+      driver.describe('host-capabilities.md §"Credential provenance + egress policy"', 'an out-of-audience egress MUST be denied or downgraded'),
+    ).toBe(true);
+    expect(
+      typeof oob.decision === 'string' && EGRESS_DECISIONS.includes(oob.decision),
+      driver.describe('run-event-payloads.schema.json#egressDecided', 'decision MUST be in the closed enum'),
+    ).toBe(true);
+    expect(
+      oob.reason === 'out-of-audience',
+      driver.describe('RFC 0079 §C', 'an out-of-audience denial MUST carry reason "out-of-audience"'),
+    ).toBe(true);
+    expect(
+      oob.credentialAttached !== true,
+      driver.describe('SECURITY/invariants.yaml egress-credential-audience-bound', 'the host MUST NOT attach a credential whose audience excludes the destination (confused-deputy)'),
+    ).toBe(true);
+
+    // ---- Leg 2: provenance-unevaluable — fail closed (deny) ----------------
+    const uneval = await driveEgress({ scenario: 'provenance-unevaluable' });
+    if (uneval !== null) {
+      expect(
+        uneval.decision === 'denied',
+        driver.describe('RFC 0079 §C', 'an egress with unevaluable provenance MUST fail closed (denied)'),
+      ).toBe(true);
+      expect(
+        uneval.reason === 'provenance-unevaluable',
+        driver.describe('RFC 0079 §C', 'a provenance-unevaluable denial MUST carry reason "provenance-unevaluable"'),
+      ).toBe(true);
+      expect(
+        typeof uneval.reason === 'string' && EGRESS_REASONS.includes(uneval.reason),
+        driver.describe('run-event-payloads.schema.json#egressDecided', 'reason MUST be in the closed enum'),
+      ).toBe(true);
+      expect(
+        uneval.credentialAttached !== true,
+        driver.describe('SECURITY/invariants.yaml egress-credential-audience-bound', 'a fail-closed egress MUST NOT attach the credential'),
+      ).toBe(true);
+    }
+  });
+});

package/src/scenarios/egress-decision-content-free.test.ts

@@ -0,0 +1,57 @@
+/**
+ * Egress-decision secret non-leak (RFC 0079 §F / SR-1) — behavioral.
+ *
+ * Gated on `httpClient.egressPolicy.supported` (root-first per RFC 0073).
+ * Soft-skips when unadvertised (default) / hard-fails under
+ * `OPENWOP_REQUIRE_BEHAVIOR=true`. Backs the `egress-decision-no-secret-leak`
+ * guarantee: an `egress.decided` payload is metadata-only — it MUST NOT carry
+ * the credential value, nor spill the blocked URL/host/header/body into a
+ * free-form field, and its `reason` MUST be drawn from the CLOSED vocabulary
+ * (so a host cannot smuggle a blocked destination into the reason string).
+ *
+ * Drives the host-sample seam with a `canary` credential whose value is a known
+ * sentinel and asserts the sentinel never surfaces in the decision
+ * (`canaryLeaked !== true`) and that the payload carries none of the forbidden
+ * content keys. Soft-skips on 404/405.
+ *
+ * Spec references:
+ *   - https://github.com/openwop/openwop/blob/main/spec/v1/host-capabilities.md (§"Credential provenance + egress policy")
+ *   - https://github.com/openwop/openwop/blob/main/RFCS/0079-credential-provenance-and-egress-policy.md
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+import { behaviorGate } from '../lib/behavior-gate.js';
+import { readEgressPolicyCap, driveEgress, EGRESS_REASONS, EGRESS_CONTENT_FORBIDDEN } from '../lib/egressPolicy.js';
+
+describe('egress-decision-content-free (RFC 0079 §F / SR-1)', () => {
+  it('never leaks the credential value or the blocked destination into the egress.decided payload', async () => {
+    const cap = await readEgressPolicyCap();
+    if (!behaviorGate('openwop-egress-decision-content-free', cap?.supported === true)) return;
+
+    const res = await driveEgress({ scenario: 'canary' });
+    if (res === null) return; // seam absent — soft-skip
+
+    // The canary sentinel MUST NOT appear anywhere observable.
+    expect(
+      res.canaryLeaked !== true,
+      driver.describe('RFC 0079 §F (SR-1)', 'the credential value (canary) MUST NOT leak into any observable surface'),
+    ).toBe(true);
+
+    // No forbidden content keys on the decision payload.
+    for (const forbidden of EGRESS_CONTENT_FORBIDDEN) {
+      expect(
+        !(forbidden in res),
+        driver.describe('RFC 0079 §F (SR-1)', `egress.decided MUST be content-free (no ${forbidden})`),
+      ).toBe(true);
+    }
+
+    // The reason stays in the closed vocabulary — no free-form destination spill.
+    if (res.reason !== undefined) {
+      expect(
+        typeof res.reason === 'string' && EGRESS_REASONS.includes(res.reason),
+        driver.describe('run-event-payloads.schema.json#egressDecided', 'reason MUST be in the closed enum (no free-form spill)'),
+      ).toBe(true);
+    }
+  });
+});

package/src/scenarios/multi-agent-confidence-escalation.test.ts

@@ -49,7 +49,7 @@
 import { describe, it, expect } from 'vitest';
 import { driver } from '../lib/driver.js';
 import { isFixtureAdvertised } from '../lib/fixtures.js';
-import { pollUntilTerminal } from '../lib/polling.js';
+import { pollUntil } from '../lib/polling.js';
 import { capabilityFamily } from '../lib/discovery-capabilities.js';
 
 const HTTP_SKIP = !process.env.OPENWOP_BASE_URL;
@@ -111,12 +111,17 @@ describe.skipIf(BEHAVIORAL_SKIP)('multi-agent-confidence-escalation: behavioral
     expect(create.status).toBe(201);
     const runId = (create.json as { runId: string }).runId;
 
-    const terminal = await pollUntilTerminal(runId);
-    // RFC 0039 escalation suspends the parent — NOT a terminal `completed`.
-    // The conformance pollUntilTerminal returns when the run reaches any
-    // settled status. RFC 0039 §A gives hosts a choice: clarify-kind
-    // escalation (→ waiting-clarification) OR escalate-kind approval
-    // (→ waiting-approval).
+    // RFC 0039 confidence escalation SUSPENDS the parent (a `waiting-*` status)
+    // — it is NOT a terminal `completed`/`failed`/`cancelled`. So poll until the
+    // run either suspends or settles; polling only for terminal statuses
+    // (`pollUntilTerminal`, whose set is {completed,failed,cancelled}) would time
+    // out before the suspension is ever observed — the cause of the prior flake.
+    const terminal = await pollUntil(runId, (s) => {
+      const st = s.status as string;
+      return st.startsWith('waiting-') || st === 'completed' || st === 'failed' || st === 'cancelled';
+    });
+    // RFC 0039 §A gives hosts a choice: clarify-kind escalation
+    // (→ waiting-clarification) OR escalate-kind approval (→ waiting-approval).
     //
     // RFC 0044 routing: when the host advertises
     // `capabilities.multiAgent.executionModel.confidenceEscalationInterruptKind`