@openwop/openwop-conformance 1.13.0 → 1.14.0

package/src/scenarios/prompt-resolution-chain-event.test.ts

@@ -0,0 +1,113 @@
+/**
+ * prompt-resolution-chain-event — RFC 0029 layer precedence on the PRODUCTION wire.
+ *
+ * The black-box, production-path counterpart to the three seam-driven
+ * `prompt-resolution-chain-{node-wins,agent-intrinsic,fallback-cascade}.test.ts`
+ * scenarios. Instead of the synchronous `POST /v1/host/sample/prompt/resolve`
+ * seam, this creates a real run from a prompt-exercising fixture, reads the
+ * run's DURABLE event log via the NORMATIVE `GET /v1/runs/{runId}/events/poll`
+ * endpoint, and asserts the `agent.promptResolved` event carries the full
+ * layer-by-layer precedence record (`spec/v1/prompts.md` §"Resolution chain") —
+ * no `/v1/host/sample/*` seam.
+ *
+ * The `agentPromptResolved` payload (`schemas/run-event-payloads.schema.json`)
+ * already REQUIRES `chain[]` with one `applied: true` entry + the full-traversal
+ * MUST, so the wire is already capable of conveying precedence without the seam.
+ * This is the "replace seam-gated proofs with black-box production-path
+ * conformance" step (independent-audit acceptance-bar item 3) for RFC 0029: once
+ * a host emits `agent.promptResolved`, prompt-chain precedence is proven on the
+ * production wire and the surface graduates INTO the `openwop-core-standard`
+ * floor (RFC 0088 §D Lever-2 → floor).
+ *
+ * Gating: soft-skips unless `capabilities.prompts.supported` AND the host
+ * actually emits `agent.promptResolved` for the run (emission is staged per
+ * RFC 0029 / RFC 0021 — a host advertising prompts MAY not yet emit the event).
+ *
+ * @see RFCS/0029-prompt-override-hierarchy.md
+ * @see spec/v1/prompts.md §"Resolution chain (normative)"
+ */
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+import { capabilityFamily } from '../lib/discovery-capabilities.js';
+import { pollUntilTerminal } from '../lib/polling.js';
+
+const PROMPT_FIXTURE_ID = 'conformance-prompt-end-to-end';
+const VALID_LAYERS = new Set([
+  'run-configurable', 'node', 'agent-intrinsic', 'agent-overrides',
+  'agent-library-default', 'workflow-defaults', 'host-defaults',
+]);
+
+interface ChainEntry { layer?: unknown; source?: unknown; applied?: unknown }
+interface PromptResolvedPayload { chain?: ChainEntry[]; resolved?: unknown }
+interface RawEvent { type?: string; payload?: PromptResolvedPayload }
+
+async function promptsSupported(): Promise<boolean> {
+  const res = await driver.get('/.well-known/openwop');
+  return capabilityFamily(res.json as Record<string, unknown> | undefined, 'prompts')?.supported === true;
+}
+
+describe('prompt-resolution-chain-event (black-box): agent.promptResolved carries the precedence record (RFC 0029)', () => {
+  it('the production agent.promptResolved event records the full four-layer resolution chain', async () => {
+    if (!(await promptsSupported())) return; // capability not advertised — skip
+
+    const create = await driver.post('/v1/runs', { workflowId: PROMPT_FIXTURE_ID });
+    if (create.status !== 201) {
+      // Fixture not seeded / run not accepted — not a prompt-chain failure.
+      // eslint-disable-next-line no-console
+      console.warn(`[prompt-resolution-chain-event] POST /v1/runs for ${PROMPT_FIXTURE_ID} returned ${create.status}; skipping the production-path assertion`);
+      return;
+    }
+    const runId = (create.json as { runId?: string }).runId;
+    if (!runId) return;
+    await pollUntilTerminal(runId);
+
+    const poll = await driver.get(`/v1/runs/${encodeURIComponent(runId)}/events/poll`);
+    const events = (poll.json as { events?: RawEvent[] } | undefined)?.events ?? [];
+    const resolved = events.filter((e) => e.type === 'agent.promptResolved');
+    if (resolved.length === 0) {
+      // Host advertises prompts but does not yet emit agent.promptResolved
+      // (RFC 0029 emission is staged) — soft-skip the behavioral assertion.
+      // eslint-disable-next-line no-console
+      console.warn('[prompt-resolution-chain-event] host emitted no agent.promptResolved event; skipping (RFC 0029 emission staged)');
+      return;
+    }
+
+    for (const ev of resolved) {
+      const chain = ev.payload?.chain;
+      expect(
+        Array.isArray(chain) && chain.length > 0,
+        driver.describe('prompts.md §Resolution chain', 'agent.promptResolved MUST carry a non-empty chain[] of attempted layers'),
+      ).toBe(true);
+      const entries = chain as ChainEntry[];
+
+      // Every entry is a well-formed layer record (the full-traversal shape).
+      for (const e of entries) {
+        expect(
+          typeof e.layer === 'string' && VALID_LAYERS.has(e.layer),
+          driver.describe('prompts.md §Resolution chain', `each chain entry MUST name a valid layer, got ${String(e.layer)}`),
+        ).toBe(true);
+        expect(typeof e.applied, driver.describe('prompts.md §Resolution chain', 'each chain entry MUST carry a boolean `applied`')).toBe('boolean');
+      }
+
+      // Exactly one layer wins (or none, when resolved is null).
+      const applied = entries.filter((e) => e.applied === true);
+      expect(
+        applied.length <= 1,
+        driver.describe('prompts.md §Resolution chain', 'AT MOST one chain entry MAY be applied: true (the winning layer)'),
+      ).toBe(true);
+
+      // resolved mirrors the applied entry's source (RFC 0029 §B).
+      if (applied.length === 1) {
+        expect(
+          ev.payload?.resolved,
+          driver.describe('run-event-payloads.schema.json agentPromptResolved', '`resolved` MUST mirror the applied chain entry\'s `source`'),
+        ).toBe(applied[0]?.source);
+      } else {
+        expect(
+          ev.payload?.resolved === null || ev.payload?.resolved === undefined,
+          driver.describe('run-event-payloads.schema.json agentPromptResolved', 'with no applied layer, `resolved` MUST be null'),
+        ).toBe(true);
+      }
+    }
+  });
+});

package/src/scenarios/sandbox-wasm-isolation.test.ts

@@ -0,0 +1,98 @@
+/**
+ * RFC 0035 §B sandbox isolation — portable, server-free behavioral conformance.
+ *
+ * Drives the committed `fixtures/wasm-sandbox/*.wasm` modules through the
+ * suite-local `probeSandboxed` reference (see `../lib/wasm-sandbox-probe.ts`).
+ * Every assertion exercises real WebAssembly isolation — there are NO `it.todo`
+ * placeholders and NO mocks. These are the behavioral probes that graduate the
+ * cross-runtime `node-pack-sandbox-*` invariants from reference-impl to protocol
+ * tier (`SECURITY/invariants.yaml`).
+ *
+ * Coverage (six invariants, proven by construction, server-free):
+ *   - node-pack-sandbox-fs-gated / -no-env / -network-gated / -no-process:
+ *     a forbidden operation can only be a DECLARED IMPORT; the probe statically
+ *     refuses any un-granted import → `sandbox_escape_attempt` + `escapeKind`.
+ *   - capability gate: an un-granted `openwop.*` import → `sandbox_capability_denied`.
+ *   - node-pack-sandbox-memory-cap: an access past the host memory bound traps →
+ *     `sandbox_memory_exceeded`.
+ *   - node-pack-sandbox-isolated-context: a fresh instance per invocation carries
+ *     no state across calls.
+ *
+ * `node-pack-sandbox-timeout` requires thread preemption (a worker kill-timer) and
+ * stays reference-impl, proven by `examples/hosts/wasm-sandbox/test/sandbox.test.ts`
+ * (real worker kill). `node-pack-sandbox-no-eval` is JS-runtime-specific (WASM has
+ * no `eval`) and is exempt per RFC 0035.
+ *
+ * Spec reference:
+ *   - https://github.com/openwop/openwop/blob/main/RFCS/0035-sandbox-execution-contract.md
+ */
+import { describe, it, expect } from 'vitest';
+import { readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import { FIXTURES_DIR } from '../lib/paths.js';
+import { probeSandboxed } from '../lib/wasm-sandbox-probe.js';
+
+const why = (specRef: string, requirement: string): string => `${specRef} — ${requirement}`;
+const dir = join(FIXTURES_DIR, 'wasm-sandbox');
+const fix = (name: string): Uint8Array => new Uint8Array(readFileSync(join(dir, `${name}.wasm`)));
+const BASE = { allowedHostCalls: [] as string[], memoryLimitBytes: 2 * 1024 * 1024 };
+
+describe('sandbox-wasm-isolation: positive controls (RFC 0035 §B, server-free)', () => {
+  it('a well-behaved pure module runs and returns its input', () => {
+    const r = probeSandboxed(fix('well-behaved-echo'), BASE, 'invoke', 42);
+    expect(r.ok, why('RFC 0035 §B', 'a pure-compute module runs')).toBe(true);
+    expect(r.result).toBe(42);
+  });
+
+  it('a granted host capability is callable when in allowedHostCalls', () => {
+    const r = probeSandboxed(fix('well-behaved-host-fetch'), { ...BASE, allowedHostCalls: ['fetch'] }, 'invoke', 7);
+    expect(r.ok, why('RFC 0035 §B invariant 7', 'a granted openwop.* capability is callable')).toBe(true);
+    expect(r.result).toBe(7);
+  });
+});
+
+describe('sandbox-wasm-isolation: escape attempts fail closed (RFC 0035 §B 1–4, server-free)', () => {
+  const cases: ReadonlyArray<readonly [string, string, string]> = [
+    ['misbehaving-fs', 'host-fs-escape', 'node-pack-sandbox-fs-gated'],
+    ['misbehaving-env', 'host-env-leak', 'node-pack-sandbox-no-env'],
+    ['misbehaving-network', 'network-escape', 'node-pack-sandbox-network-gated'],
+    ['misbehaving-process', 'host-process-escape', 'node-pack-sandbox-no-process'],
+  ];
+  for (const [fixture, escapeKind, invariant] of cases) {
+    it(`${invariant}: ${fixture} → sandbox_escape_attempt (${escapeKind})`, () => {
+      const r = probeSandboxed(fix(fixture), BASE);
+      expect(r.code, why('RFC 0035 §B', `${invariant} fails closed before instantiation`)).toBe('sandbox_escape_attempt');
+      expect(r.escapeKind).toBe(escapeKind);
+    });
+  }
+});
+
+describe('sandbox-wasm-isolation: capability gate (RFC 0035 §B 7, server-free)', () => {
+  it('an un-granted openwop capability is denied with its name', () => {
+    const r = probeSandboxed(fix('misbehaving-capability-gate'), BASE);
+    expect(r.code, why('RFC 0035 §B invariant 7', 'undeclared host capability fails closed')).toBe('sandbox_capability_denied');
+    expect(r.requestedCapability).toBe('privileged');
+  });
+
+  it('host-fetch WITHOUT the grant is denied (the gate works both directions)', () => {
+    const r = probeSandboxed(fix('well-behaved-host-fetch'), BASE);
+    expect(r.code).toBe('sandbox_capability_denied');
+    expect(r.requestedCapability).toBe('fetch');
+  });
+});
+
+describe('sandbox-wasm-isolation: memory cap (RFC 0035 §B 5, server-free)', () => {
+  it('node-pack-sandbox-memory-cap: access beyond the host memory bound is sandbox_memory_exceeded', () => {
+    const r = probeSandboxed(fix('misbehaving-memory'), BASE);
+    expect(r.ok, why('RFC 0035 §B invariant 5', 'memory bound is engine-enforced')).toBe(false);
+    expect(r.code).toBe('sandbox_memory_exceeded');
+  });
+});
+
+describe('sandbox-wasm-isolation: isolated context (RFC 0035 §B 8, server-free)', () => {
+  it('node-pack-sandbox-isolated-context: each invocation gets a fresh instance (no cross-pack state)', () => {
+    const iso = fix('isolation-global');
+    expect(probeSandboxed(iso, BASE, 'bump').result, why('RFC 0035 §B invariant 8', 'a fresh instance starts at 0')).toBe(1);
+    expect(probeSandboxed(iso, BASE, 'read').result, why('RFC 0035 §B invariant 8', 'no state leaks across invocations')).toBe(0);
+  });
+});

package/src/scenarios/sandbox-wasm-timeout.test.ts

@@ -0,0 +1,40 @@
+/**
+ * RFC 0035 §B invariant 6 — sandbox wall-clock timeout, worker-driven + server-free.
+ *
+ * The worker-thread counterpart to `sandbox-wasm-isolation.test.ts` (which proves
+ * the other six cross-runtime invariants in-process but deliberately cannot run a
+ * non-terminating module). A wall-clock cap can only be enforced by THREAD
+ * PREEMPTION — a same-thread timer cannot interrupt a synchronous WASM loop — so
+ * `probeTimeout` (see `../lib/wasm-sandbox-probe.ts`) spawns a worker running the
+ * committed `misbehaving-timeout.wasm` fixture and races a main-thread kill-timer.
+ *
+ * This is the worker-driven conformance probe that graduates
+ * `node-pack-sandbox-timeout` from reference-impl to protocol tier (the prior gap:
+ * the cap was proven only host-internally by the WASM host's `test/sandbox.test.ts`).
+ *
+ * @see RFCS/0035-sandbox-execution-contract.md §B invariant 6
+ * @see SECURITY/invariants.yaml node-pack-sandbox-timeout
+ */
+import { describe, it, expect } from 'vitest';
+import { readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import { FIXTURES_DIR } from '../lib/paths.js';
+import { probeTimeout } from '../lib/wasm-sandbox-probe.js';
+
+const why = (specRef: string, requirement: string): string => `${specRef} — ${requirement}`;
+const dir = join(FIXTURES_DIR, 'wasm-sandbox');
+const fix = (name: string): Uint8Array => new Uint8Array(readFileSync(join(dir, `${name}.wasm`)));
+
+describe('sandbox-wasm-timeout: wall-clock cap is engine/worker-enforced (RFC 0035 §B 6, server-free)', () => {
+  it('node-pack-sandbox-timeout: a non-terminating module is killed with sandbox_timeout', async () => {
+    const r = await probeTimeout(fix('misbehaving-timeout'), { memoryLimitBytes: 2 * 1024 * 1024, wallClockLimitMs: 300 });
+    expect(r.ok, why('RFC 0035 §B invariant 6', 'an over-budget invocation MUST fail')).toBe(false);
+    expect(r.code, why('RFC 0035 §C', 'the failure code MUST be sandbox_timeout')).toBe('sandbox_timeout');
+  });
+
+  it('positive control: a well-behaved module completes within the budget (the kill-timer does not false-positive)', async () => {
+    const r = await probeTimeout(fix('well-behaved-echo'), { memoryLimitBytes: 2 * 1024 * 1024, wallClockLimitMs: 1000 }, 'invoke', 7);
+    expect(r.ok, why('RFC 0035 §B', 'a within-budget invocation completes before the kill-timer')).toBe(true);
+    expect(r.result).toBe(7);
+  });
+});

package/src/scenarios/tool-catalog-projection.test.ts

@@ -0,0 +1,120 @@
+/**
+ * Portable tool catalog — the `GET /v1/tools` projection (RFC 0078 §B/§F) —
+ * behavioral.
+ *
+ * Capability-gated on `toolCatalog.supported` (root-first per RFC 0073).
+ * Soft-skips when unadvertised (default) / hard-fails under
+ * `OPENWOP_REQUIRE_BEHAVIOR=true`. The always-on wire-shape coverage lives in
+ * `tool-descriptor-shape.test.ts`; this asserts host BEHAVIOR black-box on the
+ * NORMATIVE reads:
+ *
+ *   1. LIST (§B) — `GET /v1/tools` returns a `ToolDescriptor[]`, each
+ *      schema-valid, `source` ∈ the closed vocab, `safetyTier` ∈ the closed
+ *      vocab, and content-free (no credential material, SR-1).
+ *   2. BY-ID (§B) — `GET /v1/tools/{toolId}` returns that descriptor; an unknown
+ *      id 404s.
+ *   3. AUTH-GATED — an unauthenticated `GET /v1/tools` is `401` (not public).
+ *   4. §F-2 NON-DISCLOSURE — a tool id known to belong to a DIFFERENT principal
+ *      (`OPENWOP_CROSS_PRINCIPAL_TOOL_ID`) 404s for this caller, identically to
+ *      "not found" — the authorization-scoped projection never discloses another
+ *      principal's tools. Soft-skips when the env var is unset.
+ *
+ * Spec references:
+ *   - https://github.com/openwop/openwop/blob/main/spec/v1/tool-catalog.md (§B/§F)
+ *   - https://github.com/openwop/openwop/blob/main/RFCS/0078-portable-tool-catalog-and-tool-session-contract.md
+ */
+
+import { describe, it, expect } from 'vitest';
+import { readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import Ajv2020 from 'ajv/dist/2020.js';
+import addFormats from 'ajv-formats';
+import { driver } from '../lib/driver.js';
+import { behaviorGate } from '../lib/behavior-gate.js';
+import { SCHEMAS_DIR } from '../lib/paths.js';
+import {
+  readToolCatalogCap,
+  listTools,
+  getTool,
+  TOOL_SOURCES,
+  SAFETY_TIERS,
+  TOOL_CONTENT_FORBIDDEN,
+} from '../lib/toolCatalog.js';
+
+function loadSchema(name: string): Record<string, unknown> {
+  return JSON.parse(readFileSync(join(SCHEMAS_DIR, name), 'utf8')) as Record<string, unknown>;
+}
+
+function expectContentFree(d: Record<string, unknown>, where: string): void {
+  for (const f of TOOL_CONTENT_FORBIDDEN) {
+    expect(
+      !(f in d),
+      driver.describe('RFC 0078 §F (SR-1)', `${where} MUST be content-free (no ${f})`),
+    ).toBe(true);
+  }
+}
+
+describe('tool-catalog-projection (RFC 0078 §B/§F)', () => {
+  it('lists schema-valid ToolDescriptors, serves by-id + 404s, is auth-gated, and never discloses another principal', async () => {
+    const cap = await readToolCatalogCap();
+    if (!behaviorGate('openwop-tool-catalog', cap?.supported === true)) return;
+
+    const ajv = new Ajv2020({ strict: false, allErrors: true });
+    addFormats(ajv);
+    const validate = ajv.compile(loadSchema('tool-descriptor.schema.json'));
+
+    // ---- Leg 3: auth-gated (unauthenticated list MUST be 401) -------------
+    const unauth = await driver.get('/v1/tools', { authenticated: false });
+    expect(
+      unauth.status === 401,
+      driver.describe('tool-catalog.md §B', 'GET /v1/tools MUST require authentication (401 unauthenticated)'),
+    ).toBe(true);
+
+    // ---- Leg 1: the list (§B) -------------------------------------------
+    const tools = await listTools();
+    if (tools === null) return; // host advertises the cap but doesn't serve the read — soft-skip the rest
+
+    for (const t of tools) {
+      expect(
+        validate(t),
+        driver.describe('tool-descriptor.schema.json', `each ToolDescriptor MUST validate (${ajv.errorsText(validate.errors)})`),
+      ).toBe(true);
+      expect(
+        typeof t.source === 'string' && TOOL_SOURCES.includes(t.source as string),
+        driver.describe('tool-catalog.md §C', 'ToolDescriptor.source MUST be in the closed vocabulary'),
+      ).toBe(true);
+      expect(
+        typeof t.safetyTier === 'string' && SAFETY_TIERS.includes(t.safetyTier as string),
+        driver.describe('tool-catalog.md §C', 'ToolDescriptor.safetyTier MUST be pure|read|write|exec'),
+      ).toBe(true);
+      expectContentFree(t, 'ToolDescriptor');
+    }
+
+    // ---- Leg 2: by-id round-trip + unknown 404 (§B) ---------------------
+    if (tools.length > 0 && typeof tools[0]!.toolId === 'string') {
+      const id = tools[0]!.toolId as string;
+      const one = await getTool(id);
+      if (one.status === 200) {
+        expect(
+          one.descriptor?.toolId === id,
+          driver.describe('tool-catalog.md §B', 'GET /v1/tools/{toolId} MUST return the requested descriptor'),
+        ).toBe(true);
+      }
+    }
+    const unknown = await getTool('__conformance_nonexistent_tool__');
+    expect(
+      unknown.status === 404,
+      driver.describe('tool-catalog.md §B', 'GET /v1/tools/{unknown} MUST 404'),
+    ).toBe(true);
+
+    // ---- Leg 4: §F-2 cross-principal non-disclosure (env-gated) ---------
+    const crossId = process.env.OPENWOP_CROSS_PRINCIPAL_TOOL_ID;
+    if (crossId) {
+      const cross = await getTool(crossId);
+      expect(
+        cross.status === 404,
+        driver.describe('tool-catalog.md §F-2', 'a tool owned by a different principal MUST 404 (non-disclosure)'),
+      ).toBe(true);
+    }
+  });
+});

package/src/scenarios/tool-session-lifecycle.test.ts

@@ -0,0 +1,105 @@
+/**
+ * Portable tool-session bracket (RFC 0078 §D) — behavioral.
+ *
+ * Gated on `toolCatalog.sessionLifecycle` (root-first per RFC 0073). Soft-skips
+ * when unadvertised (default) / hard-fails under `OPENWOP_REQUIRE_BEHAVIOR=true`.
+ * The always-on wire-shape coverage lives in `tool-descriptor-shape.test.ts`
+ * (the `tool.session.*` payload `$defs`); this asserts host BEHAVIOR: a tool session brackets its RFC 0064 call events
+ * with `tool.session.opened` (BEFORE the first call event) and
+ * `tool.session.closed` (AFTER the last), sharing one `sessionId`, carrying a
+ * `toolId`, an `outcome` in the enum, and both events content-free.
+ *
+ * Drives the OPTIONAL `POST /v1/host/sample/tools/session-run` seam + reads the
+ * bracket back via the test event-log seam (both deferred per RFC 0078
+ * §Conformance — soft-skip on 404).
+ *
+ * Spec references:
+ *   - https://github.com/openwop/openwop/blob/main/spec/v1/tool-catalog.md (§D)
+ *   - https://github.com/openwop/openwop/blob/main/RFCS/0078-portable-tool-catalog-and-tool-session-contract.md
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+import { behaviorGate } from '../lib/behavior-gate.js';
+import { readToolCatalogCap, driveToolSession, TOOL_CONTENT_FORBIDDEN } from '../lib/toolCatalog.js';
+import { queryTestEvents, isEventLogSeamAvailable, resetTestSeam } from '../lib/event-log-query.js';
+
+const SESSION_OUTCOMES = ['completed', 'failed', 'aborted', 'expired'];
+/** RFC 0064 tool-call event family bracketed by a tool session. */
+const CALL_EVENT = (t: string): boolean =>
+  t === 'agent.toolCalled' || t === 'agent.toolReturned' || t.startsWith('tool.call');
+
+describe('tool-session-lifecycle (RFC 0078 §D)', () => {
+  it('brackets the call events with tool.session.opened-first / closed-last, one sessionId, content-free', async () => {
+    const cap = await readToolCatalogCap();
+    const lifecycle = cap?.sessionLifecycle === true || (typeof cap?.sessionLifecycle === 'object' && cap?.sessionLifecycle !== null);
+    if (!behaviorGate('openwop-tool-session-lifecycle', lifecycle)) return;
+
+    if (!(await isEventLogSeamAvailable())) return; // event-log seam absent — soft-skip
+    const res = await driveToolSession({});
+    if (res === null || !res.runId) return; // session seam absent — soft-skip
+
+    const q = await queryTestEvents(res.runId);
+    if (!q.ok) return;
+    const events = q.events.slice().sort((a, b) => a.sequence - b.sequence);
+
+    const opened = events.filter((e) => e.type === 'tool.session.opened');
+    const closed = events.filter((e) => e.type === 'tool.session.closed');
+    expect(
+      opened.length >= 1 && closed.length >= 1,
+      driver.describe('tool-catalog.md §D', 'a tool session MUST emit tool.session.opened + tool.session.closed'),
+    ).toBe(true);
+    if (opened.length === 0 || closed.length === 0) return;
+
+    const open = opened[0]!;
+    const close = closed[closed.length - 1]!;
+
+    // §D ordering: opened precedes every call event; closed follows them all.
+    const calls = events.filter((e) => CALL_EVENT(e.type));
+    if (calls.length > 0) {
+      expect(
+        open.sequence < calls[0]!.sequence,
+        driver.describe('RFC 0078 §D', 'tool.session.opened MUST precede the first call event'),
+      ).toBe(true);
+      expect(
+        close.sequence > calls[calls.length - 1]!.sequence,
+        driver.describe('RFC 0078 §D', 'tool.session.closed MUST follow the last call event'),
+      ).toBe(true);
+    } else {
+      expect(
+        open.sequence < close.sequence,
+        driver.describe('RFC 0078 §D', 'tool.session.opened MUST precede tool.session.closed'),
+      ).toBe(true);
+    }
+
+    // One sessionId across the bracket, both carrying a toolId.
+    const openSid = open.payload.sessionId;
+    const closeSid = close.payload.sessionId;
+    expect(
+      typeof openSid === 'string' && openSid === closeSid,
+      driver.describe('run-event-payloads.schema.json#toolSession*', 'the bracket MUST share one sessionId'),
+    ).toBe(true);
+    expect(
+      typeof open.payload.toolId === 'string' && typeof close.payload.toolId === 'string',
+      driver.describe('run-event-payloads.schema.json#toolSession*', 'tool.session.* MUST carry a toolId'),
+    ).toBe(true);
+
+    // Closed outcome enum discipline.
+    expect(
+      typeof close.payload.outcome === 'string' && SESSION_OUTCOMES.includes(close.payload.outcome as string),
+      driver.describe('run-event-payloads.schema.json#toolSessionClosed', 'outcome MUST be in the closed enum'),
+    ).toBe(true);
+
+    // Content-free: identifiers + metadata only.
+    for (const evt of [open, close]) {
+      for (const forbidden of TOOL_CONTENT_FORBIDDEN) {
+        expect(
+          !(forbidden in evt.payload),
+          driver.describe('RFC 0078 §F (SR-1)', `tool.session.* MUST be content-free (no ${forbidden})`),
+        ).toBe(true);
+      }
+    }
+
+    await resetTestSeam();
+  });
+});

package/src/scenarios/workspace-cross-tenant-isolation-blackbox.test.ts

@@ -0,0 +1,89 @@
+/**
+ * workspace-cross-tenant-isolation-blackbox — RFC 0059 §E WCT-1 on the PRODUCTION wire.
+ *
+ * The black-box, production-path counterpart to the seam-driven
+ * `workspace-cross-tenant-isolation.test.ts`. Instead of the single-credential
+ * `POST /v1/host/sample/workspace/op` seam, this drives the NORMATIVE §C
+ * endpoints (`PUT`/`GET /v1/host/workspace/files/{path}`, `GET /v1/host/workspace
+ * /files`) with TWO distinct operator credentials that resolve to two different
+ * `{tenant, workspace}` owners (RFC 0048). It writes a secret as owner A and
+ * proves owner B cannot read or enumerate it — no `/v1/host/sample/*` seam, the
+ * exact contract a deployed multi-tenant host honors.
+ *
+ * This is the "replace seam-gated proofs with black-box production-path
+ * conformance" step (independent-audit acceptance-bar item 3) for RFC 0059. Once
+ * a host passes it non-vacuously, `workspace-cross-tenant-isolation` is proven on
+ * the production wire and the surface graduates INTO the `openwop-core-standard`
+ * floor (RFC 0088 §D Lever-2 → floor).
+ *
+ * Gating: soft-skips unless `capabilities.workspace.supported` AND
+ * `OPENWOP_TEST_TENANT_B_API_KEY` (a credential for a SECOND, distinct
+ * tenant·workspace) is supplied — the suite cannot mint a second tenant itself.
+ *
+ * @see RFCS/0059-agent-workspace.md §E WCT-1
+ * @see SECURITY/invariants.yaml workspace-cross-tenant-isolation
+ */
+import { describe, it, expect } from 'vitest';
+import { randomUUID } from 'node:crypto';
+import { driver } from '../lib/driver.js';
+import { capabilityFamily } from '../lib/discovery-capabilities.js';
+
+interface DiscoveryDoc {
+  workspace?: { supported?: boolean };
+}
+
+async function workspaceSupported(): Promise<boolean> {
+  const res = await driver.get('/.well-known/openwop');
+  return capabilityFamily(res.json as DiscoveryDoc | undefined, 'workspace')?.supported === true;
+}
+
+const tenantBKey = process.env.OPENWOP_TEST_TENANT_B_API_KEY;
+const asTenantB = { headers: { Authorization: `Bearer ${tenantBKey ?? ''}` } };
+
+describe('workspace-cross-tenant-isolation (black-box): a §C file MUST NOT leak across owners (RFC 0059 §E WCT-1)', () => {
+  it('a file written by owner A is unreadable + un-enumerable by a second-tenant credential', async () => {
+    if (!(await workspaceSupported())) return; // capability not advertised — skip
+    if (!tenantBKey) {
+      // eslint-disable-next-line no-console
+      console.warn('[workspace-cross-tenant-isolation-blackbox] OPENWOP_TEST_TENANT_B_API_KEY not supplied; skipping the production-path cross-tenant assertion');
+      return;
+    }
+
+    const path = `wct-blackbox-${randomUUID()}.md`;
+    const secret = `WCT1-BLACKBOX-SECRET-${randomUUID()}`;
+
+    // Owner A (default credential) writes the file via the NORMATIVE PUT.
+    const put = await driver.put(`/v1/host/workspace/files/${path}`, { content: secret });
+    expect(put.status, driver.describe('agent-workspace.md §C PUT', 'the owning workspace MUST create its file (200)')).toBe(200);
+
+    try {
+      // Owner B (second-tenant credential) MUST NOT read it — fail closed, no existence leak.
+      const crossRead = await driver.get(`/v1/host/workspace/files/${path}`, asTenantB);
+      expect(
+        crossRead.status === 404 || crossRead.status === 403,
+        driver.describe('agent-workspace.md §E WCT-1', `a second-tenant read MUST fail closed (404/403), got ${crossRead.status}`),
+      ).toBe(true);
+      expect(
+        !JSON.stringify(crossRead.json ?? '').includes(secret),
+        driver.describe('agent-workspace.md §E WCT-1', 'a second-tenant read MUST NOT surface the owner\'s content'),
+      ).toBe(true);
+
+      // Owner B MUST NOT enumerate it in the list projection.
+      const crossList = await driver.get('/v1/host/workspace/files', asTenantB);
+      if (crossList.status === 200) {
+        expect(
+          !JSON.stringify((crossList.json as { files?: unknown })?.files ?? []).includes(path),
+          driver.describe('agent-workspace.md §E WCT-1', 'a second-tenant list MUST NOT enumerate the owner\'s path'),
+        ).toBe(true);
+      }
+
+      // Isolation, not loss: owner A still reads its own file.
+      const ownerRead = await driver.get(`/v1/host/workspace/files/${path}`);
+      expect(ownerRead.status, driver.describe('agent-workspace.md §C GET', 'the owning workspace MUST still read its own file')).toBe(200);
+      expect((ownerRead.json as { content?: string } | undefined)?.content).toBe(secret);
+    } finally {
+      // Best-effort cleanup as owner A.
+      await driver.delete(`/v1/host/workspace/files/${path}`).catch(() => undefined);
+    }
+  });
+});