@openwop/openwop-conformance 1.13.0 → 1.15.0

package/src/lib/discovery-capabilities.ts

@@ -1,16 +1,19 @@
 /**
- * Shared root-first reader for `/.well-known/openwop` capability families.
+ * Shared document-root reader for `/.well-known/openwop` capability families.
  *
  * Per `spec/v1/capabilities.md` §"Document-root layout" (RFC 0073), every
  * capability family (`agents`, `secrets`, `aiProviders`, `auth`, `memory`,
  * `multiAgent`, `authorization`, …) is a property of the discovery document
  * ROOT — `capabilities.schema.json` defines no `capabilities` wrapper property.
- * A top-level `capabilities` object is a deprecated legacy shape; the suite
- * reads the root first and falls back to a `capabilities.*` wrapper only
- * through the v1.x migration window. Standardizes the ad-hoc dual-read that
- * already existed (e.g. `aiEnvelope.capBreached.test.ts`,
- * `ai-envelope-shape.test.ts`) into one accessor so every helper reads the
- * same way.
+ * Root is the normative MUST, so the suite reads the ROOT ONLY: a host that
+ * serves families exclusively under a deprecated top-level `capabilities`
+ * wrapper is already non-conformant, and the suite grades it as such rather
+ * than tolerating the legacy shape. RFC 0073 Phase 4 dropped the
+ * wrapper-fallback the accessor previously carried through the v1.x migration
+ * window; the host-side mirror + the schema's `additionalProperties` tolerance
+ * retire together at v2.0 (they serve laggard *clients* reading discovery, not
+ * the host emission the suite grades). Standardizes the read so every helper
+ * reads the same way.
  *
  * @see spec/v1/capabilities.md §"Document-root layout"
  * @see RFCS/0073-capability-document-root-layout.md
@@ -18,9 +21,10 @@
 import { driver } from './driver.js';
 
 /**
- * Read one capability family from an already-fetched discovery doc: document
- * root first, deprecated `capabilities.*` wrapper as a fallback. Returns
- * `undefined` when the family is advertised in neither location.
+ * Read one capability family from an already-fetched discovery doc at the
+ * document root. Returns `undefined` when the family is not a root property —
+ * a deprecated top-level `capabilities` wrapper is NOT consulted (root is the
+ * RFC 0073 MUST).
  */
 export function capabilityFamily<T = Record<string, unknown>>(
   doc: unknown,
@@ -28,18 +32,13 @@ export function capabilityFamily<T = Record<string, unknown>>(
 ): T | undefined {
   if (!doc || typeof doc !== 'object') return undefined;
   const root = (doc as Record<string, unknown>)[name];
-  if (root !== undefined) return root as T;
-  const wrapper = (doc as { capabilities?: unknown }).capabilities;
-  if (wrapper && typeof wrapper === 'object') {
-    return (wrapper as Record<string, unknown>)[name] as T | undefined;
-  }
-  return undefined;
+  return root === undefined ? undefined : (root as T);
 }
 
 /**
- * Fetch `/.well-known/openwop` and return one capability family (root-first,
- * wrapper-fallback). `undefined` when the host returns non-200 or doesn't
- * advertise the family.
+ * Fetch `/.well-known/openwop` and return one capability family from the
+ * document root. `undefined` when the host returns non-200 or doesn't
+ * advertise the family at the root.
  */
 export async function readCapabilityFamily<T = Record<string, unknown>>(
   name: string,

package/src/lib/egressPolicy.ts

@@ -0,0 +1,76 @@
+/**
+ * Shared helpers for the RFC 0079 `httpClient.egressPolicy` conformance
+ * scenarios. Lives in lib/ (not a `*.test.ts`) so scenarios import it via
+ * `../lib/egressPolicy.js`.
+ *
+ * Egress policy is a BEHAVIOR layered over the RFC 0076 `safeFetch` — there is
+ * no new normative read endpoint. The behavior is driven through the
+ * host-sample egress-decision seam (`POST /v1/host/sample/egress/decide`): a
+ * host-issued credential carries `audiences[]` (RFC 0079 §A provenance), and an
+ * egress whose destination is OUTSIDE those audiences MUST emit
+ * `egress.decided { decision: "denied"|"downgraded", reason: "out-of-audience" }`
+ * and MUST NOT attach the credential (the §C confused-deputy MUST, backing the
+ * `egress-credential-audience-bound` invariant). A provenance-unevaluable egress
+ * MUST be `denied { reason: "provenance-unevaluable" }` — fail-closed. The seam
+ * is OPTIONAL — scenarios soft-skip on 404/405.
+ *
+ * Gating uses the `httpClient.egressPolicy.supported` capability flag from the
+ * live discovery doc (root-first per RFC 0073).
+ *
+ * @see RFCS/0079-credential-provenance-and-egress-policy.md
+ * @see spec/v1/host-capabilities.md (§"Credential provenance + egress policy")
+ */
+import { driver } from './driver.js';
+import { readCapabilityFamily } from './discovery-capabilities.js';
+
+/** Reads `httpClient.egressPolicy` from discovery (root-first per RFC 0073);
+ *  null when unadvertised. */
+export async function readEgressPolicyCap(): Promise<Record<string, unknown> | null> {
+  const http = await readCapabilityFamily<{ egressPolicy?: unknown }>('httpClient');
+  const ep = http?.egressPolicy;
+  return ep && typeof ep === 'object' ? (ep as Record<string, unknown>) : null;
+}
+
+export interface EgressDecision {
+  decision?: string;
+  reason?: string;
+  destination?: string;
+  /** Whether the host-issued credential was attached to the egress (§C — MUST
+   *  be false for an out-of-audience / unevaluable decision). */
+  credentialAttached?: boolean;
+  /** Set when the seam ran a canary credential and the canary leaked into any
+   *  observable surface (the SR-1 negative — MUST stay false/absent). */
+  canaryLeaked?: boolean;
+  runId?: string;
+  [k: string]: unknown;
+}
+
+/**
+ * Drive one egress decision through the host-sample seam (RFC 0079 §C).
+ * `scenario`:
+ *   - `out-of-audience`        — credential bound to audience A, egress to B;
+ *                                MUST deny/downgrade + NOT attach the credential.
+ *   - `provenance-unevaluable` — egress whose provenance can't be evaluated;
+ *                                MUST deny fail-closed.
+ *   - `in-audience`            — control: egress within audience; MAY allow.
+ *   - `canary`                 — seed a credential whose value is a known canary
+ *                                and assert it never appears on the wire (SR-1).
+ * Returns null when the seam is unwired (404/405).
+ */
+export async function driveEgress(
+  body: { scenario: 'out-of-audience' | 'provenance-unevaluable' | 'in-audience' | 'canary' },
+): Promise<EgressDecision | null> {
+  const res = await driver.post('/v1/host/sample/egress/decide', body);
+  if (res.status === 404 || res.status === 405) return null;
+  return (res.json as EgressDecision | undefined) ?? {};
+}
+
+/** The closed egress-decision vocabulary (RFC 0079 §B). */
+export const EGRESS_DECISIONS = ['allowed', 'denied', 'downgraded', 'approval-required'];
+/** The closed egress-reason vocabulary (RFC 0079 §B — a CLOSED enum so a host
+ *  cannot spill a blocked URL/host/header into a free-form reason). */
+export const EGRESS_REASONS = ['ok', 'out-of-audience', 'expired', 'ssrf-blocked', 'provenance-unevaluable', 'scope-denied', 'policy-denied'];
+/** Content keys an `egress.decided` payload / provenance descriptor MUST NEVER
+ *  carry (SR-1 / `egress-decision-no-secret-leak`): no secret value, no blocked
+ *  URL/header spill. */
+export const EGRESS_CONTENT_FORBIDDEN = ['secret', 'credential', 'credentials', 'token', 'apiKey', 'password', 'url', 'header', 'headers', 'body'];

package/src/lib/otel-collector.ts

@@ -83,6 +83,23 @@ export interface CapturedMetric {
   };
 }
 
+/**
+ * One place where a canary string was found inside the captured OTLP
+ * export. Returned by `OtelCollector.findCanaryLeakage()` so a leak
+ * assertion can name the offending surface (which span, which attribute)
+ * rather than just `true`.
+ */
+export interface CanaryLeak {
+  /** Which captured surface leaked: a span field or a metric data point. */
+  readonly surface: 'span.name' | 'span.attribute' | 'span.resourceAttribute' | 'metric.attribute';
+  /** The span/metric name the leak was found under. */
+  readonly emitterName: string;
+  /** Attribute key when `surface` is an attribute; `undefined` for `span.name`. */
+  readonly key: string | undefined;
+  /** Stringified value (or the name itself) that contained the canary. */
+  readonly value: string;
+}
+
 /**
  * Decode an OTLP attribute-value object into a primitive. Returns `null`
  * when the value shape is unrecognized.
@@ -235,6 +252,61 @@ export class OtelCollector {
     return this._spans.filter((s) => s.name === name);
   }
 
+  /**
+   * Scan every captured span (name + attribute keys/values + resource
+   * attribute keys/values) and metric data-point attribute for the given
+   * canary substring, returning one `CanaryLeak` per hit.
+   *
+   * This is the collector-side complement to the host's
+   * `GET /v1/host/sample/test/otel/spans` scrape seam: the scrape seam
+   * reports what the host *says* it emitted; this method inspects what
+   * the host's OTLP exporter *actually shipped over the wire* to the
+   * collector. A host could redact in its scrape seam yet still leak on
+   * the real export — only collector-side inspection catches that, which
+   * is the gap `docs/KNOWN-LIMITS.md` tracked for
+   * `secret-leakage-otel-attribute` / `-debug-bundle-otel`.
+   *
+   * The match is a plain substring test (case-sensitive) so an attribute
+   * value that merely *embeds* the canary (e.g. inside a JSON blob or an
+   * error message) is still caught. Empty/whitespace canaries return no
+   * hits — a guard against vacuous "everything leaks" assertions.
+   *
+   * @see SECURITY/invariants.yaml secret-leakage-otel-attribute
+   * @see SECURITY/threat-model-secret-leakage.md
+   */
+  findCanaryLeakage(canary: string): readonly CanaryLeak[] {
+    const hits: CanaryLeak[] = [];
+    if (canary.trim() === '') return hits;
+    const contains = (v: unknown): string | null => {
+      const s = typeof v === 'string' ? v : JSON.stringify(v);
+      return s !== undefined && s.includes(canary) ? s : null;
+    };
+    for (const sp of this._spans) {
+      if (sp.name.includes(canary)) {
+        hits.push({ surface: 'span.name', emitterName: sp.name, key: undefined, value: sp.name });
+      }
+      for (const [key, val] of sp.attributes) {
+        const m = contains(val) ?? (key.includes(canary) ? key : null);
+        if (m !== null) hits.push({ surface: 'span.attribute', emitterName: sp.name, key, value: m });
+      }
+      for (const [key, val] of sp.resourceAttributes) {
+        const m = contains(val) ?? (key.includes(canary) ? key : null);
+        if (m !== null) {
+          hits.push({ surface: 'span.resourceAttribute', emitterName: sp.name, key, value: m });
+        }
+      }
+    }
+    for (const metric of this._metrics) {
+      for (const [key, val] of metric.dataPoint.attributes) {
+        const m = contains(val) ?? (key.includes(canary) ? key : null);
+        if (m !== null) {
+          hits.push({ surface: 'metric.attribute', emitterName: metric.name, key, value: m });
+        }
+      }
+    }
+    return hits;
+  }
+
   metrics(): readonly CapturedMetric[] {
     return this._metrics;
   }

package/src/lib/profiles.ts

@@ -362,6 +362,21 @@ export function agentPlatformSatisfiedTerms(c: DiscoveryPayload): readonly strin
   return checks.filter(([, ok]) => ok).map(([id]) => id);
 }
 
+// ─────────────────────────────────────────────────────────────────────────────
+// `openwop-core-standard` operational-annex predicate (RFC 0088). Like the
+// agent-platform annex above, this is NOT a closed-catalog profile (so it is
+// absent from deriveProfiles) — it is an operational ANNEX whose claim is backed
+// by the §C floor scenarios passing black-box. This helper computes only the §B
+// discovery predicate (the floor of MUSTs with black-box production-path proof).
+//
+// @see spec/v1/core-standard-profile.md
+// ─────────────────────────────────────────────────────────────────────────────
+
+/** The `openwop-core-standard` floor discovery predicate — RFC 0088 §B. */
+export function isCoreStandard(c: DiscoveryPayload): boolean {
+  return isCore(c) && isInterrupts(c) && (isStreamSse(c) || isStreamPoll(c));
+}
+
 /**
  * Derive the full profile set from a discovery payload.
  *

package/src/lib/sandbox-timeout-worker.mjs

@@ -0,0 +1,31 @@
+// Suite-local worker for the RFC 0035 §B wall-clock-timeout conformance probe.
+//
+// Instantiates ONE WASM module on a dedicated worker thread and runs its entry.
+// The main thread (see `probeTimeout` in wasm-sandbox-probe.ts) races a
+// kill-timer against this worker: a non-terminating module (the
+// `misbehaving-timeout` fixture) never posts and is terminated at the wall-clock
+// cap → `sandbox_timeout`; a well-behaved module posts its result first. Mirrors
+// the reference host's `examples/hosts/wasm-sandbox/src/sandbox-worker.mjs`; the
+// suite carries its own copy so the published conformance package is
+// self-contained (no dependency on the reference host).
+import { workerData, parentPort } from 'node:worker_threads';
+
+const { wasmBytes, entry, arg, memoryMaxPages } = workerData;
+
+try {
+  const memory = new WebAssembly.Memory({ initial: 1, maximum: memoryMaxPages });
+  const instance = new WebAssembly.Instance(new WebAssembly.Module(wasmBytes), { env: { memory } });
+  const fn = instance.exports[entry];
+  if (typeof fn !== 'function') {
+    parentPort.postMessage({ ok: false, code: 'sandbox_invocation_error' });
+  } else {
+    const result = fn(arg); // a non-terminating module never returns — the host kill-timer fires
+    parentPort.postMessage({ ok: true, result: Number(result) });
+  }
+} catch (err) {
+  const message = err instanceof Error ? err.message : String(err);
+  const code = /out of bounds memory access|memory access out of bounds/i.test(message)
+    ? 'sandbox_memory_exceeded'
+    : 'sandbox_invocation_error';
+  parentPort.postMessage({ ok: false, code });
+}

package/src/lib/toolCatalog.ts

@@ -0,0 +1,81 @@
+/**
+ * Shared helpers for the RFC 0078 `toolCatalog` conformance scenarios.
+ * Lives in lib/ (not a `*.test.ts`) so scenarios import it via
+ * `../lib/toolCatalog.js`.
+ *
+ * Two surfaces:
+ *   - the NORMATIVE reads (`GET /v1/tools` + `GET /v1/tools/{toolId}`, RFC 0078
+ *     §B), exercised black-box; and
+ *   - the host-sample tool-session seam (`POST /v1/host/sample/tools/session-run`),
+ *     used to drive the §D `tool.session.{opened,closed}` bracket over the RFC
+ *     0064 call events so the ordering + content-free guarantees can be asserted
+ *     against the test event-log seam. The seam is OPTIONAL — scenarios soft-skip
+ *     on 404/405 (the reference session lifecycle is deferred per RFC 0078
+ *     §Conformance).
+ *
+ * Gating uses the `toolCatalog.supported` (and `toolCatalog.sessionLifecycle`)
+ * capability flags from the live discovery doc (root-first per RFC 0073).
+ *
+ * @see RFCS/0078-portable-tool-catalog-and-tool-session-contract.md
+ * @see spec/v1/tool-catalog.md
+ */
+import { driver } from './driver.js';
+import { readCapabilityFamily } from './discovery-capabilities.js';
+
+/** Reads `toolCatalog` from discovery (root-first per RFC 0073); null when
+ *  unadvertised. */
+export async function readToolCatalogCap(): Promise<Record<string, unknown> | null> {
+  const tc = await readCapabilityFamily<Record<string, unknown>>('toolCatalog');
+  return tc && typeof tc === 'object' ? tc : null;
+}
+
+export interface ToolDescriptor {
+  toolId?: string;
+  source?: string;
+  safetyTier?: string;
+  [k: string]: unknown;
+}
+
+/** GET the NORMATIVE tool catalog (RFC 0078 §B `GET /v1/tools`); null when the
+ *  host doesn't serve it (404/405/501). */
+export async function listTools(): Promise<ToolDescriptor[] | null> {
+  const res = await driver.get('/v1/tools');
+  if (res.status === 404 || res.status === 405 || res.status === 501) return null;
+  return (res.json as ToolDescriptor[] | undefined) ?? [];
+}
+
+/** GET one tool by id (RFC 0078 §B `GET /v1/tools/{toolId}`); returns
+ *  `{ status, descriptor }` so a caller can distinguish a 404 (absent /
+ *  unauthorized / unadvertised) from a served descriptor. */
+export async function getTool(
+  toolId: string,
+): Promise<{ status: number; descriptor: ToolDescriptor | undefined }> {
+  const res = await driver.get(`/v1/tools/${encodeURIComponent(toolId)}`);
+  return { status: res.status, descriptor: res.json as ToolDescriptor | undefined };
+}
+
+export interface ToolSessionResult {
+  runId?: string;
+  sessionId?: string;
+  toolId?: string;
+}
+
+/** Drive one tool-session interaction through the host-sample seam (RFC 0078
+ *  §D). Persists `tool.session.opened` → RFC 0064 call events → `tool.session.closed`
+ *  to the durable run-event log (read back via the run event-log read seam).
+ *  Returns null when the seam is unwired (404/405). */
+export async function driveToolSession(
+  body: { toolId?: string } = {},
+): Promise<ToolSessionResult | null> {
+  const res = await driver.post('/v1/host/sample/tools/session-run', body);
+  if (res.status === 404 || res.status === 405) return null;
+  return (res.json as ToolSessionResult | undefined) ?? {};
+}
+
+/** The closed tool-source vocabulary (RFC 0078 §C). */
+export const TOOL_SOURCES = ['node-pack', 'workflow', 'mcp', 'connector', 'host-extension'];
+/** The closed safety-tier vocabulary (RFC 0078 §C). */
+export const SAFETY_TIERS = ['pure', 'read', 'write', 'exec'];
+/** Content keys a `ToolDescriptor` / `tool.session.*` MUST NEVER carry (SR-1):
+ *  no credential/secret material. */
+export const TOOL_CONTENT_FORBIDDEN = ['secret', 'credential', 'credentials', 'token', 'apiKey', 'password'];

package/src/lib/wasm-sandbox-probe.ts

@@ -0,0 +1,168 @@
+/**
+ * Portable WASM-sandbox probe — the suite-local reference for the RFC 0035 §B
+ * isolation invariants.
+ *
+ * The conformance suite is a standalone package, so it carries its own compact,
+ * server-free probe (no host, no worker) rather than importing a reference
+ * host's executor. It proves the invariants that hold *by construction* in any
+ * WebAssembly sandbox:
+ *
+ *   - escape attempts (fs / env / network / process) and the capability gate are
+ *     proven by STATIC inspection of `WebAssembly.Module.imports()` — a WASM
+ *     module has no ambient host access, so a forbidden operation can only be a
+ *     declared import; a sandbox refuses any import it did not grant, failing
+ *     closed BEFORE instantiation.
+ *   - the memory bound is proven by instantiating with a capped host memory and
+ *     observing the engine trap on an access past the bound.
+ *   - isolated-context is proven by instantiating the same module twice and
+ *     observing no shared mutable state.
+ *
+ * The `timeout` invariant requires thread preemption (a worker kill-timer) and is
+ * proven at reference-impl tier by the WASM host's `test/sandbox.test.ts`; it is
+ * intentionally NOT exercised here (an in-process infinite loop cannot be
+ * interrupted server-free).
+ *
+ * @see RFCS/0035-sandbox-execution-contract.md §B
+ * @see examples/hosts/wasm-sandbox/ (the reference host this mirrors)
+ */
+import { Worker } from 'node:worker_threads';
+import { fileURLToPath } from 'node:url';
+
+export type SandboxErrorCode =
+  | 'sandbox_memory_exceeded'
+  | 'sandbox_timeout'
+  | 'sandbox_capability_denied'
+  | 'sandbox_escape_attempt'
+  | 'sandbox_invocation_error';
+
+export type EscapeKind = 'host-fs-escape' | 'host-env-leak' | 'network-escape' | 'host-process-escape';
+
+export interface ProbeResult {
+  readonly ok: boolean;
+  readonly result?: number;
+  readonly code?: SandboxErrorCode;
+  readonly escapeKind?: EscapeKind;
+  readonly requestedCapability?: string;
+}
+
+const WASM_PAGE_BYTES = 65536;
+
+// Minimal local types for the Node-global `WebAssembly` value. The full
+// `WebAssembly.*` namespace types live in lib.dom (not @types/node); rather than
+// widen the suite's global lib (which would pull in conflicting DOM `fetch`/
+// `BodyInit` types), we declare exactly what this probe uses and read the global.
+interface WAModule {
+  readonly __wasmModule?: never;
+}
+interface WAInstance {
+  readonly exports: Record<string, unknown>;
+}
+interface WAImportDescriptor {
+  readonly module: string;
+  readonly name: string;
+}
+const WA = (globalThis as unknown as {
+  WebAssembly: {
+    Module: { new (bytes: Uint8Array): WAModule; imports(m: WAModule): readonly WAImportDescriptor[] };
+    Instance: { new (m: WAModule, imports: Record<string, Record<string, unknown>>): WAInstance };
+    Memory: { new (descriptor: { initial: number; maximum: number }): unknown };
+  };
+}).WebAssembly;
+
+function escapeKindFor(name: string): EscapeKind {
+  if (/^fd_|^path_/.test(name)) return 'host-fs-escape';
+  if (/^environ_/.test(name)) return 'host-env-leak';
+  if (/^sock_/.test(name)) return 'network-escape';
+  return 'host-process-escape';
+}
+
+/** Static capability gate — the first un-granted import, or `null` if all are host-provided. */
+function gateImports(module: WAModule, allowedHostCalls: readonly string[]): ProbeResult | null {
+  const allowed = new Set(allowedHostCalls);
+  for (const imp of WA.Module.imports(module)) {
+    if (imp.module === 'env' && imp.name === 'memory') continue;
+    if (imp.module === 'openwop') {
+      if (allowed.has(imp.name)) continue;
+      return { ok: false, code: 'sandbox_capability_denied', requestedCapability: imp.name };
+    }
+    return { ok: false, code: 'sandbox_escape_attempt', escapeKind: escapeKindFor(imp.name) };
+  }
+  return null;
+}
+
+/**
+ * Probe one WASM-compiled typeId under the RFC 0035 sandbox contract, server-free.
+ * Statically gates imports; for a fully-granted module, instantiates with a
+ * capped host memory and runs the entry, classifying any trap. Does NOT spawn a
+ * worker — callers MUST NOT pass a non-terminating module (see `timeout` note).
+ */
+export function probeSandboxed(
+  wasmBytes: Uint8Array,
+  config: { readonly allowedHostCalls: readonly string[]; readonly memoryLimitBytes: number },
+  entry = 'invoke',
+  arg = 0,
+): ProbeResult {
+  let module: WAModule;
+  try {
+    module = new WA.Module(wasmBytes);
+  } catch {
+    return { ok: false, code: 'sandbox_invocation_error' };
+  }
+  const gate = gateImports(module, config.allowedHostCalls);
+  if (gate) return gate;
+
+  const memoryMaxPages = Math.max(1, Math.ceil(config.memoryLimitBytes / WASM_PAGE_BYTES));
+  try {
+    const memory = new WA.Memory({ initial: 1, maximum: memoryMaxPages });
+    const openwop: Record<string, (x: number) => number> = {};
+    for (const name of config.allowedHostCalls) openwop[name] = (x: number): number => x;
+    const instance = new WA.Instance(module, { env: { memory }, openwop });
+    const fn = instance.exports[entry];
+    if (typeof fn !== 'function') return { ok: false, code: 'sandbox_invocation_error' };
+    return { ok: true, result: Number((fn as (a: number) => number)(arg)) };
+  } catch (e) {
+    const message = e instanceof Error ? e.message : String(e);
+    if (/out of bounds memory access|memory access out of bounds/i.test(message)) {
+      return { ok: false, code: 'sandbox_memory_exceeded' };
+    }
+    return { ok: false, code: 'sandbox_invocation_error' };
+  }
+}
+
+const timeoutWorkerPath = fileURLToPath(new URL('./sandbox-timeout-worker.mjs', import.meta.url));
+
+/**
+ * Worker-based timeout probe — RFC 0035 §B invariant 6 (`node-pack-sandbox-timeout`).
+ * A wall-clock cap can only be enforced by THREAD PREEMPTION: a same-thread timer
+ * cannot interrupt a synchronous WASM loop. So this spawns a worker thread running
+ * the module and races a main-thread kill-timer. A non-terminating module →
+ * `sandbox_timeout` (the worker is terminated at `wallClockLimitMs`); a module that
+ * completes within the budget posts its result first. This is the worker-driven
+ * counterpart to the server-free `probeSandboxed` (which deliberately cannot run a
+ * non-terminating module).
+ */
+export function probeTimeout(
+  wasmBytes: Uint8Array,
+  config: { readonly memoryLimitBytes: number; readonly wallClockLimitMs: number },
+  entry = 'invoke',
+  arg = 0,
+): Promise<ProbeResult> {
+  const memoryMaxPages = Math.max(1, Math.ceil(config.memoryLimitBytes / WASM_PAGE_BYTES));
+  return new Promise((resolve) => {
+    const worker = new Worker(timeoutWorkerPath, { workerData: { wasmBytes, entry, arg, memoryMaxPages } });
+    let settled = false;
+    const finish = (r: ProbeResult): void => {
+      if (settled) return;
+      settled = true;
+      clearTimeout(timer);
+      void worker.terminate();
+      resolve(r);
+    };
+    const timer = setTimeout(() => finish({ ok: false, code: 'sandbox_timeout' }), config.wallClockLimitMs);
+    worker.on('message', (m: { ok: boolean; result?: number; code?: SandboxErrorCode }) => {
+      if (m.ok) finish(m.result === undefined ? { ok: true } : { ok: true, result: m.result });
+      else finish({ ok: false, code: m.code ?? 'sandbox_invocation_error' });
+    });
+    worker.on('error', () => finish({ ok: false, code: 'sandbox_invocation_error' }));
+  });
+}

package/src/scenarios/core-standard-profile.test.ts

@@ -0,0 +1,75 @@
+/**
+ * openwop-core-standard — operational-annex predicate derivation (RFC 0088).
+ *
+ * Always-on, server-free derivation probe. Verifies that `isCoreStandard`
+ * derives the Core Standard Profile floor correctly from representative
+ * discovery payloads (RFC 0088 §B / core-standard-profile.md §B):
+ *   - a host meeting openwop-core + openwop-interrupts + a transport is core-standard;
+ *   - a bare openwop-core host (no interrupts) is NOT core-standard — the floor is
+ *     deliberately stricter than the v1 minimum;
+ *   - a host with no event transport (supportedTransports: []) fails the floor;
+ *   - the floor is the AND of three existing closed-catalog predicates (it composes,
+ *     it does not redefine — so it is absent from deriveProfiles()).
+ *
+ * The LIVE aggregate-evidence assertion (does every §C floor scenario actually
+ * pass against a host claiming the profile?) is the `Active → Accepted` step per
+ * RFC 0088 §C — already satisfied by MyndHyve + all reference hosts, asserted via
+ * each constituent scenario, and deferred here. This scenario asserts the
+ * discovery-predicate derivation only.
+ *
+ * Spec references:
+ *   - https://github.com/openwop/openwop/blob/main/spec/v1/core-standard-profile.md
+ *   - https://github.com/openwop/openwop/blob/main/RFCS/0088-core-standard-profile.md
+ */
+
+import { describe, it, expect } from 'vitest';
+import { isCoreStandard, isCore, deriveProfiles } from '../lib/profiles.js';
+
+const why = (specRef: string, requirement: string): string => `${specRef} — ${requirement}`;
+
+const CORE = {
+  protocolVersion: '1.0',
+  supportedEnvelopes: ['clarification.request'],
+  schemaVersions: {},
+  limits: { clarificationRounds: 1, schemaRounds: 1, envelopesPerTurn: 1 },
+};
+
+describe('core-standard-profile: floor predicate (RFC 0088 §B, server-free)', () => {
+  it('a host meeting core + interrupts + a default transport is core-standard', () => {
+    // No supportedTransports ⇒ both stream predicates default-true (profiles.md).
+    const c = { ...CORE };
+    expect(isCoreStandard(c), why('core-standard-profile.md §B', 'core + interrupts + transport ⇒ core-standard')).toBe(true);
+  });
+
+  it('a bare openwop-core host without interrupts is NOT core-standard', () => {
+    // openwop-core minimum, but no clarification.request ⇒ fails openwop-interrupts.
+    const c = { ...CORE, supportedEnvelopes: ['schema.request'] };
+    expect(isCore(c), why('profiles.md §openwop-core', 'still a valid openwop-core host')).toBe(true);
+    expect(isCoreStandard(c), why('core-standard-profile.md §B', 'the floor is stricter than the v1 minimum')).toBe(false);
+  });
+
+  it('a host advertising no event transport fails the floor', () => {
+    const c = { ...CORE, supportedTransports: [] as string[] };
+    expect(isCoreStandard(c), why('core-standard-profile.md §B', 'at least one event transport is required')).toBe(false);
+  });
+
+  it('a host advertising the rest transport satisfies the transport term', () => {
+    const c = { ...CORE, supportedTransports: ['rest'] };
+    expect(isCoreStandard(c), why('core-standard-profile.md §B', 'rest transport ⇒ stream term satisfied')).toBe(true);
+  });
+
+  it('a non-1.x host is not core-standard', () => {
+    const c = { ...CORE, protocolVersion: '2.0' };
+    expect(isCoreStandard(c), why('profiles.md §openwop-core', 'core-standard implies openwop-core (1.x)')).toBe(false);
+  });
+});
+
+describe('core-standard-profile: composes, does not redefine (RFC 0088 §A, server-free)', () => {
+  it('openwop-core-standard is an annex, NOT a closed-catalog profile (absent from deriveProfiles)', () => {
+    const c = { ...CORE };
+    expect(
+      (deriveProfiles(c) as readonly string[]).includes('openwop-core-standard'),
+      why('core-standard-profile.md §A', 'the annex is not a closed-catalog predicate'),
+    ).toBe(false);
+  });
+});