@openwop/openwop-conformance 1.13.0 → 1.15.0

package/src/scenarios/tool-session-lifecycle.test.ts

@@ -0,0 +1,105 @@
+/**
+ * Portable tool-session bracket (RFC 0078 §D) — behavioral.
+ *
+ * Gated on `toolCatalog.sessionLifecycle` (root-first per RFC 0073). Soft-skips
+ * when unadvertised (default) / hard-fails under `OPENWOP_REQUIRE_BEHAVIOR=true`.
+ * The always-on wire-shape coverage lives in `tool-descriptor-shape.test.ts`
+ * (the `tool.session.*` payload `$defs`); this asserts host BEHAVIOR: a tool session brackets its RFC 0064 call events
+ * with `tool.session.opened` (BEFORE the first call event) and
+ * `tool.session.closed` (AFTER the last), sharing one `sessionId`, carrying a
+ * `toolId`, an `outcome` in the enum, and both events content-free.
+ *
+ * Drives the OPTIONAL `POST /v1/host/sample/tools/session-run` seam + reads the
+ * bracket back via the test event-log seam (both deferred per RFC 0078
+ * §Conformance — soft-skip on 404).
+ *
+ * Spec references:
+ *   - https://github.com/openwop/openwop/blob/main/spec/v1/tool-catalog.md (§D)
+ *   - https://github.com/openwop/openwop/blob/main/RFCS/0078-portable-tool-catalog-and-tool-session-contract.md
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+import { behaviorGate } from '../lib/behavior-gate.js';
+import { readToolCatalogCap, driveToolSession, TOOL_CONTENT_FORBIDDEN } from '../lib/toolCatalog.js';
+import { queryTestEvents, isEventLogSeamAvailable, resetTestSeam } from '../lib/event-log-query.js';
+
+const SESSION_OUTCOMES = ['completed', 'failed', 'aborted', 'expired'];
+/** RFC 0064 tool-call event family bracketed by a tool session. */
+const CALL_EVENT = (t: string): boolean =>
+  t === 'agent.toolCalled' || t === 'agent.toolReturned' || t.startsWith('tool.call');
+
+describe('tool-session-lifecycle (RFC 0078 §D)', () => {
+  it('brackets the call events with tool.session.opened-first / closed-last, one sessionId, content-free', async () => {
+    const cap = await readToolCatalogCap();
+    const lifecycle = cap?.sessionLifecycle === true || (typeof cap?.sessionLifecycle === 'object' && cap?.sessionLifecycle !== null);
+    if (!behaviorGate('openwop-tool-session-lifecycle', lifecycle)) return;
+
+    if (!(await isEventLogSeamAvailable())) return; // event-log seam absent — soft-skip
+    const res = await driveToolSession({});
+    if (res === null || !res.runId) return; // session seam absent — soft-skip
+
+    const q = await queryTestEvents(res.runId);
+    if (!q.ok) return;
+    const events = q.events.slice().sort((a, b) => a.sequence - b.sequence);
+
+    const opened = events.filter((e) => e.type === 'tool.session.opened');
+    const closed = events.filter((e) => e.type === 'tool.session.closed');
+    expect(
+      opened.length >= 1 && closed.length >= 1,
+      driver.describe('tool-catalog.md §D', 'a tool session MUST emit tool.session.opened + tool.session.closed'),
+    ).toBe(true);
+    if (opened.length === 0 || closed.length === 0) return;
+
+    const open = opened[0]!;
+    const close = closed[closed.length - 1]!;
+
+    // §D ordering: opened precedes every call event; closed follows them all.
+    const calls = events.filter((e) => CALL_EVENT(e.type));
+    if (calls.length > 0) {
+      expect(
+        open.sequence < calls[0]!.sequence,
+        driver.describe('RFC 0078 §D', 'tool.session.opened MUST precede the first call event'),
+      ).toBe(true);
+      expect(
+        close.sequence > calls[calls.length - 1]!.sequence,
+        driver.describe('RFC 0078 §D', 'tool.session.closed MUST follow the last call event'),
+      ).toBe(true);
+    } else {
+      expect(
+        open.sequence < close.sequence,
+        driver.describe('RFC 0078 §D', 'tool.session.opened MUST precede tool.session.closed'),
+      ).toBe(true);
+    }
+
+    // One sessionId across the bracket, both carrying a toolId.
+    const openSid = open.payload.sessionId;
+    const closeSid = close.payload.sessionId;
+    expect(
+      typeof openSid === 'string' && openSid === closeSid,
+      driver.describe('run-event-payloads.schema.json#toolSession*', 'the bracket MUST share one sessionId'),
+    ).toBe(true);
+    expect(
+      typeof open.payload.toolId === 'string' && typeof close.payload.toolId === 'string',
+      driver.describe('run-event-payloads.schema.json#toolSession*', 'tool.session.* MUST carry a toolId'),
+    ).toBe(true);
+
+    // Closed outcome enum discipline.
+    expect(
+      typeof close.payload.outcome === 'string' && SESSION_OUTCOMES.includes(close.payload.outcome as string),
+      driver.describe('run-event-payloads.schema.json#toolSessionClosed', 'outcome MUST be in the closed enum'),
+    ).toBe(true);
+
+    // Content-free: identifiers + metadata only.
+    for (const evt of [open, close]) {
+      for (const forbidden of TOOL_CONTENT_FORBIDDEN) {
+        expect(
+          !(forbidden in evt.payload),
+          driver.describe('RFC 0078 §F (SR-1)', `tool.session.* MUST be content-free (no ${forbidden})`),
+        ).toBe(true);
+      }
+    }
+
+    await resetTestSeam();
+  });
+});

package/src/scenarios/workspace-cross-tenant-isolation-blackbox.test.ts

@@ -0,0 +1,89 @@
+/**
+ * workspace-cross-tenant-isolation-blackbox — RFC 0059 §E WCT-1 on the PRODUCTION wire.
+ *
+ * The black-box, production-path counterpart to the seam-driven
+ * `workspace-cross-tenant-isolation.test.ts`. Instead of the single-credential
+ * `POST /v1/host/sample/workspace/op` seam, this drives the NORMATIVE §C
+ * endpoints (`PUT`/`GET /v1/host/workspace/files/{path}`, `GET /v1/host/workspace
+ * /files`) with TWO distinct operator credentials that resolve to two different
+ * `{tenant, workspace}` owners (RFC 0048). It writes a secret as owner A and
+ * proves owner B cannot read or enumerate it — no `/v1/host/sample/*` seam, the
+ * exact contract a deployed multi-tenant host honors.
+ *
+ * This is the "replace seam-gated proofs with black-box production-path
+ * conformance" step (independent-audit acceptance-bar item 3) for RFC 0059. Once
+ * a host passes it non-vacuously, `workspace-cross-tenant-isolation` is proven on
+ * the production wire and the surface graduates INTO the `openwop-core-standard`
+ * floor (RFC 0088 §D Lever-2 → floor).
+ *
+ * Gating: soft-skips unless `capabilities.workspace.supported` AND
+ * `OPENWOP_TEST_TENANT_B_API_KEY` (a credential for a SECOND, distinct
+ * tenant·workspace) is supplied — the suite cannot mint a second tenant itself.
+ *
+ * @see RFCS/0059-agent-workspace.md §E WCT-1
+ * @see SECURITY/invariants.yaml workspace-cross-tenant-isolation
+ */
+import { describe, it, expect } from 'vitest';
+import { randomUUID } from 'node:crypto';
+import { driver } from '../lib/driver.js';
+import { capabilityFamily } from '../lib/discovery-capabilities.js';
+
+interface DiscoveryDoc {
+  workspace?: { supported?: boolean };
+}
+
+async function workspaceSupported(): Promise<boolean> {
+  const res = await driver.get('/.well-known/openwop');
+  return capabilityFamily(res.json as DiscoveryDoc | undefined, 'workspace')?.supported === true;
+}
+
+const tenantBKey = process.env.OPENWOP_TEST_TENANT_B_API_KEY;
+const asTenantB = { headers: { Authorization: `Bearer ${tenantBKey ?? ''}` } };
+
+describe('workspace-cross-tenant-isolation (black-box): a §C file MUST NOT leak across owners (RFC 0059 §E WCT-1)', () => {
+  it('a file written by owner A is unreadable + un-enumerable by a second-tenant credential', async () => {
+    if (!(await workspaceSupported())) return; // capability not advertised — skip
+    if (!tenantBKey) {
+      // eslint-disable-next-line no-console
+      console.warn('[workspace-cross-tenant-isolation-blackbox] OPENWOP_TEST_TENANT_B_API_KEY not supplied; skipping the production-path cross-tenant assertion');
+      return;
+    }
+
+    const path = `wct-blackbox-${randomUUID()}.md`;
+    const secret = `WCT1-BLACKBOX-SECRET-${randomUUID()}`;
+
+    // Owner A (default credential) writes the file via the NORMATIVE PUT.
+    const put = await driver.put(`/v1/host/workspace/files/${path}`, { content: secret });
+    expect(put.status, driver.describe('agent-workspace.md §C PUT', 'the owning workspace MUST create its file (200)')).toBe(200);
+
+    try {
+      // Owner B (second-tenant credential) MUST NOT read it — fail closed, no existence leak.
+      const crossRead = await driver.get(`/v1/host/workspace/files/${path}`, asTenantB);
+      expect(
+        crossRead.status === 404 || crossRead.status === 403,
+        driver.describe('agent-workspace.md §E WCT-1', `a second-tenant read MUST fail closed (404/403), got ${crossRead.status}`),
+      ).toBe(true);
+      expect(
+        !JSON.stringify(crossRead.json ?? '').includes(secret),
+        driver.describe('agent-workspace.md §E WCT-1', 'a second-tenant read MUST NOT surface the owner\'s content'),
+      ).toBe(true);
+
+      // Owner B MUST NOT enumerate it in the list projection.
+      const crossList = await driver.get('/v1/host/workspace/files', asTenantB);
+      if (crossList.status === 200) {
+        expect(
+          !JSON.stringify((crossList.json as { files?: unknown })?.files ?? []).includes(path),
+          driver.describe('agent-workspace.md §E WCT-1', 'a second-tenant list MUST NOT enumerate the owner\'s path'),
+        ).toBe(true);
+      }
+
+      // Isolation, not loss: owner A still reads its own file.
+      const ownerRead = await driver.get(`/v1/host/workspace/files/${path}`);
+      expect(ownerRead.status, driver.describe('agent-workspace.md §C GET', 'the owning workspace MUST still read its own file')).toBe(200);
+      expect((ownerRead.json as { content?: string } | undefined)?.content).toBe(secret);
+    } finally {
+      // Best-effort cleanup as owner A.
+      await driver.delete(`/v1/host/workspace/files/${path}`).catch(() => undefined);
+    }
+  });
+});