@openwop/openwop-conformance 1.15.0 → 1.18.0

package/src/scenarios/otel-collector-canary-inspection.test.ts

@@ -104,6 +104,44 @@ function metricsPayload(metricName: string, attrs: Record<string, string>): unkn
   };
 }
 
+// NOTE: assertions here intentionally use bare `expect(...)` rather than
+// `expect(..., driver.describe('spec.md §section', 'requirement'))`. This is a
+// HARNESS self-test — it verifies the conformance collector's own
+// `findCanaryLeakage()` inspector, not a host's compliance with a spec
+// requirement, so there is no spec section to cite (consistent with other
+// library-level tests, e.g. `sandbox-wasm-isolation.test.ts`). The
+// host-facing, spec-citing assertion lives in the collector-export block of
+// `secret-leakage-otel-attribute.test.ts`.
+/**
+ * Build a traces export with `spanCount` spans that all share ONE resource
+ * (hence one set of resource attributes). Used to prove resource-attribute
+ * leaks are deduped to a single hit rather than reported once per span.
+ */
+function multiSpanSharedResourcePayload(spanCount: number, resourceAttrs: Record<string, string>): unknown {
+  const toAttrs = (m: Record<string, string>) =>
+    Object.entries(m).map(([key, value]) => ({ key, value: { stringValue: value } }));
+  return {
+    resourceSpans: [
+      {
+        resource: { attributes: toAttrs(resourceAttrs) },
+        scopeSpans: [
+          {
+            scope: { name: 'openwop' },
+            spans: Array.from({ length: spanCount }, (_unused, i) => ({
+              traceId: 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',
+              spanId: `span${i}`.padEnd(16, '0'),
+              name: `openwop.node.execute.${i}`,
+              startTimeUnixNano: '1',
+              endTimeUnixNano: '2',
+              attributes: toAttrs({ 'openwop.node.id': `n${i}` }),
+            })),
+          },
+        ],
+      },
+    ],
+  };
+}
+
 describe('otel-collector-canary-inspection: collector inspects real OTLP exports', () => {
   let collector: OtelCollector | null = null;
 
@@ -179,6 +217,18 @@ describe('otel-collector-canary-inspection: collector inspects real OTLP exports
     expect(metricLeak!.emitterName).toBe('openwop.node.duration');
   });
 
+  it('dedups a resource-attribute leak to ONE hit even when shared across many spans', async () => {
+    collector = new OtelCollector();
+    await collector.start();
+    // 5 spans sharing one resource whose attribute leaks the canary. Without
+    // dedup this would report 5 identical resource-attribute hits.
+    await postTraces(multiSpanSharedResourcePayload(5, { 'service.name': 'host', 'deployment.token': CANARY }));
+
+    const leaks = collector.findCanaryLeakage(CANARY);
+    const resourceLeaks = leaks.filter((l) => l.surface === 'span.resourceAttribute' && l.key === 'deployment.token');
+    expect(resourceLeaks.length).toBe(1);
+  });
+
   it('reports ZERO hits when the host redacts the canary before export (positive control)', async () => {
     collector = new OtelCollector();
     await collector.start();

package/src/scenarios/replay-observable-sequence-determinism.test.ts

@@ -109,17 +109,42 @@ async function readEvents(runId: string): Promise<RunEventDoc[]> {
 }
 
 /**
- * Strip volatile per-event fields so two runs of the same workflow are
- * comparable. Removes the run id, freshly-minted event ids/ULIDs, and the
- * per-region observed-at clock (RFC 0036 §E carve-out) wherever they
- * appear at the event top level.
+ * Volatile field names that differ legitimately between an original run and
+ * its replay: freshly-minted event ids/ULIDs, the run id, and per-region
+ * clock fields (RFC 0036 §E carve-out). Stripped wherever they appear —
+ * including NESTED inside payloads — so the byte-equivalence comparison
+ * tolerates only these carve-outs and flags any other divergence.
  */
-function stripVolatile(ev: RunEventDoc): Record<string, unknown> {
-  const clone = JSON.parse(JSON.stringify(ev)) as Record<string, unknown>;
-  for (const k of ['eventId', 'runId', 'observedAt', 'timestamp', 'occurredAt', 'emittedAt', 'id']) {
-    delete clone[k];
-  }
-  return clone;
+const VOLATILE_KEYS = new Set([
+  'eventId',
+  'runId',
+  'observedAt',
+  'timestamp',
+  'occurredAt',
+  'emittedAt',
+  'id',
+]);
+
+/**
+ * Recursively strip {@link VOLATILE_KEYS} from an event so two runs of the
+ * same workflow are comparable. Recurses into nested objects + arrays (a
+ * host that buries a clock or ULID inside a payload is normalized too),
+ * leaving every non-volatile field intact for the equivalence assertion.
+ */
+function stripVolatile(ev: RunEventDoc): unknown {
+  const walk = (node: unknown): unknown => {
+    if (Array.isArray(node)) return node.map(walk);
+    if (node !== null && typeof node === 'object') {
+      const out: Record<string, unknown> = {};
+      for (const [k, v] of Object.entries(node as Record<string, unknown>)) {
+        if (VOLATILE_KEYS.has(k)) continue;
+        out[k] = walk(v);
+      }
+      return out;
+    }
+    return node;
+  };
+  return walk(JSON.parse(JSON.stringify(ev)));
 }
 
 /** Create the fixture run; returns null (with a skip) if it isn't advertised. */

package/src/scenarios/trigger-bridge-delivery.test.ts

@@ -36,7 +36,7 @@ import {
   DELIVERY_OUTCOMES,
   SUBSCRIPTION_STATES,
 } from '../lib/triggerBridge.js';
-import { queryTestEvents, isEventLogSeamAvailable, resetTestSeam } from '../lib/event-log-query.js';
+import { queryTestEvents, requireEvents, isEventLogSeamAvailable, resetTestSeam } from '../lib/event-log-query.js';
 
 const CONTENT_FREE_FORBIDDEN = ['body', 'headers', 'payload', 'secret', 'credentials', 'token', 'apiKey'];
 
@@ -57,69 +57,105 @@ describe('trigger-bridge-delivery (RFC 0083 §C)', () => {
     // ---- Leg 1: dedup → effectively-once (§C-1) ---------------------------
     const dedup = await driveDelivery({ scenario: 'dedup', dedupKey: 'conformance-dedup-key', source: 'queue' });
     if (dedup === null) return; // delivery seam unwired — soft-skip the whole behavioral suite
-    if (dedup.runId || dedup.subscriptionId) {
-      const subId = dedup.subscriptionId;
-      const q = await queryTestEvents(dedup.runId ?? '__dedup__', { type: 'trigger.delivery.attempted' });
-      if (q.ok) {
-        const deliveredForKey = q.events.filter(
-          (e) => e.payload.dedupKey === 'conformance-dedup-key' && e.payload.outcome === 'delivered',
-        );
-        // Effectively-once: a repeated dedupKey MUST NOT produce two 'delivered' attempts.
-        expect(
-          deliveredForKey.length <= 1,
-          driver.describe('trigger-bridge.md §C-1', 'a repeated dedupKey MUST be effectively-once (≤1 delivered attempt)'),
-        ).toBe(true);
-        for (const e of q.events) {
-          expect(
-            typeof e.payload.outcome === 'string' && DELIVERY_OUTCOMES.includes(e.payload.outcome as string),
-            driver.describe('run-event-payloads.schema.json#triggerDeliveryAttempted', 'outcome MUST be delivered|retrying|dead-lettered'),
-          ).toBe(true);
-          expectContentFree(e.payload, 'trigger.delivery.attempted');
-        }
-      }
-      void subId;
+
+    // The profile is derived AND the seam is wired — missing evidence is a
+    // FAILURE, not a soft-skip. A repeated dedupKey MUST be effectively-once:
+    // EXACTLY one delivered attempt for the key (zero would mean no delivery at all).
+    const dedupQueryId = dedup.runId ?? '__dedup__';
+    const dedupEvents = requireEvents(
+      await queryTestEvents(dedupQueryId, { type: 'trigger.delivery.attempted' }),
+      'trigger.delivery.attempted (dedup)',
+    );
+    const deliveredForKey = dedupEvents.filter(
+      (e) => e.payload.dedupKey === 'conformance-dedup-key' && e.payload.outcome === 'delivered',
+    );
+    expect(
+      deliveredForKey.length === 1,
+      driver.describe('trigger-bridge.md §C-1', 'a repeated dedupKey MUST be effectively-once — EXACTLY one delivered attempt (not zero, not two)'),
+    ).toBe(true);
+    for (const e of dedupEvents) {
+      expect(
+        typeof e.payload.outcome === 'string' && DELIVERY_OUTCOMES.includes(e.payload.outcome as string),
+        driver.describe('run-event-payloads.schema.json#triggerDeliveryAttempted', 'outcome MUST be delivered|retrying|dead-lettered'),
+      ).toBe(true);
+      expectContentFree(e.payload, 'trigger.delivery.attempted');
     }
 
     // ---- Leg 2: retry → dead-letter (§C-2 + RFC 0053) --------------------
     const exhaust = await driveDelivery({ scenario: 'exhaust', source: 'webhook' });
-    if (exhaust && (exhaust.runId || exhaust.subscriptionId)) {
-      const key = exhaust.runId ?? '__exhaust__';
-      const dq = await queryTestEvents(key, { type: 'trigger.delivery.attempted' });
-      if (dq.ok && dq.events.length > 0) {
-        const terminal = dq.events.sort((a, b) => a.sequence - b.sequence)[dq.events.length - 1]!;
-        expect(
-          terminal.payload.outcome === 'dead-lettered',
-          driver.describe('trigger-bridge.md §C-2', 'an exhausted retry policy MUST terminate in a dead-lettered delivery'),
-        ).toBe(true);
-      }
-      const sq = await queryTestEvents(key, { type: 'trigger.subscription.state.changed' });
-      if (sq.ok && sq.events.length > 0) {
-        const toDeadLetter = sq.events.some((e) => e.payload.toState === 'dead-lettered');
-        expect(
-          toDeadLetter,
-          driver.describe('trigger-bridge.md §B', 'the subscription MUST transition to dead-lettered on exhaustion'),
-        ).toBe(true);
-        for (const e of sq.events) {
-          expect(
-            typeof e.payload.toState === 'string' && SUBSCRIPTION_STATES.includes(e.payload.toState as string),
-            driver.describe('trigger-bridge.md §B', 'toState MUST be in the four-state vocabulary'),
-          ).toBe(true);
-          expectContentFree(e.payload, 'trigger.subscription.state.changed');
-        }
-      }
+    expect(
+      exhaust !== null,
+      driver.describe('trigger-bridge.md §C-2', 'the exhaust scenario MUST be wired when the delivery seam is'),
+    ).toBe(true);
+    const exKey = exhaust!.runId ?? '__exhaust__';
+    const exhaustEvents = requireEvents(
+      await queryTestEvents(exKey, { type: 'trigger.delivery.attempted' }),
+      'trigger.delivery.attempted (exhaust)',
+    );
+    expect(
+      exhaustEvents.length >= 1,
+      driver.describe('trigger-bridge.md §C-2', 'an exhausted delivery MUST emit ≥1 trigger.delivery.attempted'),
+    ).toBe(true);
+    const terminal = exhaustEvents.sort((a, b) => a.sequence - b.sequence)[exhaustEvents.length - 1]!;
+    expect(
+      terminal.payload.outcome === 'dead-lettered',
+      driver.describe('trigger-bridge.md §C-2', 'an exhausted retry policy MUST terminate in a dead-lettered delivery'),
+    ).toBe(true);
+    const stateEvents = requireEvents(
+      await queryTestEvents(exKey, { type: 'trigger.subscription.state.changed' }),
+      'trigger.subscription.state.changed (exhaust)',
+    );
+    expect(
+      stateEvents.length >= 1,
+      driver.describe('trigger-bridge.md §B', 'exhaustion MUST emit ≥1 trigger.subscription.state.changed'),
+    ).toBe(true);
+    expect(
+      stateEvents.some((e) => e.payload.toState === 'dead-lettered'),
+      driver.describe('trigger-bridge.md §B', 'the subscription MUST transition to dead-lettered on exhaustion'),
+    ).toBe(true);
+    for (const e of stateEvents) {
+      expect(
+        typeof e.payload.toState === 'string' && SUBSCRIPTION_STATES.includes(e.payload.toState as string),
+        driver.describe('trigger-bridge.md §B', 'toState MUST be in the four-state vocabulary'),
+      ).toBe(true);
+      expectContentFree(e.payload, 'trigger.subscription.state.changed');
     }
 
     // ---- Leg 3: delivery → run causation (§C / RFC 0040) -----------------
+    // §C: "the run started by a successful delivery MUST carry the delivery's
+    // id as causationId on its run.started." The delivery's id is the
+    // trigger.delivery.attempted{delivered} event's id, so we assert EQUALITY
+    // (not merely "a causation id exists") — the trigger→run link MUST resolve.
     const delivered = await driveDelivery({ scenario: 'deliver', source: 'schedule' });
-    if (delivered?.runId) {
-      const rq = await queryTestEvents(delivered.runId, { type: 'run.started' });
-      if (rq.ok && rq.events[0]) {
-        expect(
-          typeof rq.events[0].causationId === 'string' && (rq.events[0].causationId as string).length > 0,
-          driver.describe('trigger-bridge.md §C / RFC 0040', 'the delivered run.started MUST carry the delivery causationId (resolvable via /ancestry)'),
-        ).toBe(true);
-      }
-    }
+    expect(
+      delivered !== null && typeof delivered.runId === 'string' && (delivered.runId as string).length > 0,
+      driver.describe('trigger-bridge.md §C', 'a successful delivery MUST create a run'),
+    ).toBe(true);
+    const deliveredRunId = delivered!.runId as string;
+    const attemptEvents = requireEvents(
+      await queryTestEvents(deliveredRunId, { type: 'trigger.delivery.attempted' }),
+      'trigger.delivery.attempted (deliver)',
+    );
+    const deliveredEvent = attemptEvents.find((e) => e.payload.outcome === 'delivered');
+    expect(
+      deliveredEvent !== undefined,
+      driver.describe('trigger-bridge.md §C-1', 'a successful delivery MUST emit a trigger.delivery.attempted{outcome:delivered}'),
+    ).toBe(true);
+    const runStartedEvents = requireEvents(
+      await queryTestEvents(deliveredRunId, { type: 'run.started' }),
+      'run.started (deliver)',
+    );
+    expect(
+      runStartedEvents.length >= 1,
+      driver.describe('trigger-bridge.md §C', 'a delivered run MUST emit run.started'),
+    ).toBe(true);
+    const runStarted = runStartedEvents.sort((a, b) => a.sequence - b.sequence)[0]!;
+    expect(
+      typeof runStarted.causationId === 'string' &&
+        (runStarted.causationId as string).length > 0 &&
+        runStarted.causationId === deliveredEvent!.eventId,
+      driver.describe('trigger-bridge.md §C / RFC 0040', 'run.started.causationId MUST EQUAL the delivery id (the trigger.delivery.attempted{delivered} eventId) — resolvable via /ancestry'),
+    ).toBe(true);
 
     await resetTestSeam();
   });