@openwop/openwop-conformance 1.18.0 → 1.18.1

package/CHANGELOG.md

@@ -4,6 +4,14 @@
 
 _No unreleased changes._
 
+## [1.18.1] — 2026-06-01 — RFC 0050 SAML behavioral leg: full 7-variant seam coverage
+
+Standalone conformance patch — published via the `openwop-conformance/v1.18.1` per-package tag (PUBLISHING.md §"CI automation"; only the `publish-conformance` job runs), NOT a coordinated spec-corpus release. `EXPECTED_CONFORMANCE_VERSION` advances to `1.18.1` in lockstep. No new scenario file → patch bump.
+
+### Changed — RFC 0050 `auth-saml-profile` opt-in behavioral leg
+
+Expanded the opt-in `auth/saml/validate` behavioral leg from a single `alg-none` negative to the **full RFC 0050 §A variant set driven over the host's live seam**: 1 positive (valid, signed, in-window, non-wrapped → MUST be accepted, 2xx) + 6 negatives (`alg-none`, `unsigned`, `bad-signature`, `expired`, `not-yet-valid`, `signature-wrapping` → MUST be rejected, non-2xx). The signature-wrapping (XSW) case is the load-bearing security property. This makes the behavioral cert **non-vacuous against a host's real XML-DSig ACS** (distinct from the in-process reference suite, which proves the assertions detectably malformed against the bundled oracle, not the host). Still gated on `OPENWOP_TEST_SAML_IDP_URL` (an operator-supplied HTTP synthetic IdP serving the bundled `createSyntheticSamlIdp()` assertions) + the `openwop-auth-saml` advertisement; soft-skips otherwise. The steward prerequisite for graduating RFC 0050 `Active → Accepted` on a host with a real SAML ACS. Scenario docstring updated `Draft → Active`.
+
 ## [1.18.0] — 2026-06-01 — RFC 0085 openwop-agent-platform live aggregate-evidence gate
 
 Standalone conformance minor — a scenario addition published via the `openwop-conformance/v1.18.0` per-package tag (PUBLISHING.md §"CI automation"; only the `publish-conformance` job runs), NOT a coordinated spec-corpus release. `EXPECTED_CONFORMANCE_VERSION` advances to `1.18.0` in lockstep. The steward prerequisite that lets MyndHyve run the RFC 0085 §C live aggregate-evidence scenario non-vacuously under `OPENWOP_REQUIRE_BEHAVIOR=true` to graduate the `openwop-agent-platform` meta-profile from `Active` to `Accepted` — the capstone of the agent-platform program. The normative surface (the `nondeterminismPolicy.declared` flag + the `isAgentPlatform*` predicate helpers + the operational annex) already shipped — this release is the gated test surface only.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openwop/openwop-conformance",
-  "version": "1.18.0",
+  "version": "1.18.1",
   "description": "Production-ready black-box conformance suite for OpenWOP v1.0 compliant servers.",
   "repository": {
     "type": "git",

package/src/scenarios/auth-saml-profile.test.ts

@@ -1,16 +1,20 @@
 /**
  * auth-saml-profile — RFC 0050: openwop-auth-saml profile.
  *
- * Status: DRAFT. RFC 0050 (SAML / SCIM enterprise identity profiles) is
- * `Draft`. The profile is documented in `auth-profiles.md`
+ * Status: ACTIVE. RFC 0050 (SAML / SCIM enterprise identity profiles) is
+ * `Active`. The profile is documented in `auth-profiles.md`
  * §`openwop-auth-saml` and reserved in `capabilities.auth.profiles`.
  *
  * Capability shape runs unconditionally when the profile is advertised.
- * The assertion-validation behavior (1 positive + ≥6 negatives: bad
- * signature, `alg:none`, absent signature, `NotOnOrAfter` expiry,
- * `NotBefore` not-yet-valid, signature-wrapping) is opt-in via
- * `OPENWOP_TEST_SAML_IDP_URL` (operator-supplied synthetic IdP), because
- * a deterministic XML-DSig signer harness isn't bundled yet — follows the
+ * The assertion-validation behavior is exercised over the host's live
+ * `auth/saml/validate` seam for the FULL §A variant set — 1 positive
+ * (valid, signed, in-window, non-wrapped → accepted) + 6 negatives
+ * (`alg:none`, unsigned, bad-signature, `NotOnOrAfter` expiry, `NotBefore`
+ * not-yet-valid, signature-wrapping → rejected). This behavioral leg is
+ * opt-in via `OPENWOP_TEST_SAML_IDP_URL` (an operator-supplied HTTP
+ * synthetic IdP serving the bundled `createSyntheticSamlIdp()` assertions),
+ * because it requires a live host ACS + an HTTP IdP the seam can resolve
+ * variants from — the in-process minter below is not a server. Follows the
  * `auth-mtls.test.ts` opt-in precedent. Soft-skips otherwise.
  *
  * @see RFCS/0050-saml-scim-enterprise-identity-profiles.md
@@ -65,19 +69,52 @@ describe('auth-saml-profile: advertisement shape (RFC 0050)', () => {
 describe('auth-saml-profile: assertion validation (RFC 0050 §A — opt-in)', () => {
   const idpUrl = process.env.OPENWOP_TEST_SAML_IDP_URL;
 
-  it('rejects an `alg:none` / unsigned assertion (synthetic IdP required)', async () => {
+  // The host's real SAML ACS is driven over the `auth/saml/validate` seam for
+  // every variant the bundled synthetic IdP mints — the full RFC 0050 §A MUST
+  // list, not just one negative. The seam receives `{ idpUrl, variant }`,
+  // resolves `{ certificatePem, assertion }` of that variant from the
+  // operator-supplied synthetic IdP, runs it through the host's genuine
+  // validator, and answers 2xx (accepted) / non-2xx (rejected). This is the
+  // NON-VACUOUS behavioral leg: it exercises the host's ACS on the live wire,
+  // distinct from the in-process reference suite below (which proves the
+  // assertions are detectably malformed against the bundled oracle, not the
+  // host). All legs soft-skip until `OPENWOP_TEST_SAML_IDP_URL` is supplied.
+  const gated = (): boolean => idpUrl !== undefined && idpUrl.length > 0;
+
+  it('ACCEPTS a valid signed, in-window, non-wrapped assertion (synthetic IdP required)', async () => {
     const profiles = await readProfiles();
     if (profiles === null || !profiles.includes(SAML_PROFILE)) return; // capability-gated
-    if (idpUrl === undefined || idpUrl.length === 0) return; // opt-in: synthetic-IdP harness not provided
-    // With a synthetic IdP, an `alg:none`/unsigned assertion presented to the
-    // host's SAML ACS MUST be rejected with `unauthenticated`.
-    const res = await driver.post('/v1/host/sample/auth/saml/validate', { idpUrl, variant: 'alg-none' });
+    if (!gated()) return; // opt-in: synthetic-IdP harness not provided
+    const res = await driver.post('/v1/host/sample/auth/saml/validate', { idpUrl, variant: 'valid' });
     if (res.status === 404) return; // seam unwired
     expect(
       res.status,
-      driver.describe('RFC 0050 §A', 'an `alg:none`/unsigned SAML assertion MUST be rejected (non-2xx)'),
-    ).toBeGreaterThanOrEqual(400);
+      driver.describe('RFC 0050 §A', 'a valid signed, in-window, non-wrapped SAML assertion MUST be accepted (2xx)'),
+    ).toBeLessThan(400);
   });
+
+  // The 6 negatives the RFC 0050 §A MUST list requires a host to reject. The
+  // signature-wrapping (XSW) case is the load-bearing security property — a
+  // host MUST bind the validated signature to the consumed assertion.
+  const negatives: ReadonlyArray<[Exclude<SamlVariant, 'valid'>, string]> = [
+    ['alg-none', 'an `alg:none` SAML assertion MUST be rejected (non-2xx)'],
+    ['unsigned', 'an unsigned SAML assertion MUST be rejected (non-2xx)'],
+    ['bad-signature', 'a SAML assertion with an invalid signature MUST be rejected (non-2xx)'],
+    ['expired', 'a SAML assertion past `NotOnOrAfter` MUST be rejected (non-2xx)'],
+    ['not-yet-valid', 'a SAML assertion before `NotBefore` MUST be rejected (non-2xx)'],
+    ['signature-wrapping', 'a signature-wrapped (XSW) SAML assertion MUST be rejected (non-2xx)'],
+  ];
+
+  for (const [variant, requirement] of negatives) {
+    it(`REJECTS the ${variant} assertion over the seam (synthetic IdP required)`, async () => {
+      const profiles = await readProfiles();
+      if (profiles === null || !profiles.includes(SAML_PROFILE)) return; // capability-gated
+      if (!gated()) return; // opt-in: synthetic-IdP harness not provided
+      const res = await driver.post('/v1/host/sample/auth/saml/validate', { idpUrl, variant });
+      if (res.status === 404) return; // seam unwired
+      expect(res.status, driver.describe('RFC 0050 §A', requirement)).toBeGreaterThanOrEqual(400);
+    });
+  }
 });
 
 describe('category: auth-saml synthetic-IdP reference suite (RFC 0050 §A)', () => {