@openwop/openwop-conformance 1.2.0 → 1.3.0

package/src/scenarios/aiEnvelope.contractRefusal.test.ts

@@ -137,14 +137,132 @@ describe('aiEnvelope.contractRefusal: behavioral accept-gate (FINAL v1.1)', () =
   });
 });
 
-describe('aiEnvelope.contractRefusal: engine-integration placeholders', () => {
-  // These require the engine to project gated outcomes onto RunEventDocs
-  // / node.failed events / log.appended (level: warn) per refusalMode.
-  // The pure-function acceptor surfaces `gated` outcomes; the engine
-  // projects them to the event log.
-  it.todo('node.failed event carries error.code = "envelope_contract_violation"');
-  it.todo('refused envelope error.details.acceptedTypes lists the declared accepts[]');
-  it.todo('refused envelope error.details.refusedType names the emitted type');
-  it.todo('refusalMode:"discard-and-warn" emits log.appended level:"warn" instead of node.failed');
-  it.todo('capability-gated typeId refusal stacks atop Envelope Contract refusal (host.aiEnvelope absent → typeId refused first)');
+// E.1 engine-projection via the test-only event-log seam.
+import { queryTestEvents, isEventLogSeamAvailable, resetTestSeam } from '../lib/event-log-query.js';
+
+describe('aiEnvelope.contractRefusal: engine projection via event-log seam', () => {
+  it('gated (fail-node) → node.failed { error.code: "envelope_contract_violation" }', async () => {
+    if (!(await isEventLogSeamAvailable())) return;
+    const runId = `r-cr-fail-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
+    const r = await accept(
+      {
+        type: 'vendor.x.bar.create',
+        schemaVersion: 1,
+        envelopeId: 'env-cr-proj-1',
+        correlationId: `${runId}:n:0:cr-proj-1`,
+        payload: {},
+        meta: baseMeta,
+      },
+      {
+        hostSupportedEnvelopes: ['vendor.x.bar.create', 'vendor.x.foo.create'],
+        nodeAllowedKinds: ['vendor.x.foo.create'],
+        projectTo: { runId, nodeId: 'n', refusalMode: 'fail-node' },
+      },
+    );
+    if (r.status === 404) return;
+    expect(r.body.status).toBe('gated');
+    const events = await queryTestEvents(runId, { type: 'node.failed' });
+    if (!events.ok || events.events.length === 0) return;
+    const err = events.events[0]!.payload.error as { code?: string; details?: { refusedType?: string; acceptedTypes?: string[] } };
+    expect(
+      err.code,
+      driver.describe('ai-envelope.md §"Envelope Contract"', 'gated outcome MUST project to node.failed with error.code = envelope_contract_violation'),
+    ).toBe('envelope_contract_violation');
+  });
+
+  it('refused envelope: error.details.refusedType names emitted kind; acceptedTypes lists allowed kinds', async () => {
+    if (!(await isEventLogSeamAvailable())) return;
+    const runId = `r-cr-details-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
+    await accept(
+      {
+        type: 'vendor.x.bar.create',
+        schemaVersion: 1,
+        envelopeId: 'env-cr-proj-details',
+        correlationId: `${runId}:n:0:cr-details`,
+        payload: {},
+        meta: baseMeta,
+      },
+      {
+        hostSupportedEnvelopes: ['vendor.x.bar.create', 'vendor.x.foo.create'],
+        nodeAllowedKinds: ['vendor.x.foo.create'],
+        projectTo: { runId, nodeId: 'n' },
+      },
+    );
+    const events = await queryTestEvents(runId, { type: 'node.failed' });
+    if (!events.ok || events.events.length === 0) return;
+    const details = (events.events[0]!.payload.error as { details?: { refusedType?: string; acceptedTypes?: string[] } }).details;
+    expect(details?.refusedType).toBe('vendor.x.bar.create');
+    expect(
+      Array.isArray(details?.acceptedTypes) && details!.acceptedTypes!.includes('vendor.x.foo.create'),
+      driver.describe('ai-envelope.md §"Envelope Contract"', 'error.details.acceptedTypes MUST list the node\'s declared accepts[] (plus universals)'),
+    ).toBe(true);
+  });
+
+  it('refusalMode:"discard-and-warn" → log.appended { level: "warn" } instead of node.failed', async () => {
+    if (!(await isEventLogSeamAvailable())) return;
+    const runId = `r-cr-warn-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
+    await accept(
+      {
+        type: 'vendor.x.bar.create',
+        schemaVersion: 1,
+        envelopeId: 'env-cr-proj-warn',
+        correlationId: `${runId}:n:0:cr-warn`,
+        payload: {},
+        meta: baseMeta,
+      },
+      {
+        hostSupportedEnvelopes: ['vendor.x.bar.create'],
+        nodeAllowedKinds: ['vendor.x.foo.create'], // gated
+        projectTo: { runId, nodeId: 'n', refusalMode: 'discard-and-warn' },
+      },
+    );
+    const warnEvents = await queryTestEvents(runId, { type: 'log.appended' });
+    const failEvents = await queryTestEvents(runId, { type: 'node.failed' });
+    if (!warnEvents.ok || !failEvents.ok) return;
+    expect(
+      warnEvents.events.some((e) => (e.payload as { level?: string }).level === 'warn'),
+      driver.describe('ai-envelope.md §"Envelope Contract"', 'discard-and-warn MUST emit log.appended at warn level'),
+    ).toBe(true);
+    expect(
+      failEvents.events.length,
+      driver.describe('ai-envelope.md §"Envelope Contract"', 'discard-and-warn MUST NOT emit node.failed'),
+    ).toBe(0);
+    await resetTestSeam();
+  });
+
+  it('host-gate refusal (hostSupportedEnvelopes) projects to node.failed with envelope_contract_violation', async () => {
+    if (!(await isEventLogSeamAvailable())) return;
+    const runId = `r-cr-host-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
+    await accept(
+      {
+        type: 'vendor.unadvertised.kind',
+        schemaVersion: 1,
+        envelopeId: 'env-cr-proj-host',
+        correlationId: `${runId}:n:0:cr-host`,
+        payload: {},
+        meta: baseMeta,
+      },
+      {
+        hostSupportedEnvelopes: ['vendor.advertised.only'],
+        nodeAllowedKinds: ['vendor.unadvertised.kind'],
+        projectTo: { runId, nodeId: 'n' },
+      },
+    );
+    const events = await queryTestEvents(runId, { type: 'node.failed' });
+    if (!events.ok || events.events.length === 0) return;
+    expect(
+      (events.events[0]!.payload.error as { code?: string }).code,
+      driver.describe('ai-envelope.md §"Capability handshake integration"', 'host-gate refusal MUST project to node.failed envelope_contract_violation (stacks above node-gate)'),
+    ).toBe('envelope_contract_violation');
+  });
+});
+
+describe('aiEnvelope.contractRefusal: capability-stacking placeholder', () => {
+  // Capability-gated typeId refusal stacking (host.aiEnvelope absent →
+  // typeId refused FIRST, before envelope contract gate) requires
+  // the workflow-register handler to consult host.aiEnvelope BEFORE
+  // dispatching envelope acceptance. Tracked under Thread E (engine
+  // integration of acceptor into node execution path); the seam
+  // alone can't verify the ordering.
+  it.todo('capability-gated typeId refusal stacks atop Envelope Contract refusal (host.aiEnvelope absent → typeId refused first; needs node-execution wiring)');
 });

package/src/scenarios/aiEnvelope.correlationReplay.test.ts

@@ -45,25 +45,240 @@ describe('aiEnvelope.correlationReplay: advertisement shape (FINAL v1.1)', () =>
   });
 });
 
-describe('aiEnvelope.correlationReplay: engine-state placeholders', () => {
-  // The 4 assertions below require the engine to maintain a per-run
-  // correlationId → cached-outcome map AND project envelope acceptance
-  // onto RunEventDocs with `causationId = envelope.correlationId`.
-  //
-  // The reference workflow-engine sample's `acceptEnvelope` is a pure
-  // function (host/envelopeAcceptor.ts) — it validates + categorizes
-  // a single envelope without tracking state across calls. Promoting
-  // these to behavioral requires either:
-  //   (a) extending the acceptor with an injected dedup store
-  //       (per-run correlationId map keyed by runId), OR
-  //   (b) a higher-level test seam that wires the acceptor into the
-  //       run lifecycle + event log.
-  //
-  // (b) is the spec-faithful path (per ai-envelope.md §"Replay
-  // determinism" the dedup is engine-level, not acceptor-level).
-  // Tracked as host-impl follow-up.
-  it.todo('emit envelope twice with same correlationId → second returns cached outcome; no duplicate RunEventDocs');
-  it.todo('emit envelope with correlationId C, then with same C and different type → refuse envelope_correlation_conflict');
-  it.todo('cross-process replay: process-death after accept; recovered process re-emits same correlationId → cached outcome, no handler re-invocation');
-  it.todo('resulting RunEventDoc.causationId equals the envelope.correlationId (causal chain preserved)');
+// Behavioral assertions through the workflow-engine sample's env-gated
+// `POST /v1/host/sample/envelope/accept` seam. The seam accepts a flat
+// `priorCorrelations` array (each entry: `{correlationId, outcome, envelopeType}`)
+// that the acceptor consumes as the per-run dedup store. Each test
+// soft-skips on HTTP 404 (host doesn't expose the seam).
+//
+// The cross-process replay assertion (process death + recovery) still
+// stays deferred — it requires a higher-level lifecycle seam that
+// persists the dedup state, which is engine scope, not acceptor scope.
+async function accept(envelope: unknown, opts: Record<string, unknown> = {}): Promise<{ status: number; body: { status?: string; reason?: string; envelopeId?: string; normalizedMeta?: { contentTrust?: string } } }> {
+  const res = await driver.post('/v1/host/sample/envelope/accept', { envelope, ...opts });
+  return { status: res.status, body: res.json as { status?: string; reason?: string; envelopeId?: string; normalizedMeta?: { contentTrust?: string } } };
+}
+
+const baseMeta = { source: 'ai-generation' as const, ts: '2026-05-18T10:00:00Z' };
+
+describe('aiEnvelope.correlationReplay: behavioral in-process dedup (FINAL v1.1)', () => {
+  it('same correlationId re-emission returns the cached outcome unchanged', async () => {
+    const envelope = {
+      type: 'clarification.request',
+      schemaVersion: 1,
+      envelopeId: 'env-cr-replay-1',
+      correlationId: 'r:n:0:replay1',
+      payload: { questions: [{ id: 'q1', question: 'why?' }] },
+      meta: baseMeta,
+    };
+    const first = await accept(envelope);
+    if (first.status === 404) return;
+    expect(first.body.status).toBe('accepted');
+    const cachedOutcome = first.body;
+
+    const second = await accept(envelope, {
+      priorCorrelations: [
+        {
+          correlationId: 'r:n:0:replay1',
+          outcome: cachedOutcome,
+          envelopeType: 'clarification.request',
+        },
+      ],
+    });
+    expect(
+      second.body.status,
+      driver.describe(
+        'ai-envelope.md §"Replay determinism"',
+        'second emission with same correlationId MUST return the cached outcome (handler runs at most once per correlationId)',
+      ),
+    ).toBe('accepted');
+    expect(second.body.envelopeId).toBe(cachedOutcome.envelopeId);
+  });
+
+  it('same correlationId, different envelope type → invalid envelope_correlation_conflict', async () => {
+    const r = await accept(
+      {
+        type: 'error', // re-using a correlationId previously bound to clarification.request
+        schemaVersion: 1,
+        envelopeId: 'env-cr-conflict',
+        correlationId: 'r:n:0:conflict',
+        payload: { code: 'x', message: 'y' },
+        meta: baseMeta,
+      },
+      {
+        priorCorrelations: [
+          {
+            correlationId: 'r:n:0:conflict',
+            outcome: { status: 'accepted', envelopeId: 'env-prior', recordedEventIds: [], normalizedMeta: { contentTrust: 'trusted' } },
+            envelopeType: 'clarification.request',
+          },
+        ],
+      },
+    );
+    if (r.status === 404) return;
+    expect(
+      r.body.status,
+      driver.describe(
+        'ai-envelope.md §"Replay determinism"',
+        'same correlationId with different type MUST refuse envelope_correlation_conflict',
+      ),
+    ).toBe('invalid');
+    expect(r.body.reason).toContain('envelope_correlation_conflict');
+  });
+
+  it('cached outcome of any status (invalid/gated/breached) replays identically', async () => {
+    // Plant a `gated` cached outcome; second emission MUST return the same gated outcome
+    // (handler MUST NOT re-run, even if conditions might now accept).
+    const cached = {
+      status: 'gated' as const,
+      reason: 'envelope type \'vendor.x.foo\' not advertised',
+      allowedKinds: ['clarification.request', 'schema.request', 'schema.response', 'error'],
+    };
+    const r = await accept(
+      {
+        type: 'vendor.x.foo',
+        schemaVersion: 1,
+        envelopeId: 'env-cr-cached-gated',
+        correlationId: 'r:n:0:cachedgated',
+        payload: {},
+        meta: baseMeta,
+      },
+      {
+        hostSupportedEnvelopes: ['vendor.x.foo'], // would otherwise accept
+        priorCorrelations: [
+          {
+            correlationId: 'r:n:0:cachedgated',
+            outcome: cached,
+            envelopeType: 'vendor.x.foo',
+          },
+        ],
+      },
+    );
+    if (r.status === 404) return;
+    expect(
+      r.body.status,
+      driver.describe(
+        'ai-envelope.md §"Replay determinism"',
+        'cached non-accepted outcome MUST replay identically (handler at most once per correlationId)',
+      ),
+    ).toBe('gated');
+  });
+});
+
+// E.1 engine-projection via the test-only event-log seam.
+import { queryTestEvents, isEventLogSeamAvailable, resetTestSeam } from '../lib/event-log-query.js';
+
+describe('aiEnvelope.correlationReplay: causationId projection via event-log seam', () => {
+  it('resulting RunEventDoc.causationId MUST equal the envelope.correlationId (causal chain preserved)', async () => {
+    if (!(await isEventLogSeamAvailable())) return;
+    const runId = `r-cr-cause-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
+    const correlationId = `${runId}:n:0:causationId-link`;
+    await accept(
+      {
+        type: 'clarification.request',
+        schemaVersion: 1,
+        envelopeId: 'env-cr-cause-1',
+        correlationId,
+        payload: { questions: [{ id: 'q1', question: 'why?' }] },
+        meta: baseMeta,
+      },
+      { projectTo: { runId, nodeId: 'n' } },
+    );
+    const events = await queryTestEvents(runId);
+    if (!events.ok || events.events.length === 0) return;
+    for (const e of events.events) {
+      expect(
+        e.causationId,
+        driver.describe('ai-envelope.md §"Replay determinism"', 'every event projected from an envelope MUST carry causationId === envelope.correlationId'),
+      ).toBe(correlationId);
+    }
+    await resetTestSeam();
+  });
+});
+
+describe('aiEnvelope.correlationReplay: cross-process replay via persisted dedup', () => {
+  // Cross-process replay proven WITHOUT actually killing the process:
+  // when a caller supplies `persistedDedup: { runId }`, the seam reads
+  // the persisted store BEFORE consulting the in-memory priorCorrelations
+  // and writes the outcome back after a successful accept. A second
+  // call from the same (or a hypothetically-restarted) process with
+  // ONLY persistedDedup set — no in-memory priorCorrelations — MUST
+  // return the same outcome as the first. That is the cross-process
+  // semantics: the persisted store is the source of truth, the in-
+  // memory map a per-process accelerator.
+  it('persisted outcome replays for the same correlationId even with NO in-memory priorCorrelations', async () => {
+    const runId = `r-cr-persist-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
+    const correlationId = `${runId}:n:0:persist1`;
+    const envelope = {
+      type: 'clarification.request',
+      schemaVersion: 1,
+      envelopeId: 'env-cr-persist-1',
+      correlationId,
+      payload: { questions: [{ id: 'q1', question: 'why?' }] },
+      meta: baseMeta,
+    };
+    // First accept persists the outcome under (runId, correlationId).
+    const first = await accept(envelope, { persistedDedup: { runId } });
+    if (first.status === 404) return; // seam not exposed — soft-skip
+    expect(first.body.status).toBe('accepted');
+    const cachedEnvelopeId = first.body.envelopeId;
+
+    // Second accept — same correlationId, NO priorCorrelations passed
+    // in-band. If the persisted store is consulted, the cached outcome
+    // is returned (same envelopeId). If only the in-memory map were
+    // used, the handler would re-run and mint a different envelopeId
+    // (or accept again with the original — either way, NOT the proof
+    // of cross-process semantics).
+    const second = await accept(envelope, { persistedDedup: { runId } });
+    expect(
+      second.body.envelopeId,
+      driver.describe(
+        'ai-envelope.md §"Replay determinism"',
+        'persisted outcome MUST replay across calls without an in-memory priorCorrelations map (cross-process recovery semantics)',
+      ),
+    ).toBe(cachedEnvelopeId);
+    expect(second.body.status).toBe('accepted');
+  });
+
+  it('persisted store enforces envelope_correlation_conflict across calls', async () => {
+    const runId = `r-cr-persist-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
+    const correlationId = `${runId}:n:0:conflict1`;
+    // First accept: clarification.request.
+    const first = await accept(
+      {
+        type: 'clarification.request',
+        schemaVersion: 1,
+        envelopeId: 'env-cr-persist-conflict-1',
+        correlationId,
+        payload: { questions: [{ id: 'q1', question: 'why?' }] },
+        meta: baseMeta,
+      },
+      { persistedDedup: { runId } },
+    );
+    if (first.status === 404) return;
+    expect(first.body.status).toBe('accepted');
+
+    // Second accept: same correlationId, different envelope type, NO
+    // in-memory priorCorrelations — the conflict MUST be served from
+    // the persisted store.
+    const second = await accept(
+      {
+        type: 'error',
+        schemaVersion: 1,
+        envelopeId: 'env-cr-persist-conflict-2',
+        correlationId,
+        payload: { code: 'x', message: 'y' },
+        meta: baseMeta,
+      },
+      { persistedDedup: { runId } },
+    );
+    expect(
+      second.body.status,
+      driver.describe(
+        'ai-envelope.md §"Replay determinism"',
+        'persisted store MUST surface envelope_correlation_conflict on type mismatch without an in-memory priorCorrelations map',
+      ),
+    ).toBe('invalid');
+    expect(second.body.reason).toContain('envelope_correlation_conflict');
+  });
 });

package/src/scenarios/aiEnvelope.redaction.test.ts

@@ -46,28 +46,208 @@ describe('aiEnvelope.redaction: advertisement shape (FINAL v1.1)', () => {
   });
 });
 
-describe('aiEnvelope.redaction: BYOK-redaction placeholders', () => {
-  // The 6 assertions below require the engine's BYOK redaction pipeline
-  // (per SECURITY/threat-model-secret-leakage.md SR-1 carry-forward) to
-  // hook into envelope acceptance AND every downstream surface that
-  // persists envelope content (RunEventDoc, OTel span attributes,
-  // debug-bundle export, error envelope projection).
-  //
-  // The reference workflow-engine sample's `acceptEnvelope` is pure +
-  // doesn't touch payload contents. Redaction lives at a different
-  // layer (BYOK secretResolver + event-log sanitizer). Promoting these
-  // to behavioral requires either:
-  //   (a) chaining the acceptor through `stripSecretsFromPersisted`
-  //       before persisting the recorded view, OR
-  //   (b) an end-to-end test that plants a BYOK canary in an envelope
-  //       payload, runs through the full accept → emit → persist → export
-  //       chain, and asserts the canary is absent on every output.
-  //
-  // (b) is the spec-faithful path. Tracked as host-impl follow-up.
-  it.todo('emit envelope whose payload contains a known BYOK substring → substring absent from emitted RunEventDocs');
-  it.todo('redacted substring absent from OTel envelope_* span attributes');
-  it.todo('redacted substring absent from debug-bundle export');
-  it.todo('redacted substring absent from error envelope on validation refusal (no leak via error path)');
-  it.todo('redaction marker is the canonical [REDACTED:<reason>] form, NOT a model-generated <REDACTED> string');
-  it.todo('redaction runs AFTER schema validation: a payload with redacted-shaped substrings still validates structurally');
+// Behavioral assertions through the workflow-engine sample's env-gated
+// `POST /v1/host/sample/envelope/accept` seam. The seam threads a
+// `byokCanaries: string[]` option into AcceptOptions so the acceptor
+// can apply the §"Redaction (SR-1 carry-forward)" pass on accepted
+// envelopes, returning `redactedPayload` in the outcome. Each test
+// soft-skips on HTTP 404 (host doesn't expose the seam).
+async function accept(envelope: unknown, opts: Record<string, unknown> = {}): Promise<{ status: number; body: { status?: string; reason?: string; redactedPayload?: unknown; redactionCount?: number; details?: unknown[] } }> {
+  const res = await driver.post('/v1/host/sample/envelope/accept', { envelope, ...opts });
+  return { status: res.status, body: res.json as { status?: string; reason?: string; redactedPayload?: unknown; redactionCount?: number; details?: unknown[] } };
+}
+
+const baseMeta = { source: 'ai-generation' as const, ts: '2026-05-18T10:00:00Z' };
+const CANARY_VALUE = 'sk-canary-DO-NOT-LEAK-9d7f3a2b';
+const CANARY_SECRET_ID = 'byok-secret-test-fixture-001';
+const CANARIES = [{ value: CANARY_VALUE, secretId: CANARY_SECRET_ID }];
+const CANONICAL_MARKER = `[REDACTED:${CANARY_SECRET_ID}]`;
+
+describe('aiEnvelope.redaction: behavioral acceptor-level scrub (FINAL v1.1)', () => {
+  it('canary in payload → substituted with canonical SR-1 [REDACTED:<secretId>] marker per agent-memory.md:66', async () => {
+    const r = await accept(
+      {
+        type: 'error',
+        schemaVersion: 1,
+        envelopeId: 'env-red-1',
+        correlationId: 'r:n:0:red1',
+        payload: { code: 'leak_demo', message: `tool result included ${CANARY_VALUE} verbatim` },
+        meta: baseMeta,
+      },
+      { byokCanaries: CANARIES },
+    );
+    if (r.status === 404) return;
+    expect(r.body.status).toBe('accepted');
+    expect(r.body.redactionCount, 'redactionCount MUST be > 0 when canary appears').toBeGreaterThan(0);
+    expect(
+      JSON.stringify(r.body.redactedPayload).includes(CANARY_VALUE),
+      driver.describe('ai-envelope.md §"Redaction (SR-1 carry-forward)"', 'canary plaintext MUST be absent from the redacted view'),
+    ).toBe(false);
+    expect(
+      JSON.stringify(r.body.redactedPayload),
+      driver.describe('agent-memory.md §SR-1 line 66', 'persisted entry MUST carry [REDACTED:<secretId>] in place of the plaintext'),
+    ).toContain(CANONICAL_MARKER);
+  });
+
+  it('canary across nested object fields → all occurrences scrubbed with canonical marker', async () => {
+    const r = await accept(
+      {
+        type: 'clarification.request',
+        schemaVersion: 1,
+        envelopeId: 'env-red-nested',
+        correlationId: 'r:n:0:rednested',
+        payload: {
+          questions: [
+            { id: 'q1', question: `What is ${CANARY_VALUE}?` },
+            { id: 'q2', question: 'unrelated', context: { trace: `${CANARY_VALUE}/${CANARY_VALUE}` } },
+          ],
+        },
+        meta: baseMeta,
+      },
+      { byokCanaries: CANARIES },
+    );
+    if (r.status === 404) return;
+    expect(r.body.status).toBe('accepted');
+    expect(
+      JSON.stringify(r.body.redactedPayload).includes(CANARY_VALUE),
+      'no canary plaintext remnant anywhere in the redacted view (recursive scrub)',
+    ).toBe(false);
+    // q1's question (1 occurrence), q2's context.trace (2 occurrences) = total 3
+    expect(r.body.redactionCount).toBe(3);
+  });
+
+  it('multiple canaries → each substituted with its own secretId marker', async () => {
+    const C1 = { value: 'sk-canary-alpha-xxxx', secretId: 'secret-alpha' };
+    const C2 = { value: 'sk-canary-beta-yyyy', secretId: 'secret-beta' };
+    const r = await accept(
+      {
+        type: 'error',
+        schemaVersion: 1,
+        envelopeId: 'env-red-multi',
+        correlationId: 'r:n:0:redmulti',
+        payload: { code: 'multi_leak', message: `first=${C1.value}, second=${C2.value}` },
+        meta: baseMeta,
+      },
+      { byokCanaries: [C1, C2] },
+    );
+    if (r.status === 404) return;
+    expect(r.body.status).toBe('accepted');
+    const view = JSON.stringify(r.body.redactedPayload);
+    expect(view.includes(C1.value)).toBe(false);
+    expect(view.includes(C2.value)).toBe(false);
+    expect(
+      view.includes(`[REDACTED:${C1.secretId}]`) && view.includes(`[REDACTED:${C2.secretId}]`),
+      driver.describe('agent-memory.md §SR-1', 'each canary MUST be substituted with its OWN [REDACTED:<secretId>] marker'),
+    ).toBe(true);
+  });
+
+  it('redaction runs AFTER schema validation: payload with [REDACTED:...]-shaped substrings still validates', async () => {
+    // The error-kind payload schema requires { code, message }. A pre-redacted
+    // marker in the message MUST NOT trip validation.
+    const r = await accept(
+      {
+        type: 'error',
+        schemaVersion: 1,
+        envelopeId: 'env-red-shape',
+        correlationId: 'r:n:0:redshape',
+        payload: { code: 'demo', message: 'already had [REDACTED:secret-prior] before we saw it' },
+        meta: baseMeta,
+      },
+      { byokCanaries: CANARIES }, // canary NOT in payload; substitution count expected 0
+    );
+    if (r.status === 404) return;
+    expect(
+      r.body.status,
+      driver.describe('ai-envelope.md §"Redaction (SR-1 carry-forward)"', 'redaction MUST run AFTER schema validation; pre-existing markers do not affect validation'),
+    ).toBe('accepted');
+    // No canary present → redactionCount absent or 0
+    expect(r.body.redactionCount ?? 0).toBe(0);
+  });
+
+  it('canary in invalid envelope (validation refusal) → error response MUST NOT echo the canary plaintext', async () => {
+    // ISO 8601 violation triggers an `invalid` outcome BEFORE the redaction
+    // pass runs. The acceptor's validation-detail extractor MUST NOT echo
+    // the payload contents into the error response.
+    const r = await accept(
+      {
+        type: 'error',
+        schemaVersion: 1,
+        envelopeId: 'env-red-leak',
+        correlationId: 'r:n:0:redleak',
+        payload: { code: 'demo', message: `secret value is ${CANARY_VALUE}` },
+        meta: { ...baseMeta, ts: 'tomorrow' }, // bad ts → invalid
+      },
+      { byokCanaries: CANARIES },
+    );
+    if (r.status === 404) return;
+    expect(r.body.status).toBe('invalid');
+    const bodyString = JSON.stringify(r.body);
+    expect(
+      bodyString.includes(CANARY_VALUE),
+      driver.describe(
+        'SECURITY/threat-model-secret-leakage.md §SR-1',
+        'error response on validation refusal MUST NOT echo BYOK canary plaintext',
+      ),
+    ).toBe(false);
+  });
+});
+
+// E.2 OTel scrape + E.3 debug-bundle seams.
+import { queryTestSpans, exportDebugBundle, isOtelSeamAvailable } from '../lib/otel-scrape.js';
+import { resetTestSeam } from '../lib/event-log-query.js';
+
+describe('aiEnvelope.redaction: OTel + debug-bundle scrape (E.2 + E.3)', () => {
+  it('redacted canary plaintext MUST be absent from OTel envelope_* span attributes', async () => {
+    if (!(await isOtelSeamAvailable())) return;
+    const runId = `r-red-otel-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
+    await accept(
+      {
+        type: 'error',
+        schemaVersion: 1,
+        envelopeId: 'env-red-otel-1',
+        correlationId: `${runId}:n:0:red-otel`,
+        payload: { code: 'leak_demo', message: `tool result included ${CANARY_VALUE} verbatim` },
+        meta: baseMeta,
+      },
+      { byokCanaries: CANARIES, projectTo: { runId, nodeId: 'n' } },
+    );
+    const spans = await queryTestSpans({ runId });
+    if (!spans.ok) return;
+    const allAttrs = spans.data.flatMap((s) => Object.values(s.attributes).map((v) => String(v)));
+    expect(
+      allAttrs.some((v) => v.includes(CANARY_VALUE)),
+      driver.describe(
+        'SECURITY/threat-model-secret-leakage.md §SR-1',
+        'BYOK canary plaintext MUST NOT appear in any OTel envelope_* span attribute',
+      ),
+    ).toBe(false);
+    await resetTestSeam();
+  });
+
+  it('redacted canary plaintext MUST be absent from debug-bundle export', async () => {
+    if (!(await isOtelSeamAvailable())) return;
+    const runId = `r-red-bundle-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
+    await accept(
+      {
+        type: 'clarification.request',
+        schemaVersion: 1,
+        envelopeId: 'env-red-bundle-1',
+        correlationId: `${runId}:n:0:red-bundle`,
+        payload: { questions: [{ id: 'q1', question: `embed ${CANARY_VALUE} here` }] },
+        meta: baseMeta,
+      },
+      { byokCanaries: CANARIES, projectTo: { runId, nodeId: 'n' } },
+    );
+    const bundle = await exportDebugBundle(runId);
+    if (!bundle.ok) return;
+    const serialized = JSON.stringify(bundle.data);
+    expect(
+      serialized.includes(CANARY_VALUE),
+      driver.describe(
+        'SECURITY/threat-model-secret-leakage.md §SR-1',
+        'BYOK canary plaintext MUST NOT appear in the debug-bundle export (events + spans)',
+      ),
+    ).toBe(false);
+    await resetTestSeam();
+  });
 });