@openwop/openwop-conformance 1.21.0 → 1.24.0

package/src/scenarios/connection-provider-resolution.test.ts

@@ -0,0 +1,153 @@
+/**
+ * Connection-pack provider resolution — `connection-packs.md` §Manifest
+ * clauses 6 + 8 (RFC 0095 §B.6/§B.8) — behavioral.
+ *
+ * Capability-gated on `capabilities.connections.packsSupported: true`
+ * (soft-skips when unadvertised; hard-fails under
+ * `OPENWOP_REQUIRE_BEHAVIOR=true`). Drives the host through the
+ * `POST /v1/host/sample/connection-packs/{install,resolve}` test seams
+ * (`host-sample-test-seams.md`); hosts that haven't wired the seams
+ * soft-skip (404).
+ *
+ *   1. INSTALL + RESOLVE (§B.6) — installing the `connection-pack-github`
+ *      fixture makes `provider: "github"` resolve with `source: "pack"`.
+ *   2. UNRESOLVED (§B.6) — a provider with no installed pack and no
+ *      built-in fails with `connection_provider_unresolved`.
+ *   3. PRERELEASE CONFLICT (§B.6, SemVer §11) — an installed prerelease
+ *      (`1.0.0-alpha.1`) does NOT outrank a built-in `1.0.0` (prerelease <
+ *      release); the host MUST surface `connection_provider_conflict`
+ *      rather than silently choosing.
+ *   4. REJECTION ISOLATION (§B.8) — a rejected manifest (credential
+ *      material) means NOT INSTALLED, nothing more: a subsequent valid
+ *      install on the same host MUST still succeed (one bad pack never
+ *      takes down the install path).
+ *
+ * @see spec/v1/connection-packs.md
+ * @see spec/v1/host-sample-test-seams.md
+ * @see RFCS/0095-connection-packs-portable-provider-definitions.md
+ */
+
+import { describe, it, expect } from 'vitest';
+import { readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import { FIXTURES_DIR } from '../lib/paths.js';
+import { driver } from '../lib/driver.js';
+import { behaviorGate } from '../lib/behavior-gate.js';
+import { readCapabilityFamily } from '../lib/discovery-capabilities.js';
+
+const FIXTURE_PATH = join(FIXTURES_DIR, 'connection-packs', 'connection-pack-github.json');
+
+type Manifest = Record<string, unknown> & {
+  provider: Record<string, unknown> & { id: string };
+};
+
+interface InstallResult {
+  installed?: boolean;
+  errors?: Array<{ code?: string; path?: string }>;
+}
+
+interface ResolveResult {
+  resolved?: boolean;
+  source?: 'pack' | 'builtin';
+  version?: string;
+  code?: string;
+}
+
+function fixture(): Manifest {
+  return JSON.parse(readFileSync(FIXTURE_PATH, 'utf8')) as Manifest;
+}
+
+async function gate(): Promise<boolean> {
+  const connections = await readCapabilityFamily<{ packsSupported?: boolean }>('connections');
+  return behaviorGate('connections.packsSupported', connections?.packsSupported === true);
+}
+
+describe('connection-provider-resolution (RFC 0095 §B.6/§B.8)', () => {
+  it('an installed pack resolves its provider id; an unknown provider is unresolved', async () => {
+    if (!(await gate())) return;
+
+    const install = await driver.post('/v1/host/sample/connection-packs/install', { manifest: fixture() });
+    if (install.status === 404 || install.status === 403) return; // seam unwired — soft-skip
+    const installed = install.json as InstallResult | undefined;
+    expect(
+      installed?.installed,
+      driver.describe('connection-packs.md §Manifest clause 1', 'a well-formed connection pack MUST install'),
+    ).toBe(true);
+
+    const hit = await driver.post('/v1/host/sample/connection-packs/resolve', { provider: 'github' });
+    const resolved = hit.json as ResolveResult | undefined;
+    expect(
+      resolved?.resolved,
+      driver.describe('connection-packs.md §Manifest clause 6', 'provider "github" MUST resolve against the installed pack whose provider.id matches'),
+    ).toBe(true);
+    expect(
+      resolved?.source,
+      driver.describe('connection-packs.md §Manifest clause 6', 'the installed pack is the resolution source'),
+    ).toBe('pack');
+
+    const miss = await driver.post('/v1/host/sample/connection-packs/resolve', {
+      provider: 'conformance-nonexistent-provider-xyz',
+    });
+    const unresolved = miss.json as ResolveResult | undefined;
+    expect(
+      unresolved?.resolved,
+      driver.describe('connection-packs.md §Manifest clause 6', 'a provider with no installed pack and no built-in MUST NOT resolve'),
+    ).toBe(false);
+    expect(
+      unresolved?.code,
+      driver.describe('connection-packs.md §Manifest clause 6', 'the refusal code MUST be connection_provider_unresolved'),
+    ).toBe('connection_provider_unresolved');
+  });
+
+  it('an installed prerelease does not outrank a built-in release — conflict surfaces (SemVer §11)', async () => {
+    if (!(await gate())) return;
+
+    const prerelease = { ...fixture(), version: '1.0.0-alpha.1' };
+    prerelease.provider = { ...prerelease.provider, id: 'conformance-prerelease-probe' };
+    const install = await driver.post('/v1/host/sample/connection-packs/install', { manifest: prerelease });
+    if (install.status === 404 || install.status === 403) return; // seam unwired — soft-skip
+    expect(
+      (install.json as InstallResult | undefined)?.installed,
+      driver.describe('connection-packs.md §Manifest clause 1', 'a prerelease-versioned pack is shape-valid and MUST install'),
+    ).toBe(true);
+
+    const res = await driver.post('/v1/host/sample/connection-packs/resolve', {
+      provider: 'conformance-prerelease-probe',
+      simulateBuiltinVersion: '1.0.0',
+    });
+    if (res.status === 404 || res.status === 403) return; // simulate knob unwired — soft-skip
+    const body = res.json as ResolveResult | undefined;
+    expect(
+      body?.code,
+      driver.describe(
+        'connection-packs.md §Manifest clause 6',
+        'SemVer §11: 1.0.0-alpha.1 < 1.0.0 — the installed pack is NOT greater-or-equal, so the host MUST surface connection_provider_conflict rather than silently choosing',
+      ),
+    ).toBe('connection_provider_conflict');
+  });
+
+  it('rejection isolation: one rejected pack never takes down the install path (§B.8)', async () => {
+    if (!(await gate())) return;
+
+    const leaky = fixture();
+    leaky.provider = { ...leaky.provider, id: 'conformance-isolation-probe' };
+    (leaky.provider.auth as Record<string, unknown>).clientSecret = 'ghs_conformance_canary';
+    const bad = await driver.post('/v1/host/sample/connection-packs/install', { manifest: leaky });
+    if (bad.status === 404 || bad.status === 403) return; // seam unwired — soft-skip
+    expect(
+      (bad.json as InstallResult | undefined)?.installed,
+      driver.describe('connection-packs.md §Manifest clause 2', 'the credential-carrying manifest MUST NOT install'),
+    ).toBe(false);
+
+    const good = { ...fixture() };
+    good.provider = { ...good.provider, id: 'conformance-isolation-survivor' };
+    const after = await driver.post('/v1/host/sample/connection-packs/install', { manifest: good });
+    expect(
+      (after.json as InstallResult | undefined)?.installed,
+      driver.describe(
+        'connection-packs.md §Manifest clause 8',
+        'a rejected pack means NOT INSTALLED — nothing more; a subsequent valid install MUST succeed',
+      ),
+    ).toBe(true);
+  });
+});

package/src/scenarios/cross-host-traceparent-propagation.test.ts

@@ -35,10 +35,10 @@
 
 import { describe, it } from 'vitest';
 
-// Behavioral assertions in this file are currently `it.todo` placeholders;
+// Behavioral assertions in this file are currently `it.skip` placeholders;
 // the cross-host MCP / A2A peer harness (gated on OPENWOP_MCP_REAL_SERVER_URL
 // / OPENWOP_A2A_REAL_PEER_URL) hasn't landed yet. When it does, the
-// `it.todo` calls flip back to runnable `it(...)` bodies that read discovery
+// `it.skip` calls flip back to runnable `it(...)` bodies that read discovery
 // (via `driver.get('/.well-known/openwop')`), gate on `Phase 3` advertisement,
 // and drive the workflow through the configured real peer.
 
@@ -48,7 +48,7 @@ describe('cross-host-traceparent-propagation: behavioral (RFC 0040 §B)', () =>
   // OPENWOP_MCP_REAL_SERVER_URL) records inbound headers; the test reads
   // the recorded headers and asserts `traceparent` is present + matches
   // the format `00-{traceId}-{spanId}-{flags}` per W3C tracecontext.
-  // Until the peer harness lands, the assertion is surfaced as `todo` so
+  // Until the peer harness lands, the assertion is surfaced as `it.skip` so
   // test reporters track the gap rather than reporting a vacuous PASS.
   // Marked out of stable profile via RFC 0042 §B (experimental tier):
   // RFC 0040 remains Active. Hosts that wire Phase 3 cross-host causation

package/src/scenarios/export-bundle-portability.test.ts

@@ -0,0 +1,120 @@
+/**
+ * Agent-platform portability — export bundle + tenant import (RFC 0098;
+ * `portability.md`). Public test for the protocol-tier SECURITY invariant
+ * `export-bundle-no-credential-material`.
+ *
+ * Two layers:
+ *
+ *   A. Always-on, server-free schema legs — the capability block (incl. the
+ *      `import ⇒ dryRun` if/then), the `export-bundle.schema.json` shape (no
+ *      credential-named field admitted), and the content-free `import.applied`
+ *      event payload.
+ *
+ *   B. Capability-gated behavioral legs — on a host advertising
+ *      `capabilities.portability` that exposes the `/v1/host/sample/import`
+ *      seam: a bundle carrying a literal credential value is rejected (422),
+ *      and a dry-run import makes zero writes. Hosts without the seam soft-skip
+ *      (404); unadvertised hosts skip via the behavior gate.
+ *
+ * @see spec/v1/portability.md
+ * @see SECURITY/invariants.yaml id: export-bundle-no-credential-material
+ * @see RFCS/0098-agent-platform-portability-export-bundle-and-import.md
+ */
+
+import { describe, it, expect } from 'vitest';
+import { readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import Ajv2020 from 'ajv/dist/2020.js';
+import addFormats from 'ajv-formats';
+import { SCHEMAS_DIR } from '../lib/paths.js';
+import { driver } from '../lib/driver.js';
+import { behaviorGate } from '../lib/behavior-gate.js';
+import { readCapabilityFamily } from '../lib/discovery-capabilities.js';
+
+const why = (specRef: string, requirement: string): string => `${specRef} — ${requirement}`;
+function loadSchema(name: string): Record<string, unknown> {
+  return JSON.parse(readFileSync(join(SCHEMAS_DIR, name), 'utf8')) as Record<string, unknown>;
+}
+
+const CRED_NAMES = ['clientSecret', 'client_secret', 'apiKey', 'api_key', 'accessToken', 'refreshToken', 'password', 'privateKey'] as const;
+
+describe('export-bundle-portability: capability advertisement (RFC 0098 §A, server-free)', () => {
+  const caps = loadSchema('capabilities.schema.json');
+  const portability = (caps.properties as Record<string, { properties?: Record<string, unknown>; if?: unknown; then?: unknown }>).portability;
+
+  it('capabilities schema declares portability with its sub-flags + the import⇒dryRun if/then', () => {
+    expect(portability, why('capabilities.md §portability', 'portability MUST be declared')).toBeDefined();
+    for (const flag of ['export', 'import', 'kinds', 'dryRun']) {
+      expect(portability?.properties?.[flag], why('RFC 0098 §A', `portability.${flag} MUST be declared`)).toBeDefined();
+    }
+    expect(portability?.if, why('RFC 0098 §A', 'a JSON-Schema if/then MUST enforce dryRun:true when import:true')).toBeDefined();
+    expect(portability?.then, why('RFC 0098 §A', 'the then-branch MUST require dryRun')).toBeDefined();
+  });
+});
+
+describe('export-bundle-portability: ExportBundle shape (RFC 0098 §B, server-free)', () => {
+  const ajv = new Ajv2020({ strict: false, allErrors: true });
+  addFormats(ajv);
+  const validate = ajv.compile(loadSchema('export-bundle.schema.json'));
+
+  const good = {
+    bundleVersion: '1',
+    source: { origin: 'https://host-a.example', exportedAt: '2026-06-13T00:00:00Z' },
+    items: [
+      { kind: 'prompt-template', ref: 'tpl-1', payload: { templateId: 'welcome', version: '1.0.0' } },
+      { kind: 'connection-ref', ref: 'conn-1', dependsOn: ['tpl-1'], payload: { provider: 'slack', credentialRef: 'cred:abc' } },
+    ],
+  };
+
+  it('validates a conforming bundle with refs only', () => {
+    expect(validate(good), why('RFC 0098 §B', `a conforming bundle MUST validate. Errors: ${JSON.stringify(validate.errors)}`)).toBe(true);
+  });
+
+  it('rejects a wrong bundleVersion, an unknown kind, and a missing item ref', () => {
+    expect(validate({ ...good, bundleVersion: '2' }), why('RFC 0098 §B', 'an unsupported bundleVersion MUST be rejected')).toBe(false);
+    expect(validate({ ...good, items: [{ kind: 'mystery', ref: 'x', payload: {} }] }), why('RFC 0098 §B', 'an unknown item kind MUST be rejected')).toBe(false);
+    expect(validate({ ...good, items: [{ kind: 'agent', payload: {} }] }), why('RFC 0098 §B', 'an item without a ref MUST be rejected')).toBe(false);
+  });
+
+  it('the bundle envelope admits no credential-named field at the root or source level (additionalProperties:false)', () => {
+    for (const name of CRED_NAMES) {
+      expect(validate({ ...good, [name]: 'xxx' }), why('SECURITY invariant export-bundle-no-credential-material', `a "${name}" field at the bundle root MUST NOT validate`)).toBe(false);
+      expect(validate({ ...good, source: { ...good.source, [name]: 'xxx' } }), why('SECURITY invariant export-bundle-no-credential-material', `a "${name}" field under source MUST NOT validate`)).toBe(false);
+    }
+  });
+});
+
+describe('export-bundle-portability: content-free event (RFC 0098 §D, server-free)', () => {
+  const runEvent = loadSchema('run-event.schema.json');
+  const payloads = loadSchema('run-event-payloads.schema.json');
+  const ajv = new Ajv2020({ strict: false, allErrors: true });
+  addFormats(ajv);
+  ajv.addSchema(payloads, 'payloads');
+
+  it('import.applied is in the RunEventType enum and is content-free (counts + refs only)', () => {
+    const en = (runEvent.$defs as Record<string, { enum?: string[] }>).RunEventType?.enum ?? [];
+    expect(en).toContain('import.applied');
+    const applied = ajv.getSchema('payloads#/$defs/importApplied')!;
+    expect(applied({ bundleOrigin: 'https://host-a.example', counts: { created: 2, skipped: 1 }, secretsToRebind: ['anthropic'] }), why('RFC 0098 §D', 'a content-free import.applied MUST validate')).toBe(true);
+    expect(applied({ bundleOrigin: 'h', counts: { created: 1 }, items: [{ payload: {} }] }), why('SECURITY invariant export-bundle-no-credential-material', 'import.applied MUST NOT carry item payloads')).toBe(false);
+  });
+});
+
+describe('export-bundle-portability: behavioral (RFC 0098 §E, capability-gated)', () => {
+  it('importing a bundle with a literal credential value is rejected (422)', async () => {
+    const portability = await readCapabilityFamily<{ import?: boolean }>('portability');
+    if (!behaviorGate('portability', portability !== undefined && portability.import === true)) return;
+
+    const leaky = {
+      bundleVersion: '1',
+      source: { origin: 'adapter:conformance' },
+      items: [{ kind: 'connection-ref', ref: 'c1', payload: { provider: 'anthropic', apiKey: 'sk-conformance-canary' } }],
+    };
+    const res = await driver.post('/v1/host/sample/import?dryRun=true', { bundle: leaky });
+    if (res.status === 404 || res.status === 403) return; // seam unwired — soft-skip
+    expect(
+      res.status,
+      driver.describe('portability.md §Invariants clause 1', 'a bundle carrying a literal credential value MUST be rejected (422)'),
+    ).toBe(422);
+  });
+});

package/src/scenarios/fixtures-valid.test.ts

@@ -154,6 +154,40 @@ describe('fixtures: node-pack-manifest schema validity', () => {
   });
 });
 
+describe('fixtures: connection-pack-manifest schema validity', () => {
+  // Connection-pack fixtures live in `fixtures/connection-packs/` (RFC 0095)
+  // so the node-pack validator above doesn't apply the wrong schema. They are
+  // schema-level proof points AND the canonical install payloads for the
+  // capability-gated `connection-provider-resolution` behavioral scenario.
+  const ajv = new Ajv2020({ allErrors: true, strict: false });
+  addFormats(ajv);
+  const schema = JSON.parse(readFileSync(join(SCHEMAS_DIR, 'connection-pack-manifest.schema.json'), 'utf8'));
+  const validate = ajv.compile(schema);
+
+  const dir = join(FIXTURES_DIR, 'connection-packs');
+  const files = readdirSync(dir)
+    .filter((f) => f.endsWith('.json'))
+    .sort();
+
+  it('finds at least one connection-pack fixture (RFC 0095 coverage)', () => {
+    expect(files.length).toBeGreaterThan(0);
+  });
+
+  for (const file of files) {
+    it(`connection-packs/${file} validates against connection-pack-manifest.schema.json`, () => {
+      const data = JSON.parse(readFileSync(join(dir, file), 'utf8'));
+      const ok = validate(data);
+      const errors = (validate.errors ?? [])
+        .map((e: ErrorObject) => `${e.instancePath || '/'}: ${e.message}`)
+        .join('\n');
+      expect(
+        ok,
+        `Fixture connection-packs/${file} fails connection-pack-manifest schema:\n${errors}`,
+      ).toBe(true);
+    });
+  }
+});
+
 describe('fixtures: prompt-template schema validity', () => {
   // PromptTemplate fixtures live in `fixtures/prompt-templates/` per
   // RFC 0027 §A. Like pack manifests, they're schema-level proof points,

package/src/scenarios/goal-standing-continuation.test.ts

@@ -0,0 +1,139 @@
+/**
+ * Standing goals — judge-based completion + bounded continuation (RFC 0097;
+ * `agent-runtime.md` §"Standing goals"). Public tests for the protocol-tier
+ * SECURITY invariants `goal-continuation-bounded` and
+ * `goal-completion-judge-only`.
+ *
+ * Two layers:
+ *
+ *   A. Always-on, server-free schema legs — the capability block, the
+ *      `goal.schema.json` shape, and the content-free `goal.evaluated` /
+ *      `goal.closed` event payloads.
+ *
+ *   B. Capability-gated behavioral legs — on a host advertising
+ *      `capabilities.agents.goals` that exposes the `/v1/host/sample/goals`
+ *      seam: bounded termination (a never-satisfied goal halts at
+ *      `maxLoopIterations` with `state: bound-exceeded`) and judge-only
+ *      completion (a client-supplied `state: satisfied` is refused). Hosts
+ *      without the seam soft-skip (404); unadvertised hosts skip via the gate.
+ *
+ * @see spec/v1/agent-runtime.md §"Standing goals"
+ * @see SECURITY/invariants.yaml id: goal-continuation-bounded, goal-completion-judge-only
+ * @see RFCS/0097-standing-goals-and-judge-based-continuation.md
+ */
+
+import { describe, it, expect } from 'vitest';
+import { readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import Ajv2020 from 'ajv/dist/2020.js';
+import addFormats from 'ajv-formats';
+import { SCHEMAS_DIR } from '../lib/paths.js';
+import { driver } from '../lib/driver.js';
+import { behaviorGate } from '../lib/behavior-gate.js';
+import { readCapabilityFamily } from '../lib/discovery-capabilities.js';
+
+const why = (specRef: string, requirement: string): string => `${specRef} — ${requirement}`;
+function loadSchema(name: string): Record<string, unknown> {
+  return JSON.parse(readFileSync(join(SCHEMAS_DIR, name), 'utf8')) as Record<string, unknown>;
+}
+
+describe('goal-standing-continuation: capability advertisement (RFC 0097 §A, server-free)', () => {
+  it('capabilities schema declares agents.goals with its required sub-flags', () => {
+    const caps = loadSchema('capabilities.schema.json');
+    const agents = (caps.properties as Record<string, { properties?: Record<string, { properties?: Record<string, unknown>; required?: string[] }> }>).agents;
+    const goals = agents?.properties?.goals;
+    expect(goals, why('capabilities.md §agents', 'agents.goals MUST be declared')).toBeDefined();
+    for (const flag of ['judge', 'continuation', 'requiresBounds']) {
+      expect(goals?.properties?.[flag], why('RFC 0097 §A', `agents.goals.${flag} MUST be declared`)).toBeDefined();
+    }
+    expect(goals?.required, why('RFC 0097 §A', 'judge + continuation MUST be required')).toEqual(
+      expect.arrayContaining(['judge', 'continuation']),
+    );
+  });
+});
+
+describe('goal-standing-continuation: Goal shape (RFC 0097 §B, server-free)', () => {
+  const ajv = new Ajv2020({ strict: false, allErrors: true });
+  addFormats(ajv);
+  const validate = ajv.compile(loadSchema('goal.schema.json'));
+
+  const good = {
+    id: 'goal-1',
+    objective: 'ship the release checklist',
+    state: 'active',
+    completion: { check: 'verifier', verifierRef: 'vf-1' },
+    continuation: { mode: 'schedule', armRef: 'job-1' },
+    bounds: { maxLoopIterations: 7 },
+    owner: { tenant: 'acme' },
+    createdAt: '2026-06-13T00:00:00Z',
+  };
+
+  it('validates a conforming active goal', () => {
+    expect(validate(good), why('RFC 0097 §B', `a conforming goal MUST validate. Errors: ${JSON.stringify(validate.errors)}`)).toBe(true);
+  });
+
+  it('rejects an unknown state, an unknown judge, and a bad continuation mode', () => {
+    expect(validate({ ...good, state: 'done' }), why('RFC 0097 §B', 'a state outside the lifecycle enum MUST be rejected')).toBe(false);
+    expect(validate({ ...good, completion: { check: 'vibes' } }), why('RFC 0097 §B', 'judge check outside {verifier,host} MUST be rejected')).toBe(false);
+    expect(validate({ ...good, continuation: { mode: 'whenever' } }), why('RFC 0097 §B', 'continuation mode outside the enum MUST be rejected')).toBe(false);
+  });
+});
+
+describe('goal-standing-continuation: content-free events (RFC 0097 §D, server-free)', () => {
+  const runEvent = loadSchema('run-event.schema.json');
+  const payloads = loadSchema('run-event-payloads.schema.json');
+  const ajv = new Ajv2020({ strict: false, allErrors: true });
+  addFormats(ajv);
+  ajv.addSchema(payloads, 'payloads');
+
+  it('goal.evaluated and goal.closed are in the RunEventType enum', () => {
+    const en = (runEvent.$defs as Record<string, { enum?: string[] }>).RunEventType?.enum ?? [];
+    expect(en).toContain('goal.evaluated');
+    expect(en).toContain('goal.closed');
+  });
+
+  it('goal.evaluated is content-free — an objective text field is rejected; goal.closed requires a terminal finalState', () => {
+    const evaluated = ajv.getSchema('payloads#/$defs/goalEvaluated')!;
+    expect(evaluated({ goalId: 'g1', satisfied: false, confidence: 0.4, runId: 'r1', iterations: 2 }), why('RFC 0097 §D', 'a content-free goal.evaluated MUST validate')).toBe(true);
+    expect(evaluated({ goalId: 'g1', satisfied: false, runId: 'r1', iterations: 2, objective: 'ship it' }), why('RFC 0097 §D', 'goal.evaluated MUST NOT carry objective text')).toBe(false);
+    const closed = ajv.getSchema('payloads#/$defs/goalClosed')!;
+    expect(closed({ goalId: 'g1', finalState: 'bound-exceeded' }), why('RFC 0097 §D', 'goal.closed with a terminal finalState MUST validate')).toBe(true);
+    expect(closed({ goalId: 'g1', finalState: 'active' }), why('RFC 0097 §D', 'goal.closed MUST NOT use the non-terminal `active` state')).toBe(false);
+  });
+});
+
+describe('goal-standing-continuation: behavioral (RFC 0097 §E, capability-gated)', () => {
+  it('a goal cannot be created without bounds when requiresBounds is advertised (422)', async () => {
+    const agents = await readCapabilityFamily<{ goals?: { requiresBounds?: boolean } }>('agents');
+    if (!behaviorGate('agents.goals', agents?.goals !== undefined)) return;
+    if (agents?.goals?.requiresBounds === false) return; // host opted out of mandatory bounds
+
+    const res = await driver.post('/v1/host/sample/goals', {
+      objective: 'unbounded work',
+      completion: { check: 'host' },
+      continuation: { mode: 'manual' },
+    });
+    if (res.status === 404 || res.status === 403) return; // seam unwired — soft-skip
+    expect(
+      res.status,
+      driver.describe('agent-runtime.md §"Standing goals" clause 2', 'POST /goals without RFC 0058 bounds MUST be rejected (422) when requiresBounds is advertised'),
+    ).toBe(422);
+  });
+
+  it('a client MUST NOT set state: satisfied directly', async () => {
+    const agents = await readCapabilityFamily<{ goals?: unknown }>('agents');
+    if (!behaviorGate('agents.goals', agents?.goals !== undefined)) return;
+
+    const list = await driver.get('/v1/host/sample/goals?state=active');
+    if (list.status === 404 || list.status === 403) return;
+    const goals = (list.json as { goals?: Array<{ id: string }> })?.goals ?? [];
+    if (goals.length === 0) return;
+
+    const res = await driver.post(`/v1/host/sample/goals/${goals[0]!.id}`, { state: 'satisfied' });
+    if (res.status === 404) return;
+    expect(
+      res.status >= 400,
+      driver.describe('agent-runtime.md §"Standing goals" clause 1', 'a client-supplied state: satisfied MUST be refused — completion is the judge\'s verdict'),
+    ).toBe(true);
+  });
+});

package/src/scenarios/grpc-transport.test.ts

@@ -0,0 +1,108 @@
+/**
+ * grpc-transport — `spec/v1/grpc-transport.md` advertisement-shape scenario
+ * (capability-gated on `capabilities.grpc`; the schema block lands with
+ * RFC 0094 §H on this branch).
+ *
+ * SHAPE-ONLY by design: this scenario validates the advertised
+ * `capabilities.grpc` block against the doc's MUSTs without dialing gRPC
+ * (the suite ships no gRPC client — see grpc-transport.md §Implementation
+ * notes). The end-to-end legs (GetCapabilities equivalence, run
+ * round-trip, error-envelope mapping, auth metadata) are listed in
+ * grpc-transport.md §Conformance and stay future work for a host-side
+ * gRPC harness.
+ *
+ * Gated via `behaviorGate('openwop-grpc-transport', grpc !== undefined)`
+ * — soft-skip when the block is absent (absent ⇒ no gRPC transport,
+ * which is conformant), hard-fail under `OPENWOP_REQUIRE_BEHAVIOR=true`
+ * unless honestly opted out (root-first family read per RFC 0073).
+ *
+ * Asserted MUSTs (grpc-transport.md §"Field semantics"):
+ *   - `supported` is a boolean;
+ *   - `service` is the canonical `openwop.v1.Engine` for v1;
+ *   - `tls` ∈ {"required", "optional", "disabled"};
+ *   - `endpoint`, when present, is a `grpc://` or `grpcs://` URI;
+ *   - when `supported: true`, root `supportedTransports` includes
+ *     `"grpc"` ("presence required when gRPC is exposed");
+ *   - a production-profile claimant (root `production` block advertised)
+ *     MUST set `tls: "required"`.
+ *
+ * @see spec/v1/grpc-transport.md §"Field semantics" + §Conformance
+ * @see RFCS/0094-wire-shape-reconciliation.md §H
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+import { behaviorGate } from '../lib/behavior-gate.js';
+import { capabilityFamily } from '../lib/discovery-capabilities.js';
+
+const HTTP_SKIP = !process.env.OPENWOP_BASE_URL;
+
+const TLS_VALUES = ['required', 'optional', 'disabled'];
+const V1_SERVICE = 'openwop.v1.Engine';
+
+interface GrpcCap {
+  readonly supported?: unknown;
+  readonly endpoint?: unknown;
+  readonly service?: unknown;
+  readonly tls?: unknown;
+}
+
+describe.skipIf(HTTP_SKIP)('grpc-transport: advertisement shape (grpc-transport.md §Field semantics)', () => {
+  it('an advertised capabilities.grpc block satisfies every doc MUST', async () => {
+    const res = await driver.get('/.well-known/openwop');
+    if (res.status !== 200) return;
+    const grpc = capabilityFamily<GrpcCap>(res.json, 'grpc');
+    if (!behaviorGate('openwop-grpc-transport', grpc !== undefined)) return;
+
+    expect(
+      typeof grpc!.supported,
+      driver.describe('grpc-transport.md §Field semantics', 'capabilities.grpc.supported MUST be a boolean'),
+    ).toBe('boolean');
+
+    expect(
+      grpc!.service,
+      driver.describe('grpc-transport.md §Field semantics', 'v1 hosts MUST use the canonical service name openwop.v1.Engine'),
+    ).toBe(V1_SERVICE);
+
+    expect(
+      TLS_VALUES,
+      driver.describe(
+        'grpc-transport.md §Field semantics',
+        `capabilities.grpc.tls MUST be one of ${TLS_VALUES.join(' / ')} (got ${String(grpc!.tls)})`,
+      ),
+    ).toContain(grpc!.tls);
+
+    if (grpc!.endpoint !== undefined) {
+      expect(
+        typeof grpc!.endpoint === 'string' && /^grpcs?:\/\/.+/.test(grpc!.endpoint),
+        driver.describe(
+          'grpc-transport.md §Field semantics',
+          `capabilities.grpc.endpoint MUST be a grpc:// (cleartext) or grpcs:// (TLS) URI (got ${String(grpc!.endpoint)})`,
+        ),
+      ).toBe(true);
+    }
+
+    if (grpc!.supported === true) {
+      const transports = capabilityFamily<unknown>(res.json, 'supportedTransports');
+      expect(
+        Array.isArray(transports) && transports.includes('grpc'),
+        driver.describe(
+          'grpc-transport.md §Field semantics',
+          'supportedTransports MUST include "grpc" when the gRPC surface is exposed',
+        ),
+      ).toBe(true);
+    }
+
+    // Production-profile claimants MUST require TLS on the gRPC listener.
+    const production = capabilityFamily<unknown>(res.json, 'production');
+    if (production !== undefined && grpc!.supported === true) {
+      expect(
+        grpc!.tls,
+        driver.describe(
+          'grpc-transport.md §Field semantics',
+          'production hosts MUST set capabilities.grpc.tls: "required"',
+        ),
+      ).toBe('required');
+    }
+  });
+});