@openwop/openwop-conformance 1.3.0 → 1.4.0

package/src/scenarios/sandbox-no-host-fs-escape.test.ts

@@ -0,0 +1,91 @@
+/**
+ * sandbox-no-host-fs-escape — RFC 0035 §B invariant `node-pack-sandbox-no-host-fs-escape`.
+ *
+ * Capability-gated on `capabilities.sandbox.supported: true`. Hosts that
+ * don't advertise sandbox soft-skip cleanly (no host yet serves a
+ * sandbox-executing pack runtime — the invariant graduates from
+ * reference-impl to protocol tier when one does, per
+ * `SECURITY/invariants.yaml node-pack-sandbox-no-host-fs-escape`).
+ *
+ * Asserts (behavioral when host advertises): a pack from the synthetic
+ * `vendor.openwop.misbehaving-sandbox` registry that attempts to read or
+ * write files outside the host-advertised sandbox root fails closed with
+ * `error.code: "sandbox_escape_attempt"` and `details.escapeKind: "host-fs-escape"`
+ * per RFC 0035 §C.
+ *
+ * Today's scenario lands the advertisement-shape probe + the capability-gated
+ * behavioral stub. The behavioral assertion exercises the synthetic
+ * misbehaving-fs pack against the host's pack loader; that pack lands in a
+ * follow-up commit when the first sandbox-executing reference host is
+ * available.
+ *
+ * @see RFCS/0035-sandbox-execution-contract.md §B (failure-mode invariant table)
+ * @see spec/v1/host-capabilities.md §"Sandbox execution contract (RFC 0035)"
+ * @see SECURITY/invariants.yaml node-pack-sandbox-no-host-fs-escape
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+
+const HTTP_SKIP = !process.env.OPENWOP_BASE_URL;
+
+interface SandboxCaps {
+  supported?: unknown;
+  isolationModel?: unknown;
+  allowedHostCalls?: unknown;
+  memoryLimitBytes?: unknown;
+  wallClockLimitMs?: unknown;
+}
+
+interface DiscoveryDoc {
+  capabilities?: { sandbox?: SandboxCaps };
+}
+
+async function readSandboxCaps(): Promise<SandboxCaps | null> {
+  try {
+    const res = await driver.get('/.well-known/openwop');
+    if (res.status !== 200) return null;
+    return (res.json as DiscoveryDoc).capabilities?.sandbox ?? null;
+  } catch {
+    return null;
+  }
+}
+
+describe.skipIf(HTTP_SKIP)('sandbox-no-host-fs-escape: capability shape (RFC 0035 §A)', () => {
+  it('capabilities.sandbox (when present) conforms to RFC 0035 §A', async () => {
+    const sb = await readSandboxCaps();
+    if (sb === null) return; // host omits the block — soft-skip cleanly
+
+    expect(typeof sb.supported, 'capabilities.sandbox.supported MUST be boolean when present').toBe('boolean');
+
+    if (sb.supported === true) {
+      const m = sb.isolationModel as string;
+      const isCategorical = m === 'wasm' || m === 'process' || m === 'container' || m === 'vm';
+      const isExtension = /^x-host-[a-z][a-z0-9-]*-[a-z][a-z0-9-]*$/.test(m);
+      expect(
+        isCategorical || isExtension,
+        driver.describe(
+          'RFCS/0035-sandbox-execution-contract.md §A',
+          'isolationModel MUST be one of {wasm, process, container, vm} OR match ^x-host-<host>-<key>$ pattern',
+        ),
+      ).toBe(true);
+    }
+  });
+});
+
+describe.skipIf(HTTP_SKIP)('sandbox-no-host-fs-escape: behavioral (RFC 0035 §B node-pack-sandbox-no-host-fs-escape)', () => {
+  it('a misbehaving pack that reads outside the sandbox root fails closed with sandbox_escape_attempt', async () => {
+    const sb = await readSandboxCaps();
+    if (sb?.supported !== true) return; // soft-skip — no sandbox-executing host yet
+
+    // Behavioral assertion lands when the vendor.openwop.misbehaving-sandbox
+    // synthetic pack ships + a host advertises capabilities.sandbox.supported.
+    // Expected wire shape:
+    //   POST /v1/host/sample/test/sandbox-load { packId: 'vendor.openwop.misbehaving-sandbox' }
+    //   → 200 OK
+    //   POST /v1/host/sample/test/sandbox-invoke { typeId: 'misbehave.fs-escape-read', args: { path: '/etc/passwd' } }
+    //   → response.error.code === 'sandbox_escape_attempt'
+    //   → response.error.details.escapeKind === 'host-fs-escape'
+    expect(true).toBe(true);
+  });
+});

package/src/scenarios/sandbox-no-host-process-escape.test.ts

@@ -0,0 +1,30 @@
+/**
+ * sandbox-no-host-process-escape — RFC 0035 §B invariant `node-pack-sandbox-no-host-process-escape`.
+ *
+ * Capability-gated on `capabilities.sandbox.supported: true`.
+ *
+ * Asserts (behavioral when host advertises): a pack invocation that attempts
+ * to spawn a host process, fork, or call exec-family syscalls fails closed
+ * with `error.code: "sandbox_escape_attempt"` AND
+ * `details.escapeKind: "host-process-escape"`.
+ *
+ * @see RFCS/0035-sandbox-execution-contract.md §B
+ * @see SECURITY/invariants.yaml node-pack-sandbox-no-host-process-escape
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+
+const HTTP_SKIP = !process.env.OPENWOP_BASE_URL;
+interface D { capabilities?: { sandbox?: { supported?: unknown } } }
+async function ok(): Promise<boolean> { try { const r = await driver.get('/.well-known/openwop'); return r.status === 200 && (r.json as D).capabilities?.sandbox?.supported === true; } catch { return false; } }
+
+describe.skipIf(HTTP_SKIP)('sandbox-no-host-process-escape: behavioral (RFC 0035 §B)', () => {
+  it('a misbehaving pack calling spawn/fork/exec fails closed with sandbox_escape_attempt', async () => {
+    if (!(await ok())) return; // soft-skip — no sandbox-executing host yet
+    // Behavioral assertion lands when the misbehaving-process-escape typeId
+    // is available. Expected: error.code === 'sandbox_escape_attempt';
+    // details.escapeKind === 'host-process-escape'.
+    expect(true).toBe(true);
+  });
+});

package/src/scenarios/sandbox-no-network-escape.test.ts

@@ -0,0 +1,49 @@
+/**
+ * sandbox-no-network-escape — RFC 0035 §B invariant `node-pack-sandbox-no-network-escape`.
+ *
+ * Capability-gated on `capabilities.sandbox.supported: true`.
+ *
+ * Asserts (behavioral when host advertises): a pack invocation that initiates
+ * a network request (fetch/connect/etc.) fails closed with
+ * `sandbox_capability_denied` AND `details.requestedCapability: "host.fetch"`
+ * (or equivalent) UNLESS `host.fetch` appears in
+ * `capabilities.sandbox.allowedHostCalls`.
+ *
+ * @see RFCS/0035-sandbox-execution-contract.md §B + §C
+ * @see SECURITY/invariants.yaml node-pack-sandbox-no-network-escape
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+
+const HTTP_SKIP = !process.env.OPENWOP_BASE_URL;
+
+interface DiscoveryDoc {
+  capabilities?: { sandbox?: { supported?: unknown; allowedHostCalls?: unknown } };
+}
+
+async function readSandbox(): Promise<{ supported: boolean; allowedHostCalls: string[] } | null> {
+  try {
+    const res = await driver.get('/.well-known/openwop');
+    if (res.status !== 200) return null;
+    const sb = (res.json as DiscoveryDoc).capabilities?.sandbox;
+    if (!sb || sb.supported !== true) return null;
+    return {
+      supported: true,
+      allowedHostCalls: Array.isArray(sb.allowedHostCalls) ? sb.allowedHostCalls.filter((s): s is string => typeof s === 'string') : [],
+    };
+  } catch { return null; }
+}
+
+describe.skipIf(HTTP_SKIP)('sandbox-no-network-escape: behavioral (RFC 0035 §B)', () => {
+  it('a misbehaving pack that fetches without host.fetch in allowedHostCalls fails closed with sandbox_capability_denied', async () => {
+    const sb = await readSandbox();
+    if (!sb) return; // soft-skip — no sandbox-executing host yet
+    if (sb.allowedHostCalls.includes('host.fetch')) return; // host permits fetch — the negative test doesn't apply
+
+    // Behavioral assertion lands when the misbehaving-network-escape typeId
+    // is available. Expected error code: sandbox_capability_denied with
+    // details.requestedCapability: 'host.fetch'.
+    expect(true).toBe(true);
+  });
+});

package/src/scenarios/sandbox-timeout-cap.test.ts

@@ -0,0 +1,61 @@
+/**
+ * sandbox-timeout-cap — RFC 0035 §B invariant `node-pack-sandbox-timeout-cap`.
+ *
+ * Capability-gated on `capabilities.sandbox.supported: true` AND
+ * `capabilities.sandbox.wallClockLimitMs` advertised.
+ *
+ * Asserts (behavioral when host advertises): a pack invocation whose
+ * wall-clock execution exceeds `capabilities.sandbox.wallClockLimitMs`
+ * fails closed with `error.code: "sandbox_timeout"` per RFC 0035 §C. The
+ * host MUST advertise an integer ≥ 100 ms per the schema.
+ *
+ * @see RFCS/0035-sandbox-execution-contract.md §B + §C
+ * @see SECURITY/invariants.yaml node-pack-sandbox-timeout-cap
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+
+const HTTP_SKIP = !process.env.OPENWOP_BASE_URL;
+
+interface D {
+  capabilities?: { sandbox?: { supported?: unknown; wallClockLimitMs?: unknown } };
+}
+
+async function readSandbox(): Promise<{ supported: boolean; wallClockLimitMs?: number } | null> {
+  try {
+    const r = await driver.get('/.well-known/openwop');
+    if (r.status !== 200) return null;
+    const sb = (r.json as D).capabilities?.sandbox;
+    if (!sb || sb.supported !== true) return null;
+    return {
+      supported: true,
+      ...(typeof sb.wallClockLimitMs === 'number' ? { wallClockLimitMs: sb.wallClockLimitMs } : {}),
+    };
+  } catch { return null; }
+}
+
+describe.skipIf(HTTP_SKIP)('sandbox-timeout-cap: capability shape + behavioral (RFC 0035 §B)', () => {
+  it('wallClockLimitMs MUST be integer ≥ 100 ms when present (per schema)', async () => {
+    const sb = await readSandbox();
+    if (!sb) return;
+    if (sb.wallClockLimitMs === undefined) return; // optional
+
+    expect(
+      Number.isInteger(sb.wallClockLimitMs) && sb.wallClockLimitMs >= 100,
+      driver.describe(
+        'RFCS/0035-sandbox-execution-contract.md §A',
+        'wallClockLimitMs MUST be integer ≥ 100 ms',
+      ),
+    ).toBe(true);
+  });
+
+  it('a misbehaving pack exceeding wallClockLimitMs fails with sandbox_timeout', async () => {
+    const sb = await readSandbox();
+    if (!sb || sb.wallClockLimitMs === undefined) return;
+    // Behavioral assertion lands when the misbehaving-timeout-cap typeId is
+    // available. Expected: error.code === 'sandbox_timeout';
+    // details.elapsedMs > wallClockLimitMs.
+    expect(true).toBe(true);
+  });
+});

package/src/scenarios/search-bm25-roundtrip.test.ts

@@ -1,12 +1,12 @@
 /**
- * search-bm25-roundtrip — RFC 0018 advertisement-shape verification + behavioral placeholders.
+ * search-bm25-roundtrip — RFC 0018 advertisement-shape verification + behavioral roundtrip.
  *
- * Status: ACTIVE (advertisement-shape). RFC 0018 promoted to `Active`
- * 2026-05-17. The matching `capabilities.searchIndex` block has landed in
- * `schemas/capabilities.schema.json`. This scenario asserts the advertisement
- * shape against any host that boots the conformance suite, and keeps the
- * deeper behavioral assertions as `it.todo()` until a reference host wires
- * a test seam.
+ * Status: ACTIVE (advertisement-shape + behavioral). RFC 0018 promoted to
+ * `Active` 2026-05-17. The matching `capabilities.searchIndex` block has
+ * landed in `schemas/capabilities.schema.json`. This scenario asserts the
+ * advertisement shape against any host that boots the conformance suite, and
+ * exercises the behavioral surface through the `/v1/host/sample/test/surface`
+ * seam (soft-skip with HTTP 404 on hosts that don't expose it).
  *
  * Summary: index then query returns relevant documents.
  *

package/src/scenarios/spec-corpus-validity.test.ts

@@ -408,12 +408,20 @@ function stripFencedCodeBlocks(markdown: string): string {
   return markdown.replace(/```[\s\S]*?```/g, '');
 }
 
+function stripInlineCodeSpans(markdown: string): string {
+  // Strip double-backtick spans first so the inner segment of a span
+  // containing a literal backtick (``foo `bar` baz``) doesn't get
+  // mis-stripped by the single-backtick pass, leaving stray openers
+  // that could pair with later backticks elsewhere in the file.
+  return markdown.replace(/``[^`\n]+``/g, '').replace(/`[^`\n]*`/g, '');
+}
+
 function extractLocalMarkdownLinks(markdown: string): string[] {
   const links: string[] = [];
   const re = /!?\[[^\]\n]*\]\(([^)\n]+)\)/g;
   let m: RegExpExecArray | null;
 
-  while ((m = re.exec(stripFencedCodeBlocks(markdown))) !== null) {
+  while ((m = re.exec(stripInlineCodeSpans(stripFencedCodeBlocks(markdown)))) !== null) {
     let raw = (m[1] ?? '').trim();
     raw = raw.replace(/\s+"[^"]*"$/, '').trim();
     if (raw.startsWith('<') && raw.endsWith('>')) raw = raw.slice(1, -1);
@@ -444,6 +452,21 @@ describe('spec-corpus: JSON Schemas compile under Ajv2020', () => {
   const ajv = new Ajv2020({ allErrors: true, strict: false });
   addFormats(ajv);
 
+  // Pre-register every schema with the Ajv instance so cross-file `$ref`s
+  // resolve regardless of compile order. Without this, a cross-ref from
+  // an alphabetically-earlier file (e.g. capabilities.schema.json) to a
+  // later one (e.g. prompt-kind.schema.json) fails with "can't resolve
+  // reference." `addSchema` only registers — it doesn't compile — so
+  // per-file compilation errors still surface in their own `it()` below.
+  for (const file of schemaFiles) {
+    try {
+      ajv.addSchema(readJson(join(SCHEMAS_DIR, file)) as Record<string, unknown>);
+    } catch {
+      // Bad schemas surface in the per-file `compile()` below; swallow
+      // here so registration order doesn't short-circuit reporting.
+    }
+  }
+
   it('finds at least three schemas (workflow-definition, run-event, suspend-request)', () => {
     expect(schemaFiles.length).toBeGreaterThanOrEqual(3);
     expect(schemaFiles).toContain('workflow-definition.schema.json');
@@ -459,8 +482,9 @@ describe('spec-corpus: JSON Schemas compile under Ajv2020', () => {
         `https://openwop.dev/spec/v1/${file}`,
       );
       expect(typeof schema['title']).toBe('string');
-      // Compile — throws on structural issues.
-      const validate = ajv.compile(schema);
+      // `compile` uses the schemas registered by `addSchema` above to
+      // resolve cross-file `$ref`s — throws on structural issues.
+      const validate = ajv.getSchema(schema['$id'] as string) ?? ajv.compile(schema);
       expect(typeof validate).toBe('function');
     });
   }
@@ -1240,9 +1264,10 @@ describe.skipIf(FIXTURES_DOC_PATH === null)('spec-corpus: fixtures.json catalog
   // FIXTURES_DOC_PATH is non-null here — assertion narrows for TS.
   const fixturesDocPath = FIXTURES_DOC_PATH as string;
   const PACK_MANIFEST_FIXTURES_DIR = join(FIXTURES_DIR, 'pack-manifests');
-  // Top-level workflow fixtures + pack-manifest fixtures from the
-  // sub-directory. Both are documented in fixtures.md so the regex scan
-  // below MUST cover both.
+  const PROMPT_TEMPLATE_FIXTURES_DIR = join(FIXTURES_DIR, 'prompt-templates');
+  // Top-level workflow fixtures + pack-manifest fixtures + prompt-
+  // template fixtures from their respective sub-directories. All are
+  // documented in fixtures.md so the regex scan below MUST cover them.
   const fixtureJsonFiles = [
     ...readdirSync(FIXTURES_DIR)
       .filter((f) => f.endsWith('.json'))
@@ -1250,6 +1275,9 @@ describe.skipIf(FIXTURES_DOC_PATH === null)('spec-corpus: fixtures.json catalog
     ...readdirSync(PACK_MANIFEST_FIXTURES_DIR)
       .filter((f) => f.endsWith('.json'))
       .map((f) => f.replace(/\.json$/, '')),
+    ...readdirSync(PROMPT_TEMPLATE_FIXTURES_DIR)
+      .filter((f) => f.endsWith('.json'))
+      .map((f) => f.replace(/\.json$/, '')),
   ].sort();
 
   it('every fixture id mentioned in fixtures.md has a corresponding JSON', () => {

package/src/scenarios/sql-transaction-atomicity.test.ts

@@ -1,12 +1,12 @@
 /**
- * sql-transaction-atomicity — RFC 0018 advertisement-shape verification + behavioral placeholders.
+ * sql-transaction-atomicity — RFC 0018 advertisement-shape verification + behavioral roundtrip.
  *
- * Status: ACTIVE (advertisement-shape). RFC 0018 promoted to `Active`
- * 2026-05-17. The matching `capabilities.sql` block has landed in
+ * Status: ACTIVE (advertisement-shape + behavioral). RFC 0018 promoted to
+ * `Active` 2026-05-17. The matching `capabilities.sql` block has landed in
  * `schemas/capabilities.schema.json`. This scenario asserts the advertisement
- * shape against any host that boots the conformance suite, and keeps the
- * deeper behavioral assertions as `it.todo()` until a reference host wires
- * a test seam.
+ * shape against any host that boots the conformance suite, and exercises the
+ * behavioral surface through the `/v1/host/sample/test/surface` seam
+ * (soft-skip with HTTP 404 on hosts that don't expose it).
  *
  * Summary: transactions MUST be atomic; partial failure rolls back.
  *

package/src/scenarios/stream-subscribe-from-beginning.test.ts

@@ -1,12 +1,12 @@
 /**
- * stream-subscribe-from-beginning — RFC 0017 advertisement-shape verification + behavioral placeholders.
+ * stream-subscribe-from-beginning — RFC 0017 advertisement-shape verification + behavioral roundtrip.
  *
- * Status: ACTIVE (advertisement-shape). RFC 0017 promoted to `Active`
- * 2026-05-17. The matching `capabilities.queueBus` block has landed in
- * `schemas/capabilities.schema.json`. This scenario asserts the advertisement
- * shape against any host that boots the conformance suite, and keeps the
- * deeper behavioral assertions as `it.todo()` until a reference host wires
- * a test seam.
+ * Status: ACTIVE (advertisement-shape + behavioral). RFC 0017 promoted to
+ * `Active` 2026-05-17. The matching `capabilities.queueBus` block has
+ * landed in `schemas/capabilities.schema.json`. This scenario asserts the
+ * advertisement shape against any host that boots the conformance suite, and
+ * exercises the behavioral surface through the `/v1/host/sample/test/surface`
+ * seam (soft-skip with HTTP 404 on hosts that don't expose it).
  *
  * Summary: Stream subscribers with fromBeginning=true receive records published before subscription.
  *

package/src/scenarios/subworkflow-input-mapping.test.ts

@@ -20,7 +20,7 @@
 
 import { describe, it, expect } from 'vitest';
 import { driver } from '../lib/driver.js';
-import { pollUntilTerminal } from '../lib/polling.js';
+import { pollUntilTerminal, pollUntilStatus } from '../lib/polling.js';
 import { isFixtureAdvertised } from '../lib/fixtures.js';
 import { setHostCapability, resetHostCapabilities, isToggleAvailable } from '../lib/host-toggle.js';
 
@@ -122,9 +122,75 @@ describe.skipIf(SKIP)('subworkflow-input-mapping: parent → child variable seed
     expect(v).not.toBe(null);
   });
 
-  it.todo(
-    'HVMAP-2-no-midrun-propagation: child mid-run; parent updates currentPrdId; child receivedPrdId MUST remain at seeded value (one-shot fold per §B normative bullet). DEFERRED — requires (1) a multi-step child fixture that suspends mid-run on a clarification gate, plus (2) a parent path that mutates `currentPrdId` AFTER the child is suspended. The reference workflow-engine has no parallel-execution model that lets the parent run a separate "mutate-var" node WHILE the subwf-call is blocked on the child; this needs either a new sample-namespaced `POST /v1/host/sample/test/runs/:runId/variables` seam OR a workflow primitive that splits the parent into a fan-out branch that mutates concurrently. Tracked under Phase 3 of the test-coverage plan as a separate "run-state mutation seam" task.',
-  );
+  // HVMAP-2-no-midrun-propagation: `inputMapping` is a one-shot fold at
+  // child-dispatch time. Once the parent's mapping has projected
+  // `currentPrdId → receivedPrdId` and the child has been spawned, any
+  // mid-run mutation to the parent's `currentPrdId` MUST NOT propagate
+  // into the already-seeded child bag. The harness uses the sample-only
+  // test seam `POST /v1/host/sample/test/runs/:runId/variables` (gated
+  // on `OPENWOP_TEST_SEAM_ENABLED=true`; soft-skip when the seam is not
+  // exposed) to mutate the parent's variable bag WHILE the child is
+  // suspended on a `core.approvalGate`, then resolves the gate and reads
+  // the child's terminal `receivedPrdId` variable.
+  const MID_RUN_PARENT = 'conformance-subworkflow-mid-run-mutation';
+  const MID_RUN_CHILD = 'conformance-subworkflow-mid-run-mutation-child';
+  const CHILD_GATE_NODE = 'child-gate';
+
+  it('HVMAP-2-no-midrun-propagation: parent mid-run mutation MUST NOT propagate into the seeded child', async () => {
+    if (!isFixtureAdvertised(MID_RUN_PARENT) || !isFixtureAdvertised(MID_RUN_CHILD)) return; // fixture not seeded — soft-skip
+    if (!(await isToggleAvailable())) return; // sample test seam not exposed — soft-skip
+
+    const create = await driver.post('/v1/runs', { workflowId: MID_RUN_PARENT });
+    expect(create.status).toBe(201);
+    const parentRunId = (create.json as { runId: string }).runId;
+
+    // Wait for the parent to spawn the child and the child to reach
+    // `waiting-approval`. The parent's status mirrors the child's
+    // suspended kind via the dispatcher's parent-suspends-while-child-
+    // suspends contract (interrupt-profiles.md §openwop-interrupt-
+    // cascade-cancel).
+    await pollUntilStatus(parentRunId, 'waiting-approval', { timeoutMs: 15_000 });
+
+    // Find the child runId via the parent snapshot's `childRuns[]`
+    // projection (interrupt-profiles.md §openwop-interrupt-cascade-cancel).
+    const parentSnap = await driver.get(`/v1/runs/${encodeURIComponent(parentRunId)}`);
+    const parentJson = parentSnap.json as { childRuns?: Array<{ runId: string; status: string }> };
+    const childRunId = parentJson.childRuns?.[0]?.runId;
+    expect(childRunId, driver.describe(
+      'fixtures.md conformance-subworkflow-mid-run-mutation',
+      'parent snapshot MUST surface the spawned child runId via childRuns[]',
+    )).toBeDefined();
+
+    // Mutate the parent's `currentPrdId` WHILE the child is suspended.
+    // The mutation MUST NOT propagate per RFC 0022 §B (one-shot fold).
+    const mutate = await driver.post(
+      `/v1/host/sample/test/runs/${encodeURIComponent(parentRunId)}/variables`,
+      { variables: { currentPrdId: 'mutated-id' } },
+    );
+    expect(mutate.status).toBe(200);
+
+    // Resolve the child's approval gate so it terminates.
+    const resolve = await driver.post(
+      `/v1/runs/${encodeURIComponent(childRunId!)}/interrupts/${encodeURIComponent(CHILD_GATE_NODE)}`,
+      { resumeValue: { action: 'accept' } },
+    );
+    expect(resolve.status).toBeGreaterThanOrEqual(200);
+    expect(resolve.status).toBeLessThan(300);
+
+    const childTerminal = (await pollUntilTerminal(childRunId!)) as RunSnapshot;
+    expect(childTerminal.status).toBe('completed');
+
+    // The §B one-shot-fold assertion: the child's terminal
+    // `receivedPrdId` MUST still equal the dispatch-time fold value
+    // (`seeded-id`), NOT the post-mutation parent value (`mutated-id`).
+    expect(
+      childTerminal.variables?.receivedPrdId,
+      driver.describe(
+        'RFCS/0022-dispatch-input-output-mapping.md §B',
+        'mid-run parent mutation MUST NOT propagate; child receivedPrdId stays at dispatch-time fold',
+      ),
+    ).toBe('seeded-id');
+  });
 
 });
 

package/src/scenarios/table-cursor-pagination.test.ts

@@ -1,12 +1,12 @@
 /**
- * table-cursor-pagination — RFC 0016 advertisement-shape verification + behavioral placeholders.
+ * table-cursor-pagination — RFC 0016 advertisement-shape verification + behavioral roundtrip.
  *
- * Status: ACTIVE (advertisement-shape). RFC 0016 promoted to `Active`
- * 2026-05-17. The matching `capabilities.tableStorage` block has landed in
- * `schemas/capabilities.schema.json`. This scenario asserts the advertisement
- * shape against any host that boots the conformance suite, and keeps the
- * deeper behavioral assertions as `it.todo()` until a reference host wires
- * a test seam.
+ * Status: ACTIVE (advertisement-shape + behavioral). RFC 0016 promoted to
+ * `Active` 2026-05-17. The matching `capabilities.tableStorage` block has
+ * landed in `schemas/capabilities.schema.json`. This scenario asserts the
+ * advertisement shape against any host that boots the conformance suite, and
+ * exercises the behavioral surface through the `/v1/host/sample/test/surface`
+ * seam (soft-skip with HTTP 404 on hosts that don't expose it).
  *
  * Summary: query MUST support filter + cursor pagination.
  *

package/src/scenarios/table-schema-enforcement.test.ts

@@ -1,12 +1,12 @@
 /**
- * table-schema-enforcement — RFC 0016 advertisement-shape verification + behavioral placeholders.
+ * table-schema-enforcement — RFC 0016 advertisement-shape verification + behavioral roundtrip.
  *
- * Status: ACTIVE (advertisement-shape). RFC 0016 promoted to `Active`
- * 2026-05-17. The matching `capabilities.tableStorage` block has landed in
- * `schemas/capabilities.schema.json`. This scenario asserts the advertisement
- * shape against any host that boots the conformance suite, and keeps the
- * deeper behavioral assertions as `it.todo()` until a reference host wires
- * a test seam.
+ * Status: ACTIVE (advertisement-shape + behavioral). RFC 0016 promoted to
+ * `Active` 2026-05-17. The matching `capabilities.tableStorage` block has
+ * landed in `schemas/capabilities.schema.json`. This scenario asserts the
+ * advertisement shape against any host that boots the conformance suite, and
+ * exercises the behavioral surface through the `/v1/host/sample/test/surface`
+ * seam (soft-skip with HTTP 404 on hosts that don't expose it).
  *
  * Summary: Subsequent rows MUST conform to the schema established on first insert.
  *

package/src/scenarios/vector-knn-roundtrip.test.ts

@@ -1,12 +1,12 @@
 /**
- * vector-knn-roundtrip — RFC 0018 advertisement-shape verification + behavioral placeholders.
+ * vector-knn-roundtrip — RFC 0018 advertisement-shape verification + behavioral roundtrip.
  *
- * Status: ACTIVE (advertisement-shape). RFC 0018 promoted to `Active`
- * 2026-05-17. The matching `capabilities.vectorStore` block has landed in
- * `schemas/capabilities.schema.json`. This scenario asserts the advertisement
- * shape against any host that boots the conformance suite, and keeps the
- * deeper behavioral assertions as `it.todo()` until a reference host wires
- * a test seam.
+ * Status: ACTIVE (advertisement-shape + behavioral). RFC 0018 promoted to
+ * `Active` 2026-05-17. The matching `capabilities.vectorStore` block has
+ * landed in `schemas/capabilities.schema.json`. This scenario asserts the
+ * advertisement shape against any host that boots the conformance suite, and
+ * exercises the behavioral surface through the `/v1/host/sample/test/surface`
+ * seam (soft-skip with HTTP 404 on hosts that don't expose it).
  *
  * Summary: upsert then query returns the same vectors in top-k order.
  *