@openwop/openwop-conformance 1.4.0 → 1.6.0

package/schemas/node-pack-manifest.schema.json

@@ -69,7 +69,8 @@
       "description": "Optional agent manifests shipped alongside this pack. Each entry is an AgentManifest (see agent-manifest.schema.json + RFC 0003 §`agents[]` extension). Pure-agent packs MUST set `runtime.language: 'remote'` — agents are interpreted by the host, not bundled as executable artifacts. Mixed packs (nodes + agents) declare the runtime that loads the node implementations; agents remain host-interpreted."
     },
     "runtime": { "$ref": "#/$defs/Runtime" },
-    "signing": { "$ref": "#/$defs/Signing" }
+    "signing": { "$ref": "#/$defs/Signing" },
+    "connector": { "$ref": "#/$defs/Connector" }
   },
   "additionalProperties": false,
   "$defs": {
@@ -161,6 +162,15 @@
           "items": { "$ref": "#/$defs/SecretRequirement" },
           "description": "Secrets the node needs to execute. Resolved by the host's secret-resolution adapter at dispatch time. Hosts that don't advertise `Capabilities.secrets.supported` MUST refuse to dispatch a node with non-empty `requiresSecrets` and return `credential_unavailable`."
         },
+        "requiredCredentials": {
+          "type": "array",
+          "items": { "$ref": "#/$defs/CredentialRequirement" },
+          "description": "RFC 0046. Credentials the node needs, resolved by the host's `host.credentials` resolver at dispatch time (distinct from `requiresSecrets`, which targets the informal BYOK annex). Hosts that don't advertise `Capabilities.credentials.supported` MUST refuse to dispatch a node with non-empty `requiredCredentials` and return `credential_unavailable` (peerDependency `credentials: 'supported'`)."
+        },
+        "auth": {
+          "$ref": "#/$defs/NodeAuth",
+          "description": "RFC 0047. The node's third-party authentication need. The host acquires + refreshes the token via the `host.oauth` flow and resolves it into the node sandbox as a bearer token. Hosts that don't advertise `Capabilities.oauth.supported` (or lack the named provider/scope) MUST refuse to register the pack (`oauth_provider_unsupported` / `oauth_scope_unsupported`)."
+        },
         "requiredModelCapabilities": {
           "type": "array",
           "items": {
@@ -219,6 +229,107 @@
       },
       "additionalProperties": false
     },
+    "CredentialRequirement": {
+      "type": "object",
+      "required": ["key"],
+      "description": "RFC 0046. A credential the node needs, resolved by the host's `host.credentials` resolver into the node sandbox at dispatch time. The node declares only the requirement; raw key material NEVER reaches the protocol surface (events, logs, traces, replay) per the `credential-payload-redaction` invariant.",
+      "properties": {
+        "key": {
+          "type": "string",
+          "minLength": 1,
+          "description": "Stable identifier the node executor uses to look up the resolved credential (e.g., `'slack-bot-token'`)."
+        },
+        "scope": {
+          "type": "string",
+          "enum": ["user", "workspace", "tenant"],
+          "description": "Resolution scope. MUST match a scope in `Capabilities.credentials.scopes`. Defaults to the host's default scope when omitted."
+        },
+        "displayName": {
+          "type": "string",
+          "description": "Optional human-readable label for credential-management UIs."
+        }
+      },
+      "additionalProperties": false
+    },
+    "NodeAuth": {
+      "type": "object",
+      "required": ["type", "provider"],
+      "description": "RFC 0047. A node's third-party authentication declaration. The node declares only which provider + scopes it needs; the host performs the OAuth dance and resolves the token in-sandbox. Raw token material NEVER reaches the protocol surface (`credential-payload-redaction` invariant).",
+      "properties": {
+        "type": {
+          "type": "string",
+          "enum": ["oauth2"],
+          "description": "Authentication mechanism. `oauth2` routes through the `host.oauth` flow."
+        },
+        "provider": {
+          "type": "string",
+          "minLength": 1,
+          "description": "Provider id; MUST match an advertised `capabilities.oauth.providers[].id` (e.g. `slack`, `google`)."
+        },
+        "scopes": {
+          "type": "array",
+          "items": { "type": "string" },
+          "description": "OAuth scopes the node requires; each MUST be in the provider's advertised `scopesSupported`."
+        }
+      },
+      "additionalProperties": false
+    },
+    "ConnectorAuth": {
+      "description": "RFC 0045. The auth declaration shared by a connector's actions. Either an RFC 0047 OAuth2 declaration or an RFC 0046 stored-credential reference.",
+      "oneOf": [
+        { "$ref": "#/$defs/NodeAuth" },
+        {
+          "type": "object",
+          "required": ["type", "key"],
+          "properties": {
+            "type": { "type": "string", "enum": ["credential"], "description": "Static stored-credential auth via the RFC 0046 host.credentials resolver." },
+            "key": { "type": "string", "minLength": 1, "description": "CredentialRequirement key the host resolves into the node sandbox." },
+            "scope": { "type": "string", "enum": ["user", "workspace", "tenant"], "description": "Resolution scope; MUST match a scope in `capabilities.credentials.scopes`." }
+          },
+          "additionalProperties": false
+        }
+      ]
+    },
+    "Connector": {
+      "type": "object",
+      "required": ["id", "displayName"],
+      "description": "RFC 0045. Declares this pack a named connector — a typed integration exposing actions (and reusing the existing trigger model). Optional; packs without it remain plain node packs. Actions are normal side-effectful nodes from this pack's `nodes[]` annotated with scheduler hints; the connector block adds metadata, not a new execution kind.",
+      "properties": {
+        "id": { "type": "string", "pattern": "^[a-z][a-z0-9.-]*$", "description": "Stable connector id, e.g. `salesforce`." },
+        "displayName": { "type": "string", "minLength": 1 },
+        "auth": { "$ref": "#/$defs/ConnectorAuth", "description": "RFC 0047/0046 auth declaration shared by the connector's actions." },
+        "actions": {
+          "type": "array",
+          "description": "Typed actions the connector exposes. Each `typeId` MUST resolve to a node typeId defined in this pack's `nodes[]` (validation error `connector_action_unresolved` otherwise).",
+          "items": {
+            "type": "object",
+            "required": ["typeId", "displayName"],
+            "properties": {
+              "typeId": { "type": "string", "minLength": 1, "description": "MUST match a `nodes[].typeId` in this manifest." },
+              "displayName": { "type": "string", "minLength": 1 },
+              "idempotent": { "type": "boolean", "description": "Action is safe to auto-retry without an idempotency key. Absent/false ⇒ the host MUST NOT auto-retry without one (composes with idempotency.md)." },
+              "rateLimit": {
+                "type": "object",
+                "properties": {
+                  "requests": { "type": "integer", "minimum": 1 },
+                  "perSeconds": { "type": "integer", "minimum": 1 }
+                },
+                "additionalProperties": false,
+                "description": "Advertised rate-limit hint the host scheduler SHOULD honor. Does not change the node's wire shape."
+              },
+              "paginated": { "type": "boolean", "description": "Action returns paginated results." }
+            },
+            "additionalProperties": false
+          }
+        },
+        "triggers": {
+          "type": "array",
+          "items": { "type": "string", "minLength": 1 },
+          "description": "typeIds of triggers (from the existing trigger model) this connector exposes. Each MUST resolve to a node/trigger typeId in this pack."
+        }
+      },
+      "additionalProperties": false
+    },
     "Runtime": {
       "type": "object",
       "required": ["language", "entry"],

package/schemas/run-diff-response.schema.json

@@ -0,0 +1,64 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://openwop.dev/spec/v1/run-diff-response.schema.json",
+  "title": "RunDiffResponse",
+  "description": "RFC 0054 — deterministic, replay-aware structured diff of two runs' event sequences and terminal states, returned by GET /v1/runs/{runId}:diff?against={otherRunId}. The diff is a pure function of the two event logs (see spec/v1/replay.md determinism contract).",
+  "type": "object",
+  "required": ["a", "b", "eventDiffs", "stateDiff"],
+  "properties": {
+    "a": {
+      "type": "string",
+      "description": "The {runId} run (the path resource)."
+    },
+    "b": {
+      "type": "string",
+      "description": "The {against} run (the query parameter)."
+    },
+    "divergedAtSeq": {
+      "type": ["integer", "null"],
+      "minimum": 0,
+      "description": "Event sequence number at which the two logs first diverge; null if identical. Aligns with replay.diverged.divergencePoint in spec/v1/replay.md."
+    },
+    "eventDiffs": {
+      "type": "array",
+      "description": "Ordered per-sequence differences. Empty when the logs are identical.",
+      "items": {
+        "type": "object",
+        "required": ["seq", "op"],
+        "properties": {
+          "seq": {
+            "type": "integer",
+            "minimum": 0,
+            "description": "Event sequence number this diff entry applies to."
+          },
+          "op": {
+            "type": "string",
+            "enum": ["added", "removed", "changed"],
+            "description": "added = present in b only; removed = present in a only; changed = present in both at this seq but differ by canonical comparison."
+          },
+          "aEvent": {
+            "type": "object",
+            "additionalProperties": true,
+            "description": "The run-a event at this seq (omitted when op = added). Shape per run-event.schema.json."
+          },
+          "bEvent": {
+            "type": "object",
+            "additionalProperties": true,
+            "description": "The run-b event at this seq (omitted when op = removed). Shape per run-event.schema.json."
+          }
+        },
+        "additionalProperties": false
+      }
+    },
+    "stateDiff": {
+      "type": "object",
+      "additionalProperties": true,
+      "description": "Diff of terminal RunSnapshot states (status, variables, channels) — redaction-safe (never carries credential material)."
+    },
+    "truncated": {
+      "type": "boolean",
+      "description": "True if either run was in-flight and only a prefix was compared."
+    }
+  },
+  "additionalProperties": false
+}

package/schemas/run-event-payloads.schema.json

@@ -2,7 +2,7 @@
   "$schema": "https://json-schema.org/draft/2020-12/schema",
   "$id": "https://openwop.dev/spec/v1/run-event-payloads.schema.json",
   "title": "RunEventPayloads",
-  "description": "Per-RunEventType payload schemas. The base RunEventDoc shape (run-event.schema.json) leaves `payload` permissive for forward-compat. This schema defines the canonical payload contract for each known RunEventType. Consumers MAY pin strict payload validation via `$defs.<typeId>` and `ajv.validate(schema.$defs[event.type], event.payload)`. Unknown event types MUST be tolerated (no $defs match → fold best-effort).\n\n64 variants from `run-event.schema.json#$defs.RunEventType` are covered, grouped into ~20 shape families with shared $defs. Naming convention: camelCase keys mirror dotted RunEventType names (e.g., `run.started` → `runStarted`).",
+  "description": "Per-RunEventType payload schemas. The base RunEventDoc shape (run-event.schema.json) leaves `payload` permissive for forward-compat. This schema defines the canonical payload contract for each known RunEventType. Consumers MAY pin strict payload validation via `$defs.<typeId>` and `ajv.validate(schema.$defs[event.type], event.payload)`. Unknown event types MUST be tolerated (no $defs match → fold best-effort).\n\n71 variants from `run-event.schema.json#$defs.RunEventType` are covered, grouped into ~20 shape families with shared $defs. Naming convention: camelCase keys mirror dotted RunEventType names (e.g., `run.started` → `runStarted`).",
   "type": "object",
   "$defs": {
     "_typeIndex": {
@@ -18,6 +18,7 @@
         "run.paused":                { "$ref": "#/$defs/runPaused" },
         "run.resumed":               { "$ref": "#/$defs/runResumed" },
         "run.restored-from-snapshot":{ "$ref": "#/$defs/runRestoredFromSnapshot" },
+        "run.dead_lettered":         { "$ref": "#/$defs/runDeadLettered" },
         "node.started":              { "$ref": "#/$defs/nodeStarted" },
         "node.completed":            { "$ref": "#/$defs/nodeCompleted" },
         "node.failed":               { "$ref": "#/$defs/nodeFailed" },
@@ -29,6 +30,9 @@
         "node.cancelled":            { "$ref": "#/$defs/nodeCancelled" },
         "approval.requested":        { "$ref": "#/$defs/approvalRequested" },
         "approval.received":         { "$ref": "#/$defs/approvalReceived" },
+        "approval.granted":          { "$ref": "#/$defs/approvalGranted" },
+        "approval.rejected":         { "$ref": "#/$defs/approvalRejected" },
+        "approval.overridden":       { "$ref": "#/$defs/approvalOverridden" },
         "clarification.requested":   { "$ref": "#/$defs/clarificationRequested" },
         "clarification.resolved":    { "$ref": "#/$defs/clarificationResolved" },
         "interrupt.requested":       { "$ref": "#/$defs/interruptRequested" },
@@ -73,7 +77,48 @@
         "conversation.closed":       { "$ref": "#/$defs/conversationClosed" },
         "memory.compacted":          { "$ref": "#/$defs/memoryCompacted" },
         "core.workflowChain.event":  { "$ref": "#/$defs/coreWorkflowChainEvent" },
-        "core.workflowChain.confidence-escalated": { "$ref": "#/$defs/coreWorkflowChainConfidenceEscalated" }
+        "core.workflowChain.confidence-escalated": { "$ref": "#/$defs/coreWorkflowChainConfidenceEscalated" },
+        "connector.authorized":      { "$ref": "#/$defs/connectorAuthorized" },
+        "connector.auth_expired":    { "$ref": "#/$defs/connectorAuthExpired" },
+        "authorization.decided":     { "$ref": "#/$defs/authorizationDecided" }
+      }
+    },
+
+    "authorizationDecided": {
+      "description": "RFC 0049 — emitted on a role-based authorization decision (allow or deny). Redaction-safe: `principal` is an opaque RFC 0048 id; `reason` carries no credential material. Every deny SHOULD be emitted and SHOULD feed the audit log (RFC 0009/0010). MUST NOT be emitted unless `capabilities.authorization.supported: true`.",
+      "type": "object",
+      "additionalProperties": false,
+      "required": ["principal", "action", "resource", "allowed"],
+      "properties": {
+        "principal": { "type": "string", "minLength": 1, "description": "Opaque RFC 0048 principal id — never PII." },
+        "action": { "type": "string", "minLength": 1, "description": "The attempted action, e.g. `runs:cancel`." },
+        "resource": { "type": "string", "minLength": 1, "description": "The target, e.g. a runId or workflowId." },
+        "allowed": { "type": "boolean" },
+        "reason": { "type": "string", "description": "Human-readable, redaction-safe — no credential material." }
+      }
+    },
+
+    "connectorAuthorized": {
+      "description": "RFC 0047 — emitted when the host acquires (or re-authorizes) a third-party OAuth token on a user's behalf via the `host.oauth` flow. Redaction-safe: carries the credential REFERENCE (RFC 0046), never token material. MUST NOT be emitted unless `capabilities.oauth.supported: true`.",
+      "type": "object",
+      "additionalProperties": false,
+      "required": ["provider", "credentialRef"],
+      "properties": {
+        "provider": { "type": "string", "minLength": 1, "description": "Provider id, matching an advertised `capabilities.oauth.providers[].id` (e.g. `slack`, `google`)." },
+        "credentialRef": { "type": "string", "minLength": 1, "description": "Opaque RFC 0046 credential reference where the acquired token is stored. NEVER the token itself." },
+        "scopes": { "type": "array", "items": { "type": "string" }, "description": "Scopes granted for the acquired token." }
+      }
+    },
+
+    "connectorAuthExpired": {
+      "description": "RFC 0047 — emitted when a stored OAuth token's refresh fails terminally (revoked/expired refresh token). Redaction-safe: no token material. MUST NOT be emitted unless `capabilities.oauth.supported: true`.",
+      "type": "object",
+      "additionalProperties": false,
+      "required": ["provider", "credentialRef"],
+      "properties": {
+        "provider": { "type": "string", "minLength": 1, "description": "Provider id, matching an advertised `capabilities.oauth.providers[].id`." },
+        "credentialRef": { "type": "string", "minLength": 1, "description": "Opaque RFC 0046 credential reference for the expired token." },
+        "reason": { "type": "string", "description": "Redaction-safe human-readable reason (e.g. `refresh_token_revoked`)." }
       }
     },
 
@@ -205,6 +250,17 @@
         "inputs":      { "$ref": "#/$defs/_inputsObject" },
         "transport":   { "type": "string", "enum": ["rest", "mcp", "a2a", "ui"] },
         "engineVersion":  { "type": "string" },
+        "owner": {
+          "type": "object",
+          "description": "RFC 0048. Redaction-safe echo of the run's owning identity triple (matches `RunSnapshot.owner`). Optional; single-tenant hosts omit it.",
+          "required": ["tenant"],
+          "properties": {
+            "tenant": { "type": "string", "minLength": 1 },
+            "workspace": { "type": "string", "minLength": 1 },
+            "principal": { "type": "string", "minLength": 1 }
+          },
+          "additionalProperties": false
+        },
         "tags":     { "type": "array", "items": { "type": "string" } },
         "metadata": { "type": "object" }
       },
@@ -272,6 +328,19 @@
       "additionalProperties": true
     },
 
+    "runDeadLettered": {
+      "description": "RFC 0053 — emitted when a run/node exhausts its retry policy (RFC 0009) and is routed to the durable dead-letter sink. The run remains fork-eligible (RFC 0011) for `capabilities.deadLetter.retentionDays`. Redaction-safe: `reason` carries no credential material. MUST NOT be emitted unless `capabilities.deadLetter.supported: true`.",
+      "type": "object",
+      "additionalProperties": false,
+      "required": ["runId", "reason", "attempts"],
+      "properties": {
+        "runId": { "type": "string", "minLength": 1 },
+        "nodeId": { "type": "string", "description": "The node whose retry exhaustion dead-lettered the run; absent for run-level failures." },
+        "reason": { "type": "string", "minLength": 1, "description": "Redaction-safe terminal-failure reason." },
+        "attempts": { "type": "integer", "minimum": 1, "description": "Total attempts made before dead-lettering." }
+      }
+    },
+
     "nodeStarted": {
       "type": "object",
       "description": "Emitted when a node begins execution.",
@@ -419,6 +488,39 @@
       },
       "additionalProperties": true
     },
+    "approvalGranted": {
+      "description": "RFC 0051 — emitted when an authorized principal grants a `core.openwop.governance.approvalGate`. Redaction-safe: `principal` is an opaque RFC 0048 id. MUST NOT be emitted unless the gate node is registered (peerDependency `authorization: 'supported'`).",
+      "type": "object",
+      "additionalProperties": false,
+      "required": ["gateId", "principal"],
+      "properties": {
+        "gateId": { "type": "string", "minLength": 1, "description": "Identifier of the approval gate node." },
+        "principal": { "type": "string", "minLength": 1, "description": "Opaque RFC 0048 principal id of the granting actor." },
+        "quorumProgress": { "type": "object", "additionalProperties": false, "properties": { "granted": { "type": "integer", "minimum": 0 }, "required": { "type": "integer", "minimum": 1 } }, "description": "When the gate requires a quorum: grants accumulated vs required." }
+      }
+    },
+    "approvalRejected": {
+      "description": "RFC 0051 — emitted when an authorized principal rejects an approval gate. The run loops back per the workflow edges (does not terminate by default). Redaction-safe.",
+      "type": "object",
+      "additionalProperties": false,
+      "required": ["gateId", "principal"],
+      "properties": {
+        "gateId": { "type": "string", "minLength": 1 },
+        "principal": { "type": "string", "minLength": 1, "description": "Opaque RFC 0048 principal id of the rejecting actor." },
+        "reason": { "type": "string", "description": "Redaction-safe human-readable reason." }
+      }
+    },
+    "approvalOverridden": {
+      "description": "RFC 0051 — emitted when a role-gated `override` path bypasses the gate (e.g. owner force-publish). MUST feed the audit log (RFC 0009/0010). Redaction-safe.",
+      "type": "object",
+      "additionalProperties": false,
+      "required": ["gateId", "principal", "reason"],
+      "properties": {
+        "gateId": { "type": "string", "minLength": 1 },
+        "principal": { "type": "string", "minLength": 1, "description": "Opaque RFC 0048 principal id of the overriding actor (MUST satisfy the override role)." },
+        "reason": { "type": "string", "minLength": 1, "description": "Required, redaction-safe rationale — the audit breadcrumb." }
+      }
+    },
     "clarificationRequested": {
       "type": "object",
       "description": "Legacy kind-specific event for HITL clarification requests.",

package/schemas/run-event.schema.json

@@ -71,6 +71,7 @@
         "run.paused",
         "run.resumed",
         "run.restored-from-snapshot",
+        "run.dead_lettered",
         "node.started",
         "node.completed",
         "node.failed",
@@ -82,6 +83,9 @@
         "node.cancelled",
         "approval.requested",
         "approval.received",
+        "approval.granted",
+        "approval.rejected",
+        "approval.overridden",
         "clarification.requested",
         "clarification.resolved",
         "interrupt.requested",
@@ -126,7 +130,10 @@
         "conversation.closed",
         "memory.compacted",
         "core.workflowChain.event",
-        "core.workflowChain.confidence-escalated"
+        "core.workflowChain.confidence-escalated",
+        "connector.authorized",
+        "connector.auth_expired",
+        "authorization.decided"
       ]
     }
   }

package/schemas/run-snapshot.schema.json

@@ -32,6 +32,17 @@
       ],
       "description": "Current run state. `waiting-external` MUST be used when the suspended interrupt's `kind` is `external-event` per `interrupt-profiles.md §openwop-interrupt-external-event` — distinguishes external-event waits from HITL waits at the wire level. Forward-compat: future statuses MAY be added; readers SHOULD treat unknown values as terminal-unknown rather than throw."
     },
+    "owner": {
+      "type": "object",
+      "description": "RFC 0048. The identity triple that owns this run. Redaction-safe — `principal` is an opaque identifier, never PII or credential material. Optional: single-tenant hosts omit it. A principal scoped to one `workspace` MUST NOT read a run owned by another (`run_forbidden`).",
+      "required": ["tenant"],
+      "properties": {
+        "tenant": { "type": "string", "minLength": 1, "description": "Top-level isolation boundary." },
+        "workspace": { "type": "string", "minLength": 1, "description": "Optional sub-tenant within the tenant (RFC 0048 workspace)." },
+        "principal": { "type": "string", "minLength": 1, "description": "Acting identity (user or agent) — opaque id, never PII." }
+      },
+      "additionalProperties": false
+    },
     "currentNodeId": {
       "type": "string",
       "description": "Set when the run is suspended at a specific node (`waiting-approval` / `waiting-input` / `waiting-external`) — identifies which node holds the interrupt."

package/src/lib/behavior-gate.ts

@@ -105,3 +105,54 @@ export function behaviorGate(profileName: string, advertised: boolean): boolean
   );
   return false;
 }
+
+/**
+ * RFC 0042 §D — experimental-tier soft-skip router for capability-gated
+ * scenarios. Wraps `behaviorGate` with an additional tier check.
+ *
+ * Returns true if the scenario should proceed with assertions, false if
+ * it should skip:
+ *   - tier === 'experimental' AND OPENWOP_REQUIRE_EXPERIMENTAL not set → soft-skip
+ *     (the scenario does NOT count toward "Failed" or "Skipped (capability-gated)"
+ *      in the four-bucket taxonomy — a new fifth bucket "Skipped (experimental)"
+ *      SHOULD be tallied by reporters; logged via the dedicated console.warn below.)
+ *   - tier === 'experimental' AND OPENWOP_REQUIRE_EXPERIMENTAL=true → behave as
+ *     stable (hand off to behaviorGate; honor OPENWOP_REQUIRE_BEHAVIOR + opt-out).
+ *   - tier === 'stable' (default) → identical to behaviorGate.
+ *
+ * The `experimentalUntil` ISO-8601 date is logged for telemetry but does NOT
+ * gate behavior — the spec contract is that the wire shape MAY shift before
+ * the date, not that the scenario MUST stop running.
+ */
+export function experimentalGate(
+  profileName: string,
+  advertised: boolean,
+  tier: 'stable' | 'experimental' | undefined,
+  experimentalUntil?: string,
+): boolean {
+  if (tier === 'experimental') {
+    const env = loadEnv();
+    const requireExperimental = process.env.OPENWOP_REQUIRE_EXPERIMENTAL === 'true';
+    if (!requireExperimental) {
+      // eslint-disable-next-line no-console
+      console.warn(
+        `[experimental capability: ${profileName}] host advertises tier='experimental'` +
+          (experimentalUntil ? ` until ${experimentalUntil}` : '') +
+          `; scenario skipped under default mode (set OPENWOP_REQUIRE_EXPERIMENTAL=true to run)`,
+      );
+      return false;
+    }
+    // Strict-mode experimental: hand off to behaviorGate with the standard
+    // advertised+opt-out rules. A host that advertises tier='experimental'
+    // AND opts the profile out via OPENWOP_OPTED_OUT_PROFILES would surface
+    // the standard advertise+opt-out conflict warning from behaviorGate.
+    // Don't strip the env.requireBehavior flag — that's a separate axis.
+    // eslint-disable-next-line no-console
+    console.warn(
+      `[experimental capability: ${profileName}] OPENWOP_REQUIRE_EXPERIMENTAL=true; ` +
+        `running as strict assertion against advertised='${advertised}'`,
+    );
+    void env;
+  }
+  return behaviorGate(profileName, advertised);
+}

package/src/lib/driver.ts

@@ -50,7 +50,19 @@ class OpenWOPDriver {
 
     const fetchInit: RequestInit = { method, headers };
     if (init.body !== undefined) {
-      fetchInit.body = JSON.stringify(init.body);
+      // Buffer / Uint8Array bodies are sent as raw bytes — needed by the
+      // RFC 0025 test-mode publish scenarios so the host's body-shape
+      // check sees the bytes the caller actually wrote (rather than a
+      // JSON-stringified `{"type":"Buffer","data":[...]}` envelope).
+      if (typeof Buffer !== 'undefined' && Buffer.isBuffer(init.body)) {
+        fetchInit.body = new Uint8Array(init.body);
+      } else if (init.body instanceof Uint8Array) {
+        fetchInit.body = init.body;
+      } else if (typeof init.body === 'string') {
+        fetchInit.body = init.body;
+      } else {
+        fetchInit.body = JSON.stringify(init.body);
+      }
     }
     const res = await fetch(url, fetchInit);