@openwop/openwop-conformance 1.4.0 → 1.6.0

package/src/scenarios/connector-manifest-validity.test.ts

@@ -0,0 +1,142 @@
+/**
+ * connector-manifest-validity — RFC 0045 §A/§B verification.
+ *
+ * Status: DRAFT. RFC 0045 (connector pack manifest & action model) is `Draft`.
+ * The optional `connector` block + `Connector` / `ConnectorAuth` $defs have
+ * landed in `schemas/node-pack-manifest.schema.json`.
+ *
+ * Server-free schema + semantic validation. Two contracts:
+ *   1. Schema validity (§A): a well-formed `connector` block validates; a
+ *      block missing `id`/`displayName` or an action missing `typeId` is
+ *      rejected. Both ConnectorAuth variants (oauth2 / credential) validate.
+ *   2. Action resolution (§B): every `connector.actions[].typeId` and
+ *      `connector.triggers[]` entry MUST resolve to a `nodes[].typeId` in the
+ *      same manifest; an unresolved reference is `connector_action_unresolved`.
+ *
+ * The Connector subschema is extracted self-contained (Connector + its
+ * ConnectorAuth + NodeAuth $defs) so ajv compiles it without resolving the
+ * parent manifest's external `agent-manifest.schema.json` $ref.
+ *
+ * @see RFCS/0045-connector-pack-manifest-action-model.md
+ * @see schemas/node-pack-manifest.schema.json §Connector
+ */
+
+import { describe, it, expect } from 'vitest';
+import { readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import Ajv2020 from 'ajv/dist/2020.js';
+import addFormats from 'ajv-formats';
+import { SCHEMAS_DIR } from '../lib/paths.js';
+
+interface SchemaDefs {
+  $defs: Record<string, unknown>;
+  $schema: string;
+}
+
+const manifestSchema = JSON.parse(
+  readFileSync(join(SCHEMAS_DIR, 'node-pack-manifest.schema.json'), 'utf8'),
+) as SchemaDefs;
+
+// Self-contained Connector schema: root = Connector, carrying the $defs it
+// references (ConnectorAuth → NodeAuth). No external $ref resolution needed.
+const connectorSchema = {
+  $schema: manifestSchema.$schema,
+  ...(manifestSchema.$defs.Connector as Record<string, unknown>),
+  $defs: {
+    ConnectorAuth: manifestSchema.$defs.ConnectorAuth,
+    NodeAuth: manifestSchema.$defs.NodeAuth,
+  },
+};
+
+// §B action/trigger resolution — the semantic check the registry applies
+// beyond pure JSON Schema (typeIds must resolve to real nodes).
+interface ConnectorAction {
+  typeId: string;
+}
+interface ConnectorBlock {
+  actions?: ConnectorAction[];
+  triggers?: string[];
+}
+function unresolvedReferences(nodeTypeIds: string[], connector: ConnectorBlock): string[] {
+  const known = new Set(nodeTypeIds);
+  const refs = [
+    ...(connector.actions ?? []).map((a) => a.typeId),
+    ...(connector.triggers ?? []),
+  ];
+  return refs.filter((t) => !known.has(t));
+}
+
+describe('category: connector-manifest validity — schema shape (RFC 0045 §A)', () => {
+  const ajv = new Ajv2020({ allErrors: true, strict: false });
+  addFormats(ajv);
+  const validate = ajv.compile(connectorSchema);
+
+  it('positive: a well-formed connector block (oauth2 auth) validates', () => {
+    const ok = validate({
+      id: 'salesforce',
+      displayName: 'Salesforce',
+      auth: { type: 'oauth2', provider: 'salesforce', scopes: ['api'] },
+      actions: [
+        { typeId: 'vendor.acme.salesforce.upsert', displayName: 'Upsert', idempotent: true, rateLimit: { requests: 100, perSeconds: 60 } },
+        { typeId: 'vendor.acme.salesforce.query', displayName: 'Query', paginated: true },
+      ],
+      triggers: ['vendor.acme.salesforce.onRecordChange'],
+    });
+    expect(ok, JSON.stringify(validate.errors)).toBe(true);
+  });
+
+  it('positive: credential-auth variant validates', () => {
+    const ok = validate({
+      id: 'stripe',
+      displayName: 'Stripe',
+      auth: { type: 'credential', key: 'stripe-secret-key', scope: 'workspace' },
+      actions: [{ typeId: 'vendor.acme.stripe.charge', displayName: 'Charge' }],
+    });
+    expect(ok, JSON.stringify(validate.errors)).toBe(true);
+  });
+
+  it('negative: connector missing displayName is rejected', () => {
+    expect(validate({ id: 'salesforce' })).toBe(false);
+  });
+
+  it('negative: an action missing typeId is rejected', () => {
+    const ok = validate({
+      id: 'salesforce',
+      displayName: 'Salesforce',
+      actions: [{ displayName: 'Upsert' }],
+    });
+    expect(ok).toBe(false);
+  });
+
+  it('negative: an unknown ConnectorAuth type is rejected', () => {
+    const ok = validate({
+      id: 'salesforce',
+      displayName: 'Salesforce',
+      auth: { type: 'basic', user: 'x' },
+    });
+    expect(ok).toBe(false);
+  });
+});
+
+describe('category: connector-manifest validity — action resolution (RFC 0045 §B)', () => {
+  const nodeTypeIds = [
+    'vendor.acme.salesforce.upsert',
+    'vendor.acme.salesforce.query',
+    'vendor.acme.salesforce.onRecordChange',
+  ];
+
+  it('all action + trigger typeIds resolve to nodes[] in the same manifest', () => {
+    const unresolved = unresolvedReferences(nodeTypeIds, {
+      actions: [{ typeId: 'vendor.acme.salesforce.upsert' }, { typeId: 'vendor.acme.salesforce.query' }],
+      triggers: ['vendor.acme.salesforce.onRecordChange'],
+    });
+    expect(unresolved, 'every connector.actions[].typeId + triggers[] MUST resolve to a nodes[].typeId').toEqual([]);
+  });
+
+  it('an action typeId not in nodes[] is flagged (connector_action_unresolved)', () => {
+    const unresolved = unresolvedReferences(nodeTypeIds, {
+      actions: [{ typeId: 'vendor.acme.salesforce.does-not-exist' }],
+    });
+    expect(unresolved).toContain('vendor.acme.salesforce.does-not-exist');
+  });
+});

package/src/scenarios/credential-payload-redaction.test.ts

@@ -0,0 +1,93 @@
+/**
+ * credential-payload-redaction — RFC 0046 §C.1 / §E invariant verification.
+ *
+ * Status: DRAFT. RFC 0046 (`host.credentials`) is `Draft`. Backs the
+ * SECURITY invariant `credential-payload-redaction`.
+ *
+ * Capability-gated: skips when the host does not advertise
+ * `capabilities.credentials.supported = true`.
+ *
+ * What this scenario asserts:
+ *   1. Advertisement shape — `capabilities.credentials` is well-formed when
+ *      supported (delegated in detail to credentials-capability-shape).
+ *   2. Redaction MUST-NOT — when the host exposes the optional
+ *      `POST /v1/host/sample/credentials/echo` test seam, resolving a seeded
+ *      credential whose plaintext is a known canary MUST NOT cause that
+ *      canary to appear in ANY of the run's observable surfaces (events,
+ *      inputs, persisted variables, channels, snapshot, debug bundle). The
+ *      reference is the only credential artifact permitted on the wire.
+ *
+ * Hosts without the test seam soft-skip the redaction probe (404) and still
+ * assert the advertisement shape — mirroring fs-path-traversal.
+ *
+ * @see RFCS/0046-host-credentials-capability.md
+ * @see SECURITY/invariants.yaml id: credential-payload-redaction
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+
+interface DiscoveryCredentials {
+  supported?: boolean;
+}
+
+interface DiscoveryDoc {
+  capabilities?: {
+    credentials?: DiscoveryCredentials;
+  };
+}
+
+// A unique canary the seam seeds as the resolved credential's plaintext.
+const CANARY = 'OPENWOP_CRED_CANARY_4f1c8a2e9b';
+
+async function readCredentials(): Promise<DiscoveryCredentials | null> {
+  const res = await driver.get('/.well-known/openwop');
+  const body = res.json as DiscoveryDoc | undefined;
+  return body?.capabilities?.credentials ?? null;
+}
+
+describe('credential-payload-redaction: advertisement shape (RFC 0046 §A)', () => {
+  it('capabilities.credentials.supported is a boolean when advertised', async () => {
+    const cred = await readCredentials();
+    if (cred === null) return;
+    expect(
+      typeof cred.supported,
+      driver.describe(
+        'capabilities.schema.json §credentials',
+        'capabilities.credentials.supported MUST be a boolean when credentials is advertised',
+      ),
+    ).toBe('boolean');
+  });
+});
+
+describe('credential-payload-redaction: resolved material MUST NOT cross the wire (RFC 0046 §C.1)', () => {
+  it('canary plaintext is absent from every observable run surface', async () => {
+    const cred = await readCredentials();
+    if (!cred?.supported) return; // capability-gated
+
+    // Seam contract: resolve a seeded credential whose plaintext is CANARY,
+    // run an echo node, and return the run's observable surfaces.
+    const res = await driver.post('/v1/host/sample/credentials/echo', { canary: CANARY });
+    // 404 from a host that hasn't wired the test seam is a soft-skip.
+    if (res.status === 404) return;
+
+    expect(
+      res.status,
+      driver.describe(
+        'SECURITY/invariants.yaml credential-payload-redaction',
+        'the credentials echo seam MUST resolve the seeded credential and return its observable surfaces',
+      ),
+    ).toBeLessThan(400);
+
+    // The entire serialized observable surface (events + inputs + variables +
+    // channels + snapshot + debug bundle) MUST NOT contain the canary plaintext.
+    const serialized = JSON.stringify(res.json ?? {});
+    expect(
+      serialized.includes(CANARY),
+      driver.describe(
+        'SECURITY/invariants.yaml credential-payload-redaction',
+        'resolved credential material MUST NOT appear in inputs, variables, channels, events, snapshot, or debug bundle — only the reference may cross the wire',
+      ),
+    ).toBe(false);
+  });
+});

package/src/scenarios/credentials-capability-shape.test.ts

@@ -0,0 +1,90 @@
+/**
+ * credentials-capability-shape — RFC 0046 §A advertisement-shape verification.
+ *
+ * Status: DRAFT. RFC 0046 (`host.credentials`) is `Draft`. The
+ * `capabilities.credentials` block has landed in
+ * `schemas/capabilities.schema.json` and the invariant row
+ * `credential-payload-redaction` is in `SECURITY/invariants.yaml`.
+ *
+ * Always runs (shape-only): when the host advertises `capabilities.credentials`,
+ * its fields MUST be well-formed; when it doesn't, the block is simply absent.
+ *
+ * What this scenario asserts:
+ *   1. `capabilities.credentials` is either absent or a well-formed object.
+ *   2. When `supported: true`, `scopes` (when present) is a subset of
+ *      {user, workspace, tenant}, and `rotation` (when present) is one of
+ *      {none, two-key-overlap} (RFC 0046 §A).
+ *
+ * @see RFCS/0046-host-credentials-capability.md
+ * @see SECURITY/invariants.yaml id: credential-payload-redaction
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+
+interface DiscoveryCredentials {
+  supported?: boolean;
+  scopes?: string[];
+  encryptionAtRest?: boolean;
+  rotation?: string;
+  sharing?: boolean;
+}
+
+interface DiscoveryDoc {
+  capabilities?: {
+    credentials?: DiscoveryCredentials;
+  };
+}
+
+const VALID_SCOPES: ReadonlySet<string> = new Set(['user', 'workspace', 'tenant']);
+const VALID_ROTATION: ReadonlySet<string> = new Set(['none', 'two-key-overlap']);
+
+async function readCredentials(): Promise<DiscoveryCredentials | null> {
+  const res = await driver.get('/.well-known/openwop');
+  const body = res.json as DiscoveryDoc | undefined;
+  return body?.capabilities?.credentials ?? null;
+}
+
+describe('credentials-capability-shape: advertisement shape (RFC 0046 §A)', () => {
+  it('capabilities.credentials is either absent or well-formed', async () => {
+    const cred = await readCredentials();
+    if (cred === null) return; // host doesn't advertise host.credentials at all
+    expect(
+      typeof cred.supported,
+      driver.describe(
+        'capabilities.schema.json §credentials',
+        'capabilities.credentials.supported MUST be a boolean when credentials is advertised',
+      ),
+    ).toBe('boolean');
+  });
+
+  it('scopes is a subset of {user, workspace, tenant} when supported', async () => {
+    const cred = await readCredentials();
+    if (!cred?.supported || cred.scopes === undefined) return;
+    expect(
+      Array.isArray(cred.scopes),
+      driver.describe('RFC 0046 §A', 'capabilities.credentials.scopes MUST be an array'),
+    ).toBe(true);
+    for (const scope of cred.scopes) {
+      expect(
+        VALID_SCOPES.has(scope),
+        driver.describe(
+          'RFC 0046 §A',
+          `capabilities.credentials.scopes entries MUST be one of {${[...VALID_SCOPES].join(', ')}}, got: ${scope}`,
+        ),
+      ).toBe(true);
+    }
+  });
+
+  it('rotation is one of {none, two-key-overlap} when present', async () => {
+    const cred = await readCredentials();
+    if (!cred?.supported || cred.rotation === undefined) return;
+    expect(
+      VALID_ROTATION.has(cred.rotation),
+      driver.describe(
+        'RFC 0046 §A',
+        `capabilities.credentials.rotation MUST be one of {${[...VALID_ROTATION].join(', ')}}, got: ${cred.rotation}`,
+      ),
+    ).toBe(true);
+  });
+});

package/src/scenarios/cross-engine-append-behavior.test.ts

@@ -0,0 +1,204 @@
+/**
+ * cross-engine-append-behavior — RFC 0036 §B cross-engine append-ordering behavioral probe.
+ *
+ * Companion to `cross-engine-append-ordering.test.ts` which carries the
+ * advertisement-shape probes. This file exercises the canonical cross-engine
+ * append-ordering behavior specified by `spec/v1/channels-and-reducers.md`
+ * §"Cross-engine ordering" via the host-extension test seams:
+ *
+ *   POST /v1/host/sample/test/cross-engine/append   — single engine append
+ *   GET  /v1/host/sample/test/cross-engine/read     — read ordered sequence
+ *   POST /v1/host/sample/test/cross-engine/reset    — clear log
+ *
+ * The seam is conformance-only (host-extension namespace), gated on the
+ * host's `OPENWOP_TEST_CROSS_ENGINE_HARNESS=true` env var. The seam itself
+ * is OPTIONAL — hosts that don't expose it soft-skip; hosts that DO expose
+ * it MUST honor the §B contract:
+ *
+ *   1. Multiple engines appending concurrently to the same channelId
+ *      converge to a single globally-ordered linearization on read.
+ *   2. Per-engine order is preserved within each engine's local sequence
+ *      (writes from engine A appear in A's submission order, ditto B).
+ *   3. The host's advertised `orderingModel` (lamport / vector-clock /
+ *      global-sequencer) determines the cross-engine merge semantics.
+ *   4. Read after partition heal converges to the same total order
+ *      regardless of which engine's view we read from.
+ *
+ * @see RFCS/0036-multi-region-and-cross-engine-guarantees.md §B
+ * @see spec/v1/channels-and-reducers.md §"Cross-engine ordering"
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+
+const HTTP_SKIP = !process.env.OPENWOP_BASE_URL;
+
+interface AppendEntry {
+  engineId: string;
+  value: unknown;
+  lamport: number;
+  seq: number;
+}
+
+async function appendEntry(
+  engineId: string,
+  channelId: string,
+  value: unknown,
+  lamport?: number,
+): Promise<{ status: number; entry?: AppendEntry }> {
+  const body: Record<string, unknown> = { engineId, channelId, value };
+  if (lamport !== undefined) body.lamport = lamport;
+  const res = await driver.post('/v1/host/sample/test/cross-engine/append', body);
+  if (res.status === 200) {
+    return { status: res.status, entry: res.json as AppendEntry };
+  }
+  return { status: res.status };
+}
+
+async function readEntries(channelId: string): Promise<{ status: number; entries: AppendEntry[] }> {
+  const res = await driver.get(`/v1/host/sample/test/cross-engine/read?channelId=${encodeURIComponent(channelId)}`);
+  return {
+    status: res.status,
+    entries: res.status === 200 ? (res.json as { entries: AppendEntry[] }).entries : [],
+  };
+}
+
+async function resetLog(): Promise<number> {
+  const res = await driver.post('/v1/host/sample/test/cross-engine/reset', {});
+  return res.status;
+}
+
+describe.skipIf(HTTP_SKIP)('cross-engine-append-behavior: §B cross-engine ordering (RFC 0036)', () => {
+  it('interleaved appends from two engines converge to a single globally-ordered sequence', async (ctx) => {
+    const resetStatus = await resetLog();
+    if (resetStatus === 404) {
+      ctx.skip(); // host doesn't expose the cross-engine harness seam
+      return;
+    }
+    expect(resetStatus).toBe(200);
+
+    const ch = 'channel-A';
+
+    // Engine A: 3 appends. Engine B: 2 appends. Interleaved.
+    const a1 = await appendEntry('engine-A', ch, 'a-1');
+    const b1 = await appendEntry('engine-B', ch, 'b-1');
+    const a2 = await appendEntry('engine-A', ch, 'a-2');
+    const a3 = await appendEntry('engine-A', ch, 'a-3');
+    const b2 = await appendEntry('engine-B', ch, 'b-2');
+
+    for (const r of [a1, b1, a2, a3, b2]) {
+      expect(r.status).toBe(200);
+      expect(r.entry).toBeDefined();
+    }
+
+    const read = await readEntries(ch);
+    expect(read.status).toBe(200);
+
+    expect(
+      read.entries.length,
+      driver.describe(
+        'channels-and-reducers.md §"Cross-engine ordering"',
+        'all appends across all engines MUST appear in the linearized read',
+      ),
+    ).toBe(5);
+
+    // Per-engine order MUST be preserved within each engine's submissions.
+    const engineAEntries = read.entries.filter((e) => e.engineId === 'engine-A').map((e) => e.value);
+    const engineBEntries = read.entries.filter((e) => e.engineId === 'engine-B').map((e) => e.value);
+    expect(
+      engineAEntries,
+      driver.describe(
+        'channels-and-reducers.md §"Cross-engine ordering"',
+        'engine-A submissions MUST appear in submission order within the linearization',
+      ),
+    ).toEqual(['a-1', 'a-2', 'a-3']);
+    expect(
+      engineBEntries,
+      driver.describe(
+        'channels-and-reducers.md §"Cross-engine ordering"',
+        'engine-B submissions MUST appear in submission order within the linearization',
+      ),
+    ).toEqual(['b-1', 'b-2']);
+  });
+
+  it('lamport clocks monotonically advance across engines', async (ctx) => {
+    const resetStatus = await resetLog();
+    if (resetStatus === 404) {
+      ctx.skip();
+      return;
+    }
+    expect(resetStatus).toBe(200);
+
+    const ch = 'channel-B';
+    const a1 = await appendEntry('engine-A', ch, 'a-1');
+    const b1 = await appendEntry('engine-B', ch, 'b-1');
+    const a2 = await appendEntry('engine-A', ch, 'a-2');
+
+    expect(a1.entry?.lamport).toBeDefined();
+    expect(b1.entry?.lamport).toBeDefined();
+    expect(a2.entry?.lamport).toBeDefined();
+
+    // Lamport invariant: each subsequent append on the same shared
+    // channel MUST have strictly-higher clock than the previous.
+    expect(
+      a2.entry!.lamport > b1.entry!.lamport && b1.entry!.lamport > a1.entry!.lamport,
+      driver.describe(
+        'channels-and-reducers.md §"Cross-engine ordering" — Lamport',
+        'lamport clocks MUST be strictly monotonic on the shared channel',
+      ),
+    ).toBe(true);
+  });
+
+  it('lamport hint from engine A advances engine B past it', async (ctx) => {
+    const resetStatus = await resetLog();
+    if (resetStatus === 404) {
+      ctx.skip();
+      return;
+    }
+    expect(resetStatus).toBe(200);
+
+    const ch = 'channel-C';
+    // Engine A appends, gets lamport L. Engine B then appends with
+    // lamport hint == L (proxy for "B saw A's clock at L"); B's
+    // resulting clock MUST be > L per the lamport receive rule
+    // max(local, incoming) + 1.
+    const a1 = await appendEntry('engine-A', ch, 'a-1');
+    expect(a1.status).toBe(200);
+    const seen = a1.entry!.lamport;
+    const b1 = await appendEntry('engine-B', ch, 'b-1', seen);
+    expect(b1.status).toBe(200);
+    expect(
+      b1.entry!.lamport > seen,
+      driver.describe(
+        'channels-and-reducers.md §"Cross-engine ordering" — Lamport receive rule',
+        'when engine B sees engine A\'s clock at L, B\'s next append MUST have clock > L',
+      ),
+    ).toBe(true);
+  });
+
+  it('linearization is deterministic — same appends → same total order', async (ctx) => {
+    const resetStatus = await resetLog();
+    if (resetStatus === 404) {
+      ctx.skip();
+      return;
+    }
+    expect(resetStatus).toBe(200);
+
+    const ch = 'channel-D';
+    await appendEntry('engine-A', ch, 'a-1');
+    await appendEntry('engine-B', ch, 'b-1');
+    await appendEntry('engine-A', ch, 'a-2');
+
+    const r1 = await readEntries(ch);
+    const r2 = await readEntries(ch);
+    expect(r1.status).toBe(200);
+    expect(r2.status).toBe(200);
+    expect(
+      r1.entries.map((e) => `${e.engineId}:${String(e.value)}`),
+      driver.describe(
+        'channels-and-reducers.md §"Cross-engine ordering" — determinism',
+        'two reads MUST produce the same linearization (deterministic merge)',
+      ),
+    ).toEqual(r2.entries.map((e) => `${e.engineId}:${String(e.value)}`));
+  });
+});

package/src/scenarios/cross-host-traceparent-propagation.test.ts

@@ -50,11 +50,18 @@ describe('cross-host-traceparent-propagation: behavioral (RFC 0040 §B)', () =>
   // the format `00-{traceId}-{spanId}-{flags}` per W3C tracecontext.
   // Until the peer harness lands, the assertion is surfaced as `todo` so
   // test reporters track the gap rather than reporting a vacuous PASS.
-  it.todo('Phase 3 host MUST inject parent run\'s traceparent into outbound MCP requests');
+  // Marked out of stable profile via RFC 0042 §B (experimental tier):
+  // RFC 0040 remains Active. Hosts that wire Phase 3 cross-host causation
+  // before RFC 0040 graduates SHOULD advertise
+  // `multiAgent.executionModel.tier: 'experimental'` per RFC 0042 §A
+  // until cross-host evidence drives the promotion. Path-to-runnable
+  // requires the MCP peer harness (OPENWOP_MCP_REAL_SERVER_URL) +
+  // inbound-header recorder; flips to a real `it()` on first non-steward
+  // Phase 3 host advertising matching capabilities.
+  it.skip('Phase 3 host MUST inject parent run\'s traceparent into outbound MCP requests — out of stable profile via RFC 0042');
 
-  // Behavioral assertion drives a workflow that dispatches an A2A message
-  // via the host's `core.a2a.send` (or equivalent) node. The A2A peer
-  // (configured via OPENWOP_A2A_REAL_PEER_URL) records inbound headers;
-  // the test asserts `traceparent` is present + well-formed.
-  it.todo('Phase 3 host MUST inject parent run\'s traceparent into outbound A2A messages');
+  // Same routing — out of stable profile via RFC 0042 §B until RFC 0040
+  // graduates to Accepted; behavioral A2A test seam contract still to be
+  // designed alongside the corresponding peer harness.
+  it.skip('Phase 3 host MUST inject parent run\'s traceparent into outbound A2A messages — out of stable profile via RFC 0042');
 });

package/src/scenarios/cross-workspace-isolation.test.ts

@@ -0,0 +1,72 @@
+/**
+ * cross-workspace-isolation — RFC 0048 §D verification.
+ *
+ * Status: DRAFT. RFC 0048 (tenant·workspace·principal identity model) is
+ * `Draft`.
+ *
+ * What this scenario asserts:
+ *   1. Run-ownership echo shape — when a readable run snapshot carries
+ *      `owner`, it MUST include a non-empty `tenant` (RFC 0048 §C).
+ *   2. Cross-workspace isolation MUST-NOT (§D) — when the host exposes the
+ *      optional `POST /v1/host/sample/identity/cross-workspace-read` seam
+ *      (a principal scoped to workspace A attempts to read a run owned by
+ *      workspace B), the read MUST fail closed with `run_forbidden` (or a
+ *      `404`/`403` that does not leak the other workspace's run contents).
+ *
+ * Hosts without the seam soft-skip the isolation probe (404). The
+ * advertisement/ownership-shape assertion still runs.
+ *
+ * @see RFCS/0048-tenant-workspace-principal-identity-model.md
+ * @see spec/v1/auth.md §"Identity claims — tenant · workspace · principal"
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+
+const ISOLATION_CODES: ReadonlySet<string> = new Set(['run_forbidden', 'not_found']);
+
+interface OwnerTriple {
+  tenant?: string;
+  workspace?: string;
+  principal?: string;
+}
+
+describe('cross-workspace-isolation: run-ownership echo shape (RFC 0048 §C)', () => {
+  it('owner, when present on a run snapshot, carries a non-empty tenant', async () => {
+    // Best-effort: probe a sample run if the host exposes one; otherwise skip.
+    const res = await driver.get('/v1/host/sample/identity/owned-run');
+    if (res.status === 404) return; // no sample-run seam — soft-skip
+    const owner = (res.json as { owner?: OwnerTriple } | undefined)?.owner;
+    if (owner === undefined) return; // single-tenant host — owner omitted
+    expect(
+      typeof owner.tenant === 'string' && owner.tenant.length > 0,
+      driver.describe('RFC 0048 §C', 'RunSnapshot.owner MUST carry a non-empty tenant when present'),
+    ).toBe(true);
+  });
+});
+
+describe('cross-workspace-isolation: a principal MUST NOT read another workspace\'s run (RFC 0048 §D)', () => {
+  it('cross-workspace read fails closed with run_forbidden', async () => {
+    // Seam contract: a principal scoped to workspace A requests a run owned
+    // by workspace B. The host MUST refuse rather than return B's run.
+    const res = await driver.post('/v1/host/sample/identity/cross-workspace-read', {});
+    if (res.status === 404) return; // seam unwired — soft-skip
+
+    expect(
+      res.status,
+      driver.describe(
+        'spec/v1/auth.md §Identity claims',
+        'a cross-workspace read MUST fail closed (4xx), never return the other workspace\'s run',
+      ),
+    ).toBeGreaterThanOrEqual(400);
+
+    const code = (res.json as { error?: string } | undefined)?.error;
+    expect(
+      code !== undefined && ISOLATION_CODES.has(code),
+      driver.describe(
+        'spec/v1/rest-endpoints.md run_forbidden',
+        `error MUST be one of {${[...ISOLATION_CODES].join(', ')}} (fail-closed, no existence leak), got: ${code ?? '(absent)'}`,
+      ),
+    ).toBe(true);
+  });
+});