@openwop/openwop-conformance 1.4.0 → 1.6.0

package/src/scenarios/deadletter-capability-shape.test.ts

@@ -0,0 +1,59 @@
+/**
+ * deadletter-capability-shape — RFC 0053 §A advertisement-shape verification.
+ *
+ * Status: DRAFT. RFC 0053 (dead-letter routing & failure sinks) is `Draft`.
+ * The `capabilities.deadLetter` block has landed in
+ * `schemas/capabilities.schema.json`.
+ *
+ * Always runs (shape-only): when the host advertises
+ * `capabilities.deadLetter`, its fields MUST be well-formed.
+ *
+ * What this scenario asserts:
+ *   1. `capabilities.deadLetter` is either absent or a well-formed object.
+ *   2. When `supported: true`, `retentionDays` (when present) is an integer ≥ 1
+ *      (RFC 0053 §A).
+ *
+ * @see RFCS/0053-dead-letter-routing-and-failure-sinks.md
+ * @see spec/v1/host-capabilities.md §host.deadLetter
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+
+interface DiscoveryDeadLetter {
+  supported?: boolean;
+  retentionDays?: number;
+}
+
+interface DiscoveryDoc {
+  capabilities?: { deadLetter?: DiscoveryDeadLetter };
+}
+
+async function readDeadLetter(): Promise<DiscoveryDeadLetter | null> {
+  const res = await driver.get('/.well-known/openwop');
+  const body = res.json as DiscoveryDoc | undefined;
+  return body?.capabilities?.deadLetter ?? null;
+}
+
+describe('deadletter-capability-shape: advertisement shape (RFC 0053 §A)', () => {
+  it('capabilities.deadLetter is either absent or well-formed', async () => {
+    const dl = await readDeadLetter();
+    if (dl === null) return; // host doesn't advertise deadLetter at all
+    expect(
+      typeof dl.supported,
+      driver.describe(
+        'capabilities.schema.json §deadLetter',
+        'capabilities.deadLetter.supported MUST be a boolean when deadLetter is advertised',
+      ),
+    ).toBe('boolean');
+  });
+
+  it('retentionDays is an integer >= 1 when present + supported', async () => {
+    const dl = await readDeadLetter();
+    if (!dl?.supported || dl.retentionDays === undefined) return;
+    expect(
+      Number.isInteger(dl.retentionDays) && dl.retentionDays >= 1,
+      driver.describe('RFC 0053 §A', `capabilities.deadLetter.retentionDays MUST be an integer >= 1, got: ${dl.retentionDays}`),
+    ).toBe(true);
+  });
+});

package/src/scenarios/deadletter-retry-exhaustion.test.ts

@@ -0,0 +1,62 @@
+/**
+ * deadletter-retry-exhaustion — RFC 0053 §C behavioral verification.
+ *
+ * Status: DRAFT. RFC 0053 (dead-letter routing & failure sinks) is `Draft`.
+ *
+ * Capability-gated: skips when the host does not advertise
+ * `capabilities.deadLetter.supported = true`.
+ *
+ * What this scenario asserts (via the optional
+ * `POST /v1/host/sample/deadletter/exhaust` test seam, which drives a node
+ * that deterministically exhausts a short retry policy):
+ *   1. Retry exhaustion → `run.dead_lettered` — the host emits the event
+ *      carrying `{ runId, reason, attempts }` (RFC 0053 §C.1).
+ *   2. Fork-eligibility — the dead-lettered run remains forkable per RFC 0011
+ *      within the retention window (RFC 0053 §C.2).
+ *
+ * Hosts without the seam soft-skip the behavioral probes (404). Retention
+ * purge is part of the deferred retention scenario (needs a clock seam).
+ *
+ * @see RFCS/0053-dead-letter-routing-and-failure-sinks.md
+ * @see spec/v1/host-capabilities.md §host.deadLetter
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+
+interface DiscoveryDoc {
+  capabilities?: { deadLetter?: { supported?: boolean } };
+}
+
+async function deadLetterSupported(): Promise<boolean> {
+  const res = await driver.get('/.well-known/openwop');
+  return (res.json as DiscoveryDoc | undefined)?.capabilities?.deadLetter?.supported === true;
+}
+
+describe('deadletter-retry-exhaustion: retry exhaustion → dead-lettered + fork-eligible (RFC 0053 §C)', () => {
+  it('a retry-exhausted run emits run.dead_lettered with attempts', async () => {
+    if (!(await deadLetterSupported())) return; // capability-gated
+    const res = await driver.post('/v1/host/sample/deadletter/exhaust', { scenario: 'exhaust-retries' });
+    if (res.status === 404) return; // seam unwired — soft-skip
+    const body = res.json as { event?: { type?: string; payload?: { attempts?: number; runId?: string } } } | undefined;
+    expect(
+      body?.event?.type,
+      driver.describe('RFC 0053 §C.1', 'retry exhaustion MUST emit a run.dead_lettered event'),
+    ).toBe('run.dead_lettered');
+    expect(
+      typeof body?.event?.payload?.attempts === 'number' && body.event.payload.attempts >= 1,
+      driver.describe('RFC 0053 §C.1', 'run.dead_lettered MUST carry the total attempts (>= 1)'),
+    ).toBe(true);
+  });
+
+  it('the dead-lettered run is fork-eligible (RFC 0011)', async () => {
+    if (!(await deadLetterSupported())) return; // capability-gated
+    const res = await driver.post('/v1/host/sample/deadletter/exhaust', { scenario: 'fork-after-dead-letter' });
+    if (res.status === 404) return; // seam unwired — soft-skip
+    const body = res.json as { forkEligible?: boolean } | undefined;
+    expect(
+      body?.forkEligible,
+      driver.describe('RFC 0053 §C.2', 'a dead-lettered run MUST remain fork-eligible within the retention window'),
+    ).toBe(true);
+  });
+});

package/src/scenarios/experimental-tier-shape.test.ts

@@ -0,0 +1,192 @@
+/**
+ * experimental-tier-shape — RFC 0042 §A + §B + §D advertisement-shape probes.
+ *
+ * RFC 0042 lands the audit's "Active RFC → experimental carve-out" pattern as
+ * an optional `tier ∈ {"stable", "experimental"}` field on capability
+ * advertisements, paired with a required `experimentalUntil` ISO-8601 sunset
+ * date when `tier === "experimental"`. This scenario asserts:
+ *
+ *   1. Schema discipline: when `multiAgent.executionModel` advertises `tier:
+ *      "experimental"`, `experimentalUntil` MUST be present + match
+ *      `YYYY-MM-DD` + be ≤ 365 days in the future.
+ *   2. Default-mode soft-skip routing: scenarios consuming
+ *      `experimentalGate()` honor the tier — the helper returns `false`
+ *      under default mode for `tier: "experimental"` capabilities so the
+ *      scenario soft-skips with a dedicated log line.
+ *   3. Sunset detection: a host advertising `experimentalUntil` in the
+ *      past MUST fail discovery validation (host responsibility — the
+ *      conformance probe simply asserts that the date format and bound
+ *      hold for hosts that DO advertise correctly).
+ *
+ * The scenario lives at three describe levels per the RFC 0042 §D
+ * "Conformance suite changes" contract.
+ *
+ * @see RFCS/0042-experimental-capability-tier.md
+ * @see schemas/capabilities.schema.json §multiAgent.executionModel.tier
+ * @see conformance/src/lib/behavior-gate.ts experimentalGate()
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+import { experimentalGate } from '../lib/behavior-gate.js';
+
+const HTTP_SKIP = !process.env.OPENWOP_BASE_URL;
+
+interface DiscoveryDoc {
+  capabilities?: {
+    multiAgent?: {
+      executionModel?: {
+        supported?: unknown;
+        tier?: unknown;
+        experimentalUntil?: unknown;
+      };
+    };
+  };
+}
+
+async function readDiscovery(): Promise<DiscoveryDoc | null> {
+  try {
+    const res = await driver.get('/.well-known/openwop');
+    if (res.status !== 200) return null;
+    return res.json as DiscoveryDoc;
+  } catch {
+    return null;
+  }
+}
+
+describe.skipIf(HTTP_SKIP)('experimental-tier-shape: §A schema discipline (RFC 0042 §A)', () => {
+  it('multiAgent.executionModel.tier (when present) MUST be one of {stable, experimental}', async (ctx) => {
+    const d = await readDiscovery();
+    const em = d?.capabilities?.multiAgent?.executionModel;
+    if (em === undefined) {
+      ctx.skip();
+      return;
+    }
+    if (em.tier === undefined) {
+      ctx.skip(); // tier is optional with default 'stable'
+      return;
+    }
+    expect(
+      em.tier === 'stable' || em.tier === 'experimental',
+      driver.describe(
+        'RFCS/0042-experimental-capability-tier.md §A',
+        'multiAgent.executionModel.tier MUST be one of the canonical enum values',
+      ),
+    ).toBe(true);
+  });
+
+  it('when tier === "experimental", experimentalUntil MUST be present + valid date', async (ctx) => {
+    const d = await readDiscovery();
+    const em = d?.capabilities?.multiAgent?.executionModel;
+    if (em === undefined || em.tier !== 'experimental') {
+      ctx.skip();
+      return;
+    }
+
+    expect(
+      typeof em.experimentalUntil,
+      driver.describe(
+        'RFCS/0042-experimental-capability-tier.md §B',
+        'when tier is "experimental", experimentalUntil MUST be present (the §B sunset-rule contract)',
+      ),
+    ).toBe('string');
+
+    const dateStr = em.experimentalUntil as string;
+    expect(
+      /^\d{4}-\d{2}-\d{2}$/.test(dateStr),
+      driver.describe(
+        'RFCS/0042-experimental-capability-tier.md §B',
+        'experimentalUntil MUST match YYYY-MM-DD',
+      ),
+    ).toBe(true);
+
+    const parsed = new Date(dateStr + 'T00:00:00Z');
+    expect(
+      !Number.isNaN(parsed.getTime()),
+      driver.describe(
+        'RFCS/0042-experimental-capability-tier.md §B',
+        'experimentalUntil MUST parse as a valid ISO-8601 date',
+      ),
+    ).toBe(true);
+  });
+
+  it('experimentalUntil MUST be ≤ 365 days in the future (sunset bound)', async (ctx) => {
+    const d = await readDiscovery();
+    const em = d?.capabilities?.multiAgent?.executionModel;
+    if (em === undefined || em.tier !== 'experimental') {
+      ctx.skip();
+      return;
+    }
+    if (typeof em.experimentalUntil !== 'string') {
+      ctx.skip(); // shape probe above will fail; don't double-fail
+      return;
+    }
+    const target = new Date((em.experimentalUntil as string) + 'T00:00:00Z').getTime();
+    const now = Date.now();
+    const daysAhead = (target - now) / (1000 * 60 * 60 * 24);
+    expect(
+      daysAhead <= 365,
+      driver.describe(
+        'RFCS/0042-experimental-capability-tier.md §B',
+        `experimentalUntil MUST be ≤ 365 days from now (got ${Math.floor(daysAhead)} days; advertised ${em.experimentalUntil})`,
+      ),
+    ).toBe(true);
+  });
+
+  it('sunset detection: experimentalUntil in the past is non-conformant', async (ctx) => {
+    const d = await readDiscovery();
+    const em = d?.capabilities?.multiAgent?.executionModel;
+    if (em === undefined || em.tier !== 'experimental') {
+      ctx.skip();
+      return;
+    }
+    if (typeof em.experimentalUntil !== 'string') {
+      ctx.skip();
+      return;
+    }
+    const target = new Date((em.experimentalUntil as string) + 'T00:00:00Z').getTime();
+    const now = Date.now();
+    expect(
+      target >= now,
+      driver.describe(
+        'RFCS/0042-experimental-capability-tier.md §B',
+        `experimentalUntil MUST NOT be in the past (advertised ${em.experimentalUntil}; host MUST either flip tier to stable, retract the advertisement, or re-advertise with a future date + open deprecation RFC)`,
+      ),
+    ).toBe(true);
+  });
+});
+
+describe.skipIf(HTTP_SKIP)('experimental-tier-shape: §D experimentalGate helper routing (RFC 0042 §D)', () => {
+  it('experimentalGate returns false for tier="experimental" without OPENWOP_REQUIRE_EXPERIMENTAL', () => {
+    // Helper-level behavioral probe — no host needed, this is a pure
+    // function-routing assertion against the imported helper.
+    const prevReqExp = process.env.OPENWOP_REQUIRE_EXPERIMENTAL;
+    delete process.env.OPENWOP_REQUIRE_EXPERIMENTAL;
+    try {
+      const result = experimentalGate('test-profile', true, 'experimental', '2027-05-22');
+      expect(
+        result,
+        driver.describe(
+          'RFCS/0042-experimental-capability-tier.md §D',
+          'default mode + tier="experimental" MUST soft-skip — helper returns false',
+        ),
+      ).toBe(false);
+    } finally {
+      if (prevReqExp !== undefined) process.env.OPENWOP_REQUIRE_EXPERIMENTAL = prevReqExp;
+    }
+  });
+
+  it('experimentalGate routes through behaviorGate when tier === undefined or "stable"', () => {
+    const prevReqBeh = process.env.OPENWOP_REQUIRE_BEHAVIOR;
+    delete process.env.OPENWOP_REQUIRE_BEHAVIOR;
+    try {
+      // Stable + advertised → proceed.
+      expect(experimentalGate('test-stable', true, 'stable')).toBe(true);
+      expect(experimentalGate('test-stable-undef', true, undefined)).toBe(true);
+      // Stable + NOT advertised, default mode → skip (returns false, no throw).
+      expect(experimentalGate('test-not-adv', false, 'stable')).toBe(false);
+    } finally {
+      if (prevReqBeh !== undefined) process.env.OPENWOP_REQUIRE_BEHAVIOR = prevReqBeh;
+    }
+  });
+});

package/src/scenarios/identity-owner-shape.test.ts

@@ -0,0 +1,64 @@
+/**
+ * identity-owner-shape — RFC 0048 §C verification.
+ *
+ * Status: DRAFT. RFC 0048 (tenant·workspace·principal identity model) is
+ * `Draft`. The optional `RunSnapshot.owner` triple has landed in
+ * `schemas/run-snapshot.schema.json`.
+ *
+ * Server-free schema validation of the owner triple:
+ *   - Positive: `{ tenant }` and `{ tenant, workspace, principal }` validate.
+ *   - Negative: missing `tenant` (required), or an unknown property, is rejected.
+ *
+ * The owner subschema is self-contained (no external $ref), so it compiles
+ * standalone via ajv.
+ *
+ * @see RFCS/0048-tenant-workspace-principal-identity-model.md
+ * @see schemas/run-snapshot.schema.json properties.owner
+ */
+
+import { describe, it, expect } from 'vitest';
+import { readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import Ajv2020 from 'ajv/dist/2020.js';
+import { SCHEMAS_DIR } from '../lib/paths.js';
+
+interface SnapshotSchema {
+  $schema: string;
+  properties: { owner?: Record<string, unknown> };
+}
+
+const snapshot = JSON.parse(
+  readFileSync(join(SCHEMAS_DIR, 'run-snapshot.schema.json'), 'utf8'),
+) as SnapshotSchema;
+
+describe('category: identity owner-triple shape (RFC 0048 §C)', () => {
+  it('run-snapshot.schema.json defines an optional owner triple', () => {
+    expect(
+      snapshot.properties.owner,
+      'RFC 0048 §C: RunSnapshot MUST define an optional `owner` object',
+    ).toBeDefined();
+  });
+
+  const ajv = new Ajv2020({ allErrors: true, strict: false });
+  const ownerSchema = { $schema: snapshot.$schema, ...(snapshot.properties.owner as Record<string, unknown>) };
+  const validate = ajv.compile(ownerSchema);
+
+  it('positive: tenant-only owner validates', () => {
+    expect(validate({ tenant: 'acme' }), JSON.stringify(validate.errors)).toBe(true);
+  });
+
+  it('positive: full triple validates', () => {
+    expect(
+      validate({ tenant: 'acme', workspace: 'ws-eng', principal: 'user_42' }),
+      JSON.stringify(validate.errors),
+    ).toBe(true);
+  });
+
+  it('negative: owner missing tenant is rejected (tenant is required)', () => {
+    expect(validate({ workspace: 'ws-eng' })).toBe(false);
+  });
+
+  it('negative: unknown owner property is rejected (additionalProperties:false)', () => {
+    expect(validate({ tenant: 'acme', role: 'admin' })).toBe(false);
+  });
+});

package/src/scenarios/multi-agent-confidence-escalation.test.ts

@@ -1,15 +1,16 @@
 /**
  * multi-agent-confidence-escalation — RFC 0039 §A behavioral.
  *
- * Status: ACTIVE (advertisement-shape + behavioral). RFC 0039 Phase 2
- * filed Draft → graduated Active 2026-05-22 in the same commit chain as
- * this scenario. Capability-gated on
+ * Status: ACTIVE (advertisement-shape + behavioral). RFC 0039
+ * (multi-agent execution model `version: 2`) filed Draft → graduated
+ * Active 2026-05-22 in the same commit chain as this scenario.
+ * Capability-gated on
  * `capabilities.multiAgent.executionModel.supported: true` AND
  * `capabilities.multiAgent.executionModel.version >= 2` AND fixture
- * availability. Hosts that advertise only Phase 1 (version: 1) soft-skip
- * cleanly — the confidence-floor MUST applies only at version >= 2.
+ * availability. Hosts that advertise only `version: 1` soft-skip
+ * cleanly — the confidence-floor MUST applies only at `version >= 2`.
  *
- * Asserts (behavioral when host advertises Phase 2):
+ * Asserts (behavioral when host advertises `version >= 2`):
  *
  *   1. Advertisement shape: confidenceEscalationFloor (when present) MUST be
  *      a number in [0.5, 1.0]; floor < 0.5 is non-conformant per RFC 0039 §A.
@@ -37,11 +38,11 @@
  *      interrupt fires AND BEFORE any `core.workflowChain.event` with
  *      `phase: 'dispatch.began'` for the escalated decision's intended
  *      next-worker"). This is the load-bearing test that distinguishes
- *      Phase 2 from Phase 1: Phase 1 hosts dispatch unconditionally; Phase 2
- *      hosts gate on confidence.
+ *      `version: 2` from `version: 1`: `version: 1` hosts dispatch
+ *      unconditionally; `version: 2` hosts gate on confidence.
  *
  * @see RFCS/0039-multi-agent-confidence-and-memory-lifecycle.md §A
- * @see spec/v1/multi-agent-execution.md §"Confidence escalation (RFC 0039 Phase 2)"
+ * @see spec/v1/multi-agent-execution.md §"Confidence escalation (RFC 0039)"
  * @see schemas/run-event-payloads.schema.json §coreWorkflowChainConfidenceEscalated
  */
 
@@ -63,6 +64,7 @@ interface DiscoveryDoc {
         supported?: unknown;
         version?: unknown;
         confidenceEscalationFloor?: unknown;
+        confidenceEscalationInterruptKind?: unknown;
       };
     };
   };
@@ -102,24 +104,60 @@ describe.skipIf(BEHAVIORAL_SKIP)('multi-agent-confidence-escalation: behavioral
     const supported = d?.capabilities?.multiAgent?.executionModel?.supported === true;
     const versionRaw = d?.capabilities?.multiAgent?.executionModel?.version;
     const version = typeof versionRaw === 'number' ? versionRaw : 0;
-    if (!supported || version < 2) return; // soft-skip — Phase 1 hosts pass via this absence
+    if (!supported || version < 2) return; // soft-skip — `version: 1` hosts pass via this absence
 
     const create = await driver.post('/v1/runs', { workflowId: FIXTURE });
     expect(create.status).toBe(201);
     const runId = (create.json as { runId: string }).runId;
 
     const terminal = await pollUntilTerminal(runId);
-    // Phase 2 escalation suspends the parent — NOT a terminal `completed`.
+    // RFC 0039 escalation suspends the parent — NOT a terminal `completed`.
     // The conformance pollUntilTerminal returns when the run reaches any
-    // settled status; we expect `waiting-clarification` or equivalent
-    // non-completed status carrying an open clarification interrupt.
-    expect(
-      terminal.status,
-      driver.describe(
-        'RFCS/0039-multi-agent-confidence-and-memory-lifecycle.md §A + spec/v1/interrupt.md',
-        'a host emitting `interrupt.kind: "clarification"` MUST surface the run as `waiting-clarification` per spec/v1/interrupt.md §"Interrupt kinds"; low-confidence decision MUST NOT reach `completed` because no dispatch fired',
-      ),
-    ).toBe('waiting-clarification');
+    // settled status. RFC 0039 §A gives hosts a choice: clarify-kind
+    // escalation (→ waiting-clarification) OR escalate-kind approval
+    // (→ waiting-approval).
+    //
+    // RFC 0044 routing: when the host advertises
+    // `capabilities.multiAgent.executionModel.confidenceEscalationInterruptKind`
+    // the scenario derives the expected terminal-status from that advertisement
+    // (canonical kinds map 1:1 to waiting-clarification / waiting-approval per
+    // `interrupt.md`; vendor `x-host-<host>-<kind>` kinds accept any waiting-*
+    // status — the host's own interrupt.md mapping determines the suffix).
+    // When the host does NOT advertise the field, fall back to the canonical
+    // either-status check.
+    const advertisedKind = d?.capabilities?.multiAgent?.executionModel?.confidenceEscalationInterruptKind;
+    const isVendorKind = typeof advertisedKind === 'string' && /^x-host-[a-z][a-z0-9-]*-[a-z][a-z0-9-]*$/.test(advertisedKind);
+    const isCanonicalKind = advertisedKind === 'clarification' || advertisedKind === 'approval';
+
+    if (isCanonicalKind) {
+      const expectedStatus = advertisedKind === 'clarification' ? 'waiting-clarification' : 'waiting-approval';
+      expect(
+        terminal.status,
+        driver.describe(
+          'RFCS/0044-confidence-escalation-interrupt-kind-advertisement.md §B',
+          `host advertising confidenceEscalationInterruptKind: "${advertisedKind}" MUST surface the run as "${expectedStatus}" per spec/v1/interrupt.md §"Interrupt kinds"`,
+        ),
+      ).toBe(expectedStatus);
+    } else if (isVendorKind) {
+      const status = terminal.status as string;
+      expect(
+        typeof status === 'string' && status.startsWith('waiting-'),
+        driver.describe(
+          'RFCS/0044-confidence-escalation-interrupt-kind-advertisement.md §B',
+          `host advertising vendor confidenceEscalationInterruptKind ("${advertisedKind}") MUST surface the run as a waiting-* status; the suffix is determined by the host's interrupt.md mapping (see the host's vendor-extensions doc per RFC 0044 §C)`,
+        ),
+      ).toBe(true);
+    } else {
+      // No advertisement — fall back to the canonical either-status check.
+      const acceptedStatuses = ['waiting-clarification', 'waiting-approval'];
+      expect(
+        acceptedStatuses.includes(terminal.status as string),
+        driver.describe(
+          'RFCS/0039-multi-agent-confidence-and-memory-lifecycle.md §A + spec/v1/interrupt.md',
+          'a host below the confidence floor MUST surface the run as `waiting-clarification` (clarify-kind escalation) OR `waiting-approval` (escalate-kind escalation) per RFC 0039 §A; the low-confidence decision MUST NOT reach `completed` because no dispatch fired',
+        ),
+      ).toBe(true);
+    }
 
     const eventsRes = await driver.get(`/v1/runs/${encodeURIComponent(runId)}/events`);
     expect(eventsRes.status).toBe(200);
@@ -151,7 +189,7 @@ describe.skipIf(BEHAVIORAL_SKIP)('multi-agent-confidence-escalation: behavioral
       'confidence-escalated causationId MUST point at the runOrchestrator.decided that surfaced the low-confidence decision',
     ).toBe('runOrchestrator.decided');
 
-    // Load-bearing: NO dispatch event fired. Phase 2 gates BEFORE the loop.
+    // Load-bearing: NO dispatch event fired. RFC 0039 gates BEFORE the loop.
     const chainEvents = events.filter((e) => e.type === 'core.workflowChain.event');
     expect(
       chainEvents.length,

package/src/scenarios/multi-agent-memory-lifecycle.test.ts

@@ -108,17 +108,92 @@ describe.skipIf(HTTP_SKIP)('multi-agent-memory-lifecycle: behavioral (RFC 0039
   // Until a memory-advertising Phase 2 host wires the seam, the contract
   // is documentation-only — surfaced as `todo` so test reporters track
   // the gap rather than reporting a vacuous PASS.
-  it.todo('MAE-2 cross-run TTL: child write expiresAt MUST be anchored at child write time, not parent start');
+  // MAE-2 is still out of stable profile via RFC 0042 §B (experimental
+  // tier): RFC 0039 §B Half B (MAE-2 + MAE-3) landed on MyndHyve
+  // 2026-05-23 via commit `a51f7bbd` (`snapshotAtSeq()` +
+  // `crossChildMemoryConcurrency: 'strict'`). The MAE-2 cross-run-ttl-
+  // roundtrip seam (POST /v1/host/sample/test/memory/cross-run-ttl-
+  // roundtrip) is still open per host-sample-test-seams.md §"Open seams"
+  // — no host has wired the seam endpoint yet, so the behavioral
+  // assertion stays `it.skip`. Hosts that implement Half B SHOULD
+  // advertise `multiAgent.executionModel.tier: 'experimental'` per
+  // RFC 0042 §A until the seam contract is wired.
+  it.skip('MAE-2 cross-run TTL: child write expiresAt MUST be anchored at child write time, not parent start — out of stable profile via RFC 0042');
 
-  // Behavioral assertion lands when the host implements the snapshot
-  // mechanism per RFC 0039 §B. The assertion drives:
-  //   1. Run a workflow that writes MemoryEntry { key: 'k', value: 'v1' } at index 10.
-  //   2. Write MemoryEntry { key: 'k', value: 'v2' } at index 20.
-  //   3. POST /v1/runs/{runId}:fork { fromSeq: 15 }.
-  //   4. Forked run reads MemoryEntry { key: 'k' }; MUST return 'v1' (not 'v2').
-  //   5. Alternative compliance: fork refused with
-  //      error.code: 'replay_memory_snapshot_unavailable' AND
-  //      details.fromSeq === 15.
-  // Silent substitution of v2 (current state) is non-conformant.
-  it.todo('MAE-3 replay snapshot: fork from past index MUST return memory-as-of-index OR refuse with replay_memory_snapshot_unavailable');
+  // MAE-3 flipped to behavioral 2026-05-25 — MyndHyve workflow-runtime
+  // revision `00206-tdh` advertises Phase 2 + memory and honors the
+  // POST /v1/runs/{runId}:fork mode:replay contract per
+  // host-sample-test-seams.md §"Canonical-endpoint conformance hooks"
+  // §9. The seam reuses the canonical fork endpoint plus the
+  // OPENWOP_TEST_EXPIRED_REPLAY_RUN_ID env-var convention (parallel
+  // naming to OPENWOP_TEST_EXPIRED_RUN_ID used by
+  // production-retention-expiry). Soft-skips on Phase 1 hosts, Phase 2
+  // hosts without memory, and hosts that have not seeded the env var.
+  it('MAE-3 replay snapshot refusal: fork mode:replay against a past-retention runId MUST return 422 replay_memory_snapshot_unavailable with documented envelope; silent substitution is non-conformant', async (ctx) => {
+    const d = await readDiscovery();
+    if (d === null) {
+      ctx.skip();
+      return;
+    }
+    const v = d.capabilities?.multiAgent?.executionModel?.version;
+    const memorySupported = d.capabilities?.memory?.supported;
+    const phase2OrLater = typeof v === 'number' && v >= 2;
+    const expiredRunId = process.env.OPENWOP_TEST_EXPIRED_REPLAY_RUN_ID;
+    if (!phase2OrLater || memorySupported !== true || !expiredRunId) {
+      ctx.skip();
+      return;
+    }
+
+    const fromSeq = 0;
+    const res = await driver.post(`/v1/runs/${encodeURIComponent(expiredRunId)}:fork`, {
+      mode: 'replay',
+      fromSeq,
+    });
+
+    expect(
+      res.status,
+      driver.describe(
+        'RFCS/0039-multi-agent-confidence-and-memory-lifecycle.md §B MAE-3',
+        'fork mode:replay against a past-retention runId MUST refuse with 422; silent substitution of current memory is non-conformant',
+      ),
+    ).toBe(422);
+
+    const body = res.json as {
+      error?: unknown;
+      details?: { fromSeq?: unknown; sourceRunId?: unknown; reason?: unknown };
+    } | null;
+
+    expect(
+      body?.error,
+      driver.describe(
+        'RFCS/0039-multi-agent-confidence-and-memory-lifecycle.md §B MAE-3',
+        'refusal envelope error code MUST be "replay_memory_snapshot_unavailable" (distinct from the pre-flight invalid_from_seq gate)',
+      ),
+    ).toBe('replay_memory_snapshot_unavailable');
+
+    expect(
+      body?.details?.fromSeq,
+      driver.describe(
+        'RFCS/0039-multi-agent-confidence-and-memory-lifecycle.md §B MAE-3',
+        'refusal envelope details.fromSeq MUST echo the requested fromSeq',
+      ),
+    ).toBe(fromSeq);
+
+    expect(
+      body?.details?.sourceRunId,
+      driver.describe(
+        'RFCS/0039-multi-agent-confidence-and-memory-lifecycle.md §B MAE-3',
+        'refusal envelope details.sourceRunId MUST echo the runId from the URL',
+      ),
+    ).toBe(expiredRunId);
+
+    const reason = body?.details?.reason;
+    expect(
+      reason === 'retention_expired' || reason === 'event_log_unavailable',
+      driver.describe(
+        'RFCS/0039-multi-agent-confidence-and-memory-lifecycle.md §B MAE-3',
+        'refusal envelope details.reason MUST be one of {"retention_expired", "event_log_unavailable"}',
+      ),
+    ).toBe(true);
+  });
 });