@openwop/openwop-conformance 1.4.0 → 1.6.0

package/src/scenarios/multi-region-idempotency-behavior.test.ts

@@ -0,0 +1,203 @@
+/**
+ * multi-region-idempotency-behavior — RFC 0036 §C convergence-rule behavioral probe.
+ *
+ * Companion to `multi-region-idempotency.test.ts` which carries the
+ * advertisement-shape probes. This file exercises the canonical convergence
+ * algorithm specified by `spec/v1/idempotency.md` §"Multi-region idempotency
+ * annex" via the host-extension test seam at:
+ *
+ *   POST /v1/host/sample/test/multi-region/simulate-partition
+ *
+ * The seam is conformance-only (host-extension namespace), gated on the
+ * host's `OPENWOP_TEST_MULTI_REGION_SIMULATOR=true` env var. The seam itself
+ * is OPTIONAL — hosts that don't expose it soft-skip; hosts that DO expose
+ * it MUST honor the annex's convergence rule:
+ *
+ *   1. Given ≥2 conflicting `ConflictClaim` records sharing
+ *      `(tenantId, endpoint, key)`, the host's resolver MUST return the
+ *      lex-min `runId` as the winner.
+ *   2. Every region (including the winner's) gets a cache redirect entry
+ *      pointing at the winner's runId.
+ *   3. The loser's cancel reason MUST be the canonical string
+ *      `cross_region_dedup_loss`.
+ *   4. The resolver MUST be order-invariant — shuffling the input claims
+ *      MUST produce the same winner.
+ *   5. Cross-region partition simulation: same idempotency-key submitted
+ *      to 2+ regions simultaneously converges to ONE survivor per the
+ *      lex-min rule, with no coordination required.
+ *
+ * @see RFCS/0036-multi-region-and-cross-engine-guarantees.md §C
+ * @see spec/v1/idempotency.md §"Multi-region idempotency annex"
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+
+const HTTP_SKIP = !process.env.OPENWOP_BASE_URL;
+
+interface ConflictClaim {
+  runId: string;
+  tenantId: string;
+  endpoint: string;
+  key: string;
+  region: string;
+}
+
+interface ConvergenceResult {
+  winner?: ConflictClaim;
+  losers?: ConflictClaim[];
+  cacheRedirects?: Array<{ region: string; cacheKey: string; redirectToRunId: string }>;
+  loserCancelReason?: string;
+}
+
+async function simulatePartition(claims: ConflictClaim[]): Promise<{ status: number; body: ConvergenceResult }> {
+  const res = await driver.post('/v1/host/sample/test/multi-region/simulate-partition', { claims });
+  return { status: res.status, body: (res.json as ConvergenceResult) ?? {} };
+}
+
+describe.skipIf(HTTP_SKIP)('multi-region-idempotency-behavior: convergence rule (RFC 0036 §C)', () => {
+  it('two-region conflict resolves to the lex-min runId per annex §"Convergence rule"', async (ctx) => {
+    const probe = await simulatePartition([
+      { runId: 'run-b-east', tenantId: 't1', endpoint: 'POST /v1/runs', key: 'idem-1', region: 'us-east-1' },
+      { runId: 'run-a-west', tenantId: 't1', endpoint: 'POST /v1/runs', key: 'idem-1', region: 'eu-west-1' },
+    ]);
+    if (probe.status === 404) {
+      ctx.skip(); // host doesn't expose the simulator seam
+      return;
+    }
+    expect(
+      probe.status,
+      driver.describe(
+        'idempotency.md §"Multi-region idempotency annex"',
+        'simulate-partition seam MUST return 200 when ≥2 conflicting claims are submitted',
+      ),
+    ).toBe(200);
+    expect(
+      probe.body.winner?.runId,
+      driver.describe(
+        'idempotency.md §"Convergence rule"',
+        'winner MUST be the lex-min runId (run-a-west < run-b-east)',
+      ),
+    ).toBe('run-a-west');
+  });
+
+  it('three-region partition resolves to a single winner', async (ctx) => {
+    const probe = await simulatePartition([
+      { runId: 'zzz-3', tenantId: 't1', endpoint: 'POST /v1/runs', key: 'idem-2', region: 'r1' },
+      { runId: 'aaa-1', tenantId: 't1', endpoint: 'POST /v1/runs', key: 'idem-2', region: 'r2' },
+      { runId: 'mmm-2', tenantId: 't1', endpoint: 'POST /v1/runs', key: 'idem-2', region: 'r3' },
+    ]);
+    if (probe.status === 404) {
+      ctx.skip();
+      return;
+    }
+    expect(probe.status).toBe(200);
+    expect(
+      probe.body.winner?.runId,
+      driver.describe(
+        'idempotency.md §"Convergence rule"',
+        'winner MUST be the lex-min runId across all conflicting claims',
+      ),
+    ).toBe('aaa-1');
+    expect(
+      probe.body.losers?.length,
+      driver.describe(
+        'idempotency.md §"Convergence rule"',
+        'losers array MUST contain N-1 entries when N claims conflict',
+      ),
+    ).toBe(2);
+  });
+
+  it('every region gets a cache redirect entry pointing at the winner', async (ctx) => {
+    const probe = await simulatePartition([
+      { runId: 'run-x', tenantId: 't1', endpoint: 'POST /v1/runs', key: 'idem-3', region: 'r1' },
+      { runId: 'run-a', tenantId: 't1', endpoint: 'POST /v1/runs', key: 'idem-3', region: 'r2' },
+    ]);
+    if (probe.status === 404) {
+      ctx.skip();
+      return;
+    }
+    expect(probe.status).toBe(200);
+    const redirects = probe.body.cacheRedirects ?? [];
+    expect(
+      redirects.length,
+      driver.describe(
+        'idempotency.md §"Convergence rule"',
+        'cacheRedirects MUST contain one entry per claim (including the winner)',
+      ),
+    ).toBe(2);
+    for (const redirect of redirects) {
+      expect(
+        redirect.redirectToRunId,
+        driver.describe(
+          'idempotency.md §"Convergence rule"',
+          'every cache redirect MUST point at the winner runId',
+        ),
+      ).toBe('run-a');
+    }
+  });
+
+  it('loser cancel reason MUST be the canonical `cross_region_dedup_loss` string', async (ctx) => {
+    const probe = await simulatePartition([
+      { runId: 'run-b', tenantId: 't1', endpoint: 'POST /v1/runs', key: 'idem-4', region: 'r1' },
+      { runId: 'run-a', tenantId: 't1', endpoint: 'POST /v1/runs', key: 'idem-4', region: 'r2' },
+    ]);
+    if (probe.status === 404) {
+      ctx.skip();
+      return;
+    }
+    expect(probe.status).toBe(200);
+    expect(
+      probe.body.loserCancelReason,
+      driver.describe(
+        'idempotency.md §"Convergence rule"',
+        'loserCancelReason MUST be the canonical `cross_region_dedup_loss` string',
+      ),
+    ).toBe('cross_region_dedup_loss');
+  });
+
+  it('resolver is order-invariant — shuffled inputs produce the same winner', async (ctx) => {
+    const claims: ConflictClaim[] = [
+      { runId: 'c', tenantId: 't1', endpoint: 'POST /v1/runs', key: 'idem-5', region: 'r1' },
+      { runId: 'a', tenantId: 't1', endpoint: 'POST /v1/runs', key: 'idem-5', region: 'r2' },
+      { runId: 'b', tenantId: 't1', endpoint: 'POST /v1/runs', key: 'idem-5', region: 'r3' },
+    ];
+    const p1 = await simulatePartition(claims);
+    if (p1.status === 404) {
+      ctx.skip();
+      return;
+    }
+    expect(p1.status).toBe(200);
+    const p2 = await simulatePartition([claims[2]!, claims[0]!, claims[1]!]);
+    expect(p2.status).toBe(200);
+    const p3 = await simulatePartition([...claims].reverse());
+    expect(p3.status).toBe(200);
+    expect(
+      p1.body.winner?.runId,
+      driver.describe(
+        'idempotency.md §"Convergence rule" — determinism',
+        'resolver MUST be order-invariant; all permutations MUST produce the same lex-min winner',
+      ),
+    ).toBe('a');
+    expect(p2.body.winner?.runId).toBe('a');
+    expect(p3.body.winner?.runId).toBe('a');
+  });
+
+  it('mismatched tuple rejects with 400 validation_error', async (ctx) => {
+    const probe = await simulatePartition([
+      { runId: 'r1', tenantId: 't1', endpoint: 'POST /v1/runs', key: 'idem-6', region: 'r1' },
+      { runId: 'r2', tenantId: 't2', endpoint: 'POST /v1/runs', key: 'idem-6', region: 'r2' },
+    ]);
+    if (probe.status === 404) {
+      ctx.skip();
+      return;
+    }
+    expect(
+      probe.status,
+      driver.describe(
+        'idempotency.md §"Convergence rule"',
+        'claims with non-matching (tenantId, endpoint, key) MUST be rejected — it would be a programming error in the caller',
+      ),
+    ).toBe(400);
+  });
+});

package/src/scenarios/oauth-capability-shape.test.ts

@@ -0,0 +1,97 @@
+/**
+ * oauth-capability-shape — RFC 0047 §A advertisement-shape verification.
+ *
+ * Status: DRAFT. RFC 0047 (`host.oauth`) is `Draft`. The
+ * `capabilities.oauth` block has landed in `schemas/capabilities.schema.json`.
+ *
+ * Always runs (shape-only): when the host advertises `capabilities.oauth`,
+ * its fields MUST be well-formed; when it doesn't, the block is absent.
+ *
+ * What this scenario asserts:
+ *   1. `capabilities.oauth` is either absent or a well-formed object.
+ *   2. When `supported: true`, `grants` (when present) is a subset of
+ *      {authorization_code, client_credentials, refresh_token}, and every
+ *      `providers[]` entry has a non-empty `id` (RFC 0047 §A).
+ *
+ * @see RFCS/0047-host-oauth-connector-flows.md
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+
+interface DiscoveryOAuthProvider {
+  id?: string;
+  authUrl?: string;
+  tokenUrl?: string;
+  scopesSupported?: string[];
+}
+
+interface DiscoveryOAuth {
+  supported?: boolean;
+  grants?: string[];
+  providers?: DiscoveryOAuthProvider[];
+}
+
+interface DiscoveryDoc {
+  capabilities?: {
+    oauth?: DiscoveryOAuth;
+  };
+}
+
+const VALID_GRANTS: ReadonlySet<string> = new Set([
+  'authorization_code',
+  'client_credentials',
+  'refresh_token',
+]);
+
+async function readOAuth(): Promise<DiscoveryOAuth | null> {
+  const res = await driver.get('/.well-known/openwop');
+  const body = res.json as DiscoveryDoc | undefined;
+  return body?.capabilities?.oauth ?? null;
+}
+
+describe('oauth-capability-shape: advertisement shape (RFC 0047 §A)', () => {
+  it('capabilities.oauth is either absent or well-formed', async () => {
+    const oauth = await readOAuth();
+    if (oauth === null) return; // host doesn't advertise host.oauth at all
+    expect(
+      typeof oauth.supported,
+      driver.describe(
+        'capabilities.schema.json §oauth',
+        'capabilities.oauth.supported MUST be a boolean when oauth is advertised',
+      ),
+    ).toBe('boolean');
+  });
+
+  it('grants is a subset of the canonical grant set when supported', async () => {
+    const oauth = await readOAuth();
+    if (!oauth?.supported || oauth.grants === undefined) return;
+    expect(
+      Array.isArray(oauth.grants),
+      driver.describe('RFC 0047 §A', 'capabilities.oauth.grants MUST be an array'),
+    ).toBe(true);
+    for (const grant of oauth.grants) {
+      expect(
+        VALID_GRANTS.has(grant),
+        driver.describe(
+          'RFC 0047 §A',
+          `capabilities.oauth.grants entries MUST be one of {${[...VALID_GRANTS].join(', ')}}, got: ${grant}`,
+        ),
+      ).toBe(true);
+    }
+  });
+
+  it('every advertised provider has a non-empty id when supported', async () => {
+    const oauth = await readOAuth();
+    if (!oauth?.supported || oauth.providers === undefined) return;
+    for (const provider of oauth.providers) {
+      expect(
+        typeof provider.id === 'string' && provider.id.length > 0,
+        driver.describe(
+          'RFC 0047 §A',
+          'each capabilities.oauth.providers[] entry MUST declare a non-empty id',
+        ),
+      ).toBe(true);
+    }
+  });
+});

package/src/scenarios/oauth-connector-redaction.test.ts

@@ -0,0 +1,91 @@
+/**
+ * oauth-connector-redaction — RFC 0047 §C / §D + `credential-payload-redaction`.
+ *
+ * Status: DRAFT. RFC 0047 (`host.oauth`) is `Draft`. Reuses the RFC 0046
+ * SECURITY invariant `credential-payload-redaction` — OAuth tokens acquired
+ * via host.oauth are stored as host.credentials entries and are subject to
+ * the same no-plaintext-on-the-wire rule.
+ *
+ * Capability-gated: skips when the host does not advertise
+ * `capabilities.oauth.supported = true`.
+ *
+ * What this scenario asserts:
+ *   1. Advertisement shape — `capabilities.oauth.supported` is a boolean.
+ *   2. Token-material redaction MUST-NOT — when the host exposes the optional
+ *      `POST /v1/host/sample/oauth/connector-echo` test seam (a synthetic
+ *      provider acquires a token whose value is a known canary, then a
+ *      connector node runs), the canary MUST NOT appear in ANY observable
+ *      run surface, and `connector.authorized` MUST carry the credential
+ *      reference rather than the token.
+ *
+ * Hosts without the seam soft-skip the redaction probe (404).
+ *
+ * @see RFCS/0047-host-oauth-connector-flows.md
+ * @see SECURITY/invariants.yaml id: credential-payload-redaction
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+
+interface DiscoveryOAuth {
+  supported?: boolean;
+}
+
+interface DiscoveryDoc {
+  capabilities?: {
+    oauth?: DiscoveryOAuth;
+  };
+}
+
+const TOKEN_CANARY = 'OPENWOP_OAUTH_CANARY_b7d3e1a9c2';
+
+async function readOAuth(): Promise<DiscoveryOAuth | null> {
+  const res = await driver.get('/.well-known/openwop');
+  const body = res.json as DiscoveryDoc | undefined;
+  return body?.capabilities?.oauth ?? null;
+}
+
+describe('oauth-connector-redaction: advertisement shape (RFC 0047 §A)', () => {
+  it('capabilities.oauth.supported is a boolean when advertised', async () => {
+    const oauth = await readOAuth();
+    if (oauth === null) return;
+    expect(
+      typeof oauth.supported,
+      driver.describe(
+        'capabilities.schema.json §oauth',
+        'capabilities.oauth.supported MUST be a boolean when oauth is advertised',
+      ),
+    ).toBe('boolean');
+  });
+});
+
+describe('oauth-connector-redaction: token material MUST NOT cross the wire (RFC 0047 §C.2)', () => {
+  it('canary token is absent from every observable run surface', async () => {
+    const oauth = await readOAuth();
+    if (!oauth?.supported) return; // capability-gated
+
+    // Seam contract: a synthetic provider issues a token whose value is
+    // TOKEN_CANARY, a connector node runs, and the run's observable surfaces
+    // (events incl. connector.authorized + snapshot + debug bundle) are returned.
+    const res = await driver.post('/v1/host/sample/oauth/connector-echo', { canary: TOKEN_CANARY });
+    // 404 from a host that hasn't wired the test seam is a soft-skip.
+    if (res.status === 404) return;
+
+    expect(
+      res.status,
+      driver.describe(
+        'RFC 0047 §C',
+        'the oauth connector-echo seam MUST acquire the token and return the run observable surfaces',
+      ),
+    ).toBeLessThan(400);
+
+    const serialized = JSON.stringify(res.json ?? {});
+    expect(
+      serialized.includes(TOKEN_CANARY),
+      driver.describe(
+        'SECURITY/invariants.yaml credential-payload-redaction',
+        'acquired OAuth token material MUST NOT appear in inputs, variables, channels, events, snapshot, or debug bundle — only the credential reference may cross the wire',
+      ),
+    ).toBe(false);
+  });
+});

package/src/scenarios/pack-registry-isolation.test.ts

@@ -0,0 +1,108 @@
+/**
+ * Pack-registry test-mode isolation — RFC 0025 §C point 1.
+ *
+ * Status: BEHAVIORAL (soft-skip). A pack PUT'd to `/v1/packs-test/*` MUST
+ * NOT appear in `/v1/packs/*` listings. This anchors the test-mode
+ * mirror's load-bearing safety invariant: the conformance suite is
+ * trusted to drive publish-error-catalog traffic against the test
+ * namespace precisely because the test catalog is guaranteed distinct
+ * from the production catalog.
+ *
+ * Soft-skips when the host doesn't advertise
+ * `capabilities.packs.testMode.supported: true` (or advertises
+ * `isolated: false` — in which case the host is honestly disclaiming
+ * the invariant and the conformance suite's other publish-error tests
+ * are not applicable either).
+ *
+ * @see RFCS/0025-test-mode-registry-namespace.md §C "Isolation guarantees"
+ * @see schemas/capabilities.schema.json §packs.testMode
+ * @see pack-registry-publish.test.ts (the 25 sibling scenarios this invariant unblocks)
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+
+interface DiscoveryDoc {
+  capabilities?: Record<string, unknown>;
+}
+
+interface TestModeAdvertisement {
+  readonly supported: boolean;
+  readonly isolated: boolean;
+}
+
+async function getTestModeAdvertisement(): Promise<TestModeAdvertisement | null> {
+  const res = await driver.get('/.well-known/openwop');
+  const body = res.json as DiscoveryDoc | undefined;
+  const top = body?.capabilities as Record<string, unknown> | undefined;
+  const packs = top && typeof top === 'object' ? (top['packs'] as Record<string, unknown> | undefined) : undefined;
+  const testMode = packs && typeof packs === 'object' ? (packs['testMode'] as Record<string, unknown> | undefined) : undefined;
+  if (!testMode || typeof testMode !== 'object') return null;
+  return {
+    supported: testMode['supported'] === true,
+    isolated: testMode['isolated'] === true,
+  };
+}
+
+function freshPackName(): string {
+  return `core.openwop.test-isolation-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
+}
+
+describe('pack-registry-isolation: test catalog MUST NOT bleed into production (RFC 0025 §C.1)', () => {
+  it('a pack PUT to /v1/packs-test/{name} MUST NOT appear in GET /v1/packs/{name}', async () => {
+    const adv = await getTestModeAdvertisement();
+    if (!adv || !adv.supported) return; // host doesn't advertise the seam
+    if (!adv.isolated) return; // host explicitly disclaims the invariant — no contract to assert
+
+    const name = freshPackName();
+    const version = '1.0.0';
+
+    // PUT to the test namespace. The body is intentionally minimal — the
+    // isolation invariant is independent of whether validation accepts
+    // or rejects the publish. Either outcome is fine; what's tested is
+    // that NEITHER outcome causes the pack to surface in the production
+    // catalog.
+    const putRes = await driver.put(
+      `/v1/packs-test/${encodeURIComponent(name)}/-/${encodeURIComponent(version)}.tgz`,
+      Buffer.from([0x1f, 0x8b, 0]),
+      { headers: { 'Content-Type': 'application/octet-stream' } },
+    );
+
+    // If the seam returns 404, the test-mode endpoint isn't actually
+    // wired up despite the advertisement — pack-registry-publish.test.ts
+    // catches that drift in 24 other scenarios; soft-skip here.
+    if (putRes.status === 404) return;
+
+    // Probe the production namespace. The invariant: a pack written
+    // via /v1/packs-test/* MUST NOT be retrievable via /v1/packs/*.
+    const prodRes = await driver.get(`/v1/packs/${encodeURIComponent(name)}`);
+
+    // 404 is the canonical "not found" — exactly what isolation requires.
+    // 200 with a payload that does NOT name our pack would mean the host
+    // returned a listing of unrelated packs (some hosts serve search-shaped
+    // results on /v1/packs/{nonexistent}); we check the negative explicitly.
+    if (prodRes.status === 200) {
+      const body = prodRes.json as Record<string, unknown> | undefined;
+      const stringified = body ? JSON.stringify(body) : '';
+      expect(
+        stringified.includes(name),
+        driver.describe(
+          'RFCS/0025-test-mode-registry-namespace.md §C point 1',
+          `pack name '${name}' was written via /v1/packs-test/${name}@${version} but appeared in /v1/packs/${name} response body — test-catalog isolation MUST hold`,
+        ),
+      ).toBe(false);
+      return;
+    }
+
+    // Acceptable: 4xx range (404 pack_not_found is the spec-canonical
+    // shape; 410/422 also fine — any "not present in production catalog"
+    // signal satisfies the invariant).
+    expect(
+      prodRes.status >= 400 && prodRes.status < 500,
+      driver.describe(
+        'RFCS/0025-test-mode-registry-namespace.md §C point 1',
+        `expected production-namespace GET to return 4xx for a test-namespace-only pack '${name}', got ${prodRes.status}`,
+      ),
+    ).toBe(true);
+  });
+});

package/src/scenarios/pack-registry-publish.test.ts

@@ -1,7 +1,7 @@
 /**
  * Pack-registry publish scenarios — `node-packs.md` §"PUT /v1/packs/{name}/-/{version}.tgz".
  *
- * Status: BEHAVIORAL (soft-skip). Per RFC 0025 (`Draft` 2026-05-19),
+ * Status: BEHAVIORAL (soft-skip). Per RFC 0025 (`Active` 2026-05-19),
  * the conformance suite drives the documented 19-code error catalog
  * via the test-mode mirror namespace `/v1/packs-test/*`, gated on
  * `capabilities.packs.testMode.supported: true`. Each scenario soft-

package/src/scenarios/prompt-mutation-workspace-membership-enforced.test.ts

@@ -0,0 +1,126 @@
+/**
+ * prompt-mutation-workspace-membership-enforced — RFC 0028 Tier-2 §"Workspace
+ * membership on workspace-scoped writes" verification.
+ *
+ * Status: ACTIVE (capability-gated; behavioral when the host advertises
+ * `capabilities.prompts.mutableLibrary: true`). Hosts that don't advertise
+ * mutableLibrary soft-skip cleanly.
+ *
+ * The contract (spec/v1/prompts.md §"Discovery & distribution" §"REST
+ * endpoints" §"Workspace membership on workspace-scoped writes"):
+ *
+ *   Hosts MUST verify that the authenticated principal is a member of the
+ *   target workspace BEFORE honoring any POST / PUT / DELETE to a
+ *   workspace-scoped /v1/prompts* resource. A workspaceId supplied by the
+ *   caller (request body, URL, or query string) MUST NOT be trusted as
+ *   authorization on its own. Non-members MUST be rejected fail-closed
+ *   (typically 403) before any persistence occurs.
+ *
+ * The probe drives `POST /v1/prompts` with a `workspaceId` the conformance
+ * principal cannot be a member of (a cryptographically-unique random value
+ * by default; operator-overridable via `OPENWOP_TEST_NONMEMBER_WORKSPACE_ID`
+ * for hosts that need a specific synthetic workspace shape). The behavioral
+ * MUST is that the host refuses — NOT a 2xx. Any 4xx/5xx is acceptable
+ * (401 = auth not configured for this surface; 403 = membership check;
+ * 404 = endpoint absent; 422 = body validation; 501 = capability not
+ * provided). The failure mode this invariant guards against is a SILENT
+ * 2xx with a write to a workspace the caller doesn't belong to — that's the
+ * RFC 0028 Tier-2 vulnerability self-disclosed by an adopter on 2026-05-25.
+ *
+ * Why a random workspaceId is sufficient: a non-member workspace check is
+ * negative-space — the host MUST refuse for ANY workspace the principal
+ * isn't a member of, and a random UUID has astronomically-low collision
+ * probability with any real workspace membership grant.
+ *
+ * @see RFCS/0028-prompt-library-endpoints.md §"Post-promotion notes"
+ * @see spec/v1/prompts.md §"Security invariants" §prompt-mutation-workspace-membership-enforced
+ * @see spec/v1/auth.md §"Identity claims — tenant · workspace · principal"
+ * @see RFCS/0048-tenant-workspace-principal-identity-model.md §D
+ */
+
+import { describe, it, expect } from 'vitest';
+import { randomUUID } from 'node:crypto';
+import { driver } from '../lib/driver.js';
+
+const HTTP_SKIP = !process.env.OPENWOP_BASE_URL;
+
+interface DiscoveryDoc {
+  capabilities?: {
+    prompts?: {
+      mutableLibrary?: unknown;
+    };
+  };
+}
+
+async function readDiscovery(): Promise<DiscoveryDoc | null> {
+  try {
+    const res = await driver.get('/.well-known/openwop');
+    if (res.status !== 200) return null;
+    return res.json as DiscoveryDoc;
+  } catch {
+    return null;
+  }
+}
+
+describe.skipIf(HTTP_SKIP)(
+  'prompt-mutation-workspace-membership-enforced: writes to non-member workspaces MUST be refused (RFC 0028 Tier-2)',
+  () => {
+    it('POST /v1/prompts with a workspaceId the principal is not a member of MUST NOT succeed with 2xx', async (ctx) => {
+      const d = await readDiscovery();
+      if (d === null) {
+        ctx.skip();
+        return;
+      }
+      const mutableLibrary = d.capabilities?.prompts?.mutableLibrary;
+      if (mutableLibrary !== true) {
+        ctx.skip();
+        return;
+      }
+
+      const nonMemberWorkspaceId =
+        process.env.OPENWOP_TEST_NONMEMBER_WORKSPACE_ID ??
+        `openwop-conformance-nonmember-${randomUUID()}`;
+
+      const res = await driver.post('/v1/prompts', {
+        workspaceId: nonMemberWorkspaceId,
+        templateId: `conformance-membership-probe-${randomUUID()}`,
+        version: '1.0.0',
+        kind: 'system',
+        text: 'conformance probe — SHOULD NOT persist',
+      });
+
+      // The conformance MUST: the host MUST NOT honor a write to a workspace
+      // the caller cannot prove membership of. Any refusal (4xx/5xx) is
+      // acceptable; a 2xx silent success is the failure mode that the RFC
+      // 0028 Tier-2 self-disclosed vulnerability demonstrated.
+      expect(
+        res.status,
+        driver.describe(
+          'spec/v1/prompts.md §Workspace membership on workspace-scoped reads and writes',
+          `mutating /v1/prompts MUST refuse a write to a non-member workspace; ` +
+            `got ${res.status} ${res.text.slice(0, 200)}`,
+        ),
+      ).toBeGreaterThanOrEqual(400);
+
+      // T1 canonicalization (2026-05-25): when the host CHOOSES 403 to
+      // signal the authz boundary, the response envelope MUST carry
+      // `error: "workspace_membership_required"` per rest-endpoints.md
+      // §"Common error codes". Hosts that refuse with other codes
+      // (401 if they treat the failure as authentication-level, 404 to
+      // avoid existence disclosure, 5xx on infra failure) have the
+      // refusal accepted above but the envelope shape is NOT constrained
+      // by this scenario — the canonical envelope is conditional on the
+      // 403 status code, not a forced upgrade.
+      if (res.status === 403) {
+        const body = res.json as { error?: unknown } | null;
+        expect(
+          body?.error,
+          driver.describe(
+            'spec/v1/rest-endpoints.md §Common error codes — workspace_membership_required',
+            `403 refusal of a workspace-scoped mutation MUST carry error: "workspace_membership_required"; got error: ${JSON.stringify(body?.error)}`,
+          ),
+        ).toBe('workspace_membership_required');
+      }
+    });
+  },
+);