@openwop/openwop-conformance 1.5.0 → 1.6.0

package/src/scenarios/multi-agent-confidence-escalation.test.ts

@@ -1,15 +1,16 @@
 /**
  * multi-agent-confidence-escalation — RFC 0039 §A behavioral.
  *
- * Status: ACTIVE (advertisement-shape + behavioral). RFC 0039 Phase 2
- * filed Draft → graduated Active 2026-05-22 in the same commit chain as
- * this scenario. Capability-gated on
+ * Status: ACTIVE (advertisement-shape + behavioral). RFC 0039
+ * (multi-agent execution model `version: 2`) filed Draft → graduated
+ * Active 2026-05-22 in the same commit chain as this scenario.
+ * Capability-gated on
  * `capabilities.multiAgent.executionModel.supported: true` AND
  * `capabilities.multiAgent.executionModel.version >= 2` AND fixture
- * availability. Hosts that advertise only Phase 1 (version: 1) soft-skip
- * cleanly — the confidence-floor MUST applies only at version >= 2.
+ * availability. Hosts that advertise only `version: 1` soft-skip
+ * cleanly — the confidence-floor MUST applies only at `version >= 2`.
  *
- * Asserts (behavioral when host advertises Phase 2):
+ * Asserts (behavioral when host advertises `version >= 2`):
  *
  *   1. Advertisement shape: confidenceEscalationFloor (when present) MUST be
  *      a number in [0.5, 1.0]; floor < 0.5 is non-conformant per RFC 0039 §A.
@@ -37,11 +38,11 @@
  *      interrupt fires AND BEFORE any `core.workflowChain.event` with
  *      `phase: 'dispatch.began'` for the escalated decision's intended
  *      next-worker"). This is the load-bearing test that distinguishes
- *      Phase 2 from Phase 1: Phase 1 hosts dispatch unconditionally; Phase 2
- *      hosts gate on confidence.
+ *      `version: 2` from `version: 1`: `version: 1` hosts dispatch
+ *      unconditionally; `version: 2` hosts gate on confidence.
  *
  * @see RFCS/0039-multi-agent-confidence-and-memory-lifecycle.md §A
- * @see spec/v1/multi-agent-execution.md §"Confidence escalation (RFC 0039 Phase 2)"
+ * @see spec/v1/multi-agent-execution.md §"Confidence escalation (RFC 0039)"
  * @see schemas/run-event-payloads.schema.json §coreWorkflowChainConfidenceEscalated
  */
 
@@ -103,14 +104,14 @@ describe.skipIf(BEHAVIORAL_SKIP)('multi-agent-confidence-escalation: behavioral
     const supported = d?.capabilities?.multiAgent?.executionModel?.supported === true;
     const versionRaw = d?.capabilities?.multiAgent?.executionModel?.version;
     const version = typeof versionRaw === 'number' ? versionRaw : 0;
-    if (!supported || version < 2) return; // soft-skip — Phase 1 hosts pass via this absence
+    if (!supported || version < 2) return; // soft-skip — `version: 1` hosts pass via this absence
 
     const create = await driver.post('/v1/runs', { workflowId: FIXTURE });
     expect(create.status).toBe(201);
     const runId = (create.json as { runId: string }).runId;
 
     const terminal = await pollUntilTerminal(runId);
-    // Phase 2 escalation suspends the parent — NOT a terminal `completed`.
+    // RFC 0039 escalation suspends the parent — NOT a terminal `completed`.
     // The conformance pollUntilTerminal returns when the run reaches any
     // settled status. RFC 0039 §A gives hosts a choice: clarify-kind
     // escalation (→ waiting-clarification) OR escalate-kind approval
@@ -188,7 +189,7 @@ describe.skipIf(BEHAVIORAL_SKIP)('multi-agent-confidence-escalation: behavioral
       'confidence-escalated causationId MUST point at the runOrchestrator.decided that surfaced the low-confidence decision',
     ).toBe('runOrchestrator.decided');
 
-    // Load-bearing: NO dispatch event fired. Phase 2 gates BEFORE the loop.
+    // Load-bearing: NO dispatch event fired. RFC 0039 gates BEFORE the loop.
     const chainEvents = events.filter((e) => e.type === 'core.workflowChain.event');
     expect(
       chainEvents.length,

package/src/scenarios/multi-agent-memory-lifecycle.test.ts

@@ -108,17 +108,92 @@ describe.skipIf(HTTP_SKIP)('multi-agent-memory-lifecycle: behavioral (RFC 0039
   // Until a memory-advertising Phase 2 host wires the seam, the contract
   // is documentation-only — surfaced as `todo` so test reporters track
   // the gap rather than reporting a vacuous PASS.
-  it.todo('MAE-2 cross-run TTL: child write expiresAt MUST be anchored at child write time, not parent start');
+  // MAE-2 is still out of stable profile via RFC 0042 §B (experimental
+  // tier): RFC 0039 §B Half B (MAE-2 + MAE-3) landed on MyndHyve
+  // 2026-05-23 via commit `a51f7bbd` (`snapshotAtSeq()` +
+  // `crossChildMemoryConcurrency: 'strict'`). The MAE-2 cross-run-ttl-
+  // roundtrip seam (POST /v1/host/sample/test/memory/cross-run-ttl-
+  // roundtrip) is still open per host-sample-test-seams.md §"Open seams"
+  // — no host has wired the seam endpoint yet, so the behavioral
+  // assertion stays `it.skip`. Hosts that implement Half B SHOULD
+  // advertise `multiAgent.executionModel.tier: 'experimental'` per
+  // RFC 0042 §A until the seam contract is wired.
+  it.skip('MAE-2 cross-run TTL: child write expiresAt MUST be anchored at child write time, not parent start — out of stable profile via RFC 0042');
 
-  // Behavioral assertion lands when the host implements the snapshot
-  // mechanism per RFC 0039 §B. The assertion drives:
-  //   1. Run a workflow that writes MemoryEntry { key: 'k', value: 'v1' } at index 10.
-  //   2. Write MemoryEntry { key: 'k', value: 'v2' } at index 20.
-  //   3. POST /v1/runs/{runId}:fork { fromSeq: 15 }.
-  //   4. Forked run reads MemoryEntry { key: 'k' }; MUST return 'v1' (not 'v2').
-  //   5. Alternative compliance: fork refused with
-  //      error.code: 'replay_memory_snapshot_unavailable' AND
-  //      details.fromSeq === 15.
-  // Silent substitution of v2 (current state) is non-conformant.
-  it.todo('MAE-3 replay snapshot: fork from past index MUST return memory-as-of-index OR refuse with replay_memory_snapshot_unavailable');
+  // MAE-3 flipped to behavioral 2026-05-25 — MyndHyve workflow-runtime
+  // revision `00206-tdh` advertises Phase 2 + memory and honors the
+  // POST /v1/runs/{runId}:fork mode:replay contract per
+  // host-sample-test-seams.md §"Canonical-endpoint conformance hooks"
+  // §9. The seam reuses the canonical fork endpoint plus the
+  // OPENWOP_TEST_EXPIRED_REPLAY_RUN_ID env-var convention (parallel
+  // naming to OPENWOP_TEST_EXPIRED_RUN_ID used by
+  // production-retention-expiry). Soft-skips on Phase 1 hosts, Phase 2
+  // hosts without memory, and hosts that have not seeded the env var.
+  it('MAE-3 replay snapshot refusal: fork mode:replay against a past-retention runId MUST return 422 replay_memory_snapshot_unavailable with documented envelope; silent substitution is non-conformant', async (ctx) => {
+    const d = await readDiscovery();
+    if (d === null) {
+      ctx.skip();
+      return;
+    }
+    const v = d.capabilities?.multiAgent?.executionModel?.version;
+    const memorySupported = d.capabilities?.memory?.supported;
+    const phase2OrLater = typeof v === 'number' && v >= 2;
+    const expiredRunId = process.env.OPENWOP_TEST_EXPIRED_REPLAY_RUN_ID;
+    if (!phase2OrLater || memorySupported !== true || !expiredRunId) {
+      ctx.skip();
+      return;
+    }
+
+    const fromSeq = 0;
+    const res = await driver.post(`/v1/runs/${encodeURIComponent(expiredRunId)}:fork`, {
+      mode: 'replay',
+      fromSeq,
+    });
+
+    expect(
+      res.status,
+      driver.describe(
+        'RFCS/0039-multi-agent-confidence-and-memory-lifecycle.md §B MAE-3',
+        'fork mode:replay against a past-retention runId MUST refuse with 422; silent substitution of current memory is non-conformant',
+      ),
+    ).toBe(422);
+
+    const body = res.json as {
+      error?: unknown;
+      details?: { fromSeq?: unknown; sourceRunId?: unknown; reason?: unknown };
+    } | null;
+
+    expect(
+      body?.error,
+      driver.describe(
+        'RFCS/0039-multi-agent-confidence-and-memory-lifecycle.md §B MAE-3',
+        'refusal envelope error code MUST be "replay_memory_snapshot_unavailable" (distinct from the pre-flight invalid_from_seq gate)',
+      ),
+    ).toBe('replay_memory_snapshot_unavailable');
+
+    expect(
+      body?.details?.fromSeq,
+      driver.describe(
+        'RFCS/0039-multi-agent-confidence-and-memory-lifecycle.md §B MAE-3',
+        'refusal envelope details.fromSeq MUST echo the requested fromSeq',
+      ),
+    ).toBe(fromSeq);
+
+    expect(
+      body?.details?.sourceRunId,
+      driver.describe(
+        'RFCS/0039-multi-agent-confidence-and-memory-lifecycle.md §B MAE-3',
+        'refusal envelope details.sourceRunId MUST echo the runId from the URL',
+      ),
+    ).toBe(expiredRunId);
+
+    const reason = body?.details?.reason;
+    expect(
+      reason === 'retention_expired' || reason === 'event_log_unavailable',
+      driver.describe(
+        'RFCS/0039-multi-agent-confidence-and-memory-lifecycle.md §B MAE-3',
+        'refusal envelope details.reason MUST be one of {"retention_expired", "event_log_unavailable"}',
+      ),
+    ).toBe(true);
+  });
 });

package/src/scenarios/multi-region-idempotency-behavior.test.ts

@@ -0,0 +1,203 @@
+/**
+ * multi-region-idempotency-behavior — RFC 0036 §C convergence-rule behavioral probe.
+ *
+ * Companion to `multi-region-idempotency.test.ts` which carries the
+ * advertisement-shape probes. This file exercises the canonical convergence
+ * algorithm specified by `spec/v1/idempotency.md` §"Multi-region idempotency
+ * annex" via the host-extension test seam at:
+ *
+ *   POST /v1/host/sample/test/multi-region/simulate-partition
+ *
+ * The seam is conformance-only (host-extension namespace), gated on the
+ * host's `OPENWOP_TEST_MULTI_REGION_SIMULATOR=true` env var. The seam itself
+ * is OPTIONAL — hosts that don't expose it soft-skip; hosts that DO expose
+ * it MUST honor the annex's convergence rule:
+ *
+ *   1. Given ≥2 conflicting `ConflictClaim` records sharing
+ *      `(tenantId, endpoint, key)`, the host's resolver MUST return the
+ *      lex-min `runId` as the winner.
+ *   2. Every region (including the winner's) gets a cache redirect entry
+ *      pointing at the winner's runId.
+ *   3. The loser's cancel reason MUST be the canonical string
+ *      `cross_region_dedup_loss`.
+ *   4. The resolver MUST be order-invariant — shuffling the input claims
+ *      MUST produce the same winner.
+ *   5. Cross-region partition simulation: same idempotency-key submitted
+ *      to 2+ regions simultaneously converges to ONE survivor per the
+ *      lex-min rule, with no coordination required.
+ *
+ * @see RFCS/0036-multi-region-and-cross-engine-guarantees.md §C
+ * @see spec/v1/idempotency.md §"Multi-region idempotency annex"
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+
+const HTTP_SKIP = !process.env.OPENWOP_BASE_URL;
+
+interface ConflictClaim {
+  runId: string;
+  tenantId: string;
+  endpoint: string;
+  key: string;
+  region: string;
+}
+
+interface ConvergenceResult {
+  winner?: ConflictClaim;
+  losers?: ConflictClaim[];
+  cacheRedirects?: Array<{ region: string; cacheKey: string; redirectToRunId: string }>;
+  loserCancelReason?: string;
+}
+
+async function simulatePartition(claims: ConflictClaim[]): Promise<{ status: number; body: ConvergenceResult }> {
+  const res = await driver.post('/v1/host/sample/test/multi-region/simulate-partition', { claims });
+  return { status: res.status, body: (res.json as ConvergenceResult) ?? {} };
+}
+
+describe.skipIf(HTTP_SKIP)('multi-region-idempotency-behavior: convergence rule (RFC 0036 §C)', () => {
+  it('two-region conflict resolves to the lex-min runId per annex §"Convergence rule"', async (ctx) => {
+    const probe = await simulatePartition([
+      { runId: 'run-b-east', tenantId: 't1', endpoint: 'POST /v1/runs', key: 'idem-1', region: 'us-east-1' },
+      { runId: 'run-a-west', tenantId: 't1', endpoint: 'POST /v1/runs', key: 'idem-1', region: 'eu-west-1' },
+    ]);
+    if (probe.status === 404) {
+      ctx.skip(); // host doesn't expose the simulator seam
+      return;
+    }
+    expect(
+      probe.status,
+      driver.describe(
+        'idempotency.md §"Multi-region idempotency annex"',
+        'simulate-partition seam MUST return 200 when ≥2 conflicting claims are submitted',
+      ),
+    ).toBe(200);
+    expect(
+      probe.body.winner?.runId,
+      driver.describe(
+        'idempotency.md §"Convergence rule"',
+        'winner MUST be the lex-min runId (run-a-west < run-b-east)',
+      ),
+    ).toBe('run-a-west');
+  });
+
+  it('three-region partition resolves to a single winner', async (ctx) => {
+    const probe = await simulatePartition([
+      { runId: 'zzz-3', tenantId: 't1', endpoint: 'POST /v1/runs', key: 'idem-2', region: 'r1' },
+      { runId: 'aaa-1', tenantId: 't1', endpoint: 'POST /v1/runs', key: 'idem-2', region: 'r2' },
+      { runId: 'mmm-2', tenantId: 't1', endpoint: 'POST /v1/runs', key: 'idem-2', region: 'r3' },
+    ]);
+    if (probe.status === 404) {
+      ctx.skip();
+      return;
+    }
+    expect(probe.status).toBe(200);
+    expect(
+      probe.body.winner?.runId,
+      driver.describe(
+        'idempotency.md §"Convergence rule"',
+        'winner MUST be the lex-min runId across all conflicting claims',
+      ),
+    ).toBe('aaa-1');
+    expect(
+      probe.body.losers?.length,
+      driver.describe(
+        'idempotency.md §"Convergence rule"',
+        'losers array MUST contain N-1 entries when N claims conflict',
+      ),
+    ).toBe(2);
+  });
+
+  it('every region gets a cache redirect entry pointing at the winner', async (ctx) => {
+    const probe = await simulatePartition([
+      { runId: 'run-x', tenantId: 't1', endpoint: 'POST /v1/runs', key: 'idem-3', region: 'r1' },
+      { runId: 'run-a', tenantId: 't1', endpoint: 'POST /v1/runs', key: 'idem-3', region: 'r2' },
+    ]);
+    if (probe.status === 404) {
+      ctx.skip();
+      return;
+    }
+    expect(probe.status).toBe(200);
+    const redirects = probe.body.cacheRedirects ?? [];
+    expect(
+      redirects.length,
+      driver.describe(
+        'idempotency.md §"Convergence rule"',
+        'cacheRedirects MUST contain one entry per claim (including the winner)',
+      ),
+    ).toBe(2);
+    for (const redirect of redirects) {
+      expect(
+        redirect.redirectToRunId,
+        driver.describe(
+          'idempotency.md §"Convergence rule"',
+          'every cache redirect MUST point at the winner runId',
+        ),
+      ).toBe('run-a');
+    }
+  });
+
+  it('loser cancel reason MUST be the canonical `cross_region_dedup_loss` string', async (ctx) => {
+    const probe = await simulatePartition([
+      { runId: 'run-b', tenantId: 't1', endpoint: 'POST /v1/runs', key: 'idem-4', region: 'r1' },
+      { runId: 'run-a', tenantId: 't1', endpoint: 'POST /v1/runs', key: 'idem-4', region: 'r2' },
+    ]);
+    if (probe.status === 404) {
+      ctx.skip();
+      return;
+    }
+    expect(probe.status).toBe(200);
+    expect(
+      probe.body.loserCancelReason,
+      driver.describe(
+        'idempotency.md §"Convergence rule"',
+        'loserCancelReason MUST be the canonical `cross_region_dedup_loss` string',
+      ),
+    ).toBe('cross_region_dedup_loss');
+  });
+
+  it('resolver is order-invariant — shuffled inputs produce the same winner', async (ctx) => {
+    const claims: ConflictClaim[] = [
+      { runId: 'c', tenantId: 't1', endpoint: 'POST /v1/runs', key: 'idem-5', region: 'r1' },
+      { runId: 'a', tenantId: 't1', endpoint: 'POST /v1/runs', key: 'idem-5', region: 'r2' },
+      { runId: 'b', tenantId: 't1', endpoint: 'POST /v1/runs', key: 'idem-5', region: 'r3' },
+    ];
+    const p1 = await simulatePartition(claims);
+    if (p1.status === 404) {
+      ctx.skip();
+      return;
+    }
+    expect(p1.status).toBe(200);
+    const p2 = await simulatePartition([claims[2]!, claims[0]!, claims[1]!]);
+    expect(p2.status).toBe(200);
+    const p3 = await simulatePartition([...claims].reverse());
+    expect(p3.status).toBe(200);
+    expect(
+      p1.body.winner?.runId,
+      driver.describe(
+        'idempotency.md §"Convergence rule" — determinism',
+        'resolver MUST be order-invariant; all permutations MUST produce the same lex-min winner',
+      ),
+    ).toBe('a');
+    expect(p2.body.winner?.runId).toBe('a');
+    expect(p3.body.winner?.runId).toBe('a');
+  });
+
+  it('mismatched tuple rejects with 400 validation_error', async (ctx) => {
+    const probe = await simulatePartition([
+      { runId: 'r1', tenantId: 't1', endpoint: 'POST /v1/runs', key: 'idem-6', region: 'r1' },
+      { runId: 'r2', tenantId: 't2', endpoint: 'POST /v1/runs', key: 'idem-6', region: 'r2' },
+    ]);
+    if (probe.status === 404) {
+      ctx.skip();
+      return;
+    }
+    expect(
+      probe.status,
+      driver.describe(
+        'idempotency.md §"Convergence rule"',
+        'claims with non-matching (tenantId, endpoint, key) MUST be rejected — it would be a programming error in the caller',
+      ),
+    ).toBe(400);
+  });
+});

package/src/scenarios/oauth-capability-shape.test.ts

@@ -0,0 +1,97 @@
+/**
+ * oauth-capability-shape — RFC 0047 §A advertisement-shape verification.
+ *
+ * Status: DRAFT. RFC 0047 (`host.oauth`) is `Draft`. The
+ * `capabilities.oauth` block has landed in `schemas/capabilities.schema.json`.
+ *
+ * Always runs (shape-only): when the host advertises `capabilities.oauth`,
+ * its fields MUST be well-formed; when it doesn't, the block is absent.
+ *
+ * What this scenario asserts:
+ *   1. `capabilities.oauth` is either absent or a well-formed object.
+ *   2. When `supported: true`, `grants` (when present) is a subset of
+ *      {authorization_code, client_credentials, refresh_token}, and every
+ *      `providers[]` entry has a non-empty `id` (RFC 0047 §A).
+ *
+ * @see RFCS/0047-host-oauth-connector-flows.md
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+
+interface DiscoveryOAuthProvider {
+  id?: string;
+  authUrl?: string;
+  tokenUrl?: string;
+  scopesSupported?: string[];
+}
+
+interface DiscoveryOAuth {
+  supported?: boolean;
+  grants?: string[];
+  providers?: DiscoveryOAuthProvider[];
+}
+
+interface DiscoveryDoc {
+  capabilities?: {
+    oauth?: DiscoveryOAuth;
+  };
+}
+
+const VALID_GRANTS: ReadonlySet<string> = new Set([
+  'authorization_code',
+  'client_credentials',
+  'refresh_token',
+]);
+
+async function readOAuth(): Promise<DiscoveryOAuth | null> {
+  const res = await driver.get('/.well-known/openwop');
+  const body = res.json as DiscoveryDoc | undefined;
+  return body?.capabilities?.oauth ?? null;
+}
+
+describe('oauth-capability-shape: advertisement shape (RFC 0047 §A)', () => {
+  it('capabilities.oauth is either absent or well-formed', async () => {
+    const oauth = await readOAuth();
+    if (oauth === null) return; // host doesn't advertise host.oauth at all
+    expect(
+      typeof oauth.supported,
+      driver.describe(
+        'capabilities.schema.json §oauth',
+        'capabilities.oauth.supported MUST be a boolean when oauth is advertised',
+      ),
+    ).toBe('boolean');
+  });
+
+  it('grants is a subset of the canonical grant set when supported', async () => {
+    const oauth = await readOAuth();
+    if (!oauth?.supported || oauth.grants === undefined) return;
+    expect(
+      Array.isArray(oauth.grants),
+      driver.describe('RFC 0047 §A', 'capabilities.oauth.grants MUST be an array'),
+    ).toBe(true);
+    for (const grant of oauth.grants) {
+      expect(
+        VALID_GRANTS.has(grant),
+        driver.describe(
+          'RFC 0047 §A',
+          `capabilities.oauth.grants entries MUST be one of {${[...VALID_GRANTS].join(', ')}}, got: ${grant}`,
+        ),
+      ).toBe(true);
+    }
+  });
+
+  it('every advertised provider has a non-empty id when supported', async () => {
+    const oauth = await readOAuth();
+    if (!oauth?.supported || oauth.providers === undefined) return;
+    for (const provider of oauth.providers) {
+      expect(
+        typeof provider.id === 'string' && provider.id.length > 0,
+        driver.describe(
+          'RFC 0047 §A',
+          'each capabilities.oauth.providers[] entry MUST declare a non-empty id',
+        ),
+      ).toBe(true);
+    }
+  });
+});

package/src/scenarios/oauth-connector-redaction.test.ts

@@ -0,0 +1,91 @@
+/**
+ * oauth-connector-redaction — RFC 0047 §C / §D + `credential-payload-redaction`.
+ *
+ * Status: DRAFT. RFC 0047 (`host.oauth`) is `Draft`. Reuses the RFC 0046
+ * SECURITY invariant `credential-payload-redaction` — OAuth tokens acquired
+ * via host.oauth are stored as host.credentials entries and are subject to
+ * the same no-plaintext-on-the-wire rule.
+ *
+ * Capability-gated: skips when the host does not advertise
+ * `capabilities.oauth.supported = true`.
+ *
+ * What this scenario asserts:
+ *   1. Advertisement shape — `capabilities.oauth.supported` is a boolean.
+ *   2. Token-material redaction MUST-NOT — when the host exposes the optional
+ *      `POST /v1/host/sample/oauth/connector-echo` test seam (a synthetic
+ *      provider acquires a token whose value is a known canary, then a
+ *      connector node runs), the canary MUST NOT appear in ANY observable
+ *      run surface, and `connector.authorized` MUST carry the credential
+ *      reference rather than the token.
+ *
+ * Hosts without the seam soft-skip the redaction probe (404).
+ *
+ * @see RFCS/0047-host-oauth-connector-flows.md
+ * @see SECURITY/invariants.yaml id: credential-payload-redaction
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+
+interface DiscoveryOAuth {
+  supported?: boolean;
+}
+
+interface DiscoveryDoc {
+  capabilities?: {
+    oauth?: DiscoveryOAuth;
+  };
+}
+
+const TOKEN_CANARY = 'OPENWOP_OAUTH_CANARY_b7d3e1a9c2';
+
+async function readOAuth(): Promise<DiscoveryOAuth | null> {
+  const res = await driver.get('/.well-known/openwop');
+  const body = res.json as DiscoveryDoc | undefined;
+  return body?.capabilities?.oauth ?? null;
+}
+
+describe('oauth-connector-redaction: advertisement shape (RFC 0047 §A)', () => {
+  it('capabilities.oauth.supported is a boolean when advertised', async () => {
+    const oauth = await readOAuth();
+    if (oauth === null) return;
+    expect(
+      typeof oauth.supported,
+      driver.describe(
+        'capabilities.schema.json §oauth',
+        'capabilities.oauth.supported MUST be a boolean when oauth is advertised',
+      ),
+    ).toBe('boolean');
+  });
+});
+
+describe('oauth-connector-redaction: token material MUST NOT cross the wire (RFC 0047 §C.2)', () => {
+  it('canary token is absent from every observable run surface', async () => {
+    const oauth = await readOAuth();
+    if (!oauth?.supported) return; // capability-gated
+
+    // Seam contract: a synthetic provider issues a token whose value is
+    // TOKEN_CANARY, a connector node runs, and the run's observable surfaces
+    // (events incl. connector.authorized + snapshot + debug bundle) are returned.
+    const res = await driver.post('/v1/host/sample/oauth/connector-echo', { canary: TOKEN_CANARY });
+    // 404 from a host that hasn't wired the test seam is a soft-skip.
+    if (res.status === 404) return;
+
+    expect(
+      res.status,
+      driver.describe(
+        'RFC 0047 §C',
+        'the oauth connector-echo seam MUST acquire the token and return the run observable surfaces',
+      ),
+    ).toBeLessThan(400);
+
+    const serialized = JSON.stringify(res.json ?? {});
+    expect(
+      serialized.includes(TOKEN_CANARY),
+      driver.describe(
+        'SECURITY/invariants.yaml credential-payload-redaction',
+        'acquired OAuth token material MUST NOT appear in inputs, variables, channels, events, snapshot, or debug bundle — only the credential reference may cross the wire',
+      ),
+    ).toBe(false);
+  });
+});

package/src/scenarios/pack-registry-isolation.test.ts

@@ -0,0 +1,108 @@
+/**
+ * Pack-registry test-mode isolation — RFC 0025 §C point 1.
+ *
+ * Status: BEHAVIORAL (soft-skip). A pack PUT'd to `/v1/packs-test/*` MUST
+ * NOT appear in `/v1/packs/*` listings. This anchors the test-mode
+ * mirror's load-bearing safety invariant: the conformance suite is
+ * trusted to drive publish-error-catalog traffic against the test
+ * namespace precisely because the test catalog is guaranteed distinct
+ * from the production catalog.
+ *
+ * Soft-skips when the host doesn't advertise
+ * `capabilities.packs.testMode.supported: true` (or advertises
+ * `isolated: false` — in which case the host is honestly disclaiming
+ * the invariant and the conformance suite's other publish-error tests
+ * are not applicable either).
+ *
+ * @see RFCS/0025-test-mode-registry-namespace.md §C "Isolation guarantees"
+ * @see schemas/capabilities.schema.json §packs.testMode
+ * @see pack-registry-publish.test.ts (the 25 sibling scenarios this invariant unblocks)
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+
+interface DiscoveryDoc {
+  capabilities?: Record<string, unknown>;
+}
+
+interface TestModeAdvertisement {
+  readonly supported: boolean;
+  readonly isolated: boolean;
+}
+
+async function getTestModeAdvertisement(): Promise<TestModeAdvertisement | null> {
+  const res = await driver.get('/.well-known/openwop');
+  const body = res.json as DiscoveryDoc | undefined;
+  const top = body?.capabilities as Record<string, unknown> | undefined;
+  const packs = top && typeof top === 'object' ? (top['packs'] as Record<string, unknown> | undefined) : undefined;
+  const testMode = packs && typeof packs === 'object' ? (packs['testMode'] as Record<string, unknown> | undefined) : undefined;
+  if (!testMode || typeof testMode !== 'object') return null;
+  return {
+    supported: testMode['supported'] === true,
+    isolated: testMode['isolated'] === true,
+  };
+}
+
+function freshPackName(): string {
+  return `core.openwop.test-isolation-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
+}
+
+describe('pack-registry-isolation: test catalog MUST NOT bleed into production (RFC 0025 §C.1)', () => {
+  it('a pack PUT to /v1/packs-test/{name} MUST NOT appear in GET /v1/packs/{name}', async () => {
+    const adv = await getTestModeAdvertisement();
+    if (!adv || !adv.supported) return; // host doesn't advertise the seam
+    if (!adv.isolated) return; // host explicitly disclaims the invariant — no contract to assert
+
+    const name = freshPackName();
+    const version = '1.0.0';
+
+    // PUT to the test namespace. The body is intentionally minimal — the
+    // isolation invariant is independent of whether validation accepts
+    // or rejects the publish. Either outcome is fine; what's tested is
+    // that NEITHER outcome causes the pack to surface in the production
+    // catalog.
+    const putRes = await driver.put(
+      `/v1/packs-test/${encodeURIComponent(name)}/-/${encodeURIComponent(version)}.tgz`,
+      Buffer.from([0x1f, 0x8b, 0]),
+      { headers: { 'Content-Type': 'application/octet-stream' } },
+    );
+
+    // If the seam returns 404, the test-mode endpoint isn't actually
+    // wired up despite the advertisement — pack-registry-publish.test.ts
+    // catches that drift in 24 other scenarios; soft-skip here.
+    if (putRes.status === 404) return;
+
+    // Probe the production namespace. The invariant: a pack written
+    // via /v1/packs-test/* MUST NOT be retrievable via /v1/packs/*.
+    const prodRes = await driver.get(`/v1/packs/${encodeURIComponent(name)}`);
+
+    // 404 is the canonical "not found" — exactly what isolation requires.
+    // 200 with a payload that does NOT name our pack would mean the host
+    // returned a listing of unrelated packs (some hosts serve search-shaped
+    // results on /v1/packs/{nonexistent}); we check the negative explicitly.
+    if (prodRes.status === 200) {
+      const body = prodRes.json as Record<string, unknown> | undefined;
+      const stringified = body ? JSON.stringify(body) : '';
+      expect(
+        stringified.includes(name),
+        driver.describe(
+          'RFCS/0025-test-mode-registry-namespace.md §C point 1',
+          `pack name '${name}' was written via /v1/packs-test/${name}@${version} but appeared in /v1/packs/${name} response body — test-catalog isolation MUST hold`,
+        ),
+      ).toBe(false);
+      return;
+    }
+
+    // Acceptable: 4xx range (404 pack_not_found is the spec-canonical
+    // shape; 410/422 also fine — any "not present in production catalog"
+    // signal satisfies the invariant).
+    expect(
+      prodRes.status >= 400 && prodRes.status < 500,
+      driver.describe(
+        'RFCS/0025-test-mode-registry-namespace.md §C point 1',
+        `expected production-namespace GET to return 4xx for a test-namespace-only pack '${name}', got ${prodRes.status}`,
+      ),
+    ).toBe(true);
+  });
+});