@openwop/openwop-conformance 1.5.0 → 1.6.0

package/src/scenarios/run-diff.test.ts

@@ -0,0 +1,143 @@
+/**
+ * RFC 0054 — run diff & execution comparison.
+ *
+ * Exercises `GET /v1/runs/{runId}:diff?against={otherRunId}` per
+ * `spec/v1/rest-endpoints.md` §"GET /v1/runs/{runId}:diff" and
+ * `schemas/run-diff-response.schema.json`. The endpoint is OPTIONAL —
+ * hosts that don't implement it return 404 and these scenarios soft-skip.
+ *
+ * Coverage:
+ *   - identical:  diffing a run against itself ⇒ divergedAtSeq null,
+ *                 empty eventDiffs (the determinism floor).
+ *   - divergence: diffing two structurally-different runs ⇒ a non-null
+ *                 integer divergedAtSeq; eventDiffs begin at that seq.
+ *   - state-shape: response conforms to run-diff-response.schema.json and
+ *                 stateDiff is redaction-safe (no credential-shaped keys).
+ *   - error-surface: missing `against` ⇒ 400; nonexistent `against` ⇒ 404
+ *                 (the access boundary; full cross-principal authz needs a
+ *                 multi-principal harness — host-specific).
+ *
+ * @see RFCS/0054-run-diff-and-execution-comparison.md
+ * @see api/openapi.yaml §diffRun
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+
+const HTTP_SKIP = !process.env.OPENWOP_BASE_URL;
+
+// Two standard conformance fixtures with structurally-different event
+// logs — diffing one against the other is a deterministic divergence.
+const FIXTURE_A = 'conformance-agent-reasoning';
+const FIXTURE_B = 'conformance-dispatch-loop';
+
+interface DiffResponse {
+  a: string;
+  b: string;
+  divergedAtSeq: number | null;
+  eventDiffs: Array<{ seq: number; op: string; aEvent?: unknown; bEvent?: unknown }>;
+  stateDiff: Record<string, unknown>;
+  truncated?: boolean;
+}
+
+async function createRun(workflowId: string): Promise<string | null> {
+  const res = await driver.post('/v1/runs', { workflowId });
+  if (res.status !== 201) return null;
+  return (res.json as { runId: string }).runId;
+}
+
+/** Poll until the run is terminal (best-effort; bounded). */
+async function settle(runId: string): Promise<void> {
+  for (let i = 0; i < 20; i++) {
+    const r = await driver.get(`/v1/runs/${encodeURIComponent(runId)}`);
+    const status = (r.json as { status?: string })?.status;
+    if (status === 'completed' || status === 'failed' || status === 'cancelled') return;
+    await new Promise((res) => setTimeout(res, 100));
+  }
+}
+
+describe.skipIf(HTTP_SKIP)('run-diff: GET /v1/runs/{runId}:diff (RFC 0054)', () => {
+  it('diffing a run against itself ⇒ divergedAtSeq null + empty eventDiffs', async (ctx) => {
+    const runId = await createRun(FIXTURE_A);
+    if (!runId) { ctx.skip(); return; }
+    await settle(runId);
+
+    const res = await driver.get(`/v1/runs/${encodeURIComponent(runId)}:diff?against=${encodeURIComponent(runId)}`);
+    if (res.status === 404) { ctx.skip(); return; } // endpoint not implemented
+    expect(res.status, driver.describe('spec/v1/rest-endpoints.md §:diff', 'self-diff MUST return 200')).toBe(200);
+
+    const body = res.json as DiffResponse;
+    expect(body.a).toBe(runId);
+    expect(body.b).toBe(runId);
+    expect(
+      body.divergedAtSeq,
+      driver.describe('RFCS/0054 §C', 'identical logs MUST yield divergedAtSeq: null'),
+    ).toBeNull();
+    expect(body.eventDiffs, 'identical logs MUST yield an empty eventDiffs array').toEqual([]);
+  });
+
+  it('diffing two structurally-different runs ⇒ non-null divergedAtSeq aligned to eventDiffs[0]', async (ctx) => {
+    const [ra, rb] = await Promise.all([createRun(FIXTURE_A), createRun(FIXTURE_B)]);
+    if (!ra || !rb) { ctx.skip(); return; }
+    await Promise.all([settle(ra), settle(rb)]);
+
+    const res = await driver.get(`/v1/runs/${encodeURIComponent(ra)}:diff?against=${encodeURIComponent(rb)}`);
+    if (res.status === 404) { ctx.skip(); return; }
+    expect(res.status).toBe(200);
+
+    const body = res.json as DiffResponse;
+    expect(
+      typeof body.divergedAtSeq === 'number' && body.divergedAtSeq >= 0,
+      driver.describe('RFCS/0054 §C', 'structurally-different runs MUST report a non-null integer divergedAtSeq'),
+    ).toBe(true);
+    expect(body.eventDiffs.length, 'divergent runs MUST report at least one eventDiff').toBeGreaterThan(0);
+    expect(
+      body.eventDiffs[0]?.seq,
+      driver.describe('RFCS/0054 §C', 'eventDiffs MUST begin at divergedAtSeq'),
+    ).toBe(body.divergedAtSeq);
+    for (const d of body.eventDiffs) {
+      expect(['added', 'removed', 'changed']).toContain(d.op);
+    }
+  });
+
+  it('response conforms to run-diff-response.schema.json and stateDiff is redaction-safe', async (ctx) => {
+    const [ra, rb] = await Promise.all([createRun(FIXTURE_A), createRun(FIXTURE_B)]);
+    if (!ra || !rb) { ctx.skip(); return; }
+    await Promise.all([settle(ra), settle(rb)]);
+
+    const res = await driver.get(`/v1/runs/${encodeURIComponent(ra)}:diff?against=${encodeURIComponent(rb)}`);
+    if (res.status === 404) { ctx.skip(); return; }
+    expect(res.status).toBe(200);
+
+    const body = res.json as DiffResponse;
+    expect(typeof body.a === 'string' && typeof body.b === 'string', 'a + b MUST be strings').toBe(true);
+    expect(Array.isArray(body.eventDiffs), 'eventDiffs MUST be an array').toBe(true);
+    expect(body.stateDiff !== null && typeof body.stateDiff === 'object', 'stateDiff MUST be an object').toBe(true);
+    // Redaction-safe: no credential-shaped material leaks into the diff.
+    const serialized = JSON.stringify(body.stateDiff);
+    expect(
+      /sk-|api[_-]?key|secret|bearer\s/i.test(serialized),
+      driver.describe('RFCS/0054 §B', 'stateDiff MUST be redaction-safe — no credential material'),
+    ).toBe(false);
+  });
+
+  it('missing `against` ⇒ 400; nonexistent `against` ⇒ 404 (access boundary)', async (ctx) => {
+    const runId = await createRun(FIXTURE_A);
+    if (!runId) { ctx.skip(); return; }
+
+    const probe = await driver.get(`/v1/runs/${encodeURIComponent(runId)}:diff?against=${encodeURIComponent(runId)}`);
+    if (probe.status === 404) { ctx.skip(); return; } // endpoint not implemented at all
+
+    const missing = await driver.get(`/v1/runs/${encodeURIComponent(runId)}:diff`);
+    expect(
+      missing.status,
+      driver.describe('api/openapi.yaml §diffRun', 'missing required `against` query param MUST return 400'),
+    ).toBe(400);
+
+    const nonexistent = await driver.get(`/v1/runs/${encodeURIComponent(runId)}:diff?against=does-not-exist-${Date.now()}`);
+    expect(
+      nonexistent.status,
+      driver.describe('RFCS/0054 §A', 'diffing against a run the caller cannot read/that does not exist MUST NOT return 200'),
+    ).toBe(404);
+  });
+});

package/src/scenarios/sandbox-capability-gate-respected.test.ts

@@ -23,5 +23,11 @@ import { describe, it } from 'vitest';
 // reporting a vacuous PASS.
 
 describe('sandbox-capability-gate-respected: behavioral (RFC 0035 §B)', () => {
-  it.todo('a misbehaving pack calling an undeclared host capability fails closed with sandbox_capability_denied');
+  // Behavioral coverage in `sandbox-mvp-behavior.test.ts` §"capability-gate-respected"
+  // (drives `POST /v1/host/sample/test/sandbox-invoke` against the
+  // workflow-engine's node:vm MVP and asserts `error.code:
+  // 'sandbox_capability_denied'` + `details.requestedCapability` per
+  // `host-capabilities.md` §"Error codes"). `it.skip` preserves the
+  // per-invariant file structure without inflating the `it.todo` count.
+  it.skip('behavioral coverage in sandbox-mvp-behavior.test.ts §"capability-gate-respected"');
 });

package/src/scenarios/sandbox-memory-cap.test.ts

@@ -50,9 +50,11 @@ describe.skipIf(HTTP_SKIP)('sandbox-memory-cap: capability shape + behavioral (R
     ).toBe(true);
   });
 
-  // Behavioral assertion lands when the misbehaving-memory-cap typeId is
-  // available. Expected: error.code === 'sandbox_memory_exceeded';
-  // details.requestedBytes > memoryLimitBytes. Surfaced as `todo` so
-  // test reporters track the gap rather than reporting a vacuous PASS.
-  it.todo('a misbehaving pack allocating beyond memoryLimitBytes fails with sandbox_memory_exceeded');
+  // Behavioral coverage in `sandbox-mvp-behavior.test.ts` §"memory-exceeded"
+  // (drives `POST /v1/host/sample/test/sandbox-invoke` against the
+  // workflow-engine's node:vm MVP and asserts `error.code:
+  // 'sandbox_memory_exceeded'` per `host-capabilities.md` §"Error codes").
+  // `it.skip` preserves the per-invariant file structure without inflating
+  // the `it.todo` count external auditors track.
+  it.skip('behavioral coverage in sandbox-mvp-behavior.test.ts §"memory-exceeded"');
 });

package/src/scenarios/sandbox-mvp-behavior.test.ts

@@ -0,0 +1,280 @@
+/**
+ * sandbox-mvp-behavior — RFC 0035 §B behavioral probes via the node:vm sandbox MVP.
+ *
+ * Companion to the 8 advertisement-shape `sandbox-*.test.ts` files. This
+ * file exercises the 5 RFC 0035 §B failure-mode invariants the
+ * node:vm-based reference MVP supports:
+ *
+ *   1. host-fs-escape — sandboxed code attempting `require('fs')` fails closed
+ *   2. host-env-leak — sandboxed code attempting `process.env` access fails closed
+ *   3. network-escape — sandboxed code attempting `require('http')` fails closed
+ *   4. host-process-escape — sandboxed code attempting `require('child_process')` fails closed
+ *   5. sandbox-timeout — runaway loop terminated by the host's wallClockLimitMs
+ *
+ * Plus 2 more by-construction invariants:
+ *
+ *   6. cross-pack-mutation — each invocation gets a fresh vm context;
+ *      sandboxed code that mutates a "shared" global sees the same fresh
+ *      value (0 or undefined) every invocation
+ *   7. capability-gate-respected — host.X invocations not in
+ *      allowedHostCalls throw with code `sandbox_capability_denied` +
+ *      `details.requestedCapability: <method-name>` per the spec's
+ *      canonical 4-code error catalog at `host-capabilities.md` §"Error codes"
+ *
+ * Plus 1 spec-required terminal-failure invariant:
+ *
+ *   8. memory-exceeded — runaway allocation fails with the canonical
+ *      `sandbox_memory_exceeded` (or `sandbox_timeout` when the wall-clock
+ *      cap catches it first)
+ *
+ * The 8th RFC 0035 §B invariant (`node-pack-sandbox-no-eval`) is JS-
+ * runtime-specific and reserved per the RFC's exemption clause; this MVP
+ * does not enforce it.
+ *
+ * @see RFCS/0035-sandbox-execution-contract.md §B
+ * @see apps/workflow-engine/backend/typescript/src/routes/testSeam.ts §"sandbox-vm MVP"
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+
+const HTTP_SKIP = !process.env.OPENWOP_BASE_URL;
+
+interface SandboxCaps {
+  supported?: unknown;
+  isolationModel?: unknown;
+}
+
+interface DiscoveryDoc {
+  capabilities?: { sandbox?: SandboxCaps };
+}
+
+interface SandboxResponse {
+  result?: unknown;
+  error?: {
+    code: string;
+    details?: {
+      escapeKind?: string;
+      requestedCapability?: string;
+      requestedBytes?: number;
+      message?: string;
+    };
+  };
+}
+
+async function isSandboxAdvertised(): Promise<boolean> {
+  try {
+    const res = await driver.get('/.well-known/openwop');
+    if (res.status !== 200) return false;
+    return (res.json as DiscoveryDoc).capabilities?.sandbox?.supported === true;
+  } catch {
+    return false;
+  }
+}
+
+async function invoke(typeId: string, args: Record<string, unknown> = {}, allowedHostCalls: string[] = []): Promise<{ status: number; body: SandboxResponse }> {
+  const res = await driver.post('/v1/host/sample/test/sandbox-invoke', { typeId, args, allowedHostCalls });
+  return { status: res.status, body: (res.json as SandboxResponse) ?? {} };
+}
+
+describe.skipIf(HTTP_SKIP)('sandbox-mvp-behavior: RFC 0035 §B failure-mode invariants (node:vm MVP)', () => {
+  it('host-fs-escape — fs access from sandboxed code fails closed', async (ctx) => {
+    if (!(await isSandboxAdvertised())) {
+      ctx.skip();
+      return;
+    }
+    const probe = await invoke('misbehave.fs-escape-read');
+    expect(probe.status).toBe(200);
+    expect(
+      probe.body.error?.code,
+      driver.describe(
+        'RFCS/0035-sandbox-execution-contract.md §B node-pack-sandbox-fs-gated',
+        'sandboxed `require("fs")` MUST fail closed with `sandbox_escape_attempt`',
+      ),
+    ).toBe('sandbox_escape_attempt');
+    expect(
+      probe.body.error?.details?.escapeKind,
+      driver.describe(
+        'RFCS/0035-sandbox-execution-contract.md §B',
+        'escapeKind MUST be host-fs-escape',
+      ),
+    ).toBe('host-fs-escape');
+  });
+
+  it('host-env-leak — process.env access from sandboxed code fails closed', async (ctx) => {
+    if (!(await isSandboxAdvertised())) {
+      ctx.skip();
+      return;
+    }
+    const probe = await invoke('misbehave.env-leak');
+    expect(probe.status).toBe(200);
+    expect(
+      probe.body.error?.code,
+      driver.describe(
+        'RFCS/0035-sandbox-execution-contract.md §B node-pack-sandbox-no-env',
+        'sandboxed `process.env` access MUST fail closed with `sandbox_escape_attempt`',
+      ),
+    ).toBe('sandbox_escape_attempt');
+    expect(probe.body.error?.details?.escapeKind).toBe('host-env-leak');
+  });
+
+  it('network-escape — http/net access from sandboxed code fails closed', async (ctx) => {
+    if (!(await isSandboxAdvertised())) {
+      ctx.skip();
+      return;
+    }
+    const probe = await invoke('misbehave.network-escape');
+    expect(probe.status).toBe(200);
+    expect(
+      probe.body.error?.code,
+      driver.describe(
+        'RFCS/0035-sandbox-execution-contract.md §B node-pack-sandbox-network-gated',
+        'sandboxed `require("http")` MUST fail closed with `sandbox_escape_attempt`',
+      ),
+    ).toBe('sandbox_escape_attempt');
+    expect(['network-escape', 'host-fs-escape'].includes(probe.body.error?.details?.escapeKind ?? '')).toBe(true);
+  });
+
+  it('host-process-escape — child_process access from sandboxed code fails closed', async (ctx) => {
+    if (!(await isSandboxAdvertised())) {
+      ctx.skip();
+      return;
+    }
+    const probe = await invoke('misbehave.process-escape');
+    expect(probe.status).toBe(200);
+    expect(probe.body.error?.code).toBe('sandbox_escape_attempt');
+    // The heuristic may catch this as host-fs-escape (via "require") if
+    // network/process patterns don't match first. Accept either as long
+    // as it fails closed.
+    expect(['host-process-escape', 'host-fs-escape'].includes(probe.body.error?.details?.escapeKind ?? '')).toBe(true);
+  });
+
+  it('sandbox-timeout — runaway loop terminated by wallClockLimitMs', async (ctx) => {
+    if (!(await isSandboxAdvertised())) {
+      ctx.skip();
+      return;
+    }
+    const start = Date.now();
+    const probe = await invoke('misbehave.timeout');
+    const elapsed = Date.now() - start;
+    expect(probe.status).toBe(200);
+    expect(
+      probe.body.error?.code,
+      driver.describe(
+        'RFCS/0035-sandbox-execution-contract.md §B node-pack-sandbox-timeout',
+        'sandboxed infinite-loop MUST be terminated with `sandbox_timeout`',
+      ),
+    ).toBe('sandbox_timeout');
+    // Should terminate within ~2× wallClockLimitMs (1000ms config + overhead).
+    expect(
+      elapsed < 5000,
+      driver.describe(
+        'RFCS/0035-sandbox-execution-contract.md §A wallClockLimitMs',
+        `timeout MUST terminate within reasonable bound (got ${elapsed}ms; cap is 1000ms)`,
+      ),
+    ).toBe(true);
+  });
+
+  it('cross-pack-mutation — fresh vm context per invocation, no state leaks', async (ctx) => {
+    if (!(await isSandboxAdvertised())) {
+      ctx.skip();
+      return;
+    }
+    const r1 = await invoke('misbehave.cross-pack-mutate');
+    const r2 = await invoke('misbehave.cross-pack-mutate');
+    const r3 = await invoke('misbehave.cross-pack-mutate');
+    expect(r1.status).toBe(200);
+    expect(r2.status).toBe(200);
+    expect(r3.status).toBe(200);
+
+    // Each invocation gets a fresh context → __sharedState starts at 0+1=1 each time.
+    // If state leaked across invocations, we'd see 1, 2, 3.
+    const shared1 = (r1.body.result as { shared?: number })?.shared;
+    const shared2 = (r2.body.result as { shared?: number })?.shared;
+    const shared3 = (r3.body.result as { shared?: number })?.shared;
+    expect(
+      shared1 === 1 && shared2 === 1 && shared3 === 1,
+      driver.describe(
+        'RFCS/0035-sandbox-execution-contract.md §B node-pack-sandbox-isolated-context',
+        `each invocation MUST see fresh state (got shared=[${shared1}, ${shared2}, ${shared3}]; expected all 1)`,
+      ),
+    ).toBe(true);
+  });
+
+  it('capability-gate-respected — host call NOT in allowedHostCalls fails with sandbox_capability_denied', async (ctx) => {
+    if (!(await isSandboxAdvertised())) {
+      ctx.skip();
+      return;
+    }
+    const probe = await invoke('misbehave.capability-gate-violation', {}, []);
+    expect(probe.status).toBe(200);
+    expect(
+      probe.body.error?.code,
+      driver.describe(
+        'spec/v1/host-capabilities.md §"Error codes" + §B node-pack-sandbox-capability-gate-respected',
+        'capability-gate violation MUST fail closed with `sandbox_capability_denied` — distinct from `sandbox_escape_attempt` which covers forbidden-syscall escapes per the spec\'s 4-code catalog',
+      ),
+    ).toBe('sandbox_capability_denied');
+    expect(
+      probe.body.error?.details?.requestedCapability,
+      driver.describe(
+        'spec/v1/host-capabilities.md §"Error codes"',
+        '`sandbox_capability_denied` MUST carry `details.requestedCapability` identifying the host method the sandboxed code attempted to call',
+      ),
+    ).toBe('notInAllowedList');
+  });
+
+  it('memory-exceeded — runaway allocation fails with sandbox_memory_exceeded', async (ctx) => {
+    if (!(await isSandboxAdvertised())) {
+      ctx.skip();
+      return;
+    }
+    const probe = await invoke('misbehave.memory-bomb');
+    expect(probe.status).toBe(200);
+    // The memory-bomb program doubles a string 30 times → ~1GiB if it
+    // ran to completion. node:vm + v8 typically OOM or timeout before
+    // that point; either way the engine MUST surface the canonical
+    // `sandbox_memory_exceeded` OR `sandbox_timeout` error code per
+    // `host-capabilities.md` §"Error codes". The MVP heuristic also
+    // catches >16MiB serialized results post-hoc → same code.
+    // We accept either canonical code here because both are
+    // spec-conformant terminal states for a memory-bomb under the
+    // declared `memoryLimitBytes` + `wallClockLimitMs` caps; what we
+    // refuse is silent success or the now-removed `sandbox_memory_cap`
+    // legacy code.
+    expect(
+      ['sandbox_memory_exceeded', 'sandbox_timeout'].includes(probe.body.error?.code ?? ''),
+      driver.describe(
+        'spec/v1/host-capabilities.md §"Error codes" + §B node-pack-sandbox-memory-cap',
+        `memory-bomb MUST surface either \`sandbox_memory_exceeded\` (when memoryLimitBytes caught it) or \`sandbox_timeout\` (when wallClockLimitMs caught it first) — got code: ${probe.body.error?.code}`,
+      ),
+    ).toBe(true);
+  });
+
+  it('well-behaved.host-fetch — allowedHostCalls=[fetch] permits the host call', async (ctx) => {
+    if (!(await isSandboxAdvertised())) {
+      ctx.skip();
+      return;
+    }
+    const probe = await invoke('well-behaved.host-fetch', {}, ['fetch']);
+    expect(probe.status).toBe(200);
+    expect(
+      probe.body.error,
+      driver.describe(
+        'RFCS/0035-sandbox-execution-contract.md §A allowedHostCalls',
+        'host call IN allowedHostCalls MUST succeed (no error envelope)',
+      ),
+    ).toBeUndefined();
+  });
+
+  it('well-behaved.echo — sandboxed code returns args round-trip when no escape attempt', async (ctx) => {
+    if (!(await isSandboxAdvertised())) {
+      ctx.skip();
+      return;
+    }
+    const probe = await invoke('well-behaved.echo', { input: 'hello-sandbox' });
+    expect(probe.status).toBe(200);
+    expect(probe.body.error).toBeUndefined();
+    expect((probe.body.result as { echoed?: string })?.echoed).toBe('hello-sandbox');
+  });
+});

package/src/scenarios/sandbox-no-cross-pack-mutation.test.ts

@@ -26,5 +26,11 @@ import { describe, it } from 'vitest';
 // test reporters track the gap rather than reporting a vacuous PASS.
 
 describe('sandbox-no-cross-pack-mutation: behavioral (RFC 0035 §B)', () => {
-  it.todo('pack A writing a sentinel is NOT visible to pack B in the same host process');
+  // Behavioral coverage in `sandbox-mvp-behavior.test.ts` §"cross-pack-mutation"
+  // (drives `POST /v1/host/sample/test/sandbox-invoke` against the
+  // workflow-engine's node:vm MVP — each invocation gets a fresh vm
+  // context, so sandboxed code that mutates a "shared" global sees the
+  // same fresh value on every call). `it.skip` preserves the
+  // per-invariant file structure without inflating the `it.todo` count.
+  it.skip('behavioral coverage in sandbox-mvp-behavior.test.ts §"cross-pack-mutation"');
 });

package/src/scenarios/sandbox-no-host-env-leak.test.ts

@@ -23,5 +23,9 @@ import { describe, it } from 'vitest';
 // reporters track the gap rather than reporting a vacuous PASS.
 
 describe('sandbox-no-host-env-leak: behavioral (RFC 0035 §B)', () => {
-  it.todo('a misbehaving pack reading process.env does NOT see host env vars unless explicitly allowed');
+  // Behavioral coverage in `sandbox-mvp-behavior.test.ts` §"host-env-leak"
+  // (drives `POST /v1/host/sample/test/sandbox-invoke` against the
+  // workflow-engine's node:vm MVP). `it.skip` preserves the per-invariant
+  // file structure without inflating the `it.todo` count.
+  it.skip('behavioral coverage in sandbox-mvp-behavior.test.ts §"host-env-leak"');
 });

package/src/scenarios/sandbox-no-host-fs-escape.test.ts

@@ -84,5 +84,13 @@ describe.skipIf(HTTP_SKIP)('sandbox-no-host-fs-escape: capability shape (RFC 003
 // Surfaced as `todo` so test reporters track the gap rather than reporting
 // a vacuous PASS.
 describe('sandbox-no-host-fs-escape: behavioral (RFC 0035 §B node-pack-sandbox-no-host-fs-escape)', () => {
-  it.todo('a misbehaving pack that reads outside the sandbox root fails closed with sandbox_escape_attempt + escapeKind: "host-fs-escape"');
+  // Behavioral coverage lives in `sandbox-mvp-behavior.test.ts` §"host-fs-escape"
+  // (the consolidated file drives the workflow-engine's
+  // `POST /v1/host/sample/test/sandbox-invoke` seam for ALL 7 RFC 0035 §B
+  // invariants in one place to avoid per-file seam-setup duplication and to
+  // exercise a single canonical 4-code error catalog). Kept this block as
+  // `it.skip` to preserve the per-invariant file structure (so a future host
+  // that opts into per-file probing has the slot ready) without inflating the
+  // `it.todo` count external auditors track.
+  it.skip('behavioral coverage in sandbox-mvp-behavior.test.ts §"host-fs-escape"');
 });

package/src/scenarios/sandbox-no-host-process-escape.test.ts

@@ -27,5 +27,9 @@ import { describe, it } from 'vitest';
 // a vacuous PASS.
 
 describe('sandbox-no-host-process-escape: behavioral (RFC 0035 §B)', () => {
-  it.todo('a misbehaving pack calling spawn/fork/exec fails closed with sandbox_escape_attempt + escapeKind: "host-process-escape"');
+  // Behavioral coverage in `sandbox-mvp-behavior.test.ts` §"host-process-escape"
+  // (drives `POST /v1/host/sample/test/sandbox-invoke` against the
+  // workflow-engine's node:vm MVP). `it.skip` preserves the per-invariant
+  // file structure without inflating the `it.todo` count.
+  it.skip('behavioral coverage in sandbox-mvp-behavior.test.ts §"host-process-escape"');
 });

package/src/scenarios/sandbox-no-network-escape.test.ts

@@ -24,5 +24,9 @@ import { describe, it } from 'vitest';
 // test reporters track the gap rather than reporting a vacuous PASS.
 
 describe('sandbox-no-network-escape: behavioral (RFC 0035 §B)', () => {
-  it.todo('a misbehaving pack fetching without host.fetch in allowedHostCalls fails closed with sandbox_capability_denied');
+  // Behavioral coverage in `sandbox-mvp-behavior.test.ts` §"network-escape"
+  // (drives `POST /v1/host/sample/test/sandbox-invoke` against the
+  // workflow-engine's node:vm MVP). `it.skip` preserves the per-invariant
+  // file structure without inflating the `it.todo` count.
+  it.skip('behavioral coverage in sandbox-mvp-behavior.test.ts §"network-escape"');
 });

package/src/scenarios/sandbox-timeout-cap.test.ts

@@ -50,9 +50,11 @@ describe.skipIf(HTTP_SKIP)('sandbox-timeout-cap: capability shape + behavioral (
     ).toBe(true);
   });
 
-  // Behavioral assertion lands when the misbehaving-timeout-cap typeId is
-  // available. Expected: error.code === 'sandbox_timeout';
-  // details.elapsedMs > wallClockLimitMs. Surfaced as `todo` so test
-  // reporters track the gap rather than reporting a vacuous PASS.
-  it.todo('a misbehaving pack exceeding wallClockLimitMs fails with sandbox_timeout');
+  // Behavioral coverage in `sandbox-mvp-behavior.test.ts` §"sandbox-timeout"
+  // (drives `POST /v1/host/sample/test/sandbox-invoke` against the
+  // workflow-engine's node:vm MVP and asserts `error.code:
+  // 'sandbox_timeout'` per `host-capabilities.md` §"Error codes").
+  // `it.skip` preserves the per-invariant file structure without inflating
+  // the `it.todo` count external auditors track.
+  it.skip('behavioral coverage in sandbox-mvp-behavior.test.ts §"sandbox-timeout"');
 });

package/src/scenarios/scheduling-capability-shape.test.ts

@@ -0,0 +1,81 @@
+/**
+ * scheduling-capability-shape — RFC 0052 §A advertisement-shape verification.
+ *
+ * Status: DRAFT. RFC 0052 (scheduling & time-based triggers) is `Draft`. The
+ * `capabilities.scheduling` block has landed in
+ * `schemas/capabilities.schema.json`.
+ *
+ * Always runs (shape-only): when the host advertises `capabilities.scheduling`,
+ * its fields MUST be well-formed.
+ *
+ * What this scenario asserts:
+ *   1. `capabilities.scheduling` is either absent or a well-formed object.
+ *   2. When `supported: true`: `cron`/`delayed`/`calendar` (when present) are
+ *      booleans, and `maxFutureHorizon` (when present) is an ISO-8601 duration
+ *      (RFC 0052 §A).
+ *
+ * @see RFCS/0052-scheduling-and-time-based-triggers.md
+ * @see spec/v1/host-capabilities.md §host.scheduling
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+
+interface DiscoveryScheduling {
+  supported?: boolean;
+  cron?: boolean;
+  delayed?: boolean;
+  calendar?: boolean;
+  maxFutureHorizon?: string;
+}
+
+interface DiscoveryDoc {
+  capabilities?: { scheduling?: DiscoveryScheduling };
+}
+
+// ISO-8601 duration (e.g. P90D, PT12H, P1DT6H) — the subset the spec uses.
+const ISO_DURATION = /^P(?:\d+Y)?(?:\d+M)?(?:\d+W)?(?:\d+D)?(?:T(?:\d+H)?(?:\d+M)?(?:\d+S)?)?$/;
+
+async function readScheduling(): Promise<DiscoveryScheduling | null> {
+  const res = await driver.get('/.well-known/openwop');
+  const body = res.json as DiscoveryDoc | undefined;
+  return body?.capabilities?.scheduling ?? null;
+}
+
+describe('scheduling-capability-shape: advertisement shape (RFC 0052 §A)', () => {
+  it('capabilities.scheduling is either absent or well-formed', async () => {
+    const sched = await readScheduling();
+    if (sched === null) return; // host doesn't advertise scheduling at all
+    expect(
+      typeof sched.supported,
+      driver.describe(
+        'capabilities.schema.json §scheduling',
+        'capabilities.scheduling.supported MUST be a boolean when scheduling is advertised',
+      ),
+    ).toBe('boolean');
+  });
+
+  it('cron/delayed/calendar are booleans when present + supported', async () => {
+    const sched = await readScheduling();
+    if (!sched?.supported) return;
+    for (const k of ['cron', 'delayed', 'calendar'] as const) {
+      if (sched[k] === undefined) continue;
+      expect(
+        typeof sched[k],
+        driver.describe('RFC 0052 §A', `capabilities.scheduling.${k} MUST be a boolean when present`),
+      ).toBe('boolean');
+    }
+  });
+
+  it('maxFutureHorizon is an ISO-8601 duration when present', async () => {
+    const sched = await readScheduling();
+    if (!sched?.supported || sched.maxFutureHorizon === undefined) return;
+    expect(
+      ISO_DURATION.test(sched.maxFutureHorizon),
+      driver.describe(
+        'RFC 0052 §A',
+        `capabilities.scheduling.maxFutureHorizon MUST be an ISO-8601 duration, got: ${sched.maxFutureHorizon}`,
+      ),
+    ).toBe(true);
+  });
+});