@openwop/openwop-conformance 1.5.0 → 1.6.1

package/src/scenarios/cross-engine-append-behavior.test.ts

@@ -0,0 +1,204 @@
+/**
+ * cross-engine-append-behavior — RFC 0036 §B cross-engine append-ordering behavioral probe.
+ *
+ * Companion to `cross-engine-append-ordering.test.ts` which carries the
+ * advertisement-shape probes. This file exercises the canonical cross-engine
+ * append-ordering behavior specified by `spec/v1/channels-and-reducers.md`
+ * §"Cross-engine ordering" via the host-extension test seams:
+ *
+ *   POST /v1/host/sample/test/cross-engine/append   — single engine append
+ *   GET  /v1/host/sample/test/cross-engine/read     — read ordered sequence
+ *   POST /v1/host/sample/test/cross-engine/reset    — clear log
+ *
+ * The seam is conformance-only (host-extension namespace), gated on the
+ * host's `OPENWOP_TEST_CROSS_ENGINE_HARNESS=true` env var. The seam itself
+ * is OPTIONAL — hosts that don't expose it soft-skip; hosts that DO expose
+ * it MUST honor the §B contract:
+ *
+ *   1. Multiple engines appending concurrently to the same channelId
+ *      converge to a single globally-ordered linearization on read.
+ *   2. Per-engine order is preserved within each engine's local sequence
+ *      (writes from engine A appear in A's submission order, ditto B).
+ *   3. The host's advertised `orderingModel` (lamport / vector-clock /
+ *      global-sequencer) determines the cross-engine merge semantics.
+ *   4. Read after partition heal converges to the same total order
+ *      regardless of which engine's view we read from.
+ *
+ * @see RFCS/0036-multi-region-and-cross-engine-guarantees.md §B
+ * @see spec/v1/channels-and-reducers.md §"Cross-engine ordering"
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+
+const HTTP_SKIP = !process.env.OPENWOP_BASE_URL;
+
+interface AppendEntry {
+  engineId: string;
+  value: unknown;
+  lamport: number;
+  seq: number;
+}
+
+async function appendEntry(
+  engineId: string,
+  channelId: string,
+  value: unknown,
+  lamport?: number,
+): Promise<{ status: number; entry?: AppendEntry }> {
+  const body: Record<string, unknown> = { engineId, channelId, value };
+  if (lamport !== undefined) body.lamport = lamport;
+  const res = await driver.post('/v1/host/sample/test/cross-engine/append', body);
+  if (res.status === 200) {
+    return { status: res.status, entry: res.json as AppendEntry };
+  }
+  return { status: res.status };
+}
+
+async function readEntries(channelId: string): Promise<{ status: number; entries: AppendEntry[] }> {
+  const res = await driver.get(`/v1/host/sample/test/cross-engine/read?channelId=${encodeURIComponent(channelId)}`);
+  return {
+    status: res.status,
+    entries: res.status === 200 ? (res.json as { entries: AppendEntry[] }).entries : [],
+  };
+}
+
+async function resetLog(): Promise<number> {
+  const res = await driver.post('/v1/host/sample/test/cross-engine/reset', {});
+  return res.status;
+}
+
+describe.skipIf(HTTP_SKIP)('cross-engine-append-behavior: §B cross-engine ordering (RFC 0036)', () => {
+  it('interleaved appends from two engines converge to a single globally-ordered sequence', async (ctx) => {
+    const resetStatus = await resetLog();
+    if (resetStatus === 404) {
+      ctx.skip(); // host doesn't expose the cross-engine harness seam
+      return;
+    }
+    expect(resetStatus).toBe(200);
+
+    const ch = 'channel-A';
+
+    // Engine A: 3 appends. Engine B: 2 appends. Interleaved.
+    const a1 = await appendEntry('engine-A', ch, 'a-1');
+    const b1 = await appendEntry('engine-B', ch, 'b-1');
+    const a2 = await appendEntry('engine-A', ch, 'a-2');
+    const a3 = await appendEntry('engine-A', ch, 'a-3');
+    const b2 = await appendEntry('engine-B', ch, 'b-2');
+
+    for (const r of [a1, b1, a2, a3, b2]) {
+      expect(r.status).toBe(200);
+      expect(r.entry).toBeDefined();
+    }
+
+    const read = await readEntries(ch);
+    expect(read.status).toBe(200);
+
+    expect(
+      read.entries.length,
+      driver.describe(
+        'channels-and-reducers.md §"Cross-engine ordering"',
+        'all appends across all engines MUST appear in the linearized read',
+      ),
+    ).toBe(5);
+
+    // Per-engine order MUST be preserved within each engine's submissions.
+    const engineAEntries = read.entries.filter((e) => e.engineId === 'engine-A').map((e) => e.value);
+    const engineBEntries = read.entries.filter((e) => e.engineId === 'engine-B').map((e) => e.value);
+    expect(
+      engineAEntries,
+      driver.describe(
+        'channels-and-reducers.md §"Cross-engine ordering"',
+        'engine-A submissions MUST appear in submission order within the linearization',
+      ),
+    ).toEqual(['a-1', 'a-2', 'a-3']);
+    expect(
+      engineBEntries,
+      driver.describe(
+        'channels-and-reducers.md §"Cross-engine ordering"',
+        'engine-B submissions MUST appear in submission order within the linearization',
+      ),
+    ).toEqual(['b-1', 'b-2']);
+  });
+
+  it('lamport clocks monotonically advance across engines', async (ctx) => {
+    const resetStatus = await resetLog();
+    if (resetStatus === 404) {
+      ctx.skip();
+      return;
+    }
+    expect(resetStatus).toBe(200);
+
+    const ch = 'channel-B';
+    const a1 = await appendEntry('engine-A', ch, 'a-1');
+    const b1 = await appendEntry('engine-B', ch, 'b-1');
+    const a2 = await appendEntry('engine-A', ch, 'a-2');
+
+    expect(a1.entry?.lamport).toBeDefined();
+    expect(b1.entry?.lamport).toBeDefined();
+    expect(a2.entry?.lamport).toBeDefined();
+
+    // Lamport invariant: each subsequent append on the same shared
+    // channel MUST have strictly-higher clock than the previous.
+    expect(
+      a2.entry!.lamport > b1.entry!.lamport && b1.entry!.lamport > a1.entry!.lamport,
+      driver.describe(
+        'channels-and-reducers.md §"Cross-engine ordering" — Lamport',
+        'lamport clocks MUST be strictly monotonic on the shared channel',
+      ),
+    ).toBe(true);
+  });
+
+  it('lamport hint from engine A advances engine B past it', async (ctx) => {
+    const resetStatus = await resetLog();
+    if (resetStatus === 404) {
+      ctx.skip();
+      return;
+    }
+    expect(resetStatus).toBe(200);
+
+    const ch = 'channel-C';
+    // Engine A appends, gets lamport L. Engine B then appends with
+    // lamport hint == L (proxy for "B saw A's clock at L"); B's
+    // resulting clock MUST be > L per the lamport receive rule
+    // max(local, incoming) + 1.
+    const a1 = await appendEntry('engine-A', ch, 'a-1');
+    expect(a1.status).toBe(200);
+    const seen = a1.entry!.lamport;
+    const b1 = await appendEntry('engine-B', ch, 'b-1', seen);
+    expect(b1.status).toBe(200);
+    expect(
+      b1.entry!.lamport > seen,
+      driver.describe(
+        'channels-and-reducers.md §"Cross-engine ordering" — Lamport receive rule',
+        'when engine B sees engine A\'s clock at L, B\'s next append MUST have clock > L',
+      ),
+    ).toBe(true);
+  });
+
+  it('linearization is deterministic — same appends → same total order', async (ctx) => {
+    const resetStatus = await resetLog();
+    if (resetStatus === 404) {
+      ctx.skip();
+      return;
+    }
+    expect(resetStatus).toBe(200);
+
+    const ch = 'channel-D';
+    await appendEntry('engine-A', ch, 'a-1');
+    await appendEntry('engine-B', ch, 'b-1');
+    await appendEntry('engine-A', ch, 'a-2');
+
+    const r1 = await readEntries(ch);
+    const r2 = await readEntries(ch);
+    expect(r1.status).toBe(200);
+    expect(r2.status).toBe(200);
+    expect(
+      r1.entries.map((e) => `${e.engineId}:${String(e.value)}`),
+      driver.describe(
+        'channels-and-reducers.md §"Cross-engine ordering" — determinism',
+        'two reads MUST produce the same linearization (deterministic merge)',
+      ),
+    ).toEqual(r2.entries.map((e) => `${e.engineId}:${String(e.value)}`));
+  });
+});

package/src/scenarios/cross-host-traceparent-propagation.test.ts

@@ -50,11 +50,18 @@ describe('cross-host-traceparent-propagation: behavioral (RFC 0040 §B)', () =>
   // the format `00-{traceId}-{spanId}-{flags}` per W3C tracecontext.
   // Until the peer harness lands, the assertion is surfaced as `todo` so
   // test reporters track the gap rather than reporting a vacuous PASS.
-  it.todo('Phase 3 host MUST inject parent run\'s traceparent into outbound MCP requests');
+  // Marked out of stable profile via RFC 0042 §B (experimental tier):
+  // RFC 0040 remains Active. Hosts that wire Phase 3 cross-host causation
+  // before RFC 0040 graduates SHOULD advertise
+  // `multiAgent.executionModel.tier: 'experimental'` per RFC 0042 §A
+  // until cross-host evidence drives the promotion. Path-to-runnable
+  // requires the MCP peer harness (OPENWOP_MCP_REAL_SERVER_URL) +
+  // inbound-header recorder; flips to a real `it()` on first non-steward
+  // Phase 3 host advertising matching capabilities.
+  it.skip('Phase 3 host MUST inject parent run\'s traceparent into outbound MCP requests — out of stable profile via RFC 0042');
 
-  // Behavioral assertion drives a workflow that dispatches an A2A message
-  // via the host's `core.a2a.send` (or equivalent) node. The A2A peer
-  // (configured via OPENWOP_A2A_REAL_PEER_URL) records inbound headers;
-  // the test asserts `traceparent` is present + well-formed.
-  it.todo('Phase 3 host MUST inject parent run\'s traceparent into outbound A2A messages');
+  // Same routing — out of stable profile via RFC 0042 §B until RFC 0040
+  // graduates to Accepted; behavioral A2A test seam contract still to be
+  // designed alongside the corresponding peer harness.
+  it.skip('Phase 3 host MUST inject parent run\'s traceparent into outbound A2A messages — out of stable profile via RFC 0042');
 });

package/src/scenarios/cross-workspace-isolation.test.ts

@@ -0,0 +1,72 @@
+/**
+ * cross-workspace-isolation — RFC 0048 §D verification.
+ *
+ * Status: DRAFT. RFC 0048 (tenant·workspace·principal identity model) is
+ * `Draft`.
+ *
+ * What this scenario asserts:
+ *   1. Run-ownership echo shape — when a readable run snapshot carries
+ *      `owner`, it MUST include a non-empty `tenant` (RFC 0048 §C).
+ *   2. Cross-workspace isolation MUST-NOT (§D) — when the host exposes the
+ *      optional `POST /v1/host/sample/identity/cross-workspace-read` seam
+ *      (a principal scoped to workspace A attempts to read a run owned by
+ *      workspace B), the read MUST fail closed with `run_forbidden` (or a
+ *      `404`/`403` that does not leak the other workspace's run contents).
+ *
+ * Hosts without the seam soft-skip the isolation probe (404). The
+ * advertisement/ownership-shape assertion still runs.
+ *
+ * @see RFCS/0048-tenant-workspace-principal-identity-model.md
+ * @see spec/v1/auth.md §"Identity claims — tenant · workspace · principal"
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+
+const ISOLATION_CODES: ReadonlySet<string> = new Set(['run_forbidden', 'not_found']);
+
+interface OwnerTriple {
+  tenant?: string;
+  workspace?: string;
+  principal?: string;
+}
+
+describe('cross-workspace-isolation: run-ownership echo shape (RFC 0048 §C)', () => {
+  it('owner, when present on a run snapshot, carries a non-empty tenant', async () => {
+    // Best-effort: probe a sample run if the host exposes one; otherwise skip.
+    const res = await driver.get('/v1/host/sample/identity/owned-run');
+    if (res.status === 404) return; // no sample-run seam — soft-skip
+    const owner = (res.json as { owner?: OwnerTriple } | undefined)?.owner;
+    if (owner === undefined) return; // single-tenant host — owner omitted
+    expect(
+      typeof owner.tenant === 'string' && owner.tenant.length > 0,
+      driver.describe('RFC 0048 §C', 'RunSnapshot.owner MUST carry a non-empty tenant when present'),
+    ).toBe(true);
+  });
+});
+
+describe('cross-workspace-isolation: a principal MUST NOT read another workspace\'s run (RFC 0048 §D)', () => {
+  it('cross-workspace read fails closed with run_forbidden', async () => {
+    // Seam contract: a principal scoped to workspace A requests a run owned
+    // by workspace B. The host MUST refuse rather than return B's run.
+    const res = await driver.post('/v1/host/sample/identity/cross-workspace-read', {});
+    if (res.status === 404) return; // seam unwired — soft-skip
+
+    expect(
+      res.status,
+      driver.describe(
+        'spec/v1/auth.md §Identity claims',
+        'a cross-workspace read MUST fail closed (4xx), never return the other workspace\'s run',
+      ),
+    ).toBeGreaterThanOrEqual(400);
+
+    const code = (res.json as { error?: string } | undefined)?.error;
+    expect(
+      code !== undefined && ISOLATION_CODES.has(code),
+      driver.describe(
+        'spec/v1/rest-endpoints.md run_forbidden',
+        `error MUST be one of {${[...ISOLATION_CODES].join(', ')}} (fail-closed, no existence leak), got: ${code ?? '(absent)'}`,
+      ),
+    ).toBe(true);
+  });
+});

package/src/scenarios/deadletter-capability-shape.test.ts

@@ -0,0 +1,59 @@
+/**
+ * deadletter-capability-shape — RFC 0053 §A advertisement-shape verification.
+ *
+ * Status: DRAFT. RFC 0053 (dead-letter routing & failure sinks) is `Draft`.
+ * The `capabilities.deadLetter` block has landed in
+ * `schemas/capabilities.schema.json`.
+ *
+ * Always runs (shape-only): when the host advertises
+ * `capabilities.deadLetter`, its fields MUST be well-formed.
+ *
+ * What this scenario asserts:
+ *   1. `capabilities.deadLetter` is either absent or a well-formed object.
+ *   2. When `supported: true`, `retentionDays` (when present) is an integer ≥ 1
+ *      (RFC 0053 §A).
+ *
+ * @see RFCS/0053-dead-letter-routing-and-failure-sinks.md
+ * @see spec/v1/host-capabilities.md §host.deadLetter
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+
+interface DiscoveryDeadLetter {
+  supported?: boolean;
+  retentionDays?: number;
+}
+
+interface DiscoveryDoc {
+  capabilities?: { deadLetter?: DiscoveryDeadLetter };
+}
+
+async function readDeadLetter(): Promise<DiscoveryDeadLetter | null> {
+  const res = await driver.get('/.well-known/openwop');
+  const body = res.json as DiscoveryDoc | undefined;
+  return body?.capabilities?.deadLetter ?? null;
+}
+
+describe('deadletter-capability-shape: advertisement shape (RFC 0053 §A)', () => {
+  it('capabilities.deadLetter is either absent or well-formed', async () => {
+    const dl = await readDeadLetter();
+    if (dl === null) return; // host doesn't advertise deadLetter at all
+    expect(
+      typeof dl.supported,
+      driver.describe(
+        'capabilities.schema.json §deadLetter',
+        'capabilities.deadLetter.supported MUST be a boolean when deadLetter is advertised',
+      ),
+    ).toBe('boolean');
+  });
+
+  it('retentionDays is an integer >= 1 when present + supported', async () => {
+    const dl = await readDeadLetter();
+    if (!dl?.supported || dl.retentionDays === undefined) return;
+    expect(
+      Number.isInteger(dl.retentionDays) && dl.retentionDays >= 1,
+      driver.describe('RFC 0053 §A', `capabilities.deadLetter.retentionDays MUST be an integer >= 1, got: ${dl.retentionDays}`),
+    ).toBe(true);
+  });
+});

package/src/scenarios/deadletter-retry-exhaustion.test.ts

@@ -0,0 +1,62 @@
+/**
+ * deadletter-retry-exhaustion — RFC 0053 §C behavioral verification.
+ *
+ * Status: DRAFT. RFC 0053 (dead-letter routing & failure sinks) is `Draft`.
+ *
+ * Capability-gated: skips when the host does not advertise
+ * `capabilities.deadLetter.supported = true`.
+ *
+ * What this scenario asserts (via the optional
+ * `POST /v1/host/sample/deadletter/exhaust` test seam, which drives a node
+ * that deterministically exhausts a short retry policy):
+ *   1. Retry exhaustion → `run.dead_lettered` — the host emits the event
+ *      carrying `{ runId, reason, attempts }` (RFC 0053 §C.1).
+ *   2. Fork-eligibility — the dead-lettered run remains forkable per RFC 0011
+ *      within the retention window (RFC 0053 §C.2).
+ *
+ * Hosts without the seam soft-skip the behavioral probes (404). Retention
+ * purge is part of the deferred retention scenario (needs a clock seam).
+ *
+ * @see RFCS/0053-dead-letter-routing-and-failure-sinks.md
+ * @see spec/v1/host-capabilities.md §host.deadLetter
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+
+interface DiscoveryDoc {
+  capabilities?: { deadLetter?: { supported?: boolean } };
+}
+
+async function deadLetterSupported(): Promise<boolean> {
+  const res = await driver.get('/.well-known/openwop');
+  return (res.json as DiscoveryDoc | undefined)?.capabilities?.deadLetter?.supported === true;
+}
+
+describe('deadletter-retry-exhaustion: retry exhaustion → dead-lettered + fork-eligible (RFC 0053 §C)', () => {
+  it('a retry-exhausted run emits run.dead_lettered with attempts', async () => {
+    if (!(await deadLetterSupported())) return; // capability-gated
+    const res = await driver.post('/v1/host/sample/deadletter/exhaust', { scenario: 'exhaust-retries' });
+    if (res.status === 404) return; // seam unwired — soft-skip
+    const body = res.json as { event?: { type?: string; payload?: { attempts?: number; runId?: string } } } | undefined;
+    expect(
+      body?.event?.type,
+      driver.describe('RFC 0053 §C.1', 'retry exhaustion MUST emit a run.dead_lettered event'),
+    ).toBe('run.dead_lettered');
+    expect(
+      typeof body?.event?.payload?.attempts === 'number' && body.event.payload.attempts >= 1,
+      driver.describe('RFC 0053 §C.1', 'run.dead_lettered MUST carry the total attempts (>= 1)'),
+    ).toBe(true);
+  });
+
+  it('the dead-lettered run is fork-eligible (RFC 0011)', async () => {
+    if (!(await deadLetterSupported())) return; // capability-gated
+    const res = await driver.post('/v1/host/sample/deadletter/exhaust', { scenario: 'fork-after-dead-letter' });
+    if (res.status === 404) return; // seam unwired — soft-skip
+    const body = res.json as { forkEligible?: boolean } | undefined;
+    expect(
+      body?.forkEligible,
+      driver.describe('RFC 0053 §C.2', 'a dead-lettered run MUST remain fork-eligible within the retention window'),
+    ).toBe(true);
+  });
+});

package/src/scenarios/experimental-tier-shape.test.ts

@@ -0,0 +1,192 @@
+/**
+ * experimental-tier-shape — RFC 0042 §A + §B + §D advertisement-shape probes.
+ *
+ * RFC 0042 lands the audit's "Active RFC → experimental carve-out" pattern as
+ * an optional `tier ∈ {"stable", "experimental"}` field on capability
+ * advertisements, paired with a required `experimentalUntil` ISO-8601 sunset
+ * date when `tier === "experimental"`. This scenario asserts:
+ *
+ *   1. Schema discipline: when `multiAgent.executionModel` advertises `tier:
+ *      "experimental"`, `experimentalUntil` MUST be present + match
+ *      `YYYY-MM-DD` + be ≤ 365 days in the future.
+ *   2. Default-mode soft-skip routing: scenarios consuming
+ *      `experimentalGate()` honor the tier — the helper returns `false`
+ *      under default mode for `tier: "experimental"` capabilities so the
+ *      scenario soft-skips with a dedicated log line.
+ *   3. Sunset detection: a host advertising `experimentalUntil` in the
+ *      past MUST fail discovery validation (host responsibility — the
+ *      conformance probe simply asserts that the date format and bound
+ *      hold for hosts that DO advertise correctly).
+ *
+ * The scenario lives at three describe levels per the RFC 0042 §D
+ * "Conformance suite changes" contract.
+ *
+ * @see RFCS/0042-experimental-capability-tier.md
+ * @see schemas/capabilities.schema.json §multiAgent.executionModel.tier
+ * @see conformance/src/lib/behavior-gate.ts experimentalGate()
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+import { experimentalGate } from '../lib/behavior-gate.js';
+
+const HTTP_SKIP = !process.env.OPENWOP_BASE_URL;
+
+interface DiscoveryDoc {
+  capabilities?: {
+    multiAgent?: {
+      executionModel?: {
+        supported?: unknown;
+        tier?: unknown;
+        experimentalUntil?: unknown;
+      };
+    };
+  };
+}
+
+async function readDiscovery(): Promise<DiscoveryDoc | null> {
+  try {
+    const res = await driver.get('/.well-known/openwop');
+    if (res.status !== 200) return null;
+    return res.json as DiscoveryDoc;
+  } catch {
+    return null;
+  }
+}
+
+describe.skipIf(HTTP_SKIP)('experimental-tier-shape: §A schema discipline (RFC 0042 §A)', () => {
+  it('multiAgent.executionModel.tier (when present) MUST be one of {stable, experimental}', async (ctx) => {
+    const d = await readDiscovery();
+    const em = d?.capabilities?.multiAgent?.executionModel;
+    if (em === undefined) {
+      ctx.skip();
+      return;
+    }
+    if (em.tier === undefined) {
+      ctx.skip(); // tier is optional with default 'stable'
+      return;
+    }
+    expect(
+      em.tier === 'stable' || em.tier === 'experimental',
+      driver.describe(
+        'RFCS/0042-experimental-capability-tier.md §A',
+        'multiAgent.executionModel.tier MUST be one of the canonical enum values',
+      ),
+    ).toBe(true);
+  });
+
+  it('when tier === "experimental", experimentalUntil MUST be present + valid date', async (ctx) => {
+    const d = await readDiscovery();
+    const em = d?.capabilities?.multiAgent?.executionModel;
+    if (em === undefined || em.tier !== 'experimental') {
+      ctx.skip();
+      return;
+    }
+
+    expect(
+      typeof em.experimentalUntil,
+      driver.describe(
+        'RFCS/0042-experimental-capability-tier.md §B',
+        'when tier is "experimental", experimentalUntil MUST be present (the §B sunset-rule contract)',
+      ),
+    ).toBe('string');
+
+    const dateStr = em.experimentalUntil as string;
+    expect(
+      /^\d{4}-\d{2}-\d{2}$/.test(dateStr),
+      driver.describe(
+        'RFCS/0042-experimental-capability-tier.md §B',
+        'experimentalUntil MUST match YYYY-MM-DD',
+      ),
+    ).toBe(true);
+
+    const parsed = new Date(dateStr + 'T00:00:00Z');
+    expect(
+      !Number.isNaN(parsed.getTime()),
+      driver.describe(
+        'RFCS/0042-experimental-capability-tier.md §B',
+        'experimentalUntil MUST parse as a valid ISO-8601 date',
+      ),
+    ).toBe(true);
+  });
+
+  it('experimentalUntil MUST be ≤ 365 days in the future (sunset bound)', async (ctx) => {
+    const d = await readDiscovery();
+    const em = d?.capabilities?.multiAgent?.executionModel;
+    if (em === undefined || em.tier !== 'experimental') {
+      ctx.skip();
+      return;
+    }
+    if (typeof em.experimentalUntil !== 'string') {
+      ctx.skip(); // shape probe above will fail; don't double-fail
+      return;
+    }
+    const target = new Date((em.experimentalUntil as string) + 'T00:00:00Z').getTime();
+    const now = Date.now();
+    const daysAhead = (target - now) / (1000 * 60 * 60 * 24);
+    expect(
+      daysAhead <= 365,
+      driver.describe(
+        'RFCS/0042-experimental-capability-tier.md §B',
+        `experimentalUntil MUST be ≤ 365 days from now (got ${Math.floor(daysAhead)} days; advertised ${em.experimentalUntil})`,
+      ),
+    ).toBe(true);
+  });
+
+  it('sunset detection: experimentalUntil in the past is non-conformant', async (ctx) => {
+    const d = await readDiscovery();
+    const em = d?.capabilities?.multiAgent?.executionModel;
+    if (em === undefined || em.tier !== 'experimental') {
+      ctx.skip();
+      return;
+    }
+    if (typeof em.experimentalUntil !== 'string') {
+      ctx.skip();
+      return;
+    }
+    const target = new Date((em.experimentalUntil as string) + 'T00:00:00Z').getTime();
+    const now = Date.now();
+    expect(
+      target >= now,
+      driver.describe(
+        'RFCS/0042-experimental-capability-tier.md §B',
+        `experimentalUntil MUST NOT be in the past (advertised ${em.experimentalUntil}; host MUST either flip tier to stable, retract the advertisement, or re-advertise with a future date + open deprecation RFC)`,
+      ),
+    ).toBe(true);
+  });
+});
+
+describe.skipIf(HTTP_SKIP)('experimental-tier-shape: §D experimentalGate helper routing (RFC 0042 §D)', () => {
+  it('experimentalGate returns false for tier="experimental" without OPENWOP_REQUIRE_EXPERIMENTAL', () => {
+    // Helper-level behavioral probe — no host needed, this is a pure
+    // function-routing assertion against the imported helper.
+    const prevReqExp = process.env.OPENWOP_REQUIRE_EXPERIMENTAL;
+    delete process.env.OPENWOP_REQUIRE_EXPERIMENTAL;
+    try {
+      const result = experimentalGate('test-profile', true, 'experimental', '2027-05-22');
+      expect(
+        result,
+        driver.describe(
+          'RFCS/0042-experimental-capability-tier.md §D',
+          'default mode + tier="experimental" MUST soft-skip — helper returns false',
+        ),
+      ).toBe(false);
+    } finally {
+      if (prevReqExp !== undefined) process.env.OPENWOP_REQUIRE_EXPERIMENTAL = prevReqExp;
+    }
+  });
+
+  it('experimentalGate routes through behaviorGate when tier === undefined or "stable"', () => {
+    const prevReqBeh = process.env.OPENWOP_REQUIRE_BEHAVIOR;
+    delete process.env.OPENWOP_REQUIRE_BEHAVIOR;
+    try {
+      // Stable + advertised → proceed.
+      expect(experimentalGate('test-stable', true, 'stable')).toBe(true);
+      expect(experimentalGate('test-stable-undef', true, undefined)).toBe(true);
+      // Stable + NOT advertised, default mode → skip (returns false, no throw).
+      expect(experimentalGate('test-not-adv', false, 'stable')).toBe(false);
+    } finally {
+      if (prevReqBeh !== undefined) process.env.OPENWOP_REQUIRE_BEHAVIOR = prevReqBeh;
+    }
+  });
+});

package/src/scenarios/feedback-capability-shape.test.ts

@@ -0,0 +1,35 @@
+/**
+ * feedback-capability-shape — RFC 0056 §A. The `capabilities.feedback`
+ * advertisement block is either absent or a well-formed object.
+ *
+ * Status: ACTIVE (advertisement-shape; always runs). Behavioral coverage
+ * lives in the sibling `feedback-*.test.ts` scenarios, gated on
+ * `capabilities.feedback.supported`.
+ *
+ * @see RFCS/0056-run-feedback-and-annotation-event.md §A
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+import { readFeedbackCap } from '../lib/feedback.js';
+
+describe('feedback-capability-shape: advertisement (RFC 0056 §A)', () => {
+  it('capabilities.feedback is absent or a well-formed object', async () => {
+    const cap = await readFeedbackCap();
+    if (cap === null) return; // not advertised — valid
+    expect(
+      typeof cap.supported,
+      driver.describe('capabilities.schema.json §feedback', 'capabilities.feedback.supported MUST be a boolean when present'),
+    ).toBe('boolean');
+    if (Array.isArray(cap.targets)) {
+      for (const t of cap.targets) {
+        expect(['run', 'event', 'node']).toContain(t);
+      }
+    }
+    if (Array.isArray(cap.signals)) {
+      for (const s of cap.signals) {
+        expect(['rating', 'correction', 'label', 'flag']).toContain(s);
+      }
+    }
+  });
+});