@openwop/openwop-conformance 1.5.0 → 1.6.1

package/src/scenarios/oauth-capability-shape.test.ts

@@ -0,0 +1,97 @@
+/**
+ * oauth-capability-shape — RFC 0047 §A advertisement-shape verification.
+ *
+ * Status: DRAFT. RFC 0047 (`host.oauth`) is `Draft`. The
+ * `capabilities.oauth` block has landed in `schemas/capabilities.schema.json`.
+ *
+ * Always runs (shape-only): when the host advertises `capabilities.oauth`,
+ * its fields MUST be well-formed; when it doesn't, the block is absent.
+ *
+ * What this scenario asserts:
+ *   1. `capabilities.oauth` is either absent or a well-formed object.
+ *   2. When `supported: true`, `grants` (when present) is a subset of
+ *      {authorization_code, client_credentials, refresh_token}, and every
+ *      `providers[]` entry has a non-empty `id` (RFC 0047 §A).
+ *
+ * @see RFCS/0047-host-oauth-connector-flows.md
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+
+interface DiscoveryOAuthProvider {
+  id?: string;
+  authUrl?: string;
+  tokenUrl?: string;
+  scopesSupported?: string[];
+}
+
+interface DiscoveryOAuth {
+  supported?: boolean;
+  grants?: string[];
+  providers?: DiscoveryOAuthProvider[];
+}
+
+interface DiscoveryDoc {
+  capabilities?: {
+    oauth?: DiscoveryOAuth;
+  };
+}
+
+const VALID_GRANTS: ReadonlySet<string> = new Set([
+  'authorization_code',
+  'client_credentials',
+  'refresh_token',
+]);
+
+async function readOAuth(): Promise<DiscoveryOAuth | null> {
+  const res = await driver.get('/.well-known/openwop');
+  const body = res.json as DiscoveryDoc | undefined;
+  return body?.capabilities?.oauth ?? null;
+}
+
+describe('oauth-capability-shape: advertisement shape (RFC 0047 §A)', () => {
+  it('capabilities.oauth is either absent or well-formed', async () => {
+    const oauth = await readOAuth();
+    if (oauth === null) return; // host doesn't advertise host.oauth at all
+    expect(
+      typeof oauth.supported,
+      driver.describe(
+        'capabilities.schema.json §oauth',
+        'capabilities.oauth.supported MUST be a boolean when oauth is advertised',
+      ),
+    ).toBe('boolean');
+  });
+
+  it('grants is a subset of the canonical grant set when supported', async () => {
+    const oauth = await readOAuth();
+    if (!oauth?.supported || oauth.grants === undefined) return;
+    expect(
+      Array.isArray(oauth.grants),
+      driver.describe('RFC 0047 §A', 'capabilities.oauth.grants MUST be an array'),
+    ).toBe(true);
+    for (const grant of oauth.grants) {
+      expect(
+        VALID_GRANTS.has(grant),
+        driver.describe(
+          'RFC 0047 §A',
+          `capabilities.oauth.grants entries MUST be one of {${[...VALID_GRANTS].join(', ')}}, got: ${grant}`,
+        ),
+      ).toBe(true);
+    }
+  });
+
+  it('every advertised provider has a non-empty id when supported', async () => {
+    const oauth = await readOAuth();
+    if (!oauth?.supported || oauth.providers === undefined) return;
+    for (const provider of oauth.providers) {
+      expect(
+        typeof provider.id === 'string' && provider.id.length > 0,
+        driver.describe(
+          'RFC 0047 §A',
+          'each capabilities.oauth.providers[] entry MUST declare a non-empty id',
+        ),
+      ).toBe(true);
+    }
+  });
+});

package/src/scenarios/oauth-connector-redaction.test.ts

@@ -0,0 +1,91 @@
+/**
+ * oauth-connector-redaction — RFC 0047 §C / §D + `credential-payload-redaction`.
+ *
+ * Status: DRAFT. RFC 0047 (`host.oauth`) is `Draft`. Reuses the RFC 0046
+ * SECURITY invariant `credential-payload-redaction` — OAuth tokens acquired
+ * via host.oauth are stored as host.credentials entries and are subject to
+ * the same no-plaintext-on-the-wire rule.
+ *
+ * Capability-gated: skips when the host does not advertise
+ * `capabilities.oauth.supported = true`.
+ *
+ * What this scenario asserts:
+ *   1. Advertisement shape — `capabilities.oauth.supported` is a boolean.
+ *   2. Token-material redaction MUST-NOT — when the host exposes the optional
+ *      `POST /v1/host/sample/oauth/connector-echo` test seam (a synthetic
+ *      provider acquires a token whose value is a known canary, then a
+ *      connector node runs), the canary MUST NOT appear in ANY observable
+ *      run surface, and `connector.authorized` MUST carry the credential
+ *      reference rather than the token.
+ *
+ * Hosts without the seam soft-skip the redaction probe (404).
+ *
+ * @see RFCS/0047-host-oauth-connector-flows.md
+ * @see SECURITY/invariants.yaml id: credential-payload-redaction
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+
+interface DiscoveryOAuth {
+  supported?: boolean;
+}
+
+interface DiscoveryDoc {
+  capabilities?: {
+    oauth?: DiscoveryOAuth;
+  };
+}
+
+const TOKEN_CANARY = 'OPENWOP_OAUTH_CANARY_b7d3e1a9c2';
+
+async function readOAuth(): Promise<DiscoveryOAuth | null> {
+  const res = await driver.get('/.well-known/openwop');
+  const body = res.json as DiscoveryDoc | undefined;
+  return body?.capabilities?.oauth ?? null;
+}
+
+describe('oauth-connector-redaction: advertisement shape (RFC 0047 §A)', () => {
+  it('capabilities.oauth.supported is a boolean when advertised', async () => {
+    const oauth = await readOAuth();
+    if (oauth === null) return;
+    expect(
+      typeof oauth.supported,
+      driver.describe(
+        'capabilities.schema.json §oauth',
+        'capabilities.oauth.supported MUST be a boolean when oauth is advertised',
+      ),
+    ).toBe('boolean');
+  });
+});
+
+describe('oauth-connector-redaction: token material MUST NOT cross the wire (RFC 0047 §C.2)', () => {
+  it('canary token is absent from every observable run surface', async () => {
+    const oauth = await readOAuth();
+    if (!oauth?.supported) return; // capability-gated
+
+    // Seam contract: a synthetic provider issues a token whose value is
+    // TOKEN_CANARY, a connector node runs, and the run's observable surfaces
+    // (events incl. connector.authorized + snapshot + debug bundle) are returned.
+    const res = await driver.post('/v1/host/sample/oauth/connector-echo', { canary: TOKEN_CANARY });
+    // 404 from a host that hasn't wired the test seam is a soft-skip.
+    if (res.status === 404) return;
+
+    expect(
+      res.status,
+      driver.describe(
+        'RFC 0047 §C',
+        'the oauth connector-echo seam MUST acquire the token and return the run observable surfaces',
+      ),
+    ).toBeLessThan(400);
+
+    const serialized = JSON.stringify(res.json ?? {});
+    expect(
+      serialized.includes(TOKEN_CANARY),
+      driver.describe(
+        'SECURITY/invariants.yaml credential-payload-redaction',
+        'acquired OAuth token material MUST NOT appear in inputs, variables, channels, events, snapshot, or debug bundle — only the credential reference may cross the wire',
+      ),
+    ).toBe(false);
+  });
+});

package/src/scenarios/pack-registry-isolation.test.ts

@@ -0,0 +1,108 @@
+/**
+ * Pack-registry test-mode isolation — RFC 0025 §C point 1.
+ *
+ * Status: BEHAVIORAL (soft-skip). A pack PUT'd to `/v1/packs-test/*` MUST
+ * NOT appear in `/v1/packs/*` listings. This anchors the test-mode
+ * mirror's load-bearing safety invariant: the conformance suite is
+ * trusted to drive publish-error-catalog traffic against the test
+ * namespace precisely because the test catalog is guaranteed distinct
+ * from the production catalog.
+ *
+ * Soft-skips when the host doesn't advertise
+ * `capabilities.packs.testMode.supported: true` (or advertises
+ * `isolated: false` — in which case the host is honestly disclaiming
+ * the invariant and the conformance suite's other publish-error tests
+ * are not applicable either).
+ *
+ * @see RFCS/0025-test-mode-registry-namespace.md §C "Isolation guarantees"
+ * @see schemas/capabilities.schema.json §packs.testMode
+ * @see pack-registry-publish.test.ts (the 25 sibling scenarios this invariant unblocks)
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+
+interface DiscoveryDoc {
+  capabilities?: Record<string, unknown>;
+}
+
+interface TestModeAdvertisement {
+  readonly supported: boolean;
+  readonly isolated: boolean;
+}
+
+async function getTestModeAdvertisement(): Promise<TestModeAdvertisement | null> {
+  const res = await driver.get('/.well-known/openwop');
+  const body = res.json as DiscoveryDoc | undefined;
+  const top = body?.capabilities as Record<string, unknown> | undefined;
+  const packs = top && typeof top === 'object' ? (top['packs'] as Record<string, unknown> | undefined) : undefined;
+  const testMode = packs && typeof packs === 'object' ? (packs['testMode'] as Record<string, unknown> | undefined) : undefined;
+  if (!testMode || typeof testMode !== 'object') return null;
+  return {
+    supported: testMode['supported'] === true,
+    isolated: testMode['isolated'] === true,
+  };
+}
+
+function freshPackName(): string {
+  return `core.openwop.test-isolation-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
+}
+
+describe('pack-registry-isolation: test catalog MUST NOT bleed into production (RFC 0025 §C.1)', () => {
+  it('a pack PUT to /v1/packs-test/{name} MUST NOT appear in GET /v1/packs/{name}', async () => {
+    const adv = await getTestModeAdvertisement();
+    if (!adv || !adv.supported) return; // host doesn't advertise the seam
+    if (!adv.isolated) return; // host explicitly disclaims the invariant — no contract to assert
+
+    const name = freshPackName();
+    const version = '1.0.0';
+
+    // PUT to the test namespace. The body is intentionally minimal — the
+    // isolation invariant is independent of whether validation accepts
+    // or rejects the publish. Either outcome is fine; what's tested is
+    // that NEITHER outcome causes the pack to surface in the production
+    // catalog.
+    const putRes = await driver.put(
+      `/v1/packs-test/${encodeURIComponent(name)}/-/${encodeURIComponent(version)}.tgz`,
+      Buffer.from([0x1f, 0x8b, 0]),
+      { headers: { 'Content-Type': 'application/octet-stream' } },
+    );
+
+    // If the seam returns 404, the test-mode endpoint isn't actually
+    // wired up despite the advertisement — pack-registry-publish.test.ts
+    // catches that drift in 24 other scenarios; soft-skip here.
+    if (putRes.status === 404) return;
+
+    // Probe the production namespace. The invariant: a pack written
+    // via /v1/packs-test/* MUST NOT be retrievable via /v1/packs/*.
+    const prodRes = await driver.get(`/v1/packs/${encodeURIComponent(name)}`);
+
+    // 404 is the canonical "not found" — exactly what isolation requires.
+    // 200 with a payload that does NOT name our pack would mean the host
+    // returned a listing of unrelated packs (some hosts serve search-shaped
+    // results on /v1/packs/{nonexistent}); we check the negative explicitly.
+    if (prodRes.status === 200) {
+      const body = prodRes.json as Record<string, unknown> | undefined;
+      const stringified = body ? JSON.stringify(body) : '';
+      expect(
+        stringified.includes(name),
+        driver.describe(
+          'RFCS/0025-test-mode-registry-namespace.md §C point 1',
+          `pack name '${name}' was written via /v1/packs-test/${name}@${version} but appeared in /v1/packs/${name} response body — test-catalog isolation MUST hold`,
+        ),
+      ).toBe(false);
+      return;
+    }
+
+    // Acceptable: 4xx range (404 pack_not_found is the spec-canonical
+    // shape; 410/422 also fine — any "not present in production catalog"
+    // signal satisfies the invariant).
+    expect(
+      prodRes.status >= 400 && prodRes.status < 500,
+      driver.describe(
+        'RFCS/0025-test-mode-registry-namespace.md §C point 1',
+        `expected production-namespace GET to return 4xx for a test-namespace-only pack '${name}', got ${prodRes.status}`,
+      ),
+    ).toBe(true);
+  });
+});

package/src/scenarios/pack-registry-publish.test.ts

@@ -1,7 +1,7 @@
 /**
  * Pack-registry publish scenarios — `node-packs.md` §"PUT /v1/packs/{name}/-/{version}.tgz".
  *
- * Status: BEHAVIORAL (soft-skip). Per RFC 0025 (`Draft` 2026-05-19),
+ * Status: BEHAVIORAL (soft-skip). Per RFC 0025 (`Active` 2026-05-19),
  * the conformance suite drives the documented 19-code error catalog
  * via the test-mode mirror namespace `/v1/packs-test/*`, gated on
  * `capabilities.packs.testMode.supported: true`. Each scenario soft-

package/src/scenarios/prompt-mutation-workspace-membership-enforced.test.ts

@@ -0,0 +1,126 @@
+/**
+ * prompt-mutation-workspace-membership-enforced — RFC 0028 Tier-2 §"Workspace
+ * membership on workspace-scoped writes" verification.
+ *
+ * Status: ACTIVE (capability-gated; behavioral when the host advertises
+ * `capabilities.prompts.mutableLibrary: true`). Hosts that don't advertise
+ * mutableLibrary soft-skip cleanly.
+ *
+ * The contract (spec/v1/prompts.md §"Discovery & distribution" §"REST
+ * endpoints" §"Workspace membership on workspace-scoped writes"):
+ *
+ *   Hosts MUST verify that the authenticated principal is a member of the
+ *   target workspace BEFORE honoring any POST / PUT / DELETE to a
+ *   workspace-scoped /v1/prompts* resource. A workspaceId supplied by the
+ *   caller (request body, URL, or query string) MUST NOT be trusted as
+ *   authorization on its own. Non-members MUST be rejected fail-closed
+ *   (typically 403) before any persistence occurs.
+ *
+ * The probe drives `POST /v1/prompts` with a `workspaceId` the conformance
+ * principal cannot be a member of (a cryptographically-unique random value
+ * by default; operator-overridable via `OPENWOP_TEST_NONMEMBER_WORKSPACE_ID`
+ * for hosts that need a specific synthetic workspace shape). The behavioral
+ * MUST is that the host refuses — NOT a 2xx. Any 4xx/5xx is acceptable
+ * (401 = auth not configured for this surface; 403 = membership check;
+ * 404 = endpoint absent; 422 = body validation; 501 = capability not
+ * provided). The failure mode this invariant guards against is a SILENT
+ * 2xx with a write to a workspace the caller doesn't belong to — that's the
+ * RFC 0028 Tier-2 vulnerability self-disclosed by an adopter on 2026-05-25.
+ *
+ * Why a random workspaceId is sufficient: a non-member workspace check is
+ * negative-space — the host MUST refuse for ANY workspace the principal
+ * isn't a member of, and a random UUID has astronomically-low collision
+ * probability with any real workspace membership grant.
+ *
+ * @see RFCS/0028-prompt-library-endpoints.md §"Post-promotion notes"
+ * @see spec/v1/prompts.md §"Security invariants" §prompt-mutation-workspace-membership-enforced
+ * @see spec/v1/auth.md §"Identity claims — tenant · workspace · principal"
+ * @see RFCS/0048-tenant-workspace-principal-identity-model.md §D
+ */
+
+import { describe, it, expect } from 'vitest';
+import { randomUUID } from 'node:crypto';
+import { driver } from '../lib/driver.js';
+
+const HTTP_SKIP = !process.env.OPENWOP_BASE_URL;
+
+interface DiscoveryDoc {
+  capabilities?: {
+    prompts?: {
+      mutableLibrary?: unknown;
+    };
+  };
+}
+
+async function readDiscovery(): Promise<DiscoveryDoc | null> {
+  try {
+    const res = await driver.get('/.well-known/openwop');
+    if (res.status !== 200) return null;
+    return res.json as DiscoveryDoc;
+  } catch {
+    return null;
+  }
+}
+
+describe.skipIf(HTTP_SKIP)(
+  'prompt-mutation-workspace-membership-enforced: writes to non-member workspaces MUST be refused (RFC 0028 Tier-2)',
+  () => {
+    it('POST /v1/prompts with a workspaceId the principal is not a member of MUST NOT succeed with 2xx', async (ctx) => {
+      const d = await readDiscovery();
+      if (d === null) {
+        ctx.skip();
+        return;
+      }
+      const mutableLibrary = d.capabilities?.prompts?.mutableLibrary;
+      if (mutableLibrary !== true) {
+        ctx.skip();
+        return;
+      }
+
+      const nonMemberWorkspaceId =
+        process.env.OPENWOP_TEST_NONMEMBER_WORKSPACE_ID ??
+        `openwop-conformance-nonmember-${randomUUID()}`;
+
+      const res = await driver.post('/v1/prompts', {
+        workspaceId: nonMemberWorkspaceId,
+        templateId: `conformance-membership-probe-${randomUUID()}`,
+        version: '1.0.0',
+        kind: 'system',
+        text: 'conformance probe — SHOULD NOT persist',
+      });
+
+      // The conformance MUST: the host MUST NOT honor a write to a workspace
+      // the caller cannot prove membership of. Any refusal (4xx/5xx) is
+      // acceptable; a 2xx silent success is the failure mode that the RFC
+      // 0028 Tier-2 self-disclosed vulnerability demonstrated.
+      expect(
+        res.status,
+        driver.describe(
+          'spec/v1/prompts.md §Workspace membership on workspace-scoped reads and writes',
+          `mutating /v1/prompts MUST refuse a write to a non-member workspace; ` +
+            `got ${res.status} ${res.text.slice(0, 200)}`,
+        ),
+      ).toBeGreaterThanOrEqual(400);
+
+      // T1 canonicalization (2026-05-25): when the host CHOOSES 403 to
+      // signal the authz boundary, the response envelope MUST carry
+      // `error: "workspace_membership_required"` per rest-endpoints.md
+      // §"Common error codes". Hosts that refuse with other codes
+      // (401 if they treat the failure as authentication-level, 404 to
+      // avoid existence disclosure, 5xx on infra failure) have the
+      // refusal accepted above but the envelope shape is NOT constrained
+      // by this scenario — the canonical envelope is conditional on the
+      // 403 status code, not a forced upgrade.
+      if (res.status === 403) {
+        const body = res.json as { error?: unknown } | null;
+        expect(
+          body?.error,
+          driver.describe(
+            'spec/v1/rest-endpoints.md §Common error codes — workspace_membership_required',
+            `403 refusal of a workspace-scoped mutation MUST carry error: "workspace_membership_required"; got error: ${JSON.stringify(body?.error)}`,
+          ),
+        ).toBe('workspace_membership_required');
+      }
+    });
+  },
+);

package/src/scenarios/prompt-read-workspace-membership-enforced.test.ts

@@ -0,0 +1,183 @@
+/**
+ * prompt-read-workspace-membership-enforced — RFC 0028 Tier-2 §"Workspace
+ * membership on workspace-scoped reads and writes" verification (READ path).
+ *
+ * Status: ACTIVE (capability-gated; behavioral when the host advertises
+ * `capabilities.prompts.supported: true` AND accepts `?workspaceId=` on
+ * `GET /v1/prompts`). Hosts that don't expose workspace-scoped reads
+ * (host-only template libraries with no workspace dimension) self-skip
+ * via response-shape detection.
+ *
+ * The contract (spec/v1/prompts.md §"Discovery & distribution" §"REST
+ * endpoints" §"Workspace membership on workspace-scoped reads and writes"):
+ *
+ *   Read paths are NOT exempt from the workspace-membership invariant
+ *   just because they don't write. A GET /v1/prompts?workspaceId=<not-mine>
+ *   that returns another workspace's templates is a cross-tenant data leak
+ *   with the same blast radius as a cross-tenant write. Hosts MUST verify
+ *   the authenticated principal's workspace membership BEFORE returning
+ *   workspace-scoped content.
+ *
+ * Gate per MyndHyve relay 2026-05-25 ("Option B"): probe ALL hosts that
+ * advertise `capabilities.prompts.supported: true` regardless of
+ * `mutableLibrary`; read-only hosts that expose `?workspaceId=` reads are
+ * NOT exempt from the symmetric authz invariant. Hosts that don't expose
+ * workspace-scoped reads at all self-skip via the response interpretation
+ * below (the suite avoids inventing a new capability field just for this
+ * gating concern).
+ *
+ * The probe drives `GET /v1/prompts?workspaceId=<random-uuid>` and
+ * interprets the response:
+ *
+ *   - 4xx (any code) — PASS (refused). If 403 specifically, additionally
+ *     pin `error === "workspace_membership_required"` per the canonical
+ *     envelope in rest-endpoints.md §"Common error codes".
+ *   - 200 with `templates: []` — PASS. The host correctly returned no
+ *     content for a workspace the principal isn't a member of. A random
+ *     UUID workspace also definitionally has no real content, so an empty
+ *     result is the correct null answer.
+ *   - 200 with `templates: [non-empty]` — FAIL. The host returned content
+ *     for an unauthorized workspace. This is the cross-tenant data leak
+ *     failure mode. (Note: this scenario uses a random workspaceId so any
+ *     non-empty result is a leak — there can't legitimately be templates
+ *     in a freshly-generated nonexistent workspace.)
+ *   - 200 without a `templates[]` field, or a response shape that doesn't
+ *     resemble the documented `/v1/prompts` list shape — SKIP with a
+ *     diagnostic log. Indicates the host doesn't recognize `?workspaceId=`
+ *     on this endpoint (e.g., host-only template library with no
+ *     workspace dimension).
+ *   - 5xx — PASS (refused; envelope shape unconstrained).
+ *
+ * Why a random workspaceId is sufficient: the assertion is negative-space.
+ * A host that correctly enforces membership MUST refuse for ANY workspace
+ * the principal isn't a member of, and a random UUID has astronomically-low
+ * collision probability with any real workspace membership grant. A host
+ * that returns templates from a random UUID workspace is leaking content
+ * from somewhere (host-built-in misclassified as workspace, or a silent
+ * fall-through to another workspace's content, or a query bug returning
+ * everything).
+ *
+ * @see RFCS/0028-prompt-library-endpoints.md §"Post-promotion notes"
+ * @see spec/v1/prompts.md §"Security invariants" §prompt-read-workspace-membership-enforced
+ * @see spec/v1/rest-endpoints.md §"Common error codes" §workspace_membership_required
+ * @see spec/v1/auth.md §"Identity claims — tenant · workspace · principal"
+ * @see RFCS/0048-tenant-workspace-principal-identity-model.md §D
+ */
+
+import { describe, it, expect } from 'vitest';
+import { randomUUID } from 'node:crypto';
+import { driver } from '../lib/driver.js';
+
+const HTTP_SKIP = !process.env.OPENWOP_BASE_URL;
+
+interface DiscoveryDoc {
+  capabilities?: {
+    prompts?: {
+      supported?: unknown;
+    };
+  };
+}
+
+interface PromptListResponse {
+  templates?: unknown;
+}
+
+async function readDiscovery(): Promise<DiscoveryDoc | null> {
+  try {
+    const res = await driver.get('/.well-known/openwop');
+    if (res.status !== 200) return null;
+    return res.json as DiscoveryDoc;
+  } catch {
+    return null;
+  }
+}
+
+describe.skipIf(HTTP_SKIP)(
+  'prompt-read-workspace-membership-enforced: workspace-scoped reads MUST NOT leak templates from another workspace (RFC 0028 Tier-2)',
+  () => {
+    it('GET /v1/prompts?workspaceId=<non-member> MUST refuse OR return empty templates[] — never another workspace\'s content', async (ctx) => {
+      const d = await readDiscovery();
+      if (d === null) {
+        ctx.skip();
+        return;
+      }
+      const promptsSupported = d.capabilities?.prompts?.supported;
+      if (promptsSupported !== true) {
+        ctx.skip();
+        return;
+      }
+
+      const nonMemberWorkspaceId =
+        process.env.OPENWOP_TEST_NONMEMBER_WORKSPACE_ID ??
+        `openwop-conformance-nonmember-${randomUUID()}`;
+
+      const res = await driver.get(
+        `/v1/prompts?workspaceId=${encodeURIComponent(nonMemberWorkspaceId)}`,
+      );
+
+      // 4xx — refused. Acceptable shape for the membership-required failure
+      // (and any other refusal mode the host chooses: 401, 404 for
+      // existence-disclosure avoidance, etc).
+      if (res.status >= 400 && res.status < 500) {
+        // Canonical envelope on 403 per rest-endpoints.md §"Common error codes".
+        if (res.status === 403) {
+          const body = res.json as { error?: unknown } | null;
+          expect(
+            body?.error,
+            driver.describe(
+              'spec/v1/rest-endpoints.md §Common error codes — workspace_membership_required',
+              `403 refusal of a workspace-scoped read MUST carry error: "workspace_membership_required"; got error: ${JSON.stringify(body?.error)}`,
+            ),
+          ).toBe('workspace_membership_required');
+        }
+        return;
+      }
+
+      // 5xx — refused (infrastructure failure is acceptable; envelope shape
+      // unconstrained).
+      if (res.status >= 500) return;
+
+      // 2xx — must inspect the response body. The failure mode this
+      // invariant guards against is a 200 response that LEAKS templates
+      // from a workspace the principal isn't a member of.
+      if (res.status >= 200 && res.status < 300) {
+        const body = res.json as PromptListResponse | null;
+        if (
+          body === null ||
+          typeof body !== 'object' ||
+          !('templates' in body)
+        ) {
+          // Host doesn't recognize `?workspaceId=` on this endpoint
+          // (response shape doesn't include the documented `templates[]`
+          // field). Soft-skip: this scenario probes hosts that expose
+          // workspace-scoped reads, and a host without that surface is
+          // simply out of scope.
+          ctx.skip();
+          return;
+        }
+        const templates = body.templates;
+        if (!Array.isArray(templates)) {
+          // Same: unrecognized shape, skip.
+          ctx.skip();
+          return;
+        }
+
+        // A random non-member workspaceId can never legitimately contain
+        // templates the caller is authorized to see. Any non-empty result
+        // is a cross-tenant data leak.
+        expect(
+          templates.length,
+          driver.describe(
+            'spec/v1/prompts.md §Workspace membership on workspace-scoped reads and writes',
+            `GET /v1/prompts?workspaceId=<random-non-member> MUST NOT return any templates; got ${templates.length} templates which is a cross-tenant data leak (the random workspaceId is freshly generated per probe and cannot legitimately contain authorized content)`,
+          ),
+        ).toBe(0);
+        return;
+      }
+
+      // Other status codes (1xx, 3xx) — soft-skip with note. Not a clear
+      // signal either way.
+      ctx.skip();
+    });
+  },
+);

package/src/scenarios/redaction.test.ts

@@ -100,7 +100,10 @@ describe('redaction: /.well-known/openwop secrets+aiProviders shape contract', (
         'when secrets.supported is true, scopes MUST be non-empty',
       )).toBeGreaterThanOrEqual(1);
       for (const scope of scopes) {
-        expect(['tenant', 'user', 'run']).toContain(scope);
+        // Allowlist MUST track the `secrets.scopes` enum in capabilities.schema.json
+        // (`["tenant", "user", "run", "workspace"]`). `workspace` is the RFC 0046/0048
+        // sub-tenant scope — additive; hosts that advertise it (e.g. MyndHyve) are conformant.
+        expect(['tenant', 'user', 'run', 'workspace']).toContain(scope);
       }
       expect(s.resolution, driver.describe(
         'capabilities.md §"Secrets"',