@openwop/openwop-conformance 1.6.1 → 1.11.0

package/src/scenarios/heartbeat-fires-once-per-tick.test.ts

@@ -0,0 +1,28 @@
+/**
+ * heartbeat-fires-once-per-tick — RFC 0060 §B.1. A tick produces exactly one
+ * `heartbeat.evaluated`; an overlapping tick while a prior evaluation is still
+ * running is skipped (not queued).
+ *
+ * Gated on `capabilities.heartbeat.supported` + the host heartbeat tick seam
+ * (`POST /v1/host/sample/heartbeat/tick`); soft-skips when either is absent.
+ *
+ * @see RFCS/0060-host-heartbeat-capability.md §B
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+import { readHeartbeatCap, heartbeatSupported, tickHeartbeat } from '../lib/heartbeat.js';
+
+describe('heartbeat-fires-once-per-tick (RFC 0060 §B.1)', () => {
+  it('one tick emits exactly one heartbeat.evaluated', async () => {
+    if (!heartbeatSupported(await readHeartbeatCap())) return;
+    const res = await tickHeartbeat({ heartbeatId: 'conformance-hb', observedState: { n: 0 } });
+    if (res === null) return; // seam absent — soft-skip
+    const evaluated = (res.json as { evaluated?: unknown[] } | undefined)?.evaluated;
+    if (!Array.isArray(evaluated)) return; // host doesn't surface per-tick events on the seam
+    expect(
+      evaluated.length,
+      driver.describe('RFC 0060 §B.1', 'a single tick MUST emit exactly one heartbeat.evaluated'),
+    ).toBe(1);
+  });
+});

package/src/scenarios/heartbeat-idempotent-no-spam.test.ts

@@ -0,0 +1,43 @@
+/**
+ * heartbeat-idempotent-no-spam — RFC 0060 §B.5. Two ticks at unchanged state
+ * produce zero enqueued runs and zero `heartbeat.stateChanged`; only the
+ * transitioning tick produces exactly one of each. This is the anti-spam
+ * guarantee — action is gated on a state *transition*, not on the tick.
+ *
+ * Gated on `capabilities.heartbeat.supported` + the host tick seam;
+ * soft-skips when either is absent.
+ *
+ * @see RFCS/0060-host-heartbeat-capability.md §B
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+import { readHeartbeatCap, heartbeatSupported, tickHeartbeat } from '../lib/heartbeat.js';
+
+function changedCount(json: unknown): number | null {
+  const sc = (json as { stateChanged?: unknown[] } | undefined)?.stateChanged;
+  return Array.isArray(sc) ? sc.length : null;
+}
+
+describe('heartbeat-idempotent-no-spam (RFC 0060 §B.5)', () => {
+  it('an unchanged tick enqueues nothing; only a transition does', async () => {
+    if (!heartbeatSupported(await readHeartbeatCap())) return;
+    const hb = 'conformance-hb-spam';
+    const first = await tickHeartbeat({ heartbeatId: hb, observedState: { unread: 0 } });
+    if (first === null) return; // seam absent — soft-skip
+    const second = await tickHeartbeat({ heartbeatId: hb, observedState: { unread: 0 } });
+    if (second === null) return;
+    const unchanged = changedCount(second.json);
+    if (unchanged === null) return; // host doesn't surface stateChanged on the seam
+    expect(
+      unchanged,
+      driver.describe('RFC 0060 §B.5', 'an unchanged tick MUST NOT emit heartbeat.stateChanged'),
+    ).toBe(0);
+    const transition = await tickHeartbeat({ heartbeatId: hb, observedState: { unread: 3 } });
+    if (transition === null) return;
+    expect(
+      changedCount(transition.json),
+      driver.describe('RFC 0060 §B.5', 'a transitioning tick MUST emit exactly one heartbeat.stateChanged'),
+    ).toBe(1);
+  });
+});

package/src/scenarios/heartbeat-runtime-bound.test.ts

@@ -0,0 +1,30 @@
+/**
+ * heartbeat-runtime-bound — RFC 0060 §B.2. A predicate exceeding `maxRuntimeMs`
+ * is terminated and reported `heartbeat.evaluated { status: "timeout" }`,
+ * never left running.
+ *
+ * Gated on `capabilities.heartbeat.supported` + the host tick seam;
+ * soft-skips when either is absent.
+ *
+ * @see RFCS/0060-host-heartbeat-capability.md §B
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+import { readHeartbeatCap, heartbeatSupported, tickHeartbeat } from '../lib/heartbeat.js';
+
+describe('heartbeat-runtime-bound (RFC 0060 §B.2)', () => {
+  it('an over-budget predicate is reported as timeout', async () => {
+    if (!heartbeatSupported(await readHeartbeatCap())) return;
+    // `simulateSlowMs` is a host-seam hint asking the predicate to overrun
+    // its maxRuntimeMs budget; hosts not honoring it surface no `timeout`.
+    const res = await tickHeartbeat({ heartbeatId: 'conformance-hb-slow', observedState: {}, simulateSlowMs: 60_000 });
+    if (res === null) return; // seam absent — soft-skip
+    const evaluated = (res.json as { evaluated?: Array<{ status?: unknown }> } | undefined)?.evaluated;
+    if (!Array.isArray(evaluated) || evaluated.length === 0) return; // host doesn't surface per-tick events
+    expect(
+      evaluated.every((e) => e.status === 'timeout'),
+      driver.describe('RFC 0060 §B.2', 'an over-budget predicate MUST be terminated and reported status:"timeout"'),
+    ).toBe(true);
+  });
+});

package/src/scenarios/http-client-ssrf.test.ts

@@ -20,12 +20,13 @@
 
 import { describe, it, expect } from 'vitest';
 import { driver } from '../lib/driver.js';
+import { capabilityFamily } from '../lib/discovery-capabilities.js';
 
 async function isHttpClientSupported(): Promise<boolean> {
   const disco = await driver.get('/.well-known/openwop');
-  const caps = (disco.json as { capabilities?: { httpClient?: { supported?: boolean } } })
-    .capabilities;
-  return caps?.httpClient?.supported === true;
+  return (
+    capabilityFamily<{ supported?: boolean }>(disco.json, 'httpClient')?.supported === true
+  );
 }
 
 describe('http-client-ssrf: capability advertisement contract', () => {
@@ -36,16 +37,12 @@ describe('http-client-ssrf: capability advertisement contract', () => {
       return;
     }
     const disco = await driver.get('/.well-known/openwop');
-    const cap = (disco.json as {
-      capabilities?: {
-        httpClient?: {
-          supported?: boolean;
-          ssrfGuard?: boolean;
-          maxResponseBodyBytes?: number;
-          methods?: unknown;
-        };
-      };
-    }).capabilities?.httpClient;
+    const cap = capabilityFamily<{
+      supported?: boolean;
+      ssrfGuard?: boolean;
+      maxResponseBodyBytes?: number;
+      methods?: unknown;
+    }>(disco.json, 'httpClient');
 
     expect(cap?.supported, driver.describe(
       'capabilities.md §httpClient',

package/src/scenarios/mcp-toolcall-redaction.test.ts

@@ -21,6 +21,7 @@
 
 import { describe, it, expect } from 'vitest';
 import { driver } from '../lib/driver.js';
+import { capabilityFamily } from '../lib/discovery-capabilities.js';
 
 async function isMcpClientSupported(): Promise<boolean> {
   const disco = await driver.get('/.well-known/openwop');
@@ -37,11 +38,11 @@ describe('mcp-toolcall-redaction: capability advertisement contract', () => {
       return;
     }
     const disco = await driver.get('/.well-known/openwop');
-    const cap = (disco.json as {
+    const cap = capabilityFamily((disco.json as {
       capabilities?: {
         mcpClient?: { supported?: boolean; transports?: unknown; trustBoundary?: string };
       };
-    }).capabilities?.mcpClient;
+    }), 'mcpClient');
 
     expect(cap?.supported, driver.describe(
       'host-capabilities.md §host.mcp',

package/src/scenarios/media-url-inline-cap.test.ts

@@ -0,0 +1,167 @@
+/**
+ * media-url-inline-cap — RFC 0055 §C media envelope kinds + asset-URL discipline.
+ *
+ * SECURITY invariant: `media-asset-url-tenant-scoped` (RFC 0055 §C rule 1 + 4).
+ *
+ * Always-on (server-free):
+ *   1. The three `media.{image,audio,file}` payload schemas compile (Ajv2020).
+ *   2. Positive round-trip: a URL-reference payload and an inline-base64
+ *      payload each validate.
+ *   3. Negative: a payload missing the required `bytes` is rejected; an
+ *      unknown property is rejected (additionalProperties:false).
+ *
+ * Advertisement-shape (HTTP, soft-skip offline):
+ *   4. When a host advertises `aiProviders.maxInlineMediaBytes`, it MUST be a
+ *      non-negative integer.
+ *
+ * Behavioral (cross-tenant scoping + cap enforcement) is staged via `it.todo`
+ * until a reference host wires tenant-scoped asset serving (greenfield;
+ * RFC 0027 §G precedent — advertisement + schema land first).
+ *
+ * @see RFCS/0055-multimodal-envelope-variants-and-rendering-hints.md §C
+ * @see spec/v1/ai-envelope.md §"Media reference payloads"
+ * @see SECURITY/invariants.yaml#media-asset-url-tenant-scoped
+ */
+
+import { describe, it, expect } from 'vitest';
+import Ajv2020 from 'ajv/dist/2020.js';
+import addFormats from 'ajv-formats';
+import { readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import { driver } from '../lib/driver.js';
+import { SCHEMAS_DIR } from '../lib/paths.js';
+import { capabilityFamily } from '../lib/discovery-capabilities.js';
+
+const MEDIA_KINDS = ['media.image', 'media.audio', 'media.file'] as const;
+const HTTP_SKIP = !process.env.OPENWOP_BASE_URL;
+
+function compile(kind: string): ReturnType<Ajv2020['compile']> {
+  const ajv = new Ajv2020({ strict: false, allErrors: true });
+  addFormats(ajv);
+  const schema = JSON.parse(
+    readFileSync(join(SCHEMAS_DIR, `envelopes/${kind}.schema.json`), 'utf8'),
+  ) as Record<string, unknown>;
+  return ajv.compile(schema);
+}
+
+describe('media-url-inline-cap: media payload schemas compile + round-trip (RFC 0055 §C)', () => {
+  for (const kind of MEDIA_KINDS) {
+    it(`envelopes/${kind}.schema.json compiles under Ajv2020`, () => {
+      expect(
+        compile(kind),
+        `ai-envelope.md §"Media reference payloads": ${kind} payload schema MUST compile`,
+      ).toBeTypeOf('function');
+    });
+  }
+
+  it('accepts a URL-reference image payload', () => {
+    const ok = compile('media.image')({
+      url: 'https://host.example/v1/runs/run_1/assets/img_9.png',
+      bytes: 184320,
+      mimeType: 'image/png',
+    });
+    expect(ok, 'URL-reference media payload MUST validate').toBe(true);
+  });
+
+  it('accepts an inline-base64 audio payload', () => {
+    const ok = compile('media.audio')({ base64: 'AAAA', bytes: 3, mimeType: 'audio/ogg', durationSeconds: 1.2 });
+    expect(ok, 'inline-base64 media payload MUST validate').toBe(true);
+  });
+
+  it('rejects a payload missing required bytes', () => {
+    const ok = compile('media.file')({ url: 'https://host.example/v1/runs/run_1/assets/report.pdf' });
+    expect(ok, 'ai-envelope.md §"Media reference payloads": `bytes` is required').toBe(false);
+  });
+
+  it('rejects an unknown property (additionalProperties:false)', () => {
+    const ok = compile('media.image')({ bytes: 1, wat: true });
+    expect(ok, 'media payload is additionalProperties:false').toBe(false);
+  });
+});
+
+interface DiscoveryDoc {
+  capabilities?: { aiProviders?: { maxInlineMediaBytes?: unknown } };
+}
+
+describe.skipIf(HTTP_SKIP)('media-url-inline-cap: advertisement shape (RFC 0055 §C rule 2)', () => {
+  it('aiProviders.maxInlineMediaBytes is a non-negative integer when advertised', async () => {
+    const res = await driver.get('/.well-known/openwop');
+    if (res.status !== 200) return;
+    const cap = capabilityFamily((res.json as DiscoveryDoc), 'aiProviders')?.maxInlineMediaBytes;
+    if (cap === undefined) return; // optional — soft-skip when absent
+    expect(
+      Number.isInteger(cap) && (cap as number) >= 0,
+      driver.describe('capabilities.md §aiProviders.maxInlineMediaBytes', 'cap MUST be a non-negative integer'),
+    ).toBe(true);
+  });
+
+  // Behavioral assertions for `media-asset-url-tenant-scoped`. Driven via the
+  // reference host's media-asset seam (store: POST /v1/host/sample/media/put,
+  // env-gated; serve: GET /v1/host/sample/assets/{token}, public token-auth).
+  // Soft-skip (return) when the host doesn't expose the store seam (404).
+  const PNG_1x1 =
+    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mNk+M9QDwADhgGAWjR9awAAAABJRU5ErkJggg==';
+
+  it('a stored media asset is served by a tenant-scoped URL, not inlined', async () => {
+    const stored = await driver.post('/v1/host/sample/media/put', { contentBase64: PNG_1x1, contentType: 'image/png' });
+    if (stored.status === 404) return; // store seam disabled — soft-skip
+    expect(stored.status, 'media store MUST return 201').toBe(201);
+    const body = stored.json as { url?: string; bytes?: number };
+    expect(
+      typeof body.url === 'string' && /\/v1\/host\/sample\/assets\//.test(body.url!),
+      driver.describe('ai-envelope.md §"Media reference payloads"', 'asset MUST be served by a URL reference, not inlined'),
+    ).toBe(true);
+    const served = await driver.get(body.url!);
+    expect(served.status, 'the asset URL MUST resolve').toBe(200);
+  });
+
+  it('an unminted/guessed asset token does not resolve (media-asset-url-tenant-scoped)', async () => {
+    // Probe whether the serve route exists at all; soft-skip if not.
+    const probe = await driver.get('/v1/host/sample/assets/probe-never-minted-token');
+    if (probe.status === 404 && !process.env.OPENWOP_BASE_URL) return;
+    expect(
+      probe.status,
+      driver.describe('SECURITY/invariants.yaml#media-asset-url-tenant-scoped', 'a token not held by the caller (unguessable 256-bit) MUST NOT resolve'),
+    ).toBe(404);
+  });
+
+  it('a media.* payload in a run debug bundle is referenced by URL, not inlined (RFC 0055 §C rule 3)', async () => {
+    // RFC 0055 §C rule 3: asset URLs are part of a run's debug-bundle manifest
+    // BY REFERENCE, never by inlining the binary. Gated on a host that both
+    // serves media (advertises aiProviders.maxInlineMediaBytes) and exports
+    // debug bundles (capabilities.debugBundle.supported). Soft-skips otherwise
+    // — and on the reference host, which exports debug bundles but has no node
+    // that emits a media.* envelope into a run (so no media payload appears).
+    const disc = await driver.get('/.well-known/openwop');
+    if (disc.status !== 200) return;
+    const caps = (disc.json as {
+      capabilities?: { aiProviders?: { maxInlineMediaBytes?: unknown }; debugBundle?: { supported?: unknown } };
+    }).capabilities;
+    if (caps?.aiProviders?.maxInlineMediaBytes === undefined || caps.debugBundle?.supported !== true) {
+      return; // host doesn't serve media + export debug bundles — contract not exercisable
+    }
+    // Find a recent run and inspect its debug bundle for any media.* event.
+    const runs = await driver.get('/v1/runs?limit=20');
+    if (runs.status !== 200) return;
+    const runIds = ((runs.json as { runs?: { runId?: string }[] }).runs ?? [])
+      .map((r) => r.runId)
+      .filter((id): id is string => typeof id === 'string');
+    for (const runId of runIds) {
+      const bundle = await driver.get(`/v1/runs/${encodeURIComponent(runId)}/debug-bundle`);
+      if (bundle.status !== 200) continue;
+      const events = (bundle.json as { events?: { type?: string; payload?: { url?: unknown; base64?: unknown } }[] }).events ?? [];
+      for (const ev of events) {
+        if (typeof ev.type === 'string' && ev.type.startsWith('media.')) {
+          // The §C rule-3 contract: served by URL, not inlined binary.
+          expect(
+            typeof ev.payload?.url === 'string' && ev.payload?.base64 === undefined,
+            driver.describe('ai-envelope.md §"Media reference payloads"', 'a media.* payload in a debug bundle MUST be a URL reference, never inlined binary'),
+          ).toBe(true);
+          return; // asserted one — contract proven
+        }
+      }
+    }
+    // No media.* payload surfaced in any recent run's debug bundle on this
+    // host — nothing to assert (the contract holds vacuously).
+  });
+});

package/src/scenarios/memory-attribution-emits-on-write.test.ts

@@ -0,0 +1,54 @@
+/**
+ * memory-attribution-emits-on-write — RFC 0057 §A/§B. A host advertising
+ * `capabilities.memory.attribution.emitsWriteEvents: true` emits a
+ * `memory.written` event (with resolvable identifiers) for the memory its run
+ * writes. A host NOT advertising the capability emits none and still passes
+ * the locked core.
+ *
+ * @see RFCS/0057-memory-write-attribution-event.md §A
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+import { pollUntilTerminal } from '../lib/polling.js';
+import { readMemoryAttributionCap, emitsWriteEvents, seedRun, memoryWrittenEvents } from '../lib/memoryAttribution.js';
+
+describe('memory-attribution-emits-on-write (RFC 0057 §A/§B)', () => {
+  it('an advertised host emits memory.written carrying a stable memoryId', async () => {
+    const cap = await readMemoryAttributionCap();
+    if (!emitsWriteEvents(cap)) return;
+    const runId = await seedRun('mem-attr-emit');
+    if (!runId) return;
+    try {
+      await pollUntilTerminal(runId, { timeoutMs: 10_000 });
+    } catch {
+      return;
+    }
+    const events = await memoryWrittenEvents(runId);
+    if (events.length === 0) return; // run wrote no memory — soft-skip
+    for (const e of events) {
+      const memoryId = (e.payload as { memoryId?: unknown } | undefined)?.memoryId;
+      expect(
+        typeof memoryId === 'string' && memoryId.length > 0,
+        driver.describe('RFC 0057 §B', 'memory.written.memoryId MUST be a stable, non-empty identifier'),
+      ).toBe(true);
+    }
+  });
+
+  it('a host without the capability emits no memory.written', async () => {
+    const cap = await readMemoryAttributionCap();
+    if (emitsWriteEvents(cap)) return; // advertised — N/A
+    const runId = await seedRun('mem-attr-absent');
+    if (!runId) return;
+    try {
+      await pollUntilTerminal(runId, { timeoutMs: 10_000 });
+    } catch {
+      return;
+    }
+    const events = await memoryWrittenEvents(runId);
+    expect(
+      events.length,
+      driver.describe('RFC 0057 §A', 'a host not advertising memory.attribution MUST NOT emit memory.written'),
+    ).toBe(0);
+  });
+});

package/src/scenarios/memory-attribution-no-content.test.ts

@@ -0,0 +1,45 @@
+/**
+ * memory-attribution-no-content — RFC 0057 §C + SECURITY/invariants.yaml
+ * `memory-attribution-no-content`. A `memory.written` payload carries
+ * identifiers + non-secret tags only — never the memory entry content (the
+ * read-side serves that, already SR-1-redacted).
+ *
+ * Gated on `capabilities.memory.attribution.emitsWriteEvents`; soft-skips when
+ * unadvertised or when the seeded run wrote no memory.
+ *
+ * @see RFCS/0057-memory-write-attribution-event.md §C
+ * @see SECURITY/invariants.yaml — memory-attribution-no-content
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+import { pollUntilTerminal } from '../lib/polling.js';
+import { readMemoryAttributionCap, emitsWriteEvents, seedRun, memoryWrittenEvents } from '../lib/memoryAttribution.js';
+
+describe('memory-attribution-no-content (RFC 0057 §C)', () => {
+  it('memory.written payloads carry no entry content', async () => {
+    const cap = await readMemoryAttributionCap();
+    if (!emitsWriteEvents(cap)) return;
+    const runId = await seedRun('mem-attr-no-content');
+    if (!runId) return;
+    try {
+      await pollUntilTerminal(runId, { timeoutMs: 10_000 });
+    } catch {
+      return;
+    }
+    const events = await memoryWrittenEvents(runId);
+    if (events.length === 0) return; // run wrote no memory — soft-skip
+    for (const e of events) {
+      const payload = e.payload ?? {};
+      expect(
+        'content' in payload,
+        driver.describe('RFC 0057 §C', 'memory.written MUST NOT carry the entry content field'),
+      ).toBe(false);
+      expect(
+        typeof (payload as { memoryRef?: unknown }).memoryRef === 'string' &&
+          typeof (payload as { memoryId?: unknown }).memoryId === 'string',
+        driver.describe('RFC 0057 §B', 'memory.written MUST carry memoryRef + memoryId identifiers'),
+      ).toBe(true);
+    }
+  });
+});

package/src/scenarios/memory-attribution-replay-stable.test.ts

@@ -0,0 +1,60 @@
+/**
+ * memory-attribution-replay-stable — RFC 0057 §D. `memory.written` is an
+ * immutable recorded fact: a `replay`-mode fork MUST NOT mint a new
+ * `memoryId` for a write the source run already recorded. This asserts the
+ * "MUST NOT regenerate" half — every `memory.written` on a replayed run
+ * reuses a `memoryId` the source run recorded (a compliant host that
+ * suppresses re-mint on replay satisfies this vacuously with zero events).
+ *
+ * Gated on `capabilities.memory.attribution.emitsWriteEvents`; soft-skips
+ * when unadvertised, when the seeded run wrote no memory, or when the host
+ * doesn't support `:fork` in `replay` mode.
+ *
+ * @see RFCS/0057-memory-write-attribution-event.md §D
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+import { pollUntilTerminal } from '../lib/polling.js';
+import { readMemoryAttributionCap, emitsWriteEvents, seedRun, memoryWrittenEvents } from '../lib/memoryAttribution.js';
+
+function memoryIdOf(payload: Record<string, unknown> | undefined): string | null {
+  const id = (payload ?? {})['memoryId'];
+  return typeof id === 'string' ? id : null;
+}
+
+describe('memory-attribution-replay-stable (RFC 0057 §D)', () => {
+  it('a replay-mode fork introduces no memory.written with a new memoryId', async () => {
+    const cap = await readMemoryAttributionCap();
+    if (!emitsWriteEvents(cap)) return;
+    const runId = await seedRun('mem-attr-replay');
+    if (!runId) return;
+    try {
+      await pollUntilTerminal(runId, { timeoutMs: 10_000 });
+    } catch {
+      return;
+    }
+    const original = await memoryWrittenEvents(runId);
+    if (original.length === 0) return; // run wrote no memory — nothing to test
+    const recordedIds = new Set(original.map((e) => memoryIdOf(e.payload)).filter((x): x is string => x !== null));
+
+    const fork = await driver.post(`/v1/runs/${runId}:fork`, { fromSeq: 0, mode: 'replay' });
+    if (fork.status !== 200 && fork.status !== 201) return; // replay fork unsupported — soft-skip
+    const forkId = (fork.json as { runId?: string } | undefined)?.runId;
+    if (!forkId) return;
+    try {
+      await pollUntilTerminal(forkId, { timeoutMs: 10_000 });
+    } catch {
+      /* still assert on whatever the replay emitted */
+    }
+
+    const replayed = await memoryWrittenEvents(forkId);
+    for (const e of replayed) {
+      const id = memoryIdOf(e.payload);
+      expect(
+        id !== null && recordedIds.has(id),
+        driver.describe('RFC 0057 §D', 'a replay MUST NOT regenerate memoryId — every replayed memory.written reuses a recorded id'),
+      ).toBe(true);
+    }
+  });
+});

package/src/scenarios/memory-attribution-shape.test.ts

@@ -0,0 +1,28 @@
+/**
+ * memory-attribution-shape — RFC 0057 §A. The `capabilities.memory.attribution`
+ * advertisement block is either absent or a well-formed object.
+ *
+ * Status: ACTIVE (advertisement-shape; always runs). Behavioral coverage lives
+ * in the sibling memory-attribution-*.test.ts scenarios, gated on
+ * `capabilities.memory.attribution.emitsWriteEvents`.
+ *
+ * @see RFCS/0057-memory-write-attribution-event.md §A
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+import { readMemoryAttributionCap } from '../lib/memoryAttribution.js';
+
+describe('memory-attribution-shape: advertisement (RFC 0057 §A)', () => {
+  it('capabilities.memory.attribution is absent or a well-formed object', async () => {
+    const cap = await readMemoryAttributionCap();
+    if (cap === null) return; // not advertised — valid
+    expect(
+      cap.supported,
+      driver.describe('capabilities.schema.json §memory.attribution', 'memory.attribution.supported MUST be the literal true when the block is present'),
+    ).toBe(true);
+    if (cap.emitsWriteEvents !== undefined) {
+      expect(typeof cap.emitsWriteEvents).toBe('boolean');
+    }
+  });
+});

package/src/scenarios/memory-attribution-tenant-scoped.test.ts

@@ -0,0 +1,44 @@
+/**
+ * memory-attribution-tenant-scoped — RFC 0057 §C + SECURITY/invariants.yaml
+ * `memory-attribution-tenant-scoped`. A run's `memory.written` events appear
+ * only on that run's stream (mirrors CTI-1). The full cross-tenant proof
+ * (tenant B cannot read tenant A's run stream) needs a multi-tenant auth seam
+ * not standardized for this surface — that half soft-skips, mirroring
+ * `feedback-cross-tenant-isolation`.
+ *
+ * Gated on `capabilities.memory.attribution.emitsWriteEvents`.
+ *
+ * @see RFCS/0057-memory-write-attribution-event.md §C
+ * @see SECURITY/invariants.yaml — memory-attribution-tenant-scoped
+ */
+
+import { describe, it, expect } from 'vitest';
+import { driver } from '../lib/driver.js';
+import { pollUntilTerminal } from '../lib/polling.js';
+import { readMemoryAttributionCap, emitsWriteEvents, seedRun, memoryWrittenEvents } from '../lib/memoryAttribution.js';
+
+describe('memory-attribution-tenant-scoped (RFC 0057 §C)', () => {
+  it("a run's memory.written events appear only on that run's stream", async () => {
+    const cap = await readMemoryAttributionCap();
+    if (!emitsWriteEvents(cap)) return;
+    const runId = await seedRun('mem-attr-cti');
+    if (!runId) return;
+    try {
+      await pollUntilTerminal(runId, { timeoutMs: 10_000 });
+    } catch {
+      return;
+    }
+    const events = await memoryWrittenEvents(runId);
+    if (events.length === 0) return;
+    // Every memory.written we read came from THIS run's /events stream; if the
+    // host echoes a runId in the event it MUST be this run's (no cross-run leak).
+    for (const e of events) {
+      if (typeof e.runId === 'string') {
+        expect(
+          e.runId,
+          driver.describe('RFC 0057 §C', "a memory.written event MUST belong to its own run's stream (CTI-1)"),
+        ).toBe(runId);
+      }
+    }
+  });
+});