feat(examples): add comprehensive httpbin workflow examples

Five new Arazzo specs targeting httpbin.org for live integration testing:
- httpbin-auth: basic auth, bearer tokens, 401 error recovery
- httpbin-conditions: ==, !=, <, >=, contains, &&, || operators
- httpbin-error-handling: retry exhaustion, criteria routing, workflow-
  level failureActions, goto error recovery
- httpbin-methods: POST/PUT/PATCH/DELETE with JSON request bodies
- httpbin-data-flow: output chaining, {$expr} interpolation, custom
  headers, cookie parameters, sub-workflow invocation

20 workflows pass, 3 expected-fail (retry exhaustion, workflow-level
end, bearer-no-token). Updated FINDINGS.md with float input bug (P2).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: strefethen

FINDINGS.md

@@ -1,13 +1,9 @@
 # Findings
 
-## P1 — Nil pointer panic in handleStepResult when sub-workflow fails criteria with no OnFailure handler
-- **File**: `runtime/engine.go`, ~line 482
-- **Severity**: P1 (broken functionality)
-- **Repro**: Sub-workflow step returns `stepResult{success: false}` (no response) → no OnFailure handler → `result.response.Body` panics
-- **Fix**: Add nil guard for `result.response` before accessing `.Body` and `.StatusCode`
+## P2 — Numeric CLI inputs serialize as floats in URL paths
 
-## P2 — getCompiledRegex double-compile in parallel mode
-- **File**: `runtime/engine.go`, ~line 715-724
-- **Severity**: P2 (wasted work, no correctness impact)
-- **Repro**: Two goroutines miss cache simultaneously, both compile and store the same pattern
-- **Fix**: Use `regexCache.LoadOrStore` instead of separate `Load` + `Store`
+- **Files:** `crates/arazzo-cli/src/main.rs` (input parsing), `crates/arazzo-runtime/src/runtime_core/engine_impl.rs` (path param interpolation)
+- **Severity:** P2 (degraded behavior — workflows with numeric path inputs produce invalid URLs)
+- **Repro:** `cargo run -p arazzo-cli -- run examples/httpbin-get.arazzo.yaml status-check -i code=200` → URL becomes `/status/200.0` instead of `/status/200`
+- **Root cause:** The `-i key=value` flag parses values through serde_yaml, which converts `200` to `f64(200.0)`. When interpolated into URL path parameters, the float renders as `"200.0"`.
+- **Fix:** Either parse CLI input values as raw strings, or add integer-aware formatting in the path parameter interpolation (`value_to_string` should format whole floats without `.0` suffix).

examples/httpbin-auth.arazzo.yaml

@@ -0,0 +1,96 @@
+arazzo: 1.0.0
+info:
+  title: HTTPBin Authentication Tests
+  version: 1.0.0
+  description: >
+    Tests authentication patterns against httpbin.org including basic auth,
+    bearer tokens, and auth failure handling with error recovery.
+sourceDescriptions:
+  - name: httpbin
+    url: https://httpbin.org
+    type: openapi
+workflows:
+  - workflowId: basic-auth-success
+    summary: Correct basic auth credentials return 200
+    steps:
+      - stepId: authenticate
+        operationPath: /basic-auth/{user}/{passwd}
+        parameters:
+          - name: user
+            in: path
+            value: "testuser"
+          - name: passwd
+            in: path
+            value: "testpass"
+          - name: Authorization
+            in: header
+            value: "Basic dGVzdHVzZXI6dGVzdHBhc3M="
+        successCriteria:
+          - condition: $statusCode == 200
+        outputs:
+          authenticated: $response.body.authenticated
+          user: $response.body.user
+    outputs:
+      authenticated: $steps.authenticate.outputs.authenticated
+      user: $steps.authenticate.outputs.user
+
+  - workflowId: basic-auth-failure
+    summary: Wrong credentials trigger 401, error handler recovers
+    steps:
+      - stepId: bad-auth
+        operationPath: /basic-auth/{user}/{passwd}
+        parameters:
+          - name: user
+            in: path
+            value: "testuser"
+          - name: passwd
+            in: path
+            value: "testpass"
+          - name: Authorization
+            in: header
+            value: "Basic d3Jvbmc6Y3JlZHM="
+        successCriteria:
+          - condition: $statusCode == 200
+        onFailure:
+          - type: goto
+            stepId: handle-auth-error
+            criteria:
+              - condition: $statusCode == 401
+          - type: end
+      - stepId: handle-auth-error
+        operationPath: /get
+        successCriteria:
+          - condition: $statusCode == 200
+        outputs:
+          recovery: $response.body.url
+    outputs:
+      recovery: $steps.handle-auth-error.outputs.recovery
+
+  - workflowId: bearer-auth
+    summary: Bearer token authentication succeeds
+    steps:
+      - stepId: auth-with-token
+        operationPath: /bearer
+        parameters:
+          - name: Authorization
+            in: header
+            value: "Bearer my-secret-api-token"
+        successCriteria:
+          - condition: $statusCode == 200
+        outputs:
+          authenticated: $response.body.authenticated
+          token: $response.body.token
+    outputs:
+      authenticated: $steps.auth-with-token.outputs.authenticated
+      token: $steps.auth-with-token.outputs.token
+
+  - workflowId: bearer-no-token
+    summary: Missing bearer token triggers 401 and workflow ends cleanly
+    steps:
+      - stepId: no-token
+        operationPath: /bearer
+        successCriteria:
+          - condition: $statusCode == 200
+        onFailure:
+          - type: end
+    outputs: {}

examples/httpbin-conditions.arazzo.yaml

@@ -0,0 +1,74 @@
+arazzo: 1.0.0
+info:
+  title: HTTPBin Condition Expression Tests
+  version: 1.0.0
+  description: >
+    Tests the full range of Arazzo condition expressions: comparison operators,
+    string operators (contains, matches), and compound conditions (&&, ||).
+sourceDescriptions:
+  - name: httpbin
+    url: https://httpbin.org
+    type: openapi
+workflows:
+  - workflowId: status-code-comparisons
+    summary: Test numeric comparison operators on status codes
+    steps:
+      - stepId: check-200
+        operationPath: /status/200
+        successCriteria:
+          - condition: $statusCode == 200
+          - condition: $statusCode != 404
+          - condition: $statusCode < 300
+          - condition: $statusCode >= 200
+          - condition: $statusCode <= 200
+          - condition: $statusCode > 199
+    outputs: {}
+
+  - workflowId: body-string-equality
+    summary: Verify response body string field equality
+    steps:
+      - stepId: fetch-data
+        operationPath: /get
+        parameters:
+          - name: fruit
+            in: query
+            value: "apple"
+        successCriteria:
+          - condition: $statusCode == 200
+        outputs:
+          fruit: $response.body.args.fruit
+      - stepId: verify-value
+        operationPath: /get
+        parameters:
+          - name: check
+            in: query
+            value: $steps.fetch-data.outputs.fruit
+        successCriteria:
+          - condition: $statusCode == 200
+          - condition: $response.body.args.check == "apple"
+    outputs:
+      fruit: $steps.fetch-data.outputs.fruit
+
+  - workflowId: contains-operator
+    summary: Test the contains operator on response body strings
+    steps:
+      - stepId: fetch-url
+        operationPath: /get
+        successCriteria:
+          - condition: $statusCode == 200
+          - condition: '$response.body.url contains "httpbin"'
+          - condition: '$response.body.headers.Host contains "httpbin"'
+    outputs: {}
+
+  - workflowId: compound-conditions
+    summary: Test && and || compound conditions
+    steps:
+      - stepId: success-range
+        operationPath: /status/200
+        successCriteria:
+          - condition: $statusCode >= 200 && $statusCode < 300
+      - stepId: fetch-with-or
+        operationPath: /get
+        successCriteria:
+          - condition: $statusCode == 200 || $statusCode == 201
+    outputs: {}

examples/httpbin-data-flow.arazzo.yaml

@@ -0,0 +1,137 @@
+arazzo: 1.0.0
+info:
+  title: HTTPBin Data Flow, Chaining, and Sub-Workflows
+  version: 1.0.0
+  description: >
+    Tests multi-step data chaining (output of one step feeds the next),
+    expression interpolation in parameter values, custom headers,
+    cookie parameters, and sub-workflow invocation with input/output passing.
+sourceDescriptions:
+  - name: httpbin
+    url: https://httpbin.org
+    type: openapi
+workflows:
+  - workflowId: chained-outputs
+    summary: Step 1 output feeds into step 2 as a query parameter
+    steps:
+      - stepId: get-origin
+        operationPath: /get
+        successCriteria:
+          - condition: $statusCode == 200
+        outputs:
+          origin: $response.body.origin
+      - stepId: echo-origin
+        operationPath: /get
+        parameters:
+          - name: caller_ip
+            in: query
+            value: $steps.get-origin.outputs.origin
+        successCriteria:
+          - condition: $statusCode == 200
+        outputs:
+          echoed_ip: $response.body.args.caller_ip
+    outputs:
+      origin: $steps.get-origin.outputs.origin
+      echoed_ip: $steps.echo-origin.outputs.echoed_ip
+
+  - workflowId: interpolation
+    summary: Expression interpolation in string values using {$expr} syntax
+    inputs:
+      type: object
+      properties:
+        greeting:
+          type: string
+      required:
+        - greeting
+    steps:
+      - stepId: greet
+        operationPath: /get
+        parameters:
+          - name: message
+            in: query
+            value: "{$inputs.greeting} from arazzo-cli"
+        successCriteria:
+          - condition: $statusCode == 200
+        outputs:
+          message: $response.body.args.message
+    outputs:
+      message: $steps.greet.outputs.message
+
+  - workflowId: custom-headers-and-cookies
+    summary: Send custom headers and cookie parameters, verify they echo back
+    steps:
+      - stepId: send-headers
+        operationPath: /headers
+        parameters:
+          - name: X-Custom-Header
+            in: header
+            value: "arazzo-test-value"
+          - name: X-Arazzo-Test
+            in: header
+            value: "req-12345"
+        successCriteria:
+          - condition: $statusCode == 200
+        outputs:
+          custom_header: $response.body.headers.X-Custom-Header
+          arazzo_test: $response.body.headers.X-Arazzo-Test
+      - stepId: send-cookies
+        operationPath: /cookies
+        parameters:
+          - name: session_id
+            in: cookie
+            value: "abc-123-def"
+          - name: theme
+            in: cookie
+            value: "dark"
+        successCriteria:
+          - condition: $statusCode == 200
+        outputs:
+          session: $response.body.cookies.session_id
+          theme: $response.body.cookies.theme
+    outputs:
+      custom_header: $steps.send-headers.outputs.custom_header
+      arazzo_test: $steps.send-headers.outputs.arazzo_test
+      session: $steps.send-cookies.outputs.session
+      theme: $steps.send-cookies.outputs.theme
+
+  - workflowId: parent-workflow
+    summary: Calls child-workflow with inputs and reads its outputs
+    steps:
+      - stepId: call-child
+        workflowId: child-workflow
+        parameters:
+          - name: item_name
+            value: "test-widget"
+      - stepId: verify-child
+        operationPath: /get
+        parameters:
+          - name: from_child
+            in: query
+            value: $steps.call-child.outputs.created_url
+        successCriteria:
+          - condition: $statusCode == 200
+    outputs:
+      child_result: $steps.call-child.outputs.created_url
+
+  - workflowId: child-workflow
+    summary: Receives item_name input, creates it via POST, returns the URL
+    inputs:
+      type: object
+      properties:
+        item_name:
+          type: string
+      required:
+        - item_name
+    steps:
+      - stepId: create-item
+        operationPath: POST /post
+        requestBody:
+          contentType: application/json
+          payload:
+            name: $inputs.item_name
+        successCriteria:
+          - condition: $statusCode == 200
+        outputs:
+          created_url: $response.body.url
+    outputs:
+      created_url: $steps.create-item.outputs.created_url