@openwop/openwop-conformance 1.23.0 → 1.25.0

package/schemas/trigger-event.schema.json

@@ -0,0 +1,149 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://openwop.dev/spec/v1/trigger-event.schema.json",
+  "title": "TriggerEvent",
+  "description": "RFC 0099 §F.1. The normalized external-event envelope a host hands a started run as `ctx.triggerData` when an externally-originated event (`webhook`/`email`/`form`) is delivered to an `active` TriggerSubscription (RFC 0083). This is an IN-RUN payload only — it never appears on the durable event log; the `trigger.delivery.attempted` event stays content-free (RFC 0083 §C / SECURITY `trigger-ingestion-content-redaction`). A TriggerEvent carries exactly the per-source sub-object matching its `source`. All content is `untrusted` (SECURITY `threat-model-prompt-injection.md`).",
+  "type": "object",
+  "additionalProperties": false,
+  "required": ["source", "subscriptionId", "deliveryId", "receivedAt"],
+  "properties": {
+    "source": {
+      "type": "string",
+      "enum": ["webhook", "email", "form"],
+      "description": "Which external source originated the event. A TriggerEvent MUST carry exactly the per-source sub-object matching this value and MUST NOT carry the others (RFC 0099 §F.1)."
+    },
+    "subscriptionId": {
+      "type": "string",
+      "minLength": 1,
+      "description": "The RFC 0083 §B subscription this event was delivered to."
+    },
+    "deliveryId": {
+      "type": "string",
+      "minLength": 1,
+      "description": "Stable per-delivery id; equals the `causationId` stamped on `run.started` (RFC 0083 §C-3 / RFC 0040)."
+    },
+    "dedupKey": {
+      "type": "string",
+      "description": "The host-opaque dedup key (RFC 0083 §C-1). Present iff the subscription's `dedupEnabled`. MUST NOT embed inbound body/header content in cleartext (SECURITY `trigger-ingestion-content-redaction`)."
+    },
+    "receivedAt": {
+      "type": "string",
+      "format": "date-time",
+      "description": "When the host received the external event."
+    },
+    "verified": {
+      "type": "boolean",
+      "description": "Whether the host verified the source's authenticity (webhook signature / email DMARC / form CSRF+origin) before delivery per the subscription's `verification` policy (RFC 0099 §F.2). A run MUST be able to gate on this."
+    },
+    "contentTrust": {
+      "type": "string",
+      "enum": ["untrusted"],
+      "description": "Always `untrusted`. Inbound external content reaching an LLM node MUST be wrapped per `threat-model-prompt-injection.md` §UNTRUSTED; a TriggerEvent MUST NOT directly advance a HITL approval gate (the `prompt-injection-mcp-no-approval` invariant generalizes)."
+    },
+    "webhook": { "$ref": "#/$defs/WebhookEvent" },
+    "email": { "$ref": "#/$defs/EmailEvent" },
+    "form": { "$ref": "#/$defs/FormEvent" }
+  },
+  "allOf": [
+    {
+      "description": "RFC 0099 §F.1 — a TriggerEvent MUST carry exactly the per-source sub-object matching its `source` and MUST NOT carry the others.",
+      "if": { "properties": { "source": { "const": "webhook" } } },
+      "then": { "not": { "anyOf": [{ "required": ["email"] }, { "required": ["form"] }] } }
+    },
+    {
+      "if": { "properties": { "source": { "const": "email" } } },
+      "then": { "not": { "anyOf": [{ "required": ["webhook"] }, { "required": ["form"] }] } }
+    },
+    {
+      "if": { "properties": { "source": { "const": "form" } } },
+      "then": { "not": { "anyOf": [{ "required": ["webhook"] }, { "required": ["email"] }] } }
+    }
+  ],
+  "$defs": {
+    "WebhookEvent": {
+      "type": "object",
+      "additionalProperties": false,
+      "description": "Present iff `source == \"webhook\"`.",
+      "properties": {
+        "method": { "type": "string", "enum": ["POST", "PUT", "PATCH"] },
+        "headers": {
+          "type": "object",
+          "additionalProperties": { "type": "string" },
+          "description": "Host-allowlisted headers only — a host MUST NOT pass through `Authorization`, `Cookie`, `Proxy-Authorization`, or any header carrying credential material (RFC 0099 §F.1 / SECURITY `trigger-ingestion-content-redaction`)."
+        },
+        "body": {
+          "description": "The parsed JSON body, or a string for non-JSON. Bounded by `triggerBridge.ingestion.maxBodyBytes`."
+        }
+      }
+    },
+    "EmailEvent": {
+      "type": "object",
+      "additionalProperties": false,
+      "description": "Present iff `source == \"email\"`.",
+      "properties": {
+        "from": { "type": "string" },
+        "to": { "type": "array", "items": { "type": "string" } },
+        "subject": { "type": "string" },
+        "text": { "type": "string" },
+        "html": { "type": "string" },
+        "attachments": { "type": "array", "items": { "$ref": "#/$defs/AttachmentRef" } }
+      }
+    },
+    "FormEvent": {
+      "type": "object",
+      "additionalProperties": false,
+      "description": "Present iff `source == \"form\"`.",
+      "properties": {
+        "fields": { "type": "object", "additionalProperties": true, "description": "The submitted field map." },
+        "files": { "type": "array", "items": { "$ref": "#/$defs/AttachmentRef" } }
+      }
+    },
+    "AttachmentRef": {
+      "type": "object",
+      "additionalProperties": false,
+      "required": ["ref"],
+      "description": "A host-internal opaque handle to a resolved attachment/upload — NEVER a raw external URL the run is expected to fetch itself (RFC 0099 §F.1/§F.4). The host resolves and ingests attachments through its SSRF guard (SECURITY `trigger-ingestion-ssrf`), then hands the run an internal ref.",
+      "properties": {
+        "ref": {
+          "type": "string",
+          "minLength": 1,
+          "description": "A host-internal opaque handle (e.g. a `host.blobStorage` key)."
+        },
+        "filename": { "type": "string" },
+        "mediaType": { "type": "string" },
+        "bytes": { "type": "integer", "minimum": 0 }
+      }
+    }
+  },
+  "examples": [
+    {
+      "source": "email",
+      "subscriptionId": "sub_7",
+      "deliveryId": "dlv_a1b2",
+      "dedupKey": "msgid:abc@in.example.com",
+      "receivedAt": "2026-06-13T18:04:11Z",
+      "verified": true,
+      "contentTrust": "untrusted",
+      "email": {
+        "from": "customer@example.org",
+        "to": ["triage-support+sub_7@in.example.com"],
+        "subject": "Cannot log in",
+        "text": "I keep getting a 403.",
+        "attachments": [{ "ref": "blob_a1", "filename": "screenshot.png", "mediaType": "image/png", "bytes": 20481 }]
+      }
+    },
+    {
+      "source": "webhook",
+      "subscriptionId": "sub_9",
+      "deliveryId": "dlv_c3d4",
+      "receivedAt": "2026-06-13T18:10:00Z",
+      "verified": true,
+      "contentTrust": "untrusted",
+      "webhook": {
+        "method": "POST",
+        "headers": { "X-Event-Type": "issue.created" },
+        "body": { "issue": { "id": 42, "title": "Bug" } }
+      }
+    }
+  ]
+}

package/schemas/trigger-subscription-registration.schema.json

@@ -0,0 +1,67 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://openwop.dev/spec/v1/trigger-subscription-registration.schema.json",
+  "title": "TriggerSubscriptionRegistration",
+  "description": "RFC 0099 §F.2. The portable create request for an external-event trigger subscription, served by `POST /v1/trigger-subscriptions`. Binds an external source (`webhook`/`email`/`form`) to a Workflow to start, with a dedup config and a source-authenticity verification policy. This is the unified create surface RFC 0083 UQ1 left per-source. The response returns the created `TriggerSubscription` (RFC 0083 §B) plus a source-specific `binding`; the binding secret/URL is returned ONCE at creation and is not re-fetchable in cleartext (SR-1).",
+  "type": "object",
+  "additionalProperties": false,
+  "required": ["source", "workflowId"],
+  "properties": {
+    "source": {
+      "type": "string",
+      "enum": ["webhook", "email", "form"],
+      "description": "The external source this subscription ingests. MUST appear in the host's `capabilities.triggerBridge.ingestion.externalSources[]`."
+    },
+    "workflowId": {
+      "type": "string",
+      "minLength": 1,
+      "description": "The Workflow a delivered event starts (the run's `workflowId`). MUST resolve under the caller's RFC 0048 owner triple — a registration MUST NOT bind a workflow the caller cannot start (RFC 0049 scope check)."
+    },
+    "dedupEnabled": {
+      "type": "boolean",
+      "default": true,
+      "description": "Per RFC 0083 §C-1. Defaults true for external sources — at-least-once inbound delivery without dedup is a footgun."
+    },
+    "retryPolicy": {
+      "type": "object",
+      "additionalProperties": false,
+      "description": "Delivery retry policy (RFC 0083 §C-2). Same shape as `trigger-subscription.schema.json#/properties/retryPolicy`. On exhaustion the delivery transitions to `dead-lettered` (RFC 0053).",
+      "properties": {
+        "maxAttempts": { "type": "integer", "minimum": 1, "description": "Maximum delivery attempts before dead-lettering." },
+        "backoff": { "type": "string", "enum": ["none", "fixed", "exponential"], "description": "Backoff strategy between attempts." }
+      }
+    },
+    "verification": {
+      "type": "object",
+      "additionalProperties": false,
+      "description": "Source-authenticity policy. The host MUST verify per this policy BEFORE delivery and stamp `TriggerEvent.verified`; an event failing a `required` verification MUST NOT start a run (it transitions `trigger.delivery.attempted{outcome:'dead-lettered'}` with `trigger.subscription.state.changed.reason:'signature-invalid'`).",
+      "properties": {
+        "mode": {
+          "type": "string",
+          "enum": ["required", "best-effort", "none"],
+          "default": "required",
+          "description": "`required`: an unverified event is dead-lettered, no run. `best-effort`: the host verifies when it can and stamps `verified` accordingly but still delivers. `none`: no verification."
+        }
+      }
+    },
+    "inputMapping": {
+      "type": "object",
+      "additionalProperties": true,
+      "description": "OPTIONAL host-extension hint mapping `TriggerEvent` fields onto the workflow's `inputs`. Non-normative shape (host-specific); absent ⇒ the run receives the whole `TriggerEvent` as `ctx.triggerData`."
+    }
+  },
+  "examples": [
+    {
+      "source": "email",
+      "workflowId": "triage-support",
+      "dedupEnabled": true,
+      "verification": { "mode": "required" }
+    },
+    {
+      "source": "webhook",
+      "workflowId": "ingest-jira-issue",
+      "verification": { "mode": "required" },
+      "retryPolicy": { "maxAttempts": 5, "backoff": "exponential" }
+    }
+  ]
+}

package/src/lib/profiles.ts

@@ -236,15 +236,18 @@ export function isMemory(c: DiscoveryPayload): boolean {
 }
 
 /**
- * `openwop-trigger-bridge` predicate (RFC 0083). Host composes the durable
- * inbound-work contract: advertises the `triggerBridge`, has a `deadLetter`
- * sink for exhausted deliveries, and has at least one durable inbound source
- * (queue bus, durable webhooks, or scheduling). Capability families are
+ * `openwop-trigger-bridge` predicate (RFC 0083, widened by RFC 0099). Host
+ * composes the durable inbound-work contract: advertises the `triggerBridge`,
+ * has a `deadLetter` sink for exhausted deliveries, and has at least one
+ * durable inbound source (queue bus, durable webhooks, scheduling, OR — per
+ * RFC 0099 — externally-ingested `email`/`form` via
+ * `triggerBridge.ingestion.externalSources[]`). Capability families are
  * document-root properties (RFC 0073), so this reads `c.triggerBridge` /
- * `c.deadLetter` / `c.queueBus` / `c.webhooks` / `c.scheduling`.
+ * `c.deadLetter` / `c.queueBus` / `c.webhooks` / `c.scheduling`. The RFC 0099
+ * widening only ADDS disjuncts — a host already in the profile stays in it.
  *
  * @see spec/v1/profiles.md §`openwop-trigger-bridge`
- * @see spec/v1/trigger-bridge.md
+ * @see spec/v1/trigger-bridge.md §D / §F
  */
 export function isTriggerBridge(c: DiscoveryPayload): boolean {
   if (!isCore(c)) return false;
@@ -253,10 +256,16 @@ export function isTriggerBridge(c: DiscoveryPayload): boolean {
   if (!supported(c.triggerBridge)) return false;
   if (!supported(c.deadLetter)) return false;
   const webhooks = c.webhooks as { durable?: unknown } | undefined;
+  // RFC 0099: an externally-ingested email/form source is a durable inbound
+  // source for the profile (it rides the same four-state machine + dead-letter).
+  const ingestion = (c.triggerBridge as { ingestion?: { externalSources?: unknown } } | undefined)?.ingestion;
+  const externalSources = Array.isArray(ingestion?.externalSources) ? (ingestion!.externalSources as unknown[]) : [];
+  const externalEmailOrForm = externalSources.includes('email') || externalSources.includes('form');
   const durableSource =
     supported(c.queueBus) ||
     supported(c.scheduling) ||
-    (webhooks != null && typeof webhooks === 'object' && webhooks.durable === true);
+    (webhooks != null && typeof webhooks === 'object' && webhooks.durable === true) ||
+    externalEmailOrForm;
   return durableSource;
 }
 

package/src/scenarios/a2a-task-roundtrip.test.ts

@@ -36,12 +36,20 @@
  */
 
 import { describe, it, expect } from 'vitest';
+import { readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import Ajv2020 from 'ajv/dist/2020.js';
+import addFormats from 'ajv-formats';
 import { driver } from '../lib/driver.js';
 import { getA2AFakePeer } from '../lib/a2a-fake-peer.js';
 import { isFixtureAdvertised } from '../lib/fixtures.js';
 import { pollUntilTerminal, pollUntilStatus } from '../lib/polling.js';
+import { SCHEMAS_DIR } from '../lib/paths.js';
+import { behaviorGate } from '../lib/behavior-gate.js';
+import { readCapabilityFamily } from '../lib/discovery-capabilities.js';
 
 const ROUNDTRIP_FIXTURE = 'conformance-a2a-task-roundtrip';
+const HTTP_SKIP = !process.env.OPENWOP_BASE_URL;
 
 /** Resolve the A2A endpoint to probe: real-peer env wins; otherwise the in-process fake. */
 function probePeer(): { url: string; isReal: boolean } | null {
@@ -266,3 +274,131 @@ describe('a2a-task-roundtrip: drift point #4 — REJECTED projects to failed', (
     )).toBe(true);
   });
 });
+
+// ─── RFC 0100: async / durable A2A tasks ──────────────────────────────
+// Capability-shape always-on + durable-get / resubscribe / push-SSRF gated.
+
+describe('a2a-task-roundtrip: A2ATaskState + a2a capability shape (always-on, server-free; RFC 0100)', () => {
+  const ajv = new Ajv2020({ allErrors: true, strict: false });
+  addFormats(ajv);
+  const taskStateSchema = JSON.parse(
+    readFileSync(join(SCHEMAS_DIR, 'a2a-task-state.schema.json'), 'utf8'),
+  );
+  const capabilitiesSchema = JSON.parse(
+    readFileSync(join(SCHEMAS_DIR, 'capabilities.schema.json'), 'utf8'),
+  );
+  const validateTaskState = ajv.compile(taskStateSchema);
+  const a2aBlockSchema = capabilitiesSchema.properties?.a2a;
+
+  it('a conforming A2ATaskState validates with the lowercase-hyphen state enum and taskId == runId', () => {
+    const ok = {
+      taskId: 'run_x',
+      runId: 'run_x',
+      contextId: 'ctx_42',
+      state: 'input-required',
+      interruptKind: 'approval',
+      updatedAt: '2026-06-13T19:00:00Z',
+    };
+    expect(
+      validateTaskState(ok),
+      `a2a-task-state.schema.json MUST accept a conforming record. Errors: ${JSON.stringify(validateTaskState.errors)}`,
+    ).toBe(true);
+  });
+
+  it('an UPPERCASE state fails (the persisted/wire form is the A2A v0.3 lowercase-hyphen variant)', () => {
+    expect(
+      validateTaskState({ taskId: 'r', runId: 'r', state: 'WORKING', updatedAt: '2026-06-13T19:00:00Z' }),
+      'a2a-integration.md spelling-drift note — the persisted A2ATaskState.state MUST be the lowercase-hyphen form',
+    ).toBe(false);
+  });
+
+  it('an A2ATaskState carrying run inputs/artifacts inline fails (additionalProperties:false; SR-1)', () => {
+    expect(
+      validateTaskState({
+        taskId: 'r',
+        runId: 'r',
+        state: 'completed',
+        updatedAt: '2026-06-13T19:00:00Z',
+        inputs: { secret: 'x' },
+      }),
+      'SECURITY a2a-push-egress-ssrf / SR-1 — the persisted record MUST NOT carry run inputs/outputs/artifacts inline',
+    ).toBe(false);
+  });
+
+  it('a PushConfig requires `url` and structurally rejects a raw (non-truncated) push token', () => {
+    const validatePush = ajv.compile({
+      $ref: 'https://openwop.dev/spec/v1/a2a-task-state.schema.json#/$defs/PushConfig',
+      $defs: taskStateSchema.$defs,
+    });
+    expect(validatePush({ tokenFingerprint: 'a1b2' }), 'PushConfig MUST require `url`').toBe(false);
+    expect(
+      validatePush({ url: 'https://caller.example.com/push', tokenFingerprint: 'a'.repeat(33) }),
+      'SECURITY a2a-push-egress-ssrf — tokenFingerprint maxLength:32 structurally rejects a full-length raw token (SR-1)',
+    ).toBe(false);
+    expect(
+      validatePush({ url: 'https://caller.example.com/push', tokenFingerprint: 'a1b2c3d4' }),
+      'a truncated fingerprint + uri url MUST validate',
+    ).toBe(true);
+  });
+
+  it('the capabilities.a2a block shape is declared (supported + agentCardUrl required; three optional booleans)', () => {
+    expect(a2aBlockSchema, 'capabilities.schema.json MUST declare the a2a block').toBeDefined();
+    expect(a2aBlockSchema.required).toEqual(expect.arrayContaining(['supported', 'agentCardUrl']));
+    expect(a2aBlockSchema.additionalProperties).toBe(false);
+    const validateA2A = ajv.compile({ ...a2aBlockSchema, $id: 'urn:test:a2a-block' });
+    expect(
+      validateA2A({ supported: true, agentCardUrl: 'https://example.com/.well-known/agent-card.json', durableTasks: true }),
+      `a conforming a2a block MUST validate. Errors: ${JSON.stringify(validateA2A.errors)}`,
+    ).toBe(true);
+    expect(validateA2A({ supported: true }), 'agentCardUrl is required').toBe(false);
+  });
+});
+
+describe.skipIf(HTTP_SKIP)('a2a-task-roundtrip: durable tasks/get after disconnect (gated on a2a.durableTasks; RFC 0100)', () => {
+  it('a paused-at-HITL run projects a live input-required task on a later tasks/get read', async () => {
+    const a2a = await readCapabilityFamily<{ durableTasks?: boolean }>('a2a');
+    if (!behaviorGate('a2a.durableTasks', a2a?.durableTasks === true)) return;
+
+    // Host-extension durable-task read seam (RFC 0100 §2). The host drives a
+    // backing run to a paused HITL state; we read the persisted projection
+    // WITHOUT holding the original connection.
+    const start = await driver.post('/v1/host/sample/a2a/tasks/start', {
+      scenario: 'paused-at-approval',
+    });
+    if (start.status === 404 || start.status === 403) return; // seam unwired — soft-skip
+    const taskId = (start.json as { taskId?: string })?.taskId;
+    if (!taskId) return;
+
+    const read = await driver.get(`/v1/host/sample/a2a/tasks/${encodeURIComponent(taskId)}`);
+    if (read.status === 404 || read.status === 403) return;
+    const state = read.json as { state?: string; runId?: string; metadata?: { openwop?: { interrupt?: { kind?: string } } } };
+    expect(
+      state.state,
+      driver.describe('a2a-integration.md §"Async / durable Tasks"', 'tasks/get after disconnect MUST return the live input-required projection (not a stale working)'),
+    ).toBe('input-required');
+    expect(
+      state.runId,
+      driver.describe('a2a-task-state.schema.json', 'taskId MUST equal the backing runId'),
+    ).toBe(taskId);
+  });
+});
+
+describe.skipIf(HTTP_SKIP)('a2a-task-roundtrip: push-config SSRF (gated on a2a.pushNotifications; RFC 0100)', () => {
+  it('registering a pushConfig.url at a private address is refused (a2a-push-egress-ssrf)', async () => {
+    const a2a = await readCapabilityFamily<{ pushNotifications?: boolean }>('a2a');
+    if (!behaviorGate('a2a.pushNotifications', a2a?.pushNotifications === true)) return;
+
+    const res = await driver.post('/v1/host/sample/a2a/tasks/push-config', {
+      taskId: 'run_x',
+      url: 'http://10.0.0.5/push',
+    });
+    if (res.status === 404 || res.status === 403) return; // seam unwired — soft-skip
+    expect(
+      res.status >= 400,
+      driver.describe(
+        'a2a-integration.md §"Async / durable Tasks"',
+        'a2a-push-egress-ssrf — a caller-supplied pushConfig.url at a private/loopback address MUST be refused before any push',
+      ),
+    ).toBe(true);
+  });
+});

package/src/scenarios/export-bundle-portability.test.ts

@@ -0,0 +1,120 @@
+/**
+ * Agent-platform portability — export bundle + tenant import (RFC 0098;
+ * `portability.md`). Public test for the protocol-tier SECURITY invariant
+ * `export-bundle-no-credential-material`.
+ *
+ * Two layers:
+ *
+ *   A. Always-on, server-free schema legs — the capability block (incl. the
+ *      `import ⇒ dryRun` if/then), the `export-bundle.schema.json` shape (no
+ *      credential-named field admitted), and the content-free `import.applied`
+ *      event payload.
+ *
+ *   B. Capability-gated behavioral legs — on a host advertising
+ *      `capabilities.portability` that exposes the `/v1/host/sample/import`
+ *      seam: a bundle carrying a literal credential value is rejected (422),
+ *      and a dry-run import makes zero writes. Hosts without the seam soft-skip
+ *      (404); unadvertised hosts skip via the behavior gate.
+ *
+ * @see spec/v1/portability.md
+ * @see SECURITY/invariants.yaml id: export-bundle-no-credential-material
+ * @see RFCS/0098-agent-platform-portability-export-bundle-and-import.md
+ */
+
+import { describe, it, expect } from 'vitest';
+import { readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import Ajv2020 from 'ajv/dist/2020.js';
+import addFormats from 'ajv-formats';
+import { SCHEMAS_DIR } from '../lib/paths.js';
+import { driver } from '../lib/driver.js';
+import { behaviorGate } from '../lib/behavior-gate.js';
+import { readCapabilityFamily } from '../lib/discovery-capabilities.js';
+
+const why = (specRef: string, requirement: string): string => `${specRef} — ${requirement}`;
+function loadSchema(name: string): Record<string, unknown> {
+  return JSON.parse(readFileSync(join(SCHEMAS_DIR, name), 'utf8')) as Record<string, unknown>;
+}
+
+const CRED_NAMES = ['clientSecret', 'client_secret', 'apiKey', 'api_key', 'accessToken', 'refreshToken', 'password', 'privateKey'] as const;
+
+describe('export-bundle-portability: capability advertisement (RFC 0098 §A, server-free)', () => {
+  const caps = loadSchema('capabilities.schema.json');
+  const portability = (caps.properties as Record<string, { properties?: Record<string, unknown>; if?: unknown; then?: unknown }>).portability;
+
+  it('capabilities schema declares portability with its sub-flags + the import⇒dryRun if/then', () => {
+    expect(portability, why('capabilities.md §portability', 'portability MUST be declared')).toBeDefined();
+    for (const flag of ['export', 'import', 'kinds', 'dryRun']) {
+      expect(portability?.properties?.[flag], why('RFC 0098 §A', `portability.${flag} MUST be declared`)).toBeDefined();
+    }
+    expect(portability?.if, why('RFC 0098 §A', 'a JSON-Schema if/then MUST enforce dryRun:true when import:true')).toBeDefined();
+    expect(portability?.then, why('RFC 0098 §A', 'the then-branch MUST require dryRun')).toBeDefined();
+  });
+});
+
+describe('export-bundle-portability: ExportBundle shape (RFC 0098 §B, server-free)', () => {
+  const ajv = new Ajv2020({ strict: false, allErrors: true });
+  addFormats(ajv);
+  const validate = ajv.compile(loadSchema('export-bundle.schema.json'));
+
+  const good = {
+    bundleVersion: '1',
+    source: { origin: 'https://host-a.example', exportedAt: '2026-06-13T00:00:00Z' },
+    items: [
+      { kind: 'prompt-template', ref: 'tpl-1', payload: { templateId: 'welcome', version: '1.0.0' } },
+      { kind: 'connection-ref', ref: 'conn-1', dependsOn: ['tpl-1'], payload: { provider: 'slack', credentialRef: 'cred:abc' } },
+    ],
+  };
+
+  it('validates a conforming bundle with refs only', () => {
+    expect(validate(good), why('RFC 0098 §B', `a conforming bundle MUST validate. Errors: ${JSON.stringify(validate.errors)}`)).toBe(true);
+  });
+
+  it('rejects a wrong bundleVersion, an unknown kind, and a missing item ref', () => {
+    expect(validate({ ...good, bundleVersion: '2' }), why('RFC 0098 §B', 'an unsupported bundleVersion MUST be rejected')).toBe(false);
+    expect(validate({ ...good, items: [{ kind: 'mystery', ref: 'x', payload: {} }] }), why('RFC 0098 §B', 'an unknown item kind MUST be rejected')).toBe(false);
+    expect(validate({ ...good, items: [{ kind: 'agent', payload: {} }] }), why('RFC 0098 §B', 'an item without a ref MUST be rejected')).toBe(false);
+  });
+
+  it('the bundle envelope admits no credential-named field at the root or source level (additionalProperties:false)', () => {
+    for (const name of CRED_NAMES) {
+      expect(validate({ ...good, [name]: 'xxx' }), why('SECURITY invariant export-bundle-no-credential-material', `a "${name}" field at the bundle root MUST NOT validate`)).toBe(false);
+      expect(validate({ ...good, source: { ...good.source, [name]: 'xxx' } }), why('SECURITY invariant export-bundle-no-credential-material', `a "${name}" field under source MUST NOT validate`)).toBe(false);
+    }
+  });
+});
+
+describe('export-bundle-portability: content-free event (RFC 0098 §D, server-free)', () => {
+  const runEvent = loadSchema('run-event.schema.json');
+  const payloads = loadSchema('run-event-payloads.schema.json');
+  const ajv = new Ajv2020({ strict: false, allErrors: true });
+  addFormats(ajv);
+  ajv.addSchema(payloads, 'payloads');
+
+  it('import.applied is in the RunEventType enum and is content-free (counts + refs only)', () => {
+    const en = (runEvent.$defs as Record<string, { enum?: string[] }>).RunEventType?.enum ?? [];
+    expect(en).toContain('import.applied');
+    const applied = ajv.getSchema('payloads#/$defs/importApplied')!;
+    expect(applied({ bundleOrigin: 'https://host-a.example', counts: { created: 2, skipped: 1 }, secretsToRebind: ['anthropic'] }), why('RFC 0098 §D', 'a content-free import.applied MUST validate')).toBe(true);
+    expect(applied({ bundleOrigin: 'h', counts: { created: 1 }, items: [{ payload: {} }] }), why('SECURITY invariant export-bundle-no-credential-material', 'import.applied MUST NOT carry item payloads')).toBe(false);
+  });
+});
+
+describe('export-bundle-portability: behavioral (RFC 0098 §E, capability-gated)', () => {
+  it('importing a bundle with a literal credential value is rejected (422)', async () => {
+    const portability = await readCapabilityFamily<{ import?: boolean }>('portability');
+    if (!behaviorGate('portability', portability !== undefined && portability.import === true)) return;
+
+    const leaky = {
+      bundleVersion: '1',
+      source: { origin: 'adapter:conformance' },
+      items: [{ kind: 'connection-ref', ref: 'c1', payload: { provider: 'anthropic', apiKey: 'sk-conformance-canary' } }],
+    };
+    const res = await driver.post('/v1/host/sample/import?dryRun=true', { bundle: leaky });
+    if (res.status === 404 || res.status === 403) return; // seam unwired — soft-skip
+    expect(
+      res.status,
+      driver.describe('portability.md §Invariants clause 1', 'a bundle carrying a literal credential value MUST be rejected (422)'),
+    ).toBe(422);
+  });
+});

package/src/scenarios/fixtures-valid.test.ts

@@ -188,6 +188,44 @@ describe('fixtures: connection-pack-manifest schema validity', () => {
   }
 });
 
+describe('fixtures: trigger-event + registration schema validity', () => {
+  // External-event ingestion fixtures live in `fixtures/trigger-events/`
+  // (RFC 0099). They are schema-level proof points validated against the
+  // `TriggerEvent` / `TriggerSubscriptionRegistration` schemas — NOT seeded
+  // into a workflow store. A fixture is dispatched to the right schema by a
+  // filename convention: `trigger-event-*` → trigger-event.schema.json;
+  // `trigger-subscription-registration-*` → the registration schema.
+  const ajv = new Ajv2020({ allErrors: true, strict: false });
+  addFormats(ajv);
+  // The registration schema $refs the subscription schema; register it.
+  ajv.addSchema(JSON.parse(readFileSync(join(SCHEMAS_DIR, 'trigger-subscription.schema.json'), 'utf8')));
+  const validateEvent = ajv.compile(JSON.parse(readFileSync(join(SCHEMAS_DIR, 'trigger-event.schema.json'), 'utf8')));
+  const validateReg = ajv.compile(
+    JSON.parse(readFileSync(join(SCHEMAS_DIR, 'trigger-subscription-registration.schema.json'), 'utf8')),
+  );
+
+  const dir = join(FIXTURES_DIR, 'trigger-events');
+  const files = readdirSync(dir)
+    .filter((f) => f.endsWith('.json'))
+    .sort();
+
+  it('finds at least one trigger-event fixture (RFC 0099 coverage)', () => {
+    expect(files.length).toBeGreaterThan(0);
+  });
+
+  for (const file of files) {
+    it(`trigger-events/${file} validates against its schema`, () => {
+      const data = JSON.parse(readFileSync(join(dir, file), 'utf8'));
+      const validate = file.startsWith('trigger-subscription-registration') ? validateReg : validateEvent;
+      const ok = validate(data);
+      const errors = (validate.errors ?? [])
+        .map((e: ErrorObject) => `${e.instancePath || '/'}: ${e.message}`)
+        .join('\n');
+      expect(ok, `Fixture trigger-events/${file} fails its schema:\n${errors}`).toBe(true);
+    });
+  }
+});
+
 describe('fixtures: prompt-template schema validity', () => {
   // PromptTemplate fixtures live in `fixtures/prompt-templates/` per
   // RFC 0027 §A. Like pack manifests, they're schema-level proof points,