@openwop/openwop-conformance 1.23.0 → 1.25.0

package/src/scenarios/goal-standing-continuation.test.ts

@@ -0,0 +1,139 @@
+/**
+ * Standing goals — judge-based completion + bounded continuation (RFC 0097;
+ * `agent-runtime.md` §"Standing goals"). Public tests for the protocol-tier
+ * SECURITY invariants `goal-continuation-bounded` and
+ * `goal-completion-judge-only`.
+ *
+ * Two layers:
+ *
+ *   A. Always-on, server-free schema legs — the capability block, the
+ *      `goal.schema.json` shape, and the content-free `goal.evaluated` /
+ *      `goal.closed` event payloads.
+ *
+ *   B. Capability-gated behavioral legs — on a host advertising
+ *      `capabilities.agents.goals` that exposes the `/v1/host/sample/goals`
+ *      seam: bounded termination (a never-satisfied goal halts at
+ *      `maxLoopIterations` with `state: bound-exceeded`) and judge-only
+ *      completion (a client-supplied `state: satisfied` is refused). Hosts
+ *      without the seam soft-skip (404); unadvertised hosts skip via the gate.
+ *
+ * @see spec/v1/agent-runtime.md §"Standing goals"
+ * @see SECURITY/invariants.yaml id: goal-continuation-bounded, goal-completion-judge-only
+ * @see RFCS/0097-standing-goals-and-judge-based-continuation.md
+ */
+
+import { describe, it, expect } from 'vitest';
+import { readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import Ajv2020 from 'ajv/dist/2020.js';
+import addFormats from 'ajv-formats';
+import { SCHEMAS_DIR } from '../lib/paths.js';
+import { driver } from '../lib/driver.js';
+import { behaviorGate } from '../lib/behavior-gate.js';
+import { readCapabilityFamily } from '../lib/discovery-capabilities.js';
+
+const why = (specRef: string, requirement: string): string => `${specRef} — ${requirement}`;
+function loadSchema(name: string): Record<string, unknown> {
+  return JSON.parse(readFileSync(join(SCHEMAS_DIR, name), 'utf8')) as Record<string, unknown>;
+}
+
+describe('goal-standing-continuation: capability advertisement (RFC 0097 §A, server-free)', () => {
+  it('capabilities schema declares agents.goals with its required sub-flags', () => {
+    const caps = loadSchema('capabilities.schema.json');
+    const agents = (caps.properties as Record<string, { properties?: Record<string, { properties?: Record<string, unknown>; required?: string[] }> }>).agents;
+    const goals = agents?.properties?.goals;
+    expect(goals, why('capabilities.md §agents', 'agents.goals MUST be declared')).toBeDefined();
+    for (const flag of ['judge', 'continuation', 'requiresBounds']) {
+      expect(goals?.properties?.[flag], why('RFC 0097 §A', `agents.goals.${flag} MUST be declared`)).toBeDefined();
+    }
+    expect(goals?.required, why('RFC 0097 §A', 'judge + continuation MUST be required')).toEqual(
+      expect.arrayContaining(['judge', 'continuation']),
+    );
+  });
+});
+
+describe('goal-standing-continuation: Goal shape (RFC 0097 §B, server-free)', () => {
+  const ajv = new Ajv2020({ strict: false, allErrors: true });
+  addFormats(ajv);
+  const validate = ajv.compile(loadSchema('goal.schema.json'));
+
+  const good = {
+    id: 'goal-1',
+    objective: 'ship the release checklist',
+    state: 'active',
+    completion: { check: 'verifier', verifierRef: 'vf-1' },
+    continuation: { mode: 'schedule', armRef: 'job-1' },
+    bounds: { maxLoopIterations: 7 },
+    owner: { tenant: 'acme' },
+    createdAt: '2026-06-13T00:00:00Z',
+  };
+
+  it('validates a conforming active goal', () => {
+    expect(validate(good), why('RFC 0097 §B', `a conforming goal MUST validate. Errors: ${JSON.stringify(validate.errors)}`)).toBe(true);
+  });
+
+  it('rejects an unknown state, an unknown judge, and a bad continuation mode', () => {
+    expect(validate({ ...good, state: 'done' }), why('RFC 0097 §B', 'a state outside the lifecycle enum MUST be rejected')).toBe(false);
+    expect(validate({ ...good, completion: { check: 'vibes' } }), why('RFC 0097 §B', 'judge check outside {verifier,host} MUST be rejected')).toBe(false);
+    expect(validate({ ...good, continuation: { mode: 'whenever' } }), why('RFC 0097 §B', 'continuation mode outside the enum MUST be rejected')).toBe(false);
+  });
+});
+
+describe('goal-standing-continuation: content-free events (RFC 0097 §D, server-free)', () => {
+  const runEvent = loadSchema('run-event.schema.json');
+  const payloads = loadSchema('run-event-payloads.schema.json');
+  const ajv = new Ajv2020({ strict: false, allErrors: true });
+  addFormats(ajv);
+  ajv.addSchema(payloads, 'payloads');
+
+  it('goal.evaluated and goal.closed are in the RunEventType enum', () => {
+    const en = (runEvent.$defs as Record<string, { enum?: string[] }>).RunEventType?.enum ?? [];
+    expect(en).toContain('goal.evaluated');
+    expect(en).toContain('goal.closed');
+  });
+
+  it('goal.evaluated is content-free — an objective text field is rejected; goal.closed requires a terminal finalState', () => {
+    const evaluated = ajv.getSchema('payloads#/$defs/goalEvaluated')!;
+    expect(evaluated({ goalId: 'g1', satisfied: false, confidence: 0.4, runId: 'r1', iterations: 2 }), why('RFC 0097 §D', 'a content-free goal.evaluated MUST validate')).toBe(true);
+    expect(evaluated({ goalId: 'g1', satisfied: false, runId: 'r1', iterations: 2, objective: 'ship it' }), why('RFC 0097 §D', 'goal.evaluated MUST NOT carry objective text')).toBe(false);
+    const closed = ajv.getSchema('payloads#/$defs/goalClosed')!;
+    expect(closed({ goalId: 'g1', finalState: 'bound-exceeded' }), why('RFC 0097 §D', 'goal.closed with a terminal finalState MUST validate')).toBe(true);
+    expect(closed({ goalId: 'g1', finalState: 'active' }), why('RFC 0097 §D', 'goal.closed MUST NOT use the non-terminal `active` state')).toBe(false);
+  });
+});
+
+describe('goal-standing-continuation: behavioral (RFC 0097 §E, capability-gated)', () => {
+  it('a goal cannot be created without bounds when requiresBounds is advertised (422)', async () => {
+    const agents = await readCapabilityFamily<{ goals?: { requiresBounds?: boolean } }>('agents');
+    if (!behaviorGate('agents.goals', agents?.goals !== undefined)) return;
+    if (agents?.goals?.requiresBounds === false) return; // host opted out of mandatory bounds
+
+    const res = await driver.post('/v1/host/sample/goals', {
+      objective: 'unbounded work',
+      completion: { check: 'host' },
+      continuation: { mode: 'manual' },
+    });
+    if (res.status === 404 || res.status === 403) return; // seam unwired — soft-skip
+    expect(
+      res.status,
+      driver.describe('agent-runtime.md §"Standing goals" clause 2', 'POST /goals without RFC 0058 bounds MUST be rejected (422) when requiresBounds is advertised'),
+    ).toBe(422);
+  });
+
+  it('a client MUST NOT set state: satisfied directly', async () => {
+    const agents = await readCapabilityFamily<{ goals?: unknown }>('agents');
+    if (!behaviorGate('agents.goals', agents?.goals !== undefined)) return;
+
+    const list = await driver.get('/v1/host/sample/goals?state=active');
+    if (list.status === 404 || list.status === 403) return;
+    const goals = (list.json as { goals?: Array<{ id: string }> })?.goals ?? [];
+    if (goals.length === 0) return;
+
+    const res = await driver.post(`/v1/host/sample/goals/${goals[0]!.id}`, { state: 'satisfied' });
+    if (res.status === 404) return;
+    expect(
+      res.status >= 400,
+      driver.describe('agent-runtime.md §"Standing goals" clause 1', 'a client-supplied state: satisfied MUST be refused — completion is the judge\'s verdict'),
+    ).toBe(true);
+  });
+});

package/src/scenarios/proposal-reviewable-learning.test.ts

@@ -0,0 +1,129 @@
+/**
+ * Reviewable learning — the proposal lifecycle (RFC 0096; `agent-memory.md`
+ * §"Reviewable learning"). Public tests for the protocol-tier SECURITY
+ * invariants `proposal-inert-until-applied` and `proposal-no-resynthesis`.
+ *
+ * Two layers:
+ *
+ *   A. Always-on, server-free schema legs — the capability block, the
+ *      `proposal.schema.json` shape (incl. the dropped `rule` kind), and the
+ *      content-free `proposal.created` / `proposal.activated` event payloads.
+ *
+ *   B. Capability-gated behavioral legs — on a host advertising
+ *      `capabilities.agents.proposals` that exposes the
+ *      `/v1/host/sample/proposals` seam: inertness (a draft proposal does not
+ *      influence a run), gated activation (`apply` without scope → 403), and
+ *      no-re-synthesis (installed artifact byte-matches the last-persisted
+ *      `artifact`). Hosts without the seam soft-skip (404); unadvertised
+ *      hosts skip via the behavior gate.
+ *
+ * @see spec/v1/agent-memory.md §"Reviewable learning"
+ * @see SECURITY/invariants.yaml id: proposal-inert-until-applied, proposal-no-resynthesis
+ * @see RFCS/0096-reviewable-learning-skill-proposal-lifecycle.md
+ */
+
+import { describe, it, expect } from 'vitest';
+import { readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import Ajv2020 from 'ajv/dist/2020.js';
+import addFormats from 'ajv-formats';
+import { SCHEMAS_DIR } from '../lib/paths.js';
+import { driver } from '../lib/driver.js';
+import { behaviorGate } from '../lib/behavior-gate.js';
+import { readCapabilityFamily } from '../lib/discovery-capabilities.js';
+
+const why = (specRef: string, requirement: string): string => `${specRef} — ${requirement}`;
+function loadSchema(name: string): Record<string, unknown> {
+  return JSON.parse(readFileSync(join(SCHEMAS_DIR, name), 'utf8')) as Record<string, unknown>;
+}
+
+describe('proposal-reviewable-learning: capability advertisement (RFC 0096 §A, server-free)', () => {
+  const caps = loadSchema('capabilities.schema.json');
+  const agents = (caps.properties as Record<string, { properties?: Record<string, { properties?: Record<string, unknown>; required?: string[] }> }>).agents;
+
+  it('capabilities schema declares agents.proposals with its required sub-flags', () => {
+    const proposals = agents?.properties?.proposals;
+    expect(proposals, why('capabilities.md §agents', 'agents.proposals MUST be declared')).toBeDefined();
+    for (const flag of ['artifactKinds', 'duplicationDetection', 'activation']) {
+      expect(proposals?.properties?.[flag], why('RFC 0096 §A', `agents.proposals.${flag} MUST be declared`)).toBeDefined();
+    }
+    expect(proposals?.required, why('RFC 0096 §A', 'artifactKinds + activation MUST be required')).toEqual(
+      expect.arrayContaining(['artifactKinds', 'activation']),
+    );
+  });
+
+  it('the `rule` artifact kind is NOT in the enum (dropped — no defining RFC)', () => {
+    const kinds = (agents?.properties?.proposals as { properties?: Record<string, { items?: { enum?: string[] } }> })?.properties?.artifactKinds?.items?.enum ?? [];
+    expect(kinds, why('RFC 0096 §A', 'artifactKinds enumerates the four kinds with a defining RFC')).toEqual(
+      expect.arrayContaining(['agent-pack', 'workflow-chain-pack', 'prompt-template', 'automation']),
+    );
+    expect(kinds, why('RFC 0096 §A', '`rule` MUST NOT appear — it has no defining RFC, so its artifact is unvalidatable')).not.toContain('rule');
+  });
+});
+
+describe('proposal-reviewable-learning: Proposal shape (RFC 0096 §B, server-free)', () => {
+  const ajv = new Ajv2020({ strict: false, allErrors: true });
+  addFormats(ajv);
+  const validate = ajv.compile(loadSchema('proposal.schema.json'));
+
+  const good = {
+    id: 'prop-1',
+    kind: 'workflow-chain-pack',
+    state: 'draft',
+    artifact: { name: 'weekly-digest', version: '1.0.0' },
+    provenance: { sourceRunIds: ['run-a', 'run-b'] },
+    owner: { tenant: 'acme' },
+    createdAt: '2026-06-13T00:00:00Z',
+  };
+
+  it('validates a conforming draft proposal', () => {
+    expect(validate(good), why('RFC 0096 §B', `a conforming proposal MUST validate. Errors: ${JSON.stringify(validate.errors)}`)).toBe(true);
+  });
+
+  it('rejects an unknown state and the dropped `rule` kind', () => {
+    expect(validate({ ...good, state: 'live' }), why('RFC 0096 §B', 'a state outside the lifecycle enum MUST be rejected')).toBe(false);
+    expect(validate({ ...good, kind: 'rule' }), why('RFC 0096 §B', '`kind: "rule"` MUST be rejected (dropped from the enum)')).toBe(false);
+    expect(validate({ ...good, owner: { workspace: 'x' } }), why('RFC 0048', 'owner without tenant MUST be rejected')).toBe(false);
+  });
+});
+
+describe('proposal-reviewable-learning: content-free events (RFC 0096 §D, server-free)', () => {
+  const runEvent = loadSchema('run-event.schema.json');
+  const payloads = loadSchema('run-event-payloads.schema.json');
+  const ajv = new Ajv2020({ strict: false, allErrors: true });
+  addFormats(ajv);
+  ajv.addSchema(payloads, 'payloads');
+
+  it('proposal.created and proposal.activated are in the RunEventType enum', () => {
+    const en = (runEvent.$defs as Record<string, { enum?: string[] }>).RunEventType?.enum ?? [];
+    expect(en).toContain('proposal.created');
+    expect(en).toContain('proposal.activated');
+  });
+
+  it('proposal.created is content-free — an artifact body and rationale text are rejected', () => {
+    const created = ajv.getSchema('payloads#/$defs/proposalCreated')!;
+    expect(created({ proposalId: 'p1', kind: 'agent-pack', sourceRunIds: ['r1'], duplicateOf: null }), why('RFC 0096 §D', 'a content-free proposal.created MUST validate')).toBe(true);
+    expect(created({ proposalId: 'p1', kind: 'agent-pack', artifact: { x: 1 } }), why('SECURITY invariant proposal-inert-until-applied', 'proposal.created MUST NOT carry the artifact body')).toBe(false);
+    expect(created({ proposalId: 'p1', kind: 'agent-pack', rationale: 'because…' }), why('RFC 0096 §D', 'proposal.created MUST NOT carry rationale text')).toBe(false);
+  });
+});
+
+describe('proposal-reviewable-learning: behavioral (RFC 0096 §E, capability-gated)', () => {
+  it('apply without the activation scope is denied (403) and installs nothing', async () => {
+    const agents = await readCapabilityFamily<{ proposals?: { activation?: string } }>('agents');
+    if (!behaviorGate('agents.proposals', agents?.proposals !== undefined)) return;
+
+    const list = await driver.get('/v1/host/sample/proposals?state=draft');
+    if (list.status === 404 || list.status === 403) return; // seam unwired — soft-skip
+    const proposals = (list.json as { proposals?: Array<{ id: string }> })?.proposals ?? [];
+    if (proposals.length === 0) return; // nothing to act on — soft-skip
+
+    // Apply with no auth/scope — MUST be refused.
+    const res = await driver.post(`/v1/host/sample/proposals/${proposals[0]!.id}/apply`, {});
+    if (res.status === 404) return;
+    expect(
+      res.status,
+      driver.describe('agent-memory.md §"Reviewable learning" clause 2', 'apply without the activation scope MUST be denied (403)'),
+    ).toBe(403);
+  });
+});

package/src/scenarios/trigger-ingestion.test.ts

@@ -0,0 +1,235 @@
+/**
+ * External-event trigger ingestion (RFC 0099) — `trigger-bridge.md` §F.
+ *
+ * Verifies the additive external-event ingestion leg of the RFC 0083
+ * durable-trigger bridge: the normalized in-run `TriggerEvent` envelope,
+ * the `TriggerSubscriptionRegistration` create contract, and the two new
+ * SECURITY invariants `trigger-ingestion-ssrf` +
+ * `trigger-ingestion-content-redaction`.
+ *
+ * Two layers:
+ *
+ *   A. Always-on, server-free schema probes:
+ *      - `trigger-event.schema.json` round-trips a conforming per-source
+ *        `TriggerEvent` and enforces the §F.1 one-of rule (a
+ *        `source:"email"` event carrying a `webhook` sub-object fails).
+ *      - `AttachmentRef` requires a host-internal `ref` and rejects a raw
+ *        external `url` field (the public test for `trigger-ingestion-ssrf`
+ *        at the schema layer — the host never hands the run a fetchable URL).
+ *      - `contentTrust` is the const `"untrusted"`.
+ *      - the durable `trigger.delivery.attempted` payload carries ONLY the
+ *        content-free `{subscriptionId,dedupKey,attempt,outcome}` shape (the
+ *        public test for `trigger-ingestion-content-redaction` — the inbound
+ *        body has no slot on the durable event).
+ *      - `trigger-subscription-registration.schema.json` validates + requires
+ *        `source` + `workflowId`.
+ *
+ *   B. Capability-gated behavioral leg (`triggerBridge.ingestion`, via the
+ *      `POST /v1/host/sample/trigger-bridge/ingest` seam): a simulated
+ *      external event starts a run whose `ctx.triggerData` matches the
+ *      `TriggerEvent` shape and whose `trigger.delivery.attempted` is
+ *      content-free; an ingestion-path fetch to a private address is refused
+ *      (`trigger-ingestion-ssrf`); a `webhook.headers.Authorization`
+ *      passthrough is stripped (`trigger-ingestion-content-redaction`).
+ *      Soft-skips when the capability is unadvertised or the seam is unwired.
+ *
+ * @see spec/v1/trigger-bridge.md §F
+ * @see SECURITY/invariants.yaml ids trigger-ingestion-ssrf, trigger-ingestion-content-redaction
+ * @see RFCS/0099-external-event-trigger-ingestion.md
+ */
+
+import { describe, it, expect } from 'vitest';
+import { readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import Ajv2020 from 'ajv/dist/2020.js';
+import addFormats from 'ajv-formats';
+import { SCHEMAS_DIR, FIXTURES_DIR } from '../lib/paths.js';
+import { driver } from '../lib/driver.js';
+import { behaviorGate } from '../lib/behavior-gate.js';
+import { readCapabilityFamily } from '../lib/discovery-capabilities.js';
+
+const HTTP_SKIP = !process.env.OPENWOP_BASE_URL;
+
+const EVENT_SCHEMA_PATH = join(SCHEMAS_DIR, 'trigger-event.schema.json');
+const REG_SCHEMA_PATH = join(SCHEMAS_DIR, 'trigger-subscription-registration.schema.json');
+const EVENT_FIXTURE = join(FIXTURES_DIR, 'trigger-events', 'trigger-event-email.json');
+const REG_FIXTURE = join(FIXTURES_DIR, 'trigger-events', 'trigger-subscription-registration-email.json');
+
+function buildAjv(): Ajv2020 {
+  const ajv = new Ajv2020({ allErrors: true, strict: false });
+  addFormats(ajv);
+  // The registration schema $refs the trigger-subscription schema for
+  // `retryPolicy`; register it so the absolute $ref resolves offline.
+  for (const name of ['trigger-subscription.schema.json']) {
+    ajv.addSchema(JSON.parse(readFileSync(join(SCHEMAS_DIR, name), 'utf8')));
+  }
+  return ajv;
+}
+
+describe('trigger-ingestion: TriggerEvent schema (always-on, server-free)', () => {
+  const ajv = buildAjv();
+  const validate = ajv.compile(JSON.parse(readFileSync(EVENT_SCHEMA_PATH, 'utf8')));
+
+  it('the canonical email TriggerEvent fixture validates', () => {
+    const ev = JSON.parse(readFileSync(EVENT_FIXTURE, 'utf8'));
+    expect(
+      validate(ev),
+      `trigger-event.schema.json MUST accept a conforming email TriggerEvent. Errors: ${JSON.stringify(validate.errors)}`,
+    ).toBe(true);
+  });
+
+  it('the §F.1 one-of rule holds — a source:"email" event carrying a webhook sub-object fails', () => {
+    const ev = JSON.parse(readFileSync(EVENT_FIXTURE, 'utf8'));
+    ev.webhook = { method: 'POST', body: { x: 1 } };
+    expect(
+      validate(ev),
+      'trigger-bridge.md §F.1 — a TriggerEvent MUST carry exactly the per-source sub-object matching its `source` and MUST NOT carry the others',
+    ).toBe(false);
+  });
+
+  it('contentTrust MUST be the const "untrusted"', () => {
+    const ev = JSON.parse(readFileSync(EVENT_FIXTURE, 'utf8'));
+    ev.contentTrust = 'trusted';
+    expect(
+      validate(ev),
+      'trigger-bridge.md §F.1 — `contentTrust` MUST be `"untrusted"`',
+    ).toBe(false);
+  });
+
+  it('AttachmentRef requires a host-internal `ref` and rejects a raw external `url` (trigger-ingestion-ssrf)', () => {
+    // Missing ref → invalid.
+    const noRef = JSON.parse(readFileSync(EVENT_FIXTURE, 'utf8'));
+    noRef.email.attachments = [{ filename: 'x.png' }];
+    expect(
+      validate(noRef),
+      'SECURITY invariant trigger-ingestion-ssrf — an AttachmentRef MUST carry a host-internal `ref`',
+    ).toBe(false);
+
+    // A raw external `url` the run would fetch itself → invalid
+    // (additionalProperties:false structurally forbids it).
+    const rawUrl = JSON.parse(readFileSync(EVENT_FIXTURE, 'utf8'));
+    rawUrl.email.attachments = [{ ref: 'blob_a1', url: 'http://169.254.169.254/latest/meta-data/' }];
+    expect(
+      validate(rawUrl),
+      'SECURITY invariant trigger-ingestion-ssrf — the host MUST NOT hand the run an external URL to fetch itself; AttachmentRef is a host-internal handle only',
+    ).toBe(false);
+  });
+
+  it('a webhook TriggerEvent with an allowlisted header validates', () => {
+    const ev = {
+      source: 'webhook',
+      subscriptionId: 'sub_9',
+      deliveryId: 'dlv_c3d4',
+      receivedAt: '2026-06-13T18:10:00Z',
+      verified: true,
+      contentTrust: 'untrusted',
+      webhook: { method: 'POST', headers: { 'X-Event-Type': 'issue.created' }, body: { issue: { id: 42 } } },
+    };
+    expect(
+      validate(ev),
+      `a conforming webhook TriggerEvent MUST validate. Errors: ${JSON.stringify(validate.errors)}`,
+    ).toBe(true);
+  });
+});
+
+describe('trigger-ingestion: content-freeness of the durable trigger.delivery.attempted payload (trigger-ingestion-content-redaction)', () => {
+  // The public, schema-layer proof for `trigger-ingestion-content-redaction`:
+  // the durable event payload defines ONLY content-free fields. The inbound
+  // body/headers/email/form content has NO slot — it lives only in the in-run
+  // TriggerEvent (`ctx.triggerData`), never on the event log.
+  const ajv = new Ajv2020({ allErrors: true, strict: false });
+  addFormats(ajv);
+  const payloads = JSON.parse(readFileSync(join(SCHEMAS_DIR, 'run-event-payloads.schema.json'), 'utf8'));
+  const deliveryDef = payloads.$defs?.triggerDeliveryAttempted;
+
+  it('trigger.delivery.attempted declares only the content-free RFC 0083 §C fields', () => {
+    expect(deliveryDef, 'run-event-payloads.schema.json MUST define triggerDeliveryAttempted').toBeDefined();
+    const props = Object.keys(deliveryDef.properties ?? {});
+    // The complete content-free field set — no `body`, `headers`, `email`,
+    // `form`, `fields`, or any inbound-content carrier.
+    expect(props.sort()).toEqual(['attempt', 'dedupKey', 'outcome', 'runId', 'subscriptionId'].sort());
+    for (const banned of ['body', 'headers', 'email', 'form', 'fields', 'html', 'text', 'subject']) {
+      expect(
+        props.includes(banned),
+        `trigger-ingestion-content-redaction — the durable trigger.delivery.attempted payload MUST NOT carry an inbound-content field ("${banned}")`,
+      ).toBe(false);
+    }
+  });
+});
+
+describe('trigger-ingestion: TriggerSubscriptionRegistration schema (always-on, server-free)', () => {
+  const ajv = buildAjv();
+  const validate = ajv.compile(JSON.parse(readFileSync(REG_SCHEMA_PATH, 'utf8')));
+
+  it('the canonical registration fixture validates', () => {
+    const reg = JSON.parse(readFileSync(REG_FIXTURE, 'utf8'));
+    expect(
+      validate(reg),
+      `trigger-subscription-registration.schema.json MUST accept a conforming registration. Errors: ${JSON.stringify(validate.errors)}`,
+    ).toBe(true);
+  });
+
+  it('requires source + workflowId and rejects an out-of-enum source', () => {
+    expect(validate({ workflowId: 'w' }), 'registration MUST require `source`').toBe(false);
+    expect(validate({ source: 'email' }), 'registration MUST require `workflowId`').toBe(false);
+    expect(
+      validate({ source: 'schedule', workflowId: 'w' }),
+      'registration `source` MUST be one of webhook/email/form (schedule is not externally registerable)',
+    ).toBe(false);
+  });
+});
+
+describe.skipIf(HTTP_SKIP)('trigger-ingestion: behavioral ingestion + SSRF (capability-gated)', () => {
+  it('an ingestion-path fetch to a private address is refused; a delivered event is content-free', async () => {
+    const tb = await readCapabilityFamily<{ ingestion?: { externalSources?: string[] } }>('triggerBridge');
+    const ingests = Array.isArray(tb?.ingestion?.externalSources) && tb!.ingestion!.externalSources!.length > 0;
+    if (!behaviorGate('triggerBridge.ingestion', ingests)) return;
+
+    // SSRF leg — an attachment whose resolution would hit a private address
+    // MUST be refused by the host's safeFetch guard (trigger-ingestion-ssrf).
+    const ssrf = await driver.post('/v1/host/sample/trigger-bridge/ingest', {
+      source: 'email',
+      verification: { mode: 'none' },
+      attachmentUrl: 'http://169.254.169.254/latest/meta-data/',
+    });
+    if (ssrf.status === 404 || ssrf.status === 403) return; // seam unwired — soft-skip
+
+    const ssrfBody = ssrf.json as { triggerEvent?: { email?: { attachments?: unknown[] } }; ssrfRefused?: boolean } | undefined;
+    expect(
+      ssrfBody?.ssrfRefused === true ||
+        (ssrfBody?.triggerEvent?.email?.attachments ?? []).length === 0,
+      driver.describe(
+        'trigger-bridge.md §F.4',
+        'trigger-ingestion-ssrf — an ingestion-path fetch to a private address MUST be refused (attachment dropped), the run still starting on the rest of the event',
+      ),
+    ).toBe(true);
+
+    // Content-redaction leg — the durable trigger.delivery.attempted MUST be
+    // content-free even when the inbound carried a credential-bearing header.
+    const del = await driver.post('/v1/host/sample/trigger-bridge/ingest', {
+      source: 'webhook',
+      verification: { mode: 'none' },
+      webhook: { method: 'POST', headers: { Authorization: 'Bearer canary' }, body: { x: 1 } },
+    });
+    if (del.status === 404 || del.status === 403) return;
+    const delBody = del.json as
+      | { deliveryEvent?: Record<string, unknown>; triggerEvent?: { webhook?: { headers?: Record<string, string> } } }
+      | undefined;
+    const evtJson = JSON.stringify(delBody?.deliveryEvent ?? {});
+    expect(
+      evtJson.includes('Bearer canary') === false && evtJson.includes('Authorization') === false,
+      driver.describe(
+        'trigger-bridge.md §F.4',
+        'trigger-ingestion-content-redaction — the durable trigger.delivery.attempted MUST NOT carry inbound body/header content',
+      ),
+    ).toBe(true);
+    const passedHeaders = delBody?.triggerEvent?.webhook?.headers ?? {};
+    expect(
+      Object.keys(passedHeaders).every((k) => k.toLowerCase() !== 'authorization'),
+      driver.describe(
+        'trigger-bridge.md §F.1',
+        'webhook.headers MUST be a host-curated allowlist — Authorization MUST NOT pass through',
+      ),
+    ).toBe(true);
+  });
+});