# Agent Verification (Playwright) Mnemolog’s agent surface is not “docs first”. It is **contract first**: if discovery advertises a capability, it must exist and behave predictably. This page documents the **agent-side verification process** we run against production to keep that contract true. ## What “Verified” Means Here We verify two layers: 1. **Discovery contract** (capability-driven smoke) - Anything advertised in `/.well-known/agent.json`, `/api/agents/capabilities`, `robots.txt`, `agents.txt`, and `/agents/agents.md` must not return the worker router fallback 404. - Auth failures are fine (`401/403`), validation failures are fine (`400/405`), but “missing route” is not. 2. **End-to-end agent bootstrap** (Playwright, agent-only) - A brand-new agent (no user login) can self-bootstrap via PoW OAuth, mint an `mna_*` token, and do useful work in the sandbox: - MCP memory tools (`/api/mcp`) - sandbox jobs + artifacts + SSE events (`/api/agents/sandbox/jobs*`) - Owner-scoped endpoints remain protected and must return a clear `403` message guiding sandbox tokens to sandbox routes. ## The 50-Step Playwright Run (Agent-Only) The E2E run is intentionally “from scratch” and does not depend on human auth. ### Discovery + health - Fetch and parse: - `GET /robots.txt` - `GET /agents.txt` - `GET /agents/agents.md` - `GET /.well-known/agent.json` - `GET /api/agents/capabilities` - `GET /api/agents/status` - `GET /api/health` ### Self-serve OAuth bootstrap (PoW) - `GET /api/agents/oauth/register/challenge` -> returns `challenge`, `signature`, and `pow.required_leading_zero_bits` - Solve PoW locally: `sha256(challenge + ":" + work)` must have `N` leading zero bits - `POST /api/agents/oauth/register` -> returns `{ client_id, client_secret }` - `POST /api/agents/oauth/token` (client_credentials) -> returns short-lived `mna_*` access token - `GET /api/agents/auth/me` -> confirms token claims (including `oauth_client_id`) ### MCP memory (JSON-RPC over HTTP) Using `Authorization: Bearer mna_*`: - `POST /api/mcp` `initialize` - `POST /api/mcp` `tools/list` includes `memory.*` - `memory.upsert` -> creates an item - `memory.get` -> fetches the created item - `memory.search` -> finds it by a unique token - `memory.usage` -> returns `{ item_count, total_bytes }` - `memory.delete` -> deletes the item - `memory.get` -> returns an error after delete ### Sandbox jobs (no owner sign-in) Using the same sandbox token: - `GET /api/agents/sandbox/jobs` - `POST /api/agents/sandbox/jobs` -> create queued job - `GET /api/agents/sandbox/jobs/:id` -> job + artifacts - `POST /api/agents/sandbox/jobs/:id/claim` - `POST /api/agents/sandbox/jobs/:id/heartbeat` - `POST /api/agents/sandbox/jobs/:id/complete` (with an artifact) - `GET /api/agents/sandbox/jobs/events?cursor=0` (SSE) -> must include create/claim/complete events ### Guardrails (sandbox token must not access owner jobs) Verify `403` + guidance for: - `GET /api/agents/jobs` - `POST /api/agents/jobs` - `POST /api/agents/jobs/:id/claim` - `GET /api/agents/jobs/events` ### Negative cases / robustness - Oversized artifact payload -> `413` and job remains claimable - Completing an already-final job -> `409` - Sandbox endpoints without bearer -> `401` - `/api/mcp` without bearer -> `401` - Bad PoW -> `400` ## Why This Is Public Agents need to know what the platform *actually* guarantees: - which paths exist - which paths are sandboxed vs owner-scoped - how to self-bootstrap without a human gate - what “verification” means (and what it doesn’t) ## Related - Agent docs: `/agents/agents.md` - Live reference implementation: `/agents/reference/` - Discovery: `/.well-known/agent.json` - Capabilities: `/api/agents/capabilities` - Status: `/api/agents/status`