diff --git a/CLAUDE.md b/CLAUDE.md
index 7bb5b8b..e66660c 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -16,8 +16,11 @@ agents/
   scenario-generator.md        # Step 3: Scenarios
   env-factory-generator.md     # Step 4: Environment Factory implementation
   scenario-validator.md        # Step 5: Scenario lifecycle validation
+  auth-login-validator.md      # Step 5: agentic fallback for login probe
   test-case-generator.md       # Step 6: E2E tests
   focused-test-case-generator.md
+skills/agent-browser/SKILL.md        # agent-browser CLI reference
+skills/validate-auth-login/SKILL.md  # headless browser login probe
 hooks/
   hooks.json
   pipeline-kickoff.sh
@@ -54,7 +57,8 @@ Validators are in `hooks/validators/`.
 | `validate_endpoint_implemented.py` | `*/autonoma/.endpoint-implemented` | handler path and factory integrity |
 | `validate_creation_file_immutable.py` | `*/autonoma/.endpoint-implemented` | accepted audit creation files were not rewritten unsafely |
 | `validate_factory_fidelity.py` | `*/autonoma/.endpoint-implemented` | semantic per-model factory fidelity |
-| `validate_scenario_validation.py` | `*/autonoma/.scenario-validation.json` | Step 5 terminal-state contract |
+| `validate_scenario_validation.py` | `*/autonoma/.scenario-validation.json` | Step 5 terminal-state contract (incl. `loginProbe`) |
+| `login_probe.py` | invoked by `scenario-validator.md` between `up` and `down` | headless-browser login verification via `agent-browser` |
 | `validate_scenario_recipes.py` | `*/autonoma/scenario-recipes.json` | recipe schema |
 | `validate_test_index.py` | `*/autonoma/qa-tests/INDEX.md` | test totals and folder sums |
 | `validate_directory_structure.py` | `*/autonoma/qa-tests/INDEX.md` | test directory structure |
@@ -76,5 +80,5 @@ pytest
 
 - Step 4 implements the Environment Factory and may edit target backend code.
 - Step 4 writes `autonoma/.endpoint-implemented` only after discover smoke and factory-integrity checks pass.
-- Step 5 validates signed `discover` / `up` / `down` for every scenario and may fix handler bugs or reconcile `scenarios.md`.
+- Step 5 validates signed `discover` / `up` / `down` for every scenario and may fix handler bugs or reconcile `scenarios.md`. Between `up` and `down` on the first auth-carrying scenario it also runs the login probe (`hooks/validators/login_probe.py`), which hands the task to an isolated `claude -p` subagent that drives headless Chrome via [`agent-browser`](https://github.com/vercel-labs/agent-browser) to prove the returned credentials actually reach a logged-in page. Install via `brew install agent-browser` or `npm install -g agent-browser`; if the binary is missing the probe tries to install it itself (npm, then brew, then cargo) unless `AUTONOMA_LOGIN_PROBE_NO_INSTALL=1`, and reports `skipped` if that fails or if the `claude` CLI is not on PATH.
 - Step 6 is gated on `autonoma/.endpoint-validated`.
diff --git a/agents/auth-login-validator.md b/agents/auth-login-validator.md
new file mode 100644
index 0000000..bf4ba9c
--- /dev/null
+++ b/agents/auth-login-validator.md
@@ -0,0 +1,47 @@
+---
+description: >
+  Login probe subagent invoked via `claude -p` from the scenario-validator
+  (Step 5). Uses the agent-browser CLI to verify that auth credentials
+  returned by the Environment Factory's `up` action actually reach an
+  authenticated page. Headless only.
+tools:
+  - Bash
+  - Read
+maxTurns: 20
+---
+
+# Auth Login Validator
+
+You are a login probe. You have `agent-browser` available as a Bash CLI.
+Read the `skills/agent-browser/SKILL.md` reference if you need the full
+command surface. Your job: verify that the auth payload you receive actually
+produces a logged-in browser session.
+
+## Rules
+
+- Always use `--session login-probe-<label>` and `--json`.
+- Always headless — never pass `--headed`.
+- Use `agent-browser snapshot -i` to discover form fields when selectors
+  are unknown — don't guess selectors.
+- Close the session when done: `agent-browser --session ... close`
+- Do not modify any files outside `autonoma/.login-probe/`.
+
+## Output
+
+Print EXACTLY one JSON object to stdout when done — no markdown fences, no
+extra text before or after.
+
+Success:
+```json
+{"ok": true, "mode": "cookies|token|form", "evidence": {"final_url": "...", "screenshot": "..."}, "scenario": "<label>"}
+```
+
+Failure:
+```json
+{"ok": false, "mode": "cookies|token|form", "failure": {"category": "<cat>", "detail": "one sentence", "screenshot_path": "..."}, "evidence": {}}
+```
+
+Categories: `redirected_to_login`, `cookie_not_sent`, `marker_missing`,
+`bad_credentials`, `open_failed`, `fill_failed`, `submit_failed`, `unknown_ui`.
+
+Take a screenshot before reporting.
diff --git a/agents/scenario-validator.md b/agents/scenario-validator.md
index f5ec61c..baa3f3d 100644
--- a/agents/scenario-validator.md
+++ b/agents/scenario-validator.md
@@ -118,8 +118,54 @@ Repeat until all three actions succeed for every scenario OR you exhaust 5 itera
       - **Auth check**: `auth` MUST be non-null and contain at least one of `{ cookies, headers, token, user }`. If empty, the auth callback is not wired — fix it and restart.
       - **Refs check**: every top-level model in the `create` tree MUST appear in `refs`.
    5. Verify DB state with a read-only `SELECT` for at least one refs id.
-   6. POST `{action:"down", refsToken}`. Expect `{ok:true}`.
-   7. Verify the refs rows are gone.
+   6. **Login probe** (once per run — on the first scenario whose `auth`
+      carries credentials, then remember the verdict):
+      Drive a real headless Chrome session through `hooks/validators/login_probe.py`
+      to prove that the returned `auth` actually reaches a logged-in page. This
+      catches subtle auth-callback bugs (wrong cookie domain, missing CSRF seed,
+      token not honored, Set-Cookie attrs stripped) that lifecycle checks miss.
+      ```bash
+      # $KB is autonoma/AUTONOMA.md. Extract loginPath + protectedPath from the
+      # `flows: login` section there. `markerText` is optional — if the KB lists
+      # a known post-login text fragment ("Dashboard", username echo, etc.) pass it.
+      python3 "$(cat /tmp/autonoma-plugin-root)/hooks/validators/login_probe.py" \
+        --input - <<JSON
+      {
+        "baseUrl": "$BASE_URL",
+        "loginPath": "$LOGIN_PATH",
+        "protectedPath": "$PROTECTED_PATH",
+        "markerText": "$MARKER_TEXT",
+        "screenshotDir": "autonoma/.login-probe",
+        "label": "$SCENARIO_NAME",
+        "auth": $AUTH_JSON
+      }
+      JSON
+      ```
+      Interpret the JSON verdict printed on stdout (`{ok, mode, failure.category, ...}`; the script exits 2 on failure):
+        - `ok: true` → record `loginProbe: { ok: true, mode, scenario: "$SCENARIO_NAME", evidence }`
+          in the terminal artifact (step 7) and skip the probe for the remaining
+          scenarios — one successful probe per run is sufficient signal.
+        - `skipped: true` (no cookies/headers/token/user in `auth`, `agent-browser` could not be installed,
+          or the `claude` CLI is missing) → record the skip payload verbatim and continue. Do not treat as failure.
+        - `ok: false` → this is a **handler bug** (path 3a above). The failure
+          `category` tells you what to fix:
+            - `redirected_to_login` → the cookie/token reached the server but was
+              rejected. Check the auth callback's signing/session secret and cookie
+              value format.
+            - `cookie_not_sent` → browser refused to attach the cookie. Check
+              `domain`, `path`, `Secure`, `SameSite`, `HttpOnly` attrs on Set-Cookie.
+            - `marker_missing` → redirect succeeded but page didn't render the
+              expected post-login marker. Either the marker is wrong (update KB)
+              or a downstream load fails (inspect screenshot, fix handler).
+            - `bad_credentials` → form submit with the user's password didn't
+              authenticate. The `user` payload the auth callback returns doesn't
+              match the real credentials stored in the DB.
+            - `open_failed` / `fill_failed` / `submit_failed` / `unknown_ui` / `parse_error` →
+              browser-side or probe-infrastructure issue, inspect `failure.detail`.
+          Fix the handler and restart the loop. Do NOT move on to `down` for this
+          scenario — the session artifacts from a broken `up` aren't trustworthy.
+   7. POST `{action:"down", refsToken}`. Expect `{ok:true}`.
+   8. Verify the refs rows are gone.
 
 5. After every scenario passes cleanly, emit the scenario recipes.
 
@@ -208,10 +254,20 @@ Repeat until all three actions succeed for every scenario OR you exhaust 5 itera
      "blockingIssues": [],
      "recipePath": "autonoma/scenario-recipes.json",
      "validationMode": "endpoint-lifecycle",
-     "endpointUrl": "http://localhost:3000/api/autonoma"
+     "endpointUrl": "http://localhost:3000/api/autonoma",
+     "loginProbe": {
+       "ok": true,
+       "mode": "cookies",
+       "scenario": "standard",
+       "evidence": { "final_url": "http://localhost:3000/dashboard" }
+     }
    }
    ```
 
+   `loginProbe` is REQUIRED when `status == "ok"`. Use the verdict from step 4.6.
+   If the probe was skipped (no auth material or `agent-browser` unavailable) record
+   `{ "ok": false, "skipped": true, "reason": "..." }` — that satisfies the schema.
+
    On failure keep the same shape with `status: "failed"`, `preflightPassed: false` when
    preflight did not pass, populated `failedScenarios`, and concrete `blockingIssues`.
 
diff --git a/hooks/validators/login_probe.py b/hooks/validators/login_probe.py
new file mode 100755
index 0000000..73d147c
--- /dev/null
+++ b/hooks/validators/login_probe.py
@@ -0,0 +1,291 @@
+#!/usr/bin/env python3
+"""Login probe — spawns `claude -p` with the agent-browser skill to verify
+that the `auth` payload returned by `up` actually reaches an authenticated
+page in a real browser.
+
+This script does NOT drive agent-browser itself. It hands the full task to
+a `claude -p` subprocess so the agent can reason about the login UI, pick
+selectors via `snapshot`, and adapt to non-standard forms. Context-isolated
+from the main pipeline, same pattern as validate_factory_fidelity.py.
+
+Input: JSON on stdin (or --input file).
+Output: JSON on stdout (or --output file).
+
+Exit codes:
+  0  success OR skipped
+  2  probe failure (login didn't work)
+"""
+from __future__ import annotations
+
+import argparse
+import json
+import os
+import re
+import shutil
+import subprocess
+import sys
+from pathlib import Path
+
+
+TIMEOUT = int(os.environ.get("AUTONOMA_LOGIN_PROBE_TIMEOUT", "180"))  # seconds allowed for the `claude -p` subprocess
+PLUGIN_ROOT_FILE = "/tmp/autonoma-plugin-root"  # file whose contents are the plugin root directory path
+
+
+def _install_agent_browser() -> tuple[bool, str]:
+    """Try to install the agent-browser CLI; return (available, transcript).
+
+    Package managers are attempted in order (npm, brew, cargo), stopping at
+    the first one that is on PATH and whose install command exits 0.
+    """
+    transcript: list[str] = []
+
+    def _attempt(argv: list[str], timeout: int = 600) -> bool:
+        transcript.append(f"$ {' '.join(argv)}")
+        try:
+            done = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
+        except FileNotFoundError:
+            transcript.append("  (command not found)")
+            return False
+        except subprocess.TimeoutExpired:
+            transcript.append(f"  (timeout after {timeout}s)")
+            return False
+        combined = (done.stdout + done.stderr).strip()
+        transcript.extend(f"  {line}" for line in combined.splitlines()[-5:])
+        return done.returncode == 0
+
+    installers = (["npm", "install", "-g", "agent-browser"],
+                  ["brew", "install", "agent-browser"],
+                  ["cargo", "install", "agent-browser"])
+    if not any(shutil.which(argv[0]) and _attempt(argv) for argv in installers):
+        return False, "\n".join(transcript) or "no installer available (need npm, brew, or cargo)"
+
+    # Post-install step; its exit status is not consulted, only PATH is.
+    _attempt(["agent-browser", "install"], timeout=900)
+    return shutil.which("agent-browser") is not None, "\n".join(transcript)
+
+
+def _load_skill() -> str:
+    """Return the agent-browser SKILL.md text for the prompt, or "" if none is found."""
+    # Plugin root file first, then repo-relative; read_text() closes its handle.
+    candidates = []
+    if os.path.isfile(PLUGIN_ROOT_FILE):
+        root = Path(Path(PLUGIN_ROOT_FILE).read_text().strip())
+        candidates.append(root / "skills" / "agent-browser" / "SKILL.md")
+    candidates.append(Path(__file__).resolve().parent.parent.parent / "skills" / "agent-browser" / "SKILL.md")
+    for p in candidates:
+        if p.is_file():
+            return p.read_text()
+    return ""
+
+
+def _build_prompt(cfg: dict, skill_text: str) -> str:
+    """Render the probe prompt from cfg (only `baseUrl` is required) and the skill text."""
+    auth_json = json.dumps(cfg.get("auth", {}), indent=2)
+    base_url = cfg["baseUrl"]
+    login_path = cfg.get("loginPath", "/login")
+    protected_path = cfg.get("protectedPath", "/dashboard")
+    marker_text = cfg.get("markerText", "")
+    label = cfg.get("label", "probe")
+    screenshot_dir = cfg.get("screenshotDir", "autonoma/.login-probe")
+    return f"""You are a login probe. You have access to `agent-browser`, a headless browser
+CLI. Use it via Bash to verify that the auth credentials below actually reach
+an authenticated page.
+
+## agent-browser reference
+
+{skill_text}
+
+## Task
+
+The Environment Factory's `up` action returned the auth payload below.
+Your job: use agent-browser to prove these credentials reach an authenticated
+state on the running dev server. Always run headless (never --headed).
+Always use `--session login-probe-{label}`.
+
+**Base URL**: {base_url}
+**Login path**: {login_path}
+**Protected path**: {protected_path}
+**Marker text** (substring expected on the authed page): {marker_text or "(none)"}
+**Screenshot dir**: {screenshot_dir}
+
+**Auth payload**:
+```json
+{auth_json}
+```
+
+## Strategy
+
+1. If `auth` has `cookies`: navigate to {base_url}{login_path} first (to set
+   the origin), then use `agent-browser cookies set <name> <value>` for each
+   cookie. Then navigate to {base_url}{protected_path}. Check that the final
+   URL is NOT {login_path} and optionally that the marker text appears.
+
+2. If `auth` has `headers` or `token`: use
+   `agent-browser open {base_url}{protected_path} --headers '<json>'` with
+   the appropriate Authorization header. Check the final URL.
+
+3. If `auth` has `user` (username/password): navigate to {base_url}{login_path},
+   use `agent-browser snapshot -i` to find the form fields, fill them with
+   `agent-browser fill <selector> <value>`, submit, then navigate to the
+   protected path and check.
+
+Try cookies first, then token/headers, then form. Stop at the first success.
+
+## Output
+
+When done, print EXACTLY one JSON object to stdout (no markdown fences, no
+extra text before or after) with this shape:
+
+Success:
+{{"ok": true, "mode": "cookies|token|form", "evidence": {{"final_url": "...", "screenshot": "..."}}, "scenario": "{label}"}}
+
+Failure:
+{{"ok": false, "mode": "cookies|token|form", "failure": {{"category": "redirected_to_login|cookie_not_sent|marker_missing|bad_credentials|open_failed|fill_failed|submit_failed|unknown_ui", "detail": "one sentence explanation", "screenshot_path": "..."}}, "evidence": {{}}}}
+
+Categories:
+- redirected_to_login: cookie/token reached server but was rejected
+- cookie_not_sent: browser didn't attach the cookie (path/domain/scope issue)
+- marker_missing: page loaded but expected marker text absent
+- bad_credentials: form submit with given user/pass didn't authenticate
+- open_failed: couldn't navigate (server down, bad URL)
+- fill_failed / submit_failed: form selectors didn't match
+- unknown_ui: can't figure out the login UI
+
+Take a screenshot before reporting: `agent-browser --session login-probe-{label} screenshot {screenshot_dir}/{label}.png`
+
+Close the session when done: `agent-browser --session login-probe-{label} close`
+"""
+
+
+def _parse_verdict(text: str) -> dict:
+    """Extract the JSON verdict from claude -p output.
+
+    `claude -p --output-format json` wraps the assistant's text in an
+    envelope like `{"result": "...", "duration_ms": ..., ...}`. We unwrap
+    that first, then hunt for a JSON object with an "ok" key inside the
+    assistant's response text; anything else yields a `parse_error` verdict.
+    """
+    text = text.strip()
+
+    # Step 1: unwrap the claude envelope if present.
+    inner = text
+    try:
+        envelope = json.loads(text)
+        if isinstance(envelope, dict):
+            raw = envelope.get("result") or envelope.get("text") or envelope.get("output") or ""
+            if isinstance(raw, str) and raw.strip():
+                inner = raw.strip()
+            elif isinstance(raw, list):
+                inner = "\n".join(str(x) for x in raw).strip()
+            # If envelope itself has "ok", it IS the verdict (e.g. tests).
+            if "ok" in envelope:
+                return envelope
+    except json.JSONDecodeError:
+        pass
+
+    # Step 2: inner text as JSON; needs "ok" so a bare envelope is never the verdict.
+    try:
+        obj = json.loads(inner)
+        if isinstance(obj, dict) and "ok" in obj:
+            return obj
+    except json.JSONDecodeError:
+        pass
+
+    # Step 3: strip markdown fences (same "ok" requirement as step 2).
+    cleaned = re.sub(r"^```[a-zA-Z]*\n", "", inner)
+    cleaned = re.sub(r"\n```\s*$", "", cleaned)
+    try:
+        obj = json.loads(cleaned)
+        if isinstance(obj, dict) and "ok" in obj:
+            return obj
+    except json.JSONDecodeError:
+        pass
+
+    # Step 4: find the last JSON object containing "ok" (the agent may
+    # print narrative before the verdict).
+    candidates = list(re.finditer(r"\{[^{}]*(?:\{[^{}]*\}[^{}]*)*\}", inner))
+    for m in reversed(candidates):
+        try:
+            obj = json.loads(m.group(0))
+            if isinstance(obj, dict) and "ok" in obj:
+                return obj
+        except json.JSONDecodeError:
+            continue
+
+    return {"ok": False, "failure": {"category": "parse_error",
+            "detail": f"Could not parse verdict from claude output: {inner[:300]}"}}
+
+
+def run(cfg: dict) -> dict:
+    """Run one login probe for cfg and return its verdict (ok / skipped / failure) dict."""
+    # Check auth has anything to probe — before any install work is attempted.
+    auth = cfg.get("auth") or {}
+    if not any(auth.get(k) for k in ("cookies", "headers", "token", "user")):
+        return {"ok": False, "skipped": True,
+                "reason": "auth payload has no cookies, headers, token, or user."}
+
+    # Ensure claude CLI is available.
+    if shutil.which("claude") is None:
+        return {"ok": False, "skipped": True,
+                "reason": "claude CLI not on PATH."}
+
+    # Ensure agent-browser is available (last: installing is slow and global).
+    if shutil.which("agent-browser") is None:
+        if os.environ.get("AUTONOMA_LOGIN_PROBE_NO_INSTALL") == "1":
+            return {"ok": False, "skipped": True,
+                    "reason": "agent-browser not on PATH; auto-install disabled via env."}
+        ok, install_log = _install_agent_browser()
+        if not ok:
+            return {"ok": False, "skipped": True,
+                    "reason": f"agent-browser auto-install failed.\n{install_log}"}
+
+    skill_text = _load_skill()
+    prompt = _build_prompt(cfg, skill_text)
+    cmd = [
+        "claude", "-p", "--output-format", "json",
+        "--allowedTools", "Bash(agent-browser *)",
+        "--allowedTools", "Bash(mkdir *)",
+    ]
+    model = os.environ.get("AUTONOMA_LOGIN_PROBE_MODEL", "sonnet")
+    if model:
+        cmd.extend(["--model", model])
+
+    try:
+        proc = subprocess.run(
+            cmd, input=prompt, capture_output=True, text=True, timeout=TIMEOUT,
+        )
+    except subprocess.TimeoutExpired:
+        return {"ok": False, "failure": {"category": "open_failed",
+                "detail": f"claude -p timed out after {TIMEOUT}s"}}
+    except FileNotFoundError:
+        return {"ok": False, "skipped": True,
+                "reason": "claude CLI not found."}
+
+    if proc.returncode != 0:
+        return {"ok": False, "failure": {"category": "open_failed",
+                "detail": f"claude -p exited {proc.returncode}: {proc.stderr[:400]}"}}
+
+    return _parse_verdict(proc.stdout)
+
+
+def main() -> int:
+    """CLI entry: read the probe config, run it, emit the verdict; exit 0 on ok/skipped, else 2."""
+    parser = argparse.ArgumentParser()
+    parser.add_argument("--input")
+    parser.add_argument("--output")
+    args = parser.parse_args()
+    # `--input -` is the documented heredoc form; treat it as stdin, not a file named "-".
+    use_stdin = args.input in (None, "", "-")
+    raw = sys.stdin.read() if use_stdin else Path(args.input).read_text()
+    cfg = json.loads(raw)
+    result = run(cfg)
+    payload = json.dumps(result, indent=2)
+    if args.output:
+        Path(args.output).write_text(payload)
+    else:
+        sys.stdout.write(payload + "\n")
+    return 0 if result.get("ok") or result.get("skipped") else 2
+
+
+if __name__ == "__main__":
+    sys.exit(main())
diff --git a/hooks/validators/validate_scenario_validation.py b/hooks/validators/validate_scenario_validation.py
index 1339352..8455c73 100644
--- a/hooks/validators/validate_scenario_validation.py
+++ b/hooks/validators/validate_scenario_validation.py
@@ -64,4 +64,28 @@ def fail(message: str) -> None:
 if parsed.scheme not in {"http", "https"} or not parsed.netloc:
     fail("endpointUrl must be an absolute http/https URL")
 
+# Login probe result — required when status == "ok". A passing probe must name
+# its mode and scenario; a failed probe (ok false, not skipped) is reported via
+# fail(). A skipped probe (truthy `skipped`, e.g. agent-browser unavailable) is
+# accepted as-is, so status "ok" does not by itself prove a browser login —
+# consumers that need that proof must check loginProbe.ok themselves.
+probe = payload.get("loginProbe")
+if payload.get("status") == "ok":
+    if not isinstance(probe, dict):
+        fail("loginProbe must be an object when status is 'ok'")
+    if "ok" not in probe or not isinstance(probe["ok"], bool):
+        fail("loginProbe.ok must be a boolean")
+    skipped = bool(probe.get("skipped"))  # any truthy `skipped` value counts
+    if not probe["ok"] and not skipped:
+        fail("loginProbe.ok is false — status cannot be 'ok' while login probe failed")
+    if probe["ok"]:
+        mode = probe.get("mode")
+        if mode not in {"cookies", "token", "form"}:
+            fail("loginProbe.mode must be one of 'cookies', 'token', 'form' when ok")
+        scenario = probe.get("scenario")
+        if not isinstance(scenario, str) or not scenario.strip():
+            fail("loginProbe.scenario must be a non-empty string when ok")
+elif probe is not None and not isinstance(probe, dict):  # other statuses: only the type is checked
+    fail("loginProbe, when present, must be an object")
+
 print("OK")
diff --git a/skills/agent-browser/SKILL.md b/skills/agent-browser/SKILL.md
new file mode 100644
index 0000000..49e34e9
--- /dev/null
+++ b/skills/agent-browser/SKILL.md
@@ -0,0 +1,257 @@
+---
+name: agent-browser
+description: >
+  Full CLI reference for agent-browser, a headless browser automation tool
+  for AI agents. Use this skill when driving a browser via Bash to navigate,
+  interact with elements, manage cookies/storage, and verify page state.
+---
+
+# agent-browser CLI Reference
+
+`agent-browser` is a fast, headless-by-default browser automation CLI built
+for AI agents. It uses Playwright under the hood, exposed as simple shell
+commands with `--json` output.
+
+Install: `npm install -g agent-browser && agent-browser install`
+
+## Global Options (apply to all commands)
+
+| Flag | Description |
+|------|-------------|
+| `--session <name>` | Isolated browser session (or `AGENT_BROWSER_SESSION` env) |
+| `--json` | JSON output (`{"success": bool, "data": ..., "error": ...}`) |
+| `--headed` | Show browser window (default is headless) |
+| `--headers <json>` | HTTP headers scoped to the URL's origin (for auth) |
+| `--cdp <port>` | Connect via Chrome DevTools Protocol |
+
+**Always use `--json`** for machine-readable output.
+**Always use `--session <name>`** to avoid session conflicts.
+**Never use `--headed`** in automated pipelines.
+
+## Core Commands
+
+### Navigation
+
+```bash
+agent-browser open <url>                  # Navigate to URL
+agent-browser open <url> --headers '{"Authorization": "Bearer ..."}'
+agent-browser back                        # Go back
+agent-browser forward                     # Go forward
+agent-browser reload                      # Reload page
+```
+
+`open` auto-prepends `https://` if no protocol given. Headers are scoped to
+that origin only.
+
+### Interaction
+
+```bash
+agent-browser click <selector>            # Click element (CSS, XPath, or @ref)
+agent-browser dblclick <selector>         # Double-click
+agent-browser fill <selector> <text>      # Clear + fill input
+agent-browser type <selector> <text>      # Type without clearing
+agent-browser press <key>                 # Press key (Enter, Tab, Control+a)
+agent-browser hover <selector>            # Hover element
+agent-browser focus <selector>            # Focus element
+agent-browser check <selector>            # Check checkbox
+agent-browser uncheck <selector>          # Uncheck checkbox
+agent-browser select <selector> <value>   # Select dropdown option
+agent-browser upload <selector> <files>   # Upload files
+agent-browser scroll <dir> [px]           # Scroll (up/down/left/right)
+agent-browser scrollintoview <selector>   # Scroll element into view
+```
+
+Selectors can be CSS (`"#id"`, `".class"`), XPath (`"//button"`), or
+element refs from `snapshot` (`@e1`, `@e2`).
+
+### Getting Information
+
+```bash
+agent-browser get text <selector>         # Text content
+agent-browser get html <selector>         # Inner HTML
+agent-browser get value <selector>        # Input value
+agent-browser get attr <selector> <name>  # Attribute value
+agent-browser get title                   # Page title
+agent-browser get url                     # Current URL
+agent-browser get count <selector>        # Count matching elements
+agent-browser get box <selector>          # Bounding box
+```
+
+### State Checks
+
+```bash
+agent-browser is visible <selector>       # true/false
+agent-browser is enabled <selector>
+agent-browser is checked <selector>
+```
+
+### Finding Elements (semantic locators)
+
+```bash
+agent-browser find role <role> click              # By ARIA role
+agent-browser find role button click --name Submit
+agent-browser find text "Sign in" click           # By visible text
+agent-browser find label "Email" fill "user@x.com"
+agent-browser find placeholder "Password" fill "secret"
+agent-browser find testid "login-btn" click       # By data-testid
+agent-browser find first "input" fill "value"     # First match
+agent-browser find nth 2 "li" click               # Nth match (0-based)
+```
+
+Options: `--name <n>` (filter role by name), `--exact` (exact text match).
+
+### Snapshots & Screenshots
+
+```bash
+agent-browser snapshot                    # Accessibility tree with @refs
+agent-browser snapshot -i                 # Interactive elements only
+agent-browser snapshot -c                 # Compact (remove empty nodes)
+agent-browser snapshot -d 3               # Limit depth
+agent-browser snapshot -s "#main"         # Scope to CSS selector
+
+agent-browser screenshot [path]           # Screenshot (base64 if no path)
+agent-browser screenshot ./shot.png
+agent-browser screenshot --full ./full.png  # Full page
+agent-browser pdf <path>                  # Save as PDF
+```
+
+**Use `snapshot -i` to discover form fields** — it shows element refs
+(`@e1`, `@e2`) you can use in subsequent `fill`, `click` commands.
+
+### Cookies & Storage
+
+```bash
+agent-browser cookies                     # Get all cookies
+agent-browser cookies get                 # Same
+agent-browser cookies set <name> <value>  # Set cookie (current context)
+agent-browser cookies clear               # Clear all
+
+agent-browser storage local               # Get all localStorage
+agent-browser storage local get <key>
+agent-browser storage local set <key> <value>
+agent-browser storage local clear
+agent-browser storage session get <key>   # sessionStorage
+```
+
+**Important**: `cookies set` scopes to the current page context. Navigate to
+the target origin first before setting cookies.
+
+### JavaScript Evaluation
+
+```bash
+agent-browser eval "document.title"
+agent-browser eval "document.cookie='name=value; path=/; domain=localhost'"
+agent-browser eval "window.location.href"
+```
+
+Use `eval` with `document.cookie=` when you need to set cookie attributes (path, domain, SameSite,
+Secure) that `cookies set` doesn't expose. `HttpOnly` cannot be set this way — browsers ignore it from JavaScript.
+
+### Waiting
+
+```bash
+agent-browser wait <selector>             # Wait for element
+agent-browser wait 2000                   # Wait ms
+agent-browser wait --url "**/dashboard"   # Wait for URL match
+agent-browser wait --load networkidle     # Wait for load state
+agent-browser wait --fn "window.ready"    # Wait for JS expression
+agent-browser wait --text "Welcome"       # Wait for text
+```
+
+### Network
+
+```bash
+agent-browser network route "**/api/*" --abort     # Block requests
+agent-browser network route "**/data" --body '{"mock": true}'
+agent-browser network unroute                      # Remove routes
+agent-browser network requests                     # List requests
+agent-browser network requests --filter "api"
+```
+
+### Browser Settings
+
+```bash
+agent-browser set viewport 1920 1080
+agent-browser set device "iPhone 12"
+agent-browser set headers '{"X-Custom": "value"}'
+agent-browser set credentials <user> <pass>   # HTTP auth
+agent-browser set media dark
+agent-browser set offline on
+```
+
+### Tabs
+
+```bash
+agent-browser tab list
+agent-browser tab new
+agent-browser tab close
+agent-browser tab 2                       # Switch to tab
+```
+
+### Session Management
+
+```bash
+agent-browser session                     # Show current session
+agent-browser session list                # List active sessions
+agent-browser close                       # Close browser & session
+```
+
+### Debug
+
+```bash
+agent-browser console                     # View console logs
+agent-browser errors                      # View page errors
+agent-browser highlight <selector>        # Highlight element
+agent-browser trace start                 # Record trace
+agent-browser trace stop [path]
+```
+
+## JSON Output Format
+
+All commands with `--json` return:
+
+```json
+{"success": true,  "data": <command-specific>, "error": null}
+{"success": false, "data": null, "error": "error message"}
+```
+
+Examples:
+- `get url` → `{"success": true, "data": {"url": "https://..."}, "error": null}`
+- `cookies get` → `{"success": true, "data": {"cookies": [...]}, "error": null}`
+- `snapshot` → `{"success": true, "data": {"snapshot": "..."}, "error": null}`
+
+## Common Patterns
+
+### Set cookie and verify protected page
+
+```bash
+agent-browser --session s1 --json open http://localhost:3000/login
+agent-browser --session s1 --json cookies set session "abc123"
+agent-browser --session s1 --json open http://localhost:3000/dashboard
+agent-browser --session s1 --json get url    # check not redirected
+agent-browser --session s1 --json get text body  # check marker text
+agent-browser --session s1 screenshot ./proof.png
+agent-browser --session s1 close
+```
+
+### Fill login form using snapshot
+
+```bash
+agent-browser --session s1 --json open http://localhost:3000/login
+agent-browser --session s1 snapshot -i       # find form field refs
+agent-browser --session s1 --json fill @e1 "user@example.com"
+agent-browser --session s1 --json fill @e2 "password123"
+agent-browser --session s1 --json click @e3  # submit button
+agent-browser --session s1 --json wait --url "**/dashboard"
+agent-browser --session s1 --json get url
+agent-browser --session s1 close
+```
+
+### Auth via headers
+
+```bash
+agent-browser --session s1 --json open http://localhost:3000/dashboard \
+  --headers '{"Authorization": "Bearer eyJ..."}'
+agent-browser --session s1 --json get url
+agent-browser --session s1 close
+```
diff --git a/skills/validate-auth-login/SKILL.md b/skills/validate-auth-login/SKILL.md
new file mode 100644
index 0000000..bdc2508
--- /dev/null
+++ b/skills/validate-auth-login/SKILL.md
@@ -0,0 +1,114 @@
+---
+name: validate-auth-login
+description: >
+  Drive a real headless Chrome session through vercel-labs/agent-browser to
+  verify that the `auth` payload returned by the Environment Factory's `up`
+  action actually reaches an authenticated page. Invoked by the scenario-
+  validator (Step 5) once per run, between `up` and `down`.
+---
+
+# Validate Auth / Login
+
+Problem: Step 4 can produce a handler whose `up` response *looks* valid
+(returns cookies / token / user) but the credentials don't actually log in —
+cookie domain wrong, session secret mismatch, CSRF seed missing, token type
+wrong, Set-Cookie attrs stripped. Downstream E2E tests then fail in an
+opaque "redirected to /login" way.
+
+Solution: before we write `.endpoint-validated`, drive a real browser with
+the `auth` payload against the protected page and confirm the session
+sticks. Headless. Deterministic (no LLM in the hot path).
+
+## When to use
+
+The scenario-validator agent invokes this skill once per run, on the first
+scenario whose `up` response contains `auth.cookies`, `auth.headers`,
+`auth.token`, or `auth.user`. Record the verdict in
+`autonoma/.scenario-validation.json` under `loginProbe`.
+
+If the probe fails, the scenario-validator's existing iterative-fix loop
+picks up the failure category and fixes the handler (up to 5 iterations).
+
+## How to run
+
+```bash
+python3 "$(cat /tmp/autonoma-plugin-root)/hooks/validators/login_probe.py" \
+  --input - <<'JSON'
+{
+  "baseUrl":       "http://localhost:3000",
+  "loginPath":     "/login",
+  "protectedPath": "/dashboard",
+  "markerText":    "Dashboard",
+  "screenshotDir": "autonoma/.login-probe",
+  "label":         "standard",
+  "auth": {
+    "cookies":  [{"name": "session", "value": "...", "domain": "localhost", "path": "/"}],
+    "headers":  {"Authorization": "Bearer ..."},
+    "token":    "...",
+    "user":     {"username": "demo", "password": "demo123"}
+  }
+}
+JSON
+```
+
+Take `baseUrl`/`loginPath`/`protectedPath` from the login flow documented
+in `autonoma/AUTONOMA.md`. `markerText` is the substring the probe looks
+for on the protected page to confirm a logged-in state (usually the
+username echo or a "Dashboard" header). It is optional — if absent, the
+probe accepts any non-login URL as success.
+
+## Output contract
+
+Single JSON object on stdout:
+
+```json
+{ "ok": true,  "mode": "cookies|token|form", "evidence": { "final_url": "...", "screenshot": "..." } }
+{ "ok": false, "mode": "...", "failure": { "category": "...", "detail": "...", "screenshot_path": "..." } }
+{ "ok": false, "skipped": true, "reason": "..." }
+```
+
+Exit code: `0` on success or skip, `2` on failure. Screenshots are written
+to `autonoma/.login-probe/<label>-<mode>.png` so you can eyeball the state
+when diagnosing a failure.
+
+## Installing agent-browser
+
+The probe auto-installs `agent-browser` on first run if it is not on PATH,
+trying `npm install -g agent-browser`, then `brew install agent-browser`,
+then `cargo install agent-browser` (whichever toolchain is available). It
+also runs `agent-browser install` to download headless Chrome. Only if all
+three installers are missing does the probe fall back to a structured skip —
+the user never has to intervene.
+
+Manual install fallback:
+
+```bash
+# macOS
+brew install agent-browser
+
+# or any OS via npm
+npm install -g agent-browser
+
+# then download the headless Chrome it drives:
+agent-browser install
+```
+
+`agent-browser` runs headless by default. Never pass `--headed` in CI / pipeline context.
+
+## Failure categories
+
+| `failure.category`    | What it means                                               | Typical fix                                        |
+|-----------------------|-------------------------------------------------------------|----------------------------------------------------|
+| `redirected_to_login` | Cookie/token was sent but server rejected it.                | Check auth callback's session secret / token type. |
+| `cookie_not_sent`     | Browser refused to attach the cookie.                        | Fix `domain`/`path`/`Secure`/`SameSite`/`HttpOnly`.|
+| `marker_missing`      | Reached a non-login URL, but the expected post-login marker is absent. | Update marker in KB, or fix handler render.        |
+| `bad_credentials`     | Form submit with `auth.user` didn't authenticate.            | Align returned credentials with DB state.          |
+| `open_failed`         | agent-browser couldn't navigate (server down, bad URL).      | Confirm dev server up, baseUrl reachable.          |
+| `fill_failed` / `submit_failed` | Selectors don't match the login form.              | Supply correct `usernameSelector` / `passwordSelector` / `submitSelector`. |
+
+## Tests
+
+Fixture app + pytest coverage at `tests/fixtures/login-app/server.py` and
+`tests/test_login_probe.py`. The fixture is a stdlib-only HTTP server with
+hardcoded `demo`/`demo123` credentials, providing deterministic success and
+failure paths for every category above.
diff --git a/tests/fixtures/login-app/server.py b/tests/fixtures/login-app/server.py
new file mode 100644
index 0000000..a0034f1
--- /dev/null
+++ b/tests/fixtures/login-app/server.py
@@ -0,0 +1,118 @@
+#!/usr/bin/env python3
+"""Tiny login fixture app for login-probe tests.
+
+Endpoints:
+  GET  /login      -> HTML form (username, password)
+  POST /login      -> checks demo/demo123, sets Set-Cookie: session=valid-token; Path=/
+  GET  /dashboard  -> if session cookie == valid-token => 200 with marker
+                      else 302 Location: /login
+
+Intentionally dependency-free (stdlib only) so pytest can bring it up
+in-process without touching the user's Python env.
+"""
+from __future__ import annotations
+
+import argparse
+import threading
+from http.cookies import SimpleCookie
+from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
+from urllib.parse import parse_qs
+
+VALID_USER = "demo"
+VALID_PASS = "demo123"
+VALID_TOKEN = "valid-token"
+
+LOGIN_HTML = """<!doctype html>
+<html><body>
+<h1>Login</h1>
+<form method="post" action="/login">
+  <input name="username" id="username" />
+  <input name="password" id="password" type="password" />
+  <button type="submit" id="submit">Sign in</button>
+</form>
+</body></html>
+"""
+
+DASH_HTML = """<!doctype html>
+<html><body>
+<h1>Dashboard</h1>
+<span data-testid="user-menu">demo</span>
+</body></html>
+"""
+
+
+class Handler(BaseHTTPRequestHandler):
+    def log_message(self, *_a, **_k):
+        return
+
+    def _cookie(self) -> str | None:
+        raw = self.headers.get("Cookie")
+        if not raw:
+            return None
+        jar = SimpleCookie()
+        jar.load(raw)
+        if "session" in jar:
+            return jar["session"].value
+        return None
+
+    def do_GET(self):  # noqa: N802
+        """Serve GET /login and GET /dashboard; answer 404 for anything else.
+
+        Routing ignores the query string because do_POST redirects failed
+        logins to /login?error=1, which must still render the login form.
+        """
+        route = self.path.split("?", 1)[0]
+        if route == "/dashboard" and self._cookie() != VALID_TOKEN:
+            # No valid session cookie: bounce to the login form.
+            self.send_response(302)
+            self.send_header("Location", "/login")
+            self.end_headers()
+            return
+        page = {"/login": LOGIN_HTML, "/dashboard": DASH_HTML}.get(route)
+        if page is None:
+            self.send_response(404)
+            self.end_headers()
+            return
+        body = page.encode()
+        self.send_response(200)
+        self.send_header("Content-Type", "text/html; charset=utf-8")
+        self.send_header("Content-Length", str(len(body)))
+        self.end_headers()
+        self.wfile.write(body)
+
+    def do_POST(self):  # noqa: N802
+        if self.path != "/login":
+            self.send_response(404)
+            self.end_headers()
+            return
+        length = int(self.headers.get("Content-Length") or 0)
+        raw = self.rfile.read(length).decode("utf-8") if length else ""
+        form = {k: v[0] for k, v in parse_qs(raw).items()}
+        if form.get("username") == VALID_USER and form.get("password") == VALID_PASS:
+            self.send_response(302)
+            self.send_header("Location", "/dashboard")
+            self.send_header("Set-Cookie", f"session={VALID_TOKEN}; Path=/")
+            self.end_headers()
+            return
+        self.send_response(302)
+        self.send_header("Location", "/login?error=1")
+        self.end_headers()
+
+
+def serve(host: str = "127.0.0.1", port: int = 0) -> tuple[ThreadingHTTPServer, threading.Thread]:
+    server = ThreadingHTTPServer((host, port), Handler)
+    thread = threading.Thread(target=server.serve_forever, daemon=True)
+    thread.start()
+    return server, thread
+
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser()
+    parser.add_argument("--port", type=int, default=8787)
+    args = parser.parse_args()
+    srv = ThreadingHTTPServer(("127.0.0.1", args.port), Handler)  # not serve(): one loop only
+    print(f"listening on http://127.0.0.1:{srv.server_address[1]}")
+    try:
+        srv.serve_forever()
+    except KeyboardInterrupt:
+        srv.server_close()  # loop has already exited; just release the socket
diff --git a/tests/test_login_probe.py b/tests/test_login_probe.py
new file mode 100644
index 0000000..33e5fef
--- /dev/null
+++ b/tests/test_login_probe.py
@@ -0,0 +1,174 @@
+"""End-to-end tests for hooks/validators/login_probe.py against the login-app
+fixture. Requires both `agent-browser` and `claude` CLIs on PATH."""
+from __future__ import annotations
+
+import json
+import os
+import shutil
+import subprocess
+import sys
+import time
+from pathlib import Path
+
+import pytest
+
+ROOT = Path(__file__).resolve().parent.parent
+PROBE = ROOT / "hooks" / "validators" / "login_probe.py"
+FIXTURE = ROOT / "tests" / "fixtures" / "login-app" / "server.py"
+
+needs_agent_browser = pytest.mark.skipif(
+    shutil.which("agent-browser") is None,
+    reason="agent-browser CLI not installed",
+)
+needs_claude = pytest.mark.skipif(
+    shutil.which("claude") is None,
+    reason="claude CLI not installed",
+)
+
+
+@pytest.fixture(scope="module")
+def fixture_server():
+    """Serve the login fixture on an ephemeral port; yield its base URL."""
+    import urllib.request
+    sys.path.insert(0, str(FIXTURE.parent))
+    import server  # type: ignore
+    srv, _thread = server.serve(port=0)
+    base = f"http://127.0.0.1:{srv.server_address[1]}"
+    for _ in range(20):  # up to 20 quick attempts for the fixture to answer
+        try:
+            urllib.request.urlopen(base + "/login", timeout=1).read()
+            break
+        except Exception:
+            time.sleep(0.05)
+    yield base
+    srv.shutdown()
+    srv.server_close()  # shutdown() only stops the loop; free the socket too
+    sys.path.remove(str(FIXTURE.parent))
+
+
+def run_probe(cfg: dict, tmp_path: Path, timeout: int = 300) -> tuple[int, dict]:
+    """Pipe ``cfg`` (plus defaults) to the probe; return (exit code, verdict)."""
+    # Layer defaults under a copy so the caller's dict is never mutated.
+    payload = json.dumps({"screenshotDir": str(tmp_path), "markerText": "demo", **cfg})
+    env = {**os.environ, "PYTHONUNBUFFERED": "1",
+           "AUTONOMA_LOGIN_PROBE_MODEL": "haiku",
+           "AUTONOMA_LOGIN_PROBE_TIMEOUT": "240"}
+    proc = subprocess.run(
+        [sys.executable, str(PROBE)],
+        input=payload,
+        capture_output=True,
+        text=True,
+        env=env,
+        timeout=timeout,
+    )
+    verdict = json.loads(proc.stdout) if proc.stdout.strip() else {}
+    return proc.returncode, verdict
+
+
+@needs_agent_browser
+@needs_claude
+def test_cookie_success(fixture_server, tmp_path):
+    rc, verdict = run_probe({
+        "baseUrl": fixture_server,
+        "loginPath": "/login",
+        "protectedPath": "/dashboard",
+        "label": "cookie-ok",
+        "auth": {"cookies": [
+            {"name": "session", "value": "valid-token",
+             "domain": "127.0.0.1", "path": "/"},
+        ]},
+    }, tmp_path)
+    assert rc == 0, verdict
+    assert verdict["ok"] is True
+    assert verdict["mode"] == "cookies"
+
+
+@needs_agent_browser
+@needs_claude
+def test_cookie_wrong_value(fixture_server, tmp_path):
+    rc, verdict = run_probe({
+        "baseUrl": fixture_server,
+        "loginPath": "/login",
+        "protectedPath": "/dashboard",
+        "label": "cookie-wrong",
+        "auth": {"cookies": [
+            {"name": "session", "value": "garbage",
+             "domain": "127.0.0.1", "path": "/"},
+        ]},
+    }, tmp_path)
+    assert rc == 2
+    assert verdict["ok"] is False
+    assert verdict.get("failure", {}).get("category") in {
+        "redirected_to_login", "cookie_not_sent", "marker_missing",
+    }
+
+
+@needs_agent_browser
+@needs_claude
+def test_form_success(fixture_server, tmp_path):
+    rc, verdict = run_probe({
+        "baseUrl": fixture_server,
+        "loginPath": "/login",
+        "protectedPath": "/dashboard",
+        "label": "form-ok",
+        "auth": {"user": {"username": "demo", "password": "demo123"}},
+    }, tmp_path)
+    assert rc == 0, verdict
+    assert verdict["ok"] is True
+    assert verdict["mode"] == "form"
+
+
+@needs_agent_browser
+@needs_claude
+def test_form_bad_credentials(fixture_server, tmp_path):
+    rc, verdict = run_probe({
+        "baseUrl": fixture_server,
+        "loginPath": "/login",
+        "protectedPath": "/dashboard",
+        "label": "form-bad",
+        "auth": {"user": {"username": "demo", "password": "WRONG"}},
+    }, tmp_path)
+    assert rc == 2
+    assert verdict["ok"] is False
+    assert verdict.get("failure", {}).get("category") in {
+        "bad_credentials", "redirected_to_login", "marker_missing",
+    }
+
+
+def test_agent_browser_missing_is_skip(tmp_path):
+    """If agent-browser is not on PATH, probe exits 0 with skipped=True."""
+    python_bin_dir = str(Path(sys.executable).parent)
+    filtered = [p for p in os.environ.get("PATH", "").split(os.pathsep)
+                if not (Path(p) / "agent-browser").exists()]
+    path = os.pathsep.join([python_bin_dir, *filtered])
+    assert shutil.which("agent-browser", path=path) is None, (
+        "could not construct a PATH without agent-browser"
+    )
+    proc = subprocess.run(
+        [sys.executable, str(PROBE)],
+        input=json.dumps({
+            "baseUrl": "http://127.0.0.1:1",
+            "loginPath": "/login",
+            "protectedPath": "/dashboard",
+            "auth": {"cookies": [{"name": "x", "value": "y"}]},
+        }),
+        capture_output=True, text=True,
+        env={"PATH": path, "PYTHONUNBUFFERED": "1",
+             "AUTONOMA_LOGIN_PROBE_NO_INSTALL": "1"},
+        timeout=15,
+    )
+    assert proc.returncode == 0, proc.stderr
+    verdict = json.loads(proc.stdout)
+    assert verdict.get("skipped") is True
+
+
+def test_empty_auth_is_skip(tmp_path):
+    """Auth payload with no credentials should skip."""
+    rc, verdict = run_probe({
+        "baseUrl": "http://127.0.0.1:1",
+        "loginPath": "/login",
+        "protectedPath": "/dashboard",
+        "auth": {},
+    }, tmp_path, timeout=15)
+    assert rc == 0
+    assert verdict.get("skipped") is True
diff --git a/tests/test_validate_scenario_validation.py b/tests/test_validate_scenario_validation.py
index a7f7b07..f47bcd6 100644
--- a/tests/test_validate_scenario_validation.py
+++ b/tests/test_validate_scenario_validation.py
@@ -18,6 +18,12 @@ def valid_payload(**overrides):
         "recipePath": "autonoma/scenario-recipes.json",
         "validationMode": "sdk-check",
         "endpointUrl": "http://127.0.0.1:3000/api/autonoma",
+        "loginProbe": {
+            "ok": True,
+            "mode": "cookies",
+            "scenario": "standard",
+            "evidence": {"final_url": "http://127.0.0.1:3000/dashboard"},
+        },
     }
     payload.update(overrides)
     return payload
@@ -30,15 +36,30 @@ def test_accepts_valid_payload():
 
 
 def test_accepts_failed_status_payload():
+    payload = valid_payload(
+        status="failed",
+        preflightPassed=False,
+        validatedScenarios=["standard"],
+        failedScenarios=["empty", "large"],
+        blockingIssues=["duplicate email"],
+    )
+    # Failed-status payloads don't require a successful probe.
+    payload.pop("loginProbe")
+    code, out = run_validator(SCRIPT, json.dumps(payload), filename=".scenario-validation.json")
+    assert code == 0
+    assert out == "OK"
+
+
+def test_accepts_ok_payload_with_skipped_probe():
     code, out = run_validator(
         SCRIPT,
         json.dumps(
             valid_payload(
-                status="failed",
-                preflightPassed=False,
-                validatedScenarios=["standard"],
-                failedScenarios=["empty", "large"],
-                blockingIssues=["duplicate email"],
+                loginProbe={
+                    "ok": False,
+                    "skipped": True,
+                    "reason": "agent-browser not installed",
+                }
             )
         ),
         filename=".scenario-validation.json",
@@ -47,6 +68,44 @@ def test_accepts_failed_status_payload():
     assert out == "OK"
 
 
+def test_rejects_ok_payload_missing_probe():
+    payload = valid_payload()
+    payload.pop("loginProbe")
+    code, out = run_validator(SCRIPT, json.dumps(payload), filename=".scenario-validation.json")
+    assert code == 1
+    assert "loginProbe" in out
+
+
+def test_rejects_ok_payload_with_failed_probe():
+    code, out = run_validator(
+        SCRIPT,
+        json.dumps(
+            valid_payload(
+                loginProbe={
+                    "ok": False,
+                    "mode": "cookies",
+                    "failure": {"category": "redirected_to_login", "detail": "..."},
+                }
+            )
+        ),
+        filename=".scenario-validation.json",
+    )
+    assert code == 1
+    assert "login probe failed" in out
+
+
+def test_rejects_ok_probe_without_scenario():
+    code, out = run_validator(
+        SCRIPT,
+        json.dumps(
+            valid_payload(loginProbe={"ok": True, "mode": "token"})
+        ),
+        filename=".scenario-validation.json",
+    )
+    assert code == 1
+    assert "scenario" in out
+
+
 def test_rejects_missing_required_field():
     payload = valid_payload()
     payload.pop("recipePath")