Registry Quality Gates

CI gates, integration tests, custom scripts, and pre-deploy checks for the Registry service.

Bucket A: Go Tests - Integration

  1. Schema conformance (load frozen schema + fixtures, assert pass/fail)
  2. Canonicalization vector (assert the fixture is byte-equal)
  3. Proof-of-control abuse (nonce replay, body/method/URI mismatch, kid handling)
  4. SSRF (use Go’s httptest to fake redirects and private ranges)
  5. Idempotency + optimistic locking (re-register, PATCH with stale If-Match, expect 409)
  6. Dependency-failure behavior (stop the Postgres/Redis container, assert /readyz flips and 503s come back)
  7. etc.

Bucket B: CLI tools(Integrate to CI pipeline)

  1. golangci-lint
  2. SAST, CA and Secret Detection
  3. Test coverage
  4. promtool check rules to validate alert rule files

Bucket C: Custom scripts

  1. Discovery accuracy: a Go test that loads the golden-set file (intent to expected DIDs), runs the queries against the test DB, and computes precision/recall against a floor. The math is a few lines.
  2. Log hygiene: a Go test that fires representative requests (including failing ones), captures the log output, and asserts the forbidden strings (signature, body, nonce, token) never appear.
  3. Metrics wired: a Go test that scrapes /metrics and checks each expected metric name is present.

Bucket D: Pre-deploy one-timers (run on staging)

These need a running environment or a person, so they are a checklist step before cutover, not a per-commit gate.

  1. Load test: a handful of k6 scripts (load, spike, stress) run against staging, with thresholds set to P95/P99 numbers so k6 itself passes or fails. Check query plans with EXPLAIN ANALYZE on the hot paths.
  2. TLS: run testssl.sh against the staging endpoint, confirm 1.3 only.
  3. Backup + restore: a short shell script (or documented manual steps) that restores a backup and confirms it comes up within your RTO. The drill is the test.
  4. Security review / pentest: people plus tools, scoped to the time. Internal review is the floor.
  5. Compliance: mostly a config checklist (encryption at rest, 180-day in-India retention, NTP to nic/npl sources, audit trail immutable) plus the CERT-In 6-hour tabletop. The one code piece is a Go test that the data_residency filter is enforced, which already lives in Bucket A.