Registry Quality Gates
CI gates, integration tests, custom scripts, and pre-deploy checks for the Registry service.
Bucket A: Go Tests - Integration
- Schema conformance (load frozen schema + fixtures, assert pass/fail)
- Canonicalization vector (assert the fixture is byte-equal)
- Proof-of-control abuse (nonce replay, body/method/URI mismatch, kid handling)
- SSRF (use Go’s httptest to fake redirects and private ranges)
- Idempotency + optimistic locking (re-register, PATCH with stale If-Match, expect 409)
- Dependency-failure behavior (stop the Postgres/Redis container, assert /readyz flips and 503s come back)
- etc.
Bucket B: CLI tools(Integrate to CI pipeline)
- golangci-lint
- SAST, CA and Secret Detection
- Test coverage
promtool check rulesto validate alert rule files
Bucket C: Custom scripts
- Discovery accuracy: a Go test that loads the golden-set file (intent to expected DIDs), runs the queries against the test DB, and computes precision/recall against a floor. The math is a few lines.
- Log hygiene: a Go test that fires representative requests (including failing ones), captures the log output, and asserts the forbidden strings (signature, body, nonce, token) never appear.
- Metrics wired: a Go test that scrapes /metrics and checks each expected metric name is present.
Bucket D: Pre-deploy one-timers (run on staging)
These need a running environment or a person, so they are a checklist step before cutover, not a per-commit gate.
- Load test: a handful of k6 scripts (load, spike, stress) run against staging, with thresholds set to P95/P99 numbers so k6 itself passes or fails. Check query plans with EXPLAIN ANALYZE on the hot paths.
- TLS: run testssl.sh against the staging endpoint, confirm 1.3 only.
- Backup + restore: a short shell script (or documented manual steps) that restores a backup and confirms it comes up within your RTO. The drill is the test.
- Security review / pentest: people plus tools, scoped to the time. Internal review is the floor.
- Compliance: mostly a config checklist (encryption at rest, 180-day in-India retention, NTP to nic/npl sources, audit trail immutable) plus the CERT-In 6-hour tabletop. The one code piece is a Go test that the data_residency filter is enforced, which already lives in Bucket A.