Trust Server Quality Gates
CI gates, integration tests, custom scripts, and pre-deploy checks for the Trust Server service.
Bucket A: Go Tests - Integration
- Schema conformance (load frozen UAIRiskPolicy + ConsentArtifact schemas with fixtures, assert pass/fail)
- Token vector (mint with pkg/jwtmint against the frozen reference vector, assert the compact JWT is byte-equal; verify with pkg/jwtverify and the Python reference validator, assert all three agree)
- Claims profile (every minted token carries iss, sub, aud, iat, nbf, exp, jti, scope, txn; exp - iat equals the tier TTL; cnf.jkt present at Tier 3+, absent below; no claim is client-settable)
- Proof-of-control abuse (nonce replay, body/method/URI mismatch, kid handling; same matrix as the Registry, reusing the shared vector)
- Policy engine (longest-prefix wins over wildcard; unknown scope is a hard 422, never a default tier; contradictory policy fails load; failed reload keeps the running policy, no half-swap)
- Consent checks (expired, revoked, scope-mismatch, DID-mismatch, and each false DPDP property all fail issuance with 422; a valid artifact passes)
- DPoP seam (missing header, thumbprint mismatch, replayed jti, iat outside skew all fail; a valid proof yields the correct RFC 7638 thumbprint into cnf.jkt)
- Key rotation invariants (a token signed under the previous key still verifies after rotation while that key remains published; a new kid resolves at /.well-known/did.json before it is ever used to sign)
- Provider gate (suspended Provider, unsupported scope, and tier over risk_tier_max each return 403; the token endpoint never returns 404)
- Fail-closed behavior (stop the stub Registry, assert issuance returns 503; stop the Redis container, assert /readyz flips and challenges stop; nothing defaults open)
- SSRF (httptest fakes for redirects and private ranges, on both the did:web resolver and the consent-artifact fetch)
Bucket B: CLI tools (integrate to CI pipeline)
- golangci-lint (including the depguard boundary rules)
- SAST, CA and Secret Detection
- Test coverage
promtool check rulesto validate alert rule files (must include the unknown-kid rotation alert)
Bucket C: Custom scripts
- Log hygiene: a Go test that fires representative requests (including failing ones), captures log output, and asserts the forbidden strings (minted token, signature, DPoP proof, nonce, subject_ref) never appear.
- Metrics wired: a Go test that scrapes /metrics and checks each expected metric name is present, including tokens-minted-by-tier, issuance latency histogram, active-key age, and did.json fetch rate.
- Audit completeness: a Go test that runs one issuance (success and failure) plus one admin action, then asserts each produced exactly one append-only audit record with actor, kid, txn, jti, scope, tier, and outcome, and that no record contains a token or personal data.
- did.json contract: a Go test that fetches /.well-known/did.json and asserts explicit Cache-Control headers, version stamp, and one verification method per retained key with stable kids.
Bucket D: Pre-deploy one-timers (run on staging)
These need a running environment or a person, so they are a checklist step before cutover, not a per-commit gate.
- Load test: k6 scripts (load, spike, stress) against the token endpoint on staging, thresholds set so k6 passes or fails on P95 under 500ms including the challenge round-trip.
- TLS: run testssl.sh against the staging endpoint, confirm 1.3 only; confirm mTLS is enforced on the internal/admin listener (a client without a cert is refused).
- Live rotation drill: rotate the key ring on staging while a token-issuing loop runs; confirm zero verification failures downstream and that publish-ahead held (no kid seen before it resolved). The drill is the test.
- Genesis key ceremony: executed per the runbook (KMS/HSM generation, fingerprint published, witnesses recorded). One-time, but gating: no production tokens before it.
- Security review / pentest: people plus tools, scoped to the time. Internal review is the floor; token forgery and replay attempts in scope.
- Compliance: config checklist (keys never leave KMS/HSM, one-year in-India log retention per DPDP Rule 6, NTP to nic/npl sources, audit trail immutable) plus two tabletops: the CERT-In 6-hour incident drill and the DPDP 72-hour breach-notification drill. The code pieces (retention config, audit hygiene) already live in Buckets A and C.