Tutorial: the v0.1 acceptance gate
Goal: understand and run the single command that proves the local Auth Plane behaves correctly — the canonical definition of "v0.1 is healthy."
What it is
make v01-acceptance
This is deterministic and local-only. It uses no Docker, Helm, cloud deploy, release automation, publish automation, or wiki sync. A green run means the local Auth Plane contract is ready for review.
What it actually runs
The gate (scripts/v01-acceptance.sh) chains four things:
Concretely, it executes:
sh scripts/transcript-v1-conformance.sh— cross-language transcript equality.- Targeted
go test ./internal/broker— software-signer issue,insufficient_key_binding, transcript digest match, broker-issued headers passing and being rejected for abuse and duplicate replay through the adapter. - Targeted
go test ./cmd/trustplane-cli—signheaders accepted by the transcript-v1 adapter, tamper deny, rejecting a stronger key-binding than provided, theupflow verifying through the adapter, and bundle-policy failure denials. - Targeted
go test ./pkg/middleware/http— route key-binding policy, bundle freshness failing before the verifier, realtime freshness window, policy denial not consuming replay, and transcript tamper/corruption denials. ./examples/provider-gateway/run.sh— the full broker → adapter → upstream walkthrough.
What "passing" proves
| Behavior | Proven by |
|---|---|
| A valid proof-bound request is accepted | broker + provider-gateway |
| Wrong route is denied | CLI + middleware |
Duplicate replay is denied (jti_replay) | broker |
| Stale bundle fails closed | middleware |
| Insufficient key binding is denied | broker + middleware |
| Tampered request binding is denied | CLI + middleware |
Policy denial does not burn the jti | middleware |
| Cross-language transcript output is identical | conformance |
The fuller reviewer checklist
Before any later tag/deploy, the repo's reviewer checklist runs:
make boundaries
scripts/check-boundaries.sh
make transcript-conformance
make v01-acceptance
go test ./internal/... ./pkg/... ./spec ./cmd/... ./examples/...
make test
scripts/public-release-scan.sh
git diff --check
A durability note
The v01-acceptance gate exists and passes, but at the time of writing it is run manually —
the CI workflow runs make test and make boundaries but not make v01-acceptance or
make transcript-conformance. Wiring those two into CI is the recommended way to keep v0.1 from
silently regressing on a future PR.
← Back to Quickstart · → v0.1 boundary reference