---
phase: 4
slug: security
status: draft
nyquist_compliant: false
wave_0_complete: false
created: 2026-03-11
---

# Phase 4 — Validation Strategy

> Per-phase validation contract for feedback sampling during execution.

---

## Test Infrastructure

| Property | Value |
|----------|-------|
| **Framework** | JUnit 5 + Spring Boot Test + Spring Security Test |
| **Config file** | cameleer3-server-app/src/test/resources/application-test.yml |
| **Quick run command** | `mvn test -pl cameleer3-server-app -Dtest="Security*,Jwt*,Bootstrap*,Ed25519*" -Dsurefire.reuseForks=false` |
| **Full suite command** | `mvn clean verify` |
| **Estimated runtime** | ~60 seconds |

---

## Sampling Rate

- **After every task commit:** Run `mvn test -pl cameleer3-server-app -Dsurefire.reuseForks=false`
- **After every plan wave:** Run `mvn clean verify`
- **Before `/gsd:verify-work`:** Full suite must be green
- **Max feedback latency:** 60 seconds

---

## Per-Task Verification Map

| Task ID | Plan | Wave | Requirement | Test Type | Automated Command | File Exists | Status |
|---------|------|------|-------------|-----------|-------------------|-------------|--------|
| 04-01-01 | 01 | 1 | SECU-03 | unit | `mvn test -pl cameleer3-server-app -Dtest=Ed25519SigningServiceTest -Dsurefire.reuseForks=false` | ❌ W0 | ⬜ pending |
| 04-01-02 | 01 | 1 | SECU-01 | unit | `mvn test -pl cameleer3-server-app -Dtest=JwtServiceTest -Dsurefire.reuseForks=false` | ❌ W0 | ⬜ pending |
| 04-01-03 | 01 | 1 | SECU-05 | integration | `mvn test -pl cameleer3-server-app -Dtest=BootstrapTokenIT -Dsurefire.reuseForks=false` | ❌ W0 | ⬜ pending |
| 04-01-04 | 01 | 1 | SECU-01 | integration | `mvn test -pl cameleer3-server-app -Dtest=SecurityFilterIT -Dsurefire.reuseForks=false` | ❌ W0 | ⬜ pending |
| 04-01-05 | 01 | 1 | SECU-02 | integration | `mvn test -pl cameleer3-server-app -Dtest=JwtRefreshIT -Dsurefire.reuseForks=false` | ❌ W0 | ⬜ pending |
| 04-01-06 | 01 | 1 | SECU-04 | integration | `mvn test -pl cameleer3-server-app -Dtest=SseSigningIT -Dsurefire.reuseForks=false` | ❌ W0 | ⬜ pending |
| 04-01-07 | 01 | 1 | N/A | integration | `mvn test -pl cameleer3-server-app -Dtest=RegistrationSecurityIT -Dsurefire.reuseForks=false` | ❌ W0 | ⬜ pending |

*Status: ⬜ pending · ✅ green · ❌ red · ⚠️ flaky*

---

## Wave 0 Requirements

- [ ] `Ed25519SigningServiceTest.java` — unit test stubs for Ed25519 signing roundtrip (SECU-03)
- [ ] `JwtServiceTest.java` — unit test stubs for JWT creation/validation/expiry (SECU-01, SECU-02)
- [ ] `BootstrapTokenIT.java` — integration test stubs for bootstrap token validation (SECU-05)
- [ ] `SecurityFilterIT.java` — integration test stubs for protected/public endpoint access (SECU-01)
- [ ] `JwtRefreshIT.java` — integration test stubs for refresh flow (SECU-02)
- [ ] `SseSigningIT.java` — integration test stubs for Ed25519 SSE signing (SECU-04)
- [ ] `RegistrationSecurityIT.java` — integration test stubs for registration with bootstrap + public key (SECU-03, SECU-05)
- [ ] Update `application-test.yml` with `CAMELEER_AUTH_TOKEN: test-token`
- [ ] Update ALL existing ITs to include JWT auth headers (21 test files affected)

*Existing infrastructure covers test framework and Testcontainers setup.*

---

## Manual-Only Verifications

| Behavior | Requirement | Why Manual | Test Instructions |
|----------|-------------|------------|-------------------|
| JWT token leakage in SSE query param logs | SECU-01 | Requires production log inspection | Check access logs don't log query parameters containing JWT tokens |

---

## Validation Sign-Off

- [ ] All tasks have `` verify or Wave 0 dependencies
- [ ] Sampling continuity: no 3 consecutive tasks without automated verify
- [ ] Wave 0 covers all MISSING references
- [ ] No watch-mode flags
- [ ] Feedback latency < 60s
- [ ] `nyquist_compliant: true` set in frontmatter

**Approval:** pending
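
The manual-only check for SECU-01 (access logs must not record JWTs carried in SSE query parameters) can be supported by a log scan. The following is an added example, not part of the project's code; it assumes combined-format access log lines, and the `/events` path, `token` parameter, sample token and log lines are constructed for illustration.

```python
import base64
import json
import re
from urllib.parse import parse_qsl, urlsplit

# Request line of a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
# JWT compact form: three base64url segments separated by dots.
JWT_RE = re.compile(r"[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")

def _b64url(obj):
    """Encode a dict as an unpadded base64url JSON segment (sample data only)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def _header(segment):
    """Decode a base64url segment into a dict, or None if it is not JSON."""
    try:
        raw = base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
        obj = json.loads(raw)
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    return obj if isinstance(obj, dict) else None

def looks_like_jwt(value):
    """True when value has JWT compact form and its header names an 'alg'."""
    if not JWT_RE.fullmatch(value):
        return False
    header = _header(value.split(".")[0])
    return header is not None and "alg" in header

def find_jwt_in_query(log_lines):
    """Return (line_number, path, param_name) for each logged JWT query value."""
    findings = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = urlsplit(match.group(1))
        for name, value in parse_qsl(target.query, keep_blank_values=True):
            if looks_like_jwt(value):
                findings.append((number, target.path, name))  # never echo the token
    return findings

# Constructed sample data: hypothetical path, parameter name and token.
SAMPLE_TOKEN = ".".join([_b64url({"alg": "HS256"}), _b64url({"sub": "agent-1"}), "c2ln"])
SAMPLE_LOG = [
    f'10.0.0.5 - - [11/Mar/2026:10:00:00 +0000] "GET /events?token={SAMPLE_TOKEN} HTTP/1.1" 200 0',
    '10.0.0.5 - - [11/Mar/2026:10:00:01 +0000] "GET /events HTTP/1.1" 200 0',
    '10.0.0.5 - - [11/Mar/2026:10:00:02 +0000] "GET /search?q=a.b.c HTTP/1.1" 200 12',
]
```

An empty result from `find_jwt_in_query` over a production log sample is the pass condition; any finding names the line, path and parameter without reproducing the token.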