Verification Metadata
- Route: /transparency/testing/
- Last verified:
- Next review due:
- Current suite inventory: 1,212 listed tests across 118 files.
- Previous version: Testing and Validation Governance before the June 2026 tooling update
CI/CD Relationship
The testing stack described here is one layer of the broader CI/CD Tooling and Release Governance model, which also covers local hooks, public promotion, release-ledger deployment state, and production receipts.
Release-Blocking Validation Stack
For release hygiene sweeps (including /mis workflow), the following gates are run and treated as blockers:
- ./vendor/bin/phpunit -c phpunit.xml (backend unit/integration/contract suite)
- cd html && composer run phpstan:strict (PHPStan Level 9 strict)
- cd .. && npm run test:js (JS lint + security sink checks)
- cd .. && npm run test:a11y:all (PHPUnit a11y + Playwright + strict WCAG + contrast + Lightpanda)
When a gate fails, release work is paused until the failure is fixed and the affected gate is re-run.
Current Test Topology
| Suite Category | Files | Coverage Focus |
|---|---|---|
| Unit | 60 | Domain and service behavior, security invariants, helper logic |
| Integration | 49 | Controller/API flows, auth paths, encrypted lifecycle, runtime protections |
| Contract | 7 | Boundary and compatibility contracts across critical components |
| Manual | 2 | Operator-driven drills and targeted environment verification |
Recent Security-Test Expansion
- Capability token lifecycle and mismatch-denial coverage.
- CSP report ingestion endpoint coverage for flat and nested payload variants.
- Guardian sanitizer coverage anchored to runtime configuration and blocked-selector controls.
- Admin mutation denial regressions for missing/invalid one-shot capability tokens.
Public Traceability Policy
When release content changes behavior, we publish updates in both:
- docs/v1.changelog.md (technical release detail)
- Transparency pages under /transparency/ (public explanation)
This keeps implementation evidence and public commitments synchronized.
For npm lockfile policy and CI gate mapping details, see /transparency/dependency-ci/. For the complete CI/CD operating model, see /transparency/ci-cd-tooling-2026-06/.