gw-07 — Verification

One command

cd gw-07-edge-security-mtls && bash scripts/verify.sh

What the tests prove

TestInvariant
TestIssueAndExtractSpiffea leaf carries its SPIFFE ID in the URI SAN and it round-trips out via SpiffeIDFromState
TestPolicyAllowlongest-prefix authz: allow / deny-wrong-identity / wildcard / default-deny
TestHotRotationCertHolder.Set changes the active certificate (the rotation mechanism)
TestMTLSEndToEndover a real TLS listener: authorized→200, wrong identity→403, no client cert→handshake fails

All under -race.

What "green" does NOT guarantee

  • Lab CA, not a real issuer. Production uses SPIRE/Metatron with workload attestation + SDS push (gw-08).
  • No origin-side mTLS / JWT. End-to-end identity and end-user token validation are exercises (GUIDE §6.1/§6.2).
  • Authz is local. The fail-open/fail-closed decision for an external authz dependency is an exercise (GUIDE §6.3) — and a key design call.
  • Termination only. SNI passthrough (keeping splice, gw-01) is an exercise (GUIDE §6.4).

Manual check

go run ./cmd/mtlsgw   # then run the printed curl; confirm 200 with cert,
                      # handshake error without; watch the rotation log.
openssl x509 -in /tmp/gw07-client.crt -text -noout | grep -A1 'Alternative'