Conformance Testing
Deterministic verification against normative test vectors. Implementations at any conformance level can prove correct receipt handling without depending on the reference TypeScript code.
Package: @peac/cli
What Conformance Means
A conformant implementation produces the same verification result as the reference implementation for every test vector at a given level. Each vector specifies an input receipt (compact JWS), a public key, and the expected verification outcome. The harness runs vectors sequentially, comparing actual results against expected results.
Conformance is deterministic: given the same input, every correct implementation produces the same output. There is no nondeterminism in signature verification or claim validation.
Conformance Levels
Three levels of increasing strictness. Each level includes all checks from the previous level.
| Level | Checks | Description |
|---|---|---|
basic | Structure + Ed25519 signature | Validates JWS structure (header, payload, signature) and verifies the Ed25519 signature against the provided public key |
standard | + Claim validation + expiry | Validates required claims (iss, aud, iat, exp), checks temporal validity, and enforces issuer allowlist matching |
full | + Kernel constraints + policy binding | Enforces kernel constraint validation (DD-60, DD-121) and policy binding status checks (DD-49) |
Running the Harness
The conformance harness is available via @peac/cli. Install it globally or use npx:
# Install the CLI npm install -g @peac/cli # Run conformance at a specific level peac conformance run --level basic peac conformance run --level standard peac conformance run --level full
Example output for a successful run:
PEAC Conformance Harness v0.11.2 Level: standard Vectors: specs/conformance/ [PASS] valid-receipt-ed25519 [PASS] expired-receipt-rejected [PASS] wrong-key-rejected [PASS] missing-iss-rejected [PASS] missing-aud-rejected [PASS] future-iat-rejected [PASS] issuer-allowlist-mismatch 7/7 vectors passed Conformance level: standard
Test Vector Format
Test vectors are JSON fixtures stored in the specs/conformance/ directory. Each vector is self-contained: it includes all inputs and expected outputs needed for deterministic verification.
{
"id": "valid-receipt-ed25519",
"description": "Valid receipt with Ed25519 signature",
"level": "basic",
"input": {
"receipt_jws": "eyJhbGciOiJFZERTQSIsInR5cCI6InBlYWMtcmVjZWlwdC8wLjEifQ...",
"public_key": {
"kty": "OKP",
"crv": "Ed25519",
"x": "base64url-encoded-public-key"
}
},
"expected": {
"result": "verified",
"claims": {
"iss": "https://api.example.com",
"aud": "https://client.example.com"
}
}
}Vector fields
| Field | Type | Description |
|---|---|---|
id | string | Unique identifier for the vector |
description | string | Human-readable description of what the vector tests |
level | string | Minimum conformance level: basic, standard, or full |
input.receipt_jws | string | Compact JWS receipt to verify |
input.public_key | JWK | Ed25519 public key for signature verification |
expected | object | Expected verification result and extracted claims |
Integrator Kit
Third-party implementations (in any language) can test against the normative vectors without depending on the TypeScript reference code. The process:
The vectors are language-agnostic JSON. Any implementation that produces matching results for all vectors at a given level is conformant at that level.
Links
Test Your Implementation
Clone the test vectors, run them against your implementation, and verify conformance at your target level. The vectors are language-agnostic JSON: use them from Go, Python, Rust, or any language with Ed25519 and JSON support.