POLICYGATE — CONFORMANCE SUITE

Verify governance enforcement in the request path.

Run a matrix of scenarios against a live PolicyGate deployment. Each scenario mints a JWT, sends a real HTTP request, and verifies the policy decision against expectations — with the cryptographic provenance of the signed bundle visible at every step.

01 — OVERVIEW

What this tool tests.

01 — Runtime policy enforcement

Every scenario sends a real HTTP request through Envoy. Policy decisions are made by OPA against the cosign-signed bundle; nothing in the decision path is stubbed.

02 — Signed bundle provenance

Every decision links back to a specific bundle digest, signed by orca-policy's CI workflow and recorded in the Sigstore transparency log.

03 — Deny taxonomy clarity

Each deny carries a structured reason such as residency.jwt_region_mismatch or authz.missing_scope. It is the same taxonomy auditors see in Shield's audit logs.
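The scenario loop described above (mint a JWT, send a request, compare the decision and deny reason against expectations, keep the bundle digest beside the result), as an added example written for this page; it is not PolicyGate's own conformance code. It assumes, since the page does not say, that scenario tokens are HS256 JWTs under a shared test key, that the gateway answers with a JSON body of the form {"allow": bool, "reason": str|null, "bundle_digest": str}, and that the region and scope claims are named "region" and "scope". local_gateway is a constructed offline stand-in for the Envoy+OPA path so the runner can be exercised without a deployment; against a live PolicyGate you would pass a function that performs the real HTTP request in its place.

```python
"""Conformance scenario-matrix runner (added example; assumptions noted inline)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Optional

TEST_KEY = b"conformance-test-key"       # constructed test key, never a production secret
BUNDLE_DIGEST = "sha256:" + "0" * 64    # constructed placeholder for a signed bundle digest
ROUTES = {"/api/orders": "orders:read"}  # constructed route -> required scope table


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_jwt(claims: dict, key: bytes = TEST_KEY) -> str:
    """Mint an HS256 JWT for one scenario (assumed signing scheme, not from the page)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes = TEST_KEY) -> Optional[dict]:
    """Return the claims if the HMAC signature checks out, else None."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(body))


def local_gateway(request: dict) -> dict:
    """Constructed offline stand-in for Envoy+OPA. Emits the two deny reasons the page names;
    the invalid-token reason is a constructed code, not one from the page."""
    token = request["headers"].get("Authorization", "").removeprefix("Bearer ")
    claims = verify_jwt(token)
    deny = lambda reason: {"allow": False, "reason": reason, "bundle_digest": BUNDLE_DIGEST}
    if claims is None:
        return deny("authz.invalid_token")
    if claims.get("region") != request["headers"].get("X-Region"):
        return deny("residency.jwt_region_mismatch")
    if ROUTES.get(request["path"]) not in claims.get("scope", "").split():
        return deny("authz.missing_scope")
    return {"allow": True, "reason": None, "bundle_digest": BUNDLE_DIGEST}


# Constructed scenario matrix: claims to mint, request to send, decision expected.
SCENARIOS = [
    {"name": "allow_in_region", "claims": {"sub": "alice", "region": "eu", "scope": "orders:read"},
     "path": "/api/orders", "region": "eu", "expect": {"allow": True, "reason": None}},
    {"name": "region_mismatch", "claims": {"sub": "bob", "region": "us", "scope": "orders:read"},
     "path": "/api/orders", "region": "eu",
     "expect": {"allow": False, "reason": "residency.jwt_region_mismatch"}},
    {"name": "missing_scope", "claims": {"sub": "carol", "region": "eu", "scope": "orders:write"},
     "path": "/api/orders", "region": "eu",
     "expect": {"allow": False, "reason": "authz.missing_scope"}},
]


def run_matrix(scenarios: list, send: Callable[[dict], dict] = local_gateway) -> list:
    """Mint a token per scenario, send the request, and record pass/fail plus the bundle digest
    the decision was made against. `send` is the transport; swap in a real HTTP call for a live run."""
    results = []
    for sc in scenarios:
        now = int(time.time())
        claims = dict(sc["claims"], iat=now, exp=now + 60)
        request = {"path": sc["path"],
                   "headers": {"Authorization": "Bearer " + mint_jwt(claims), "X-Region": sc["region"]}}
        decision = send(request)
        got = {"allow": decision["allow"], "reason": decision.get("reason")}
        results.append({"name": sc["name"], "passed": got == sc["expect"], "expected": sc["expect"],
                        "got": got, "bundle_digest": decision.get("bundle_digest")})
    return results


def all_passed(results: list) -> bool:
    return all(r["passed"] for r in results)


if __name__ == "__main__":
    for r in run_matrix(SCENARIOS):
        status = "PASS" if r["passed"] else "FAIL"
        print(f"{status} {r['name']}: expected {r['expected']} got {r['got']} [{r['bundle_digest']}]")
```

Each result keeps the bundle digest returned with the decision, so a failing scenario can be tied to the exact signed bundle that produced it rather than to "whatever was deployed at the time"; the comparison is on the full (allow, reason) pair, so a deny for the wrong reason is a failure, not a pass.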