Atomic & composite policy enforcement tests
Each scenario is a self-contained test of one policy axis. Click any card to view the full fixture and expected outcome, and to run it against the live deployment.
Single-policy isolation tests. Each scenario exercises one rule in isolation.
Happy path: valid JWT, allowed everything
Valid JWT with correct issuer, audience, scopes, and home_region. Request body uses an allowed model for an allowed tenant.
JWT missing the route's required scope
Valid JWT, but scopes contain `ai.chat.read` instead of the required `ai.chat.write` for /v1/chat. The token itself verifies; the denial comes from the scope policy in ext_authz. Of all the cards, this is the one RFC 6750 actually describes as insufficient_scope (a valid token with too little privilege).
JWT home_region does not match edge region
Valid JWT with home_region 'eu-west', but this edge deployment is configured for region 'tst'. Residency policy denies.
Tenant not configured
Valid JWT for a tenant that Shield has not registered in data.customer.tenants. The model_allowlist policy denies with model.tenant_not_configured.
Model not in tenant allowlist
Valid JWT for a configured tenant, but the requested model is not in the tenant's allowed_models list. The model_allowlist policy denies with model.not_allowed.
Expired JWT
JWT with exp in the past. Envoy's jwt_authn filter rejects before ext_authz runs.
Wrong JWT audience
JWT signed for a different audience than the edge expects. Signature, issuer and expiry all verify, so this is not an unauthenticated request; jwt_authn nevertheless refuses it with HTTP 403 because the token was minted for another resource. Distinct from the 401 returned for expired, unverifiable or missing tokens, and not a scope problem: the aud claim, not the scope list, is what fails here.
Wrong JWT issuer
JWT iss claim doesn't match the issuer Envoy's jwt_authn expects.
Invalid JWT signature
JWT body claims look valid, but the signature was produced by a key NOT in the JWKS Envoy fetches. Signature verification fails.
Missing Authorization header
Request sent with no Authorization header at all. Envoy's jwt_authn rejects before ext_authz.
Unknown route
Valid JWT, but the request path is not in Envoy's RBAC allowlist. Envoy rejects with 403 before ext_authz runs — OPA is never consulted.
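The cards above pin down an ordering as much as a set of rules: jwt_authn decides first (401, or 403 for a wrong audience), the RBAC route allowlist second (403, OPA never consulted), and only then does ext_authz evaluate scope, residency and the model allowlist. The following is an added example, not Shield's, Envoy's or OPA's code: an offline model of that three-stage chain that replays all eleven atomic fixtures and reports the status and deny reason each one should produce. Everything not on the page is assumed: HS256 with a shared secret stands in for the JWKS the edge fetches, ext_authz denials map to HTTP 403, the scope claim is a space-delimited string, the issuer, audience, tenant id and model names are constructed, and the reason strings other than model.tenant_not_configured and model.not_allowed are invented labels.

```python
"""Offline model of the edge chain jwt_authn -> RBAC -> ext_authz (OPA) for the
atomic scenarios above. Added example; see the lead-in for what is assumed."""
import base64, hashlib, hmac, json, time

KEY = b"edge-test-key"             # constructed; the real edge verifies against JWKS
ROGUE_KEY = b"not-in-jwks"         # constructed; signs tokens the edge cannot verify
ISSUER, AUDIENCE = "https://idp.example", "shield-edge"   # assumed values
EDGE_REGION = "tst"                                       # from the residency card
ROUTES = {"/v1/chat": "ai.chat.write"}      # RBAC allowlist + required scope per route
TENANTS = {"acme": {"allowed_models": ["gpt-4o"]}}        # stands in for data.customer.tenants


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def mint(claims: dict, key: bytes = KEY) -> str:
    """Compact HS256 JWS; the signing key models whether the verifier has it in JWKS."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def jwt_authn(auth_header):
    """Stage 1 (Envoy jwt_authn): 401 for missing, unverifiable, expired or
    wrong-issuer tokens; 403 for a token that verifies but names another audience."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return 401, "jwt.missing", None
    parts = auth_header[len("Bearer "):].split(".")
    if len(parts) != 3:
        return 401, "jwt.malformed", None
    header, body, sig = parts
    expected = hmac.new(KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected).encode(), sig.encode()):
        return 401, "jwt.bad_signature", None     # signature checked before any claim
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims.get("exp", 0) <= time.time():
        return 401, "jwt.expired", None
    if claims.get("iss") != ISSUER:
        return 401, "jwt.issuer_not_allowed", None
    aud = claims.get("aud", [])
    if AUDIENCE not in ([aud] if isinstance(aud, str) else aud):
        return 403, "jwt.audience_not_allowed", None
    return 200, "ok", claims


def ext_authz(claims, path, body):
    """Stage 3 (OPA via ext_authz): scope, residency, then the model allowlist.
    Only the model.* reason strings are the page's; the rest are constructed."""
    if ROUTES[path] not in claims.get("scope", "").split():
        return 403, "scope.missing"
    if claims.get("home_region") != EDGE_REGION:
        return 403, "residency.region_mismatch"
    tenant = TENANTS.get(claims.get("tenant"))
    if tenant is None:
        return 403, "model.tenant_not_configured"
    if body.get("model") not in tenant["allowed_models"]:
        return 403, "model.not_allowed"
    return 200, "allow"


def decide(auth_header, path, body):
    """Run the chain; the first stage that denies short-circuits, as at the edge."""
    status, reason, claims = jwt_authn(auth_header)
    if status != 200:
        return status, reason
    if path not in ROUTES:                        # stage 2 (Envoy RBAC): OPA never consulted
        return 403, "rbac.route_not_allowed"
    return ext_authz(claims, path, body)


def token_claims(**overrides):
    base = {"iss": ISSUER, "aud": AUDIENCE, "exp": int(time.time()) + 600,
            "scope": "ai.chat.write", "home_region": EDGE_REGION, "tenant": "acme"}
    return {**base, **overrides}


def run_scenarios():
    """Replay the eleven atomic cards; returns {card title: (http status, reason)}."""
    chat, now = {"model": "gpt-4o"}, int(time.time())
    cases = [  # (title, claims, signing key, path, body)
        ("Happy path", token_claims(), KEY, "/v1/chat", chat),
        ("JWT missing the route's required scope", token_claims(scope="ai.chat.read"), KEY, "/v1/chat", chat),
        ("JWT home_region does not match edge region", token_claims(home_region="eu-west"), KEY, "/v1/chat", chat),
        ("Tenant not configured", token_claims(tenant="ghost"), KEY, "/v1/chat", chat),
        ("Model not in tenant allowlist", token_claims(), KEY, "/v1/chat", {"model": "llama-3-70b"}),
        ("Expired JWT", token_claims(exp=now - 60), KEY, "/v1/chat", chat),
        ("Wrong JWT audience", token_claims(aud="other-service"), KEY, "/v1/chat", chat),
        ("Wrong JWT issuer", token_claims(iss="https://other-idp.example"), KEY, "/v1/chat", chat),
        ("Invalid JWT signature", token_claims(), ROGUE_KEY, "/v1/chat", chat),
        ("Unknown route", token_claims(), KEY, "/v1/admin", chat),
    ]
    results = {t: decide("Bearer " + mint(c, k), p, b) for t, c, k, p, b in cases}
    results["Missing Authorization header"] = decide(None, "/v1/chat", chat)
    return results
```

Because every fixture breaks exactly one axis, the order of checks inside ext_authz never changes an outcome here; it only matters for composite scenarios, where a request failing two axes reports whichever reason the policy evaluates first. The stage boundaries do matter: a token that never verifies must not reach the scope or tenant checks, which is why the model short-circuits after jwt_authn and RBAC before calling ext_authz.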
No composite scenarios defined yet.