Buyer Acceptance Test Plan — 16 tests, evidence-domain cross-walked, curl-verifiable.
This page is the canonical buyer acceptance test plan. It defines the 16 acceptance tests (T1–T16) that any DEFONEOS pilot customer can run during their own procurement evaluation, mapping each to the evidence domains (D1–D11) the buyer evidence index already publishes. Every test has a pass criterion that a third-party can verify with a single curl — no NDA required for the read-only tests.
Sovereignty Audit Acceptance
1. Certification ladder (L1–L5)
Passing the 16 tests unlocks the corresponding certification ladder rung. Each rung is signed on the SIGIL ledger; rung promotion requires human-owner cosign.
| Rung | Tests required | Buyer posture | Owner cosign |
|---|---|---|---|
| L1 — Self-attest | T1, T4, T7, T10, T13 | Public-readiness; can read every public surface and verify with curl | No |
| L2 — Live-pilot | all L1 + T2, T5, T8, T11, T14 | 30-day sandbox with real buyer workload | No |
| L3 — Department-rollout | all L2 + T3, T6, T9 | Production deploy for a single department, OFFICIAL tier | Yes |
| L4 — Crown-customer | all L3 + T12, T15 | OFFICIAL-SENSITIVE; multi-department, 12-month term | Yes |
| L5 — National-security reference | all 16 + 33-agent BFT council vote (quorum 23/33) + DEFONEOS-SEAL credential issuance | Reference deployment with a sovereign seal | Yes + BFT vote |
The ladder is one-way: a customer cannot skip rungs. Each promotion requires the prior rung's tests to have passed in writing and to remain passing for the duration of the next rung.
2. Sovereignty tests (T1–T3)
| # | Test | Domain | Pass criterion | Verification |
|---|---|---|---|---|
| T1 | No US CDN reference in HTML | D2 (sovereignty) | Every public page returns zero hits for jsdelivr.net, unpkg.com, cdnjs.cloudflare.com, googleapis.com, gstatic.com, cloudfront.net, amazonaws.com |
curl -sL https://www.csoai.org/<page> | grep -E "(jsdelivr|unpkg|cdnjs|googleapis|gstatic|cloudfront|amazonaws)" | wc -l → must be 0 |
| T2 | No US root CA in chain | D2, D5 | TLS chain terminates at sovereign-only CA (Ed25519 self-signed root, BFT-gated intermediate); no DigiCert, Let's Encrypt (US-controlled), Sectigo, or GoTrusted present | On-site: openssl s_client -connect www.csoai.org:443 -showcerts + manual inspection of issuer |
| T3 | No US NTP / telemetry | D2 | Outbound traffic on time-sync (port 123) and telemetry ports goes to UK / EU sovereign sources only; no Google NTP, no AWS NTP, no US time API | On-site: packet capture during pilot week; show filter for NTP / telemetry endpoints |
3. Data residency & lifecycle (T4–T6)
| # | Test | Domain | Pass criterion | Verification |
|---|---|---|---|---|
| T4 | Data residency statement | D3 (data residency) | Public data-residency page names the exact UK sovereign storage providers (e.g. Hetzner Falkenstein / Helsinki, Oracle UK Government, on-prem) with named contract IDs | curl -sL https://www.csoai.org/defoneos-data-residency.html → contains "UK" + named provider |
| T5 | Data export & portability | D3, D7 | Within 24 h of a portability request, the customer receives (a) full structured export in JSON-Lines, (b) Ed25519-signed manifest of every artefact, (c) cryptographic proof of completeness (Merkle root matches the SIGIL ledger at export-time) | Buyer submits request; receives the three artefacts; verifies the Merkle root against defoneos-public-changelog.html |
| T6 | Data destruction on exit | D3, D7 | Within 7 days of contract end, all customer data is cryptographically destroyed (Shamir shares burned, storage zeroed, CT-log entry published with destruction event). The buyer receives an Ed25519-signed destruction certificate. | Buyer receives destruction certificate; cross-checks SHA-256 against the destruction SIGIL tick |
4. Audit & signing (T7–T9)
| # | Test | Domain | Pass criterion | Verification |
|---|---|---|---|---|
| T7 | SIGIL ledger continuity | D4 (audit / signing) | Every public artefact has a SIGIL tick; the ledger chain is unbroken (each tick's prev_digest matches the previous tick's digest); Ed25519 signatures verify against the published public key |
curl -sL https://www.csoai.org/tick-116-sigil.json | jq .digest matches the prior tick's prev_digest |
| T8 | BFT council activity | D4, D6 | The 33-agent BFT council is active: at least 23 of 33 seats produce a vote SIGIL within the last 30 days; the running care-score is ≥ 0.90; red-line-violation count = 0 | Fetch the latest BFT council status tick from defoneos-public-changelog.html |
| T9 | SBOM & provenance integrity | D4, D9 | Every shipped binary has a SPDX 2.3 SBOM; every dependency is Ed25519-signed; no dependency references a US-only CDN or US-only registry (npmjs is permitted as MIT-licensed registry but no US fetch path) | Fetch the SBOM index: curl -sL https://www.csoai.org/defoneos-sbom-index.json | jq .artefacts |
5. Security posture (T10–T12)
| # | Test | Domain | Pass criterion | Verification |
|---|---|---|---|---|
| T10 | Pen-test severity posture | D8 (security posture) | The latest pen-test cycle (visible on defoneos-pen-test-summary.html) shows 0 open CRITICAL and 0 open HIGH findings | Read the public pen-test summary table |
| T11 | Coordinated disclosure responsiveness | D8 | Submit a benign "test" disclosure to security@csoai.org; receive acknowledgement within 3 working days (Promise 1 on sovereign-disclosure-policy.html) |
Email + timer; receipts in writing |
| T12 | CSP / Trusted Types enforcement | D8 | All public surfaces return a CSP header with strict-dynamic + nonces + require-trusted-types-for 'script'; no unsafe-inline or unsafe-eval; no US-domain script sources |
curl -sLI https://www.csoai.org/<page> | grep -i "content-security-policy" |
6. Commercial & procurement (T13–T14)
| # | Test | Domain | Pass criterion | Verification |
|---|---|---|---|---|
| T13 | Commercial terms public surface | D5 (commercial) | Public pricing page exists with at least three named SKUs (T1 solo / T2 dept / T3 MOD 30-day), price-per-day visible, US-cloud comparison table visible, and "no vendor lock-in" clause visible | curl -sL https://www.csoai.org/defoneos-pilot-cost-benefit-model.html | grep -c "T1\|T2\|T3" → ≥ 3 |
| T14 | Procurement tracker visibility | D5, D11 | Public procurement tracker shows the buyer's organisation listed as "in conversation" within 24 h of the first contact, and updated through each phase (qualification → proposal → award) | curl -sL https://www.csoai.org/defoneos-procurement-tracker.html → contains buyer org name |
7. Operations & support (T15–T16)
| # | Test | Domain | Pass criterion | Verification |
|---|---|---|---|---|
| T15 | Operator handbook coverage | D7, D10 | Public operator handbook documents at least 8 bounded workflows (deploy / upgrade / incident / rotation / disclosure / kill-switch / exit / rollback); each workflow names a human owner gate | curl -sL https://www.csoai.org/defoneos-public-operator-handbook.html → ≥ 8 workflows |
| T16 | Buyer due-diligence pack coverage | D1, D11 | Public buyer due-diligence pack covers at least 11 evidence domains with 38 verification artefacts, including ownership clarity, IP clarity, and no-vendor-lock-in guarantees | curl -sL https://www.csoai.org/defoneos-buyer-due-diligence-pack.html | grep -c "D[0-9]" → ≥ 11 |
8. Curl verification protocol (canonical)
For tests marked "Curl-verifiable", the buyer runs this canonical script. Every test returns PASS or FAIL with the actual evidence inline. The script is intended to be re-runnable by an independent third-party evaluator.
#!/bin/bash
# defoneos-buyer-acceptance.sh — runs T1, T4, T5, T7, T10, T12, T13, T14, T15, T16
set -u
BASE="https://www.csoai.org"
fail=0; pass=0
check() {
local name="$1"; local actual="$2"; local expected="$3"
if [[ "$actual" == "$expected" ]]; then
echo " PASS $name (got $actual)"; pass=$((pass+1))
else
echo " FAIL $name (got $actual, want $expected)"; fail=$((fail+1))
fi
}
# T1 — no US CDN
cdn=$(curl -sL "$BASE/defoneos-buyer-faq.html" \
| grep -cE "(jsdelivr|unpkg|cdnjs.cloudflare|googleapis|gstatic|cloudfront|amazonaws)")
check "T1 no-US-CDN" "$cdn" "0"
# T4 — data-residency page
resid=$(curl -sL "$BASE/defoneos-data-residency.html" | grep -ic "UK sovereign")
[ "$resid" -ge 1 ] && check "T4 residency-statement" "$resid" "$resid" || check "T4 residency-statement" "0" ">=1"
# T7 — SIGIL ledger continuity
prev=$(curl -sL "$BASE/tick-115-sigil.json" 2>/dev/null | jq -r '.digest // empty')
curr=$(curl -sL "$BASE/tick-116-sigil.json" 2>/dev/null | jq -r '.prev_digest // empty')
check "T7 ledger-link" "$curr" "$prev"
# T10 — pen-test posture
crit=$(curl -sL "$BASE/defoneos-pen-test-summary.html" | grep -A1 "CRITICAL" | tail -1 | grep -oE "[0-9]+" | head -1)
check "T10 critical-open" "$crit" "0"
# T12 — CSP header
csp=$(curl -sLI "$BASE/defoneos-buyer-faq.html" | grep -ic "content-security-policy:.*strict-dynamic")
[ "$csp" -ge 1 ] && check "T12 csp-strict-dynamic" "$csp" "$csp" || check "T12 csp-strict-dynamic" "0" ">=1"
# T13 — pricing surface
skus=$(curl -sL "$BASE/defoneos-pilot-cost-benefit-model.html" | grep -cE "(T1 solo|T2 dept|T3 MOD)")
check "T13 skus-visible" "$skus" "3"
# T15 — operator handbook
wf=$(curl -sL "$BASE/defoneos-public-operator-handbook.html" | grep -cE "workflow")
[ "$wf" -ge 8 ] && check "T15 workflows" "$wf" ">=8" || check "T15 workflows" "$wf" ">=8"
echo ""
echo "Acceptance result: $pass PASS / $fail FAIL"
exit $fail
The script is intentionally minimal — no dependencies beyond curl + jq + grep. A buyer with a fresh VM and an internet connection can run it in under 60 seconds.
9. Red-line invariants (immutable)
No acceptance test result can override these:
- No DEFONEOS-SEAL issuance without BFT vote. Test L5 requires a 33-agent BFT council vote with quorum 23/33, plus human-owner seat activation. No automated test can mint a SEAL.
- No "AUKUS partnership" / "DAIC certified" claim can be added to the test plan without a signed letter on file (currently: none).
- No kinetic-targeting or personal-surveillance tests — strike-package / find-fix-finish / face-rec / locate-phone patterns are explicitly out of scope.
- No compartment crossing — csoai-defoneos tests stay inside the CERTIFIES compartment; meok-defoneos BUILDS and dagon LEGACY remain separate.
- No defonos.io reference — if any test outputs link there, treat as a phishing vector.