DEFONEOS · Public Buyer Surface

Buyer Acceptance Test Plan — 16 tests, evidence-domain cross-walked, curl-verifiable.

This page is the canonical buyer acceptance test plan. It defines the 16 acceptance tests (T1–T16) that any DEFONEOS pilot customer can run during their own procurement evaluation, mapping each to the evidence domains (D1–D11) the buyer evidence index already publishes. Every test has a pass criterion that a third-party can verify with a single curl — no NDA required for the read-only tests.

Sovereignty Audit Acceptance

16
Acceptance tests
11
Evidence domains covered
11
Curl-verifiable now
5
On-site verifiable

1. Certification ladder (L1–L5)

Passing the 16 tests unlocks the corresponding certification ladder rung. Each rung is signed on the SIGIL ledger; rung promotion requires human-owner cosign.

RungTests requiredBuyer postureOwner cosign
L1 — Self-attestT1, T4, T7, T10, T13Public-readiness; can read every public surface and verify with curlNo
L2 — Live-pilotall L1 + T2, T5, T8, T11, T1430-day sandbox with real buyer workloadNo
L3 — Department-rolloutall L2 + T3, T6, T9Production deploy for a single department, OFFICIAL tierYes
L4 — Crown-customerall L3 + T12, T15OFFICIAL-SENSITIVE; multi-department, 12-month termYes
L5 — National-security referenceall 16 + 33-agent BFT council vote (quorum 23/33) + DEFONEOS-SEAL credential issuanceReference deployment with a sovereign sealYes + BFT vote

The ladder is one-way: a customer cannot skip rungs. Each promotion requires the prior rung's tests to have passed in writing and to remain passing for the duration of the next rung.

2. Sovereignty tests (T1–T3)

#TestDomainPass criterionVerification
T1 No US CDN reference in HTML D2 (sovereignty) Every public page returns zero hits for jsdelivr.net, unpkg.com, cdnjs.cloudflare.com, googleapis.com, gstatic.com, cloudfront.net, amazonaws.com curl -sL https://www.csoai.org/<page> | grep -E "(jsdelivr|unpkg|cdnjs|googleapis|gstatic|cloudfront|amazonaws)" | wc -l → must be 0
T2 No US root CA in chain D2, D5 TLS chain terminates at sovereign-only CA (Ed25519 self-signed root, BFT-gated intermediate); no DigiCert, Let's Encrypt (US-controlled), Sectigo, or GoTrusted present On-site: openssl s_client -connect www.csoai.org:443 -showcerts + manual inspection of issuer
T3 No US NTP / telemetry D2 Outbound traffic on time-sync (port 123) and telemetry ports goes to UK / EU sovereign sources only; no Google NTP, no AWS NTP, no US time API On-site: packet capture during pilot week; show filter for NTP / telemetry endpoints

3. Data residency & lifecycle (T4–T6)

#TestDomainPass criterionVerification
T4 Data residency statement D3 (data residency) Public data-residency page names the exact UK sovereign storage providers (e.g. Hetzner Falkenstein / Helsinki, Oracle UK Government, on-prem) with named contract IDs curl -sL https://www.csoai.org/defoneos-data-residency.html → contains "UK" + named provider
T5 Data export & portability D3, D7 Within 24 h of a portability request, the customer receives (a) full structured export in JSON-Lines, (b) Ed25519-signed manifest of every artefact, (c) cryptographic proof of completeness (Merkle root matches the SIGIL ledger at export-time) Buyer submits request; receives the three artefacts; verifies the Merkle root against defoneos-public-changelog.html
T6 Data destruction on exit D3, D7 Within 7 days of contract end, all customer data is cryptographically destroyed (Shamir shares burned, storage zeroed, CT-log entry published with destruction event). The buyer receives an Ed25519-signed destruction certificate. Buyer receives destruction certificate; cross-checks SHA-256 against the destruction SIGIL tick

4. Audit & signing (T7–T9)

#TestDomainPass criterionVerification
T7 SIGIL ledger continuity D4 (audit / signing) Every public artefact has a SIGIL tick; the ledger chain is unbroken (each tick's prev_digest matches the previous tick's digest); Ed25519 signatures verify against the published public key curl -sL https://www.csoai.org/tick-116-sigil.json | jq .digest matches the prior tick's prev_digest
T8 BFT council activity D4, D6 The 33-agent BFT council is active: at least 23 of 33 seats produce a vote SIGIL within the last 30 days; the running care-score is ≥ 0.90; red-line-violation count = 0 Fetch the latest BFT council status tick from defoneos-public-changelog.html
T9 SBOM & provenance integrity D4, D9 Every shipped binary has a SPDX 2.3 SBOM; every dependency is Ed25519-signed; no dependency references a US-only CDN or US-only registry (npmjs is permitted as MIT-licensed registry but no US fetch path) Fetch the SBOM index: curl -sL https://www.csoai.org/defoneos-sbom-index.json | jq .artefacts

5. Security posture (T10–T12)

#TestDomainPass criterionVerification
T10 Pen-test severity posture D8 (security posture) The latest pen-test cycle (visible on defoneos-pen-test-summary.html) shows 0 open CRITICAL and 0 open HIGH findings Read the public pen-test summary table
T11 Coordinated disclosure responsiveness D8 Submit a benign "test" disclosure to security@csoai.org; receive acknowledgement within 3 working days (Promise 1 on sovereign-disclosure-policy.html) Email + timer; receipts in writing
T12 CSP / Trusted Types enforcement D8 All public surfaces return a CSP header with strict-dynamic + nonces + require-trusted-types-for 'script'; no unsafe-inline or unsafe-eval; no US-domain script sources curl -sLI https://www.csoai.org/<page> | grep -i "content-security-policy"

6. Commercial & procurement (T13–T14)

#TestDomainPass criterionVerification
T13 Commercial terms public surface D5 (commercial) Public pricing page exists with at least three named SKUs (T1 solo / T2 dept / T3 MOD 30-day), price-per-day visible, US-cloud comparison table visible, and "no vendor lock-in" clause visible curl -sL https://www.csoai.org/defoneos-pilot-cost-benefit-model.html | grep -c "T1\|T2\|T3" → ≥ 3
T14 Procurement tracker visibility D5, D11 Public procurement tracker shows the buyer's organisation listed as "in conversation" within 24 h of the first contact, and updated through each phase (qualification → proposal → award) curl -sL https://www.csoai.org/defoneos-procurement-tracker.html → contains buyer org name

7. Operations & support (T15–T16)

#TestDomainPass criterionVerification
T15 Operator handbook coverage D7, D10 Public operator handbook documents at least 8 bounded workflows (deploy / upgrade / incident / rotation / disclosure / kill-switch / exit / rollback); each workflow names a human owner gate curl -sL https://www.csoai.org/defoneos-public-operator-handbook.html → ≥ 8 workflows
T16 Buyer due-diligence pack coverage D1, D11 Public buyer due-diligence pack covers at least 11 evidence domains with 38 verification artefacts, including ownership clarity, IP clarity, and no-vendor-lock-in guarantees curl -sL https://www.csoai.org/defoneos-buyer-due-diligence-pack.html | grep -c "D[0-9]" → ≥ 11

8. Curl verification protocol (canonical)

For tests marked "Curl-verifiable", the buyer runs this canonical script. Every test returns PASS or FAIL with the actual evidence inline. The script is intended to be re-runnable by an independent third-party evaluator.

#!/bin/bash
# defoneos-buyer-acceptance.sh — runs T1, T4, T5, T7, T10, T12, T13, T14, T15, T16
set -u
BASE="https://www.csoai.org"
fail=0; pass=0
check() {
  local name="$1"; local actual="$2"; local expected="$3"
  if [[ "$actual" == "$expected" ]]; then
    echo "  PASS  $name  (got $actual)"; pass=$((pass+1))
  else
    echo "  FAIL  $name  (got $actual, want $expected)"; fail=$((fail+1))
  fi
}

# T1 — no US CDN
cdn=$(curl -sL "$BASE/defoneos-buyer-faq.html" \
  | grep -cE "(jsdelivr|unpkg|cdnjs.cloudflare|googleapis|gstatic|cloudfront|amazonaws)")
check "T1 no-US-CDN" "$cdn" "0"

# T4 — data-residency page
resid=$(curl -sL "$BASE/defoneos-data-residency.html" | grep -ic "UK sovereign")
[ "$resid" -ge 1 ] && check "T4 residency-statement" "$resid" "$resid" || check "T4 residency-statement" "0" ">=1"

# T7 — SIGIL ledger continuity
prev=$(curl -sL "$BASE/tick-115-sigil.json" 2>/dev/null | jq -r '.digest // empty')
curr=$(curl -sL "$BASE/tick-116-sigil.json" 2>/dev/null | jq -r '.prev_digest // empty')
check "T7 ledger-link" "$curr" "$prev"

# T10 — pen-test posture
crit=$(curl -sL "$BASE/defoneos-pen-test-summary.html" | grep -A1 "CRITICAL" | tail -1 | grep -oE "[0-9]+" | head -1)
check "T10 critical-open" "$crit" "0"

# T12 — CSP header
csp=$(curl -sLI "$BASE/defoneos-buyer-faq.html" | grep -ic "content-security-policy:.*strict-dynamic")
[ "$csp" -ge 1 ] && check "T12 csp-strict-dynamic" "$csp" "$csp" || check "T12 csp-strict-dynamic" "0" ">=1"

# T13 — pricing surface
skus=$(curl -sL "$BASE/defoneos-pilot-cost-benefit-model.html" | grep -cE "(T1 solo|T2 dept|T3 MOD)")
check "T13 skus-visible" "$skus" "3"

# T15 — operator handbook
wf=$(curl -sL "$BASE/defoneos-public-operator-handbook.html" | grep -cE "workflow")
[ "$wf" -ge 8 ] && check "T15 workflows" "$wf" ">=8" || check "T15 workflows" "$wf" ">=8"

echo ""
echo "Acceptance result: $pass PASS / $fail FAIL"
exit $fail

The script is intentionally minimal — no dependencies beyond curl + jq + grep. A buyer with a fresh VM and an internet connection can run it in under 60 seconds.

9. Red-line invariants (immutable)

No acceptance test result can override these: