The Gauntlet
A comprehensive integration test suite for verifying security guarantees.
What is The Gauntlet?
Definition: A comprehensive shell-based integration test suite that validates MCPTrust's security guarantees.
Location: tests/gauntlet.sh
Philosophy: "If all Gauntlet phases pass, the binary is safe to deploy."
Phases
| Phase | Name | What It Proves |
|---|---|---|
| 0 | Build | Compiles without errors |
| 1 | Discovery | Scan with live/mock fallback |
| 2 | Governance | Policy check validation |
| 3 | Persistence | Lock command function |
| 4 | Identity | Keygen + Sign operations |
| 5a/b | Determinism | Same inputs → same lockfile/bundle hash |
| 6 | Tamper | Bit-flip in lockfile causes verify failure |
| 7-9 | Negative Testing | Wrong key, corrupted pubkey, etc. |
| 10 | Policy Fail | Negative test for impossible policy |
| 11 | Bundle Integrity | Extract, verify, tamper, re-verify |
| 12 | Artifact Pinning | --pin flag test (live npm) |
| 13 | Artifact Verify | Integrity check validation |
| 14 | Provenance | SLSA attestation verification |
| 15 | Policy Presets | Baseline (warn-only) and strict (fail-closed) presets |
| 16 | Tarball SHA256 | Deep tarball verification and SHA256 mismatch detection |
| 17 | Enforced Runner | Dry-run execution with integrity/provenance verification |
Running The Gauntlet
cd tests
./gauntlet.shCI Integration
- Gauntlet runs on every PR and merge to main.
- Failure blocks merge.