feat(smoke): add compliance-smoke crate + scripts/smoke.sh tenant-gating harness

A minimal Axum binary that mounts compliance-core's M7.1 middleware on three endpoints (public health, protected GET echo, protected POST echo) so we can prove the tenant-gating contract end-to-end against a live KC before any auth-path PR merges. scripts/smoke.sh drives the binary against the five test users defined in the certifai realm (admin/user → active, trial/frozen/archived) and asserts the exact response code per (user × method × endpoint). Run it once before touching auth, tenant_status, or org_roles code. Validated locally — 15/15 assertions pass: * anon/bogus → 401 on protected, 200 on /health * active/trial → 200 on read + write * frozen → 200 read, 402 write (read-after-cancel gate) * archived → 410 read + 410 write (retention window closed) Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-04 11:07:45 +02:00
parent f583d0788c
commit 079f913024
5 changed files with 288 additions and 0 deletions
@@ -0,0 +1,22 @@
+[package]
+name = "compliance-smoke"
+version = "0.1.0"
+edition = "2021"
+description = "Tiny Axum service exercising compliance-core M7.1 tenant gating. Run smoke.sh against it before merging anything that touches the auth/tenant path."
+
+[lints]
+workspace = true
+
+[[bin]]
+name = "compliance-smoke"
+path = "src/main.rs"
+
+[dependencies]
+compliance-core = { workspace = true, features = ["axum"] }
+axum = "0.8"
+tokio = { workspace = true }
+tracing = { workspace = true }
+tracing-subscriber = { workspace = true }
+serde = { workspace = true }
+serde_json = { workspace = true }
+reqwest = { workspace = true }