Testing & Validation

How to test your EEP implementation for conformance.

Compliance CLI

The fastest way to check a running deployment's end-to-end EEP conformance (live HTTP surface):

Run Compliance
npx @eep-dev/compliance-cli \
  --target https://api.yourplatform.com \
  --api-key sk_test_... \
  --entity u/test-entity \
  --report-json ./eep-audit.json \
  --report-md ./eep-audit.md

The CLI reports pass/fail checks, a score_100 summary, and concrete recommendations for failed checks. Use JSON output in CI and Markdown output for human review during release gates.

Setup CLI artifact checks

eep-setup verify (from @eep-dev/setup-cli) validates a generated artifact tree (manifests, OpenAPI fragments, etc.) — complementary to the compliance CLI, which exercises a live API. For CI patterns, see EEP-ready verification ↗.

Schema Validation

Validate CloudEvent
import Ajv from 'ajv';
import schema from './schemas/v0.1/event.envelope.json';


const ajv = new Ajv();
const validate = ajv.compile(schema);
const valid = validate(yourEvent);
if (!valid) console.error(validate.errors);

Unit Testing: Signer

Signer Tests
import { EEPSigner, verifyEEPWebhook } from '@eep-dev/signer';


test('sign and verify', () => {
  const signer = new EEPSigner('test-secret');
  const sig = signer.sign('msg_1', '1708123456', '{"data":"test"}');
  expect(sig).toBeTruthy();


  const valid = verifyEEPWebhook('{"data":"test"}', {
    'webhook-id': 'msg_1',
    'webhook-timestamp': '1708123456',
    'webhook-signature': `v1,${sig}`,
  }, 'test-secret');
  expect(valid).toBe(true);
});

Unit Testing: Gates

Gate Tests
import { parseGateConfig, resolveAccess, ProofVerifierRegistry } from '@eep-dev/gates';


test('resolves access correctly', async () => {
  const config = parseGateConfig({
    default_tier: 'public',
    tiers: {
      public: { requirements: [], access: ['profile.summary'] },
      premium: {
        requirements: [{ type: 'payment', amount: 5, currency: 'usd', per: 'month' }],
        access: ['*'],
      },
    },
  });


  const registry = new ProofVerifierRegistry();
  const result = await resolveAccess([], config, 'profile.summary', registry);
  expect(result.granted).toBe(true);
  expect(result.tier).toBe('public');
});

Integration Testing: SSRF

SSRF Tests
import { validateSSRF } from '@eep-dev/validator';


test('blocks private IPs', async () => {
  await expect(validateSSRF('http://127.0.0.1/callback'))
    .rejects.toThrow('SSRFError');


  await expect(validateSSRF('http://10.0.0.1/callback'))
    .rejects.toThrow('SSRFError');


  await expect(validateSSRF('http://169.254.169.254/latest/meta-data'))
    .rejects.toThrow('SSRFError');
});