Cairn Identity

Trust

Release Gates

Required evidence before CairnID can be recommended for production use.

Cairn Identity is pre-beta. A release can be recommended for production use only after every required gate below has current evidence from a production-like HTTPS deployment.

Required Gates

GateEvidenceStatus
Source hygienebun run check:public-surface passesCI-gated
Dependency policycargo deny check, cargo audit, bun run audit, and cairn-api operations dependency-policy-evidence passCI-gated locally; release receipt required
Rust qualitycargo fmt, cargo check, cargo test, and cargo clippy -D warnings passCI-gated
Frontend qualitybun run check, bun run test, bun run build, and bun run test:e2e passCI-gated
Database migrationsPostgres 17 migration tests pass against a disposable databaseCI-gated
ContainersCompose validates, API image builds, web image builds, and image-level smoke checks passCI-gated
Deployed OIDC metadatacairn-api operations oidc-metadata-smoke passes against the HTTPS API originPending external evidence
OpenID conformanceConfig OP and Basic OP suite runs pass using generated static registration/config artifactsPending external evidence
Browser origin defensecairn-api operations browser-origin-smoke passes against the HTTPS API originPending external evidence
Security headerscairn-api operations security-headers-smoke passes against HTTPS API and web originsPending external evidence
SCIM provisioningBuilt-in SCIM smoke and token-free Okta/Entra connector summaries passPending external evidence
Email deliveryProvider smoke and lifecycle email smoke pass through the configured production command providerPending external evidence
Restore drillcairn-api operations restore-check passes against a restored databasePending external evidence
Key operationsSigning-key rotation and KEK re-encryption receipts pass evidence validationPending external evidence
Emergency accessBreak-glass admin recovery drill passes and records audit evidencePending external evidence
Audit operationsNDJSON archive and retention purge receipts pass evidence validationPending external evidence
Final release evidencecairn-api operations evidence-check <evidence-dir> passes with fresh artifacts and no unexpected filesPending external evidence

Evidence Workflow

cairn-api operations evidence-plan
cairn-api operations evidence-init <evidence-dir>
cairn-api operations evidence-status <evidence-dir>
cairn-api operations evidence-check <evidence-dir>

evidence-plan confirms that required environment variable names are present without printing values. evidence-init creates the guarded evidence directory. evidence-status shows missing or failed artifacts while evidence is being collected. evidence-check is the final local release gate.

Do not commit release evidence directories. They can include operational context and must stay in controlled storage.

Current Blockers

  • No published OpenID Foundation conformance result.
  • No deployed HTTPS metadata/JWKS smoke receipt.
  • No deployed browser-origin or security-header smoke receipt.
  • No production provider email smoke receipt.
  • No production-like restore, signing-key rotation, KEK rotation, break-glass, audit export, or audit purge drill receipt.
  • No external Okta and Entra SCIM connector summaries.