# Validation Ledger

This file records concrete validation outcomes rather than aspirations.

## 2026-04-03

Environment:

- host workspace: `/home/uprootiny/damm`
- local Node.js version: `v22.14.0`
- Rust present
- no `HCLOUD_TOKEN` in environment at validation time
- no `DIGITALOCEAN_TOKEN` in environment at validation time

Validated:

- `npm test` passed with 18 passing tests.
- integration coverage now includes spawned control-plane lifecycle, enroll, admin login, signed catalog verification, key rotation, and revoke.
- `npm run tracer` completed successfully.
- tracer artifacts included:
  - enrolled device response
  - signed catalog envelope
  - admin login token
  - admin audit event
  - gateway config
  - deployment plan
  - reconcile plan
  - apply-plan output
- `node orchestrator/hetzner-smoke.js locations` completed in plan mode.
- `node orchestrator/hetzner-smoke.js ingress --region eu-central` completed in plan mode.
- `node orchestrator/hetzner-smoke.js egress --region eu-central` completed in plan mode.
- `node orchestrator/apply-plan.js --mode plan --policy examples/provider-policy.json ...` completed successfully.
- `node orchestrator/hetzner-cleanup.js --region eu-central ...` completed in plan mode.
- provider policy gating is implemented and tested.
- payment credential handling model documented.
- Raindesk Observatory free-stack integration path documented as a potential advisory sidecar.
- `nix flake show --all-systems` evaluated successfully and exposed `checks.x86_64-linux.damm-lab`.
- `bash scripts/run-nix-lab.sh` failed fast with a correct host-prerequisite message because `/dev/kvm` is absent in this environment.

Trustworthy evidence files:

- `data/tracer-enroll-response.json`
- `data/tracer-catalog.json`
- `data/tracer-admin-login.json`
- `data/tracer-audit.json`
- `data/tracer-gateway.conf`
- `data/tracer-deployment-plan.json`
- `data/tracer-reconcile-plan.json`
- `data/tracer-apply-results.json`
- `data/hetzner-locations.json`
- `data/hetzner-ingress-smoke.json`
- `data/hetzner-egress-smoke-2.json`

Known gaps:

- no live provider provisioning was executed because provider API tokens were absent
- control-plane persistence is still JSON-backed rather than database-backed
- no benchmark history has been recorded yet beyond ad hoc local runs
- the Nix virtual lab has not been fully executed end to end on this host because KVM is unavailable here
- gateway registration is not yet implemented
- client failover logic is not yet implemented
