M·S
Mid Solution Programs Software Quality Assurance Portal
Public docs · vrule-dmn-tck

Methodology + trust model

DMN-TCK Audit Methodology

This document explains exactly what dmn-tck-audit does so an auditor can decide whether the report it produces is meaningful.

Subject under test

The subject under test is a deterministic Business Rule Engine. Inputs:

Output:

The internal representation the engine uses to evaluate rules — how DMN gets compiled, what the bytecode looks like, how the runtime is deployed — is intentionally outside the audit scope. The audit verifies behaviour against the public DMN-TCK kit and nothing else.

Test corpus

The bundle ships the official DMN Technology Compatibility Kit unmodified, copied from github.com/dmn-tck/tck. The exact upstream commit used is recorded in tck-corpus.upstream.txt. Per-file SHA-256 hashes are recorded in tck-corpus.SHA256 so the auditor can confirm no DMN file or test XML has been altered.

The kit declares three buckets:

BucketCompliance claim
compliance-level-2Public Level 2 conformance
compliance-level-3Public Level 3 conformance
non-compliantNegative-path tests, not part of any conformance claim

dmn-tck-audit verify --scope compliant (the default) runs Level 2 and Level 3 only. Use --scope all to also exercise the non-compliant bucket; results from that bucket must be reported separately and never rolled into a Level 2 / Level 3 figure.

What a single test case does

For each <testCase> in the kit:

  1. The CLI reads the DMN file referenced by <modelName> and the <inputNode> values declared in the test XML.
  2. The CLI builds a JSON input document keyed by inputNode name.
  3. The CLI POSTs { dmn_xml, input, decision_name } to POST /dmn-tck/v1/verify on the configured rule engine endpoint.
  4. The endpoint returns a signed envelope:
    • envelope_b64 — base64 of the canonical JSON envelope.
    • signature_hex — Ed25519 signature over those exact bytes.
  5. The CLI verifies the signature against the bundled audit-server.pubkey. A bad signature aborts the case and records fail_bad_signature.
  6. The CLI parses the envelope (decision, outputs, server_case_id, timestamp).
  7. The CLI compares outputs against the <expected> value from the test XML. Comparison is performed locally — the rule engine cannot fake a pass.

Comparison rules

Any mismatch is recorded with the expected value, the actual value, and the decision name searched. The report is the source of truth for what failed and why.

Trust model

Three independent properties hold the audit together:

  1. Corpus integrity. Per-file SHA-256 in tck-corpus.SHA256 and the upstream commit hash in tck-corpus.upstream.txt allow the auditor to confirm that the kit shipped in this bundle is the same kit anyone can fetch from github.com/dmn-tck/tck.
  2. Response correctness. The endpoint returns materialized output, not a boolean. The CLI compares output against the expected value declared in the kit. A server cannot cause the CLI to print "pass" without producing the right value.
  3. Response authenticity. Each response is wrapped in an Ed25519-signed envelope. The CLI refuses to accept any case whose signature does not verify against the bundled public key.

The signature does not prove the engine is correct — it proves the response came from the holder of the matching private key. Correctness still rests on the comparison in property (2).

What the report contains

dmn-tck-audit verify --report-out report.json writes a structured JSON document with:

What the audit does not do

Reproducibility

A run is reproducible to the extent that:

← All docs for vrule-dmn-tck  ·  Program landing