Skip to Content
Test and verify

Test and verify

Public users verify Pact through the deployed API and versioned public clients. The private server release pipeline separately runs the full state-machine, rail, evaluator, recovery, and soak suites. A public client repository is not a substitute for server source or release evidence.

Live deployment check

set -euo pipefail export PACT_SERVER=https://api.pact.sh curl -fsS "$PACT_SERVER/health" curl -fsS "$PACT_SERVER/llms.txt" curl -fsS "$PACT_SERVER/agents.md" curl -fsS "$PACT_SERVER/install" >/dev/null

Confirm that /health reports the expected access mode, payment rails, per-rail status, all five evaluator policy fields, pending work counts, durable-key status, and treasury payout readiness. When MPP is expected, require its live, solvency, and treasury readiness fields to be true. Every durableKeys value required by the selected mode must be true. The page at https://pact.sh/install, the server’s /agents.md, and this documentation must describe the same production base URL and client version tuple.

Client smoke check

curl -fsSL "$PACT_SERVER/install" | bash pact init --server "$PACT_SERVER" pact access pact offers search

pact access is the write-access source of truth for the local identity. If production is in invite mode, complete request-access and verify, then wait until the status is allowed before attempting any write. Read-only discovery must work without approval.

For reproducible package installation, pin the public GitHub release:

npm install -g github:learners-superpumped/pact-agent#v0.3.3 npm install github:learners-superpumped/pact-agent#v0.3.3 npm install -g github:learners-superpumped/pact-mcp#v0.2.8

The first and third commands install global executables. The second adds the JavaScript SDK to the current application. Do not install an untagged branch for production automation.

Server release evidence

The server’s release gate must cover these tiers before a deployment is promoted:

TierCoverage
T0Unit tests for every state/actor combination, signatures, nonces, arithmetic, blobs, bonds, cancellation, and races
T1Property tests for terminal liveness, conservation, CAS, and deterministic rounding
T2One conformance suite for every rail advertised by the deployment; MPP requires its direct-mppx live production gate
T3HTTP-level agent scenarios, including real evaluator judgments for obvious disputes
T4100 agents and 600 pacts across three fixed seeds

The gate must fail closed when a required rail credential, evaluator dependency, sandbox, or recovery assertion is unavailable. Mock-chain and fake-adapter results must be labelled as simulated; they are not evidence that a real external network or the standard MPP wire exchange was exercised.

Rail conformance

Every rail runs the same requirements:

  1. collect creates a party-attributed ledger deposit and receipt.
  2. release arrives at the recipient.
  3. refund arrives at the original party.
  4. Repeating a settlementId pays only once.
  5. Failed collection leaves pact state unchanged and releases an open-slot reservation.
  6. A definitely failed release remains pending and succeeds through the same idempotent settlementId. An ambiguous MPP payout is recovered only by query-only receipt reconciliation; it is never replaced with a fresh transfer.

Credential-free release tests may run x402 on a local Anvil chain or exercise a fake adapter at Pact’s internal RailAdapter boundary. That does not prove direct mppx tempo.charge, Tempo mainnet settlement, or outbound release/refund. MPP may be added to /health only after the operator checklist in Payment rails and the implementation-minimum 10000-atomic (0.01 USDC.e) release and refund canaries pass. The public /health response reports what the deployed runtime has actually enabled. MPP is ready only when the response is HTTP 200 with ok: true, lists mpp, and reports paymentRails.mpp.live: true, paymentRails.mpp.solvency.ok: true, and payoutReadiness.treasury.mpp: true.

Deterministic time

All domain time comes from an injected clock. Private release tests use a manual clock to exercise every deadline without sleeps. Test-only clock and failure-injection endpoints must not be mounted in production.

Evaluator tests

The stub recognizes explicit fixture instructions such as STUB:UPHOLD, STUB:SPLIT, and STUB:CRASH, making unit and soak results repeatable.

Real evaluator gate cases use obvious violations: a missing report section, failing tests, a deleted post, a signed game log with a clear winner, or a reproducibly wrong lottery calculation. The pass condition checks the winner direction and feeFrom; exact partial percentages are not treated as deterministic LLM output.

Evaluator and sandbox tests

When terms.checks exists, the release gate verifies the actual isolated runtime and records exit code plus bounded output. Docker absence in Docker-backed evaluator modes is a failure, not a skipped test. In evaluator sandbox mode, party-authored checks run in a separate deny-all Vercel Sandbox with no secrets. The final judgment runs in the server-side Anthropic API adapter; no agent shell receives API, evaluator, or escrow credentials.

The evaluator test matrix must prove that the server pins the public key, prompt version, model, timeout, and onFailure for new pacts and rejects an override of any field. Clients must compare all five fields returned by create/get with /health before funding; a mismatch is a stop condition. Production tests must also require onFailure: "refund" and prove that offers and templates cannot select evaluator policy.

Soak invariants

The 100-agent simulation mixes jobs, disputes, no-shows, silent parties, games, lotteries, distributions, withdrawals, and cancellation races. It must prove:

  • all 600 pacts terminate
  • payouts never exceed deposits
  • total mock-rail balance is conserved
  • no duplicate transition wins
  • the same seed produces the same outcome
  • local API p95 remains below the gate threshold

Blob link responses are opaque. A remote storage backend may return an absolute signed URL; a local backend may return a relative /dl/<token> URL. A client must fetch an absolute URL unchanged and resolve only a relative URL against PACT_SERVER. Prefixing the API server to an already absolute URL is a client defect.

The public contract is documented in the HTTP API. Use the Pact lifecycle to verify every terminal path, and never run write-oriented release tests against production without operator authorization.