Step 9 of 10

Verification strategy

Canonical verification approach for Restormel Keys integrations — during rollout and ongoing.

This document defines three layers of verification: dashboard checks (visual, no code), CLI checks (terminal, scriptable), and smoke tests (HTTP, automatable). Use all three during cutover (Phase 6) and the first two on an ongoing basis.

1. Verification layers
LayerWhen to useWho runs itAutomatable?
DashboardAfter any config change (route, policy, credential); during cutover monitoringHuman (or browser automation)Partially
CLIAfter install, before deploy, in CI, during cutoverHuman or CIYes
Smoke testsAfter deploy, during cutover, as a scheduled health checkCI or cronYes
2. Dashboard checks

Open the Dashboard and verify the following. These checks require no code — just visual confirmation. You can also try the embeddable KeyManager and ModelSelector and run doctor/validate-style checks in the Sandbox (after signing in).

2.1 Project health

What to checkWhereExpected
Project existsProjects listYour project is listed
Environment existsProject → Environmentsproduction (and staging if used)
Gateway Key existsProject → API KeysAt least one key with rk_… prefix
Provider credentials validProject → Provider CredentialsGreen "valid" status for each configured provider

2.2 Route health

What to checkWhereExpected
Routes existProject → RoutesAt least one route (e.g. ingestion, interactive)
Steps in correct orderRoute detailSteps listed in your intended fallback order
Route mode correctRoute detailfallback_chain (or your intended mode)

2.3 Policy health

What to checkWhereExpected
Policies existProject → PoliciesAt least one policy (e.g. model_allowlist)
Policy scope correctPolicy detailScoped to the right project/environment
No conflicting policiesPolicies listNo two policies that contradict each other

2.4 Usage and logs

What to checkWhereExpected
Request count non-zeroProject → UsageAfter cutover, requests appear
No error spikesProject → Usage / LogsError rate comparable to or lower than pre-cutover
Correct route distributionProject → UsageTraffic hitting the expected routes
3. CLI checks

These checks run in a terminal and can be scripted into CI.

3.1 Restormel Doctor (npx @restormel/doctor)

bash
npx @restormel/doctor

Checks: Framework detection, packages installed, config file validity, and whether local provider keys are present (if you use them).

Expected: Exit code 0, all checks green.

When to run: After install (Phase 1), before every deploy, in CI on every PR.

3.2 Restormel Validate (npx @restormel/validate)

bash
npx @restormel/validate

Checks: Provider access verification for the mode you’ve chosen: gateway-backed (canary request through gateway / auth + reachability) or builder-managed direct (presence/shape checks for required env vars and optional canary calls if you explicitly enable them).

Expected: Exit code 0 if checks pass. Exit code 1 if verification fails.

When to run: Before deploy, in CI on a schedule (e.g. daily), after rotating any gateway/provider credentials in your own infrastructure.

TipRestormel Validate is designed for CI gates. It exits 1 when verification fails, so deploys fail when your provider-access layer (gateway or env-backed) is misconfigured or unhealthy.
yaml
# .github/workflows/deploy.yml
- name: Validate Restormel keys
  run: npx @restormel/validate

3.3 keys estimate (optional)

bash
npx @restormel/keys-cli estimate gpt-4o --input 1000 --output 500

Checks: Returns the estimated cost for a given model and token count.

When to run: Before enabling a new model in a route, to understand cost implications.

4. Smoke tests

HTTP-based tests that verify the resolve endpoint and policy evaluation. Automatable; run after every deploy and on a schedule.

4.1 Resolve smoke test

POST to the resolve endpoint with your project ID, environment, and route ID. Expect HTTP 200 and a non-null providerType (and modelId) in the response. Use RESTORMEL_GATEWAY_KEY for auth.

Expected: HTTP 200, non-null provider in response.

4.2 Fallback smoke test

Create a dedicated test route in the dashboard with a deliberately failing first step (e.g. invalid provider), then a second step (e.g. OpenAI). Call resolve for that route and confirm the result is the fallback provider.

Expected: Resolve returns the fallback step's provider.

4.3 Policy smoke test

Call the policy evaluate endpoint for an allowed model (expect allowed: true) and for a blocked model (expect allowed: false). Use RESTORMEL_GATEWAY_KEY from your backend for auth.

4.4 Combined smoke test script

The script from Phase 6 (Step 6.4) combines all checks:

bash
pnpm run smoke:restormel
5. Ongoing monitoring recommendations
WhatHowFrequency
Resolve latencyLog time per restormelResolve() call; alert if p95 > 200msEvery request
Resolve errorsCount errors from resolve client; alert on spikeEvery request
Fallback rateCount fallback-to-legacy or next-step events; alert if > 5%Every request
Credential expiryRestormel Validate in CI; alert on exit code 1Daily
Policy violationsDashboard logs; alert if unexpected blocksDaily
Budget utilisationDashboard usage; alert at 80% of capDaily
Config driftRestormel Doctor in CI; alert on warningsEvery deploy

Implementors: See “Agent prompts” below for a ready-to-run CI prompt.

6. Verification schedule summary
EventChecks to run
Phase 1 completeRestormel Doctor
Phase 2 completeRestormel Doctor, resolve curl test
Phase 3 completeResolve with route ID, fallback test
Phase 4 completePolicy evaluate (allowed + blocked)
Phase 5 completeVisual: ModelSelector renders, callbacks fire
Phase 6 cutoverFull smoke test, dashboard usage, error rate
OngoingRestormel Doctor + Restormel Validate in CI; smoke test on schedule; dashboard monitoring

Checkpoint checklist: mark each section complete as you read it.

Checklist

Prompts for this phase

These are optional and collapsed by default. Use them if you're adding verification and CI gates with a coding agent.

See the Walkthrough index for the full phase listing and related docs.