laboratori-cloud/.planning/phases/03-lab-02-network-vpc/03-VALIDATION.md

---
phase: 3
slug: lab-02-network-vpc
status: draft
nyquist_compliant: false
wave_0_complete: false
created: 2026-03-25
---

# Phase 3 — Validation Strategy

> Per-phase validation contract for network isolation and VPC simulation testing.

---

## Test Infrastructure

| Property | Value |
|----------|-------|
| **Framework** | bash (test scripts) |
| **Config file** | none |
| **Quick run command** | `bash labs/lab-02-network/tests/quick-test.sh` |
| **Full suite command** | `bash labs/lab-02-network/tests/run-all-tests.sh` |
| **Estimated runtime** | ~30 seconds |

---

## Sampling Rate

- **After every task commit:** Run `bash labs/lab-02-network/tests/quick-test.sh`
- **After every plan wave:** Run `bash labs/lab-02-network/tests/run-all-tests.sh`
- **Before `/gsd:verify-work`:** Full suite must be green
- **Max feedback latency:** 30 seconds

---

## Per-Task Verification Map

| Task ID | Plan | Wave | Requirement | Test Type | Automated Command | File Exists | Status |
|---------|------|------|-------------|-----------|-------------------|-------------|--------|
| 03-01-01 | 01 | 1 | LAB-02, TEST-01 | unit | `bash labs/lab-02-network/tests/test-network-isolation.sh` | ❌ W0 | ⬜ pending |
| 03-01-02 | 01 | 1 | INF-02 | integration | `bash labs/lab-02-network/tests/test-private-network-no-expose.sh` | ❌ W0 | ⬜ pending |
| 03-02-01 | 02 | 1 | DOCT-01, DOCT-02 | documentation | File existence check | ❌ W0 | ⬜ pending |
| 03-03-01 | 03 | 2 | LAB-02, INF-02 | infrastructure | `docker-compose config` + container ping test | ❌ W0 | ⬜ pending |

*Status: ⬜ pending · ✅ green · ❌ red · ⚠️ flaky*

---

## Wave 0 Requirements

- [ ] `labs/lab-02-network/tests/test-network-isolation.sh` — stubs for network isolation tests
- [ ] `labs/lab-02-network/tests/test-private-network-no-expose.sh` — stubs for INF-02 compliance
- [ ] `labs/lab-02-network/tests/run-all-tests.sh` — test orchestration script
- [ ] `labs/lab-02-network/tests/quick-test.sh` — quick validation script

---

## Manual-Only Verifications

| Behavior | Requirement | Why Manual | Test Instructions |
|----------|-------------|------------|-------------------|
| Visual verification of network topology | LAB-02 | Requires human interpretation of docker network ls output | Student runs `docker network ls` and compares to expected VPC structure |
| Documentation completeness | DOCT-01, DOCT-02, DOCT-03, DOCT-04 | Requires human judgment of Diátaxis quadrant coverage | Instructor reviews all 4 quadrants for completeness |

---

## Validation Sign-Off

- [ ] All tasks have `<automated>` verify or Wave 0 dependencies
- [ ] Sampling continuity: no 3 consecutive tasks without automated verify
- [ ] Wave 0 covers all MISSING references
- [ ] No watch-mode flags
- [ ] Feedback latency < 30s
- [ ] `nyquist_compliant: true` set in frontmatter

**Approval:** pending

---

## Integration Points

### Phase 2 Dependencies
- IAM concepts from Lab 01 are foundational but Network lab can run independently
- Test script patterns from Phase 2 (run-all-tests.sh, color output) should be reused

### Future Phase Dependencies
- Lab 04 (Storage & S3) will use networks created in this phase
- Lab 05 (Database) will place database in private network created here
- Network isolation is prerequisite for multi-tier architecture

### INF-02 Compliance Verification
- Private networks must NOT expose ports on 0.0.0.0
- Test verifies `docker-compose config` output for `127.0.0.1:PORT:PORT` pattern
- Manual verification: `netstat -tlnp | grep docker` shows no 0.0.0.0 bindings for private services