ULTIMA — Test Suite

Checks Phoenix HTTP, NIF module loaded, all core agents (KeyVault, SigningVault, NoiseGuard, TimingCountermeasure, SecurityMonitor, XqClient, Tunnel.Connector, Tunnel.Listener) registered and alive, XQ session present.

20-iteration average for: ML-KEM-768 encap/decap, ML-DSA-65 sign/verify, ML-DSA-87 sign/verify, AES-256-GCM enc/dec 1 KB, full DSA65+AES256 send/recv pipeline. Microsecond resolution via Erlang monotonic clock.

TimingCountermeasure agent alive, constant-time compare with equal inputs, constant-time compare with length mismatch, NoiseGuard SHAKE-256 DRBG health, FIPS entropy noise generation, CPU feature detection, register-scrub callable.

Runs the Elixir NIF-backed SFT v2.1 tests: 10 MB chunked roundtrip, IV uniqueness at scale, chunk-reorder rejection via AAD, cross-session injection rejection, opener tampering rejection, session replay rejection. Source: test_sft_v21.exs.

NIF cross-verification of the Chat v2.1 envelope: wrong-secret-key decap (A1), wrong-DSA-PK verify (A2), enc bit-flip (A3a/A3b), kemCt substitution (A4), cross-account decap (A6), sender-name A8 scope gap validation. Cryptographic reference implementation only — does not drive browser.

Stores the 2026-04-08 full test-battery results: reverse direction, key rotation, revoked-key, invite flow, expired-key warning, multi-device selection, bidirectional rapid exchange, 1 MB chunked transfer, stale session offline decrypt. Result cache shown inline.

39-test FIPS 203 (ML-KEM) + FIPS 204 (ML-DSA) compliance battery: deterministic keypair from seed, encapsulate/decapsulate roundtrip, sign/verify with known-answer test vectors, wrong-input rejection, edge-case lengths. Uses NIF reference.

Sends a marker message through the live PQC tunnel (Kyber768 + AES-512 + Dilithium5 via sender_encrypt_sign_87_512), waits for peer acknowledgement, reports round-trip latency. Tests live tunnel health, not cryptographic correctness.