KES Cutover Parity Checklist
Control-Plane Reads
GET /kes-orchestrator/cases?page=1&pageSize=...GET /kes-orchestrator/cases/:idGET /kes-orchestrator/cases/:id/projectionGET /kes-orchestrator/control-planeGET /kes-orchestrator/suggestions
Process-Map Checks
GET /kes-orchestrator/process-mapPUT /kes-orchestrator/process-mapwith authenticated operator fixture- denial path for unauthenticated
PUT /kes-orchestrator/process-map
Case / Task / Inspection Action Checks
POST /kes-orchestrator/casesPOST /kes-orchestrator/cases/:id/approve-landownerPOST /kes-orchestrator/cases/:id/publish-auctionPOST /kes-orchestrator/cases/:id/confirm-fundingPOST /kes-orchestrator/cases/:id/tasksPOST /kes-orchestrator/cases/:id/inspectionsPOST /kes-orchestrator/cases/:id/close
Payment-Sensitive Ingress Checks
POST /kes-orchestrator/cases/:id/payments/request- verify KYC boundary behavior
- verify signature gate behavior
POST /kes-orchestrator/payments/:id/approve- verify signature gate behavior
POST /kes-orchestrator/payments/:id/settle- verify signature gate behavior
Auth-Protected Denial Checks
- unauthenticated
POST /kes-orchestrator/cases - unauthenticated
PUT /kes-orchestrator/process-map - unauthenticated payment mutation path
Env-Cutover Checks
- fallback mode with
KES_ORCHESTRATOR_SERVICE_URLunset or pointing tohttp://localhost:4020 - extracted cutover mode with
KES_ORCHESTRATOR_SERVICE_URL=http://localhost:4025 - verify route shape remains identical on gateway
- verify auth behavior remains identical on gateway
Rollback Checks
- revert
KES_ORCHESTRATOR_SERVICE_URLback tohttp://localhost:4020or unset it - restart API only
- confirm fallback path works again immediately
Event-Backbone Note
Parity for the first cut should be interpreted as:
- KES HTTP/runtime parity
- KES route/support parity
- KES persistence parity
It is not a claim that the extracted KES runtime already owns:
- Kafka relay
- broader projection pipeline
- idempotency store
- DLQ / replay tooling
Those remain shared outside first-cut KES ownership by design.