From bc04aa99393d9adc09dd331885ea6da32aaf79a5 Mon Sep 17 00:00:00 2001
From: Scot Wells <wells.scot@gmail.com>
Date: Thu, 25 Jun 2026 14:35:06 -0500
Subject: [PATCH] test(e2e): prove the edge's core guarantees with real traffic

Adds four end-to-end scenarios that send real traffic through the edge and
confirm the promises customers depend on: the firewall enforces, an offline
origin fails cleanly, the branded error page shows, and one bad certificate
can't break its neighbors. Each asserts on a real response, not just that the
control plane wrote the config. Includes a plain-language guide to how we
test the edge and what we can't yet guarantee.

These scenarios need the two-cluster production-fidelity environment, so they
live under test/e2e-edge (separate from the single-stack test/e2e suite the
default CI runs) and execute via `task test-infra:e2e` against that environment.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01JbCy8vy66RdNYzGSgqH6P6
---
 docs/testing/README.md                        |  87 +++
 test/e2e-edge/README.md                       |  87 +++
 .../_fixtures/certs/expired-cert-secret.yaml  |  14 +
 test/e2e-edge/_fixtures/certs/gen-certs.sh    |  84 +++
 .../_fixtures/connector-tunnel/Dockerfile     |  13 +
 .../_fixtures/connector-tunnel/go.mod         |   3 +
 .../_fixtures/connector-tunnel/main.go        |  94 +++
 .../_fixtures/connector-tunnel/manifest.yaml  |  66 ++
 test/e2e-edge/_fixtures/echo-backend.yaml     |  46 ++
 test/e2e-edge/_fixtures/waf-corpus.txt        |  30 +
 test/e2e-edge/_steps/assert-config-dump.yaml  | 156 ++++
 .../e2e-edge/_steps/assert-http-response.yaml | 152 ++++
 test/e2e-edge/_steps/capture-build-id.yaml    | 115 +++
 .../_steps/flip-connector-liveness.yaml       |  78 ++
 test/e2e-edge/_steps/wait-config-settle.yaml  |  85 +++
 .../chainsaw-test.yaml                        | 672 ++++++++++++++++++
 .../branded-error-page/chainsaw-test.yaml     | 480 +++++++++++++
 .../connector-offline-503/chainsaw-test.yaml  | 546 ++++++++++++++
 .../extension-server-smoke/chainsaw-test.yaml | 337 +++++++++
 .../waf-enforcement/chainsaw-test.yaml        | 440 ++++++++++++
 20 files changed, 3585 insertions(+)
 create mode 100644 docs/testing/README.md
 create mode 100644 test/e2e-edge/README.md
 create mode 100644 test/e2e-edge/_fixtures/certs/expired-cert-secret.yaml
 create mode 100755 test/e2e-edge/_fixtures/certs/gen-certs.sh
 create mode 100644 test/e2e-edge/_fixtures/connector-tunnel/Dockerfile
 create mode 100644 test/e2e-edge/_fixtures/connector-tunnel/go.mod
 create mode 100644 test/e2e-edge/_fixtures/connector-tunnel/main.go
 create mode 100644 test/e2e-edge/_fixtures/connector-tunnel/manifest.yaml
 create mode 100644 test/e2e-edge/_fixtures/echo-backend.yaml
 create mode 100644 test/e2e-edge/_fixtures/waf-corpus.txt
 create mode 100644 test/e2e-edge/_steps/assert-config-dump.yaml
 create mode 100644 test/e2e-edge/_steps/assert-http-response.yaml
 create mode 100644 test/e2e-edge/_steps/capture-build-id.yaml
 create mode 100644 test/e2e-edge/_steps/flip-connector-liveness.yaml
 create mode 100644 test/e2e-edge/_steps/wait-config-settle.yaml
 create mode 100644 test/e2e-edge/atomic-reject-isolation/chainsaw-test.yaml
 create mode 100644 test/e2e-edge/branded-error-page/chainsaw-test.yaml
 create mode 100644 test/e2e-edge/connector-offline-503/chainsaw-test.yaml
 create mode 100644 test/e2e-edge/extension-server-smoke/chainsaw-test.yaml
 create mode 100644 test/e2e-edge/waf-enforcement/chainsaw-test.yaml

diff --git a/docs/testing/README.md b/docs/testing/README.md
new file mode 100644
index 00000000..8de1abba
--- /dev/null
+++ b/docs/testing/README.md
@@ -0,0 +1,87 @@
+# Testing the Datum edge
+
+This is the map for how we test the network-services-operator (NSO) — what we
+prove, and why it's built the way it is. It's written for anyone who wants to
+understand the safety net, not just the people who maintain it.
+
+## Why this exists
+
+NSO programs the edge: when a customer creates a Gateway, a route, a web-app
+firewall policy, or a connector, NSO turns that intent into live configuration
+on the Envoy proxies that actually serve customer traffic. The hard part isn't
+producing the configuration — it's making sure the configuration that lands on
+the running proxy *does what the customer asked*.
+
+Almost every production incident in this system has shared one shape:
+
+> **The configuration was logically correct, the platform reported success, but
+> the running proxy behaved differently than intended** — a firewall rule that
+> protected nothing, an offline backend that still returned a blank error, a
+> branded error page that never appeared, a single bad certificate that froze a
+> whole shared listener.
+
+These failures are invisible to ordinary tests. The Kubernetes resources report
+"Programmed = True," unit tests pass, and the gap only shows up when real
+traffic — often a real *attack* — arrives at the edge. So our testing is built
+around one principle:
+
+**Prove behavior at the edge with real traffic, against an environment that
+looks like production — not against the platform's own report of success.**
+
+## The two ideas everything rests on
+
+**1. Production fidelity.** The recent incidents lived precisely on the axes
+where our old test environment differed from production: the proxy version, the
+"fail closed" availability coupling, the firewall data plane, and multi-cluster
+replication. So the test environment stands up the *real* shape of the edge —
+the same proxy version, the same extension server that rewrites configuration,
+the same firewall image, and the same federation mechanism that fans
+configuration out to edge clusters. If a test passes here, it passes against
+something production actually runs. This environment is brought online with a
+single command set (`task test-infra:up`); see
+[`Taskfile.test-infra.yml`](../../Taskfile.test-infra.yml).
+
+**2. Traffic-first, with a tie-breaker.** Every test's verdict is the
+*observed behavior* of real traffic through the real proxy — a blocked attack,
+a 503 for an offline backend, the branded page in the response body. We never
+let "the platform says it worked" stand in for "the edge did the right thing."
+
+Real traffic alone has one blind spot, though: a firewall that protects nothing
+and a firewall that's simply not being attacked produce the *same* successful
+response. So traffic is backed by a **parity check** — a comparison of what the
+edge was told to do against what the running proxy is actually doing — which
+turns a surprising result into a diagnosis instead of a guess. Traffic is always
+the verdict; parity is the tie-breaker that catches the silently-inert case.
+See [`test/parity/README.md`](../../test/parity/README.md).
+
+## What we guarantee
+
+The end-to-end suite ([`test/e2e-edge/README.md`](../../test/e2e-edge/README.md)) turns
+each past incident into a standing guarantee, checked against real traffic:
+
+- **A web-app firewall actually blocks attacks** — a malicious request is
+  refused while a legitimate one still succeeds.
+- **An offline backend fails cleanly** — the customer path returns a real 503,
+  not a hang or a blank.
+- **Branded error pages reach the customer** — the styled page appears in the
+  actual response, not just in configuration.
+- **One bad certificate can't take down its neighbors** — an invalid listener
+  is isolated while the healthy listeners on the same proxy keep serving.
+
+And the federation layer ([`config/federation/README.md`](../../config/federation/README.md))
+proves that configuration created in the control plane genuinely arrives at the
+edge clusters that serve traffic.
+
+## Where things live
+
+| Area | What it covers |
+|---|---|
+| [`Taskfile.test-infra.yml`](../../Taskfile.test-infra.yml) | Brings the production-fidelity edge online and runs the suites |
+| [`test/e2e-edge/README.md`](../../test/e2e-edge/README.md) | The real-traffic guarantees, scenario by scenario |
+| [`test/parity/README.md`](../../test/parity/README.md) | The parity check that catches silently-inert configuration |
+| [`config/federation/README.md`](../../config/federation/README.md) | Fanning configuration out to edge clusters |
+
+> The design rationale that led here — the original audit of test-vs-production
+> gaps and the proposals for closing them — lives in the pull requests that
+> introduced this work, not in the repository, because it describes a plan
+> rather than the system as it stands today.
diff --git a/test/e2e-edge/README.md b/test/e2e-edge/README.md
new file mode 100644
index 00000000..952e28ea
--- /dev/null
+++ b/test/e2e-edge/README.md
@@ -0,0 +1,87 @@
+# End-to-end edge guarantees
+
+These tests prove that the Datum edge *behaves* the way customers expect, by
+sending real traffic through the real proxy and checking what actually comes
+back. They are the standing guarantees described in
+[`docs/testing/README.md`](../../docs/testing/README.md).
+
+## How a guarantee is checked
+
+Every scenario follows the same three-part check, in priority order:
+
+1. **The traffic verdict (always decisive).** The test makes a real request and
+   asserts on the real response — a blocked attack, a 503, a branded page, a
+   200 from a healthy listener. If the edge behaves wrongly, this fails. A test
+   is never satisfied by the platform merely *reporting* success.
+2. **The configuration is genuinely present.** A
+   [parity check](../parity/README.md) confirms the running proxy actually
+   carries the configuration it was told to — closing the blind spot where a
+   successful-looking response hides a rule that protects nothing.
+3. **It's the right configuration serving the request.** A build marker
+   confirms the response came from the configuration under test, not from stale
+   config left over from a previous state — so a pass can't be a timing fluke.
+
+The first is the point; the second and third exist so a surprising result
+becomes a diagnosis rather than a mystery.
+
+## The scenarios
+
+Each one corresponds to a past production incident, now held in place.
+
+### Web-app firewall enforcement
+A malicious request (matching the firewall's attack rules) must be refused,
+while a legitimate request to the same endpoint still succeeds. The test also
+flips the policy into observe-only mode and confirms the same attack is then
+*allowed* — proving the block is genuinely driven by the customer's firewall
+policy and not by some unrelated default. This guards the customer's actual
+protection, and the risk that a single bad firewall rule wedges the whole
+listener.
+
+### Offline backend returns a clean 503
+When a backend connector is offline, the customer-facing path must return a
+real 503 — not hang, and not serve a blank. This is checked as an observed
+response on the user path, because that's what a customer experiences.
+
+### Branded error page reaches the customer
+When the edge serves an error, the customer must receive Datum's styled page,
+confirmed by finding the page's content in the actual response body — not by
+trusting that the configuration was applied. Production once needed manual
+restarts to make this take effect, exactly the kind of inert-configuration gap
+this scenario now catches.
+
+### One bad certificate can't break its neighbors
+A single invalid certificate must not take down the other, healthy listeners
+sharing the same proxy. The test introduces a genuinely bad certificate and
+confirms its listener is isolated while sibling listeners keep serving real
+traffic — the "one bad resource freezes everything" failure mode, contained.
+
+## Running them
+
+The scenarios run against the production-fidelity environment:
+
+```
+task test-infra:up        # bring the edge online (proxy + extension server + firewall)
+task test-infra:smoke     # quick confidence check: real traffic serves
+task test-infra:e2e       # the full guarantee suite above
+```
+
+See [`Taskfile.test-infra.yml`](../../Taskfile.test-infra.yml) for the
+environment these assume.
+
+## Layout
+
+- Scenario folders (`waf-enforcement/`, `connector-offline-503/`,
+  `branded-error-page/`, `atomic-reject-isolation/`) — one guarantee each.
+- `_steps/` — shared, reusable checks (send-a-request, confirm-configuration,
+  capture-the-build-marker) so every scenario asserts behavior the same way.
+- `_fixtures/` — the supporting pieces a scenario needs (a sample backend, an
+  attack corpus, a pre-made bad certificate, the offline-backend stand-in).
+
+## A note on honesty
+
+Where the edge genuinely cannot yet do something, the suite says so rather than
+papering over it. The "offline backend recovers" path is deliberately held back
+because the edge today does not reliably re-apply configuration when a backend
+comes *back* online — and the test proves that gap exists instead of pretending
+it's closed. A guarantee we can't keep is documented as a gap, not asserted as
+a pass.
diff --git a/test/e2e-edge/_fixtures/certs/expired-cert-secret.yaml b/test/e2e-edge/_fixtures/certs/expired-cert-secret.yaml
new file mode 100644
index 00000000..305c8583
--- /dev/null
+++ b/test/e2e-edge/_fixtures/certs/expired-cert-secret.yaml
@@ -0,0 +1,14 @@
+# GENERATED by gen-certs.sh — do not edit by hand; re-run the script to refresh.
+#
+# A pre-minted EXPIRED certificate for bad.e2e.env.datum.net. Its validity window
+# (20260621000000Z .. 20260622000000Z) is in the past, so the extension server
+# drops the listener that references it while sibling listeners keep serving.
+apiVersion: v1
+kind: Secret
+metadata:
+  name: expired-leaf-tls
+  namespace: default
+type: kubernetes.io/tls
+data:
+  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJ0ekNDQVY2Z0F3SUJBZ0lVTW5lMFBkKzczaDFPcFh0YWo1eDlIbzRxR2Fjd0NnWUlLb1pJemowRUF3SXcKSURFZU1Cd0dBMVVFQXd3VlltRmtMbVV5WlM1bGJuWXVaR0YwZFcwdWJtVjBNQjRYRFRJMk1EWXlNVEF3TURBdwpNRm9YRFRJMk1EWXlNakF3TURBd01Gb3dJREVlTUJ3R0ExVUVBd3dWWW1Ga0xtVXlaUzVsYm5ZdVpHRjBkVzB1CmJtVjBNRmt3RXdZSEtvWkl6ajBDQVFZSUtvWkl6ajBEQVFjRFFnQUVKWEYyV0U1UmZzN2lJbkpmVWRWZHNRa0IKWU9aRWk1TmV3cmZ5T3hkRWdiZ2ViNnRGMkpUbHA5L2tMNUYweEkvSWpYeXpFWlF1YU9vMVNwWCtYd0pWS3FOMgpNSFF3SUFZRFZSMFJCQmt3RjRJVlltRmtMbVV5WlM1bGJuWXVaR0YwZFcwdWJtVjBNQXdHQTFVZEV3RUIvd1FDCk1BQXdEZ1lEVlIwUEFRSC9CQVFEQWdXZ01CTUdBMVVkSlFRTU1Bb0dDQ3NHQVFVRkJ3TUJNQjBHQTFVZERnUVcKQkJTaTRpOTB2VkEwdmlQU0k2aW9WdFFEdXFhOE5qQUtCZ2dxaGtqT1BRUURBZ05IQURCRUFpQTJmalMvbGVmNQpTRHFEMEt5UWJRV1hENlltMHg4NDJnU2VPMS9XZ041MHpnSWdYVHd4MWZwSTNVc0U1UXI4bkNXWk0wd044b0cyCkU4a0ttZUo1a3BDL3lFST0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
+  tls.key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUM3Ri9qbkVFSTBYQk12emg4K0lCaVVycG5MMnVGeEpFSUlMQWkyd1Q4eXlvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFSlhGMldFNVJmczdpSW5KZlVkVmRzUWtCWU9aRWk1TmV3cmZ5T3hkRWdiZ2ViNnRGMkpUbApwOS9rTDVGMHhJL0lqWHl6RVpRdWFPbzFTcFgrWHdKVktnPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
diff --git a/test/e2e-edge/_fixtures/certs/gen-certs.sh b/test/e2e-edge/_fixtures/certs/gen-certs.sh
new file mode 100755
index 00000000..8d5a5d9b
--- /dev/null
+++ b/test/e2e-edge/_fixtures/certs/gen-certs.sh
@@ -0,0 +1,84 @@
+#!/usr/bin/env bash
+# Regenerate the pre-minted EXPIRED TLS certificate the invalid-certificate test
+# relies on.
+#
+# The test needs a certificate that is already expired at test time so the
+# extension server drops the listener that references it while sibling listeners
+# keep serving. cert-manager cannot help here: it renews before expiry, so it
+# cannot hold a certificate in the expired state. We instead mint a self-signed
+# certificate whose validity window is in the past.
+#
+# This is a listener certificate for the customer hostname under test, entirely
+# separate from the certificate authority securing the extension server's own
+# connection to the gateway; do not wire it to that authority.
+#
+# Output: expired-cert-secret.yaml — a Secret with the expired certificate and
+# key inline. The committed Secret is what the test consumes, so a live run needs
+# no openssl; re-run this script only to refresh it.
+#
+# Usage: ./gen-certs.sh [HOSTNAME] [SECRET_NAME] [SECRET_NAMESPACE]
+set -euo pipefail
+
+HOST="${1:-bad.e2e.env.datum.net}"
+SECRET_NAME="${2:-expired-leaf-tls}"
+SECRET_NS="${3:-default}"
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+WORK="$(mktemp -d)"
+trap 'rm -rf "${WORK}"' EXIT
+
+# ECDSA P-256 key.
+openssl ecparam -name prime256v1 -genkey -noout -out "${WORK}/tls.key"
+
+# A self-signed certificate whose validity window is entirely in the past. We set
+# the exact start and end times with OpenSSL 3.x's -not_before/-not_after so the
+# certificate is already expired by the time the test runs.
+NOT_BEFORE="20260621000000Z"
+NOT_AFTER="20260622000000Z"
+
+cat > "${WORK}/leaf.cnf" <<EOF
+[req]
+distinguished_name = dn
+prompt = no
+x509_extensions = v3
+[dn]
+CN = ${HOST}
+[v3]
+subjectAltName = DNS:${HOST}
+basicConstraints = critical, CA:FALSE
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+EOF
+
+openssl req -new -x509 \
+  -key "${WORK}/tls.key" \
+  -out "${WORK}/tls.crt" \
+  -config "${WORK}/leaf.cnf" \
+  -not_before "${NOT_BEFORE}" \
+  -not_after "${NOT_AFTER}" \
+  -sha256
+
+echo "minted leaf for ${HOST}:"
+openssl x509 -in "${WORK}/tls.crt" -noout -subject -dates
+
+CRT_B64="$(base64 < "${WORK}/tls.crt" | tr -d '\n')"
+KEY_B64="$(base64 < "${WORK}/tls.key" | tr -d '\n')"
+
+cat > "${SCRIPT_DIR}/expired-cert-secret.yaml" <<EOF
+# GENERATED by gen-certs.sh — do not edit by hand; re-run the script to refresh.
+#
+# A pre-minted EXPIRED certificate for ${HOST}. Its validity window
+# (${NOT_BEFORE} .. ${NOT_AFTER}) is in the past, so the extension server drops
+# the listener that references it while sibling listeners keep serving.
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ${SECRET_NAME}
+  namespace: ${SECRET_NS}
+type: kubernetes.io/tls
+data:
+  tls.crt: ${CRT_B64}
+  tls.key: ${KEY_B64}
+EOF
+
+echo "wrote ${SCRIPT_DIR}/expired-cert-secret.yaml"
diff --git a/test/e2e-edge/_fixtures/connector-tunnel/Dockerfile b/test/e2e-edge/_fixtures/connector-tunnel/Dockerfile
new file mode 100644
index 00000000..24bf6f6a
--- /dev/null
+++ b/test/e2e-edge/_fixtures/connector-tunnel/Dockerfile
@@ -0,0 +1,13 @@
+# CONNECT-proxy stand-in for the connector tunnel.
+# Single static binary, no dependencies beyond the standard library.
+FROM golang:1.23-alpine AS build
+WORKDIR /src
+COPY go.mod .
+COPY main.go .
+# Standard library only; go.mod just gives the build a module context.
+RUN CGO_ENABLED=0 go build -o /connect-proxy .
+
+FROM gcr.io/distroless/static:nonroot
+COPY --from=build /connect-proxy /connect-proxy
+USER nonroot:nonroot
+ENTRYPOINT ["/connect-proxy"]
diff --git a/test/e2e-edge/_fixtures/connector-tunnel/go.mod b/test/e2e-edge/_fixtures/connector-tunnel/go.mod
new file mode 100644
index 00000000..1da9bd86
--- /dev/null
+++ b/test/e2e-edge/_fixtures/connector-tunnel/go.mod
@@ -0,0 +1,3 @@
+module connect-proxy
+
+go 1.23
diff --git a/test/e2e-edge/_fixtures/connector-tunnel/main.go b/test/e2e-edge/_fixtures/connector-tunnel/main.go
new file mode 100644
index 00000000..e5265582
--- /dev/null
+++ b/test/e2e-edge/_fixtures/connector-tunnel/main.go
@@ -0,0 +1,94 @@
+// connect-proxy is a stand-in for the real connector tunnel. It exercises the
+// proxy-side CONNECT wiring and the 503<->200 liveness swap, but not real tunnel
+// establishment or NAT traversal.
+//
+// When a connector is online, the extension server points its backend at a path
+// that issues an HTTP CONNECT toward the connector's target, which in the test
+// is this pod's Service. On a CONNECT, this proxy dials the configured upstream
+// (the echo backend) and blindly splices bytes both ways — a minimal forward
+// proxy.
+//
+// Liveness is driven entirely by the connector's annotation on the control plane
+// (see _steps/flip-connector-liveness.yaml); this proxy is always up. It exists
+// so an online request can only succeed via the tunnel, never via a direct
+// fallback route — which is what makes the 503->200 transition meaningful.
+package main
+
+import (
+	"io"
+	"log"
+	"net"
+	"net/http"
+	"os"
+	"time"
+)
+
+func main() {
+	listen := envOr("LISTEN_ADDR", ":8080")
+	// Where CONNECT requests are forwarded. Default to the echo backend Service.
+	// The proxy ignores the CONNECT target host and always dials this upstream,
+	// so the test controls the destination via UPSTREAM_ADDR rather than the
+	// host the proxy sends.
+	upstream := envOr("UPSTREAM_ADDR", "echo-backend.default.svc.cluster.local:8080")
+
+	srv := &http.Server{
+		Addr:        listen,
+		ReadTimeout: 0, // tunnels are long-lived; no read deadline on the hijacked conn
+		Handler:     &proxy{upstream: upstream},
+	}
+	log.Printf("connect-proxy listening on %s, forwarding CONNECT -> %s", listen, upstream)
+	if err := srv.ListenAndServe(); err != nil {
+		log.Fatalf("server exited: %v", err)
+	}
+}
+
+type proxy struct {
+	upstream string
+}
+
+func (p *proxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodConnect {
+		// A plain GET is handy as a liveness/readiness probe.
+		w.WriteHeader(http.StatusOK)
+		_, _ = io.WriteString(w, "connect-proxy ready\n")
+		return
+	}
+
+	dst, err := net.DialTimeout("tcp", p.upstream, 10*time.Second)
+	if err != nil {
+		log.Printf("CONNECT %s: dial upstream %s failed: %v", r.Host, p.upstream, err)
+		http.Error(w, "upstream unavailable", http.StatusBadGateway)
+		return
+	}
+	defer dst.Close()
+
+	hj, ok := w.(http.Hijacker)
+	if !ok {
+		http.Error(w, "hijacking unsupported", http.StatusInternalServerError)
+		return
+	}
+	client, _, err := hj.Hijack()
+	if err != nil {
+		log.Printf("CONNECT %s: hijack failed: %v", r.Host, err)
+		return
+	}
+	defer client.Close()
+
+	// Tell the client the tunnel is established, then splice bytes both ways.
+	if _, err := client.Write([]byte("HTTP/1.1 200 Connection Established\r\n\r\n")); err != nil {
+		log.Printf("CONNECT %s: write 200 failed: %v", r.Host, err)
+		return
+	}
+
+	done := make(chan struct{}, 2)
+	go func() { _, _ = io.Copy(dst, client); done <- struct{}{} }()
+	go func() { _, _ = io.Copy(client, dst); done <- struct{}{} }()
+	<-done
+}
+
+func envOr(key, def string) string {
+	if v := os.Getenv(key); v != "" {
+		return v
+	}
+	return def
+}
diff --git a/test/e2e-edge/_fixtures/connector-tunnel/manifest.yaml b/test/e2e-edge/_fixtures/connector-tunnel/manifest.yaml
new file mode 100644
index 00000000..d6595904
--- /dev/null
+++ b/test/e2e-edge/_fixtures/connector-tunnel/manifest.yaml
@@ -0,0 +1,66 @@
+# Connector tunnel stand-in deployment.
+#
+# The image is built from this directory's Dockerfile and loaded into the
+# downstream cluster, e.g.:
+#   docker build -t connect-proxy:e2e test/e2e/_fixtures/connector-tunnel
+#   kind load docker-image connect-proxy:e2e --name <downstream-cluster>
+#
+# When a connector is online, the extension server points it at the connector's
+# target. Point that target at this Service so an online request can only succeed
+# through the tunnel — there is no direct fallback route to the echo backend.
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: connect-proxy
+  namespace: default
+  labels:
+    purpose: connect-proxy
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      purpose: connect-proxy
+  template:
+    metadata:
+      labels:
+        purpose: connect-proxy
+    spec:
+      containers:
+        - name: connect-proxy
+          image: connect-proxy:e2e
+          imagePullPolicy: IfNotPresent
+          env:
+            - name: LISTEN_ADDR
+              value: ":8080"
+            # Forward CONNECT to the echo backend Service.
+            - name: UPSTREAM_ADDR
+              value: "echo-backend.default.svc.cluster.local:8080"
+          ports:
+            - containerPort: 8080
+          readinessProbe:
+            httpGet:
+              path: /
+              port: 8080
+            initialDelaySeconds: 1
+            periodSeconds: 2
+          resources:
+            requests:
+              cpu: 50m
+              memory: 32Mi
+            limits:
+              cpu: 100m
+              memory: 64Mi
+      terminationGracePeriodSeconds: 0
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: connect-proxy
+  namespace: default
+spec:
+  ports:
+    - name: connect
+      port: 8080
+      targetPort: 8080
+  selector:
+    purpose: connect-proxy
diff --git a/test/e2e-edge/_fixtures/echo-backend.yaml b/test/e2e-edge/_fixtures/echo-backend.yaml
new file mode 100644
index 00000000..8806317d
--- /dev/null
+++ b/test/e2e-edge/_fixtures/echo-backend.yaml
@@ -0,0 +1,46 @@
+# Echo / HTTP backend fixture.
+#
+# go-httpbin gives deterministic endpoints the suite leans on:
+#   /status/<code>  -> returns that status (drive 200 and 5xx)
+#   /get            -> echoes the request (drive WAF benign/malicious probes)
+# Plain HTTP only: the edge proxy terminates TLS per listener and forwards
+# plaintext to this backend.
+#
+# Applied rather than freshly created so scenarios that share the downstream
+# cluster coexist regardless of run order.
+apiVersion: v1
+kind: Pod
+metadata:
+  name: echo-backend
+  namespace: default
+  labels:
+    purpose: echo-backend
+spec:
+  containers:
+    - name: backend
+      image: ghcr.io/mccutchen/go-httpbin:2.18.1
+      command: ["/bin/go-httpbin"]
+      args: ["-host", "0.0.0.0", "-port", "8080"]
+      ports:
+        - containerPort: 8080
+      resources:
+        requests:
+          cpu: 50m
+          memory: 64Mi
+        limits:
+          cpu: 100m
+          memory: 128Mi
+  terminationGracePeriodSeconds: 0
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: echo-backend
+  namespace: default
+spec:
+  ports:
+    - name: http
+      port: 8080
+      targetPort: 8080
+  selector:
+    purpose: echo-backend
diff --git a/test/e2e-edge/_fixtures/waf-corpus.txt b/test/e2e-edge/_fixtures/waf-corpus.txt
new file mode 100644
index 00000000..c9621630
--- /dev/null
+++ b/test/e2e-edge/_fixtures/waf-corpus.txt
@@ -0,0 +1,30 @@
+# WAF request corpus.
+#
+# Format (tab- or space-separated; lines starting with # are comments):
+#   <verdict>  <request-path>  <label>
+# where <verdict> is the expected HTTP status when the firewall is enforcing:
+#   200  -> benign, must pass
+#   403  -> malicious, must be blocked
+#
+# Assert on the 403 outcome, never on a specific firewall rule id, since rule ids
+# shift between rule-set versions. Each malicious payload must actually return
+# 403 against the pinned firewall image; drop any that does not rather than
+# weakening the assertion.
+#
+# Paths target go-httpbin's /get so the query string carries the payload and the
+# request is otherwise a normal, routable GET.
+
+# --- benign: must return 200 ---
+200  /get                                              benign-plain
+200  /status/200                                       benign-status
+200  /get?q=hello&page=2                               benign-querystring
+
+# --- SQL injection: must return 403 ---
+403  /get?id=1%27%20OR%20%271%27%3D%271                sqli-tautology
+403  /get?q=UNION%20SELECT%20username%2Cpassword%20FROM%20users  sqli-union
+
+# --- path traversal: must return 403 ---
+403  /get?file=..%2F..%2F..%2Fetc%2Fpasswd             traversal-etc-passwd
+
+# --- cross-site scripting: must return 403 ---
+403  /get?x=%3Cscript%3Ealert(1)%3C%2Fscript%3E        xss-script-tag
diff --git a/test/e2e-edge/_steps/assert-config-dump.yaml b/test/e2e-edge/_steps/assert-config-dump.yaml
new file mode 100644
index 00000000..3e444039
--- /dev/null
+++ b/test/e2e-edge/_steps/assert-config-dump.yaml
@@ -0,0 +1,156 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/step-template-chainsaw-v1alpha1.json
+#
+# Reusable step that asserts the proxy's live configuration matches what the
+# extension server reports it programmed — the same routes, listeners, and
+# clusters, by both count and key, with no rejected configuration update.
+#
+# It runs cmd/parity-check, which reads the extension server's expected set,
+# fetches the proxy's live configuration, then compares and classifies any
+# difference, exiting non-zero on failure.
+#
+# The step retries until the live configuration converges to the expected set or
+# the attempt budget runs out, so it is deterministic rather than a fixed sleep.
+#
+# Use it from a scenario step:
+#
+#   - name: WAF config landed at the edge
+#     use:
+#       template: ../_steps/assert-config-dump.yaml
+#       with:
+#         bindings:
+#           - { name: envoyPodSelector,   value: "gateway.envoyproxy.io/owning-gatewayclass=my-class" }
+#           - { name: extServerSelector,  value: "app.kubernetes.io/component=envoy-gateway-extension-server" }
+#           - { name: extServerNamespace, value: network-services-operator-system }
+#
+# Required bindings:
+#   envoyPodSelector  — label selector for the edge proxy pod. This env runs one
+#     shared proxy per gateway class, so select by gateway class, not by gateway
+#     name (which matches no pod here). Any one shared-proxy pod carries the full
+#     merged configuration, so the step takes the first.
+#   extServerSelector — label selector resolving ALL extension-server replicas.
+#     The env runs two replicas, but only the one the gateway is connected to does
+#     the work; parity-check queries every matched pod and uses the authoritative
+#     one. Do NOT pass a single pod name here.
+#   extServerNamespace — namespace of the extension-server pods.
+# Optional (defaulted below): envoyNamespace, envoyContainer, corazaFilter,
+#   attempts, sleepSeconds, dataplaneCluster, expectMinBuildID.
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: StepTemplate
+metadata:
+  name: assert-config-dump
+spec:
+  bindings:
+    - name: envoyNamespace
+      value: envoy-gateway-system
+    - name: envoyContainer
+      value: envoy
+    - name: corazaFilter
+      value: coraza-waf
+    - name: attempts
+      value: "24"
+    - name: sleepSeconds
+      value: "5"
+    # The edge cluster where the proxy and the extension server live.
+    - name: dataplaneCluster
+      value: nso-downstream
+    # When greater than zero, require the extension server's build ID to be at
+    # least this value. Capture the build ID before a change, then set this to
+    # one past it afterward to prove the configuration was actually rebuilt.
+    - name: expectMinBuildID
+      value: "0"
+  try:
+    - description: Build parity-check, then assert the live config_dump matches the ext-server programmed-set.
+      script:
+        # Owns its own retry timing, so allow attempts*sleepSeconds plus build and
+        # fetch time. The chainsaw default is far too short.
+        timeout: 420s
+        cluster: ($dataplaneCluster)
+        env:
+          - name: ENVOY_POD_SELECTOR
+            value: ($envoyPodSelector)
+          - name: ENVOY_NS
+            value: ($envoyNamespace)
+          - name: ENVOY_CONTAINER
+            value: ($envoyContainer)
+          - name: EXT_SELECTOR
+            value: ($extServerSelector)
+          - name: EXT_NS
+            value: ($extServerNamespace)
+          - name: CORAZA_FILTER
+            value: ($corazaFilter)
+          - name: ATTEMPTS
+            value: ($attempts)
+          - name: SLEEP_SECONDS
+            value: ($sleepSeconds)
+          - name: EXPECT_MIN_BUILD_ID
+            value: ($expectMinBuildID)
+        content: |
+          set -eu
+          # Build the parity-check binary. chainsaw runs script steps from the
+          # test directory, not the repo root, so a relative path would not
+          # resolve; find the repo root and build from there. A prebuilt binary
+          # can be supplied via PARITY_CHECK_BIN to skip the build.
+          BIN="${PARITY_CHECK_BIN:-}"
+          if [ -z "${BIN}" ]; then
+            ROOT="$(git rev-parse --show-toplevel)"
+            BIN="${ROOT}/bin/parity-check"
+            go build -o "${BIN}" "${ROOT}/cmd/parity-check"
+          fi
+
+          # Retry until the live configuration converges to the expected set.
+          # parity-check exits 1 on a parity failure and 2 on a tool error; only
+          # retry on parity failure.
+          #
+          # The edge proxy pod is re-resolved each attempt: the shared proxy pod
+          # is recreated whenever a gateway is added or removed, so it can be
+          # terminating or absent exactly when this step runs (e.g. right after a
+          # second gateway is added). An empty result simply retries rather than
+          # failing.
+          ok=""
+          for i in $(seq 1 "${ATTEMPTS}"); do
+            echo "--- parity attempt ${i}/${ATTEMPTS} ---"
+            # Pick a shared-proxy pod that is Ready and not terminating. Ready and
+            # no deletion timestamp is the precise "serving" test; a terminating
+            # pod can still report itself running, so filtering on running alone
+            # would not exclude it. Absence of a match just retries.
+            ENVOY_POD="$(kubectl -n "${ENVOY_NS}" get pods \
+              -l "${ENVOY_POD_SELECTOR}" \
+              -o go-template='{{range $p := .items}}{{if not $p.metadata.deletionTimestamp}}{{range $p.status.conditions}}{{if (and (eq .type "Ready") (eq .status "True"))}}{{$p.metadata.name}}{{"\n"}}{{end}}{{end}}{{end}}{{end}}' \
+              2>/dev/null | head -n1 || true)"
+            if [ -z "${ENVOY_POD}" ]; then
+              echo "  no Ready Envoy proxy pod yet (selector ${ENVOY_POD_SELECTOR} in ${ENVOY_NS}); merged proxy may be mid-roll, retrying"
+              sleep "${SLEEP_SECONDS}"
+              continue
+            fi
+            echo "  edge Envoy pod: ${ENVOY_POD}"
+            # Capture the parity-check output so the failure reason and the
+            # offending keys land in the chainsaw log on failure instead of being
+            # swallowed. The last attempt's report is echoed if we never pass.
+            set +e
+            LAST_REPORT="$("${BIN}" \
+              --coraza-filter "${CORAZA_FILTER}" \
+              --expect-min-build-id "${EXPECT_MIN_BUILD_ID}" \
+              --timeout 120s \
+              --admin-exec-pod "${ENVOY_POD}" \
+              --admin-exec-namespace "${ENVOY_NS}" \
+              --admin-exec-container "${ENVOY_CONTAINER}" \
+              --ext-exec-selector "${EXT_SELECTOR}" \
+              --ext-exec-namespace "${EXT_NS}" 2>&1)"
+            rc=$?
+            set -e
+            printf '%s\n' "${LAST_REPORT}"
+            if [ "${rc}" = "0" ]; then
+              ok="yes"; break
+            fi
+            if [ "${rc}" = "2" ]; then
+              echo "  tool error (rc=2); retrying"
+            fi
+            sleep "${SLEEP_SECONDS}"
+          done
+          if [ -z "${ok}" ]; then
+            echo "ERROR: config-dump parity did not converge after ${ATTEMPTS} attempts"
+            echo "--- last parity-check report (classification + offending keys) ---"
+            printf '%s\n' "${LAST_REPORT}"
+            exit 1
+          fi
+          echo "OK: config-dump parity gate passed"
diff --git a/test/e2e-edge/_steps/assert-http-response.yaml b/test/e2e-edge/_steps/assert-http-response.yaml
new file mode 100644
index 00000000..03df79c3
--- /dev/null
+++ b/test/e2e-edge/_steps/assert-http-response.yaml
@@ -0,0 +1,152 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/step-template-chainsaw-v1alpha1.json
+#
+# Reusable "assert real HTTP response" step. Drives a real request from the
+# long-lived `conntest` pod and retries until the response matches, or fails.
+# Scenarios assert observed proxy behaviour through this helper rather than
+# Kubernetes status, so it is the most-reused step in the suite.
+#
+# Use it from a scenario step:
+#
+#   - name: good hostname serves 200
+#     use:
+#       template: ../_steps/assert-http-response.yaml
+#       with:
+#         bindings:
+#           - { name: host,        value: good.e2e.env.datum.net }
+#           - { name: path,        value: /status/200 }
+#           - { name: resolveIP,   value: ($gatewayIP) }
+#           - { name: scheme,      value: https }
+#           - { name: expectCode,  value: "200" }
+#
+# Required bindings: host, path, resolveIP, scheme(http|https), expectCode.
+# Optional (defaulted below): port, expectBodySubstring, attempts, sleepSeconds,
+# maxTime, conntestNamespace, conntestPod, dataplaneCluster.
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: StepTemplate
+metadata:
+  name: assert-http-response
+spec:
+  # Defaults so callers only pass what varies. A caller binding for the same name
+  # overrides the default.
+  bindings:
+    - name: port
+      value: "443"
+    - name: expectBodySubstring
+      value: ""
+    - name: attempts
+      value: "24"
+    - name: sleepSeconds
+      value: "5"
+    - name: maxTime
+      value: "10"
+    - name: conntestNamespace
+      value: default
+    - name: conntestPod
+      value: conntest
+    # The edge cluster where the conntest pod and the edge proxy service live.
+    - name: dataplaneCluster
+      value: nso-downstream
+    # The edge IP is resolved inside this step, because a value resolved in a
+    # prior step is not visible here. By default we look up the edge proxy
+    # service's cluster IP by its gateway-class label; a caller may pass an
+    # explicit resolveIP to skip the lookup.
+    - name: resolveIP
+      value: ""
+    - name: envoyPodSelector
+      value: gateway.envoyproxy.io/owning-gatewayclass=datum-downstream-gateway-e2e
+    - name: envoyNamespace
+      value: datum-downstream-gateway
+  try:
+    - description: Drive the request and retry until it matches the expected outcome.
+      script:
+        # The retry loop owns its own timing, so allow enough wall clock for
+        # attempts*sleepSeconds plus per-request maxTime. The chainsaw default is
+        # far too short.
+        timeout: 360s
+        cluster: ($dataplaneCluster)
+        env:
+          - name: HOST
+            value: ($host)
+          - name: REQ_PATH
+            value: ($path)
+          - name: RESOLVE_IP
+            value: ($resolveIP)
+          - name: ENVOY_SELECTOR
+            value: ($envoyPodSelector)
+          - name: ENVOY_NS
+            value: ($envoyNamespace)
+          - name: SCHEME
+            value: ($scheme)
+          - name: PORT
+            value: ($port)
+          - name: EXPECT_CODE
+            value: ($expectCode)
+          - name: EXPECT_BODY
+            value: ($expectBodySubstring)
+          - name: ATTEMPTS
+            value: ($attempts)
+          - name: SLEEP_SECONDS
+            value: ($sleepSeconds)
+          - name: MAX_TIME
+            value: ($maxTime)
+          - name: CONNTEST_NS
+            value: ($conntestNamespace)
+          - name: CONNTEST_POD
+            value: ($conntestPod)
+        content: |
+          set -eu
+          # The edge proxy is reached by its in-cluster service IP; --resolve maps
+          # the customer hostname to that IP so hostname routing works exactly as
+          # it would at the edge. The body is captured so we can assert on it: a
+          # right status code with the wrong body (e.g. a generic 503 instead of
+          # the connector "Tunnel not online") is a different bug and must fail.
+          #
+          # If the caller passed an explicit RESOLVE_IP, use it; otherwise look up
+          # the edge proxy service IP by its gateway-class label. That service is
+          # created lazily once a gateway attaches, so retry the lookup briefly.
+          RESOLVE_IP="${RESOLVE_IP:-}"
+          if [ -z "${RESOLVE_IP}" ]; then
+            for j in $(seq 1 30); do
+              RESOLVE_IP=$(kubectl get svc -n "${ENVOY_NS}" -l "${ENVOY_SELECTOR}" \
+                -o jsonpath='{.items[0].spec.clusterIP}' 2>/dev/null || true)
+              [ -n "${RESOLVE_IP}" ] && [ "${RESOLVE_IP}" != "None" ] && break
+              echo "waiting for edge Envoy service (${ENVOY_SELECTOR} in ${ENVOY_NS})... ${j}"
+              sleep 5
+            done
+            if [ -z "${RESOLVE_IP}" ]; then
+              echo "ERROR: could not resolve edge Envoy service IP for ${ENVOY_SELECTOR} in ${ENVOY_NS}"
+              exit 1
+            fi
+          fi
+          echo "edge IP: ${RESOLVE_IP}"
+          ok=""
+          last_code=""
+          for i in $(seq 1 "${ATTEMPTS}"); do
+            code=$(kubectl -n "${CONNTEST_NS}" exec "${CONNTEST_POD}" -- \
+              curl -ksS -o /tmp/body -w '%{http_code}' --max-time "${MAX_TIME}" \
+              --resolve "${HOST}:${PORT}:${RESOLVE_IP}" \
+              "${SCHEME}://${HOST}${REQ_PATH}" 2>/dev/null || true)
+            last_code="${code}"
+            echo "attempt ${i}: ${SCHEME}://${HOST}${REQ_PATH} -> ${code}"
+            if [ "${code}" = "${EXPECT_CODE}" ]; then
+              if [ -z "${EXPECT_BODY}" ]; then
+                ok="yes"; break
+              fi
+              if kubectl -n "${CONNTEST_NS}" exec "${CONNTEST_POD}" -- \
+                   grep -qF -- "${EXPECT_BODY}" /tmp/body 2>/dev/null; then
+                ok="yes"; break
+              fi
+              echo "  status matched but body missing substring: ${EXPECT_BODY}"
+            fi
+            sleep "${SLEEP_SECONDS}"
+          done
+          if [ -z "${ok}" ]; then
+            echo "ERROR: ${HOST}${REQ_PATH} expected ${EXPECT_CODE}" \
+                 "${EXPECT_BODY:+(body contains '${EXPECT_BODY}')}," \
+                 "last status ${last_code}"
+            echo "--- last response body ---"
+            kubectl -n "${CONNTEST_NS}" exec "${CONNTEST_POD}" -- \
+              sh -c 'cat /tmp/body 2>/dev/null | head -c 2000' || true
+            exit 1
+          fi
+          echo "OK: ${HOST}${REQ_PATH} -> ${EXPECT_CODE}${EXPECT_BODY:+ (body matched)}"
diff --git a/test/e2e-edge/_steps/capture-build-id.yaml b/test/e2e-edge/_steps/capture-build-id.yaml
new file mode 100644
index 00000000..f38f9d4a
--- /dev/null
+++ b/test/e2e-edge/_steps/capture-build-id.yaml
@@ -0,0 +1,115 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/step-template-chainsaw-v1alpha1.json
+#
+# Reusable step that captures the extension server's current build ID and emits
+# it as an output binding.
+#
+# It is the "before" half of proving a configuration rebuild actually happened:
+# capture the build ID, perform a change (e.g. flip connector liveness), then
+# call assert-config-dump.yaml with expectMinBuildID set to one past it — the
+# parity check then fails unless the configuration was genuinely rebuilt. This is
+# something a status or traffic check cannot show: it proves a new build ran, not
+# merely that the end state looks right.
+#
+# The build ID increments once per build and starts at 1, so a "before" of 0
+# means no build had run yet.
+#
+# The env runs two extension-server replicas, but only the one the gateway is
+# connected to does the work and carries the real build ID; the idle replica
+# sits at 0. This step resolves all replicas and takes the highest build ID — the
+# authoritative one. assert-config-dump.yaml resolves the same way, so capture
+# and assert agree on the active replica.
+#
+# Use it from a scenario:
+#
+#   # 1. capture the BuildID before the change
+#   - name: capture build id before liveness flip
+#     use:
+#       template: ../_steps/capture-build-id.yaml
+#       with:
+#         bindings:
+#           - { name: extServerSelector,  value: "app.kubernetes.io/component=envoy-gateway-extension-server" }
+#           - { name: extServerNamespace, value: network-services-operator-system }
+#     # this step emits output bindings `buildID` and `minNextBuildID` (strings)
+#
+#   # 2. ... perform the change (flip-connector-liveness.yaml etc.) ...
+#
+#   # 3. assert the post-change build advanced AND the config is correct.
+#   #    Pass the captured `minNextBuildID` straight into expectMinBuildID:
+#   - name: re-translation fired and config landed
+#     use:
+#       template: ../_steps/assert-config-dump.yaml
+#       with:
+#         bindings:
+#           - { name: envoyPodSelector,   value: "gateway.envoyproxy.io/owning-gatewayclass=($downstreamGatewayClass)" }
+#           - { name: extServerSelector,  value: "app.kubernetes.io/component=envoy-gateway-extension-server" }
+#           - { name: extServerNamespace, value: network-services-operator-system }
+#           # require a build strictly newer than the captured one:
+#           - { name: expectMinBuildID,   value: ($minNextBuildID) }
+#
+# Required bindings: extServerSelector (resolves ALL replicas), extServerNamespace.
+# Optional (defaulted below): dataplaneCluster.
+# Emits output bindings:
+#   buildID         — highest build ID across replicas at capture time (string;
+#                     "0" if no build has run anywhere).
+#   minNextBuildID  — buildID+1 (string); feed directly into the post-change
+#                     assert-config-dump call's expectMinBuildID. Incremented
+#                     in-script so callers need no arithmetic of their own.
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: StepTemplate
+metadata:
+  name: capture-build-id
+spec:
+  bindings:
+    - name: dataplaneCluster
+      value: nso-downstream
+  try:
+    - description: Resolve the authoritative ext-server replica's BuildID via parity-check and emit it as an output binding.
+      script:
+        timeout: 120s
+        cluster: ($dataplaneCluster)
+        env:
+          - name: EXT_SELECTOR
+            value: ($extServerSelector)
+          - name: EXT_NS
+            value: ($extServerNamespace)
+        content: |
+          set -eu
+          # Delegate to the parity-check binary's --print-build-id mode, which
+          # resolves all extension-server replicas and prints the highest build
+          # ID. Reusing the binary keeps this identical to how
+          # assert-config-dump.yaml reads it.
+          #
+          # chainsaw runs script steps from the test directory, not the repo root,
+          # so find the root and build from there. PARITY_CHECK_BIN skips the
+          # build if a prebuilt binary is supplied.
+          BIN="${PARITY_CHECK_BIN:-}"
+          if [ -z "${BIN}" ]; then
+            ROOT="$(git rev-parse --show-toplevel)"
+            BIN="${ROOT}/bin/parity-check"
+            go build -o "${BIN}" "${ROOT}/cmd/parity-check"
+          fi
+
+          BUILD_ID="$("${BIN}" \
+            --print-build-id \
+            --ext-exec-selector "${EXT_SELECTOR}" \
+            --ext-exec-namespace "${EXT_NS}" \
+            --timeout 90s)"
+          # Strip any stray whitespace; parity-check prints just the integer.
+          BUILD_ID="$(printf '%s' "${BUILD_ID}" | tr -dc '0-9')"
+          if [ -z "${BUILD_ID}" ]; then
+            echo "ERROR: parity-check --print-build-id returned no BuildID" >&2
+            exit 1
+          fi
+          echo "authoritative ext-server BuildID=${BUILD_ID}" >&2
+          # Increment here so callers need no arithmetic of their own. Emit both
+          # values as a small JSON object; the outputs below parse each field.
+          NEXT=$((BUILD_ID + 1))
+          printf '{"buildID":%s,"minNextBuildID":%s}' "${BUILD_ID}" "${NEXT}"
+        outputs:
+          # Bindings consumed by a later assert-config-dump call. Values are
+          # stringified so they drop straight into the string-typed
+          # expectMinBuildID binding.
+          - name: buildID
+            value: (to_string(json_parse($stdout).buildID))
+          - name: minNextBuildID
+            value: (to_string(json_parse($stdout).minNextBuildID))
diff --git a/test/e2e-edge/_steps/flip-connector-liveness.yaml b/test/e2e-edge/_steps/flip-connector-liveness.yaml
new file mode 100644
index 00000000..7d9dce66
--- /dev/null
+++ b/test/e2e-edge/_steps/flip-connector-liveness.yaml
@@ -0,0 +1,78 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/step-template-chainsaw-v1alpha1.json
+#
+# Reusable step that flips a connector between online and offline by patching its
+# `networking.datumapis.com/upstream-status` annotation. This mirrors production:
+# the federation layer propagates annotations but not status to the edge, so the
+# edge reads connector liveness from this annotation rather than from live
+# status.
+#
+# `state: online` writes a Ready=True status whose connection details carry the
+# tunnel fixture's node id; `state: offline` writes Ready=False with none. The
+# extension server reads liveness from this annotation, so flipping it is what
+# drives the 503<->200 swap at the edge.
+#
+# Use it from a scenario step:
+#
+#   - name: bring the connector online
+#     use:
+#       template: ../_steps/flip-connector-liveness.yaml
+#       with:
+#         bindings:
+#           - { name: state,         value: online }
+#           - { name: connectorName, value: test-connector }
+#           - { name: nodeID,        value: ($tunnelNodeID) }
+#
+# Required bindings: state(online|offline), connectorName. nodeID required when
+# state=online. Optional (defaulted): connectorNamespace, upstreamCluster.
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: StepTemplate
+metadata:
+  name: flip-connector-liveness
+spec:
+  bindings:
+    - name: connectorNamespace
+      value: ($namespace)
+    - name: nodeID
+      value: ""
+    # The connector lives on the upstream cluster; its annotation is propagated
+    # to the edge by the federation layer.
+    - name: upstreamCluster
+      value: nso-upstream
+  try:
+    - description: Patch the connector's upstream-status annotation to the requested liveness.
+      script:
+        cluster: ($upstreamCluster)
+        env:
+          - name: STATE
+            value: ($state)
+          - name: CONNECTOR
+            value: ($connectorName)
+          - name: CONNECTOR_NS
+            value: ($connectorNamespace)
+          - name: NODE_ID
+            value: ($nodeID)
+        content: |
+          set -eu
+          # The annotation holds the connector's status as JSON. The transition
+          # time is fixed and irrelevant to liveness — only the Ready condition and
+          # connection details matter.
+          #
+          # The annotation value must itself be a JSON string, so we build the
+          # status and escape its quotes by hand. Doing the escaping inline keeps
+          # the runner free of extra tooling.
+          if [ "${STATE}" = "online" ]; then
+            if [ -z "${NODE_ID}" ]; then
+              echo "ERROR: state=online requires nodeID (the tunnel fixture node id)"; exit 1
+            fi
+            STATUS='{"conditions":[{"type":"Ready","status":"True","reason":"ConnectorReady","lastTransitionTime":"2026-06-23T00:00:00Z"}],"connectionDetails":{"type":"PublicKey","publicKey":{"id":"'"${NODE_ID}"'"}}}'
+          elif [ "${STATE}" = "offline" ]; then
+            STATUS='{"conditions":[{"type":"Ready","status":"False","reason":"ConnectorNotReady","lastTransitionTime":"2026-06-23T00:00:00Z"}]}'
+          else
+            echo "ERROR: state must be online or offline, got: ${STATE}"; exit 1
+          fi
+          # Escape the status JSON so it can be embedded as a string value.
+          ESCAPED=$(printf '%s' "${STATUS}" | sed 's/\\/\\\\/g; s/"/\\"/g')
+          PATCH=$(printf '{"metadata":{"annotations":{"networking.datumapis.com/upstream-status":"%s"}}}' "${ESCAPED}")
+          echo "patching connector ${CONNECTOR} -> ${STATE}"
+          kubectl -n "${CONNECTOR_NS}" patch connector "${CONNECTOR}" \
+            --type=merge -p "${PATCH}"
diff --git a/test/e2e-edge/_steps/wait-config-settle.yaml b/test/e2e-edge/_steps/wait-config-settle.yaml
new file mode 100644
index 00000000..9971369b
--- /dev/null
+++ b/test/e2e-edge/_steps/wait-config-settle.yaml
@@ -0,0 +1,85 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/step-template-chainsaw-v1alpha1.json
+#
+# Wait for the edge configuration to settle before a parity assertion.
+#
+# The parity gate compares what the extension server reports it programmed
+# against the proxy's live configuration. Both move while the configuration is
+# being rebuilt — e.g. right after a scenario adds a second gateway, which rolls
+# the shared proxy and triggers fresh builds — and the live configuration lags
+# behind. This step polls the extension server's build ID until it stops changing
+# for a stable window, then returns. Run it immediately before a `use:` of
+# assert-config-dump.
+#
+# The gate has its own retry loop, but on CI runs where one test's teardown
+# overlaps a fresh run this explicit settle is cheap insurance.
+#
+# Required bindings: extServerSelector, extServerNamespace.
+# Optional (defaulted below): dataplaneCluster, stableReads, intervalSeconds,
+#   maxAttempts.
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: StepTemplate
+metadata:
+  name: wait-config-settle
+spec:
+  bindings:
+    - name: dataplaneCluster
+      value: nso-downstream
+    # Require this many consecutive identical BuildID reads to call it settled.
+    - name: stableReads
+      value: "3"
+    - name: intervalSeconds
+      value: "5"
+    - name: maxAttempts
+      value: "36"
+  try:
+    - description: Poll the ext-server programmed-set BuildID until it stops changing.
+      script:
+        timeout: 240s
+        cluster: ($dataplaneCluster)
+        env:
+          - name: EXT_SELECTOR
+            value: ($extServerSelector)
+          - name: EXT_NS
+            value: ($extServerNamespace)
+          - name: STABLE_READS
+            value: ($stableReads)
+          - name: INTERVAL
+            value: ($intervalSeconds)
+          - name: MAX_ATTEMPTS
+            value: ($maxAttempts)
+        content: |
+          set -eu
+          # Build parity-check once; its --print-build-id mode resolves the
+          # authoritative replica and reads its build ID.
+          ROOT="$(git rev-parse --show-toplevel)"
+          BIN="${ROOT}/bin/parity-check"
+          [ -x "${BIN}" ] || go build -o "${BIN}" "${ROOT}/cmd/parity-check"
+
+          read_build() {
+            "${BIN}" --print-build-id \
+              --ext-exec-selector "${EXT_SELECTOR}" \
+              --ext-exec-namespace "${EXT_NS}" 2>/dev/null \
+              | tr -dc '0-9'
+          }
+
+          last=""
+          stable=0
+          for i in $(seq 1 "${MAX_ATTEMPTS}"); do
+            cur="$(read_build || true)"
+            [ -z "${cur}" ] && cur="?"
+            echo "attempt ${i}: BuildID=${cur} (stable streak ${stable}/${STABLE_READS})"
+            if [ "${cur}" != "?" ] && [ "${cur}" = "${last}" ]; then
+              stable=$((stable + 1))
+              if [ "${stable}" -ge "${STABLE_READS}" ]; then
+                echo "OK: config settled at BuildID=${cur} (stable for ${STABLE_READS} reads)"
+                exit 0
+              fi
+            else
+              stable=0
+            fi
+            last="${cur}"
+            sleep "${INTERVAL}"
+          done
+          # Not fatal: the parity gate has its own retry. A non-settled exit just
+          # means the configuration was still changing; let the gate try anyway.
+          echo "WARN: BuildID did not fully settle after ${MAX_ATTEMPTS} reads; proceeding to parity"
diff --git a/test/e2e-edge/atomic-reject-isolation/chainsaw-test.yaml b/test/e2e-edge/atomic-reject-isolation/chainsaw-test.yaml
new file mode 100644
index 00000000..cd5a0159
--- /dev/null
+++ b/test/e2e-edge/atomic-reject-isolation/chainsaw-test.yaml
@@ -0,0 +1,672 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+#
+# One bad certificate must not break its neighbors.
+#
+# Two sub-tests, both asserting observed data-plane behavior (served responses
+# and the proxy's own counters), never gateway status.
+#
+#   First: a gateway with a valid-certificate listener, an expired-certificate
+#   listener, and a plain HTTP listener. The edge drops the bad listener, the
+#   rest of the config stays accepted, and the siblings keep serving.
+#
+#   Second: a route configuration the edge proxy genuinely rejects. A healthy
+#   sibling keeps serving 200, and nothing falsely reports the gateway as
+#   programmed over a rejected config — asserted against the proxy's
+#   rejected-update counter, not the gateway condition that lied during a live
+#   incident.
+#
+# The expired-certificate sub-test: the operator's upstream certificate check
+# would hold an expired certificate back before it ever reaches the edge, so the
+# drop we want to observe would never run on the normal path. We therefore create
+# the gateway directly on the downstream cluster, bypassing that upstream check,
+# so the expired certificate reaches the edge and the drop genuinely runs. The
+# namespace must carry the gateway-watch label
+# meta.datumapis.com/upstream-cluster-name at creation, because the gateway only
+# watches namespaces that already have the label.
+#
+# Cluster names are inline; downstreamGatewayClass is as in the other tests;
+# adminPort is the proxy's admin endpoint (:19000).
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: atomic-reject-isolation
+spec:
+  concurrent: false
+  bindings:
+    - name: clusterIssuerName
+      value: (join('-', ['e2e', $namespace]))
+    - name: gatewayClassName
+      value: (join('-', ['e2e', $namespace]))
+    - name: downstreamGatewayClass
+      value: datum-downstream-gateway-e2e
+    - name: adminPort
+      value: "19000"
+    # Inputs for the config-presence check, which resolves the extension server
+    # pods by label selector (one per replica).
+    - name: extServerSelector
+      value: app.kubernetes.io/component=envoy-gateway-extension-server
+    - name: extServerNamespace
+      value: network-services-operator-system
+    - name: envoyPodSelector
+      value: gateway.envoyproxy.io/owning-gatewayclass=datum-downstream-gateway-e2e
+    # Namespace holding the data-plane proxy and its admin endpoint.
+    - name: envoyNamespace
+      value: datum-downstream-gateway
+    # Gate the proxy-reject sub-test until its route configuration is confirmed
+    # to actually reach and be rejected by the edge (see header). The
+    # expired-certificate sub-test runs unconditionally.
+    - name: nackTestEnabled
+      value: "false"
+  cluster: nso-upstream
+  steps:
+    - name: Create CA on the downstream cluster
+      try:
+        - create:
+            cluster: nso-downstream
+            resource:
+              apiVersion: cert-manager.io/v1
+              kind: ClusterIssuer
+              metadata:
+                name: (join('-', [$clusterIssuerName, 'issuer']))
+              spec:
+                selfSigned: {}
+        - create:
+            cluster: nso-downstream
+            resource:
+              apiVersion: cert-manager.io/v1
+              kind: Certificate
+              metadata:
+                name: (join('-', [$clusterIssuerName, 'ca']))
+                namespace: cert-manager
+              spec:
+                isCA: true
+                commonName: (join('-', [$clusterIssuerName, 'ca']))
+                secretName: ($clusterIssuerName)
+                privateKey:
+                  algorithm: ECDSA
+                  size: 256
+                issuerRef:
+                  name: (join('-', [$clusterIssuerName, 'issuer']))
+                  kind: ClusterIssuer
+                  group: cert-manager.io
+        - create:
+            cluster: nso-downstream
+            resource:
+              apiVersion: cert-manager.io/v1
+              kind: ClusterIssuer
+              metadata:
+                name: ($clusterIssuerName)
+              spec:
+                ca:
+                  secretName: ($clusterIssuerName)
+        - assert:
+            cluster: nso-downstream
+            resource:
+              apiVersion: cert-manager.io/v1
+              kind: Certificate
+              metadata:
+                name: (join('-', [$clusterIssuerName, 'ca']))
+                namespace: cert-manager
+              status:
+                conditions:
+                  - type: Ready
+                    status: "True"
+
+    - name: Create the upstream GatewayClass (downstream class/EnvoyProxy are pre-provisioned)
+      try:
+        - create:
+            cluster: nso-upstream
+            resource:
+              apiVersion: gateway.networking.k8s.io/v1
+              kind: GatewayClass
+              metadata:
+                name: ($gatewayClassName)
+              spec:
+                controllerName: gateway.networking.datumapis.com/external-global-proxy-controller
+        # The downstream gateway class and its proxy are provisioned once by the
+        # test environment; tests must not recreate them. Only ensure the
+        # hostname-accounting namespace here.
+        - apply:
+            cluster: nso-downstream
+            resource:
+              apiVersion: v1
+              kind: Namespace
+              metadata:
+                name: datum-downstream-gateway-hostnames
+
+    - name: Create the echo backend
+      try:
+        - apply:
+            cluster: nso-downstream
+            file: ../_fixtures/echo-backend.yaml
+
+    - name: Provision and verify the Domain
+      try:
+        - create:
+            cluster: nso-upstream
+            resource:
+              apiVersion: networking.datumapis.com/v1alpha
+              kind: Domain
+              metadata:
+                name: test-domain
+              spec:
+                domainName: e2e.env.datum.net
+        - description: Stand in for the Domain controller's HTTP/DNS verification.
+          script:
+            content: |
+              kubectl -n $NAMESPACE patch domain test-domain \
+                --subresource=status --type=merge \
+                -p '{"status":{"conditions":[{"type": "Verified", "status": "True", "reason": "Test", "message": "test", "lastTransitionTime": "2025-02-24T23:59:09Z"}]}}'
+
+    # ---- Expired certificate is isolated ----
+    # The operator's upstream certificate check would hold an expired certificate
+    # back before the edge sees it, so the drop we want to observe would never run
+    # on the normal path. We therefore create the gateway directly on the
+    # downstream cluster: a gateway with a valid-certificate listener, an
+    # expired-certificate listener, and a plain HTTP sibling. The edge drops the
+    # expired listener while the siblings keep serving. The namespace must carry
+    # the gateway-watch label meta.datumapis.com/upstream-cluster-name at creation,
+    # because the gateway only watches namespaces that already have it.
+    - name: D1 - hand-deliver a downstream gateway with good, expired, and HTTP listeners
+      try:
+        - description: The gateway only watches namespaces carrying this label; it must be present at creation.
+          create:
+            cluster: nso-downstream
+            resource:
+              apiVersion: v1
+              kind: Namespace
+              metadata:
+                name: (join('-', ['d1', $namespace]))
+                labels:
+                  meta.datumapis.com/upstream-cluster-name: cluster-single
+        # Valid certificate: a self-signed leaf issued on the downstream cluster.
+        - create:
+            cluster: nso-downstream
+            resource:
+              apiVersion: cert-manager.io/v1
+              kind: Issuer
+              metadata:
+                name: d1-selfsigned
+                namespace: (join('-', ['d1', $namespace]))
+              spec:
+                selfSigned: {}
+        - create:
+            cluster: nso-downstream
+            resource:
+              apiVersion: cert-manager.io/v1
+              kind: Certificate
+              metadata:
+                name: d1-good
+                namespace: (join('-', ['d1', $namespace]))
+              spec:
+                secretName: d1-good-tls
+                commonName: d1-good.e2e.env.datum.net
+                dnsNames: [d1-good.e2e.env.datum.net]
+                issuerRef:
+                  name: d1-selfsigned
+                  kind: Issuer
+        - assert:
+            timeout: 90s
+            cluster: nso-downstream
+            resource:
+              apiVersion: cert-manager.io/v1
+              kind: Certificate
+              metadata:
+                name: d1-good
+                namespace: (join('-', ['d1', $namespace]))
+              status:
+                conditions:
+                  - type: Ready
+                    status: "True"
+        # Expired certificate: a pre-created TLS Secret shipped as a committed
+        # fixture (regenerated by test/e2e-edge/_fixtures/certs/gen-certs.sh), applied
+        # into this sub-test's namespace.
+        - apply:
+            cluster: nso-downstream
+            file: ../_fixtures/certs/expired-cert-secret.yaml
+        # Copy the fixture's secret into this namespace under the name the
+        # listener references (the fixture targets default/expired-leaf-tls).
+        - script:
+            cluster: nso-downstream
+            env:
+              - name: D1_NS
+                value: (join('-', ['d1', $namespace]))
+            content: |
+              set -eu
+              kubectl get secret expired-leaf-tls -n default -o json \
+                | kubectl create -f - --dry-run=client -o json \
+                | sed 's/"namespace": "default"/"namespace": "'"${D1_NS}"'"/; s/"name": "expired-leaf-tls"/"name": "d1-bad-tls"/' \
+                | kubectl -n "${D1_NS}" apply -f -
+        # Echo backend in this namespace (the route targets it by Service name).
+        - create:
+            cluster: nso-downstream
+            resource:
+              apiVersion: v1
+              kind: Pod
+              metadata:
+                name: echo-backend
+                namespace: (join('-', ['d1', $namespace]))
+                labels:
+                  purpose: d1-echo
+              spec:
+                containers:
+                  - name: backend
+                    image: ghcr.io/mccutchen/go-httpbin:2.18.1
+                    command: ["/bin/go-httpbin"]
+                    args: ["-host", "0.0.0.0", "-port", "8080"]
+                terminationGracePeriodSeconds: 0
+        - create:
+            cluster: nso-downstream
+            resource:
+              apiVersion: v1
+              kind: Service
+              metadata:
+                name: echo-backend
+                namespace: (join('-', ['d1', $namespace]))
+              spec:
+                ports:
+                  - name: http
+                    port: 8080
+                    targetPort: 8080
+                selector:
+                  purpose: d1-echo
+        - create:
+            cluster: nso-downstream
+            resource:
+              apiVersion: gateway.networking.k8s.io/v1
+              kind: Gateway
+              metadata:
+                name: d1-gateway
+                namespace: (join('-', ['d1', $namespace]))
+              spec:
+                gatewayClassName: ($downstreamGatewayClass)
+                listeners:
+                  - name: http
+                    protocol: HTTP
+                    port: 80
+                    hostname: d1-good.e2e.env.datum.net
+                    allowedRoutes:
+                      namespaces:
+                        from: Same
+                  - name: https-good
+                    protocol: HTTPS
+                    port: 443
+                    hostname: d1-good.e2e.env.datum.net
+                    allowedRoutes:
+                      namespaces:
+                        from: Same
+                    tls:
+                      mode: Terminate
+                      certificateRefs:
+                        - kind: Secret
+                          name: d1-good-tls
+                  - name: https-bad
+                    protocol: HTTPS
+                    port: 443
+                    hostname: d1-bad.e2e.env.datum.net
+                    allowedRoutes:
+                      namespaces:
+                        from: Same
+                    tls:
+                      mode: Terminate
+                      certificateRefs:
+                        - kind: Secret
+                          name: d1-bad-tls
+        - create:
+            cluster: nso-downstream
+            resource:
+              apiVersion: gateway.networking.k8s.io/v1
+              kind: HTTPRoute
+              metadata:
+                name: d1-route
+                namespace: (join('-', ['d1', $namespace]))
+              spec:
+                parentRefs:
+                  - name: d1-gateway
+                    kind: Gateway
+                rules:
+                  - matches:
+                      - path:
+                          type: PathPrefix
+                          value: /
+                    backendRefs:
+                      - name: echo-backend
+                        port: 8080
+        # The good listeners are programmed; the expired-certificate listener is
+        # not — the edge holds it back. This checks the isolation at the listener
+        # status level; the traffic asserts below prove it at the data plane.
+        - assert:
+            timeout: 120s
+            cluster: nso-downstream
+            resource:
+              apiVersion: gateway.networking.k8s.io/v1
+              kind: Gateway
+              metadata:
+                name: d1-gateway
+                namespace: (join('-', ['d1', $namespace]))
+              status:
+                (listeners[?name == 'https-good'] | [0]):
+                  (conditions[?type == 'Programmed']):
+                    - status: "True"
+                (listeners[?name == 'https-bad'] | [0]):
+                  (conditions[?type == 'Programmed']):
+                    - status: "False"
+      catch:
+        - script:
+            cluster: nso-downstream
+            env:
+              - name: D1_NS
+                value: (join('-', ['d1', $namespace]))
+            content: |
+              kubectl -n "$D1_NS" get gateway,httproute,secret -o yaml
+              kubectl -n network-services-operator-system logs -l app.kubernetes.io/component=envoy-gateway-extension-server --tail=80 | grep -i prune || true
+
+    - name: Stand up the long-lived conntest client
+      try:
+        - create:
+            cluster: nso-downstream
+            resource:
+              apiVersion: v1
+              kind: Pod
+              metadata:
+                name: conntest
+                namespace: default
+              spec:
+                containers:
+                  - name: curl
+                    image: curlimages/curl:8.11.1
+                    command: ["sleep", "infinity"]
+                    resources:
+                      requests:
+                        cpu: 50m
+                        memory: 64Mi
+                      limits:
+                        cpu: 100m
+                        memory: 128Mi
+                terminationGracePeriodSeconds: 0
+        - assert:
+            cluster: nso-downstream
+            resource:
+              apiVersion: v1
+              kind: Pod
+              metadata:
+                name: conntest
+                namespace: default
+              status:
+                phase: Running
+
+    - name: D1 - the good HTTPS sibling serves 200
+      use:
+        template: ../_steps/assert-http-response.yaml
+        with:
+          bindings:
+            - { name: host, value: d1-good.e2e.env.datum.net }
+            - { name: path, value: /status/200 }
+            - { name: scheme, value: https }
+            - { name: expectCode, value: "200" }
+
+    - name: D1 - the plain-HTTP sibling serves 200 (never gated by a cert)
+      use:
+        template: ../_steps/assert-http-response.yaml
+        with:
+          bindings:
+            - { name: host, value: d1-good.e2e.env.datum.net }
+            - { name: path, value: /status/200 }
+            - { name: scheme, value: http }
+            - { name: port, value: "80" }
+            - { name: expectCode, value: "200" }
+
+    - name: D1 - the expired-cert hostname is NOT served (prune dropped its chain)
+      description: |
+        The bad hostname must not be served — the edge dropped its listener while
+        the siblings kept serving. A TLS handshake against it fails rather than
+        returning 200. Anything but a non-200 means the expired listener was
+        served and the drop failed.
+      try:
+        - script:
+            timeout: 120s
+            cluster: nso-downstream
+            env:
+              - name: OWNING_GC
+                value: ($downstreamGatewayClass)
+            content: |
+              set -eu
+              IP=$(kubectl get svc -n datum-downstream-gateway \
+                -l gateway.envoyproxy.io/owning-gatewayclass=${OWNING_GC} \
+                -o jsonpath='{.items[0].spec.clusterIP}')
+              code=$(kubectl -n default exec conntest -- \
+                curl -ksS -o /dev/null -w '%{http_code}' --max-time 10 \
+                --resolve d1-bad.e2e.env.datum.net:443:"${IP}" \
+                https://d1-bad.e2e.env.datum.net/status/200 2>/dev/null || true)
+              echo "bad hostname -> ${code:-<conn-failed>}"
+              if [ "${code}" = "200" ]; then
+                echo "ERROR: expired-cert hostname was served; the prune did not isolate it"; exit 1
+              fi
+              echo "OK: expired-cert hostname not served (prune isolated it); siblings serve 200"
+
+    # Let the edge config settle after the gateway is provisioned before the
+    # config-presence check compares.
+    - name: D1 - wait for the edge config to settle before the parity gate
+      use:
+        template: ../_steps/wait-config-settle.yaml
+        with:
+          bindings:
+            - { name: extServerSelector, value: app.kubernetes.io/component=envoy-gateway-extension-server }
+            - { name: extServerNamespace, value: network-services-operator-system }
+
+    - name: D1 - config-presence - the snapshot is clean after the prune (parity gate)
+      description: |
+        The edge drops the expired listener and keeps the rest of the config
+        accepted. This asserts the live config matches what the extension server
+        reports it programmed, with no rejection — proving the bad listener was
+        isolated rather than breaking the whole gateway. The traffic asserts above
+        already prove the isolation; this confirms the config is present.
+      use:
+        template: ../_steps/assert-config-dump.yaml
+        with:
+          # Values are inlined, not referenced as ($envoyNamespace) etc.: a
+          # with-binding whose name matches a template default resolves ($name)
+          # against the template default, not this test's value.
+          bindings:
+            - { name: envoyPodSelector, value: gateway.envoyproxy.io/owning-gatewayclass=datum-downstream-gateway-e2e }
+            - { name: envoyNamespace, value: datum-downstream-gateway }
+            - { name: extServerSelector, value: app.kubernetes.io/component=envoy-gateway-extension-server }
+            - { name: extServerNamespace, value: network-services-operator-system }
+            - { name: dataplaneCluster, value: nso-downstream }
+
+    # ---- A rejected route configuration must not break a healthy sibling ----
+    - name: D2 - provoke a duplicate-localhost-domain RDS reject on a healthy gateway
+      description: |
+        The goal is a route configuration the edge proxy genuinely rejects, with
+        a healthy sibling hostname on the same gateway still serving 200 and
+        nothing falsely reporting the gateway as programmed over the rejected
+        config.
+
+        Why this stays gated ($nackTestEnabled=false): the duplicate-domain
+        collision that once caused this can no longer be reproduced through any
+        supported path. Two listeners with the same hostname on one gateway are
+        rejected by the Gateway API webhook, and the connector path that
+        originally triggered it now appends a unique per-route domain, with every
+        other hostname path de-duplicating. So there is no operator path left that
+        emits a duplicate domain; the collision is structurally prevented.
+        Forcing it would require reverting that fix or hand-injecting a raw
+        duplicate-domain patch (which tests the proxy, not the operator), neither
+        of which is a faithful regression test. This step provisions only a
+        healthy gateway so the gated assertions below have a target.
+      try:
+        - script:
+            cluster: nso-upstream
+            skipCommandOutput: true
+            skipLogOutput: true
+            content: |
+              kubectl get ns $NAMESPACE -o json
+            outputs:
+              - name: downstreamNamespaceName
+                value: (join('-', ['ns', json_parse($stdout).metadata.uid]))
+        - create:
+            cluster: nso-upstream
+            resource:
+              apiVersion: gateway.networking.k8s.io/v1
+              kind: Gateway
+              metadata:
+                name: nack-gateway
+              spec:
+                gatewayClassName: ($gatewayClassName)
+                listeners:
+                  - protocol: HTTPS
+                    port: 443
+                    name: https-healthy
+                    allowedRoutes:
+                      namespaces:
+                        from: Same
+                    hostname: healthy.e2e.env.datum.net
+                    tls:
+                      mode: Terminate
+                      options:
+                        gateway.networking.datumapis.com/certificate-issuer: ($clusterIssuerName)
+        # Upstream backend slice for the nack-route, pointing at the downstream
+        # echo backend by name.
+        - create:
+            cluster: nso-upstream
+            resource:
+              apiVersion: discovery.k8s.io/v1
+              kind: EndpointSlice
+              metadata:
+                name: nack-slice
+              addressType: FQDN
+              endpoints:
+                - addresses:
+                    - echo-backend.default.svc.cluster.local
+                  conditions:
+                    ready: true
+                    serving: true
+                    terminating: false
+              ports:
+                - name: http
+                  appProtocol: http
+                  port: 8080
+        - create:
+            cluster: nso-upstream
+            resource:
+              apiVersion: gateway.networking.k8s.io/v1
+              kind: HTTPRoute
+              metadata:
+                name: nack-route
+              spec:
+                parentRefs:
+                  - name: nack-gateway
+                    kind: Gateway
+                rules:
+                  - matches:
+                      - path:
+                          type: PathPrefix
+                          value: /
+                    backendRefs:
+                      - group: discovery.k8s.io
+                        kind: EndpointSlice
+                        name: nack-slice
+                        port: 8080
+        - assert:
+            timeout: 120s
+            cluster: nso-upstream
+            resource:
+              apiVersion: gateway.networking.k8s.io/v1
+              kind: Gateway
+              metadata:
+                name: nack-gateway
+              status:
+                (addresses[?type == 'Hostname'] | [0]):
+                  type: Hostname
+      catch:
+        - script:
+            cluster: nso-upstream
+            content: |
+              kubectl -n $NAMESPACE get gateway,httproute -o yaml
+
+    - name: D2 - the healthy sibling keeps serving 200 despite the RDS reject
+      description: |
+        Gated behind ($nackTestEnabled): asserts the rejected route configuration
+        is isolated so the sibling still serves. Until the rejection is confirmed
+        to reach the edge and be isolated, running this unconditionally would fail
+        whenever the collision breaks the whole gateway.
+      try:
+        - script:
+            timeout: 200s
+            cluster: nso-downstream
+            env:
+              - name: ENABLED
+                value: ($nackTestEnabled)
+              - name: OWNING_GC
+                value: ($downstreamGatewayClass)
+            content: |
+              set -eu
+              if [ "${ENABLED}" != "true" ]; then
+                echo "SKIP: nackTestEnabled=false (D2 isolation unverified; see header)"
+                exit 0
+              fi
+              IP=$(kubectl get svc -n datum-downstream-gateway \
+                -l gateway.envoyproxy.io/owning-gatewayclass=$OWNING_GC \
+                -o jsonpath='{.items[0].spec.clusterIP}')
+              HOST=healthy.e2e.env.datum.net
+              ok=""
+              for i in $(seq 1 30); do
+                code=$(kubectl -n default exec conntest -- \
+                  curl -ksS -o /dev/null -w '%{http_code}' --max-time 10 \
+                  --resolve "${HOST}:443:${IP}" "https://${HOST}/status/200" 2>/dev/null || true)
+                echo "attempt ${i}: ${HOST} -> ${code}"
+                [ "${code}" = "200" ] && { ok="yes"; break; }
+                sleep 5
+              done
+              [ -n "${ok}" ] || { echo "ERROR: healthy sibling did not serve 200 (RDS reject not isolated)"; exit 1; }
+              echo "OK: healthy sibling still serves 200 despite the duplicate-localhost RDS reject"
+
+    - name: D2 - the edge reports update_rejected and NOTHING claims Programmed over a NACK
+      description: |
+        Guards against a false-positive status. Query the proxy's rejected-update
+        counter; if the gateway can report itself programmed while that counter is
+        non-zero, this fails — the exact regression a live freeze produced. Gated
+        behind ($nackTestEnabled) until the rejected configuration is confirmed to
+        reach the edge (see header).
+      try:
+        - script:
+            timeout: 120s
+            cluster: nso-downstream
+            env:
+              - name: ENABLED
+                value: ($nackTestEnabled)
+              - name: ADMIN_PORT
+                value: ($adminPort)
+              - name: OWNING_GC
+                value: ($downstreamGatewayClass)
+            content: |
+              set -eu
+              if [ "${ENABLED}" != "true" ]; then
+                echo "SKIP: nackTestEnabled=false (awaiting confirmation the duplicate-localhost collision reaches the edge RDS)"
+                exit 0
+              fi
+              POD=$(kubectl get pods -n datum-downstream-gateway \
+                -l gateway.envoyproxy.io/owning-gatewayclass=${OWNING_GC} \
+                -o jsonpath='{.items[0].metadata.name}')
+              echo "edge pod: ${POD}"
+              STATS=$(kubectl -n datum-downstream-gateway exec "${POD}" -c envoy -- \
+                curl -s "http://127.0.0.1:${ADMIN_PORT}/stats?filter=update_rejected" 2>/dev/null || true)
+              echo "--- update_rejected stats ---"
+              echo "${STATS}"
+              # A genuine rejection must surface as a non-zero rejected-update
+              # counter. This asserts we observe the rejection at the data plane
+              # rather than trusting a green status.
+              REJECTED=$(echo "${STATS}" | awk -F': ' '/rds.*update_rejected|lds.update_rejected/ {s+=$2} END{print s+0}')
+              echo "total update_rejected: ${REJECTED}"
+              if [ "${REJECTED}" -eq 0 ]; then
+                echo "ERROR: expected a non-zero update_rejected from the duplicate-localhost RDS reject; got 0"
+                exit 1
+              fi
+              echo "OK: edge observed the NACK (update_rejected=${REJECTED}); healthy sibling still served 200"
+      catch:
+        - script:
+            cluster: nso-downstream
+            env:
+              - name: OWNING_GC
+                value: ($downstreamGatewayClass)
+            content: |
+              kubectl -n datum-downstream-gateway logs -l gateway.envoyproxy.io/owning-gatewayclass=$OWNING_GC -c envoy --tail=150
diff --git a/test/e2e-edge/branded-error-page/chainsaw-test.yaml b/test/e2e-edge/branded-error-page/chainsaw-test.yaml
new file mode 100644
index 00000000..23f08174
--- /dev/null
+++ b/test/e2e-edge/branded-error-page/chainsaw-test.yaml
@@ -0,0 +1,480 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+#
+# Branded error page reaches the customer.
+#
+# Checks that a 5xx served by the edge carries the branded error page, and — the
+# important part — that this still works for a gateway provisioned after the
+# fact, without restarting anything. Activating the branded page in production
+# once needed a manual restart, which a status-based or restart-then-check test
+# would have missed.
+#
+# Two assertions:
+#   1. The branded body is present on a 5xx (identified by the sentinel
+#      X-Datum-Branded-Page: v1) and absent on a benign 200, proving branding is
+#      scoped to 5xx responses.
+#   2. Provision a second gateway and route after the edge is already running,
+#      without restarting anything, and assert its 5xx is also branded. If
+#      branding only takes effect on a restart, the fresh path serves an
+#      unbranded 5xx and this fails.
+#
+# The 5xx is produced by pointing a route at a backend Service with no ready
+# endpoints, so the proxy returns the error itself (the path the branded page
+# hooks). No connector is involved.
+#
+# The mounted error-page body must contain the sentinel X-Datum-Branded-Page: v1;
+# the test environment wires that body and this test only greps for it.
+#
+# Cluster names are inline; downstreamGatewayClass is as in waf-enforcement.
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: branded-error-page
+spec:
+  concurrent: false
+  bindings:
+    - name: clusterIssuerName
+      value: (join('-', ['e2e', $namespace]))
+    - name: gatewayClassName
+      value: (join('-', ['e2e', $namespace]))
+    - name: downstreamGatewayClass
+      value: datum-downstream-gateway-e2e
+    # The sentinel substring the test environment mounts into the error-page body.
+    - name: sentinel
+      value: "X-Datum-Branded-Page: v1"
+    # Inputs for the config-presence check, which resolves the extension server
+    # pods by label selector (one per replica).
+    - name: extServerSelector
+      value: app.kubernetes.io/component=envoy-gateway-extension-server
+    - name: extServerNamespace
+      value: network-services-operator-system
+    - name: envoyPodSelector
+      value: gateway.envoyproxy.io/owning-gatewayclass=datum-downstream-gateway-e2e
+    # Namespace holding the data-plane proxy and its admin endpoint.
+    - name: envoyNamespace
+      value: datum-downstream-gateway
+  cluster: nso-upstream
+  steps:
+    - name: Create CA on the downstream cluster
+      try:
+        - create:
+            cluster: nso-downstream
+            resource:
+              apiVersion: cert-manager.io/v1
+              kind: ClusterIssuer
+              metadata:
+                name: (join('-', [$clusterIssuerName, 'issuer']))
+              spec:
+                selfSigned: {}
+        - create:
+            cluster: nso-downstream
+            resource:
+              apiVersion: cert-manager.io/v1
+              kind: Certificate
+              metadata:
+                name: (join('-', [$clusterIssuerName, 'ca']))
+                namespace: cert-manager
+              spec:
+                isCA: true
+                commonName: (join('-', [$clusterIssuerName, 'ca']))
+                secretName: ($clusterIssuerName)
+                privateKey:
+                  algorithm: ECDSA
+                  size: 256
+                issuerRef:
+                  name: (join('-', [$clusterIssuerName, 'issuer']))
+                  kind: ClusterIssuer
+                  group: cert-manager.io
+        - create:
+            cluster: nso-downstream
+            resource:
+              apiVersion: cert-manager.io/v1
+              kind: ClusterIssuer
+              metadata:
+                name: ($clusterIssuerName)
+              spec:
+                ca:
+                  secretName: ($clusterIssuerName)
+        - assert:
+            cluster: nso-downstream
+            resource:
+              apiVersion: cert-manager.io/v1
+              kind: Certificate
+              metadata:
+                name: (join('-', [$clusterIssuerName, 'ca']))
+                namespace: cert-manager
+              status:
+                conditions:
+                  - type: Ready
+                    status: "True"
+
+    - name: Create the upstream GatewayClass (downstream class/EnvoyProxy are pre-provisioned)
+      try:
+        - create:
+            cluster: nso-upstream
+            resource:
+              apiVersion: gateway.networking.k8s.io/v1
+              kind: GatewayClass
+              metadata:
+                name: ($gatewayClassName)
+              spec:
+                controllerName: gateway.networking.datumapis.com/external-global-proxy-controller
+        # The downstream gateway class and its proxy are provisioned once by the
+        # test environment; tests must not recreate them. Only ensure the
+        # hostname-accounting namespace here.
+        - apply:
+            cluster: nso-downstream
+            resource:
+              apiVersion: v1
+              kind: Namespace
+              metadata:
+                name: datum-downstream-gateway-hostnames
+
+    - name: Create the echo backend (for the benign 200 control)
+      try:
+        - apply:
+            cluster: nso-downstream
+            file: ../_fixtures/echo-backend.yaml
+
+    - name: Provision and verify the Domain
+      try:
+        - create:
+            cluster: nso-upstream
+            resource:
+              apiVersion: networking.datumapis.com/v1alpha
+              kind: Domain
+              metadata:
+                name: test-domain
+              spec:
+                domainName: e2e.env.datum.net
+        - description: Stand in for the Domain controller's HTTP/DNS verification.
+          script:
+            content: |
+              kubectl -n $NAMESPACE patch domain test-domain \
+                --subresource=status --type=merge \
+                -p '{"status":{"conditions":[{"type": "Verified", "status": "True", "reason": "Test", "message": "test", "lastTransitionTime": "2025-02-24T23:59:09Z"}]}}'
+
+    - name: Provision the first Gateway with a 5xx route and a benign 200 route
+      try:
+        - script:
+            cluster: nso-upstream
+            skipCommandOutput: true
+            skipLogOutput: true
+            content: |
+              kubectl get ns $NAMESPACE -o json
+            outputs:
+              - name: downstreamNamespaceName
+                value: (join('-', ['ns', json_parse($stdout).metadata.uid]))
+        - create:
+            cluster: nso-upstream
+            resource:
+              apiVersion: gateway.networking.k8s.io/v1
+              kind: Gateway
+              metadata:
+                name: test-gateway
+              spec:
+                gatewayClassName: ($gatewayClassName)
+                listeners:
+                  - protocol: HTTPS
+                    port: 443
+                    name: https-brand
+                    allowedRoutes:
+                      namespaces:
+                        from: Same
+                    hostname: brand.e2e.env.datum.net
+                    tls:
+                      mode: Terminate
+                      options:
+                        gateway.networking.datumapis.com/certificate-issuer: ($clusterIssuerName)
+        # Benign backend (echo) for the 200 control on /ok.
+        - create:
+            cluster: nso-upstream
+            resource:
+              apiVersion: discovery.k8s.io/v1
+              kind: EndpointSlice
+              metadata:
+                name: ok-slice
+              addressType: FQDN
+              endpoints:
+                - addresses:
+                    - echo-backend.default.svc.cluster.local
+                  conditions:
+                    ready: true
+                    serving: true
+                    terminating: false
+              ports:
+                - name: http
+                  appProtocol: http
+                  port: 8080
+        # A backend with no ready endpoints: the proxy returns a 5xx itself,
+        # which is exactly the path the branded page hooks.
+        - create:
+            cluster: nso-upstream
+            resource:
+              apiVersion: discovery.k8s.io/v1
+              kind: EndpointSlice
+              metadata:
+                name: dead-slice
+              addressType: FQDN
+              endpoints:
+                - addresses:
+                    - no-such-backend.default.svc.cluster.local
+                  conditions:
+                    ready: false
+                    serving: false
+                    terminating: false
+              ports:
+                - name: http
+                  appProtocol: http
+                  port: 8080
+        - create:
+            cluster: nso-upstream
+            resource:
+              apiVersion: gateway.networking.k8s.io/v1
+              kind: HTTPRoute
+              metadata:
+                name: test-route
+              spec:
+                parentRefs:
+                  - name: test-gateway
+                    kind: Gateway
+                rules:
+                  - matches:
+                      - path:
+                          type: PathPrefix
+                          value: /ok
+                    backendRefs:
+                      - group: discovery.k8s.io
+                        kind: EndpointSlice
+                        name: ok-slice
+                        port: 8080
+                    filters:
+                      - type: URLRewrite
+                        urlRewrite:
+                          path:
+                            type: ReplacePrefixMatch
+                            replacePrefixMatch: /
+                  - matches:
+                      - path:
+                          type: PathPrefix
+                          value: /
+                    backendRefs:
+                      - group: discovery.k8s.io
+                        kind: EndpointSlice
+                        name: dead-slice
+                        port: 8080
+        - assert:
+            timeout: 120s
+            cluster: nso-upstream
+            resource:
+              apiVersion: gateway.networking.k8s.io/v1
+              kind: Gateway
+              metadata:
+                name: test-gateway
+              status:
+                (addresses[?type == 'Hostname'] | [0]):
+                  type: Hostname
+      catch:
+        - script:
+            cluster: nso-upstream
+            content: |
+              kubectl -n network-services-operator-system logs -l app.kubernetes.io/name=network-services-operator --tail=200
+              kubectl -n $NAMESPACE get gateway,httproute -o yaml
+
+    - name: Stand up the long-lived conntest client and resolve the edge IP
+      try:
+        - create:
+            cluster: nso-downstream
+            resource:
+              apiVersion: v1
+              kind: Pod
+              metadata:
+                name: conntest
+                namespace: default
+              spec:
+                containers:
+                  - name: curl
+                    image: curlimages/curl:8.11.1
+                    command: ["sleep", "infinity"]
+                    resources:
+                      requests:
+                        cpu: 50m
+                        memory: 64Mi
+                      limits:
+                        cpu: 100m
+                        memory: 128Mi
+                terminationGracePeriodSeconds: 0
+        - assert:
+            cluster: nso-downstream
+            resource:
+              apiVersion: v1
+              kind: Pod
+              metadata:
+                name: conntest
+                namespace: default
+              status:
+                phase: Running
+    - name: The 5xx response carries the branded sentinel body
+      description: |
+        A real request to the dead-backend route returns 5xx and the body
+        contains the branded sentinel. If the branded config never applied, the
+        body is a stock 5xx and this fails.
+      use:
+        template: ../_steps/assert-http-response.yaml
+        with:
+          bindings:
+            - { name: host, value: brand.e2e.env.datum.net }
+            - { name: path, value: / }
+            - { name: scheme, value: https }
+            # 503 is the typical response with no healthy backend; the body
+            # substring is what makes this branded-specific.
+            - { name: expectCode, value: "503" }
+            - { name: expectBodySubstring, value: ($sentinel) }
+
+    - name: A benign 200 response does NOT carry the sentinel (branding is scoped to 5xx)
+      try:
+        - description: |
+            Branding must apply only to 5xx responses. A 200 body must not
+            contain the sentinel; if it does, branding is mis-scoped.
+          script:
+            timeout: 120s
+            cluster: nso-downstream
+            env:
+              - name: SENTINEL
+                value: ($sentinel)
+              - name: OWNING_GC
+                value: ($downstreamGatewayClass)
+            content: |
+              set -eu
+              HOST=brand.e2e.env.datum.net
+              # Resolve the edge IP here; output bindings don't cross steps.
+              IP=$(kubectl get svc -n datum-downstream-gateway \
+                -l gateway.envoyproxy.io/owning-gatewayclass=$OWNING_GC \
+                -o jsonpath='{.items[0].spec.clusterIP}')
+              # Wait for the 200 path to be live, then assert its body lacks the
+              # sentinel.
+              ok=""
+              for i in $(seq 1 24); do
+                code=$(kubectl -n default exec conntest -- \
+                  curl -ksS -o /tmp/ok -w '%{http_code}' --max-time 10 \
+                  --resolve "${HOST}:443:${IP}" \
+                  "https://${HOST}/ok/status/200" 2>/dev/null || true)
+                echo "attempt ${i}: /ok -> ${code}"
+                if [ "${code}" = "200" ]; then ok="yes"; break; fi
+                sleep 5
+              done
+              [ -n "${ok}" ] || { echo "ERROR: benign 200 route never served"; exit 1; }
+              if kubectl -n default exec conntest -- grep -qF -- "${SENTINEL}" /tmp/ok 2>/dev/null; then
+                echo "ERROR: branded sentinel leaked into a 200 response body"; exit 1
+              fi
+              echo "OK: 200 body is clean (no sentinel), branding scoped to 5xx"
+
+    - name: Inert-detection - a NEW gateway translated with no restart is also branded
+      try:
+        - description: |
+            Provision a second gateway and dead-backend route after the edge is
+            already running, without restarting anything, and assert its 5xx is
+            branded too. If branding only takes effect on a restart, this fresh
+            path serves an unbranded 5xx and the next step fails.
+          create:
+            cluster: nso-upstream
+            resource:
+              apiVersion: gateway.networking.k8s.io/v1
+              kind: Gateway
+              metadata:
+                name: test-gateway-2
+              spec:
+                gatewayClassName: ($gatewayClassName)
+                listeners:
+                  - protocol: HTTPS
+                    port: 443
+                    name: https-brand2
+                    allowedRoutes:
+                      namespaces:
+                        from: Same
+                    hostname: brand2.e2e.env.datum.net
+                    tls:
+                      mode: Terminate
+                      options:
+                        gateway.networking.datumapis.com/certificate-issuer: ($clusterIssuerName)
+        - create:
+            cluster: nso-upstream
+            resource:
+              apiVersion: gateway.networking.k8s.io/v1
+              kind: HTTPRoute
+              metadata:
+                name: test-route-2
+              spec:
+                parentRefs:
+                  - name: test-gateway-2
+                    kind: Gateway
+                rules:
+                  - matches:
+                      - path:
+                          type: PathPrefix
+                          value: /
+                    backendRefs:
+                      - group: discovery.k8s.io
+                        kind: EndpointSlice
+                        name: dead-slice
+                        port: 8080
+        - assert:
+            timeout: 120s
+            cluster: nso-upstream
+            resource:
+              apiVersion: gateway.networking.k8s.io/v1
+              kind: Gateway
+              metadata:
+                name: test-gateway-2
+              status:
+                (addresses[?type == 'Hostname'] | [0]):
+                  type: Hostname
+      catch:
+        - script:
+            cluster: nso-upstream
+            content: |
+              kubectl -n $NAMESPACE get gateway,httproute -o yaml
+
+    - name: The newly translated gateway's 5xx is ALSO branded (no restart)
+      description: |
+        The new gateway's path must carry the branded body without any restart.
+        A miss here means branding only takes effect on a restart.
+      use:
+        template: ../_steps/assert-http-response.yaml
+        with:
+          bindings:
+            - { name: host, value: brand2.e2e.env.datum.net }
+            - { name: path, value: / }
+            - { name: scheme, value: https }
+            - { name: expectCode, value: "503" }
+            - { name: expectBodySubstring, value: ($sentinel) }
+
+    # Let the edge config settle after the second gateway is provisioned before
+    # the config-presence check compares.
+    - name: Wait for the edge config to settle before the parity gate
+      use:
+        template: ../_steps/wait-config-settle.yaml
+        with:
+          bindings:
+            - { name: extServerSelector, value: app.kubernetes.io/component=envoy-gateway-extension-server }
+            - { name: extServerNamespace, value: network-services-operator-system }
+
+    - name: Config-presence - the new listener's HCM carries local_reply_config (parity gate)
+      description: |
+        Confirms the branded error-page config is actually present at the edge
+        for the new gateway: the live config carries the branded-page mapping the
+        extension server reports it programmed, and the proxy accepted the
+        update. Catches config that is present in the operator but never reaches
+        the edge.
+      use:
+        template: ../_steps/assert-config-dump.yaml
+        with:
+          # Values are inlined, not referenced as ($envoyNamespace) etc.: a
+          # with-binding whose name matches a template default resolves ($name)
+          # against the template default, not this test's value. Literals avoid
+          # that self-reference.
+          bindings:
+            - { name: envoyPodSelector, value: gateway.envoyproxy.io/owning-gatewayclass=datum-downstream-gateway-e2e }
+            - { name: envoyNamespace, value: datum-downstream-gateway }
+            - { name: extServerSelector, value: app.kubernetes.io/component=envoy-gateway-extension-server }
+            - { name: extServerNamespace, value: network-services-operator-system }
+            - { name: dataplaneCluster, value: nso-downstream }
diff --git a/test/e2e-edge/connector-offline-503/chainsaw-test.yaml b/test/e2e-edge/connector-offline-503/chainsaw-test.yaml
new file mode 100644
index 00000000..d51fc722
--- /dev/null
+++ b/test/e2e-edge/connector-offline-503/chainsaw-test.yaml
@@ -0,0 +1,546 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+#
+# Offline backend returns a clean 503.
+#
+# When a connector is offline a user request returns 503 with the body
+# "Tunnel not online"; when it comes online and the edge picks up the change the
+# same request returns 200 through the tunnel; flipping back returns 503. The
+# 503-to-200 transition is the headline assertion: if the edge never picks up
+# the change when the connector comes online, the online phase hangs at 503 and
+# fails.
+#
+# The test drives the tunnel through a stand-in proxy; it does not exercise real
+# tunnel establishment or NAT traversal.
+#
+# The online phase depends on the edge re-applying config when the connector's
+# state changes, which is not yet confirmed on this edge version. Until it is,
+# the online-phase assertions are gated behind ($connectorTestEnabled): leave it
+# false to run only the offline 503 check (which needs no config re-apply), or
+# set it true once the re-apply is confirmed. If the re-apply turns out not to
+# fire, repurpose the online assertion to confirm the response stays 503.
+#
+# The online phase also needs the connect-proxy image built and loaded:
+#   docker build -t connect-proxy:e2e test/e2e-edge/_fixtures/connector-tunnel
+#   kind load docker-image connect-proxy:e2e --name <downstream-cluster>
+#
+# Cluster names are inline; downstreamGatewayClass is as in the other tests.
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: connector-offline-503
+spec:
+  concurrent: false
+  bindings:
+    - name: clusterIssuerName
+      value: (join('-', ['e2e', $namespace]))
+    - name: gatewayClassName
+      value: (join('-', ['e2e', $namespace]))
+    - name: downstreamGatewayClass
+      value: datum-downstream-gateway-e2e
+    # The node id the tunnel fixture advertises; the online connector annotation
+    # carries this so the connector is classified online.
+    - name: tunnelNodeID
+      value: e2e-connect-proxy-node
+    # Gate the online-phase assertions until the edge re-apply is confirmed and
+    # the connect-proxy image is available (see header).
+    - name: connectorTestEnabled
+      value: "false"
+    # Extension server selector/namespace used to confirm the edge re-applied
+    # config; resolves all replicas and takes the highest build number.
+    - name: extServerSelector
+      value: app.kubernetes.io/component=envoy-gateway-extension-server
+    - name: extServerNamespace
+      value: network-services-operator-system
+  cluster: nso-upstream
+  steps:
+    - name: Create CA on the downstream cluster
+      try:
+        - create:
+            cluster: nso-downstream
+            resource:
+              apiVersion: cert-manager.io/v1
+              kind: ClusterIssuer
+              metadata:
+                name: (join('-', [$clusterIssuerName, 'issuer']))
+              spec:
+                selfSigned: {}
+        - create:
+            cluster: nso-downstream
+            resource:
+              apiVersion: cert-manager.io/v1
+              kind: Certificate
+              metadata:
+                name: (join('-', [$clusterIssuerName, 'ca']))
+                namespace: cert-manager
+              spec:
+                isCA: true
+                commonName: (join('-', [$clusterIssuerName, 'ca']))
+                secretName: ($clusterIssuerName)
+                privateKey:
+                  algorithm: ECDSA
+                  size: 256
+                issuerRef:
+                  name: (join('-', [$clusterIssuerName, 'issuer']))
+                  kind: ClusterIssuer
+                  group: cert-manager.io
+        - create:
+            cluster: nso-downstream
+            resource:
+              apiVersion: cert-manager.io/v1
+              kind: ClusterIssuer
+              metadata:
+                name: ($clusterIssuerName)
+              spec:
+                ca:
+                  secretName: ($clusterIssuerName)
+        - assert:
+            cluster: nso-downstream
+            resource:
+              apiVersion: cert-manager.io/v1
+              kind: Certificate
+              metadata:
+                name: (join('-', [$clusterIssuerName, 'ca']))
+                namespace: cert-manager
+              status:
+                conditions:
+                  - type: Ready
+                    status: "True"
+
+    - name: Create the upstream GatewayClass (downstream class/EnvoyProxy are pre-provisioned)
+      try:
+        - create:
+            cluster: nso-upstream
+            resource:
+              apiVersion: gateway.networking.k8s.io/v1
+              kind: GatewayClass
+              metadata:
+                name: ($gatewayClassName)
+              spec:
+                controllerName: gateway.networking.datumapis.com/external-global-proxy-controller
+        # The HTTPProxy controller builds its gateway with the operator-configured
+        # class (default "datum-external-global-proxy"), not our per-test class.
+        # That class must exist or the proxy's gateway waits for a controller
+        # forever. Cluster-scoped and shared, so apply is idempotent.
+        - apply:
+            cluster: nso-upstream
+            resource:
+              apiVersion: gateway.networking.k8s.io/v1
+              kind: GatewayClass
+              metadata:
+                name: datum-external-global-proxy
+              spec:
+                controllerName: gateway.networking.datumapis.com/external-global-proxy-controller
+        # The downstream gateway class and its proxy are provisioned once by the
+        # test environment; tests must not recreate them. Only ensure the
+        # hostname-accounting namespace here.
+        - apply:
+            cluster: nso-downstream
+            resource:
+              apiVersion: v1
+              kind: Namespace
+              metadata:
+                name: datum-downstream-gateway-hostnames
+
+    - name: Create the echo backend and the CONNECT-proxy tunnel stand-in
+      try:
+        - apply:
+            cluster: nso-downstream
+            file: ../_fixtures/echo-backend.yaml
+        # The connect-proxy is the tunnel target: when the connector is online
+        # the edge dials this proxy Service, which forwards to the echo backend.
+        # An online request can only succeed through this path; there is no
+        # direct fallback route.
+        - apply:
+            cluster: nso-downstream
+            file: ../_fixtures/connector-tunnel/manifest.yaml
+
+    - name: Provision and verify the Domain
+      try:
+        - create:
+            cluster: nso-upstream
+            resource:
+              apiVersion: networking.datumapis.com/v1alpha
+              kind: Domain
+              metadata:
+                name: test-domain
+              spec:
+                domainName: e2e.env.datum.net
+        - description: Stand in for the Domain controller's HTTP/DNS verification.
+          script:
+            content: |
+              kubectl -n $NAMESPACE patch domain test-domain \
+                --subresource=status --type=merge \
+                -p '{"status":{"conditions":[{"type": "Verified", "status": "True", "reason": "Test", "message": "test", "lastTransitionTime": "2025-02-24T23:59:09Z"}]}}'
+
+    - name: Provision the ConnectorClass, Connector (offline), and connector-backed HTTPProxy
+      try:
+        # A Connector must reference an existing ConnectorClass to be accepted.
+        # ConnectorClass is cluster-scoped; apply (not create) so a leftover from
+        # a prior run does not fail the step.
+        - apply:
+            cluster: nso-upstream
+            resource:
+              apiVersion: networking.datumapis.com/v1alpha1
+              kind: ConnectorClass
+              metadata:
+                name: test-connector-class
+              spec: {}
+        # Start offline: the upstream-status annotation carries Ready=False with
+        # no connection details. The connector's online/offline state rides on
+        # this annotation because only metadata is propagated to the edge, not
+        # status.
+        - create:
+            cluster: nso-upstream
+            resource:
+              apiVersion: networking.datumapis.com/v1alpha1
+              kind: Connector
+              metadata:
+                name: test-connector
+                annotations:
+                  networking.datumapis.com/upstream-status: |
+                    {"conditions":[{"type":"Ready","status":"False","reason":"ConnectorNotReady","lastTransitionTime":"2026-06-23T00:00:00Z"}]}
+              spec:
+                connectorClassName: test-connector-class
+        # The HTTPProxy backend references the connector; its endpoint URL points
+        # at the connect-proxy Service so the online path tunnels there.
+        - create:
+            cluster: nso-upstream
+            resource:
+              apiVersion: networking.datumapis.com/v1alpha
+              kind: HTTPProxy
+              metadata:
+                name: test-proxy
+              spec:
+                rules:
+                  - matches:
+                      - path:
+                          type: PathPrefix
+                          value: /
+                    backends:
+                      - endpoint: http://connect-proxy.default.svc.cluster.local:8080
+                        connector:
+                          name: test-connector
+        # Wait for the HTTPProxy to publish its canonical hostname, which tells us
+        # it reconciled and the downstream gateway and route exist. Poll in a
+        # script because the field is empty until the proxy's gateway gets an
+        # address, and a plain assert on it errors instead of retrying.
+        - script:
+            timeout: 180s
+            cluster: nso-upstream
+            content: |
+              set -eu
+              for i in $(seq 1 36); do
+                H=$(kubectl -n $NAMESPACE get httpproxy test-proxy \
+                  -o jsonpath='{.status.canonicalHostname}' 2>/dev/null || true)
+                # printf (no trailing newline) so $stdout is exactly the hostname.
+                if [ -n "${H}" ]; then printf '%s' "${H}"; exit 0; fi
+                echo "waiting for HTTPProxy canonicalHostname... ${i}" >&2
+                sleep 5
+              done
+              echo "ERROR: HTTPProxy never published a canonicalHostname" >&2
+              exit 1
+            outputs:
+              - name: proxyHostname
+                value: ($stdout)
+      catch:
+        - script:
+            cluster: nso-upstream
+            content: |
+              kubectl -n network-services-operator-system logs -l app.kubernetes.io/name=network-services-operator --tail=200
+              kubectl -n $NAMESPACE get connector,connectorclass,httpproxy -o yaml
+
+    - name: Stand up the long-lived conntest client and resolve the edge IP
+      try:
+        - create:
+            cluster: nso-downstream
+            resource:
+              apiVersion: v1
+              kind: Pod
+              metadata:
+                name: conntest
+                namespace: default
+              spec:
+                containers:
+                  - name: curl
+                    image: curlimages/curl:8.11.1
+                    command: ["sleep", "infinity"]
+                    resources:
+                      requests:
+                        cpu: 50m
+                        memory: 64Mi
+                      limits:
+                        cpu: 100m
+                        memory: 128Mi
+                terminationGracePeriodSeconds: 0
+        - assert:
+            cluster: nso-downstream
+            resource:
+              apiVersion: v1
+              kind: Pod
+              metadata:
+                name: conntest
+                namespace: default
+              status:
+                phase: Running
+    - name: Phase 1 (offline) - the user path returns 503 (connector offline route applied)
+      description: |
+        Runs unconditionally: the offline state needs no edge config re-apply.
+        The hostname and edge IP are resolved within this step. Probes the plain
+        HTTP listener on port 80 because the HTTPS listener has no issued
+        certificate in this environment, and the offline 503 route applies on
+        both protocols.
+
+        Body contract: the offline route returns a 503 whose body is
+        "Tunnel not online", but when the branded error page is active (it is, by
+        default) it rewrites every 5xx body to the branded page. So the offline
+        body may be either the raw "Tunnel not online" or the branded page; we
+        accept either as proof of the offline route, and reject a 503 with
+        neither (that would be a different upstream error).
+      try:
+        # Resolve the connector hostname from the upstream HTTPProxy; the output
+        # binding is available to later operations in this same step.
+        - script:
+            cluster: nso-upstream
+            skipCommandOutput: true
+            skipLogOutput: true
+            content: |
+              kubectl -n $NAMESPACE get httpproxy test-proxy \
+                -o jsonpath='{.status.canonicalHostname}'
+            outputs:
+              - name: proxyHostname
+                value: ($stdout)
+        - script:
+            timeout: 300s
+            cluster: nso-downstream
+            env:
+              - name: HOST
+                value: ($proxyHostname)
+              - name: OWNING_GC
+                value: ($downstreamGatewayClass)
+              - name: SENTINEL
+                value: "X-Datum-Branded-Page: v1"
+            content: |
+              set -eu
+              echo "connector hostname: ${HOST}"
+              IP=$(kubectl get svc -n datum-downstream-gateway \
+                -l gateway.envoyproxy.io/owning-gatewayclass=$OWNING_GC \
+                -o jsonpath='{.items[0].spec.clusterIP}')
+              echo "edge IP: ${IP}"
+              ok=""
+              for i in $(seq 1 30); do
+                code=$(kubectl -n default exec conntest -- \
+                  curl -ksS -o /tmp/body -w '%{http_code}' --max-time 10 \
+                  --resolve "${HOST}:80:${IP}" \
+                  "http://${HOST}/" 2>/dev/null || true)
+                echo "attempt ${i}: offline ${HOST} -> ${code}"
+                if [ "${code}" = "503" ]; then
+                  # Accept the raw offline body or the branded override of it;
+                  # reject a 503 carrying neither (a different upstream error).
+                  if kubectl -n default exec conntest -- grep -qF -- "Tunnel not online" /tmp/body 2>/dev/null \
+                     || kubectl -n default exec conntest -- grep -qF -- "${SENTINEL}" /tmp/body 2>/dev/null; then
+                    ok="yes"; break
+                  fi
+                  echo "  got 503 but body has neither 'Tunnel not online' nor the branded sentinel"
+                fi
+                sleep 5
+              done
+              if [ -z "${ok}" ]; then
+                echo "ERROR: offline connector did not return the expected 503 offline response"
+                kubectl -n default exec conntest -- sh -c 'cat /tmp/body 2>/dev/null | head -c 1000' || true
+                exit 1
+              fi
+              echo "OK: offline connector returns 503 (offline route applied; body is the offline/branded reply)"
+
+    - name: Phase 2 (online) - flip the connector online, then 503->200 with a BuildID advance
+      description: |
+        The headline assertion, self-contained in one step. Capture the
+        extension server's build number, bring the connector online, then require
+        both the 503-to-200 transition and an advance in the build number. The
+        new build proves the edge actually re-applied config, not just that the
+        end state happens to look right. Gated behind ($connectorTestEnabled);
+        if the edge turns out not to re-apply on the change, repoint this to
+        assert the response stays 503.
+      try:
+        # Step 1 (downstream): resolve hostname and capture the build number
+        # before the connector comes online.
+        - script:
+            cluster: nso-downstream
+            skipCommandOutput: true
+            skipLogOutput: true
+            env:
+              - name: EXT_SELECTOR
+                value: ($extServerSelector)
+              - name: EXT_NS
+                value: ($extServerNamespace)
+            content: |
+              set -eu
+              PODS="$(kubectl -n "${EXT_NS}" get pods -l "${EXT_SELECTOR}" \
+                --field-selector=status.phase=Running \
+                -o jsonpath='{.items[*].metadata.name}')"
+              MAX=0
+              for p in ${PODS}; do
+                BODY="$(kubectl -n "${EXT_NS}" exec "${p}" -- \
+                  curl -sS --max-time 10 http://localhost:8080/debug/programmed-set 2>/dev/null || true)"
+                ID="$(printf '%s' "${BODY}" | tr -d ' \n' | sed -n 's/.*"buildID":\([0-9][0-9]*\).*/\1/p')"
+                [ -z "${ID}" ] && ID=0
+                [ "${ID}" -gt "${MAX}" ] && MAX="${ID}"
+              done
+              printf '%s' "${MAX}"
+            outputs:
+              - name: buildIDBefore
+                value: ($stdout)
+        - script:
+            cluster: nso-upstream
+            skipCommandOutput: true
+            skipLogOutput: true
+            content: |
+              kubectl -n $NAMESPACE get httpproxy test-proxy \
+                -o jsonpath='{.status.canonicalHostname}'
+            outputs:
+              - name: proxyHostname
+                value: ($stdout)
+        # Step 2 (upstream): bring the connector online.
+        - script:
+            cluster: nso-upstream
+            env:
+              - name: ENABLED
+                value: ($connectorTestEnabled)
+              - name: NODE_ID
+                value: ($tunnelNodeID)
+            content: |
+              set -eu
+              [ "${ENABLED}" = "true" ] || { echo "SKIP: connectorTestEnabled=false"; exit 0; }
+              STATUS='{"conditions":[{"type":"Ready","status":"True","reason":"ConnectorReady","lastTransitionTime":"2026-06-23T00:00:00Z"}],"connectionDetails":{"type":"PublicKey","publicKey":{"id":"'"${NODE_ID}"'"}}}'
+              ESCAPED=$(printf '%s' "${STATUS}" | sed 's/\\/\\\\/g; s/"/\\"/g')
+              kubectl -n $NAMESPACE patch connector test-connector --type=merge \
+                -p "{\"metadata\":{\"annotations\":{\"networking.datumapis.com/upstream-status\":\"${ESCAPED}\"}}}"
+        # Step 3 (downstream): require the 503-to-200 transition and a build
+        # number advance.
+        - script:
+            timeout: 220s
+            cluster: nso-downstream
+            env:
+              - name: ENABLED
+                value: ($connectorTestEnabled)
+              - name: HOST
+                value: ($proxyHostname)
+              - name: OWNING_GC
+                value: ($downstreamGatewayClass)
+              - name: EXT_SELECTOR
+                value: ($extServerSelector)
+              - name: EXT_NS
+                value: ($extServerNamespace)
+              - name: BEFORE
+                value: ($buildIDBefore)
+            content: |
+              set -eu
+              if [ "${ENABLED}" != "true" ]; then
+                echo "SKIP: connectorTestEnabled=false (awaiting B0 outcome + connect-proxy image)"
+                exit 0
+              fi
+              IP=$(kubectl get svc -n datum-downstream-gateway \
+                -l gateway.envoyproxy.io/owning-gatewayclass=$OWNING_GC \
+                -o jsonpath='{.items[0].spec.clusterIP}')
+              echo "edge IP: ${IP}; BuildID before flip: ${BEFORE}"
+              ok=""
+              for i in $(seq 1 30); do
+                code=$(kubectl -n default exec conntest -- \
+                  curl -ksS -o /dev/null -w '%{http_code}' --max-time 10 \
+                  --resolve "${HOST}:443:${IP}" \
+                  "https://${HOST}/status/200" 2>/dev/null || true)
+                echo "attempt ${i}: online ${HOST} -> ${code}"
+                if [ "${code}" = "200" ]; then ok="yes"; break; fi
+                sleep 5
+              done
+              if [ -z "${ok}" ]; then
+                echo "ERROR: connector came online but the user path never reached 200"
+                echo "       (the edge did not re-translate on the liveness flip — the re-translation gap)"
+                exit 1
+              fi
+              echo "OK: 503->200 transition observed; edge re-translated on liveness flip"
+
+              # The extension server's build number must have advanced past BEFORE.
+              PODS="$(kubectl -n "${EXT_NS}" get pods -l "${EXT_SELECTOR}" \
+                --field-selector=status.phase=Running \
+                -o jsonpath='{.items[*].metadata.name}')"
+              AFTER=0
+              for p in ${PODS}; do
+                BODY="$(kubectl -n "${EXT_NS}" exec "${p}" -- \
+                  curl -sS --max-time 10 http://localhost:8080/debug/programmed-set 2>/dev/null || true)"
+                ID="$(printf '%s' "${BODY}" | tr -d ' \n' | sed -n 's/.*"buildID":\([0-9][0-9]*\).*/\1/p')"
+                [ -z "${ID}" ] && ID=0
+                [ "${ID}" -gt "${AFTER}" ] && AFTER="${ID}"
+              done
+              echo "BuildID after flip: ${AFTER} (require > ${BEFORE})"
+              if [ "${AFTER}" -le "${BEFORE}" ]; then
+                echo "ERROR: BuildID did not advance (no new build); traffic may have"
+                echo "       changed but re-translation did not fire — the #208/#209 gap"
+                exit 1
+              fi
+              echo "OK: BuildID advanced ${BEFORE}->${AFTER}; re-translation genuinely fired"
+      catch:
+        - script:
+            cluster: nso-downstream
+            env:
+              - name: OWNING_GC
+                value: ($downstreamGatewayClass)
+            content: |
+              kubectl -n datum-downstream-gateway logs -l gateway.envoyproxy.io/owning-gatewayclass=$OWNING_GC -c envoy --tail=150
+
+    - name: Phase 3 (back offline) - flip Ready False, the request returns to 503
+      description: |
+        Self-contained step. Take the connector offline, then assert the user
+        path returns to 503. Gated behind ($connectorTestEnabled): the return to
+        503 also depends on the edge re-applying config on the change.
+      try:
+        - script:
+            cluster: nso-upstream
+            skipCommandOutput: true
+            skipLogOutput: true
+            content: |
+              kubectl -n $NAMESPACE get httpproxy test-proxy \
+                -o jsonpath='{.status.canonicalHostname}'
+            outputs:
+              - name: proxyHostname
+                value: ($stdout)
+        - script:
+            cluster: nso-upstream
+            env:
+              - name: ENABLED
+                value: ($connectorTestEnabled)
+            content: |
+              set -eu
+              [ "${ENABLED}" = "true" ] || { echo "SKIP: connectorTestEnabled=false"; exit 0; }
+              kubectl -n $NAMESPACE patch connector test-connector --type=merge \
+                -p '{"metadata":{"annotations":{"networking.datumapis.com/upstream-status":"{\"conditions\":[{\"type\":\"Ready\",\"status\":\"False\",\"reason\":\"ConnectorNotReady\",\"lastTransitionTime\":\"2026-06-23T00:00:00Z\"}]}"}}}'
+        - script:
+            timeout: 200s
+            cluster: nso-downstream
+            env:
+              - name: ENABLED
+                value: ($connectorTestEnabled)
+              - name: HOST
+                value: ($proxyHostname)
+              - name: OWNING_GC
+                value: ($downstreamGatewayClass)
+            content: |
+              set -eu
+              if [ "${ENABLED}" != "true" ]; then
+                echo "SKIP: connectorTestEnabled=false (awaiting B0 outcome + connect-proxy image)"
+                exit 0
+              fi
+              IP=$(kubectl get svc -n datum-downstream-gateway \
+                -l gateway.envoyproxy.io/owning-gatewayclass=$OWNING_GC \
+                -o jsonpath='{.items[0].spec.clusterIP}')
+              ok=""
+              for i in $(seq 1 30); do
+                code=$(kubectl -n default exec conntest -- \
+                  curl -ksS -o /dev/null -w '%{http_code}' --max-time 10 \
+                  --resolve "${HOST}:443:${IP}" \
+                  "https://${HOST}/status/200" 2>/dev/null || true)
+                echo "attempt ${i}: back-offline ${HOST} -> ${code}"
+                if [ "${code}" = "503" ]; then ok="yes"; break; fi
+                sleep 5
+              done
+              [ -n "${ok}" ] || { echo "ERROR: connector went offline but the path never returned to 503"; exit 1; }
+              echo "OK: returned to 503 after the connector went offline"
diff --git a/test/e2e-edge/extension-server-smoke/chainsaw-test.yaml b/test/e2e-edge/extension-server-smoke/chainsaw-test.yaml
new file mode 100644
index 00000000..8f077b4c
--- /dev/null
+++ b/test/e2e-edge/extension-server-smoke/chainsaw-test.yaml
@@ -0,0 +1,337 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+#
+# M2 functional confirmation for the prod-fidelity test-infra env.
+#
+# Drives an upstream Gateway + HTTPRoute through the production wiring — the
+# dedicated downstream Envoy Gateway (v1.7.4) + the NSO extension server
+# (failOpen:false, PostTranslateModify hook) on the real Coraza data plane — and
+# asserts a real HTTP 200 from the data plane. This is the path the default e2e
+# run never exercised (vanilla EG, no ext-server).
+#
+# Cluster names: nso-upstream (control) / nso-downstream (edge).
+# Downstream GatewayClass: datum-downstream-gateway-e2e (controllerName
+# gateway.envoyproxy.io/datum-downstream-gateway — the dedicated downstream EG).
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: extension-server-smoke
+spec:
+  bindings:
+    - name: gatewayClassName
+      value: (join('-', ['e2e', $namespace]))
+  cluster: nso-upstream
+  steps:
+    - name: Upstream GatewayClass (NSO-managed)
+      try:
+        - create:
+            cluster: nso-upstream
+            resource:
+              apiVersion: gateway.networking.k8s.io/v1
+              kind: GatewayClass
+              metadata:
+                name: ($gatewayClassName)
+              spec:
+                controllerName: gateway.networking.datumapis.com/external-global-proxy-controller
+
+    - name: Backend pod + service (edge)
+      try:
+        - description: Hostname-accounting namespace the gateway controller writes into.
+          apply:
+            cluster: nso-downstream
+            resource:
+              apiVersion: v1
+              kind: Namespace
+              metadata:
+                name: datum-downstream-gateway-hostnames
+        - create:
+            cluster: nso-downstream
+            resource:
+              apiVersion: v1
+              kind: Pod
+              metadata:
+                name: backend-pod
+                namespace: default
+                labels:
+                  purpose: backend-pod
+              spec:
+                containers:
+                  - name: test-plaintext
+                    image: ghcr.io/mccutchen/go-httpbin:2.18.1
+                    command: ["/bin/go-httpbin"]
+                    args: ["-host", "0.0.0.0", "-port", "8080"]
+                    resources:
+                      requests: { cpu: 100m, memory: 128Mi }
+                      limits: { cpu: 100m, memory: 128Mi }
+        - create:
+            cluster: nso-downstream
+            resource:
+              apiVersion: v1
+              kind: Service
+              metadata:
+                name: backend-service
+                namespace: default
+              spec:
+                ports:
+                  - name: http
+                    port: 8080
+                    targetPort: 8080
+                selector:
+                  purpose: backend-pod
+
+    - name: Provision Domain
+      try:
+        - create:
+            cluster: nso-upstream
+            resource:
+              apiVersion: networking.datumapis.com/v1alpha
+              kind: Domain
+              metadata:
+                name: test-domain
+              spec:
+                domainName: e2e.env.datum.net
+        - script:
+            content: |
+              kubectl -n $NAMESPACE patch domain test-domain \
+                --subresource=status --type=merge \
+                -p '{"status":{"conditions":[{"type": "Verified", "status": "True", "reason": "Test", "message": "test", "lastTransitionTime": "2025-02-24T23:59:09Z"}]}}'
+
+    - name: Provision Gateway (HTTP) and confirm it programs through the ext-server
+      try:
+        - script:
+            cluster: nso-upstream
+            skipCommandOutput: true
+            skipLogOutput: true
+            content: |
+              kubectl get ns $NAMESPACE -o json
+            outputs:
+              - name: downstreamNamespaceName
+                value: (join('-', ['ns', json_parse($stdout).metadata.uid]))
+
+        - create:
+            cluster: nso-upstream
+            resource:
+              apiVersion: gateway.networking.k8s.io/v1
+              kind: Gateway
+              metadata:
+                name: test-gateway
+              spec:
+                gatewayClassName: ($gatewayClassName)
+                listeners:
+                  - protocol: HTTP
+                    port: 80
+                    name: http-test-e2e
+                    allowedRoutes:
+                      namespaces:
+                        from: Same
+                    hostname: test.e2e.env.datum.net
+
+        # Wait for the operator to publish the canonical hostname.
+        - assert:
+            timeout: 120s
+            cluster: nso-upstream
+            resource:
+              apiVersion: gateway.networking.k8s.io/v1
+              kind: Gateway
+              metadata:
+                name: test-gateway
+              status:
+                (addresses[?type == 'Hostname'] | [0]):
+                  type: Hostname
+
+        # The gateway must report ready. Because the edge is configured to refuse
+        # updates the extension server hasn't accepted, a ready gateway proves the
+        # extension server is in the path and working.
+        - assert:
+            timeout: 180s
+            cluster: nso-downstream
+            resource:
+              apiVersion: gateway.networking.k8s.io/v1
+              kind: Gateway
+              metadata:
+                name: test-gateway
+                namespace: ($downstreamNamespaceName)
+              status:
+                (conditions[?type == 'Accepted']):
+                  - status: "True"
+                (conditions[?type == 'Programmed']):
+                  - status: "True"
+
+    - name: Provision HTTPRoute
+      try:
+        - script:
+            cluster: nso-upstream
+            skipCommandOutput: true
+            skipLogOutput: true
+            content: |
+              kubectl get ns $NAMESPACE -o json
+            outputs:
+              - name: downstreamNamespaceName
+                value: (join('-', ['ns', json_parse($stdout).metadata.uid]))
+
+        - create:
+            cluster: nso-upstream
+            resource:
+              kind: EndpointSlice
+              metadata:
+                name: test-slice-1
+              addressType: FQDN
+              apiVersion: discovery.k8s.io/v1
+              endpoints:
+                - addresses:
+                    - backend-service.default.svc.cluster.local
+                  conditions:
+                    ready: true
+                    serving: true
+                    terminating: false
+              ports:
+                - name: http
+                  appProtocol: http
+                  port: 8080
+
+        - create:
+            cluster: nso-upstream
+            resource:
+              apiVersion: gateway.networking.k8s.io/v1
+              kind: HTTPRoute
+              metadata:
+                name: test-route
+              spec:
+                parentRefs:
+                  - name: test-gateway
+                    kind: Gateway
+                rules:
+                  - matches:
+                      - path:
+                          type: PathPrefix
+                          value: /plaintext
+                    backendRefs:
+                      - group: discovery.k8s.io
+                        kind: EndpointSlice
+                        name: test-slice-1
+                        port: 8080
+                    filters:
+                      - type: URLRewrite
+                        urlRewrite:
+                          path:
+                            type: ReplacePrefixMatch
+                            replacePrefixMatch: /
+
+        - assert:
+            timeout: 120s
+            cluster: nso-downstream
+            resource:
+              apiVersion: gateway.networking.k8s.io/v1
+              kind: HTTPRoute
+              metadata:
+                name: test-route
+                namespace: ($downstreamNamespaceName)
+              status:
+                parents:
+                  - conditions:
+                      - reason: Accepted
+                        status: "True"
+                        type: Accepted
+                      - reason: ResolvedRefs
+                        status: "True"
+                        type: ResolvedRefs
+
+    - name: Real HTTP 200 through the data plane
+      try:
+        - script:
+            cluster: nso-upstream
+            skipCommandOutput: true
+            skipLogOutput: true
+            content: |
+              kubectl -n $NAMESPACE get gateway test-gateway -o json
+            outputs:
+              - name: upstreamGateway
+                value: (json_parse($stdout))
+              - name: primaryHostname
+                value: ($upstreamGateway.status.addresses[?type == 'Hostname'].value | [0])
+
+        # The dedicated downstream EG provisions the merged data-plane Service in
+        # its own namespace (datum-downstream-gateway), labeled by owning
+        # gatewayclass — NOT in envoy-gateway-system.
+        - script:
+            cluster: nso-downstream
+            skipCommandOutput: true
+            skipLogOutput: true
+            content: |
+              kubectl get svc -n datum-downstream-gateway -l gateway.envoyproxy.io/owning-gatewayclass=datum-downstream-gateway-e2e -o json
+            outputs:
+              - name: gatewayService
+                value: (json_parse($stdout).items | [0])
+
+        - assert:
+            cluster: nso-downstream
+            resource:
+              apiVersion: v1
+              kind: Pod
+              metadata:
+                name: backend-pod
+                namespace: default
+              status:
+                phase: Running
+
+        - create:
+            cluster: nso-downstream
+            resource:
+              apiVersion: v1
+              kind: Pod
+              metadata:
+                name: test-pod
+                namespace: default
+              spec:
+                containers:
+                  - name: connectivity-test
+                    image: alpine:3.21.3
+                    command: ["/bin/sh", "-c", "sleep infinity"]
+                    resources:
+                      requests: { cpu: 100m, memory: 128Mi }
+                      limits: { cpu: 100m, memory: 1Gi }
+                    env:
+                      - name: GATEWAY_SERVICE_NAME
+                        value: ($gatewayService.metadata.name)
+                      - name: GATEWAY_SERVICE_NAMESPACE
+                        value: ($gatewayService.metadata.namespace)
+                      - name: PRIMARY_HOSTNAME
+                        value: ($primaryHostname)
+                    lifecycle:
+                      postStart:
+                        exec:
+                          command: ["apk", "add", "curl"]
+                terminationGracePeriodSeconds: 0
+
+        - assert:
+            cluster: nso-downstream
+            resource:
+              apiVersion: v1
+              kind: Pod
+              metadata:
+                name: test-pod
+                namespace: default
+              status:
+                phase: Running
+
+        # Give the proxies a moment to pick up the latest configuration.
+        - sleep:
+            duration: 15s
+
+        - script:
+            cluster: nso-downstream
+            content: |
+              kubectl -n default exec -i test-pod -- sh -c " \
+                set -x; \
+                curl -svf -H \"Host: \${PRIMARY_HOSTNAME}\" http://\${GATEWAY_SERVICE_NAME}.\${GATEWAY_SERVICE_NAMESPACE}.svc.cluster.local/plaintext/status/200; \
+              "
+      catch:
+        - script:
+            cluster: nso-downstream
+            content: |
+              kubectl -n network-services-operator-system logs -l app.kubernetes.io/component=envoy-gateway-extension-server --tail=80 || true
+              kubectl -n datum-downstream-gateway logs deploy/envoy-datum-downstream-gateway --tail=80 || true
+              kubectl -n envoy-gateway-system get pods -o wide || true
+        - script:
+            cluster: nso-upstream
+            content: |
+              kubectl -n network-services-operator-system logs -l app.kubernetes.io/name=network-services-operator --tail=80 || true
diff --git a/test/e2e-edge/waf-enforcement/chainsaw-test.yaml b/test/e2e-edge/waf-enforcement/chainsaw-test.yaml
new file mode 100644
index 00000000..7d0e1448
--- /dev/null
+++ b/test/e2e-edge/waf-enforcement/chainsaw-test.yaml
@@ -0,0 +1,440 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+#
+# Web-app firewall enforcement.
+#
+# Checks that the firewall blocks a malicious request with 403 while a benign
+# request still returns 200 — asserted on the real HTTP responses, never on
+# gateway status, because the firewall rule can be accepted in config yet never
+# actually apply to traffic.
+#
+# The benign-after-malicious request also guards against a bad firewall rule
+# breaking the listener, and the Observe-mode flip at the end proves the 403 is
+# driven by the policy and not some unrelated default.
+#
+# The two cluster names are written inline (nso-upstream / nso-downstream)
+# because chainsaw cannot bind a cluster name. downstreamGatewayClass is both
+# the gateway class created here and the label the edge proxy service is
+# selected by; confirm it against the test environment before a live run.
+#
+# Runs alone (concurrent: false) because it shares cluster-wide downstream
+# config with the other data-plane tests.
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: waf-enforcement
+spec:
+  concurrent: false
+  bindings:
+    - name: clusterIssuerName
+      value: (join('-', ['e2e', $namespace]))
+    - name: gatewayClassName
+      value: (join('-', ['e2e', $namespace]))
+    # The downstream gateway class wired to the extension server.
+    - name: downstreamGatewayClass
+      value: datum-downstream-gateway-e2e
+    # Inputs for the config-presence check, which resolves the extension server
+    # pods by label selector (one per replica).
+    - name: extServerSelector
+      value: app.kubernetes.io/component=envoy-gateway-extension-server
+    - name: extServerNamespace
+      value: network-services-operator-system
+    - name: envoyPodSelector
+      value: gateway.envoyproxy.io/owning-gatewayclass=datum-downstream-gateway-e2e
+    # Namespace holding the data-plane proxy and its admin endpoint.
+    - name: envoyNamespace
+      value: datum-downstream-gateway
+  cluster: nso-upstream
+  steps:
+    - name: Create CA on the downstream cluster
+      try:
+        - create:
+            cluster: nso-downstream
+            resource:
+              apiVersion: cert-manager.io/v1
+              kind: ClusterIssuer
+              metadata:
+                name: (join('-', [$clusterIssuerName, 'issuer']))
+              spec:
+                selfSigned: {}
+        - create:
+            cluster: nso-downstream
+            resource:
+              apiVersion: cert-manager.io/v1
+              kind: Certificate
+              metadata:
+                name: (join('-', [$clusterIssuerName, 'ca']))
+                namespace: cert-manager
+              spec:
+                isCA: true
+                commonName: (join('-', [$clusterIssuerName, 'ca']))
+                secretName: ($clusterIssuerName)
+                privateKey:
+                  algorithm: ECDSA
+                  size: 256
+                issuerRef:
+                  name: (join('-', [$clusterIssuerName, 'issuer']))
+                  kind: ClusterIssuer
+                  group: cert-manager.io
+        - create:
+            cluster: nso-downstream
+            resource:
+              apiVersion: cert-manager.io/v1
+              kind: ClusterIssuer
+              metadata:
+                name: ($clusterIssuerName)
+              spec:
+                ca:
+                  secretName: ($clusterIssuerName)
+        - assert:
+            cluster: nso-downstream
+            resource:
+              apiVersion: cert-manager.io/v1
+              kind: Certificate
+              metadata:
+                name: (join('-', [$clusterIssuerName, 'ca']))
+                namespace: cert-manager
+              status:
+                conditions:
+                  - type: Ready
+                    status: "True"
+
+    - name: Create the upstream GatewayClass (downstream class/EnvoyProxy are pre-provisioned)
+      try:
+        - create:
+            cluster: nso-upstream
+            resource:
+              apiVersion: gateway.networking.k8s.io/v1
+              kind: GatewayClass
+              metadata:
+                name: ($gatewayClassName)
+              spec:
+                controllerName: gateway.networking.datumapis.com/external-global-proxy-controller
+        # The downstream gateway class and its proxy are provisioned once by the
+        # test environment; tests must not recreate them. Only ensure the
+        # hostname-accounting namespace here.
+        - apply:
+            cluster: nso-downstream
+            resource:
+              apiVersion: v1
+              kind: Namespace
+              metadata:
+                name: datum-downstream-gateway-hostnames
+
+    - name: Create the echo backend
+      try:
+        - apply:
+            cluster: nso-downstream
+            file: ../_fixtures/echo-backend.yaml
+
+    - name: Provision and verify the Domain
+      try:
+        - create:
+            cluster: nso-upstream
+            resource:
+              apiVersion: networking.datumapis.com/v1alpha
+              kind: Domain
+              metadata:
+                name: test-domain
+              spec:
+                domainName: e2e.env.datum.net
+        - description: Stand in for the Domain controller's HTTP/DNS verification.
+          script:
+            content: |
+              kubectl -n $NAMESPACE patch domain test-domain \
+                --subresource=status --type=merge \
+                -p '{"status":{"conditions":[{"type": "Verified", "status": "True", "reason": "Test", "message": "test", "lastTransitionTime": "2025-02-24T23:59:09Z"}]}}'
+
+    - name: Provision a Gateway, route, and an Enforce-mode TrafficProtectionPolicy
+      try:
+        - script:
+            cluster: nso-upstream
+            skipCommandOutput: true
+            skipLogOutput: true
+            content: |
+              kubectl get ns $NAMESPACE -o json
+            outputs:
+              - name: downstreamNamespaceName
+                value: (join('-', ['ns', json_parse($stdout).metadata.uid]))
+        - create:
+            cluster: nso-upstream
+            resource:
+              apiVersion: gateway.networking.k8s.io/v1
+              kind: Gateway
+              metadata:
+                name: test-gateway
+              spec:
+                gatewayClassName: ($gatewayClassName)
+                listeners:
+                  - protocol: HTTPS
+                    port: 443
+                    name: https-waf
+                    allowedRoutes:
+                      namespaces:
+                        from: Same
+                    hostname: waf.e2e.env.datum.net
+                    tls:
+                      mode: Terminate
+                      options:
+                        gateway.networking.datumapis.com/certificate-issuer: ($clusterIssuerName)
+        - create:
+            cluster: nso-upstream
+            resource:
+              apiVersion: discovery.k8s.io/v1
+              kind: EndpointSlice
+              metadata:
+                name: test-slice-1
+              addressType: FQDN
+              endpoints:
+                - addresses:
+                    - echo-backend.default.svc.cluster.local
+                  conditions:
+                    ready: true
+                    serving: true
+                    terminating: false
+              ports:
+                - name: http
+                  appProtocol: http
+                  port: 8080
+        - create:
+            cluster: nso-upstream
+            resource:
+              apiVersion: gateway.networking.k8s.io/v1
+              kind: HTTPRoute
+              metadata:
+                name: test-route
+              spec:
+                parentRefs:
+                  - name: test-gateway
+                    kind: Gateway
+                rules:
+                  - matches:
+                      - path:
+                          type: PathPrefix
+                          value: /
+                    backendRefs:
+                      - group: discovery.k8s.io
+                        kind: EndpointSlice
+                        name: test-slice-1
+                        port: 8080
+        # Enforce mode: a matching request must be blocked with 403.
+        - create:
+            cluster: nso-upstream
+            resource:
+              apiVersion: networking.datumapis.com/v1alpha
+              kind: TrafficProtectionPolicy
+              metadata:
+                name: test-waf
+              spec:
+                targetRefs:
+                  - group: gateway.networking.k8s.io
+                    kind: Gateway
+                    name: test-gateway
+                mode: Enforce
+                ruleSets:
+                  - type: OWASPCoreRuleSet
+                    owaspCoreRuleSet: {}
+        - assert:
+            timeout: 120s
+            cluster: nso-upstream
+            resource:
+              apiVersion: gateway.networking.k8s.io/v1
+              kind: Gateway
+              metadata:
+                name: test-gateway
+              status:
+                (addresses[?type == 'Hostname'] | [0]):
+                  type: Hostname
+      catch:
+        - script:
+            cluster: nso-upstream
+            content: |
+              kubectl -n network-services-operator-system logs -l app.kubernetes.io/name=network-services-operator --tail=200
+              kubectl -n $NAMESPACE get gateway,httproute,trafficprotectionpolicy -o yaml
+
+    - name: Stand up the long-lived conntest client and resolve the edge IP
+      try:
+        - assert:
+            cluster: nso-downstream
+            resource:
+              apiVersion: v1
+              kind: Pod
+              metadata:
+                name: echo-backend
+                namespace: default
+              status:
+                phase: Running
+        - create:
+            cluster: nso-downstream
+            resource:
+              apiVersion: v1
+              kind: Pod
+              metadata:
+                name: conntest
+                namespace: default
+              spec:
+                containers:
+                  - name: curl
+                    image: curlimages/curl:8.11.1
+                    command: ["sleep", "infinity"]
+                    resources:
+                      requests:
+                        cpu: 50m
+                        memory: 64Mi
+                      limits:
+                        cpu: 100m
+                        memory: 128Mi
+                terminationGracePeriodSeconds: 0
+        - assert:
+            cluster: nso-downstream
+            resource:
+              apiVersion: v1
+              kind: Pod
+              metadata:
+                name: conntest
+                namespace: default
+              status:
+                phase: Running
+    - name: Benign request returns 200
+      use:
+        template: ../_steps/assert-http-response.yaml
+        with:
+          bindings:
+            - { name: host, value: waf.e2e.env.datum.net }
+            - { name: path, value: /get }
+            - { name: scheme, value: https }
+            - { name: expectCode, value: "200" }
+
+    - name: Malicious requests are blocked with 403 (SQLi, traversal, XSS)
+      try:
+        - description: |
+            Send each malicious payload and require a 403. Assert on the 403
+            itself, not on which firewall rule fired, since rule identifiers
+            change between rule-set versions. If the firewall rule never applied,
+            these return 200 and the step fails.
+          script:
+            timeout: 240s
+            cluster: nso-downstream
+            env:
+              - name: HOST
+                value: waf.e2e.env.datum.net
+              - name: OWNING_GC
+                value: ($downstreamGatewayClass)
+            content: |
+              set -eu
+              # Resolve the edge IP here; output bindings don't cross steps.
+              IP=$(kubectl get svc -n datum-downstream-gateway \
+                -l gateway.envoyproxy.io/owning-gatewayclass=$OWNING_GC \
+                -o jsonpath='{.items[0].spec.clusterIP}')
+              # Malicious payloads, kept inline so the assertion is
+              # self-contained; the corpus file is the reviewable source.
+              fail=0
+              for q in \
+                'id=1%27%20OR%20%271%27%3D%271' \
+                'q=UNION%20SELECT%20username%2Cpassword%20FROM%20users' \
+                'file=..%2F..%2F..%2Fetc%2Fpasswd' \
+                'x=%3Cscript%3Ealert(1)%3C%2Fscript%3E' ; do
+                code=$(kubectl -n default exec conntest -- \
+                  curl -ksS -o /dev/null -w '%{http_code}' --max-time 10 \
+                  --resolve "${HOST}:443:${IP}" \
+                  "https://${HOST}/get?${q}" 2>/dev/null || true)
+                echo "malicious '${q}' -> ${code}"
+                if [ "${code}" != "403" ]; then
+                  echo "  ERROR: expected 403 (WAF block), got ${code}"
+                  fail=1
+                fi
+              done
+              [ "${fail}" -eq 0 ] || { echo "ERROR: a malicious request was not blocked"; exit 1; }
+              echo "OK: all malicious requests blocked with 403"
+      catch:
+        - script:
+            cluster: nso-downstream
+            content: |
+              kubectl -n datum-downstream-gateway logs -l gateway.envoyproxy.io/owning-gatewayclass=$OWNING_GC -c envoy --tail=100
+            env:
+              - name: OWNING_GC
+                value: ($downstreamGatewayClass)
+
+    - name: Benign request still returns 200 after the WAF blocks (parser.Merge guard)
+      description: |
+        Checks the listener still works after a firewall block. If a bad
+        firewall rule broke the proxy or its listener, this returns non-200 and
+        the test fails.
+      use:
+        template: ../_steps/assert-http-response.yaml
+        with:
+          bindings:
+            - { name: host, value: waf.e2e.env.datum.net }
+            - { name: path, value: /get }
+            - { name: scheme, value: https }
+            - { name: expectCode, value: "200" }
+
+    - name: Observe-mode control - the same malicious request now returns 200
+      try:
+        - description: |
+            Switch the policy to Observe so the firewall logs but does not
+            block. This proves the 403 above came from the policy, not an
+            unrelated default.
+          patch:
+            cluster: nso-upstream
+            resource:
+              apiVersion: networking.datumapis.com/v1alpha
+              kind: TrafficProtectionPolicy
+              metadata:
+                name: test-waf
+              spec:
+                mode: Observe
+      catch:
+        - script:
+            cluster: nso-downstream
+            content: |
+              kubectl -n datum-downstream-gateway logs -l gateway.envoyproxy.io/owning-gatewayclass=$OWNING_GC -c envoy --tail=100
+            env:
+              - name: OWNING_GC
+                value: ($downstreamGatewayClass)
+
+    - name: In Observe mode the previously-blocked SQLi request returns 200
+      description: |
+        After the switch to Observe, the edge must pick up the new config and
+        the same payload that returned 403 now returns 200. This 403-to-200
+        transition is what proves enforcement is driven by the policy.
+      use:
+        template: ../_steps/assert-http-response.yaml
+        with:
+          bindings:
+            - { name: host, value: waf.e2e.env.datum.net }
+            - { name: path, value: "/get?id=1%27%20OR%20%271%27%3D%271" }
+            - { name: scheme, value: https }
+            - { name: expectCode, value: "200" }
+
+    # Let the edge config settle after the Observe-mode switch before the
+    # config-presence check compares.
+    - name: Wait for the edge config to settle before the parity gate
+      use:
+        template: ../_steps/wait-config-settle.yaml
+        with:
+          bindings:
+            - { name: extServerSelector, value: app.kubernetes.io/component=envoy-gateway-extension-server }
+            - { name: extServerNamespace, value: network-services-operator-system }
+
+    # Runs last so a config-presence hiccup never masks the firewall traffic
+    # assertions above.
+    - name: Config-presence - the WAF config actually landed at the edge (parity gate)
+      description: |
+        Confirms the firewall config is actually present at the edge: the live
+        proxy config carries exactly the firewall rules the extension server
+        reports it programmed, and the proxy accepted the update. The traffic
+        assertions prove the firewall blocks; this proves the config is present
+        and not silently dropped.
+      use:
+        template: ../_steps/assert-config-dump.yaml
+        with:
+          # Values are inlined, not referenced as ($envoyNamespace) etc.: a
+          # with-binding whose name matches a template default resolves ($name)
+          # against the template default, not this test's value. Literals avoid
+          # that self-reference.
+          bindings:
+            - { name: envoyPodSelector, value: gateway.envoyproxy.io/owning-gatewayclass=datum-downstream-gateway-e2e }
+            - { name: envoyNamespace, value: datum-downstream-gateway }
+            - { name: extServerSelector, value: app.kubernetes.io/component=envoy-gateway-extension-server }
+            - { name: extServerNamespace, value: network-services-operator-system }
+            - { name: dataplaneCluster, value: nso-downstream }