diff --git a/test/anubis_configs/less_paranoid.yaml b/test/anubis_configs/less_paranoid.yaml new file mode 100644 index 00000000..f3679f20 --- /dev/null +++ b/test/anubis_configs/less_paranoid.yaml @@ -0,0 +1,10 @@ +bots: + - name: challenge + user_agent_regex: Mozilla + action: WEIGH + weight: + adjust: 10 + +status_codes: + CHALLENGE: 401 + DENY: 403 diff --git a/test/caddy/docker-compose.yaml b/test/caddy/docker-compose.yaml index 73ccce5d..a7456ff2 100644 --- a/test/caddy/docker-compose.yaml +++ b/test/caddy/docker-compose.yaml @@ -9,14 +9,14 @@ services: - "../pki/caddy.local.cetacean.club:/etc/techaro/pki/caddy.local.cetacean.club/" anubis: - image: ghcr.io/techarohq/anubis:main + image: ko.local/anubis environment: BIND: ":3000" TARGET: http://httpdebug:3000 - POLICY_FNAME: /etc/techaro/anubis/less_paranoid.yaml + POLICY_FNAME: /cfg/less_paranoid.yaml + SLOG_LEVEL: DEBUG volumes: - - ../anubis_configs:/etc/techaro/anubis + - ../anubis_configs:/cfg httpdebug: image: ghcr.io/xe/x/httpdebug - pull_policy: always diff --git a/test/caddy/start.sh b/test/caddy/start.sh deleted file mode 100644 index 7e617e20..00000000 --- a/test/caddy/start.sh +++ /dev/null @@ -1,22 +0,0 @@ -#!/usr/bin/env bash - -# If the transient local TLS certificate doesn't exist, mint a new one -if [ ! -f ../pki/caddy.local.cetacean.club/cert.pem ]; then - # Subshell to contain the directory change - ( - cd ../pki \ - && mkdir -p caddy.local.cetacean.club \ - && \ - # Try using https://github.com/FiloSottile/mkcert for better DevEx, - # but fall back to using https://github.com/jsha/minica in case - # you don't have that installed. - ( - mkcert \ - --cert-file ./caddy.local.cetacean.club/cert.pem \ - --key-file ./caddy.local.cetacean.club/key.pem caddy.local.cetacean.club \ - || go tool minica -domains caddy.local.cetacean.club - ) - ) -fi - -docker compose up --build \ No newline at end of file 
diff --git a/test/caddy/test.mjs b/test/caddy/test.mjs
new file mode 100644
index 00000000..1e53a23c
--- /dev/null
+++ b/test/caddy/test.mjs
@@ -0,0 +1,27 @@
+async function testWithUserAgent(userAgent) {
+ const statusCode =
+ await fetch("https://relayd.local.cetacean.club:8443/reqmeta", {
+ headers: {
+ "User-Agent": userAgent,
+ }
+ })
+ .then(resp => resp.status);
+ return statusCode;
+}
+
+const codes = {
+ Mozilla: await testWithUserAgent("Mozilla"),
+ curl: await testWithUserAgent("curl"),
+}
+
+const expected = {
+ Mozilla: 401,
+ curl: 200,
+};
+
+console.log("Mozilla:", codes.Mozilla);
+console.log("curl: ", codes.curl);
+
+if (JSON.stringify(codes) !== JSON.stringify(expected)) {
+ throw new Error(`wanted ${JSON.stringify(expected)}, got: ${JSON.stringify(codes)}`);
+}
\ No newline at end of file
diff --git a/test/caddy/test.sh b/test/caddy/test.sh
new file mode 100755
index 00000000..489418c9
--- /dev/null
+++ b/test/caddy/test.sh
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+source ../lib/lib.sh
+
+build_anubis_ko
+
+docker compose up -d --build
+
+export NODE_TLS_REJECT_UNAUTHORIZED=0
+
+backoff-retry node test.mjs
diff --git a/test/lib/lib.sh b/test/lib/lib.sh
new file mode 100644
index 00000000..37dcc898
--- /dev/null
+++ b/test/lib/lib.sh
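Review bot: In test/caddy/test.mjs the request goes to `https://relayd.local.cetacean.club:8443/reqmeta`, while the Caddy setup touched by this commit (the PKI mount in test/caddy/docker-compose.yaml) is named caddy.local.cetacean.club. This looks like a hostname carried over from another test, so the request may never reach the Caddy stack under test; if so, the URL should name the Caddy host and whatever port the compose file publishes. Separately, comparing `JSON.stringify(codes)` with `JSON.stringify(expected)` only works while both literals list their keys in the same order. Asserting each status on its own would make a failure say which user agent got the wrong code.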
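Review bot: In test/caddy/test.sh, `export NODE_TLS_REJECT_UNAUTHORIZED=0` turns off certificate verification for every Node process started after it, so the test no longer checks that the proxy serves the certificate it was given. The deleted start.sh minted a local certificate before `docker compose up`, but this script does not call `mint_cert` from lib.sh, so on a fresh checkout the mounted PKI directory may be empty. I would call `mint_cert caddy.local.cetacean.club` before `docker compose up -d --build` and, where the minting tool's root certificate is available, trust it with `NODE_EXTRA_CA_CERTS=<path-to-local-CA.pem>` instead of disabling verification. If verification has to stay off, set the variable only on the `node` command line, with a comment saying it is for the throwaway local certificate.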
@@ -0,0 +1,54 @@
+REPO_ROOT=$(git rev-parse --show-toplevel)
+(cd $REPO_ROOT && go install ./utils/cmd/...)
+
+function cleanup() {
+ pkill -P $$
+
+ if [ -f "docker-compose.yaml" ]; then
+ docker compose down
+ fi
+}
+
+trap cleanup EXIT SIGINT
+
+function build_anubis_ko() {
+ (
+ cd ../.. &&
+ VERSION=devel ko build \
+ --platform=all \
+ --base-import-paths \
+ --tags="latest" \
+ --image-user=1000 \
+ --image-annotation="" \
+ --image-label="" \
+ ./cmd/anubis \
+ -L
+ )
+}
+
+function mint_cert() {
+ if [ "$#" -ne 1 ]; then
+ echo "Usage: mint_cert "
+ fi
+
+ domainName="$1"
+
+ # If the transient local TLS certificate doesn't exist, mint a new one
+ if [ ! -f "../pki/${domainName}/cert.pem" ]; then
+ # Subshell to contain the directory change
+ (
+ cd ../pki &&
+ mkdir -p "${domainName}" &&
+ # Try using https://github.com/FiloSottile/mkcert for better DevEx,
+ # but fall back to using https://github.com/jsha/minica in case
+ # you don't have that installed.
+ (
+ mkcert \
+ --cert-file ./"${domainName}"/cert.pem \
+ --key-file ./"${domainName}"/key.pem \
+ "${domainName}" ||
+ go tool minica -domains "${domainName}"
+ )
+ )
+ fi
+}
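Review bot: In `mint_cert`, the argument-count check only prints the usage line and then falls through, so a call with the wrong number of arguments still runs the minting steps with whatever `$1` holds. Return after the message, e.g. `echo "Usage: mint_cert <domain>" >&2; return 1`. In `cleanup`, `pkill -P $$` exits non-zero when no child processes match, and test.sh sources this file after `set -euo pipefail`, so the trap may stop before `docker compose down` runs; `pkill -P $$ || true` avoids that. `cd $REPO_ROOT` should also be quoted as `cd "$REPO_ROOT"` so a checkout path containing spaces still works.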