The Impartial Auditor: ValidKeep Verify Without AI
New here? ValidKeep governs regulated software with linked atomic files in Git and deterministic npx validkeep verify (no LLM in the audit path). Optional ysbuild helps author specs; verify is the impartial gate either way.
Start with the ecosystem map for the platform stack (assurance profile, landscape profile, CLI, ValidKeep Hub). Then read the atomic model ($D_x$, $R_x$, $C_x$, $L_x$) if notation like $C_x$ is unfamiliar. Operational Qualification (OQ) and Performance Qualification (PQ) are explained in their own articles.
npx validkeep verify is not an LLM. It is a deterministic, profile-driven auditor that keeps authoring tools (including Yttrigen ysbuild) honest. Exit code zero means the repository satisfies the assurance grammar referenced in validkeep.yaml; anything else blocks promotion.
What verify checks
Atomic file types use short role codes (rx, cx, lx, and others) defined in the assurance profile; see ysbuild for the full inventory.
- DAG balance: demand and supply equations per module ($O_x = C_x$ where enforced); see the atomic model
- Sidecar trace joins: fragment headings link across
dx/rx/cx/lx/oqtest/pqtest/codeper profile rules - Orphan policy: code without
rx/lx/cxchain fails CI (zero-orphan posture) - Fragment attributes: required risk tags, heading shapes, parser-specific structure
- Profile-required headings: each node type's authoring standard from the assurance YAML
MiniHub vs ValidKeep Hub
- MiniHub: local rehearsal ledger; headless cycles in sandbox and developer machines
- ValidKeep Hub: official CR and release ledger; human signatures on formal test evidence
Verify runs locally and in CI; ValidKeep Hub records executed cycles and attestation. Both are deterministic services; neither invokes a language model.
Zero-orphan example
Suppose CR-101 adds calculator code but omits an updated calc.rx.md trace join. npx validkeep verify fails on the devcr push: the DAG shows CODE without a complete upstream chain. The developer must fix atoms, not override the gate. That is the scope-change story regulators expect: silent code drift cannot merge.
CI + ValidKeep Hub triangle on devcr push
Three gates must align:
- CLI exit 0 (assurance grammar satisfied)
- ValidKeep Hub CR unlocked for the branch action
- Studio scope check: touched files map to modules assigned to the CR
See Governed SDLC landscape for branch context.
Contrast with ysbuild
ysbuild agents propose patches; npx validkeep verify accepts or rejects. Agents may hallucinate structure; verify cannot. That separation is intentional for QA review: impartial verification suitable for signature, with humans signing ValidKeep Hub evidence, not model outputs.
Regulatory framing
Deterministic verify supports ALCOA+ integrity: the same inputs yield the same pass/fail. Combined with executed OQ drivers and PQ telemetry in ValidKeep Hub, you have evidence tied to commit SHA, not attestations divorced from running software.