The Impartial Auditor: ValidKeep Verify Without AI

Platform 8 min read

New here? ValidKeep governs regulated software with linked atomic files in Git and deterministic npx validkeep verify (no LLM in the audit path). Optional ysbuild helps author specs; verify is the impartial gate either way.

Start with the ecosystem map for the platform stack (assurance profile, landscape profile, CLI, ValidKeep Hub). Then read the atomic model ($D_x$, $R_x$, $C_x$, $L_x$) if notation like $C_x$ is unfamiliar. Operational Qualification (OQ) and Performance Qualification (PQ) are explained in their own articles.

npx validkeep verify is not an LLM. It is a deterministic, profile-driven auditor that keeps authoring tools (including Yttrigen ysbuild) honest. Exit code zero means the repository satisfies the assurance grammar referenced in validkeep.yaml; anything else blocks promotion.

What verify checks

Atomic file types use short role codes (rx, cx, lx, and others) defined in the assurance profile; see ysbuild for the full inventory.

  • DAG balance: demand and supply equations per module ($O_x = C_x$ where enforced); see the atomic model
  • Sidecar trace joins: fragment headings link across dx/rx/cx/lx/oqtest/pqtest/code per profile rules
  • Orphan policy: code without rx/lx/cx chain fails CI (zero-orphan posture)
  • Fragment attributes: required risk tags, heading shapes, parser-specific structure
  • Profile-required headings: each node type's authoring standard from the assurance YAML

MiniHub vs ValidKeep Hub

  • MiniHub: local rehearsal ledger; headless cycles in sandbox and developer machines
  • ValidKeep Hub: official CR and release ledger; human signatures on formal test evidence

Verify runs locally and in CI; ValidKeep Hub records executed cycles and attestation. Both are deterministic services; neither invokes a language model.

Zero-orphan example

Suppose CR-101 adds calculator code but omits an updated calc.rx.md trace join. npx validkeep verify fails on the devcr push: the DAG shows CODE without a complete upstream chain. The developer must fix atoms, not override the gate. That is the scope-change story regulators expect: silent code drift cannot merge.

CI + ValidKeep Hub triangle on devcr push

Three gates must align:

  1. CLI exit 0 (assurance grammar satisfied)
  2. ValidKeep Hub CR unlocked for the branch action
  3. Studio scope check: touched files map to modules assigned to the CR

See Governed SDLC landscape for branch context.

Contrast with ysbuild

ysbuild agents propose patches; npx validkeep verify accepts or rejects. Agents may hallucinate structure; verify cannot. That separation is intentional for QA review: impartial verification suitable for signature, with humans signing ValidKeep Hub evidence, not model outputs.

Regulatory framing

Deterministic verify supports ALCOA+ integrity: the same inputs yield the same pass/fail. Combined with executed OQ drivers and PQ telemetry in ValidKeep Hub, you have evidence tied to commit SHA, not attestations divorced from running software.


Where to go next