Validation Pipeline

adr-ledger now has a layered validation path:

  1. scripts/validate_adr.py
     • parses YAML frontmatter and Markdown sections
     • validates the merged document against ./.schema/adr.schema.json
     • detects unresolved template placeholders
  2. scripts/opa-validate.sh
     • evaluates each ADR against ./policies/adr/validation.rego
     • uses data.adr.validation.result as the default OPA query
  3. .chain/sbom_manager.py
     • generates candidate SBOM manifests from the current repository state
     • publishes official manifests through the internal SBOM registry service
     • verifies the current state against the remote official manifest when ADR_SBOM_SERVICE_URL is configured
  4. .chain/bitcoin_attestation.py
     • signs or verifies snapshot receipts using ECDSA secp256k1
     • stores receipts in ./.chain/bitcoin/receipts

Commands

nix develop --command bash -lc '
  bash scripts/validate.sh
'

nix develop --command bash -lc '
  bash scripts/opa-validate.sh
'

nix develop --command bash -lc '
  export ADR_SBOM_BACKEND=service
  export ADR_SBOM_SERVICE_URL=http://127.0.0.1:8787
  python3.13 .chain/sbom_manager.py publish --git-ref "$(git rev-parse HEAD)"
  python3.13 .chain/sbom_manager.py verify --remote --strict-remote --expected-ref "$(git rev-parse HEAD)"
'

nix develop --command bash -lc '
  python3.13 .chain/bitcoin_attestation.py keygen --name kernelcore
  python3.13 .chain/bitcoin_attestation.py attest --signer kernelcore
  python3.13 .chain/bitcoin_attestation.py verify-all
'

Gate Semantics

  • Hard fail: malformed ADR, schema violation, or OPA denial.
  • Hard fail: remote SBOM verification mismatch or missing official manifest when remote validation is required (ADR_SBOM_REQUIRE_REMOTE=1 or CI strict mode).
  • Soft warning: historical chain drift or missing Bitcoin-compatible receipts when governance is in warn mode.
  • Dedicated cryptographic commands remain available when you want strict enforcement:
      • adr chain verify
      • adr sbom verify --remote --strict-remote
      • adr bitcoin verify-all

Scope Clarification

The Bitcoin layer implemented here is a local secp256k1 attestation flow, compatible with Bitcoin cryptographic primitives, but it does not broadcast transactions or implement wallet signmessage RPC semantics. It is intended as a deterministic receipt layer that can be anchored or bridged later.
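The local secp256k1 attestation flow described above, as an added Python example that is not adr-ledger's .chain/bitcoin_attestation.py: a snapshot of repository files is reduced to one digest, a receipt over that digest is signed with ECDSA on secp256k1, and verification recomputes the digest from the current tree before checking the signature. The curve arithmetic is written out with plain integers so the example needs only the standard library. The nonce derivation (a hash of key and digest, not RFC 6979), the snapshot digest format, the receipt fields, the in-memory receipt instead of ./.chain/bitcoin/receipts, the signer name kernelcore and the sample files are assumptions. As in the project's flow, nothing is broadcast and no wallet RPC is involved.

```python
import hashlib
import json

# Added example (not adr-ledger's .chain/bitcoin_attestation.py): ECDSA over secp256k1 in plain
# Python integers, used to sign and verify a receipt over a snapshot digest. The nonce derivation,
# the receipt layout and the sample files are constructed assumptions; production code should use
# RFC 6979 nonces and a vetted library rather than this hand-rolled arithmetic.

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F  # field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(a, b):
    """Affine group law on y^2 = x^3 + 7 over GF(P); None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                    # a + (-a)
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P     # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P      # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def scalar_mul(k, point):
    """Double-and-add scalar multiplication; k may be any non-negative integer."""
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result

def keygen(seed_int):
    """Private scalar d in [1, N-1] and the public point d*G."""
    d = seed_int % N or 1
    return d, scalar_mul(d, G)

def sign(d, digest):
    """Return (r, s) with low-s normalisation, the form Bitcoin consensus accepts."""
    z = int.from_bytes(digest, "big")
    # Simplified deterministic nonce (assumption, not RFC 6979): sha256(d || digest) mod N.
    k = int.from_bytes(hashlib.sha256(d.to_bytes(32, "big") + digest).digest(), "big") % N or 1
    while True:
        r = scalar_mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * d) % N
        if r and s:
            break
        k = k % (N - 1) + 1                            # retry with a different nonce if r or s is 0
    return r, N - s if s > N // 2 else s

def verify(pub, digest, sig):
    """Standard ECDSA check: x(u1*G + u2*Q) mod N must equal r."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    z = int.from_bytes(digest, "big")
    w = pow(s, -1, N)
    point = point_add(scalar_mul(z * w % N, G), scalar_mul(r * w % N, pub))
    return point is not None and point[0] % N == r

def snapshot_digest(files):
    """SHA-256 of a canonical JSON listing {path: sha256(content)} (constructed snapshot format)."""
    listing = {path: hashlib.sha256(content).hexdigest() for path, content in files.items()}
    return hashlib.sha256(json.dumps(listing, sort_keys=True, separators=(",", ":")).encode()).digest()

def attest(signer, d, files):
    """Produce a receipt binding the signer name to the current snapshot digest."""
    digest = snapshot_digest(files)
    r, s = sign(d, digest)
    return {"signer": signer, "digest": digest.hex(), "r": f"{r:064x}", "s": f"{s:064x}"}

def verify_receipt(receipt, pub, files):
    """Valid only if the tree still hashes to the recorded digest AND the signature checks."""
    digest = snapshot_digest(files)
    if digest.hex() != receipt["digest"]:
        return False                                   # repository drifted since attestation
    return verify(pub, digest, (int(receipt["r"], 16), int(receipt["s"], 16)))

# Constructed repository snapshot and a deterministic demo key (never derive real keys this way).
FILES = {
    "docs/adr/0007-pin-opa-bundle.md": b"---\nid: ADR-0007\nstatus: accepted\n---\n",
    "policies/adr/validation.rego": b"package adr.validation\n",
}
PRIV, PUB = keygen(int.from_bytes(hashlib.sha256(b"kernelcore demo seed (constructed)").digest(), "big"))
RECEIPT = attest("kernelcore", PRIV, FILES)
```

Verification deliberately has two halves: recomputing the snapshot digest from the current tree, and checking the signature over the stored digest. A receipt failing the first half means the repository changed after attestation (the "chain drift" the gate semantics treat as a warning); one failing the second half was not produced by the named signer's key and should be treated as a hard failure. Keeping s in the low half of the group order matches Bitcoin's canonical-signature rule, so a receipt signed this way stays compatible if it is ever anchored with a real transaction later.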