OpenGantry is not a certification. It is a local evidence engine: every mission leaves a chain in Git that a reviewer can open without trusting IDE chat or a hand-waved “passed locally.”

The chain

  1. A Planner legislates scope in .gitagent/missions/MSN-XXXX.yaml and commits [MSN-XXXX].
  2. An executor edits only inside TMVC roots.
  3. Evidence lands in EXECUTOR_LOG.md as verbatim PASS quotes.
  4. gantry verify checks the gate command and maps every claimed PASS to a real quote.

If the gate fails, a quote is missing, or an anchor is wrong, verify fails closed. Nothing passes because a model said so.

Who does what

The Planner (allowlisted in GANTRY_PLANNER_EMAILS) owns mission law and governance commits. The executor does the edits. The verifier is gantry verify, a deterministic process separate from whoever did the work. Rule 4.4 in .gitagent/planner/RULES.md treats a PASS claim without a matching EXECUTOR_LOG.md quote as evidence tampering.

What to open in a review

ArtifactWhat it shows
Mission YAMLScope, gate command, trace rows
Planner commit [MSN-XXXX]Who authorized the change
EXECUTOR_LOG.mdVerbatim quotes tied to DoD rows
Verify JSONGate result and structured failures

Success envelope:

{
  "status": "passed",
  "phase": "full",
  "msn_id": "MSN-0042",
  "mission_file_path": ".gitagent/missions/MSN-0042.ship-feature.yaml"
}

Failure item:

{
  "failed_gate": "arch",
  "offending_file": "src/core/auth.ts",
  "line": 12,
  "severity": "error",
  "resolution_hint": "Import crosses layer boundary per TARGET_ARCHITECTURE.yaml"
}

Compliance context

OpenGantry does not replace your QMS, pen test, or auditor. It gives you developer-native artifacts you can attach to control narratives.

For SOC 2 change management, mission commits plus verify JSON show scoped, gated changes instead of opaque agent edits. For ISO/IEC 27001 logging themes, Git history plus EXECUTOR_LOG.md plus deterministic gates read as a reproducible audit log. For ISO/IEC 42001 traceability, the mission contract and bounded TMVC bound what automated work was allowed to do.

Certification outcomes still depend on policies, access control, infra, and training across the whole environment.

Weak vs strong evidence

Chat “looks good” is weak. A mission YAML bound to a [MSN-XXXX] commit, trace quotes in Git, and a named gate with verify output is strong. Retention follows your Git policy: branches, tags, signed commits, and optional git notes for break-glass (refs/notes/gxt-bypass) with a recorded reason.

Break-glass

gantry verify --break-glass --reason "..." exists for emergencies. It is explicit, reasoned, and note-backed. Forbidden-zone policy is never bypassed.

Further reading