Workflow 4: Employee Validation And Trust Decision
Lea from Release Operations receives the document and wants to know whether it is intact and actually signed by a trusted board member.
Verify the file cryptographically
Her first step is a direct cryptographic verification against the board author registry.
protoparser verify pml "./governance/board-release-approval.pml"
If the nearest project protoml.macros.json already lists the board registry, this checks the detached signature cryptographically and also looks up the signer without extra flags.
Inspect the full trust result
protoparser trust "./governance/board-release-approval.pml"
This is the better command when Lea wants the full trust picture, including document-level trust classification and any imported ProtoML dependencies. Extra -trustRegistry=... flags are only needed when the project config does not already list every relevant source.
Run strict validation before reuse
protoparser validate "./governance/board-release-approval.pml" -trust=strict
This catches structural issues too, not just signature issues. The nearest project protoml.macros.json is used automatically when present.
What if registries are split?
Some companies separate responsibilities:
- the board secretariat owns the author-only registry
- the platform team owns a macro/package registry
Then the employee can combine them:
protoparser validate "./governance/board-release-approval.pml" -trust=strict -trustRegistry="./board-authors-registry" -trustRegistry="./macro-registry"
ProtoML merges the provided trust sources for author lookup. Registries that have no relevant authors entries simply add nothing to that part of the result.
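The three checks above chained into one fail-closed gate, as an added example that is not part of ProtoML or its documentation. It assumes protoparser exits non-zero when a check fails (this page does not state the exit codes); the gate_document function name and the PROTOPARSER override variable are hypothetical.

```shell
#!/bin/sh
# Added example, not part of ProtoML: fail-closed gate around the commands above.
# Assumption: protoparser exits non-zero when a check fails; confirm for your version.
# Usage (hypothetical function name):
#   gate_document ./governance/board-release-approval.pml ./board-authors-registry ./macro-registry

gate_document() {
    pp=${PROTOPARSER:-protoparser}   # hypothetical override, lets a test swap in a stub
    doc=$1
    if [ -z "$doc" ] || [ ! -f "$doc" ]; then
        echo "gate: document not found: $doc" >&2
        return 2
    fi
    shift

    # Turn each remaining argument into a -trustRegistry flag.
    # Reject a path that does not exist before it reaches protoparser.
    n=$#
    while [ "$n" -gt 0 ]; do
        reg=$1
        shift
        n=$((n - 1))
        if [ ! -e "$reg" ]; then
            echo "gate: trust registry not found: $reg" >&2
            return 2
        fi
        set -- "$@" "-trustRegistry=$reg"
    done

    # 1. Detached signature and signer lookup (project config supplies registries).
    "$pp" verify pml "$doc" || { echo "gate: verify failed: $doc" >&2; return 1; }
    # 2. Full trust picture, including imported ProtoML dependencies.
    "$pp" trust "$doc" "$@" || { echo "gate: trust check failed: $doc" >&2; return 1; }
    # 3. Structure plus trust in strict mode, the last check before reuse.
    "$pp" validate "$doc" -trust=strict "$@" || { echo "gate: strict validation failed: $doc" >&2; return 1; }
    echo "gate: all checks passed: $doc"
}
```

Exit status 2 means the gate never ran a check (missing document or registry path); exit status 1 means a protoparser command rejected the document.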
How to read the outcome
- trusted: the file matches its signature and the signer is trusted in the registry
- unknown: the signature may be valid, but the signer is not matched to a trusted registry author
- untrusted: the signature is invalid, the signer is marked untrusted, or dependent trust checks fail
Why this workflow works well
- the board can stay focused on people and approvals instead of package delivery
- employees get one repeatable CLI workflow for validation
- directory-level register reports still complement the file-level trust story
- the same signing model also works for other governance documents such as policies, onboarding approvals, or audit records
Related guides
- Governance Documents
- Macro Security And Trust Model
- Validation And Analysis Workflows
- Own Macro Registry Guide
Continue with
Once Lea trusts the single file, the next question is usually broader: which governance documents across the portfolio are missing metadata, overdue, or still open? Continue with Workflow 5: Review A Governance Portfolio.