ADCG enforces governance through infrastructure isolation, sequential gate evaluation, and immutable evidence collection. Nothing is optional.
The platform operates across 3 isolated infrastructure zones:
| Zone | Purpose | Network Access |
|---|---|---|
| Host/Core | Orchestration, API, policy engine, evidence storage | Internal only — no public ingress except API gateway |
| DinD (Docker-in-Docker) | Isolated code generation and execution | No outbound network. No access to Host/Core databases. Ephemeral containers destroyed after each run. |
| DMZ | Quarantine intake and scanning | Receives inbound submissions. Scans before forwarding. No direct access to Host/Core. |
Every submission passes through gates 0–12 in sequence. A gate cannot be skipped. If a gate fails, execution halts.
Submission → DMZ Intake → Gate 0 → Gate 1 → ... → Gate 12 → Admitted
Each gate evaluates a specific aspect of the submission against the active policy ruleset. Gates produce evidence regardless of pass/fail — the audit trail records everything.
At every gate, the system generates a JSON evidence artifact:
```json
{
  "gateId": 3,
  "verdict": "pass",
  "timestamp": "2026-02-15T14:32:01.847Z",
  "executor": "gate-runner-v2.1.0",
  "ruleResults": [
    { "ruleId": "complexity-max", "operator": "lte", "expected": 15, "actual": 8, "pass": true },
    { "ruleId": "test-coverage", "operator": "gte", "expected": 80, "actual": 94, "pass": true }
  ],
  "evidenceHash": "sha256:a1b2c3d4..."
}
```
Evidence artifacts are stored in a hash-chained log. Database triggers block UPDATE and DELETE operations on evidence tables — once written, evidence cannot be modified or removed. Each entry's hash includes the previous entry's hash, creating a tamper-evident chain.
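As an added illustration of the hash-chained evidence log described above (example code written for this page, not ADCG's own implementation), the following Python shows one way such a chain can be written and then verified by an auditor. The `prevHash` field, the all-zero genesis value and the canonical-JSON encoding are assumptions; the page only states that each entry's hash covers the previous entry's hash.

```python
import hashlib
import json

# Assumption: the page gives no genesis value, so the first entry links to zeros.
GENESIS_HASH = "sha256:" + "0" * 64

def canonical(body: dict) -> bytes:
    """Canonical JSON (sorted keys, no whitespace) so hashes are reproducible."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def compute_hash(entry: dict, prev_hash: str) -> str:
    """SHA-256 over the previous entry's hash followed by the artifact body;
    evidenceHash and prevHash are excluded so an auditor can recompute it."""
    body = {k: v for k, v in entry.items() if k not in ("evidenceHash", "prevHash")}
    return "sha256:" + hashlib.sha256(prev_hash.encode() + canonical(body)).hexdigest()

def append_evidence(chain: list, artifact: dict) -> dict:
    """Append-only write: the new entry links to the last hash on the chain."""
    prev = chain[-1]["evidenceHash"] if chain else GENESIS_HASH
    entry = dict(artifact, prevHash=prev)
    entry["evidenceHash"] = compute_hash(entry, prev)
    chain.append(entry)
    return entry

def verify_chain(chain: list):
    """Recompute every link. Returns (True, None) or (False, first bad index);
    a modified, removed or reordered entry breaks the link at that position."""
    expected_prev = GENESIS_HASH
    for i, entry in enumerate(chain):
        if entry.get("prevHash") != expected_prev:
            return False, i
        if compute_hash(entry, expected_prev) != entry.get("evidenceHash"):
            return False, i
        expected_prev = entry["evidenceHash"]
    return True, None

# Constructed sample run: the page's gate-3 artifact with a neighbour on each side.
SAMPLE_ARTIFACTS = [
    {"gateId": 2, "verdict": "pass", "timestamp": "2026-02-15T14:31:58.102Z",
     "executor": "gate-runner-v2.1.0", "ruleResults": []},
    {"gateId": 3, "verdict": "pass", "timestamp": "2026-02-15T14:32:01.847Z",
     "executor": "gate-runner-v2.1.0", "ruleResults": [
         {"ruleId": "complexity-max", "operator": "lte", "expected": 15, "actual": 8, "pass": True},
         {"ruleId": "test-coverage", "operator": "gte", "expected": 80, "actual": 94, "pass": True}]},
    {"gateId": 4, "verdict": "fail", "timestamp": "2026-02-15T14:32:03.500Z",
     "executor": "gate-runner-v2.1.0", "ruleResults": []},
]

def build_sample_chain() -> list:
    chain = []
    for artifact in SAMPLE_ARTIFACTS:
        append_evidence(chain, artifact)
    return chain
```

Because every link is recomputable from stored entries alone, a reviewer holding the proof package can re-run `verify_chain` without trusting the database triggers.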
When a run completes, the system assembles a proof package containing:
This package is the deliverable auditors, compliance officers, and security reviewers use to verify governance was applied.