KYE Plugin Marketplace · lightweight extensions

Extend KYE with small, focused plugins.

The KYE Plugin Marketplace is for lightweight installable modules — MCP tools, webhook verifiers, policy adapters, evidence exporters, conformance fixtures, sandbox flows, dashboard widgets, SDK extensions, and approval workflows. Start small, plug into your stack, then scale into a full KYE Runtime Gateway deployment.

Connector Hub integrates KYE. App Store productises KYE. Plugin Marketplace extends KYE.

category 9 categories apps Reference plugins data_object Manifest schema security Permissions publish Publish a plugin
Nine categories

Small surfaces, focused jobs.

smart_toyMCP ToolsAdd a single MCP tool (read-only, decision, or gated admin) to the KYE MCP Server.
verifiedWebhook VerifiersDrop-in libraries for verifying signed KYE webhook payloads in your runtime.
policyPolicy PacksPre-baked OPA / Cerbos / Cedar bundles for sector profiles.
cloud_downloadEvidence ExportersOne-job exporters that translate evidence packs into your downstream format.
scienceConformance FixturesAdd or extend the conformance pack with sector-specific fixtures.
terminalSDK ExtensionsLightweight TypeScript / Python / Go modules that ride on the official SDK.
dashboardDashboard WidgetsEmbed-ready UI widgets for Decision Map, Authority Graph, evidence preview.
play_circleSandbox FlowsSynthetic test data + walkthroughs for the regulatory sandbox harness.
approvalApproval WorkflowsReusable step-up / require-approval handlers for human-in-the-loop flows.
Reference plugins

Open-source starters that ship with v1.0.

  • Webhook verifier — JS / TS · @kye-protocol/webhook-verifier · runs on Node / Cloudflare Workers / browser. Verifies signed KYE webhook envelopes against the publisher's JWKS.
  • Webhook verifier — Python · kye-webhook-verifier · same surface, sync + async APIs.
  • Webhook verifier — Go · github.com/KYE-Protocol/webhook-verifier-go · zero-dependency, drop-in.
  • OPA policy pack — Core · ready-to-use Rego bundles for the Core profile.
  • OPA policy pack — Payments · Rego for the Payments + Agent Purchasing profiles.
  • Cerbos bundle — Core · Cerbos derived-roles + resource policies for the Core profile.
  • Cedar bundle — Core · Cedar policy bundles for the Core profile.
  • Evidence exporter — OSCAL · project a KYE evidence pack into OSCAL component-definition / SSP / assessment-results / POA&M.
  • Evidence exporter — Splunk HEC · stream signed events into Splunk HTTP Event Collector.
  • Evidence exporter — Microsoft Sentinel · same surface, Sentinel ingestion endpoints.
  • MCP tool — verify_evidence_pack · read-only MCP tool that verifies a pack offline using the published JWKS.
  • MCP tool — explain_decision · read-only MCP tool that renders a Decision Map in natural language.
  • Dashboard widget — Decision Map · embeddable widget for any HTML host (the same engine used on this site).
  • Dashboard widget — Authority Graph · embeddable graph viewer for actor / principal / capability nodes.
  • Sandbox flow — agent-purchasing · synthetic test fixtures for the agent-purchasing profile.
  • Sandbox flow — open-banking · synthetic test fixtures for the open-banking profile.
  • Approval workflow — Slack · reusable Slack approval handler bound to require_approval decisions.
  • Approval workflow — email · SMTP fallback for sites without Slack.

The Plugin Marketplace opens with the v1.1 release. Founding plugins ship under Apache 2.0 from the public org; commercial plugins ship through KYE Cloud.

Plugin manifest

Every plugin ships a kye.plugin_manifest.v1.

Plugin manifests declare the plugin's runtime, permission requirements, side-effect level, and OSS licence. Schema: https://schemas.kye.dev/plugin-manifest.json.

{
  "schema_version": "kye.plugin_manifest.v1",
  "plugin_id":      "kye:plugin:webhook-verifier-js",
  "name":           "KYE Webhook Verifier for JavaScript",
  "plugin_type":    "sdk_extension",
  "category":       "webhooks",
  "version":        "1.0.0",
  "description":    "Verifies KYE™ signed webhook payloads in JavaScript and TypeScript applications.",
  "runtime": {
    "language":             "typescript",
    "supported_environments": ["node", "cloudflare_workers", "browser"]
  },
  "permissions": {
    "requires_secret_access":  true,
    "requires_network_access": false,
    "side_effect_level":       "read_only"
  },
  "oss_license": "Apache-2.0",
  "status":      "active"
}
Permissions

Plugins declare their blast radius.

Every plugin declares its side_effect_level from the manifest dictionary — read_only, audit_only, decision_only, write_internal, send_external_message, execute_transaction, move_money, modify_authority, admin_action, destructive. Higher levels require stricter install gates: tenant auth, idempotency, audit emission, optional step-up. The plugin runtime refuses to load a manifest whose declared permissions exceed the installer's allowlist.

Publish a plugin

Five steps from idea to marketplace.

  1. P1Author the manifest. Fill in plugin_type, runtime, permissions, side-effect level, OSS licence.
  2. P2Write the plugin. One file or one package — small surface area is the point. Conformance harness checks shape and signature handling.
  3. P3Sign & submit. Programme verifies the manifest signature and runs an automated security review (no admin escalation, no hidden network access, no unsigned dependencies).
  4. P4Programme review. ~2 working days for read-only and audit-only plugins; ~5 days for write-side. Reviewer checks the security boundary you declared.
  5. P5Publish. Plugin lands in the public marketplace and is installable via SDK CLI.
handshake Partner programme → extension Connector Hub apps App Store forum Talk to the programme
Adjacent reading

Where to go next.

construction Build extension Connector Hub apps App Store smart_toy KYE MCP Server