A signed proof that the engine governs and audits itself.
Three JSON artefacts — a self-audit run record, an engine-health snapshot and an audit-chain integrity check — signed with EdDSA over a canonical payload, verifiable by anyone using the published JWKS. The fixture is deterministic: the same inputs produce the same artefact, byte-for-byte. Production-grade self-audit runs (the live ones inside the KYE Reference Gateway™) sign with a key whose private half lives in HSM/KMS — see protocol § self-govern.
Three signed JSON files. Fetch them.
self-audit-run.json
Outcome of a canonical 17-area run over the protocol's reference state. schema_version, self_audit_id, profiles_tested, summary.tests_*, findings, evidence_refs.
trust/self-audit/self-audit-run.json
engine-health.json
Point-in-time snapshot of every engine: schema_validator, dictionary_resolver, profile_resolver, registry_resolver, authority_engine, state_engine, policy_adapter, decision_engine, audit_engine, evidence_engine, graph_engine, webhook_engine, recovery_engine.
trust/self-audit/engine-health.json
audit-integrity-check.json
Hash-chain replay verification: events checked, orphan events, missing reason codes, missing evidence refs, overall result.
trust/self-audit/audit-integrity-check.json
JWKS for verification: trust/self-audit-jwks.json — a single Ed25519 public key with kid kye:key:self-audit-fixture-2026-05.
One command. Zero credentials.
The verifier is a 90-line Node script in the public repo. It fetches the three artefacts and the JWKS, recomputes the canonical payload (sorted keys, no whitespace), and verifies the EdDSA signature. Node 18+ only — no npm install.
A · Run the verifier (recommended)
curl -fsSL https://raw.githubusercontent.com/KYE-Protocol/app/main/scripts/verify-self-audit.mjs -o /tmp/verify-self-audit.mjs
node /tmp/verify-self-audit.mjs
# Expected output:
# Loaded JWKS — 1 key(s): kye:key:self-audit-fixture-2026-05
# ✓ self-audit-run.json alg=EdDSA kid=kye:key:self-audit-fixture-2026-05
# ✓ engine-health.json alg=EdDSA kid=kye:key:self-audit-fixture-2026-05
# ✓ audit-integrity-check.json alg=EdDSA kid=kye:key:self-audit-fixture-2026-05
# All artefacts verified.
B · Or: roll your own
For each artefact: parse JSON, extract payload and signature, canonicalise payload (sorted keys, no whitespace), base64url-decode signature.sig, look up signature.kid in self-audit-jwks.json, and verify EdDSA. The fixture is small enough (< 4 kB) that a Python or Go verifier is ~30 lines.
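The steps above written out in Go, as an added example that is not the project's own verifier. It assumes the artefact is shaped {"payload": ..., "signature": {"alg", "kid", "sig"}}, that key sorting is recursive and that strings are not HTML-escaped; SignFixture, the all-zero seed, the sample payload and demo-kid are constructed here so the block runs offline.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// canonical re-encodes JSON with sorted keys and no whitespace; nil means invalid JSON.
func canonical(raw []byte) []byte {
	var v interface{}
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf)
	enc.SetEscapeHTML(false) // the default rewrites < > & as \u003c etc., changing the bytes
	if json.Unmarshal(raw, &v) != nil || enc.Encode(v) != nil { // Encode sorts map keys
		return nil
	}
	return bytes.TrimSpace(buf.Bytes()) // Encode appends a newline
}

// VerifyArtefact accepts only a signature made by the JWKS key that signature.kid names.
func VerifyArtefact(artefactJSON, jwksJSON []byte) bool {
	var a struct{ Payload json.RawMessage; Signature struct{ Alg, Kid, Sig string } }
	var set struct{ Keys []struct{ Kty, Crv, Kid, X string } }
	e1, e2 := json.Unmarshal(artefactJSON, &a), json.Unmarshal(jwksJSON, &set)
	sig, e3 := base64.RawURLEncoding.DecodeString(a.Signature.Sig)
	// Pin the algorithm instead of trusting the artefact (the "alg" field name is assumed).
	ok := e1 == nil && e2 == nil && e3 == nil && len(a.Payload) > 0 && a.Signature.Alg == "EdDSA"
	for _, k := range set.Keys {
		pub, err := base64.RawURLEncoding.DecodeString(k.X)
		if ok && err == nil && len(pub) == ed25519.PublicKeySize && k.Kty == "OKP" &&
			k.Crv == "Ed25519" && k.Kid == a.Signature.Kid && ed25519.Verify(pub, canonical(a.Payload), sig) {
			return true
		}
	}
	return false
}

// SignFixture builds a CONSTRUCTED artefact and JWKS from a seed (demo input, not KYE data).
func SignFixture(seed []byte, payload, kid string) (art, jwks []byte) {
	priv, b64 := ed25519.NewKeyFromSeed(seed), base64.RawURLEncoding.EncodeToString
	sig, x := b64(ed25519.Sign(priv, canonical([]byte(payload)))), b64(priv[32:]) // priv = seed || pub
	art = []byte(fmt.Sprintf(`{"payload":%s,"signature":{"alg":"EdDSA","kid":%q,"sig":%q}}`, payload, kid, sig))
	return art, []byte(fmt.Sprintf(`{"keys":[{"kty":"OKP","crv":"Ed25519","kid":%q,"x":%q}]}`, kid, x))
}

func main() {
	fmt.Println(VerifyArtefact(SignFixture(make([]byte, 32), `{"b": 2, "a": "<ok>"}`, "demo-kid")))
}
```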
A real, working self-audit pipeline.
- The mechanism is implemented and reproducible. The same script that produces these fixtures runs in CI on every commit (npm run test:self-audit-snapshot); a regression in the schema, the audit-chain integrity check, or the engine-health snapshot would fail PR CI. Public visitors don't have to take our word for it.
- The signing path is real. EdDSA over canonical JSON, with a published JWKS, with a working verifier — not a mocked-up signature blob. The same construction is used by the live Reference Gateway™ for webhook signing and self-audit run records.
- The schema is normative and stable. kye.self_audit_run.v1, kye.engine_health.v1, kye.audit_integrity_check.v1. Schema drift would break the verifier.
- The KYE™-on-KYE™ wiring exists in code, not just slides. See protocol § self-govern — POST /v1/self-audit:run on the KYE Reference Gateway™ emits the same shape this fixture uses.
For procurement, regulator and security teams.
The reproducible fixture above proves the mechanism. Operational detail and the full hardening register are part of the procurement pack delivered to design partners under NDA.