Trust Center · reproducible by anyone

What is verifiable today, what is in progress, what needs external action.

Every claim on this page either runs as a shell command against the public KYE-Protocol mirror repos, points at a runbook delivered with the commercial reference implementation, or is explicitly tagged as requiring external attestation we cannot produce ourselves. No marketing-speak; reproducibility wins.

v1.0contract frozen, Apache 2.0

10public mirror repos — reproducible

13compliance frameworks mapped

NDAprocurement pack on request

check_circle Verifiable today shield Posture rule Frameworks handshake Procurement pack gavel Gov agency readiness

1 · Verifiable today · reproducible by anyone

Every row clones a public mirror repo. Run it; replicate it.

Every command below operates exclusively on Apache 2.0-licensed public mirrors under github.com/KYE-Protocol. The proprietary master (KYE-Protocol/app) is not referenced; nothing here exposes implementation paths or internal artefacts.

Public repo	Status	Reproduce
JSON Schemas — `KYE-Protocol/schemas`	69 / 69 validate against examples	`git clone https://github.com/KYE-Protocol/schemas && cd schemas && npm ci && npm test`
OpenAPI surface — `KYE-Protocol/openapi`	193 ops redocly-clean, three specs	`git clone https://github.com/KYE-Protocol/openapi && cd openapi && npm ci && npm run lint`
Conformance pack — `KYE-Protocol/conformance`	41 / 41 black-box scenarios	`git clone https://github.com/KYE-Protocol/conformance && cd conformance && npm ci && npm run run`
TypeScript SDK — `KYE-Protocol/sdk-typescript`	67 / 67 tests	`git clone https://github.com/KYE-Protocol/sdk-typescript && cd sdk-typescript && npm ci && npm test`
Python SDK — `KYE-Protocol/sdk-python`	51 / 53 (2 skipped — async/network)	`git clone https://github.com/KYE-Protocol/sdk-python && cd sdk-python && python3 -m pip install -e . && pytest -q`
Go SDK — `KYE-Protocol/sdk-go`	core surface pass	`git clone https://github.com/KYE-Protocol/sdk-go && cd sdk-go && go test ./...`
Webhook verifier (Go) — `KYE-Protocol/webhook-verifier-go`	test vectors · per the published profile	`git clone https://github.com/KYE-Protocol/webhook-verifier-go && cd webhook-verifier-go && go test ./...`
Vocabulary register — `KYE-Protocol/vocabulary`	38 marks machine-readable, JSON-Schema-validated	`curl -fsSL https://raw.githubusercontent.com/KYE-Protocol/vocabulary/main/trademarks.json \| jq '.entries \| length'`
URN ID format — `KYE-Protocol/id-format`	parser conformance	`git clone https://github.com/KYE-Protocol/id-format && cd id-format && npm ci && npm test`
Examples gallery — `KYE-Protocol/examples`	every schema has ≥ 1 example	Validated under the `schemas` test above.

Public mirror total: the rows above replicate the public surface; nothing on this list requires access to the proprietary master.

2 · Reference-implementation posture

Bank-grade hardening, covered under commercial licence.

The reference Gateway ships with a documented production-hardening posture — tenant authn (mTLS / OAuth2-CC), multi-tenant request scoping by trust_domain_id, per-tenant rate-limiting, security headers, append-only audit chain, swappable HSM/KMS key custody, policy-engine pluggability, structured observability, and a wired KYE™-on-KYE™ self-governing engine (operator actions like key rotation and self-audit runs route through the same engine and emit the same audit + evidence-pack format as external decisions; see protocol § self-govern). Operator runbooks cover Tier-1 onboarding, incident response, disaster recovery, GDPR (DPA / ROPA / DSR), customer SLA, sub-processor inventory, key rotation and regulator-comms templates. The full hardening register and runbook bundle are part of the procurement pack delivered to design partners under NDA, not published on the public web.

verified Public self-audit fixture (signed) → handshake Request the procurement pack →

3 · Framework mappings · 266 controls × 13 frameworks

Where the protocol artefacts satisfy each control.

Each row maps a KYE™ artefact (entity record · delegation · scope · credential · attestation · audit event · proof bundle · signal · transparency receipt · capability grant · recovery proof · break-glass grant · compromise report · state transition) to the control it satisfies and the endpoint to extract it. The control-mapping register is published as part of the public KYE-Protocol/conformance repo; the source-of-truth normative spec ships under commercial licence.

Framework	Mappings
SOC 2 (TSC 2017)	~25 control mappings
ISO/IEC 27001:2022 — Annex A	~28 control mappings
PCI DSS 4.0	~22 control mappings
PSD2 / PSD3 (RTS Reg. 2018/389)	~16 control mappings
DORA — Reg. (EU) 2022/2554	~22 control mappings
NIS2 — Dir. (EU) 2022/2555	~18 control mappings
EU AI Act — Reg. (EU) 2024/1689	10 controls (KYE-EUAIACT-001..010)
NIST SP 800-207 — Zero Trust Architecture	~18 control mappings
ISO/IEC 42001 — AIMS	~20 control mappings
NIST AI RMF 1.0	~24 control mappings
GDPR — Reg. (EU) 2016/679	~18 control mappings
FedRAMP — Federal Risk and Authorization Management	~30 control mappings
NIST Cybersecurity Framework 2.0	~16 control mappings

4 · Procurement pack · under NDA

Detail for procurement teams — on request.

The full hardening register, runbook bundle, attestation roadmap (SOC 2 / ISO 27001 / FedRAMP timing), HSM-integration matrix, and supply-chain controls are packaged for procurement teams under NDA, alongside the reference-implementation architecture documents. We don’t publish gap lists or implementation inventories on the open web.

handshake Request the procurement pack → rule Public framework mappings →

5 · Government agency readiness

Sovereign / public-sector path.

Public-sector adoption follows a distinct path from commercial banks. The protocol artefacts that gov agencies will ask for:

Artefact	Status
KYE Sovereign AI Profile™ — protocol surface	v1.1 preview · 9 sub-profiles + 5 planned apps
KYE Public Sector Profile™	v1.1 preview
KYE Cross-Agency Delegation Profile™	v1.1 preview
KYE Government API Authority Profile™	v1.1 preview
NIST 800-207 Zero Trust mapping	published in control-mapping register
NIST AI RMF mapping	published in control-mapping register
FedRAMP control mapping	published in control-mapping register (no ATO yet)
OSCAL projection (component-definition / SSP / assessment-results / POA&M)	7 / 7 tests pass
Public-sector decision evidence pack	v1.1 preview
Sovereign data-residency profile	v1.1 preview
FIPS 140-3 cryptographic compliance	requires HSM-vendor module + test report
StateRAMP / CCCS readiness	scoped via FedRAMP base mappings

In one paragraph.

The KYE Protocol™ contract is bank-grade and frozen. The Apache 2.0 public mirror repos — schemas, OpenAPI, conformance pack, three SDKs, vocabulary, ID format, examples — are reproducible today: clone, install, run the test commands above. The reference implementation is shipped under commercial licence to design partners with the full hardening register, the operator runbook bundle, and the procurement pack. Procurement and security teams should request that pack via /engage.

handshake Request the procurement pack → monitor_heart Live status → balance Legal →