Claude Code plugin
Five slash commands: /kye:diagnose · /kye:score · /kye:report · /kye:verify · /kye:framework-map. Install via plugin marketplace once published, or clone the source directly.
Six lenses, twenty-four questions, one pyramid-summary score. Run it inside your IDE in ten minutes. Optional: a signed regulator-grade kye.report.v1 envelope verifiable offline by anyone with the public key — auditor, procurement, regulator. Free tier: 3 sealed envelopes per month per email. Paid pilot: unlimited.
The diagnostic asks four questions per lens. Each answer is a 0–3 ordinal, where 3 is the strongest authority posture. The in-IDE pyramid summary aggregates the lenses by simple average. The production weighting and palette MAP are proprietary and are applied server-side when you request the signed envelope.
| Lens | What it measures | Anchor regulatory clauses |
|---|---|---|
| Entity Verification | Can you name and verifiably distinguish every actor (human, agent, service) that can hold authority? | NIST 800-53 IA-2, IA-5 · GDPR Art 32 · ISO 27001 A.9.2 |
| Chain of Authority | For every privileged action, is there a verifiable chain back to a human principal — with tamper-evident anchoring? | EU AI Act Art 9, Art 13 · SR 11-7 §V · DORA Art 28 · NIST 800-53 AU-9 |
| Scoped Delegation | Are agent permissions purpose-bound, time-bound, and revocable — or implicit, broad, and unrevoked? | EU AI Act Art 50 · GDPR Art 6 · NIST 800-53 AC-3, AC-6 · SOC 2 CC6 |
| Runtime Policy Resolution | Is the rule evaluator a pure, deterministic, replayable function — same inputs, same verdict, every time? | EU AI Act Art 13 · NIST AI RMF GOVERN-1.2 · ISO 42001 A.4 · NIST 800-53 CM-2 |
| Evidence & Replay | Can a regulator with only your public keys reconstruct the decision and verify it offline? | SEC 17a-4 · FINRA 4511 · DORA Art 28 · NIST 800-53 AU-9, AU-10 · HAARF.2 |
| Authority Finality™ | Is authority committed-then-acted, with proof generated at decision time — not narrated after the fact? | EU AI Act Art 12 · BCBS 239 · FCA OpRes IBS · NIST 800-53 AU-12, AU-2 |
| Score | Band | What it means in a regulator conversation |
|---|---|---|
| 0–25 | Pre-authority | No machine-verifiable authority chain. The audit answer to "who told the agent it could do that?" is a human paraphrase. |
| 26–50 | Implicit | Authority is in code paths, not in artefacts. The audit team can point at lines of code but cannot replay the decision. |
| 51–75 | Developing | Partial chain. Some signed evidence; gaps in replay, scoping, or the binding between principal and agent. |
| 76–90 | Strong | Chain + signed evidence end-to-end. Gaps in T = 0 finality (proof-before-commit) or in offline replayability. |
| 91–100 | Authority Finality™ achieved | Proof-before-commit, public-key verifiable, offline replayable. The audit answer is a one-line URL. |
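The reference score described above, as an added example that is not the plugin's own code: six lenses, four 0–3 answers each, simple-average aggregation, and the band table applied to the result. It also lists the lenses below 60, which the page says the signed envelope carries a crosswalk for. Two things the page leaves unstated are assumed here and marked in the code: each lens score is normalised linearly to 0–100 (mean of the four answers divided by 3, times 100), and the overall average is rounded to the nearest integer before the integer band table is applied. The sample answers are constructed.

```go
package main

import (
	"fmt"
	"math"
)

// The six lenses from the diagnostic table, in page order; four questions each.
var lenses = []string{
	"Entity Verification",
	"Chain of Authority",
	"Scoped Delegation",
	"Runtime Policy Resolution",
	"Evidence & Replay",
	"Authority Finality",
}

// Band is one row of the score-band table on the page.
type Band struct {
	Low, High int
	Label     string
}

var bands = []Band{
	{0, 25, "Pre-authority"},
	{26, 50, "Implicit"},
	{51, 75, "Developing"},
	{76, 90, "Strong"},
	{91, 100, "Authority Finality achieved"},
}

// LensScore turns four 0-3 ordinal answers into a 0-100 lens score.
// ASSUMPTION: the reference scale is linear, mean(answers) / 3 * 100; the page
// gives the 0-3 scale and the simple-average rule but not this normalisation.
func LensScore(answers [4]int) (float64, error) {
	sum := 0
	for _, a := range answers {
		if a < 0 || a > 3 {
			return 0, fmt.Errorf("answer %d is outside the 0-3 ordinal range", a)
		}
		sum += a
	}
	return float64(sum) / (4 * 3) * 100, nil
}

// BandFor maps an integer 0-100 score to its band label.
func BandFor(score int) string {
	for _, b := range bands {
		if score >= b.Low && score <= b.High {
			return b.Label
		}
	}
	return "out of range"
}

// Summary is the in-IDE pyramid summary: per-lens scores, the simple-average
// overall score, its band, and the lenses below 60 (the ones the page says the
// signed envelope carries a regulatory crosswalk for).
type Summary struct {
	Lens      map[string]float64
	Overall   int
	Band      string
	Crosswalk []string
}

// Summarise aggregates the six lenses (page order) by simple average.
// ASSUMPTION: the average is rounded to the nearest integer before the
// integer band table is applied.
func Summarise(answers [6][4]int) (Summary, error) {
	s := Summary{Lens: map[string]float64{}}
	total := 0.0
	for i, name := range lenses {
		ls, err := LensScore(answers[i])
		if err != nil {
			return Summary{}, fmt.Errorf("%s: %w", name, err)
		}
		s.Lens[name] = ls
		total += ls
		if ls < 60 {
			s.Crosswalk = append(s.Crosswalk, name)
		}
	}
	s.Overall = int(math.Round(total / float64(len(lenses))))
	s.Band = BandFor(s.Overall)
	return s, nil
}

func main() {
	// Constructed sample: strong on identity, weak on evidence and finality.
	sample := [6][4]int{
		{3, 3, 2, 3}, // Entity Verification
		{2, 2, 1, 2}, // Chain of Authority
		{2, 1, 1, 2}, // Scoped Delegation
		{3, 2, 2, 2}, // Runtime Policy Resolution
		{1, 0, 1, 1}, // Evidence & Replay
		{0, 1, 0, 0}, // Authority Finality
	}
	s, err := Summarise(sample)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, name := range lenses {
		fmt.Printf("%-26s %6.1f\n", name, s.Lens[name])
	}
	fmt.Printf("overall %d (%s); crosswalk needed for %v\n", s.Overall, s.Band, s.Crosswalk)
}
```

With the constructed answers the overall lands at 51 (Developing): one lens at 92 cannot lift a posture whose evidence and finality lenses sit at 25 and 8, which is the point of a simple average over six lenses rather than a best-lens score.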
One server reaches Claude Desktop, Claude Code, Cursor, Windsurf, Cline, Zed simultaneously. Five tools mirroring the plugin commands. Add to your MCP client config and run.
`kye diagnostic seal <answers.json>` for CI pipelines and automation. Wraps `POST /v1/diagnostic/seal`. Same gating model; same signed envelope.
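The page states that the sealed envelope is verifiable offline by anyone holding the public key, and that the Ed25519 signing recipe and canonicalisation are proprietary. The example below is added here and is not KYE's code: it sketches the shape of such a seal-then-verify flow with Go's standard `crypto/ed25519`, using its own fixed-field JSON canonical form, an assumed `key_id` field, constructed payload values and a throwaway key pair. The verifier recomputes the canonical bytes from the parsed payload and checks the signature against a key it pinned out of band, so a score edited after sealing is rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

const expectedVersion = "kye.report.v1"

// LensResult is one lens score inside the payload (constructed layout).
type LensResult struct {
	Name  string `json:"name"`
	Score int    `json:"score"`
}

// Payload is the signed body. ASSUMPTION: the real kye.report.v1 layout and
// canonicalisation are proprietary and not on the page; a fixed-field struct is
// used so that json.Marshal yields identical bytes on the sealing and verifying side.
type Payload struct {
	Version string       `json:"version"`
	Subject string       `json:"subject"`
	Overall int          `json:"overall"`
	Band    string       `json:"band"`
	Lenses  []LensResult `json:"lenses"`
}

// Envelope carries the payload, a key identifier and a detached Ed25519 signature.
type Envelope struct {
	Payload   Payload `json:"payload"`
	KeyID     string  `json:"key_id"`    // assumed field name
	Signature string  `json:"signature"` // base64 of the 64-byte signature
}

// canonical returns the exact bytes that are signed: compact JSON, fixed field order.
func canonical(p Payload) ([]byte, error) { return json.Marshal(p) }

// Seal plays the server-side step behind `kye diagnostic seal` in this sketch.
func Seal(p Payload, keyID string, priv ed25519.PrivateKey) (Envelope, error) {
	if p.Version != expectedVersion {
		return Envelope{}, fmt.Errorf("refusing to seal envelope version %q", p.Version)
	}
	msg, err := canonical(p)
	if err != nil {
		return Envelope{}, err
	}
	sig := ed25519.Sign(priv, msg)
	return Envelope{Payload: p, KeyID: keyID, Signature: base64.StdEncoding.EncodeToString(sig)}, nil
}

// Verify is the offline check: it needs only the envelope and the public key
// the verifier pinned out of band under keyID. No network, no account.
func Verify(env Envelope, keyID string, pub ed25519.PublicKey) error {
	if env.Payload.Version != expectedVersion {
		return fmt.Errorf("unexpected envelope version %q", env.Payload.Version)
	}
	if env.KeyID != keyID {
		return fmt.Errorf("envelope key id %q is not the pinned key %q", env.KeyID, keyID)
	}
	sig, err := base64.StdEncoding.DecodeString(env.Signature)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return errors.New("malformed signature")
	}
	msg, err := canonical(env.Payload) // recomputed from the parsed payload, never taken from the wire
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, sig) {
		return errors.New("signature does not cover this payload: tampered or wrong key")
	}
	return nil
}

// Demo seals a constructed payload, round-trips it through JSON as an auditor
// would receive it, then shows an edited score being rejected.
// It returns (original verifies, tampered verifies).
func Demo() (bool, bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // throwaway key pair
	if err != nil {
		return false, false, err
	}
	p := Payload{Version: expectedVersion, Subject: "example-org", Overall: 51, Band: "Developing",
		Lenses: []LensResult{{Name: "Entity Verification", Score: 92}, {Name: "Evidence & Replay", Score: 25}}}
	env, err := Seal(p, "kye-demo-key-1", priv)
	if err != nil {
		return false, false, err
	}
	wire, _ := json.Marshal(env)
	var received Envelope
	if err := json.Unmarshal(wire, &received); err != nil {
		return false, false, err
	}
	okOriginal := Verify(received, "kye-demo-key-1", pub) == nil
	tampered := received
	tampered.Payload.Overall = 95
	tampered.Payload.Band = "Authority Finality achieved"
	okTampered := Verify(tampered, "kye-demo-key-1", pub) == nil
	return okOriginal, okTampered, nil
}

func main() {
	ok, bad, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("original verifies: %v, tampered verifies: %v\n", ok, bad)
}
```

The design choice worth noting is that the verifier never uses bytes supplied alongside the signature as the signed message: it re-serialises the payload it parsed, so whatever it displays to the auditor is exactly what the signature covers. Pinning the key by identifier keeps a valid signature from an unrelated key from being accepted.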
| Tier | What you get | What it costs |
|---|---|---|
| Free score | In-IDE pyramid summary computed locally from the simple-average reference. No account required. Reasonable for self-assessment. | $0 · no account · runs offline after one-time install |
| Free signed report | Server-side production-weighted score, packaged as a signed kye.report.v1 envelope. Auditor-grade. Anyone with the public key can verify offline. | $0 with a free KYE™ account · 3 sealed envelopes per month per email · rate-limited only by quota |
| Paid pilot | Unlimited signed envelopes plus the runtime that closes the gaps the diagnostic flagged: PDP, Authority Engine, Evidence Pack™ assembler, Decision Map™, Replay-Proof™ bundles, dual-channel admin, framework-coverage bijection, all 60+ CI gates. | Pilot SKUs from £15,000 · quote on the pilot apply page |
Every lens cites the regulatory clauses it anchors. The signed envelope embeds the crosswalk for every lens below 60. Twenty frameworks crosswalk one-hop into the canonical NIST 800-53 Rev 5 hub: EU AI Act · DORA · GDPR · SOC 2 · ISO 27001 / 42001 · NIST AI RMF · NIST 800-207 · FCA OpRes · SR 11-7 · BCBS 239 · PCI DSS 4 · PSD2 / 3 · HIPAA · HAARF · MHRA SaMD · FedRAMP Mod · SEC 17a-4 · FINRA 4511 · UK NCSC CAF · NIST CSF 2.0.
The procurement question “do you map to X?” gets a one-hop, deterministic, machine-readable answer, not a marketing slide.
| Surface | License | Status |
|---|---|---|
| 24 questions · 6 lens labels · 5 band labels | Apache 2.0 | Open. The diagnostic vocabulary is portable. |
| Reference simple-average score & in-IDE pyramid renderer | Apache 2.0 | Open. Suitable for self-assessment. |
| Plugin / MCP server / CLI scaffolding | Apache 2.0 | Open. SPDX-tagged. |
| Production weighting · canonicalisation · palette MAP · Ed25519 signing recipe | Proprietary | Server-side only. Applied when you request the signed envelope. |
| Authority Engine · PDP · Evidence Pack™ assembler · Decision Map™ · Replay-Proof™ bundles | Proprietary | Runtime. Available on paid pilot. |
The split is intentional. The vocabulary is open so it can be cited; the mechanism is closed so it can be improved without breaking your contract.