Step 7 · Runtime gateway

Enforcement at the decision point.

Step 6 produces a signed verdict. Step 7 is the gateway that enforces it. The gateway intercepts a candidate action at the commit boundary, asks the policy engine for a decision, and only lets the action commit when the signed Decision Map™ says allow.

rocket_launch Apply for pilot → menu_book Read the docs
1 · What it does

Three reference deployments. All open.

Every claim here is backed by the open KYE Protocol™ contracts and verifiable end-to-end from the publisher's JWKS — you check it yourself, you don't take our word for it.

dnsKYE Reference Gateway™edge-native PEP+PDP Worker. npx wrangler dev (in internal). Production hardening (auth, rate limit, body-size, structured logging, JSONL audit chain) opt-in via env vars.
extensionExpress PEP middlewareNode middleware that wraps any Express route with a KYE™ authorize call. Drops into existing services without rewriting the action surface.
offline_boltePDP — edge PDPLocally-cached, offline-capable PDP for the bank / merchant edge. Walks the chain, verifies signatures, returns a decision in < 1 ms.
2 · The enforcement contract

Three obligations. Every commit-level action.

Every claim here is backed by the open KYE Protocol™ contracts and verifiable end-to-end from the publisher's JWKS — you check it yourself, you don't take our word for it.

  1. Pre-commit decision — call POST /v1/runtime/authorize; do not commit unless the verdict is allow (or allow_with_constraints and constraints are satisfied).
  2. Audit chain emission — the gateway hash-links every decision into an append-only audit ledger; the verify endpoint detects breaks end-to-end.
  3. Signal Bus™ publication — the gateway publishes signed events (kye.decision.*, kye.signal.*, profile-specific events) so downstream subscribers can react atomically.
Where to go next

Continue the stack →

Every claim here is backed by the open KYE Protocol™ contracts and verifiable end-to-end from the publisher's JWKS — you check it yourself, you don't take our word for it.

gavel ← Step 6 · Policy engine verified Step 8 · Evidence Pack™ →

Ready to see your AI agents flagged?

Start in shadow mode. We’ll deliver your first Evidence Pack™ in 4–8 weeks.

rocket_launch Apply for pilot → science Try the sandbox →