KYE Plugin Marketplace · lightweight extensions

Extend KYE with small, focused plugins.

The KYE Plugin Marketplace is for lightweight installable modules — MCP tools, webhook verifiers, policy adapters, evidence exporters, conformance fixtures, sandbox flows, dashboard widgets, SDK extensions, and approval workflows. Start small, plug into your stack, then scale into a full KYE Runtime Gateway deployment.

Connector Hub integrates KYE. App Store productises KYE. Plugin Marketplace extends KYE.

category 9 categories apps Reference plugins data_object Manifest schema security Permissions publish Publish a plugin
Nine categories

Small surfaces, focused jobs.

smart_toyMCP ToolsAdd a single MCP tool (read-only, decision, or gated admin) to the KYE MCP Server.
verifiedWebhook VerifiersDrop-in libraries for verifying signed KYE webhook payloads in your runtime.
policyPolicy PacksPre-baked OPA / Cerbos / Cedar bundles for sector profiles.
cloud_downloadEvidence ExportersOne-job exporters that translate evidence packs into your downstream format.
scienceConformance FixturesAdd or extend the conformance pack with sector-specific fixtures.
terminalSDK ExtensionsLightweight TypeScript / Python / Go modules that ride on the official SDK.
dashboardDashboard WidgetsEmbed-ready UI widgets for Decision Map, Authority Graph, evidence preview.
play_circleSandbox FlowsSynthetic test data + walkthroughs for the regulatory sandbox harness.
approvalApproval WorkflowsReusable step-up / require-approval handlers for human-in-the-loop flows.
Reference plugins · 18 starters

Open-source starters shipping with the v1.1 marketplace.

Webhook verifiers in three languages ship today as standalone libraries. The full marketplace surface (categorisation, install gating, manifest signing, programme review) opens with v1.1.

  • Webhook verifier — JS / TS · @kye-protocol/webhook-verifier · runs on Node / Cloudflare Workers / browser. Verifies signed KYE webhook envelopes against the publisher's JWKS.
  • Webhook verifier — Python · kye-signal-verifier · same surface, sync + async APIs.
  • Webhook verifier — Go · github.com/KYE-Protocol/webhook-verifier-go · zero-dependency, drop-in.
  • OPA policy pack — Core · ready-to-use Rego bundles for the Core profile.
  • OPA policy pack — Payments · Rego for the Payments + Agent Purchasing profiles.
  • Cerbos bundle — Core · Cerbos derived-roles + resource policies for the Core profile.
  • Cedar bundle — Core · Cedar policy bundles for the Core profile.
  • Evidence exporter — OSCAL · project a KYE evidence pack into OSCAL component-definition / SSP / assessment-results / POA&M.
  • Evidence exporter — Splunk HEC · stream signed events into Splunk HTTP Event Collector.
  • Evidence exporter — Microsoft Sentinel · same surface, Sentinel ingestion endpoints.
  • MCP tool — verify_evidence_pack · read-only MCP tool that verifies a pack offline using the published JWKS.
  • MCP tool — explain_decision · read-only MCP tool that renders a Decision Map in natural language.
  • Dashboard widget — Decision Map · embeddable widget for any HTML host (the same engine used on this site).
  • Dashboard widget — Authority Graph · embeddable graph viewer for actor / principal / capability nodes.
  • Sandbox flow — agent-purchasing · synthetic test fixtures for the agent-purchasing profile.
  • Sandbox flow — open-banking · synthetic test fixtures for the open-banking profile.
  • Approval workflow — Slack · reusable Slack approval handler bound to require_approval decisions.
  • Approval workflow — email · SMTP fallback for sites without Slack.

Founding plugins ship under Apache 2.0 from the public org.

Plugin manifest

Every plugin ships a kye.plugin_manifest.v1.

Plugin manifests declare the plugin's runtime, permission requirements, side-effect level, and OSS licence. Schema: https://kyeprotocol.com/schemas/plugin-manifest.json.

{
  "schema_version": "kye.plugin_manifest.v1",
  "plugin_id":      "kye:plugin:webhook-verifier-js",
  "name":           "KYE Signal Verifier for JavaScript",
  "plugin_type":    "sdk_extension",
  "category":       "webhooks",
  "version":        "1.0.0",
  "description":    "Verifies KYE™ signed webhook payloads in JavaScript and TypeScript applications.",
  "runtime": {
    "language":             "typescript",
    "supported_environments": ["node", "cloudflare_workers", "browser"]
  },
  "permissions": {
    "requires_secret_access":  true,
    "requires_network_access": false,
    "side_effect_level":       "read_only"
  },
  "oss_license": "Apache-2.0",
  "status":      "active"
}
Permissions

Plugins declare their blast radius.

Every plugin declares its side_effect_level from the manifest dictionary — read_only, audit_only, decision_only, write_internal, send_external_message, execute_transaction, move_money, modify_authority, admin_action, destructive. Higher levels require stricter install gates: tenant auth, idempotency, audit emission, optional step-up. The plugin runtime refuses to load a manifest whose declared permissions exceed the installer's allowlist.

Publish a plugin

Five steps from idea to marketplace.

Manifest schema, conformance harness, and signature flow are defined now. Submission and review go live with the v1.1 marketplace.

  1. P1Author the manifest. Fill in plugin_type, runtime, permissions, side-effect level, OSS licence.
  2. P2Write the plugin. One file or one package — small surface area is the point. Conformance harness checks shape and signature handling.
  3. P3Sign & submit. Programme verifies the manifest signature and runs an automated security review (no admin escalation, no hidden network access, no unsigned dependencies).
  4. P4Programme review. ~2 working days for read-only and audit-only plugins; ~5 days for write-side. Reviewer checks the security boundary you declared.
  5. P5Publish. Plugin lands in the public marketplace and is installable via SDK CLI.
handshake Partner programme → extension Connector Hub apps App Store forum Talk to the programme
Adjacent reading

Where to go next.

construction Build extension Connector Hub apps App Store smart_toy KYE MCP Server

Ready to see your AI agents flagged?

Start in shadow mode. We’ll deliver your first Evidence Pack in 4–8 weeks.

rocket_launch Apply for pilot → science Try the sandbox →