Constitution §0.3 · the protocol governs itself

KYE Protocol™ governs itself.

Every privileged action that runs against this codebase — a CI gate, a production deploy, a schema migration, a secret rotation, a domain binding, an edge-runtime promotion — emits the same signed evidence-pack family we ask every KYE™ customer to emit. Same envelopes. Same signing recipe. Same replay-proof construction.

Read the receipts below, fetch the signed artefacts, and verify them with the public JWKS — no further dependency on us.

1 · The claim

A protocol that asks customers to be governable must be governable first.

Constitution §0.3 (adopted 2026-05-15): The protocol governs itself. Every privileged action MUST be governed by the KYE Governance Engine™ (Purpose Permission™ + Decision Engine) and MUST emit the canonical evidence-event family. Every regulatory-framework claim MUST map to a control row and an attestation with a ≤ 90-day decay.

Concretely, this means — on this codebase, today — the same primitives we license commercially are used internally to:

  • Gate every CI workflow under a signed Decision Map™.
  • Bind every privileged operation (deploy, migration, rotation) to a Purpose Permission™ token with attenuable scope.
  • Seal every privileged decision with an Execution Context Seal™.
  • Export the result as an Evidence Pack™ that anyone can replay offline.
  • Re-derive the verdict from the same context, with the publisher's JWKS alone, as a Replay Proof™.
  • Attest the regulatory-framework claim with a kye.compliance.attestation.v1 event, refreshed ≤ every 90 days.

2 · The receipts

IP-safe, signed, publicly verifiable.

Three live transparency surfaces. None disclose a KYE™ mechanism — only the canonical envelopes the protocol's clients consume. The proprietary track stays intact; the audit story stays auditable.

Self-governance run log

Every signed self-governance run published with its decision-map id, evidence-pack id, replay-proof id, signing key id, git SHA, and drift / replay-equivalence flags.

/self-audit-runs/index.json

Reference envelope fixture

Three signed JSON artefacts — a self-audit run record, an engine-health snapshot, an audit-chain integrity check — signed with EdDSA over a canonical payload. Drop-in verifier; 30-line Python / Go equivalent. No mechanism content.

trust-self-audit.html · trust/self-audit/self-audit-run.json

Public verification key

Single Ed25519 public key — everything in this transparency log verifies against it. Per-run public keys also published in each run directory under public-key.jwk so rotation is observable.

trust/self-audit-jwks.json

3 · Verify it yourself

Two commands. No further dependency on us.

The fixture is small enough that a Python or Go verifier fits in 30 lines. The drop-in JavaScript verifier is in the public mirror.

# 1) Fetch the canonical verifier from the public mirror.
curl -fsSL https://raw.githubusercontent.com/KYE-Protocol/app/main/scripts/verify-self-audit.mjs -o /tmp/verify-self-audit.mjs

# 2) Run it against the live transparency log.
node /tmp/verify-self-audit.mjs

# Output (abridged):
#   Loaded JWKS — 1 key(s): kye:key:self-audit-fixture-2026-05
#   ✓ self-audit-run.json       alg=EdDSA kid=kye:key:self-audit-fixture-2026-05
#   ✓ engine-health.json        alg=EdDSA kid=kye:key:self-audit-fixture-2026-05
#   ✓ audit-integrity-check.json alg=EdDSA kid=kye:key:self-audit-fixture-2026-05

For each artefact: parse JSON, extract payload and signature, canonicalise payload (sorted keys, no whitespace), base64url-decode signature.sig, look up signature.kid in the JWKS, and verify EdDSA. No KYE-specific cryptography — vendor-documented primitives only.
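The recipe in the paragraph above as a Go verifier, added here as an example and not code from the KYE project. It assumes the envelope shape implied by the description (a payload object plus signature.alg / signature.kid / signature.sig) and an OKP/Ed25519 JWK set, and uses only the standard library.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
)

// canonicalise re-encodes the payload with sorted keys (encoding/json sorts map keys)
// and no whitespace; HTML escaping is off so "<", ">", "&" stay literal as in JSON.stringify.
func canonicalise(payload map[string]any) ([]byte, error) {
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf)
	enc.SetEscapeHTML(false)
	err := enc.Encode(payload)
	return bytes.TrimRight(buf.Bytes(), "\n"), err
}

// loadJWKS indexes the key set by kid, keeping only well-formed OKP/Ed25519 entries.
func loadJWKS(raw []byte) (map[string]ed25519.PublicKey, error) {
	var set struct{ Keys []struct{ Kty, Crv, Kid, X string } }
	keys := map[string]ed25519.PublicKey{}
	err := json.Unmarshal(raw, &set)
	for _, k := range set.Keys {
		x, derr := base64.RawURLEncoding.DecodeString(k.X)
		if derr == nil && k.Kty == "OKP" && k.Crv == "Ed25519" && len(x) == ed25519.PublicKeySize {
			keys[k.Kid] = ed25519.PublicKey(x)
		}
	}
	return keys, err
}

// verifyArtefact follows the recipe above and fails closed on any mismatch: parse,
// require alg=EdDSA and a known kid, base64url-decode sig, canonicalise payload, verify.
func verifyArtefact(raw []byte, keys map[string]ed25519.PublicKey) error {
	var a struct{ Payload map[string]any; Signature struct{ Alg, Kid, Sig string } } // assumed envelope shape
	if err := json.Unmarshal(raw, &a); err != nil || a.Signature.Alg != "EdDSA" {
		return errors.New("malformed artefact or unsupported alg")
	}
	pub, ok := keys[a.Signature.Kid] // !ok short-circuits below: Verify panics on a nil key
	sig, err := base64.RawURLEncoding.DecodeString(a.Signature.Sig)
	msg, cerr := canonicalise(a.Payload)
	if !ok || err != nil || cerr != nil || !ed25519.Verify(pub, msg, sig) {
		return errors.New("signature does not verify for kid " + a.Signature.Kid)
	}
	return nil
}
```

The canonical bytes here come from encoding/json's key ordering and number formatting, so if an artefact fails only in this verifier and not in the published one, diff the two canonical forms before concluding the signature is bad.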

4 · What's covered

Every privileged surface, enforced by the protocol itself.

Self-governance isn't a marketing claim; it's a CI gate. The test:self-description gate (constitution §45) verifies that every declared engine, agent, rail and amendment maps to a proven-to-execute enforcer. The test:self-governance-coverage gate (§0.3) verifies that every privileged surface emits the canonical evidence-event family.

  Engines         SSOT library + transport wrapper(s) per concept — canonical implementation registry (§40).
  Agents          Single agent_manifest entry; runtime path declared; behavioural probe attached at high-risk tier.
  Rails           One canonical doc per rail; cross-doc references machine-checkable.
  Amendments      Each constitution amendment binds to one or more gates that enforce its substantive locks.
  Privileged ops  CI runs, deploys, schema migrations, secret rotations, domain bindings — every action emits kye.purpose.request.v1, kye.evidence.pack.v1, kye.replay.proof.v1.
  Reconciliation  21 declared-vs-deployed reconcilers (§34): bindings, manifests, registries, schemas. Drift is a blocking failure, not a notification.
  Resilience      Liveness Engine (§44) heartbeat-probes every Worker, every 6 hours; failures route through the §41 error-collector rail.
  Attestations    Per-framework kye.compliance.attestation.v1 events, refreshed ≤ every 90 days. Stale attestations are a gate failure.

See protocol § self-govern for the canonical engine wiring · Trust Center for the full hardening register · Compliance for the framework control mappings.

See it in your stack.

The same primitives that govern this codebase ship as the KYE Reference Gateway™. Start in shadow mode; your first signed Evidence Pack™ in 4–8 weeks.