KYE Reporting Engineā¢
Your auditor opens one file. They verify it offline. They are done.
The engine signs a compliance report for your buyer, your auditor, or your regulator. Each report replays from your published keys alone. The synthesis is proprietary and is not disclosed in this repository.
What you get
A signed envelope your buyer can verify without calling us. No portal log-in. No vendor cooperation.
- Wire envelope:
kye.report.v1. One file per period, per framework. - Signature: Ed25519 (Edwards-curve Digital Signature Algorithm), sealed by your per-tenant
assembler_kid. - Replay: any third party can verify the report from your published signing keys.
- Delivery: opt-in email to your nominated recipients. Each delivery emits a signed
kye.report.delivery.v1receipt.
Example envelope
A representative shape. Your auditor verifies the signature over the canonical bytes.
loading...
CLI
Two commands. One to seal a period. One to verify what someone gave you.
$ kye report generate \
--kind soc2_type2 \
--framework soc_2
# → signed kye.report.v1 envelope returned in stdout
$ kye report verify --id kye:report:soc2_type2:acme:2026Q2
{"ok": true, "verified": true}
How you verify offline
Four steps. No KYE service contact required.
- Receive the envelope. Receive the signer's public key from the JWKS (JSON Web Key Set) at the publisher's well-known URL.
- Recompute the canonical bytes with JCS (JSON Canonicalization Scheme, RFC 8785).
- Run
Ed25519.verify(pubkey, canonical_bytes, signature_b64). - If the verify call returns true, you trust the report. If false, you reject it.
The derivation construction is proprietary and is not disclosed in this repository.