Supply-Y Protocol

Developer Documentation

Protocol 1.0
Documentation

Search Supply-Y

All documentation
MarkdownDemo
Customer Operating Guide

Plan a Managed Pilot

One bounded business loop, explicit customer boundaries and evidence both participants can review.

Pilot operating plan
From evaluation to a controlled exchange

A bounded proof, not an open-ended integration

Start with one decision and fictional data. Continue only when both companies approve the scope, controls and evidence for the next gate.

ScopeOne loop, two companies
StartFictional or sanitized data
TransportNative or Catena-X, never both
FinishPortable evidence and an exit decision

Status: Live customer operating guide for Supply-Y Protocol 1.0. It explains how a managed pilot is scoped and accepted; it is not part of the immutable 1.0 wire contract or a public service-level agreement.

What the pilot is

A Supply-Y pilot proves one useful cross-company decision loop between two named participants. It is deliberately narrower than a production rollout: one business question, one sender, one recipient, one approved Skill and one transport path.

The pilot must prove both sides of the exchange. The business participants receive enough bounded information to act, while the technical evidence proves which exact protocol release, Agent configuration, Package bytes, policy decision and receipts governed the loop.

The pilot is not a request to centralize ERP data, replace either company's Agent or open customer systems to Supply-Y.

Entry criteria

AreaMinimum needed before a two-party exchange
ParticipantsOne business owner and one technical owner at each company
DecisionOne concrete question, intended recipient, response type and decision window
Agent pathExisting company Agent or a customer-isolated Jenae deployment
DataA fictional or sanitized example that demonstrates the required business meaning
KeysCustomer-controlled signing and encryption key plan; no private key export
TransportOne choice for the pilot: Native Mode or Catena-X EDC
ControlsNamed disclosure approver, retention rule, forwarding rule and tool permissions
OperationsSecurity contact, pilot incident contact and agreed pause authority

A participant can begin discovery before all criteria are complete. No cross-company exchange starts until both participants approve the scope and the technical readiness evidence.

Who does what

OwnerResponsibility
Sending companyMaps local source data, chooses what to disclose, approves the recipient and signs the outbound policy result
Receiving companyDefines the useful response, verifies incoming data as untrusted, controls local tools and returns a signed receipt or response
Both companiesAgree the shared business meaning, success criteria, transport path, retention and escalation rules
SupplyWhyProvides the pinned protocol contracts, signed pilot Skills, isolated coordination service, conformance run and ciphertext-safe audit evidence

SupplyWhy does not approve a customer's disclosure, hold customer private keys or decide whether an Agent may act in a customer system.

Data and key boundary

The pilot starts with fictional or sanitized data. If both companies later approve a bounded operational exchange, only the Package defined by the selected Skill crosses the company boundary. Raw source records, internal transformations, credentials, private keys and decrypted Packages stay in customer-controlled environments.

In Native Mode, Supply-Y stores one encrypted Package plus the metadata needed for routing and audit. In Catena-X Mode, the Package travels once through the participants' EDC data plane and Supply-Y stores transfer references and audit evidence, not a second copy.

Supply-Y does not receive a customer decryption key. A content-level joint review is a separate, time-limited action that requires both participants to authorize the exact Package and scope. See Security And Trust for the complete ownership table.

Pilot stages and gates

StageWorkGate to continue
1. ScopeName the decision, participants, value for each side, protected data and target responseBoth business owners approve one written loop definition
2. Local readinessPin Protocol 1.0, configure customer-local references, validate fixtures and run the Agent compatibility checksEach Agent produces a reviewed Compatibility Report; production exchange remains disabled
3. Two-party sandboxExchange a fictional or sanitized Package and Response Object through the selected transportSignatures, digests, receipts, thread state and recovery behavior match on both sides
4. Controlled exchangeEnable only the approved Skill, recipient, fields, retention and decision window in an isolated pilot environmentBoth participants approve the exact controls and can pause the loop independently
5. CloseoutReview business outcome, disclosure boundary, failures, audit evidence and operating ownershipJoint written decision to stop, revise, repeat or prepare a production agreement

Passing one stage never silently enables the next. Every enablement decision is explicit, evidence-bound and reversible.

Acceptance evidence

The final pilot record should let either participant reconstruct the exchange without asking Supply-Y for business plaintext. It contains:

  • the exact Protocol 1.0 Manifest URL and digest;
  • the selected Skill coordinates, release digest and publisher status;
  • one Compatibility Report for each participating Agent and environment;
  • customer-local Connection Profile digests, never the credentials or private keys they reference;
  • Package, Response Object, Policy Receipt and recipient receipt identifiers, digests and signatures;
  • Native or Catena-X transfer evidence showing that one Package used one transport path;
  • an ordered thread and append-only audit evidence;
  • one demonstrated notification retry or ordered recovery path;
  • one tested pause, revocation or retention action;
  • a business review naming the action taken, value for each participant and information deliberately withheld.

A pilot succeeds only when the technical evidence passes and both participants agree that the bounded information was useful enough to make the named decision. Schema validity alone is not business success.

Failure, pause and exit

Either participant may pause its Agent or stop the pilot according to the agreed authority. A partial failure remains visible as its own state; it is retried, rejected or resolved rather than reported as a completed loop.

At exit, SupplyWhy stops pilot credentials and delivery, applies the agreed ciphertext retention or deletion rule, and exports ciphertext-safe audit evidence. Each customer retains its local mappings, approvals, keys, decrypted content and Agent logs. The stable protocol artifacts and customer evidence remain portable; continuing with Supply-Y is not required to read them.

Commercial and support boundary

Protocol 1.0 does not define pricing, uptime or incident-response commitments. Pilot fees, usage measures, any value-linked commercial model, support hours, severity definitions and response targets belong in a signed pilot order.

Any billable measure must be deterministic and reviewable by both parties. Supply-Y does not rely on reading customer plaintext or on a unilateral estimate of savings to calculate a charge. No public SLA is implied by this guide.

Start without sending sensitive data

Send only the minimum sanitized context needed to plan a call:

  • the two participant roles or company types;
  • the decision the loop should help make;
  • who would send and who would respond;
  • existing Agent language or the need for Jenae;
  • Native or Catena-X transport preference, if known;
  • the desired evaluation period and named business and technical contacts.

Do not send credentials, private keys, production tokens, raw ERP exports, decrypted Packages or confidential contract data. Start a pilot conversation with sanitized context, or first complete the public Getting Started path without an account or customer data.

On this page