Supply-Y Protocol

Developer Documentation

Protocol 1.0
Documentation

Search Supply-Y

All documentation
MarkdownDemo
Customer Assurance

Trust Center

A reviewable boundary between published controls, local evidence, customer validation and production assurance.

Transparent, not certified
Current assurance decision

Strong public contract evidence, without a false production certificate

Customers can inspect the exact Protocol 1.0 controls and run the public evidence now. Production use still requires implementation-specific keys, peer tests, operations and assurance.

Protocol
Protocol 1.0
Local controls verified
10 / 12
Hosted API
Not Generally Available
Certification
Not Yet Available
Custody boundary

Three places, three different responsibilities

Customer controlled

Plaintext, private keys and approvals

ERP mappings, decrypted Packages, local Agent logs and authorization decisions remain with each participant.

Supply-Y coordinated

Ciphertext, routing state and audit metadata

Native Mode stores encrypted bytes; Catena-X Mode stores transfer references. Neither path gives Supply-Y a customer decryption key.

Bilateral exception

Time-limited joint audit

Plaintext review requires both parties to approve one exact scope, isolated session, expiry and logged access.

Control evidence

What is defined, what is verified, and what remains open

ControlOperational boundaryPublished evidenceStatus
Plaintext custodyReadable business content remains in sender and authorized recipient environments on the normal path.The data-ownership contract names every system of record and the exceptional bilateral audit path.Defined in 1.0
Private-key custodyCustomer KMS or HSM infrastructure signs and decrypts without exporting private key material to Supply-Y.Non-exporting SDK adapters pass signer and decrypter substitution rejection checks; customer KMS evidence remains implementation-specific.Verified locally
Package confidentiality and integrityNative payload bytes are encrypted for sender and recipient, bound to authenticated metadata and signed by the sender.The same nine committed vector checks pass through JOSE, WebCrypto and Python cryptography implementations.Verified locally
Release integrity and downgrade resistanceAgents pin one immutable Protocol 1.0 Manifest and verify artifact byte counts and SHA-256 digests before parsing.The release gate verifies 15 pinned artifacts and rejects stale, mixed or changed release bytes.Verified locally
Local disclosure evidenceThe sender Agent signs a plaintext-free Policy Receipt for the exact Package, recipient, Skill, policy and approval result.Receipt structure, signature, binding and eligibility outcomes pass locally; hidden sender honesty is not cryptographically proven.Verified locally
Untrusted Agent inputIncoming Package text is data, never executable instructions or a source of tool permission.Committed safety cases quarantine instruction override, tool execution and active-content attempts.Verified locally
Delivery and recoverySigned notifications use durable inbox storage, bounded retry, dead-letter handling, replay and ordered acknowledgement.Twenty-four delivery cases cover signatures, retries, duplicates, gaps, polling and acknowledgement behavior.Verified locally
Ciphertext-safe audit trailLifecycle evidence records identities, object IDs, digests, signatures, state and time without requiring Package plaintext.Native and Catena-X reference exchanges both produce valid append-only audit hash chains.Verified locally
One Package, one transportNative Mode stores one encrypted Package; Catena-X Mode stores an EDC transfer reference instead of a duplicate payload.The two-Agent harness proves one data path in both modes and matching content semantics across transports.Verified locally
Cross-language Agent exchangeA Node.js sender delivers exact signed and encrypted bytes to a separate Python recipient, which validates the Package and signs the receipt.Twenty-six Native and Catena-X checks pass across ten isolated Node.js and Python Agent processes; Node.js verifies the Python receipt.Verified locally
Reference build supply chainExact Node lock, patched Python crypto pin and commit-pinned GitHub Actions.Every PR and main push runs dependency audit plus the complete Protocol release gate; Dependabot monitors npm, pip and Actions.Verified locally
Production assuranceHosted availability, production Skill trust, customer-specific KMS evidence and certification must bind to a real implementation and environment.No public production certificate, hosted-service SLA or independent partner interoperability claim is currently published.Pre-production gate
Review packet

Follow the evidence to its source

Open assurance gates

Required before a broad production claim

  1. 01

    A generally available hosted Agent API with published production SLOs and retention commitments.

  2. 02

    A protected production Skill publisher trust root with rotation, revocation and retained release history.

  3. 03

    An independently maintained external Agent, customer KMS or HSM and qualified Catena-X partner evidence.

  4. 04

    An external security and privacy review plus implementation-specific production certification.

Status: Public assurance guide for Supply-Y Protocol 1.0. It summarizes published controls and evidence; it is not a production certification, service-level agreement or legal compliance attestation.

How to read this page

Supply-Y separates four claims that are often blurred together:

  1. Defined in Protocol 1.0: the public contract says what an implementation must do.
  2. Verified locally: committed executable evidence proves the reference implementation behaves that way under the named test conditions.
  3. Verified for a customer: a specific Agent, key system, peer, transport and operating environment produced its own evidence.
  4. Certified for production: an authorized assurance process bound reviewed evidence to a named implementation, scope and expiry.

The first two exist today. The third is part of a managed pilot. The fourth is not generally available. A green local test must never be presented as a customer production certificate.

The default trust boundary

Customer systems remain the source of truth for raw operational data. Customer Agents transform those records locally, choose an approved disclosure boundary and encrypt the resulting Package before it leaves the participant environment. Customer KMS or HSM systems retain private signing and decryption keys.

Supply-Y coordinates identity, public keys, signed Skills, encrypted Native Packages, Catena-X transfer references, Thread state, receipts, notifications and audit metadata. It does not receive a customer decryption key on the normal exchange path.

Evidence answers a precise question

A schema result proves object structure. A content digest proves byte integrity. A signature proves that a registered key approved exact bytes. A Policy Receipt proves what the sender Agent claimed to check. An audit chain proves the order and integrity of observed lifecycle events. None of those proves that a hidden business statement is true.

The control matrix links each claim to its canonical contract or evidence page. Reviewers should follow those links instead of treating this summary as standalone proof.

Customer-specific assurance

Before controlled use, each participant still validates its own Agent implementation, customer-local Connection Profile, KMS or HSM adapters, approved Skills, disclosure and approval rules, transport, peer compatibility, notification recovery, retention and pause authority. The resulting Compatibility Report belongs to that implementation and environment.

Two participants then prove one complete loop with fictional or sanitized data. Production data and service commitments are considered only after both parties accept the technical and business evidence in a signed pilot or service agreement.

Reporting and review

Send protocol questions with a minimal fictional example and exact artifact version. Report suspected vulnerabilities privately and do not include credentials, private keys, production tokens, decrypted Packages or customer plaintext in the first message. See Governance And Support for the correct route and Availability And Readiness for the current product boundary.

Reference build and dependency integrity

The public reference repository locks Node dependencies, pins the Python cryptographic conformance dependency and runs the complete Protocol release gate on every pull request and every push to main. The workflow installs exact dependencies, runs npm audit at moderate severity, executes all protocol and cross-language cryptographic checks, and produces a clean production build.

CI then starts that production build and runs the same browser acceptance suite used for release review. It verifies all 26 documentation routes and their unique metadata, the hosted Sandbox UI and exchange, every discovered internal link, OpenGraph output, security response headers, Axe accessibility results, keyboard navigation, responsive layouts and a nonblank interactive 3D scene. A failure retains browser screenshots for review instead of publishing a green check without page-level evidence.

GitHub Actions are pinned to immutable commit SHAs. Dependabot monitors npm, pip and GitHub Actions every week, while pull requests receive a dependency review that blocks newly introduced moderate-or-higher vulnerabilities. The current Python conformance pin is cryptography==48.0.1, which contains the fixes required by the three advisories affecting the previous 46.0.5 pin.

This evidence covers the Supply-Y reference repository and its published conformance tools. It does not certify a customer's Agent, operating system, container base image, KMS adapter or transitive dependencies; each customer must scan and attest its own deployment.

On this page