Build on the corpus.
The Apeiris public knowledge layer is open, machine-readable, and signed. Everything here is one fetch → verify → use pattern away — no SDK required, no account, same-origin JSON over HTTPS.
Quickstart
Three steps: fetch the signed manifest, verify an artifact against its pinned hash, then use the data. This runs in a browser or Node with no dependencies.
// 1. Fetch the signed manifest (the index + integrity anchor) const manifest = await (await fetch('https://apeiris.ai/integration/manifest.json')).json(); // 2. Fetch a domain matrix and verify its bytes against the pinned SHA-256 const res = await fetch('https://apeiris.ai/integration/domains/security-controls-full.json'); const bytes = await res.arrayBuffer(); const hash = [...new Uint8Array(await crypto.subtle.digest('SHA-256', bytes))] .map(b => b.toString(16).padStart(2, '0')).join(''); const pinned = manifest.domains.find(d => d.slug === 'security').sha256; if (hash !== pinned) throw new Error('integrity check failed — do not trust this artifact'); // 3. Use the controls const { dataset } = JSON.parse(new TextDecoder().decode(bytes)); console.log(dataset.controls.length, 'controls'); // 52
Don't trust — recompute. The manifest is signed (Ed25519 over the JCS-canonical bytes); every artifact carries a SHA-256 you can recompute yourself. The Verify page does exactly this, live, in your browser.
Core concepts
Four kinds of artifact
- Control matrices — the 12 domain JSONs at
/integration/domains/<slug>-controls-full.json. Each control carries itsvalidation_objective,evidence_required,machine_tests,blocking_effect, andframeworks[]mappings. - The manifest —
/integration/manifest.json: the domain index, per-artifact SHA-256, and an Ed25519 signature over the whole thing. - Coverage & proof — per-framework coverage maps and the Evidence Proof Map (
/integration/proofmap.json): obligation → addressing controls → required evidence → verdict. - The conformance contract —
/integration/conformance.json: every controlled vocabulary (fit,basis,blocking_effect, …), each value's meaning, and the consumer invariants — derived live from the data.
Two invariants that keep it honest
- mapped ≠ satisfied. A control being mapped to a framework obligation says the map exists; it does not say your deployment satisfies it. That is decided by evidence at runtime. Try it on the Prove an obligation page.
- basis: anchored vs asserted. Each framework mapping carries a
basis:anchoredmeans the cited identifier was validated in CI against the framework's captured primary text;assertedmeans cited but not yet anchored. Treatassertedas unvalidated.
Endpoints
Everything is static JSON over HTTPS with permissive CORS. The most useful entry points:
The full, categorized reference — all endpoints with copy-paste curl examples — lives on the API & Endpoints page. Machine discovery: /llms.txt.
Verify integrity
Two layers, both recomputable without trusting us:
- Per-artifact SHA-256 — each artifact's hash is pinned in the manifest (see the Quickstart). Recompute the bytes and compare.
- Manifest signature — the manifest carries an Ed25519 signature over its RFC 8785 (JCS) canonical form, minus the signature field. The public key (trust anchor) is at
/integration/keys/manifest-signing-ed25519.pub.json; the private key is held offline.
The Verify page runs both checks live in the browser; the API page lists the out-of-band CLI equivalents.
MCP servers
Two read-only, zero-dependency MCP servers (stdio JSON-RPC, protocol 2024-11-05) let an agent query the corpus through one governed, checksum-verified interface. They live in the apeiris-control-core repo; run from its root:
// claude / MCP client config
{
"mcpServers": {
"apeiris-graph": { "command": "node", "args": ["adapters/graph-mcp/server.js"] },
"apeiris-atlas": { "command": "node", "args": ["adapters/atlas-mcp/server.js"] }
}
}
- Knowledge graph —
get_node,neighbors,shortest_path,query_graphover the ~3,200-node graph. Human view: the Graph Explorer. - ATLAS —
get_technique/mitigation/tactic/case_study,search,version_diff,map_to_apeirisover the pinned MITRE ATLAS model.
Both verify their artifact against the manifest SHA on load and refuse to serve on mismatch; every response carries provenance.
Build a verifier
A minimal Apeiris-aware verifier does three things:
- Fetch + verify the manifest and the artifacts you rely on (Quickstart) — refuse to proceed on a hash mismatch.
- Resolve controls by their cross-domain URI, e.g.
apeiris://security/controls/IA-01, and readevidence_required+blocking_effectto know what a passing state demands. - Compose obligations — walk an obligation's proof chain (from
proofmap.json) and evaluate each control against the evidence you hold. Keepcoverage(mapped) andevidence(satisfied) as two distinct verdicts. The Prove page is a reference implementation of this loop in ~120 lines.
Cite Apeiris
Cite a single control by its stable cross-domain URI:
apeiris://security/controls/IA-01
→ https://apeiris.ai/domains/security/#IA-01
Cite the corpus as a versioned, verifiable whole by pinning the manifest version and its signature key id — so a reader can reproduce exactly what you cited:
Apeiris public knowledge layer, manifest v1.1.0, signed ed25519-… — https://apeiris.ai/integration/manifest.json
License
The public knowledge layer is openly published. The authoritative license is declared in the manifest's usage block (shown live below) and governs reuse of the control definitions, evidence model, and cross-domain URI scheme. Read the full license →
License: loading from the manifest…