Don't trust — verify.
Apeiris is a corpus about proof, so it holds itself to the same standard. Everything published here is content-addressed, signed, and independently checkable — you should not have to take our word for any of it. Here is exactly how to check, and what we do and don't claim.
One signed manifest anchors every byte.
Each artifact — every domain control matrix, schema, coverage and analysis file, and the knowledge graph — is content-addressed by its SHA-256 and pinned in a single integration/manifest.json. That manifest is itself signed with an offline Ed25519 key over its RFC 8785 (JCS) canonical bytes; the public key is published as the trust anchor and the private key never touches the repository or a build server.
Recompute the hashes and the signature — live.
The integrity checker re-fetches the manifest, recomputes every artifact's SHA-256 in your browser, and verifies the Ed25519 signature against the published key — no Apeiris code trusted in the loop. The docs show the same fetch → verify → use pattern for doing it out-of-band in your own pipeline. A mismatch means the copy you fetched isn't what Apeiris signed — treat it as fail-closed and stop.
Mapped, satisfied, and anchored are three different things.
Every framework mapping carries an explicit fit, a mapping_confidence, and a computed basis: anchored means the cited identifier was validated in CI against the framework's captured primary text; asserted means it's cited but the framework isn't yet ingested as an anchor, and it says so. We don't write a citation from memory — see the source references and the citation-fidelity model in the docs. And mapped ≠ satisfied: a mapping shows where a control could apply, not that your evidence holds — the proof composer makes that distinction executable.
Nothing hidden behind a login.
The public knowledge layer is open under CC BY 4.0 and fully machine-readable. Machine-authored content that hasn't yet had human review is tracked honestly in a review-status ledger rather than presented as reviewed. You can read every control, every source, and every mapping directly, or query the corpus through the read-only MCP servers described in the docs.
Report issues responsibly.
We publish a security.txt and welcome coordinated disclosure. Email security@apeiris.ai with findings on the public site or the integration endpoints. Please don't run destructive tests, high-volume automated scanning, or social engineering — the scope and preferred practice are in the security.txt.
Honest framing.
We are building the evidence fabric for autonomous enterprise action; the public knowledge layer defines how AI actions can be verified. It is a knowledge and integrity layer — not a certification, and not a guarantee that any system is compliant or safe. The Apeiris platform (the runtime trust engine) is a prototype, not a hosted product. See the Terms for the full statement.