Trust

Don't trust — verify.

Apeiris is a corpus about proof, so it holds itself to the same standard. Everything published here is content-addressed, signed, and independently checkable — you should not have to take our word for any of it. Here is exactly how to check, and what we do and don't claim.

Signed & content-addressed

One signed manifest anchors every byte.

Each artifact — every domain control matrix, schema, coverage and analysis file, and the knowledge graph — is content-addressed by its SHA-256 and pinned in a single integration/manifest.json. That manifest is itself signed with an offline Ed25519 key over its RFC 8785 (JCS) canonical bytes; the public key is published as the trust anchor and the private key never touches the repository or a build server.

Verify it yourself

Recompute the hashes and the signature — live.

The integrity checker re-fetches the manifest, recomputes every artifact's SHA-256 in your browser, and verifies the Ed25519 signature against the published key — no Apeiris code trusted in the loop. The docs show the same fetch → verify → use pattern for doing it out-of-band in your own pipeline. A mismatch means the copy you fetched isn't what Apeiris signed — treat it as fail-closed and stop.

Citation fidelity

Mapped, satisfied, and anchored are three different things.

Every framework mapping carries an explicit fit, a mapping_confidence, and a computed basis: anchored means the cited identifier was validated in CI against the framework's captured primary text; asserted means it's cited but the framework isn't yet ingested as an anchor, and it says so. We don't write a citation from memory — see the source references and the citation-fidelity model in the docs. And mapped ≠ satisfied: a mapping shows where a control could apply, not that your evidence holds — the proof composer makes that distinction executable.

Open & inspectable

Nothing hidden behind a login.

The public knowledge layer is open under CC BY 4.0 and fully machine-readable. Machine-authored content that hasn't yet had human review is tracked honestly in a review-status ledger rather than presented as reviewed. You can read every control, every source, and every mapping directly, or query the corpus through the read-only MCP servers described in the docs.

Security & disclosure

Report issues responsibly.

We publish a security.txt and welcome coordinated disclosure. Email security@apeiris.ai with findings on the public site or the integration endpoints. Please don't run destructive tests, high-volume automated scanning, or social engineering — the scope and preferred practice are in the security.txt.

What we don't claim

Honest framing.

We are building the evidence fabric for autonomous enterprise action; the public knowledge layer defines how AI actions can be verified. It is a knowledge and integrity layer — not a certification, and not a guarantee that any system is compliant or safe. The Apeiris platform (the runtime trust engine) is a prototype, not a hosted product. See the Terms for the full statement.