LiveCC0 spec · IETF Internet Draft (draft-shovan-gap-00)
GAP: Governed Action Protocol
The open wire protocol for governed capability invocation across any actor type.
Specifies the four-phase lifecycle (Declare, Grant, Invoke, Receipt) for governed capability invocation. Any actor -- AI agent, device, industrial controller, MCP tool server -- speaks a common envelope: content-addressed CDROs (Content-addressed, Deterministic, Replayable Objects) with SHA-256 object identifiers any party can independently verify. Every gate decision produces a signed GapDecisionReceipt. Conformance tiers L1 through L4 cover CDRO validation through hybrid Ed25519 + ML-DSA-65 signing, authorized-axis classification, and federated revocation. Protocol spec published under CC0; @synoi/gap type library Apache-2.0; SynOI Gateway reference implementation AGPL-3.0-or-later (commercial license available). Submitted to the IETF as an Individual Internet-Draft (draft-shovan-gap-00).
Audience · Protocol implementors · standards reviewers · integration architects
Read the paper →DraftPublic draft
SRAID-Core: Self-Routing Addressable Identity Data
The content-addressed object substrate beneath every Decision Receipt and GAP invocation.
Specifies the SRAID L0 object layer: content-addressed envelope (CDRO), OID computation (SHA-256 over canonical form), supersession links for immutable update chains, and point-in-time query semantics. Wire format is canonical JSON with lexicographically sorted keys; a CBOR profile is reserved for a future version. Signing uses hybrid Ed25519 + ML-DSA-65 over the canonical body, enabling offline independent verification without contacting the issuer.
Audience · Protocol designers · standards working groups · security researchers
Draft on request · via the contact formPlannedArchitecture white paper
Supply Chain Guard: Four-Layer Package Defense
State-aware behavioral analysis at every package surface: fetch, diff, install, and publish.
Architecture of the Supply Chain Guard product: four defensive layers -- Registry Mirror (silent divergence scoring at fetch time), PR Bot (diff-time verdict on lockfile changes), Lockfile Verifier (CI-time gate that re-checks every install), and Verified Publisher (out-of-band human approval required before any release token can post). Behavioral scoring compares each install against the maintainer's state history: postinstall changes, new egress endpoints, dependency mutations, and publishing burst patterns. Every decision produces a hybrid-signed GapDecisionReceipt.
Audience · Engineering leaders · security architects · open-source maintainers
Notify on release · via the contact formPlannedPlanned · Q3 2026
Decision Receipt Cryptography
How every receipt is signed, content-addressed, and verified offline.
Canonicalization rules, hybrid signature scheme (Ed25519 + ML-DSA-65 over a canonical JSON projection), OID derivation, key rotation, optional Rekor anchoring, and the post-quantum migration path (FIPS 204). The v1 format signs a canonical projection of decision fields; the planned v2 format upgrades to a full DSSE attestation envelope with PAE type-binding. Includes worked examples and an independent reviewer kit.
Audience · Auditors · compliance teams · cryptography reviewers
Notify on release · via the contact formPlannedPlanned · Q3 2026
Tenant-Encrypted Deployment
Payload content never stored in plaintext. The tenant holds the master key; SynOI never can.
Specifies the tenant-encryption deployment tier: each content object is encrypted with a per-object Data Encryption Key (DEK). The DEK is wrapped by the tenant-held master key, which never leaves the tenant environment. SynOI retains only the wrapped DEK, hashed object identifiers, timestamps, and signed decision verdicts -- never plaintext payload content. The security boundary and leakage profile are defined explicitly: what SynOI can observe (verdict, timestamp, OID hash) and what it structurally cannot (payload, policy text, entity names). Includes key-rotation protocol, wrapped-DEK storage layout, and the threat model for a compromised SynOI operator.
Audience · Privacy officers · compliance teams · security architects
Notify on release · via the contact formPlannedPlanned · Q4 2026
SynOI Trust Model
Who must be trusted, for what, and what survives operator compromise.
Formal trust model: tenant, operator, upstream provider, and verifier roles. What each can and cannot do. What guarantees survive operator compromise (signature verifiability, public log anchoring, byte-identical replay). What requires operator integrity (key non-disclosure, policy distribution). Covers the tenant-encrypted deployment tier: content encrypted with per-object DEKs wrapped by a tenant-held master key, so SynOI is structurally incapable of reading payload content. Includes threat tables and explicit non-goals.