Security & supply chain

Trust, with the receipts.

Before a firm lets a vendor's open-source libraries near privileged data, it asks four questions: who maintains this, is it license-clean, is it actively patched, and can I prove the build was not tampered with. KAOS answers all four on one public page — and every answer links to evidence you can re-check yourself, with no NDA and no procurement round-trip.

The dashboard

One source of truth for all 18 packages.

kaos-compliance is a continuously-refreshed, public compliance and supply-chain dashboard. A stdlib-only collector reads only public sources — the GitHub API, PyPI, sigstore's transparency log, the OSV and GitHub advisory databases — on a schedule, writes one signed JSON snapshot, and renders it to a set of static pages. The dashboard tracks the same 18 packages listed on /packages; it is the authority that page is reconciled against.

It is anchored to the frameworks security and procurement teams already cite — OpenSSF Scorecard, SLSA, NIST SSDF (SP 800-218), the CISA SBOM Minimum Elements, PEP 740 with sigstore and PyPI Trusted Publishers, and the EU Cyber Resilience Act. And it is deliberately restrained: no invented composite score, no GitHub-star count, no maintainer-identity signals. Its own README puts it plainly — it should make maintainers slightly uncomfortable and procurement slightly happier.

For legal & procurement

The questions your diligence checklist already asks.

01

Verify it yourself — no NDA.

Every claim on the dashboard carries a Verify link to a third-party source you can open: a GitHub Actions run, a PyPI release page, a sigstore transparency-log entry. The methodology publishes a link-by-link reproduction table. Nothing asks you to take 273 Ventures' word for it — the evidence lives on infrastructure 273 Ventures does not control.

02

Zero GPL/AGPL across the dependency tree.

The 2026 license audit covered every transitive dependency across the suite — over 1,200 components — and found no strong-copyleft (GPL or AGPL) anywhere in the critical path. The handful of weak-copyleft components are all MPL-2.0, file-scoped, and individually documented with public rationale. A firm or vendor can ship a KAOS-built product without an AGPL audit blowing up the deal. The license policy is version-controlled: permissive passes, strong-copyleft and source-available licenses hard-fail. Check the current numbers on the dashboard →

03

Mapped to the frameworks you already cite.

Signals are organized against NIST SSDF (SP 800-218), the CISA SBOM Minimum Elements, and the EU Cyber Resilience Act, with a per-clause traceability matrix. Where a framework element is not yet fully met — the SBOM dependency-edge graph, for one — the dashboard flags the gap in plain sight rather than papering over it.

04

No vanity score.

There is no composite "compliance score out of 100" — a single number is gameable and tells a buyer nothing. The dashboard surfaces the raw, framework-standard signals and lets your team set its own bar. Where a signal cannot be extracted, it reads no signal yet in gray — never a silent zero dressed up as a pass.

05

The procurement answers are already public.

Governance, security policy, and the license allowlist are committed to the repository. The coordinated-disclosure window is 90 days, aligned with the EU Cyber Resilience Act. The maintainers disclose the obvious conflict — they build the software they rate — and answer it by making the methodology, the collector, and every evidence link public.

Framework coverage

Standards the dashboard tracks against.

Each tile maps to a public standard. Status reflects how completely KAOS meets it today; the dashboard reports the gaps as loudly as the passes. Open it for the live, per-package detail.

PEP 740 + sigstore · signed builds
CycloneDX SBOM · CISA minimum
OpenSSF Scorecard · per-package
NIST SSDF · SP 800-218
SLSA · build provenance
EU CRA · 90-day disclosure
License policy · no GPL/AGPL
Dep-edge graph · known gap

FULL = met across the suite today. HIGH = met for most packages, gaps named per-package. MEDIUM = partial. LOW = a documented gap the dashboard tracks openly (the SBOM dependency-edge graph is not yet emitted, so SBOMs are labeled "manifest, not full SBOM"). Verify the current state on the live dashboard.

For engineers & security teams

Signed, schema'd, and reproducible.

01

Cryptographically verifiable builds.

Every package publishes PEP 740 attestations bound to a named GitHub Actions workflow at a specific ref, with a sigstore Rekor transparency-log index. The dashboard signs its own snapshot too — a keyless OIDC signature ties the published bytes to the exact sweep that produced them. You can verify any artifact without trusting the dashboard at all.

02

Ingest the data, not the dashboard.

The HTML is one render of a published snapshot.json that ships with a Draft 2020-12 JSON Schema, derived from the collector's own dataclasses. Validate it programmatically and wire it into your own compliance pipeline — no scraping, no screen-reading. Per-package CycloneDX 1.5 SBOMs are published at stable URLs alongside it.

03

Honest by construction.

The collector never executes a test suite and never trusts a private endpoint. A signal it cannot extract is null — "we tried and could not tell" — never a silent zero. Test counts are parsed statically from source, so a parametrized case counts once: a deliberate, honest lower bound rather than an inflated headline. The "tests" tile counts real test functions; the matrix-leg number is relabeled "CI test legs" to name what it actually measures.

04

Continuous, with a watchdog.

A four-hour security sweep runs gitleaks, bandit, vulture, pip-audit, cargo-audit, and cargo-deny, then cross-checks every package against OSV and the GitHub advisory database — a version only clears when both feeds return empty. A 24-hour full sweep rebuilds the SBOMs. A heartbeat watchdog flags the page stale after 26 hours, so a frozen pipeline can never quietly serve old results as fresh.

Verify a published build yourself, or read the data directly:

verify-kaos-supply-chain.sh

```shell
# Every published wheel carries a PEP 740 attestation, logged in
# sigstore's public transparency log. Verify one yourself:
pip download kaos-core --no-deps -d ./dl
cosign verify-blob \
  --bundle ./dl/kaos_core-*.whl.publish.attestation \
  --certificate-identity-regexp 'github.com/273v' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  ./dl/kaos_core-*.whl

# Or skip the dashboard entirely and read the data:
curl -s https://273v.github.io/kaos-compliance/api/v1/snapshot.json \
  | jq '.packages[] | {name, attestations: .supply_chain.attestations}'
```
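A consumer that ingests snapshot.json the way "Ingest the data, not the dashboard" describes and applies the page's own rules: the license allowlist, a version clears only when both advisory feeds are empty, and a null signal is "no signal yet", never a pass. This is an added example, not the kaos-compliance collector or its schema; the only field names taken from the page are `packages[].name` and `packages[].supply_chain.attestations`, and the `licenses` and `advisories` fields and the snapshot contents are constructed assumptions.

```python
import json

# Policy from the page: permissive passes, MPL-2.0 (weak copyleft, file-scoped) is
# allowed, strong-copyleft and source-available licences hard-fail. The allowlist
# fails closed: a licence not on it is a fail, never a pass.
ALLOWED = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC", "MPL-2.0"}
NO_SIGNAL = "no signal yet"  # the collector's null: "we tried and could not tell"

# Constructed snapshot. Only `packages[].name` and `packages[].supply_chain.attestations`
# are shown on the page; `licenses` and `advisories` are ASSUMED field names.
SNAPSHOT = json.loads("""{"packages": [
  {"name": "kaos-core", "supply_chain": {"attestations": [{"rekor_log_index": 101}]},
   "licenses": ["MIT", "Apache-2.0"], "advisories": {"osv": [], "github": []}},
  {"name": "kaos-cli", "supply_chain": {"attestations": null},
   "licenses": ["MIT", "MPL-2.0"], "advisories": {"osv": [], "github": []}},
  {"name": "kaos-legacy", "supply_chain": {"attestations": []},
   "licenses": ["MIT", "GPL-3.0-only"],
   "advisories": {"osv": ["CONSTRUCTED-ADVISORY-1"], "github": null}}]}""")

def license_verdict(licenses):
    """The worst licence in the package's dependency tree decides."""
    if licenses is None:
        return NO_SIGNAL
    return "pass" if all(lic in ALLOWED for lic in licenses) else "fail"

def attestation_verdict(attestations):
    """null = could not extract; [] = looked and found none, which is a real fail."""
    if attestations is None:
        return NO_SIGNAL
    return "pass" if attestations else "fail"

def advisory_verdict(advisories):
    """A version clears only when BOTH the OSV and GitHub feeds return empty."""
    if advisories is None or advisories.get("osv") is None or advisories.get("github") is None:
        return NO_SIGNAL
    return "pass" if not (advisories["osv"] or advisories["github"]) else "fail"

def evaluate(snapshot):
    """Per-package verdicts plus an overall that never lets a missing signal count as a pass."""
    results = {}
    for pkg in snapshot["packages"]:
        checks = {
            "license": license_verdict(pkg.get("licenses")),
            "attestations": attestation_verdict((pkg.get("supply_chain") or {}).get("attestations")),
            "advisories": advisory_verdict(pkg.get("advisories")),
        }
        verdicts = set(checks.values())
        checks["overall"] = "fail" if "fail" in verdicts else NO_SIGNAL if NO_SIGNAL in verdicts else "pass"
        results[pkg["name"]] = checks
    return results

if __name__ == "__main__":
    print(json.dumps(evaluate(SNAPSHOT), indent=2))
```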

What this does not prove

The honest edges.

License is declared, not legally concluded — the dashboard records what each component states, and does not adjudicate upstream license claims. The SBOM dependency-edge graph is not yet emitted, so SBOMs are honest manifests rather than full relationship graphs. The dashboard itself is pre-alpha, and its numbers move with each sweep. None of that is hidden; it is written down, on the methodology page and in the dashboard's own published audits.

That restraint is the point. For a legal audience, a claim you can check beats a claim that sounds impressive. Open the dashboard, follow a Verify link, and decide for yourself.
