Software bill of materials
A CycloneDX SBOM is generated and validated in CI on every build. Download sbom.cdx.json.
Enterprise governance & trust
Provenance, licensing, and governance for the open-source payments and post-quantum libraries — the evidence a vendor-risk or compliance review needs, in one place.
Provenance
A CycloneDX SBOM is generated and validated in CI on every build. Download sbom.cdx.json.
The deployed SBOM carries a signed build-provenance attestation. Verify it yourself:
gh attestation verify sbom.cdx.json \ --owner sebastienrousseau
Every article is Sigstore-signed and dated, so a reader can prove authorship and integrity independently.
Supply-chain posture is scored weekly. View the live Scorecard.
Licensing
| Library | Scope | License |
|---|---|---|
| pain001 | ISO 20022 pain.001 generation | Apache-2.0 / MIT |
| pacs008 | ISO 20022 pacs.008 FI-to-FI transfer | Apache-2.0 / MIT |
| KyberLib | ML-KEM (CRYSTALS-Kyber, NIST FIPS 203) | Apache-2.0 / MIT |
| BankStatementParser | Structured statement parsing | Apache-2.0 / MIT |
Every library is permissively licensed and runs on your own infrastructure — no proprietary translator between your systems and the clearing network, no vendor lock-in.
Governance
These libraries are authored and maintained by one person. For regulated adoption that raises a fair bus-factor question, so here is the mitigation, stated plainly rather than hidden:
Recognition
Every item below links to a dated, externally verifiable artefact.