Inspect the Glacis source under NDA

Glacis draws a deliberate line: the OVERT standard and the OVERT-as-Code policy language are open source; the runtime enforcement engine and Notary are source-available under NDA — not published on a public repository.

Two real needs pull in opposite directions, and “open code under NDA” satisfies both:

  • Regulated buyers must be able to verify trust. Healthcare and finance procurement often requires inspecting how a control actually works — “check our math with Glacis dead and buried.” You should not have to take our word for it.
  • The runtime is the commercial core. Publishing the proxy/Notary on GitHub would let a monitoring vendor clone the enforcement engine and bolt their own layer on top. That would dissolve the moat without serving a single customer better.

  • The proxy/Notary source (Ed25519 / RFC 8785 / RFC 6962 implementation)
  • The inline control implementations and their honest receipt-status mapping
  • Deployment topology, key isolation, and tenant-isolation design
  • The machine-checked assurance claim (CLAIM.md) and the gate that keeps it from drifting above what the build enforces

Source inspection is arranged per engagement under a mutual NDA. Contact us to scope a review — typically alongside a deployment evaluation.