60 seconds

Total wall-clock from npm install to a signed decision artifact: under a minute. The first three steps are offline — you can run them on a plane and they will return the exact bytes the production edge would.

1. Install

$ npm i -g wos-core
   added 1 package in 4s

$ wos --version
wos          0.1.0
athena (L1)  0.1.0
nyx    (L2)  0.1.0

Node 20+. The published binary is signed; the verification recipe lives at /security/verification. If you don’t verify, you don’t run it.

2. Lint a policy

The repo ships a working KYC policy at examples/policy.yaml. Four rules, one fallback, fully Athena-compliant.

$ wos lint examples/policy.yaml
✓  Policy is valid — 4 rules compiled clean
   policy_id: kyc.tier2.jp.v3
   linter:    athena 0.1.0

Athena (L1) compiles the DSL into a deterministic decision graph in-process. Errors carry stable machine codes (SCHEMA_VIOLATION, CONTRADICTORY_RULES, MISSING_ARRAY_MAX, …) and a JSON path to the offending node — wire wos lint --json straight into your pre-commit hook.

Full CLI reference →

3. Simulate a decision

A passing input also ships in the repo, at examples/input.json.

$ wos simulate examples/policy.yaml examples/input.json
✓  PASS  via rule R004
   policy_id:     kyc.tier2.jp.v3
   confidence:    0.96
   fallback_used: false

Trace
   › R001  applicant.sanctions_hit == true                  no match
   › R002  applicant.years_since_incorporation < 3          no match
   › R003  applicant.capital < 5000000                      no match
✓  R004  documents.any(d => d.type == 'CORP_REGISTRY' && …)  → PASS

Nyx (L2) returns the same byte sequence the production edge would return. Glass-Box: every fact L2 read is in the trace, every rule it evaluated is in the trace, every rule it skipped is in the trace. Pipe --json and you get a single document you can store and replay.

Full simulate reference →

4. (Optional) Deploy

This is the only step that opens a socket. You’ll need an API token first — see Install & sign up.

$ export WOS_API_TOKEN="wos_sk_live_…"
$ wos deploy examples/policy.yaml
✓  Deployed — kyc.tier2.jp.v3 v1
   dsl_hash:     b1946ac9···
   version:      1
   committed_at: 2026-05-10T12:00:00Z

deploy lints the policy locally before it ever opens a socket — a malformed DSL never reaches the wire. Idempotent on dsl_hash: re-deploying identical bytes returns the existing version row, so your repo’s git history and the control plane’s version history stay 1 : 1.

Full deploy reference →

What you have at the end

A locally-validated policy with a deterministic dsl_hash you can pin in CI assertions.
A signed decision artifact reproducible from the input bytes plus the policy bytes plus our public key.
Three exit codes (0, 1, 2) you can wire into pre-commit, CI, and CD with no framework dependencies.

Where to go next

Install & sign up — the install path you actually run, with binary verification and your first API token.
Core concepts — five terms, five sentences, five verifiable artifacts.
Architecture deep-dive — every layer, every primitive, every file path in the repo.
Cookbook: Tier-2 Japanese KYC — the policy you just ran, walked through line by line.

Install & sign up