Skip to main content

Release and Attestation

Every release of the Open Agentic Platform is accompanied by cryptographic attestations to ensure supply chain integrity (Spec 117).

SLSA Build Provenance

Every shipped installer (e.g., .dmg, .AppImage, .exe, .deb, .rpm, .msi) carries a SLSA build-provenance attestation (<installer>.intoto.jsonl).

This is a Sigstore-signed claim asserting that the installer was built by the official GitHub Actions workflow (release-desktop.yml), from a specific commit, on a GitHub-hosted runner.

Verifying Provenance

You can verify the attestation using the GitHub CLI (gh version 2.50+):

gh attestation verify path/to/opc_<version>_aarch64.dmg \
--repo stagecraft-ing/open-agentic-platform

CycloneDX SBOM

Every release target also carries a CycloneDX Software Bill of Materials (SBOM) (sbom-desktop-<target>.cdx.json).

This SBOM provides a complete inventory of the crates and npm packages that went into the build. It includes the full Rust closure from src-tauri/Cargo.lock and the frontend npm closure from product/pnpm-lock.yaml.

Bundled Sidecar SBOM

The axiomregent MCP server is bundled into the OPC desktop installer as an internal sidecar. Its specific SBOM (sbom-axiomregent.cdx.json) is generated during the desktop release flow and linked from each installer SBOM via a CycloneDX externalReferences BOM-Link.