The building blocks of the Universal Chain of Custody for Autonomous Workflows
Every interaction follows the Plan → Govern → Apply lifecycle. Artifacts are hashed and signed, policies validate decisions, and receipts prove execution.
Platform-agnostic Go/Rust binary with embedded OPA for policy enforcement. Uses keyless OIDC for identity and generates cryptographically sealed audit logs.
OCI-native workers (Scout, Planner, Dev, Infra, Tower) that execute specialized tasks. Open source and distributed as container images.
Self-contained proofs (audit.json) with pluggable drivers. Default pushes to Git orphan branch, enterprise fans out to Splunk/S3.
No long-lived keys. Uses OIDC tokens from GitHub/AWS/GitLab to sign logs. Zero-config for OSS users via GitHub Actions adapter.
Engines distributed as OCI images, executed as subprocesses to share host tools (git, npm). Content-addressable caching for CI efficiency.
Open Source (Apache 2.0): Protocol, Engines, CLI, Drivers
Commercial (BSL 1.1): Orchestrator with Vendor Signatures & Advanced Governance