Back to Releases
ops v0.1.0 stable

ops v0.1.0 — first reference-implementation release

cli-v0.1.0 Download

ops v0.1.0 — first reference-implementation release

This is the first versioned release of the ops CLI, the reference implementation of the Agent Operations specification. It bundles the work landed in milestones M09 through M19.

Highlights

  • Single binary, subcommands as modules (D15): ops run, ops log, ops cab, ops deploy, ops chk, ops doctor, ops self-update.
  • AES-evented: every state-changing subcommand emits an Audit Evidence Schema record, signed by a per-leaf Ed25519 key, validated against audit_evidence_schema.v0.1.0.json.
  • Sigstore-signed binaries: each platform binary is signed keyless via GitHub Actions OIDC; the SHA256SUMS aggregate file is signed the same way. See Verifying below.
  • Signed self-update (M20): ops self-update --to-version v0.1.0 --bundle-dir <dir> cosign-verifies a downloaded bundle against the expected workload identity before atomically swapping the running binary.
  • Forwarder daemon (M18), doctor (M17), chk (M16), deploy (M14, M15) and cab (M12, M13) all wired through ops-core.

Supported targets

TripleBinary
x86_64-unknown-linux-gnuops-x86_64-unknown-linux-gnu
aarch64-unknown-linux-gnuops-aarch64-unknown-linux-gnu
aarch64-apple-darwinops-aarch64-apple-darwin
x86_64-pc-windows-msvcops-x86_64-pc-windows-msvc

Downloads

All artefacts (binary + .sig + .pem per target, plus the signed SHA256SUMS aggregate and the aes-records-cli-v0.1.0.tar.gz build audit bundle) live on the GitHub Release:

Verifying

Each binary is published with .sig (Sigstore signature) and .pem (Fulcio certificate) sidecars. To verify a downloaded binary:

cosign verify-blob \
  --certificate ops-x86_64-unknown-linux-gnu.pem \
  --signature   ops-x86_64-unknown-linux-gnu.sig \
  --certificate-identity-regexp \
    'https://github\.com/deixei/AgntOpsCli/\.github/workflows/release\.yml@refs/tags/cli-v0\.1\.0' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  ops-x86_64-unknown-linux-gnu

The SHA256SUMS aggregate is signed the same way. To verify the aggregate then the binaries against it:

cosign verify-blob \
  --certificate SHA256SUMS.pem --signature SHA256SUMS.sig \
  --certificate-identity-regexp \
    'https://github\.com/deixei/AgntOpsCli/\.github/workflows/release\.yml@refs/tags/cli-v0\.1\.0' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  SHA256SUMS
sha256sum --check SHA256SUMS

Self-update

If you have a prior ops install, you can upgrade in place:

gh release download cli-v0.1.0 \
  --pattern 'ops-x86_64-unknown-linux-gnu*' \
  --dir /tmp/ops-upgrade
ops self-update --to-version v0.1.0 --bundle-dir /tmp/ops-upgrade

ops self-update will refuse the swap and exit with code 65 if the Sigstore signature does not verify against the GitHub Actions release identity. A release.autoupdate AES record is appended to .ops/ under the working directory on both pass and refuse paths.

Licence (D33)

The reference implementation is released under the Business Source License 1.1 with a four-year Change Date converting to Apache 2.0. Single-organisation production use is permitted as an Additional Use Grant (D33.3). The candidate specification at spec/ remains CC-BY-4.0. See LICENSE.

Canonical source

The canonical release notes are the file in the repository at releases/cli-v0.1.0/RELEASE_NOTES.md and the corresponding GitHub Release.