Relicta

The governance layer for software change

Governing change in an AI-driven world

As AI agents and CI systems generate more code, deciding what should ship becomes the hardest problem. Relicta governs change — before it reaches production.

Agent / CI → Relicta → Production
The decision layer for modern software delivery.
7 Risk factors with historical learning
5 AI providers supported
4 Audience-specific narratives
1 Binary. Zero dependencies.

The Problem

Software delivery scaled. Decision-making didn't.

Code is cheap. Changes are frequent. Risk is hidden. Trust erodes.

Past

Human-written code. Human reviews. Human pace.

Now

Agent-generated change. CI automation. Overwhelmed humans.

The Solution

Relicta governs change — not just releases.

Relicta sits between humans, agents, and CI systems. It decides what changes, how risky it is, who approves, and how it's communicated.

The Core Decisions

  • What changed? (Semantic Analysis)
  • Is it risky? (Risk Scoring)
  • Who approves? (Governance)
  • How to tell users? (Communication)

How It Works

From commit to production, governed.

One command. Five stages. Full audit trail.

1. Plan

Analyze commits, detect breaking changes, calculate risk score, suggest version.

2. Bump

Apply semantic version. Create git tag.

3. Notes

Generate AI-powered release notes. Engineering, product, executive, and customer variants.

4. Approve

Policy check. Auto-approve low-risk, require humans for high-risk. Audit hash chain entry.

5. Publish

Tag, changelog, plugins, Sigstore attestation. Done.

$ relicta release

plan    47 commits since v1.3.0 · 2 breaking, 8 features, 12 fixes
        Risk: 0.58 (medium) · Blast radius: 3/7 packages
        Suggesting: v2.0.0 (major)

bump    Version set to v2.0.0

notes   Release notes generated via Claude
        4 audience variants: engineering, product, executive, external

approve Policy: risk > 0.5 requires approval
        Auto-approved: actor trust score 0.94
        Audit: SHA-256 hash chain entry recorded

publish  GitHub release created
         npm package published
         Slack #releases notified
         in-toto attestation signed via Sigstore

Done. v2.0.0 released with full governance trail.

Differentiators

What no other tool offers

Other tools automate releases. Relicta governs them.

01. Change Governance Protocol

The first standardized, vendor-neutral protocol for governing software change. Actor-agnostic, transport-independent, audit-first.

02. MCP-Native AI Agents

The only release tool that's an MCP server. AI agents can plan, assess risk, approve, and publish releases natively.

03. Risk Scoring with Memory

7-factor weighted risk calculation that learns from past releases and incidents. Gets smarter every time you ship.

04. Blast Radius Analysis

Maps changed files to impacted packages, builds dependency graphs, and quantifies change scope before you release.

05. Audience-Specific Narratives

One release, four stories. Engineering gets the diff. Product gets highlights. Executives get impact. Customers get the upgrade guide.

06. Policy DSL

Composable governance rules with full logic support. Define approval gates, team routing, and auto-approval criteria as code.

07. Release Memory

Tracks actor reliability, incident correlation, and risk patterns over time. Your release intelligence compounds.

08. SLSA Governance Attestation

in-toto v1 attestation signed via Sigstore. Proves not just what was built, but why it was approved and by whom.

Comparison

Why Relicta?

Capability semantic-release release-please goreleaser LaunchDarkly Relicta
Semver automation
AI release notes 5 providers
Risk scoring Basic 7-factor + learning
Approval workflows Policy DSL
Audit trail Flags Cryptographic
MCP server Native
Blast radius
Supply chain attestation Partial in-toto + Sigstore
Single binary
Open source MIT Apache MIT MIT

Trust & Security

Enterprise-grade security. Developer-grade UX.

Zero data leaves your environment

Runs locally or in your CI. No SaaS. No cloud dependency. Your code, your keys, your infrastructure.

Cryptographic audit trails

Every governance decision is recorded in an immutable SHA-256 hash chain. Tamper-evident by design.
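
How a SHA-256 hash chain makes a decision log tamper-evident, as an added example that is not Relicta's code or record format. The field names (`actor`, `stage`, `decision`, `risk`), the all-zero genesis value and the canonical JSON encoding are assumptions, and the sample decisions are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed "previous hash" for the first entry


def entry_digest(index, prev_hash, payload):
    # Canonical JSON (sorted keys, fixed separators) so equal records hash equally.
    body = json.dumps({"index": index, "prev": prev_hash, "payload": payload},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def append_entry(chain, payload):
    """Append a decision record bound to the hash of the entry before it."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    entry = {"index": len(chain), "prev": prev_hash, "payload": payload}
    entry["hash"] = entry_digest(entry["index"], prev_hash, payload)
    chain.append(entry)
    return entry


def verify_chain(chain, expected_head=None):
    """Return (ok, index of the first entry that fails, or None)."""
    prev_hash = GENESIS
    for i, entry in enumerate(chain):
        if (entry["index"] != i or entry["prev"] != prev_hash
                or entry["hash"] != entry_digest(i, prev_hash, entry["payload"])):
            return False, i
        prev_hash = entry["hash"]
    # A truncated or fully rewritten log is still self-consistent, so the
    # newest hash must also match a copy kept outside the log.
    if expected_head is not None and prev_hash != expected_head:
        return False, len(chain)
    return True, None


def build_sample_chain():
    # Constructed sample decisions; field names are assumptions.
    chain = []
    append_entry(chain, {"actor": "ci-bot", "stage": "plan", "risk": 0.58})
    append_entry(chain, {"actor": "ci-bot", "stage": "approve", "decision": "needs-human"})
    append_entry(chain, {"actor": "alice", "stage": "approve", "decision": "approved"})
    return chain


if __name__ == "__main__":
    log = build_sample_chain()
    print(verify_chain(log))                      # intact
    log[1]["payload"]["decision"] = "approved"   # edit history in place
    print(verify_chain(log))                      # flagged at entry 1
```

The chain alone only detects edits relative to its own newest hash; detecting truncation or a full rewrite depends on the `expected_head` value being stored somewhere the log writer cannot change.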

SLSA attestation

in-toto v1 statements signed via Sigstore prove what was released, why it was approved, and by whom.

Plugin sandboxing

Plugins run in isolated processes with capability-based restrictions on filesystem, network, and environment access.

SBOM generation

Full software bill of materials for supply chain transparency and compliance.

Secret masking

API keys and tokens are automatically redacted from all output and logs. Enabled by default.

Production Ready

Ship today. Govern tomorrow.

Start with release automation. Grow into full change governance.

  • Semantic version planning from conventional commits — with heuristic fallback for messy histories
  • AI-assisted release notes via OpenAI, Anthropic, Gemini, Azure, or Ollama
  • Approval & audit trail with configurable policy DSL
  • Plugin-based publishing — GitHub, npm, Docker, Slack, Jira, Helm, and more
  • MCP server for AI agents — full release workflow via Claude, GPT, or custom agents
  • Monorepo & multi-repo — independent, lockstep, or hybrid versioning with dependency coordination

The Evolution

From release automation to change governance

Today → Where It's Going

  • Version bumps → Risk-aware decisions
  • Changelogs → Outcome-based communication
  • CI automation → Agent governance
  • Plugins → Protocol ecosystem (MCP, CGP)
  • Single repo → Multi-repo federation
  • Pass/fail gates → Probabilistic risk scoring

Built For

Teams shipping at scale

Platform Engineers

Standardize release workflows across hundreds of services. One config, consistent governance, full observability. Monorepo support with independent, lockstep, and hybrid versioning.

Release Managers

Regain visibility without slowing anyone down. Risk scores surface what needs attention; auto-approval handles what doesn't. Real-time dashboard with WebSocket streaming.

Security & Compliance

Immutable hash-chain audit log. SLSA in-toto attestation with Sigstore signing. SBOM generation. OIDC/SSO with role-based access.

Teams Adopting Agents

CGP protocol governs agent-initiated changes. Policy DSL defines what agents can auto-approve. Actor trust scores track reliability over time.

AI-Native

The first release tool built for AI agents.

MCP is the industry standard for connecting AI agents to tools. Relicta is a native MCP server — not a wrapper, not a plugin.

You

"What's the release risk for this project?"

Claude

Risk score: 0.62 (medium). 3 breaking API changes detected across 2 packages. Blast radius: auth-service, api-gateway. Recommending v2.0.0 with 2-approver gate.

You

"Approve and publish."

Claude

✓ v2.0.0 published. GitHub release created, Slack notified, in-toto attestation signed via Sigstore.

Tools (Agent Actions)

  • relicta.plan: Analyze commits & suggest version
  • relicta.bump: Apply semantic version
  • relicta.notes: Generate release notes
  • relicta.evaluate: CGP risk evaluation
  • relicta.approve: Governance gate
  • relicta.publish: Execute release
  • relicta.blast_radius: Impact analysis
  • relicta.validate_release: Pre-flight checks

Resources (Agent Reads)

  • relicta://state: Release state machine
  • relicta://config: Project configuration
  • relicta://commits: Pending commits
  • relicta://changelog: Generated changelog
  • relicta://risk-report: Risk assessment

Built-in MCP Apps

📊 Status Dashboard

Live release status at a glance

🚀 Release Pipeline

Step-by-step release progress

⚠️ Risk Assessment

Visual risk scoring breakdown

🔍 Commit Review

Classified commit analysis

Approval Workflow

Interactive governance gates

💥 Blast Radius

Impact analysis across packages

Open Source

Open by design. Extensible by default.

We believe the governance layer must be open. No vendor lock-in. Full transparency.

  • Open CLI (MIT Licensed)
  • Plugin ecosystem (gRPC based, sandboxed)
  • MCP server & interactive apps for AI agents
  • Change Governance Protocol specification
  • Protocol-first mindset

Start governing change today.

One binary. Zero cloud dependencies. Full governance trail.

brew install relicta-tech/tap/relicta