Relicta

Vision

The Agentic Shift

We are entering an era where most code will be written by agents, not humans. The bottleneck is no longer creation — it's decision.

Why release automation isn't enough

Traditional CI/CD pipelines assume a human wrote the code. They automate the process of delivery (build, test, deploy) but they do not automate the governance of change.

When an AI agent submits a pull request, who checks for semantic correctness? Who evaluates the blast radius? Who decides if this specific change is safe to ship at 4 PM on a Friday?

Automation makes things fast. Governance makes them safe.

Change Governance Protocol (CGP)

We are defining a standard for how changes are proposed, analyzed, and approved. CGP is a protocol that allows:

  • Agents to propose changes with structured intent.
  • Systems to score risk based on history and blast radius.
  • Humans to hold the keys for high-risk decisions.

Humans, Agents, and Authority

We don't believe in "human-out-of-the-loop" for critical infrastructure yet. We believe in human-on-the-loop.

Relicta acts as the interface where agents prove their work to humans. It provides the "Trust Anchor" — a verifiable record that a specific change passed specific policy checks before being signed.

Strategic Themes

Where we are going

Three themes define Relicta's evolution from release CLI to governance platform.

01

Risk-Awareness

Moving from "pass/fail" tests to probabilistic risk scoring that learns from outcomes.

Outcome-Based Calibration

Risk weights today are static. Tomorrow, they calibrate against actual outcomes — correlating risk scores with post-release incidents, rollbacks, and hotfixes. The model improves with every release.

Predictive Risk Patterns

Detect patterns that static factors miss. Friday deployments. Actor fatigue after high release frequency. Cascading risk when dependent packages release simultaneously. Seasonal patterns around team capacity.

Org-Wide Risk Aggregation

When multiple repos release simultaneously, aggregate risk across the organization. Set risk budgets per team, per week, per freeze window. Surface the org-level view that no individual repo can see.

External Risk Signals

Ingest signals from PagerDuty, Datadog, and GitHub Security Advisories into the risk calculation. Active incidents increase release risk. Anomalous metrics trigger caution. Known CVEs auto-escalate.

Today: 7-factor static risk scoring
Next: Calibrated models, predictive patterns
Future: Org-wide risk intelligence, budgets, external signals

02

Agent Identity

Cryptographically signing changes with agent identities. Trust earned, not assumed.

Actor Trust Framework

Every actor — human or agent — has a verifiable identity and earned trust level. Trust scores aggregate across repos, weighted by recency. Agents earn autonomy through track record, not configuration.

Capability Certificates

Short-lived, Sigstore-signed certificates encode what an agent is allowed to do. "Claude can plan and bump patch versions, but publishing requires a human." Capabilities are scoped, time-limited, and revocable.

Multi-Agent Orchestration

As MCP v2 enables agent-to-agent communication, Relicta becomes the coordination hub. Agent A writes code. Agent B reviews. Relicta governs the release. Chain-of-custody is cryptographically verifiable.

Reputation System

Trust scores based on verifiable outcomes. Release success rate. Risk prediction accuracy. Time-to-detection for issues. Reputation decays for inactive agents and grows for agents that consistently ship safely.

Today: Per-repo actor trust scoring
Next: Org-level identity, capability certificates
Future: Multi-agent orchestration, cross-org reputation

03

Universal Ledger

A decentralized audit log of every change decision. Tamper-evident, verifiable, permanent.

Org-Level Governance Store

Aggregate all governance decisions from individual repos into a single source of truth. Query across repos: "Show me every major version release in Q1 that was auto-approved." Generate compliance reports automatically.

Governance Analytics

Mean time to release. Approval bottleneck analysis. Policy effectiveness scoring. Risk trend analysis. DORA metrics derived from governance data. The numbers that tell you if your release process is improving.

Transparency Log

Move from database to tamper-evident, append-only ledger. Every governance decision becomes a signed, timestamped entry in a transparency log — verifiable by any party, like Certificate Transparency for releases.

Supply Chain Governance

Extend governance beyond internal changes to dependency updates. Apply CGP risk assessment to Dependabot PRs. SBOM diff before and after. Policy: "CVE fixes auto-approve; major dependency bumps require human review."

Today: Per-repo hash-chain audit trail
Next: Org-level governance store, compliance reports
Future: Transparency log, cross-org federation

The Path

From CLI to platform

Now

Developer CLI

Single binary. Local governance. Per-repo state. MCP server for AI agents.

Phase 1

Team Platform

Shared PostgreSQL state. Dashboard with WebSocket streaming. Org-level actor registry. Risk calibration from outcomes.

Phase 2

Org Hub

Central governance store. Cross-repo risk aggregation. Compliance report generation. Agent capability certificates.

Phase 3

Governance Network

CGP as open standard. Cross-org federation. Transparency log. Supply chain governance. Agent reputation system.

The future of shipping is governed.

Start with the CLI today. Scale to the platform tomorrow.