Security & Supply Chain

Release Signing

Every release is signed at multiple levels:

Layer          Method                            Verification
CI builds      Sigstore cosign (keyless, OIDC)   cosign verify-blob
Local builds   Apple Developer ID (YubiKey)      codesign -dvvv
Provenance     GitHub Attestations (SLSA)        gh attestation verify

Verify a Release

# Cosign (CI-signed releases)
# Note: '.*' accepts a certificate for any identity issued by GitHub Actions;
# narrow the regexp to the expected release workflow identity to reject
# signatures produced by other workflows.
cosign verify-blob omegon-*.tar.gz \
  --signature omegon-*.tar.gz.sig \
  --certificate omegon-*.tar.gz.pem \
  --certificate-identity-regexp '.*' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com

# GitHub Attestations
gh attestation verify omegon-*.tar.gz --repo styrene-lab/omegon

SBOM

Every release includes a CycloneDX Software Bill of Materials (omegon-sbom.cdx.json) listing all Rust crate dependencies with versions. The SBOM is itself signed with cosign.
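As an added example, not part of the Omegon docs or project code: a small Python check that cross-references the cargo components listed in a CycloneDX SBOM against the Cargo.lock of the matching source tag, reporting crates present on only one side and version mismatches. Both inputs below are constructed fragments with made-up crates, not real Omegon data, and the SBOM is assumed to carry pkg:cargo purls as cargo-cyclonedx emits them.

```python
import json
import re

# Constructed CycloneDX fragment shaped like omegon-sbom.cdx.json (made-up crates).
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "serde", "version": "1.0.197", "purl": "pkg:cargo/serde@1.0.197"},
    {"type": "library", "name": "tokio", "version": "1.36.0", "purl": "pkg:cargo/tokio@1.36.0"},
    {"type": "library", "name": "reqwest", "version": "0.11.24", "purl": "pkg:cargo/reqwest@0.11.24"}
  ]
}"""

# Constructed Cargo.lock fragment: tokio's version differs, zeroize is lock-only, reqwest is SBOM-only.
CARGO_LOCK = """[[package]]
name = "serde"
version = "1.0.197"

[[package]]
name = "tokio"
version = "1.37.0"

[[package]]
name = "zeroize"
version = "1.7.0"
"""

_PKG_RE = re.compile(r'\[\[package\]\]\nname = "([^"]+)"\nversion = "([^"]+)"')

def lock_packages(lock_text):
    """Map crate name -> version for every [[package]] entry in a Cargo.lock."""
    return dict(_PKG_RE.findall(lock_text))

def sbom_packages(sbom_text):
    """Map crate name -> version for the cargo components of a CycloneDX SBOM."""
    bom = json.loads(sbom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    # Only components whose purl identifies them as cargo crates are compared.
    return {c["name"]: c["version"] for c in bom.get("components", [])
            if c.get("purl", "").startswith("pkg:cargo/")}

def compare(sbom, lock):
    """Report drift between SBOM and lockfile; three empty lists means they agree."""
    return {
        "missing_from_sbom": sorted(set(lock) - set(sbom)),
        "not_in_lock": sorted(set(sbom) - set(lock)),
        "version_mismatch": sorted(n for n in set(sbom) & set(lock) if sbom[n] != lock[n]),
    }
```

Run it after cosign has verified the SBOM signature; a non-empty report means the published SBOM does not describe the tagged source and should be treated as a release defect.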

Credential Storage

API keys and OAuth tokens are stored in the system keychain:

OAuth tokens are refreshed automatically. JWT claims are extracted for account identity (used by the Codex client for account ID routing).

HashiCorp Vault Integration

/vault status       # Check Vault connectivity
/vault login        # Authenticate to Vault
/vault configure    # Set Vault address and auth method
/vault init-policy  # Create a least-privilege policy for omegon

For teams that manage secrets through Vault, Omegon can read credentials directly from Vault paths instead of environment variables or the local keychain.

Process Safety

License

Omegon is licensed under the Business Source License 1.1. The BSL converts to MIT on 2031-03-19. Non-production use is permitted; production use requires a separate license from Black Meridian, LLC (until the change date).