OpenTrApp v0.8.0

Just install

Pick the row for your operating system and click the link. After downloading, double-click to install. The setup wizard takes over from there — Anthropic key, Telegram bot pairing, and the five-container perimeter download. No terminal needed.

Your OS	Download
Windows	OpenTrApp_0.8.0_x64_en-US.msi
macOS — Apple Silicon	OpenTrApp_0.8.0_aarch64.dmg
macOS — Intel	OpenTrApp_0.8.0_x64.dmg
Linux — Ubuntu / Debian	OpenTrApp_0.8.0_amd64.deb
Linux — universal	OpenTrApp_0.8.0_amd64.AppImage
Linux — Fedora / RHEL	OpenTrApp-0.8.0-1.x86_64.rpm

The full release notes for this version live at docs/release-notes-v0.8.0.md.

Verification artefacts (for security auditors)

Each binary above is shipped alongside three companion files in the asset list:

• <filename>.sig — cosign keyless signature (Sigstore)
• <filename>.pem — signing certificate (Sigstore Fulcio)
• sbom-<platform>.cyclonedx.json — CycloneDX 1.5 software bill of materials

To verify a binary against its signature:

cosign verify-blob \
  --certificate OpenTrApp_0.8.0_x64_en-US.msi.pem \
  --signature   OpenTrApp_0.8.0_x64_en-US.msi.sig \
  --certificate-identity-regexp 'https://github.com/albertdobmeyer/opentrapp' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  OpenTrApp_0.8.0_x64_en-US.msi

The SLSA Build Level 2 build-provenance attestation for this release is in the Attestations panel above the asset list.

The full asset list (including all signature, certificate, and SBOM files for every platform) is below.

Skill Firewall Action skill-scan-v1.0.0

Skill Firewall Action — first stable release

The standalone, offline half of OpenTrApp's skill defense, packaged as a reusable GitHub Action. It scans agent skills and plugins for malware and prompt injection before an agent loads them, right in your CI. No model, no network. It runs the same engine OpenTrApp runs inside its five-container perimeter, so there is no separate fork to trust.

This release is verified end to end in real CI by the self-scan dogfood workflow (the only place a GitHub Action can actually be exercised).

Use it

permissions:
  contents: read
  security-events: write   # only to upload findings to the Security tab

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: albertdobmeyer/opentrapp/actions/skill-scan@skill-scan-v1
        with:
          path: ./skills      # a skill dir, a parent of several, or a single SKILL.md
          strict: false

Pin to @skill-scan-v1 to receive patches within major version 1, or to @skill-scan-v1.0.0 for an exact pin.

What it checks

• An 87 pattern blocklist mapped to MITRE ATT&CK, including 16 prompt injection patterns.
• A zero trust line classifier that quarantines a skill if a single line is unrecognised.
• SARIF output, so findings appear in your repository's Security tab.

The honesty boundary

This Action reads and pattern matches text. It does not execute the skill. Its guarantee is "vet a skill before an agent loads it," not "no untrusted content ever touches your runner." The stronger "untrusted content is only ever processed inside an isolated container" property belongs to the full OpenTrApp perimeter. See ADR-0025 and the Action README.

This is a subdirectory action in the OpenTrApp monorepo. It is fully usable via the uses: line above; it is not listed on the GitHub Marketplace, which requires a single action at a repository root.

OpenTrApp v0.7.2-rc1

Just install

Pick the row for your operating system and click the link. After downloading, double-click to install. The setup wizard takes over from there — Anthropic key, Telegram bot pairing, and the five-container perimeter download. No terminal needed.

Your OS	Download
Windows	OpenTrApp_0.7.2-rc1_x64_en-US.msi
macOS — Apple Silicon	OpenTrApp_0.7.2-rc1_aarch64.dmg
macOS — Intel	OpenTrApp_0.7.2-rc1_x64.dmg
Linux — Ubuntu / Debian	OpenTrApp_0.7.2-rc1_amd64.deb
Linux — universal	OpenTrApp_0.7.2-rc1_amd64.AppImage
Linux — Fedora / RHEL	OpenTrApp-0.7.2-rc1-1.x86_64.rpm

The full release notes for this version live at docs/release-notes-v0.7.2-rc1.md.

Verification artefacts (for security auditors)

Each binary above is shipped alongside three companion files in the asset list:

• <filename>.sig — cosign keyless signature (Sigstore)
• <filename>.pem — signing certificate (Sigstore Fulcio)
• sbom-<platform>.cyclonedx.json — CycloneDX 1.5 software bill of materials

To verify a binary against its signature:

cosign verify-blob \
  --certificate OpenTrApp_0.7.2-rc1_x64_en-US.msi.pem \
  --signature   OpenTrApp_0.7.2-rc1_x64_en-US.msi.sig \
  --certificate-identity-regexp 'https://github.com/albertdobmeyer/opentrapp' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  OpenTrApp_0.7.2-rc1_x64_en-US.msi

The SLSA Build Level 2 build-provenance attestation for this release is in the Attestations panel above the asset list.

The full asset list (including all signature, certificate, and SBOM files for every platform) is below.

OpenTrApp v0.6.0

Release notes — v0.6.0 (A tiny local AI makes AI safe)

v0.6.0 makes the project's thesis — "uses AI to make AI safe" — real and
demonstrable rather than aspirational. A tiny, local judgment layer (Sentinel)
now watches the gray zone the static defences miss, across all three concerns:
runtime containment, the skill supply chain, and the agent-social feed. The
everyday judge is local and cheap, so it can be consulted constantly; the
powerful, privacy-spending option is always a deliberate, visible choice.

What changed

Sentinel — a local AI judgment ladder

A shared escalation ladder all three concerns consult (ADR-0015): static rung 0
→ embeddings rung 1 (all-minilm) → a tiny local LLM judge rung 2
(qwen2.5-coder:3b) → a rare, human-triggered rung 3. Cheap rungs handle the
common case; the expensive ones only fire when the cheap ones genuinely can't
resolve a case. The judge is load-on-demand and injection-hardened, and a
malformed answer always escalates — never a silent allow.

A tiered-model finding underlies it: give the bigger model only to the role
whose mistakes you can't otherwise catch. The CDR parser stays on the leaner
qwen2.5-coder:1.5b (its failures are schema-detectable and retry-recoverable);
the judge gets qwen2.5-coder:3b (its failures are not self-checking).

Adaptive containment — explained, one-tap allowlist decisions

An off-allowlist request is no longer a blunt block. Sentinel judges the
gray-zone hosts and surfaces the allow-leaning ones as pending approvals with
a plain-language reason; you tap "Allow always" or "Block". By construction, only
the human can ever loosen the perimeter — the agent has no path to do so, the
judge only recommends, and clear exfiltration is hard-blocked and never reaches
the judge (ADR-0002, ADR-0016).

The skills cleanroom — a judge second opinion + a disarm diff

The 87-pattern scanner stays as the cheap pre-filter, and the local judge is now
a fail-safe second opinion on what the scanner would auto-allow: it can only
tighten a clean verdict, never loosen a quarantine, catching a novel or
paraphrased skill-level threat the regexes miss. CDR is now reliable
(retry-with-repair, quarantine-never-silent), and a plain-language disarm diff
shows exactly what was removed from a skill before it was rebuilt.

The semantic firewall — live, on AT Protocol

The social shield is un-parked behind a protocol-adapter abstraction and a first
live network adapter for AT Protocol (Bluesky) (ADR-0017): the rung-2
judge catches paraphrased injections the 25 static patterns miss, and an
outgoing persona-drift guard holds a post that no longer matches the agent's
own voice. Reads use the public AppView (no auth); the leg is opt-in and the
perimeter never auto-participates.

Modular distribution + the skills rename

A single distribution.yml drives profile-based image bundling and a standalone
per-shield installer, so a user can install only what they want (ADR-0014). The
forge workload is renamed to skills throughout (vault-skills,
openagent-skills).

---

Breaking changes

None for end users. Existing credentials and settings carry forward. The
container vault-forge is renamed vault-skills; a fresh perimeter is brought
up on first launch.

New runtime requirement (optional)

The local-AI rungs need Ollama reachable on the host with
qwen2.5-coder:1.5b, qwen2.5-coder:3b, and all-minilm pulled. Without it the
fast static defences still run; the AI rungs degrade fail-safe (hold for review)
rather than judging automatically.

Known issues

• The Sentinel rung-2/rung-1 features require Ollama as above; they are inert
  (fail-safe) without it.
• The live social adapter is opt-in and validated against AT Protocol; other
  networks (Mastodon, Nostr) are future adapters behind the same contract.

Upgrade path

Standard auto-update — the Tauri updater will prompt in-app. To update manually,
download the installer for your platform from the assets below and run it over
the existing installation.

Full commit range

git log --oneline v0.5.0..v0.6.0 — the v0.6 reassessment: M0–M4 (rename,
Sentinel judge lib + CDR fix, modular distribution, adaptive containment,
semantic firewall), rung-1 embeddings, the GUI Sentinel bridge + activity
indicator, persona-drift, the disarm-diff display, and the completion items —
production Sentinel staging, host-mediated allowlist approval, the live AT
Protocol adapter, and the judge-as-second-opinion on skill auto-allow.

OpenTrApp v0.5.0

Just install

Pick the row for your operating system and click the link. After downloading, double-click to install. The setup wizard takes over from there — Anthropic key, Telegram bot pairing, and the five-container perimeter download. No terminal needed.

Your OS	Download
Windows	OpenTrApp_0.5.0_x64_en-US.msi
macOS — Apple Silicon	OpenTrApp_0.5.0_aarch64.dmg
macOS — Intel	OpenTrApp_0.5.0_x64.dmg
Linux — Ubuntu / Debian	OpenTrApp_0.5.0_amd64.deb
Linux — universal	OpenTrApp_0.5.0_amd64.AppImage
Linux — Fedora / RHEL	OpenTrApp-0.5.0-1.x86_64.rpm

The full release notes for this version live at docs/release-notes-v0.5.0.md.

Verification artefacts (for security auditors)

Each binary above is shipped alongside three companion files in the asset list:

• <filename>.sig — cosign keyless signature (Sigstore)
• <filename>.pem — signing certificate (Sigstore Fulcio)
• sbom-<platform>.cyclonedx.json — CycloneDX 1.5 software bill of materials

To verify a binary against its signature:

cosign verify-blob \
  --certificate OpenTrApp_0.5.0_x64_en-US.msi.pem \
  --signature   OpenTrApp_0.5.0_x64_en-US.msi.sig \
  --certificate-identity-regexp 'https://github.com/albertdobmeyer/opentrapp' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  OpenTrApp_0.5.0_x64_en-US.msi

The SLSA Build Level 2 build-provenance attestation for this release is in the Attestations panel above the asset list.

The full asset list (including all signature, certificate, and SBOM files for every platform) is below.

OpenTrApp v0.4.0

🪧 Note on naming: This release was built before the OpenTrApp rebrand (May 2026) — the asset filenames still carry the old Lobster-TrApp prefix. A new release with OpenTrApp_* filenames is queued. The download links below still work via GitHub's auto-redirect from the old repository name.

Just install

Pick the row for your operating system and click the link. After downloading, double-click to install. The setup wizard takes over from there — Anthropic key, Telegram bot pairing, and the four-container perimeter download. No terminal needed.

Your OS	Download
Windows	Lobster-TrApp_0.3.2_x64_en-US.msi
macOS — Apple Silicon	Lobster-TrApp_0.3.2_aarch64.dmg
macOS — Intel	Lobster-TrApp_0.3.2_x64.dmg
Linux — Ubuntu / Debian	Lobster-TrApp_0.3.2_amd64.deb
Linux — universal	Lobster-TrApp_0.3.2_amd64.AppImage
Linux — Fedora / RHEL	Lobster-TrApp-0.3.2-1.x86_64.rpm

The full release notes for this version live at docs/release-notes-v0.4.0.md.

Verification artefacts (for security auditors)

Each binary above is shipped alongside three companion files in the asset list:

• <filename>.sig — cosign keyless signature (Sigstore)
• <filename>.pem — signing certificate (Sigstore Fulcio)
• sbom-<platform>.cyclonedx.json — CycloneDX 1.5 software bill of materials

The signing identity is bound to https://github.com/albertdobmeyer/opentrapp/.github/workflows/release.yml@refs/tags/v0.4.0 — verification proves the binary was built by this exact workflow at this exact tag.

OpenTrApp v0.3.2

See the assets below to download and install.

OpenTrApp v0.3.0 — Delightful Sloth

OpenTrApp grew up — every screen is now a real surface, not a placeholder.

v0.3.0 is the first build I'm comfortable putting in front of someone non-technical. v0.2.0 was the hardened-but-clunky release; this one is the same security model, presented in a way Karen can actually navigate.

What changed since v0.2.0

• Home is real — 7-state hero card, backend status aggregator, proactive alerts banner, daily use-case tip.
• Discover is real — 19-entry use-case gallery with one-click Telegram deep-links.
• Preferences is real — keys (with auto-restart on rotation), notifications (with OS permission gate), startup (actually wired through), re-run setup, advanced mode.
• Lifecycle ownership — app start ⇒ perimeter up; graceful exit ⇒ perimeter down; SIGKILL reaped on next launch. New paused_by_user state with cross-restart durability.
• No spending dashboard — Anthropic Console already does this better than we ever could. The Spending tile is now a clean deep-link.

Karen's full journey, before vs. after

Moment	v0.2.0	v0.3.0
Returning use (Home)	3.8	9.0
Monitoring (Security)	4.9	8.5
Adding tools (Discover)	4.9	9.0
Setting changes (Preferences)	4.9	8.7
Crash & recovery	~7	9.0

The Pass-1 cliff at moments 4–7 is closed.

Quality bar

• 56 / 56 Rust unit tests
• 175 / 175 vitest tests
• 25 / 25 Playwright e2e tests
• 42 / 42 orchestrator-check (0 warnings)
• 28 banned terms enforced on every commit (no developer jargon leaks)
• Production build: 85 KB gzipped

Full release notes: docs/release-notes-v0.3.0.md
Pre-ship audit: docs/specs/2026-05-02-pass-8-preship-walk.md

Known limitations carried into Pass 9 (post-launch polish)

1. ErrorBoundary still shows raw error.message (friendlier copy queued).
2. macOS / Windows install copy still says "Podman Desktop" (rename queued).
3. Help page is a friendlier placeholder (diagnostic-bundle button + FAQ queued).
4. Security Monitor is a friendlier placeholder (real content from vault-proxy logs queued).