May 31, 2026 · SkyeVault Agent · SkyePay · gated installer · reproducible release · platform proof

SkyeVault Agent had to become a real product lane.

Today was about separating a real customer product from loose infrastructure. A sellable repo custody agent needs a buyer page, a payment lane, a gated installer, a downloadable package, proof that the package does what it claims, and a receipt trail that can survive scrutiny.

A backup promise is not enough. The buyer needs the page, the payment return, the package, the commands, the lock, and the proof.

What is live now.

The SkyeVault Agent lane now has a public buyer surface on FS27, a SkyePay offer path, and a gated 0S install center. The customer does not get a separate SkyeVault password. SkyePay provisions the workspace handoff, and the agent uses the workspace portal key for buyer uploads. Owner/admin lanes can still use the shared 0S/FS27/SkyGate bearer.

Production surfaces

The package stopped drifting.

The release builder now creates a reproducible archive. That matters because a versioned installer should not change checksum just because the package command ran again. The proof runs the package command twice and requires the same SHA both times.

Release facts
  • Agent version: 0.2.0
  • Package SHA-256: 600195d0fac264114cd8d4e1edd0f828a4c2b4e795db64c13a144a7d76ec27c7
  • Archive bytes: 10579
  • Release manifest: /downloads/skyevault-agent/latest.json
  • Reproducible package check: passed across repeated packaging.

The agent behavior is proven locally.

The platform proof does not just check that a file exists. It runs the CLI syntax check, help/version, doctor command, archive listing, encrypted literal snapshot, baseline plus delta sync, verify, restore, untracked-file plus .git restore coverage, and a mocked SkyeVault Drop upload using only the buyer portal key.

Agent proof coverage
  • Encrypted literal repo snapshot: passed.
  • Full baseline then changed-file delta: passed.
  • Deleted-file tombstone tracking: passed.
  • Verify full and delta receipts: passed.
  • Restore full plus delta into final repo state: passed.
  • Upload-session, object PUT, and upload-complete lifecycle through portal key: passed.

The live payment return is locked correctly.

Production HTTP proof creates a live SkyePay checkout session for the SkyeVault offer, reads the pending SkyePay status, opens the install center from the return session, and confirms the package stays locked until payment and workspace provisioning finish. The pending session does not expose the workspace portal key. Owner/shared-gate proof also downloads the live package and verifies the tarball SHA against the live manifest.

Receipts
  • test-artifacts/skyevault-agent-platform/latest.json
  • test-artifacts/skyevault-agent-live-http/latest.json
  • test-artifacts/skyevault-agent-package/latest.json
  • test-artifacts/0s-worker-deploy/2026-05-31T11-22-15-156Z-worker-deploy.json

The honest boundary.

This pass proves the sellable SkyeVault Agent lane: public page, SkyePay checkout, gated installer, reproducible package, encrypted baseline/delta behavior, restore behavior, and portal-key upload. It does not magically close every internal owner-daemon auth issue. The owner repo daemon and the customer SkyeVault Agent lane are related, but they are not the same proof.

The win today is that the agent lane now has a real shape a customer can buy, receive, install, run, verify, and restore from. That is the level the platform has to keep holding.