x0x 0.18.4

Agent-to-agent gossip network for AI systems — no winners, no losers, just cooperation
name: Release

# Runs for every pushed tag matching 'v*' and for manual dispatch from any ref.
on:
  push:
    tags:
      - 'v*'
  workflow_dispatch:

# Prevent concurrent release workflows from racing on asset uploads.
# The group key contains github.ref, so only runs for the SAME ref share a
# group: a second run for a tag cancels the in-flight run for that tag, while
# runs for different tags land in different groups and do not cancel each other.
# NOTE(review): cancel-in-progress can stop a run after some publish steps have
# already completed; confirm a partially published release is acceptable.
concurrency:
  group: release-${{ github.ref }}
  cancel-in-progress: true

env:
  CARGO_TERM_COLOR: always

# Workflow-wide default for the job token. Every job that does not declare its
# own `permissions:` block inherits both grants below.
# NOTE(review): only create-release and publish-npm declare their own block in
# this file, so the remaining jobs, including the one that compiles third-party
# dependencies, run with a write-capable token and the ability to request an
# OIDC token. Consider defaulting to `contents: read` here and granting write
# access per job.
permissions:
  contents: write
  id-token: write

jobs:
  # Gate for the whole release: build-release depends on this job, and every
  # later job depends on build-release directly or transitively.
  # NOTE(review): this job declares no `permissions:` block, so it inherits the
  # workflow-level token grants; what the validation script needs is not
  # visible here, confirm before narrowing.
  validate-release-metadata:
    name: Validate release metadata
    runs-on: ubuntu-latest
    steps:
      # fetch-depth: 0 fetches the full history instead of a shallow clone.
      # NOTE(review): the action is referenced by a mutable tag; pinning to a
      # full commit SHA (`actions/checkout@<commit-sha>`) prevents a retagged
      # action from running in the release pipeline.
      - uses: actions/checkout@v5
        with:
          fetch-depth: 0

      # Tag-triggered runs. The tag name reaches the script through the
      # GITHUB_REF_NAME environment variable, quoted, rather than through
      # `${{ }}` interpolation, so the ref name never becomes script text.
      - name: Validate release metadata (tag)
        if: startsWith(github.ref, 'refs/tags/v')
        run: |
          python3 .github/scripts/validate_release_metadata.py \
            --mode release_tag \
            --tag "${GITHUB_REF_NAME}"

      # Any ref that is not a 'v' tag (manual dispatch) is validated in
      # push_main mode, without a tag argument.
      - name: Validate release metadata (manual dispatch)
        if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
        run: |
          python3 .github/scripts/validate_release_metadata.py \
            --mode push_main

  # ============================================================
  # Build release binaries for all platforms
  # ============================================================
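  build-release:
    # Compiles, signs (macOS only), packages and checksums one archive per
    # matrix entry, then hands the archive and its .sha256 to later jobs as a
    # workflow artifact named release-<platform>.
    name: Build ${{ matrix.platform }}
    needs: validate-release-metadata
    runs-on: ${{ matrix.os }}
    # Build scripts and proc-macros of every dependency execute in this job, so
    # the job token is limited to read-only repository access instead of
    # inheriting the workflow-level write and id-token grants.
    permissions:
      contents: read
    strategy:
      # Let the other platforms finish when one leg fails; sign-release still
      # requires the whole job to succeed because it `needs` build-release.
      fail-fast: false
      matrix:
        include:
          - platform: linux-x64-gnu
            os: ubuntu-latest
            target: x86_64-unknown-linux-gnu
            cross: false
            archive: tar.gz
            binary: x0xd

          - platform: linux-x64-musl
            os: ubuntu-latest
            target: x86_64-unknown-linux-musl
            cross: true
            archive: tar.gz
            binary: x0xd

          - platform: linux-arm64-gnu
            os: ubuntu-latest
            target: aarch64-unknown-linux-gnu
            cross: true
            archive: tar.gz
            binary: x0xd

          - platform: macos-x64
            os: macos-14
            target: x86_64-apple-darwin
            cross: false
            archive: tar.gz
            binary: x0xd

          - platform: macos-arm64
            os: macos-14
            target: aarch64-apple-darwin
            cross: false
            archive: tar.gz
            binary: x0xd

          - platform: windows-x64
            os: windows-latest
            target: x86_64-pc-windows-msvc
            cross: false
            archive: zip
            binary: x0xd.exe

    steps:
      # NOTE(review): the actions in this job are referenced by mutable tag or
      # branch (`@v5`, `@stable`). Pinning each to a full commit SHA
      # (`owner/action@<commit-sha>`) keeps a retagged action out of the job
      # that later handles the macOS signing secrets.
      - uses: actions/checkout@v5

      - name: Install Rust stable
        uses: dtolnay/rust-toolchain@stable
        with:
          targets: ${{ matrix.target }}

      - name: Cache cargo registry
        uses: actions/cache@v5
        with:
          path: ~/.cargo/registry
          key: ${{ runner.os }}-${{ matrix.target }}-cargo-registry-${{ hashFiles('**/Cargo.lock') }}

      - name: Cache cargo index
        uses: actions/cache@v5
        with:
          path: ~/.cargo/git
          key: ${{ runner.os }}-${{ matrix.target }}-cargo-git-${{ hashFiles('**/Cargo.lock') }}

      # NOTE(review): shipped binaries are linked from a `target` directory
      # restored from cache, keyed only on OS, target and the Cargo.lock hash.
      # Consider building releases without this cache so every object file
      # comes from the checkout being released.
      - name: Cache target directory
        uses: actions/cache@v5
        with:
          path: target
          key: ${{ runner.os }}-${{ matrix.target }}-target-release-${{ hashFiles('**/Cargo.lock') }}

      # --locked honours cross's own lockfile, but the cross version itself is
      # whatever is current at run time.
      # NOTE(review): consider `--version <pinned-version>` for reproducibility.
      - name: Install cross
        if: matrix.cross
        run: cargo install cross --locked

      # The build steps run before any signing secret is exposed to the job:
      # the certificate and keychain only appear in the steps that follow.
      - name: Build (native)
        if: ${{ !matrix.cross }}
        run: cargo build --release --target ${{ matrix.target }} --bin x0xd --bin x0x

      - name: Build (cross)
        if: matrix.cross
        run: cross build --release --target ${{ matrix.target }} --bin x0xd --bin x0x

      # ---- macOS Code Signing & Notarization ----
      # Decodes the base64 .p12 from secrets into RUNNER_TEMP and imports it
      # into a dedicated, password-protected keychain that auto-locks after
      # 21600 seconds.
      # NOTE(review): `security import -A` lets any application use the
      # imported key without prompting; consider `-T /usr/bin/codesign` to
      # limit access to the signing tool.
      - name: Import macOS signing certificate
        if: startsWith(matrix.platform, 'macos')
        env:
          MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
          MACOS_CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PASSWORD }}
          KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
        run: |
          CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
          KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db

          echo "$MACOS_CERTIFICATE" | base64 --decode -o "$CERTIFICATE_PATH"

          security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"

          security import "$CERTIFICATE_PATH" -P "$MACOS_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
          security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          security list-keychain -d user -s "$KEYCHAIN_PATH"

      - name: Sign macOS binaries
        if: startsWith(matrix.platform, 'macos')
        env:
          MACOS_SIGNING_IDENTITY: ${{ secrets.MACOS_SIGNING_IDENTITY }}
        run: |
          for bin in x0xd x0x; do
            BINARY="target/${{ matrix.target }}/release/${bin}"
            # Fail closed: both binaries are requested by the build step, so a
            # missing one must stop the release instead of shipping unsigned.
            if [ ! -f "$BINARY" ]; then
              echo "ERROR: expected binary not found: $BINARY" >&2
              exit 1
            fi
            codesign --force --options runtime --sign "$MACOS_SIGNING_IDENTITY" --timestamp "$BINARY"
            codesign --verify --deep --strict "$BINARY"
            echo "Signed ${bin} successfully"
          done

      # NOTE(review): confirm that this step fails when the notarization
      # result is anything other than accepted; the script only checks the
      # exit status of `notarytool submit --wait`.
      - name: Notarize macOS binaries
        if: startsWith(matrix.platform, 'macos')
        env:
          MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.MACOS_NOTARIZATION_APPLE_ID }}
          MACOS_NOTARIZATION_PASSWORD: ${{ secrets.MACOS_NOTARIZATION_PASSWORD }}
          MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.MACOS_NOTARIZATION_TEAM_ID }}
        run: |
          for bin in x0xd x0x; do
            BINARY="target/${{ matrix.target }}/release/${bin}"
            # Fail closed for the same reason as the signing step.
            if [ ! -f "$BINARY" ]; then
              echo "ERROR: expected binary not found: $BINARY" >&2
              exit 1
            fi
            ditto -c -k --keepParent "$BINARY" "$RUNNER_TEMP/notarize-${bin}.zip"
            xcrun notarytool submit "$RUNNER_TEMP/notarize-${bin}.zip" \
              --apple-id "$MACOS_NOTARIZATION_APPLE_ID" \
              --password "$MACOS_NOTARIZATION_PASSWORD" \
              --team-id "$MACOS_NOTARIZATION_TEAM_ID" \
              --wait
            echo "Notarized ${bin} successfully"
          done

      # always() keeps the cleanup running after a failed or cancelled step.
      - name: Clean up macOS keychain
        if: startsWith(matrix.platform, 'macos') && always()
        run: |
          security delete-keychain "$RUNNER_TEMP/app-signing.keychain-db" 2>/dev/null || true
          # Remove the decoded .p12 too, so the certificate file does not
          # outlive the steps that need it.
          rm -f "$RUNNER_TEMP/build_certificate.p12"

      # ---- Strip Linux binaries ----
      # Only the native glibc build is stripped; the cross-compiled Linux
      # targets are packaged as built. matrix.binary is x0xd for this
      # platform, so stripping it separately would strip x0xd twice.
      - name: Strip binaries (Linux native)
        if: matrix.platform == 'linux-x64-gnu'
        run: |
          strip target/${{ matrix.target }}/release/x0xd
          strip target/${{ matrix.target }}/release/x0x

      # ---- Package artifacts ----
      - name: Package (tar.gz)
        if: matrix.archive == 'tar.gz'
        run: |
          STAGING="x0x-${{ matrix.platform }}"
          mkdir -p "$STAGING"
          # Include x0xd daemon and x0x CLI binaries
          for bin in x0xd x0x; do
            BIN="target/${{ matrix.target }}/release/${bin}"
            if [ -f "$BIN" ]; then cp "$BIN" "$STAGING/"; fi
          done
          # LICENSE and README are optional extras; their absence is ignored.
          cp LICENSE* "$STAGING/" 2>/dev/null || true
          cp README.md "$STAGING/" 2>/dev/null || true
          tar czf "x0x-${{ matrix.platform }}.tar.gz" "$STAGING"
          echo "ASSET=x0x-${{ matrix.platform }}.tar.gz" >> "$GITHUB_ENV"

      - name: Package (zip)
        if: matrix.archive == 'zip'
        shell: pwsh
        run: |
          $staging = "x0x-${{ matrix.platform }}"
          New-Item -ItemType Directory -Path $staging -Force
          # Include x0xd daemon and x0x CLI binaries
          $x0xd = "target/${{ matrix.target }}/release/x0xd.exe"
          if (Test-Path $x0xd) { Copy-Item $x0xd -Destination $staging }
          $x0x = "target/${{ matrix.target }}/release/x0x.exe"
          if (Test-Path $x0x) { Copy-Item $x0x -Destination $staging }
          if (Test-Path "LICENSE*") { Copy-Item LICENSE* -Destination $staging }
          if (Test-Path "README.md") { Copy-Item README.md -Destination $staging }
          Compress-Archive -Path "$staging/*" -DestinationPath "x0x-${{ matrix.platform }}.zip"
          "ASSET=x0x-${{ matrix.platform }}.zip" | Out-File -FilePath $env:GITHUB_ENV -Append

      # The .sha256 file detects corruption in transit. It is published next to
      # the archive, so authenticity rests on the signatures added by later
      # jobs, not on this checksum.
      - name: Generate SHA-256 checksum
        shell: bash
        run: |
          # Use sha256sum (Linux/Windows) or shasum (macOS)
          hash_cmd="sha256sum"
          if ! command -v sha256sum &>/dev/null; then
            hash_cmd="shasum -a 256"
          fi
          if [ "${{ matrix.archive }}" = "zip" ]; then
            $hash_cmd "x0x-${{ matrix.platform }}.zip" > "x0x-${{ matrix.platform }}.zip.sha256"
          else
            $hash_cmd "x0x-${{ matrix.platform }}.tar.gz" > "x0x-${{ matrix.platform }}.tar.gz.sha256"
          fi

      # if-no-files-found: error turns a missing archive into a failed job
      # instead of an empty artifact.
      - name: Upload release artifacts
        uses: actions/upload-artifact@v5
        with:
          name: release-${{ matrix.platform }}
          path: |
            x0x-${{ matrix.platform }}.*
          if-no-files-found: error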

  # ============================================================
  # ML-DSA-65 sign release archives (post-quantum)
  # ============================================================
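  sign-release:
    # Builds the x0x-keygen tool from this checkout, signs every archive
    # produced by build-release with the ML-DSA-65 key held in repository
    # secrets, and generates a signed release manifest.
    name: ML-DSA-65 Sign Archives
    needs: build-release
    runs-on: ubuntu-latest
    # This job holds the release signing key; its token is limited to
    # read-only repository access instead of inheriting the workflow-level
    # write and id-token grants.
    permissions:
      contents: read
    steps:
      # NOTE(review): the actions in this job are referenced by mutable tag or
      # branch. Pinning each to a full commit SHA (`owner/action@<commit-sha>`)
      # matters most here, because later steps place the signing key on disk.
      - uses: actions/checkout@v5

      - name: Install Rust stable
        uses: dtolnay/rust-toolchain@stable

      # NOTE(review): the signing tool is linked from a `target` directory
      # restored from cache. Consider building it without the cache so the
      # binary that handles the secret key is compiled entirely from this
      # checkout.
      - name: Cache cargo
        uses: actions/cache@v5
        with:
          path: |
            ~/.cargo/registry
            ~/.cargo/git
            target
          key: ${{ runner.os }}-sign-cargo-${{ hashFiles('**/Cargo.lock') }}

      - name: Build x0x-keygen
        run: cargo build --release --bin x0x-keygen

      - name: Download all artifacts
        uses: actions/download-artifact@v5
        with:
          path: artifacts
          pattern: release-*

      # The key is materialised only after the build has finished, and is kept
      # under RUNNER_TEMP rather than a fixed path in /tmp.
      - name: Write ML-DSA-65 signing key
        env:
          ML_DSA_SECRET_KEY: ${{ secrets.ML_DSA_SECRET_KEY }}
        run: |
          # Set the umask first so the file is created owner-only; a chmod
          # after the write would leave it readable under the default umask
          # for a moment.
          umask 077
          echo "$ML_DSA_SECRET_KEY" | base64 --decode > "$RUNNER_TEMP/release-signing.secret"
          chmod 600 "$RUNNER_TEMP/release-signing.secret"

      # One detached .sig per archive, written next to the archive. The
      # --context string is passed to the signer for every archive.
      - name: Sign archives with ML-DSA-65
        run: |
          for archive in artifacts/release-*/*.tar.gz artifacts/release-*/*.zip; do
            [ -f "$archive" ] || continue
            ./target/release/x0x-keygen sign \
              --key "$RUNNER_TEMP/release-signing.secret" \
              --input "$archive" \
              --output "${archive}.sig" \
              --context "x0x-release-v1"
            echo "Signed: $archive"
          done

      - name: Generate and sign release manifest
        run: |
          # Collect all archives into a flat directory for manifest generation
          mkdir -p manifest-assets
          for archive in artifacts/release-*/*.tar.gz artifacts/release-*/*.zip; do
            [ -f "$archive" ] || continue
            cp "$archive" manifest-assets/
          done
          # Strip 'v' prefix from tag for version string
          VERSION="${GITHUB_REF_NAME#v}"
          # Validate that VERSION is a valid semver string (prevents broken manifests from workflow_dispatch).
          # The pattern is anchored at both ends so trailing text after the
          # version is rejected; pre-release and build suffixes stay allowed.
          SEMVER_RE='^[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$'
          if [[ ! "$VERSION" =~ $SEMVER_RE ]]; then
            echo "ERROR: '$VERSION' is not a valid semver version (expected tag like v1.2.3)"
            exit 1
          fi
          ./target/release/x0x-keygen manifest \
            --version "$VERSION" \
            --assets-dir manifest-assets/ \
            --skill-path SKILL.md \
            --key "$RUNNER_TEMP/release-signing.secret" \
            --output-dir manifest-assets/

      # always() removes the key even when signing or manifest generation fails.
      - name: Clean up signing key
        if: always()
        run: rm -f "$RUNNER_TEMP/release-signing.secret"

      # if-no-files-found: error stops the release when no signature was
      # produced, so create-release cannot run without .sig files.
      - name: Upload signed artifacts
        uses: actions/upload-artifact@v5
        with:
          name: ml-dsa-signatures
          path: artifacts/release-*/*.sig
          if-no-files-found: error

      - name: Upload release manifest
        uses: actions/upload-artifact@v5
        with:
          name: release-manifest
          path: |
            manifest-assets/release-manifest.json
            manifest-assets/release-manifest.json.sig
          if-no-files-found: error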

  # ============================================================
  # GPG-sign SKILL.md and create GitHub Release
  # ============================================================
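  create-release:
    # Gathers archives, checksums, ML-DSA-65 signatures and the manifest from
    # earlier jobs, adds GPG signatures, and publishes everything as a GitHub
    # Release.
    name: Create GitHub Release
    needs: [build-release, sign-release]
    runs-on: ubuntu-latest
    # Job-scoped token: write access to contents is what creating the release
    # and uploading assets uses; no id-token grant is inherited here.
    permissions:
      contents: write
    steps:
      # NOTE(review): the actions in this job are referenced by mutable tags,
      # including the third-party release action that receives the
      # write-capable token. Consider pinning each to a full commit SHA
      # (`owner/action@<commit-sha>`).
      - uses: actions/checkout@v5

      - name: Download build artifacts
        uses: actions/download-artifact@v5
        with:
          path: artifacts
          pattern: release-*

      - name: Download ML-DSA-65 signatures
        uses: actions/download-artifact@v5
        with:
          name: ml-dsa-signatures
          path: artifacts

      - name: Download release manifest
        uses: actions/download-artifact@v5
        with:
          name: release-manifest
          path: artifacts/manifest

      # The private key is imported into the runner user's default keyring and
      # no later step in this job removes it.
      # NOTE(review): acceptable on a single-use hosted runner; add an explicit
      # cleanup step if this job ever moves to a persistent runner.
      - name: Import GPG key
        env:
          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
        run: |
          echo "$GPG_PRIVATE_KEY" | gpg --import --batch --yes

      # The passphrase is fed on stdin (--passphrase-fd 0) via a here-string,
      # so it never appears in the gpg command line. The fresh signature is
      # verified immediately after it is written.
      - name: Sign SKILL.md
        env:
          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
        run: |
          gpg --batch --pinentry-mode loopback --passphrase-fd 0 \
            --detach-sign --armor --output SKILL.md.sig SKILL.md <<< "$GPG_PASSPHRASE"
          gpg --verify SKILL.md.sig SKILL.md

      # Fails the job when the export is empty, i.e. when no key matching the
      # address is present in the keyring.
      - name: Export public key
        run: |
          gpg --armor --export david@saorsalabs.com > SAORSA_PUBLIC_KEY.asc
          if [ ! -s SAORSA_PUBLIC_KEY.asc ]; then
            echo "Error: Failed to export public key"
            exit 1
          fi

      - name: GPG-sign release archives
        env:
          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
        run: |
          for archive in artifacts/release-*/*.tar.gz artifacts/release-*/*.zip; do
            [ -f "$archive" ] || continue
            gpg --batch --pinentry-mode loopback --passphrase-fd 0 \
              --detach-sign --armor --output "${archive}.asc" "$archive" <<< "$GPG_PASSPHRASE"
          done

      - name: Collect all release files
        run: |
          mkdir -p release-files
          # Copy archives, checksums, GPG signatures, and ML-DSA-65 signatures.
          # Each directory holds only one archive type, so an unmatched glob
          # is expected and ignored here.
          for dir in artifacts/release-*/; do
            cp "$dir"/*.tar.gz release-files/ 2>/dev/null || true
            cp "$dir"/*.zip release-files/ 2>/dev/null || true
            cp "$dir"/*.sha256 release-files/ 2>/dev/null || true
            cp "$dir"/*.asc release-files/ 2>/dev/null || true
            cp "$dir"/*.sig release-files/ 2>/dev/null || true
          done
          # Copy release manifest. Fail closed: sign-release always uploads the
          # manifest and its signature, so a missing file here means the
          # release would ship without its signed manifest.
          cp artifacts/manifest/release-manifest.json release-files/
          cp artifacts/manifest/release-manifest.json.sig release-files/
          # Copy SKILL.md artifacts
          cp SKILL.md release-files/
          cp SKILL.md.sig release-files/
          cp SAORSA_PUBLIC_KEY.asc release-files/
          # The agent card is optional; its absence is ignored.
          cp .well-known/agent.json release-files/ 2>/dev/null || true
          ls -la release-files/

      # Publishes the release immediately (draft: false) with every collected
      # file attached. The public key is attached to the same release as the
      # files it verifies, so the release notes below tell users to confirm
      # its fingerprint through an independent channel.
      - name: Create GitHub Release
        uses: softprops/action-gh-release@v2
        with:
          files: release-files/*
          draft: false
          generate_release_notes: true
          body: |
            ## x0x ${{ github.ref_name }}

            **Agent-to-Agent Secure Communication Network**

            Post-quantum encrypted P2P gossip network for AI agents. Enable agents to discover each other, communicate securely, and collaborate on shared task lists without central servers.

            ### Binaries Included

            - **x0xd** — Agent daemon with REST API (default: `127.0.0.1:12700`)
            - **x0x** — Command-line interface (CLI)

            ### Installation

            **Rust:**
            ```bash
            cargo add x0x
            ```

            **TypeScript/Node.js:**
            ```bash
            npm install x0x
            ```

            **Python:**
            ```bash
            pip install agent-x0x
            ```

            ### Platform Binaries

            | Platform | File | Code Signed |
            |----------|------|-------------|
            | Linux x64 (glibc) | `x0x-linux-x64-gnu.tar.gz` | ML-DSA-65 + GPG |
            | Linux x64 (musl/static) | `x0x-linux-x64-musl.tar.gz` | ML-DSA-65 + GPG |
            | Linux ARM64 | `x0x-linux-arm64-gnu.tar.gz` | ML-DSA-65 + GPG |
            | macOS x64 (Intel) | `x0x-macos-x64.tar.gz` | ML-DSA-65 + Apple + GPG |
            | macOS ARM64 (Apple Silicon) | `x0x-macos-arm64.tar.gz` | ML-DSA-65 + Apple + GPG |
            | Windows x64 | `x0x-windows-x64.zip` | ML-DSA-65 + GPG |

            All binaries are signed with ML-DSA-65 (post-quantum, `.sig` files) and GPG (`.asc` files). macOS binaries are additionally signed with Apple Developer ID and notarized.

            ### Verify GPG Signatures

            The public key below is distributed with the files it verifies. Confirm its fingerprint through an independent channel before trusting it.

            ```bash
            # Import Saorsa Labs public key
            gpg --import SAORSA_PUBLIC_KEY.asc

            # Verify any archive
            gpg --verify x0x-linux-x64-gnu.tar.gz.asc x0x-linux-x64-gnu.tar.gz

            # Verify SKILL.md
            gpg --verify SKILL.md.sig SKILL.md
            ```

            ### Verify SHA-256 Checksums

            ```bash
            sha256sum -c x0x-linux-x64-gnu.tar.gz.sha256
            ```

            ### SKILL.md (GPG-Signed)

            This release includes the GPG-signed SKILL.md file for Anthropic Agent Skills.

            ### A2A Agent Card

            The `agent.json` file provides Agent-to-Agent (A2A) discovery metadata compatible with Google's A2A spec.

            ### Bootstrap Nodes

            - NYC, US: `quic://142.93.199.50:5483`
            - SFO, US: `quic://147.182.234.192:5483`
            - Helsinki, FI: `quic://65.21.157.229:5483`
            - Nuremberg, DE: `quic://116.203.101.172:5483`
            - Singapore, SG: `quic://149.28.156.231:5483`
            - Tokyo, JP: `quic://45.77.176.184:5483`

            ---

            **x0x** - A gift to the AI agent ecosystem from [Saorsa Labs](https://saorsalabs.com).
            No winners, no losers - just cooperation.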

  # ============================================================
  # Publish to crates.io
  # ============================================================
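  publish-crates:
    # Publishes the x0x crate after the GitHub Release has been created.
    name: Publish to crates.io
    needs: create-release
    runs-on: ubuntu-latest
    # Publishing authenticates with the registry token below, so the job token
    # is limited to read-only repository access instead of inheriting the
    # workflow-level write and id-token grants.
    permissions:
      contents: read
    steps:
      # NOTE(review): both actions are referenced by mutable tag or branch;
      # consider pinning to a full commit SHA (`owner/action@<commit-sha>`) in
      # the job that holds the registry token.
      - uses: actions/checkout@v5

      - uses: dtolnay/rust-toolchain@stable

      # The registry token is scoped to this single step through `env`.
      # The `|| echo` fallback makes the step succeed on any publish error,
      # authentication failures included, so a green run does not prove the
      # crate was published.
      # NOTE(review): consider telling "already published" apart from other
      # failures.
      - name: Publish x0x crate
        env:
          CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
        run: |
          cargo publish -p x0x || echo "x0x already published or publish failed"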

  # ============================================================
  # Publish to npm (with provenance)
  # ============================================================
  publish-npm:
    # Publishes the Node.js bindings from bindings/nodejs after the GitHub
    # Release has been created.
    name: Publish to npm
    needs: create-release
    runs-on: ubuntu-latest
    # Job-scoped token: read-only contents, plus id-token so the job can
    # request the OIDC token that `npm publish --provenance` relies on.
    permissions:
      contents: read
      id-token: write
    steps:
      # NOTE(review): both actions are referenced by mutable tags; consider
      # pinning to a full commit SHA (`owner/action@<commit-sha>`) in the job
      # that holds the npm token.
      - uses: actions/checkout@v5
      - uses: actions/setup-node@v5
        with:
          node-version: '20'
          registry-url: 'https://registry.npmjs.org'

      # The npm token is scoped to this single step through `env`.
      # The `|| echo` fallback makes the step succeed on any publish error,
      # authentication failures included, so a green run does not prove the
      # package was published.
      # NOTE(review): consider telling "already published" apart from other
      # failures.
      - name: Publish to npm
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
        run: |
          cd bindings/nodejs
          npm publish --provenance --access public || echo "npm publish failed or already published"

  # ============================================================
  # Publish to PyPI (via maturin)
  # ============================================================
  publish-pypi:
    # Builds and publishes the Python bindings from bindings/python after the
    # GitHub Release has been created.
    # NOTE(review): this job declares no `permissions:` block, so it inherits
    # the workflow-level contents: write and id-token: write grants. The
    # publish step authenticates with a token from secrets; confirm whether
    # `contents: read` alone is sufficient here.
    name: Publish to PyPI
    needs: create-release
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): both actions are referenced by mutable tags; consider
      # pinning to a full commit SHA (`owner/action@<commit-sha>`) in the job
      # that holds the PyPI token.
      - uses: actions/checkout@v5

      - uses: actions/setup-python@v5
        with:
          python-version: '3.11'

      # Installs whatever maturin version is current at run time.
      # NOTE(review): the installed tool later runs with the PyPI token in its
      # environment; consider pinning it (`maturin==<pinned-version>`).
      - name: Install maturin
        run: pip install maturin

      # The PyPI token is scoped to this single step through `env`.
      # The `|| echo` fallback makes the step succeed on any publish error,
      # authentication failures included, so a green run does not prove the
      # package was published.
      - name: Build and publish
        env:
          MATURIN_PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }}
        run: |
          cd bindings/python
          maturin publish || echo "PyPI publish failed or already published"