I have built a proper workflow system for complex work that composes environments from nix flakes (very extended flakes) - it allows you to combine deterministic with agentic steps.
The release process is a workflow in your project that is required to generate reproducible outputs - nix does this for you.
The network is basically a distributed CI system - multiple parties need to check and build your release. When all parties agree that the package is correct, the SUI smart contract gives its go. IKA is a multi-party encryption network which implements a novel MCP-2pc algorithm. Your release key is split in half - IKA has one part, you have the other. Only if both parties sign the transaction does your software package get released.
Every party, even your PC, can be compromised, and it is very hard to just release malware in your package. The whole release pipeline needs to succeed and then you need to sign it with your hardware token.
There are mandatory workflows in the release pipeline that check your software for side loading, comparing your dependency tree to the last version published, etc.
It is the largest project I have ever built, and I have been coding for 25 years.
I was just not satisfied with the agentic tools out there, nor with the CI / build infrastructure. Nix is nice, but the way packages are built / signed is just halfway to perfect.
We are lucky that the GitHub hack did not infect the CI infrastructure. Imagine you infect the compilers in GitHub CI to add a sleeper worm that does nothing for a month...
Only if you have multiple parties building the same software with bootstrapped compilers, and every artifact is hash-compared, can you be sure it is legit.
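As an added illustration (not code from the post or from the project it describes), here is a toy Python model of the release gate the post sketches: several independent builders each report the SHA-256 of every artifact plus a digest of their dependency tree, the release is blocked unless every report agrees, the dependency tree is diffed against the last published version and any new dependency must be explicitly approved, and the final step requires the hardware-token signature. The IKA/SUI 2-of-2 signing is reduced to a boolean here because the post gives no protocol details; all names, the "unapproved new dependency" rule, and the sample data are assumptions for illustration.

```python
import hashlib
import json
from dataclasses import dataclass

# Assumed names and constructed data: this is an illustrative model, not the
# project's own code or release protocol.


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def dep_tree_digest(deps: dict) -> str:
    """Canonical digest of a dependency tree so builders can compare it like an artifact."""
    return sha256(json.dumps(deps, sort_keys=True).encode())


@dataclass
class BuildReport:
    party: str
    artifacts: dict  # artifact name -> sha256 hex digest, as built by this party
    deps: dict       # dependency name -> version, as resolved by this party


def all_parties_agree(reports):
    """Return (ok, disagreements).

    ok is True only when at least two independent builders exist and every one of
    them reports the same hash for every artifact and the same dependency tree.
    A missing artifact counts as a disagreement (value None).
    """
    if len(reports) < 2:
        return False, {"_quorum": "need at least two independent builders"}
    names = set()
    for r in reports:
        names |= set(r.artifacts)
    disagreements = {}
    for name in sorted(names):
        seen = {r.party: r.artifacts.get(name) for r in reports}
        if len(set(seen.values())) != 1:
            disagreements[name] = seen
    dep_digests = {r.party: dep_tree_digest(r.deps) for r in reports}
    if len(set(dep_digests.values())) != 1:
        disagreements["_dependency_tree"] = dep_digests
    return not disagreements, disagreements


def diff_dependency_tree(previous: dict, current: dict) -> dict:
    """Diff this release's dependency tree against the last published one."""
    added = {k: v for k, v in current.items() if k not in previous}
    removed = {k: v for k, v in previous.items() if k not in current}
    changed = {k: (previous[k], current[k]) for k in previous
               if k in current and previous[k] != current[k]}
    return {"added": added, "removed": removed, "changed": changed}


def release_allowed(reports, previous_deps, approved_new_deps, hardware_signed):
    """Release gate: builders agree, new deps approved, hardware token signed."""
    ok, why = all_parties_agree(reports)
    if not ok:
        return False, f"builders disagree: {why}"
    # All builders agree, so any report's dependency tree is representative.
    diff = diff_dependency_tree(previous_deps, reports[0].deps)
    unapproved = sorted(set(diff["added"]) - set(approved_new_deps))
    if unapproved:
        return False, f"new dependencies not approved: {unapproved}"
    if not hardware_signed:
        return False, "missing hardware-token signature"
    return True, f"release approved; dependency changes: {diff['changed']}"


# Constructed sample data (assumed names and versions).
PREVIOUS_DEPS = {"openssl": "3.0.1", "zlib": "1.3"}
CURRENT_DEPS = {"openssl": "3.0.2", "zlib": "1.3", "left-pad": "9.9.9"}
ARTIFACTS = {"hello-1.2.0.tar": sha256(b"constructed tarball bytes for v1.2.0")}


def honest_reports():
    """Three builders that all reproduced the same artifact and dependency tree."""
    return [BuildReport(p, dict(ARTIFACTS), dict(CURRENT_DEPS))
            for p in ("maintainer-pc", "ci-node-1", "ci-node-2")]


def tampered_reports():
    """Same as honest_reports, but one CI node's build was modified."""
    reps = honest_reports()
    reps[1].artifacts["hello-1.2.0.tar"] = sha256(b"constructed tarball with implant")
    return reps


if __name__ == "__main__":
    print(release_allowed(honest_reports(), PREVIOUS_DEPS, ("left-pad",), True))
    print(release_allowed(tampered_reports(), PREVIOUS_DEPS, ("left-pad",), True))
    print(release_allowed(honest_reports(), PREVIOUS_DEPS, (), True))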