Skip to content

Install & Run

The whole substrate is a single, attested image. One docker run stands up PostgreSQL 17, the pgRDF graph engine, the pgCK runtime, NATS, and the browser client — about 128 MB, scratch base, no Python. The only prerequisite is Docker.

One docker run

sh
docker run --rm -d --name ckp \
  -e OCIGER_CK_PARTICIPANT_PASSWORD='choose-a-password' \
  -p 5432:5432 -p 8000:8000 -p 4222:4222 -p 9222:9222 \
  ghcr.io/sporaxis-com/ociger-ck-allinone:v0.7.28

That single command gives you a complete CKP v3.9.1 — Critical Isolation substrate:

PostgreSQL 17  +  pgRDF (graph engine)  +  pgCK (concept-kernel runtime)
NATS core :4222  +  NATS WebSocket :9222   (the only door for apps)
busybox httpd :8000  serving /cklib/ (the browser client) + a landing probe
  • Set OCIGER_CK_PARTICIPANT_PASSWORD. Without it the participant role exists but cannot log in, so the isolation floor is never cosmetic.
  • Open http://localhost:8000/ — the landing page runs a live round-trip in your browser and shows ✓ when the wire is alive.
  • Persist /var/lib/postgresql/data with a volume to keep sealed data across restarts.

Then drive it with cklib — activate a kernel, land a sealed task, verify its proof.

The image is attested

The bundle publishes with SLSA Build Provenance v1. Pull it, then verify the provenance before you trust it:

sh
docker pull ghcr.io/sporaxis-com/ociger-ck-allinone:v0.7.28

gh attestation verify \
  oci://ghcr.io/sporaxis-com/ociger-ck-allinone:v0.7.28 \
  --repo sporaxis-com/oci-germination
Imageghcr.io/sporaxis-com/ociger-ck-allinone:v0.7.28
Digestsha256:c652647fed8e433a4668b3cac590175ddbb65a1bf9472e04504ca19b0d9a1dfa
ProvenanceSLSA Build Provenance v1 — verified before publication
Pullpublic, anonymous

What it composes

The image is a tested composition of the fleet, pinned to exact versions:

LayerVersion
PostgreSQL17.10 (pgcrypto auto-installed on first boot)
pgRDF — the graph engine0.6.19
pgCK — the concept-kernel runtime0.4.21
cklib — the client, served at /cklib/1.5.3
NATS core / WebSocket2.14.2 (:4222 / :9222)

The protocol is CKP v3.9.1; the door is ckp.dispatch(verb, kernel_urn, payload, identity).

GitHub releases

Every release below is CI-built and provenance-attested, with a LATEST.md in each repository confirming the verified head.

Behind a gateway

The bundle's NATS WebSocket is on :9222. On a direct docker run an app opens ws://<host>:9222. Behind a TLS gateway, route /wss:9222 and apps open wss://<host>/wss. The bundled landing page auto-detects which case it is from its own URL.

Alpha-trust today

Identity is currently the participant role's shared password, not a per-user verified claim. The isolation floor is real — the role can call ckp.dispatch and nothing else — but treat a deployment as alpha-trust and do not expose it to untrusted users as-is. Per-user verified-JWT identity is an inherited upstream prerequisite (CKP v3.9 §10).

Continue

Released under the MIT License.