
Software bill of materials (SBOM)

Every shipping platform publishes a CycloneDX 1.5 software bill of materials generated from the resolved lock files. Each artifact lists every dependency by name, version, and content hash. Detached minisign signatures bootstrap with the first official release; until then, SHA-256 hashes published on this page anchor in-transit integrity.

The artifacts below are produced at build time from the repository lock files (pubspec.lock for mobile, Cargo.lock for the desktop Rust core, and package-lock.json for the desktop UI and for this website). They are valid CycloneDX 1.5 JSON and can be loaded directly into Dependency-Track, Grype, OSV-Scanner, or any other CycloneDX consumer.

Generated: Fri, 22 May 2026 09:13:40 GMT · total components: 1,493 · format: CycloneDX 1.5

Artifacts

  • Tacita mobile (Flutter / Dart): 272 components
    Download: tacita-mobile.cdx.json (121.7 KB)
    Source lock file: Tacita/pubspec.lock
    SHA-256: 663364daeadf7deadc210f9ffd89dd75abdd9e71712718daaf1937c608d0f9f5

  • Tacita desktop (Rust / Cargo): 592 components
    Download: tacita-desktop.cdx.json (281.5 KB)
    Source lock file: tacita-desktop/Cargo.lock
    SHA-256: 4bca243e64821fa557d122e950fe7057ad5421c49a4f6a6fa064c3d688d7cf94

  • Tacita desktop UI (Svelte / npm): 207 components
    Download: tacita-desktop-ui.cdx.json (140.3 KB)
    Source lock file: tacita-desktop/frontend/package-lock.json
    SHA-256: c9954a229396dd4706483fb48a92e5e8edc6616a74bdf0e8a25e8534c6e697fc

  • Tacita website (Astro / npm): 422 components
    Download: tacita-web.cdx.json (286.9 KB)
    Source lock file: tacita-web/package-lock.json
    SHA-256: 2d148ab45c22469b6a6651d0c486194f2b1faa05e2dbae45ac7e82d346e44646

Index

A machine-readable index of every artifact, including SHA-256 and component count, is published at /sbom/index.json. Mirror scripts and downstream consumers should fetch the index first and use its hashes as the trust anchor for each artifact.

Signed verification

The CycloneDX documents above are real and ship today. Detached minisign signatures (*.minisig) and the public verification key (tacita_sbom_pub.minisign) bootstrap with the first official release. Until then the artifacts are published unsigned, and the verification recipe on /security marks the signed-verification step as "coming", using the same convention that page applies to its other staged primitives.

What is verifiable today: the SHA-256 listed beside each artifact on this page (and in index.json) is the hash of the bytes served at the listed URL. Running sha256sum tacita-<platform>.cdx.json on the downloaded file and comparing the result with the listed value confirms that the artifact has not been altered in transit.

Generating the SBOM locally

The generator lives in this repository at scripts/gen-sbom.mjs. It runs offline against the lock files and never touches the network. It rewrites public/sbom/ in place.

node scripts/gen-sbom.mjs
ls public/sbom/

Related: /security (named primitives and the binary verification recipe), /security/policy (responsible-disclosure policy).