Skip to content
OS.MFOpen source manifest

Public OSPO, ten projects in the open.

What FlyttGo maintains, what FlyttGo sponsors, what FlyttGo contributes upstream — and the explicit boundary between OSS and proprietary in the platform stack. Open Source Programme Office policy public; quarterly contribution report shipped alongside the changelog.

  • Maintained projects
    5
  • Sponsored projects
    3
  • Upstream contributions
    2
OS.PROSPO posture
  • OS.PR.01

    Maintained projects

    FlyttGo maintains the SDK, the reference MCP server, the policy-as-code library, the CLI, and the sigstore helpers. Each released under MIT or Apache-2.0; CI in GitHub Actions; CodeQL + Sigstore on every release.

  • OS.PR.02

    Sponsored projects

    FlyttGo sponsors paid maintainer time on Sigstore Cosign, Open Policy Agent and CycloneDX CLI — three projects in the platform's critical-supply-chain path. Sponsorship is public, audit-trail-attached, and signed via OpenSSF Funding.

  • OS.PR.03

    Upstream contributions

    FlyttGo engineers contribute spec feedback to MCP, OpenTelemetry, AsyncAPI and W3C VC working groups. Time-budgeted, public, and reflected on individual engineers' OSS-contribution profiles.

  • OS.PR.04

    OSPO policy

    Open Source Programme Office policy: 10 % engineering time available for contributions; CLA-free upstream where the project allows; license-compatibility scan on every dependency; quarterly OSPO report.

OS.PJProject registry

Ten projects, three contribution shapes.

  • flyttgo/sdk-typescript
    Maintained

    Official TypeScript SDK across the FlyttGo platform — auto-generated from OpenAPI 3.1 specs, ESM-first, tree-shakable.

    TypeScript·MIT
    Open on GitHub
  • flyttgo/mcp-server
    Maintained

    Reference MCP server implementation exposing the platform tool registry. Used by Claude, Cursor, OpenAI Agents SDK.

    TypeScript·Apache-2.0
    Open on GitHub
  • flyttgo/policy-as-code
    Maintained

    Open Policy Agent rego library covering the FlyttGo platform-policy API — admission controls, agent scopes, sovereign-region policies.

    Rego·Apache-2.0
    Open on GitHub
  • flyttgo/cli
    Maintained

    Command-line tool for workspace operations — workspace token issuance, deployment scaffolding, audit log export.

    Go·MIT
    Open on GitHub
  • flyttgo/sigstore-helpers
    Maintained

    Sigstore signing + verification helpers used internally on every release artefact; useful as a reference for SLSA L3 builds.

    Go·Apache-2.0
    Open on GitHub
  • sigstore/cosign
    Sponsored

    Container-signing tool used across the FlyttGo release pipeline. FlyttGo sponsors maintainer time on the project.

    Go·Apache-2.0
    Open on GitHub
  • open-policy-agent/opa
    Sponsored

    Open Policy Agent — used for admission policy across every FlyttGo deployment substrate. FlyttGo contributes upstream.

    Go·Apache-2.0
    Open on GitHub
  • CycloneDX/cyclonedx-cli
    Sponsored

    CycloneDX SBOM tooling — generates the per-release SBOMs published at /sbom. FlyttGo contributes upstream.

    C#·Apache-2.0
    Open on GitHub
  • modelcontextprotocol/specification
    Contributed

    Model Context Protocol specification. FlyttGo contributes spec feedback + interop test coverage from production.

    Markdown·MIT
    Open on GitHub
  • opentelemetry-io/oteps
    Contributed

    OpenTelemetry Enhancement Proposals. FlyttGo contributes telemetry-schema feedback for cross-tenant observability.

    Markdown·Apache-2.0
    Open on GitHub
OS.LNOSS vs. proprietary boundary

Where the line sits, surface by surface.

SurfacePosition
Platform modules (Transify, Workverge, Civitas, EduPro, Identra, Payvera, Ledgera, Marketplace)Proprietary
TypeScript SDK + CLIOpen · MIT
Reference MCP serverOpen · Apache-2.0
Policy-as-code (OPA rego library)Open · Apache-2.0
OpenAPI 3.1 specificationsOpen · CC-BY 4.0
Audit envelope schema (CloudEvents 1.0)Open standard · adopted upstream
Sigstore signing toolingSponsored upstream
OpenTelemetry exportersOpen · upstream
Sovereign-cluster bootstrapperProprietary · partner-shared under MNDA
AI weights + retraining pipelinesProprietary · disclosed in AIBOM
OS.NXWhere the OSS posture plugs in

Open source touches every other trust artefact.

OSS posture is a procurement signal. The four pathways below take a security or developer review from this manifest into deeper engagement.