Attested Builds

Attested builds are a new approach to verifiable software distribution. Source code is compiled inside hardware-isolated environments that produce cryptographic proof linking binaries to their exact inputs.Powered by Kettle, Lunal's open-source implementation.

GET /build/{id}/events

Streams build progress as Server-Sent Events (SSE). Each event is a JSON object on a data: line. The stream begins by replaying every event emitted so far, then delivers new events live until the terminal complete event.

Use the job_id returned by POST /build. Once the build completes successfully, download the outputs with GET /build/{id}/result.

Parameters

ParameterInDescription
idpathThe job_id returned by POST /build.
fromqueryOptional. Skip the first N already-delivered events when replaying the backlog. Used by clients to resume after a dropped connection. Defaults to 0.

Returns 404 Not Found if no job matches id.

Example

curl -N https://build.confidential.ai/build/$JOB/events

The -N flag disables output buffering so events appear in real time.

Event types

Each event has a type field. All phase events carry a msg string; queued carries a position, and complete carries a result.

typePayloadMeaning
queuedposition (number)Build is queued; position is its place in line.
vmmsgConfidential VM lifecycle progress.
initmsgWorkspace initialization.
detectmsgToolchain detection (Cargo / Nix).
buildmsgBuild output — one event per line of build log.
provenancemsgProvenance generation.
attestmsgAttestation generation.
completeresultTerminal event; build finished. See below.

Stream example

data: {"type":"queued","position":0}
data: {"type":"detect","msg":"cargo"}
data: {"type":"init","msg":"Verifying build inputs"}
data: {"type":"build","msg":"   Compiling serde v1.0.0"}
data: {"type":"build","msg":"    Finished release [optimized] target(s)"}
data: {"type":"provenance","msg":"Generating provenance"}
data: {"type":"attest","msg":"Generating attestation"}
data: {"type":"complete","result":{"status":"ok"}}

The complete result

On success:

{ "type": "complete", "result": { "status": "ok" } }

On failure:

{
  "type": "complete",
  "result": {
    "status": "failed",
    "error": "Description of what went wrong",
    "error_type": "BuildError"
  }
}

When the result is ok, download the outputs with GET /build/{id}/result.