Thoth SDK
sdk v0.1.15 / proxy v0.3.4

Deployment Validation Matrix

Post-deployment validation checklist for Homebrew, PKG, Jamf, Intune, Kandji, and Santa rollout paths.

Use this matrix after each thoth/v* rollout to confirm endpoint health, governance enforcement, and trust controls.

Global pre-check (all paths)

Run on a representative endpoint:

thoth --version
thothctl --version
thoth health --json
thoth status

Required outcomes:

  • Installed version matches intended release tag.
  • thoth health --json reports healthy registration.
  • Governed servers appear in thoth status.

Validation matrix

| Path | Verify install | Verify trust | Verify runtime behavior |
|---|---|---|---|
| Homebrew | brew list --versions thoth | sha256sum -c checksums.sha256 on release assets used in tap update | thoth health --json + one governed MCP tool call |
| Notarized PKG | pkgutil --pkg-info com.atensecurity.thoth.cli | pkgutil --check-signature + spctl --assess --type install on package | thoth status after Claude restart |
| Jamf macOS | Jamf policy success + binary present in /usr/local/bin | Validate signed PKG source + optional Santa rule check | thoth health --json on test/pilot devices |
| Intune macOS | Assignment success + binary present | Verify source checksums and package provenance | thoth status + config path exists |
| Intune Windows | Win32 app install success + thoth.exe on PATH | Verify artifact checksums and Sigstore bundle | thoth health --json in PowerShell |
| Intune Linux | Script/package assignment success | Verify artifact checksums | thoth status + config path exists |
| Kandji macOS | Custom App install success + script success | Validate package notarization + signatures | thoth health --json on scoped devices |
| Santa macOS | santa-cli rule state matches policy repo | Team ID/hash rules match santa-metadata.json and checksums.sha256 | Thoth binaries execute under Santa enforcement |

Path-specific commands

Homebrew

brew update
brew list --versions thoth
thoth --version

macOS PKG / Jamf / Kandji

pkgutil --check-signature thoth-macos-universal.pkg
spctl --assess --type install --verbose=4 thoth-macos-universal.pkg
codesign -dv --verbose=4 /usr/local/bin/thoth 2>&1 | grep -E 'TeamIdentifier|Authority='

Intune Windows

thoth --version
thothctl --version
thoth health --json
Test-Path "C:\ProgramData\Thoth\thoth-config.json"

Intune Linux

thoth --version
thothctl --version
thoth health --json
test -f /etc/thoth/thoth-config.json

Santa

TEAM_ID_EXPECTED="$(jq -r '.teamId' santa-metadata.json)"
sudo santa-cli rule --check --teamid "$TEAM_ID_EXPECTED"

Release artifact validation (required per release)

sha256sum -c checksums.sha256
jq -e '.provenanceType == "release-artifact-provenance"' provenance.json
jq -e '.bomFormat == "CycloneDX"' sbom.cdx.json
jq -e '.spdxVersion | startswith("SPDX-")' sbom.spdx.json

Optional attestation verification:

gh attestation verify checksums.sha256 --repo atensecurity/thoth
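
The checksum and metadata checks above, combined into one fail-closed gate that also runs on hosts without sha256sum or jq. This is an added example, not Thoth project code; the function names and the sample file thoth-sample.bin are assumptions, and the sample artifacts are constructed.

```python
import hashlib
import json
from pathlib import Path

# The three jq predicates from this page, keyed by the file each one inspects.
JSON_CHECKS = {
    "provenance.json": lambda d: d.get("provenanceType") == "release-artifact-provenance",
    "sbom.cdx.json": lambda d: d.get("bomFormat") == "CycloneDX",
    "sbom.spdx.json": lambda d: str(d.get("spdxVersion", "")).startswith("SPDX-"),
}

def validate_release(release_dir):
    """Return a list of failures; an empty list means the release passes."""
    root, failures = Path(release_dir), []
    manifest = root / "checksums.sha256"
    lines = manifest.read_text().splitlines() if manifest.is_file() else []
    if not lines:
        failures.append("checksums.sha256 missing or empty")
    for line in lines:
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # sha256sum writes "<hex>  name" or "<hex> *name"
        if len(digest) != 64 or not name or not (root / name).is_file():
            failures.append(f"unverifiable entry: {line!r}")
        elif hashlib.sha256((root / name).read_bytes()).hexdigest() != digest.lower():
            failures.append(f"checksum mismatch: {name}")
    for name, check in JSON_CHECKS.items():
        try:
            ok = check(json.loads((root / name).read_text()))
        except (OSError, ValueError, AttributeError):
            ok = False  # a missing or malformed metadata file fails closed
        if not ok:
            failures.append(f"metadata check failed: {name}")
    return failures

def build_sample(root):
    """Write constructed sample artifacts (not real Thoth release files)."""
    files = {
        "thoth-sample.bin": b"constructed sample artifact\n",
        "provenance.json": b'{"provenanceType": "release-artifact-provenance"}',
        "sbom.cdx.json": b'{"bomFormat": "CycloneDX"}',
        "sbom.spdx.json": b'{"spdxVersion": "SPDX-2.3"}',
    }
    for name, data in files.items():
        Path(root, name).write_bytes(data)
    Path(root, "checksums.sha256").write_text(
        "".join(f"{hashlib.sha256(d).hexdigest()}  {n}\n" for n, d in files.items()))
    return Path(root)
```

Call validate_release on the directory holding the downloaded release assets and block the rollout on any non-empty result.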

Suggested rollout gates

  1. Test: 1-5 endpoints per platform.
  2. Pilot: 5-15% of platform fleet.
  3. Production: full scope after pilot SLO passes.

Advance to the next stage only if:

  • health checks remain stable for 24h,
  • no policy regression tickets are opened,
  • drift remediation scripts remain idempotent.
