Container attestations, Code auth, and Dispatch loading.

Published BuildKit provenance and SBOM attestations with VNext Docker images and documented the release pipeline supply-chain outputs.

Moved runtime images to Debian Trixie bases, updated Go and A2A dependencies, and added VNext Docker SBOM and provenance publishing coverage.

Changed production deployment back to a fast source-tag promotion with `source_tag` validation instead of rebuilding `latest`, cutting the workflow timeout to five minutes.

Made first-run GitHub token validation retry without `gh auth status --active` when the installed GitHub CLI does not support that flag, while restoring temporary token environment variables.

Checked agent-auth status for non-Claude harnesses before UI handling so configured runtimes can surface readiness consistently without starting Claude browser login.

Added Docker SBOM generation and registry-pushed provenance attestations for VNext builds and production tag promotions.

Showed a clear connected-agent loading state while Molten Hub connection is being attempted and agent refresh is in flight.

Published the May 5 release rollup without changing existing historical release entries.