Lines 1-30javascript
2// bin/install.mjs — the one-command installer for RuvNet Brain.
4// npx ruvnet-brain # published on npm — shortest, recommended
5// npx github:stuinfla/ruvnet-brain # always the latest commit, even ahead of the npm release
6// node bin/install.mjs --local # from a repo clone that already has dist/ruvnet-brain.zip
8// Goal: a newcomer runs ONE command and ends up with (a) the brain on disk and (b) the Claude Code
9// plugin wired at user scope — narrating "what I'm doing and why" at every step (the product's ethos).
11// Design rules: dependency-free (Node built-ins + shelling to unzip/npm/claude only), idempotent
12// (safe to re-run), and never a silent half-state (every failure explains the next step).
14import https from 'node:https';
15import fs from 'node:fs';
16import os from 'node:os';
17import path from 'node:path';
18import { spawnSync } from 'node:child_process';
19import { fileURLToPath, pathToFileURL } from 'node:url';
HighSandbox Evasion Gated Capability
Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.
bin/install.mjsView on unpkg · L10 MediumInstall Persistence
Source writes installer persistence such as shell profile or service configuration.
bin/install.mjsView on unpkg · L10 20import readline from 'node:readline';
21import crypto from 'node:crypto';
23// SEC-0010 #6 — the Ed25519 PUBLIC key is EMBEDDED here (not a separate file) so the installer's
24// trust root travels with the installer code itself: an attacker who swaps the downloaded bundle
25// cannot also swap the key the installer checks it against. Rotate via `node scripts/sign-bundle.mjs
26// --gen-key` and paste the new keys/…pub.pem here. Verify logic mirrors scripts/verify-bundle.mjs.
27const SIGNING_PUBKEY_PEM = `-----BEGIN PUBLIC KEY-----
28MCowBQYDK2VwAyEAgse9TAtehXUvUfTrJFY2CCHiCbmelR8yCgS//sen5/w=
29-----END PUBLIC KEY-----`;
30function verifyBundle(bundlePath, sigPath) {