This page describes the direction Genie’s distribution is moving toward, anchored by the aegis-distribution-sovereignty umbrella merged in PR #1425. Some of the install paths described below ship in 2026-Q2/Q3 — see the per-component status notes.
The threat we’re closing
In April 2026, the @automagik/genie npm package was weaponized as part of the CanisterWorm/TeamPCP compromise. The detection-and-response runbook ships through the same npm pipe that carried the malicious payload. As long as Genie is acquired through npm install -g @automagik/genie, three structural exposures remain:
- No cosign enforcement at install time. npm verifies a tarball checksum but knows nothing about Sigstore certificates. A compromised publish token bypasses every cryptographic control upstream of npm.
- Arbitrary postinstall scripts in transitive deps. A single compromised dependency anywhere in the resolved tree runs arbitrary code on the operator’s machine before Genie’s own code executes.
- Threat-intel cadence locked to npm publish. The signature packs Genie uses to detect new IOCs are tied to whatever release rhythm npm allows. Worms propagate in hours; signature updates need to arrive in minutes.
The new install path
- Detects your platform (uname -s/uname -m, with Rosetta 2 awareness on Apple Silicon and libc detection on Linux). Mirrors Claude Code’s bootstrap pattern.
- Downloads the platform-appropriate static binary from cdn.automagik.dev/genie/<channel>/<version>/<platform>/genie. The binary is a single file produced by bun build --compile — no Node, no npm, no transitive dep tree.
- Verifies SHA256, cosign, and SLSA L3 provenance. Three independent gates. Tamper at any layer fails the install with a clear exit code.
- Hands off to the binary’s own install subcommand to wire shell integration, install completions, and create ~/.genie/.
cdn.automagik.dev can fall back to the GitHub Releases mirror — same artifacts, same signatures, different transport.
- Linux x86_64: glibc + musl, both supported.
- Linux ARM64: Native ARM64 binary, glibc.
- macOS x86_64: Intel Macs.
- macOS ARM64: Apple Silicon, with Rosetta detection so the right binary is picked even when running under emulation.
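The platform-detection step and the supported matrix above, as an added shell example that is not taken from Genie's install.sh. The platform labels (linux-x64, darwin-arm64 and so on) and the function names are hypothetical; the page only shows a <platform> placeholder.

```sh
# Added example: map uname output to a download platform label.
# The labels printed here are hypothetical, not Genie's real path segments.

# Pure mapping: $1 = uname -s, $2 = uname -m, $3 = 1 if running under
# Rosetta 2, $4 = libc flavour ("glibc" or "musl", Linux only).
resolve_platform() {
    case "$1" in
        Darwin)
            case "$2" in
                arm64) echo darwin-arm64 ;;
                # A translated process sees x86_64 on Apple Silicon hardware.
                x86_64) if [ "$3" = 1 ]; then echo darwin-arm64; else echo darwin-x64; fi ;;
                *) return 1 ;;
            esac ;;
        Linux)
            case "$2:$4" in
                x86_64:glibc) echo linux-x64 ;;
                x86_64:musl) echo linux-x64-musl ;;
                aarch64:glibc|arm64:glibc) echo linux-arm64 ;;
                *) return 1 ;;   # e.g. ARM64 + musl: not in the supported list
            esac ;;
        *) return 1 ;;           # unknown OS: refuse rather than guess
    esac
}

detect_libc() {  # musl's ldd names itself in its version/usage output
    if ldd --version 2>&1 | grep -qi musl; then echo musl; else echo glibc; fi
}

detect_platform() {
    os=$(uname -s); arch=$(uname -m); translated=0; libc=
    if [ "$os" = Darwin ]; then
        # sysctl.proc_translated is 1 for a process running under Rosetta 2.
        [ "$(sysctl -n sysctl.proc_translated 2>/dev/null)" = 1 ] && translated=1
    else
        libc=$(detect_libc)
    fi
    resolve_platform "$os" "$arch" "$translated" "$libc"
}
```

An unsupported combination returns non-zero instead of falling back to a default binary, so the caller can stop before any download happens.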
The verification stack
Each release publishes:
| Artifact | Purpose | Verifier |
|---|---|---|
| genie (per platform) | The binary itself | shasum -a 256 against manifest.json |
| genie.sig | Cosign signature, keyless via OIDC | cosign verify-blob |
| genie.cert | Fulcio certificate identifying the workflow + commit | embedded in cosign verify-blob check |
| provenance.intoto.jsonl | SLSA Level 3 provenance attestation | slsa-verifier verify-artifact |
| manifest.json | Schema-versioned envelope listing all of the above | JSON Schema validation against docs/security/manifest.schema.json |
install.sh bundles tiny static portable verifiers (sigstore-rs + slsa-verifier, ≤2 MB each) so an operator with no preinstalled cryptographic tooling can still run the full chain. The verifiers are themselves cosign-signed by the same OIDC identity, with their SHA256 inlined in install.sh to defeat verifier-substitution attacks.
The cosign certificate identity is pinned across four independent channels. Cross-check before you run.
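The three gates from the table above, run by hand in a fixed order, as an added shell example that is not Genie's own install.sh. The expected digest is passed in rather than parsed from manifest.json (its schema is not shown on this page), the exit codes 10/20/30 are assumed values, and the certificate identity, OIDC issuer and source URI are caller-supplied arguments to be filled from the pinned channels.

```sh
# Added example: fail-closed verification of one downloaded release directory.
# Exit codes 10/20/30 and all argument values are assumptions, not Genie's.

sha256_of() {  # print the lowercase hex SHA-256 of a file
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

verify_sha256() {  # $1 = file, $2 = expected digest taken from manifest.json
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    # Reject anything that is not exactly 64 hex characters before comparing.
    [ "${#want}" -eq 64 ] || return 1
    case "$want" in *[!0-9a-f]*) return 1 ;; esac
    [ "$(sha256_of "$1")" = "$want" ]
}

# $1 = binary, $2 = expected SHA-256, $3 = pinned certificate identity,
# $4 = OIDC issuer, $5 = source repository URI. genie.sig, genie.cert and
# provenance.intoto.jsonl are expected next to the binary.
verify_release() {
    dir=$(dirname "$1")
    verify_sha256 "$1" "$2" || return 10            # gate 1: checksum
    command -v cosign >/dev/null 2>&1 || return 20  # missing verifier = failure
    cosign verify-blob \
        --certificate "$dir/genie.cert" \
        --signature "$dir/genie.sig" \
        --certificate-identity "$3" \
        --certificate-oidc-issuer "$4" \
        "$1" >/dev/null 2>&1 || return 20           # gate 2: signature + identity
    command -v slsa-verifier >/dev/null 2>&1 || return 30
    slsa-verifier verify-artifact "$1" \
        --provenance-path "$dir/provenance.intoto.jsonl" \
        --source-uri "$5" >/dev/null 2>&1 || return 30  # gate 3: provenance
    return 0
}
```

A missing verifier binary is treated the same as a failed check, so the function never reports success for a gate it could not run.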
What about npm?
@automagik/genie on npm is being soft-deprecated, not yanked. Existing operators on npm install -g @automagik/genie continue to work — but the package contents shrink to a ≤50-LOC postinstall.js shim that:
- Detects the platform (mirroring install.sh’s logic).
- Downloads install.sh from the CDN, verifying an inlined SHA256.
- Runs bash install.sh with platform pre-set.
- Prints a loud deprecation banner pointing at the canonical install path and the sunset date.
npm deprecate-flagged with a stronger message; existing pinned versions continue to install via the shim, but the package itself is no longer the recommended path.
We do not unpublish. Forensic tooling and dependency graphs benefit from the package’s continued existence; the shim’s loudness handles the rest.
What this does NOT solve (yet)
Distribution sovereignty closes the acquisition exposure. Three larger exposures remain in flight:
- Build-time supply chain. Genie itself is built from bun install. A compromised dependency in our build environment defeats every downstream control. Tracked under a separate future umbrella (genie-build-sovereignty); not in scope here.
- Runtime privilege boundary. Once Genie runs, it has full host permissions. The Aegis runtime sandbox (in flight) adds default-deny network egress and continuous workspace scanning. v1 is observe-only; v2 graduates to kernel-level enforcement.
- Content inspection at the prompt boundary. Prompt-injection / PII / data-leak detection lives in our enterprise tier (@khal-os), not in the OSS distribution covered by this page.
Status
| Component | Status | Tracker |
|---|---|---|
| Cosign keyless + SLSA L3 signing | ✅ Shipped | genie-supply-chain-signing |
| Signature packs + version-gated matching | ✅ Shipped | sec-signature-registry (@automagik/genie-signatures) |
| cdn.automagik.dev + per-platform binaries + install.sh | 🚧 Wave 1 | distribution-exodus (Wave 1 of the umbrella) |
| genie self-update | 🚧 Wave 2 | genie-self-update |
| Aegis runtime sandbox | 🚧 Wave 2 | aegis-runtime |
| Aegis continuous scanner | 🚧 Wave 3 | aegis-scanner |
| npm soft-deprecate + sunset | 🚧 Wave 1 finale | distribution-exodus Group 5 |