docs: current install story for the composed tools#26
Conversation
truecopy + strongroom install from npm; redstamp from its signed release tarball (releases/latest/download/redstamp.tgz) or the tool-page one-liners. The stack itself stays a GitHub install (--allow-git on npm >= 12).
sprayberry-reviewer
left a comment
There was a problem hiding this comment.
Automated review from the Sprayberry Labs fleet code reviewer.
Verdict: No blocking issues — clean, accurate doc update. Approving.
What I checked
gh pr diff 26— a one-line README change (README.md, +1/-1).- CI rollup: CodeQL,
test,truecopy gate, and CodeQL analyze allSUCCESS.
Findings
None blocking. This is a documentation-only change replacing a stale "not yet on npm" note with a more precise breakdown of how each composed tool installs (@askalf/truecopy and @askalf/strongroom from npm, redstamp from its signed release tarball or tool-page one-liners, and the stack itself via npx -y github:askalf/agent-security-stack with the npm ≥ 12 --allow-git caveat). The claim that dependency pins stay as git+SHA on purpose (a commit pin being stronger than a replaceable release asset) is a reasonable rationale and isn't contradicted by anything in the diff.
Minor: worth a human sanity-check that the redstamp.tgz release-asset URL and the ownyourstack.sprayberrylabs.com/tools/redstamp link are live, since a stale/broken link in a README is low-cost to slip in — but that's outside what a diff review can verify, and not a reason to block.
What's good
Precise, corrected install guidance replacing a vague placeholder; no code or behavior touched; CI green.
The README note under the MCP config still said the whole trilogy installs from GitHub. Now: truecopy + strongroom from npm, redstamp from its signed release tarball (or the tool-page one-liners at ownyourstack.sprayberrylabs.com/tools/redstamp), and the stack itself stays a GitHub npx install with the npm >= 12 --allow-git caveat noted. Dependency pins stay as git+SHA on purpose - a commit pin is stronger than a replaceable release asset.