Skip to content

docs: current install story for the composed tools#26

Merged
askalf merged 1 commit into
masterfrom
docs/install-refresh
Jul 18, 2026
Merged

docs: current install story for the composed tools#26
askalf merged 1 commit into
masterfrom
docs/install-refresh

Conversation

@askalf

@askalf askalf commented Jul 18, 2026

Copy link
Copy Markdown
Owner

The README note under the MCP config still said the whole trilogy installs from GitHub. Now: truecopy + strongroom from npm, redstamp from its signed release tarball (or the tool-page one-liners at ownyourstack.sprayberrylabs.com/tools/redstamp), and the stack itself stays a GitHub npx install with the npm >= 12 --allow-git caveat noted. Dependency pins stay as git+SHA on purpose - a commit pin is stronger than a replaceable release asset.

truecopy + strongroom install from npm; redstamp from its signed release
tarball (releases/latest/download/redstamp.tgz) or the tool-page one-liners.
The stack itself stays a GitHub install (--allow-git on npm >= 12).

@sprayberry-reviewer sprayberry-reviewer left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated review from the Sprayberry Labs fleet code reviewer.

Verdict: No blocking issues — clean, accurate doc update. Approving.

What I checked

  • gh pr diff 26 — a one-line README change (README.md, +1/-1).
  • CI rollup: CodeQL, test, truecopy gate, and CodeQL analyze all SUCCESS.

Findings

None blocking. This is a documentation-only change replacing a stale "not yet on npm" note with a more precise breakdown of how each composed tool installs (@askalf/truecopy and @askalf/strongroom from npm, redstamp from its signed release tarball or tool-page one-liners, and the stack itself via npx -y github:askalf/agent-security-stack with the npm ≥ 12 --allow-git caveat). The claim that dependency pins stay as git+SHA on purpose (a commit pin being stronger than a replaceable release asset) is a reasonable rationale and isn't contradicted by anything in the diff.

Minor: worth a human sanity-check that the redstamp.tgz release-asset URL and the ownyourstack.sprayberrylabs.com/tools/redstamp link are live, since a stale/broken link in a README is low-cost to slip in — but that's outside what a diff review can verify, and not a reason to block.

What's good

Precise, corrected install guidance replacing a vague placeholder; no code or behavior touched; CI green.

@askalf
askalf merged commit 1996ca3 into master Jul 18, 2026
4 checks passed
@askalf
askalf deleted the docs/install-refresh branch July 18, 2026 14:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants