This document records the measured release-oriented install contract for the Zig port.
- macOS and Linux: `cbm-<os>-<arch>.tar.gz`
- Windows: `cbm-windows-amd64.zip`
- Shared checksum file: `checksums.txt`
- Shared release manifest: `release-manifest.json`

- one-line installers: `install.sh`, `install.ps1`
- setup wrappers: `scripts/setup.sh`, `scripts/setup-windows.ps1`
- local release packager: `scripts/package-release.sh`

`scripts/package-release.sh` now emits both `checksums.txt` and a repo-owned `release-manifest.json` with archive metadata, SHA-256 digests, sizes, target triples, and the source commit used to produce the artifacts. `install.sh` and `install.ps1` verify the target archive checksum when `checksums.txt` is present and also verify the matching manifest entry when `release-manifest.json` is present. `.github/workflows/release.yml` merges the per-job manifests, validates the merged result against the actual release archives plus `checksums.txt`, and then uploads the validated release set as a draft GitHub release.
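
The conditional checks described above, sketched in Python as an added example; this is not the project's installer code. The `checksums.txt` line layout, the manifest field names (`artifacts`, `name`, `sha256`, `size`), the `strict` flag and the sample archive are assumptions made for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

ARCHIVE = "cbm-linux-amd64.tar.gz"  # one instance of cbm-<os>-<arch>.tar.gz

def verify_archive(release_dir, archive, strict=False):
    """Return a list of problems; empty means every check that ran passed."""
    root = Path(release_dir)
    data = (root / archive).read_bytes()
    digest, problems = hashlib.sha256(data).hexdigest(), []
    sums = root / "checksums.txt"
    if sums.exists():
        # Assumed sha256sum layout: "<hex digest>  <file name>"
        rows = (line.split() for line in sums.read_text().splitlines())
        listed = {r[1].lstrip("*"): r[0].lower() for r in rows if len(r) == 2}
        if listed.get(archive) != digest:
            problems.append("checksums.txt: missing entry or digest mismatch")
    elif strict:  # hypothetical strict mode, not described on the page
        problems.append("checksums.txt: file absent")
    manifest = root / "release-manifest.json"
    if manifest.exists():
        # Assumed schema: {"artifacts": [{"name", "sha256", "size"}, ...]}
        entries = json.loads(manifest.read_text()).get("artifacts", [])
        entry = next((e for e in entries if e.get("name") == archive), None)
        if entry is None:
            problems.append("release-manifest.json: no entry for archive")
        elif str(entry.get("sha256", "")).lower() != digest:
            problems.append("release-manifest.json: sha256 mismatch")
        elif entry.get("size") != len(data):
            problems.append("release-manifest.json: size mismatch")
    elif strict:
        problems.append("release-manifest.json: file absent")
    return problems

def make_sample_release(root, payload=b"constructed archive bytes"):
    """Write a constructed archive with matching checksums.txt and manifest."""
    root, digest = Path(root), hashlib.sha256(payload).hexdigest()
    (root / ARCHIVE).write_bytes(payload)
    (root / "checksums.txt").write_text(f"{digest}  {ARCHIVE}\n")
    entry = {"name": ARCHIVE, "sha256": digest, "size": len(payload)}
    (root / "release-manifest.json").write_text(json.dumps({"artifacts": [entry]}))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_release(tmp)
        print(verify_archive(tmp, ARCHIVE))
```

With `strict=False` a missing `checksums.txt` or manifest skips that check, matching the "when present" wording. Both files come from the same location as the archive, so a clean result shows the release set is internally consistent, not that the publisher is authenticated.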

Build a local release archive:

```bash
bash scripts/package-release.sh --version 0.0.0-dev
```

Install from a release directory without touching agent config:

```bash
CBM_DOWNLOAD_URL="file://$(pwd)/dist/release" bash install.sh --dir /tmp/cbm-install --skip-config
```

Install from the same release directory through PowerShell:

```bash
pwsh -NoLogo -NoProfile -File ./install.ps1 -BaseUrl "$(pwd)/dist/release" -InstallDir /tmp/cbm-install-ps -SkipConfig
```

Build and install from the current checkout instead:

```bash
bash scripts/setup.sh --from-source --dir /tmp/cbm-install --skip-config
```

This packaging story is intentionally separate from the agent-installer surface.
The release scripts are responsible for getting the `cbm` binary onto disk and
verifying it runs. The existing `cbm install` command remains responsible for
post-install MCP and agent configuration behavior.

Deliberate exclusions in the current hardening slice:
- no signing or external attestation
- no SBOM or malware-scanning pipeline
- no UI-variant packaging
- no off-repo trust infrastructure