chore(npm): mark @automagik/genie as soft-deprecated; canonical install moves to get.automagik.dev#1429
Conversation
…ll moves to get.automagik.dev Operator-visible signaling that the npm distribution channel is being soft-deprecated in favor of the cosign + SLSA verified installer at get.automagik.dev/genie. Three changes, no behavior change in this PR: 1. package.json description — `npm view @automagik/genie` and the npmjs.com listing now lead with the deprecation notice + canonical install command + docs link. Operators inspecting the package see the runway up front. 2. README.md — top-of-page IMPORTANT callout explains the soft-deprecate posture and points at the docs. 3. .github/workflows/version.yml — every successful `npm publish` is followed by `npm deprecate <version> "<message>"`. Operators running `npm install -g @automagik/genie` see npm's own warn-deprecated notice immediately. The npm install path KEEPS WORKING — the binary still installs as before. The actual install-flow rewrite (50-LOC postinstall shim that delegates to install.sh, hard sunset 90 days post-v1 GA) ships in PR-A10. This PR is metadata + signaling only; the deprecation message is the only behavior change operators see today. PR-A3 in the security-roadmap mini-PR sequence. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: ASSERTIVE Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces a soft-deprecation notice for the npm distribution in both the README and package.json, directing users to a new verified installation method via CDN. A critical issue was identified in the package.json description where invalid escape sequences would cause parsing errors; a suggestion was provided to fix this and reorder the text for better visibility in registry UIs.
| "name": "@automagik/genie", | ||
| "version": "4.260427.10", | ||
| "description": "Collaborative terminal toolkit for human + AI workflows", | ||
| "description": "Collaborative terminal toolkit for human + AI workflows. NOTE: the npm distribution is being soft-deprecated — the canonical install is `curl -fsSL https://get.automagik.dev/genie | bash` (cosign + SLSA verified). See https://automagik.dev/genie/security/distribution-sovereignty", |
There was a problem hiding this comment.
The description field contains invalid JSON escape sequences (`). In JSON, backticks do not need to be escaped, and a backslash followed by a backtick is not a valid escape sequence, which will cause parsing errors for the package.json file. Additionally, the PR description mentions that the description was rewritten to lead with the deprecation notice for better visibility in registry UIs, but the current implementation appends it to the end. I have updated the suggestion to move the notice to the front and removed the invalid escapes.
| "description": "Collaborative terminal toolkit for human + AI workflows. NOTE: the npm distribution is being soft-deprecated — the canonical install is `curl -fsSL https://get.automagik.dev/genie | bash` (cosign + SLSA verified). See https://automagik.dev/genie/security/distribution-sovereignty", | |
| "description": "NOTE: The npm distribution is being soft-deprecated — the canonical install is 'curl -fsSL https://get.automagik.dev/genie | bash' (cosign + SLSA verified). Collaborative terminal toolkit for human + AI workflows. See https://automagik.dev/genie/security/distribution-sovereignty", |
…ll moves to get.automagik.dev (#1429) Operator-visible signaling that the npm distribution channel is being soft-deprecated in favor of the cosign + SLSA verified installer at get.automagik.dev/genie. Three changes, no behavior change in this PR: 1. package.json description — `npm view @automagik/genie` and the npmjs.com listing now lead with the deprecation notice + canonical install command + docs link. Operators inspecting the package see the runway up front. 2. README.md — top-of-page IMPORTANT callout explains the soft-deprecate posture and points at the docs. 3. .github/workflows/version.yml — every successful `npm publish` is followed by `npm deprecate <version> "<message>"`. Operators running `npm install -g @automagik/genie` see npm's own warn-deprecated notice immediately. The npm install path KEEPS WORKING — the binary still installs as before. The actual install-flow rewrite (50-LOC postinstall shim that delegates to install.sh, hard sunset 90 days post-v1 GA) ships in PR-A10. This PR is metadata + signaling only; the deprecation message is the only behavior change operators see today. PR-A3 in the security-roadmap mini-PR sequence. Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Snyk security upgrade (uuid 11.1.0 → 14.0.0, #1438) and atomic-PID serve fix (#1430) landed on main while dev was running release prep on PR 1431. Merge main into dev to clear the package.json conflict on the dev→main release PR. Resolution: - Keep dev's pinned dependency style (no `^`) from PR #1429 ("pin every runtime dep") - Take main's uuid 14.0.0 security upgrade (pinned, no `^`) - bun.lock regenerated against the new version uuid usage in dev (`import { v4 as uuidv4 }` in src/lib/team-chat.ts + src/lib/mailbox.ts) uses the stable v4 API — no migration needed for v14. Authorized by user (felipe@namastex.io) for direct push to dev to resolve PR 1431 conflict. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
1 participant
Summary
Operator-visible signaling that the npm distribution channel is being soft-deprecated in favor of the cosign + SLSA verified installer at
get.automagik.dev/genie. Three small changes; no install behavior changes in this PR — the binary still installs as before. Only the deprecation message changes.Changes
package.jsonnpm view @automagik/genieand the npmjs.com listing now show this immediately.README.md> [!IMPORTANT]callout explaining the soft-deprecate posture and pointing at the docs..github/workflows/version.ymlnpm publishstep is now followed bynpm deprecate <version> "<message>". Operators runningnpm install -g @automagik/geniesee npm's own warn-deprecated notice immediately.What does NOT change
npm install -g @automagik/geniestill produces a working binarydist/genie.js, the postinstall scripts, or any downstream toolingnpm update -gSequencing
This is PR-A3 in the security-roadmap mini-PR sequence:
The hard install-flow change (50-LOC postinstall shim that delegates to install.sh, hard sunset 90 days post-v1 GA) ships in PR-A10 — that's the actual cutover. This PR is signaling only.
🤖 Generated with Claude Code