Merged
15 changes: 15 additions & 0 deletions .github/workflows/version.yml
Expand Up @@ -176,3 +176,18 @@ jobs:
# (no bump, matches the GitHub Release tag exactly).
# On dev context: publish the version we just bumped to as @next.
run: npm publish --access public --tag ${{ steps.context.outputs.npm_tag }}

- name: Mark published version as deprecated (npm-distribution sunset)
# The npm distribution channel is being soft-deprecated in favor of
# the cosign + SLSA verified installer at get.automagik.dev/genie.
# Every published version carries an `npm warn deprecated` notice
# pointing operators at the canonical install path. Existing pinned
# versions continue to install (the postinstall shim handles the
# delegation in the next umbrella PR); this step just makes the
# sunset visible in npm's own UX.
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
run: |
version="$(node -p 'require("./package.json").version')"
npm deprecate "@automagik/genie@${version}" \
"@automagik/genie via npm is soft-deprecated. Canonical install: curl -fsSL https://get.automagik.dev/genie | bash (cosign + SLSA verified). See https://automagik.dev/genie/security/distribution-sovereignty for the threat model and verification flow."
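Review bot: The new deprecate step has no failure handling and runs right after `npm publish`, so if `npm deprecate` errors, the job is reported as failed even though the version is already on the registry. Consider `continue-on-error: true` on this step, or a short retry, so a notice-only step cannot mask a successful release. Separately, the message labels `curl -fsSL https://get.automagik.dev/genie | bash` as "(cosign + SLSA verified)", but nothing in these lines shows what checks the script that curl hands to bash; the wording should say which artifact is verified, or leave that to the linked distribution-sovereignty page.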
13 changes: 13 additions & 0 deletions README.md
Expand Up @@ -18,6 +18,19 @@

<br />

> [!IMPORTANT]
> **Genie's npm distribution is being soft-deprecated** in favor of a cosign + SLSA-verified install through our own CDN.
>
> The canonical install going forward is:
>
> ```bash
> curl -fsSL https://get.automagik.dev/genie | bash
> ```
>
> Existing operators on `npm install -g @automagik/genie` continue to work — the npm package will become a thin postinstall shim that downloads and runs the verified installer. See [Security & Trust → Distribution Sovereignty](https://automagik.dev/genie/security/distribution-sovereignty) for the threat model and verification flow.

<br />

<!-- TODO: Record a 30s terminal demo with vhs/asciinema and uncomment:
<p align="center">
<img src=".github/assets/genie-demo.gif" alt="Genie demo" width="720" />
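Review bot: The `[!IMPORTANT]` block presents `curl -fsSL https://get.automagik.dev/genie | bash` as the cosign + SLSA-verified path, but the snippet gives the reader nothing to check before the script executes. Add a download-then-verify variant next to it, or state explicitly that verification happens inside the installer. It is also worth noting here that the planned postinstall shim will not run for operators who install with `--ignore-scripts`.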
2 changes: 1 addition & 1 deletion package.json
@@ -1,7 +1,7 @@
{
"name": "@automagik/genie",
"version": "4.260427.10",
"description": "Collaborative terminal toolkit for human + AI workflows",
"description": "Collaborative terminal toolkit for human + AI workflows. NOTE: the npm distribution is being soft-deprecated — the canonical install is `curl -fsSL https://get.automagik.dev/genie | bash` (cosign + SLSA verified). See https://automagik.dev/genie/security/distribution-sovereignty",
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

critical

The description field contains invalid JSON escape sequences (`). In JSON, backticks do not need to be escaped, and a backslash followed by a backtick is not a valid escape sequence, which will cause parsing errors for the package.json file. Additionally, the PR description mentions that the description was rewritten to lead with the deprecation notice for better visibility in registry UIs, but the current implementation appends it to the end. I have updated the suggestion to move the notice to the front and removed the invalid escapes.

Suggested change
"description": "Collaborative terminal toolkit for human + AI workflows. NOTE: the npm distribution is being soft-deprecated — the canonical install is `curl -fsSL https://get.automagik.dev/genie | bash` (cosign + SLSA verified). See https://automagik.dev/genie/security/distribution-sovereignty",
"description": "NOTE: The npm distribution is being soft-deprecated — the canonical install is 'curl -fsSL https://get.automagik.dev/genie | bash' (cosign + SLSA verified). Collaborative terminal toolkit for human + AI workflows. See https://automagik.dev/genie/security/distribution-sovereignty",

"type": "module",
"bin": {
"genie": "./dist/genie.js"
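Review bot: The new `description` value embeds the full install command and a URL, duplicating text that already lives in the README notice and in the `npm deprecate` message added to version.yml; three copies with slightly different wording will drift. Keep `description` to a short summary plus the distribution-sovereignty link and let the deprecation message carry the install command.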