Security: Out-of-Band Checksum Integrity
install.sh now fetches CHECKSUMS.sha256 from the GitHub Release assets (out-of-band) instead of the repo tree. A single compromised commit can no longer swap both code and checksums simultaneously.
Changes
- Checksums fetched from GitHub release API, not repo tree
- Hard fail on verification failure (no silent fallback)
TOKEN_OPTIMIZER_SKIP_VERIFY=1escape hatch for air-gapped installs- New
scripts/sign-release.shfor release signing workflow - Checksum scope expanded to cover
install.shandhooks/hooks.json - CLA GitHub Action pinned to commit SHA + Node 24 compatibility
- Python JSON parser replaces fragile grep+sed pipeline
- EXIT trap for temp file cleanup on interrupts
Version Alignment
All manifests synced: Claude Code, Codex, OpenClaw (2.4.1), OpenCode (1.0.0).
Closes #36.