How do I install Syndicate Code?

Run: curl -fsSL https://syndicatecode.ca/install.sh | bash. For verification, download the script, check the SHA-256 hash against install.sh.sha256, then execute. Tier 3 (verified install) is recommended for production use.

Get Started

Install, verify, execute.

Time to first claim validation: under 5 minutes (local only, no external infrastructure required).

What you get

Approval record

Who approved what, when, with what arguments

Action digest

SHA-256 bound to exact arguments, not prompt

Event log

Immutable record: actor, action, approval, outcome

Installation

Choose your trust level. Higher tier = stronger integrity guarantee.

1

Convenience Install

Quick install — executes without prior verification

curl -fsSL https://syndicatecode.ca/install.sh | bash

Verification

Script integrity: Not verified
Source immutability: Not pinned
Pre-execution inspection: Not required

Executes script immediately without verification. If script integrity must be verified before execution, use Tier 2 or Tier 3.

2

Inspectable Install

Review before execution — script is readable

curl -O https://syndicatecode.ca/install.sh
less install.sh
bash install.sh

Verification

Script integrity: Not verified
Source immutability: Not pinned
Pre-execution inspection: Possible

3

Verified Install

Preferred

Integrity verified before execution

curl -O https://syndicatecode.ca/install.sh
curl -O https://syndicatecode.ca/install.sh.sha256
# Run the installer only if the checksum matches
sha256sum -c install.sh.sha256 && bash install.sh

Verification

Script integrity: Verified (SHA-256)
Source immutability: Pinned to release tag
Pre-execution inspection: Possible + verified

First execution

Run the onboarding wizard, then start the TUI.

$ syndicate
Welcome to Syndicate Code
? Select model provider: anthropic
? Enter API key: sk-ant-...
✓ Configuration saved
✓ Session created: sess_01H...
✓ Policy loaded: default
$ syndicate dev
Syndicate Code v0.1.0
Session: sess_01H...
Policy: default (require-approval-for-write)
> _

Claim output example

Every execution produces a bounded claim record. Example:

{
  "claim": "Policy enforcement: policy evaluated before action execution",
  "status": "validated",
  "enforcement_point": "control-plane.evaluateSessionPolicy()",
  "scope": "Direct execution paths via control plane API",
  "exclusions": ["Indirect execution paths", "Offline/degraded mode"],
  "failure_mode": "If execution bypasses control plane API, policy is not enforced",
  "evidence": "/proof/policy-enforcement-gate"
}

Each claim is bounded: scope defines what it applies to, exclusions define what it does not, failure_mode defines how it breaks.

Failure behavior

If a claim cannot be validated, execution is blocked at enforcement boundaries.

Claim validation fails

Execution blocked at CI boundary. Deployment halted until resolved.

Event: evt_... status="claim_invalid"

Digest mismatch on approval

Action denied. Approval cancelled. Event recorded with mismatch flag.

Event: evt_... status="digest_mismatch"

Policy version conflict

Execution paused. Prompt requests re-approval under current policy.

Event: evt_... status="policy_version_changed"
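
An added illustration of the action digest and the digest-mismatch denial described above, not Syndicate Code's own implementation. The length-prefixed encoding, the function names, the sample actions and the `status="ok"` value are assumptions.

```shell
#!/usr/bin/env bash
# Constructed actions and actor names; a sketch of digest binding only.

# Digest over the tool name and every argument. Each field is written as
# "<length>:<value>," so ("write", "a b") and ("write", "a", "b") differ.
# The prompt that led to the action is deliberately not an input.
action_digest() {
  local field
  for field in "$@"; do
    printf '%s:%s,' "${#field}" "$field"
  done | sha256sum | cut -d' ' -f1
}

# approve ACTOR TOOL ARGS...  -> prints an approval record "ACTOR DIGEST"
approve() {
  local actor="$1"
  shift
  printf '%s %s\n' "$actor" "$(action_digest "$@")"
}

# enforce "ACTOR DIGEST" TOOL ARGS...  -> prints the event status for the
# action about to run; anything but an exact match is denied.
enforce() {
  local approved="${1#* }"
  shift
  if [ "$(action_digest "$@")" = "$approved" ]; then
    echo 'status="ok"'               # assumed value, not from the page
  else
    echo 'status="digest_mismatch"'  # status shown on the page
  fi
}

demo() {
  local record
  record=$(approve alice write_file notes/todo.txt "buy milk")
  echo "approval record: $record"
  echo "same action:     $(enforce "$record" write_file notes/todo.txt "buy milk")"
  echo "changed path:    $(enforce "$record" write_file config/prod.yaml "buy milk")"
  echo "re-split args:   $(enforce "$record" write_file notes/todo.txt buy milk)"
}
demo
```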

How installation aligns with claim integrity

The install script is versioned alongside the claims it installs. Each release tag has a SHA-256 hash for integrity verification.

Tier 3 verifies script integrity during transfer. The verification chain is: release tag → SHA-256 hash → script content. This ensures the script was not modified in transit.

For full authenticity verification (ensuring the script actually came from this project), signed artifacts with independent verification are required. This is documented in the product repository.
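
An added example (not the project's script) of the limit stated above: a checksum file fetched from the same origin as the script catches transfer damage, while a digest recorded out of band also catches a change at the origin. The file contents and function names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Constructed sample files only; nothing is downloaded or installed.

# Same-origin check, as in Tier 3: the script is compared with the
# .sha256 file that was served next to it.
verify_same_origin() {
  (cd "$(dirname "$1")" && sha256sum -c "$(basename "$1").sha256" >/dev/null 2>&1)
}

# Pinned check: EXPECTED was recorded out of band (for example during
# review of a release), not fetched together with the script.
verify_pinned() {
  local file="$1" expected="$2" actual
  actual=$(sha256sum "$file" | cut -d' ' -f1)
  [ "$actual" = "$expected" ]
}

# Prints "run" only when both checks pass, otherwise "blocked".
install_decision() {
  if verify_same_origin "$1" && verify_pinned "$1" "$2"; then
    echo run
  else
    echo blocked
  fi
}

demo() {
  local dir pinned
  dir=$(mktemp -d)
  printf '#!/bin/sh\necho "reviewed installer"\n' > "$dir/install.sh"
  (cd "$dir" && sha256sum install.sh > install.sh.sha256)
  pinned=$(cut -d' ' -f1 "$dir/install.sh.sha256")  # noted at review time
  echo "unchanged release: $(install_decision "$dir/install.sh" "$pinned")"

  # Script and checksum file are later replaced together at the origin:
  # the same-origin check still passes, the pinned digest does not.
  printf '#!/bin/sh\necho "different content"\n' > "$dir/install.sh"
  (cd "$dir" && sha256sum install.sh > install.sh.sha256)
  echo "origin changed:    $(install_decision "$dir/install.sh" "$pinned")"
  rm -rf "$dir"
}
demo
```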

What this is not

Not a security product

Records what happened, does not prevent harm. Governance is your responsibility.

Not a compliance checkbox

Attribution exists only if enforcement boundaries are respected. Gaps have failure modes.

Not universally safe

Install verification does not guarantee runtime safety. Claims define actual guarantees.

Not fire-and-forget

Approval binding requires human attention. Operator quality affects governance quality.

Frequently asked questions

What is the difference between Tier 1, 2, and 3 install?

Tier 1 executes the install script immediately without verification. Tier 2 lets you review the script before running it. Tier 3 verifies script integrity using SHA-256 before execution. Use Tier 3 for production deployments.

Does SHA-256 verification guarantee the script is safe?

SHA-256 verifies integrity during transfer—it confirms the script was not modified in transit. It does not verify source authenticity. For full authenticity guarantees, signed artifacts with independent verification are required (see product repository).

What do I need before installing?

A model API key (Anthropic, OpenAI, or Google). The CLI will prompt for configuration during first run. No server or external infrastructure required for local development.

How long does installation take?

Under 5 minutes for time-to-first-claim-validation on a local machine. The install script downloads the CLI binary and configures your environment.