feat: add npm malware detection on deploy

[jhaynie]

add npm malware detection on deploy

Overview

Adds npm dependency malware detection during deployments to protect against supply chain attacks. The system uses Aikido's malware predictions database containing ~50,000 known malicious packages.

How It Works

1. After creating a deployment, the CLI extracts all resolved dependencies using bun pm ls --all
2. Package list is sent to Catalyst's malware check endpoint (runs async during build)
3. Catalyst checks each package against in-memory malware database (O(1) lookups)
4. Before uploading, CLI awaits the result and blocks if malware is detected
5. Clear error messages show which packages are malicious and why

Changes

Catalyst

• internal/malware/store.go - Atomic store with O(1) lookup, wildcard version support
• internal/malware/loader.go - HTTP fetch with 30s timeout, 50MB limit, ETag support
• internal/malware/refresh.go - Background service with 24h refresh cycle (±15min jitter)
• server/apis/security/malware_check_2026_01_22.go - POST endpoint for package checking
• server/routes/routes.go - Route registration
• server/server.go - Service initialization on startup
• docs/malware_detection.md - Architecture documentation

SDK

• packages/server/src/api/project/malware.ts - Zod schemas and API client
• packages/cli/src/utils/deps.ts - Dependency extraction using bun pm ls --all
• packages/cli/src/cmd/cloud/deploy.ts - Async malware check with Security Scan step

Error Handling

Scenario	Behavior
Aikido unreachable at startup	Fail open: deploys continue with warning
Refresh fails	Keep last-known-good list, log error
Malware detected	Block deploy, print findings, exit non-zero
Endpoint timeout/error	Fail open with warning

Detection Logic

Packages are blocked if their reason is MALWARE or SUSPICIOUS. Packages with TELEMETRY reason are NOT blocked (privacy concern but not malware).

Testing

• Unit tests for store lookup and dependency parsing
• Integration test for Catalyst endpoint
• Manual testing with clean projects and known-malicious packages

Repository-Specific Changes

• Created packages/server/src/api/project/malware.ts with Zod schemas and API client
• Created packages/cli/src/utils/deps.ts for extracting dependencies via bun pm ls --all
• Modified deploy.ts to start async malware check after deployment creation
• Added 'Security Scan' step that awaits result before upload
• Blocks deployment with clear error messages if malware detected
• Adds malware findings to build report if --report-file specified

Summary by CodeRabbit

• New Features

  • Added malware scanning during deployment to detect and block malicious dependencies before they are deployed

• Tests

  • Added comprehensive test coverage for malware detection and dependency analysis

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

Introduces malware scanning capability for cloud deployments with dependency extraction utilities and API integration. Includes refactoring of CLI formatting across multiple modules, infrastructure updates for error handling and code organization, and comprehensive test coverage for the new scanning functionality.

Changes

Cohort / File(s)	Change Summary
CLI Formatting Updates packages/cli/src/cli.ts, packages/cli/src/cmd/ai/index.ts, packages/cli/src/cmd/ai/cadence/index.ts, packages/cli/src/cmd/cloud/eval-run/list.ts, packages/cli/test/schema-parser-confirm-alias.test.ts	Reformatted imports, command arrays, and conditional statements from inline to multi-line layouts for improved readability. No functional changes.
Malware Scanning Feature - Deployment Integration packages/cli/src/cmd/cloud/deploy.ts	Integrated malware scanning into deployment workflow: added asynchronous malware check parallel to build/deploy, dependency extraction, Security Scan step with blocking capability on findings, and exit code handling for detected malware. Added imports: projectDeploymentMalwareCheck, MalwareCheckResult, getExitCode, extractDependencies.
Dependency Extraction Utility packages/cli/src/utils/deps.ts	New module providing PackageRef type, extractDependencies() function to run bun pm ls --all and extract packages, and parseBunPmLsOutput() parser with deduplication and error handling.
Malware Check API & Server Module packages/server/src/api/project/malware.ts, packages/server/src/api/project/index.ts	New malware module defining PackageRef, MalwareFinding, MalwareCheckResult types via zod schemas and projectDeploymentMalwareCheck() function issuing POST requests to deployment malware check endpoints. Added re-export in project index.
Malware Feature Test Suite packages/cli/test/deps.test.ts, packages/server/test/malware.test.ts	Comprehensive tests for dependency parsing covering simple, scoped, nested packages, deduplication, prerelease versions, edge cases, and large trees. API tests validate successful allow/block actions, empty packages, unavailability, failures, request structure, and URL path generation.
Code Formatting & Infrastructure Updates packages/cli/src/cmd/cloud/queue/dlq.ts, packages/server/src/api/sandbox/util.ts, packages/runtime/src/middleware.ts	Reflowed object literals and error message expressions across multiple lines; no behavioral changes to timestamp computation, error mapping, or control flow.
Documentation & UI Updates packages/opencode/README.md, packages/vscode/src/features/dataExplorer/index.ts	Minor documentation formatting in Cadence section and table alignment; reformatted conditional branches in data explorer handler without logic changes.

🚥 Pre-merge checks | ✅ 1

✅ Passed checks (1 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

🧹 Recent nitpick comments

packages/server/src/api/project/malware.ts (1)

57-59: Consider using StructuredError for consistency.

As per coding guidelines, packages/server/src/**/*.ts files should use StructuredError from @agentuity/core for error handling. The current implementation throws a plain Error.

♻️ Suggested refactor

+import { StructuredError } from '@agentuity/core';
 import { z } from 'zod';
 import { type APIClient, APIResponseSchema } from '../api';
+
+export const MalwareCheckError = StructuredError('MalwareCheckError')<{
+	deploymentId: string;
+}>();

Then in the function:

 	if (!resp.success) {
-		throw new Error(resp.message || 'Malware check request failed');
+		throw new MalwareCheckError({
+			message: resp.message || 'Malware check request failed',
+			deploymentId,
+		});
 	}

packages/cli/src/cmd/cloud/deploy.ts (1)

333-360: Consider capturing deployment.id before the async closure for clarity.

The non-null assertion deployment!.id on line 347 is logically safe since it's inside the if (deployment) block, but TypeScript doesn't preserve narrowing across async closures. Capturing the value before the closure would be cleaner and eliminate the need for the assertion.

♻️ Suggested improvement

 // Start malware check async (runs in parallel with build)
 if (deployment) {
+   const deploymentId = deployment.id;
    malwareCheckPromise = (async () => {
       try {
          logger.debug('Starting malware dependency check');
          const packages = await extractDependencies(projectDir, logger);
          if (packages.length === 0) {
             logger.debug('No packages to check for malware');
             return null;
          }
          logger.debug('Checking %d packages for malware', packages.length);
          const result = await projectDeploymentMalwareCheck(
             apiClient,
-            deployment!.id,
+            deploymentId,
             packages
          );

📜 Recent review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f09e9fe and 365b18e.

📒 Files selected for processing (16)

• packages/cli/src/cli.ts
• packages/cli/src/cmd/ai/cadence/index.ts
• packages/cli/src/cmd/ai/index.ts
• packages/cli/src/cmd/cloud/deploy.ts
• packages/cli/src/cmd/cloud/eval-run/list.ts
• packages/cli/src/cmd/cloud/queue/dlq.ts
• packages/cli/src/utils/deps.ts
• packages/cli/test/deps.test.ts
• packages/cli/test/schema-parser-confirm-alias.test.ts
• packages/opencode/README.md
• packages/runtime/src/middleware.ts
• packages/server/src/api/project/index.ts
• packages/server/src/api/project/malware.ts
• packages/server/src/api/sandbox/util.ts
• packages/server/test/malware.test.ts
• packages/vscode/src/features/dataExplorer/index.ts

🧰 Additional context used

📓 Path-based instructions (8)

packages/cli/src/cmd/*/index.ts

📄 CodeRabbit inference engine (packages/cli/AGENTS.md)

packages/cli/src/cmd/*/index.ts: Each command must be a directory in src/cmd/ with an index.ts file as the main entry point
Always define interfaces for command options instead of using any type

Files:

• packages/cli/src/cmd/ai/index.ts

packages/cli/src/cmd/**/*.ts

📄 CodeRabbit inference engine (packages/cli/AGENTS.md)

packages/cli/src/cmd/**/*.ts: Use tui.* helpers for formatted output instead of raw console logs
Use ctx.logger for logging; call logger.fatal() to log and exit with code 1

Files:

• packages/cli/src/cmd/ai/index.ts
• packages/cli/src/cmd/cloud/eval-run/list.ts
• packages/cli/src/cmd/ai/cadence/index.ts
• packages/cli/src/cmd/cloud/queue/dlq.ts
• packages/cli/src/cmd/cloud/deploy.ts

packages/cli/src/**/*.ts

📄 CodeRabbit inference engine (packages/cli/AGENTS.md)

Use Bun.file(f).exists() instead of existsSync(f) for file existence checks

Files:

• packages/cli/src/cmd/ai/index.ts
• packages/cli/src/cmd/cloud/eval-run/list.ts
• packages/cli/src/cmd/ai/cadence/index.ts
• packages/cli/src/utils/deps.ts
• packages/cli/src/cmd/cloud/queue/dlq.ts
• packages/cli/src/cli.ts
• packages/cli/src/cmd/cloud/deploy.ts

**/*.{ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

**/*.{ts,tsx}: Use Prettier formatter with tabs (width 3), single quotes, and semicolons for TypeScript files
Use TypeScript strict mode with ESNext target and bundler moduleResolution
Use StructuredError from @agentuity/core for error handling

Files:

• packages/cli/src/cmd/ai/index.ts
• packages/server/src/api/sandbox/util.ts
• packages/server/src/api/project/index.ts
• packages/cli/src/cmd/cloud/eval-run/list.ts
• packages/cli/src/cmd/ai/cadence/index.ts
• packages/cli/src/utils/deps.ts
• packages/cli/src/cmd/cloud/queue/dlq.ts
• packages/cli/test/schema-parser-confirm-alias.test.ts
• packages/server/test/malware.test.ts
• packages/cli/src/cli.ts
• packages/cli/test/deps.test.ts
• packages/runtime/src/middleware.ts
• packages/vscode/src/features/dataExplorer/index.ts
• packages/server/src/api/project/malware.ts
• packages/cli/src/cmd/cloud/deploy.ts

packages/server/src/**/*.ts

📄 CodeRabbit inference engine (packages/server/AGENTS.md)

packages/server/src/**/*.ts: Build TypeScript with bun run build command using tsc for compilation
Run TypeScript type checking with bun run typecheck
All code must be runtime-agnostic - no Bun-specific or Node-specific APIs
No browser APIs allowed - server-side only
Prefer interfaces for public APIs in TypeScript

Files:

• packages/server/src/api/sandbox/util.ts
• packages/server/src/api/project/index.ts
• packages/server/src/api/project/malware.ts

packages/*/test/**/*.{ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

packages/*/test/**/*.{ts,tsx}: Place test files in test/ folder (never in src/ or __tests__/)
Import from ../src/ in test files to reference source code
Use @agentuity/test-utils for mocks and test helpers

Files:

• packages/cli/test/schema-parser-confirm-alias.test.ts
• packages/server/test/malware.test.ts
• packages/cli/test/deps.test.ts

packages/server/**/*.test.ts

📄 CodeRabbit inference engine (packages/server/AGENTS.md)

packages/server/**/*.test.ts: Use Bun's built-in test runner with bun test command
Avoid runtime-specific test utilities - test with both Node.js and Bun when possible

Files:

• packages/server/test/malware.test.ts

packages/runtime/**/*.{ts,tsx}

📄 CodeRabbit inference engine (packages/runtime/AGENTS.md)

packages/runtime/**/*.{ts,tsx}: Every agent handler receives AgentContext with logger, tracer, storage (kv, vector, stream), and auth properties
Use ctx.logger instead of console.log for observability

Files:

• packages/runtime/src/middleware.ts

🧠 Learnings (5)

📚 Learning: 2025-12-21T00:31:41.858Z

Learnt from: jhaynie
Repo: agentuity/sdk PR: 274
File: packages/cli/src/cmd/build/vite/server-bundler.ts:12-41
Timestamp: 2025-12-21T00:31:41.858Z
Learning: In Bun runtime, BuildMessage and ResolveMessage are global types and are not exported from the bun module. Do not import { BuildMessage } from 'bun' or similar; these types are available globally and should be used without import. This applies to all TypeScript files that target the Bun runtime within the repository.

Applied to files:

• packages/cli/src/cmd/ai/index.ts
• packages/server/src/api/sandbox/util.ts
• packages/server/src/api/project/index.ts
• packages/cli/src/cmd/cloud/eval-run/list.ts
• packages/cli/src/cmd/ai/cadence/index.ts
• packages/cli/src/utils/deps.ts
• packages/cli/src/cmd/cloud/queue/dlq.ts
• packages/cli/test/schema-parser-confirm-alias.test.ts
• packages/server/test/malware.test.ts
• packages/cli/src/cli.ts
• packages/cli/test/deps.test.ts
• packages/runtime/src/middleware.ts
• packages/vscode/src/features/dataExplorer/index.ts
• packages/server/src/api/project/malware.ts
• packages/cli/src/cmd/cloud/deploy.ts

📚 Learning: 2025-12-19T14:19:33.765Z

Learnt from: jhaynie
Repo: agentuity/sdk PR: 259
File: packages/cli/src/cmd/build/vite/registry-generator.ts:306-312
Timestamp: 2025-12-19T14:19:33.765Z
Learning: Route files under src/api should use the .ts extension only (no .tsx) and regex patterns for such paths should anchor to \.ts$ (e.g., /\/.ts$/). Agent files may support both .ts and .tsx, but route files in the Agentuity SDK codebase are restricted to .ts. This guideline applies to all similar route files under src/api across the repository.

Applied to files:

• packages/server/src/api/sandbox/util.ts
• packages/server/src/api/project/index.ts
• packages/server/src/api/project/malware.ts

📚 Learning: 2025-12-30T00:13:37.849Z

Learnt from: jhaynie
Repo: agentuity/sdk PR: 355
File: packages/server/src/api/sandbox/util.ts:2-6
Timestamp: 2025-12-30T00:13:37.849Z
Learning: In the packages/server tree, treat code as runtime-agnostic between Node.js and Bun. Ensure TypeScript files (e.g., util.ts) import and use APIs in a way that works under both runtimes. It is acceptable to rely on Bun’s Node.js compatibility for built-ins accessed via the node: namespace (e.g., node:events, node:stream, node:buffer). During reviews, prefer patterns and imports that remain compatible with Bun's environment, and flag any hard dependencies on runtime-specific globals or non-portable Node APIs.

Applied to files:

• packages/server/src/api/sandbox/util.ts
• packages/server/src/api/project/index.ts
• packages/server/test/malware.test.ts
• packages/server/src/api/project/malware.ts

📚 Learning: 2026-01-13T04:32:02.691Z

Learnt from: jhaynie
Repo: agentuity/sdk PR: 565
File: packages/cli/src/cmd/cloud/region-lookup.ts:14-26
Timestamp: 2026-01-13T04:32:02.691Z
Learning: Enforce sandbox identifier prefixes in new code within the CLI cloud region lookup: new sandboxes must use the sbx_ prefix. The snbx_ prefix may appear in legacy code or examples, but do not use snbx_ for new sandboxes. When reviewing changes in packages/cli/src/cmd/cloud/, ensure any created sandbox identifiers use sbx_ and remove or migrate any snbx_ usages in newly added code.

Applied to files:

• packages/cli/src/cmd/cloud/eval-run/list.ts
• packages/cli/src/cmd/cloud/queue/dlq.ts
• packages/cli/src/cmd/cloud/deploy.ts

📚 Learning: 2025-12-13T14:15:18.261Z

Learnt from: jhaynie
Repo: agentuity/sdk PR: 168
File: packages/runtime/src/session.ts:536-546
Timestamp: 2025-12-13T14:15:18.261Z
Learning: The agentuity/runtime package is Bun-only; during code reviews, do not replace Bun-native APIs (e.g., Bun.CryptoHasher, Bun.serve, and other Bun namespace APIs) with Node.js alternatives. Review changes with the assumption that runtime runs on Bun, and ensure any edits preserve Bun compatibility and do not introduce Node.js-specific fallbacks. Apply this guidance broadly to files under packages/runtime (e.g., packages/runtime/src/...); if there are conditional environment checks, document why Bun is required and avoid dereferencing Bun-only APIs in non-Bun contexts.

Applied to files:

• packages/runtime/src/middleware.ts

🧬 Code graph analysis (5)

packages/server/src/api/sandbox/util.ts (1)

packages/server/src/api/sandbox/index.ts (1)

• SandboxResponseError (23-23)

packages/cli/test/schema-parser-confirm-alias.test.ts (1)

packages/cli/src/schema-parser.ts (1)

• buildValidationInputAsync (406-433)

packages/server/test/malware.test.ts (1)

packages/server/src/api/project/malware.ts (1)

• projectDeploymentMalwareCheck (42-62)

packages/cli/test/deps.test.ts (1)

packages/cli/src/utils/deps.ts (2)

• parseBunPmLsOutput (37-54)
• PackageRef (4-7)

packages/server/src/api/project/malware.ts (3)

packages/cli/src/utils/deps.ts (1)

• PackageRef (4-7)

packages/schema/src/index.ts (1)

• infer (177-177)

packages/server/src/api/api.ts (1)

• APIResponseSchema (712-723)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (10)

• GitHub Check: Sandbox CLI Tests
• GitHub Check: Framework Integration Tests (TanStack & Next.js)
• GitHub Check: Pack & Upload
• GitHub Check: Playwright E2E Smoke Test
• GitHub Check: Queue CLI Tests
• GitHub Check: Cloud Deployment Tests
• GitHub Check: Package Installation & Usage Test
• GitHub Check: SDK Integration Test Suite
• GitHub Check: Template Integration Tests
• GitHub Check: Build

🔇 Additional comments (27)

packages/runtime/src/middleware.ts (2)

466-468: Parenthesization is clear and harmless.
No behavior change; improves readability of the nullish/conditional expression.

---

482-487: Parenthesization keeps error message logic intact.
This is a readability-only tweak; logic remains unchanged.

packages/cli/src/cmd/cloud/eval-run/list.ts (1)

130-134: Formatting-only change looks good.

No behavioral impact; the expanded conditional stays clear and consistent.

packages/cli/test/schema-parser-confirm-alias.test.ts (1)

62-67: LGTM — readability improvement only.

packages/cli/src/cmd/ai/cadence/index.ts (1)

17-24: Examples formatting is clear.

packages/cli/src/cmd/cloud/queue/dlq.ts (1)

70-80: LGTM — fallback order preserved.

packages/vscode/src/features/dataExplorer/index.ts (1)

34-45: Formatting-only change is fine.

packages/cli/src/cmd/ai/index.ts (1)

33-40: LGTM — clearer list formatting.

packages/server/src/api/sandbox/util.ts (1)

198-204: LGTM!

The reformatting to multi-line object literal improves readability without changing behavior.

packages/opencode/README.md (1)

97-112: LGTM!

Documentation formatting improvements enhance readability of the Cadence section.

packages/server/src/api/project/malware.ts (1)

1-40: Well-structured Zod schemas for the malware check API.

The schema definitions are clear and properly typed. Good use of z.infer for deriving TypeScript types.

packages/server/src/api/project/index.ts (1)

11-11: LGTM!

Clean barrel export following the established pattern.

packages/cli/src/utils/deps.ts (3)

4-7: LGTM!

Clean interface definition for package references.

---

9-35: Solid fail-open implementation for dependency extraction.

The error handling correctly returns an empty array on failure, aligning with the fail-open design documented in the PR objectives. Logging warnings provides visibility without blocking deploys.

---

37-54: Parser includes the root project in results.

The regex matches any line with the name@version pattern, including the root project line (e.g., my-app@1.0.0). This appears intentional based on the test expectations, but worth confirming this is desired behavior for malware scanning—the user's own project name would be sent to the malware check endpoint.

packages/cli/test/deps.test.ts (3)

1-3: LGTM!

Correct import path per coding guidelines (../src/ for test files).

---

4-151: Excellent test coverage for the parser.

Comprehensive tests covering:

• Simple and scoped packages
• Nested/transitive dependencies
• Deduplication logic
• Prerelease version formats
• Edge cases (empty output, missing version patterns)

Well-structured and readable test cases.

---

153-195: Good scenario-based tests for malware detection use case.

The tests properly validate that malicious packages in both direct and transitive dependencies are detected. The large dependency tree test (1000 packages) provides confidence in scalability.

packages/server/test/malware.test.ts (6)

1-5: LGTM! Well-structured test setup.

The imports follow coding guidelines: using Bun's built-in test runner, importing from ../src/, and using @agentuity/test-utils for mocks.

---

8-47: LGTM! Comprehensive test for allow action scenario.

Good coverage of the successful scan response including verification of success, action, summary, and findings fields.

---

49-94: LGTM! Tests block action with malware findings.

Good verification of both MALWARE and SUSPICIOUS reasons, and correct assertion of findings count and individual finding details.

---

96-161: LGTM! Edge cases for empty list and service unavailability.

Correctly tests fail-open behavior (action: 'allow' with success: false) when service is unavailable, and handles empty package list gracefully.

---

163-185: LGTM! API failure test.

Verifies that API failures (401 Unauthorized) properly throw an error, matching the implementation in projectDeploymentMalwareCheck.

---

187-254: LGTM! Endpoint path and request body verification.

Good integration tests verifying the URL includes the deployment ID and date path segment, and that scoped packages (e.g., @types/node, @agentuity/core) are correctly serialized in the request body with ecosystem identifier.

packages/cli/src/cmd/cloud/deploy.ts (2)

36-61: LGTM! Import additions for malware scanning.

Imports are well-organized, adding the necessary API function, type, error code utility, and dependency extraction function for the new security scan feature.

---

564-606: LGTM! Security Scan step implementation.

The step correctly:

• Skips gracefully when malware check wasn't started or is unavailable (fail-open)
• Blocks deployment when findings require action
• Adds findings to build report for traceability
• Uses tui.errorBox for clear error display with detailed package list
• Exits with specific MALWARE_DETECTED exit code

The use of pauseStepUI(true) before rendering the error box ensures clean output.

packages/cli/src/cli.ts (1)

22-22: LGTM! Formatting adjustment.

Import reformatted to single line with no functional change.

_{✏️ Tip: You can disable this entire section by setting review_details to false in your review settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

📦 Canary Packages Published

version: 0.1.24-42e6d18

Packages

Package	Version	URL
@agentuity/auth	0.1.24-42e6d18	https://agentuity-sdk-objects.t3.storage.dev/npm/0.1.24-42e6d18/agentuity-auth-0.1.24-42e6d18.tgz
@agentuity/evals	0.1.24-42e6d18	https://agentuity-sdk-objects.t3.storage.dev/npm/0.1.24-42e6d18/agentuity-evals-0.1.24-42e6d18.tgz
@agentuity/core	0.1.24-42e6d18	https://agentuity-sdk-objects.t3.storage.dev/npm/0.1.24-42e6d18/agentuity-core-0.1.24-42e6d18.tgz
@agentuity/server	0.1.24-42e6d18	https://agentuity-sdk-objects.t3.storage.dev/npm/0.1.24-42e6d18/agentuity-server-0.1.24-42e6d18.tgz
@agentuity/workbench	0.1.24-42e6d18	https://agentuity-sdk-objects.t3.storage.dev/npm/0.1.24-42e6d18/agentuity-workbench-0.1.24-42e6d18.tgz
@agentuity/react	0.1.24-42e6d18	https://agentuity-sdk-objects.t3.storage.dev/npm/0.1.24-42e6d18/agentuity-react-0.1.24-42e6d18.tgz
@agentuity/schema	0.1.24-42e6d18	https://agentuity-sdk-objects.t3.storage.dev/npm/0.1.24-42e6d18/agentuity-schema-0.1.24-42e6d18.tgz
@agentuity/cli	0.1.24-42e6d18	https://agentuity-sdk-objects.t3.storage.dev/npm/0.1.24-42e6d18/agentuity-cli-0.1.24-42e6d18.tgz
@agentuity/frontend	0.1.24-42e6d18	https://agentuity-sdk-objects.t3.storage.dev/npm/0.1.24-42e6d18/agentuity-frontend-0.1.24-42e6d18.tgz
@agentuity/opencode	0.1.24-42e6d18	https://agentuity-sdk-objects.t3.storage.dev/npm/0.1.24-42e6d18/agentuity-opencode-0.1.24-42e6d18.tgz
@agentuity/runtime	0.1.24-42e6d18	https://agentuity-sdk-objects.t3.storage.dev/npm/0.1.24-42e6d18/agentuity-runtime-0.1.24-42e6d18.tgz

Install

Add to your package.json:

{
  "dependencies": {
    "@agentuity/auth": "https://agentuity-sdk-objects.t3.storage.dev/npm/0.1.24-42e6d18/agentuity-auth-0.1.24-42e6d18.tgz",
    "@agentuity/evals": "https://agentuity-sdk-objects.t3.storage.dev/npm/0.1.24-42e6d18/agentuity-evals-0.1.24-42e6d18.tgz",
    "@agentuity/core": "https://agentuity-sdk-objects.t3.storage.dev/npm/0.1.24-42e6d18/agentuity-core-0.1.24-42e6d18.tgz",
    "@agentuity/server": "https://agentuity-sdk-objects.t3.storage.dev/npm/0.1.24-42e6d18/agentuity-server-0.1.24-42e6d18.tgz",
    "@agentuity/workbench": "https://agentuity-sdk-objects.t3.storage.dev/npm/0.1.24-42e6d18/agentuity-workbench-0.1.24-42e6d18.tgz",
    "@agentuity/react": "https://agentuity-sdk-objects.t3.storage.dev/npm/0.1.24-42e6d18/agentuity-react-0.1.24-42e6d18.tgz",
    "@agentuity/schema": "https://agentuity-sdk-objects.t3.storage.dev/npm/0.1.24-42e6d18/agentuity-schema-0.1.24-42e6d18.tgz",
    "@agentuity/cli": "https://agentuity-sdk-objects.t3.storage.dev/npm/0.1.24-42e6d18/agentuity-cli-0.1.24-42e6d18.tgz",
    "@agentuity/frontend": "https://agentuity-sdk-objects.t3.storage.dev/npm/0.1.24-42e6d18/agentuity-frontend-0.1.24-42e6d18.tgz",
    "@agentuity/opencode": "https://agentuity-sdk-objects.t3.storage.dev/npm/0.1.24-42e6d18/agentuity-opencode-0.1.24-42e6d18.tgz",
    "@agentuity/runtime": "https://agentuity-sdk-objects.t3.storage.dev/npm/0.1.24-42e6d18/agentuity-runtime-0.1.24-42e6d18.tgz"
  }
}

Or install directly:

bun add https://agentuity-sdk-objects.t3.storage.dev/npm/0.1.24-42e6d18/agentuity-auth-0.1.24-42e6d18.tgz
bun add https://agentuity-sdk-objects.t3.storage.dev/npm/0.1.24-42e6d18/agentuity-evals-0.1.24-42e6d18.tgz
bun add https://agentuity-sdk-objects.t3.storage.dev/npm/0.1.24-42e6d18/agentuity-core-0.1.24-42e6d18.tgz
bun add https://agentuity-sdk-objects.t3.storage.dev/npm/0.1.24-42e6d18/agentuity-server-0.1.24-42e6d18.tgz
bun add https://agentuity-sdk-objects.t3.storage.dev/npm/0.1.24-42e6d18/agentuity-workbench-0.1.24-42e6d18.tgz
bun add https://agentuity-sdk-objects.t3.storage.dev/npm/0.1.24-42e6d18/agentuity-react-0.1.24-42e6d18.tgz
bun add https://agentuity-sdk-objects.t3.storage.dev/npm/0.1.24-42e6d18/agentuity-schema-0.1.24-42e6d18.tgz
bun add https://agentuity-sdk-objects.t3.storage.dev/npm/0.1.24-42e6d18/agentuity-cli-0.1.24-42e6d18.tgz
bun add https://agentuity-sdk-objects.t3.storage.dev/npm/0.1.24-42e6d18/agentuity-frontend-0.1.24-42e6d18.tgz
bun add https://agentuity-sdk-objects.t3.storage.dev/npm/0.1.24-42e6d18/agentuity-opencode-0.1.24-42e6d18.tgz
bun add https://agentuity-sdk-objects.t3.storage.dev/npm/0.1.24-42e6d18/agentuity-runtime-0.1.24-42e6d18.tgz

CLI Executables

Platform	Version	URL
linux-x64	0.1.24-42e6d18	https://agentuity-sdk-objects.t3.storage.dev/binary/0.1.24-42e6d18/agentuity-linux-x64.gz
linux-arm64	0.1.24-42e6d18	https://agentuity-sdk-objects.t3.storage.dev/binary/0.1.24-42e6d18/agentuity-linux-arm64.gz
darwin-arm64	0.1.24-42e6d18	https://agentuity-sdk-objects.t3.storage.dev/binary/0.1.24-42e6d18/agentuity-darwin-arm64.gz
darwin-x64	0.1.24-42e6d18	https://agentuity-sdk-objects.t3.storage.dev/binary/0.1.24-42e6d18/agentuity-darwin-x64.gz

Run Canary CLI

agentuity canary 0.1.24-42e6d18 [command] [...args]