Add install scripts, CI pre-signing, download E2E smoke tests

install.sh: one-liner for macOS/Linux — detects OS/arch (Rosetta-
aware), downloads release, verifies checksum, extracts, signs on
macOS, runs install -y for all 10 agents. Supports --ui flag and
CBM_DOWNLOAD_URL env var for testing.

install.ps1: one-liner for Windows — Invoke-WebRequest + Expand-
Archive + Unblock-File (strips MOTW), installs to %LOCALAPPDATA%,
adds to user PATH via [Environment]::SetEnvironmentVariable.

CI pre-signing: add codesign --sign - step for macOS builds in
both dry-run.yml and release.yml, before archiving. Release
binaries now ship pre-signed.

Phase 12 smoke tests: real HTTP download via local artifact server,
checksum verification, archive extraction, binary verification.
Runs only when SMOKE_DOWNLOAD_URL is set (CI provides it).

Phase 13 smoke tests: install.sh E2E — runs full script with local
URL + isolated HOME, verifies binary placed, signed, runs, and
agent configs created.

CI HTTP server: smoke jobs start python3 HTTP server serving the
built binary as a tar.gz/zip archive + checksums.txt. Enables
Phases 12-13 in CI on all platforms.

Update security allowlist: remove system() entry (eliminated),
add cbm_popen for pgrep. Update README with one-liner Quick Start.

Author: DeusData

.github/workflows/dry-run.yml

@@ -249,6 +249,10 @@ jobs:
       - name: Build standard binary
         run: scripts/build.sh CC=${{ matrix.cc }} CXX=${{ matrix.cxx }}
 
+      - name: Ad-hoc sign macOS binary
+        if: startsWith(matrix.os, 'macos')
+        run: codesign --sign - --force build/c/codebase-memory-mcp
+
       - name: Archive standard binary
         run: |
           cp LICENSE build/c/
@@ -258,6 +262,10 @@ jobs:
       - name: Build UI binary
         run: scripts/build.sh --with-ui CC=${{ matrix.cc }} CXX=${{ matrix.cxx }}
 
+      - name: Ad-hoc sign macOS UI binary
+        if: startsWith(matrix.os, 'macos')
+        run: codesign --sign - --force build/c/codebase-memory-mcp
+
       - name: Frontend integrity scan (post-build dist/)
         if: matrix.goos == 'linux' && matrix.goarch == 'amd64'
         run: scripts/security-ui.sh
@@ -358,8 +366,23 @@ jobs:
           tar -xzf codebase-memory-mcp${SUFFIX}-${{ matrix.goos }}-${{ matrix.goarch }}.tar.gz
           chmod +x codebase-memory-mcp
 
+      - name: Start artifact server for E2E smoke tests
+        run: |
+          mkdir -p /tmp/smoke-server
+          cp codebase-memory-mcp /tmp/smoke-server/
+          OS=${{ matrix.goos }}
+          ARCH=${{ matrix.goarch }}
+          SUFFIX=${{ matrix.variant == 'ui' && '-ui' || '' }}
+          tar -czf "/tmp/smoke-server/codebase-memory-mcp${SUFFIX}-${OS}-${ARCH}.tar.gz" \
+            -C /tmp/smoke-server codebase-memory-mcp
+          cd /tmp/smoke-server
+          sha256sum *.tar.gz > checksums.txt 2>/dev/null || shasum -a 256 *.tar.gz > checksums.txt
+          python3 -m http.server 18080 -d /tmp/smoke-server &
+
       - name: Smoke test (${{ matrix.variant }}, ${{ matrix.goos }}-${{ matrix.goarch }})
         run: scripts/smoke-test.sh ./codebase-memory-mcp
+        env:
+          SMOKE_DOWNLOAD_URL: http://localhost:18080
 
       - name: Binary string audit (${{ matrix.goos }}-${{ matrix.goarch }})
         if: matrix.variant == 'standard'
@@ -438,9 +461,22 @@ jobs:
           unzip -o "codebase-memory-mcp${SUFFIX}-windows-amd64.zip"
           [ -n "$SUFFIX" ] && cp "codebase-memory-mcp${SUFFIX}.exe" codebase-memory-mcp.exe || true
 
+      - name: Start artifact server for E2E smoke tests
+        shell: msys2 {0}
+        run: |
+          mkdir -p /tmp/smoke-server
+          cp codebase-memory-mcp.exe /tmp/smoke-server/codebase-memory-mcp.exe
+          SUFFIX=${{ matrix.variant == 'ui' && '-ui' || '' }}
+          cd /tmp/smoke-server
+          zip -q "codebase-memory-mcp${SUFFIX}-windows-amd64.zip" codebase-memory-mcp.exe
+          sha256sum *.zip > checksums.txt
+          python3 -m http.server 18080 -d /tmp/smoke-server &
+
       - name: Smoke test (${{ matrix.variant }}, windows-amd64)
         shell: msys2 {0}
         run: scripts/smoke-test.sh ./codebase-memory-mcp.exe
+        env:
+          SMOKE_DOWNLOAD_URL: http://localhost:18080
 
       - name: Binary string audit (windows-amd64)
         if: matrix.variant == 'standard'

.github/workflows/release.yml

@@ -248,6 +248,10 @@ jobs:
       - name: Build standard binary
         run: scripts/build.sh --version ${{ inputs.version }} CC=${{ matrix.cc }} CXX=${{ matrix.cxx }}
 
+      - name: Ad-hoc sign macOS binary
+        if: startsWith(matrix.os, 'macos')
+        run: codesign --sign - --force build/c/codebase-memory-mcp
+
       - name: Archive standard binary
         run: |
           cp LICENSE build/c/
@@ -257,6 +261,10 @@ jobs:
       - name: Build UI binary
         run: scripts/build.sh --with-ui --version ${{ inputs.version }} CC=${{ matrix.cc }} CXX=${{ matrix.cxx }}
 
+      - name: Ad-hoc sign macOS UI binary
+        if: startsWith(matrix.os, 'macos')
+        run: codesign --sign - --force build/c/codebase-memory-mcp
+
       - name: Frontend integrity scan (post-build dist/)
         if: matrix.goos == 'linux' && matrix.goarch == 'amd64'
         run: scripts/security-ui.sh
@@ -354,8 +362,23 @@ jobs:
           tar -xzf codebase-memory-mcp${SUFFIX}-${{ matrix.goos }}-${{ matrix.goarch }}.tar.gz
           chmod +x codebase-memory-mcp
 
+      - name: Start artifact server for E2E smoke tests
+        run: |
+          mkdir -p /tmp/smoke-server
+          cp codebase-memory-mcp /tmp/smoke-server/
+          OS=${{ matrix.goos }}
+          ARCH=${{ matrix.goarch }}
+          SUFFIX=${{ matrix.variant == 'ui' && '-ui' || '' }}
+          tar -czf "/tmp/smoke-server/codebase-memory-mcp${SUFFIX}-${OS}-${ARCH}.tar.gz" \
+            -C /tmp/smoke-server codebase-memory-mcp
+          cd /tmp/smoke-server
+          sha256sum *.tar.gz > checksums.txt 2>/dev/null || shasum -a 256 *.tar.gz > checksums.txt
+          python3 -m http.server 18080 -d /tmp/smoke-server &
+
       - name: Smoke test (${{ matrix.variant }}, ${{ matrix.goos }}-${{ matrix.goarch }})
         run: scripts/smoke-test.sh ./codebase-memory-mcp
+        env:
+          SMOKE_DOWNLOAD_URL: http://localhost:18080
 
       - name: Binary string audit (${{ matrix.goos }}-${{ matrix.goarch }})
         if: matrix.variant == 'standard'
@@ -435,9 +458,22 @@ jobs:
           unzip -o "codebase-memory-mcp${SUFFIX}-windows-amd64.zip"
           [ -n "$SUFFIX" ] && cp "codebase-memory-mcp${SUFFIX}.exe" codebase-memory-mcp.exe || true
 
+      - name: Start artifact server for E2E smoke tests
+        shell: msys2 {0}
+        run: |
+          mkdir -p /tmp/smoke-server
+          cp codebase-memory-mcp.exe /tmp/smoke-server/codebase-memory-mcp.exe
+          SUFFIX=${{ matrix.variant == 'ui' && '-ui' || '' }}
+          cd /tmp/smoke-server
+          zip -q "codebase-memory-mcp${SUFFIX}-windows-amd64.zip" codebase-memory-mcp.exe
+          sha256sum *.zip > checksums.txt
+          python3 -m http.server 18080 -d /tmp/smoke-server &
+
       - name: Smoke test (${{ matrix.variant }}, windows-amd64)
         shell: msys2 {0}
         run: scripts/smoke-test.sh ./codebase-memory-mcp.exe
+        env:
+          SMOKE_DOWNLOAD_URL: http://localhost:18080
 
       - name: Binary string audit (windows-amd64)
         if: matrix.variant == 'standard'

README.md

@@ -33,6 +33,26 @@ High-quality parsing through [tree-sitter](https://tree-sitter.github.io/tree-si
 
 ## Quick Start
 
+**One-line install** (macOS / Linux):
+```bash
+curl -fsSL https://raw.githubusercontent.com/DeusData/codebase-memory-mcp/main/install.sh | bash
+```
+
+With graph visualization UI:
+```bash
+curl -fsSL https://raw.githubusercontent.com/DeusData/codebase-memory-mcp/main/install.sh | bash -s -- --ui
+```
+
+**Windows** (PowerShell):
+```powershell
+powershell -ExecutionPolicy ByPass -c "irm https://raw.githubusercontent.com/DeusData/codebase-memory-mcp/main/install.ps1 | iex"
+```
+
+Restart your coding agent. Say **"Index this project"** — done.
+
+<details>
+<summary>Manual install</summary>
+
 1. **Download** the binary for your platform from the [latest release](https://github.com/DeusData/codebase-memory-mcp/releases/latest):
    - `codebase-memory-mcp-<os>-<arch>.tar.gz` — standard (MCP server only)
    - `codebase-memory-mcp-ui-<os>-<arch>.tar.gz` — with embedded graph visualization
@@ -44,7 +64,14 @@ High-quality parsing through [tree-sitter](https://tree-sitter.github.io/tree-si
    codebase-memory-mcp install
    ```
 
-3. **Restart** your coding agent. Say **"Index this project"** — done.
+3. **Restart** your coding agent.
+
+On macOS, if the binary is killed on launch, fix code signing:
+```bash
+xattr -d com.apple.quarantine ~/.local/bin/codebase-memory-mcp
+codesign --sign - --force ~/.local/bin/codebase-memory-mcp
+```
+</details>
 
 The `install` command auto-detects all installed coding agents and configures MCP server entries, instruction files, skills, and pre-tool hooks for each.
 

install.ps1

@@ -0,0 +1,145 @@
+# install.ps1 — One-line installer for codebase-memory-mcp (Windows).
+#
+# Usage:
+#   powershell -ExecutionPolicy ByPass -c "irm https://raw.githubusercontent.com/DeusData/codebase-memory-mcp/main/install.ps1 | iex"
+#
+# Environment:
+#   CBM_DOWNLOAD_URL  Override base URL for downloads (for testing)
+
+$ErrorActionPreference = "Stop"
+
+$Repo = "DeusData/codebase-memory-mcp"
+$InstallDir = "$env:LOCALAPPDATA\Programs\codebase-memory-mcp"
+$BinName = "codebase-memory-mcp.exe"
+$BaseUrl = if ($env:CBM_DOWNLOAD_URL) { $env:CBM_DOWNLOAD_URL } else { "https://github.com/$Repo/releases/latest/download" }
+
+# Detect variant from args (--ui or --standard)
+$Variant = "standard"
+foreach ($arg in $args) {
+    if ($arg -eq "--ui") { $Variant = "ui" }
+    if ($arg -eq "--standard") { $Variant = "standard" }
+    if ($arg -like "--dir=*") { $InstallDir = $arg.Substring(6) }
+}
+
+Write-Host "codebase-memory-mcp installer (Windows)"
+Write-Host "  variant: $Variant"
+Write-Host "  target:  $InstallDir\$BinName"
+Write-Host ""
+
+# Build download URL
+if ($Variant -eq "ui") {
+    $Archive = "codebase-memory-mcp-ui-windows-amd64.zip"
+} else {
+    $Archive = "codebase-memory-mcp-windows-amd64.zip"
+}
+$Url = "$BaseUrl/$Archive"
+
+# Download
+$TmpDir = Join-Path ([System.IO.Path]::GetTempPath()) "cbm-install-$(Get-Random)"
+New-Item -ItemType Directory -Path $TmpDir -Force | Out-Null
+
+Write-Host "Downloading $Archive..."
+try {
+    Invoke-WebRequest -Uri $Url -OutFile "$TmpDir\$Archive" -UseBasicParsing
+} catch {
+    Write-Host "error: download failed: $_" -ForegroundColor Red
+    Remove-Item -Recurse -Force $TmpDir -ErrorAction SilentlyContinue
+    exit 1
+}
+
+# Remove MOTW (prevents SmartScreen popup)
+Unblock-File -Path "$TmpDir\$Archive" -ErrorAction SilentlyContinue
+
+# Checksum verification
+$ChecksumUrl = "$BaseUrl/checksums.txt"
+try {
+    Invoke-WebRequest -Uri $ChecksumUrl -OutFile "$TmpDir\checksums.txt" -UseBasicParsing
+    $checksumLine = Get-Content "$TmpDir\checksums.txt" | Where-Object { $_ -like "*$Archive*" }
+    if ($checksumLine) {
+        $expected = ($checksumLine -split '\s+')[0]
+        $actual = (Get-FileHash -Path "$TmpDir\$Archive" -Algorithm SHA256).Hash.ToLower()
+        if ($expected -ne $actual) {
+            Write-Host "error: CHECKSUM MISMATCH!" -ForegroundColor Red
+            Write-Host "  expected: $expected"
+            Write-Host "  actual:   $actual"
+            Remove-Item -Recurse -Force $TmpDir
+            exit 1
+        }
+        Write-Host "Checksum verified."
+    }
+} catch {
+    Write-Host "warning: could not verify checksum (non-fatal)"
+}
+
+# Extract
+Write-Host "Extracting..."
+Expand-Archive -Path "$TmpDir\$Archive" -DestinationPath $TmpDir -Force
+
+$DlBin = Join-Path $TmpDir $BinName
+if (-not (Test-Path $DlBin)) {
+    # UI variant may have different name in zip
+    $UiBin = Join-Path $TmpDir "codebase-memory-mcp-ui.exe"
+    if (Test-Path $UiBin) {
+        Rename-Item $UiBin $BinName
+        $DlBin = Join-Path $TmpDir $BinName
+    } else {
+        Write-Host "error: binary not found after extraction" -ForegroundColor Red
+        Remove-Item -Recurse -Force $TmpDir
+        exit 1
+    }
+}
+
+# Remove MOTW from extracted binary
+Unblock-File -Path $DlBin -ErrorAction SilentlyContinue
+
+# Install
+New-Item -ItemType Directory -Path $InstallDir -Force | Out-Null
+$Dest = Join-Path $InstallDir $BinName
+
+# Handle replace-if-running (rename-aside)
+if (Test-Path $Dest) {
+    $OldDest = "$Dest.old"
+    Remove-Item $OldDest -Force -ErrorAction SilentlyContinue
+    try {
+        Rename-Item $Dest $OldDest -ErrorAction Stop
+    } catch {
+        Write-Host "warning: could not rename existing binary (may be in use)"
+    }
+}
+
+Copy-Item $DlBin $Dest -Force
+Unblock-File -Path $Dest -ErrorAction SilentlyContinue
+
+# Verify
+try {
+    $ver = & $Dest --version 2>&1
+    Write-Host "Installed: $ver"
+} catch {
+    Write-Host "error: installed binary failed to run" -ForegroundColor Red
+    Remove-Item -Recurse -Force $TmpDir
+    exit 1
+}
+
+# Configure agents
+Write-Host ""
+Write-Host "Configuring coding agents..."
+try {
+    & $Dest install -y 2>&1 | Write-Host
+} catch {
+    Write-Host "Agent configuration failed (non-fatal)."
+    Write-Host "Run manually: codebase-memory-mcp install"
+}
+
+# Add to PATH (user scope, no admin needed)
+$UserPath = [Environment]::GetEnvironmentVariable("PATH", "User")
+if ($UserPath -notlike "*$InstallDir*") {
+    [Environment]::SetEnvironmentVariable("PATH", "$UserPath;$InstallDir", "User")
+    $env:PATH = "$env:PATH;$InstallDir"
+    Write-Host "Added $InstallDir to user PATH"
+}
+
+# Cleanup
+Remove-Item -Recurse -Force $TmpDir -ErrorAction SilentlyContinue
+
+Write-Host ""
+Write-Host "Done! Restart your terminal and coding agent to start using codebase-memory-mcp."