Surface verified installer path in first-mile bootstrap UX #1384

Description

@codeforester

Context

Claude's 2026-07-02 review re-raised the first-mile trust concern: README and install docs still promote curl -fsSL .../bootstrap.sh | bash as the fast path, while the safer pinned Homebrew installer mode exists but is not prominent in the unpinned path.

Current code does log the Homebrew installer trust policy when Homebrew is missing during setup, and docs/remote-installer-policy.md documents the pinned BASE_HOMEBREW_INSTALLER_URL + BASE_HOMEBREW_INSTALLER_SHA256 mode. The remaining gap is first-touch UX: users following the unpinned path should see the verified/pinned alternative before trust concerns become a blocker.

Proposed outcome

Make the safer first-mile option visible from the default bootstrap/install journey without making managed-team rollout harder.

Acceptance criteria

  • The unpinned Homebrew installer path prints a concise pointer to the pinned URL/SHA-256 alternative, including the required environment variable names.
  • README/bootstrap docs show the pinned/verified path near the default bootstrap path rather than only in the policy document.
  • Dry-run output remains explicit about whether Base would run the mutable official Homebrew installer or a pinned verified installer.
  • Tests cover the new user-facing output so the trust guidance does not drift.

Related review finding: S1 from the 2026-07-02 Base technical/product analysis.
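As an added example that is not Base's own code, the bash helper below sketches the behavior the acceptance criteria describe: the pinned-versus-unpinned decision, the pointer printed on the unpinned path, the SHA-256 gate on the pinned path, and a dry-run line that names which installer would run. The environment variable names and docs/remote-installer-policy.md come from the issue; the function names and the constructed sample file are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not Base's own code. Env var names and the policy doc path come
# from the issue; function names and the constructed sample file are assumptions.
set -u

# Portable SHA-256 of a file (GNU coreutils or BSD/macOS shasum).
sha256_of_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Decide which installer would run. Prints "pinned" or "unpinned" on stdout;
# the unpinned branch also prints the pointer the acceptance criteria ask for.
installer_mode() {
  if [ -n "${BASE_HOMEBREW_INSTALLER_URL:-}" ] && [ -n "${BASE_HOMEBREW_INSTALLER_SHA256:-}" ]; then
    echo "pinned"
  else
    cat >&2 <<'EOF'
Homebrew is missing; Base would run the mutable official installer (no digest check).
Verified alternative: set BASE_HOMEBREW_INSTALLER_URL and BASE_HOMEBREW_INSTALLER_SHA256
(see docs/remote-installer-policy.md).
EOF
    echo "unpinned"
  fi
}

# Gate for the pinned path: succeed only if the downloaded file ($1) matches the
# pinned digest (compared case-insensitively), so a swapped installer never runs.
verify_pinned_installer() {
  local expected actual
  expected="$(printf '%s' "${BASE_HOMEBREW_INSTALLER_SHA256:-}" | tr 'A-F' 'a-f')"
  actual="$(sha256_of_file "$1")"
  [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

# Dry-run summary that states explicitly which installer would run.
dry_run_plan() {
  case "$(installer_mode 2>/dev/null)" in
    pinned)
      echo "DRY RUN: would fetch ${BASE_HOMEBREW_INSTALLER_URL} and run it only if its SHA-256 is ${BASE_HOMEBREW_INSTALLER_SHA256}" ;;
    unpinned)
      echo "DRY RUN: would run the mutable official Homebrew installer (unverified)" ;;
  esac
}
```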

Labels: documentation (Documentation improvements), security (Security hardening or vulnerability work)

Status: Ready
