Installer Transparency. Every byte, documented.

This page exists because IT and security reviewers should know exactly what runs inside their network before approving the Brainverse onboarding installer. Below is the full step list for both macOS and Windows, with every download URL, every install destination, and every verification step.

We have nothing to hide. Our installer is a thin wrapper around well-known public installers from Apple, Microsoft, GitHub, the Node.js Foundation, and Anthropic. The only Brainverse-specific code that gets pulled is the client's own customized agent repository, which the client owns.

TL;DR for reviewers
  • Our installer is a thin shell script that calls public, well-known vendor installers. It is not a custom packaged binary that can hide payloads.
  • All downloads come from publicly trusted vendor URLs: nodejs.org, github.com/cli/cli, claude.ai, code.visualstudio.com, and microsoft.com for Windows components.
  • No Brainverse-proprietary code is silently fetched. The only repository cloned is the client's own customized agent repository, hosted in a GitHub organization the client owns.
  • Every download has a smoke test (e.g. node --version, gh --version) before the script proceeds. Failed downloads halt the script with a clear error.
  • Zero telemetry. The installer makes no callbacks to Brainverse infrastructure. We do not get notified when an installer succeeds or fails.
  • Source review on request. The installer is currently shipped with proposals to active prospects. We provide read access to the source for IT and security teams who request it. See the bottom of this page.

macOS installer

One shell script, run as the regular user, no admin password required for any of the automated steps. The script is delivered as part of the onboarding zip and executed with bash ~/Downloads/{client}-setup-files/onboard-macos.sh.

Steps 0 through 6 run automatically. Steps A through C, the ones labelled with capital letters, are interactive and require user input (GitHub auth, repo clone, Claude Code login).

macOS installer steps
Step 0
  • What it does: Pre-install checks: macOS 13+ (Ventura), 2GB+ free disk, internet reachability to claude.ai, GitHub, and nodejs.org.
  • Source / URL: Local probes only. No external download.
  • Verification: Hard-fails with explicit reason if any check fails. No silent continuation.

Step 0a
  • What it does: Xcode Command Line Tools (provides Git and Python 3). Triggers the Apple system installer dialog if not already present.
  • Source / URL: Apple, via xcode-select --install. Asset is delivered by Apple Software Update.
  • Verification: Apple-signed and notarized by Apple. We do not download or stage this asset, the OS does.

Step 1
  • What it does: Confirm Git is on PATH after Xcode CLT install.
  • Source / URL: No download. Local check.
  • Verification: git --version must succeed.

Step 2
  • What it does: Configure git user.name and user.email globally for the user account.
  • Source / URL: Local config write to ~/.gitconfig.
  • Verification: Values are echoed back to the user before continuing.

Step 3
  • What it does: Install Claude Code (Anthropic, native macOS binary).
  • Source / URL: https://claude.ai/install.sh, downloaded with curl -fsSL to /tmp, executed with bash. The installer fetches a signed and notarized binary from Anthropic.
  • Verification: Three retries with exponential backoff. The downloaded file is checked to be a real shell script (first line matches #!/.*sh) before execution. After install, claude --version is run as a smoke test.

Step 3a
  • What it does: Install Node.js LTS (currently v24 line, fallback pin v24.15.0).
  • Source / URL: Latest LTS metadata fetched from https://nodejs.org/dist/index.json. Tarball downloaded from https://nodejs.org/dist/v{VERSION}/node-v{VERSION}-darwin-{arm64|x64}.tar.xz. Extracted to ~/.agent-tools/node/. Symlinks placed in ~/.agent-tools/bin/.
  • Verification: Three retries on download. The downloaded file is verified to be a real XZ archive via the file command before extraction. After install, node --version is run as a smoke test. No admin rights required.

Step 4
  • What it does: Install GitHub CLI.
  • Source / URL: Latest version fetched from api.github.com/repos/cli/cli/releases/latest. Asset downloaded from https://github.com/cli/cli/releases/download/v{VERSION}/gh_{VERSION}_macOS_{arm64|amd64}.zip. Extracted to ~/.agent-tools/gh/. Symlink placed in ~/.agent-tools/bin/gh.
  • Verification: Three retries on download. The downloaded file is verified to be a real ZIP archive via the file command before extraction. After install, gh --version is run as a smoke test. No admin rights required.

Step 5
  • What it does: Install Visual Studio Code (universal build, Intel + Apple Silicon in one bundle).
  • Source / URL: https://update.code.visualstudio.com/latest/darwin-universal/stable (Microsoft CDN). Installed to /Applications/ when writable, otherwise ~/Applications/.
  • Verification: Three retries on download. ZIP archive is verified before extract. macOS Gatekeeper attribute is stripped to avoid first-launch prompts. Optional, install is skipped with a warning if download fails.

Step 6
  • What it does: Create a Desktop shortcut that opens the client project folder in VS Code. The shortcut is named after the client engagement.
  • Source / URL: Generated locally from a brand icon shipped inside the installer payload. No download.
  • Verification: Best-effort, non-blocking. If macOS sips or iconutil are unavailable, the script logs a warning and continues without the shortcut.

Step A
  • What it does: Authenticate with GitHub (interactive). Opens browser to GitHub OAuth.
  • Source / URL: gh auth login --web --git-protocol https --hostname github.com. The browser flow is hosted by GitHub.
  • Verification: Standard GitHub OAuth device flow. The token lives in the user account keychain.

Step B
  • What it does: Clone the client's customized agent repository.
  • Source / URL: git clone https://github.com/{org}/{repo}.git into ~/projects/{repo}/. The org and repo are owned by the client.
  • Verification: Repo presence is confirmed by checking that CLAUDE.md exists at the cloned root. If the repo has package.json, npm install runs against it.

Step C
  • What it does: Sign into Claude Code (interactive).
  • Source / URL: Browser-based OAuth flow hosted by Anthropic. The token lives in the user account.
  • Verification: Standard Anthropic OAuth flow. No credentials touch the install script.

Windows installer

Two phases. Phase 1 is a PowerShell script that requires admin rights, only because installing WSL 2 requires enabling Windows features. Phase 2 is a bash script that runs inside WSL as the regular user, no sudo required.

Admin rights for Phase 1 are scoped to: enabling the WSL and VirtualMachinePlatform Windows features, installing the Ubuntu distribution from the Microsoft Store, installing Git for Windows via winget, and installing Visual Studio Code via the Microsoft user installer. No persistent admin services are created.

Phase 1: Windows side, run as administrator

Windows Phase 1 steps
Step 1
  • What it does: Pre-install checks: Windows 10 build 19041+ or Windows 11, virtualization extensions enabled in BIOS, network reachable to required endpoints.
  • Source / URL: Local probes only.
  • Verification: Hard-fails with explicit reason if any check fails. Admin rights are required because Phase 1 enables Windows features and installs WSL.

Step 2
  • What it does: Enable WSL 2 and install the Ubuntu distribution (Microsoft default).
  • Source / URL: wsl --install --no-launch (Microsoft Windows Subsystem for Linux). Falls back to dism.exe /online /enable-feature for the WSL and VirtualMachinePlatform features if wsl --install is unavailable on older Windows.
  • Verification: WSL is a first-party Microsoft subsystem. The Ubuntu image is fetched by Windows itself from the Microsoft Store, not by our script.

Step 3
  • What it does: Configure WSL 2 memory cap based on host RAM.
  • Source / URL: Local write to %USERPROFILE%\.wslconfig (e.g. memory=4GB on 16GB hosts, 8GB on 32GB hosts).
  • Verification: Skipped if .wslconfig already exists. Network-profile paths are detected and the script falls back to a local profile.

Step 4
  • What it does: Install Git for Windows.
  • Source / URL: winget install --id Git.Git (Microsoft Windows Package Manager). Falls back to manual download from https://git-scm.com/download/win with a prompt to install before continuing.
  • Verification: Skipped if git is already on PATH. winget verifies vendor signatures.

Step 5
  • What it does: Install Visual Studio Code (user installer, no admin needed for the install itself).
  • Source / URL: https://update.code.visualstudio.com/latest/win32-x64-user/stable (Microsoft CDN). Installer is run silently with /VERYSILENT /CURRENTUSER /MERGETASKS=!runcode.
  • Verification: Three retries on download. The downloaded file size is checked to rule out HTML error pages from corporate proxies. The Remote-WSL extension is installed as a follow-up.

Step 6
  • What it does: Install Claude Code (Windows native).
  • Source / URL: Anthropic Windows installer. URL is https://claude.ai/install.ps1 or the equivalent native binary, downloaded with Invoke-WebRequest.
  • Verification: Smoke test runs claude --version after install. Logs are written to the install log if the smoke test fails.

Phase 2: Ubuntu (WSL) side, run as the regular user

Windows Phase 2 steps
Step 1
  • What it does: Pre-install checks inside Ubuntu (WSL): core system tools (curl, git, tar, xz, unzip), network reachability to required endpoints.
  • Source / URL: Local probes only.
  • Verification: Hard-fails with explicit reason if any check fails. Phase 2 runs as the regular WSL user, no sudo required for the install steps below.

Step 2
  • What it does: Configure PATH to include ~/.agent-tools/bin and ~/.local/bin in .bashrc, .zshrc, .profile.
  • Source / URL: Local writes only.
  • Verification: Idempotent, only adds the lines if they are not already present.

Step 3
  • What it does: Configure git user.name and user.email globally inside WSL.
  • Source / URL: Local config write to ~/.gitconfig inside WSL.
  • Verification: Values are echoed back before continuing.

Step 4
  • What it does: Install Claude Code (Anthropic, Linux binary inside WSL).
  • Source / URL: https://claude.ai/install.sh, downloaded with curl -fsSL, executed with bash.
  • Verification: Three retries with exponential backoff. The downloaded file is checked to be a real shell script before execution. After install, claude --version is run as a smoke test.

Step 5
  • What it does: Install Node.js LTS (currently v24 line, fallback pin v24.15.0) inside WSL.
  • Source / URL: Latest LTS metadata from https://nodejs.org/dist/index.json. Tarball from https://nodejs.org/dist/v{VERSION}/node-v{VERSION}-linux-x64.tar.xz. Extracted to ~/.agent-tools/node/.
  • Verification: Three retries. XZ archive verified via file command before extract. node --version smoke test after install.

Step 6
  • What it does: Install GitHub CLI inside WSL.
  • Source / URL: Latest version from api.github.com/repos/cli/cli/releases/latest. Asset from https://github.com/cli/cli/releases/download/v{VERSION}/gh_{VERSION}_linux_amd64.tar.gz.
  • Verification: Three retries. Tarball verified before extract. gh --version smoke test.

Step 7
  • What it does: Authenticate with GitHub (interactive) and clone the client repo into ~/projects/{repo} inside WSL.
  • Source / URL: gh auth login --web for OAuth. git clone https://github.com/{org}/{repo}.git into ~/projects/{repo}/.
  • Verification: Repo presence confirmed by checking that CLAUDE.md exists at the cloned root.
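
A format check such as the file test in the Node.js steps (3a on macOS, 5 in WSL) confirms the archive type, not its content. The following is an added example, not part of the Brainverse installer: it compares a downloaded tarball against the SHASUMS256.txt that nodejs.org publishes in each release directory. The function names are illustrative, and the sample tarball and manifest are constructed so the script runs offline.

```bash
#!/usr/bin/env bash
# Added example, not Brainverse code. Function names are illustrative and the
# tarball and SHASUMS256.txt used in demo() are constructed for offline use.

sha256_of() {  # hex SHA-256 of $1 (sha256sum on Linux/WSL, shasum on macOS)
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

is_xz() {  # format-only check: XZ stream magic bytes FD 37 7A 58 5A 00
  [ "$(head -c 6 "$1" | od -An -tx1 | tr -d ' \n')" = "fd377a585a00" ]
}

# verify_against_shasums FILE MANIFEST -> 0 match, 1 mismatch, 2 no entry
verify_against_shasums() {
  expected=$(awk -v n="${1##*/}" '$2 == n { print $1; exit }' "$2")
  [ -n "$expected" ] || return 2
  [ "$(sha256_of "$1")" = "$expected" ]
}

report() {  # prints "type=<xz|not-xz> hash=<match|MISMATCH|no-entry>"
  if is_xz "$1"; then t=xz; else t=not-xz; fi
  rc=0; verify_against_shasums "$1" "$2" || rc=$?
  case $rc in 0) h=match ;; 2) h=no-entry ;; *) h=MISMATCH ;; esac
  echo "type=$t hash=$h"
}

demo() {
  dir=$(mktemp -d)
  f="$dir/node-v24.15.0-linux-x64.tar.xz"
  printf '\375\067\172\130\132\000constructed-body' > "$f"
  printf '%s  %s\n' "$(sha256_of "$f")" "${f##*/}" > "$dir/SHASUMS256.txt"
  report "$f" "$dir/SHASUMS256.txt"   # file as listed in the manifest
  printf 'altered' >> "$f"            # magic bytes intact, content changed
  report "$f" "$dir/SHASUMS256.txt"
  rm -rf "$dir"
}

demo
```

In a real review the manifest comes from https://nodejs.org/dist/v{VERSION}/SHASUMS256.txt. Because it travels over the same channel as the tarball, checking the signature Node.js publishes for that manifest is the stronger step.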

What gets installed on the client machine

Every artifact below is sourced from a publicly trusted vendor and installed under the user account. Versions are pinned only as a fallback when the latest-LTS lookup fails.

Node.js
  • Version policy: Latest LTS, fallback pin v24.15.0
  • Install location: ~/.agent-tools/node/ (macOS, WSL)

GitHub CLI
  • Version policy: Latest stable from cli/cli releases
  • Install location: ~/.agent-tools/gh/ (macOS, WSL)

VS Code
  • Version policy: Latest stable, universal build
  • Install location: /Applications/ (macOS) or %LOCALAPPDATA% (Windows)

Claude Code
  • Version policy: Latest stable from Anthropic installer
  • Install location: ~/.local/bin/claude or ~/.claude/bin/claude

Python 3
  • Version policy: Bundled with Xcode CLT (macOS) or Ubuntu (WSL)
  • Install location: System default

Git
  • Version policy: Bundled with Xcode CLT (macOS) or via winget (Windows) or Ubuntu (WSL)
  • Install location: System default

Client's customized agent repository
  • Version policy: Owned by the client, hosted in a GitHub org the client controls
  • Install location: ~/projects/{repo}/

What does not happen

Specific anti-claims so a reviewer does not have to guess. If we do something on this list, it is a bug; please report it.

  • No kernel extensions, no kexts, no kernel-mode drivers.
  • No system-level services, no LaunchDaemons, no Windows services. The Desktop shortcut on macOS is a user-launchable .app, not a background agent.
  • No auto-launch on login, no LaunchAgents, no scheduled tasks. The installer runs once, exits, and never wakes itself up.
  • No telemetry to Brainverse during install or after. The installer does not POST any callback to brainverse.ai. We learn install outcomes only when the user tells us.
  • No remote code execution after install completes. There is no agent, no daemon, no listener. Subsequent code that runs is whatever the user types into Claude Code, and that is governed by Claude Code's own agent harness.
  • No privileged background processes. The only admin operation is enabling WSL and the VirtualMachinePlatform Windows feature in Phase 1 on Windows. After that, everything runs as the regular user.
  • No collection of files outside the project directory. The installer does not scan, index, or read user files outside the steps documented above.
  • No Brainverse server contacted at runtime. The runtime data plane (when the user runs Claude Code) talks to Anthropic, GitHub, and any inference or tool endpoints declared in the customized agent repository, never to Brainverse infrastructure unless the client explicitly opts in to BrainSync (see the deployment-modes matrix).
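
The no-telemetry and no-Brainverse-contact claims in the list above can be checked from the reviewer's side by comparing egress logs from a test install against the vendor domains this page names. The following is an added example, not Brainverse code: the log format, function names, and sample lines are constructed, and the last two sample lines show what an undocumented host and a callback would look like.

```bash
#!/usr/bin/env bash
# Added example, not Brainverse code. The proxy log format and every sample
# line are constructed; adapt the field positions to your own proxy or DNS log.

# Vendor domains named on this page. A host passes if it equals one of these
# or is a subdomain of one (api.github.com, update.code.visualstudio.com).
DOCUMENTED="nodejs.org github.com claude.ai code.visualstudio.com microsoft.com git-scm.com"

# unlisted_hosts LOGFILE -> prints each undocumented host once, sorted.
# Assumed line format: "<timestamp> CONNECT <host>:<port>"
unlisted_hosts() {
  awk -v allow="$DOCUMENTED" '
    BEGIN { n = split(allow, d, " ") }
    $2 == "CONNECT" {
      host = tolower($3); sub(/:[0-9]+$/, "", host)
      ok = 0
      for (i = 1; i <= n; i++) {
        suffix = "." d[i]
        # Compare on a label boundary so github.com.example.net is not accepted.
        if (host == d[i] ||
            (length(host) > length(suffix) &&
             substr(host, length(host) - length(suffix) + 1) == suffix)) {
          ok = 1; break
        }
      }
      if (!ok) print host
    }' "$1" | sort -u
}

sample_log() {  # constructed proxy lines for one install run
  cat <<'EOF'
2025-01-01T10:00:01Z CONNECT nodejs.org:443
2025-01-01T10:00:05Z CONNECT api.github.com:443
2025-01-01T10:00:09Z CONNECT github.com:443
2025-01-01T10:00:12Z CONNECT claude.ai:443
2025-01-01T10:00:20Z CONNECT update.code.visualstudio.com:443
2025-01-01T10:00:31Z CONNECT github.com.example.net:443
2025-01-01T10:00:40Z CONNECT brainverse.ai:443
EOF
}

log=$(mktemp)
sample_log > "$log"
unlisted_hosts "$log"
rm -f "$log"
```

Any host this prints, including a CDN host that a documented URL redirects to, is one the page does not name and is worth raising with the vendor.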

Source code, signed builds, and SBOM

The installer source lives in a private Brainverse repository today. We provide read access to IT and security reviewers who request it as part of a procurement or due-diligence review.

Organizations with stricter requirements can request a signed installer plus a Software Bill of Materials (SBOM) listing every transitive component and its hash. This is a custom Enterprise deliverable, scoped per engagement.

For either of the above, email [email protected] with your organization, the engagement context, and what level of access you need (read access to source, signed installer build, or SBOM). We respond within one business day.