Installation
Clone the repository, inspect it, scan it, then run the installer:
git clone <repo-url> safe
cd safe
safe audit scan --project .
bash install.sh
If safe is not already available on the machine, run equivalent local scanners
before installing. Treat this repository like any other supply-chain input.
Default install mode is --all, which installs:
safe, plus compatibility component binaries, to~/.local/bin;- seed config under
~/.config/safe/runand~/.config/safe/audit; ~/.config/safe/install-wrappers.zsh;- zsh completion
~/.local/share/zsh/site-functions/_safe; .zshrcsource and completionfpathlines when missing.
The installer is idempotent. It refreshes installed files, seeds only missing config, and preserves existing data.
Install Modes
bash install.sh --all
bash install.sh --run
bash install.sh --audit
bash install.sh --wrappers
bash install.sh --no-wrappers
--no-wrappers installs the run and audit tools but leaves persistent zsh package-manager wrappers disabled.
First Run
After installation:
safe status
safe doctor
safe audit setup
safe run link
safe audit setup detects already-installed scanners or installs scanners from
an explicit local bundle. It does not download scanners or run upstream
installer scripts.
Scanner dependency policy and upstream project links are documented in External Dependencies.
safe run link replaces host package-runner commands with safe shims where supported. It is transactional and backs up originals before linking.
Uninstall
Remove binaries and completions while preserving config and data:
bash uninstall.sh
Remove config and data as well:
bash uninstall.sh --all
--purge also requests source-line cleanup. The uninstall path calls safe run unlink first when possible.