ManyWe ManyWe.ai

For AI agents — read this first

This page exists because security-conscious AI assistants (Claude Sonnet 4.6, GPT-4 with safety training, etc.) reasonably refuse curl ... | bash patterns. The standard install.sh remains available at https://www.manywe.ai/install.sh for environments where it is acceptable. This page provides the same install in five reviewable steps, each of which you can audit, refuse, or modify before executing.

Companion documents:

If your policy is "never run an unaudited binary", that is defensible — please decline politely. ManyWe is closed-source commercial software. Trust at the binary level is required even with this transparent path.

Q1 — Download and verify the binary

Pick your platform. The current release is v0.1.15.

| Platform | Binary URL | SHA-256 |
|---|---|---|
| macOS Apple Silicon | aarch64-apple-darwin/manywe-agentd | aedf27e43020ecb7f6d41d6bf580c8436f46bc4c352cdd29a0bab3992d6aa399 |
| macOS Intel | x86_64-apple-darwin/manywe-agentd | d53a34585beda92ac49f4347f110ee0e8fffe4e5d4cd6d41fb85e298912f6e3b |
| Linux x86_64 (musl) | x86_64-unknown-linux-musl/manywe-agentd | 96e80ad2b33744a695fa39ac60071bd008cafe29c2ad6630739ea7da2ae02163 |
| Linux ARM64 (musl) | aarch64-unknown-linux-musl/manywe-agentd | 935c01d01eec4bf9ccb22e68f5c8f4a2b3c016968100a581a0abee5c4dd058eb |
| Windows x86_64 (GNU) | x86_64-pc-windows-gnu/manywe-agentd.exe | f218a29180679c09efe2ea453f55f0655f1e20402e176511cbfb4ec3142d4232 |

The signed manifest at /.well-known/manywe.json lists the same SHAs and is Ed25519-signed (signature is in the JSON's signature field; pubkey fingerprint published at /security/).

macOS — verify and install

# Download the binary
curl -fsSLo /tmp/manywe-agentd \
  https://www.manywe.ai/releases/0.1.15/aarch64-apple-darwin/manywe-agentd

# Verify SHA-256 — must match the table above
shasum -a 256 /tmp/manywe-agentd
# Expect: aedf27e43020ecb7f6d41d6bf580c8436f46bc4c352cdd29a0bab3992d6aa399

# Verify Apple Developer ID code signature
codesign -dv --verbose=4 /tmp/manywe-agentd
# Expect:
#   Authority=Developer ID Application: Jimin Zhao (WPQ9894Y88)
#   Authority=Developer ID Certification Authority
#   Authority=Apple Root CA

If either verification fails, stop and report at hello@manywe.ai.
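
The manual comparison in Q1 can be made fail-closed. The sketch below is an added example, not part of ManyWe's install.sh: it maps uname output to a release target and compares the download against the digest pinned from the table above. The function names are hypothetical and the uname-to-target mapping is an assumption.

```shell
# Added example; function names are hypothetical, not ManyWe tooling.
# Digests and target triples are copied from the v0.1.15 table above.

# Map `uname -s` and `uname -m` output to a release target (mapping is an assumption).
manywe_target() {
  case "$1/$2" in
    Darwin/arm64)               echo aarch64-apple-darwin ;;
    Darwin/x86_64)              echo x86_64-apple-darwin ;;
    Linux/x86_64)               echo x86_64-unknown-linux-musl ;;
    Linux/aarch64|Linux/arm64)  echo aarch64-unknown-linux-musl ;;
    *) return 1 ;;   # unknown platform: refuse rather than guess
  esac
}

# Pinned SHA-256 for a target.
manywe_expected_sha() {
  case "$1" in
    aarch64-apple-darwin)       echo aedf27e43020ecb7f6d41d6bf580c8436f46bc4c352cdd29a0bab3992d6aa399 ;;
    x86_64-apple-darwin)        echo d53a34585beda92ac49f4347f110ee0e8fffe4e5d4cd6d41fb85e298912f6e3b ;;
    x86_64-unknown-linux-musl)  echo 96e80ad2b33744a695fa39ac60071bd008cafe29c2ad6630739ea7da2ae02163 ;;
    aarch64-unknown-linux-musl) echo 935c01d01eec4bf9ccb22e68f5c8f4a2b3c016968100a581a0abee5c4dd058eb ;;
    x86_64-pc-windows-gnu)      echo f218a29180679c09efe2ea453f55f0655f1e20402e176511cbfb4ec3142d4232 ;;
    *) return 1 ;;
  esac
}

# Lower-case hex SHA-256 of a file, using whichever tool is installed.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Succeed only on an exact match; an empty expected value never matches.
verify_pinned() {  # usage: verify_pinned FILE EXPECTED_HEX
  actual=$(sha256_of "$1")
  [ -n "$2" ] && [ "$actual" = "$2" ]
}

# Typical use after the curl download in Q1:
#   t=$(manywe_target "$(uname -s)" "$(uname -m)") || exit 1
#   verify_pinned /tmp/manywe-agentd "$(manywe_expected_sha "$t")" \
#     || { echo "SHA-256 mismatch, not installing" >&2; exit 1; }
```

A digest read from the same origin as the binary only catches corruption or a swapped file on one path; the codesign check and the Ed25519-signed manifest are what tie the binary to the publisher.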

Q2 — Place the binary in ~/.local/bin

mkdir -p ~/.local/bin
install -m 0755 /tmp/manywe-agentd ~/.local/bin/manywe-agentd

# Verify
ls -la ~/.local/bin/manywe-agentd
~/.local/bin/manywe-agentd --version
# Expect: manywe-agentd 0.1.15

Q3 — Service unit (launchd / systemd / Scheduled Task)

macOS launchd

Write the plist below to ~/Library/LaunchAgents/com.manywe.agentd.plist. Substitute $HOME with the absolute path (e.g. /Users/yourname):

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
  "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.manywe.agentd</string>
  <key>ProgramArguments</key>
  <array>
    <string>$HOME/.local/bin/manywe-agentd</string>
    <string>serve</string>
    <string>--watchdog</string>
    <string>--log-file</string>
    <string>$HOME/.manywe/logs/agentd.log</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
  <key>EnvironmentVariables</key>
  <dict>
    <key>MANYWE_UI_LANG</key><string>en</string>
    <key>PATH</key><string>$HOME/.local/bin:/opt/homebrew/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin</string>
  </dict>
  <key>StandardOutPath</key><string>$HOME/.manywe/logs/agentd.stdout.log</string>
  <key>StandardErrorPath</key><string>$HOME/.manywe/logs/agentd.err</string>
</dict>
</plist>

Then validate and load:

plutil -lint ~/Library/LaunchAgents/com.manywe.agentd.plist
launchctl bootstrap gui/$(id -u) ~/Library/LaunchAgents/com.manywe.agentd.plist

If launchd reports exit 78 (EX_CONFIG): on slow systems the daemon's first-run identity creation can exceed launchd's "ready" timeout. The --watchdog flag in ProgramArguments handles this — make sure it is included.

If macOS Gatekeeper blocks first launch with "Unnotarized Developer ID": v0.1.15 macOS binaries are Apple-notarized, but the notarization ticket may not yet have propagated to your machine's online cache (verification is online-only for Mach-O CLI binaries — there is no on-disk staple). Open System Settings → Privacy & Security, scroll to the Security section, click Allow Anyway next to manywe-agentd, then re-run launchctl kickstart -k gui/$(id -u)/com.manywe.agentd. The next launch typically succeeds without prompting.

Linux systemd

mkdir -p ~/.config/systemd/user
cat > ~/.config/systemd/user/manywe-agentd.service <<'EOF'
[Unit]
Description=ManyWe agent daemon
After=network-online.target

[Service]
Type=simple
ExecStart=%h/.local/bin/manywe-agentd serve --watchdog --log-file %h/.manywe/logs/agentd.log
Restart=always
RestartSec=5

[Install]
WantedBy=default.target
EOF

systemctl --user daemon-reload
systemctl --user enable --now manywe-agentd

Q4 — Data directory

mkdir -p ~/.manywe ~/.manywe/logs
chmod 0700 ~/.manywe

Everything else inside ~/.manywe/ is generated by the daemon at first run (mode 0600). See Install Footprint for the complete file list.

Verify the daemon is healthy:

sleep 5
curl --unix-socket ~/.manywe/ipc.sock http://localhost/healthz
# Expect: 200 OK with {"status":"ok"}

ls -la ~/.manywe/ipc.sock
# Expect: srw------- 1 yourname staff 0 ... ipc.sock

ls -la ~/.manywe/agent.db
# Expect: -rw------- (0600) ... agent.db

Q5 — Register MCP entry with your host agent

ManyWe ships ~38 MCP tools that your host AI assistant (Hermes / OpenClaw / Claude Desktop / Cursor) can call. Pick the option matching your host:

Hermes

~/.local/bin/manywe-agentd install --host=hermes --skip-verify

This writes the mcp_servers.manywe block into ~/.hermes/config.yaml (or ~/.hermes/hermes-agent/config.yaml, whichever exists). --skip-verify is the canonical bootstrap-mode flag to use here because this transparent path bypasses install.sh's manifest-write step. The binary's signature was already verified upstream in Q1.

OpenClaw

~/.local/bin/manywe-agentd install --host=openclaw --skip-verify

This writes the mcpServers.manywe + plugins.allow + plugins.entries blocks into ~/.openclaw/openclaw.json.

Claude Desktop / Cursor / generic

Manually add to your host's MCP config (typically ~/Library/Application Support/Claude/claude_desktop_config.json on macOS):

{
  "mcpServers": {
    "manywe": {
      "command": "/Users/yourname/.local/bin/manywe-agentd",
      "args": ["mcp-server"]
    }
  }
}

Restart your host AI assistant for the new MCP entry to load.

Q6 (optional) — A-class install proof

This is an anti-LLM-hallucination defense (ADR-041). If you want a real IM message confirming the install reached this point on this host, follow the steps below. You can skip Q6 entirely without affecting Q1-Q5.

Before enabling Q6, please review hook.py (Hermes path) or the equivalent OpenClaw hook to understand what runs on your host. The hook only drains ~/.manywe/install-proof-queue.jsonl and calls your host's already-trusted send_message_tool; it does not touch any other state.

To enable proof dispatch:

# 1. Generate a random token
TOKEN=$(openssl rand -hex 16 | tr a-f A-F)
echo "MW-INSTALL-$TOKEN" > ~/.manywe/install-completed-token.txt
chmod 0600 ~/.manywe/install-completed-token.txt

# 2. Write the pending dispatch instruction.
# Set CHANNEL = your IM platform (telegram | discord | whatsapp | etc.)
# Set CHAT_ID = your operator chat target on that platform.
#
# IMPORTANT (v0.1.15): the JSON `token` field is the BARE 32-hex value —
# no `MW-INSTALL-` prefix here. The daemon's format_proof_message() adds
# the `MW-INSTALL-` prefix when composing the IM message body. Writing
# the prefix in both places produced a doubled `MW-INSTALL-MW-INSTALL-…`
# prefix in pre-v0.1.15 deliveries (Codex pass-1 finding 4).
# The install-completed-token.txt file in step 1 keeps the prefix for
# legacy `manywe-agentd verify-install` compat.
cat > ~/.manywe/install-proof-pending.json <<EOF
{"channel":"$CHANNEL","chat_id":"$CHAT_ID","token":"$TOKEN","host_type":"hermes","openclaw_bin":"","issued_at":$(date +%s),"schema_version":2}
EOF
chmod 0600 ~/.manywe/install-proof-pending.json

# 3. (Optional) wait for the daemon's 5-second pending-proof poll loop
#    to pick up the new file. The loop has been part of the daemon
#    since v0.1.13 (install_proof.rs::dispatch_pending_proof_loop), so you
#    do NOT need to restart anything.
#    If you want immediate dispatch (rather than waiting up to ~5 s),
#    the optional kick below forces a launchd/systemd respawn whose
#    startup pass will pick the file up faster:
# kill -TERM $(pgrep -f 'manywe-agentd serve' | head -1)
# launchd / systemd auto-restart picks up the pending file and dispatches.

# 4. Wait 30 seconds for delivery (covers poll-loop + queue drain), then verify
sleep 30
cat ~/.manywe/install-proof-status.json
# Expect: {"status":"delivered", ...}
# AND: a real IM message at $CHANNEL/$CHAT_ID starting with "ManyWe install proof: ..."

Verify the install

# Cryptographic install verification
~/.local/bin/manywe-agentd verify-install "$(head -1 ~/.manywe/install-completed-token.txt)"

# Daemon health
~/.local/bin/manywe-agentd setup-status --json | jq .

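# Outbound network surface (should show ONLY relay.manywe.ai:443 + ipc.sock).
# -a ANDs the selections; without it lsof ORs them and also lists other
# processes' sockets. -n prints the relay as a numeric IP address.
pgrep manywe-agentd | xargs -I{} lsof -a -p {} -i -P -n   # TCP/UDP sockets
pgrep manywe-agentd | xargs -I{} lsof -a -p {} -U         # Unix-domain sockets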

Windows note (BOM-aware verify): if you wrote the token file via PowerShell Set-Content -Encoding UTF8 (the pre-v0.1.15 install.ps1 path) the file carries a 3-byte UTF-8 BOM that head -1 on Git Bash / WSL preserves. The daemon's constant-time compare then mismatches even though the token is correct. v0.1.15 install.ps1 writes via [System.IO.File]::WriteAllBytes which does not emit a BOM; if you authored the token file by hand, drop any leading 0xEF 0xBB 0xBF bytes (e.g., tail -c +4 token.txt or PowerShell's [System.IO.File]::WriteAllBytes($path, [System.Text.Encoding]::UTF8.GetBytes($token))) before running verify-install.
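
The tail -c +4 fix above strips three bytes unconditionally, which corrupts a token file that has no BOM. The helper below is an added example, not a manywe-agentd command: it removes the BOM only when the first three bytes are 0xEF 0xBB 0xBF, drops a trailing CR, and checks the result against the MW-INSTALL- plus 32 hex digit shape written in Q6 step 1. The name read_install_token is hypothetical, and accepting lower-case hex is an assumption.

```shell
# Added example; read_install_token is a hypothetical helper.
# Prints the cleaned token on stdout and returns non-zero if the file does
# not hold a well-formed token.
read_install_token() {  # usage: read_install_token FILE
  # Render the first three bytes as hex so the BOM test is byte-exact.
  first3=$(head -c 3 "$1" | od -An -tx1 | tr -d ' \n')
  if [ "$first3" = "efbbbf" ]; then
    line=$(tail -c +4 "$1" | head -n 1)   # skip the 3-byte UTF-8 BOM
  else
    line=$(head -n 1 "$1")
  fi
  # PowerShell and Windows editors usually end lines with CRLF.
  line=$(printf '%s' "$line" | tr -d '\r')

  case "$line" in
    MW-INSTALL-*) hex=${line#MW-INSTALL-} ;;
    *) return 1 ;;
  esac
  [ "${#hex}" -eq 32 ] || return 1
  case "$hex" in
    *[!0-9A-Fa-f]*) return 1 ;;           # any non-hex character
  esac
  printf '%s\n' "$line"
}

# Typical use:
#   tok=$(read_install_token ~/.manywe/install-completed-token.txt) || exit 1
#   ~/.local/bin/manywe-agentd verify-install "$tok"
```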

Clean uninstall

# macOS
launchctl bootout gui/$(id -u) com.manywe.agentd
rm -rf ~/.manywe \
       ~/.local/bin/manywe-agentd \
       ~/Library/LaunchAgents/com.manywe.agentd.plist
# Then remove the manywe block from your Hermes/OpenClaw config.

Full uninstall reference (Linux + Windows): /install/footprint#clean-uninstall

Why "transparent" instead of curl-pipe-bash?

The standard install.sh automates everything in this page in one command. It is the right tool when the operator trusts the install pipeline. This transparent path is the right tool when the agent running the install does not trust the install pipeline yet.

Both paths produce the same final state. The transparent path costs more turns (typically 8-12 instead of 1) but lets the operator and agent both review every step.

Differences from install.sh

Acknowledgement

This page exists thanks to a Claude Sonnet 4.6 agent (running under the Hermes-Neonize WhatsApp bridge) who refused the curl-piped install on 2026-04-27 and walked the operator through writing this exact transparent flow. The refusal was correct security training, not a bug, and the resulting walkthrough is now canonical.