Installing packages

Four steps from zero to an agent that starts ahead. Every install is verified on your machine — you never have to trust the network, the mirror, or even this registry.

01

Install the CLI

lean-ctx is the reference client — it creates, verifies and installs packages. One binary, no runtime dependencies.

curl -fsSL https://leanctx.com/install.sh | sh

02

Install a package

Free packages install without an account. Your machine downloads the artifact, re-computes its SHA-256 fingerprint and compares it against the catalog, then re-verifies the author’s Ed25519 signature. Only then does anything land on disk.

lean-ctx pack install leanctx/lean-ctx-project-context

03

Commit the lockfile

The install pins the exact version and fingerprint in ctxpkg.lock. Commit it: everyone on your team — and your CI — gets byte-identical knowledge.

git add ctxpkg.lock && git commit -m "pin agent context"

04

Let your agent use it

Installed packages feed the lean-ctx context engine automatically: facts, decisions and gotchas are available to your agent from the first prompt — no re-deriving.

lean-ctx pack list   # see what your agent knows

CI installs

The lockfile makes CI reproducible. For private or purchased packages, mint a read token (ctxr_…) in your account and pass it as a secret:

# .github/workflows/agent.yml (any CI works the same way)
env:
  CTXPKG_TOKEN: ${{ secrets.CTXPKG_READ_TOKEN }}
run: lean-ctx pack install @acme/auth-service-context

Questions you'll have

Do I need an account to install?

Not for free packages — anonymous installs are allowed and rate-limited per IP. Paid packages require a signed-in purchase; CI uses a read token (ctxr_…) minted in your account.

What happens if a download was tampered with?

The install aborts before anything is written. The fingerprint comparison catches changed bytes; the signature check catches anything signed by the wrong key — even a compromised registry could not get altered content past your machine.
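The verify-before-write order described here and in step 02, as an added Go example (not lean-ctx's own code). The pin type, its field names, verifyThenWrite and the rule that the signature covers the raw artifact bytes are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"os"
	"path/filepath"
)

// pin is a hypothetical stand-in for a catalog/lockfile entry. Field names and
// the "signature covers the raw artifact bytes" rule are assumptions.
type pin struct {
	SHA256Hex string            // lowercase hex fingerprint from the catalog
	AuthorKey ed25519.PublicKey // author's public key
	Signature []byte            // detached Ed25519 signature
}

// verifyThenWrite checks the hash, then the signature, and only then writes dest.
func verifyThenWrite(artifact []byte, p pin, dest string) error {
	got := sha256.Sum256(artifact)
	if hex.EncodeToString(got[:]) != p.SHA256Hex {
		return fmt.Errorf("fingerprint mismatch: artifact bytes differ from the pin")
	}
	// ed25519.Verify panics on a wrong-sized key, so check the length first.
	if len(p.AuthorKey) != ed25519.PublicKeySize ||
		!ed25519.Verify(p.AuthorKey, artifact, p.Signature) {
		return fmt.Errorf("signature was not made by the pinned author key")
	}
	// Stage next to dest and rename, so readers never see a partial file.
	tmp := dest + ".partial"
	if err := os.WriteFile(tmp, artifact, 0o644); err != nil {
		os.Remove(tmp)
		return err
	}
	return os.Rename(tmp, dest)
}

func main() {
	// Constructed sample: throwaway key pair and artifact generated locally.
	pub, priv, _ := ed25519.GenerateKey(nil)
	art := []byte("constructed package bytes")
	sum := sha256.Sum256(art)
	p := pin{hex.EncodeToString(sum[:]), pub, ed25519.Sign(priv, art)}
	dest := filepath.Join(os.TempDir(), "demo.ctxpkg")
	fmt.Println("intact:  ", verifyThenWrite(art, p, dest))
	fmt.Println("tampered:", verifyThenWrite(append(art, '!'), p, dest))
}
```

The two checks fail independently: changed bytes trip the fingerprint comparison, while an artifact whose hash matches but whose signature came from a different key trips the signature check.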

How do I install a paid package?

Buy it once on its package page (Stripe checkout). After that, install works exactly like a free package while you are signed in — or with a ctxr_ read token in CI.

How do I update?

Run install again for the newer version and commit the updated ctxpkg.lock. Versions are immutable, so updates are always explicit — nothing changes under you.

Can I verify a package without installing it?

Yes. Download the artifact and run the standalone verifier — it checks structure, both integrity hashes and the signature, and prints a per-check report.

Want the full mechanics? The complete verification model is documented on the trust page, and the wire protocol on ctxpkg.org.