Install the Anima CLI
Theanima CLI is built for agents, not for human click-through installs. That shapes every decision on this page:
- No macOS or Windows binaries. Agent workloads run on Linux — in containers, VMs, and CI runners. A developer on a Mac should use the npm package; their agent, when it actually executes, runs on Linux.
- No Homebrew or Winget. Those exist to make installs ergonomic for humans; agents read release manifests directly.
- Sigstore everywhere. One uniform trust anchor for both install paths, verifiable offline from any pipeline.
Pick your channel
- Node / TS agent — npm
- Container / CI — curl | sh (Linux x64, arm64)
anima is a runtime dependency of a Node/TS agent project.Inside a Dockerfile
For a reproducible agent container, pin the version and verify explicitly:RUN step fails and the image build stops.
Verify the install
Configuration
Every setting resolves in priority order — a flag wins, then an environment variable, then the active profile, then your saved defaults:- CLI flag (e.g.
--org,--api-key,--api-url) - Environment variable (
ANIMA_API_KEY,ANIMA_API_URL,ANIMA_DEFAULT_ORG,ANIMA_DEFAULT_IDENTITY,ANIMA_OUTPUT_FORMAT) - Active profile (
anima config profile use <name>) - Saved defaults (
anima config set <key> <value>oranima init)
Verify a binary manually
Every release asset has a matching Sigstore bundle. To verify end-to-end without trusting the installer (e.g. in an air-gapped pipeline):- The binary was signed by our release workflow, at a release tag — not a different repo’s and not a non-tagged build.
- The signing event is recorded in the public Rekor transparency log — anyone can audit it.
- The binary bytes haven’t been modified since signing.
GPG (optional, for distro pipelines)
Releases ship a GPG-signedSHA256SUMS.asc when the publisher key is provisioned. This is redundant with Sigstore and exists only for downstream packagers that prefer a traditional PGP trust chain. Verify with:
Troubleshooting
Unsupported OS — You ran the curl | sh installer on macOS or Windows. The CLI ships Linux-only binaries; on a developer machine, use npm install -g @anima-labs/cli instead.
Signature verification failed — Do not proceed. Report at github.com/anima-labs-ai/cli/issues and include the full installer output. A failed verification is either a transient CDN issue (retry) or a genuine tampering attempt (we want to hear about it immediately).
~/.local/bin not in PATH — The installer prints the exact line to add to your shell rc:
See also
- Security — full signing chain and threat model
- Quickstart: Vault — your first
anima vaultcommand - SDKs — Python & TypeScript client libraries
