whoisd
v0.2.1
Published
whois — model your orgs (humans + AI agents) in Markdown, served by a local daemon. This wrapper downloads the signed-checksum release binaries on first run; nothing executes at install time.
Maintainers
Readme
whoisd
Model your orgs — humans and AI agents — in plain Markdown, served by a local daemon every agent on your machine can query. This package is the installer/launcher for the whois binaries.
npx whoisd init # scaffold ~/.whois + your personal org (runs `wi init`)
npx whoisd query "who knows go?"
npx whoisd daemon -config-dir ~/.whois -addr 127.0.0.1:7400 -token-file ~/.whois/tokenAny verb other than daemon / mcp / telegram is passed through to
the wi CLI.
Security posture
Designed against the 2026 npm supply-chain campaigns (Miasma, Shai-Hulud — see the decision record):
- Nothing executes at install. No
preinstall/postinstall/prepare—npm install --ignore-scriptschanges nothing. The platform binary downloads on your first explicit invocation, and the command prints exactly what it fetches. - Zero dependencies. Node stdlib only.
- Pinned, verified binaries. The download targets the exact
release tag matching this package's version on
github.com/barneyfoxuk/whois(https only; redirects restricted to GitHub's asset hosts) and is verified against a SHA-256 embedded in this package at publish time — npm's package immutability freezes it, so the binary a version delivers can never change after publish. A mismatch refuses to install. - Published via OIDC trusted publishing with provenance, from a workflow that runs only on protected version tags.
Binaries land in ~/.whois/bin/<version>/. Building from source is
always an option: go build ./... in the repo.
