feat(installer): verify release assets + switch public docs to standalone entrypoint

README.md

@@ -46,15 +46,13 @@ Qwen Code is an open-source AI agent for the terminal, optimized for Qwen series
 #### Linux / macOS
 
 ```bash
-bash -c "$(curl -fsSL https://qwen-code-assets.oss-cn-hangzhou.aliyuncs.com/installation/install-qwen.sh)"
+curl -fsSL https://qwen-code-assets.oss-cn-hangzhou.aliyuncs.com/installation/install-qwen-standalone.sh | bash
 ```
 
-#### Windows (Run as Administrator)
+#### Windows
 
-Works in both Command Prompt and PowerShell:
-
-```cmd
-powershell -Command "Invoke-WebRequest 'https://qwen-code-assets.oss-cn-hangzhou.aliyuncs.com/installation/install-qwen.bat' -OutFile (Join-Path $env:TEMP 'install-qwen.bat'); & (Join-Path $env:TEMP 'install-qwen.bat')"
+```powershell
+irm https://qwen-code-assets.oss-cn-hangzhou.aliyuncs.com/installation/install-qwen-standalone.ps1 | iex
 ```
 
 > **Note**: It's recommended to restart your terminal after installation to ensure environment variables take effect.

docs/users/overview.md

@@ -10,19 +10,19 @@
 ### Install Qwen Code:
 
 The recommended installer uses a standalone archive when one is available for
-your platform. If it falls back to npm, Node.js 20 or later with npm must be
+your platform. If it falls back to npm, Node.js 22 or later with npm must be
 available on PATH.
 
 **Linux / macOS**
 
 ```sh
-curl -fsSL https://qwen-code-assets.oss-cn-hangzhou.aliyuncs.com/installation/install-qwen.sh | bash
+curl -fsSL https://qwen-code-assets.oss-cn-hangzhou.aliyuncs.com/installation/install-qwen-standalone.sh | bash
 ```
 
 **Windows**
 
-```cmd
-powershell -Command "Invoke-WebRequest 'https://qwen-code-assets.oss-cn-hangzhou.aliyuncs.com/installation/install-qwen.bat' -OutFile (Join-Path $env:TEMP 'install-qwen.bat'); & (Join-Path $env:TEMP 'install-qwen.bat')"
+```powershell
+irm https://qwen-code-assets.oss-cn-hangzhou.aliyuncs.com/installation/install-qwen-standalone.ps1 | iex
 ```
 
 > [!note]

docs/users/quickstart.md

@@ -21,13 +21,13 @@ To install Qwen Code, use one of the following methods:
 **Linux / macOS**
 
 ```sh
-curl -fsSL https://qwen-code-assets.oss-cn-hangzhou.aliyuncs.com/installation/install-qwen.sh | bash
+curl -fsSL https://qwen-code-assets.oss-cn-hangzhou.aliyuncs.com/installation/install-qwen-standalone.sh | bash
 ```
 
-**Windows (Run as Administrator)**
+**Windows**
 
-```cmd
-powershell -Command "Invoke-WebRequest 'https://qwen-code-assets.oss-cn-hangzhou.aliyuncs.com/installation/install-qwen.bat' -OutFile (Join-Path $env:TEMP 'install-qwen.bat'); & (Join-Path $env:TEMP 'install-qwen.bat')"
+```powershell
+irm https://qwen-code-assets.oss-cn-hangzhou.aliyuncs.com/installation/install-qwen-standalone.ps1 | iex
 ```
 
 > [!note]

docs/users/support/Uninstall.md

@@ -1,6 +1,6 @@
 # Uninstall
 
-Your uninstall method depends on how you ran the CLI. Follow the instructions for either npx or a global npm installation.
+Your uninstall method depends on how you installed the CLI.
 
 ## Method 1: Using npx
 
@@ -40,3 +40,21 @@ npm uninstall -g @qwen-code/qwen-code
 ```
 
 This command completely removes the package from your system.
+
+## Method 3: Standalone Install
+
+If you installed via the standalone installer (`curl ... | bash` or `irm ... | iex`), use the dedicated uninstall script.
+
+**Linux / macOS**
+
+```bash
+curl -fsSL https://qwen-code-assets.oss-cn-hangzhou.aliyuncs.com/installation/uninstall-qwen-standalone.sh | bash
+```
+
+**Windows**
+
+```powershell
+irm https://qwen-code-assets.oss-cn-hangzhou.aliyuncs.com/installation/uninstall-qwen-standalone.ps1 | iex
+```
+
+The uninstaller removes the standalone runtime, generated `qwen` wrapper, and installer-managed PATH changes. Your Qwen Code configuration (`~/.qwen`) is preserved by default.

scripts/installation/INSTALLATION_GUIDE.md

@@ -46,11 +46,6 @@ standalone release. The `standalone` suffix intentionally avoids overwriting the
 existing production `install-qwen.sh` / `install-qwen.bat` OSS objects during
 the staged rollout.
 
-Public installation documentation intentionally continues to use the existing
-production installer in this PR. Update README and other public quick-install
-instructions in a follow-up after the standalone-suffixed hosted installers and
-release archive sync have been validated in production.
-
 Hosted installer assets are staged separately from GitHub Release archives:
 
 - `install-qwen-standalone.sh` is the Linux/macOS hosted entrypoint.

scripts/installation/install-qwen-with-source.bat

@@ -306,7 +306,9 @@ exit /b 1
 
 :ValidateVersion
 if /i "!VERSION!"=="latest" exit /b 0
-echo(!VERSION!| findstr /R /C:"^v*[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*[A-Za-z0-9.-]*$" >nul
+echo(!VERSION!| findstr /R /C:"^[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*[A-Za-z0-9.-]*$" >nul
+if %ERRORLEVEL% EQU 0 exit /b 0
+echo(!VERSION!| findstr /R /C:"^v[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*[A-Za-z0-9.-]*$" >nul
 if %ERRORLEVEL% EQU 0 exit /b 0
 echo ERROR: --version must be 'latest' or a semver string.
 exit /b 1

scripts/installation/install-qwen-with-source.sh

@@ -624,6 +624,22 @@ validate_archive_entry_path() {
     esac
 }
 
+archive_contains_symlinks() {
+    local archive_path="$1"
+
+    case "${archive_path}" in
+        *.zip)
+            unzip -Z -v "${archive_path}" 2>/dev/null | grep -E 'Unix file attributes \(12[0-7]{4} octal\)' >/dev/null
+            ;;
+        *.tar.gz|*.tgz|*.tar.xz)
+            tar -tvf "${archive_path}" 2>/dev/null | awk '$1 ~ /^l/ { found=1 } END { exit found ? 0 : 1 }'
+            ;;
+        *)
+            return 1
+            ;;
+    esac
+}
+
 validate_archive_contents() {
     local archive_path="$1"
     local entries
@@ -652,6 +668,16 @@ validate_archive_contents() {
             ;;
     esac
 
+    if [[ -z "${entries}" ]]; then
+        log_error "Archive is empty: ${archive_path}"
+        return 1
+    fi
+
+    if archive_contains_symlinks "${archive_path}"; then
+        log_error "Archive contains symlinks; refusing to install."
+        return 1
+    fi
+
     while IFS= read -r entry; do
         validate_archive_entry_path "${entry}" || return 1
     done <<< "${entries}"

scripts/tests/install-script.test.js

@@ -127,6 +127,8 @@
     expect(script).toContain('validate_https_url "${NPM_REGISTRY}"');
     expect(script).toContain('qwen-code/node/bin/node');
     expect(script).toContain('Archive contains symlinks; refusing to install');
+    expect(script).toContain('Archive is empty');
+    expect(script).toContain('archive_contains_symlinks()');
     expect(script).toContain('not a Qwen Code standalone install');
     expect(script).toContain(
       'Return 2 only when a standalone archive is unavailable',
@@ -288,6 +290,13 @@
     expect(script).toContain('if "!INSTALL_DIR:~1,2!"==":/"');
     expect(script).toContain('if "!INSTALL_BIN_DIR:~1,2!"==":/"');
     expect(script).toContain(':ValidateVersion');
+    expect(script).toContain(
+      'findstr /R /C:"^[0-9][0-9]*\\.[0-9][0-9]*\\.[0-9][0-9]*[A-Za-z0-9.-]*$"',
+    );
+    expect(script).toContain(
+      'findstr /R /C:"^v[0-9][0-9]*\\.[0-9][0-9]*\\.[0-9][0-9]*[A-Za-z0-9.-]*$"',
+    );
+    expect(script).not.toContain('/C:"^v*[0-9]');
     expect(script).toContain(
       'call :ValidateHttpsUrlVar "NPM_REGISTRY" "--registry"',
     );
@@ -664,7 +673,7 @@
       ['scripts/build-hosted-installation-assets.js', '--help'],
       { encoding: 'utf8' },
     );
     const verifierOutput = execFileSync(
       process.execPath,
       ['scripts/verify-installation-release.js', '--help'],
       { encoding: 'utf8' },
@@ -696,7 +705,7 @@
           caughtError?.stdout?.toString(),
           caughtError?.stderr?.toString(),
         ].join('\n'),
       ).toMatch(expectedOutput);
     };
 
     expectFail(
@@ -1201,6 +1210,32 @@
       await expect(verifyReleaseDirectory(tmpDir)).rejects.toThrow(
         /Unexpected release asset checksum: qwen-code-extra\.tar\.gz/,
       );
+
+      writeStandaloneReleaseAssets(tmpDir, EXPECTED_STANDALONE_ARCHIVE_NAMES);
+      writeStandaloneReleaseChecksums(
+        tmpDir,
+        EXPECTED_STANDALONE_ARCHIVE_NAMES.slice(1),
+      );
+      await expect(verifyReleaseDirectory(tmpDir)).rejects.toThrow(
+        /Missing release asset checksum: qwen-code-/,
+      );
+    } finally {
+      rmSync(tmpDir, { recursive: true, force: true });
+    }
+  });
+
+  it('rejects unexpected files in a release directory', async () => {
+    const { EXPECTED_STANDALONE_ARCHIVE_NAMES, verifyReleaseDirectory } =
+      await import(installationReleaseVerificationScriptUrl);
+    const tmpDir = mkdtempSync(path.join(tmpdir(), 'qwen-release-verify-'));
+
+    try {
+      writeStandaloneReleaseAssets(tmpDir, EXPECTED_STANDALONE_ARCHIVE_NAMES);
+      writeFileSync(path.join(tmpDir, '.DS_Store'), 'finder metadata\n');
+
+      await expect(verifyReleaseDirectory(tmpDir)).rejects.toThrow(
+        /Unexpected file\(s\) in release directory: \.DS_Store/,
+      );
     } finally {
       rmSync(tmpDir, { recursive: true, force: true });
     }
@@ -1278,11 +1313,62 @@
     ).rejects.toThrow(/Checksum mismatch for qwen-code-/);
   });
 
+  it('rejects remote SHA256SUMS responses that are unavailable', async () => {
+    const { verifyReleaseBaseUrl } = await import(
+      installationReleaseVerificationScriptUrl
+    );
+
+    await expect(
+      verifyReleaseBaseUrl('https://example.com/qwen-code/v0.0.0', {
+        fetchImpl: async () => new Response('missing', { status: 404 }),
+      }),
+    ).rejects.toThrow(/Failed to download .*SHA256SUMS: 404/);
+  });
+
+  it('rejects remote SHA256SUMS with missing or extra archive entries', async () => {
+    const { EXPECTED_STANDALONE_ARCHIVE_NAMES, verifyReleaseBaseUrl } =
+      await import(installationReleaseVerificationScriptUrl);
+
+    await expect(
+      verifyReleaseBaseUrl('https://example.com/qwen-code/v0.0.0', {
+        fetchImpl: async (url) => {
+          if (url.endsWith('/SHA256SUMS')) {
+            return new Response(
+              placeholderChecksumContent(
+                EXPECTED_STANDALONE_ARCHIVE_NAMES.slice(1),
+              ),
+            );
+          }
+          return new Response(null, { status: 200 });
+        },
+      }),
+    ).rejects.toThrow(/Missing release asset checksum: qwen-code-/);
+
+    await expect(
+      verifyReleaseBaseUrl('https://example.com/qwen-code/v0.0.0', {
+        fetchImpl: async (url) => {
+          if (url.endsWith('/SHA256SUMS')) {
+            return new Response(
+              placeholderChecksumContent([
+                ...EXPECTED_STANDALONE_ARCHIVE_NAMES,
+                'qwen-code-extra.tar.gz',
+              ]),
+            );
+          }
+          return new Response(null, { status: 200 });
+        },
+      }),
+    ).rejects.toThrow(
+      /Unexpected release asset checksum: qwen-code-extra\.tar\.gz/,
+    );
+  });
+
   it('rejects a release base URL that is not https', async () => {
     const { verifyReleaseBaseUrl } = await import(
       installationReleaseVerificationScriptUrl
     );
 
+    // file:// must be rejected as a URL the verifier cannot reach safely.
     await expect(verifyReleaseBaseUrl('file:///tmp/release/')).rejects.toThrow(
       /--base-url must use https/,
     );
@@ -1811,7 +1897,7 @@
     expect(guide).toContain('ALIYUN_OSS_ACCESS_KEY_SECRET');
     expect(guide).toContain('ALIYUN_OSS_BUCKET');
     expect(guide).toContain('ALIYUN_OSS_ENDPOINT');
     expect(guide).toContain('Public installation documentation');
     expect(guide).toContain('node-pty');
     expect(guide).toContain('clipboard');
   });
@@ -1869,7 +1955,7 @@
         const archive = packageFakeStandalone(tmpDir);
         const installRoot = path.join(tmpDir, 'install');
         const home = path.join(tmpDir, 'home');
-        const output = runUnixInstaller(archive, installRoot, home).toString();
+        runUnixInstaller(archive, installRoot, home);
 
         expect(existsSync(path.join(installRoot, 'bin', 'qwen'))).toBe(true);
         expect(
@@ -1887,26 +1973,26 @@
           .toString()
           .trim();
         expect(version).toBe('0.0.0-smoke');
         expect(output).toContain('Installing Qwen Code version: latest');
         expect(output).toContain('QWEN CODE');
         expect(output).toContain(
           'Qwen Code 0.0.0-smoke installed successfully.',
         );
         expect(output).toContain('To start:\n  cd <project>\n  qwen');
         expect(output).toContain(
           `Installed to:\n  ${path.join(installRoot, 'lib', 'qwen-code')}`,
         );
         expect(output).toContain('Uninstall:');
         expect(output).toContain(
           'https://qwen-code-assets.oss-cn-hangzhou.aliyuncs.com/installation/uninstall-qwen-standalone.sh',
         );
         expect(output).toContain(
           `QWEN_INSTALL_LIB_DIR='${path.join(installRoot, 'lib', 'qwen-code')}'`,
         );
         expect(output).toContain(
           `QWEN_INSTALL_BIN_DIR='${path.join(installRoot, 'bin')}'`,
         );
         expect(output).not.toContain('rm -rf');
       } finally {
         rmSync(tmpDir, { recursive: true, force: true });
         restoreMinimalDist(createdDist);
@@ -2630,6 +2716,64 @@
     }
   });
 
+  itOnUnix('rejects archive symlinks before extraction', () => {
+    const tmpDir = mkdtempSync(path.join(tmpdir(), 'qwen-install-test-'));
+
+    try {
+      const archive = createSymlinkStandaloneArchive(tmpDir);
+      const tarWrapperDir = path.join(tmpDir, 'bin');
+      const marker = path.join(tmpDir, 'tar-extraction-attempted');
+      mkdirSync(tarWrapperDir, { recursive: true });
+      writeFileSync(
+        path.join(tarWrapperDir, 'tar'),
+        [
+          '#!/usr/bin/env bash',
+          'if [[ "$1" == "-xzf" || "$1" == "-xf" ]]; then',
+          '  touch "$QWEN_TAR_EXTRACT_MARKER"',
+          'fi',
+          'exec "$QWEN_REAL_TAR" "$@"',
+          '',
+        ].join('\n'),
+      );
+      chmodSync(path.join(tarWrapperDir, 'tar'), 0o755);
+
+      expect(() =>
+        runUnixInstaller(
+          archive,
+          path.join(tmpDir, 'install'),
+          path.join(tmpDir, 'home'),
+          'standalone',
+          {
+            PATH: `${tarWrapperDir}${path.delimiter}${process.env.PATH}`,
+            QWEN_REAL_TAR: execFileSync('which', ['tar']).toString().trim(),
+            QWEN_TAR_EXTRACT_MARKER: marker,
+          },
+        ),
+      ).toThrow(/Archive contains symlinks/);
+      expect(existsSync(marker)).toBe(false);
+    } finally {
+      rmSync(tmpDir, { recursive: true, force: true });
+    }
+  });
+
+  itOnUnix('rejects empty standalone archives with a clear error', () => {
+    const tmpDir = mkdtempSync(path.join(tmpdir(), 'qwen-install-test-'));
+
+    try {
+      const archive = createEmptyStandaloneArchive(tmpDir);
+
+      expect(() =>
+        runUnixInstaller(
+          archive,
+          path.join(tmpDir, 'install'),
+          path.join(tmpDir, 'home'),
+        ),
+      ).toThrow(/Archive is empty/);
+    } finally {
+      rmSync(tmpDir, { recursive: true, force: true });
+    }
+  });
+
   itOnUnix(
     'rejects standalone archives containing path traversal entries',
     () => {
@@ -3802,6 +3946,17 @@
   return archive;
 }
 
+function createEmptyStandaloneArchive(tmpDir) {
+  const outDir = path.join(tmpDir, 'out');
+  mkdirSync(outDir, { recursive: true });
+  const archive = path.join(outDir, 'qwen-code-linux-x64.tar.gz');
+  execFileSync('tar', ['-czf', archive, '-T', '/dev/null'], {
+    stdio: 'ignore',
+  });
+  writeChecksumFile(outDir, path.basename(archive));
+  return archive;
+}
+
 function createTraversalStandaloneArchive(tmpDir) {
   const maliciousRoot = path.join(tmpDir, 'malicious');
   const packageRoot = path.join(maliciousRoot, 'qwen-code');