Install

Quick install

curl | sh

curl -fsSL https://sealedsecurity.com/seal-install.sh | sh

The installer:

• Picks the platform-appropriate tarball from the latest GitHub release.
• Verifies its SHA-256 against the release’s checksum file.
• Drops seal into ~/.local/bin/seal (or /usr/local/bin/seal if writable).
• Drops the agent WASM component into ~/.local/share/seal/seal_agent.wasm.

Supported platforms: x86_64-linux, aarch64-linux, x86_64-darwin, aarch64-darwin.

Homebrew

brew tap sealedsecurity/seal
brew install seal

Pulls the same release tarballs as the curl-pipe-sh path. Upgrades land via brew upgrade seal; the tap auto-refreshes on each release.

From source

git clone https://github.com/sealedsecurity/seal
cd seal
just install-deps     # nightly + rust-src + wasm target + cargo-edit + mprocs
just install-debug    # builds + installs to ~/.local/bin

Requires the nightly Rust toolchain pinned in rust-toolchain.toml; rustup picks it up automatically. System dependencies:

• macOS — brew install protobuf just (the build needs protoc for the seal-proto crate; just for the task recipes).
• Linux — apt install protobuf-compiler libdbus-1-dev just (or your distro’s equivalent — libdbus-1-dev is required for the keychain backend on Linux).

For a release build instead of the debug install, use just install — same binaries, ~/.cargo/bin install dir, longer compile time.

Other install paths

Coming soon: cargo binstall seal (post-launch — needs the crates.io publish to land), and a Nix flake at github:sealedsecurity/seal for nix-darwin / NixOS users. Track SEA-517 and SEA-518 if you care about either.

Verify

seal --version

The first run will set up ~/.seal/ (your per-user data dir for session logs, manifest signatures, and the daemon socket).

Set up an LLM provider

The least-friction path on launch day is a Claude subscription OAuth token. From a machine with Claude Code installed:

claude setup-token

…then take the printed sk-ant-oat... token and export it where Seal will find it:

export CLAUDE_CODE_OAUTH_TOKEN="sk-ant-oat..."

claude setup-token documentation: code.claude.com/docs/en/authentication#generate-a-long-lived-token.

For API keys, OpenRouter, or other providers, see Provider backends.

First project

seal embark is the friendly first-run wizard. It checks you have a credential set, walks you through provider selection, and stamps a starter seal.toml into the current directory:

cd ~/code/my-project
seal embark

Once embark has set up the project, seal launches the TUI in interactive mode:

seal

For subsequent projects (or to re-scaffold a manifest in a project that already has its credentials configured), use seal init — it skips the credential check and just writes the starter seal.toml.

See Getting started for the full first-prompt walkthrough.

Uninstall

rm -f ~/.local/bin/seal /usr/local/bin/seal
rm -rf ~/.local/share/seal
rm -rf ~/.seal

Project-local seal.toml and .seal/ directories stay untouched — they’re per-project state, not per-install.