v0.5.1: TSA on by default, install UX improvements, setup enhancements

- TSA anchoring enabled by default (free DigiCert service, rate-limited)
- README: add "Why I built this" section with ICP positioning
- README: simplify Quick Start to two commands, Windows in collapsible
- install.sh: platform-aware install dir (~/.punkgo/bin/ on Windows)
- install.sh: PATH detection + guidance after install
- install.sh: skip chmod +x on Windows, mkdir -p before install
- setup: print survey link (punkgo.ai/why) after successful setup
- setup: check kernel version compatibility, warn if outdated
- cargo fmt across touched files

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: FeilixX

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "punkgo-jack"
-version = "0.5.0"
+version = "0.5.1"
 edition = "2021"
 description = "AI tool hook adapter for punkgo-kernel — every tool call gets a cryptographic receipt with Ed25519 signing and RFC 3161 TSA anchoring"
 license = "MIT"

README.md

@@ -12,26 +12,46 @@ Your AI agent just deleted your production database. Your `.env`. It happens eve
 
 ---
 
-**Contents:** [Quick Start](#quick-start) · [How It Works](#how-it-works) · [Verify](#verify) · [Trust Layers](#trust-layers) · [CLI](#cli) · [Config](#config) · [Supported Tools](#supported-tools) · [Evolution](#evolution)
+**Contents:** [Why](#why-i-built-this) · [Quick Start](#quick-start) · [How It Works](#how-it-works) · [Verify](#verify) · [Trust Layers](#trust-layers) · [CLI](#cli) · [Config](#config) · [Supported Tools](#supported-tools) · [Evolution](#evolution)
+
+---
+
+## Why I built this
+
+I've been using Claude Code daily since January 2025. After 25,000+ AI actions, I realized I had zero proof of what actually happened. The AI's own logs? It can edit those. Git history? Doesn't capture the thinking process. I wanted something that works like a dashcam — always recording, can't be tampered with, and there when you need it.
+
+PunkGo Jack is that dashcam. Not a log file you can delete. Not a summary the AI writes about itself. A cryptographic receipt — append-only, Ed25519-signed, RFC 3161 timestamped. You can't backdate it, you can't delete it, you can't forge it.
+
+**Who is this for?** If you use Claude Code or Cursor for client work, team projects, or anything where you need to show what your AI actually did — this is for you.
 
 ---
 
 ## Quick Start
 
 ```bash
-# Install
 curl -fsSL https://raw.githubusercontent.com/PunkGo/punkgo-jack/main/install.sh | bash
-# or: cargo install punkgo-jack && cargo install punkgo-kernel
+punkgo-jack setup claude-code   # or: punkgo-jack setup cursor
+```
 
-# Setup (pick your tool)
-punkgo-jack setup claude-code
-punkgo-jack setup cursor
+That's it — two commands. Your next AI session is recorded with Ed25519 signatures and RFC 3161 timestamps. Verify anytime:
+
+```bash
+punkgo-jack receipt             # session summary + anchor time
+punkgo-jack verify <ID>         # cryptographic proof
+```
 
-# Optional: enable RFC 3161 TSA time anchoring
-echo -e '[tsa]\nenabled = true' >> ~/.punkgo/config.toml
+Upgrade: `punkgo-jack upgrade`. Uninstall: `punkgo-jack unsetup claude-code`.
+
+<details>
+<summary>Windows / manual install</summary>
+
+```powershell
+cargo install punkgo-jack && cargo install punkgo-kernel
+punkgo-jack setup claude-code
 ```
 
-That's it. Your next session is already being recorded. Upgrade anytime: `punkgo-jack upgrade`.
+Requires [Rust toolchain](https://rustup.rs). The install script also works in Git Bash on Windows.
+</details>
 
 ## How It Works
 
@@ -86,17 +106,17 @@ A root operator with the signing key could rebuild the tree — this is the sing
 
 ## Config
 
-TSA anchoring is opt-in. Create `~/.punkgo/config.toml`:
+TSA anchoring is **on by default** (free DigiCert public service, rate-limited to once per 5 minutes). To customize, create `~/.punkgo/config.toml`:
 
 ```toml
 [tsa]
-enabled = true
-# url = "http://timestamp.digicert.com"   # default
+# enabled = true                           # default: true
+# url = "http://timestamp.digicert.com"    # default
 # timeout_secs = 10                        # default
 # min_interval_secs = 300                  # 0 for CI burst mode
 ```
 
-Env var overrides: `PUNKGO_TSA_ENABLED`, `PUNKGO_TSA_URL`, `PUNKGO_TSA_MIN_INTERVAL_SECS`.
+Disable TSA: set `enabled = false` or `PUNKGO_TSA_ENABLED=false`. Other env vars: `PUNKGO_TSA_URL`, `PUNKGO_TSA_MIN_INTERVAL_SECS`.
 
 ## Supported Tools
 
@@ -111,7 +131,8 @@ Env var overrides: `PUNKGO_TSA_ENABLED`, `PUNKGO_TSA_URL`, `PUNKGO_TSA_MIN_INTER
 
 | Version | What changed |
 |---------|-------------|
-| **v0.5.0** | RFC 3161 TSA anchoring, verify-tsr, config system |
+| **v0.5.1** | TSA on by default, Windows install fix, kernel version check, setup survey |
+| v0.5.0 | RFC 3161 TSA anchoring, verify-tsr, config system |
 | v0.4.2 | Multi-agent default (--actor shows all) |
 | v0.4.1 | Cursor IDE support, dual-tool coexistence |
 | v0.4.0 | Verify, export, presence heatmap, MCP server |

install.sh

@@ -5,7 +5,20 @@ set -euo pipefail
 
 JACK_REPO="PunkGo/punkgo-jack"
 KERNEL_REPO="PunkGo/punkgo-kernel"
-INSTALL_DIR="${PUNKGO_INSTALL_DIR:-/usr/local/bin}"
+
+# Default install directory: platform-aware.
+if [ -z "${PUNKGO_INSTALL_DIR:-}" ]; then
+  case "$(uname -s)" in
+    MINGW*|MSYS*|CYGWIN*)
+      # Windows: install to ~/.punkgo/bin/ (always writable, no sudo).
+      # Use $HOME (POSIX path, consistent with Git Bash $PATH format).
+      INSTALL_DIR="$HOME/.punkgo/bin" ;;
+    *)
+      INSTALL_DIR="/usr/local/bin" ;;
+  esac
+else
+  INSTALL_DIR="$PUNKGO_INSTALL_DIR"
+fi
 
 # Colors
 RED='\033[0;31m'
@@ -91,14 +104,15 @@ install_binary() {
     return 1
   fi
 
-  # Install
+  # Install — ensure target dir exists.
+  mkdir -p "$INSTALL_DIR"
   if [ -w "$INSTALL_DIR" ]; then
     mv "${tmpdir}/${bin_name}" "${INSTALL_DIR}/${bin_name}"
   else
     info "Need sudo to install to ${INSTALL_DIR}"
     sudo mv "${tmpdir}/${bin_name}" "${INSTALL_DIR}/${bin_name}"
   fi
-  chmod +x "${INSTALL_DIR}/${bin_name}"
+  [ "$OS" != "windows" ] && chmod +x "${INSTALL_DIR}/${bin_name}"
 
   rm -rf "$tmpdir"
   info "Installed ${bin_name} → ${INSTALL_DIR}/${bin_name}"
@@ -130,6 +144,21 @@ main() {
   if [ "$failed" -eq 0 ]; then
     info "Installation complete!"
     echo ""
+    # Check if INSTALL_DIR is in PATH.
+    case ":$PATH:" in
+      *":${INSTALL_DIR}:"*) ;;
+      *)
+        warn "${INSTALL_DIR} is not in your PATH."
+        if [ "$OS" = "windows" ]; then
+          dim "Add it:  setx PATH \"%PATH%;$(cygpath -w "$INSTALL_DIR" 2>/dev/null || echo "$INSTALL_DIR")\""
+          dim "Then restart your terminal."
+        else
+          dim "Add it:  export PATH=\"${INSTALL_DIR}:\$PATH\""
+          dim "Or add that line to your ~/.bashrc / ~/.zshrc"
+        fi
+        echo ""
+        ;;
+    esac
     dim "Next step:"
     echo "  punkgo-jack setup claude-code"
     echo ""

src/anchor.rs

@@ -100,15 +100,14 @@ pub fn do_anchor(config: &Config) -> Result<Option<AnchorReceipt>> {
     let client = IpcClient::from_env(None);
     let (tree_size, root_hash) = fetch_checkpoint(&client)?;
 
-    let tsr_path = config::tsr_path(tree_size)
-        .context("failed to determine TSR storage path")?;
+    let tsr_path = config::tsr_path(tree_size).context("failed to determine TSR storage path")?;
     if tsr_path.exists() {
         debug!(tree_size, "already anchored");
         return Ok(None);
     }
 
-    let hash_bytes = tsa_verify::hex_to_32bytes(&root_hash)
-        .context("invalid root_hash hex from checkpoint")?;
+    let hash_bytes =
+        tsa_verify::hex_to_32bytes(&root_hash).context("invalid root_hash hex from checkpoint")?;
     let tsq = build_timestamp_req(&hash_bytes)?;
 
     info!(url = %config.tsa.url, tree_size, "submitting to TSA");
@@ -145,8 +144,7 @@ fn needs_anchor() -> Result<bool> {
         Ok(v) => v,
         Err(_) => return Ok(false),
     };
-    let tsr_path = config::tsr_path(tree_size)
-        .context("failed to determine TSR path")?;
+    let tsr_path = config::tsr_path(tree_size).context("failed to determine TSR path")?;
     Ok(!tsr_path.exists())
 }
 
@@ -162,10 +160,14 @@ fn fetch_checkpoint(client: &IpcClient) -> Result<(i64, String)> {
     if resp.status != "ok" {
         anyhow::bail!("kernel returned error: {}", resp.payload);
     }
-    let tree_size = resp.payload.get("tree_size")
+    let tree_size = resp
+        .payload
+        .get("tree_size")
         .and_then(|v| v.as_i64())
         .context("missing tree_size in checkpoint response")?;
-    let root_hash = resp.payload.get("root_hash")
+    let root_hash = resp
+        .payload
+        .get("root_hash")
         .and_then(|v| v.as_str())
         .context("missing root_hash in checkpoint response")?
         .to_string();

src/config.rs

@@ -20,8 +20,10 @@ pub struct Config {
 /// TSA anchoring configuration.
 #[derive(Debug, Deserialize, PartialEq)]
 pub struct TsaConfig {
-    /// Master switch. Default: false (opt-in).
-    #[serde(default)]
+    /// Master switch. Default: true (opt-out).
+    /// TSA uses the free DigiCert public service with rate limiting,
+    /// so it is safe to enable by default.
+    #[serde(default = "default_tsa_enabled")]
     pub enabled: bool,
 
     /// Primary TSA endpoint URL. RFC 3161 over HTTP(S).
@@ -41,10 +43,14 @@ pub struct TsaConfig {
     pub min_interval_secs: u64,
 }
 
+fn default_tsa_enabled() -> bool {
+    true
+}
+
 impl Default for TsaConfig {
     fn default() -> Self {
         Self {
-            enabled: false,
+            enabled: true,
             url: default_tsa_url(),
             timeout_secs: default_timeout(),
             min_interval_secs: default_min_interval(),
@@ -127,7 +133,7 @@ mod tests {
     #[test]
     fn default_config_values() {
         let config = Config::default();
-        assert!(!config.tsa.enabled);
+        assert!(config.tsa.enabled);
         assert_eq!(config.tsa.url, "http://timestamp.digicert.com");
         assert_eq!(config.tsa.timeout_secs, 10);
         assert_eq!(config.tsa.min_interval_secs, 300);
@@ -168,12 +174,12 @@ min_interval_secs = 0
     #[test]
     fn env_override_enabled() {
         let mut config = Config::default();
-        assert!(!config.tsa.enabled);
+        assert!(config.tsa.enabled); // default is now true
 
-        // Simulate env var
-        std::env::set_var("PUNKGO_TSA_ENABLED", "true");
+        // Simulate env var to disable
+        std::env::set_var("PUNKGO_TSA_ENABLED", "false");
         apply_env_overrides(&mut config);
-        assert!(config.tsa.enabled);
+        assert!(!config.tsa.enabled);
 
         // Cleanup
         std::env::remove_var("PUNKGO_TSA_ENABLED");

src/history.rs

@@ -556,9 +556,7 @@ fn print_receipt_tsa_status(tree_size: u64) {
             let name_str = name.to_string_lossy();
             if let Some(stem) = name_str.strip_suffix(".tsr") {
                 if let Ok(ts) = stem.parse::<i64>() {
-                    if ts >= tree_size as i64
-                        && best.as_ref().is_none_or(|(b, _)| ts < *b)
-                    {
+                    if ts >= tree_size as i64 && best.as_ref().is_none_or(|(b, _)| ts < *b) {
                         best = Some((ts, entry.path()));
                     }
                 }