v0.7.0 · 60db8601
Release: kit v0.7.0
feat: setup --registry adds to existing config, downgrade warning, bootstrap docs

v0.6.0 · a51f5742
Release: kit v0.6.0
kit v0.6.0

Ship audit release. Root cause fix for checksum verification failures on own tools, plus 8 additional findings from comprehensive code audit.

kit check was downloading cosign bundles (.bundle files) instead of binaries for own tools. The release link matching used contains() which matched kit-darwin-arm64.bundle before kit-darwin-arm64 because the bundle link appeared earlier in the release links array. Fixed: exact name match first, then URL ends_with(/asset_name) fallback.

- jq advisory filter: escape dots in version before regex interpolation
- Bundle URL construction: append .bundle instead of replace() which could corrupt URL path
- resolve_installed_sha: return None when binary not found (don't store registry checksums in the binary_sha256 field)
- cmd_upgrade: remove stale [tool.checksums] after version bump
- check_crates: exact name match instead of prefix match
- URL validation: reject embedded newlines
- cmd_pin: validate version before saving
- apply commit: include flagged updates in commit message

125 tests. 0 clippy warnings. 6 adversarial reviews + 1 ship audit, 55 total findings addressed.

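The link-selection bug described in the v0.6.0 notes, as an added Rust example that is not kit's own code: the pre-fix contains() match beside the exact-name-then-ends_with selection, plus the append-only bundle URL. The ReleaseLink shape, the link ordering and the example.invalid download URLs are constructed.

```rust
/// One asset link as it appears in a release's links array. Constructed
/// shape for this example, not kit's real API type: display name plus URL.
pub struct ReleaseLink {
    pub name: &'static str,
    pub url: &'static str,
}

/// Constructed sample: the cosign bundle is listed *before* the binary,
/// which is the ordering that triggered the v0.6.0 bug.
pub fn sample_links() -> Vec<ReleaseLink> {
    vec![
        ReleaseLink { name: "kit-darwin-arm64.bundle", url: "https://example.invalid/dl/kit-darwin-arm64.bundle" },
        ReleaseLink { name: "macOS arm64 binary",      url: "https://example.invalid/dl/kit-darwin-arm64" },
        ReleaseLink { name: "kit-linux-amd64",         url: "https://example.invalid/dl/kit-linux-amd64" },
    ]
}

/// Pre-0.6.0 behaviour: the first URL that merely contains the asset name
/// wins, so "kit-darwin-arm64.bundle" is chosen when "kit-darwin-arm64" is
/// wanted, and the checksum check then runs against the wrong file.
pub fn pick_asset_contains<'a>(links: &'a [ReleaseLink], asset: &str) -> Option<&'a str> {
    links.iter().find(|l| l.url.contains(asset)).map(|l| l.url)
}

/// v0.6.0 behaviour: exact link-name match first, then a URL whose path
/// ends with "/<asset>". A longer name that only contains the asset name
/// can no longer match.
pub fn pick_asset_fixed<'a>(links: &'a [ReleaseLink], asset: &str) -> Option<&'a str> {
    if let Some(l) = links.iter().find(|l| l.name == asset) {
        return Some(l.url);
    }
    let suffix = format!("/{asset}");
    links.iter().find(|l| l.url.ends_with(&suffix)).map(|l| l.url)
}

/// Bundle URL derived by appending ".bundle" (the v0.6.0 fix) rather than
/// string-replacing inside the path, which could corrupt other segments.
pub fn bundle_url(binary_url: &str) -> String {
    format!("{binary_url}.bundle")
}

fn main() {
    let links = sample_links();
    println!("buggy : {:?}", pick_asset_contains(&links, "kit-darwin-arm64"));
    println!("fixed : {:?}", pick_asset_fixed(&links, "kit-darwin-arm64"));
    println!("bundle: {}", bundle_url(pick_asset_fixed(&links, "kit-darwin-arm64").unwrap()));
}
```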
v0.5.4 · 35bd6292
kit v0.5.4

Simplified check (no in-code retry), crates.io publish fix.

Changes since v0.5.2:
- Reverted retry/diagnostic logic in check -- download, hash, compare, report. Transient failures handled by CI retry, not application code.
- Pipeline component updated to v2.4.7 (--allow-dirty for cargo publish).

v0.5.3 · baabaeeb
Release: kit v0.5.3
kit v0.5.3

Simplified check: download, hash, compare, report. Removed in-code retry logic, diagnostic logging, and CDN caching workarounds from the check phase. Transient download failures are the CI layer's responsibility (retry: max: 2 in pipeline config). Kit check should surface problems, not mask them.

Investigated on GCE: the checksum mismatches seen on storr could not be reproduced with the same container image and reqwest config. The issue is transient and infrastructure-specific.

v0.5.1 · ca677569
Release: kit v0.5.1
kit v0.5.1 -- evaluate no longer fatals on rejections, branch naming fix, graceful npm/crates skip

v0.4.0 · 7fce0cf2
Release: kit v0.4.0
kit v0.4.0 -- Three-Pipeline Supply Chain Architecture

Sense/Respond/Verify -- LLM-augmented supply chain maintenance.

New: kit sense, kit verify-registry.
Changed: check no longer fatals on version bumps, evaluate accepts sense-report.json, apply produces richer MR audit trail, init --ci generates three-pipeline CI.

125 tests. 20 commands.

    cargo install nomograph-kit

v0.3.2 · fa19ce79
Release: kit v0.3.2
kit v0.3.2

Security fix release.
- S5-1: add https_only to MR creation fallback client
- Pipeline v2.1.0: nomograph container registry, release install instructions
- Explicit audit_allow_failure: false
- Updated yanked fastrand

v0.3.1 · fd7d5f5f
Release: kit v0.3.1
kit v0.3.1

CI hardening and supply chain fix.
- Pipeline v2.1.0: nomograph container registry, release install instructions
- Explicit audit_allow_failure: false
- Supply chain gap fixes from main (unreleased since v0.3.0)
- Updated yanked fastrand

v0.3.0 · 09e5b2fe
Release: kit v0.3.0
kit v0.3.0

kit is a supply chain tool for managing developer toolchains from git-based registries. It resolves versions, generates mise config, verifies checksums and cosign signatures, and automates upstream update tracking.

kit setup no longer hardcodes a default registry. Everyone brings their own:

    kit setup --registry https://gitlab.com/nomograph/kits.git

Interactive tool update workflow for day-to-day use. Queries upstream, shows available updates with bump classification (major/minor/patch), and updates tool definitions on confirmation:

    kit upgrade
    kit upgrade --yes
    kit upgrade cosign

kit add now produces zero-edit tool definitions for both GitHub and GitLab sources:

    kit add jq jqlang/jq
    kit add muxr nomograph/muxr --gitlab

Auto-detects: aqua registry membership, cosign bundles in release assets, tier based on registry namespace, checksum files and format, tag prefix and version. Resolves GitLab project_id from URL path (--project-id flag removed).

    kit audit            # check all tools for known CVEs
    kit remove <name>    # remove a tool from writable registry
    kit man-page > kit.1

- kit check reports ALL checksum mismatches before exiting
- kit apply falls back to GitLab API when glab auth unavailable in CI
- CI images now pulled from GitLab container registry (no Docker Hub)

103 tests. 16 commands. 0 clippy warnings.

    kit setup --registry https://gitlab.com/nomograph/kits.git
    kit sync

v0.2.0 · 950d5df3
kit v0.2.0

Uses `mise which` for binary path resolution instead of heuristic guessing. Distinguishes archive-distributed tools (binary-hash) from bare-binary tools (full checksum + cosign verification). 23/26 tools verify out of the box.

Query GitHub Advisory DB for known CVEs on all GitHub and npm-sourced tools. Exits non-zero on high/critical findings.

Delete a tool definition from a writable registry. Git commit + push.

Reports ALL checksum mismatches before exiting, not just the first. Gives operators full incident scope in one CI run.

MR creation falls back to GitLab API via CI_JOB_TOKEN when glab auth is unavailable. Tested end-to-end in the nomograph/kits registry pipeline.

94 tests. 0 clippy warnings. 14 commands.

    cargo install --git https://gitlab.com/nomograph/kit.git

v0.1.0 · f7959e5f
Release: kit v0.1.0
kit v0.1.0 -- Verified Tool Registry Manager

First release. Manages developer toolchains from git-based registries with cryptographic verification. Built for the Nomograph project.

kit resolves tool versions across multiple registries, generates mise configuration, verifies checksums and cosign signatures, and automates upstream update tracking via CI.

- kit setup -- one-time config, add default registry
- kit sync -- pull registries, resolve, generate mise config, install
- kit status -- drift detection, tier/registry display
- kit verify -- re-verify all installed binaries (cosign + checksums)
- kit add -- query upstream, auto-populate version/assets/checksums
- kit push -- commit and push tool definition to registry
- kit pin/unpin -- local version or registry overrides
- kit check -- scan upstream for newer versions (CI mode)
- kit evaluate -- LLM review for edge cases (CI mode)
- kit apply -- surgical TOML updates, branch, MR creation (CI mode)
- kit init -- scaffold a new registry with optional CI template
- kit completions -- shell completions (bash/zsh/fish/elvish/powershell)

Per-tool TOML definitions in tools/*.toml. Self-contained: each file has source, version, platform assets, checksum config, and optional cosign signature identity. Template syntax: {version} single brace.

Default registry: nomograph/kits

- TOML injection prevention: mise config via toml_edit API, never strings
- Input validation: all fields validated against strict regex patterns
- Supply chain attack detection: same version + changed checksum = hard stop
- Dependency confusion prevention: registry migration requires confirmation
- Cosign exact certificate identity match
- Registry URLs restricted to https:// and git@
- Symlink rejection in registry tool loading
- Direct source URLs enforced HTTPS
- Tag prefix, branch name, pin version all validated
- Inline checksums validated as 64-char hex strings

    cargo install --git https://gitlab.com/nomograph/kit.git

    cosign verify-blob \
      --bundle kit-darwin-arm64.bundle \
      --certificate-oidc-issuer https://gitlab.com \
      --certificate-identity 'https://gitlab.com/nomograph/kit' \
      kit-darwin-arm64
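The "same version + changed checksum = hard stop" rule and the 64-char hex checksum validation from the v0.1.0 list, as an added Rust example that is not kit's own code: a checksum-drift classifier that validates digests before comparing them. The UpdateVerdict type, the function names and the sample digests are constructed for this example.

```rust
/// Outcome of comparing a registry's pinned (version, sha256) against what
/// upstream now publishes for the same asset. Constructed type, not kit's.
#[derive(Debug, PartialEq)]
pub enum UpdateVerdict {
    NoChange,
    VersionBump { from: String, to: String },
    /// Same version, different checksum: the published asset was replaced
    /// in place. This is treated as a hard stop, never as a routine update.
    ChecksumDrift { version: String, expected: String, actual: String },
    InvalidChecksum(String),
}

/// Inline checksums must be exactly 64 hex characters (a SHA-256 digest);
/// anything else is rejected before it is compared or stored.
pub fn is_sha256_hex(s: &str) -> bool {
    s.len() == 64 && s.bytes().all(|b| b.is_ascii_hexdigit())
}

/// Classify an upstream observation relative to the pinned definition.
/// Digests are validated first so a malformed value can never be mistaken
/// for "no change"; comparison is case-insensitive because hex is.
pub fn classify_update(pinned_version: &str, pinned_sha: &str,
                       upstream_version: &str, upstream_sha: &str) -> UpdateVerdict {
    for sha in [pinned_sha, upstream_sha] {
        if !is_sha256_hex(sha) {
            return UpdateVerdict::InvalidChecksum(sha.to_string());
        }
    }
    if pinned_version != upstream_version {
        return UpdateVerdict::VersionBump { from: pinned_version.into(), to: upstream_version.into() };
    }
    if !pinned_sha.eq_ignore_ascii_case(upstream_sha) {
        return UpdateVerdict::ChecksumDrift {
            version: pinned_version.into(),
            expected: pinned_sha.to_ascii_lowercase(),
            actual: upstream_sha.to_ascii_lowercase(),
        };
    }
    UpdateVerdict::NoChange
}

fn main() {
    // Constructed digests, not real release checksums.
    let a = "a".repeat(64);
    let b = "b".repeat(64);
    println!("{:?}", classify_update("1.7.1", &a, "1.7.1", &b));
}
```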