Tags

  • v0.3.2

    Release: kit v0.3.2
    kit v0.3.2
    
    Security fix release.
    
    - S5-1: add https_only to MR creation fallback client
    - Pipeline v2.1.0: nomograph container registry, release install instructions
    - Explicit audit_allow_failure: false
    - Updated yanked fastrand
  • v0.3.1

    Release: kit v0.3.1
    kit v0.3.1
    
    CI hardening and supply chain fix.
    
    - Pipeline v2.1.0: nomograph container registry, release install instructions
    - Explicit audit_allow_failure: false
    - Supply chain gap fixes from main (unreleased since v0.3.0)
    - Updated yanked fastrand
  • v0.3.0

    Release: kit v0.3.0
    kit v0.3.0
    
    kit is a supply chain tool for managing developer toolchains from
    git-based registries. It resolves versions, generates mise config,
    verifies checksums and cosign signatures, and automates upstream
    update tracking.
    
    kit setup no longer hardcodes a default registry. Everyone brings
    their own:
    
        kit setup --registry https://gitlab.com/nomograph/kits.git
    
    Interactive tool update workflow for day-to-day use. Queries upstream,
    shows available updates with bump classification (major/minor/patch),
    and updates tool definitions on confirmation:
    
        kit upgrade
        kit upgrade --yes
        kit upgrade cosign
    
    kit add now produces zero-edit tool definitions for both GitHub and
    GitLab sources:
    
        kit add jq jqlang/jq
        kit add muxr nomograph/muxr --gitlab
    
    Auto-detects: aqua registry membership, cosign bundles in release
    assets, tier based on registry namespace, checksum files and format,
    tag prefix and version. Resolves GitLab project_id from URL path
    (--project-id flag removed).
    
        kit audit              # check all tools for known CVEs
        kit remove <name>      # remove a tool from writable registry
    
        kit man-page > kit.1
    
    - kit check reports ALL checksum mismatches before exiting
    - kit apply falls back to GitLab API when glab auth unavailable in CI
    - CI images now pulled from GitLab container registry (no Docker Hub)
    
    103 tests. 16 commands. 0 clippy warnings.
    
        kit setup --registry https://gitlab.com/nomograph/kits.git
        kit sync
  • v0.2.0

    kit v0.2.0
    
    Uses `mise which` for binary path resolution instead of heuristic
    guessing. Distinguishes archive-distributed tools (binary-hash) from
    bare-binary tools (full checksum + cosign verification). 23/26 tools
    verify out of the box.
    
    Query GitHub Advisory DB for known CVEs on all GitHub and npm-sourced
    tools. Exits non-zero on high/critical findings.
    
    Delete a tool definition from a writable registry. Git commit + push.
    
    Reports ALL checksum mismatches before exiting, not just the first.
    Gives operators full incident scope in one CI run.
    
    MR creation falls back to GitLab API via CI_JOB_TOKEN when glab auth
    is unavailable. Tested end-to-end in the nomograph/kits registry
    pipeline.
    
    94 tests. 0 clippy warnings. 14 commands.
    
        cargo install --git https://gitlab.com/nomograph/kit.git
  • v0.1.0

    Release: kit v0.1.0
    kit v0.1.0 -- Verified Tool Registry Manager
    
    First release. Manages developer toolchains from git-based registries
    with cryptographic verification. Built for the Nomograph project.
    
    kit resolves tool versions across multiple registries, generates mise
    configuration, verifies checksums and cosign signatures, and automates
    upstream update tracking via CI.
    
    - kit setup       -- one-time config, add default registry
    - kit sync        -- pull registries, resolve, generate mise config, install
    - kit status      -- drift detection, tier/registry display
    - kit verify      -- re-verify all installed binaries (cosign + checksums)
    - kit add         -- query upstream, auto-populate version/assets/checksums
    - kit push        -- commit and push tool definition to registry
    - kit pin/unpin   -- local version or registry overrides
    - kit check       -- scan upstream for newer versions (CI mode)
    - kit evaluate    -- LLM review for edge cases (CI mode)
    - kit apply       -- surgical TOML updates, branch, MR creation (CI mode)
    - kit init        -- scaffold a new registry with optional CI template
    - kit completions -- shell completions (bash/zsh/fish/elvish/powershell)
    
    Per-tool TOML definitions in tools/*.toml. Self-contained: each file
    has source, version, platform assets, checksum config, and optional
    cosign signature identity. Template syntax: {version} single brace.
    
    Default registry: nomograph/kits
    
    - TOML injection prevention: mise config via toml_edit API, never strings
    - Input validation: all fields validated against strict regex patterns
    - Supply chain attack detection: same version + changed checksum = hard stop
    - Dependency confusion prevention: registry migration requires confirmation
    - Cosign exact certificate identity match
    - Registry URLs restricted to https:// and git@
    - Symlink rejection in registry tool loading
    - Direct source URLs enforced HTTPS
    - Tag prefix, branch name, pin version all validated
    - Inline checksums validated as 64-char hex strings
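
The hardening rules listed above as a worked example in Rust (kit is a Rust project, but this is added code, not kit's own): the https:// and git@ registry URL allow-list, 64-char hex inline checksum validation, and the same-version/changed-checksum hard stop that, as the v0.2.0 notes describe, reports every mismatch instead of stopping at the first. Tool names, versions and checksums are constructed.

```rust
// Added example, not kit's own code: the v0.1.0 hardening checks above
// (URL scheme allow-list, 64-hex inline checksum, same-version/changed-checksum
// hard stop reporting every mismatch) run over constructed tool definitions.
use std::collections::HashMap;

#[derive(Debug, Clone, PartialEq)]
pub struct ToolDef {
    pub name: String,
    pub version: String,
    pub checksum: String, // inline SHA-256 hex
}

pub fn tool(name: &str, version: &str, checksum: &str) -> ToolDef {
    ToolDef { name: name.into(), version: version.into(), checksum: checksum.into() }
}

/// Registry URLs restricted to https:// and git@ (rejects http://, file://, ...).
pub fn registry_url_allowed(url: &str) -> bool {
    url.starts_with("https://") || url.starts_with("git@")
}

/// Inline checksums validated as 64-char hex strings (SHA-256).
pub fn checksum_is_valid(s: &str) -> bool {
    s.len() == 64 && s.bytes().all(|b| b.is_ascii_hexdigit())
}

/// Same version + changed checksum = hard stop. All mismatches are collected
/// before returning, so one CI run shows the full incident scope.
pub fn detect_checksum_drift(pinned: &[ToolDef], upstream: &[ToolDef]) -> Vec<String> {
    let known: HashMap<&str, &ToolDef> = pinned.iter().map(|t| (t.name.as_str(), t)).collect();
    let mut findings = Vec::new();
    for u in upstream {
        if let Some(p) = known.get(u.name.as_str()) {
            if p.version == u.version && !p.checksum.eq_ignore_ascii_case(&u.checksum) {
                findings.push(format!("{} {}: checksum changed for unchanged version", u.name, u.version));
            }
        }
    }
    findings
}

/// Constructed sample: jq unchanged, glab legitimately bumped, cosign and muxr tampered.
pub fn sample_registry() -> (Vec<ToolDef>, Vec<ToolDef>) {
    let hex = |c: char| c.to_string().repeat(64);
    let pinned = vec![tool("jq", "1.7.1", &hex('a')), tool("cosign", "2.2.0", &hex('b')),
                      tool("muxr", "0.1.0", &hex('c')), tool("glab", "1.36.0", &hex('d'))];
    let upstream = vec![tool("jq", "1.7.1", &hex('a')), tool("cosign", "2.2.0", &hex('e')),
                        tool("muxr", "0.1.0", &hex('f')), tool("glab", "1.37.0", &hex('0'))];
    (pinned, upstream)
}
```

A version bump with a new checksum (glab here) is a normal update and produces no finding; only an unchanged version whose checksum moved is flagged.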
    
        cargo install --git https://gitlab.com/nomograph/kit.git
    
        cosign verify-blob \
          --bundle kit-darwin-arm64.bundle \
          --certificate-oidc-issuer https://gitlab.com \
          --certificate-identity 'https://gitlab.com/nomograph/kit' \
          kit-darwin-arm64