kit v0.1.0 -- Verified Tool Registry Manager
First release. Manages developer toolchains from git-based registries
with cryptographic verification. Built for the Nomograph project.
kit resolves tool versions across multiple registries, generates mise
configuration, verifies checksums and cosign signatures, and automates
upstream update tracking via CI.
- kit setup -- one-time config, add default registry
- kit sync -- pull registries, resolve, generate mise config, install
- kit status -- drift detection, tier/registry display
- kit verify -- re-verify all installed binaries (cosign + checksums)
- kit add -- query upstream, auto-populate version/assets/checksums
- kit push -- commit and push tool definition to registry
- kit pin/unpin -- local version or registry overrides
- kit check -- scan upstream for newer versions (CI mode)
- kit evaluate -- LLM review for edge cases (CI mode)
- kit apply -- surgical TOML updates, branch, MR creation (CI mode)
- kit init -- scaffold a new registry with optional CI template
- kit completions -- shell completions (bash/zsh/fish/elvish/powershell)
Per-tool TOML definitions in tools/*.toml. Self-contained: each file
has source, version, platform assets, checksum config, and optional
cosign signature identity. Template syntax: {version} single brace.
Default registry: nomograph/kits
- TOML injection prevention: mise config via toml_edit API, never strings
- Input validation: all fields validated against strict regex patterns
- Supply chain attack detection: same version + changed checksum = hard stop
- Dependency confusion prevention: registry migration requires confirmation
- Cosign exact certificate identity match
- Registry URLs restricted to https:// and git@
- Symlink rejection in registry tool loading
- Direct source URLs enforced HTTPS
- Tag prefix, branch name, pin version all validated
- Inline checksums validated as 64-char hex strings
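Added example, not kit's own code: a std-only Rust sketch of three checks from the list above (64-char hex checksum validation, the https:// / git@ registry URL allow-list, and the same-version/changed-checksum hard stop). The names Verdict, is_sha256_hex, is_allowed_registry_url and compare are hypothetical, and the sample values are constructed.

```rust
// Illustration only; all names are hypothetical, not kit's internals.
#[derive(Debug, PartialEq)]
enum Verdict {
    Unchanged,             // same version, same checksum
    Upgrade,               // version changed, so a new checksum is expected
    ChecksumMismatch,      // same version, different bytes: hard stop
    Invalid(&'static str), // input failed validation before any comparison
}

/// Inline checksums must be exactly 64 hex characters (a SHA-256 digest).
fn is_sha256_hex(s: &str) -> bool {
    s.len() == 64 && s.bytes().all(|b| b.is_ascii_hexdigit())
}

/// Registry URLs are restricted to the https:// and git@ forms.
fn is_allowed_registry_url(url: &str) -> bool {
    url.starts_with("https://") || url.starts_with("git@")
}

/// Compare the locally recorded (version, checksum) with the pair the
/// registry serves now. Both checksums are validated first, so a malformed
/// value can never be mistaken for a legitimate change.
fn compare(locked: (&str, &str), incoming: (&str, &str)) -> Verdict {
    if !is_sha256_hex(locked.1) || !is_sha256_hex(incoming.1) {
        return Verdict::Invalid("checksum is not 64-char hex");
    }
    // Hex digests are case-insensitive; compare them that way.
    let same_sum = locked.1.eq_ignore_ascii_case(incoming.1);
    match (locked.0 == incoming.0, same_sum) {
        (true, true) => Verdict::Unchanged,
        // A released version must never change its bytes.
        (true, false) => Verdict::ChecksumMismatch,
        (false, _) => Verdict::Upgrade,
    }
}

fn main() {
    // Constructed sample digests, not real release checksums.
    let a = "a".repeat(64);
    let b = "b".repeat(64);
    println!("{:?}", compare(("1.2.3", a.as_str()), ("1.2.3", a.as_str())));
    println!("{:?}", compare(("1.2.3", a.as_str()), ("1.2.3", b.as_str())));
    println!("{:?}", compare(("1.2.3", a.as_str()), ("1.3.0", b.as_str())));
    println!("{}", is_allowed_registry_url("http://example.invalid/kits.git"));
}
```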
Install:
cargo install --git https://gitlab.com/nomograph/kit.git

Verify:
cosign verify-blob \
  --bundle kit-darwin-arm64.bundle \
  --certificate-oidc-issuer https://gitlab.com \
  --certificate-identity 'https://gitlab.com/nomograph/kit' \
  kit-darwin-arm64