nomograph-kit 0.11.0

Verified tool registry manager -- manages developer toolchains from git-based registries
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231

![hero](hero.svg)

# kit

[![crates.io](https://img.shields.io/crates/v/nomograph-kit)](https://crates.io/crates/nomograph-kit)
[![pipeline](https://gitlab.com/nomograph/kit/badges/main/pipeline.svg)](https://gitlab.com/nomograph/kit/-/pipelines)
[![license](https://img.shields.io/badge/license-MIT-green)](LICENSE)
[![built with GitLab](https://img.shields.io/badge/built_with-GitLab-FC6D26?logo=gitlab)](https://gitlab.com/nomograph/kit)

Verified tool registry manager -- manages developer toolchains from
git-based registries.

kit resolves tool versions across multiple registries, generates
[mise](https://mise.jdx.dev) configuration, verifies checksums and
cosign signatures, and automates upstream update tracking via a
three-pipeline CI architecture.

## Bootstrap

![bootstrap sequence](bootstrap.svg)

## Install

If you don't have Rust yet, the quickest path is [mise](https://mise.jdx.dev):

```bash
mise use --global rust
cargo install nomograph-kit
```

Or use rustup:

```bash
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
cargo install nomograph-kit
```

The binary is called `kit`.

## Quick start

```bash
kit setup --registry https://gitlab.com/your/registry.git
kit sync
kit status
```

## Commands

| Command | Description |
|---------|-------------|
| `kit setup` | One-time config, optionally add a registry |
| `kit sync` | Pull registries, resolve, generate mise config, install |
| `kit status` | Installed vs registry, drift detection, verification strength |
| `kit diff` | Show changes between lockfile and registry |
| `kit upgrade` | Interactive tool update workflow |
| `kit verify` | Re-verify all installed binaries (cosign + checksums) |
| `kit audit` | Check tools for known security advisories |
| `kit add <name> <source>` | Query upstream, generate tool definition |
| `kit push <name>` | Commit and push a tool definition |
| `kit remove <name>` | Remove a tool from a writable registry |
| `kit pin <name> <version>` | Pin a tool's version locally |
| `kit unpin <name>` | Remove a local pin |
| `kit sense` | Detect upstream changes, classify by risk (CI) |
| `kit evaluate` | Rule-based + LLM review of findings (CI) |
| `kit apply` | Update TOMLs, partition by auto-merge eligibility (CI) |
| `kit verify-registry` | Validate all tool definitions before merge (CI) |
| `kit init [--ci]` | Scaffold a new registry |
| `kit completions <shell>` | Shell completions (bash/zsh/fish) |
| `kit man-page` | Generate man page |

## Registries

A registry is a git repo with per-tool TOML definitions:

```
tools/
  _meta.toml        # registry metadata + merge policy
  gh.toml           # one file per tool
  muxr.toml
  ...
```

Each tool definition is self-contained:

```toml
[tool]
name = "gh"
source = "github"
repo = "cli/cli"
version = "2.89.0"
tag_prefix = "v"
bin = "gh"
tier = "high"
aqua = "cli/cli"

[tool.assets]
macos-arm64 = "gh_{version}_macOS_arm64.zip"
linux-x64 = "gh_{version}_linux_amd64.tar.gz"

[tool.checksum]
file = "gh_{version}_checksums.txt"
format = "sha256"

[tool.signature]
method = "github-attestation"
```

Sources: `github`, `gitlab`, `npm`, `crates`, `direct`, `rustup`

Smart `kit add` queries upstream and auto-populates:

```bash
kit add jq jqlang/jq              # GitHub
kit add muxr nomograph/muxr --gitlab  # GitLab (resolves project_id)
kit add claude-code --npm @anthropic-ai/claude-code
kit add cargo-nextest --crates
```

### Trust tiers

Each tool has a tier that controls merge policy:

| Tier | Meaning | Typical policy |
|------|---------|----------------|
| own | Tools you build and publish | Auto-merge all bumps |
| high | Critical third-party tools | Manual review |
| low | Commodity tools | Auto-merge patch/minor |

Tiers are set per-tool in the TOML definition. The registry's
`_meta.toml` defines which tiers auto-merge:

```toml
[policy]
auto_merge_tiers = ["own", "low"]
auto_merge_bump = ["patch", "minor"]
auto_merge_requires_checksum = true
```

### Multi-registry

Configure multiple registries in `~/.config/kit/config.toml`. First
registry wins when tools overlap. Local pins override.

```toml
[[registry]]
name = "nomograph"
url = "https://gitlab.com/nomograph/kits.git"

[[registry]]
name = "personal"
url = "https://gitlab.com/you/kits.git"
```

Separate registries by trust boundary. For example, keep your own
tools in one registry and third-party tools in another. Each
registry has its own pipeline, merge policy, and update cadence.

### Project-local

kit discovers `kit.toml` by walking up from the working directory.
When found, tools scope to that project:

- `.kit.lock` next to `kit.toml` (committed to git)
- `.mise.toml` merged with `# kit:begin` / `# kit:end` markers
- User tools outside the markers are never touched

## CI Pipeline

kit powers a three-pipeline supply chain architecture via the
[kit-registry](https://gitlab.com/nomograph/pipeline) CI component:

```yaml
include:
  - component: gitlab.com/nomograph/pipeline/kit-registry@v3
    inputs:
      kit_version: "0.10.1"
      mr_assignee: "andunn"
```

### Sense (scheduled, read-only)

`kit sense` queries upstream releases, downloads assets, verifies
checksums, and checks advisory databases. Classifies each finding
by risk (bump level, tier, checksum status). Never fails on version
drift -- drift is what it detects.

### Evaluate (after sense)

`kit evaluate` applies deterministic rules (auto-approve clean
patches, reject checksum mismatches) and optionally invokes an LLM
for edge cases (major bumps, missing checksums, advisories).

### Apply (after evaluate)

`kit apply` updates tool TOML files on disk and partitions updates
into two groups by auto-merge eligibility:

- **auto_merge_group** -- updates eligible per registry policy
  (right tier, right bump, checksums verified)
- **review_group** -- everything else (wrong tier, major bumps,
  flagged by evaluator, unverified checksums)

The CI component creates a separate branch and MR for each group.
The auto-merge MR merges itself after the verify pipeline passes.
The review MR stays open for human review.

### Verify (on MR)

`kit verify-registry` re-validates all tool definitions and
re-verifies checksums. Runs on every MR as a merge gate.

## Security

kit is a supply chain tool. Security is enforced at every layer:

- **Input validation**: all fields validated against strict regex patterns
- **TOML injection prevention**: mise config built via toml_edit API
- **Supply chain attack detection**: same version + changed checksum = hard stop
- **Dependency confusion prevention**: registry migration requires confirmation
- **Cosign verification**: anchored certificate identity match
- **Registry URL restriction**: https:// and git@ only
- **Symlink rejection**: malicious registries cannot escape tools/ directory
- **HTTPS-only**: all HTTP clients enforce TLS

46 security findings identified and addressed across 5 adversarial
review passes.

## License

MIT -- [Nomograph](https://gitlab.com/nomograph)