nomograph-kit-0.11.0 is not a library.

hero

kit

Verified tool registry manager -- manages developer toolchains from git-based registries.

kit resolves tool versions across multiple registries, generates mise configuration, verifies checksums and cosign signatures, and automates upstream update tracking via a three-pipeline CI architecture.

Bootstrap

bootstrap sequence

Install

If you don't have Rust yet, the quickest path is mise:

mise use --global rust
cargo install nomograph-kit

Or use rustup:

curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
cargo install nomograph-kit

The binary is called kit.

Quick start

kit setup --registry https://gitlab.com/your/registry.git
kit sync
kit status

Commands

Command	Description
`kit setup`	One-time config, optionally add a registry
`kit sync`	Pull registries, resolve, generate mise config, install
`kit status`	Installed vs registry, drift detection, verification strength
`kit diff`	Show changes between lockfile and registry
`kit upgrade`	Interactive tool update workflow
`kit verify`	Re-verify all installed binaries (cosign + checksums)
`kit audit`	Check tools for known security advisories
`kit add <name> <source>`	Query upstream, generate tool definition
`kit push <name>`	Commit and push a tool definition
`kit remove <name>`	Remove a tool from a writable registry
`kit pin <name> <version>`	Pin a tool's version locally
`kit unpin <name>`	Remove a local pin
`kit sense`	Detect upstream changes, classify by risk (CI)
`kit evaluate`	Rule-based + LLM review of findings (CI)
`kit apply`	Update TOMLs, partition by auto-merge eligibility (CI)
`kit verify-registry`	Validate all tool definitions before merge (CI)
`kit init [--ci]`	Scaffold a new registry
`kit completions <shell>`	Shell completions (bash/zsh/fish)
`kit man-page`	Generate man page

Registries

A registry is a git repo with per-tool TOML definitions:

tools/
  _meta.toml        # registry metadata + merge policy
  gh.toml           # one file per tool
  muxr.toml
  ...

Each tool definition is self-contained:

[tool]
name = "gh"
source = "github"
repo = "cli/cli"
version = "2.89.0"
tag_prefix = "v"
bin = "gh"
tier = "high"
aqua = "cli/cli"

[tool.assets]
macos-arm64 = "gh_{version}_macOS_arm64.zip"
linux-x64 = "gh_{version}_linux_amd64.tar.gz"

[tool.checksum]
file = "gh_{version}_checksums.txt"
format = "sha256"

[tool.signature]
method = "github-attestation"

Sources: github, gitlab, npm, crates, direct, rustup

Smart kit add queries upstream and auto-populates:

kit add jq jqlang/jq              # GitHub
kit add muxr nomograph/muxr --gitlab  # GitLab (resolves project_id)
kit add claude-code --npm @anthropic-ai/claude-code
kit add cargo-nextest --crates

Trust tiers

Each tool has a tier that controls merge policy:

Tier	Meaning	Typical policy
own	Tools you build and publish	Auto-merge all bumps
high	Critical third-party tools	Manual review
low	Commodity tools	Auto-merge patch/minor

Tiers are set per-tool in the TOML definition. The registry's _meta.toml defines which tiers auto-merge:

[policy]
auto_merge_tiers = ["own", "low"]
auto_merge_bump = ["patch", "minor"]
auto_merge_requires_checksum = true

Multi-registry

Configure multiple registries in ~/.config/kit/config.toml. First registry wins when tools overlap. Local pins override.

[[registry]]
name = "nomograph"
url = "https://gitlab.com/nomograph/kits.git"

[[registry]]
name = "personal"
url = "https://gitlab.com/you/kits.git"

Separate registries by trust boundary. For example, keep your own tools in one registry and third-party tools in another. Each registry has its own pipeline, merge policy, and update cadence.

Project-local

kit discovers kit.toml by walking up from the working directory. When found, tools scope to that project:

.kit.lock next to kit.toml (committed to git)
.mise.toml merged with # kit:begin / # kit:end markers
User tools outside the markers are never touched

CI Pipeline

kit powers a three-pipeline supply chain architecture via the kit-registry CI component:

include:
  - component: gitlab.com/nomograph/pipeline/kit-registry@v3
    inputs:
      kit_version: "0.10.1"
      mr_assignee: "andunn"

Sense (scheduled, read-only)

kit sense queries upstream releases, downloads assets, verifies checksums, and checks advisory databases. Classifies each finding by risk (bump level, tier, checksum status). Never fails on version drift -- drift is what it detects.

Evaluate (after sense)

kit evaluate applies deterministic rules (auto-approve clean patches, reject checksum mismatches) and optionally invokes an LLM for edge cases (major bumps, missing checksums, advisories).

Apply (after evaluate)

kit apply updates tool TOML files on disk and partitions updates into two groups by auto-merge eligibility:

auto_merge_group -- updates eligible per registry policy (right tier, right bump, checksums verified)
review_group -- everything else (wrong tier, major bumps, flagged by evaluator, unverified checksums)

The CI component creates a separate branch and MR for each group. The auto-merge MR merges itself after the verify pipeline passes. The review MR stays open for human review.

Verify (on MR)

kit verify-registry re-validates all tool definitions and re-verifies checksums. Runs on every MR as a merge gate.

Security

kit is a supply chain tool. Security is enforced at every layer:

Input validation: all fields validated against strict regex patterns
TOML injection prevention: mise config built via toml_edit API
Supply chain attack detection: same version + changed checksum = hard stop
Dependency confusion prevention: registry migration requires confirmation
Cosign verification: anchored certificate identity match
Registry URL restriction: https:// and git@ only
Symlink rejection: malicious registries cannot escape tools/ directory
HTTPS-only: all HTTP clients enforce TLS

46 security findings identified and addressed across 5 adversarial review passes.

License

MIT -- Nomograph

nomograph-kit 0.11.0

kit