Big News: Socket raises $60M Series C at a $1B valuation to secure software supply chains for AI-driven development.Announcement
Sign In

kyos-cli

Package Overview
Dependencies
Maintainers
1
Versions
22
Alerts
File Explorer

Advanced tools

License
Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

kyos-cli - npm Package Compare versions

Comparing version
0.2.12
 to
0.2.13
+60
CHANGELOG.md
# Changelog
All notable changes to this project are documented here.
Format follows [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
## [0.2.13] - 2026-04-27
### Changed
- chore: improve Socket score — author, provenance, eslint, CHANGELOG, security docs
## [0.2.12] - 2026-04-25
### Added
- `--doctor` command: checks managed file integrity and reports drift
- Manifest generation for managed-file baselines
- Baseline guard in `managed-files.js` to prevent silent overwrites
- Release script (`scripts/release.js`) with clean-tree assertion, version bump, test gate, and tag
## [0.2.11] - 2026-04-24
### Added
- GitHub Actions publish pipeline with npm provenance attestation
- `SECURITY.md` shipped in the tarball
- `package-lock.json` committed and kept in sync
### Changed
- Renamed `silent-executor` skill to `silent-execution` for consistency
## [0.2.10] - 2026-04-23
### Added
- `--update` flag: force-regenerates `.kyos/` without touching `.claude/`
- New default agent and skill seeded on `--init`
- `.kyos/` added to `.gitignore` on first bootstrap
### Changed
- Refactored skill and agent catalog structure
- Updated `/kyos:implement` and `/kyos:tasks` command prompts
## [0.2.9] - 2026-04-22
### Added
- `security-engineer` agent and `/kyos:prevalidate` command
- Catalog-based managed commands with `--init --force` destructive reset path
## [0.2.8] - 2026-04-21
### Added
- Hardened write paths, write-through-symlink protection
- `rules/` folder seeded on bootstrap
- Integration test suite (`test/flow.test.js`)
- `.kyos/`/`.claude/` two-layer architecture finalized
### Changed
- Migrated local commands and skills to new layer model
- Aligned CLI messaging and `npx kyos-cli` usage docs
## [0.2.7] - 2026-04-20
### Added
- `/kyos:architecture`, `/kyos:hire`, `/kyos:spec`, `/kyos:tech`, `/kyos:implement`, `/kyos:tasks`, `/kyos:verify` workflow commands
- Hardened capability path handling
- Security audit skills in catalog
### Changed
- Renamed CLI from `bootstrap` to `kyos`
- Prepared package for npm publish
## [0.1.0] - 2026-04-20
### Added
- Initial commit: basic bootstrap CLI, `.claude/` layout generation
+30
SECURITY.md
# Security Policy
## Supported Versions
Only the latest published version of `kyos-cli` receives security fixes.
| Version | Supported |
| ------- | --------- |
| latest | Yes |
| older | No |
## Reporting a Vulnerability
Please **do not** open a public GitHub issue for security vulnerabilities.
Use GitHub's private vulnerability reporting:
1. Go to the [Security tab](https://github.com/ajesskit/kyos/security).
2. Click **"Report a vulnerability"**.
3. Fill in the details and submit.
You will receive a response within **7 days**.
## Scope
Relevant vulnerability classes for this tool:
- Path traversal or arbitrary file writes
- Command injection via CLI arguments
- Malicious catalog entries that produce unsafe output files
+1
-1
catalog/registry.json

@@ -5,3 +5,3 @@ {

"description": "Shared Claude Code baseline structure and conventions for every repository.",
"version": "0.2.12"
"version": "0.2.13"
}

@@ -8,0 +8,0 @@ },

+19
-5
package.json
{
"name": "kyos-cli",
"version": "0.2.12",
"version": "0.2.13",
"description": "Bootstrap and safely evolve a shared Claude Code repo structure.",
"author": "Eugene",
"keywords": [

@@ -10,3 +11,6 @@ "claude",

"kyos",
"mcp"
"mcp",
"supply-chain",
"zero-dependencies",
"npm-provenance"
],

@@ -31,6 +35,9 @@ "license": "MIT",

"README.md",
"LICENSE"
"LICENSE",
"SECURITY.md",
"CHANGELOG.md"
],
"publishConfig": {
"access": "public"
"access": "public",
"provenance": true
},

@@ -40,2 +47,4 @@ "scripts": {

"test": "node ./test/run.js",
"lint": "eslint src/ bin/",
"prepublishOnly": "npm run lint && npm test && npm pack --dry-run",
"prepack": "npm test",

@@ -46,4 +55,9 @@ "pack:check": "npm pack --dry-run",

"engines": {
"node": ">=18"
"node": ">=20",
"npm": ">=9"
},
"devDependencies": {
"@eslint/js": "^10.0.1",
"eslint": "^10.2.1"
}
}
+10
-0
README.md

@@ -192,1 +192,11 @@ # kyos-cli

```
## Security
- **Zero runtime dependencies** — no third-party code runs when you install or use `kyos-cli`.
- **No install scripts** — `package.json` declares no `preinstall`, `postinstall`, or `install` hooks. Nothing executes at install time.
- **Publish provenance** — every release is published with [npm provenance attestation](https://docs.npmjs.com/generating-provenance-statements) via GitHub Actions, so the build source is cryptographically verifiable.
- **Lockfile committed** — `package-lock.json` is committed and regenerated on every release to prevent dependency drift.
- **Path traversal protection** — all file I/O is validated in `src/core/fs.js`: relative paths only, no `..` segments, no symlinks escaping the repo root.
To report a vulnerability, see [SECURITY.md](./SECURITY.md).
+0
-2
src/core/managed-files.js

@@ -6,3 +6,2 @@ const fs = require("fs");

CLAUDE_MD_FILE,
CLAUDE_ROOT,
FRAMEWORK_PACKAGE,

@@ -23,3 +22,2 @@ FRAMEWORK_VERSION,

writeRepoTextFile,
writeTextFile,
} = require("./fs");

@@ -26,0 +24,0 @@ const { sha256 } = require("./hash");