
Security News
Risky Biz Podcast: AI Agents Are Raising the Stakes for Software Supply Chain Security
Open source attacks are accelerating as AI coding agents pull in dependencies faster, with less human review.
Claude is powerful — but without structure, conversations drift, context gets lost, and results are inconsistent. kyos-cli gives you a proven workflow so you don't have to figure that out yourself. One command sets it up in your project; from there, Claude knows how to guide you from idea to working code.
npx kyos-cli --init
--apply to add only what's missing, or --init --force to start fresh.Getting great results from Claude on complex tasks takes more than a single prompt — you need structure, clear steps, and a way to keep context across the session. kyos-cli gives you all of that out of the box.
kyos-cli installs a structured workflow that breaks the process into clear steps:
| Command | What it does |
|---|---|
/kyos:spec | Nail down what you're building before touching any code |
/kyos:tech | Turn the idea into a concrete plan Claude can follow |
/kyos:tasks | Break the plan into small, checkable steps |
/kyos:implement | Execute the steps one by one, with verification at each |
/kyos:verify | Confirm the result actually matches what was planned |
Run them in order for any feature or fix:
/kyos:spec → /kyos:tech → /kyos:tasks → /kyos:implement → /kyos:verify
Each step saves its output to a file, so you can pause, resume in a new session, or hand off to someone else without losing context.
There are also two planning commands for bigger decisions:
| Command | What it does |
|---|---|
/kyos:prevalidate | Quick safety check before making changes |
/kyos:architecture | Set or revise your project's technical direction |
/kyos:hire | Add support for tools or patterns missing from your stack |
/kyos:spec or /kyos:tech, run /compact before continuing. Everything is saved to disk, so nothing is lost and the next command starts with a clean budget./clear just before /kyos:implement to give the implementation run the full context window. Then reference the saved tasks file directly: /kyos:implement @docs/execution/your-feature/tasks.md.spec.md, tech.md, or tasks.md already exist when you open a new session, pass them in directly: /kyos:tech @docs/execution/your-feature/spec.md. Claude will read the file and continue from there./kyos:tech or /kyos:tasks (scope shifts, new constraints, a better approach), reflect those changes back in the earlier files too. Keeping spec, tech, and tasks aligned means they can later be assembled into accurate feature documentation with minimal effort.| Command | Description |
|---|---|
kyos-cli --init | Set up or inspect an existing setup (default) |
kyos-cli --init --force | Reset everything to a clean baseline |
kyos-cli --apply | Add only missing files, never overwrites anything |
kyos-cli --update | Pull in the latest managed files without touching your customizations |
kyos-cli --add <type> <name> | Add a skill, agent, or MCP from the catalog |
kyos-cli --doctor | Check that everything is in order |
Extend your setup with optional capabilities:
kyos-cli --add skill release-notes
kyos-cli --add skill security-audit
kyos-cli --add skill path-safety
kyos-cli --add skill mcp-hardening
kyos-cli --add skill secrets-and-supply-chain
kyos-cli --add agent triage
kyos-cli --add mcp context7
kyos-cli --add mcp filesystem
Each addition creates a file you can fill with project-specific guidance. MCP entries are wired up automatically.
The CLI runs in whatever directory you're in, so you can roll it out across projects with a simple loop:
for repo in ./repo-a ./repo-b ./repo-c; do
(cd "$repo" && npx kyos-cli --init)
done
kyos-cli.To report a vulnerability, see SECURITY.md.
FAQs
Bootstrap and safely evolve a shared Claude Code repo structure.
The npm package kyos-cli receives a total of 81 weekly downloads. As such, kyos-cli popularity was classified as not popular.
We found that kyos-cli demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Security News
Open source attacks are accelerating as AI coding agents pull in dependencies faster, with less human review.

Research
/Security News
Malicious Chrome and Firefox extensions posed as free VPNs while stealing clipboard data through later extension updates.

Research
/Security News
Miasma Mini Shai-Hulud hits @immobiliarelabs Backstage plugins, targeting GitLab and LDAP auth packages on npm.