npm - @aryaminus/controlkeel - Versions diffs - 0.3.2 → 0.3.5 - Mend

@aryaminus/controlkeel 0.3.2 → 0.3.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/README.md CHANGED Viewed

@@ -37,4 +37,14 @@ echo "//npm.pkg.github.com/:_authToken=YOUR_GITHUB_TOKEN_WITH_READ_PACKAGES" >>
 npm i -g @aryaminus/controlkeel --registry=https://npm.pkg.github.com
 ```
+## Security
+This package uses a postinstall script to download the native ControlKeel binary from GitHub Releases. This is intentional and necessary for cross-platform distribution. For detailed information about security practices and how the postinstall script works, see [SECURITY.md](SECURITY.md).
+To skip automatic binary download, set the environment variable:
+```bash
+CONTROLKEEL_SKIP_DOWNLOAD=1 npm i -g @aryaminus/controlkeel
+```
 <!-- mcp-name: io.github.aryaminus/controlkeel -->

package/SECURITY.md ADDED Viewed

@@ -0,0 +1,63 @@
+# Security Policy
+## Postinstall Script
+This package uses a `postinstall` script to download the native ControlKeel binary from GitHub Releases. This is intentional and necessary for the following reasons:
+### Why the postinstall script exists
+ControlKeel is a native CLI tool written in Rust/Elixir that needs to be distributed as platform-specific binaries. Rather than requiring users to manually download the correct binary for their platform, this npm package serves as a bootstrap installer that:
+1. Detects the user's platform (OS and architecture)
+2. Downloads the appropriate pre-compiled binary from GitHub Releases
+3. Makes it available as the `controlkeel` command
+### What the postinstall script does
+The `postinstall` script (`lib/postinstall.js`) performs the following actions:
+- Calls `ensureBinary()` to download the platform-specific binary
+- Downloads from official GitHub Releases: `https://github.com/aryaminus/controlkeel/releases/latest`
+- Verifies the download and places the binary in the appropriate location
+- Can be skipped by setting the environment variable `CONTROLKEEL_SKIP_DOWNLOAD=1`
+### Security considerations
+- **Source**: Binaries are downloaded exclusively from official GitHub Releases
+- **Verification**: The download process uses GitHub's authenticated release endpoints
+- **Transparency**: The source code for the bootstrap installer is fully visible in this repository
+- **Opt-out**: Users can skip automatic download by setting `CONTROLKEEL_SKIP_DOWNLOAD=1`
+- **No external dependencies**: The bootstrap installer has no runtime dependencies beyond Node.js built-ins
+### Manual verification
+Users who prefer manual verification can:
+1. Set `CONTROLKEEL_SKIP_DOWNLOAD=1` to prevent automatic download
+2. Download the binary directly from [GitHub Releases](https://github.com/aryaminus/controlkeel/releases/latest)
+3. Verify the checksums provided in the release notes
+4. Place the binary in their PATH manually
+## Reporting Security Issues
+If you discover a security vulnerability, please report it responsibly:
+1. Do not open a public issue
+2. Email security details to: [security contact to be added]
+3. Include steps to reproduce and expected impact
+4. Allow time for the issue to be investigated and fixed before disclosure
+## Supported Versions
+Security updates are provided for the latest version of the package. Users are encouraged to keep their installation up to date.
+## Supply Chain Security
+This package is designed with supply chain security in mind:
+- **Minimal attack surface**: The bootstrap installer has no external dependencies
+- **Reproducible builds**: Native binaries are built from source in CI/CD
+- **Signed releases**: GitHub Releases provide cryptographic verification
+- **Transparent source**: All installer code is open and auditable
+For detailed information about the native binary build process and security practices, see the main repository's [security documentation](https://github.com/aryaminus/controlkeel/blob/main/SECURITY.md).

package/index.js ADDED Viewed

@@ -0,0 +1,51 @@
+#!/usr/bin/env node
+/**
+ * ControlKeel Bootstrap Installer
+ *
+ * This is a bootstrap package for the ControlKeel native CLI.
+ * The main entry point re-exports the binary functionality.
+ *
+ * For programmatic use, the package downloads and manages the native
+ * ControlKeel binary from GitHub Releases.
+ */
+const { ensureBinary } = require("./lib/install");
+/**
+ * Ensure the ControlKeel binary is downloaded and available.
+ * @param {Object} options - Options for binary download
+ * @param {boolean} options.forceDownload - Force re-download even if binary exists
+ * @returns {Promise<string>} Path to the downloaded binary
+ */
+async function getBinaryPath(options = {}) {
+  return await ensureBinary(options);
+}
+/**
+ * Main entry point for when this package is required programmatically.
+ */
+module.exports = {
+  getBinaryPath,
+  ensureBinary
+};
+// If run directly, execute the CLI
+if (require.main === module) {
+  const { spawn } = require("node:child_process");
+  getBinaryPath({ forceDownload: false }).then((binaryPath) => {
+    const child = spawn(binaryPath, process.argv.slice(2), { stdio: "inherit" });
+    child.on("exit", (code, signal) => {
+      if (signal) {
+        process.kill(process.pid, signal);
+        return;
+      }
+      process.exit(code ?? 0);
+    });
+  }).catch((error) => {
+    console.error(error.message || error);
+    process.exit(1);
+  });
+}

package/package.json CHANGED Viewed

@@ -1,8 +1,12 @@
 {
   "name": "@aryaminus/controlkeel",
-  "version": "0.3.2",
-  "description": "Bootstrap installer for the ControlKeel native CLI.",
+  "version": "0.3.5",
+  "description": "Bootstrap installer for the ControlKeel native CLI - a control plane for agent-generated software delivery.",
   "license": "Apache-2.0",
+  "author": {
+    "name": "aryaminus",
+    "url": "https://github.com/aryaminus"
+  },
   "repository": {
     "type": "git",
     "url": "git+https://github.com/aryaminus/controlkeel.git"
@@ -11,13 +15,30 @@
   "bugs": {
     "url": "https://github.com/aryaminus/controlkeel/issues"
   },
+  "keywords": [
+    "controlkeel",
+    "governance",
+    "agent",
+    "ai",
+    "cli",
+    "devops",
+    "security",
+    "validation",
+    "compliance",
+    "automation",
+    "mcp",
+    "model-context-protocol"
+  ],
+  "main": "index.js",
   "bin": {
     "controlkeel": "bin/controlkeel.js"
   },
   "files": [
     "bin",
     "lib",
+    "index.js",
     "README.md",
+    "SECURITY.md",
     "server.json"
   ],
   "scripts": {

package/server.json CHANGED Viewed

@@ -7,12 +7,12 @@
     "url": "https://github.com/aryaminus/controlkeel.git",
     "source": "github"
   },
-  "version": "0.3.2",
+  "version": "0.3.5",
   "packages": [
     {
       "registryType": "npm",
       "identifier": "@aryaminus/controlkeel",
-      "version": "0.3.2",
+      "version": "0.3.5",
       "runtimeHint": "npx",
       "transport": {
         "type": "stdio"