@tokenrip/cli 1.4.4 → 1.5.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/SECURITY.md +33 -0
- package/SKILL.md +176 -664
- package/dist/cjs/client.js +15 -1
- package/dist/cjs/client.js.map +1 -1
- package/dist/cjs/commands/agent.js +2 -0
- package/dist/cjs/commands/agent.js.map +1 -1
- package/dist/cjs/formatters.js +8 -3
- package/dist/cjs/formatters.js.map +1 -1
- package/dist/cli.js +4 -3
- package/dist/cli.js.map +1 -1
- package/dist/client.js +15 -1
- package/dist/client.js.map +1 -1
- package/dist/commands/agent.d.ts +1 -0
- package/dist/commands/agent.js +2 -0
- package/dist/commands/agent.js.map +1 -1
- package/dist/formatters.js +8 -3
- package/dist/formatters.js.map +1 -1
- package/package.json +3 -2
- package/references/agent-architecture.md +140 -0
- package/references/output-and-provenance.md +27 -0
- package/references/setup-and-identity.md +71 -0
package/SECURITY.md
ADDED
@@ -0,0 +1,33 @@
+
# Security Policy
+
+
## Reporting a Vulnerability
+
+
If you discover a security vulnerability in `@tokenrip/cli`, please report it privately:
+
+
- **Email:** security@tokenrip.com
+
- **GitHub:** Open a [private security advisory](https://github.com/tokenrip/tokenrip/security/advisories/new)
+
+
Please do **not** open a public GitHub issue for security reports.
+
+
We aim to acknowledge reports within 2 business days and provide a remediation timeline within 7 days.
+
+
## Supported Versions
+
+
Only the latest minor release of `@tokenrip/cli` receives security updates. Users are encouraged to stay on the latest version.
+
+
| Version | Supported |
+
| ------- | --------- |
+
| 1.1.x | ✅ |
+
| < 1.1 | ❌ |
+
+
## Scope
+
+
This policy covers the `@tokenrip/cli` npm package and its published `dist/` output. The Tokenrip API, frontend, and hosted services are covered by a separate policy at https://tokenrip.com/security.
+
+
## Package Integrity
+
+
- Published from the [tokenrip/tokenrip](https://github.com/tokenrip/tokenrip) monorepo under `packages/cli`.
+
- No install-time scripts (`preinstall`, `postinstall`, `prepare`) — the package does nothing on install.
+
- No dynamic code execution, no remote code fetching, no shell invocation.
+
- Filesystem access is limited to `~/.config/tokenrip/` for identity/config storage, and to user-specified paths during explicit `artifact download` / `artifact upload` commands.
+
- All network traffic goes to `https://api.tokenrip.com` (overridable via `rip config set-url`).
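Review bot: the Supported Versions table in this hunk contradicts both the release it ships in and the sentence directly above it. The page header shows this diff is the 1.4.4 → 1.5.0 release, and the text says only the latest minor release receives security updates, yet the rows `| 1.1.x | ✅ |` and `| < 1.1 | ❌ |` tell a reader that 1.2 through 1.5 are unsupported. Either update the rows to `1.5.x` / `< 1.5`, or drop the table and keep only the prose rule, since a hard-coded version row will go stale on every minor bump. Two smaller points on the Package Integrity section: the claims of no install-time scripts, no dynamic code execution and no shell invocation are stated without anything a reader can check; pointing at the `scripts` block of the published `package.json` (or an `npm pack --dry-run` file listing) would make them verifiable rather than asserted. And the final bullet's "All network traffic goes to `https://api.tokenrip.com`" holds only until someone runs `rip config set-url`, so it should read "by default", with a note that the destination is user-configurable and that anything the CLI sends (including whatever it stores under `~/.config/tokenrip/` for identity) then goes to the configured URL instead.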