Toolkit is organized as a layered pipeline that ingests catalog data, normalizes and ranks items, then applies policy controls before installation.
Mermaid source: assets/visual-architecture.mmd

Regenerate the SVG:

```sh
npx -y @mermaid-js/mermaid-cli -i assets/visual-architecture.mmd -o assets/visual-architecture.svg -b transparent
```

- Official provider feeds
- Community sources (optional)
- Local fallback entries
- Remote fetch with incremental cursor support
- Provider adapter mapping
- Zod schema validation
- Deterministic normalization/merge
- Unified catalog store (`data/catalog/items.json`)

- Trust-first ranking and risk assessment engines
- Security policy gates by risk tier
- Whitelist verification
- Quarantine state management
- Install audit logs
- Setup and diagnostics (`init`, `doctor`)
- Discovery (`list`, `search`, `show`, `top`)
- Recommendation/export (`recommend`)
- Risk and install controls (`assess`, `install:item`)
- Health/sync (`status`, `sync`)
- CI validation
- Security scans (CodeQL, dependency review, secrets, SBOM/Trivy)
- Daily quarantine automation
- Daily catalog sync
- Sync pulls and merges source registries.
- Validation enforces data contracts via Zod.
- Ranking and risk scoring compute candidate quality.
- Project scan provides context-aware fit signals.
- Recommendation returns policy-filtered candidates.
- Assess validates install risk for a selected ID.
- Install writes audit logs and respects gate policy.
- Scheduled workflows check the catalog for whitelist and quarantine violations and flag any they find.
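The ingestion steps above (contract validation, deterministic merge across sources) and the install-side steps (risk tier, policy gate, whitelist, quarantine, audit log) are shown end to end in the following added example. It is illustrative code written for this page, not the Toolkit's own implementation: the item fields, the 0-100 risk score and its tier thresholds, the source precedence (official over community over local), the gate rules and the audit record shape are all assumptions, and the hand-written `validateItem` stands in for the project's Zod schema. The sample rows are constructed, not real catalog data.

```typescript
// Added example, not Toolkit code. Models one item flowing from source feeds
// through validation, merge, risk tiering and the install policy gate.

type Source = "official" | "community" | "local";
type RiskTier = "low" | "medium" | "high" | "critical";
type GateAction = "allow" | "confirm" | "deny";

interface CatalogItem { id: string; source: Source; version: string; riskScore: number } // score 0..100, assumed scale
interface GateDecision { action: GateAction; reason: string }
interface PolicyState { whitelist: Set<string>; quarantine: Set<string> }  // ids verified out-of-band / currently quarantined
interface AuditEntry { ts: string; id: string; version: string; tier: RiskTier; action: GateAction; reason: string }

// Assumed precedence when the same id appears in several feeds: lower index wins.
const SOURCE_PRECEDENCE: Source[] = ["official", "community", "local"];

// Hand-rolled data contract standing in for the Zod schema. Invalid rows are dropped, never "repaired".
function validateItem(raw: unknown): CatalogItem | null {
  if (typeof raw !== "object" || raw === null) return null;
  const r = raw as Record<string, unknown>;
  const idOk = typeof r.id === "string" && /^[a-z0-9][a-z0-9._-]{0,63}$/.test(r.id);
  const srcOk = SOURCE_PRECEDENCE.includes(r.source as Source);
  const verOk = typeof r.version === "string" && /^\d+\.\d+\.\d+$/.test(r.version);
  const riskOk = typeof r.riskScore === "number" && Number.isFinite(r.riskScore) && r.riskScore >= 0 && r.riskScore <= 100;
  if (!(idOk && srcOk && verOk && riskOk)) return null;
  return { id: r.id as string, source: r.source as Source, version: r.version as string, riskScore: r.riskScore as number };
}

// Deterministic merge: one entry per id chosen by source precedence, output sorted by id so
// repeated syncs over the same feeds produce byte-identical catalog files.
function mergeCatalog(rows: unknown[]): CatalogItem[] {
  const byId = new Map<string, CatalogItem>();
  for (const raw of rows) {
    const item = validateItem(raw);
    if (!item) continue;
    const current = byId.get(item.id);
    if (!current || SOURCE_PRECEDENCE.indexOf(item.source) < SOURCE_PRECEDENCE.indexOf(current.source)) {
      byId.set(item.id, item);
    }
  }
  return Array.from(byId.values()).sort((a, b) => (a.id < b.id ? -1 : a.id > b.id ? 1 : 0));
}

// Assumed tier thresholds.
function riskTier(score: number): RiskTier {
  if (score < 25) return "low";
  if (score < 50) return "medium";
  if (score < 75) return "high";
  return "critical";
}

// Assumed gate rules: quarantine always denies; critical always denies; low always allows;
// the whitelist only relaxes medium/high, it never overrides quarantine or critical.
function gateInstall(item: CatalogItem, policy: PolicyState): GateDecision {
  const tier = riskTier(item.riskScore);
  if (policy.quarantine.has(item.id)) return { action: "deny", reason: "item is quarantined" };
  if (tier === "critical") return { action: "deny", reason: "critical risk tier" };
  if (tier === "low") return { action: "allow", reason: "low risk tier" };
  if (policy.whitelist.has(item.id)) return { action: "allow", reason: `${tier} risk tier, whitelisted` };
  return tier === "high"
    ? { action: "deny", reason: "high risk tier, not whitelisted" }
    : { action: "confirm", reason: "medium risk tier, not whitelisted" };
}

// Every gate evaluation is recorded, denied ones included, so the audit log shows attempts, not just installs.
function auditedInstall(item: CatalogItem, policy: PolicyState, log: AuditEntry[],
                        now: () => string = () => new Date().toISOString()): GateDecision {
  const decision = gateInstall(item, policy);
  log.push({ ts: now(), id: item.id, version: item.version, tier: riskTier(item.riskScore), ...decision });
  return decision;
}

// Constructed sample feed rows (not real catalog data).
const SAMPLE_ROWS: unknown[] = [
  { id: "fmt-helper", source: "community", version: "1.2.0", riskScore: 10 },
  { id: "fmt-helper", source: "official", version: "1.1.0", riskScore: 20 },   // official copy wins the merge
  { id: "net-probe", source: "community", version: "0.9.1", riskScore: 60 },   // high tier, but whitelisted below
  { id: "shell-exec", source: "local", version: "2.0.0", riskScore: 90 },      // critical tier
  { id: "BAD ID", source: "official", version: "1.0.0", riskScore: 5 },        // fails the id contract, dropped
  { id: "legacy-tool", source: "local", version: "3.1.4", riskScore: 40 },     // medium tier, quarantined below
];
const SAMPLE_POLICY: PolicyState = { whitelist: new Set(["net-probe"]), quarantine: new Set(["legacy-tool"]) };

function runSample(): { catalog: CatalogItem[]; decisions: Record<string, GateAction>; log: AuditEntry[] } {
  const catalog = mergeCatalog(SAMPLE_ROWS);
  const log: AuditEntry[] = [];
  const decisions: Record<string, GateAction> = {};
  for (const item of catalog) decisions[item.id] = auditedInstall(item, SAMPLE_POLICY, log).action;
  return { catalog, decisions, log };
}
```

With the sample rows, `runSample()` yields a four-item catalog (the malformed row is dropped and the two `fmt-helper` rows collapse to the official one), allows `fmt-helper` and the whitelisted `net-probe`, denies `shell-exec` (critical) and `legacy-tool` (quarantined), and leaves one audit entry per evaluation. The ordering of checks in `gateInstall` is the security-relevant part: quarantine and the critical tier are checked before the whitelist, so a stale whitelist entry cannot resurrect an item the daily quarantine job has pulled.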
- CLI commands: cli-reference.md
- Security model: security/README.md
- Daily quarantine workflow: ci/daily-quarantine.md