Changelog

All notable changes to Vekt. Follows Keep a Changelog conventions.

0.2.0

2026-04-06 breaking
added

Cloud authorize/report flow

8708496
  • New `vekt auth ` command to store your API key locally at `~/.config/vekt/config.toml`
  • `vekt auth --status` shows current auth state; `vekt auth --logout` removes stored key
  • Global `--api-key` flag and `VEKT_API_KEY` environment variable for CI/CD
  • CLI calls `/api/vekt/authorize` before scanning to validate key and decrement quota
  • Scan telemetry reported to `/api/vekt/report` after scanning -- no lockfile content is ever uploaded
  • Graceful degradation: if authorization fails, scanning continues locally without quota tracking
  • Config file written with `0600` permissions on Unix systems
  • `vekt auth --status` shows only last 4 characters of key as fingerprint
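The three local-storage points above (config file under the user's config directory, `0600` permissions on Unix, and a last-4-characters fingerprint for `--status`) are small but easy to get subtly wrong. The following is an added example of how such a key store can be written in Rust using only the standard library; it is not Vekt's own code, and the function names `store_api_key`, `load_api_key`, `fingerprint`, `logout` and `file_mode` are hypothetical. The TOML handling is a deliberately minimal one-key subset, so the key is validated to a safe character set before it is written.

```rust
// Added example (not Vekt's own code): store an API key in a config file
// with 0600 permissions and expose only a short fingerprint of it.
use std::fs::{self, OpenOptions};
use std::io::{self, Write};
use std::path::Path;

#[cfg(unix)]
use std::os::unix::fs::{OpenOptionsExt, PermissionsExt};

/// Keys are restricted to a conservative charset so the one-line TOML we
/// write needs no escaping and cannot be broken out of by a crafted value.
fn valid_key(api_key: &str) -> bool {
    !api_key.is_empty()
        && api_key
            .chars()
            .all(|c| c.is_ascii_alphanumeric() || c == '-' || c == '_')
}

/// Write `api_key` to `config_path`, creating the parent directory as 0700
/// and the file as 0600 so other local users cannot read the secret.
pub fn store_api_key(config_path: &Path, api_key: &str) -> io::Result<()> {
    if !valid_key(api_key) {
        return Err(io::Error::new(io::ErrorKind::InvalidInput, "invalid api key"));
    }
    if let Some(dir) = config_path.parent() {
        fs::create_dir_all(dir)?;
        #[cfg(unix)]
        fs::set_permissions(dir, fs::Permissions::from_mode(0o700))?;
    }
    let mut opts = OpenOptions::new();
    opts.write(true).create(true).truncate(true);
    #[cfg(unix)]
    opts.mode(0o600); // applied at creation, before any bytes land on disk
    let mut file = opts.open(config_path)?;
    // An existing file may carry looser permissions: tighten them explicitly.
    #[cfg(unix)]
    file.set_permissions(fs::Permissions::from_mode(0o600))?;
    writeln!(file, "api_key = \"{}\"", api_key)?;
    file.sync_all()
}

/// Read the key back; `None` when no config file exists yet.
pub fn load_api_key(config_path: &Path) -> io::Result<Option<String>> {
    let text = match fs::read_to_string(config_path) {
        Ok(t) => t,
        Err(e) if e.kind() == io::ErrorKind::NotFound => return Ok(None),
        Err(e) => return Err(e),
    };
    for line in text.lines() {
        if let Some(rest) = line.trim_start().strip_prefix("api_key") {
            if let Some(val) = rest.trim_start().strip_prefix('=') {
                return Ok(Some(val.trim().trim_matches('"').to_string()));
            }
        }
    }
    Ok(None)
}

/// Only the last four characters are shown, as a `--status` style view would.
pub fn fingerprint(api_key: &str) -> String {
    let n = api_key.chars().count();
    let tail: String = api_key.chars().skip(n.saturating_sub(4)).collect();
    format!("****{tail}")
}

/// Remove the stored key (`--logout`); a missing file is not an error.
pub fn logout(config_path: &Path) -> io::Result<()> {
    match fs::remove_file(config_path) {
        Err(e) if e.kind() == io::ErrorKind::NotFound => Ok(()),
        other => other,
    }
}

/// Permission bits of a file, for checking the 0600 invariant.
#[cfg(unix)]
pub fn file_mode(path: &Path) -> io::Result<u32> {
    Ok(fs::metadata(path)?.permissions().mode() & 0o777)
}

fn main() -> io::Result<()> {
    // Constructed sample: a temporary location and a made-up key value.
    let dir = std::env::temp_dir().join(format!("keystore-example-{}", std::process::id()));
    let path = dir.join("config.toml");
    store_api_key(&path, "vk_example_abcd1234")?;
    if let Some(key) = load_api_key(&path)? {
        println!("stored key fingerprint: {}", fingerprint(&key));
    }
    #[cfg(unix)]
    println!("file mode: {:o}", file_mode(&path)?);
    logout(&path)?;
    fs::remove_dir_all(&dir)
}
```

Setting the mode on `OpenOptions` matters because it takes effect at creation; chmod after writing leaves a window in which the file is readable under the default umask. The explicit `set_permissions` afterwards covers the case where the file already existed with wider permissions.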
security

Server-side hardening

8708496
  • File upload scan endpoint (`POST /api/vekt/scan`) retired with HTTP 410 Gone
  • One-time scan tokens bind `request_id` to API key -- prevents fabricated telemetry reports
  • Report endpoint validates inputs: allowlisted lockfile types, range-checked numerics
  • Nginx `client_max_body_size 4k` scoped to `/api/vekt/` routes
  • Bot protection exempts `/api/` routes so SDK clients (python-requests, httpx) work correctly
  • Stripe SDK migrated to v8: Billing Meter Events API, Invoice.parent.subscription_details
deprecated

Upload scan endpoint retired

8708496
  • `POST /api/vekt/scan` now returns `410 Gone` with migration instructions
  • Use the CLI for scanning: `curl -fsSL https://kief.dev/vekt/install.sh | sh`
  • Authenticate with `vekt auth `, then scan with `vekt scan .`

0.1.2

2026-03-30
added

Chrome extension approved

b3c560c
  • Browser extension published on the [Chrome Web Store](https://chromewebstore.google.com/detail/fkhdbbbhignkhicjadpjpapkepcmpdjb)
  • Trust badge on npm, PyPI, crates.io, and 6 more registries
  • Full trust panel: OpenSSF Scorecard, maintainer profiles with GitHub stars, vulnerability count, provenance status
  • Maintainer profiles link to GitHub with star counts

0.1.1

2026-03-28
added

Browser extension enrichment pipeline

8682542
  • Full enrichment pipeline in extension panel: OpenSSF Scorecard, download stats, version timeline
  • Fixed bottom overlay bar design with traffic light indicators
  • npm publish date uses `time[version]` instead of `modified` for accuracy

0.1.0

2026-03-28
added

Initial release

16c8ce7
  • Rust CLI scanning 22 lockfile formats across 12 package ecosystems
  • Real-time threat intelligence from OSV.dev with batched queries
  • Three threat levels: MALICIOUS, VULN, HOLDER (security placeholder)
  • Parallel lockfile parsing with deduplication across lockfiles
  • JSON output (`--json`) for CI/CD integration
  • Quiet mode (`--quiet`) suppresses output on clean scans
  • Exit code conventions: 0 = clean, 1 = findings, 2 = error
  • LSP server (`vekt-lsp`) for IDE integration
  • Cargo workspace with `vekt-core`, `vekt-cli`, and `vekt-lsp` crates