kaos-mcp v0.1.3

License: Apache-2.0 · Runtime: Python 3.13+ · Released: 2026-06-22

Changes since last sweep

No signal changes detected since 2026-06-23.

Trust scorecard

Composite: 8/8 green

Build passing
  Latest CI conclusion: success
Tests + coverage
  Latest CI conclusion: success
No critical CVEs
  Latest Security workflow conclusion: success
Signed release artifacts
  PEP 740 attestation verified for 2/2 artifacts
License clean
  Wheel license: Apache-2.0
SBOM published
  SBOM published — 51 components
Branch protection
  GitHub reports main as protected; admin-only rule details were not available to the sweep token
SECURITY.md + CODEOWNERS
  SECURITY.md + CODEOWNERS present

CI matrix

Environment | pytest | ruff | ty | bandit | pip-audit
linux-x64 / py3.14
linux-x64 / py3.14t
linux-x64 / py3.15
macos-arm64 / py3.13
windows-x64 / py3.13

Security

Open advisories: 0
Fixed in 90d: 0
Dependabot alerts
Suppressions (total): not inspected (sibling clone absent)

Suppressions are markers that silence a linter, type-checker, or security scanner. See security.html for the full ledger across the org.

Supply chain

Direct deps
Transitive deps
SBOM: CycloneDX (mirror) · CycloneDX (GitHub Release)

Governance + velocity

Maintainers: 2
Commits 90d: 41
Releases 90d: 10

Code surface area

Python source (LoC): 2,659 across 24 files
Python tests (LoC): 1,848 across 13 files
Rust source (LoC)
Rust tests (LoC)
Source lines of code: 4,507 LoC

Counts non-blank, non-comment lines (sloc). Excludes .venv, target, dist, build, __pycache__, _site, and lockfiles (uv.lock, Cargo.lock). Tests are paths whose ancestors contain tests, test, or benches. Authorship: this codebase is AI-assisted — lines were generated with Claude (Anthropic) and human-reviewed before commit. We count what's in git; we do not claim humans typed every character.

Methodology

How these eight checks are scored

Each check is collected by an automated workflow against public sources only (GitHub API, OSV, Sigstore transparency log, package registry metadata). No self-attestation is accepted. A check is green when the underlying signal is present and meets a documented threshold, yellow when partial, red when failing, and gray when the collector has not yet implemented the probe. See methodology.html for thresholds and source URLs.