External Sources & Trust
Beyond its built-in scaffolders and enhancements, tinkerise can run external
enhancements published to npm (tinkerise-enhancement-*). Because that means running
third-party code on your machine, every external source must be explicitly trusted before
it runs — once per source, remembered afterwards.
The trust model
Section titled “The trust model”A source is identified canonically as npm:<package> (or github:<owner>/<repo>). tinkerise
keeps a trust store of sources you have consented to; nothing external is loaded or executed
until its source is trusted.
tinkerise trust list # show trusted sources + installed-but-untrusted onestinkerise trust add npm:tinkerise-enhancement-biome # trust a sourcetinkerise trust remove npm:tinkerise-enhancement-biome # revoke trusttrust list also surfaces installed tinkerise-scaffolder-* / tinkerise-enhancement-*
packages found in the current project that you haven’t trusted yet, so you can see what’s
available.
Using an external enhancement
Section titled “Using an external enhancement”Add an npm enhancement the same way you add a built-in one — just use its npm: source id:
tinkerise add npm:tinkerise-enhancement-biomeThe first time you reference an untrusted source interactively, tinkerise shows an explicit
warning that it will run third-party code and asks you to confirm — defaulting to No.
Granting consent records the source as trusted, so you won’t be asked again. Once trusted, the
enhancement runs through the normal add pipeline (the usual skip / replace / merge handling
for existing config).
CI and non-interactive use
Section titled “CI and non-interactive use”In CI (or any non-interactive context) there is no prompt to answer, so tinkerise requires pre-trust: an untrusted source fails fast rather than silently executing third-party code.
# In CI, trust the source explicitly first, then use it:tinkerise trust add npm:tinkerise-enhancement-biometinkerise add npm:tinkerise-enhancement-biomeRunning tinkerise add npm:… against an untrusted source in CI errors with
SOURCE_NOT_TRUSTED and tells you to run tinkerise trust add first.
Boundaries
Section titled “Boundaries”- npm enhancements only, for now.
github:sources are recognized by the resolver but not yet executable (SOURCE_KIND_UNSUPPORTED). - Consent is per-source. Trusting one package does not trust any other.
- Trust is revocable.
tinkerise trust remove <source>drops it from the store.
Where to go next
Section titled “Where to go next”- Add built-in tooling in
/guides/enhancements/ - Record and reproduce a stack with Reproducible Projects
- See every command and flag in
/reference/commands/