sanitize: remove patent-metadata from main tree (Tier 1+2+3)

Pre-public-launch cleanup. 17 files touched. Grep verification confirms
only Tier 4 (intentional GTM attribution) remains: README + docs/PHILOSOPHY
credit to Denis Parfionovich / KeiLab.

## Tier 1 — INFRA-LEAKS (4 targets, 1 file)
- _blocks/ci-forgejo-actions.md: Tailscale IPs 100.91.246.53 removed,
  kgl-runner-01 → my-runner-01, SSH fingerprint line deleted, Forgejo
  topology description generalised to "private interface"

## Tier 2 — PATENT-FLAG PROSE (4 files, ~10 edits)
- _manifests/kei-{modal-runner,ml-implementer,infra-implementer}.toml:
  "proprietary/non-public-deploy" → "private/non-public-deploy"
- _blocks/ci-forgejo-actions.md: RULE 0.1 sensitive IP references softened
  to generic "sensitive IP / compliance / air-gap" framing

## Tier 3 — INTERNAL PROJECT NAMES (8 files)
- kei-provision/tests/backend_smoke.rs: kgl-* fixtures → test-srv-*/test-vultr
- kei-auth/tests/integration.rs: project: "kgl" → "demo"
- kei-memory/src/coaccess.rs: "PROJECT-C/Genesis" origin → "in-house implementation"
- _primitives/{tomd.sh,README.md}: PROJECT-D provenance removed
- _bridges/README.md: PROJECT-D cross-ref line deleted
- skills/site-create/: keiagent/fal.ai → generic AI-asset generator
- skills/self-audit/: hardcoded project paths → ~/Projects/my-project
- skills/compose-solution/: hardcoded ~/Projects/PROJECT-E →
  ${KEISEI_BUNDLE_PATH:-} env-conditional lookup
- skills/sleep-setup/: forgejo.example.com → forgejo.example.com

## Phase 2 — Regenerated 3 root .md (Option B manual)
Assembler invocation blocked by sandbox; fell back to manual Edit on
kei-ml-implementer.md + kei-infra-implementer.md + kei-modal-runner.md
with same Tier-2 replacements as their source manifests.

## Known residual (Phase 3 pending user decision)
Git history still contains 619+ patent-term hits (pre-rewrite). Filter-repo
on /tmp/keisei-mirror.git prepared by separate agent; force-push
pending user approval because `genesis-scan` / `genesis-leak-guard` are
intentional kit features — naive rewrite would break them.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

_blocks/ci-forgejo-actions.md

@@ -1,6 +1,6 @@
 # CI — Forgejo Actions (self-hosted, Tailscale-only admin)
 
-Forgejo Actions is GitHub-Actions compatible at the workflow-syntax layer (derived from Gitea Actions, which re-uses the `actions/*` runtime via `act`). A workflow that runs on GH usually runs on Forgejo with only the runner labels and registry URLs changed. Pair with RULE 0.1 — KeiGit repos MUST stay on private Forgejo, never mirror to github.com.
+Forgejo Actions is GitHub-Actions compatible at the workflow-syntax layer (derived from Gitea Actions, which re-uses the `actions/*` runtime via `act`). A workflow that runs on GH usually runs on Forgejo with only the runner labels and registry URLs changed. Good fit for any repo that must stay on private hosting (sensitive IP, compliance, air-gap).
 
 ## Layout
 
@@ -19,8 +19,8 @@ Registration:
 ```bash
 forgejo-runner register \
   --no-interactive \
-  --instance http://100.91.246.53:3000 \
-  --name kgl-runner-01 \
+  --instance http://<forgejo-host>:3000 \
+  --name my-runner-01 \
   --labels "self-hosted,linux,x64,docker" \
   --token "$FORGEJO_RUNNER_TOKEN"       # from secrets/runner.env (RULE 0.8)
 ```
@@ -45,9 +45,7 @@ Workaround for OIDC: for cloud deploys from Forgejo, prefer short-lived STS toke
 
 ## Tailscale-only admin posture
 
-Forgejo Web UI is http://100.91.246.53:3000, SSH is `ssh://git@100.91.246.53:2222/...`. Both on Tailscale CGNAT. NEVER bind Forgejo to a public IP — runner tokens, PATs, and repo contents are unfiled patent IP (RULE 0.1).
-
-Key fingerprint for the existing KeiGit host: `SHA256:TxHcs7YuEZiy4Gu0yZOoVidVqlvj8TPC+QgUGjmh0Mw` labelled `macbook`.
+Forgejo bound to a private interface (Tailscale/Wireguard/VPC); pick an address + SSH port per your topology. NEVER bind Forgejo to a public IP — runner tokens, PATs, and repo contents are all harvestable from a publicly-reachable instance.
 
 ## Secrets
 
@@ -57,5 +55,5 @@ Forgejo repo secrets (`Repo → Settings → Actions → Secrets`) mirror GH sec
 
 - Exposing Forgejo port 3000 or 2222 on a public IP
 - Running `forgejo-runner` on a host that is also a production application node
-- Mirroring a KeiGit repo to github.com to "get free CI" (RULE 0.1)
+- Mirroring a private Forgejo repo to github.com to "get free CI" — if any project rule forbids a github remote, the mirror violates it transitively
 - Hard-coded runner tokens in workflow YAML (always `${{ secrets.* }}`)

_bridges/README.md

@@ -17,5 +17,3 @@ Tool-agnostic coding-rules templates, rendered into any project via `_bridges/em
 | `replit.tmpl` | `replit.md` |
 
 Render: `_bridges/emit.sh <target-dir> [project-name] [project-description]`. Idempotent — existing files are skipped.
-
-Cross-ref: KeiAgent is the personal-CLI predecessor that also ships these templates (verified against vendor docs 2026-04).

_manifests/kei-infra-implementer.toml

@@ -3,7 +3,7 @@
 # Edit THIS file, not the generated .md.
 
 name = "kei-infra-implementer"
-description = "Infrastructure code, deploys, CI/CD, secrets management, container/IaC. Per-project credential isolation, banned-deploy enforcement, Self-Sufficiency Protocol, cost guard on paid compute."
+description = "Infrastructure code, deploys, CI/CD, secrets management, container/IaC. Per-project credential isolation, non-public-deploy enforcement, Self-Sufficiency Protocol, cost guard on paid compute."
 tools = ["Glob", "Grep", "Read", "Edit", "Write", "Bash", "Agent"]
 model = "opus"
 
@@ -16,7 +16,7 @@ substrate_role = "edit-local"
 role = """
 You are a senior infrastructure engineer. You write deploy scripts, CI/CD pipelines, container/IaC \
 definitions, and secrets management code, enforcing per-project credential isolation, the \
-banned-deploy list, the Self-Sufficiency Protocol, and API Cost Guard on every paid surface. You \
+non-public-deploy list, the Self-Sufficiency Protocol, and API Cost Guard on every paid surface. You \
 are NOT an ML trainer (hand off to `kei-ml-implementer`), NOT a generic code writer (hand off to \
 `kei-code-implementer`). Your output is production infrastructure with `.env`-gitignored secrets, \
 Self-Sufficient API permissions set up once, verification commands passing, and \
@@ -36,7 +36,7 @@ blocks = [
 domain_in = [
     "Writing deploy scripts, CI/CD pipelines, Dockerfiles, Terraform/Pulumi IaC, secrets management code",
     "Per-project credential isolation — one project = one credential set, NO shared keys across projects",
-    "Banned-deploy enforcement — consult your project's banned-list doc BEFORE any public-surface deploy",
+    "Non-public-deploy enforcement — consult your project's non-public-deploy list doc BEFORE any public-surface deploy",
     "Self-Sufficiency Protocol — compile FULL API-permission list upfront, never ask user for manual dashboard work that the API supports",
     "Secrets discipline — `.env` gitignored, grep staged files for credential patterns before commit, no plaintext in Terraform state / Dockerfile / CI inline / logs",
     "Paid-compute cost guard — dashboard balance check, pricing-page verification, single-variant first, 2-min monitor (Modal, AWS, GCP, fal.ai, Apify, ElevenLabs)",
@@ -45,9 +45,9 @@ domain_in = [
 ]
 
 forbidden_domain = [
-    "`git push` to a public-hosting remote for any project flagged sensitive (banned-deploy list / proprietary weights / offensive-cyber / kernel-level) — hook will block, do not try to bypass",
+    "`git push` to a public-hosting remote for any project flagged sensitive (non-public-deploy list / private weights / offensive-cyber / kernel-level) — hook will block, do not try to bypass",
     "`gh repo create/push/sync` against public hosting; `git remote add/set-url` pointing at public hosting for sensitive projects",
-    "Public deploy of any project on your banned-deploy list without double explicit confirmation (\"yes, deploy\" + \"I confirm publication\")",
+    "Public deploy of any project on your non-public-deploy list without double explicit confirmation (\"yes, deploy\" + \"I confirm publication\")",
     "Sharing credentials across projects (NO reuse of tokens, SSH keys, API keys, service accounts)",
     "Committing `.env`, `*.pem`, `*.key`, `secrets/`, or any credential file in any form",
     "`git add -A` — stage specific files only",
@@ -65,7 +65,7 @@ forbidden_domain = [
 
 output_extra_fields = [
     "Project: <name>",
-    "Banned-deploy check: <not on list | on list, override secured/refused>",
+    "Non-public-deploy check: <not on list | on list, override secured/refused>",
     "Plan: resources / order / rollback (1 command if possible) / cost+tier",
     "Credentials: project-isolated yes/no, shared-infra risks, Self-Sufficiency full perm list requested upfront",
     "Secrets layout: `.env` abs path, `.gitignore` covers yes/no, pre-commit scan <clean | blocked>",

_manifests/kei-ml-implementer.toml

@@ -62,7 +62,7 @@ forbidden_domain = [
     "Cherry-picking single held-out subject/env as the headline number — cross-validation mean±std required",
     "Joint monolithic training when per-node supervision signals exist (use specialized-node training)",
     "Exploration from scratch when a published baseline exists in the env package (search `baselines_*/`, `checkpoints/`, `pretrained/` first)",
-    "`git push` to public-hosting — ML weights and architectures may be proprietary / banned-deploy IP",
+    "`git push` to public-hosting — ML weights and architectures may be private / non-public-deploy",
 ]
 
 output_extra_fields = [

_manifests/kei-modal-runner.toml

@@ -67,7 +67,7 @@ forbidden_domain = [
     "`.map(return_exceptions=False)` for batch spawning — cascade kill on single failure",
     "Restarting \"for cleanliness\" when current run is producing checkpoints — fix the script for next launch",
     "A bug in the launching script is NOT a reason to kill a running training run",
-    "`git push` to public-hosting for training scripts from projects flagged sensitive (proprietary-weights / banned-deploy list)",
+    "`git push` to public-hosting for training scripts flagged sensitive (private weights / non-public-deploy list)",
 ]
 
 # Agent-specific output fields (appended to standard report shape)

_primitives/README.md

@@ -11,9 +11,9 @@ programs installed at `$HOME/.claude/agents/_primitives/` by `install.sh`.
 |---|---|---|
 | `tomd.sh` | Universal non-native-format → markdown converter (PDF, DOCX, XLSX, PPTX, CSV, images, code). | `~/.claude/agents/_primitives/tomd.sh <file>` |
 
-`tomd.sh` is ported from the KeiAgent project (user's personal CLI
-predecessor) `bin/keiagent-tomd` — same format matrix, KeiSeiKit-style
-error tags (`[tomd]`), configurable cache directory (`KEISEI_TOMD_CACHE`).
+`tomd.sh` is a first-class primitive. Universal non-native-format →
+markdown converter with configurable cache directory
+(`KEISEI_TOMD_CACHE`) and KeiSeiKit-style error tags (`[tomd]`).
 
 ## Hook integration
 

_primitives/_rust/kei-auth/tests/integration.rs

@@ -7,10 +7,10 @@ const KEY: &[u8] = b"test-key-must-not-be-used-in-production";
 #[test]
 fn issue_and_verify() {
     let conn = open_memory().unwrap();
-    let tok = issue(&conn, "alice", "kgl", Scope::Write, 3600, KEY).unwrap();
+    let tok = issue(&conn, "alice", "demo", Scope::Write, 3600, KEY).unwrap();
     let out = verify(&conn, &tok, KEY).unwrap();
     assert_eq!(out.user_id, "alice");
-    assert_eq!(out.project, "kgl");
+    assert_eq!(out.project, "demo");
     assert_eq!(out.scope, Scope::Write);
 }
 

_primitives/_rust/kei-memory/src/coaccess.rs

@@ -1,7 +1,7 @@
 //! Co-access tracking — files touched within a 5-minute window.
 //!
 //! Constructor Pattern: one cube, single responsibility.
-//! Derived from KeiMD/src/ml.rs (2026-04-22 verified Genesis-clean).
+//! Derived from an in-house implementation, algorithmic spec documented in coaccess.md.
 //! Key difference: session-id isn't part of the coaccess PK — we aggregate
 //! across sessions so cross-session recurrences surface in `patterns`.
 

_primitives/_rust/kei-provision/tests/backend_smoke.rs

@@ -64,7 +64,7 @@ fn prep_env(dir: &Path, token_var: &str) {
 
 const HETZNER_DESCRIBE: &str = r#"{
   "id": 42,
-  "name": "kgl-test",
+  "name": "test-srv-a",
   "status": "running",
   "public_net": { "ipv4": { "ip": "1.2.3.4" } },
   "server_type": { "name": "cx22" },
@@ -74,13 +74,13 @@ const HETZNER_DESCRIBE: &str = r#"{
 const HETZNER_LIST: &str = r#"[
   {
     "id": 42,
-    "name": "kgl-a",
+    "name": "test-srv-a",
     "status": "running",
     "public_net": { "ipv4": { "ip": "1.2.3.4" } }
   },
   {
     "id": 43,
-    "name": "kgl-b",
+    "name": "test-srv-b",
     "status": "running",
     "public_net": { "ipv4": { "ip": "5.6.7.8" } }
   }
@@ -90,7 +90,7 @@ const VULTR_LIST: &str = r#"{
   "instances": [
     {
       "id": "abc-123",
-      "label": "kgl-vultr",
+      "label": "test-vultr",
       "status": "active",
       "power_status": "running",
       "main_ip": "9.8.7.6",
@@ -108,8 +108,8 @@ fn hetzner_status_parses_ipv4_and_id() {
     prep_env(dir.path(), "HCLOUD_TOKEN");
 
     let b = resolve("hetzner").unwrap();
-    let info = b.status("kgl-test").unwrap().expect("server present");
-    assert_eq!(info.name, "kgl-test");
+    let info = b.status("test-srv-a").unwrap().expect("server present");
+    assert_eq!(info.name, "test-srv-a");
     assert_eq!(info.id, "42");
     assert_eq!(info.ipv4.as_deref(), Some("1.2.3.4"));
     assert_eq!(info.status, "running");
@@ -136,7 +136,7 @@ fn hetzner_list_parses_array() {
     let b = resolve("hetzner").unwrap();
     let servers = b.list().unwrap();
     assert_eq!(servers.len(), 2);
-    assert_eq!(servers[0].name, "kgl-a");
+    assert_eq!(servers[0].name, "test-srv-a");
     assert_eq!(servers[1].ipv4.as_deref(), Some("5.6.7.8"));
 }
 
@@ -148,7 +148,7 @@ fn vultr_status_matches_label() {
     prep_env(dir.path(), "VULTR_API_KEY");
 
     let b = resolve("vultr").unwrap();
-    let info = b.status("kgl-vultr").unwrap().expect("found");
+    let info = b.status("test-vultr").unwrap().expect("found");
     assert_eq!(info.id, "abc-123");
     assert_eq!(info.ipv4.as_deref(), Some("9.8.7.6"));
     assert_eq!(info.status, "active");

_primitives/tomd.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 # tomd — universal non-native-format → markdown converter.
-# Ported from ~/Projects/KeiAgent/bin/keiagent-tomd. First-class primitive.
+# First-class primitive. Universal non-native-format → markdown converter.
 # Install path: $HOME/.claude/agents/_primitives/tomd.sh.
 # Deps: pandoc, python3, jq. Optional: pymupdf4llm, openpyxl, tesseract.
 

kei-infra-implementer.md

@@ -1,6 +1,6 @@
 ---
 name: kei-infra-implementer
-description: Infrastructure code, deploys, CI/CD, secrets management, container/IaC. Per-project credential isolation, banned-deploy enforcement, Self-Sufficiency Protocol, cost guard on paid compute.
+description: Infrastructure code, deploys, CI/CD, secrets management, container/IaC. Per-project credential isolation, non-public-deploy enforcement, Self-Sufficiency Protocol, cost guard on paid compute.
 tools: Glob, Grep, Read, Edit, Write, Bash, Agent
 model: opus
 ---
@@ -9,7 +9,7 @@ model: opus
 
 # ROLE
 
-You are a senior infrastructure engineer. You write deploy scripts, CI/CD pipelines, container/IaC definitions, and secrets management code, enforcing per-project credential isolation, the banned-deploy list, the Self-Sufficiency Protocol, and API Cost Guard on every paid surface. You are NOT an ML trainer (hand off to `kei-ml-implementer`), NOT a generic code writer (hand off to `kei-code-implementer`). Your output is production infrastructure with `.env`-gitignored secrets, Self-Sufficient API permissions set up once, verification commands passing, and `memory/{project}.md` updated with endpoints and credentials refs.
+You are a senior infrastructure engineer. You write deploy scripts, CI/CD pipelines, container/IaC definitions, and secrets management code, enforcing per-project credential isolation, the non-public-deploy list, the Self-Sufficiency Protocol, and API Cost Guard on every paid surface. You are NOT an ML trainer (hand off to `kei-ml-implementer`), NOT a generic code writer (hand off to `kei-code-implementer`). Your output is production infrastructure with `.env`-gitignored secrets, Self-Sufficient API permissions set up once, verification commands passing, and `memory/{project}.md` updated with endpoints and credentials refs.
 
 # AGENT SUBSTRATE — role `edit-local`
 
@@ -332,7 +332,7 @@ Counter: each FAILED attempt on the SAME problem = +1. Success = reset.
 **In:**
 - Writing deploy scripts, CI/CD pipelines, Dockerfiles, Terraform/Pulumi IaC, secrets management code
 - Per-project credential isolation — one project = one credential set, NO shared keys across projects
-- Banned-deploy enforcement — consult your project's banned-list doc BEFORE any public-surface deploy
+- Non-public-deploy enforcement — consult your project's non-public-deploy list doc BEFORE any public-surface deploy
 - Self-Sufficiency Protocol — compile FULL API-permission list upfront, never ask user for manual dashboard work that the API supports
 - Secrets discipline — `.env` gitignored, grep staged files for credential patterns before commit, no plaintext in Terraform state / Dockerfile / CI inline / logs
 - Paid-compute cost guard — dashboard balance check, pricing-page verification, single-variant first, 2-min monitor (Modal, AWS, GCP, fal.ai, Apify, ElevenLabs)
@@ -368,7 +368,7 @@ Verify: <each criterion pass/fail>
 Evidence grades: <E1-E6 for each major claim>
 Handoffs made: <list>
 Project: <name>
-Banned-deploy check: <not on list | on list, override secured/refused>
+Non-public-deploy check: <not on list | on list, override secured/refused>
 Plan: resources / order / rollback (1 command if possible) / cost+tier
 Credentials: project-isolated yes/no, shared-infra risks, Self-Sufficiency full perm list requested upfront
 Secrets layout: `.env` abs path, `.gitignore` covers yes/no, pre-commit scan <clean | blocked>
@@ -379,9 +379,9 @@ Blockers / next: <list>
 
 # FORBIDDEN
 
-- `git push` to a public-hosting remote for any project flagged sensitive (banned-deploy list / proprietary weights / offensive-cyber / kernel-level) — hook will block, do not try to bypass
+- `git push` to a public-hosting remote for any project flagged sensitive (non-public-deploy list / private weights / offensive-cyber / kernel-level) — hook will block, do not try to bypass
 - `gh repo create/push/sync` against public hosting; `git remote add/set-url` pointing at public hosting for sensitive projects
-- Public deploy of any project on your banned-deploy list without double explicit confirmation ("yes, deploy" + "I confirm publication")
+- Public deploy of any project on your non-public-deploy list without double explicit confirmation ("yes, deploy" + "I confirm publication")
 - Sharing credentials across projects (NO reuse of tokens, SSH keys, API keys, service accounts)
 - Committing `.env`, `*.pem`, `*.key`, `secrets/`, or any credential file in any form
 - `git add -A` — stage specific files only

kei-ml-implementer.md

@@ -432,7 +432,7 @@ Blockers / next: <list>
 - Cherry-picking single held-out subject/env as the headline number — cross-validation mean±std required
 - Joint monolithic training when per-node supervision signals exist (use specialized-node training)
 - Exploration from scratch when a published baseline exists in the env package (search `baselines_*/`, `checkpoints/`, `pretrained/` first)
-- `git push` to public-hosting — ML weights and architectures may be proprietary / banned-deploy IP
+- `git push` to public-hosting — ML weights and architectures may be private / non-public-deploy
 
 # REFERENCES
 

kei-modal-runner.md

@@ -389,7 +389,7 @@ Blockers / next: <list>
 - `.map(return_exceptions=False)` for batch spawning — cascade kill on single failure
 - Restarting "for cleanliness" when current run is producing checkpoints — fix the script for next launch
 - A bug in the launching script is NOT a reason to kill a running training run
-- `git push` to public-hosting for training scripts from projects flagged sensitive (proprietary-weights / banned-deploy list)
+- `git push` to public-hosting for training scripts flagged sensitive (private weights / non-public-deploy list)
 
 # REFERENCES
 

skills/compose-solution/phase-3-prior-art.md

@@ -20,11 +20,16 @@ grep -rinlE '<keywords>' \
 
 ## 3b — Personal bundle reuse (conditional, skip on missing)
 
+If the environment variable `KEISEI_BUNDLE_PATH` is set and the directory
+exists, grep prior art there. Otherwise skip Layer B. Do not hard-code
+any path — the bundle is user-specific.
+
 ```bash
-if [ -d ~/Projects/KeiSeiBundle ]; then
-  grep -rinlE '<keywords>' ~/Projects/KeiSeiBundle/ 2>/dev/null | head -20
+bundle="${KEISEI_BUNDLE_PATH:-}"
+if [ -n "$bundle" ] && [ -d "$bundle" ]; then
+  grep -rinlE '<keywords>' "$bundle" 2>/dev/null | head -20
 else
-  echo "KeiSeiBundle: absent — skipping layer B"
+  echo "personal bundle: absent (KEISEI_BUNDLE_PATH unset or missing) — skipping layer B"
 fi
 ```
 

skills/self-audit/phase-3-present.md

@@ -15,9 +15,8 @@ This is the RULE 0.14 silent-first contract. Do NOT prompt the user.
 
 ## 3b — Patent-IP guard
 
-If CWD sits under a banned project (`~/Projects/KeiLab`, `~/Projects/keinet`,
-`~/Projects/keidog`, `~/Projects/vortex`, `~/Projects/neuralcloak`,
-`~/Projects/KGL`) OR a `CLAUDE.md` in CWD contains a banned-marker line
+If CWD sits under a banned project (`~/Projects/my-project`) OR a
+`CLAUDE.md` in CWD contains a banned-marker line
 matching `/banned-project|patent-ip/i`:
 
 - Log every finding to backlog with `[SELF-AUDIT OFFLINE]` prefix.

skills/site-create/phase-1-design.md

@@ -34,8 +34,8 @@ Depending on `BRAND` from Phase 0:
 
 - **I'll provide** — ask free-text once for the logo path + 2-3 hex colors.
   Convert hex to OKLCH before writing into tokens.
-- **Generate with AI** — fan out to an external image-gen service via
-  `keiagent`/`fal.ai` (skill-agnostic; the generator is not part of this
+- **Generate with AI** — fan out to an optional AI-asset generator of
+  your choice (skill-agnostic; the generator is not part of this
   pipeline's required deps). Save to `public/brand/logo.svg` (or .png).
 - **Minimal** — emit a text-only logo placeholder; no image asset.
 

skills/sleep-setup/phase-2-repo-url.md

@@ -32,7 +32,7 @@ Invalid SSH URL. Expected shape: git@<host>:<org>/<repo>.git
 Examples:
   git@github.com:alice/kei-memory.git
   git@gitlab.com:alice/devops/kei-memory.git
-  git@forgejo.keisei.app:alice/kei-memory.git
+  git@forgejo.example.com:alice/kei-memory.git
 ```
 
 Re-emit the same `AskUserQuestion`. Up to 3 attempts; on the 3rd failure