Advisory hook (RULE 0.12). Reads Agent tool_input JSON from stdin, hashes
the prompt (SHA-256 first 16), derives agent id and branch per isolation
mode, emits kei-ledger fork row.
NEVER blocks: every exit path is exit 0. Missing jq / kei-ledger / git
= silent no-op. Advisory because isolation=false trivial agents are
expected to slip through (RULE 0.12 Exceptions 1-2).
Constructor Pattern: 51 LOC, POSIX sh, chmod +x.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Hub-and-spoke skill that converts "I need auth for app X" into a
reviewable plan across 5 phases: intake (flows/stack/storage/MFA),
identity-provider pick + env scaffold, session strategy + cookies,
authorization model + permission matrix, and threats + mitigations.
- 8 AskUserQuestion calls total (≥6 hub-and-spoke contract; 4 in Phase 1
+ 1 each in Phases 2–5).
- Reads all four _blocks/auth-*.md; never writes production code or
secret values.
- RULE 0.8 (Secrets SSoT): emits env VARIABLE NAMES only; storage path
is secrets/auth.env per domain-has-secrets.md.
- Constructor Pattern: 6 files, largest 115 LOC (<200 limit).
- Fail-closed default + NO DOWNGRADE on unsafe combinations
(passkey-only without recovery → return recovery-path options, not
"not supported").
Evidence grade [E2] — pipeline mirrors OWASP ASVS v4.0.3 chapters 2–4.
Single binary, three backends (Postgres/SQLite/MySQL) autodetected
from DATABASE_URL scheme. Sequential .sql migrations tracked in
_kei_migrations with SHA-256 checksums.
Commands:
kei-migrate up — apply pending
kei-migrate down [n] — revert last N (requires .down.sql)
kei-migrate status — list applied vs pending
kei-migrate create <name> — scaffold up+down pair with UTC ts
Constructor Pattern: 10 source files, all <90 LOC, functions <30 LOC.
Deps: sqlx 0.8 (any+postgres+sqlite+mysql, rustls), clap 4, chrono,
sha2, anyhow, tokio.
Tests: 9/9 passing (cargo test, SQLite backend).
Clippy clean: cargo clippy --all-targets -- -D warnings.
Safety features:
- checksum drift detection on applied migrations
- IRREVERSIBLE marker blocks down-revert
- duplicate version detection at scan time
- each migration in its own transaction
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds four behavioural blocks for testing paradigms beyond unit tests
(test-gen already covers unit-test generation):
- test-fuzz.md — cargo-fuzz/hypothesis/fast-check corpus + triage + CI
- test-property.md — proptest/hypothesis/fast-check invariants + shrinking
- test-load.md — k6/vegeta/oha/hyperfine baseline→profile→fix loop + SLO
- test-e2e.md — Playwright page-objects + trace viewer + flake policy
Each block 32-53 LOC (within 60-LOC block cap). Single-concern,
composable via _manifests/*.toml like any other _blocks/*.md.
Tooling cited at [E4] based on official docs; version pinning deferred
to consumers.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- L1: install.sh post-install banners '~14 generated agents' → '12 generated agents'
(both the activated-path and the manual-merge-path copies).
- L2: skills/compose-solution/SKILL.md handoff reference '14 kit agents' → '12 kit agents'.
- L3: README /new-agent section rephrases 'via option-pickers' to call out that
the 6 questions are grouped into multiple option-picker batches (two
AskUserQuestion calls) rather than six separate prompts.
- M1 (RULE 0.4): replace fabricated URLs 'https://example.invalid/PROJECT-D'
and 'https://…/PROJECT-D' with plain text ('user's personal CLI predecessor').
- M2: tomd-preread cache key = basename + mtime + 8-char shasum of full path,
so two files with the same basename+mtime at different paths no longer
collide. Portable shasum shim; falls back to 'nohash' if shasum absent.
- M3: install.sh --with-bridges gated on ROLLED_BACK=0 so bridges are NOT
emitted into $PWD after an ERR-trap rollback.
- M4: rollback() guards rm -rf "$orig" behind an existence check.
- M5: skills/research/SKILL.md front-matter note — role tags like
'web-researcher' / 'meta-critic' are ad-hoc prompt labels for the generic
kei-researcher subagent, NOT separate manifests. Prevents fruitless
grep in _manifests/.
- M6: README adds a 'Frontend-stack coverage gap' callout listing the
planned-but-not-shipped frameworks (React-Vite, Vue-Nuxt, SvelteKit,
Astro, Angular, plain-web).
- M7: no-hand-edit-agents.sh documents at case block that the GENERATED
marker is the SOLE source of truth — legacy unmarked .md files pass
silently by design; re-run the assembler to adopt them.
- phase-2-decompose.md: delete 'or researcher if that agent is present in the user's
global fleet' clause that silently bypassed the kei-namespace. Replace with an
explicit prefer-kei note warning that bare 'researcher' matches only the user's
personal fleet and may have divergent handoffs.
- install.sh activate_hooks(): call backup_file "$target" on the merge path
(after the 'create new' early-return) so ERR-trap rollback can restore the
pre-merge settings.json. Previously an ERR in the jq-merge or mv left no
backup pair to restore.
