Three independent shell hardening fixes from Opus Shell + Sonnet Shell audits.
1. disk-reclaim.sh Guard 3 — protect branches without upstream tracking (HIGH)
File: hooks/disk-reclaim.sh:88-101
Bug: when a worktree branch has no upstream tracking ref, `git log @{u}..`
exited non-zero and `unpushed=""` (empty). The check
`[ -n "$unpushed" ] && [ "$unpushed" != "0" ]` evaluated FALSE, so the
worktree fell through Guard 3 and was eligible for mtime-based pruning.
Local-only branches with committed work were silently deleted.
Fix: explicit two-branch logic. Run `git rev-parse --abbrev-ref @{u}` first;
only run the unpushed-count check if upstream exists. If no upstream, log
SKIP[no-upstream] and `continue` conservatively. New
`worktrees_skip_unpushed` counter increments in both unpushed paths.
2. secrets-pre-guard.sh — placeholder allowlist scope-narrow (MEDIUM)
File: hooks/secrets-pre-guard.sh:43-103
Bug: word "placeholder" anywhere in content disabled all secret-pattern
scanning for that whole Write. Allowlist was too broad — a doc with the
word "placeholder" in its prose could mask a real sk-ant- token elsewhere.
Fix: replaced global early-exit with per-line awk scan. New scan_pattern()
helper walks content line-by-line; each line matching a secret regex is
allowed ONLY if the SAME line also matches ALLOWLIST_RE. Doc prose can no
longer mask cross-line secrets. Added `dummy[_-]?(key|token|secret)` to
allowlist for legitimate test fixtures.
3. lib-rust-prebuild.sh — sha256 fail-closed (HIGH supply-chain)
File: install/lib-rust-prebuild.sh:75-88
Bug: when ${url}.sha256 404'd, installer printed WARNING and proceeded with
unverified tarball. A compromised github release uploader could ship a
malicious tarball, omit .sha256, and the installer would extract it into
~/.cargo/bin/.
Fix: missing .sha256 → ERROR + abort. Path A install fails → falls back to
Path B (cargo build from source). Override via KEI_ALLOW_UNVERIFIED_TARBALL=1
(visible per-call, intentional friction).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Pre-fix: install.sh on a fresh clone has no binaries — target/ is gitignored,
copy_prebuilt_substrate_binaries() skips silently with "no pre-built found",
end users get zero kei-fork / kei-ledger / kei-cortex / etc.
New module: install/lib-rust-prebuild.sh (~120 LOC, Constructor Pattern).
ensure_rust_binaries() — main entry, idempotent
1. has_prebuilt_substrate_binaries() — quorum check (5+ kit binaries already in
target/release/ → no-op).
2. Else Path A: download keisei-${TARGET}.tar.gz from
https://github.com/KeiSei84/KeiSeiKit-1.0/releases/latest/download/
Detects target via uname (x86_64/aarch64 × darwin/linux), verifies
sha256, extracts into target/release/.
3. Path A fail (404, network, sha mismatch) → Path B fallback:
cargo build --release --workspace (slow first time, requires Rust).
4. Path B fail (no cargo) → say + return non-zero.
Bypass: KEI_SKIP_RUST=1 — skip both paths (markdown-only install).
Wired in install/lib-rust.sh — ensure_rust_binaries() called BEFORE
copy_prebuilt_substrate_binaries() in regenerate_rust_workspace.
Path A activates ONLY after a v* tag is pushed and release.yml uploads
tarballs to github releases. Until then, Path A 404s and Path B kicks in.
This commit lays the wire — release tag is a separate user-driven action.
Verify:
- bash -n install.sh: OK
- bash -n install/lib-rust-prebuild.sh: OK
- detect_rust_target on this host: aarch64-apple-darwin
- has_prebuilt_substrate_binaries: correctly returns false on partial dev
target (only kei-memory + kei-db-contract built locally today)
Out of scope (not done in this commit):
- Tag v0.X release to populate github tarballs (deploy step, deferred)
- Update keiseikit.dev/install.sh redirect target (downstream wiring)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
