keisei/KeiSeiKit-1.0
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
174 commits 3 branches 11 tags 12 MiB
Commit graph

5 commits

Author SHA1 Message Date
Parfii-bot
3e792d169d Merge feat/v0.16-changelog-gen — Keep-a-Changelog + release workflow 2026-04-22 15:13:05 +08:00
Parfii-bot
d97afb63ec feat(v0.16): CHANGELOG + tag-driven release workflow 
Keep-a-Changelog format. 12 sections: [Unreleased] + 11 real
releases v0.8.0..v0.15.0, every bullet with real git SHA pulled
via git log --no-merges. 150 LOC.

.github/workflows/release.yml — 3 jobs, triggered on tag push:
  build-release: 4-platform matrix
    - x86_64-unknown-linux-gnu
    - aarch64-unknown-linux-gnu (continue-on-error)
    - x86_64-apple-darwin
    - aarch64-apple-darwin
    Builds entire _primitives/_rust workspace, emits tar.gz +
    sha256 per target via portable executable-discovery loop.
  release: downloads artifacts, runs local
    kei-changelog --from <prev-tag> --to <tag>, publishes via
    softprops/action-gh-release@v2.
  npm-publish: graceful skip when NPM_TOKEN secret absent
    (steps.have_token.outputs.present gate + || warning wrap
    so one failing package doesn't kill the job).

Companion install support: install/lib-rust.sh gains
have_prebuilt_binaries() + KEI_SKIP_RUST_BUILD=1 guard (shipped
as part of install-split bundle). Users can download tarball
instead of compiling Rust from source.

release.yml validated via yaml.safe_load: 3 jobs parse cleanly,
matrix expands 4-wide, jobs = [build-release, release, npm-publish].

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-04-22 15:10:00 +08:00
Parfii-bot
f77c1b7fdc fix(v0.15.1): RED-1 CVE + typed-handoff + schema minItems 
Security hotfix — v0.15.1 Wave 1 fixes from 4-parallel audit.

RED-1 (CVE): KEI_DISABLED_HOOKS tokenized match — was `*all*`
substring-glob (trivially bypassable via "install", "wall-clock", etc.),
now exact-token split on comma/space. Patched in all 9 hooks:
no-hand-edit-agents, assemble-agents, assemble-validate, tomd-preread,
agent-fork-logger, site-wysiwyd-check, error-spike-detector,
milestone-commit-hook, session-end-dump.

RED-2 (observability): minimal profile whitelist now includes
agent-fork-logger and session-end-dump (ledger + trace paths) so
observability is not silently lost on minimal installs.

HIGH: review.json schema minItems:1 on findings — rejects empty
reviews; new Rust test review_schema_rejects_empty_findings.

HIGH: typed-handoff wire-up — produces_artifact declared at top
level on 5 manifests (kei-security-auditor, kei-validator,
kei-architect, kei-code-implementer, kei-critic); duplicate
per-handoff declarations removed.

MED: kei-artifact validate.rs gains warn_unsupported_keywords —
non-fatal stderr warning when schema uses keywords outside the
hand-rolled 2020-12 subset.

LOW: CI Node matrix dropped 18, now ['20','22'].

Doc drift: skills/hooks-control/SKILL.md reflects tokenized-match
semantics and updated minimal-profile hook list.

Tests: 191 Rust workspace + 30 assembler (both pass). RED-1
reproducer 10/10 (4 former-CVE vectors blocked, 5 legit vectors
accepted, empty passes).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-04-22 15:08:51 +08:00
Parfii-bot
24c584ee50 fix: remove genesis-scan from public kit (internal tool, Bundle-only) 
Per user decision: publishing the sensitive IP pattern blocklist via public
scanner is leak of the blocklist itself (attack surface). genesis-scan
remains in PROJECT-E (private); user-global
~/.claude/hooks/genesis-leak-guard.sh (runtime hook) separate.

Deleted:
- _primitives/_rust/genesis-scan/ (whole crate, 5 files)
- hooks/git-pre-commit-genesis.sh (scanner companion)

Modified:
- workspace Cargo.toml -1 member (24→23)
- MANIFEST.toml — removed [primitive.genesis-scan] + core/full profile refs
- .github/workflows/ci.yml — removed genesis-scan job
- README.md — 7 count/description edits (24→23 rust, 10→9 hooks, 37→36 full)
- install.sh — 5 edits (--help + menus)
- mcp-server tool-registry.ts + test — scanner removed from MCP surface
- kei-sleep-queue.sh — removed scan_prompt() pre-submit hook
- 2 sleep-on-it skill phases — removed genesis-scan references

Tests: 160 Rust (was 167, -7 genesis-scan tests as expected), 24 assembler unchanged.
 2026-04-22 14:11:22 +08:00
Parfii-bot
fbd8adf9cf feat(ci): GitHub Actions workflows + .claude/worktrees gitignore 
- 6 CI jobs: rust-assembler, rust-primitives, ts-packages, install-dry-run, shell-lint, genesis-scan
- matrix: Ubuntu+macOS × rust-stable × Node 18/20/22
- closes 'no CI' -10% audit deduction
 2026-04-22 13:36:17 +08:00