6 commits

Author	SHA1	Message	Date
KeiSei84	3b54f0b5e0	feat(v0.44): pre-release audit — 1 CRITICAL + 4 HIGH + 4 MEDIUM patched ... Four-CLI parallel pre-release audit (Claude+Grok+Gemini+Copilot, each reviewing different angle) surfaced 9 real issues in v0.43. All fixed. ## Audit team & their finds - Claude (critic): code review — found #5 KEI_ALLOWED_ROOTS bypass, #6 macOS TMPDIR denylist conflict, #7 timeout doc drift, #9 failure-cache schema mismatch. - Gemini (security): wrote Rust PoC, verified — found #1 CRITICAL parent symlink for non-existent leaf, #2 TOCTOU await, #3 curl config injection, #4 env inheritance, #8 cwd. - Grok (architect): noted safe_tools.rs at 572 LOC (>200 Constructor threshold). Deferred decomposition to v0.45. - Copilot (docs): inspected README/encyclopedia, no blocker findings (1 Premium, 977k cached tokens). ## Fixes shipped [#1 CRITICAL] Parent-symlink bypass for non-existent leaf paths v0.42 only canonicalized PARENT. If THAT parent didn't exist either, the path fell through to "absolute as-is" with no canonicalization. E.g. /proj/symlink -> /Users/denis, then kei_write /proj/symlink/ newdir/file would write inside /Users/denis with no check. Fix: walk_up_to_canonicalize() — find DEEPEST existing ancestor, canonicalize THAT (resolving all symlinks in the existing prefix), then reattach the non-existent tail. [#2 HIGH] TOCTOU between validate_path and fs::write 60s of hook chain await between path check and write. Concurrent process could swap leaf for symlink during that window; fs::write followed it. Fix: open file with O_NOFOLLOW + write through the open fd (not the path again). Open() itself fails on symlink-swap. Edit + Write both patched. Falls back to plain tokio::fs on non-Unix. [#3 HIGH] curl config injection via MOONSHOT_API_KEY Was: token interpolated into printf 'header = "...%s..."' fed to curl --config. If token contained " + newline + 'url = "evil"', curl parsed the injected config and redirected. Fix: validate MOONSHOT_API_KEY matches [A-Za-z0-9_.-]+; reject any other chars before probe runs. [#4 HIGH] Subprocess env inheritance — secret leak via kei_bash Was: spawned bash inherited AWS_*, GITHUB_TOKEN, MOONSHOT_API_KEY, etc. Agent running `env` via kei_bash could exfiltrate all of them. Fix: apply_safe_env() — env_clear() + whitelist forward of PATH/ HOME/USER/LANG/TERM/SHELL/PWD/TMPDIR/LOGNAME/LC_*. Operators add named vars via KEI_SAFE_ENV_EXTRA. Applied to BOTH kei_bash spawn AND hook subprocess spawn. [#5 HIGH] KEI_ALLOWED_ROOTS unanchored prefix bypass Was: str::starts_with on raw user-supplied root. KEI_ALLOWED_ROOTS=/home/u/proj also allowed /home/u/proj-secrets/... Fix: normalize each entry to canonical + trailing slash; use Path::starts_with (component-aware). v0.44 combines with #6 fix (canonicalize symlinks like /var → /private/var on macOS). [#6 MEDIUM] macOS $TMPDIR denied by /var/ blanket Was: denylist included /var/, /private/var/ blanket entries. macOS $TMPDIR = /var/folders/... canonicalized to /private/var/ folders/... hit the denylist before allowed_roots was checked. Fix: (a) allowed_roots check FIRST; (b) narrowed denylist to /var/db/, /var/log/, /var/root/ (and /private/ counterparts) instead of blanket /var/. /var/folders + /private/tmp are now legitimate working dirs. [#7 MEDIUM] Timeout aggregate claim was always false Was: doc said "Hard cap on single chain + action ... 60s" — actually was per-step. For 3-hook chain, total = 4 * 60 = 240s. Fix: doc comment now honest about per-step semantics. Aggregate- deadline impl deferred to v0.45 (not security-blocking). [#8 MEDIUM] cwd not in hook input — hook approves wrong cwd Was: kei_bash accepts cwd arg but did not pass it to safety hooks. Hook could approve `rm -rf *` assuming PWD, while cwd actually pointed at /etc or ~/.ssh. Fix: include cwd in hook_input JSON. Hooks now see the real working dir for their decision. [#9 MEDIUM] Failure-fallback cache had different schema Was: emit '{"ts":"","status":"assembly-failed"}' — no per-CLI keys. Pet's .kimi.available_balance_usd read got null/error; kei-limits own per-CLI render loop emitted 5 malformed rows. Fix: failure-fallback emits same shape as success {ts, claude, grok, agy, copilot, kimi} with each marked status='assembly-failed'. LOW: empty old_string in kei_edit now rejected (was: silently prepended new_string since contents.contains("") is always true). ## Tests + smokes cargo test -p kei-mcp: 3/3 pass. 8 MCP smokes (all green after every audit round): - kei_bash blocks RULE 0.1 push - kei_bash passes echo OK - kei_write /etc/passwd → denied (system dir) - kei_write ../ → denied (.. segment) - kei_write ~/.ssh/ → denied (outside roots) - kei_write symlink-to-etc/passwd → denied (canonicalized) - kei_write ~/.claude/hooks/ → denied (substrate dir) - kei_write ~/.zshrc → denied (outside roots) NEW v0.44 smokes: - kei_write /Users/denis/.ssh/newdir/keys via /tmp/v44_link → denied - KEI_ALLOWED_ROOTS=/tmp/proj does NOT match /tmp/proj-evil - FAKE_SECRET=stolen → TOKEN=empty in subprocess (env stripped) - MOONSHOT_API_KEY='abc"NL_url="evil"' → rejected pre-probe - macOS $TMPDIR via KEI_ALLOWED_ROOTS works (canonicalize fix) ## Deferred to v0.45 - safe_tools.rs at 572 LOC — extract path_guard + chain_runner modules - Aggregate-deadline timeout (single Instant::now() + remaining) - Hardlink check (open fd then fstat + dev/ino compare) - INVALID_PARAMS used for missing-arg (currently INTERNAL_ERROR) - INVALID_PARAMS_REF dead code at EOF (silencer for unused import) These are correctness/style/architectural, NOT security blockers.	2026-05-26 23:00:34 +08:00
KeiSei84	65d17007c3	feat(v0.42): 6 fixes from 4-CLI re-audit (CRITICAL + 2 HIGH + 3 MED) ... Convergent dogfood audit by Claude+Grok+Gemini+Copilot on v0.41 surfaced that the v0.41 'fixes' were incomplete. 3 of 4 reviewers independently found the same CRITICAL bypass; Gemini wrote a Rust test suite to verify. ## Convergent findings → v0.42 fixes [#1 CRITICAL] Symlink leaf bypass (3-of-4 convergent) v0.41 only canonicalized PARENT, then re-attached leaf as-is. Exploit: 1. kei_bash 'ln -s ~/.ssh/authorized_keys ./cfg.txt' (passes the bash hook chain — ln itself is non-destructive) 2. kei_write file_path=cfg.txt content=<key> validate_path saw $PWD/cfg.txt (allowed) → fs::write followed leaf symlink → overwrote authorized_keys. Fix: canonicalize FULL path (incl. leaf) when file exists; for new files, symlink_metadata on leaf and reject is_symlink. Now the denylist check sees the real target. [#2 HIGH] $HOME blanket-allowed = self-neutering (2-of-4 convergent) allowed_roots() defaulted to [$PWD, $HOME], denylist only had 4 secret dirs. So kei_write $HOME/.claude/hooks/no-github-push.sh content='exit 0' was ALLOWED — agent could overwrite the substrate's own policy hooks. Similar attacks on ~/.zshrc (RCE on next shell), ~/.gitconfig, ~/.npmrc. Fix: default to $PWD only. Denylist extended with .claude/, .grok/, .gemini/, .copilot/, .kimi/, all major shell-init files, and additional credential paths. KEI_ALLOWED_ROOTS for explicit widening. [#3 HIGH] Empty-section fail-OPEN (Gemini test-verified) v0.41 'fail-closed on missing config' fix was incomplete: if config file existed but section [bash]/[edit]/[write] was empty, load_chain returned Ok(vec![]) → run_chain early-returned Ok → action ran ungated. Fix: empty chain also FAIL-CLOSED with same KEI_POLICY_CHAIN_OPTIONAL opt-in. [#4 MEDIUM] load_chain still blocked tokio worker (Claude) v0.41 fix #4 converted handle_edit/handle_write reads to tokio::fs but left load_chain on std::fs. Slow/hung mount on policy-chain.toml would freeze a worker for every safe_* invocation. Fix: load_chain → async + tokio::fs::{try_exists, read_to_string}. [#5 MEDIUM] process_group only applied to bash, not hooks (Claude) v0.41 fix #5 set_process_group on kei_bash's child shell, but the hook subprocess (spawned per-hook in run_chain) was NOT in its own group. On hook timeout, kill_on_drop killed only the immediate hook process; grandchildren orphaned — the exact failure mode fix #5 was meant to prevent. Fix: set_process_group + killpg also on hook spawn in run_chain. [#6 MEDIUM] Per-step vs aggregate timeout (Claude) Doc claimed 'Hard cap on single chain + action — 60s'. Actual: each hook gets independent 60s, then action gets another 60s. For a 3-hook bash chain that's 240s max — 4× documented. Status: documented as known-limit; single-deadline impl deferred to v0.43 (not security-blocking, just a doc/correctness drift). ## Verification (8 smokes — all green) /etc/passwd → denied (system dir) ✓ ../escape.txt → denied (../ segment) ✓ /tmp/symlink → /etc/passwd writeable → denied (resolved /private/etc) ✓ NEW ~/.claude/hooks/no-github-push.sh → denied (substrate dir) ✓ NEW ~/.zshrc → denied (shell-init file) ✓ NEW policy-chain.toml empty [bash] → FAIL-CLOSED ✓ NEW KEI_POLICY_CHAIN_OPTIONAL=1 → opt-in pass-through ✓ kei_bash git-push-github → BLOCKED (regression) ✓ kei_bash echo HELLO → returns content (regression) ✓ cargo test -p kei-mcp: 3/3 still pass. ## Architecture note from Grok Grok architect flagged: safe_tools.rs is 474 LOC, exceeds Constructor Pattern 200-line threshold. v0.42 does NOT refactor (security fixes shipped first); v0.43 will extract path_guard.rs + chain_runner.rs. ## Per-CLI audit value demonstrated Claude — 5 issues + 5 minor, exhaustive line-anchored analysis Grok — architectural review with grep-verified citations Gemini — wrote Rust test project to verify findings (PoC code!) Copilot — partial fact-check, ran out of mid-task	2026-05-26 21:33:54 +08:00
KeiSei84	8086bec486	feat(v0.41): patch 5 Gemini security findings + Copilot doc bug + claude/grok perms ... Audit pass via Phase C dogfooding (security-auditor @ Agy/Gemini reviewing our own safe_tools.rs) surfaced 5 real bugs. All fixed. ## Gemini findings (5 real bugs) [#1 HIGH] FAIL-OPEN on missing config/hook Before: missing policy-chain.toml → "passing through" warning; missing hook script → "skipped" warning. Misconfig silently disabled enforcement. After: both paths FAIL-CLOSED with clear error surfaced to caller. Tests/dev can opt in to pass-through via KEI_POLICY_CHAIN_OPTIONAL=1. [#2 HIGH] Path traversal in kei_edit/kei_write Before: no validation; attacker could pass file_path=/etc/passwd or $HOME/.ssh/authorized_keys. After: validate_path() rejects '..' segments, system dirs (/etc/, /usr/, /System/, /var/, /root/), and dotfile-secret dirs (~/.ssh/, ~/.aws/, ~/.gnupg/, ~/.config/gcloud/). Override via KEI_ALLOWED_ROOTS for explicit single-root confinement. [#3 HIGH] CLAUDECODE/GROKCODE env bypass Behavior unchanged — this guard is a perf/UX optimization to avoid double-firing hooks when called from inside Claude/Grok (which already ran their own PreToolUse). Documented explicitly as NOT a security boundary: attacker controlling parent env already owns the invocation. Module header gains a DESIGN NOTE making this load-bearing. [#4 MED] std::fs in async context Before: handle_edit/handle_write used std::fs::{read_to_string,write}, which block the tokio worker thread. Pathological paths like /dev/random would freeze a worker indefinitely. After: tokio::fs::{read_to_string,write}.await — async I/O, worker stays responsive. [#5 MED] kill_on_drop only kills immediate child Before: timeout in kei_bash drops the Child handle; tokio's kill_on_drop SIGKILLs only the shell. Grandchildren (e.g., 'sleep 1000 &') orphaned. After: Unix-only: spawn child in its own process group (Command::process_group(0)), and on timeout libc::kill(-pid, SIGKILL) to take down the whole group. New libc dep on Unix. ## Copilot doc fix Doc claimed "kei-mcp exposes 4 built-in tools" without saying spawn_agent lives in tools.rs while kei_bash/edit/write live in safe_tools.rs. Validator agent flagged this as FALSE/MISLEADING. Now the doc spells out the two-file structure + adds a v0.41 hardening summary. ## claude/grok subprocess permissions Cross-CLI audit demo revealed that 'claude -p' and 'grok --print' returned empty when invoked headless with a real audit task — they need explicit permission flags to use Read/Grep tools in non-interactive mode. Added: claude: --permission-mode=bypassPermissions grok: --always-approve agy: --dangerously-skip-permissions Override via KEI_AGENT_PERMISSIVE=0 to keep strict default. Re-verified: claude+grok both echo SMOKE-OK-V41 with the flag. ## Verification cargo test -p kei-mcp --release → 3/3 pass MCP JSON-RPC smoke (all 7): - tools/list shows 4 built-ins ✓ - kei_bash blocks RULE 0.1 push ✓ - kei_bash passes 'echo OK' ✓ - kei_write rejects /etc/passwd ✓ - kei_write rejects ../ traversal ✓ - kei_write rejects ~/.ssh/* ✓ - missing policy-chain → FAIL-CLOSED with clear error ✓ - KEI_POLICY_CHAIN_OPTIONAL=1 → opt-in pass-through ✓	2026-05-26 19:48:29 +08:00
KeiSei84	4e5e6bd2c0	feat(phase-C): cross-CLI hook enforcement via kei_bash/kei_edit/kei_write MCP tools ... Closes the "hooks only fire on Claude" gap. Phase C extends KeiSeiKit safety enforcement (no-github-push, safety-guard, destructive-guard, citation-verify, numeric-claims-guard) to any MCP-capable LLM CLI through a 3-tier honesty model. ## 3-tier model TIER 1 (full native): claude (existing), grok (port hooks to grok settings.json) TIER 2 (MCP-wrapped): copilot (--excluded-tools=shell + force kei_bash via MCP) TIER 3 (advisory): agy + kimi (cannot disable native shell; prompt-level only) ## Design (Constructor Pattern) 1. hooks/_lib/policy-chain.toml — SSoT: which hooks gate which tool (bash/edit/write) 2. _primitives/_rust/kei-mcp/src/handlers/safe_tools.rs — new module, 3 built-in MCP tools that synthesize Claude PreToolUse JSON, run hook chain, abort on exit-2, exec on all-pass. Same input contract → hooks reused as-is, no rewrite. 3. tools.rs short-circuit: kei_bash/kei_edit/kei_write dispatched before atom layer 4. 6 wire scripts: orchestrator + one per CLI (Constructor Pattern, no mixin) 5. bin/kei mcp-wire arm 6. docs/encyclopedia/cross-cli-policy.md — honest 3-tier matrix + verification ## Double-enforcement guard If kei-mcp invoked from a process with $CLAUDECODE=1 or $GROKCODE=1, the chain SKIPS — native hooks already fired. Wire scripts set these env vars in the MCP server registration for claude/grok respectively. On copilot/agy/kimi the env is unset → chain runs. ## Smoke (verified live) Block: kei_bash{command: forbidden-push-pattern} → JSON-RPC error -32603 with full "BLOCK — RULE 0.1 NO GITHUB PUSH" stderr ✓ Pass: kei_bash{command: "echo HELLO-FROM-KEI-BASH"} → result.content[0].text = "HELLO-FROM-KEI-BASH" ✓ tools/list: 4 built-ins present (spawn_agent + kei_bash + kei_edit + kei_write) ✓ ## Tests kei-mcp: 3/3 (tools_list assertions updated for atoms+4 built-ins). Build clean with toml = "0.8" dep added. ## Out of scope (deferred) - Codex CLI wiring (not installed locally) - ACP middleware proxy (transport, not middleware — ruled out at research) - Container/firejail sandboxing for agy/kimi (heavy; documented limit instead) - Native Rust PatternGate migration (optimization, separate phase)	2026-05-26 18:03:33 +08:00
KeiSei84	3fec43ea7e	feat(orchestrator): kei pick + spawn_agent MCP tool — true multi-LLM shell ... Closes the "Claude Code as single primary" gap. Now `kei` (no args) execs whichever CLI is configured as primary, and ANY MCP-capable orchestrator can spawn KeiSeiKit agents on any backend via the built-in spawn_agent tool. ## A — orchestrator picker bin/kei now reads ~/.claude/config/primary.toml and execs that CLI instead of hardcoding claude. New arms: kei pick interactive menu → set primary → launch it kei --on=<backend> one-shot launch of <backend> (no primary write) kei primary [<b>] get/set primary Splash shows `primary CLI: <backend>` so the orchestrator is visible. Failure mode: if primary's CLI isn't on PATH, prints install hint + offers `kei pick` recovery. scripts/kei-pick.sh — Constructor Pattern picker (<140 LOC). Lists all 6 backends with install status (✓/✗), highlights current primary, writes choice to primary.toml, execs the picked CLI. Honors stdin TTY gate (RULE TTY-INTERACTIVITY-GATE — -t 0, not -t 1) for non-interactive safety. ## B — spawn_agent MCP tool _primitives/_rust/kei-mcp/src/handlers/tools.rs gains a built-in `spawn_agent` tool, exposed alongside discovered atoms: - inputSchema: { name: str, task: str, on?: backend-enum } - Calls kei-agent-cli.sh internally with same DNA resolution - 60s timeout, kill-on-drop - Honors KEI_AGENT_CLI env for testing Smoke 2026-05-26 (MCP stdio JSON-RPC round-trip): spawn_agent(name=smoke-test, on=claude) → "SMOKE-OK" ✅ spawn_agent(name=smoke-test, on=grok) → "SMOKE-OK" ✅ Why it matters: Claude Code has a native Agent tool. Grok / Agy / Copilot / Kimi don't have an equivalent native sub-agent surface — but they all speak MCP. spawn_agent gives them KeiSeiKit's sub-agent capability when they're the orchestrator. The chosen orchestrator no longer caps the sub-agent fleet. ## Other _primitives/_rust/kei-mcp/Cargo.toml: tokio gains "io-std" feature (was missing — main.rs uses tokio::io::stdin/stdout). This fixes a latent build error unrelated to this PR (kei-mcp wasn't building cleanly before). Tests: tools_list assertions updated for the +1 built-in tool (3 total instead of 2 with atoms; 1 instead of 0 on empty root). All MCP tests pass. Assembler 3/3 golden tests still pass (provider field is optional).	2026-05-26 16:48:23 +08:00
Parfii-bot	0be354a920	KeiSeiKit-public — clean state ... Single-commit clean baseline after security scrub of niche-tells, project codenames, internal jargon, and contributor-email leaks. Contents: - 100 Rust crates (_primitives/_rust/) - 37 agent manifests (_manifests/) + generated specs (_generated/) - 67 user-invocable skills (skills/) - 33 hooks (hooks/) - Composition blocks (_blocks/) - Documentation (docs/, README.md) - TS adapter packages (_ts_packages/) - Assembler (_assembler/) - Roles (_roles/) - Templates (_templates/) - Forgejo CI (.forgejo/) Author: Denis Parfionovich <info@greendragon.info> License: see LICENSE.	2026-05-01 12:09:03 +08:00