Root causes found by reproducing a clean install from keigit:
1. PROFILE_PRIMS resolved only inside check_prereqs → unbound for
--no-execute (plan showed 0 prims for every profile) and silently
empty for --skip-prereqs. Now resolved unconditionally in install.sh
before any reader (SSoT).
2. Every profile (even minimal, advertised "no Rust compile") fell back
to a 5-15 min `cargo build --workspace` because no prebuilt release
binaries exist. Auto-set KEI_SKIP_RUST for profiles with no rust
primitives → minimal installs in ~18s (assembler only). cargo stays a
hard prereq because the agent assembler always compiles.
3. The assembler aborted the WHOLE install on any single bad manifest
(set -e). generate_agents is now tolerant: bad manifests print FAIL
but hooks/skills/settings still land. Commit-time validate stays strict.
4. Data bugs that broke the assembler:
- duplicate [taxonomy] table in _roles/{auditor,merger}.toml
- fal-ai-runner handoff → keimd-expert (not shipped in kit)
- infra-implementer-cicd forbidden_domain literal `${{ secrets.NAME }}`
collided with assembler ${{ }} placeholder detection
5. Metadata: KeiSei84 (nonexistent GitHub org) → KeiSeiLab/KeiSeiKit-1.0
across plugin manifests, bootstrap, README, docs, Cargo/npm metadata.
.claude-plugin/{plugin,marketplace}.json 0.16.0 → 0.38.0. SECURITY.md
supported version 0.14.x → 0.38.x.
feat: ship KeiSei tamagotchi statusline into the kit
- scripts/keisei-pet{,-update}.sh (portable, state under ~/.claude/pet/)
- install copies them to ~/.claude/scripts/
- settings-snippet adds statusLine (set-if-absent, never clobbers an
existing one) + 4 pet-update hooks (prompt/rust_write/github_block/sleep)
Verified: clean minimal install RC=0, zero FAIL, 38 agents + 52 hooks +
68 skills, settings valid, statusLine wired, pet renders, idempotent re-run.
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Three independent shell hardening fixes from Opus Shell + Sonnet Shell audits.
1. disk-reclaim.sh Guard 3 — protect branches without upstream tracking (HIGH)
File: hooks/disk-reclaim.sh:88-101
Bug: when a worktree branch has no upstream tracking ref, `git log @{u}..`
exited non-zero and `unpushed=""` (empty). The check
`[ -n "$unpushed" ] && [ "$unpushed" != "0" ]` evaluated FALSE, so the
worktree fell through Guard 3 and was eligible for mtime-based pruning.
Local-only branches with committed work were silently deleted.
Fix: explicit two-branch logic. Run `git rev-parse --abbrev-ref @{u}` first;
only run the unpushed-count check if upstream exists. If no upstream, log
SKIP[no-upstream] and `continue` conservatively. New
`worktrees_skip_unpushed` counter increments in both unpushed paths.
2. secrets-pre-guard.sh — placeholder allowlist scope-narrow (MEDIUM)
File: hooks/secrets-pre-guard.sh:43-103
Bug: word "placeholder" anywhere in content disabled all secret-pattern
scanning for that whole Write. Allowlist was too broad — a doc with the
word "placeholder" in its prose could mask a real sk-ant- token elsewhere.
Fix: replaced global early-exit with per-line awk scan. New scan_pattern()
helper walks content line-by-line; each line matching a secret regex is
allowed ONLY if the SAME line also matches ALLOWLIST_RE. Doc prose can no
longer mask cross-line secrets. Added `dummy[_-]?(key|token|secret)` to
allowlist for legitimate test fixtures.
3. lib-rust-prebuild.sh — sha256 fail-closed (HIGH supply-chain)
File: install/lib-rust-prebuild.sh:75-88
Bug: when ${url}.sha256 404'd, installer printed WARNING and proceeded with
unverified tarball. A compromised github release uploader could ship a
malicious tarball, omit .sha256, and the installer would extract it into
~/.cargo/bin/.
Fix: missing .sha256 → ERROR + abort. Path A install fails → falls back to
Path B (cargo build from source). Override via KEI_ALLOW_UNVERIFIED_TARBALL=1
(visible per-call, intentional friction).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Pre-fix: install.sh on a fresh clone has no binaries — target/ is gitignored,
copy_prebuilt_substrate_binaries() skips silently with "no pre-built found",
end users get zero kei-fork / kei-ledger / kei-cortex / etc.
New module: install/lib-rust-prebuild.sh (~120 LOC, Constructor Pattern).
ensure_rust_binaries() — main entry, idempotent
1. has_prebuilt_substrate_binaries() — quorum check (5+ kit binaries already in
target/release/ → no-op).
2. Else Path A: download keisei-${TARGET}.tar.gz from
https://github.com/KeiSei84/KeiSeiKit-1.0/releases/latest/download/
Detects target via uname (x86_64/aarch64 × darwin/linux), verifies
sha256, extracts into target/release/.
3. Path A fail (404, network, sha mismatch) → Path B fallback:
cargo build --release --workspace (slow first time, requires Rust).
4. Path B fail (no cargo) → say + return non-zero.
Bypass: KEI_SKIP_RUST=1 — skip both paths (markdown-only install).
Wired in install/lib-rust.sh — ensure_rust_binaries() called BEFORE
copy_prebuilt_substrate_binaries() in regenerate_rust_workspace.
Path A activates ONLY after a v* tag is pushed and release.yml uploads
tarballs to github releases. Until then, Path A 404s and Path B kicks in.
This commit lays the wire — release tag is a separate user-driven action.
Verify:
- bash -n install.sh: OK
- bash -n install/lib-rust-prebuild.sh: OK
- detect_rust_target on this host: aarch64-apple-darwin
- has_prebuilt_substrate_binaries: correctly returns false on partial dev
target (only kei-memory + kei-db-contract built locally today)
Out of scope (not done in this commit):
- Tag v0.X release to populate github tarballs (deploy step, deferred)
- Update keiseikit.dev/install.sh redirect target (downstream wiring)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
