15 commits

Author	SHA1	Message	Date
KeiSei84	2ffb3a8b1e	chore(public-prep): scrub author identity + private-IP references ... Pre-public Phase 1. Remove personal/IP traces that should not ship in a general-purpose kit; keep only intended author attribution. - no-github-push.sh + hooks-and-blocks.md + ci-scaffold: drop "KeiTech unfiled patent IP / trade secrets / priority date" wording; reword as a generic opt-in guard for keeping code on a private remote. - check-error-patterns.sh: remove author-local absolute path from the tombstone comment. - graph-export-watcher.sh: default viz dir to ~/.local/share/kei/graph-viz (was a personal project path). - agent manifests (cost-guardian, modal-runner, infra/ml/code-implementer) + ci.yml: strip private memory references and dated personal incidents; keep the generic cost/ops lessons. Snapshots regenerated; golden 3/3. Kept intentionally: author attribution (NOTICE / README / Cargo / plugin). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-25 15:00:07 +08:00
Denis Parfionovich	fc0758d2bb	chore: версия 0.38.0 единая + warning-fixes + mold для release-job ... 1. Версии npm-пакетов приведены к 0.38.0 (был зоопарк 0.14.0/0.14.6): _ts_packages/{,packages/{gmail,grok,mcp-server,recall,telegram,youtube}-adapter} 2. Rust warnings (cargo check workspace): - kei-cortex: deprecated validate_path → validate_path_lexical, удалён orphan-wrapper в read.rs, struct Input → pub(crate) - frustration-matrix: #[allow(dead_code)] на confusion_* поля EvalReport + train_from_dir (будущий CLI) 3. CI release.yml job 'release' падал на Build kei-changelog: clang invalid linker '-fuse-ld=mold' — в .cargo/config.toml жёстко прописан mold для linux. Добавлен Install mold шаг (как уже сделано в build-release matrix).	2026-05-18 13:41:37 +08:00
Parfii-bot	35136a9840	feat(npm-publish): keigit as primary registry, npmjs reserved for future ... - _ts_packages/tsconfig.base.json: sourceMap=false, declarationMap=false (source maps leaked absolute dev paths in published tarballs). - All 6 @keisei/* packages: publishConfig.registry = keigit.com. mcp-server bumped 0.14.5 -> 0.14.6 (republished without maps). - .github/workflows/release.yml split into two jobs: npm-publish-keigit: primary. Activates on KEIGIT_NPM_TOKEN + KEIGIT_NPM_USER secrets. Publishes via direct curl PUT (Forgejo requires Basic auth; npm CLI sends Bearer). npm-publish-npmjs: reserved for future. Activates on NPM_TOKEN secret. Currently no token -> job skipped gracefully. End-to-end verified: clean dir + scope @keisei -> keigit + npm install pulls 145 deps, no leaked paths, no .map files in any of 6 packages.	2026-05-17 00:18:44 +08:00
Parfii-bot	aaa8f36e10	perf(ci): P1+P2 — thin-LTO + cu=16 + mold linker (~17min → ~4-5min) ... Critical-path math (cargo workspace 105 crates × 3 matrix targets): - Current profile: opt-level=z + lto=true + codegen-units=1 = compile cost ~10-20× over default; observed wall-time ~17min/release run - After P1+P2 stack: predicted ~4-5min cold, ~1.5min warm == P1 — _primitives/_rust/Cargo.toml profile.release == - lto: true → "thin" (full LTO is 3-5× slower; thin keeps most opts) - codegen-units: 1 → 16 (parallel codegen restored, was serial) - Binary size cost: ~10-15% larger (acceptable for non-embedded targets) - VERIFIED: cargo check --workspace exits clean [REAL: ran in this session; 0 errors, warnings only] == P2 — mold linker for Linux targets == - New: _primitives/_rust/.cargo/config.toml (7 LOC) * x86_64-unknown-linux-gnu + aarch64-unknown-linux-gnu use clang+mold * macOS targets unaffected (use system ld + LLVM) - New step in .github/workflows/release.yml::build-release: Install mold linker (Linux only) — apt-get mold clang Gate: `if: contains(matrix.target, 'linux')` - Inserted AFTER rust-toolchain BEFORE rust-cache - Predicted gain: link phase 60s → 6s on Linux entries == P3 — explicitly NOT applied == - Path-filter on docs-only commits considered + rejected per task spec: Release tags should always rebuild even if commit only touches docs. Files: - _primitives/_rust/Cargo.toml (+2/-2 LOC) - _primitives/_rust/.cargo/config.toml (NEW, 7 LOC) - .github/workflows/release.yml (+5/-0 LOC, mold install step) [ESTIMATE-HTC: rustc + mold benchmarks claim 3-5× and 5-10× respectively on full release builds — not re-benchmarked on this 105-crate workspace yet; will measure on next v* tag push] NOTE: this commit does NOT retag — keigit publish 401 issue is on the keigit-server side (verified: token works locally, 401 from runner IP) and requires user-side action (fail2ban/Caddy whitelist GitHub Actions IP ranges on 45.77.41.204). After user fixes that, next tag will verify both speed gain AND publish success. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-04 01:32:29 +08:00
Parfii-bot	0c3584d9ee	diag(release): v0.14.5 — keigit auth diagnostic step before publish ... v0.14.4 failed with same 401 despite local-probe showing path-scoped + Basic-auth fallback work. Adding a diagnostic step BEFORE publish: - npm whoami against keigit - curl Bearer probe (read endpoint /api/v1/user) - curl PUT probe (publish endpoint with empty body) - npm config dump (registry resolution) Will reveal: - Whether token actually authenticates from runner network - Whether npm correctly resolves @keisei:registry to keigit URL - Whether something in CI environment is rewriting/blocking the auth header Bump 0.14.4 → 0.14.5 to trigger fresh release run. [FROM-JOURNAL: this session — local probe confirms .npmrc form works, CI rejects with 401, narrowing to runner-environment issue] Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-04 01:03:39 +08:00
Parfii-bot	8a885a7d76	fix(release+slices): v0.14.4 publish auth fallback + 4 fix-implementer slices ... After v0.14.3 npm-publish failed again with 401 Unauthorized despite path-scoped _authToken. Direct curl probe to keigit confirmed BOTH Bearer and Basic auth schemes work — so the issue is npm 10 not sending the auth header in CI. Likely cause: deprecated `always-auth=true` interfered with token resolution. == Publish auth fix == - Drop `always-auth=true` (deprecated in npm 10+; warns in logs) - Keep path-scoped `_authToken` (npm 10 canonical) - Add legacy Basic-auth fallback rows (username/_password/email) — Forgejo accepts both schemes per direct probe; if one resolution path fails, npm tries the other - chmod 600 on $HOME/.npmrc and project .npmrc (defense-in-depth) - Bump 0.14.3 → 0.14.4 == Slice A — TS server hardening (Sonnet code-implementer-typescript) == File: _ts_packages/packages/mcp-server/src/server.ts (+3/-1) File: _ts_packages/packages/mcp-server/src/index.ts (+14/-4) - safeEqual constant-time path on length mismatch (timing oracle close) - HTTP server defaults to 127.0.0.1 bind; --bind <addr> opt-in for 0.0.0.0 - Body cap 1 MiB with 413 response (DoS prevention) - VERIFIED: tsc -b --noEmit exit 0 == Slice B — Outcome-only profile hardening (Sonnet code-implementer) == Files: install.sh, install/lib-args.sh, install/lib-profile-outcome-only.sh - Confirm-screen gate before destructive install (skips on --dry-run / --yes) - _outcome_install_ledger return value tracked → summary reflects reality (was: false-success "ledger: ..." when init failed) - --dry-run silent-ignored on non-outcome profiles → now warns - VERIFIED: end-to-end smoke against fake $HOME with `<<< "y"` — all 5 files installed, schema v9 + 2 triggers, summary correct == Slice D — jq-merge dedup tuple (Sonnet code-implementer) == File: install/lib-hooks.sh - Replaced `unique_by(.command)` with reduce-into-object keyed on norm-ed command (tilde-vs-absolute path collision fix) - Snippet-wins precedence on collision - 3 manual scenario traces pass: tilde+tilde, absolute+tilde, idempotency == Slice E — Doc honesty pass (Sonnet code-implementer, selective-merged) == Files: README.md, docs/{INSTALL,ARCHITECTURE,PROFILE-OUTCOME-ONLY}.md Note: Slice E worktree was based on an older main commit; merged selectively to preserve current-main values (565 DNAs, not worktree's 518) - README:62 plugin marketplace URL: KeiSei84/KeiSeiKit → KeiSei84/KeiSeiKit-1.0 (consistent with line 66 git clone URL + Cargo.toml repository field) - README:9-15: per-claim [REAL: <command>] markers on all 8 numerics - README:124-132 + PROFILE-OUTCOME-ONLY.md:43-55 + ARCHITECTURE.md:288-302: rephrase 100-row router claim — now describes Wilson lower-bound (δ=0.10, q*=0.70) continuous metric with file:line pointer to select.rs - INSTALL.md: ESTIMATE-HTC marker covering all install-time / disk-size numerics in profile table (RULE 0.18 compliance) - PROFILE-OUTCOME-ONLY.md privacy section: discloses agent-toolstats.jsonl sidecar (was undocumented per W3 finding) - PROFILE-OUTCOME-ONLY.md uninstall: added 6th rm -f for .bak-* cleanup (closes orphan-accumulation per W3+W4 audits) [FROM-JOURNAL: tasks.jsonl this session — 12 audit agents waves 5+6 + 4 parallel fix-implementer worktrees ran ~25 min wall-time] Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-04 00:16:48 +08:00
Parfii-bot	ca99f78f66	fix(release): path-scoped npmrc + hard-fail publish (v0.14.3 retry) ... v0.14.2 publish run reported "success" but @keisei/mcp-server NEVER landed on keigit because: 1. Host-scoped `.npmrc` token (`//keigit.com/:_authToken=...`) was silently ignored by npm 10 — every publish errored with ENEEDAUTH. 2. The publish loop's `|| echo ":⚠️:"` swallowed the failure so the job exited 0 (W1+W3 finding F3). Two fixes in one commit: A) Path-scoped npmrc per Forgejo docs: `//keigit.com/api/packages/keisei/npm/:_authToken=${KEIGIT_TOKEN}` + `always-auth=true` for scoped registry. Also tee'd to $HOME/.npmrc so the publish loop's `cd packages/<pkg>` cwd doesn't lose the auth line. [VERIFIED: curl PUT with Bearer to /api/packages/keisei/npm/ returns 400 "package is invalid" (auth ACCEPTED, payload bad) — auth format is correct] B) Hard-fail publish loop for packages with publishConfig: - Iterate all packages - For each: read .publishConfig presence - If publish errors AND has publishConfig → record gated_failed=1 - If publish errors AND no publishConfig → notice "skipped" (adapter without registry pin reached npm.org default, expected fail) - End of loop: exit 1 if any gated_failed - Adapters without publishConfig (gmail/grok/recall/telegram/youtube) correctly skip; only @keisei/mcp-server is gated, and a real failure now blocks the job. Bump 0.14.2 → 0.14.3 (0.14.2 tag exists with previous failed publish). Verification done locally: - PAT owner Parfionovich is member of org keisei [REAL: api/v1/user + api/v1/users/Parfionovich/orgs] - Bearer auth to keigit npm registry works [REAL: curl probe → 400 "package invalid", not 401 "unauthorized"] - Cargo workspace clean [REAL: cargo check exit 0] After tag v0.14.3: - npm-publish job creates .npmrc with path-scoped auth - Publishes @keisei/mcp-server@0.14.3 to https://keigit.com/api/packages/keisei/npm/ - Adapters skip cleanly (no publishConfig, no NPM_TOKEN) - Job exits 0 only if mcp-server actually landed Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-03 23:48:07 +08:00
Parfii-bot	cbed9e2275	fix(release): decouple npm-publish + drop x86_64-darwin (v0.14.2 retry) ... v0.14.1 tag triggered Release workflow but npm-publish was SKIPPED because Rust matrix entry x86_64-apple-darwin failed and release job needs:[build-release, build-mcp-binary]; npm-publish needs:release. Single Rust target failure → entire publish chain blocks. This was the W3 Opus CI/build finding deferred from audit-batch-2. Two fixes: 1. **Drop x86_64-apple-darwin from build-release matrix.** GitHub's `macos-latest` runner is now Apple Silicon (M1+); cross-compile to x86_64 needs an OpenSSL sysroot that the arm64 image doesn't ship. `openssl-sys 0.9.114` build fails with "Could not find openssl via pkg-config: pkg-config has not been configured to support cross-compilation". Apple Silicon mandatory for new Macs since 2020; x86 Mac is legacy. If a future user needs x86 darwin, re-add with `experimental: true` and `openssl-sys` features=["vendored"]. 2. **Decouple `npm-publish` from `release`.** The npm package builds its own `dist/` from `_ts_packages/` — it does NOT consume Rust release tarballs. Previously `needs: release` meant a single Rust matrix failure blocked the npm publish even though the two are architecturally independent. Now `needs: []` (parallel with build-release matrix). KEIGIT_TOKEN-presence guard still gracefully skips when secret is absent. Bump version 0.14.1 → 0.14.2 (v0.14.1 tag already exists from prior run). After re-tag v0.14.2: - build-release matrix: 3 targets (was 4) — should all succeed - build-mcp-binary: 5 platforms (unchanged) — already passed in 0.14.1 run - release job: produces GitHub Release with 3 Rust tarballs + 5 MCP binaries - npm-publish job: runs in PARALLEL, publishes @keisei/mcp-server@0.14.2 to keigit regardless of Rust matrix status [FROM-JOURNAL: tasks.jsonl this session — v0.14.1 release run 25280711426 ran 14m wall, 8/9 jobs success, x86_64-darwin failed at openssl-sys build, release+npm-publish skipped via needs-chain] Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-03 22:30:50 +08:00
Parfii-bot	94a7d682c4	feat(mcp-server): production publish path via keigit.com (Forgejo npm) ... Wire @keisei/mcp-server publish to the author-operated keigit.com Forgejo npm registry. Verified live: keigit.com → 45.77.41.204 (Vultr, public DNS), Caddy → Forgejo 9.0.3, TLS valid, /api/v1/version=200. Why keigit, not GitHub Packages or npm.org: - keigit IS the canonical npm registry for the @keisei scope (operator runs it; no separate vendor account needed) - npm scope @keisei stays @keisei (no rename to match a github org) - Public DNS resolves from any client; auth via per-user PAT - One auth surface for both the git remote and the npm registry Files changed (7): - _ts_packages/packages/mcp-server/package.json · removed `private: true` (was blocking ALL publish, including ours) · added publishConfig.registry = https://keigit.com/api/packages/keisei/npm/ so accidental `npm publish` cannot route to npm.org · added repository field (provenance link to KeiSeiKit-1.0) · added license: Apache-2.0 - README.md (2 hunks): maturity row + install section say "published to keigit.com", show ~/.npmrc setup - PLUGIN.md (3 hunks): same updates referencing keigit - .claude-plugin/mcp-template.json: _comment updated - docs/encyclopedia/substrate-overview.md (1 hunk): MCP row says "alpha" not "stable" + clarifies registry+scope - .github/workflows/release.yml: npm-publish job rewired: · KEIGIT_TOKEN secret instead of NPM_TOKEN as gate · Two-row .npmrc temp-write: @keisei → keigit.com (always when KEIGIT_TOKEN set), npm.org auth as optional fallback · .npmrc cleanup via `if: always()` step - .gitignore: _ts_packages/.npmrc + .npmrc excluded (RULE 0.8) Verification: - node -e 'require("./.../package.json")' parses clean, publishConfig pinned to keigit, private:false [REAL: ran in session] - `npm run build --workspace=@keisei/mcp-server` → tsc -b exit 0, dist/index.js produced [REAL: built in session] - Server starts: `node dist/index.js` lives >1s, doesn't throw, reports expected `[adapters] not installed` for un-built siblings - keigit.com reachable from this machine: HTTP 200 root + Forgejo 9.0.3 version endpoint [REAL: curl ran in session] Required user-side setup before first publish: 1. Create user/org `keisei` on keigit.com (web UI; currently /keisei → 404) 2. Generate a keigit PAT with write:package scope 3. Add as github repo secret KEIGIT_TOKEN 4. Push tag v0.14.1+ → release workflow's npm-publish job picks it up History note: - Earlier in this session a github-packages-scope-rename variant (commit a6f1c72) was pushed; reverted by 542a0a8 because keigit is the right registry. Current commit lands the keigit wiring on top of the revert. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-03 18:11:24 +08:00
Parfii-bot	542a0a816e	Revert "feat(mcp-server): production-ready publish path via GitHub Packages" ... This reverts commit a6f1c72472.	2026-05-03 18:04:00 +08:00
Parfii-bot	a6f1c72472	feat(mcp-server): production-ready publish path via GitHub Packages ... Renamed @keisei/mcp-server → @keisei84/mcp-server (scope must match github org KeiSei84 for GitHub Packages publish). Replaced private:true with publishConfig pinned to npm.pkg.github.com so an accidental `npm publish` cannot leak to npm.org. CI npm-publish job rewired to GitHub Packages auth (GITHUB_TOKEN with packages:write permission). Why GitHub Packages, not npm.org: - Authentication piggybacks on existing github org / PAT — no separate account or NPM_TOKEN required for the core kit - Scope @keisei84 maps 1:1 to org KeiSei84 (npm rule for github) - Doesn't require public DNS for our private Forgejo (Tailscale-only 100.91.246.53 cannot be the publish target — IP-leak in public ref) - Published artefacts live under github.com/orgs/KeiSei84/packages, same access surface as the source repo Why not @keisei (un-scoped or different scope): - npm scope @keisei IS reachable on npm.org but we don't own it there (would require email-verified npm account claim + ongoing maintenance) - @keisei84 requires zero new accounts; works the moment KeiSei84 org has packages enabled (github default) Files changed (11): - _ts_packages/packages/mcp-server/package.json — rename + publishConfig + repository field (required by GitHub Packages); removed private:true - _ts_packages/package-lock.json — regenerated via `npm install` (workspace recognises @keisei84/mcp-server symlink) - README.md (2 hunks) — maturity row says "alpha" not "alpha (unpublished)"; install section documents `~/.npmrc` setup for `@keisei84:registry=https://npm.pkg.github.com/` - PLUGIN.md (3 hunks) — same `~/.npmrc` setup; .mcp.json references @keisei84/mcp-server; "not yet on npm" replaced with "lives on GitHub Packages, not npm.org" - .claude-plugin/mcp-template.json — args use @keisei84 scope - _ts_packages/README.md (4 hunks) — package layout + npx examples - docs/INSTALL.md, install/lib-rust.sh — comment refs - docs/encyclopedia/substrate-overview.md (2 hunks) — package table + publishing notes (was "published to keigit.com npm" — wrong; keigit is a separate community-publish path for user-contributed packages, not the destination for core @keisei84 packages) - .github/workflows/release.yml — npm-publish job rebuilt: · permissions: packages:write · Two-scope .npmrc temp-write: @keisei84 → npm.pkg.github.com (always), @keisei → npm.org (only if NPM_TOKEN secret set, else skipped per pkg) · NODE_AUTH_TOKEN sourced from GITHUB_TOKEN · .npmrc cleaned up via `if: always()` step - .gitignore — _ts_packages/.npmrc + .npmrc excluded (RULE 0.8: auth tokens never in git; CI temp-creates per-job) Verification: - `npm install` clean against new scope: node_modules/@keisei84/mcp-server symlinks to packages/mcp-server, other adapters untouched in node_modules/@keisei/* [REAL: install ran 2026-05-03 in this session] - `npm run build --workspace=@keisei84/mcp-server` produces dist/index.js [REAL: tsc -b exit 0] - Server starts cleanly: `node dist/index.js` runs >1s, emits expected "[adapters] not installed" warnings for un-built sibling adapters, doesn't throw - 17 references to old @keisei/mcp-server scope migrated; 0 left [REAL: grep -rn "@keisei/mcp-server" returns 0 lines] Bad-commit-hygiene note: - Two earlier local commits (cb8dc2a + revert 474fe1c) attempted a keigit.com-pinned variant; soft-reset past them so this commit lands on top of public 2bb2f10. Bad commits never reached remote. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-03 17:50:59 +08:00
Parfii-bot	3043188da2	fix(ci): leak-check uses awk instead of sed (shellcheck SC2001) ... Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-01 21:15:09 +08:00
Parfii-bot	ce3deb43fa	fix(ci): leak-check allowlists itself (workflow contains pattern as detection rule) ... leak-check.yml has the pattern 'denisparfionovich' as a literal in its grep. On first run after install, it flags itself. Same fix as the local .git/hooks/pre-commit — allowlist the workflow file alongside NOTICE/README. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-01 20:04:36 +08:00
Parfii-bot	a23910d445	chore(security): scrub username paths from public artefacts + leak-check CI ... Public repo had absolute paths revealing username: - 5 _manifests/*.toml — companion_memory_files had author-time hardcoded ~/.claude/projects/-Users-<user>/memory/... paths - 5 _generated/*.md — same paths rendered through to public output - docs/DNA-INDEX.md — 107 absolute paths (kei-dna-index emits absolute for atoms but relative for primitives — generator inconsistency) - skills/escalate-recurrence/SKILL.md — 2 instructional path examples Substitution: ~/.claude/projects/-Users-<user>/memory/ -> ~/.claude/memory/ /Users/<user>/Projects/KeiSeiKit-public/ -> <relative> Defence-in-depth: - .github/workflows/leak-check.yml — CI gate (PR + push to main) - (local) .git/hooks/pre-commit — maintainer-side guard with allowlist for legitimate detection-rule files (the hook + the workflow itself) NOTICE + README byline allowlisted (intentional copyright). No secrets exposed — only metadata (username + private-memory filenames). DNA-INDEX root-cause fix in kei-dna-index Rust binary tracked as TODO. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-01 19:59:29 +08:00
Parfii-bot	0be354a920	KeiSeiKit-public — clean state ... Single-commit clean baseline after security scrub of niche-tells, project codenames, internal jargon, and contributor-email leaks. Contents: - 100 Rust crates (_primitives/_rust/) - 37 agent manifests (_manifests/) + generated specs (_generated/) - 67 user-invocable skills (skills/) - 33 hooks (hooks/) - Composition blocks (_blocks/) - Documentation (docs/, README.md) - TS adapter packages (_ts_packages/) - Assembler (_assembler/) - Roles (_roles/) - Templates (_templates/) - Forgejo CI (.forgejo/) Author: Denis Parfionovich <info@greendragon.info> License: see LICENSE.	2026-05-01 12:09:03 +08:00