Pre-tag bump. publishConfig.registry already pinned to
https://keigit.com/api/packages/keisei/npm/. KEIGIT_TOKEN secret
configured on github KeiSei84/KeiSeiKit-1.0 repo. keigit org
`keisei` (id=5) created and verified live.
Verification:
- `npm run build --workspace=@keisei/mcp-server` exits 0
[REAL: ran in this session]
- dist/index.js produced (4125 bytes)
- Token works: `GET /api/v1/user` with PAT → 200
- Registry empty: `GET /api/packages/keisei/npm/` → 404 (expected)
After tag v0.14.1 pushes, the release workflow's npm-publish job
runs `npm publish --access public` which routes via publishConfig
to keigit. Expected: package lands at
https://keigit.com/keisei/-/packages/npm/@keisei%2Fmcp-server
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

12-agent audit (waves 3+4 Opus+Sonnet) on commit 88de01c found that 2 of
my prior fixes had regressions, plus the prev batch missed 8 stale-text
sites and 2 latent bugs. This batch closes them all.
== Regressions in audit-batch (88de01c) — now fixed ==
1. PRAGMA user_version=9 placement — could silently downgrade schema on
cross-version install (existing v10 DB → re-run reset to 9 →
migrations replay → ALTER TABLE duplicate-column errors)
- install/sql/outcome-only-schema.sql: PRAGMA moved OUTSIDE the
transaction (after COMMIT) for portability across SQLite versions
- install/lib-profile-outcome-only.sh::_outcome_install_ledger:
added downgrade guard — reads existing user_version BEFORE running
ANY init path; if >9, skips entirely (preserves newer schema)
- VERIFIED: simulated v10 DB → re-run prints "skipping init to
preserve newer schema"; user_version stays at 10 (was downgraded
to 9 in the prior batch) [REAL: ran in this session]
2. backup_file mv→cp workaround left orphan backups + bypassed rollback
contract (BACKUP_PAIRS not registered)
- install/lib-profile-outcome-only.sh: now manually appends to
BACKUP_PAIRS so rollback trap restores on later failure;
removes the .bak on success path
- Comment updated to explain the workaround vs backup_file mv
3. CLAUDE.md skip-guard "STATUS-TRUTH MARKER" was too broad —
false-positive on existing kit users (RULE 0.16 doc text matches)
- lib-profile-outcome-only.sh: changed grep to literal HTML comment
marker `<!-- outcome-only profile (KeiSeiKit) -->` (specific marker
written by the installer itself)
== Tier 1 missed in prev batch — now fixed ==
4. _ts_packages/package-lock.json referenced packages/cortex-ui which
does NOT exist on disk → npm ci would fail with ELSPROBLEMS in CI
- Regenerated via fresh `rm package-lock.json && npm install`
- npm ci now exits 0 cleanly [REAL: ran in this session]
- Lockfile shrunk 2403→0 lines on the cortex-ui section (full regen)
5. v3 triggers (branch length cap ≤256) were MISSING from
outcome-only-schema.sql — sqlite3 fallback path skipped a schema
feature that the Rust kei-ledger flow enforces, creating cross-flow
drift
- Added trg_agents_branch_len_ins + trg_agents_branch_len_upd
mirroring migrations_list.rs:30-44
- Header comment in outcome-only-schema.sql rewritten to match
current behavior (was stale)
- VERIFIED: end-to-end install creates 2 triggers [REAL: sqlite3
.schema | grep trg_agents_branch_len returns 2]
6. README.md:232 said "102 crates" while README.md:9 said "105 crates"
— internal contradiction in same doc
- README:232 → "105 workspace crates"
7. ARCHITECTURE.md:165 "53 Rust crates + 13 shell primitives" stale
- Updated to "105 Rust workspace crates (47 declared in MANIFEST.toml
`full` profile) + 14 shell primitives"
8. ARCHITECTURE.md:157 "45 /commands" stale
- Updated to 68
9. plugin.json + marketplace.json description strings still had
pre-fix counts (23 primitives / 39 skills / 9 hooks / 12 agents)
- Both rewritten to match README:9 SSoT (38 agents / 68 skills /
38 hooks / 105 workspace crates / 47 installable + 14 shell)
10. PROFILE-OUTCOME-ONLY.md:28-29 "What does NOT get installed" still
cited 102/67/37/82
- Updated to 105/68/38/85
11. encyclopedia/substrate-overview.md §6/§11/§12 still said
"80-char DNA"; §13 said "495 DNA indices"; §6 said "11 install
profiles (.../Cursor/Continue/etc)"
- All 4 sites fixed to current language (≥33-char variable, 565
DNAs, 12 install profiles)
12. docs/DNA-INDEX.md:1352 said wire format is "(80 chars)"
- Updated to "(≥33 chars; role + caps slugs are variable — see
docs/DNA-FORMAT.md)"
== Tier 2 honesty fixes ==
13. Wagner et al. 2004 citation in SLEEP-LAYER.md:26 lacked [VERIFIED]
marker (W3 doc consistency caught it)
- Added [VERIFIED: doi:10.1038/nature02223] + clarification that
the original study did not isolate a specific sleep stage; SWS
attribution comes from secondary literature (Diekelmann/Born)
14. PHILOSOPHY.md:125 attributed "overnight consolidation of un-finished
intentions" to Wagner 2004 — that paper is about insight gain on
the Number Reduction Task, not Zeigarnik-effect cued memory
- Rewritten to accurately describe Wagner 2004's actual finding +
[VERIFIED: doi:10.1038/nature02223]
Verification:
- `npm ci` in _ts_packages/ exits 0 [REAL: ran in this session]
- `cargo check --workspace` exits 0 in _primitives/_rust [REAL: ran in
this session]
- Outcome-only end-to-end fresh install produces user_version=9 +
2 triggers (correct schema shape)
- Outcome-only re-run against v10 DB preserves user_version=10
(downgrade guard works)
- CLAUDE.md skip-guard now triggers ONLY on literal marker, not on
RULE 0.16 phrase
NOT addressed in this batch (deferred to a future round):
- github KeiSei84/{KeiSeiKit, KeiSeiKit-1.0} 404 (user-side action:
publish repo or update refs)
- keigit user `keisei` does not exist (user-side: create org or
rename scope)
- KEIGIT_TOKEN secret not configured (user-side action)
- Forgejo registration disabled (admin-side)
- safeEqual timing leak in TS server (LOW per W3 reassessment)
- HTTP bind 0.0.0.0 default (MEDIUM)
- Unbounded request body (MEDIUM)
- Outcome-only confirm-screen bypass (RULE 0.1 spirit)
- Ledger fallthrough false summary
- Node 20 deprecation (deadline 2026-06-02, 30 days)
- Hook count triple-discrepancy (38 README / 53 DNA-INDEX / 35 maturity-row)
- 100-row router claim still in README:117 + PROFILE-OUTCOME-ONLY.md
- INSTALL.md numerics without [REAL:] markers
- Stale .bak files accumulation policy (cosmetic)
- README per-claim [REAL: ] markers for 6 of 7 numerics
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
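
The `user_version` downgrade from item 1 of the commit message above, reproduced against an in-memory SQLite database. This is an added example, not code from the commit or from KeiSeiKit. The `agents` table layout, the contents of migration 10 and all function names are assumptions made for illustration; only the version numbers 9 and 10 come from the message.

```python
import sqlite3

INIT_VERSION = 9  # version the schema script stamps, per the commit message

# Constructed stand-ins: the table, column and migration are assumptions.
INIT_SQL = "BEGIN; CREATE TABLE IF NOT EXISTS agents (id INTEGER PRIMARY KEY, branch TEXT); COMMIT;"
MIGRATIONS = {10: "ALTER TABLE agents ADD COLUMN note TEXT"}


def user_version(conn):
    return conn.execute("PRAGMA user_version").fetchone()[0]


def migrate(conn):
    """Apply every migration newer than the stamped user_version."""
    for version in sorted(MIGRATIONS):
        if version > user_version(conn):
            conn.execute(MIGRATIONS[version])
            conn.execute(f"PRAGMA user_version = {version}")


def install(conn, guard=True):
    """Run the init path; with guard=True, refuse to touch a newer schema."""
    if guard and user_version(conn) > INIT_VERSION:
        return "skipped"
    conn.executescript(INIT_SQL)
    # Stamped after COMMIT, outside the transaction, as the commit describes.
    conn.execute(f"PRAGMA user_version = {INIT_VERSION}")
    return "initialized"


def simulate(guard):
    """Fresh install, upgrade to v10, then re-run the installer."""
    conn = sqlite3.connect(":memory:")
    install(conn, guard)
    migrate(conn)                     # database is now at v10
    outcome = install(conn, guard)    # the cross-version re-run
    version_after = user_version(conn)
    try:
        migrate(conn)                 # replays migration 10 if the stamp fell to 9
        replay = "ok"
    except sqlite3.OperationalError as exc:
        replay = str(exc)
    conn.close()
    return outcome, version_after, replay


if __name__ == "__main__":
    print("unguarded:", simulate(guard=False))
    print("guarded:  ", simulate(guard=True))
```

Without the guard the re-run stamps the database back to 9 and the next migration pass fails on the column that already exists; with it, the installer leaves the v10 database untouched.
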
Renamed @keisei/mcp-server → @keisei84/mcp-server (scope must match
github org KeiSei84 for GitHub Packages publish). Replaced private:true
with publishConfig pinned to npm.pkg.github.com so an accidental
`npm publish` cannot leak to npm.org. CI npm-publish job rewired to
GitHub Packages auth (GITHUB_TOKEN with packages:write permission).
Why GitHub Packages, not npm.org:
- Authentication piggybacks on existing github org / PAT — no separate
account or NPM_TOKEN required for the core kit
- Scope @keisei84 maps 1:1 to org KeiSei84 (npm rule for github)
- Doesn't require public DNS for our private Forgejo (Tailscale-only
100.91.246.53 cannot be the publish target — IP-leak in public ref)
- Published artefacts live under github.com/orgs/KeiSei84/packages,
same access surface as the source repo
Why not @keisei (un-scoped or different scope):
- npm scope @keisei IS reachable on npm.org but we don't own it there
(would require email-verified npm account claim + ongoing maintenance)
- @keisei84 requires zero new accounts; works the moment KeiSei84 org
has packages enabled (github default)
Files changed (11):
- _ts_packages/packages/mcp-server/package.json — rename + publishConfig
+ repository field (required by GitHub Packages); removed private:true
- _ts_packages/package-lock.json — regenerated via `npm install`
(workspace recognises @keisei84/mcp-server symlink)
- README.md (2 hunks) — maturity row says "alpha" not
"alpha (unpublished)"; install section documents `~/.npmrc` setup
for `@keisei84:registry=https://npm.pkg.github.com/`
- PLUGIN.md (3 hunks) — same `~/.npmrc` setup; .mcp.json references
@keisei84/mcp-server; "not yet on npm" replaced with "lives on
GitHub Packages, not npm.org"
- .claude-plugin/mcp-template.json — args use @keisei84 scope
- _ts_packages/README.md (4 hunks) — package layout + npx examples
- docs/INSTALL.md, install/lib-rust.sh — comment refs
- docs/encyclopedia/substrate-overview.md (2 hunks) — package table +
publishing notes (was "published to keigit.com npm" — wrong; keigit
is a separate community-publish path for user-contributed packages,
not the destination for core @keisei84 packages)
- .github/workflows/release.yml — npm-publish job rebuilt:
· permissions: packages:write
· Two-scope .npmrc temp-write: @keisei84 → npm.pkg.github.com (always),
@keisei → npm.org (only if NPM_TOKEN secret set, else skipped per pkg)
· NODE_AUTH_TOKEN sourced from GITHUB_TOKEN
· .npmrc cleaned up via `if: always()` step
- .gitignore — _ts_packages/.npmrc + .npmrc excluded (RULE 0.8: auth
tokens never in git; CI temp-creates per-job)
Verification:
- `npm install` clean against new scope: node_modules/@keisei84/mcp-server
symlinks to packages/mcp-server, other adapters untouched in
node_modules/@keisei/* [REAL: install ran 2026-05-03 in this session]
- `npm run build --workspace=@keisei84/mcp-server` produces dist/index.js
[REAL: tsc -b exit 0]
- Server starts cleanly: `node dist/index.js` runs >1s, emits expected
"[adapters] not installed" warnings for un-built sibling adapters,
doesn't throw
- 17 references to old @keisei/mcp-server scope migrated; 0 left
[REAL: grep -rn "@keisei/mcp-server" returns 0 lines]
Bad-commit-hygiene note:
- Two earlier local commits (cb8dc2a + revert 474fe1c) attempted a
keigit.com-pinned variant; soft-reset past them so this commit lands
on top of public 368df5b. Bad commits never reached remote.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>