5 commits

Author	SHA1	Message	Date
denis	305787fae3	fix(install): make fresh install complete + ship tamagotchi (#1)	2026-05-20 18:50:09 +00:00
Parfii-bot	8a885a7d76	fix(release+slices): v0.14.4 publish auth fallback + 4 fix-implementer slices ... After v0.14.3 npm-publish failed again with 401 Unauthorized despite path-scoped _authToken. Direct curl probe to keigit confirmed BOTH Bearer and Basic auth schemes work — so the issue is npm 10 not sending the auth header in CI. Likely cause: deprecated `always-auth=true` interfered with token resolution. == Publish auth fix == - Drop `always-auth=true` (deprecated in npm 10+; warns in logs) - Keep path-scoped `_authToken` (npm 10 canonical) - Add legacy Basic-auth fallback rows (username/_password/email) — Forgejo accepts both schemes per direct probe; if one resolution path fails, npm tries the other - chmod 600 on $HOME/.npmrc and project .npmrc (defense-in-depth) - Bump 0.14.3 → 0.14.4 == Slice A — TS server hardening (Sonnet code-implementer-typescript) == File: _ts_packages/packages/mcp-server/src/server.ts (+3/-1) File: _ts_packages/packages/mcp-server/src/index.ts (+14/-4) - safeEqual constant-time path on length mismatch (timing oracle close) - HTTP server defaults to 127.0.0.1 bind; --bind <addr> opt-in for 0.0.0.0 - Body cap 1 MiB with 413 response (DoS prevention) - VERIFIED: tsc -b --noEmit exit 0 == Slice B — Outcome-only profile hardening (Sonnet code-implementer) == Files: install.sh, install/lib-args.sh, install/lib-profile-outcome-only.sh - Confirm-screen gate before destructive install (skips on --dry-run / --yes) - _outcome_install_ledger return value tracked → summary reflects reality (was: false-success "ledger: ..." when init failed) - --dry-run silent-ignored on non-outcome profiles → now warns - VERIFIED: end-to-end smoke against fake $HOME with `<<< "y"` — all 5 files installed, schema v9 + 2 triggers, summary correct == Slice D — jq-merge dedup tuple (Sonnet code-implementer) == File: install/lib-hooks.sh - Replaced `unique_by(.command)` with reduce-into-object keyed on norm-ed command (tilde-vs-absolute path collision fix) - Snippet-wins precedence on collision - 3 manual scenario traces pass: tilde+tilde, absolute+tilde, idempotency == Slice E — Doc honesty pass (Sonnet code-implementer, selective-merged) == Files: README.md, docs/{INSTALL,ARCHITECTURE,PROFILE-OUTCOME-ONLY}.md Note: Slice E worktree was based on an older main commit; merged selectively to preserve current-main values (565 DNAs, not worktree's 518) - README:62 plugin marketplace URL: KeiSei84/KeiSeiKit → KeiSei84/KeiSeiKit-1.0 (consistent with line 66 git clone URL + Cargo.toml repository field) - README:9-15: per-claim [REAL: <command>] markers on all 8 numerics - README:124-132 + PROFILE-OUTCOME-ONLY.md:43-55 + ARCHITECTURE.md:288-302: rephrase 100-row router claim — now describes Wilson lower-bound (δ=0.10, q*=0.70) continuous metric with file:line pointer to select.rs - INSTALL.md: ESTIMATE-HTC marker covering all install-time / disk-size numerics in profile table (RULE 0.18 compliance) - PROFILE-OUTCOME-ONLY.md privacy section: discloses agent-toolstats.jsonl sidecar (was undocumented per W3 finding) - PROFILE-OUTCOME-ONLY.md uninstall: added 6th rm -f for .bak-* cleanup (closes orphan-accumulation per W3+W4 audits) [FROM-JOURNAL: tasks.jsonl this session — 12 audit agents waves 5+6 + 4 parallel fix-implementer worktrees ran ~25 min wall-time] Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-04 00:16:48 +08:00
Parfii-bot	542a0a816e	Revert "feat(mcp-server): production-ready publish path via GitHub Packages" ... This reverts commit a6f1c72472.	2026-05-03 18:04:00 +08:00
Parfii-bot	a6f1c72472	feat(mcp-server): production-ready publish path via GitHub Packages ... Renamed @keisei/mcp-server → @keisei84/mcp-server (scope must match github org KeiSei84 for GitHub Packages publish). Replaced private:true with publishConfig pinned to npm.pkg.github.com so an accidental `npm publish` cannot leak to npm.org. CI npm-publish job rewired to GitHub Packages auth (GITHUB_TOKEN with packages:write permission). Why GitHub Packages, not npm.org: - Authentication piggybacks on existing github org / PAT — no separate account or NPM_TOKEN required for the core kit - Scope @keisei84 maps 1:1 to org KeiSei84 (npm rule for github) - Doesn't require public DNS for our private Forgejo (Tailscale-only 100.91.246.53 cannot be the publish target — IP-leak in public ref) - Published artefacts live under github.com/orgs/KeiSei84/packages, same access surface as the source repo Why not @keisei (un-scoped or different scope): - npm scope @keisei IS reachable on npm.org but we don't own it there (would require email-verified npm account claim + ongoing maintenance) - @keisei84 requires zero new accounts; works the moment KeiSei84 org has packages enabled (github default) Files changed (11): - _ts_packages/packages/mcp-server/package.json — rename + publishConfig + repository field (required by GitHub Packages); removed private:true - _ts_packages/package-lock.json — regenerated via `npm install` (workspace recognises @keisei84/mcp-server symlink) - README.md (2 hunks) — maturity row says "alpha" not "alpha (unpublished)"; install section documents `~/.npmrc` setup for `@keisei84:registry=https://npm.pkg.github.com/` - PLUGIN.md (3 hunks) — same `~/.npmrc` setup; .mcp.json references @keisei84/mcp-server; "not yet on npm" replaced with "lives on GitHub Packages, not npm.org" - .claude-plugin/mcp-template.json — args use @keisei84 scope - _ts_packages/README.md (4 hunks) — package layout + npx examples - docs/INSTALL.md, install/lib-rust.sh — comment refs - docs/encyclopedia/substrate-overview.md (2 hunks) — package table + publishing notes (was "published to keigit.com npm" — wrong; keigit is a separate community-publish path for user-contributed packages, not the destination for core @keisei84 packages) - .github/workflows/release.yml — npm-publish job rebuilt: · permissions: packages:write · Two-scope .npmrc temp-write: @keisei84 → npm.pkg.github.com (always), @keisei → npm.org (only if NPM_TOKEN secret set, else skipped per pkg) · NODE_AUTH_TOKEN sourced from GITHUB_TOKEN · .npmrc cleaned up via `if: always()` step - .gitignore — _ts_packages/.npmrc + .npmrc excluded (RULE 0.8: auth tokens never in git; CI temp-creates per-job) Verification: - `npm install` clean against new scope: node_modules/@keisei84/mcp-server symlinks to packages/mcp-server, other adapters untouched in node_modules/@keisei/* [REAL: install ran 2026-05-03 in this session] - `npm run build --workspace=@keisei84/mcp-server` produces dist/index.js [REAL: tsc -b exit 0] - Server starts cleanly: `node dist/index.js` runs >1s, emits expected "[adapters] not installed" warnings for un-built sibling adapters, doesn't throw - 17 references to old @keisei/mcp-server scope migrated; 0 left [REAL: grep -rn "@keisei/mcp-server" returns 0 lines] Bad-commit-hygiene note: - Two earlier local commits (cb8dc2a + revert 474fe1c) attempted a keigit.com-pinned variant; soft-reset past them so this commit lands on top of public 2bb2f10. Bad commits never reached remote. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-03 17:50:59 +08:00
Parfii-bot	0be354a920	KeiSeiKit-public — clean state ... Single-commit clean baseline after security scrub of niche-tells, project codenames, internal jargon, and contributor-email leaks. Contents: - 100 Rust crates (_primitives/_rust/) - 37 agent manifests (_manifests/) + generated specs (_generated/) - 67 user-invocable skills (skills/) - 33 hooks (hooks/) - Composition blocks (_blocks/) - Documentation (docs/, README.md) - TS adapter packages (_ts_packages/) - Assembler (_assembler/) - Roles (_roles/) - Templates (_templates/) - Forgejo CI (.forgejo/) Author: Denis Parfionovich <info@greendragon.info> License: see LICENSE.	2026-05-01 12:09:03 +08:00