2 commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
| 8086bec486 |
feat(v0.41): patch 5 Gemini security findings + Copilot doc bug + claude/grok perms
Some checks are pending
CI (Forgejo Actions — self-hosted runner on Mac, host mode) / preflight (push) Waiting to run
CI (Forgejo Actions — self-hosted runner on Mac, host mode) / vps-smoke (push) Waiting to run
CI (Forgejo Actions — self-hosted runner on Mac, host mode) / rust-primitives (map[crates:frustration-matrix,kei-frustration-loop,kei-skill-importer,kei-projects-index,kei-projects-watcher,kei-gdrive-import,kei-leak-matrix,kei-skills,kei-gateway,kei-cron-scheduler,kei-export-trajectories,kei-backend-daytona,kei-d… (push) Blocked by required conditions
CI (Forgejo Actions — self-hosted runner on Mac, host mode) / rust-primitives (map[crates:kei-compute-baremetal,kei-compute-vultr,kei-compute-linode,kei-compute-digitalocean,kei-svc-systemd,kei-llm-bridge-mlx name:hosted-sleep-compute]) (push) Blocked by required conditions
CI (Forgejo Actions — self-hosted runner on Mac, host mode) / rust-primitives (map[crates:kei-diff,kei-scheduler,kei-watch,kei-prune,kei-discover,kei-brain-view,kei-hibernate,kei-ledger-sign,kei-fork name:wave13-15]) (push) Blocked by required conditions
CI (Forgejo Actions — self-hosted runner on Mac, host mode) / rust-primitives (map[crates:kei-git-gitea,kei-git-forgejo,kei-git-gitlab,kei-git-bitbucket,kei-memory-sled,kei-memory-redis,kei-memory-postgres,kei-memory-sqlite,kei-auth-google,kei-auth-apple,kei-auth-magiclink,kei-auth-webauthn,kei-notify-slack,kei-n… (push) Blocked by required conditions
CI (Forgejo Actions — self-hosted runner on Mac, host mode) / rust-primitives (map[crates:kei-ledger,kei-migrate,kei-changelog,kei-memory,kei-store,kei-conflict-scan,kei-refactor-engine,kei-graph-check,kei-shared,kei-dna-index,kei-pet name:core]) (push) Blocked by required conditions
CI (Forgejo Actions — self-hosted runner on Mac, host mode) / rust-primitives (map[crates:kei-machine-probe,kei-llm-ollama,kei-llm-llamacpp,kei-llm-mlx,kei-llm-router,kei-model name:llm-stack]) (push) Blocked by required conditions
CI (Forgejo Actions — self-hosted runner on Mac, host mode) / rust-primitives (map[crates:kei-router,kei-sage,kei-task,kei-chat-store,kei-crossdomain,kei-search-core,kei-content-store,kei-social-store,kei-curator,kei-auth,kei-artifact name:mcp-lbm]) (push) Blocked by required conditions
CI (Forgejo Actions — self-hosted runner on Mac, host mode) / rust-primitives (map[crates:keisei,kei-forge,kei-runtime,kei-runtime-core,kei-atom-discovery,kei-agent-runtime,kei-capability,kei-provision,kei-entity-store,kei-pipe,kei-cache,kei-spawn,kei-replay name:atom-substrate]) (push) Blocked by required conditions
Audit pass via Phase C dogfooding (security-auditor @ Agy/Gemini reviewing our own safe_tools.rs) surfaced 5 real bugs. All fixed. ## Gemini findings (5 real bugs) [#1 HIGH] FAIL-OPEN on missing config/hook Before: missing policy-chain.toml → "passing through" warning; missing hook script → "skipped" warning. Misconfig silently disabled enforcement. After: both paths FAIL-CLOSED with clear error surfaced to caller. Tests/dev can opt in to pass-through via KEI_POLICY_CHAIN_OPTIONAL=1. [#2 HIGH] Path traversal in kei_edit/kei_write Before: no validation; attacker could pass file_path=/etc/passwd or $HOME/.ssh/authorized_keys. After: validate_path() rejects '..' segments, system dirs (/etc/, /usr/, /System/, /var/, /root/), and dotfile-secret dirs (~/.ssh/, ~/.aws/, ~/.gnupg/, ~/.config/gcloud/). Override via KEI_ALLOWED_ROOTS for explicit single-root confinement. [#3 HIGH] CLAUDECODE/GROKCODE env bypass Behavior unchanged — this guard is a perf/UX optimization to avoid double-firing hooks when called from inside Claude/Grok (which already ran their own PreToolUse). Documented explicitly as NOT a security boundary: attacker controlling parent env already owns the invocation. Module header gains a DESIGN NOTE making this load-bearing. [#4 MED] std::fs in async context Before: handle_edit/handle_write used std::fs::{read_to_string,write}, which block the tokio worker thread. Pathological paths like /dev/random would freeze a worker indefinitely. After: tokio::fs::{read_to_string,write}.await — async I/O, worker stays responsive. [#5 MED] kill_on_drop only kills immediate child Before: timeout in kei_bash drops the Child handle; tokio's kill_on_drop SIGKILLs only the shell. Grandchildren (e.g., 'sleep 1000 &') orphaned. After: Unix-only: spawn child in its own process group (Command::process_group(0)), and on timeout libc::kill(-pid, SIGKILL) to take down the whole group. New libc dep on Unix. ## Copilot doc fix Doc claimed "kei-mcp exposes 4 built-in tools" without saying spawn_agent lives in tools.rs while kei_bash/edit/write live in safe_tools.rs. Validator agent flagged this as FALSE/MISLEADING. Now the doc spells out the two-file structure + adds a v0.41 hardening summary. ## claude/grok subprocess permissions Cross-CLI audit demo revealed that 'claude -p' and 'grok --print' returned empty when invoked headless with a real audit task — they need explicit permission flags to use Read/Grep tools in non-interactive mode. Added: claude: --permission-mode=bypassPermissions grok: --always-approve agy: --dangerously-skip-permissions Override via KEI_AGENT_PERMISSIVE=0 to keep strict default. Re-verified: claude+grok both echo SMOKE-OK-V41 with the flag. ## Verification cargo test -p kei-mcp --release → 3/3 pass MCP JSON-RPC smoke (all 7): - tools/list shows 4 built-ins ✓ - kei_bash blocks RULE 0.1 push ✓ - kei_bash passes 'echo OK' ✓ - kei_write rejects /etc/passwd ✓ - kei_write rejects ../ traversal ✓ - kei_write rejects ~/.ssh/* ✓ - missing policy-chain → FAIL-CLOSED with clear error ✓ - KEI_POLICY_CHAIN_OPTIONAL=1 → opt-in pass-through ✓ |
|||
| 4e5e6bd2c0 |
feat(phase-C): cross-CLI hook enforcement via kei_bash/kei_edit/kei_write MCP tools
Some checks are pending
CI (Forgejo Actions — self-hosted runner on Mac, host mode) / preflight (push) Waiting to run
CI (Forgejo Actions — self-hosted runner on Mac, host mode) / vps-smoke (push) Waiting to run
CI (Forgejo Actions — self-hosted runner on Mac, host mode) / rust-primitives (map[crates:frustration-matrix,kei-frustration-loop,kei-skill-importer,kei-projects-index,kei-projects-watcher,kei-gdrive-import,kei-leak-matrix,kei-skills,kei-gateway,kei-cron-scheduler,kei-export-trajectories,kei-backend-daytona,kei-d… (push) Blocked by required conditions
CI (Forgejo Actions — self-hosted runner on Mac, host mode) / rust-primitives (map[crates:kei-compute-baremetal,kei-compute-vultr,kei-compute-linode,kei-compute-digitalocean,kei-svc-systemd,kei-llm-bridge-mlx name:hosted-sleep-compute]) (push) Blocked by required conditions
CI (Forgejo Actions — self-hosted runner on Mac, host mode) / rust-primitives (map[crates:kei-diff,kei-scheduler,kei-watch,kei-prune,kei-discover,kei-brain-view,kei-hibernate,kei-ledger-sign,kei-fork name:wave13-15]) (push) Blocked by required conditions
CI (Forgejo Actions — self-hosted runner on Mac, host mode) / rust-primitives (map[crates:kei-git-gitea,kei-git-forgejo,kei-git-gitlab,kei-git-bitbucket,kei-memory-sled,kei-memory-redis,kei-memory-postgres,kei-memory-sqlite,kei-auth-google,kei-auth-apple,kei-auth-magiclink,kei-auth-webauthn,kei-notify-slack,kei-n… (push) Blocked by required conditions
CI (Forgejo Actions — self-hosted runner on Mac, host mode) / rust-primitives (map[crates:kei-ledger,kei-migrate,kei-changelog,kei-memory,kei-store,kei-conflict-scan,kei-refactor-engine,kei-graph-check,kei-shared,kei-dna-index,kei-pet name:core]) (push) Blocked by required conditions
CI (Forgejo Actions — self-hosted runner on Mac, host mode) / rust-primitives (map[crates:kei-machine-probe,kei-llm-ollama,kei-llm-llamacpp,kei-llm-mlx,kei-llm-router,kei-model name:llm-stack]) (push) Blocked by required conditions
CI (Forgejo Actions — self-hosted runner on Mac, host mode) / rust-primitives (map[crates:kei-router,kei-sage,kei-task,kei-chat-store,kei-crossdomain,kei-search-core,kei-content-store,kei-social-store,kei-curator,kei-auth,kei-artifact name:mcp-lbm]) (push) Blocked by required conditions
CI (Forgejo Actions — self-hosted runner on Mac, host mode) / rust-primitives (map[crates:keisei,kei-forge,kei-runtime,kei-runtime-core,kei-atom-discovery,kei-agent-runtime,kei-capability,kei-provision,kei-entity-store,kei-pipe,kei-cache,kei-spawn,kei-replay name:atom-substrate]) (push) Blocked by required conditions
Closes the "hooks only fire on Claude" gap. Phase C extends KeiSeiKit safety
enforcement (no-github-push, safety-guard, destructive-guard, citation-verify,
numeric-claims-guard) to any MCP-capable LLM CLI through a 3-tier honesty model.
## 3-tier model
TIER 1 (full native): claude (existing), grok (port hooks to grok settings.json)
TIER 2 (MCP-wrapped): copilot (--excluded-tools=shell + force kei_bash via MCP)
TIER 3 (advisory): agy + kimi (cannot disable native shell; prompt-level only)
## Design (Constructor Pattern)
1. hooks/_lib/policy-chain.toml — SSoT: which hooks gate which tool (bash/edit/write)
2. _primitives/_rust/kei-mcp/src/handlers/safe_tools.rs — new module, 3 built-in
MCP tools that synthesize Claude PreToolUse JSON, run hook chain, abort on
exit-2, exec on all-pass. Same input contract → hooks reused as-is, no rewrite.
3. tools.rs short-circuit: kei_bash/kei_edit/kei_write dispatched before atom layer
4. 6 wire scripts: orchestrator + one per CLI (Constructor Pattern, no mixin)
5. bin/kei mcp-wire arm
6. docs/encyclopedia/cross-cli-policy.md — honest 3-tier matrix + verification
## Double-enforcement guard
If kei-mcp invoked from a process with $CLAUDECODE=1 or $GROKCODE=1, the chain
SKIPS — native hooks already fired. Wire scripts set these env vars in the
MCP server registration for claude/grok respectively. On copilot/agy/kimi the
env is unset → chain runs.
## Smoke (verified live)
Block: kei_bash{command: forbidden-push-pattern}
→ JSON-RPC error -32603 with full "BLOCK — RULE 0.1 NO GITHUB PUSH" stderr ✓
Pass: kei_bash{command: "echo HELLO-FROM-KEI-BASH"}
→ result.content[0].text = "HELLO-FROM-KEI-BASH" ✓
tools/list: 4 built-ins present (spawn_agent + kei_bash + kei_edit + kei_write) ✓
## Tests
kei-mcp: 3/3 (tools_list assertions updated for atoms+4 built-ins).
Build clean with toml = "0.8" dep added.
## Out of scope (deferred)
- Codex CLI wiring (not installed locally)
- ACP middleware proxy (transport, not middleware — ruled out at research)
- Container/firejail sandboxing for agy/kimi (heavy; documented limit instead)
- Native Rust PatternGate migration (optimization, separate phase)
|
