KeiSeiKit-1.0

keisei/KeiSeiKit-1.0

Fork 0

Commit graph

Author	SHA1	Message	Date
Parfii-bot	913d62c280	fix(security): RCE allowlist + WebSocket auth + SSH option-injection Group D — three independent security primitives hardening (post-audit 2026-05-02). kei-runtime — atom invoke RCE allowlist: - invoke.rs: is_safe_crate_name validator (regex ^kei-[a-z][a-z0-9-]+$); rejects /, \\, .., :, absolute paths, empty, >128 chars. InvalidAtom error variant. stdout/stderr capped at 16 MiB (was unbounded). - main.rs: InvalidAtom mapped to exit code 2. - tests/invoke_exit_codes_smoke.rs: invoke_unsafe_crate_name_exits_2 added. - Closes: any user able to write atoms/*.md with crate_name: "rm" or "sudo" triggered arbitrary command execution. kei-graph-stream — WebSocket bearer + Origin: - auth.rs (new, 142 LOC): token load + bearer extraction + Origin allowlist + ConstantTimeEq compare; 8 unit tests. - ws.rs: ws_handler validates Origin + bearer before upgrade (403/401 on failure). - main.rs: --public-bind-i-accept-the-leak flag required for non-loopback bind; else bail!() with explicit error. - tests/smoke.rs: rewritten with Origin + bearer headers via connect_async_with_config. - Closes: WebSocket /stream had zero auth, zero Origin check; browser CSWSH could subscribe to agent activity broadcast; KEI_GRAPH_STREAM_BIND env silently accepted any SocketAddr. kei-compute-baremetal — SSH option injection (CVE-2023-51385 class): - ssh.rs: is_safe_user + is_safe_host validators (alphanumeric + -_.; reject leading -; max 64 chars; no @, :, /, \\, space). - ssh.rs: -- sentinel before user@host argv (OpenSSH 9.6+ stops flag parsing). - ssh.rs: StrictHostKeyChecking=yes default; KEI_BAREMETAL_ACCEPT_NEW=1 for TOFU. - error.rs: InvalidRegion variant. - provider.rs: validators applied in target_for_spec + target_for_handle. - Closes: spec.region "-oProxyCommand=evil" triggered local RCE before TCP connect. Test results: 29 passed; 0 failed across all three crates. cargo check clean. Findings: RCE allowlist (Wave-A) + WebSocket auth (Wave-B) + SSH injection (Wave-B) were unique-per-retest discoveries. None present in original wave-1 audit. Note: kei-compute-baremetal/src/provider.rs at 300 LOC (was 268; +32 from validators). Pre-existing >200 LOC violation, fix scope was security-additions only. Follow-up: split provider.rs into provider.rs (<200) + provider_tests.rs. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-02 21:40:24 +08:00
Parfii-bot	a4e667de10	KeiSeiKit-public — clean state Single-commit clean baseline after security scrub of niche-tells, project codenames, internal jargon, and contributor-email leaks. Contents: - 100 Rust crates (_primitives/_rust/) - 37 agent manifests (_manifests/) + generated specs (_generated/) - 67 user-invocable skills (skills/) - 33 hooks (hooks/) - Composition blocks (_blocks/) - Documentation (docs/, README.md) - TS adapter packages (_ts_packages/) - Assembler (_assembler/) - Roles (_roles/) - Templates (_templates/) - Forgejo CI (.forgejo/) Author: Denis Parfionovich <info@greendragon.info> License: see LICENSE.	2026-05-01 12:09:03 +08:00

Author

SHA1

Message

Date

Parfii-bot

913d62c280

fix(security): RCE allowlist + WebSocket auth + SSH option-injection

Group D — three independent security primitives hardening (post-audit 2026-05-02).

kei-runtime — atom invoke RCE allowlist:
- invoke.rs: is_safe_crate_name validator (regex ^kei-[a-z][a-z0-9-]+$);
             rejects /, \\, .., :, absolute paths, empty, >128 chars.
             InvalidAtom error variant.
             stdout/stderr capped at 16 MiB (was unbounded).
- main.rs: InvalidAtom mapped to exit code 2.
- tests/invoke_exit_codes_smoke.rs: invoke_unsafe_crate_name_exits_2 added.
- Closes: any user able to write atoms/*.md with crate_name: "rm" or "sudo"
           triggered arbitrary command execution.

kei-graph-stream — WebSocket bearer + Origin:
- auth.rs (new, 142 LOC): token load + bearer extraction + Origin allowlist +
                            ConstantTimeEq compare; 8 unit tests.
- ws.rs: ws_handler validates Origin + bearer before upgrade (403/401 on failure).
- main.rs: --public-bind-i-accept-the-leak flag required for non-loopback bind;
            else bail!() with explicit error.
- tests/smoke.rs: rewritten with Origin + bearer headers via connect_async_with_config.
- Closes: WebSocket /stream had zero auth, zero Origin check; browser CSWSH could
           subscribe to agent activity broadcast; KEI_GRAPH_STREAM_BIND env silently
           accepted any SocketAddr.

kei-compute-baremetal — SSH option injection (CVE-2023-51385 class):
- ssh.rs: is_safe_user + is_safe_host validators (alphanumeric + -_.; reject leading -;
           max 64 chars; no @, :, /, \\, space).
- ssh.rs: -- sentinel before user@host argv (OpenSSH 9.6+ stops flag parsing).
- ssh.rs: StrictHostKeyChecking=yes default; KEI_BAREMETAL_ACCEPT_NEW=1 for TOFU.
- error.rs: InvalidRegion variant.
- provider.rs: validators applied in target_for_spec + target_for_handle.
- Closes: spec.region "-oProxyCommand=evil" triggered local RCE before TCP connect.

Test results: 29 passed; 0 failed across all three crates. cargo check clean.

Findings: RCE allowlist (Wave-A) + WebSocket auth (Wave-B) + SSH injection (Wave-B)
were unique-per-retest discoveries. None present in original wave-1 audit.

Note: kei-compute-baremetal/src/provider.rs at 300 LOC (was 268; +32 from validators).
Pre-existing >200 LOC violation, fix scope was security-additions only. Follow-up:
split provider.rs into provider.rs (<200) + provider_tests.rs.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-02 21:40:24 +08:00

Parfii-bot

a4e667de10

KeiSeiKit-public — clean state

Single-commit clean baseline after security scrub of niche-tells,
project codenames, internal jargon, and contributor-email leaks.

Contents:
- 100 Rust crates (_primitives/_rust/)
- 37 agent manifests (_manifests/) + generated specs (_generated/)
- 67 user-invocable skills (skills/)
- 33 hooks (hooks/)
- Composition blocks (_blocks/)
- Documentation (docs/, README.md)
- TS adapter packages (_ts_packages/)
- Assembler (_assembler/)
- Roles (_roles/)
- Templates (_templates/)
- Forgejo CI (.forgejo/)

Author: Denis Parfionovich <info@greendragon.info>

License: see LICENSE.

2026-05-01 12:09:03 +08:00

2 commits