KeiSeiKit-1.0

keisei/KeiSeiKit-1.0

Fork 0

Commit graph

Author	SHA1	Message	Date
Parfii-bot	f33408f0d6	fix(v0.21.2): pin actionlint v1.7.12 sha256 constants (was SKIP placeholders) Closes the one outstanding item from v0.21.1 wave-audit: SEC-H1 agent left SHA256_* vars as 'SKIP' because no WebFetch available this session. Sources verified via live curl: https://github.com/rhysd/actionlint/releases/download/v1.7.12/actionlint_1.7.12_checksums.txt Pinned hashes (4 platforms): darwin_amd64: 5b44c3bc...c644 darwin_arm64: aba9ced2...953f linux_amd64: 8aca8db9...a3d8 linux_arm64: 325e971b...f0c6 End-to-end verified locally (darwin_arm64): HOME=/tmp/aln-test bash scripts/install-actionlint.sh → SHA-256 verified: aba9ced2... → actionlint -version: 1.7.12 installed by downloading from release page Header comment updated: [UNVERIFIED] → [VERIFIED 2026-04-22 via curl ...]. ACTIONLINT_SHA256_OVERRIDE env var still works (for CI with different pins). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-22 20:42:58 +08:00
Parfii-bot	f12eb9f83c	fix(v0.21.1): wave-audit consolidated — 5 critic HIGH + 2 security HIGH + 3 polish Closes 10 audit findings from 4-agent wave (critic + security + architect + validator) on v0.21.0. CRITIC HIGH (5): H1 s3_cloud::commit() was listing with delimiter='/' — nested writes silently dropped from manifest hash. Added list_recursive() (no delimiter), filter manifest-.json from hash input. H2 S3Cfg access_key_env + secret_key_env were advertised in TOML but never read. Wired via resolve_explicit_creds() with aws-credential-types. Partial-set or empty-resolve → error. H3 display::sanitize_display missing in detach.rs + mount.rs (regression of v0.19.2 L9 ANSI injection fix). Applied at 8 print sites. 2 new integration tests. H4 adapters/jsonmcp.rs RESTORED (was lost in earlier merge). 107 LOC shared module: load_json_or_empty / upsert_under_key / remove_under_key / persist. claude_code 163→105, cursor 165→106, zed 178→114. Unified error handling via ConfigParseError. H5 ENV_LOCK shared across kei-store tests. New test_env.rs (24 LOC) exposed under cfg(any(test, feature='s3')). github.rs + s3_cloud/tests.rs + s3_smoke.rs all use shared mutex. Fixes parallel-test race on KEI_STORE_S3_ENDPOINT. SECURITY HIGH (2): SEC-H1 scripts/install-actionlint.sh — added sha256 verify (shasum/sha256sum) before extract. ACTIONLINT_SHA256_OVERRIDE env var for CI injection. Per-platform constants marked [UNVERIFIED: SKIP] pending live checksums.txt fetch (agent had no WebFetch this session — user follow-up: paste from https://github.com/rhysd/actionlint/releases/download/v1.7.12/checksums.txt). SEC-H2 S3 SSRF/IMDS guard. validate_endpoint() rejects: loopback (127/8, ::1, localhost), link-local (169.254/16, fe80::/10), metadata hostnames (google/azure). Override via KEI_STORE_S3_ALLOW_INTERNAL=1. HTTP rejected unless KEI_STORE_S3_ALLOW_INSECURE=1. Custom endpoint now REQUIRES explicit creds (no IMDS chain leak via third-party endpoint). 4 reject + 3 accept tests pass. POLISH (3): D1 docs/USB-BRAIN-GUIDE.md — ⚠️ WARNING block under Prerequisites: exFAT/FAT32 NOT safe for multi-client attach (SQLite WAL needs shared-mem mmap). Use ONE client at a time on those FSes. New Troubleshooting entry 'SQLite corruption on mount-attach'. D2 '~5 MB release binary growth' now labelled [estimate, E5 — not yet measured] in CHANGELOG.md + s3_cloud/mod.rs header. D3 scripts/validate-workflow-shas.sh exits 2 (not 0) when UNVERIFIED_COUNT > 0 and GITHUB_TOKEN absent. Distinguishes 'network denied' from 'all good'. REAL VERIFICATION (pasted by agent): cargo check -p keisei -p kei-store: Finished (clean) cargo test -p keisei --release: 30 passed 0 failed cargo test -p kei-store --release: 10 + 9 passed (default features) cargo test -p kei-store --features s3 --release: 31 + 9 + 6 = 46 passed (with s3) bash -n scripts/.sh: OK regen-counts.sh --check: no drift Constructor Pattern: largest new src 200 LOC (s3_cloud/mod.rs, at limit). jsonmcp.rs 107 LOC. test_env.rs 24 LOC. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-22 20:03:17 +08:00
Parfii-bot	c778b7d9a3	feat(v0.20.1): workflow-file validation infrastructure Three layers of defense against the dtolnay-SHA-class bug reaching main (today's incident: agent SHA-pinned dtolnay/rust-toolchain with a pin that was real but semantically wrong — lost 'install current stable' meaning, locked to rust 1.94.1 branch tip, broke CI). Layer 1 — actionlint static lint scripts/install-actionlint.sh (65 LOC) — installs rhysd/actionlint v1.7.12 [VERIFIED] to ~/.local/bin or suggests brew install. scripts/lint-workflows.sh (40 LOC) — runs actionlint on .github/workflows/.yml, exit 0 on clean, advisory when binary missing. Layer 2 — SHA existence check (today's bug class) scripts/validate-workflow-shas.sh (98 LOC) — extracts every 'uses: <repo>@<40-hex>' from workflow files + dependabot.yml, checks each via GitHub REST commits API (exit 200/404/422). Supports 'validate-workflow-shas: skip=<reason>' trailing comment for intentional exceptions. Falls back to anonymous API (60/hr quota) if GITHUB_TOKEN probe fails. DESIGN PIVOT from spec: spec said 'git ls-remote <repo> <sha>' but that only resolves REFS (branch/tag tips), not arbitrary commit SHAs — would have given false-positive 100% MISSING report. Switched to REST API /commits/{sha} for unambiguous 200/404/422. Layer 3 — CI gate .github/workflows/ci.yml — new 'workflow-lint' job after shell-lint. Installs actionlint + runs both scripts on every push to main and PR. Blocks CI on any fabricated SHA. Layer 4 — optional pre-commit hook scripts/pre-commit-workflow-lint.sh (54 LOC) — detects staged .github/workflows/.{yml,yaml} + .github/dependabot.yml changes, runs layers 1+2, blocks commit on failure. Install via: ln -sf ../../scripts/pre-commit-workflow-lint.sh .git/hooks/pre-commit REAL EXECUTION VERIFIED (not claim-only): - actionlint ran: zero findings on current workflows - validate-workflow-shas.sh ran: 21 SHA pins checked, 21 OK, 0 MISSING (confirms all current v0.19.1+ pins resolve) - bash -n on every new script: clean - bash-3.2 parser bug workaround: case-in-subshell → grep -E RULE 0.2 exception #6 (shell is external convention for git hooks + GH Actions runs — Rust rewrite would add zero value). RULE 0.13 respected — no git invocations except read-only API calls. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-22 17:50:23 +08:00

Author

SHA1

Message

Date

Parfii-bot

f33408f0d6

fix(v0.21.2): pin actionlint v1.7.12 sha256 constants (was SKIP placeholders)

Closes the one outstanding item from v0.21.1 wave-audit: SEC-H1 agent
left SHA256_* vars as 'SKIP' because no WebFetch available this session.

Sources verified via live curl:
  https://github.com/rhysd/actionlint/releases/download/v1.7.12/actionlint_1.7.12_checksums.txt

Pinned hashes (4 platforms):
  darwin_amd64: 5b44c3bc...c644
  darwin_arm64: aba9ced2...953f
  linux_amd64:  8aca8db9...a3d8
  linux_arm64:  325e971b...f0c6

End-to-end verified locally (darwin_arm64):
  HOME=/tmp/aln-test bash scripts/install-actionlint.sh
  → SHA-256 verified: aba9ced2...
  → actionlint -version: 1.7.12 installed by downloading from release page

Header comment updated: [UNVERIFIED] → [VERIFIED 2026-04-22 via curl ...].

ACTIONLINT_SHA256_OVERRIDE env var still works (for CI with different pins).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-04-22 20:42:58 +08:00

Parfii-bot

f12eb9f83c

fix(v0.21.1): wave-audit consolidated — 5 critic HIGH + 2 security HIGH + 3 polish

Closes 10 audit findings from 4-agent wave (critic + security +
architect + validator) on v0.21.0.

CRITIC HIGH (5):
  H1 s3_cloud::commit() was listing with delimiter='/' — nested
     writes silently dropped from manifest hash. Added
     list_recursive() (no delimiter), filter manifest-*.json from
     hash input.
  H2 S3Cfg access_key_env + secret_key_env were advertised in TOML
     but never read. Wired via resolve_explicit_creds() with
     aws-credential-types. Partial-set or empty-resolve → error.
  H3 display::sanitize_display missing in detach.rs + mount.rs
     (regression of v0.19.2 L9 ANSI injection fix). Applied at 8
     print sites. 2 new integration tests.
  H4 adapters/jsonmcp.rs RESTORED (was lost in earlier merge).
     107 LOC shared module: load_json_or_empty / upsert_under_key /
     remove_under_key / persist. claude_code 163→105, cursor 165→106,
     zed 178→114. Unified error handling via ConfigParseError.
  H5 ENV_LOCK shared across kei-store tests. New test_env.rs (24 LOC)
     exposed under cfg(any(test, feature='s3')). github.rs +
     s3_cloud/tests.rs + s3_smoke.rs all use shared mutex. Fixes
     parallel-test race on KEI_STORE_S3_ENDPOINT.

SECURITY HIGH (2):
  SEC-H1 scripts/install-actionlint.sh — added sha256 verify
     (shasum/sha256sum) before extract. ACTIONLINT_SHA256_OVERRIDE
     env var for CI injection. Per-platform constants marked
     [UNVERIFIED: SKIP] pending live checksums.txt fetch (agent had
     no WebFetch this session — user follow-up: paste from
     https://github.com/rhysd/actionlint/releases/download/v1.7.12/checksums.txt).
  SEC-H2 S3 SSRF/IMDS guard. validate_endpoint() rejects:
     loopback (127/8, ::1, localhost), link-local (169.254/16,
     fe80::/10), metadata hostnames (google/azure). Override via
     KEI_STORE_S3_ALLOW_INTERNAL=1. HTTP rejected unless
     KEI_STORE_S3_ALLOW_INSECURE=1. Custom endpoint now REQUIRES
     explicit creds (no IMDS chain leak via third-party endpoint).
     4 reject + 3 accept tests pass.

POLISH (3):
  D1 docs/USB-BRAIN-GUIDE.md — ⚠️ WARNING block under Prerequisites:
     exFAT/FAT32 NOT safe for multi-client attach (SQLite WAL needs
     shared-mem mmap). Use ONE client at a time on those FSes.
     New Troubleshooting entry 'SQLite corruption on mount-attach'.
  D2 '~5 MB release binary growth' now labelled [estimate, E5 —
     not yet measured] in CHANGELOG.md + s3_cloud/mod.rs header.
  D3 scripts/validate-workflow-shas.sh exits 2 (not 0) when
     UNVERIFIED_COUNT > 0 and GITHUB_TOKEN absent. Distinguishes
     'network denied' from 'all good'.

REAL VERIFICATION (pasted by agent):
  cargo check -p keisei -p kei-store: Finished (clean)
  cargo test -p keisei --release: 30 passed 0 failed
  cargo test -p kei-store --release: 10 + 9 passed (default features)
  cargo test -p kei-store --features s3 --release:
    31 + 9 + 6 = 46 passed (with s3)
  bash -n scripts/*.sh: OK
  regen-counts.sh --check: no drift

Constructor Pattern: largest new src 200 LOC (s3_cloud/mod.rs, at
limit). jsonmcp.rs 107 LOC. test_env.rs 24 LOC.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-04-22 20:03:17 +08:00

Parfii-bot

c778b7d9a3

feat(v0.20.1): workflow-file validation infrastructure

Three layers of defense against the dtolnay-SHA-class bug reaching main
(today's incident: agent SHA-pinned dtolnay/rust-toolchain with a pin
that was real but semantically wrong — lost 'install current stable'
meaning, locked to rust 1.94.1 branch tip, broke CI).

Layer 1 — actionlint static lint
  scripts/install-actionlint.sh (65 LOC) — installs rhysd/actionlint
    v1.7.12 [VERIFIED] to ~/.local/bin or suggests brew install.
  scripts/lint-workflows.sh (40 LOC) — runs actionlint on
    .github/workflows/*.yml, exit 0 on clean, advisory when binary
    missing.

Layer 2 — SHA existence check (today's bug class)
  scripts/validate-workflow-shas.sh (98 LOC) — extracts every
    'uses: <repo>@<40-hex>' from workflow files + dependabot.yml,
    checks each via GitHub REST commits API (exit 200/404/422).
    Supports 'validate-workflow-shas: skip=<reason>' trailing
    comment for intentional exceptions. Falls back to anonymous
    API (60/hr quota) if GITHUB_TOKEN probe fails.
  DESIGN PIVOT from spec: spec said 'git ls-remote <repo> <sha>'
    but that only resolves REFS (branch/tag tips), not arbitrary
    commit SHAs — would have given false-positive 100% MISSING
    report. Switched to REST API /commits/{sha} for unambiguous
    200/404/422.

Layer 3 — CI gate
  .github/workflows/ci.yml — new 'workflow-lint' job after
    shell-lint. Installs actionlint + runs both scripts on every
    push to main and PR. Blocks CI on any fabricated SHA.

Layer 4 — optional pre-commit hook
  scripts/pre-commit-workflow-lint.sh (54 LOC) — detects staged
    .github/workflows/*.{yml,yaml} + .github/dependabot.yml
    changes, runs layers 1+2, blocks commit on failure.
  Install via: ln -sf ../../scripts/pre-commit-workflow-lint.sh
    .git/hooks/pre-commit

REAL EXECUTION VERIFIED (not claim-only):
  - actionlint ran: zero findings on current workflows
  - validate-workflow-shas.sh ran: 21 SHA pins checked, 21 OK,
    0 MISSING (confirms all current v0.19.1+ pins resolve)
  - bash -n on every new script: clean
  - bash-3.2 parser bug workaround: case-in-subshell → grep -E

RULE 0.2 exception #6 (shell is external convention for git hooks
+ GH Actions runs — Rust rewrite would add zero value).
RULE 0.13 respected — no git invocations except read-only API calls.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-04-22 17:50:23 +08:00

3 commits