Root-cause of the username-path leak in DNA-INDEX.md (107 atom rows
in v0.17 — sed-patched in 8fcba39). The encyclopedia render's
short_path() prefix list omitted every top-level dir except
`_primitives/`, `skills/`, `hooks/`, `rules/` — so atom and capability
rows fell through to the absolute path stored in the registry DB,
leaking the maintainer's home prefix into the public encyclopedia.
Fix: add `_blocks/`, `_manifests/`, `_generated/`, `_atoms/`,
`_assembler/`, `_roles/`, `_capabilities/`, `agents/`, `docs/` to
the prefix list. 8 unit tests cover the new prefixes (fixtures use
CI-style paths like `/srv/ci/build/...` so the source file does not
contain a maintainer-shaped path that would itself trip the local
pre-commit hook + leak-check CI).
Verified: regenerated docs/DNA-INDEX.md has 0 absolute-path hits.
Source fix supersedes the sed hot-fix in 8fcba39 — the next
`kei-registry encyclopedia` invocation will not regress.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
leak-check.yml has the pattern 'denisparfionovich' as a literal in its grep.
On first run after install, it flags itself. Same fix as the local
.git/hooks/pre-commit — allowlist the workflow file alongside NOTICE/README.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Pre-fix: install.sh on a fresh clone has no binaries — target/ is gitignored,
copy_prebuilt_substrate_binaries() skips silently with "no pre-built found",
end users get zero kei-fork / kei-ledger / kei-cortex / etc.
New module: install/lib-rust-prebuild.sh (~120 LOC, Constructor Pattern).
ensure_rust_binaries() — main entry, idempotent
1. has_prebuilt_substrate_binaries() — quorum check (5+ kit binaries already in
target/release/ → no-op).
2. Else Path A: download keisei-${TARGET}.tar.gz from
https://github.com/KeiSei84/KeiSeiKit-1.0/releases/latest/download/
Detects target via uname (x86_64/aarch64 × darwin/linux), verifies
sha256, extracts into target/release/.
3. Path A fail (404, network, sha mismatch) → Path B fallback:
cargo build --release --workspace (slow first time, requires Rust).
4. Path B fail (no cargo) → say + return non-zero.
Bypass: KEI_SKIP_RUST=1 — skip both paths (markdown-only install).
Wired in install/lib-rust.sh — ensure_rust_binaries() called BEFORE
copy_prebuilt_substrate_binaries() in regenerate_rust_workspace.
Path A activates ONLY after a v* tag is pushed and release.yml uploads
tarballs to github releases. Until then, Path A 404s and Path B kicks in.
This commit lays the wire — release tag is a separate user-driven action.
Verify:
- bash -n install.sh: OK
- bash -n install/lib-rust-prebuild.sh: OK
- detect_rust_target on this host: aarch64-apple-darwin
- has_prebuilt_substrate_binaries: correctly returns false on partial dev
target (only kei-memory + kei-db-contract built locally today)
Out of scope (not done in this commit):
- Tag v0.X release to populate github tarballs (deploy step, deferred)
- Update keiseikit.dev/install.sh redirect target (downstream wiring)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
After session-wide kit scrub (CfC/Born-like/KILL GUARD/etc → generic),
_assembler/tests/snapshots/{code-implementer,researcher}.snap held stale
expectations. CI failed on golden_code_implementer + golden_researcher
across 9 consecutive runs.
Regenerated via cargo-insta accept. Snapshot diffs are exactly the term
substitutions Wave A applied to manifests:
- "ML/RL/CfC-adjacent" → "ML/RL specialized-node"
- similar 1-line shifts in code-implementer.snap
cargo test --release now green across all 11 _assembler test binaries
(22+3+3+3+1+2+2+7+4+6 = 53 tests passing).
=== STATUS-TRUTH MARKER ===
shipped: functional
stubs: 0
cargo-check: PASS
cargo-test: PASS (53 tests, 0 failures)
behaviour-verified: yes
follow-up-required:
- none — CI should turn green on next push
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
NOTICE: parfionovich@keilab.io → info@greendragon.info
Earlier mass-scrub missed NOTICE; now consistent with all Cargo.toml + package.json.
HERMES-MIGRATION-PLAN.md: removed 'Patent / IP considerations' section.
Original text revealed: internal prior-art search activity, plan to file
defensive provisional before public release of P3, reference to
keipatent-project-specialist (private agent, not in public kit).
Replaced with generic 'Licensing' block (MIT/Apache attribution only).
Audit confirmed remaining 'patent' mentions are legitimate:
- LICENSE/NOTICE Apache 2.0 boilerplate (patent grant clause required)
- README license-choice rationale
- kei-leak-matrix source — IT IS the secret-scanner with Category::PatentIp
- _generated/{researcher,ml-researcher,validator}.md — reference public agent 'patent-researcher'
- kei-store/github.rs — explain RULE 0.1 rationale to kit users
- skills/ci-scaffold — security-feature wording
- docs/AGENT-ROLES + skills/compose-solution — 'prior-art search' as generic researcher capability
No real-secret findings (sk-/ghp_/AKIA/etc) in tracked files.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
