keisei/KeiSeiKit-1.0
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
191 commits 3 branches 11 tags 12 MiB
Commit graph

9 commits

Author SHA1 Message Date
Parfii-bot
d09dc5b142 chore(v0.19.1): replace placeholder bun.lock with real lockfile + fix workspace path 
bun is a monorepo tool — lockfile lives at workspace root
(_ts_packages/bun.lock), not per-subpackage. Placeholder at
_ts_packages/packages/mcp-server/bun.lock was the wrong path.

Changes:
  - Generated real _ts_packages/bun.lock (626 lines) via 'bun install'
    (bun 1.3.13, auto-migrated from package-lock.json)
  - .github/workflows/release.yml working-directory:
    _ts_packages/packages/mcp-server → _ts_packages (workspace root)
  - BUILD.md Lockfile section rewritten to document workspace-root
    location + coexistence with package-lock.json (L2 audit finding
    partially resolved — full consolidation deferred to v0.20)

release.yml build-mcp-binary job now has real lockfile to consume —
H4 'tag build fails on missing lockfile' gate still active but now
there's something actually committed to satisfy it.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-04-22 17:16:57 +08:00
Parfii-bot
ca046e61c1 fix(v0.19.1): supply-chain hardening remainder — ci.yml SHA-pin + dependabot + bun.lock placeholder 
Follow-up to c27b626 (release.yml pinning). Finishes H4 + H5.

ci.yml:
  - 11 third-party actions SHA-pinned with # vN.m.k comments
  - actions/checkout@34e114876b... (v4.3.1)
  - actions/setup-node@49933ea5288... (v4.4.0)
  - dtolnay/rust-toolchain@3c5f7ea28... (rust 1.94.1)
  - Swatinem/rust-cache@c19371144... (v2.9.1)

.github/dependabot.yml (NEW):
  - 3 ecosystems weekly: github-actions, npm, cargo
  - PR cap 5, labels [dependencies, <ecosystem>]
  - Auto-opens update PRs for SHA bumps — human reviews, not silent churn

_ts_packages/packages/mcp-server/bun.lock (NEW — placeholder):
  - 13-line comment explaining H4 gate
  - Instructs: 'cd _ts_packages/packages/mcp-server && bun install' before release
  - release.yml (since v0.19.1) uses --frozen-lockfile with NO fallback —
    missing real lockfile fails the build deliberately

BUILD.md:
  - New 'Lockfile' section (19 LOC) documenting the pre-release workflow

CHANGELOG.md:
  - [Unreleased] → Security: 3 bullets covering this + prior supply-chain commit

All SHAs E1 (verified via api.github.com or reused from release.yml).

NEXT STEP BEFORE TAGGING v0.19.1:
  Populate real bun.lock locally, commit, then tag. Workflow will fail
  on missing/stale lockfile — that's the point of H4 defense.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-04-22 17:12:15 +08:00
Parfii-bot
c27b626af7 fix(v0.19.1): SHA-pin release.yml GitHub Actions + require bun.lock 
Partial supply-chain hardening (rate-limited before completing).

release.yml (H5 — CVE-2025-30066 class defense):
  - actions/checkout@34e114876b... (v4.3.1)
  - dtolnay/rust-toolchain@3c5f7ea28... (rust 1.94.1)
  - Swatinem/rust-cache@c19371144... (v2.9.1)
  - actions/upload-artifact@ea165f8d6... (v4.6.2)
  - actions/download-artifact@<pinned>
  - oven-sh/setup-bun@0c5077e51... (v2.2.0)
  - softprops/action-gh-release@<pinned>

release.yml (H4 — reproducible build):
  - Removed '|| bun install' fallback from build-mcp-binary job.
  - bun.lock now REQUIRED — missing lockfile fails the build.

NOT YET DONE (deferred to follow-up agent):
  - ci.yml same SHA-pinning (separate commit)
  - .github/dependabot.yml (weekly SHA update PRs)
  - _ts_packages/packages/mcp-server/bun.lock (placeholder commit)
  - BUILD.md 'Lockfile' subsection
  - CHANGELOG Security section under [Unreleased]

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-04-22 17:09:16 +08:00
Parfii-bot
e67ade47c8 feat(v0.18): kei-mcp-server single-binary compile — 5-platform via bun 
Phase 1 of exobrain architecture. Ships TS MCP server as a static
binary so users on machines without Node can run KeiSeiKit (USB /
flashdrive / air-gapped scenarios).

.github/workflows/release.yml (+62 LOC) — new build-mcp-binary job:
  - 5-target matrix: darwin arm64/x64, linux arm64/x64, windows x64
  - bun build --compile, linux arm64 continue-on-error (ARM runners
    less reliable)
  - Artifact kei-mcp-server-<os>-<arch>[.exe] + sha256
  - release job now needs [build-release, build-mcp-binary]

install/lib-rust.sh (+50 LOC) — have_prebuilt_mcp_server() +
  report_mcp_server_binary_status(); KEI_SKIP_MCP_BUILD=1 env
  flag skips bun/npm install when a prebuilt binary is present.
  File 165 LOC (<200 limit).

_ts_packages/packages/mcp-server/package.json — scripts.build:native
  + 5 per-target aliases (macos-arm, macos-x64, linux-x64,
  linux-arm, win-x64) for local dev.

_ts_packages/packages/mcp-server/BUILD.md (NEW, 52 LOC) — local
  compile guide per platform + Gatekeeper/code-sign notes +
  cites bun docs [VERIFIED: https://bun.sh/docs/bundler/executables].

README.md pre-built-binaries section gains 'MCP server binary'
subsection (download, chmod +x, xattr -d com.apple.quarantine for
macOS, UAC note for Windows).

CHANGELOG.md [Unreleased] bullet added.

Output size: ~90 MB per binary (bundled bun runtime). Acceptable
trade for zero-dep USB distribution.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-04-22 15:52:36 +08:00
Parfii-bot
3e792d169d Merge feat/v0.16-changelog-gen — Keep-a-Changelog + release workflow 2026-04-22 15:13:05 +08:00
Parfii-bot
d97afb63ec feat(v0.16): CHANGELOG + tag-driven release workflow 
Keep-a-Changelog format. 12 sections: [Unreleased] + 11 real
releases v0.8.0..v0.15.0, every bullet with real git SHA pulled
via git log --no-merges. 150 LOC.

.github/workflows/release.yml — 3 jobs, triggered on tag push:
  build-release: 4-platform matrix
    - x86_64-unknown-linux-gnu
    - aarch64-unknown-linux-gnu (continue-on-error)
    - x86_64-apple-darwin
    - aarch64-apple-darwin
    Builds entire _primitives/_rust workspace, emits tar.gz +
    sha256 per target via portable executable-discovery loop.
  release: downloads artifacts, runs local
    kei-changelog --from <prev-tag> --to <tag>, publishes via
    softprops/action-gh-release@v2.
  npm-publish: graceful skip when NPM_TOKEN secret absent
    (steps.have_token.outputs.present gate + || warning wrap
    so one failing package doesn't kill the job).

Companion install support: install/lib-rust.sh gains
have_prebuilt_binaries() + KEI_SKIP_RUST_BUILD=1 guard (shipped
as part of install-split bundle). Users can download tarball
instead of compiling Rust from source.

release.yml validated via yaml.safe_load: 3 jobs parse cleanly,
matrix expands 4-wide, jobs = [build-release, release, npm-publish].

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-04-22 15:10:00 +08:00
Parfii-bot
f77c1b7fdc fix(v0.15.1): RED-1 CVE + typed-handoff + schema minItems 
Security hotfix — v0.15.1 Wave 1 fixes from 4-parallel audit.

RED-1 (CVE): KEI_DISABLED_HOOKS tokenized match — was `*all*`
substring-glob (trivially bypassable via "install", "wall-clock", etc.),
now exact-token split on comma/space. Patched in all 9 hooks:
no-hand-edit-agents, assemble-agents, assemble-validate, tomd-preread,
agent-fork-logger, site-wysiwyd-check, error-spike-detector,
milestone-commit-hook, session-end-dump.

RED-2 (observability): minimal profile whitelist now includes
agent-fork-logger and session-end-dump (ledger + trace paths) so
observability is not silently lost on minimal installs.

HIGH: review.json schema minItems:1 on findings — rejects empty
reviews; new Rust test review_schema_rejects_empty_findings.

HIGH: typed-handoff wire-up — produces_artifact declared at top
level on 5 manifests (kei-security-auditor, kei-validator,
kei-architect, kei-code-implementer, kei-critic); duplicate
per-handoff declarations removed.

MED: kei-artifact validate.rs gains warn_unsupported_keywords —
non-fatal stderr warning when schema uses keywords outside the
hand-rolled 2020-12 subset.

LOW: CI Node matrix dropped 18, now ['20','22'].

Doc drift: skills/hooks-control/SKILL.md reflects tokenized-match
semantics and updated minimal-profile hook list.

Tests: 191 Rust workspace + 30 assembler (both pass). RED-1
reproducer 10/10 (4 former-CVE vectors blocked, 5 legit vectors
accepted, empty passes).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-04-22 15:08:51 +08:00
Parfii-bot
24c584ee50 fix: remove genesis-scan from public kit (internal tool, Bundle-only) 
Per user decision: publishing the sensitive IP pattern blocklist via public
scanner is leak of the blocklist itself (attack surface). genesis-scan
remains in PROJECT-E (private); user-global
~/.claude/hooks/genesis-leak-guard.sh (runtime hook) separate.

Deleted:
- _primitives/_rust/genesis-scan/ (whole crate, 5 files)
- hooks/git-pre-commit-genesis.sh (scanner companion)

Modified:
- workspace Cargo.toml -1 member (24→23)
- MANIFEST.toml — removed [primitive.genesis-scan] + core/full profile refs
- .github/workflows/ci.yml — removed genesis-scan job
- README.md — 7 count/description edits (24→23 rust, 10→9 hooks, 37→36 full)
- install.sh — 5 edits (--help + menus)
- mcp-server tool-registry.ts + test — scanner removed from MCP surface
- kei-sleep-queue.sh — removed scan_prompt() pre-submit hook
- 2 sleep-on-it skill phases — removed genesis-scan references

Tests: 160 Rust (was 167, -7 genesis-scan tests as expected), 24 assembler unchanged.
 2026-04-22 14:11:22 +08:00
Parfii-bot
fbd8adf9cf feat(ci): GitHub Actions workflows + .claude/worktrees gitignore 
- 6 CI jobs: rust-assembler, rust-primitives, ts-packages, install-dry-run, shell-lint, genesis-scan
- matrix: Ubuntu+macOS × rust-stable × Node 18/20/22
- closes 'no CI' -10% audit deduction
 2026-04-22 13:36:17 +08:00