KeiSeiKit-1.0

keisei/KeiSeiKit-1.0

Fork 0

Commit graph

Author	SHA1	Message	Date
Parfii-bot	9aa29aca15	fix(kei-cortex): SSRF + atomic token + body limits + capped reads Group C — kei-cortex daemon security hardening (post-audit 2026-05-02). - fal_ssrf.rs (new): validate_fal_url whitelist (fal.ai/.media/.run only). Applied to upload_url, file_url, status_url, images[0].url, and download_image. Closes SSRF where compromised fal response could direct daemon to fetch IMDSv1 (169.254.169.254) and stream cloud creds. - fal_pipeline.rs (new): HTTP step functions extracted from fal.rs; fal.rs trimmed to thin orchestrator (101 LOC, was over 200 LOC limit). - auth.rs: save_token now writes to <path>.<nanos>.tmp + sync_all + rename. Was non-atomic OpenOptions truncate+write — crash mid-write produced empty token file -> bootstrap rotated -> stale clients locked out. - routes.rs + routes_auth.rs (new): explicit DefaultBodyLimit per route — chat 256 KiB, tool/apply 11 MiB, pet/interaction 64 KiB, tts 32 KiB. Bearer auth middleware extracted to routes_auth. - handlers/chat.rs: validate_body enforces MAX_MESSAGE_CHARS = 50_000. Closed cost amplification where 1.99 MiB chat message billed 500K tokens ($1.50/turn at Sonnet pricing) on every send. - anthropic_sse.rs: SseParser MAX_BUF = 1 MiB cap; was unbounded — peer streaming 1 GB without \\n\\n would OOM daemon. - http_helpers.rs (new): HTTP_CLIENT: Lazy<reqwest::Client> shared across handlers (was per-request Client::new() => 100-300ms TLS handshake per chat turn, no HTTP/2 multiplexing, fd leak risk on macOS TIME_WAIT). - http_helpers.rs::read_capped: per-response body cap (16 KiB error / 64 MiB success). Applied to anthropic, anthropic_invoker, elevenlabs, fal_pipeline. Closed unbounded resp.text() / .bytes() pattern that compromised upstream could exploit. Test results: 462 passed; 0 failed (single-threaded). cargo check clean. 2 pre-existing port-binding flakes in openai_loop_wiring tests are unrelated. Findings consensus: fal SSRF + body-size + bearer-token-atomicity appeared in Wave-A retest; chat message cap + SSE buf cap appeared in Wave-A only. Would have been missed by single audit pass. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-02 21:39:57 +08:00
Parfii-bot	0be354a920	KeiSeiKit-public — clean state Single-commit clean baseline after security scrub of niche-tells, project codenames, internal jargon, and contributor-email leaks. Contents: - 100 Rust crates (_primitives/_rust/) - 37 agent manifests (_manifests/) + generated specs (_generated/) - 67 user-invocable skills (skills/) - 33 hooks (hooks/) - Composition blocks (_blocks/) - Documentation (docs/, README.md) - TS adapter packages (_ts_packages/) - Assembler (_assembler/) - Roles (_roles/) - Templates (_templates/) - Forgejo CI (.forgejo/) Author: Denis Parfionovich <info@greendragon.info> License: see LICENSE.	2026-05-01 12:09:03 +08:00

Author

SHA1

Message

Date

Parfii-bot

9aa29aca15

fix(kei-cortex): SSRF + atomic token + body limits + capped reads

Group C — kei-cortex daemon security hardening (post-audit 2026-05-02).

- fal_ssrf.rs (new): validate_fal_url whitelist (fal.ai/.media/.run only).
                      Applied to upload_url, file_url, status_url, images[0].url,
                      and download_image. Closes SSRF where compromised fal response
                      could direct daemon to fetch IMDSv1 (169.254.169.254) and
                      stream cloud creds.
- fal_pipeline.rs (new): HTTP step functions extracted from fal.rs; fal.rs trimmed
                          to thin orchestrator (101 LOC, was over 200 LOC limit).
- auth.rs: save_token now writes to <path>.<nanos>.tmp + sync_all + rename. Was
            non-atomic OpenOptions truncate+write — crash mid-write produced empty
            token file -> bootstrap rotated -> stale clients locked out.
- routes.rs + routes_auth.rs (new): explicit DefaultBodyLimit per route — chat 256 KiB,
                                     tool/apply 11 MiB, pet/interaction 64 KiB, tts 32 KiB.
                                     Bearer auth middleware extracted to routes_auth.
- handlers/chat.rs: validate_body enforces MAX_MESSAGE_CHARS = 50_000. Closed cost
                     amplification where 1.99 MiB chat message billed 500K tokens
                     ($1.50/turn at Sonnet pricing) on every send.
- anthropic_sse.rs: SseParser MAX_BUF = 1 MiB cap; was unbounded — peer streaming
                     1 GB without \\n\\n would OOM daemon.
- http_helpers.rs (new): HTTP_CLIENT: Lazy<reqwest::Client> shared across handlers
                          (was per-request Client::new() => 100-300ms TLS handshake
                          per chat turn, no HTTP/2 multiplexing, fd leak risk on
                          macOS TIME_WAIT).
- http_helpers.rs::read_capped: per-response body cap (16 KiB error / 64 MiB success).
                                  Applied to anthropic, anthropic_invoker, elevenlabs,
                                  fal_pipeline. Closed unbounded resp.text() / .bytes()
                                  pattern that compromised upstream could exploit.

Test results: 462 passed; 0 failed (single-threaded). cargo check clean.
2 pre-existing port-binding flakes in openai_loop_wiring tests are unrelated.

Findings consensus: fal SSRF + body-size + bearer-token-atomicity appeared in
Wave-A retest; chat message cap + SSE buf cap appeared in Wave-A only. Would have
been missed by single audit pass.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-02 21:39:57 +08:00

Parfii-bot

0be354a920

KeiSeiKit-public — clean state

Single-commit clean baseline after security scrub of niche-tells,
project codenames, internal jargon, and contributor-email leaks.

Contents:
- 100 Rust crates (_primitives/_rust/)
- 37 agent manifests (_manifests/) + generated specs (_generated/)
- 67 user-invocable skills (skills/)
- 33 hooks (hooks/)
- Composition blocks (_blocks/)
- Documentation (docs/, README.md)
- TS adapter packages (_ts_packages/)
- Assembler (_assembler/)
- Roles (_roles/)
- Templates (_templates/)
- Forgejo CI (.forgejo/)

Author: Denis Parfionovich <info@greendragon.info>

License: see LICENSE.

2026-05-01 12:09:03 +08:00

2 commits