Parfii-bot
97ffa5b4dc
chore: strip dangling sibling refs from Cargo.toml descriptions
...
Opus TOML audit found 7 crates whose Cargo.toml description fields
advertised sibling crates that don't exist in the workspace:
- kei-auth-magiclink, kei-auth-webauthn → mentioned kei-auth-{github,microsoft}
(workspace has only google + apple + magiclink + webauthn)
- kei-notify-discord → mentioned kei-notify-email (workspace has telegram /
discord / slack / sms only)
- kei-net-wireguard, kei-net-ipsec → mentioned kei-net-tailscale (workspace
has wireguard / openvpn / ipsec only)
- kei-git-forgejo → mentioned kei-git-keigit (workspace has forgejo / gitea /
gitlab / bitbucket)
- kei-compute-linode → mentioned kei-compute-hetzner (Hetzner removed per
rules/projects/project-vortex.md after TSPU blocks)
- kei-provision/Cargo.toml description + metadata → both mentioned Hetzner
Updated each description to mention only actually-existing siblings. cargo
metadata consumers, IDE tooltips, and any future crates.io publication will
no longer carry misleading sibling lists.
cargo check --workspace clean (only pre-existing warnings unrelated to this
change). Description-only metadata edits — zero functional impact.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-03 15:37:33 +08:00
Parfii-bot
fc03c98408
chore: author email + Cargo metadata SSoT (parfionovich@keilab.io)
...
Two related changes:
1. Author email update across the kit
- All `info@greendragon.info` references replaced with `parfionovich@keilab.io`
- Touched: NOTICE, README.md, _ts_packages/package.json (and 5 adapter packages),
plus 90+ Cargo.toml files
- Apache-2.0 attribution unchanged (Denis Parfionovich, 2026)
2. Cargo workspace.package SSoT for author/license/repository/homepage
- Added to [workspace.package]:
authors = ["Denis Parfionovich <parfionovich@keilab.io>"]
license = "Apache-2.0"
repository = "https://github.com/KeiSei84/KeiSeiKit-1.0 "
homepage = "https://github.com/KeiSei84/KeiSeiKit-1.0 "
- All ~89 member crates migrated from inline declarations to:
authors.workspace = true
license.workspace = true
(repository/homepage where applicable)
- Closes audit gap: kei-graph-stream, kei-cortex, kei-shared previously had no
license field at the crate level, blocking `cargo publish` on those.
Now they inherit Apache-2.0 from workspace.
- kei-scheduler/Cargo.toml: removed stray duplicate `authors` line introduced
by an earlier migration sweep.
cargo check --workspace: clean. No code changes; metadata-only migration.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-03 13:55:28 +08:00
Parfii-bot
f47c087646
feat(auth): JWT verification + OAuth CSRF + PKCE + secret redaction
...
Group B — auth-crate security hardening (post-audit Sonnet test-retest 2026-05-02).
kei-auth-apple:
- jwt.rs: full ES256 JWKS signature verification (jsonwebtoken crate);
validates iss == https://appleid.apple.com , aud == client_id, exp, iat;
decode_id_token_unverified is now cfg(test)-only.
Module docstring promised this since v0.1 — now actually implemented.
- claims.rs (new): IdTokenClaims + AudClaim extracted from jwt.rs.
- error.rs: JwtVerify, JwtDecode, MissingClaim variants.
- client.rs: client_secret_jwt: SecretString (was String); exchange_code accepts
code_verifier: Option<&str> for PKCE.
- provider.rs: verify() does CSRF expected_state ConstantTimeEq + JWT verification;
build_auth_url accepts state + verifier and emits PKCE code_challenge.
- tests/apple_smoke.rs + helpers/: 6 tests including malformed-JWT + non-Apple OAuth +
400-mapping + provider_verify_csrf_mismatch_rejected.
kei-auth-google:
- pkce.rs (new): pkce_challenge + url_encode (RFC 7636 §B.1 test vector covered).
- client.rs: client_secret: SecretString; exchange_code accepts code_verifier.
- provider.rs: verify() rejects on state mismatch; build_auth_url emits S256 challenge.
- tests/google_smoke.rs: 7 tests including CSRF mismatch.
kei-auth:
- main.rs: resolve_token() supports stdin (-) and KEI_AUTH_TOKEN env. Token positional
arg leaked via /proc/<pid>/cmdline + shell history; same fix that v0.14.1
applied to --key.
- main.rs::key(): hard fail if KEI_AUTH_KEY len < 32 bytes (mirror of magiclink).
- tokens.rs::verify(): query_row(...).optional()? instead of .ok() — DB errors now
propagate instead of being swallowed as "token unknown".
kei-runtime-core:
- secrets.rs (new, 81 LOC): SecretString newtype with redacted Debug + zeroize-on-Drop.
Required by every auth crate that holds secret material.
- traits/auth.rs: AuthChallenge::Password.password is now SecretString;
OAuthCode { state, expected_state }.
- error.rs: CsrfStateMismatch variant.
Test results: 48 passed; 0 failed across kei-auth, kei-auth-apple, kei-auth-google,
kei-auth-magiclink, kei-runtime-core. cargo check --workspace clean.
Findings consensus: Apple JWT unverified + OAuth state CSRF appeared in all 3
audit waves (Wave-1 + Wave-A + Wave-B); PKCE absence + secret-derive-Debug appeared
only in Wave-A retest, would have been missed by single-pass audit.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-02 21:39:18 +08:00
Parfii-bot
a4e667de10
KeiSeiKit-public — clean state
...
Single-commit clean baseline after security scrub of niche-tells,
project codenames, internal jargon, and contributor-email leaks.
Contents:
- 100 Rust crates (_primitives/_rust/)
- 37 agent manifests (_manifests/) + generated specs (_generated/)
- 67 user-invocable skills (skills/)
- 33 hooks (hooks/)
- Composition blocks (_blocks/)
- Documentation (docs/, README.md)
- TS adapter packages (_ts_packages/)
- Assembler (_assembler/)
- Roles (_roles/)
- Templates (_templates/)
- Forgejo CI (.forgejo/)
Author: Denis Parfionovich <info@greendragon.info>
License: see LICENSE.
2026-05-01 12:09:03 +08:00
