- Rename _manifests/{architect,code-implementer,cost-guardian,critic,
fal-ai-runner,infra-implementer,ml-implementer,ml-researcher,modal-runner,
patent-compliance,patent-researcher,researcher,security-auditor,validator}.toml
to kei-<name>.toml (git mv — history preserved).
- Update every `name = "..."` field to the new kei- name.
- Update every handoff `target = "..."` cross-reference (62 occurrences across
14 manifests) to point at the kei-prefixed counterpart.
- Update backticked prose cross-refs in role/forbidden_domain/description
strings: `code-implementer` -> `kei-code-implementer`, etc.
- Update SSoT header comments: "SSoT for <name>." -> "SSoT for kei-<name>.".
- Fix 3 bare-word prose refs missed by quoted/backticked patterns:
kei-code-implementer.toml (validator enforces), kei-security-auditor.toml
(description Hands fixes off to ..., forbidden_domain separate critic pass).
Noun-phrase mentions left intact (not agent refs): "senior software
architect", "ruthless code critic", "patent prior-art researcher",
"architectural claim", "critical findings", etc.
Verify:
cd _assembler && cargo build --release
AGENT_ROOT=$(pwd)/.. target/release/assemble --validate
-> 14 OK
Namespace motivation: kit-shipped agents live in a reserved "kei-*"
namespace so downstream installs can drop in custom, same-name agents
without collision (e.g. user's own `validator` or `critic`).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Regression test for the fix in 30cd08b (replaced
`root.parent().unwrap()` with `.unwrap_or(root.as_path())` at
main.rs:45). Two cases:
- `agent_root_slash_does_not_panic` — `AGENT_ROOT=/ assemble /dev/null`
must reach the "parse failed" error path without panicking. Guards
against the `relative_to()` call site specifically.
- `agent_root_slash_full_run_no_panic` — same env with a valid stub
manifest supplied explicitly. Even though the run fails at
`mkdir /_generated` (unprivileged), it must fail GRACEFULLY, not
with SIGABRT from an `.unwrap()` on a None parent.
Both assertions: no "panicked at" in stderr, and `status.code()` is
Some (signal-kill would return None on Unix).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
tests/determinism.rs (3 cases):
- same input across 2 isolated tempdirs → byte-identical output
- same input across 10 isolated tempdirs → all byte-identical
(catches HashMap iteration nondeterminism a 2-run check can miss)
- reordering blocks in the manifest changes output, but only in the
block region — frontmatter + role + trailing sections are stable
tests/roundtrip.rs (2 cases):
- every manifest string (name, model, tools list, all domain_in /
forbidden_domain / handoff.target / handoff.trigger entries)
appears verbatim in the generated output; no field silently dropped
- two consecutive runs in the SAME tempdir produce identical bytes
(defence against caching / mutable-global drift)
tests/validator_negative.rs (6 cases):
- unknown block ref → error mentions the bad name
- missing obligatory block (memory-protocol removed) → error names it
- empty handoff array → error mentions "handoff"
- whitespace-only role → error mentions "role"
- empty domain_in → error mentions "domain_in"
- --validate flag on a valid manifest: exit 0, no file written
Not covered: unsubstituted `{{placeholder}}` check — that validator
rule is being added in a parallel PR (fix/remaining-findings) and is
not yet on this base branch. Add a case for it when the check lands.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Add tests/golden.rs with insta-backed snapshot assertions for:
- researcher (minimal — 3 obligatory blocks only)
- cost-guardian (minimal + output_extra_fields)
- patent-compliance (minimal + references.extra)
- code-implementer (obligatory + 4 implementer-specific blocks)
Coverage: all four frontmatter fields (name/description/tools/model),
role body, block concatenation order, domain_in / forbidden_domain /
handoffs / output format (including extra fields) / references (both
optional memory_project + project_claudemd and references.extra).
The snapshots in tests/snapshots/*.snap are the signed contract —
any change to assembler.rs output must be reviewed via
`cargo insta review` and committed alongside the code change.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Add insta + tempfile to _assembler/Cargo.toml [dev-dependencies].
- Create tests/common/mod.rs with helpers: seed_tempdir (copies
fixtures into an isolated AGENT_ROOT), run_assemble (invokes the
built binary via std::process::Command), and assemble_one
(end-to-end single-manifest helper).
- Seed tests/fixtures/ with the 4 manifests covered by the golden
snapshots (code-implementer, researcher, cost-guardian,
patent-compliance) and the 7 blocks they reference (baseline,
evidence-grading, memory-protocol, rule-pre-dev-gate,
rule-test-first, rule-error-budget, rule-double-audit).
Binary-only crate (no lib target), so integration tests invoke the
assemble binary in-process instead of calling internal functions.
This exercises the full main.rs I/O + validator + assembler pipeline
end-to-end, which is exactly what the determinism claim covers.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
$HOOKS_DIR ($HOME/.claude/hooks) is shared with other kits. Backing up
the whole directory cumulatively bloats foreign hooks across re-runs.
Switch to backup_file per KeiSeiKit-owned hook so only the 3 files we
actually overwrite get a .bak-TIMESTAMP sibling. backup_dir remains for
KeiSeiKit-owned directories (_blocks, _templates, _assembler, skills).
say/warn/err now detect isatty(1) and the NO_COLOR env convention. When
stdout is redirected to a log file or NO_COLOR is set, ANSI escape codes
are suppressed. Interactive activation prompt also gated.
Previous block-rebuild path piped through head -40, so a FAIL on line 50
was invisible. Now FAIL/ERROR lines are always printed first; OK lines
are still truncated. Written in POSIX sh per Fix 4.
Walks every string-valued manifest field after load and rejects values
containing `{{...}}` (conservative: requires both `{{` and `}}`). Catches
wizard bugs that would emit literal `{{MEMORY_PROJECT}}` into the
generated agent .md. Four unit tests cover role/memory_project/single-brace
accept/empty-accept cases.
Offline build is attempted first so a fresh clone with a warm registry
cache can install without network. On failure, fall back to a regular
cargo build --release which will fetch from crates.io.
All three hooks changed shebang from bash to sh. No bashisms were in use
(no [[, no local, no arrays) so only the interpreter line moved. Verified
with sh -n, and dash smoke-run with a sample tool_input JSON.
Explains that 8 of 34 blocks are used by shipped manifests; the other 26
feed the /new-agent wizard. Adds a v0.1.1 disclaimer that re-running
install.sh backs up kit-owned directories and hook files to .bak-TIMESTAMP.
Adds --activate-hooks flag for non-interactive hook activation, plus a
TTY prompt at end-of-install. Merge is jq-based, groups by matcher, and
de-dupes hook entries by command — idempotent across re-runs. Existing
user hooks on the same matcher are preserved. Non-TTY without the flag
keeps the manual instructions.
If cargo build or any later step fails, the ERR trap walks the list of
backups created during this run and atomically swaps each .bak-TIMESTAMP
back onto its original. Idempotent via ROLLED_BACK guard. On success
nothing is rolled back — backups remain as the user's recovery copy.
_blocks/memory-protocol.md references ~/.claude/memory/MEMORY.md, but the
installer previously only scaffolded agents/ hooks/ skills/ — so the first
agent that followed the block would fail reading a non-existent index.
Now mkdir -p ~/.claude/memory and, only when MEMORY.md is absent, write a
minimal placeholder (frontmatter + pointer to the block). User-edited
MEMORY.md is never overwritten.
root.parent().unwrap() at main.rs:45 panicked if AGENT_ROOT pointed at a
filesystem root (e.g. AGENT_ROOT=/). Now falls back to root itself via
.unwrap_or(root.as_path()) so the 'OK <manifest> → <path>' line just
prints the absolute path in that edge case instead of aborting.
All three hooks used `set -eu` + `cat | jq …`. Without jq installed, jq
would fail and `-e` would abort the hook → non-zero exit → Claude Code
refuses Edit/Write/Bash system-wide. Now each hook probes for jq BEFORE
`set -eu` and exits 0 silently if absent. Also dropped the useless `cat |`
pipe — `jq -r` reads stdin directly.
Companion: install.sh jq check upgraded from warn to hard `exit 1` because
without jq the hooks are dead weight; message states jq is required on
any machine that will activate the hooks.
Previously cp -f clobbered user-edited _blocks/, _templates/, _assembler/,
hooks/, and skills/ silently — violating the README's "idempotent" claim
on re-run. Now each of those targets is snapshotted to a timestamped
<target>.bak-$(date +%s)/ sibling before overwrite, but only when the
target actually contains regular files (freshly-mkdir'd scaffolds are
skipped). _manifests/ unchanged — already uses per-file skip-if-exists.
Kit source ($KIT_DIR) is never backed up.
