KeiSeiKit-1.0

keisei/KeiSeiKit-1.0

Fork 0

Commit graph

Author	SHA1	Message	Date
Parfii-bot	71f17337fe	fix(security): cortex /term env_clear + bind guard, agent-stub-scan stdin, magiclink revoke Three independent security hardenings from cross-cutting audits. 1. cortex /term PTY env leak + bind guard (HIGH — Sonnet Cross-cutting + Opus) - kei-cortex/src/handlers/term_pty.rs: PTY spawn was inheriting daemon's full process env (KEI_AUTH_KEY, ANTHROPIC_API_KEY, FAL_KEY, etc.) into every authenticated /term shell. Combined with default cors_origin = https://keisei.app, one stored XSS on keisei.app + one bearer token = full local shell with all daemon secrets. Added apply_safe_env() helper: env_clear() + re-set only HOME, PATH, USER, LANG, TERM. Spawn helper invokes it before spawn_command. - kei-cortex/src/main.rs: extracted build_config() helper; added enforce_loopback_or_local_cors() guard called before serve.bind. Refuses to start if bind addr is non-loopback AND cors_origin is a public domain — prevents the XSS-to-shell scenario in production. 2. agent-stub-scan.sh stdin parsing (HIGH — multiple audits) - hooks/agent-stub-scan.sh: previously read $CLAUDE_AGENT_TRANSCRIPT env var which Claude Code does NOT set on PostToolUse:Agent. Hook silently exited 0 — RULE 0.16 enforcement was dead-code in production. Rewrote to read stdin JSON via jq, flatten .tool_response recursively (string\|array\|object via the same pattern as agent-event-done.sh), guard on .tool_name == "Agent" and command -v jq. Maintained WARN-tier exit-0 with TODO marker for ENFORCE flip on 2026-05-05 (per RULE 0.16 §2 ladder). 3. magiclink revoke() silent no-op (HIGH — Opus Rust + Sonnet Cross-cutting) - kei-auth-magiclink/src/{error,provider}.rs: revoke() previously returned Ok(()) without doing anything. Operators expecting "revoke a session" semantics from the AuthProvider trait got false success. Stolen magic- link URLs remained valid until the 15-minute TTL. Added Error::Unsupported variant. revoke() now returns Err(Unsupported(...)) with explicit guidance: "rotate KEI_MAGICLINK_HMAC_ KEY to invalidate all live tokens, or maintain a deny-list at the caller layer". Test provider_revoke_returns_unsupported_error confirms the error variant is wired. Tests: cargo check + cargo test both PASS. 444 functional tests across kei-cortex (428 lib) + kei-auth-magiclink (16 lib + smoke). Pre-existing openai_loop_wiring.rs 502 failures in routes/openai/{chat,responses}.rs are NOT introduced by these fixes — separate unrelated triage. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-03 15:38:23 +08:00
Parfii-bot	0be354a920	KeiSeiKit-public — clean state Single-commit clean baseline after security scrub of niche-tells, project codenames, internal jargon, and contributor-email leaks. Contents: - 100 Rust crates (_primitives/_rust/) - 37 agent manifests (_manifests/) + generated specs (_generated/) - 67 user-invocable skills (skills/) - 33 hooks (hooks/) - Composition blocks (_blocks/) - Documentation (docs/, README.md) - TS adapter packages (_ts_packages/) - Assembler (_assembler/) - Roles (_roles/) - Templates (_templates/) - Forgejo CI (.forgejo/) Author: Denis Parfionovich <info@greendragon.info> License: see LICENSE.	2026-05-01 12:09:03 +08:00

Author

SHA1

Message

Date

Parfii-bot

71f17337fe

fix(security): cortex /term env_clear + bind guard, agent-stub-scan stdin, magiclink revoke

Three independent security hardenings from cross-cutting audits.

1. cortex /term PTY env leak + bind guard (HIGH — Sonnet Cross-cutting + Opus)
   - kei-cortex/src/handlers/term_pty.rs: PTY spawn was inheriting daemon's
     full process env (KEI_AUTH_KEY, ANTHROPIC_API_KEY, FAL_KEY, etc.) into
     every authenticated /term shell. Combined with default cors_origin =
     https://keisei.app, one stored XSS on keisei.app + one bearer token =
     full local shell with all daemon secrets.
     Added apply_safe_env() helper: env_clear() + re-set only HOME, PATH,
     USER, LANG, TERM. Spawn helper invokes it before spawn_command.
   - kei-cortex/src/main.rs: extracted build_config() helper; added
     enforce_loopback_or_local_cors() guard called before serve.bind. Refuses
     to start if bind addr is non-loopback AND cors_origin is a public
     domain — prevents the XSS-to-shell scenario in production.

2. agent-stub-scan.sh stdin parsing (HIGH — multiple audits)
   - hooks/agent-stub-scan.sh: previously read $CLAUDE_AGENT_TRANSCRIPT env
     var which Claude Code does NOT set on PostToolUse:Agent. Hook silently
     exited 0 — RULE 0.16 enforcement was dead-code in production.
     Rewrote to read stdin JSON via jq, flatten .tool_response recursively
     (string|array|object via the same pattern as agent-event-done.sh),
     guard on .tool_name == "Agent" and command -v jq. Maintained WARN-tier
     exit-0 with TODO marker for ENFORCE flip on 2026-05-05 (per RULE 0.16
     §2 ladder).

3. magiclink revoke() silent no-op (HIGH — Opus Rust + Sonnet Cross-cutting)
   - kei-auth-magiclink/src/{error,provider}.rs: revoke() previously returned
     Ok(()) without doing anything. Operators expecting "revoke a session"
     semantics from the AuthProvider trait got false success. Stolen magic-
     link URLs remained valid until the 15-minute TTL.
     Added Error::Unsupported variant. revoke() now returns
     Err(Unsupported(...)) with explicit guidance: "rotate KEI_MAGICLINK_HMAC_
     KEY to invalidate all live tokens, or maintain a deny-list at the caller
     layer". Test provider_revoke_returns_unsupported_error confirms the
     error variant is wired.

Tests: cargo check + cargo test both PASS. 444 functional tests across
kei-cortex (428 lib) + kei-auth-magiclink (16 lib + smoke). Pre-existing
openai_loop_wiring.rs 502 failures in routes/openai/{chat,responses}.rs are
NOT introduced by these fixes — separate unrelated triage.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-03 15:38:23 +08:00

Parfii-bot

0be354a920

KeiSeiKit-public — clean state

Single-commit clean baseline after security scrub of niche-tells,
project codenames, internal jargon, and contributor-email leaks.

Contents:
- 100 Rust crates (_primitives/_rust/)
- 37 agent manifests (_manifests/) + generated specs (_generated/)
- 67 user-invocable skills (skills/)
- 33 hooks (hooks/)
- Composition blocks (_blocks/)
- Documentation (docs/, README.md)
- TS adapter packages (_ts_packages/)
- Assembler (_assembler/)
- Roles (_roles/)
- Templates (_templates/)
- Forgejo CI (.forgejo/)

Author: Denis Parfionovich <info@greendragon.info>

License: see LICENSE.

2026-05-01 12:09:03 +08:00

2 commits