curl|bash reads this script byte-by-byte from the pipe; a bare `exec < /dev/tty`
then made bash read the NEXT line (the bootstrap exec) from the keyboard →
infinite hang after "delegating", bootstrap never started. Fix: merge the
redirect into the bootstrap exec (one command). Verified piped-under-pty:
buggy=HANG, fixed=full install completes.
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
web-install.sh tees stdout to a logfile, so -t 1 is false even in an interactive
curl|bash; the /dev/tty fix reattached only stdin. Wizard gates required BOTH
-t 0 and -t 1, so onboarding (language select) and bootstrap's profile wizard
were silently skipped on the primary install path. Prompts go to stderr and read
from stdin — interactive stdin is the only real requirement.
Gates: bootstrap.sh, lib-onboarding.sh (×2), lib-preflight.sh, lib-hooks.sh.
Non-interactive (CI / </dev/null) still skips — verified.
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
E2E (curl install.keisei.app | bash, no controlling terminal) died at
`exec < /dev/tty` — "No such device or address". `[ -r /dev/tty ]` stat's
the path readable but the device can't be opened without a controlling
terminal (CI/cron/ssh non-interactive) — the documented `| bash -s -- --yes`
CI path. Now probes a real open via `{ : < /dev/tty; }` and reattaches only
on success; else proceeds non-interactively. Verified RC=0 end-to-end.
Root causes found by reproducing a clean install from keigit:
1. PROFILE_PRIMS resolved only inside check_prereqs → unbound for
--no-execute (plan showed 0 prims for every profile) and silently
empty for --skip-prereqs. Now resolved unconditionally in install.sh
before any reader (SSoT).
2. Every profile (even minimal, advertised "no Rust compile") fell back
to a 5-15 min `cargo build --workspace` because no prebuilt release
binaries exist. Auto-set KEI_SKIP_RUST for profiles with no rust
primitives → minimal installs in ~18s (assembler only). cargo stays a
hard prereq because the agent assembler always compiles.
3. The assembler aborted the WHOLE install on any single bad manifest
(set -e). generate_agents is now tolerant: bad manifests print FAIL
but hooks/skills/settings still land. Commit-time validate stays strict.
4. Data bugs that broke the assembler:
- duplicate [taxonomy] table in _roles/{auditor,merger}.toml
- fal-ai-runner handoff → keimd-expert (not shipped in kit)
- infra-implementer-cicd forbidden_domain literal `${{ secrets.NAME }}`
collided with assembler ${{ }} placeholder detection
5. Metadata: KeiSei84 (nonexistent GitHub org) → KeiSeiLab/KeiSeiKit-1.0
across plugin manifests, bootstrap, README, docs, Cargo/npm metadata.
.claude-plugin/{plugin,marketplace}.json 0.16.0 → 0.38.0. SECURITY.md
supported version 0.14.x → 0.38.x.
feat: ship KeiSei tamagotchi statusline into the kit
- scripts/keisei-pet{,-update}.sh (portable, state under ~/.claude/pet/)
- install copies them to ~/.claude/scripts/
- settings-snippet adds statusLine (set-if-absent, never clobbers an
existing one) + 4 pet-update hooks (prompt/rust_write/github_block/sleep)
Verified: clean minimal install RC=0, zero FAIL, 38 agents + 52 hooks +
68 skills, settings valid, statusLine wired, pet renders, idempotent re-run.
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
gx10 fail при первой установке (фото юзера 2026-05-18):
jq: error: Could not open file /home/keisei/.claude/settings.json
[error] jq-merge produced invalid output; ... unchanged
[error] install failed at line 126; rolled back
Root cause:
backup_file() (install/lib-backup.sh:56) делал `mv target backup`,
затем activate_hooks() → _jq_merge_hooks() пыталась читать оригинал
target'а через jq — но оригинал уже унесён mv'ом, открыть нечего.
jq fail → rollback всей установки.
Fix: cp -a вместо mv (как уже сделано в backup_path() для директорий).
Атомарный безопасный бэкап; оригинал остаётся для jq, потом
_jq_merge_hooks атомарно переписывает его mv tmp → target.
CI run 26014515768 — `x86_64-apple-darwin` упал на webauthn-attestation-ca
→ openssl-sys 0.9.115: pkg-config не настроен для cross-compile
(macos-latest = arm64, target = x86_64).
Фикс: добавлен прямой dep `openssl-sys = { version = "0.9", features =
["vendored"] }` в kei-auth-webauthn — компилит openssl из исходников,
не требует системного. Транзитивно достаточно одного объявления feature
во всём workspace (Cargo unifies features).
CI v0.38.0 mcp-server билды все 5 упали на `bun install --frozen-lockfile`
с «lockfile had changes, but lockfile is frozen». В lockfile отставали:
- @keisei/mcp-server 0.14.0 → 0.14.6
- ajv 8.18.0 → 8.20.0
- express-rate-limit 8.3.2 → 8.4.1
- hono 4.12.14 → 4.12.16
Пересоздан `rm bun.lock && bun install` под bun 1.3.14 (тот же что в CI).
audit-2026-05-18 (соседняя сессия на gx10, 3 бага из 5 подтверждены):
#1 [HIGH] cortex profile сломан — kei-cortex depends on kei-router
path-dep'ом, а kei-router → kei-model. kei-model не было в
profile list, cargo build падал с «failed to read kei-model/
Cargo.toml». Добавил kei-model в cortex profile.
#3 [HIGH] cortex-ui отсутствует в репо — был в profile list, но
исходника нет ни в _primitives/_rust/, ни в _ts_packages/.
Удалил из profile.
#4 [MEDIUM] web-install.sh теряет /dev/tty — exec | tee + curl|bash
делают stdin pipe, wizard'у read нечего читать, onboarding падает
на первом prompt. Переподключаю stdin к /dev/tty перед exec
bootstrap.sh, если /dev/tty доступен.
#2 (linux-arm64 prebuild) — tag v0.38.0 не запушен на github, CI
release.yml не сработал. Требует RULE 0.1 triple-confirm.
#5 (non-TTY default = minimal) — уже корректно, install.sh:141
`PROFILE="${PROFILE:-minimal}"` + lib-menu.sh skip on non-TTY.
Авто-сгенерирован из _blocks/*.md по категориям префикса:
API / AUTH / CI / DB / DEPLOY / DOCS / DOMAIN / MODE / OBS /
PATH / RULE / SCRAPER / SECURITY / STACK / TEST + прочие.
Каждая запись: `name` — первая H1-строка файла.
Использование в _manifests/<agent>.toml:
blocks = ["baseline", "rule-pre-dev-gate", "api-anthropic", ...]
Assembler читает блоки из _blocks/, склеивает в финальный
_generated/<agent>.md. Новый блок = просто .md в _blocks/.
Регенерация INDEX.md — TODO build-index.sh скрипт (сейчас
сгенерирован вручную bash циклом).
Новые словари:
uk Українська
de Deutsch
fr Français
es Español
pt Português
it Italiano
tr Türkçe
ar العربية
hi हिन्दी
zh 简体中文
ja 日本語
ko 한국어
id Bahasa Indonesia
vi Tiếng Việt
Каждый файл — 17 STR_* ключей (тот же контракт что en.sh + ru.sh).
lib-i18n.sh::i18n_available_languages — единый список (en + 15)
для меню выбора в мастере. i18n_load_lang упрощён: всегда грузит
английский как fallback, потом поверх — словарь языка (отсутствующий
ключ остаётся английским).
onboarding_pick_language теперь генерирует whiptail/bash select из
i18n_available_languages динамически — добавление нового языка =
один файл `install/i18n/<код>.sh` + одна строка в available_languages,
дальше всё подхватится автоматически.
Перевод формальный, без излишеств. Welcome баннер всегда EN (юзер
ещё не выбрал на момент показа).
Проверено: bash -n всех 16 словарей чисто, roundtrip всех языков
работает (i18n_load_lang en/ru/uk/de/fr/es/pt/it/tr/ar/hi/zh/ja/ko/id/vi
выдают локализованные STR_DONE_TITLE + STR_TR_DIRECT_API), non-TTY
smoke install --no-execute проходит.
- preflight failure handling: вместо `|| true` (молчаливое продолжение
при упавшем preflight) — явный prompt «продолжить? [y/N]» с return 1
при отказе. Без TTY печатает warning и продолжает. Это закрывает
HIGH bug-9: «.onboarded флаг выставляется при нерабочей конфигурации».
- lib-preflight.sh::preflight_check_cli — общий helper (command -v +
offer-install + version echo). Убирает 6-file boilerplate (хотя сами
per-provider файлы пока не переписаны под него — это отдельный шаг).
- onboarding_fallback_providers: расширен с 3 до 14 провайдеров,
покрывает все 7 транспортов. Был дрейф vs providers.toml (14 vs 3),
юзер без submodule видел только anthropic+openai+ollama.
- STR_PICK_PROVIDER plural mismatch: whiptail и plain ветки теперь
используют один fallback "Provider within" (раньше plain имел
"Providers within", whiptail — "Provider within").
- STR_DONE_NEXT удалён из en.sh + ru.sh (мёртвый ключ).
- Новые ключи: STR_MENU_* (для lib-menu.sh) + STR_PREFLIGHT_FAILED +
STR_PREFLIGHT_CONTINUE. lib-menu.sh начал использовать
STR_MENU_TITLE / STR_MENU_SUBSTRATE (частичная локализация, остальное
меню — отдельной задачей).
Тесты: bash -n чисто, i18n round-trip EN/RU работает, non-TTY smoke
install --no-execute проходит.
1. HIGH-1: onboarding ↔ kei-model-router связка
До: onboarding мастер писал ~/.claude/config/onboarding.toml,
но router его не читал — выбор провайдера декоративный.
После: lib-onboarding.sh::onboarding_write_config доп. пишет
~/.claude/config/user-model-override.toml; registry.rs::Registry
получил load_user_override() возвращающий UserModelOverride.
Приоритет: --pinned > user-override > agent-profiles default_model_ref.
2 новых теста (round-trip TOML, optional transport).
2. HIGH-2: eval "$install_cmd" → bash -c "$install_cmd"
До: lib-preflight.sh::preflight_offer_install делал eval.
После: bash -c с явным subshell + печать команды юзеру до запуска.
3. HIGH-3: codex.sh regex false-pass
До: grep -qiE "logged.in|active" пропускал "not logged in" как pass.
После: сначала negative-pattern (not logged|signed out|please log in),
потом positive (\blogged in\b|status: active|auth: yes).
4. HIGH-4: path traversal в source preflight
До: lib-preflight.sh::preflight_run делал source без валидации
provider id — `../../../evil` сработал бы.
После: whitelist regex ^[a-z0-9][a-z0-9_-]{0,63}$ + realpath
проверка что resolved путь не вышел за PREFLIGHT_DIR.
5. HIGH-5: curl|sh без verification
ollama-local.sh + google-vertex.sh теперь печатают предупреждение
что Linux-установка тянет shell-скрипт с внешнего сервера без
проверки хэша/подписи, и предлагают альтернативу.
MEDIUM попутно:
- anthropic-bedrock.sh: один вызов aws sts get-caller-identity
вместо двух (экономит 1-3с), различает cred-error от network
по тексту stderr, маскирует account ID в ARN перед печатью.
- mlx-local.sh: pip install --user mlx-lm вместо global pip install
(не требует sudo, не загрязняет system Python).
Тесты: cargo test --lib 80/80, bash -n всех изменённых файлов чисто.
Структура локализации:
install/i18n/en.sh — английский словарь (дефолт, fallback)
install/i18n/ru.sh — русский словарь
install/lib-i18n.sh — лоадер + welcome banner
Поток:
1. install.sh source'ит lib-i18n.sh и зовёт i18n_load_default →
все строки на английском.
2. Если onboarding нужен — печатается welcome banner ASCII-рамка
на английском (язык ещё не выбран).
3. onboarding_pick_language — единственный двуязычный шаг
("Choose language / Выберите язык"). По выбору вызывает
i18n_load_lang ru|en — перегружает словарь.
4. Все последующие шаги (transport / provider / model / auth /
completion) идут на выбранном языке.
Fallback: если ru-словарь не имеет ключа — используется английское
значение (load_default вызывается до загрузки ru.sh, переменные
перезаписываются поверх).
lib-onboarding.sh переведён со смешанных hardcoded строк на
${STR_*} placeholders.
Тесты: bash -n всех 5 файлов чисто, i18n loader unit-тест показывает
EN/RU перегрузку, non-TTY smoke install --no-execute проходит.
1. OID-check в parse_x25519_pkcs8_pem
До: брался последний 32-байтный slice любого PKCS#8 DER, OID не
проверялся. RSA/EC/Ed25519 ключ молча давал 32 неправильных байта
→ decrypt падал с generic "wrong key" без объяснения.
После: строгая проверка длины (48 байт) + OID 1.3.101.110 (X25519,
byte slice 9..12 = 0x2b,0x65,0x6e). Внешний openssl ключ другого
алгоритма теперь даёт явную ошибку с указанием реального OID.
Константы X25519_OID + X25519_PKCS8_DER_LEN.
RFC 8410 §3 + §7 ссылка в doc-комментарии.
2. x25519-dalek feature `zeroize`
До: features=["static_secrets"] — StaticSecret хранил priv-ключ
в куче без затирания при Drop. Локальный priv_raw.zeroize() стирал
только стек-копию, оригинал в куче оставался до GC.
После: features=["static_secrets","zeroize"] — StaticSecret сам
реализует ZeroizeOnDrop, ключ затирается при выходе из scope.
3. Два новых теста:
- parse_rejects_wrong_length_der — 32-байтный DER (вместо 48)
отклоняется с сообщением про "48 bytes"
- parse_rejects_wrong_oid — DER с OID Ed25519 (0x2b,0x65,0x70)
отклоняется с сообщением про "X25519"
8/8 тестов модуля проходят, cargo check workspace чисто.
Старая 0.14.5 mcp-server (с source maps содержавшими /Users/
denisparfionovich/...) удалена с keigit.com отдельной операцией
через Forgejo DELETE API.
Новый интерактивный мастер при первой установке:
1. Язык интерфейса (RU/EN)
2. Транспорт (direct-api / aws-bedrock / azure-openai / google-vertex
/ local / proxy / subscription)
3. Провайдер внутри транспорта (14 вариантов суммарно)
4. Модель из выбранного провайдера (3 моделей Anthropic, и т.д.)
5. Ключи/креды (silent read, пишет в ~/.claude/secrets/.env chmod 600)
Skip-логика:
- флаг ~/.claude/.onboarded
- env KEISEI_SKIP_ONBOARD=1
- не-TTY запуск
Запись:
~/.claude/config/onboarding.toml — выбор lang/transport/provider/model
~/.claude/secrets/.env — ключи провайдера
~/.claude/.onboarded — флаг прохождения
Парсер toml — pure awk (без зависимостей). Реестры из submodule
_blocks/registries. Submodule bumped до afe0c6f с новым полем transport.
Fallback если submodule не подтянут: anthropic + sonnet.
- _ts_packages/tsconfig.base.json: sourceMap=false, declarationMap=false
(source maps leaked absolute dev paths in published tarballs).
- All 6 @keisei/* packages: publishConfig.registry = keigit.com.
mcp-server bumped 0.14.5 -> 0.14.6 (republished without maps).
- .github/workflows/release.yml split into two jobs:
npm-publish-keigit: primary. Activates on KEIGIT_NPM_TOKEN +
KEIGIT_NPM_USER secrets. Publishes via direct curl PUT
(Forgejo requires Basic auth; npm CLI sends Bearer).
npm-publish-npmjs: reserved for future. Activates on NPM_TOKEN
secret. Currently no token -> job skipped gracefully.
End-to-end verified: clean dir + scope @keisei -> keigit + npm install
pulls 145 deps, no leaked paths, no .map files in any of 6 packages.
Thin wrapper (88 LOC) that lets a fresh machine install KeiSeiKit with
one line, no prior clone:
curl -fsSL https://install.keisei.app | bash
curl -fsSL https://install.keisei.app | bash -s -- --profile=dev --yes
## Why a third install entry point
Existing install path required `git clone` + `cd` + `./bootstrap.sh` —
three commands the user has to type, plus they must already have the
repo URL handy. For private repos with SSH auth this is real friction.
`web-install.sh` is meant to be served as a static file (Cloudflare
Pages / nginx) at install.keisei.app. It does ONE thing: prereq → clone
→ delegate to ./bootstrap.sh. Single source of truth — no duplicated
install logic.
## What it does
1. Splash + log to ~/.keisei-install.log
2. Hard prereq: git (the one thing bootstrap.sh cannot self-install)
3. SSH auth probe for git@github.com — clear error message if key missing
4. Clone/pull KeiSeiLab/KeiSeiKit-1.0 to $KEISEI_ROOT (default ~/.local/share/keisei)
5. git submodule update --init (pulls kei-registries)
6. exec ./bootstrap.sh "$@" — pass-through all flags
## Env overrides
- KEISEI_ROOT — install location
- KEISEI_REPO — git URL
- KEISEI_REF — branch/tag/sha
## Hosting
Push this file to install.keisei.app (Cloudflare Pages, S3+CF, nginx
static — anything that serves a single .sh over HTTPS).
## README updated
Quick start section now shows the curl one-liner as the recommended
path. Repo URL corrected from KeiSei84 → KeiSeiLab org.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Closes audit HIGH-1 (SSoT drift between KSK and marketplace).
_blocks/registries/ now tracks the single canonical kei-registries repo;
marketplace consumes the same submodule.
closes MEDIUM/LOW from feat/agent-dna-three-layer audit:
- models.toml: cache_write_1h_per_mtok_micro added to all 11 entries
(Anthropic: 200M/600M/1000M micro = $2/$6/$10 per MTok per pricing page;
other providers: 0 placeholder)
- main.rs (kei-model-router): WAL pragma + busy_timeout errors now logged
to stderr instead of silently dropped (previously .ok() swallowed both)
- models.toml: Haiku id pin TODO documented (router still hardcodes alias)
Adds `agent_shell_dna` cube parsing the new agent-shell::<p>:<m>:<c>::<scope>::<body>-<nonce>
format emitted by keisei-marketplace/src/lib/cryptoid.ts::agentDna.
Companion to legacy 4-segment `dna_class` (untouched per RULE Don't-Rewrite).
Accepts both 8-hex (legacy) and 16-hex (current) lengths for forward-compat.
- new file: src/agent_shell_dna.rs (235 LOC, 13 tests all pass)
- lib.rs: pub mod agent_shell_dna + module doc
Closes HIGH-2 (dna-three-layer audit).
Codex CRITICAL + 4 HIGH + 5 MEDIUM/LOW from RULE 0.23 dual-review and
RULE 0.25 multi-critic swarm — all closed.
CRITICAL fix
- Model::slug() ledger compatibility: posterior.rs + select_kernel.rs
query `WHERE model = ?2 OR model = ?3`, binding canonical + legacy
slug pair via new `Model::legacy_slug()`. Production ledger rows
written under "haiku"/"sonnet"/"opus" remain visible to posterior
aggregation. Regression test ledger_legacy_slug_counted.
HIGH fixes
- cmd_select(): no longer early-returns on profile match. Profile's
default_model_ref now becomes DecisionInput.fallback; select() always
runs, posterior/kernel evidence wins if present. RULE 0.20 cost
optimisation restored for all 18 registered agents.
- Registry pricing SSoT: DecisionInput now carries Option<Arc<Registry>>.
estimated_cost() tries registry first; hardcoded match is documented
fallback only. select_posterior.rs no longer duplicates models.toml
constants.
- registry.rs portability: include_str!() embeds the three TOMLs at
compile time. load_embedded() new; disk path tried first via
KEI_REGISTRIES_DIR, embedded as fallback. `cargo install`d binaries
now find registries unconditionally. embedded_registry_matches_disk
test ensures embedded ≡ disk source.
- next_model() ambiguity: replaced Option<&Model> with EscalationResult
enum (Next(&Model) / AtTop / NotFound). Callers can distinguish typo
from ceiling. 5 new tests.
MEDIUM fixes
- posterior.rs u32 overflow: `(n_plus + n_minus) as u32` →
`u32::try_from(n_plus.saturating_add(n_minus)).unwrap_or(u32::MAX)`.
overflow_guard_on_huge_n test with i64::MAX.
- pick() unknown-model: now returns None when default_model_ref's model
is absent from registry. Inverted the deprecation guard.
- HOME unset: disk_registries_dir() returns None on empty HOME and
falls through to embedded registries. open_ledger() logs warning
and returns None instead of opening at malformed path.
- SQLite WAL + busy_timeout: applied to ledger connection in
open_ledger() — concurrent CLI invocations no longer SQLITE_BUSY.
LOW fixes
- impl Model consolidation: next_tier() moved to pricing.rs.
escalate.rs uses current.next_tier() instead of duplicating logic.
- complexity.rs: removed duplicate "ml-implementer" in HEAVY_ROLES.
- dna_class.rs: role("") now returns None instead of Some("").
Verification (orchestrator-side, RULE 0.13 §Verify-before-commit):
- cargo check → clean
- cargo test --release → 63 passed / 0 failed (was 58 → +5 new tests
cover legacy-slug, EscalationResult, overflow, unknown-model, embedded)
- Constructor Pattern → all files ≤ 200 LOC (max registry.rs 196)
- Largest fn from_ledger 28 LOC / limit 30
DNA-INDEX.md regenerated by kei-registry hook (cosmetic).
=== STATUS-TRUTH MARKER ===
shipped: functional
stubs: 0
cargo-check: PASS
behaviour-verified: yes
follow-up-required:
- (none from this commit; next audit pass before merge to main)
Splits agent definition into stable provider + swappable model + role-bound
profile. Adding a new LLM API is one row in providers.toml; new model is
one row in models.toml; agent invocation picks any (provider, model) pair
through agent-profiles.toml default_model_ref.
- providers.toml: 10 providers — anthropic, openai, codex (OAuth), xai,
deepseek, google, ollama-local, mlx-local, lmstudio-local, litellm-proxy
- models.toml: 11 models with cost_*_per_mtok_micro + context_window +
verified_at + deprecated_at
- agent-profiles.toml: 18 representative profiles; manifest_path points
to the canonical .md in ~/.claude/agents/
Three-layer DNA per the new architecture:
agent-shell::<provider>:<model>:<caps>::<scope8>::<body8>-<nonce8>
This commit only adds registries — kei-model-router still hardcodes
the Claude-only Model enum. Wave 4 will rewire it to read TOML.
Profile bundles the crates kei-buddy needs at runtime:
kei-buddy, kei-telegram-webhook, kei-shared, kei-chat-store,
kei-social-store, kei-memory-sqlite, kei-router, kei-llm-bridge-mlx.
Used by keisei-marketplace cloud-init when user clicks 'хочу своего
KeiBuddy' on /keibuddy/setup — Hetzner VPS spawn pulls KeiSeiKit and
runs install.sh --profile=buddy --yes.
Previous wiremock conversion fixed the listener-lifecycle race but
left the underlying problem unsolved: `ensure_env()` mutates the
process-global ANTHROPIC_ENDPOINT, and parallel `cargo test` threads
race on that write. Manifested as 502 / "error sending request for
url …" on the first concurrent test pair under both macOS and Linux.
Annotate every #[tokio::test] in openai_loop_wiring.rs +
openai_compat.rs with `#[serial_test::serial]` — these are the only
tests that touch ANTHROPIC_ENDPOINT via shared_mock_anthropic.
serial_test enforces process-wide ordering so the env mutation +
HTTP request pair is atomic per test. All other tests stay parallel.
Stress: 5 parallel `cargo test` runs all green.
Previous `tests/common/mod.rs` spawned a mock Anthropic upstream via
hand-rolled axum + std:🧵:spawn + own current-thread tokio runtime
bound to 127.0.0.1:0. Stable on Linux runner; flaked on macOS GitHub
Actions runners:
thread 'streaming_responses_runs_real_loop_not_stub' panicked at
kei-cortex/tests/openai_loop_wiring.rs:277:5:
no responses delta event in stream: event: response.error
data: {"error":"model: anthropic request: error sending request
for url (http://127.0.0.1:49312/v1/messages)"}
Root cause traced to macOS-runner loopback / fd-limit pressure on the
dedicated-thread current-thread runtime. wiremock crate runs a
production-quality hyper-based mock server, manages its own listener
lifecycle, and survives the macOS runner constraints.
## Change
- `Cargo.toml`: add wiremock = workspace dev-dep (already 0.6 in workspace)
- `tests/common/mod.rs::MockAnthropicServer` rebuilt over wiremock::MockServer
- `build_mock(text)` mounts `POST /v1/messages → 200 + canned body` on a
wiremock instance
- `mock_anthropic_responding_with()` spins one per call on a parked
helper thread (preserves `MockAnthropicServer: 'static` lifetime for
`shared_mock_anthropic` `OnceLock` singleton)
- `shared_mock_anthropic()` API unchanged; existing test sites in
`tests/openai_loop_wiring.rs` + `tests/openai_compat.rs` continue to
work without modification
## Verification
`cargo test -p kei-cortex --test openai_loop_wiring`: 7/7 pass locally
`cargo test -p kei-cortex`: full suite green (428 lib + integration)
Also includes DNA-INDEX regenerate (auto-encyclopedia hook artefact;
0 vortex matches preserved).
Removes the two banned-project references (project-vortex::vortex and
project-vortex::vortex-constraints at lines 703/707 of DNA-INDEX.md
pre-regenerate) that surfaced in the public-readiness audit (P0
finding from sub-agent a2c1199a).
Source: ~/.claude/registry.sqlite row 391 +
~/.claude/registry-fragments/project-vortex__vortex-constraints.md.
Both removed locally so kei-registry encyclopedia regen no longer
emits the lines. auto-encyclopedia-refresh.sh PostToolUse:Edit|Write
hook will not re-add them on next run since the source row is gone.
If the Vortex agent project (cyber-banned per ~/.claude/rules/security.md)
needs that rule again, it should be registered into a SEPARATE local-only
registry (e.g. ~/.claude/registry-private.sqlite) so it never leaks into
the public encyclopedia path.
After regen: 0 vortex/neuralcloak/keidog/keinet matches in entire
KeiSeiKit-public tree (git grep). Public-readiness P0 = 0.
Replaces the rigid FSM after Intro/AskLanguage with a single LLM call per
turn that sees:
* persona (what's already known — slots not re-asked)
* recent 10 chat_log messages (history)
* top-5 kei-sage atoms relevant to user_text (graph-RAG, not embeddings)
* raw user_text
LLM returns JSON {slot_updates, response_text, done, focus} which drives
the next state + persona patch + reply. No embeddings, no vector store —
kei-sage's FTS5 + Obsidian-style atom graph is the retrieval layer.
New files:
* src/retrieval.rs (101 LOC) — retrieve_context(chat_log, topics,
chat_id, query, history_n, atoms_k) -> RetrievalContext
* src/conversational.rs (157 LOC) — conversational_step
(state, persona, context, text, extractor, lang) -> StepOutput
Modified:
* src/serve.rs::run_fsm — branch on state: Intro/AskLanguage still go
through legacy handle_step (jump-start); everything else routes to
conversational_step with retrieval context.
* src/lib.rs — module declarations.
Tests (5 new, 60 total passing):
* parses_well_formed_llm_response
* done_true_transitions_to_ready
* invalid_json_falls_back_gracefully
* retrieve_returns_empty_on_empty_stores
* retrieve_finds_seeded_data
Verify:
* cargo check -p kei-buddy: PASS
* cargo test -p kei-buddy --lib: 60/0 (was 55, +5)
Why graph-RAG instead of embeddings: kei-sage already in tree (atoms +
edges + BFS + PageRank + FTS5). Explicit edges (message → topic →
contact) beat opaque cosine similarity for personal-assistant memory
where relationships are typed. No sqlite-vec dep, no embedding cost.
NOT deployed yet — needs server rebuild.
Closes engine bugs #1, #2, #3 from the user's backlog.md entry dated
2026-05-11 "kei-refactor-engine — 4 false-positive bugs". Bug #4 was
fixed in d2c966d8 (wikilink path-norm + handoff scanner removal).
## Bug #1 — vendored marketplaces skip
Engine was scanning `plugins/marketplaces/claude-plugins-official/` —
vendored upstream code where Constructor Pattern thresholds don't
apply. ~246 cp-violations were from this tree.
Fix: `tree::should_skip_path()` central filter. Skips any path
component named `marketplaces`, `target`, `node_modules`, or `.git`.
Applied via `WalkDir::filter_entry()` in `collect_markdown`,
`collect_with_ext`, `scanners::cp::scan`, `scanners::orphans::scan`,
`scanners::orphans::all_basenames`. `scanners::cp::skip_dir` now
delegates to `should_skip_path` (removed the older inline
`/target/`-substring check).
## Bug #2 — hooks-share-matcher false-positive class
Claude Code hook chains are designed to support N hooks per event by
design. `scanners::hooks` was flagging every pair sharing a matcher
as a "redundancy conflict" — 9 hooks/medium findings in the last
deep-sleep run, every one false-positive.
Fix: `scanners::hooks::scan` reduced to a no-op stub returning
`Vec::new()`. Module docstring documents the retraction + future
direction (a real `hooks-validity` scanner for broken shebangs,
missing chmod, syntax errors would replace it).
## Bug #3 — `.patch` file not unified diff
Already resolved in prior commit (v0.14.1 retraction in patch.rs):
CLI default is `plan-autoresolve.md`, Phase C template references
`-autoresolve.md` suffix, `write_patch` is deprecated shim. Only
legacy `.patch` artefacts in sync-repo/reports/ remain — those are
audit trail, not active.
## Phase C draft file emission (deep-sleep-trigger-prompt.md §6.d)
The earlier Phase C template emitted `proposed_rule` markdown blocks
only — no actionable artefacts. Extended §6 with step 6.d: when
WITH_FORK=1 AND fork branch was created, ALSO write skeleton draft
files into the branch:
sync-repo/sleep-deep/YYYY-MM-DD/drafts/rules/<slug>.md
sync-repo/sleep-deep/YYYY-MM-DD/drafts/hooks/<slug>.sh
Drafts follow pattern-codifier-agent Phase 3 templates. Phase C does
NOT register hooks — that's pattern-codifier's job via /sleep-review
morning click-flow (skill Phase 3a added in ~/.claude commit 49a320d).
This closes the loop: Phase C surfaces draft → morning review clicks
approve → pattern-codifier installs → settings.json registered.
Smoke-test required in §6.d: every emitted `.sh` MUST `bash -n` clean
or be excluded from commit + listed in plan markdown.
## Results on ~/.claude/memory/sync-repo (live data)
| Scanner | Before | After | Delta |
|-----------|-------:|------:|------:|
| orphans | 108 | 1 | -107 |
| hooks | 2 | 0 | -2 |
| cp | 174 | 0 | -174 |
| **TOTAL** | 284 | 1 | -283 |
On full ~/.claude scan: total drops from ~1614 (per 2026-05-11
backlog) to 983 (cp=186 + orphans=797 — orphan count high because
~/.claude tree has many memory/chatlogs/ refs out-of-tree).
## Tests
12/12 pass on kei-conflict-scan workspace (4 unit + 8 integration).
Pre-existing `oversize_file_flagged` + `orphan_wikilinks_flagged`
still green; new `cross_repo_wikilink_not_flagged` +
`path_prefixed_wikilink_matches_basename` from d2c966d8 still green.
Private mirror at ~/Projects/KeiSeiKit/_primitives/_rust/ synced
(4 files: tree.rs, scanners/cp.rs, scanners/orphans.rs,
scanners/hooks.rs).
Closes backlog "engine-noise-2026-05-11" tag bugs #1, #2, #3.
Three follow-up atomics on top of the contacts/topics/sync wave.
## 1. AskLanguage state + ru/en localisation (default en)
New state `AskLanguage` inserted between `Intro` and `AskName`. Intro now
sends a bilingual greeting + language picker. AskLanguage parses
en/english/1/ru/русский/2/etc → persona_patch{"language":"<code>"} →
transitions to AskName with that language's prompt.
All later prompts (AskName / AskTone / AskInterests / AskHobbies /
TopicSpecifics / TopicNowLater / TopicResearch / AskSchedule / Ready)
read persona.language via Lang::from_persona and dispatch through
Strings::* helpers — two language tables, no fallthrough.
Back-compat migration: existing chats without `language` key (like the
user currently in topic_now_later) get an implicit "ru" patch on next
turn so their Russian onboarding continues without regression.
New files: strings.rs (164), machine_lang.rs (145).
Modified: state.rs (+AskLanguage variant), machine.rs (Intro→AskLanguage,
AskLanguage arm, migration guard), machine_helpers.rs, machine_tests.rs.
5 new tests (intro_to_ask_language, ask_language_en, ask_language_ru,
ask_language_invalid, migration_sets_ru_when_language_missing).
## 2. Real proposeTopicSources — removed TODO(phase2) stub
machine_lang.rs::step_topic_research now calls
extractor.extract(prompt, topic_title) with a {name, url, why} schema.
Parses JSON, formats numbered source list, transitions to TopicSources.
Failure paths (LLM error, empty array): graceful fallback prompt asking
user to suggest their own — still transitions to TopicSources so flow
doesn't deadlock.
3 new tests in machine_tests_topic_research.rs:
topic_research_yes_proposes_sources,
topic_research_yes_empty_sources_still_advances,
topic_research_no_skips_topic_sources.
## 3. Voice-message handling (Telegram voice/audio → STT → text pipeline)
kei-telegram-webhook: added Voice/Audio sub-structs on Message and
WebhookEvent::Voice variant. classify() detects message.voice OR
message.audio. 2 new tests in event.rs.
kei-buddy/src/voice.rs (178 LOC):
VoiceHandler { bot_token, stt: Arc<dyn SttBackend>, http }
transcribe_file(file_id, mime_type) does:
1. GET https://api.telegram.org/bot{token}/getFile?file_id=...
2. GET https://api.telegram.org/file/bot{token}/{file_path}
3. SttRequest { audio_bytes, mime_type, language: None } → backend.transcribe
4. Returns transcript text.
2 wiremock tests (download chain + 500 error mapping).
serve.rs adds voice: Option<Arc<VoiceHandler>> to BuddyContext;
on_event Voice arm: whitelist check → transcribe → handle_text (same
pipeline as if user typed). Voice unavailable: warn + ignore.
serve_runner.rs builds VoiceHandler from KEI_BUDDY_STT_BACKEND env.
kei-stt added as optional dep gated by serve feature. Default backend
whisper-local (no extra build deps).
TTS reply path deferred (next atomic).
## Verify
* cargo check --workspace: PASS
* cargo test -p kei-buddy --lib: 55 passed / 0 failed (was 41 → 50 → 53 → 55)
* cargo test -p kei-telegram-webhook --lib: 7 passed (was 5, +2 voice)
* cargo build -p kei-buddy --release: PASS (23.7s)
NOT deployed yet — three new things to roll out next:
* новые миграции (нет — БД без изменений)
* новые env: KEI_BUDDY_STT_BACKEND (optional)
* установка faster-whisper / piper-tts на сервер для STT
(без него Voice event просто warn-логируется и игнорируется)
Three atomics finish phase 3 of kei-buddy contacts integration:
## kei-buddy: contact-sync glue + slash commands (+5 tests)
New src/contacts_sync.rs (146 LOC):
* SyncReport { fetched, added, skipped, errors }
* sync_from_google(access_token, contacts) — builds GooglePeopleClient,
list_connections, dedups by (name+email) via search_contacts,
add_contact in loop
* sync_from_apple(apple_id, app_pw, addressbook_url, contacts) — same
pattern over ICloudCardDavClient.list_contacts
* All errors collected into report.errors; never panics, never propagates
New slash commands in commands.rs / command_exec.rs:
* /sync-google — reads GOOGLE_OAUTH_ACCESS_TOKEN env, calls sync_from_google,
Russian-formatted summary "Google: загружено N, добавлено M, пропущено K"
* /sync-apple — reads APPLE_ID + APPLE_APP_PASSWORD + APPLE_CARDDAV_URL,
calls sync_from_apple
* Missing env → human-readable "не настроено: …" response
* /help text updated
Deps added: kei-contacts-google + kei-contacts-apple as path deps.
## kei-contacts-google: pagination via nextPageToken (+1 test)
Refactor: client.rs 182→56 LOC; pagination logic + deserialization moved
to new src/pagination.rs (188 LOC). list_connections unchanged
(back-compat, returns first page only). New list_all_connections loops
via fetch_page(Some(token)) until token=None; hard cap 50 pages with
tracing::warn on cap.
Test list_all_connections_two_pages: wiremock returns page 1 with
nextPageToken="abc" + page 2 without; assert len = sum AND second
request carries pageToken=abc query.
## kei-contacts-apple: vCard line-folding + CardDAV auto-discovery (+2 tests)
vcard.rs +unfold() helper applied in parse_vcard per RFC 6350 §3.2:
continuation lines starting with space/tab strip the prefix and append
to previous line. Test parse_folded_vcard.
New src/discovery.rs (199 LOC): discover_addressbook() walks
.well-known/carddav → current-user-principal → addressbook-home-set →
first addressbook with C:addressbook resourcetype. Three PROPFIND
requests with canned XML bodies. Regex-based extract_first_href_under +
extract_addressbook_href helpers. Test discover_walks_three_propfinds
against 3-step wiremock fixture.
client.rs adds discover_addressbook_url() method calling discovery.
## Verify-before-commit
* cargo check --workspace: PASS
* cargo test -p kei-buddy --lib: 46/0 (was 41)
* cargo test -p kei-contacts-google: 5/0 (was 4, +1 pagination)
* cargo test -p kei-contacts-apple: 9/0 (was 7, +1 folding +1 discovery)
NOT deployed — user still in live conversation with bot.
Follow-up (deferred, non-blocking):
* Real iCloud smoke test for discover_addressbook_url — regex parser
may need adjustment for deeply-nested namespace prefixes
* Wiremock-backed integration test for sync_from_google glue (HTTP
layer already covered in kei-contacts-google tests)
Two architectural bugs in orphans scanner — both surfaced by morning
/sleep-review of deep-sleep/2026-05-12-0400 (108 false-positive
orphan-wikilinks; the engine was scanning sync-repo MEMORY.md and
flagging every `[[../../../rules/X]]` cross-repo ref as broken).
1. Asymmetric normalization in extract_wikilinks
- `all_basenames(root)` indexed file_stem (lowercase, no path)
- `extract_wikilinks` returned lowercased FULL link text including
`../../../`-prefix and `subdir/` segments
- Result: `[[chatlogs/X/Y]]` never matched `Y.md` in index, every
`[[../../../rules/X]]` always flagged orphan
Fix: `normalize_target(raw) -> Option<String>` strips path prefix,
strips `.md` suffix, returns None for `../`-rooted refs that escape
the scan tree (engine cannot validate cross-repo targets).
2. extract_handoffs scanner removed
- Regex `^\s*-\s*\*\*([a-z0-9][a-z0-9_-]{2,})\*\*` was matching every
prose bold-bullet, e.g. `- **english-jargon** — last 7d:` in
backlog.md or `- **L1-Path-C**:` in chatlogs.
- sync-repo scan: 0 real handoff sections present, 100% of matches
were prose. Real handoff syntax in agent-graph repos uses YAML
frontmatter, not prose markdown bullets.
- Scanner deleted along with its helper; wikilink scanner alone
covers the explicit `[[...]]` ref use case.
## Result on sync-repo (live data)
| Metric | Before | After |
|----------------|-------:|------:|
| orphan refs | 108 | 1 |
| false-positive | 107 | 0 |
Remaining 1 = legitimate `[[wikilink]]` literal in backlog.md prose.
## Tests added (already present in HEAD via prior fleet commit)
- `tests::cross_repo_ref_skipped` — `../../../foo` -> None
- `tests::path_prefixed_target_basenamed` — `chatlogs/X/Y` -> "Y"
- `tests::plain_basename_passes_through`
- `tests::md_suffix_stripped`
- integration `cross_repo_wikilink_not_flagged` (E2E)
- integration `path_prefixed_wikilink_matches_basename` (E2E)
12/12 tests pass. Release binary rebuilt + installed to ~/.cargo/bin/.
Private mirror at ~/Projects/KeiSeiKit/_primitives/... synced.
Closes backlog.md "engine bug #4" (added by user via prior /sleep-review).
