Priority-scaled time budgets (quick/standard/deep/marathon/weekly),
marathon-mode for hard derivations (skips Phase B REM for one task),
checkpointing every N minutes via partial commits.
Hub-and-spoke skill that converts "I need auth for app X" into a
reviewable plan across 5 phases: intake (flows/stack/storage/MFA),
identity-provider pick + env scaffold, session strategy + cookies,
authorization model + permission matrix, and threats + mitigations.
- 8 AskUserQuestion calls total (≥6 hub-and-spoke contract; 4 in Phase 1
+ 1 each in Phases 2–5).
- Reads all four _blocks/auth-*.md; never writes production code or
secret values.
- RULE 0.8 (Secrets SSoT): emits env VARIABLE NAMES only; storage path
is secrets/auth.env per domain-has-secrets.md.
- Constructor Pattern: 6 files, largest 115 LOC (<200 limit).
- Fail-closed default + NO DOWNGRADE on unsafe combinations
(passkey-only without recovery → return recovery-path options, not
"not supported").
Evidence grade [E2] — pipeline mirrors OWASP ASVS v4.0.3 chapters 2–4.
- L1: install.sh post-install banners '~14 generated agents' → '12 generated agents'
(both the activated-path and the manual-merge-path copies).
- L2: skills/compose-solution/SKILL.md handoff reference '14 kit agents' → '12 kit agents'.
- L3: README /new-agent section rephrases 'via option-pickers' to call out that
the 6 questions are grouped into multiple option-picker batches (two
AskUserQuestion calls) rather than six separate prompts.
- M1 (RULE 0.4): replace fabricated URLs 'https://example.invalid/PROJECT-D'
and 'https://…/PROJECT-D' with plain text ('user's personal CLI predecessor').
- M2: tomd-preread cache key = basename + mtime + 8-char shasum of full path,
so two files with the same basename+mtime at different paths no longer
collide. Portable shasum shim; falls back to 'nohash' if shasum absent.
- M3: install.sh --with-bridges gated on ROLLED_BACK=0 so bridges are NOT
emitted into $PWD after an ERR-trap rollback.
- M4: rollback() guards rm -rf "$orig" behind an existence check.
- M5: skills/research/SKILL.md front-matter note — role tags like
'web-researcher' / 'meta-critic' are ad-hoc prompt labels for the generic
kei-researcher subagent, NOT separate manifests. Prevents fruitless
grep in _manifests/.
- M6: README adds a 'Frontend-stack coverage gap' callout listing the
planned-but-not-shipped frameworks (React-Vite, Vue-Nuxt, SvelteKit,
Astro, Angular, plain-web).
- M7: no-hand-edit-agents.sh documents at case block that the GENERATED
marker is the SOLE source of truth — legacy unmarked .md files pass
silently by design; re-run the assembler to adopt them.
- phase-2-decompose.md: delete 'or researcher if that agent is present in the user's
global fleet' clause that silently bypassed the kei-namespace. Replace with an
explicit prefer-kei note warning that bare 'researcher' matches only the user's
personal fleet and may have divergent handoffs.
- install.sh activate_hooks(): call backup_file "$target" on the merge path
(after the 'create new' early-return) so ERR-trap rollback can restore the
pre-merge settings.json. Previously an ERR in the jq-merge or mv left no
backup pair to restore.
- README.md: new 'Primitives' section between Cross-tool bridges and
Meta-composer. Explains _primitives/ vs _blocks/, lists tomd, names
the PreToolUse(Read) hook, notes /compose-solution auto-discovery
- phase-3-prior-art.md: extend grep target list to include _primitives/
- phase-5-architecture.md: one-paragraph note on referencing tomd
primitive instead of rolling custom binary-format parsing (reuse
over rewrite)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
After merging feat/compose-solution, 3 phase files still referenced
patent-scale research / patent block suffix / sensitive IP question. Strip
those generic-kit-incompatible examples:
- phase-2-decompose.md: "patent-scale" → "deep-domain"
- phase-6-block-augment.md: "<slug>-patent" disambiguator → "<slug>-embedded"
- phase-7-assemble.md: drop sensitive IP from fields passed to new-agent wizard
Final grep for "patent" in main tree: zero hits.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Strip all patent-related tooling from the generic kit so it can ship
publicly under MIT without leaking sensitive IP. restricted-scope agents,
blocks, and skill conditionals live in the private PROJECT-E.
Deleted (5 files):
- _manifests/kei-patent-compliance.toml
- _manifests/kei-patent-researcher.toml
- _blocks/domain-sensitive IP-aware.md
- _assembler/tests/fixtures/_manifests/kei-patent-compliance.toml
- _assembler/tests/snapshots/kei-patent-compliance.snap
Cross-reference cleanup:
- 6 manifests: remove kei-patent-* handoffs and "sensitive IP" forbidden lines
- _blocks/deploy-local-only.md: drop sensitive IP rationale, keep ML weights /
offensive / kernel / client-confidential banned-public triggers
- skills/research/SKILL.md: drop patent-angle-scanner + "Patent angles" section
- skills/new-agent/SKILL.md: drop Q5 (patent), renumber Q6→Q5 Q7→Q6
- README.md: drop 2 restricted agents rows, renumber wizard questions 5-7→5-6,
update counts 34→33 blocks / 14→12 agents
- _assembler/tests/golden.rs: remove golden_patent_compliance test
- _assembler/tests/roundtrip.rs: swap kei-patent-compliance fixture to
kei-cost-guardian for double-assembly determinism test
- _assembler/tests/fixtures/_manifests/kei-researcher.toml + snapshot:
remove kei-patent-researcher handoff
Tests: 21 → 20 integration tests, all passing. Grep for "patent" in
main tree returns zero hits outside .claude/worktrees.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds a pure-click meta-composer that converts a free-text task description
into the right durable KeiSeiKit artefact — agent, skill, hook, rule, or
block — by composing existing primitives:
- Phase 1 intake (one free-text DESC + target-type click)
- Phase 2 wave-based decomposition (delegates to /research for heavy tasks)
- Phase 3 prior-art grep sweep across _blocks/, _manifests/, skills/,
_bridges/, hooks/ + optional PROJECT-E + external docs
- Phase 4 gap analysis (AskUserQuestion multi-select)
- Phase 5 math-first architecture proposal (derive-first, "what is
unnecessary" pass, Constructor-Pattern check)
- Phase 6 block augmentation — drafts + persists new _blocks/<slug>.md
on user click; kit gets smarter each session
- Phase 7 recipe assembly — branches by type, hands off to /new-agent
(agent) or /escalate-recurrence (hook / rule)
Split into SKILL.md (121-LOC index) + seven phase-*.md files (each <160
LOC) to stay under the 500-LOC/file Constructor-Pattern limit. Minimum 6
AskUserQuestion calls per session enforced by the pipeline; every
referenced block / skill / manifest / bridge path verified to exist on
disk before commit (RULE 0.4 — no fabricated references).
Writes only to _blocks/<slug>.md and skills/<slug>/SKILL.md;
handoffs to /new-agent and /escalate-recurrence own their own files.
