13 commits

Author	SHA1	Message	Date
KeiSei84	3b54f0b5e0	feat(v0.44): pre-release audit — 1 CRITICAL + 4 HIGH + 4 MEDIUM patched ... Four-CLI parallel pre-release audit (Claude+Grok+Gemini+Copilot, each reviewing different angle) surfaced 9 real issues in v0.43. All fixed. ## Audit team & their finds - Claude (critic): code review — found #5 KEI_ALLOWED_ROOTS bypass, #6 macOS TMPDIR denylist conflict, #7 timeout doc drift, #9 failure-cache schema mismatch. - Gemini (security): wrote Rust PoC, verified — found #1 CRITICAL parent symlink for non-existent leaf, #2 TOCTOU await, #3 curl config injection, #4 env inheritance, #8 cwd. - Grok (architect): noted safe_tools.rs at 572 LOC (>200 Constructor threshold). Deferred decomposition to v0.45. - Copilot (docs): inspected README/encyclopedia, no blocker findings (1 Premium, 977k cached tokens). ## Fixes shipped [#1 CRITICAL] Parent-symlink bypass for non-existent leaf paths v0.42 only canonicalized PARENT. If THAT parent didn't exist either, the path fell through to "absolute as-is" with no canonicalization. E.g. /proj/symlink -> /Users/denis, then kei_write /proj/symlink/ newdir/file would write inside /Users/denis with no check. Fix: walk_up_to_canonicalize() — find DEEPEST existing ancestor, canonicalize THAT (resolving all symlinks in the existing prefix), then reattach the non-existent tail. [#2 HIGH] TOCTOU between validate_path and fs::write 60s of hook chain await between path check and write. Concurrent process could swap leaf for symlink during that window; fs::write followed it. Fix: open file with O_NOFOLLOW + write through the open fd (not the path again). Open() itself fails on symlink-swap. Edit + Write both patched. Falls back to plain tokio::fs on non-Unix. [#3 HIGH] curl config injection via MOONSHOT_API_KEY Was: token interpolated into printf 'header = "...%s..."' fed to curl --config. If token contained " + newline + 'url = "evil"', curl parsed the injected config and redirected. Fix: validate MOONSHOT_API_KEY matches [A-Za-z0-9_.-]+; reject any other chars before probe runs. [#4 HIGH] Subprocess env inheritance — secret leak via kei_bash Was: spawned bash inherited AWS_*, GITHUB_TOKEN, MOONSHOT_API_KEY, etc. Agent running `env` via kei_bash could exfiltrate all of them. Fix: apply_safe_env() — env_clear() + whitelist forward of PATH/ HOME/USER/LANG/TERM/SHELL/PWD/TMPDIR/LOGNAME/LC_*. Operators add named vars via KEI_SAFE_ENV_EXTRA. Applied to BOTH kei_bash spawn AND hook subprocess spawn. [#5 HIGH] KEI_ALLOWED_ROOTS unanchored prefix bypass Was: str::starts_with on raw user-supplied root. KEI_ALLOWED_ROOTS=/home/u/proj also allowed /home/u/proj-secrets/... Fix: normalize each entry to canonical + trailing slash; use Path::starts_with (component-aware). v0.44 combines with #6 fix (canonicalize symlinks like /var → /private/var on macOS). [#6 MEDIUM] macOS $TMPDIR denied by /var/ blanket Was: denylist included /var/, /private/var/ blanket entries. macOS $TMPDIR = /var/folders/... canonicalized to /private/var/ folders/... hit the denylist before allowed_roots was checked. Fix: (a) allowed_roots check FIRST; (b) narrowed denylist to /var/db/, /var/log/, /var/root/ (and /private/ counterparts) instead of blanket /var/. /var/folders + /private/tmp are now legitimate working dirs. [#7 MEDIUM] Timeout aggregate claim was always false Was: doc said "Hard cap on single chain + action ... 60s" — actually was per-step. For 3-hook chain, total = 4 * 60 = 240s. Fix: doc comment now honest about per-step semantics. Aggregate- deadline impl deferred to v0.45 (not security-blocking). [#8 MEDIUM] cwd not in hook input — hook approves wrong cwd Was: kei_bash accepts cwd arg but did not pass it to safety hooks. Hook could approve `rm -rf *` assuming PWD, while cwd actually pointed at /etc or ~/.ssh. Fix: include cwd in hook_input JSON. Hooks now see the real working dir for their decision. [#9 MEDIUM] Failure-fallback cache had different schema Was: emit '{"ts":"","status":"assembly-failed"}' — no per-CLI keys. Pet's .kimi.available_balance_usd read got null/error; kei-limits own per-CLI render loop emitted 5 malformed rows. Fix: failure-fallback emits same shape as success {ts, claude, grok, agy, copilot, kimi} with each marked status='assembly-failed'. LOW: empty old_string in kei_edit now rejected (was: silently prepended new_string since contents.contains("") is always true). ## Tests + smokes cargo test -p kei-mcp: 3/3 pass. 8 MCP smokes (all green after every audit round): - kei_bash blocks RULE 0.1 push - kei_bash passes echo OK - kei_write /etc/passwd → denied (system dir) - kei_write ../ → denied (.. segment) - kei_write ~/.ssh/ → denied (outside roots) - kei_write symlink-to-etc/passwd → denied (canonicalized) - kei_write ~/.claude/hooks/ → denied (substrate dir) - kei_write ~/.zshrc → denied (outside roots) NEW v0.44 smokes: - kei_write /Users/denis/.ssh/newdir/keys via /tmp/v44_link → denied - KEI_ALLOWED_ROOTS=/tmp/proj does NOT match /tmp/proj-evil - FAKE_SECRET=stolen → TOKEN=empty in subprocess (env stripped) - MOONSHOT_API_KEY='abc"NL_url="evil"' → rejected pre-probe - macOS $TMPDIR via KEI_ALLOWED_ROOTS works (canonicalize fix) ## Deferred to v0.45 - safe_tools.rs at 572 LOC — extract path_guard + chain_runner modules - Aggregate-deadline timeout (single Instant::now() + remaining) - Hardlink check (open fd then fstat + dev/ino compare) - INVALID_PARAMS used for missing-arg (currently INTERNAL_ERROR) - INVALID_PARAMS_REF dead code at EOF (silencer for unused import) These are correctness/style/architectural, NOT security blockers.	2026-05-26 23:00:34 +08:00
KeiSei84	633ee4aeeb	feat(limits): honest kei limits CLI + pet cache integration ... Cross-CLI subscription limits — research-grounded honest delivery after 5-parallel-agent investigation found that 4 of 5 CLIs have no public programmatic API for quota. ## Reality findings (research) - claude no public API; `anthropic-ratelimit-*` headers per-call only; Admin API exists but needs separate admin token. See dashboard. - grok no public API; `x-ratelimit-*` headers per-call only. No file. - agy interactive /usage slash-cmd shows 100% always (forum bug). No public API. - copilot no public quota API; web dashboard only. The 'gh api /user/ copilot_billing' endpoint does NOT exist. June 2026 billing migration to AI Credits further changes the surface. - kimi Moonshot /v1/users/me/balance returns $ balance only (no session/weekly quota fields). Requires MOONSHOT_API_KEY. ## Delivery (no false promises) - scripts/kei-limits.sh — probe-all honest tool. For Kimi: real curl call to Moonshot balance API if MOONSHOT_API_KEY set. For other 4: status marker + dashboard URL. - Pet integration — reads ~/.claude/pet/limits-cache.json IF present; shows Kimi balance segment ONLY when status=='live'. Pet does NOT poll; cache is populated by user-invoked 'kei limits'. - bin/kei limits arm + --json mode + --quiet mode for cron. Cache is bounded by user's explicit refresh; pet shows '(Xm old)' if older than 1h. No background polling, no rate-limit waste, no fake data.	2026-05-26 21:43:39 +08:00
KeiSei84	65d17007c3	feat(v0.42): 6 fixes from 4-CLI re-audit (CRITICAL + 2 HIGH + 3 MED) ... Convergent dogfood audit by Claude+Grok+Gemini+Copilot on v0.41 surfaced that the v0.41 'fixes' were incomplete. 3 of 4 reviewers independently found the same CRITICAL bypass; Gemini wrote a Rust test suite to verify. ## Convergent findings → v0.42 fixes [#1 CRITICAL] Symlink leaf bypass (3-of-4 convergent) v0.41 only canonicalized PARENT, then re-attached leaf as-is. Exploit: 1. kei_bash 'ln -s ~/.ssh/authorized_keys ./cfg.txt' (passes the bash hook chain — ln itself is non-destructive) 2. kei_write file_path=cfg.txt content=<key> validate_path saw $PWD/cfg.txt (allowed) → fs::write followed leaf symlink → overwrote authorized_keys. Fix: canonicalize FULL path (incl. leaf) when file exists; for new files, symlink_metadata on leaf and reject is_symlink. Now the denylist check sees the real target. [#2 HIGH] $HOME blanket-allowed = self-neutering (2-of-4 convergent) allowed_roots() defaulted to [$PWD, $HOME], denylist only had 4 secret dirs. So kei_write $HOME/.claude/hooks/no-github-push.sh content='exit 0' was ALLOWED — agent could overwrite the substrate's own policy hooks. Similar attacks on ~/.zshrc (RCE on next shell), ~/.gitconfig, ~/.npmrc. Fix: default to $PWD only. Denylist extended with .claude/, .grok/, .gemini/, .copilot/, .kimi/, all major shell-init files, and additional credential paths. KEI_ALLOWED_ROOTS for explicit widening. [#3 HIGH] Empty-section fail-OPEN (Gemini test-verified) v0.41 'fail-closed on missing config' fix was incomplete: if config file existed but section [bash]/[edit]/[write] was empty, load_chain returned Ok(vec![]) → run_chain early-returned Ok → action ran ungated. Fix: empty chain also FAIL-CLOSED with same KEI_POLICY_CHAIN_OPTIONAL opt-in. [#4 MEDIUM] load_chain still blocked tokio worker (Claude) v0.41 fix #4 converted handle_edit/handle_write reads to tokio::fs but left load_chain on std::fs. Slow/hung mount on policy-chain.toml would freeze a worker for every safe_* invocation. Fix: load_chain → async + tokio::fs::{try_exists, read_to_string}. [#5 MEDIUM] process_group only applied to bash, not hooks (Claude) v0.41 fix #5 set_process_group on kei_bash's child shell, but the hook subprocess (spawned per-hook in run_chain) was NOT in its own group. On hook timeout, kill_on_drop killed only the immediate hook process; grandchildren orphaned — the exact failure mode fix #5 was meant to prevent. Fix: set_process_group + killpg also on hook spawn in run_chain. [#6 MEDIUM] Per-step vs aggregate timeout (Claude) Doc claimed 'Hard cap on single chain + action — 60s'. Actual: each hook gets independent 60s, then action gets another 60s. For a 3-hook bash chain that's 240s max — 4× documented. Status: documented as known-limit; single-deadline impl deferred to v0.43 (not security-blocking, just a doc/correctness drift). ## Verification (8 smokes — all green) /etc/passwd → denied (system dir) ✓ ../escape.txt → denied (../ segment) ✓ /tmp/symlink → /etc/passwd writeable → denied (resolved /private/etc) ✓ NEW ~/.claude/hooks/no-github-push.sh → denied (substrate dir) ✓ NEW ~/.zshrc → denied (shell-init file) ✓ NEW policy-chain.toml empty [bash] → FAIL-CLOSED ✓ NEW KEI_POLICY_CHAIN_OPTIONAL=1 → opt-in pass-through ✓ kei_bash git-push-github → BLOCKED (regression) ✓ kei_bash echo HELLO → returns content (regression) ✓ cargo test -p kei-mcp: 3/3 still pass. ## Architecture note from Grok Grok architect flagged: safe_tools.rs is 474 LOC, exceeds Constructor Pattern 200-line threshold. v0.42 does NOT refactor (security fixes shipped first); v0.43 will extract path_guard.rs + chain_runner.rs. ## Per-CLI audit value demonstrated Claude — 5 issues + 5 minor, exhaustive line-anchored analysis Grok — architectural review with grep-verified citations Gemini — wrote Rust test project to verify findings (PoC code!) Copilot — partial fact-check, ran out of mid-task	2026-05-26 21:33:54 +08:00
KeiSei84	596e0b20a1	chore(release): bump v0.40.0 — Phase C cross-CLI hook enforcement ... plugin.json: 0.38.0 → 0.40.0; description updated with real counts (38 agents / 69 skills / 54 hooks / 86 blocks) and cross-CLI policy enforcement summary. bin/kei splash: v0.39 → v0.40 (Phase C ship).	2026-05-26 18:07:18 +08:00
KeiSei84	4e5e6bd2c0	feat(phase-C): cross-CLI hook enforcement via kei_bash/kei_edit/kei_write MCP tools ... Closes the "hooks only fire on Claude" gap. Phase C extends KeiSeiKit safety enforcement (no-github-push, safety-guard, destructive-guard, citation-verify, numeric-claims-guard) to any MCP-capable LLM CLI through a 3-tier honesty model. ## 3-tier model TIER 1 (full native): claude (existing), grok (port hooks to grok settings.json) TIER 2 (MCP-wrapped): copilot (--excluded-tools=shell + force kei_bash via MCP) TIER 3 (advisory): agy + kimi (cannot disable native shell; prompt-level only) ## Design (Constructor Pattern) 1. hooks/_lib/policy-chain.toml — SSoT: which hooks gate which tool (bash/edit/write) 2. _primitives/_rust/kei-mcp/src/handlers/safe_tools.rs — new module, 3 built-in MCP tools that synthesize Claude PreToolUse JSON, run hook chain, abort on exit-2, exec on all-pass. Same input contract → hooks reused as-is, no rewrite. 3. tools.rs short-circuit: kei_bash/kei_edit/kei_write dispatched before atom layer 4. 6 wire scripts: orchestrator + one per CLI (Constructor Pattern, no mixin) 5. bin/kei mcp-wire arm 6. docs/encyclopedia/cross-cli-policy.md — honest 3-tier matrix + verification ## Double-enforcement guard If kei-mcp invoked from a process with $CLAUDECODE=1 or $GROKCODE=1, the chain SKIPS — native hooks already fired. Wire scripts set these env vars in the MCP server registration for claude/grok respectively. On copilot/agy/kimi the env is unset → chain runs. ## Smoke (verified live) Block: kei_bash{command: forbidden-push-pattern} → JSON-RPC error -32603 with full "BLOCK — RULE 0.1 NO GITHUB PUSH" stderr ✓ Pass: kei_bash{command: "echo HELLO-FROM-KEI-BASH"} → result.content[0].text = "HELLO-FROM-KEI-BASH" ✓ tools/list: 4 built-ins present (spawn_agent + kei_bash + kei_edit + kei_write) ✓ ## Tests kei-mcp: 3/3 (tools_list assertions updated for atoms+4 built-ins). Build clean with toml = "0.8" dep added. ## Out of scope (deferred) - Codex CLI wiring (not installed locally) - ACP middleware proxy (transport, not middleware — ruled out at research) - Container/firejail sandboxing for agy/kimi (heavy; documented limit instead) - Native Rust PatternGate migration (optimization, separate phase)	2026-05-26 18:03:33 +08:00
KeiSei84	3fec43ea7e	feat(orchestrator): kei pick + spawn_agent MCP tool — true multi-LLM shell ... Closes the "Claude Code as single primary" gap. Now `kei` (no args) execs whichever CLI is configured as primary, and ANY MCP-capable orchestrator can spawn KeiSeiKit agents on any backend via the built-in spawn_agent tool. ## A — orchestrator picker bin/kei now reads ~/.claude/config/primary.toml and execs that CLI instead of hardcoding claude. New arms: kei pick interactive menu → set primary → launch it kei --on=<backend> one-shot launch of <backend> (no primary write) kei primary [<b>] get/set primary Splash shows `primary CLI: <backend>` so the orchestrator is visible. Failure mode: if primary's CLI isn't on PATH, prints install hint + offers `kei pick` recovery. scripts/kei-pick.sh — Constructor Pattern picker (<140 LOC). Lists all 6 backends with install status (✓/✗), highlights current primary, writes choice to primary.toml, execs the picked CLI. Honors stdin TTY gate (RULE TTY-INTERACTIVITY-GATE — -t 0, not -t 1) for non-interactive safety. ## B — spawn_agent MCP tool _primitives/_rust/kei-mcp/src/handlers/tools.rs gains a built-in `spawn_agent` tool, exposed alongside discovered atoms: - inputSchema: { name: str, task: str, on?: backend-enum } - Calls kei-agent-cli.sh internally with same DNA resolution - 60s timeout, kill-on-drop - Honors KEI_AGENT_CLI env for testing Smoke 2026-05-26 (MCP stdio JSON-RPC round-trip): spawn_agent(name=smoke-test, on=claude) → "SMOKE-OK" ✅ spawn_agent(name=smoke-test, on=grok) → "SMOKE-OK" ✅ Why it matters: Claude Code has a native Agent tool. Grok / Agy / Copilot / Kimi don't have an equivalent native sub-agent surface — but they all speak MCP. spawn_agent gives them KeiSeiKit's sub-agent capability when they're the orchestrator. The chosen orchestrator no longer caps the sub-agent fleet. ## Other _primitives/_rust/kei-mcp/Cargo.toml: tokio gains "io-std" feature (was missing — main.rs uses tokio::io::stdin/stdout). This fixes a latent build error unrelated to this PR (kei-mcp wasn't building cleanly before). Tests: tools_list assertions updated for the +1 built-in tool (3 total instead of 2 with atoms; 1 instead of 0 on empty root). All MCP tests pass. Assembler 3/3 golden tests still pass (provider field is optional).	2026-05-26 16:48:23 +08:00
KeiSei84	e4980f6ad7	feat(dna): provider+model in agent DNA; kei primary; smoke-tested 4/5 CLIs ... Makes KeiSeiKit truly multi-LLM: any agent can declare its preferred backend in its manifest. The DNA resolver picks the right CLI; `kei primary` swaps the fleet-wide default. KeiSeiKit is no longer tied to Claude Code single-model. Resolution order: --on=<backend> → manifest provider → primary.toml → claude Files: _assembler/src/manifest.rs + Option<String> provider field _assembler/src/assembler.rs emit provider: in frontmatter (when set) scripts/kei-agent-cli.sh DNA resolver; `kei primary` get/set; `kei agent` arm (DNA-driven); honest kimi handling (TUI-only) bin/kei new arms: agent, primary _primitives/cli-backends.toml mark kimi as tui-only docs/encyclopedia/multi-cli-agents.md rewritten with DNA flow, smoke results, rule-enforcement caveat Smoke 2026-05-26 (real CLI invocations): claude ✓ via `claude -p` grok ✓ via `grok --print` (DNA: manifest provider=grok) agy ✓ via `agy --print` (Antigravity / Gemini) copilot ✓ via `copilot --prompt` (1 Premium / 9s / 20.6k tok) kimi ⚠ TUI-only, no print mode; need `kimi acp` JSON-RPC client codex — register-only (not installed locally) Rule-enforcement caveat documented: KeiSeiKit hooks fire only inside Claude Code's PreToolUse pipeline. Non-claude backends carry the agent's PROMPT but not the hook layer. For tool-level policy on non-claude, route through MCP. ALSO: fix(stop-hook) — RULE 0.14 session-end-dump.sh "Recombobulating..." 4-minute hang on 18MB+ transcripts. Root cause: kei-memory ingest + frustration- matrix scan + kei-sleep-sync ran sync at session end. Now async-detached with per-op portable timeout (timeout/gtimeout/perl alarm). Hook returns in 0.03s. Raw JSONL saved sync; only index/embedding step deferred (idempotent on session_id so safe).	2026-05-26 16:21:11 +08:00
KeiSei84	3be9a8bf71	feat(multi-cli): kei run-via <backend> — agents over external LLM CLIs ... Adds a uniform launcher that lets any KeiSeiKit agent run on whichever LLM CLI you have a subscription to. Pick by familiarity, pricing, or to get a second opinion on the same prompt. Backends (locally installed, by subscription): claude Claude Code (claude -p) grok xAI Grok (grok --print; native --agent supported) agy Antigravity (agy --print) alias: antigravity copilot GitHub Copilot (copilot --prompt) kimi Moonshot Kimi (stdin, TUI primary) codex OpenAI Codex (codex -p) register-only Files: _primitives/cli-backends.toml SSoT backend table scripts/kei-agent-cli.sh launcher; loads ~/.claude/agents/<n>.md, strips frontmatter, composes with task, execs backend non-interactive bin/kei new arm: run-via | via | run | agent-via docs/encyclopedia/multi-cli-agents.md user-facing docs + usage Auto-installed via lib-scaffold.sh:77 glob (no install code change needed). Test plan: kei run-via list # status + agents kei run-via grok critic "review src/auth.rs" # via Grok kei run-via agy critic "review src/auth.rs" # via Antigravity kei run-via copilot critic "review src/auth.rs" # via Copilot KEI_NATIVE_AGENT=1 kei run-via grok critic "..." # native --agent	2026-05-26 15:05:02 +08:00
KeiSei84	abae256c1d	feat(install): opt-in hook packs + stack profiles (public posture) ... A fresh install now activates only the safety pack; discipline hooks and agents are opt-in via an onboarding step (step 6) or `kei configure`. "People don't need Rust-only" — they pick their own stack. - _primitives/hook-packs.toml: SSoT mapping pack -> hooks, stack -> packs + agent groups. safety always on; evidence/observability/epistemic/ orchestration/git-guard/stack-rust opt-in. rust-first/no-python only under the systems stack; git-guard (no-github-push) opt-in only, pulled by no stack. - lib-profile: extract generic _toml_array (reused by lib-packs); profile_members becomes a thin wrapper (no behavior change). - lib-packs: pack/stack/agent resolvers + selection loader. - lib-hooks: filter_snippet_by_packs (install-time allowlist) + prune_kit_hooks (reconfigure removes deselected kit hooks, keeps foreign ones); activate_hooks rewired to prune + filter + merge. No custom settings.json fields (/doctor safe). - lib-agents: install_manifests filters by stack agent set (empty = install all). - onboarding: pick_stack step (reuse _onb_read_choice), persists stack_profile + enabled_packs to onboarding.toml; i18n STR_* added. - bin/kei configure -> scripts/kei-configure.sh (re-pick without reinstall); install stamps ~/.claude/.kei-kit-dir. - numeric-claims-guard: money regex no longer matches shell positionals ($1..$9); requires decimal / unit / 2+ digits / tilde. Real money + time still caught. - gate one-liner added to 8 discipline hooks (runtime toggle via hooks-control). Verified end-to-end (scratch HOME): fresh=safety only; evidence pack adds numeric+citation; systems stack wires rust-first + 14 base/systems agents (no data-science/swift); reconfigure-shrink prunes kit hooks but keeps a foreign hook; settings schema clean; assembler golden 3/3. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-25 17:27:14 +08:00
KeiSei84	3aff00290f	fix: pre-public audit — critical install regression + 7 blockers ... CRITICAL: lib-hooks.sh had an apostrophe ("user's") inside the jq program's bash single-quote, closing the quote and producing a parse error so EVERY install aborted at source time (install.sh:71). Caught by a full minimal e2e (rc=2 then rc=0 after fix). Reworded the jq comment to drop the apostrophe. Audit blockers fixed: - MANIFEST: drop cortex-ui (no such primitive) from 4 profiles + block; lib-menu desc no longer references it. Profile resolution verified clean. - lib-dev-hub-forgejo / -zoekt: source lib-launchd.sh (register_launchd was undefined, so full-hub dev-hub install would fail at runtime). - kei-message: portable 16-digit id. BSD date prints literal "N" for %N; fall back to /dev/urandom. Verified numeric in both code paths. - bootstrap non-TTY default cortex to minimal (matches install.sh; avoids divergent curl-bash vs direct-install behaviour and 105-crate surprise). - install.sh stamps ~/.claude/.kei-profile; bin/kei reads it (splash showed "profile: ?" before, since .installed holds only primitive names). - README hook count 38 to 54 (real: ls hooks star dot sh). - web-install warns before it discards local edits in the managed clone. Verified: 106 shell files bash -n clean; minimal e2e rc=0 (38 agents, 57 hooks, 69 skills, profile stamped, mailbox present). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-24 10:48:06 +08:00
KeiSei84	c347f329aa	feat(kei message): persistent inter-session mailbox + pull-inbox hook ... Any Claude Code session can now message any other (not just Agent-Teams teammates), without tmux. Append-only jsonl bus + a UserPromptSubmit hook that pulls unread into each session's context per turn. - scripts/kei-message.sh: `kei message send [--to <name|all>] <text>` / inbox / list / channels. Identity = basename(cwd); broadcast channel "all". - hooks/mailbox-inject.sh: UserPromptSubmit. Injects messages addressed to this session (cwd-basename) or "all", since last turn; per-session cursor dedup; first turn sets baseline (no history dump); never echoes own messages. - bin/kei: `kei message ...` dispatch before splash. - lib-scaffold: copy ALL scripts/*.sh on install (picks up kei-message.sh). - settings-snippet: wire mailbox-inject under UserPromptSubmit. Store: ~/.claude/mailbox/messages.jsonl. Bypass: KEI_MAILBOX_BYPASS=1. Verified: addressed delivery, broadcast, first-turn no-dump, cursor dedup, no self-echo (2-session simulation). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-23 15:00:10 +08:00
KeiSei84	2873474486	style(kei): brand splash colors (голубой logo + жёлтый values), bump v0.16→v0.38 ... Splash was cyan; rebrand to the blue/yellow palette: sky-blue (38;5;39) logo + dim-blue separators, gold (38;5;220) brand line + field values. Version string was stale (v0.16 → v0.38). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-22 13:49:44 +08:00
Parfii-bot	0be354a920	KeiSeiKit-public — clean state ... Single-commit clean baseline after security scrub of niche-tells, project codenames, internal jargon, and contributor-email leaks. Contents: - 100 Rust crates (_primitives/_rust/) - 37 agent manifests (_manifests/) + generated specs (_generated/) - 67 user-invocable skills (skills/) - 33 hooks (hooks/) - Composition blocks (_blocks/) - Documentation (docs/, README.md) - TS adapter packages (_ts_packages/) - Assembler (_assembler/) - Roles (_roles/) - Templates (_templates/) - Forgejo CI (.forgejo/) Author: Denis Parfionovich <info@greendragon.info> License: see LICENSE.	2026-05-01 12:09:03 +08:00