KeiSei84
155d187699
ARCHITECTURAL FIXES (Constructor Pattern — file >200 LOC):
1. safe_tools.rs (738 LOC god-object) → safe_tools/ module (5 files):
- mod.rs (99 LOC) — descriptors + dispatch
- env_guard.rs (79 LOC) — KillPgGuard RAII + apply_safe_env
- path_guard.rs (166 LOC) — validate_path + canonicalize walk-up
- chain_runner.rs (159 LOC) — hook chain loader/runner
- exec.rs (222 LOC) — handle_bash/edit/write with O_NOFOLLOW
2. CRITICAL Grok bypass closed (Claude critic finding):
- REMOVED env-based chain skip (CLAUDECODE / GROKCODE checks)
- The skip assumed native PreToolUse would catch the call, but
PreToolUse matchers fire on tool_name="Bash"|"Edit"|"Write" while
MCP tools are named kei_bash/kei_edit/kei_write — so native hooks
NEVER fire on MCP tool calls. The skip created an auth-bypass hole.
- Chain now ALWAYS runs for kei_bash/kei_edit/kei_write.
- Wire scripts (kei-mcp-wire-claude.sh + -grok.sh) updated: empty
env block + comment explaining v0.46 rationale.
3. Fail-closed defaults (architecturally correct, not bandaid):
- validate_path: empty allowed_roots() → ERROR (was silent disable)
- load_chain: missing/empty section → ERROR unless KEI_POLICY_CHAIN_OPTIONAL=1
4. RAII guard for process-group cleanup:
- KillPgGuard fires killpg on ANY exit path (success, error, timeout,
panic) until explicitly disarmed. Replaces error-path-only killpg.
5. validate_path moved off tokio worker via spawn_blocking — was blocking
syscalls in async context.
VERIFIED:
- cargo build --release → clean
- cargo test -p kei-mcp --release → 2 passed
- MCP smoke: chain fires under CLAUDECODE=1, GROKCODE=1, and no env
(all three previously skipped; all three now block kei_bash on
forbidden git push patterns).
- Safe commands still pass (kei_bash echo HELLO → HELLO returned).
README: substrate counts refreshed (105→110 Rust crates, v0.45→v0.46).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
45 lines
1.5 KiB
Bash
Executable file
45 lines
1.5 KiB
Bash
Executable file
#!/usr/bin/env bash
|
|
# kei-mcp-wire-claude — verify Claude Code MCP wiring (TIER 1: already native).
|
|
#
|
|
# Claude Code reads MCP servers from ~/.claude/settings.json `mcpServers`
|
|
# block. We don't strictly need kei-mcp here (Claude's native PreToolUse
|
|
# hooks already enforce policy), but adding it gives Claude access to
|
|
# `spawn_agent` for cross-CLI sub-agent dispatch.
|
|
|
|
set -eu
|
|
|
|
CFG="$HOME/.claude/settings.json"
|
|
BIN="$HOME/.claude/_primitives/_rust/target/release/kei-mcp"
|
|
[ -f "$BIN" ] || BIN="$(command -v kei-mcp 2>/dev/null || true)"
|
|
|
|
if [ -z "$BIN" ] || [ ! -x "$BIN" ]; then
|
|
echo " kei-mcp binary not found — build first: cargo build -p kei-mcp --release"
|
|
exit 0
|
|
fi
|
|
|
|
echo " claude: native PreToolUse hooks already enforce policy chain (TIER 1)"
|
|
echo " kei-mcp binary: $BIN"
|
|
echo " (spawn_agent + kei_bash MCP tools available if added to"
|
|
echo " $CFG mcpServers — optional for Claude.)"
|
|
|
|
# Optional: dump merge snippet
|
|
if [ "${KEI_WIRE_CHECK:-0}" = "1" ] || [ "${KEI_WIRE_DRY_RUN:-0}" = "1" ]; then
|
|
cat <<EOF
|
|
|
|
Suggested merge into $CFG:
|
|
{
|
|
"mcpServers": {
|
|
"kei-mcp": {
|
|
"command": "$BIN",
|
|
"env": {}
|
|
}
|
|
}
|
|
}
|
|
|
|
(v0.46: CLAUDECODE/GROKCODE env-skip was removed — the chain runs
|
|
always now. Native PreToolUse hooks fire on tool_name='Bash'/'Edit'/
|
|
'Write', but MCP tools are named kei_bash/kei_edit/kei_write, so
|
|
native hooks would NOT fire anyway — there is no double-enforcement
|
|
to avoid. Empty env block left in case operators add their own vars.)
|
|
EOF
|
|
fi
|