keisei/KeiSeiKit-1.0
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
KeiSeiKit-1.0/scripts/kei-mcp-wire-grok.sh
KeiSei84 155d187699 refactor(kei-mcp): v0.46 — decompose safe_tools + fix CRITICAL Grok bypass 
ARCHITECTURAL FIXES (Constructor Pattern — file >200 LOC):

1. safe_tools.rs (738 LOC god-object) → safe_tools/ module (5 files):
   - mod.rs       (99 LOC) — descriptors + dispatch
   - env_guard.rs (79 LOC) — KillPgGuard RAII + apply_safe_env
   - path_guard.rs (166 LOC) — validate_path + canonicalize walk-up
   - chain_runner.rs (159 LOC) — hook chain loader/runner
   - exec.rs (222 LOC) — handle_bash/edit/write with O_NOFOLLOW

2. CRITICAL Grok bypass closed (Claude critic finding):
   - REMOVED env-based chain skip (CLAUDECODE / GROKCODE checks)
   - The skip assumed native PreToolUse would catch the call, but
     PreToolUse matchers fire on tool_name="Bash"|"Edit"|"Write" while
     MCP tools are named kei_bash/kei_edit/kei_write — so native hooks
     NEVER fire on MCP tool calls. The skip created an auth-bypass hole.
   - Chain now ALWAYS runs for kei_bash/kei_edit/kei_write.
   - Wire scripts (kei-mcp-wire-claude.sh + -grok.sh) updated: empty
     env block + comment explaining v0.46 rationale.

3. Fail-closed defaults (architecturally correct, not bandaid):
   - validate_path: empty allowed_roots() → ERROR (was silent disable)
   - load_chain: missing/empty section → ERROR unless KEI_POLICY_CHAIN_OPTIONAL=1

4. RAII guard for process-group cleanup:
   - KillPgGuard fires killpg on ANY exit path (success, error, timeout,
     panic) until explicitly disarmed. Replaces error-path-only killpg.

5. validate_path moved off tokio worker via spawn_blocking — was blocking
   syscalls in async context.

VERIFIED:
- cargo build --release → clean
- cargo test -p kei-mcp --release → 2 passed
- MCP smoke: chain fires under CLAUDECODE=1, GROKCODE=1, and no env
  (all three previously skipped; all three now block kei_bash on
  forbidden git push patterns).
- Safe commands still pass (kei_bash echo HELLO → HELLO returned).

README: substrate counts refreshed (105→110 Rust crates, v0.45→v0.46).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-27 14:00:16 +08:00

77 lines
2.7 KiB
Bash
Executable file
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

#!/usr/bin/env bash
# kei-mcp-wire-grok — TIER 1: port KeiSeiKit hooks to Grok's PreToolUse pipeline.
#
# Grok CLI supports Claude-Code-compatible PreToolUse hooks via
# ~/.grok/settings.json. Same JSON input contract → our existing
# ~/.claude/hooks/*.sh scripts run unchanged.
#
# We register THREE hook entries (one per Bash-gating safety hook) plus
# the kei-mcp MCP server so Grok can also call spawn_agent.
#
# Idempotent: jq-merge into existing settings.json; foreign entries survive.
set -eu
CFG="$HOME/.grok/settings.json"
HOOKS_DIR="$HOME/.claude/hooks"
KEI_MCP_BIN="$HOME/.claude/_primitives/_rust/target/release/kei-mcp"
[ -f "$KEI_MCP_BIN" ] || KEI_MCP_BIN="$(command -v kei-mcp 2>/dev/null || true)"
mkdir -p "$(dirname "$CFG")"
[ -f "$CFG" ] || echo '{}' > "$CFG"
# Build the hook block — three Bash hooks + two Edit/Write hooks (same as
# Claude's policy-chain.toml).
desired=$(cat <<JSON
{
"hooks": {
"PreToolUse": [
{"matcher": "Bash", "hooks": [{"type": "command", "command": "$HOOKS_DIR/no-github-push.sh"}]},
{"matcher": "Bash", "hooks": [{"type": "command", "command": "$HOOKS_DIR/safety-guard.sh"}]},
{"matcher": "Bash", "hooks": [{"type": "command", "command": "$HOOKS_DIR/destructive-guard.sh"}]},
{"matcher": "Edit", "hooks": [{"type": "command", "command": "$HOOKS_DIR/citation-verify.sh"}]},
{"matcher": "Edit", "hooks": [{"type": "command", "command": "$HOOKS_DIR/numeric-claims-guard.sh"}]},
{"matcher": "Write", "hooks": [{"type": "command", "command": "$HOOKS_DIR/citation-verify.sh"}]},
{"matcher": "Write", "hooks": [{"type": "command", "command": "$HOOKS_DIR/numeric-claims-guard.sh"}]}
]
}
}
JSON
)
mcp_block=""
if [ -n "$KEI_MCP_BIN" ] && [ -x "$KEI_MCP_BIN" ]; then
mcp_block=$(cat <<JSON
{
"mcpServers": {
"kei-mcp": {
"command": "$KEI_MCP_BIN",
"env": {}
}
}
}
JSON
)
fi
if [ "${KEI_WIRE_DRY_RUN:-0}" = "1" ] || [ "${KEI_WIRE_CHECK:-0}" = "1" ]; then
echo " grok: would merge into $CFG:"
printf '%s\n' "$desired"
[ -n "$mcp_block" ] && printf '%s\n' "$mcp_block"
exit 0
fi
# Merge: existing | desired (desired wins on key conflict; arrays are
# replaced, not appended — Grok PreToolUse semantics).
tmp=$(mktemp)
if [ -n "$mcp_block" ]; then
jq -s '.[0] * .[1] * .[2]' "$CFG" <(printf '%s\n' "$desired") <(printf '%s\n' "$mcp_block") > "$tmp"
else
jq -s '.[0] * .[1]' "$CFG" <(printf '%s\n' "$desired") > "$tmp"
fi
mv "$tmp" "$CFG"
echo " grok: wired PreToolUse hooks → $CFG"
echo " 5 hook entries (Bash×3 + Edit×2 + Write×2)"
[ -n "$mcp_block" ] && echo " kei-mcp MCP server registered (v0.46: chain always runs, no env-skip)"
echo " Same enforcement as Claude Code."
Reference in a new issue View git blame Copy permalink