KeiSeiKit-1.0/_primitives/_rust
Parfii-bot 23b818a682 fix(auth): SecretString redacted Serialize + PKCE verifier wired
Two findings from KeiSeiKit2.0 pr-review (~/Projects/KeiSeiKit2.0/skills/pr-review)
applied to commit range 897d010..HEAD.

1. BLOCKER — SecretString silently leaked plaintext via Serialize.

   File: _primitives/_rust/kei-runtime-core/src/secrets.rs
   Was: derive(Serialize) + serde(transparent) -> serde_json::to_string(&secret)
        emitted the raw plaintext in any parent struct with #[derive(Serialize)].
        Debug was redacted but Serialize was not. Defeated the type's purpose.
   Now: manual Serialize impl always emits literal "<redacted>". Deserialize
        derive kept (callers need to read secrets from config/env).
        Test serialize_emits_redacted_literal asserts JSON output is "\"<redacted>\"".

2. WARNING — PKCE code_verifier dropped before token exchange.

   build_auth_url generated code_challenge = SHA256(verifier) but verify() never
   threaded the verifier to the token endpoint. Token exchange submitted no
   code_verifier, defeating the PKCE protection.

   Files:
   - _primitives/_rust/kei-runtime-core/src/traits/auth.rs:
     AuthChallenge::OAuthCode now carries code_verifier: Option<String>.
     Caller stores verifier alongside state in their session-store, exactly as
     they already store state for CSRF check.
   - _primitives/_rust/kei-auth-google/src/provider.rs:
     verify() destructures code_verifier and passes it to client.exchange_code(...).
   - _primitives/_rust/kei-auth-apple/src/provider.rs:
     same change.

   Tests added (wiremock body assertions):
   - google_smoke / apple_smoke: assert exchange request body contains
     code_verifier=<value> when challenge carried Some(verifier).
   - existing tests updated to construct OAuthCode { ..., code_verifier: None }.

Test split (Constructor Pattern 200 LOC):
   - apple_smoke.rs grew over 200 LOC after PKCE test addition. Split into
     apple_smoke.rs (provider tests) + apple_client_smoke.rs (client tests).
   - same for google_smoke.rs / google_client_smoke.rs.

Test results: 31 passed; 0 failed across kei-auth, kei-auth-apple, kei-auth-google,
kei-runtime-core unit + integration tests. cargo check --workspace clean.

Breaking change: any caller that constructs AuthChallenge::OAuthCode outside this
workspace must add code_verifier field (None for legacy no-PKCE; Some for PKCE).
Compile-time surfaced gap, not runtime regression.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-02 23:49:10 +08:00
firewall-diff KeiSeiKit-public — clean state 2026-05-01 12:09:03 +08:00
frustration-matrix chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-agent-runtime chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-artifact chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-atom-discovery chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-auth feat(auth): JWT verification + OAuth CSRF + PKCE + secret redaction 2026-05-02 21:39:18 +08:00
kei-auth-apple fix(auth): SecretString redacted Serialize + PKCE verifier wired 2026-05-02 23:49:10 +08:00
kei-auth-google fix(auth): SecretString redacted Serialize + PKCE verifier wired 2026-05-02 23:49:10 +08:00
kei-auth-magiclink feat(auth): JWT verification + OAuth CSRF + PKCE + secret redaction 2026-05-02 21:39:18 +08:00
kei-auth-webauthn feat(auth): JWT verification + OAuth CSRF + PKCE + secret redaction 2026-05-02 21:39:18 +08:00
kei-backend-daytona chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-brain-view chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-cache chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-capability chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-changelog chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-chat-store chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-compute-baremetal fix(security): RCE allowlist + WebSocket auth + SSH option-injection 2026-05-02 21:40:24 +08:00
kei-compute-digitalocean chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-compute-linode chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-compute-vultr chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-conflict-scan chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-content-store chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-cortex fix(kei-cortex): SSRF + atomic token + body limits + capped reads 2026-05-02 21:39:57 +08:00
kei-cron-scheduler chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-crossdomain chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-curator chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-db-contract chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-decision chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-decompose chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-diff chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-discover chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-dna-index chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-entity-store chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-export-trajectories chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-forge chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-fork chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-frustration-loop KeiSeiKit-public — clean state 2026-05-01 12:09:03 +08:00
kei-gateway chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-gdrive-import chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-git-bitbucket chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-git-forgejo chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-git-gitea chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-git-gitlab chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-graph-check chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-graph-export feat(graph): live runtime DNA viewer — kei-graph-export + lbm-graph-viz adapter 2026-05-02 13:07:21 +08:00
kei-graph-stream fix(security): RCE allowlist + WebSocket auth + SSH option-injection 2026-05-02 21:40:24 +08:00
kei-hibernate chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-import-project KeiSeiKit-public — clean state 2026-05-01 12:09:03 +08:00
kei-leak-matrix KeiSeiKit-public — clean state 2026-05-01 12:09:03 +08:00
kei-ledger chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-ledger-sign chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-llm-bridge-mlx chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-llm-llamacpp KeiSeiKit-public — clean state 2026-05-01 12:09:03 +08:00
kei-llm-mlx chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-llm-ollama chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-llm-router chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-machine-probe chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-mcp chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-memory chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-memory-postgres chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-memory-redis chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-memory-sled chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-memory-sqlite chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-migrate chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-model chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-model-router chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-net-ipsec chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-net-openvpn chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-net-wireguard KeiSeiKit-public — clean state 2026-05-01 12:09:03 +08:00
kei-notify-discord KeiSeiKit-public — clean state 2026-05-01 12:09:03 +08:00
kei-notify-slack KeiSeiKit-public — clean state 2026-05-01 12:09:03 +08:00
kei-notify-sms KeiSeiKit-public — clean state 2026-05-01 12:09:03 +08:00
kei-notify-telegram chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-pet chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-ping chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-pipe chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-projects-index chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-projects-watcher chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-provision chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-prune chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-refactor-engine chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-registry fix(substrate): dangling handoffs + atomar manifest fill-out + validator extension 2026-05-02 21:41:16 +08:00
kei-replay chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-router chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-runtime fix(security): RCE allowlist + WebSocket auth + SSH option-injection 2026-05-02 21:40:24 +08:00
kei-runtime-core fix(auth): SecretString redacted Serialize + PKCE verifier wired 2026-05-02 23:49:10 +08:00
kei-sage chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-scheduler chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-search-core chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-shared chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-skill-importer chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-skills chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-social-store chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-spawn chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-store chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-svc-systemd chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-task chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-tlog chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-token-tracker KeiSeiKit-public — clean state 2026-05-01 12:09:03 +08:00
kei-tty chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
kei-watch chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
keisei chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
mock-render KeiSeiKit-public — clean state 2026-05-01 12:09:03 +08:00
ssh-check KeiSeiKit-public — clean state 2026-05-01 12:09:03 +08:00
tokens-sync KeiSeiKit-public — clean state 2026-05-01 12:09:03 +08:00
visual-diff KeiSeiKit-public — clean state 2026-05-01 12:09:03 +08:00
.gitignore KeiSeiKit-public — clean state 2026-05-01 12:09:03 +08:00
Cargo.lock chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00
Cargo.toml chore(workspace): SSoT inheritance + version unification 2026-05-02 21:40:46 +08:00