Parfii-bot d2068cded7 docs: reviewer-response — honesty pass + portable format specs

External reviewer raised 7 overclaim/scope concerns. Agents verified each
against source; this commit applies all fixes that landed in docs.

Honesty pass:
- README:25-29 — Cortex daemon track listed as alpha (was beta); MCP server
  marked "alpha (unpublished) — install via local dist build"; Phase B
  noted "auto-codification not yet wired (manual via /escalate-recurrence)";
  keigit framed as author-operated mirror (KeiSei84 / private Forgejo),
  not neutral community service
- README:95-97 — Cortex CLI/daemon track downgraded beta→alpha
  with rationale (browser-app + VSCode-extension are concept-level)
- docs/ARCHITECTURE.md — added "Model router — current state (2026-05-03)"
  subsection: per-call fixed estimate routing, NO 100-row Bayesian threshold
  in current source (select.rs:74-124); reviewer suggestion deferred
- docs/SLEEP-LAYER.md — added Phase B scope clarification: morning report
  is read-only markdown, no auto-codification path
- docs/PUBLISHING.md — aligned framing with README:43 ("author-operated
  mirror" not "community registry"); added vendor-neutrality note that
  substrate works against any npm-compatible registry
- mcp-server/package.json — added "private": true and description note
  to prevent accidental publish before maturity gate

Portable format specs (reviewer asked for memory-repo agnosticism):
- docs/MEMORY-FORMAT.md (196 LOC) — JSONL schemas for traces / decisions /
  agent-events with jq/awk/pandas recipes, grounded in actual writers
- docs/DNA-FORMAT.md (159 LOC) — DNA wire format ("type::caps::sha8")
  with shell+python parsers
- docs/LEDGER-SCHEMA.md (199 LOC) — full SQLite DDL (agents +
  skill_invocations + indexes + triggers) with sample queries

Auto-regen artifact:
- docs/DNA-INDEX.md — kei-registry regenerated count 564→565

Verification:
- All claims traced to file:line in source by agent a52b29ae
- All new docs ≤200 LOC per Constructor Pattern
- Reality verification verdicts: README/MCP/Phase-B/Cortex VERIFIED;
  Bayesian-router PARTIAL (overclaim removed); keigit PARTIAL (framing
  fixed in this commit); memory-format VERIFIED-FALSE (spec added)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-03 16:59:25 +08:00

7.6 KiB

Raw Blame History

Publishing via keigit.com (author-operated mirror)

Publish KeiSeiKit agents, skills, and primitives as scoped npm packages against keigit.com — an author-operated mirror (KeiSei84 / private Forgejo + npm registry), OAuth-only, per-user PAT for npm publish. This is not a neutral community registry — it is a single-operator opt-in instance the author runs. The substrate is remote-agnostic; you can point it at any git remote and any npm-compatible registry.

Overview

keigit.com is one git+npm host the substrate happens to know how to publish to — a public Forgejo instance plus an npm-compatible package registry, both run by the author of KeiSeiKit. Anyone with a GitHub or Google account can sign up in one click, publish scoped packages under their own namespace, and share agents / skills / hooks the same way they would on registry.npmjs.org. Free, no quotas at launch; the operator (the author) reserves the right to introduce quotas, suspend accounts, or shut the instance down — same as any single-operator mirror.

Use it when you want others to npm install @you/your-skill against your published bundle without standing up your own registry. If you need vendor-neutrality, point your ~/.npmrc at any other npm-compatible registry (Verdaccio, Gitea, GitLab Package Registry, public npm) — the substrate's publishing tooling does not require keigit.com.

Open https://keigit.com.
Click Sign in with GitHub or Sign in with Google.
Approve the OAuth scope on the provider page. You're back on keigit.com signed in; your username is your provider username (lowercased, special chars stripped).

There is no email/password registration form — OAuth is the only path. If both GitHub and Google share the same primary email, the first login wins and the second provider can be linked later under Settings → Linked Accounts.

Generate a PAT

npm publish needs a personal access token (PAT) with package-write permission. Web cookies don't authenticate the npm CLI.

Click your avatar (top-right) → Settings → Applications.
Scroll to Generate New Token.
Name it (e.g. npm-publish-laptop).
Tick scopes:
- write:package — required for npm publish
- write:repository — only if you also push git repos with the same token; otherwise leave unchecked
Click Generate Token. Copy it now — you won't see it again.

Tokens are revocable from the same page. Rotate every 90 days or immediately on suspected compromise.

Configure npm

Two settings in your global ~/.npmrc: the scope-to-registry mapping and the auth token. Per-user scope means each publisher writes to their own URL prefix — there is no shared @keisei namespace.

# Replace 'alice' with your keigit.com username.
npm config set @alice:registry https://keigit.com/api/packages/alice/npm/
npm config set //keigit.com/:_authToken <token-from-step-above>

Resulting ~/.npmrc:

@alice:registry=https://keigit.com/api/packages/alice/npm/
//keigit.com/:_authToken=ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Notes on portability:

The @scope:registry line is what npm uses to route reads and writes for that scope. It must match the scope in your package.json name field exactly.
The //keigit.com/:_authToken line is registry-host-scoped, so the same token covers any @scope:registry URL on keigit.com.
For per-project overrides (CI, multi-account machines), put the same two lines into a .npmrc next to your package.json. Project-level beats user-level.

Publish a package

Skeleton, using @alice/keigit-smoke (the shape proven by the 2026-05-01 smoke test):

mkdir keigit-smoke && cd keigit-smoke
npm init -y

Edit package.json so name, version, and main are set:

{
  "name": "@alice/keigit-smoke",
  "version": "0.1.0",
  "description": "Smoke test of keigit.com npm publish path.",
  "main": "index.js",
  "license": "Apache-2.0",
  "repository": "https://keigit.com/alice/keigit-smoke"
}

echo "module.exports = { ok: true };" > index.js
npm publish

Expected output:

npm notice
npm notice 📦  @alice/keigit-smoke@0.1.0
npm notice === Tarball Contents ===
npm notice 33B  index.js
npm notice 220B package.json
npm notice === Tarball Details ===
npm notice name:          @alice/keigit-smoke
npm notice version:       0.1.0
npm notice ...
+ @alice/keigit-smoke@0.1.0

Re-publishing the same version is rejected — bump the version in package.json (npm version patch does it for you) before each npm publish.

Install someone else's package

To consume @alice/keigit-smoke from a different machine or project:

# Once per machine — point the @alice scope at keigit
npm config set @alice:registry https://keigit.com/api/packages/alice/npm/

# Then install normally
npm install @alice/keigit-smoke

You don't need a PAT to install public packages — only to publish and to install private packages. If alice later marks the package private, install starts requiring an auth token under //keigit.com/:_authToken.

Verify on the web UI

Every publish lands on:

https://keigit.com/<user>/-/packages

For the example above: https://keigit.com/alice/-/packages

Click the package name to see versions, tarball size, README (if your package.json has "readme" or there's a README.md at the root of the publish), and the dist-tags (default latest).

Limits

Free tier, no quotas at launch. Free for everyone, no per-user byte cap, no per-day publish-count cap. May be introduced when traffic warrants — current users will be grandfathered with at least 30 days notice.
Tarball size soft-limit ~50 MB per version. Hard limits not enforced today; expect them later. If you have a >50 MB artefact, ship it as a release attachment on the git side, not as an npm tarball.
No mirroring of registry.npmjs.org. Packages on keigit.com are independent. Don't npm publish a name you don't control on the public registry — it'll confuse downstream installs that have no @scope:registry override.

Troubleshooting

401 Unauthorized on npm publish — PAT is wrong, expired, or not in ~/.npmrc. Check:

npm config get //keigit.com/:_authToken

If the output is null or doesn't match the token in Settings → Applications, re-set it:

npm config set //keigit.com/:_authToken <fresh-token>

403 Forbidden on npm publish — token is valid but missing the write:package scope, or the package name's scope doesn't match your username. The scope segment of the package name (@alice/...) must equal your keigit.com username. Re-check the token's scopes on the Applications page; regenerate if needed.

404 Not Found on npm install — most often the @scope:registry mapping is missing or wrong. The first time you install from a new scope, run:

npm config get @alice:registry

Should print https://keigit.com/api/packages/alice/npm/. If it's empty or points at https://registry.npmjs.org/, fix it with npm config set per the Configure npm section.

E_PUBLISH_VERSION_EXISTS / Cannot publish over the previously published versions — bump the version in package.json and republish. keigit.com refuses overwrites of existing versions for the same reason registry.npmjs.org does.

docs/IMPORT-RUNTIME.md — kei-import for ingesting third-party Rust / TS / Python / Go repos
docs/INSTALL.md — kit-wide install paths
docs/SECURITY.md — kit-wide security posture, including how PATs and OAuth scopes are handled

7.6 KiB Raw Blame History