KeiSei84
65d17007c3
Convergent dogfood audit by Claude+Grok+Gemini+Copilot on v0.41 surfaced that the v0.41 'fixes' were incomplete. 3 of 4 reviewers independently found the same CRITICAL bypass; Gemini wrote a Rust test suite to verify. ## Convergent findings → v0.42 fixes [#1 CRITICAL] Symlink leaf bypass (3-of-4 convergent) v0.41 only canonicalized PARENT, then re-attached leaf as-is. Exploit: 1. kei_bash 'ln -s ~/.ssh/authorized_keys ./cfg.txt' (passes the bash hook chain — ln itself is non-destructive) 2. kei_write file_path=cfg.txt content=<key> validate_path saw $PWD/cfg.txt (allowed) → fs::write followed leaf symlink → overwrote authorized_keys. Fix: canonicalize FULL path (incl. leaf) when file exists; for new files, symlink_metadata on leaf and reject is_symlink. Now the denylist check sees the real target. [#2 HIGH] $HOME blanket-allowed = self-neutering (2-of-4 convergent) allowed_roots() defaulted to [$PWD, $HOME], denylist only had 4 secret dirs. So kei_write $HOME/.claude/hooks/no-github-push.sh content='exit 0' was ALLOWED — agent could overwrite the substrate's own policy hooks. Similar attacks on ~/.zshrc (RCE on next shell), ~/.gitconfig, ~/.npmrc. Fix: default to $PWD only. Denylist extended with .claude/, .grok/, .gemini/, .copilot/, .kimi/, all major shell-init files, and additional credential paths. KEI_ALLOWED_ROOTS for explicit widening. [#3 HIGH] Empty-section fail-OPEN (Gemini test-verified) v0.41 'fail-closed on missing config' fix was incomplete: if config file existed but section [bash]/[edit]/[write] was empty, load_chain returned Ok(vec![]) → run_chain early-returned Ok → action ran ungated. Fix: empty chain also FAIL-CLOSED with same KEI_POLICY_CHAIN_OPTIONAL opt-in. [#4 MEDIUM] load_chain still blocked tokio worker (Claude) v0.41 fix #4 converted handle_edit/handle_write reads to tokio::fs but left load_chain on std::fs. Slow/hung mount on policy-chain.toml would freeze a worker for every safe_* invocation. Fix: load_chain → async + tokio::fs::{try_exists, read_to_string}. [#5 MEDIUM] process_group only applied to bash, not hooks (Claude) v0.41 fix #5 set_process_group on kei_bash's child shell, but the hook subprocess (spawned per-hook in run_chain) was NOT in its own group. On hook timeout, kill_on_drop killed only the immediate hook process; grandchildren orphaned — the exact failure mode fix #5 was meant to prevent. Fix: set_process_group + killpg also on hook spawn in run_chain. [#6 MEDIUM] Per-step vs aggregate timeout (Claude) Doc claimed 'Hard cap on single chain + action — 60s'. Actual: each hook gets independent 60s, then action gets another 60s. For a 3-hook bash chain that's 240s max — 4× documented. Status: documented as known-limit; single-deadline impl deferred to v0.43 (not security-blocking, just a doc/correctness drift). ## Verification (8 smokes — all green) /etc/passwd → denied (system dir) ✓ ../escape.txt → denied (../ segment) ✓ /tmp/symlink → /etc/passwd writeable → denied (resolved /private/etc) ✓ NEW ~/.claude/hooks/no-github-push.sh → denied (substrate dir) ✓ NEW ~/.zshrc → denied (shell-init file) ✓ NEW policy-chain.toml empty [bash] → FAIL-CLOSED ✓ NEW KEI_POLICY_CHAIN_OPTIONAL=1 → opt-in pass-through ✓ kei_bash git-push-github → BLOCKED (regression) ✓ kei_bash echo HELLO → returns content (regression) ✓ cargo test -p kei-mcp: 3/3 still pass. ## Architecture note from Grok Grok architect flagged: safe_tools.rs is 474 LOC, exceeds Constructor Pattern 200-line threshold. v0.42 does NOT refactor (security fixes shipped first); v0.43 will extract path_guard.rs + chain_runner.rs. ## Per-CLI audit value demonstrated Claude — 5 issues + 5 minor, exhaustive line-anchored analysis Grok — architectural review with grep-verified citations Gemini — wrote Rust test project to verify findings (PoC code!) Copilot — partial fact-check, ran out of mid-task
7.8 KiB
Cross-CLI policy enforcement
Same safety rules. Any LLM CLI. Three honesty tiers.
KeiSeiKit's safety hooks (no-github-push, safety-guard, destructive-guard,
citation-verify, numeric-claims-guard) originally fired only inside Claude
Code's PreToolUse pipeline. Phase C extends enforcement to other CLIs —
but the strength of enforcement depends on what each CLI permits.
The 3-tier honesty model
| Tier | What it means | CLIs |
|---|---|---|
| TIER 1 — full native | Tool-call enforcement at the CLI's own hook layer. Same as Claude. | claude, grok |
| TIER 2 — MCP-wrapped | Native shell disabled at launch; agent forced to use our policy-gated kei_bash/kei_edit/kei_write MCP tools. |
copilot |
| TIER 3 — advisory | CLI can't disable native shell; we register kei-mcp and instruct the agent to prefer kei_* tools, but enforcement is prompt-level only. |
agy, kimi |
For patent-sensitive or production-PR work — stick to TIER 1 (claude or grok).
How to wire
One command sets up enforcement for whichever CLIs you have installed:
kei mcp-wire # detect + wire all installed CLIs
kei mcp-wire grok # wire one CLI
kei mcp-wire --dry-run # preview config changes without writing
kei mcp-wire --list # show enforcement tier per CLI
The orchestrator is idempotent — running twice produces the same config.
What kei mcp-wire writes
claude (TIER 1 — already enforced)
No-op. Native PreToolUse hooks already gate every tool call. kei mcp-wire claude
prints the optional mcpServers snippet you can add to
~/.claude/settings.json if you want claude to also see spawn_agent for
sub-agent dispatch.
grok (TIER 1 — port our hooks)
Writes ~/.grok/settings.json hooks.PreToolUse block:
Bashmatcher →no-github-push.sh+safety-guard.sh+destructive-guard.shEditmatcher →citation-verify.sh+numeric-claims-guard.shWritematcher →citation-verify.sh+numeric-claims-guard.sh
Plus registers kei-mcp with GROKCODE=1 env (so kei-mcp's policy chain skips
duplicate enforcement when invoked via Grok — your native hooks already fired).
xAI's Grok uses the same JSON input contract as Claude Code's PreToolUse, so our hook scripts run unchanged. Identical enforcement to claude.
copilot (TIER 2 — disable native shell, force MCP)
Writes ~/.copilot/mcp-config.json registering kei-mcp. To activate enforcement,
launch copilot with --excluded-tools='shell':
alias copilot='copilot --excluded-tools=shell'
The agent will have NO native shell tool, only kei-mcp's kei_bash —
which runs the policy chain before execution. kei_edit / kei_write
similarly gate file mutations.
agy / kimi (TIER 3 — advisory)
Writes their MCP config (~/.gemini/config/mcp_config.json for agy,
~/.kimi/mcp.json for kimi) registering kei-mcp.
The honest part: these CLIs do NOT have a way to disable their native
shell. The agent CAN reach for native bash regardless of what we tell it.
The system prompt nudges it toward kei_bash, but a determined or careless
agent can bypass.
For patent-sensitive work — don't use agy or kimi as orchestrator. Use them for analysis / brainstorming / no-side-effect tasks only.
Internals
policy-chain.toml (SSoT)
One file declares which hooks gate which tool, for all CLIs that go through the MCP layer:
# ~/.claude/hooks/_lib/policy-chain.toml
[bash]
chain = ["no-github-push.sh", "safety-guard.sh", "destructive-guard.sh"]
[edit]
chain = ["citation-verify.sh", "numeric-claims-guard.sh"]
[write]
chain = ["citation-verify.sh", "numeric-claims-guard.sh"]
To add a hook: append its basename. The hook script must already exist in
~/.claude/hooks/ and follow the standard PreToolUse contract (read JSON
on stdin with .tool_name + .tool_input, return exit 0 = pass / 2 = block).
kei-mcp built-in tools
kei-mcp (Rust MCP server at _primitives/_rust/kei-mcp/) exposes 4
built-in tools across two source files (both bypass the atom-discovery
loop in handlers/tools.rs):
In handlers/tools.rs:
spawn_agent(name, task, on?)— invokes a KeiSeiKit agent on any backend
In handlers/safe_tools.rs (Phase C, v0.40+):
kei_bash(command, cwd?)— runs[bash]chain → executeskei_edit(file_path, old_string, new_string)— runs[edit]chain → editskei_write(file_path, content)— runs[write]chain → writes
The chain runs against the same hook scripts Claude uses; identical input shape, identical decisions. On block, the hook's stderr surfaces as the MCP error message so the calling agent sees exactly why.
v0.42 hardening (post 4-CLI re-audit, supersedes v0.41):
- Fail-CLOSED everywhere — missing config, missing hook, OR empty
section (
[bash]/[edit]/[write]with no entries) all refuse to run. Tests / dev can opt in viaKEI_POLICY_CHAIN_OPTIONAL=1. - Symlink-safe path guard —
kei_edit/kei_writecanonicalize the FULL path (resolving any leaf symlink to its real target) and reject if the leaf itself is a symlink for a not-yet-existent file. Fixes the v0.41 CRITICAL bypass whereln -s ~/.ssh/keys ./x; kei_write xwould follow the link. - $PWD-only default root —
allowed_rootsdefaults to current working directory only. Was:$PWD+ entire$HOME— too permissive, agent could overwrite~/.claude/hooks/*(self-neuter) or~/.zshrc(RCE on next shell). Operators who need broader access setKEI_ALLOWED_ROOTS. - Denylist extended — system dirs (
/etc/,/usr/,/System/,/var/,/root/,/bin/,/sbin/); credential stores (~/.ssh/,~/.aws/,~/.gnupg/,~/.config/gcloud/,~/.cargo/credentials,~/.docker/config.json,~/.kube/); substrate dirs (~/.claude/,~/.grok/,~/.gemini/,~/.copilot/,~/.kimi/); exact shell-init files (.zshrc,.bashrc,.profile,.zshenv,.gitconfig, ...). - Async file I/O in load_chain —
policy-chain.tomlnow read viatokio::fs(was: blockingstd::fsfroze worker on slow mounts). - Process-group kill on hooks too — hook subprocesses get
process_group(0)andkillpg(SIGKILL)on timeout. Was: only the bash action got this; hook grandchildren orphaned. - CLAUDECODE/GROKCODE design note — documented as perf/UX optimization, NOT a security boundary (env-controllable parent → confused deputy is already-game-over scenario).
Double-enforcement guard
If kei-mcp is invoked from a process where $CLAUDECODE=1 or $GROKCODE=1,
it SKIPS its hook chain — the CLI's native hooks already fired. This is set
automatically by kei mcp-wire claude / kei mcp-wire grok. On copilot /
agy / kimi the env is unset → chain runs.
Verification
# All 4 built-ins must list:
echo '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{}}' \
| kei-mcp | jq -r '.result.capabilities'
# Block test (kei_bash refuses forbidden command):
echo '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2024-11-05"}}
{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"kei_bash","arguments":{"command":"git push https://github.com/x/y.git main"}}}' \
| kei-mcp 2>&1 | grep "RULE 0.1" # expects: BLOCK — RULE 0.1 NO GITHUB PUSH
# Pass test:
echo '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2024-11-05"}}
{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"kei_bash","arguments":{"command":"echo OK"}}}' \
| kei-mcp | tail -1 | jq -r '.result.content[0].text' # expects: OK
Related
- Multi-CLI agent invocation — DNA-resolved agent dispatch
kei-mcpsource:_primitives/_rust/kei-mcp/src/handlers/safe_tools.rs- Policy SSoT:
hooks/_lib/policy-chain.toml - Wire scripts:
scripts/kei-mcp-wire*.sh