KeiSeiKit-1.0/hooks
Parfii-bot 71f17337fe fix(security): cortex /term env_clear + bind guard, agent-stub-scan stdin, magiclink revoke
Three independent security hardenings from cross-cutting audits.

1. cortex /term PTY env leak + bind guard (HIGH — Sonnet Cross-cutting + Opus)
   - kei-cortex/src/handlers/term_pty.rs: PTY spawn was inheriting daemon's
     full process env (KEI_AUTH_KEY, ANTHROPIC_API_KEY, FAL_KEY, etc.) into
     every authenticated /term shell. Combined with default cors_origin =
     https://keisei.app, one stored XSS on keisei.app + one bearer token =
     full local shell with all daemon secrets.
     Added apply_safe_env() helper: env_clear() + re-set only HOME, PATH,
     USER, LANG, TERM. Spawn helper invokes it before spawn_command.
   - kei-cortex/src/main.rs: extracted build_config() helper; added
     enforce_loopback_or_local_cors() guard called before serve.bind. Refuses
     to start if bind addr is non-loopback AND cors_origin is a public
     domain — prevents the XSS-to-shell scenario in production.

2. agent-stub-scan.sh stdin parsing (HIGH — multiple audits)
   - hooks/agent-stub-scan.sh: previously read $CLAUDE_AGENT_TRANSCRIPT env
     var which Claude Code does NOT set on PostToolUse:Agent. Hook silently
     exited 0 — RULE 0.16 enforcement was dead-code in production.
     Rewrote to read stdin JSON via jq, flatten .tool_response recursively
     (string|array|object via the same pattern as agent-event-done.sh),
     guard on .tool_name == "Agent" and command -v jq. Maintained WARN-tier
     exit-0 with TODO marker for ENFORCE flip on 2026-05-05 (per RULE 0.16
     §2 ladder).

3. magiclink revoke() silent no-op (HIGH — Opus Rust + Sonnet Cross-cutting)
   - kei-auth-magiclink/src/{error,provider}.rs: revoke() previously returned
     Ok(()) without doing anything. Operators expecting "revoke a session"
     semantics from the AuthProvider trait got false success. Stolen
     magic-link URLs remained valid until the 15-minute TTL.
     Added Error::Unsupported variant. revoke() now returns
     Err(Unsupported(...)) with explicit guidance: "rotate
     KEI_MAGICLINK_HMAC_KEY to invalidate all live tokens, or maintain a
     deny-list at the caller layer". Test provider_revoke_returns_unsupported_error
     confirms the error variant is wired.

Tests: cargo check + cargo test both PASS. 444 functional tests across
kei-cortex (428 lib) + kei-auth-magiclink (16 lib + smoke). Pre-existing
openai_loop_wiring.rs 502 failures in routes/openai/{chat,responses}.rs are
NOT introduced by these fixes — separate unrelated triage.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-03 15:38:23 +08:00
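The two cortex checks described in item 1, written out as an added illustration against the Rust standard library; this is not the project's code, and the helper names, the allowlist and the definition of a "public" origin are assumptions reconstructed from the commit text.

```rust
use std::collections::BTreeMap;
use std::net::{IpAddr, SocketAddr};
use std::process::Command;

// Hypothetical reconstruction of the commit's allowlist: only these survive into the /term shell.
const SAFE_ENV_KEYS: [&str; 5] = ["HOME", "PATH", "USER", "LANG", "TERM"];

/// Keep only allowlisted variables from a parent environment (pure, testable).
pub fn safe_env(parent: &BTreeMap<String, String>) -> BTreeMap<String, String> {
    parent.iter()
        .filter(|(k, _)| SAFE_ENV_KEYS.contains(&k.as_str()))
        .map(|(k, v)| (k.clone(), v.clone()))
        .collect()
}

/// env_clear() first, then re-set only the allowlist read from this process,
/// so daemon secrets such as KEI_AUTH_KEY never reach the child.
pub fn apply_safe_env(cmd: &mut Command) -> &mut Command {
    let parent: BTreeMap<String, String> = std::env::vars().collect();
    cmd.env_clear().envs(safe_env(&parent))
}

/// Assumed definition of "public": any origin whose host is not localhost or a loopback IP literal.
pub fn is_public_origin(origin: &str) -> bool {
    let authority = origin.split("://").nth(1).unwrap_or(origin);
    let authority = authority.split('/').next().unwrap_or("");
    let host = if authority.starts_with('[') {            // bracketed IPv6 literal
        authority.trim_start_matches('[').split(']').next().unwrap_or("")
    } else {
        authority.split(':').next().unwrap_or("")         // strip :port
    };
    host != "localhost" && host.parse::<IpAddr>().map_or(true, |ip| !ip.is_loopback())
}

/// Refuse to start when the listener is reachable off-host AND the browser
/// origin CORS trusts is a public site (the XSS-to-shell combination).
pub fn enforce_loopback_or_local_cors(bind: SocketAddr, cors_origin: &str) -> Result<(), String> {
    if !bind.ip().is_loopback() && is_public_origin(cors_origin) {
        return Err(format!("refusing to bind {bind}: non-loopback bind with public cors_origin {cors_origin}"));
    }
    Ok(())
}

fn main() {
    let mut cmd = Command::new("sh");
    apply_safe_env(&mut cmd);
    println!("child env keys: {:?}", cmd.get_envs().map(|(k, _)| k.to_string_lossy()).collect::<Vec<_>>());
    println!("{:?}", enforce_loopback_or_local_cors("0.0.0.0:8080".parse().unwrap(), "https://keisei.app"));
}
```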
_lib KeiSeiKit-public — clean state 2026-05-01 12:09:03 +08:00
affect-live-scan.sh KeiSeiKit-public — clean state 2026-05-01 12:09:03 +08:00
agent-capability-check.sh KeiSeiKit-public — clean state 2026-05-01 12:09:03 +08:00
agent-capability-verify.sh KeiSeiKit-public — clean state 2026-05-01 12:09:03 +08:00
agent-event-done.sh fix(live-graph): tool_use events properly attribute to spawning agent 2026-05-02 14:43:42 +08:00
agent-event-spawn.sh fix(live-graph): tool_use events properly attribute to spawning agent 2026-05-02 14:43:42 +08:00
agent-fork-done.sh KeiSeiKit-public — clean state 2026-05-01 12:09:03 +08:00
agent-fork-logger.sh KeiSeiKit-public — clean state 2026-05-01 12:09:03 +08:00
agent-heartbeat-tick.sh KeiSeiKit-public — clean state 2026-05-01 12:09:03 +08:00
agent-outcome-backfill.sh feat(tracking): close 3 last observability gaps — toolStats + skill-record + numeric-claims journal 2026-05-02 03:42:09 +08:00
agent-stub-scan.sh fix(security): cortex /term env_clear + bind guard, agent-stub-scan stdin, magiclink revoke 2026-05-03 15:38:23 +08:00
alignment-check.sh fix(hooks): post-audit hook chain hardening + 4 new defensive hooks 2026-05-02 21:38:47 +08:00
assemble-agents.sh KeiSeiKit-public — clean state 2026-05-01 12:09:03 +08:00
assemble-validate.sh KeiSeiKit-public — clean state 2026-05-01 12:09:03 +08:00
auto-dev-guard.sh feat(frontend-loop): kei-db-contract primitive + frontend-validator agent + auto-dev-guard hook 2026-05-01 15:34:39 +08:00
auto-encyclopedia-refresh.sh KeiSeiKit-public — clean state 2026-05-01 12:09:03 +08:00
auto-register-on-edit.sh KeiSeiKit-public — clean state 2026-05-01 12:09:03 +08:00
block-dangerous.sh fix(hooks): post-audit hook chain hardening + 4 new defensive hooks 2026-05-02 21:38:47 +08:00
chat-numeric-postflag.sh fix(hooks): post-audit hook chain hardening + 4 new defensive hooks 2026-05-02 21:38:47 +08:00
chat-numeric-prewarn.sh fix(hooks): post-audit hook chain hardening + 4 new defensive hooks 2026-05-02 21:38:47 +08:00
check-error-patterns.sh fix(hooks): post-audit hook chain hardening + 4 new defensive hooks 2026-05-02 21:38:47 +08:00
citation-verify.sh fix(hooks): post-audit hook chain hardening + 4 new defensive hooks 2026-05-02 21:38:47 +08:00
decompose-rules-on-edit.sh KeiSeiKit-public — clean state 2026-05-01 12:09:03 +08:00
destructive-guard.sh fix(hooks): post-audit hook chain hardening + 4 new defensive hooks 2026-05-02 21:38:47 +08:00
disk-headroom-check.sh KeiSeiKit-public — clean state 2026-05-01 12:09:03 +08:00
disk-reclaim.sh fix(hooks+install): disk-reclaim Guard 3 + secrets per-line + sha256 fail-closed 2026-05-03 15:37:57 +08:00
error-spike-detector.sh KeiSeiKit-public — clean state 2026-05-01 12:09:03 +08:00
extract-task-durations.sh KeiSeiKit-public — clean state 2026-05-01 12:09:03 +08:00
graph-export-watcher.sh feat(graph): live runtime DNA viewer — kei-graph-export + lbm-graph-viz adapter 2026-05-02 13:07:21 +08:00
hooks.json feat(frontend-loop): kei-db-contract primitive + frontend-validator agent + auto-dev-guard hook 2026-05-01 15:34:39 +08:00
milestone-commit-hook.sh KeiSeiKit-public — clean state 2026-05-01 12:09:03 +08:00
no-downgrade.sh fix(hooks): post-audit hook chain hardening + 4 new defensive hooks 2026-05-02 21:38:47 +08:00
no-github-push.sh fix(hooks): post-audit hook chain hardening + 4 new defensive hooks 2026-05-02 21:38:47 +08:00
no-hand-edit-agents.sh KeiSeiKit-public — clean state 2026-05-01 12:09:03 +08:00
no-python-without-approval.sh KeiSeiKit-public — clean state 2026-05-01 12:09:03 +08:00
numeric-claims-guard.sh fix(hooks): post-audit hook chain hardening + 4 new defensive hooks 2026-05-02 21:38:47 +08:00
numeric-claims-record.sh feat(tracking): close 3 last observability gaps — toolStats + skill-record + numeric-claims journal 2026-05-02 03:42:09 +08:00
orchestrator-branch-check.sh KeiSeiKit-public — clean state 2026-05-01 12:09:03 +08:00
orchestrator-dirty-check.sh KeiSeiKit-public — clean state 2026-05-01 12:09:03 +08:00
phase-b-rem.sh feat(sleep): cloud-agent reasoning + Telegram delivery to whitelist 2026-05-02 04:38:52 +08:00
post-commit-audit.sh fix(hooks): post-audit hook chain hardening + 4 new defensive hooks 2026-05-02 21:38:47 +08:00
post-write-check.sh KeiSeiKit-public — clean state 2026-05-01 12:09:03 +08:00
recurrence-suggest.sh KeiSeiKit-public — clean state 2026-05-01 12:09:03 +08:00
rust-first.sh KeiSeiKit-public — clean state 2026-05-01 12:09:03 +08:00
safety-guard.sh KeiSeiKit-public — clean state 2026-05-01 12:09:03 +08:00
secrets-pre-guard.sh fix(hooks+install): disk-reclaim Guard 3 + secrets per-line + sha256 fail-closed 2026-05-03 15:37:57 +08:00
session-end-dump.sh KeiSeiKit-public — clean state 2026-05-01 12:09:03 +08:00
site-wysiwyd-check.sh KeiSeiKit-public — clean state 2026-05-01 12:09:03 +08:00
skill-record.sh feat(live-graph): WebSocket activity stream — orchestrator-centric live view 2026-05-02 13:30:24 +08:00
sleep-report-tg.sh chore(sleep-tg): minor prompt tightening (compress reasoning output) 2026-05-02 19:25:33 +08:00
stop-verify.sh KeiSeiKit-public — clean state 2026-05-01 12:09:03 +08:00
task-timer.sh fix(hooks): post-audit hook chain hardening + 4 new defensive hooks 2026-05-02 21:38:47 +08:00
tomd-preread.sh KeiSeiKit-public — clean state 2026-05-01 12:09:03 +08:00
tool-use-event.sh fix(live-graph): tool_use events properly attribute to spawning agent 2026-05-02 14:43:42 +08:00