keisei/KeiSeiKit-1.0
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
KeiSeiKit-1.0/_primitives/_rust
History
KeiSei84 155d187699 refactor(kei-mcp): v0.46 — decompose safe_tools + fix CRITICAL Grok bypass 
ARCHITECTURAL FIXES (Constructor Pattern — file >200 LOC):

1. safe_tools.rs (738 LOC god-object) → safe_tools/ module (5 files):
   - mod.rs       (99 LOC) — descriptors + dispatch
   - env_guard.rs (79 LOC) — KillPgGuard RAII + apply_safe_env
   - path_guard.rs (166 LOC) — validate_path + canonicalize walk-up
   - chain_runner.rs (159 LOC) — hook chain loader/runner
   - exec.rs (222 LOC) — handle_bash/edit/write with O_NOFOLLOW

2. CRITICAL Grok bypass closed (Claude critic finding):
   - REMOVED env-based chain skip (CLAUDECODE / GROKCODE checks)
   - The skip assumed native PreToolUse would catch the call, but
     PreToolUse matchers fire on tool_name="Bash"|"Edit"|"Write" while
     MCP tools are named kei_bash/kei_edit/kei_write — so native hooks
     NEVER fire on MCP tool calls. The skip created an auth-bypass hole.
   - Chain now ALWAYS runs for kei_bash/kei_edit/kei_write.
   - Wire scripts (kei-mcp-wire-claude.sh + -grok.sh) updated: empty
     env block + comment explaining v0.46 rationale.

3. Fail-closed defaults (architecturally correct, not bandaid):
   - validate_path: empty allowed_roots() → ERROR (was silent disable)
   - load_chain: missing/empty section → ERROR unless KEI_POLICY_CHAIN_OPTIONAL=1

4. RAII guard for process-group cleanup:
   - KillPgGuard fires killpg on ANY exit path (success, error, timeout,
     panic) until explicitly disarmed. Replaces error-path-only killpg.

5. validate_path moved off tokio worker via spawn_blocking — was blocking
   syscalls in async context.

VERIFIED:
- cargo build --release → clean
- cargo test -p kei-mcp --release → 2 passed
- MCP smoke: chain fires under CLAUDECODE=1, GROKCODE=1, and no env
  (all three previously skipped; all three now block kei_bash on
  forbidden git push patterns).
- Safe commands still pass (kei_bash echo HELLO → HELLO returned).

README: substrate counts refreshed (105→110 Rust crates, v0.45→v0.46).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-27 14:00:16 +08:00
..
.cargo perf(ci): P1+P2 — thin-LTO + cu=16 + mold linker (~17min → ~4-5min) 2026-05-04 01:32:29 +08:00
firewall-diff chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
frustration-matrix chore: версия 0.38.0 единая + warning-fixes + mold для release-job 2026-05-18 13:41:37 +08:00
kei-agent-runtime chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-artifact chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-atom-discovery chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-auth chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-auth-apple chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-auth-google fix(auth): Google OIDC account-takeover (CVE-2023-7028 class) — email_verified gate + sub as user_id + id_token cross-check 2026-05-03 15:38:53 +08:00
kei-auth-magiclink fix(security): cortex /term env_clear + bind guard, agent-stub-scan stdin, magiclink revoke 2026-05-03 15:38:23 +08:00
kei-auth-webauthn fix(ci): vendored openssl-sys для cross-compile x86_64-apple-darwin 2026-05-18 13:08:40 +08:00
kei-backend-daytona chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-brain-view chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-buddy fix(kei-buddy): close 3 HIGH audit findings from session multi-critic swarm 2026-05-17 13:41:18 +08:00
kei-cache chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-capability chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-changelog chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-chat-store chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-compute-baremetal chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-compute-digitalocean chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-compute-linode chore: strip dangling sibling refs from Cargo.toml descriptions 2026-05-03 15:37:33 +08:00
kei-compute-vultr chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-conflict-scan fix(kei-conflict-scan): close 3 backlog bugs + Phase C draft emission 2026-05-12 18:30:01 +08:00
kei-contacts-apple feat(contacts): glue sync + Google pagination + Apple discovery & folding 2026-05-12 17:04:15 +08:00
kei-contacts-google feat(contacts): glue sync + Google pagination + Apple discovery & folding 2026-05-12 17:04:15 +08:00
kei-content-store chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-cortex chore: версия 0.38.0 единая + warning-fixes + mold для release-job 2026-05-18 13:41:37 +08:00
kei-cron-scheduler chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-crossdomain chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-curator chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-db-contract chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-decision chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-decompose chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-diff chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-discover chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-dna-index chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-entity-store chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-export-trajectories chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-forge chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-fork chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-frustration-loop chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-gateway chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-gdrive-import chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-git-bitbucket chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-git-forgejo chore: strip dangling sibling refs from Cargo.toml descriptions 2026-05-03 15:37:33 +08:00
kei-git-gitea chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-git-gitlab chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-graph-check chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-graph-export chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-graph-stream chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-hibernate chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-import-project chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-leak-matrix chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-ledger chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-ledger-sign chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-llm-bridge-mlx chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-llm-llamacpp chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-llm-mlx chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-llm-ollama chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-llm-router chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-machine-probe chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-mcp refactor(kei-mcp): v0.46 — decompose safe_tools + fix CRITICAL Grok bypass 2026-05-27 14:00:16 +08:00
kei-memory chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-memory-postgres chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-memory-redis chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-memory-sled chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-memory-sqlite chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-migrate chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-model chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-model-router fix(install,router): close 5 HIGH audit findings 2026-05-17 16:28:33 +08:00
kei-net-ipsec chore: strip dangling sibling refs from Cargo.toml descriptions 2026-05-03 15:37:33 +08:00
kei-net-openvpn chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-net-wireguard chore: strip dangling sibling refs from Cargo.toml descriptions 2026-05-03 15:37:33 +08:00
kei-notify-discord chore: strip dangling sibling refs from Cargo.toml descriptions 2026-05-03 15:37:33 +08:00
kei-notify-slack chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-notify-sms chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-notify-telegram chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-pet chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-ping chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-pipe chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-projects-index chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-projects-watcher chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-provision chore: strip dangling sibling refs from Cargo.toml descriptions 2026-05-03 15:37:33 +08:00
kei-prune chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-refactor-engine chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-registry chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-replay chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-router chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-runtime fix(perf): bound per-user lock LRU + stream-cap atom subprocess output 2026-05-03 15:39:50 +08:00
kei-runtime-core chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-sage chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-scheduler chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-search-core chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-shared chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-skill-importer chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-skills chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-social-store chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-spawn chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-store chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-stt feat(kei-tts + kei-stt): TTS/STT abstractions with 4+3 backends 2026-05-12 13:47:35 +08:00
kei-svc-systemd chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-task chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-telegram-webhook feat(kei-buddy): AskLanguage i18n + real proposeTopicSources + voice handling 2026-05-12 17:49:06 +08:00
kei-tlog chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-token-tracker chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-tts feat(kei-tts + kei-stt): TTS/STT abstractions with 4+3 backends 2026-05-12 13:47:35 +08:00
kei-tty chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
kei-watch chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
keisei chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
mock-render chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
ssh-check chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
tokens-sync chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
visual-diff chore: author email + Cargo metadata SSoT (parfionovich@keilab.io) 2026-05-03 13:55:28 +08:00
.gitignore KeiSeiKit-public — clean state 2026-05-01 12:09:03 +08:00
Cargo.lock feat(v0.41): 5 audit fixes + doc + claude/grok perms (#49) 2026-05-26 18:52:40 +07:00
Cargo.toml fix(install): make fresh install actually complete + ship tamagotchi (#26) 2026-05-21 01:40:50 +08:00